# Module 11: Understanding Defense
:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, with definitions and examples. At the end of (almost) each part, you will find a link to related online flashcards.
:::
### 11.1 Defense-in-Depth
---
#### **11.1.1 Assets, Vulnerabilities, Threats**
- **Assets:** Anything valuable to an organization (e.g., servers, devices, data).
- **Vulnerabilities:** Weaknesses in a system/design exploitable by threats.
- **Threats:** Potential dangers targeting assets.
---
#### **11.1.2 Identify Assets**
- Assets grow as organizations expand or merge.
- Assets include devices, data, and systems that form the attack surface.
- **Asset Management:** Inventory assets, identify critical information storage, and develop policies to secure:
  - Customer credit card information (retail).
  - Competition-sensitive designs (engineering).
  - Financial data (banks).
---
#### **11.1.4 Asset Classification**
1. **Identify Categories:** Information, software, physical assets, services.
2. **Assign Ownership:** Define asset owners for accountability.
3. **Classification Criteria:** Consider confidentiality, value, access rights, and destruction.
4. **Implement Schema:** Use a consistent labeling system for uniform protection and monitoring.
---
#### **11.1.5 Asset Standardization**
- Standardizing hardware/software ensures faster response during failures.
- Non-standard environments increase costs and management complexity.
---
#### **11.1.6 Asset Lifecycle Stages**
1. **Procurement:** Purchase and add to inventory.
2. **Deployment:** Assemble, inspect, and tag for tracking.
3. **Utilization:** Continuously check performance, apply upgrades/patches.
4. **Maintenance:** Extend life with modifications/upgrades.
5. **Disposal:** Wipe data and dispose of environmentally hazardous parts.
---
#### **11.1.8 Identify Vulnerabilities**
- Ask:
  1. What are the system’s vulnerabilities?
  2. Who might exploit these vulnerabilities?
  3. What are the potential consequences?
- Example threats in **e-banking:**
  - Insider attacks, phony transactions, stolen customer data, data center destruction.
---
#### **11.1.9 Identify Threats**
- Use a **Defense-in-Depth** approach with multiple security layers:
  1. **Edge Router:** Initial filtering of incoming/outgoing traffic.
  2. **Firewall:** Tracks connection states, blocks unauthorized access, enables user authentication.
  3. **Internal Router:** Final filtering before traffic reaches internal destinations.
- Additional layers: Intrusion Prevention Systems (IPS), Advanced Malware Protection (AMP), web/email content security systems, identity services.

---
#### **11.1.10 Security Onion vs. Security Artichoke**
- **Security Onion:**
  - Each defense layer must be breached sequentially (e.g., AAA, IPS, firewalls).
  - Ideal for layered security with minimal gaps.

- **Security Artichoke:**
  - Threat actors exploit weaker, peripheral defenses like mobile devices or web applications.
  - Attackers skip layers, using exposed leaves to reach sensitive data.

---
#### **11.1.11 Defense-in-Depth Strategies**
1. **Layering:**
   - Build multiple defensive layers (e.g., password-protected servers inside a locked building with electric fences).
   - Minimize risk through redundancy.
2. **Limiting:**
   - Restrict access based on roles (e.g., file permissions).
   - Use procedural safeguards, like monitoring sensitive documents in secured rooms.
3. **Diversity:**
   - Use varied security layers to prevent repeated breaches using the same methods.
   - Examples: Different encryption/authentication systems, diverse security products.
4. **Obscurity:**
   - Hide sensitive information (e.g., OS details, error messages) to prevent exploitation.
   - Conceal system configurations and vulnerability indicators.
5. **Simplicity:**
   - Security solutions should be simple for employees to use internally but complex for attackers externally.
   - Avoid overly complicated setups that could lead to misconfigurations.
>[!Warning]Recap
>To prepare for any type of attack, cybersecurity technicians must first identify assets, vulnerabilities, and threats. The collection of all the devices and information owned or managed by the organization constitutes its assets. The assets form the attack surface that threat actors could target. There are four steps to asset identification and classification:
>1. Determine the proper asset identification category
>2. Establish asset accountability by identifying the owner of each information asset and each piece of software
>3. Determine the criteria for classification
>4. Implement a classification schema
>
>Asset standards identify the specific hardware and software products used by an organization. The stages of an asset's lifecycle are procurement, deployment, utilization, maintenance, and disposal. Identifying vulnerabilities on a network requires an understanding of the important applications in use, as well as the vulnerabilities of those applications and of the underlying hardware. Organizations must use a defense-in-depth approach to identify threats and secure vulnerable assets. This approach uses multiple layers of security at the network edge, within the network, and on network endpoints. Two common analogies are used to describe a defense-in-depth approach: the Security Onion and the Security Artichoke. To keep data and infrastructure secure, an organization should build its layers of protection around the strategies of layering, limiting, diversity, obscurity, and simplicity.
### 11.2 Cybersecurity Operations Management
---
#### **11.2.2 Configuration Management**
- **Definition:** Configuration management ensures secure, consistent, and documented configurations for systems.
- **Baseline Configuration:** A template of system settings and requirements used for similar systems across an organization.
  - Example: Deploying Windows workstations with pre-installed apps and defined system settings.
- **Documented Configuration Resources:**
  - Network maps, cabling, and wiring diagrams.
  - Standard naming conventions for computers.
  - IP schemas for tracking addresses.
- **OS Hardening:**
  - Configure log files and auditing.
  - Change default account names and passwords.
  - Implement account policies and file-level access control.
---
#### **11.2.3 Log Files**
- **Purpose:** Logs document events to track actions, monitor security, and analyze incidents.
- **Examples:**
  - **Audit Logs:** Track user authentication attempts.
  - **Access Logs:** Record details of file requests on a system.
- **Log Management Steps:**
  1. Generating logs.
  2. Transmitting logs.
  3. Storing logs.
  4. Analyzing log data.
  5. Disposing of log data.
---
#### **11.2.4 Types of Logs**
1. **Operating System Logs:**
   - Document OS-related events.
   - Include:
     - Client requests and server responses.
     - Usage information (e.g., transaction numbers and sizes).
2. **Application Security Logs:**
   - Generated by security software to detect malicious activity.
   - Provide:
     - Data for auditing and compliance.
     - Insights into trends and long-term security issues.
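The "analyzing log data" step from 11.2.3 applied to the audit logs that track authentication attempts, as an added example that is not part of the course material: it parses constructed sshd-style log lines and flags sources with repeated failed logins. The log format, the sample addresses and the failure threshold are assumptions for illustration.

```python
"""Added example (not course material): analyze constructed audit-log lines
to flag repeated failed authentication attempts, turning stored audit logs
into a security signal (the 'analyzing log data' step)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in an sshd-style syslog format; not real data.
SAMPLE_LOG = """\
Mar 10 09:12:01 srv1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar 10 09:12:04 srv1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 50124 ssh2
Mar 10 09:12:07 srv1 sshd[2203]: Failed password for root from 198.51.100.23 port 50130 ssh2
Mar 10 09:12:09 srv1 sshd[2205]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
Mar 10 09:12:11 srv1 sshd[2207]: Failed password for bob from 192.0.2.44 port 40220 ssh2
Mar 10 09:12:30 srv1 sshd[2209]: Failed password for root from 198.51.100.23 port 50140 ssh2
"""

# Matches the two outcomes we care about; the 'invalid user' marker is optional.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_auth_events(log_text):
    """Return (result, user, src) tuples for every parsable sshd auth line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["src"]))
    return events

def failed_by_source(events):
    """Count failed attempts per source address and record the accounts tried."""
    counts = Counter()
    users = defaultdict(set)
    for result, user, src in events:
        if result == "Failed":
            counts[src] += 1
            users[src].add(user)
    return counts, users

def flag_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures (threshold is an assumed policy value)."""
    counts, users = failed_by_source(parse_auth_events(log_text))
    return {src: sorted(users[src]) for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for src, accounts in flag_sources(SAMPLE_LOG).items():
        print(f"{src}: repeated failures against {', '.join(accounts)}")
```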
---
#### **11.2.5 Protocol Analyzers**
- **Also Known As:** Packet sniffers.
- **Function:** Capture and analyze network traffic (wired and wireless).
- **Key Uses:**
  1. Logging network traffic.
  2. Analyzing network problems.
  3. Detecting network misuse and intrusions.
  4. Isolating exploited systems.
- **Popular Tools:** Wireshark, tcpdump, SolarWinds, and more.
>[!Warning]Recap
>Configuration management refers to identifying, controlling, and auditing the implementation and any changes made to a system’s established baseline. Documented configuration resources can include network maps, cabling/wiring diagrams, app configuration standards, naming conventions and an IP schema. Configuring log files along with auditing, changing default account names and passwords, and implementing account policies and file-level access control are all used to create a secure OS. Management of computer security log data should determine the procedures for the following: generating, transmitting, and storing log files, as well as analyzing and disposing of log data. Operating system logs record events that are linked to actions that have to do with the OS. Organizations use network-based and/or system-based security software to detect malicious activity. This software generates security logs which are useful for performing auditing analysis and identifying trends and long-term problems. Logs also enable an organization to provide documentation showing that it complies with laws and regulatory requirements. Packet analyzers, otherwise known as packet sniffers, intercept and log network traffic. Packet analyzers perform the following functions: traffic logging, network problem analysis, detection of network misuse, detection of network intrusion attempts, and isolation of exploited systems.
### 11.3 Security Policies, Regulations, and Standards
---
#### 11.3.1 Business Policies
- Business policies guide an organization's actions and define standards of behavior for both the business and its employees.
- In networking, these policies set a baseline of acceptable use and help detect potential security breaches.
- Examples of business policies include **Company Policies**, **Employee Policies**, and **Security Policies**.
**Business Policies:**
- **Company Policies:** Establish rules for employee and employer conduct, ensuring rights protection and compliance with employment terms.
- **Employee Policies:** Detail pay, schedules, benefits, and vacation policies, maintained by HR for consistency.
- **Security Policies:** Outline security objectives, system requirements, and mechanisms to safeguard organizational assets.
---
#### 11.3.2 Security Policy
- **Benefits of a Security Policy:**
  - Demonstrates commitment to security.
  - Establishes rules for behavior and legal consequences for violations.
  - Ensures consistency across operations and acquisitions.
  - Provides backing for security staff and compliance measures.
**Security Policies:**
- **Identification and Authentication Policy:** Authorizes user access to network resources and defines verification processes.
- **Password Policies:** Set requirements for passwords, including regular updates.
- **Acceptable Use Policy (AUP):** Defines acceptable network usage and repercussions for violations.
- **Remote Access Policy:** Specifies how and what remote users can access.
- **Network Maintenance Policy:** Covers device OS and application update procedures.
- **Incident Handling Procedures:** Details processes for managing security incidents.
**Key AUP Notes:**
- Specifies allowable traffic and prohibited activities.
- Explicit rules minimize misunderstandings.
- Requires signed acknowledgment by employees.
---
#### 11.3.3 BYOD Policies
- **Definition:** BYOD policies enable employees to use personal devices for company tasks, offering increased productivity and reduced IT costs but introducing security risks.
- **Goals of a BYOD Security Policy:**
  - Define program goals and identify eligible employees and devices.
  - Set access levels for personal devices.
  - Specify security personnel rights regarding the devices.
  - Address regulatory compliance and safeguards for compromised devices.
**BYOD Security Best Practices:**
- **Password-Protected Access:** Use unique passwords for each device and account.
- **Manually Control Wireless Connectivity:** Disable unused Wi-Fi and Bluetooth and connect only to trusted networks.
- **Keep Updated:** Ensure devices and software have the latest security patches.
- **Back Up Data:** Regularly back up device data to mitigate loss risks.
- **Enable "Find My Device":** Utilize locator services with remote wipe features.
- **Provide Antivirus Software:** Equip BYOD devices with approved antivirus tools.
- **Use Mobile Device Management (MDM):** Implement MDM software to manage security settings and configurations.
---
#### **11.3.4 Regulatory and Standards Compliance**
- **Overview:** External regulations mandate the development and enforcement of security policies.
- **Key Points:**
  - Regulations define organization responsibilities and liabilities for non-compliance.
  - Security professionals must be familiar with relevant laws and ethics codes.
  - Compliance depends on the type of organization and the nature of data handled.
**Note:** More specific compliance regulations are covered in later sections of the course.
>[!Warning]Recap
>Business policies define standards of correct behavior for the business and its employees. In networking, policies define the activities that are allowed on the network, setting a baseline of acceptable use. If behavior that violates business policy is detected on the network, it is possible that a security breach has occurred. Most organizations will have company policies, employee policies, and security policies. Security policies are made up of a variety of policies, including identification and authentication, password, acceptable use, remote access, network maintenance, and incident handling policies. BYOD policies are made up of best practices, including password-protected access, manual control of wireless connectivity, keeping patches and updates current, keeping backups current, enabling “Find My Device”, using antivirus software, and using MDM. There are also external regulations regarding network security. Network security professionals must be familiar with the laws and codes of ethics that are binding on Information Systems Security (INFOSEC) professionals.