Advanced Security Concepts#
Unit I: Introduction to Cyber Security & Cryptography#
Lecture 4: Security Policies, Resources & Threat Modeling#
Course: Cyber Security (4353204) | Semester V | Diploma ICT | Author: Milav Dabgar
Recap: Previous Lectures#
Lecture 1: Introduction#
- Cyber security definition
- Digital asset protection
- Current threat landscape
- Career opportunities
Lecture 2: CIA Triad#
- Confidentiality principles
- Integrity mechanisms
- Availability requirements
- Practical applications
Lecture 3: Terminology#
- Key security terms
- Adversary classification
- Attack vectors
- Risk management
Today's Learning Objectives#
- Design comprehensive security policies
- Manage system resources effectively
- Implement threat modeling methodologies
- Apply vulnerability management lifecycle
Security Policy Deep Dive#
Policy Hierarchy#
1. Organizational Policy#
- High-level strategic direction
- Board and executive approved
- Broad scope and principles
- Rarely changes
2. Functional Policies#
- Specific security areas
- Department level implementation
- Detailed requirements
- Regular updates
3. Technical Standards#
- Implementation specifications
- Technology-focused
- Measurable criteria
- Frequent revisions
Policy Development Process#
Phase 1: Planning#
- Identify business requirements
- Assess current state
- Define scope and objectives
- Assemble development team
Phase 2: Development#
- Research best practices
- Draft policy content
- Review with stakeholders
- Incorporate feedback
Phase 3: Implementation#
- Approve through governance
- Communicate to organization
- Train affected personnel
- Monitor compliance
Essential Security Policies#
Core Security Policies#
Information Security Policy#
- Data classification standards
- Access control requirements
- Incident response procedures
- Employee responsibilities
Acceptable Use Policy#
- Authorized system usage
- Prohibited activities
- Personal device guidelines
- Internet and email usage
Access Control Policy#
- User provisioning process
- Role-based permissions
- Regular access reviews
- Termination procedures
Technology-Specific Policies#
Mobile Device Policy#
- BYOD requirements
- Device encryption standards
- App installation restrictions
- Remote wipe capabilities
Cloud Security Policy#
- Approved cloud services
- Data residency requirements
- Shared responsibility model
- Vendor assessment process
Network Security Policy#
- Firewall configurations
- Wireless network standards
- VPN usage requirements
- Network monitoring protocols
Policy Enforcement & Compliance#
Enforcement Mechanisms#
Technical Controls#
- Automated policy enforcement
- System configurations
- Access restrictions
- Monitoring and alerting
Administrative Controls#
- Training and awareness
- Regular audits
- Performance reviews
- Disciplinary procedures
Physical Controls#
- Facility access restrictions
- Equipment protection
- Environmental controls
- Visitor management
Compliance Monitoring#
Key Performance Indicators#
- Policy violation incidents
- Training completion rates
- Audit findings resolution
- Risk assessment results
Reporting Structure#
```mermaid
graph TB
    A[Daily Reports] --> B[Weekly Summaries]
    B --> C[Monthly Dashboards]
    C --> D[Quarterly Reviews]
    D --> E[Annual Assessments]
    style A fill:#e3f2fd
    style B fill:#f3e5f5
    style C fill:#e8f5e8
    style D fill:#fff3e0
    style E fill:#fce4ec
```
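The technical controls and KPIs above become concrete once a policy is written as checks that run over an inventory. The following is an added example, not part of the lecture slides: a few rules from the Mobile Device Policy and Access Control Policy are encoded as checks, every device record is evaluated, and the results are rolled up into the "policy violation incidents" KPI and a compliance rate. The device records, the thresholds (10-minute lock, 30-day patch window, 90-day access review) and the reference date are all constructed for the example.

```python
"""Policy-as-code compliance check over an endpoint inventory.

Added example, not part of the lecture slides. A handful of rules from the
Mobile Device Policy and Access Control Policy are written as checks, each
device record is evaluated, and the results feed the KPI "policy violation
incidents". All device records, thresholds and the reference date are
constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

AS_OF = date(2024, 6, 1)  # constructed reference date for time-based rules


@dataclass
class Device:
    hostname: str
    owner: str
    disk_encrypted: bool
    screen_lock_minutes: int      # 0 means the screen never locks
    os_patch_age_days: int        # days since the last OS patch was applied
    last_access_review: date      # date of the last access review
    admin_users: list = field(default_factory=list)


def check_device(device, as_of=AS_OF):
    """Return the names of the policy rules this device violates."""
    violations = []
    if not device.disk_encrypted:                       # device encryption standard
        violations.append("disk-encryption")
    if not 0 < device.screen_lock_minutes <= 10:        # auto-lock within 10 minutes
        violations.append("screen-lock")
    if device.os_patch_age_days > 30:                   # 30-day patch window
        violations.append("patch-window")
    if (as_of - device.last_access_review).days > 90:   # quarterly access review
        violations.append("access-review")
    if "admin" in device.admin_users:                   # shared generic admin account
        violations.append("shared-admin")
    return violations


def compliance_report(devices, as_of=AS_OF):
    """Aggregate per-device results into KPI-style numbers."""
    per_device = {d.hostname: check_device(d, as_of) for d in devices}
    by_rule = Counter(rule for rules in per_device.values() for rule in rules)
    compliant = sum(1 for rules in per_device.values() if not rules)
    return {
        "per_device": per_device,
        "violations_by_rule": dict(by_rule),
        "violation_incidents": sum(by_rule.values()),
        "compliance_rate": compliant / len(devices) if devices else 1.0,
    }


# Constructed sample inventory
SAMPLE_DEVICES = [
    Device("lap-001", "alice", True, 5, 10, date(2024, 4, 15)),
    Device("lap-002", "bob", False, 15, 10, date(2024, 5, 1)),
    Device("lap-003", "carol", True, 0, 45, date(2024, 1, 10)),
    Device("srv-010", "itops", True, 5, 3, date(2024, 5, 20), ["admin", "dave"]),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_DEVICES)
    for host, rules in report["per_device"].items():
        print(f"{host}: {'compliant' if not rules else ', '.join(rules)}")
    print("violations by rule:", report["violations_by_rule"])
    print(f"compliance rate: {report['compliance_rate']:.0%}")
```

Running the block prints one line per device and the rolled-up counts; the per-rule counts are what a monthly dashboard would chart, and the compliance rate is the single number that goes into the quarterly review.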
System Resource Management#
Asset Classification Framework#
Critical Assets#
- Mission-essential systems
- High business impact
- Maximum protection required
- Immediate response priority
Important Assets#
- Significant business value
- Moderate impact if compromised
- Standard protection measures
- Planned response procedures
Standard Assets#
- Regular business operations
- Limited impact potential
- Basic protection sufficient
- Standard response timeframes
Asset Inventory Process#
Discovery Methods#
- Network scanning tools
- Agent-based collection
- Manual documentation
- Integration with CMDB
Asset Attributes#
- Technical: OS, versions, configs
- Business: Owner, criticality, location
- Security: Vulnerabilities, controls
- Lifecycle: Purchase, support, EOL
Maintenance Tasks#
- Regular inventory updates
- Automated discovery scans
- Change management integration
- Retirement procedures
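The discovery methods and attributes above are most useful when the sources are cross-checked against each other. The following is an added example, not from the lecture: a constructed network-scan result and a constructed agent/CMDB inventory are reconciled, assets the scanner sees but the agent inventory lacks are flagged as unmanaged, assets past their end-of-life date are flagged, and each managed asset is placed in one of the three protection tiers from the classification slide. All addresses, hostnames and dates are constructed sample data.

```python
"""Asset inventory reconciliation and protection tiering.

Added example, not from the lecture. Two discovery sources are merged (a
network scan and an agent/CMDB inventory, both constructed here): assets the
scanner sees but the agent inventory lacks are flagged as unmanaged, assets
past end-of-life are flagged, and each managed asset is placed in one of the
three protection tiers from the slide according to its criticality attribute.
"""
from datetime import date

AS_OF = date(2024, 6, 1)  # constructed reference date

# Constructed network-scan result: IP address -> open TCP ports observed
NETWORK_SCAN = {
    "10.0.1.10": [22, 443],
    "10.0.1.11": [3389],
    "10.0.1.12": [80],
    "10.0.2.5": [22],
}

# Constructed agent/CMDB records keyed by IP address
AGENT_INVENTORY = {
    "10.0.1.10": {"hostname": "web-01", "os": "Ubuntu 22.04", "owner": "ecommerce",
                  "criticality": "critical", "eol": date(2027, 4, 1)},
    "10.0.1.11": {"hostname": "fs-02", "os": "Windows Server 2012", "owner": "finance",
                  "criticality": "important", "eol": date(2023, 10, 10)},
    "10.0.2.5": {"hostname": "dev-07", "os": "Debian 12", "owner": "engineering",
                 "criticality": "standard", "eol": date(2028, 6, 10)},
}

# Tier -> (protection level, response priority), following the slide
TIERS = {
    "critical": ("maximum", "immediate"),
    "important": ("standard", "planned"),
    "standard": ("basic", "standard timeframe"),
}
TIER_ORDER = {"critical": 0, "important": 1, "standard": 2}


def reconcile(scan, inventory, as_of=AS_OF):
    """Cross-check the two discovery sources and the lifecycle attribute."""
    return {
        # on the network but no agent/CMDB record: shadow IT or a missed onboarding
        "unmanaged": sorted(ip for ip in scan if ip not in inventory),
        # recorded but not seen by the scanner: possibly retired without a record update
        "not_seen": sorted(ip for ip in inventory if ip not in scan),
        # vendor support ended: no more security patches
        "past_eol": sorted(ip for ip, rec in inventory.items() if rec["eol"] <= as_of),
    }


def prioritized(inventory, as_of=AS_OF):
    """Managed assets ordered by tier, EOL assets first within each tier."""
    rows = []
    for ip, rec in inventory.items():
        protection, response = TIERS[rec["criticality"]]
        rows.append({"ip": ip, "hostname": rec["hostname"], "criticality": rec["criticality"],
                     "protection": protection, "response": response,
                     "past_eol": rec["eol"] <= as_of})
    rows.sort(key=lambda r: (TIER_ORDER[r["criticality"]], not r["past_eol"]))
    return rows


if __name__ == "__main__":
    print(reconcile(NETWORK_SCAN, AGENT_INVENTORY))
    for row in prioritized(AGENT_INVENTORY):
        print(row)
```

The `unmanaged` list is the one to act on first: an asset with no record has no owner, no criticality and no patch status, so it cannot be protected by any of the tiers until it is onboarded.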
Threat Modeling Fundamentals#
What is Threat Modeling?#
Threat modeling is a systematic approach to identifying, analyzing, and mitigating security threats to applications, systems, or networks.
Core Objectives#
- Identify potential threats
- Understand attack vectors
- Prioritize security risks
- Design effective countermeasures
When to Apply#
- System design phase
- Architecture reviews
- Security assessments
- Incident investigations
Threat Modeling Process#
Step 1: Define Scope#
- System boundaries
- Assets to protect
- Assumptions and constraints
- Success criteria
Step 2: Create Models#
- Data flow diagrams
- System architecture
- Trust boundaries
- Entry/exit points
Step 3: Identify Threats#
- STRIDE methodology
- Attack trees
- Threat libraries
- Expert brainstorming
STRIDE Threat Model#
STRIDE Categories#
S - Spoofing#
- Definition: Pretending to be someone else
- Examples: Fake certificates, IP spoofing
- Countermeasures: Authentication, digital signatures
T - Tampering#
- Definition: Modifying data or code
- Examples: File modification, packet alteration
- Countermeasures: Integrity checks, digital signatures
R - Repudiation#
- Definition: Denying performed actions
- Examples: Claiming actions weren’t performed
- Countermeasures: Audit logs, digital signatures
I - Information Disclosure#
- Definition: Exposing protected information
- Examples: Data leaks, eavesdropping
- Countermeasures: Encryption, access controls
D - Denial of Service#
- Definition: Making systems unavailable
- Examples: DDoS attacks, resource exhaustion
- Countermeasures: Load balancing, rate limiting
E - Elevation of Privilege#
- Definition: Gaining unauthorized access levels
- Examples: Buffer overflows, privilege escalation
- Countermeasures: Input validation, least privilege
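The three process steps (define scope, create models, identify threats) and the six STRIDE categories fit together in a small program. The following is an added example, not part of the lecture: for a constructed web application it records the scope, builds a data-flow model with trust zones (a flow between two different zones crosses a trust boundary, and the element it lands on is an entry point), and enumerates threats using the STRIDE-per-element mapping from Microsoft's threat modeling methodology (external entities get S and R, processes all six, data stores T, R, I, D, data flows T, I, D). The countermeasures are the ones listed on the STRIDE slide; the priority rule (entry points and boundary-crossing flows first) is this example's own assumption.

```python
"""Three-step threat model: scope, DFD model, STRIDE threat list.

Added example, not part of the lecture. It walks the process from the slides
for a constructed web application: Step 1 records scope, Step 2 builds the
data-flow model with trust zones (a flow between different zones crosses a
trust boundary), Step 3 enumerates threats with the STRIDE-per-element
mapping from Microsoft's methodology. Countermeasures are the ones listed on
the STRIDE slide; the priority rule is this example's own assumption.
"""
from dataclasses import dataclass

# Step 1: define scope (constructed)
SCOPE = {
    "boundaries": ["internet", "dmz", "internal"],
    "assets": ["user credentials", "customer records"],
    "assumptions": ["TLS is available between zones", "internal network is not trusted"],
    "success_criteria": "every entry point has a countermeasure per STRIDE category",
}

# STRIDE categories that apply to each DFD element type (STRIDE-per-element)
STRIDE_PER_ELEMENT = {
    "external": "SR",     # external entity: spoofing, repudiation
    "process": "STRIDE",  # process: all six
    "store": "TRID",      # data store: tampering, repudiation, disclosure, DoS
    "flow": "TID",        # data flow: tampering, disclosure, DoS
}

# Category name and the countermeasures named on the STRIDE slide
COUNTERMEASURES = {
    "S": ("Spoofing", "authentication, digital signatures"),
    "T": ("Tampering", "integrity checks, digital signatures"),
    "R": ("Repudiation", "audit logs, digital signatures"),
    "I": ("Information Disclosure", "encryption, access controls"),
    "D": ("Denial of Service", "load balancing, rate limiting"),
    "E": ("Elevation of Privilege", "input validation, least privilege"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone the element runs in


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element

    def crosses_boundary(self):
        return self.src.zone != self.dst.zone


# Step 2: create the model (constructed)
BROWSER = Element("Browser", "external", "internet")
WEB_APP = Element("Web App", "process", "dmz")
AUTH = Element("Auth Service", "process", "internal")
USER_DB = Element("User DB", "store", "internal")
ELEMENTS = [BROWSER, WEB_APP, AUTH, USER_DB]
FLOWS = [Flow(BROWSER, WEB_APP), Flow(WEB_APP, AUTH), Flow(AUTH, USER_DB)]


def entry_points(flows):
    """Elements that receive a flow from a different trust zone."""
    return sorted({f.dst.name for f in flows if f.crosses_boundary()})


def build_threat_list(elements, flows):
    """Step 3: one threat record per (target, applicable STRIDE category)."""
    entries = set(entry_points(flows))
    threats = []

    def add(target, codes, priority):
        for code in codes:
            category, fix = COUNTERMEASURES[code]
            threats.append({"target": target, "category": category,
                            "countermeasure": fix, "priority": priority})

    for e in elements:
        add(e.name, STRIDE_PER_ELEMENT[e.kind],
            "high" if e.name in entries else "medium")
    for f in flows:
        add(f"{f.src.name} -> {f.dst.name}", STRIDE_PER_ELEMENT["flow"],
            "high" if f.crosses_boundary() else "medium")
    return threats


if __name__ == "__main__":
    print("scope:", SCOPE["boundaries"], "entry points:", entry_points(FLOWS))
    for t in build_threat_list(ELEMENTS, FLOWS):
        print(f"[{t['priority']:6}] {t['target']:26} {t['category']:24} -> {t['countermeasure']}")
```

The output is the raw threat list that the brainstorming and threat-library steps then refine; what the code adds over a checklist is that the trust-boundary information from Step 2 decides which records come first.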
Attack Trees & Modeling#
Attack Tree Concepts#
Attack trees are hierarchical diagrams showing how security attacks can be decomposed into sub-attacks.
Structure Components#
- Root node: Primary attack goal
- Sub-goals: Ways to achieve parent goal
- Leaf nodes: Basic attack steps
- AND/OR logic: Relationship types
Benefits#
- Visual representation of threats
- Systematic attack analysis
- Risk quantification support
- Communication tool for stakeholders
Example: Web Application Attack#
```mermaid
graph TD
    A[Compromise Web App] --> B[Exploit Authentication]
    A --> C[Exploit Authorization]
    A --> D[Exploit Input Validation]
    B --> B1[Brute Force]
    B --> B2[Credential Theft]
    B --> B3[Session Hijacking]
    C --> C1[Privilege Escalation]
    C --> C2[Access Control Bypass]
    D --> D1[SQL Injection]
    D --> D2[XSS Attack]
    D --> D3[Buffer Overflow]
```
Analysis Questions#
- Which paths are most likely?
- What are the costs/skills required?
- Which countermeasures are most effective?
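The analysis questions can be answered mechanically once each leaf carries a score. The following is an added example, not from the lecture: it encodes the slide's tree (all relationships on the slide are OR), attaches a constructed attacker effort score and success likelihood to each leaf, and computes the cheapest path, the most likely path, and how both change after a countermeasure is applied (modelled as re-scoring the affected leaf). AND nodes are supported in the usual way (effort adds, likelihoods multiply) even though the slide's tree has none. All scores are constructed illustration values, not measurements.

```python
"""Attack tree evaluation over the slide's web application tree.

Added example, not from the lecture. The tree is the one on the slide (all
OR relationships); each leaf carries a constructed attacker effort score and
success likelihood. The functions answer the slide's analysis questions:
the cheapest path, the most likely path, and how those change after a
countermeasure is applied (modelled as changing a leaf's values). AND nodes
are supported (effort adds, likelihoods multiply) even though the slide's
tree does not use them.
"""
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    gate: str = "OR"              # "OR" or "AND"; ignored for leaves
    effort: float = 0.0           # leaf: constructed attacker effort score
    likelihood: float = 0.0       # leaf: constructed probability of success
    children: list = field(default_factory=list)


def leaf(name, effort, likelihood):
    return Node(name, effort=effort, likelihood=likelihood)


# Constructed scores for the slide's leaves
TREE = Node("Compromise Web App", children=[
    Node("Exploit Authentication", children=[
        leaf("Brute Force", 2, 0.20),
        leaf("Credential Theft", 5, 0.40),
        leaf("Session Hijacking", 6, 0.30),
    ]),
    Node("Exploit Authorization", children=[
        leaf("Privilege Escalation", 7, 0.30),
        leaf("Access Control Bypass", 4, 0.35),
    ]),
    Node("Exploit Input Validation", children=[
        leaf("SQL Injection", 3, 0.50),
        leaf("XSS Attack", 3, 0.45),
        leaf("Buffer Overflow", 9, 0.10),
    ]),
])


def cheapest_path(node):
    """(effort, path): OR takes the cheapest child, AND needs every child."""
    if not node.children:
        return node.effort, [node.name]
    results = [cheapest_path(c) for c in node.children]
    if node.gate == "AND":
        return (sum(r[0] for r in results),
                [node.name] + [n for r in results for n in r[1]])
    best = min(results, key=lambda r: r[0])
    return best[0], [node.name] + best[1]


def most_likely_path(node):
    """(likelihood, path): OR takes the max child, AND multiplies children."""
    if not node.children:
        return node.likelihood, [node.name]
    results = [most_likely_path(c) for c in node.children]
    if node.gate == "AND":
        p = 1.0
        for r in results:
            p *= r[0]
        return p, [node.name] + [n for r in results for n in r[1]]
    best = max(results, key=lambda r: r[0])
    return best[0], [node.name] + best[1]


def with_countermeasure(tree, leaf_name, effort, likelihood):
    """Copy of the tree with one leaf re-scored after a countermeasure."""
    tree = deepcopy(tree)
    stack = [tree]
    while stack:
        n = stack.pop()
        if n.name == leaf_name and not n.children:
            n.effort, n.likelihood = effort, likelihood
        stack.extend(n.children)
    return tree


if __name__ == "__main__":
    print("cheapest:", cheapest_path(TREE))
    print("most likely:", most_likely_path(TREE))
    hardened = with_countermeasure(TREE, "Brute Force", 10, 0.02)        # lockout + rate limiting
    hardened = with_countermeasure(hardened, "SQL Injection", 8, 0.05)  # parameterised queries
    print("after countermeasures, cheapest:", cheapest_path(hardened))
    print("after countermeasures, most likely:", most_likely_path(hardened))
```

The second run is the point of the exercise: after two countermeasures the cheapest and most likely paths both move to a different leaf, which tells the team where the next control budget should go rather than re-hardening what is already covered.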
Vulnerability Management Lifecycle#
Risk Assessment Methodologies#
Quantitative Assessment#
Components#
- Asset Value (AV): Dollar value of the asset
- Exposure Factor (EF): Fraction (%) of the asset value lost in a single event
- Single Loss Expectancy (SLE): AV × EF
- Annual Rate of Occurrence (ARO): Expected number of events per year
- Annual Loss Expectancy (ALE): SLE × ARO
Example Calculation#
Server Value: $50,000
Fire Risk Exposure: 60%
SLE = $50,000 × 0.60 = $30,000
Fire Frequency: 0.1/year
ALE = $30,000 × 0.1 = $3,000/year
Qualitative Assessment#
Risk Levels#
- Critical: Immediate action required
- High: Address within 30 days
- Medium: Address within 90 days
- Low: Address when resources allow
Risk Matrix#
| Impact/Likelihood | Low | Medium | High |
|---|---|---|---|
| High Impact | Medium | High | Critical |
| Medium Impact | Low | Medium | High |
| Low Impact | Low | Low | Medium |
Advantages#
- Easier to understand
- Faster to complete
- Less precise data required
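Both methods on this slide can be carried through in a few functions. The following is an added example, not from the lecture: the quantitative part reproduces the fire example (SLE = AV × EF, ALE = SLE × ARO) and goes one step beyond the slide with the annual value of a safeguard, a standard extension of the ALE method (ALE before the control, minus ALE after it, minus the control's annual cost); the qualitative part encodes the risk matrix and the response deadlines from the risk-levels list. The safeguard cost and the reduced exposure factor are constructed figures.

```python
"""Quantitative and qualitative risk assessment helpers.

Added example, not from the lecture. The quantitative part reproduces the
slide's fire example (SLE = AV x EF, ALE = SLE x ARO) and adds the annual
value of a safeguard (ALE before, minus ALE after, minus annual cost), a
standard extension of the ALE method. The qualitative part encodes the
slide's risk matrix. Safeguard costs and the reduced exposure factor are
constructed figures.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF; EF is the fraction of the asset lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO; ARO is the expected number of events per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(asset_value, ef_before, ef_after, aro, annual_cost):
    """Net annual benefit of a control; positive means it pays for itself."""
    before = annual_loss_expectancy(asset_value, ef_before, aro)
    after = annual_loss_expectancy(asset_value, ef_after, aro)
    return before - after - annual_cost


# Qualitative risk matrix from the slide: RISK_MATRIX[impact][likelihood]
RISK_MATRIX = {
    "high":   {"low": "Medium", "medium": "High",   "high": "Critical"},
    "medium": {"low": "Low",    "medium": "Medium", "high": "High"},
    "low":    {"low": "Low",    "medium": "Low",    "high": "Medium"},
}
# Response deadline in days from the risk-levels list (None: when resources allow)
DEADLINE_DAYS = {"Critical": 0, "High": 30, "Medium": 90, "Low": None}


def qualitative_rating(impact, likelihood):
    """Map (impact, likelihood) to a risk level and its response deadline."""
    level = RISK_MATRIX[impact.lower()][likelihood.lower()]
    return level, DEADLINE_DAYS[level]


if __name__ == "__main__":
    # Slide example: server worth $50,000, fire destroys 60%, once per 10 years
    print("SLE:", single_loss_expectancy(50_000, 0.60))
    print("ALE:", annual_loss_expectancy(50_000, 0.60, 0.1))
    # Constructed: a suppression system cuts EF to 20% and costs $1,000/year
    print("suppression net value:", safeguard_value(50_000, 0.60, 0.20, 0.1, 1_000))
    # Constructed: a $2,500/year alternative with the same effect does not pay off
    print("alternative net value:", safeguard_value(50_000, 0.60, 0.20, 0.1, 2_500))
    print("rating:", qualitative_rating("high", "medium"))
```

The safeguard comparison is where the quantitative method earns its extra data-collection effort: the same control is worth buying at one annual cost and not at another, which the qualitative matrix cannot express.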
Security Governance Framework#
Governance Structure#
Board Level#
- Strategic oversight
- Risk appetite setting
- Resource allocation
- Performance monitoring
Executive Level#
- Policy development
- Program management
- Risk management
- Incident response
Operational Level#
- Daily operations
- Technical implementation
- Monitoring and reporting
- User support
Practical Exercise: Security Policy Design#
Group Activity (15 minutes)#
Scenario: Remote Work Policy#
Your organization is implementing a permanent remote work policy post-pandemic.
Your Team’s Task:#
1. Identify key security concerns for remote work
2. Design policy sections covering:
   - Device requirements
   - Network security
   - Data protection
   - Incident reporting
3. Define enforcement mechanisms
4. Create compliance metrics
Deliverable:#
Present a 2-minute summary of your policy framework
Implementation Challenges#
Common Challenges#
Policy Development#
- Competing priorities
- Resource constraints
- Stakeholder alignment
- Technical complexity
Implementation#
- User resistance
- Technology limitations
- Process integration
- Change management
Maintenance#
- Regular updates
- Compliance monitoring
- Performance measurement
- Continuous improvement
Success Factors#
Leadership Support#
- Executive sponsorship
- Clear communication
- Resource allocation
- Cultural change
Stakeholder Engagement#
- Early involvement
- Regular communication
- Feedback incorporation
- Training provision
Technology Integration#
- Automation opportunities
- Tool consolidation
- Process streamlining
- Monitoring capabilities
Measuring Security Effectiveness#
Security Metrics Categories#
Leading Indicators#
- Training completion rates
- Vulnerability scan frequency
- Patch deployment time
- Security awareness levels
Lagging Indicators#
- Security incidents count
- Data breach impact
- Audit findings
- Compliance violations
Operational Metrics#
- Mean time to detection (MTTD)
- Mean time to response (MTTR)
- False positive rates
- System availability
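The operational metrics are the easiest of the three categories to automate from an incident log. The following is an added example, not from the lecture: it computes mean time to detection (MTTD), mean time to response (MTTR) and the false-positive rate from a constructed set of incident and alert records. MTTD is measured from the time the incident is later established to have begun until the alert fired, and MTTR from the alert until the ticket was closed; false positives have no start time and are excluded from both means but counted in the false-positive rate. All timestamps are constructed.

```python
"""Operational security metrics from an incident log.

Added example, not from the lecture. It computes mean time to detection
(MTTD), mean time to response (MTTR) and the false-positive rate from a
constructed set of incident and alert records. MTTD runs from the
(later established) start of the incident to detection, MTTR from
detection to resolution; false positives count only toward the rate.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Record:
    ident: str
    detected: datetime                  # when the alert fired
    resolved: datetime                  # when the ticket was closed
    true_positive: bool
    occurred: Optional[datetime] = None  # start of the real incident (None for false positives)


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed incident log
RECORDS = [
    Record("INC-1", _ts("2024-05-01T10:00"), _ts("2024-05-01T14:00"), True, _ts("2024-05-01T08:00")),
    Record("INC-2", _ts("2024-05-03T06:00"), _ts("2024-05-03T09:00"), True, _ts("2024-05-03T00:00")),
    Record("INC-3", _ts("2024-05-05T13:00"), _ts("2024-05-05T15:00"), True, _ts("2024-05-05T12:00")),
    Record("ALR-4", _ts("2024-05-06T09:00"), _ts("2024-05-06T10:00"), False),
    Record("ALR-5", _ts("2024-05-07T11:00"), _ts("2024-05-07T11:30"), False),
]


def hours(delta):
    return delta.total_seconds() / 3600


def mttd_hours(records):
    """Mean time to detection over true positives with a known start time."""
    gaps = [hours(r.detected - r.occurred)
            for r in records if r.true_positive and r.occurred is not None]
    return mean(gaps) if gaps else None


def mttr_hours(records):
    """Mean time from detection to resolution over true positives."""
    gaps = [hours(r.resolved - r.detected) for r in records if r.true_positive]
    return mean(gaps) if gaps else None


def false_positive_rate(records):
    """Share of alerts that turned out not to be incidents."""
    if not records:
        return None
    return sum(1 for r in records if not r.true_positive) / len(records)


def metrics(records):
    return {"mttd_hours": mttd_hours(records),
            "mttr_hours": mttr_hours(records),
            "false_positive_rate": false_positive_rate(records)}


if __name__ == "__main__":
    for name, value in metrics(RECORDS).items():
        print(f"{name}: {value:.2f}")
```

A falling MTTD with a rising false-positive rate is the pattern to watch for: detections that fire earlier because the rules were loosened cost analyst time, which is why the two metrics are reported together.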
Metric Development Process#
Step 1: Define Objectives#
- Business alignment
- Stakeholder needs
- Success criteria
- Baseline establishment
Step 2: Select Metrics#
- Relevance to objectives
- Data availability
- Collection feasibility
- Actionability
Step 3: Implement Collection#
- Automated data gathering
- Standardized reporting
- Quality assurance
- Regular reviews
Next Lecture Preview#
Lecture 5: OSI Security Architecture - Part 1#
Focus Topics:#
- OSI model layers overview
- Security attacks at different layers
- Layer-specific vulnerabilities
- Attack classification methods
Preparation:#
- Review OSI 7-layer model
- Research layer-specific security issues
- Think about network protocols you use daily
Key Takeaways Today#
Security Management Foundations#
- Policies provide governance framework
- Asset management enables protection prioritization
- Threat modeling identifies security gaps
- Vulnerability management reduces risk exposure
Practice Application#
- Develop comprehensive policies
- Implement systematic asset management
- Apply threat modeling techniques
- Establish vulnerability management processes
Questions & Discussion#
Discussion Points:#
- Which policy areas are most challenging to implement?
- How do you balance security with business needs?
- What are the biggest asset management challenges?
Exercise Results#
Share your remote work policy frameworks
Thank You!#
Next Lecture: OSI Security Architecture - Part 1#
Understanding Security at Every Network Layer#
Cyber Security (4353204) - Lecture 4 Complete
Security by design, not by accident!