National CyberWatch Center

CLARK is the largest platform that provides FREE cybersecurity curriculum. It is home to high-value, high-impact cyber curriculum created by top educators and reviewed for relevance and quality. Whether you’re looking to teach something new tomorrow, align with curriculum guidelines and standards, or refine your current course, CLARK has free resources ready for you to use!

https://clark.center/details/cobrien/0e116db4-cf8d-409b-adf8-9744f62ebc27

Cyber Security Software Vendor, Partner and Distributor Strategy.

Channel Distribution strategy for a Cyber Security Software in the context of Managed Security Services, including competitive incentives such as Market Development Funding (MDF), Deal Registration, and more:

Understanding the principles of creating a high-performance channel, and best practices for managing your partners, MSP, MSSPs in order to increase your revenue through a indirect model.

Traits if Effective Channel Managers

SubstanceStructureStyle
Demonstrate an understanding of your partners’s needs, and present your technology and programs in a manner that makes them want to engage with you.Adopt a structured framework and methodology for developing your channel strategy, to recruit, develop, enable and manage high performing partners.Establish a relationship with your partners, by adopting the appropriate approach to engage with senior stakeholders and deal with difficult situations.
Traits if Effective Channel Managers

DynamicDSI Model

  1. Channel Partner Selection:
    • Identify potential channel partners that specialize in Managed Security Services and have a strong customer base.
    • Evaluate their technical expertise, market reach, customer satisfaction, and financial stability to ensure they align with your product and business goals.
  2. Partner Onboarding and Enablement:
    • Provide comprehensive training and certification programs to empower partners with in-depth knowledge of your Cyber Security Software and its value proposition.
    • Offer technical documentation, sales collateral, and product demos to aid their understanding and promote effective sales pitches.
    • Conduct regular webinars and workshops to keep partners updated on new features, updates, and industry trends.
  3. Competitive Incentives:
    • Market Development Funding (MDF): Allocate a portion of your marketing budget to support joint marketing activities with partners. Offer co-branded marketing materials, campaigns, events, and lead generation programs.
    • Deal Registration: Implement a deal registration program to reward partners who proactively identify and register sales opportunities. Provide them with exclusive access to pricing discounts, protection from channel conflict, and priority support.
    • Volume RebatesPerformance-Based Rewards: Set up a tiered partner program that offers escalating rewards based on partner performance, including sales targets, customer satisfaction, and product adoption metrics. Rewards may include enhanced margins, exclusive access to beta versions, or early access to new features.
    • Certification based Rebate Tiers
  4. Channel Marketing Support:
    • Provide partners with customizable marketing materials, such as white papers, case studies, and solution briefs, that they can use to educate prospects and differentiate themselves in the market.
    • Offer co-branded demand generation campaigns, including email templates, landing pages, and social media assets, to drive awareness and generate leads.
    • Facilitate joint marketing events, such as webinars, seminars, and conferences, where partners can showcase your Cyber Security Software and engage with potential customers.
    • Round Tables
      • Industry Specific Event Marketing
      • Threat landscape Insight Webinars
  5. Channel Support and Collaboration:
    • Establish a dedicated channel support team to provide timely assistance to partners regarding technical queries, pre-sales support, and post-sales implementation.
    • Foster open communication channels with partners, such as partner portals or online communities, to facilitate knowledge sharing, collaboration, and feedback.
    • Encourage regular business reviews with partners to discuss performance, address concerns, and identify opportunities for improvement.
  6. Continuous Partner Development:
    • Conduct regular training sessions, workshops, and webinars to enhance partner skills and knowledge in emerging cyber security trends and technologies.
    • Provide beta access to new product features and encourage partners to provide feedback and suggestions for improvement.
    • Recognize and reward top-performing partners through awards, incentives, and public recognition.
  7. Partner Recognition
    • Rewards
    • Certification
    • Annual Events
  8. Partner Maturity Matrix and Model ( Journey )

Remember to adapt and customize this strategy based on your specific business goals, target market, and competitive landscape. Regularly assess the effectiveness of the program and make adjustments as needed to maximize channel partner engagement and revenue generation.

References

  • Market Development Fund
  • Usage and Software Credits
  • Free Software to develop Professional Service and Managed Services
  • ToolKit
    • Managed Service Agreement
    • Statement of Services Examples
    • Marketing Fund
    • Market Develop Fund
    • Rebate Program
    • Awards and Events
    • Certification Training e-learning
    • Deal Registration
    • Deal, Registration,
    • Startup Funding examples;

Malware Analysis Course and Certification

Malware Analysis Course and Certification

1) Ultimate Malware Analysis by Zero2Automated
https://lnkd.in/dN7v2zNj

2) Practical Junior Malware Research by TCM Security
https://lnkd.in/dR6mTmQ8

3) Giac Reverse Engineering and Malware by SANS
https://lnkd.in/d6UvAbun

4) Certified Malware Analyst by Ethical Hackers Academy
https://lnkd.in/dt3xQFQT

5) Malware Analysis by Red Team Academy
https://lnkd.in/duBMbZV8

6) Malware Analysis Course by Black Storm Security
https://lnkd.in/dwhn_uuH

7) Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software 
https://lnkd.in/dmyhKDBV

8) Malware Analysis Fundamentals by Let’s Defend
https://lnkd.in/dSDUeyP7

9) Malware Analysis Detection Engineering
https://lnkd.in/dSEA37wQ

10) Malware Analysis Master by Mandiant
https://lnkd.in/dNM54d2C

11) CS6038/CS5138 Malware Analysis
https://class.malware.re/

12) Malware Analysis CSCI 4976 by RPISEC
https://lnkd.in/dC7kZkAK

13) Reverse Engineering 101 by Malware Unicorn
https://lnkd.in/dwGu22if

14) Purple Team Analyst by CyberwarfareLabs
https://lnkd.in/dBAqYG3j

Information Security Risk Assessment Checklist: Risk Assessment and Analysis Methods: Qualitative and Quantitative

Information Security Risk Assessment Checklist

  • Framing Risk
    • Understand the business
    • Define & document the environment
    • Decide Risk Assessment Approach
    • Define how risk dcecisions will be made
    • Qualitative vs Quantitive vs Semi
  • Identifying Risk
    • Document threat environment
    • Identify threat scenarios & actors
    • Identify vunlnerabilities
    • Calculate likelihood & Impact
    • Consider current security controls
  • Responding to Risk
    • Document risk remediation plans
    • Accept, Mitigate, Avoid, or Transfer
    • Derive Risk Ratings
    • Focus on High Risk first
  • Monitoring Risk
    • Perform effective monitoring
    • Monitor high risks for remediation
    • Track risks over time
    • Perform audits ensuring risk treatment

Threat modeling, the cloud, and shared responsibility

An interesting aspect of cloud-related threat models is that cloud-based threats must take into account shared responsibility models that are specific to each cloud provider and service.

If a key output of any threat modeling exercise is a set of identified threats, then the ideal state for any threat is that you eliminate it completely by way of design, engineering, or otherwise. Of course, the value of threat modeling is that you not only identify threats that you can eliminate, but that you make thoughtful decisions about how to deal with the remaining threats that you cannot.

alt

In this model, threats end up in one of three states:

  • Green, which is as good as it gets for a threat you can’t eliminate outright. Of course, if controls are available, there’s a good question to be asked re: whether those controls can be implemented such (i.e., by using restrictive defaults or policies) that the threat is eliminated and thus removed from this grid entirely.
  • Yellow, which is probably the most common. In this state, you’re able to rely on either security controls or on monitoring. The trick with relying solely on monitoring to mitigate a threat is that monitoring is only an effective mitigation when coupled with detection (knowing the threat occurred) and response (doing something about it).
  • Red, which should leave you questioning your design, your cloud provider, or both. In particular, threats in this state require putting significant trust in both your cloud provider and the security inherent to their platform, as well as your ability to engineer for safety.

Reference:

  • https://www.isaca.org/resources/isaca-journal/issues/2021/volume-2/risk-assessment-and-analysis-methods
  • https://blog.netwrix.com/2020/07/24/annual-loss-expectancy-and-quantitative-risk-analysis/
  • https://www.netwrix.com/information_security_risk_assessment_checklist.html
  • https://www.slideteam.net/risk-analysis-powerpoint-presentation-slides.html#images-10
  • ISO 27001:2022 Lead Implementer https://www.udemy.com/course/information-security-for-beginners/?couponCode=JUNE2023

How to conduct a Business Impact Analysis

Step-by-step procedure and a set of questions to conduct a Business Impact Analysis (BIA):

What is a Business Impact Analysis

A Business Impact Analysis, or BIA, predicts how disruptions will impact a business’ critical business functions (CBF) and what the likely outcomes of those disruptions would be. As potential loss scenarios are identified, this deep dive into your business can also offer recovery strategies, including the order in which critical functions and processes are restored. 

Consider the Impact

The BIA should identify the operational and financial impacts resulting from the disruption of business functions and processes. Impacts to consider include:

  • Lost sales and income
  • Delayed sales or income
  • Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
  • Regulatory fines
  • Contractual penalties or loss of contractual bonuses
  • Customer dissatisfaction or defection
  • Delay of new business plans

Business Disruption Scenarios

  • Physical damage to a building buildings
  • Damage to or breakdown of machinery, systems or equipment
  • Restricted access to a site or building
  • Interruption of the supply chain including failure of a supplier or disruption of transportation of goods from the supplier.
  • Utility outage (e.g., electrical power outage)
  • Damage to, loss or corruption of information technology including voice and data communications, servers, computers, operating systems, applications, and data
  • Absenteeism of essential employees.

Procedure for Conducting a Business Impact Analysis:

  1. Define the Scope: Determine the boundaries and objectives of the BIA. Identify the critical business processes, systems, and resources that will be analyzed.
  2. Assemble the BIA Team: Form a cross-functional team comprising representatives from different departments, including key stakeholders, subject matter experts, and IT personnel.
  3. Identify Potential Disruptions: Brainstorm and document a comprehensive list of potential threats or events that could disrupt business operations. This may include natural disasters, cyberattacks, equipment failures, or supply chain disruptions.
  4. Assess Impacts: For each potential disruption, analyze the potential impacts on the critical business processes and resources. Consider the following areas:
    • Operational Impact: How will the disruption affect day-to-day business operations?
    • Financial Impact: What are the financial consequences, including revenue loss, increased expenses, or insurance claims?
    • Customer Impact: How will customers be affected? What are the potential reputational impacts?
    • Legal and Regulatory Impact: Are there any legal or regulatory requirements that may be impacted?
    • Employee Impact: What are the potential effects on employees, such as safety concerns, workload, or morale?
  5. Determine Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): Define the acceptable downtime and data loss limits for each critical business process or resource. This will help prioritize recovery efforts and allocate resources effectively.
  6. Identify Dependencies: Identify the dependencies between critical business processes, systems, and resources. This includes dependencies on suppliers, IT infrastructure, personnel, or other external factors.
  7. Document Findings: Compile all the information gathered during the analysis, including the identified risks, impacts, dependencies, and recovery objectives. Document these findings in a clear and organized manner.
  8. Review and Validate: Review the documented findings with the BIA team and other relevant stakeholders to ensure accuracy and completeness. Validate the findings against available data and industry best practices.
  9. Identify Mitigation Strategies: Based on the BIA findings, develop mitigation strategies to minimize the potential impacts of disruptions. This may include implementing redundant systems, backup processes, contingency plans, or alternative suppliers.
  10. Communicate and Document: Share the BIA report and its findings with key decision-makers, stakeholders, and relevant personnel. Maintain proper documentation of the BIA process and outcomes for future reference and updates.

Questions to Ask During a Business Impact Analysis:

  1. What are the critical business processes and resources that must be analyzed?
  2. What potential threats or events could disrupt these critical processes and resources?
  3. How would each potential disruption impact the day-to-day operations of the organization?
  4. What are the financial consequences of each disruption? Are there any revenue losses or increased expenses?
  5. How would customers be affected by each potential disruption? What are the potential reputational impacts?
  6. Are there any legal or regulatory requirements that may be impacted by the disruptions?
  7. What are the potential effects on employees, such as safety concerns, workload, or morale?
  8. What are the acceptable downtime limits for each critical process or resource (RTO)?
  9. What are the acceptable limits for data loss for each critical process or resource (RPO)?
  10. Are there any dependencies between critical processes, systems, or resources? If so, what are they?
  11. How can the organization minimize the potential impacts of disruptions? What mitigation strategies can be implemented?
  12. How can redundant systems, backup processes, or contingency plans be leveraged to ensure business continuity?
  13. Are there alternative suppliers or resources that can be used in case of disruptions?
  14. How can the organization communicate the BIA findings to

Shift-Left / DEVSECOPS / SDLC / SecureStack

HoneyPot Pipeline

1. Running a Cowrie ssh honeypot
2. Using Thug as a Javascript client honeypot
3. Running Snare/Tanner web honeypot
4. Running Opencanary a low interaction honeypot

Reference

Detection Engineering in Azure & Introducing AzDetectSuite

Azure Threat Research Matrix and AzDetectSuite

Azure Threat Research Matrix (ATRM), which highlighted the potential techniques an adversary could abuse within Azure & AzureAD. The immediate thought would be to give clients an idea of what potential abuse scenarios exist when they decide to use a certain resource or feature. 

AzDetectSuite is a project created to allow Azure users to establish a basic defense within Azure by giving pre-built KQL queries for each technique within ATRM that are deployable Alerts to Azure Monitor. ATRM, most (85%+) techniques will have a KQL query and a button that will deploy the query to their Azure subscription.

The queries live within a publicly available GitHub repository and can openly be reviewed, Pull Requested, and critiqued. These queries are not a “one-size-fits-all” and are mostly geared towards smaller environments since they are alerting off of more basic telemetry, so use at your own discretion. Within the repository is also a PowerShell script, Invoke-AzDetectSuite.ps1, which will import an entire tactic’s detections for every technique within it, or it can also just import all available

AzDetectSuite vs Microsoft Defender for Cloud

AzDetectSuite (ADS) is not meant to compete with Microsoft Defender for Cloud (MDC). MDC provides advanced detections based on your subscription plan and will give more granular control based on the telemetry in a tenant. ADS is meant to be an open source suite of basic detections for techniques found within ATRM, as MDC is not comprehensive in its coverage for techniques found in ATRM. MDC’s capabilities far exceed ADS, as it is a subscription-based service with more insight into a resource’s telemetry than what is provided to users. In comparison, ADS is open source and is more targeted towards smaller environments that want to ensure their resources are secure from potential abuse. In addition, ADS has some additional detections that utilize agents as well. For example, ADS has a detection that when combined with PowerShell scriptblock logging, will tell you what command was run when someone utilizes RunCommand on an AzureVM. For larger environments, it is recommended to go through ADS and determine which detections will be suitable for your environment and that may compliment MDC. detections.

In Azure, logs are centralized to Azure Monitor. Azure Monitor will ingest data from hundreds of log sources.  These sources range from the general Azure Log (AzureActivity) to more detailed logs, such as Service Principal Sign-Ins (AADServicePrincipalSignInLogs). Writing a basic detection for Azure is very easy, so it is necessary to ask a few questions before developing a detection:

1. How broad should this detection be?

  • General alert on a single action
  • Specific alert when an action meets a certain condition

2. What are you trying to alert on?

  • An action in a Resource?
  • Whenever a user or service principal logs in?
  • Whenever a new resource is created?

3. Does the resource action ever occur legitimately?

  • Part of sysadmin’s routines
  • Can you minimize false positives through more granular data?

4. What steps should be taken once the alert fires?

  • Enable a runbook?
  • Email/Text appropriate parties

Using Kusto Query Language (KQL), a basic detection for something such as RunCommand on a Virtual Machine looks like this:

AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION'

Where ‘AzureActivity’ is the log provider and the logs are then filtered to look for when the OperationNameValue property matches ‘MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION’

Reference

ISACA Exam Questions CISM (v.3) – CISM Review Notes

CISM Review Notes

Exam Guide

– Exam Guide – https://www.isaca.org/-/media/files/isacadp/project/isaca/certification/exam-candidate-guides/2022/exam-candidate-guide.pdf

Domain 1 –Information Security Governance (17%)
Domain 2 –Information Security Risk Management (20%)
Domain 3 – Information Security Program (33%)
Domain 4 – Incident Management (30%)

Exam Questions

  • 4 hours (240 minutes), 150 multiple choice questions
  • 200 – 450 Pass – 800
  • 1.6 minutes per question
  • Every question has a stem (question) and four options (answer choices).
  • Choose the correct or best answer from the options.
  • The stem may be in the form of a question or incomplete statement.
  • An exam question may require you to choose the appropriate answer based on a qualifier, such as FIRST, MOST likely or BEST. So, there might be two right answers, so pick the BEST option.
  • Read the question carefully, eliminate known incorrect answers and then make the best choice
    possible.
  • Answers questions from a Business Risk perspective, rather than technical solution or control.

Domain 1: Information Security Governance

CIA Triad

The three main goals of information security are:

  • Confidentiality prevents unauthorized disclosure
    • Integrity prevents unauthorized alteration\
  • Availability ensures authorized access

Security Strategy and SWOT Analysis

Security activities must be aligned with business strategy, mission, goals, and objectives. This requires strategic, tactical, and operational planning.

SWOT analysis identifies the strengths, weaknesses, opportunities, and threats facing an organization, typically laid out in a grid:

Gap Analysis

A gap analysis compares the current state of security controls to a benchmark and identifies any areas of deviation.

Security Frameworks

Security frameworks provide templates for security activities. These include COBIT, NIST CSF, and ISO 27001/2.

Due Care and Due Diligence

Due care is taking reasonable steps to protect the interest of the organisation. Due diligence ensures those steps are carried out.

Security Governance

Security governance is carried out through

  • Policies which state high-level objectives (mandatory compliance).
  • Standards which state detailed technical requirements (mandatory compliance).
  • Procedures which provide step-by-step processes (mandatory compliance).
  • Guidelines which offer advice and best practices (optional compliance).

For the security policy framework to be successful, it must have the support of senior leadership and other stakeholders.

Security Strategy

Security is a constant balancing act between usability and control. Managers must constantly make trade-offs to allow the organization to achieve both security and business objectives.

Every organization has a risk tolerance (or risk appetite) that describes how much risk the organization is willing to accept. Understanding this tolerance, whether it is explicit or implicit, is crucial to finding the correct balance for security activities.

Key influences on security strategy include:

  • Business environment
  • Emerging technologies
  • Social media
  • Regulatory requirements
  • Threat landscape

Security baselines, such as NIST SP 800-53, provide a standardized set of controls that an organization may use as a benchmark.

Typically, organizations don’t adopt a baseline standard wholesale, but instead tailor a baseline to meet their specific security requirements

Information should be classified based upon its sensitivity to the organization.

Common classes of sensitive information include:

  • Personally identifiable information (PII) which
    uniquely identifies individuals.
  • Protected health information (PHI) which includes
    individual health records.
  • Proprietary information which contains trade
    secrets.

Data Classification

  • Data at Rest – Data stored on a system or media device
  • Data in Motion – Data in transit over a network
  • Data in Use – Data being actively processed in memory

Information Classification

Information should be labeled with its classification and security controls should be defined and appropriate for each classification level.

Collect only data that is necessary for legitimate business purposes. This is known as data minimization.

  • Data Owner – Senior-level executive who establishes rules and determines controls
  • Data Steward – Individual who handles day-to-day data governance activity. Designated by the data owner.
  • Data Custodian – IT staff members responsible for the storage and processing of information.
  • Key Performance Indicator (KPI) – Measures the success of the security program.
  • Key Goal Indicator (KGI) – Measures progress toward defined goals
  • Key Risk Indicator (KRI) – Measures risk on a forward-looking basis.

Budgets are forward-looking financial plans. As budgets are revised each year, they may be approached in two ways:

  • Incremental budgeting starts with the prior years’ budget and adjusts upward or downward
  • Zero-based budgeting starts with a blank slate
    each year

Fiscal years are the 12-month periods used for financial reporting and may differ from the standard calendar year for any organization.

Expenses come in two primary forms:

  • Capital expenses involve fixed-cost investments in major assets
  • Operational expenses cover the day-to-day costs of running the organization

Authentication, authorization, and accounting.

Authorization and Authentication are two distinct concepts in the realm of security and access control. While they are related, they serve different purposes.

Authentication: Authentication is the process of verifying the identity of a user or entity. It ensures that the user is whom they claim to be before granting them access to a system, application, or resource. Authentication typically involves the use of credentials, such as usernames and passwords, biometric information, security tokens, or digital certificates. The goal of authentication is to establish trust and validate the identity of the user or entity requesting access.

Authorization: Authorization, on the other hand, occurs after authentication and involves granting or denying access rights and permissions to authenticated users or entities. Once a user’s identity is verified, authorization determines what actions, resources, or information they are allowed to access. It involves defining and enforcing access controls based on roles, privileges, and permissions assigned to individual users or groups. The authorization ensures that users have appropriate privileges to perform specific actions or access certain resources within the system or application.

Domain 2: Information Risk Management

Assets should be classified according to their own criticality and sensitivity as well as the classification of the information that they store, process, and transmit. These asset classifications ensure that measures taken to protect assets are proportional to their business value.

Risks are the combination of a threat and a corresponding vulnerability.

Quantitative risk assessment uses the following formulas:

  • Single Loss Expectancy = AssetValue * ExposureFactor
  • Annualized Loss Expectancy = AnnualizedRateofOccurence * SLE

Responses to a risk include:

  • Avoid risk by changing business practices
  • Mitigate risk by implementing controls
  • Accept risk and continue operations
  • Transfer risk through insurance or contract

Security tests verify that a control is functioning properly.

Security assessments are comprehensive reviews of the security of a system, application, or other tested environment.

Security audits use testing and assessment techniques but are performed by independent auditors. There are three types of security audits:

  • Internal audits are performed by an organization’s internal audit staff, normally led by a Chief Audit
  • Executive who reports directly to the CEO. External audits are performed by an outside auditing firm.
  • Third-party audits are conducted by, or on behalf of, another organization, such as a regulator.

Organizations that provide services to other organizations may conduct audits under SSAE 16. These engagements produce two different types of reports:

  • Type I reports provide a description of the controls in place, as described by the audited organization, and the auditor’s opinion whether the controls described are sufficient. The auditor does not test the controls.
  • Type II reports results when the auditor actually tests the controls and provides an opinion on their effectiveness.

COBIT, ISO 27001, and ISO 27002 are commonly used standards for cybersecurity audits.

Vulnerability assessments seek to identify known deficiencies in systems and applications.


Network discovery scanning uses tools like nmap to check for active systems and open ports. Common scanning techniques include:

  • TCP SYN scans send a single packet with the SYN flag set.
  • TCP Connect scans attempt to complete the three way handshake.
  • TCP ACK scans seek to impersonate an established connection.
  • Xmas scans set the FIN, PSH, and URG flags.

Network vulnerability scanning first discovers active services on the network and then probes those services for known vulnerabilities. Web application vulnerability
scans
use tools that specialize in probing for web application weaknesses.

The vulnerability management workflow includes three basic steps: detection, remediation, and validation.
Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities. It includes five steps:

Business continuity planning conducts a business impact assessment and then implements controls designed to keep the business running during adverse
circumstances.

Backups provide an important disaster recovery control. Remember that there are three major categories of backup:

  • Full Backup Copies all files on a system.
  • Differential Backup Copies all files on a system that have changed since the most recent full backup.
  • Incremental Backup Copies all files on a system that have changed
    since the most recent full or incremental backup.

Disaster recovery sites fit into three major categories:

Disaster recovery plans require testing. There are five major test types:

Domain 3: Information Security Program Development and Management

Security Controls Categorization

Security controls are categorized by their purpose as preventive, detective, or corrective controls. They are also categorized by their mechanism of action as technical, physical, or administrative controls. Controls may overlap these categories.

  • Purpose-Based Categorization: Preventive, Detective, Corrective Controls
  • Mechanism-Based Categorization: Technical, Physical, Administrative Controls
  • Overlapping Categories of Controls

Purpose-Based Categorization: Preventive, Detective, Corrective Controls

  • Preventive Controls: These controls are designed to prevent security incidents from occurring. They include measures such as access controls, security awareness training, and security policies.
  • Detective Controls: These controls are focused on detecting security incidents or breaches that have occurred. Examples include intrusion detection systems, security monitoring tools, and log analysis.
  • Corrective Controls: These controls are implemented to correct or mitigate the effects of a security incident. They include activities such as incident response, disaster recovery planning, and system restoration.

Mechanism-Based Categorization: Technical, Physical, Administrative Controls

  • Technical Controls: These controls involve the use of technology to enforce security policies and protect information assets. Examples include firewalls, encryption, antivirus software, and intrusion prevention systems.
  • Physical Controls: These controls are physical measures put in place to secure physical assets and facilities. Examples include locks, access control systems, surveillance cameras, and biometric authentication systems.
  • Administrative Controls: These controls involve policies, procedures, and organizational practices to manage security risks. Examples include security awareness training, security governance frameworks, risk assessments, and incident response plans.

Cryptography

Cryptography is one of the primary controls used to achieve security objectives. Encryption transforms plaintext data into ciphertext, while decryption reverses the process, turning ciphertext back into plaintext.

The two basic cryptographic operations are substitution which modifies characters and transposition, which moves them around.

Cryptography is the practice of securing data through encryption and decryption techniques. It plays a crucial role in achieving security objectives. Here are some key aspects of cryptography:

  • Encryption and Decryption: Encryption transforms plaintext data into ciphertext using an encryption algorithm, while decryption reverses the process, converting ciphertext back into plaintext using a decryption algorithm.
  • Basic Cryptographic Operations: Cryptographic operations involve substitution and transposition. Substitution modifies characters, while transposition moves them around, providing additional security.
  • Symmetric Encryption: Symmetric encryption uses the same shared secret key for both encryption and decryption processes. It is efficient for bulk data encryption but requires secure key management.
  • Asymmetric Encryption: Asymmetric encryption, also known as public-key cryptography, involves the use of public and private key pairs. Each user has their own key pair. Anything encrypted with one key from the pair can only be decrypted using the other key from that same pair. It provides secure key exchange and enables digital signatures.
  • Secure Symmetric Algorithms: Some commonly used secure symmetric encryption algorithms include 3DES, AES (Advanced Encryption Standard), IDEA, and Blowfish. DES (Data Encryption Standard) is considered insecure due to its key length.
  • Secure Asymmetric Algorithms: Secure asymmetric encryption algorithms include RSA, El Gamal, and elliptic curve cryptography (ECC). These algorithms provide strong security for key exchange, digital signatures, and encryption.
  • Diffie-Hellman Algorithm: The Diffie-Hellman algorithm is a key exchange protocol used to securely exchange symmetric keys over an insecure channel. It enables secure communication between parties without prior shared secrets.
  • Hash Functions: Hash functions are one-way functions that produce a unique fixed-size hash value (digest) for each input. They are used for data integrity, password storage, and digital signatures. Hash functions cannot be reversed to obtain the original data.
  • Digital Certificates: Digital certificates use the X.509 standard and contain a copy of an entity’s public key. They are digitally signed by a certificate authority (CA) to establish trust. Digital certificates are widely used in secure communication protocols such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL).

Encryption and Decryption

Symmetric encryption uses the same shared secret key for encryption and decryption.

In asymmetric encryption, users each have their own public/private keypair. Keys are used as follows:

Anything encrypted with one key from a pair may only be decrypted with the other key from that same pair.

Secure symmetric algorithms include 3DES, AES, IDEA, and Blowfish. DES is not secure.

Secure asymmetric algorithms include RSA, El Gamal, and elliptic curve (ECC).

The Diffie-Hellman algorithm may be used for secure exchange of symmetric keys.

Hashes are one-way functions that produce a unique value for every input and cannot be reversed.

Digital certificates use the X.509 standard and contain a copy of an entity’s public key. They are digitally signed by a certificate authority (CA).

Transport Layer Security (TLS) is the replacement for Secure Sockets Layer (SSL) and uses public key cryptography to exchange a shared secret key used to secure web traffic and other network communications.

Two serious issues can occur when users are granted limited access to information in databases or other repositories. Aggregation attacks occur when a user is able to summarize individual records to detect trends that are confidential. Inference attacks occur when a user is able to use several innocuous facts in combination to determine, or infer, more sensitive information.

DNS converts between IP addresses and domain names. ARP converts between MAC addresses and IP addresses. NAT converts between public and private IP addresses.

Wireless networks should be secured using WPA or WPA2 encryption, not WEP.

Network switches generally work at layer 2 and connect directly to endpoints or other switches. Switches may also create virtual LANs (VLANs) to further segment internal networks at layer 2. Routers generally work at layer 3 and connect networks to each other. Firewalls are the primary network security control used to separate networks of differing security levels.

When deploying services in the cloud, organizations may choose from three major cloud strategies:

  • Software-as-a-Service (SaaS) deploys entire applications to the cloud. The customer is only responsible for supplying data and manipulating the application.
  • Infrastructure-as-a-Service (IaaS) sells basic building blocks, such as servers and storage. The customer manages the operating system and configures and installs software.
  • Platform-as-a-Service (PaaS) provides the customer with a managed environment to run their own software without concern for the underlying hardware.

Most Virtual Private Networks (VPN) use either TLS or IPsec. IPsec uses Authentication Headers (AH) to provide authentication, integrity and nonrepudiation and Encapsulating Security Payload (ESP) to provide confidentiality.

Cloud services may be built and/or purchased in several forms:

  • Public cloud providers sell services to many different customers and many customers may share the same physical hardware.
  • Private cloud environments dedicate hardware to a single user.
  • Hybrid cloud environments combine elements of public and private cloud in a single organization.
  • Community cloud environments use a model similar to the public cloud but with access restricted to a specific set of customers.

Access Control and Attacks

Access control refers to the mechanisms and techniques used to limit and control access to information resources and systems. Here are key aspects related to access control and attacks:

  • Aggregation Attacks: Aggregation attacks occur when a user can summarize individual records to detect trends that should remain confidential. These

The core activities of identity and access management are:

  • Identification where a user makes a claim of identity.
  • Authentication where the user proves the claim of
  • identity.
  • Authorization where the system confirms that the
    user is permitted to perform the requested action.

In access control systems, we seek to limit the access
that subjects (e.g. users, applications, processes) have to objects (e.g. information resources, systems)
Access controls work in three different fashions:

  • Technical (or logical) controls use hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.
  • Physical controls, such as locks and keys, limit physical access to controlled spaces.
  • Administrative controls, such as account reviews, provide management of personnel and business
    practices.

Multifactor authentication systems combine authentication technologies from two or more of the following categories:

  • Something you know (Type 1 factors) rely upon secret information, such as a password.
  • Something you have (Type 2 factors) rely upon physical possession of an object, such as a smartphone.
  • Something you are (Type 3 factors) rely upon biometric characteristics of a person, such as a face scan or fingerprint.

Authentication technologies may experience two types of errors. False positive errors occur when a system accepts an invalid user as correct. It is measured using the false acceptance rate (FAR). False negative errors occur when a system rejects a valid user, measured using the false rejection rate (FRR). We evaluate the effectiveness of an authentication technology using the crossover error rate (CER), as shown here:

RADIUS is an authentication protocol commonly used for backend services. TACACS+ serves a similar purpose and is the only protocol from the TACACS family that is still commonly used.

The implicit deny principle says that any action that is not explicitly authorized for a subject should be denied.

Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.

Discretionary access control (DAC) systems allow the owners of objects to modify the permissions that other users have on those objects. Mandatory access control (MAC) systems enforce predefined policies that users may not modify.

Role-based access control assigns permissions to individual users based upon their assigned role(s) in the organization. For example, backup administrators might have one set of permissions while sales representatives have an entirely different set.

Brute force attacks against password systems try to guess all possible passwords. Dictionary attacks refine this approach by testing combinations and permutations of dictionary words. Rainbow table attacks precompute hash values for use in comparison. Salting passwords with a random value prior to hashing them reduces the effectiveness of rainbow table attacks.

Man-in-the-middle attacks intercept a client’s initial request for a connection to a server and proxy that connection to the real service. The client is unaware that they are communicating through a proxy and the attacker can eavesdrop on the communication and inject commands.

When managing the physical environment, you should be familiar with common power issues:

Fires require the combination of heat, oxygen, and fuel. They may be fought with fire extinguishers:

  • Class A: common combustible fires
  • Class B: liquid fires
  • Class C: electrical fires
  • Class D: metal fires

Organizations may use wet pipe fire suppression systems that always contain water, dry pipe systems that only fill with water when activated, or preaction systems that fill the pipes at the first sign of fire detection.

Mantraps use a set of double doors to restrict physical access to a facility.

The top ten security vulnerabilities in web applications,
according to OWASP are:

  1. Injection attacks
  2. Broken authentication
  3. Sensitive data exposure
  4. XML external entities
  5. Broken access control
  6. Security misconfiguration
  7. Cross-site scripting
  8. Insecure deserialization
  9. Using components with known vulnerabilities.
  10. Insufficient logging and monitoring

In addition to maintaining current and patched platforms, one of the most effective application security techniques is input validation which ensures that user input matches the expected pattern before using it in code.

Domain 4: Information Security Incident Management

Cyber Investigations

Security professionals are often called upon to participate in a variety of investigations:

  • Criminal investigations look into the violation of a criminal law and use the beyond a reasonable doubt standard of proof.
  • Civil investigations examine potential violations of civil law and use the preponderance of the evidence standard.
  • Regulatory investigations examine the violation of a private or public regulatory standard.
  • Administrative investigations are internal to an organization, supporting administrative activities.

Evidence

Investigations may use several different types of evidence:

  • Real evidence consists of tangible objects that may be brought into court.
  • Documentary evidence consists of records and other written items and must be authenticated by testimony.
  • Testimonial evidence is evidence given by a witness, either verbally or in writing.

The best evidence rule states that, when using a document as evidence, the original document must be used unless there are exceptional circumstances. The parol evidence rule states that a written agreement is assumed to be the complete agreement.

Chain of Custody and Evidence Handling

Forensic investigators must take steps to ensure that they do not accidentally tamper with evidence and that they preserve the chain of custody documenting evidence handling from collection until use in court.

Business Continuity Planning (BCP)

Business continuity planning (BCP) attempts to design systems and controls in a manner that minimizes the risk that business activity will be disrupted.

Disaster Recovery Process

The disaster recovery process begins when operations are disrupted at the primary site and shifted to an alternate capability. The process only concludes when normal operations are restored.

Reference

Exam Questions


Which of the following should be the FIRST step in developing an information security plan?

A. Perform a technical vulnerabilities assessment

B. Analyze the current business strategy

C. Perform a business impact analysis

D. Assess the current levels of security awareness

Explanation:

Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.