This is part two of a series of posts about the CCNA Cyber Ops certification, you can find the first part here. Essentially in this post, we summarize the basic security concepts needed to understand and become competent with this topic.
2.0 Security Concepts
2.1 Describe the principles of the defense in depth strategy: Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense in depth can be divided into three areas: Physical, Technical, and Administrative.
Physical controls are anything that physically limits or prevents access to IT systems. Fences, guards, dogs, and CCTV systems.
Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, fingerprint readers, and Windows Active Directory. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.
Administrative controls are an organization’s policies and procedures. Their purpose is to ensure that there is proper guidance available in regards to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.
2.2 Compare and contrast these concepts
- 2.2.a Risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.
- Risk = Likelihood * Impact
- 2.2.b Threat: In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm.
- 2.2.c Vulnerability: In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
- 2.2.d Exploit: An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause an unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.
2.3 Describe these terms
- 2.3.a Threat actor: A threat actor, or malicious actor, is a person or entity that is responsible for an event or incident that impacts, or has the potential to impact, the safety or security of another entity. Most often, the term is used to describe the individuals and groups that perform malicious acts against organizations of various types and sizes. From a threat intelligence perspective, threat actors are often categorized as unintentional or intentional and external or internal.
- 2.3.b Run book automation (RBA): Runbook automation (RBA) is the ability to define, build, orchestrate, manage, and report on workflows that support system and network operational processes. A runbook workflow can potentially interact with all types of infrastructure elements, such as applications, databases, and hardware.
- 2.3.c Chain of custody (evidentiary): Chain of custody (CoC), in legal contexts, refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. It is essential that any items of evidence can be traced from the crime scene to the courtroom, and everywhere in between. This known as maintaining the ‘chain of custody’ or ‘continuity of evidence. You must have the ability to prove that a particular piece of evidence was at a particular place, at a particular time and in a particular condition. This applies to the physical hardware as well as the information being retrieved from that hardware. If the chain of custody is broken, the forensic investigation may be fatally compromised. This is where proper management of the evidence is important.
- 2.3.d Reverse engineering: Reverse engineering is taking apart an object to see how it works in order to duplicate or enhance the object. The practice, taken from older industries, is now frequently used in computer hardware and software. Software reverse engineering involves reversing a program’s machine code (the string of 0s and 1s that are sent to the logic processor) back into the source code that it was written in, using program language statements.
- 2.3.e Sliding window anomaly detection: The time span used to collect data to build your traffic profile is called the profiling time window (PTW). The PTW is a sliding window; that is, if your PTW is one week (the default), your traffic profile includes connection data collected over the last week. You can change the PTW to be as short as an hour or as long as several weeks. A traffic profile is based on connection data collected over a time span that you specify. `After you create a traffic profile, you can detect abnormal network traffic by evaluating new traffic against your profile, which presumably represents normal network traffic.
- 2.3.f PII: Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
- 2.3.g PHI: Protected health information (PHI) under US law is any information about health status, provision of healthcare, or payment for health care that is created or collected by a “Covered Entity” (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
2.4 Describe these security terms
- 2.4.a Principle of least privilege: In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
- 2.4.b Risk scoring/risk weighting: First, gather information about the threat agent involved, the attack that will be used, the vulnerability involved, and the impact of a successful exploit on the business. Then, assign a score or weight to the risk, this value will be used in the risk assessment.
- 2.4.c Risk reduction: The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.
- 2.4.d Risk assessment: is the process of assessing the probabilities and consequences of risk events if they are realized. The results of this assessment are then used to prioritize risks to establish a most-to-least-critical importance ranking. Ranking risks in terms of their criticality or importance provides insights to the project’s management on where resources may be needed to manage or mitigate the realization of high probability/high consequence risk events.
2.5 Compare and contrast these access control models: Access control is basically identifying a person doing a specific job, authenticating them by looking at their identification, then giving that person only the key to the door or computer that they need access to and nothing more. In the world of information security, one would look at this as granting an individual permission to get onto a network via a username and password, allowing them access to files, computers, or other hardware or software the person requires, and ensuring they have the right level of permission (i.e. read only) to do their job.
- 2.5.a Discretionary access control: this access control model is based on a user’s discretion. The owner of the resource can give access rights to that resource to other users based on his discretion.
- 2.5.b Mandatory access control: In this Model, users/owners do not enjoy the privilege of deciding who can access their files. In this model, the operating system is the decision maker overriding the user’s wishes. Every Subject (users) and Object (resources) are classified and assigned a security label. The security labels of the subject and the object along with the security policy determine if the subject can access the object. The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies.
- 2.5.d Nondiscretionary access control: The Role Based Access Control (RBAC) model provides access control based on the subject’s role in the organization. So, instead of assigning John permissions as a security manager, the position of security manager already has permissions assigned to it.
2.6 Compare and contrast these terms
- 2.6.a Network and host antivirus: A Network antivirus prevent unknown programs and processes from accessing the system. A host antivirus is computer software used to prevent, detect and remove malicious software once it reached a system.
- 2.6.b Agentless and agent-based protections: Agentless monitoring is deployed in one of two ways: Using a remote API exposed by the platform or service being monitored or directly analyzing network packets flowing between service components. In either, there is no special deployment of agents required. In agent-based protection, the monitoring endpoint requires an installation of the software agent. Monitoring with agents has the cost of installation, configuration (proportionate to the number of managed elements), platform support needs and dependencies. You also need to worry about patching.
- 2.6.c Security Information and Event Management (SIEM) and Log Collection: SIEM provides real-time analysis of security alerts generated by network hardware and applications. In log collection, the events from the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls are saved to a location for further analysis.
- 2.6.d Log management (LM): comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event-logs, etc.). Log Management generally covers:
- Log collection
- Centralized log aggregation
- Long-term log storage and retention
- Log rotation
- Log analysis (in real-time and in bulk after storage)
- Log search and reporting.
2.7 Describe these concepts
- 2.7.a Asset management (ITAM): It is the set of business practices that join financial, contractual and inventory functions to support life cycle management and strategic decision making for the IT environment. Assets include all elements of software and hardware that are found in the business environment.
- 2.7.b Configuration management: It is a systems engineering process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. Attackers are looking for systems that have default settings that are immediately vulnerable. Once an attacker exploits a system, they start making changes. These two reasons are why Security Configuration Management (SCM) is so important. SCM can not only identify misconfigurations that make your systems vulnerable but also identify “unusual” changes to critical files or registry keys.
- 2.7.c Mobile device management: Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablet computers, laptops and desktop computers. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices. Mobile Device Management (MDM) servers secure, monitor, manage and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM servers consist of a policy server that controls the use of some applications on a mobile device (for example, an e-mail application) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints based on ACLs, SGTs, etc. To do its job, Cisco ISE queries the MDM servers for the necessary device attributes to ensure it is then able to provide network access control for those devices.
- 2.7.d Patch management: A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes, and improving the usability or performance. Patch management is a strategy for managing patches or upgrades for software applications and technologies. A patch management plan can help a business or organization handle these changes efficiently. (Patch Management Example for Windows)
- 2.7.e Vulnerability management: In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability management is the “cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities”, especially in software and firmware. Vulnerability management is integral to computer security and network security.
Glossary of Cyber Security terms here
These are the remaining topics:
- Host-Based Analysis
- Security Monitoring
- Attack Methods