
Lecture 1-1


12 Questions

Explain what secrecy, confidentiality and privacy mean as cybersecurity goals.

Secrecy: Methods to restrict access to information (e.g., cryptography, access control). Confidentiality: Duty to protect others' secrets. Privacy: Right to control your personal information and space.

Explain what IaaS, PaaS and SaaS are and give examples of how you would use them for your tech startup.

Infrastructure as a service provides scalable and automated computer resources for monitoring, networking and storage. I will use this to create virtual servers to store data, monitor them virtually and configure the network so that the users can use it safely and efficiently. Platform as a service allows developers to implement and deliver applications within the cloud environment. This will help the developers in my company to focus on coding without worrying about the infrastructure. Software as a service is using cloud-based software with a subscription. This is for the non-coding employees: cloud-based software will allow them to access their work materials anywhere they want and on any device, as long as they have internet. They can use collaborative apps and work more effectively.

Caution with SaaS

A personal device cannot access on-premise resources, but if that device gets hacked, the hacker could open the employee's corporate email and access the SaaS applications on the device to steal or destroy company data. If the employee uses the same password for their personal and work email, it can lead to compromise through brute force or password guessing.

Explain what Multifactor Authentication (MFA) is and provide an example.

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring multiple forms of verification. For example, when you log into your corporate account, you may receive a one-time password on your mobile device that you need to enter in addition to your regular password. This makes it significantly harder for a hacker to compromise your account because they would need both your login credentials and access to your mobile device.

Explain what "Shadow IT" means and why it is problematic.

Shadow IT refers to the use of software, applications, or services that are installed on organizational devices without the explicit approval or knowledge of IT. The main issue is that the IT managers do not have the visibility to know how the employees are using them, which can lead to security vulnerabilities, data fragmentation, and loss of control over the technology environment.

What could be the threat and countermeasure when data is at rest on the user's device, on the server's on-premise hard drive, or on a cloud server?

Threat: an unauthorized or malicious process could read and modify the data. Countermeasure: file-level or disk encryption.

What could be the threat and countermeasure when data is in transit?

Threat: a man-in-the-middle attack could read and modify the data. Countermeasure: SSL/TLS with a valid certificate.

What are the top causes of the costliest data breaches, in order?

Malware, lack of trained employees, phishing and social engineering, targeted attack, ransomware, government sponsored attack

What is the process to perform a targeted attack?

The attacker has a specific target in mind when he/she creates a plan of attack. During this phase, the attacker will spend a lot of time and resources to gather information to carry out the attack. The objective is to stay within the target's network for a long period of time and move around and compromise different systems until the goal is met.

Explain the two metrics that evaluate the performance of the Red Team.

Mean Time to Compromise (MTTC): This starts counting from the time the Red Team started the attack to the time they compromised the target. Mean Time to Privilege Escalation (MTPE): This starts at the same point as the previous metric but goes until the target is fully compromised, that is, until the Red Team has administrative privileges.

Explain the two metrics that evaluate the performance of the Blue Team.

Estimated Time to Detection (ETTD) and Estimated Time to Recovery (ETTR)

What does the Blue Team do when the Red Team is able to breach the system?

Save evidence: It is important to save evidence during the incident so that you have information to analyze, justify and mitigate in the future.
Validate the evidence: Not every single alert or piece of evidence will lead to a valid attempt to compromise. When it does, it needs to be catalogued as an indication of compromise (IOC).
Engage whoever is necessary: At this point, the Blue Team must know what to do with the IOC and which teams should be aware of it. Engage all relevant teams, which may vary according to the organization.
Determine the urgency of the incident: Sometimes the Blue Team must get involved with law enforcement, or they may need a warrant to perform further investigation.
Scope the breach: At this point, the Blue Team has enough information to scope the breach.
Create a remediation plan: The Blue Team should put together a remediation plan to either isolate or evict the adversary.
Execute the plan: Once the plan is finished, the Blue Team needs to execute it and recover from the breach.
