Threat summary

A simple chart classifying common InfoSec threats.

Misdirection:

  • Spoofing,
  • Pharming,
  • XSS,
  • Poisoning (ARP, DNS)
Social trust:

  • Phishing,
  • Social engineering,
  • Social network attacks,
Vulnerability:

  • SQL injection,
  • code injection,
  • path traversal,
  • buffer overflow,
Snooping:

  • Replay attacks,
  • Sniffing,
  • Keylogging,
  • Session Hijacking,
  • TEMPEST
Password attacks:

  • Dictionary,
  • Brute force,
  • Rainbow (hash) tables,
  • Shoulder surfing
Escalation:

  • Authentication bypass,
  • Pivoting,
  • Heuristic commits
Malware:

  • Rootkits,
  • Trojans,
  • Worms,
  • Spyware
Malicious actions:

  • DoS,
  • DDoS,
  • Virus,
  • Scare/Ransomware
Mitigations:

  • Hardening,
  • Secure boot,
  • Threat scanning
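
The password-attack row of the chart (dictionary, brute force, rainbow/hash tables) is worth one worked example, because the difference between the three is invisible until you see what the attacker precomputes. The block below is an added example, not part of the original chart: it builds a precomputed digest-to-password lookup (a rainbow table is a compressed form of the same idea) and shows that it cracks unsalted SHA-256 instantly but is useless against a per-user salt plus a slow KDF, where the attacker is pushed back to an online dictionary attack that costs one KDF call per guess per user. The wordlist, salt bytes and iteration count are constructed for the demo.

```python
"""Added example (not from the original page): precomputed lookup attack
against unsalted password hashes, and why salting plus a slow KDF defeats it.
A rainbow table is a space-compressed precomputed table; a plain dictionary
of digest -> password shows the same principle."""
import hashlib
import os

# Constructed wordlist standing in for a real dictionary-attack list.
WORDLIST = ["password", "letmein", "Summer2024", "qwerty", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: a single unsalted SHA-256 over the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Attacker precomputes digest -> password once and reuses it forever."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def crack_unsalted(table: dict, stored_digest: str):
    """O(1) lookup: no hashing at attack time at all."""
    return table.get(stored_digest)


def new_salt() -> bytes:
    """Per-user random salt; stored next to the digest, need not be secret."""
    return os.urandom(16)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stronger scheme: per-user salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256 from the standard library)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return dk.hex()


def crack_salted_with_table(table: dict, stored_digest: str):
    """The precomputed table misses: its digests were computed without the salt."""
    return table.get(stored_digest)


def crack_salted_online(wordlist, salt: bytes, stored_digest: str,
                        iterations: int = 100_000):
    """Fallback for the attacker: redo the slow KDF per guess, per user,
    after the breach. Cost scales with wordlist size times iteration count."""
    for pw in wordlist:
        if salted_hash(pw, salt, iterations) == stored_digest:
            return pw
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(table, unsalted_hash("hunter2")))
    salt = new_salt()
    digest = salted_hash("hunter2", salt)
    print("salted, table lookup:", crack_salted_with_table(table, digest))
    print("salted, online guessing:", crack_salted_online(WORDLIST, salt, digest))
```

The salt does not need to be secret; its job is to make every user's digest unique so that one precomputed table (or one cracked hash) cannot be reused across users or across breaches. The iteration count is what makes the online fallback expensive.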

What control activities to verify?

When validating control activities, aim to make security easier for users and harder for attackers.

Activities to verify may include (not limited to):

  • Prevention (2FA, least privilege, reduce deniability, …)
  • Delay (strong encryption, layering, …)
  • Detect (monitor, detect change, audit, automate, …)
  • Compliance (implementation of corporate policy and standards, including configuration best practices)
  • Recover (verify the ability to reset to the last known good state)

NOTE: validating control activities is not an audit. Auditors themselves should also be evaluated (watch the watcher) and must comply with segregation of duties. Example: auditors should NOT define the governing policy or have the ability to implement change.

More assurance slang

Due care:

You should care! Due care is the conduct expected of a reasonable person in a particular situation. If negligence of due care is tested, each juror (auditor/tester) has to determine what was "reasonable" in the given situation. Train people to recognise a good choice from a bad one.

Due diligence:

Continually ensure that threats and vulnerabilities are known and acted upon.

  • Assets are identified and protected.
  • Controls are in-place.
  • Regulations are followed and evaluated.

CIA, a convenient reminder

Q. What is CIA?

Confidentiality:

is:

  • who can access
  • how data is classified

enforced via:

  • file permissions,
  • encryption (in transit & at rest),
  • secrecy (what you know),
  • isolation (from network or in vault),
  • Bell-LaPadula model

Integrity (of data):

is:

  • who can change data
  • verify data has not changed
  • know data has been changed

enforced via:

  • permissions
  • hashing (detect that data has changed)
  • digital signatures
  • wax seals
  • tamper-evident packaging,
  • Biba model
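
The two integrity goals above ("verify data has not changed" and "know data has been changed") are not met by the same mechanism, and the list hides that. The block below is an added example, not part of the original page: it shows that a plain hash catches accidental change (bit rot, truncation) but not an attacker who can rewrite the data and recompute the digest, whereas a keyed HMAC catches the attacker because the key is not theirs. A digital signature gives the same tamper detection with a private key that only the signer holds, which is what makes it usable for non-repudiation towards third parties; HMAC is shown here because it needs only the standard library. The record bytes and the key are constructed for the demo.

```python
"""Added example (not from the original page): plain hash versus keyed MAC
for detecting changed data. Records and keys are constructed for the demo."""
import hashlib
import hmac
import secrets

# Constructed: a record we want to keep intact at rest or in transit.
RECORD = b'{"account": "1234", "amount": 100, "currency": "EUR"}'
TAMPERED = b'{"account": "1234", "amount": 100000, "currency": "EUR"}'


def plain_hash(data: bytes) -> str:
    """Unkeyed SHA-256: anyone, including the attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def check_plain_hash(data: bytes, digest: str) -> bool:
    """Catches bit rot and truncation, but not an attacker who also
    rewrites the stored digest."""
    return hmac.compare_digest(plain_hash(data), digest)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only holders of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_keyed_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(keyed_tag(key, data), tag)


def attacker_rewrites(stored):
    """Active attacker: swap the record and recompute the unkeyed digest."""
    return (TAMPERED, plain_hash(TAMPERED))


def attacker_rewrites_keyed(stored, guessed_key: bytes = b"wrong-key"):
    """Same attacker against the keyed scheme: must guess the key."""
    return (TAMPERED, keyed_tag(guessed_key, TAMPERED))


def demo() -> dict:
    """Run both schemes against an accidental change and a deliberate one."""
    key = secrets.token_bytes(32)
    stored = (RECORD, plain_hash(RECORD))
    accidental = (TAMPERED, stored[1])        # data changed, digest untouched
    forged = attacker_rewrites(stored)
    stored_keyed = (RECORD, keyed_tag(key, RECORD))
    forged_keyed = attacker_rewrites_keyed(stored_keyed)
    return {
        "plain_hash_detects_accident": not check_plain_hash(*accidental),
        "plain_hash_detects_attacker": not check_plain_hash(*forged),
        "keyed_tag_detects_attacker": not check_keyed_tag(key, *forged_keyed),
    }


if __name__ == "__main__":
    for name, caught in demo().items():
        print(f"{name}: {caught}")
```

Storing the unkeyed digest somewhere the attacker cannot write (a separate system, a signed manifest) is the other way to close the gap; the point is that the digest and the data must not share the same trust boundary.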

Availability:

is:

  • Keep data and services online
  • restore data after failure
  • restore services quickly after failure (incl. DR)
  • scale to peak capacity (withstand DoS)

enforced via:

  • testing
  • redundancy
  • anti-malware
  • backups
  • Disaster Recovery plan (get data back)
  • Business Continuity (get business back)

Accountability in a more classical structure

Is…

  • Who did it?
  • Do we have Non-repudiation?
  • What are legal consequences?
  • How shall we secure the systems?
  • Who is accountable?

Provides:

  • integrity and assurance,
  • authenticity.

Enforced via:

  • audit trails & logs,
  • design, governance and policy,
  • standards*,
  • RACI matrix.

*standards should include [internal] Minimal Security Baseline (MSB) with influences of vendor best practices, external standards, directives, etc.
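
Audit trails only answer "who did it?" if the trail itself cannot be quietly rewritten by the person it incriminates. The block below is an added example, not part of the original page: a minimal hash-chained audit log in which every entry commits to the hash of the one before it, so a modified, reordered or removed entry breaks the chain at a detectable position. It also shows the caveat practitioners tend to miss: truncating the tail of the chain leaves it internally consistent, so the current chain head has to be stored (or signed, or shipped) somewhere the log writer cannot reach. Actors, actions, targets and timestamps are constructed for the demo.

```python
"""Added example (not from the original page): tamper-evident audit trail as
a hash chain. Entries are constructed for the demo."""
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first entry


def compute_hash(record: dict) -> str:
    """Hash every field except the stored hash itself, in canonical JSON."""
    body = {k: v for k, v in record.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append(log: list, actor: str, action: str, target: str, ts: int) -> dict:
    """Append an entry that commits to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    rec = {"ts": ts, "actor": actor, "action": action, "target": target, "prev": prev}
    rec["hash"] = compute_hash(rec)
    log.append(rec)
    return rec


def verify(log: list, expected_head: str = None):
    """Return (ok, index_of_first_bad_entry).

    Detects modified, reordered and removed entries anywhere in the chain.
    Removing entries from the END is only detected when the caller supplies
    the chain head it saw last (expected_head), stored outside the log."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != compute_hash(rec):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)     # tail truncated: chain is shorter than known head
    return True, None


def who_did(log: list, action: str, target: str) -> list:
    """Accountability query: which actors performed action on target."""
    return [r["actor"] for r in log if r["action"] == action and r["target"] == target]


if __name__ == "__main__":
    log = []
    append(log, "alice", "read", "/hr/salaries.csv", 1700000000)
    append(log, "bob", "delete", "/hr/salaries.csv", 1700000100)
    append(log, "alice", "login", "vpn", 1700000200)
    head = log[-1]["hash"]
    print("intact:", verify(log, head), "deleted by:", who_did(log, "delete", "/hr/salaries.csv"))
    log[1]["actor"] = "alice"                 # bob tries to shift blame
    print("after edit:", verify(log, head))
```

The chain gives integrity of the trail; pairing it with an authenticated identity for each actor and an externally held (or signed) chain head is what turns it into non-repudiation rather than just a consistency check.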

Information System types and CIA

Q. is the Classical CIA triad still valid as a base for our information systems?

A. Yes. Below are examples of information systems that mainly require (but are not limited to):

  • Confidentiality for Personal data systems (ex: PII, HR info),
  • Integrity for Financial critical systems (ex: reporting, projections),
  • Availability for Business critical systems (ex: production, assembly).