Laws and regulations governing cybersecurity
5. Information Security Management System
5.8. Technical measures
Technical measures together with organisational measures are the basic elements of security measures. While organisational measures are primarily focused on setting rules and policies in an organisation, technical measures are primarily focused on rules for setting up information and communication systems and services.
For the individual technical measures, open source tools applicable to each measure are also presented.
5.8.1 Physical security
Physical security is primarily focused on the protection of the technical assets of a given entity. Regarding physical security, Maisner states that “the aim of this measure is primarily to prevent unauthorised access to individual elements of infrastructure, server rooms, system administrators’ workplaces, etc. The effort is to prevent theft of property directly and indirectly related to the information system, or to prevent damage to tangible and intangible equipment or equipment of spaces. Last but not least, it tries to prevent a leakage of information and data.”[1]
Within the scope of physical security, the obligor shall
- prevent damage, theft or misuse of assets or interruption of the provision of information and communication system services,
- determine a physical security perimeter demarcating the area in which information is stored and processed and where the technical assets of the information and communication system are located,
- apply means of physical security to the physical perimeter:
- to prevent unauthorised entry,
- to prevent damage and unauthorised interference,
- to provide protection at the building level and within buildings.
The term physical security perimeter denotes a designated space or the boundary of that space. Such a space can be, for example, a set of premises, a single premises or part of a premises.
Premises are a building or other enclosed space. The boundary of the premises is the building envelope, a physical barrier (fencing) or another visibly defined boundary of the area. A secured area is a space within a building that is structurally or otherwise visibly delineated.
Means of physical security may include:
- mechanical means of restraint (e.g. locks, doors, grilles, security films, glass and other security structural and building elements, cabinet safes, safe doors and strongroom safes),
- secured area access control system (alarm and electronic security systems; detectors (motion, glass breakage, etc.); conditions for entry: identification token, PIN, biometrics, or a combination thereof),
- electrical security signalling equipment (alarm security and emergency systems – electrical security signalling control panels, electrical security signalling detectors, shock detectors, perimeter detection systems, emergency systems, etc.),
- special television systems (camera systems, CCTV surveillance systems, etc.),
- fire detection and fire alarm systems (connection to the control and alarm equipment, or to the electrical security alarm control panel),
- equipment limiting the effects of fires and natural events (alarm systems, smoke detectors, automatic fire extinguishing systems, etc.),
- equipment to ensure protection against failure of the power supply (backup power supplies – UPS, diesel generators, etc.).
It is also possible to implement, for example:
- equipment against passive and active eavesdropping.[2]
Areas where entry or access should be limited or regulated from the point of view of the security of information and communication systems include mainly server rooms (primary and backup), rooms with network elements (routers, switches, etc.), data storage (filing rooms, NAS storage, etc.) and the premises of ICT administrators.
Example: Physical security is one of the areas where organisational rules are most often violated and where periodic audits are therefore required. While most other security activities in an organisation are carried out by administrators, the management of physical access is often handed, once the security measures have been deployed, to less qualified staff, for example for cost reasons, who may not be aware of the specific security issues involved.
The author experienced several situations where, after a certain period of time, the person responsible for managing physical access began to grant access to persons who should not have had it (e.g. to server rooms), for example merely because a senior manager requested access to the protected area even though he did not have sufficient privileges for the request to be approved.
As part of physical security, it is also possible to use open source tools. In particular, these will involve the “implementation of central security desks, including camera surveillance systems. For this purpose, tools designed for monitoring network elements (Icinga, Nagios and others) can be used, supplemented by an interface for the corresponding sensors and connected to programs for the transmission and capture of the video signal from security cameras.”[3]
5.8.2 Tool for protecting the integrity of communication networks
Within the scope of this measure, the obligor shall:
- ensure segmentation of the communication network,
- ensure the management of communication within the communication network and the perimeter of the communication network (i.e. manage secure access between the internal and external network),
- use cryptography to ensure the confidentiality and integrity of data during remote access, remote administration or access to the communication network using wireless technologies (i.e. use cryptography to ensure e.g. VPN, ICT connection to Wi-Fi, etc.),
- actively block unwanted communication (e.g. spam filters, etc.),
- to ensure the segmentation of the network and to manage the communication between its segments, use a tool that ensures the protection of the integrity of the communication network.
“The tool for protecting the integrity of communication networks here means a suitably designed network topology, including the use of network elements enabling the required network segmentation and filtering of traffic between individual elements. The equipment used to achieve these requirements are Ethernet switches, routers and firewalls. If it is not possible to ensure network segmentation using VLANs on a managed switch, it is possible to achieve it using several smaller unmanaged switches, each of which implements one physical LAN.
When segmenting some networks, it is possible to use, for example, Turris routers (https://www.turris.cz/cs/), where high security is guaranteed (among other things by firmware designed to achieve the highest possible security) together with low power consumption.
Software routers/firewalls: www.ipcop.org/; https://www.ipfire.org/
Ethernet switch for virtualised environments: http://www.openvswitch.org/”[4]
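The segmentation and inter-segment filtering requirement described above, as an added example that is not part of the original text or of Kodet's article: a Python script keeps one allow-list of permitted traffic between VLAN segments, renders it as an nftables forward chain whose default policy is drop, and evaluates sample flows against the same list, so the firewall configuration and the test of it come from a single source. The segment names, VLAN interface names, address ranges and permitted services are constructed assumptions.

```python
"""Inter-segment traffic policy: explicit allow-list between VLAN segments, default deny.

Added example, not from the original text or the cited article. Segment names,
interface names, prefixes and the allowed services below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical segments: name -> (VLAN interface on the firewall, address range)
SEGMENTS = {
    "users":   ("vlan10", ip_network("10.10.0.0/24")),
    "servers": ("vlan20", ip_network("10.20.0.0/24")),
    "mgmt":    ("vlan30", ip_network("10.30.0.0/24")),
}

# Allow-list of (source segment, destination segment, protocol, destination port).
# Everything not listed is dropped by the chain policy.
ALLOWED = [
    ("users", "servers", "tcp", 443),   # users reach the web front end only
    ("mgmt",  "servers", "tcp", 22),    # administrators reach servers over SSH
    ("mgmt",  "users",   "tcp", 22),    # administrators reach workstations over SSH
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(addr: str):
    """Name of the segment an address belongs to, or None if outside all segments."""
    ip = ip_address(addr)
    for name, (_, net) in SEGMENTS.items():
        if ip in net:
            return name
    return None


def permits(flow: Flow) -> bool:
    """True only for a new flow that matches an allow-list entry between two
    different segments. Return traffic is covered by connection tracking in the
    generated ruleset, so no reverse entries are needed here."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None or src_seg == dst_seg:
        return False
    return (src_seg, dst_seg, flow.proto, flow.dport) in ALLOWED


def nftables_ruleset() -> str:
    """Render the same policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dst, proto, port in ALLOWED:
        src_if, dst_if = SEGMENTS[src][0], SEGMENTS[dst][0]
        lines.append(
            f'    iifname "{src_if}" oifname "{dst_if}" {proto} dport {port} ct state new accept'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nftables_ruleset())
    for f in (Flow("10.10.0.5", "10.20.0.10", "tcp", 443),
              Flow("10.10.0.5", "10.30.0.1", "tcp", 22)):
        print(f, "ALLOW" if permits(f) else "DROP")
```

The printed ruleset can be loaded with `nft -f` on a Linux router that carries the three VLAN interfaces; the point of generating it from the same table that `permits()` reads is that a change review can run the flow checks before the ruleset is deployed.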
5.8.3 Tool for user identity verification
Within the scope of this measure, the obligor shall use a tool to manage and verify the identity of users, administrators and applications of the information and communication system.
Such a tool is today in effect a component of every commonly used operating system (Linux, iOS, Windows). According to CSD, this tool should ensure
- personal identity verification (before starting activities in the information and communication system),
- management of the number of possible failed login attempts,
- resilience of stored or transmitted authentication data against unauthorised theft and misuse,
- storage of authentication data in a form resistant to offline attacks,
- re-verification of identity after a specified period of inactivity,
- observance of the confidentiality of authentication data when restoring access,
- centralised identity management.
To verify the identity of users, administrators and applications, the obligor uses:
- an authentication mechanism that is not based solely on the use of an account identifier and password but on multi-factor authentication, with at least two different types of factors,
- a tool for verifying the identity of users, administrators and applications that uses cryptographic key authentication and guarantees a comparable level of security[5],
- a tool for verifying the identity of users, administrators and applications that uses an account identifier and password for authentication.[6]
If an account identifier and password are used for authentication, the following conditions must be met:
- minimum password length:
- 12 characters for users and
- 17 characters for administrators and applications,
- the possibility to enter a password of at least 64 characters (i.e. the system must accept passwords of that length),
- the possibility to use lowercase and uppercase letters, digits and special characters in a password,
- the possibility to change a password, where the interval between two password changes must not be less than 30 minutes,
- not allow users and administrators to:
- choose the most frequently used passwords,
- create passwords based on multiple repetitive characters, login name, email, system name or similar,
- reuse previously used passwords, with a history of at least 12 previous passwords,
- mandatory change of a password at intervals of a maximum of 18 months, while this rule does not apply to accounts used to recover the system in the event of a disaster,
- force the default password to be changed immediately after its first use,
- immediately revoke a password used to restore access after its first use or after a maximum of 60 minutes from its creation,
- include rules for creating secure passwords in the security awareness development plan.
Example: We recommend using practical demonstrations for training users, for example the CeWL or CUPP tools. Both can be found, for example, in the Kali Linux distribution. CeWL can create a dictionary for a dictionary attack tailored to a specific organisation, based on the content of its website. CUPP can then create a dictionary tailored to a specific user. According to the authors’ experience, these practical examples are very beneficial for users, as they see for themselves that the password they have used so far, consisting of, for example, their date of birth and the name of the family dog, can actually be generated if the attacker has enough information about them.
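The password conditions listed above, together with the requirement that stored authentication data resist offline attacks, as an added example that is not part of the original text or of any tool it names: a Python module that checks a candidate password against every rule in the list (12/17-character minimum by role, acceptance of 64-character passwords, banned common passwords, repeated characters, passwords derived from the login name, e-mail or system name, a history of 12, a 30-minute minimum between changes, an 18-month maximum age with the disaster-recovery exemption, forced change of the initial password, and a 60-minute lifetime for a recovery password). Only salted PBKDF2-HMAC-SHA256 hashes are kept, so the history check works without storing plaintext. The common-password list, the iteration count, the system name, the account data and the day count used for "18 months" are constructed assumptions.

```python
"""Password rules of the decree as checkable code. Added example; account data,
the common-password list, the iteration count and the system name are constructed."""
import hashlib
import hmac
import os
import re
from datetime import timedelta

MIN_LEN = {"user": 12, "admin": 17, "application": 17}
MUST_ACCEPT_LEN = 64                          # the system must accept at least this length
HISTORY_DEPTH = 12
MIN_CHANGE_INTERVAL = timedelta(minutes=30)
MAX_PASSWORD_AGE = timedelta(days=548)        # 18 months; assumption: 548 days
RECOVERY_PASSWORD_LIFETIME = timedelta(minutes=60)
PBKDF2_ITERATIONS = 200_000                   # constructed value; tune for your hardware
SYSTEM_NAME = "portal"                        # constructed system name
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}  # stand-in list


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, login, email, role, recovery_account=False):
        self.login, self.email, self.role = login, email, role
        self.recovery_account = recovery_account  # disaster-recovery accounts: no maximum age
        self.history = []                         # newest first: list of (salt, digest)
        self.last_change = None                   # None = initial/default password still in use


def password_violations(account, candidate, now):
    """Return a list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LEN[account.role]:
        problems.append(f"shorter than {MIN_LEN[account.role]} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    # a substring repeated three or more times in a row, or fewer than four distinct characters
    if re.search(r"(.+?)\1{2,}", candidate) or len(set(candidate)) < 4:
        problems.append("built from repeated characters")
    identity = [account.login, account.email, account.email.split("@")[0], SYSTEM_NAME]
    if any(t.lower() in candidate.lower() for t in identity if len(t) >= 3):
        problems.append("derived from login name, e-mail or system name")
    if any(verify_password(candidate, s, d) for s, d in account.history[:HISTORY_DEPTH]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if account.last_change is not None and now - account.last_change < MIN_CHANGE_INTERVAL:
        problems.append("changed less than 30 minutes ago")
    return problems


def set_password(account, candidate, now):
    problems = password_violations(account, candidate, now)
    if problems:
        raise ValueError("; ".join(problems))
    account.history.insert(0, hash_password(candidate))
    del account.history[HISTORY_DEPTH:]
    account.last_change = now


def change_required(account, now):
    """Initial passwords must be changed at first use; others expire after MAX_PASSWORD_AGE,
    except for accounts reserved for disaster recovery."""
    if account.last_change is None:
        return True
    if account.recovery_account:
        return False
    return now - account.last_change > MAX_PASSWORD_AGE


def recovery_password_usable(created_at, already_used, now):
    """A password issued to restore access is single-use and expires after 60 minutes."""
    return not already_used and now - created_at <= RECOVERY_PASSWORD_LIFETIME
```

The checks run in the order a user would see them, and all violations are reported at once rather than stopping at the first, which is what the awareness material in the last bullet above needs when explaining a rejection.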
“For practical user authentication, the open source community offers plenty of software compatible with its commercial counterparts. These are, for example:
- FreeRADIUS (http://freeradius.org/): RADIUS
- OpenLDAP (http://www.openldap.org/): Microsoft AD, Oracle Internet Directory
- Kerberos (GNU Shishi, https://www.gnu.org/software/shishi/)
- OpenDiameter (https://sourceforge.net/projects/diameter/)
All of these tools provide means to enforce the specified password complexity, as well as other attributes required by the CSA, either by themselves through login.conf, or by using external mechanisms such as cracklib and dictionaries of popular ‘passwords’.”[7]
5.8.4 Access permission management tool
Within the scope of this measure, the obligor shall use a centralised access permission management tool.
The term permission means the right to access any of the assets (typically an information or communication system, an application, etc.). In practice, this is a tool for user and group management together with a tool for setting permissions on files and directories. Such tools are an integral component of all standard operating systems.
A centralised access permission management tool is intended to ensure the management of permissions:
- for access to individual assets of the information and communication system and
- for reading data, writing data and changing permissions.
It is advisable to apply tools for centralised management of access rights that will communicate with a central AAA (Authentication, Authorisation, Accounting) server.
Example: It is important to keep in mind the management of access permissions when designing software. The author knows of an application that had very general permissions, and in fact only the roles of administrator and user existed in it. The administrator was authorised to add additional users and administrators, and the user was authorised to perform other activities. However, this application stored important information about the organisation’s customers. Because this application did not allow any granularity of permissions, all users, regardless of their actual business needs, were allowed to access any part of the customer information. This situation eventually resulted in a leak of data related to a specific customer.
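The granularity problem described in the example above, as an added example that is neither the application from the anecdote nor code from the original text: a Python authorisation module in which every permission is a triple (action, resource type, scope), where scope "own" limits the holder to records assigned to them and "any" covers all records; anything not listed is denied, changing permissions ("grant") is itself a governed action, and every decision is appended to an audit trail, covering the three requirements listed above (access to assets, reading and writing, and changing permissions). Roles, users and customer records are constructed.

```python
"""Centralised, granular access permissions with deny by default and an audit trail.
Added example; the roles, users and records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    id: str
    kind: str      # resource type, e.g. "customer" or "role"
    owner: str     # user the record is assigned to; used by scope "own"


# role -> set of (action, resource kind, scope). Anything absent is denied.
ROLES = {
    "support":    {("read", "customer", "own")},
    "sales_lead": {("read", "customer", "any"), ("write", "customer", "own")},
    "sec_admin":  {("grant", "role", "any")},   # may assign roles, cannot read customer data
}


class Authorizer:
    """Single decision point for every access request, with a log of all decisions."""

    def __init__(self, bootstrap_admin):
        self.assignments = {bootstrap_admin: {"sec_admin"}}   # user -> set of roles
        self.audit_log = []                                   # accounting leg of AAA

    def _decide(self, user, action, record):
        for role in self.assignments.get(user, ()):
            for act, kind, scope in ROLES.get(role, ()):
                if act == action and kind == record.kind and (scope == "any" or record.owner == user):
                    return True
        return False                                          # deny by default

    def allowed(self, user, action, record):
        decision = self._decide(user, action, record)
        self.audit_log.append((user, action, record.kind, record.id, "allow" if decision else "deny"))
        return decision

    def grant(self, actor, user, role):
        """Changing permissions is itself an action on a 'role' record, decided by the same rules."""
        if not self.allowed(actor, "grant", Record(role, "role", user)):
            raise PermissionError(f"{actor} may not grant role {role}")
        if role not in ROLES:
            raise ValueError(f"unknown role {role}")
        self.assignments.setdefault(user, set()).add(role)

    def who_can(self, action, record):
        """Audit helper: users who could currently perform the action on the record."""
        return sorted(u for u in self.assignments if self._decide(u, action, record))


if __name__ == "__main__":
    az = Authorizer("carol")
    az.grant("carol", "alice", "support")
    az.grant("carol", "bob", "sales_lead")
    c1 = Record("c1", "customer", "alice")
    print("alice reads c1:", az.allowed("alice", "read", c1))
    print("carol reads c1:", az.allowed("carol", "read", c1))
    print("who can read c1:", az.who_can("read", c1))
```

The `who_can` query answers the question the anecdote's organisation could not: for a given customer record, exactly which accounts can read it, which is what a periodic permission review needs.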
5.8.5 Malware protection tool
Within the scope of this measure, the obligor shall set up protection against malicious code by:
- ensuring (with regard to the importance of the assets) the use of a tool for continuous automatic protection of:
- terminal stations,
- mobile devices,
- servers,
- data storages and removable data carriers,
- communication networks and elements of the communication network,
- similar devices,
- monitoring and managing the use of removable devices and data carriers,
- managing permissions to run code,
- performing regular and effective updates of the anti-malware tool.
“Protection against malicious software distributed via e-mail. An open source e-mail proxy solution that provides protection against malicious software is the ASSP project (AntiSpam SMTP Proxy, https://sourceforge.net/projects/assp/), which enables comprehensive configuration of the mail proxy behaviour via a web interface.
Protection against malicious software distributed via the web. A suitable solution is, for example, the HTTP AntiVirus Proxy project (http://www.havp.org/) or www.cacheguard.com. Here, too, it is necessary to ensure adequate protection of end workstations, as encrypted traffic cannot be scanned in real time from the ‘man in the middle’ position.
Blocking the network traffic of malicious software, both at the level of the data infrastructure and at the level of the ‘personal firewalls’ of end stations. Network communication rules should be set ‘in a paranoid way’, i.e. to allow only the traffic necessary for legitimate software to work and to ban everything else. However, a measure on a server, proxy server or network infrastructure element in no way fully replaces protection against malware on endpoint workstations, especially as it may not always be able to intercept encrypted traffic that is decrypted only in the client program.”[8]
5.8.6 Tool for detection of cybersecurity events
Within the scope of this measure, the obligor shall implement, within a communication network that includes an information and communication system, a tool for the detection of cybersecurity events that ensures:
- verification and check of transmitted data within the communication network and between communication networks,
- verification and check of transmitted data on the perimeter of the communication network and
- blocking of unwanted communication.
“Outputs from many software tools can be used to detect cybersecurity events, including log analysers such as Logwatch (https://sourceforge.net/projects/logwatch/files/) and Epylog (https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement), and intrusion detection systems such as OpenVAS (http://openvas.org/), Suricata (https://suricata-ids.org/), Snort (https://www.snort.org/) or Samhain (https://www.la-samhna.de/samhain/).”[9]
5.8.7 Tool for collecting and evaluating cybersecurity events
Within the scope of this measure, the obligor shall use a tool to collect and continuously evaluate cybersecurity events. Such a tool provides:
- the collection and evaluation of events,
- searching for and grouping related records,
- provision of information on detected cybersecurity events to the designated security roles,
- evaluation of cybersecurity events in order to identify cybersecurity incidents, including early warning of the designated security roles,
- reduction of the number of incorrectly evaluated events by regularly updating the rule settings for:
- evaluation of cybersecurity events,
- early warning,
- use of the information obtained by the tool for collecting and evaluating cybersecurity events for the optimal setting of the security measures of the information and communication system.
The tool for collecting and evaluating cybersecurity events means the class of tools referred to as SIEM (Security Information and Event Management).
Among open source SIEM solutions, it is possible to use, for example, OSSIM (the open source edition of AlienVault USM; https://www.alienvault.com/products/usm-anywhere/try-it-now), OSSEC (www.ossec.net/) or LOGalyze (www.logalyze.com).[10]
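The "grouping of related records" and "early warning" functions listed above, as an added example that is not part of the original text and not taken from any of the tools named (Logwatch, Suricata, OSSIM, OSSEC and the others): a Python correlation rule run over constructed sshd log lines in syslog format. Repeated authentication failures from one source address inside a time window are collapsed into a single medium-severity event instead of one alert per line, and a successful login from that address shortly after the burst is escalated to high severity, which is the signal the security role actually needs. The host name, user names, addresses, the failure threshold and the window length are assumptions.

```python
"""Correlating authentication failures into grouped cybersecurity events.
Added example; the log lines, threshold and window below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in the usual syslog layout (the real ones carry no year).
SAMPLE_LOG = """\
Mar  4 10:15:01 gw sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:15:03 gw sshd[812]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar  4 10:15:04 gw sshd[812]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  4 10:15:06 gw sshd[812]: Failed password for jnovak from 203.0.113.7 port 51125 ssh2
Mar  4 10:15:07 gw sshd[812]: Failed password for jnovak from 203.0.113.7 port 51126 ssh2
Mar  4 10:15:09 gw sshd[812]: Accepted password for jnovak from 203.0.113.7 port 51127 ssh2
Mar  4 10:20:00 gw sshd[901]: Failed password for jnovak from 10.10.0.5 port 40000 ssh2
Mar  4 10:30:00 gw sshd[902]: Accepted password for jnovak from 10.10.0.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)
THRESHOLD = 5       # failures from one source that make a burst (assumed)
WINDOW = 60         # seconds (assumed)
YEAR = 2024         # syslog lines carry no year; assumed for parsing


def parse(line):
    """One sshd line -> dict, or None for lines the rule does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def correlate(lines):
    """Group failures per source into one event; escalate a success right after a burst."""
    failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    flagged = {}                    # src -> time the burst was detected
    events = []
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        src, ts = rec["src"], rec["ts"]
        if rec["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > WINDOW:
                q.popleft()                     # slide the window
            if len(q) >= THRESHOLD and src not in flagged:
                flagged[src] = ts
                events.append({"severity": "medium", "src": src, "count": len(q),
                               "first": q[0], "last": ts,
                               "summary": f"{len(q)} failed logins from {src} within {WINDOW}s"})
        elif src in flagged and (ts - flagged[src]).total_seconds() <= WINDOW:
            events.append({"severity": "high", "src": src, "user": rec["user"], "last": ts,
                           "summary": f"successful login as {rec['user']} from {src} "
                                      f"right after a failure burst"})
    return events


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG.splitlines()):
        print(ev["severity"].upper(), ev["summary"])
```

The second source (10.10.0.5) produces no event at all: a single failure followed by a success ten minutes later is a mistyped password, and reporting it would be exactly the kind of incorrect evaluation the rule-tuning bullet above is meant to reduce.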
5.8.8 Application security
In the case of application security, attention is paid to the applications used in information systems (whether on a computer system, on a mobile device or as a web application). Application security is ensured by, among other things, penetration testing of applications and by application firewalls.
Within the scope of this measure, the obligor shall perform penetration tests of the information and communication system, focused on important assets, namely:
- before they are put into service and
- in connection with a significant change.
Within the scope of application security, the obligor shall also ensure the permanent protection of applications, information and transactions against:
- unauthorised activity,
- repudiation of the activities performed.
“Application firewalls include, for example, web server security modules (www.modsecurity.org) or the OWASP Web Application Firewall. Commercial tools for testing application security include, in particular, Nessus (www.tenable.com/products/nessus-vulnerability-scanner). Its open source alternative is the OpenVAS project (www.openvas.org/).”[11]
5.8.9 Cryptographic means
Cryptography is the scientific discipline concerned with transforming intelligible information into a form that is unintelligible to anyone who does not hold the key with which the information can be decrypted.
As a considerable amount of data and information is transferred into ICT systems, increased attention must be paid to the encryption of transmitted data (confidentiality of content).
Within the scope of this measure, the obligor shall, in order to protect the assets of the information and communication system:
- use currently robust cryptographic algorithms and cryptographic keys,
- use a key and certificate management system that:
- ensures the generation, distribution, storage and change of keys, restriction of their validity, revocation of certificates and disposal of keys,
- enables inspection and audit,
- ensure the safe handling of cryptographic means,
- take into account the recommendations in the field of cryptographic means issued by the Office (NÚKIB) and published on its website.
“In order to ensure sufficiently robust encryption of network traffic, the OpenSSL libraries (openssl.org) are used, but it is necessary to ensure that they are up to date and properly configured in order to comply with the terms of this decree. It is necessary to follow current vulnerability reports and to upgrade unsatisfactory library versions without delay to versions without known vulnerabilities. In this regard, the bettercrypto project (https://bettercrypto.org/) is recommended to help administrators ensure the best possible security of the services and of the cryptography they use.”[12]
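The "up to date and properly configured" requirement for OpenSSL in the quotation above, as an added example that is not part of the original text or of the bettercrypto project: a Python module that builds a hardened TLS context (TLS 1.2 as the minimum version, only AEAD cipher suites with forward secrecy, compression off), audits whatever cipher list a context would actually negotiate with, and checks the linked OpenSSL version against a minimum, so the same three checks can be run on any host before a service goes live. The cipher string, the list of weak-algorithm markers and the minimum OpenSSL version are assumptions made for the demonstration.

```python
"""Hardened TLS context plus an audit of the cipher list and the OpenSSL version.
Added example; the cipher string, weak markers and minimum version are assumptions."""
import ssl

REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2
# Assumed markers of algorithms that a "currently robust" configuration must not offer.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH", "PSK", "SRP")
# Forward-secret AEAD suites only; TLS 1.3 suites are always present and are all AEAD.
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH):
    """The corrected configuration: explicit minimum version and an allow-list of suites."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = REQUIRED_MIN_VERSION
    ctx.set_ciphers(CIPHER_STRING)
    ctx.options |= ssl.OP_NO_COMPRESSION   # compression enables the CRIME-class attacks
    return ctx


def audit_ciphers(names):
    """Return the cipher names that carry a weak marker (pure function, easy to test)."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def audit_context(ctx):
    """Findings for a context: weak suites it would negotiate and a too-low minimum version."""
    findings = audit_ciphers(c["name"] for c in ctx.get_ciphers())
    if ctx.minimum_version < REQUIRED_MIN_VERSION:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    return findings


def openssl_version_ok(minimum=(1, 1, 1)):
    """True if the OpenSSL linked into this interpreter is at least `minimum` (assumed floor)."""
    return tuple(ssl.OPENSSL_VERSION_INFO[:3]) >= minimum


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "ok" if openssl_version_ok() else "TOO OLD")
    print("hardened context findings:", audit_context(hardened_context()))
    # The weak setting beside the corrected one: a permissive context offering everything
    # the library knows, which the audit is expected to flag.
    permissive = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        permissive.set_ciphers("ALL")
        print("permissive context findings:", audit_context(permissive))
    except ssl.SSLError as exc:
        print("this OpenSSL build refuses the permissive cipher string:", exc)
```

`audit_context` reads the list the library itself reports through `get_ciphers()`, not the cipher string that was requested, so a build that silently drops or adds suites is audited on what it will really do on the wire.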
5.8.10 Tool for ensuring the level of information availability
Within the scope of this measure, the obligor shall implement measures to ensure the required level of availability, namely:
- availability of information and communication system,
- resilience of information and communication system to cybersecurity incidents that could reduce its availability,
- availability of important technical assets of information and communication system,
- redundancy of assets necessary to ensure the availability of information and communication system.
Implementing a tool for ensuring the level of information availability also supports the organisational measure of business continuity management (BCM).
“To achieve the prescribed level of availability, cluster and cloud technologies developed as open source (KVM, OpenStack) can be used, or the availability of a replacement asset can be ensured at a specified time through back-up/restore software (https://sourceforge.net/projects/bacula/).”[13]
[1] MAISNER, Martin and Barbora VLACHOVÁ. Zákon o kybernetické bezpečnosti. Komentář. Prague: Wolters Kluwer, 2015. p. 91
[2] The area must be secured against passive and active eavesdropping by sufficiently soundproof walls, doors, floor and ceiling, windows, ventilation openings or air conditioning ducts must be protected by technical means. The area must be protected against eavesdropping from outside the meeting area. No furniture or equipment may be placed in the area unless they have been inspected for the unauthorised use of technical means of obtaining information in the meeting area. The furniture and equipment of the area must be registered (including the type, or serial and inventory number), including the history of movement. It is not desirable to place telephones in the area. If their installation is absolutely necessary, they must be equipped with a disconnector or disconnected manually before the meeting. Mobile phones, any recording equipment, transmitting equipment, any test, measuring and diagnostic equipment and other electronic equipment may not be brought into the area. (This does not apply to equipment used in the course of the inspection with the knowledge of the responsible person or his/her authorised person.) Rules for the registration and movement of persons and facilities must be developed for the area.
[3] KODET, Jaroslav. Kybernetický zákon: Využijte naplno open source nástroje. [online]. [cit. 25/04/2018]. Available from: https://www.nic.cz/files/nic/doc/Securityworld_CSIRTCZ_112015.pdf
[4] KODET, Jaroslav. Kybernetický zákon: Využijte naplno open source nástroje. [online]. [cit. 25/04/2018]. Available from: https://www.nic.cz/files/nic/doc/Securityworld_CSIRTCZ_112015.pdf
[5] Provided that the obligor has not yet fulfilled the first of the preferred authentication mechanisms.
[6] Provided that the obligor has not yet fulfilled the second of the preferred authentication mechanisms
[7] KODET, Jaroslav. Kybernetický zákon: Využijte naplno open source nástroje. [online]. [cit. 25/04/2018]. Available from: https://www.nic.cz/files/nic/doc/Securityworld_CSIRTCZ_112015.pdf
[8] KODET, Jaroslav. Kybernetický zákon: Využijte naplno open source nástroje. [online]. [cit. 25/04/2018]. Available from: https://www.nic.cz/files/nic/doc/Securityworld_CSIRTCZ_112015.pdf
[9] KODET, Jaroslav. Kybernetický zákon: Využijte naplno open source nástroje. [online]. [cit. 25/04/2018]. Available from: https://www.nic.cz/files/nic/doc/Securityworld_CSIRTCZ_112015.pdf
[10] KODET, Jaroslav. Kybernetický zákon: Využijte naplno open source nástroje. [online]. [cit. 25/04/2018]. Available from: https://www.nic.cz/files/nic/doc/Securityworld_CSIRTCZ_112015.pdf
[11] Ibidem
[12] KODET, Jaroslav. Kybernetický zákon: Využijte naplno open source nástroje. [online]. [cit. 25/04/2018]. Available from: https://www.nic.cz/files/nic/doc/Securityworld_CSIRTCZ_112015.pdf
[13] Ibidem