Security controls

• Various security risks exist for varied assets (data, physical property, computer systems)
• If we recognize security controls, we can prevent events, minimize impact, and limit damage
• Categories:
• Technical controls
• Implemented using systems
• Operating system controls
• Firewalls, anti-virus
• Managerial controls
• Administrative controls, design and implementation
• Security policies and procedures
• Operational controls
• Implemented by people
• Guards, awareness programs
• Physical controls
• Limit physical access
• Guard shack, fences, locks, badges
• Control types:
• Preventive: block access to a resource
• Deterrent: discourage an intrusion attempt
• Detective: identify and log an intrusion attempt
• Corrective: applied after an event is detected, reversing impact
• Compensating: existing controls insufficient, temporarily control using other means
• Directive: "do this, please" -- direct a subject towards a compliance (weak, based on suggestion/policy)

Full objective: "Summarize fundamental security concepts."

The CIA Triad

• Combination of principles, the fundamentals of security (not to be confused with the Central Intelligence Agency)
• C - Confidentiality: prevent disclosure of info to those unauthorized
• I - Integrity: information cannot be modified without detection
• A - Availability: systems and networks must be up and running
• Confidentiality
• Certain info should only be known to certain people
• Encryption, access controls, MFA
• Integrity
• Data is stored and transferred as intended
• Hashing, digital signatures, certificates, non-repudiation
• Availability
• Info accessible to authorized used
• Redundancy, fault tolerance, patching

Non-repudiation

• You cannot deny what you've said, like signing a digital contract
• Proof of integrity
• Verify data remains accurate and consistent
• Can be attained using a hash, data as a short string of text
• If data changes at all, "fingerprint" changes entirely
• However... this doesn't associate data with an individual
• Proof of origin
• Proving the source of the message (authentication)
• Sign with digital "private key" (only known by sender of data)
• Verified with "public key"
• Creating a digital signature

Authentication, Authorization, and Accounting

• AAA framework
• Identification: who you claim to be
• Authentication: prove you are who you claim to be
• Authorization: what access do you have when authorized
• Accounting: what resources did you use when authorized
• Authenticating people
• Authenticating systems
• Many managed devices, how to authenticate without a user?
• Device certificate, VPN or software validates authorized system
• Certificate authentication
• Organization has a trusted Certificate Authority (CA) that signs all device certificated
• Authorization models
• Certain users and services have access to certain data and applications
• Put the auth model in the middle
• Without a model, you would need to profile dozens of users individually
• With a model, you add abstractions (groups) to reduce complexity

Gap Analysis

• Where you are compared with where you want to be, requires extensive research
• Choosing the framework
• Work towards a known baseline and determine the end goal
• Following a framework like NIST SP 800-171 Revision 2 or ISO/IEC 27001
• Evaluate people and processes
• Get a baseline of employees: experience, training, knowledge
• Examine the current processes: systems and policies
• Analysis: compare and contrast
• Compare, identify weaknesses, then detailed analysis
• The analysis and report
• Report includes final comparison of objectives and current state as well as path to goal

Zero Trust

• Many networks are open on the inside, zero trust says everything must be verified and secured at every step (security in depth)
• Planes of operation
• Split the network into "functional planes"
• Data plane: frames, packets, network data
• Control plane: manage actions of data plane (policies, rules, etc.)
• Controlling trust
• Adaptive identity
• Consider source and requested resources, multiple risk indicators, make auth stronger
• Threat scope reduction: reduce number of entry points
• Policy-driven access control: combine adaptive identity with rules
• Security zones
• Broad categorization of where a user is connecting from and where you are going
• Trusted vs. untrusted, internal vs. external, departments, etc.
• Zones may be enough to deny access or provide implicit trust
• Policy enforcement point
• Subjects and systems must pass through a "gatekeeper" to access resources
• Allow, monitor, and terminate connections -- hands over to the policy decision point
• Policy decision point: responsible for examining authentication and deciding authenticity
• Policy engine: evaluates each decision based on policy -- grant, deny, or revoke
• Policy administrator: generates access tokens or credentials -- hands back to PEP
• Full zero trust model:

Physical Security

• Barricades / bollards
• Prevent access
• Channel people through an access point
• Identify safety concerns
• Access control vestibules: isolated rooms for access point authentication
• All doors either normally unlocked or locked depending on level of security
• When one door is open, other cannot be unlocked -- allows for one-at-a-time or controlled groups to access an area
• Fencing
• Building a very obvious perimeter
• May be transparent or opaque
• Must be robust to prevent bending or cutting
• Add razor wire or height to prevent climbing for more secure areas (some fences may be solely deterrents)
• Video surveillance
• CCTV (closed circuit television): can replace physical guards
• Newer features include motion detection and object recognition
• Guards and access badges
• Security guard: physical protection at reception area
• Two-person integrity/control: minimize exposure to attack, no single person has access to a physical asset
• Access badge: identifying details, worn at all times, electronically logged
• Lighting
• More light means more security: attackers avoid light and exposed areas
• Lighting and angles may be important for facial recognition
• Sensors
• Infrared: detects radiation in light and dark, common in motion detectors
• Pressure: detects change in force, floor and window sensors
• Microwave: detects movement across large areas
• Ultrasonic: sends signals and receives reflected sound waves to detect motion or collision

Deception and Disruption

• Honeypots
• Attract threat actors and trap them
• Probably a machine, create a virtual world (can be done with open source software)
• Constant battle to discern real from fake (honeypot effectiveness)
• Honeynets
• A collection of honeypots on a large deception network
• https://projecthoneypot.org
• Honeyfiles
• More honey, more believable -- increases chance of deception (passwords.txt, etc.)
• Alert sent if file accessed (virtual bear trap)
• Honeytokens
• Track malicious actors by adding traceable data to honeynet
• API credentials that don't actually provide access
• Fake email addresses whose inbox is monitored

and the impact to security."

Change Management

• Upgrading software, patching an application, changing firewall configuration, modifying switch ports, etc.
• One of the most common and frequent risks and enterprise, must be standardized
• Change approval process: a formal process for making change
• 1. Complete request forms
• 2. Determine purpose of change
• 3. Identify scope of change
• 4. Schedule a date and time
• 5. Determine affected systems and impact
• 6. Analyze risk associated with change
• Ownership
• Individual or entity needs to make a change - they own the process but don't perform the actual change
• Owner manages the change process, is informed of updates and must test their system afterward
• Stakeholders - who is impacted by this change?
• Impact analysis
• Determine a risk value (high, medium, low)
• What risks can occur upon making the change? What about NOT making the change?
• Test results - sandbox testing environment
• Technological "safe space"
• Use before making change to production
• Confirm a backout (revert) plan
• Backout plan
• Change might not go well, always have a way to revert your changes
• Some changes may be very difficult to revert
• Maintenance window - when is the change happening?
• Might be the most difficult part of the process
• Time of day, time of month, time of year
• Standard operating procedure
• Change management is critical and must be well-documented
• Changes to process itself must fit within standards

Technical Change Management

• Put change management process into action
• Change management concerned with what, technical team handles the how
• Allow list / deny list - security policy controlling app execution
• Allow list - nothing runs unless it's approved
• Deny list - everything runs unless it's disapproved (i.e. anti-malware)
• Restricted activities
• Scope of a change is critical
• Change approval is permission only for specific changes
• Scope may need to be expanded
• Change management process determines next steps
• Downtime
• Services will be eventually unavailable, usually done during non-business hours
• If possible, prevent any downtime, switch to secondary system
• Should be as automated as possible, part of backout plans
• Send email notifications and calendar updates
• Restarts - common requirement
• Reboot OS, power cycle switch, bounce service
• Services - stop and restart service or daemon
• Application - close completely
• Legacy applications
• Been around a while, often no longer supported
• Document the system, may be quirky
• Dependencies - may add complexity
• To complete A, you must complete B
• Libraries, other applications, etc.
• Modifying one component may require modifying/restarting several others
• Documentation
• New changes require new processes and documentation
• Updating diagrams (network, etc.)
• Updating policies and procedures
• Version control
• Track changes to a file or config data over time
• Router configs, Windows patches, application registry entries, etc.
• Some devices/suites provide this , some need additional software

solutions."

Public Key Infrastructure (PKI)

• Includes policies, procedures, hardware, software, people
• Creating, distributing, managing, storing, revoking digital certificates
• Also refers to the binding of public keys to people or devices, in association with certificate authority
• Symmetric encryption
• A single, shared key
• Used for the encryption and decryption of data
• Secret key algorithm
• Doesn't scale very well, but very fast
• Often combined with asymmetric encryption
• Asymmetric encryption
• Public key cryptography - two mathematically related keys
• Private key and public key
• Alice encrypts with Bob's public key
• Bob decrypts with his private key
• Cannot derive private key from public key
• The key pair
• Key generation involves random and very large prime numbers
• Everyone has public key, only individual has private key
• Key escrow
• Someone else holds your decryption keys (third-party)
• May be within your organization
• Business/government might need to decrypt partner data
• Controversial, but can be legitimate business arrangement

Encrypting Data

• Encrypting stored data
• Protect data on stored data (data at rest)
• Full-disk and partition/volume encryption - BitLocker, FileVault, etc.
• File encryption - EFS, etc.
• Database encryption
• Protecting and transmitting stored data
• Transparent encryption - encrypt all database info with symmetric key
• Record-level encryption - encrypt individual columns and use separate keys
• Transport encryption
• Protect data traversing the network
• Encrypting in the application (HTTPS, etc.)
• VPN (Virtual Private Network)
• Encrypts all data transmitted over the network
• Client-based using SSL/TLS, site-to-site using IPSec
• Encryption algorithms
• Many different options, both sides decide on algorithm
• Differentiate in security, speed, complexity
• (his graphic here for DES vs. AES is too vague/inaccurate)
• Cryptographic keys
• To be secure, cryptographic solutions must be able to withstand the algorithm/process being revealed (only cracked if key is in possession)
• Kerckhoff's principle - the security of a cryptographic system shouldn't rely on the secrecy of the algorithm
• Key determines the output (encrypted data, hash value, etc.)
• Key lengths
• Larger key = more secure
• Symmetric encryption is commonly 128-, 192-, or 256-bit (AES)
• Asymmetric encryption requires larger keys (3,072-bit or larger)
• Key stretching - make a key stronger by encrypting or hashing data multiple times

Key Exchange

• Large and popular logistical challenge
• One example is "out-of-band" (not over network)
• In-band key exchange - over network, protect key with additional encryption
• Real-time encryption/decryption
• Share a symmetric session key using asymmetric encryption (i.e. Diffie-Hellman)

Encryption Technologies

• Trusted Platform Module (TPM)
• Cryptography hardware on a device, specification for cryptographic functions
• Cryptographic processor (RNG, keygen)
• Persistent memory - keys burned during manufacturing
• Versatile memory - storage keys and hardware config info (BitLocker, etc.)
• Password protected
• Hardware Security Module (HSM)
• Used in large environments - securely store thousands of keys
• High-end cryptographic hardware
• Cryptographic accelerators - offload high computing requirement
• Key management system
• Centralized management system, on-premises or cloud-based
• Separate keys from encrypted data
• All key management from one console
• Keeping data private
• Many, many different locations, wide attack vector
• Secure enclave - a protected area, hardware isolated from main processor
• Provides extensive security features
• Has own boot ROM, monitors bot process
• Has TRNG, real-time memory encryption, and root keys

Obfuscation

• The process of making something unclear, hiding info in plain sight
• Steganography - hiding information in images
• Message is invisible but extractable
• Common steganography techniques
• Network-based - embed messages in TCP packets
• Use an image - embed message in the image itself
• Invisible watermarks
• Audio and video steganography
• Tokenization - replace sensitive data with a non-sensitive placeholder
• Common with credit card processing - temporary token during payment
• NOT encryption or hashing, original data and token not related
• Data masking
• Data obfuscation - hide some of the original data - protects S/PII
• May only be hidden from view (still in storage)

Hashing and Digital Signatures

• Hashes - represent data as a short string of text
• One-way function, impossible to recover data from hash
• Used for integrity and digital signatures
• Collision
• Hash functions may produce an identical hash from different input (i.e. MD5)
• Modern hash functions (SHA256, etc.) do not have this problem
• Practical hashing
• Verify a downloaded file by comparing hash with one provided on source
• Storing passwords as a salted hash and use those during authentication
• Adding some salt - random data added to a password when hashing
• Every user gets their own random salt, changes hash completely
• Breaks rainbow tables (pre-computed hashes of common passwords)
• Digital signatures
• Prove integrity, authentication, non-repudiation
• Sign with private key, verify with public key
• Any change in message will invalidate the signature

Blockchain Technology

• Blockchain - a distributed ledger to keep track of transactions
• Everyone maintains the ledger
• The blockchain process
• 1. Transaction is requested
• 2. Transaction is sent to every node in a decentralized network to be verified
• 3. Verified transaction is added to a new block of data with other transactions
• 4. Hash is calculated from previous blocks of transaction data and added to new block of verified transactions
• 5. Block is added to end of Blockchain, updated to all nodes in the network
• 6. If any blocks altered, all hashes recalculated, altered chain now rejected

Certificates

• Digital certificates - a public key certificate
• Binds a public key with a digital signature
• Adds trust using Certificate Authority
• Web of Trust adds other users for additional trust
• Can also be built in to OS (Windows Domain services, etc.)
• What's in a digital certificate?
• X.509 - standard format
• Details - serial number, version, algorithm, issuer, cert holder, public key, etc.
• Root of trust - an inherently trusted component to build trust
• Hardware, software, firmware, etc.
• HSM, Secure Enclave, CA, etc.
• Certificate Authorities
• Digitally signs website certificates to provide real-time verification
• Third-party trust for an unknown entity (website)
• Hundreds of third-party CAs, built in to browser
• Certificate signing requests
• Create key pair, send public key to CA to be signed
• Certificate signing request (CSR)
• CA validates request (confirm DNS emails and website ownership)
• CA digitally signs cert and returns to applicant
• Private certificate authorities
• You're your own CA, devices must trust internal CA
• Needed for medium to large organizations with lots of web servers
• Windows Certificate Services, OpenCA, etc.
• Self-signed certificates
• Internal certificates don't need to be signed by a public CA
• Build your own CA to issue your own certificates
• Install CA certificate on all internal devices
• Wildcard certificates
• Subject Alternative Name (SAN) - \*.domain.com
• Extension to X.509
• Allows certificate to support many domains
• Wildcard domain
• Certificates based on the name of the server
• Applies to all server names in a domain
• Key revocation
• Certificate Revocation List (CRL)
• Maintained by CA
• CVE-2014-0160 (Heartbleed) - OpenSSL flaw that required every web server certificate be replaced
• OCSP stapling - Online Certificate Status Protocol
• Provides scalability for OCSP checks
• CA responsible for responding to all client OCSP requests
• Instead of this, have certificate holder very their own status
• OCSP status is "stapled" into the SSL/TLS handshake
• Getting revocation details to the browser
• OCSP - browser can check certificate revocation
• Messages usually sent to OCSP responder via HTTP
• More efficient than downloading a CRL
• Not all browsers/apps support OCSP (most modern do)

Threat Actors

• The entity responsible for an event that has an impact on the safety of another entity
• Also called a malicious actor
• Attributes (types, etc.) of threat actors often considered
• Useful to categorize motivation -- why is this attack happening?
• Attributes of threat actors
• Internal vs. external (within or outside a company)
• Resources and funding (no money vs. extensive funding)
• Level of sophistication (script kiddie or nation-state zero-days)
• Motivations of threat actors
• Data exfiltration
• Espionage
• Service disruption
• Blackmail
• Financial gain
• Philosophical/political
• Ethical
• Revenge
• Disruption/chaos
• War
• Nation states
• External entity
• Motivations could be data exfiltration, political, revenge, disruption, war
• Constant attacks, massive resources
• Advanced Persistent Threat (APT)
• Highest sophistication
• Military control, utilities, finances
• Stuxnet, for example
• Unskilled attackers
• Runs pre-made scripts
• Motivated by the hunt (disruption, data exfiltration, financial)
• Can be internal or external
• Not very sophisticated
• No formal funding (low hanging fruit)
• Hacktivist
• Hacker with a purpose (philosophy, politics, ethics, disruption)
• Often external (could infiltrate to be internal)
• Can be remarkably sophisticated (DDoS, defacing websites, releasing documents)
• Funding may be limited, some perform fundraising
• Insider threat
• Motivated by revenge, financial gain
• Extensive resources, uses organization's stuff
• Medium sophistication
• Has institutional knowledge
• Can attack known vulnerable systems
• Organized crime
• Professional criminals (almost always money)
• Very sophisticated, hierarchical
• Lots of capital, the best tools and personnel money can buy
• Shadow IT
• Going rogue inside their own internal IT,
• IT can put up roadblocks, so those in IT are a more advanced internal threat
• Limit resources with company budget
• Medium sophistication, some have IT background

Common Threat Vectors

• A method used by the attacker to gain access to or infect the target
• Also called "attack vectors"
• A lot of work goes into finding them, security professionals spend lots of time protecting existing vectors and finding new vectors
• Message-based vectors
• One of the biggest and most successful vectors
• Email, SMS (malicious links/attachments)
• Phishing attacks
• Deliver malware via attachment
• Social engineering attacks (scams)
• Image-based vectors
• Easy to identify text-based, harder to identify threat in an image
• Some image formats can be a threat (SVG, described in XML)
• HTML injection, JavaScript attack code
• Browsers must provide input validation
• File-based vectors
• More than just executables
• Adobe PDF, file format containing other objects
• ZIP/RAR/any compression, obfuscates attack
• Microsoft Office (macros, add-in files)
• Voice call vectors
• Vishing - phone phishing
• Spam over IP - large-scale phone calls over IP
• War dialing - finding unpublished phone numbers to gain access
• Call tampering - disrupting voice calls (DoS)
• Removable device vectors
• Get around firewall - malicious software on a USB stick
• Infecting air-gapped networks, industrial systems, high-security services
• USB devices can act as keyboards (e.g. rubber ducky)
• Data exfiltration - terabytes of data can walk out the door with zero bandwidth
• Vulnerable software vectors
• Client-based - infected executable with known (or unknown) vulnerabilities
• Agentless - no installed executable
• Compromised software on server would affect all users
• Unsupported system vectors
• Patching must be done, but some systems are too old to be patched (EoL)
• A single unsupported system could be an entry for attack
• Unsecure network vectors
• Network connects everything, view all unencrypted data
• Wireless - outdated protocols and open/rogue networks
• Wired - unsecure interfaces, must enable 802.1X
• Bluetooth - reconnaissance, implementation vulnerabilities
• Open service ports
• Most network-based services connect over a TCP or UDP port (open)
• Every open port is an opportunity
• Every application has their own open port
• Firewall rules, limit open port rules
• Default credentials
• Most devices have defaults, absolutely MUST change them immediately
• Supply chain vectors
• Tamper with underlying infrastructure or manufacturing process
• Managed service providers - gives access to many customer networks
• Gain access to a network using a vendor - 2013 Target credit card breach
• Suppliers - counterfeit networking equipment
• Install backdoors, substandard performance and availability
• 2020 - fake Cisco Catalyst switches

Phishing

• Social engineering with a touch of spoofing (email, SMS, etc.)
• Check URL domains and attachments!
• Usually there's something not quite right
• Business email compromise
• Attackers take advantage of the internal network trust
• Spoofed email address, one or two characters changed
• Financial fraud, bank information or wire transfer details
• Links or attachments with malware
• Tricks and misdirection
• Typosquatting - URL hijacking (similar URLs)
• Pretexting - lying to get information, creating a character
• Phishing with different bait
• Vishing (voice phishing) - spoofing caller ID
• Fake security checks or bank updates
• Smishing (SMS phising)
• Commonly a shipment tracking scam (USPS, etc.)
• https://reddit.com/r/Scams

Impersonation

• Attackers pretend to be someone they aren't
• Use some details from reconnaissance, aids in trust
• Attack victim as someone higher in rank
• Throw around technical or personal details
• Eliciting information
• Extracting information, often seen in vishing, well documented
• Identity fraud
• Credit card fraud, your name and credit information
• Bank fraud, loan fraud, government benefits fraud, tax fraud
• Protect against impersonation
• Never volunteer information
• Don't disclose personal details
• Always verify before revealing info

Watering Hole Attacks

• Attacker poisons the "watering hole" and waits for you to visit
• Executing
• Determine the frequented website/service
• Infect one of these third-party sites
• Infect all visitors
• Polish Financial supervision Authority, National Banking and Stock Commission of Mexico, State-owned bank in Uruguay (January 2017)
• Visiting site would download malicious JS files, only to IPs matching targeted financial institutions
• Watching the watering hole
• Security-in-depth (layered defense, even when internal access granted)
• Firewalls and IPS
• Anti-virus/malware signature updates

Other Social Engineering Attacks

• Misinformation/disinformation
• Create confusion and division by disseminating factually incorrect information
• Influence campaigns (political and social issues)
• Nation-state actors
• Enabled through social media and advertising
• The misinformation process
• Brand impersonation - pretend to be a well-known brand
• Create tens of thousands of impersonated sites to get into the Google index
• Malware infection is almost guaranteed

Memory Injections

• Finding malware
• Malware runs in memory
• Memory contains running processes
• DLLs, threads, buffers, etc.
• Malware is hidden somewhere, either runs its own or injects itself into a legitimate process
• Memory injection - adding code into memory of an existing process
• Get access to the data in that process
• DLL injection
• Dynamic-linked library - widely used Windows libraries
• Attackers inject a path to a malicious DLL, very popular

Buffer overflows

• Reference made outside memory buffer, revealing/overwriting existing memory
• Developers need to perform bound checking, large attack surface
• Not a simple exploit, looking for easy and repeatable buffer overflows
• Before overflow:
• After overflow:

Race Conditions

• Two events happening almost simultaneously in a program, can end poorly or lead to vulnerabilities if not handled
• Time-of-check to time-of-use attack (TOCTOU)
• Something might happen between these two moments
• January 2004 - Mars rover "Spirit"
• Reboot when a problem is identified ... problem is within the filesystem
• Error repeats on reboot ... reboot loop ensues
• Fixed by deleting some erroneous software on the flash memory
• Pwn2Own Vancouver 2023
• TOCTOU attack on Tesla Model 3 - against infotainment using Bluetooth
• Elevated to root privileges, earned $100,000 and the Tesla

Malicious Updates

• Update process can be injected with malicious code
• Always, ALWAYS have a good backup
• Install from trusted sources and check signatures
• Downloading and updating
• Confirm the source
• Visit the developer's site directly
• Many OSs will only allow signed apps
• Automatic updates
• Often include security checks / signatures
• Relatively trustworthy, but...
• SolarWinds Orion supply chain attack
• Attackers gained access to development system
• Added their own code and gained access to gov agencies and companies

Operating System Vulnerabilities

• Large target, foundational computing platform
• Remarkably complex, extremely large attack surface
• Patch Tuesday
• 2nd Tuesday of each month
• Microsoft releases windows CVE patches
• June 2024 (49 Microsoft CVEs)
• Best practices
• Always update when available
• Safely and carefully, of course - backup and test in sandboxes

SQL Injection

• Code injection - adding your own information to a data stream
• Side effect of bad program design
• HTML, SQL, XML, LDAP, etc.
• SQL - structured query language, common relational DBMS language
• SQL injection (SQLi) - outside queries can reach internal database and display sensitive information, commonly on a web browser
• Web app security project at https://owasp.org/www-project-webgoat/

Cross-site scripting

• XSS (not to be confused with CSS - Cascading Style Sheets)
• Originally called this because of browser security flaws
• One of the most common web app vulnerabilities - commonly uses JS
• Non-persistent (reflected) XSS attack
• Website allows scripts to run in user input (search boxes, etc.)
• Payload (script) returned as part of the HTML response
• Victim tricked into sending malicious code to vulnerable web app, reflected back to victim's browser
• Persistent (stored) XSS attack
• Attacker posts on social media or elsewhere with link or malicious payload (script)
• Everyone gets the payload, no specific target
• Hackling a Subaru - June 2017, Aaron Guzman
• During authentication w/ Subaru, users get a token that never expires
• Can be used for any service request
• Along with this, Subaru website front-end included an XSS vulnerability
• Protecting against XSS
• Be incredibly careful when clicking untrusted links
• Consider disabling JavaScript
• Keep browser and applications updated
• Validate (clean) input on web apps

Hardware Vulnerabilities

• Surrounded by hardware / embedded systems, some with no accessible OS
• Potential security issues, everything is connected to the network (IoT)
• Firmware - the software inside of the hardware (OS, BIOS, UEFI, etc.)
• Vendors are the only ones who can fix their hardware
• Some don't care as much, take months or even years to supply a patch
• End of life (EOL) - manufacturer stops selling product
• Support may continue, even security patches
• End of service life (EOSL) - no longer selling or supporting (patching) device
• Legacy platforms - older OSs, apps, middleware (?)
• May be running EOL/EOSL software
• May require additional security protections (firewall rules, IPS signatures)

Virtualization Vulnerabilities

• Quantity of resources vary between VMs
• Quite different, but also many similarities to physical machines
• VM escape protection
• VM is self-contained, so no way out... right?
• VM escape - breaking out and interacting with host OS/hardware
• Pwn2Own March 2017
• JS bug in Microsoft Edge --> code execution in Edge sandbox
• Windows 10 kernel bug to compromise guest OS
• Hardware simulation bug in VMWare --> move to other VMs in hypervisor
• Resource reuse
• Hypervisor can be tasked with handing out more memory than is on the hardware, for example
• If software outdated, some memory can be overwritten or read unintentionally and create security risks

Cloud-specific vulnerabilities

• Lots of sensitive data, but 76% of companies are not using MFA and 63% of code is unpatched with a CVSS >= 7.0
• Attack the service
• Denial of Service (DoS or DDoS)
• Authentication bypass
• Directory traversal
• Remote code execution
• Attack the application
• Web app attacks are on the rise (Log4j and Spring Cloud Function)
• Cross-site scripting (XSS)
• Out of bounds (memory) write
• SQL injection

Supply Chain Vulnerabilities

• Only as strong as your weakest link
• Supply chain risks
• Contains many moving parts, large attack surface and lots of room for error
• Raw material, supplier, manufacturer, distributor, customer, consumer
• Service providers
• You can only control your own security posture, but not always a third-party
• Can have access to internal services, so consider ongoing audits for providers
• Target service provider attack - November 2013
• Heating and AC firm in PA had a tech's VPN creds stolen via malware delivered in an email
• Firm was a service provider for Target, network wide open and every cash register was infected
• Months later it was discovered, but 40 million credit cards stolen
• Hardware providers - can you trust your new anything?
• Use a small supplier base
• Strict controls over policies and procedures
• Cisco or not Cisco?
• All network traffic flows through switches and routers
• July 2022 Homeland Security arrests reseller CEO, $1 billion of counterfeit Cisco products creating over 30 different companies since 2013
• Made in China and distributed, started breaking / catching on fire
• Software providers
• Check signatures on initial installation
• Ensure security and authenticity of updates and patches
• Open source isn't immune
• SolarWinds Orion supply chain attack
• Used by 18,000 customers including Fortune 500 and US Gov
• Software updates were compromised from the inside
• Compromise March and June 2020, not found until December 2020

Misconfiguration Vulnerabilities

• Open permissions
• Easy to accidentally leave a door open - June 2017, 14 mil Verizon records exposed because a third-party just left an Amazon S3 data repo sitting open, thankfully it was found by a researcher
• Increasingly common with cloud storage
• Unsecured admin accounts
• Linux root / Windows Administrator
• Can be a misconfiguration or intentional malicious configuration (bad password)
• Disable direct login to the root account (su/sudo, run as Admin)
• Insecure protocols
• Some protocols like Telnet, FTP, SMTP, IMAP send unencrypted traffic
• Verify with a packet capture
• Use encrypted versions like SSH, SFTP, IMAPS, etc.
• DEFCON Wall of Sheep
• Default settings
• Every app, device, etc. has a default login
• Mirai botnet - took advantage of IoT default configs, released as open source software
• Open ports and services
• Often managed with a firewall
• Firewall rulesets can be complex
• Always test and audit

Mobile Device Vulnerabilities

• Challenging to secure - small, in motion, containing sensitive data, connected
• Jailbreaking/rooting
• Purpose-built systems without access to OS, but rooting (Android) and jailbreaking (iOS) can allow OS/hardware access to install new firmware
• Uncontrolled access, mobile device manager (MDM) becomes useless
• Sideloading
• One malicious app can cause a breach
• On most modern phones, all installations are managed by a store
• Sideloading (installing your own software) circumvents this security

Zero-day Vulnerabilities

• Many apps have unfound vulnerabilities, can be found by researchers or attackers
• If first found by attackers, they are zero-day vulnerabilities
• Vendor has no idea the vulnerability exists, no patch
• Zero-day attacks use these exploits
• Common Vulnerabilities and Exposures (CVE)
• April 2023 - Chrome zero-day memory corruption, sandbox escape
• May 2023 - Microsoft zero-day secure boot, UEFI self-signed code
• May 2023 - iOS and iPadOS sandbox escape, info disclosure, code execution

An Overview of Malware

• Malware: malicious software that can gather information, show you advertising, encrypt your data, and overall ruin your day :(
• Malware types and methods
• Virus
• Worm
• Ransomware
• Trojan Horse
• Rootkit, Keylogger, Spyware, Bloatware, Logic bomb, etc.
• How you get malware
• Worm exploits a vulnerability, installs malware with a remote access backdoor
• Your computer must run a program (email links, website pop-ups, drive-by download, and sometimes worms)
• Your data is valuable
• Personal data (pictures, videos, tax documents)
• Organizational data (planning documents, employee PII, financial info)
• Ransomware
• Encrypt all data on computer and request money
• Encrypted with a very strong symmetric or asymmetric key
• Using an untraceable payment method like cryptocurrency (blockchain)
• Protecting against ransomware
• Make backups
• Keep OS and applications up to date
• Keep anti-virus/-malware signatures up to date

Viruses and Worms

• Malware that can reproduce itself
• Reproduces through filesystem or network
• Some cause immediate problems, some are invisible
• Anti-virus is very common, update signatures!!!
• Virus types
• Program viruses
• Boot sector viruses
• Script viruses
• Macro Viruses
• Fileless virus
• Stealth attack, avoids detection
• Operates in memory, never installed
• Worms
• Malware that self-replicates without user interaction
• Can take over systems very quickly
• Firewalls and IDS/IPS can mitigate
• WannaCry

Spyware and Bloatware

• Spyware
• Spies on you for advertising, ID theft, etc.
• Can trick you into installing
• Browser monitoring and keyloggers
• Protecting against spyware
• Maintain anti-virus/-malware (latest signatures)
• Always know what you're installing
• Always have a backup
• Run malware scans
• Bloatware... not really malware though?
• New device has OS necessary apps, but also unnecessary ones
• May use storage and open device to vulnerabilities
• Removing uninstaller
• Use built-in uninstaller
• Some apps have their own uninstaller
• Third-party uninstaller

Other Malware Types

• Keyloggers
• Logins, passwords, emails, etc.
• Keystrokes captured and sent
• Circumvents encryption
• Other data logging: clipboard, screen, instant message
• Logic bomb
• Waits for predefined event
• Time or date, user event
• Difficult to identify and recover
• Preventing a logic bomb
• Formal change control
• Electronic monitoring (IPS/IDS)
• Constant auditing
• Rootkit
• Originally a Unix technique
• Modifies core system files (kernel)
• Can be invisible to OS, has full control
• Finding and removing rootkits
• Look for unusual
• Use a remover specific to rootkit
• Secure boot with UEFI

Physical Attacks

• Old-school security, locks and guards
• If you have physical access to a server, you have full control
• "Door locks keep out the honest people"
• Brute force
• Physical version... lol
• Push through / break obstruction
• RFID cloning
• Access badges, key fobs
• Duplicators are cheap and effectives
• A good reason for MFA
• Environmental attacks
• Attack everything
• Power monitoring
• HVAC and humidity controls
• Fire suppression

Denial of Service

• Force a service to fail by overloading
• Take advantage of design failure or vulnerability
• Cause systems to be unavailable to cause a smoke screen
• "Friendly" DoS
• Layer 2 loop without STP
• Downloading large files over DSL line
• Water line breaks
• Pressing two generic remotes at the same time!
• Distributed Denial of Service (DDoS)
• Launch an army of computers to bring down a service
• Usually assembled via a botnet
• At peak, Zeus infected >3.6 mil PCs
• Asymmetric attack, attacker may have limited resources but inflates them
• DDoS reflection and amplification
• Abuse specific devices/protocols that respond with more data then probed
• DNS amplification (~15 --> ~1300 characters)
• DNS amplification DDoS

DNS Attacks

• DNS poisoning
• Modify DNS server, less common
• Modify client host file (DNS precedent)
• Send a fake response to a valid DNS request
• Domain hijacking
• Get access to domain registration, control where traffic flows
• Brute force, social engineering, etc.
• 8/22/2016, 36 domains of Brazilian bank changed, under control for 6 hours
• URL hijacking
• Sell a domain typo to the legitimate owner and redirect to a website with lots of advertisements, a competitor company, or phishing/malware (typosquatting)

Wireless Attacks

• De-authentication attack (type of DoS)
• 802.11 management frames
• Management features, important for operations
• Original standards did not add protection
• Protecting against de-auth attacks
• IEEE addressed with updates in 802.11ac
• Important management frames encrypted, but not everything
• Radio frequency (RF) jamming
• Denial of service
• Transmit interfering wireless signals, more noise than actual data
• Sometimes not intentional (microwave, fluorescent lights)
• Wireless jamming
• Constant, random, legitimate, reactive (when someone transmits)
• Needs to be somewhere close
• "Fox hunting" -- hunting down a jam

On-path Attack

• AKA Man-in-the-Middle
• Effectively invisible, redirects your traffic
• ARP poisoning
• On-path in local subnet, ARP has no security
• On-path browser attack
• Malware/Trojan on host does the proxy work
• AKA Man-in-the-Browser
• Easy and looks encrypted
• Malware waits for logins and sensitive info

Replay Attacks

• Useful info transmitted over network
• Need access to raw network data
• Gathered info can help "replay" to pretend you're a trusted device
• Pass the hash
• Client logs in to server, send user and hashed password over network
• Attacker captures, replays to gain access to server
• Avoid by using traffic encryption and/or salted hashed (with session ID, etc.)
• Browser cookies and session IDs
• Cookies: info stored by your browser
• Used for tracking, personalization, etc.
• Could be considered a privacy risk, session IDs stored stored
• Session hijacking (Sidejacking)
• Using an intercepted session ID to communicated with server
• Header manipulation
• Gather info via Wireshark, Kismet
• Modify headers (Tamper, Firesheep, Scapy)
• Modify cookies (Cookies Manager+ on Firefox)
• Prevent session hijacking
• Encrypt end-to-end (additional load on web server), force HTTPS/TLS
• Encrypt end-to-somewhere, at least avoid over local wireless network (personal VPN)

Malicious Code

• Exploiting a vulnerability
• Social engineering, default creds, etc. don't require technical skills
• You can still get in by exploiting with malicious code
• Can be executable, script, macro, worm, Trojan
• Can be protected by anti-everything, firewall, patches, etc.
• Examples
• WannaCry ransomware
• Executable exploited vuln in Windows SMBv1
• British Airways XSS
• 22 lines of malicious JS, info stolen
• Estonian Central Health DB
• SQL injection, healthcare info breached

Application Attacks

• Injection attacks
• Add your own info to a data stream
• Enabled because of bad programming
• HTML, SQL, XML, etc.
• Buffer overflow (prev.)
• Replay attack (prev.)
• Privilege escalation
• Gain higher-level access to a system by exploiting a vulnerability
• Higher-level = more capabilities
• High-priority patches
• Horizontal privilege (User A can access B resources) also useful
• CVE-2023-29336
• Mitigating privilege escalation
• Employ patches as soon as possible, carefully of course
• Update anti-everything software and signatures
• Data Execution Prevention (only in executable areas can run)
• Address space layout randomization (prevent buff overflow and known address)
• Cross-site request
• Load info from other websites, HTML directs requests
• The client and the server
• Client side: renders page (HTML, JS)
• Server side: performs requests (HTML, PHP)
• Cross-site request forgery
• One-click attack, session riding (XSRF, CSRF, "sea surf")
• Takes advantage of the trust a web app has for user, requests made w/o knowledge
• Significant development oversight
• Directory traversal
• Read files from web server that are outside of website's file directory
• Web server software of web app code vulnerability
• A "dot dot slash" (../) is an indicator, accessing parent directory

Cryptographic Attacks

• Usually attacker doesn't have the "combination" so they attack the "safe"
• Birthday attack
• In a classroom of 23 students, same birthday 50%
• Digital equivalent is hash collision, find through brute force
• Mitigate with a larger hash
• Collisions
• Hash digests are *supposed* to be unique
• MD5 is very susceptible, no longer used
• Downgrade attack
• Force systems to downgrade security
• SSL stripping
• Combines on-path w/ downgrade
• Browser page un-encrypted (HTTP)

Password Attacks

• Plaintext / unencrypted passwords
• Some apps store passwords without any encryptions -- DON'T DO THIS
• Use more secure software
• Hashing a password
• Hashes represent data as a fixed-length string of text (digest/fingerprint)
• One-way function with (hopefully) no collisions
• Common way to store passwords (common hash is SHA-256)
• The password file -- varies between OSs, different syntax and algorithms
• Spraying attack
• Logging in with incorrect password can cause lockout, so common passwords are tried
• Attack account with top three or so passwords, move on to next if nothing
• No lockouts, alarms, or alerts - mini brute force
• https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
• Brute force - try every combination until hash matches
• Might take some time with strong/slow hash
• Online - keep trying API login, slow, most will lockout
• Offline - obtain users and hashes, calculate and compare, large comp. req.

Indicators of Compromise (IOC)

• An event that indicates an intrusion, high confidence
• Common
• Unusual amount of network activity
• Change to file hashes
• Irregular international traffic
• Changes to DNS data
• Uncommon login patterns
• Spikes of read requests to certain files
• Account lockout
• Credentials are not working, exceeded login attempts
• Could also be administrative disabled, more confident indicator
• Part of a larger plan, could lead to a social engineering attack
• Concurrent session usage
• Cannot be in two places at the same time (duh)
• Look for single account logged in from different locations
• This could also be a remote desktop connection or automated process, however, so it's hard to track
• Blocked content
• Attacker wants to be persistent, block security updates and patches
• IOC could be removed access to security updates
• Impossible travel
• Authentication logs (on/off)
• One login at HQ, another international, huge IOC
• Easy to identify
• Resource consumption
• e.g. unusual bandwidth spikes outside office hours
• Often first notification of real issue
• Resource inaccessibility
• Server is down
• Network disruption, cover for exploit
• Server outage
• Encrypted data (ransomware)
• Brute force attack --> lockout
• Out-of-cycle logging
• Occurs at unexpected time
• Patch logs outside normal time/day
• Firewall log activity (protocols/apps)
• Missing logs
• Log information is evidence, so some during attack might be removed
• Missing logs are also suspicious, IOC
• Published/documented
• Sometimes, attack and exfiltration can go unnoticed
• Only noticed when large data dump is released, obvious IOC

enterprise."

Segmentation and Access Control

• Segmenting the network
• Physical, logical, of virtual (devices, VLANs, virtual networks)
• To get...
• Performance (high-bandwidth apps)
• Security (isolation)
• Compliance
• Access control lists (ACLs)
• Allow or disallow traffic
• Restrict access to network devices
• List the permissions
• User X can access resource Y through port Z
• Many OSs use ACLs for file access
• Application allow/deny list
• Any app can be dangerous, security policy can control app execution
• Allow list - nothing runs unless approved (more restrictive)
• Deny list - everything runs unless disapproved
• Examples
• Decisions are built in to OSs
• Application hash (allow only with unique identifier)
• Certificate (allow digitally signed apps from certain publishers)
• Path (only run apps in these folders)
• Network zone (only run from this zone)

Mitigation Techniques

• Patching
• Incredibly, incredibly important
• Monthly incremental updates
• Third-party updates
• Auto-update (not always the best, patch testing may be necessary)
• Emergency (out-of-band) updates might be necessary
• Encryption
• Prevent access to app data files
• File level encryption (Windows EFS)
• Full disk encryption (FDE) - encrypt everything (BitLocker, etc.)
• Application Data encryption - managed by app
• Monitoring
• Aggregate information from devices, integrated
• Sensors - IPS, firewalls, auth logs, etc.
• Collectors - IPS, firewalls, SIEM tools, etc.
• Principle of Least Privilege
• Rights and permissions set to bare minimum for functionality
• All user accounts must be limited
• Don't allow users to run with admin privileges
• Configuration enforcement
• Perform a posture assessment each time a device connects (latest OS, patch, etc.)
• Systems out of compliance are quarantined
• Decommissioning
• Should be a formal policy, don't throw data into trashed
• Mostly associated with storage devices (HDD, SSD, USB stick, etc.)
• Recycle or destroy (FUBAR)

Hardening Techniques

• System hardening
• Lost of systems, lots of variety
• Updates (system, service packs)
• User accounts (passwords, limitations)
• Network access and security
• Monitor and secure (anti-x)
• Encryption (prev.)
• Encrypt all network communication (VPN)
• The endpoint - individual devices
• The user's access (apps and data)
• Stop the attackers (inbound/outbound)
• Many different platforms
• Protection is multi-faceted, practice defense in depth
• Endpoint detection and response (EDR)
• Detect by signatures, behavioral analysis
• Lightweight agent
• Can investigate and determine root cause of threat
• Respond to threat (isolate, rollback, etc.)
• Driven by API - no intervention required
• Host-based firewall
• Software-based (personal, runs on every endpoint)
• Allow/disallow incoming or outgoing app traffic
• Identify and block unknown processes
• Manage centrally
• Finding intrusions
• Host-based IPS (HIPS)
• Recognize and block known attacks
• Secure OS and app configs
• Built into endpoint protection software
• HIPS identification
• Sigs, heuristics, behavioral
• Buffer overflows, reg updates, writing files to sensitive folders
• Access to non-encrypted data
• Open ports and services
• Every open port is a possible entry point (least privilege, close most)
• Control access with firewall (NGFW ideal)
• Unused or unknown services - be wary
• Applications with broad port ranges (more than 3 or 4) are suspicious
• Use Nmap or similar port scanner
• Default password changes
• All network devices and most apps have a management interface
• Important to change defaults, these are widely available
• Add MFA or third-party auth
• Removal of unnecessary software
• All software contains bugs, some vulnerabilities
• Every application has a different patching process
• Remove all unused software to reduce risk

architecture models."

Cloud Infrastructures

• Cloud responsibility matrix
• IaaS, PaaS, SaaS... who is responsible for security? Should be well documented
• Hybrid considerations
• Hybrid cloud - more than one public or private cloud
• Network protection mismatches - auth, firewall, server settings
• Different security monitoring
• Data leakage
• Third-party vendors in the cloud
• You, the cloud provider, and third parties
• Ongoing vendor risk assessments to maintain posture of third-parties
• Constant monitoring
• Infrastructure as code
• Describe an infrastructure (servers, network, and apps) as code
• Modify infrastructure and create versions
• Use the code as a template to build more instances
• Very important concept for cloud computing
• Serverless architecture
• Function as a Service (FaaS)
• Apps separated into functions
• Remove OS from the equation
• Dev still creates the server-side logic
• May be event-triggered
• Managed by third-party
• Microservices and APIs
• Old: monolithic applications running locally, hard to manage
• New: Application Programming Interfaces, "glue" for the microservices, scalable

Network Infrastructure Concepts

• Physical isolation - devices are physically separate (air gap)
• Must be connected to provide communication
• Different servers on different racks (separate types, customers, etc.)
• Physical segmentation
• Local segmentation with VLANs
• Virtual Local Area Networks, same effect
• Separate logically instead of physically, cannot communicate between without a Layer 3 device (router)
• SDN (Software Defined Networking)
• Networking devices have different functional planes of operation
• Data, control, and management
• Split these into separate logical units (devices)
• Infrastructure/Data plane - network frames and packets
• Control plane - manages actions of data plane (routing, etc.)
• Application/Management Plane - configure and manage devices
• Has major new cloud applications, completely logical networking

Other Infrastructure Concepts

• Cloud vs. on-premise
• Cloud-based - centralized and cheaper
• On-premises - security burden on client, but complete control
• All in all, attackers want your data, they don't care where it is!
• On-premises security
• Pros
• Customize security posture
• On-site IT team can easily manage
• Local team maintains uptime and ability
• Cons
• Security updates may take time
• Centralized vs. decentralized
• Most are physically decentralized
• Difficult to manage
• Centralized approach can consolidate status, logs, maintenance
• Not perfect, single point of failure
• Virtualization
• Run many different operating systems on the same hardware
• Each app instance has its own operating system, adds overhead
• Relatively expensive
• App containerization
• Container - contains everything (code, dependencies), standardized unit of software
• Isolated process in a sandbox, efficient
• Lightweight, uses host kernel
• Secure separation between apps
• Popular software is Docker
• IoT (Internet of Things)
• Sensors, monitors, cameras, smart hubs, watches, phones, thermostats
• Provide automation and flexibility but lots of security flaws
• SCADA / ICS
• Supervisory Control and Data Acquisition System
• Large-scale, multi-site Industrial Control Systems (ICS)
• PC manages equipment
• Distributed control systems - real-time info, sys control
• Requires extensive segmentation
• RTOS (Real-Time Operating System)
• OS with deterministic processing schedule - industrial, military, automotive
• No time to wait for other processes
• Extremely sensitive to security issues
• Embedded systems
• Hardware and software specifically designed for a function / larger system
• Traffic light controllers, digital watches, medical imaging systems
• High availability
• Redundancy - handy, not always available
• HA (high availability) - always on, always available
• May include different components working concurrently
• Almost always higher cost

Infrastructure Considerations

• Availability
• Uptime - access data, complete transactions; foundation of IT security
• Resilience
• How to maintain availability and recover
• MTTR (Mean Time to Repair)
• Cost
• How much money is required
• Ongoing maintenance and taxes, recurring cost
• Responsiveness
• Request info, how quickly is request satisfied
• Important for interactive applications
• Scalability
• How can we increase/decrease capacity
• Elasticity of application/infrastructure
• Ease of deployment
• Many moving parts, how easy can it be employed
• Risk transference
• Transfer risk to a third-party
• Cybersecurity insurance, attacks/downtime covered
• Recover internal losses, protect against legal issues
• Ease of recovery
• Something will always go wrong eventually
• Malware infection - reload OS (hard, time consuming), reload from backup (better, faster)
• Patch availability
• Software (mostly) isn't static
• Must be up to date and update regularly
• Inability to patch - embedded systems, etc.; not designed for end-user updates
• Might require additional security controls
• Power
• Foundational, can require extensive thought and engineering
• Overall requirements (data center vs. office vs. home)
• Primary power and backup power (UPS, generator)
• Compute
• Application's heavy lifting, the compute engine
• Can be single or multiple processors

infrastructure."

Secure Infrastructure

• Device placement
• Firewalls - separate trusted from untrusted
• Other devices may require their own measures (honeypots, load balancers, etc.)
• Security zones
• Separate by use and access
• Each area associated with a zone - trusted/untrusted, internal/external
• Simplifies security policies, traffic from some zones to others allowed, some not\\
• Attack surface
• Any opening that may be on the network
• Code, ports, auth process, human error
• Want to minimize - audit, block ports, monitor traffic
• Connectivity
• Every connected device contributes to security
• Secure physical and logical connections
• Only as strong as the weakest link
• Application/network-level encryption

Intrusion Prevention

• IPS - watch network traffic, detect common/uncommon intrusions, enable preventative measures
• IDS similar, but only alarms - does not stop traffic
• Failure modes
• 100% uptime is a nice though, but not realistic - we need to think about what will happen during the downtime
• Fail-open - when a system fails, data continues to flow
• Fail-close - data stops flowing
• Device connections
• Active monitoring - I(D/P)S connected inline, data blocked in real-time, IPS active
• Could be too aggressive, in link so it can cause downtime
• Passive monitoring - through switch (taps traffic), data not blocked, common

Network Appliances

• Jump server - access secure network zones
• Highly secured device, SSH/Tunnel/VPN for access, significant security concern
• Proxies - sit between users and external network
• Receives requests and sends on proxy's behalf
• Caching, access control, URL filtering
• Explicit proxy - apps know how to use and is apparent
• Transparent proxy - users may not know it's even happening
• Application proxies
• NAT - network level
• Application proxy - ... application level, understands app
• May only know one app, like HTTP proxy
• Many are multipurpose, handle several protocols/apps
• Forward proxy - "internal proxy", used to protect and control user access to the internet
• Reverse proxy - inbound traffic from internet to your internal service (server)
• Open proxy - third-party, uncontrolled proxy
• Can be a significant concern, can circumvent existing controls
• Most times are blocked
• Load balancers - distribute load to multiple services for seamless end-user experience
• Active/active - all servers active, all being used actively
• Configurable load across servers
• TCP offload, SSL offload, caching, prioritization, content switching
• Active/passive - all on, some inactive
• If active server fails, passive takes its place (stand-by)
• Sensors and collectors
• Aggregate information from network devices - built-in sensors, etc.
• Sensors - IPS, firewall logs, auth logs
• Collectors - proprietary consoles, SIEM consoles

Port Security

• Individual services and resources
• Extensible Authentication Protocol (EAP) - an authentication framework
• Manufacturers build their own methods
• EAP integrates with 802.1X, no access until auth succeeds
• IEEE 802.1X - port-based Network Access Control (NAC), ^^^
• Used in conjunction with auth database (LDAP, Kerberos, etc.)
• Supplicant - client, authenticator - access provider, auth server - validator
• Authenticator sits in the middle and forwards messages

Firewall Types

• The universal security control, control flow of network traffic, inbound/outbound
• Network-based firewalls - filter traffic by port number or application
• Most are layer 3 devices (routers)
• NAT functionality, encrypt traffic (VPN), dynamic routing communication
• UTM (Unified Threat Management) /
• All-in-one security appliance, web security gateway
• URL filter, content inspection, malware inspection, spam filter, router, switch, firewall, IDS/IPS, bandwidth shaper, VPN endpoint
• Only operate at layer 4, drawback on performance and single point of failure
• Next-generation firewall (NGFW)
• OSI application layer (layer 7), all data in every packet
• Requires some advanced decodes
• Doesn't just rely on port number
• Can have an IPS, content filtering, etc.
• Web application firewall (WAF)
• Not like a normal firewall, rules for HTTP/S conversations
• Allow or deny based on expected input, identify SQL injections
• Major focus of PCI DSS

Secure Communication

• VPNs (Virtual Private Networks) - encrypted data traversing public network
• Concentrator - en/decryption access device, integrated into firewall
• Many options (cryptography, etc.), used with client software
• Encrypted tunnel
• Add new headers and tailers, "tunneling", decrypt on the other side
• SSL/TLS VPN (Secure Sockets Layer VPN)
• Uses 443, almost no firewall issues
• No big VPN clients
• Authenticate users, can be run from a browser
• On-demand access from a remote device
• Site-to-site IPsec VPN
• Always (or almost always) on
• Firewalls act as VPN concentrators
• SD-WAN (Software Defined WAN)
• WAN built for the cloud
• Cloud-based apps communicate directly from the cloud, no centralization needed
• Secure Access Service Edge (SASE)
• Update secure access for cloud services, securely connect from different locations
• Next generation VPN, security technologies in the cloud
• Selection of effective controls
• VPN - SSL/TLS for user access, IPsec for site-to-site
• SD-WAN - manage network connectivity to cloud, not great for security
• SASE - complete network and security solution, fixes ^^^

Data Types and Classifications

• Types
• Regulated: managed by a third party - government laws and statutes
• Trade secret: organizations' "secret formulas" - often unique
• Intellectual property: publicly visible but copyrighted/trademarked
• Legal information: records, documents, info - contains PII
• Financial information: internal financial details, payment records, payment medium data, etc.
• Human-readable: understandable, clear and obvious
• Non-human-readable: not easily understood, encoded data
• Some are a hybrid (CSV, JSON, etc.)
• Classifying sensitive data
• Different sensitivities require different security and handling
• Stronger network, DMZ, MFA, etc.
• Classifications
• Proprietary: property of an organization
• PII - Personally Identifiable Information: used to identify an individual
• PHI - Protected Health Information: health info used to identify an individual or associated with an individual
• Sensitive: intellectual property, S/PII, PHI
• Confidential: VERY sensitive, approved to view
• Public/Unclassified: no restrictions
• Private/Classified/Restricted: restricted access, may require NDA
• Critical: data that should always be accessible

States of Data

• Data at rest: on a storage device
• Encrypt the data - whole disk, database, file-/folder-level
• Apply permissions
• Data in transit/motion: being transmitted over the network
• Not much protection as it travels
• Network-based protection - firewall, IPS
• Provide transport encryption - TLS, IPsec
• Data in use: actively processing in memory (system RAM, CPU)
• Data is almost always decrypted
• Attackers pick the decrypted information out of RAM
• Target breach November 2013, attackers picked credit card numbers out of point-of-sale RAM
• Data sovereignty: data that resides in a country is subject to the laws of that country
• Laws may prohibit where data is stored
• GDPR - data collected on EU citizens must be stored in the EU
• Compliance laws may prohibit data moving out of the country
• Geolocation: location details
• Many ways to determine - 802.11, mobile providers, GPS
• Can be used to manage access
• Limited administrative tasks unless secure area is used

Protecting Data

• Geographic restrictions
• Network location: IP or subnet, difficult with mobile devices
• Geolocation: GPS, 802.11 wireless, IP address (most to least accurate)
• Geofencing: automatically determine access based on location
• Protecting data
• Primary important job task, but data is everywhere
• Encrypt, employ permissions
• Encryption: encode information into unreadable data
• Two-way: able to convert between one and the other
• Confusion: encrypted data is drastically different than plaintext
• Hashing: represent data as a short string of test (message digest, fingerprint, etc.)
• One-way: impossible to recover original message, used to store passwords
• Verify a downloaded document is the same as the original
• Can be a digital signature (with public-key crypto)
• Will not (usually) have collision
• Obfuscation: make something normally understandable difficult to understand
• Take readable code and turn it into nonsense
• Helps prevent the search for security holes (malware, etc.)
• Not a good technique for securing on-premises data, security-by-obscurity isn't very powerful
• Masking: type of obfuscation, hides some of the original data
• Protects PII and other sensitive data
• Example: showing only last 4 digits of credit/debit card number, replace the rest of asterisks
• May only be hidden from view, could still be in storage
• Tokenization: replace sensitive data with non-sensitive placeholder
• Common with credit card processing
• Not encryption or hashing - original data and token not related mathematically
• Segmentation
• Spread data among many servers/locations, no central point of failure
• Some data should also have stronger security
• Permission restrictions
• Control access to an account
• Auth process then permissions once in account

architecture."

Resiliency

• High availability
• Redundant doesn't always mean available
• HA (high-availability): always on, always available
• Expensive (more systems, upgraded power, etc.)
• Server clustering: combine two or more servers to function as one
• Usually configured in the OS
• Load balancing: load distributed across multiple servers using load balancer
• Distribute from central point
• Adds or removes devices as needed
• Site resiliency
• Recovery site is prepped
• Disaster called, recover site used, problem addressed, back to primary
• Hot site: exact replica of data center
• Update data, software, AND hardware
• Cold site: no hardware, empty building
• Bring your own data and people
• Warm site: just enough to get going
• Big room with rack space, still bring your own stuff
• Geographic dispersion
• Recovery sites should be far enough away to not be affected by similar physical events (eg., natural disaster)
• Platform diversity: use different platforms/apps for different purposes
• Spread the risk - if one vulnerability affects Windows, everything shouldn't shut down because of it
• Multi-cloud systems
• Plan for cloud outages
• Disperse data between multiple geographical sites and multiple cloud providers
• Continuity of operations planning (COOP)
• Have an alternative to all technological systems in case of disaster
• Document and test BEFORE a problem occurs

Capacity Planning

• Match supply to demand
• People - some services require human intervention
• Not easy to add and remove
• Technology - pick tech that can scale
• Web services - distribute load across multiple
• Database services - cluster multiple SQL servers
• Cloud services - (seemingly) unlimited resources (if you pay)
• Infrastructure: the underlying framework
• Physical devices - purchase, configure, install
• Cloud-based - easier to deploy and useful for unexpected changes

Recovery Testing

• Test before an actual event
• Use well-defined rules of engagement, a very specific scenario, and evaluate response
• Tabletop exercises: faux logistics for analysis
• No physical drill or recovery, talk through a simulated disaster
• Fail over test
• Ensure redundant systems switch to backups when a failure occurs
• Simulation: test with a fully simulated event
• Common - phishing simulation (curated emails, etc.)
• Parallel processing: split a process through multiple parallel CPUs
• Improved performance and recovery

Backups

• Incredibly important for resilience and recovery
• Implementations:
• Total data, type, media, storage location, software, time
• Onsite vs. offsite
• Onsite: not internet link, data immediately available, less expensive
• Offsite: transfer over internet or WAN link, available after disaster, performed from anywhere
• Organizations often use both for more options
• Frequency: how often?
• May be different between systems
• May be multiple backup sets
• Encryption
• Backups contain a history of data, makes it easy for an attacker
• Protect using encryption = unreadable, recovery key required to restore
• Useful for cloud backups and storage
• Snapshots: instant backup of entire system
• Popular on virtual machines
• Take snapshot after 24 hours, contains only changes between snapshots
• Recovery testing: simulate disaster, attempt to restore from backup
• Simulate, restore, test restorations
• Replication: keep data synchronized in multiple locations
• Ongoing, (almost) real-time backup
• Always available, stored locally, recoverable
• Journaling: like a data buffer
• When writing, if power goes out, data may be corrupted or only a portion of the data may be saved
• By writing to the journal, you essentially have two copies of the data being stored while it is being written
• Data transfer redundancy!! :)

Power Resiliency

• Power is the foundation of our technology
• We usually don't make our own power - ways to mitigate issues
• UPS (Uninterruptable Power Supply): short-term backup power
• Blackouts, brownouts (partial blackout), power surges
• Types:
• Offline/standby
• Line-interactive
• On-line/double-conversion
• Features
• Auto-shutdown, battery capacity, outlets, phone line suppression, etc.
• Generators: long-term power backup, fuel storage required
• Power an entire building, may take a few minutes to get up to speed

computing resources."

Secure Baselines

• The security of an application should be well defined - everything follows this baseline
• Integrity measurements check for the secure baseline
• Establish baselines
• Security baselines are often available from the manufacturer
• Man OSes have extensive options - Windows has 3,000 group policies
• Deploy baselines
• Usually managed through a centrally administered console
• May require multiple deployment mechanisms, automation is key
• Maintain baselines
• Many are best practices and won't change, but some require constant updates
• New vulnerability, new app, new OS, etc.
• Test and measure to avoid conflicts/contradictions

Hardening Targets

• No system is secure with default configurations!!!
• Hardening guides: specific to software/platform, have best details
• Mobile devices: always connected mobile technologies
• Updates are critical
• Segmentation can protect data (company vs. user data)
• Control with MDM (Mobile Device Manager)
• Workstations: user desktops and laptops
• Need constant monitoring and updates (OSes, apps, etc.)
• Automate monthly patches, probably an existing process
• Remove unnecessary software
• Network infrastructure devices: switches, routers, firewalls, etc.
• Purpose-built - embedded OS and applications
• Configure authentication - DO NOT USE DEFAULTS
• Check with manufacturer for security updates
• Cloud infrastructure
• Use principle of least privilege (services, network settings, etc.)
• Configure Endpoint Detection and Response (EDR) - all devices accessing the cloud should be secure
• Always have backups between different providers (Cloud to Cloud / C2)
• Servers
• Windows, Linux, etc.
• Updates - OS updates / service packs, patches
• User accounts - password policies, account permissions
• Limit network access and employ authentication
• Monitor and secure with anti-virus, -malware, etc.
• SCADA/ICS: industrial and manufacturing equipment
• PC manages equipment
• Power, refining, manufacturing
• Distributed control systems - real time info, system control
• Requires extensive segmentation, no access from outside
• Embedded systems: hardware and software designed for a specific function or operate as par of a larger system
• Can be difficult to upgrade
• Correct vulnerabilities, segment and firewall to prevent access
• RTOS (Real-Time Operating System): deterministic processing schedule
• Industrial equipment, automobiles, military
• Isolate to prevent access
• Run with minimum services
• Use secure communication
• IoT devices: heating and cooling, lighting, home automation, wearables, etc.
• Weak defaults - CHANGE PASSWORDS
• Deploy updates quickly
• Segmentation - put on own LAN/VLAN

Securing Wireless and Mobile

• Site survey: determine the existing the wireless landscape
• Identify existing access points
• Work around existing frequencies
• Plan for ongoing surveys
• Heat maps identify wireless signal strengths
• Wireless survey tools
• Signal coverage, potential interference
• Built-in tools sometimes exist in OSes, also 3rd-party tools
• Spectrum analyzer shows all on particular freq.
• Mobile Device Manager (MDM)
• Manage company-owned and user-owned mobile devices
• Centralized management
• Set policies on apps, data, etc.
• Manage access control
• BYOD (bring your own device/tech)
• Employee owns the device, difficult to secure
• COPE (corporate owned, personally enabled)
• Company buys, used as corporate and personal
• Org. keeps full control, info protected by corp. policies
• CYOD (choose your own device) - choose your COPE
• Cellular networks (for mobile) - 4G LTE, 5G, etc.
• Separate land into "cells" - antenna covers a cell with certain frequencies
• Security concerns - traffic monitoring, location tracking, worldwide access to a mobile device
• Wi-Fi
• Local network access = local problems
• Same security concerns as other Wi-Fi devices
• Data capture - encrypt!
• On-path attack / MITM
• Denial of service
• Bluetooth: PAN (personal area network), high speed comm. over short distances
• Connects our mobile devices
• Do not connect to unknown Bluetooth devices

Wireless Security Settings

• Authenticate users before granting access, ensure all communication is confidential, verify integrity of all communication
• Message Integrity Check (MIC)
• The WPA2 PSK problem: brute force problem
• Listen to four-way handshake, capture hash
• With hash, pre-shared key (PSK) can be brute forced
• Some methods can even derive PSK without the handshake
• Weak PSK is easier to brute force
• Amazing GPUs and cloud-based password cracking
• Once you have PSK, you have everyone's wireless key
• WPA3 and GCMP: Wi-Fi Protected Access 3 (WPA3)
• GCMP block cipher mode (Galois/Counter Mode Protocol)
• Stronger encryption
• Data confidentiality with AES
• MIC with GMAC (Galois Message Authentication Code)
• SAE (Simultaneous Authentication of Equals)
• WPA3 changes the PSK auth process
• Creates a shared session key without sending that key across the network
• Diffie-Hellman derived key exchange with an authentication component
• IEEE standard - the dragonfly handshake
• Wireless authentication methods
• Credentials - shard password / PSK or centralized authentication (802.1X)
• Configuration - part of the connection, prompted during connection process
• Wireless security modes
• Open system - no auth
• WPA3-Personal/-PSK - WPA2 or 3 with a pre-shared key
• WPA3-Enterprise/-802.1X - authenticate users individually w/ server
• AAA framework
• Identification - who do you claim to be (username)
• Authentication - prove you are who you claim to be (password)
• Authorization - what access do you have
• Accounting - what did you use and for how long
• RADIUS (Remote Authentication Dial-in User Service) - common AAA protocol
• Centralized authentication for users (user+pass)
• Routers, switches, firewalls, servers, VPNs, 802.1X networks
• IEEE 802.1X - port-based Network Access Control (NAC)
• Used in conjunction with an access database (RADIUS, LDAP, TACACS+)
• EAP (Extensible Authentication Protocol)
• Many different ways to auth based on RFC standards
• Integrates with 802.1X, prevents access until auth succeeds
• IEEE 802.1X and EAP
• Supplicant - client
• Authenticator - provides access
• Authentication server - validates credentials
• Supplicant talks to authenticator, authenticator talks to server

Application Security

• Secure coding concepts - balance between time and quality
• Quality Assurance (QA) process - you MUST test
• Vulnerabilities will eventually be found and exploited
• Input validation - what is the expected input? Compare
• Document all input methods
• Check and correct all input (normalization)
• Prevent SQL injections!
• Fuzzers (random inputters) will find what you missed
• Secure cookies - info stored on computer by browser
• Used for tracking, personalization, session management
• Secure cookies have secure attribute set (only over HTTPS)
• Sensitive info should NOT be stored in cookies
• Static code analyzers
• Static Application Security Testing (SAST)
• Many vulns found easily with static analysis (buffer overflows, injections, etc.)
• But not everything (auth security, insecure crypto, etc.), don't rely on automatic static analysis
• You still have to verify each finding, some may be false positives
• Code signing
• Verifying application is the original and originated from the correct place
• Application code can be digitally signed by developer, similar to website certificates
• Sandboxing - running the application in a safe test environment
• Limit to fewest resources possible
• Used in many different deployments - VMs, mobile devices, browser iframes, Windows User Account Control (UAC)
• Application security monitoring
• Real-time information about usage, attacks, anomalies, etc.
• View blocked attacks (injections, etc.)
• Audit the logs to find info and hidden attacks

and data asset management."

Asset Management

• Acquisition/procurement process - the purchasing process
• Start with request from user
• Negotiate with suppliers
• Purchase, invoice, and payment
• Assignment/accounting
• Central asset tracking system to keep tabs
• Ownership - associate person with asset
• Classification - type of asset
• Then classify it as hardware or software (taxed differently)
• Hardware = capital expenditure
• Software = operating expenditure
• Monitoring / asset tracking
• Inventory every asset
• Ability to associate support ticket with device make and model
• Enumeration - list all parts of an asset, list as entity
• Add an asset tag - barcode, RFID, tracking number, org. name, etc.
• Media sanitization
• System disposal or decommissioning - completely remove data for security
• Different use cases - clean hard drive, permanently delete single file, etc.
• One-way trip so no recovery with forensics tools
• Reuse the storage media
• Physical destruction - no recovery, no reuse, absolute certainty of destruction
• Shredder/pulverizer - complete destruction
• Drill/hammer - quick and easy
• Electromagnetic (degaussing)
• Incineration - fire :)
• Certificate of destruction - what if you need to destroy in bulk
• Often done by 3rd party, need confirmation for destruction
• Thus, service involves certificate with paper trail of destruction
• Data retention - back up your data!
• Regulatory compliance - certain amount of data backup to comply
• Operational needs - accidental deletion, disaster recovery
• Differentiate by type and application

management."

Vulnerability Scanning

• Minimally invasive, scan for potential of attack
• Port scan, identify systems, test from outside and inside network, gather info
• Static code analyzers (Static Application Security Testing) - prev.
• Dynamic analysis (fuzzing) - send random input to application
• Look for something out of the ordinary
• First: 1988 class project at Univ. Wisconsin, "The Fuzz Generator"
• Fuzzing engines and frameworks
• Very time and resource heavy
• Carnegie Mellon CERT Basic Fuzzing Framework (BFF)
• Package monitoring
• Some apps distributed in a package (especially in Linux)
• Confirm the package is legit - trusted source, no malware, etc.
• Confirm a safe package before deployment

Threat Intelligence

• Always keep up to date with threats and threat actors
• Make security decisions based on this intelligence
• Open-source intelligence (OSINT)
• Publicly available sources on the internet - social media, forums, etc.
• Government data - public hearings, reports, websites, etc.
• Commercial data - maps, financial reports, databases, etc.
• Proprietary / third-party intelligence
• Someone else already compiled threat info, you buy it
• Threat intelligence services - analytics, correlations, threat monitoring
• Information-sharing organizations
• Public threat intelligence - often classified info, compiled publicly
• Private threat intelligence - private companies with extensive resources, additional details
• Cyber Threat Alliance (CTA) - org. of groups that share threat intelligence
• Members upload specifically formatted threat intelligence
• CTA scores and validates across other submissions
• Dark web intelligence
• Dark web - overlay networks that use the internet, requires specific software to access
• Hacking groups and services - extract activities, tools, techniques, etc.
• Monitor dark web forums for intelligence

Penetration Testing

• Simulate an attack on your own systems - like vuln scanning, but you exploit the vulnerabilities
• Often for compliance purposes, done by a third-party
• NIST Technical Guide to Information Security Testing and Assessment
• Rules of engagement - defines purpose and scope of testing
• Type of testing and schedule - on-site vs remote, internal vs external, within or outside working hours, etc.
• Rules - IP ranges, emergency contacts, sensitive info handling, in- and out-of-scope devices/applications
• Exploiting vulnerabilities - try to break into the system
• Be careful, can cause DoS or loss of data
• Try different vulnerabilities - password brute-force, social engineering, database (SQL) injections, buffer overflows, privilege escalation, etc.
• The process
• Initial exploitation - get into the network
• Lateral movement - system to system
• Persistence - make sure you can stay or get a way back in (backdoor, etc.)
• The pivot - gain access to systems normally not accessible
• Use vulnerable system as proxy or relay
• Responsible disclosure program (like CVE db)
• It takes time to fix a vulnerability - software changes, testing, deployment, etc.
• May be a while between disclosure and patching!
• Bug bounty programs - reward for discovering vulnerabilities
• Controlled information release
• Researcher reports vulnerability
• Manufacturer creates a fix
• Vulnerability announced publicly

Analyzing Vulnerabilities

• Dealing with false information
• False positives - vuln identifies that doesn't exist
• Different than low-severity vuln - real but not highest priority
• False negative - vuln exist but goes undetected
• Much worse!
• Update to the latest signatures, work with vuln detection manufacturer
• Prioritizing vulnerabilities - difficult
• Refer to public disclosures and vulnerability databases
• Common Vulnerability Scoring System (CVSS) - quantitative scoring of a vulnerability, 0-10
• Scoring standards change over time, different from CVSS 2.0 to 3.x
• CVE
• Vulns can be cross-referenced
• Common Vulnerabilities and Exposures (CVE)
• National Vulnerability Database - synced with CVE list
• Microsoft Security Bulletins
• Some vulns cannot be definitively identified, check manually
• Vulnerability classification
• Application scans - desktop/mobile apps
• Web application scans - software on a web server
• Network scans - misconfigured firewalls, open ports, vulnerable devices
• Exposure factor - loss of value or business activity if the vuln is exploited
• Small DDoS may limit access to a service - 50%
• Buffer overflow may completely disable a service - 100%
• Consideration when prioritizing
• Environmental variables - what type of environment is associated with this vulnerability?
• Prioritization and patching frequency - isolated test lab vs database server in public cloud, etc.
• Every environment is different!
• Number and types of users (in- vs. external)
• Revenue generating application
• Potential for exploit
• Industry/organizational impact - some exploits have significant consequences
• Tallahassee Memorial HealthCare - Feb 2023 - ransomware
• Diverted emergency cases, surgeries cancelled
• Power utilities - SLC, Utah and LA County, California - March 2019 - DDoS from known unpatched vulnerability
• Risk tolerance - amount of risk acceptable to an organization
• Impractical to remove all risk
• Timing of security patches - patching immediately doesn't allow for testing
• Testing takes time, but you're vulnerable
• Middle ground, may change based on security

Vulnerability Remediation

• Patching - most common mitigation technique
• Scheduled vuln/patch notices - normal, monthly/quarterly
• Unscheduled patches - zero days, often urgent
• Ongoing process, easy way to prevent most exploits
• Insurance - cybersecurity insurance coverage
• Lost revenue, data recovery, phishing, privacy lawsuits
• Doesn't cover everything - intentional acts, funds transfers, etc.
• Ransomware has increased popularity of this
• Segmentation - limit the scope of an exploit by separating devices
• Breach would have limited scope
• Cant patch? Disconnect from the world, air-gap
• Use internal NGFWs - block unwanted/unnecessary traffic between VLANs
• Identify malicious traffic on the inside
• Physical segmentation - separate switches, air-gapped
• Logical segmentation - separate VLANs, cannot communicate b/w without layer 3 device / router
• Compensating controls
• Optimal security methods may not be available, compensate in other ways
• Disable problematic service, revoke app access, limit external access, modify internal controls and firewalls, etc.
• Provide coverage until a patch is deployed
• Exceptions and exemptions
• Removing vuln is optimal, but not everything can be patched
• Provide service but also protect data and systems
• Not all vulns share same severity - local login, physical access, etc.
• Exception may be an option, formally approved for systems and apps
• Validation of remediation - did the patch work?
• Rescanning - vuln scan to verify
• Audit - check systems to ensure
• Verification - manually confirm security
• Reporting
• Ongoing checks required but difficult without automation
• Continuous reporting solves this
• Number of identified vulnerabilities
• Systems patched vs. unpatched
• New threat notifications
• Errors, exceptions, exemptions

Security Monitoring

• Attackers never sleep, must monitor all entry points
• Logins, public services, data storage, remote access
• Monitoring --> reacting to security events
• Roll up into status dashboards
• Monitoring computing resources
• Systems
• Authentication, server monitoring
• Applications
• Availability, data transfers, security notifications
• Infrastructure
• Remote access, firewall/IPS reports
• Log aggregation
• SIEM (Security Information and Event Manager)
• Consolidate logs from different systems --> centralized reporting
• Correlation between diverse systems
• Scanning
• Actively check systems and devices (OS, drivers, applications, anomalies)
• Gather raw details for analysis
• Reporting
• Analyze collected data --> actionable reports
• Status information
• Determine best next steps
• New vulnerability, how many systems are vulnerable
• Ad hoc info summaries -- prepare for the unknown
• Archiving
• Takes on average 9 months to identify and contain a breach
• Having long-term backup strategy is critical
• May even have mandated archiving requirements
• Alerting
• Real-time notification of security events
• Increase in auth errors, large file transfers, etc.
• Actionable data
• Enable quick response and status
• Notification methods
• SMS/text, email, security console
• Alert response and remediation
• Quarantine to prevent spread
• Alert tuning -- prevent false positives and negatives

Security Tools

• Security Content Automation Protocol (SCAP)
• Maintained by NIST, security tools identify and act on same criteria/language
• Using SCAP
• Content can be shared between tools
• Especially useful in large environments
• Enables automation between diverse devices
• Benchmarks
• The bare minimum security settings for an OS, cloud, system, etc.
• https://www.cisecurity.org/cis-benchmarks
• Agents/agent-less
• To check for compliance, must install agent software on device or run on-demand agent-less check
• Agents can provide more detail, but must be maintained
• SIEM
• Log collection and aggregation, long-term storage
• Reporting engine with advances features
• Data correlation and forensic analysis
• Anti-virus and anti-malware
• Identify malicious software
• Pretty much the same thing today
• Data Loss Prevention (DLP)
• Look for and block any data you don't want on your network
• Stop data before attacker gets it
• SNMP (Simple Network Management Protocol)
• Management Information Base (MIB)
• Database contains OIDs (Object Identifiers)
• Request stats from device or poll at fixed intervals to create performance graphs
• SNMP traps
• Setting a threshold of some sort to trigger an alert
• NetFlow
• Gather traffic statistic from all traffic flows
• Standard collection method
• Probe and collector
• Probe watches communications
• Summaries are sent to collector
• Vulnerability scanners
• Minimally invasive, gathers as much info as possible
• Port scan, identify systems
• Test from outside and inside network

security."

Firewalls

• Network-based firewalls
• Filter traffic by port number or application
• Traditional vs. NGFW
• Encrypt traffic with VPN between sites
• Most firewalls can be layer 3 devices (routers)
• Next-generation Firewalls (NGFWs)
• Layer 7 (application) firewall
• Application gateway / stateful multilayer inspection / deep packet inspection
• Requires advanced decodes
• Ports and protocols
• Make forwarding decisions based on protocol and port number
• Based on destination protocols and port
• Firewall security policies
• Firewall rules
• Logical path, top-to-bottom
• Usually includes an implicit deny (if no rules match, deny by default)
• Access Control List (ACL)
• Allow or disallow traffic with groups of categories
• Screened subnet
• An additional layer of security between you and the Internet
• Alternate path for public services
• IPS (Intrusion Prevention System) rules
• Look at traffic as it passes by and look for a signature or anomaly
• You determine what happens when unwanted traffic appears
• Rules can be customized by group

Web Filtering

• Content filtering
• Control traffic based on data within content
• Corporate control of outbound and inbound data
• Control of inappropriate content
• Protection against malware
• URL scanning
• Allow or restrict based on URL/URI, allow list of block list
• Often integrated into an NGFW
• Agent based
• Install client software on the user's device
• Users can be located anywhere
• Updates must be distributed, agents must be maintained
• Proxies
• Sits between users and external network
• Receives requests and sends requests on their behalf
• Useful for caching, access control, URL filtering, content scanning
• Applications may need to know how to use the proxy, some are transparent
• Forward proxy
• Centralized "internal proxy"
• Used to protect and control user access to the internet
• Block rules
• Based on specific URL (or FQDN)
• Can also block based on category
• Reputation
• Filter URLs based on perceived risk, can be a spectrum of categories
• Some sites are scanned and automatically assigned a reputation
• DNS filtering
• Before connecting, perform a DNS lookup
• DNS is updated with real-time threat intelligence
• Harmful sites are not even resolved to an IP address

Operating System Security

• Active Directory
• Database of everything on the network (computers, users, file shares, etc.)
• Primarily Windows-based
• Manages authentication, user login with AD creds
• Centralized access control
• Group policy
• Manage computers or users based on groups
• Central console with login scripts, network configs, security parameters
• Security-Enhanced Linux (SELinux)
• Security patches for the Linux kernel
• Adds Mandatory Access Control (MAC) to Linux (usually Discretionary (DAC))
• Limits app access, least privilege
• Open source, included as option with many distros

Secure Protocols

• Unencrypted network data
• Some protocols aren't encrypted (Telnet, FTP, SMTP, IMAP, HTTP)
• Verify with a packet capture
• Protocol selection
• Use a secure application protocol with built-in encryption
• Port selection
• Secure and insecure application connections may be available
• Example: 80 is HTTP (insecure), 443 is HTTPS (secure)
• Port number does not guarantee security, just convention
• Transport method
• 802.11 wireless -- open means no encryption, WPA2/3 means all data is encrypted
• VPN -- create an encrypted tunnel

Email Security

• Email security challenges
• Protocols used to transfer emails include few security checks
• Spoofing happens all the time
• You can configure email validation
• Mail gateway -- on a screened subnet
• Evaluates source of inbound messages
• Blocks it at gateway before it reaches the user
• Sender Policy Framework (SPF)
• Sender configures a list of all servers authorized to send emails for a domain
• List of auth mail servers are added to a DNS TXT record
• Domain Keys Identified Mail (DKIM)
• Mail server digitally signs all outgoing mail -- DKIM TXT record
• Signature validated by receiving mail servers
• Same process as adding an SPF record
• DMARC (Domain-based Message Authentication, Reporting, and Conformance)
• Extension of SPF and DKIM
• Domain owner decides what receiving email servers should do with emails not validating using SPF and DKIM
• Compliance reports are sent to email administrator
• Added as TXT record like SPF and DKIM

Monitoring Data

• FIM (File Integrity Monitoring)
• Monitor important OS system and app files, identify when changes occur
• Windows -- SFC (System File Checker, built-in)
• Linux -- Tripwire (popular, open-source)
• Many host-based IPS options
• Data Loss Prevention (DLP)
• On your computer -- data in use, endpoint
• On your network -- data in motion
• On your server -- data at rest
• USB blocking
• DLP on a workstation to allow or deny certain tasks
• Cloud-based DLP
• Located between users and internet
• Block custom defined strings
• Manage access to URLs
• Block malware
• DLP and email
• Check every email inbound and outbound
• Inbound -- block keywords, identify impostors, quarantine messages
• Outbound -- fake wire transfers, W-2 transmissions, employee info

Endpoint Security

• The endpoint is the user's access to applications and data
• Edge vs. access control
• Edge is where inside meets outside
• Control at the edge using firewall rules, rarely change
• Access control -- wherever you are
• Can be modified or removed at any time
• Posture assessment
• Look for any part of BYOD (Bring Your Own Device) that may be out of date or insecure
• Good time is first time connecting to network
• Health checks / posture assessment
• Persistent agents -- installed on a system, needs maintenance
• Dissolvable agents -- no installation, runs during assessment and terminates
• Agent-less NAC -- integrated with AD, only runs on login or logout
• Failing your assessment
• Quarantine network, notify administrators
• Once resolved re-check posture
• Endpoint Detection and Response (EDR)
• Along with signature detection, we need behavioral analysis, machine learning, etc. (heuristics)
• Lightweight agent at endpoint
• Takes one step further with root cause analysis
• Response can be completely automated
• Extended Detection and Response (XDR)
• Evolution of EDR -- improved detections, false positives, and investigation times
• Adds network-based detection -- correlates between network and endpoint
• User behavior analytics
• Usually included in XDR, watches to create an activity baseline and identify anomalies
• Real-time heuristic detection of unusual activity

management."

Identity and Access Management (IAM)

• Need to give the right permissions to the right people at the right time
• Identity lifecycle management
• Access control
• Authentication and authorization
• Identity governance
• Provisioning / de-provisioning user accounts
• Starts with creation of account, ends with removal
• Account details -- name, attributes, group perms, etc.
• Permission assignments
• Each entity gets limited permissions -- least privilege
• Storage and files can be private to that user, even on same computer
• No privileged access to operating system
• Identity proofing
• IAM should confirm who I am --> resolution
• Validation -- gather information from the user to confirm
• Verification / attestation -- more specific information for further confirmation
• Single-sign-on (SSO)
• Provide credentials one time, get access to multiple resources
• Usually limited by time
• LDAP (Lightweight Directory Access Protocol)
• For reading and writing directories over IP network, used to update an X.500 directory
• Used in multiple applications (AD, OpenDirectory, etc.)
• X.500 distinguished names
• attribute=value, defines objects
• X.500 Directory Information Tree
• Hierarchical structure -- root, containers, leaves
• Security Assertion Markup Language (SAML)
• Open standard. for authentication and authorization
• Allows authentication through third-party DB
• OAuth
• Auth framework made to work with modern mobile devices
• Created with significant industry support
• *Not an authentication protocol*, OpenID Connect handles SSO auth
• OAuth provides authorization between applications
• Think of google logins, that's OAuth
• Federation
• Provide network access to others, SSO etc.
• Example: logging into GitHub with your Google account
• Interoperability
• Many different ways to communicate with authentication server
• Often determined by what is at hand -- dependent on environment

Access Controls

• Authorization -- ensuring only certain rights are exercised, policy enforcement
• Users receive rights based on Access Control models
• Least privilege
• Rights and permissions should be bare minimum, only what is required
• Mandatory Access Control (MAC)
• OS limits operation on an object
• Every object gets a label, labeling uses predefined rules (made by admin)
• Discretionary Access Control (DAC)
• Used in most OSes, flexible controls but weak security
• User of computer defines security
• Role-based Access Control (RBAC)
• Based on your organizational role, you get rights and permissions from admin
• Think of Windows Groups
• Rule-based Access Control
• Access is determined through system-enforced rules (admins)
• Rules are associated with objects
• Attribute-based Access Control (ABAC)
• Users can have complex relations to apps and data
• Considers many parameters, "next-gen" auth model
• Time-of-day restrictions
• ... self-explanatory

Multifactor Authentication (MFA)

• Prove who you are using at least two different factors
• Something you know, something you have, something you are, some*where* you are
• Something you know
• Password, pin, pattern, etc.
• Something you have
• Smart card, Yubikey, phone, etc.
• Something you are
• Biometrics
• Somewhere you are -- fragile due to VPNs?
• Location-based auth

Password Security

• Make your password strong to resist brute-force attacks
• Goal is to increase entropy, hopefully includes upper and lowercase letters, numbers, special characters
• Password age and expiration
• Password age -- how long since modified
• May expire after certain time, must change, determined by admin
• Password managers
• Store all passwords in encrypted, protected databasse
• Central point of failure, but very strong security
• Passwordless auth
• Many breaches occur due to poor password control
• Often used in conjunction with password, but some (like iPhones) go passwordless
• Just-in-time permissions
• Grant admin access for limited time to solve a particular problem
• User assigned ephemeral credentials to supply access, deleted after session

to secure operations."

Scripting and Automation

• Monitor and resolve problems before they happen, automate and orchestrate
• Save time, enforce baselines, configure infrastructure, etc.
• Automation benefits
• Secure scaling (and security scaling)
• Employee retention (automation is easy)
• Reaction time
• Workforce multiplier
• Cases for automation
• User and resource provisioning
• Guard rails -- keep humans from making mistakes
• Security group management
• Automatic issue escalation
• Controlling services
• Continuous integration and testing
• Integrations and APIs
• Scripting considerations
• Relatively complex
• Takes time and money to create automations
• Could be single point of failure
• Technical debt -- may solve symptoms instead of root of problem

Incident Response

• Security Incidents
• User clicks on email attachment and executes malware
• DDoS attack
• Confidential info stolen (ransomware)
• User installs peer-to-peer software and allows external access to internal servers
• NIST SP 800-61 Computer Security Incident Handling Guide
• Preparation
• Detection and analysis
• Containment, eradication, and recovery,
• Post-incident activity
• Preparing for an incident
• Communication methods
• Incident handling hardware and software
• Incident analysis resources -- docs, network diagrams, baselines, hashes, etc.
• Incident mitigation software
• Policies for incident handling
• The challenge of detection
• Many different detection sources
• If you are on the internet, attacks come all the time
• Incidents are almost always complex
• Analysis
• An incident might occur in the future if you see...
• Fishy web server logs
• Exploit announcements
• Direct threats
• An attack might be underway if you see...
• Buffer overflow attempt
• Anti-virus report about malware
• Host-based monitor detects config change
• Network traffic flows deviate from norm
• Isolation and containment
• Sandboxes -- run malware and analyze results
• Malware might be able to detect isolation
• Recovery after an incident
• Eradicate
• Remove malware
• Disable breached user accounts
• Fix vulnerabilities
• Recover
• Restore from backups
• Rebuild from scratch
• Replace compromised files
• Tighten down perimeter
• Lessons learned
• Post-incident meeting
• Answer the tough questions
• What happened, exactly?
• How did the incident plans work?
• What would we do different -- what indicators did we miss?
• Training for an incident
• Train PRIOR to an incident
• Initial response
• Investigation plans
• Incident reporting

Incident Planning

• Exercising
• Use well-defined rules of engagement -- test systems
• Use very specific scenario
• Evaluate your response -- document and discuss
• Tabletop exercises
• Smaller version of full-scale disaster drill
• Step through processes and procedures, simulated incident
• Simulation
• Example: internal test phishing attack
• Root cause analysis
• Create a set of conclusions regarding the incident
• There can be more than a single root cause
• Could be a user mistake, response to mistake is the difference
• Threat hunting
• Find the attacker's vector before they find it
• Intel is reactive -- sometimes you can't see the attack until it happens

Digital Forensics

• Collect and protect information relating to an intrusion
• RFC 3227: Guidelines for Evidence Collection and Archiving
• Legal hold
• Legal technique to preserve relevant information
• Custodians are instructed to preserve data
• Separate repository for electronically stored information (ESI)
• Chain of custody
• Control evidence -- maintain integrity
• Every who contacts the evidence must be documented (hashes, signatures, etc.)
• Label and catalog everything for ongoing documentation
• Acquisition
• Obtain data from disk, RAM, firmware, OS files, etc.
• Some data might be across multiple systems
• For virtual systems, make a snapshot
• Some might be temporary files
• Reporting
• Document findings for internal use and legal proceedings
• Summary information
• Detailed explanation of data acquisition
• Findings -- analysis of data
• Conclusion -- results and analysis
• Preservation
• Handle the evidence properly -- isolate and protect
• Manage collection process -- work with copies
• Live data collection is an important skill
• Follow best practices to ensure admissibility of data in court
• E-discovery
• Collect, prepare, review, interpret, and produce electronic documents
• Works in conjunction with digital forensics

Log Data

• Security log files
• Detailed security-related info -- traffic flows, exploit attempts, etc.
• Critical security information
• Firewall logs
• All traffic flows through firewall (ideally)
• NGFW -- logs the app used, URL filtering, anomalies, etc.
• Application logs
• Windows Event Viewer
• Linux/macOS -- /var/log
• Parse log details on SIEM
• Endpoint logs
• Logon, policy, system events, processes, account mgmt, directories, etc.
• Everything rolls up into the SIEM
• Use in correlation of security events
• OS-specific security logs
• OS security events
• Find problems before they happen
• Large amount of data -- may require filtering
• IPS/IDS logs
• Usually integrated into an NGFW
• Logs contain information about predefined vulnerabilities
• Use common data points to correlate data
• Network logs
• Switches, routers, APs, VPN concentrators
• Network changes -- routing, auth issues, etc.
• Metadata
• Data describing data
• Example: web browser -- OS, browser type, IP address
• Vulnerability scans
• May identify lacks of security controls on devices
• May identify misconfigurations
• May identify real vulnerabilities
• Automated reports
• Most SIEMs include a report generator
• Has some caveats -- not perfect, may be high compute req.
• Dashboards
• Real-time SIEM status information
• Add or remove information
• Shows most important data
• Packet captures
• Solve complex app issues
• Gather packets on network with something like Wireshark
• View detailed traffic information at packet level

Security Policies

• Security policy guidelines
• To provide CIA
• Need for high level strategies and detailed security goals
• Security policies answer the "what" and "why", not "how"
• Information security policies
• Big list, central resource for processes
• Compliance requirements -- may be mandated
• Answer questions about security of infrastructure
• List of roles and responsibilities
• Up to org to enforce the policy
• Acceptable Use Policies (AUP)
• What users are able to do with the tech provided to them
• Used to limit legal liability
• Business continuity
• Needs to be an alternative to technology processes
• Must be documented and tested before an incident occurs
• Disaster recovery plan
• Formal set of policies, BCP that applies to everyone for a long-term incident
• Comprehensive plan including recovery location, data recovery method, app restoration, IT availability
• Incident response roles
• Incident response team -- specialized group, trained and tested
• IT security management -- corporate support and resources
• Compliance officers
• Technical staff
• User community
• Software development lifecycle (SDLC)
• Ways to get from idea to application
• Popular are agile and waterfall
• Change management -- how to make a change
• One of the most common (and most overlooked) risks
• Have clear policies -- frequency, duration, installation, fallback

Security Standards

• A formal definition for using security technologies and processes
• ISO and NIST provide popular ones
• Password standards
• Defined policy about complexity, storage, manager, etc.
• Access control
• How does an organization control access to data?
• Define which access control types can be used and how a user gets access or gets access removed
• Physical security
• Rules and policies regarding physical security controls
• Granting physical access
• Define specific physical security systems
• Encryption
• Define specific standards for encrypting and securing data
• Methods, techniques, and minimum requirements
• For data in use, in transit, and at rest

Security Procedures

• Recall change management -- formal process for managing change
• Determine scope
• Analyze risk associated
• Create a plan
• Get end-user approval
• Present proposal to change control board
• Have backout/fallback plan
• Document changes
• Onboarding
• Bringing a new person into the organization
• IT agreements need to be signed, may be part of handbook or AUP
• Create accounts
• Provide required IT hardware
• Offboarding
• Process should be pre-planned
• What happens to hardware?
• What happens to data?
• Account info usually deactivated but not deleted
• Playbooks
• Conditional steps to follow for a specific event
• Step-by-step of processes and procedures
• SOAR (Security Orchestration, Automation, and Response)
• Monitoring and revision
• Monitor and revise processes and procedures
• May need to update posture
• Change to individual playbooks or addition of new ones
• New security concerns
• Governance structures
• Boards -- set tasks or requirements for committees
• Committees -- SMEs, consider input from board
• Government entities (public) -- different, legal administrative political
• Centralized vs. decentralized private -- one group vs. individuals or locations

Security Considerations

• Regulatory
• Regulations often mandated -- logging, data storage, data protection and retention, etc.
• Sarbanes-Oxley Act (SOX) -- all financial data protected and available to certain people
• HIPAA -- protected healthcare info
• Legal
• Security breach notifications
• Cloud computing can make things challenging
• Industry
• Electric and public utilities -- isolated and protected systems and controls
• Medical -- needs to be highly available and highly secure
• Geographical security
• Local/regional vs. national vs. global

Data Roles and Responsibilities

• Data owner -- accountable for specific data, often senior officer
• Data controller -- manages how data is used
• Data processor -- uses data
• Data custodian/steward -- responsible for accuracy and privacy of data, access controls

Risk Management

• Identify and manage potential risk
• Performing a risk assessment
• One-time -- acquisition, new installation, new threats
• Continuous -- part of existing process, e.g. change control
• Ad hoc assessments
• Org may not have formal risk assessment process
• Perform assessment when situation requires
• ... how different from one-time assessment?
• Recurring assessments
• Evaluation occurs at standard intervals
• May be internal or external
• Once again ... how different from continuous?

Risk Analysis

• Qualitative risk assessment
• Identify significant risk factors and ask questions about significance
• Use grid to identify factor, impact, occurrence, etc. then overall risk
• Quantitative risk assessment
• ARO (Annualized Rate of Occurrence)
• Asset Value (AV) -- value of asset to organization
• Exposure Factor (EF) -- percentage of value lost on occurrence
• SLE (Single Loss Expectancy) -- monetary loss if a single event occurs
• AV \* EF
• ALE (Annualized Loss Expectancy)
• ARO \* SLE
• Impact
• Life -- most important
• Property -- risk to buildings and assets
• Safety -- dangerous environments
• Finance -- cost
• Likelihood and probability
• Likelihood (qualitative) -- rare, possible, almost certain, etc.
• Probability (quantitative) -- statistical measurement
• Risk appetite and tolerance
• Appetite (qualitative) -- how much risk is acceptable
• Tolerance -- acceptable variance, larger than appetite
• Think of speed limits -- appetite is speed limit, tolerance may be 8-10 over
• Risk register
• Documentation of each individual risk and options or solutions to avoid risk
• Key risk indicators with owners and thresholds

Risk Management Strategies

• Transfer -- move risk to another party
• Accept -- common course
• Accept with *exemption* -- to accept risk, policy must be put aside
• Accept with *exception* -- to accept risk, policy must be altered
• Avoid -- stop participating in high-risk activity
• Mitigate -- decrease risk level
• Risk reporting
• A formal document identifying risks and how to handle them
• Usually created for senior management
• Contains critical and emerging risks

Business Impact Analysis

• Recovery
• Recovery Time Objective (RTO) -- how long to get back up and running
• Recovery Point Objective (RPO) -- amount of recovery where we say we are up and running
• Mean Time to Repair (MTTR) -- average time to fix an issue
• Mean Time Between Failures (MTBF) -- time between outages when using equipment

and management."

Third-party Risk Assessment

• Third-party risk -- important company data is often shared
• Always a good idea to perform an assessment of the third-party vendor's security
• Penetration testing -- simulating an attack
• Compliance mandate, may include legal requirement
• Regular testing by a third-party security vendor is common, specialized and formal
• Rules of engagement
• Defines purpose and scope of test
• Type of testing and schedule
• IP ranges, emergency contacts, handling of sensitive info, in- and out-of-scope devices and apps
• Right-to-audit clauses
• You should hold the right to audit third-party vendors of any type, your security involves their security
• Evidence of internal audits may be required for compliance, perform at regular intervals
• Supply chain analysis
• System involved when creating product -- security risks at each step
• Evaluate coordination, identify improvements, assess systems, document business process changes
• Example: SolarWinds 2020
• Independent assessments -- bring in smart person or team to evaluate security and provide recommendations, SMEs
• Vendor selection process
• Due diligence -- investigation before doing business
• Finances, legal issues, etc.
• Conflict of interest -- compromise of judgement
• Vendor monitoring
• Ongoing management of vendor relationship and security
• Review should occur on a regular basis
• Questionnaires
• A form of due diligence -- ask about processes and security
• Use to update vendor risk analysis

Agreement Types

• Service Level Agreement (SLA) -- minimum terms for services provided
• Memorandum of Understanding (MOU) -- broad goals of accomplishment, intentions
• Memorandum of Agreement (MOA) -- step above MOU, conditional agreement to objectives, no legal enforcement
• Master Service Agreement (MSA) -- legal contract and agreement of terms
• Work Order (WO) / Statement of Work (SOW) -- specific list of items to be completed
• Non-disclosure Agreement (NDA) -- protects confidential information in communication, can be one-way or mutual (unilateral or bilateral)
• Business Partners Agreement (BPA) -- legal contract of formal partnership, ownership and decision making, contingencies

Compliance

• The process of meeting a set of standard, law, or regulations
• Penalties are one of the most important considerations
• Compliance reporting
• Internal -- monitor and report on organizational compliance
• External -- documentation required by regulators, may require annual reporting
• Recall Sarbanes-Oxley Act (SOX) and HIPAA as well as GLBA
• Reputational damage
• Other consequences
• Loss of license
• Contractual impact
• Compliance monitoring -- ensure compliance of day-to-day operations
• Internal and external
• Automation is a must-have for larger organizations

Privacy

• Constantly evolving set of guidelines and regulations -- example: GDPR in EU
• Data subject -- any information relating to an identified or identifiable natural person
• Privacy is ideally defined from perspective of data subject
• Recall data roles and responsibilities
• Data inventory and retention
• Data inventory -- listing of all managed data
• Internal use vs. external use considerations

assessments."

Audits and Assessments

• Cybersecurity audit examines infrastructure, software, devices, etc.
• Checks for effectiveness of policies and procedures
• Finds vulnerabilities before attackers do
• Attestation is an opinion of truth as a result of an audit
• Internal audits
• May answer questions about compliance
• Audit committee -- oversees risk management activities
• External audits
• Often for regulatory requirements
• Examinations requiring hands-on research
• Assessing current activities and providing recommendations for improvement

Penetration Tests

• Physical security is key -- you can easily bypass operating system security
• Offensive (red team) and defensive (blue team) side
• Best option is to integrate these teams together to create an ongoing process
• Working knowledge -- how much do you know about the test
• Known environment -- full disclosure (white box)
• Partially known -- grey box
• Unknown -- black box
• Reconnaissance
• Gathering information before attack
• Understand security posture and network
• Passive reconnaissance -- info from open sources (OSINT)
• Active reconnaissance -- try the doors, examine the network

Security Awareness

• Phishing campaigns -- how many employees would click?
• Users should be able to recognize the indicators of phishing
• Organization should have standard way of reporting
• Anomalous behavior recognition
• Risky behavior -- modifying hosts file, replacing core OS file, etc.
• Unexpected behavior -- logon from foreign country, increase in transfers, etc.
• Unintentional behavior
• Reporting and monitoring
• Track and analyze security awareness metrics
• Initial -- first occurrence is opportunity for training
• Recurring -- identify users in need of extensive training or security
• Development
• Create a security awareness team
• Establish a minimum security level
• Integrate compliance mandates
• Execution
• Create the training materials
• Document success measurements
• Identify stakeholders
• Deploy training materials
• Track user training efforts

User Training

• Before providing network access, train your users
• Specialized training based on employee role
• Also applies to third-parties
• User guidance and training
• Have well-documented and openly available policies
• Improve user situational awareness (phishing, attacks, etc.)
• Insider threat -- difficult to identify and guard against
• Multiple approvals for critical processes
• Password management -- standard complexity requirements, etc.
• Removable media and cables
• Social engineering
• Operational security -- users should interpret security from attacker's perspective
• Special attention to hybrid/remote work environments

Done! :)