# Module 2: Securing Networks

:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, with definitions and examples. At the end of (almost) each part, you will find a link to related online flashcards.
:::

### 2.1 Current State of Affairs

---

#### 2.1.2 Networks Are Targets

- **Overview**: Networks are constantly under threat, with news of breaches and attacks regularly surfacing. These incidents highlight the vulnerabilities in network systems, the latest network security threats, and the tools available for defense.
- **Cyberthreat Maps**: Real-time cyberthreat maps, such as Kaspersky’s Cyberthreat Real-Time Map, display ongoing network attacks worldwide. These visual tools use data from deployed security products to show active threats and help raise awareness of the scale and diversity of cyber threats.

---

#### 2.1.3 Reasons for Network Security

- **Purpose**: Network security is essential for ensuring an organization’s business continuity by protecting systems, data, and users from breaches that can result in severe consequences.
- **Impact of Security Breaches**:
  - Disruption of e-commerce and business operations.
  - Loss of sensitive data and intellectual property.
  - Threats to user privacy and information integrity.
  - Financial losses, potential lawsuits, and public safety risks.
- **Key Security Tools**:
  - **Cisco Talos Intelligence Group**: Provides threat intelligence to help organizations protect assets.
  - **Cisco Product Security Incident Response Team (PSIRT)**: Investigates and mitigates vulnerabilities in Cisco products, providing real-time advisories to assist network administrators in securing systems.

---

#### 2.1.4 Vectors of Network Attacks

- **Attack Vector**: The path by which a threat actor gains unauthorized access to a server, host, or network. Attack vectors may come from both internal and external sources.
- **External Threats**: Often originate from the internet, where attackers attempt to compromise the network perimeter, for example by conducting a Denial of Service (DoS) attack to incapacitate network resources.
- **Internal Threats**:
  - Insider threats can stem from employees who may, intentionally or accidentally:
    - Copy or steal confidential data.
    - Compromise servers or network infrastructure.
    - Cause network outages by disconnecting critical connections.
    - Introduce malware through infected USB drives.
  - **Risk**: Internal users have direct access to physical infrastructure, confidential data, and network resources, making internal threats particularly dangerous.

![Screenshot 2024-11-08 at 10.53.13](https://hackmd.io/_uploads/SyGOTgsbye.png)

**Note**: Network security professionals must implement robust measures to mitigate both internal and external threats.

---

#### 2.1.5 Data Loss

- **Definition**: Data loss, or data exfiltration, occurs when sensitive data is lost, stolen, or leaked externally, either intentionally or accidentally.
- **Consequences of Data Loss**:
  - Damage to brand reputation and customer trust.
  - Loss of competitive advantage and potential revenue.
  - Legal action resulting in fines and penalties.
  - High costs in notifying affected parties and mitigating the breach.
- **Data Loss Prevention (DLP)**: DLP strategies combine various measures to prevent data breaches, including strategic, operational, and tactical controls.

**Common Vectors for Data Loss**:

- **Email/Social Networking**: Intercepted emails or instant messages can reveal sensitive information.
- **Unencrypted Devices**: Stolen devices (e.g., laptops) can expose data if not encrypted.
- **Cloud Storage**: Data stored in the cloud can be compromised if security settings are weak.
- **Removable Media**: Unauthorized data transfers to USB drives, or lost drives containing corporate data, pose security risks.
- **Hard Copy**: Physical documents should be securely disposed of, such as by shredding, to prevent unauthorized access.
- **Improper Access Control**: Weak or stolen passwords can grant attackers access to corporate data.

---

#### 2.1.6 Threat Landscape Investigation (PT Video)

- **Purpose**: Staying informed about the threat landscape is crucial for network security. Network professionals can use tools and intelligence sources to monitor and analyze current threats, helping them to adapt and strengthen network defenses.

> [!Warning] Recap
> Network security relates directly to an organization's business continuity. Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people’s privacy, and compromise the integrity of information. These breaches can result in lost revenue for corporations, theft of intellectual property, lawsuits, and can even threaten public safety. Many tools are available to help network administrators adapt, develop, and implement threat mitigation techniques, including the Cisco Talos Intelligence Group.
> An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack vectors originate from inside or outside the corporate network.
> Data is likely to be an organization’s most valuable asset. Various DLP controls, combining strategic, operational, and tactical measures, must be implemented. Common data loss vectors include email and social networking, unencrypted data devices, cloud storage devices, removable media, hard copy, and improper access control.

### 2.2 Who is Attacking Our Network?

---

#### 2.2.1 Threat, Vulnerability, and Risk

- **Threat**: A potential danger to an organization’s assets, such as data or network infrastructure.
- **Vulnerability**: A weakness in a system or design that can be exploited by a threat.
- **Attack Surface**: The combined vulnerabilities accessible to an attacker within a system, such as exposed operating systems or web browsers.
- **Exploit**: The method used by an attacker to leverage a vulnerability and compromise an asset. Exploits can be **remote** (no prior access) or **local** (requires user or admin access).
- **Risk**: The likelihood that a specific threat will exploit a vulnerability, resulting in an adverse outcome. Risk management balances the cost of protective measures with the benefits of securing the asset.
- **Risk Management Strategies**:
  - **Risk Acceptance**: Accepting the risk when mitigation costs exceed the risk itself.
  - **Risk Avoidance**: Eliminating activities or assets that introduce risk.
  - **Risk Reduction**: Taking actions to reduce the impact of the risk.
  - **Risk Transfer**: Transferring risk to a third party, like an insurance company.

**Additional Terms**:

- **Countermeasure**: Actions taken to protect assets and reduce risk.
- **Impact**: The potential damage resulting from a threat.

---

#### 2.2.2 Hacker vs. Threat Actor

- **Hacker**: A term with multiple meanings, often used to describe a skilled programmer or network professional who might also use their knowledge to attack networks. Hackers are generally classified by their ethical intent:
  - **White Hat Hackers**: Ethical hackers who test systems for vulnerabilities to help organizations strengthen security.
  - **Grey Hat Hackers**: Hackers who act without authorization but often reveal vulnerabilities publicly, sometimes helping organizations address them.
  - **Black Hat Hackers**: Criminal hackers who exploit vulnerabilities for personal gain or malicious intent.

**Note**: In cybersecurity, the term **threat actor** is often used for grey and black hat hackers who may pose risks to network security.

---

#### 2.2.3 Evolution of Threat Actors

The motivations and profiles of threat actors have evolved since the 1960s. Key types include:

- **Script Kiddies**: Inexperienced individuals using pre-made scripts to cause harm, usually without financial motive.
- **Vulnerability Brokers**: Typically grey hats who discover exploits and report them, sometimes for rewards.
- **Hacktivists**: Grey hat hackers driven by political or social causes, using tactics like DDoS attacks and information leaks.
- **Cybercriminals**: Black hats working independently or in organizations, often motivated by financial gain.
- **State-Sponsored Hackers**: Threat actors working on behalf of governments to conduct espionage, steal information, or sabotage foreign networks. They can be perceived as white or black hats depending on perspective.

---

#### 2.2.4 Cybercriminals

- **Definition**: Black hat hackers motivated by financial gain, often supported by criminal organizations.
- **Activities**: Operate in an underground economy, buying, selling, and trading exploits, tools, and stolen data. Cybercriminals target consumers, small businesses, and large enterprises, resulting in billions in losses globally each year.

---

#### 2.2.5 Cybersecurity Tasks

Cybersecurity is a shared responsibility for individuals and organizations alike. Key practices include:

- **For Individuals**: Report cybercrime, be vigilant against suspicious emails or websites, and protect sensitive data.
- **For Organizations**:
  - Use trustworthy IT vendors.
  - Keep security software up to date.
  - Conduct regular penetration testing.
  - Back up data to cloud and physical storage.
  - Regularly change Wi-Fi passwords.
  - Update security policies.
  - Enforce strong passwords and two-factor authentication.

---

#### 2.2.6 Cyber Threat Indicators

- **Indicators of Compromise (IOC)**: Evidence of a network attack, such as malware file attributes, IP addresses used in attacks, or characteristic software changes. IOCs help cybersecurity personnel identify attacks and develop defenses.
```
Malware File - "studiox-link-standalone-v20.03.8-stable.exe"
sha256 6a6c28f5666b12beecd56a3d1d517e409b5d6866c03f9be44ddd9efffa90f1e0
sha1 eb019ad1c73ee69195c3fc84ebf44e95c147bef8
md5 3a104b73bb96dfed288097e9dc0a11a8
DNS requests
domain log.studiox.link
domain my.studiox.link
domain _sips._tcp.studiox.link
domain sip.studiox.link
Connections
ip 198.51.100.248
ip 203.0.113.82
```

- **Example**: A suspicious email claiming a prize may have IOCs like an unfamiliar sender IP, a suspicious subject line, or a fraudulent URL.
- **Indicators of Attack (IOA)**: Focus on the motivations and strategies behind attacks, helping develop proactive security measures to prevent future attacks using similar methods.

---

#### 2.2.7 Threat Sharing and Cybersecurity Awareness

Governments and organizations actively promote cybersecurity and the sharing of threat intelligence:

- **US Cybersecurity and Infrastructure Security Agency (CISA)**: Provides tools like Automated Indicator Sharing (AIS) to allow real-time threat sharing between the government and private sector, reducing the national attack surface.
- **National Cybersecurity Awareness Month (NCASM)**: An annual campaign by CISA and the National Cyber Security Alliance to raise awareness, focusing on security best practices in social media, online shopping, software updates, and more.
- **European Union Agency for Cybersecurity (ENISA)**: Similar to CISA, ENISA supports EU member states with cybersecurity guidance and resources.

> [!Warning] Recap
> Understanding network security requires you to understand the following terms: threat, vulnerability, attack surface, exploit, and risk. Risk management is the process that balances the operational costs of providing protective measures with the gains achieved by protecting the asset. Four common ways to manage risk are risk acceptance, risk avoidance, risk reduction, and risk transfer. Hacker is a term used to describe a threat actor.
> White hat hackers are ethical hackers using their skills for good, ethical, and legal purposes. Grey hat hackers are individuals who commit crimes and do unethical things, but not for personal gain or to cause damage. Black hat hackers are criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. Threat actors include script kiddies, vulnerability brokers, hacktivists, cybercriminals, and state-sponsored hackers.
> Many network attacks can be prevented by sharing information about IOCs. Many governments are promoting cybersecurity. CISA and NCSA are examples of such organizations.
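As an added example (not part of the course or this cheat sheet), the following Python script parses the IOC listing from section 2.2.6 and matches its file hashes, domains and IP addresses against constructed DNS, firewall and EDR log lines; the log lines, their `key=value` field names and the rule that a domain indicator also covers its subdomains are assumptions, not something the course specifies.

```python
IOC_TEXT = """\
Malware File - "studiox-link-standalone-v20.03.8-stable.exe"
sha256 6a6c28f5666b12beecd56a3d1d517e409b5d6866c03f9be44ddd9efffa90f1e0
sha1 eb019ad1c73ee69195c3fc84ebf44e95c147bef8
md5 3a104b73bb96dfed288097e9dc0a11a8
DNS requests
domain log.studiox.link
domain my.studiox.link
domain _sips._tcp.studiox.link
domain sip.studiox.link
Connections
ip 198.51.100.248
ip 203.0.113.82
"""  # IOC listing in the format shown in 2.2.6 (values copied from that listing)
IOC_KINDS = ("sha256", "sha1", "md5", "domain", "ip")

def parse_iocs(text):
    """Return {kind: set(values)} from the 'kind value' lines; heading lines are skipped."""
    iocs = {kind: set() for kind in IOC_KINDS}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in IOC_KINDS:
            iocs[parts[0]].add(parts[1].lower())
    return iocs

def match_iocs(log_lines, iocs):
    """Return (line, kind, indicator) for each key=value field that hits an indicator.
    Comparison is case-insensitive and a domain indicator also covers its subdomains (assumed rule)."""
    hits = []
    for line in log_lines:
        fields = {t.split("=", 1)[1].lower() for t in line.split() if "=" in t}
        for kind, values in iocs.items():
            for value in values:
                if any(f == value or (kind == "domain" and f.endswith("." + value)) for f in fields):
                    hits.append((line, kind, value))
    return hits

# Constructed sample log lines (DNS resolver, firewall, EDR); not from the page.
SAMPLE_LOGS = [
    "2024-11-08T10:53:13Z dns client=10.0.0.5 query=my.studiox.link type=A",
    "2024-11-08T10:53:14Z dns client=10.0.0.5 query=www.example.com type=A",
    "2024-11-08T10:53:20Z fw src=10.0.0.5 dst=203.0.113.82 dport=5060 action=allow",
    "2024-11-08T10:53:21Z fw src=10.0.0.7 dst=198.51.100.1 dport=443 action=allow",
    "2024-11-08T10:54:02Z edr host=ws07 sha256=6A6C28F5666B12BEECD56A3D1D517E409B5D6866C03F9BE44DDD9EFFFA90F1E0",
]

if __name__ == "__main__":
    for line, kind, value in match_iocs(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(f"IOC hit [{kind}={value}]: {line}")
```

The script flags three of the five sample lines (a DNS query, an outbound connection and a file hash) and ignores the look-alike address 198.51.100.1, which is not in the listing.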