Files
OpenCybersecLessonPlan/01 - Intro to Cybersec.txt
T
2024-06-28 18:50:56 -06:00

157 lines
6.1 KiB
Plaintext

Lesson 1: Theory
define "assessing threats and mitigating risk within means"
"assessing theats"
Threat actors "who is threatening my shit"
Script kiddies - hack for bragging rights, low sophistication
"a `hacker` who uses premade tools and exploits without understanding them"
Hacktivists - Political motive
higher sophistication
more motivated
far more targeted
Organized crime - profit motive
Even higher sophistication
Scams, spam, phishing, malware
"scanning the whole fuckin internet for known exploits"
APTs - Advanced Persistant Threats - nation-state actors
Highest level of sophistication
Highly funded, large groups, well Organized
Espionage motives - occasional profit motive
Tend to operate in social engineering or especially 0day exploits.
Super important: find out who your most likely threat actors are.
Assets
"what shit do I have that needs to be protected" / "attack surface"
computers, phones, apps, servers, etc
Human beings
Super important: inventory your assets
"risk"
Financial
Reputational / social
Political
Important: find out what the risk of being pwned is
"mitigating"
Important: what assets should we focus on protecting?
Important: how should we go about protecting them?
"means"
Money
Time
user compliance
GRC
Governance
Policies
Adminsistration
"structure"
Risk
above
Compliance
"what laws do we have to follow?"
CIA Triad
Confidentiality
keep secrets secret
Make sure the people who need access, have access, securely
Integrity
Make sure your data is intact, unmodified, uncorrupted, correct
Availabiltiy
"make sure what should be available remains available"
Blue Team
"on defence"
Red Team "informs blue team"
"white hack hackers"
Try to break blue team's shit
they exist to inform blue team.
Purple Team "red team and blue team work together"
best model (imo)
Inventory Threats
Make a list of shit that could go wrong, as complete as possible
organize by impact and likelyhood
Threat heatmap
a simple heatmap
likelyhood of an attack (per year) (1-100%)
VS
impact of an attack (1-100)
One corner is "high likelyhood, high impact"
focus resources at quadrent
Opposite corner is "low likelyhood, low impact"
monitor, keep an eye on it
Continuity of business / disaster response/recovery
"to keep shit up and running when shit goes wrong"
Important: make a frikkn plan
Include: timeframe for fixes and cost of fixes
Backups
FUCKING DO THEM TWO LOCAL ONE REMOTE MINIMUM
Types:
Incremental
only back up data that has changed
uses less disk space
can be used for recovering from file deletes, mistakes, etc where you want to roll back the data
often the slowest to fully recover from
Full
just a full, seperate copy of all your data
os image, whatever
the largest in terms of filesize
also the fastest to recover from
You need both!
Schedule
"how often should we do a full backup?"
"how long should we store old data?"
"how often do we update the redundant storage?"
Redundancy
"having more than one thing in case it breaks"
9s problem
99% uptime on a decent thing is kinda a given
99.9% uptime (one 9 of uptime)
backup servers
faster incident response
more redundancy and procedure
99.99% uptime (two 9s)
geographically seperated backup servers
content delivery network
backup equipment to work on it (workstations, etc)
99.999+% uptime (three 9s)
fuckikn insane google-tier shit
Important: define what level of redundancy you need and can afford
Cold site, warm site, hot site
"spaces, physical or digital, that you can fall back to"
Backup physical office space
Backup datacenter
A spare cloud hosting account with your images loaded
Cold site
a backup space that will take some real time to get running
Hot site
a site that is 100% functional and ready to switch to at any time
Warm site
somewhere in-between
Power (electrical generator, power bank)
Manpower
Hardware (backup workstations, etc)
Backups
Important: "what is so important that we will spend money and time to mitigate downtime?"
Security Team
CISO - Cheif Information Security Officer
Generally report to the Chief Information Officer (CIO) or the Cheif Technical Officer (CTO)
Imo: CISO should to the board/president
Policymakers - make policies and rules and shit
Administration level - managing shit day to day
SOC - Security Operations Center
SOCs are fuckin cool
SOC base-level employee is a "threat analyst"
Monitor the cyber security status of the comany
tools like Splunk aggregate logs and alerts and put them into big tables, graphs, charts, maps, etc
When soemthing happens, they escelate to incident resoponse (IR)
which could be elevated to the disaster recovery team (OneDrive)
Monitoring
aggregate logs, alerts, security involved actions, all in one place
Splunk or free option ELK Stack
Baselining
"finding out what `normal` looks like, and build alerts for deviations"
AI works super good for this as a STARTING POINT
Cyber security domains: https://taosecurity.blogspot.com/2017/03/cybersecurity-domains-mind-map.html