1.0 Security Concept

Avtech Cisco Cyberops Associate CBROPS 200-201

Get Started. It's Free
or sign up with your email address
1.0 Security Concept by Mind Map: 1.0 Security Concept

1. Cybersecurity vs. Information Security (InfoSec)

1.1. InfoSec

1.1.1. In the past, information security programs and policies were designed to protect the confidentiality, integrity, and availability of data within the confines of an organization.

1.2. Cybersecurity

1.2.1. Is the process of protecting information by preventing, detecting, and responding to attacks. Builds upon traditional InfoSec

1.2.2. Includes Cyber risk management Risk Assessment Threat Intelligence & information sharing Threat Hunting Third-party organization Software, & Hardware Dependency Management SQL injection (SQLi) vulnerabilities can be catastrophic because they can allow an attacker to view, insert, delete, or modify records in a database. In an SQL injection attack, the attacker inserts or injects, partial or complete SQL queries via the web application. The attacker injects SQL commands into input fields in an application or a URL to execute predefined SQL commands.

2. 1.4 Compare Security Concept

2.1. What is an Exploit?

2.1.1. An exploit refers to a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability that leads to access, privilege escalation, loss of integrity, or denial of service on a computer system.

2.1.2. Zero-Day Exploit Sometimes no one may even know the vulnerability exists, and it is exploited. That is known as a zero-day exploit.

2.2. What is Threat

2.2.1. A threat is any potential danger to an asset.

2.3. What is a vulnerability?

2.3.1. A vulnerability is a weakness in the system design, implementation, software, or code or the lack of a mechanism.

3. White, Black, & Gray Hat Hackers

3.1. White Hat

3.1.1. These individuals perform ethical hacking to help secure companies and organizations. Their belief is that you must examine your network in the same manner as a criminal hacker to better understand its vulnerabilities.

3.2. Black Hat

3.2.1. These individuals perform illegal activities, such as organized crime.

3.3. Gray Hat

3.3.1. These individuals usually follow the law but sometimes venture over to the darker side of black hat hacking. It would be unethical to employ these individuals to perform security duties for your organization because you are never quite clear where they stand.

4. Identifying authentication-based vulnerabilities

4.1. Credential brute forcing

4.2. Session hijacking

4.3. Redirecting

4.4. Exploiting default credentials

4.5. Exploiting weak credentials

4.6. Exploiting Kerberos vulnerabilities

5. Understanding global threat correlation capabilities

5.1. Cisco NGIPS devices include global correlation capabilities that utilize real-world data from Cisco Talos. Cisco Talos is a team of security researchers who leverage big-data analytics for cybersecurity and provide threat intelligence for many Cisco security products and services. Global correlation allows an IPS sensor to filter network traffic using the “reputation” of a packet’s source IP address. The reputation of an IP address is computed by Cisco threat intelligence using the past actions of that IP address. IP reputation has been an effective means of predicting the trustworthiness of current and future behaviors from an IP address.

6. Umbrella (OpenDNS)

6.1. Cisco acquired a company called OpenDNS that provides DNS services, threat intelligence, and threat enforcement at the DNS layer.

6.2. OpenDNS has a global network that delivers advanced security solutions (as a cloud-based service) regardless of where Cisco customer offices or employees are located. This service is extremely easy to deploy and easy to manage.

7. 1.5 The Principles of the Defense-in-Depth Strategy

7.1. Layered and cross-boundary “defense-in-depth” strategy is what is needed to protect your network and corporate assets.

7.2. Layers

7.2.1. Nontechnical activities Nontechnical activities such as appropriate security policies and procedures and end-user and staff training.

7.2.2. Physical Security including cameras, physical access control (such as badge readers, retina scanners, and fingerprint scanners), and locks.

7.2.3. Network Security Network security best practices, such as routing protocol authentication, control plane policing (CoPP), network device hardening, and so on.

7.2.4. Host Security Host security solutions such as advanced malware protection (AMP) for endpoints, antiviruses, and so on.

7.2.5. Application Security Application security best practices such as application robustness testing, fuzzing, defenses against cross-site scripting (XSS), cross-site request forgery (CSRF) attacks, SQL injection attacks, and so on. SQL Injection

7.2.6. Data network traversal You can employ encryption at rest and in transit to protect data.

7.3. Role-based Network Security Approach

7.3.1. When applying defense-in-depth strategies, you can also look at a roles-based network security approach for security assessment in a simple manner. Each device on the network serves a purpose and has a role; subsequently, you should configure each device accordingly.

7.3.2. Planes Management This is the distributed and modular network management environment. Control This plane includes routing control. It is often a target because the control plane depends on direct CPU cycles. User/Data This plane receives, processes, and transmits network data among all network elements. Services This is the Layer 7 application flow built on the foundation of the other layers. Policies The plane includes the business requirements. Cisco calls policies the “business glue” for the network. Policies and procedures are part of this section, and they apply to all the planes in this list.

7.4. Defense in Depth | CISA

8. SDN and the traditional management, control, & data plane

8.1. Software-defined networking

8.1.1. Software-defined networking introduced the notion of a centralized controller. The SDN controller has a global view of the network, and it uses a common management protocol to configure the network infrastructure devices. The SDN controller can also calculate reachability information from many systems in the network and pushes a set of flows inside the switches. The flows are used by the hardware to do the forwarding. Here you can see a clear transition from a distributed “semi-intelligent brain” approach to a “central and intelligent brain” approach.

8.2. Control & Data Plane changes

8.2.1. The big change was in the control and data planes in software-based switches and routers (including virtual switches inside of hypervisors). For instance, the Open vSwitch project started some of these changes across the industry.

8.3. Management Pane changes

8.3.1. These benefits are in both physical switches and virtual switches. SDN is now widely adopted in data centers. A great example of this is Cisco ACI.

9. 1.1 Confidentiality, Integrity, & Availability: The CIA Triad

9.1. Confidentiality

9.1.1. Defining PII According to the Executive Office of the President, Office of Management and Budget (OMB), and the U.S. Department of Commerce, Office of the Chief Information Officer, PII refers to “information which can be used to distinguish or trace an individual’s identity.” Examples An individuals name social security number biological or personal characteristics date & place of birth mothers maiden name credit card numbers bank account numbers driver's license address information (email, street, telephone numbers)

9.1.2. Defining PHI The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations and providers to adopt certain security regulations for protecting health information. The Privacy Rule calls this information “protected health information,” or PHI. Examples An individual’s name (that is, patient’s name) All dates directly linked to an individual, including date of birth, death, discharge, and administration Telephone and fax numbers Email addresses geographic subdivisions such as street addresses ZIP codes & County Medical record numbers and health plan beneficiary number Certificate numbers or account numbers Social security number Driver license number Biometric identifiers, including voice or fingerprints Photos of the full face or recognizable features Any unique number-based code or characteristic The individual’s past, present, and future physical or mental health or condition The provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual

9.2. Integrity

9.2.1. Integrity is the ability to make sure that a system and its data have not been altered or compromised. It ensures that the data is an accurate and unchanged representation of the original secure data.

9.3. Availability

9.3.1. Availability means that a system or application must be “available” to authorized users at all times. According to the CVSS Version 3 specification, the availability metric “measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

10. Security Operations Centers (SOCs)

10.1. are facilities where an organization’s assets, including applications, databases, servers, networks, desktops, and other endpoints, are monitored, assessed, and protected.

10.2. Addresses these security concerns

10.2.1. How can you detect a compromise in a timely manner?

10.2.2. How do you triage a compromise to determine the severity and the scope?

10.2.3. What is the impact of the compromise to your business?

10.2.4. Who is responsible for detecting and mitigating a compromise?

10.2.5. Who should be informed or involved, and when do you deal with the compromise once detected?

10.2.6. How and when should you communicate a compromise internally or externally, and is that needed in the first place?

10.3. SOCs need these in order to be effective

10.3.1. Executive sponsorship

10.3.2. SOC operating as a program. Organizations should operate the SOC as a program rather than a single project.

10.3.3. A governance structure

10.3.4. Effective team collaboration

10.3.5. Access to data and systems

10.3.6. Applicable processes and procedures

10.3.7. Team skill sets and experience

10.3.8. Budget (for example, will it be handled in-house or outsourced?)

11. 1.2 Security Deployment

11.1. network firewalls

11.1.1. Network Firewalls A firewall that provides key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules. Firewalls are often deployed in several other parts of the network to provide network segmentation within the corporate infrastructure and also in data centers. Network Address Translation (NAT), access control lists, and application inspection. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules. Demilitarized Zones (DMZs) Firewalls can be configured to separate multiple network segments (or zones), usually called demilitarized zones (DMZs). These zones provide security to the systems that reside within them with different security levels and policies between them. Techniques Simple packet-filtering techniques Application proxies Network Address Translation Stateful inspection firewalls Next-generation context-aware firewalls

11.2. Access Control Lists (ACLs)

11.2.1. Devices that can enable ACLs Firewalls Routers Switches Wireless LAN Controllers (WCLs)

11.2.2. A set of predetermined rules against which stateful and traditional firewalls can analyze packets and judge them.

11.2.3. Judges based on Source Address Destination Address Source Port Destination Port Protocol

11.2.4. Extended ACLs the most commonly deployed ACLs. Packet Classification Source and destination IP addresses Layer 3 protocols Source and/or destination TCP and UDP ports Destination ICMP type for ICMP packets

11.3. Network Address Translation (NAT)

11.3.1. A method often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT. By using NAT, the firewall hides the internal private addresses from the unprotected network and exposes only its own address or public range. This enables a network professional to use any IP address space as the internal network. Static Translation A different methodology is used when hosts in the unprotected network need to initiate a new connection to specific hosts behind the NAT device. You configure the firewall to allow such connections by creating a static one-to-one mapping of the public (mapped) IP address to the address of the internal (real) protected device. For example, static NAT can be configured when a web server resides on the internal network and has a private IP address but needs to be contacted by hosts located in the unprotected network or the Internet.

11.3.2. Port Address Translation (PAT) Port Address Translation (PAT) - Typically, firewalls perform a technique called Port Address Translation (PAT). This feature, which is a subset of the NAT feature, allows many devices on the internal protected network to share one IP address by inspecting the Layer 4 information on the packet. This shared address is usually the firewall’s public address;

11.4. Data Loss Prevention (DLP)

11.4.1. A software or cloud solution for making sure that corporate users do not send sensitive or critical information outside the corporate network.

11.5. Advanced Malware Protection (AMP) - Agent based Protection

11.5.1. A Cisco solution for detecting and mitigating malware in the corporate network.

11.6. Intrusion Prevention System (IPS)

11.6.1. A network security appliance or software technology that inspects network traffic to detect and prevent security threats and exploits.

11.7. Netflow

11.7.1. As network traffic traverses a NetFlow-enabled device, the device collects traffic.

11.7.2. Original Usage NetFlow was initially created for billing and accounting of network traffic and to measure other IP traffic characteristics such as bandwidth utilization and application performance. NetFlow has also been used as a network capacity planning tool and to monitor network availability.

11.7.3. Security Usage Used as a network security tool because its reporting capabilities provide nonrepudiation, anomaly detection, and investigative capabilities. As network traffic traverses a NetFlow-enabled device, the device collects traffic flow data and provides a network administrator or security professional with detailed information about such flows.

11.8. Cisco Email Security Appliance (ESA)

11.8.1. Users are no longer accessing email only from the corporate network or from a single device. Cisco provides cloud-based, hybrid, and on-premises solutions based on the Email Security Appliance (ESA) that can help protect any dynamic environment.

11.8.2. Features Access Control Anti-Spam Network Antivirus Advanced Malware Protection (AMP)

11.9. Cisco Identity Services Engine (ISE)

11.9.1. The Cisco Identity Services Engine (ISE) is a comprehensive security identity management solution designed to function as a policy decision point for network access. It allows security administrators to collect real-time contextual information from a network, its users, and devices.

11.10. Application Proxies

11.10.1. Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet.

11.11. Stealthwatch Cloud

11.11.1. Stealthwatch Cloud is a Software as a Service cloud solution. You can use Stealthwatch Cloud to monitor many different public cloud environments, such as Amazon’s AWS, Google Cloud Platform, and Microsoft Azure.

11.12. Security cloud-based solutions

11.12.1. Cisco Cloud Email Security (CES)

11.12.2. Cisco AMP Threat Grid

11.12.3. Cisco Threat Awareness Service

11.12.4. Umbrella (formerly OpenDNS)

11.12.5. Stealthwatch Cloud

11.12.6. CloudLock

11.13. CloudLock

11.13.1. Cisco acquired a company called CloudLock that creates solutions to protect customers against data breaches in any cloud environment and application (app) through a highly configurable cloud-based data loss prevention (DLP) architecture.

11.13.2. Policy Actions File-level encryption Quarantine End-user notifications

11.14. Cisco AMP Threatgrid

11.14.1. Cisco integrated Cisco AMP and Threat Grid to provide a solution for advanced malware analysis with deep threat analytics. The Cisco AMP Threat Grid integrated solution analyzes millions of files and correlates them with hundreds of millions of malware samples. This provides a look into attack campaigns and how malware is distributed.

11.15. Cisco Web Security Appliance (WSA)

11.15.1. Cisco Web Security Appliance (WSA), Cisco Security Management Appliance (SMA), and Cisco Cloud Web Security (CWS). These solutions enable malware detection and blocking, continuous monitoring, and retrospective alerting.

11.16. Security Information and Event Manager (SIEM)

11.16.1. A specialized device or software for security event management.

11.16.2. Provides these capabilities Log Collection Normalization Aggregation Correlation Built-in Reporting

11.17. Security Orchestration, Automation, and Response (SOAR)

11.17.1. A system that provides automation and security orchestration capabilities for the security operations center (SOC).

11.18. Common Vulnerabilities & Exposures (CVE)

11.18.1. A dictionary of vulnerabilities and exposures in products and systems maintained by MITRE. A CVE-ID is the industry standard method to identify vulnerabilities.

11.19. Common Vulnerability Scoring System (CVSS)

11.19.1. An industry standard used to convey information about the severity of vulnerabilities.

11.20. Common Weakness Enumeration (CWE)

11.20.1. A specification developed and maintained by MITRE to identify the root cause (weaknesses) of security vulnerabilities. You can obtain the list of CWEs from cwe.mitre.org.

11.21. Common Weakness Scoring System (CWSS)

11.21.1. A specification developed and maintained by MITRE to provide a way to prioritize software weaknesses that can introduce security vulnerabilities. You can obtain the list of CWSS from cwe.mitre.org/cwss.

11.22. Structured Threat Information Expression (STIX)

11.22.1. A standard used to create and share cyber threat intelligence information in a machine-readable format.

11.23. Trusted Automated Exchange of Indicator Information (TAXII)

11.23.1. A standard that provides a transport mechanism (data exchange) of cyber threat intelligence information in STIX format. In other words, TAXII servers can be used to author and exchange STIX documents among participants.

11.24. Cyber Observable eXpression (CybOX)

11.24.1. A standard to document cyber threat intelligence observables in a machine-readable format. The OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) decided to merge the CybOX and the Structured Threat Information Expression (STIX) specifications into one standard. CybOX objects are now called STIX Cyber Observables. You can find additional information about the migration of CybOX to STIX at https://oasis-open.github.io/cti-documentation/stix/compare.html.

12. 1.6 Access Control

12.1. Access control process key concepts

12.1.1. Asset/Data Classification/Data States The process of classifying data based on the risk for the organization using on CIA.

12.1.2. Asset Marking Marking, & labeling assets.

12.1.3. Access Policy Definition The process of defining policies that govern access to an asset.

12.1.4. Data Disposal The process of disposing or eliminating an asset or data.

12.2. Overview of Access Control Models // Pros & Cons of Access Control Models // Main Characteristics of each

12.2.1. Discretionary Access Control (DAC) Access decisions & permissions are decided by the object owner (DoD - Trusted Computer System Evaluation Criteria). Pro Con Main Characteristic In the DAC model authorization is decided by the object owner, access permissions are associated with the object, and access control is enforced by access control lists.

12.2.2. Mandatory Access Control (MAC) Access decisions are enforced by the access policy enforcer (example, the OS), use security labels (DoD - Trusted Computer System Evaluation Criteria). Pro Con Main Characteristic In the MAC model the OS or policy enforcer decides on whether to grant access, not the owner, this policy is enforced by security labels.

12.2.3. Role-based Access Control (RBAC) Access decisions are based on the role or function of the subject (INCITS 359-2004). Pro Con Main Characteristic In the RBAC model decisions are based on the role of the subject which an organization assigns based on policy, permissions are tied to roles, not users.

12.2.4. Attribute-based Access Control (ABAC) Access decisions are based on the attributes or characteristics of the subject, object, & environment (NIST SP 800-162). Pro Con Main Characteristic In the ABAC model decisions are made based on the attributes associated with subjects, objects, or the environment. These attributes are characteristics of subject, object, or environment. User role, identitty, security classification can all be considered attributes.

12.3. Access control types based on purpose

12.3.1. Administrative Controls Policies, procedures around definitions of access controls, definitions of information classifications, roles, responsibilities, and anything needed to manage access control from the administrative perspective. Subtypes Operational Security Policies & Procedures Security Education & Training Auditing & Monitoring Policies

12.3.2. Physical Controls Are aimed at protecting physical boundaries and employee safety.

12.3.3. Technical Controls Also called logical controls are technological controls such as firewalls, IPSs, IAM systems, encryption.

12.4. Risk & Risk Analysis

12.4.1. Risk In the world of cybersecurity, risk can be defined as the possibility of a security incident (something bad) happening.

12.4.2. Federal Financial Institutions Examination Council (FFIEC) Developed the Cybersecurity Assessment Tool (Assessment) to help financial institutions identify their risks and determine their cybersecurity preparedness. Inherent Risk Profile and Cybersecurity Maturity The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. Cybersecurity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place. The International Organization for Standardization (ISO) 27001 This is the international standard for implementing an information security management system (ISMS). ISO 27001 is heavily focused on risk-based planning to ensure that the identified information risks (including cyber risks) are appropriately managed according to the threats and the nature of those threats. ISO/IEC 27005 Information technology—Security techniques—Information security risk management Establish the risk management context, Quantitatively or qualitatively assess risks, Treat risks, Keep stakeholders informed, Monitor & review risks

12.4.3. Common Weakness Scoring System (CWSS) A methodology for scoring software weaknesses. CWSS is part of the Common Weakness Enumerator (CWE) standard.

12.4.4. Common Misuse Scoring System (CMSS) A standardized way to measure software feature misuse vulnerabilities. More information about CMSS is available at http://scap.nist.gov/emerging-specs/listing.html#cmss

12.4.5. Common Configuration Scoring System More information about CCSS can be found at http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf

13. 1.3 Security Terms

13.1. Threat Intelligence

13.1.1. Threat intelligence is referred to as knowledge about an existing or emerging threat. Threat Intelligence Standards (STIX, TAXII, CybOX, OpenIOC, etc.) Structured Threat Information eXpression (STIX) Trusted Automated eXchange of Indicator Information (TAXII) Cyber Observable eXpression (CybOX) Open Indicators of Compromise (OpenIOC) Open Command & Control (OpenC2) STAXX

13.1.2. Includes Context Mechanisms Indicators of Compromise (IoCs) Implications Actionable Advice

13.2. Threat Intelligence Platform (TIP)

13.2.1. Many organizations deploy their own threat intelligence platforms (TIPs) to aggregate, correlate, and analyze threat intelligence information from multiple sources in near real-time.

13.2.2. Supports Threat intelligence collection Data correlation Enrichment and contextualization Analyze Integrations with other security systems Act

13.3. Malware Analysis

13.3.1. Study of determining the functionality of a given malware sample . Eg Virus

13.4. Threat Actor

13.4.1. = Bad Actor = Malicious Actor

13.5. Playbooks, Runbooks, & Runbook Automation

13.5.1. Organizations need to have capabilities to define, build, orchestrate, manage, and monitor the different operational processes and workflows.

13.5.2. Runbook A runbook is a collection of procedures and operations performed by system administrators, security professionals, or network operators. According to Gartner, “the growth of RBA has coincided with the need for IT operations executives to enhance IT operations efficiency measures.”

13.5.3. Metrics to measure effectiveness Mean time to repair (MTTR) Mean time between failures (MTBF) Mean time to discover a security incident Mean time to contain or mitigate a security incident Automation of the provisioning of IT resources

13.5.4. Example Rundeck

13.6. Reverse Engineering

13.6.1. Methodology for acquiring architectural information about anything originally created by someone else

13.7. Sliding Windows Anomaly Detection

13.7.1. Traffic anomaly detection limited to only specific amount time

13.8. Principle of Least Privilege

13.8.1. All users—whether they are individual contributors, managers, directors, or executives—should be granted only the level of privilege they need to do their jobs, and no more. Also known as "need to know".

13.9. Zero Trust

13.9.1. A strategic approach to security that centers on the concept of eliminating trust from an org's network architecture

13.9.2. Zero Trust Security

13.10. Separation of Duties

13.10.1. Separation of duties is an administrative control dictating that a single individual should not perform all critical- or privileged-level duties. The goal is to safeguard against a single individual performing sufficiently critical or privileged actions that could seriously damage a system or the organization as a whole.

13.11. Data Loss Prevention (DLP)

13.11.1. Data loss prevention is the ability to detect any sensitive emails, documents, or information leaving your organization.

13.11.2. Integrations Cisco ESA RSA email DLP for outbound email traffic Cisco Cloud Email Service & Hybrid Email Security Their own DLP. engine Their own DLP. engine Cisco WSA can redirect outbound traffic to a third-party DLP solution.

13.12. OWASP Top 10

13.12.1. OWASP lists the top 10 most common vulnerabilities against application at the following address: www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Common Attack Cross-Site Request Forgery (CSRF or XSRF) Cross-Site Scripting Command Injection

13.13. Chain of custody

13.13.1. Chain of custody is how you document and preserve evidence from the time you started a cyber forensics investigation to the time the evidence is presented at court or to your executives (in the case of an internal investigation).

13.14. Script Kiddies

13.14.1. People who use existing “scripts” or tools to hack into computers and networks; however, they lack the expertise to write their own scripts.

13.15. Digital Forensics

13.15.1. Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court.”) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.

13.15.2. Examples Computers Smartphones Tablets Network Infrastructure Devices Network Management Systems Printers IoT Devices

13.16. Indicator of Compromise (IoC)

13.16.1. One aspect of threat intelligence, which is the knowledge about an existing or emerging threat to assets, including networks and systems.

14. 1.7 CVSS

14.1. Attack Vector

14.2. Attack Complexity

14.3. Privileges Required

14.4. User Interaction

14.5. Scope

15. 1.8 Interpret 5 Tuple Approach to isolate compromised hosts