Principles of Cyber Security Flashcards
DAC
Discretionary Access Control
DAC: DACL
DAC List
Tracks permissions against each object
DAC: Access Matrix
Combined DACLs
DAC: Advantages
Easily Implementable
Highly Flexible
DAC: Disadvantages
Poor Scaling (Matrix Explosion)
Prone to Mistakes (Complex Policy Management)
Frequent Changes
MAC
Mandatory Access Control
MAC: Object Access Requirements
At least the specified clearance level
All need-to-knows
MAC: Advantages
Most Secure
Easily Scalable
MAC: Disadvantages
Not Flexible
Limited User Functionality
High Admin Overhead
RBAC
Role-based Access Control
RBAC: Role Hierarchies
Roles can inherit permissions from other roles
RBAC: Constraints
Restricts roles:
- Mutually Exclusive Roles (Subject has only one role)
- Cardinality Restrictions (Constrain number of subjects assigned to role)
- Prerequisite Roles (Must hold specified role before assignment of new role)
RBAC: Consolidated
Combines Role Hierarchies and Constraints
RBAC: Advantages
Scalable
Flexible (Loose coupling of user and perms)
RBAC: Disadvantages
Roles need provisioning and maintenance
Possible rule explosion
Cannot accommodate real-time context
ABAC
Attribute-based Access Control
ABAC: Subject Attributes
Identity and characteristics of a subject e.g. name, job title, etc.
ABAC: Object Attributes
Extracted from object metadata
ABAC: Environment Attributes
Describe the current environmental context e.g. current malware threat
ABAC: Advantages
Dynamic
Fine-grained
Considers the Environment
ABAC: Disadvantages
Attributes need provisioning and maintenance
Possible Attribute Explosion
Complexity to Design and Implement
CVE
Common Vulnerabilities and Exposures (CVE)
A weakness knowledge base that lists common identifiers for publicly known cybersecurity vulnerabilities.
Each entry contains
- CVE ID
- A brief description
- Any pertinent references i.e. vulnerability reports
NVD
National Vulnerability Database (NVD)
A weakness knowledge base informed by CVE and run by the U.S. government
NVD analyses CVEs
CWE
Common Weakness Enumeration (CWE)
A weakness knowledge base. Community-developed list of common software weaknesses and vulnerabilities.
Acts as a baseline for weakness identification, prevention, and mitigation
CAPEC
An Attack Technique Knowledge Base
Describes common techniques employed by adversaries
Focuses on application security by enumerating exploits against vulnerable systems (including Social Engineering and Supply Chain Attacks)
CAPECxploits. Lists exploits of vulnerable systems
ATT&CK
An Attack Technique Knowledge Base
Describes phases in an adversary’s lifecycle and specific TTPs that APTs use.
Focuses on network defence by providing a contextual understanding of malicious behaviour. Focuses on adversaries interactions with the system, not the tools used
ATT&ACK
P
T
TTP
Tactics, Techniques, and Procedures
Cyber Essentials
A UK cybersecurity certification scheme designed to help businesses protect themselves against the most common cyber threats
Cyber Essentials: Firewalls
Ensure only necessary network services can be accessed from the internet to reduce exposure to attacks
All inbound connections are blocked by default except those towards services meant to be accessed from the internet and every inbound rule that accepts connections must be motivated and documented
Cyber Essentials: Secure Configuration
Ensures devices are configured to reduce vulnerabilities and provide only strictly required services
All unnecessary software is removed/disabled, auto-run features are disabled, default/guessable passwords are changed
Cyber Essentials: User Access Control
Ensures user accounts are only for authorised individuals and only provide access to required resources
Requires
- Setup of a process and approve a new user account
- Always authenticate users before granting access to applications and devices
- Remove/disable accounts when no longer required
- Use 2FA
- Use admin accounts only for admin activities
Cyber Essentials: Malware Protection
Ensures untrusted software is restricted and known malware is restricted
Requires
- Anti-malware software that is up to date with daily checks. It should automatically scam when files are downloaded, opened, or accessed from a network folder. Web pages should be automatically scanned with blacklisting of malicious and suspicious websites
- Application whitelisting
- Application sandboxing for code of unknown origins
Cyber Essentials: Patch Management
Ensures devices and software are not vulnerable to known security issues for which fixes are available
All software is updated, licensed and supported
Additional Defences: Data Protection
Encrypt, fragment, backup, sanitise data to prevent data leaks
Additional Defences: Segregation of Duties
Have more than one person required to complete a critical task. More accounts need to be compromised to undermine it
Additional Defences: Network Fragmentation & Monitoring
Split up network infrastructure based on business process, necessary exposure and risk levels.
Firewalls used between boundaries
Use intrusion detection systems to observe network traffic and detect malicious traffic.
Signature or anomaly based
Machine learning helps with accuracy
Can suffer from false positives
Additional Defences: Honeypots
Decoys to lure in attacks for analysis
High-Interaction Honeypots: Close mimic, extensive interaction & analysis
Low-Interaction Honeypots: Simulate a few services, reduces risk of compromise
Additional Defences: Pentesting
Authorised attacks aimed at identifying how an attacker can compromise the system
Additional Defences: Pentesting: PTES
Penetration Testing Execution Standard
Comprehensive framework for effective and consistent pentesting
Additional Defences: Standards
Guide security principles
Efficient for driving adoption
Compliance-driven security risks shifting focus to meeting regulations rather than tackling security risks, giving a false sense of security
APT: Lifecycle
Reconnaissance
Initial Compromise
Post-Exploitation (Repeated until goal accomplished)
APT: Post-Exploitation: Persistence
Achieved through malware (backdoors, rootkits, remote access trojans (RATs), keyloggers) or stolen credentials (allowing maintained access if other vulnerabilities are patched)
APT: Post-Exploitation: C&C Communication
Encrypt data using non-standard communication protocols or use innocent-looking traffic to hide malicious activity
APT: Post-Exploitation: C&C Communication: Push Model
Attacker sends commands to C&C control hub which relays them to the compromised system
APT: Post-Exploitation: C&C Communication: Pull Model
Attacker leaves commands at the hub, the compromised system periodically polls the hub, the machine leaves outputs at the hub and the attacker periodically polls the hub
APT: Post-Exploitation: Lateral Spread
Seek new systems to compromise within the network via analysis of compromised machines (to gather credentials), network analysis (to find targets), and stealing credentials (using social engineering)
APT: Post-Exploitation: Data Exfiltration
Exfiltrate sensitive information to an external system. Staging servers can accumulate and transform data to reduce data size and help avoid detection.
Faster transfer speeds risk detection
Data is hidden in other data using steganography, the practice of hiding information in other data
Cryptography
The practice of secure communication in the presence of an adversarial third party
Cryptography: Symmetric Encryption
The same key is used to encrypt and decrypt data.
Requires N(N-1)/2 keys
Cryptography: Asymmetric Encryption
A sender encrypts data using the recipients public key and the recipient decrypts the data using their private key.
Requires N x 2 keys where N is the number of communicating nodes
Cryptography: Digital Signature
Used to verify the authenticity and integrity of data. Generated by creating a hash of the data and encrypting the hash when transferring the data. The recipient can then decrypt the hash and the data and compare the received data’s hash with the received hash.
Cryptography: Distributing Keys: Private Key Distribution: Public Key Encryption
To send a private key, asymmetric (public key) encryption. The recipient can send a public key used to encrypt the data.
Vulnerable to Man in the Middle Attacks where the adversary intercepts the public key from the recipient and sends it on their own to the sender.
Cryptography: Distributing Keys: Private Key Distribution: Diffie-Hellman Symmetric Key Encryption
Two parties agree on public parameters including a large prime number and primitive root modulo.
Uses a property of modulus to send the keys
Susceptible to Man in the Middle Attacks
Cryptography: Distributing Keys: Public Key Distribution
Recipient needs to know with certainty the sender’s public key to validate a digital signature or to encrypt messages so they can avoid man in the middle attacks
Cryptography: Distributing Keys: Public Key Distribution: Digital Certificate
Consist of a public key and a user ID both signed by a trusted third party
Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure
The infrastructure needed to create, manage, distribute and revoke digital certificates to enable secure and efficient acquisition of public keys
Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure: CA
Certification Authority
Responsible for issuing, distributing, and revoking public key certificates. The CA uses a well-protected private key to add a digital signature to mark it as authentic. User’s have public keys for the CA’s digital signature built into operating systems
Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure: RA
Registration Authority
The CA uses the RA to authenticate applicants for digital certificates
Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure: PKI Repository
Stores all certificates
Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure: PKI Repository: CRL
stores certificates revoked before the scheduled expiration date. It is not issued frequently enough to be effective against attackers. It is expensive to distribute and vulnerable to DoS attacks
Certificates can be revoked because of
- Compromised Private Key
- Expiration
- Human Resources
- Changes to Company Name, Physical Address, DNS
Cryptography: Distributing Keys: Public Key Distribution: Public Key Infrastructure: X.509
A widely accepted standard format for digital certificates. Instead of CRL, the Online Certificate Status Protocol (OCSP) is used to query if the certificate is still valid
Social Engineering
Use of psychological manipulation to deceive people into compromising security or divulging sensitive information
Social Engineering: Compliance Principles
Reasons to comply
- Friendships
- Commitments / Consistency
- Scarcity (Exclusive opportunity)
- Reciprocity (Obligation to return a favour)
- Social Validation (Admiration of other’s actions)
- Authority (Requests from those with power)
Social Engineering: Communication Methods
- Direct Communication
- Bidirectional Communication: Both target and attacker exchange information
- Unidirectional Communication: Only attack communicates
- Indirect Communication: Attacker uses third-party channels to communicate such as fake website
Social Engineering: Techniques
Information Gathering: Gathering of personal information for malicious purposes, gathered from:
* Company Websites
* Social Networks
* Dumpster Diving
* Shoulder Surfing
Prevented by using shredders and educating employees on being aware of their social presence
Interaction with Target: Contacting the target to establish trust or instil fear
* Phishing: Fraudulent emails designed to trick recipients into divulging sensitive data
* Spear Phishing: Targeted phishing
* Whaling: Spear phishing of high-level individuals with access to company funds
* Vishing: Voice Phishing e.g. fraudulent bank call
* Smishing: SMS Phishing
Physical Impersonation: Attacker impersonates maintenance worker, delivery driver, etc.
Prevented by filtering emails by analysing links, spelling, grammar. Not downloading attachments. Not providing personal information. Education, be wary of demanding language
Tailgating: Attacker follows someone with legitimate access into a restricted area
Baiting: Attacker offers incentive such as a USB drive to entice the target into downloading malware
Cyberwarfare: Appeal
- Cost-Effective: Cheap, openly available tools instead of expensive troops and weapons
- Anonymity: Use of false IP addresses, foreign servers, and aliases make tracing attack origins difficult
- Attribution is Near Impossible: Attacker has plausible deniability, claiming their computer has been hacked
- Cyber Deterrence: Retaliation against the wrong actor is unjust and could be a crime of war
- No Casualties
- Disruption over Destruction
- Extremely Quick
- Hard to Detect & Neutralise
- Exploitable Vulnerabilities Increase as Technology Evolves
Bitcoin: Wallet
Stores public/private keys required to access and manage funds
Bitcoin: Addresses
- Public keys generate addresses used to receive payment
- One address per payment, so that the amount of information publicly available on a user is reduced
- Provides pseudo-anonymity
Bitcoin: Transaction: Inputs
References to previous transactions. Must not already be spent, tracked Unspent Transaction Outputs (UTXOs) against a wallet
Bitcoin: Transaction: Outputs
Determine where bitcoins will be sent
Bitcoin: Transaction: Digital Signature
- Transactions are digitally signed to prove ownership and ensure integrity before being broadcast across the bitcoin network. Nodes then verify the digital signature and the funds required, the transaction is then included in blocks by miners.
- Transaction blocks have a reference to the hash of the previous block. Changing any block would require updating all subsequent blocks
Bitcoin: Advantages
Decentralised, trustless, pseudo-anonymity, immutable transaction history
Bitcoin: Disadvantages
High transaction fees reduce profits and makes it less attractive to customers, slow transaction confirmation, not a stabilised currency, lack of regulations
