CST3520 Defensive Security


Questions and Answers

Considering the nuances between cybersecurity and defensive security, which strategy MOST accurately embodies a proactive approach within defensive security, demonstrating foresight and anticipatory action rather than mere response?

  • Implementing intrusion detection systems (IDS) solely based on known signature matches to generate reactive incident reports.
  • Deploying honeypots strategically within the network perimeter to attract and analyze potential threat actors' tactics, techniques, and procedures (TTPs). (correct)
  • Utilizing a Security Information and Event Management (SIEM) system solely for correlation of security logs and alerts in real-time to identify ongoing attacks.
  • Establishing a comprehensive incident response plan (IRP) that outlines step-by-step procedures to contain and eradicate detected threats.

In the context of the CIA triad, which cryptographic control MOST effectively addresses the principle of integrity when data resides both at rest and in transit across a highly distributed and heterogenous network?

  • Implementing strong access control lists (ACLs) on all network devices to restrict unauthorized access.
  • Employing full disk encryption concatenated with signed cryptographic hashes for data validation, ensuring data authenticity and non-alteration. (correct)
  • Implementing Transport Layer Security (TLS) with ephemeral key exchange for all network communications.
  • Using a multi-factor authentication (MFA) scheme for user logins to prevent unauthorized access to sensitive data resources.

Given the landscape of cyber threats, which attribution factor MOST definitively differentiates cyberwarfare carried out by a nation-state from cybercrime orchestrated by advanced persistent threat (APT) groups?

  • The utilization of zero-day exploits and custom malware tailored to specific vulnerabilities.
  • The sheer scale and scope of the targeted infrastructure or information assets.
  • The alignment of strategic objectives with the geopolitical interests and doctrines of a particular sovereign nation. (correct)
  • The sophistication and complexity of the attack tools and techniques employed.

When strategizing against competitor threats, under which specific circumstance might commercial espionage be legitimately litigated, and what critical factor determines the viability and potential success of such litigation?

When a company demonstrates that it has provided commensurate and demonstrable reasonable protection for those secrets, with the litigation depending on how that reasonableness reflects the sensitivity of the secret and prevailing industry security practices. (B)

Assuming a scenario where a disgruntled IT security professional seeks to inflict maximum damage within their organization, which strategy capitalizes MOST effectively on their unique advantages and trusted insider status?

Deploying ransomware across critical server infrastructure while simultaneously manipulating SIEM rules to impair anomaly detection capabilities. (C)

In the context of cyberwarfare, what asymmetric advantage does the attack on IT infrastructure offer to a nation-state seeking to augment conventional physical attacks, particularly when facing a technologically superior adversary?

It allows targeting of critical infrastructure with reduced risk of direct military confrontation and avoids international condemnation. (C)

Considering the multifaceted nature of cyberterror threats, which characteristic behavior exemplifies the MOST concerning evolution in how terrorist groups leverage cyber capabilities to amplify their impact and propagate fear?

Disrupting communication infrastructure among first responders during ongoing physical attacks. (A)

Within the realm of malware analysis, what is the fundamental differentiating factor that distinguishes a Trojan horse from other forms of malware, particularly concerning its operational objective upon compromising a target system?

A Trojan masquerades as a legitimate program or file to deceive users and execute malicious activities behind the scenes. (A)

Given an organization's need to safeguard against man-in-the-middle attacks, what advanced cryptographic technique provides the MOST robust end-to-end protection, ensuring confidentiality, integrity, and authentication across all communication channels?

Employing Transport Layer Security (TLS) with certificate pinning on both the client and server side. (C)

In the context of Security Operations Centers (SOCs), which process BEST leverages threat intelligence platforms (TIPs) and advanced analytics to proactively identify emerging threats PRIOR to widespread exploitation?

Threat hunting activities conducted by Tier 3 analysts, focusing on identifying anomalies and patterns indicative of sophisticated attacks that evaded automated detection systems. (A)

Flashcards

What is Cybersecurity?

Protecting systems, networks, programs, and data from digital attacks, unauthorized access, or damage.

What is Defensive Security?

A subset of cybersecurity focused on protecting systems, networks, and data from threats or attacks.

What is Confidentiality?

Ensuring sensitive information isn't read by unauthorized individuals, whether at rest or in transit.

What is Integrity?

Preventing unauthorized modification or destruction of information.


What is Availability?

Ensuring authorized users can access information when needed.


Who are Hackers?

Individuals who attempt to gain unauthorized access to computer systems or networks.


Who are Cybercriminals?

Criminals who use computer skills to commit crimes, such as fraud.


What are Viruses?

Malicious software attached to another program to perform an unwanted function.


What are Worms?

Malicious code that self-replicates, infecting other hosts.


What is Social Engineering?

Manipulating individuals into divulging confidential information.


Study Notes

  • CST3520 is a module on Defensive Security.
  • The Module Coordinator is Dr Maha Saadeh and can be contacted via:
  • The Module Leader is Dr. Anum Kiyani.
  • The course duration is 12 weeks.
  • Time Allocation: 2 hours workshop, 3 hours labs, 1 hour feedback session.
  • Assessments:
    • In-Class Test: 25%
    • Lab Test: 75% (Lab sessions must be attended)
  • Course materials include:
    • Module handbook
    • Lecture notes
    • Core textbooks
    • Recommended textbooks

Cybersecurity & Defensive Security

  • Cybersecurity refers to the practice of protecting systems, networks, programs, and data from digital attacks, unauthorized access, or damage.
  • Cybersecurity covers defensive and offensive strategies aimed at securing information and technology.
  • Defensive Security specializes in protecting systems, networks, and data from potential threats or attacks.
  • Defensive Security tactics include firewalls, encryption, endpoint protection, and monitoring systems.
  • Defensive Security is reaction-oriented: How to respond effectively if an attack occurs.

Introduction - CIA

  • Security Goals
  • Confidentiality: preventing unauthorized access to sensitive information whether it is in storage or transit.
  • Integrity: preventing attackers from changing or destroying information whether it is in storage or transit.
  • Availability means that people who are authorized to use information are not prevented from doing so.

Introduction - Basic Security Terminology

  • The Threat Environment consists of the types of attackers and attacks that companies face.

Types of Threats

  • Hackers
  • Cybercriminals
  • Competitor Threats
  • Employee and Ex-Employee threats
  • Cyberwar and Cyberterror

The Hacker

  • A "Hacker" refers to Internet programmers who try to gain unauthorized access to devices on the Internet.
  • Hackers are individuals who run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers.

Cybercriminals

  • Most attackers are career criminals with traditional criminal motives such as fraud.
  • Traditional criminal attack strategies are adapted to IT attacks (fraud, etc.).
  • Many cybercrime gangs are international, which makes prosecution difficult.
  • Cybercriminals use black market forums.
  • Black market forums are used for:
    • Credit card numbers and identity information
    • Vulnerabilities
    • Exploit software, often sold with update contracts

Cybercriminals - Motivation

  • Fraud: The attacker deceives the victim into doing something against the victim's financial self-interest.
  • Criminals are learning to conduct traditional frauds and new frauds over networks such as click fraud.
  • Financial and Intellectual Property Theft: Stealing money or intellectual property to sell it to other criminals/competitors.
  • Stealing Sensitive Data about Customers and Employees, such as carding (credit card number theft) and bank account theft.

Competitor Threats

  • Commercial Espionage involves attacks on confidentiality by gathering public information from company websites, public documents, and social media profiles of employees.
  • Trade secret espionage can only be litigated if a company has provided reasonable protection for those secrets; reasonableness reflects the sensitivity of the secret and industry security practices.

Employee and Ex-Employee Threat

  • Employees and ex-employees are dangerous because:
    • They have knowledge of internal systems.
    • They often have permission to access systems.
    • They often know how to avoid detection.
    • Employees generally are trusted.
    • IT and especially IT security professionals are the greatest employee threats.

Cyberwar Threat

  • Computer-based attacks by national governments
  • Espionage
  • Cyber-attacks damage financial and communication infrastructure.
  • Augmenting conventional physical attacks involves attacking IT infrastructure, paralyzing enemy command and control, and engaging in propaganda attacks.
  • Example of cyberwar attack: Stuxnet.

Cyberterror Threat

  • Attacks are carried out by terrorists or terrorist groups.
  • IT resources are attacked directly.
  • The Internet is used for recruitment and coordination.
  • The Internet is used to augment physical attacks and to disrupt communication among first responders.
  • Cyberattacks are used to increase terror in physical attacks.
  • Computer crime is used to fund attacks.

Common Attack Vectors Used by Threat Actors

  • Classic Malware includes:
    • Viruses: malicious software that is attached to another program to execute a particular unwanted function
    • Worms: executes code and installs copies in memory, infecting other hosts
    • Trojan Horses: an application written to look like something, when, in fact, it's an attack tool

Social Engineering

  • Social engineering is often used in hacking, and relies on techniques such as:
    • Calls asking for passwords and confidential information
    • E-mail attack messages
    • Piggybacking
    • Shoulder surfing
    • Pretexting etc.
  • Social Engineering is successful because it preys on human weaknesses instead of technological weaknesses.

Denial-of-Service (DoS) Attacks

  • DoS attacks make a server or an entire network unavailable to legitimate users by sending a flood of attack messages to the victim.
  • Distributed DoS (DDoS) Attacks: bots flood the victim with attack packets; the attackers control the bots.

Exploiting Vulnerabilities

  • Vulnerability: A weakness or flaw in software, hardware, or a network that can be exploited by attackers to gain unauthorized access or cause damage.
  • Exploitation occurs through unpatched software bugs, misconfigurations in network devices, weak encryption standards, and outdated protocols.

Defensive Measures

  • The type of attack, as specified by the categorization of reconnaissance, access, or DoS attack, determines the means of mitigating a network threat.

Mitigating Reconnaissance Attacks

  • Protocols with known vulnerability to eavesdropping should have a policy directive implemented and enforced.
  • Encryption that meets data security needs of the organization should be used without imposing an excessive burden on system resources/users.
  • Anti-sniffer tools should be used to detect sniffer attacks.
  • Mitigating Reconnaissance Attacks can be done using switched networks with a firewall and intrusion prevention system (IPS).

Mitigating Access Attacks

  • Mitigation techniques:
    • Strong password security
    • Principle of minimum trust
    • Cryptography
    • Applying operating system and application patches
  • Practices for strong password policy:
    • Disable accounts after a specific number of unsuccessful logins; helps prevent continuous password attempts
    • Do not use plaintext passwords. Use either a one-time password or encrypted password.
    • Strong passwords must contain at least eight characters with a combination of uppercase letters, lowercase letters, numbers, and special characters

Mitigating DoS Attacks

  • The following is required:
    • IPS and firewalls (Cisco ASAs and ISRs)
    • Anti-spoofing technologies
    • Quality of Service (QoS) traffic policing

Packet Sniffer Mitigation

  • Authentication: strong authentication is a first line of defence.
  • Cryptography: if a communication channel is cryptographically secure, the only data a packet sniffer captures is ciphertext.
  • Anti-sniffer tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate.
  • A switched infrastructure does not eliminate the threat of packet sniffers, but it greatly reduces their effectiveness.

Man-in-the-Middle Mitigation

  • Attacks are only effectively mitigated through the use of cryptography (encryption).

The Modern Security Operations Centre

  • Elements of a Security Operations Centre (SOC):
    • Monitoring
    • Management
    • Comprehensive threat solutions
    • Hosted security
  • SOCs can be:
    • In-house, owned and operated by a business.
    • Elements can be contracted out to security vendors.
  • The major elements of a SOC:
    • People
    • Processes
    • Technology

The Modern Security Operations Centre - People in the SOC

  • The SANS Institute classifies the roles people play in a SOC into these job titles:
    • Tier 1 Alert Analyst
    • Tier 2 Incident Responder
    • Tier 3 Subject Matter Expert (SME)/Hunter
    • SOC Manager

The Modern Security Operations Centre - Process in the SOC

  • The modern SOC process includes the following:
    • Tier 1 Alert Analyst begins with monitoring security alert queues.
    • Tier 1 Alert Analyst verifies if an alert triggered in the ticketing software represents a true security incident.
    • The incident can be forwarded to investigators, or resolved as a false alarm.

The Modern Security Operations Centre - Technologies in the SOC

  • Security Information and Event Management (SIEM) systems have these functions:
    • Collect and filter data
    • Detect and classify threats
    • Analyze and investigate threats
    • Implement preventive measures
    • Address future threats

Becoming a Defender - Certifications

  • The following cybersecurity certifications are typically required to become a cybersecurity defender:
    • CCNA Cyber Ops
    • CompTIA Cybersecurity Analyst Certification (CSA+)
    • (ISC)² Information Security Certifications (including CISSP)
    • Global Information Assurance Certification (GIAC)

Becoming a Defender - Further Education

  • Pursue a technical/bachelor's degree in computer science, electrical engineering, information technology, or information security.
  • Computer programming is an essential skill in cybersecurity.
  • Python is an object-oriented, open-source programming language that is routinely used.

Summary

  • Many hackers seek financial gain by stealing/selling sensitive information.
  • Defending a nation against cyberespionage and cyberwarfare is a priority.
  • Loss of competitive advantage follows from the loss of customer trust caused by an inability to protect customers' PII.
  • National security can be disrupted by hackers, as the Stuxnet worm example shows.
  • Key elements of a SOC: people, processes, and technology.
  • Security Operations Centers combat cybercrime.
