Section 1: Risk Management (CIA of security, Threat actors, What is risk?, Managing Risk)
What is the CIA triad? What does CIA stand for?
The three elements of an information system that each organization is trying to protect. CIA stands for Confidentiality, Integrity, and Availability. The CIA triad is defined as the GOAL of security.
Risk Transference
Basically means that you offload some of the likelihood, risk and impact onto a third party. For example: instead of monitoring and controlling our own web server, I use a cloud-based web server service. That way I don't have to deal with the power supplies going out or bad internet connections, because the provider will take care of that for me.
Risk Acceptance
Basically, you reach a point where the likelihood and the impact of the risk are less than the cost of actually trying to mitigate that particular risk. For example, I accept the risk that a meteor can fall out of the sky and knock out all my servers, because it's not worth the cost for that amount of protection.
What is a hacktivist?
A cyber criminal pursuing political, religious, or ideological goals
What elements should you add to the CIA triad?
Auditing, Accountability, and Non-Repudiation
What is the SP 800-30?
The Special Publication (SP) 800-30 provides guidance for conducting risk assessments of federal information systems and organizations. This document lists lots of threats and vulnerabilities that the typical security person might be exposed to. Use this document as part of a risk assessment. Everyone uses SP 800-30 as a starting place to provide good risk management for their infrastructures.
What is non-repudiation?
The assurance that someone cannot deny something. Typically, non-repudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
What to remember about risk?
Threats applied to vulnerabilities equals risk.
What is a competitor?
Usually trying to find ways to bring down your systems. Maybe they're looking for some insider information through espionage, or maybe they're just trying to make you look bad so that all of the customers will come over to their side. They usually have a high level of sophistication because they do have some significant funding, and they know that there is a competitive advantage to bringing you down so that the customers all come over to their side. Competitors are not as common as before, but they can still be a big problem.
What is organized crime when it comes to security?
Very smart groups of people who are working together in order to, more than anything else, make money. They can do this in many ways. This is a big issue in security today.
What is risk in security?
When talking about risk, it's the potential to harm organizations, people, IT equipment, etc.
Framework
It's a methodology, an idea of a process that helps you as a security professional deal with risk management.
What is a threat agent?
A person or element that has the power to carry out a threat. Often a human being, but it can also be, for example, a hurricane that knocks out lots of offices.
Nessus
A program that you run within your local area network; it goes out and checks everything for you and generates a document that provides a lot of detail about the vulnerabilities it finds.
Risk assessment
A security risk assessment identifies, assesses, and implements key security controls in applications. It also focuses on preventing application security defects and vulnerabilities. Carrying out a risk assessment allows an organization to view the application portfolio holistically—from an attacker's perspective. It supports managers in making informed resource allocation, tooling, and security control implementation decisions. Thus, conducting an assessment is an integral part of an organization's risk management process.
Penetration Testing
A test by an outsider who actually exploits any weaknesses in systems that are vulnerable. When the outsider finds the vulnerabilities, they report them to the organization. Pen testing is the best way to determine what your network's vulnerabilities actually are.
What is a threat?
A threat is a negative event that exploits a vulnerability. Threats exploit vulnerabilities to harm assets. Example: someone goes into the open server room that wasn't locked and steals a server; that is a threat.
What is an insider?
Any person (employee, contractor, subcontractor) who can access assets. Can be someone inside the infrastructure who is not an employee, for example the cleaning people or a vendor working within the infrastructure. Anyone with access to information (username and password) should be treated as an insider.
What are assets?
Assets provide benefits to the organization. They are any part of our infrastructure that we are worried about getting harmed. People can be assets. Doors locked to server rooms can also be an asset. Assets can have vulnerabilities.
What is availability in the CIA triad?
Availability indicates that data and services are available when needed. For some organizations, this simply means that the data and services must be available between 8:00 a.m. and 5:00 p.m., Monday through Friday.
What is Open-source Intelligence (OSINT)?
Data collected from publicly available sources to be used in an intelligence context. Provides ample information to intrigue a threat actor.
Environmental threat
It can be fires, earthquakes, air conditioners going out, and all of those things that could potentially cause problems.
ISACA
Good source to turn to. Can find this document on the internet. Helps with security management.
NIST(Risk Management Framework) SP 800-37
Good source to turn to. Can find this document on the internet. Helps with security management.
What is impact?
Impact is the harm caused by a threat. In order to have that impact you have a threat that has actually hit you in some way.
What are the attributes of all threat actors?
Internal/External, Level of Sophistication, Intent, Open-source Intelligence (OSINT)
What is internal/external as an attribute to threat actors?
Internal: people inside your infrastructure, within your organization; not always an employee. External: somebody in a far-off country or otherwise outside the organization.
Structural Threat
Like when the power supply on your router dies, or you're having problems with a monitor, or a camera goes out. These are things that break, so equipment failure is the best place to look, although it could include software that fails too.
What is "Level of sophistication" as an attribute to threat actors?
The level of threat you encounter. The more sophisticated the evil, the more resources and money are probably being used.
Threat Assessment
Defining the threats that are applicable to your particular infrastructure.
What is Likelihood?
Likelihood defines the level of certainty that something is going to happen. In the security world we tend to think about it on an annualized basis. Example: a particular threat will be questioned as "in the course of a year, what is the likelihood of that happening?"
What is a Nation-state?
Probably the biggest single threat these days. It's where an entire country makes it its job to have tremendous sophistication in order to get, more often than not, intelligence.
What is confidentiality?
Protecting information against someone who doesn't have the need or right to access the data. In other words, protecting against unauthorized access.
Risk Avoidance
Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization's assets. Risk avoidance seeks to avoid compromising events entirely.
What are the types of Threat Actors?
Script Kiddies, Hacktivists, Organized Crime, Nation states/advanced persistent threat (APT)
What is an Advanced Persistent Threat (APT)?
Some sort of threat where they get into a system and they stay there. Their goal is to be persistent. Example: they want to tap into a cable and get naval intelligence, or they want to connect into a wireless network and get State Department information. APT is a big issue that comes into play with nation-states.
What is risk management?
The identification, assessment, and prioritization of risk.
What is intent when thinking of threat actors?
The motivation behind the threat actor's actions. Ask yourself: What is their intention? What are they going for? What's their goal?
Risk Response
The procedures that are implemented if an identified risk occurs.
What are threat actors?
These are the people and organizations that actually carry out the attacks against your network.
Accidental threats
These are threats like when a user accidentally types something weird into a form and it causes your database to corrupt, or when an administrator inadvertently reformats a hard drive with a lot of data on it.
Adversarial threat
This would be a hacker or malware, where somebody is intentionally doing bad things to your particular infrastructure.
What is a script kiddie?
Unskilled users whose goal is to break into computers to create damage. Users with a trivial amount of attack knowledge. In most cases script kiddies are the types of people who are easily blocked, and good firewalling and good basic system controls will always keep these people from carrying out any attack.
Vulnerability Assessment
A vulnerability assessment provides deep insight into security deficiencies in an environment and helps to evaluate a system's vulnerability to a specific threat as well as evolving ones. Simply put, an organization can fully understand the security flaws, the overall risk, and the assets that are vulnerable to cyber security breaches.
What is vulnerability?
A vulnerability is a flaw or weakness that allows a threat agent to bypass security. Example: a SOHO router with a default username and password that was never changed, so anybody can get into it. Another example of a vulnerability is leaving a door open or unlocked to a server room where anyone can get in and do bad things.
How can you look at impact quantitatively?
We can measure impact quantitatively by measuring cost, labor and time. For example, someone knocks out a router and now it doesn't work. No one in the office can get on the internet and it's a big problem. You can measure the cost of getting a new router, you can measure the cost of labor, and you can measure the amount of time it'll take to get the problem fixed.
Mitigation
Whatever we can do to reduce the likelihood or the impact of that particular risk. Meaning we are going to do something about it, like applying security controls, to reduce the likelihood and the impact of the risk.
What is integrity?
When we send information from one point to another, that information is not changed anywhere in between, and everything that we have received is received and stored exactly the way it was intended when it was sent.
What is auditing and accountability in the security world?
When you keep track of things that go on. For example: Who's logging in? Where are they logging in? Who has accessed this data? When did somebody get in the gate? Who's made changes to something?