New in 2024 Flashcards
Risk frameworks vs. Security Control Frameworks
Risk Frameworks
Address the “why” - they guide strategic decision making about risk
The 5 Pillars of Information Security
- Confidentiality
- Integrity
- Availability
- Authenticity
- Nonrepudiation
Risk frameworks vs. Security Control Frameworks
Security Control Frameworks
Address the “how” = providing specific controls to mitigate cybersec risks
Risk frameworks & Security Control Frameworks
Sherwood Applied Business Security Architecture (SABSA)
A security architecture framework and methodology
Focuses on aligning security with business goals by providing a structured method for designing, implementing, and managing security architectures
It can be used in conjunction with both risk frameworks and security controls frameworks
It adds a layer focused on practical security architecture implementation
NIST Risk Management Framework (RMF)
Auidience is federal government agencires
The RMF is MANDATORY for those which it applies
NIST Cybersecurity Framework (CSF)
Audience is private / commercial business
The CSF is purely OPTIONAL guidance from NIST
Federal Risk and Authorization Management Program (FedRAMP)
A government wide program that provides a standardized approach to security assessment, authZ, and continuous monitoring for cloud products and services
Goals:
1. Accelerate secure cloud adoption
2. Enhance trust in cloud solutions
3. Promote a reusable approach for multiple agencies
ISO / IEC 27001:2022
Outlines a framework for implementing, maintaining, and continually improving an Information Security Management System (ISMS)
ISMS is a set of policies, processes, and controls that help orgs protect their info assets
Guides orgs in:
- ID’ing information assets and assessing their value and info security risks
- Implementing mitagating security controls based on ISO 27002
- Regularly monitoring and measuring effectiveness of and continuously improving ISMS
focuses on WHAT and WHY
ISO / IEC 27002:2022
Focuses on the HOW
Offers best practices and control objectives related to key aspects on cybersec in support of ISO / IEC 27001
Personal Information Protection Law (PIPL)
Effective since 2021, aims to establish comprehensive framework for the protection of PI in China
Protection of Personal Information Act (POPIA)
Enacted in 2013, est regs for the responsible processing of PI by both public and private entities in South Africa
Privacy Impact Assessment (PIA)
Several privacy laws explicitly require PIAs
- GDPR
- HIPAA
To conduct a PIA, you must define assessment scope, data collection methods, and plan for data retention
Clarifying Lawful Overseas Uses of Data (CLOUD)
Requires CSPs to hand over data to aid in investigation of serious crimes, even if stored in another country
Can conflict with GDPR
- B/c GDPR forbids transfer of data to any country without good privacy protections
- Issues like this require legal counsel
Hardware Root of Trust
A line of defense against executing unauthorized firmware on a system
When serts are used in Full Disk Encryption (FDE) they use a hardware root of trust for key stoage
it verifies that the keys match before the secure boot process takes place
Examples:
- Trusted platform module (TPM)
- Silicon Root of trust (SRoT)
Silicon Root of Trust (SRoT)
A specialized chip or module embedded directly into the hardware of a device (mainly is IoT)
Contains a unique, unchangeable cryptographic (“immutable fingerprint”) ID that is established during manufacturing
Acts as anchor point for verifying the integrity of systems firmware
If firmware is compromised the SRoT will detect the change and prevent the system from booting
Physically Unclonable Function (PUF)
Hardware component that generates a digital fingerprint or signatures based on the unique physical characteristics of integrated circuit or chip
- Typically a semiconductor device
- unique hardware root of trust
Software Bill of Materials (SBOM)
A list of all software components that go into a particular software build or product
- Functions as inventory
- Helps orgs better understand, manage, and secure their apps
- An attack in 2020 lead to a US Gov requirement for SBOM in the 2021 Executive Order on Improving the Nation’s Cybersecurity
Secure Access Service Edge (SASE)
A design philosophy closely related to Zero Trust
Brings together networking and security functions, delivered together as integrated cloud service
SASE Components:
- Firewall services
- Secure web gateway
- Anti-malware services
- IPS
- CASB
- Data Loss Prevention
Focus on WAN, cloud, and IoT
Cryptographic Life Cycle
Federal Information Processing Standard (FIPS) 140-3
Supersedes FIPS 140-2
Security Levels:
- Level 1: Require production grade equipment and externally tested algos
- Level 2: Adds requirements for physical tamper-evidence and *role based authN**
- Level 3: Adds requirements for physical tamper-resistance, ID based authN, and separation between interfaces
- Level 4: Makes the physical security requirements more stringent. Requiring ability to be tamper-active, erasing the contents of the device if it detect various fors of env attack
Cryptographic Life Cycle
FIPS 140-3 Cryptographic Modules
(3 types with Ex)
Hardware:
- SafeNet Luna HSM (Thales)
- Gemalto SafeNet HSM (Thales)
- nShield HSM (Entrust)
- Utimaco CryptoServer HSM
Software:
- OpenSSL FIPS Object Module
- Microsoft Window Crypto Modules
- Bouncy Castle FIPS Module
Cloud
- Microsoft Azure Key Vault
- Amazon Key Management Service (KMS)
- Google Cloud Key Management Service (KMS)
Cryptographic Life Cycle
Key Management Strategy For Encryption Key Lifecycle
- Generation - Encryption keys should be generated within a trusted secure crypto module
-
Distribution - Should be distributed securely to prevent compromise during transit
- Encrypt keys with another key to give to third parties - Storage - Protected at rest and never stored in plaintext
- Use - Clients use keys to get resources as access controls allow
- Revocation - Process for revoking access if compromise
-
Destruction - Removal of key from its operational location
- Key Deletion goes further and removes any info that could be used to reconstruct it
Quantum Key Distibution
Enables 2 parties to generate a shared random secret key known only to them
NOTE
Essential property of QKD is the ability to detect eavesdropping by any 3rd party
- Eavesdropper interception introduces detectable anomalies
Main drawback = QKD relies on a authenticated classical channel of comms
- Parties have already exchanged either symmetric key or public keys to talk
- Inpractice, much cheaper not to use QKD
- QKD is only used to produce and distribute a key NOT to transmit any messages
- Used in very niche high security scenarios
Information System Lifecycle
- Stakeholders needs and requirements
- Requirements Analysis
- Architectural design
- Development / implementation
- Integration
- Verification and validation
- Transition / deployment
- Ops and mant / sustainment
- Retirement / disposal
Information System Lifecycle
1. Stakeholders needs and requirements
Key activities:
- Gather requirements and define project scope
Security goal:
- Establish baseline
Information System Lifecycle
2. Requirements analysis
Key activities:
- Prioritize reqs
- Make req spec docs
- perform risk analysis
- Map reqs to security controls
Security Goals:
- translate high level expectations into details and action items
Information System Lifecycle
3. Architectural Design
Key Activities:
- Create system architecture diagrams
- Data flows
- threat modeling
Security goals:
- Incorporate Security by Design
Information System Lifecycle
4. Development / Implementation
Key activities:
- Develop or produce hardware and software
- Implement security configurations
Security Goal:
- Ensure secure implementation of the design.
Information System Lifecycle
5. Integration
Key Activites:
- Integration testing
- Documentation
Security Goals:
- Maintain integrity and security during integration
Information System Lifecycle
6. Verification and Validation
Key activities:
- Employ various testing technoques
- Obtain stakeholder feedback
Security goals:
- Rigorously test that security requirements are met
- Systems dont introduce unacceptable levels of risk
Information System Lifecycle
7. Transition / deployment
Key activities:
- Develop implementation plans
- user training
- full system implementation
Security Goal
- Secure and controlled transition
- Protect data during migration
Information System Lifecycle
8. Ops and maint / sustainment
Key Activities:
- System montioring
- patch management
- Care and feeding
Security Goals:
- Maintain security posture
Information System Lifecycle
9. Retirement / Disposal
Key Activities:
- Data archival
- system decomm
- Secure disposal of hardware / media
Security Goals
- Prevent data exposure
- secure data sanatization,
- compliance with data retention
IPv4 vs. IPv6
Multicast
Supported by both IPv4 and IPv6
One to many
IPv4 vs. IPv6
Broadcast
Supported by IPv4, but workarounds for IPv6
One to all recipient on the network segment
IPv4 vs. IPv6
Unicast
Supported by both IPv4 and IPv6
One to one
IPv4 vs. IPv6
Anycast
Supported natively by IPv6
Single source to the nearest or most optimal recipient
Converged Protocols
Infiniband over Ethernet
A network protocol that allows remote direct memory access (RDMA) over an Ethernet network
- Provides lower latency and higher throughput than vs Ethernet alone
“Converged” bc it runs over the existing TCP/IP network
Converged Protocols
Compute Express Link
An open standard for high-speed, high capacity CPU-to-device and CPU-to-memory connections
“Converged” bc it runs over the existing TCP/IP network
Transport Architecture
Control Plane
Manages routing and determines optimal paths
- Open Shortest Path First (OSPF)
- Border Gateway Protocol (BGP, TCP, 179)
Transport Architecture
Data Plane
Forwards data packets based on control plan guidance
Switching types:
Cut-through the switch makes a forwarding decision as soon as it recv the 1st part of the frame
- When ultra low latency is important and cost/simplicity is high priority
Store-and-foreward the switch waits to recv the entire frame before making a fwd decision
- When reliability is essential or network is less reliable
Transport Architecture
Management Plane
Configures, monitors, maintains the network
- Simple Network Management Protocol (SNMP TCP/UDP, 161/162)
- Network Configuration Protocol (NETCONF)
Network Performance Metrics
Bandwidth
Theoretical maximum data transfer rate
Network Performance Metrics
Throughput
Actual data transfer rate in practice
- Considers latency, packet loss, network congestion
Network Performance Metrics
Latency
Time delay between sending a data packet from the src to its arrival at the dest
- Has inverse relationship to throughput
- Less latency = More throughput
Network Performance Metrics
Jitter
Variation in network latency over time, causes irregular delays in packet arrival
- Affects QoS for real-time apps
Network Performance Metrics
Signal-to-noise ratio (SNR)
Measures quality of signal compared to background noise, common for wireless comms
- Higher SNR indicated better signal and less interference
Physical Network Segmentation
Out-of-band
Physically separating network infrastructure into distinct security zones using hardware
- Alt comm paths for diff types of traffic
Physical Network Segmentation
Air gap
Complete physical isolation of a network by having no wired or wireless connections
- Common in high security government networks and critical infrastructure (utilities, etc)
Logical Network Segmentation
In-band
Separating network segments by config routers, switches, firewalls, etc to control traffic flow
- Techniques include subnets and VLANs
Logical Network Segmentation
Virtual routing & forwarding (VRF)
Facilitates coexistence of multiple routing table instances on a router simultaneously
- Fairly common in today’s IP routers
Logical Network Segmentation
Virtual Domains
The network segments / chunks created through logical segmentation techniques like VRF
- in VRF context they are called “VRF” domains
Micro-segmentation
Logical segmentation at the apps / workloads level
‘microsegments’ contain a specific workload or functionally similar / identical nodes
- Policies and controls are then targeted to these microsegments
Edge Networks
Distributed networks that bring compute and storage resources physically closer to end users and devices on the “edge” of a network
Edge Networks Types
Ingress / Egress
The entry point for traffic entering an edge network, usually from an end user device or external network
- Important for security, monitoring, traffic shaping
Edge Networks Types
Peering
Direct interconnection between edge network locations to allow traffic exchange without traveling through a central hub
- Reduces latency, costs, and central bottlenecks
Edge Networks Types
Caching
Caching popular content like video / audio/ and web pages
- Provides better user experience in SaaS
Edge Networks Types
Compute
Granular compute functions, containerized to provide low latency processing near users and devices
- known as edge computing
Edge Networks Types
Storage
Storage at multiple edge location reduces latency for access and updates
Virtual Private Cloud
A virtual network that consists of cloud resources, where the VMs for one company are isolated from the resources of another company
- Separate VPCs can be isolated using public / private networks or segementation
- in AWS and GCP its VPC
- in Microsoft Azure its virtual network (VNET)
Monitoring & Management
Network Observability
Collecting data and gaining visibility into the status and performance of network components and traffic flows
- Supports issue ID and troubleshooting
Monitoring & Management
Traffic Flow / Shaping
Managing and controlling the volume and priorities of different types of traffic across network links
- QoS, rate limiting, throttling
Monitoring & Management
Capacity Management
Tracking network utilization and planning capacity expansion to meet future demands
Monitoring & Management
Fault Detection and Handling
Discovering, diagnosing, and responding to problems like failed devices, connection loss, performance slowdowns
OATH Tokens
OATH (Open Authentication) is an open standard that specifies how time-based one time password (TOTP) codes are generated
- Software OATH typically apps, like IBM Security Verify
- Hardware OATH small hardware devices that look like a key fob, like YubiKey
Access Policy Enforcement
Policy Enforcement Point (PEP)
Enforces policies at the connection level
Responsible for enabling, monitoring, and terminating connections between a subject and an enterprise resource
Ex)
- Access request occurs, PEP evals request against policies and applies necessary controls
- Like enforcing MFA for access requests from unexpected locations
Part of Zero Trust Network Architecture: Data Plane
Access Policy Enforcement
Policy Decision Point
Makes access decision based on contextual information
Evaluates context of an access request and decides wheter it should be allowed, denied, or subject to additional controls
- Based on various factors like user ID, device health, and risk assessment
Zero Trust Network Architecture: Control Plane
Adaptive Identity
Changes the way that the system asks a user to authenticate based on context of the request
- location, device, app, risk
Zero Trust Network Architecture: Control Plane
Threat Scope Reduction
End goal of ZTNA
Decrease risks to the org
Zero Trust Network Architecture: Control Plane
Policy- Driven Access Control
Controls based on user’s ID rather than simply their system’s location
Ex)
- Conditional Access in MSFT Entra ID
Zero Trust Network Architecture: Control Plane
Policy Administrator (PA)
Responsible for communicating the decisions made by the policy engine
Zero Trust Network Architecture: Control Plane
Policy Engine (PE)
Decides whether to grant access to a reource for a given subject
Ex)
- MSFT Entra ID Active Directory
Zero Trust Network Architecture: Data Plane
Implicit Trust Zones
Part of traditional Security approach in which firewalls and other security devices formed a perimeter.
- Systems belonging to the org are inside boundry
Zero Trust Network Architecture: Data Plane
Subject / System
Subject: a user who wishes to access a resource
System: a non-human entity often the device used by the user to access the resource
Service Account
“Service Principal”
Essentially lower-leve admin account without human intervention used to run an application like a antivirus
In the cloud:
- similar concept exists for cloud resources like VMs that provide an ID for that resource to accress other resources like data
Least privilege and lifecycle mgmt are important for service accounts
Credential Management Systems
Password Vault
Stored locally on. the device and store passwords so user does not need to remember them
- Uses strong encryption (AES - 256) for secure storage
- only as secure as the owner password that is used to protect the vault itself
- Typically used MFA
Credential Management Systems
Key Management System (KMS)
Cloud version of Password Vaults
Centralized secure storage and access for application secrets called a vault
- Service will typically off programmatic access via API to support DevOps and CI/CD
- Access control at vault instance-level and to secrets stored within
Penetration Testing: Exercise Types
Red Team
Offense
Pen test by emulating tools and techniques likely used by attackers in the most realistic way possible
Penetration Testing: Exercise Types
Blue Team
Defense
defends against both reall attackers and Red Teams
Penetration Testing: Exercise Types
Purple Team
Process Improvement
Ensure and maximize the effectiveness / competition between Red v Blue
Penetration Testing: Exercise Types
White Team
Judge / Referee
Oversees engagement / competition between a Red and Blue Team
Cloud Audit Standards (Applies to On-Prem)
Statements on Standards for Attestation Engagements (SSAE)
SSAE18 is a set of standards defined by the American Institute of CPAs (AICPA)
- Designed to enhance the quality and usefulness of System and Organization (SOC) reports
- Includes audit standards and suggested report formats to guide and assist auditors
- SOC 1 - Financial controls
- SOC 2 - Security controls (often requires NDA)
- SOC 3 - Auditors, general opinion, non-sensitive data, for public audience
Cloud Audit Standards (Applies to On-Prem)
International Standard on Assurance Engagements (ISAE)
Issued by the International Auditing and Assurance Standards Board
- Very similar to AICPA and SSAE standards
- ISAE 3402 standard is very similar to SOC 2 reports
Cloud Audit Standards (Applies to On-Prem)
Cloud Security Alliance (CSA)
CSA offers the Security Trust Assurance and Risk (STAR) cert program
- used by CSPs, Cloud customers, auditors / consultants
- Designed to demonstrate compliance
- consists of 2 levels of certification
- Level 1: Self-assessment
- Level 2: 3rd party audit
SIEM and SOAR cycle
Cycle
1. Log Collection
2. SIEM
3. SOAR
4. Security Operations Center Team
- Reduces MTTD and accelerates response
Playbook v Runbook
Playbook: a document or checklist that defines how to verify an incident (paperwork)
Runbook: implements the playbook data into an automated tool (technology)
Scaled Agile Framework (SAFe)
Builds on Agile for the whole enterprise
Based on 3 bodies of knowledge:
1. Agile software dev
2. Lean product dev
3. System thinking
- Coordination across teams
- Strategic alignment
- Emphasize quality
- Architectural guidance for scaling
- Cadence and synchronization through Program Increment planning and demos
- Lean / Agile leadership
Interactive Application Security Testing (IAST)
Analyzes code for vulns while its being used
Focuses on real time reporting to optimize testing and analysis process
- Often built into CI/CD
NOTE: Unlike SAST / DAST, IAST analyzes the internal functions of the app while its running
Software Composition Analysis (SCA)
Used to track the components of a software package or application
- Is of special concern for apps built with open src software components
- bc of open src components often involve reusable code libraries
SCA tools ID flaw / vulns in these included components, ensures latest version are in use
- Automated, combines app security and patch mngmt
Benefits of 5G over 4G Networks
- Enhanced Subscriber ID protection
- Mutual AuthN capabilities
Tiers of Scaled Agile Framework (SAFe)
Small to Large
- Essential
- Large Solution
- Portfolio
- Full
Tiers of Scaled Agile Framework (SAFe)
Large Solution SAFe
Large Solution SAFe is for developing large and complex solutions that do not require the constructs of the portfolio level
Tiers of Scaled Agile Framework (SAFe)
Full SAFe
Full SAFe is designed to support enterprises in building and maintaining large integrated solutions with the collaboration of hundreds of practitioners. It provides the most extensive level of guidance, with roles, responsibilities, and activities needed to sustainably deliver complex solutions.
Tiers of Scaled Agile Framework (SAFe)
Essential SAFe
Essential SAFe focuses on the basic elements of the framework needed to be agile
Tiers of Scaled Agile Framework (SAFe)
Portfolio SAFe
Portfolio SAFe is for aligning enterprise strategy with execution but does not address the complexity of building large solutions that Full SAFe is designed for.
Internet Small Computer Systems Interface (iSCSI)
a converged protocol that allows location-independent file services over traditional network technologies. It costs less than traditional Fibre Channel.
SIPS
SIPS, the secure version of the Session Initialization Protocol for VoIP, adds TLS encryption to keep the session initialization process secure.
SRTP
SRTP is the secure version of RTP, the Real time Transport Protocol.
KPIs vs KRIs
Key Performance Indicators (KPIs): are used to assess how an organization is performing.
Key Risk Indicators (KRIs): are often used to monitor risk for organizations that establish an ongoing risk management program. Using automated data gathering and tools that allow data to be digested and summarized can provide predictive information about how organizational risks are changing.
Digital Certificate Steps
Remote journaling
Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly.
Fagan inspection
Fagan inspection is a highly formalized review and testing process that uses planning, overview, preparation, inspection, rework, and follow-up steps. Static inspection looks at code without running it, dynamic inspection uses live programs, and interface testing tests where code modules interact.
Software Defined Security (SDS)
is an increasingly common approach to security that involves using software solutions and policies to secure environments, rather than traditional hardware-based approaches. This strategy allows for flexible and dynamic security configurations, particularly suited to the cloud’s scalable nature.
policy engines contribute to decision-making in SDS and other frameworks by enforcing security policies. Software-defined networks focus on network management through software, showcasing the broader move toward software-defined approaches in IT infrastructure.
Differential Backup
A type of backup that copies only new files or files that have
changed since the last full backup onto the backup media. Differential backups differ from
incremental backups in that they *don’t clear the archive bit or change the timestamp on completion.
Incremental Backup
A type of backup that includes only new files or files that have
changed since the last full backup or the last incremental backup. Incremental backups clear the archive bit or change the timestamps of files on completion
