Introduction Flashcards
Risk-Reduction ROI Formula
(reduction in risk in $ - cost of control) / cost of control
Reduction in Risk Formula
Annualized rate of occurrence * expected monetary loss for a single event * reduction in probability of risk occurrence with the control
Compliance vs. Security
- Compliance: Regulatory Frameworks, risks, standards, policies, documentation
-> only mandates basic security hygiene
-> should be technology-neutral
- Security: Authentication Mechanisms, Secure IT Environment, Physical Controls, Network Access, Business Processes
-> Compliance measures security
Advanced Persistent Threat (APT): Characteristics
- Sophisticated & sustained
- Undetected presence over a prolonged period of time
- High degree of customization
- Experienced and well-funded attacker
APT categories
- Cyberespionage
- Financial crimes
- Hacktivism
- Destruction
APT Modus Operandi
- Stage 1: Planning
- Stage 2: Infiltration
- Stage 3: Expansion
- Stage 4: Execution
APT: Planning
1) Research the target
2) Assemble a team of attackers
3) Acquire or build the necessary tools
4) Test the target’s detection capability
5) Zero-day vulnerability hunts on used technology
APT: Infiltration
5) Distraction with a DDoS attack
6) Initial Infiltration on found vulnerability to enter system
APT: Expansion
7) Expand access across the network
8) Move laterally through the system
9) Gather target data in bundles
APT: Execution
10) White noise attack (DDoS as a distraction)
11) Exfiltrate data
12) Leave a backdoor for future attacks
-> also: clean-up, erase footsteps
Common types of security vulnerabilities
- Vulnerabilities in the source code
- Misconfigured system components
- Trust configurations
- Weak credentialing practices
- Lack of strong encryption
- Insider threat
- Psychological vulnerability
- Inadequate authentication
- Injection flaws
- Sensitive data exposure
- Insufficient monitoring and logs
- Shared tenancy vulnerabilities
Attack vector definition
- The methods that attackers use to break into a network
- Sum of all attack vectors: attack surface
Common attack vectors (categories)
- Targeting the network vulnerabilities
- Targeting the network services
- Targeting the users
Attack vectors: Network Vulnerabilities
- Missing or poor encryption
-> Measure: Encryption while data is at rest, transferred or processed
- Misconfiguration
-> Measure: Micro-segmentation policy
- Session Hijacking
-> Measure: Secure Channel Protocols
- MITM
-> Measure: Encryption
- Cross-Site-Scripting/SQL-Injection
-> Measure: Don’t trust user’s input (sanitize)
–> attacks can be made harder or even prevented without affecting the services
Attack vectors: Network Services
- Brute Force attacks
- (D)DoS
- Zero-Day-Exploits
–> Can’t be prevented without affecting the services
Attack vectors: Users
- Phishing
- Typosquatting
- Compromised, weak or stolen credentials
- Trust relationships
- Malicious insiders
–> Awareness Training
Other common attack vectors
- Ransomware
- Third party vendors
Future Shift of Attack Vectors
- IoT
- Home office
- “Always on”
- Miniaturization (ever smaller hardware)
- Quantum computers
- Breaking old protocols with new methods
Social Engineering Definition
Using the human component to perform reconnaissance of a network
Social Engineering: Six Levers
- Reciprocation
- Scarcity
- Consistency
-> Users do not scrutinize “everyday” things closely
- Liking
- Authority
- Social validation
-> Swarm intelligence
Popular social engineering attacks
- Pretexting
-> construct a lie such that the victim believes it is real
- Diversion theft
-> Convince the courier that the service is required somewhere else
-> MITM
- Phishing
- Vishing
-> phone systems
- Spear-phishing
-> more targeted, background information
- Water holing
-> exploit vulnerabilities on trusted sites
- Baiting
-> flash drive
- Quid pro quo
- Tailgating
Defenses against Social Engineering
- Education/training
- Multi-layer defense
- Password guidelines
- Technical defenses against special attacks
Security Operations Center (SOC) Definition
- Centralized unit offering services regarding IT-Security
- Can be internal within an organization or external, providing remote services for outside parties
- Consists of a security team that defends the network against unauthorized activities. Responsibilities include protection, monitoring, detection, and analysis
SOC: Roles and Responsibilities
- Tier 1: Incident detection, incident triage
- Tier 2: Incident Responder
- Tier 3: Incident Resolution, post-incident, threat hunter
- SOC manager: supervision
SOC: Services
- Preventive:
-> Real time monitoring and triage, including call center
-> Prevention of cybersecurity incidents
-> Regular vulnerability scans for network and hosts
- Detective:
-> Incident analysis and response
-> Forensic artifact analysis
-> Deploying countermeasures
- Post:
-> Regular security policy adaptation and consultation
-> Sensor tuning and maintenance
How to collect Cyberintelligence
- Cyber news feed
- Signature updates
- Incident reports
- Threat briefs
- Being up to date with tactics, techniques and procedures (TTP) of advanced adversaries
SOC data sources
- Monitoring systems
- Calls / E-mails from employees, customers
- Broadcast messages from providers/agencies/authorities
- Threat intelligence
Security Information and Event Management (SIEM)
- One of the most important tools in a SOC
- Basic tasks: data aggregation, correlation, alert ranking and prioritization, alerting
Incident Handling Process
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learnt
Identification vs. Authentication
- Identification is the ability to uniquely identify a user of a system or an application
- Authentication is the ability to prove that a user or an application really is the person or application it claims to be