Cybersecurity Analyst Responsibilities

  1. Protecting computer and network systems: Requires monitoring and the ability to respond to threats.
  2. Searching for weaknesses: Penetration testing to identify vulnerabilities and suggesting ways to patch them, often by installing prevention software that identifies risks/vulnerabilities.
  3. Conducting security audits: Reviewing security records, activities, and other documents to ensure legal compliance, or ensuring that sensitive information isn’t available to employees.

It ultimately boils down to investigation, response, and implementation.

Some less-obvious terminology

  • Security posture: an organization’s ability to manage its defense of critical assets and data and react to change
  • Security framework: overarching guidelines used for building security plans
  • Security controls: safeguards designed to reduce specific risks
  • SIEM Tools: Security information and event management tools which can analyze security threats, risks, and vulnerabilities
  • IDSs: Intrusion detection systems
  • PII/SPII: (Sensitive) Personally identifiable information
  • Computer security incident response teams (CSIRTs): Respond to incidents
  • Virus: A subset of malware that may replicate through user interaction or otherwise insert its own code
  • Worm: A subset of malware that self-replicates, spreading over a network

Evolution of Cybersecurity

A handful of attacks like the ones below, plus the Morris worm and the Brain virus in the early days of the internet, shaped our current understanding of cybersecurity.

LoveLetter Malware (ILOVEYOU)

Its goal was to steal login credentials. Unsolicited emails were sent with an attachment labeled “Love Letter For You.” When opened, it scanned the user’s address book, resent itself to each person on the list, and installed a program on the host to collect information. It affected 45 million computers and was the first notable example of social engineering, coercing people into believing that a trusted person had sent them the email.

Equifax Data Breach

Affected 40% of the U.S. population, exposing records such as SSNs, driver’s license numbers, credit card numbers, home addresses, etc. It was caused by numerous failures on Equifax’s part, chiefly failing to address multiple vulnerabilities that were known in the months leading up to the attack.

Phishing terminology

  • Business Email Compromise (BEC): A malicious email that appears to come from, and impersonates, a known sender such as a colleague or business partner
  • Spear Phishing: Malicious email attack that targets a specific user/group, originating from what appears to be a trusted sender
  • Whaling: A form of spear phishing that targets company executives
  • Vishing: Exploitation of voice communication to impersonate a trusted source, particularly relevant in the age of generative AI
  • Smishing: Exploitation of SMS to impersonate a trusted source
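As an added example (my own code, not part of the original notes), the following Python checks two of the indicators behind the BEC and spear-phishing definitions above: a display name that matches a known contact but arrives from a different domain, and a Reply-To that points somewhere other than the From domain. The contact directory, the two messages, the domains and the function name sender_indicators are all constructed for this illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of known senders (display name -> domain we expect them from).
# Hypothetical names and domains for this example only.
KNOWN_CONTACTS = {
    "Dana Kim": "example-corp.test",
    "Accounts Payable": "example-corp.test",
}

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators for two BEC-style tricks:
    a known contact's display name on an address outside that contact's domain,
    and a Reply-To whose domain differs from the From domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    expected = KNOWN_CONTACTS.get(from_name.strip())
    if expected and from_domain != expected:
        indicators.append(
            f"display name '{from_name}' is a known contact at @{expected} "
            f"but this mail came from @{from_domain}")

    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = _domain(parseaddr(str(reply_to))[1])
        if reply_domain and reply_domain != from_domain:
            indicators.append(f"Reply-To @{reply_domain} differs from From @{from_domain}")
    return indicators

# Two constructed messages: one impersonating a known contact, one genuine.
SUSPICIOUS = """\
From: Dana Kim <dana.kim@freemail-example.test>
Reply-To: payments@other-mail.test
To: finance@example-corp.test
Subject: Urgent wire transfer

Please process today.
"""

LEGIT = """\
From: Dana Kim <dana.kim@example-corp.test>
To: finance@example-corp.test
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, sender_indicators(raw) or ["no indicators"])
```

Display-name matching is deliberately the weak signal it is: it only catches impersonation of names already in the directory, so in practice it sits beside SPF/DKIM/DMARC results rather than replacing them.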

Social engineering terminology

  • Social media phishing: Collecting detailed information that is publicly available on social media sites
  • Watering hole attack: Employees or groups of people may regularly interact with a certain website (the “watering hole”); knowing this, an attacker can focus on compromising that website instead, getting one step closer to compromising that specific person/group
  • USB baiting: Leaving a malicious USB stick in a target area as an attempt to exploit someone’s curiosity
  • Physical social engineering: Impersonating a specific person or type of person to obtain unauthorized access to sensitive areas

Tactics

  • Intimidation: Bullying tactics or aggressively coercing victims into doing what they’re told
  • Familiarity: Establishing a fake emotional connection
  • Consensus/Social Proof: Taking advantage of people trying to avoid standing out and believing they’re doing what others are doing; “Attacker: I was able to access this sensitive data just fine in the past, you’re making a mistake by making a big deal out of this”
  • Urgency: Threats or allusions to there being limited time to act or question the task

Security Domains

As of 2022, CISSP has identified eight domains to organize the work of cybersecurity professionals, with varying levels of overlap.

  1. Security and Risk Management: Defines security goals and objectives, risk mitigation, compliance, business continuity, and the law (i.e. a sort of high-level domain)
  2. Asset Security: Relates to the storage, maintenance, retention, and destruction of digital data and/or physical assets
  3. Security Architecture and Engineering: Optimizes data security by ensuring effective tools, systems, and processes are in place (e.g. firewall)
  4. Communication and Network Security: Managing and securing physical networks and wireless communication (i.e. preventing employees from connecting to non-company Wi-Fi)
  5. Identity and Access Management: Keeps data secure by ensuring users or employees follow established policies to control and manage physical assets (office spaces) and logical assets (networks/apps)
  6. Security Assessment and Testing: Conducting security audits and collecting and analyzing data to monitor for risks/threats/vulnerabilities (e.g. OpenVAS)
  7. Security Operations: Conducting investigations and implementing preventative measures (i.e. what do you do when you receive an alert of a potential risk)
  8. Software Development Security: Uses secure coding practices to create secure applications/services

Understanding attackers

  • Advanced Persistent Threats (APTs): Have significant expertise in a given organization’s network/systems, with a largely undetected presence, often gaining additional information (possibly intellectual property) or damaging critical infrastructure
  • Insider Threats: Those that abuse their access to commit sabotage, corruption, espionage, or other acts of personal gain
  • Hacktivists: Motivated by a political agenda, usually resulting in demonstrations, propaganda, fame
  • Authorized/Ethical Hackers
  • Semi-Authorized Hackers/Researchers: Searching for vulnerabilities without taking advantage of them
  • Unauthorized/Unethical Hackers

Security Frameworks and Controls

Frameworks allow analysts to work alongside other members of the team to document, implement, and use policies and procedures that have been created. Controls are safeguards designed to reduce security risks, for example, software that tracks which employees have completed mandatory security trainings.

Purpose

  • Securing PII
  • Securing financial information
  • Identifying security weaknesses
  • Managing organizational risks
  • Aligning security with business goals

Components

  1. Identifying and documenting security goals (e.g. are we out of compliance with GDPR?)
  2. Setting guidelines to achieve security goals (e.g. develop new policies on how to handle data for GDPR)
  3. Implementing strong security processes (e.g. how will you handle a user that wants to update their profile information?)
  4. Monitoring and communicating results (e.g. report an issue that may affect GDPR to the relevant official)

CIA Model

  • Confidentiality - Only authorized users have access to certain information, assets, data (e.g. access controls)
  • Integrity - Data is correct, authentic, and reliable. (e.g. encryption to prevent tampering)
  • Availability - Data is accessible to those authorized to access it

Specific Frameworks

NIST

The National Institute of Standards and Technology (NIST) is a U.S.-based agency that develops multiple voluntary compliance frameworks that organizations worldwide can use to help manage risk. Frameworks include CSF (cybersecurity) and RMF (risk management).

FERC-NERC

FERC-NERC, for the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, is a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid.

FedRAMP

The Federal Risk and Authorization Management Program is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers.

CIS

CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs.

GDPR

General Data Protection Regulation is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach.

PCI DSS

Payment Card Industry Data Security Standard is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud.

HIPAA

The Health Insurance Portability and Accountability Act is a U.S. federal law established in 1996 to protect patients’ health information. This law prohibits patient information from being shared without their consent. It is governed by three rules:
Privacy → Security → Breach notification

ISO

International Organization for Standardization was created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services.

Ethical Principles

  • Confidentiality
  • Privacy protection
  • Laws

Standpoints on Counterattacks

Both in the U.S. and internationally, counterattacks are generally disallowed. The U.S. has exceptions only for approved employees of the government or military. Internationally, the ICJ states that a counterattack is reasonable only under a specific set of circumstances: (A) it affects only the attacking party, (B) it is a direct communication asking the attacker to stop, (C) it does not escalate, and (D) it can be reversed.

Ethical Principles and Methodologies

  1. Confidentiality: Only authorized users can access specific data
  2. Privacy protection: Safeguarding information (PII/SPII) from unauthorized use; there is an ethical obligation to secure that information, identify vulnerabilities, and manage risks
  3. Laws: Must remain unbiased and conduct work honestly with the highest respect for the law (e.g. HIPAA), be transparent and just, and stay informed and advance your skills to contribute to the betterment of the cyber landscape

Common Violations of Ethical Principles

Generally speaking, a violation is often the result of slight laziness or otherwise taking shortcuts around procedures without thinking through the consequences.

  • Sharing passwords
  • Giving away private information
  • Poking into systems out of curiosity/personal benefit

Tooling

SIEM Tools

These monitor real-time logs to identify threats and other issues.
- Splunk: A self-hosted data analysis platform that retains, analyzes, and searches log data
- Chronicle: Google’s cloud-native platform that stores data for search and analysis
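The kind of correlation a SIEM rule performs, as an added example in Python that is not code from Splunk, Chronicle or the original notes: it parses constructed sshd-style log lines, counts failed logins per source address within a sliding window, and escalates the alert if the same source then logs in successfully. The sample lines, the threshold of five, and the names detect_brute_force and parse_line are my own choices for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not real data).
SAMPLE_LOGS = """\
2024-03-01T09:00:01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2024-03-01T09:00:03 sshd[2101]: Failed password for root from 203.0.113.7 port 50123 ssh2
2024-03-01T09:00:04 sshd[2101]: Failed password for root from 203.0.113.7 port 50124 ssh2
2024-03-01T09:00:06 sshd[2101]: Failed password for root from 203.0.113.7 port 50125 ssh2
2024-03-01T09:00:09 sshd[2101]: Failed password for root from 203.0.113.7 port 50126 ssh2
2024-03-01T09:00:30 sshd[2150]: Accepted password for root from 203.0.113.7 port 50127 ssh2
2024-03-01T09:05:00 sshd[2210]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T09:05:40 sshd[2211]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_line(line: str):
    """Turn one raw line into a small event dict; unknown lines return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}

def detect_brute_force(log_text: str, threshold: int = 5, window=timedelta(seconds=60)):
    """Return (severity, source, message) alerts.

    medium: one source produced >= threshold failures inside `window`
    high:   that same source later logged in successfully
    """
    alerts = []
    failures = defaultdict(deque)      # src -> timestamps of recent failures
    flagged = set()                    # sources already alerted at medium
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("medium", ev["src"],
                               f"{len(q)} failed logins within {window.seconds}s"))
        elif ev["src"] in flagged:
            alerts.append(("high", ev["src"],
                           f"successful login as {ev['user']} after brute-force pattern"))
    return alerts

if __name__ == "__main__":
    for severity, src, msg in detect_brute_force(SAMPLE_LOGS):
        print(f"[{severity}] {src}: {msg}")
```

The single failure from 198.51.100.4 never reaches the threshold, so a normal user's typo does not page anyone; the five failures followed by an accepted password from 203.0.113.7 produce one medium and one high alert.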

Playbooks

Playbooks vary from organization to organization and are used to guide an analyst on how to handle an incident before, during, and after its occurrence. The first type of playbook you may see is chain of custody, which documents the possession of forensic evidence (say, in a data breach); every time evidence is moved, it should be reported. The second type of playbook you may see involves protecting and preserving evidence. When following this playbook, you follow the order of volatility, prioritizing collecting (or making copies of) the most volatile data in an incident.
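An added example, not from the notes or any particular organization's playbook, that shows both ideas in Python: collection is ordered by the order of volatility as listed in RFC 3227, and every hand-off is written to a custody log together with a fresh SHA-256 of the artifact, so a reviewer can see exactly where an item stopped matching its original hash. The artifacts, handler names, category names and the functions plan_collection and transfer are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Order of volatility as listed in RFC 3227, most volatile first.
# Lower rank means "collect this before anything with a higher rank".
VOLATILITY_RANK = {
    "registers_cache": 0,
    "memory": 1,
    "network_state": 2,
    "running_processes": 3,
    "disk": 4,
    "remote_logs": 5,
    "physical_config": 6,
    "archival_media": 7,
}

@dataclass
class Evidence:
    label: str
    category: str
    data: bytes                       # the artifact itself (placeholder bytes below)
    collected_by: str
    sha256: str = field(init=False)   # hash taken at collection time
    custody_log: list = field(default_factory=list)

    def __post_init__(self):
        if self.category not in VOLATILITY_RANK:
            raise ValueError(f"unknown volatility category: {self.category}")
        self.sha256 = hashlib.sha256(self.data).hexdigest()
        self.custody_log.append({"event": "collected", "by": self.collected_by,
                                 "sha256": self.sha256, "intact": True})

def plan_collection(items):
    """Return the items in the order they should be captured (most volatile first)."""
    return sorted(items, key=lambda e: VOLATILITY_RANK[e.category])

def transfer(evidence: Evidence, from_handler: str, to_handler: str, when=None) -> bool:
    """Log a hand-off. The artifact is re-hashed on every move so the log shows
    the first transfer after which it no longer matched the collection hash."""
    when = when or datetime.now(timezone.utc)
    current = hashlib.sha256(evidence.data).hexdigest()
    intact = current == evidence.sha256
    evidence.custody_log.append({"event": "transfer", "when": when.isoformat(),
                                 "from": from_handler, "to": to_handler,
                                 "sha256": current, "intact": intact})
    return intact

def constructed_items():
    """Sample artifacts for the example; the bytes are placeholders, not real captures."""
    return [
        Evidence("disk image of host-7", "disk", b"<disk image bytes>", "analyst-1"),
        Evidence("process list", "running_processes", b"PID 1 init\nPID 412 sshd\n", "analyst-1"),
        Evidence("RAM capture", "memory", b"<memory dump bytes>", "analyst-1"),
        Evidence("netstat output", "network_state", b"tcp 0 0 10.0.0.5:22 ESTABLISHED\n", "analyst-1"),
    ]

if __name__ == "__main__":
    for e in plan_collection(constructed_items()):
        print(f"{VOLATILITY_RANK[e.category]} {e.category:18} {e.label}")
```

Note that the log records a hash on every move rather than only at the end: if the final hash is wrong, the entry whose intact flag first flipped to False identifies the hand-off to investigate.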

Network Protocol Analyzer (Packet Sniffer)

Captures and breaks down network data
- Wireshark
- tcpdump
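To make “breaks down network data” concrete, here is an added example (my own Python, not code from Wireshark or tcpdump) that builds a synthetic Ethernet II / IPv4 / TCP frame and then dissects it field by field, verifying the IPv4 header checksum and raising on truncated or malformed headers instead of misreading them. The MAC and IP addresses, ports, payload and the function names build_frame and dissect are constructed test values.

```python
import struct

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def ip_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum over an even-length header.
    Returns 0 when run over a header that already carries a correct checksum."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload=b"", flags=0x02):
    """Construct an Ethernet II / IPv4 / TCP frame as input for the dissector.
    Synthetic test data, not captured traffic. TCP checksum is left at 0."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 1000, 0,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill checksum field
    return eth + ip + tcp

TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

def dissect(frame: bytes) -> dict:
    """Break a frame into Ethernet, IPv4 and TCP fields, the way an analyzer's
    summary pane does. Truncated or malformed headers raise ValueError."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"eth_dst": _mac(frame[:6]), "eth_src": _mac(frame[6:12]), "ethertype": ethertype}
    if ethertype != 0x0800:
        return info                                   # not IPv4; stop at layer 2
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _cs, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    info.update(ip_src=_ip(src), ip_dst=_ip(dst), ttl=ttl, proto=proto,
                ip_checksum_ok=ip_checksum(ip[:ihl]) == 0)
    if proto != 6:
        return info                                   # only TCP is decoded here
    tcp = ip[ihl:total_len]                           # honour total_len, ignore trailer padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _tcs, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("malformed TCP data offset")
    info.update(tcp_src_port=sport, tcp_dst_port=dport, seq=seq, ack=ack, window=window,
                tcp_flags=[name for name, bit in TCP_FLAGS if off_flags & bit],
                payload=tcp[data_off:])
    return info

if __name__ == "__main__":
    f = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                    "192.0.2.10", "198.51.100.20", 40000, 443, b"hello")
    for k, v in dissect(f).items():
        print(f"{k:16} {v}")
```

The length checks before every struct.unpack are the point of the exercise: a real analyzer sees truncated captures and deliberately malformed packets all the time, and a dissector that reads past the end of a header is exactly the bug class that has hit packet-parsing code in the past.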