Cyber Security Week 1


What classifies a strong password?

1. At least 15 characters
2. At least 1 letter (upper and lowercase) and 1 number
3. At least 1 special character

What are some Web Attacks?

1. Brute Force
2. Code Injection
3. Faulty Sessions

Execute the Plan (Security Culture Framework) Step 4

After developing the training, implement it with the goal of training approximately 25% of employees every quarter.

Create an Action Plan (Security Culture Framework) Step 3

After getting clearance to run the training, plan to deliver an annual Cybersecurity Awareness Training event.
Ex: Develop training to cover the dangers of malware and how malware can spread through phishing and vishing.

Measure Change (Security Culture Framework) Step 5

After training the entire company, have the pentesters reimplement the original phishing campaign.

What is BCP/DR?

Business Continuity Planning and Disaster Recovery: ensures business and mission-critical functions continue in the event of a disruption.
Note: Knowledge of governance, compliance, and BCP/DR is crucial context for all security professionals.
- Most professional security work is mandated by governance policies and subject to compliance audits.

What is DMZ?

Demilitarized Zone: includes everything in between the firewall.

What is Annual Rate of Occurrence (ARO) and how do you calculate it?

Estimated number of times the risk is likely to occur in a given year.
ARO = #occurrences(X) / years

Defining (Policy and Framework concept)

Formal policies for the financial tech company GeldCorp

GRC

Is a framework for answering the questions: What assets are most important? and What is adequate protection?

Define Policy

Is a rule that defines the "right" behavior.
- Policies inform standards for behavior and operations.

What is Qualitative and Quantitative Analysis?

Qualitative: evaluating risk based on intangible, unmeasurable factors. It is used when decisions do not require cost-benefit analysis.
Ex: It's impossible to calculate the precise probability that some hacker, somewhere in the world, will attack your servers within the next year.
Ex: It's impossible to know the precise impact of a breach. The cost of an attack will depend on its length, which is impossible to determine ahead of time.

vs.

Quantitative: evaluating each risk based on its measured likelihood and impact, where likelihood is the probability an event will take place and impact is the measure of damage done if a risk takes place.
Ex: A bakery can use qualitative analysis to decide on an inexpensive VPN, since it shouldn't matter much if they're logging non-confidential information.
Ex: A government defense or financial organization can use qualitative analysis to decide on a more expensive service, since it knows it needs to keep its data confidential.

Define Guidelines

Similar to policies, as they are issued by organizations to make the actions of their employees or departments more predictable, and presumably of higher quality.
- Guidelines are not "mandatory." They are only suggestions, meant to be followed by those to whom they apply.

Involve the Right People (Security Culture Framework) Step 2

Since this training will affect all members of the organization, inform the executive team about the problem and your decision to implement training.
Ex: Inform at least the CEO and/or CIO, the director of HR, and the person in charge of internal training and communication.

Define the threat modeling methodology: STRIDE

Spoofing, Tampering, Repudiation, Information Disclosure, DoS (Denial of Service), Elevation of Privilege.
Focuses on identifying what can fail in the system being modeled.

Code injection

Type of attack that injects code that is then interpreted and executed by the target application.
Example: HTML injections are used to change a website or to steal personally identifiable information (PII). HTML injections can occur via a website link, data, or input fields on web forms.

What is Risk Management?

Using the results of risk analysis to create a plan for preventing likely risks

Assessing (Policy and Framework concept)

What user data collected by GeldCorp is subject to the General Data Protection Regulation (GDPR) and the Payment Card Industry (PCI) Security Standard?

Security culture

Is the way members of an organization think about and approach security issues. A healthy security culture has employees who are invested in the organization's security and "behave securely."
The health of the organization's security culture is determined by:
- How important employees consider security
- How aware employees are of common security risks
- Whether employees know how to avoid insecure behavior

How does Risk Management and Threat Modeling affect Businesses primary objective of profit?

- They directly contribute to business profit.
- Risk analysis helps businesses understand how much they'll need to spend if a given security breach happens.
- When possible, risks are measured quantitatively in financial figures, which businesses use to prioritize threats.
- Threat modeling results are shared upward to the executives who make the major business decisions.
Risk analysis is important because it quantifies how much a business needs to spend if a given security breach happens; therefore, businesses can plan for setbacks before they occur. Threat modeling is a key step in risk management because a risk is essentially a price the business pays if the threat happens; therefore, they can prioritize the most expensive risks.

List industries with their corresponding laws

- Family Educational Rights and Privacy Act (FERPA): Protects the privacy of student education records. Parents or eligible students have the right to request that records be corrected if they believe them to be misleading or inaccurate.
- Gramm-Leach-Bliley Act (GLBA): Requires financial institutions that provide consumers with financial products and services to provide an explanation of their information-sharing practices and to safeguard sensitive data.
- Federal Information Security Management Act of 2002 (FISMA): Requires the protection of government data, operations, and assets against natural or man-made threats.
- Health Insurance Portability and Accountability Act (HIPAA): Regulates the flow of healthcare information and states how personally identifiable information (PII) should be protected from misuse and theft within the healthcare industry.

What are some Database Attacks?

1. Default Credentials
2. Unpatched Database
3. Lack of Segregation

What are the Six steps in OWASP Threat Modeling process?

1. Determine assessment scope
2. Identify threat agents
3. Identify potential attacks
4. Identify exploitable vulnerabilities
5. Prioritize identified risks
6. Mitigate risks

What are the categories of Loss Expectancy?

1. Marginal: The organization has the resources to respond to the breach immediately, without affecting day-to-day operations or revenue.
2. Notable: The organization has the resources to respond to the breach, but may not be able to do so immediately. It may experience interruptions to operations.
3. Severe: The organization experiences serious interruptions to operations, and doesn't have the monetary and/or personnel resources to respond effectively. It may have to defer revenue, delay project timelines, reassign employees, or hire consultants to fix the issue.
4. Catastrophic: The organization suffers severe, lasting damage to its reputation and/or infrastructure. The future of the business is threatened by reputation damage, bankruptcy, being found in contempt of federal regulations, or other issues.

What are some Server Attacks?

1. OS Exploit
2. Malicious Software

What are some User Attacks?

1. Social Engineering
2. Phishing
3. Credential Reuse
4. Malware
5. Man-in-the-Middle (MitM)
6. Packet Sniffing
7. Computer Theft

Which feature of insider threat actors makes them especially dangerous to an organization?
1. They will launch attacks using advanced persistent threats (APTs) to continuously compromise the system
2. They are opposed to the organization's political or ideological goals
3. They use prebuilt or canned programs for attacks
4. They have unrestricted access to sensitive data and information

4. They have unrestricted access to sensitive data and information
- Insider actors are so dangerous because they have unrestricted access to sensitive data and info. Someone with appropriate access can then easily steal or leak that data.
- Insiders prefer to stay in stealth mode, and an advanced persistent threat (APT) would give away their intent.
- A hacktivist would oppose the organization's political or ideological goals. An insider would never reveal this oppositional nature.
- Script kiddies use prebuilt or canned programs for attacks. Such attacks would likely give away the insider's position and intent.

Keylogger

A program designed to record which keys are pressed on your computer keyboard. It can obtain passwords or encryption keys and use these to bypass security measures.
Example: ZeuS/Zbot is a modular banking Trojan which uses keystroke logging to record credentials when a user visits a banking website.

Threat assessment

A structured process of identifying the risks posed to a group or system.
Example: The National Institute of Standards and Technology outlines structured processes and frameworks for identifying, estimating, and prioritizing risks to individual, organizational, and operational assets (NIST Special Publication 800-30).

Phishing attack

A technique for attempting to acquire sensitive data, such as credit card numbers, usernames, or passwords, through fraudulent solicitation (e.g., email). The perpetrator pretends to be a reputable business or person.
Example: During the World Cup in Russia, scammers sent out phishing emails to fans offering free trips, in order to access personal information.

What's the difference between a vulnerability, a threat, and a risk?

A vulnerability is an aspect of a business that can be exploited to compromise a system's CIA (Confidentiality, Integrity, & Availability).
A threat is an actor that might exploit a vulnerability.
A risk is the possibility of losing something valuable.

A group known as Takedown hacked into your political action committee website and defaced it. Which type of threat actor is most likely responsible for the attack?
A) Hacktivist
B) Script Kiddie
C) Competitor
D) Insider

A) Hacktivist
- Takedown is a hacktivist group. Its motivations seem political, and it is interested in defacing the websites of those who have opposing viewpoints from their own.
- Script kiddies typically do not deface websites, only using scripts and applications that help them break into systems or applications with known vulnerabilities.
- Although a malicious insider might have the ability to deface the site, it's unlikely that they would do so. Insiders usually exfiltrate data rather than deface sites.
- It's unlikely that a competitor would deface the site. They would more likely search for a list of donors or other sensitive information.

Which of the following threat actors or threat actor groups is most likely to have the best funding to hire and sustain a group of cybercriminals?
A) Nation States
B) Organized Crime
C) Script Kiddies
D) Hacktivists

A) Nation States
- Nation states have tax revenues, backing from large companies, and/or wealthy benefactors who fund malicious activities.
- Well-funded organized criminals do not have the resources of an entire nation behind them.
- Script kiddies do not have any funding because they are typically young and inexperienced and do not qualify for any backing.
- Hacktivist groups might have minor funding from opposing-viewpoint factions, but the funding is not significant or comparable to nation states.

Brute force attack

An attack that involves trying all possible authentication combinations to find a match.
Example: These attacks are often used for attacking authentication and discovering hidden content and pages within a web application. The brute force attack on Alibaba compromised 21 million user accounts using a database of 99 million usernames and passwords.

Man-in-the-middle attack (MitM)

An attack where the adversary positions themselves between the user and the system so that they can intercept and alter data traveling between them.
Example: We download and update software daily. A remote hacker can use the lack of integrity verification (e.g., hash value) of downloads or update information to manipulate a software package with an MitM attack.

Define Regulations

Are detailed instructions on how laws should be enforced.
- Sometimes referred to as administrative laws, regulations are backed by the force of law and their application is mandatory.
- Legislative bodies pass laws, and government agencies create regulations that implement the laws.
Ex: Sarbanes-Oxley Act of 2002 (SOX)

Define Law

Are policies that are written in legal language, and voted upon and passed by legislative bodies of government.
- Laws are enforced by agencies tasked with overseeing and monitoring the rule of law.
- One such organization is the Securities and Exchange Commission (SEC).

Define Standards

Are published specifications used to establish a common language and technical criteria across an organization or industry.
Ex: Merchants that process financial transactions are legally required to comply with the Payment Card Industry Data Security Standard (PCI-DSS) to guarantee that their customers' data remains confidential.
- If a company suffers a breach that results in the disclosure of customer PII, it may have to pay large fines and face other legal penalties.

Which threat actor is most likely to be highly skilled in launching attacks involving APTs against targets?
A) Script Kiddie
B) Nation State
C) Insider
D) Organized Crime

B) Nation State
- A nation state has the most sophisticated and highly skilled hackers available for launching APTs.
- A script kiddie is not highly skilled nor capable of launching APTs against targets.
- An insider can be highly skilled but does not use APTs because these would give away their position and intent.
- Organized crime rings are highly skilled, but they do not launch APTs against a target.

Which of the following motivates a hacktivist to perpetrate a website defacing or an informational breach?
A) Financial gain
B) Reputation damage to the target
C) Military tactics and political upheaval
D) Bragging rights or other form of notoriety

B) Reputation damage to the target
- Hacktivists are interested in damaging or exposing their ideological opposition, but not generally for monetary gain or other accolades.
- Hacktivists are primarily concerned with damaging the reputation of their targets.
- Hacktivists have no interest in military tactics or political upheaval. Their interest is purely ideological.
- A boost in recognition is only important to script kiddies who want to show off to friends or rival script kiddie groups.

Of the several types of threat actors, which one is a novice with little experience as a hacker?
A) Hacktivist
B) Insider
C) Script Kiddie
D) Competitor

C) Script Kiddie
- Script kiddies have very limited knowledge of security but use automated tools, such as scripts, to hack systems.
- A hacktivist is a hacker who gains access to systems or other resources to disrupt operations based on ideological differences with the target.
- An insider is someone who hacks internal systems in a company and who has or had access to restricted materials.
- A competitor may attempt to hack, compromise, or sabotage another company's or an individual's work to gain a competitive edge.

Define CISO + roles associated

The Chief Information Security Officer (CISO) is responsible for protecting the company's data, often supervising the following teams, among others:
1. Network Security team, headed by the Director of Network Security, who is in charge of networks and often has system admins, network admins, and physical network technicians on staff. They may also manage a help desk.
2. Incident Response team, headed by the IR Manager or SOC Manager, who employs SOC analysts, also known as security analysts or incident handlers.
3. Application Security team, headed by the Security Architect, who typically manages security engineers and software engineers.

C.I.A.

Confidentiality, integrity, and availability. These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.

Governance

Creating management processes for implementing security practices across the organization.
Codifying and enforcing proper behavior and operations by establishing standards of "right" and "wrong."

What is the difference between Cybersecurity vs. Information Security?

Cybersecurity is more focused on digital assets, whereas information security is more focused on people, company information, physical documents, etc.

What is the aspect of cybercrime that often motivates script kiddies to hack into systems or into a company?
A) Confidential company information
B) Financial motivation and ability to sell info
C) Collaboration with government and other agencies
D) Bragging rights, publicity, or other form of notoriety

D) Bragging rights, publicity, or some other form of notoriety
- Script kiddies generally only want to be able to tell their friends that they have hacked some company, or want their names mentioned on the news.
- Script kiddies are not generally profit seekers because they do not have the resources to acquire or sell stolen items.
- Script kiddies are not involved with government entities or agencies and therefore do not seek this type of info or activity.
- Private or secret info motivates insiders to become threats. Script kiddies do not gain profits by having access to private or secret info.

Identify Threat Agents (OWASP TMP) Step #2

Determine which attackers would be interested in the relevant assets.
- Threat agents include a person or group that can produce a threat, whether or not that person or group is malicious.
Some threat agent examples:
- APT (Advanced Persistent Threats)
- Script Kiddies
- Employees opening phishing emails
- Incompetent users breaking configurations on company computers

Threat Modeling

Determining which attacks an organization is most likely to experience, who is most likely to launch them, and what actions can be done to prevent them.

What is Annual Loss Expectancy (ALE) and how do you calculate it?

Estimated cost of a risk occurring in a given year.
ALE = SLE (Single Loss Expectancy) * ARO (Annual Rate of Occurrence)

What is Single Loss Expectancy (SLE) and how do you calculate it?

Estimated cost of the risk occurring on a given asset.
SLE = Asset Value (AV) * Exposure Factor (EF)

Malware

Hardware, software, or firmware meant to perform an unauthorized process that will compromise the confidentiality, integrity, or availability of a system (e.g., a virus, worm, Trojan horse, or other code-based entity that infects a host).
Example: In May of 2017, the WannaCry worm spread rapidly across a number of computer networks, infecting Windows computers. It encrypts files on the machine's hard drive and demands a ransom payment in Bitcoin in exchange for decryption.

Measure and Set Goals (Security Culture Framework) Step 1

Hire a penetration testing firm to begin a phishing campaign that will send out phishing emails to users in the company. The firm will then keep track of how many users fall for the phishing emails.
Ex: Set a click rate goal of 5%. Measure this data to determine (a) what percentage of employees fall victim to the phishing and (b) which employees specifically fall victim.

Identify Potential Attacks (OWASP TMP) Step #3

Identify the attacks each agent is likely to perform.
- Different attackers use different modes of attack. Different attacks mean different risks and different considerations.
Ex: Script kiddies will have different goals than disgruntled employees.
- We can identify a potential attack by considering the threat agent's motivation, skill level, and funding.
Ex: If a client's web application is taken offline by a DoS attack, the severity of the risk depends on which threat agent is responsible: script kiddies might DoS a server simply to cause trouble, or an APT might DoS a server as a smoke screen to steal valuable data.

Identify Exploitable Vulnerabilities (OWASP TMP) Step #4

Identify the most vulnerable points in a system, how the agent will deliver the attack, and where an attack is most likely to occur.
- Once we determine who might attack and what methods they might use, we determine where exactly in the system they will likely direct their attacks, and what the risk will be if they do.
Ex: If a network has only one database that stores everything, the entire company will lose access to all data if it is compromised.
- An attacker seeking to DoS the company's network can exploit this database to achieve their goal.

Risk management

Identifying an organization's most important assets and determining how they might be compromised.
Note: We define "important" by asking: How would a security compromise of this asset affect the profits of the business? The more significant the loss, the more important the asset.

Business goals often drive policy creation. What are the two main types of business goals?

Internal/volitional: Targets that the business sets in its own interest.
- Ex: An organization might aim to reduce long-term security expenses to less than $400,000.
External/imposed: Targets that the business "must" hit because it will suffer consequences if it does not.
- Ex: The requirement that online merchants process all credit card transactions securely, or suffer legal penalties if a customer's PII is breached.

Define Risk Management Framework (RMF)

Is a set of standards developed by the National Institute of Standards and Technology (NIST). They are properly implemented information security frameworks that allow security professionals to intelligently manage cyber risks within their organizations.
- Frameworks consist of various documents clearly defining adopted procedures, policies, and processes, which an organization must follow.
- Having an information security framework reduces an organization's risk and exposure to vulnerabilities.
Advantages:
1. Instills confidence in your industry
2. Establishes a strong reputation with business partners
3. Provides a reputable relationship with customers

What is a Risk Matrix?

Is used to compare how many of the risks facing an organization are mild and how many are severe.

Security Culture Framework

It identifies problems in an organization's security culture and develops plans to solve them.
1. Measure and Set Goals
2. Involve the Right People
3. Create an Action Plan
4. Execute the Plan
5. Measure Change

What is a Heat Map?

It is a visual representation of the probability and likelihood of risks. Organizations can use heat maps to make strategic decisions about how to protect the company.

What is Asset Value?

It is how much money an asset is worth, expressed in currency.

What is Exposure factor?

It is how much of an asset will be affected in a breach. It has a scale of 0.25 to 1.0:
1.0 = Attack would completely eliminate an asset
0.75 = Attack would mostly eliminate an asset
0.50 = Attack would half eliminate an asset
0.25 = Attack would partially eliminate an asset

Determine Assessment Scope (OWASP TMP) Step #1

List the assets under consideration, determine their value, and define objectives for your threat modeling assessment.
- Businesses can't effectively evaluate everything at once, so they adjust their scope to focus on a specific category of risk.
Ex: Performing a risk analysis to assess the weakness of a network infrastructure. Within this scope, we are not concerned with application security.
- Scoping begins with asset inventory, the process of identifying and assigning asset value to all of an organization's assets.
Ex: The asset value of a web application could be measured by the revenue or profit it generates.

Compliance

Making sure the business follows internal security policies and adheres to relevant security laws.
Enforcing the policies in order to meet those standards.

Define the threat modeling methodology: OWASP

Open Web Application Security Project.
Focuses on identifying possible threats, prioritizing risks, and planning mitigation strategies. It is mainly used with web and desktop applications.

What is PII?

Personally Identifiable Information. Examples include:
- Name
- Social Security Number (SSN)
- Date of Birth (DOB)
- Mother's maiden name
- Financial records
- Email address
- Driver's License number (DL)
- Passport number
- Health information

Define the threat modeling methodology: PASTA

Process for Attack Simulation & Threat Analysis.
Focuses on aligning considerations of business objectives with technical requirements.

Define General Data Protection Regulation (GDPR)

Protects the private data of all citizens of the European Union (EU) and European Economic Area (EEA).
- Requires organizations that process data belonging to EU citizens to protect the data sufficiently.
- GDPR regulations apply to organizations based in the EU, as well as those based elsewhere that process data belonging to EU citizens.

Packet sniffer

Software that monitors network traffic on wired or wireless networks and captures packets. Packet sniffers are used by network managers to monitor and analyze traffic, but hackers also use them.
Example: A user downloads a file from the internet. The file is a packet sniffer that, when installed on the network, can record and transmit any data to a hacker's command and control server.

Social engineering

The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by gaining confidence and trust.
Example: An attacker calls and claims to be from your internet provider (this is an example of vishing, or voice phishing) and asks you questions about your account, aiming to trick you into giving account information or login credentials (credential reuse).

Cybersecurity

The assessment of threats and the mitigation of risk.
Example: An organization is launching a new website and is concerned about attacks interrupting service due to system request overload (denial of service, or DoS, attacks). The security and IT organizations develop procedures to identify threats and protect applications and the network (e.g., packet monitoring and management, escalation management).

Discuss the Security concerns vs. Business concerns

The most profitable decision isn't always the most secure. Security objectives may be at odds with those of the business. For example, the security team's main goal is to protect the business's data, whereas the business's main goal is to maximize profit and improve efficiency.
Another real-world example would be where an organization's engineering team proposes an innovative but insecure new feature for their flagship product: the security team would probably advise against the new feature due to its poor security, and the business at large might decide to develop it anyway, believing the potential profit is worth the risk.
Remember: Security teams or cybersecurity professionals do not make decisions; we help executives make informed decisions, advise on security risks, and implement a risk assessment to show executives the risks of proceeding with the new implementations.
100% security is not the business's goal. To limit spending and increase profit, businesses often provide only adequate protection for their most important assets.

Define Governance framework

The policies an organization "must" have in place.
- Organizations must use these frameworks to remain compliant with federal regulations and industry standards.
Tidbit: A lot of companies use NIST.

Risk mitigation

The process of reducing the impact of a negative event and/or the likelihood that it will reoccur.
Example: Reducing the risks associated with signals from wireless access points that transmit beyond an organization's controlled boundaries. One mitigation action is to reduce the power of wireless transmissions so that signals are less likely to extend beyond the organization's physical perimeter.

Availability

The quality of being able to be used or obtained.
- Availability concerns occur when operating systems, equipment, and data are not functioning correctly and thus are not accessible by those who need them.
- Some examples of an availability attack include attackers taking down a web-connected generator to disable a critical power supply, or using a denial of service attack to bring down a financial service provider's website, making it impossible for clients to make transactions.
- Creating regular backups of data is one way to maintain availability.

Integrity

The quality of being honest, whole, or undivided.
- The integrity of info refers to protecting info from being modified by unauthorized people.
- Some examples of integrity attacks include intercepting a money transfer and changing the amount in seemingly insignificant ways, allowing for the excess to be sent elsewhere, or altering the grades at a university to be better or worse.
- These kinds of attacks can be prevented by using a secure hashing algorithm and process when transferring data to ensure it isn't tampered with in transit.

Confidentiality

The state of keeping or being kept secret or private.
- This corner of the CIA triad is all about ensuring sensitive information does not reach unauthorized people.
- Some examples of confidentiality attacks include uploading private photos and communications onto a forum or exposing credit card numbers online.
- Confidentiality comes down to the principle of "need to know": data or info should only be made available to those who need access to it.
- Confidentiality is supported or enforced through various other measures, like encryption, authentication, etc.

After making a business decision affecting cyber security, what should the business do?

It should update its security practices to account for the risk(s) it has undertaken, and regularly confirm everyone is following the rules. This is otherwise known as governance and compliance.

What is Risk Analysis?

Understanding the risks faced by an organization, which are most severe, and which are most likely. It is the process of prioritizing threats identified in Steps 1-4 (OWASP) based on their potential impact and likelihood.
Some threats are more likely than others:
- Script kiddies are likely to be responsible for most of the attacks an organization experiences, simply because there are so many of them.
- For most organizations, organized cyber criminals aren't a major threat actor. They are more relevant to financial organizations, branches of government, and military targets.

Determining (Policy and Framework concept)

Whether GeldCorp's data collection practices are GDPR and PCI compliant.
