REVIEWER-FINALS.pdf

Transcript

REVIEWER FINALS intentionally blocks redundant paths that could
cause a loop.

Router Redundancy
System and Network Defense
Default Gateway – provides devices access
to the rest of the network and/or to the
Cybersecurity Resilience: internet.

- RAID Stroage If there is only one router serving as the
- Spanning Tree default gateway, it is a single point of
- Router Redundancy failure. To avoid this, you can choose to
install an additional standby router.
RAID (Redundant Array of Independent Disks)
Internet of Things – big and collective network
- takes data that is normally stored on a
of connected devices and several technologies
single disk and spreads it out among
which communicates on either device, cloud and
several drives.
even between the devices themselves.
- Increases the speed of data recovery.
- It is usually group to:
Mirroring – stores data, then duplicates and
o General devices – data hub and
stores the same on a second drive.
smart devices
Striping – writes data across multiple drives o Sensing devices – sensors that
so that consecutive segments are stored on measure different parameter and
different drives. performs different intended
action.
Parity – more precisely, striping with parity.
After striping, checksums are generated to Special-Purpose Embedded Systems:
check that no errors exist in the striped data.
Medical Devices
BREAKDOWN OF COMMON RAID LEVELS
- The following devices are capable of
wireless connectivity, remote monitoring,
and Near-Field Communication (NFC).
o Pacemakers
o Insulin pumps
o Medical implants
o Defibrillators
- Vulnerabilities in these medical devices
can lead to patient safety issues, medical
record leaks or the risk of granting access
to the network to cybercriminals, who will
move through it in search of a target.

Automotive

Spanning Tree Protocol (STP) – basic function is - For computer operated vehicle, it connects
to prevent loops on a network when switches to the Internet to that may:
interconnect via multiple paths and o Vehicles record speed
 o Location ASSESSMENTS
o Braking maneuvers
o Driver’s insurance company
- Therefore, risks to in-vehicle
communications include unauthorized
tracking, wireless jamming, and spoofing.

Aviation

- Aircraft has many embedded control
systems for:
o Flight control
o Communications
- Unmanned Aerial Vehicles (UAVs), more
commonly called drones, have been used
in military, agricultural, and cartography
applications.
- Risks include hijacking, wi-fi attacks, GPS
spoofing, jamming, and de-authentication
attacks.

Deception Devices – used by organizations to
distract attackers from production networks.

- Used to learn an attacker’s method and
to warn of potential attacks that could
be launched against the networks.
- Adds a fake layer to the organization’s
infrastructure.

Honeypot – decoy system that is configured
to mimic a server in the organization’s
network. It is purposefully left exposed to lure
attackers.

DNS Sinkhole – prevents the resolution of
hostnames for specified URLs and can push
users away from malicious resources.. Services:

- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)

Deployment:

- Public
- Private
- Hybrid
- Community

CLOUD SECURITY

Cloud Computing – usually associated with an
internet-based set of computing resources, and
typically sold as a service, provided by a cloud
service provider (CSP).

Characteristics:

- Broad Network Access
- Rapid Elasticity
- Measured Service
- On-Demand Self-Service
 Data in process – refers to data during
initial input, modification, computation,
or output.

Technologies and Protocol

Syslog – used for logging event messages from
network devices and endpoints.
Cyber Threats to Cloud
- Allows for a system-neutral means of
- Data Breaches
transmitting, storing, and analyzing
- Cloud Misconfiguration
messages.
- Poor Cloud Security Architecture
- Helps to make security monitory practical.
- Compromised Account Credentials
- Typically listen on UDP port 514.
- Insider Threat
- Syslog messages are usually timestamped.
- Insecure User Interface or Application
Programming Interface (API) NTP (Network Time Protocol) – uses a hierarchy
- Limited Cloud Visibility Usage of authorities time sources to share time
information between devices on the network.
Cloud Servicer Provider – IT company that
provides on-demand, scalable computing - Operates on UDP port 123.
resources like computing power, data storage, or - By using NTP, device messages will have
application over the internet. consistent time information which can be
submitted to the syslog server.

State of Data – describes controls related to
securing the data itself, of which encryption and DNS Threats
hashing are of the most important. - DNS is now used by many types of
Data at rest – no user or process is malware.
accessing, requesting, or amending it. - Sme use DNS to communicate with
command-and-control (CnC) servers to
Data in transit – transmission could be exfiltrate data in traffic disguised as
within a single server along its normal DNS queries.
motherboard’s bus lines, between devices - Malware could encode stolen data as the
on a single network, or between networks subdomain portion of a DNS lookup for a
and possibly across the internet. domain where the nameserver is under
control of an attacker.
 Incident – an event that actually or potentially
jeopardizes the CIA of an information system.

Intrusion – security event or combination of
events that constitutes a deliberate security
incident in which an intruder gains without
authorization.

Breach – loss of control, compromise,
unauthorized disclosure or acquisition, or any
SMTP – Simple Mail Transfer Protocol
similar occurrence where a person other than
IMAP – Internet Message Access Protocol authorized user accesses personally identifiable
information.
POP – Pop Office Protocol
Exploit – the specific attack.
Email Threats
Threat – any circumstance or event with the
- SMTP, POP3, and IMAP can be used by
potential to adversely impact either national or
threat actors to spread malware,
organizational operations, assets, destruction,
exfiltrate data, or provide channels to
disclosure, modification of information, and
malware CnC servers.
denial of service.
IMAP & POP3 – used to download email
Zero Day – previously unknown system
messages from a mail server to the host
vulnerability with the potential of exploitation
computer.
without risk of detection or prevention.
ICMP (Internet Control Message Protocol)

- Can be used to identify hosts on a
The Goal of Incident Response
network, the structure of a network, and
determine the operating systems at use on 1. Preparation
the network. 2. Protect life, health, and safety
- Can also be used as a vehicle for various 3. Reduction of Impact
types of DoS attacks.
Components of an IR Plan
- Can also be used for data exfiltration.
- Preparation
ICMP Tunneling – transferring files from
- Detection and Analysis
infected hosts to threat actors.
- Containment
- Post-Incident Activity

INCIDENT RESPONSE

ACCESS CONTROLS

Terminologies:

Event – any observable occurrence in a network Security Controls – pertain to different
or system. mechanisms that act as safeguards or
countermeasures prescribed for an information
system to protect the CIA of the system and its Accountability – the protection against an
information. individual falsely denying having performed a
particular action.

ASSESSMENT

Authorization – the right or a permission that is
granted to a system to access a system resource.

Integrity – the property that data has not been
altered in an unauthorized manner.

Confidentiality – the characteristic of data or
information when it is not made available or
disclosed to unauthorized persons or processes.

Privacy – the right on a individual to control the
distribution of information about themselves.
Physical Controls – provide ways of controlling,
directing or preventing the movement of people Availability – ensuring timely and reliable access
and equipment throughout a specific physical to and use of information by authorized users.
location. Non-repudiation – inability to deny taking an
Administrative Controls – also called as action.
managerial controls, are directives, guidelines, or Authentication – Access control process that
advisories aimed at the people within the compares one or more factors of identification
organization. to validate that the identity claimed by a user is
Technical Controls – also called as logical known to the system.
controls, are security controls that computer
systems and networks directly implement.
Logical Controls:

1. Discretionary Access Control (DAC) –
Authentication – process of verifying or proving grants the user almost the same level of
the user’s identification. access as the original owner of the file.
Three Common Method 2. Mandatory Access Control (MAC) – only
properly designated security
Something you know: Passwords administrators can modify any of the
Something you have: Memory Cards security rules that are established.
Something you are: Biometrics 3. Role-Based Access Control (RBAC) –
provides each worker privileges based on
Methods of Authentication
what role they have in the organization.
- Single-factor Authentication (SFA) 4. Attribute-Based Access Control (ABAC) –
- Multi-factor Authentication (MFA) allows access based on attributes of the
object (resource) to be accesses.
Principle of Least Privilege

- To preserved the confidentiality of
information and ensure that it is only
available to the personnel who are
authorized to see it, we use privileged
access management concept.

ASSESSMENTS
FIREWALL TECHNOLOGIES 2. Stateful Firewalls – provide stateful
packet filtering by using connection
information maintained in a state table.
Firewalls – system that enforces an access 3. Application Gateway Firewall – filters
control policy between networks. information at Layers 3, 4, 5, and 7 of the
OSI reference model.
All firewalls share some common properties:
4. Next-Generation Firewalls – go beyond
- Resistant to network attacks stateful firewalls by providing integrated
- Only transit point between internal intrusion prevention and more.
corporate networks and external networks
- Enforces the access control policy Host-Based Firewall – a pc or serve
with firewall software running on it.
Transparent Firewall – filters IP
traffic between a pair of bridged
interfaces.
Hybrid Firewall – combination of the
various firewall types.

ASSESSMENTS

Types of Firewall:

1. Packet Filtering (Stateless Firewall) –
typically a router firewall, which permits
or denies traffic based on Layer 3 and
Layer 4 information.
Common Security Architectures

Public and Private

Demilitarized Zone
 Zone-Based

Best Practices for Firewall Implementation

- Position firewalls at security boundaries.
- Deny all traffic by default.
- Permit only services that are needed.
- Ensure that physical access to the firewall
is controlled.
- Regularly monitor firewall logs.
- Practice change management for firewall
configuration changes.
- Remember that firewalls primarily protect
from technical attacks originating from
the outside.

ASSESSMENTS