<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Romanus Onyekwere</title>
    <description>The latest articles on DEV Community by Romanus Onyekwere (@romanus_onyekwere).</description>
    <link>https://dev.to/romanus_onyekwere</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1587565%2F915742a4-1cc0-4054-b292-a22e7c493ee0.jpg</url>
      <title>DEV Community: Romanus Onyekwere</title>
      <link>https://dev.to/romanus_onyekwere</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/romanus_onyekwere"/>
    <language>en</language>
    <item>
      <title>Introduction to Microsoft Security Copilot</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Tue, 10 Dec 2024 20:55:42 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/introduction-to-microsoft-security-copilot-266n</link>
      <guid>https://dev.to/romanus_onyekwere/introduction-to-microsoft-security-copilot-266n</guid>
      <description>&lt;p&gt;Chapter 1; What is Microsoft Copilot for Security?&lt;br&gt;
Chapter 2; The Workflow of Microsoft Copilot For Security&lt;br&gt;
Chapter 3; Get Started With Microsoft Copilot For Security&lt;br&gt;
Chapter 4; Create Effective Prompts&lt;br&gt;
Chapter 5; Handle Incidents With Microsoft Copilot For Security&lt;br&gt;
Chapter 6; Use Microsoft Copilot For Security in Microsoft Defender&lt;br&gt;
Chapter 7; Analyze Vulnerabilities With Microsoft Copilot For Security&lt;br&gt;
Chapter 8; Analyze Suspicious Code With Microsoft Copilot For Security&lt;br&gt;
Chapter 11; Hunt Threats With Microsoft Copilot For Security&lt;br&gt;
Chapter 12; Create Your Promptbooks&lt;br&gt;
Chapter 13; Query Uploaded Files&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 1; What is Microsoft Copilot For Security?&lt;/strong&gt;&lt;br&gt;
It is a virtual assistant powered by AI and designed for security analysis. Why do we need a Copilot for Security? Because it addresses some common challenges in cybersecurity. For example, we have too many security threats using all kinds of hacking techniques, too many alerts that overwhelm our security team, and too many manual tasks to analyze, mitigate, and report security incidents. On the other side, we have too few skills covering multiple knowledge domains, too few analysts who are experienced in security operations, and too few hours for incident response. But is it possible for us to manage security at machine speed and scale? A potential answer is using artificial intelligence, or AI; specifically, the rise of generative AI is transforming how we work and learn today. Generative AI became popular after OpenAI launched its ChatGPT application in late 2022. Powered by its large language model, ChatGPT can answer questions covering many domains, summarize documents, write articles and reports, analyze and generate code, and provide advice and recommendations. Partnering with OpenAI, Microsoft introduced Copilot, an AI-powered virtual companion to improve work productivity. Building on the Copilot architecture, &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcs8wvhbo374b7ds9v9bq.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcs8wvhbo374b7ds9v9bq.PNG" alt="Image description" width="512" height="225"&gt;&lt;/a&gt;&lt;br&gt;
Microsoft announced a series of products, such as Copilot for Windows, Microsoft 365, Dynamics 365, Power Platform, GitHub, and Copilot for Security, which you will learn about in this course. There are two ways to use Microsoft Copilot for Security. You can directly access its portal at securitycopilot.microsoft.com and enter your prompts, just like how you use ChatGPT. This is called the standalone experience. Or you can use Copilot within Microsoft security solutions, like Microsoft Defender, Intune, Entra, and Purview. This is called the embedded experience. What can you do with Microsoft Copilot for Security? &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Famf4otk1zx9a7auf9kfc.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Famf4otk1zx9a7auf9kfc.PNG" alt="Image description" width="484" height="228"&gt;&lt;/a&gt;&lt;br&gt;
Here are some common use cases: summarize security incidents, investigate and respond to incidents, write security reports, analyze vulnerability impact, analyze suspicious code, and generate scripts for threat hunting. To do that, Copilot for Security can work with various security solutions, such as XDR (extended detection and response), SIEM (security information and event management), IAM (identity and access management), cloud posture management, data protection, endpoint management, and threat intelligence.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 2; The Workflow of Microsoft Copilot For Security&lt;/strong&gt;&lt;br&gt;
Let's take one step deeper and look at the workflow of Microsoft Copilot for Security. Copilot for Security works as an orchestrator that interacts with three parties: user interfaces, including the Copilot for Security portal and Microsoft security solutions with Copilot embedded, like Microsoft Defender and Intune; plugins for integrating with Microsoft security products like Defender and Sentinel, and with third-party products like ServiceNow and Splunk; and AI services, including large language models like GPT, responsible AI for checking input prompts and output responses, and the underlying Azure OpenAI service. Here's how it works. First, a user prompt is sent to Copilot for Security. Next, Copilot for Security selects the right plugins to preprocess the prompt, so it can retrieve specific context. For example, it can call Microsoft Defender Threat Intelligence to get information about a vulnerability, based on the CVE ID in the user prompt. This process is called grounding. It helps the AI generate more relevant and actionable answers. Then the modified prompt is sent to the large language model. Next, the large language model generates results. Once the responsible AI check is completed, the LLM response is sent to Copilot for Security. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu4y8itr66nsyxplnoeny.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu4y8itr66nsyxplnoeny.PNG" alt="Image description" width="675" height="242"&gt;&lt;/a&gt;&lt;br&gt;
Then Copilot for Security chooses the plugins for post-processing, or grounding of the output. Finally, Copilot for Security sends the response, plus app commands if applicable, back to the requester. One thing I want to point out: the whole workflow is governed by the Microsoft Security Trust Boundary. In other words, your data are your data. They always remain within your company's boundary, and your data are not used to train the foundation AI models.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 3; Get Started With Microsoft Copilot For Security&lt;/strong&gt;&lt;br&gt;
Let's get started with Microsoft Copilot for Security. Open a browser, then enter the URL securitycopilot.microsoft.com. I will sign in with my Microsoft work account. On the Copilot for Security portal, the top area shows your session history. If this is your first time on Copilot for Security, you will see some learning information. In the middle area, you can explore some promptbooks. A promptbook is a collection of prompts working together to complete a security task. For example, this vulnerability impact assessment promptbook has four prompts. The prompt bar is where you interact with Copilot. You can ask anything about security, or click the prompts icon for prompt suggestions. Besides promptbooks, I can also leverage system capabilities. Click "See all system capabilities." There are many prebuilt prompts based on the plugins I have. I can search for a specific promptbook or system capability. For example, search for "script" and it will find it for me. Now let's enter a prompt. For example, I want to get an overview of recent cyber threats. I can enter, "Summarize cyber threats within the last seven days." Then click Submit. We get the response from Copilot for Security, and it provides some reference links. To see how Copilot worked on my request, I can expand the steps completed. First, based on my prompt, it chose the plugin Microsoft Defender Threat Intelligence. Then it looked up threat intelligence information and sent it to the large language model to process. Finally, it prepared the response, ran safety checks, and composed the output message. I can rate Copilot's response by selecting "It looks right," "Needs improvement," or "Inappropriate." I can export the response by saving it to a Word document, sending an email, or copying it to the clipboard. I can also pin this response to the pinboard so I can revisit it later. In addition, I can edit, resubmit, and delete this prompt. Copilot for Security keeps a history of my sessions. 
I can edit the session name at the top. For example, change it to "Summarize recent cyber threats," then click Save. Click Microsoft Copilot for Security at the top left to go back to the homepage. I can see my recent session shown on the homepage. Click the menu icon at the top left. I can view all my sessions, access the promptbook library, and adjust the settings, like preferences, user permissions, data, and privacy. Go back to the homepage. Click the sources icon in the prompt bar. Here, we can manage plugins. I can set up Copilot's access to Microsoft security products like Defender, Entra, Intune, and Sentinel, third-party products like ServiceNow and Splunk, and public websites, and add custom plugins. As we learned earlier, Microsoft Copilot for Security can use these plugins to pre-process your prompt and post-process the AI's response. I can also upload files like my security policies, which adds my organizational knowledge to Copilot and helps it generate more relevant responses. Click the question icon at the bottom right of the homepage. We can view documentation, or click Help to contact support. Now you should know the general operations of Microsoft Copilot for Security, but this portal is not the only place to access Copilot for Security. We can also use the embedded experience in some Microsoft security products like Microsoft Defender. I will show you later in this course.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 4; Create Effective Prompts&lt;/strong&gt;&lt;br&gt;
Microsoft Copilot for Security is powered by generative AI. To help it generate better responses, we need to create effective prompts. What is a prompt? Basically, it's an instruction you send to generative AI. Unlike programming languages such as Java or Python, we use natural language to create a prompt. For example, you can enter, "Suggest a seven-day California travel plan." Then, based on your prompt, generative AI applications like ChatGPT will generate the response. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6tpoad7y4n85axrg4ncj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6tpoad7y4n85axrg4ncj.png" alt="Image description" width="540" height="189"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Microsoft Copilot for Security is a generative AI application specializing in security, so your prompts should be security related. If you ask for a recommendation on your next vacation, Copilot for Security won't help with it. The effectiveness of your prompts directly affects the AI-generated responses. For example, let's compare two prompts: "List all incidents," versus, "Can you find the incidents within the last 60 days? It's for my status update with managers. Make output as a table with title, severity, status, and owner. Please check with Microsoft Defender." Which prompt do you think will better help get what you want from Copilot for Security? Did you select the second one? Then you are right. How can we create effective prompts? Actually, we just need to ask five basic questions: who, what, why, how, and where. Specifically, who means the role we want the AI to play. Copilot for Security has a predefined role as a knowledgeable security analyst, so we don't need to worry about this question, and we can simply address Microsoft Copilot for Security as "you." What means the goal we want to achieve with the AI. For example, to find the incidents within the last 60 days. Why means the context of our request. For example, the reason for finding incidents is my status update with managers. How means the output format we want. For example, output as a table with title and severity. And where means the source of our plugins or data. For example, check with Microsoft Defender to find incidents. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9o09vnq0okkpvyqtatq7.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9o09vnq0okkpvyqtatq7.PNG" alt="Image description" width="612" height="261"&gt;&lt;/a&gt;&lt;br&gt;
When we put these essential elements together, we get an effective prompt. In Microsoft Copilot for Security, you have three ways to provide prompts. You can write your prompts from scratch, use a system capability (a prebuilt prompt provided by one of your plugins), or use a promptbook (a collection of prompts working together to complete a task). Let's do a quick demo of using prompts in Microsoft Copilot for Security. Open the left menu, click My sessions, then click New session. In the prompt bar, enter a simple prompt, "List all incidents." Copilot for Security generates a response with some incidents. It looks okay, but it's not tailored to my status report. Now I will enter a prompt with my specific expectations: "Can you find the incidents within the last 60 days? It's for my status update with managers. Make output as a table with title, severity, status, and owner. Please check with Microsoft Defender." Click Submit. Expand the output message. Here's a table with the required information for my status report. I then click Export to Excel. So this prompt is more effective.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 5; Handle Incidents With Microsoft Copilot For Security&lt;/strong&gt;&lt;br&gt;
Incident investigation and response are critical to our security operations. Let's see how Microsoft Copilot for Security can help us handle incidents. In a typical security operations center, or SOC, security analysts spend significant time handling incidents. They use a variety of security systems. For example, XDR (extended detection and response) like Microsoft Defender, SIEM (security information and event management) like Microsoft Sentinel, and threat intelligence like Microsoft Defender Threat Intelligence. And they follow a multi-step workflow. For example: triage incidents to assess security impact, determine incident severity, and assign owners; investigate incidents to correlate security events, discover associated entities, and collect evidence; respond to incidents to contain attacks, eradicate threats, and recover services. Also, security analysts need to provide summaries and write reports along the way. As you can see, the job of a security analyst is complex and time consuming. That's why we need Copilot for Security, an AI-powered virtual companion specializing in security. Working together with Copilot, security analysts can significantly improve their incident-handling productivity. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftp7an4yrobbf01osgtpx.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftp7an4yrobbf01osgtpx.PNG" alt="Image description" width="587" height="293"&gt;&lt;/a&gt;&lt;br&gt;
Now let's do a quick demo. Here's my Microsoft Copilot for Security. In the prompt bar, enter the prompt, "List incidents in Microsoft Defender within the last 30 days. Make output as a table." Expand the response message. I can see a table with an incident, and the incident ID is 100. To quickly understand this incident, I can go back to the prompt bar and enter, "Summarize the key facts of incident number 100 in Microsoft Defender." Click Submit. Copilot for Security provides a summary of the incident with some key points. Next, to help with my investigation, I will enter "Find entities associated with that incident." Click Submit. Entities involved with an incident include accounts, IP addresses, devices, URLs, files, and processes. Copilot found the device vm-win11, the user vmadmin, an IP address, and the suspicious file. These entities provide valuable context for further investigation. For example, if I want to know about the device vm-win11, I can enter, "Tell me about the device vm-win11." Copilot tells me the device IDs, the operating system and its version, and the primary user. I can also ask Copilot for Security to suggest how to respond to this incident. Copilot suggested contacting the device user, in this case Harry, to confirm the activity. It even wrote a sample email. This email looks very professional, so I can use it right away, and it will help me determine the next steps in the incident response process. Finally, I can ask Copilot for Security, "Write an incident report for non-technical managers." Copilot provides a good starting point. I can then tailor this report to meet my specific needs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 6; Use Microsoft Copilot For Security in Microsoft Defender&lt;/strong&gt;&lt;br&gt;
Microsoft Copilot for Security is embedded in Microsoft Defender. This is convenient for security analysts because they don't need to open another browser while investigating and responding to incidents. Here's my Microsoft Defender environment. From the list of incidents, let's select incident number 100. The Copilot for Security pane is embedded on the right-hand side. It automatically creates an incident summary and recommends some investigation actions. Under the attack story, I can see a Suspicious PowerShell Command Line. Click it to see more details. It tells me that WINWORD.EXE executed a script. Click it. It shows the script. I'm not familiar with the parameters used here, but I can ask Copilot to analyze it. It helps me quickly understand the purpose of the script. Finally, I can ask Copilot to write an incident report. Click the three dots to show more options, then click Generate incident report. It drafts a report for me. I can also open it in the Copilot for Security standalone portal and continue my work there. Click My sessions, then click View my sessions. I can see that the sessions created in Microsoft Defender are also kept in my session history.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 7; Analyze Vulnerabilities With Microsoft Copilot For Security&lt;/strong&gt;&lt;br&gt;
Vulnerabilities are weaknesses in our systems that hackers can exploit to launch cyber attacks, so analyzing vulnerabilities is a common task for security professionals. In vulnerability analysis, security analysts often start with a Common Vulnerabilities and Exposures entry, or CVE. There are various sources where you can search CVEs. For example, the official CVE List managed by MITRE, threat intelligence products like Microsoft Defender Threat Intelligence, and many threat intelligence feeds. The analysis work often includes a vulnerability summary, impacted technologies, threat actors, the tactics, techniques, and procedures (TTPs) used by hackers, suggested actions for prevention, and remediation. It takes time for security analysts to complete the vulnerability research and analysis. Now let's see how Microsoft Copilot for Security can help us. First, we'll find a sample CVE. This is the CVE website. We can click Search to search the CVE List. Let's use this CVE: CVE-2020-1472. Click Submit, and then we can see the details about this CVE. Go to my Microsoft Copilot for Security. In the prompt bar, enter the prompt: "Summarize vulnerability CVE-2020-1472. Make a list of key points and impacted technologies. This is for my vulnerability impact analysis." Click Submit. Copilot for Security provides a summary of that vulnerability with some key points. It also showed the base score is 5.5 and the severity level is medium, and that the impacted technology is the Netlogon Remote Protocol. To defend against this vulnerability, I can ask Copilot for Security to suggest actions to handle this vulnerability, categorized into prevention and remediation. Copilot recommended several actions for prevention and remediation. Finally, let's ask Copilot for Security to generate an executive report about this vulnerability for non-technical managers. 
Copilot wrote a decent report with the essential elements of this vulnerability analysis, including summary, impact, and suggested actions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 8; Analyze Suspicious Code With Microsoft Copilot For Security&lt;/strong&gt;&lt;br&gt;
Security analysts need to deal with all kinds of suspicious code. Let's see how Microsoft Copilot for Security can help with that. Suspicious code analysis includes some common tasks, such as explaining what the code does, investigating its security impact and related vulnerabilities, recommending actions to defend against the malicious code, writing a code analysis report, and sharing your findings with your team members. It's impossible for security analysts to know every programming language and every system command. Also, examining a complex script with hundreds of lines takes a long time. This is why we need Microsoft Copilot for Security to work together with us. Now, let's do a quick demo. Here's a sample incident in my Microsoft Defender. Under Attack story, click "Suspicious PowerShell download or encoded command execution." I find a suspicious PowerShell script. Under the command line, I see a very long script, and a part of it seems to be Base64-encoded. Fortunately, we can click Analyze to let Copilot for Security analyze it. Copilot summarizes the script with a step-by-step explanation. This embedded script analysis function is very convenient for me during my incident investigation. I can also click More options, then click Open in Copilot for Security. It takes me to the standalone portal, and I can continue my work there. Now let's start a new session to analyze another script. To find a sample script, I will go to Exploit Database. Exploit Database is a collection of public exploits used by many penetration testers and security researchers. For our demo, we will use this script. I'll copy the whole script. Go back to my Microsoft Copilot for Security. This time, instead of entering my own prompt, I will use a system capability. Let's search for "Analyze the script or command." I will paste the sample script and click the prompt. Copilot provides a step-by-step breakdown of what the script does. 
To further investigate that script, I can enter, "Show me the CVEs related to the script." Copilot found the CVE ID and provided the details of this vulnerability. I can then ask Copilot to recommend actions to defend against the script. Copilot suggested some actions, such as updating phpMyAdmin to the latest version. Finally, I can share my findings with my colleagues. Click the share icon at the top right. Enter the name or email. In this case, I just send it to myself, and click the Send button. Once my colleagues receive the invitation email, they can click the "View in Copilot" link to access my shared session.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 11; Hunt Threats With Microsoft Copilot For Security&lt;/strong&gt;&lt;br&gt;
Let's look at how to use Microsoft Copilot for Security to hunt threats. What is threat hunting? It's a proactive approach to discovering potential cyber threats. In other words, security analysts don't wait for alerts to come. They actively search for signs of malicious behavior within their environments. There are some common activities in threat hunting. First, security analysts need to create a hypothesis. That's an assumption about a specific threat that might exist in the environment. Then they create hunting queries to analyze data from various sources. Once they discover a potential threat, security analysts take actions, like reporting, investigation, and response. If you use Microsoft security products, you can hunt threats in Microsoft Defender and Microsoft Sentinel, and you need to use KQL, Kusto Query Language, to write hunting queries. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqmh776n5p5nnczc6cuxv.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqmh776n5p5nnczc6cuxv.PNG" alt="Image description" width="657" height="223"&gt;&lt;/a&gt;&lt;br&gt;
But the challenge is that security analysts may lack expertise in KQL and may not be familiar with the data schemas. Now let's see how Microsoft Copilot for Security can help us. Here's Advanced hunting in Microsoft Defender. I need to create KQL queries to hunt threats over the data in these schemas. For example, I can write AlertInfo | summarize count() by category and click Run query. It will return the count of each alert category. However, threat hunting queries are usually much more complex. You can find a sample query by clicking Queries, then choosing one from the list. For example, under Lateral Movement, I can choose Impersonated User Footprint. If I'm not familiar with KQL and the underlying data schemas, it will take me a long time to write this hunting query.&lt;/p&gt;

&lt;p&gt;Fortunately, we can ask Copilot for Security for help. To do that, let's create a new query window, then click Copilot. I can ask a question to generate a query, for example, find the devices with software linked to high severity CVEs. Copilot generated a hunting query and ran it for me. In the Result pane, it showed some matching records. Expanding the first record, I can see that the device vm-win11 has an outdated Windows version that contains the vulnerability, and I can also see the related CVE ID. After validating my hypothesis, I can take further action: I can choose the record, then click Take actions, and decide whether I want to isolate the device, collect an investigation package, or restrict app execution.&lt;/p&gt;

&lt;p&gt;Go back to the Copilot for Security pane. If I don't want Copilot to automatically run the query for me, I can click More options and uncheck this setting. I can then start a new chat and ask a new question: find all failed remote logins to the device vm-win11 within the last 30 days. Click Submit. After Copilot for Security generates the query, I can choose Run query or just Add to editor, continue editing the query, and when it's done, click Run query.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 12; Create Your Promptbooks&lt;/strong&gt;&lt;br&gt;
Let's talk about how to create your promptbooks in Microsoft Copilot for Security. A promptbook is a collection of prompts that run in sequence automatically to complete a task, for example investigating an incident or analyzing a vulnerability. We can also define the inputs for a promptbook, for example an incident ID, a CVE ID, or additional context.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffea2x5dx7cj6cjzxh9ns.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffea2x5dx7cj6cjzxh9ns.PNG" alt="Image description" width="607" height="245"&gt;&lt;/a&gt;&lt;br&gt;
Microsoft Copilot for Security provides a promptbook library. You can find many prebuilt promptbooks created by Microsoft, or you can add your custom promptbooks to the library, and you can decide who can use these promptbooks: anyone in your organization, or just you. Here's my Microsoft Copilot for Security. In the previous lesson, we wrote some prompts to analyze a vulnerability. Now we can create a custom promptbook to save those prompts as a series of actions, so the next time we need to analyze another vulnerability, we can just use this promptbook to complete our task automatically. I will click the checkbox to select the prompts I want, then click the Create promptbook icon at the top. I will name this promptbook Custom Promptbook, Analyze a Vulnerability. I can add a tag, for example, demo. For the description, I will enter: summarize a CVE, suggest actions for prevention and remediation, and create an executive report. The input for this promptbook is a CVE ID. To add this input, I can modify the first prompt and replace the existing CVE number with the variable format: a left angle bracket, CVE ID, and a right angle bracket. Then click the confirm icon. At the bottom of the window, I can see the input field, CVE ID, has been added. I can select who can use this promptbook; I will choose anyone in my organization. Finally, click Create to create this promptbook.&lt;/p&gt;

&lt;p&gt;Go to the promptbook library, and I can see my custom promptbook is in the library. I can filter promptbooks by source. For example, click Demo SOC, which is my demo organization, and I can see the custom promptbooks shared within my organization. To run this promptbook, I click the play icon to start a new session, provide the CVE ID, for example, CVE-2020-1472, then click Run. It will run the prompts in sequence automatically and generate the responses.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 13; Query Uploaded Files&lt;/strong&gt;&lt;br&gt;
We can add our organizational knowledge to Microsoft Copilot for Security by uploading files. This method is based on a generative AI architecture approach called Retrieval-Augmented Generation, or RAG. By using this method, we can ground the AI model with our own data so it generates more relevant responses.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa7cj4191mxjlela8i88t.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa7cj4191mxjlela8i88t.PNG" alt="Image description" width="546" height="237"&gt;&lt;/a&gt;&lt;br&gt;
In Copilot for Security, you have two ways to connect your organizational knowledge base: upload files, or use the Azure AI Search plugin. Let's do a quick demo on uploading a file. I have a sample file called Incident Response Team Communication Plan. This document defines the roles and responsibilities of my team members during the incident response process. Now let's upload this file to Microsoft Copilot for Security. In the prompt bar, click the Sources icon. In the left menu, click Files, then click Upload File and choose the sample document. I already have my file uploaded, so I will just click Cancel. Wait for the file status to become Ready. Now we can use this file name, or the keyword uploaded files, in our prompt.&lt;/p&gt;

&lt;p&gt;Go back to the prompt bar and enter a prompt: query the uploaded files to find who should provide detailed technical information about an incident. It tells me the person responsible is the Technical Lead, Henry. I can also use a system capability to query this document. Click Prompts in the prompt bar, then search for query uploaded files and enter my query: list the primary contact persons during an incident response process. I can also provide instructions on how to compose the answer, for example, format the output as a table. Click Submit and expand the result table. Copilot helps me find the related information.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>The Best Way Of Making Cybersecurity Effective</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Sun, 08 Dec 2024 18:27:02 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/the-best-way-of-making-cybersecurity-effective-54f5</link>
      <guid>https://dev.to/romanus_onyekwere/the-best-way-of-making-cybersecurity-effective-54f5</guid>
      <description>&lt;p&gt;Chapter 1; Architecting for security&lt;br&gt;
Chapter 2; Protecting Payment Card Data&lt;br&gt;
Chapter 3; Clouding The Issues&lt;br&gt;
Chapter 4; Securing Things On The Internet&lt;br&gt;
Chapter 5; Ensuring Security is Effective&lt;br&gt;
Chapter 6; Incident Management Basics&lt;br&gt;
Chapter 7; Measuring Incident Management Maturity&lt;br&gt;
Chapter 8; Detecting an Attack&lt;br&gt;
Chapter 9; Hunting For Threats&lt;br&gt;
Chapter 10; Responding to an Incident&lt;br&gt;
Chapter 11; Communications Plan And Notification&lt;br&gt;
Chapter 12; Cybersecurity Goes Global&lt;br&gt;
Chapter 13; Understanding Cyber Norms&lt;br&gt;
Chapter 14; Cybil And The Global Forum on Cyber Expertise&lt;br&gt;
Chapter 15; The Traffic Light Protocol&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 1; Architecting for security&lt;/strong&gt;&lt;br&gt;
Security doesn't exist in isolation. It's a characteristic of a business service, a business system and business information. All of these are either secure or not secure. Although in reality, security isn't black and white, it most definitely comes in shades of gray. Nevertheless, organizations will often adopt a set of controls to secure their IT systems and not consider whether or not these reflect any of the requirements of the business. Rather than just adopt a generic control set, we can use what's known as enterprise security architecture to architect a security solution which meets the needs of our business and then apply the controls that are necessary to achieve that architecture. One of the most popular enterprise security architecture frameworks is SABSA, the Sherwood Applied Business Security Architecture. SABSA is used to capture business requirements and then determine what security is needed to meet those requirements. The basic construct in SABSA is its architecture matrix. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq1oerwoanj6oohgjoz1j.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq1oerwoanj6oohgjoz1j.PNG" alt="Image description" width="601" height="228"&gt;&lt;/a&gt;&lt;br&gt;
The two top layers, the contextual and conceptual, contain the elements of the architecture necessary in the strategy and planning stage, while the three lower layers, the logical, physical and component, contain those necessary to design secure IT systems and processes to support the higher level business goals and objectives. This matrix is used to capture all relevant security concepts and activities for the enterprise, and these are shown in summary in the cells. Security is often defined in terms of the information assurance we achieve by considering a system's confidentiality, integrity and availability. This approach came from early work on models of security and, while it's a very common approach, it's also a very constricting and artificial paradigm. Confidentiality, integrity and availability are indeed three attributes, but they're not the only ones. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mw384opjhwvz19wt3ai.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mw384opjhwvz19wt3ai.PNG" alt="Image description" width="584" height="287"&gt;&lt;/a&gt;&lt;br&gt;
We can add more, such as non-repudiation, authenticity and utility. But to create an effective information security architecture that's business centric rather than security centric, this is still inadequate. The SABSA framework provides a comprehensive set of business security attributes, collected from hundreds of consultancy projects, which includes most, if not all, of the attributes that an organization needs to define its own concept of security. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgetq5l2dfat08xp1qro2.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgetq5l2dfat08xp1qro2.PNG" alt="Image description" width="563" height="244"&gt;&lt;/a&gt;&lt;br&gt;
SABSA's many attributes are grouped into seven categories in what's called an attribute taxonomy: user, management, operational, risk, technical, legal, and business. These categories represent the focus of the business outcome which is being protected by the attributes. This is in effect a picture of what business success looks like. This set of attributes is often used as a pick list from which to choose a relevant subset of attributes for an architecture project, and they're quite useful as a cross check on the attributes derived from the business. We can show the attributes in a business relevant form. Here we show attributes representing activities which are important to the military: preparation of the force, intelligence regarding the battlefield, the characteristics of operations, commanding and sustaining the force, and providing protection of the force. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyt44r0w5lr2aogj9ff3.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyt44r0w5lr2aogj9ff3.PNG" alt="Image description" width="619" height="307"&gt;&lt;/a&gt;&lt;br&gt;
When we architect security, we start with business goals and objectives. Here's a strategic business construct showing goals and objectives. The smaller ellipses together represent the objectives which are required to meet the goals in the larger ellipses. We can analyze the objectives to determine what we need in terms of security attributes to ensure the objectives are met. In this table, we can see some general business objectives, we call these business drivers, which map to a number of the individual enterprise technology and business division objectives. For each of these, we can describe the business driver as a set of security focused attributes. We can then use these attributes to measure security across the organization and we can map them down to the information systems which support the various business processes. By measuring the effect of a security incident on an attribute, we can map this easily back to the business goals and objectives, which depend upon it. There's much more to SABSA and enterprise security architecture in general but the main takeaway is that we need to always look at security through business eyes because security is what we need to achieve business success.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 2; Protecting Payment Card Data&lt;/strong&gt;&lt;br&gt;
Cyber criminals understand that credit cards are a lucrative target for attack. The payment card industry governing body, the PCI Council, has responded to this threat by issuing the PCI Data Security Standard as an actionable framework for developing a robust security regime for cardholder data. More recently, and in light of the state sponsored attacks on personal and government data identified in the Snowden leaks, government regulators have enacted regulatory requirements for notification of data breaches, in particular the European General Data Protection Regulation. This has increased the business liability in the event of a data breach. &lt;/p&gt;

&lt;p&gt;It's now critically important for any business taking payments through credit cards to protect their information and transactions. It helps to understand the terminology of PCI when reviewing the Data Security Standard. Let's look at the key terms. A merchant is someone who takes a credit card or debit card as a form of payment. A service provider is someone who provides a service that is used for payment card information storage or for the transactions of a merchant. A qualified security assessor is an independent person certified to report on PCI compliance. An internal security assessor works for the merchant and is certified to submit a self-assessment. A data breach is a failure of security which results in the loss of cardholder information. Cardholder data, or information, is the primary account number, the cardholder name, the expiration date, and the service code. The sensitive authentication data is the encoded data on the magnetic stripe or chip, the card verification value, and the PIN. In the event of a data breach, the card company will launch an investigation to determine the cause. If the company has its PCI compliance, it can claim safe harbor. If not, it could face a hefty fine or removal of its right to accept credit cards. Regardless, it will face remediation costs, which could include card replacement and possibly customer compensation.&lt;/p&gt;

&lt;p&gt;With that background to PCI, let's now look at the PCI Data Security Standard itself. The standard provides a set of actionable controls together with testing procedures to provide a clear definition of what has to be done to achieve compliance. Version 3.2 of the standard provides 12 technical and operational requirements areas, covering almost 200 mandatory controls. Let's have a look at some of the key controls for the first six requirements areas. The first requirement is to have an effective firewall configuration. This means that firewall configuration standards have been set, that all firewall changes are tested, and that the rule sets are reviewed every six months. A network diagram must be maintained for any part of the network that stores, transmits, or interfaces to payment card data, and data flows across the network need to be defined. Traffic not related to cardholder transactions must be denied access to the cardholder systems, so it's normal to have a segregated PCI zone on the internal network so that the traffic can be managed at the PCI zone gateway. A demilitarized zone is required for any systems with direct internet access, and this needs to be firewalled at both the internal and external gateways. Firewalls are not just for the enterprise. Mobile devices, including any employee-owned devices that are allowed to be connected to the internal network, must have personal firewall software installed and operational, with a configuration that can't be changed by the employee. This is a key consideration when thinking about bring your own device, or BYOD, environments.&lt;/p&gt;

&lt;p&gt;The next requirement is that all default passwords and insecure configuration settings are changed. Security configuration standards are required for each device and system component to allow effective hardening, and all unnecessary ports and services should be removed. Stored cardholder data has to be kept to a minimum and protected, and no sensitive authentication data can be stored, even in encrypted form, once authentication has been completed. The account number, when displayed, must be masked, typically by replacing all except the last four digits with asterisks. When stored, the account number must be protected through strong cryptography or one-way hashing. Key management is a critical part of any cryptographic solution and must be implemented effectively. Transmitted cardholder data on open networks, such as the internet and unprotected wireless networks, must be encrypted, and end-user systems, such as email and messaging, must never be used to send unprotected account numbers. The cryptographic scheme must be effective, and what's effective may change over time. For many years, the Secure Sockets Layer, SSL, had been a common cryptographic solution for web access. In 2013, a fundamental vulnerability in the scheme was detected and exploited in the Heartbleed vulnerability. Subsequently, the PCI Security Standards Council determined that the Secure Sockets Layer protocol was no longer an acceptable solution for the protection of cardholder data.&lt;/p&gt;

&lt;p&gt;Systems processing cardholder data must implement antivirus software to provide protection against malware on both endpoint devices and servers. As some malware may enter a system prior to its signature being included in the antivirus database, regular scans must also be undertaken. Threats and vulnerabilities should be monitored through vendor alerts and threat intelligence feeds, and critical security patches must be installed within one month of release. Development and test accounts must be removed before systems are put into production, and custom development must include source code review prior to implementation, with special attention given to common vulnerabilities such as SQL injection and cross-site scripting. Production account numbers must not be used for testing.&lt;/p&gt;

&lt;p&gt;The next six security requirements in the PCI Data Security Standard address the level of security required outside of the PCI environment. Of particular interest is the requirement to restrict physical access, which extends to special purpose devices used to read cards. ATMs, and more recently embedded readers in devices such as gas pumps, are regularly targeted by criminals who install skimmers, which can copy credit card data. These are big business. In April 2015, a sweep of 6,000 gas stations in Florida found 81 skimmers attached to gas pumps. This particular scam has been estimated to make, in the US, as much as $3 billion a year for criminals. This has been a quick introduction to the PCI Data Security Standard. There's much more detail provided by the PCI Council on this and their other standards, and these are available for download from their website, shown here.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 3; Clouding The Issues&lt;/strong&gt;&lt;br&gt;
Cloud technology is no longer a novel approach to deploying infrastructure, but is a mainstream option for enterprises. Cloud security solutions may be deployed by the enterprise IT team, or solutions may be deployed by business groups. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8lze3i3hee9oobbtz98g.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8lze3i3hee9oobbtz98g.PNG" alt="Image description" width="683" height="253"&gt;&lt;/a&gt;&lt;br&gt;
There are three forms of Cloud deployment in common use: infrastructure as a service, platform as a service and software as a service. However, there are many more specialist forms of Cloud service that can be used. In all cases, there's a need for security controls to protect the Cloud solution, just as there is for an on-premises solution. However, there are some differences in the controls when using them for Cloud, and there are some new controls that need to be considered. The International Standards Organization has produced an ISO 27000 standard for Cloud known as ISO 27017. This is based on ISO 27002 and includes an additional six controls. NIST has produced SP 800-144, "Guidelines on Security and Privacy in Public Cloud Computing," which refers back to the SP 800-53 controls. However, the main reference for Cloud security is the "Cloud Security Alliance Security Guidance" for critical areas of focus in Cloud computing, with its 14 areas of controls. These domains provide a full description of Cloud, its security needs, and the controls needed to protect Cloud deployments. The guidance is supported by a Cloud Controls Matrix, which can be downloaded from the CSA site, shown here. The Cloud Controls Matrix provides the fundamental security principles that should be adopted by Cloud vendors and that can assist Cloud customers in assessing the overall security risk of a Cloud provider. It provides clarity on the shared responsibilities between the Cloud service provider and customer, according to the form of Cloud. More importantly, it provides a controls framework cross-reference to the other major security standards recognized in industry. Version 3.0.1 of the CCM has 133 controls in 16 domains. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fze7b5rb0x7eil7q79t79.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fze7b5rb0x7eil7q79t79.PNG" alt="Image description" width="499" height="212"&gt;&lt;/a&gt;&lt;br&gt;
The 16 domains can be seen here. They don't align with the domains in the security guidance for critical areas of focus in Cloud computing, but they do provide comprehensive coverage of security across Cloud, starting with application and interface security and finishing with threat and vulnerability management.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 4; Securing Things On The Internet&lt;/strong&gt;&lt;br&gt;
The Internet of Things is a term which means everything that's connected to the internet that isn't a standard laptop, workstation or server. One dictionary definition of the Internet of Things is the interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data. Wikipedia goes a little deeper and defines the Internet of Things as a system of interrelated computing devices, mechanical and digital machines, objects, animals, or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9puf07d9gx8z3o8qhybe.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9puf07d9gx8z3o8qhybe.PNG" alt="Image description" width="668" height="301"&gt;&lt;/a&gt;&lt;br&gt;
An obvious characteristic of the Internet of Things is that it's connected to the internet. It may only send data, it may only receive data, or it may do both. An important class of internet things are the low power things, those objects which have an embedded battery and no external power supply. These are often required to have a life of 10 years or longer, and so require very low power operation. One of the first organizations to provide guidance on security for the Internet of Things was the IoT Alliance Australia, a part of the Australian Communications Alliance. Its initial Internet of Things Security Guideline was published in February 2017 and provides an introduction to IoT technology and the key IoT industry sectors. It covers legal, privacy, security, resilience, and survivability issues, as well as IoT device development considerations. There is no definitive set of security controls for IoT, although organizations such as OWASP and GSMA have provided some guidance. The IoT Security Foundation has published a comprehensive set of 142 controls in their security guideline, grouped into 13 areas of compliance. Take a moment to think about the challenges in providing guidance for IoT. A small sensor may have little memory and a very low power processor, but an industrial SCADA device may be as powerful as a modern PC. Think about an IoT soil moisture sensor which is deployed out in the field and has to run on its own internal battery for no less than 10 years. Jot down two reasons why you wouldn't want it to have to run antivirus software. An interesting additional attribute that the IoT Security Foundation has tagged to each control is its compliance class, which can be one of five values relating to the data generated or the level of control provided by the device. The control is then relevant to the IoT device if its compliance class is equal to or higher than the control tag. 
Class 0 means that the compromise is likely to result in little discernible impact on an individual or organization. Class 1 means that the compromise would likely have limited impact on an individual or organization. Class 2 devices are those designed to resist attacks on availability that would have a significant impact on individuals or an organization. Class 3 devices additionally are designed to protect sensitive data and Class 4 devices are those which have the potential to affect critical infrastructure or cause personal injury. We're likely to see much more attention being given to IoT security controls as we see deployments into key sectors such as intelligent transport and smart cities.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 5; Ensuring Security is Effective&lt;/strong&gt;&lt;br&gt;
Commercial cybersecurity products and services can be very expensive, and often we'll pay for a hundred percent of a product and use only five to 10% of its functionality. However, cybersecurity doesn't need to be expensive. We can cover many of our cybersecurity needs with open source products and get a solid capability in place for minimal cost. Having gained experience with them, we can then better determine where we have gaps and which areas we need to invest in to grow our capability. A good place to start in looking for open source solutions is the Kali Purple platform, which has been developed as both a cyberdefense workstation and as a cyberdefense platform for server-based tools. You can check out the details of Kali Purple in my Complete Guide to Kali Purple course, or by going to the Kali Purple Wiki in GitLab. Let's take a look at some of the open source products we can use. There are three popular open source firewalls: pfSense, OPNsense, and Smoothwall. These are great solutions to start with, and as we outgrow them, we can consider moving up to higher performance commercial products. Behind the firewall, we might want to set up a demilitarized zone, or DMZ, and run a proxy server to manage all traffic in and out of our internal network. Nginx is a well-respected web and proxy server which we can use. Another important tool to have running is a web application firewall. This tool monitors our web traffic to stop attacks on our web applications. Unfortunately, the open source WAF solutions for nginx have been pretty much discontinued, so this is a gap we'll need to address when we upgrade nginx to nginx plus. We'll also want to have an intrusion detection system to monitor for malware coming through the network. Suricata is an open source intrusion detection system that we can install. Another key area of cybersecurity capability is logging and alert monitoring. 
There are a number of open source solutions for this, including ELK, which stands for Elastic, Logstash, and Kibana. These solutions provide dashboards and real-time log displays, which allow us to see everything that's happening on our networks and in our systems. Here's an example of the ELK solution running on Kali Purple. Being able to check that we've patched our vulnerabilities is one of the more important capabilities that we need. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ukxy9b93ggvt22tliza.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ukxy9b93ggvt22tliza.PNG" alt="Image description" width="580" height="230"&gt;&lt;/a&gt;&lt;br&gt;
The Greenbone Vulnerability Manager (GVM) provides a dedicated vulnerability scanning solution as a community product, and as our needs grow, we can move up to its commercial version. Here's an example of GVM running on Kali Purple. A slightly more sophisticated capability is threat hunting, which is where we proactively check our networks for any malicious activity we might not have caught with our monitoring. A good example of what we might use is the Malcolm solution developed by Idaho National Laboratory with the Department of Homeland Security's CISA. This integrates a number of tools so we can check the details of sessions that have been run and deep dive into our logs after the event. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbpbnzm9xbkh93z3p048b.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbpbnzm9xbkh93z3p048b.PNG" alt="Image description" width="625" height="235"&gt;&lt;/a&gt;&lt;br&gt;
Velociraptor is another threat hunting tool, with which we can run queries concurrently across large networks. This provides an extremely efficient way of investigating the spread of malware. Again, it's running on Kali Purple. Another open source threat hunting solution is SELKS, which is built on Suricata, Elasticsearch, Logstash, and Kibana. This is designed for smaller networks, and we can move to the commercial-grade Stamus Security Platform as we outgrow the community version. Wazuh is an open source multi-role solution providing alert monitoring, compliance, and vulnerability management all in one tool. Here we see Wazuh running on Kali Purple. There are many more open source solutions, and guidance on the installation and use of many of these is being delivered as part of the Kali Purple initiative. Putting open source or commercial tools in place is a good start to securing our networks, but it isn't the complete answer. Tools need trained staff to use them effectively, and cybersecurity requires lifelong learning.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 6; Incident Management Basics&lt;/strong&gt;&lt;br&gt;
With the resources being invested in both cybercrime and state-sponsored malware, it's inevitable that an attack will eventually penetrate even the most careful organization. When that happens, the difference between inconvenience and disaster will be how well prepared the organization is to respond to the incident. The NIST Cybersecurity Framework provides a set of control objectives under the functional area Respond. This consists of five categories: Response Planning, Communications, Analysis, Mitigation, and Improvements. The framework also includes a Recover function, which repeats three of the Respond categories (Planning, Improvements, and Communications) from the recovery perspective. The five Respond categories align closely with the four-stage incident handling process defined in NIST Special Publication SP 800-61, the Computer Security Incident Handling Guide: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Unlike the Cybersecurity Framework, SP 800-61 doesn't show the communications which occur throughout these four stages as a separate stage. The Cybersecurity Framework and SP 800-61 can also be aligned to the three-stage model published by CREST in the UK, with its model of Prepare, Respond, and Follow Up. Whatever the model, a key aspect of incident management is information sharing. This includes threat intelligence in the preparation stage and operational response matters during an incident. NIST established the Forum of Incident Response and Security Teams, or FIRST, in 1990, and this continues today as an active forum helping support the industry, government, and vendor communities. FIRST runs workshops and conferences to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and to give subject matter experts a place to meet and share information. Computer Emergency Response Teams, or CERTs, operate at a national level to protect the government and its critical infrastructure and to provide community advice on cybersecurity matters. US-CERT, for example, is part of CISA within the Department of Homeland Security. 
Through its 24-by-7 operations center, US-CERT accepts, triages, and collaborates on incidents, provides technical assistance, and disseminates notifications of current and potential issues. CERTs also collaborate at the international level through FIRST. This involves not only maintaining national CERT-to-CERT channels, running training courses, and participating in annual conferences, but also being the main contact point for CERTs with organizations such as the Global Forum of Security Experts and the International Telecommunication Union. It's useful to have a common language when talking about types of incidents, and a set of generic templates which are fit for purpose for each. US-CERT defines seven categories of incidents. Category 0 covers incidents that are part of cyber exercises for testing network defenses. Category 1 incidents are those where an individual gains logical or physical access without permission to a network, system, application, data, or other resource. Category 2 incidents are denial-of-service events, where the attack successfully prevents or impairs the normal authorized functionality of a network, system, or application by exhausting resources. Category 3 covers the successful installation of malicious software that isn't quarantined by antivirus software. Category 4 incidents are those involving a breach of acceptable use policy. Category 5 incidents are scans and probes of a system looking for open ports, protocols, or services, which don't directly result in a compromise or denial of service. Category 6 is for incidents involving unconfirmed but potentially malicious activity which justifies further investigation. Incidents don't often appear in a way which is immediately obvious for categorization. We'll usually have some form of event that's flagged as suspicious, and some investigation is needed. 
An important tool for incident management is the trouble ticket system, which enables us to maintain all relevant information on an event from the time it's flagged, through to it becoming an incident and eventually being resolved. Here's an example of a trouble ticket system called osTicket, displaying its list of open tickets. The US Cybersecurity and Infrastructure Security Agency (CISA) runs the National Initiative for Cybersecurity Careers and Studies, and through that has published what is known as the NICE Framework, which describes workforce roles in cybersecurity. There are three roles related to incident response: the cyber defense analyst, whose role includes running vulnerability scans, monitoring for attacks, and analyzing malware; the cyber defense incident responder, whose role is to investigate, analyze, and respond to cyber incidents; and the cyber defense forensics analyst, whose role is to analyze digital evidence and investigate incidents. The NICE Framework provides a useful reference to the skills and knowledge required for each of these roles. Why don't you pause the course and take a moment to check out the skills and knowledge required to be a cyber defense incident responder, and check out the tasks you'll be expected to undertake.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 7; Measuring Incident Management Maturity&lt;/strong&gt;&lt;br&gt;
The effort put into preparing for an incident will be paid back many times over through a timely and effective response which contains the damage. Preparation involves establishing and training an incident response team, establishing and exercising processes, and acquiring the necessary tools and resources. Once a basic program is up and running, it's useful to carry out a baseline survey of incident response preparedness. CREST in the UK has developed an incident response maturity assessment tool, which is free to download and use. This is a spreadsheet-based tool which contains over 600 questions across the three stages of incident management, and it can be used to assess an organization's readiness to respond to a cyber attack. A summary version of the tool, with just a handful of higher-level questions, is also available for download from the CREST website. Another early task for the incident response team will be to take advantage of the strategic threat intelligence sources which are being used to inform the cyber risk management team. In addition to the threat reports, it's useful to have tactical and operational threat intelligence. Tactical information exchange is usually available within an operating community. A good example of this is FS-ISAC, the intelligence sharing community for the financial services industry. This allows organizations to get early warnings and real-time information about the kind of activities that are impacting other members of the community. At an operational level, mechanisms for distributing indicators of compromise provide real-time actionable intelligence for feeding into firewalls and intrusion detection devices. MITRE led the development of standards for operational feed mechanisms, and the STIX and TAXII specifications, now maintained by OASIS, are widely recognized within the incident response community: STIX describes the indicators and TAXII is the protocol for exchanging them. Incident response procedures need to be defined and put in place. 
An issue tracking system is an important tool to enable effective incident management from operational detection through to resolution and recovery. While a standard service management or IT operations ticket system may include incident tracking, it may not satisfy the full requirements for security incident handling, such as restricting who can see the details of an ongoing investigation. &lt;/p&gt;
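
&lt;p&gt;As an added example (not code from the course or from any real feed), here is how an indicator feed could be consumed at the operational level described above: a constructed STIX 2.1 bundle is parsed, its still-valid indicator patterns are reduced to a lookup set, and constructed connection records are matched against it. The bundle contents, the indicator identifiers, the IP addresses, the domain name and the log records are all made up for the illustration. A real deployment would fetch the bundle from a TAXII server, and the pattern handling here covers only simple equality comparisons joined by OR, not the full STIX pattern language.&lt;/p&gt;

```python
"""Consume a STIX 2.1 indicator bundle and match connection records against it.

Added example with constructed data. Handles only simple equality comparisons
such as [ipv4-addr:value = '203.0.113.9'] joined by OR, not the full STIX
pattern grammar.
"""
import json
import operator
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle, the kind of document a TAXII server would return.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f3a6d2e-5c1b-4f0e-9a7d-1b2c3d4e5f60",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--c2-servers", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--c2-domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.bad-example.test']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--expired", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.77']",
         "valid_from": "2020-01-01T00:00:00Z", "valid_until": "2021-01-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--sample", "name": "Example RAT", "is_family": False},
    ],
})

# Constructed connection records: timestamp, source, destination, TLS server name.
CONN_LOG = [
    {"ts": "2025-03-01T10:00:01Z", "src": "10.0.0.5", "dst": "203.0.113.10", "sni": ""},
    {"ts": "2025-03-01T10:00:07Z", "src": "10.0.0.8", "dst": "192.0.2.44", "sni": "update.bad-example.test"},
    {"ts": "2025-03-01T10:00:09Z", "src": "10.0.0.9", "dst": "198.51.100.77", "sni": ""},
    {"ts": "2025-03-01T10:00:12Z", "src": "10.0.0.5", "dst": "192.0.2.80", "sni": "www.example.com"},
]

# One "object-path = 'literal'" comparison inside a STIX pattern.
COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _valid_at(indicator, now):
    """True if `now` falls inside the indicator's valid_from/valid_until window."""
    if not operator.ge(now, _ts(indicator["valid_from"])):
        return False
    if "valid_until" in indicator and not operator.lt(now, _ts(indicator["valid_until"])):
        return False
    return True


def parse_bundle(bundle_json, now=None):
    """Return {observable type: {value: indicator id}} for indicators valid at `now`."""
    now = now or datetime.now(timezone.utc)
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # malware/relationship objects and non-STIX patterns are skipped
        if not _valid_at(obj, now):
            continue  # expired or not yet valid: never block on stale intelligence
        for path, literal in COMPARISON.findall(obj["pattern"]):
            kind = path.split(":", 1)[0]  # 'ipv4-addr', 'domain-name', 'file', ...
            iocs.setdefault(kind, {})[literal.lower()] = obj["id"]
    return iocs


def ip_blocklist(iocs):
    """Sorted list of IPv4 indicators, ready to load into a firewall address group."""
    return sorted(iocs.get("ipv4-addr", {}))


def match_connections(records, iocs):
    """Return (ts, src, matched value, indicator id) for every record hitting an IoC."""
    hits = []
    for rec in records:
        for field, kind in (("dst", "ipv4-addr"), ("sni", "domain-name")):
            value = rec.get(field, "").lower()
            if value and value in iocs.get(kind, {}):
                hits.append((rec["ts"], rec["src"], value, iocs[kind][value]))
    return hits


if __name__ == "__main__":
    active = parse_bundle(STIX_BUNDLE)
    print("blocklist:", ip_blocklist(active))
    for hit in match_connections(CONN_LOG, active):
        print("IoC hit:", hit)
```

&lt;p&gt;Run as written, the blocklist contains the two C2 addresses and the two hits are the connection to 203.0.113.10 and the TLS session to update.bad-example.test; the connection to 198.51.100.77 is not reported because that indicator expired in 2021. Honouring valid_until matters in practice: indicator feeds accumulate addresses that are later reassigned to legitimate services, and blocking them is a self-inflicted outage.&lt;/p&gt;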

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F47dotz7o1m0sn4ut5pma.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F47dotz7o1m0sn4ut5pma.PNG" alt="Image description" width="588" height="228"&gt;&lt;/a&gt;&lt;br&gt;
TheHive is an open source cybersecurity incident management system, which can run in the cloud and allows multiple teams to collaborate on incident investigations. It enables automated analysis at scale of incoming incident information and includes integrated real-time threat intelligence. Another requirement is to establish a set of response playbooks which detail the actions to be taken for specific categories of incident. Many incident response teams create a jump kit, a portable case that contains materials that may be needed during an investigation. A jump kit typically includes a laptop loaded with networking and forensic software, backup devices, blank media, and basic networking equipment and cables. The preparation stage is a good time to build relationships in the incident response community, so that access to information and support comes naturally during a crisis. It's also a good time to build relationships inside the company, particularly with the IT team, so that there are no political stumbling blocks when a response is necessary. Finally, incident responders will need to be able to function effectively when managing the containment of an incident, and this means having pre-authorization to take unilateral action and make or direct emergency changes. The last thing a good crisis needs is decision making by committee. With a team established, the key element of ongoing preparation is cyber crisis exercises. These exercise the incident response procedures as well as the skills of the team, and provide visibility of the impact of a cybersecurity incident on the organization. The ENISA website provides a substantial amount of training and exercise material which can be used for internal CERT training and as the basis for customization to the wider crisis management program. This includes handbooks, tools, and a full program of pre-exercise training through to complete exercises.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 8 ; Detecting an Attack&lt;/strong&gt;&lt;br&gt;
Let's look at the operational response phases of incident response. In the NIST model these are detection and analysis; containment, eradication, and recovery; and post-incident activity. Detection and analysis is the non-stop process of monitoring for evidence of a cyber attack, and this is the job of the SOC analyst. During the detection phase, the SOC analyst is looking for evidence of malware or intrusive behavior coming into the organization from external sources. This will usually involve watching real-time alerting screens, which run 24-by-7. The analyst is also looking for evidence of malware that has succeeded in penetrating the organization, by running file scans and monitoring for signals going out to the malware's command and control servers. A further requirement is to monitor for lateral movement between systems inside the organization, to detect malware or an intruder that's penetrating deeper into our networks. Here's an example of the monitoring screen which SOC analysts use. This is the Splunk system, but there are others, such as Graylog and the ELK Stack, each with its own pros and cons. All of them, however, ingest log records and raise alerts when certain conditions are met. Life in the operations room monitoring for attack isn't easy. It involves many hours of staring at screens of scrolling log records and alerts, picking out the candidate incidents which are relevant to investigate further. Even when there's real evidence of an incident, such as a crashed server, it's often difficult to determine whether the incident is just an IT issue or whether it really is security related, and if so, the type, extent, and magnitude of the problem. Spotting cyber attacks often requires as much intuition as intelligence. Another challenge is that many alert sources, such as an IDS, have a high rate of false positives. Being under-responsive will let the attack in, but being over-responsive means there's a risk of crying wolf. 
When an incident is confirmed as being security related, incident responders will often be asked to analyze ambiguous, contradictory, and incomplete symptoms to determine what's happened. This is where an analyst's skill really becomes important. Signs of an incident fall into one of two categories. A precursor is a sign that an incident may occur in the future. A port scan may be a precursor to an attack, as an adversary would likely do reconnaissance before launching a hard attack. Similarly, the release of an exploit in the wild for a known vulnerability in the organization would be a precursor to an attack. An indicator is a sign that an incident may have occurred or may be occurring now. A beaconing connection back to an unusual IP address may be an indicator that malware is attempting to make a command and control connection. Many of the alerts which are raised in the operations room will be false positives, and it's important to validate any detection before raising alarms. Understanding normal behavior is one of the best ways of discriminating between false precursors and indicators and real ones. Having a knowledge base helps, as this can be used to quickly determine whether the same anomaly has been seen before. Here's what a traffic flow monitoring screen looks like. With this, a SOC analyst can check for unusual flows of information, such as might occur in a major data breach. And here's another showing unusually large amounts of traffic going to a port which normally has minimal traffic flows. Detection may involve correlating information over a period of time. Today's analytical tools tend to use big data analytics as a key strategy to detect long and slow APT infections. Deep packet inspection can be used to provide a detailed snapshot of activity on a particular part of the network, and this may give more context to the precursor or indicator. 
Host-based packet capture tools such as Wireshark can be used, as can network-based devices such as FireEye and NetWitness. Once an indicator is turned into an incident, prioritization is perhaps the most critical decision point in the incident handling process. Incidents shouldn't be handled on a first come, first served basis, but should be prioritized based on their criticality to the business.&lt;/p&gt;
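
&lt;p&gt;As an added example (not code from the course or from any of the tools named above), here is the kind of baseline comparison that separates a genuinely unusual flow from normal variation. Seven days of constructed per-port byte totals form the baseline, and a port is flagged only when today's volume exceeds the baseline mean by both a number of standard deviations and an absolute floor, so that a busy and variable port such as 443 does not alert on an ordinarily high day while a normally silent port does. The flow figures, the port numbers and the thresholds are made up for the illustration.&lt;/p&gt;

```python
"""Flag destination ports whose traffic today is far outside their baseline.

Added example with constructed flow summaries; the numbers are not real traffic.
"""
import operator
import statistics
from collections import defaultdict

# Constructed daily flow summaries as (day, destination port, bytes).
# Seven baseline days: 443 is busy and variable, 53 is steady and small,
# 4444 normally carries nothing at all.
BASELINE = []
for day, https_bytes in enumerate([5.1e9, 4.7e9, 6.2e9, 5.5e9, 4.9e9, 5.8e9, 5.0e9]):
    BASELINE.append((day, 443, int(https_bytes)))
    BASELINE.append((day, 53, 40_000_000 + day * 1_000_000))
    BASELINE.append((day, 4444, 0))

# Today: HTTPS on the high side of normal, DNS normal, and 300 MB to port 4444.
TODAY = [(7, 443, 6_400_000_000), (7, 53, 45_000_000), (7, 4444, 300_000_000)]


def daily_totals_by_port(flows):
    """{port: [bytes on first day, bytes on second day, ...]} summed over the records."""
    per_port_day = defaultdict(lambda: defaultdict(int))
    for day, port, nbytes in flows:
        per_port_day[port][day] += nbytes
    return {port: list(days.values()) for port, days in per_port_day.items()}


def flag_port_anomalies(baseline_flows, today_flows, k=3.0, floor_bytes=50_000_000):
    """Alert on ports whose volume today exceeds mean + max(k * stdev, floor_bytes).

    k copes with ports that are always noisy; floor_bytes copes with ports whose
    baseline is near zero, where any change at all would otherwise be many
    standard deviations out and a few stray packets would page someone.
    """
    history = daily_totals_by_port(baseline_flows)
    alerts = []
    for port, volumes in daily_totals_by_port(today_flows).items():
        observed = sum(volumes)
        past = history.get(port, [0])  # never-seen port: treat its baseline as silent
        mean = statistics.mean(past)
        threshold = mean + max(k * statistics.pstdev(past), floor_bytes)
        if operator.gt(observed, threshold):
            alerts.append({
                "port": port,
                "today_bytes": observed,
                "baseline_mean": round(mean),
                "threshold": round(threshold),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_port_anomalies(BASELINE, TODAY):
        print(alert)
```

&lt;p&gt;With these figures only port 4444 is reported. Port 443 is about a quarter of the way to its three-sigma line, so an ordinarily busy day stays quiet, and port 53 is well inside its baseline. The same structure applies to any counter the flow collector exports (sessions, unique destinations, bytes out per host), and in practice the baseline would be kept per day of week, since weekend traffic has its own normal.&lt;/p&gt;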

&lt;p&gt;&lt;strong&gt;Chapter 9; Hunting For Threats&lt;/strong&gt;&lt;br&gt;
SOC analysts don't have to just wait for an attack to be detected. They can be proactive and hunt for any threats that might have got into the system undetected. Threat hunting involves looking for the threat agent itself or detecting traces of activity related to the threat agent. For example, finding a file of user credit card details in a temporary shared folder, or finding an account which shouldn't exist, are both evidence that there may have been an attack. A comprehensive set of threat characteristics, known as indicators of compromise, is necessary to enable the threat hunter to search for known threats. We can also use advanced analytics and big datasets to look for traces of threat activity in logs. This is how we might find beaconing, the regular connections malware sends out to its command and control system. The threat hunting process is a continuous cycle of looking for a trigger to provide the context for a specific investigation, the investigation itself, and then resolution through taking action to mitigate the threat that has been found. Idaho National Laboratory, in conjunction with the Department of Homeland Security, has released an excellent tool for threat hunting called Malcolm. This tool can be used in real time to monitor an attack as it happens or, more usually, as a way of analyzing a packet capture file to hunt for signs of an attack. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9dgi80pbt5wy2eowwmys.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9dgi80pbt5wy2eowwmys.PNG" alt="Image description" width="631" height="229"&gt;&lt;/a&gt;&lt;br&gt;
We can view a dashboard, or we can view the packet capture, either packet by packet using the Malcolm component called Arkime, or at the session level using the logs produced by the Malcolm component called Zeek. &lt;/p&gt;
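
&lt;p&gt;As an added example serving both the detection discussion in Chapter 8 and the beaconing hunt described here (it is not code from the course or from Malcolm), the block below looks for beaconing in a constructed connection log. For every source and destination pair with enough connections it measures how regular the gaps between connections are, and it only reports pairs whose destination is contacted by very few hosts, so that every workstation polling the internal NTP server on a fixed schedule is not reported as a compromise. The addresses, timings and thresholds are made up for the illustration.&lt;/p&gt;

```python
"""Hunt for beaconing in a connection log: near-constant intervals to a rare destination.

Added example with constructed data; not code from the course or from Malcolm.
"""
import operator
import statistics
from collections import defaultdict

# Constructed connection log as (epoch seconds, source IP, destination IP).
BASE = 1_700_000_000
CONN_LOG = []
# 10.0.0.5 calls home roughly every 60 s; real implants add jitter like this.
for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 0, 2, -3, 1, 0]):
    CONN_LOG.append((BASE + 60 * i + jitter, "10.0.0.5", "203.0.113.45"))
# The same host browses a web site at irregular, human-paced times.
for offset in [5, 9, 40, 41, 42, 300, 310, 900, 905, 1500]:
    CONN_LOG.append((BASE + offset, "10.0.0.5", "93.184.216.34"))
# Three hosts poll the internal NTP server exactly every 64 s: periodic, but common.
for src in ["10.0.0.5", "10.0.0.6", "10.0.0.7"]:
    for i in range(10):
        CONN_LOG.append((BASE + 64 * i, src, "10.0.0.1"))


def find_beacons(conn_log, min_conns=8, max_cv=0.2, max_sources=2):
    """Return (src, dst) pairs that look like beacons.

    A pair is periodic when the coefficient of variation (stdev / mean) of the
    gaps between its connections is below max_cv. It is only reported when at
    most max_sources hosts talk to that destination, which drops shared
    infrastructure (NTP, update servers) that is periodic by design.
    """
    times_by_pair = defaultdict(list)
    sources_by_dst = defaultdict(set)
    for ts, src, dst in conn_log:
        times_by_pair[(src, dst)].append(ts)
        sources_by_dst[dst].add(src)

    beacons = []
    for (src, dst), times in times_by_pair.items():
        if not operator.ge(len(times), min_conns):
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        periodic = operator.lt(cv, max_cv)
        rare = operator.le(len(sources_by_dst[dst]), max_sources)
        if periodic and rare:
            beacons.append({"src": src, "dst": dst, "count": len(times),
                            "period_s": round(mean_gap, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(CONN_LOG):
        print(beacon)
```

&lt;p&gt;Run as written, the only pair reported is 10.0.0.5 talking to 203.0.113.45 every 60 seconds with a coefficient of variation of about 0.05; the browsing session is far too irregular and the NTP traffic is periodic but shared by three hosts. Raising max_sources to 3 makes the three NTP pairs appear as well, which is the false-positive trade-off the chapter describes: periodicity alone finds every scheduled job on the network, so a hunt combines it with destination rarity, an allowlist of known infrastructure, and the indicator lookup from the threat intelligence feed.&lt;/p&gt;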

&lt;p&gt;&lt;strong&gt;Chapter 10; Responding to an Incident&lt;/strong&gt;&lt;br&gt;
Early containment is necessary to stop an incident overwhelming resources or increasing the level of damage it inflicts. Pre-authorization to take action enables containment and allows time to develop a tailored remediation strategy. Containment decisions, such as disconnecting a system, are much easier to make if a response plan template for this kind of incident has been predetermined. Separate containment strategies for each major incident type need to be prepared and pre-authorized. Most incidents will require an ongoing investigation to trace back to the source and the cause of the attack, and this will occur in parallel with containment and recovery activities. This is likely to be the primary role for cyber incident responders, with the IT and network teams taking the lead on containment and recovery. Access to a wide range of sensor information is important to getting the network visibility that's required to fit all the pieces together. If the incident is serious, then it's likely that a major incident management (MIM) event will be called. This will typically be run by IT or network operations and will be under the control of the MIM manager. A MIM consists of a group of key stakeholders establishing regular meetings or conference calls to monitor the progress of incident resolution, make decisions collaboratively, and coordinate messaging. Although the primary reason for gathering evidence during an incident is to resolve the incident, it may also be needed for legal proceedings. In such cases, it's important to clearly document how all evidence, including compromised systems, has been preserved, using an official chain of custody evidence tag. After an incident has been contained, eradication may be necessary to delete malware, disable breached user accounts, and identify and mitigate all vulnerabilities that were exploited. 
It's important to eradicate the issues not only on the affected hosts, but on all hosts that could be affected through the same or a similar attack. For example, removing a default administrator account on one server whilst leaving the same account open on another is just asking for more trouble. The last, and probably most important, rule when responding to an incident is to continue monitoring for other incidents. An attack may well be a diversion in order to gain more subtle access somewhere else on the network.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 11; Communications Plan And Notification&lt;/strong&gt;&lt;br&gt;
One of the critical activities in any incident response is communications. It's particularly important to get this right when we have to prepare our senior executives to face interviews with the media. Richard Knight and Jason Nurse are two British researchers who've developed a practical framework for effective corporate communication in the event of a data breach. It covers the preparation of the communications plan in advance of an incident and the execution of the plan as part of the response. The pre-crisis component of the framework covers five objectives, as shown. It requires that we establish and prioritize our long-term aims beyond just the response. This might include protecting our stock value, our brand, and our ability to trade. We need to determine our security gaps so that we're not caught flat-footed by weaknesses in our systems that might have contributed to the incident. Better that we know about and explain them than be caught unawares. We need to make sure, before we have an incident, that we do have the capability to respond to a crisis, both in terms of tools and skilled staff. We can gain a lot by making sure our response plans include working with our partners and key organizations in our supply chain. We'll have a more effective response, and we'll be prepared to communicate with a unified voice. Last but not least, we need to perform regular rehearsals and testing to make sure the response plans work and that we're experienced in following them. When we experience an incident that has an external impact, we'll need to decide when and how to disclose it. The framework provides for two situations: firstly, where we are required to disclose it, and secondly, where we choose to disclose it to avoid the potential downstream issues of being perceived to be hiding it. Having made the decision to disclose, we then need to address the main points of our disclosure. 
Can those impacted by the incident mitigate the risk, for example by changing their credit cards? We need to be able to say what has been lost and its impact, and provide a point of contact for any questions. We'll also be asked, and need to have an accurate answer for, the size of the breach. We need to be mindful of what interpretation the media may put on this, and ensure we establish our own interpretation of the incident. The way we frame the message will have a significant bearing on how it's interpreted. There are four key things we need to do. Accept responsibility for having let data in our care be breached. Avoid trying to make the incident seem less important than it is, because the truth will out eventually. Be aware of, and make a point of addressing, the fact that those impacted, our staff or our customers, may feel quite vulnerable as a result of their data being potentially made public or misused. Finally, it's important that we don't try to blame someone else for the incident. Even if the weakness came from a service or product we're using, it's our responsibility to make sure these are fit for purpose. By this point, we've had an incident, and we need to make as good an impression as we can under the circumstances. Being upfront and taking responsibility will go a long way to mitigating the long-term impact. It's likely that for a significant incident, the person who has to face up to the regulators and media will be the chair of the board or the CEO. In addition, there's an increasing focus from regulators on making directors accountable for cyber incidents, and data breaches in particular. An example of this is the U.S. Securities and Exchange Commission rule that came into force in December 2023. This requires public companies to disclose material cybersecurity incidents within four business days of determining that the incident is material, and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. 
In addition to disclosing the governance processes, directors will need to be able to evidence that they've in fact provided effective oversight of cybersecurity. There are guidelines that directors can follow in governing cybersecurity. Ensure CIOs provide effective cyber resilience for IT systems. Ensure cyber resilience is a critical project success factor. Cybersecurity is about managing risk and requires separation of duties. So the CISO should report to the chief risk officer, not the CIO. Acknowledge that security is never perfect and ensure CISOs are able to effectively detect and respond to a cyber attack. Finally, ensure IT systems are checked and approved for operation on a regular basis, a process known as accreditation, and ensure our board-level risk and resilience dashboard is maintained.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 12; Cybersecurity Goes Global&lt;/strong&gt;&lt;br&gt;
With the advent of the internet, there came a need to interconnect certain aspects of information technology. Telecommunications providers needed to be able to connect data services through global gateways, and with that came the need to provide security at those gateways. Electronic information evolved from simple bulletin boards to sophisticated websites, and the simple exchange of text messages evolved into the now ubiquitous electronic mail system. Such evolution required establishing global technical standards for interconnectivity and security. The Internet Engineering Task Force, or IETF, and its predecessors had been producing technical Requests for Comments, or RFCs, from the start of the internet. ISO, the International Organization for Standardization, also ran a project to develop a more elaborate set of standards known as Open Systems Interconnection, or OSI. These were not widely adopted, and the IETF continues to be the driving force in internet standardization. Coordination of internet naming and addressing is managed by the Internet Corporation for Assigned Names and Numbers. ICANN, as it's known, is a US-based organization responsible for the databases which determine internet naming and number allocation: the DNS root and the assignment of IP address blocks. While this arrangement is designed to ensure the stable and secure operation of the internet, it also gave the United States control over these core functions of the internet. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3rqkg4lwqlp15o6h7iwb.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3rqkg4lwqlp15o6h7iwb.PNG" alt="Image description" width="662" height="207"&gt;&lt;/a&gt;&lt;br&gt;
This became a bone of contention with some of the other cyber-savvy nations. As early as 2008, there were signs that Russia was concerned about US control over the internet and was considering breaking away and running its own national network. This was also driven by Russia's goal of managing the information available to its citizens. China, too, was making sure that free information and western culture did not permeate the emerging Chinese cyberspace domain. The Great Firewall of China, with its estimated 50,000 cybersecurity defenders, carries out a highly effective program of cyber control and surveillance of its citizens. By 2010, the West was becoming very nervous that the global economic miracle being realized through the internet was about to crash. Would the internet become a splinternet? This led the UK to run the first of what was to be an ongoing program of global conferences on cyberspace, the London Conference on Cyberspace in 2011. The conference considered a set of seven principles for use of the internet, which provided the foundation for maintaining a global network while ensuring nations were able to operate within their own culture. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqbp9ocurcdtt1pr36tuq.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqbp9ocurcdtt1pr36tuq.PNG" alt="Image description" width="668" height="211"&gt;&lt;/a&gt;&lt;br&gt;
The seven principles proposed at the start of the initiative were as follows. Proportionality: governments should act in cyberspace in accordance with national and international law. Accessibility: all people should be able to access cyberspace. Respect: users of cyberspace should show tolerance and respect for diversity of language, culture, and ideas. Human rights: the internet should uphold the right to privacy and the protection of intellectual property for all people. Openness: cyberspace should be an open forum for innovation and the free flow of ideas, information, and expression. Collaboration: nations should work collectively to tackle the threat from criminals acting online. And competition: the internet should be a competitive environment which ensures a fair return on investment in network services and content. Before moving on, take a moment to think about these principles. How well do they fit with the approach the US, the UK, Russia, and China each take to the internet?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 13; Understanding Cyber Norms&lt;/strong&gt;&lt;br&gt;
The principles tabled at the First Cyberspace Conference have evolved into the United Nations Cyber Norms, the rules of normally acceptable behavior for any nation using the internet. These are managed by the group of governmental experts at the UN's Office for Disarmament Affairs, UNODA. The United Nations encourages peaceful use of the internet through adherence to the set of cyber norms and through an active program of cyber diplomacy. UNODA provides a full training course on cyber diplomacy, which includes a module on cyber norms, rules and principles. Implementing cyber norms isn't always easy, however. The first cyber norm is cooperation between states in order to increase stability and cybersecurity, and to discourage harmful cyber practices, particularly those that might impose threats to international peace and security. There's been a lot of progress on cooperation, with nations maintaining a technical focus and avoiding political issues. The second cyber norm is a duty of care over incidents. This means not jumping to conclusions and making sure that all aspects of the incident are considered. This includes addressing the challenges of determining accurate attribution and understanding the impact that's occurred. This is important to avoid misunderstandings and wrongful blame escalating into a more serious event. The third cyber norm is that states should not knowingly allow their territory to be used for malicious cyber activities, including launching cyber attacks and running malicious servers. This is a challenging norm to uphold, especially when private citizens or groups respond to international events by launching private attacks or when a state relays their attacks through another country. The fourth cyber norm is similar to the first in that it involves cooperation between states. However, the focus in this norm is to counter terrorist and criminal use of cyber. 
The norm suggests that nations exchange information, assist each other and pursue prosecution as part of bilateral and multilateral cooperation. The fifth cyber norm is to respect human rights on the internet, including freedom of expression and privacy online. There are many cultural challenges in meeting this norm, and challenges also with the growing use of misinformation and the oversight of social media. As a result, this norm encourages nations to apply the same rights online as exist in their nation offline. The next norm is similar to the third norm, encouraging nations not to carry out or support malicious cyber activities, but with a focus on those that impact critical infrastructure. This is the first of three norms relating to critical infrastructure. Following this is the second critical infrastructure norm, encouraging nations to proactively protect their critical infrastructure from attack. The third critical infrastructure norm is that nations are encouraged to respond to requests from other nations whose critical infrastructure is under attack, particularly where that attack emanates from or relays through their nation. The ninth cyber norm is to take steps to protect the supply chain from being compromised, starting with nations where information technology products are designed and developed. This is a challenging norm for technology-producing countries, where the temptation to subvert equipment is high. The 10th norm is about sharing vulnerability information between nations to support early global mitigation. The final norm, again, encourages nations not to carry out or support malicious cyber activity, this time with a focus on the systems of the Computer Emergency Response Teams of other nations. Take a moment to consider the fifth cyber norm, which covers freedom of expression and privacy online. We're seeing a lot of hateful commentary on the internet, some of which is nation-state generated to influence another nation's opinion. 
Is this okay, because we're encouraging freedom of speech? Consider the privacy of terrorists communicating about an attack they're planning. Should they be allowed to do this in private? And if not, then how do we manage legitimate privacy concerns? The United Nations cyber norms set out what are generally accepted behaviors on the internet and have evolved significantly from the initial London principles. While laudable, there is a big gap between what nations accept as global norms and what they practice as global participants.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 14; Cybil And The Global Forum on Cyber Expertise&lt;/strong&gt;&lt;br&gt;
The Global Forum on Cyber Expertise was established during the 2015 GCCS meeting in the Hague, with the aim of strengthening cyber capacity building globally. At the New Delhi GCCS meeting in 2017, the GFCE launched the Global Agenda for Cyber Capacity Building, and in doing so became the global coordinating body for capacity building. The GFCE has five themes: cybersecurity policy and strategy; cyber incident management and critical infrastructure protection; countering cybercrime; cybersecurity culture and skills; and cybersecurity standards. The GFCE encourages voluntary participation by governments, private companies, civil society, the technology industry, and academia, in order to share expertise. The GFCE operates a number of conferences, meetings, working groups, and task forces, and provides a clearinghouse to enable participants to offer their services and expertise to countries which need assistance in developing their cyberspace. This is achieved through the use of a collaboration portal called Cybil. The GFCE provides a range of reports on the development of cybersecurity and resilience and cyber diplomacy, and these are available via the GFCE Cybil portal. Cybil also provides details of the various projects by beneficiary country. Here we see the first 4 of 27 projects relating to assisting Cambodia develop its cyber expertise.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 15; The Traffic Light Protocol&lt;/strong&gt;&lt;br&gt;
As cybersecurity collaboration between governments, private industry and other nations has grown, it has become apparent that there is a need to manage information exchange without resorting to national classification schemes. Information needs to flow freely to those that need it, but not be accessible to the point where it compromises the global cybersecurity activities it is intended to assist. This led to the creation of a scheme called the Traffic Light Protocol, which adds markings to information being exchanged to indicate how freely the information can be shared. There are four marking levels, three of which reflect the colors used in traffic lights. White: where information is marked white, this information can be freely shared as there is no risk of misuse. Green: information marked green can be circulated widely within the recipient's sector community, but not via publicly accessible channels, such as an open website. An example of this would be sharing a sector-specific malware analysis. Amber: information marked TLP Amber can be shared with members of the recipient's organization and with clients or customers who need the information to protect themselves. Once again, this information should not be shared via publicly accessible channels. This form of information might include such items as sensitive indicators of compromise. And Red: this is the highest level of marking in the protocol, and it's used when information is intended for the recipient only. This may be an individual or a committee. Unauthorized disclosure of TLP Red information could lead to impacts on a party's privacy, reputation, or operations if misused. Examples of TLP Red might include tentative attribution of a cyber attack. ENISA provides more detailed information on what we might need to think about when we receive TLP-marked information.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>The Exact Framework For Protection Against Cyber Threat</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Thu, 05 Dec 2024 22:24:48 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/the-exact-framework-for-protection-against-cyber-threat-b1b</link>
      <guid>https://dev.to/romanus_onyekwere/the-exact-framework-for-protection-against-cyber-threat-b1b</guid>
      <description>&lt;p&gt;Chapter 1; Early Concepts in Computer Security&lt;br&gt;
Chapter 2; Understanding the NIST Cybersecurity Framework&lt;br&gt;
Chapter 3; Adopting the NIST Cybersecurity Framework&lt;br&gt;
Chapter 4; Understanding The Basics of Cyber Risk&lt;br&gt;
Chapter 5; Analyzing Cyber Threats And Controls&lt;br&gt;
Chapter 6; Recording, Reporting, And The Risk Context&lt;br&gt;
Chapter 7; An Advanced Risk Framework&lt;br&gt;
Chapter 8; Managing Security With COBIT&lt;br&gt;
Chapter 9; COBIT For Operational Security&lt;br&gt;
Chapter 10; Introduction to Cybersecurity Controls&lt;br&gt;
Chapter 11; Cybersecurity Control Framework&lt;br&gt;
Chapter 12; Cybersecurity Standards of Good Practice&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 1; Early Concepts in Computer Security&lt;/strong&gt;&lt;br&gt;
The era of trusted computing started in the 1980s with the publication of a series of books on the security requirements for systems used by the United States Department of Defense. These books were known as the Rainbow Series of books. The best known book in the Rainbow Series is the Orange Book, which describes the security design of a computer that can be trusted to handle both unclassified and classified information, known as a multi-level secure, or trusted, computer. The Orange Book describes the security design and subsequent evaluation of security for an information system. It introduces four key concepts in information security: a reference monitor, which mediates access to system resources; a formal security model for reading and writing information; the idea of a trusted computing base as a subsystem containing all the security code; and the testing required to achieve various levels of assurance. The reference monitor concept is an essential element of any system that provides multi-level secure computing facilities and controls. The reference monitor enforces access controls between subjects and objects of the system. The subject may be a user or a program module, and the object may be a data file or a restricted system function. I'll just use the term user as the more common term for subject. The reference monitor has three essential characteristics. It must be tamper-proof, it must always be invoked, and it must be small enough to be completely analyzed and tested. The Orange Book introduces the Bell-LaPadula scheme for managing multi-level information flows. Using this scheme, the book presents two approaches to security. Discretionary access control is used for applying security within the same classification of information to provide a means of restricting information access on a need-to-know basis. It requires an access control list to be maintained by an administrator who authorizes subjects to access objects. 
This is the normal folder and file control scheme we use today. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffld5plylbomaqyza7n60.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffld5plylbomaqyza7n60.PNG" alt="Image description" width="657" height="189"&gt;&lt;/a&gt;&lt;br&gt;
Mandatory access control is the Bell-LaPadula scheme in which each subject holds a certain level of access rights, or clearance, and an object is labeled at a certain level of sensitivity. The security labels which define the level of sensitivity in the Orange Book include restricted, confidential, secret and top secret. Mandatory access control has two rules. The first rule is the simple security rule, which states that a user at a certain clearance level cannot read anything which has a label at a higher sensitivity level, which by definition they do not have access to. The second rule is the star security rule, which states that a user at a certain clearance level cannot write down into a file which is labeled at a lower level, as this may expose sensitive information to subjects not cleared to access it. The heart of a trusted computer system is its trusted computing base, which contains the elements of the system responsible for security, all within the security perimeter. The TCB includes hardware, firmware, and software critical to protection. It must be designed and implemented such that nothing outside the trusted computing base is sensitive or relevant to managing security. A TCB should be as simple as possible, consistent with the functions it has to perform, in order to enable adequate testing. The final and probably most important part of the Orange Book is the classification scheme it introduces for evaluating the assurance of systems. In short, the scheme provides for four levels of system assurance, and within each level there are one or more tiers. The levels are D1, C1 to C2, B1 to B3, and A1. We'll look further at security assurance&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 2; Understanding the NIST Cybersecurity Framework&lt;/strong&gt;&lt;br&gt;
The inclusion of cyberspace in international critical infrastructures was formally recognized at the 3rd Global Conference on Cyberspace held in Seoul in 2013, with the publication of the Seoul Framework for Commitment to Open and Secure Cyberspace. It states that the global and open nature of the internet is a driving force in accelerating progress towards development, and that governments, businesses, organizations and individual owners and users of cyberspace must assume responsibility for and take steps to enhance the security of their information technologies. In response to this, in 2014, the US National Institute of Standards and Technology issued the "Framework for Improving Critical Infrastructure Cybersecurity." This NIST Framework has now become the de facto standard for cybersecurity. Let's take a look at it. The NIST Cybersecurity Framework is an action-oriented approach to security and consists of three elements: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core provides a set of activities to achieve cybersecurity, described in the five areas of Identify, Protect, Detect, Respond, and Recover. Each of these activities is decomposed into a total of 23 categories of security activities. For example, we can see that the Detect area decomposes into the three categories of Anomalies and Events, Security Continuous Monitoring, and Detection Processes. Going deeper, the categories are further decomposed into a set of controls. For example, the Detection Processes category is broken down into five subcategories: roles and responsibilities are defined, detection activities comply with requirements, detection activities are tested, detection information is communicated, and detection processes are continuously improved. Each of these subcategories is referenced to the relevant NIST, ISO and COBIT standards. The NIST Cybersecurity Framework doesn't introduce its own set of controls. 
It provides a higher-level framework which can be used to develop a contemporary cybersecurity profile for an organization, but it relies on existing control frameworks for its implementation. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faymffgbdmgschjfw81tx.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faymffgbdmgschjfw81tx.PNG" alt="Image description" width="479" height="215"&gt;&lt;/a&gt;&lt;br&gt;
These are COBIT, ISA (otherwise known as IEC 62443), ISO 2700 and NIST SP 800-53. A draft of the Cybersecurity Framework version 2.0 has been released, and this includes a sixth area called Govern, into which a number of the existing categories in the five other areas have been moved. This change consolidates governance for the framework and adds a new category to explicitly call out a requirement for oversight. It also adds additional subcategory controls.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 3; Adopting the NIST Cybersecurity Framework&lt;/strong&gt;&lt;br&gt;
The second component of the NIST Cybersecurity Framework is the framework profile. This is used to align business outcomes and cybersecurity activities, providing a view of risks and a development plan to bridge the two. The third and final component of the NIST Cybersecurity Framework is a maturity model for cybersecurity known as the implementation tiers. The basic level of cybersecurity maturity is the partial implementation tier. This is characterized by enterprise risk management being somewhat ad hoc and reactive, where cybersecurity activities aren't based on risk objectives or business outcomes and where there's little external collaboration. At the next level of maturity, risk management practices are formalized but may not be adopted across the enterprise. There's informal sharing of cybersecurity information internally, but not externally. The third tier of maturity, repeatable, is where risk management is formalized and mandated as policy, and processes exist to respond to changes in risk. Collaboration and information sharing exist both internally and externally. The highest maturity level, adaptive, extends the third level with the awareness and agility to apply continuous changes to cybersecurity activities as a result of changes to assets, threats, and vulnerabilities. When adopting the cybersecurity framework for an organization, NIST recommends establishing two profiles. The first should represent the current state of cybersecurity as assessed against the subset of enterprise-specific activities that have been selected as being required. This is what cybersecurity looks like now. The second should be the target state of cybersecurity, set as the acceptable level of risk against each of the enterprise-specific activities. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuvdbc5ail1hs24qur7zj.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuvdbc5ail1hs24qur7zj.PNG" alt="Image description" width="634" height="213"&gt;&lt;/a&gt;&lt;br&gt;
A security plan of prioritized projects can then be defined to close the gap between the current and the target state framework profiles. For an organization that's starting up its cybersecurity program, there are some key actions required to take advantage of the cybersecurity framework. The first is to identify the key business outcomes and then understand the threats and vulnerabilities to those outcomes. Create a profile, conduct a risk assessment, decide on the target profile, determine, analyze, and prioritize the gaps to create the action plan, and establish and execute a program to implement the plan.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 4; Understanding The Basics of Cyber Risk&lt;/strong&gt;&lt;br&gt;
Risk is an essential part of doing business, whether it's taking a risk on a merger or acquisition, taking a risk that purchasing new equipment will be a cost-effective investment, or whether there's sufficient plant protection to avoid injuries to workers. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5wv78kzn8lqmiopg5vq.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5wv78kzn8lqmiopg5vq.PNG" alt="Image description" width="702" height="259"&gt;&lt;/a&gt;&lt;br&gt;
Management needs to understand their level of risk exposure and make sure that it's within their risk appetite. Cybersecurity is, at its heart, the management of risk related to internet-connected businesses. This includes the threat of hackers and malicious software entering from the internet, the vulnerabilities of internet-facing IT systems, and the attack countermeasures or controls, all of which affect how successful the business will be in meeting desired outcomes. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F983lqmudzn4p6x0v61o4.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F983lqmudzn4p6x0v61o4.PNG" alt="Image description" width="389" height="254"&gt;&lt;/a&gt;&lt;br&gt;
A standard approach to managing risk has been developed by the National Institute of Standards and Technology, and its application is described in Special Publication 800-30, Guide for Conducting Risk Assessments. The International Standards Organization also provides guidance with its ISO 27005, Information Security Risk Management publication. While there are minor terminology differences, the intent of both documents is the same. Cyber risk focuses on the information technology assets we operate and the services we deliver. It starts with a threat event, which must be analyzed to determine the likelihood that the event will occur. This is done by considering the likely threat actors, their capabilities, and their resources. The intent or motivation needs to be considered. What is it that drives this threat actor to want to mount an attack? An attacker will only attack if the results outweigh the cost of attacking, and that depends on the value of the target to the threat actor. This could be financial gain, obtaining intelligence, disrupting services or just peer recognition. Think about the scam emails you've received. Who is the likely threat actor? Might it be just a student looking for a couple of extra dollars, or could it be an East European organized crime gang? Think about their capabilities and what it means for the sophistication of the attack. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8tlnhe0ik8q5c47e7suf.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8tlnhe0ik8q5c47e7suf.PNG" alt="Image description" width="533" height="221"&gt;&lt;/a&gt;&lt;br&gt;
The next risk issue to consider is the set of vulnerabilities in the information and processing assets (databases, workstations, servers and networks) which this event can exploit to cause damage. For instance, a data center in the basement of a building may be vulnerable to a flood event. A website may have a software vulnerability which can be exploited. A server without an uninterruptible power supply would be vulnerable to a power outage. However, not all vulnerabilities are equal. A flood may be catastrophic, with the whole data center out of action for weeks, whereas an attack which exploits a website flaw may just be a nuisance. Then we consider the impact to the business in the event the threat is realized. This is typically done by carrying out a business impact assessment to determine what systems will be affected, how this flows on to business processes, and the cost of service degradation or failure to meet critical levels of performance. Being able to describe a security event as a business impact is a powerful way of gaining the attention and the respect of the business and of getting a well-balanced business decision on what to do about the threat. Controls may have been put in place to protect the asset, and their effectiveness needs to be considered for each of the feasible threat scenarios. This will then allow calculation of the overall risk.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 5; Analyzing Cyber Threats And Controls&lt;/strong&gt;&lt;br&gt;
The cybersecurity risk management program starts with sourcing threat intelligence. Let's have a look at some sources of threat intelligence. A useful catalog of threats can be found at Appendix E to the NIST Special Publication. This catalog provides representative examples of adversarial threat events expressed as tactics, techniques, and procedures, or TTPs, and non-adversarial threat events. Another useful source of TTPs is the Mitre ATT&amp;amp;CK site, which is used in Mitre's Cybersecurity Resiliency Framework. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh0jqq33icotzyd8hjw7s.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh0jqq33icotzyd8hjw7s.PNG" alt="Image description" width="680" height="198"&gt;&lt;/a&gt;&lt;br&gt;
This is a detailed source of information on who the threat actors are and how they carry out their cyber attacks. Many of the threats that have been turned into exploits and are being seen in cyber attacks are listed in the Exploit-DB database. For example, here we see the details of an exploit against the SmartRG Router. There are a number of companies that publish malware analysis reports, such as this one produced by VMRay. These are useful for gaining an insight into the contemporary techniques being used by attackers. There are four possible treatments once an assessment has identified the risk: risk acceptance, where the risk is within the business's appetite; risk avoidance, where it's better to stop doing that line of business than take the risk; risk transfer, where a third party takes the risk, such as insurance to cover the risk should it eventuate; and risk mitigation, where controls are implemented to reduce risk. Risk mitigation, and the protection of business outcomes it provides, means implementing controls in the form of cybersecurity policies, processes, and technical solutions. We'll cover controls shortly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 6; Recording, Reporting, And The Risk Context&lt;/strong&gt;&lt;br&gt;
A key part of risk management is maintaining a record of the risks that have been identified and, where relevant, tracking the progress of work to reduce the risk. The normal way to record risks is in a risk register. This could be a manual record, but more usually it's automated. The basic form of automation is using a spreadsheet. Larger organizations may use more sophisticated governance, risk and controls, or GRC, solutions, although the principle as far as managing risk is the same. The risk register contains the basic risk information, such as an ID and name, classification information, and the risk owner. It also contains a summary of the consequences of a risk being realized. The risk information is usually presented in two ways. The first is the inherent risk, assuming no controls are in place. This is useful to know because it determines how strong the controls need to be. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Falf2xqxvxhxcpw7lzpdm.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Falf2xqxvxhxcpw7lzpdm.PNG" alt="Image description" width="650" height="258"&gt;&lt;/a&gt;&lt;br&gt;
The higher the risk, the stronger the control. Then the control details are provided and a residual risk is calculated to show the current risk that is being experienced by the business. Take a few minutes to set up your own spreadsheet risk register as we've just discussed, and add an entry, malware infection. Think about your own situation. What could be the root cause, the consequence, and the inherent risk level? What controls do you have in place, and what is the residual level of risk?  &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqfrn88573zy9hopupg33.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqfrn88573zy9hopupg33.PNG" alt="Image description" width="442" height="252"&gt;&lt;/a&gt;&lt;br&gt;
Risks can be shown as bubbles on what's known as a risk heat map, where individual risks are charted in the cell which exists at the intersection of the likelihood row and the impact column. This is sometimes called a risk bubble chart. A typical approach to managing risks is to accept any very low risks which appear in the green area. Low risks shown in the gold area are accepted but monitored to ensure they don't increase. Medium risks in the yellow area are scheduled for routine remediation work, and high and very high risks are shown together here in the red area and require immediate remediation. This form of risk chart is very common, and it provides a succinct way to present a high-level picture of the risks. Sometimes the bubble chart is enhanced to show the planned progress of mitigations, using an arrow and a bubble to identify the final expected risk level after mitigation. This is a powerful way to show the work being done to reduce risk. The term "risk context" refers to the risk bubble chart and the tables used to determine likelihood and impact. Here we can see the tables representing the five levels of likelihood, which make up the vertical axis on the heat map, and the multiple tables representing different perspectives on impact, which together make up the horizontal axis. These tables are typically developed specifically for the business by their risk officer. The risk context should also include guidance on the actions required to be taken at each risk level, reflecting more urgent action and more intense oversight at the higher levels of business risk.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 7; An Advanced Risk Framework&lt;/strong&gt;&lt;br&gt;
NIST, in December 2018, issued revision 2 to their original special publication on risk: SP 800-37: Risk Management Framework. The Risk Management Framework provides a disciplined, structured, and flexible process for managing security and privacy risk. It covers information security categorization, control selection, implementation, and assessment, system and common control authorizations, and continuous monitoring of risks. The Risk Management Framework considers risk at three levels: information systems risk, mission or business process risk, and whole of business risk. The risk management process involves preparation of the necessary risk material needed to carry out risk management. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fimwl484prbwp9kwc854p.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fimwl484prbwp9kwc854p.PNG" alt="Image description" width="395" height="228"&gt;&lt;/a&gt;&lt;br&gt;
This is followed by a six-stage process of categorization, selection, implementation, assessment, authorization, and monitoring. The prepare stage of the framework involves seven actions, three of which are risk-related and four controls-related. They are: assign people to risk management roles; prepare the risk management context, also known as the risk strategy; complete an organization-wide risk assessment; establish control baselines according to the standards relevant to the organization; identify common controls and prioritize them according to the potential impact of an attack; and develop the plan for monitoring control effectiveness. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F22p4mtksalabz7klcp7x.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F22p4mtksalabz7klcp7x.PNG" alt="Image description" width="417" height="289"&gt;&lt;/a&gt;&lt;br&gt;
The categorize phase overlaps somewhat with the prepare phase, as it requires a full review of the IT systems in use, particularly identifying the system characteristics and the information they process and store. The next step is to determine the impact levels to confidentiality, availability, and integrity. And the final step is to get business endorsement or authorization of the three impact classification levels. The select stage requires that controls are selected and tailored to the specific system environment, to mitigate all risks to the system that are beyond risk appetite. This is judged by determining the risk level, and then now identifying from the risk context whether controls are required. The steps in the select stage are: control selection, either by adopting a baseline set of controls, by a custom set of controls driven by the risk assessments, or by a combination of both; control tailoring to suit the operating environment; control allocation to systems, ensuring that the specific business requirements for security in that system are met across people, process, and technology; documenting the controls for each system in a system security plan; developing and implementing the approach to continuous monitoring of control effectiveness; and gain business approval of the system security plans and continuous monitoring process. The next stage is to implement the controls that have been identified for the system, and maintain the system security plans accordingly. The assess stage is about through-life assessment of the system to ensure that controls are effective, and there is no evidence of a breach. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7da34a7yoj2yqz1qc5m8.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7da34a7yoj2yqz1qc5m8.PNG" alt="Image description" width="675" height="116"&gt;&lt;/a&gt;&lt;br&gt;
There are seven steps in this stage of the risk management life cycle: select the assessor, based on the candidate's qualifications and knowledge of the target; develop the plan for the assessment; carry out the assessment plan for the controls; report on control effectiveness, providing findings and recommendations; remediate any findings that can be immediately rectified; and develop an overall plan of action for findings that can't be immediately rectified. The purpose of the authorize stage is to provide organizational accountability, by requiring a senior manager to determine whether the security and privacy risk represented by the overall set of risk management activities and plans is acceptable. This stage has five steps: developing the submission; management review; additional risk management response to any issues raised; approval decisions for each system; and an authorization report. The final stage is monitoring. This is a key stage of the framework which provides ongoing situational awareness of the security and privacy posture of the information system and the organization in support of risk management decisions, and it includes some of the above stages. It has seven steps: the systems and environment are monitored for any changes that might occur; in-flight assessments are performed as required; any issues identified are responded to; risk management documents are maintained; security and privacy risks are reported regularly; authorizations are given to systems as required; and systems are securely disposed of when no longer required.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 8; Managing Security With COBIT&lt;/strong&gt;&lt;br&gt;
One of the more important IT frameworks for the enterprise is COBIT, the Control Objectives for IT. COBIT is published by the Information Systems Audit and Control Association, ISACA, and its purpose is to ensure that enterprises have in place an effective and auditable set of governance and management processes for IT, which deliver value for their stakeholders. COBIT is designed around a set of processes. These are grouped into the four areas of plan, build, deliver, and monitor. We can see at the top left the Plan group, known in full as Align, Plan and Organize, with its 14 APO processes. Below that is the Build, Acquire, and Implement group. It has 11 processes. At the bottom of the diagram are the six processes in the Deliver, Service and Support group. And to the right is the Monitor, Evaluate and Assess group with its four processes. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhqff4l2hbsfcrxoq0qko.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhqff4l2hbsfcrxoq0qko.PNG" alt="Image description" width="503" height="244"&gt;&lt;/a&gt;&lt;br&gt;
The COBIT framework is used by the financial sector for carrying out IT general controls external audits. Consequently, having a COBIT-aligned security framework is the first step in putting in place an IT environment which will meet regulatory obligations. From a cybersecurity perspective, there are two key processes for security: APO13, Managed Security, in the Plan group, and DSS05, Managed Security Services, in the Deliver group. Of course, there are many other processes in which security plays a part. For example, security incident management is an important activity, but this falls within the overall IT process of DSS02, Managed Service Requests and Incidents. Let's take a look into APO13, Managed Security, which defines the requirement for security management. The process description is "define, operate and monitor a system for information security management". And it has five goals: support IT and business compliance; support the management of IT and enterprise risk; contribute to the transparency of IT costs and benefits; ensure the security of information, infrastructure, and applications; and provide reliable information for decision making. APO13 consists of three control objectives: APO13.01, establish and maintain an Enterprise Information Security Management System; APO13.02, define and manage a security plan which establishes a set of objectives to progress towards the desired security posture; and APO13.03, monitor and review the ISMS. The Enterprise Information Security Management System, or ISMS, defines the approach taken to ensuring information security is effective. This is often aligned to the set of requirements outlined in the international standard ISO 27001, information security management systems requirements. While APO13.01 is a single control objective, satisfying it involves putting in place a number of lower-level controls from the ISO 27000 series of standards.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 9; COBIT For Operational Security&lt;/strong&gt;&lt;br&gt;
Let's look now at the second security-focused process, DSS05-Managed Security Services. The description of this process is to protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy, establish and maintain information security roles and access privileges, and perform security monitoring. Essentially, DSS05 defines the requirements of operational security. DSS05 provides operational processes to satisfy three of the five APO13 goals, support IT and business compliance, support the management of IT and enterprise risk, and ensure the security of information, infrastructure, and applications. There are seven operational security control objectives in DSS05, which provide the foundation for a defensive cybersecurity program. Let's take a look at what's in each of them. The first control objective is protect against malware. Malware is one of the main challenges in cybersecurity today, and protecting against it involves a number of activities and controls. These include antivirus, security patching, security information awareness, and in contemporary terms, cyber threat intelligence, change management, security filtering of email and web traffic, and security training. The second control objective is manage network and connectivity security. This includes establishing and enforcing policy on network connections, enforcement of password entry, the configuration and use of firewalls and intrusion detection systems, network security protocols and communications encryption, network configuration, security mechanisms to ensure trusted transmission and receipt, network security control testing and penetration testing. A critical control for this objective is network segregation. Manage endpoint security covers the security of laptops, desktops, servers, mobile devices, and network equipment. 
It requires that controls are put in place to ensure the endpoints are securely configured, hardened to remove unnecessary ports and protocols, and that remote access is managed. The next control objective is manage user identity and logical access. Identity and access management is a very complex issue and this one control objective can easily consume half the effort in a mature cybersecurity program. It's also the area which generates a good proportion of all audit findings, so it pays to keep a tight focus on it. This process requires that identities are managed from creation to removal, access rights are established and maintained in line with the roles and responsibilities of the organization, that access to systems and information is authorized and authenticated, that privileged access is strictly controlled, and that access rights are regularly reviewed, and that appropriate audit trails of access are kept. The fifth of these control objectives covers the management of physical access to IT assets. This includes perimeter protection, such as fences, doors, and locks, intruder detection systems, access controls for data centers and office spaces, identity cards and visitor-management procedures. Increasingly, the use of cloud-based infrastructure is reducing the effort required to manage this area but increasing the dependence on and the oversight of third-party security. Managing sensitive documents is an increasingly important aspect of security, as the focus of protective measures shrinks from the perimeter to the information itself. With employees taking laptops out of the enterprise and sending data out to mobile devices, perimeter security devices such as corporate firewalls no longer protect enterprise information. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0xr9pf4mignjo9hvu43p.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0xr9pf4mignjo9hvu43p.PNG" alt="Image description" width="659" height="227"&gt;&lt;/a&gt;&lt;br&gt;
New techniques such as digital rights management and mobile email encryption need to be employed. This process also includes information- and device-centric controls, such as password- or PIN-controlled printing and PIN codes on mobile devices. Finally, monitoring the infrastructure for security-related events provides the detective controls which are needed to identify security breaches should the enterprise's preventative controls fail. This control objective includes the operation of intrusion detection and prevention systems, logging and alerting on security-related events, operating log management and security information and event-monitoring systems, delivering security incidents to the incident-management process, carrying out forensics, and managing evidence. These are all key activities for a cybersecurity operations center.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 10; Introduction to Cybersecurity Controls&lt;/strong&gt;&lt;br&gt;
The term cybersecurity means to protect things in cyberspace from attack. And we do this by using security controls. When designing our controls we need to make sure they're fit for purpose. Firstly, we need to check whether the cost of the control is more or less than the loss associated with the impact of the attack. We often see a curve graph to explain this, where we plot the cost of an increasingly powerful control against the benefit it provides. Where the cost of achieving additional risk reduction outweighs the benefit it provides, we don't proceed with any further control. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvfvbt3vcyhr4s0weay0y.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvfvbt3vcyhr4s0weay0y.PNG" alt="Image description" width="682" height="252"&gt;&lt;/a&gt;&lt;br&gt;
Secondly, we need to consider how effective the control is against the threat. The result of assessing the risk based on the likelihood and impact of a threat is known as the inherent risk. When controls are implemented, there'll usually be an acceptably small level of risk remaining, which is known as the residual risk. We can apply what's known as a multi-tiered or defense-in-depth control strategy to mitigate cyber risks. There are four key types of controls that can be applied, and it's generally recommended that two or more are used together. The first is deterrent controls. These reduce the threat. An example of this is incarceration, which deters would-be criminals from carrying out their attacks. Preventative controls are designed to stop the attack from succeeding by not allowing it to get at an asset to exploit a vulnerability. A firewall is one such preventative control, blocking protocols that might be used as attack vectors. Detective controls are used to detect that an attack has taken place. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu7oqrxwoba0fhod87zgs.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu7oqrxwoba0fhod87zgs.PNG" alt="Image description" width="427" height="242"&gt;&lt;/a&gt;&lt;br&gt;
A burglar alarm is a typical detective control. And finally, corrective controls are used to reduce the impact of an incident. A good example of this is recovery from data backups. The NIST Cybersecurity Framework presents corrective controls as the respond and recover functions. Let's look at an example. In order to protect data from unauthorized modification, we firstly apply access controls to ensure that anyone trying to access the data has been authorized. In case this fails, we then monitor for any data changes. If data is changed maliciously, we can recover it by restoring from backup.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 11; Cybersecurity Control Framework&lt;/strong&gt;&lt;br&gt;
While controls can be applied by an enterprise as a customized response to business risks, in many cases an external authority will direct that a predefined set of controls be adopted as a baseline for security. An example of government policy is SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which federal organizations are required to adopt. An authority may also be an industry body, such as the Payment Card Industry Council, which requires that merchants adhere to the Payment Card Industry Data Security Standard. NIST's SP 800-53 is one of two important control frameworks used in cybersecurity, the other being ISO 27002. They're both structured as a set of control categories, with each category containing a number of specific controls. While the categories and the controls are different for each standard, they can be mapped against each other. These two control frameworks are widely referenced by other security schemes, in particular the NIST Cybersecurity Framework. The controls in ISO 27002 are described in a three-tier hierarchy of security category, security control objective, and control. Let's have a look at an example. Here, we can see access control is the main category, operating system access control is the control objective, and user identification and authentication is the control. The NIST SP 800-53 controls are described in a two-tier hierarchy. In this example, identity and authentication is the control family, and identity and authentication, organizational users, is the control. The description is very similar to the description of the ISO 11.5.2 control. An important first stage in implementing a control framework is to create what's known as a Statement of Applicability. The Statement of Applicability is the main link between the risk assessment and the selection of controls, and its purpose is to provide evidence that all controls have been considered. 
The controls that aren't applicable won't be implemented, and the rationale for omitting them is recorded in the Statement of Applicability. Developing a clear Statement of Applicability is a good way to reduce the effort required to meet and maintain a compliant and effective security posture. There are a number of specific considerations around controls. Common controls can be inherited by one or more systems, reducing both deployment and ongoing operational effort and cost. Where specific controls are called for but are either not yet present or can't be implemented, compensating controls will be required, such as sample checks of manual authorizations in the absence of an electronic authorization process. Once a control has been implemented, it needs regular testing, and this should be a routine part of any compliance program. Control testing involves two stages: testing design effectiveness, and testing operational effectiveness. Design effectiveness is checked by verifying that the control, as implemented, meets the original design requirements. For example, a design test of ISO control 11.5.2, user identification and authentication, would involve verifying configuration files. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fekicrks1ad2r1gefrz9y.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fekicrks1ad2r1gefrz9y.PNG" alt="Image description" width="565" height="180"&gt;&lt;/a&gt;&lt;br&gt;
This confirms that access to the system requires entry of a user identifier, and that a password or some other form of authentication is required before access to the system is allowed. Operational effectiveness involves testing the system and making sure that the control continues to be effective against attack. For example, a penetration tester might attempt an SQL injection on the user identifier field in a log-on form to see whether access can be gained without entering valid credentials.&lt;/p&gt;
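&lt;p&gt;The two control tests just described, written out as an added example (this is not code from the original article): a design-effectiveness check over a constructed log-on configuration, and an operational-effectiveness probe that sends an injection string through the user-identifier field of a log-on routine, run against both a weak and a corrected form of that routine. The configuration dict, the SQLite schema, the account data and the APP_KEY secret are all constructed for the example.&lt;/p&gt;

```python
"""Design and operational tests for a 'user identification and authentication'
control (ISO 27002 11.5.2 style). Added example; everything here is constructed."""
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the log-on configuration a design test would read.
LOGIN_CONFIG = {"require_user_id": True, "require_password": True, "min_password_len": 12}

# Constructed application secret. Simplification: a keyed hash lets the log-on
# routine hash the password before querying; production systems should use a
# per-user salt and a slow KDF such as PBKDF2 or Argon2 instead.
APP_KEY = b"example-key-do-not-reuse"


def design_test(config):
    """Design effectiveness: the control as configured must demand both a user
    identifier and a password. Returns the list of findings (empty means pass)."""
    findings = []
    if not config.get("require_user_id"):
        findings.append("user identifier not required at log-on")
    if not config.get("require_password"):
        findings.append("password not required at log-on")
    if not config.get("min_password_len", 0) >= 8:
        findings.append("minimum password length below 8 characters")
    return findings


def _hash(password):
    return hmac.new(APP_KEY, password.encode(), hashlib.sha256).hexdigest()


def make_db():
    """Constructed user store holding a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse battery")))
    conn.commit()
    return conn


def login_vulnerable(conn, user_id, password):
    """The 'before' form: the identifier is spliced into the SQL text, so the
    content of the field can change the structure of the query."""
    sql = ("SELECT user_id FROM users WHERE user_id = '" + user_id
           + "' AND pw_hash = '" + _hash(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, user_id, password):
    """The corrected form: a bound parameter keeps the identifier as data, and
    the hash comparison is done in constant time in application code."""
    row = conn.execute("SELECT pw_hash FROM users WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash(password))


def operational_test(login):
    """Operational effectiveness: can access be gained through the user-identifier
    field without valid credentials? Returns {probe name: access granted}."""
    conn = make_db()
    probes = {
        "valid credentials": ("alice", "correct horse battery"),
        "wrong password": ("alice", "wrong"),
        # The textbook log-on probe: a quote and an SQL comment marker in the
        # identifier field, intended to cut the password clause off the query.
        "identifier injection": ("alice' --", "anything"),
    }
    return {name: login(conn, uid, pw) for name, (uid, pw) in probes.items()}


if __name__ == "__main__":
    print("design findings:", design_test(LOGIN_CONFIG))
    print("vulnerable log-on:", operational_test(login_vulnerable))
    print("hardened log-on:", operational_test(login_hardened))
```

&lt;p&gt;A passing design test with a failing operational test is the case the chapter warns about: the configuration says authentication is required, yet the implementation still grants access without a valid credential.&lt;/p&gt;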

&lt;p&gt;&lt;strong&gt;Chapter 12; Cybersecurity Standards of Good Practice&lt;/strong&gt;&lt;br&gt;
There are a number of industry standards of good practice which provide guidance on cybersecurity. The most well-known is the ISF Standard of Good Practice. It's essentially a risk and control framework for managing cybersecurity. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgzylw7nhx1m37odcffl8.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgzylw7nhx1m37odcffl8.PNG" alt="Image description" width="696" height="155"&gt;&lt;/a&gt;&lt;br&gt;
The Standard of Good Practice is consistent with the major recognized information security standards such as ISO 27002, the NIST Cybersecurity Framework, COBIT and the PCI DSS control standards. It also aligns with the controls required to satisfy Europe's General Data Protection Regulation. It incorporates the ISF Risk Assessment Methodology, or IRAM, which presents a risk management scheme with the three phases of business impact assessment, threat and vulnerability assessment, and control selection. Let's have a look at what the ISF controls look like. The ISF Standard of Good Practice structures its controls into categories, areas, and topics. Let's have a look at the security monitoring and improvement category. It has two areas and eight topics. The two areas are security audits, with its five topics, and security improvement, with its three. If we dig down into security monitoring, topic S 12.1, it has a principle: the information security condition of the organization should be monitored regularly and reported to executive management. And an objective: to provide executive management with an accurate, comprehensive, and coherent assessment of the information security condition of the organization. The Standard of Good Practice is a comprehensive industry approach to security, but it is only available to members of the Information Security Forum. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ok7r7thmwgjohvknvs8.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ok7r7thmwgjohvknvs8.PNG" alt="Image description" width="445" height="233"&gt;&lt;/a&gt;&lt;br&gt;
The Central Bank of the Netherlands, DNB, has published a cybersecurity standard of good practice as guidance for the financial sector. This is freely available from their website. As we can see it takes a risk and testing perspective on controls. The standard is structured into categories with each having one or more controls. There are almost 60 controls detailed in the standard across these categories. The standard contains a maturity model in support of the process category. Here we see five levels of maturity, starting with initial and progressing through repeatable, defined, managed and measured to continuous improvement. Each level builds on the previous ones and adds more rigor to the process at each step. Here we see one of the controls. This is the DNB standard of good practice guidance on security and monitoring. The DNB standard isn't as well known as the ISF standard but it is free and it contains a lot of valuable guidance.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Cybersecurity Foundation, What You Should Know</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Tue, 03 Dec 2024 21:28:24 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/cybersecurity-foundation-what-you-should-know-39j5</link>
      <guid>https://dev.to/romanus_onyekwere/cybersecurity-foundation-what-you-should-know-39j5</guid>
      <description>&lt;p&gt;&lt;strong&gt;Table of Contents&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Chapter 1; Understanding The Cyber Kill Chain&lt;br&gt;
Chapter 2; Pre-cyber Threats&lt;br&gt;
Chapter 3; The Emergence of The Cyber Threats&lt;br&gt;
Chapter 4; Botnets And The Cybercrime Industry&lt;br&gt;
Chapter 5; Cloaking And Alternate Data Streams&lt;br&gt;
Chapter 6; Controlling The Target Through a Rootkit&lt;br&gt;
Chapter 7; Phishing And Watering Holes&lt;br&gt;
Chapter 8; Understanding Advanced Persistent Threats&lt;br&gt;
Chapter 9; Ransomware: A Modern Form of Extortion&lt;br&gt;
Chapter 10; Hardware Implants And Other Cyber FUD&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 1; Understanding the Cyber Kill Chain&lt;/strong&gt;&lt;br&gt;
In the 1990s, cyber attack was generally associated with pranks by bored teenagers just hacking around for fun. However, the potential for committing crime via the Internet did not go unnoticed, nor did the possibility of exploiting connectivity for intelligence gathering. Nowadays, cyber attacks come mostly from organized criminals and state-sponsored agents using well-defined end-to-end business processes. In 2009, a team from the Lockheed Martin Cyber Emergency Response Team produced a seminal paper on cyber attack called "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains". The research paper introduced the concept of what is now commonly known as the Cyber Kill Chain. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhzmdqlgyho84wwoi2anx.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhzmdqlgyho84wwoi2anx.PNG" alt="Image description" width="671" height="224"&gt;&lt;/a&gt;&lt;br&gt;
The Cyber Kill Chain views an attack in seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Action. An attack doesn't always progress from one step to the next. They'll often overlap, but each stage represents a milestone in prosecuting the attack. Reconnaissance is the term given to finding a target and understanding its characteristics, the cyber equivalent of casing the joint. Individuals typically have one address on the Internet, which has been allocated by their Internet Service Provider, whereas a business may have a number of addresses in what's known as their Internet Domain. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8xul9up282bm2yhip9v.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8xul9up282bm2yhip9v.PNG" alt="Image description" width="478" height="254"&gt;&lt;/a&gt;&lt;br&gt;
A cyber attack against a business target will start with a known website address, and then scan the Internet space around that address for other systems used by the target. The business will see this as a response check on every host in its domain. This is known as an IP address scan. When the attacker has a list of active hosts, he or she will scan each host in turn to find out what entry points are exposed. This is known as a port scan. It is done to identify potential vectors for attack and to check the versions of software used in those vectors. Attacks nowadays are not done manually. &lt;/p&gt;
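&lt;p&gt;The two reconnaissance patterns described above, an IP address scan across the target's address space followed by a port scan of the hosts that answered, as a defender sees them in firewall logs. This is an added example, not code from the original article: it parses constructed log lines and flags sources whose behaviour matches either pattern. The log format, the addresses and the thresholds are all assumptions.&lt;/p&gt;

```python
"""Flag IP address scans and port scans in constructed firewall log lines.
Added example; the log format, addresses and thresholds are assumptions."""
from collections import defaultdict
import re

# Assumed log line format: "TIMESTAMP src=IP dst=IP dport=PORT action=VERDICT"
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def build_sample_log():
    """Constructed firewall log: one scanner (198.51.100.7) sweeps eight hosts on
    port 443, then probes eleven more ports on the one host that answered; a
    benign client (192.0.2.10) talks to two services on that same host."""
    lines = []
    for i in range(1, 9):
        lines.append(f"2024-12-03T10:00:{i:02d} src=198.51.100.7 dst=203.0.113.{i} dport=443 action=DROP")
    for j, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 445, 3389, 8080]):
        lines.append(f"2024-12-03T10:01:{j:02d} src=198.51.100.7 dst=203.0.113.3 dport={port} action=DROP")
    lines.append("2024-12-03T10:02:00 src=192.0.2.10 dst=203.0.113.3 dport=443 action=ALLOW")
    lines.append("2024-12-03T10:02:05 src=192.0.2.10 dst=203.0.113.3 dport=80 action=ALLOW")
    return "\n".join(lines)


def parse_log(text):
    """Return (src, dst, dport, action) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return events


def detect_scans(events, host_threshold=5, port_threshold=10):
    """Flag sources that touch many distinct hosts (IP address scan) or many
    distinct ports on a single host (port scan). Returns {src: [labels]}."""
    hosts_seen = defaultdict(set)                       # src -> {dst}
    ports_seen = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dport}
    for src, dst, dport, _action in events:
        hosts_seen[src].add(dst)
        ports_seen[src][dst].add(dport)
    findings = {}
    for src, dsts in hosts_seen.items():
        labels = []
        if len(dsts) >= host_threshold:
            labels.append("ip_address_scan")
        if any(len(ports) >= port_threshold for ports in ports_seen[src].values()):
            labels.append("port_scan")
        if labels:
            findings[src] = labels
    return findings


if __name__ == "__main__":
    for src, labels in detect_scans(parse_log(build_sample_log())).items():
        print(src, ", ".join(labels))
```

&lt;p&gt;Dropped packets still count here: the sweep is visible even when the firewall blocks it, which is why denied traffic belongs in the monitoring pipeline, not just the allowed traffic.&lt;/p&gt;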

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4jvrxk0r1t4e0qea6253.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4jvrxk0r1t4e0qea6253.PNG" alt="Image description" width="599" height="235"&gt;&lt;/a&gt;&lt;br&gt;
An attacker will usually purchase time on a network of compromised computers in order to run automated scans. These networks are known as Botnets, and may consist of hundreds of thousands, if not millions of compromised computers. This allows cyber attacks to be run at scale. Weaponization means taking a known vulnerability and customizing it to a specific target or group of targets, and integrating it to enable it to be run from an automated cyber attack platform. The weaponized malware may be designed to exploit a vulnerability in a specific version of an operating system, or target a specific online banking website. In the age of hacking as a business, cyber criminals will often purchase the weaponized malware from dedicated developers, rather than develop their own. The most common way of delivering malware is to attach an infected document, a PDF image, or other electronic item in a way that when the document is opened, the malware will self-install. This file can then be sent to the victim via email, a process known as phishing. Another way might be to find a vulnerable website, infect it with malware, and send an email invitation to the target to visit the website. If the victim visits the website, then the malware is downloaded and infects their workstation. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1xuhn8gxlrgc888hzd39.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1xuhn8gxlrgc888hzd39.PNG" alt="Image description" width="612" height="207"&gt;&lt;/a&gt;&lt;br&gt;
A third way might be to use default user IDs and passwords built into software on the target system, or to use a stolen user ID and password to enter the target system and directly implant the malware. It's also possible to find flaws in the software that's exposed to the Internet and to manually deliver the malware. In practice, an attack will often require establishing a beachhead on an Internet-exposed host, and then using that to penetrate deeper into the system to get to the real target, which may not be directly connected to the Internet. Finally, an infected flash drive can be used to deliver the malware, and this can be very effective if the target system is not connected to the Internet. This requires that a user of the target system can be persuaded or tricked into using the flash drive. For email attachment and flash drive attacks, the infected item will exploit a vulnerability in the target software post-delivery, when the document is opened. A compromised website may similarly download HTML code, which takes advantage of a browser vulnerability. In the case of remote access, the exploitation phase may use a packet stream to exploit a vulnerability in the protocol of an Internet-exposed service, or may simply use cracked or stolen credentials. After the exploitation phase, the malware or intruder may simply take action, skipping directly to the last phase of the Cyber Kill Chain. However, the more usual case is that a payload is installed either into the memory, or onto the hard disk of the target system. Additionally, some form of mechanism may be introduced to make sure the payload is restarted every time the system is rebooted. One way of doing this in Windows is to add a registry entry to automatically run the payload when the system starts up. The payload will often be, or include, a means of maintaining ongoing access into a command shell. A system compromise is often automated. 
Once a payload has been installed, the first action it takes will be to connect back to a Command and Control server to register as a compromised host. The attacker will then want to direct the implant to take action, such as listing the sub (indistinct) files, extracting specific named files, modifying or replacing software, and so on. An important feature of the payload is that it can determine the address of the Command and Control server, which may change over time. Exactly what form of action is carried out by the payload when it arrives at its target depends upon the motives of the attacker. A hacktivist may want to deface a website. A state-sponsored agent may want to steal sensitive information, and a cyber criminal may want to access a bank account in order to steal money. The common theme, however, is that whatever the action is, it's unlikely to be in the best interests of the target. Stop for a moment and think about this week's current events. Have you heard about a recent attack? How might you relate what you've heard to the Cyber Kill Chain? You probably heard about the action that happened, but not about the delivery phase. How might that have occurred?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 2; Pre-cyber Threats&lt;/strong&gt;&lt;br&gt;
In the early days of computing, the security threats faced by businesses reflected traditional pre-IT fraud. One traditional method of fraud is to have non-existent employees on the payroll, with their pay being drawn and paid into someone else's account.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx97d09auj27jkx621nld.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx97d09auj27jkx621nld.PNG" alt="Image description" width="350" height="224"&gt;&lt;/a&gt;&lt;br&gt;
In January 2012, a woman in Hawaii was indicted for allegedly attempting to embezzle money from the security guard firm for which she worked by registering two fictional employees and taking their pay. The scam would net her more than $200,000.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqkcnzlq59m6bdcqwcoj6.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqkcnzlq59m6bdcqwcoj6.PNG" alt="Image description" width="664" height="239"&gt;&lt;/a&gt;&lt;br&gt;
A second method is known as salami fraud, so named because it resembles shaving thin slices off a piece of meat. In this case, what's shaved is the fraction left over from a rounding calculation, or a few cents taken from each transaction. If the business deals in millions of transactions, this can become a significant fraud. A third form of fraud is payment for non-existent goods. This can happen when one person has the ability to raise a purchase order, receipt goods, and issue checks. A similar problem occurs for individuals when an online seller receives money in advance for non-existent goods, or rigs auctions by entering false bids to inflate prices. As the use of computer systems grew, so did the threats. More sophisticated forms of fraud emerged, taking advantage, in many cases, of the weakening controls in the IT environment.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F940znzvld2t2wur0068n.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F940znzvld2t2wur0068n.PNG" alt="Image description" width="678" height="255"&gt;&lt;/a&gt;&lt;br&gt;
The early days of computing brought with them youngsters enthralled by the challenge of using a computer and a modem to break into other computers, and so began the age of the teen hacker. This was mostly about individual challenge and peer recognition, although there were some early instances of what we now know as cyber espionage and cyber crime. The classic hacker of the 1990s was Kevin Mitnick, otherwise known as Condor. After a decade of hacking for no other reason than to demonstrate how good he was, Mitnick was finally caught and sentenced to three years' jail time. The full story, book and film, is described on the "Takedown" website. As the use of the web grew and information websites and business web portals became more common, we saw bored teenagers defacing websites and leaving I-got-you messages. Website defacements were also used as part of politically motivated attacks to communicate a political message, in what's known as hacktivism.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fufkq6gwiht2tbcy628do.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fufkq6gwiht2tbcy628do.PNG" alt="Image description" width="355" height="237"&gt;&lt;/a&gt;&lt;br&gt;
As dependence upon IT systems grew, another security threat to emerge was the denial-of-service attack, in which a remote attacker compromises IT systems by exploiting vulnerabilities or by overwhelming their ability to handle the volume of information flowing to them. As the internet grew, adversaries were able to take control of large numbers of computers, known as a botnet, and focus them on a single target, substantially amplifying the impact of the denial of service. This is known as a distributed denial of service, or DDoS. A global example of a denial of service occurred in February 2014, when an unknown attacker launched a rolling wave of distributed denial-of-service attacks on a variety of targets, country by country, around the world. The scale of the attack was enormous. The attack used a special feature of the Network Time Protocol to amplify the data. By the time a packet had reached the target, it had been amplified 50 times, making this the equivalent of about 250,000 individual denial-of-service attacks. One of the businesses targeted in this campaign was attacked by 4,278 individual IP addresses from over 80 countries, delivering a continuous stream of over 1 million packets per minute for about an hour. The graphic shows the timeline of data arriving from the internet to this company.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 3; The Emergence of The Cyber Threats&lt;/strong&gt;&lt;br&gt;
By the late 1990s, electronic commerce had become a significant part of the economy, and organized crime was starting to look at the potential for low-risk, high-gain crimes through the internet. Cybercrime started to grow rapidly, with one of the major targets being access to databases of credit card information. The loss of credit card data, known as a data breach, became a significant risk for businesses as the payment card industry introduced penalties for non-compliance with its cybersecurity standards. By 2010, cybercrime had become as big an industry as illicit drugs.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7zqw865ahiocskc6hw6t.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7zqw865ahiocskc6hw6t.PNG" alt="Image description" width="671" height="207"&gt;&lt;/a&gt;&lt;br&gt;
There have been many data breaches over the last few years. This visualization of data breaches shows the massive breaches at the Shanghai Police, Syniverse and Facebook. With a breach of half a billion records, Facebook takes top place in the last year or so. Credit cards are not the only sensitive information that can be breached. In June 2015, the US government admitted that intruders had stolen personnel files, including security clearance data, of over 4 million current and former government employees. Governments have, for some time, been the victims of hacking attacks, but with little evidence to be able to positively attribute the source. In June 2007, US officials disclosed that hackers had broken into the Pentagon through a directed attack on elements of the email system, and called it the most successful cyber attack on the US Defense Department up to that time. The US attributed the attack to China, as one of a number of Chinese attacks on Western governments known by the code name Titan Rain. China denied any involvement in the attacks. In 2010, the first attributed cyber sabotage case was made public. The US confirmed that it had worked with Israel to develop and deploy the Stuxnet malware to attack the Iranian nuclear enrichment program. It was successful, disrupting the nuclear production capability of Iran. We've seen a new form of attack in recent times, cyber influence operations, with the Clinton email attack, which focused on election meddling. Take a moment to check out the world's largest data breaches. Take a look at some of the smaller attacks and see if you can find how many records were lost by the craft beer company BrewDog.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 4; Botnets And The Cybercrime Industry&lt;/strong&gt;&lt;br&gt;
By its very nature, cybercrime lends itself to automation. The malware writers in the cybercrime business ecosystem are now some of the most proficient software writers in the world. But to make money from cybercrime requires automation to carry out attacks at scale. In the early days of computers, viruses propagated through floppy disks. As the internet grew, infections started to appear in file downloads, and as floppy drives were phased out, USB drives took their place as a vector for infection. Compromised websites began to host malware and take advantage of browser weaknesses to infect visitors. As the impact of viruses moved from nuisance value to financial gain, so did the automation of the crime. By automating, and by taking advantage of the growing popularity of email and the sheer size of the internet, organized crime was able to achieve cybercrime at a scale which has now eclipsed illicit drug dealing. Cybercrime scales by what's known as a botnet. A botnet consists of a criminal, known as the botmaster, who runs a number of command and control systems. The botmaster will usually encrypt his or her command and control access, and often disguise it to look like normal web traffic when accessing these systems.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fha49vulmzek11r67wdk7.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fha49vulmzek11r67wdk7.PNG" alt="Image description" width="360" height="241"&gt;&lt;/a&gt;&lt;br&gt;
Legitimate websites are compromised and used for command and control, each operating only for a certain period of time before being discarded and a new one taking over. The botmaster runs the command and control servers, and each command and control system, in turn, controls a large number of computers, known as zombies, that have been infected with a back door. A large botnet may have millions of zombies under its control. A typical task for a zombie would be to extract files from a target, to use the target as a source of email spam, or to send specially crafted packets out as part of a distributed denial of service attack.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgwiwxzxl69aq3vgpanfd.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgwiwxzxl69aq3vgpanfd.PNG" alt="Image description" width="663" height="248"&gt;&lt;/a&gt;&lt;br&gt;
Given that the command and control servers change, both the botmaster and the zombies have to be able to find the current server, and they do this by using a domain generation algorithm. This allows the malware to predict what URLs and/or IP addresses may be active at any particular time in the future. The domain name may stay the same while the IP address changes, or the domain and IP address may change together. The most notorious botnet, and the grandfather of many subsequent variants, is Zeus. Zeus itself is a botnet construction kit which enables an attacker to create a customized Zeus-style botnet through a simple-to-use desktop application. The construction kit delivers a selectable remote access trojan, or RAT, and a command and control module. The Zeus source code was leaked in 2010, and as a result it's been used by many cyber criminals to carry out attacks. It's also been used as the foundation to add functionality and create new botnets, such as Citadel, Ice IX and Gameover Zeus. Zeus's main purpose is to steal online credentials. It includes automated features such as copying the protected storage area which contains internet passwords, intercepting account credentials typed into a browser, or even modifying banking webpages sent from a server to add requests for passwords. Zeus can be used to target both computers and smartphones. Smartphone infections allow Zeus to steal banking access codes that are sent via text message. Cybercrime is a complex, highly organized business, involving organized criminals, a variety of service enablers, malware producers, and of course victims. The criminal organizations decide on the crime campaigns, and are supported by the service enablers who run the systems needed to execute the campaign. A banking fraud campaign, for example, will follow the cyber kill chain. It will select targets, through surveillance, which are vulnerable to a specific technical attack.
The malware developers will create malware specifically targeted to this attack, customizing it perhaps to a specific bank website. A team of testers will quality assure the software through testing. The malicious payload is delivered and installed through the botnet. The criminals will often not have their own botnet, but will rent one from another criminal group. For those attacks that are successful, the stolen funds are then transferred to the disposable bank account set up for the campaign. The aim then is to withdraw the funds as cash, to break the electronic money trail. To do this, the campaign uses what are known as money mules. These are often poor unfortunates who are recruited to go and collect the money by withdrawing it from the fraudster accounts, with the very real risk of being caught. While money mules have traditionally been small-time criminals or people with financial difficulties, an interesting development is the emergence of professional mules for hire, who, for about 40% of the money collected, offer a fast and responsive service. These services exist in most US cities. One such service has been reported as moving between $30,000 and $100,000 per day.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 5; Cloaking And Alternate Data Streams&lt;/strong&gt;&lt;br&gt;
Attackers who penetrate systems with malware go out of their way to hide it once it's on the target system. If the infection can evade detection, it's more likely to accomplish its intended goals. Let's have a look at some of the ways in which malware can hide. The first method is to use the techniques used by the Windows operating system to hide its own activities. An example of this is the hidden history folder. I'm in a command shell and I'll go into a folder in my user application data directory by typing cd appdata\local\microsoft\windows.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7hdu276u1dkknl3jdbkr.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7hdu276u1dkknl3jdbkr.PNG" alt="Image description" width="478" height="262"&gt;&lt;/a&gt;&lt;br&gt;
When I list the contents of the directory, there are a number of files and folders, but there's no history sub-directory. I can list hidden files with dir /ah, but there's still no history sub-directory. However, things are not always as they seem. The history sub-directory does exist, but we just can't see it. Let's try to change directories and go into it: cd history. Well, that worked. So now let's see what's here, and we see the file desktop.ini. This is the method Microsoft uses to hide the sub-directory. When I take a look at what's in it, by typing desktop.ini, I see it has two cloaking entries. The first is a CLSID line, which stops the sub-directory from being included in file-based finds. The second is the UICLSID line, which stops the sub-directory from being seen using Windows Explorer. Another little-known way of hiding on disk is to use what's known as alternate data streams. In the early MS-DOS and FAT file systems, files were simply strings of data which could be read byte by byte by applications. In NTFS, a file is a complex structure. NTFS files contain, as a minimum, a section called $DATA, which is where the data read by an application resides. This is the data stream. However, a file may have many other sections, each with its own name, and each of which can hold information. These are called alternate data streams. Importantly, Windows only recognizes the $DATA section, so data in any alternate data streams isn't generally recognized.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3qxaspgutobt26urudsd.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3qxaspgutobt26urudsd.PNG" alt="Image description" width="413" height="286"&gt;&lt;/a&gt;&lt;br&gt;
Okay, back at the terminal, let's go into the temporary folder and create a new file called datafile.txt by typing type con &gt; datafile.txt, reading from the console. Here's a text file which has nothing much to hide. It's simply a string of words that is saved to disk. Okay, that's created the file; let's check it: type datafile.txt, and we can see the contents as we entered them. We can also check its size: dir datafile.txt shows it is 105 bytes long. I'll create another file called adsfile.txt: type con: &gt; adsfile.txt. This is my secret message which I want to store where no one can find it. Now I'll insert that into a hidden data stream in datafile.txt by typing type adsfile.txt &gt; datafile.txt:hidden.txt. Let's see what datafile.txt looks like now: type datafile.txt and dir. So there's no apparent change. However, if I now type more &lt; datafile.txt:hidden.txt we see the hidden text. Alternate data streams can also be used to hide executable files. As an example, I'll insert the Windows calculator into this text file: type \windows\system32\calc.exe &gt; datafile.txt:mycalc.exe. Then type datafile.txt and dir, and again we see no change. We can use a special form of the Windows instrumentation tool, wmic, to run this hidden executable: wmic process call create "C:\temp\datafile.txt:mycalc.exe"&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk4xpyee87ca6eqb0um8n.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk4xpyee87ca6eqb0um8n.PNG" alt="Image description" width="509" height="249"&gt;&lt;/a&gt;&lt;br&gt;
Then we have the calculator executed. While alternate data streams can't be seen in Explorer or by using the dir command normally, it is possible to use the /r command line option on the dir command to see them: dir datafile.txt /r. Now we can see that this file does have two additional streams, hidden.txt and mycalc.exe.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 6; Hiding Using Processes&lt;/strong&gt;&lt;br&gt;
Let's now look at how we build a program which uses a more sophisticated means of hiding, by looking at a simple malware function written as a Windows process to intercept all keystrokes. In Microsoft Windows, when a key on the keyboard is pressed, an event is signaled to the operating system. Windows uses its keyboard driver to read the character that's been pressed and sends it as a message to the application that's waiting for it. However, Windows also allows other processes to look at the message as it passes through the system. That's how hotkeys work. Windows does this by something known as a keyboard hook callback routine. It hooks the key that's been pressed and then calls back after processing it to pass it on to its original destination. This technique can be used to write what's known as a simple keystroke logger. This only takes a few lines of code, but it's quite powerful.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Filuo6z0sw1r6okfvkfqi.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Filuo6z0sw1r6okfvkfqi.PNG" alt="Image description" width="549" height="250"&gt;&lt;/a&gt;&lt;br&gt;
 I've prepared a keyboard hook program called wmisvc64.cpp, which we can see here. This is a very simple program. The first five lines provide the standard setup code for a C++ program. These are followed at line seven by code which is executed when the program first starts to open an output file called intercept.txt that we'll use later to store intercepted characters. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb83908s2qa3emd1e0dki.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb83908s2qa3emd1e0dki.PNG" alt="Image description" width="635" height="249"&gt;&lt;/a&gt;&lt;br&gt;
The next six lines specify a callback procedure. This is the code that's executed when a key is pressed. Events in Windows are quite granular. For instance, a key press involves two events, a key down and a key up. We only need to check one of these, so the callback routine at line 11 just checks for the WM_KEYUP event. When it sees this, it writes out to the output file the data associated with this event, which is the internal Windows code for the character pressed on the keyboard. The final action in this routine is to pass on the event by calling the next hook in the chain, using the aptly named CallNextHookEx function, which will allow the message to resume its path to the target application. The remainder of the program is the main controlling logic for the Windows process that supports the callback routine. We don't need to go into this in detail, but do note at line 20 that we're registering a hotkey with MOD_ALT and 0x39, which is program speak for ALT+9. When this is pressed, the program will terminate. Okay, let's see this program in action. We can compile this at the command line by entering cl wmisvc64.cpp. Okay, that's compiled, and we can now run it by typing wmisvc64, and we'll now close the command window. Let's do a bit of simple forensics and look at what's running on our computer. We'll press Ctrl+Alt+Del, open the Task Manager and look at the processes. There's nothing in the application list to show the interceptor is running. If we scroll down to the background processes, at the very bottom, we can see wmisvc64.exe. There's little about it to distinguish it from the normal Windows system processes which are running. It's in plain sight, but it's fairly well hidden, nevertheless. Let's type some data into a Notepad document: This is my secret note on writing callback routines to capture keystrokes. Okay, I'll close this. We won't save it, and I'll press ALT+9 to terminate the intercept.
Let's use Explorer to check the log file the intercept program has been using. And here we see what the program has intercepted. The intercept contains our exit and also the note that we wrote. It also contains other keyboard activity, such as the ALT and Shift keys, which show up as various special characters. Of course, what an attacker would like to see in the intercept they capture is our system access and bank account login. The lesson here is that if an adversary can get access to implant malware on a computer, even a simple program of a few lines running as a normal user can be difficult to detect and has the ability to read everything that's typed, including access codes and passwords.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 6; Controlling The Target Through a Rootkit&lt;/strong&gt;&lt;br&gt;
Malware using the basic hiding and cloaking techniques can be detected by a knowledgeable investigator. Consequently, the more sophisticated attackers have developed techniques which install malware not just as an application or process, but deep into the heart of the operating system.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkmcsgz7c988fj6tn5u9i.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkmcsgz7c988fj6tn5u9i.PNG" alt="Image description" width="689" height="244"&gt;&lt;/a&gt;&lt;br&gt;
This kind of malware is known as a rootkit. In order to deploy a rootkit, an attacker must first penetrate the target system and then use what's known as a dropper to install the rootkit, which it either carries as a payload or subsequently downloads. The job of the dropper is to check whether the rootkit already exists on the system, whether the system is operating inside a virtual machine, and to perform special checks such as the country in which it's operating. Once satisfied that this is a legitimate and available target, it inserts the rootkit into the system, makes sure it can restart after a system boot, and starts it running.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fppqm9nj1cr4v3eopasy9.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fppqm9nj1cr4v3eopasy9.PNG" alt="Image description" width="583" height="245"&gt;&lt;/a&gt;&lt;br&gt;
A rootkit doesn't exploit vulnerabilities. It's designed to hide, operate, and carry out its mission using normal system functions. Similarly, a rootkit isn't a virus. It's an implant which exists in a target, but it doesn't by itself propagate. It can, however, be combined with virus-like code to enable lateral propagation once installed in a system. A rootkit is designed to bypass intrusion detection systems. For example, it may contain code to look for and disable certain forms of antivirus or host intrusion detection software. It will also want to avoid detection by a forensics analyst, and the best place to hide is in the operating system kernel. This is the inner core of the operating system. Intrusion detection systems can't easily see inside the kernel. Getting into the kernel requires rootkits to be coded as a special form of program called a loadable kernel module, or driver. Microsoft provides the Windows Driver Development Kit, or DDK, for developing loadable kernel modules. A driver uses quite complex coding techniques, so I'll not delve into the process of developing and deploying a driver. Suffice to say, drivers operate in the deepest part of the kernel, what's known as ring zero, and this gives them access to all the kernel data structures. In addition to being in the kernel, rootkits run with elevated privileges. There's very little that a rootkit can't do, and it can be very hard to find. Being a privileged process in the kernel allows a rootkit to employ direct kernel object modification, or DKOM. The kernel uses data structures to keep track of its environment. An example is the process data structure, held in the EPROCESS module. This is a doubly linked list, meaning each entry has two pointers. The forward pointer chain starts at the head of the list, and each entry points to the next entry in the list. The backward pointer chain starts at the end of the list, and each entry points to the previous one.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8v0x954lz58j6edwlgth.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8v0x954lz58j6edwlgth.PNG" alt="Image description" width="625" height="220"&gt;&lt;/a&gt;&lt;br&gt;
Using these pointers, the kernel can keep track of and manage all active processes. When a user opens Task Manager, what actually happens is that the Task Manager application loads and then calls the kernel asking for a list of applications and processes. The kernel checks its data structures, creates the lists and then sends them back to Task Manager for display. When the rootkit is loaded, one of the first things it does is to examine the EPROCESS list. It follows the forward chain to find its own process and the previous and next ones. Once it has them, it can then change the pointers so that the previous process points to the one following the rootkit, and the one following has its backward pointer changed to point to the one before the rootkit. The first known rootkit to perform DKOM appeared around 2006 and did just this, changing the list pointers in the EPROCESS data structure to point around its own entry. It thereby hides rootkit activity from Task Manager and the event scheduler. DKOM can be used on other data structures, such as the driver list and the list of open ports. Rootkits will also intercept and remove their entries from directory and file lists. A common way to provide remote command and control is to create an encrypted channel through the use of secure shell connections. This gives an attacker remote control over compromised systems, and at the same time encrypts any malware that may be downloaded, to prevent it from being detected by network-based intrusion detection systems and monitoring tools. Using SSH has the advantage of requiring a username and password to be entered, thereby ensuring only the adversary can use the back door to access the rootkit. Trojan Downloader 3, or TDL3, is the third generation of rootkit developed by the Dogma Millions cybercrime group, and is an example of a real-world rootkit. The rootkit adds itself as a printer driver, which gives it kernel-mode driver privileges.
It installs an encrypted file system for its own use that begins at the end of the hard disk and grows backwards to the beginning of the disk. Windows just thinks this is free space with nothing in it which means it's not detected by traditional scanning techniques. TDL3 operates on a per install cost model by recording when it gets installed on a target and who purchased this source version. The TDL3 rootkit is used to download, install, and hide malicious payload modules that can then do keystroke monitoring, carry out distributed denial of service attacks, and many more actions.&lt;/p&gt;
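&lt;p&gt;The pointer manipulation described above, as an added example that is not part of the original article: a user-mode Python model of the EPROCESS list, the unlink a DKOM rootkit performs on it, and the cross-view check that catches the hidden entry. The process names, PIDs and the second index (a simple PID table standing in for the kernel's other bookkeeping) are assumptions made for the demonstration.&lt;/p&gt;

```python
"""DKOM process hiding and cross-view detection, modelled in user mode.

Added example, not code from the original article. A real EPROCESS block
lives in kernel memory; this model keeps only what the technique touches:
the doubly linked ActiveProcessLinks list and one independent index of
processes (a PID table here, standing in for the kernel's other
bookkeeping), which is what a cross-view detector compares against.
"""

from dataclasses import dataclass


@dataclass
class Process:
    pid: int
    name: str
    flink: "Process" = None    # next entry in ActiveProcessLinks
    blink: "Process" = None    # previous entry


class Kernel:
    """Toy kernel state: the list head plus an independent PID table."""

    def __init__(self):
        self.head = Process(0, "PsActiveProcessHead")
        self.head.flink = self.head
        self.head.blink = self.head
        self.pid_table = {}          # second view: pid to Process object

    def create_process(self, pid, name):
        proc = Process(pid, name)
        last = self.head.blink       # current tail of the list
        proc.blink = last
        proc.flink = self.head
        last.flink = proc
        self.head.blink = proc
        self.pid_table[pid] = proc
        return proc

    def walk_active_list(self):
        """What Task Manager effectively gets: follow flink from the head."""
        pids = []
        cur = self.head.flink
        while cur is not self.head:
            pids.append(cur.pid)
            cur = cur.flink
        return pids


def dkom_unlink(proc):
    """The rootkit's manipulation: route the neighbours around the entry.

    The process object still exists and its threads are still scheduled,
    because the scheduler does not use this list; only list walkers lose
    sight of it.
    """
    prev_proc, next_proc = proc.blink, proc.flink
    prev_proc.flink = next_proc
    next_proc.blink = prev_proc
    # Point the hidden entry at itself so that the kernel's own later
    # removal of it (at process exit) does not corrupt the list.
    proc.flink = proc
    proc.blink = proc


def cross_view_hidden(kernel):
    """Detection: anything in the PID table that the list walk no longer shows."""
    listed = set(kernel.walk_active_list())
    return sorted(pid for pid in kernel.pid_table if pid not in listed)


def demo():
    """Constructed scenario: four processes, one of which hides itself."""
    k = Kernel()
    k.create_process(4, "System")
    k.create_process(620, "explorer.exe")
    rootkit = k.create_process(1337, "rootkit.exe")
    k.create_process(2048, "notepad.exe")
    before = k.walk_active_list()
    dkom_unlink(rootkit)
    after = k.walk_active_list()
    return before, after, cross_view_hidden(k)
```

&lt;p&gt;The list walk is what Task Manager relies on, and it silently drops the unlinked entry. Because the kernel still needs the process for scheduling, it stays reachable through other structures, so a detector that enumerates processes two independent ways and diffs the results sees the gap. Real rootkit detectors do the same with the kernel's thread lists, handle tables and memory images.&lt;/p&gt;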

&lt;p&gt;&lt;strong&gt;Chapter 7; Phishing And Watering Holes&lt;/strong&gt;&lt;br&gt;
As the security of operating systems and applications improved, direct penetration of a target became more difficult. Consequently, cyber criminals looked for other ways to get malware into their targets. On a workstation, the weakest link is, of course, the person using the computer, and so the user becomes the target. The first approach attackers took to exploit the user is called phishing. This involves sending an email with a malicious attachment, or a link to a malicious site, to a large number of users, hoping that at least one will take the bait and open the attachment or click the link. At that point the malware is downloaded onto the target system and begins executing. A phishing email will do as much as possible to entice its recipient to open the attachment or click the link. In the early days, this might have been a rather crude appeal to greed, such as telling the recipient they had won a lottery they never entered. Nowadays, the better phishing attacks are much more sophisticated. The email may claim to carry an up-to-date analysis of a current news topic. It may look like an official bank email asking you, ironically, to check your security or account settings. It may look like a postal service email advising that a parcel is ready for pickup. Unexpected attachments are always suspicious, and hovering over a supposed government hyperlink to find that it actually points at GF65mmjy.com is a sure giveaway. Sometimes phishing attacks are not sent to a large recipient list but are designed to trap a specific person. These are referred to as spear phishing emails. &lt;/p&gt;
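&lt;p&gt;The hover check described above can be automated. The following is an added example, not code from the original article: it pulls every link out of an HTML mail body and flags links whose visible text names one site while the href goes to another, plus two other common tricks, a username before the @ in the URL and a raw IP address in place of a hostname. The sample message is constructed for this example; GF65mmjy.com is the article's own throwaway example domain, and the Royal Mail address is used only as an illustrative lure.&lt;/p&gt;

```python
"""Link-mismatch check for a phishing email.

Added example, not from the original article. It automates the "hover over
the link" test: extract every anchor from an HTML mail body and flag links
whose visible text names one site while the href points somewhere else.
The sample mail body is constructed; GF65mmjy.com is the throwaway domain
used in the article's own illustration.
"""

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Angle brackets are built from code points so this listing stays valid
# inside the XML feed it is embedded in.
LT, GT = chr(60), chr(62)

SAMPLE_BODY = (
    f'{LT}p{GT}Your parcel could not be delivered. Reschedule here: '
    f'{LT}a href="http://GF65mmjy.com/track?id=4411"{GT}'
    f'https://www.royalmail.com/track{LT}/a{GT}{LT}/p{GT}'
    f'{LT}p{GT}Questions? {LT}a href="https://www.royalmail.com/help"{GT}'
    f'Help centre{LT}/a{GT}{LT}/p{GT}'
    f'{LT}p{GT}{LT}a href="http://www.royalmail.com@198.51.100.7/login"{GT}'
    f'Sign in{LT}/a{GT}{LT}/p{GT}'
)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs, as a mail client shows on hover."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Crude eTLD+1: the last two labels. A production check should use the
    Public Suffix List, otherwise co.uk style suffixes are mis-grouped."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Host the browser will actually connect to (ignores any user@ prefix)."""
    return (urlsplit(url).hostname or "").lower()


def looks_like_ip(host):
    return host.replace(".", "").isdigit()


def check_link(text, href):
    """Return the reasons this link is suspicious (empty list if none)."""
    reasons = []
    real = host_of(href)
    if "@" in urlsplit(href).netloc:
        reasons.append("userinfo in URL hides real host")
    if looks_like_ip(real):
        reasons.append("raw IP address instead of a hostname")
    # Only a visible text that is itself a URL can be compared to the href;
    # neutral text such as "Sign in" needs a brand list instead.
    shown = host_of(text) if text.startswith("http") else ""
    if shown and registrable(shown) != registrable(real):
        reasons.append(f"text says {shown} but link goes to {real}")
    return reasons


def scan(body):
    """Return (visible text, href, reasons) for every link in the body."""
    p = LinkCollector()
    p.feed(body)
    return [(text, href, check_link(text, href)) for text, href in p.links]
```

&lt;p&gt;The registrable-domain comparison is deliberately crude (last two labels); a production check should use the Public Suffix List and should also compare the visible text against the brands the organization cares about, since most phishing links use neutral text such as "Sign in" rather than a full URL.&lt;/p&gt;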

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5jm5hagt4l80l5ikaj6t.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5jm5hagt4l80l5ikaj6t.PNG" alt="Image description" width="683" height="190"&gt;&lt;/a&gt;&lt;br&gt;
In this case, the attacker will have spent a fair bit of time researching the target and will craft an email which may purport to come from a colleague inside the business and use familiar business terminology. These are not necessarily harder to recognise as phishing emails, but they are designed to make the recipient let down their guard. Consider your own email over the last week or month. Have you received a phishing email? What did you do? Did you open it or just delete it? Was it fairly crude, or did it look quite convincing? Many phishing emails these days are quite sophisticated and difficult to recognise as traps. Some specialised forms of phishing campaign have also been seen. &lt;/p&gt;

&lt;p&gt;Some phishing campaigns target mobile users through SMS messages, an attack known as smishing, while others use voice calls over voice-over-IP services, known as vishing. Phishing attacks, like any cyber attack, can be costly. Between 2013 and 2015, an attacker scammed over a hundred million dollars out of Facebook and Google by emailing them fraudulent invoices. Watering hole attacks are another type of attack focused on the user. In this attack, a website frequented by a specific set of users, doctors for instance, is compromised. When members of the group subsequently visit it, the attacker's malware is downloaded onto their machines. The attacker hopes the user will do this from their business computer, giving access to their organization. In 2020, Kaspersky reported a watering hole campaign targeting religious and charitable organizations. The campaign, named Holy Water, tricked visitors into installing a fake Adobe Flash update that contained the malware. The attackers have yet to be identified. A good example of how an event can trigger phishing attacks is the 2022 FIFA World Cup, where phishing attacks targeting the Middle East doubled in the lead-up to the event. Many of the emails looked as if they came from the FIFA help desk. The goals of these attacks included financial fraud, credential theft, information theft, and surveillance. Many of the emails focused on World Cup betting, enabling the attackers to harvest credentials they could reuse elsewhere.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 8; Understanding Advanced Persistent Threats&lt;/strong&gt;&lt;br&gt;
Over recent years, there has been increasing recognition of the threat posed by nation states using highly sophisticated malware known as advanced persistent threats, or APTs. This is malware directed at political and military targets, using multiple vectors to attack. APTs have a high degree of stealth and can persist over a long period of time. There are five key characteristics which make APTs quite different from conventional malware such as the rootkits discussed earlier. The first is that they tend to be highly customized to a specific target or set of targets rather than being a common code module. An associated characteristic is that they are focused on the specific system or set of systems for which they were designed, rather than being opportunistic. They usually carry multiple advanced, and often zero-day, exploits with which to compromise the target. Their deployment is likely to be controlled, or at least supervised, by humans rather than being fully automated. And once in place, they operate in a low-and-slow manner in order to remain stealthy and unnoticed. An APT may have one or more objectives depending on the source of the attack, and these may change over time. An APT may be sent by an adversary to carry out espionage against nation-state targets with the intention of stealing sensitive information. It may be sent to cause sabotage by disrupting the operation of critical infrastructure systems such as telecommunications, power, and water. An APT must infiltrate its target, find a place to hide, and then continue to operate if it is to succeed as a persistent threat. This requires it to have five key functions. The first is command and control: the ability for the remote attacker to direct tasking and configuration of the implanted malware, to download new payloads, and to provide malware updates. This requires the APT to connect back to its command and control server to look for tasking, or to open an access path for the adversary to gain direct control.&lt;/p&gt;

&lt;p&gt;The second is injection. The more sophisticated APTs do not operate as discrete applications but attach themselves to an existing application or process already running in memory; this is known as malware injection. The third is cloaking. An APT wants to remain invisible for as long as possible and to operate as a low-and-slow attack, stealthily extracting what it needs with as little impact on the host computer as possible and without generating regular or predictable network traffic. Consequently, a substantial amount of effort is invested in the cloaking subsystem to ensure that malicious actions cannot be observed by the legitimate operators of the system. The fourth is exfiltration. APT software is typically designed to collect information, and it needs to send that information back to its control server. A good exfiltration system will not only encrypt the information so that it cannot be read by monitoring systems, but may also hide it inside traffic that is normally ignored, such as HTTP or DNS requests. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0t6vae6xh7s0axpqprf.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0t6vae6xh7s0axpqprf.PNG" alt="Image description" width="544" height="230"&gt;&lt;/a&gt;&lt;br&gt;
The final function is known as reignition, or persistence. In order to remain operational over time, an APT needs to restart when the system is rebooted or when a system administrator attempts to remove it. The basic approach to reignition on a Windows system is to write a new entry into the registry, for example under one of the Run keys, instructing Windows to start the malware loader at boot or logon. This is rarely the only mechanism, however, as an APT will often use several means of reigniting, such as services or scheduled tasks. So what does an APT really look like when it is militarized and deployed by a state? Agent.BTZ, which infected US Department of Defense networks in 2008, is often cited as the earliest recorded APT, but the most notorious military-grade APT to date has been Stuxnet, detected in 2010. Stuxnet was designed specifically to target the centrifuges of the Iranian nuclear program by attacking the Siemens industrial control equipment used in uranium enrichment, the kind of equipment used at the Natanz enrichment facility in Iran.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffua2016my5x2qlcssde7.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffua2016my5x2qlcssde7.PNG" alt="Image description" width="518" height="279"&gt;&lt;/a&gt;&lt;br&gt;
In 2012, reporting by The New York Times, citing US officials, attributed Stuxnet to a joint US and Israeli program; neither government has officially acknowledged it. A key feature of Stuxnet is that it was designed to spread on USB sticks and across local networks, or through prior implantation on equipment being used in the facility, so it could reach target systems that were not connected to the internet. When it was first discovered, Stuxnet was found to use four previously unknown Windows vulnerabilities to propagate and deliver its payload to the SCADA systems. Once there, it took advantage of the Siemens Step 7 and WinCC software used to program the PLCs, modifying the control logic so that the centrifuges were repeatedly sped up and slowed down. The resulting stress on the aluminum rotors eventually destroyed between 900 and 1,000 centrifuges. A good source of information on APTs is Kaspersky Lab. Shortly after Stuxnet became public, a related APT called Duqu was identified, followed by Flame and, later, the Equation Group toolset. Defending against APTs is difficult, and it is likely that an APT attack will succeed at least partially. APTs are usually found when network monitoring detects the installed malware attempting to connect to its command and control systems. Placing controls that address each stage of the cyber kill chain provides the opportunity for early detection, and exploit-mitigation features such as Microsoft's Arbitrary Code Guard can blunt the initial compromise. Nevertheless, APTs will often penetrate their targets, and the average time to detect them once inside is measured in months. Advanced persistent threats are very sophisticated forms of malware. They are difficult to detect and there is every indication that they are here to stay.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 9; Ransomware: A Modern Form of Extortion&lt;/strong&gt;&lt;br&gt;
Let's have a look at a particular form of malware known as ransomware. For targets with current, tested backups, being hit with ransomware is mostly a nuisance; for those without them, it can be a very expensive lesson in practical cybersecurity. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvv9wp6rhqfampf98me4c.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvv9wp6rhqfampf98me4c.PNG" alt="Image description" width="688" height="309"&gt;&lt;/a&gt;&lt;br&gt;
Instead of stealing information, ransomware encrypts files or storage systems on its target to lock out the legitimate owner, and then demands payment for the decryption key. Most ransomware uses a hybrid scheme: a symmetric cipher to encrypt the files quickly, and asymmetric encryption to protect the symmetric key so that only the attacker can release it. I will not delve into the details of asymmetric encryption in this guide, but if you would like to learn more about it, you can go to the LinkedIn Learning page and search for asymmetric encryption; there are plenty of courses to choose from.&lt;/p&gt;

&lt;p&gt;Let's look at a well-known example of ransomware. CryptoLocker emerged in 2013 and was the most prevalent variant of ransomware until mid-2014, when new variants such as TorrentLocker and CryptoWall took over. CryptoLocker was extraordinarily successful, with an estimated 234,000 victims. It used phishing campaigns to target its victims opportunistically. These campaigns included the FedEx and UPS "you have a parcel" emails, which carried a hyperlink to a malicious website hosting the malware. Similar ransomware campaigns using bank emails, FBI notices, and speeding fines have also been identified. A newer version, particularly prevalent in the Netherlands, used a malicious attachment: a Word document with an embedded macro which downloaded the malware directly onto the target computer when the document was opened. The person behind the CryptoLocker campaign is a Russian, Evgeniy Mikhailovich Bogachev. Bogachev used the Gameover Zeus botnet, a peer-to-peer botnet with its own command and control infrastructure, to distribute CryptoLocker. The botnet was taken down by the FBI and its partners in June 2014, but Bogachev is still at large with a $3 million bounty on his head. CryptoLocker executes through a five-stage process. First, the victim computer is infected and the malware is installed. Then the malware attempts to connect to its command and control server. It contains a domain generation algorithm which derives candidate domain names from the date, such as the one shown, and tries each of them until it finds one which is active. It then generates an encryption key and uses the Advanced Encryption Standard, AES, to encrypt files on the target computer. At that point, the malware issues a demand for money in order to recover the decryption key. &lt;/p&gt;
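&lt;p&gt;The domain generation step in the five stages above, as an added example that is neither the original article's code nor CryptoLocker's actual algorithm: a simplified date-seeded generator, the defender's pre-computed blocklist built from the same seed, and a scan of resolver log lines for hits. The seed, TLD list, log format and log lines are all constructed for the example.&lt;/p&gt;

```python
"""Date-seeded domain generation and the defender's counter-move.

Added example, not code from the original article and not CryptoLocker's
real algorithm. It shows the mechanism the text describes: the malware
derives a daily list of candidate C2 domains from the date and a built-in
seed, so the operator only has to register one of them, while a defender
who has recovered the seed can pre-compute the same list and block or
sinkhole it. Seed, TLD list, log format and log lines are constructed.
"""

import hashlib
from datetime import date, timedelta

SEED = b"example-campaign-seed"      # assumed: recovered from a sample
TLDS = ["com", "net", "biz", "ru", "org", "info"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _as_date(day):
    return date.fromisoformat(day) if isinstance(day, str) else day


def dga(day, count, seed=SEED):
    """Deterministically generate `count` candidate domains for one day."""
    day = _as_date(day)
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 8                   # 8 to 15 letters
        name = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(f"{name}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def blocklist(start, days, count, seed=SEED):
    """Defender side: every domain the malware could try over `days` days."""
    start = _as_date(start)
    names = set()
    for n in range(days):
        names.update(dga(start + timedelta(days=n), count, seed))
    return names


def flag_dns_log(lines, block):
    """Pick out queries for generated domains from resolver log lines.

    Assumed line format: 'timestamp client_ip qname rcode'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        if qname.lower().rstrip(".") in block:
            hits.append((client, qname, rcode))
    return hits


def demo():
    """Constructed resolver log: two ordinary lookups and an infected host
    working through the day's candidate list until one resolves."""
    today = dga("2013-10-15", 10)
    block = blocklist("2013-10-15", 3, 10)
    log = [
        "2013-10-15T09:00:01 10.0.0.5 www.example.com NOERROR",
        f"2013-10-15T09:00:02 10.0.0.23 {today[0]} NXDOMAIN",
        f"2013-10-15T09:00:02 10.0.0.23 {today[1]} NOERROR",
        "2013-10-15T09:00:03 10.0.0.5 mail.example.org NOERROR",
    ]
    return flag_dns_log(log, block)
```

&lt;p&gt;Once a sample has been reverse engineered and the seed recovered, the same generator lets defenders register or sinkhole tomorrow's domains ahead of the operator, which is how sinkholing operations against DGA-based malware work. Even without the seed, a single client producing a burst of NXDOMAIN answers for random-looking names, as the infected host does above, is a strong signal on its own.&lt;/p&gt;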

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbi6f994tpnfhdy8ix35k.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbi6f994tpnfhdy8ix35k.PNG" alt="Image description" width="673" height="241"&gt;&lt;/a&gt;&lt;br&gt;
CryptoLocker is particularly difficult to recover from because it uses RSA, a strong asymmetric cipher, to encrypt the AES key with a public key issued by the command and control server. The matching private key never leaves the attacker's infrastructure, so the decryption key cannot be recovered from the victim's computer. More details on CryptoLocker are available in the US-CERT alert. When CryptoLocker hits an enterprise, the consequences can be serious, as it encrypts not only files on the employee's computer but also files in any network shares the computer has write access to. For a business which manages its information in Windows file shares, this can be devastating, with tens of thousands of business files rendered inaccessible. The criminals running ransomware campaigns usually demand payment through channels such as Bitcoin or prepaid paysafecard vouchers in order to make themselves difficult to trace. When ransomware emerged, demands were in the order of a few hundred dollars, and it was often easier for the victim to pay than to cope with the loss of their files, and potentially their ability to run their business, while engaging in a lengthy and likely futile law enforcement pursuit. However, ransomware targeting and demands have changed. The Ryuk ransomware targets local government and small to medium businesses, and its ransom demands vary, with one victim asked for 65 Bitcoins, about $600,000 at the time; such demands still get paid. In 2019, two municipalities in the state of Florida together paid over $1.1 million in ransom to recover their data. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcagrtfbffwqa5tj8fb8n.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcagrtfbffwqa5tj8fb8n.PNG" alt="Image description" width="406" height="197"&gt;&lt;/a&gt;&lt;br&gt;
In the 18 months from June 2021 to November 2022, the Hive ransomware group netted over a hundred million dollars with a campaign that focused on the healthcare sector and was later extended to other areas of critical infrastructure. The attacks used a variety of tactics, including exploiting Microsoft Exchange servers, and typically gained initial access through phishing emails.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 10; Hardware Implants And Other Cyber FUD&lt;/strong&gt;&lt;br&gt;
In October 2018, Bloomberg created a sensation by reporting that Chinese agents had implanted tiny chips on server motherboards made by an American company, Super Micro Computer. The article claimed that the servers had been supplied to the Department of Defense and other sensitive government agencies, as well as to Amazon and Apple. In a letter to its customers, Super Micro reported that its investigations had found no evidence for Bloomberg's claim. Apple and Amazon also very quickly denied the findings and called on Bloomberg to retract the story. Eventually, one of Bloomberg's named sources said that his comments had been taken out of context and that he had actually told Bloomberg the reported attack did not make sense. While he had discussed the theoretical feasibility of such implants with Bloomberg, he had never suggested they had been used on Super Micro boards, and his overall take was that the technical details had been lifted from an earlier Black Hat presentation of his and jumbled. Another wave of hardware FUD was unleashed when reports emerged about two new processor vulnerabilities, Meltdown and Spectre.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg4n9jgsjcz4bzn6p5ght.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg4n9jgsjcz4bzn6p5ght.PNG" alt="Image description" width="603" height="241"&gt;&lt;/a&gt;&lt;br&gt;
The initial reports indicated that the vulnerabilities in these chips could leak passwords and sensitive data and could be used to steal data from other tenants in the cloud. Another report, from a computer consultancy, suggested that the state of security in the tech industry made it crucial that businesses contact their highly qualified cybersecurity team to protect against Meltdown, Spectre and future security threats. Adding to the drama, CNN reported that a US government-backed body had warned that the chips themselves needed to be replaced to completely fix the problems. One cybersecurity expert announced that Meltdown and Spectre were disasters, and another stated that Meltdown could be exploited by any script kiddie. It was suggested that the flaws were nearly impossible to fix short of shipping new processors. As it turned out, microcode, firmware and operating system patches were shipped quickly, and although proof-of-concept code exists, no in-the-wild attack using the two techniques has been confirmed. Meltdown and Spectre were high on drama and low on real risk, and FUD once more trumped common sense. Not all reports relating to hardware insecurity are FUD, however. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmlsg9ztywxicoaop48tn.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmlsg9ztywxicoaop48tn.PNG" alt="Image description" width="345" height="224"&gt;&lt;/a&gt;&lt;br&gt;
The research shown here identified flaws in the Trusted Platform Module (TPM) chips from Intel and STMicroelectronics which enabled the extraction of signing keys, breaking the chain of trust for which they form the root. The researchers had been involved in identifying previous hardware vulnerabilities and are respected in their field. The vulnerability in this case can be readily exploited. For an end user, this particular vulnerability could be exploited via the target's browser by having it visit a malicious website, and it was effective on all versions of Internet Explorer running at the time of the announcement. This announcement was one worth taking seriously. Nevertheless, when it comes to sensational exposés regarding cybersecurity, check the evidence before you believe it.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>The Cybersecurity Threat Landscape Step by Step Guide</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Sun, 01 Dec 2024 22:28:29 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/the-cybersecurity-threat-landscape-made-easy-2ea9</link>
      <guid>https://dev.to/romanus_onyekwere/the-cybersecurity-threat-landscape-made-easy-2ea9</guid>
      <description>&lt;p&gt;Table of Contents&lt;/p&gt;

&lt;p&gt;Chapter 1; Introduction to Cybersecurity Threat Landscape&lt;br&gt;
Chapter 2; Explore The Threat of Malware And Ransomware&lt;br&gt;
Chapter 3; Protect Against Malware And Ransomware&lt;br&gt;
Chapter 4; Explore The Threat of Phishing And Smishing&lt;br&gt;
Chapter 5; Explore The Threat of Business Email Compromise&lt;br&gt;
Chapter 6; Protect Against Business Email Compromise&lt;br&gt;
Chapter 7; Explore The Threat of Botnets And DDoS Attacks&lt;br&gt;
Chapter 8; Protect Against Botnets And DDoS Threats&lt;br&gt;
Chapter 9; Exploring The Threat of Zero-Day Attacks&lt;br&gt;
Chapter 10; Mitigating Zero-Day Attacks&lt;br&gt;
Chapter 11; Protecting Against AI-Based Cyberattacks&lt;br&gt;
Chapter 12; Exploring The Threat of Advanced Persistent Threats (APTs)&lt;br&gt;
Chapter 13; Protecting Against Advanced Persistent Threats (APTs)&lt;br&gt;
Chapter 14; Explore The Risk of Insider Threats&lt;br&gt;
Chapter 15; Protect Against Insider Threats&lt;br&gt;
Chapter 16; Explore The Threat of Unmanaged IoT Devices&lt;br&gt;
Chapter 17; Protect Against Unmanaged IoT Device&lt;br&gt;
Chapter 18; Explore The Threat of Shadow IT&lt;br&gt;
Chapter 19; Protect Against Shadow IT&lt;br&gt;
Chapter 20; The Threat of Supply Chain Attacks And Third-Party Risks&lt;br&gt;
Chapter 21; Stay up to Date on Cybersecurity&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 1; Introduction to Cybersecurity Threat landscape&lt;/strong&gt;&lt;br&gt;
Modern cyber attacks are constantly evolving. Not long ago, Internet of Things devices and deepfakes did not even exist; now they are emerging threats that should not be ignored. This unpredictable change requires organizations to frequently survey the threat landscape and reassess the strength of their cybersecurity. Depending on the threats, your organization may need to invest in new technologies and implement new security controls. I am excited to share with you the latest intelligence about the shifting cybersecurity threat landscape. In this guide, I will cover many of the most common cybersecurity threats, plus some emerging threats you should know about. I will also show you ways to protect against these threats and share resources for finding out more about them. Keep in mind that the threat landscape may look different for different organizations. If your organization handles a lot of sensitive data, you are likely to be the target of more threats than an organization that does not. But it is important to understand today's threat landscape in any case, because for every organization it is not a matter of if they will be targeted by one of these threats, but when. If you are ready, let's explore the cybersecurity threat landscape.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 2; Explore The Threat of Malware And Ransomware&lt;/strong&gt;&lt;br&gt;
Malware has been a serious cybersecurity threat to both individuals and organizations since the late 1980s. Ransomware has many of the same characteristics of malware, so it makes sense to examine them together. First, what is malware? Malware is a catchall term for any software that is designed to gain unauthorized access to computers or network equipment with the goals of causing damage, extracting information, or making money for the attackers. Malware can take on many forms, including viruses, worms, Trojans, rootkits, adware, and spyware. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj53s7qhsd7yj0jzna9ut.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj53s7qhsd7yj0jzna9ut.PNG" alt="Image description" width="668" height="214"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A growing form of malware attack is known as cryptojacking. This malware variant exploits a vulnerable computer and uses its resources to mine cryptocurrency. While there are many types of malware, the infection methods are often similar. There are two main ways that systems become infected with malware. The first is system vulnerabilities: flaws in hardware or software that allow malware to get installed and function. Usually, patches exist to fix these vulnerabilities, but users and organizations do not always apply them in a timely manner, leaving themselves exposed. Even old vulnerabilities are still targeted by malware authors: in 2020, a Microsoft vulnerability first identified back in 2012 was still included in the FBI's list of the top 10 most exploited security flaws. The second most common way that systems get infected with malware is users falling prey to social engineering. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb7x816tfxfpypmkl8pwc.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb7x816tfxfpypmkl8pwc.PNG" alt="Image description" width="362" height="226"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This happens when attackers successfully convince a user to download infected software, open an infected email attachment, or connect an infected disk or drive. The system still needs to be vulnerable to the malware that the user introduces for it to work though. Now let's look at ransomware. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmfwzmcg9qk9g7l8ypxmk.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmfwzmcg9qk9g7l8ypxmk.PNG" alt="Image description" width="646" height="245"&gt;&lt;/a&gt;&lt;br&gt;
Ransomware is a form of malware that has a special purpose. It encrypts data and files on the infected computer and instructs the user to send the attackers money to recover their information. In some cases, attackers will also steal files from the victim's systems and threaten to expose these files to the public to increase the pressure to pay. This is known as double extortion. Ransomware can be a lucrative income for attackers. In 2020, the FBI's internet crime complaint center, or IC3, received 2,474 ransomware complaints that cost victims over $29.1 million. Of course, these are only the attacks in America that were reported. The actual number of worldwide attacks and money made with ransomware is much higher. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkch9zaua57nonspfn0yu.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkch9zaua57nonspfn0yu.PNG" alt="Image description" width="481" height="227"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Although ransomware can use any of the malware attack techniques I mentioned earlier, one of the most common is the fake urgent email with a malicious link or attachment designed to trick users into clicking the link or opening the attachment. This is a phishing attack, another threat I will cover in this guide. Due to their success and huge ransom demands, ransomware attacks have generated a lot of dramatic headlines, like this one about Acer being asked for up to $100 million to get its data back after a ransomware attack. As long as systems remain vulnerable and users keep falling for social engineering, malware and ransomware will continue to be serious components of the cybersecurity threat landscape.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 3; Protect Against Malware And Ransomware&lt;/strong&gt;&lt;br&gt;
A successful malware or ransomware attack can be catastrophic for both individuals and organizations. There are some simple steps you can take though to protect against both malware and ransomware. Let's look at five of them. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwgqpqvesdq5et9w66jim.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwgqpqvesdq5et9w66jim.PNG" alt="Image description" width="558" height="214"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;First is frequent backups. If your system has been compromised by malware or ransomware, you may have lost access to some or all of the data on that system. If you've been keeping frequent data backups, however, the impact goes from possibly devastating to merely inconvenient. Simply restore the backed-up data onto an uninfected system. Backing up your data is especially important for recovering from ransomware attacks, which specifically target your data. Also make sure you test your backups. You don't want to attempt restoring your backups in an emergency only to find they're corrupted or incomplete. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2c0u1wcqt58f7dg44osn.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2c0u1wcqt58f7dg44osn.PNG" alt="Image description" width="687" height="249"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Second, apply security updates and patches. Malware and ransomware can only work on systems that are vulnerable to their attacks. You can significantly reduce your exposure to malware and ransomware attacks by making sure your systems have all their security updates and patches. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjot2eohlb65fe0i3ie7m.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjot2eohlb65fe0i3ie7m.PNG" alt="Image description" width="683" height="236"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Third, upgrade to the latest operating system versions. If you've been putting off the expense or hassle of upgrading your operating systems to their most current versions, you could be exposing yourself to vulnerabilities that don't have patches. Plus, current operating systems are often designed to be more secure than previous versions. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0q3j5h2gd5fdoxboo5mg.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0q3j5h2gd5fdoxboo5mg.PNG" alt="Image description" width="684" height="237"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Fourth, install firewalls. Firewalls are designed to prevent unauthorized traffic from getting directly to your systems. Many forms of malware attempt to exploit systems that are directly connected to the internet without a firewall. There are also types of malware that, once installed, attempt to communicate with a command and control system outside of the infected network. Hardware and software firewalls can block these malicious traffic flows. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1rkk517ppa9lrbjhaqxn.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1rkk517ppa9lrbjhaqxn.PNG" alt="Image description" width="677" height="214"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Fifth, install anti-malware software. No matter how much you try to protect your network and systems, malware can still be introduced by accident if a user becomes a victim of social engineering. That's why it's important to install anti-malware software on all systems, and make sure the malware signatures are updated at least daily. By following these security controls, you will significantly reduce your exposure to malware and ransomware.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 4; Explore The Threat of Phishing And Smishing&lt;/strong&gt;&lt;br&gt;
Phishing and smishing are social engineering attacks designed to trick users into sharing sensitive personal information, like usernames, passwords, and credit card details with attackers. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzvif9i4x8fw0v0bjn0di.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzvif9i4x8fw0v0bjn0di.PNG" alt="Image description" width="690" height="225"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let's take a look at what these threats are and how they work. Phishing has been around since the 1990s, but it's still going strong. IBM Security X-Force reported that phishing was the top method of compromise in 2021. The most common phishing technique is to send a fraudulent email to a targeted user. The email is designed to look like it came from a trusted entity and it will often appear urgent, so the recipient will quickly open it. Typically, the email will contain a manipulated link that looks like it goes to a real website. If the user clicks the link, though, it goes to a forged website designed to look like the real thing. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fstpegged4xx3j87xa0ne.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fstpegged4xx3j87xa0ne.PNG" alt="Image description" width="594" height="219"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once there, the target will usually be prompted to enter their username and password for the site. If they do, the attacker will now have their credentials for the real site. Depending on the site, this can turn into an immediate loss of information or money for the victim. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgbsldjc1tgx4wckzff8p.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgbsldjc1tgx4wckzff8p.PNG" alt="Image description" width="589" height="256"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In some cases, the phishing email won't have a link. It will have a malicious attachment. If the recipient clicks on the attachment, it will often attempt to install ransomware, which is another threat I cover in this guide. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnac4ndupmc51xw9flgd6.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnac4ndupmc51xw9flgd6.PNG" alt="Image description" width="406" height="253"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;One of the keys to a successful phishing attack is making the emails look like they came from trusted sources. So phishing attackers frequently co-opt trusted brands like Microsoft, Apple, Google, Chase, and Amazon. Phishing email subject lines often have a certain style. Here are examples of typical subject lines used in phishing emails: "Your account will be locked." "Important: Please log into your account to verify your info." And "Invoice due." Note how they sound urgent, or at least important enough not to ignore. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq7kyv1plnbr4067nqjsq.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq7kyv1plnbr4067nqjsq.PNG" alt="Image description" width="670" height="255"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Spear phishing is a variety of phishing that customizes email attacks to specific users, hoping the illusion of familiarity will create more trust. Smishing has many of the same characteristics as phishing, but instead of sending fraudulent emails, the attackers send SMS texts to the victim's phone. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fshs7qta0usdlhkqodltb.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fshs7qta0usdlhkqodltb.PNG" alt="Image description" width="383" height="249"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Common smishing text messages often impersonate a bank with an urgent message about how your account has been locked due to suspicious activity, or a recent payment was made and the bank needs your confirmation. Then there's usually a link to a malicious site designed to steal your online banking credentials. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpw2iucx3jpoyc0v6b88o.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpw2iucx3jpoyc0v6b88o.PNG" alt="Image description" width="437" height="246"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Smishing scams can also include text messages about winning a prize that you have to redeem through a website. You should immediately be suspicious of getting anything for free through a text message. Another form of smishing includes text messages impersonating someone you work with, like your boss or the CEO of your company. Threat actors can easily find the company you work for and get your cellphone number to pull off this attack. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxfhsvzvv2gzr66ccsm4v.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxfhsvzvv2gzr66ccsm4v.PNG" alt="Image description" width="589" height="216"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;They will send a text message, pretending to be your boss or CEO, and ask you to help them with a task. The task often requires you to buy gift cards to give to employees or clients. If you buy the cards, the attackers will ask you to send them the codes, which will allow them to instantly extract the money off the cards. Because both phishing and smishing attacks are cheap, simple, and effective, we can expect that they will continue to be among the most common attacks on the cybersecurity threat landscape.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 5; Explore The Threat of Business Email Compromise&lt;/strong&gt;&lt;br&gt;
Business email compromise, or BEC for short, is a cyber crime that can cost organizations a lot of money if they become victims. In this guide, I will cover what BEC attacks are and why they can be so dangerous. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F01fee8pbj9v4mbvhtoh1.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F01fee8pbj9v4mbvhtoh1.PNG" alt="Image description" width="590" height="242"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;BEC attacks usually start with criminals hacking into email accounts and using them to pretend to be someone they're not. The criminals will then use the hacked email accounts to impersonate C-level executives, finance teams, or even suppliers. Their goal is to trick employees into making large payments or changing the payment process to send funds to a scammer's bank account. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis78hatbdatvrpnb9vsn.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis78hatbdatvrpnb9vsn.PNG" alt="Image description" width="564" height="256"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The most common way the email accounts are hacked is through a phishing attack. Since the BEC criminals are going after specific email accounts, this is considered spear phishing. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj2v1f1j3e80vf9kw1der.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj2v1f1j3e80vf9kw1der.PNG" alt="Image description" width="539" height="214"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So, BEC attackers typically combine phishing, social engineering, and financial fraud to pull off these scams. And it is likely they will soon add another technology to the mix: deepfake audio, generated by artificial intelligence, to make the request even more convincing to the victim. BEC criminals will sometimes try to use spoofed emails, where the email header is forged to look like it's coming from somewhere it's not, or they'll use lookalike domains to try to make their email look legitimate. While these methods of faking email senders might be easier than hacking into an email account, they are not as effective at tricking the victims.&lt;/p&gt;

&lt;p&gt;Variations of BEC attacks include:&lt;br&gt;
The false invoice scam: tricking the finance team into sending a vendor invoice payment to a fraudulent account.&lt;br&gt;
Payroll diversion: tricking HR into changing the direct deposit banking information for an employee so that salary payments go to a fraudulent account.&lt;br&gt;
CEO fraud: tricking the finance team into sending an emergency wire transfer for the CEO, which goes to a fraudulent account.&lt;br&gt;
The gift card scam: tricking the victim into buying gift cards for staff or clients, then sending the serial numbers of the cards to the attacker.&lt;br&gt;
Home buyer fraud: tricking home buyers into transferring funds to a fraudulent account.&lt;/p&gt;

&lt;p&gt;While BEC may not be the most common cybersecurity threat, it is easily the most costly type of cyber crime. According to the FBI, losses in the US alone to BEC scams in 2021 were nearly $2.4 billion. That's up more than 30% from the year before, showing that BEC attacks are effective and increasing. And those losses are just in the US, and just from the cases that are reported. The worldwide losses are much higher. The huge payoffs, ease of execution, and low risks of BEC attacks are attracting criminals all around the world. Because it's so attractive to attackers, we can expect business email compromise to be a big part of the cybersecurity threat landscape well into the future.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 6; Protect Against Business Email Compromise&lt;/strong&gt;&lt;br&gt;
Because business email compromise, or BEC, has characteristics similar to phishing attacks, some of the ways to protect against it will overlap.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzocig1emndaq51eugaod.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzocig1emndaq51eugaod.PNG" alt="Image description" width="357" height="246"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;First, as with phishing, you can protect against BEC by implementing email filtering controls on your email server. This will help prevent email attacks designed to trick users into giving away their credentials. And because BEC attackers will sometimes try to spoof legitimate domains in their emails, consider configuring email protocols like SPF, DKIM, and DMARC to reduce this type of spoofing. For instance, DKIM can be used to reject emails where the displayed domain doesn't match the domain of the originating email server. Mike Chapple gives a good overview of these protocols in his CompTIA Cybersecurity Analyst+ course on LinkedIn Learning.&lt;/p&gt;
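&lt;p&gt;The check those protocols give a receiving mail server, worked through as an added example (this is illustration code, not from the article or any mail product): given the SPF and DKIM results the server already computed, decide from the domain's DMARC record whether the From domain the user sees is authenticated, and otherwise which policy action applies. The sample records and domains are constructed, and the organizational-domain lookup is deliberately simplified.&lt;/p&gt;

```python
"""Evaluate DMARC identifier alignment and policy for one message.

Added illustration, not the article's code. The organizational-domain
lookup is simplified to "last two labels"; production code consults the
Public Suffix List. Sample domains and records are constructed.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'.

    Returns a dict of tag to value, with defaults for the tags this
    example uses: p (policy), adkim and aspf (alignment modes).
    """
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record: " + txt)
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two DNS labels."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) in (0, 1):
        return domain.lower()
    return ".".join(labels[-2:])


def aligned(header_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r')
    accepts any host under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiving server knows before the DMARC step.

    from_domain: domain in the From header the recipient sees.
    spf_domain:  domain SPF was evaluated against (MAIL FROM), or None.
    spf_pass:    whether that SPF evaluation passed.
    dkim_domain: d= tag of a DKIM signature that verified, or None.
    """
    from_domain: str
    spf_domain: Optional[str]
    spf_pass: bool
    dkim_domain: Optional[str]


def dmarc_disposition(results, record_txt):
    """Return 'pass' when an authenticated identifier aligns with the
    From domain; otherwise the record's policy: none, quarantine, reject."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = results.spf_pass and aligned(
        results.from_domain, results.spf_domain, policy["aspf"])
    dkim_ok = aligned(results.from_domain, results.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


# Constructed: a spoofed message whose SPF passes for the attacker's own
# bounce domain while the From header claims the company's domain.
SPOOFED = AuthResults(from_domain="example.com",
                      spf_domain="bulk-sender.example.net",
                      spf_pass=True, dkim_domain=None)
# Constructed: legitimate mail via a third-party provider, DKIM-signed
# with a subdomain of the company's organizational domain.
LEGIT = AuthResults(from_domain="example.com",
                    spf_domain="bounce.mailprovider.example",
                    spf_pass=True, dkim_domain="mail.example.com")

WEAK_RECORD = "v=DMARC1; p=none"                        # report only
STRICT_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=s"   # enforce

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(name, "weak:", dmarc_disposition(msg, WEAK_RECORD),
              "strict:", dmarc_disposition(msg, STRICT_RECORD))
```

With the weak record the spoofed message is only reported, not stopped; with the enforcing record it is rejected while the legitimately signed message still passes.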

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffmu7x24zjqstezrctpq3.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffmu7x24zjqstezrctpq3.PNG" alt="Image description" width="366" height="252"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Second, enable multifactor authentication, or MFA, especially on email accounts. This will significantly reduce the chances of an attacker taking control of an email account with just a username and password. Once enabled, never disable MFA. User security awareness training is another important protection against BEC attacks. Train users about these attacks and that they should be suspicious of urgent-sounding or unusual emails that request transferring funds. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj01shdltemdnlhcsosjh.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj01shdltemdnlhcsosjh.PNG" alt="Image description" width="358" height="316"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Show them how to spot look-alike domains used in emails. Teach them to confirm these financial transaction requests out of band, meaning through some method other than email, such as calling the person or meeting with them directly. And any change in payment instruction should be verified, no matter how it is sent or who it comes from. &lt;/p&gt;
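&lt;p&gt;Spotting look-alike domains can also be automated on the mail gateway or in a training tool. The following is an added example, not the article's code, that classifies a sender domain against a constructed list of trusted brands (the ones named earlier) using three of the tricks the text describes: a trusted name embedded as a decoy, homoglyph substitution, and one- or two-character misspellings.&lt;/p&gt;

```python
"""Flag sender domains that resemble, but are not, a trusted domain.

Added illustration for the training point above, not the article's code.
The trusted list and sample senders are constructed; suffix handling is
simplified (production code would use the Public Suffix List).
"""

# Substitutions attackers use because they read like the original glyphs.
# Digraphs come first so 'rn' becomes 'm' before single characters change.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"))

TRUSTED_DOMAINS = ("microsoft.com", "apple.com", "google.com",
                   "chase.com", "amazon.com")   # brands named in the text


def normalize(domain):
    """Collapse homoglyphs: 'rnicr0soft.com' reads as 'microsoft.com'."""
    d = domain.lower()
    for pattern, replacement in HOMOGLYPHS:
        d = d.replace(pattern, replacement)
    return d


def levenshtein(a, b):
    """Edit distance by the classic dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Simplified registrable domain: the last two labels."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'.

    Rules, in order: exact or subdomain match; a trusted domain or its
    brand label used as a decoy inside another registrable domain;
    equality after homoglyph normalization; edit distance of 1 or 2.
    """
    d = domain.lower().strip(".")
    reg = registrable(d)
    for t in trusted:
        if d == t or d.endswith("." + t):
            return "trusted", "matches " + t
    for t in trusted:
        brand = t.split(".")[0]
        labels = d.split(".")
        # e.g. chase.com.secure-login.net, microsoft-support.com, apple.co
        decoy = ("." + t + ".") in ("." + d + ".") or any(
            lab == brand or lab.startswith(brand + "-") or lab.endswith("-" + brand)
            for lab in labels)
        if decoy:
            return "lookalike", "embeds trusted name " + t
        if normalize(reg) == normalize(t):
            return "lookalike", "homoglyph of " + t
        if levenshtein(reg, t) in (1, 2):
            return "lookalike", "near miss of " + t
    return "unknown", "no trusted domain resembled"


if __name__ == "__main__":
    # Constructed senders: some legitimate, some the kinds of look-alikes
    # users are trained to notice, one unrelated domain.
    for sender in ("accounts.google.com", "rnicrosoft.com", "g00gle.com",
                   "amazom.com", "chase.com.secure-login.net",
                   "microsoft-support.com", "purchase-deals.com"):
        print(sender, classify_sender_domain(sender))
```

The brand-label rule requires the brand to be a whole label or hyphen-separated part of one, so an unrelated domain such as purchase-deals.com is not flagged just because it contains the letters of a bank's name.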

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fev6a30bb4x9plh57bchv.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fev6a30bb4x9plh57bchv.PNG" alt="Image description" width="357" height="344"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The third way to protect against BEC is to add a warning banner to emails coming from outside your organization. Marking external emails helps warn users that an email spoofed to look like it's from someone within the organization really isn't. Then train users to understand what these warning banners mean and why they're important. If you or someone in your organization is a victim of a BEC scam, you should contact your financial institution immediately and tell them what happened. In some cases, money transfers can be frozen or canceled. Next, if you're in the US, report the crime to your local FBI field office. If you're outside the US, contact your equivalent law enforcement agency. Also, if you're in the US, file a complaint with the FBI's Internet Crime Complaint Center at ic3.gov. Business email compromise is a growing problem on the cybersecurity threat landscape. Take the steps described in this video to reduce the chances that you or your organization will become a victim of a BEC attack.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 7; Explore The Threat of Botnets And DDoS Attacks&lt;/strong&gt;&lt;br&gt;
While the term botnets may conjure up images of robots taking over the world like in a sci-fi movie, the reality is different. Let us take a look at botnets and DDoS attacks. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fls825njn87p8obma6q1u.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fls825njn87p8obma6q1u.PNG" alt="Image description" width="699" height="256"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A botnet is a collection of computers or internet of things devices, which have been infected by malware, allowing a malicious actor to take remote control of them. Because so many systems can come under one attacker's control, botnets can become a serious force multiplier, allowing an attacker to inflict a lot more damage than they could accomplish on their own. And compromised systems that become part of a botnet are sometimes called zombies because they are no longer able to control their own actions. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftpmxtiomedsg09cpv56c.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftpmxtiomedsg09cpv56c.PNG" alt="Image description" width="428" height="188"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once systems are compromised, a botnet can be used for many types of cyber attacks, including distributed denial of service, or DDoS, attacks, spam and phishing campaigns, spreading malware, brute force and other cyber attacks, and crypto mining. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1bxg7i8xiokbfeylpd9o.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1bxg7i8xiokbfeylpd9o.PNG" alt="Image description" width="641" height="220"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The terms botnets and DDoS attacks are related, but not the same. Botnets are the actors. DDoS attacks are the actions. &lt;br&gt;
A DDoS attack is an attempt to make an online service, usually a website, unavailable by overwhelming it with traffic from many sources. With sometimes thousands of zombie computers at their disposal, attackers will often use botnets to flood their target websites with millions of browser-based HTTP requests per second. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhiywohyiaefyxbiprw70.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhiywohyiaefyxbiprw70.PNG" alt="Image description" width="675" height="241"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;These traffic floods can disrupt or completely block the services of targeted websites, and DDoS attacks can last hours, days, or even weeks. In fact, one DDoS attack in 2021 lasted more than 776 hours, which is over a full month. DDoS attacks are frequently used for extortion. The attackers behind botnets will often send emails to organizations threatening to launch the DDoS attack if a ransom isn't paid. If they don't get the ransom, they'll gradually ramp up the DDoS attack to put pressure on their victims to pay quickly. Because botnets are so common and they can be used to make a lot of money, some botnet owners sell DDoS attacks as a service. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpsg7z7xvq9xiz5ariwnc.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpsg7z7xvq9xiz5ariwnc.PNG" alt="Image description" width="699" height="284"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;DDoS as a service enables any criminal to conduct these attacks without needing any technical skills or resources of their own. The ever-increasing number of poorly secured internet-connected devices and the chance to use them to make money is driving the growth of botnets and DDoS attacks. This is why we can expect botnets and DDoS attacks to continue playing a big role in the cybersecurity threat landscape for some time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 8; Protect Against Botnets And DDoS Threats&lt;/strong&gt;&lt;br&gt;
Although botnets and distributed denial of service, or DDoS, attacks may be growing threats on the cybersecurity threat landscape, there are effective ways to minimize your exposure to them. In this guide, I will cover how to protect against botnet and DDoS attacks and how to keep your systems from becoming part of a botnet. We will start by talking about several ways to protect your websites and online applications from DDoS attacks. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0p4g1om1ak4hckebmxdm.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0p4g1om1ak4hckebmxdm.PNG" alt="Image description" width="753" height="218"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;First, you absolutely must have either firewalls or web application firewalls, or WAFs for short, in front of your websites. Firewalls and WAFs can be used to detect and block unwanted and abnormal traffic. They can also be used to control or throttle the traffic that reaches your applications. Firewalls and WAFs, though, can still be overwhelmed by DDoS attacks. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9u2nq1n7lwxzplg4yb3t.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9u2nq1n7lwxzplg4yb3t.PNG" alt="Image description" width="678" height="226"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The second way you can protect against DDoS attacks is by using load balancers or content delivery networks, or CDNs for short. Load balancers and CDNs can share the traffic load across servers in different locations, which waters down the DDoS attack. Third, consider using DDoS defense systems or service providers that specialize in protecting organizations from these attacks. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fratv43e3xjhocamstrr0.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fratv43e3xjhocamstrr0.PNG" alt="Image description" width="657" height="215"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Cloudflare, for instance, provides a service that can absorb DDoS traffic and route only legitimate traffic to your web servers. Next, a good network monitoring system will detect unusual internet traffic, like a DDoS attack, once it starts. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpnunphlonqkmf6e4r77e.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpnunphlonqkmf6e4r77e.PNG" alt="Image description" width="675" height="246"&gt;&lt;/a&gt;&lt;br&gt;
Notifications from a network monitoring system will give you an early warning about the attack, so you can respond quickly. And finally, develop a denial of service response plan. Define who will be on the response team in the event of a DDoS attack, and write down the procedures that must be followed in the event of an attack. When you have these protections in place, you can hire a qualified third-party firm to conduct a DDoS test.&lt;/p&gt;
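&lt;p&gt;What that early warning looks like in practice, as an added example (not the article's code): a small detector run over constructed web server access log lines. It buckets requests into ten-second windows and raises two kinds of alert, one for a single address sending too much, and one for the botnet case the text describes, where hundreds of zombies each stay below any per-address limit but the aggregate far exceeds the site's normal rate. The addresses, baseline rate and thresholds are assumptions.&lt;/p&gt;

```python
"""Detect HTTP request floods in web server access logs.

Added illustration of the monitoring step above, not the article's code.
Log lines are constructed (RFC 5737 documentation addresses); the
baseline rate and thresholds are assumptions to be tuned to real traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from operator import gt

# Common Log Format: ip ident user [timestamp] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
WINDOW_SECONDS = 10
PER_SOURCE_LIMIT = 50      # requests from one address per window
AGGREGATE_FACTOR = 5       # alert when a window is this many times baseline


def parse_line(line):
    """Return (source_ip, epoch_seconds), or None for unparseable lines."""
    m = CLF.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), int(ts.timestamp())


def detect_floods(lines, baseline_rps):
    """Bucket requests into fixed windows and apply two rules.

    'source flood': one address alone exceeds PER_SOURCE_LIMIT.
    'distributed flood': the window total exceeds the baseline by
    AGGREGATE_FACTOR although no single address stands out, which is
    what a botnet of many low-rate zombies looks like.
    Returns a list of (window_start_epoch, rule, detail) tuples.
    """
    events = [p for p in map(parse_line, lines) if p is not None]
    if not events:
        return []
    t0 = min(t for _, t in events)
    windows = defaultdict(Counter)
    for ip, t in events:
        start = t0 + ((t - t0) // WINDOW_SECONDS) * WINDOW_SECONDS
        windows[start][ip] += 1
    aggregate_limit = baseline_rps * WINDOW_SECONDS * AGGREGATE_FACTOR
    alerts = []
    for start in sorted(windows):
        counts = windows[start]
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if gt(top_n, PER_SOURCE_LIMIT):
            alerts.append((start, "source flood", f"{top_ip} sent {top_n} requests"))
        elif gt(total, aggregate_limit):
            alerts.append((start, "distributed flood",
                           f"{total} requests from {len(counts)} sources"))
    return alerts


def _clf_line(ip, epoch):
    """Build one constructed Common Log Format line."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 2326'


def sample_log():
    """Constructed log: 60 s of 4 rps normal traffic, a botnet flood in
    seconds 30-39, and one abusive single address in seconds 50-59."""
    base = int(datetime(2024, 12, 10, 20, 55, 0, tzinfo=timezone.utc).timestamp())
    lines = []
    for sec in range(60):
        for host in range(4):                      # steady legitimate visitors
            lines.append(_clf_line(f"192.0.2.{10 + host}", base + sec))
        if sec in (30, 33, 36, 39):                # 150 zombies, 4 requests each
            for zombie in range(1, 151):
                lines.append(_clf_line(f"198.51.100.{zombie}", base + sec))
        if sec in range(50, 60):                   # one noisy address, 8 rps
            lines.extend(_clf_line("203.0.113.7", base + sec) for _ in range(8))
    return lines


if __name__ == "__main__":
    for start, rule, detail in detect_floods(sample_log(), baseline_rps=4):
        print(datetime.fromtimestamp(start, tz=timezone.utc), rule, detail)
```

A per-address rule on its own would miss the botnet window entirely, since every zombie sends only four requests; the aggregate rule is what turns that window into an alert.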

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5v0o9ptnqb52ckdikaqo.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5v0o9ptnqb52ckdikaqo.PNG" alt="Image description" width="739" height="218"&gt;&lt;/a&gt; &lt;br&gt;
There are many security companies that specialize in simulated DDoS attacks, load tests, and other external threat simulations. They can help identify system misconfigurations, network bottlenecks, weak incident response, and more. Now let's talk about how to keep your systems from joining a botnet. Since the primary way systems are taken over and added to botnets is through malware, the best way to protect your systems is with effective anti-malware. Make sure you're running the latest version with current malware definitions. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftueburjg0039t59fj0bw.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftueburjg0039t59fj0bw.PNG" alt="Image description" width="361" height="244"&gt;&lt;/a&gt;&lt;br&gt;
Next, monitor your system processes and investigate any that look unusual or consume excessive CPU or memory; these can be signs that your system is part of a botnet. And, of course, follow good enterprise security practices. Example practices include: make sure all your devices have strong passwords; keep software, firmware, and applications updated and patched; implement anti-spam controls on your email server; use web filtering to block access to sites that commonly host malware; and conduct regular user security awareness training, including phishing training. These may seem like basic security tasks, but they go a long way toward keeping your systems out of a botnet. Botnets and DDoS attacks are getting bigger and more common, and, like an arms race, attack methods keep evolving to overcome existing defenses. Take the steps I covered in this video to protect your organization's data from botnet and DDoS threats.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 9; Exploring The Threat of Zero-Day Attacks&lt;/strong&gt;&lt;br&gt;
Zero-day attacks are one of the most feared threats in cybersecurity. So what exactly is a zero-day attack? Essentially, it's an exploit that targets a vulnerability in software or hardware unknown to the vendor and users. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5fe9jotnjuuviazlqx46.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5fe9jotnjuuviazlqx46.PNG" alt="Image description" width="527" height="239"&gt;&lt;/a&gt;&lt;br&gt;
Because no one knows about the flaw, no one has had a chance to patch it, leaving systems open to attack. Here's how a zero-day attack typically unfolds. An attacker discovers an unknown vulnerability in a software or hardware product. Instead of reporting it, they create an exploit that takes advantage of the weakness. Once the exploit is ready, they launch an attack, often causing significant damage before anyone knows what's happening. For example, the infamous Stuxnet worm used several zero-day exploits in its attack on industrial control systems, spreading widely before it was discovered.&lt;/p&gt;

&lt;p&gt;Zero-day attacks can have devastating impacts. They can lead to data breaches, financial loss, and even physical damage, as seen with Stuxnet. Organizations can face severe repercussions, including loss of customer trust and regulatory penalties. Detecting zero-day attacks is incredibly challenging. Traditional security measures like signature-based antivirus and firewalls are often ineffective because they rely on known signatures to identify threats, so a zero-day attack can go undetected for a long time, allowing attackers to exploit the vulnerability without being noticed. Zero-day attacks represent a significant and evolving threat in the cybersecurity landscape. Their ability to exploit unknown vulnerabilities makes them dangerous and difficult to defend against, and understanding their nature and potential impact is crucial for organizations striving to protect their systems and data.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 10; Mitigating Zero-Day Attacks&lt;/strong&gt;&lt;br&gt;
Zero-day attacks are among the most challenging cybersecurity threats to defend against because they exploit unknown vulnerabilities. Let's explore how you can protect your organization from these elusive threats. First, keeping your software and systems updated is crucial. By definition no patch exists while a vulnerability is still a zero-day, but a robust patch management process shortens the window of exposure once the vendor releases a fix and closes the known vulnerabilities that attackers often chain with zero-days. Make sure your organization has such a process in place so that all systems stay up to date with the latest security patches. Next, leveraging threat intelligence is essential. You can take proactive steps to protect your systems by staying informed about emerging threats. Subscribe to threat intelligence feeds and stay connected with the cybersecurity community for timely updates about new vulnerabilities and exploits. For instance, subscribe to notifications from the Cybersecurity and Infrastructure Security Agency (CISA) to receive alerts and updates. Advanced monitoring and anomaly detection are critical in identifying potential zero-day attacks. Implement tools like security information and event management (SIEM) systems, which aggregate log data from many sources, analyze patterns and behaviors to spot anomalies, and provide real-time threat detection; many now use machine learning to flag unusual activity in your network. Regularly reviewing logs and conducting thorough audits also help with early detection. Having a well-defined incident response plan is vital. Your plan should outline the steps to take immediately after detecting a zero-day attack. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fte2q9slnyhneo30stiju.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fte2q9slnyhneo30stiju.PNG" alt="Image description" width="440" height="244"&gt;&lt;/a&gt;&lt;br&gt;
This includes isolating affected systems, conducting a detailed investigation, and communicating with stakeholders. Ensure your incident response team is well trained and conducts regular drills to stay prepared. Employee training and awareness are also key components of your defense strategy. Educate your staff about security best practices and the importance of vigilance. Regular training sessions help employees recognize potential threats and respond appropriately. Encourage them to report suspicious activities and ensure that they understand their role in maintaining cybersecurity. Protecting against zero-day attacks requires a combination of proactive measures and preparedness. By staying proactive and vigilant, you can significantly reduce the risk of zero-day attacks and protect your organization from potential harm.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 11; Protecting Against AI-Based Cyberattacks&lt;/strong&gt;&lt;br&gt;
AI-based cyberattacks, including deepfakes and AI-powered phishing, are designed to be hard to detect, and this will only get more challenging as the technology improves. But there are ways to protect yourself and your organization. Train users about AI-based technology, how it works, and how it can be used to conduct payment fraud and other attacks. Educate them on how to spot deepfake audio and video by looking for unnatural speech cadence, low-quality audio and video, digital artifacts such as noise in the audio or video, unnatural movement, unnatural blinking, unexpected shifts in lighting and skin tone, and poor lip syncing.&lt;/p&gt;

&lt;p&gt;Train users to recognize AI-powered phishing emails, which can be generated from analysis of past communications to mimic a writing style and increase believability. Educate users to be cautious of emails that urgently request sensitive information or payments, come from unfamiliar or slightly altered email addresses, or contain links or attachments that seem out of context. Both deepfakes and phishing attacks usually carry the typical social engineering red flags, such as a sense of urgency: attackers want you to act quickly without thinking. Watch out for unusual behavior. Attackers may not reproduce the cloned voice or writing style perfectly, and the request might be something the real person wouldn't usually make. Train users to verify any phone call or email requesting a financial transaction or a change of payment details through a separate channel. The best way to verify a request is face to face, but if that's not possible, call the person back at their official phone number to confirm the request and ask a test question that the real person would know the answer to but an attacker probably wouldn't, such as their favorite sports team or a specific detail about their office. Ensure the finance department has authorization processes for transactions and payment changes that cannot be completed with a simple phone call or email. 
By staying vigilant and following these steps, you can better protect yourself and your organization from AI-based cyberattacks.&lt;/p&gt;
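
&lt;p&gt;As an added example (not code from the original article), here is how the email red flags listed above can be turned into mail-gateway style checks: a lookalike-sender test that catches homoglyph swaps (a digit 1 for the letter l, rn for m) and one- or two-character edits of a trusted domain, a reply-to mismatch test, and keyword tests for urgency and payment language. The two messages, the trusted-domain list, the homoglyph table, and the keyword lists are all constructed for the example; treat the keyword lists as a starting point, not a complete detector.&lt;/p&gt;

```python
"""Added example, not from the original article: mail-gateway style checks
for the AI-assisted phishing red flags described above (lookalike sender
domains, reply-to mismatch, urgency, payment requests). The messages and
the trusted-domain list are constructed for the example."""
import operator

# Characters attackers swap for visually similar ones in lookalike domains
# (constructed table; extend it for your own alphabet of confusables).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URGENCY_WORDS = ("urgent", "immediately", "right away", "asap", "before end of day", "today")
PAYMENT_WORDS = ("wire", "payment", "bank details", "invoice", "gift card", "account number")


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted_domains, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None.

    A trusted domain itself is never a lookalike; homoglyph substitutions
    (examp1e for example, rn for m) and edits of up to max_distance
    characters are.
    """
    if domain in trusted_domains:
        return None
    normalized = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for trusted in trusted_domains:
        if normalized == trusted:
            return trusted
        if operator.le(edit_distance(domain, trusted), max_distance):
            return trusted
    return None


def red_flags(msg, trusted_domains):
    """Return the red-flag codes raised by a message dict with keys
    from, reply_to (optional), subject and body."""
    flags = []
    sender = domain_of(msg["from"])
    if lookalike_domain(sender, trusted_domains):
        flags.append("lookalike-sender")
    elif sender not in trusted_domains:
        flags.append("unknown-sender")
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender:
        flags.append("reply-to-mismatch")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(word in text for word in URGENCY_WORDS):
        flags.append("urgency")
    if any(word in text for word in PAYMENT_WORDS):
        flags.append("payment-request")
    return flags


TRUSTED = {"example-corp.com"}

# Constructed messages: a routine internal note and an executive-impersonation
# payment request of the kind AI-assisted phishing produces.
ROUTINE = {
    "from": "cfo@example-corp.com",
    "subject": "Notes from Tuesday",
    "body": "Attached are the meeting notes. Let me know if I missed anything.",
}
SUSPECT = {
    "from": "cfo@examp1e-corp.com",
    "reply_to": "cfo.examplecorp@mail.example",
    "subject": "Urgent wire transfer before end of day",
    "body": "Please process the attached invoice immediately. I am in meetings, do not call.",
}

if __name__ == "__main__":
    for name, msg in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(name, red_flags(msg, TRUSTED) or "no red flags")
```

&lt;p&gt;The routine note raises nothing; the impersonation raises all four flags. A single flag is a prompt for the out-of-band verification described above rather than a verdict, and "do not call" in the body is itself the attacker trying to defeat that callback.&lt;/p&gt;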

&lt;p&gt;&lt;strong&gt;Chapter 12; Exploring The Threat of Advanced Persistent Threats (APTs)&lt;/strong&gt;&lt;br&gt;
Imagine a group of cyber criminals hiding in the shadows, carefully planning their next move to infiltrate a high-security network. They're not in a rush. They have time, resources, and advanced tools. This scenario describes the reality of advanced persistent threats, or APTs, one of today's most sophisticated and dangerous types of cyber threats. At its core, an APT is a prolonged and targeted cyber attack in which an intruder gains access to a network, and remains undetected for an extended period.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37k36ysnhxu5uazx8mw9.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37k36ysnhxu5uazx8mw9.PNG" alt="Image description" width="614" height="281"&gt;&lt;/a&gt;&lt;br&gt;
APTs have unique characteristics that set them apart from other threats. They are persistent, meaning the attackers are determined to achieve their goals over a long period and often adapt their methods to stay under the radar. They are sophisticated, employing advanced techniques to bypass security defenses. And they are highly targeted, focusing on specific organizations or industries such as government agencies, financial institutions, and healthcare providers.&lt;/p&gt;

&lt;p&gt;Here's how APTs typically operate. The process usually begins with reconnaissance, where attackers gather as much information as possible about their target. Next comes the initial compromise, often through phishing emails or the exploitation of known vulnerabilities. Once inside, attackers establish a foothold, installing backdoors and malware so they can return even if the original entry point is discovered. They then escalate their privileges to reach more sensitive areas of the network. The next move is lateral movement, where they navigate through the network while avoiding detection and identifying valuable data. The final stages are data exfiltration, where they steal the sensitive information, and maintaining persistence, so that their presence remains undetected for future exploitation.&lt;/p&gt;

&lt;p&gt;The impact of APTs can be devastating. These threats can lead to severe data breaches, financial losses, and reputational damage, and can even pose risks to national security. For example, the healthcare industry has been a frequent target of APTs, with attackers aiming to steal patient data that can be sold on the dark web for significant profit. Government agencies are also prime targets, with attackers seeking classified information that can be used for espionage or to disrupt national security. By being aware of how APTs operate and their potential impacts, organizations can better prepare to face this severe threat. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 13; Protecting Against Advanced Persistent Threats (APTs)&lt;/strong&gt;&lt;br&gt;
Advanced persistent threats, or APTs, are among the most insidious cyber threats organizations face today. In this video, I'll show you how you can protect your organization from these sophisticated attacks. First, leverage threat intelligence. Staying informed about emerging threats is crucial. By subscribing to threat intelligence feeds and connecting with the cybersecurity community, you receive timely updates about new vulnerabilities and exploits; for example, notifications from the Cybersecurity and Infrastructure Security Agency (CISA) provide valuable alerts and updates. A multi-layered security approach is essential in defending against APTs. This means implementing controls such as firewalls, intrusion detection systems, and antivirus software. Regular software updates and patch management are also crucial: ensuring all systems are up to date with the latest security patches closes vulnerabilities before attackers can exploit them.&lt;/p&gt;

&lt;p&gt;Your employees play a key role in preventing APTs. Regular security awareness training sessions are essential. Educate your staff about security best practices and the importance of vigilance. Training helps employees recognize potential threats and respond appropriately. Encourage them to report suspicious activities and ensure they understand their role in maintaining cybersecurity. Finally, a well-defined incident response plan is vital. Your plan should detail the actions to take when an APT is detected: isolating compromised systems, investigating thoroughly, and keeping stakeholders informed. Ensure your incident response team is well trained and conducts frequent drills to maintain readiness. Protecting against advanced persistent threats demands a blend of proactive strategies and thorough preparation. By staying alert and taking proactive steps, you can safeguard your organization from these sophisticated threats.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 14; Explore The Risk of Insider Threats&lt;/strong&gt;&lt;br&gt;
When we think about the cybersecurity threat landscape, it's easy to focus on attackers coming from the outside, but internal threats can sometimes be just as dangerous as outside threats, if not more so. In this video, I'll cover what insider threats are and why we should be concerned about them. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffi02ltvydttvoch2q34g.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffi02ltvydttvoch2q34g.PNG" alt="Image description" width="542" height="253"&gt;&lt;/a&gt;&lt;br&gt;
Insiders include anybody who has inside information about your organization's data, IT systems, and security practices: current or former employees, vendors with internal access, third-party contractors, and business partners. Insider threats can sometimes be more dangerous than outside threats because trusted insiders have been granted access to assets and data on the basis of that trust, and that access can be misused or abused.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2e6jwsopjul5gu9oupe3.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2e6jwsopjul5gu9oupe3.PNG" alt="Image description" width="674" height="246"&gt;&lt;/a&gt;&lt;br&gt;
Insider attacks can also be hard to detect because trusted insiders may have legitimate access that lets them reach and steal data without passing through firewalls or other controls that could track their activity. Types of malicious insider attacks include sabotage, where the goal is to damage systems or destroy data; fraud, which can take many forms but often involves criminal financial transactions; theft of sensitive data or intellectual property; and espionage, where the attacker steals sensitive data to sell to competitors. A real-world example of a malicious insider attack was the case of a trusted software engineer at a cloud services provider who went rogue. She broke into one of the provider's customers through a firewall vulnerability she had found and was then able to access the accounts of millions of credit card customers. The hacked company recovered from the attack and fixed the vulnerability, but it estimated the total cost of the incident at around 150 million dollars. Unintentional insider threats include human error, bad judgment, falling victim to a phishing attack or malware, and unintentionally aiding an attacker. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8k83anivfi4g3c41pqxg.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8k83anivfi4g3c41pqxg.PNG" alt="Image description" width="703" height="218"&gt;&lt;/a&gt;&lt;br&gt;
An example of an unintentional insider threat was the case of an employee who had a question about how to format some of the data on a company spreadsheet. He emailed the spreadsheet to his wife's personal email account to ask her for help. While this may have seemed like a harmless action, it turned out that the spreadsheet had hidden columns which included sensitive employee data. This turned his simple email into a major security breach that had to be reported to the state's attorney general and likely cost the company millions of dollars. The Ponemon Institute regularly publishes reports on the cost of insider threats. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F42w4ttcbezlmtjorrglv.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F42w4ttcbezlmtjorrglv.PNG" alt="Image description" width="587" height="225"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Their research shows that the average cost from insider threats in North American companies is millions of dollars and the cost is rising every year. That's why we can expect that insider threats will continue to hold a place in the cybersecurity threat landscape for years to come.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 15; Protect Against Insider Threats&lt;/strong&gt;&lt;br&gt;
Insider threats can be dangerous and hard to detect. In this video, I will show you four steps you can take to protect your organization against insider threats. First, if you haven't already, take the time to identify the critical assets in your organization. These are the IT systems that are essential for the operations of your business, have the most sensitive information, or both. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl1u8ouww3mjcc6psqdc0.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl1u8ouww3mjcc6psqdc0.PNG" alt="Image description" width="719" height="250"&gt;&lt;/a&gt;&lt;br&gt;
When you identify the critical assets, ensure that they are being properly protected and monitored. Also review and validate who has access to these assets, and confirm that everyone who has access really needs it. It's a good idea to conduct these access reviews on a regular basis.&lt;/p&gt;

&lt;p&gt;Next, write and enforce policies and processes that can protect against insider threats. Examples include: an acceptable use policy, which defines authorized and unauthorized use of your organization's assets (without one, an employee could claim they didn't know their malicious activity wasn't allowed; once it's written, make sure all employees read and agree to follow it); a policy on the proper use of admin accounts, which defines who is authorized to have admin accounts and how those accounts may be used; a clear employee performance review process, including the requirements for promotions and financial bonuses, which is usually handled by HR and is necessary to avoid the misunderstandings that can lead to disgruntled employees; a process for addressing employee grievances, also usually an HR process, which helps prevent unhappy employees from becoming insider threats; and an offboarding process that quickly removes access from employees who are no longer in the organization.&lt;/p&gt;

&lt;p&gt;Third, let's look at some technical security controls that can be implemented to protect against insider threats. To keep insider threats from going undetected, monitor user activity, especially on your critical assets. One of the best tools for this is a security information and event management system, or SIEM. A SIEM collects and analyzes event log activity from all your systems and can help identify suspicious or malicious activity. When it comes to access, follow the principle of least privilege: grant only the minimum privilege someone needs to do their job, and regularly review each user's privileges to make sure they're not excessive. Use network segmentation to isolate the critical assets from the rest of the network; this helps protect those assets from insiders who shouldn't have access to those parts of the network.&lt;/p&gt;

&lt;p&gt;Finally, user security awareness training can be an important way to protect against insider threats. Teach users about the acceptable use of your organization's assets. Let users know that their activity is being monitored and what the consequences of unauthorized activities are. And remind users to report any suspicious activity to the appropriate parties in your organization. Although insider threats are a growing part of the cybersecurity threat landscape, you can take the steps I covered in this guide to help protect your organization against them.&lt;/p&gt;
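
&lt;p&gt;As an added example (not code from the original article), the following Python script automates the access review the steps above call for: it compares what HR says is the current staff against what the systems actually contain, and reports accounts whose owner has left (an offboarding gap), admin accounts outside the approved admin list, accounts idle for longer than a threshold, and critical-asset memberships that do not fit the member's role (a least-privilege violation). The roster, account list, asset memberships, and the 90-day idle threshold are all constructed assumptions for the example.&lt;/p&gt;

```python
"""Added example, not from the original article: an automated access review
over constructed HR and account data. It flags orphaned accounts (owner no
longer on the roster), unauthorized admin accounts, stale accounts, and
critical-asset memberships that do not match the member's role."""
import operator
from datetime import date

# Constructed data. ROSTER is what HR says is current; everything else is
# what the systems actually contain.
ROSTER = {"alice": "finance", "bob": "engineering", "carol": "it-admin", "dave": "sales"}
SERVICE_ACCOUNTS = {"svc-backup"}
AUTHORIZED_ADMINS = {"carol", "svc-backup"}
ACCOUNTS = [
    {"user": "alice", "admin": False, "last_login": "2024-12-01"},
    {"user": "bob", "admin": True, "last_login": "2024-12-09"},
    {"user": "carol", "admin": True, "last_login": "2024-12-10"},
    {"user": "dave", "admin": False, "last_login": "2024-06-02"},
    {"user": "erin", "admin": False, "last_login": "2024-11-30"},
    {"user": "svc-backup", "admin": True, "last_login": "2024-12-10"},
]
CRITICAL_ASSETS = {
    "payroll-db": {"allowed_roles": {"finance", "it-admin"}, "members": {"alice", "bob", "carol"}},
    "source-repo": {"allowed_roles": {"engineering", "it-admin"}, "members": {"bob", "carol", "erin"}},
}


def orphaned_accounts(accounts, roster, service_accounts):
    """Accounts whose owner is no longer on the HR roster: offboarding missed them."""
    return sorted(a["user"] for a in accounts
                  if a["user"] not in roster and a["user"] not in service_accounts)


def unauthorized_admins(accounts, authorized):
    """Admin-enabled accounts outside the approved admin list."""
    return sorted(a["user"] for a in accounts if a["admin"] and a["user"] not in authorized)


def stale_accounts(accounts, today, max_idle_days):
    """Accounts unused for more than max_idle_days: candidates for removal."""
    stale = []
    for a in accounts:
        idle = (today - date.fromisoformat(a["last_login"])).days
        if operator.gt(idle, max_idle_days):
            stale.append(a["user"])
    return sorted(stale)


def role_mismatches(assets, roster):
    """(asset, user) pairs where the member's role is not allowed on the asset.
    A user missing from the roster has no role and is always a mismatch."""
    findings = []
    for asset, info in sorted(assets.items()):
        for user in sorted(info["members"]):
            if roster.get(user) not in info["allowed_roles"]:
                findings.append((asset, user))
    return findings


def access_review(today_iso):
    """Run every check as of the given ISO date and return the findings."""
    today = date.fromisoformat(today_iso)
    return {
        "orphaned": orphaned_accounts(ACCOUNTS, ROSTER, SERVICE_ACCOUNTS),
        "unauthorized_admins": unauthorized_admins(ACCOUNTS, AUTHORIZED_ADMINS),
        "stale": stale_accounts(ACCOUNTS, today, max_idle_days=90),
        "role_mismatches": role_mismatches(CRITICAL_ASSETS, ROSTER),
    }


if __name__ == "__main__":
    for finding, items in access_review("2024-12-10").items():
        print(f"{finding}: {items or 'none'}")
```

&lt;p&gt;On the constructed data the review finds erin's account still live after she left, bob holding admin rights that were never approved, dave's account idle for six months, and two critical-asset memberships (bob on the payroll database, erin on the source repository) that no current role justifies. Each finding maps back to a control in the text: offboarding, the admin-account policy, periodic privilege review, and least privilege on critical assets.&lt;/p&gt;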

&lt;p&gt;&lt;strong&gt;Chapter 16; Explore The Threat of Unmanaged IoT Devices&lt;/strong&gt;&lt;br&gt;
The internet of Things, or IoT can be the source of major cybersecurity threats, including data leakage, distributed denial of service attacks, and any attack that can be launched from botnets. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfw6w676k02vaapjm30l.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjfw6w676k02vaapjm30l.PNG" alt="Image description" width="742" height="193"&gt;&lt;/a&gt;&lt;br&gt;
Let's take a look at what the Internet of Things is and why it's part of the cybersecurity threat landscape. More and more devices are being connected to the internet in the name of convenience and control. Key drivers for the growth of IoT devices include the rise of cloud computing as the foundational technology for IoT, the plummeting cost of IoT devices, the common use of smartphones and tablets to control IoT devices, and easy access to Wi-Fi. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx85tlcd67k8wtps2arqn.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx85tlcd67k8wtps2arqn.PNG" alt="Image description" width="379" height="250"&gt;&lt;/a&gt;&lt;br&gt;
Practically any electronic device can be connected to the internet and become an IoT device. Common IoT devices include smart home lights, switches, thermostats, home appliances, TVs, security cameras, and even locks. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0f5p2v0uvlv1vovxk86y.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0f5p2v0uvlv1vovxk86y.PNG" alt="Image description" width="671" height="210"&gt;&lt;/a&gt;&lt;br&gt;
Many health devices are also directly connected to the internet, such as fitness trackers, connected scales, pedometers, and sleep monitors. Personal assistants that respond to voice commands are also popular. And, of course, most modern vehicles are IoT devices too. The number of IoT devices was projected to grow to more than 50 billion by 2025. The problem is that IoT devices are often connected to the internet without any thought about their security, and IoT devices can be more vulnerable to attack than the servers and network devices connected to the internet. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpc9zi1ejsjbpuzoobjzc.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpc9zi1ejsjbpuzoobjzc.PNG" alt="Image description" width="380" height="248"&gt;&lt;/a&gt;&lt;br&gt;
That's because they usually don't have enough computing power to support basic protections like anti-malware and host firewalls. They also often have built-in backdoors for maintenance, with default passwords that can easily be found on the internet. Because these IoT devices are usually directly connected to the internet, attackers can exploit these and other vulnerabilities with automated scripts. Once they control an IoT device, it can be added to a botnet or used as a jumping-off point to attack other devices on the same network. According to Symantec's Internet Security Threat Report, routers and connected cameras are the IoT devices most infected by malware and the main sources of IoT attacks, accounting for over 90% of malicious activity. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzlaxvmmldladcioz0c3q.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzlaxvmmldladcioz0c3q.PNG" alt="Image description" width="361" height="238"&gt;&lt;/a&gt;&lt;br&gt;
One of the most dramatic examples of the threat of unmanaged IoT devices is the Mirai botnet. The attackers built their botnet army by running a simple script against devices on the internet that attempted to log in with 61 known IoT default username and password combinations. If the login succeeded, the IoT device was infected with malware that directed it to follow the instructions of a central command-and-control system. The attack was very effective: it's estimated that there were nearly half a million Mirai-infected IoT devices, mostly closed-circuit TV cameras, DVRs, and routers. They were used to conduct distributed denial of service (DDoS) attacks against a wide variety of targets. Some good news is that governments and regulatory bodies are recognizing the problem of poor or nonexistent security standards for devices connecting to the internet. They're proposing minimum security standards for device manufacturers and labeling to raise users' awareness of how secure their devices are. Some of these requirements are being enforced through laws such as the IoT Cybersecurity Improvement Act, signed into US law in 2020. But with next-generation internet capabilities like 5G dramatically increasing data speeds and throughput, we may see IoT devices remain a key player in the cybersecurity threat landscape well into the future.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 17; Protect Against Unmanaged IoT Device&lt;/strong&gt;&lt;br&gt;
The number of Internet of Things, or IoT, devices is growing rapidly, and so are the related threats when they're deployed in an insecure way. The good news is there are some straightforward steps you can take to protect your organization from the threat of unmanaged IoT devices. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9gix2o48rpdnbvzw68tk.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9gix2o48rpdnbvzw68tk.PNG" alt="Image description" width="693" height="235"&gt;&lt;/a&gt;&lt;br&gt;
It's important to understand, though, that some IoT devices are so poorly designed that they may be challenging to secure; for instance, they might not allow you to change default passwords. So we'll start by looking at a few effective security actions you can take at the network level even if the IoT devices themselves are hard to secure. First, conduct an IT asset inventory: run network scans with a tool such as Nmap to learn which systems and devices are on your network. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwoe23elj606dtgr62t81.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwoe23elj606dtgr62t81.PNG" alt="Image description" width="372" height="230"&gt;&lt;/a&gt;&lt;br&gt;
This will help you identify IoT devices you may not have known about. Investigate any that seem out of the ordinary and remove any unauthorized devices. Second is network segmentation. Now that you have an inventory of your network assets, the next step is to identify which ones are your critical information assets and where they sit in your network. Use your routers and switches to segment your network and isolate your critical assets from IoT devices as much as possible. Finally, block ports. Figure out which network ports the IoT devices need and block traffic at the firewall for all other ports; in particular, block Telnet (port 23) unless it's absolutely required. Telnet was the protocol the Mirai attack software used to compromise hundreds of thousands of IoT devices. Some IoT devices, on the other hand, are easier to secure. If that's the case, then at a minimum implement the following. First, change default passwords when possible. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0omubnjgaroyr3pwjs1p.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0omubnjgaroyr3pwjs1p.PNG" alt="Image description" width="362" height="230"&gt;&lt;/a&gt;&lt;br&gt;
This is easily the most important way you can protect your organization and data from attacks against your IoT devices. Attackers know the most common IoT default passwords and will use them to compromise your devices. Changing the default password keeps these attacks from being successful. Next, configure strong security, if possible. Practice the principle of least privilege: give the device, and the accounts that access it, only the ability to do what they should be doing and no more. Set restrictive security controls on the device itself if that's an option. Third, install software updates and patches. If the manufacturer supports its IoT devices with periodic software updates and patches, make sure you install them in a timely manner. They may include important security fixes that will help protect your IoT devices from attacks. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1afuccnm3zf04rmmgtvh.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1afuccnm3zf04rmmgtvh.PNG" alt="Image description" width="675" height="216"&gt;&lt;/a&gt;&lt;br&gt;
The Open Web Application Security Project, or OWASP, published the IoT Top 10, a list of the key vulnerabilities to avoid when building, deploying, or managing IoT systems. If you're responsible for securing IoT devices, I recommend reviewing this list to make sure you've protected against all of these vulnerabilities. By implementing these and the other protections I covered in this video, you'll significantly reduce your exposure to the threat of unmanaged IoT devices.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 18; Explore The Threat of Shadow IT&lt;/strong&gt;&lt;br&gt;
Most of the dangers on the cybersecurity threat landscape come from malicious actors outside of your organization. Shadow IT is different, though, because this threat comes from within your organization, and many times it's not malicious. That doesn't mean it's not a serious problem. Let's take a look at shadow IT and why it's part of the cybersecurity threat landscape. Shadow IT refers to the unauthorized use of systems, software, personal devices, or cloud services by enterprise employees. To best manage and secure IT systems, all technology purchases should be approved and budgeted by a shared-services IT function, but users will sometimes go around IT and purchase technology with their own budget. Once implemented, this unsanctioned and often unmanaged technology becomes part of the shadow IT in the enterprise. IT will either find out about these shadow implementations after they've been deployed or, even worse, not at all. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft4jrawc1o03ahtlgyv8p.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft4jrawc1o03ahtlgyv8p.PNG" alt="Image description" width="403" height="254"&gt;&lt;/a&gt;&lt;br&gt;
There are many reasons behind the rise of shadow IT, but some of the most common are understaffed IT departments that can't support users' IT needs, the perception by users that IT is too slow or restrictive with technology deployments, and easy access to software-as-a-service, or SaaS, solutions like Dropbox, Salesforce, or Amazon Web Services. Shadow IT can represent a large amount of spending in organizations. In fact, Gartner has estimated that shadow IT accounts for 30 to 40% of IT spending in large enterprises. Other research suggests this number could be even higher, but many enterprise leaders either aren't aware of the shadow IT problem or downplay it as not that big of a deal. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwvimbrzo8se0vf9tce5x.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwvimbrzo8se0vf9tce5x.PNG" alt="Image description" width="672" height="253"&gt;&lt;/a&gt;&lt;br&gt;
That can be a costly mistake, because there are real risks associated with shadow IT. Simply put, it's impossible for the enterprise to secure systems that the organization's IT function isn't even aware of. Here are just a few of the shadow IT risks. First is data loss. If shadow IT systems are processing or storing important information, that information probably isn't included in the enterprise backup solution, so if the data is lost there's no chance of recovery. Even worse, if the information is confidential and the shadow IT systems aren't secured, that could lead to a data breach. Next is unpatched vulnerabilities. Shadow IT systems probably aren't included in vulnerability scans or scheduled patch cycles, which means they could have vulnerabilities that expose them to attacks and possible data breaches. Finally, lack of security compliance. All sanctioned IT solutions should be deployed with standard security controls that may not exist on shadow IT systems, such as antimalware, encryption, and security monitoring. An enterprise could be subject to big fines if a data breach occurs on shadow IT systems that aren't compliant with enterprise or regulatory security controls. We can expect that IT departments will continue to be challenged by users who circumvent the required processes for implementing IT solutions. For this reason, we'll likely see shadow IT remain part of the cybersecurity threat landscape for some time.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 19; Protect Against Shadow IT&lt;/strong&gt;&lt;br&gt;
Shadow IT, as the name implies, can be challenging to both detect and prevent. In this video, I'll cover some specific actions you can take to reduce the likelihood and impact of shadow IT in your organization. First, let's look at some fundamental controls for protecting against shadow IT. These are steps you should be taking anyway, but if you aren't, your exposure to the shadow IT threat increases a lot. The first control you need is an IT asset inventory. If you don't have a current inventory of your sanctioned IT assets, you won't be able to identify shadow IT systems. Run an Nmap scan or use a similar tool to get a baseline of the systems currently on your network. Review the results to make sure all the systems you found are authorized, and deal with any that aren't. Next, make sure users know the correct IT deployment process. It's hard to blame users for not following the process when they don't know what it is. Define a clear IT deployment process and write it down. Publish it where users can easily find it and promote it heavily. Finally, implement and enforce strong security policies that prohibit unauthorized deployment of IT systems or solutions. Security policy should be approved by executive leadership and should clearly state what is allowed when it comes to IT deployments. That way, you'll have an answer when asked why shadow IT systems need to be removed. &lt;/p&gt;
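&lt;p&gt;The asset-inventory step described here and in Chapter 17 (scan the network with Nmap, compare what was found against the sanctioned inventory, flag unauthorized devices and exposed Telnet) as an added example that is not part of the original guide: the Nmap grepable output, the inventory and the per-device port expectations are all constructed sample data.&lt;/p&gt;

```python
"""Review an Nmap grepable (-oG) scan against a sanctioned asset list.

Added example, not code from the original guide.  It parses Nmap grepable
output, flags hosts that are missing from the sanctioned inventory, and flags
open ports a device is not expected to serve, with Telnet (23/tcp) called out
explicitly because the guide singles it out as the Mirai entry point.
"""
import re

# Constructed sample of "nmap -sS -p- -oG" output for a small IoT segment.
# Tabs separate the fields on each Host line, exactly as Nmap writes them.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Tue Dec 10 12:00:00 2024 as: nmap -sS -p- -oG iot-segment.gnmap 192.168.10.0/24
Host: 192.168.10.5 (nvr01.lan)\tStatus: Up
Host: 192.168.10.5 (nvr01.lan)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (65533)
Host: 192.168.10.7 ()\tStatus: Up
Host: 192.168.10.7 ()\tPorts: 554/open/tcp//rtsp///\tIgnored State: closed (65534)
Host: 192.168.10.9 ()\tStatus: Up
Host: 192.168.10.9 ()\tPorts: 23/open/tcp//telnet///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65533)
# Nmap done at Tue Dec 10 12:00:41 2024 -- 256 IP addresses (3 hosts up) scanned in 41.20 seconds
"""

# Sanctioned inventory (constructed): IP to (label, ports the device is expected to serve).
AUTHORIZED = {
    "192.168.10.5": ("nvr01 video recorder", {80}),
    "192.168.10.7": ("lobby camera", {554}),
}

# Ports to flag on every device, whatever the inventory says (Chapter 17: block Telnet).
ALWAYS_FLAG = {23: "Telnet"}

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": {port: (state, protocol, service)}}}."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue  # "# Nmap ..." comment lines
        ip, hostname, rest = match.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": {}})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue  # "Status: Up" and "Ignored State: ..." fields
            for spec in field[len("Ports: "):].split(", "):
                # Each spec is port/state/protocol/owner/service/rpcinfo/version/
                parts = spec.split("/")
                if len(parts) != 8:
                    continue
                entry["ports"][int(parts[0])] = (parts[1], parts[2], parts[4])
    return hosts


def review(hosts, authorized, always_flag):
    """Compare scan results with the sanctioned inventory; return (ip, finding) pairs."""
    findings = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        open_ports = {p for p, (state, _, _) in hosts[ip]["ports"].items() if state == "open"}
        if ip in authorized:
            expected = authorized[ip][1]
        else:
            expected = set()
            findings.append((ip, "not in inventory: investigate and remove if unauthorized"))
        for port in sorted(open_ports):
            if port in always_flag:
                findings.append((ip, f"{always_flag[port]} ({port}/tcp) open: block at the firewall unless required"))
            elif port not in expected:
                findings.append((ip, f"port {port}/tcp open but not expected for this device: block it"))
    return findings


def main():
    hosts = parse_gnmap(SAMPLE_GNMAP)
    for ip, finding in review(hosts, AUTHORIZED, ALWAYS_FLAG):
        label = AUTHORIZED.get(ip, ("unknown device",))[0]
        print(f"{ip:15} {label:22} {finding}")


if __name__ == "__main__":
    main()
```

Feed it the `.gnmap` file from your own scan and a real inventory instead of the constructed samples; the review step is the baseline comparison both chapters describe.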

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiir7rh9we87tt4j1rgv6.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiir7rh9we87tt4j1rgv6.PNG" alt="Image description" width="386" height="284"&gt;&lt;/a&gt;&lt;br&gt;
There are also several technology controls that will help keep shadow IT from becoming a serious problem in your organization. First is security monitoring. A security information and event management system, or SIEM, can track network activity and notify the IT or security team when an unauthorized system is added to the network, which may indicate shadow IT or another type of security incident. Next, consider ways to implement network access control, or NAC. This is a technical restriction that allows only authorized systems, such as those with enterprise-issued certificates, to join your network. With NAC in place, a user who tries to add a shadow IT system to the network wouldn't be able to connect. Finally, consider using a cloud access security broker, or CASB. A CASB sits between users and the cloud services they try to use. CASBs can enforce security controls on the use of software-as-a-service, or SaaS, applications, and they can also monitor your organization's network traffic to detect which cloud-based applications are in use. You can use that information to detect shadow IT SaaS applications. By implementing the fundamental and technology controls I covered in this video, you should significantly reduce your exposure to the threat of shadow IT.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 20; The Threat of Supply Chain Attacks And Third-Party Risks&lt;/strong&gt;&lt;br&gt;
All organizations have what is called an attack surface. This is the part of the organization that is exposed to any kind of threat. One of the biggest attack surfaces for most organizations is their supply chains and exposures to third parties. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi36i7bge7afeiczh6nbr.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi36i7bge7afeiczh6nbr.PNG" alt="Image description" width="687" height="220"&gt;&lt;/a&gt;&lt;br&gt;
This attack surface is also one of the most challenging to protect. In this video, I'll cover what supply chain and third party risks are and why they're part of the cybersecurity threat landscape. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe04n21kbn0sc34tn7coz.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe04n21kbn0sc34tn7coz.PNG" alt="Image description" width="661" height="245"&gt;&lt;/a&gt;&lt;br&gt;
Every organization has suppliers. They provide the resources that organization needs to function. These suppliers can be software-as-a-service or other technology providers that are critical to your business. And these suppliers have their own suppliers, and those suppliers have suppliers, and so on. If a direct or downstream supplier fails, that could have a negative impact on your organization. That's the idea of supply chain risk. Now let's think about the access your suppliers and other third parties might have to your systems and data. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2gxbk1ia4hc4eecz7nkr.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2gxbk1ia4hc4eecz7nkr.PNG" alt="Image description" width="676" height="241"&gt;&lt;/a&gt;&lt;br&gt;
If third parties like suppliers, contractors, and vendors need access to your systems to provide their services, that creates risk. For instance, if one of your vendors has access to your systems and the vendor gets hacked, the hackers can now attack your systems. This is what happened to a major retailer, leading to a security breach that cost an estimated $202 million. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flzqyssrfjsxync5whm7u.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flzqyssrfjsxync5whm7u.PNG" alt="Image description" width="686" height="229"&gt;&lt;/a&gt;&lt;br&gt;
On top of that, consider all the data your organization stores with third parties. Cloud-based software-as-a-service, or SaaS, applications like Dropbox, Salesforce, and Google Drive can store some of your organization's most critical data. And your organization may be storing its data with other third parties that aren't SaaS apps. If the right controls aren't in place, that data may be accessible to malicious actors outside or inside your organization. Finally, we have software supply chain risk. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl5fupyoy3l6qdnlxw4g4.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl5fupyoy3l6qdnlxw4g4.PNG" alt="Image description" width="670" height="248"&gt;&lt;/a&gt;&lt;br&gt;
Many organizations develop software for their own internal systems or to provide the services they offer. Instead of writing everything from scratch, developers often use free open source software. But open source software comes with potential problems: it can be hard to keep track of, especially if your organization develops a lot of software, and it can contain vulnerabilities or even malicious code. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fljiumv6sdlrifnjr41x7.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fljiumv6sdlrifnjr41x7.PNG" alt="Image description" width="698" height="274"&gt;&lt;/a&gt;&lt;br&gt;
For instance, an open source Java logging library called Log4j was used by software found on millions of servers around the world. Then a zero-day vulnerability was found in Log4j that allowed remote code execution attacks which could be used to compromise those servers. Every organization that developed its own software immediately needed to determine whether any of its software contained Log4j and, if it did, patch it. As you can see, supply chain and third-party risks can be highly complex and have serious consequences for your organization. That's why they're an important part of the cybersecurity threat landscape.&lt;/p&gt;
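&lt;p&gt;Answering the question this chapter poses, "does any of our software contain Log4j, and which version?", as an added example that is not part of the original guide: it walks a constructed CycloneDX-style SBOM so that a library pulled in only through another library is still found. The component names, versions and the FIXED_IN threshold are illustrative assumptions, not values from the guide or from any advisory.&lt;/p&gt;

```python
"""Find which of your applications contain a vulnerable library, even transitively.

Added example, not code from the original guide.  It reads a CycloneDX-style
SBOM (JSON) and walks the dependency graph from each application, so a library
that is only pulled in by another library is still reported together with the
path that brought it in.  That is the "hard to keep track of" problem the guide
describes for open source components such as Log4j.
"""
import json
import operator

# Assumption for illustration: the first fixed version of the library.  Take the
# real threshold from the project's or vendor's advisory for the issue you check.
FIXED_IN = "2.17.1"

# Constructed CycloneDX 1.4-style SBOM with two applications; versions are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "app:billing", "type": "application", "name": "billing", "version": "3.2.0"},
        {"bom-ref": "app:portal", "type": "application", "name": "portal", "version": "1.8.5"},
        {"bom-ref": "pkg:maven/org.example/reporting@5.1.0", "type": "library",
         "group": "org.example", "name": "reporting", "version": "5.1.0"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "type": "library",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1", "type": "library",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    ],
    "dependencies": [
        {"ref": "app:billing", "dependsOn": ["pkg:maven/org.example/reporting@5.1.0"]},
        {"ref": "pkg:maven/org.example/reporting@5.1.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "app:portal", "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"]},
    ],
})


def parse_version(text):
    """'2.14.1' to (2, 14, 1, 0); a pre-release such as '2.0-beta9' sorts below '2.0'."""
    main_part, _, prerelease = text.partition("-")
    parts = tuple(int(p) for p in main_part.split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts + ((-1,) if prerelease else (0,))


def is_older(found, fixed_in):
    """True when the version found predates the first fixed version."""
    return operator.lt(parse_version(found), parse_version(fixed_in))


def find_exposures(sbom_text, group, name, fixed_in):
    """Return (application, library version, dependency path) for each exposed app."""
    sbom = json.loads(sbom_text)
    components = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    exposures = []
    for app_ref, app in components.items():
        if app["type"] != "application":
            continue
        seen = set()
        stack = [(app_ref, [app["name"]])]  # depth-first walk carrying the path of names
        while stack:
            ref, path = stack.pop()
            if ref in seen:
                continue  # diamond dependencies: visit each component once per app
            seen.add(ref)
            comp = components.get(ref, {})
            if comp.get("group") == group and comp.get("name") == name:
                if is_older(comp["version"], fixed_in):
                    exposures.append((app["name"], comp["version"], path))
                continue
            for child in edges.get(ref, []):
                stack.append((child, path + [components.get(child, {}).get("name", child)]))
    return exposures


def main():
    hits = find_exposures(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core", FIXED_IN)
    for app, version, path in hits:
        print(f"{app}: log4j-core {version} via {' / '.join(path)}")


if __name__ == "__main__":
    main()
```

With the constructed data only billing is reported, because it reaches log4j-core 2.14.1 through the reporting library, while portal's direct 2.17.1 dependency passes the threshold.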

&lt;p&gt;&lt;strong&gt;Chapter 21; Stay up to Date on Cybersecurity&lt;/strong&gt;&lt;br&gt;
In this guide I have described some of the most common cybersecurity threats you're likely to encounter. To best protect against them, your next step after watching these videos would be to figure out which of these threats apply to your organization. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6b6hp7z2p6w0x90fio8.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6b6hp7z2p6w0x90fio8.PNG" alt="Image description" width="431" height="200"&gt;&lt;/a&gt;&lt;br&gt;
Then find out if the security controls for those threats are in place and apply any that are missing. By following the recommendations in these videos, you'll definitely reduce your exposure to these threats. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn2qglxyrn26ngbd831f4.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn2qglxyrn26ngbd831f4.PNG" alt="Image description" width="685" height="244"&gt;&lt;/a&gt;&lt;br&gt;
But the challenge is that cybersecurity threats keep evolving to overcome even the best defenses. Just because you're secure today doesn't mean new threats won't be a problem tomorrow. So how do you keep up? Let's look at three actions you can take to keep ahead of cybersecurity threats. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F34u53sa3vaigo2ersrmk.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F34u53sa3vaigo2ersrmk.PNG" alt="Image description" width="425" height="226"&gt;&lt;/a&gt;&lt;br&gt;
First, stay up to date with changes in the cybersecurity threat landscape. I recommend subscribing to security newsletters like SANS NewsBites and Bruce Schneier's Crypto-Gram. There are a lot of weekly security podcasts that cover current cybersecurity threats, like Security Weekly News and Defense in Depth. There are also plenty of cybersecurity magazines with articles about the latest threats, like Infosecurity Magazine and Cyber Defense Magazine. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy3b40ycn1y3xsgsxxfpc.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy3b40ycn1y3xsgsxxfpc.PNG" alt="Image description" width="358" height="272"&gt;&lt;/a&gt;&lt;br&gt;
Second, to get a more in-depth look at cybersecurity threats, attend security conferences and seminars. Presentation topics will often explore current threats in detail. Conferences and seminars are also good ways to connect with security professionals who have firsthand knowledge of the latest cybersecurity threats and how they've dealt with them. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2myucqxunom3xw77002f.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2myucqxunom3xw77002f.PNG" alt="Image description" width="393" height="254"&gt;&lt;/a&gt;&lt;br&gt;
Third, hire security professionals who specialize in cybersecurity threat simulation and management. These include companies and consultants who conduct penetration tests, threat modeling, and DDoS simulations. I hope you use the knowledge you gain from this guide to protect you and your organization from current and future cybersecurity threats.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Cybersecurity Awareness; Cybersecurity Terminology</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Sat, 30 Nov 2024 22:10:22 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/cybersecurity-awareness-cybersecurity-terminology-ii5</link>
      <guid>https://dev.to/romanus_onyekwere/cybersecurity-awareness-cybersecurity-terminology-ii5</guid>
      <description>&lt;p&gt;&lt;strong&gt;Table of Contents&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Chapter 1; Introduction To Cybersecurity Terminology&lt;br&gt;
Chapter 2; What is Cybersecurity&lt;br&gt;
Chapter 3; People, Process, and Technology&lt;br&gt;
Chapter 4; Security Awareness and Leadership&lt;br&gt;
Chapter 5; Red vs. Blue vs. Purple Teams&lt;br&gt;
Chapter 6; Who Are The Adversaries?&lt;br&gt;
Chapter 7; Understanding Privacy&lt;br&gt;
Chapter 8; Understanding Processes And Documentation&lt;br&gt;
Chapter 9; Technical Controls&lt;br&gt;
Chapter 10; Secure Practices, Terms, And Exercises&lt;br&gt;
Chapter 11; Network controls&lt;br&gt;
Chapter 12; Advancements in Technology&lt;br&gt;
Chapter 13; Threat Actors And Definitions&lt;br&gt;
Chapter 14; Technical Risks&lt;br&gt;
Chapter 15; Threats That Target The Human Element&lt;br&gt;
Chapter 16; Apply Cybersecurity Terminology&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 1; Introduction To Cybersecurity Terminology&lt;/strong&gt;&lt;br&gt;
In this guide, I will cover a number of terms, definitions and acronyms, or as some may even say, buzzwords that are commonly heard when cybersecurity is being discussed. &lt;/p&gt;

&lt;p&gt;The intent of this is to give high-level definitions that are easy to understand, as so many of these concepts can be rather technical in nature or hard to digest without relatable context. &lt;/p&gt;

&lt;p&gt;And while there is a vast number of definitions I could cover, it's not feasible to cover them all here. So I chose some of the more common terms one may hear or encounter at work or in their day-to-day life.&lt;/p&gt;

&lt;p&gt;One task that aligns with security culture and awareness is being able to relay information in layman's terms to generally non-technical audiences. And I will do just that. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 2; What is Cybersecurity?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Cybersecurity may be called a number of things including Information Security, Computer Security and even just Cyber InfoSec among some others not mentioned. According to Digital Guardian, cybersecurity refers to the body of technologies, processes, and practices, designed to protect networks, devices, programs, and data from attack, damage or unauthorized access. As the use of technology and data continues to grow exponentially, so does the need for protecting the technology and the data. That is where cybersecurity comes in. &lt;/p&gt;

&lt;p&gt;Cybersecurity doesn't just apply at work though, it also applies in your personal life, on your personally owned devices such as computers, cell phones, and even other IoT devices that are being brought into your home. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff0j0l2vgrc6wcoz6pa52.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff0j0l2vgrc6wcoz6pa52.PNG" alt="Image description" width="603" height="206"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As technology continues to advance, so to do the associated risks. Multiple layers of defense and continuous awareness and training around these risks are imperative in order to create safety and security on networks and devices. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkvsnpcb6u5fsdrehdvwm.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkvsnpcb6u5fsdrehdvwm.PNG" alt="Image description" width="586" height="250"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I will cover a number of technologies leveraged in cyber to protect people, data, and organizations. Additionally, I will look at some of the positions within cybersecurity teams, and even to find some of the threat actors that are looking to infiltrate our data and use it for malicious purposes. I will also break down some of the policies, processes, guidelines, and frameworks that are put into place to create a better understanding of what needs to be done in order to keep data, information, and assets secure in the first place. &lt;/p&gt;

&lt;p&gt;In this guide, I have aligned the terminology I will define similarly to the definition provided at the beginning. I broke it down into three segments, people, processes, and technology, which is often coined as the three pillars of cybersecurity. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2tyexpo9cl9ujy78mod9.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2tyexpo9cl9ujy78mod9.PNG" alt="Image description" width="583" height="209"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As the saying goes, you don't know what you don't know. However, this guide will help change all of that. Whether you are in security, IT, HR, finance, or anywhere else, understanding some of the basic terminology within the cybersecurity field will allow you to take a huge step forward in playing your part in helping to secure your organization. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fra15tg01u48oudidfubd.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fra15tg01u48oudidfubd.PNG" alt="Image description" width="627" height="213"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 3; People, Process, and Technology&lt;/strong&gt;&lt;br&gt;
First is the people. The people pillar includes a number of elements, from the way the teams are structured to the way the companies protect the human element and even who the adversaries are that you must protect against. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6b8x3qq7q7o42odh91bx.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6b8x3qq7q7o42odh91bx.PNG" alt="Image description" width="372" height="248"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next is the process. When people hear processes, they tend to assume documentation. And while that is right, there is a lot more that goes into the process pillar in security, including, but not limited to, specific technical controls to protect the company, its assets, and its people. And finally, we will cover technology. &lt;br&gt;
Technology is the most well-known pillar within cybersecurity, which isn't surprising, as cybersecurity needs technology as much as technology needs cybersecurity. Within this pillar, we will cover security best practices and controls, as well as define some of the more recent technological advancements. &lt;/p&gt;

&lt;p&gt;Though most of the definitions were able to fit within the scope of the three pillars, there was still a large area that we had to define outside of people, process, and technology. That is the threat actors and their methods of executing attacks. As attacks continue to grow, so does the need for cyber security in all its forms, including people, process, and technology.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7su1d5ky18o7o8uggpjk.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7su1d5ky18o7o8uggpjk.PNG" alt="Image description" width="569" height="247"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 4; Security Awareness and Leadership&lt;/strong&gt;&lt;br&gt;
As technology continues to advance and processes and requirements continually change, one thing remains constant, and that is the people. While advancements in technology have taken some of the human aspect out of the equation, there is one that will never be able to be replaced, and that is the end user. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1q01yhdkh5sanrpx96m6.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1q01yhdkh5sanrpx96m6.PNG" alt="Image description" width="383" height="238"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The term user is used often in security and is defined as a person or group of people that operate within your business environment, including but not limited to operating computers, systems, applications, networks, and more. This term is typically used to describe employees in a more technical sense, and is often associated with a username, login name, or screen name. Let's take a look at the leadership. Usually, though not always, within a security organization there will be a CISO or CSO that leads the security team. The difference between a CISO and a CSO is that CISO stands for chief information security officer, and means that the team consists of just logical and technological security positions and areas of focus, whereas CSO stands for chief security officer, and usually means that this group is all-encompassing of security, including both logical and physical security within the respective groups. Many times under the CISO or CSO security umbrella is a dedicated area to protect the human element. Typically, this falls under the name of security awareness, though it may be named a few other things, such as security training, security education, security culture, and even human risk officer. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffv0yhpme7j3qe7436x6y.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffv0yhpme7j3qe7436x6y.PNG" alt="Image description" width="426" height="246"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Security awareness is a person, group, or team that focuses on awareness, training, communications, and education for the employees of the organization. Their goal within the program is to help make the employees more knowledgeable of the risks that both they and their organization face, as well as what to do if they are faced with those risks. Their end goal is to create a more security-minded environment and risk-averse culture. While a security awareness person, team, or group is essential to any successful security program, this team can't be everywhere to train everyone. One approach to help expand their awareness efforts is to create a network of extensions of the security team, often called security champions. Other terms used interchangeably include security ambassadors, partners, or liaisons. A security champion is someone in a company that volunteers their time to help create a more secure environment, as well as helps develop a two-way pipeline between security and other groups, regions, and organizations within a company. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3quuw7kgobdz6jc6ovjq.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3quuw7kgobdz6jc6ovjq.PNG" alt="Image description" width="696" height="227"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;While there are many positions, teams, and individuals we didn't list that make up the people side of security, the three we did cover all can work together in a business or organization to accomplish one goal, securing the company and its assets and data.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 5; Red vs. Blue vs. Purple Teams&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;What makes up a security team, and how are the people categorized? Oftentimes there is a red team, a blue team, and sometimes even a purple team. Let's take a deeper dive into the makeup of a security team and how they may be categorized. Typically, one will hear red team versus blue team when threat exercises are being conducted within their organization or their environment. Let's break down exactly what red and blue teams look like, as well as what a newer group, labeled the purple team, means. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1js1zhrg7rw5i3lk8ff7.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1js1zhrg7rw5i3lk8ff7.PNG" alt="Image description" width="572" height="252"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the simplest of terms, a red team is the group that attacks. Usually, this is done via a third-party penetration test, via social engineering, or even via vulnerability scanning. This is conducted without the blue team being aware that the test is even occurring. The purpose of the red team is to find vulnerabilities in areas that are susceptible to attack, should a real one occur. The findings from such tests are then leveraged to harden the environment, along with improving any existing policies and technologies, to create a higher level of security within the organization. Since the red team's job is to attack, the duty of the blue team is to defend. The blue team understands the company's network, tools, and policies, and works to ensure they all work together to protect the company and its assets. The blue team constantly monitors for abnormalities, and if and when they are detected, works to mitigate the presented issues. The blue team also focuses on the human element of security by conducting social engineering simulations to test users. &lt;/p&gt;

&lt;p&gt;Many people have heard the term red versus blue team, but did you know there's a newer definition of a purple team? While the red team attacks and the blue team defends, the purple team is a combination of both red and blue coming together to work as one team. The red team needs to disclose their methods of infiltrating a network or company to the blue team so they can be better prepared for potential future attacks, and the blue team can divulge how they defended against any vulnerabilities they discovered. This is a true lessons-learned exercise that aligns practices from both sides to share their findings, and in turn strengthens the security of the team and its security tactics.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 6; Who Are The Adversaries?&lt;/strong&gt;&lt;br&gt;
The word criminal is a familiar term which means someone participating in nefarious behavior. Align that with cybersecurity and what we get is a cybercriminal: an individual that conducts this malicious behavior via computers, networks, and even the internet. There is a high likelihood that you have heard the term hacker used most frequently when describing the bad guy. However, that term has many meanings beyond just the negative connotation so often associated with it. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo1j5l0tjfe1xlchk79vh.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo1j5l0tjfe1xlchk79vh.PNG" alt="Image description" width="593" height="237"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;What you may not know is that there is a variety of different hackers, including black hat, white hat, and gray hat hackers. Let's start with the good guys, the white hat hackers. These are the people that look for vulnerabilities and exploit them for the purpose of reporting them to be fixed. Therefore, what they do, while it may seem questionable, is actually done with good intent. You may hear white hat hackers referred to as ethical hackers. They are often employed by an organization to find its exploitable areas before the bad guys do. The opposite of white is black and the opposite of ethical is unethical, and this is exactly how a black hat hacker would be described in the simplest of terms. Black hat hackers find vulnerabilities for their own gain, whether it be money, fame, notoriety, or something else. They illegally go around security controls to find vulnerabilities and exploit them before a company can discover what has been done. These are the cybercriminals companies are working to protect themselves against. Now think of a Venn diagram where one circle is black, the other is white, and the middle, where they overlap, is gray. This is a good visual demonstration of what a gray hat hacker is: they are somewhere in between white and black. They may hack into networks to find vulnerabilities without permission, which is technically illegal. But then, instead of leveraging what they found for their own personal gain, they report it to the company to help them out in the end, which is a gray area, hence the name. So the next time you hear the word hacker, remember that it doesn't always have the negative connotation that is typically tied to it. As we defined here, there are hackers that are good, bad, and everything in between.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 7; Understanding Privacy&lt;/strong&gt;&lt;br&gt;
Another aspect of the human element of security is privacy and understanding how to protect your own information. Privacy in the purest sense means freedom from or protection of something. But how does that apply in terms of cybersecurity? Privacy, as related to cybersecurity, is the protection of your information. The main questions around privacy are usually: What information of mine is being collected and stored? How is my data being used? And who has access to my data and can share it? &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr58rw7powb2cg5kj13tk.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr58rw7powb2cg5kj13tk.PNG" alt="Image description" width="545" height="232"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Personally identifiable information, or PII, is information that is directly related to an individual and may be used to identify them. This can be broken down into two areas: sensitive and non-sensitive PII. The best way to describe non-sensitive PII would be to think of it as information that is easily searchable or accessible to anyone, should someone go looking. A simple internet search could provide such information on an individual. This includes but is not limited to your name, your birthday, and even your gender. While this information is not worrisome if anonymized and accessed independently, it can be used to link other information and tie it back to an individual, and that is where it becomes an issue of privacy.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffqhafn2do1i4dubl988i.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffqhafn2do1i4dubl988i.PNG" alt="Image description" width="419" height="253"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Whereas non-sensitive PII is easily accessible information, sensitive PII is information that should not be searchable or easily accessed. Someone should not simply be able to search for this information online and easily find it. For example, you probably don't want your personal medical information easily accessible to the public, so that is sensitive information. This breaks down into a number of categories that include but are not limited to Social Security numbers, passport and driver's license information, and even credit card and medical information. Many new laws and regulations have been implemented to help keep companies accountable for protecting this information. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0huqzxzjzgogzdqyuvgv.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0huqzxzjzgogzdqyuvgv.PNG" alt="Image description" width="396" height="255"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There is a certain expectation of companies to protect our information on our behalf. However, even with regulations and laws in place, it is imperative that individuals take their own privacy and PII, both sensitive and non-sensitive, and hold it in high regard to help add an extra layer of protection against information loss and exposure. You can do this by thinking before you share information, questioning why information requested is needed, removing any social media content that is no longer necessary, and updating your privacy settings, as well as searching your name regularly, and where you can, opting out or removing your information to make it private.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 8; Understanding Processes And Documentation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you are in a high-stakes situation, you're going to want to know exactly what to do and have somewhat of a playbook to follow, right? That's the kind of thing that makes processes and documentation so important, in addition to all the lower-stakes situations you may encounter where you need to leverage this information as well. A process is a defined set of actions taken to reach a defined end goal. In security, having the right processes in place ensures that people know what actions need to be taken in order to achieve the same set of results, like securing the company and its assets. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4yx1xis3axlg2yr73jmb.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4yx1xis3axlg2yr73jmb.PNG" alt="Image description" width="499" height="253"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;CIA stands for confidentiality, integrity, and availability and is a well-known model within cybersecurity. Confidentiality is the work done to keep data secure within the company environment. Integrity equates to trust, which means the data is reliable and verified. And finally, availability means that the data is available to authenticated users as needed. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Femaotpdaz1eo1woev8ro.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Femaotpdaz1eo1woev8ro.PNG" alt="Image description" width="564" height="222"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Another well-known area of process is policy. It is often hard for people to distinguish when a policy is needed versus a procedure, standard, or guideline. For example, policies are usually broad and general and don't need updating nearly as often, whereas procedures are more detailed, step-by-step instructions that may need more frequent updating as requirements change. A policy is defined as a formal statement that needs to be followed by a defined audience. This is usually high level and doesn't go into the weeds with details. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzopid4gaa0atwgh35uit.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzopid4gaa0atwgh35uit.PNG" alt="Image description" width="398" height="247"&gt;&lt;/a&gt;&lt;br&gt;
A procedure on the other hand is a detailed document with step-by-step instructions on how to comply with the related policy. Typically, a policy is written first to define the statement and the procedure follows with much more description on the rules to follow to achieve the statement within the policy. Standards also accompany a policy and may be related to an industry standard or an internal company defined technology standard. A policy will determine whether the standard is mandatory or voluntary as well as which groups need to follow the standard. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhrbf5h9olta8lqfltk34.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhrbf5h9olta8lqfltk34.PNG" alt="Image description" width="388" height="248"&gt;&lt;/a&gt;&lt;br&gt;
A guideline sets itself apart in that it provides general guidance related to the policies, procedures and standards. It is often more generalized and spelled out in more layman's terms to assist various audiences that the policy may not specifically apply to, but may need knowledge of. While a company will develop their own internal policies, procedures, standards, and guidelines, there are also state and federally mandated cyber security controls and frameworks. These frameworks provide detailed instructions for how to maintain a secure environment and many companies, even if not mandated, will strive to align their requirements with various industry controls and frameworks as best practice. Some of the most well known are GDPR, HIPAA and PCI. After the documentation is in place, you will need to test implementation to verify everything is being followed properly. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fffv5ezllk4z67zzacjog.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fffv5ezllk4z67zzacjog.PNG" alt="Image description" width="614" height="187"&gt;&lt;/a&gt;&lt;br&gt;
This is called a security audit. It can be managed internally or externally. This audit is a deep dive into the documentation to confirm that the organization is adhering to the requirements they have established regarding policies, procedures, standards, and guidelines.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 9; Technical Controls&lt;/strong&gt;&lt;br&gt;
Have you turned on the news lately only to hear of the latest company that has experienced a breach? To prevent these types of incidents, cybersecurity teams implement controls within their environment so they don't become the next company that you read about in the news. Let's take a deeper look into some of the controls that may be included within the policies, procedures, standards, and guidelines. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F04tuzapb6gkun7dwilaw.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F04tuzapb6gkun7dwilaw.PNG" alt="Image description" width="523" height="230"&gt;&lt;/a&gt;&lt;br&gt;
Access control can be described as deciding who you give permission to operate within your environment. When you think of access control from a physical security perspective, you may think of employees with badges that permit certain people access to the building. And then once inside, the individual may even be prohibited access to certain areas within. This is the same for logical access control. Users are given rights to your network and applications and may be restricted to certain areas. One way to define such access is through an administrative account, which allows for elevated or privileged access. Elevated access should only be assigned on a need-to-have basis, which leads us to least privilege. Least privilege is when users are given only the minimum access needed in order to complete their required job functions. This is imperative to ensure that people don't end up accessing areas of the network or data that they shouldn't be able to access and misusing that data, whether out of negligence or even maliciously. Just as you wouldn't want someone to physically access your data center, you also don't want someone to access your data on your network. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3c6r0eobsxhr8ejl0iuk.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3c6r0eobsxhr8ejl0iuk.PNG" alt="Image description" width="653" height="234"&gt;&lt;/a&gt;&lt;br&gt;
So how do you determine what access you have to the network? First, you need to authenticate. Authentication is how you verify who a user is and what they should have access to. As with physical security being tied to what access you have within a building, your logical access is usually tied to a username. Beyond the username, a user must also know the password, and may also need to satisfy any multi-factor authentication requirements that are in place. A password is a set of letters, numbers, characters, or a phrase that only you should know and that will allow you access to a system when paired with the associated username. Multi-factor authentication, or MFA, also called two-factor authentication, is an extra layer of security beyond just a username and password. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6x8v8vu2l0omktnejnno.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6x8v8vu2l0omktnejnno.png" alt="Image description" width="800" height="449"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;MFA can be verified based on something only you know, something you have, or something you are. An example of something you know would be an answer to a security question, such as your favorite restaurant or your mother's maiden name. Something you have would be something such as a security token or a badge. And something you are could be your fingerprint, retina, or face. While there are other ways to utilize MFA, these three are the most common.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 10; Secure Practices, Terms, And Exercises&lt;/strong&gt;&lt;br&gt;
Technology is often the most talked about and most considered side of security. Let's walk through a few definitions of terms often used when describing how to secure environments. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk6ml75o15s2eps1u434m.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk6ml75o15s2eps1u434m.png" alt="Image description" width="553" height="247"&gt;&lt;/a&gt;&lt;br&gt;
First up is encryption. Think of encryption as a secret code that one needs to decipher in order to understand the true meaning or gain access. More specific to security, what is encoded is data, such as passwords, messages, and even payment information. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F55suy6cpqqrr53lfft9d.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F55suy6cpqqrr53lfft9d.PNG" alt="Image description" width="402" height="234"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A good visual for this is to think of encryption like a decoder ring toy. You have a message that you want to get to your friend that you don't want anyone without the decoder ring to understand, so it becomes a secret message. This is the same with encryption, in that once encrypted, only the right people with the right technologies can decrypt the content. Most companies will require encryption of secret or confidential files, especially if they are being shared outside of the company. However, not everything is encrypted by default. If something is not encrypted, it is known in the industry as cleartext. Often you'll hear cleartext when someone is referring to the finding or storing of passwords. To refer to the previous decoder ring example, this would be like sharing a secret message but forgetting to put it in secret code. So anyone that finds your message would be able to read it and use the information. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4orzvsd5kl9wmiohenq9.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4orzvsd5kl9wmiohenq9.PNG" alt="Image description" width="399" height="254"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Computer or digital forensics is when a person or team is tasked with uncovering information on a system or network, usually for the purpose of a court case or investigation. Computer forensics can be thought of almost as detectives looking into evidence in a case. Just as detectives in a real case would look through physical evidence, computer forensics is tasked with looking through digital evidence. These teams often deploy a lot of tools to recover data or pull it as needed. Some of these tools may even include decryption techniques if the data needed has been encrypted. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxto4fqaqc1rpsox8rpc6.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxto4fqaqc1rpsox8rpc6.PNG" alt="Image description" width="402" height="251"&gt;&lt;/a&gt;&lt;br&gt;
Next up is penetration testing. A good way to think of this is similar to how car manufacturers intentionally crash their cars with dummies inside in order to find any issues or flaws so they can build their cars to be safer. In cybersecurity, penetration tests are done on a network to find flaws or vulnerabilities in a controlled environment before cybercriminals find them and exploit them. Findings from such tests allow networks and environments to be hardened in order to create more security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 11; Network controls&lt;/strong&gt;&lt;br&gt;
When you think of your own personal network of people, it is typically people with a common interest that you communicate with in order to help you complete tasks or gain something from, and vice versa. When you use a computer, such as in a work environment, you are communicating and sharing information via your company's network. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwg9rl7zhgqhni1cbxylo.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwg9rl7zhgqhni1cbxylo.PNG" alt="Image description" width="400" height="258"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A network is a set of computers that leverage the same set of resources and are able to communicate due to a set of common technologies. A virtual private network, or VPN, is almost like a tunnel you can turn on and off when connected to a public network. This tunnel, when turned on, serves as a way to encrypt data being transmitted, which in turn is an extra layer of security when utilizing public Wi-Fi. Your company may require use of a VPN in order to access certain information within your company environment. When you consider the physical security of a company building, one layer of security that may be in place is a security guard. This guard is there to monitor people coming into and out of a building and verify they have the correct permissions to be there, usually by looking at their badge credentials. A firewall serves a similar purpose by digital means, monitoring both incoming and outgoing traffic on a network and not permitting access if access is not authorized. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frpiq8uabpxdewzebelkb.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frpiq8uabpxdewzebelkb.PNG" alt="Image description" width="229" height="254"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Just like criminals can find ways around physical security controls, cybercriminals have been known to exploit firewalls in order to gain access into the network as well. Utilizing VPNs and firewalls is one way to protect yourself and your data, but there are a number of others. While we can't cover them all, we will define a few. Next up is antivirus. One can think of antivirus as similar to when someone goes to the doctor, either because they are not feeling well or just for a wellness checkup to ensure everything is in order. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp1blgssrnhp2fp9chtn6.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp1blgssrnhp2fp9chtn6.PNG" alt="Image description" width="624" height="192"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The doctor will examine and check your body and, if something is found, notify you and perhaps make recommendations to help fix the issue. Antivirus is similar, in that it is placed on a device with the purpose of scanning the device, either automatically or on demand, for malware and viruses, notifying the user of what has been found, and sometimes even giving advice on how to remedy the issues that were discovered. When it comes to securing a network and/or devices, there is no one-size-fits-all solution, and the number of tools and technologies out there is innumerable. We only covered a minuscule amount of what can be done to create a secure environment, so I encourage you to continue to research additional methods for protecting yourself and your information.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 12; Advancements in Technology&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;So often it is said, "Save that to the cloud," or "That is in the cloud," but what does "in the cloud" really mean? According to Microsoft, cloud computing is the "delivery of computing services, including servers, storage, databases, networking, software, analytics, and intelligence over the internet to offer faster innovation, flexible resources, and economies of scale."&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flbx2498fmlqdqvz7q9d1.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flbx2498fmlqdqvz7q9d1.PNG" alt="Image description" width="576" height="199"&gt;&lt;/a&gt;&lt;br&gt;
Next is Artificial Intelligence, or AI. As humans, we are able to think and make intelligent decisions; it is human nature to be able to do so. AI is when computers, robots, and machines have the ability to make decisions in a humanlike way, because they have been designed to mimic human thought processes. These technologies are programmed to align with human intelligence, but taking it further is complicated. As Inc put it, "While AI can learn the 'how' to just about anything better than a human, it does not have the curiosity to ask 'why.'" That is the true differentiator between human and artificial intelligence. Closely related to AI is machine learning. Just as humans can learn and develop new skills, so can machines. Machine learning is a part of AI, and it leverages data to develop, learn, and grow over time. Just as students go to school to learn based on the curriculum they are given, machines are taught based on very specific information they are given. According to IBM, "Machine learning is a branch of artificial intelligence and computer science which focuses on the use of data and algorithms to imitate the way humans learn, gradually improving its accuracy."&lt;/p&gt;

&lt;p&gt;As defined by Investopedia, "A cryptocurrency is a digital or virtual currency that is secured by cryptography, which makes it nearly impossible to counterfeit or double-spend." A defining feature of cryptocurrencies is that they are generally not issued by any central authority, rendering them theoretically immune to government interference or manipulation. There are many types of cryptocurrency, with new ones being added, including Bitcoin, Ethereum, and Litecoin. While cryptocurrency continues to grow, it is also an area of contention and has not been as widely adopted as some may have anticipated.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 13; Threat Actors And Definitions&lt;/strong&gt;&lt;br&gt;
In the previous chapter we covered what a hacker is, including the various types, and now we are going to go more in depth on various threat actors and what they mean. Let's start by defining what a cyber criminal is. Cyber criminals are not much different from the run-of-the-mill criminals you see in the movies or on TV, except for their method of committing the crime.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fddwd1mqnfxjt1s9tclnf.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fddwd1mqnfxjt1s9tclnf.PNG" alt="Image description" width="672" height="213"&gt;&lt;/a&gt;&lt;br&gt;
Cyber criminals still commit crimes; they just do it via digital means such as computers, mobile devices and the internet. They may steal personal and/or company data as a way to turn a profit, or even to exploit individuals or companies. Cyber criminals are not who you want to welcome into your networks or devices, though they are very good at finding and forcing their way in. You can't turn on the news nowadays without hearing of the latest data breach caused by these individuals or groups. A data breach, as defined by Trend Micro, is an incident where information is stolen or taken from a system without the knowledge or authorization of the system's owner. A small company or a large organization may suffer a data breach. Stolen data may involve sensitive, proprietary or confidential information, such as credit card numbers, customer data, trade secrets, or even matters of national security. So just how do these cyber criminals get into a network and breach data? Unfortunately, there are a number of ways, but the one we will define here is the exploit.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw90by06ws7286q37qras.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw90by06ws7286q37qras.PNG" alt="Image description" width="389" height="226"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;An exploit is when a cyber criminal has discovered a digital flaw or vulnerability and is able to leverage it to gain unwanted access to networks, systems, software, and more. Think of it like a criminal going door to door until they find a broken lock or an open window that lets them go inside and take what they want. While cyber criminals usually don't reside within the company, there are other threats to consider that do. The term for this is insider threat, which is when someone within the company or organization has access to private or confidential information and shares it with threat actors, either willingly or unwillingly. It can be unwilling when the insider accidentally divulges information, or access to information, without even realizing it. Accidental data leakage can be reduced through various processes, technologies and even training. The other side of insider threat is when it is conducted willingly and with intention.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5xh55ud3mh0yu53b1y3v.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5xh55ud3mh0yu53b1y3v.PNG" alt="Image description" width="375" height="244"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There are various things that may motivate someone to turn on a company or organization in such a way that they would share secret or confidential information, including but not limited to personal injustices related to pay, performance or even leadership. There are even instances where individuals may be approached and incentivized to divulge this information by someone outside of the organization who could use it for personal gain. Similar to the concept of a mole, an insider threat can wreak havoc on your company environment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 14; Technical Risks&lt;/strong&gt;&lt;br&gt;
You now know who the threat actors are, but do you know some of the tactics that they leverage? While companies are always implementing controls to protect against the bad guys, the bad guys are always trying to stay one step ahead. Let's dive a bit more into some of the methods cyber criminals use to gain unwarranted access. First up is the advanced persistent threat, also known as APT. According to Kaspersky, an APT uses continuous, clandestine and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences. They are stealthy and may access a network and lie dormant for a while before they strike, or they may remain in a network for months or even years, siphoning information undetected.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F06v2n0dlzfu8xxwy7kbz.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F06v2n0dlzfu8xxwy7kbz.PNG" alt="Image description" width="383" height="241"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Think of it as if your home had termites. You would assume your home was built to be safe from that risk, and once they were in, you likely wouldn't know until it was too late and the damage was done. A botnet is a group of computers or other internet-connected devices being controlled in unison to perform malicious acts.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuxcjzq3k549q3m8omtll.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuxcjzq3k549q3m8omtll.PNG" alt="Image description" width="377" height="250"&gt;&lt;/a&gt;&lt;br&gt;
Botnets have also been likened to zombies: once the devices are infected, they no longer have a mind of their own but instead are manipulated to perform specific tasks against others. Once controlled, they may propagate viruses and malware and even conduct DDoS attacks against others, oftentimes without the knowledge of the device's owner. So what are these DDoS attacks that a botnet can perform? DDoS, also known as distributed denial of service, is when a threat actor intentionally floods a server beyond its capacity to the point that it essentially breaks and/or others can't access the site or service. It is similar to when too many people try to call the same phone number at the same time, so they keep getting a busy signal and can't get through; the differentiator in this attack scenario is that it is done with malicious intent. Malware is a term formed by combining two words: malicious software. Malware is software that is designed specifically with the intent of performing malicious tasks and wreaking havoc on computer systems by gaining unwarranted access, disrupting service, and even purposefully causing damage via viruses, Trojans, and more.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk7hfyglrn3tgx72drfjx.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk7hfyglrn3tgx72drfjx.PNG" alt="Image description" width="321" height="254"&gt;&lt;/a&gt;&lt;br&gt;
A virus is a very specific type of malware that can self-replicate and spread. A computer virus is similar to a virus in people that can make them sick: the more things it comes in contact with that don't have the proper protection in place, the more it will propagate and infect, though the damage may differ. Though a virus is just one of many forms of malware, it is often the one we hear about the most, because it is the most common.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 15; Threats That Target The Human Element&lt;/strong&gt;&lt;br&gt;
What about the human side of security? The human element is often the most exploited, but why and how do cyber criminals do it? The first and most commonly leveraged method of attacking the human element is social engineering.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkumqt4bngowzhl6llukj.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkumqt4bngowzhl6llukj.PNG" alt="Image description" width="525" height="253"&gt;&lt;/a&gt;&lt;br&gt;
The best way to describe social engineering is to think of a puppet master pulling the strings on a puppet to get the puppet to do exactly what they want, when they want. Social engineering is the same, in that an attacker plays the role of the puppeteer, trying to manipulate the people who play the role of the puppet into divulging information or giving access to things that shouldn't be shared, all for malicious purposes. This can be conducted in a number of ways, but we will cover some of the most common. Next we have phishing.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxv2kq2rlk8bfhya4x7xm.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxv2kq2rlk8bfhya4x7xm.PNG" alt="Image description" width="374" height="252"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Phishing is when an email is sent with malicious intent but with the appearance of coming from a legitimate person or company, which is not the case. Phishing is named so because, as with sport fishing, a malicious actor throws out a line, hoping that someone takes the bait by replying to the email, clicking on a link or opening an attachment. Vishing, while similar in nature to phishing, is conducted over the phone instead of via email. A threat actor may contact you by phone and solicit personal or confidential company information with ill-natured intent. These attackers may pose as legitimate businesses or government organizations, or may even play on your human instinct to want to help.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft5o36bjviq36qdy2umlk.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft5o36bjviq36qdy2umlk.PNG" alt="Image description" width="387" height="251"&gt;&lt;/a&gt;&lt;br&gt;
Smishing is SMS, or text message, phishing. Have you ever received a strange text on your phone asking you to click a link to something you weren't expecting? That may have been a real-life example of smishing. Smishing may include a link to a malicious site or may request personal information that you wouldn't typically divulge via text. It is always important to be wary of all of these "-ishing" attacks and to stay up to date on cyber criminals' tactics. Spoofing is one mechanism that the bad guys may leverage in these types of attacks. Spoofing is where they make an email, call, or even text message appear as though it is coming from a trusted name, number, and/or source. They do this spoofing, or impersonating, with the help of technology to look like trusted people or organizations, in the hope that the attack seems more believable and the receiver will fall for it and take the suggested action. Another threat vector that continues to grow year over year is ransomware.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9sm14r3ddyegte4figxz.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9sm14r3ddyegte4figxz.PNG" alt="Image description" width="677" height="245"&gt;&lt;/a&gt;&lt;br&gt;
Ransomware is much as it sounds: something is taken and a ransom is demanded to get it back. In this case, the items that are taken or locked down are digital, and in order to regain access, the cyber criminal requests payment, typically in cryptocurrency. However, there is no guarantee that if you pay they will actually give you access back, so the process for handling ransomware differs case by case.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chapter 16; Apply Cybersecurity Terminology&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;[Instructor] With limited time, we were unable to cover each and every definition and/or acronym within cybersecurity. However, it is my hope that you were able to learn a number of new concepts in a way that was easily digestible. Now that you've discovered the definition of a number of concepts you may or may not have heard before, I hope you are able to apply what you learned in your everyday conversations around cybersecurity, both at work and at home. If there were definitions not covered in this training or if there are definitions that you want to take a deeper dive into learning more about, I encourage you to check out the extensive catalog of cybersecurity training right here on LinkedIn Learning. There are many exceptional instructors that can help take you beyond just the definitions in a truly immersive learning experience. Also, make sure to check out the definition library in the Resources section of this training. This document will include the definitions we covered in this training and can serve as a hands-on reference for the definitions covered. And remember, always keep learning and never lose the passion to help make your workplace and the world a more secure place for all of us.&lt;/li&gt;
&lt;/ul&gt;

</description>
    </item>
    <item>
      <title>Create a Virtual Machine on Azure Using Terraform</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Sat, 05 Oct 2024 10:57:47 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/create-a-virtual-machine-on-azure-using-terraform-2oog</link>
      <guid>https://dev.to/romanus_onyekwere/create-a-virtual-machine-on-azure-using-terraform-2oog</guid>
      <description>&lt;p&gt;Terraform is an infrastructure as code (IAC) tool that enables us to define and manage infrastructure resources in a declarative way, making it easier to automate the provisioning, deployment, and management of our cloud resources. With Terraform, we can easily and consistently create and manage our Azure infrastructure resources, such as resource groups and VMs, among others.&lt;/p&gt;

&lt;p&gt;Virtual Machine (VM) provisioning on Azure can be a seamless process when leveraging Terraform, an Infrastructure as Code (IaC) tool. This article guides you through the quick and efficient steps to create a VM on Azure using Terraform.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F39b5358pr6lgwp3cg1o5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F39b5358pr6lgwp3cg1o5.png" alt="Image description" width="735" height="529"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1; Install the Terraform software&lt;/strong&gt;&lt;br&gt;
In the web browser, download &lt;strong&gt;&lt;a&gt;Terraform&lt;/a&gt;&lt;/strong&gt; (the Windows AMD64 build) and install it&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs047zsn7kznif38hmud1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs047zsn7kznif38hmud1.png" alt="Image description" width="692" height="269"&gt;&lt;/a&gt;&lt;br&gt;
Locate the downloaded Terraform folder and unzip it&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpolf15jt6jq31t05goxm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpolf15jt6jq31t05goxm.png" alt="Image description" width="800" height="153"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Extract the file&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnv5nceo9k8de2ux84tpt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnv5nceo9k8de2ux84tpt.png" alt="Image description" width="428" height="545"&gt;&lt;/a&gt;&lt;br&gt;
Highlight and copy the location of the extracted Terraform folder&lt;br&gt;
Search for "environment variables" in the search bar at the lower left&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmsk6bph3oxaar7n0wnep.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmsk6bph3oxaar7n0wnep.png" alt="Image description" width="426" height="470"&gt;&lt;/a&gt;&lt;br&gt;
Click Environment Variables&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw10enpd3ecs4t8b6i6wb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw10enpd3ecs4t8b6i6wb.png" alt="Image description" width="633" height="593"&gt;&lt;/a&gt;&lt;br&gt;
Click on Path&lt;br&gt;
Click on Edit&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm4x4avmdeihbrj67q4cg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm4x4avmdeihbrj67q4cg.png" alt="Image description" width="539" height="505"&gt;&lt;/a&gt;&lt;br&gt;
Click on New to create a new entry and paste the copied Terraform location into it&lt;br&gt;
Click OK&lt;/p&gt;

&lt;p&gt;Open the VS Code terminal and run terraform -version&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F82ejj6p2p3870cflgcuv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F82ejj6p2p3870cflgcuv.png" alt="Image description" width="629" height="197"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Create a new Terraform configuration file&lt;/strong&gt;&lt;br&gt;
In VS Code, open the terraform working directory&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwxtycut4rep16vb906lf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwxtycut4rep16vb906lf.png" alt="Image description" width="800" height="254"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the working directory, create a file named main.tf and paste the Terraform configuration into it&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2yxn93y8te7h93y6y41.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2yxn93y8te7h93y6y41.png" alt="Image description" width="599" height="520"&gt;&lt;/a&gt;&lt;br&gt;
Save the file&lt;br&gt;
 &lt;strong&gt;Initialise and apply the Terraform configuration&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In Git Bash, run the following command to initialise the Terraform configuration: terraform init&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpc6ftzvmkfpmklha3lzo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpc6ftzvmkfpmklha3lzo.png" alt="Image description" width="800" height="199"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqv573ffepbh227ea4e3n.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqv573ffepbh227ea4e3n.png" alt="Image description" width="800" height="182"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I will continue later. This prompt is saying:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;the directory has no terraform configuration files&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>azure</category>
      <category>terraform</category>
      <category>virtualmachine</category>
      <category>vscode</category>
    </item>
    <item>
      <title>Create a Windows Virtual Machine in the Azure portal. Step-by-Step Guide</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Sun, 29 Sep 2024 00:46:24 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/create-a-windows-virtual-machine-in-the-azure-portal-step-by-step-guide-136</link>
      <guid>https://dev.to/romanus_onyekwere/create-a-windows-virtual-machine-in-the-azure-portal-step-by-step-guide-136</guid>
      <description>&lt;p&gt;Steps&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Introduction of Virtual Machine&lt;/li&gt;
&lt;li&gt;Sign in to the Azure portal&lt;/li&gt;
&lt;li&gt;Create a Virtual machine&lt;/li&gt;
&lt;li&gt;Connect to the virtual machine&lt;/li&gt;
&lt;li&gt;Clean up resources&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;1. Introduction&lt;/strong&gt;&lt;br&gt;
 What are Virtual Machines?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;VMs are emulations of computer systems.&lt;/li&gt;
&lt;li&gt;They provide the functionality of a physical computer.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Why Azure Virtual Machines?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;On-demand, scalable computing resources.&lt;/li&gt;
&lt;li&gt;Flexibility: Choice of OS, size, and configuration.&lt;/li&gt;
&lt;li&gt;Scalability: Adjust resources based on demand.&lt;/li&gt;
&lt;li&gt;Support for Windows and Linux.&lt;/li&gt;
&lt;li&gt;Full administrative control over the VM.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Azure virtual machines (VMs) can be created through the Azure portal. This method provides a browser-based user interface to create VMs and their associated resources. This quickstart shows you how to use the Azure portal to deploy a virtual machine (VM) in Azure that runs Windows Server 2019. To see your VM in action, you then RDP to the VM and install the IIS web server.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;If you don't have an Azure subscription, create a &lt;strong&gt;&lt;a href="https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=azurefreeaccount&amp;amp;WT.mc_id=A261C142F" rel="noopener noreferrer"&gt;free account&lt;/a&gt;&lt;/strong&gt; before you begin.&lt;/li&gt;
&lt;li&gt;Click Try Azure for free and follow the prompts
&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgdktcx5blidwger0ek1e.png" alt="Image description" width="800" height="364"&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;2. Sign in to Azure&lt;/strong&gt;&lt;br&gt;
 Sign in to the &lt;strong&gt;&lt;a&gt;Azure portal&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Create a virtual machine&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Enter &lt;em&gt;virtual machines&lt;/em&gt; in the search bar.&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Under &lt;strong&gt;Services&lt;/strong&gt;, select &lt;strong&gt;Virtual machines&lt;/strong&gt;.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmplztkkm60ipdcpqu5fw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmplztkkm60ipdcpqu5fw.png" alt="Image description" width="800" height="396"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;On the &lt;strong&gt;Virtual machines&lt;/strong&gt; page, select &lt;strong&gt;Create&lt;/strong&gt; &amp;gt; &lt;strong&gt;Azure virtual machine&lt;/strong&gt;. The &lt;strong&gt;Create a virtual machine&lt;/strong&gt; page opens.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgnq2t5ndusen98x1t5ox.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgnq2t5ndusen98x1t5ox.png" alt="Image description" width="800" height="288"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;On the &lt;strong&gt;Basics&lt;/strong&gt; tab, under &lt;strong&gt;Project details&lt;/strong&gt;, choose your subscription (here &lt;em&gt;Azure Subscription 1&lt;/em&gt;) for &lt;strong&gt;Subscription&lt;/strong&gt;. For &lt;strong&gt;Resource group&lt;/strong&gt;, select &lt;strong&gt;Create new&lt;/strong&gt; and enter onyekwereRG, or pick an existing resource group.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Under &lt;strong&gt;Instance details&lt;/strong&gt;, enter onyekwereVM for the &lt;strong&gt;Virtual machine name&lt;/strong&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Choose &lt;em&gt;Windows Server 2022 Datacenter: Azure Edition - x64 Gen2&lt;/em&gt; for the &lt;strong&gt;Image&lt;/strong&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Leave the other settings at their defaults.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxx8ycoemoto976qhs8fc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxx8ycoemoto976qhs8fc.png" alt="Image description" width="800" height="463"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fodt1p3z1mx4bccbgbz41.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fodt1p3z1mx4bccbgbz41.png" alt="Image description" width="800" height="409"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Under &lt;strong&gt;Administrator account&lt;/strong&gt;, provide a username such as azureuser and a password. Azure rejects weak passwords for Windows VMs (12 to 123 characters, meeting at least three of: lowercase, uppercase, digit, special character). This account is a local administrator that will be reachable over RDP from the Internet, so choose the password accordingly.&lt;/li&gt;
&lt;li&gt;Confirm the password.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzzjujos6d59zdpr36dsn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzzjujos6d59zdpr36dsn.png" alt="Image description" width="800" height="150"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Under &lt;strong&gt;Inbound port rules&lt;/strong&gt;, choose &lt;strong&gt;Allow selected ports&lt;/strong&gt; and then select &lt;strong&gt;RDP (3389)&lt;/strong&gt; and &lt;strong&gt;HTTP (80)&lt;/strong&gt; from the drop-down. This creates network security group rules that accept traffic on those ports from any source address. That is acceptable for a short-lived lab, but an RDP port open to the world is exactly what brute-force scanners look for; for anything longer-lived, restrict the rule's source to your own IP range, use just-in-time VM access, or connect through Azure Bastion instead of a public RDP port.&lt;/li&gt;
&lt;li&gt;Leave the rest at their defaults.&lt;/li&gt;
&lt;li&gt;Click &lt;strong&gt;Review + create&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxkel2w529ygmaqvphyqj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxkel2w529ygmaqvphyqj.png" alt="Image description" width="800" height="358"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;After validation runs, select the &lt;strong&gt;Create&lt;/strong&gt; button at the bottom of the page &lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mf0qr1hryq8rfjk8orc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mf0qr1hryq8rfjk8orc.png" alt="Image description" width="800" height="449"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;After deployment completes, select &lt;strong&gt;Go to resource&lt;/strong&gt;.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fasxyosgllao7nz9u5oa7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fasxyosgllao7nz9u5oa7.png" alt="Image description" width="800" height="363"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;4. Connect to the virtual machine&lt;/strong&gt;&lt;br&gt;
Create a remote desktop connection to the virtual machine.&lt;br&gt;
These directions tell you how to connect to your VM from a Windows computer. On a Mac, you need an RDP client such as the &lt;strong&gt;&lt;a&gt;Remote Desktop client&lt;/a&gt;&lt;/strong&gt; from the Mac App Store.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpnga2i2w2tbeuxalj7zx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpnga2i2w2tbeuxalj7zx.png" alt="Image description" width="800" height="445"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;On the Overview page of your virtual machine, select &lt;strong&gt;Connect &amp;gt; RDP&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fitkdjwl1hybwtmqx3qwa.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fitkdjwl1hybwtmqx3qwa.png" alt="Image description" width="800" height="203"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;In the &lt;strong&gt;Connect with RDP&lt;/strong&gt; tab, keep the default option to connect by IP address over port 3389, and click on &lt;strong&gt;Download RDP file&lt;/strong&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgui6sbfwihp0hd81z902.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgui6sbfwihp0hd81z902.png" alt="Image description" width="562" height="532"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Open the downloaded RDP file and click &lt;strong&gt;Connect&lt;/strong&gt; when prompted.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb4ufa1vsh5xnakwp82oq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb4ufa1vsh5xnakwp82oq.png" alt="Image description" width="579" height="322"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;In the &lt;strong&gt;Windows Security&lt;/strong&gt; window, enter the administrator username and password you set when creating the VM. If the dialog pre-fills a different account, choose &lt;strong&gt;More choices&lt;/strong&gt; and then &lt;strong&gt;Use a different account&lt;/strong&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click &lt;strong&gt;OK&lt;/strong&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ez5ud8rh546io9bqgm0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ez5ud8rh546io9bqgm0.png" alt="Image description" width="469" height="347"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You may receive a certificate warning during the sign-in process. It appears because the VM presents a self-signed RDP certificate that your client has no reason to trust; the warning is expected for a freshly created VM, but check that you are connecting to the public IP address shown in the portal before accepting it.&lt;/li&gt;
&lt;li&gt;Click &lt;strong&gt;View certificate&lt;/strong&gt; if you want to install the certificate so the warning doesn't reappear. For a throwaway lab you can skip the install and simply click &lt;strong&gt;Yes&lt;/strong&gt; to connect.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuek5ro8o8kgly12b8m9q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuek5ro8o8kgly12b8m9q.png" alt="Image description" width="404" height="404"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Click &lt;strong&gt;Install Certificate&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2tq6gv6h5r2apmmzntm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2tq6gv6h5r2apmmzntm.png" alt="Image description" width="378" height="372"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The &lt;strong&gt;Certificate Import Wizard&lt;/strong&gt; opens.&lt;/li&gt;
&lt;li&gt;Click &lt;strong&gt;Next&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff18zmq46j4thq686q82x.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff18zmq46j4thq686q82x.png" alt="Image description" width="554" height="535"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Click Finish&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwmobtffwl90cn3i9fo2g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwmobtffwl90cn3i9fo2g.png" alt="Image description" width="545" height="527"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Click &lt;strong&gt;Yes&lt;/strong&gt; to accept the connection; the remote desktop session to your VM opens.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuek5ro8o8kgly12b8m9q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuek5ro8o8kgly12b8m9q.png" alt="Image description" width="404" height="404"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Clean Up&lt;/strong&gt;&lt;br&gt;
Delete Resources&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;When the VM is no longer needed, delete the resource group; that removes the virtual machine and everything created with it, including the public IP address and the network security group that exposed RDP.&lt;/li&gt;
&lt;li&gt;On the Overview page for the VM, select the &lt;strong&gt;Resource group&lt;/strong&gt; link.&lt;/li&gt;
&lt;li&gt;At the top of the resource group page, select &lt;strong&gt;Delete resource group&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;A page opens warning you that you are about to delete resources. Type the name of the resource group to confirm.&lt;/li&gt;
&lt;li&gt;Select &lt;strong&gt;Delete&lt;/strong&gt; to delete the resources and the resource group.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>virtualmachine</category>
      <category>azure</category>
      <category>windows</category>
      <category>googlecloud</category>
    </item>
    <item>
      <title>Digging Deep Into Docker; A Step-by-Step Guide For Beginners</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Sat, 28 Sep 2024 12:34:26 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/digging-deep-into-docker-a-step-by-step-guide-for-begginers-5co7</link>
      <guid>https://dev.to/romanus_onyekwere/digging-deep-into-docker-a-step-by-step-guide-for-begginers-5co7</guid>
      <description>&lt;p&gt;Table of contents&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; Docker Installation&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Containers provide a way of creating an isolated environment, sometimes called a sandbox, in which applications and their dependencies can live. The isolation means a container is decoupled from the environment in which it runs: it cares little about the host it runs on, so the same container image can run on many hosts with different hardware and Linux distributions, as long as the host provides a compatible kernel (on Windows and macOS, Docker Desktop supplies a Linux VM for that).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Docker Installation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;On the &lt;a href="https://www.docker.com/" rel="noopener noreferrer"&gt;Docker website&lt;/a&gt;, download Docker Desktop for your operating system (Windows, macOS or Linux).&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Installation Verification&lt;/em&gt;&lt;/p&gt;

</description>
      <category>docker</category>
      <category>virtualmachine</category>
      <category>vscode</category>
      <category>container</category>
    </item>
    <item>
      <title>Effective Web App Deployment With ARM Template And Azure CLI</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Sat, 24 Aug 2024 15:06:08 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/effective-web-app-deployment-with-arm-template-and-azure-cli-3i29</link>
      <guid>https://dev.to/romanus_onyekwere/effective-web-app-deployment-with-arm-template-and-azure-cli-3i29</guid>
      <description>&lt;p&gt;&lt;strong&gt;Table of contents&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Introduction&lt;/p&gt;

&lt;p&gt;Installation steps;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Deploy ARM Template with Azure CLI&lt;/li&gt;
&lt;li&gt;Open the Visual studio code portal&lt;/li&gt;
&lt;li&gt;Download and install Visual Studio Code&lt;/li&gt;
&lt;li&gt;Create an Azure account&lt;/li&gt;
&lt;li&gt;Install Azure CLI on your device&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Introduction&lt;/strong&gt;&lt;br&gt;
In this tutorial, we explain step by step how to deploy a web app with an Azure Resource Manager (ARM) template and the Azure Command-Line Interface (CLI).&lt;br&gt;
An ARM template is a set of declarative instructions that does the following:&lt;br&gt;
(a) It describes what kind of resources (web apps, databases, and so on) should be created in Azure.&lt;br&gt;
(b) It describes how those resources should be configured in Azure.&lt;br&gt;
(c) It also describes where the resources should be placed in Azure.&lt;/p&gt;

&lt;p&gt;This could also be illustrated with someone who is building a house. The ARM template is the &lt;strong&gt;plan&lt;/strong&gt; that tells the builders (&lt;strong&gt;Azure&lt;/strong&gt;) what rooms (&lt;strong&gt;resources&lt;/strong&gt;)are needed, how many windows (&lt;strong&gt;configuration&lt;/strong&gt;) and where the house should be built (&lt;strong&gt;location&lt;/strong&gt;)&lt;/p&gt;

&lt;p&gt;The Azure Command-Line Interface (CLI) is a tool for controlling and managing Azure resources by typing commands at a terminal prompt.&lt;/p&gt;

&lt;p&gt;The CLI is like a &lt;em&gt;remote control&lt;/em&gt; for Azure: you can create, update, and manage resources such as your web app without going through the Azure portal.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Deploy ARM Template with Azure CLI&lt;/strong&gt;&lt;br&gt;
Locate the ARM template file already prepared and downloaded in your folder&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwoihqaa3n40z11cbstn6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwoihqaa3n40z11cbstn6.png" alt="Image description" width="800" height="321"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Download and install Visual Studio Code&lt;/strong&gt;&lt;br&gt;
Make sure you have a recent Visual Studio Code installed on your computer. If you don't, get the latest version from the Visual Studio Code &lt;strong&gt;&lt;a href="https://code.visualstudio.com/" rel="noopener noreferrer"&gt;official website&lt;/a&gt;&lt;/strong&gt;.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv93zyk3kwn2yg71lkqji.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv93zyk3kwn2yg71lkqji.png" alt="Image description" width="800" height="407"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In VS Code, create a file for the template and name it template.json.&lt;br&gt;
Copy the JSON template from &lt;strong&gt;&lt;a href="https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-tutorial-local-template?tabs=azure-cli" rel="noopener noreferrer"&gt;here&lt;/a&gt;&lt;/strong&gt;.&lt;br&gt;
To copy it, scroll down to &lt;strong&gt;Review template&lt;/strong&gt; and click the copy icon.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Felb7zn77wbqqejba4pti.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Felb7zn77wbqqejba4pti.png" alt="Image description" width="800" height="379"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With the template copied, return to VS Code, create a new file named template.json and save it.&lt;br&gt;
Paste the copied JSON into the template.json editor window.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frytcm1tob6gsgzf83v9t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frytcm1tob6gsgzf83v9t.png" alt="Image description" width="800" height="399"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe6ust2a4lpjxila2qre4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe6ust2a4lpjxila2qre4.png" alt="Image description" width="800" height="474"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8mzyvrw5rayao3k6x8e1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8mzyvrw5rayao3k6x8e1.png" alt="Image description" width="800" height="462"&gt;&lt;/a&gt;&lt;br&gt;
Go through the JSON ARM template and make sure every configuration key is complete and none is truncated; that is what makes the template ready to deploy.&lt;br&gt;
The next step assumes that you're logged in to Azure and that the right subscription is selected.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkhomf4vhb40d3c4yjyw0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkhomf4vhb40d3c4yjyw0.png" alt="Image description" width="800" height="411"&gt;&lt;/a&gt; &lt;/p&gt;
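&lt;p&gt;Before running the deployment, it's worth catching template mistakes locally rather than waiting for Azure to reject them. The following linter is an added example written for this post, not code from the post or from Microsoft. It reads a template.json and reports missing top-level keys, dangling &lt;em&gt;parameters()&lt;/em&gt;/&lt;em&gt;variables()&lt;/em&gt; references, and secret-looking parameters (adminPassword and the like) that are not &lt;em&gt;securestring&lt;/em&gt; or that carry a &lt;em&gt;defaultValue&lt;/em&gt;. The sample template embedded in it is constructed for the demo and the resource and parameter names in it are invented.&lt;/p&gt;

```python
"""Lint an ARM template before `az deployment group create`.

Added example (not code from the post). It reads template.json-style JSON
and reports the mistakes that either fail the deployment or leak a secret:
  * missing top-level keys;
  * parameters()/variables() references with no declaration;
  * secret-looking parameters that are not securestring/secureObject,
    or that ship a defaultValue (which ends up committed in plain text).
"""
import copy
import json
import re
import sys

REQUIRED_TOP_LEVEL = ("$schema", "contentVersion", "resources")
SECURE_TYPES = ("securestring", "secureobject")
# Name fragments that almost always mean the value is a secret (heuristic).
SECRET_HINT = re.compile(r"password|passwd|secret|token|privatekey|connectionstring", re.I)
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
VAR_REF = re.compile(r"variables\('([^']+)'\)")


def _strings(node):
    """Yield every string in the template; ARM expressions live inside strings."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def lint_template(template):
    """Return a list of findings; an empty list means the template passed."""
    findings = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in template:
            findings.append(f"missing top-level key '{key}'")

    params = template.get("parameters", {})
    variables = template.get("variables", {})
    for name, spec in params.items():
        ptype = str(spec.get("type", "")).lower()
        secret = bool(SECRET_HINT.search(name))
        if secret and ptype not in SECURE_TYPES:
            findings.append(f"parameter '{name}' looks like a secret but is type "
                            f"'{spec.get('type')}'; use securestring")
        if (secret or ptype in SECURE_TYPES) and "defaultValue" in spec:
            findings.append(f"parameter '{name}' carries a defaultValue; "
                            "supply secrets at deployment time instead")

    # Dangling references are only rejected once Azure expands the template.
    referenced_params, referenced_vars = set(), set()
    body = {k: v for k, v in template.items() if k != "parameters"}
    for text in _strings(body):
        referenced_params.update(PARAM_REF.findall(text))
        referenced_vars.update(VAR_REF.findall(text))
    for name in sorted(referenced_params - set(params)):
        findings.append(f"undeclared parameter referenced: '{name}'")
    for name in sorted(referenced_vars - set(variables)):
        findings.append(f"undeclared variable referenced: '{name}'")
    return findings


def harden_secrets(template):
    """Return a copy with secret-looking parameters made securestring and their defaults removed."""
    fixed = copy.deepcopy(template)
    for name, spec in fixed.get("parameters", {}).items():
        if SECRET_HINT.search(name):
            spec["type"] = "securestring"
            spec.pop("defaultValue", None)
    return fixed


# Constructed sample: a cut-down VM template carrying the mistakes the linter targets
# (plain-text password with a default, an undeclared 'location' parameter, an undeclared variable).
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vmName": {"type": "string", "defaultValue": "onyekwereVM"},
        "adminUsername": {"type": "string"},
        "adminPassword": {"type": "string", "defaultValue": "ChangeMe-NotASecret"},
    },
    "variables": {},
    "resources": [{
        "type": "Microsoft.Compute/virtualMachines",
        "apiVersion": "2023-03-01",
        "name": "[parameters('vmName')]",
        "location": "[parameters('location')]",
        "properties": {
            "osProfile": {"computerName": "[parameters('vmName')]",
                          "adminUsername": "[parameters('adminUsername')]",
                          "adminPassword": "[parameters('adminPassword')]"},
            "networkProfile": {"networkInterfaces": [{"id": "[variables('nicId')]"}]},
        },
    }],
}

if __name__ == "__main__":
    # Usage: python lint_arm.py [template.json]; without a path it lints the constructed sample.
    template = json.load(open(sys.argv[1])) if len(sys.argv) == 2 else SAMPLE_TEMPLATE
    for finding in lint_template(template):
        print("FINDING:", finding)
    print("after harden_secrets():", lint_template(harden_secrets(template)))
```

&lt;p&gt;Run it as &lt;em&gt;python lint_arm.py template.json&lt;/em&gt; and clear every finding before &lt;em&gt;az deployment group create --resource-group onyekwereRG --template-file template.json&lt;/em&gt;. The name-based secret heuristic is deliberately simple, so treat it as a guardrail rather than a complete check; the dangling-reference check, by contrast, is exact for the expression syntax it parses.&lt;/p&gt;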

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3tr34ue1c50zoysapd4o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3tr34ue1c50zoysapd4o.png" alt="Image description" width="800" height="490"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Open a terminal in VS Code (the screenshot shows a Python terminal; any shell with the Azure CLI on its PATH works) and, at the prompt, enter &lt;em&gt;az login&lt;/em&gt;. You're prompted to sign in to your Azure account in the browser.&lt;br&gt;
Click &lt;strong&gt;Continue&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Unfortunately, it could not continue and I have been directed back as many times as I tried.&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>armtemplate</category>
      <category>webapp</category>
      <category>commandline</category>
      <category>vscode</category>
    </item>
    <item>
      <title>Deploying a Virtual Machine Using ARM Template</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Sat, 17 Aug 2024 00:30:02 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/deploying-a-virtual-machine-using-arm-template-18g4</link>
      <guid>https://dev.to/romanus_onyekwere/deploying-a-virtual-machine-using-arm-template-18g4</guid>
      <description>&lt;p&gt;Azure Virtual Machines (VMs) are a key component of cloud computing, providing scalable and flexible infrastructure for various applications and workloads.&lt;/p&gt;

&lt;p&gt;In this post, we will explore the process of deploying Azure Virtual Machines using ARM (Azure Resource Manager) templates in Visual Studio Code, a powerful and extensible code editor.&lt;/p&gt;

&lt;p&gt;ARM templates enable the definition of the Azure resources needed for your solution in a declarative manner, making it easier to manage and reproduce your infrastructure.&lt;/p&gt;

&lt;p&gt;Deploying a virtual machine (VM) using an Azure Resource Manager (ARM) template is a straightforward process. ARM templates allow you to define the infrastructure and configuration for your Azure resources in a declarative JSON format. Below are the steps to deploy a VM using an ARM template:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Edit and deploy a template&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In the web browser, go to the &lt;strong&gt;&lt;a href="https://portal.azure.com" rel="noopener noreferrer"&gt;Azure portal&lt;/a&gt;&lt;/strong&gt; and sign in.&lt;br&gt;
In the portal search bar, search for &lt;strong&gt;deploy a custom template&lt;/strong&gt; and select it from the available options.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fggctsz87qw4zcwh6xoet.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fggctsz87qw4zcwh6xoet.png" alt="Image description" width="800" height="382"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The template defines properties such as VM size, OS image, networking, and storage configuration. You can either write the template from scratch or start from one of the Azure Quickstart Templates.&lt;br&gt;
Using the available templates, you can, among other things:&lt;br&gt;
(a) Create a Linux VM&lt;br&gt;
(b) Create a Windows VM&lt;br&gt;
(c) Create a web app&lt;br&gt;
(d) Create a SQL database&lt;br&gt;
(e) Create an Azure landing zone&lt;br&gt;
Here we concentrate on building our own template.&lt;br&gt;
Click &lt;strong&gt;Build your own template in the editor&lt;/strong&gt;.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcm3x9zhpriojnbq6mw0k.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcm3x9zhpriojnbq6mw0k.png" alt="Image description" width="800" height="325"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You can also use the &lt;strong&gt;Quickstart template&lt;/strong&gt; drop-down to pick a template from the repository instead.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2l1mu30j6tqlhwxl6unm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2l1mu30j6tqlhwxl6unm.png" alt="Image description" width="800" height="330"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You will see a blank template&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flt8seuz7l4b66hgg0gj4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flt8seuz7l4b66hgg0gj4.png" alt="Image description" width="800" height="391"&gt;&lt;/a&gt;&lt;br&gt;
 Replace the blank template with the template shown in the next screenshot; it deploys a virtual network with a subnet.&lt;br&gt;
Click &lt;strong&gt;Save&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8vnyp2uc9gwg7jz2jmbo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8vnyp2uc9gwg7jz2jmbo.png" alt="Image description" width="800" height="374"&gt;&lt;/a&gt;&lt;br&gt;
You will see the &lt;strong&gt;Custom deployment&lt;/strong&gt; window.&lt;br&gt;
Under &lt;strong&gt;Project details&lt;/strong&gt;, choose your subscription and create a new resource group, or use an existing one.&lt;br&gt;
Leave the other parameters at their default values.&lt;br&gt;
Then click &lt;strong&gt;Review + create&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkp4dxfl1ydcbc5aglegx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkp4dxfl1ydcbc5aglegx.png" alt="Image description" width="800" height="345"&gt;&lt;/a&gt;&lt;br&gt;
After the portal finishes validating the template, click &lt;strong&gt;Create&lt;/strong&gt;.&lt;br&gt;
When the deployment completes, you see its status. Select the name of the resource group, then &lt;strong&gt;Go to resource&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpt6iv1vs1qq95n85ea6u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpt6iv1vs1qq95n85ea6u.png" alt="Image description" width="800" height="322"&gt;&lt;/a&gt;&lt;br&gt;
You will notice that your resource group now contains a storage account and a virtual network.&lt;br&gt;
To locate your resource group page, you can click on the name of the resource group you created or search the resource group name under resource group on the Azure portal&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4sbbpnpzem7eqf0ssa1w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4sbbpnpzem7eqf0ssa1w.png" alt="Image description" width="800" height="280"&gt;&lt;/a&gt;&lt;br&gt;
Click on the resource group to see the Window Overview&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv0h5nq0tg6u5psj77s2z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv0h5nq0tg6u5psj77s2z.png" alt="Image description" width="800" height="314"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Export a Custom Template&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;One of the easiest ways to work with an ARM template is to have the portal generate it for you. The portal can create an ARM template based on the current state of your resource group.&lt;br&gt;
On the overview page of the VNET, click Automation in the left menu.&lt;br&gt;
Under Automation you will see Export template; click it.&lt;br&gt;
Your template will be generated.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffk9x75zklolhmbj6vlcs.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffk9x75zklolhmbj6vlcs.png" alt="Image description" width="800" height="371"&gt;&lt;/a&gt;&lt;br&gt;
The portal generates a template for you based on the current state of the resource group. Notice that this template is not the same as either template you deployed earlier. It contains definitions for both the storage account and virtual network, along with other resources like a blob service that was automatically created for your storage account.&lt;br&gt;
To save this template for later use, select Download.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8umj0ty3m1q5daibrc0w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8umj0ty3m1q5daibrc0w.png" alt="Image description" width="800" height="377"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You can reuse the downloaded file once the download is complete.&lt;br&gt;
Locate the folder, unzip it, and click template.json.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56fu4r2lf18cq6kh91kl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56fu4r2lf18cq6kh91kl.png" alt="Image description" width="800" height="271"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It will open in VS Code.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6tjjkcjsied1q020nsl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6tjjkcjsied1q020nsl.png" alt="Image description" width="800" height="390"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You now have an ARM template that represents the current state of the resource group. This template is auto-generated. Before using the template for production deployments, you may want to revise it, such as adding parameters for template reuse.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. How To Clean Up Your Resources&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When the Azure resources are no longer needed, clean up the resources you deployed by deleting the resource group.&lt;/p&gt;

&lt;p&gt;In the Azure portal, select Resource groups on the left menu.&lt;br&gt;
Enter the resource group name in the Filter for any field search box.&lt;br&gt;
Select the resource group name. You will see the storage account in the resource group.&lt;br&gt;
Select Delete resource group in the top menu.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Deploying Web App With CI/CD Pipeline On Azure</title>
      <dc:creator>Romanus Onyekwere</dc:creator>
      <pubDate>Sat, 10 Aug 2024 15:38:40 +0000</pubDate>
      <link>https://dev.to/romanus_onyekwere/deploying-web-app-with-cicd-pipeline-on-azure-3j3j</link>
      <guid>https://dev.to/romanus_onyekwere/deploying-web-app-with-cicd-pipeline-on-azure-3j3j</guid>
      <description>&lt;ul&gt;
&lt;li&gt;Azure is the cloud computing platform and suite of cloud services provided by Microsoft.&lt;/li&gt;
&lt;li&gt;Azure provides various services, including building and deploying web apps, logic apps, configuring databases, etc.&lt;/li&gt;
&lt;li&gt;In this article, we go step by step through how to deploy a web app with a CI/CD pipeline on Azure App Service.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Step 1; Create and set up your Microsoft Azure account&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Sign in to your &lt;a href="//portal.azure.com"&gt;Azure Portal&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;After signing in, you will see this dashboard.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj4cup0c0pwgsbm5ymeee.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj4cup0c0pwgsbm5ymeee.png" alt="Image description" width="800" height="382"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Create Your App Service Plan&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;In the dashboard search bar, type App Service plan, click on it, and select Create
&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzrcyd2415jtk0e8u5uu5.png" alt="Image description" width="800" height="364"&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fikwjo5uz5ht8oqqefmai.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fikwjo5uz5ht8oqqefmai.png" alt="Image description" width="800" height="277"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;In the Basic tab&lt;/strong&gt; &lt;br&gt;
&lt;em&gt;Under Project Details&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Choose your subscription.&lt;/li&gt;
&lt;li&gt;Create a new resource group or choose an existing one.
&lt;em&gt;Under App Service Plan&lt;/em&gt;
&lt;/li&gt;
&lt;li&gt;Enter the name of your App Service plan&lt;/li&gt;
&lt;li&gt;Select the operating system that will integrate with GitHub Actions, either Linux or Windows&lt;/li&gt;
&lt;li&gt;Select the region closest to you&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31cdtrxf8ocqcwd73f0z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31cdtrxf8ocqcwd73f0z.png" alt="Image description" width="800" height="310"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Under pricing tier&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Click on Explore pricing plans to access the free plan&lt;br&gt;
&lt;em&gt;Under Access App Service Pricing Plans&lt;/em&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;By default leave it at hardware view&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Select free plan &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click on select&lt;br&gt;
&lt;em&gt;Under Zone redundancy&lt;/em&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Leave it at Disabled &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click Review + Create to Validate&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7shppzqe3inffkzyf882.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7shppzqe3inffkzyf882.png" alt="Image description" width="800" height="374"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbsccef04ref12uoxzla3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbsccef04ref12uoxzla3.png" alt="Image description" width="800" height="271"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Click on Create to deploy&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Go to Resource&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg4o7dhlwnpae1zsafqol.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg4o7dhlwnpae1zsafqol.png" alt="Image description" width="800" height="326"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Step 2; Create App Service&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;On the Azure dashboard, search for App Services&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Open it in a new tab&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;From the + Create dropdown, click on Web App&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Proceed for Configuration&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbsbr0wmlxippgx2muh7c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbsbr0wmlxippgx2muh7c.png" alt="Image description" width="800" height="308"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;On the Basics tab&lt;/strong&gt;&lt;br&gt;
&lt;em&gt;Under Project Details&lt;/em&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Select your Subscription&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Use the existing resource group&lt;br&gt;
&lt;em&gt;Under Instance Details&lt;/em&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Choose a name for your web app and confirm its availability by unchecking the button&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Leave Publish set to Code&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;For Runtime stack, select PHP 8.3&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Operating System is Linux by default&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Select the region of your choice&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Leave the others at their defaults&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknmzg9nbpqsvghq2h0az.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknmzg9nbpqsvghq2h0az.png" alt="Image description" width="800" height="314"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fevaiwysxhavqeduihfx0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fevaiwysxhavqeduihfx0.png" alt="Image description" width="800" height="273"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv1wkus2iblkjg9cm9gc2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv1wkus2iblkjg9cm9gc2.png" alt="Image description" width="800" height="296"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Select Next: Deployment&lt;/li&gt;
&lt;li&gt;Leave Networking, Monitor + secure, and Tags at their defaults&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click on review + create&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9oe3h72xtn3qg66r65u3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9oe3h72xtn3qg66r65u3.png" alt="Image description" width="800" height="378"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Step 3; Create New Repository&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Log in to your &lt;a&gt;GitHub account&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Create a new account and follow the prompts&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;If you already have an account, log in directly&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click on Create Repository&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxym9vf07xvoe3jho7ngt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxym9vf07xvoe3jho7ngt.png" alt="Image description" width="800" height="323"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Make sure you fill in the necessary fields&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Repository name&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Description is optional&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Leave the visibility set to Public&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Add a README file&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Leave the others at their defaults&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click on Create&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd016g4qpols6dichhxuw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd016g4qpols6dichhxuw.png" alt="Image description" width="800" height="315"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhar0y8rer87vt6c502ch.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhar0y8rer87vt6c502ch.png" alt="Image description" width="800" height="315"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Use VS Code to Clone the Repository&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Click on the Code dropdown&lt;/li&gt;
&lt;li&gt;Copy the web URL used to clone the repository
&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg9po5a54yw0y9zu12mur.png" alt="Image description" width="800" height="346"&gt;
&lt;/li&gt;
&lt;li&gt;Open the VS Code already installed on your system&lt;/li&gt;
&lt;li&gt;You will be prompted to log in with your GitHub details to integrate it with VS Code&lt;/li&gt;
&lt;li&gt;You can clone the repository from the GitHub dropdown; you will see the repository name you created&lt;/li&gt;
&lt;li&gt;&lt;p&gt;You can also clone directly under Git Repository&lt;br&gt;
-Clone using the terminal to be more professional&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click on the Terminal button under the three dots at the upper left of the window, next to the Run icon&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Follow the prompt to create a new terminal&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Switch from PowerShell to Git Bash, though both work&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi85zxsrjsffivvzvftb9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi85zxsrjsffivvzvftb9.png" alt="Image description" width="800" height="427"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Type git clone, the command used to clone the repository we just created&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Copy the code URL of the repository and paste it after git clone&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Press Enter and wait for the cloning output&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg7s71d54hch0ljobeuo5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg7s71d54hch0ljobeuo5.png" alt="Image description" width="800" height="269"&gt;&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Create a directory named project&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Run cd project to change into it&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Run git clone followed by the repository link, all in PowerShell&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flm9t63xnl3c27hzi0rue.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flm9t63xnl3c27hzi0rue.png" alt="Image description" width="800" height="350"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Open a folder to view the cloned file&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Go to the File icon at the upper right of VS Code&lt;/li&gt;
&lt;li&gt;From the dropdown, locate the option to create a folder&lt;/li&gt;
&lt;li&gt;Locate the folder by following the prompt&lt;/li&gt;
&lt;li&gt;Select the folder and open it to view the created folder&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faqooai1ngpueqa5i0x4r.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faqooai1ngpueqa5i0x4r.png" alt="Image description" width="800" height="463"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fswvovyfr36tb1l94affv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fswvovyfr36tb1l94affv.png" alt="Image description" width="800" height="269"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Create a file&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;In VS Code, click on Terminal in the top bar&lt;/li&gt;
&lt;li&gt;Switch to Git Bash&lt;/li&gt;
&lt;li&gt;Input touch index.php&lt;/li&gt;
&lt;li&gt;Type cd romanusapp and observe the change of directory&lt;/li&gt;
&lt;li&gt;Type touch index.php&lt;/li&gt;
&lt;li&gt;Observe that they appear at the upper left of VS Code.
You can also run an HTML file
&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fze8gc1e6s7cp7y3vmb5f.png" alt="Image description" width="800" height="427"&gt;
&lt;/li&gt;
&lt;li&gt;Enter nano index.php&lt;/li&gt;
&lt;li&gt;We can write a simple expression like &amp;lt;?php echo "Hello World"; ?&amp;gt;&lt;/li&gt;
&lt;li&gt;If you have an HTML file instead, that will still work&lt;/li&gt;
&lt;li&gt;From your keyboard, press Ctrl+X to exit&lt;/li&gt;
&lt;li&gt;Choose Yes and press Enter to save
&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm1ff60niy6ff72qg6nox.png" alt="Image description" width="800" height="271"&gt;
&lt;/li&gt;
&lt;li&gt;Enter cat index.php to see the output
&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1w1qzugucs3sk3o2zpb7.png" alt="Image description" width="800" height="269"&gt;
&lt;/li&gt;
&lt;li&gt;Go back to the Azure portal to make the connection in the Deployment Center&lt;/li&gt;
&lt;li&gt;Click Select code source to view the available connection options, including CI/CD&lt;/li&gt;
&lt;li&gt;Select GitHub
&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F499j31ti7xwhdk88kld5.png" alt="Image description" width="800" height="372"&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdoyrnxeoyvyjan665vb1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdoyrnxeoyvyjan665vb1.png" alt="Image description" width="800" height="374"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Step 4; Push The Repository Created&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>webapp</category>
      <category>github</category>
      <category>appservice</category>
      <category>networkig</category>
    </item>
  </channel>
</rss>
