Getting started with cyber sec

Cards (88)

  • Sandbox
    A system that confines the actions of an application to an isolated virtual environment to study its interactions and uncover any malicious intent
  • Sandbox
    • It is typically managed by an organization's information security team, but is used by network, applications, and desktop operations teams to bolster security
    • If something unexpected or dangerous happens, it affects only the sandbox, and not the other computers and devices on the network
  • Zero-day attack
    Exploiting an unknown vulnerability
  • Before sandboxing, there was no effective means to stop a zero-day attack
  • Sandbox
    • It allowed potential threats to play out within the safety of these virtual systems
    • If the sandbox concluded that the suspicious file or activity was benign, no further action was needed
    • If it detected malicious intent, the file could be quarantined or the activity could be stopped on the real device
  • Many of the early sandboxes failed to tightly integrate with other security devices within the network
  • Second-Generation Sandbox
    Sandboxes were equipped with more integration tools or partnered with other product vendors to improve integration, allowing them to share threat intelligence with other security devices more effectively
  • Today, threat actors are innovating automation and Artificial Intelligence (AI) techniques to accelerate the creation of new malware variants and exploits, and to discover security vulnerabilities more quickly, with the goal of evading and overwhelming current defenses
  • To keep pace, a new generation of sandboxes has emerged that leverages AI and machine learning to detect and respond to these advanced threats
  • Attempts to aggregate threat intelligence data
    Was difficult and time consuming
  • Second-Generation Sandbox
    • Came about to correct the siloed, piecemeal approach
    • Sandboxes were equipped with more integration tools or partnered with other product vendors to improve integration
    • Could share threat intelligence with other security devices more effectively
    • Allowed analysts to correlate threat intelligence centrally and respond to threats from a single pane of glass
    • Could share information to a threat intelligence service in the cloud, which could be pushed to other networks
  • To keep pace and accelerate detection of these new threats, it is imperative that AI-learning is added to the sandbox threat analysis process
  • Third-Generation Sandbox
    1. Based on a threat analysis standard
    2. Covered the expanding attack surface of businesses due to the digital transformation
  • MITRE ATT&CK framework
    • Describes standard malware characteristics categorically
    • Provided security devices with a common language in which to identify, describe, and categorize threats, which could be shared with and readily understood by other vendor devices
  • As more businesses adopt digital transformation, there are new organizations or parts of organizations exposed to attacks, such as Operational technology (OT) industry and organizations that offer Applications, Platforms, and Infrastructure as services in the public cloud
  • Sandbox technology evolved to provide wider coverage to these new areas and others as they develop
  • FortiSandbox
    • Fortinet sandbox product that embodies the latest technologies discussed
    • Integrates with other security products in a collective defence called the Fortinet Security Fabric
    • FortiGuard Labs brings AI learning and other threat intelligence services to sandbox technology
  • Content classification
    • Safe
    • Moderate
    • Inappropriate
    • Rejected
  • Email content filters
    • Check header against real-time blackhole lists
    • Scan body for inappropriate content
    • Provide spam confidence level
  • Email content filters
    • Check attachments
    • Identify keywords or unauthorized file types
    • Block, quarantine or reject malicious emails
  • DNS-based content filters
    • Check website during domain resolution using blocklists
    • Redirect browser to replacement message if website is not allowed
    • Define allowlist of approved websites
  • Web filters
    • Categorize websites
    • Block access to websites based on category and user profile
    • Adhere to regulations like CIPA
  • Content filters
    • Block access to sites known to carry malware
    • Identify and block phishing or exploit kits
  • Content filters
    • Increase bandwidth efficiency
    • Enable faster connections for employees
  • Content filters
    Block access to social media and online shopping to increase staff productivity
  • Disk encryption
    The OS encrypts the entire disk. The UEFI loads the decrypting information from the OS. The cryptographic keys are stored in a trusted platform module (TPM) and protected by a password or other authentication method.
  • Full disk encryption
    • If the disk is stolen, no useful information can be retrieved except by attempting to brute force the drive encryption, which is very costly.
  • Self-encrypting drive (SED)
    A hard drive with a built-in module that automatically handles the encryption and decryption of the contents of the hard drive using instructions from the firmware and OS.
  • Data loss prevention (DLP) software
    • Can detect if someone is trying to copy sensitive information from a device or send it over the network
    • Can block or log the transaction for security
    • Can prevent or limit the use of attachable drives to prevent the copying of large amounts of data
    • Can inspect network traffic to alert administrators to keywords or other sensitive information being transmitted over networks
  • Many modern devices like smartphones automatically use full disk encryption, but on some devices, this may be an option that is disabled by default.
  • It is extremely important for administrators to be able to update, patch, and back up all connected endpoints.
  • Keeping patches up-to-date is critical because identifying and closing potential vulnerabilities is a key step in preventing a large-scale cybersecurity attack.
  • Having a fully patched and updated system can help slow down and restrict the compromising of systems using common, well-established malware and attack vectors.
  • Having a comprehensive backup solution for critical endpoints can greatly assist in recovering from cyberattacks or accidents.
  • Backing up IoT devices, like security cameras or smart locks, depends heavily on the manufacturer, and many such devices do not have backup capability.
  • Having a regular backup schedule for all your devices, from computers to cameras, is one of the most effective ways to mitigate a ransomware attack.
  • SIEM
    Security information and event management
  • SIEM was introduced in 2005
  • What SIEM does
    1. Collect, normalize, and store log events and alerts
    2. Run advanced analytics on the data
    3. Prove that security controls are in place and effective
  • SIEM
    • Collects information from physical and virtual devices both on-premises and in the cloud
    • Employs simple cross-correlation rules, monitors for user-behavioral anomalies, watches for known indicators of compromise, and applies sophisticated machine learning models