Security in organizations

“Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't use a computer without wondering about the security vulnerabilities. They just can't help it.”

Bruce Schneier

 

Course ID: 00153

Credits: 6

Schedule: First semester

Lecturers:

-    Prof. dr. Eric Verheul (Lecturer)

-    Anna Guinet (Assignments handling and administrative issues), a.guinet at cs.ru.nl, https://cs.ru.nl/~aguinet/

-    Guest lecturers (see below)

Description

The goal of this class is twofold. The first goal is to demonstrate a structured approach towards security in an organization, covering the necessary standards and tools. The second goal is to introduce students to the 'security mindset', giving them an understanding of what often goes wrong with security in organizations and how to avoid this.

Information security, nowadays often called cybersecurity, deals with the preservation of the confidentiality, integrity and availability of information. The leading standard on information security is ISO 27001. This standard defines the notion of an Information Security Management System (ISMS): an instrument for the management of an organization to be in control of its information security risks. Fundamental within ISO 27001 is that information security is considered to be a continuous ‘process’ and not a fixed set of security controls or a ‘product’ one can simply buy. The process allows management to ensure that others within their organization are implementing security controls that are effective.

One of the difficulties of the information security process is its multidisciplinary nature: it needs to grasp security requirements from the organization business processes (where the managers typically are not savvy on information security) and to translate them to security controls. These controls can be of various types, e.g. procedural, organizational, relating to personnel security, physical, ICT technical, cryptographic or legal. Moreover, the information security process needs to check that the operational effectiveness of the chosen controls is satisfactory and to adapt the controls (or the surrounding framework leading to the controls) if required.

Within the course the information security process is explored at both a theoretical and a practical level, never losing sight of the computer science perspective. To this end the course also has several practical exercises. The course provides the basic information on information security required by the security officer of an organization, by IT security auditors and by IT security consultants. As information security is still a rapidly evolving topic (one might argue it is even still in its infancy), the course can also provide inspiration for further scientific research in the field.

The course closely follows the ISO 27001 standard. It starts with three classes on the theory of security management in line with the ISO 27001 standard. In essence, the organization here selects different types of security controls from Annex A of the ISO 27001 standard, which are described in more detail in another standard, ISO 27002.

These controls are divided into eighteen topics corresponding with respective chapters in the ISO 27002 standard (see table below). In this table we have used the grouping of the latest (2013) version of ISO 27002, i.e. [ISO27002].

ISO27002 Chapter   Title

5                  Information security policies
6                  Organization of information security
7                  Human resource security
8                  Asset management
9                  Access control
10                 Cryptography
11                 Physical and environmental security
12                 Operations security
13                 Communications security
14                 System acquisition, development and maintenance
15                 Supplier relationships
16                 Information security incident management
17                 Information security aspects of business continuity management
18                 Compliance

From class 4 onwards the course focuses on these topics. After a short introduction, each of the topics is discussed by guest lecturers from various organizations. These lecturers explain the implementation of the topic in their organization and the challenges one faces in this.

Objectives (‘leerdoelen’)

·       Learn to control information security risks within an organization in a holistic fashion (procedural, organizational and technical).

·       Become familiar with the leading standards in this area, their shortcomings and practical implementation guidelines.

·       Learn to map policies to technical countermeasures and vice versa.

·       Learn how to write and enforce security policies.

·       Learn some basic techniques in security auditing.

·       Get an idea of the practical aspects of information security.

 

Teaching Methods (‘werkvormen’)

·       32 hrs lecture (16 lectures)

·       32 hrs “werkcollege”

·       104 hrs self-study

 

Prerequisite knowledge

It is expected that you have a basic understanding of technical computer security, including:

·       Basic networking including firewalling

·       WIFI Security

·       HTTP and cookies

·       SSL/TLS

·       Basic attacks, e.g. cross-site scripting, SQL injection, buffer overflows

·       Cryptography, e.g. SHA256, AES-ECB, AES-CBC, HMAC, RSA, ECC, ECDSA

·       Basic knowledge of Microsoft Windows security

 

Examination

To successfully pass the exam the student has to fulfill the following two conditions:

1.     Having carried out *ALL* the assignments. NOTE: TRU/e students do not need to do Assignment #4!

2.     Having taken the written exam at the end of the course. This exam is closed book.

The final mark will be the average of the two averages of parts 1 and 2.

 

Detailed schedule & assignments

IMPORTANT: Hardness of the assignment deadlines

- Deadlines for assignments are *hard*: if you deliver your assignment too late it will be graded with a one (1), unless you have a valid reason for the late delivery. It is at the discretion of Alexandru Constantin to decide whether the reason is valid or not. All assignments need to be done by a team of two students.

Assignment templates (non-compulsory)

Word

Latex

Columns of the original schedule table: # | Week | Date | Topic / Literature (slides in BlackBoard) | Focus point | #Classes | Lecturer

Class 1 (week 36, 4 September 2020); 2 classes; lecturer: Eric Verheul

Topic / Literature:

-    The ISO 27001 and 27002 standards

-    The ISO 27005 standard

-    Cyber Security Assessment Netherlands 2019: https://english.ncsc.nl/publications/publications/2019/09/13/cyber-secrurity-assessment-netherlands-2019

-    Risk Management & Governance, see https://www.cybok.org/knowledgebase/

-    Adversarial Behaviours KA, see https://www.cybok.org/knowledgebase/

-    Suggested reading/browsing: [BLACK TULIP], [CBP RICHTSNOEREN], [Ach27001], [GHOSTNET], Chapter 1 of [Security Engineering], Chapter 2 of [Security Engineering], [Microsoft_Security_Intelligence_Reports], [VERIZON]

Focus point:

-    Introduction to IB and class

-    Security Management based on ISO 27001

-    Assignment #1, deadline: 2020/10/01

Class 2 (week 37, 11 September 2020); lecturer: Eric Verheul

Topic / Literature:

-    Security Management based on ISO 27001

-    Implementation of ISO 27001

Focus point:

-    Conducting Risk Assessments in IB: Assignment #2, deadline: 2020/10/15

Class 3 (week 38, 18 September 2020); 1 class; lecturer: Eric Verheul

Topic / Literature:

-    Information security policies, Chapter 5 of [ISO27002]

-    Organization of information security, Chapter 6 of [ISO27002]

-    Asset Management, Chapter 7 of [ISO27002]

Focus point:

-    Explanation of security policy and introduction to Assignment #3 (writing an IS policy), deadline: 2020/12/17

Class 4 (week 39, 25 September 2020); 1 class; lecturer: Sophie Keizer

Topic / Literature:

-    Cyber Security Assessment Netherlands 2019: https://english.ncsc.nl/publications/publications/2019/09/13/cyber-secrurity-assessment-netherlands-2019

-    The Cyber Security Assessment Netherlands 2020 (Cybersecuritybeeld Nederland (CSBN) 2020) is also available, but only in Dutch: https://www.ncsc.nl/documenten/publicaties/2020/juni/29/csbn-2020

Focus point:

-    Cyber Security Assessment Netherlands

Class 5 (week 40, 2 October 2020); 1 class; lecturer: Jan Joris Verijken, Crunchr

Topic / Literature:

-    System acquisition, development and maintenance, Chapter 14 of [ISO27002]

Focus point:

-    Security by design

Class 6 (week 41, 9 October 2020); 1 class; lecturer: Arjan Zwikker, Akzo Nobel

Topic / Literature:

-    Operations security, Chapter 12 of [ISO27002]

-    Communications security, Chapter 13 of [ISO27002]

-    System acquisition, development and maintenance, Chapter 14 of [ISO27002]

-    Supplier relationships, Chapter 15 of [ISO27002]

-    Chapter 25 of [Security Engineering]

Focus point:

-    SCADA security

Class 7 (week 42, 16 October 2020); 1 class; lecturer: Colin Smits, NORTHWAVE

Topic / Literature:

-    Information security incident management, Chapter 16 of [ISO27002]

-    [SP800-61]

Focus point:

-    Information security incident management and the role of a Security Operations Center (SOC).

-    Assignment #4 (Shodan test); a disclosure letter you can use

-    Alternative Assignment #4: Handleiding Cybercrime

-    (NOTE: TRU/e students do not need to do Assignment #4)

-    Deadline: 2020/11/12

Course free weeks: 23 October and 30 October 2020

Class 8 (week 45, 6 November 2020); 1 class; lecturer: Wiebe Fokma, INFORM

Topic / Literature:

-    Operations security, Chapter 12 of [ISO27002]

-    Information security incident management, Chapter 16 of [ISO27002]

Focus point:

-    Security scoring in monitoring.

Class 9 (week 46, 13 November 2020); 1 class; lecturer: Frans van Buul, Micro Focus (‘Fortify’)

Topic / Literature:

-    Operations security, Chapter 12 of [ISO27002]

-    System acquisition, development and maintenance, Chapter 14 of [ISO27002]

Focus point:

-    Automated vulnerability testing

Class 10 (week 47, 20 November 2020); 1 class; lecturer: Jos Weyers, toool.nl

Topic / Literature:

-    Physical and environmental security, Chapter 11 of [ISO27002]

-    Chapter 11 of [Security Engineering]

-    [TOOOL]

Focus point:

-    The importance of locks in the security of organizations.

-    Assignment #5 (physical inspection), changed due to the COVID-19 pandemic! Deadline: 2021/01/04

Class 11 (week 48, 27 November 2020); 1 class; lecturer: Eric Verheul

Topic / Literature:

-    Access control, Chapter 9 of [ISO27002]

-    Cryptography, Chapter 10 of [ISO27002]

-    [eIDAS]

-    Chapter 4 of [Security Engineering]

-    [PEP]

Focus point:

-    Federated user management (e.g. DigiD, e-ID) and its usage in e-government.

Class 12 (week 49, 4 December 2020); 1 class; lecturer: Jelle Wieringa, Knowbe4.com

Topic / Literature:

-    Human resource security, Chapter 7 of [ISO27002]

Focus point:

-    Social engineering

Class 13 (week 50, 11 December 2020); 1 class; lecturer: Ruurdje Procee, Audit Dienst Rijk (ADR)

Topic / Literature:

-    Compliance, Chapter 18 of [ISO27002]

-    Chapter 26 of [Security Engineering]

Focus point:

-    ICT Audit ADR

Class 14 (week 51, 18 December 2020); lecturer: Eric Verheul

Topic / Literature:

-    Compliance, Chapter 18 of [ISO27002]

-    Chapter 26 of [Security Engineering]

Focus point:

-    ICT Audit

-    Assignment #6 (simple audit), with Appendix; deadline: 2021/01/14

 

Reference to course material

Reference / Description and location:

[Ach27001]
How to Achieve 27001 Certification, Sigurjon Thor Arnason, Keith D. Willett, Auerbach Publications, 2008. Available from http://www.netbks.com/. Local copy here.

[BLACK TULIP]
Black Tulip, Report of the investigation into the DigiNotar Certificate Authority breach, Fox-IT, 2012. Local copy here. See also http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBAMS:2014:4888

[CBP RICHTSNOEREN]
Beveiliging van persoonsgegevens, CBP Richtsnoeren, February 2013. Local copy here.

[eIDAS]
Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market. See http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AJOL_2015_235_R_0001.

[GHOSTNET]
Tracking GhostNet - Investigating a Cyber Espionage Network, Information Warfare Monitor, March 29, 2009. Local copy here.

[ISO27001]
Information technology — Security techniques — Information security management systems — Requirements, ISO, 2013. Available from www.iso.org.

[ISO27002]
Information technology — Security techniques — Code of practice for information security management, ISO, 2013. Available from www.iso.org.

[ISO27005]
Information technology — Security techniques — Information security risk management, ISO, 2011. Available from www.iso.org.

[ISP-BOTNET]
Internet Service Providers and Botnet Mitigation: A Fact-Finding Study on the Dutch Market, report prepared for the Netherlands Ministry of Economic Affairs, Agriculture and Innovation, Michel J.G. van Eeten et al., 2011. Available from http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/01/13/internet-service-providers-and-botnet-mitigation/tud-isps-and-botnet-mitigation-in-nl-final-public-version-07jan2011.pdf

[Microsoft_Security_Intelligence_Reports]
Microsoft Security Intelligence Reports, available from https://www.microsoft.com/en-us/security/operations/security-intelligence-report.

[PEP]
E. Verheul and B. Jacobs, Polymorphic Encryption and Pseudonymisation in Identity Management and Medical Research. Nieuw Archief voor Wiskunde NAW, 5/18, nr. 3, 2017, p. 168-172. Available from http://www.cs.ru.nl/E.Verheul/papers/NAW2017/naw5-2017-18-3-168.pdf

[Project Fontana]
Fox-IT report on the support of the University of Maastricht while it was under a ransomware attack on 23-24 December 2019 (in Dutch). See https://www.maastrichtuniversity.nl/um-cyber-attack-symposium-%E2%80%93-lessons-learnt.

[Security Engineering]
Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson, Second Edition, John Wiley & Sons, Inc., 2001. Available from http://www.cl.cam.ac.uk/~rja14/book.html.

[SP800-55]
Performance Measurement Guide for Information Security, National Institute of Standards and Technology (NIST), Revision 1, July 2008. Available from http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf.

[SP800-30]
Guide for Conducting Risk Assessments, National Institute of Standards and Technology (NIST), Revision 1, September 2012. Available from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf.

[SP800-61]
Computer Security Incident Handling Guide, National Institute of Standards and Technology (NIST), Revision 2, August 2012. Available from https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final.

[TOOOL]
www.toool.org.

[VERIZON]
Verizon Data Breach Investigation Reports, see https://enterprise.verizon.com/en-nl/resources/reports/dbir/.