Cyber Security for Business
Infrastructure Threats
A potentially negative action or event impacting infrastructure ◦Concern: IT/OT convergence - effecting not just traditional computer systems but everything that uses or is integrated with a computer ◦ Operational Technology (OT): the devices that essentially drives all machine-driven physical processes ◦Do not need to be directly targeted (or connected to the internet) in order to be shut down as the result of a cyber-attack Use Case: Ransomware Vs. Worm ◦Seeking profit, disruption or both
Cyber Value at Risk CVAR
A statistical methodology used to quantify the level of risk within a firm - Estimates how much value might be lost in a worst case scenario - Must weigh tangible and intangible assets HOW? - Use probabilities to look at timeframe and risk of cyber attack - Goal is to help articulate cyber attacks in financial terms PROBLEMS: - Some limitations with this because not enough data is available at times to properly quantify the level of risk - There isn't a standard definition of risk across the board for every company
Script Kiddies
●A term given for inexperienced or young hackers ○Usually teens who use premade software to launch attacks ○They usually don't understand the script and are unable to edit it ○DDos (distributed denial of service) - sends multiple requests to a network that exceed the services capacity ○Phishing emails ○Fake websites for login ●For fun, chaos, or revenge
VPN
1. A virtual private network is an encrypted connection over the internet from a service to a network 2. Th encrypted connection helps ensure that sensitive data is safely transmitted - it prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely 3. A VPN allows users to send and receive data across shared or public networks as of their devices were directly connected to a private network
CISA 16 Define Critical Target
"CISA monitors the evolving virus threats closely, taking part in interagency and industry coordination calls, and working with critical infrastructure partners to prepare for possible disruptions to critical infrastructure."
Comp TIA Security
"Verifies the knowledge and skills required to assess the security posture of an enterprise environment and recommend and implement appropriate security solutions; monitor and secure hybrid environments, including cloud, mobile, and IoT; operate with an awareness of applicable laws and policies, including principles of governance, risk, and compliance; identify, analyze, and respond to security events and incidents." - CompTIA website 6 domains covered:1. Threats, attacks, and vulnerabilities2. Identity and Access Management3. Technologies and Tools4. Risk Management5. Architecture and Design6. Cryptography and PKI (Public Key Infrastructure) Unlike other certifications, CompTIA does not have a work requirement
ROUTER
1. Is a device that connects two or more packet switched networks or subnetworks 2. Serves two primary functions: Managing traffic between these networks by forwarding data packets to their intended IP address A packet is a small segment of a larger message Allowing multiple devices to use the same internet connection
Dark Web
1. Part of the internet that isn't indexed search engines 2. Only accessible by means of special software, allowing users and website operators to remind anonymous or untraceable 3. People can literally buy anything 4. Not everything id illegal - things like social media sites exist on the dark web (imagine buying groceries on the dark web. What a flex right?)
IoT (Internet of Things)
1. Refers to the billions of physical devices around the world that are now connected to the internet, all collecting and sharing data 2. Any physical object can be transformed into an IoT device if it can be connected to the internet to be controlled or to communicated information 3. Mainly used for devices that would not be expected to have an internet connection EX: lightbulb that be turned on and off using an app However smartphones and PC ARE NOT IoT devices
Public and Private Cloud
1. A public loud is a cloud service offered to multiple customers by a cloud provider 2. A private cloud is a cloud service that is not shared with any other organization 3. Analogy: renting an apartment and renting a house. A house is more private. You have to spend more money to maintain the house comparing to maintenance for the apartment
Buffer Overflow
1.Buffers are memory storage regions that temporarily hold data while it is being transferred from one location to another 2.Buffer overflow (or buffer overrun) is an anomaly that occurs when the volume of data exceeds the storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations.. 3.Can affect all types of software. If the transaction overwrites executable code, it can cause the program to behave unpredictably and generate incorrect results, memory access errors, or crashes. 4.Types of attacks: a.Stack-based buffer overflows are more common, and overwrite the data on the stack, including its return pointer, which hands control of transfers to the attacker. b.Heap-based attacks are harder to carry out and involve flooding the memory space allocated for a program beyond memory used for current runtime operations. 5.Types of protection a.Address space randomization (ASLR)—randomly moves around the address space locations of data regions. Typically, buffer overflow attacks need to know the locality of executable code, and randomizing address spaces makes this virtually impossible. b.Data execution prevention—flags certain areas of memory as non-executable or executable, which stops an attack from running code in a non-executable region. c.Structured exception handler overwrite protection (SEHOP)—helps stop malicious code from attacking Structured Exception Handling (SEH), a built-in system for managing hardware and software exceptions. It thus prevents an attacker from being able to make use of the SEH overwrite exploitation technique
SQL
1.It is the placement of malicious code in SQL statements, via web page input. 2.SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database. 3.This can be very dangerous as hackers can easily access your users' stored data if you do not secure the system against these attacks
Election Threats
A potentially negative action or event impacting an election Election Systems, Election Administration, Campaigns / Information oNot a "money maker" hack - foreign / political adversaries target o oAdvance Voter Data Manipulation oAccessing and changing voter registration databases in advance oEx. changing street addresses to cause confusion at polling places. oActual Vote Manipulation o2016, Russian intelligence probe US voting networks oDenial-of-Service (or DDoS) oEx. Day-of-Vote Interruption like a sudden bandwidth clog oMessing with Reporting oHackers targeting reporting on the vote totals oEx. Attempting to manipulate telling services like the Associated Press. oHack and Dump oEx. Russian thefts/ leak of emails from DNC and Clinton campaign manager oRansomware
Healthcare threat
A potentially negative action or event impacting healthcare and health services ◦Typically a data breach NOT disruption of services ◦Ransomware Vs. Worm ◦Supply chain security concerns ◦ ◦Most expensive industry ◦$9.23 million on average; Cost increased by $2 million YOY. ◦Ransomware HIPPA Health Insurance Portability and Accountability Act of 1996: privacy laws and standards that comprehensively covers patient protected information oThe Breach Notification Rule + HIPAA data breach reports Concerns oMobile Data Access oLack of Security Education oPhishing was the biggest cause of security breaches
Fireye Election Potential
All of these entities may be targeted for a variety of reasons to influence, disrupt or collect intelligence on the electoral process and participants." Election Infrastructure Protection •Assess infrastructure •Test existing plans •Modernize and collaborate •Secure existing technology
Quantitative Risk Assessment
Quantitative Risk Assessment is a formal and systematic risk analysis approach to quantifying the risks associated with the operation of an engineering process. - Uses verifiable data to analyze the effects of risk in terms of of cost overruns, scope creep, resource consumption, and schedule delays - Has the advantage of understanding and ranking different risk factors - Will allow businesses to rank the amount of risk that they have present Problem: - Assessing risk like this can be harder, more time consuming, and may require more intricate modeling
AI - Behavioral and neutral network
Artificial Intelligence - Branch of computer science which works to develop softwares ability to analyze its environment and then make decision based on those analyzes Neural network - translate raw data from brain activity using learning algorithms. Computational model that mimics the way nerve cells work in the human brain Behavioral network - records activity from every device that is connected to the network. Example: "Using past consumption behavior data, AI algorithms can help to discover data trends that can be used to develop more effective cross-selling
Information System Auditor
As a Certified Information Systems Auditor (CISA), you're tasked with tremendous responsibility: You'll audit, control and provide security of information systems for a multitude of industries throughout the business and IT sectors. - Implementing an audit strategy for information systems (IS) that is based on risk management. Planning audits that can be used to determine whether IT assets are protected, managed and valuable. - CISA certification instantly declares your team's expertise in auditing, control and information security. It proves your team's abilities to assess vulnerabilities, report on compliance and validate and enhance controls--ultimately improving your organization's image.
Attack Vector and Attack Surface
Attack Vector: The path that an unauthorized person follows in order to gain access to private information and compromise your data. Ex. In case of Target 2013 the attack vector was "compromised credentials in Network-trusted Third Parties" Attack surface: Is the sum of all possible methods with which attackers may attempt to compromise your network.
Nation States
●Actors fueled by countries (China, Russia, North Korea, Iran) to steal, change or destroy data ●Attack aggressively and persistently ○Political, economic, military, espionage, infrastructure, propaganda ●Nation state ties ● Spear-phishing password attacks, social engineering, direct compromise, data exfiltration, remote access trojans, and destructive malware Sony hack
CEA
CEH (Certified Ethical Hacker) "A qualification obtained by demonstrating knowledge of assessing the security of computer systems by looking for weaknesses and vulnerabilities in target systems, using the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system." Questions revolve around various hacking techniques and tools 3 domains covered: Malware Attacks Latest Hacking Tools New Emerging Attack Vectors Includes modules with hacking challenges
CISA
CISA (Certified Information Systems Auditor) • Issued by the ISACA • Global standard for professionals in information systems • Auditing, control, security • 5 domains covered: Process of Auditing Information Systems Government and Management of IT Information Systems Acquisition, Development, and Implementation Information Systems Operations, Maintenance, and Service Management Protection of Information Assets
CISM
CISM (Certified Information Security Manager) • Develop and manage an enterprise information security program • Offered by ISACA • 4 domains covered: Information Security Management Information Risk Management and Compliance Information Security Program Development and Management Information Security Incident Management • 42% salary increase in managerial roles• 70% on-the-job performance improvement
CSSP
CISSP (Certified Information Systems Security Professional) • Independent information security certification• Granted by the (ISC)2 • International Information System Security Certification Consortium • 149,174 certifications • 8 domains covered: Security and Risk Management Asset Security Security Architecture and Engineering Communication and Network Security Security Assessment and Testing Security Operations Software Development Security
Domain Name System (DNS)
•The system by which internet domain names and addresses are tracked and regulated •The "phonebook" of the Internet •DNS translates domain names to IP addresses so browsers can load Internet resources •Hotel Example •Example: www.google.com •Naming convention moves from right to left •First checks com, or the commercial domain •Google is a sub-domain to com •www is a sub-domain to Google •"." separates domain and sub-domains
FICO Scores
FICO score: a credit score created by the Fair Isaac Corporation (FICO). •Lenders use borrowers' FICO scores along with other details on borrowers' credit reports to assess credit risk and determine whether to extend credit. •FICO scores take into account data in five areas to determine creditworthiness: payment history, current level of indebtedness, types of credit used, length of credit history, and new credit accounts. To determine credit scores, the FICO weighs each category differently for each individual. However, in general, payment history is 35% of the score, accounts owed is 30%, length of credit history is 15%, new credit is 10%, and credit mix is 10%. •The FICO scoring methodology is updated from time to time, with the most recent version now being FICO Score 10 Suite, announced on Jan. 23, 2020. Various versions of FICO exist because the company has periodically updated its calculation methods since introducing its first scoring methodology in 1989. The multiple FICO score versions in use today include: FICO 2, 3, 4, 5, 8, 9 & 10 suite •The most widely used version as of 2021 is still FICO Score 8. However, the incorporation of trended credit bureau data in FICO Score 10T (part of FICO Score 10 Suite) might cause it to surpass FICO Score 8 in the future. Each scoring model may be used in different lending situations. FICO scores 2, 4, and 5, for example, are used by both mortgage and auto lenders to determine borrowers' creditworthiness
IPv4 and IPv6
IP address: Set of numbers given to a computer to communicate to the internet Internet Protocol Version Four (IPv4) . Uses a 32 bit address . Made up of 4 numbers, ranging from 0 to 255 (4.3 billion IP addresses). EX: 192.68.1.1 . Simple and proved but fewer resources due to smaller size of new addresses Internet Protocol Version Six: . Uses a 128 bit address . Made up of 8 groups of four hexadecimal digits (349 Undecillion IP addresses) . More unique addresses and better or new devices but not support by all websites
Information System Analyst
Information security analysts install software, such as firewalls, to protect computer networks. Information security analysts plan and carry out security measures to protect an organization's computer networks and systems. Their responsibilities are continually expanding as the number of cyberattacks increases. - A cybersecurity analyst protects company hardware, software, and networks from cybercriminals. The analyst's primary role is to understand company IT infrastructure in detail, monitor it at all times, and evaluate threats that could potentially breach the network.
Zero Day Attack
Is the attack that happens once the flaw has been discovered. A zero-day exploit leaves no opportunity for detection. It means that the vendor or developer has "zero days" to fix it. -Sony Zero-Day Attack, 2014. -The DNC Hack', 2016. A team of hackers gained access to the network of Democratic National Committee (DNC) and released various confidential emails communicated between various key members in the Democratic Party.
ISMS (Information Security Management System)
It's a documented management system that consists of a set of security controls that protect the confidentiality, availability, and integrity of assets from threats and vulnerabilities. - Companies must design, implement, manage, and maintain an ISMS - Will help keep personal, confidential, and sensitive data from being comprised How to implement? - PDCA process - The use of ISO 27001 -It is the international security standard that details the requirements of an ISMS
Cybersecurity and Infrastructure Security Agency (CISA)
Maintains a national Cyber Awareness system Operational component of the US Department of Homeland Security "Defend tomorrow, secure today" Est. in 2018 under Pres. Trump Set out to be our nation's risk advisor to understand and manage risk to our critical infrastructure Monitors and provides information about patching certain vulnerabilities Provide cybersecurity tools, incident response and assessment services to protect .gov networks
Requirements
Operating procedures for IT management Secure system engineering principles Supplier security policy Incident management procedure Business continuity procedures Legal, regulatory, and contractual requirements Records of training, skills, experience and qualifications Monitoring and measurement of results Internal audit program and results Results of the management view Non-conformities and results of corrective actions •Scope of the Information Security Management System •Information security policy and objectives •Risk assessment and risk treatment methodology •Statement of applicability •Risk treatment plan •Risk assessment and risk treatment report •Definition of security roles and responsibilities •Inventory of assets •Acceptable use of assets •Access control policy •Logs of user activities, exceptions, and security events
Malware
Or malicious software is any program or file that is harmful to a computer user. It is usually introduced using different types of software like phishing, malicious attachments or downloads.
DDOS - Distributed Denial of Service
This type of attack takes advantage of the specific capacity limits that apply to any network resources. Is a method where cybercriminals flood a network with so much malicious traffic that it cannot operate or communicate as it normally would. Ex. A lot of cars start entering the highway until all of the sudden traffic has slowed to a crawl. This traffic is what happens with this kind of attack and the network.
Risk Appetite
level of risk that an organization is willing to accept while pursuing its objectives Benefits: Help a company better manage and understand its risk exposure Help management make informed risk-based decision Help management allocate resources and understand risk/benefit trade-offs Help improve transparency for investors, stakeholders, regulators and credit rating agencies. COVID-19 example
Unpatched Software
v1.Refers to computer code with known security weaknesses. Users can also be responsible for their unpatched software if they refuse to check for and perform regular updates 2.Once the vulnerabilities come to light, software vendors write additions to the code known as "patches" to cover up the security "holes." 3.Though reputable vendors typically offer free, automated patching for outdated software, the process can sometimes break down or cause software to malfunction. 4.One of the main reasons for unpatched software is what the industry refers to as patching gaps. Some IT teams are unaware of the updates that are available for their software that patch these security holes. Some know these updates are available, but simply don't have the resources or strategies to keep up with their release. This is due in large part to staffing concerns as well as a gap in the skill sets of team members. But, according to the Ponemon survey, 64% of businesses in the U.S. are actively seeking to add IT employees that are dedicated to patching. This will hopefully help fill a large percentage of patching gaps in SMBs. 5.Antivirus programs are not enough to keep you completely protected anymore. Regular scanning for patches and pen tests for your own data security strategies are only a couple of the methods you should use to protect your company's information. Plus, you should have data backups and replications that you can recover easily in case a breach does happen.
Intrusion Detection System
•A device or software application that monitors a network or system for malicious activity or policy violations •Identified by comparison with AttackSignatures •Once malicious activity is detected, it is reported to the network administrator •Types of IDS range in scope from single computers to large networks •Example: comparable to iPhone spam call warnings
Wireless Access Points
•A device that creates a wireless local area network, or WLAN, usually used in offices or large buildings •Serves as a traffic cop and allows devices to share the Internet connection and communicate with one another • •Devices connect to the access point which is connected to the Local Area Network •Functions differently than a hotspot • •Security concerns if connected to network without access controls
Device Entitlement
•A security feature that allows administrators to manage which devices are allowed certain capabilities •Administrators can also control whether access on unmanaged devices is allowed or set up additional restrictions to minimize the risk of data loss •Is usually a feature within a software application that lets admin decide which devices can access the application and the data within it
Incident Réponse Plan
•A set of instructions to help IT staff detect, respond to, and recover from network security incidents. •Normally outlines steps an organization will take if there is a cyber breach or network security incident •Is important beyond cyber breaches - it is useful for successful litigation, documentation, and risk assessment
CISO: Chief information Security Officer
•AKA Chief Security of Architecture •Responsible for developing and implementing an information security program •Procedures and policies designed to protect enterprise communications, systems, and assets from both internal and external threats a senior-level executive responsible for developing and implementing an information security program; this includes procedures and policies designed to protect enterprise communications, systems and assets from both internal and external threats. - an executive role that oversees the protection of company and customer data, as well as the protection of infrastructure and assets from malicious actors. - oversee strategic, operational, and budgetary aspects of data management and protection. These professionals work closely with fellow executives to develop information security policies and procedures for a business or organization.
Access Control System
•Access control systems control who is allowed access to company information and resources •Identifies users by various login credentials, which can include usernames, passwords, PINS, etc. •Many access control systems also include multifactor authentication (think DUO) •Once a user is authenticated, access control will allow the user the appropriate amount of access based on their credentials
AICPA Trust Services
•American Institute of Certified Public Accountants •Trust services criteria were designed to provide flexibility in application and use for a variety of different subject matters •Trust Service categories include: Security, Availability, Processing Integrity, Confidentiality, and Privacy •May be used when evaluating the suitability of the design and operating effectiveness of controls relevant to these criteria of the information processed by the entity
Federal Energy Regulatory Commission
•An independent agency that regulates the interstate transmission of natural gas, oil, and electricity •Comprised of 5 members elected by the president and confirmed by the senate •What FERC Does: •Regulates the transmission and wholesale sales of electricity and natural gas, in interstate commerce •Reviews certain mergers and acquisitions and corporate transactions by electricity companies •Regulates the transportation of oil by pipeline in interstate commerce •Protects the reliability of the high voltage interstate transmission system through mandatory reliability standards •Monitors and investigates energy markets •Enforces FERC regulatory requirements through imposition of civil penalties and other means •Oversees environmental matters related to natural gas and hydroelectricity projects •Cybersecurity and FERC: •The Energy Policy Act of 2005 gave FERC the authority to oversee the reliability of the "bulk power system", or better known as the electric/power grid. Which includes approving mandatory cybersecurity reliability standards. • Stated that a certified Electric Reliability Organization (ERO) was needed to develop reliability standards, which are subject to FERC review and approval. •Once approved, these reliability standards become mandatory and may be enforced by the ERO, subject to FERC oversight. •In July 2006, FERC certified the North American Electric Reliability Corporation (NERC) as the ERO.
Pasword Management Systems
●A software application that stores and manages online credentials ○Can generate highly secure passwords ○Stores passwords in an encrypted database and are locked behind a master password ○Can autofill credentials for faster access to online accounts ●Only password you have to memorize is the master password ●Most password managers use military-grade encryption to keep passwords safe ●Different types of password managers: ○Desktop-based: stored locally on the device, cannot access from a different device ○Cloud-based: store encrypted passwords on the service provider's network, can access from any device with an internet connection ○Single Sign-On: allows you to use one password for every application, SSO provider vouches for your identity ■Similar to passport Example: LastPass
Personally Identifiable Information PII
•Any identifying piece of information that can be directly or indirectly linked back to an individual •Two broad classifications: Non-Sensitive PII and Sensitive PII •Non-Sensitive PII: gender, date of birth, race, religion, zip code etc. (information that individually cannot be directly traced to one person, but when combined with other data can be used to identify one person) •Sensitive PII: social security number, driver's license number, full name, financial information, mailing address, medical records, criminal history, credit card information, passport, email and phone number etc. (personal information can be directly traced to one person, therefore requiring stricter security measures) •Standards of security for PII are determined by impact level •Identifiability, quantity of PII, the combination of PII, context of use, accessibility to PII, and obligations for confidentiality •Loss of PII can result in identity theft or fraudulent activity
Why ISO 27001?
•Applicable to any organization •Confidentiality à authorized personnel only •Integrity à protection •Availability à accessible •Secures all information •Adaptable •Cost effective •Certifications have grown by 450%+ since 2009 •Complies with a host of laws •General Data Protection Regulation (GDPR) Networking Information Systems Regulations (NIS)
Cambridge Analytica
•Cambridge Analytica was a consulting company that specialized in using data science methodologies to support political campaigns. •Founded in 2013 by Alexander Nix, Steve Bannon, Robert Mercer, Nigel Oakes, and Alexander Oakes •Idea: Use data modeling and psychographic profiling to grow audiences, identify key influencers, and connect with people in ways that move them to action. •Breach: In early 2018, Facebook and Cambridge Analytica were implicated in a massive data breach. Personal data from over 87 million Facebook users had been improperly obtained by the political data-analytics firm •The company declared bankruptcy in 2018 following legal and political fallout from its use of personal data obtained •several of the company's key personnel have since founded or moved to similar companies.
COBIT
•Control Objectives for Information Technology •COBIT 5 Principles: 1.Meeting stakeholders needs 2.Covering the enterprise end to end 3.Applying a single integrated framework 4.Enabling a holistic approach 5.Separating governance from management
Lockbit
•Cybercriminal organization also operating a RaaS business model •Leases ransomware software for other state/independent threat actors and entities to use based on an affiliate model •Revenue generated from hacks using LockBit code are split between affiliates and the LockBit gang •Believed to be responsible for the raid on Accenture
Stuxnet
•Definition: a computer worm that can be aimed at causing physical destruction to equipment connected to computers. •Targets •Programmable Logic Controllers (PLC) •Industrials industry •Led to creation of other malware •Natanz Uranium Enrichment Plant
Hacktivism
•Definition: hacking, or breaking into a computer system, for politically or socially motivated purposes. •Targets •Gov't Agencies •Multinational Corps •Anyone "good" or "bad" •Methods for hacktivism •DOS/ DDOS •Doxing •Info leaks/ anonymous blogging
Supply Chain Threats
•Definition: technology, people, or processes that threatened the supply chain of a business. •Examples •DOS, data leaks, customer data thefts, disruption of business, ransomware •Risks •Mediation
Threat Hunter
•Detects, analyzes, and combats advanced threats, including vulnerabilities and mitigating associated risk before it effects the organization
Encryption
•Encodes a message by using an algorithm to scramble it up •Public key - two keys à one for encryption and one for decryption •One of the two keys is kept the "secret key" •Asymmetrical •Public key is used to encrypt, and private key is used to decrypt •A user's digital certificate holds the details of the key •Private key - one key à "secret key" •Symmetrical
Ryuk Ransonware
•Family of Ransomware first appearing in 2018 •Accounted for 3/10 of the largest ransom demands for 2020 •$5.3 million, $9.9 million, and $12.5 million •Believed to be operated by Russian cybercriminal group - WIZARD SPIDER •Attack Process: •Shuts down 180 services and 40 processes related to computer defenses •Runs AES-256 encryption on all primary drive data •Symmetric Encryption Keys are then encrypted using asymmetric RSA-4096 •Can run control and encrypt computers remotely
Hitrust CSF
•Health Information Trust Alliance Common Security Framework •The CSF framework is a comprehensive security standard created to provide measurable and objective means of managing risk. •"By including federal and state regulations, standards, frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security and privacy controls." •HITRUST CSF Components: •Includes and cross-references existing globally recognized standards, regulations, and business requirements, (ISO, GDPR, COBIT, NIST, and PCI) •Scales controls according to type, size, and complexity of an organization •Provides prescriptive requirements to ensure clarity •Follows a risk-based approach offering multiple levels of implementation requirements determined by specific risk thresholds •Allows for the adoption of alternate controls, when necessary; •Evolves according to user input and changing conditions in the standards and regulatory environment on an annual basis; and •Provides a unified approach for managing data protection compliance. •Importance: •System is clear, standard, and secure greatly benefiting an at-risk industry handling sensitive date. •HITRUST is the most widely applied security framework in the U.S. healthcare industryà adopted by 83% hospitals and healthcare providers. •Required by many of the leading payers & Certification shows strength. Actively updated to address current regulations and cybersecurity threats.
Risk Assessment
•ISO 27005 •Describes procedure for conducting information security risk assessment •Context establishment •Risk assessment •Risk treatment •Risk acceptance •Risk monitoring and review •Risk assessment required under ISO 27001 •Supports identification, detection, and response functions of NIST framework •Applicable to all organizations •Supports general concepts of ISO 27001
ISO 27005
•ISO 27005 is the international standard for performing an information security risk assessment •ISO 27005 is a component of the ISO/IEC 27000 Standards •Information security risk assessment helps identify potential risks •Although ISO 27005 does not specify a specific structure for the risk assessment process, the following 6 stages are discussed: •Context Establishment (How are risk identified? How are a risk's likeliness and impact determined?) •Risk Assessment (Ranking and prioritizing some risks over others) •Risk Treatment (Avoid risk entirely, modify risk with security controls, share/insure the risk, or keep the risk) •Risk Acceptance (Company creates methodology for accepting risks) •Risk Communication and Consultation (Communicate who is responsible for the risk assessment and transparency with stakeholders) •Risk Monitoring and Review (Risk assessment is an ongoing process)
ID Theft
•Identity theft is a term used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. •With enough identifying information about an individual, a criminal can take over that individual's identity to conduct a wide range of crimes: •False applications for loans and credit cards •Fraudulent withdrawals from bank accounts •Fraudulent use of telephone calling cards or online accounts •Obtaining other goods or privileges which the criminal might be denied if they were to use their real name
Firewall
•Information system barriers that monitor network traffic based on a set of rules •First line of defense •3 basic types of firewalls: •Packet filters - Checks incoming packets against known threats •Proxy servers - Prevents direct connection between packets and internal network •Serves as a gateway •Verifies the authenticity of incoming packets and forwards it without exposing internal network •Stateful inspections - Examines many elements of an incoming packet and checks them against a trusted database •Only allows access if it receives a match Ex: Checking if it is a valid IP address
Darkside
•Presumed Eastern-European ransomware (RaaS) group •Believed to be the organization behind the Colonial Pipeline cyberattack •Unclear whether state-sponsored or not •Operates a franchise-like business model •Leases ransomware software for other Blackhat hacker groups to use
ISO 27001
•Published 10/2013 •Reviewed every 5 years •Last version: 2005 •Current: 2013 •One of more than a dozen standards in ISO/IEC 27000 family •Specifies requirements for establishing, implementing, maintaining, and continually improving information security management systems (ISMS) •Intended to be applicable to all international organizations •Supports protection function of NIST framework •Enables organizations to manage security of assets •Financial information •Intellectual property •Employee/customer data
ISP SP 800-39
•Purpose is to "provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems." •Meant to be a general guideline & provide flexibility à not law •Guides how to manage information security risk by adding to other NIST security standards and guidelines •Part of a more comprehensive Enterprise Risk Management System
Cyber Hygiene
•Refers to fundamental cybersecurity best practices that an organization's security practitioners and users can undertake •Help protect the health of the organization's network and assets •Should be done by both individuals and businesses as a whole to protect their data and prevent malware and other attacks •Good cyber hygiene includes: Setting strong passwords and changing them regularly Installing antivirus software In-dept cybersecurity awareness training during onboarding of new employees Regularly update and patch servers, computers, security cameras, and other devices Not allowing employees to use personal devices for work purposes Creating an incident response plan
REvil-
•Russian-Based Ransomware-as-a-Service (RaaS) organization •Threaten to publish information to their page "Happy Blog" •Notable cases include attack on Apple to acquire IP •Related to Darkside organization •Disappeared as of July 13, 2021
Nobelium
•Russian-linked cybercriminal group •Responsible for the SolarWinds cyberattack of December 2020 •Broke in through software updates •Injected Malware spread to numerous government agencies (e.g., Pentagon & NSA) •Investigated/tracked by FireEye, Microsoft Threat Intelligence Center, & CISA •Conducted phishing scams using USAID to target 150 organizations
Zero Trust
•Security model that helps prevent successful data breaches by eliminating the concept of trust from an organization's architecture •Based off the idea that not everything in an organization's network should be trusted •Requires both authorization and authentication
NIST SP 800-30
•Special Publication ("SP") 800-30 has been developed by the National Institute of Standards and Technology ("NIST") •This discusses ways for companies to conduct risk assessments and is a resource for federal information systems and organizations •A risk assessment process includes four primary steps: framing the risks, assessing the risks, responding to the risks, and then the ongoing monitoring of risks •A company considers the potential threats, internal/external vulnerabilities, potential impact/risks, and the likeliness of occurring •The SP 800-30 links risk and cybersecurity to a company's usual business operations by considering potential business, financial, and organizational impacts, among others
Penetration Tester
•Test computer systems to expose weaknesses in computer security that could be exploited by criminals •Requires ability to script or write code •Ex. Spoofing Emails
Level of Privilege
•The delegation of authority to perform security-relevant functions on a computer system •A privilege allows a user to perform an action with security consequences. •Examples: ability to create new user, install software, etc. •Users can be granted different levels of privilege that allow them to perform different tasks and access different types of information •Ensures that employees, applications, and system processes do not have access to more data than they need •The Principle of Least Privilege (PoLP) - mandates that users, accounts, and computing processes only have minimal rights and access to resources they absolutely need (and nothing more)
Protected Health Information PHI
•This is any information that pertains to someone's health records and medical information •PHI includes any piece of data that is created, used, or disclosed during a medical appointment that could be linked back to an individual •Examples include medical records, laboratory results, medications, insurance coverages, billing information, mental health conditions, family medical history, weight/height etc. •PHI is protected under The Health Insurance Portability and Accountability Act (HIPAA) •All forms of medical records are protected under HIPAA (electronic, oral, and paper) •It is important to note that PII gains protection under HIPAA when it is paired with PHI (for example: your medical record from your doctor's appointment might contain your full name, email, and phone number in addition to the medical information from the doctor's visit) •PHI is critical because it allows for the consolidation of an individual's medical history over their entire lifetime •Additionally, scientists have been able to anonymize this data to understand societal health trends
TSA Pipeline Cybersecurity Rules
•Transportation Security Administration reversed previously voluntary pipeline cybersecurity requirements and issued mandatory cybersecurity rules on owners and operators of pipelines. •This was in direct response to the Colonial Pipeline ransomware hack. •The new rules came in the form of two directives issued in 2021. •The First Directive: 3 mandatory requirements (May 28, 2021) •Report all cybersecurity incidents to CISA within 12 hours •Designate a primary and alternative Cybersecurity Coordinator, at the corporate level, who is accessible 24/7 to TSA and CISA •Conduct a cybersecurity vulnerability assessment and provide a report of this assessment to TSA and CISA within 30 days. •The Second Directive: 3 mandatory requirements (July 20, 2021) •Implement immediate mitigation measures to protect against cyberattacks •Develop a cybersecurity contingency and recovery plan •Conduct a cybersecurity architecture design review •Fines for non-compliance could be up to $11,904 per violation. •A lot of unknowns since these rules are so new and subject to be challenged under the APA.
CIP
•What is CIP: •CIP is a NERC standard that is specifically focused on securing the critical infrastructure for operating North America's bulk power system. •U.S. Department of Homeland Security (DHS) defines critical infrastructure as the essential activities that support national security, the economy, and the overall welfare of citizens. •As of today, NERC has 12 critical infrastructure protection requirements: •CIP-002 BES Cyber System Categorization — Identify and categorize BES cyber assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse could have on the reliable operation •CIP-003 Security Management Controls — Specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES cyber systems against compromises.
North American Electric Reliability Company
•What is NERC: •NERC is an international regulatory organization that works to reduce risks to power grid infrastructure. •Goal: To reduce the risks of the electrical grid by working with all stakeholders to develop standards for power system operation, monitor and enforcing compliance with those standards, assessing resource adequacy, and providing educational and training resources as part of an accreditation program to ensure power system operators remain qualified and proficient. •NERC also investigates and analyzes the causes of significant power system disturbances in order to help prevent future events. •NERC's area of responsibility spans the continental United States, Canada, and the northern portion of Baja California, Mexico. •Has jurisdiction over 400 million people •NERC Standards and Compliance: •Any organization associated with electrical generation, transmission, and interconnection of the electric grid in the United States, Canada, and part of Mexico is subject to NERC standards. •NERC enforces approximately 100 standards across 14 different disciplines. •Standards cover various business functions, such as planning, emergency preparation, voltage and balancing, and interconnectivity. •Standards include elements for communication, personnel, training, and physical and cybersecurity •Compliance with these standards is not simple and takes a great deal of time and effort. •Provide equal baseline that everyone must follow so it ensures cohesiveness across its areas of responsibility. •
Credit Monitors
•the monitoring of one's credit history in order to detect any suspicious activity or changes •In the U.S. there are several different credit bureaus, but only three that are of major national significance: Equifax, Experian, and TransUnion. This trio dominates the market for collecting, analyzing, and disbursing information about consumers in the credit markets. •Each credit bureau uses information on consumers to develop credit reports and calculate credit scores. The higher the score, the lower the credit risk a consumer is deemed to be—and the higher their creditworthiness. •Two of the biggest companies when it comes to credit scoring models are Fair Isaac Corporation (FICO) and VantageScore. VantageScore is the result of a collaboration between the three nationwide credit bureaus: Equifax, Experian, and TransUnion. Each of the credit unions has built its own FICO models specific to different types of lending. •While FICO 8 is commonly used across all bureaus to assess general creditworthiness, each bureau has a different model for different types of lending. For example, Experian developed FICO 2, Equifax uses their FICO 5, and TransUnion has their own version in FICO 4.14
Security Framework
●A "roadmap" that defines the steps a firm can/must take to assess, monitor, and mitigate cybersecurity risks ●Includes industry guidelines and practices that help with the implementation and ongoing management of a security system ●Overarching goal is to identify and fix weaknesses in a firm's system, thereby improving its resilience and protecting its valuable data and infrastructure against cyber attacks ●Voluntary or mandatory, depending on industry ●Variety of frameworks, including the NIST Cybersecurity Framework
Dictionary Attacks
●A brute-force technique where attackers run through common words and phrases to guess passwords ○Uses predefined list of passwords that would have a higher probability of success ○Requires less time and resources to execute ●The password dictionary list is typically built specifically for the target under attack ○Tools include common passwords taken from security breaches leaked online and common variants of certain words or phrases (ie. substituting 'a' with '@' or adding numbers to the end of passwords ●Usually very successful because of individuals reusing common password variation
NISK Cybersecurity Framework
●National Institute of Standards and Technology (NIST) ○Established the CSF as a result of Executive Order 13636, signed by former President Barack Obama ●Required for government agencies; optional for organizations in the private sector ●Inclusive framework, meant to compliment an organization's existing security program ●NIST Cybersecurity Framework has three components: 1.Core: simplistic model; easy to understand; divides risk management into five functional areas: 1.Identify: to examine the work environment and identify the processes/assets that need protection 2.Protect: to install safeguards such as firewalls and IT/physical controls and encrypt data 3.Detect: to monitor networks for unauthorized usage, recognize threats, and carry out risk management and/or damage control procedures 4.Respond: to investigate the threat, inform stakeholders and law enforcement, and update security policies 5.Recovery: to restore information, functions, and services 2.Implementation Tiers: divided into four tiers that increase with rigor based on a firm's risk management process (policies), integrated risk management program (decisions), and external participation (sharing information) 1.Tier 1- Partial Implementation: few or no policies, risk is managed in a reactive manner; management has limited awareness of security risks; firm does not collaborate with other entities or understand supply chain risks 2.Tier 2 - Risk Informed: policies are somewhat formalized; only management is aware of risks; shares some information with specific stakeholders 3.Tier 3 - Repeatable: formally approved policies; firm-wide approach to security; understands its place in the larger ecosystem and shares information accordingly 4.Tier 4 - Adaptive: adapts policies based on lessons learned and/or predictive indicators; firm-wide approach, with a larger portion of the budget dedicated to cybersecurity; firm communicates proactively with external stakeholders, and reacts to supply chain risks based on real-time information Profiles:the alignment of an organization's cybersecurity objectives, risk appetite, and budget with a desired outcom
Cyber Criminals
●Person or group that uses technology to launch malicious attacks on networks to steal sensitive information or personal data ○Ransomware, phishing, extortion, malware ●Money, fun, activism, espionage ●Gain access to computers to launch attacks, run scams, or save illegal information
hacktivists
●Political or socially motivated ●Hacks target people or groups they see as doing wrong ○Governments, Corporations ●Use hacking as a way to protest in hope of inspiring change ●Information leaks, doxing, website replication ●Anonymous, Legion of Doom, Masters of Deception
Exploit
●Program or code used to take advantage of weaknesses or vulnerabilities in computer systems ○Usually bugs in system architecture ●Can be used to inject malware into systems ●Once known the vulnerability is patched ○Software- cross site scripting(xss) allows cyber criminals to inject client side scripts that bypass access controls (authentication) ○Hardware- poor encryption ○Network- poor encryption, poor authentication
Key Logging
●The action of recording the keys struck on a keyboard without the permission or knowledge of the user ○Similar to listening to a private conversation ○Data can user behavior can be assembled from logged keystrokes ●Usually uses a keylogger: a type of monitoring software designed to record keystrokes; usually sent back to a third-party (criminal) ○Basic form only collects information typed into a single website or application ○More sophisticated forms can record everything you type no matter the application ●Commonly used to steal financial information, PII, or sensitive business information ●First case of keylogging: used by the Soviet Union in the 1970s to monitor IBM typewriters used at embassies based in Moscow
Password Hash Value
●Turning your password into a short string of letters and/or numbers using an encryption algorithm ○Common Hashing Algorithms: MD5, Secure Hashing Algorithms (SHA) ○Performs a one-way transformation of a password ●It's easy to compute the hash, but difficult to re-generate the original input if only the hash value is known ●When logging in, the software performs a one-way hash to compare it to the hash value stored in the database Hashing is preferable to encryption when storing passwords because in the event of a cyberattack, hackers won't get access to the plaintext password
Brute Force Attacks
●Uses trial-and-error to guess login info or encryption keys, working through all possible combinations hoping to guess correctly ○Using excessive attempts to try and 'force' their way into your accounts ○Usually aided by automated software that uses computing to systematically check password combinations until the correct one is identified ●Depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to many years ●5% of confirmed data breach incidents in 2017 stemmed from brute force attacks ●Other types of Brute Force Attacks ○Reverse Brute Force Attack: use a password/group of passwords to find possible usernames ○Credential Stuffing: after discovering a username and password pairing, using this to gain access to multiple websites and network resources
Advanced Persistent Threat APT
❏An individual or group that is very skilled and determined to steal an organization's info or seriously disrupt their operations ❏This individual or group uses a variety of methods to accomplish their goals over a substantial period of time. ❏Stalker Example
Spyware
❏Can be legitimate or malicious ❏Malicious spyware is usually installed without your knowledge. It tracks and sells your data. ❏Steps that spyware performs: ❏Infiltrate ❏Monitor ❏Send/Sell ❏4 types of spyware: ❏Trojan ❏Adware ❏Tracking cookie files ❏Keyloggers ❏Can steal very personal information as it tracks your movements
Spoofing
❏It is when hackers misrepresent themselves to gain trust and access to an individual or company's system. ❏Two-pronged approach: ❏Technical aspect (ex. Fake email) ❏Psychological aspect (ex. convincing people to click a link or hand over information) ❏Can lead to ransomware attacks ❏There are different types, but the most common is email spoofing
In the Wild ITW
❏Once software has gone through the design and production process, it is released to the public and considered to be "in the wild" ❏Relates to the level of control that the creators of software or technology have over their products