Please enable JavaScript.

Coggle requires JavaScript to display documents.

ISC2, Acronyms - Coggle Diagram

- - - - Controls and Risk
        Manage risk through controls
    - - Types of Control:
        Administrative
        Physical
        Logical
        
        Defense in Depth
        A single control type may not afford sufficient protection (layer controls)
        Layering controls means that if one control is compromised, another may be in place to provide protection
        Training as a control
        
        Least Privilege
        Ensuring that users and processes have the lowest level of authority needed to accomplish their function
        Simple conceptually (in practice this is difficult)
        
        Need to Know:
        Linked to the concept of least privilege
        Classification levels: Top secret, Secret, Restricted, Public
        Related to knowledge
        All or some
        (Apply this to assets)
        
        User Life Cycle Management
        Provisioning accounts
        Cloning accounts (people will have permissions over time) - SOULD have a template account for a particular role
        Pressure to get new users started (mistakes can happen)
        What do we provision accounts for?
        -Not just users
        -Devices
        Identity proofing (may be diff for web app then to a MoD system)
        
        De-provisioning accounts (context of how people leave - diff scenarios have varying risk)
        Voluntary termination
        How many accounts does a user have
        -SSO (broad range of services, but some apps may have a low visibility, these need tracking and mgmt)
        -Cloud services
        Payroll
        Deal with changes (promotions) this can lead to Privilege Keep
        What about wifi / door passes?
        
        (how often do we check PAM - min review is annual) PAM:
        User accounts
        Service accounts
        System accounts
        Admin accounts
        -root
        -Ent admin
        -DC admin
        -Backup admin
        Differentiating identification and authentication
        
        The passwords for some Privilaged accounts may be known by many people. Also consider MFA
        Consider changing their name
        
        Segregation of Duties (SoD)
        Requester
        Approver
        Approved
        
        Separate a process so that it requires multiple parties to complete it. Its harder for a hacker to gain access (bad actor, consider employee)
        
        Dual Controls
        Related SoD
        Two or more people required to initiate a process
        Process is less likely to be broken
        
        Identification., Authentication and Authorization:
        Identification
        Authentication
        -SFA
        -MFA
        Authorization
        Auditing
        The 4 areas provide accountability
        
        Identity proofing (check who it is)
        
        MFA - level of risk / assurance
        
        Authorize each use of the account and audit it
        example browser file system, where you have access to only some files
  - - - Policies
        C-level sign-off
        The 'what' and 'why'
        examples - security policy / acceptable use policy
        
        Procedures
        Typically created at a business unit level
        The 'how' we complete a task or function
        
        example a backup procedure
        This tells us how we complete this function in detail
        
        Procedure do not contain organizational jargon, but can take subject matter jargon (low level)
        An SME should be able to understand the procedure within a particular domain
        
        Other Examples
        AUP (acceptable use policies)
        NDA
        Employment contract
        Job description
        Standards - encryption stds
        Guidelines - recommendations
        
        Can arrive via regulation / compliance
  - - - DC located in a high crime area
        increase technical controls as well as physical controls (encrypt disks)
      - Some areas are sensitive, example data/research. You can zone off diff areas of the business
        Linked physical security to risk management
      - Env Design
        CPTED (crime prevention through env design)
        Risk of location drives control selection
        Perimeter fencing
        Open green space
        Physical barriers
        Defensive planting
        
        Shape physical env to support security
        example - concreate monuments act as a barrier to stop vehicle access, plants to add protection, plants with thorns make it difficult for a intruder to stand near by - these are simple ideas but increase security, open green space, makes it harder for an intruder to hide
        
        Control Selection
      - Biometrics
        Throughput, Accuracy, Invasiveness, Alternative approaches
        
        What is our level of RISK
        
        Consider finger print scanner that has 100% accuracy, but people with damaged finger prints
      - Security
        Detect, Deter, Prevent, Correct
        -Guard dogs
        -Security screening
        -Personnel screening
        
        CCTV, analog vs digital
        low light and infrared
        Field of vision Retention and media
        
        Alarm Systems
        Passive infrared
        Balanced magnetic switches
        Auditory sensing
        Monitoring and alerts
  - - - Logical or technical controls
        Hardware, software and cloud
        Security models
      - DAC
        The owner of the asset determines who has access
        The asset owner directly controls access
        Shared drives - orphaned files, password protection
        Consistency of use
      - MAC
        The asset owner still determines access
        Operationally this is managed through a central function
        Typically used in high-security environments
        Adds latency to changes
        More consistent outcomes by default
      - RBAC
        Your role determines what you can access
        Works well where there are multiple individuals in a single role
        In theory creates a highly compliant access control model
        Exception management
        Blended approaches
      - Common use-cases RBAC and DAC
      - ACL
        Allow list
        Deny lists
        Implicit deny
        Firewall/Routers
        Web-filtering
        Monitoring
- - - - (NIST def) Incident:
        An occurrence that actually or potentially jeopardizes the confidentiality or availability or information or an information system
        
        If we have not planned then a high price is paid
      - Response:
        Implies the adverse event has already occurred.
        The opportunity to plan has passed!
      - Zero Day:
        Not yet recognized
        (we have sigs to categorize xxx)
      - Vulnerability:
        Weakness in a system that can be exploited by a threat
      - Breach:
        Broad term used to describe cyber-security comprises. We mainly see information breaches in the media (confidentially breaches)
      - Threat Actor:
        Someone trying to cause disruption, theaft, destruction
      - Incident Response People
        
        CIRT
        Computer Incident Response Team
        The team formed to respond to incident
        
        Composition:
        Senior Manager
        Incident Manager
        Technical Lead
        Security Team
        Communication/PR
        Legal/HR
      - IR Lifecycle
        NIST SP800-161
        
        When the incident occurs:
        Preparation (this happens before the incident), Detection & Analysis, Containment, Eradication & Recovery, Post-incident activity
        
        SP800-161: preparation>Detection & Analysis>Containment Eradication & Recovery>Post-Incident Activity
      - IR Communications
        
        Single voice(internal/external)
        Stakeholders: Customers, Supply chain/logistics, Shareholders, Regulators
        Regular - even if there is nothing new
      - IR Plan
        
        Who is involved
        Relevant equipment, policies and procedures
        Links to BC/DR capabilities and plans
        When to invoke and escalate
        
        Threshold to invoke IR Plan?
        This brings the team together
        (based on a judgement - when to invoke and escalate)
  - - - NIST SP800-34
        sustaining business operations while recovering from a significant disruption
        What elements of business operations do we need, or want to continue? What can be paused?
        One for senior managemenet
        
        Preventive controls
        multiple feeds can be used
        
        BC can mature (evolve)
    - - Lessons learned - test flexible / home working
- - - - Network Models
        7 Layers
        
        Networking is a way to exchange data between two or more systems
        Binary (base 2 no. system)
        Methods of transmission: Electrical impulse, Radio wave, Light/photons
        LAN/WAN
        
        open systems interconnect OSI model (most referenced model)
        TCP/IP model - 4 layers (groups top4 layers within OSI model)
        
        OSI layers
        
        Physical - hardware: cabling, hubs/repeaters
        Traffic - bits encoded as some form of signal
        Hardware limitations - attenuation, network design
        
        Data Link
        Hardware - Switches, bridges (can read addresses)
        Addresses - Burned in address, MAC address - 48 bits
        Traffic - Frames
        Filtering
        Spoofing
        
        IP Addresses
        A 32 bit address, pub+priv IPv6 128 bit address
        (at layer 3 we have routers, routers route traffic across a network, the layer 3 traffic is a packet, L3 also has a firewall)
        
        Transport
        Hardware - routers, firewalls
        Addresses - ports (represent individual services, one IP can use different ports)
        Traffic - segments
        Protocols - TCP+UDP (TCP is connection orientated, it negotiates a handshake and traffic is numbered, therefore missing traffic can be identified examples segments, UDP is connectionless and therefore un-reliable, it has no negotiates or hand shake, TCP has more overhead, UDP cannot identify missing segments but it is faster)
        
        Session (L5 traffic needs to be secured at another layer)
        Protocols - Session Initiation Protocol (SIP)
        Password Auth Protocol (PIP)
        RPC
        
        Presentation
        getting data into the correct format, encryption happens here (IPSsec happens at L3)
        
        The way teh application accesses the network
        NOT the app itself (WAF - focuses on app level traffic)
        
        Well known ports
        risky ports
        telnet 23, FTP 20+21, http 80
        safer alternatives
        ssh 22, ftps+sftp 990/22, https 443
        
        Network Models - Encapsulation
        Application
        Presentation
        Session payload data
        Segment (header)
        Packet (header)
        Frame (header)
        Physical (0/1)
        all people seem to need delicious pizza
      - Host IDS
        Detected rather then prevents
        Localized to single node
        Can be deployed to all devices
        Protects when not on network
      - Antivirus (endpoint protection)
        Pattern/Signature based detection
        Geo-political issues - suspicious file information is sent to AV company (what if the AV company resides in an un-friendly state)
    - - Spoofing
        Impersonating another user or device
        -MAC (L2)
        -IP address (L3)
        Session (L4)
        HTTP and cookies
        A platform for - man-in-the-middle attacks, session hijacking, attacks span CIA
        
        Phishing
        Password re-use, fake portals, token misuse, role of email, role of user
        
        OSI (open-source intelligence)
        build knowledge about a person
      - DOS - Denial of Service Attacks
        Overload a capacity from a single attack source - blocking individual attackers
        DDOS - Distributed Denial of Service - Bots and Botnets, much more complex to block, content distribution networks (CDN)
        Effective?
        
        CDN - stage multiple copies of our content in different places
        The distributed bots are distributed to different points (breaks attack up)
      - Virus
        Malicious software
        Seeks to infect a host and spread, requires user interaction to operate, attack vectors
        Anti-virus products, users and training
        
        Worm
        Malicious software
        Once running on one system can infect other systems without user interaction
        Typically relies on a weakness in network stacks
        Attack vectors
        Anti-virus products, users and training
        
        Trojans
        Once running on a victims device, establishes future remote access for the attacker
        Pervasive attacks may span many devices
        Living off the land using in-built capabilities of the target system
        
        On-Path Attack
        Intercepting a line of communication
        Man-in-the-middle attackers (MITM)
        Which elements of the CIA could be comprised
        Hubs vs Switches
        Evil twin attack (clone wireless)
        
        Side-Channel Attack
        An incident attack - exploiting a weakness, measuring some aspect of the system
      - Identifying Threats
        Broad approaches - pattern based, protocol anomaly, heuristic / learning
        Intelligence - national, international
        Threat intelligence services
        Risk management
      - Network IDS
        Detects rather then prevents
        Placement - high-risk zones, high-security zones, between security zones
      - IDS - Intrusion Detection Systems
        NIPS - Network Intrusion Prevention System
        HIPS - Host Intrusion Prevention Systems
        SIEM - Security Information and Event Management
        
        SIEM systems looks for patterns of log events. example someone creating a privileged account
        Spotting failed login events (compromised account)
      - Honeypot
        Act as a trip wire
        (detective control)
        3rd party honey pot can be downloaded
      - VS scanner scan for known vulnerabilities
        Can be used as part of compliance and regulation
      - Preventing Threats
        Patching (patch vulnerabilities)
        Change Management
        Interdependent systems
      - Firewalls
        Perimeter devices
        basic f/w operate at L3 and L4
        ACL - IP addresses and Ports/or services
        Deny by default
        
        Traffic inspection
        Advanced firewalls (next gen)
        L7, zone demarcation
    - - On-premise systems
        Cloud bases systems
        Other network security controls
        
        Data Center
        Server and devices, blade servers
        Core network devices
        High availability
        Security
        Access control
        Monitoring
        Critical components
        
        Network closets/cabinets
        size varies widely
        Security and access control
        Maintenance
        Utilities and IP convergence
        Monitoring
        
        Fire Suppression
        Gas and aerosol based systems (not water based)
        DCs require active maintenance
        
        Cloud Services
        Processing somewhere else
        Considerations:
        Bandwidth
        Latency
        Cost
        Interconnectivity with other providers
        Compliance and governance
        
        Characteristics of cloud services:
        on-demand self-service
        broad network access
        resource pooling
        rapid elasticity
        measured service
        
        SaaS
        consuming an application
        Patching, maintenance, updates are done for us
        Data silos
        Include webmail and online conferencing services
        
        PaaS
        3rd party delivers hardware and software
        More control, but more responsibility:
        patching, updates, configuration
        
        IaaS
        This model offers the most control
        requires the most work by the customer
        configuring and maintaining the OS upwards
        visibility
        
        BaaS - backend as a services
        IDaaS - identity as a services
        XaaS - anything as a service
        
        Network Segmentation
        Internet (most un-trusted)
        DMZ (may see web servers)
        Client Network (most of our operations take place)
        Data Centre
        We segment between each zone, example a F/W which filters
        
        Break network into different security zones
        
        Virtual Local Area Networks (VLAN)
        Segmenting networks at L2
        A single cable can carry traffic for many different virtual networks
        switches forward frames only to ports with the same VLAN label
        VLAN can only communicate via L3 device, a router
        
        VPN
        Connecting to network over an untrusted medium
        Tunneling
        Key exchange
        Connecting devices
        Connecting remote networks or sites
        
        Low-visibility devices
        IoT
        Consumer devices
        Microsoft-segmentation
        music systems, smart systems (IoT)
        
        Defense in depth
        
        Zero Trust
        Never trust always verify
        In network contexts we micro-segment
        Exec order on improving cybersecurity 2021 - advance towards zero trust architectures
        
        Network Access Control (NAC)
        Network Access: unused ports, used ports
        wireless and physical boundaries, patches, AV, and other updates, update services only access, internet only access
    - - There are 48 bits in the hardware or MAC addressed. The 48 bits consist of a 24-bit provider and 24-bit device identifier
      - Unicast means 1 device s sending to another
        A hub noisy (forwards to all ports)
        A switch improves performance and security a network by sending unicast frames only to the designed node
        
        Packets are L3, switch operates at L2
      - IoT devices do not support encryption