Security Operations and Defensive Security Notes

Security Operations

Security operations encompass the activities that protect information systems and data from cyber threats through prevention, detection, and response. Doing this well means combining people, processes, and technologies while aligning with the organization's strategy and culture. Security operations teams implement practices such as incident management, threat intelligence, and risk management to safeguard assets efficiently.

The SOC Team

The Security Operations Center (SOC) team plays a pivotal role in protecting, monitoring, identifying, and eliminating threats within IT systems. SOC analysts conduct frontline incident responses, utilizing tools like a Security Information and Event Management (SIEM) platform, Endpoint Detection and Response (EDR) solutions, antivirus software, and Intrusion Detection Systems (IDS). Analysts respond to both common and anomalous events, including external IPs performing vulnerability scans, login failures, phishing attempts, suspicious network connections, and more.
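Correlation of the login-failure events mentioned above, as an added example that is not part of the original notes: a small Python detector that parses constructed sshd-style log lines (sample data, not a real capture) and flags any source IP with five or more failed logins inside one minute, listing the usernames tried so an analyst can tell single-account brute force from spraying across accounts. The threshold and window values are assumptions, not values from the notes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style) for illustration only; not real data.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd[201]: Failed password for invalid user admin from 203.0.113.7 port 50001
2024-03-01T10:00:03 sshd[202]: Failed password for root from 203.0.113.7 port 50002
2024-03-01T10:00:04 sshd[203]: Failed password for root from 203.0.113.7 port 50003
2024-03-01T10:00:06 sshd[204]: Failed password for invalid user test from 203.0.113.7 port 50004
2024-03-01T10:00:08 sshd[205]: Failed password for oracle from 203.0.113.7 port 50005
2024-03-01T10:00:20 sshd[206]: Accepted password for alice from 198.51.100.10 port 40001
2024-03-01T10:05:00 sshd[207]: Failed password for alice from 198.51.100.10 port 40002
2024-03-01T10:30:00 sshd[208]: Failed password for bob from 198.51.100.10 port 40003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_auth_log(text):
    """Parse each line into (timestamp, result, user, ip); lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Alert on source IPs with >= threshold failed logins inside a sliding time window.
    Assumed defaults: 5 failures within 60 seconds."""
    failures = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                alerts[ip] = {"failures": count,
                              "users": sorted({u for _, u in attempts[start:end + 1]})}
    return alerts
```

In the sample, 203.0.113.7 trips the rule with five failures across four usernames in seven seconds, while the two spaced-out failures from 198.51.100.10 stay below the threshold.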

Defensive Security

Defensive security asks an important question: "How can you defend your organization if you don’t know what to defend?" This requires a comprehensive understanding of the organization’s assets, threats, and vulnerabilities to create effective protective measures.

Security Controls

Security controls come in three categories:

  1. Technical Safeguards

    • Access Control

    • Audit Control

    • Integrity and Authentication

    • Transmission Security

    • Facility Access Control

  2. Administrative Safeguards

    • Security Management Processes

    • Workforce Security

    • Information Access Management

    • Security Awareness Training

  3. Physical Safeguards

    • Workstation Security

    • Device and Media Control

Functions of Security Controls

Security controls are designed with specific functionalities to:

  • Deter: Discourage attacks (e.g., warning messages).

  • Prevent: Stop incidents from occurring (e.g., login facilities).

  • Detect: Identify incidents (e.g., intrusion detection systems).

  • Correct: Restore systems post-incident (e.g., antivirus).

  • Recover: Bring controls back to normal operation (e.g., backup and restore procedures).

Defense in Depth

A defense-in-depth strategy utilizes multiple layers of security to provide comprehensive protection. This approach helps organizations manage vulnerabilities, contain threats, and mitigate risks effectively. If a malicious actor breaches one layer, subsequent layers can potentially thwart their efforts.

Defensive Security Policies

Establishing security policies is vital for protecting sensitive data. Key policies include:

  • Access Rights: Ensuring only authorized users have system access.

  • Acceptable Use Policy (AUP): Outlining acceptable practices for network and resource access.

  • Non-Disclosure Agreements (NDAs): To protect confidential information shared between parties.

  • Service-Level Agreements (SLAs): Defining service commitments between providers and clients.

  • Memorandum of Understanding (MOU): Agreements indicating collaborative intent between organizations.

Compliance and Regulations

As a cybersecurity professional, ensuring compliance with relevant laws is crucial. Failure to comply can result in legal penalties and reputational harm. Notable laws include:

  • Republic Act No. 10173 (Data Privacy Act of 2012): Protects personal data across private and government sectors.

  • Cybercrime Prevention Act (Republic Act No. 10175): Addresses legal issues concerning online activities and interactions.

Regular compliance assessments are needed to maintain adherence and protect customer information.

Understanding Malware

Different types of malware pose distinct threats:

  • Viruses: Executable programs that reproduce through file systems or networks.

  • Ransomware/Crypto-malware: Encrypts files and demands a ransom for decryption.

  • Worms: Malware that self-replicates without user interaction.

  • Trojan Horses: Mimic legitimate programs to gain access to records.

  • Keyloggers: Capture keystrokes to harvest sensitive data.

  • Adware/Spyware: Unwanted programs that display advertisements or collect information without consent.

Key Malware Types

Viruses: These require a program to be executed in order to spread. Common types include:

  • Program Viruses: Embedded in applications.

  • Boot Sector Viruses: Infect the boot sector of storage devices.

    • Script Viruses and Macro Viruses: Target environments such as email clients and office applications.

Protecting Against Ransomware

To protect critical data from ransomware:

  • Maintain up-to-date backups, ideally offline.

  • Ensure operating systems and applications are regularly patched and updated.

  • Utilize robust antivirus and anti-malware solutions.

Other Threats

In addition to malware, organizations must be vigilant against threats like backdoors and keyloggers, which compromise system security.

Adware: Typically displays unsolicited advertisements, and can be bundled with other software, often tricking users into installation.

Tools and Techniques

Key cybersecurity practices and tools include:

  • Regular system updates and patches.

  • Utilizing antivirus software.

  • Email analysis to identify phishing attempts.

  • Conducting vulnerability assessments with tools like Nessus and OpenVAS.

Regular awareness training to identify email phishing and other unusual activities is essential for maintaining network integrity.