Endpoint Security, Threat Intelligence, Authentication, Access Control, Incident Response, and Cloud Computing

Securing Endpoints

  • Confirming secure computer startup.
  • Protecting from attacks.
  • Hardening for increased protection.

Threat Intelligence Sources

  • Key Risk Indicators (KRIs): Metrics that define the upper and lower bounds of normal network activity; a reading outside those bounds is a signal to investigate.
  • Indicator of Compromise (IOC): Evidence (an IP address, domain, file hash, registry key, etc.) that a compromise has occurred or is in progress; the goal is to catch it early in the attack.
  • Two categories:
    • Open Source Intelligence (OSINT): Freely available information.
    • Cyber Information Sharing and Collaboration Program (CISCP): Enables information exchange through partnerships.
      • Services: Analyst exchanges, analytical products, cross-industry coordination, digital malware analysis.
  • Concerns around public information sharing:
    • Privacy: Avoiding sharing proprietary information.
    • Speed: Automated Indicator Sharing (AIS) exchanges cyberthreat indicators machine-to-machine in near real time instead of by manual reports.
      • Standards: Structured Threat Information Expression (STIX) is the data format for describing threats and indicators; Trusted Automated Exchange of Intelligence Information (TAXII) is the transport protocol that carries STIX content between participants.
  • Vulnerability database: Repository of known vulnerabilities and exploitation info.
  • Threat maps: Cyberthreats overlaid on geographical representations.
  • File and code repositories: Where malicious files are uploaded for examination.
  • Dark web: Used to find signs of critical information being sought or sold.
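To make the AIS/STIX/IOC bullets concrete, the following is an added example (not part of the original notes, and not code from any STIX or TAXII project) that embeds a constructed STIX 2.1 Indicator bundle, pulls the IOC literals out of its pattern, and sweeps some constructed proxy/DNS log lines for them. It supports only the simple "[type:property = 'literal']" comparison form of a STIX pattern; a real deployment would fetch the bundle over TAXII and use a full pattern engine. The IDs, IP (from the 198.51.100.0/24 documentation range), domain and log lines are all made up for the example.

```python
import re

# Constructed STIX 2.1 bundle for this example: the ids, IP and domain are not real intel.
# In production this would arrive over a TAXII collection; here it is embedded inline.
STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--6a1c0c2e-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6a1c0c2e-0000-4000-8000-000000000002",
            "created": "2024-01-01T00:00:00.000Z",
            "modified": "2024-01-01T00:00:00.000Z",
            "name": "Constructed example C2 infrastructure",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.7'] OR [domain-name:value = 'c2.example.invalid']",
            "valid_from": "2024-01-01T00:00:00Z",
        }
    ],
}

# Only the "[object-type:property = 'literal']" comparison form is handled here.
_COMPARISON = re.compile(r"\[([\w-]+):([\w.]+)\s*=\s*'([^']+)'\]")


def extract_iocs(bundle):
    """Return {(object_type, literal), ...} from every STIX-pattern indicator in the bundle."""
    iocs = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for obj_type, _prop, literal in _COMPARISON.findall(obj["pattern"]):
            iocs.add((obj_type, literal))
    return iocs


def match_logs(iocs, log_lines):
    """Flag log lines containing an IOC as a whole token (so 198.51.100.7 does not hit 198.51.100.70).

    Returns [(line_no, object_type, literal), ...] in deterministic order."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for obj_type, literal in sorted(iocs):
            # Disallow a word/dot character on either side so the match is the exact token.
            if re.search(r"(?<![\w.])" + re.escape(literal) + r"(?![\w.])", line):
                hits.append((line_no, obj_type, literal))
    return hits


# Constructed proxy/DNS log lines, not real traffic.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z proxy src=10.0.0.12 dst=203.0.113.5 host=cdn.example.com status=200",
    "2024-03-01T10:00:05Z dns client=10.0.0.12 query=c2.example.invalid type=A",
    "2024-03-01T10:00:06Z proxy src=10.0.0.12 dst=198.51.100.7 host=c2.example.invalid status=200",
    "2024-03-01T10:00:07Z proxy src=10.0.0.13 dst=198.51.100.70 host=other.example.com status=200",
]

if __name__ == "__main__":
    for hit in match_logs(extract_iocs(STIX_BUNDLE), SAMPLE_LOGS):
        print("IOC hit on log line %d: %s %s" % hit)
```

The last sample line is there to show why the token-boundary check matters: a plain substring test would report 198.51.100.70 as a hit on the 198.51.100.7 indicator and generate a false positive.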

Authentication Methods

  • Something you know: Passwords.
  • Something you are: Biometrics (voice, face recognition).
  • Something you have: Smart card, hardware security key, or a one-time code from a phone or token.
  • Multifactor authentication (MFA): Combining two or more different factor types (e.g., password plus security key); two factors of the same type, such as a password and a PIN, is not MFA.
  • Single Sign-On (SSO): Uses one credential for multiple accounts.
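As an added example (not part of the original notes), the following Python combines "something you know" with "something you have": a PBKDF2 password check plus an RFC 6238 TOTP code, the same scheme phone authenticator apps use. The TOTP seed is the RFC 6238 reference secret (the ASCII bytes "12345678901234567890") so the codes can be checked against the RFC's published test vectors; the user record and password are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time

# RFC 6238 / RFC 4226 reference secret, used here only so codes can be cross-checked
# against the RFCs' published test vectors. A real seed is random and per user.
TOTP_SEED = b"12345678901234567890"
PBKDF2_ROUNDS = 600_000


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step, digits)


def verify_totp(secret, code, now=None, step=30, window=1):
    """Accept the current code or one step either side to tolerate clock skew.

    compare_digest keeps the comparison constant-time so matching prefixes do not leak."""
    if now is None:
        now = int(time.time())
    return any(
        hmac.compare_digest(totp(secret, now + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, hash) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, expected):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def make_user(password, totp_seed):
    """Constructed user record: what a credential store would hold for one account."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_seed": totp_seed}


def mfa_login(user, password, code, now=None):
    """Both factors must pass. Both are evaluated even if the first fails, so the response
    (and its timing) does not tell an attacker which factor was wrong."""
    ok_know = verify_password(password, user["salt"], user["pw_hash"])
    ok_have = verify_totp(user["totp_seed"], code, now)
    return ok_know and ok_have


if __name__ == "__main__":
    user = make_user("correct horse battery staple", TOTP_SEED)
    print("code at T=59:", totp(TOTP_SEED, now=59))
    print("login:", mfa_login(user, "correct horse battery staple", totp(TOTP_SEED, now=59), now=59))
```

The skew window is the usual trade-off: a window of one step lets a phone that is up to 30 seconds off still log in, at the cost of three valid codes at any moment instead of one. Rate-limiting code attempts matters for the same reason.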

Access Control Schemes

  • Discretionary Access Control (DAC): Least restrictive; object owners control access.
    • Weaknesses: Relies on end-user decisions about who gets access; any program a user runs inherits that user's permissions, so malware runs with the user's rights.
  • Mandatory Access Control (MAC): Most restrictive; uses labels and levels.
    • Labels: Classify object importance.
    • Levels: Hierarchy based on labels.
    • Microsoft Windows implements a form of MAC called Mandatory Integrity Control (MIC), which assigns integrity levels (Low, Medium, High, System) to processes and objects and blocks a lower-integrity process from modifying a higher-integrity object.
  • Role-Based Access Control (RBAC): Permissions based on job function.
  • Rule-Based Access Control (RB-RBAC): Access is decided by administrator-defined rules (for example, time of day or network location) rather than by the object's owner; the rules can assign roles dynamically as conditions change.
  • Attribute-Based Access Control (ABAC): Uses flexible policies with attributes (object, subject, environment).
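As an added example (not part of the original notes), the following Python implements a small ABAC policy engine in which the MAC "no read up" check is just one more rule over subject and object attributes (clearance and label mapped to numeric levels), alongside rules that use an environment attribute (session location) and a role attribute. The subjects, documents and environments are constructed for the example; the rule names and attribute names are this example's own, not a standard.

```python
# Ordered labels: the MAC hierarchy expressed as subject/object attributes.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def no_read_up(subject, obj, env, action):
    """MAC rule: a subject may only read objects at or below its clearance level."""
    if action != "read":
        return True
    return LEVELS[subject["clearance"]] >= LEVELS[obj["label"]]


def need_to_know(subject, obj, env, action):
    """Subject vs object attributes: the owner, or a member of the owning department."""
    return obj["owner"] == subject["id"] or obj["department"] in subject["departments"]


def writers_are_editors(subject, obj, env, action):
    """Role attribute: writing requires the editor role (RBAC inside ABAC)."""
    return action != "write" or "editor" in subject["roles"]


def secret_only_onsite(subject, obj, env, action):
    """Environment attribute: secret material is never served to a remote session."""
    return obj["label"] != "secret" or env["location"] == "onsite"


# Policy is an ordered list of rules; every rule must pass.
POLICY = [no_read_up, need_to_know, writers_are_editors, secret_only_onsite]


def evaluate(subject, obj, env, action):
    """Deny by default. Returns ("permit", None) or ("deny", <first failing rule name>)
    so the audit log can say why a request was refused."""
    for rule in POLICY:
        if not rule(subject, obj, env, action):
            return ("deny", rule.__name__)
    return ("permit", None)


# Constructed sample subjects, objects and environments (not real users or data).
ANALYST = {"id": "u100", "clearance": "confidential", "departments": ["finance"],
           "roles": ["analyst", "editor"]}
INTERN = {"id": "u200", "clearance": "internal", "departments": ["finance"], "roles": ["intern"]}
EXEC = {"id": "u300", "clearance": "secret", "departments": ["exec"], "roles": ["editor"]}
Q3_FORECAST = {"id": "doc1", "label": "confidential", "department": "finance", "owner": "u100"}
MERGER_MEMO = {"id": "doc2", "label": "secret", "department": "exec", "owner": "u300"}
ONSITE = {"location": "onsite"}
REMOTE = {"location": "remote"}

if __name__ == "__main__":
    for who, doc, where, action in [
        (ANALYST, Q3_FORECAST, REMOTE, "read"),
        (INTERN, Q3_FORECAST, ONSITE, "read"),
        (EXEC, MERGER_MEMO, REMOTE, "read"),
        (EXEC, MERGER_MEMO, ONSITE, "read"),
    ]:
        print(who["id"], action, doc["id"], where["location"], "->", evaluate(who, doc, where, action))
```

Returning the failing rule's name is deliberate: an ABAC decision that only says "deny" is hard to debug and hard to audit, and the first failing rule in a fixed order gives the same explanation every time.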

Incident Response

  • Process includes:
    • Preparation
    • Identification
    • Containment
    • Eradication
    • Recovery
    • Lessons learned
  • Incident Response Plan (IRP) should contain:
    • Documented incident definitions
    • Incident response teams
    • Reporting requirements/escalation
    • Retention policy
    • Stakeholder management
    • Communication plan
  • Operational steps during an incident:
    • Follow SOAR (Security Orchestration, Automation and Response) runbooks (automated, conditional task sequences) and playbooks (documented checklists of the required actions).
    • Perform containment: isolate affected hosts or network segments, disable compromised accounts, block attacker infrastructure.
    • Make configuration changes (firewall and proxy rules, patches, credential resets, hardened settings) to eradicate the threat and prevent recurrence.

Cloud Computing Service Models

  • Software as a Service (SaaS): Vendor hosts and runs the application; users access it (typically through a browser) and manage nothing below the application itself.
  • Platform as a Service (PaaS): Vendor provides the operating system, runtime and middleware; users deploy and run their own applications on it without managing the underlying infrastructure.
  • Infrastructure as a Service (IaaS): Vendor provides compute, storage and networking; users deploy and manage the OSs and everything above them.
  • Anything as a Service (XaaS): Broad category for any capability delivered as a subscription service.

Hypervisors

  • Type I (bare metal): Runs directly on the hardware with no host OS beneath it (e.g., VMware ESXi, Microsoft Hyper-V, Xen); smaller attack surface, used in data centers.
  • Type II (hosted): Runs as an application on top of a host OS (e.g., VirtualBox, VMware Workstation); a compromise of the host OS compromises every guest.