Chapter 01: Today's Cybersecurity Analyst Flashcards
Privacy vs Security
Security is the CIA triad, and focuses on the ways an org can protect its own data
Privacy focus on the ways than an org can use and share information that it’s collected about individuals (PII)
PII is protected by regulatory standards and always governed by ethical considerations
Privacy also includes the ways than an org uses ands hares information it collects and maintains with others
Page 5 | Major exam concept
GAPP
Generally Accepted Privacy Principles
Outlines 10 privacy practices that say how organizations should:
- Management: Document privacy practices in a privacy policy and related docs
- Notice: Notify individuals about its privacy practices and inform them of the type of info it collects, and how that info is used
- Choice and Consent: Obtain the direct consent of individuals for the storage, use, and sharing of PII
- Collection: Collect PII only for the purposes identified in the notice and consented to by the individual
- Use, Retention, and Disposal: Only use info for identified purposes and not for any other nondisclosed purpose
- Access: Provide individuals with access to any information about that individual in the org’s records, at the individual’s request
- Disclosure: Info will only be disclosed to third parties when consistent with notice and consent
- Security: PII will be protected against unauthorized access
- Quality: Maintain accurate and complete information
- Monitoring and Enforcement: Put business processes in place to ensure that it remains complaint with its privacy policy
Page 6
Vulnerability
A weakness in a device, system, app, or process that might allow an attack to take place
Internal controls that may be controlled by cybersecurity professionals
- EX: A webserver running an outdated version of Apache might contain and vulnerability that would allow an attacker to conduct a DOS attack against sites hosted on the server
- Analysts can remediate by updating Apache
Threat
An outside force that may exploit a vulnerability
Many threats are malicious in nature, but not always
In most cases, cybersecurity pros can’t do much to eliminate threats—hackers will always hack, and earthquakes will always strike
- EX: A hacker who wants to DOS a website and knows about an Apache vulnerability presents a clear cybersecurity threat
- EX: An earthquake that could damage a datacenter containing servers is a threat
Risk
A combination of a threat and a corresponding vulnerability
Both must be present before a situation poses a risk to the security of an org
- EX: If a hacker targets an org’s webserver with a DoS attack, but the server was patched so it’s not vulnerable, there’s zero risk
- EX: A datacenter may be vulnerable to earthquakes, but it’s in a part of the world that doesn’t have earthquakes, there’s zero risk
Walking down the street with cars metaphor
Adversarial Threats
Individuals, groups, and orgs that attempt to deliberately undermine the security of an organization
Adversaries may include trusted insiders, competitors, suppliers, customers, business partners, or even nation states
When evaluating an adversarial threat, analysts should consider:
- The capability of the threat actor to engage in attacks, their intent, and the likelihood they’ll target the org
Accidental Threats
These occur when individuals doing their routine work mistakenly perform an action that undermines security
- EX: A system admin accidentally deletes a critical disk volume, causing a loss of availability
When evaluating an accidental threat, analysts should consider:
- The possible range of effects that the threat might have on the org
Structural Threats
These occur when equipment, software, or environmental controls fail due to:
- Exhaustion of resoruces, like running out of gas
- Exceeding operational capability, like operating in extreme heat
- Failure due to age
Structural threats may come from:
- IT componenets like sotrage, servers, and network devices
- Environmental controls like power and cooling infrastructure
- Software like OS and aps
When evaluating structural threats, an analyst should consider:
- The possible range of effects the threat might have on the org
Environmental Threats
These occur when natural or human-made disasters occur that are outside the control of the organization
They might include fires, floods, sever storms, power failures, or widespread telecomms disruptions
When evaluating an accidental threat, analysts should consider:
- Common natural environmental threats to their geographic region, as well as how to appropriately prevent or counter human-made environmental threats
Insider Threats
Always remember that threats come from both external and internal sources
In addition to hackers, natural disasters, and other threats that begin outside the org, an analyst must be thinking about:
- Rogue employees
- Disgruntled team members
- Incompetent admins
NAC
Network access control
Provides the means to authenticate users and evaluate device integrity before a connection is permitted
NAC solutions help security pros achieve two cybersecurity objectives:
- Limiting network access to authorized individuals
- Ensuring that systems accessing the org’s network meet basic security requirements
Key features of a NAC solution:
* Posture Assessment: The process of assessing the endpoint for compliance with the health policy
* Remediation: The process and procedures that occur when a device doesn’t meet the minimum security policy
* Pre and Post Admission Controls: The point at which client devices are granted or denied access based on their compliance with a health policy
EX: 802.1X protocol is a common standard used for NAC
Agent-Based NAC vs Agentless NAC
Agent-based solutions like 802.1X require the device requesting access to the network to run special software designed to cmmunicate with the NAC service
Agentless approaches to NAC conduct authentication in the web browser and don’t require special software
In-Band NAC vs Out-of-Band NAC
In-band (or inline) NAC solutions use dedicated appliances that sit between devices and the resources they want to access
They’ll deny or limit network access to devices that don’t pass the NAC authentication process
- EX: Captive portals found in hotels that hijack all web requests until a guest enters a room number
Out-of-band NAC solutions, like 802.1X, leverage the existing network infrastructure
They have network devices communicate with authentication servers and then reconfigure the network to grant or deny access as needed
NAC Criteria
- Time of Day: Users may be authorzied to acces the network during specific time periods, like business hours
- Role: Users may be assigned to network segments based on their role in the org
- Rule: A complex admission policy that enforces a series of rules which are written as logical statemends: IF Jason AND student, DENY access
- Location: Users may be granted or denied access to network resources based on their physical location
- System Health: NAC solutions may use agents running on devices to obtain configuration information from the device. Devices that fail to meet minimum security standards (incorrectly configured host firewall, outdated virus protections, missing security patches) may be completely denied network access or placed on a quarantine network with limited access until they update the system security
Triple-Homed Firewall
The firewall connects to three different networks, and any traffic that wants to pass from one zone to another must pass through the firewal
- EX: The internet, an internal network, and a DMZ (screened subnet)
DMZ / Screened Subnet
A special network zone designed to house systems that receive connections from the outside world, like email and web servers
Sound firewall design places these systems on an isolated network where, if they become compromised, pose little threat to the internal network
Packet Filtering Firewalls
Check the characteristics of each packet against the firewall rules without any additional intelligence
These capabilities are often found in routers and other network devices, and are very rudimentary
Stateful Inspection Firewalls
Goes beyond packet filters and maintains information about the state of each connection passing through the firewall
These are the most basic firewalls sold as standalone products
NGFW
Next gen firewalls incorproate even more information into their decision-making process, including contextual information about users, apps, and business processes
They’re the current state of the art in network firewall protection and are expensive compared to stateful
WAF
Web app firewalls are specialized firewalls designed to protecte against web app attacks, like SQL injection and XSS
Network Segmentation
A principle used by firewalls to separate networks of differing security levels from each other
Jump Box
A server that acts as a secure transition point between networks, providing a trusted path between two zones
System admins shouldn’t connect to a network directly, but instead use the jump box to SSH or RDP
It can also be used as a layer of insulation against systems that are only partially trusted
- EX: If contractors bring equipment owned by their employer onto your network, you can use the jump box to prevent htem from directly connecting to company systems
Single Pane of Glass
A cybersecurity philosophy whereby analysts integrate all of their tools into a single platform
That way, they can use one, consistent interface to perform all of their work
It’s almost impossible to have a pure “Single Pane of Glass,” but reducing the number of interfaces as much as possible can dramatically increase efficiency
Reverse Engineering
The procss of analyzing the structure of hardware or software to reveal more about how it functions
With regard to software, you can run dynamic analysis, like in a sandbox environment, where the code is executed so you can see what happens
If you want to look at it in a static way, you’ll need some tools to help examine the source code
Disassembler
* A program that translates machine language into assembly language
Decompiler
* Software that translates a binary, or low-level machine language code, into higher-level code (C, Java, etc)
We reverse engineer code into human readable formats so that we can find strings to use as a signature for rule-based detection—you can also use “strings” to dump some of these things:
* ASCII sequences with usernames
* Passwords
* File names
* Function calls
* URLs
Program Packers
* A method of compression in which an executable is mostly compressed and the part that isn’t compressed contains the code to decompress the executable
* A type of self-extracting archive
* This makes the file smaller, easier to transfer
* Also makes it harder for analysts to find
* Until malware is unpacked, it can mask string literals and effectively modify its signatures to avoid triggering signature-based scanners
Machine Code
* Software that has been assembled into binary instructions that are expressed as hexadecimal digits native to the processor platform
Assembly Code
* A compiled software program converted to binary machine code using the instruction set of the CPU platform and is represented in human-readable text
* Typical instructions include int, push, mov, not, and, or, xor, add, sub, inc, dec, jmp, cmp, and test
Debugging Tools
* Immunity Debugger: A debugger built specifically for pentesters to write exploits, analyze malware, and reverse engineer binary files using Python scripts and APIs
* GNU Debugger (GDB): An open source, cross-platform debugger for Unix, Windows, and MacOS
* SearchSploit: A tool used to find exploits available in the Exploit-DB
Trusted Firmware
UEFI (Unified Extensible Firmware Interface)
* A type of system firmware providing support for 64 bit CPU operation at boot, full GUI and mouse operation at boot, and better boot security
* Almost all modern systems use UEFI and not BIOS
Secure Boot
* A UEFI feature that prevents unwanted processes from executing during the boot operation
Measured Boot
* A UEFI feature that gathers secure metrics to validate the boot process in an attestation report
Attestation
* A claim that the data presented in a boot report is valid by digitally sining it using the TPM’s private key
eFUSE
* A means for software or firmware to permanently alter the state of a transistor on a computer chip
* Like a real world fuse, if someone tries to modify the hardware containing sealed cryptographic keys, the eFUSE will be blown and the hardware will be rendered invalied and untrustworthy
Trusted Firmware Update
* A firmware update that is digitally signed by the vendor and trusted by the system before installation
SED
* A disk drive where the controller can automatically encrypt data that’s written to it
Secure Processing
A mechanism for ensuring the CIA of software code and data as it’s executed in volatile memory
Processor Security Extensions
* Low-level CPU changes and instructions that enable secure processing
* AMD: Secure Memory Encryption (SME) or Secure Encrypted Virtualization (SEV)
* Intel: Trusted Execution Technology (TXT) or Software Guard Extensions (SGX)
Trusted Execution
* The CPU’s security extensions invoke a TPM and secure boot attestation to ensure that a trusted OS is running
Secure Enclave
* An extension that allows a trusted process to create an encrypted container for sensitive data
Atomic Execution
* Certain operations that should only be performed once or not at all, such as initializing a memory location
Bus Encryption
* Data that’s encrypted by an application prior to being placed on the data bus
Legal Regulations
SOX (Sarbanes-Oxley Act)
* Sets for the requirements for the storage and retention of documents relating to an org’s financial and business operations, including the type of documents to be stored and their retention periods
* Applies to publicly traded companies with a value of at least $75 million
GLBA (Gramm-Leach-Bliley Act)
* Sets for the requirements that help protect the privacy of an individual’s financial information that’s held by financial institutions
FISMA (Federal Information Security Management Act)
* Sets for the requirements for federal orgs to adopt information assurance controls
HIPAA
* Protec the privacy of an individual’s health information that’s held by healthcare providers, hospitals, and insurance companies
COSO (Committee of Sponsoring Organizations of the Treadway Commission)
* Provides guidance of governance-related topics including fraud, controls, finance, and ethics, and relies on COSO’s ERM-integrated framework
APIs, Webhooks, and Plug-Ins
API
* A set of protocols and routins for building and interacting with software apps
* Serves as intermediary between different systems, and allows them to communicate and exchange data with each other
* Allows for automated administration, management, and monitoring of cloud services
* Allows for direct integration of different third party apps in a web app
* Can be used to improve efficieny and aid in the integration of different systems
curl
* When working with APIs, you can use curl
* It’s used to transfer data from, or to, a server using one of the supported protocols: HTTP/S, FTP/S, SCP, SFTP, TFTP, DICT, TELNET, LDAP, FILE
Webhook
* Way for on app to provide other apps with real-time information
* More like notifications than a traditional API call where you have to request the information
* Often set up to listen for specific events to occur
* Detected events will send a message containing information to a specific URL
* Useful where real-time information is critical and low latency is necessary
* They use HTTP/S protocols
* Server pushes data to client instead of client pulling data
Plug-Ins
* AKA connectors or add ons
* Used to extend the functionality of a software program
* Commonly used with tools like SIEM to integrate with other tools and techs
* Allow orgs to customzie and enhance the capabilities of their cyber software
* Helps orgs improve security posture and ensure compliance with relevant regulations and standards