FUNDAMENTALS OF SECURITY

Threat is anything that could cause harm, loss, damage, or compromise to our information technology
systems and these threats come from external sources. Things like natural disasters, cyber attacks, data
integrity breaches, disclosure of confidential information and many other incidents that can arise during
our daily operations.

Risk management It's finding different ways to minimize the likelihood of a certain outcome from
occurring and achieving the outcomes that you really want to achieve.

Vulnerability is any weakness in the system design or implementation.

Confidentiality is a foundational concept in the world of information security and it refers to the
protection of information from unauthorized access and disclosure.

Encryption is a process of converting data into code to prevent unauthorized access.

Data masking is a method that involves obscuring specific data within a database to make it inaccessible
for unauthorized users while retaining the real data's authenticity and use for authorized users.

Physical security measures are used to ensure confidentiality for both physical types of data, such as
paper records stored in a filing cabinet and for digital information that's contained on servers and
workstations.

Integrity is the cornerstone in the realm of information security, because it helps to ensure that
information and data remains accurate and unchanged from its original state, unless intentionally
modified by an authorized individual.

Hashing is the process of converting data into a fixed-size value.

Hash Digest will almost serve like a Digital Fingerprint for any given piece of data to prove its integrity.

Digital Signatures use encryption to ensure both integrity and authenticity.

Checksums are a method to verify the integrity of data being sent through a transmission.

Access Controls ensure that only authorized individuals can modify data, and this reduces the risk of
unintentional or malicious alterations.

Regular Audits involve systematically reviewing your logs and operations to ensure that only authorized
changes are being made and any discrepancies are immediately addressed.

Availability in information security is used to ensure that information, systems and resources are
accessible and operational when needed by authorized users.

Redundancy is the duplication of critical components or functions of a system with the intention of
enhancing its reliability. In simple words, it's about having backup options to ensure uninterrupted
service.

· Server redundancy involves using multiple servers in a load balance or failover configuration, so
that if one of those is overloaded or fails, the other servers can take over the load and continue
to support your users.

· Data redundancy involves storing data in multiple places.

· Network redundancy ensures that if one network path fails, the data can still travel through
another route.

· Power redundancy involves using backup power sources, like generators and uninterrupted
power supply systems to ensure that your organization's systems remain operational even during
periods of power disruption or outages within your local service area.

Digital signatures are created by first hashing a particular message or communication to be digitally
signed and encrypting the hash digest with the user's private key using asymmetric encryption.

Non-repudiation in cybersecurity is focused on providing undeniable proof in the world of digital

transactions.

· Digital signature, much like the king's signet ring, is considered to be unique to each user who's
operating within the digital domain.

· Confirming the authenticity of digital transactions, is a system has the capability to guarantee a
transaction or communication's authenticity is there to ensure that your users can't state they
didn't perform a certain action.

· Ensuring integrity is since non-repudiation relies on digital signatures and digital signatures have
hash values in them, these digital signatures are used to ensure not just non-repudiation, but
also integrity.

· Providing accountability is when every action has a digital stamp of authenticity attached to it,
we can create a sense of responsibility and accountability among our users because they know
that their actions can be traced back to them without denial.

Authentication in cybersecurity is a security measure that ensures individuals or entities are who they
claim to be during a communication or transaction.

Five commonly used authentication methods

1. We refer to these as something you know

2. Something you have

3. Something you are

 4. Something you do

5. Somewhere you are

MFA or a multi-factor authentication system is a security process that requires users to provide multiple
methods of identification to verify their identity.

Authorization in cybersecurity pertains to the permissions and privileges that are granted to users or
entities after they've been authenticated.

Accounting in cybersecurity is a security measure that ensures all user activities during a communication
or transaction are properly tracked and recorded.

Security Control Categories

· Technical controls are the technologies,hardware, and software mechanisms that are
implemented to manage and reduce risk.

· Managerial controls are sometimes also referred to as administrative controls and they involve
the strategic planning and governance side of security.

· Operational controls are the procedures and measures that are designed to protect data on a
day-to-day basis and they're mainly governed by internal processes and human actions.

· Physical controls relate to the tangible real-world measures taken to protect assets.

Security Control Types

· Preventative controls are proactive measures implemented to thwart potential security threats
or breaches. These preventative controls aim to fortify your systems before an incident actually
occurs.

· Deterrent controls are aimed to discourage potential attackers by making the effort seem less
appealing or more challenging.

· Detective controls monitor and alert organizations to malicious activities as they occur, or
shortly thereafter.

· Corrective controls Now, once a threat has been detected using a detective control, we can then
use a corrective control to mitigate any potential damage and restore our systems to their
normal states.

· Compensating controls are alternative measures that are implemented when primary security
controls are simply not feasible or effective.

· Directive controls are going to guide, inform, or mandate different actions. These directive
 controls are often rooted in policy or documentation and they set the standards for behavior
within your organization.

Gap analysis is a process of evaluating the differences between organization's current performance and
its desired performance.

6. Scope of the analysis, this includes identifying the specific areas of the organization that will be
evaluated and the desired outcome of that analysis.

7. Gather data on the current state of the organization, this can be done through surveys,
interviews or other forms of data collection.

8. Analyze the data to identify any areas where the organization's current performance falls short
of its desired performance.

9. Bridge those gaps, this can include changes to processes, systems or other areas of the
organization that can help to improve the performance or security of your systems and
networks.

Technical gap analysis in the world of cloud computing would involve evaluating an organization's
current technical infrastructure and identifying any areas where it falls short of the technical capabilities
required to fully utilize their security solutions.

Business gap analysis that involves evaluating the organization's current business processes and
identifying any areas where they fall short of the capabilities required to fully utilize their new cloud-
based solutions.

Plan of Action and Milestones, known as a POA&M and that would outline the specific measures to
address each vulnerability and allocate resources and set up timelines for each of the remediation tasks
that we needed to perform.

Zero trust, we have to demand verification for every device, every user, and every transaction within the
network, regardless of its origin.

Zero Trust is a cybersecurity approach that assumes no user or system is to be trusted by default and
requires continuous verification for access to your organizational resources regardless of the location or
origin of the network request.

Zero trust architecture, we need to use two different planes.

· The control plane lays out the policies and procedures, which refers to the overarching
framework and set of components responsible for defining, managing, and enforcing the policies
that are related to the user and system access within an organization.

· The control plane will use a policy engine and a policy administrator to make decisions about
access.
 · The policy engine, like a rule book that's gonna be determining whether the request
aligns with the subject's permissions.

· The policy administrator is used to establish and manage the access policies.

· The data plane is gonna ensure that these policies are properly executed which typically
encompasses several key elements, including adaptive identity, threat scope reduction, policy
driven access control, and secured zones.

· The data plane consists of the subject or system and the policy enforcement point.

· The subject or system is gonna refer to the individual or entity that's attempting to gain
access.

· The policy enforcement point is the final step inside of this process, this is where the
decision to grant or deny access is actually being done and executed.

· Adaptive identities that rely on real-time validation that takes into account the user's behavior,
device, location, and more.

· Threat scope reduction is where we wanna limit the user's access to only what they need for
their work task because this drastically reduces the network's potential attack surface.

· Policy driven access control is gonna entail developing, managing, and enforcing user access
policies based on their roles and responsibilities.

· Secured zones now, secured zones are isolated environments within a network that are designed
to house sensitive data.

THREAT ACTORS

Honeypots are decoy systems or servers designed to attract and deceive potential attackers, simulating
real world IT assets to study their techniques.

· If you are going to install a honeypot on your enterprise network, you should locate it within a
screen subnet of the network or an isolated segment of the network that can be easily accessed
over the internet by a potential attacker

Honeynets expand on this concept of honeypots, by creating an entire network of decoy

systems(servers, routers and switches) to observe complex multi-stage attacks.

Honeyfiles are decoy files placed within systems to detect unauthorized access or data breaches.

Honeytokens are going to be fake pieces of data, like fabricated user credentials that are inserted into a
database or system to alert administrators whenever they're accessed or used.
Data Exfiltration which is the unauthorized transfer of data from a computer

Financial Gain one of the most common motivations for cybercriminals

· Ransomware Attacks

· Banking Trojans

Blackmail the attacker obtains sensitive or compromising information about an individual or an

organization and threatens to release this information to the public unless certain demands are met

· Ransomware

· Doxxing

· Sextortion

Service Disruption Often achieved by conducting a DDoS attack making it unavailable to its normal users

Philosophical or political beliefs hacking used to promote political agenda, social change or to protest
against organizations they perceive is unethical

· website defacement

· data leaks

Ethical Reasons which are ethical hackers or authorized which are motivated by a desire to improve
security

Revenge an employee who is disgruntled or one who has recently been fired or laid off might want to
harm their current or former employer by causing a data berach, disrupting services or leaking sensitive
information

Disruption or Chaos these threat actors are referred to as unauthorized hackers who engage in malicious
activities for the thrill of it, challenge their skills or to simply cause harm

Espionage involves spying on individuals, organizations or nations to gather sensitive or classified

information

War which cyberattacks have increasingly become a tool for nations to attack each other on and or off
the battlefield

Internal threat actors are individuals or entities within and organization who pose a threat to its security

External threat actos are individuals or groups outside of an organzation who attempt to breach its
cybersecurity defenses

Resources and funding refers to the tools, skills and personnel at the disposal of a given threat actor
Level of sophisitcation and capability refers to their techincal skills, complexity of the tools, techniques
they use and their ability to evade detection and countermeasures

Unskilled Attacker(Script Kiddie) is an individual who lacks the technical knowledge to develop their
own hacking tools and exploits

· Motivated by the thrill or causing some kind of disruption

Hacktivists are individuals or groups that use their technical skills to promote a cause or dive social
change instead of financial gain

· Utilizes website defacement, ddos, website defacement or leaking sensitive data

· Motivated by ideological beliefs rather than trying to achieve financial gain

Organized Crime are groups of sophisticated and well-structured entities that leverage their resources
and technical skills or illicit gain

· Have a very high level of tenchincal capability and often employ advanced hacking techniques
and tools including custom malware, ransomware and sophisticated phishing campaigns

· Motivated by financial gain

Nation-State actors groups or individuals that are sponsored by a government to conduct cyber
operations against other nations, organizations or individuals

· motivated to achieve their long-term strategic goals, not financial gain

· gathering intelligence, disrupting critical infrastructure, influencing their political processes

False flag attacks which are orchestrated in such way that it appears to originate from a different source
or group other than the perpetrators

Advanced Persistent threat(APT) is a term that used to be used synonymously with a nation-state actor
ebcause of their long-term persistence and stealth

· prolonged and targeted cyberattack

Stuxnet Worm sophisticated piece of malware that was designed to sabotage Iranian governments
nuclear program

· Exploited zero-day vulnerabilities in windows 10

· Stuxnet infected USB Drives to be transferred to more secure networks

Insider Threats are cybersecurity threats that originate from within the organization

· Knowledge of the organizations infastructure

 · data theft, sabotage or misuse of access privileges

· can install malware and create backdoors

· To mitigate the risk of an insider threat being successful, organizations should implement a zero
trust architecture, employ robust access controls, conduct regular audits, and provide effective
employee security awareness programs.

Shadow IT is the use of information technology systems, devices, software, applications and services
without explicit organizational approval

· the use of personal devices for work purposes, the installation of unapproved software, or the
use of cloud services that have not been approved by the organization.

Threat Vector(How of an attack) refers to the means or pathway by which an attacker can gain
unauthorized access to a computer or netowkr to deliver a malicious payload or cary out an unwanted
action.

Attack Surface(Where of an attack) encompasses all the various points where an unauthorized user can
try to enter data to or extract data from an environment

Different Threat Vectors

· Messages(Phishing)

· Images(Embedded malicious code inside of an image file)

· Files

· Voice calls(Vishing)

· Removable Devices(Baiting is where USB is left where it might be found and then plugged in)

· Unsecured Networks

· Wireless(Rogue access points known as evil twins to create fake wifi networks that mimic an
organization's legitimate ones)

· Wired(tapping into the network cables to intercept and manipulate the data or connecting
unauthorized devices to the network by using Mac address cloning or VLAN hopping)

· Bluetooth(exploiting vulnerabilities within the Bluetooth protocol an attacker can carry out
their attacks using techniques like the BlueBorne or the BlueSmack exploits)

· BlueBorne can allow an attacker to take over devices, spread malware, or even establish
an on-path attack to intercept communications without any user interaction

· BlueSmack, on the other hand, is a type of denial service attack that targets Bluetooth
 enabled devices by sending especially crafted logical link control adaptation protocol
packet to a target device which can then consume all the available resources on a
targeted device and causes it to crash or become inoperable

Tactics, techniques, and procedures or TTPs refer to the specific methods and patterns of activities or
behaviors associated with a particular threat actor or group of threat actors

Deception and disruption technologies are designed to mislead, confuse and divert attackers away from
critical assets while simultaneously detecting and neutralizing threats

· Bogus DNS Entries fake DNS entries introduced into a system's DNS server

· Decoy Directories fake folders and files placed within a system's storage

· Dynamic Page Generation used in websites to present ever-changed content to web crawlers to
confuse and slow down the threat actor

· Port Triggering is a security mechanism where specific services or ports on a network device
reimain closed until a specific outbound traffic pattern is detected

· Spoofing fake telemetry data where the system can respond to an attacker's network scan
attempt by sending out fake telemtry or network data

PHYSICAL SECURITY

Physical security refers to measures take to protect trangibile assets like buildings, equipment and
people from any kind of harm or unauthorized access

Fencing and Bollards

· Fences are barriers that are usually made of posts, wire or boards that are erected to enclose a
space or separate areas

· First line of defense

· Visual deterrent defining a boundary that should not be violated by unauthorized personnel

· Establishes a phsyical barrier against unauthorized personnel

· Delays intruders allowing more time to react

· Bollards are short, sturdy vertical posts designed to control or prevent access by vehicles to an
area or structure

· Designed to manage or redirect vehicular traffic

 · Shields pedestrians, structures and other assets from potential vehicular collisions

Surveillance System is an organized strategy or setup designed to observe and report activities in a given
area

Access Control Vestibule is a double-door system with two electronically controlled doors that ensure
only one door is open at any given moment

Piggybacking involves two people with and without access entering a secure area

Tailgating occurs whenever an unauthorized person closely follows someone with access without
knowledge or consent of the authorized party

Brute Force refers to attack where access to a system is gained simply by trying all the possibilities until
you break through

Forcible Entry act of gaining unauthroized access to a space by physically breaking or bypassing it
barriers such as a window, door or a fence.

Tampering with security devices involves manipulating security devices to create new vulnerabilities
that could be exploited

Infared Sensors detect changes in infrared radiation that is emitted by warm bodies

Pressure Sensors activated when a specified amount of weight is detected on the sensor that is
embedded into the floor or a mat

Microwave Sensors detect movement in an area by emitting microwave pulses and measuring their
reflection off moving objects

Ultrasonic Sensors measure the reflection of ultrasonic waves off moving objects

Visual Obstruction blocking the camera's line of sight

Blinding Sensors and Cameras overwhelming the sensor or camera with a sudden burst of light to
render it ineffective for a limited period of time

Acoustic Interference jamming or playing loud music to disrupt the microphone's functionality

Electromagnetic Interference(EMI) Jamming the signals that surveillance systems rely on to monitor the
environment

Physical Attack exploiting the environment around the surveillance equipment to compromise their
functionality

False Acceptance Rate(FAR) the rate that the system authenticates a user as valid, even thought that
person should not have been granted access to the system
False Rejection Rate(FRR) occurs any time the biometrics system denies a user who should have been
allowed access to the system

Equal Error Rate(EER) more commonly called "Crossover Error Rate(CER), which uses a measure of the
effecetiveness of a given biometric system to achieve a balance

Cipher Lock provides excellent protection using a mechanical locking mechanism with push buttons that
are numbered and require a person to enter the correect combination in order to open that door

Radio Frequency Indentification(RFID) and Near Field Communication(NFC) are popular technologies
used for contactless authentication in various applications

Access Badge Cloning refers to copying data from an RFID or NFC card or badge onto another card or
device

· Scanning is where an attacker can use a handheld RFID or NFC reader to capture data from a
victim's card and store it for further process

· Data Extraction once the data is captured, attackers extract the relevant authentication
credentials from the card

· Writing to a new card or device is using specialized writing tools to transfer the extracted data
onto a blank RFID or NFC card

· Using a cloned access Badge means they can gain unauthorized access to buildings, computer
systems or even make payments

How to stop Access badge cloning

· Implement advanced encryption in card-based authentication systems

· Implement MFA

· Regularly updated security protocols

· Educated badge users

· Users should implement the use of shielded wallets or sleeves with RFID access badges

· Monitor and audit access logs

SOCIAL ENGINEERING

Social Engineering is a manipulative strategy that exploits human psychology to gain unauthorized
access to systems, data or physical spaces

Six types of motivational triggers

 · Authority the power or right to give orders, make decisions and enforce obedience

· Urgency refers to the compelling sense of immediacy or time-sensitivity that drives individuals to
act swiftly or prioritize certain actions

· Social Proof is a psychologicala phenomenon where individuals look to the behaviors and
actions of others to determine their own decisions or actions in similar situations

· Scarcity refers to the psychological pressure people feel when they believe a product,
opportunity or resource is in limited or short supply

· Likability associated with being nice, friendly and socially accepted by others

· Fear feeling afraid of someone or something as likely to be dangerous, painful or threatening

Four basic forms of impersonation attacks

· Impersonation an attack where an adversary assumes the identity of another person to gain
unauthorized access to resources or steal sensitive data

· Brand Impersonation is a specific form of impersonation where an attacker pretends to

represent a legitimate company or brand

· Typosquatting where an attacker registers a domain name that is similar to a popular website
that contains some kind of common typographical errors

· Watering Hole Attacks is a targeted form of cyber attack where attackers compromise a specific
website or service that their target is known to use

Different types of phishing attacks

· Phishing are fraudulent attacks using deceptive emails from trusted sources to trick individuals
into disclosing personal information like passwords and credit card numbers

· Spear Phishing more tightly focused on specific group of individuals or organizations

· Whaling form of spear phishing that targets high-profile individuals like CEOs or CFOs

· Business Email Compromise(BEC) is an advanced phishing attack that leverages internal email
accounts within a company to manipulate employees into carrying out malicious actions for the
attacker

· Vishing(Voice Phishing) phone-based attack in which the attacker deceives victims into divulging
personal or financial information

· Smishing(SMS Phishing) uses text messages to deceive individuals into sharing their personal
information
Anti-phishing campaign is a vital tool for educating individuals about phishing risks and how to recognize
potential phishing attemps in user security awareness training

Phishing Indicators

· Urgency phishing emails induce urgency by pushing recipients to take immediate action

· Unusual Requests approach emails requesting sensitive information with high suspicion and
caution

· Mismatched URLs in HTML-based emails the visible text is the display text while the underlying
url can be manipulated

· Email Addresses always verify the sender's email address when receiving an email

· Poor grammar and spelling emails with "broken english", poor grammar or multiple spelling
errors are often a phishing campaign

Frauds and scams

· Fraud is the wrongful or criminal deception intended to result in financial or personal gain

· Identity fraud the use by one person of another person's personal information without
authorization to commit a crime or to deceive or defraud that other person or a third person

· Identity theft is where the attacker tries to assume the identity of their victim

· Scam is a fradulent or deceptive act or operation

· Invoice Scam a scam in which a person is tricked into paying for a fake invoice for a service
or product they did not order

· PDF Attachment to a spear-phish email is a pdf that is embedded with malicious code to
infect the victims computer providing access for the attacker

Influence Campaigns are coordinated efforts to affect public peception or behavior towards a particular
cause, individual or group and can foster misinformation and disinformation

· Misinformation inaccurate information shared unintentionally

· Disinformation intentional spread of false information to deceive or mislead

Social engineering attacks

· Diversion theft manipulating a situation or creating a distraction to steal valuable items or

information

· Hoaxes are malicious deception that is often spread through social media, email or other
 communication channels

· Shoulder surfing looking over someone's shoulder to gather personal information

· Dumpster diving searching through trash to find valuable information

· Virtual or Digital Dumpster Diving is looking through the recycling bin or deleted files on a
given system

· Eavesdropping the process of secretly listening to private conversations

· Baiting planting a malware-infected device for a victim

· Piggybacking or Tailgating both involve an unauthorized person following an authorized person

into a secure area

· Piggybacking involves two people with and without access entering a secure area

· Tailgating occurs whenever an unauthorized person closely follows someone with access
without knowledge or consent of the authorized party

Pretexting creating a fabricated scenario to manipulate or deceive someone into divulging confidential
information

MALWARE

Malware any software that is designed to infiltrate a computer system without the users knowledge

Threat Vector(Breaks into the system) is a specific method used by an attacker to infiltrate a victims
machine

· Unpatched Software

· Installing Code

· Phishing Campaign

Attack Vector(Breaks into and infects the system) the means by which an attacker gains access to a
computer system to infect the system with malware

Different type of malware attacks

· Virus is a malicious software that attaches to clean files and spreads into a computer system

· Worms standalone malware programs that replicate and spread to other system by exploiting
software vulnerabilities

· Trojans malicious programs which appear to be legitimate software that allow unauthorized
access to a victims system when executed
 · Ransomware encrypts the user's data and holds it hostage until the ransom is paid to the
attacker for that decyrption key

· Zombies compromised computers that are remotely controlled by attackers and used in
coordination to form a botnet

· Botnet is a network of compromised computer that are controlled by an attacker and are often
used for DDoS attacks, spam distribution or cryptocurreny mining

· Rootkits are malicious tools that hide their activities to operate at OS level or below to allow for
ongoing privileged access

· Backdoors are malicious means of bypassing normal authentication processes to gain

unauthorized access to a system

· Logic Bombs embed code placed in legitimate programs and can be executing malicious action
when a specific condition or trigger occurs

· Keyloggers record user's keystrokes and are used to capture password and other sensitive
information

· Spyware secretly monitors and gathers user information or activities and sends data to third
parties

· Bloatware unnecessary or preinstalled software that consumes system resources and space
without offering and value in return

Malware Exploitation Techniques involve methods by which malware infiltrates and infects targeted
systems

Different type of malware attacks

Computer Virus malicious code that's ran on a machine without the user's knowledge and this allows
the code to infect the computer whenever it has been ran

· Boot sector virus stored in the first sector of the HD or SDD and is then loaded into memory
whenever the computer boots up

· Macro virus a form of code that allows a virus to be embedded inside another document so that
when that document is opened by the user the virus is executed

· Program virus tries to find executables or application files to infect with their malicious code

· Multipartite virus a combination of a boot sector and program virus

· Encrypted virus designed to hide itself from being detected by encrypting is malicious code or
payloads to avoid detection by any antivirus software
 · Polymorphic virus advanced version of an encrypted virus but instead of just encrypting the
contents, it will actually change the virus's code each time it is executed by altering the
decryption module in order for it to evade detection

· Metamorphic virus advanced version of an polymorphic virus which is able to rewrite itself
entirely before it attempts to infect a given file

· Stealth virus not necessarily a specific type of virus as much as it is a technique used to prevent
the virus from being detected by the anti-virus software

· Armor virus have a layer of protection to confuse a program or a person who's trying to analyze
it

· Hoax virus a form of technical social engineering that attempts to scare end users into taking
undesirable action on their system

Worm piece of malicious software, much like a virus but it can replicate itself without any user
interaction

· Can infect the workstation and other computing assets

· Can cause disruptions to the normal network traffic since they are constantly trying to replicate
and spread across the network

Trojan a piece of malicous software disguised as a piece of harmless or desirable software

· Remote Access Trojan(RAT) type of trojan that is widely used by modern attackers because it
provides the attack with remote control of a victim machine

Ransomware type of malicious software that is designed to block access to a computer or its data by
encrypting it until a ransom is paid to the attacker

Botnet networker of compromised computer or devices controlled remotely by malicious actors

Zombie name of a compromised computer or device that is part of a botnet and used to perform tasks
using remote commands

Command and Control Node(C2 Node) responsible for managing and coordinating the activities of other
nodes or devices within a network

Rootkit type of software that is designed to gain administative-level control over a given computer
without being detected

Kernel Mode allows a system to control access to things like device drivers, sound card and monitor

DLL Injection technique used to run arbitrary code within the address space of another process by
forcing it to load a dynamic-link library
Shim software code that is placed between two components

Backdoor used to bypass the normal security and authentication functions

Easter Egg insecure coding practice that was used by programmers to provide a joke or a gag gift to the
users

Keylogger piece of software or hardware that records every keystroke that is made on a computer or
mobile device

Spyware type of malicious software that is designed to gather and send information about a user or
organization

Bloatware any software that comes pre-installed on a new computer or smartphone

· Waste storage space

· Slows down the performance of devices

· Introduces new security vulnerabilities into systems

Exploit Technique describes the specific method by which malware code infects a target host

Fileless Malware used to create a process in the system memory without relying on the local file system
of the infected host

Stage 1 Dropper or Downloader when a user clicks on a malicious link or opens a mailicious file,
malware is installed

· Dropper initiates or runs other malware forms within a payload on an infected host

· Downloader retrieves additional tools post the inital infection facilitated by a dropper

· Shellcode Encompasses lightweight code meant to execute an exploit on a given target

Stage 2 Downloader download and install a RAT to conduct command and control on the victimized
system

"Actions on objectives" Phase threat actors will execute primary objectives to meet core objectives(data
exfiltration or file encryption)

Concealment used to help the threat actor prolong unauthorized access to a system by hiding tracks,
erasing log files and hiding any evidence of malicious activity

Malware Delivery

· Code injection

· DLL Sideloading
 · Masquerading

· Process hollowing

· DLL injection

"Living off the land" the threat actors try to exploit the standard system tools to perform intrusions

· Powershell which is a system that has internalized commands

Indications of malware attacks

· Account lockouts

· Credential theft or brute force attacks, will trigger multiple failed login attempts that could
result in a user's account being locked out. These lockouts aren't merely an inconvenience
though, they're a bright red flag that somebody is trying to break into your network.

· Concurrent session utilization

· A single user account has multiple simultaneous or concurrent sessions open, especially
from various geographic locations, this should really be a cause for concern and suspicion.

· Blocked content

· A sudden increase in the amount of blocked content alerts you're seeing from your security
tools, this is a strong indication that a malware infection may have successfully penetrated
your system.

· Impossible travel

· A user's account is accessed from two or more geographically separated locations in an

impossibly short period of time.

· Resource consumption

· If you're observing any unusual spikes in CPU, memory, or network bandwidth utilization
that can't be linked back to a legitimate task, that could be an indication that you're the
victim of a malware attack.

· Resource inaccessibility

· If you have a large number of files or critical systems that are suddenly inaccessible to you,
Or if users receive messages demanding payment to decrypt their data, this is a pretty clear
sign of a ransomware based malware attack.

· Out-of-cycle logging
 · If you're noticing that your logs are being generated at odd hours, or during times when no
legitimate activities should have been taking place, such as in the middle of the night when
no employees are actively working, this could be an indication that you're the victim of a
malware attack.

· Missing logs

· If you're conducting a log review as a cybersecurity analyst, and you see there's a large gap
in your logs, or if the logs have been cleared out completely without any authorized reason,
this could be a good indication that you are the victim of some kind of malicious activity or
malware attack.

· Documented attacks

· If a cybersecurity researcher or reporter publishes a report that shows that your

organization's network has been infected as part of a botnet or other malware based attack,
this will serve as your notice that you've been attacked.

DATA PROTECTION

Data protection process of safeguarding important information from corruption, compromise or loss

Data sovereignty information is subject to the laws and governance strctures with the nation where it is
collected

Data loss prevention(DLP) strategy for ensuring sensitive or critical information does not leave an
organization

Data classification category based on the organizations value and the sensitivity of the infromation if it
were to be disclosed

Sensitive data any information that can result in a loss of security or a loss of advantage to a company
especially if it's accessed by unauthorized persons

Commercial Business Classification Levels

· Public Data has no impact on the company if released and is often posted in an open-source
environment

· Sensitive data has mininmal impact if released(organization's financial data)

· Private data contains data that should only be used within the organization

· Confidential Data contains items such as trade secrets, intellectual property data and source
code that affects the business if disclosed

· Critical data contains valuable information

Government Classification Levels

· Unclassified data that can be released to the public or under the freedom of information act

· Sensitive but unclassified data would not hurt national security if released but could impact
those whose data was being used

· Confidential data that could seriously affect the government if unauthorized disclosures happen

· Secret data that could seriously damage national security if disclosed

· Top secret data that would greatly damage national security if disclosed

Data ownership process of identifying the person responsible for the confidentiality, integrity, availability
and privacy of the information assets

· Data owner senior executive role that has the responsibility for maintaining the confidentiality,
intergrity and availability of the information asset

· Data controller entity that holds responsibility for deciding the purposes and methods of data
storage, collection, usage and for guaranteeing the legality of processes

· Data processor group or individual hired by the data controller to help with tasks like collecting,
storing or analyzing data

· Data steward focused on the quality of the data and the associated metadata

· Data custodian responsible for handling the management of the system on which the data
assets are stored

· Privacy officer role that is responsible for the oversight of any kind of privacy-related data like
PII, SPI, or PHI

Data at rest refers to any data stored in databases, file systems or other storage systems

· Full disk encryption(FDE) encrypts the entire hard drive

· Partition encryption encrypts specific partitions of a hard drive, leaving other partitions
unencrypted

· File encryption encrypts individual files

· Volume encryption encrypts a set of selected files or directories

· Database encryption encrypts data stored in a database

· Record encryption encrypts specific fields within a database record

Data in transit/Data in motion refers to data actively moving from one location to another such as
across the internet or through a private network

· Secure Sockets Layer(SSL) or Transport Layer Security(TLS) are cryptographic protocols designed
to provide secure communication over a computer netowrk

· Virtual Private Network(VPN) technology that creates a secure connection over a less secure
network(internet)

· Internet protocol security(IPSec) protocol suite used to secure IP communications by

authenticating and encrypting each IP packet in a data stream

Data in use refers to data in the process of being created, retrieved, updated or deleted

· Encryption at the application level, access controls and secure enclaves, where data can be
processed in a protected isolated environment

· Some mechanisms like the Intel software guard are able to encrypt data as it exists in memory so
that an untrusted process cannot decode the information

Regulated data information controlled by laws, regulations or industry standards

· Personal Identification Information(PII) Any information that can be used to indentify an

individual

· Protected Health Information(PHI) Any information about health status, provision of healthcare
or payment for healthcare that can be linked to a specific individual

· Trade secrets type of confidential business information that provides a company with a
competitive edge

· Intellectual Property(IP) Creations of the mind such as inventions, literary and artistic works,
designs and symbols

· Legal information includes any data related to legal proceedings, contract or regulatory
compliance

· Financial Information includes data related to an organizations financial transactions such as

sales records, invoices, tax documents and bank statements

· Human-readable data information that can be understood by humans without the need for a
machine or software

· Non-human readable data information that requires a machine or software to interpret

Data sovereignty refers to the concept that digital information is subject to the laws of the country in
which it is located

· based on the principle that information is subject to the laws of the nation where it is collected
 or processed

Geographical conisderations the geographical location of data storage and processing can significantly
impact businesses

General Data Protection Regulation(GDPR) has stringent rules for data protection and grants individuals
strong rights over their personal data

Different ways to secure data

· Geographic restrictions(Geofencing) involves setting up virtual boundaries to restrict data

access based on geopgraphic locations

· Encryption fundamental data security method that transforms readable data(plaintext) into
unreadable data(cipher text) using an algorithm and an encryption key

· Hashing technique that converts data into a fixed size numerical or alphanumeric characters
known as a hash value

· Masking involves replacing some or all of the data in a field with a placeholder such as "x" to
conceal the original content

· Tokenization replaces sensitive data with non-sensitive subsitutes known as tokens

· Obfuscation involves making data unclear or unintelligible making it difficult for unauthorized
users to understand

· Segmentation involves dividing a network into separate segments each with its own security
controls

· Permission restrictions involve defining who has access to specific data and what they can do
with it

Data loss prevention(DLP) set up to monitor the data of a system while it's in use, in transit or at rest in
order to detect any attempts to steal the data

Endpoint DLP System a piece of software that's installed on a workstation or a laptop and is going to
monitor the data that's in use on that computer

Network DLP System a piece of software or hardware that's a solution place at the perimeter of the
network to detect data in transit

Storage DLP a software that is installed on a server in the data center and inspects the data while it's at
rest on the server

Cloud-based DLP System usually ofered as software-as-a-service and it's part of the cloud service and
storage needs
 CRYPTOGRAPHIC SOLUTIONS

Crpytography practice and study of writing and solving codes to hide the true meaning of the
information

Encryption process of converting ordinary information(plain text) into unintelligble form(cipher text)

Data at rest inactive data that is being archived

Data in transit data that moves across the network, resides in the RAM, or moves to and from the
processor

Data in use data undergoing a current constant state of change

ROT13 Cipher means rotate 13 spots

Cipher an algorithm that performms the encryption or decryption

Encryption strength comes from the key not the algorithm

Key is the essential piece of information that determines the output of the cipher

Symmetric Algorithms use the same key for both encryption and decryption

· Data encryption standard(DES) encryption algorithm which breaks the input into 64-bit blocks
and used transposition and substitution to create ciphertext using an effective key strength of
only 56-bits

· Triple DES(3DES) encryption algorithm which uses three separate symmetric keys to encrypt,
decrypt, then ecrypt the plaintext into cipher text in order to increase the strength of DES

· International Data Encryption Algorithm(IDEA) symmetric block cipher which uses 64-bit blocks
to encrypt plaintext into ciphertext

· Advanced encryption standard(AES) symmetric block cipher that uses 128-bit, 192-bit or 256-bit
blocks and a matching encryption key size to encrypt plaintext into ciphertext(using a single key)

· Blowfish symmetric block cipher that uses 64-bit blocks and a variable length encryption key
torep encrypt plaintext into ciphertext

· Twofish provides the ability to use 128-bit blocks in its encryption algorithm and uses 128-bit,
192-bit or 256-bit encryption keys

· RC Cipher Suite created by Ron Rivest a cryptographer who's created six algorithms under the
name RC which stands for Rivest Cipher

· RC4 symmetric stream cipher using a variable key size from 40-bits to 2048-bits that is used
in SSL and WEP
 · RC5 symmetric block cipher that uses key sizes up to 2048-bits

· RC6 symmetric block cipher that was introduced as a replacement for DES but AES was
chosen instead

Asymmetric Algorithms use a pair of keys, a public key for encryption and a private key for decryption.
Does not require a shared secret key, often referred to as a public key cryptography since their key is
considered to be freely and openly available to the public

· Diffie-hellman(DC) used to conduct key exchanges and secure key distribution over an unsecure
network

· Used for the key exchange inside of creating a VPN tunnel establishment as part of IPSec

· RSA(Rivest, Shamir and Adleman) asymmetrict algorithm that relies on the mathematical
difficulty of factoring large prime numbers

· can support key sizes between 1024-bits and 4096-bits

· Elliptic Curv Cryptography(ECC) heavily used in mobile devices and is based on the algebraic
structure of elliptical cures over finite fields to define its keys

· ECC with a 256-bit key is just as secure as RSA with a 2048-bit key

· Elliptic curve diffie-helman(ECDH) ECC version of the popular Diffie-helman key exchange
protocol

· Elliptic curve diffie-helman ephermeral(ECDHE) uses a different key for each portion of the
key establishment process inside the diffie-helman key exchange

· Elliptic curve digital signature algorithm(ECDSA) used as a public key encryption algorithm
by the US Government in their digital signatures

Steganography the practice of hiding secret data within ordinary, non-secret files or messages to avoid
detection

Tokenization substitutes sensitive data elements with non-sensitive equivalents called tokens

Data masking/Data obfuscation process of disguising original data to protect sensitive information while
maintaining its authenticity and usability

Symmetric Algorithm(Private key) encryption algorithm in which both the sender and receiver must
know the same shared secret using a privately held key

Asymmetric algorithm(Public key) encryption algorithm where different keys are used to encrypt and
decrypt the data

Hybrid implementation utilizes a asymmetric encryption to securely transfer a private key that can
bused with symmetric encryption

Stream cipher utilizes a keystream generator to encrypt data bit by bit using a mathematical XOR
function to create the ciphertext

Block cipher breaks the input into fixed-length blocks of data and performs the encryption on each block

Digital signature a hash digest of a message encrypted with the sender's private key to let the recipient
know the document was created and sent by the person claiming to have sent it

· created by hashing a file and then taking that resulting hash digest and encrypting it with a
private key

Hashing one-way cryptographic function that takes an input and produces a unique message digest as its
output

· MD5 creates a 128-bit hash balue that is unique to the input file

· Can only create a limited number of unique values and this can lead to two files having the
exact same resulting hash digest which is a collision

· Secure hash algorithm family(SHA)

· SHA-1 creates a 160-bit hash digest which significantly reduces the number of collisions that
occur

· SHA-2 family of hash functions that contains longer hash digests

· SHA-224, SHA-256, SHA-348, and SHA-512 hashing functions. And each of those has a
digest between 224 bits up to 512 bits, as their name suggests

· Each version of SHA performs a different number of rounds of mathematical

computations to create the hash digest

· SHA-3 newer family of hash functions and its hash digest can go between 224-bits and 512-
bits

· Uses 120 rounds of computations compared to the 64-80 rounds used by SHA--2

· RACE integrity primitive evaluation message digest(RIPEMD) comes in 160-bit, 256-bit and 320-
bit versions

· RIPEMD-160 open source hashing algorithm that was created as a competitor to the SHA
family

· Hash-based message authentication code(HMAC) used to check the integrity of a message and
provides some level of assurance that its authenticity is real
 · Paired with algorithms

· HMAC-MD5, HMAC-SHA1 or HMAC-SHA256

Digital Security Standard(DSS) relies upon a 160-bit message digest created by the DSS

Mimikatz(penetration tool) provides the ability to automate the process of harvesting the hashes and
conducting the attack

Pass-the-hash-attack hacking technique that allows the attacker to authenticate to a remote server or
service by using the underlying hash of a user's password instead of requiring the associated plaintext
password

Birthday attack occures when an attacker is able to send two different messages through a hash
algorithm and it results in the same indentical hash digest referred to as a collision

Key stretching technique that is used to mitigate a weaker key by increasing the time needed to crack it

Salting adding random data into a one-way cryptographic hash to help protect against password cracking
techniques

Dictionary attack when an attacker tries every word from a predefined list

Brute-force attack when an attacker tries every possible password combination

Rainbow tables precomputed tables for reversing cryptographic hash function

Nonce stands for "number used once" is a unique often random number that is added to password-
based authentication process

Public key infrastructure(PKI) an entire system of hardware, software, policies, procedures and people
that is based on asymmetric encryption

· framework for managing digital keys and certificates that facilitate secure data transfer,
authentication and encrypted communications over networks

· Utilizes public key cryptography

Certificate Authority issues digital certificates and keeps the level of trust between all of the certificate
authorities around the world

Key escrow process where cryptographic keys are stored in a secure, third-party location which is
effectively an "escrow"

Digital Certificate digitally signed electronic document that binds a public key with a user's identitiy

· Wildcard certificate allows all of the subdomains to use the same public key certificate and have
it displayed as valid
 · Subject alternate name(SAN) field certificate that specifies what additional domains and IP
addresses are going to be supported

· Single-sided certificate only requires the server to be validated

· Dual-sided certificate requires both the server and the user to be validated

· Self-signed certificate digital certificate that is signed by the same entity whos indentity it
certifies

· Third-party certificates digital certificates issued and signed by a trusted certificate authority(CA)

· Root of trust each certificate is validated using the concept of a root of trust or chain of trust,
which moves from the bottom to the top(certification path)

· Certificate authority(CA) trusted third party who is going to issue these digital certificates

· Registration Authority requests identifying information from the user and forwards that
certificate request up to the certificate authority to create the digital certificate

· Certificate Signing Request a block of encoded text that contains infromation about the entity
requesting the certificate

· Organizations name, domain name, locality and country

· Certificate Revocation List(CRL) serve as an online list of digital certificates that the certificate
authority has already revoke

· Online Certification Status Protocol(OCSP) allows to determine the revocation status of any
digital certificate using its serial number

· OCSP Stapling allows certificate holder to get the OCSP record from the server at regular
intervals

· Public key pinning allows an HTTPS website to resist impersonation attacks from the users who
are trying to present fraudulent certificates

· Key escrow occurs when a secure copy of a user's private key is being held

· Key recovery agent specialized type of software that allows the restoration of a lost of corrupted
key to be performed

Blockchain shared immutable ledger for recording transactions, tracking assets and building trust

· really long series of information with each block containing information, each block contains
the hash of the block before it

· Public ledger a record-keeping system that maintains participants indentities in a secure and
 anonymous format

· Smart contracts self-executing contracts where the terms of agreement or conditions are written
directly into lines of code

· IBM focused on getting the blockchain into use inside of the commercial environment

· Permissioned blockchain used for business transactions and it promotes new levels of trust and
transparency using immutable public ledgers

· Blockchain technology is not limited to just the financial sector or cryptocurrencies; its
applications and potential span a wide array of industries

Trusted platform module(TPM) dedicated microcontroller designed to secure hardware through

integrated cryptographic keys

Hardware security module(HSM) physical device that safeguards and manages digital keys; primarily
used for mission-critical situations like financial transactions

· Not only does an HSM securely generate cryptographic keys, but it also provides accelerated
cryptographic operations

Key management system(KMS) integrated approach for generating, distributing and managing
cryptographic keys for devices and applications

Cover secure enclaves co-processor integrated into the main processor of some devices, designed with
the sole purpose of ensuring data protection

Steganography derived from the greek words meaning "covered writing: and it is all about concealing a
message within another so that the very existence of the message is hidden

· the primary goal here ins't just to prevent unauthorized access to the data, but to prevent the
suspicion that there's any hidden data at all

· frequently used alongside encryption for an extra layer of security

Tokenization transformative technique in data protection that involves subsituting sensitive data
elements with non-sensitive equivalents called tokens which have no meaningful value

Data masking used to protect data by ensuring that it remains recognizable but does not actually include
sensitive information

Cryptographic attacks techinques and strategies that adversaries employ to exploit vulnerabilities in
cryptographic systems with the intent tod compromise the confidentiality, integry or authenticity of data

· Downgrade attack aims to force a system into using a weaker or older cryptographic standard or
protocol than what it's currently utilizing
 · dangerous because they turn the very nature of evolving security, such as the development
of stronger more robust cryptographic protocols against itself

· Collision atack aims to find two different inputs that produce the same hash output

· collisions undermine the trust and reliability placed on cryptographic tools and they can
potentially allows malicious actors to impersonate trusted entities, forge digital signatures or
distribute tampered data while appearing genuine

· Quantum computing a computer that uses quantum mechanics to generate and manipulate
quantum bits(qubits) in order to access enormous processing powers

· instead of ones and zeros it uses quantum bits(qubits)

· Quantum communication a communications network that relies on qubits made of

photons(light) to send multiple combinations of ones and zeroes simultaneously which results in
tamper resistant and extremely fast communications

· Qubit a quantum bit composed of electrons or photons that can represent numerous
combinations of ones and zeroes at the same time through superposition

· designed for very specific use cases, such as very complex math problems or trying to do
something like modeling of an atom or some kind of atomic structure

· Post-quantum cryptography a new kind of cryptographic algorithm that can be implemented

using today's classical computers but is also impervious to attacks from future quantum
computers

· CRYSTALS-Dilithium

· FALCON

· SPHINCS+

RISK MANAGEMENT

Risk management fundamental process that involves identifying, analyzing, treating, monitoring and
reporting risks

Risk assessment frequency refers to how often the risk assessment process is conducted within an
organization. The regularlity with which risk assessments are conducted within an organization

· Ad-hoc risk assessments conducted as and when needed, often in response to a specific event
or sitatuon that has the potential to introduce new risks or change the nature of existing risks

· Recurring risk assessments conducted at regular intervals such as annually, quaterly or monthly

· One-time risk assessments conducted for a specific purpose and are not repeated
 · Continuous risk assessments ongoing monitoring and evaluation of risks

Risk identification recognizing potential risks that could negatively impact an organizations ability to
operate or achieve its objectives

Business impact analysis(BIA) process that involves evaluating the potential effects of disruption to an
organizations business functions and processes

· Recovery time objective(RTO) it represents that maximum acceptable length of time that can
elapse before the lack of a business function severely impacts the organization

· Recovery point objective(RPO) represents that maximum acceptable amount of data loss
measured in time

· Mean time to repair(MTTR) it represents the average time required to repair a failed
component or system

· Mean time between failures(MTBF) it represents the average time between failures

Risk management crucial for projects and businesses involving the indentification and assessment of
uncertainties that may impact objectives

Risk register(risk log) a document detailing identified risks, including their description, impact likelihood
and mitigation strategies(may also resemble the heat map risk matrix)

· Risk description entails identifying and providing a detailed description of the risk

· Risk impact potential consequences if the risk materializes

· Risk likelihood/probability chance of a particular risk occurring

· Risk outcome result of a risk, linked to its impact and likelihood

· Risk level or threshold determined by combining the impact and likelihood

· Cost pertains to its financial impact on the project, including potential expenses if it occurs or
the cost of risk mitigation

Risk tolerance/risk acceptance refers to an organization or individuals willingness to deal with

uncertainty in pursuit of their goals

Risk appetite signifies an organizations willingness to embrace or retain specific types and levels of risk
to fulfill its strategic goals

· Expansionary risk appetite organization is open to taking more risk in the hopes of achieving
greater returns

· Conservative risk appetite implies that an organization favors less risk, even it leads to lower
 returns

· Neutral risk appetite signifies a balance between risk and return

Key risk indicators(KRIs) essential predictive metrics used by an organizations to signal rising risk levels
in different part of the enterprise, used ot evaluate the impact and likelihood of risks, allowing proactive
management to prevent their escalation

Risk owner person or group responsible for managing the risk

Qualitative risk analysis a method of assessing risks based on their potential impact and likelihood of
their occurrence

Quantitative risk analysis method of evaluating risks that uses numerical measurements

· Exposure Factor(EF) proportion of an assest that is lost in an event

· Single loss expectancy(SLE) monetary value expected to be lost in a single event (Asset Value x
EF)

· Annualized rate of occurrence(ARO) estimated frequency with which a threat is expected to

occur within a year(SLE x ARO)

· Annualized loss expectancy(ALE) expected annual loss from a risk (SLE x ARO)

Risk management strategies

· Risk transference(risk sharing) involves shifting the risk from the organization to another
party(insurance or contract clauses)

· Contract indemnity claus a contractual agreement where one party agrees to cover the
other's harm, liability or loss stemming from the contract

· Risk acceptance recognizing a risk and choosing to address it when it arises

· Exemption provision that grants an exception from a specific rule or requirement(operating

without the safeguards of a rule)

· Exception provision that permits a party to bypass a rule or requirement in certain

situations(operating in a way that lets the evade the risk)

· Risk avoidance strategy of altering plans or approaches to completely eliminate a specific risk

· Risk mitigation implementing measures to decrease the likelihood or impact of a risk

Risk monitoring involves continuously tracking identified risks, assessing new risks, executing response
plans and evaluating their effectiveness during a project's lifecycle
Residual risk likelihood and impact afater implementing mitigation, transference or acceptance
measures on the initial risk

Control risk assessment of how a security measure has lost effectiveness over time

Risk reporting process of communicating information about risk management activities

· Informed decision-making offer insights for informed decisions on resource allocation, project
timelines and strategic planning

· Risk mitigation recognize when a risk is escalating to mitigate before becoming an issue

· Stakeholder communication assist in setting expectations and showing effective risk

management

· Regulatory compliance demonstrate compliance with these regulations

THIRD-PARTY VENDOR RISKS

Third-party vendor risks potential security and operational challenges introduced by external
suppliers(vendors, suppliers or service providers)

Supply chain attack attack that involves targeting a weaker link in the supply chain to gain access to a
primary target

Semiconductor essential components in a wide range of products from smartphones and cars to medical
devices and defense systems

4 things to safeguard from supply chain attacks

· Vendur due dilligence

· Regular monitoring and audits

· Education and collaboration

· Incorporating contractual safeguards

Vendor assessment process that organizations implement to evaluate the security, reliability and
performance of external entities

Penetration testing simulated cyberattack against the suppliers system to check for exploitable
vulnerabilities

Right to audit clause grants organizations the right to evaluate vendors

Internal Audit vendor's self-assessment where they evaluate their own practices against industry
standards or organizational requirements
Independent Assessment evaluation conducted by third-party entities that have no stake in the
organizations or vendors operations

Supply chain analysis used to dive deep into a vendors entire supply chain and assess the security and
reliability of each link

Due dilligence rigorous evaluation that goes beyond surface-level credentials

Conflict of interest arises when personal or financial rerlationships could potentially cloud the
judgement of individuals involved in vendor selection

Vendor questionnaires comprehensive documents that potential vendors fill out to offer insights into
the operations, capabilities and compliance

Rules of engagement guidelines that dictate the terms of interaction between an organization and its
potential vendors

Monitoring mechanism to ensure that the chosen vendor still aligns with the organizational needs and
standards

Feedback loops involve a two-way communication channel where both the organization and the vendor
share feedback

Different contracts

· Basic contract versatile tool that formally establishes a relationship between to parties

· Service-level agreement(SLA) the standard of service a client can expect from a provier

· Memorandum of agreement(MOA) Formal and outlines the responsibilities and roles of the
parties involved

· Memorandum of understanding(MOU) less bidning and more of a declaration of mutual intent

· Master Service agreement(MSA) blanket agreement that covers the general terms of
engagement between parties across multiple transactions

· Statement of work(SOW) used to specify details for a particular project

· Non-dislcosure Agreement(NDA) commitment to privacy that ensures that any sensitive

information shared during negotiations remains confidential between both parties

· Business Partnership Agreement(BPA)/Joint venture agreement(JVA) document that goes a

step beyond a basic contract when two entities decide to pool their resources for mutual benefit

GOVERNANCE AND COMPLIANCE

Governance overall management of the organizations IT infrastructure, policies, procedures and

operations align with its business objectives

· Framework includes the rules, responsibilities and practices that guide an organization in
achieving its goals and managing its IT resources

Compliance adherence to laws, regulations, standards and policies that apply to the operations of the
organization

Monitoring regularly reviewing and assessing the effectiveness of governance framework

Revision updating the governance framework to address these gaps or weaknesses

Governance Structures

· Boards a board of directors is a group of individualds elected by shareholders to oversee the

management of an organization

· Committees subgroups of a board of directors each with a specific focus

· Government Entities establish laws and regulations that organizations must comply with

· Centralized structures decision making authority is concentrated at the top levels of

management

· Decentralized structures distributes decision making authority throughout the organization

IT Policies

· Acceptable use policy(AUP) a document that outlines the do's and dont's for users when
interacting with an organizations IT systems and resources

· Information Security Policies outline how an organization protects its information assets from
threats both internal and external

· Data classification

· Access Control

· Encryption

· Physical security

· Business continuity focuses on how an organization will continue its crticial operations during
and after a disruption

· Disaster recovery focuses specifically on how an organization will recover its IT systems and data
after a disaster

· Incident response a plan for handling security incidents

 · Software development lifecycle(SDLC) guides how software is developed within an organization

· Change management aims to ensure that changes are implemented in a controlled and
coordinated manner, minimizing the risk of disruptions

Standards provide a framework for implementing security measures ensuring that all aspects of an
organizations security posture are addressed

· Password standards dictate the complexity and management of passwords which are the first
line of defense again unauthorized access

· Access control standards determine who has access to what resources within an organization

· Discretionary Access control(DAC) allows the order of the information or resource to decide
who can access it

· Mandatory Access Control(MAC) uses labels or classification to determine access

· Role-based access control(RBAC) assigns access based on roles within an orgnization

ensuring that users only have access to the resources necessary for their job functions

· Separations of duties prevents any single individual from having complete control over a critical
process or a system reducing the risk of insider threats

· Physical security standards these standards cover the physical measures taken to protect an
orgnizations assets and information

· Encryption standards ensure that data intercepted or accessed without authorization remains
unreadable and secure

Procedures systematic sequences of actions steps taken to achieve a specific outcome

· Change management systematic approach to dealing with changes within an orgnization

10. Need for change is identified

11. Plan is developed

12. Change is implemented

13. Review is conducted

· Onboarding process of integrating new employess into the organization

· Offboarding process of managing the transition when an employee leaves

· Playbooks checklist of actions to perform to detect and respond to a specific type of incident

Governance considerations
 · Regulatory considerations these regulations can cover a wide range of areas from data
protection and privacy to environmental standards and labor laws

· Legal considerations closely tied to regulatory considerations but they also encompass other
areas such as contract law, intellectual property and corporate law

· Industry considerations the specific standards and practices that are prevalent in a particular
industry

· Local considerations local ordinance in a city or zoning laws

· Regional considerations In California the Callifornia Consumer Privacy Act(CCPA)

· National Considerations laws like the Americans with Disabilities Act(ADA)

· Global Considerations General Data Protection Regulation(GDPR)

Compliance reporting systematic process of collecting and presenting data to demonstate adherence to
compliance requirements

· Internal compliance reporting collection and analysis of data to ensure that an organization is
following its internal policies and procedures

· External compliance reporting demonstrating compliance to external entities such as regulatory

bodies, auditors or customers often mandated by law or contract

Compliance monitoring the process of regularly reviewing and anaylzing an organizations operations to
ensure compliance with laws, regulations and internal policies

· Due diligence conducting an exhaustive review of an organizations operations to identify

potential compliance risks

· Due care the steps taken to mitigate these risks

Attestation formal declaration by a responsible party that the organizations processes and controls are
compliance

Acknowledgement recognition and acceptance of compliance requirements by relevant parties

Internal monitoring regularly reviewing an organizations operations to ensure compliance with internal
policies

External monitoring third-party reviews or audits to verify compliance with external regulations or
standards

Automatic in compliance automated compliance systems can streamline data collection, improve
accuracy and provide real-time compliance monitoring
 AUDITS AND ASSESSMENTS

Audits systematic evaluation of an organizations information systems, applications and security controls

· Internal audit conducted by organizations own audit team

· External audit performed by third party entities

Assessments performing a detailed anaylsis of an organizations security system to identify

vulanerabilties and risks

Penetration Testing simulated cyber attack against a computer system, network or web application

Attestation of findings formal written declaration or confirmation of the results or outcomes of an audit
or assessment

Internal audits systematic evaluation of the effectiveness of internal controls, compiance, and integrity
of information systems and processes

14. Review access control policies and procedures for alignment with best practices and regulatory
requirements

15. Examine access rights

16. Verify access rights processes, including approvals and timely revocation

17. Test the effectiveness of access controls

18. Document findings to serve as basis for recommending access control policy and procedure
improvements

Audit committee group of people responsible for supervising the organizations audit and compliance
functions

Internal assessment an in depth analysis to identify and assess potential risks and vulnerabilities in an
orgnizations informations system

Self assessment internal review conducted by an organization to gauge its adherence to particular
standards or regulations

Minnesota Counties intergovernmental trust(MCIT) created a checklist to help members reduce data
and cyber security risk by identifying and addressing vulnerabilities

External audit systematic evaluation carred out by external entities to assess an organizations
information systems and control

External assessment detailed analysis conducted by independent entities to identify vulnerabilties and
risks
Examinations comprehensive security infrastructure inspections that are conducted externally

· Review policies, procedures, controls and address weaknesses

Independent third-party audit offers validation of security practices, fostering trust with customers,
stakeholders and regulatory authorities

Penetration Testing(Pentesting) simulated cyber attack that helps in the assessment of computer
systems for exploitable vulnerabilties

· Physical Pentesting testing an organization physical security through testing locks, access cards,
security cards and other physical security measures

· Offensive Pentest(Red Teaming) proactive approach that involves use of attack techniques, akin
to real cyber threats that seek and exploit system vulnerabilties

· Defensive Pentesting(Blue teaming) reactive approach that entails fortifying systems,

indentifying and addressing attacks and enhancing incident response times

· Integrated Pentesting(Purple teaming) combination of aspects of both offensive and defensive

testing into a single penetration test

Reconnaissance an initial phase where critical information about a target system is gather to enhance an
attacks effectiveness and success

· Active reconnaissance direct engagement with the target system offering more information but
with a higher detection risk

· Passive reconnaissance gathering information without direct engagement with the target
system offering lower detection risk but less data

Known environment detailed target infrastructure information from the organization is received priot to
the test

Partially known environment involves limited information provided to tests who may have partial
knowledge of the system

Unknowne environment testers receive minimal to no information about the target system

Pentest Tools

· NMAP utilized port scanning

· Metasploit launch, exploit and gain access to a remote target

· Multi-purpose compuer security and penetration testing framework that encompasses a

wide array of powerful tools, enabling the execution of penetration tests
Attestation process that inolves the formal validation or confirmation provided by an entity that is used
to assert the accuracy and authenticity of specific information

Software attestation inovlves validating the integrity of software by checking that it hasn't been
tampered with or altered maliciously

Hardware attestation involves validating the integrity of hardware components

System attestation involves validating the security posture of a system

CYBER RESILIENCE AND REDUNDANCY

Cyber resilience entities ability to continuously deliver the intended outcome despite adverse cyber
events

Redundancy involves having additional systems, equpment or processes to ensure continued

functionality if the primary ones fail

Data redundancy achieved by having redundant storage devices all working together to protect your
data

Capacity planning strategic process that organizations use to ensure having the necessary resources

High availability the ability of a service to be continuously available by minimizing the downtime to the
lowest amount possible

Uptime the number of minutes or hours that the system remain online over a given period and this
uptime is usually expressed as a percentage

Load balancing the process of distributing workloads across multiple computing resources

Clustering the use of multiple computers, multiple storage devices and redundant network connections
that all work together as a single system to provide high levels of availability, reliability and scalability

Redundancy the duplication of critical components or functions of a system with the intention of
increasing the reliability of the system

Redundant Array of Independent Disks(RAID) combines multiple physical storage dvices into a single
logical storage devides that's recognize by your system

· RAID 0 provides data striping across multiple disks to increase performance, enhances
performance by spreading data across multiple drives without fault tolerance

· RAID 1 mirrors data for redundancy across two HDD's or SSD's, mirrors data across drives for
increased read performance and data intergrity

· RAID 5 stripes data with parity, using at least three storage devices, spreads data and parity
across disks for performance and fault tolerance
 · RAID 6 uses data striping across multiple devices with two pieces of parity data, enhances RAID
5 by using double parity across multiple drivers for better fault tolerance

· RAID 10 combines RAID 1 and RAID 0, featuring mirrored arrays in a striped setup, combbines
RAID 1 and RAID 0 for performance, fault tolerance and data redundancy

Failure-resistant use of redundant storage to withstand hardware malfunctions without data loss

Fault-tolerant use of RAID 1,5,6 and 10 for uninterrupted operation during hardware failures

Disaster-tolerant protects data from catastrophic events

Capacity planning curcial strategic planning to meet future demands cost-effectively

· People involves analyzing current skills and forecasting future needs for hiring or training

· Technology involves assessing current resources, utilization and anticipating future technological
needs

· Infrastrcture involves considering physical space and utilities to support organizational

operations

· Process aims to optimize business processes to handle demand fluctuations

Power

· Surges small and unexpected increase in the amount of voltage that is being provided

· Spikes short transient voltage that is usually caused by a short circuit, a tripped circuit breaker,
power outage or a lightning strike

· Sags a small and unexpected decrease in the amount of voltage that is being provided

· Undervoltage events occurs when the voltage is reduced to lower levels and usually occurs for a
longer period of time

· Full power loss events occurs when there is a total loss of power for a given period of time

Line conditioner used to overcome any minor fluctuations in the power being received by the given
system

Uninterruptible power supply(UPS) device that provides emergency power to a system when the
normal input power source has failed

Generator machine that converts mechanical energy into electrical energy for use in an external circuit
through the process of electromagnetic induction
Power distribution centers(PDC) acts as a central hub where power is received to all systems in the data
center

Data backup the process of creating duplicate copies of digital information to protect against data loss,
corruption or unavailability

Encryption on backups fundamental safeguard that protects the backup data from unauthorized access
and potential breaches

Journaling maintaining meticulous record of every change made to an organizations data over time

Continuity of operations plans ensures an organizations ability to recover from disruptiive events or
disasters

· Business continuity plan(BCP) addresses responses to disruptive events

· preventitive actions and recovery steps for various threats not limited to technical
disruptions

· Disaster recover plan(DRP) considered as a subset of BCP, focuses on how to resume operations
swiftly after a disaster

· focuses on how to resume operations after a disaster

Redundant site alternative sites for backup in case the primary location encounters a failure or
interruption

· Hot site fully equipped backup facility ready to swiftly take over in case of a primary site failure
or disruption

· Warm site a partially equipped backup site that can become operational within days of a
primary site disruption

· Cold site a site with no immediate equipment or infrastructure but can be transformed into a
functional backup facility

· Mobile site a versatile site that utilizes independent and portable units like trailers or tents to
deliver recovery capabilities

· Virtual site utilizes cloud-based environments and offers highly flexibile approach to redundancy

· Virtual hot site fully replicated and instantly accessible

· Virtual warm site partially replicated and scalable

· Virtual cold site minimal activation to minimize costs

Platform diversity a vital aspect in redundant site design that uses different platforms to prevent single
points of failure in disaster recovery

· Cloud-provider entails spreading resources across multiple cloud providers or regions, reducing
the risk of a single platform outage

Resilience testing assesses the systems ability to withstand and adapt to disruptive events

Recovery testing will evaluate a systems ability to return to regular functioning following a disruptive
event

Tapletop exercise simulated to discussion to improve crisis rediness without deploying resources

Failover test verifies seamless system transition to a backup for uninterrupted functionality during
disasters

Simulation computer-generated representation of real-world scenarios

Parallel processing replicates data and processes onto a secondary system, running both in parallel

In resilience testing tests ability to handle multiple failure scenarios

In recovery testing tests efficiency to recover from multiple failure points

SECRUITY ARCHITECTURE

Security architecure design, structure, and behavior of an organizations information security

environment

Serverless computing model where the cloud provider dynamically manages the allocation and
provisioning of servers

Software-defined Networking(SDN) network management method that allows dynamic and efficient
network configuration to improve performance and monitoring

Infrastrcture as code(IaC) IT setup where developers use software to manage and provision the
technology stack for an application

Internet of things(IoT) network of physical devices, vehicles and appliances with sensors, software and
network connectivitiy

Industrial Control System(ICS) types of control systems used in industrial production

Supervisory control and data acquisition(SCADA) used to control and monitor physical processes

Cloud computing delivery of computing services over the internet

· Servers

· Storage
 · Databases

· Networking

· Software analytics

· Intelligence

Responsibility Matrix outlines the division of responsibilities between the cloud service provider and the
customer

Third party vendors provide specialized services that enhance the functionality, security and efficiency
of cloud solutions

Hybrid solutions combine on-premise infrastructure, private cloud services and public cloud services

On-premise solutions computing infrastructure that's physically located on-site at a business

Availability systems ability to be accessed when needed

Resilience systems ability to recover from failures and continue to function

Cost it's essential to consider both the immediate and long-term costs of cloud adoption

Responsiveness refers to the speed at which the system can adapt to changes in demand

Scalability system's ability to handle increased workloads

Ease of deployment cloud services are easier to deploy than on-premise solutons

Risk transference when using the cloud services, some risks are transferred to the provider

Ease of recovery cloud services often offer easy data recovery and backup solutions

Patch availability cloud service providers regularly release patches to fix vulnerabilities

Inability to patch businesses might not be able to apply patches due to compatability issues

Power customers don't have to worry about power consumption

Compute amount of computational resources that a customer can use

Shared physical server vulnerabilities can lead to vulernabilities if one user's data is compromised

Inadequate virtual environment security can lead to unauthorized access, data breaches and other
security incidents

User access management can lead to unauthorized access to sensitive data and systems

Lack of up to date security measures can lead to leaving the system vulernable to new threats
Single points of failure can lead to a complete system outage affecting all users

Weak authentication and encryption practices can lead to allowing unauthorized users to gain access to
cloud systems

Unclear policies lack of clear guidelines or procedures for various security aspects

Data remnants residual data left behind after deletion or erasure processes

Virtualization technology that allows for the emulation of servers

· Type 1 Hypervisor known as a bare metal or native hypervisor, runs directly on the host
hardware and functions similarly to an operating system

· Type 2 Hypervisor operates within a standard operating system such as windows, mac or linux

Containerization lightweight alternative to full machine virtualization

Virtual machines are segmented and separated by default

Virtual Machine escape occurs when an attacker is able to break out of none of these normally isolated
virtual machine

Privilege elevation occurs when a user is able to gain the ability to run functions as a higher level user

Live migration of virtaul machines when a virtual machine needs to move from one physical host to
another

Resource reuse concept in computing where system resources like memory or processing power are
reused

Serverless model where the responsibility of managing servers, databased and some application logic is
shifted away from developers

Microservices a software achritecture where large applications are broken down into smaller and
independent services

Physical separation/air gapping isolation of a network by removing any direct or indirect connections
from other networks

Logical separation creates boundaries within a network, restricting access to certain areas

Software-defined networking(SDN) enables efficient network configuration to improve performance

and monitoring

Data plane also called the forwarding plane that is reponsible for handling packets and makes decisions
based on protocols
Control plane the brain of the network that decides where traffic is sent and is centralized SDN

Application plane the plane where all network applications interacting with the SDN controller reside

Infrastructure as code(IaC) a method in which IT infrastructures are defined in code files that can
versioned, tested and audited

Snowflake system a configuration that lacks consistency that might introduce risks so it has to be
eliminated

Idempotence the ability of an operation to produce the same results as many times as it is executed