Cybersecurity Fundamentals
Section 5: Incident Response
Topic 1: Event VS Incident
Event (Planned)
An identifiable occurrence that could theoretically be relevant to information security
Example: a firewall blocking a connection attempt
Incident (Unplanned)
Physical incident: social engineering and lost or stolen laptops or mobile devices
Technical incident: viruses, malware, denial-of-service (DoS)
A viable risk, or an occurrence that causes damage such as lost data or operational disruptions
Topic 2: Security Incident Response
Incident Response Phase
Step 1: Preparation
Create and Catalogue Incident Response Policies
Regularly Update Your Policies
Define Clear Communication Channels
Train Your Team
Review Threat Intelligence Feeds
Step 2: Detection & Analysis
Use proper tools to perform the analysis
Step 3: Containment, Eradication and Recovery
Containing an Incident: Evidence Preservation
Eradicate: determine the root cause
Recovery
Step 4: Post-Incident Activity
Topic 3: Forensics
Chain of Events
Identify
Preserve
Analyze
Present
Tools
Computer: Magnet Axiom
Mobile Device: Cellebrite / X-Ways Forensics
Memory: Volatility
Network: Wireshark
Key points to consider during an investigation
Data protection & acquisition
Imaging
Reporting
Timelines and user activities
Log file, Windows Event file, Network Traffic, registry
Topic 4: Disaster Recovery and Business Continuity
Disaster
A sudden accident that causes great damage or loss to an asset
Need to have a plan to recover the lost asset
Business Continuity Planning (BCP) / Disaster Recovery Planning (DRP)
Ensure the survival of the organization and that assets are recoverable when a disaster happens
Identify the priorities, interdependencies, resources and methods used for the recovery process
Do a Business Impact Analysis (BIA)
Focus on Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Backup Plan: Full / Incremental / Differential
BCP
The blueprint to adjust to and continue to operate despite the impacts of a disruption
Section 6: Security Implications and Adoption of Evolving Technology
Mobile Technology - Vulnerabilities, Threats and Risk
Threats
Improper platform usage
Insecure data storage
Insecure Communication
Insecure Authentication
Insecure Authorization
Technical Risk
Activity monitoring and Data retrieval
Geolocation
Monitoring and retrieval of GPS positioning data
Pictures/Video
Retrieval of pictures and videos by piggybacking
Audio
Covert call initiation or call recording
Open microphone recording
Storage
Generic attacks on data and device storage
Messaging
Generic attacks on SMS text
Phishing attack through SMS or Email
Risk Associated with Mobile Data Storage and Transmission
Unsafe Sensitive Data Storage
Applications may store credentials or tokens as plaintext
Data stored without encryption
Unsafe Sensitive Data Transmission
Mobile devices rely on wireless data transmission, creating a risk of unauthorized network connectivity
Users are likely to use unsecured public networks
Automatic network recognition
Sensitive Data Leakage
Can occur through side channel attacks
Inadvertent
Require additional physical protection
Store replicated information from enterprise networks
Unauthorized Network Connectivity
HTTP GET/POST
Generic attack vector for browser-based connectivity
TCP/UDP socket
Lower-level attack vector for simple to complex data transmission
Email
Simple to complex data transmission
WLAN/WiMAX
Generic attack vector for full command and control of target
Consumerization of IT and Mobile Devices
Reorientation of technologies and services designed around individual end user
Bring Your Own Device (BYOD)
Use privately owned mobile devices for work
Cons
IT loss of control
Known or unknown security risk
Unclear compliance and ownership of data
Pros
Important job motivation factor
Cutting-edge technology
Shift costs to user
Internet Of Things
Physical objects that possess embedded network and computing elements
Business Risk
Health and safety
User privacy
Unexpected cost
Technical Risk
Device vulnerabilities
Device updates
Device management
Operational Risk
Inappropriate access to functionality
Performance
Big Data
Risk
Amplified technical impact
Privacy in data collection
Re-identification
Relies on data sets
Information
Advanced Persistent Threats (APT)
Composed of various complex attack vectors
Can remain undetected for an extended period of time
Characteristics
Unprecedented degree of planning
Follow a particular modus operandi
Target
Companies of all sizes and all sectors
Companies that contain high-value assets
Extends to third-party organizations connected to the targeted enterprises
Sources of Threat
Intelligence Agencies
Political defense of commercial trade secrets
Competitive Advantage, Loss of Trade Secrets
Criminal Groups
Money transfer, personal identity information or secrets
Financial Loss, Data Breach, Loss of Trade Secrets
Terrorist Groups
Produce terror
Loss of production and services, Potential risk to human life
Activist Groups
Confidential Information, Disruptive services
Data breach, Loss of Service
Armed Forces
Intelligence support on Military activities
Serious damage to facilities
Stages of APT Attack
Target Selection
Data Exfiltration
Command And Control
Target Penetration
Information Exploitation
Target Research
Target Discovery
Cloud and Digital Collaboration
Cloud Computing
Model for enabling convenient, on-demand access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
Save cost
Platforms
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Software as a Service (SaaS)
Risk
Primary malware
Secondary malware
Zero-day exploits
Threats
Account hijacking
Insecure APIs
Data Loss
Malicious Insider
DoS
Data breach
Social Media
Creation and dissemination of content through social network
Differentiate by level of interaction
Create highly effective communication platforms
Enterprise use for increase brand recognition, sales, revenue and customer satisfaction
Enterprise Risk
Virus/Malware attack on organization network
Misinformation
Unclear or undefined content rights
Customer dissatisfaction
Mismanagement of electronic communications
Employee Risk
Excessive employee use of social media in the workplace
Risk of misusing enterprise-supplied mobile devices
Use of personal accounts to communicate work-related information
Current Threat Landscape
Threat Landscape
Threat environment (collection of threats)
Constantly Changing
Recent Trends
Malware, DoS, Insider Threats, Ransomware
Section 2: Cybersecurity Concepts
Topic 2: Common Attack Types & Vectors
Malware & Attack Types
Viruses & Worms
Backdoor
Brute Force
Phishing
Attacks Attributes
Activity by a threat against an asset.
Ingress:
Focus on intrusion / hacking into a system.
Egress:
To remove data from systems & networks
Non-adversarial Threat Events
Incorrectly configured devices / systems
Vulnerabilities in software products
Mishandling of sensitive information by authorized users
Reconnaissance >> Tools >> Deliver malicious capabilities >> Exploit >> Attack >> Results >> Maintain presence >> Coordinate campaign
Topic 1: Risk
Approach to Cybersecurity Risk
Compliance-based:
Based on applying a checklist.
Risk-based:
Relies on scenario-based analysis.
Ad hoc:
Simply implements security with no particular rationale.
Key Terms
Asset
Threat Event
Threat Source
Vulnerability
Inherent Risk
Residual Risk
Likelihood:
Probability measures of frequency of an event's occurrence
Third-party Risk
Difficult to quantify & potentially difficult to mitigate
The third party may misuse the organization's information
Topic 3: Policies & Procedures
Policy Life Cycle
Create >> Review >> Update >> Approve
Compliance Document Types
Standards:
Interpret policies in specific situations
Procedures:
Detail how to comply with policies & standards
Policies:
Communicate required and prohibited activities
Guidelines:
General guidance on particular situations
Information Security Policies
= primary element of cybersecurity and overall security governance.
Define the roles and responsibilities within the organization
Outline expected behaviors in various situations
Specify requirements
Types of Security Policies
Access Control Policy
Proper access for internal and external stakeholders to accomplish business goals.
Personnel Information Security Policy
Security Incident Response Policy
Requirement to create an incident response plan
Statement of how incidents should be handled
Definition of information security incidents
COBIT 5 Information Security Policy Set
Rules of Behavior
Development / Maintenance
Assets Management
Vendor Management
Disaster recovery / Business Continuity
Communications & Operations
Risk Management
Compliance
Topic 4: Cybersecurity Controls
Provisioning and Deprovisioning
Provisioning
Occurs when a new user is created, either through hiring or based on shifting job requirements.
Deprovisioning
Occurs when a user leaves the organization.
Identity Management
The task of controlling information about users on computers.
Authentication & Authorization services
User-management capabilities
Directory services
Authorization and Access Restriction
Authorization:
Process for access control that differentiates what users are able to do.
Access:
Granted on least privilege and can be set at various levels.
Access Lists
Filter traffic at network interfaces based on specified criteria, providing basic network security
Permit traffic based on rules.
Access Control Lists
Provide authorization security for organizational assets such as data and facilities.
E.g.: types of access permitted.
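Access lists are evaluated top-down: the first matching rule decides, so rule order matters, and anything no rule matches falls through to an implicit deny. The following added example (not from the original notes; the rules, addresses and packets are constructed for illustration) evaluates a small ACL over sample packets and reports rules that never win a match, which is how a misordered "permit any" that shadows a later deny shows up in review:

```python
from ipaddress import ip_address, ip_network

# Added example: first-match ACL evaluation with an implicit deny.
# Rules and packets are constructed for illustration, not taken from any real device.

ACL = [
    # permit HTTPS from the internal range to the web server
    {"action": "permit", "proto": "tcp", "src": "10.0.0.0/8",
     "dst": "10.1.1.10/32", "dport": 443},
    # deny SSH to the web server from anywhere
    {"action": "deny", "proto": "tcp", "src": "0.0.0.0/0",
     "dst": "10.1.1.10/32", "dport": 22},
    # permit all other internal-to-internal traffic
    {"action": "permit", "proto": "any", "src": "10.0.0.0/8",
     "dst": "10.0.0.0/8", "dport": None},
]


def matches(rule, packet):
    """True when every field the rule specifies covers the packet."""
    if rule["proto"] != "any" and rule["proto"] != packet["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != packet["dport"]:
        return False
    return (ip_address(packet["src"]) in ip_network(rule["src"])
            and ip_address(packet["dst"]) in ip_network(rule["dst"]))


def evaluate(acl, packet):
    """Return (action, rule_index); rule_index is None when the implicit deny applies."""
    for index, rule in enumerate(acl):
        if matches(rule, packet):
            return rule["action"], index
    return "deny", None  # implicit deny: nothing matched


def find_shadowed_rules(acl, sample_packets):
    """Rules that never win first-match over the sample set: candidates for misordering."""
    hit = {evaluate(acl, p)[1] for p in sample_packets}
    return [i for i in range(len(acl)) if i not in hit]


# Constructed sample packets covering each rule plus one that nothing matches.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.2.3.4", "dst": "10.1.1.10", "dport": 443},
    {"proto": "tcp", "src": "198.51.100.5", "dst": "10.1.1.10", "dport": 22},
    {"proto": "tcp", "src": "10.5.5.5", "dst": "10.1.1.10", "dport": 22},
    {"proto": "udp", "src": "10.5.5.5", "dst": "10.7.7.7", "dport": 53},
    {"proto": "tcp", "src": "198.51.100.5", "dst": "10.1.1.10", "dport": 443},
]

if __name__ == "__main__":
    for packet in SAMPLE_PACKETS:
        print(packet, "->", evaluate(ACL, packet))
    # Moving the broad permit to the top shadows the HTTPS rule and lets SSH through.
    misordered = [ACL[2], ACL[0], ACL[1]]
    print("shadowed rules after misordering:", find_shadowed_rules(misordered, SAMPLE_PACKETS))
```

Running the misordered list shows why the broad permit must come last: the internal SSH packet is permitted by the first rule before the deny is ever consulted, and the HTTPS rule is reported as never matching.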
Patch Management
Patches are fixes for programming errors that could lead to security vulnerabilities.
Organizations need to identify which software requires patches
Change Management
Disciplines that guide how to prepare and support individuals to successfully adopt change in order to drive organizational success and outcome.
Privileged User Management
Common controls
Review / removal of privileges
Use of stronger passwords
Background checks for elevated access
Additional activity logging
The process of monitoring and protecting the privileges accounts in organizations.
Configuration Management
Process for establishing and maintaining consistency of a product's performance, functional, and physical attributes
E.g.:
Verify the impact on related items
Perform a risk assessment of a proposed change
Inspect the different defenses for potential weaknesses
Section 1: Cybersecurity Introduction and Overview
Topic 3: Cybersecurity
Objectives
Integrity: The accuracy and completeness of information in accordance with business values and expectations
Availability: The ability to access information and resources required by the business process
Confidentiality: The protection of information from unauthorized disclosure
Topic 4: Cybersecurity Roles
Executive Committee
Security Management
Cybersecurity Practitioners
Board of Directors
Topic 2: Difference Between Information Security and Cybersecurity
Protecting Digital Assets
Identify, Protect, Detect, Respond and Recover
Information security focuses on protection of information, regardless of format whereas cybersecurity focuses on protection of digital assets
Topic 5: Cybersecurity Domains
Security Architecture Principles
Security of Networks, Systems, Applications and Data
Cybersecurity Concepts
Incident Response
Security Implications and Adoption of Evolving Technology
Topic 1: Introduction to Cybersecurity
Business-related Factors
Security mission, vision and strategy
Risk tolerance and appetite
Nature of the business
Industry alignment and security trends
Compliance requirements and regulations
Mergers, acquisitions and partnerships
Outsourcing of services or providers
Technological Factors
Network connectivity (internal, third party, public)
Specialist industry devices / instrumentation
Level of IT complexity
Platforms, applications and tools used
On-premise, cloud or hybrid systems
Operational support for security
User community and capabilities
New or emerging security tools
Cybersecurity professionals must understand the organizational environment and have knowledge of information threats
Cybersecurity is a subset of information security and encompasses Application Security, Network Security and Internet Security
What is Cybersecurity?
The protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.
Section 3: Security Architecture Principles
Topic 4: Information Flow Control(Firewall)
A firewall is a system or combination of systems that enforces a boundary between two or more networks.
Firewall Technologies
Packet Filters
Stateful Inspection
Application Proxy
Next Generation Firewall
Web Application Firewalls (WAF)
Additional filter that can be used to apply rules to a specific web application
Operates at layer 7
Topic 5: Isolation and Segmentation
Virtual local area networks (VLANs)
No additional encryption
Set up by configuring ports on a switch
Set up based on logical rather than physical connections
Separate zones allow the application of controls at a more granular level, supporting defense in depth
Topic 3: Defense in Depth
Defense in Depth Implementations
What vulnerabilities are addressed by each layer or control?
How does each layer mitigate the vulnerability?
How does each control interact with or depend on the other controls?
Architectural Perspective
VERTICAL DEFENSE IN DEPTH
HORIZONTAL DEFENSE IN DEPTH
Topic 6: Logging, Monitoring and Detection
Security Event Management (SEM) systems
Aid in reducing the resulting overload of event data
Automatically aggregate and correlate security event log data across multiple security devices
Logs should contain
Time of the event
Changes to permissions
System startup or shutdown
Login or logout
Changes to data
Errors or violations
Job failures
Security Information and Event Management (SIEM) systems
combine SEM capabilities with the historical analysis and reporting features of security information management (SIM) systems
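To show what "aggregate and correlate across multiple security devices" means in practice, here is an added example that is not part of the original notes. It normalizes constructed log lines from a host and a firewall into one time-ordered timeline, then correlates the fields the list above asks for (time, login/logout, changes to permissions): repeated failed logins followed by a success from the same address, and a permission change by that user shortly afterwards. The log formats, host names and addresses are assumptions made for the example and do not follow any real product's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: aggregate events from two devices into one normalized timeline
# and correlate them. All log lines, hosts and addresses below are constructed.

HOST_LOG = """\
2024-03-01T08:00:01 host1 sshd: Failed password for admin from 203.0.113.9
2024-03-01T08:00:04 host1 sshd: Failed password for admin from 203.0.113.9
2024-03-01T08:00:07 host1 sshd: Failed password for admin from 203.0.113.9
2024-03-01T08:00:12 host1 sshd: Accepted password for admin from 203.0.113.9
2024-03-01T08:00:20 host1 sudo: admin : permission change on /etc/shadow
2024-03-01T09:30:00 host1 sshd: Accepted password for alice from 192.0.2.7
"""

FW_LOG = """\
2024-03-01T07:59:58 fw1 DENY TCP 203.0.113.9 -> 10.0.0.5:22
2024-03-01T08:00:00 fw1 ALLOW TCP 203.0.113.9 -> 10.0.0.5:22
2024-03-01T09:29:59 fw1 ALLOW TCP 192.0.2.7 -> 10.0.0.5:22
"""

LOGIN_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\w+) from (\S+)$")
PERM_RE = re.compile(r"^(\S+) (\S+) sudo: (\w+) : permission change on (\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) \w+ (\S+) -> (\S+)$")


def normalize(host_log, fw_log):
    """Parse both sources into a common schema and merge them into one timeline."""
    events = []
    for line in host_log.splitlines():
        if m := LOGIN_RE.match(line):
            ts, device, outcome, user, ip = m.groups()
            kind = "login_fail" if outcome == "Failed" else "login_ok"
            events.append({"ts": datetime.fromisoformat(ts), "device": device,
                           "type": kind, "user": user, "ip": ip})
        elif m := PERM_RE.match(line):
            ts, device, user, path = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "device": device,
                           "type": "perm_change", "user": user, "ip": None, "path": path})
    for line in fw_log.splitlines():
        if m := FW_RE.match(line):
            ts, device, action, src, dst = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "device": device,
                           "type": "fw_" + action.lower(), "user": None, "ip": src, "dst": dst})
    return sorted(events, key=lambda e: e["ts"])  # merged, time-ordered timeline


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failed logins from one address are followed within the
    window by a success from that address, and again when the same user then changes
    permissions within the window of that success."""
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    suspicious = {}                # user -> (ip, time of the suspicious success)
    for e in events:
        if e["type"] == "login_fail":
            failures[e["ip"]].append(e["ts"])
        elif e["type"] == "login_ok":
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(("brute_force_success", e["ip"], e["user"], e["ts"]))
                suspicious[e["user"]] = (e["ip"], e["ts"])
            failures[e["ip"]].clear()
        elif e["type"] == "perm_change" and e["user"] in suspicious:
            ip, success_ts = suspicious[e["user"]]
            if e["ts"] - success_ts <= window:
                alerts.append(("post_compromise_perm_change", ip, e["user"], e["ts"]))
    return alerts


def timeline(events, ip):
    """Every event from every device that involves one source address."""
    return [(e["ts"].isoformat(), e["device"], e["type"]) for e in events if e["ip"] == ip]


if __name__ == "__main__":
    events = normalize(HOST_LOG, FW_LOG)
    for alert in correlate(events):
        print(alert)
    for row in timeline(events, "203.0.113.9"):
        print(row)
```

The timeline for the flagged address shows the firewall deny, the firewall allow and the host-side login attempts in one ordered view, which is the cross-device picture neither log gives on its own; alice's single successful login raises nothing.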
Attack Vectors
Ingress
Egress
Data Loss Prevention Software
Strong Data Loss Prevention (DLP) solutions cover three primary states of information
Data at rest
Data in transit
Data in use
Intrusion Detection Systems
Work in conjunction with routers and firewalls to monitor anomalies in network usage
Run in the background and notify administrators when a perceived threat is detected
IDS Categories
Host-based IDS
Configured for a specific environment
Monitors internal operating system resources to warn of attacks
Can detect the modification of executable programs and deletion of files
Issues a warning if a privileged command is attempted
Network-based IDS
Identifies attacks within the monitored network and issues a warning to the operator
Detects attack attempts
Not a substitute for a firewall, but rather a complement
Intrusion Prevention Systems
Similar to IDS, but detects attacks and prevents damage to the intended victim/host
Topic 2: The OSI model
Physical layer
Data link layer
Network layer
Transport layer
Session layer
Presentation layer
Application layer
Topic 7: Encryption Fundamentals, Techniques and Applications
Key elements of cryptographic systems
Encryption algorithm
Encryption key
The longer the key, the more difficult it is to compromise
Types of Cryptographic Systems
Symmetric Key Systems
Use single, secret bidirectional keys that both encrypt and decrypt
DES, AES and Triple DES (3DES)
Asymmetric Key Systems
Use pairs of unidirectional, complementary keys that only encrypt or only decrypt
Public Key and Private Key
RSA, ECC (Elliptic Curve Cryptography)
Provides Authentication and Non-repudiation
Provides Authentication and Confidentiality
Digital Signature
A digital signature is an electronic identification of a person or entity created by using a public key algorithm
Data integrity
Authentication
Non-repudiation
A cryptographic hashing algorithm, called a checksum, is computed against the entire message or electronic document, generating a small, fixed-length value
This process creates a message digest, which is a smaller extrapolated version of the original message.
Common types of message digest algorithms are SHA-256 and SHA-512.
These are one-way functions, and the process of creating message digests cannot be reversed.
Applications of Cryptographic Systems
Email and Internet transactions generally involve a combination of private/public key pairs, secret keys, hash functions and digital certificates
The purpose of applying these combinations is to achieve confidentiality, message integrity or non-repudiation by either the sender or the recipient.
Public Key Infrastructure (PKI)
Allows a trusted third party to issue, maintain and revoke public key certificates
Certificate Authority (CA)
The CA is an authority in a network that issues and manages security credentials and public keys for message signature verification or encryption
Registration Authority (RA)
An RA is an authority in a network that verifies user requests for a digital certificate and tells the CA to issue it.
Digital Certificates
A digital certificate is composed of a public key and identifying information about the owner of the public key
Topic 1: Overview of security architecture
Describes the structure, components, connections and layout of security controls within an organization's IT infrastructure.
Models of Cybersecurity
System/Network - centric model
Data-centric model
Security Perimeter
Many current security controls and architectures were developed with the concept of a perimeter
Internet Perimeter
Important component of the security perimeter
Ensure secure access
To provide security of email, front-end mobile and web apps, and domain name system (DNS), the Internet perimeter should:
• Enforce filtering policies to block access to web sites containing malware or questionable content
• Eliminate threats such as email spam, viruses and worms
• Identify and block anomalous traffic and malicious packets recognized as potential attacks
• Control user traffic bound toward the Internet
• Detect and block traffic from infected internal end points
• Monitor internal and external network ports for rogue activity
• Prevent executable files from being transferred through email attachments or web browsing
• Route traffic between the enterprise and the Internet
Network Security
Provides protection for virtual private networks (VPNs), wide area networks (WANs) and wireless local area networks (WLANs)
Interdependencies
Modern IT architectures are usually decentralized and deperimeterized, increasing security risk across several fronts, including:
Cloud-based platforms and services
Smart and mobile devices
Third-party products and services
Weak and unsecured parts of the IT architecture
Models of Security Architecture
Process Model
Describes elements in terms of the processes used for them
Framework Model
Describes these elements, and how they relate to one another
Zachman and SABSA Framework
Section 4: Security of Networks, Systems, Applications and Data
3. Process Controls - Penetration Testing
Purpose
- Confirm exposures, ensure compliance, assess the effectiveness & quality of security controls, identify the ways vulnerabilities expose IT resources & assets
Penetration Testing Frameworks
PCI Penetration Testing Guide, Standard, ISSAF, OSSTMM
Phases of a Penetration Test
Planning -> Discovery -> Attack -> Reporting
Attack Phase
Gaining Access -> Escalate Privilege -> System Browsing -> Install Additional Tools (gain critical info)
2. Process Controls - Vulnerability Management
General - Identifying and assessing vulnerabilities and determining their potential impact
Vulnerability Scans - Proactively used to locate vulnerabilities
Types of vulnerabilities
Process
Cause - Errors in operation
E.g.: failure to monitor logs & patch software
Organizational
Cause - Errors in management, planning
E.g.: lack of policies, awareness
Technical
Cause - Errors in design, configuration
E.g.: coding errors, open network ports
Emergent
Cause - Interactions or changes in the environment
E.g.: implementing new technology, interoperability errors
Vulnerability Assessment - Analyze how they can be exploited
Remediation - Patch management or reconfiguration of existing or new controls
1. Process Controls - Risk Assessment
Threat
Adversary Characteristics, Likelihood, Impact
Vulnerability
Access, Existing Controls, Attacks & Exploits
Asset
Criticality, Value
4. Network Security
Network Management
Fault management
- Detection, isolation, notification & correction of faults
Performance Management
- Monitoring performance metrics to maintain acceptable performance
Accounting Management
- Usage information regarding network resources
Security Management
- Ensuring only authorized individuals have access to network devices and corporate resources
Configuration Management
- File, Inventory & software management
LAN and WAN Security
Susceptible to people- and virus-related threats because of the large number of individuals involved
Network Access Control (NAC) controls access using policies that can secure network nodes
Feature: automatic remediation process that fixes noncompliant nodes before access is allowed
Enables network infrastructure to work with back-office services and end-user computing to ensure network security
LAN Risk
Loss of data through unauthorized changes
Lack of current data protection through inability to maintain version control
Exposure to external activity through limited user verification
Virus and worm infection
Illegal access by impersonating legitimate users
Internal users sniffing and spoofing
LAN Security Provisions
Limit access to read-only
Enforce user ID and password (password length, format)
Encrypt local traffic using the IPsec (IP security) protocol
Implement record and file locking
Wireless technologies
Includes Wireless Local Area Networks (WLAN)
Based on the IEEE 802.11 standards
Wireless Network Protections
Remote tools can be used to intercept connections
IEEE 802.11's Wired Equivalent Privacy (WEP) encryption uses symmetric, private keys. The keys are static, making WEP easy to crack.
Stronger encryption such as WPA2 should be implemented, since it uses dynamic keys
Ports & Protocols
Range: 0 to 65535
Well-known ports: 0 to 1023 (Can only be used by system or root processes)
Registered ports: 1024 to 49151 (can be used by ordinary user processes)
Dynamic / Private ports: 49152 to 65535 (not listed by IANA)
Commonly exploited ports and services
Port 25 (SMTP), 21 (FTP), 23 (Telnet), 80 (HTTP)
Tunneling
Attackers use a pathway or tunnel, directing the exchange of information for malicious purposes.
Types of tunneling
ICMP tunneling - Used to bypass firewall rules via obfuscation of the traffic
HTTP tunneling - Various network protocols encapsulated in HTTP are used to perform communications.
VPN Tunneling
Types:
Point-to-Point Tunneling Protocol (PPTP) - Layer 2 protocol developed by Microsoft that encapsulates point-to-point data. Simple but less secure
Layer 2 Tunneling Protocol (L2TP) - Encapsulates point-to-point protocol data & is compatible with various manufacturers' equipment
Secure Sockets Layer (SSL) VPN - Layer 3 VPN used with a web browser; uses Transport Layer Security (TLS) to encrypt traffic
IPsec VPN - Protects Layer 2 & 3 IP packets between remote networks and an IPsec gateway at the edge of the private network.
VoIP
No scheduled downtime in telephony
Disclosure of confidential information
Remote access
Outside to inside
Can create holes in the organization's security infrastructure
Risks
Denial of service (DoS)
Malicious third parties
Misconfigured devices and communications software
Physical security issues
Remote Access Controls
Policy and standards
Encryption tools and techniques (VPN)
Proper authorizations (Restriction to controlled systems)
5. Operating System Security
System Hardening Controls
Authentication and authorization
Logging and system monitoring
Access privileges
System services
File system permissions
Credentials and Privileges
Passwords
Prevent misuse or compromise
Limited user access
Platform Hardening
Disable unnecessary functions (ports, services and protocols that are not required)
Use only passwords and accounts that have been changed or disabled (no default passwords)
Reduces vulnerability by securing the possible points that could be used to compromise the system
Virtualization
Increases opportunities to improve efficiency and decrease costs in IT operations
Risks
Host represents a single point of failure
Compromise on a large scale
Solution
Strong Physical & logical access controls
Appropriate network segregation
Strong change management practices
Specialized Systems
Supervisory Control and Data Acquisition (SCADA) systems
Real-time monitoring and control systems
Operate in specialized environments: Industrial manufacturing, Power generation, defense systems
Security should be highly considered, as there may be unique threats and risks requiring different types of controls
6. Application Security
System Development Life Cycle(SDLC)
Planning -> Analysis -> Design -> Implementation -> Maintenance -> back to Planning
Consider security and risk mitigation in any SDLC process
Threat and risk assessment of the proposed system
Identification and Implementation of Controls
Vulnerability testing and review
Testing phases
Ensure the tested units function as they should
Ensure the tested units operate without any errors
Review phases
Code review processes varying from informal processes to formal walk-throughs
Team review or code inspections
OWASP TOP 10 Application Security Risk 2018
Injection
Weak authentication and session management
XSS
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross Site Request Forgery
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
Benefits of using Agile and DevOps approaches
Flexible and rapid software development
Break huge projects into small pieces that are easy to debug and change
Additional Threats
Covert Channel
Race Condition
Return Oriented Programming Attack
Steganography
Wireless Application Protocol (WAP)
Allows mobile devices to connect to the wireless internet
Displayed through a micro-browser
7. Data Security
Data Classification
Requirement
Availability
Ownership and Distribution
Privacy
Integrity
Data Retention
Auditability
Establish security control after data classification is assigned
Security measure should increase
Access and Authentication
Crucial to understand the sensitivity of the information the organization possesses
Classified based on sensitivity and the impact of unintended release or loss
Keep levels to a minimum
Define levels in policy
Reclassify information as needed
Database Control
Controls
Logging and other transactional monitoring
Encryption and integrity controls
Access control limiting or controlling type of data
Backups
Authentication and authorization access
Protect database individually with control
Database Vulnerabilities
Unauthorized activity by authorized users
Malware infections or interactions
Vulnerable to many risks
Capacity issues
Physical Damage
Design Flaws
Data Corruption
Database Security
Restrict information to a user
Secure protocols to communicate with database
Encryption of sensitive data
Restricting administrator-level access
Entity integrity
Validation of input
Backup of databases