1.0 Security Concept

Avtech Cisco Cyberops Associate CBROPS 200-201


1. Cybersecurity vs. Information Security (InfoSec)

1.1. InfoSec

1.1.1. In the past, information security programs and policies were designed to protect the confidentiality, integrity, and availability of data within the confines of an organization.

1.2. Cybersecurity

1.2.1. Cybersecurity is the process of protecting information by preventing, detecting, and responding to attacks. It builds upon traditional InfoSec.

1.2.2. Includes

1.2.2.1. Cyber risk management

1.2.2.1.1. Risk Assessment

1.2.2.2. Threat Intelligence & information sharing

1.2.2.3. Threat Hunting

1.2.2.4. Third-party organization

1.2.2.5. Software & Hardware Dependency Management

1.2.2.6. SQL injection (SQLi) vulnerabilities can be catastrophic because they can allow an attacker to view, insert, delete, or modify records in a database. In an SQL injection attack, the attacker inserts or injects partial or complete SQL queries via the web application. The attacker injects SQL commands into input fields in an application or a URL to execute predefined SQL commands.
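Added example (not from the original notes): the injection described above arises when user input is concatenated into the query text. The block below, against a constructed in-memory SQLite user table, places the vulnerable lookup beside the parameterized form that removes the defect; all table and function names are this example's own.

```python
import sqlite3

# Constructed in-memory database standing in for a web application's user store.
USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: the input becomes part of the
    SQL grammar, so quote characters in the input change what the query does."""
    query = ("SELECT username, role FROM users WHERE username = '"
             + username + "' ORDER BY id")
    return [tuple(row) for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Hardened form: the query text is fixed and the input is bound as a
    parameter, so the database only ever compares it as a string value."""
    query = "SELECT username, role FROM users WHERE username = ? ORDER BY id"
    return [tuple(row) for row in conn.execute(query, (username,))]


def vulnerable_lookup_or_error(conn, username):
    """Second symptom of concatenation: legitimate input containing a quote
    (a surname such as O'Brien) makes the query fail instead of matching."""
    try:
        return lookup_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        return f"query error: {exc}"


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "bob"))               # one row
    print(lookup_vulnerable(db, "x' OR '1'='1"))      # every row: WHERE clause rewritten
    print(lookup_parameterized(db, "x' OR '1'='1"))   # []: treated as a literal username
    print(vulnerable_lookup_or_error(db, "O'Brien"))  # syntax error from the stray quote
    print(lookup_parameterized(db, "O'Brien"))        # []: handled as data
```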

2. 1.2 Security Deployment

2.1. Network Firewalls

2.1.1. Network Firewalls

2.1.1.1. A firewall that provides key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules. Firewalls are often deployed in several other parts of the network to provide network segmentation within the corporate infrastructure and also in data centers.

2.1.1.2. Key features include Network Address Translation (NAT), access control lists, and application inspection.

2.1.1.3. Demilitarized Zones (DMZs)

2.1.1.3.1. Firewalls can be configured to separate multiple network segments (or zones), usually called demilitarized zones (DMZs). These zones provide security to the systems that reside within them with different security levels and policies between them.

2.1.1.4. Techniques

2.1.1.4.1. Simple packet-filtering techniques

2.1.1.4.2. Application proxies

2.1.1.4.3. Network Address Translation

2.1.1.4.4. Stateful inspection firewalls

2.1.1.4.5. Next-generation context-aware firewalls

2.2. Access Control Lists (ACLs)

2.2.1. Devices that can enable ACLs

2.2.1.1. Firewalls

2.2.1.2. Routers

2.2.1.3. Switches

2.2.1.4. Wireless LAN Controllers (WLCs)

2.2.2. A set of predetermined rules that stateful and traditional firewalls use to analyze packets and decide whether to permit or deny them.

2.2.3. Judges based on

2.2.3.1. Source Address

2.2.3.2. Destination Address

2.2.3.3. Source Port

2.2.3.4. Destination Port

2.2.3.5. Protocol

2.2.4. Extended ACLs

2.2.4.1. The most commonly deployed type of ACL.

2.2.4.2. Packet Classification

2.2.4.2.1. Source and destination IP addresses

2.2.4.2.2. Layer 3 protocols

2.2.4.2.3. Source and/or destination TCP and UDP ports

2.2.4.2.4. Destination ICMP type for ICMP packets
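Added example (not from the original notes) covering the five fields an ACL judges on and the extended-ACL classification above: a small first-match evaluator with an implicit deny at the end, using IOS-style `any` / `host` / wildcard-mask address specs. The `Packet`, `Rule` and `ACL` names and the ACL contents are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None      # Layer 4 ports (tcp/udp only)
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # ICMP only


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: str                         # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    sport: Optional[int] = None      # "eq" port match; None means any port
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def addr_match(spec: str, ip: str) -> bool:
    """IOS-style address matching; in a wildcard mask, 0 bits must match."""
    if spec == "any":
        return True
    parts = spec.split()
    addr = int(ipaddress.IPv4Address(ip))
    if parts[0] == "host":
        return addr == int(ipaddress.IPv4Address(parts[1]))
    net = int(ipaddress.IPv4Address(parts[0]))
    wildcard = int(ipaddress.IPv4Address(parts[1]))
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Classify on protocol, source/destination address, ports and ICMP type."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not addr_match(rule.src, pkt.src) or not addr_match(rule.dst, pkt.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a packet matching nothing hits the implicit deny
    (returned with index None so a log can tell it apart from an explicit deny)."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed ACL: HTTPS to one server, echo replies back into the LAN, everything else dropped.
ACL = [
    Rule("permit", "tcp", "any", "host 192.0.2.10", dport=443),
    Rule("permit", "icmp", "any", "10.0.0.0 0.255.255.255", icmp_type=0),
    Rule("deny", "ip", "any", "any"),
]

if __name__ == "__main__":
    print(evaluate(ACL, Packet("tcp", "198.51.100.5", "192.0.2.10", 51000, 443)))
    print(evaluate(ACL, Packet("tcp", "198.51.100.5", "192.0.2.10", 51000, 22)))
    print(evaluate(ACL, Packet("icmp", "192.0.2.1", "10.20.30.40", icmp_type=8)))
```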

2.3. Network Address Translation (NAT)

2.3.1. A method often used by firewalls; however, other devices such as routers and wireless access points provide support for NAT. By using NAT, the firewall hides the internal private addresses from the unprotected network and exposes only its own address or public range. This enables a network professional to use any IP address space as the internal network.

2.3.1.1. Static Translation

2.3.1.1.1. A different methodology is used when hosts in the unprotected network need to initiate a new connection to specific hosts behind the NAT device. You configure the firewall to allow such connections by creating a static one-to-one mapping of the public (mapped) IP address to the address of the internal (real) protected device. For example, static NAT can be configured when a web server resides on the internal network and has a private IP address but needs to be contacted by hosts located in the unprotected network or the Internet.

2.3.2. Port Address Translation (PAT)

2.3.2.1. Typically, firewalls perform a technique called Port Address Translation (PAT). This feature, a subset of NAT, allows many devices on the internal protected network to share one IP address by inspecting the Layer 4 information on the packet. This shared address is usually the firewall’s public address.
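Added example (not from the original notes) for the NAT, static translation and PAT points above: a constructed model of a firewall that hides inside hosts behind one public address by allocating a unique Layer 4 port per inside socket, keeps a one-to-one static mapping for an internal web server, and drops unsolicited inbound packets that match no translation. The `NatDevice` class and all addresses (documentation ranges) are this example's own; a real PAT table also keys entries on the remote endpoint, which is omitted here.

```python
class NatDevice:
    """Constructed firewall model doing static NAT plus PAT on one public address.
    Packets are 5-tuples: (proto, src_ip, src_port, dst_ip, dst_port)."""

    def __init__(self, public_ip, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self._ports = iter(range(port_range[0], port_range[1] + 1))
        self.static_out = {}   # real (inside) ip -> mapped (public) ip
        self.static_in = {}    # mapped ip -> real ip
        self.pat_out = {}      # (proto, real_ip, real_port) -> mapped port
        self.pat_in = {}       # (proto, mapped_port) -> (real_ip, real_port)

    def add_static(self, mapped_ip, real_ip):
        """One-to-one static translation, e.g. for an internal web server that
        must be reachable from the unprotected network."""
        self.static_out[real_ip] = mapped_ip
        self.static_in[mapped_ip] = real_ip

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: hide the real source behind the public address."""
        if src_ip in self.static_out:
            return (proto, self.static_out[src_ip], src_port, dst_ip, dst_port)
        key = (proto, src_ip, src_port)
        if key not in self.pat_out:          # allocate a unique Layer 4 port
            mapped = next(self._ports, None)
            if mapped is None:
                raise RuntimeError("PAT port pool exhausted")
            self.pat_out[key] = mapped
            self.pat_in[(proto, mapped)] = (src_ip, src_port)
        return (proto, self.public_ip, self.pat_out[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: only static mappings or existing PAT entries are
        reachable; anything else has no translation and is dropped (None)."""
        if dst_ip in self.static_in:
            return (proto, src_ip, src_port, self.static_in[dst_ip], dst_port)
        entry = self.pat_in.get((proto, dst_port))
        if dst_ip == self.public_ip and entry is not None:
            real_ip, real_port = entry
            return (proto, src_ip, src_port, real_ip, real_port)
        return None


if __name__ == "__main__":
    nat = NatDevice("203.0.113.1")
    nat.add_static("203.0.113.10", "10.0.0.5")       # internal web server
    print(nat.outbound("tcp", "10.0.0.20", 50000, "198.51.100.7", 443))
    print(nat.outbound("tcp", "10.0.0.21", 50000, "198.51.100.7", 443))  # same inside port, new mapped port
    print(nat.inbound("tcp", "198.51.100.7", 443, "203.0.113.1", 1025))  # reply routed to 10.0.0.21
    print(nat.inbound("tcp", "198.51.100.9", 40000, "203.0.113.10", 80))  # static mapping
    print(nat.inbound("tcp", "198.51.100.9", 40000, "203.0.113.1", 8080))  # no entry: dropped
```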

2.4. Data Loss Prevention (DLP)

2.4.1. A software or cloud solution for making sure that corporate users do not send sensitive or critical information outside the corporate network.

2.5. Advanced Malware Protection (AMP) - Agent-based Protection

2.5.1. A Cisco solution for detecting and mitigating malware in the corporate network.

2.6. Intrusion Prevention System (IPS)

2.6.1. A network security appliance or software technology that inspects network traffic to detect and prevent security threats and exploits.

2.7. NetFlow

2.7.1. As network traffic traverses a NetFlow-enabled device, the device collects traffic flow data.

2.7.2. Original Usage

2.7.2.1. NetFlow was initially created for billing and accounting of network traffic and to measure other IP traffic characteristics such as bandwidth utilization and application performance. NetFlow has also been used as a network capacity planning tool and to monitor network availability.

2.7.3. Security Usage

2.7.3.1. Used as a network security tool because its reporting capabilities provide nonrepudiation, anomaly detection, and investigative capabilities. As network traffic traverses a NetFlow-enabled device, the device collects traffic flow data and provides a network administrator or security professional with detailed information about such flows.

2.8. Cisco Email Security Appliance (ESA)

2.8.1. Users are no longer accessing email only from the corporate network or from a single device. Cisco provides cloud-based, hybrid, and on-premises solutions based on the Email Security Appliance (ESA) that can help protect any dynamic environment.

2.8.2. Features

2.8.2.1. Access Control

2.8.2.2. Anti-Spam

2.8.2.3. Network Antivirus

2.8.2.4. Advanced Malware Protection (AMP)

2.9. Cisco Identity Services Engine (ISE)

2.9.1. The Cisco Identity Services Engine (ISE) is a comprehensive security identity management solution designed to function as a policy decision point for network access. It allows security administrators to collect real-time contextual information from a network, its users, and devices.

2.10. Application Proxies

2.10.1. Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet.

2.11. Stealthwatch Cloud

2.11.1. Stealthwatch Cloud is a Software as a Service cloud solution.

2.11.1.1. You can use Stealthwatch Cloud to monitor many different public cloud environments, such as Amazon’s AWS, Google Cloud Platform, and Microsoft Azure.

2.12. Security cloud-based solutions

2.12.1. Cisco Cloud Email Security (CES)

2.12.2. Cisco AMP Threat Grid

2.12.3. Cisco Threat Awareness Service

2.12.4. Umbrella (formerly OpenDNS)

2.12.5. Stealthwatch Cloud

2.12.6. CloudLock

2.13. CloudLock

2.13.1. Cisco acquired a company called CloudLock that creates solutions to protect customers against data breaches in any cloud environment and application (app) through a highly configurable cloud-based data loss prevention (DLP) architecture.

2.13.2. Policy Actions

2.13.2.1. File-level encryption

2.13.2.2. Quarantine

2.13.2.3. End-user notifications

2.14. Cisco AMP Threat Grid

2.14.1. Cisco integrated Cisco AMP and Threat Grid to provide a solution for advanced malware analysis with deep threat analytics. The Cisco AMP Threat Grid integrated solution analyzes millions of files and correlates them with hundreds of millions of malware samples. This provides a look into attack campaigns and how malware is distributed.

2.15. Cisco Web Security Appliance (WSA)

2.15.1. Cisco offers web security through the Cisco Web Security Appliance (WSA), Cisco Security Management Appliance (SMA), and Cisco Cloud Web Security (CWS). These solutions enable malware detection and blocking, continuous monitoring, and retrospective alerting.

2.16. Security Information and Event Manager (SIEM)

2.16.1. A specialized device or software for security event management.

2.16.2. Provides these capabilities

2.16.2.1. Log Collection

2.16.2.2. Normalization

2.16.2.3. Aggregation

2.16.2.4. Correlation

2.16.2.5. Built-in Reporting

2.17. Security Orchestration, Automation, and Response (SOAR)

2.17.1. A system that provides automation and security orchestration capabilities for the security operations center (SOC).

2.18. Common Vulnerabilities & Exposures (CVE)

2.18.1. A dictionary of vulnerabilities and exposures in products and systems maintained by MITRE. A CVE-ID is the industry standard method to identify vulnerabilities.

2.19. Common Vulnerability Scoring System (CVSS)

2.19.1. An industry standard used to convey information about the severity of vulnerabilities.

2.20. Common Weakness Enumeration (CWE)

2.20.1. A specification developed and maintained by MITRE to identify the root cause (weaknesses) of security vulnerabilities. You can obtain the list of CWEs from cwe.mitre.org.

2.21. Common Weakness Scoring System (CWSS)

2.21.1. A specification developed and maintained by MITRE to provide a way to prioritize software weaknesses that can introduce security vulnerabilities. You can obtain details of CWSS from cwe.mitre.org/cwss.

2.22. Structured Threat Information Expression (STIX)

2.22.1. A standard used to create and share cyber threat intelligence information in a machine-readable format.

2.23. Trusted Automated Exchange of Indicator Information (TAXII)

2.23.1. A standard that provides a transport mechanism (data exchange) of cyber threat intelligence information in STIX format. In other words, TAXII servers can be used to author and exchange STIX documents among participants.

2.24. Cyber Observable eXpression (CybOX)

2.24.1. A standard to document cyber threat intelligence observables in a machine-readable format. The OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) decided to merge the CybOX and the Structured Threat Information Expression (STIX) specifications into one standard. CybOX objects are now called STIX Cyber Observables. You can find additional information about the migration of CybOX to STIX at https://oasis-open.github.io/cti-documentation/stix/compare.html.

3. White, Black, & Gray Hat Hackers

3.1. White Hat

3.1.1. These individuals perform ethical hacking to help secure companies and organizations. Their belief is that you must examine your network in the same manner as a criminal hacker to better understand its vulnerabilities.

3.2. Black Hat

3.2.1. These individuals perform illegal activities, such as organized crime.

3.3. Gray Hat

3.3.1. These individuals usually follow the law but sometimes venture over to the darker side of black hat hacking. It would be unethical to employ these individuals to perform security duties for your organization because you are never quite clear where they stand.

4. Umbrella (OpenDNS)

4.1. Cisco acquired a company called OpenDNS that provides DNS services, threat intelligence, and threat enforcement at the DNS layer.

4.2. OpenDNS has a global network that delivers advanced security solutions (as a cloud-based service) regardless of where Cisco customer offices or employees are located. This service is extremely easy to deploy and easy to manage.

5. Identifying authentication-based vulnerabilities

5.1. Credential brute forcing

5.2. Session hijacking

5.3. Redirecting

5.4. Exploiting default credentials

5.5. Exploiting weak credentials

5.6. Exploiting Kerberos vulnerabilities

6. 1.1 Confidentiality, Integrity, & Availability: The CIA Triad

6.1. Confidentiality

6.1.1. Defining PII

6.1.1.1. According to the Executive Office of the President, Office of Management and Budget (OMB), and the U.S. Department of Commerce, Office of the Chief Information Officer, PII refers to “information which can be used to distinguish or trace an individual’s identity.”

6.1.1.2. Examples

6.1.1.2.1. An individual's name

6.1.1.2.2. social security number

6.1.1.2.3. biological or personal characteristics

6.1.1.2.4. date & place of birth

6.1.1.2.5. mother's maiden name

6.1.1.2.6. credit card numbers

6.1.1.2.7. bank account numbers

6.1.1.2.8. driver's license

6.1.1.2.9. address information (email, street, telephone numbers)

6.1.2. Defining PHI

6.1.2.1. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations and providers to adopt certain security regulations for protecting health information.

6.1.2.2. The Privacy Rule calls this information “protected health information,” or PHI.

6.1.2.3. Examples

6.1.2.3.1. An individual’s name (that is, patient’s name)

6.1.2.3.2. All dates directly linked to an individual, including date of birth, death, discharge, and administration

6.1.2.3.3. Telephone and fax numbers

6.1.2.3.4. Email addresses

6.1.2.3.5. geographic subdivisions such as street addresses

6.1.2.3.6. ZIP codes & County

6.1.2.3.7. Medical record numbers and health plan beneficiary number

6.1.2.3.8. Certificate numbers or account numbers

6.1.2.3.9. Social security number

6.1.2.3.10. Driver license number

6.1.2.3.11. Biometric identifiers, including voice or fingerprints

6.1.2.3.12. Photos of the full face or recognizable features

6.1.2.3.13. Any unique number-based code or characteristic

6.1.2.3.14. The individual’s past, present, and future physical or mental health or condition

6.1.2.3.15. The provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual

6.2. Integrity

6.2.1. Integrity is the ability to make sure that a system and its data have not been altered or compromised. It ensures that the data is an accurate and unchanged representation of the original secure data.

6.3. Availability

6.3.1. Availability means that a system or application must be “available” to authorized users at all times. According to the CVSS Version 3 specification, the availability metric “measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.”

7. SDN and the traditional management, control, & data plane

7.1. Software-defined networking

7.1.1. Software-defined networking introduced the notion of a centralized controller. The SDN controller has a global view of the network, and it uses a common management protocol to configure the network infrastructure devices. The SDN controller can also calculate reachability information from many systems in the network and pushes a set of flows inside the switches. The flows are used by the hardware to do the forwarding. Here you can see a clear transition from a distributed “semi-intelligent brain” approach to a “central and intelligent brain” approach.

7.2. Control & Data Plane changes

7.2.1. The big change was in the control and data planes in software-based switches and routers (including virtual switches inside of hypervisors). For instance, the Open vSwitch project started some of these changes across the industry.

7.3. Management Plane changes

7.3.1. SDN benefits apply to both physical switches and virtual switches. SDN is now widely adopted in data centers. A great example of this is Cisco ACI.

8. 1.3 Security Terms

8.1. Threat Intelligence

8.1.1. Threat intelligence is knowledge about an existing or emerging threat.

8.1.1.1. Threat Intelligence Standards (STIX, TAXII, CybOX, OpenIOC, etc.)

8.1.1.1.1. Structured Threat Information eXpression (STIX)

8.1.1.1.2. Trusted Automated eXchange of Indicator Information (TAXII)

8.1.1.1.3. Cyber Observable eXpression (CybOX)

8.1.1.1.4. Open Indicators of Compromise (OpenIOC)

8.1.1.1.5. Open Command & Control (OpenC2)

8.1.1.1.6. STAXX

8.1.2. Includes

8.1.2.1. Context

8.1.2.2. Mechanisms

8.1.2.3. Indicators of Compromise (IoCs)

8.1.2.4. Implications

8.1.2.5. Actionable Advice

8.2. Threat Intelligence Platform (TIP)

8.2.1. Many organizations deploy their own threat intelligence platforms (TIPs) to aggregate, correlate, and analyze threat intelligence information from multiple sources in near real-time.

8.2.2. Supports

8.2.2.1. Threat intelligence collection

8.2.2.2. Data correlation

8.2.2.3. Enrichment and contextualization

8.2.2.4. Analyze

8.2.2.5. Integrations with other security systems

8.2.2.6. Act

8.3. Malware Analysis

8.3.1. The study of determining the functionality of a given malware sample (for example, a virus).

8.4. Threat Actor

8.4.1. Also called a bad actor or malicious actor.

8.5. Playbooks, Runbooks, & Runbook Automation

8.5.1. Organizations need to have capabilities to define, build, orchestrate, manage, and monitor the different operational processes and workflows.

8.5.2. Runbook

8.5.2.1. A runbook is a collection of procedures and operations performed by system administrators, security professionals, or network operators. According to Gartner (referring to runbook automation, RBA), “the growth of RBA has coincided with the need for IT operations executives to enhance IT operations efficiency measures.”

8.5.3. Metrics to measure effectiveness

8.5.3.1. Mean time to repair (MTTR)

8.5.3.2. Mean time between failures (MTBF)

8.5.3.3. Mean time to discover a security incident

8.5.3.4. Mean time to contain or mitigate a security incident

8.5.3.5. Automation of the provisioning of IT resources

8.5.4. Example

8.5.4.1. Rundeck

8.6. Reverse Engineering

8.6.1. Methodology for acquiring architectural information about anything originally created by someone else

8.7. Sliding Windows Anomaly Detection

8.7.1. Traffic anomaly detection limited to a fixed-length window of recent traffic; the window slides forward as new data arrives, so only the most recent period is compared against the baseline.

8.8. Principle of Least Privilege

8.8.1. All users—whether they are individual contributors, managers, directors, or executives—should be granted only the level of privilege they need to do their jobs, and no more. Also known as "need to know".

8.9. Zero Trust

8.9.1. A strategic approach to security that centers on the concept of eliminating trust from an org's network architecture

8.9.2. Zero Trust Security

8.10. Separation of Duties

8.10.1. Separation of duties is an administrative control dictating that a single individual should not perform all critical- or privileged-level duties. The goal is to safeguard against a single individual performing sufficiently critical or privileged actions that could seriously damage a system or the organization as a whole.

8.11. Data Loss Prevention (DLP)

8.11.1. Data loss prevention is the ability to detect any sensitive emails, documents, or information leaving your organization.

8.11.2. Integrations

8.11.2.1. Cisco ESA

8.11.2.1.1. RSA email DLP for outbound email traffic

8.11.2.2. Cisco Cloud Email Service & Hybrid Email Security

8.11.2.2.1. Their own DLP engine.

8.11.2.3. Cisco WSA

8.11.2.3.1. can redirect outbound traffic to a third-party DLP solution.

8.12. OWASP Top 10

8.12.1. OWASP lists the top 10 most common vulnerabilities against applications at the following address: www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

8.12.1.1. Common Attack

8.12.1.1.1. Cross-Site Request Forgery (CSRF or XSRF)

8.12.1.1.2. Cross-Site Scripting

8.12.1.1.3. Command Injection

8.13. Chain of custody

8.13.1. Chain of custody is how you document and preserve evidence from the time you started a cyber forensics investigation to the time the evidence is presented at court or to your executives (in the case of an internal investigation).

8.14. Script Kiddies

8.14.1. People who use existing “scripts” or tools to hack into computers and networks; however, they lack the expertise to write their own scripts.

8.15. Digital Forensics

8.15.1. Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court.”) Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains to the files on a hard drive.

8.15.2. Examples

8.15.2.1. Computers

8.15.2.2. Smartphones

8.15.2.3. Tablets

8.15.2.4. Network Infrastructure Devices

8.15.2.5. Network Management Systems

8.15.2.6. Printers

8.15.2.7. IoT Devices

8.16. Indicator of Compromise (IoC)

8.16.1. One aspect of threat intelligence, which is the knowledge about an existing or emerging threat to assets, including networks and systems.

9. 1.7 CVSS

9.1. Attack Vector

9.2. Attack Complexity

9.3. Privileges Required

9.4. User Interaction

9.5. Scope

10. 1.8 Interpret 5 Tuple Approach to isolate compromised hosts
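Added example (not from the original notes) of the 5-tuple approach named above: starting from a known-bad address, find which internal host has flows to it, then pull every distinct 5-tuple that host took part in to scope the compromise, and emit the extended-ACL lines that would isolate it. The NetFlow-style export, the indicator address (a documentation-range placeholder, not a real IoC) and all function names are constructed for this example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style export. 198.51.100.7 plays the role of an address
# received from a threat-intelligence feed (placeholder, not a real indicator).
FLOW_EXPORT = """\
start,proto,src_ip,src_port,dst_ip,dst_port,bytes
2024-01-01T09:00:00Z,tcp,10.1.1.20,49152,198.51.100.7,443,18342
2024-01-01T09:00:05Z,udp,10.1.1.20,53011,10.1.1.53,53,120
2024-01-01T09:01:10Z,tcp,10.1.1.20,49160,10.1.2.15,445,902114
2024-01-01T09:02:00Z,tcp,10.1.1.21,49170,192.0.2.44,443,5120
2024-01-01T09:03:00Z,tcp,10.1.1.20,49171,198.51.100.7,443,22010
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address space


def parse_flows(text):
    """Each record becomes its 5-tuple (proto, src_ip, src_port, dst_ip, dst_port)."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": row["start"],
            "tuple": (row["proto"], row["src_ip"], int(row["src_port"]),
                      row["dst_ip"], int(row["dst_port"])),
            "bytes": int(row["bytes"]),
        })
    return flows


def hosts_contacting(flows, indicator):
    """Internal hosts found on the other end of any flow with the indicator,
    whichever direction the flow was recorded in."""
    hosts = set()
    for flow in flows:
        _, sip, _, dip, _ = flow["tuple"]
        for local, remote in ((sip, dip), (dip, sip)):
            if remote == indicator and ipaddress.ip_address(local) in INTERNAL:
                hosts.add(local)
    return hosts


def host_activity(flows, host):
    """Every distinct 5-tuple the host took part in, with byte totals, so the
    analyst can see what else it touched (here: DNS, an internal SMB share)."""
    totals = defaultdict(int)
    for flow in flows:
        t = flow["tuple"]
        if host in (t[1], t[3]):
            totals[t] += flow["bytes"]
    return dict(totals)


def isolation_acl(host):
    """Extended-ACL lines (IOS syntax) that block the host in both directions."""
    return [f"deny ip host {host} any", f"deny ip any host {host}"]


if __name__ == "__main__":
    flows = parse_flows(FLOW_EXPORT)
    for host in sorted(hosts_contacting(flows, "198.51.100.7")):
        print(f"host {host} contacted the indicator; activity:")
        for five_tuple, total in sorted(host_activity(flows, host).items()):
            print(f"  {five_tuple} {total} bytes")
        print("\n".join(isolation_acl(host)))
```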

11. 1.4 Compare Security Concept

11.1. What is an Exploit?

11.1.1. An exploit refers to a piece of software, a tool, a technique, or a process that takes advantage of a vulnerability that leads to access, privilege escalation, loss of integrity, or denial of service on a computer system.

11.1.2. Zero-Day Exploit

11.1.2.1. Sometimes no one may even know the vulnerability exists, and it is exploited. That is known as a zero-day exploit.

11.2. What is a Threat?

11.2.1. A threat is any potential danger to an asset.

11.3. What is a vulnerability?

11.3.1. A vulnerability is a weakness in the system design, implementation, software, or code or the lack of a mechanism.

12. 1.5 The Principles of the Defense-in-Depth Strategy

12.1. A layered and cross-boundary “defense-in-depth” strategy is what is needed to protect your network and corporate assets.

12.2. Layers

12.2.1. Nontechnical activities

12.2.1.1. Nontechnical activities such as appropriate security policies and procedures and end-user and staff training.

12.2.2. Physical Security

12.2.2.1. Physical security controls, including cameras, physical access control (such as badge readers, retina scanners, and fingerprint scanners), and locks.

12.2.3. Network Security

12.2.3.1. Network security best practices, such as routing protocol authentication, control plane policing (CoPP), network device hardening, and so on.

12.2.4. Host Security

12.2.4.1. Host security solutions such as advanced malware protection (AMP) for endpoints, antiviruses, and so on.

12.2.5. Application Security

12.2.5.1. Application security best practices such as application robustness testing, fuzzing, defenses against cross-site scripting (XSS), cross-site request forgery (CSRF) attacks, SQL injection attacks, and so on.

12.2.5.1.1. SQL Injection

12.2.6. Data network traversal

12.2.6.1. You can employ encryption at rest and in transit to protect data.

12.3. Role-based Network Security Approach

12.3.1. When applying defense-in-depth strategies, you can also look at a roles-based network security approach for security assessment in a simple manner. Each device on the network serves a purpose and has a role; subsequently, you should configure each device accordingly.

12.3.2. Planes

12.3.2.1. Management

12.3.2.1.1. This is the distributed and modular network management environment.

12.3.2.2. Control

12.3.2.2.1. This plane includes routing control. It is often a target because the control plane depends on direct CPU cycles.

12.3.2.3. User/Data

12.3.2.3.1. This plane receives, processes, and transmits network data among all network elements.

12.3.2.4. Services

12.3.2.4.1. This is the Layer 7 application flow built on the foundation of the other layers.

12.3.2.5. Policies

12.3.2.5.1. The plane includes the business requirements. Cisco calls policies the “business glue” for the network. Policies and procedures are part of this section, and they apply to all the planes in this list.

12.4. Defense in Depth | CISA

13. Understanding global threat correlation capabilities

13.1. Cisco NGIPS devices include global correlation capabilities that utilize real-world data from Cisco Talos. Cisco Talos is a team of security researchers who leverage big-data analytics for cybersecurity and provide threat intelligence for many Cisco security products and services. Global correlation allows an IPS sensor to filter network traffic using the “reputation” of a packet’s source IP address. The reputation of an IP address is computed by Cisco threat intelligence using the past actions of that IP address. IP reputation has been an effective means of predicting the trustworthiness of current and future behaviors from an IP address.

14. Security Operations Centers (SOCs)

14.1. are facilities where an organization’s assets, including applications, databases, servers, networks, desktops, and other endpoints, are monitored, assessed, and protected.

14.2. Addresses these security concerns

14.2.1. How can you detect a compromise in a timely manner?

14.2.2. How do you triage a compromise to determine the severity and the scope?

14.2.3. What is the impact of the compromise to your business?

14.2.4. Who is responsible for detecting and mitigating a compromise?

14.2.5. Who should be informed or involved, and when do you deal with the compromise once detected?

14.2.6. How and when should you communicate a compromise internally or externally, and is that needed in the first place?

14.3. SOCs need these in order to be effective

14.3.1. Executive sponsorship

14.3.2. SOC operating as a program. Organizations should operate the SOC as a program rather than a single project.

14.3.3. A governance structure

14.3.4. Effective team collaboration

14.3.5. Access to data and systems

14.3.6. Applicable processes and procedures

14.3.7. Team skill sets and experience

14.3.8. Budget (for example, will it be handled in-house or outsourced?)

15. 1.6 Access Control

15.1. Access control process key concepts

15.1.1. Asset/Data Classification/Data States

15.1.1.1. The process of classifying data based on the risk to the organization, using the CIA triad.

15.1.2. Asset Marking

15.1.2.1. Marking and labeling assets.

15.1.3. Access Policy Definition

15.1.3.1. The process of defining policies that govern access to an asset.

15.1.4. Data Disposal

15.1.4.1. The process of disposing of or eliminating an asset or data.

15.2. Overview of Access Control Models // Pros & Cons of Access Control Models // Main Characteristics of each

15.2.1. Discretionary Access Control (DAC)

15.2.1.1. Access decisions & permissions are decided by the object owner (DoD - Trusted Computer System Evaluation Criteria).

15.2.1.1.1. Pro

15.2.1.1.2. Con

15.2.1.2. Main Characteristic

15.2.1.2.1. In the DAC model, authorization is decided by the object owner, access permissions are associated with the object, and access control is enforced by access control lists.

15.2.2. Mandatory Access Control (MAC)

15.2.2.1. Access decisions are enforced by the access policy enforcer (for example, the OS) using security labels (DoD - Trusted Computer System Evaluation Criteria).

15.2.2.1.1. Pro

15.2.2.1.2. Con

15.2.2.2. Main Characteristic

15.2.2.2.1. In the MAC model, the OS or policy enforcer decides whether to grant access, not the owner; this policy is enforced by security labels.

15.2.3. Role-based Access Control (RBAC)

15.2.3.1. Access decisions are based on the role or function of the subject (INCITS 359-2004).

15.2.3.1.1. Pro

15.2.3.1.2. Con

15.2.3.2. Main Characteristic

15.2.3.2.1. In the RBAC model, decisions are based on the role of the subject, which the organization assigns based on policy; permissions are tied to roles, not users.

15.2.4. Attribute-based Access Control (ABAC)

15.2.4.1. Access decisions are based on the attributes or characteristics of the subject, object, & environment (NIST SP 800-162).

15.2.4.1.1. Pro

15.2.4.1.2. Con

15.2.4.2. Main Characteristic

15.2.4.2.1. In the ABAC model, decisions are made based on the attributes associated with subjects, objects, or the environment. These attributes are characteristics of the subject, object, or environment. User role, identity, and security classification can all be considered attributes.

15.3. Access control types based on purpose

15.3.1. Administrative Controls

15.3.1.1. Policies, procedures around definitions of access controls, definitions of information classifications, roles, responsibilities, and anything needed to manage access control from the administrative perspective.

15.3.1.2. Subtypes

15.3.1.2.1. Operational

15.3.1.2.2. Security Policies & Procedures

15.3.1.2.3. Security Education & Training

15.3.1.2.4. Auditing & Monitoring Policies

15.3.2. Physical Controls

15.3.2.1. Are aimed at protecting physical boundaries and employee safety.

15.3.3. Technical Controls

15.3.3.1. Also called logical controls; technological controls such as firewalls, IPSs, IAM systems, and encryption.

15.4. Risk & Risk Analysis

15.4.1. Risk

15.4.1.1. In the world of cybersecurity, risk can be defined as the possibility of a security incident (something bad) happening.

15.4.2. Federal Financial Institutions Examination Council (FFIEC)

15.4.2.1. Developed the Cybersecurity Assessment Tool (Assessment) to help financial institutions identify their risks and determine their cybersecurity preparedness.

15.4.2.2. Inherent Risk Profile and Cybersecurity Maturity

15.4.2.2.1. The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place.

15.4.2.3. The International Organization for Standardization (ISO) 27001

15.4.2.3.1. This is the international standard for implementing an information security management system (ISMS). ISO 27001 is heavily focused on risk-based planning to ensure that the identified information risks (including cyber risks) are appropriately managed according to the threats and the nature of those threats.

15.4.2.4. ISO/IEC 27005 Information technology—Security techniques—Information security risk management

15.4.2.4.1. Establish the risk management context; quantitatively or qualitatively assess risks; treat risks; keep stakeholders informed; monitor and review risks.

15.4.3. Common Weakness Scoring System (CWSS)

15.4.3.1. A methodology for scoring software weaknesses. CWSS is part of the Common Weakness Enumeration (CWE) standard.

15.4.4. Common Misuse Scoring System (CMSS)

15.4.4.1. A standardized way to measure software feature misuse vulnerabilities. More information about CMSS is available at http://scap.nist.gov/emerging-specs/listing.html#cmss

15.4.5. Common Configuration Scoring System

15.4.5.1. More information about CCSS can be found at http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf