SecuritySection6-7

Fundamentals of Security (Sec 2)

CIA Triad
● Confidentiality: Ensures information is accessible only to authorized personnel (e.g.,
encryption)
● Integrity: Ensures data remains accurate and unaltered (e.g., checksums)
● Availability: Ensures information and resources are accessible when needed (e.g.,
redundancy measures)

Non-Repudiation
● Guarantees that an action or event cannot be denied by the involved parties (e.g., digital
signatures)

CIANA Pentagon
● An extension of the CIA triad with the addition of non-repudiation and authentication

Triple A’s of Security


● Authentication: Verifying the identity of a user or system (e.g., password checks)
● Authorization: Determining actions or resources an authenticated user can access
(e.g., permissions)
● Accounting: Tracking user activities and resource usage for audit or billing purposes

Security Control Categories


● Technical, Managerial, Operational, Physical
● Preventative, Deterrent, Detective, Corrective, Compensating, Directive

Zero Trust Model


● Operates on the principle that no one should be trusted by default
○ Control Plane: Adaptive identity, threat scope reduction, policy-driven access
control, and secured zones
○ Data Plane: Subject/system, policy engine, policy administrator, and establishing
policy enforcement points

Threats and Vulnerabilities


● Threat: Anything that could cause harm, loss, damage, or compromise to our
information technology systems, including natural disasters, cyber-attacks, data integrity
breaches, and disclosure of confidential information.
● Vulnerability: Any weakness in the system design or implementation, originating from
internal factors such as software bugs, misconfigured software, improperly protected
network devices, missing security patches, and lack of physical security.
○ Where threats and vulnerabilities intersect, that is where the risk to your
enterprise systems and networks lies. If you have a threat but there is no
matching vulnerability to it, then you have no risk. Similarly, if you have a
vulnerability but there’s no threat against it, there would be no risk.
● Risk Management: Finding different ways to minimize the likelihood of an undesirable
outcome and achieve the desired outcome.

Confidentiality
● Confidentiality: Refers to the protection of information from unauthorized access and
disclosure, ensuring that private or sensitive information is not available or disclosed to
unauthorized individuals, entities, or processes.
○ Encryption: Process of converting data into a code to prevent unauthorized
access.
○ Access Controls: By setting up strong user permissions, you ensure that only
authorized personnel can access certain types of data.
○ Data Masking: Method that involves obscuring specific data within a database to
make it inaccessible for unauthorized users while retaining the real data's
authenticity and use for authorized users.
○ Physical Security Measures: Ensure confidentiality for both physical types of
data, such as paper records stored in a filing cabinet, and for digital information
contained on servers and workstations.
○ Training and Awareness: Conduct regular training on the security awareness
best practices that employees can use to protect their organization’s sensitive
data.

Integrity
● Integrity: Helps ensure that information and data remain accurate and unchanged from
its original state unless intentionally modified by an authorized individual.
○ Verifies the accuracy and trustworthiness of data over the entire lifecycle
○ Integrity is important for three main reasons:
■ To ensure data accuracy
■ To maintain trust
■ To ensure system operability
○ To help us maintain the integrity of our data, systems, and networks, we usually
utilize five methods:
■ Hashing: Process of converting data into a fixed-size value
■ Digital Signatures: Ensure both integrity and authenticity
■ Checksums: Method to verify the integrity of data during transmission
■ Access Controls: Ensure that only authorized individuals can modify
data and this reduces the risk of unintentional or malicious alterations
■ Regular Audits: Involve systematically reviewing logs and operations to
ensure that only authorized changes have been made, and any
discrepancies are immediately addressed
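
The hashing and checksum methods above, as an added example that is not part of the original notes: a SHA-256 checksum detects a modified copy of a record, but a plain checksum can be recomputed by whoever altered the data, so the block also shows a keyed digest (HMAC) that only a holder of the key can produce. The sample records, the key and the function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample record: a small configuration file whose integrity we want to protect.
ORIGINAL = b"max_login_attempts=5\nsession_timeout=900\nadmin_users=alice,bob\n"
# Constructed tampered copy: an extra administrator has been slipped in.
TAMPERED = b"max_login_attempts=5\nsession_timeout=900\nadmin_users=alice,bob,mallory\n"


def sha256_checksum(data: bytes) -> str:
    """Hashing: arbitrary-length input -> fixed-size digest (64 hex characters)."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected_hex: str) -> bool:
    """Checksum verification: recompute and compare in constant time."""
    return hmac.compare_digest(sha256_checksum(data), expected_hex)


def hmac_tag(data: bytes, key: bytes) -> str:
    """Keyed digest: only a holder of `key` can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(data: bytes, key: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(hmac_tag(data, key), expected_hex)


def demo() -> dict:
    """Run the checks and report which tampering attempts are caught."""
    published = sha256_checksum(ORIGINAL)           # checksum shipped alongside the file
    key = b"constructed-demo-key-stored-separately"  # assumption: kept apart from the data
    tag = hmac_tag(ORIGINAL, key)
    return {
        "original_ok": verify_checksum(ORIGINAL, published),
        "tampered_detected": not verify_checksum(TAMPERED, published),
        # Limitation: an attacker who can rewrite the file can also publish a fresh checksum...
        "forged_checksum_accepted": verify_checksum(TAMPERED, sha256_checksum(TAMPERED)),
        # ...but cannot produce a valid keyed tag without the key.
        "forged_hmac_rejected": not verify_hmac(TAMPERED, key, hmac_tag(TAMPERED, b"wrong-key")),
        "hmac_original_ok": verify_hmac(ORIGINAL, key, tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `forged_checksum_accepted` result is the practical caveat: checksums catch accidental corruption and casual edits, but protecting against an adversary who controls both the data and its published digest needs a secret (HMAC) or a private key (digital signature).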

Availability
● Availability: Ensure that information, systems, and resources are accessible and
operational when needed by authorized users. As cybersecurity professionals, we value
availability since it can help us with ensuring business continuity, maintaining customer
trust, and upholding an organization's reputation. To overcome the challenges
associated with maintaining availability, the best strategy is to use redundancy in your
systems and network designs.
● Redundancy: Duplication of critical components or functions of a system with the
intention of enhancing its reliability.
● There are various types of redundancy you need to consider when designing your
systems and networks:
○ Server Redundancy: Involves using multiple servers in a load balanced or
failover configuration so that if one is overloaded or fails, the other servers can
take over the load to continue supporting your end users.
○ Data Redundancy: Involves storing data in multiple places.
○ Network Redundancy: Ensures that if one network path fails, the data can travel
through another route.
○ Power Redundancy: Involves using backup power sources, like generators and
UPS systems.

Non-repudiation
● Non-repudiation: Focused on providing undeniable proof in the world of digital
transactions. Security measure that ensures individuals or entities involved in a
communication or transaction cannot deny their participation or the authenticity of their
actions.
○ Digital Signatures: Considered to be unique to each user who is operating
within the digital domain. Created by first hashing the particular message or
communication that you want to digitally sign, and then encrypting that hash
digest with the user’s private key using asymmetric encryption.

Authentication
● Authentication: Security measure that ensures individuals or entities are who they
claim to be during a communication or transaction.
○ 5 commonly used authentication methods:
■ Something you know (Knowledge Factor): Relies on information that a
user can recall.
■ Something you have (Possession Factor): Relies on the user
presenting a physical item to authenticate themselves.
■ Something you are (Inherence Factor): Relies on the user providing a
unique physical or behavioral characteristic of the person to validate that
they are who they claim to be.
■ Something you do (Action Factor): Relies on the user conducting a
unique action to prove who they are.
■ Somewhere you are (Location Factor): Relies on the user being in a
certain geographic location before access is granted.
○ Multi-Factor Authentication System (MFA): Security process that requires
users to provide multiple methods of identification to verify their identity.
● Authentication is critical to understand because of the following: to prevent unauthorized
access, to protect user data and privacy, and to ensure that resources are accessed by
valid users only.
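
A multi-factor check that combines a knowledge factor with a possession factor, as an added example that is not part of the original notes: the password is verified against a salted PBKDF2 hash, and the one-time code is verified with HOTP/TOTP (RFC 4226 / RFC 6238), the algorithm behind authenticator apps. The user record, the password and the thresholds are constructed; the TOTP secret is the RFC 4226 test key so the expected codes can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware


# --- Knowledge factor: store a salted, iterated hash, never the password itself ---
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


# --- Possession factor: HOTP (RFC 4226) and its time-based form TOTP (RFC 6238) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30) -> str:
    return hotp(secret, int(at_time // step))


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at_time + k * step, step), code)
               for k in range(-window, window + 1))


def build_user_db() -> Dict[str, dict]:
    """Constructed user store; the TOTP secret is the RFC 4226 test key."""
    salt, pw_hash = hash_password("correct horse battery staple")
    return {"alice": {"salt": salt, "pw_hash": pw_hash, "totp_secret": b"12345678901234567890"}}


def mfa_login(user_db: Dict[str, dict], username: str, password: str, code: str,
              at_time: Optional[float] = None) -> bool:
    """Both factors must pass; both are evaluated so the result does not reveal which one failed."""
    now = time.time() if at_time is None else at_time
    record = user_db.get(username)
    if record is None:
        return False
    knowledge_ok = verify_password(password, record["salt"], record["pw_hash"])
    possession_ok = verify_totp(record["totp_secret"], code, now)
    return knowledge_ok and possession_ok


if __name__ == "__main__":
    db = build_user_db()
    print(mfa_login(db, "alice", "correct horse battery staple", totp(db["alice"]["totp_secret"], time.time())))
```

The two factors are independent: a leaked password database gives only salted hashes, and a stolen one-time code is useless after its 30-second step, which is why a knowledge factor alone is weaker than the pair.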

Authorization
● Authorization: Pertains to the permissions and privileges granted to users or entities
after they have been authenticated. Authorization mechanisms are important because they
help us protect sensitive data, maintain system integrity in our organizations, and create
a more streamlined user experience.

Accounting
● Accounting: Security measure that ensures all user activities during a communication
or transaction are properly tracked and recorded. Your organization should use a robust
accounting system so that you can create an audit trail, maintain regulatory compliance,
conduct forensic analysis, perform resource optimization, and achieve user
accountability.
○ To perform accounting, we usually use different technologies like the following:
■ Syslog Servers: Used to aggregate logs from various network devices
and systems so that system administrators can analyze them to detect
patterns or anomalies in the organization’s systems.
■ Network Analysis Tools: Used to capture and analyze network traffic so
that network administrators can gain detailed insights into all the data
moving within a network.
■ Security Information and Event Management (SIEM) Systems:
Provide us with real-time analysis of security alerts generated by various
hardware and software infrastructure in an organization.
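
The kind of analysis a syslog server or SIEM performs on aggregated logs, as an added example that is not part of the original notes: a parser for sshd authentication lines and a detector that flags a source with repeated failures and, more importantly, a success from that same source afterwards. The log lines, the host names and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: syslog-style lines as a central syslog server would aggregate them.
SAMPLE_LOGS = """\
Mar 10 08:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 08:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 10 08:01:09 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar 10 08:01:14 web01 sshd[2210]: Failed password for root from 203.0.113.45 port 51052 ssh2
Mar 10 08:01:20 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar 10 08:01:31 web01 sshd[2219]: Accepted password for root from 203.0.113.45 port 51077 ssh2
Mar 10 08:02:10 web01 sshd[2230]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2
Mar 10 08:03:44 web01 sshd[2241]: Failed password for alice from 192.0.2.10 port 60001 ssh2
Mar 10 08:03:50 web01 sshd[2243]: Accepted password for alice from 192.0.2.10 port 60002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_events(text: str) -> List[Dict[str, str]]:
    """Turn raw syslog lines into structured events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_brute_force(events: List[Dict[str, str]], threshold: int = 5) -> List[dict]:
    """Flag a source once it reaches `threshold` failures, and any later success from it."""
    failures: Dict[str, int] = defaultdict(int)
    findings = []
    for ev in events:
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            if failures[src] == threshold:
                findings.append({"type": "brute_force", "src": src, "count": threshold})
        elif failures[src] >= threshold:  # Accepted after a burst of failures: highest priority
            findings.append({"type": "success_after_brute_force", "src": src, "user": ev["user"]})
    return findings


if __name__ == "__main__":
    for finding in detect_brute_force(parse_auth_events(SAMPLE_LOGS)):
        print(finding)
```

The single failed login from 192.0.2.10 followed by a success is ordinary user behaviour and produces nothing; the pattern from 203.0.113.45 produces two findings, and the second one (a success after the burst) is what an analyst would triage first.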

Security Control Categories


● 4 Broad Categories of Security Controls:
○ Technical Controls: Technologies, hardware, and software mechanisms that
are implemented to manage and reduce risks.
○ Managerial Controls: Sometimes also referred to as administrative controls,
involve the strategic planning and governance side of security.
○ Operational Controls: Procedures and measures that are designed to protect
data on a day-to-day basis, mainly governed by internal processes and human
actions.
○ Physical Controls: Tangible, real-world measures taken to protect assets.

Security Control Types


● 6 Basic Types of Security Controls:
○ Preventive Controls: Proactive measures implemented to thwart potential
security threats or breaches.
○ Deterrent Controls: Discourage potential attackers by making the effort seem
less appealing or more challenging.
○ Detective Controls: Monitor and alert organizations to malicious activities as
they occur or shortly thereafter.
○ Corrective Controls: Mitigate any potential damage and restore our systems to
their normal state.
○ Compensating Controls: Alternative measures that are implemented when
primary security controls are not feasible or effective.
○ Directive Controls: Guide, inform, or mandate actions, often rooted in policy or
documentation and set the standards for behavior within an organization.

Gap Analysis
● Gap Analysis: Process of evaluating the differences between an organization's current
performance and its desired performance. Conducting a gap analysis can be a valuable
tool for organizations looking to improve their operations, processes, performance, or
overall security posture. There are several steps involved in conducting a gap analysis:
○ Define the scope of the analysis.
○ Gather data on the current state of the organization.
○ Analyze the data to identify any areas where the organization's current
performance falls short of its desired performance.
○ Develop a plan to bridge the gap.
● 2 Basic Types of Gap Analysis:
○ Technical Gap Analysis: Involves evaluating an organization's current technical
infrastructure, identifying any areas where it falls short of the technical
capabilities required to fully utilize their security solutions.
○ Business Gap Analysis: Involves evaluating an organization's current business
processes, identifying any areas where they fall short of the capabilities required
to fully utilize cloud-based solutions.
● Plan of Action and Milestones (POA&M):
○ Outlines the specific measures to address each vulnerability.
○ Allocate resources.
○ Set up timelines for each remediation task that is needed.

Zero Trust
● Zero Trust: Demands verification for every device, user, and transaction within the
network, regardless of its origin. To create a zero trust architecture, we need to use two
different planes:
○ Control Plane: Refers to the overarching framework and set of components
responsible for defining, managing, and enforcing the policies related to user and
system access within an organization. It typically encompasses several key
elements:
■ Adaptive Identity: Relies on real-time validation that takes into account the
user's behavior, device, location, and more.
■ Threat Scope Reduction: Limits the users’ access to only what they need for
their work tasks because this reduces the network’s potential attack surface.
Focused on minimizing the "blast radius" that could occur in the event of a
breach.
■ Policy-Driven Access Control: Entails developing, managing, and enforcing
user access policies based on their roles and responsibilities.
■ Secured Zones: Isolated environments within a network that are designed to
house sensitive data. Ensures the policies are properly executed.
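
A small policy engine and enforcement point that ties the Authorization section to the control-plane elements just listed, as an added example that is not part of the original notes: role-based permissions (policy-driven access control), a resource allowlist per role (threat scope reduction), resources that require a compliant device (secured zones), and a risk score from device and location signals that decides when MFA is required (adaptive identity). The roles, resources, locations and score thresholds are constructed policy data, not a standard.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class AccessRequest:
    subject: str            # who is asking
    role: str               # role established at authentication time
    resource: str           # what they want to reach
    device_compliant: bool  # device posture signal
    location: str           # network or geographic signal
    mfa_passed: bool        # has step-up authentication already been completed?


# Constructed policy data (assumption): which resources each role may reach.
ROLE_PERMISSIONS = {
    "engineer": {"source-repo", "ci-logs"},
    "finance": {"ledger"},
    "admin": {"source-repo", "ci-logs", "ledger", "identity-console"},
}
# Secured zones: resources reachable only from a compliant device.
SECURED_ZONE: Set[str] = {"ledger", "identity-console"}
TRUSTED_LOCATIONS: Set[str] = {"hq-office", "corp-vpn"}

MFA_REQUIRED_AT = 2  # adaptive thresholds (assumption)
DENY_AT = 5


def risk_score(req: AccessRequest) -> int:
    """Adaptive identity: real-time device and location signals raise the assurance required."""
    score = 0
    if req.location not in TRUSTED_LOCATIONS:
        score += 2
    if not req.device_compliant:
        score += 3
    return score


def policy_engine(req: AccessRequest) -> Tuple[str, str]:
    """Policy decision: default deny, and being 'inside' the network buys no trust."""
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return "deny", "role not permitted for this resource (threat scope reduction)"
    if req.resource in SECURED_ZONE and not req.device_compliant:
        return "deny", "secured zone requires a compliant device"
    score = risk_score(req)
    if score >= DENY_AT:
        return "deny", f"risk score {score} exceeds policy ceiling"
    if score >= MFA_REQUIRED_AT and not req.mfa_passed:
        return "deny", f"risk score {score} requires MFA"
    return "allow", f"policy satisfied (risk score {score})"


def enforcement_point(req: AccessRequest, audit_log: List[str]) -> bool:
    """Policy enforcement point: applies the decision and records it for the accounting trail."""
    decision, reason = policy_engine(req)
    audit_log.append(f"{req.subject} -> {req.resource}: {decision} ({reason})")
    return decision == "allow"


if __name__ == "__main__":
    log: List[str] = []
    enforcement_point(AccessRequest("alice", "engineer", "source-repo", True, "hq-office", False), log)
    enforcement_point(AccessRequest("alice", "engineer", "source-repo", True, "cafe-wifi", False), log)
    enforcement_point(AccessRequest("alice", "engineer", "ledger", True, "hq-office", True), log)
    print("\n".join(log))
```

Every request passes through the same evaluation regardless of origin, and the enforcement point never makes its own decision; it only applies the engine's verdict and logs it, which keeps the policy auditable in one place.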

Threat Actor Motivations (Sec 3)

Threat Actor Attributes


● Internal vs. External Threat Actors
● Differences in resources and funding
● Level of sophistication

Types of Threat Actors


● Unskilled Attackers: Limited technical expertise, use readily available tools
● Hacktivists: Driven by political, social, or environmental ideologies
● Organized Crime: Execute cyberattacks for financial gain (e.g., ransomware, identity
theft)
● Nation-state Actor: Highly skilled attackers sponsored by governments for cyber
espionage or warfare
● Insider Threats: Security threats originating from within the organization
● Shadow IT: IT systems, devices, software, or services managed without explicit
organizational approval

Threat Vectors and Attack Surfaces


● Message-based, Image-based, File-based, Voice Calls, Removable Devices, Unsecured
Networks

Deception and Disruption Technologies


● Honeypots: Decoy systems to attract and deceive attackers
● Honeynets: Network of decoy systems for observing complex attacks
● Honeyfiles: Decoy files to detect unauthorized access or data breaches
● Honeytokens: Fake data to alert administrators when accessed or used

Threat Actor Motivations

● Threat Actor’s Intent: Specific objective or goal that a threat actor is aiming to achieve
through their attack
● Threat Actor’s Motivation: Underlying reasons or driving forces that push a threat
actor to carry out their attack
● Different motivations behind threat actors:
○ Data Exfiltration: Unauthorized transfer of data from a computer
○ Financial Gain: Achieved through various means, such as ransomware attacks,
or through banking trojans that allow them to steal financial information in order
to gain unauthorized access into the victims' bank accounts
○ Blackmail: The attacker obtains sensitive or compromising information about an
individual or an organization and threatens to release this information to the
public unless certain demands are met
○ Service Disruption: Some threat actors aim to disrupt the services of various
organizations, either to cause chaos, make a political statement, or to demand a
ransom
○ Philosophical or Political Beliefs: Attacks that are conducted due to the
philosophical or political beliefs of the attackers are known as hacktivism
○ Ethical Reasons: Contrary to malicious threat actors, ethical hackers, also
known as Authorized hackers, are motivated by a desire to improve security
○ Revenge: It can also be a motivation for a threat actor that wants to target an
entity that they believe has wronged them in some way
○ Disruption or Chaos: Ranges from creating and spreading malware to launching
sophisticated cyberattacks against the critical infrastructure of a populated city
○ Espionage: Spying on individuals, organizations, or nations to gather sensitive
or classified information
○ War: Cyber warfare can be used to disrupt a country's infrastructure,
compromise its national security, and to cause economic damage

Threat Actor Attributes


● 2 Most Basic Attributes of a Threat Actor:
○ Internal Threat Actors: Individuals or entities within an organization who pose a
threat to its security
○ External Threat Actors: Individuals or groups outside an organization who
attempt to breach its cybersecurity defenses
● Resources and funding available to the specific threat actor:
○ Tools, skills, and personnel at the disposal of a given threat actor
● Level of sophistication and capability of the specific threat actor:
○ Refers to their technical skill, the complexity of the tools and techniques they use,
and their ability to evade detection and countermeasures
○ In the world of cybersecurity, we usually classify the lowest-skilled threat actors
as "script kiddies"
■ Script Kiddie: Individual with limited technical knowledge, uses pre-made
software or scripts to exploit computer systems and networks
○ Nation-state actors, Advanced Persistent Threats, and others have high levels of
sophistication and capabilities and possess advanced technical skills, using
sophisticated tools and techniques

Unskilled Attackers

● Unskilled Attacker (Script Kiddie): Individual who lacks the technical knowledge to
develop their own hacking tools or exploits
○ These low-skilled threat actors need to rely on scripts and programs that have
been developed by others
● How do these unskilled attackers cause damage?
○ One way is to launch a DDoS attack
● An unskilled attacker can simply enter the IP address of the system they want to
target, and then click a button to launch an attack against that target

Hacktivists
● Hacktivists: Individuals or groups that use their technical skills to promote a cause or
drive social change instead of for personal gain
● Hacktivism: Activities in which the use of hacking and other cyber techniques is used to
promote or advance a political or social cause
○ To accomplish their objectives, hacktivists use a wide range of techniques to
achieve their goals, including:
■ Website Defacement: Form of electronic graffiti and is usually treated as
an act of vandalism
■ Distributed Denial of Service (DDoS) Attacks: Attempting to
overwhelm the victim's systems or networks so that they cannot be
accessed by the organization's legitimate users
■ Doxing: Involves the public release of private information about an
individual or organization
■ Leaking of Sensitive Data: Releasing sensitive data to the public at
large over the internet
○ Hacktivists are primarily motivated by their ideological beliefs rather than trying to
achieve financial gains
○ One of the most well-known hacktivist groups is known as “Anonymous”, a
loosely affiliated collective that has been involved in numerous high-profile
attacks over the years for targeting organizations that they perceive as acting
unethically or against the public interest at large

Organized Crime
● Organized cybercrime groups are groups or syndicates that have banded together to
conduct criminal activities in the digital world
○ Sophisticated and well-structured, they use resources and technical skills for illicit
gain
○ In terms of their technical capabilities, organized crime groups possess a very
high level of technical capability and they often employ advanced hacking
techniques and tools such as:
■ Custom Malware, Ransomware, Sophisticated Phishing Campaigns
○ These criminal groups will engage in a variety of illicit activities to generate
revenue for their members, including:
■ Data Breaches, Identity Theft, Online Fraud, Ransomware Attacks
○ Unlike hacktivists or nation-state actors, organized cybercrime groups are not
typically driven by ideological or political objectives
■ These groups may be hired by other entities, including governments, to
conduct cyber operations and attacks on their behalf
○ Money, not other motivations, is the objective of their attacks even if the attack
takes place in the political sphere

Nation-state Actor
● Nation-state Actor: Groups or individuals that are sponsored by a government to
conduct cyber operations against other nations, organizations, or individuals
○ Sometimes, these threat actors attempt what is known as a false flag attack
○ False Flag Attack: Attack that is orchestrated in such a way that it appears to
originate from a different source or group than the actual perpetrators, with the
intent to mislead investigators and attribute the attack to someone else
○ Nation-state actors possess advanced technical skills and extensive resources,
and they are capable of conducting complex, coordinated cyber operations that
employ a variety of techniques such as:
■ Creating custom malware, Using zero-day exploits, Becoming an
advanced persistent threat
● Advanced Persistent Threat (APT): Term that used to be used synonymously with a
nation-state actor because of their long-term persistence and stealth
○ A prolonged and targeted cyberattack in which an intruder gains unauthorized
access to a network and remains undetected for an extended period while trying
to steal data or monitor network activities rather than cause immediate damage
○ These advanced persistent threats are often sponsored by a nation-state or its
proxies, like organized cybercrime groups
● What motivates a nation-state actor? Nation-state actors are motivated to achieve their
long-term strategic goals, and they are not seeking financial gain

Insider Threats
● Insider Threats: Cybersecurity threats that originate from within the organization.
Insider threats can take various forms such as Data Theft, Sabotage, or Misuse of
access privileges.
○ Each insider threat is driven by different motivations. Some are driven by
financial gain and they want to profit from the sale of sensitive organizational
data to others.
○ Some may be motivated by revenge and are aiming to harm the organization due
to some kind of perceived wrong levied against the insider. Some may take
action as a result of carelessness or a lack of awareness of cybersecurity best
practices.
○ Insider threat refers to the potential risk posed by individuals within an
organization who have access to sensitive information and systems, and who
may misuse this access for malicious or unintended purposes.
○ To mitigate the risk of an insider threat being successful, organizations should
implement the following: Zero-trust architecture, employ robust access controls,
conduct regular audits, and provide effective employee security awareness
programs.

Shadow IT
● Shadow IT: Use of information technology systems, devices, software, applications, and
services without explicit organizational approval.
○ Shadow IT exists because an organization's security posture is set too high or is
too complex for business operations to occur without being negatively affected.
● Bring Your Own Devices (BYOD) involves the use of personal devices for work
purposes.

Threat Vectors and Attack Surfaces


● Threat Vector: Means or pathway by which an attacker can gain unauthorized access to
a computer or network to deliver a malicious payload or carry out an unwanted action.
● Attack Surface: Encompasses all the various points where an unauthorized user can try
to enter data to or extract data from an environment.
○ It can be minimized by restricting access, removing unnecessary software, and
disabling unused protocols.
○ Think of threat vector as the "how" of an attack, whereas the attack surface is the
"where" of the attack.
○ There are several different threat vectors that could be used to attack your
enterprise networks such as Messages, Images, Files, Voice Calls, Removable
Devices, and insecure networks.
■ Messages: Message-based threat vectors include threats delivered via
email, short message service (SMS text messaging), or other forms of
instant messaging. Phishing campaigns are commonly used as part of a
message-based threat vector when an attacker impersonates a trusted
entity to trick its victims into revealing their sensitive information to the
attacker.
■ Images: Image-based threat vectors involve the embedding of malicious
code inside of an image file by the threat actor.
■ Files: The files, often disguised as legitimate documents or software, can
be transferred as email attachments, through file-sharing services, or
hosted on a malicious website.
■ Voice Calls: Vishing involves the use of voice calls to trick victims into
revealing their sensitive information to an attacker.
■ Removable Devices: One common technique used with removable
devices is known as baiting. Baiting involves an attacker leaving a
malware-infected USB drive in a location where their target might find it,
such as in the parking lot or the lobby of the targeted organization.
■ Unsecure Networks: Unsecure networks include wireless, wired, and
Bluetooth networks that lack the appropriate security measures to protect
these networks. Exploiting vulnerabilities in the Bluetooth protocol, an
attacker can carry out their attacks using techniques like the BlueBorne or
BlueSmack exploits.
■ BlueBorne: Set of vulnerabilities in Bluetooth technology that can
allow an attacker to take over devices, spread malware, or even
establish an on-path attack to intercept communications without
any user interaction.
■ BlueSmack: Type of Denial of Service attack that targets
Bluetooth-enabled devices by sending a specially crafted Logical
Link Control and Adaptation Protocol packet to a target device.

Outsmarting Threat Actors


● Tactics, Techniques, and Procedures (TTPs): Specific methods and patterns of
activities or behaviors associated with a particular threat actor or group of threat actors
● Deceptive and Disruption Technologies: Technologies designed to mislead, confuse,
and divert attackers from critical assets while simultaneously detecting and neutralizing
threats
○ Honeypots: Decoy system or network set up to attract potential hackers
○ Honeynets: Network of honeypots to create a more complex system that is
designed to mimic an entire network of systems, including servers, routers, and
switches
○ Honeyfiles: Decoy file placed within a system to lure in potential attackers
○ Honeytokens: Piece of data or a resource that has no legitimate value or use
but is monitored for access or use
● Some disruption technologies and strategies to help secure our enterprise
networks:
○ Bogus DNS entries: Fake Domain Name System entries introduced into your
system's DNS server
○ Creating decoy directories: Fake folders and files placed within a system's
storage
○ Dynamic page generation: Effective against automated scraping tools or bots
trying to index or steal content from your organization's website
○ Use of port triggering to hide services:
■ Port Triggering: Security mechanism where specific services or ports on
a network device remain closed until a specific outbound traffic pattern is
detected
○ Spoofing fake telemetry data: When a system detects a network scan is being
attempted by an attacker, it can be configured to respond by sending out fake
telemetry or network data
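
The honeytoken and decoy-directory ideas above, as an added example that is not part of the original notes: a fake credential is generated and planted, a decoy folder is registered, and a monitor scans a log stream for any appearance of either. Because the planted values have no legitimate use, any hit is a high-confidence signal. The token format, the paths and the log lines are constructed for the example.

```python
import secrets
from typing import Dict, List


def make_honeytoken(label: str) -> str:
    """A unique, unguessable value with no legitimate use, so any appearance of it is a signal."""
    return f"{label}-{secrets.token_hex(8)}"


class HoneytokenMonitor:
    """Tracks planted decoys and raises an alert whenever one shows up in a log stream."""

    def __init__(self) -> None:
        self.planted: Dict[str, str] = {}  # decoy value -> description of where it was planted

    def plant(self, value: str, where: str) -> None:
        self.planted[value] = where

    def scan(self, log_lines: List[str]) -> List[dict]:
        alerts = []
        for line in log_lines:
            for value, where in self.planted.items():
                if value in line:
                    alerts.append({"planted_at": where, "evidence": line.strip()})
        return alerts


def demo() -> List[dict]:
    monitor = HoneytokenMonitor()
    fake_key = make_honeytoken("backup-api-key")
    # Honeytoken: a fake credential left in a decoy file; no legitimate process ever uses it.
    monitor.plant(fake_key, "decoy file /srv/backup/.credentials (constructed path)")
    # Decoy directory: a folder with no business purpose; any access to it is suspect.
    monitor.plant("/srv/finance-archive-2019/", "decoy directory (constructed path)")

    # Constructed log lines: a legitimate API call, a use of the fake key, a read of the decoy folder.
    logs = [
        "2024-03-10T08:10:01Z api: key=prod-key-7f3a user=deploy action=list_backups status=200",
        f"2024-03-10T08:12:44Z api: key={fake_key} user=? action=list_backups status=401 src=203.0.113.45",
        "2024-03-10T08:13:02Z auditd: uid=1003 syscall=openat path=/srv/finance-archive-2019/ cwd=/home/tmp",
    ]
    return monitor.scan(logs)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The legitimate line produces nothing, and each decoy hit carries the evidence line plus where the decoy was planted, which tells the responder which file or folder the intruder reached without guessing from generic signatures.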
