Describe the CIA triad
The CIA triad is not attributed to any single author but rather emerged over time as an article of wisdom among information security professionals. The CIA triad is Confidentiality, Integrity, and Authentication.
Confidentiality – prevents the theft of data, using encryption Algorithms (DES, 3DES, AES & Blowfish).
Integrity – ensures that data is not tampered or altered, using a hashing algorithm (HMAC-SHA1, HMAC-MD5).
Authentication – confirms the identity of the host sending data, using pre-shared keys, RSA Digital signatures.
Compare security deployments
1.2.a Network, endpoint, and application security systems
Network security systems include such products as Firewalls, Intrusion Detection or Prevention Systems (IDS/IPS).
Endpoint security systems vary from home routers to various types of installed software on a personal computer. An Endpoint is a device that is the end or last point attached to a network. Personal computers and laptops are endpoint devices. In modern networks there are many more types of devices that attach to a network as endpoints including cameras, entertainment systems, industrial control, and residential thermostats.
Application security systems encompass measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Agentless and agent-based protections
Agentless protection allows you to monitor one or more computers without having to install an agent. This type of protection is often proposed for virtual machines or cloud-based workloads.
Agent-based protection is traditional antivirus and anti-malware solutions that are installed and run on individual computers.
Legacy antivirus and antimalware refers to agent-based protections.
SIEM, SOAR, and log management
Security Information and Event Management (SIEM) solutions aggregate and correlate data from multiple sources, perform analyses of that data, identify deviations from the norm, and either display the information or take a prescribed action.
Security Orchestration, Automation, and response (SOAR) solutions add threat and vulnerability management, security incident response, and security operations automation to SIEM.
Log Management describes all the activities and processes used to generate, collect, centralize, parse, transmit, store, archive, and dispose of massive volumes of computer-generated log data.
Describe security terms
Threat intelligence (TI)
Threat intelligence refers to a dynamic, adaptive technology that leverages large-scale threat history data to proactively block and remediate future malicious attacks on a network.
A security practice where you look for threats that managed to get past your defenses and have hidden themselves within your environment.
The study or process of determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor.
A threat actor or malicious actor is a person or entity that is responsible for an event or incident that impacts, or has the potential to impact, the safety or security of another entity.
Run book automation (RBA)
A runbook is a collection of procedures and operations performed by system administrators, security professionals, or network operators.
Sliding window anomaly detection
Principle of least privilege
Threat intelligence platform (TIP) – A Cisco product / service offering.
Compare security concepts
Risk (risk scoring/risk weighting, risk reduction, risk assessment)
Risk is the possibility that something bad or unpleasant (a security incident) will happen.
The US Federal Financial Institutions Examination Council (FFIEC) cyber security assessment tool “to help financial institutions identify their risks and determine their cyber security preparedness.”
An assessment consists of two parts:
Inherent Risk Profile and Cybersecurity Maturity. The Inherent risk Profile identifies an institution’s inherent risk before implementing controls. The Cybersecurity maturity includes domains, assessments factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place.
The International Organization of Standardization (ISO) 27001. An international standard for implementing an information security management system.
Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations. [NIST 800-39]
Risk framing, Risk Assessment, Risk Response, Risk Monitoring
Risk scoring/Risk weighting [AKA Risk framing]
The first component of risk management addresses how organizations frame risk or describe the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.
Risk assessments of systems and applications should determine what risks are posed by combinations of threats and vulnerabilities. [NIST 800-61]
A threat is any circumstance or event with the potential to adversely impact an organizations operations, assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
An exploit is a program or piece of code that finds and takes advantage of a vulnerability in an application or system.
Describe the principles of the defense-in-depth strategy
The Cisco defense in depth strategy recommends deploying multiple, overlapping security solutions. These overlapping solutions target different aspects of security, such as securing against insider attacks and securing against technical attacks. These solutions should also be subjected to routine testing and evaluation. Security solutions should also overlap in a way that eliminates any single point of failure.
Compare access control models
1.6. a Discretionary access control – The object owner has the right to decide who has what access.
1.6. b Mandatory access control – Access decisions are enforced by the operating system (OS) based on labels placed by the OS on files and directories.
1.6.c Nondiscretionary access control – A central administrator or authority decides who has what access.
1.6.d Authentication, authorization, accounting (AAA)
Authentication determines who you are such as through the use of a username and password.
Authorization Determines what you can do (think read, write, execute)
Accounting keeps track of what has been done. Think logs.
1.6.e Rule-based access control – if then logic.
1.6.f Time-based access control – Think time of day and day of week logic
1.6.g Role-based access control – Users are assigned roles and roles have defined privileges.
Describe terms as defined in CVSS
The Common Vulnerability Scoring System (CVSS) captures the principal technical characteristics of software, hardware and firmware vulnerabilities. Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities.
CVSS is composed of three metric groups: Base, Temporal, and Environmental.
The Base Score reflects the severity of a vulnerability according to its intrinsic characteristics which are constant over time and assumes the reasonable worst-case impact across different deployed environments.
The Temporal Metrics adjust the Base severity of a vulnerability based on factors that change over time, such as the availability of exploit code.
The Environmental Metrics adjust the Base and Temporal severities to a specific computing environment. They consider factors such as the presence of mitigations in that environment.
1.7.a Attack vector (AV)
This Base metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base Score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater Base Score. Values for Attack Vector are:
Network – the vulnerable component is attached to the network stack and can be accessed over a network.
Adjacent – the vulnerable component is attached to the network stack, but the attack is limited at the protocol level.
Local – The vulnerable component is not attached to the network stack and the attacker’s path is via read/write/execute capabilities. This assumes that the attacker can gain access to the component via the keyboard or other input device, via Telnet or SSH, or via the interaction of some person or user.
Physical – The attack requires the attacker to physically touch or manipulate the vulnerable component.
1.7.b Attack complexity (AC)
This Base metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Values for Attack Complexity are:
Low – The attacker can expect to have access to vulnerable component as Special access or conditions are not required.
High -A successful attack depends on conditions beyond the attacker’s control.
1.7.c Privileges required (PR)
(None, High, Low) This Base metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
1.7.d User interaction
(None, Required) This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.
(Changed, Unchanged) An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. This consequence is represented by the metric Authorization Scope, or simply Scope.
Identify the challenges of data visibility (network, host, and cloud) in detection
Visibility equates to record which equates to logs.
Log collection / management (LM) comprises an approach to collect large volumes of computer-generated log messages (also known as audit records, audit trails, event-logs, etc.).
Security information and event management (SIEM) products combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware.
Identify potential data loss from provided traffic profiles
This is all about log analysis.
Interpret the 5-tuple approach to isolate a compromised host in a grouped set of logs
The 5 tuple is:
– Source IP address
– Destination IP address
– Source port
– Destination port and
Compare rule-based detection vs. behavioral and statistical detection
Rule based detection is based on if then type logic. Dependent on matching rule conditions.
Behavioral detection is based on on statistical characteristics of the data. If data is arriving at a device where a measurement is taken those measurements can be used to create a baseline or average. If some data arrives at the device that exceeds the baseline or average then take some action.
Behavioral and statistical detection are the same. behaviors are determined based on statistics.