Mitigation Basics, Patches & Intro into Insider Threats Flashcards

1
Q

What are the 6 categories of Security Controls?

A

Directive: Controls that guide users to adopt safer behaviours, such as security training or establishing codes of conduct. Deterrent controls, a type of directive control, influence behaviour by linking risky actions to penalties, like criminal charges for hacking.

Preventative: Controls that safeguard assets by preventing risky actions, such as enforcing password requirements or securing assets behind locked doors to block unauthorised access.

Compensating: Also known as alternative controls, these are implemented when standard controls are too challenging or impractical to deploy immediately. For instance, while large expenses typically require approval from two authorised employees to prevent fraud, a compensating control in a small company might involve approval by a single person with thorough monitoring and audits.

Detective: Controls designed to detect an attack, in progress or after the fact, such as monitoring and alerting on failed login attempts. The account lockout that often follows once a threshold is reached is strictly a preventive action triggered by the detection; the detective part is noticing the attempts and raising the alert.

Corrective: Controls aimed at reducing the impact if a risk occurs, such as using an uninterruptible power supply during a power outage.

Recovery: Recovery controls focus on repairing damage after an incident. A common example is restoring data from backups following accidental deletion or disk failure.
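
The detective control from the list above, written out as an added example (this is not code from the flashcards). It runs over constructed sshd-style auth log lines with made-up hostnames and addresses, and alerts when one source address exceeds a failure threshold inside a sliding window. The alert is the detective control; what a responder does with it (lockout, block) is a separate preventive or corrective action.

```python
"""Added example: a detective control over failed logins.

The log lines below are constructed to look like OpenSSH's auth.log output;
the process IDs, usernames and addresses are invented for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-05-01T09:00:03 sshd[1201]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-05-01T09:00:04 sshd[1203]: Accepted publickey for alice from 198.51.100.20 port 40100 ssh2
2024-05-01T09:00:06 sshd[1204]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-05-01T09:00:09 sshd[1205]: Failed password for root from 203.0.113.7 port 51006 ssh2
2024-05-01T09:00:12 sshd[1206]: Failed password for root from 203.0.113.7 port 51008 ssh2
2024-05-01T09:30:00 sshd[1300]: Failed password for bob from 198.51.100.20 port 40102 ssh2
2024-05-01T09:31:00 sshd[1301]: Failed password for bob from 198.51.100.20 port 40103 ssh2
"""

# Only failed password attempts match; successful logins and other sshd
# messages are ignored by the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, user, source_ip) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def detect_bruteforce(text, threshold=5, window_seconds=600):
    """Return a list of (source_ip, first_ts, last_ts, users) alerts.

    Keeps a sliding window of recent failures per source address. When
    `threshold` failures from one address fall inside `window_seconds`, one
    alert is raised and that address's window is reset, so a sustained attack
    yields one alert per batch rather than one per line."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (timestamp, user)
    alerts = []
    for ts, user, src in parse_failures(text):
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, q[0][0], ts, sorted({u for _, u in q})))
            q.clear()
    return alerts


if __name__ == "__main__":
    for src, first, last, users in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {src}: {len(users)} user(s) {users} "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

With the defaults, only 203.0.113.7 trips the alert (five failures in eleven seconds); the two failures from 198.51.100.20 a minute apart stay below the threshold. The window pruning is what separates a genuine burst from a user who mistypes a password twice an hour.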

2
Q

What are the four questions you should ask yourself in relation to the efficacy of your security controls?

A
  1. Are the selected security controls appropriate to reduce the risks?
  2. Have those security controls been correctly implemented?
  3. Are processes in place to determine whether security controls are actually reducing risk?
  4. Has the introduction of security controls introduced new vulnerabilities into the system?
3
Q

Other than hardware, software and infrastructure, what are the other three aspects to consider for effective security control?

A

Effective security controls must cover more than the technology; the three non-technical considerations are:
1. People and culture, addressed through appropriate staff training.
2. Attitudes and processes, improved by raising people's awareness of cyber security risks, complemented by suitable technologies such as encrypting data to prevent unauthorised access.
3. Procedures and standards, implemented through compliance with appropriate legislation, standards and guidelines (such as the Data Protection Act 2018, or PCI DSS for card payment data).

4
Q

What are the two types of mandatory security controls?

A

While it is always prudent for an organisation to have security controls in place, certain circumstances make them mandatory:

Legislation: National or international laws may mandate security controls for organisations to remain compliant.

For instance, the Data Protection Act 2018 requires organisations to protect personal data with appropriate technical and organisational measures (encryption being one example), which limits the impact of a data breach.

Industry-standard regulations: Organisations might be required to adhere to specific regulations that, while not law, are mandatory for those operating in certain sectors or serving particular industries.

For example, companies handling debit and credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS), which prohibits storing sensitive authentication data after a transaction has been authorised, even in encrypted form. This includes the three-digit card verification value printed on the back of the card (four digits on the front of American Express cards), used to authenticate 'card not present' transactions such as those made online or over the phone. Not storing it means an attacker who breaches the merchant's systems is still missing a piece of data needed to make fraudulent card-not-present payments.

5
Q

What are the two most widely adopted security control standards?

A

The two most widely adopted are:

ISO/IEC 27001 (Information Security Management) standard (ISO, 2013)
NIST Special Publication 800-53 (NIST, 2020).

For UK businesses the NCSC offers a far lighter-weight baseline than either of these: the Cyber Essentials scheme, a short checklist covering five technical control areas (firewalls, secure configuration, user access control, malware protection and security update management).

  • REMEMBER: adhering to legislation is the minimum standard required for compliance.
6
Q

What is software patching?

A

Software patching is the process of updating software to fix vulnerabilities, bugs, or security flaws. It involves applying updates or “patches” provided by the software vendor to enhance security, improve performance, or add new features, ensuring the software remains secure and functional.

NOTE: Improperly applied or poorly programmed patches can introduce new risks by affecting the availability or functionality of a system. Most large organisations use a ‘patch management programme’ to handle the testing, distribution, and installation of software updates. This process can be partially automated with dedicated patch management software, which identifies vulnerable systems, schedules and applies updates, and reports on patching success or failure. If issues arise after patching, a well-designed patch management programme allows for rolling back to previous software versions, but effective security controls must be in place to mitigate the risks that the failed patch would have addressed.
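
Two of the patch-management steps named above, identifying vulnerable systems and reporting on patching success or failure, written out as an added example (not code from the flashcards). The hostnames, package names, version numbers and advisories are all constructed for the example; `Advisory` and the inventory dictionaries stand in for whatever a real asset inventory and vendor advisory feed would supply.

```python
"""Added example: the 'identify vulnerable systems' and 'report success or
failure' steps of a patch management programme, over a constructed inventory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str      # first version that carries the fix
    severity: str


# Constructed advisories for hypothetical packages.
ADVISORIES = [
    Advisory("examplesvc", "2.10.1", "high"),
    Advisory("libwidget", "1.4.0", "medium"),
]

# Constructed inventory before the patch run: host -> {package: installed version}
INVENTORY_BEFORE = {
    "web-01": {"examplesvc": "2.9.7", "libwidget": "1.4.2"},
    "web-02": {"examplesvc": "2.10.1", "libwidget": "1.3.9"},
    "db-01": {"libwidget": "1.2.0"},
    "legacy-01": {"examplesvc": "2.4.0"},
}

# Constructed inventory after the run: db-01's update failed to install and
# legacy-01 is an obsolete build with no vendor patch, so both keep the old version.
INVENTORY_AFTER = {
    "web-01": {"examplesvc": "2.10.1", "libwidget": "1.4.2"},
    "web-02": {"examplesvc": "2.10.1", "libwidget": "1.4.0"},
    "db-01": {"libwidget": "1.2.0"},
    "legacy-01": {"examplesvc": "2.4.0"},
}


def parse_version(v):
    """'2.10.1' -> (2, 10, 1). Comparing tuples of ints avoids the string
    trap where '2.9.0' sorts after '2.10.0' and a vulnerable host looks patched."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(installed, advisory):
    return parse_version(installed) < parse_version(advisory.fixed_in)


def find_vulnerable(inventory, advisories):
    """Return {host: [(package, installed, fixed_in, severity), ...]} for every
    host running a version below the fix."""
    findings = {}
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is not None and is_vulnerable(installed, adv):
                findings.setdefault(host, []).append(
                    (adv.package, installed, adv.fixed_in, adv.severity))
    return findings


def patch_report(before, after, advisories):
    """For every (host, package) that needed a patch, report 'patched' or
    'failed' by re-running the same check against the post-patch inventory."""
    still_vulnerable = {(host, pkg)
                        for host, items in find_vulnerable(after, advisories).items()
                        for pkg, *_ in items}
    report = {}
    for host, items in find_vulnerable(before, advisories).items():
        for pkg, *_ in items:
            report[(host, pkg)] = "failed" if (host, pkg) in still_vulnerable else "patched"
    return report


if __name__ == "__main__":
    for host, items in sorted(find_vulnerable(INVENTORY_BEFORE, ADVISORIES).items()):
        for pkg, installed, fixed, sev in items:
            print(f"{host}: {pkg} {installed} < {fixed} ({sev})")
    for (host, pkg), status in sorted(
            patch_report(INVENTORY_BEFORE, INVENTORY_AFTER, ADVISORIES).items()):
        print(f"{host}/{pkg}: {status}")
```

The report is produced by re-running the detection rather than by trusting the installer's exit code, which is the check a practitioner actually wants: a "successful" install that left the old binary in place still shows as failed. The two `failed` entries are exactly the cases the NOTE above describes, where other controls have to cover the risk the patch would have removed.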

7
Q

How do you secure an obsolete system?

A

Reduce the risk of compromise: Access to obsolete systems should be as restricted as possible. Strategies include:

  • Limiting network access and blocking certain applications (e.g., file sharing and email).
  • Preventing the use of removable media that could introduce malware or exfiltrate data.
  • Blocking access from obsolete systems to untrusted services such as web browsing or web email.
  • Removing or disabling all non-essential services from obsolete computers.

Reduce the impact of compromise: If attackers gain access to an obsolete system, they should be prevented from damaging important data or disrupting critical services. This can be achieved by:

  • Regularly erasing and rebuilding obsolete systems to remove any malicious software (though this does not prevent future exploitation of unpatched vulnerabilities).
  • Treating obsolete systems as unmanaged or untrusted, with very limited access to other systems, and ensuring they never store sensitive information.
  • Implementing intensive monitoring, logging, and auditing of obsolete systems to detect and respond to potential attacks.
8
Q

In the absence of patches, what are the three key strategies to significantly reduce the risk of zero day attacks?

A

In the absence of patches, the impact of zero-day vulnerabilities can only be reduced, not entirely eliminated. Three key strategies can significantly lower the risk:

  • Effective patch management: A zero day stops being one the moment the vendor ships a fix, so the damage depends on the window between release and deployment. Patches should be applied as quickly and as broadly as possible.
  • Additional security measures: A zero day can only be exploited if the attacker can reach the vulnerable component. Antivirus software, firewalls, and blocking USB ports help prevent malware or unauthorised access. For highly sensitive systems, complete isolation from external networks, known as 'air gapping', can be employed, although determined attackers may still find ways to bridge the gap.
  • Developing a security-conscious culture: Many zero-day attacks are inadvertently enabled by users, particularly through phishing. Educating users on the importance of security and involving them in creating a secure working environment is essential.
9
Q

What is an insider threat?

A

An insider threat refers to someone who is trusted to operate within a system but acts either intentionally or inadvertently against its interests.

Insider threats can manifest in various ways, including fraud (e.g., a bank employee diverting funds to their own accounts), unauthorised access to confidential information (such as commercially or politically sensitive data like diplomatic cables), and sabotage (such as destroying backup data).

10
Q

What are the four factors that increase risk of insider threat?

A

The four factors that increase the risk of insider threats are:

  • Economic factors: Organisations under economic strain may see heightened insider threats. Employees facing job insecurity, reduced pay, or potential layoffs may feel resentful towards their employer, increasing the risk of malicious actions.
  • Cultural factors: Insider threats can arise from cultural clashes within an organisation, especially when dealing with employees from diverse ethnic, religious, or social backgrounds. These threats are particularly pronounced in sectors like military or advanced technology, where state-backed espionage or differing organisational cultures (e.g., academic freedom vs. corporate secrecy) can create conflicts.
  • Political and social factors: Employees with political or social views that conflict with the organisation’s values may attempt to undermine it through sabotage or leaking sensitive information. This is complex, as it intersects with legal protections for free expression and whistleblowing.
  • Organisation-specific factors: Certain organisations, like those in the military, security, or highly competitive industries (e.g., high-tech or pharmaceuticals), are more prone to insider threats. These sectors are targets for espionage, and employees may be tempted by lucrative offers from rival companies, potentially taking sensitive information with them.
11
Q

What is an Unintentional Insider Threat (UIT)?

A

An unintentional insider threat occurs when an employee or trusted individual inadvertently causes harm to an organisation’s security.

This can happen through careless actions, such as falling for phishing attacks, mishandling sensitive information, or accidentally introducing malware into the system, without any malicious intent.

Other examples of unintentional insider threats include:

  • Leaving a computer unlocked or failing to log off when stepping away from the desk.
  • Falling victim to a phishing attack.
  • Neglecting to install software updates due to concerns about work disruption.
  • Sending emails with sensitive information to the wrong recipient.
  • Losing work devices, storage media, or documents, or not securely disposing of them when they are no longer needed.
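
A pre-send check against the "sensitive email to the wrong recipient" case in the list above, as an added example (not from the flashcards). It flags recipients outside the organisation when the message carries a classification marker, and separately flags recipient domains one character away from an internal domain, which is far more likely to be a typo than a partner. The domains, addresses and markers are constructed for the example; a real deployment would take them from the mail gateway's configuration.

```python
"""Added example: a preventive check for misdirected sensitive email.

INTERNAL_DOMAINS, APPROVED_EXTERNAL and MARKERS are constructed values; a
real mail gateway would load them from its own policy configuration."""

INTERNAL_DOMAINS = {"example.org", "corp.example.org"}
APPROVED_EXTERNAL = {"partner.example.net"}
MARKERS = ("OFFICIAL-SENSITIVE", "CONFIDENTIAL", "INTERNAL ONLY")


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_message(recipients, subject, body):
    """Return a list of (recipient, reason) findings; an empty list means the
    message may be sent.

    Internal recipients always pass. A recipient domain one edit away from an
    internal domain is flagged regardless of content, since that pattern is a
    typo. Other external domains are flagged only when the message carries a
    classification marker and the domain is not on the approved list."""
    text = f"{subject}\n{body}".upper()
    sensitive = any(marker in text for marker in MARKERS)
    findings = []
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in INTERNAL_DOMAINS:
            continue
        lookalike = next((d for d in INTERNAL_DOMAINS if edit_distance(domain, d) == 1), None)
        if lookalike:
            findings.append((rcpt, f"recipient domain looks like a typo of {lookalike}"))
        elif sensitive and domain not in APPROVED_EXTERNAL:
            findings.append((rcpt, "sensitive marker present, recipient domain not approved"))
    return findings


if __name__ == "__main__":
    # Constructed messages exercising each branch.
    cases = [
        (["alice@example.org"], "Q3 figures", "OFFICIAL-SENSITIVE\nnumbers attached"),
        (["bob@examp1e.org"], "lunch", "see you at 12"),
        (["carol@mail.example.com"], "Contract", "CONFIDENTIAL draft attached"),
        (["dan@partner.example.net"], "Contract", "CONFIDENTIAL draft attached"),
    ]
    for recipients, subject, body in cases:
        print(recipients, check_message(recipients, subject, body) or "OK")
```

The lookalike rule is checked first on purpose: a typo domain is wrong even for an innocuous message, and waiting for a marker to appear would miss the case where the sensitive content is in an attachment rather than the body.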
12
Q

What are the six psychological characteristics of malicious insider threat actors?

A

Frustration: Many attackers had difficult personal circumstances or troubled family backgrounds, leading to negative attitudes towards authority, including policies and security controls. They often struggled with forming personal and professional relationships, resulting in poor social skills, isolation, and conflicts with colleagues.

Computer dependency: Instead of building social and professional relationships with colleagues, attackers often preferred online activities. Some admitted to enjoying the challenge of bypassing security controls and accessing restricted data.

Ethical flexibility: Attackers often did not view their actions as unethical and sometimes believed they were justified. This aligns with earlier findings that a small percentage of IT professionals considered it acceptable to access inadequately secured data. The researchers suggested that this ethical flexibility was partly due to inadequate training in ethics and privacy, as well as limited personal interactions, as noted in the previous traits.

Reduced loyalty: Many attackers identified more strongly with their profession or specialist interests than with their employer, a tendency closely linked to other characteristics.

Entitlement: Many attackers felt they had special privileges that exempted them from certain rules or workplace behaviours. This sense of entitlement was often exacerbated if they were given tasks they perceived as menial or punitive, particularly if they held positions of authority like system administrators.

Lack of empathy: Many attackers failed to recognise the potential or actual harm caused by their actions. This detachment was heightened by the impersonal nature of working through computer terminals rather than face-to-face interactions.

13
Q

The common sense guide to mitigating insider threat (link)

A

https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=886874
