Confidentiality
Protect info from unauthorized access, whether intentional or accidental.
Integrity
Ensure that info is authentic and unedited, and the source is genuine.
Availability
Ensure the info is accessible by authorized users.
Intentional Actors
Attackers who want to access information. A person, group, or entity (state actor)
Unintentional Actors
Bugs in the OS and software or mistakes made by administrators.
Local Threat
A disgruntled or untrained employee
Remote Threat
A hacker from across the globe (State actors, hacking groups)
Risk assessment
Determine applicable threats both local and remote, effectiveness of current security controls, and security posture.
Steps to build a secure server
Plan the installation of the OS; install, configure, and secure the OS; install, configure, and secure the server software; ensure content is properly secured; employ appropriate network protection mechanisms; and finally, employ secure administration and maintenance processes.
Simplicity
Security mechanisms should be as simple as possible, since complexity is at the root of many issues.
Fail-Safe
The system should fail in a secure manner.
Backups
Critical data should be maintained in the event of catastrophic system failure.
Separation of Privilege
Functions, to the degree possible, should use ___________ and provide as much granularity as possible.
Least Privilege
This principle dictates that each task, process, or user is granted the minimum rights required to perform its job.
User Education
This can be provided through training and education; ______ should understand the necessity of security.
Defense-in-Depth
A single security mechanism is generally insufficient; mechanisms need to be layered to prevent compromise.
Work Factor
Understand what it takes to break the system or network’s security features.
Maintain logs
Records should be maintained so that if a compromise does occur, evidence of the attack is available to the organization.
Application security
The process of developing, testing, and adding security features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification.
Authentication
Ensure that a user is who they say they are.
Authorization
The system can validate that a user has permission to access the application by comparing the user’s identity with a list of authorized users.
Accounting
Logging can help identify who got access to the data and how.
Encryption
Other security measures can protect sensitive data from being seen or even used by a cybercriminal.
Application security controls
Techniques to enhance the security of an application at the coding level, making it less vulnerable to threats.
Static testing
Analyzes code at fixed points during its development.
Dynamic testing
Analyzes running code while simulating outside, or “black box,” attacks.
Interactive testing
Combines elements of both static and dynamic testing.
Mobile testing
Designed specifically for mobile environments; examines how an attacker can leverage the mobile OS and the apps running on it, in its entirety.
Security Training for Developers
It is critical that developers receive proper security training, tailored to the specific needs of their role.
Adopt a DevSecOps approach
The shift-left approach aims to detect security holes from day one, preventing security issues in the first place and resolving them as quickly as possible if they do arise.
Automate
It is virtually impossible to mitigate the endless number of vulnerabilities that exist using a manual approach; automation is critical in order to allow teams to focus on more challenging undertakings.
Update and Patch Regularly
Installing software updates and patches is one of the most effective ways to keep your software secure.
Encrypt your data
Encryption of both data at rest and data in transit is key, using SSL/TLS with a current certificate.
Use Pen-testing
An ethical hacker attempts to break into the application in order to detect vulnerabilities and find potential attack vectors, with the aim of protecting the system from a real attack.
“Session”
Refers to a connection for ongoing data exchange between two parties (client and server).
Session management functions
Establishing and keeping alive the communication links for the duration of the session, keeping the communication secure, synchronizing the dialogue between the two nodes, determining whether communication has stopped, and deciding whether to restart the transmission or terminate the communication.
Session ID
A unique identifier assigned for tracking a customer accessing an organization’s website.
Session Hijacking
If a hacker obtains a customer’s session ID info, the attacker is able to manipulate the active sessions.
OWASP (Open Web Application Security)
Considers the improper implementation of authorization/authentication as the second biggest risk to application security.
Authentication tokens
These are frequently sent over the network and are vulnerable to man-in-the-middle, XSS, XSRF, brute force, and social engineering attacks.
Man in the Middle Attacks (MITM)
Someone intercepting data being sent between two parties.
XSS (Cross-Site Scripting)
An attacker can maliciously inject JavaScript into an application running in the victim’s browser. Prevented easily by using input validation as well as secure cookies.
XSRF (Cross-Site Request Forgery)
Allows an attacker to piggyback on an existing active session. The goal is to submit a fake request and get you to click on it. Prevention typically requires the use of an anti-______ token.
Brute Force Attack
Incessantly guessing auth tokens until one of the attempts proves successful.
Physical Access
An attacker with _______ to a victim’s device can steal auth tokens in multiple ways.
Secure Sockets Layer (SSL)
Provided an encrypted communication method for TCP connections, especially HTTP. Replaced by TLS.
Transport Layer Security (TLS)
A widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. Encrypts the communication between web applications and servers, etc…
Components of TLS
Encryption, Authentication, and Integrity
TLS certificate
Contains important information about who owns the domain, along with the server’s public key, both of which are important for validating the server’s identity.
TLS handshake
Specifies which version of TLS to use, decides on which cipher suites to use, authenticates the identity of the server using the server’s TLS certificate, and generates session keys for encrypting messages between the two parties after the handshake is complete.
Cipher suite
A set of algorithms that specifies details such as which shared encryption keys, or session keys, will be used for that particular session.
System Boundary
The point where data transfers from the intranet to the internet and vice versa.
Fuzzing
A type of application security testing where developers test the results of unexpected values or inputs to discover which ones cause the application to act in an unexpected way that might open a security hole.
Boundary Protection
The monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communication. Achieved through gateways, routers, firewalls, guards, and encrypted tunnels.
Control objectives
Statements of the desired result or purpose to be achieved by implementing said control.
Demilitarized zone (DMZ)
A physical or logical subnet that separates an internal network from the internet.
Boundary Interaction Best Practices
Scan for unauthorized connections; deny communications with malicious IPs; allow no unauthorized ports; configure monitoring systems to record packets; use IDS sensors; use network-based intrusion prevention; use NetFlow collection; use application-layer filtering proxy servers; decrypt network traffic at the proxy; require all remote logins to use multi-factor authentication; and manage all devices that remotely log into internal networks.
Firewalls
A software or hardware-based network security system controlling incoming and outgoing network traffic.
Packet Filtering
A technique used to control network access by monitoring outgoing and incoming packets and either allowing or blocking them. Accomplished by implementing Access Control Lists.
Proxy
A network device or software acting on behalf of clients to retrieve requested content from the internet.
Web Proxy
A proxy dedicated solely to web traffic.
Network Address Translation (NAT)
An internet standard that enables a local area network to use one set of IP addresses for internal traffic and a second set for external traffic.
Intrusion Detection System (IDS)
A system that scans, audits, and monitors the security infrastructure for signs of attacks in progress. It is passive but can still identify malicious activity and provide evidence to inform us of an attack.
IDS functions
Recognition of patterns associated with known attacks, statistical analysis of abnormal traffic patterns, assessment and integrity checks of defined files, monitoring and analysis of user and system activity, network traffic analysis, and even log analysis.
IDS sensors
Installed on a dedicated device or on devices already present on a network. Can analyze every packet traversing the network. Tie into a centralized command console that monitors them and generates alerts.
Air Force Enterprise Configuration Management Office (AFECMO)
Creates pre-configured operating system images that are compliant with all applicable TCNOs and STIGs. Performs SDC/SSC testing and risk analysis on TCNOs/IAVMs published to the AFCYBER Readiness Center site.
690 Network Support Squadron (NSS)/AMAC
Will direct NOSs, base NCCs/CFPs, and PMOs through the Acknowledgement Compliance Tool (ACT) to implement Normal vulnerability remediation actions. Authorizes NOS personnel to test software and OS updates along with the associated Remedy CRQ ticket for the TCNO with relevant changes, and confirms via the software dashboard. Normal = 11 days.
Network Operations Squadron (NOS)/Cyberspace Operations Squadron (COS)/Vulnerability Remediation Operator (VRO)
Execute vulnerability remediation to reduce AFIN risk through the implementation of approved countermeasures.
NOS, COS, and VRO countermeasures
Configuration changes to systems, installation of patches, removal of non-approved software, searching for malicious files, upgrades of applications, reinstallation of OSs, and correction of system configurations against STIGs.
NOS
Responsible for patching vulnerabilities on servers, network infrastructure, boundary devices, and all other IP-capable assets within their respective AOR, utilizing both enterprise automated tools and manual processes.
VROs
Create patch packages for all vulnerabilities impacting the preponderance of the AFIN to be deployed using enterprise remediation capabilities.
Mandatory Deployments
Target all machines that require an update, are not a part of an exemption, and are not designated a PMO/Medical. A deadline of one day.
Available Deployments
Target all systems, unless stated otherwise by the tasking authority.
Cookies
Used to store details about the session, which may present a security risk.
Program Management Office (PMO)
Responsible for remediating assets that are supported by a weapons system. Coordinate vulnerability remediation on servers within their respective AORs with NOSs until acceptable compliance levels are achieved.
Command Cyber Readiness Inspection (CCRI)
DISA-led formal inspection designed to increase accountability and the security posture of DoD Information Networks according to DoD standards.
CCRI process
Typically every 3 years. The inspection culminates in a week-long visit by a DISA inspection team, who perform a deep dive into the installation’s cybersecurity posture.
CCRI Graded Areas: Contributing Factors
Contributing Factors: Culture, Capability, and Conduct
CCRI Culture
Command leadership engagement in the cybersecurity program, awareness and implementation of STIG requirements, authority to operate, plan of action & milestones, and program-managed system baselines.
CCRI Capability
Computer cyber security server provider (CCSP) alignment, external NIDS-CCSP monitoring, internal NIDS-CCSP monitoring, local incident handling, and continuity of operations plan (COOP).
CCRI Conduct
IA workforce-DoD 8570 Training, configuration management processes, and comprehensive vulnerability management program.
CCRI graded areas: endpoint security
ESS is a suite of centrally managed DCO tools that provide a means for the denial of adversary actions.
CCRI graded areas: site vulnerability scan
DISA calculates the score, or vulnerability index (VI) based on the total number of systems, the number of vulnerabilities on each system, and the level of severity of those vulnerabilities. No concern → Minor concern → Minimal concern → Moderate concern → Critical concern.
CCRI graded areas: STIGS
DISA checks to see whether or not the base is aware of and implementing STIG requirements. Also evaluates how well STIGs are implemented.
Assessment & Authorizations (A&A) requirements
Utilizes the Risk Management Framework (RMF) process to submit a complete and accurate security plan.
Risk Management Framework (RMF)
Prepare, Categorize, Assess, Authorize, and Monitor are parts of what?
Vulnerability Assessment Tools (VATS)
Software packages used on information systems or networks to scan looking for weaknesses like open port exploitations, weak passwords, and security configuration errors leading to potential misuse and abuse.
Vulnerability Management System (VMS)
A DoD information system used to record, track, and disseminate critical vulnerability information throughout the DoD Enterprise network.
Assured Compliance Assessment Solution (ACAS)
Automatically identifies configuration vulnerabilities threatening the security of the DoD’s computer systems. Enhances the availability and security of the DoD Information Network (DoDIN) by ensuring adherence to Information Assurance (IA) and Network Operations (NetOps) policies.
Security Center
Single console access used by ACAS for managing Nessus scans at the enterprise network level. Provides real-time detection of network anomalies and is scalable.
Nessus
A comprehensive vulnerability scanner. It performs configuration scans of servers, network devices and databases to test for specific policy settings and can check internal security policy compliance.
Passive Vulnerability Scanner (PVS)
Monitors the network in real time, continuously looking for new hosts, applications, and new vulnerabilities without the need for active scanning.
Microsoft Enterprise Configuration Manager (MECM)
Designed to support a faster pace of system updating and patch management for our network connected Windows devices.
Host assessment
The assessment of critical servers, which may be vulnerable to attacks if not adequately tested or not generated from a tested machine image.
Network and wireless assessment
The assessment of policies and practices to prevent unauthorized access to private or public networks and network-accessible resources.
Database assessment
The assessment of databases or big data systems for vulnerabilities and misconfigurations, identifying rogue databases or insecure dev/test environments, and classifying sensitive data across an organization’s infrastructure.
Applications scans
The identification of security vulnerabilities in web applications and their source code by automated scans on the front end or static/dynamic analysis of source code.
Vulnerability assessment scanning process
Four steps: vulnerability identification, analysis, assessment, and remediation.
DISA Security Technical Implementation Guides (STIGs)
The configuration standards for DoD IA and IA-enabled devices/systems. Describe how to minimize network-based attacks and prevent system access when the attacker is interfacing with the system, either physically at the machine or over a network.
SRG-STIG Library Compilation
Compilations of STIGs and SRGs.