CIA triad
- Confidentiality (least privilege / zero trust)
- Integrity ( data is correct and reliable, can't be edit, encryption )
- Availability ( data can be used when needed )
CISSP
Certified Information Systems Security Professional
CISSP 8 security domains
- Security and Risk Management: The foundational domain covering governance, compliance, the CIA triad (Confidentiality, Integrity, Availability), legal/regulatory issues, and organizational risk assessment
- Asset Security: Focuses on the protection of assets, data classification, handling requirements, data retention policies, and data lifecycle management
- Security Architecture and Engineering: Encompasses security models, cryptography, hardware/software design, and mitigating vulnerabilities within system architectures
- Communication and Network Security: Deals with secure network design, hardware, transmission methods, and securing communication channels (e.g., VPNs, firewalls)
- Identity and Access Management (IAM): Centers on controlling access to systems and data, covering authentication, authorization, and identity provisioning
- Security Assessment and Testing: Focuses on security testing methodologies, vulnerability assessments, penetration testing, and auditing to evaluate security controls.
- Security Operations: Covers daily operational tasks such as incident management, disaster recovery, patch management, and foundational forensic
- Software Development Security: Applies security controls and coding principles within the Software Development Life Cycle (SDLC) and databases.
Asset
- A item that has value to an organisation
- Anything that can negatively impact assets
Risk
- The likelihood of a threat occurring. We can also take into account low/high risk assets.
Vulnerability
A weakness that can be exploited by a threat. There must be a vuln and a threat for there to be a risk
vuln + threat = risk
Risk management framework
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
What to do about risk:
Acceptance: Accepting a risk to avoid disrupting business continuity
Avoidance: Creating a plan to avoid the risk altogether
Transference: Transferring risk to a third party to manage
Mitigation: Lessening the impact of a known risk
NIST RMF terms
- Assess: The fifth step of the NIST RMF that means to determine if established controls are implemented correctly
- Authorize: The sixth step of the NIST RMF that refers to being accountable for the security and privacy risks that may exist in an organization
- Business continuity: An organization's ability to maintain their everyday productivity by establishing risk disaster recovery plans
- Categorize: The second step of the NIST RMF that is used to develop risk management processes and tasks
- External threat: Anything outside the organization that has the potential to harm organizational assets
- Implement: The fourth step of the NIST RMF that means to implement security and privacy plans for an organization
- Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk
- Monitor: The seventh step of the NIST RMF that means be aware of how systems are operating
- Prepare: The first step of the NIST RMF related to activities that are necessary to manage security and privacy risks before a breach occurs
- Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access
- Risk: Anything that can impact the confidentiality, integrity, or availability of an asset
- Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach
- Security posture: An organization’s ability to manage its defense of critical assets and data and react to change
- Select: The third step of the NIST RMF that means to choose, customize, and capture documentation of the controls that protect an organization
- Shared responsibility: The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security
- Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables
- Vulnerability: A weakness that can be exploited by a threat
Frameworks
Guidelines to build plans
NIST frameworks (CSF)
- Govern - strong management of cyber sec risk across the whole org
- Identify - Knowing what's in your network from assests to policies
- Protect - Secure systems like adding firewall rules or removing malware
- Detect - watching logs to detect issues or issues logged by ticket
- Respond - respond to an incident
- Recover - restore files from backups
OWASP
- Open
- Web
- Application
- Security
- Principles
Minimize attack surface
Least privilege / zero trust
Defence in depth, multiple lines of defence. MFA / segregation
Separation of duties. Eg windows admins / network admins / backup admins. No one has full control of the org. We can also look at it like having 3 team members if one gets sick the team is still up
Keep security as simple as possible (
Fix security issues, do root cause analysis and fix for good.
Keeping up to date
Medium
Conferences local and the big ones
Security audit
External and internal
Most will be done internal
We will review and improve se
identify risk
check controls
assess compliance
Security controls
- admin controls - policies
- technical controls - IPS systems
- physical controls - cctv / locks
If we opeerate in the EU and take CC payment then we need to comply with GDPR and PCIDSS.
Log analysis
- Firewall logs - connections / actions / traffic passing through the firewall
- Network logs - Taken from the switches in side getting that east > west traffic
- Server / endpoint logs - User login's / process / etc
SIEM
- Security
- Information
- Event
- Management
The SIEM takes in all the logs from multiple sources. It will create dashboards / graphs / timelines etc.
SOAR
- Security
- Orchestration
- Automation,
- And Response
SIEM types
Self hosted - you have your own server and data storage
Cloud hosted - cloud hosted by your vendor
hybrid -
Splunk / splunk enterprise - cisco purchased it
Chronical - googles cloud native tool
- Chronicle: A cloud-native tool designed to retain, analyze, and search data
- Incident response: An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach
- Log: A record of events that occur within an organization’s systems
- Metrics: Key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application
- Operating system (OS): The interface between computer hardware and the user
- Playbook: A manual that provides details about any operational action
- Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization
- Security orchestration, automation, and response (SOAR): A collection of applications, tools, and workflows that use automation to respond to security events
- SIEM tools: A software platform that collects, analyzes, and correlates security data from various sources across your IT infrastructure that helps identify and respond to security threats in real-time, investigate security incidents, and comply with security regulations
- Splunk Cloud: A cloud-hosted tool used to collect, search, and monitor log data
- Splunk Enterprise: A self-hosted tool used to retain, analyze, and search an organization's log data to provide security information and alerts in real-time
No comments:
Post a Comment