Security - dennisholee/notes GitHub Wiki
Information Security
Information security is defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
# | Principles | Description |
---|---|---|
1. | Confidentiality | Information should only be accessed or disclosed to authorized individuals, entities or processes. |
2. | Integrity | Safeguarding the accuracy and completeness of assets. |
3. | Availability | Accessible and usable upon demand by an authorized entity. |
4. | Non-Repudiation | Ability to prove the occurrence of an action in such a way that the action cannot be repudiated later. |
5. | Accountability | Ensure the identity of the individual, with any type of action, in the information system can be traced. |
6. | Authenticity | The property that entities such as users, processes, systems, and information are genuine and can be verified to be what they claim to be. |
7. | Reliability | Consistency in the intended behaviors and results. |
Cybersecurity
Ability to protect or defend cyberspace users from cyberattacks.
Cyber Resiliency
- Identify
- Protect
- Detect
- Respond
- Recover
Confidentiality
- Sensitivity
- Discretion
- Criticality
- Concealment
- Secrecy
- Privacy
- Seclusion
- Isolation
Security Controls
- Encryption
- Access Control
- Steganography - A method of hiding a secret message inside of other data.
Integrity
Prevention of unauthorised alterations to data
Security Controls
- Hashing
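As an added example (not from this wiki), the following Python shows hashing used as an integrity control: a SHA-256 digest detects a modified message, and a keyed HMAC additionally prevents an attacker who can rewrite the data from simply publishing a matching new digest. The message, the key and the "tampered" variant are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample asset whose integrity we want to protect.
ORIGINAL = b"transfer 100.00 to account 12345\n"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as a hex string."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def integrity_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: without the key an attacker who alters the data
    cannot produce a matching tag, unlike a bare (unkeyed) hash."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, tag_hex: str) -> bool:
    """Constant-time verification of an HMAC tag."""
    return hmac.compare_digest(integrity_tag(data, key), tag_hex)


def demo() -> dict:
    """Show what a bare hash catches and what only a keyed tag catches."""
    digest = sha256_hex(ORIGINAL)
    tampered = ORIGINAL.replace(b"12345", b"99999")
    key = b"constructed-demo-key"  # constructed; a real key comes from a KMS
    tag = integrity_tag(ORIGINAL, key)
    return {
        # A stored digest detects a change to the data...
        "original_ok": verify_digest(ORIGINAL, digest),
        "tampered_ok": verify_digest(tampered, digest),
        # ...but if the attacker can also replace the digest, a bare hash
        # cannot tell: the recomputed digest of the tampered data verifies.
        "tampered_with_forged_hash": verify_digest(tampered, sha256_hex(tampered)),
        # A keyed tag cannot be forged without the key.
        "tampered_tag_ok": verify_tag(tampered, key, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical point for the Integrity control above: a bare hash is only an integrity control when the digest itself is stored or transmitted somewhere the attacker cannot rewrite; otherwise use a keyed tag (HMAC) or a digital signature.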
Availability
Access Controls
Types of Controls
Types of Controls | Description | Example |
---|---|---|
Administrative / Management | Implemented as policies, procedures, rules and regulations, and other types of directives or governance. | Personnel policies |
Technical / Operational | Most often associated with security professionals. | Firewalls, proxy servers, virtual private network (VPN) concentrators, encryption techniques, file and folder permissions, and so on. |
Physical | Protect people, equipment, and facilities. | Fences, closed-circuit television cameras, guards, gates, and restricted areas. |
# | Control | Description | Guidance | Family | Class | ISO 17799 | COBIT | PCI-DSS |
---|---|---|---|---|---|---|---|---|
AC-03 | Access Enforcement | The information system enforces assigned authorizations for controlling access to the system in accordance with the applicable policy. | Access Control Policies, | Access Control | Technical | 11.2.4, 11.4.5 | PO2.3, AI2.4, DS11.6 | 7.1.4 |
Src: https://www.opensecurityarchitecture.org/cms/library/0802control-catalogue
Operational Technology (OT)
- Supervisory Control and Data Acquisition (SCADA)
- Distributed Control Systems (DCS)
- Programmable Logic Controllers (PLC)
- Manufacturing Execution Systems (MES)
AAA
- Identification
- Authentication
- Authorization
- Auditing
- Accounting / accountability
- Auditing - internal process of providing a manual or systematic measurable technical assessment.
- Accounting - logging of access and use of information resources.
- Accountability - the process of tracing actions to the source.
Describes the Attack:
- Attack Vector: the 'route' by which an attack was carried out. SQLi is typically carried out using a browser client to the web application. The web application is the attack vector (possibly also the Internet, the client application, etc.; it depends on your focus).
- Exploit: the method of taking advantage of a vulnerability. The code used to send SQL commands to a web application in order to take advantage of the unsanitized user inputs is an 'exploit'.
Describes the Target:
- Attack Surface: describes how exposed one is to attacks. Without a firewall to limit which ports are reachable, your 'attack surface' is all the ports. Blocking all ports but port 80 reduces your 'attack surface' to a single port.
- Vulnerability: a weakness that exposes risk. Unsanitized user inputs can pose a 'vulnerability' to SQL injection.
Network Security
- NAC - Network Admission Control
- NAP - Network Access Protection
Advanced Persistent Threat (APT)
- Computer Incident Response Team (CIRT)
- Tactics, Techniques and Procedures (TTP)
- Control Objectives for Information and Related Technology (COBIT)
Assets
- Sensitive data
- Hardware
- Storage media
Sensitive Data
- Personally Identifiable Information (PII)
- Protected health information (PHI)
- Proprietary Data
Data classification
- Assign a value to information assets based on its sensitivity to loss or disclosure.
- US Government / Military:
  - Top secret
  - Secret
  - Confidential
  - Unclassified
- Content-based classification inspects and interprets files looking for sensitive information
- Context-based classification looks at application, location, or creator among other variables as indirect indicators of sensitive information
- User-based classification depends on a manual, end-user selection of each document. User-based classification relies on user knowledge and discretion at creation, edit, review, or dissemination to flag sensitive documents.
src: https://digitalguardian.com/blog/what-data-classification-data-classification-definition
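As an added illustration of content-based classification (example code, not from this wiki or the cited blog), the Python below inspects document text for indicators of the sensitive data types listed earlier (PII, PHI and payment-card numbers, the last validated with the Luhn check so that random digit runs are not flagged) and assigns a handling label. The documents, the indicator patterns and the label scheme (Internal / Confidential / Restricted) are constructed for the example; none of the numbers are real identifiers.

```python
import re

# Constructed sample documents; no real identifiers.
DOCS = {
    "newsletter.txt": "Join us Friday for the quarterly all-hands in the main hall.",
    "claims.csv": "id,patient,dob\n17,Jane Roe,1980-02-11\nDiagnosis: asthma",
    "orders.txt": "Card on file: 4111 1111 1111 1111 exp 09/27",
    "hr.txt": "Employee SSN 123-45-6789 on file, contact j.roe@example.com",
}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # US SSN layout
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")        # candidate PAN runs
PHI_TERMS = ("diagnosis", "patient")                  # crude health-context hints


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_indicators(text: str) -> set:
    """Return the set of sensitive-data categories detected in the text."""
    found = set()
    if EMAIL_RE.search(text) or SSN_RE.search(text):
        found.add("PII")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("PCI")
    if any(term in text.lower() for term in PHI_TERMS):
        found.add("PHI")
    return found


def classify(text: str) -> str:
    """Map detected indicators to a constructed three-level label scheme."""
    indicators = find_indicators(text)
    if indicators & {"PHI", "PCI"}:   # strictest handling requirements
        return "Restricted"
    if "PII" in indicators:
        return "Confidential"
    return "Internal"


def classify_all(docs: dict = DOCS) -> dict:
    return {name: classify(text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, label in classify_all().items():
        print(f"{name}: {label}")
```

Content-based classification of this kind is only as good as its patterns, which is why the text pairs it with context-based (where the file lives, who created it) and user-based labelling.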
Threat Modelling
Trike Threat Modeling
**Acceptable Risk Focused**
Process of Attack Simulation and Threat Analysis (PASTA)
**Attacker Focused**
The PASTA threat modeling methodology combines an attacker-centric perspective on potential threats with risk and impact analysis. The outputs are asset-centric. Also, the risk and business impact analysis of the method elevates threat modeling from a “software development only” exercise to a strategic business exercise by involving key decision makers in the process.
PASTA threat modeling works best for organizations that wish to align threat modeling with strategic objectives because it incorporates business impact analysis as an integral part of the process and expands cybersecurity responsibilities beyond the IT department.
STRIDE Threat Modeling
**Developer Focused**
# | Risk | Concerns | Mitigation |
---|---|---|---|
1 | Spoofing | Authenticity | Authentication |
2 | Tampering | Integrity | Validation, Supply Chain |
3 | Repudiation | Non-repudiation | Auditing, digital signatures |
4 | Information disclosure | Confidentiality | Encryption |
5 | Denial of service | Availability | |
6 | Elevation of privilege | Authorization | Access controls |
VAST Threat Modeling
**Enterprise Focused**
Business Continuity Planning Process
- Project scope and planning
  - Business organisation analysis
  - BCP team selection
  - Resource requirements
  - Legal and regulatory requirements
- Business impact assessment
  - Identify priorities / critical assets
  - Conduct risk assessment
    - Likelihood assessment
    - Impact assessment
  - Resource prioritisation
- Continuity planning
  - Strategy development
  - Provisions and processes
  - Plan approval
  - Plan implementation
  - Training and education
- Approval and implementation
- BCP documentation
Law
Criminal law
Civil law
Administrative law
Regulatory
General Data Protection Regulation (GDPR)
- European Union (EU) has a new data protection law
- Replaces EU Data Protection Directive
- Applies to all organisations that process personal data and operate within, or sell goods to, the EU
- Personal data shall be:
  - Processed lawfully, fairly and in a transparent manner
  - Collected for specified, explicit and legitimate purposes
  - Adequate, relevant and limited to what is necessary
  - Accurate and, where necessary, kept up to date
  - Retained only for as long as necessary
  - Processed in an appropriate manner to maintain security
Data Controller & Data Processor
- Data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed.
- Data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller's own employees).
Data States
- Data at Rest
- Data in Transit / Motion
- Data in Use
Advanced Persistent Threat
- Penetration Testing & Red-team
- Identity and Access Management
- Network Security Assessment
- Security Logging and Monitoring onboarding
- Privileged Access Management
- Cryptography governance and Key Management frameworks
- Governance and Management Advisory on
  - ICS and Privacy Contractual requirements
  - Privacy Impact Assessments
- SOC
- Data Loss Prevention
- Vulnerability testing and Assessments
- E-Discovery and E-Forensics
- Threat Intelligence
- Cyber incident management & Cyber incident prevention
- Phishing and Email hygiene
- Secure Code Scanning
- Technology Risk Review
- Customer Security Enquiries
- Security Design Review
Authenticator Type
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
# | Type of Authenticator | |
---|---|---|
1 | Memorized secrets | |
2 | Look-up secrets | |
3 | Out-of-band authenticator | |
4 | Single Factor OTP Device | |
5 | Multi Factor OTP Device | |
6 | Single Factor Cryptographic Software | |
7 | Single Factor Cryptographic Device | |
8 | Multi Factor Cryptographic Software | |
9 | Multi Factor Cryptographic Device | |
DNS
# | Threat | Attack | Likelihood | Consequence | Mitigation |
---|---|---|---|---|---|
1 | DNS Flooding | DNS flood aimed at the DNS Server. | Significant | Denial of Service. | Rate Limit. Anti-spoofing rules. |
2 | DNS Flooding | Internal host performing DNS flood against an external victim. | Low | Denial of Service. | |
3 | DNS Flooding | External host performing a DNS flood using our DNS server to attack a victim. | Significant | Denial of Service. | |
4 | DNS Cache Poisoning | DNS cache poisoning affecting sites internal users visit when recursion is turned off or restricted | Significant | | |
5 | DNS Cache Poisoning | DNS cache poisoning affecting sites internal users visit when recursion is turned on and not restricted | High | | |
6 | DNS Cache Poisoning | DNS cache poisoning affecting external users visiting our site when referencing our DNS server | Low | | |
Src: https://www.giac.org/paper/gsna/88/auditing-bind-dns-server-administrators-perspective/105172
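The two mitigations the DNS table relies on, rate limiting (threats 1 and 3) and restricting recursion to internal clients (threats 3 and 5), can be modelled as a small policy run over a query log. The Python below is an added example, not from this wiki or the cited GIAC paper: each source gets a token bucket, and recursive queries for names outside the server's own zones are refused unless the source is on an internal network. The query log, the internal network range, the authoritative zone name and the rate parameters are all constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed policy inputs (placeholders, not a real deployment).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AUTHORITATIVE_ZONES = ("example.test",)   # names we answer for anyone
RATE_PER_SEC = 5.0                        # sustained queries/s per source
BURST = 5                                 # short burst allowed per source

# Constructed query log: (timestamp_seconds, source_ip, qname).
QUERY_LOG = (
    [(0.0, "10.0.0.5", "intranet.example.test"),
     (1.0, "10.0.0.5", "mail.example.org"),
     (2.0, "10.0.0.5", "www.example.net")]
    # an internal host emitting 20 queries in 0.1 s (threat 2 in the table)
    + [(3.0 + i * 0.005, "10.0.0.9", f"host{i}.example.net") for i in range(20)]
    # an external host trying to use us as an open resolver (threat 3)
    + [(5.0, "203.0.113.7", "www.example.org"),
       (5.1, "203.0.113.7", "www.example.test")]
)


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def is_internal(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def is_authoritative(qname: str) -> bool:
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def decide(src: str, qname: str, now: float, buckets: dict) -> str:
    """Return ANSWER, REFUSED (recursion not allowed) or DROP (rate limited)."""
    if not is_authoritative(qname) and not is_internal(src):
        return "REFUSED"            # closes the open-resolver exposure
    if not buckets[src].allow(now):
        return "DROP"               # per-source rate limit
    return "ANSWER"


def run_policy(log=QUERY_LOG) -> dict:
    """Apply the policy to a chronological log; returns per-source outcome counts."""
    buckets = defaultdict(lambda: TokenBucket(RATE_PER_SEC, BURST))
    outcomes = defaultdict(Counter)
    for ts, src, qname in sorted(log, key=lambda e: e[0]):
        outcomes[src][decide(src, qname, ts, buckets)] += 1
    return {src: dict(c) for src, c in outcomes.items()}


if __name__ == "__main__":
    for src, counts in run_policy().items():
        print(src, counts)
```

A per-source limit as modelled here is what protects the server itself (threat 1) and what caps an internal host flooding outward (threat 2); note that a spoofed-source flood defeats it, which is why the table pairs rate limiting with anti-spoofing rules.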