- CIA (objectives for the cyber defender)
- CNSSI 4009
- NIST
- Access control
- Symmetric key VPN uses PSK
- Confidentiality, Integrity and Availability
- Integrity incomplete: authenticity
- Integrity: add authenticity and non-repudiation
- Not an objective but a technique to achieve an objective
- Not used in non-repudiation: a shared secret; you must use a private key
- A pre-shared key does not achieve non-repudiation
- Integrity: guarding against improper information modification, and includes ensuring information authenticity (this is NIST’s definition, but without non-repudiation and without protection against destruction)
- MAC: Message Authentication Codes
- Non-repudiation: a security objective that seeks to prevent an entity from being able to falsely deny having participated in a transaction (sender is assured of receipt by recipient, and recipient is assured of identity of sender)
- CIA threats: C: Unauthorized Disclosure; I: Unauthorized Modification or Impersonation (called spoofing or masquerading); A: Denial of Service (DOS)
- Threat x Vulnerability x Impact / Security Controls (or safeguards or countermeasures)
- Principle Of Least Privilege
- Security Technical Implementation Guide, or Hardening guides, or Secure configuration guides
- We have no control over impact
- CIA, Threat, Vuln, Sec Control
- People, Operations, Technology
- Risk equation (FIPS_199, FIPS_200)
- Reduce the risk to an acceptable level
- PLOP
- STIG
- The cyber matrix 3x3
- The cyber matrix 3x3x3
- IATFF
- Digital Signatures
- Uninterruptible Power Supplies
- Employing easily “cracked” passwords
- A “replay” attack
- Syn-Flood attack
- Maintain an alternate “hot” site
- Having no backup means for transmission
- Transporting sensitive data on unencrypted USB drives
- IA Technical Framework Forum
- “Essentially, organizations address IA needs with people executing operations supported by technology”
- Tech: SecCont-I; Tech: SecCont-A; Tech: Vuln-C; Tech: Threat-I; Tech: Threat-A; OPS: SecCont-A; OPS: Vuln-A; OPS: Vuln-C
- “Wardriving”
- “Phishing”
- Background Checks
- Insufficiently trained personnel
- Forging a signature
- Vulnerability sources
- Passive vs Active Attack
- DOS
- Observation attack, sniffing, IVS dropping
- Redirection attack
- Impersonation, spoofing, masquerading
- Modification attack
- Hijack attack
- Man-in-the-middle attack
- Replay attack
- Protect good bits
- Identify and block bad bits
- Confidentiality
- OPS: Threat-C; OPS: Threat-C; People: SecCont-CIA; People: Vuln-CIA; People: Threat-I
- nvd.nist.gov, cve.mitre.org, Symantec
- A C C I CI CI CI I
- Cryptography (C, I)
- Filtering and authentication (via crypto) to detect attackers

Confidentiality: assurance that information is not disclosed to unauthorized individuals, processes, or devices
- Preserving authorized restrictions on information access and disclosure
- Unauthorized disclosure of information violates C
- Need to Know
- PLOP: Principle Of Least Privilege
- Encryption
- Data classification
- Secrecy
- Passwords
- IAM: Identity and Access Management
- Technical controls
- Physical controls
- Protect from: shoulder surfing, social engineering

Integrity: guarding against improper information modification, and includes ensuring information authenticity (this is NIST’s definition, but without non-repudiation and without protection against destruction)
- Non-repudiation, authenticity
- Dual control
- Separation of duties
- Promoting trustworthiness
- Comparing hashes
- Backups
- Hashing
- Access controls
- Data validation checks
- Data consistency checks
- Accuracy
- Completeness
- Protect from: changing security log information

Availability: timely, reliable access to data and information services for authorized users
- Types of data that need to be protected
- Security policy
- AAA
- Spoofing attack
- Need to know
- Risk
- Vulnerability
- Threat
- Residual risk
- Administrative control
- Redundancy
- Control
- DR/BDR
- Failover
- Backups
- Increase system resiliency
- Equipment maintenance
- Update OS software
- Recovery after disaster
- Usability, timeliness
- Protect from: DOS, failed components, man-made, technical or natural disaster
- At Rest, In Transit, In Process
- Rules for user and admin requirements

- Authentication, Authorization and Accounting
- An impersonation attack that takes advantage of a trusted relationship between two systems?
- The need-to-know principle limits access to only those personnel involved directly in a specific area, topic, or project.
- The right to be forgotten is an aspect of the EU’s General Data Protection Regulation (GDPR).
- Least privilege is another personnel security principle that involves limiting permissions within a system or environment.
- Due care is a legal concept about the duty to stakeholders regarding potential harm to an organization.
- is the way risk might be realized, or an avenue of attack
- An attacker will try to exploit a
- is something that poses risk
- is something that reduces risk or impact
- Hacker
- is the risk remaining after controls have been applied. The terms minimized and fragmentary are not related to managing risk in this respect. Transferred risk is underwritten by a third party.
- A sign-in sheet at the reception desk
- Physical control
- Technical control
- Access controls
- Controls (safeguards or countermeasures) are implemented to mitigate risk and reduce the potential for loss
- Wall, Dog
- Firewall
- Smart cards
- Access controls give the organization the ability to control, restrict, monitor, and protect resource availability, integrity and confidentiality
- Authenticity is NOT a factor related to Access Control