Lesson 1: Theory define "assessing threats and mitigating risk within means" "assessing theats" Threat actors "who is threatening my shit" Script kiddies - hack for bragging rights, low sophistication "a `hacker` who uses premade tools and exploits without understanding them" Hacktivists - Political motive higher sophistication more motivated far more targeted Organized crime - profit motive Even higher sophistication Scams, spam, phishing, malware "scanning the whole fuckin internet for known exploits" APTs - Advanced Persistant Threats - nation-state actors Highest level of sophistication Highly funded, large groups, well Organized Espionage motives - occasional profit motive Tend to operate in social engineering or especially 0day exploits. Super important: find out who your most likely threat actors are. Assets "what shit do I have that needs to be protected" / "attack surface" computers, phones, apps, servers, etc Human beings Super important: inventory your assets "risk" Financial Reputational / social Political Important: find out what the risk of being pwned is "mitigating" Important: what assets should we focus on protecting? Important: how should we go about protecting them? "means" Money Time user compliance GRC Governance Policies Adminsistration "structure" Risk above Compliance "what laws do we have to follow?" CIA Triad Confidentiality keep secrets secret Make sure the people who need access, have access, securely Integrity Make sure your data is intact, unmodified, uncorrupted, correct Availabiltiy "make sure what should be available remains available" Blue Team "on defence" Red Team "informs blue team" "white hack hackers" Try to break blue team's shit they exist to inform blue team. Purple Team "red team and blue team work together" best model (imo) Inventory Threats Make a list of shit that could go wrong, as complete as possible organize by impact and likelyhood Threat heatmap a simple heatmap likelyhood of an attack (per year) (1-100%) VS impact of an attack (1-100) One corner is "high likelyhood, high impact" focus resources at quadrent Opposite corner is "low likelyhood, low impact" monitor, keep an eye on it Continuity of business / disaster response/recovery "to keep shit up and running when shit goes wrong" Important: make a frikkn plan Include: timeframe for fixes and cost of fixes Backups FUCKING DO THEM TWO LOCAL ONE REMOTE MINIMUM Types: Incremental only back up data that has changed uses less disk space can be used for recovering from file deletes, mistakes, etc where you want to roll back the data often the slowest to fully recover from Full just a full, seperate copy of all your data os image, whatever the largest in terms of filesize also the fastest to recover from You need both! Schedule "how often should we do a full backup?" "how long should we store old data?" "how often do we update the redundant storage?" Redundancy "having more than one thing in case it breaks" 9s problem 99% uptime on a decent thing is kinda a given 99.9% uptime (one 9 of uptime) backup servers faster incident response more redundancy and procedure 99.99% uptime (two 9s) geographically seperated backup servers content delivery network backup equipment to work on it (workstations, etc) 99.999+% uptime (three 9s) fuckikn insane google-tier shit Important: define what level of redundancy you need and can afford Cold site, warm site, hot site "spaces, physical or digital, that you can fall back to" Backup physical office space Backup datacenter A spare cloud hosting account with your images loaded Cold site a backup space that will take some real time to get running Hot site a site that is 100% functional and ready to switch to at any time Warm site somewhere in-between Power (electrical generator, power bank) Manpower Hardware (backup workstations, etc) Backups Important: "what is so important that we will spend money and time to mitigate downtime?" Security Team CISO - Cheif Information Security Officer Generally report to the Chief Information Officer (CIO) or the Cheif Technical Officer (CTO) Imo: CISO should to the board/president Policymakers - make policies and rules and shit Administration level - managing shit day to day SOC - Security Operations Center SOCs are fuckin cool SOC base-level employee is a "threat analyst" Monitor the cyber security status of the comany tools like Splunk aggregate logs and alerts and put them into big tables, graphs, charts, maps, etc When soemthing happens, they escelate to incident resoponse (IR) which could be elevated to the disaster recovery team (OneDrive) Monitoring aggregate logs, alerts, security involved actions, all in one place Splunk or free option ELK Stack Baselining "finding out what `normal` looks like, and build alerts for deviations" AI works super good for this as a STARTING POINT Cyber security domains: https://taosecurity.blogspot.com/2017/03/cybersecurity-domains-mind-map.html