CYBER SECURITY Flashcards
CIA TRIAD
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
CONFIDENTIALITY
Can actors who should not have access to the system or information access the system or information?
INTEGRITY
Can the data or the system be modified in some way that is not intended?
AVAILABILITY
Are the data or the system accessible when and how they are intended to be?
OFFENSIVE SECURITY
DEFENSIVE SECURITY
TRY HARDER MINDSET
If my attack or defense fails, it represents a truth about my current skills/processes/configurations/approach as much as it is a truth about the system.
If my attack or defense fails, this allows me to learn something new, change my approach, and do something differently.
CYBER SECURITY CHALLENGES
INVOLVES MALICIOUS AND INTELLIGENT ACTORS (OPPONENTS)
INVOLVES REASONING UNDER UNCERTAINTY
SECURITY MINDSET
FIRST INTRODUCED BY BRUCE SCHNEIER
encourages a constant questioning of how one can attack (or defend) a system. If we can begin to ask this question automatically when encountering a novel idea, machine, system, network, or object, we can start noticing a wide array of recurring patterns.
GROWTH MINDSET
encourages the belief that mental ability is flexible and adaptable and that one can grow their capacity to learn over time
RISK
A simple way to define risk is to consider two axes: the probability that a negative event will occur, and the impact on something we value if such an event happens. This definition allows us to conceptualize risks via four quadrants:
Low-probability, low impact events
Low-probability, high impact events
High-probability, low impact events
High-probability, high impact events
THREAT
Threat is something that poses risk to an asset we care about protecting. Not all threats are human; if our network depends on the local electricity grid, a severe lightning storm could be a threat to ongoing system operations.
VULNERABILITY
For a threat to become an actual risk, the target being threatened must be vulnerable in some manner.
A vulnerability is a flaw that allows a threat to cause harm. Not all flaws are vulnerabilities.
In computer programs, vulnerabilities occur when someone who interacts with the program can achieve specific objectives that are unintended by the programmer.
EXPLOIT
In computer programs, vulnerabilities occur when someone who interacts with the program can achieve specific objectives that are unintended by the programmer. When these objectives provide the user with access or privileges that they aren’t supposed to have, and when they are pursued deliberately and maliciously, the user’s actions become an exploit.
RISK CONSIDERATION QUESTIONS
How likely is it that a particular attack might happen?
What would be the worst possible outcome if the attack occurs?
CVSS
COMMON VULNERABILITY SCORING SYSTEM
EXPLOIT (NOUN)
As a noun, an exploit is a procedure for abusing a particular vulnerability
EXPLOIT (VERB)
As a verb, to exploit a vulnerability is to perform the procedure that reliably abuses it.
ATTACK SURFACE
DESCRIBES ALL THE POINTS OF CONTACT ON OUR SYSTEM OR NETWORK THAT COULD BE VULNERABLE TO EXPLOITATION
ATTACK VECTOR
SPECIFIC VULNERABILITY AND EXPLOITATION COMBINATION THAT CAN FURTHER A THREAT ACTORS OBJECTIVES.
THREAT ACTOR CLASSIFICATION
HIGH LEVEL CLASSIFICATION:
INDIVIDUAL
GROUP
INSIDER
NATION STATE
INDIVIDUAL MALICIOUS ACTOR
Individual Malicious Actors: On the most superficial level, anyone attempting to do something that they are not supposed to do fits into this category. In cybersecurity, malicious actors can explore digital tactics that are unintended by developers, such as authenticating to restricted services, stealing credentials, and defacing websites.
MALICIOUS GROUP
Malicious Groups: When individuals band together to form groups, they often become stronger than their individual group members.
Malicious groups can have any number of goals but are usually more purposeful, organized, and resourceful than individuals. Thus, they are often considered to be one of the more dangerous threat actors.
INSIDER THREAT
Insider Threats: Perhaps one of the most dangerous types of threat actors, an insider threat is anyone who already has privileged access to a system and can abuse their privileges to attack it. Often, insider threats are individuals or groups of employees or ex-employees of an enterprise that become motivated to harm it in some capacity.
NATION STATES
Nation States: Although international cyber politics, cyber war, and digital intelligence are vast subjects and significantly beyond the scope of this Module, we should recognize that some of the most proficient, resourceful, and well-financed operators of cyber attacks exist at the nation-state level within many different countries across the globe.
SOCIAL ENGINEERING
attacks where an attacker persuades or manipulates human victims to provide them with information or access that they shouldn’t have.
PHISHING
Phishing is usually done in broad sweeps. Phishing strategy is usually performed by sending a malicious communication to as many people as possible, increasing the likelihood of a victim clicking a link or otherwise doing something that would compromise security.
SPEAR-PHISHING
VISHING
SMS-ISHING
RANSOMWARE
CREDENTIAL ABUSE
AUTHENTICATION BYPASS
ZERO TRUST SECURITY MODEL
Zero Trust is a security model that assumes that all users, devices, and networks are untrusted and must be verified before access is granted. It is based on the idea that organizations should not trust any user, device, or network, even if they are inside the organization’s network.
PRINCIPLE OF LEAST PRIVILEGE
Each user and program should operate using the fewest privileges possible.
DEFENSE IN DEPTH
involves multiple layers of security controls to protect an organization’s assets
The goal of Defense-in-Depth is to create a secure environment that is resilient to attack and can quickly detect and respond to any security incidents. By implementing multiple layers of security, organizations can reduce the risk of a successful attack and minimize the damage caused by any successful attack.
OPEN SECURITY
focuses on the need for developers to be aware of the security implications of their code and to take steps to ensure that their code is secure. This includes using secure coding practices, testing for vulnerabilities, and using secure development tools. Security-in-the-Open also encourages developers to collaborate with security experts to ensure that their code is secure.
SHIFT LEFT SECURITY
SECURITY STRATEGIES
24/7 vigilance
Threat modeling
Table top discussions
Continuous training on tactics, processes, and procedures
Continuous automated patching
Continuous supply chain verification
Secure coding and design
Daily log reviews
Multiple layers of well-implemented Security Controls
ADMINISTRATIVE SEGMENTATION
To defeat internal threats and threats that have acquired valid credentials or authentication capability, we must segment controls so that no single authority can bypass all controls. To accomplish this, we may need to split controls between application teams and administrators, or split access for administration between multiple administrators
SHAMIR’S SECRET SHARING (SSS)
SSS is used to secure a secret in a distributed form, most often to secure encryption keys. The secret is split into multiple shares, which individually do not give any information about the secret.
THREAT MODELING
Threat modeling describes taking data from real-world adversaries and evaluating those attack patterns and techniques against our people, processes, systems, and software. It is important to consider how the compromise of one system in our network might impact others.
THREAT INTELLIGENCE
Threat Intelligence is data that has been refined in the context of the organization: actionable information that an organization has gathered via threat modeling about a valid threat to that organization’s success. Information isn’t considered threat intelligence unless it results in an action item for the organization. The existence of an exploit is not threat intelligence; however, it is potentially useful information that might lead to threat intelligence
TACTICS TECHNIQUES AND PROCEDURES
(TTPs)
BUSINESS CONTINUITY PLANNING
(BCP)
TABLE TOP TACTICTS
CONTINUOUS PATCHING
CONTINUOUS SUPPLY CHAIN VERIFICATION
SOFTWARE BILL OF MATERIALS
(SBOM)
Utilizing a software bill of materials (SBOM) as a way to track dependencies automatically in the application build process greatly helps us evaluate supply chain tampering. If we identify the software dependencies, create an SBOM with them, and package the container and SBOM together in a cryptographically-verifiable way, then we can verify the container’s SBOM signature before loading it into production.
SLEEPER MALWARE
Sleeper malware is software that is inactive while on a system for some time, potentially weeks before it starts taking action.
ENCRYPTION
PERSONAL IDENTIFIABLE INFORMATION
(PII)
TLS
EPHEMERAL ENCRYPTION
LOGGING
CHAOS TESTING
DISASTER RECOVERY
CHAOS ENGINEERING
HIPPA
FERPA
Family Educational Rights and Privacy Act of 1974 (FERPA) is a United States federal law regulating the privacy of learners’ education records. This law sets limits upon the disclosure and use of these records without parents’ or learners’ consent. Some instances where schools are permitted to disclose these records are school transfers, cases of health or safety emergencies, and compliance with a judicial order.
GLBA
Gramm-Leach-Bliley Act (GLBA), enacted by the United States Congress in 1999, establishes several requirements that financial institutions must follow to protect consumers’ financial information. This law requires that institutions describe how they use and share information and allow individuals to opt-out in certain cases.
PHI
PROTECTED HEALTH INFORMATION
PRIVACY RULE
SECURITY RULE FOR E-PHI
three classes of safeguards that must be in place:
administrative (having a designated security official
a security management process, periodic assessments, etc.)
physical (facility access control, device security), and technical (access control, transmission security, audit abilities, etc.).
GDPR
General Data Protection Regulation (GDPR) is a law adopted by the European Union in 2016 that regulates data privacy and security. It applies to the private sector and most public sector entities that collect and process personal data. It provides individuals with a wide set of rights over their data including the well-known “right to be forgotten” and other rights related to notifications of data breaches and portability of data between providers.
GDPR outlines a strict legal baseline for processing personal data. For example, personal data may be processed only if the data subject has given consent, to comply with legal obligations, to perform certain tasks in the public interest, or for other “legitimate interests”. For businesses that process data on a large scale or for whom data processing is a core operation, a data protection officer - who is responsible for overseeing data protection - must be appointed.
GDPR also establishes an independent supervisory authority to audit and enforce compliance with these regulations and administer punishment for non-compliance. The fines for violating these regulations are very high: a maximum of 20 million Euros or 4% of revenue (whichever is higher), plus any additional damages that individuals may seek.
One unique aspect of GDPR is that it applies to any entity collecting or processing data related to people in the European Union, regardless of that entity’s location. At the time of its adoption, it was considered the most strict data privacy law in the world and has since become a model for several laws and regulations enacted around the globe.
CCPA
California Consumer Privacy Act of 2018 (CCPA) is a Californian law granting residents of the state certain privacy rights concerning personal information held by for-profit businesses.
the “right to know”
The “right to opt-out”
the “right to delete”
KEY DISCLOSURE LAWS
Key disclosure laws are laws that compel the disclosure of cryptographic keys or passwords under specific conditions. This is typically done as part of a criminal investigation when seeking evidence of a suspected crime.
RIPA
REGULATIONS OF INVESTIGATORY POWERS ACT OF 2000
RIGHT TO OPT OUT
allows consumers to request that their personal information not be sold, something that must, with few exceptions, be approved
RIGHT TO KNOW
requires businesses to disclose to consumers, upon request, what personal information has been collected, used, and sold about them, and why.
RIGHT TO DELETE
which allows consumers to request that businesses delete collected personal information
MITRE ATT&CK FRAMEWORK
MITRE DEFEND FRAMEWORK
CYBER KILL CHAIN
RECONNAISSANCE PHASE
WEAPONIZATION PHASE
DELIVERY PHASE
EXPLOITATION PHASE
INSTALLATION STAGE
COMMAND AND CONTROL PHASE
ACTIONS ON OBJECTIONS PHASE
FEDRAMP
NIST
NATIONAL INSTITUTE FOR STANDARDS AND TECHNOLOGY
NIST FRAMEWORK COMPONENTS
CORE
IMPLEMENTATION TIERS
PROFILES
FRAMEWORK CORE
CATEGORIES
5 HIGH LEVEL FUNCTIONS
FRAMEWORK IMPLEMENTATION TIER
the degree to which an organization’s Cybersecurity practices satisfy the outcome described by the subcategories of the Framework Core
4 TIERS
Tiers:
partial (the least degree),
risk-informed,
Repeatable,
Adaptive.
FRAMEWORK PROFILES
relationship between the present implementation of an organization’s cybersecurity activities (Current Profile) and their desired outcome (Target Profile).
This is determined by the organization’s business objectives, requirements, controls, and risk appetite
PCI DSS
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
PCI DSS DEFINITION
an information security standard, first published in 2004, for organizations handling customer payment data for several major credit card companies. It is managed by the Payment Card Industry Standards Council. Its purpose is to ensure that payment data is properly secured to reduce the risk of credit card fraud. As with other frameworks, PCI DSS consists of several requirements and an organization’s compliance must be assessed annually.
PCI DSS REQUIREMENTS
Most of these requirements resemble other industry best practices regarding network and system security, access control, vulnerability management, monitoring, etc. For example, Requirement 2 prohibits the use of vendor-supplied defaults for system passwords and other security-related parameters. Other requirements are credit-card-specific formulations of other familiar best practices. For example, Requirement 3 outlines what types of credit card data can be stored and how it must be protected.
CIS
CENTER FOR INTERNET SECURITY
CIS TOP 18
CIS Top 18: The Center for Internet Security (CIS) Critical Security Controls, also known as CIS Controls, is a set of 18 (previously 20) recommended controls intended to increase an organization’s security posture. While not laws or regulations, these controls pertain to areas that regulations are concerned with, including data protection, access control management, continuous vulnerability management, malware detection, and more.
CIS CONTROLS
set of 18 (previously 20) recommended controls intended to increase an organization’s security posture.
IMPLEMENTATION GROUPS
These controls are divided into safeguards (previously known as sub-controls), which, in turn, are grouped into three implementation groups (IG1, IG2, IG3) intended to help prioritize safeguard implementation.
IG1
IG1 consists of controls that are considered the minimum standard for information security meant to protect against the most common attacks and should be implemented by every organization. They are typically implemented by small businesses with limited IT expertise that manage data of low sensitivity.
IG3
IG3, which consists of all safeguards, is typically implemented by organizations with dedicated cybersecurity experts managing sensitive data that may be subject to oversight.
IG2
IG2 is composed of additional safeguards that are meant to apply to more complex organizations, typically those with multiple departments and staff dedicated to managing IT infrastructure with more sensitive customer and proprietary data
