Topic outline

  • About the Course

    Course Name  : Advanced Digital Security

    Course Code: MIS 9303                                                  

    Course Level: Year 2, Semester 1

    Course Credit Units:  3 CUs; 45CH

     

    COURSE DESCRIPTION

    The course teaches information security awareness, standards, design, control, monitoring and response, covering both the software environment and the physical environment in which people operate. On completion, learners should be able to design and implement information security policies, apply cyber law, analyse and handle information security risks, and respond effectively to information security breaches so that business and organizational continuity is maintained.

     

    Course Content

    Overview of Information Security/Assurance

    •                    Confidentiality, integrity and availability (CIA) of data

    •                    Authenticity and non-repudiation

    •                    Risk management, administrative control

    •                    Logical and physical security

     

    Security Classification

    •                    Value of information and defining appropriate procedures

    •                    Protection requirements for information



    Information Security Process

    •                    Method of achieving information security objectives

    •                    Threats, vulnerabilities, attack prevention techniques

    •                    The expected frequency of attacks

    •                    Institution operations and technology, and the institution's defensive posture

     

    Governance Issues

    •                    Information security governance

    •                    Responsibility

    •                    Accountability

    •                    Auditability, access control

    •                    Consequences of a security breach

     

    Information Security Standards

    •                    The ISO standards (ISO/IEC 27001): establishment and maintenance of a documented Information Security Management System (ISMS)

    •                    Information security policy

    •                    Information security management of identifiable risks

     

    Information Security Risk and Assessment

    •                    Information security risk

    •                    Vulnerability, threat; risk assessment

    •                    Risk management process: analysis, description, estimation and treatment; risk management policy

    •                    Risk management standards; risk mitigation; risk management tools

     

    Information Security Monitoring

    •                    Collection and analysis of data to guard against policy violations and anomalous behavior

    •                    Architecture issues; activity monitoring

    •                    Network intrusion detection systems

    •                    Condition monitoring; independent tests

     

    Information Security Incidents

    •                    Analysis of incidents

    •                    Intrusion response

    •                    Incident management

     

    Access Control

    •                    Authorization; access rights administration

    •                    Authentication: shared secret systems, token systems, public key infrastructure, biometrics; firewalls; operating system access

    •                    Application access; remote access; encryption

    •                    Malicious code prevention; physical security

     

    Human Resource Security

    •                    Risks posed by internal users

    •                    Background checks and screening at recruitment

    •                    Agreements: confidentiality, non-disclosure and authorized use

    •                    Job descriptions; training

     

    Data Security

    •                    Data and information security theories and tools

    •                    Data creation, handling, storage

    •                    Transmission and destruction

     

    Asset Management

    •                    Inventories; responsibilities and operational procedures

    •                    Media handling

    •                    Systems documentation

     

    Information Security Laws and Regulations

    •                    Cyber laws; compliance

    •                    Corporate relationships and exchange of information

    •                    Information crime; scene of crime; evidence of crime

    •                    Law enforcement; business continuity during crime investigation

    •                    Video surveillance and paper records

     

    Advances in Information Security

    •                    Emerging issues on information security

     

    Mode Of Delivery

              Lectures

              Reading assignments

              Presentations

              Group discussions

     

    Instructional Materials And / Or Equipment

              Whiteboard and Markers

              Flip Charts

              LCD Projectors

              CDs, DVDs and Tapes

     

    Course Assessment

              Continuous assessment tests                    20%

              Group and individual project (course work)     20%

              End of semester examination                    60%

              Total                                         100%

     

    Reading Materials

    1.         International Conference on Privacy, Security and Trust

    2.         International Journal of Information Security

    3.         International Journal of Applied Cryptography

    4.         Journal of Computer Security

    5.         Security Journal

     

    Lecturer: Prof. Zake

    +256 788485749 (WhatsApp)

    zake.muwanga@kiu.ac.ug

    tebiggwawo@gmail.com

  • Assignments

    • Test Quiz (available until 10 November 2023, 8:00 AM)
  • Introduction

    Digital security, also known as information security, is the practice of protecting digital information from unauthorized access, use, disclosure, disruption, modification, or destruction. With the increasing use of technology in every aspect of our lives, digital security has become a top priority for organizations of all sizes.

    Digital security can be broken down into several different types, each with its specific purpose and application. The most common types of digital security include:

    • Network security: This type of digital security is focused on protecting an organization’s networks from unauthorized access or attack. It includes firewalls, intrusion detection and prevention systems, and virtual private networks (VPNs).
    • Application Security: This type of digital security is focused on protecting an organization’s applications and systems from unauthorized access or attack. It includes web application firewalls, application security testing, and secure coding practices.
    • Endpoint Security: This type of digital security is focused on protecting an organization’s endpoints, such as laptops, smartphones, and tablets, from unauthorized access or attack. It includes antivirus software, endpoint protection platforms, and mobile device management (MDM) solutions.
    • Cloud security: This type of digital security is focused on protecting an organization’s cloud-based systems and data from unauthorized access or attack. It includes security-as-a-service, cloud access security brokers, and cloud-based intrusion detection and prevention.
    • Identity and access management (IAM): This type of digital security is focused on controlling and managing access to an organization’s systems and data. It includes multi-factor authentication, single sign-on, and identity and access management platforms.

    Each type addresses a different layer, and they are complementary rather than interchangeable. Network security controls who can reach a system at all; application security protects the application from attacks that arrive over connections the network legitimately allows, such as malformed input sent by an authenticated user. A gap in any one layer leaves the organization exposed even when the others are strong.

    Applications: Digital security has a wide range of applications in various industries. In the healthcare industry, for example, digital security is essential for protecting patient information and maintaining the privacy and security of electronic health records. In the financial industry, digital security is essential for protecting sensitive financial information and maintaining the integrity of financial transactions. In the retail industry, digital security is essential for protecting customer information and maintaining the security of online transactions.

    With the growing demand for cybersecurity professionals, a career in digital security can be extremely rewarding. With the latest data and trends indicating the need for more cybersecurity professionals, now is the time to consider a career in digital security. Understanding the different types of digital security and their applications will enable you to make an informed decision about your career path. It’s also important to note that digital security is a constantly evolving field, and professionals in this field must stay up to date with the latest threats and technologies in order to be effective in their roles.

    In its narrower sense, digital security is about securing data and digital identities from bad actors. Cyber security is more expansive and covers protecting not just the data, but entire networks, computer systems, servers and other digital components from unauthorized access.



    3 Pillars of Data Security: Confidentiality, Integrity & Availability

    Larry Zorio, Chief Information Security Officer  | 21 June 2022

    • Confidentiality — You need to know your data is protected from unauthorized access.
    • Integrity — You have to be able to trust your data.
    • Availability — You need to be able to access your data.

    Confidentiality

    Is your data protected from unauthorized access?

    Following the principle of least-privilege, users should only have the read, write, and execute permissions that are absolutely necessary for their jobs. Because public safety agencies handle sensitive information, confidentiality is often front-of-mind for agencies, community members, and oversight organizations. 

    To ensure data confidentiality, agencies should:

    • Comply with all FBI Criminal Justice Information Services (CJIS) guidelines 
    • Follow the practice of least-privilege access, where employees can only access the data they need for their job duties — no more, no less
    • Mandate cybersecurity training for agency employees
    • Implement an identity access management program, including identity and privilege access management, multi-factor authentication (MFA), SSO, and regular access reviews
    • Enforce secure password guidelines
    • Encrypt data and use encrypted connections to access data

    Integrity

    Is your data protected against unauthorized changes?

    Like a student accessing school systems and changing their grades, cyberattackers can access mission-critical systems and change and remove data. Public safety agencies rely on data to make informed decisions and serve their community, and incorrect data can lead to costly mistakes.

    To protect data integrity, agencies should:

    • Work with infrastructure providers who store data in physically secure locations
    • Encrypt data and securely store the encryption key
    • Audit data access and changes regularly
    • Use cyber analysis tools to monitor the flow of information and users into, through, and out of your systems, and address irregularities quickly.
    • Create a data backup and restoration strategy
    • Evaluate data integrity strategy and adherence to best practices often
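    The two items above about auditing changes and detecting unauthorized alteration can be made concrete with a small tamper-evident record log. The following Go program is an added illustration, not code from the article or from any product it mentions. It assumes a hypothetical grades table (the records are constructed for the example) and a hypothetical integrity key that lives in a secrets store rather than beside the data. Each record is tagged with an HMAC over its fields and the previous record's tag, so an attacker who can write to the table but does not hold the key cannot change, insert or delete a record without the verification pass noticing:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one row of a hypothetical student-grades table (constructed data).
type Record struct {
	Student string
	Course  string
	Grade   string
}

// Entry is a record together with the HMAC tag that chains it to its predecessor.
type Entry struct {
	Record Record
	Tag    string // hex-encoded HMAC-SHA256 over (previous tag, record fields)
}

// computeTag returns HMAC-SHA256(key, prevTag || fields). Each field is
// length-prefixed so that "ab"+"c" and "a"+"bc" cannot produce the same input.
func computeTag(key []byte, prevTag string, r Record) string {
	mac := hmac.New(sha256.New, key)
	for _, f := range []string{prevTag, r.Student, r.Course, r.Grade} {
		fmt.Fprintf(mac, "%d:%s|", len(f), f)
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// Append adds a record whose tag depends on the tag of the entry before it.
func Append(key []byte, audit []Entry, r Record) []Entry {
	prev := ""
	if n := len(audit); n > 0 {
		prev = audit[n-1].Tag
	}
	return append(audit, Entry{Record: r, Tag: computeTag(key, prev, r)})
}

// VerifyChain recomputes every tag from the start. It returns -1 when the
// whole chain is intact, otherwise the index of the first entry whose stored
// tag no longer matches its contents and its predecessor.
func VerifyChain(key []byte, audit []Entry) int {
	prev := ""
	for i, e := range audit {
		want := computeTag(key, prev, e.Record)
		if !hmac.Equal([]byte(want), []byte(e.Tag)) {
			return i
		}
		prev = e.Tag
	}
	return -1
}

func main() {
	// Assumption: the key is fetched from a secrets store, never stored with the table.
	key := []byte("hypothetical-integrity-key")

	var audit []Entry
	audit = Append(key, audit, Record{Student: "s1001", Course: "MIS9303", Grade: "C"})
	audit = Append(key, audit, Record{Student: "s1002", Course: "MIS9303", Grade: "B"})
	fmt.Println("intact:", VerifyChain(key, audit) == -1)

	// Someone with write access to the table, but not the key, edits a grade.
	audit[0].Record.Grade = "A"
	fmt.Println("first tampered entry:", VerifyChain(key, audit))
}
```

    The chain detects modification of any field, insertion or removal of a record in the middle, and a wrong key. It does not by itself detect truncation of the tail, since a shortened chain is still internally consistent; to cover that, the latest tag (or a count) must also be stored somewhere the attacker cannot write, such as the secrets store that holds the key.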

    Availability

    Can authorized users access data when and where they need to?

    Availability is compromised when the servers storing your data are offline or when remote access to servers is limited or unavailable. While some government systems, like a wastewater SCADA system, can operate in an air-gapped environment (that is, not connected to the internet or other systems), public safety technologies must be connected to the internet and other agency systems to effectively collect, update, and share information.

    To ensure data availability, agencies should:

    • Run regular quality control tests to verify availability
    • Maintain hardware and software through regular maintenance, upgrades, and patches
    • Choose cloud-native systems, which reduce downtime through a continuous delivery development approach
    • Eliminate siloed, single-function, and monolithic applications, and implement multi-functional, interoperable applications and systems
    • Create connection redundancies so communications continue during an internet service provider outage

    • Overview of Information Security/ Assurance

      •                    Confidentiality, integrity and availability (CIA) of data

      Confidentiality, Integrity, and Availability (otherwise referred to as the CIA Triad) is the backbone of information security. This model guides the information security policies of an organization.

      Confidentiality is a set of rules that limits access to sensitive information. Confidentiality measures should prevent company information from falling into the wrong hands. Integrity is the assurance that the information is not only trustworthy, but accurate. To maintain integrity, information security teams must ensure that data is not altered in transit and is protected from unauthorized modification at rest.

      Availability is a guarantee that authorized persons will be able to access the information when necessary. To guarantee data availability, proper security measures must be in place to maintain software and hardware infrastructures.


      •                   Authenticity, and non-repudiation

      Authenticity and non-repudiation are two core concepts in information security. They are closely related but distinct. Authentication verifies the sender's identity and the origin of a message. It is a technical property that can be achieved with cryptography, for example a message authentication code computed with a key that only the legitimate sender and receiver hold.

      Non-repudiation goes one step further: the sender cannot later deny having sent the message. A shared-key authentication code cannot provide this on its own, because the receiver holds the same key and could have produced the tag. A digital signature made with a private key that only the sender controls supplies the technical evidence, but non-repudiation is ultimately a legal concept, settled through legal and social processes (aided by technology). It is typically contested in a legal setting when the authenticity of a signature is challenged.
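      The distinction above is easiest to see by running both mechanisms side by side. The program below is an added example written for this outline, not code from the course or from any cited source; the message, the shared key and the parties Alice and Bob are constructed for the illustration. With a shared-key HMAC, Bob can verify that a message came from someone holding the key, but he could have minted the same tag himself, so Alice can deny authorship. With an Ed25519 signature, anyone holding Alice's public key can verify the message, and Bob cannot produce a signature that verifies under her key:

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// --- Authenticity with a shared secret (HMAC) ---

// MacTag returns HMAC-SHA256(key, msg). Both sender and receiver hold key.
func MacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MacVerify recomputes the tag and compares it in constant time.
func MacVerify(key, msg, tag []byte) bool {
	return hmac.Equal(MacTag(key, msg), tag)
}

// --- Authenticity plus non-repudiation with a digital signature (Ed25519) ---

// Party holds a signing key pair. The private key never leaves the party.
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair from the OS entropy source.
func NewParty() Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy means no safe keys; stop rather than continue
	}
	return Party{Pub: pub, priv: priv}
}

// Sign produces a signature only the holder of priv could have made.
func (p Party) Sign(msg []byte) []byte { return ed25519.Sign(p.priv, msg) }

// SigVerify checks sig over msg against a public key; any third party can run it.
func SigVerify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	msg := []byte("approve payment of 100 to vendor 42")     // constructed message
	altered := []byte("approve payment of 100000 to vendor 42")

	// Shared-key MAC: assumption is that Alice and Bob exchanged this key out of band.
	shared := []byte("hypothetical-shared-key")
	tag := MacTag(shared, msg)
	fmt.Println("Bob accepts Alice's MAC:", MacVerify(shared, msg, tag))
	fmt.Println("altered message fails under the same tag:", MacVerify(shared, altered, tag))
	// Bob holds the key too, so he can mint a valid tag for any message he likes.
	fmt.Println("Bob can forge a valid MAC:", MacVerify(shared, altered, MacTag(shared, altered)))

	// Signature: only Alice holds her private key.
	alice, bob := NewParty(), NewParty()
	sig := alice.Sign(msg)
	fmt.Println("anyone accepts Alice's signature:", SigVerify(alice.Pub, msg, sig))
	fmt.Println("altered message fails:", SigVerify(alice.Pub, altered, sig))
	fmt.Println("Bob's forgery verifies under Alice's key:", SigVerify(alice.Pub, altered, bob.Sign(altered)))
}
```

      Both mechanisms reject an altered message, so both give integrity and authenticity between the two parties. Only the signature gives a third party, such as an auditor or a court, evidence that binds the message to Alice alone, which is what the legal process around non-repudiation relies on.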

      •                    Risk management, and administrative control

      Risk management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.

      In information security, administrative controls are the policies, procedures, standards and training that govern how people do their work, as distinct from technical (logical) controls and physical controls. The term is borrowed from safety engineering, where administrative controls establish work practices that reduce the duration, frequency, or intensity of exposure to hazards. In that setting they may include:

        • work process training
        • job rotation
        • ensuring adequate rest breaks
        • limiting access to hazardous areas or machinery
        • adjusting line speeds

      •                    Logical and physical security

       Logical security and physical security are two types of security measures used to protect computer systems and data storage. Logical security refers to electronic measures such as permissions within the operating system or access rules at the network layer, such as those enforced by firewalls, routers and switches. Physical security, on the other hand, refers to controlled entry doors, video surveillance and other tangible measures. Both logical and physical security use access control to manage the entry and exit of authorized individuals in an organization.


    • Security Classification

      • Value of information and defining appropriate procedures
      • Protection requirements for information

    • Information Security Process

      Information security is a process that moves through phases, building on and strengthening itself along the way. Security is a journey, not a destination. Although the information security process has many strategies and activities, they can all be grouped into three distinct phases: prevention, detection, and response.

    • Governance Issues

      •                    Information security governance

      •                    Responsibility

      •                    Accountability

      •                    Auditability, access control

      •                    Consequences of a security breach

      Reference URL https://www.pwc.co.uk/issues/cyber-security-services/insights/governing-cyber-security-risk.html

      What is cyber security governance?

      There are many frameworks for cyber security management, which focus on the definition and build of security controls. But there is little practical guidance as to how boards should define their cyber security governance.

      Cyber security governance provides a strategic view of how an organisation controls its security, including defining its risk appetite, building accountability frameworks, and establishing who is responsible for making decisions. Effective governance will also ensure that cyber security activities help to support the organisation’s strategic goals.

      Seven principles for governance of cyber security risk

      In order to assist boards and investors, I propose seven principles for boards to adopt for the governance of cyber security. Consideration of these principles would enable boards to:

      • structure their governance of cyber security risk;
      • debate and make the tough decisions required (both by management and boards) to build an adequate response to cyber security threats;
      • challenge themselves and their executive management as to whether their response is adequate and evolving sufficiently rapidly as the risk develops;
      • structure a discussion with investors as to the appropriateness of their management of cyber security risk;
      • engage with investors to help them compare and contrast differing approaches to the management of cyber security risk, and
      • facilitate a discussion as to what would be appropriate for companies to report publicly with regard to cyber security.

      The seven principles are outlined below, with more detail provided in the full paper available for download.


      1. Real understanding of exposure

      Many organisations fail to understand properly why they might be targeted; what might make them vulnerable, and how a successful attack might impact them.

      The understanding needs to extend beyond the enterprise. It must reflect relationships that could make them a target and the complexity of digital connections that could cause them to be vulnerable: suppliers, service providers, partners, cloud services, critical data feeds, staff and customers to name a few. It must also reflect what data the organisation manages, why and where.

      Building this understanding, and ensuring it stays current, is critical to ensuring that the response to the risk is adequate.


      2. Appropriate capability and resource

      Effective cyber security requires capable skilled resource that is empowered and resourced to shape an organisation to be secure. Boards need to be confident in the capability of their security function and its leadership, their ability to drive a broad response to cyber security across the whole enterprise, and rapid access to wider capability when required. Effective executive ownership is critical, with the CEO taking an active role.

      For boards to be effective in this area, they themselves require sufficient capability to probe, challenge and support management. Board-level time needs to be devoted to drilling into detail, since that is where significant issues can lie. Capable non-executives are required, potentially supported by a board sub-committee with additional expertise.

      3. Holistic framework and approach

      A holistic approach to managing cyber security needs to not just build and operate effective cyber security controls. It must also reduce the complexity of the technology and data estate to which those controls are applied (inside and outside the organisation); address process and cultural/human vulnerabilities that attackers are increasingly targeting, and embed cyber security consideration in all business decision making.

      Process vulnerabilities are often overlooked, but common targets. Examples include weak registration processes to online services or distributing sensitive data to an inappropriate third party for processing. A simple, but often exploited human vulnerability is poor password management, such as reuse of credentials across applications.

      Recognised frameworks, such as those published by the US National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) can help define required cyber security controls, but taking a broader approach is critical. Meaningful measurement is crucial, not just of controls but also extent of exposure.


      4. Independent review and test

      As with other significant issues, boards require independent validation and testing of their believed cyber security posture. This is achievable through independent expert review of cyber security frameworks and approaches, and even certifications of specific elements.

      Strength of individual critical controls and systems needs to be tested and techniques such as ‘red team testing’ by skilled penetration testers can assess effectiveness of overall response to specific likely attack techniques (but only at a point in time). The speed with which issues identified through independent review and test are resolved should be measured.

      5. Incident preparedness and track record

      Cyber security incidents are inevitable. Governance of cyber security risk is important but effective governance when the risk materialises is critical.

      Ensuring that focussed, practiced plans exist to respond to, and recover from, the most likely scenarios is essential. These need to consider not just technical resolution, but also business management, reputation management and management of legal and regulatory risk. Incidents need to be tracked, accurately reported, and lessons learnt.

      In addition, organisations need to be able to respond appropriately to the reporting of vulnerabilities that could make products, services or internal processes vulnerable to attack.

      The approach to incidents and vulnerabilities needs to be considered through suppliers and service providers, and not just within the ‘perimeter’ of the organisation itself. Exercising response at all levels is crucial, including the executive committee and board.


      6. Considered approach to legal and regulatory environment

      Cyber security cuts across an increasingly complex legal and regulatory environment globally. Industry regulation, data protection regimes, national security legislation, reporting requirements and product liability are a few examples of legal and regulatory environments that need to be understood, and a considered global response developed and maintained.

      7. Active community contribution

      No organisation can protect itself in isolation. Attackers commonly breach one organisation in order to target another, and replicate successful attack techniques rapidly. Thus collaboration is essential: between organisations within industries; through supply chains; between public and private sectors; between companies and law enforcement/intelligence agencies, and even with customers.