Classification
- public sector
  - unclassified
  - sensitive but unclassified (SBU)
  - confidential
  - secret
  - top secret
- private sector
  - public
  - sensitive
  - private
  - confidential
Measures
- preventative
- detective
- corrective
- recovery
- deterrent
- compensating: an alternative control used when the primary one cannot be applied (e.g. let a vulnerable protocol through the firewall, but terminate it on a proxy)
Risk
- avoidance
- reduction
- sharing/transfer
- retention/acceptance
- risk = threat * vulnerability * impact
- RMF – risk management framework (NIST SP 800-37)
Assessment
- device discovery (identity, ping, TCP SYN scan)
- service enumeration (TCP/UDP ports, Web services)
- scanning (config issue, missing patches)
- validation (false positive removal, manual verification)
CVSS
- common vulnerability scoring system
- tools: Metasploit, OpenVAS
Shodan
- IoT
Exploit DB
NVD
- national vulnerability database
SonarQube
- checks adherence to coding standards (CERT)
- OWASP top-10
OWASP ZAP
- web application scanner
Findsecbugs
Fuzzer
- tests input validation by feeding random or malformed data
- tools: Peach, Mutiny, American Fuzzy Lop, Synopsys Defensics
Haveibeenpwned.com
- database of accounts exposed in known breaches
Metasploit
- pentesting
- Armitage – GUI
Masscan
- port scanner, similar to nmap
CIS benchmark
- Center for Internet Security
- guidelines for hardening
EICAR
- European Institute for Computer Antivirus Research
- harmless file that is agreed to be treated as malicious
- policy check tool
VSS
- vulnerability scan service
- free
- CVSS metrics:
  - base
    - attack vector
      - adjacent (L2)
      - network (L3)
      - local (shell, console)
      - physical
    - attack complexity: conditions that the attacker cannot control
    - privileges required
    - user interaction
    - scope: whether exploitation can affect other users or system components beyond the vulnerable one
    - confidentiality impact
    - integrity impact
    - availability impact
  - temporal
    - exploit code maturity: availability of a working exploit in the wild
    - remediation level: patch/fix availability
    - report confidence: how much information is available about the vulnerability
  - environmental
    - security requirements
    - modified base metrics
TAXII
- trusted automated exchange of intelligence information
- L7 protocol to exchange CTI (cyber threat information) in STIX format (structured threat information expression)
- STIX components
  - Observable
  - Indicator
  - Incident
  - Tactics, Techniques and Procedures (TTP)
  - Exploit Target
  - Course of Action (CoA)
  - Campaign
  - Threat Actor
- JSON
- HTTPS, RESTful API; publisher-subscriber
PKCS
- public key cryptography standards
- #1 – RSA
- #3 – DH
- #7 – format of CA response to certificate request
- #10 – certificate request format
- #12 – storing key pair, encrypted with password
Frameworks
OODA
- observe, orient, decide, act
- real-time incident response model
OSCAR
- obtain information, strategize, collect evidence, analyze, report
- digital forensics + documentation model
Parkerian hexad
- extension to CIA:
  - authenticity: non-repudiation
  - possession: asset is possessed, not stolen
  - utility: asset can be used
COBIT
- control objectives for information and related technology
- ISACA and ITGI
- enterprise and IT management framework:
  - for top management
  - 17 targets for IT and business + connection between them
- private sector
- operational level
NIST SP 800-53
- public sector
- alternative to COBIT
- control categories: technical, operational, management
- functions
  - identify
    - asset vulnerabilities
    - threat intelligence
    - threats
    - risks
    - responses
  - protect
    - IAM
    - awareness training
    - data security
    - infosec processes and procedures
    - maintenance
  - detect
    - anomalies and events
    - security monitoring
    - detection process
  - respond
    - response planning
    - communications
    - analysis
    - mitigation
    - improvements
  - recover
    - recovery planning
    - improvements
    - communications
COSO IC
- Committee of Sponsoring Organisations, Internal Control framework
- corporate management
- strategic level
Six Sigma
- framework to improve processes
- utilizes statistics, reducing inaccuracy
CMMI
- capability maturity model integration
- levels:
  - 0 = no process
  - 1 = reactive, ad hoc, disorganised (initial)
  - 2 = security assigned to IT, developing practices (repeatable)
  - 3 = defined procedures, documented, communicated (defined)
  - 4 = security mapped to business objectives, monitored and measured processes (managed)
  - 5 = automated processes, structured and enterprise-wide assessment (optimizing)