Chapter 01: Today's Cybersecurity Analyst Flashcards
Privacy vs Security
Security is the CIA triad, and focuses on the ways an org can protect its own data
Privacy focuses on the ways that an org can use and share information that it’s collected about individuals (PII)
PII is protected by regulatory standards and always governed by ethical considerations
Privacy also includes the ways that an org uses and shares information it collects and maintains with others
Page 5 | Major exam concept
GAPP
Generally Accepted Privacy Principles
Outlines 10 privacy practices that say how organizations should:
- Management: Document privacy practices in a privacy policy and related docs
- Notice: Notify individuals about its privacy practices and inform them of the type of info it collects, and how that info is used
- Choice and Consent: Obtain the direct consent of individuals for the storage, use, and sharing of PII
- Collection: Collect PII only for the purposes identified in the notice and consented to by the individual
- Use, Retention, and Disposal: Only use info for identified purposes and not for any other nondisclosed purpose
- Access: Provide individuals with access to any information about that individual in the org’s records, at the individual’s request
- Disclosure: Info will only be disclosed to third parties when consistent with notice and consent
- Security: PII will be protected against unauthorized access
- Quality: Maintain accurate and complete information
- Monitoring and Enforcement: Put business processes in place to ensure that it remains compliant with its privacy policy
Page 6
Vulnerability
A weakness in a device, system, app, or process that might allow an attack to take place
Internal factors that may be controlled by cybersecurity professionals
- EX: A webserver running an outdated version of Apache might contain a vulnerability that would allow an attacker to conduct a DoS attack against sites hosted on the server
- Analysts can remediate by updating Apache
Threat
An outside force that may exploit a vulnerability
Many threats are malicious in nature, but not always
In most cases, cybersecurity pros can’t do much to eliminate threats—hackers will always hack, and earthquakes will always strike
- EX: A hacker who wants to DoS a website and knows about an Apache vulnerability presents a clear cybersecurity threat
- EX: An earthquake that could damage a datacenter containing servers is a threat
Risk
A combination of a threat and a corresponding vulnerability
Both must be present before a situation poses a risk to the security of an org
- EX: If a hacker targets an org’s webserver with a DoS attack, but the server was patched so it’s not vulnerable, there’s zero risk
- EX: A datacenter may be vulnerable to earthquakes, but if it’s in a part of the world that doesn’t have earthquakes, there’s zero risk
Walking down the street with cars metaphor
Adversarial Threats
Individuals, groups, and orgs that attempt to deliberately undermine the security of an organization
Adversaries may include trusted insiders, competitors, suppliers, customers, business partners, or even nation states
When evaluating an adversarial threat, analysts should consider:
- The capability of the threat actor to engage in attacks, their intent, and the likelihood they’ll target the org
Accidental Threats
These occur when individuals doing their routine work mistakenly perform an action that undermines security
- EX: A system admin accidentally deletes a critical disk volume, causing a loss of availability
When evaluating an accidental threat, analysts should consider:
- The possible range of effects that the threat might have on the org
Structural Threats
These occur when equipment, software, or environmental controls fail due to:
- Exhaustion of resources, like running out of gas
- Exceeding operational capability, like operating in extreme heat
- Failure due to age
Structural threats may come from:
- IT components like storage, servers, and network devices
- Environmental controls like power and cooling infrastructure
- Software like OSs and apps
When evaluating structural threats, an analyst should consider:
- The possible range of effects the threat might have on the org
Environmental Threats
These occur when natural or human-made disasters occur that are outside the control of the organization
They might include fires, floods, severe storms, power failures, or widespread telecomms disruptions
When evaluating an environmental threat, analysts should consider:
- Common natural environmental threats to their geographic region, as well as how to appropriately prevent or counter human-made environmental threats
Insider Threats
Always remember that threats come from both external and internal sources
In addition to hackers, natural disasters, and other threats that begin outside the org, an analyst must be thinking about:
- Rogue employees
- Disgruntled team members
- Incompetent admins
NAC
Network access control
Provides the means to authenticate users and evaluate device integrity before a connection is permitted
NAC solutions help security pros achieve two cybersecurity objectives:
- Limiting network access to authorized individuals
- Ensuring that systems accessing the org’s network meet basic security requirements
Key features of a NAC solution:
* Posture Assessment: The process of assessing the endpoint for compliance with the health policy
* Remediation: The process and procedures that occur when a device doesn’t meet the minimum security policy
* Pre and Post Admission Controls: The point at which client devices are granted or denied access based on their compliance with a health policy
EX: 802.1X protocol is a common standard used for NAC
Agent-Based NAC vs Agentless NAC
Agent-based solutions like 802.1X require the device requesting access to the network to run special software designed to communicate with the NAC service
Agentless approaches to NAC conduct authentication in the web browser and don’t require special software
In-Band NAC vs Out-of-Band NAC
In-band (or inline) NAC solutions use dedicated appliances that sit between devices and the resources they want to access
They’ll deny or limit network access to devices that don’t pass the NAC authentication process
- EX: Captive portals found in hotels that hijack all web requests until a guest enters a room number
Out-of-band NAC solutions, like 802.1X, leverage the existing network infrastructure
They have network devices communicate with authentication servers and then reconfigure the network to grant or deny access as needed
NAC Criteria
- Time of Day: Users may be authorized to access the network during specific time periods, like business hours
- Role: Users may be assigned to network segments based on their role in the org
- Rule: A complex admission policy that enforces a series of rules which are written as logical statements: IF Jason AND student, DENY access
- Location: Users may be granted or denied access to network resources based on their physical location
- System Health: NAC solutions may use agents running on devices to obtain configuration information from the device. Devices that fail to meet minimum security standards (incorrectly configured host firewall, outdated virus protections, missing security patches) may be completely denied network access or placed on a quarantine network with limited access until they update the system security
Triple-Homed Firewall
The firewall connects to three different networks, and any traffic that wants to pass from one zone to another must pass through the firewall
- EX: The internet, an internal network, and a DMZ (screened subnet)