Fundamental Security Concepts
1
�2
�•Confidentiality means that information can only be read by people who have been
explicitly authorized to access it.
•Integrity means that the data is stored and transferred as intended, and any modification
is unauthorized unless explicitly authorized through proper channels.
•Availability means that information is readily accessible to those authorized to view or
modify it.
3
�Information security and cybersecurity tasks can be classified as five functions, following
the framework developed by the National Institute of Standards and Technology (NIST)
Identify—develop security policies and capabilities.
Protect—procure/develop, install, operate, and decommission IT hardware and software
assets with security
Detect—perform ongoing, proactive monitoring to ensure that controls are effective and
capable of protecting against new types of threats.
Respond—identify, analyze, contain, and eradicate threats to systems and data security.
Recover—implement cybersecurity resilience to restore systems and data if other controls
are unable to prevent attacks.
4
�Gap Analysis - An analysis that measures the difference between the current and desired
states in order to help assess the scope of work included in a project.
For each section of the framework, a gap analysis report will provide an overall score, a
detailed list of missing or poorly configured controls associated with that section, and
recommendations for remediation.
5
�Modern access control is typically implemented as an identity and access management
(IAM) system. IAM comprises four main processes:
•Identification—creating an account or ID that uniquely represents the user, device, or
process on the network.
•Authentication—proving that a subject is who or what it claims to be when it attempts to
access the resource. An authentication factor determines what sort of credential the
subject can use. For example, people might be authenticated by providing a password; a
computer system could be authenticated using a token such as a digital certificate.
•Authorization—determining what rights subjects should have on each resource, and
enforcing those rights. An authorization model determines how these rights are
granted. For example, in a discretionary model, the object owner can allocate rights. In a
mandatory model, rights are predetermined by system-enforced rules and cannot be
changed by any user within the system.
•Accounting—tracking authorized usage of a resource or use of rights by a subject and
alerting when unauthorized use is detected or attempted.
6
�A security control is designed to give a system or data asset the properties of
confidentiality, integrity, availability, and non-repudiation. Controls can be divided into four
broad categories based on the way the control is implemented:
•Managerial—the control gives oversight of the information system. Examples could
include risk identification or a tool allowing the evaluation and selection of other security
controls.
•Operational—the control is implemented primarily by people. For example, security
guards and training programs are operational controls.
•Technical—the control is implemented as a system (hardware, software, or firmware). For
example, firewalls, antivirus software, and OS access control models are technical controls.
•Physical—controls such as security cameras, alarms, gateways, locks, lighting, and security
guards that deter and detect access to premises and hardware are often placed in a
separate category from technical controls.
7
�•Preventive—the control acts to eliminate or reduce the likelihood that an attack can
succeed. A preventive control operates before an attack can take place. Access control lists
(ACL) configured on firewalls and file system objects are preventive-type technical controls.
Antimalware software acts as a preventive control by blocking malicious processes from
executing.
•Detective—the control may not prevent or deter access, but it will identify and record an
attempted or successful intrusion. A detective control operates during an attack. Logs
provide one of the best examples of detective-type controls.
•Corrective—the control eliminates or reduces the impact of a security policy violation. A
corrective control is used after an attack. A good example is a backup system that restores
data that was damaged during an intrusion. Another example is a patch management
system that eliminates the vulnerability exploited during the attack.
•Directive—the control enforces a rule of behavior, such as a policy, best practice standard,
or standard operating procedure (SOP). For example, an employee's contract will set out
disciplinary procedures or causes for dismissal if they do not comply with policies and
procedures. Training and awareness programs can also be considered as directive controls.
•Deterrent—the control may not physically or logically prevent access, but it
psychologically discourages an attacker from attempting an intrusion. This could include
signs and warnings of legal penalties against trespass or intrusion.
•Compensating—the control is a substitute for a principal control, as recommended by a
8
�security standard, and affords the same (or better) level of protection but uses a different
methodology or technology.
8
�•Directive—the control enforces a rule of behavior, such as a policy, best practice standard,
or standard operating procedure (SOP). For example, an employee's contract will set out
disciplinary procedures or causes for dismissal if they do not comply with policies and
procedures. Training and awareness programs can also be considered as directive controls.
•Deterrent—the control may not physically or logically prevent access, but it
psychologically discourages an attacker from attempting an intrusion. This could include
signs and warnings of legal penalties against trespass or intrusion.
•Compensating—the control is a substitute for a principal control, as recommended by a
security standard, and affords the same (or better) level of protection but uses a different
methodology or technology.
9
�•Overall responsibility for the IT function lies with a Chief Information Officer (CIO). This
role might also have direct responsibility for security. Some organizations will also appoint
a Chief Technology Officer (CTO) , with more specific responsibility for ensuring effective
use of new and emerging IT products and solutions to achieve business goals.
•In larger organizations, internal responsibility for security might be allocated to a
dedicated department, run by a Chief Security Officer (CSO) or Chief Information Security
Officer (CISO).
•Managers may have responsibility for a domain, such as building control, web services, or
accounting.
•Technical and specialist staff have responsibility for implementing, maintaining, and
monitoring the policy. Security might be made of a core competency of systems and
network administrators, or there may be dedicated security administrators. One such job
title is Information Systems Security Officer (ISSO).
10
�IT professionals working in a role with security responsibilities must be competent in a
wide range of disciplines, from network and application design to procurement and human
resources (HR).
11
�The following units are often used to represent the security function within the
organizational hierarchy.
A security operations center (SOC) is a location where security professionals monitor and
protect critical information assets across other business functions, such as finance,
operations, sales/marketing, and so on. Because SOCs can be difficult to establish,
maintain, and finance, they are usually employed by larger corporations, like a government
agency or a healthcare company.
DevSecOps
Network operations and use of cloud computing make ever-increasing use of automation
through software code. Traditionally, software code would be the responsibility of a
programming or development team. Separate development and operations departments or
teams can lead to silos, where each team does not work effectively with the other.
Development and operations (DevOps) is a cultural shift within an organization to
encourage much more collaboration between developers and systems administrators. By
creating a highly orchestrated environment, IT personnel and developers can build, test,
and release software faster and more reliably.
A dedicated computer incident response team (CIRT) /computer security incident
response team (CSIRT)/computer emergency response team (CERT) is a single point of
contact for the notification of security incidents. This function might be handled by the SOC
12
�or it might be established as an independent business unit.
12
�Threat Types
13
�•Vulnerability is a weakness that could be triggered accidentally or exploited intentionally
to cause a security breach. Examples of vulnerabilities include improperly configured or
installed hardware or software, delays in applying and testing software and firmware
patches, poorly designed network architecture, inadequate physical security, insecure
password usage, and design flaws in software or operating systems. Factors such as the
value of the vulnerable asset and the ease of exploiting the fault determine the severity of
vulnerabilities.
•Threat is the potential for someone or something to exploit a vulnerability and breach
security. A threat can have an intentional motivation or be unintentional. The person or
thing that poses the threat is called a threat actor or threat agent. The path or tool used by
a malicious threat actor is a threat vector.
•Risk is the level of hazard posed by vulnerabilities and threats. When a vulnerability is
identified, risk is calculated as the likelihood of it being exploited by a threat actor and the
impact that a successful exploit would have.
14
�Internal/external refers to the degree of access that a threat actor posseses before
initiating an attack. An external threat actor has no account or authorized access to the
target system.
Level of sophistication/capability refers to a threat actor's ability to use advanced exploit
techniques and tools. The least capable threat actor relies on commodity attack tools that
are widely available.
A high level of capability must be supported by resources/funding. Sophisticated threat
actor groups need to be able to acquire resources, such as customized attack tools and
skilled strategists, designers, coders, hackers, and social engineers. The most capable threat
actor groups receive funding from nation-states and organized crime.
15
�Service disruption—prevents an organization from working as it does normally.
Data exfiltration—transfers a copy of some type of valuable information from a computer
or network without authorization.
Disinformation—falsifies some type of trusted resource, such as changing the content of a
website, manipulating search engines to inject fake sites, or using bots to post false
information to social media sites.
Chaotic Motivations
In the early days of the Internet, many service disruption and disinformation attacks were
perpetrated with the simple goal of causing chaos. Hackers might deface websites or
release worms that brought corporate networks to a standstill for no other reason than to
gain credit for the hack.
Blackmail is demanding payment to prevent the release of information.
Extortion is demanding payment to prevent or halt some type of attack.
Fraud is falsifying records. Internal fraud might involve tampering with accounts to
embezzle funds or inventing customer details to launder money.
16
�Hacker describes an individual who has the skills to gain access to computer systems
through unauthorized or unapproved means.
An unskilled attacker is someone who uses hacker tools without necessarily understanding
how they work or having the ability to craft new attacks. Unskilled attacks might have no
specific target or any reasonable goal other than gaining attention or proving technical
abilities.
17
�Most nation-states have developed cybersecurity expertise and will use cyber weapons to
achieve military and commercial goals.
The term advanced persistent threat (APT) was coined to understand the behavior
underpinning modern types of cyber adversaries.
APT An attacker's ability to obtain, maintain, and diversify access to network systems using
exploits and malware.
Nation-state actors have been implicated in many attacks, particularly on energy, health,
and electoral systems.
18
�n many countries, cybercrime has overtaken physical crime in terms of the number of
incidents and losses. Organized crime can operate across the Internet from a different
jurisdiction than its victim, increasing the complexity of prosecution. Criminals will seek any
opportunity for profit, but typical activities are financial fraud—against individuals and
companies—and blackmail/extortion.
19
�An internal threat (or insider threat) arises from an actor identified by the organization and
granted some type of access. Within this group of internal threats, you can distinguish
insiders with permanent privileges, such as employees, from insiders with temporary
privileges, such as contractors and guests.
Shadow IT Computer hardware, software, or services used on a private network without
authorization from the system owner.
20
�The attack surface is all the points at which a malicious threat actor could try to exploit a
vulnerability. Any location or method where a threat actor can interact with a network port,
app, computer, or user is part of a potential attack surface.
A threat vector is the path that a threat actor uses to execute a data exfiltration, service
disruption, or disinformation attack.
21
�Vulnerable software contains a flaw in its code or design that can be exploited to
circumvent access control or to crash the process.
Unsupported systems and applications are a particular reason that vulnerable software will
be exposed as a threat vector.
Client-Based versus Agentless
Scanning software helps organizations to automate the discovery and classification of
software vulnerabilities. These tools can also be used by threat actors as part of
reconnaissance against a target. This scanning software can be implemented as a client-
based agent. The agent runs as a scanning process installed on each host and reports to a
management server.
22
�•Remote means that the vulnerability can be exploited by sending code to the target over a
network and does not depend on an authenticated session with the system to execute.
•Local means that the exploit code must be executed from an authenticated session on the
computer.
•Lack of Confidentiality —threat actors are able to snoop on network traffic and recover
passwords or other sensitive information. These are also described as eavesdropping
attacks .
•Lack of Integrity —threat actors are able to attach unauthorized devices. These could be
used to snoop on traffic or intercept and modify it, run spoofed services and apps, or run
exploit code against other network hosts. These are often described as on-path attacks .
•Lack of Availability —threat actors are able to perform service disruption attacks. These
are also described as denial of service (DoS) attacks .
23
�A lure is something superficially attractive or interesting that causes its target to want it,
even though it may be concealing something dangerous, like a hook. In cybersecurity
terms, when the target opens the file bait, it delivers a malicious payload hook that will
typically give the threat actor control over the system or perform service disruption.
24
�Email—the attacker sends a malicious file attachment via email, or via any other
communications system that allows attachments.
Short Message Service (SMS)—the file or a link to the file is sent to a mobile device using
the text messaging handler built into smartphone firmware and a protocol called Signaling
System 7 (SS7).
Instant Messaging (IM)—there are many replacements for SMS that run on Windows,
Android, or iOS devices. These can support voice and video messaging plus file
attachments.
Web and Social Media—malware may be concealed in files attached to posts or presented
as downloads. An attacker may compromise a site so that it automatically infects
vulnerable browser software (a drive-by download). Social media may also be used more
subtly, such as a disinformation campaign that persuades users to install a "must-have" app
that is actually a Trojan.
25
�A supply chain is the end-to-end process of designing, manufacturing, and distributing
goods and services to a customer. Rather than attack the target directly, a threat actor may
seek ways to infiltrate it via companies in its supply chain.
•Supplier —obtains products directly from a manufacturer to sell in bulk to other
businesses. This type of trade is referred to as business to business (B2B).
•Vendor —obtains products from suppliers to sell to retail businesses (B2B) or directly to
customers (B2C). A vendor might add some level of customization and direct support.
•Business Partner — implies a closer relationship where two companies share quite closely
aligned goals and marketing opportunities.
26
�Social Engineering
27
�Social engineering refers to means of either eliciting information from someone or getting
them to perform some action for the threat actor. It can also be referred to as "hacking the
human.“
28
�Impersonation simply means pretending to be someone else. It is one of the basic social
engineering techniques. Impersonation is possible when the target cannot verify the
attacker's identity easily, such as over the phone or via an email message. A threat actor
will typically use one of two approaches:
•Persuasive/consensus/liking—convince the target that the request is a natural one that
would be impolite or somehow "odd" to refuse.
•Coercion/threat/urgency—intimidate the target with a bogus appeal to authority or
penalty, such as getting fired or not acting quickly enough to prevent some dire outcome.
29
�Phishing is a combination of social engineering and spoofing. It persuades or tricks the
target into interacting with a malicious resource disguised as a trusted one, traditionally
using email as the vector. A phishing message might try to convince the user to perform
some action, such as installing disguised malware or allowing a remote access connection
by the attacker.
Vishing—a phishing attack conducted through a voice channel (telephone or VoIP, for
instance).
SMiShing—a phishing attack that uses simple message service (SMS) text communications
as the vector.
A pharming attack is one that redirects users from a legitimate website to a malicious one.
Rather than using social engineering techniques to trick the user, pharming relies on
corrupting the way the victim's computer performs Internet name resolution so that they
are redirected from the genuine site to the malicious one. For example, if mybank.foo
should point to the IP address 2.2.2.2, a pharming attack would corrupt the name
resolution process to make it point to IP address 6.6.6.6.
30
�Typosquatting means that the threat actor registers a domain name very similar to a real
one, such as exannple.com, hoping that users will not notice the difference and assume
they are browsing a trusted site or receiving email from a known source. These are also
referred to as cousin, lookalike, or doppelganger domains.
Another technique is to register a hijacked subdomain using the primary domain of a
trusted cloud provider, such as onmicrosoft.com. If a phishing message appears to come
from example.onmicrosoft.com, many users will be inclined to trust it.
31
�BUSINESS EMAIL COMPROMISE An impersonation attack in which the attacker gains
control of an employee's account and uses it to convince other employees to perform
fraudulent actions.
Brand impersonation means the threat actor commits resources to accurately duplicate a
company's logos and formatting (fonts, colors, and heading/body paragraph styles) to make
a phishing message or pharming website, a visually compelling fake.
Disinformation/misinformation tactics could be used to create fake social media posts or
referrers (sites that link to the fake site) to boost search ranking.
A watering hole attack relies on a group of targets that use an unsecure third-party
website. For example, staff running an international e-commerce site might use a local
pizza delivery firm. A threat actor might discover this fact through social engineering or
other reconnaissance of the target. An attacker can compromise the pizza delivery firm's
website so that it runs exploit code on visitors. They may be able to infect the computers of
the e-commerce company's employees and penetrate the e-commerce company systems.
32
