C727 Studying

Microsoft Threat Categorization Scheme - STRIDE

- Spoofing - An attack with the goal of gaining access to a target system through the use of a falsified identity. When an attacker spoofs their identity as a valid or authorized entity, they are often able to bypass filters and blockades against unauthorized access. - Tampering - Any action resulting in unauthorized changes or manipulation of data, whether in transit or in storage. - Repudiation - The ability of a user or attacker to deny having performed an action or activity by maintaining plausible deniability. Repudiation attacks can also result in innocent third parties being blamed for security violations. - Information disclosure - The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities. - Denial of service (DoS) - An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading, or traffic flooding. - Elevation of privilege - An attack where a limited user account is transformed into an account with greater privileges, powers, and access.

Degaussing

A degausser creates a strong magnetic field that erases data on some media.

Security Procedures or Standard Operating Procedure (SOP)

A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. It ensures the integrity of business processes through standardization and consistency of results.

Security policy

A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.

DRM License

A license grants access to a product and defines the terms of use. Typically a small file that includes the terms of use, along with a decryption key that unlocks access to the prodcut.

Strategic Plan

A long-term plan that is fairly stable. It defines the organization's security purpose. It defines the security function and aligns it to the goals, mission and objectives of the organization. Long-term goals and visions for the future are discussed in a strategic plan, and it should include a risk assessment.

Tactical Plan

A midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan, or can be crafter ad hoc based on unpredicted events. It often prescribes and schedules the tasks necessary to accomplish organizational goals.

Purging

A more intense form of clearing that prepares media for reuse in less secure environments. It provides a level of assurance that the original data is not recoverable using any known methods.

Scoping

A part of the tailoring process and refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT systems you're trying to protect.

Object

A passive entity that provides information to active subjects. Examples of objects are files, databases, computers, programs, processes, services, printers, and storage media.

Clearing, or overwriting

A process of preparing media for reuse and ensuring that the cleared data cannot be recovered using traditional recovery tools.

Security Control Baselines

A set of minimum security controls defined for an information system.

Process for Attack Simulation and Threat Analysis (PASTA)

A seven-stage threat modeling methodology. PASTA is a risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected. The following are the seven steps of PASTA: - Stage I: Definition of the Objectives (DO) for the Analysis of Risks - Stage II: Definition of the Technical Scope (DTS) - Stage III: Application Decomposition and Analysis (ADA) - Stage IV: Threat Analysis (TA) - Stage V: Weakness and Vulnerability Analysis (WVA) - Stage VI: Attack Modeling & Simulation (AMS) - Stage VII: Risk Analysis & Management (RAM)

Operational Plan

A short-term, highly detailed plan based on the strategic and tactical plans. It spells out how to accomplish the various goals of the organization. They include resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step or implementation procedures. They include details on how the implementation processes are in compliance with the organization's security policy.

Clouse Access Security Broker (CASB)

A software placed logically between users and cloud-based resources. It can be on-premises or within the cloud. Anyone who accesses the cloud goes through the CASB software. It monitors all activity and enforces administrator-defined security policies.

Visual, Agile, and Simple Threat (VAST)

A threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis.

Concepts, conditions, and aspects of integrity include:

Accuracy - Being correct and precise Truthfulness - Being a true reflection of reality Validity - Being factually or logically sound Accountability - Being responsible or obligated for actions and results Responsibility - Being in charge or having control over something or someone Completeness - Having all necessary components or parts Comprehensiveness - Being complete in scope; the full inclusion of all needed elements

Imaging

Administrators configure a single system with desired settings, capture it as an image, and then deploy the image to other systems. This ensures that systems are deployed in a similar secure state, which helps to protect the privacy of data.

Data in Use

Also known as data being processes, refers to data in memory or temporary storage buffers while an application is using it. Applications often decrypt encrypted data before placing it in memory. This allows the application to work on it, but it's important to flush these buffers when the data is no longer needed. In some cases, it's possible for an application to work on encrypted data using homomorphic encryption. This limits the risk because memory doesn't hold unencrypted data.

Subject

Any entity that accesses an object such as a file or folder. They can be users, programs, processes, services, computers, or anything else that can access a resource.

User

Any person who accesses data via a computing system to accomplish work tasks. They should have access only to the data they need to perform their work tasks.

Data Processor

Any system used to process data. In GDPR, a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.

High-Impact Baseline

Controls in this baseline are recommended if a loss of confidentiality, integrity, or availability will have a high impact on the organization's mission.

Low-Impact Baseline

Controls in this baseline are recommended if a loss of confidentiality, integrity, or availability will have a low impact on the organization's mission.

Moderate-Impact Baseline

Controls in this baseline are recommended if a loss of confidentiality, integrity, or availability will have a moderate impact on the organization's mission.

Categories of Laws

Criminal Law Civil Law Administrative Law

Types of Protection Mechanisms

Defense in depth - Also known as layering, is the use of multiple controls in a series. Abstraction - Simplifies security by enabling you to assign security controls to a group of objects collected by type or function. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. Data hiding - Preventing data from being discover or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. Encryption - The science of hiding the meaning or intent of a communication from unintended recipients.

Security Baseline

Defines a minimum level of security that every system throughout the organization must meet. It is a more operationally focused form of a standard. All systems not complying with the baseline should be taken out of production until they can be brought up to the baseline. The baseline establishes a common foundational secure state on which all additional and more stringent security measures can be built. Baselines are usually system specific and often refer to an industry or government standard.

Security Standards

Defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls. They provide a course of action by which technology and procedures are uniformly implemented throughout an organization.

Marking, or Labeling

Ensures that users can easily identify the classification level of any data. The most important information that a mark or a label provides is the classification of the data.

Due Diligence

Establishing a plan, policy, and process to protect the interests of an organization.

AAA services include:

Identification - Identification is claiming to be an identity when attempting to access a secured area or system. Authentication - Authentication is proving that you are that claimed identity. Authorization - Authorization is defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity or subject. Auditing - Auditing is recording a log of the events and activities related to the system and subjects. Accounting - Accounting (aka accountability) is reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions, especially violations of organizational security policy.

Data Classification

Identifies the value of the data to the organization and is critical to protect data confidentiality and integrity. The policy identifies classification labels used within the organization. It also identifies how data owners can determine the proper classification and how personnel should protect data based on its classification.

Focused on Software

If an organization develops software, it can consider potential threats against the software.

Data Subject

In GDPR, a person who can be identified through an identifier, such as a name, identification number, or other means

Declassification

Involves any process that purges media or a system in preparation for reuse in an unclassified environment.

Auditor

Is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate

Degausser

It generates a heavy magnetic field, which realigns the magnetic fields in magnetic media such as traditional hard drives, magnetic tape, and floppy disk drives. It will reliably rewrite these magnetic fields and remove data remanence. However, they are only effective on magnetic media.

Key provisions of the DGPR:

Lawfulness, fairness, and transparency - You must have a legal basis for processing personal information, you must not process data in a manner that is misleading or detrimental to data subject, and you must be open and honest about data processing activities. Purpose limitation - You must clearly document and disclose the purposes for which you collect data and limit your activity to disclosed purposes. Data minimization - You must ensure that the data you process is adequate for your stated purpose and limited to what you actually need for that purpose. Accuracy - The data you collect, create, or maintain is correct and not misleading, that you maintain updated records, and that you correct or erase inaccurate data. Storage limitations - You keep data only for as long as it is needed to fulfill a legitimate, disclosed purpose and that you comply with the "right to be forgotten" that allows people to require companies to delete their information if it is no longer needed. Security - You must have appropriate integrity and confidentiality controls in place to protect data. Accountability - You must take responsibility for actions you take with protected data and that you must be able to demonstrate your compliance.

Automatic Expiration

Many products are sold on a subscription basis. When the subscription period ends, an automatic expiration function blocks any further access.

Something You Know

Memorized secrets such as a password, personal identification number (PIN), or passphrase. Older documents refer to this as a Type 1 authentication factor.

Digital Rights Management (DRM)

Methods that attempt to provide copyright protection for copyrighted works. The purpose is to prevent the unauthorized use, modification, and distribution of copyrighted works such as intellectual property.

Security Guideline

Offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. They are flexible, so they can be customized for each unique system or condition and can be used in the creation of new procedures. They state which security mechanisms should be deployed instead of prescribing a specific product or control and detailing configuration settings. They outline methodologies, include suggested actions, and are not compulsory.

Erasing

Performing a delete operation against a file, a selection of files, or the entire media. In most cases, the deletion or removal process removes only the directory or catalog link to the data. The actual data remains on the drive. As new files are written to the media, the system eventually overwrites the erased data, but depending on the size of the drive, how much free space it has, and several other factors, the data may not be overwritten for months.

Something You Have

Physical devices that a user possesses and can help them provide authentication. Examples include a smartcard, hardware token, memory card, or Universal Serial Bus (USB) drive. Older documents refer to this as a Type 2 authentication factor.

Due Care

Practicing the individual activities that maintain the due diligence effort.

Control Objectives for Information and Related Technology (COBIT) key principles for governance and management of enterprise IT:

Provide Stakeholder Value Holistic Approach Dynamic Governance System Governance Distinct from Management Tailored to Enterprise Needs End-to-End Governance system

Proprietary Data

Refers to any data that helps an organization maintain a competitive edge.

Private

Refers to data that should stay private within the organization but that doesn't meet the definition of confidential or proprietary data.

Tailoring

Refers to modifying the list of security controls within a baseline to align with the organization's mission.

Pseudonymization

Refers to the process of using pseudonyms to represent other data. When performed effectively, it can result in less stringent requirements.

Persistent Online Authentication, or Always-On DRM

Requires a system to be connected with the internet to use a product. The system periodically connects with an authentication server, and if the connection or authentication fails, DRM blocks the use of the product.

Record Retention

Retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed.

Network-Based DLP

Scans all outgoing data looking for specific data. Administrators place it on the edge of the network to scan all data leaving the organization. If a user sends out a file containing restricted data, the DLP system will detect it and prevent it from leaving the organization. The DLP system will send an alert, such as an email to an administrator. Cloud-based DLP is a subset of network-based DLP.

Endpoint-Based DLP

Scans files stored on a system as well as files sent to external devices, such as printers. Administrators configure the DLP to scan the files with the appropriate keywords, and if it detects files with these keywords, it will block the copy or print job. It's also possible to configure an endpoint-based DLP system to regularly scan files (such as on a file server) for files containing specific keywords or patterns, or even for unauthorized file types, such as MP3 files.

Concepts, conditions, and aspects of confidentiality include:

Sensitivity - Sensitivity refers to the quality of information, which could cause harm or damage if disclosed. Discretion - Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage. Criticality - The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. Concealment - Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy. Secrecy - Secrecy is the act of keeping something a secret or preventing the disclosure of information. Privacy - Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. Seclusion - Seclusion involves storing something in an out-of-the-way location, likely with strict access controls. Isolation - Isolation is the act of keeping something separated from others.

Sensitive

Similar to confidential data.

Public

Similar to unclassified data.

Focused on Attackers

Some organizations are able to identify potential attackers and can identify the threats they represent based on the attacker's motivations, goals, or tactics, techniques, and procedures (TTPs).

Data in Transit

Sometimes called data in motion or being communicated, is any data transmitted over a network. This includes data transmitted over an internal network using wired or wireless methods and data transmitted over public networks such as the internet. A combination of symmetric and asymmetric encryption protects data in transit.

Data at Rest

Sometimes called data on storage, is any data stored on media such as system hard drives, solid-state drives (SSDs), external USB drives, storage area networks (SANs), and backup tapes. Strong symmetric encryption protects data at rest.

Authorization

Subjects are granted access to objects based on proven identities.

Adversarial Approach to Threat Modeling

Takes place after a product has been created and deployed. This technique of threat hunting is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing.

Defensive Approach to Threat Modeling

Takes place during the early stages of systems development, specifically during initial design and specifications establishment. This method is based on predicting threats and designing in specific defenses during the coding and crafting process.

Disaster, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD)

The DREAD rating system is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat: Damage Potential - How severe is the damage likely to be if the threat is realized? Reproducibility - How complicated is it for attackers to reproduce the exploit? Exploitability - How hard is it to perform the attack? Affected Users - How many users are likely to be affected by the attack (as a percentage)? Discoverability - How hard is it for an attacker to discover the weakness?

Security Function

The aspect of operating a business that focuses on the task of evaluating and improving security over time.

Security governance

The collection of practices related to supporting, evaluating, defining, and directing the security efforts of an organization. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.

Supply Chain

The concept that most computers, devices, networks, systems, and even cloud services are not built by a single entity.

Data Remanence

The data that remains on media after the data was supposedly erased. It typically refers to data on a hard drive as residual magnetic flux or slack space.

Destruction

The final stage in the lifecycle of media and is the most secure method of sanitizing media. Methods include incineration, crushing, shredding, disintegration, and dissolving using caustic or acidic chemicals.

Security Boundary

The line of intersection between any two areas, subnets, or environments that have different security requirements or needs.

Supply Chain Risk Management (SCRM)

The means to ensure that all of the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners (although not necessarily to the public). Each link in the chain should be responsible and accountable to the next link in the chain. Each handoff is properly organized, documented, managed, and audited. The goal of a secure supply chain is to ensure that the finished product is of sufficient quality, meets performance and operational goals, and provides stated security mechanisms, and that at no point in the process was any element counterfeited or subjected to unauthorized or malicious manipulation or sabotage.

Data Controller

The person or entity that controls the processing of the data. It decides what data to process, why this data should be processed, and how it is processed.

Data Owner

The person who has ultimate organizational responsibility for data. They identify the classification of data and ensure that it is labeled properly. They also ensure that it has adequate security controls based on the classification and the organization's security policy requirements.

Asset Owner, or system owner

The person who owns the asset or system that processes sensitive data.

Identification

The process of a subject claiming, or professing, an identity.

Documentation Review

The process of reading the exchanged materials and verifying them against standards and expectation. It is typically performed before any on-site inspection takes place.

Anonymization

The process of removing all relevant data so that it is theoretically impossible to identify the original subject or person.

Reduction analysis (Decomposing the application, system or environment)

The purpose of this task it to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements.

Asset Owner

The role assigned to the person who is responsible for classifying information for placement and protection within the security solution

Custodian

The role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. This role performs all activities necessary to provide adequate protection for the CIA Triad of data and to fulfill the requirements and responsibilities delegated from upper management.

Threat Modeling

The security process where potential threats are identified, categorized, and analyzed. It can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. In either case, the process identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat.

Security Professional

The security professional, information security (InfoSec) officer, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.

Security Control Framework

The structure of the security solution desired by the organization.

Third-Party Governance

The system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements.

End-of-support (EOS)

The time when support ends for products that have been sold.

End-of-life (EOL)

The time when vendors stop offering a product for sale.

Slack Space

The unused space within a disk cluster.

Shadow IT

The use of IT resources (such as cloud services) without the approval of, or even the knowledge of, the IT department.

Tokenization

The use of a token, typically a random string of characters, to replace other data. It is often used with credit card transactions.

User

The user (end user or operator) role is assigned to any person who has access to the secured system.

Data Custodian

They help protect the integrity and security of data by ensuring that it is properly stored and protected.

Privacy Control Baseline

This baseline provides an initial baseline for any systems that process PII. Organizations may combine this baseline with one of the other baselines.

Focused on Assets

This method uses asset valuation results and attempts to identify threats to the valuable assets.

Continuous Audit Trail

Tracks all use of a copyrighted product. When combined with persistence, it can detect abuse, such as concurrent use of a product simultaneously but in two geographically different locations.

Five Key Concepts of the Decomposition Process

Trust Boundaries - Any location where the level of trust or security changes Dataflow Paths - The movement of data between locations Input Points - Locations where external input is received Privileged Operations - Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security Details about Security Stance and Approach - The declaration of the security policy, security foundations, and security assumptions

Confidential or Proprietary

Typically refers to the highest level of classified data.

Concepts, conditions, and aspects of availability include:

Usability - The state of being easy to use or learn or being able to be understood and controlled by a subject Accessibility - The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations Timeliness - Being prompt, on time, within a reasonable time frame, or providing low-latency response

Accountability

Users and other subjects can be held accountable for their actions when auditing is implemented. Auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs.

Authentication

Verifies the subject's identity by comparing one or more factors against a database of valid identities, such as user accounts.