157 lines
6.1 KiB
Plaintext
157 lines
6.1 KiB
Plaintext
Lesson 1: Theory
|
|
define "assessing threats and mitigating risk within means"
|
|
"assessing theats"
|
|
Threat actors "who is threatening my shit"
|
|
Script kiddies - hack for bragging rights, low sophistication
|
|
"a `hacker` who uses premade tools and exploits without understanding them"
|
|
Hacktivists - Political motive
|
|
higher sophistication
|
|
more motivated
|
|
far more targeted
|
|
Organized crime - profit motive
|
|
Even higher sophistication
|
|
Scams, spam, phishing, malware
|
|
"scanning the whole fuckin internet for known exploits"
|
|
APTs - Advanced Persistant Threats - nation-state actors
|
|
Highest level of sophistication
|
|
Highly funded, large groups, well Organized
|
|
Espionage motives - occasional profit motive
|
|
Tend to operate in social engineering or especially 0day exploits.
|
|
Super important: find out who your most likely threat actors are.
|
|
Assets
|
|
"what shit do I have that needs to be protected" / "attack surface"
|
|
computers, phones, apps, servers, etc
|
|
Human beings
|
|
Super important: inventory your assets
|
|
"risk"
|
|
Financial
|
|
Reputational / social
|
|
Political
|
|
Important: find out what the risk of being pwned is
|
|
"mitigating"
|
|
Important: what assets should we focus on protecting?
|
|
Important: how should we go about protecting them?
|
|
"means"
|
|
Money
|
|
Time
|
|
user compliance
|
|
GRC
|
|
Governance
|
|
Policies
|
|
Adminsistration
|
|
"structure"
|
|
Risk
|
|
above
|
|
Compliance
|
|
"what laws do we have to follow?"
|
|
CIA Triad
|
|
Confidentiality
|
|
keep secrets secret
|
|
Make sure the people who need access, have access, securely
|
|
Integrity
|
|
Make sure your data is intact, unmodified, uncorrupted, correct
|
|
Availabiltiy
|
|
"make sure what should be available remains available"
|
|
|
|
Blue Team
|
|
"on defence"
|
|
Red Team "informs blue team"
|
|
"white hack hackers"
|
|
Try to break blue team's shit
|
|
they exist to inform blue team.
|
|
Purple Team "red team and blue team work together"
|
|
best model (imo)
|
|
|
|
Inventory Threats
|
|
Make a list of shit that could go wrong, as complete as possible
|
|
organize by impact and likelyhood
|
|
|
|
Threat heatmap
|
|
a simple heatmap
|
|
likelyhood of an attack (per year) (1-100%)
|
|
VS
|
|
impact of an attack (1-100)
|
|
One corner is "high likelyhood, high impact"
|
|
focus resources at quadrent
|
|
Opposite corner is "low likelyhood, low impact"
|
|
monitor, keep an eye on it
|
|
|
|
Continuity of business / disaster response/recovery
|
|
"to keep shit up and running when shit goes wrong"
|
|
Important: make a frikkn plan
|
|
Include: timeframe for fixes and cost of fixes
|
|
Backups
|
|
FUCKING DO THEM TWO LOCAL ONE REMOTE MINIMUM
|
|
Types:
|
|
Incremental
|
|
only back up data that has changed
|
|
uses less disk space
|
|
can be used for recovering from file deletes, mistakes, etc where you want to roll back the data
|
|
often the slowest to fully recover from
|
|
Full
|
|
just a full, seperate copy of all your data
|
|
os image, whatever
|
|
the largest in terms of filesize
|
|
also the fastest to recover from
|
|
You need both!
|
|
Schedule
|
|
"how often should we do a full backup?"
|
|
"how long should we store old data?"
|
|
"how often do we update the redundant storage?"
|
|
|
|
Redundancy
|
|
"having more than one thing in case it breaks"
|
|
9s problem
|
|
99% uptime on a decent thing is kinda a given
|
|
99.9% uptime (one 9 of uptime)
|
|
backup servers
|
|
faster incident response
|
|
more redundancy and procedure
|
|
99.99% uptime (two 9s)
|
|
geographically seperated backup servers
|
|
content delivery network
|
|
backup equipment to work on it (workstations, etc)
|
|
99.999+% uptime (three 9s)
|
|
fuckikn insane google-tier shit
|
|
Important: define what level of redundancy you need and can afford
|
|
|
|
Cold site, warm site, hot site
|
|
"spaces, physical or digital, that you can fall back to"
|
|
Backup physical office space
|
|
Backup datacenter
|
|
A spare cloud hosting account with your images loaded
|
|
Cold site
|
|
a backup space that will take some real time to get running
|
|
Hot site
|
|
a site that is 100% functional and ready to switch to at any time
|
|
Warm site
|
|
somewhere in-between
|
|
Power (electrical generator, power bank)
|
|
Manpower
|
|
Hardware (backup workstations, etc)
|
|
Backups
|
|
Important: "what is so important that we will spend money and time to mitigate downtime?"
|
|
Security Team
|
|
CISO - Cheif Information Security Officer
|
|
Generally report to the Chief Information Officer (CIO) or the Cheif Technical Officer (CTO)
|
|
Imo: CISO should to the board/president
|
|
Policymakers - make policies and rules and shit
|
|
|
|
Administration level - managing shit day to day
|
|
|
|
SOC - Security Operations Center
|
|
SOCs are fuckin cool
|
|
SOC base-level employee is a "threat analyst"
|
|
Monitor the cyber security status of the comany
|
|
tools like Splunk aggregate logs and alerts and put them into big tables, graphs, charts, maps, etc
|
|
When soemthing happens, they escelate to incident resoponse (IR)
|
|
which could be elevated to the disaster recovery team (OneDrive)
|
|
|
|
Monitoring
|
|
aggregate logs, alerts, security involved actions, all in one place
|
|
Splunk or free option ELK Stack
|
|
Baselining
|
|
"finding out what `normal` looks like, and build alerts for deviations"
|
|
AI works super good for this as a STARTING POINT
|
|
|
|
Cyber security domains: https://taosecurity.blogspot.com/2017/03/cybersecurity-domains-mind-map.html |