Cyber Security Matrix

The document provides information about cyber security maturity matrices and frameworks. It discusses challenges faced by the local industry in implementing security and how a cyber security maturity matrix can help organizations improve security practices in a structured manner through different layers of security controls and assessments.

Uploaded by

Mac Queen
Information Security

Instructor:
Syeda Mahnoor Gilani

Department of Computer Science

Air University - Aerospace & Aviation Campus, Kamra


Cyber Security Maturity Matrix
• Cyber Security Maturity Matrix
• Industry Security Challenges
• What challenges does CSMM address?
• How is the local industry coping with security implementation?
• Large organizations
• Medium sized organizations
• Small organizations
• The Industry Status
• How does CSMM help?
• Cyber Security Maturity Matrix Layers

22-May-24
What is a Cybersecurity Framework?
Why a Cybersecurity Framework?
Types of Cybersecurity Framework
Cyber Security Maturity Model
• A cybersecurity maturity matrix measures an organization's security readiness. It assesses processes, controls, and policies to enhance protection against cyber threats.

• Regular evaluations ensure continual improvement.

Cyber Security Maturity Matrix
1. Foundation
2. Fundamentals
3. Hardened
4. Protected
5. Monitored
6. Secured
Industry Security Challenges
• Grass-roots security controls have not been implemented

• Haphazard, reactive security approach

• Not following any structured security architecture or framework

Grass-roots security controls
• Grass-roots security controls refer to the foundational and fundamental measures implemented at the grassroots level of an organization to enhance overall security. These controls are often basic yet crucial for establishing a solid security posture.

• Grass-roots security controls lay the foundation for a robust security posture, providing a solid base upon which more advanced security measures can be built.

Grass-roots security controls
• They include:

User Authentication
Access Controls
Device Security
Security Awareness Training
Patch Management
Network Security
Incident Response Plan
Physical Security
Data Backup and Recovery
Vendor Security

What challenges does CSMM address?

5 characteristics of Information Security in Pakistan:

- Reactive
- Superficial
- Box approach
- Contention
- Governance Overkill
How is the local industry coping with security implementation?
a. Large organizations
b. Medium sized organizations
c. Small organizations

Issues with large organizations
• Missed out on security hardening
• Vulnerability management not being done effectively as per best practice
• Attempting automation or box approach

Issues with medium sized organizations
• Don't have sufficient security expertise and knowledge
• Security was never a focus
• VM & hardening missing
• Insecure IT network

Issues with smaller organizations
• Pirated software
• Enterprise antivirus & Microsoft AD missing
• Not enough budget
• No personnel allocated for security

The Industry Status
1. Industry lacks a standard & authentic roadmap of how to achieve security
• The absence of a standard roadmap makes it difficult for organizations to navigate the complex landscape of security implementation.

2. No mechanism to measure or certify security
• Without a mechanism to measure or certify security, there is uncertainty about the actual security status of organizations, making it challenging to assess and compare security levels.

3. Divergent understanding of how security will be achieved
• Differing views on how security should be achieved can lead to confusion and potential inefficiencies in implementing security measures.

How does CSMM help?
• Offers a proactive, structured, sequential model to implement security

• Model is certifiable

• Cyber Security Certification Board (CSCB) will certify the security status of organizations

Layer 1: FOUNDATION
1. LICENSED WINDOWS OR OPEN SOURCE
• Licensed Windows (MS)
• Ubuntu (open source)
• Numerous other open source alternatives
• Basic requirement for a secure IT setup
• Pirated software is infested with malware
2. LICENSED ENTERPRISE ANTI-VIRUS
• Users usually do not update their AV
• Visibility dashboard & central management required
• Consistent management of hundreds or thousands of anti-virus agents
• Many anti-virus agents are out of sync with the update server

Layer 1: FOUNDATION
3. ACTIVE DIRECTORY (AD)
• Active Directory (AD) is essential not only to regulate account management (authentication and authorization) but also to enforce and manage security controls

4. Edge FW With Filtering
• Forms the first line of perimeter defense
• Filtering of incoming and outgoing traffic
• DMZ for hosted services
• Policy enforcement for security

Layer 2: FUNDAMENTALS
1. LICENSED OR OPEN SOURCE VM TOOL
• Vulnerability management or patch management is a foundational layer of security practice
• Open source: OpenVAS
• Licensed: Qualys, Nessus, Rapid7

2. MIN QUARTERLY CREDENTIAL BASED VM CYCLE
• For those organizations that have not conducted VM practice before
• International best practice is a weekly VM cycle

Layer 2: FUNDAMENTALS
3. Edge NGN FW With Web, Email, Anti-malware Filtering
• Typical NGN FW: Fortinet
• Features: VPNs, web filtering, email anti-spam filtering, antivirus, anti-malware, application visibility and control, access-lists.

4. Network Segmentation With VLANs by Dept./Service & DMZ
• Network segmentation helps create separate broadcast domains
• Separate policies and filtering possible for each separate VLAN
• Helps manage traffic
• Segregate traffic into traffic types

Layer 3: HARDENED
1. Minimum Monthly Credential Based VM Scan
• Now moved to a monthly scan from a quarterly scan
• Credential based scan instead of non-credential scan

2. CIS BENCHMARKS HARDENING OF ALL IT ASSETS
• Hardening covered in detail in this course
• Planning, pilot, production implementation
• Usually takes 6-8 months depending upon the size of the organization.

Layer 3: HARDENED
3. NGN FW At Datacenter Entry Point With Filtering
• Filtering and malware protection at the datacenter entry point is often ignored
• All traffic, including internal user traffic entering or exiting the datacenter, needs to be filtered.

4. Software Security Hardening Program
• A software security program needs to be developed
• Software security hardening: controls identification, pilot controls implementation, validation, testing, change management, PROD

Layer 4: PROTECTED
1. CIS 20 CRITICAL SECURITY CONTROLS
• Aggregate control set covering all aspects of IT
• CIS benchmarks covered individual asset hardening
• Excellent set of security controls
• Sets of international best practices

2. Software Source Code Review For Critical Applications
• Source code review is a specialized activity which may be conducted in a manual or automated manner.
• Specific to the software technology platform
• Peer or 3rd party

Layer 4: PROTECTED
3. External/Internal Penetration Test (Critical Assets):
• Penetration test is most beneficial after the internal VM program is functional and security hardening has been performed
• Third-party review of vulnerabilities and hacker-view of assets.

4. ISO 27001:2013 (ISMS) Certification
• Global gold standard for Information Security Governance
• Needs to be wisely used as it is both deep and broad
• Used as a security governance framework leveraging VM & software hardening.

Layer 5: Monitored
1. SIEM SOLUTION FOR SECURITY EVENTS DETECTION
• SIEM solutions provide security log collection, dashboard reporting, root-cause analysis, and correlation
• Leading SIEM solutions: LogRhythm, IBM QRadar, Splunk, Elastic Search

2. DATA LOSS PREVENTION (DLP) SOLUTION
• Classification, visibility, and control of data
• Monitoring and blocking of data leakage and data exfiltration
• Network DLP and system DLP (agent)

Layer 5: Monitored
3. CRITICAL DATA ENCRYPTION
• Protect intellectual property and confidential information
• Confidentiality and integrity of data
• Encrypt data at rest, in transit, and in use
• Laptop HDD and removable media

Layer 6: SECURED
1. THREAT SIMULATION
• Platform such as Redwolf Security (www.redwolfsecurity.com)
• Security testing, load testing, and DoS testing
• Misconfigured security devices and incident response

2. THREAT PROTECTION
• Various threat protection solutions
• Best solutions will map to the vulnerability condition of your IT assets, e.g. Qualys Threat Protect
• Helps to pinpoint the most critical assets and prioritize patching.
• Qualys Threat Protection Live Threat Intelligence Feed displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, & drill down into asset details

Layer 6: SECURED
3. SECURITY ORCHESTRATION, AUTOMATION, AND INCIDENT RESPONSE
• Solution such as Cybersponse (www.cybersponse.com)
• From triaging and investigating alerts to collaboration and remediation between team members, CyberSponse takes the security operations team to the next level.

4. RED TEAM PENETRATION TESTING
• Red team and blue team
• Attack & defense simulation
• Continuously find holes in security defenses
• Uncover security vulnerabilities before hackers exploit them.

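As an added example (not part of the slides), the sequential six-layer model can be turned into a simple self-assessment: the script below scores a control inventory against the layers listed above, derives the quarterly (Layer 2) and monthly (Layer 3) credentialed VM-cycle controls from the date of the last scan, and reports the layer achieved plus the gaps per layer. The control identifiers, the inventory format, the 91/31-day thresholds and the rule that a layer counts only when every lower layer is complete are assumptions of this example.

```python
# Added example, not slide content: score a control inventory against the CSMM
# layers. Control names follow the slides; thresholds and scoring are assumptions.
from datetime import date, timedelta

CSMM_LAYERS = {  # layer -> controls, in the order the slides list them
    1: ["licensed_os", "enterprise_av", "active_directory", "edge_firewall"],
    2: ["vm_tool", "quarterly_credentialed_vm", "ngn_edge_firewall",
        "vlan_segmentation"],
    3: ["monthly_credentialed_vm", "cis_benchmark_hardening",
        "datacenter_ngn_firewall", "software_hardening"],
    4: ["cis_20_controls", "source_code_review", "penetration_test", "iso27001"],
    5: ["siem", "dlp", "critical_data_encryption"],
    6: ["threat_simulation", "threat_protection", "soar", "red_team"],
}
LAYER_NAMES = {1: "Foundation", 2: "Fundamentals", 3: "Hardened",
               4: "Protected", 5: "Monitored", 6: "Secured"}

def vm_cadence_controls(last_credentialed_scan, today):
    """Quarterly (Layer 2, <= 91 days) and monthly (Layer 3, <= 31 days) VM cadence."""
    age = today - last_credentialed_scan
    return {"quarterly_credentialed_vm": age <= timedelta(days=91),
            "monthly_credentialed_vm": age <= timedelta(days=31)}

def assess(inventory):
    """Return (achieved_layer, gaps) for a control -> bool inventory. The model is
    sequential: a layer counts only when it and every lower layer are complete."""
    achieved, gaps, blocked = 0, {}, False
    for layer, controls in CSMM_LAYERS.items():
        missing = [c for c in controls if not inventory.get(c, False)]
        if missing:
            gaps[layer] = missing
            blocked = True
        elif not blocked:
            achieved = layer
    return achieved, gaps

def example_assessment(today=date(2024, 5, 22)):
    """Constructed inventory: Layers 1-2 complete (scan 45 days old), one Layer 3 control."""
    inventory = {c: True for c in CSMM_LAYERS[1]}
    inventory.update({"vm_tool": True, "ngn_edge_firewall": True,
                      "vlan_segmentation": True, "cis_benchmark_hardening": True})
    inventory.update(vm_cadence_controls(date(2024, 4, 7), today))
    return assess(inventory)

if __name__ == "__main__":
    layer, gaps = example_assessment()
    print(f"Achieved: Layer {layer} ({LAYER_NAMES[layer]})")
    for lvl, missing in gaps.items():
        print(f"  Layer {lvl} ({LAYER_NAMES[lvl]}) missing: {', '.join(missing)}")
```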
Any Questions?
