Course Description
This course takes a deeper look at the governance and risk elements of cybersecurity. It starts with a focus on cyber and legal frameworks, then moves into information assurance. After this, it moves into risk management and treatment, followed by service assurance and standards. Finally, the course ends with software security assurance and threat modelling.
Learning Objectives
The objectives of this course are to provide you with an understanding of:
- Legislation, chain of custody, reporting and assurance within the context of a legal framework, including an overview of the Data Protection Act (DPA 2018) and the EU General Data Protection Regulation (GDPR)
- The drivers for UK Information Assurance, initiatives and programmes, risk assessment vs risk management, risk components
- Business context and risk management approach, risk management lifecycle, who delivers risk management and where in the lifecycle, understanding the context, legal and regulatory. Risk treatment: identifying the ways of treating risks, methods of gaining assurance, understanding the nature of residual risk, collecting evidence that supports decisions, risk management decisions
- Assurance perspective, including CPA, CAPS, FIPS, CE, Common Criteria, SPF. Summary of common industry standards (including OWASP, ISO27001, PCI-DSS)
- Principles for software security (securing the weakest link, defence in depth, failing securely, least privilege, separation of privilege), IA design principles
- What is threat modelling, threat modelling processes
- Risk mitigation options
Intended Audience
This course is ideal for members of cybersecurity management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
Prerequisites
There are no specific prerequisites for studying this course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
Feedback
We welcome all feedback and suggestions. Please contact us at support@cloudacademy.com if you are unsure about where to start or if you would like help getting started.
Welcome to this video on Information Assurance.
In it, you’ll learn about Information Assurance and why it is important to you personally as well as in the workplace. We will focus on information assurance, the CIA triad, the drivers of UK information assurance, the role of the UK government in information assurance, and the motivations, types and capabilities of attackers.
Information is a common currency in our daily lives and includes what we do, where we go and basically how we live our lives. This information is stored in many places and is facilitated by the ever greater access to smart technology. Information assurance is about protecting this information.
This information may be deeply personal, or simply mundane. Even seemingly insignificant information can be used by others to help them make decisions about us, so it is important that this information is secure and accurate. For instance, in the United Kingdom, the government is pushing for programmes to make public services available digitally, usually using the cloud. Information assurance in this sphere is vital given the nature of the information we supply to government.
The diagram shows the overlapping considerations of Information Assurance. Information risk management is a methodology for assessing the risks to information, and how best to mitigate those risks. Information assurance describes how we can implement our risk management strategies, to keep information safe and secure. Information security is the actual process of how we maintain the security of our information, and below, you can see the breakdown of different types of security considerations we must have.
The CIA triad is a popular way of describing the features required to achieve Information Assurance. The three areas of focus are:
- Confidentiality – ensuring that information does not get disclosed to unauthorized individuals or entities.
- Integrity – ensuring that information is correct and complete.
- Availability – ensuring that information is available to authorized entities, on demand.
There are three main reasons for the UK government's focus on information assurance. Firstly, the UK government has suffered a number of embarrassing incidents where data under its control has been disclosed to non-authorized parties, through either negligence or deliberate misconduct.
This is obviously unacceptable for the government, and measures were called for to stop it happening again, as far as possible. Secondly, with the increasing inter-connectivity of the UK economy, threats to cyber security and information assurance have the capability to cause significant economic damage. Coupled with this, cyber threats to national security have the potential to cause major issues with the everyday running of the country.
One of the UK government's responses to these threats was to develop the UK Cyber Security Strategy. Lastly, the internet has become a major support structure for the UK economy. Because of this, information assurance is a major player in supporting the UK economy.
Looking at the government's areas of concern, one of the major worries relates to the Critical National Infrastructure, or CNI. The CNI includes things like power and water supplies; transport; the banking system, especially institutions such as the Bank of England; and communications. Any attack on these entities could result in a major impact on nationwide daily life. Much of the CNI is held in private hands, rather than the public sector. This arrangement has led to a lack of joined-up thinking in the past, and a varied approach to concerns such as cyber-security or vulnerabilities in the supply chain.
To mitigate this, the government created the Centre for the Protection of National Infrastructure, or CPNI, in 2007. This government body is accountable to the UK’s Security Service, and is responsible for the over-arching protection of the UK’s CNI. Alongside this, in 2016 the government created the National Cyber Security Centre, or NCSC. This entity is a part of GCHQ, and combines elements from CPNI, GCHQ and the UK’s Computer Emergency Response Team, or CERT-UK. NCSC is the central point for the UK’s cyber security efforts, and is heavily involved in the Cyber Security Strategy.
On screen you can see the division of responsibilities for Information Assurance within the UK government. Ultimately, responsibility lies at the ministerial level and with the Cabinet.
Each government department needs to adhere to the Security Policy Framework, and provide annual audit reports back to Cabinet. The NCSC acts as the technical lead for all cyber security matters, alongside the CPNI, who act as the advisors for all security questions regarding the CNI.
CERT-UK was launched in 2014, with the remit to take the lead when dealing with any national cyber-security incidents, as well as to handle international liaison with other governments. CiSP is a secure information sharing portal, run by the NCSC in conjunction with industry partners. It provides a means to securely share information about cyber threats and vulnerabilities.
The Fusion Cell is part of CiSP, and performs cyber-threat analysis and reports.
Before the NCSC, the UK was lacking a single source of cyber security threat intelligence and information assurance. This led to disjointed messages being given out to industry, as well as the public at large. The NCSC brought all of this under one roof, providing a consistent approach in these areas.
The NCSC works across many boundaries, collaborating with industry and academia to help protect the UK from cyber-attacks. It is also able to reach out to international partners, or back into GCHQ to utilize top secret intelligence and superior technical expertise.
The NCSC, working with industry and academia, created the Cyber Body of Knowledge, or CyBOK, to codify the state of cyber knowledge within the UK.
Overseeing all these initiatives, strategies and agencies, we find the National Cyber Security Programme. This is a government-led programme, coordinated by the Cabinet Office. It accounts for a wide range of different approaches to cyber-security and information assurance, ranging from teams handling specific areas through to certification and assurance schemes for industry. It covers a central agency for handling cybercrime, as well as teams that can specialize in dealing with cyber fraud. It also handles dealing with the impact of any external regulations that may be imposed on the UK or UK businesses.
Let’s explore the reasons for the various initiatives and agencies that have been kicked off by the UK government. The ubiquity of information, and the increasingly inter-connected nature of modern life, mean that there are people who will leverage that connectivity to gain access to information.
There are many reasons to do so, but given that some of the information that is out there could be used for financial or political gain, it is no surprise that the threat from cyber-enabled attackers is on the rise. Every organization that is connected to the Internet, no matter what its business entails, should consider itself a potential target. An organization may feel that it holds no information of particular value, but there are attackers who will go after an organization just for the sake of executing a successful attack, such as a website defacement or a denial of service.
We can categorize the different types of attackers and what motivates them. Cyber criminals are generally motivated by financial concerns, and are looking to steal information that they can leverage as a commodity. Hacktivism is the use of technology to promote a political agenda or a social change. One famous hacktivist group is Anonymous, who often target financial entities.
State sponsored attackers push to further the aims of a nation state. These people could be civil servants, working a standard 9 to 5 day, whilst aiming to penetrate high security cyber targets. Or they could be criminal individuals working almost as sub-contractors to the state. In return for their assistance, the state will turn a blind eye to their criminal activities as long as their targets are external to the country’s borders.
Hackers will attack targets for the prestige of breaking into a secure environment, or simply for the fun of it. Highly skilled hackers may use their knowledge to find vulnerabilities in systems and report these to the owner or vendor. Low-skilled scripters are individuals who will obtain tools from the web, such as HOIC or LOIC, and deploy them against targets whilst having little idea of what the tool is doing, or the damage it could be causing.
Other attackers may make use of cyber-criminals or hackers, or may even be internal to the organization.
There are a number of tools available to hackers. We have already discussed tools such as HOIC and LOIC, which provide a quick and easy route into denial of service attacks, but there are many other tools available on the web, designed to assist with all manner of attacks.
Many of these tools require little skill to put into operation, and are therefore accessible to anyone with an Internet connection and the willingness to use them. These same tools are also used by more serious attackers, as they have fairly powerful features and can help in more sophisticated attacks.
The more sophisticated an attacker is, though, the more likely they are to use bespoke tools, designed to target particular vulnerabilities or entities.
That brings us to the end of this video.
Paul began his career in digital forensics in 2001, joining the Kent Police Computer Crime Unit. In his time with the unit, he dealt with investigations covering the full range of criminality, from fraud to murder, preparing hundreds of expert witness reports and presenting his evidence at Magistrates, Family and Crown Courts. During his time with Kent, Paul gained an MSc in Forensic Computing and CyberCrime Investigation from University College Dublin.
On leaving Kent Police, Paul worked in the private sector, carrying on his digital forensics work but also expanding into eDiscovery work. He also worked for a company that developed forensic software, carrying out research and development work as well as training other forensic practitioners in web-browser forensics. Prior to joining QA, Paul worked at the Bank of England as a forensic investigator. Whilst with the Bank, Paul was trained in malware analysis, ethical hacking and incident response, and earned qualifications as a Certified Malware Investigator, Certified Security Testing Associate - Ethical Hacker and GIAC Certified Incident Handler. To assist with the team's malware analysis work, Paul learnt how to program in VB.Net and created a number of utilities to assist with the de-obfuscation and decoding of malware code.