CBROPS 200-201: Chapter 1 - Cybersecurity Fundamentals

Cisco Cyberops Associate CBROPS 200-201 Official Cert Guide, by Omar Santos, Cisco Press, 2021, pp. 2–80.


1. What is an Exploit?

1.1. An exploit refers to a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability that leads to access, privilege escalation, loss of integrity, or denial of service on a computer system.

1.2. Zero-Day Exploit

1.2.1. Sometimes a vulnerability is exploited before anyone even knows it exists. That is known as a zero-day exploit.

2. Threat Intelligence

2.1. Threat intelligence is referred to as knowledge about an existing or emerging threat.

2.2. Includes

2.2.1. Context

2.2.2. Mechanisms

2.2.3. Indicators of Compromise (IoCs)

2.2.4. Implications

2.2.5. Actionable Advice

3. White, Black, & Gray Hat Hackers

3.1. White Hat

3.1.1. These individuals perform ethical hacking to help secure companies and organizations. Their belief is that you must examine your network in the same manner as a criminal hacker to better understand its vulnerabilities.

3.2. Black Hat

3.2.1. These individuals perform illegal activities, such as organized crime.

3.3. Gray Hat

3.3.1. These individuals usually follow the law but sometimes venture over to the darker side of black hat hacking. It would be unethical to employ these individuals to perform security duties for your organization because you are never quite clear where they stand.

4. Threat Intelligence Standards (STIX, TAXII, CybOX, OpenIOC, etc.)

4.1. Structured Threat Information eXpression (STIX)

4.1.1. This expression language is designed for sharing cyberattack information. STIX details can contain data such as the IP addresses or domain names of command and control servers (often referred to as C2 or CnC), malware hashes, and so on. STIX was originally developed by MITRE and is now maintained by OASIS. You can obtain more information at STIX - Structured Threat Information Expression (Archive) | STIX Project Documentation.

4.2. Trusted Automated eXchange of Indicator Information (TAXII)

4.2.1. This open transport mechanism standardizes the automated exchange of cyber threat information. TAXII was originally developed by MITRE and is now maintained by OASIS. You can obtain more information at Trusted Automated eXchange of Indicator Information (TAXII™) | TAXII Project Documentation.

4.3. Cyber Observable eXpression (CybOX)

4.3.1. This free standardized schema is used for specification, capture, characterization, and communication of events of stateful properties that are observable in the operational domain. CybOX was originally developed by MITRE and is now maintained by OASIS. You can obtain more information at CybOX - Cyber Observable Expression | CybOX Project Documentation.

4.4. Open Indicators of Compromise (OpenIOC)

4.4.1. This open framework is used for sharing threat intelligence in a machine-digestible format.

4.5. Open Command & Control (OpenC2)

4.5.1. This language is used for the command and control of cyber-defense technologies. OpenC2 Forum was a community of cybersecurity stakeholders that was facilitated by the U.S. National Security Agency. OpenC2 is now an OASIS technical committee (TC) and specification. You can obtain more information at www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2

5. SQL Injection

5.1. SQL injection (SQLi) vulnerabilities can be catastrophic because they can allow an attacker to view, insert, delete, or modify records in a database. In an SQL injection attack, the attacker inserts or injects, partial or complete SQL queries via the web application. The attacker injects SQL commands into input fields in an application or a URL to execute predefined SQL commands.

5.2. Out-of-band SQL Injection

5.2.1. With this type of injection, the attacker retrieves data using a different channel. For example, an email, a text, or an instant message could be sent to the attacker with the results of the query. Alternatively, the attacker might be able to send the compromised data to another system.

5.3. In-Band SQL Injection

5.3.1. With this type of injection, the attacker obtains the data by using the same channel that is used to inject the SQL code. This is the most basic form of an SQL injection attack, where the data is dumped directly in a web application (or web page).

5.4. Blind (inferential) SQL injection

5.4.1. With this type of injection, the attacker does not make the application display or transfer any data; rather, the attacker is able to reconstruct the information by sending specific statements and discerning the behavior of the application and database.
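The in-band case above, as an added example that is not from the book: the same login query written with string concatenation (vulnerable) and with a parameterized query (hardened), run against a constructed in-memory SQLite table so the difference in returned rows is visible. Table contents and the `login_*` function names are assumptions for the illustration.

```python
import sqlite3

# Constructed sample data (not from the page): a tiny users table.
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
    ("carol", "s3cret-carol"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """In-band SQLi: user input is concatenated into the query text, so the
    database parses attacker-supplied characters as SQL. The rows come back on
    the same channel (the web response) that carried the injected input."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized query: the SQL text is fixed before the input arrives and
    the driver passes the input as data, never as query syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo() -> dict:
    """Run both versions with a legitimate login and with a tautology in the
    password field, which makes the vulnerable WHERE clause always true."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret-alice"),
        "legit_safe": login_safe(conn, "alice", "s3cret-alice"),
        # Vulnerable path: every user is returned without a valid password.
        "attack_vulnerable": login_vulnerable(conn, "nobody", tautology),
        # Safe path: the tautology is just a wrong password string.
        "attack_safe": login_safe(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```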

6. Identifying authentication-based vulnerabilities

6.1. Credential brute forcing

6.2. Session hijacking

6.3. Redirecting

6.4. Exploiting default credentials

6.5. Exploiting weak credentials

6.6. Exploiting Kerberos vulnerabilities

7. Network Firewalls

7.1. Network-based firewalls provide key features that are used for perimeter security.

7.2. These features include Network Address Translation (NAT), access control lists, and application inspection. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules.

7.3. Techniques

7.3.1. Simple packet-filtering techniques

7.3.2. Application proxies

7.3.3. Network Address Translation

7.3.4. Stateful inspection firewalls

7.3.5. Next-generation context-aware firewalls

8. Extended ACLs

8.1. The most commonly deployed ACLs.

8.2. Packet Classification

8.2.1. Source and destination IP addresses

8.2.2. Layer 3 protocols

8.2.3. Source and/or destination TCP and UDP ports

8.2.4. Destination ICMP type for ICMP packets

9. Network Address Translation (NAT)

9.1. Several Layer 3 devices can supply Network Address Translation (NAT) services. The Layer 3 device translates the internal host’s private (or real) IP addresses to a publicly routable (or mapped) address. By using NAT, the firewall hides the internal private addresses from the unprotected network and exposes only its own address or public range.

10. Static Translation

10.1. A different methodology is used when hosts in the unprotected network need to initiate a new connection to specific hosts behind the NAT device. You configure the firewall to allow such connections by creating a static one-to-one mapping of the public (mapped) IP address to the address of the internal (real) protected device. For example, static NAT can be configured when a web server resides on the internal network and has a private IP address but needs to be contacted by hosts located in the unprotected network or the Internet.

11. Demilitarized Zones (DMZs)

11.1. Firewalls can be configured to separate multiple network segments (or zones), usually called demilitarized zones (DMZs). These zones provide security to the systems that reside within them with different security levels and policies between them.

12. Application-Based segmentation & Micro-segmentation

12.1. Cisco Application Centric Infrastructure (ACI)

12.1.1. Provides micro-segmentation capabilities. Micro-segmentation in Cisco ACI can be accomplished by integrating with vCenter or Microsoft System Center Virtual Machine Manager (SCVMM), Cisco ACI API (controller), and leaf switches.

12.2. Endpoint Groups (EPGs)

12.2.1. Cisco ACI allows organizations to automatically assign endpoints to logical security zones called endpoint groups (EPGs).

12.3. μSeg EPGs

12.3.1. A micro-segment in ACI. You can apply policies to these segments based on attributes. Applying attributes to μSeg EPGs enables you to apply forwarding and security policies with greater granularity than you can to EPGs without attributes. Attributes are unique within the tenant.

13. Advanced Malware Protection (AMP)

13.1. Cisco provides advanced malware protection capabilities for endpoint and network security devices.

14. Cisco Email Security Appliance (ESA)

14.1. Users are no longer accessing email only from the corporate network or from a single device. Cisco provides cloud-based, hybrid, and on-premises solutions based on the Email Security Appliance (ESA) that can help protect any dynamic environment.

14.2. Features

14.2.1. Access Control

14.2.2. Anti-Spam

14.2.3. Network Antivirus

14.2.4. Advanced Malware Protection (AMP)

15. Security cloud-based solutions

15.1. Cisco Cloud Email Security (CES)

15.2. Cisco AMP Threat Grid

15.3. Cisco Threat Awareness Service

15.4. Umbrella (formerly OpenDNS)

15.5. Stealthwatch Cloud

15.6. CloudLock

16. Umbrella (OpenDNS)

16.1. Cisco acquired a company called OpenDNS that provides DNS services, threat intelligence, and threat enforcement at the DNS layer.

16.2. OpenDNS has a global network that delivers advanced security solutions (as a cloud-based service) regardless of where Cisco customer offices or employees are located. This service is extremely easy to deploy and easy to manage.

17. Cisco Netflow

17.1. NetFlow is a Cisco technology that provides comprehensive visibility into all network traffic that traverses a Cisco-supported device.

17.2. Original Usage

17.2.1. NetFlow was initially created for billing and accounting of network traffic and to measure other IP traffic characteristics such as bandwidth utilization and application performance. NetFlow has also been used as a network capacity planning tool and to monitor network availability.

17.3. Security Usage

17.3.1. Used as a network security tool because its reporting capabilities provide nonrepudiation, anomaly detection, and investigative capabilities. As network traffic traverses a NetFlow-enabled device, the device collects traffic flow data and provides a network administrator or security professional with detailed information about such flows.

18. The Principles of the Defense-in-Depth Strategy

18.1. A layered and cross-boundary “defense-in-depth” strategy is what is needed to protect your network and corporate assets.

18.2. Layers

18.2.1. Nontechnical activities

18.2.1.1. Nontechnical activities such as appropriate security policies and procedures and end-user and staff training.

18.2.2. Physical Security

18.2.2.1. Physical security controls, including cameras, physical access control (such as badge readers, retina scanners, and fingerprint scanners), and locks.

18.2.3. Network Security

18.2.3.1. Network security best practices, such as routing protocol authentication, control plane policing (CoPP), network device hardening, and so on.

18.2.4. Host Security

18.2.4.1. Host security solutions such as advanced malware protection (AMP) for endpoints, antiviruses, and so on.

18.2.5. Application Security

18.2.5.1. Application security best practices such as application robustness testing, fuzzing, defenses against cross-site scripting (XSS), cross-site request forgery (CSRF) attacks, SQL injection attacks, and so on.

18.2.6. Data network traversal

18.2.6.1. You can employ encryption at rest and in transit to protect data.

18.3. Role-based Network Security Approach

18.3.1. When applying defense-in-depth strategies, you can also look at a roles-based network security approach for security assessment in a simple manner. Each device on the network serves a purpose and has a role; subsequently, you should configure each device accordingly.

18.3.2. Planes

18.3.2.1. Management

18.3.2.1.1. This is the distributed and modular network management environment.

18.3.2.2. Control

18.3.2.2.1. This plane includes routing control. It is often a target because the control plane depends on direct CPU cycles.

18.3.2.3. User/Data

18.3.2.3.1. This plane receives, processes, and transmits network data among all network elements.

18.3.2.4. Services

18.3.2.4.1. This is the Layer 7 application flow built on the foundation of the other layers.

18.3.2.5. Policies

18.3.2.5.1. This plane includes the business requirements. Cisco calls policies the “business glue” for the network. Policies and procedures are part of this section, and they apply to all the planes in this list.

19. Confidentiality, Integrity, & Availability: The CIA Triad

19.1. Confidentiality

19.1.1. The ISO 27000 standard has a very good definition: “confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.”

19.2. Integrity

19.2.1. Integrity is the ability to make sure that a system and its data have not been altered or compromised. It ensures that the data is an accurate and unchanged representation of the original secure data.

19.3. Availability

19.3.1. Availability means that a system or application must be “available” to authorized users at all times. According to the CVSS Version 3 specification, the availability metric “measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.”

20. Defining PHI

20.1. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations and providers to adopt certain security regulations for protecting health information.

20.2. The Privacy Rule calls this information “protected health information,” or PHI.

20.3. Examples

20.3.1. An individual’s name (that is, patient’s name)

20.3.2. All dates directly linked to an individual, including date of birth, death, discharge, and administration

20.3.3. Telephone and fax numbers

20.3.4. Email addresses

20.3.5. Geographic subdivisions such as street addresses

20.3.6. ZIP codes and county

20.3.7. Medical record numbers and health plan beneficiary numbers

20.3.8. Certificate numbers or account numbers

20.3.9. Social security number

20.3.10. Driver license number

20.3.11. Biometric identifiers, including voice or fingerprints

20.3.12. Photos of the full face or recognizable features

20.3.13. Any unique number-based code or characteristic

20.3.14. The individual’s past, present, and future physical or mental health or condition

20.3.15. The provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual

21. Security Operations Centers (SOCs)

21.1. Are facilities where an organization’s assets, including applications, databases, servers, networks, desktops, and other endpoints, are monitored, assessed, and protected.

21.2. Addresses these security concerns

21.2.1. How can you detect a compromise in a timely manner?

21.2.2. How do you triage a compromise to determine the severity and the scope?

21.2.3. What is the impact of the compromise to your business?

21.2.4. Who is responsible for detecting and mitigating a compromise?

21.2.5. Who should be informed or involved, and when do you deal with the compromise once detected?

21.2.6. How and when should you communicate a compromise internally or externally, and is that needed in the first place?

21.3. SOCs need these in order to be effective

21.3.1. Executive sponsorship

21.3.2. SOC operating as a program. Organizations should operate the SOC as a program rather than a single project.

21.3.3. A governance structure

21.3.4. Effective team collaboration

21.3.5. Access to data and systems

21.3.6. Applicable processes and procedures

21.3.7. Team skill sets and experience

21.3.8. Budget (for example, will it be handled in-house or outsourced?)

22. Digital Forensics

22.1. Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court.”) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.

22.2. Examples

22.2.1. Computers

22.2.2. Smartphones

22.2.3. Tablets

22.2.4. Network Infrastructure Devices

22.2.5. Network Management Systems

22.2.6. Printers

22.2.7. IoT Devices

23. Definitions

23.1. network firewalls

23.1.1. A firewall that provides key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules. Firewalls are often deployed in several other parts of the network to provide network segmentation within the corporate infrastructure and also in data centers.

23.2. Access Control Lists (ACLs)

23.2.1. Devices that can enable ACLs

23.2.1.1. Firewalls

23.2.1.2. Routers

23.2.1.3. Switches

23.2.1.4. Wireless LAN Controllers (WLCs)

23.2.2. A set of predetermined rules against which stateful and traditional firewalls can analyze packets and judge them.

23.2.3. Judges based on

23.2.3.1. Source Address

23.2.3.2. Destination Address

23.2.3.3. Source Port

23.2.3.4. Destination Port

23.2.3.5. Protocol

23.3. Network Address Translation (NAT)

23.3.1. A method often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT. By using NAT, the firewall hides the internal private addresses from the unprotected network and exposes only its own address or public range. This enables a network professional to use any IP address space as the internal network.

23.4. Data Loss Prevention (DLP)

23.4.1. A software or cloud solution for making sure that corporate users do not send sensitive or critical information outside the corporate network.

23.5. Advanced Malware Protection (AMP)

23.5.1. A Cisco solution for detecting and mitigating malware in the corporate network.

23.6. Intrusion Prevention System (IPS)

23.6.1. A network security appliance or software technology that inspects network traffic to detect and prevent security threats and exploits.

23.7. Netflow

23.7.1. Cisco technology that provides comprehensive visibility into all network traffic that traverses a Cisco-supported device.

23.7.2. NetFlow is used as a network security tool because its reporting capabilities provide nonrepudiation, anomaly detection, and investigative capabilities.

23.7.3. As network traffic traverses a NetFlow-enabled device, the device collects traffic flow data.

23.8. Security Information and Event Manager (SIEM)

23.8.1. A specialized device or software for security event management.

23.8.2. Provides these capabilities

23.8.2.1. Log Collection

23.8.2.2. Normalization

23.8.2.3. Aggregation

23.8.2.4. Correlation

23.8.2.5. Built-in Reporting

23.9. Security Orchestration, Automation, and Response (SOAR)

23.9.1. A system that provides automation and security orchestration capabilities for the security operations center (SOC).

23.10. Common Vulnerabilities & Exposures (CVE)

23.10.1. A dictionary of vulnerabilities and exposures in products and systems maintained by MITRE. A CVE-ID is the industry standard method to identify vulnerabilities.

23.11. Common Vulnerability Scoring System (CVSS)

23.11.1. An industry standard used to convey information about the severity of vulnerabilities.

23.12. Common Weakness Enumeration (CWE)

23.12.1. A specification developed and maintained by MITRE to identify the root cause (weaknesses) of security vulnerabilities. You can obtain the list of CWEs from cwe.mitre.org.

23.13. Common Weakness Scoring System (CWSS)

23.13.1. A specification developed and maintained by MITRE to provide a way to prioritize software weaknesses that can introduce security vulnerabilities. You can obtain the list of CWSS from cwe.mitre.org/cwss.

23.14. Structured Threat Information Expression (STIX)

23.14.1. A standard used to create and share cyber threat intelligence information in a machine-readable format.

23.15. Trusted Automated Exchange of Indicator Information (TAXII)

23.15.1. A standard that provides a transport mechanism (data exchange) of cyber threat intelligence information in STIX format. In other words, TAXII servers can be used to author and exchange STIX documents among participants.

23.16. Cyber Observable eXpression (CybOX)

23.16.1. A standard to document cyber threat intelligence observables in a machine-readable format. The OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) decided to merge the CybOX and the Structured Threat Information Expression (STIX) specifications into one standard. CybOX objects are now called STIX Cyber Observables. You can find additional information about the migration of CybOX to STIX at https://oasis-open.github.io/cti-documentation/stix/compare.html.

23.17. Indicator of Compromise (IoC)

23.17.1. One aspect of threat intelligence, which is the knowledge about an existing or emerging threat to assets, including networks and systems.

23.18. Script Kiddies

23.18.1. People who use existing “scripts” or tools to hack into computers and networks; however, they lack the expertise to write their own scripts.

24. Cybersecurity vs. Information Security (InfoSec)

24.1. InfoSec

24.1.1. In the past, information security programs and policies were designed to protect the confidentiality, integrity, and availability of data within the confines of an organization.

24.2. Cybersecurity

24.2.1. Is the process of protecting information by preventing, detecting, and responding to attacks. Builds upon traditional InfoSec.

24.2.2. Includes

24.2.2.1. Cyber risk management

24.2.2.2. Threat Intelligence & information sharing

24.2.2.3. Threat Hunting

24.2.2.4. Third-party organization

24.2.2.5. Software, & Hardware Dependency Management


25. What is a vulnerability?

25.1. A vulnerability is a weakness in the system design, implementation, software, or code or the lack of a mechanism.

26. What is a threat?

26.1. A threat is any potential danger to an asset.

27. Threat Intelligence Platform (TIP)

27.1. Many organizations deploy their own threat intelligence platforms (TIPs) to aggregate, correlate, and analyze threat intelligence information from multiple sources in near real-time.

27.2. Supports

27.2.1. Threat intelligence collection

27.2.2. Data correlation

27.2.3. Enrichment and contextualization

27.2.4. Analyze

27.2.5. Integrations with other security systems

27.2.6. Act

28. Command Injection

28.1. A command injection is an attack in which an attacker tries to execute commands that she is not supposed to be able to execute on a system via a vulnerable application. Command injection attacks are possible when an application does not validate data supplied by the user (for example, data entered in web forms, cookies, HTTP headers, and other elements). The vulnerable system passes that data into a system shell.

29. Cross-Site Scripting

29.1. Reflected XSS

29.1.1. Reflected XSS attacks (nonpersistent XSS) occur when malicious code or scripts are injected by a vulnerable web application using any method that yields a response as part of a valid HTTP request. An example of a reflected XSS attack is a user being persuaded to follow a malicious link to a vulnerable server that injects (reflects) the malicious code back to the user’s browser.

29.2. Stored/Persistent XSS

29.2.1. Stored, or persistent, XSS attacks occur when the malicious code or script is permanently stored on a vulnerable or malicious server, using a database. These attacks are typically carried out on websites hosting blog posts (comment forms), web forums, and other permanent storage methods.

29.3. DOM-based XSS

29.3.1. In a DOM-based XSS attack, the attacker sends a malicious URL to the victim, and after the victim clicks on the link, it may load a malicious website or a site that has a vulnerable DOM route handler. After the vulnerable site is rendered by the browser, the payload executes the attack in the user’s context on that site.

29.4. XSS is typically found

29.4.1. Search fields that echo a search string back to the user

29.4.2. HTTP headers

29.4.3. Input fields that echo user data

29.4.4. Error messages that return user-supplied text

29.4.5. Hidden fields that may include user input

29.4.6. Applications (or websites) that display user-supplied data
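The reflected case above (a search string echoed back into the page), as an added example that is not from the book: the same fragment rendered without and with output encoding, plus a small parser-based check that counts how many `<script>` elements or `on*` event attributes survive in the response. The page fragment and the probe string are constructed for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed page fragment (not from the book): the search term is echoed
# once in text context and once inside a quoted attribute.
SEARCH_FRAGMENT = (
    "<p>Results for: {term}</p>\n"
    '<input name="q" value="{term}">'
)


def render_vulnerable(term: str) -> str:
    """Reflected XSS: the request parameter is copied into the response
    unchanged, so markup in the request becomes markup in the page."""
    return SEARCH_FRAGMENT.format(term=term)


def render_safe(term: str) -> str:
    """Output encoding: html.escape(quote=True) converts & < > " ' to entities,
    which keeps the term inside the text node or the quoted attribute value."""
    return SEARCH_FRAGMENT.format(term=html.escape(term, quote=True))


class ActiveContentCounter(HTMLParser):
    """Counts script elements and inline event-handler attributes, the two
    ways injected markup typically turns into executing code."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def count_active_content(page: str) -> tuple:
    """Return (script_tags, event_handlers) found in a rendered page."""
    parser = ActiveContentCounter()
    parser.feed(page)
    parser.close()
    return (parser.script_tags, parser.event_handlers)


# Constructed harmless probe: closes the attribute, then opens a script tag.
PROBE = '"><script>probe()</script>'

if __name__ == "__main__":
    print("vulnerable:", count_active_content(render_vulnerable(PROBE)))
    print("safe:      ", count_active_content(render_safe(PROBE)))
```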

30. Cross-Site Request Forgery (CSRF or XSRF)

30.1. Attacks occur when unauthorized commands are transmitted from a user who is trusted by the application. CSRF attacks are different from XSS attacks because they exploit an application's trust in a user’s browser. CSRF vulnerabilities are also referred to as one-click attacks or session riding.

31. OWASP Top 10

31.1. OWASP lists the top 10 most common vulnerabilities against applications at the following address: www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

32. Access Control Lists (ACLs)

32.1. Are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources.

32.2. Access Control Entry (ACE)

32.2.1. Each entry of an ACL is referred to as an access control entry (ACE).

32.3. Packet Classification

32.3.1. Layer 2 protocol information such as EtherTypes

32.3.2. Layer 3 protocol information such as ICMP, TCP, or UDP

32.3.3. Layer 3 header information such as source and destination IP addresses

32.3.4. Layer 4 header information such as source and destination TCP or UDP ports
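The classification fields listed here and under Extended ACLs above, as an added example that is not from the book: a small evaluator that matches packets against ACEs on protocol, source and destination network, destination port, and ICMP type, applying the first-match rule and the implicit deny at the end of the list. The sample ACL for a DMZ web server is constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # Layer 4 destination port
    icmp_type: Optional[int] = None


@dataclass
class ACE:
    """One access control entry. proto "ip" matches any protocol; a None
    dport or icmp_type means the field is not checked."""
    action: str                     # "permit" or "deny"
    proto: str
    src: str                        # network in CIDR notation
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """Top-down evaluation: the first matching ACE decides. A packet that
    matches no ACE is dropped by the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed ACL (not from the book) for the outside interface: allow web
# traffic to one DMZ server and echo replies to the DMZ range, deny the rest.
DMZ_WEB_ACL = [
    ACE("permit", "tcp", "0.0.0.0/0", "203.0.113.80/32", dport=443),
    ACE("permit", "tcp", "0.0.0.0/0", "203.0.113.80/32", dport=80),
    ACE("permit", "icmp", "0.0.0.0/0", "203.0.113.0/24", icmp_type=0),
    ACE("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),   # explicit deny, e.g. for logging
]

if __name__ == "__main__":
    for pkt in [
        Packet("198.51.100.7", "203.0.113.80", "tcp", dport=443),
        Packet("198.51.100.7", "203.0.113.80", "tcp", dport=22),
        Packet("198.51.100.7", "203.0.113.10", "icmp", icmp_type=8),
    ]:
        print(pkt, "->", evaluate(DMZ_WEB_ACL, pkt))
```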

33. Application Proxies

33.1. Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet.

34. Port Address Translation (PAT)

34.1. Typically, firewalls perform a technique called Port Address Translation (PAT). This feature, which is a subset of the NAT feature, allows many devices on the internal protected network to share one IP address by inspecting the Layer 4 information on the packet. This shared address is usually the firewall’s public address.
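PAT as described here, together with the static one-to-one mapping described under Static Translation above, as an added example that is not from the book: a model of the firewall's translation state showing two inside hosts sharing one public address (told apart by mapped port), return traffic being mapped back, unsolicited inbound traffic to the shared address being dropped, and the static entry that lets outside hosts reach a DMZ web server. Addresses and the class name are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, Layer 4 port)


@dataclass
class NatDevice:
    """Constructed model (not from the book) of a firewall doing PAT for
    outbound connections plus static NAT for selected inside hosts."""
    public_ip: str
    static: Dict[str, str] = field(default_factory=dict)   # mapped ip -> real ip
    next_port: int = 1024
    # PAT state, kept in both directions for O(1) lookups.
    table: Dict[Endpoint, Endpoint] = field(default_factory=dict)    # mapped -> real
    reverse: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # real -> mapped

    def outbound(self, real: Endpoint) -> Endpoint:
        """Translate the source of an inside-to-outside packet."""
        for mapped_ip, real_ip in self.static.items():
            if real_ip == real[0]:
                # Static NAT: fixed public address, port unchanged.
                return (mapped_ip, real[1])
        if real in self.reverse:
            return self.reverse[real]          # existing PAT entry
        # New PAT entry: allocate an unused port on the shared public address.
        mapped = (self.public_ip, self.next_port)
        self.next_port += 1
        self.table[mapped] = real
        self.reverse[real] = mapped
        return mapped

    def inbound(self, mapped: Endpoint) -> Optional[Endpoint]:
        """Translate the destination of an outside-to-inside packet, or return
        None when no inside host is reachable at that address and port."""
        if mapped[0] in self.static:
            return (self.static[mapped[0]], mapped[1])
        return self.table.get(mapped)          # None means: no entry, drop


def demo() -> dict:
    fw = NatDevice(public_ip="203.0.113.1", static={"203.0.113.80": "10.0.0.80"})
    a = fw.outbound(("10.0.0.5", 40000))
    b = fw.outbound(("10.0.0.6", 40000))       # same source port, different host
    return {
        "a_mapped": a,
        "b_mapped": b,
        "a_reply": fw.inbound(a),
        "b_reply": fw.inbound(b),
        "unsolicited": fw.inbound(("203.0.113.1", 443)),  # no PAT entry: dropped
        "web_server": fw.inbound(("203.0.113.80", 443)),  # static NAT: delivered
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```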

35. Understanding global threat correlation capabilities

35.1. Cisco NGIPS devices include global correlation capabilities that utilize real-world data from Cisco Talos. Cisco Talos is a team of security researchers who leverage big-data analytics for cybersecurity and provide threat intelligence for many Cisco security products and services. Global correlation allows an IPS sensor to filter network traffic using the “reputation” of a packet’s source IP address. The reputation of an IP address is computed by Cisco threat intelligence using the past actions of that IP address. IP reputation has been an effective means of predicting the trustworthiness of current and future behaviors from an IP address.

36. Cisco Web Security Appliance (WSA)

36.1. Cisco's web security offerings include the Cisco Web Security Appliance (WSA), Cisco Security Management Appliance (SMA), and Cisco Cloud Web Security (CWS). These solutions enable malware detection and blocking, continuous monitoring, and retrospective alerting.

36.2. Attack Continuum

36.2.1. The life cycle of an attack including before, during, & after.

37. Cisco Identity Services Engine (ISE)

37.1. The Cisco Identity Services Engine (ISE) is a comprehensive security identity management solution designed to function as a policy decision point for network access. It allows security administrators to collect real-time contextual information from a network, its users, and devices.

38. Cisco AMP Threatgrid

38.1. Cisco integrated Cisco AMP and Threat Grid to provide a solution for advanced malware analysis with deep threat analytics. The Cisco AMP Threat Grid integrated solution analyzes millions of files and correlates them with hundreds of millions of malware samples. This provides a look into attack campaigns and how malware is distributed.

39. Stealthwatch Cloud

39.1. Stealthwatch Cloud is a Software as a Service (SaaS) cloud solution.

39.2. You can use Stealthwatch Cloud to monitor many different public cloud environments, such as Amazon’s AWS, Google Cloud Platform, and Microsoft Azure.

40. CloudLock

40.1. Cisco acquired a company called CloudLock that creates solutions to protect customers against data breaches in any cloud environment and application (app) through a highly configurable cloud-based data loss prevention (DLP) architecture.

40.2. Policy Actions

40.2.1. File-level encryption

40.2.2. Quarantine

40.2.3. End-user notifications

41. Data Loss Prevention (DLP)

41.1. Data loss prevention is the ability to detect any sensitive emails, documents, or information leaving your organization.

41.2. Integrations

41.2.1. Cisco ESA

41.2.1.1. RSA email DLP for outbound email traffic

41.2.2. Cisco Cloud Email Service & Hybrid Email Security

41.2.2.1. Their own DLP engine

41.2.3. Cisco WSA

41.2.3.1. can redirect outbound traffic to a third-party DLP solution.

42. SDN and the traditional management, control, & data plane

42.1. Software-defined networking

42.1.1. Software-defined networking introduced the notion of a centralized controller. The SDN controller has a global view of the network, and it uses a common management protocol to configure the network infrastructure devices. The SDN controller can also calculate reachability information from many systems in the network and pushes a set of flows inside the switches. The flows are used by the hardware to do the forwarding. Here you can see a clear transition from a distributed “semi-intelligent brain” approach to a “central and intelligent brain” approach.

42.2. Control & Data Plane changes

42.2.1. The big change was in the control and data planes in software-based switches and routers (including virtual switches inside of hypervisors). For instance, the Open vSwitch project started some of these changes across the industry.

42.3. Management Plane changes

42.3.1. These benefits are in both physical switches and virtual switches. SDN is now widely adopted in data centers. A great example of this is Cisco ACI.

43. Risk & Risk Analysis

43.1. Risk

43.1.1. In the world of cybersecurity, risk can be defined as the possibility of a security incident (something bad) happening.

43.2. Federal Financial Institutions Examination Council (FFIEC)

43.2.1. Developed the Cybersecurity Assessment Tool (Assessment) to help financial institutions identify their risks and determine their cybersecurity preparedness.

43.2.2. Inherent Risk Profile and Cybersecurity Maturity

43.2.2.1. The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place.

43.2.3. The International Organization for Standardization (ISO) 27001

43.2.3.1. This is the international standard for implementing an information security management system (ISMS). ISO 27001 is heavily focused on risk-based planning to ensure that the identified information risks (including cyber risks) are appropriately managed according to the threats and the nature of those threats.

43.2.4. ISO/IEC 27005 Information technology—Security techniques—Information security risk management

43.2.4.1. Establish the risk management context

43.2.4.2. Quantitatively or qualitatively assess risks

43.2.4.3. Treat risks

43.2.4.4. Keep stakeholders informed

43.2.4.5. Monitor and review risks

43.3. Common Weakness Scoring System (CWSS)

43.3.1. A methodology for scoring software weaknesses. CWSS is part of the Common Weakness Enumeration (CWE) standard.

43.4. Common Misuse Scoring System (CMSS)

43.4.1. A standardized way to measure software feature misuse vulnerabilities. More information about CMSS is available at http://scap.nist.gov/emerging-specs/listing.html#cmss

43.5. Common Configuration Scoring System

43.5.1. More information about CCSS can be found at http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf

44. Defining PII

44.1. According to the Executive Office of the President, Office of Management and Budget (OMB), and the U.S. Department of Commerce, Office of the Chief Information Officer, PII refers to “information which can be used to distinguish or trace an individual’s identity.”

44.2. Examples

44.2.1. An individual's name

44.2.2. Social security number

44.2.3. Biological or personal characteristics

44.2.4. Date and place of birth

44.2.5. Mother's maiden name

44.2.6. Credit card numbers

44.2.7. Bank account numbers

44.2.8. Driver's license

44.2.9. Address information (email, street, telephone numbers)

45. Principle of Least Privilege

45.1. All users—whether they are individual contributors, managers, directors, or executives—should be granted only the level of privilege they need to do their jobs, and no more. Also known as "need to know".

46. Separation of Duties

46.1. Separation of duties is an administrative control dictating that a single individual should not perform all critical- or privileged-level duties. The goal is to safeguard against a single individual performing sufficiently critical or privileged actions that could seriously damage a system or the organization as a whole.

47. Playbooks, Runbooks, & Runbook Automation

47.1. Organizations need to have capabilities to define, build, orchestrate, manage, and monitor the different operational processes and workflows.

47.2. Runbook

47.2.1. A runbook is a collection of procedures and operations performed by system administrators, security professionals, or network operators. According to Gartner, “the growth of RBA has coincided with the need for IT operations executives to enhance IT operations efficiency measures.”

47.3. Metrics to measure effectiveness

47.3.1. Mean time to repair (MTTR)

47.3.2. Mean time between failures (MTBF)

47.3.3. Mean time to discover a security incident

47.3.4. Mean time to contain or mitigate a security incident

47.3.5. Automation of the provisioning of IT resources

47.4. Example

47.4.1. Rundeck

48. Chain of custody

48.1. Chain of custody is how you document and preserve evidence from the time you started a cyber forensics investigation to the time the evidence is presented at court or to your executives (in the case of an internal investigation).