Week1 - Security Posture


CSIT302 Cybersecurity

Week 1 – Security Posture

Lecturer: Dr Zuoxia Yu
Email: zyu@uow.edu.au
Office: 3.116

Health and Safety Information for Students
Commencement of Session

What to do in an emergency?
KEEP CALM – STAY SAFE

If the alarm sounds or you are notified to evacuate:
- Follow instructions of building warden or staff member
- Leave by the nearest safe emergency exit
- Proceed to your emergency evacuation assembly point
- Await further instructions
- Do not return to the building until it is safe to do so
The nearest assembly area for this building is:

If required to take shelter:
- Follow instructions of building warden or staff member
- Lock doors, close windows/blinds and seek refuge
- Await further instructions

Need assistance on campus?
WE ARE HERE TO HELP

If you require first aid or medical assistance while on campus:
- Locate a first aid officer, or
- Call UOW Security on 4221 4900, or
- Use the First Aid or Emergency buttons on the SafeZone App, available free for iOS, Android and Windows.

Reporting hazards
KEEPING YOUR UNIVERSITY SAFE AND COMFORTABLE

If you notice any hazards (e.g. broken furniture or equipment) in your teaching area or anywhere on Campus:
• Report it to your Lecturer/Tutor/Supervisor
• The University has an online hazard and incident reporting tool called SafetyNet
• Report IT equipment hazards to Information Management and Technology Services on 4221 3000
• Report building and grounds hazards to Facilities Management Division on 4221 3217

Smoke-Free University
SAY GOODBYE TO SECONDHAND SMOKE

All UOW public areas including buildings, eating areas, grounds, pathways and transport stops have been smoke-free since July 2016. This includes the use of vapes and e-cigarettes.
Please co-operate with this policy to help make our campus healthier for everyone.
For more information: uow.info/smoke-free
For more information: uow.info/safe-at-work

About this course
• Subject Coordinator:
  - Dr Zuoxia Yu
    · Lecturer at SCIT (Room 3.116)
    · Consultation times
      - Monday: 13:00 - 15:00
      - Monday: 15:00 - 17:00
    · Please book a consultation at least 15 minutes in advance.

About this course
• Info.
  - Lectures
    · Venue: 20-1
    · Time: 08:30 - 10:30 on Monday
  - Workshop
    · Venue: 20-1
    · Time: 10:30 - 11:30 on Monday
    · Quizzes will replace the workshop in weeks 4, 7 and 10.
    · There is no workshop class in the first week.
  - Textbook
    · Y. Diogenes and E. Ozkaya, Cybersecurity – Attack and Defense Strategies, Packt Publishing, 2018, ISBN 978-78847-529-7 (available on the UOW library website)

About this course
• Assessments
  - 3 Quizzes
    · Taken during tutorial classes in weeks 4, 7 and 10
    · Total 30% (10% each)
    · Only students with AC will be offered a deferred quiz.
  - Assignment
    · The assignment will be either written reports or programs (or a combination).
    · Total 20%
    · Penalty of 25% per day for late submission.
    · Submissions received 4 days after the due date will receive no marks.
  - Final
    · 50%: inevitably theory, plus some material from the workshops
    · Technical failure: below 40 / 100

Course Structure (Topics)
Week  Topic
 1    Security Posture / Incident Response Process
 2    Understanding the Cybersecurity Kill Chain / Reconnaissance
 3    Compromising the System
 4    Chasing a User's Identity
 5    Lateral Movement
 6    No Lecture due to public holiday
 7    Privilege Escalation
 8    Security Policy and Network Segmentation
 9    Active Sensors / Threat Intelligence
10    Investigating an Incident
11    Recovery Process
12    Vulnerability Management
13    Revisit some topics

Learning Outcomes
• After successful completion, you will be able to
  1. Identify and describe issues of cybersecurity.
  2. Explain principles and concepts underlying cybersecurity topics.
  3. Demonstrate an understanding of cybersecurity related issues.
  4. Describe and analyze solutions for preventing and responding to cybersecurity issues.

Today’s Topics:
Why is it important to learn this subject?
• Introduction to Cybersecurity
• Security Posture
• The current threat landscape
• Cybersecurity Challenges
• Red and Blue Team

What is Cybersecurity
• Definition of CYBERSECURITY (first known use: 1989)
  “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack” - Merriam-Webster dictionary
• CIA triad
  - Confidentiality: keep information secret/private from those who are not authorised.
  - Integrity: keep information in a format that retains its original purpose and meaning.
  - Availability: keep information and resources available to those who are legitimate.
[Figure: the CIA triad, drawn as a triangle with Confidentiality, Integrity and Availability on its three sides]

For example:
• Multi-factor authentication for UOW systems and applications to protect data confidentiality.

What is Cybersecurity
• Investment in cybersecurity is crucial for successful businesses.
  - It has moved from nice-to-have → must-have.
  - Failure in cybersecurity results in irrevocable damage or even bankruptcy.
[Image: news headline - the Facebook–Cambridge Analytica data scandal was revealed.]

What is Cybersecurity
• British Airways faces a record £183m (AUD 330m) fine for a data breach.
  - The breach happened in 2017.
  - This is about 350 times higher than the fine imposed on Facebook (the previous record high) over the Cambridge Analytica scandal.
  - It is the first fine imposed on the company under the new European GDPR law.
• Also, many incidents have been reported regarding cryptocurrency.
  - Multiple coin exchange companies were bankrupted due to (cyber-)security breaches.
    · MtGox - 70% of bitcoins were traded on MtGox before the breach. It lost 850,000 bitcoins and went bankrupt (2014).
    · The South Korean exchange Youbit shut down and filed for bankruptcy after being hacked twice (2017).
    · Japan’s Coincheck was hacked and more than USD 500m worth of digital currency was stolen (2018).

What is Cybersecurity
• Data breaches in Australia, e.g.,
  - In September 2022, the Australian telecommunications giant Optus suffered a data breach affecting up to 10 million customers.
  - In December 2022, Medibank, the Australian health insurance giant, was the victim of a major data breach affecting the personal details of 9.7 million customers.

The current threat landscape
• The threat landscape is continuously expanding as many organisations allow working flexibility such as remote access or BYOD:
• Remote Access
  - The number of remote workers is growing (e.g., forty-three percent of employed Americans were already working remotely in 2016). It means they are using their own infrastructure to access the company's resources.
  - COVID-19 forced a huge experiment in our ability to work remotely. By May 2020, in response to the COVID-19 pandemic, 46% of NSW workers were working from home.
• Bring Your Own Device (BYOD)
  - A growth in the number of companies allowing BYOD in the workplace.
  - Most of the failures in the BYOD scenario usually happen because of poor planning and network architecture, which lead to an insecure implementation.

The current threat landscape
• Four entry points for the end user, based on connectivity, to be considered:
  1) Between On-premises and Cloud
  2) Between BYOD devices and Cloud
  3) Between On-premises and BYOD
  4) Between Cloud and Personal devices

The current threat landscape
• Many companies are adopting cloud computing:
  - Infrastructure as a Service (IaaS) refers to online services that provide high-level APIs used to dereference various low-level details of the underlying network infrastructure, such as physical computing resources, location, data partitioning, scaling, security, backup etc. (e.g. Amazon S3, Microsoft Azure)
  - Software as a Service (SaaS) is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. (e.g. Microsoft Office 365)
  - When an organization decides to extend its on-premises infrastructure with a cloud provider to use IaaS, the company needs to evaluate the threats for this connection and the countermeasures for these threats through a risk assessment.

The current threat landscape
• Connectivity between Cloud and Personal devices
  - A personal device has no direct connectivity with on-premises resources. However, if this device is compromised, the user could potentially compromise the company's data in the following situations:
    · Opening a corporate email from this device
    · Accessing corporate SaaS applications from this device
    · If the user uses the same password for their personal email and their corporate account, this could lead to account compromise through brute force or password guessing.
• Having technical security controls in place could help mitigate some of these threats against the end user. However, the main protection is continuous education via security awareness training.

The Credential – New perimeter
• A user’s identity is the new perimeter. Stealing credentials is the preferred attack vector of cybercriminals.
• Credential theft could be the first step of an attack, giving the attacker an opportunity to escalate privileges to a domain administrator.
• Companies must focus on authentication and authorization of users and their access rights.

The Credential
• MFA (Multi-Factor Authentication):
  - Using multiple factors for authentication. For example, the Australian electronic government service (my.gov.au) requires ID/password + a one-time password. The one-time password is delivered to a registered mobile number after the user has been authenticated by ID/password.
  - Other factors which can be used for authentication are biometric information such as fingerprints, irises, face recognition and voice.
• Continuous monitoring:
  - Continuous monitoring (continuous authentication) is a new technology that uses a person's behaviour to continuously verify their identity throughout a session, not just at the initial login point.

Applications (Apps)
• Applications are the entry points for users to consume data and to transmit, process or store information on the system.
• Security considerations for those apps:
  - Apps developed in-house: measures should be taken to ensure that the apps are using a secure framework throughout the software development lifecycle.
  - Apps that users pay for as a service: check whether the vendor and the app are able to meet your company's security and compliance requirements by reading the vendor's security and compliance policy.

Applications (Apps)
• Personal apps on BYOD: Every user has their own set of apps on their own device. Users are consuming many apps that may not be secure.
• Shadow IT: The traditional network security approach to supporting apps is not designed to protect data in SaaS apps, and worse, it doesn't give IT managers the visibility they need to know how employees are using them.
  “You can't protect something you don't know you have.”
  - Cloud Adoption Practices & Priorities Survey Report (CSA, Jan. 2015)

Examples of threats and countermeasures
• Examples of threats and countermeasures for the data:

State: Data at rest on the user’s device
  Description: The data is located on the user’s device.
  Threats: An unauthorized or malicious process could read or modify the data.
  Countermeasures: Data encryption: file-level or disk encryption.
  Security triad affected: Confidentiality, Integrity

State: Data in transit
  Description: The data is being transferred from one host to another.
  Threats: A man-in-the-middle attack could read, modify, or hijack the data.
  Countermeasures: SSL/TLS with valid certificates.
  Security triad affected: Confidentiality, Integrity

State: Data at rest on-premises or in the cloud
  Description: The data is located at rest either on a server’s hard drive located on-premises or in the cloud.
  Threats: An unauthorized or malicious process could read or modify the data.
  Countermeasures: Data encryption: file-level or disk encryption.
  Security triad affected: Confidentiality, Integrity

Cybersecurity Challenges
• The top causes of the most costly data breaches, in order:
  - Viruses, malware, and Trojans
  - Lack of diligence and untrained employees
  - Phishing and social engineering
  - Targeted attacks
  - Crypto and ransomware
• The real problem with the top three is that they are usually correlated with human error. Everything may start with a phishing email that uses social engineering to lead the employee to click on a link that may download a virus, malware, or Trojan.
  → Humans are considered the weakest link in cybersecurity.

Cybersecurity Challenges
• Targeted attack
  - The attacker has a specific target in mind when he/she starts to create a plan of attack. During this initial phase, the attacker will spend a lot of time and resources performing public reconnaissance to obtain the information necessary to carry out the attack.
  - Another attribute of a targeted attack is longevity, or the amount of time for which the attackers maintain persistent access to the target's network. The intent is to continue moving laterally across the network, compromising different systems until the goal is reached.

Cybersecurity Challenges
• Crypto and ransomware
  - In May 2017, the world was shocked by the biggest ransomware attack in history, called WannaCry.
  - WannaCry infected more than 400,000 machines across the globe, a gigantic number never seen before in this type of attack.
  - This ransomware exploited a known Windows SMBv1 vulnerability for which a patch had been released in March 2017 (59 days prior to the attack). → It shows that companies across the world are still failing to implement an effective vulnerability management program.

Cybersecurity Challenges
• Government-sponsored cyber attacks (data as a weapon)
  - The intent is to steal information that can be used against the hacked party.
  - The private sector should not ignore the signs of this kind of attack.
  - Organizations have started to invest more in threat intelligence, machine learning, and analytics to protect their assets.

Security Posture
• The objective of cybersecurity is to enhance the security posture of the organization.
• Solidifying the protection system for the organization’s security is not enough.
• Detection and response must be aligned in order to enhance the overall security posture.
  - Enhancing detection systems to quickly identify an attack.
  - Enhancing the effectiveness of the response process to reduce the time between infection and containment.
[Figure: Security Posture, shown as three pillars labelled PROTECTION, DETECTION and RESPONSE]

The Red and Blue Team
• The original concept of the Red and Blue Team was introduced a long time ago, during World War I. The general idea was to demonstrate the effectiveness of an attack through simulations.
• In the cybersecurity field, the adoption of the Red and Blue Team approach has also helped organizations to keep their assets more secure.
• The Red Team will perform an attack and penetrate the environment by trying to break through the current security controls, also known as penetration testing.
• The Blue Team needs to ensure that the assets are secure and, in case the Red Team finds a vulnerability and exploits it, they need to rapidly remediate and document it as part of the lessons learned.

The Red Team
• The Red Team must be composed of highly trained individuals with different skill sets, and they must be fully aware of the current threat landscape for the organization's industry.
• The Red Team must be aware of trends and understand how current attacks are taking place.
• In some circumstances, and depending on the organization's requirements, members of the Red Team must have coding skills to create their own exploits and customize them to better exploit relevant vulnerabilities that could affect the organization.

The Red Team
• The main metrics of the Red Team:
  - Mean Time to Compromise (MTTC): This starts counting from the minute the Red Team initiated the attack to the moment they were able to successfully compromise the target.
  - Mean Time to Privilege Escalation (MTTP): This starts at the same point as the previous metric, but goes all the way to full compromise, which is the moment the Red Team has administrative privilege on the target.

The Blue Team
• The Blue Team members should also have a wide variety of skill sets and should be composed of professionals from different departments.
• The Blue Team also has accountability for some security metrics, as follows:
  - Estimated Time to Detection (ETTD)
  - Estimated Time to Recovery (ETTR)
• These metrics are not 100% precise.
  - The reality is that the Blue Team might not know precisely what time the Red Team was able to compromise the system.

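The Red Team metrics (MTTC, MTTP) and Blue Team metrics (ETTD, ETTR) from the two preceding slides, computed over a constructed exercise log, as an added example that is not part of the lecture or of the textbook. The record fields, the sample timestamps and the extra "detected before privilege escalation" check are assumptions of this example; ETTD is taken from the Red Team's reported compromise time, which is exactly why the slides call it an estimate.

```python
from datetime import datetime
from statistics import mean

# Constructed exercise log (not real data): one record per simulated attack run.
# The Red Team reports when it started, when it first compromised a host and
# when it gained administrative privilege; the Blue Team records when it first
# detected the intrusion and when recovery was complete (None = never detected).
EXERCISES = [
    {"attack_start": "2023-03-06T09:00", "compromise": "2023-03-06T09:40",
     "priv_esc": "2023-03-06T11:10", "detected": "2023-03-06T10:30",
     "recovered": "2023-03-06T14:00"},
    {"attack_start": "2023-03-13T09:00", "compromise": "2023-03-13T10:20",
     "priv_esc": "2023-03-13T10:50", "detected": "2023-03-13T12:20",
     "recovered": "2023-03-13T17:20"},
    {"attack_start": "2023-03-20T09:00", "compromise": "2023-03-20T09:30",
     "priv_esc": "2023-03-20T12:30", "detected": None, "recovered": None},
]

FMT = "%Y-%m-%dT%H:%M"


def _minutes(start, end):
    """Elapsed minutes from one ISO-8601 timestamp to another."""
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 60


def red_team_metrics(runs):
    """MTTC and MTTP in minutes; both start counting when the attack is launched."""
    return {
        "MTTC": mean(_minutes(r["attack_start"], r["compromise"]) for r in runs),
        "MTTP": mean(_minutes(r["attack_start"], r["priv_esc"]) for r in runs),
    }


def blue_team_metrics(runs):
    """ETTD and ETTR in minutes over the runs the Blue Team actually detected.

    ETTD is measured from the compromise time in the Red Team's report, which the
    defenders only learn after the exercise, hence an estimate. ETTR runs from
    detection to recovery. Undetected runs are counted separately, as are runs
    caught before the attacker reached admin privilege (an assumed posture
    indicator, not one of the lecture's named metrics).
    """
    detected = [r for r in runs if r["detected"] is not None]
    return {
        "ETTD": mean(_minutes(r["compromise"], r["detected"]) for r in detected),
        "ETTR": mean(_minutes(r["detected"], r["recovered"]) for r in detected),
        "missed": len(runs) - len(detected),
        "detected_before_priv_esc": sum(
            1 for r in detected if _minutes(r["detected"], r["priv_esc"]) > 0),
    }


if __name__ == "__main__":
    print(red_team_metrics(EXERCISES))   # {'MTTC': 50.0, 'MTTP': 150.0}
    print(blue_team_metrics(EXERCISES))  # ETTD 85.0, ETTR 255.0, missed 1, early 1
```

The third run shows why the averages alone mislead: a run the Blue Team never detected drops out of ETTD/ETTR entirely, so the "missed" count has to be reported alongside them.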
The Blue Team
• What does the Blue Team do when the Red Team is able to breach the system?
  - Save evidence: It is imperative to save evidence during these incidents to ensure you have tangible information to analyze, rationalize, and act on to mitigate in the future.
  - Validate the evidence: Not every single alert, or in this case piece of evidence, will lead you to a valid attempt to breach the system. But if it does, it needs to be catalogued as an Indication of Compromise (IOC).
  - Engage whoever is necessary to engage: At this point, the Blue Team must know what to do with this IOC, and which team should be aware of this compromise. Engage all relevant teams, which may vary according to the organization.

The Blue Team
• What does the Blue Team do when the Red Team is able to breach the system? (continued)
  - Triage the incident: Sometimes the Blue Team may need to engage law enforcement, or they may need a warrant in order to perform further investigation; a proper triage will help with this process.
  - Scope the breach: At this point, the Blue Team has enough information to scope the breach.
  - Create a remediation plan: The Blue Team should put together a remediation plan to either isolate or evict the adversary.
  - Execute the plan: Once the plan is finished, the Blue Team needs to execute it and recover from the breach.

Assume breach
“Fundamentally, if somebody wants to get in, they're getting in. Alright, good. Accept that.”
- Michael Hayden (the former director of the CIA and NSA)

Assume breach
• Due to the emerging threats and cyber security challenges, it was necessary to change the methodology from preventing breach to assuming breach.
• The traditional prevent-breach approach by itself does not promote ongoing testing. → You must always be refining your protection to deal with modern threats.
• The Red and Blue Team simulation should not be a one-off exercise; instead, it must be a continuous process that is refined and improved with best practices over time.