Chapter 10 - Cybersecurity tools, techniques and reporting Flashcards
Why use forensic analysis?
- Determine cause, culprits and consequences of a breach to ensure it cannot be repeated and to address the damage caused
- Requires an expert to carry it out properly
- May require actions that compromise process of preserving evidence
Levels of forensic analysis:
- System level analysis – has the threat affected the entire system or just parts of it?
- Storage analysis – has the threat affected data stored by the org?
- Network analysis – could the threat have come from an outside source via the network?
Malware analysis:
Determining how the code behind a piece of malware works, with the aim of finding a way to remove it or a way of disabling it
What is reverse engineering?
Allows you to understand how something works by taking it apart and then attempting to replicate it at a base level
Responding to malware:
- Reverse engineering uses decompilation and disassembly techniques to break the malware down into different forms of code to understand how it works and what it is intending to achieve - once they understand how it works, reverse engineers can create solutions to the malware
- Quarantine the endpoint using segmented networks
- Learn from malware – understand how it came in, how it spread and how it functions
- Prevention – upgrade patches, security policies or firewall settings
What is penetration testing?
- Systematic process of probing for vulnerabilities in applications and networks
- Controlled form of hacking undertaken by a white-hat hacker
- Penetration testing is essential if an org has previously suffered a cybersecurity breach or the risk of such an event has increased
Types of penetration testing:
- Connections with the internet
- Connections between org’s own users
- Creating web applications
- Simulating phishing and social engineering testing
What does penetration involve?
- Attack is simulated to see where vulnerabilities are, what impact they might have and what actions an org can take to counter them
- Test can be done remotely via a network or on site
- It can look at individual systems or all systems together
White, grey and black-box testing:
- White-box testing:
* Allowed to access the entire network to review the way in which system works
* Quality check used at the creation stage but only in what has been coded
- Grey-box testing:
* Access is granted at user level privileges only
- Black-box testing:
* No privilege info is shared; it is up to the tester to find a way in however they can
* Only focuses on the user’s perspective as it only looks at the system’s outputs and has no visibility of the way the system operates
* Looks at what the system actually creates, regardless of what went into creating it, and is therefore adapted as part of user testing
* Takes longer and is more expensive
UK National Cyber Security Centre (NCSC) advice on data security controls:
- Appropriate devices and operating systems should be selected
- Policy for employees who bring own devices to work
- Network should be treated as unsecure and encryption technology should be adopted
- All data travelling between two points on a network – IPSec should be used for more secure connection
- One single data stream – transport layer security (TLS) should be used for secure encrypted communication
- Peer-to-peer – MIKEY-SAKKE should be used for real-time encryption
- No single system should be used for all data as it can be exploited
- Services on network can be managed locally to stay in control of operations or cloud providers can be used to harness their expertise
- Once reviewed and implemented, constant monitoring to ensure it stays effective
What is IPSec?
IP security is a suite of protocols that interact with one another to provide secure private communications across IP networks (uses whatever security protocols that are in place on network)
What is TLS?
Transport Layer Security provides secure communications but carries its own form of encryption and uses own security protocols
What is MIKEY-SAKKE?
Protocol that allows orgs to provide secure communications with end-to-end encryption
NCSC guidance on how management should control, direct and communicate cybersecurity risk management activities as part of security governance:
- Covers how cybersecurity happens within an org and who leads it
- Depends on your org
- Link cybersecurity with org’s objectives
- Identifies individuals with responsibility for making security decisions
- System of feedback, empowerment and accountability to ensure effective cybersecurity governance, connected to existing government arrangements
NCSC cybersecurity reporting needs:
Internal:
* Org’s core values and why they are core values
* Risks the org is prepared to take
External:
* Risk management and decision-making context
* What needs to be protected and why
* Reliance placed on one party by another when protecting its assets