General Concepts

General Concepts #

The 3 Cybersecurity Objectives #

CIA Triad == The 3 Objectives/goals #

Confidentiality - No unauthorized individual is able to access sensitive information. #

Integrity - No unauthorized changes to systems or data. #

Availability - Informations and systems are ready to meet the needs of legitimate users at the time those users request them. #

  • 1 Additional goal/objective

Nonrepudiation - Someone who performs some action, cannot later deny having taken that action. #

  • Digital signatures are commonly used

Security Incident #

  • When there is a breach of any of the CIA Triad goals.
  • Tip: Security therefore is not only about dangerous individuals, but also events like an earthquake.

The 3 Cybersecurity Threats #

DAD Triad #

  • Disclosure (aka data loss) <-> Confidentiality violation
    • Data exfiltration (the act of moving data outside the intended organization/boundaries)
  • Alteration <-> Integrity violation
  • Denial <-> Availability violation

Breach Impact #

Types of impact/risks when a security incident happens. Many risks cover multiple types.

Financial - Equipment broken, new datacenter, loss of revenue, … #

Reputational - Negative publicity #

Strategic - IP that allows competition to act faster, outsmart you, copy you, … #

Operational - inability to do day-to-day functions, slow down business processes, … #

Security Controls #

Control Objectives: Statements of desired security state (requirements). #

Security Controls: Speciifc measures, the implementation of the objectives/requirements. #

Gap analysis: Analyse gap between the Control Objectives and the Security Controls. #

  • Here we do actually Security Assesment and Testing.

Security Control Categories: #

  • Technical - digital implementations (firewall rules, access control, …)
  • Operational - processes (access reviews, log monitoring, …)
  • Managerial - procedural mechanisms (periodic risk assesment, security planning excerices, …)
  • Physical - physical implementation (locks, fences, …) Security Control Types
  • Preventive - Stop before it occurs (Firewalls, …)
  • Detterent - Prevent from attempting to violate the security policy (guarddogs, …)
  • Detective - Identify security events/issues that already have happened (Intrusion Detection Systems IDS, …)
  • Corrective - Remeditate a security issue that has happened (restore from backup, …)
  • Compensating - Mitigates the risk with alternative methods if the original control requirement.
    • 3 criteria for PCI DSS
      • Must meet the intent and rigor of the orginal requirement
      • Must provide similar level of defense as the original
      • Must be above and beyond other PCI DSS requirements
  • Directive - Inform employees and others what they should do to implement security objectives.

Data Protection #

  • 3 States of data
  • Data-at-rest
  • Data-in-transit
  • Data-in-use

Data Loss Pevention (DLP) #

  • Information handling policies and procedures to prevent data loss and theft.
  • 2 Environments
    • Agent-based DLP - Installed as agents on a system to scan/monitor for senstive information, system config or actions.
    • Agentless/network-based DLP - Monitors network traffic for risk or proof of data loss. Mostly to pick up on unencrypted content.
  • DLP can take actions
    • Pattern matching - find Social Security number formats, sensitive terms etc and trigger on that.
    • Watermarking - tag sensitive documents, and the DLP scans all those tagged documments to find unencrypted data

Data Minimization - minimaize the amount of senstive data #

  • Best: Destroy data once not required anymore
  • Data deintification - remove possibility to link data back to an individual
  • Data obfuscation - impossible to retrieve original data
    • Hashing - senstive to raindbow table attack
      • Raindbow Table Attack: If someone knows the hashing algoritm, they can hash all the IDs and use it later to reverse lookup.
    • Tokenization - Use an intermediate ID between data and indivudal and secure that (like different IDs per user)
    • Masking - Partial redacting (like credit card *### 0321)

Access Restrisctions #

  • Limit ability of individuals/systems
  • 2 Types
    • Geographical: Limit based on geography of individual/system
    • Permission: Limit based by role or level of authorization

Segementation and Isolation #

  • Segmentation - Allows systems only to talk to each other within the same segment or limited access to other segments.
  • Isolation - Enirely isolates a system from talking to others

Defense-in-depth #

Multiple overlapping security layers/controls so that if one fails, others still protect you.

Zero Trust #

Nobody is trusted, regardless of wheter theey are internal or an external person or system. Never trust, always verify.

There is no trust boundary and no network edge. Each action is validated when requested as part of a continious authentication process and access is only allowed after policies are cheked, including elements like idenity, permissions, system configuration and securty status, threat intelligence data review and security posture.