Foundations of cybersecurity and managing security risks
Physical Social Engineering
An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location.
USB Baiting
An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and install to unknowingly infect a network.
Security Information and Event Management (SIEM)
An application that collects and analyzes log data to monitor critical activities in an organization.
Intrusion Detection System (IDS)
An application that monitors system activity and alerts on possible intrusions.
Security Governance
Practices that help support, define, and direct the security efforts of an organization.
Security Artifact
Residual traces left behind by the actions of attackers or malicious actors within a computer system or network.
Risk Mitigation
The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach.
Programming
The process that can be used to create a specific set of instructions for a computer to execute tasks such as automating repetitive tasks, reviewing web traffic, and alerting on suspicious activity.
Risk analysis dashboard
The risk analysis dashboard helps analysts identify risk for each risk object (e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.
Common elements of internal audits
- Establishing the scope and goals
- Conducting a risk assessment
- Completing a controls assessment
- Assessing compliance
- Communicating results
Common Log Sources
- Firewall logs
- Network logs
- Server logs
Social engineering tactics
- Impersonation of authority figures.
- Intimidation.
- Use of fake or assumed consensus and/or social proof, e.g. tricking someone by claiming they have been given access to the information the threat actor wants.
- Implying there is a scarcity that needs to be filled.
- Using familiarity through emotional connection to extract information.
- Using trust built over time.
- Persuasion through threats of urgency.
Security Audit Control Types
- Preventative: Controls which proactively reduce the likelihood of security incidents or breaches. Ex. firewalls, access controls, encryption, security awareness training.
- Corrective: Controls that are activated in response to a security incident or breach. Ex. response plans, system patching, data recovery.
- Detective: Controls that are designed to identify and alert organizations to security incidents or suspicious activities after they occur. Ex. intrusion detection, security monitoring, log analysis.
- Deterrent: Controls that discourage potential attackers from attempting to exploit vulnerabilities. Ex. security cameras, warning signs, and access control measures.
The Five Functions of the NIST framework
1.) Identify - The management of cybersecurity risk and its effect on an organization's people and assets.
2.) Protect - The strategy used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats.
3.) Detect - Identify potential security incidents and improve monitoring capabilities to increase the speed and efficiency of detections.
4.) Respond - Making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to security processes.
5.) Recover - The process of returning affected systems back to normal operation.
The Four Core Components of Security Frameworks
1.) Identifying and documenting security goals.
2.) Setting guidelines to achieve security goals.
3.) Implementing strong security processes.
4.) Monitoring and communicating results.
Open Worldwide Application Security Project (OWASP)
1.) Minimize attack surface area
2.) Principle of least privilege
3.) Defense in depth
4.) Separation of duties
5.) Keep security simple
6.) Fix security issues correctly
Incident Response Playbook Phases
1.) Preparation - Preemptively mitigating potential impacts by documenting, establishing staff plans, and educating users.
2.) Detection and Analysis - Detect and analyze events by implementing defined processes and appropriate technology.
3.) Containment - Prevent further damage and reduce the immediate impact of incidents.
4.) Eradication and Recovery - Remove artifacts of the incident so the organization can return to normal operations.
5.) Post-Incident Activity - Document the incident, inform organizational leadership, and apply lessons learned.
6.) Coordination - Report incidents and share information throughout the response process, based on established standards.
Risk Management Framework (RMF)
1.) Prepare - Activities that are necessary to manage security and privacy risks before a breach occurs.
2.) Categorize - Used to develop risk management processes and tasks.
3.) Select - Choose, customize, and capture documentation of the controls that protect an organization.
4.) Implement - Implement security and privacy plans for the organization.
5.) Assess - Determine if established controls are implemented correctly.
6.) Authorize - Being accountable for the security and privacy risks that may exist in an organization.
7.) Monitor - Be aware of how systems are operating.
The 8 Domains of CISSP
1.) Security and Risk Management.
2.) Asset Security.
3.) Security Architecture and Engineering.
4.) Communications and Network Security.
5.) Identity and Access Management.
6.) Security Assessment and Testing.
7.) Security Operations.
8.) Software Development Security.
Chronicle
A cloud-native SIEM tool from Google that retains, analyzes, and searches log data to identify security threats, risks, and vulnerabilities.
Security Orchestration, Automation, and Response (SOAR)
A collection of apps, tools, and workflows that uses automation to respond to security events.
Internal Threat
A current or former employee, an external vendor, or a trusted partner who poses a security risk. At times, an internal threat is accidental. Other times it can be intentional.
Whaling
A form of spear phishing. Threat actors target company executives to gain access to sensitive data.
Malware
A malicious attack during which threat actors encrypt an organization's data and demand payment to restore access. This can cause damage to software, services, and systems.
Ransomware
A malicious attack where threat actors encrypt an organization's data and demand payment to restore access.
Spear Phishing
A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source.
Social Engineering
A manipulation technique that exploits human error to gain private information, access, or valuables.
Playbook
A manual that provides details about any operational action.
Hacker
A person who uses computers to gain unauthorized access to data.
Programming
A process that can be used to create a specific set of instructions for a computer to execute tasks.
Network logs
A record of all computers and devices that enter and leave the network. It also records connections between devices and services on the network.
Firewall logs
A record of attempted or established connections for incoming traffic from the internet. It also includes outbound requests to the internet from within the network.
Server log
A record of events related to services, such as websites, emails, or file shares. It includes actions such as login, password, and username requests.
Log
A record of events that occur within an organization's systems.
Security Audit
A review of an organization's security controls, policies, and procedures against a set of expectations.
Order of Volatility
A sequence outlining the order of data that must be preserved from first to last.
Antivirus Software
A software program used to prevent, detect, and eliminate malware and viruses.
Data Point
A specific piece of information.
Business Email Compromise (BEC)
A threat actor sends an email message that seems to be from a known source to make seemingly legitimate requests for information, in order to obtain a financial advantage.
Network Protocol Analyzer (Packet Sniffer)
A tool designed to capture and analyze data traffic within a network.
Social Media Phishing
A type of attack where a threat actor collects detailed information about their target on social media sites before initiating the attack.
Security Architecture
A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats.
NIST SP 800-53
A unified framework for protecting the security of information systems within the federal government.
NIST Cybersecurity Framework (CSF)
A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
Vulnerability
A weakness that can be exploited by a threat.
Watering Hole Attack
An attack in which threat actors compromise a website frequently visited by a specific group of users.
Supply-chain Attack
An attack that targets systems, applications, hardware, and/or software to locate a vulnerability in a system of integrated software where malware can be deployed. This can be within one complicated multi-level organization, or across multiple organizations working together.
Asset
An item perceived as having value to an organization.
Security Posture
An organization's ability to manage its defense of critical assets and data and react to change. A strong security posture leads to lower risk for the organization.
Incident Response
An organization's quick attempt to identify an attack, contain the damage, and correct the effects of a security breach.
Threat
Any circumstance or event that can negatively impact assets.
Personally Identifiable Information (PII)
Any information used to infer an individual's identity.
Advanced Persistent Threats (APTs)
Any sophisticated series of related attacks taking place over an extended period of time.
Risk
Anything that can impact the confidentiality, integrity, or availability of an asset.
CISSP
Certified Information Systems Security Professional
CSIRT
Computer Security Incident Response Team.
Security Operations
Conducting investigations and implementing preventative measures.
Security Assessment and Testing
Conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities.
CIA Triad
Confidentiality, Integrity, Availability. A foundational model that helps inform how organizations consider risk when setting up systems and security policies.
Availability
Data is accessible to those who are authorized to access it.
Integrity
Data is correct, authentic, and reliable.
Security and Risk Management
Defines security goals and objectives, risk mitigation, compliance, business continuity, and the law.
Chronicle dashboards
- Enterprise insight - Highlights recent alerts and identifies suspicious domain names in logs, known as indicators of compromise (IOCs).
- Data ingestion and health - Shows the number of event logs, log sources, and success rates of data being processed.
- IOC matches - Indicates the top threats, risks, and vulnerabilities to the organization.
- Main - Displays a high-level summary of information related to the organization's data ingestion, alerting, and event activity over time.
- Rule detection - Provides statistics related to incidents with the highest occurrence, severity, and detections over time.
- User sign in - Provides information about user access behavior across the organization.
GDPR
General Data Protection Regulation
Security Frameworks
Guidelines used for building plans to help mitigate risk and threats to data and privacy.
High-Risk Asset
Information protected by regulations or laws, which if compromised would have a severe negative impact on an organization's finances, ongoing operations, or reputation.
Low-Risk Asset
Information that would not harm the organization's reputation or ongoing operations, and would not cause financial damage if compromised.
Medium-Risk Asset
Information that's not available to the public and may cause some damage to the organization's finances, reputation, or ongoing operations.
Threat Actor
A person or group who presents a security risk. This risk can relate to computers, applications, networks, and data.
Identity and Access Management
Keeps data secure by ensuring users follow established policies to control and manage physical assets, like office spaces, and logical assets, such as networks and applications.
Metrics
Key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application.
Computer Virus (Malware)
Malicious code written to interfere with computer operations. Causes damage to data and software.
Spyware
Malware installed without permission that's used to spy on, or gather and sell, information without consent. It can be used to access devices, allowing threat actors to collect data such as private emails, texts, voice and image recordings, and locations.
Worms
Malware that can duplicate and spread itself across systems on its own. Unlike a virus, it does not need to be downloaded by a user. It self-replicates and spreads from an already infected computer to other devices on the same network.
Communication and Network Security
Managing and securing physical networks and wireless communications.
Confidentiality
Only authorized users can access specific assets or data.
Security Architecture and Engineering
Optimizes data security by ensuring effective tools, systems, and processes are in place.
Security Controls
Safeguards designed to reduce specific security risks.
Security controls
Safeguards designed to reduce specific security risks. They are used with security frameworks to establish a strong security posture.
Asset Security
Secures digital and physical assets. It's also related to the storage, maintenance, retention, and destruction of data.
Executive Summary Dashboard
The executive summary dashboard analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time.
Vishing
The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.
Incident Review Dashboard
The incident review dashboard allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident.
Operating System (OS)
The interface between computer hardware and the user.
Cybersecurity
The practice of ensuring confidentiality, integrity, and availability of information by protecting networks, devices, people, and data from unauthorized access or criminal exploitation.
Network Security
The practice of keeping an organization's network infrastructure secure from unauthorized access. This includes data, services, systems, and devices that are stored in an organization's network.
Compliance
The process of adhering to internal standards and external regulations. This enables organizations to avoid fines and security breaches.
Compliance
The process of adhering to internal standards and regulations.
Cloud Security
The process of ensuring that assets stored in the cloud are properly configured, or set up correctly, and access to those assets is limited to authorized users. The cloud is a network made up of a collection of servers or computers that store resources and data in remote physical locations known as data centers that can be accessed via the internet. Cloud security is a growing subfield of cybersecurity that focuses on the protection of data, applications, and infrastructure in the cloud.
Security Posture Dashboard
The security posture dashboard is designed for security operations centers (SOCs). It displays the last 24 hours of an organization's notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address.
Phishing
The use of digital communications to trick people into revealing sensitive data or deploying malicious software.
Smishing
The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.
Hacktivist
Threat actors that are driven by a political agenda.
Software Development Security
Uses secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services.