lesson 1-4 Flashcards
Control objective
A control objective is a statement of desired result or purpose to be achieved by implementing a control or set of controls (What am I trying to achieve? Or what am I trying to accomplish?)
Ex: Control Objective: Protect Hosts from Malware Infiltration
AV software
Host firewall
Restricted email attachments
URL filtering
Sandboxing
vulnerability
a weakness
threat
potential danger
threat actor
an adversary with malicious intent
exploit
a threat actor is successful at taking advantage of a vulnerability
Proportionality
Control baselines should be proportionate to the criticality and sensitivity classifications of the asset being protected (Principle of Proportionality)
controls
Controls are tactics, mechanisms, or strategies that proactively minimize risk in one or more of the following ways:
* Reduce or eliminate a vulnerability
*Reduce or eliminate the likelihood that a *threat actor will be able to exploit a vulnerability.
Reduce or eliminate the impact of an exploit
Has to perform at least one to be considered a control. It can use more than one.
Defense-in-depth
(layered security) is the design and implementation of multiple overlapping layers of diverse controls
Controls should not be subject to a cascade (domino) effect and should maintain independence
The diversity of types of controls and associated vendors should be considered.
Cost Benefit analysis
the process of comparing the estimated costs and benefits to determine whether it makes sense to proceed from a business perspective.
*If the cost of the control is significantly lower than the losses without the control, the cost of the control is generally justified
*If the cost of the control is significantly higher than the losses without the control, the cost may not be justified
*When the cost and benefits are about the same, a return on investment (ROI) analysis is needed to determine whether the cost is justified.
Tailoring
customizing baseline recommendations to align with organizational requirements. (like buying a suit off the rack, its ok but you want it to fit better so you tailor it)
Scoping
elimination of unnecessary baseline recommendations that are not applicable.
Compensating
is substituting a recommended baseline control with a similar control
Supplementing
augmenting or adding to the baseline recommendations
Functionality-
is what a control does
Effectiveness
is how well a control works, effectiveness reflects the control’s consistent, complete, reliable, and timely operation.
Assurance
is a measure of confidence that the intended security controls are effective in their application.
Countermeasures
are controls implemented to address a specific threat.
Countermeasures are generally reactive.
Countermeasures may be more effective but less broadly efficient.
NIST Frameworks
Cybersecurity Framework (CSF)
Privacy Framework
Risk Management Framework
ISO 27014:2020
Information security, cybersecurity, and privacy protection
Technical (control category)
mechanisms are implemented using hardware, software, and/or firmware components. Can be native or supplemental. (Ex. firewalls, cryptography, authentication systems)
Managerial- (control category)
relate to risk management, governance, oversight, strategic alignment, and decision-making ( ex. Risk assessments, project management)
Operational (control category)
are aligned with a process that is primarily implemented and executed by people (ex. Change management, training, testing)
Physical (control category)
are designed to address physical interactions. Generally related to buildings and equipment. ( ex. Gates, locks, security guards)
Deterrent (control classification)
discourage a threat agent from acting
Preventative (control classification)
stops a threat agent from being successful.
Detective (control classification)
identify and report a threat agent or action
Corrective (control classification)
minimize the impact of a threat agent or modify or fix a situation.
Compensating controls
*Are controls implemented in lieu of a recommended control that provides equivalent or comparable protection
*Compensating controls can be supplemental in cases where the implemented control does not provide sufficient protection. For example in the case of a zero-day vulnerability.
*can be short-term or temporary
Directive controls
are often used to increase the effectiveness of other controls
* Proactive actions taken to cause or encourage a desirable event or outcome to occur.
Confidentiality
is the assurance that information is not disclosed to unauthorized persons, processes, or devices. Confidentiality covers data in storage, during processing, and in transit.
Integrity:
is the principle that systems are trustworthy, and work as intended, and the data is complete and accurate
Availability
is the principle that information systems and supporting infrastructure are operating and accessible when needed.
Authentication
is the process of verifying identity.
Authorization
is the process of approving access.
Accounting-
is the process of tracing actions to the source. Who did what
Non-Repudiation
is the process of securing the validity and origin of data
Privacy
the right of an individual to control the use of their personal information.
OECD PRIVACY PRINCIPLES
- Collection Limitation
- Data Quality
- Purpose Specification
- Use Limitation
Collection Limitation
Collection of personal data should be obtained by lawful and fair means and where appropriate, with the knowledge or consent of the data subject
Data Quality
Personal data should be relevant to the purpose collected and should be accurate, complete, and kept up-to-date
Purpose Specification
The purposes for which personal data is collected should be specified no later than at the time of data collection
Use Limitation
Personal data should not be disclosed or otherwise used for purposes other than specified except with the consent of the data subject; or by authority of law
Zero trust
Is a security framework requiring all subjects, assets, and workflows to be authenticated, authorized, and continuously validated before being granted or keeping access to applications and data.
*The goal is to prevent unauthorized access to data and services
CORE PRINCIPLES OF ZERO TRUST (NIST SP 800-207)
- Continuous verification- always verify access, all the time, for all resources
- Access limitation- Access to individual enterprise resources is granted on a per-session basis.
- Limit the “Blast Radius”- Minimize impact if the internal or external resources are breached. Segmentation, least privilege
- Authomate- we can’t do this manually, automate contest collection response. Credentials, workloads, endpoints, SIEMS, threat intelligence.
control plane
The control plane is used by infrastructure components to maintain and configure assets, access control, and communication security. In a ZT environment, requests for access are made through the control plane.
data plane
The data plane is used for communication (moving data) between software components.
Policy Decision Point (PDP)
The PDP functions as a gatekeeper. The PDP has two logical components
Policy Engine
Policy Administrator
Policy Engine (PE)
The PE is responsible for the ultimate decision to grant access to a resource for a given subject.
Policy Administrator (PA)
The PA generates any specific session-specific authentication and authentication token, or credential used to access an enterprise resource.
Policy Enforcement Point (PEP)
The PEP is responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource.
Physical Security
the protection of people, property, and physical assets from actions and events that could cause damage, loss, or unauthorized activity.
Crime Prevention Through Environmental Design (CPTED)
the proper design and effective use of the physical environment can lead to a reduction in the incidence and fear of crime and increase safety.
* relies on psychological and sociological responses.
*People protect territory they feel is their own, and people have a certain respect for the territory of others
*Intruders do not want to be seen
*Limiting access discourages intruders and or marks them as intruders.
Fail-safe
implies that in an emergency or fault situation, controls will default to open (unlocked)
Fail-secure
implies that in an emergency, controls will default to close (locked).
Passive Infrared
Senses change in heat signatures
Photometric-
Senses change in light
Acoustical
Senses change in noise
Microwave
Senses movement within an invisible field of energy (between the transmitter and receiver)
Ultrasonic
proximity sensor that measures the distance of a target by emitting ultrasonic sound waves and converting the reflected sound into an electrical signal.
Pick Resistant locks
have an extra set of tumblers. These locks are resistant to lock bumping. These locks are complex and difficult to reproduce keys
access control vestibules
Barriers such as wall fences, gates, and bollards define the perimeter and can be used to control and divert traffic flow.
ENVIRONMENTAL BASELINES
- Temperature- The acceptable temp for an area containing computing devices is between 18-27 degrees C (64.4-80.6 F). Circulation must take into account temp.
- Humidity- High humidity can cause corrosion and low humidity can cause excessive static electricity. Relative humidity between 50-70% is acceptable,
- Power-Continuous clean (filtered) power, consistent voltage
- FIre- Fire detection and suppression capabilities
ESD (Electronic Discharge)
releases static electricity when two objects touch. This can damage or destroy electronic components. ESD can be minimized by using antistatic grounding workbenches, mats, bags, and wristbands. Electrical storms can increase the ESD risk.
EMI (Electromagnetic Interference RFI (Radio frequency Interference) -
Equipment and copper cables are sensitive to EMI. Equipment should have limited exposure to magnets, fluorescent lights, electric motors, space heaters, and wireless access points. The copper cable should be shielded.
Brownout-
A prolonged period of low-voltage
Sag
Moment of low voltage
surge
Prolonged period of high voltage
spike
Moment of high voltage
blackout
Prolonged period without power
Honeynet
is multiple linked honeypots that simulate a network environment.
Honeypot
A honeypot is a decoy system (e.g., a web server). High interaction honeypot is running the application that it says it is. Low interaction Honeypot is not running those services; it just appears they are.
Honeyfiles
a decoy file located on a network file share. Honeyfiles are designed to detect access and exfiltration attempts.
Honeytoken
is a beacon embedded into a document, databases, images, directory, and folders. They are used to identify the attacker.
* used to track malicious actors revealing critical information about their identity and the methods they use to exploit a system
Spam Traps/ honey traps
(fake email address) are used to identify and block spammers. Legitimate mail is unlikely to be sent to a fake address, so when an email is received, it is most likely spam.
DNS Sinkhole-
is a DNS server that responds with false results. They can be used to redirect malicious traffic so that it can be captured and analyzed by security analysts. Sinkholes are most often used to seize control of botnets by interrupting the DNS names of the botnet that is used by the malware.
CONFIGURATION MANAGEMENT
A set of practices designed to ensure that configuration items (CI) servers, routers, and software, are deployed in a consistent state and stay that way through their lifetime.
The goal of configuration management is to minimize risk
Configuration Item (CI)
Is an aggregation of information system components and treated as a single entity throughout the configuration process
Baseline Configuration (BC)
is a set of specifications for a CI, that has been reviewed and agreed upon and can be changed only through change control procedures. The baseline config. Is used as a basis for future builds and releases.
AUTOMATED PROVISIONING
The ability to deploy IT or OT systems and services using predefined, automated procedures without requiring human intervention.
*Automation is used to ensure consistency in provisioning in support of configuration management.
Demand-generated resource allocation-
the automatic provisioning and de-provisioning of resources based on demand
Idempotence
is a principle that every time an automated configuration script is run, the same result is produced.
Immutable System
principle that resources should not be changed, only created and destroyed. Utilizes automation to replace rather than fix
Infrastructure As Code
using code as configurations and automate provisioning of infrastructure. Supports the principle of Idempotence.
change management
Change Management is to drastically minimize the risk and impact a change can have on business operations
Rollback Strategies
Recovery to the previous state (Backout plan)
Standard Change
is one that occurs frequently, is low risk, and has a pre-established procedure with documented tasks for completion (patch management)
Normal Change
is one that’s not standard but not an emergency. Can be approved by a change control board or committee.
Major Change
may have significant financial implications and or be high risk. Such a change often requires multiple levels of management approval.
Emergency
is one that must be assessed and implemented (without prior authorization) as quickly as possible to resolve a major incident.
KPI (key performance indicator)
are business metrics used to measure performance in relation to strategic goals and objectives
1. Successful Changes- The number of changes that have been completed successfully compared to the number of completed changes. The Higher the percentage the better
2. Backlog of Changes- The number of changes that are not yet completed. While this absolute number depends on the size of the organization, it should not grow over time
3. Emergency Changes- The number of completed emergency changes. While this number depends on the size of the company, it should not trend upward.
Cryptography
the conversion of communication into a form that can only be read by the intended recipient.
Encryption
this is a process of encoding information. The use case of encryption is confidentiality.
Hashing
is a one-way function that turns a file or string of text into a unique digest of the message. The use case for hashing is integrity.
Digital Signatures
is a hash value encrypted using the sender’s private key. The use case is sender authenticity and nonrepudiation(the sender can’t deny they sent the message)
Digital Certificates
is a digital object that is tied to a cryptographic key pair. The use case for a digital certificate is authentication
Ciphertext
is encrypted or human-unreadable text
Algorithm
a mathematically complex modern cipher. Need to have a computer to solve it.
KEY
is a secret value used with an algorithm. The Key dictates what parts of the algorithm will be used, is what order, and with what values.
Trusted Platform Module (TPM)
is a hardware chip used for storing cryptographic keys and related information
Hardware Security Module (HSM)
is a hardened tamper-resistant hardware devices that secure cryptographic keys and related information
Secure Enclave
a separate processor & microkernel used for storing and processing cryptographic keys and related information in mobile devices
Deprecated
means that the use of algorithm and key length is allowed, but the user must accept some risk due to inherent weaknesses.
Broken
means that the algorithm and or key length is exploitable.
SYMMETRIC ENCRYPTION
Uses the same key to encrypt and decrypt. The key may be referred to as a single key, shared key, secret key, or session key.
SYMMETRIC ALGORITHMS
- DES- 64-bit key size, 16 rounds of substitution and transposition
In 1998 demonstrated that it could be broken in less than 56 hours - 3DES- 64-bit key size, 48 rounds of substitution and transposition using either 2 or 3 keys.
In 1999 replaced the DES as a US Gov. standard
Considered to be deprecated(it’s weak and has a lot of risk) - AES | Rijndael - 128 or 192 or 256 bit key w/10 or 12 or 14 rounds of substitution and transposition.
In 2002 it replaced 3DES as the US standard - RC4- stream cipher, Key sizes 40-2048 bits
4 variants: SPRITZ, RC4A, VMPC, RC4A+
ASYMMETRIC ENCRYPTION
Uses two mathematically related keys to encrypt and decrypt. The keys are referred to as public and private keys. The public key is freely distributed, The private key must be secured.
ASYMMETRIC ALGORITHMS
- RSA- widely implemented de facto commercial standard. Words with both encryptions and digital signatures.
- Elliptic Curve Cryptosystem ECC- similar function to RSA but with smaller keys so it takes less computing power. Current US Gov. standard
- Diffie-Hellman- Primarily used for key agreement (key exchange) Allows two parties( in the same DH group) that have no prior knowledge of each other to jointly establish a shared secret key.
- El Gamal- Primarily used for transmitting digital signatures and key exchange
Key management
describes the activities involving the handling of cryptographic keys during their entire lifecycle.
KMPS
a Key management practices statement is a document that describes in detail the organizational structure, responsible roles and rules for key management.
HASHING
The objective of hashing is to prove integrity. Hashing produces a visual representation of a data set that can be used for comparative purposes. The output is known as a message digest, fingerprint, or hash value.
one-way representation
Output must not be reversible. one of the 3 hashing criteria
collision attack
is a cryptographic attack where two different inputs produce the same hash value, compromising the integrity of the hash function.
different output for the same input
Message Digest (MD) - hash function
MD4 was developed by Ron Rivest in 1990 and has been broken.
MD5 (current use) is subject to collision attacks and is considered broken, however, it can be used for non-cryptographic purposes.
Secure Hash Algorithm (SHA) - hash function
Was developed by the NSA
SHA-1 is subject to collision attacks
Secure versions include the SHA -2 and SHA-3 families
RIPEMD- hash function
RIPEMD-160 is a cryptographic hash function based upon the Merkle-Damgard construction. It is used in the Bitcoin standard.
Salting-
salts are random values appended to the input to negate the value or rainbow tables
Rainbow tables are publicly available tables of precomputed hashes.
digital signature
is a message digest that has been encrypted using the sender’s private key
The objective of a digital signature is to prove integrity and non-repudiation. Non-repudiation means that the singer cannot deny sending the message
RSA- hashing algorithm
Widely implemented and the commercial standard. Works with both encryption and digital signatures
Digital Signature Algorithm (DSA)
Published by NIST is a cooperation with the NSA. US Gov. digital signature standard.
Digital Certificates
used to generate a private key and to bind a public key to its owner. Digital certificates are issued by commercial entities. Alternately they can be self-generated
X.509 standard
The X.509 standard is a widely used framework for defining the format of public key certificates. defines the distribution procedures.
web of trust
certificates that can be signed and validated by other users
certificate authorities (CA)
Digital certificates are issued by commercial trusted parties like the CA
A Registration Authority (RA)
offloads some of the work from the CA. The RA can accept and process registration requests and distribute certificates.
Root certificate
verifies the identity of a root certificate authority in a chain of trust
Trusted/Intermediate
Verifies root and intermediate certificate authorities.
Certificate Revocation List (CRL)
maintained list of certificates that have been revoked
Online Certificate Status Protocol (OCSP)
A process designed to query the status of a certificate in real time.
Blockchain
is a distributed, decentralized, public ledger. Blocks are linked using cryptography
Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data.
HOMOMORPHIC ENCRYPTION
Allows for encrypted data to be processed. Uses complex mathematical operations to allow a variety of computations (or operations) on encrypted data.
*Partially Homomorphic encryption (PHE)- one operation can be performed an unlimited number of times on the ciphertext
*Somewhat Homomorphic encryption (SHE)- Supports limited operations up to a certain complexity, but there operations can only be performed a set number of times.
Quantum cryptography
applies principles of quantum mechanics to encrypt messages.
Post-quantum cryptography
develop cryptographic systems that are secure against both quantum and classical computers and can interoperate with existing communications, protocols and networks.
Steganography
Is the science of hiding information
Consists of a message and a cover image. The massage is the secret data, cover image is the carrier that hides the message
Steganalysis
is the study of detecting messages hidden using Steganography
DIGITAL COVER IMAGES
- Text- Hiding information in text files (every nth letter)
- Image- Hiding information in image files (BMP, JPEG, GIF, PNG)
- Audio- Hiding information in audio files (MP3, AU, WAV)
- Video- Hiding information in video files (MPEG, MP4)
concealment
The objective of Steganography
digital watermark
is a hidden message that is used to prove or claim ownership (generally intellectual property or artistic work)
