Lessons 20-24 Flashcards
SCRIPTING TOOLS
- Python- A high-level, versatile programming language. (Writing scripts, building websites, data analysis, automation, machine learning.)
- PowerShell- A task automation and configuration management framework from Microsoft, consisting of a command-line shell and scripting language. (Managing Windows systems, automating administrative tasks.)
- Bash- A Unix shell and command language. (Running commands and scripts on Unix/Linux systems, automating tasks.)
- Macro- A set of instructions that automate repetitive tasks within software applications. (Automating tasks in applications like Microsoft Excel or Word.)
SCRIPTING
A set of instructions used to automate a sequence of repetitive tasks
VBA ATTACK
A VBA (Visual Basic for Applications) attack is a type of cyber attack that exploits the VBA programming language used in Microsoft Office applications like Excel, Word, and Access. Attackers embed malicious VBA code into Office documents, and when the document is opened and macros are enabled, the code executes, potentially compromising the user’s system.
Security orchestration, automation, and response (SOAR)-
an automation tool that reduces response times, improves consistency and amplifies the productivity of incident response teams.
INCIDENT MANAGEMENT
Is inclusive of roles and responsibilities, strategies, and procedures for preparing for, responding to, and managing security incidents
Security incident-
an event or action that endangers the confidentiality, integrity, or availability of information or information systems.
Data breach
when data is exfiltrated or extracted, or there is a loss of control. A data breach may trigger reporting and notification requirements.
Incident prevention & Incident preparation-
- Prevention: threat modeling, risk assessment, controls implementation, monitoring, and assurance activities.
- Preparation: planning, documenting, assigning responsibilities, training, and practicing response capabilities.
Incident detection & Incident response-
- Detection: monitoring, incident reporting, analysis, and participation in threat intelligence and information-sharing activities.
- Response: validation, containment, mitigation, eradication, recovery, and evaluation activities.
INCIDENT PLAYBOOK
Is a set of instructions for planning for, and responding to, a specific type of event, attack or scenario
Categorization
the process of classifying incidents based on severity.
Escalation thresholds
the point at which an incident or issue requires a higher level of attention or response.
INCIDENT RESPONSE TEAM
IRT
a group of experts who are responsible for managing and responding to cybersecurity incidents within an organization.
Walkthrough
personnel or departments review (walk through) their plans and procedures for completeness. Accuracy is the objective.
Tabletop
a scenario-based group workshop that focuses on the application of plans and procedures as well as participant readiness. Objectives are familiarity, coordination, and accuracy.
Simulation-
a localized scenario that simulates an actual event. A pre-planned simulation is scheduled, and attendees are invited. In a surprise simulation, attendees are notified “at the moment”. Objective: readiness.
VALIDATION
Determine whether an incident has occurred and, if so, the type, extent, and magnitude of the problem
Indicator-
tells us that something is happening or has happened
PRIORITIZATION
The process of determining the order of importance or urgency. It is the most critical decision point in the incident handling process.
CONTAINMENT
A short-term approach to limiting or reducing the impact of an incident
ERADICATION
Is inclusive of the steps taken to correct and/or eliminate the root cause (not just the symptoms) that led to the incident
Root cause analysis (RCA)
a method of problem-solving used to investigate known problems and identify what happened and the underlying causes
The main goal of RCA is to prevent the problem from recurring by eliminating the root cause
CYBER INVESTIGATIONS
Can be triggered by a variety of incidents. (intrusion, extortion, insider activity)
3 types of investigations: criminal, civil, and internal (administrative)
Evidence collection is the first step of the investigation.
Direct evidence
supports the truth of an assertion directly
Circumstantial evidence
relies on inference to connect it to a conclusion of fact.
E-DISCOVERY
Refers to any process in which digital data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal law case.
A legal hold
an order that suspends the modification, deletion, or destruction of records or media. It can be issued to prevent evidence spoliation.
evidence spoliation
the intentional, reckless, or negligent withholding, hiding, alteration, fabrication, or destruction of evidence.
EVIDENCE COLLECTION
Collection of digital evidence is the first step of a forensic investigation.
Governed by 2 main rules
Admissibility of evidence- whether the evidence can be used in court
Weight of evidence- the quality and completeness of the evidence
There is tension between response (find and fix) teams and evidence collectors.
VOLATILITY
The acquisition of evidence before it disappears, is overwritten, or is no longer useful
The goal is to create a snapshot of the environment as it existed at the time of the attack or incident
Persistent data-
data that does not change and is preserved when the device is turned off
Volatile data
data that easily degrades and can be lost when the device is turned off.
chain of custody
is chronological documentation that records the collection, control, transfer, analysis, and disposition of evidence.
Factual witness
a person who is knowledgeable about the facts of the case through direct participation or observations
Expert witness
a person who has knowledge beyond that of an ordinary person. Experts can give opinions
DIGITAL FORENSICS
The application of science to the identification, collection, examination, and analysis of data (evidence) while preserving the integrity of the information.
CHECKSUM INTEGRITY
A checksum is a single value derived from a block of digital data to detect errors that may have been introduced during its transmission or storage
Checksums are like hashes in that they are used to verify data integrity; however, they use simpler algorithms and are smaller than hashes.
FILE RECOVERY TERMINOLOGY
Cluster- a fixed length block of disk space indexed in a file allocation table or equivalent
Slack space- The space between the end of a file and the end of a cluster. Slack space can contain data from RAM or segments of deleted files
Unallocated (free) space- clusters that are not allocated to a file. These clusters can contain deleted file fragments.
Carving is the process by which deleted files or fragments are recovered
Metadata- data about data
write blocker
used to intercept inadvertent drive writes
clone
exact copy of the entire physical hard drive.
DATA BREACH
an incident where unauthorized individuals or entities gain access to legally protected or confidential information stored by an organization, resulting in the potential misuse, loss, theft, or exposure of that data.
THE DARK WEB
Is the part of the internet that is not indexed by search engines and is known for its anonymity. Compromised data often ends up on the dark web after a data breach occurs.
Disclosure
the requirements to reveal the situation
Notification
the act of informing affected parties
INFORMATION SHARING
Describes a means of conveying information or experience from one trusted party to another
An information sharing and analysis center (ISAC)
is a trusted sector-specific entity that facilitates sector-specific and/or geographic-specific information sharing about vulnerabilities, threats, and incidents
Structured Threat Information eXpression (STIX)-
is a standardized language developed by MITRE and the OASIS cyber threat intelligence (CTI) technical committee for describing cyber threat information. STIX is structured to describe a threat in terms of motivations, abilities, capabilities, and response.
Trusted Automated eXchange of Intelligence Information (TAXII)-
defines how cyber threat information can be shared via services and message exchanges by defining an API. It is designed specifically to support STIX information.
The three principal models for TAXII are:
- Hub and spoke- one single source of information
- Source/subscriber- one single source of information
- Peer-to-peer- multiple groups share information
downstream liability
is responsibility for damages that result from a security compromise in your business
DATA SOURCES
Incident investigation often requires analysis of several data sources in order to draw a defensible conclusion
log data
log data is a record of events or activities that occur within a computer system, network, or application.
METADATA
Data about data; it is machine-readable and searchable
PACKET CAPTURE
The process of intercepting and logging traffic for analysis
Protocol analyzer (sniffer)
a tool used to capture and analyze network packets (data can also be imported for analysis)
A port mirror
captures network traffic from one or several ports of a switch and forwards a copy of the traffic to an analysis device
Network tap
a dedicated hardware device that is inserted between network devices, such as a switch and a router, and makes copies of the traffic and forwards them to an analysis device.
ENTERPRISE GOVERNANCE
The system by which entities are directed, controlled, and held to account
SECURITY LEADERSHIP AND GOVERNANCE
As applied to information/cybersecurity, governance is the responsibility of leadership to determine and articulate the organization’s desired (future) state of security.
A role
is a specific position or job title that an individual occupies within an organization or group
Stewardship
is responsible oversight and protection of something entrusted to one’s care
Responsibility
refers to the specific duties or tasks that an individual is expected to fulfill within a given role
Strategy-
determine the desired (future) state of information/cybersecurity. Codify it in strategy and policy. Provide funding.
Due care
a legal construct defined as exercising the standard of care that a prudent person would have exercised under the same or similar conditions.
Fiduciary-
a person or organization who holds a position of trust. Being a fiduciary requires being bound both legally and ethically to act in the trustor’s best interest.
Oversight
oversight and authorization of organizational activities
Privacy Officer
is responsible for developing, implementing, and administering all aspects of an organization’s privacy program
Compliance officer-
responsible for identifying applicable statutory, regulatory, and contractual requirements, as well as ensuring compliance with them
Physical security officer-
responsible for ensuring that appropriate physical security procedures have been established and controls implemented.
Internal audit-
responsible for providing independent, objective assurance services.
Owners, Custodians & Users-
- Owners are responsible for oversight and decisions related to classification, access control, and protection
- Custodians are responsible for advising, implementing, managing, and monitoring data protection controls
- Users are responsible for treating data and interacting with information systems in accordance with organizational policy and handling standards
POLICY
The objective of a policy is to communicate and codify management requirements, and to provide direction.
Information security policies
codify the high-level requirements for protecting information and information assets, and ensuring confidentiality, integrity, and availability.
Agreements-
are used to enforce policies and related governance publications legally.
Standards & Baselines & Guidelines-
- Standards serve as precise specifications for the implementation of policy and dictate mandatory requirements. Standards must be unambiguous
- Baselines are the aggregate of standards for a specific category or group, such as a platform, device type, ownership, or location
- Guidelines help people understand and conform to a standard. Guidelines are customized to the intended audience and are not mandatory.
Policy (example)-
multifactor authentication is required for access to data and systems classified as confidential
Standard (example)-
multifactor authentication requirements for data and systems classified as confidential. Factor 1: 8-digit numeric PIN, no repeating characters, changed every 90 days. Factor 2: biometric fingerprint
ACCEPTABLE USE POLICY (AUP)
Details user community obligations about information and information systems
An AUP contains rules that specifically pertain to acceptable behavior, activities that are required, and actions that are prohibited
RISK
Is broadly defined as uncertainty of outcome.
Low-risk volatility
means that the level of risk is relatively stable and predictable over time
High-risk volatility
means that the level of risk is likely to fluctuate significantly over time
RISK VELOCITY
Measures how fast an exposure can impact an organization
Is the time that passes between the occurrence of an event and the point at which the organization first feels its effects
CASCADING RISK
Is the principle that, often, risks are linked, and failing to address one risk could cause a chain reaction
Cascading risk is divided into 3 categories:
- Parallel risk
- Serial risk
- Mixed risk
RISK APPETITE
The level of risk that an organization is comfortable engaging in
RISK MANAGEMENT
Implies that actions are being taken to either mitigate the impact of an unfavorable outcome and/or enhance the likelihood of a positive outcome
RISK ASSESSMENT
A structured method of understanding risk
RISK ANALYSIS
The process by which the likelihood, impact, and level of risk are determined
Inherent risk- the level of risk before controls or safeguards have been implemented
Residual risk- the level of risk after controls or safeguards have been implemented
QUALITATIVE RISK ANALYSIS
Uses well-defined descriptive terminology to indicate likelihood, impact, and residual risk.
Qualitative
uses narrative to describe likelihood and impact. Outcome is a descriptor.
Quantitative-
assigns numeric and monetary values to likelihood and impact. Outcome is monetary
ALE (annualized loss expectancy)-
the financial impact on an annualized basis
ARO (annualized rate of occurrence)-
how many times in a single year the event is expected to occur
SLE (single loss expectancy)-
the financial impact of a single event
Risk response
the responsibility to determine how to respond to the outcome of a risk analysis
Risk treatment-
to select one or more options for addressing an identified risk.
Risk tolerance
tactical and specific to the target being evaluated.
Risk appetite
a strategic construct broadly defined as the level of risk an entity is willing to accept in pursuit of its mission
Risk exception
a formal acknowledgment that a risk has been identified, but it is not feasible or practical to implement standard risk treatment or control measures. Workarounds may be implemented
Exception handling-
the process of approving an exception on either a temporary or permanent basis
Risk exemption-
a formal decision not to address risk at all. Generally implemented when the potential impact of a risk is low, and the cost and effort required to mitigate the risk are disproportionate to the potential impact.
Risk monitoring
a continuous activity that is used to identify trends, failures, or opportunities and respond in an efficient and appropriate manner
Risk reporting
the process of communicating real-time risk and performance data to stakeholders.
Risk register
a dynamic, central repository for all risk-related documentation, tracking, and accountability, including acceptance, exceptions, and exemptions.
Heat maps
a visualization tool to convey likelihood and impact
Dashboards
a visualization tool to convey security posture.
Metrics
predefined measures, usually in the form of Key Risk Indicators (KRIs).
KEY RISK INDICATORS (KRIs)
Are predictors (early warning signs) of unfavorable events that can adversely impact an organization
A leading indicator
looks forward at future outcomes and events. Leading KRIs are measures that are considered predictive in nature. They are derived from metrics that can help to forecast future occurrences.
Lagging indicator-
looks back at what happened. Lagging KRIs are metrics based on historical measures and are used to identify trends.
BUSINESS IMPACT ANALYSIS
Characterizes the system components, supporting business processes, and interdependencies.
MAXIMUM TOLERABLE DOWNTIME MTD
Represents the amount of time the system owner is willing to accept for a service/process outage or disruption and includes all impact considerations.
Service delivery objective (SDO)-
the acceptable level of operations in alternate processing mode
RPO
recovery point objective is the acceptable data loss. This translates to the point in time, prior to the disruption, to which data can be recovered.
RTO
recovery time objective is the amount of time allocated for system recovery before negatively impacting other systems
MTTR
mean time to repair is the average time it takes to repair a failed component or device
MTBF
mean time between failures is a measure of reliability (usage stated in hours)