IBM Cybersecurity Architecture #1: 5 Principles

Question 1

What are the 5 security principles?

Answer 1

1. Defense in depth
2. Least privilege
3. Separation of Duties
4. Security by Design
5. KISS

Question 2

Defense in Depth

Answer 2

Trying to create an obstacle course.

Castle example: moat, drawbridge, keep, towers, etc.

Multifactor auth, mobile device management software (right patches, right password) EDR (endpoint detection response capability, next gen antivirus software), firewalls on web server, vulnerability testing on web and app server. Access controls on the database.

NO SINGLE POINT OF FAILURE (SPOF)

Question 3

Least Privilege

Answer 3

Only give access to people who need it and for only as long as they need it.

Constantly go back and perform audits to make sure they still need it.

Harden the system. say a webserver runs http by default, but also turns on ftp and ssh service so people can log in remotely. If you don’t absolutely need those, remove them entirely. Minimize the attack surface. Can also remove all unnecessary IDs on the system, and change the default IDs (ie change admin to another name so peopel can’t guess it)

Privilege Creep Giving people permissions they don’t need “Just in Case” which is the opposite of least priv. Should do an annual recertification campaign and make sure users need what we’re giving them.

Question 4

Separation of Duties

Answer 4

No single point of control, force collusion from multiple bad actors to break into the system. IE two keys required.

Req > Approval > Action.

Requester is not the same as the approver. Create necessary collusion.

Question 5

Secure by design

Answer 5

Factor security in from the beginning, design through completion. Don’t wait until application is finished to do security.

Whose job is security? Everyone from designer to administrator to user.

Question 6

KISS

Answer 6

Security by complexity/obscurity is not good because people will just subvert the process.

If it’s harder to do the right thing than the wrong thing, people will just find shortcuts.

COMPLEXITY IS THE ENEMY OF SECURITY

Make sure defense in depth obstacle course only obstructs bad guys, not good guys.

Question 7

Security by Obscurity

Answer 7

secrecy !== security.

Kerckhoff’s principle: crypto system should be secure if you know everything about it except the key.

We don’t want black box security because people will still break it even if they don’t know how it works.

Question 8

CIA Triad

Answer 8

Confidentiality, integrity, availability

Question 9

CIA: Confidentiality

Answer 9

Authorization (MFA), access control (role based access control), encryption (turn message into string of bits, then turn it back on the other side).

Question 10

CIA: Integrity

Answer 10

An action or message is true to itself.

Need technologies to know if things have been tampered with.

Digital signatures, cryptographic functions, and MACs (message authentication codes).

It’s like blockchain, where there’s a distributed ledger we all have access to. We can always see if someone attempts to modify a record.

Question 11

**

CIA: Availability

Answer 11

Resources should be available to authorized users.

Flooding the system with transaction requests (DoS and DDoS) will make the data unavailable.

Older technique of syn flood. Disrupt the 3 way handshake: send a syn message, just acknolwedgment back from server, and they respond with synack.

Server will reserve sources for session in anticipation. Basically the ding dong ditch of cybersecurity.

Question 12

1. Business context diagram

Answer 12

Shows relationships among different entities in the system, buyer, building, marketing team, and tradesmen (builders).

Question 13

2.System context diagram

Answer 13

Project management in the middle, with finance, blueprints, GUI (graphical user interface), and permit system.

Example of how IT system might look.

Question 14

3.Architecture overview diagram

Answer 14

Project database, scheduler, reports, and alerts

Question 15

NIST CSF (national institute of standards cybersecurity framework)

Answer 15

Like the building codes for architecture, spells out

Identify: what you need to do to identify users

Protect: how you will protect things

Detect: how to detect when you have problems.

Respond: How will you respond when you’ve detected a problem.

Recover: how you will get the system back to normal.

Question 16

Cybersecurity lifecycle

q

Answer 16

We want security to be done at the beginning in the risk analysis phase, not during the architecture or implementation phase.

Question 17

4 As of IAM (Identity and Access Management)

Answer 17

Identity is your perimeter defense

Administration (what rights do you have), authentication (you are who you say you are), authorization (you can do what you want to do), and auditing (we got back and see we did the previous 3 A’s correctly).

Question 18

LDAP

Answer 18

Lightweight directory access protocol. Database with schema for users and their permissions.

Question 19

Directories and role based access for company

Answer 19

Most companies will have multiple directories for things like email, crm, scm, etc.

Synced directories, meta directory, or

virtual directory that knows where to find info in other directories.

meta directory where most important info is prefetched into an enterprise directory.

Question 20

Admin / Identity Governance

Answer 20

Creating, updating, and changing account levels.

Question 21

Auth is…

Answer 21

Something you know (password), something you have (phone), something you are (biometric face/finger print).

The best systems don’t rely on a single one of these factors (multi factor auth).

Passwordless is the way of the future.

Question 22

SSO

Answer 22

Single sign on system.

A Single Sign-On (SSO) system is an authentication mechanism that allows users to access multiple applications or services using a single set of credentials (such as username and password). Instead of having separate login credentials for each application, users can authenticate once and gain access to all authorized resources without needing to re-enter their credentials for each application.

Question 23

Authorization

Answer 23

What are you allowed to do?

Risked basked authorizaiton, adaptive authorization.

Location: Maybe you can do this but not from an unknown location.

Risk Based: More restrictions for important transactions, easy to check bank balance, harder to transfer funds.

Frequency: You can do something, but if do it a lot it requires more access.

Question 24

Privileged Account/Access Management (PAM)

Answer 24

Users with root level access, sysadmin, database/network admin. People with keys to the kingdom, requires additional verficiation.

One method is to set all passwords the same thing because they have the same password for potentially dozens if not hundreds of systems.

What happens if one employee leaves the company? What happens if something goes wrong, who did it? They can all point to the other guy.

Typical practice but not the best practice, this is where PAM system comes in. Users won’t log into system, they log into PAM system, which will then give them universal access.

PAM system will automatically change passwords to other systems when admin users are done with them to keep them secure.

Question 25

Audit / UBA

Answer 25

Logging the access and activity of all users. Tracking certain patterns and sequences of actions with user behavior analytics (UBA) and machine learning.

Question 26

CIAM

Answer 26

Consumer identity and access management. CIAM systems provide capabilities for managing customer identities throughout their lifecycle, from registration and authentication to profile management and account recovery. This includes features such as self-registration, social login, password management, and profile customization.

Question 27

What is an endpoint?

Answer 27

Different platforms, could be a server, desktop, laptop, mobile device, IoT (Internet of things). Can be business or personal. All of these devices contribute to the attack surface. Also a software view of this, across these devices we have different OS's.

Question 28

Endpoint management, typical practices. What is the problem here?

Answer 28

Many different endpoints and different systems. People logging in on desktop, mobile, IoT. Multiple experts managing different domains. You want to implement a single security policy from one console. One administrator who does this across all different platforms. A console you can push down policies and patches while getting info and alerts from the various systems. VISIBILITY AND CONTROL. Holistic endpoing security management system

Question 29

What should we look for in a holistic endpoint security management solution? What policies should we enforce?

Answer 29

Inventory - system should be able to tell you what different systems you have. what the hardware and software level is on each. Security Policy - Dictates what hardware and software will be allowed on the IT systems. Eg the current patch (n) and the last patch (n-1), nothing else is allowed. Password of certain length. Patching - Policy on getting the latest patches. Encryption - Data on devices should be encrypted in case they got stolen or lost. Remote Wipe - Ability to wipe all data on lost devices. Location Tracking - Track whereabouts of devices. Antivirus (AV) and EDR (Endpoint detection response) - make sure we don't have malware on the systems. Disposal - how do we get rid of the devices in a way that doesn't expose our information?

Question 30

BYOD (bring your own device) BYOIT (bring your own IT) BYOC (bring your own cloud)

Answer 30

These programs are either well defined, poorly defined, or unsanctioned (which is also poorly defined). SO much better to say "how" than "no" because people will often end up using their own devices anyway. **Consent:** People need to understand what we'll do to the personal devices they use on the job. How you're using the system, reserve the right to remotely wipe the device and remove data (can be a selective wipe). **Software:** What level is required (current, n, n-1), what pieces of software must be on your system (eg antivirus)? Also there are some things you should never have. **Hardware:** The types of acceptable and supported devices. **Services:** Things like auth, cloud service you use, etc.

Question 31

Network Security: Firewalls, packet filtering

Answer 31

Comes from a physical firewall, like in connected townhouses. Creates isolation and protection from a dangerous event. Interal and external firewall. Packet filtering: Users send a packet when arriving, in the header they send information like their source address (coming from), their destination, and the port they want to use. The firewall can then do packet filtering based on what's in the header of that packet. Can look at port 80 (standard for unencrypted internet traffic), will also allow encrypted traffic (TLS, SSL). But can also say source address has to be in the range of the external interent, don't want someone to be spoofing and pretend their coming from the inside. But can say they can only go directly to server, cannot go to database. Second firewall is between the web server and the database. Will only allow traffic from the web server. While packet filtering is a fundamental aspect of firewall functionality, **modern firewalls often incorporate additional features such as stateful inspection, intrusion detection and prevention, VPN support, and application-layer filtering to provide comprehensive security capabilities.**

Question 32

Stateful packet inspection

Answer 32

Packet filtering generally only looks at header, but in this case we look at the full packet and payload. **"opening the envelope"** not just seeing the to and the from, but also see the contents. Stateful Packet Inspection (SPI) is a firewall technology that enhances network security by monitoring the state of active connections and inspecting packet contents. **Unlike traditional packet filtering, SPI maintains a state table to track the state of connections, enabling it to make context-aware decisions based on the relationship between packets and connections.** By examining both packet headers and payloads, SPI firewalls can enforce granular security policies, dynamically create rules, and adapt to changing network conditions in real-time. This approach provides more effective protection against various threats, including unauthorized access attempts, denial-of-service attacks, and malicious content, making SPI a critical component of modern network security architectures.

Question 33

Proxy

Answer 33

Server in the middle, inserted in order to inspect the traffic and enforce rules. Can also be inserted for privacy reasons.

Question 34

Network address translation (NAT)

Answer 34

Very common thing to have in home routers, essentially a firewall. By convention, we have agreed that there is a range of addresses that are routable across the internet, and a range that are not routable. If it starts with a 10 or 192, it's for intranet (home), and not routable across the internet. NAT is for translating your internal address into an address that can go on the internet. NAT firewall maintains the table, converts outgoing traffic into a single IP address for that router. Then the NAT box can also translate the other way with incoming data. Prevents someone from getting from outisde directly inside your internal network.

Question 36

Segmentation

Answer 36

How can we apply firewalls throughout our architecture to achieve various levels of security? **Bastion host:** outdated but viable in early days of internet. Single firewall. Put our web server on the internet because don't want our intranet (internal network) to be exposed to the internet. **Tri-Homed:** Divided into three distinct zones (network interface cards): the external, internal, and demilitarized zones (DMZ). Each zone serves a specific purpose and has its own security policies and access controls. The external zone connects to the internet or other external networks, the internal zone houses internal resources and users, and the DMZ acts as a buffer zone between the external and internal networks, containing publicly accessible services such as web servers or email servers. By segregating network traffic into different zones and implementing appropriate security measures, such as firewalls, intrusion detection systems, and access controls, trihomed networks help organizations optimize security and protect sensitive data from unauthorized access or external threats while facilitating necessary communication between different network segments. Low cost and scalable, but is a single point of failure. **Basic DMZ:** Uses 2 firewalls, more complex because there are different rules to administer for each firewall. Red zone (external), yellow zone (DMZ), and green zone (internal). Provide defense in depth, not relying on single security mechanism. For example, even if external firewall fails, they still can't get in because you can say that traffic coming to internal network has to be coming from the DMZ. **Mulit-tiered DMZ:** Same as basic, but the web server, application server, and database are all split by firewalls. Implements a third firewall. More costly and complex, but more defense and greater granularity.

Question 37

VPNs

Answer 37

Designed to give us a secure channel or an untrusted network. Accomplish that by encrypting data to keep it confidential, people can't see it as a packet. Also called a pipe or tunnel. Secure connection from computer to server. Causes limited inspection capability, also means bad guy can send traffic without everybody seeing it.

Question 38

Seven Layer OSI common defenses

Answer 38

For every packet you send, there are different concerns and aspects implemented at different layers. Implementing a security layer at the lower layer will also benefit the upper layers as well. Application Layer: SSH (secure shell) or FTP, application specific VPN. Encrypts the data so you can connect into another device or console. Transport Layer: TLS (transport layer security) or SSL (secure socket layer), Network Layer: IPSEC, everything between two network addresses will be encrypted. Data Link: PPTP (point to point tunneling protocol), and L2TP (layer 2 tunneling protocol).

Question 39

Seven Layer OSI

Answer 39

Sure, here's a brief overview of each layer of the OSI model: **Physical Layer:** The physical layer deals with the **physical transmission of data over the network medium, including specifications for cables**, connectors, and signaling. **Data Link Layer:** The data link layer provides error detection and correction as well as **framing to organize bits into frames for transmission over the physical layer.** **Network Layer:** The network layer is responsible for **routing packets across different networks**, addressing, and logical addressing, **allowing data to be delivered between different networks.** **Transport Layer:** The transport layer ensures **reliable end-to-end communication between devices,** including flow control, error recovery, and segmentation/ reassembly of data. **Session Layer:** The session layer **establishes, maintains, and terminates connections between applications**, managing session synchronization and ensuring data integrity during communication sessions. **Presentation Layer:** The presentation layer **handles data formatting, encryption/decryption, and data compression,** translating data into a format that applications can understand. **Application Layer:** The application layer **provides network services directly to end-users, including protocols for email (SMTP), web browsing (HTTP), file transfer (FTP), and remote access (SSH), among others.**

Question 40

App specific VPN

Answer 40

Moving away from broad network vpn's to app specific VPNs. Network vpn's are simple but app vpn can be granular. Can have vpn for email, fire sharing application.

Question 41

SASE

Answer 41

Secure access server edge. Creates a secure capability delivered on the edge. Intersection of network, security, and cloud. Basically network security plus WAN (wide area network) delivered from the cloud.

Question 42

Zero trust

Answer 42

Zero trust is a cybersecurity framework that assumes no trust in users, devices, or networks, and requires continuous authentication, strict access controls, and least privilege principles to protect against internal and external threats.

Question 43

SASE: NetSec, WAN, Cloud, ID

Answer 43

NetSec: Firewalls, secure web gateways (app specific firewalls) and DLP (data loss prevention). WAN - dynamic network where you can change what the boundries of the network are. Cloud - can let us scale up and down, elasticity and agility. ID - Authn and authz Modern way of delivering capaibilities when in the past each one would have a been separate components administered by separate people.