Intro

Cards (102)

  • Threat Intelligence
    • In this context, intelligence refers to information you gather about actual and potential enemies. A threat is any action that can disrupt or adversely affect a system. Threat intelligence aims to gather information to help the company better prepare against potential adversaries. The purpose would be to achieve a threat-informed defense. Different companies have different adversaries. Some adversaries might seek to steal customer data from a mobile operator; however, other adversaries are interested in halting the production in a petroleum refinery.
  • Example adversaries include a nation-state cyber army working for political reasons and a ransomware group acting for financial purposes. Based on the company (target), we can anticipate which adversaries to expect.
  • Digital Forensics
    • Forensics is the application of science to investigate crimes and establish facts. With the use and spread of digital systems, such as computers and smartphones, a new branch of forensics was born to investigate related crimes: computer forensics, which later evolved into digital forensics.
    • In defensive security, the focus of digital forensics shifts to analyzing evidence of an attack and its perpetrators, as well as other areas such as intellectual property theft, cyber espionage, and possession of unauthorized content.
  • Digital forensics will focus on different areas such as:
    • File System: Analyzing a digital forensics image (low-level copy) of a system’s storage reveals much information, such as installed programs, created files, partially overwritten files, and deleted files.
    • System memory: If the attacker is running their malicious program in memory without saving it to the disk, taking a forensic image (low-level copy) of the system memory is the best way to analyze its contents and learn about the attack.
    • System logs: Each client and server computer maintains different log files about what is happening. Log files provide plenty of information about what happened on a system. Some traces will be left even if the attacker tries to clear their traces.
    • Network logs: Logs of the network packets that have traversed a network would help answer more questions about whether an attack is occurring and what it entails.
  • Incident Response
    • An incident usually refers to a data breach or cyber attack; however, in some cases, it can be something less critical, such as a misconfiguration, an intrusion attempt, or a policy violation. Examples of a cyber attack include an attacker making our network or systems inaccessible, defacing (changing) the public website, and a data breach (stealing company data).
  • Incident response
    • Specifies the methodology that should be followed to handle such a case. The aim is to reduce damage and recover in the shortest time possible. Ideally, you would develop a plan ready for incident response.
  • The four major phases of the incident response process are:
    1. Preparation: This requires a team trained and ready to handle incidents. Ideally, various measures are put in place to prevent incidents from happening in the first place.
    2. Detection and Analysis: The team has the necessary resources to detect any incident; moreover, it is essential to further analyze any detected incident to learn about its severity.
    3. Containment, Eradication, and Recovery: Once an incident is detected, it is crucial to stop it from affecting other systems, eliminate it, and recover the affected systems. For instance, when we notice that a system is infected with a computer virus, we would like to stop (contain) the virus from spreading to other systems, clean (eradicate) the virus, and ensure proper system recovery.
    4. Post-Incident Activity: After successful recovery, a report is produced, and the lessons learned are shared to prevent similar future incidents.
  • Malware Analysis
    Malware stands for malicious software. Software refers to programs, documents, and files that you can save on a disk or send over the network. Malware includes many types, such as:
    • Trojan Horse is a program that shows one desirable function but hides a malicious function underneath. For example, a victim might download a video player from a shady website that gives the attacker complete control over their system.
    • Ransomware is a malicious program that encrypts the user’s files. Encryption makes the files unreadable without knowing the encryption password. The attacker offers the user the encryption password if the user is willing to pay a “ransom.”
  • Malware analysis aims to learn about such malicious programs using various means:
    1. Static analysis works by inspecting the malicious program without running it. Usually, this requires solid knowledge of assembly language (processor’s instruction set, i.e., computer’s fundamental instructions).
    2. Dynamic analysis works by running the malware in a controlled environment and monitoring its activities. It lets you observe how the malware behaves when running.
  • There are many open-source databases out there, like AbuseIPDB, and Cisco Talos Intelligence, where you can perform a reputation and location check for the IP address. Most security analysts use these tools to aid them with alert investigations. You can also make the Internet safer by reporting the malicious IPs, for example, on AbuseIPDB.
  • Tabletop Exercises
    • Tabletop exercises are often conducted to gauge the operational readiness of an organization from a security point of view. Certain scenarios are identified to be exercised, and security team members must explain their respective roles in the scenarios under discussion. For example, a scenario might include the compromise of an endpoint device through a phishing email. All the team members will then explain their respective steps per the organization's playbooks. The security engineer is sometimes required to conduct these exercises.
  • Confidentiality, Integrity, and Availability (CIA) triad
    • Confidentiality ensures that only the intended persons or recipients can access the data.
    • Integrity aims to ensure that the data cannot be altered; moreover, we can detect any alteration if it occurs.
    • Availability aims to ensure that the system or service is available when needed.
  • Let’s consider the CIA security triad in the case of placing an order for online shopping:
    • Confidentiality: During online shopping, you expect your credit card number to be disclosed only to the entity that processes the payment. If you doubt that your credit card information will be disclosed to an untrusted party, you will most likely refrain from continuing with the transaction. Moreover, if a data breach results in the disclosure of personally identifiable information, including credit cards, the company will incur huge losses on multiple levels.
    • Integrity: After filling out your order, if an intruder can alter the shipping address you have submitted, the package will be sent to someone else. Without data integrity, you might be very reluctant to place your order with this seller.
    • Availability: To place your online order, you will either browse the store’s website or use its official app. If the service is unavailable, you won’t be able to browse the products or place an order. If you continue to face such technical issues, you might eventually give up and start looking for a different online store.
  • Let’s consider the CIA as it relates to patient records and related systems:
    • Confidentiality: According to various laws in modern countries, healthcare providers must ensure and maintain the confidentiality of medical records. Consequently, healthcare providers can be held legally accountable if they illegally disclose their patients’ medical records.
    • Integrity: If a patient record is accidentally or maliciously altered, it can lead to the wrong treatment being administered, which, in turn, can lead to a life-threatening situation. Hence, the system would be useless and potentially harmful without ensuring the integrity of medical records.
    • Availability: When a patient visits a clinic to follow up on their medical condition, the system must be available. An unavailable system would mean that the medical practitioner cannot access the patient’s records and consequently won’t know if any current symptoms are related to the patient’s medical history. This situation can make the medical diagnosis more challenging and error-prone.
  • Authenticity: Authentic means not fraudulent or counterfeit. Authenticity is about ensuring that the document/file/data is from the claimed source.
  • Nonrepudiation: Repudiate means refusing to recognize the validity of something. Nonrepudiation ensures that the original source cannot deny that they are the source of a particular document/file/data. This characteristic is indispensable for various domains, such as shopping, patient diagnosis, and banking.
  • As a company, if you receive a shipment order of 1000 cars, you need to ensure the authenticity of this order; moreover, the source should not be able to deny placing such an order. Without authenticity and nonrepudiation, the business cannot be conducted.
  • Parkerian Hexad
    In 1998, Donn Parker proposed the Parkerian Hexad, a set of six security elements. They are:
    1. Availability
    2. Utility
    3. Integrity
    4. Authenticity
    5. Confidentiality
    6. Possession
    • Utility: Utility focuses on the usefulness of the information. For instance, a user might have lost the decryption key to access a laptop with encrypted storage. Although the user still has the laptop with its disk(s) intact, they cannot access them. In other words, although still available, the information is in a form that is not useful, i.e., of no utility.
  • Possession: This security element requires that we protect the information from unauthorized taking, copying, or controlling. For instance, an adversary might take a backup drive, meaning we lose possession of the information as long as they have the drive. Alternatively, the adversary might succeed in encrypting our data using ransomware; this also leads to the loss of possession of the data.
  • DAD: The opposite of the CIA Triad would be the DAD Triad: Disclosure, Alteration, and Destruction.

    The security of a system is attacked through one of several means. It can be via the disclosure of secret data, alteration of data, or destruction of data.
    • Disclosure is the opposite of confidentiality. In other words, disclosure of confidential data would be an attack on confidentiality.
    • Alteration is the opposite of Integrity. For example, the integrity of a cheque is indispensable.
    • Destruction/Denial is the opposite of Availability.
  • Fundamental Concepts of Security Models
    • Bell-LaPadula Model
    • The Biba Integrity Model
    • The Clark-Wilson Model
  • Security Models:
    Bell-LaPadula Model
    The Bell-LaPadula Model aims to achieve confidentiality by specifying three rules:
    1. Simple Security Property: This property is referred to as “no read up”; it states that a subject at a lower security level cannot read an object at a higher security level. This rule prevents access to sensitive information above the authorized level.
    2. Star Security Property: This property is referred to as “no write down”; it states that a subject at a higher security level cannot write to an object at a lower security level. This rule prevents the disclosure of sensitive information to a subject of lower security level.
    3. Discretionary-Security Property: This property uses an access matrix to allow read and write operations. An example access matrix is shown in the table below and used in conjunction with the first two properties.
  • The Bell-LaPadula model has certain limitations. For example, it was not designed to handle file-sharing.
  • Security Models:
    Biba Model
    The Biba Model aims to achieve integrity by specifying two main rules:
    • Simple Integrity Property: This property is referred to as “no read down”; a higher integrity subject should not read from a lower integrity object.
    • Star Integrity Property: This property is referred to as “no write up”; a lower integrity subject should not write to a higher integrity object.
    These two properties can be summarized as “read up, write down.” This rule is in contrast with the Bell-LaPadula Model, and this should not be surprising as one is concerned with confidentiality while the other is with integrity.
    The Biba Model suffers from various limitations. One example is that it does not handle internal threats (insider threat).
  • Clark-Wilson Model
    The Clark-Wilson Model also aims to achieve integrity by using the following concepts:
    • Constrained Data Item (CDI): This refers to the data type whose integrity we want to preserve.
    • Unconstrained Data Item (UDI): This refers to all data types beyond CDI, such as user and system input.
    • Transformation Procedures (TPs): These procedures are programmed operations, such as read and write, and should maintain the integrity of CDIs.
    • Integrity Verification Procedures (IVPs): These procedures check and ensure the validity of CDIs.
  • More Security Models:
    • Brewer and Nash model
    • Goguen-Meseguer model
    • Sutherland model
    • Graham-Denning model
    • Harrison-Ruzzo-Ullman model
  • Defence-in-Depth refers to creating a security system of multiple levels; hence it is also called Multi-Level Security.
  • Defence-in-Depth:
    If we think of multi-level security, we would prefer that the important drawer be locked, the relevant room be locked, the main door of the apartment be locked, the building gate be locked, and you might even want to throw in a few security cameras along the way. Although these multiple levels of security cannot stop every thief, they would block most of them and slow down the others.
  • The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have created ISO/IEC 19249:2017, “Information technology - Security techniques - Catalogue of architectural and design principles for secure products, systems and applications.” Studying it gives a better idea of what international organizations teach regarding security principles.
  • Trust but Verify: This principle teaches that we should always verify even when we trust an entity and its behaviour. An entity might be a user or a system. Verifying usually requires setting up proper logging mechanisms; verifying indicates going through the logs to ensure everything is normal. In reality, it is not feasible to verify everything; just think of the work it takes to review all the actions taken by a single entity, such as Internet pages browsed by a single user. This requires automated security mechanisms, such as proxy, intrusion detection, and intrusion prevention systems.