Cybersecurity 101
Handling MinistryofDevOps(Pun intended)
In this blog, I will briefly discuss very common terms used in day to today life of Security Engineers. I hope this will be helpful for people who want to start their journey in cybersecurity or just want to understand the basics of frequently used terms.
Cybersecurity | Cybersecurity relates to processes employed to safeguard and secure assets used to carry information of an organization from being stolen or attacked. It requires extensive knowledge of possible threats such as viruses or other malicious objects. Identity management, risk management, and incident management form the crux of the cybersecurity strategies of an organization. |
Red Team | Red teams are offensive. They attack their own systems to find the vulnerabilities of a company’s network and infrastructure within a controlled environment (i.e. penetration testing, threat emulation, threat hunting). This is critical for security as it shows the real strength of the infrastructure, by stress-testing the defense mechanisms the Blue team created. |
Blue Team | Blue teams are defensive. They employ defensive strategies to prevent external parties from getting access to critical infrastructure (i.e. antiviruses, firewalls, security policies, access procedures, compliance rules). Most security departments will have at least a Blue team. |
Purple Team | Purple teams act as an intermediary that allows Red and Blue teams to communicate. Ideally, a Blue team can install defenses, and a Red team will attack them and report if it found any exploits or weaknesses. The Purple team should then review this report with the Blue team and help them define a strategy to fix the issues. This creates a feedback loop between the two teams, so they can collaborate more effectively to patch vulnerabilities and establish a stronger more secure environment. |
Clickjacking | Clickjacking involves tricking someone into clicking on one object on a web page while they think they are clicking on another. The attacker loads a transparent page over the legitimate content on the web page so that the victim thinks they are clicking on a legitimate item when they are really clicking on something on the attacker’s invisible page. This way, the attacker can hijack the victim’s click for their own purposes. Clickjacking could be used to install malware, gain access to one of the victim’s online accounts, or enable the victim’s webcam. |
Attack Vectors | An Attack Vector is the collection of all vulnerable points by which an attacker can gain entry into the target system. Attack vectors include vulnerable points in technology as well as human behavior, skillfully exploited by attackers to gain access to networks. The growth of IoT devices and (Work from Home) have greatly increased the attack vector, making networks increasingly difficult to defend. |
Attack Surface | The attack surface is the number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data. The smaller the attack surface, the easier it is to protect. |
SIEM | Security Information and Event Management (SIEM) is a formal process by which the security of an organization is monitored and evaluated on a constant basis. SIEM helps to automatically identify systems that are out of compliance with the security policy as well as to notify the IRT (Incident Response Team) of any security-violating events. |
SOAR | SOAR (Security Orchestration, Automation and Response) is a solution stack of compatible software programs that organizations use to collect data about security threats from across the network and respond to low-level security events without human assistance. |
Threat Actor | A threat actor, also known as a malicious actor, is any person or organization that intentionally causes harm in the digital sphere. They exploit weaknesses in computers, networks and systems to carry out disruptive attacks on individuals or organizations. |
Advanced Persistent Threat (APT) | In an APT attack, a threat actor uses the most sophisticated tactics and technologies to penetrate a high-profile network. APTs aim to stay ‘under the radar’ and explore the network while remaining undetected for weeks, months, and even years. APTs are most often used by nation-state threat actors wishing to cause severe disruption and damage to the economic and political stability of a country. They can be considered the cyber equivalent of espionage ‘sleeper cells’. |
Advanced Threat Protection (ATP) | Advanced Threat Protection (ATP) are security solutions that defend against sophisticated malware or hacking attacks targeting sensitive data. Advanced Threat Protection includes both software and managed security services. |
Brute Force Attack | This is a method for guessing a password (or the key used to encrypt a message) that involves systematically trying a high volume of possible combinations of characters until the correct one is found. One way to reduce the susceptibility to a Brute Force Attack is to limit the number of permitted attempts to enter a password – for example, by allowing only three failed attempts and then permitting further attempts only after 15 minutes. |
Detection and Response | Network Detection and Response is a security solution category used by organizations to detect malicious network activity, perform a forensic investigation to determine the root cause, and then respond and mitigate the threat. |
Endpoint Detection and Response (EDR) | Endpoint Detection and Response (EDR) are tools for protecting computer endpoints from potential threats. EDR platforms comprise software and networking tools for detecting suspicious endpoint activities, usually via continuous network monitoring. |
Honeypot | Honeypots are computer security programs that simulate network resources that hackers are likely to look for to lure them in and trap them. An attacker may assume that you’re running weak services that can be used to break into the machine. A honeypot provides you with advanced warning of a more concerted attack. Two or more honeypots on a network form a honeynet. |
MITRE ATT&CK™ Framework | The MITRE ATT&CK™ framework is a comprehensive matrix of tactics and techniques used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization’s risk. The aim of the framework is to improve post-compromise detection of adversaries in enterprises by illustrating the actions an attacker may have taken. |
CIS(Center for Internet Security) | The Center for Internet Security (CIS) publishes the CIS Critical Security Controls (CSC) to help organizations better defend against known attacks by distilling key security concepts into actionable controls to achieve greater overall cybersecurity defense. |
CIS Controls | The CIS Critical Security Controls (CIS Controls) are a prescriptive, prioritized, and simplified set of best practices that you can use to strengthen your cybersecurity posture. |
CIS Benchmarks | CIS Benchmarks from the Center for Internet Security (CIS) are a set of globally recognized and consensus-driven best practices to help security practitioners implement and manage their cybersecurity defenses. |
NIST Framework | The NIST Cybersecurity Framework (NIST CSF) consists of standards, guidelines, and best practices that help organizations improve their management of cybersecurity risk. The NIST CSF is designed to be flexible enough to integrate with the existing security processes within any organization, in any industry. |
Pen Testing | Pen (Penetration) Testing is the practice of intentionally challenging the security of a computer system, network, or web application to discover vulnerabilities that an attacker or hacker could exploit. |
Rootkit | A Rootkit is a collection of software tools or a program that gives a hacker remote access to, and control over, a computer or network. Rootkits themselves do not cause direct harm – and there have been legitimate uses for this type of software, such as to provide remote end user support. However, most rootkits open a backdoor on targeted computers for the introduction of malware, viruses, and ransomware, or use the system for further network security attacks. A rootkit is typically installed through a stolen password, or by exploiting system vulnerabilities without the victim’s knowledge. In most cases, rootkits are used in conjunction with other malware to prevent detection by endpoint antivirus software. |
Social Engineering | Social Engineering is an increasingly popular method of gaining access to unauthorized resources by exploiting human psychology and manipulating users – rather than by breaking in or using technical hacking techniques. Instead of trying to find a software vulnerability in a corporate system, a social engineer might send an email to an employee pretending to be from the IT department, trying to trick him into revealing sensitive information. Social engineering is the foundation of spear phishing attacks. |
Threat Assessment | Threat Assessment is a structured process used to identify and evaluate various risks or threats that an organization might be exposed to. Cyber threat assessment is a crucial part of any organization’s risk management strategy and data protection efforts. |
Threat Hunting | Cyber Threat Hunting is an active cyber defense activity where cybersecurity professionals actively search networks to detect and mitigate advanced threats that evade existing security solutions. |
Threat Intelligence | Threat Intelligence, or cyber threat intelligence, is intelligence proactively obtained and used to understand the threats that are targeting the organization. Trojan Trojans are malicious programs that perform actions that are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, Trojans are unable to make copies of themselves or self-replicate. |
Threat Modeling | A threat model is a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through the lens of security. |
PASTA | PASTA is an acronym that stands for Process for Attack Simulation and Threat Analysis. It is a 7-step risk-based threat modeling framework. |
DREAD | The DREAD model quantitatively assesses the severity of a cyber threat using a scaled rating system that assigns numerical values to risk categories. |
STRIDE | The STRIDE threat model is a developer-focused model to identify and classify threats under 6 types of attacks – Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service DoS, and Elevation of privilege. |
White Hat – Black Hat | White hat – Black Hat are terms to describe the ‘good guys’ and ‘bad guys’ in the world of cybercrime. Blackhats are hackers with criminal intentions. White-hats are hackers who use their skills and talents for good and work to keep data safe from other hackers by finding system vulnerabilities that can be fixed. |
WAF | A Web Application Firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application’s known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration. |
Vulnerability | Vulnerabilities are weaknesses in software programs that can be exploited by hackers to compromise computers. |
DevSecOps | DevSecOps—short for development, security, and operations—automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. |
References:
https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats
