Security Overview Flashcards
AAA of Security: Authentication
When a person’s identity is established with proof and confirmed by a system
Something you know
Something you are
Something you have
Something you do
Somewhere you are
AAA of Security: Authorization
Occurs when a user is given access to a certain piece of data or certain areas of a building
AAA of Security: Accounting
Tracking of data, computer usage, and network resources
Non-repudiation occurs when you have proof that someone has taken an action
Mitigating Threats: Physical Controls
Alarm systems, locks, surveillance cameras, identification cards, and security guards
Mitigating Threats: Technical Controls
Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication
Mitigating Threats: Administrative Controls
Policies, procedures, security awareness training, contingency planning, and disaster recovery plans
User training is the most cost-effective security control to use
Five Types of Hackers
White Hats
Non-malicious hackers who attempt to break into a company’s systems at their request
Black Hats
Malicious hackers who break into computer systems and networks without authorization or permission
Gray Hats
Hackers without any affiliation to a company who attempt to break into a company’s network but risk the law by doing so
Blue Hats
Hackers who attempt to hack into a network with permission of the company but are not employed by the company
Elite
Hackers who find and exploit vulnerabilities before anyone else does
1 in 10,000 are elite
Threat Actors (4 Kinds)
Script Kiddies
Hackers with little to no skill who only use the tools and exploits written by others
Hacktivists
Hackers who are driven by a cause like social change, political agendas, or terrorism
Organized Crime
Hackers who are part of a crime group that is well-funded and highly sophisticated
Advanced Persistent Threats
Highly trained and funded groups of hackers (often by nation states) with covert and open-source intelligence at their disposal
Threat Intelligence Sources (4)
Timeliness
Relevancy
Accuracy
Confidence Levels
Proprietary
Threat intelligence is very widely provided as a commercial service offering,
where access to updates and research is subject to a subscription fee
Closed-Source
Data that is derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymized
Open-Source
Data that is available to use without subscription, which may include threat feeds similar to the commercial providers and may contain reputation lists and malware signature databases
Open-Source Intelligence (OSINT)
Methods of obtaining information about a person or organization through public records, websites, and social media
Threat Hunting
A cyber security technique designed to detect presence of threat that have not been discovered by a normal security monitoring
Threat Hunting is potentially less disruptive than penetration testing
Establish a hypothesis
Profiling threat actors & activities
Consumes a lot of resources & time, but can yield a lot of benefits
Kill Chain
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion
Kill chain analysis can be used to identify a defensive course-of action matrix to counter the progress of an attack at each stage
Kill Chain: 7 Steps
1) Reconnaissance
The attacker determines what methods to use to complete the phases of the attack
2) Weaponization
The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system
3) Delivery
The attacker identifies a vector by which to transmit the weaponized code to the target environment
4) Exploitation
The weaponized code is executed on the target system by this mechanism
5) Installation
This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system
6) Command & Control (CC)
The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack
7) Actions on Objectives
The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives
MITRE ATT&CK Framework
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures (attack.mitre.org)
The pre-ATT&CK tactics matrix aligns to the reconnaissance and weaponization phases of the kill chain
Diamond Model of Intrusion Analysis
A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim
Adversary
Infrastructure Capabilities
Victim