Information security

  1. Classification
  2. Measures
  3. Risk
  4. Assessment
    1. CVSS
    2. Shodan
    3. Exploit DB
    4. NVD
    5. SonarQube
    6. OWASP ZAP
    7. Findsecbugs
    8. Fuzzer
    9. Haveibeenpwned.com
    10. Metasploit
    11. Masscan
    12. CIS benchmark
    13. EICAR
    14. VSS
  5. TAXII
  6. PKCS
  7. Frameworks
    1. OODA
    2. OSCAR
    3. Parkerian hexad
    4. COBIT
    5. NIST SP 800-53
    6. COSO IC
    7. Six Sigma
    8. CMMI

Classification

  • public sector
    1. unclassified
    2. sensitive but unclassified (SBU)
    3. confidential
    4. secret
    5. top secret
  • private sector
    1. public
    2. sensitive
    3. private
    4. confidential

Measures

  1. preventative
  2. detective
  3. corrective
  4. recovery
  5. deterrent
  6. compensating: utilizes an alternative method (e.g. pass a vulnerable protocol through the firewall but land it on a proxy)

Risk

  1. avoidance
  2. reduction
  3. sharing/transfer
  4. retention/acceptance
  • risk = threats * vulnerability * impact
  • RMF – risk management framework (NIST SP 800-37)

Assessment

  1. device discovery (identity, ping, TCP SYN scan)
  2. service enumeration (TCP/UDP ports, Web services)
  3. scanning (config issue, missing patches)
  4. validation (false positive removal, manual verification)

CVSS

  • common vulnerability scoring system
  • tools: Metasploit, OpenVAS

Shodan

  • IoT

Exploit DB

NVD

  • national vulnerability database

SonarQube

  • adhering to a coding standard (CERT)
  • OWASP top-10

OWASP ZAP

  • web application scanner

Findsecbugs

Fuzzer

  • tests input validation using random or malformed data
  • tools: Peach, Mutiny, American Fuzzy Lop (AFL), Synopsys Defensics

Haveibeenpwned.com

  • DB of accounts exposed in known breaches

Metasploit

  • pentesting
  • Armitage – GUI

Masscan

  • port scanner, similar to nmap

CIS benchmark

  • Center for Internet Security
  • guidelines for hardening

EICAR

  • European Institute for Computer Antivirus Research
  • harmless file that is agreed to be treated as malicious
  • policy check tool

VSS

  • vulnerability scan service
  • free
  • metrics:
    • base
      • attack vector
        • adjacent (L2)
        • network (L3)
        • local (shell, console)
        • physical
      • attack complexity: conditions beyond the attacker's control
      • privileges required
      • user interaction
      • scope: whether it can affect other users, system components
      • confidentiality impact
      • integrity impact
      • availability impact
    • temporal
      • exploit code maturity: working exploit availability in the wild
      • remediation level: patch/fix availability
      • report confidence: how much info is available about vulnerability
    • environmental
      • security requirements
      • modified base metrics

TAXII

  • trusted automated exchange of intelligence information
  • L7 protocol to exchange CTI (cyber threat information) in STIX format (structured threat information expression)
    • components
      • Observable
      • Indicator
      • Incident
      • Tactics, Techniques and Procedures (TTP)
      • Exploit Target
      • Course of Action (CoA)
      • Campaign
      • Threat Actor
    • JSON
  • HTTPS, RESTful API; publisher-subscriber

PKCS

  • public key cryptography standards
    • #1 – RSA
    • #3 – DH
    • #7 – format of CA response to certificate request
    • #10 – certificate request format
    • #12 – storing key pair, encrypted with password

Frameworks

OODA

  • observe, orient, decide, act
  • real-time incident response model

OSCAR

  • obtain information, strategize, collect evidence, analyze, report
  • digital forensics + documentation model

Parkerian hexad

  • extension to CIA:
    • authenticity: non-repudiation
    • possession: asset is possessed, not stolen
    • utility: asset can be used

COBIT

  • control objectives for information and related technology
  • ISACA and ITGI
  • enterprise and IT management framework:
    • for top management
    • 17 targets for IT and business + connection between them
  • private sector
  • operational level

NIST SP 800-53

  • public sector
  • alternative to COBIT
  • control category: technical, operational, management
  • functions
    • identify
      • asset vulnerabilities
      • threat intelligence
      • threats
      • risks
      • responses
    • protect
      • IAM
      • awareness training
      • data security
      • infosec processes and procedures
      • maintenance
    • detect
      • anomalies and events
      • security monitoring
      • detection process
    • respond
      • response planning
      • communications
      • analysis
      • mitigation
      • improvements
    • recover
      • recovery planning
      • improvements
      • communications

COSO IC

  • committee of sponsoring organisations internal control
  • corporate management
  • strategic level

Six Sigma

  • framework to improve processes
  • utilizes statistics, reducing inaccuracy

CMMI

  • capability maturity model integration
  • levels:
    • 0 = no process
    • 1 = reactive, ad hoc, disorganised (initial)
    • 2 = security assigned to IT, developing practices (repeatable)
    • 3 = defined procedures, documented, communicated (defined)
    • 4 = security mapped to business objectives, monitored and measured processes (managed)
    • 5 = automated processes, structured and enterprise-wide assessment (optimizing)