Module 1: Introduction to Cybersecurity Tools & Cyber Attacks Flashcards

1
Q

We’re projecting that by the year 2022, there will be 1.8 million unfilled cybersecurity jobs.

The knowledge required to deal with increasingly complex attacks keeps growing, while we have less and less time to work on them.

We’re also talking about compliance regulations like the General Data Protection Regulation from Europe (GDPR). If you don’t respond quickly enough and notify everyone who needs to be notified of a breach, it will also cost your company significant money in fines.

29/03/24

A

A SOC (security operations center) is the control center, the nerve center where we receive the security information and event management information; that’s the acronym SIEM. It refers to bringing all the alarms and security information into one place.

You want to be able to do the investigations, and in some cases that involves using all sorts of different security tools, so you may have lots of different consoles. More and more, though, we are trying to create an integrated whole, so that we can bring in the information from the data layer, the operating system layer, the network layer, the application layer and the identity layer and combine all of those in an integrated way, because in many cases the indicators of compromise occur on different systems.

2
Q

Information security, according to NIST, is the protection of information systems from unauthorized activities in order to provide Confidentiality, Integrity and Availability; these three principles are known as the CIA triad.

Confidentiality is similar or equivalent to privacy: access to resources or data must be restricted to authorized subjects only. Data encryption is a common method of ensuring confidentiality.

Integrity involves maintaining the consistency and accuracy of data over its entire life cycle. Data must not be changed in transit, for example when it is sent over the internet or a local area network, and steps must be taken to ensure that no unauthorized person or subject makes any changes to our data.

Availability requires maintenance and upgrading of hardware, software and operating system environments 24/365; basically it is about keeping business operations up and running.

A

VTER: vulnerability, threat, exploit, risk

A vulnerability is a flaw, loophole, oversight, or error that can be exploited to violate the system security policy. For example, a software or an application that has code vulnerable to a buffer overflow exploit.

A threat is an event, natural or man-made, able to cause negative impact to an organization. It could be a storm, a hurricane or a hacker.

An exploit is a defined way to breach the security of an IT system through a vulnerability. An exploit could be a piece of code available on the internet that executes such an attack against an application that happens to be vulnerable.

A risk is the probability that an event could actually happen.

3
Q

Security threats can be caused by human factors and natural factors.

Human factors are divided into internal factors and external threats. The internal factors are former employees and current employees. This is very important, because most of the attacks that are actually detected, or that are critical for an organization, come from internal factors like internal employees. Former employees are also a threat, because they used to have access to internal resources; if they are not properly offboarded and their accounts are not properly disabled, they will represent a threat to the organization.

External threats are malicious events, such as an attack coming from a specific country. These actors try to exploit vulnerabilities and find a way to get in; viruses, Trojans and worms are just different attack vectors used to compromise an organization. All of these are human factors, because they either interact with humans or they are developed by humans.

Natural factors are lightning, hurricanes, tornadoes and tsunamis. All of those are important to consider, especially when we design business continuity plans and disaster recovery strategies.

A

Roles in information security

The Chief Information Security Officer (CISO) is a fairly new role, introduced to make sure there is a head, someone in charge of the Information Security Division, to supervise, manage and lead the Information Security Tower. It is a high-level management position; this person is responsible for supervising the entire security department.

The information security analyst is more of a day-to-day analyst. This person is in charge of analyzing events, alerts, alarms and any information that could be useful to identify threats. For instance, if an IPS (Intrusion Prevention System) sends a threat alert to the SEM (Security Event Management) or SIM (Security Information Management), an information security analyst should be able to go to the SEM, get the alert, investigate the events, and even go to the IPS to understand what exactly triggered it, and then follow up on that to a resolution.

The Information Security Auditor is in charge of testing the effectiveness of computer information systems to make sure that they follow best practices and standards such as specific regulations, for instance ISO 27001 or 27002: that they follow at least the best practices defined in those regulations and that organizations are as protected as possible.

The acronym SIEM, or Security Information and Event Management, refers to technologies with some combination of Security Information Management and Security Event Management.

4
Q


From Ronald Reagan and War Games to where we are today

Ronald Reagan was a Hollywood actor, and he asked the security personnel whether something he saw in the movie War Games (in which a teenager hacked into the Pentagon system and was able to interact with it) could be real.

The impact of 9/11 on cybersecurity

As soon as 9/11 happened, a lot of people in the US government started asking how we can avoid the next 9/11, how we can avoid the next cyber threat that will cause an interruption of, for example, the lighting system, power plants or the energy system. The government tried to understand how the coordination between different parts happens, and what would happen if there were a 9/11 not in the physical world but in technology, something like the destruction of a power plant or the destruction of the electricity network in any major or important city. Right now anyone could actually start an attack using their cell phone or their computer.

He describes 6 earlier operations. The first one, Clipper Chip, was about incorporating a chip into the landlines of most US homes to try to spy on their communications; this operation didn’t receive any approval from Congress. From Edward Snowden’s leaks, we know that this operation was not only about communications over the landlines but also communications over email and any other communication method.

A

Cybersecurity Today

There is a lot of money lost in cyber attacks; cyber crime is a 100 billion business in the US alone. Cyber vulnerabilities after 9/11 have been weaponized by governments and exploited by criminals; the problem is growing rapidly as our reliance on the digital world continues to increase. There was a virus called Stuxnet that was delivered into Iran’s nuclear plants; that trojan was supposedly created by the United States and Israel. Stuxnet was used to disable uranium processing equipment in an Iranian nuclear facility.

I recommend the IBM X-Force Threat Intelligence Index report for everybody who wants to understand the current cyber security status. In 2018, the most frequently targeted industries were finance and insurance, obviously because there is a lot of money and it is necessary to protect people’s accounts or their systems, but there are a couple of other interesting industries, for example healthcare: 6% of the targets were healthcare institutions. And 15 years ago we didn’t use Twitter or Instagram and other mobile apps; now we use these apps and we have software installed on our phones, and this software may come with vulnerabilities. And attackers know that there is a big chance that those applications come with a lot of bugs. Between 2010 and 2016, 7-10k new software vulnerabilities were discovered.

5
Q

Cybersecurity Introduction

Data protection
In the past, we protected the physical infrastructure (computers, documents), but now we need to protect our tablets, phones and smartwatches, so multiple devices, and we need to protect data.

Mobile tech
We have 4G networks that practically mimic, or actually improve on, the speed of Wi-Fi. People try to replace their computers with mobile devices, so we need to be sure that those devices are secured with authentication methods to protect the data on them.

per minute stats 2018
A

Global business
Global businesses deal with a lot of offices in a lot of places in the world, so we need to protect each of those buildings and the communication between those businesses.

Multiple vendors and cloud computing
In the past, we had Dell, Lenovo, or Asus, but now we have multiple vendors that sell us routers and network equipment. Also, we have not just our PCs but also Macs, and we see computers not only with Windows but also with Linux. So we need to understand those technologies in order to protect the infrastructure and our personal lives.

datum.org
The information you have on the Internet is worth almost $1000.

6
Q

Vulnerability Assessments
A vulnerability assessment is the process of identifying, analyzing and ranking vulnerabilities in a specific environment, whereby each vulnerability is ranked according to specific criteria.

There are two points to take into consideration: many systems are shipped with known and unknown security holes in the box. For instance, this can be associated with misconfigurations, like when you get a modem and this modem has the username and password “admin”; this could be considered a vulnerability, since a hacker from the internet or a threat actor could connect to the modem, use those credentials to access it and perform malicious activity.

The vulnerability assessment tool will be able to detect that this modem has the default credentials and will flag that as a misconfiguration vulnerability, so that system management can go ahead and take the necessary actions to fix the vulnerability, in this case change the username and the password, or change the password to something stronger.

A

What is Security?
CIA triad

Confidentiality is a major principle: only the sender and the receiver can understand the message, so if it is intercepted midway, the interceptors will not be able to understand it. We will look at several mechanisms for that to happen.

Authentication and integrity is about ensuring that the message has not been changed in transit; we want to be able to ascertain whether it has been changed without detection.

Access and availability: we need to have the correct access control mechanisms in place and also have sufficient availability to allow the enterprise to operate according to specs. I am a big fan of Sun Tzu and The Art of War, in which he teaches: “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”

NIST is National Institute of Standards and Technology.

7
Q

Additional Security Challenges

The protection mechanism itself is subject to attack, so protectors have to be right all the time, while attackers only have to be right once to succeed. So there is a disproportionality.

A security professional’s job description is to take these somewhat simple requirements and decompose them into accomplishable or achievable modules. Security solutions are themselves also targets, so they can be attacked. No one likes security until it is needed (seat belt philosophy: it costs $200 to put into a vehicle, but its value is in the millions of dollars).

The sender encrypts or protects her message before putting it onto the transmission channel. A cryptographic system uses a key, and there is a corresponding key in the receiver’s domain for him to decrypt that message, so key management, the creation of those keys and their distribution, is a very complicated problem.

Security is sometimes viewed as an obstacle because it is not integrated early into the development life cycle of the project.

A

Beyond Technology: Critical Thinking in Cybersecurity
Kristin Dahl, IBM X-Force

Critical thinking is controlled, purposeful thinking directed toward a goal. It is different from daydreaming or thinking about what you have for breakfast or your to-do list; it is very controlled, purposeful thinking.

We operate in a constantly changing, very fast-paced environment, with different technologies that are changing and multiple stakeholders.

We live in the age of “google it”, where that is often our knee-jerk reaction when we’re faced with a problem. Before, we had to rely on books, libraries and slower research methods, and information was not as widely available. This wealth of information isn’t always good: more data doesn’t always equal more knowledge, and it can quickly start to overwhelm our reasoning abilities. Because of this, critical thinking, the ability to discern important information, is more important now than ever.

8
Q

Who is a good critical thinker? What are the characteristics that enable critical thinking? I did some research and couldn’t find anything that was specific to cyber security, but where this has been studied a lot is in health care, in emergency rooms.

What I’ve seen in cyber security in particular is that the most successful people are often the most curious; they’ve got a constant hunger to keep learning, to keep growing, to solve problems.

There are 4 ability areas:
1. Personal attitudes and behaviour
2. Interpersonal skills: cybersec is not a lone job, you have to work with many people and share
3. Intellectual competencies and skills
4. Technical skills

A

Critical Thinking - 5 Key Skills

1. Challenge assumptions: brainstorm and question your assumptions; unsupported assumptions are not wrong, but more data is needed
2. Consider alternative explanations: avoid becoming entrenched in only one explanation; get more people, brainstorm, consider alternatives, and consider a null hypothesis (the hypothesis in which no relationship exists between the two sets of data or variables being analyzed); use the 6 W’s framework (who, what, where, when, why, how)
3. Evaluate data: this is the crux of the scientific method; assess multiple hypotheses. Cyber data is notoriously hard to get because of policies (GDPR for example) and privacy issues; establish a baseline for what’s normal, be proactive and look for inconsistent data
4. Identify key drivers: society, supply chain, employees, threat actors, technology, regulatory; key drivers are not always technical
5. Understand context: consider the operational environment and the perspectives of managers, clients and colleagues, what they need from me; framing techniques help keep everyone on the same page

9
Q

Framing the issue - technique:

1. Key components: list key actors or categories
2. Factors at play: identify driving forces; break the problem into component parts to reveal additional insights or relationships
3. Relationships: what patterns and relationships are there, and are they static or dynamic? Graphing or sorting can help
4. Similarities and differences: are there historical analogies?
5. Re-define: reframe the problem, what we know and what we don’t know; what is the root cause?

classic example: bored people, not slow elevators
A
10
Q

Cybersecurity Organizations
Women in Cybersecurity (WiCyS)
https://www.wicys.org/about

SANS Institute
The SANS Institute is a cooperative research and education institution. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.
https://www.sans.org/

The Open Web Application Security Project (OWASP) is a nonprofit organization with a mission to make security visible to everyone and to focus on improving the security of software.

A

Information Systems Security Association (ISSA): membership is required to access most ISSA resources. You can review the benefits of becoming a member, search for a local chapter near you and take a look at the chapter’s website.
https://www.issa.org/

FIRST - Forum of Incident Response and Security Teams
https://www.first.org/membership/benefits

Cybersecurity Ventures is the home of Cybercrime Magazine, which will give you some of the latest information about what is happening in cybersecurity today.
