Professional Documents
Culture Documents
Concepts
+ Journey into Defensive
Security Security Concepts
+ Understanding the CIA Triad
+ Defense-In-Depth Strategy
+ Understanding Security Tools
+ Importance of Access Control
Course Overview
Models
+ CVSS Terms & Scoring
System
+ Data Visibility
+ 5-tuple Approach
The Importance of Cyber
Security in Today's World
Introduction to Defensive Security Concepts
Cyber Threats Overview
● Financial Losses
○ Regulatory Fines
○ Breach Remediation Costs
○ Loss of Business
● Reputation Damage
○ Loss of Trust
○ Negative Media Attention
○ Damage to Brand Image
Impact of Cyber Attacks on Businesses
● Downtime
○ Disrupted Operations
○ Loss of Productivity:
○ Delayed Service Delivery
Real World Examples of High Profile Cyber Attacks
● Confidentiality
Scenario: A healthcare provider must keep patient records confidential to comply with laws
and maintain trust.
● Integrity
Scenario: A bank must ensure the integrity of transaction data to prevent fraud and maintain
accurate account balances.
● Availability
Scenario: An e-commerce site must ensure high availability, especially during peak shopping
periods, to maintain customer satisfaction and sales.
Balancing the CIA Triad
The three elements of the CIA Triad often need to be balanced according to
the needs of the organization and specific scenarios.
Confidentiality
Availability
Confidentiality
Equifax breach (2017): Sensitive data of over 147 million people were
exposed, violating confidentiality due to poor security measures.
Integrity
Stuxnet (2010): Altered the operation of centrifuges in Iran's nuclear
program, impacting data and process integrity.
Availability
Dyn attack (2016): A massive DDoS attack on the DNS provider Dyn
caused major websites to become unavailable, disrupting the
availability component.
Guiding Cybersecurity Policies with the CIA Triad
The CIA Triad guides organizations in the development and implementation of cybersecurity
policies:
Integrity: Policies related to data validation, error checking, backup and restore
These policies help in preventing, detecting, and responding to cyber threats effectively.
Linking the CIA Triad to Compliance and Regulations
● Principle of Least Privilege: Each user and process should have the
minimum permissions necessary to perform their function.
● Separation of Duties: Divide responsibilities among multiple individuals
or systems to prevent fraud and errors.
● Fail-Safe Defaults: Base access decisions on permission rather than
exclusion.
Case Study of Defense-in-Depth Strategy
● Firewalls
● Intrusion Detection Systems (IDS)/Intrusion Prevention
Systems (IPS)
● Antivirus
● Security Information and Event Management (SIEM)
Role of Security Tools in Cybersecurity
● Regular Auditing
● Update Security Measures
● Incident Response
● Continual Improvement
Role of Security Tools in Cybersecurity
● Proactive Threat
Hunting
● Layered Defense
● Automation
● Compliance
A Detailed Overview of
the Security Toolset
Architecture
Introduction to Security Toolset Architecture
The Importance of Managing Security Tools Effectively
● Automation:
○ Automated responses to common events can
speed up response times and reduce manual
effort. Automated tasks can also be used to
keep security tools up-to-date with the latest
signatures and threat intelligence.
● AI:
○ Machine learning can be used to correlate
events across different tools and identify
unusual patterns that may indicate a threat.
○ AI can also be used to identify and respond to
threats in real time.
Role of Automation and AI in Coordinating Tools
Cybersecurity tools are designed to serve specific functions, and they can
achieve more when working together.
● Central management:
Unified security view, policy
standardization, efficient
incident response.
● SIEM reporting: Real-time
alerts, trend analysis, assists
in compliance reporting.
● Importance of visibility:
Centralized management
aids in efficient threat
detection and understanding
security posture.
The Need for Scalability and Flexibility in Security Toolset Architecture
Cloud Security Tools: Offer scalability and flexibility but introduce new
security considerations.
Strategies for Effective Integration of Security Tools
regular audits.
● IAM systems manage the identities of users, their roles, and their access
rights.
● They can automate many aspects of access control, such as provisioning
new users, de-provisioning users who leave the organization, and
managing access rights.
● IAM systems can also provide a central place to audit and review access
rights.
Importance of Regular Audits and Reviews
● A CVSS score is calculated by first determining the Base Score using the
Exploitability and Impact metrics.
● The Temporal Score is then calculated by multiplying the Base Score by
the values for the Exploitability, Remediation Level, and Report
Confidence metrics.
● The Environmental Score is calculated by adjusting the Temporal score
based on the modified impact and exploitability metrics specific to the
user's environment.
● A CVSS score is calculated by first determining the Base Score using the
Exploitability and Impact metrics.
● Data visibility refers to the ability to track and analyze all data moving
through an organization's network.
● Helps identify patterns and anomalies that might indicate a cyber threat.
● Enables proactive cybersecurity by identifying potential issues before
they become threats.
● Example: A sudden increase in data transfer could be an indicator of a
data breach in progress.
Role of Data Visibility in Threat Detection and Incident Response
● Data analysis helps identify patterns and anomalies that might signal
security issues.
● Visualization tools turn raw data into visual reports, aiding
understanding and decision-making.
● Both provide context, making threat detection more accurate and
efficient.
● Example: A visual dashboard of data traffic can help quickly spot sudden
spikes in network activity.
Importance of Well-defined Data Policies and Practices
● Compliance: Clear data policies help organizations comply with data protection
regulations and industry standards, reducing the risk of non-compliance penalties.
● Access Control: Policies specify who can access, modify, or share data, contributing
to controlled data flows and better visibility into user actions.
● Data Retention: Defined retention policies ensure data is retained for the necessary
time, improving historical data visibility.
The Role of Machine Learning in Data Analysis
● Benefits:
○ Provides a concise and comprehensive representation of network
communication flows.
○ Enables efficient analysis and classification of network traffic.
○ Facilitates the identification of patterns and anomalies for detecting security
threats.
● Limitations:
○ Limited visibility into the payload or content of network traffic.
○ Inability to provide context-specific information about the purpose or nature
of communication.
○ Requires additional methods or tools to analyze encrypted or encapsulated
traffic.
Using the 5-tuple
Approach
5-tuple Approach to Isolate a Compromised Host
Practical Steps to Use 5-tuple Data in Incident Response
● Collect and analyze 5-tuple data from network devices, firewalls, and
IDS/IPS systems.
● Identify the compromised host by examining the source and destination
IP addresses, ports, and protocols involved in the suspicious network
traffic.
● Isolate the compromised host from the network to prevent further
damage and potential lateral movement.
● Preserve the 5-tuple data as evidence for further investigation and
analysis.
Case Study of a Breach Investigation Using the 5-tuple Approach
Rule-based Detection Identifying known malware known virus signature and quarantining
transfers
between hosts
Tools and Technologies That Use These Methods
● Rule-based Detection:
○ Strengths: Effective in identifying known threats and specific patterns.
○ Weaknesses: Limited in detecting unknown or zero-day attacks.
● Behavioral Detection:
○ Strengths: Capable of detecting abnormal behaviors and insider threats.
○ Weaknesses: May generate false positives or miss sophisticated attacks.
● Statistical Detection:
○ Strengths: Able to identify anomalies and unknown threats.
○ Weaknesses: Requires historical data for accurate baseline creation.
Situations Where Each Method is Most Effective
● Rule-based Detection:
○ Use Cases: Ideal for detecting known malware, phishing attempts, or specific
attack patterns.
● Behavioral Detection:
○ Use Cases: Effective in identifying insider threats, zero-day attacks, or
abnormal system behaviors.
● Statistical Detection:
○ Use Cases: Suitable for detecting anomalies in network traffic, identifying
new or unknown threats.
How To Use These Methods
in a Complementary Manner for Enhanced Security