Fundamentals of Security

 Information Security: Protecting data and information from

unauthorized access, modification, disruption, disclosure, and
destruction
 Information Systems Security: Protecting the systems (e.g.,
computers, servers, network devices) that hold and process critical
data

CIA Triad
 Confidentiality: Ensures information is accessible only to
authorized personnel (e.g., encryption)
 Integrity: Ensures data remains accurate and unaltered (e.g.,
checksums)
 Availability: Ensures information and resources are accessible
when needed (e.g., redundancy measures)

Non-Repudiation
 Guarantees that an action or event cannot be denied by the
involved parties (e.g., digital signatures)

CIANA Pentagon
 An extension of the CIA triad with the addition of non-repudiation
and authentication

Triple A’s of Security

 Authentication: Verifying the identity of a user or system (e.g.,
password checks)
 Authorization: Determining actions or resources an authenticated
user can access (e.g., permissions)
 Accounting: Tracking user activities and resource usage for audit
or billing purposes

Security Control Categories

 Technical, Managerial, Operational, Physical

Security Control Types

 Preventative, Deterrent, Detective, Corrective, Compensating,
Directive
Zero Trust Model
 Operates on the principle that no one should be trusted by default
 To achieve zero trust, we use the control plane and the data plane
o Control Plane: Adaptive identity, threat scope reduction,
policy-driven access control, and secured zones
o Data Plane: Subject/system, policy engine, policy
administrator, and establishing policy enforcement points

Threats and Vulnerabilities

 Threat: Anything that could cause harm, loss, damage, or
compromise to our information technology systems, including
natural disasters, cyber-attacks, data integrity breaches, and
disclosure of confidential information.
 Vulnerability: Any weakness in the system design or
implementation, originating from internal factors such as software
bugs, misconfigured software, improperly protected network
devices, missing security patches, and lack of physical security.
o Where threats and vulnerabilities intersect, that is where the
risk to your enterprise systems and networks lies. If you have
a threat but there is no matching vulnerability to it, then you
have no risk. Similarly, if you have a vulnerability but there’s
no threat against it, there would be no risk.
 Risk Management: Finding different ways to minimize the
likelihood of an outcome and achieve the desired outcome.

Confidentiality
 Confidentiality: Refers to the protection of information from
unauthorized access and disclosure, ensuring that private or
sensitive information is not available or disclosed to unauthorized
individuals, entities, or processes.
o Confidentiality is important for three main reasons: to protect
personal privacy, to maintain a business advantage, and to
achieve regulatory compliance.
o To ensure confidentiality, we use five basic methods:
 Encryption: Process of converting data into a code to
prevent unauthorized access.
 Access Controls: By setting up strong user
permissions, you ensure that only authorized personnel
can access certain types of data.
 Data Masking: Method that involves obscuring specific
data within a database to make it inaccessible for
unauthorized users while retaining the real data's
authenticity and use for authorized users.
  Physical Security Measures: Ensure confidentiality
for both physical types of data, such as paper records
stored in a filing cabinet, and for digital information
contained on servers and workstations.
 Training and Awareness: Conduct regular training on
the security awareness best practices that employees
can use to protect their organization’s sensitive data.

Integrity
 Integrity: Helps ensure that information and data remain accurate
and unchanged from its original state unless intentionally modified
by an authorized individual
o Verifies the accuracy and trustworthiness of data over the
entire lifecycle
o Integrity is important for three main reasons:
 To ensure data accuracy
 To maintain trust
 To ensure system operability
o To help us maintain the integrity of our data, systems, and
networks, we usually utilize five methods:
 Hashing: Process of converting data into a fixed-size
value
 Digital Signatures: Ensure both integrity and
authenticity
 Checksums: Method to verify the integrity of data
during transmission
 Access Controls: Ensure that only authorized
individuals can modify data and this reduces the risk of
unintentional or malicious alterations
 Regular Audits: Involve systematically reviewing logs
and operations to ensure that only authorized changes
have been made, and any discrepancies are
immediately addressed

Availability
 Availability: Ensure that information, systems, and resources are
accessible and operational when needed by authorized users. As
cybersecurity professionals, we value availability since it can help us
with ensuring business continuity, maintaining customer trust, and
upholding an organization's reputation. To overcome the challenges
associated with maintaining availability, the best strategy is to use
redundancy in your systems and network designs.
  Redundancy: Duplication of critical components or functions of a
system with the intention of enhancing its reliability.
 There are various types of redundancy you need to consider when
designing your systems and networks:
o Server Redundancy: Involves using multiple servers in a
load balanced or failover configuration so that if one is
overloaded or fails, the other servers can take over the load to
continue supporting your end users.
o Data Redundancy: Involves storing data in multiple places.
o Network Redundancy: Ensures that if one network path
fails, the data can travel through another route.
o Power Redundancy: Involves using backup power sources,
like generators and UPS systems.

Non-repudiation
 Non-repudiation: Focused on providing undeniable proof in the
world of digital transactions. Security measure that ensures
individuals or entities involved in a communication or transaction
cannot deny their participation or the authenticity of their actions.
o Digital Signatures: Considered to be unique to each user
who is operating within the digital domain. Created by first
hashing a particular message or communication that you want
to digitally sign, and then it encrypts that hash digest with the
user’s private key using asymmetric encryption.
 Non-repudiation is important for three main reasons: to confirm the
authenticity of digital transactions, to ensure the integrity of critical
communications, and to provide accountability in digital processes.

Authentication
 Authentication: Security measure that ensures individuals or
entities are who they claim to be during a communication or
transaction.
o 5 commonly used authentication methods:
 Something you know (Knowledge Factor): Relies on
information that a user can recall.
 Something you have (Possession Factor): Relies on
the user presenting a physical item to authenticate
themselves.
 Something you are (Inherence Factor): Relies on
the user providing a unique physical or behavioral
characteristic of the person to validate that they are
who they claim to be.
 Something you do (Action Factor): Relies on the
user conducting a unique action to prove who they are.
  Somewhere you are (Location Factor): Relies on the
user being in a certain geographic location before
access is granted.
o Multi-Factor Authentication System (MFA): Security
process that requires users to provide multiple methods of
identification to verify their identity.
 Authentication is critical to understand because of the following: to
prevent unauthorized access, to protect user data and privacy, and
to ensure that resources are accessed by valid users only.

Authorization
 Authorization: Pertains to the permissions and privileges granted
to users or entities after they have been authenticated.
Authorization mechanisms are important to help us with protecting
sensitive data, maintain system integrity in our organizations, and
create a more streamlined user experience.

Accounting
 Accounting: Security measure that ensures all user activities
during a communication or transaction are properly tracked and
recorded. Your organization should use a robust accounting system
so that you can create an audit trail, maintain regulatory
compliance, conduct forensic analysis, perform resource
optimization, and achieve user accountability.
o To perform accounting, we usually use different technologies
like the following:
 Syslog Servers: Used to aggregate logs from various
network devices and systems so that system
administrators can analyze them to detect patterns or
anomalies in the organization’s systems.
 Network Analysis Tools: Used to capture and analyze
network traffic so that network administrators can gain
detailed insights into all the data moving within a
network.
 Security Information and Event Management
(SIEM) Systems: Provides us with real-time analysis of
security alerts generated by various hardware and
software infrastructure in an organization.

Security Control Categories

 4 Broad Categories of Security Controls:
o Technical Controls: Technologies, hardware, and software
mechanisms that are implemented to manage and reduce
risks.
 o Managerial Controls: Sometimes also referred to as
administrative controls, involve the strategic planning and
governance side of security.
o Operational Controls: Procedures and measures that are
designed to protect data on a day-to-day basis, mainly
governed by internal processes and human actions.
o Physical Controls: Tangible, real-world measures taken to
protect assets.

Security Control Types

 6 Basic Types of Security Controls:
o Preventive Controls: Proactive measures implemented to
thwart potential security threats or breaches.
o Deterrent Controls: Discourage potential attackers by
making the effort seem less appealing or more challenging.
o Detective Controls: Monitor and alert organizations to
malicious activities as they occur or shortly thereafter.
o Corrective Controls: Mitigate any potential damage and
restore our systems to their normal state.
o Compensating Controls: Alternative measures that are
implemented when primary security controls are not feasible
or effective.
o Directive Controls: Guide, inform, or mandate actions, often
rooted in policy or documentation and set the standards for
behavior within an organization.

Gap Analysis
 Gap Analysis: Process of evaluating the differences between an
organization's current performance and its desired performance.
Conducting a gap analysis can be a valuable tool for organizations
looking to improve their operations, processes, performance, or
overall security posture. There are several steps involved in
conducting a gap analysis: Define the scope of the analysis, Gather
data on the current state of the organization, Analyze the data to
identify any areas where the organization's current performance
falls short of its desired performance, Develop a plan to bridge the
gap.
 2 Basic Types of Gap Analysis:
i. Technical Gap Analysis: Involves evaluating an organization's
current technical infrastructure, identifying any areas where it
falls short of the technical capabilities required to fully utilize
their security solutions.
ii. Business Gap Analysis: Involves evaluating an organization's
current business processes, identifying any areas where they
 fall short of the capabilities required to fully utilize cloud-
based solutions.
 Plan of Action and Milestones (POA&M):

o Outlines the specific measures to address each vulnerability.

o Allocate resources.
o Set up timelines for each remediation task that is needed.

Zero Trust
 Zero Trust: Demands verification for every device, user, and
transaction within the network, regardless of its origin. To create a
zero trust architecture, we need to use two different planes:
i. Control Plane: Refers to the overarching framework and set of
components responsible for defining, managing, and enforcing
the policies related to user and system access within an
organization. It typically encompasses several key elements:
Adaptive Identity (Relies on real-time validation that takes into
account the user's behavior, device, location, and more).
ii. Data Plane:
 Threat Scope Reduction: Limits the users’ access to
only what they need for their work tasks because this
reduces the network’s potential attack surface. Focused
on minimizing the "blast radius" that could occur in the
event of a breach.
 Policy-Driven Access Control: Entails developing,
managing, and enforcing user access policies based on
their roles and responsibilities.
 Secured Zones: Isolated environments within a
network that are designed to house sensitive data.
Ensures the policies are properly executed.

o Data plane consists of the following:

 Subject/System: Refers to the individual or entity
attempting to gain access.
 Policy Engine: Cross-references the access request
with its predefined policies.
 Policy Administrator: Used to establish and manage
the access policies.
 Policy Enforcement Point: Where the decision to
grant or deny access is actually executed.

Threat Actor Motivations

 Data Exfiltration, Blackmail, Espionage, Service Disruption, Financial
Gain, Philosophical/Political Beliefs, Ethical Reasons, Revenge,
Disruption/Chaos, War
Threat Actor Attributes
 Internal vs. External Threat Actors
 Differences in resources and funding,
 Level of sophistication

Types of Threat Actors

 Unskilled Attackers: Limited technical expertise, use readily
available tools
 Hacktivists: Driven by political, social, or environmental ideologies
 Organized Crime: Execute cyberattacks for financial gain (e.g.,
ransomware, identity theft)
 Nation-state Actor: Highly skilled attackers sponsored by
governments for cyber espionage or warfare
 Insider Threats: Security threats originating from within the
organization
 Shadow IT: IT systems, devices, software, or services managed
without explicit organizational approval

Threat Vectors and Attack Surfaces

 Message-based, Image-based, File-based, Voice Calls, Removable
Devices, Unsecured Networks

Deception and Disruption Technologies

 Honeypots: Decoy systems to attract and deceive attackers
 Honeynets: Network of decoy systems for observing complex
attacks
 Honeyfiles: Decoy files to detect unauthorized access or data
breaches
 Honeytokens: Fake data to alert administrators when accessed or
used

Threat Actor Motivations

 Threat Actors Intent: Specific objective or goal that a threat actor
is aiming to achieve through their attack
 Threat Actors Motivation: Underlying reasons or driving forces
that pushes a threat actor to carry out their attack
 Different motivations behind threat actors:
o Data Exfiltration: Unauthorized transfer of data from a
computer
 o Financial Gain: Achieved through various means, such as
ransomware attacks, or through banking trojans that allow
them to steal financial information in order to gain
unauthorized access into the victims' bank accounts
o Blackmail: The attacker obtains sensitive or compromising
information about an individual or an organization and
threatens to release this information to the public unless
certain demands are met
o Service Disruption: Some threat actors aim to disrupt the
services of various organizations, either to cause chaos, make
a political statement, or to demand a ransom
o Philosophical or Political Beliefs: Attacks that are
conducted due to the philosophical or political beliefs of the
attackers is known as hacktivism
o Ethical Reasons: Contrary to malicious threat actors, ethical
hackers, also known as Authorized hackers, are motivated by
a desire to improve security
o Revenge: It can also be a motivation for a threat actor that
wants to target an entity that they believe has wronged them
in some way
o Disruption or Chaos: Creating and spreading malware to
launching sophisticated cyberattacks against the critical
infrastructure in a populated city
o Espionage: Spying on individuals, organizations, or nations to
gather sensitive or classified information
o War: Cyber warfare can be used to disrupt a country's
infrastructure, compromise its national security, and to cause
economic damage

Threat Actor Attributes

 2 Most Basic Attributes of a Threat Actor:
o Internal Threat Actors: Individuals or entities within an
organization who pose a threat to its security
o External Threat Actors: Individuals or groups outside an
organization who attempt to breach its cybersecurity defenses
 Resources and funding available to the specific threat actor:
o Tools, skills, and personnel at the disposal of a given threat
actor
 Level of sophistication and capability of the specific threat
actor:
o Refers to their technical skill, the complexity of the tools and
techniques they use, and their ability to evade detection and
countermeasures
o In the world of cybersecurity, we usually classify the lowest-
skilled threat actors as "script kiddies"
  Script Kiddie: Individual with limited technical
knowledge, uses pre-made software or scripts to exploit
computer systems and networks
o Nation-state actors, Advanced Persistent Threats, and others
have high levels of sophistication and capabilities and possess
advanced technical skills, using sophisticated tools and
techniques

Unskilled Attackers
 Unskilled Attacker(Script Kiddie): Individual who lacks the
technical knowledge to develop their own hacking tools or exploits
o These low-skilled threat actors need to rely on scripts and
programs that have been developed by others
 How do these unskilled attackers cause damage?
o One way is to launch a DDoS attack
 An unskilled attacker can simply enter in the IP address of the
system they want to target, and then click a button to launch an
attacker against that target

Hacktivists
 Hacktivists: Individuals or groups that use their technical skills to
promote a cause or drive social change instead of for personal gain
 Hacktivism: Activities in which the use of hacking and other cyber
techniques is used to promote or advance a political or social cause
o To accomplish their objectives, hacktivists use a wide range of
techniques to achieve their goals, including:
 Website Defacement: Form of electronic graffiti and is
usually treated as an act of vandalism
 Distributed Denial of Service (DDoS) Attacks:
Attempting to overwhelm the victim's systems or
networks so that they cannot be accessed by the
organization's legitimate users
 Doxing: Involves the public release of private
information about an individual or organization
 Leaking of Sensitive Data: Releasing sensitive data
to the public at large over the internet
o Hacktivists are primarily motivated by their ideological beliefs
rather than trying to achieve financial gains
o One of the most well-known hacktivist groups is known as
“Anonymous”, a loosely affiliated collective that has been
involved in numerous high-profile attacks over the years for
targeting organizations that they perceive as acting
unethically or against the public interest at large

Organized Crime
  Organized cybercrime groups are groups or syndicates that have
banded together to conduct criminal activities in the digital world
o Sophisticated and well-structured, they use resources and
technical skills for illicit gain
o In terms of their technical capabilities, organized crime groups
possess a very high level of technical capability and they often
employ advanced hacking techniques and tools such as:
 Custom Malware, Ransomware, Sophisticated Phishing
Campaigns
o These criminal groups will engage in a variety of illicit
activities to generate revenue for their members, including:
 Data Breaches, Identity Theft, Online Fraud,
Ransomware Attacks
o Unlike hacktivists or nation-state actors, organized cybercrime
groups are not typically driven by ideological or political
objectives
 These groups may be hired by other entities, including
governments, to conduct cyber operations and attacks
on their behalf
o Money, not other motivations, is the objective of their attacks
even if the attack takes place in the political sphere

Nation-state Actor
 Nation-state Actor: Groups or individuals that are sponsored by a
government to conduct cyber operations against other nations,
organizations, or individuals
o Sometimes, these threat actors attempt what is known as a
false flag attack
o False Flag Attack: Attack that is orchestrated in such a way
that it appears to originate from a different source or group
than the actual perpetrators, with the intent to mislead
investigators and attribute the attack to someone else
o Nation-state actors possess advanced technical skills and
extensive resources, and they are capable of conducting
complex, coordinated cyber operations that employ a variety
of techniques such as:
 Creating custom malware, Using zero-day exploits,
Becoming an advanced persistent threats
 Advanced Persistent Threat (APT)*: Term that used to be used
synonymously with a nation-state actor because of their long-term
persistence and stealth - A prolonged and targeted cyberattack in
which an intruder gains unauthorized access to a network and
remains undetected for an extended period while trying to steal
data or monitor network activities rather than cause immediate
damage - These advanced persistent threats are often sponsored by
a nation-state or its proxies, like organized cybercrime groups
  What motivates a nation-state actor? Nation-state actors are
motivated to achieve their long-term strategic goals, and they are
not seeking financial gain

Insider Threats
 Insider Threats: Cybersecurity threats that originate from within
the organization. Insider threats can take various forms such as
Data Theft, Sabotage, or Misuse of access privileges.
o Each insider threat is driven by different motivations. Some
are driven by financial gain and they want to profit from the
sale of sensitive organizational data to others.
o Some may be motivated by revenge and are aiming to harm
the organization due to some kind of perceived wrong levied
against the insider. Some may take action as a result of
carelessness or a lack of awareness of cybersecurity best
practices.
o Insider threat refers to the potential risk posed by individuals
within an organization who have access to sensitive
information and systems, and who may misuse this access for
malicious or unintended purposes.
o To mitigate the risk of an insider threat being successful,
organizations should implement the following: Zero-trust
architecture, employ robust access controls, conduct regular
audits, and provide effective employee security awareness
programs.

Shadow IT
 Shadow IT: Use of information technology systems, devices,
software, applications, and services without explicit organizational
approval.
o Shadow IT exists because an organization's security posture is
set too high or is too complex for business operations to occur
without being negatively affected.
 Bring Your Own Devices (BYOD) involves the use of personal
devices for work purposes.

Threat Vectors and Attack Surfaces

 Threat Vector: Means or pathway by which an attacker can gain
unauthorized access to a computer or network to deliver a malicious
payload or carry out an unwanted action.
 Attack Surface encompasses all the various points where an
unauthorized user can try to enter data to or extract data from an
environment.
o It can be minimized by restricting access, removing
unnecessary software, and disabling unused protocols.
o Think of threat vector as the "how" of an attack, whereas the
attack surface is the "where" of the attack.
o There are several different threat vectors that could be used
to attack your enterprise networks such as Messages, Images,
Files, Voice Calls, Removable Devices, and insecure networks.
 Messages: Message-based threat vectors include
threats delivered via email, simple message service
(SMS text messaging), or other forms of instant
messaging. Phishing campaigns are commonly used as
part of a message-based threat vector when an attacker
impersonates a trusted entity to trick its victims into
revealing their sensitive information to the attacker.
 Images: Image-based threat vectors involve the
embedding of malicious code inside of an image file by
the threat actor.
 Files: The files, often disguised as legitimate documents
or software, can be transferred as email attachments,
through file-sharing services, or hosted on a malicious
website.
 Voice Calls: Vhishing involves the use of voice calls to
trick victims into revealing their sensitive information to
an attacker.
 Removable Devices: One common technique used
with removable devices is known as baiting. Baiting
involves an attacker leaving a malware-infected USB
drive in a location where their target might find it, such
as in the parking lot or the lobby of the targeted
organization.
 Unsecure Networks: Unsecure networks include
wireless, wired, and Bluetooth networks that lack the
appropriate security measures to protect these
networks. Exploiting vulnerabilities in the Bluetooth
protocol, an attacker can carry out their attacks using
techniques like the BlueBorne or BlueSmack exploits.
 BlueBorne: Set of vulnerabilities in Bluetooth
technology that can allow an attacker to take over
devices, spread malware, or even establish an on-
path attack to intercept communications without
any user interaction.
 BlueSmack: Type of Denial of Service attack that
targets Bluetooth-enabled devices by sending a
specially crafted Logical Link Control and
Adaptation Protocol packet to a target device.
Outsmarting Threat Actors
 Tactics, Techniques, and Procedures (TTPs): Specific methods
and patterns of activities or behaviors associated with a particular
threat actor or group of threat actors
 Deceptive and Disruption Technologies: Technologies designed
to mislead, confuse, and divert attackers from critical assets while
simultaneously detecting and neutralizing threats
o Honeypots: Decoy system or network set up to attract
potential hackers
o Honeynets: Network of honeypots to create a more complex
system that is designed to mimic an entire network of
systems, including servers, routers, and switches
o Honeyfiles: Decoy file placed within a system to lure in
potential attackers
o Honeytokens: Piece of data or a resource that has no
legitimate value or use but is monitored for access or use
 Some disruption technologies and strategies to help secure
our enterprise networks:
o Bogus DNS entries: Fake Domain Name System entries
introduced into your system's DNS server
o Creating decoy directories: Fake folders and files placed
within a system's storage
o Dynamic page generation: Effective against automated
scraping tools or bots trying to index or steal content from
your organization's website
o Use of port triggering to hide services:
 Port Triggering: Security mechanism where specific
services or ports on a network device remain closed
until a specific outbound traffic pattern is detected
o Spoofing fake telemetry data: When a system detects a
network scan is being attempted by an attacker, it can be
configured to respond by sending out fake telemetry or
network data

Physical Security
Measures to protect tangible assets (buildings, equipment, people) from
harm or unauthorized access.

Security Controls
Measures to protect tangible assets (buildings, equipment, people) from
harm or unauthorized access.
Fencing and Bollards
Barriers made of posts and wire or boards to enclose or separate areas.

 Bollards: Short, sturdy vertical posts controlling or preventing vehicle

access.
 Fences: Barriers made of posts and wire or boards to enclose or separate
areas.

Brute Force Attacks

Forcible entry, tampering with security devices, confronting security
personnel, ramming a barrier with a vehicle.

Surveillance Systems
An organized strategy to observe and report activities. Components: Video
surveillance.

Security Guards
Lighting
 Sensors
 Access Control Vestibules
o Double-door system electronically controlled to allow only one door
open at a time.
o Prevents piggybacking and tailgating.
 Door Locks: Padlocks, Pin and tumbler locks, Numeric locks, Wireless locks,
Biometric locks, Cipher locks, Electronic access control systems
 Access Badges
o Use of Radio Frequency Identification (RFID) or Near Field
Communication (NFC) for access.

Fencing and Bollards

Primitive tools employed to safeguard assets and people.

Fence
Structure that encloses an area using interconnected panels or posts.

 Provides a visual deterrent by defining a boundary that should not be

violated by unauthorized personnel.
 Establishes a physical barrier against unauthorized entry.
 Effectively delays intruders, providing security personnel with a longer
reaction time.

Bollards
Robust, short vertical posts, typically made of steel or concrete, designed
to manage or redirect vehicular traffic.

 Fencing is adaptable and suited for safeguarding large perimeters.

  Bollards counter vehicular threats in a specific area.

Attacking with Brute Force

Brute Force: Type of attack where access to a system is gained by
simply trying all of the possibilities until you break through. In terms of
physical security, brute force focuses on the following:

Forcible Entry: Act of gaining unauthorized access to a space by

physically breaking or bypassing its barriers, such as windows, doors, or
fences. Use high-strength doors with deadbolt locks, metal frames, or a
solid core.

Tampering with security devices: Involves manipulating security

devices to create new vulnerabilities that can be exploited. To protect
against tampering with security devices, have redundancy in physical
security measures.

Confronting security personnel: Involves the direct confrontation or

attack of your organization's security personnel. Security personnel should
undergo rigorous conflict resolution and self-defense training to mitigate
risks.

Ramming barriers with vehicles: Uses a car, truck, or other motorized

vehicle to ram into the organization's physical security barriers, such as a
fence, a gate, or even the side of your building. Install bollards or
reinforced barriers to prevent vehicles from driving into your facilities.

Surveillance Systems
Surveillance System: Organized strategy or setup designed to observe
and report activities in a given area. Surveillance is often comprised of
four main categories:

Video Surveillance: Can include motion detection, night vision, and

facial recognition. Provides real-time visual feedback. A wired solution
security camera is physically cabled from the device back to the central
monitoring station. A wireless solution relies on Wi-Fi to send its signal
back to the central monitoring station.

Pan-Tilt-Zoom (PTZ) System: Can move the camera or its angle to

better detect issues during an intrusion. Best places to have cameras:
data center, telecommunications closets, entrance or exit areas. Cameras
should be configured to record what they’re observing.

Security Guards: Flexible and adaptable forms of surveillance that

organizations use. Helps to reassure your staff or your customers that
they are safe.
Lighting: Proper lighting is crucial for conducting effective surveillance
using both video and security guards. If you create well-lit areas, this can
deter criminals, reduce shadows and hiding spots, and enhance the
quality of your video recordings.

Sensors: Devices that detect and respond to external stimuli or changes

in the environment. There are four categories of sensors:

Infrared Sensors: Detect changes in infrared radiation that is often

emitted by warm bodies like humans or animals.

Pressure Sensors: Activated whenever a specified minimum amount of

weight is detected on the sensor that is embedded into the floor or a mat.

Microwave Sensors: Detect movement in an area by emitting

microwave pulses and measuring their reflection off moving objects.

Ultrasonic Sensors: Measure the reflection of ultrasonic waves off

moving objects.

Bypassing Surveillance Systems

Different methods used by attackers to bypass your organization's
surveillance systems.

Visual Obstruction
Blocking the camera’s line of sight.

 Spraying paint or foam onto the camera lens.

 Placing a sticker or tape over the lens.
 Positioning objects like balloons or umbrellas in front of the camera to
block its view.

Blinding Sensors and Cameras

Overwhelming the sensor or camera with a sudden burst of light to render
it ineffective for a limited period of time.

Interfering with Acoustics

Jamming or playing loud music to disrupt the microphone’s functionality.

Interfering with Electromagnetic

Involves jamming the signals that surveillance system relies on to monitor
the environment.

Attacking the Physical Environment

Exploit the environment around the surveillance equipment to
compromise their functionality.
  Physical tampering, like cutting wires or physically disabling devices, is an
effective strategy to bypass surveillance systems.
 Modern systems are equipped with countermeasures to help protect
surveillance systems.

Access Control Vestibules

Double-door system that is designed with two doors that are electronically
controlled to ensure that only one door can be open at a given time.
These access control vestibules can also help prevent piggybacking and
tailgating.

Piggybacking
Involves two people working together with one person who has legitimate
access intentionally allows another person who doesn't have proper
authorization to enter a secure area with them.

Tailgating
Occurs whenever an unauthorized person closely follows someone
through the access control vestibule who has legitimate access into the
secure space without their knowledge or consent. The key difference
between Piggybacking and Tailgating:

 Piggybacking uses social engineering to gain consent of the person with

legitimate access.
 Tailgating doesn’t use or obtain the consent of the person with legitimate
access.
 Access control vestibules are usually integrated with electronic badges
and operated by a security guard at the entrance to a secure facility or
office building.
 Badges contain RFID (Radio-Frequency Identification), NFC (Near-field
Communication), Magnetic strips.
 Security guards are often at access control vestibules because they
provide visual deterrent, assistance, check identity, and response.

Door Locks
Door Locks: Critical physical security control measure designed to
restrict and regulate access to specific spaces or properties, preventing
unauthorized intrusions and safeguarding sensitive data and individuals.

 Types of Door Locks:

 Traditional Padlocks: Easily defeated and offer minimal protection.
 Basic Door Locks: Vulnerable to simple techniques like lock picking.
 Modern Electronic Door Locks:
 Utilize various authentication methods for enhanced security.
o Authentication Methods:
  Identification Numbers: Require entry of a unique code,
providing a balance of security and convenience.
 Wireless Signals: Utilize technologies like NFC, Wi-Fi,
Bluetooth, or RFID for unlocking.
 Biometrics: Rely on physical characteristics like fingerprints,
retinal scans, or facial recognition for authentication.
 Biometric Challenges:
 False Acceptance Rate (FAR): Occurs when the system
erroneously authenticates an unauthorized user. Lower
FAR by increasing scanner sensitivity.
 False Rejection Rate (FRR): Denies access to an
authorized user. Adjusting sensitivity can increase FRR.
 Crossover Error Rate (CER): A balance between FAR
and FRR for optimal authentication effectiveness.
 Some electronic door locks use multiple factors, such as an identification
number and fingerprint, to increase security.
 Cipher Locks:
o Mechanical locks with numbered push buttons, requiring a correct
combination to open. Commonly used in high-security areas like
server rooms.
o Secure entry areas in office buildings, often using electronic access
systems with badges and PINs for authentication.

Access Badge Cloning

 Radio Frequency Identification (RFID) and Near Field Communication (NFC)
are popular technologies used for contactless authentication in various
applications.
 Access Badge Cloning: Copying the data from an RFID or NFC card or
badge onto another card or device.
 How does an attacker clone an access badge?
o Step 1: Scanning: Scanning or reading the targeted individual’s
access badge.
o Step 2: Data Extraction: Attackers extract the relevant
authentication credentials from the card, such as a unique identifier
or a set of encrypted data.
o Step 3: Writing to a new card or device: Attacker will then transfer
the extracted data onto a blank RFID or NFC card or another
compatible device.
o Step 4: Using the cloned access badge: Attackers gain unauthorized
access to buildings, computer systems, or even make payments
using a cloned NFC-enabled credit card.
 Access badge cloning is common because of its:
o Ease of execution.
o Ability to be stealthy when conducting the attack.
o Potentially widespread use in compromising physical security.
 How can you stop access badge cloning?
o Implement advanced encryption in your card-based authentication
systems.
o Implement Multi-Factor Authentication (MFA).
 o Regularly update your security protocols.
o Educate your users.
o Implement the use of shielded wallets or sleeves with your RFID
access badges.
 Monitor and audit your access logs.

Social Engineering
Manipulative strategy exploiting human psychology for unauthorized
access to systems, data, or physical spaces.

 Motivational Triggers used by Social Engineers:

o Familiarity and Likability
o Consensus and Social Proof
o Authority and Intimidation
o Scarcity and Urgency

Social Engineering Techniques:

 Impersonation: Pretending to be someone else. Includes brand
impersonation, typo-squatting, and watering hole attacks.
 Pretexting: Creating a fabricated scenario to manipulate targets.
Impersonating trusted figures to gain trust.
 Phishing: (Types of Phishing Attacks): Phishing, Vishing, Smishing,
Spear Phishing, Whaling, Business Email Compromise
 Frauds and Scams: Deceptive practices to deceive people into parting
with money or valuable information. Identifying and training against frauds
and scams.
 Influence Campaigns: Spreading misinformation and disinformation,
impacting politics, economics, etc.
 Other Social Engineering Attacks: Diversion Theft, Hoaxes, Shoulder
Surfing, Dumpster Diving, Eavesdropping, Baiting, Piggybacking, Tailgating

Motivational Triggers
Six main types of motivational triggers that social engineers use:

 Authority: Most people are willing to comply and do what you tell them to
do if they believe it is coming from somebody who is in a position of
authority to make that request.
 Urgency: Compelling sense of immediacy or time-sensitivity that drives
individuals to act swiftly or prioritize certain actions.
 Social Proof: Psychological phenomenon where individuals look to the
behaviors and actions of others to determine their own decisions or
actions in similar situations.
 Scarcity: Psychological pressure people feel when they believe a product,
opportunity, or resource is limited or in short supply.
  Likability: Most people want to interact with people they like, and social
engineers realize this. Can be sexual attraction, pretending to be a friend,
or common interest.
 Fear: These types of attacks generally are focused on "if you don't do
what I tell you, then this bad thing is going to happen to you".

Impersonation
 Attack where an adversary assumes the identity of another person to gain
unauthorized access to resources or steal sensitive data.
 Requires the attacker to collect information about the organization so that
they can more easily earn the trust of their targeted users.
 Attackers provide details to help make the lies and the impersonation
more believable to a potential victim.

Consequences:
Unauthorized access, Disruption of services, Complete system takeover

 To mitigate against these types of attacks, organizations must provide

security awareness training to their employees on a regular basis so that
they remain vigilant against future attacks.

Brand Impersonation:
More specific form of impersonation where an attacker pretends to
represent a legitimate company or brand.

 Attackers use the brand’s logos, language, and information to create

deceptive communications or website.
 To protect against brand impersonation, organizations should do the
following:
o Educate their users about these types of threats
o Use secure email gateways to filter out phishing emails
o Regularly monitor their brand's online presence to detect any
fraudulent activities as soon as they occur.

Typosquatting:
Also known as URL hijacking or cybersquatting.

 Form of cyber attack where an attacker will register a domain name that is
similar to a popular website but contains some kind of common
typographical errors.
 To combat typosquatting, organizations will often do the following:
o Register common misspellings of their own domain names
o Use services that monitor for similar domain registrations
o Conduct user security awareness training to educate users about
the risks of typosquatting.

Watering Hole Attacks:

A targeted form of cyber attack where attackers compromise a specific
website or service that their target is known to use.

 In the world of cybersecurity, the "watering hole" the attacker chooses to

utilize will usually be a trusted website or online service.
 To mitigate watering hole attacks, organizations should do the
following:
o Keep their systems and software updated
o Use threat intelligence services to stay informed about new threats
o Employ advanced malware detection and prevention tools

Pretexting
 Gives some amount of information that seems true so that the victim will
give more information.
 Mitigation involves training the employees not to fall for pretext and not to
fill in the gaps for people when they are calling.

Phishing Attacks
 Phishing: Sending fraudulent emails that appear to be from
reputable sources with the aim of convincing individuals to reveal
personal information, such as passwords and credit card numbers.

 Spear Phishing: More targeted form of phishing that is used by

cybercriminals who are more tightly focused on a specific group of
individuals or organizations. Has a higher success rate.

 Whaling: Form of spear phishing that targets high-profile

individuals, like CEOs or CFOs. Often used as an initial step to
compromise an executive’s account for subsequent attacks within
their organization.

 Business Email Compromise (BEC): A sophisticated type of

phishing attack that usually targets businesses by using one of their
internal email accounts to get other employees to perform some
kind of malicious actions on behalf of the attacker.

 Vishing (Voice Phishing): Attacker tricks their victims into sharing

personal or financial information over the phone.

 Smishing (SMS Phishing): Involves the use of text messages to

trick individuals into providing their personal information.

Preventing Phishing Attacks

 By implementing the right strategies and providing user security
awareness training, the threat of a successful phishing campaign against
your organization can be mitigated effectively.
  Anti-phishing Campaign: Essential user security awareness training tool
that can be used to educate individuals about the risks of phishing and
how to best identify potential phishing attempts. Should offer remedial
training for users who fell victim to simulated phishing emails.
 To help prevent phishing, your organization should regularly conduct user
security awareness training that contains coverage of the various phishing
techniques, along with other relevant cyber threats and attacks that may
affect your organization.
 Commonly used key indicators associated with phishing attacks:
o Urgency: Phishing emails often create a sense of urgency by
prompting the recipient to act immediately.
o Unusual Requests: Treat emails requesting sensitive information
with suspicion.
o Mismatched URLs: Always hover over links in emails to check if
the displayed text matches the actual URL.
 Strange Email Addresses: If the real email address and the displayed
email address don't match, treat the email as suspicious and possibly part
of a phishing campaign.
 Poor Spelling or Grammar: Emails with poor grammar or spelling errors
are likely part of a phishing campaign.

Mitigation:

 Training
 Report suspicious messages to protect your organization from potential
phishing attacks
 Analyze the threat
 Inform all users about the threat
 If the phishing email was opened, conduct a quick investigation and triage
the user’s system
 An organization should revise its security measures for every successful
phishing attack.

Frauds and Scams

Fraud:
Wrongful or criminal deception that is intended to result in financial or
personal gain for the attacker. One of the most common types of fraud
that you will see online is known as identity fraud or identity theft.

 Identity Fraud and Identity Theft: Involves the use of another person's
personal information without their authorization to commit a crime or to
deceive or defraud that other person or some other third party.
 Difference between identity fraud and identity theft:
o In identity fraud, the attacker takes the victim’s credit card number
and charges items to the card.
o In identity theft, the attacker tries to fully assume the identity of
their victim.
Scams:
Fraudulent or deceptive act or operation.

 Most common scam is called the invoice scam.

 Invoice Scam: In which a person is tricked into paying for a fake invoice
for a product or service that they did not actually order.

Influence Campaigns
 Influence Campaigns: Coordinated efforts to affect public perception or
behavior towards a particular cause, individual, or group.
o Are a powerful tool for shaping public opinion and behavior.
o Foster misinformation and disinformation.
 Misinformation: False or inaccurate information shared without harmful
intent.
 Disinformation: Involves the deliberate creation and sharing of false
information with the intent to deceive or mislead.
 Remember, misinformation and disinformation can have serious
consequences because they can undermine public trust in institutions, fuel
social divisions, and even influence the outcomes of elections.

Other Social Engineering Attacks

Some of the common other social engineering attacks:

 Diversion Theft: Involves manipulating a situation or creating a

distraction to steal valuable items or information.
 Hoaxes: Malicious deception that is often spread through social media,
email, or other communication channels. To prevent hoaxes, people must
fact-check and use good critical thinking skills.
 Shoulder Surfing: Involves looking over someone's shoulder to gather
personal information. To prevent shoulder surfing, users must be aware of
their surroundings when providing any sensitive information.
 Dumpster Diving: Involves searching through trash to find valuable
information. Commonly used to find discarded documents containing
personal or corporate information. Use clean desk and clean desktop
policies.
 Eavesdropping: Involves the process of secretly listening to private
conversations. Perpetrator intercepts the communication of parties
without their knowledge. Prevent this by encrypting data in transit.
 Baiting: Involves leaving a malware-infected physical device, like a USB
drive, in a place where it will be found by a victim, who will then hopefully
use the device to unknowingly install malware on their organization's
computer system. To prevent baiting, train users to not use devices they
find.
 Piggybacking and Tailgating: Involve an unauthorized person following
an authorized person into a secure area.
o Tailgating: Attacker attempts to follow an employee through an
access control vestibule or access control point without their
knowledge.
 o Piggybacking: Involves an attacker convincing an authorized
employee to let them into the facility by getting the authorized
employee to swipe their own access badge and allow the attacker
inside the facility.

Malware
Malicious software designed to infiltrate computer systems and potentially
damage them without user consent.

 Categories:
o Viruses
o Worms
o Trojans
o Ransomware
o Spyware
o Rootkits
o Spam

Threat Vector vs. Attack Vector:

 Threat Vector: Method used to infiltrate a victim's machine. Examples
include unpatched software, USB drive installation, and phishing
campaigns.
 Attack Vector: Means by which the attacker gains access and infects the
system. Combines both infiltration method and infection process.

Types of Malware Attacks:

Viruses: Attach to clean files, spread, and corrupt host files.

 Worms: Standalone programs replicating and spreading to other

computers.
 Trojans: Disguise as legitimate software, grant unauthorized access.
 Ransomware: Encrypts user data, demands ransom for decryption.
 Zombies and Botnets: Compromised computers remotely controlled in a
network for malicious purposes.
 Rootkits: Hide presence and activities on a computer, operate at the OS
level.
 Backdoors and Logic Bombs: Backdoors allow unauthorized access,
logic bombs execute malicious actions.
 Keyloggers: Record keystrokes, capture passwords or sensitive
information.
 Spyware and Bloatware: Spyware monitors and gathers user/system
information, bloatware consumes resources without value.
 Malware Techniques and Infection Vectors: Evolving from file-based
tactics to modern fileless techniques. Multi-stage deployment, leveraging
system tools, and obfuscation techniques.
Indications of Malware Attack: Recognizing signs like the
following:
- Account lockouts
- Concurrent session utilization
- Blocked content
- Impossible travel
- Resource consumption
- Inaccessibility
- Out-of-cycle logging
- Missing logs
- Documented attacks

Viruses
Computer Virus: Made up of malicious code that's run on a machine
without the user's knowledge, infecting the computer whenever it's run.

10 Different Types of Viruses:

 Boot Sector: Stored in the first sector of a hard drive, loaded into
memory during boot.
 Macro: Embedded inside another document to execute when opened by
the user.
 Program: Infect executables or application files with malicious code.
 Multipartite: Combination of a boot sector virus and a program virus.
 Encrypted: Hides itself by encrypting its code.
 Polymorphic: Changes its code to evade detection.
 Metamorphic: Rewrites itself entirely before infecting a file.
 Stealth: Prevents detection by antivirus software.
 Armored: Has protection layers to confuse analysis.
 Hoax: Attempts to scare users into undesirable actions.

Worms
Worm: Malicious software that can replicate itself without user
interaction, spreading throughout a network.

 Worms are dangerous as they:

o Infect workstations and other computing assets.
o Disrupt normal network traffic by constantly replicating and
spreading.

Trojans
Trojan: Disguised as harmless software, it performs malicious activities
when executed.

 Remote Access Trojan (RAT): Provides remote control of victim machines,

commonly used for data exfiltration and maintaining persistence.
Ransomware
Ransomware: Blocks access to computer systems or data by encrypting
it until a ransom is paid.

Protection Measures:

 Regular backups
 Software updates
 Security awareness training
 Multi-Factor Authentication (MFA)

Actions if Affected:

 Never pay the ransom.

 Disconnect infected machines from the network.
 Notify authorities.
 Restore data and systems from known good backups.

Zombies and Botnets

 Botnet: Network of compromised computers or devices controlled
remotely by malicious actors.
 Zombie: Name of a compromised computer or device that is part of a
botnet, used to perform tasks using remote commands from the attacker
without the user's knowledge.
 Command and Control Node: Computer responsible for managing and
coordinating the activities of other nodes or devices within a network.
 Botnets are used:
o As pivot points.
o To disguise the real attacker.
o To host illegal activities.
o To spam others by sending out phishing campaigns and other
malware.
 Most common use for a botnet is to conduct a DDoS (Distributed Denial-of-
Service) attack.
o Distributed Denial-of-Service (DDoS) Attack: Occurs when many
machines target a single victim and attack them at the exact same
time.
o Botnets are used by attackers to combine processing power to
break through different types of encryption schemes.
o Attackers usually only use about 20-25% of any zombie’s power.

Rootkits
Rootkit: Designed to gain administrative-level control over a given
computer system without being detected.
  The account with the highest level of permissions is called the
Administrator account.
o Allows the person to install programs, delete programs, open ports,
shut ports, and do whatever they want on that system.
 A computer system has several different rings of permissions throughout
the system.
o Ring 3 (Outermost Ring): Where user level permissions are used.
o Ring 0 (Innermost or Highest Permission Levels): Operating in Ring
0 is called “kernel mode”, allows control over device drivers, sound
card, video display, etc.
 When a rootkit is installed on a system, it tries to move from Ring 1 to
Ring 0 to hide from other functions of the operating system to avoid
detection.
 One technique used by rootkits to gain deeper access is DLL injection.
o DLL Injection: Technique used to run arbitrary code within the
address space of another process by forcing it to load a dynamic-
link library.
o Dynamic Link Library (DLL): Collection of code and data used by
multiple programs simultaneously for code reuse and
modularization.
 Shim: A piece of software code placed between two components to
intercept and redirect calls between them.
o Rootkits are powerful and difficult to detect because the operating
system is essentially blinded to them.
o To detect them, boot from an external device and scan the internal
hard drive using a good anti-malware scanning solution from a live
boot Linux distribution.

Backdoors and Logic Bombs

Backdoor:
Originally placed in computer programs to bypass normal security and
authentication functions, often by designers and programmers.

 Remote Access Trojan (RAT): Acts like a backdoor in modern networks,

placed by threat actors to maintain persistent access to a system.
 Easter egg: Hidden feature or novelty within a program, often inserted by
developers as an inside joke, but may contain significant vulnerabilities.

Logic Bombs:
Malicious code inserted into a program, which executes only when certain
conditions are met.

Keylogger
Keylogger: Software or hardware that records every keystroke made on
a computer or mobile device.

 Can be software-based or hardware-based.

 o Software Keyloggers: Malicious programs installed on a victim's
computer, often bundled with other software or delivered through
social engineering attacks.
o Hardware Keyloggers: Physical devices plugged into a computer,
resembling a USB drive or embedded within a keyboard cable.

Protection measures:

 Regular updates and patches.

 Quality antivirus and antimalware solutions.
 Phishing awareness training.
 Multi-factor authentication.
 Encryption of keystrokes.
 Physical checks of desktops, laptops, and servers.

Spyware and Bloatware

Spyware: Malicious software designed to gather and send information about a
user or organization without their knowledge.

 Installed through various methods such as bundling with other software or

deceptive pop-up ads.
 Protection: Use reputable antivirus and anti-spyware tools regularly
updated.

Bloatware: Pre-installed software on new computers or smartphones that users

did not request or need.

 Can waste storage space, slow down performance, and introduce security
vulnerabilities.
 Removal methods: Manual removal, bloatware removal tools, or clean OS
installation.

Malware Attack Techniques

Malware Exploitation Technique: Method by which malware
penetrates and infects a system.

 Some malware focuses on infecting system memory to leverage remote

procedure calls over the network.
 Modern malware often uses fileless techniques to avoid detection.
o Stage 1 Dropper or Downloader: Lightweight shellcode executed on
a system to retrieve additional portions of malware code.
 Dropper: Initiates or runs other malware forms within a
payload.
 Downloader: Retrieves additional tools post-initial infection.
 Shellcode: Lightweight code meant to execute an exploit on
a target.
 Stage 2: Downloader: Installs remote access Trojan for command and
control on the victimized system.
  Actions on Objectives: Execute primary objectives like data exfiltration or
file encryption.
 Concealment: Helps threat actors prolong unauthorized access by hiding
tracks and erasing log files.
 “Living off the Land”: Exploits standard tools for intrusions.

9 Common Indicators of Malware Attacks

 Account Lockouts: Malware, especially those designed for
credential theft or brute force attacks, can trigger multiple failed
login attempts that would result in a user’s account being locked
out.

 Concurrent Session Utilization: If you notice that a single user

account has multiple simultaneous or concurrent sessions open,
especially from various geographic locations.

 Blocked Content: If there is a sudden increase in the amount of

blocked content alerts you are seeing from your security tools.

 Impossible Travel: Refers to a scenario where a user's account is

accessed from two or more geographically separated locations in an
impossibly short period of time.

 Resource Consumption: If you are observing any unusual spikes

in CPU, memory, or network bandwidth utilization that cannot be
linked back to a legitimate task.

 Resource Inaccessibility: Ransomware

o Form of malware that encrypts user files to make them inaccessible

to the user.
o If a large number of files or critical systems suddenly become
inaccessible or if users receive messages demanding payment to
decrypt their data.

 Out-of-Cycle Logging: If you are noticing that your logs are being
generated at odd hours or during times when no legitimate activities
should be taking place (such as in the middle of the night when no
employees are actively working).

 Missing Logs: If you are conducting a log review as a cybersecurity

analyst and you see that there are gaps in your logs or if the logs
have been cleared without any authorized reason.

 Published or Documented Attacks: If a cybersecurity research or

reporter published a report that shows that your organization’s
network has been infected as part of a botnet or other malware-
based attack.
Data Protection
Safeguarding information from corruption, compromise, or loss

Data Classifications
Types include Sensitive, Confidential, Public, Restricted, Private, Critical

Data Ownership Roles

 Data Owners
 Data Controllers
 Data Processors
 Data Custodians
 Data Stewards

Data States
States include Data at rest, Data in transit, Data in use

 Protection Methods:
 Disk encryption
 Communication tunneling

Data Types
Data Types: Examples include Regulated data, Trade secrets, Intellectual
property, Legal information, Financial information, Human vs non-human
readable data

Data Sovereignty
Information subject to laws and governance structures within the nation it
is collected

Securing Data Methods

 Geographic Restrictions
 Encryption
 Hashing
 Masking

Tokenization
 Obfuscation
 Segmentation
 Permission Restriction

Data Loss Prevention (DLP)

Strategy to prevent sensitive information from leaving an organization
Data Classifications
Based on the value to the organization and the sensitivity of the
information, determined by the data owner

 Sensitive Data: Information that, if accessed by unauthorized persons,

can result in the loss of security or competitive advantage for a company.
Over classifying data leads to protecting all data at a high level.
 Importance of Data Classification: Helps allocate appropriate
protection resources, prevents over-classification to avoid excessive costs,
requires proper policies to identify and classify data accurately.

Commercial Business Classification Levels:

 Public: No impact if released; often publicly accessible data

 Sensitive: Minimal impact if released, e.g., financial data
 Private: Contains internal personnel or salary information
 Confidential: Holds trade secrets, intellectual property, source code, etc.
 Critical: Extremely valuable and restricted information

Government Classification Levels:

 Unclassified: Generally releasable to the public

 Sensitive but Unclassified: Includes medical records, personnel files, etc.
 Confidential: Contains information that could affect the government
 Secret: Holds data like military deployment plans, defensive postures
 Top Secret: Highest level, includes highly sensitive national security
information

 Legal Requirements: Depending on the organization's type, there

may be legal obligations to maintain specific data for defined
periods.

 Documentation: Organizational policies should clearly outline data

classification, retention, and disposal requirements.

 Note: Understanding data classifications and their proper handling is

vital for protecting sensitive information and complying with
relevant regulations.

Data Ownership
Process of identifying the individual responsible for maintaining the
confidentiality, integrity, availability, and privacy of information assets.

 Data Owner: A senior executive responsible for labeling information

assets and ensuring they are protected with appropriate controls.
  Data Controller: Entity responsible for determining data storage,
collection, and usage purposes and methods, as well as ensuring the
legality of these processes.
 Data Processor: A group or individual hired by the data controller to
assist with tasks like data collection and processing.
 Data Steward: Focuses on data quality and metadata, ensuring data is
appropriately labeled and classified, often working under the data owner.
 Data Custodian: Responsible for managing the systems on which data
assets are stored, including enforcing access controls, encryption, and
backup measures.
 Privacy Officer: Oversees privacy-related data, such as personally
identifiable information (PII), sensitive personal information (SPI), or
protected health information (PHI), ensuring compliance with legal and
regulatory frameworks.

 Data Ownership Responsibility: The IT department (CIO or IT

personnel) should not be the data owner; data owners should be
individuals from the business side who understand the data's
content and can make informed decisions about classification.

 Selection of Data Owners: Data owners should be designated

within their respective departments based on their knowledge of the
data and its significance within the organization.

 Note: Proper data ownership is essential for maintaining data

security, compliance, and effective data management within an
organization. Different roles contribute to safeguarding and
managing data appropriately.

Data States
Data at Rest:
Data stored in databases, file systems, or storage systems, not actively
moving.

Encryption Methods:

 Full Disk Encryption (FDE): Encrypts the entire hard drive.

 Partition Encryption: Encrypts specific partitions, leaving others
unencrypted.
 File Encryption: Encrypts individual files.
 Volume Encryption: Encrypts selected files or directories.
 Database Encryption: Encrypts data stored in a database at column, row,
or table levels.
 Record Encryption: Encrypts specific fields within a database record.
Data in Transit (Data in Motion):
Data actively moving from one location to another, vulnerable to
interception.

Transport Encryption Methods:

 SSL (Secure Sockets Layer) and TLS (Transport Layer Security): Secure
communication over networks, widely used in web browsing and email.
 VPN (Virtual Private Network): Creates secure connections over less secure
networks like the internet.
 IPSec (Internet Protocol Security): Secures IP communications by
authenticating and encrypting IP packets.

Data in Use:
Data actively being created, retrieved, updated, or deleted.

Protection Measures:

 Encryption at the Application Level: Encrypts data during processing.

 Access Controls: Restricts access to data during processing.
 Secure Enclaves: Isolated environments for processing sensitive data.
 Mechanisms like INTEL Software Guard: Encrypts data in memory to
prevent unauthorized access.

 Note: Understanding the three data states (data at rest, data in transit,
and data in use) and implementing appropriate security measures for each
is essential for comprehensive data protection.

Data Types
 Regulated Data: Controlled by laws, regulations, or industry
standards.

 Compliance requirements:

 General Data Protection Regulation (GDPR)

 Health Insurance Portability and Accountability Act (HIPAA)

 PII (Personal Identification Information): Information used to

identify an individual (e.g., names, social security numbers,
addresses). Targeted by cybercriminals and protected by privacy
laws.

 PHI (Protected Health Information): Information about health

status, healthcare provision, or payment linked to a specific
individual. Protected under HIPAA.
  Trade Secrets: Confidential business information giving a
competitive edge (e.g., manufacturing processes, marketing
strategies, proprietary software). Legally protected; unauthorized
disclosure results in penalties.

 Intellectual Property (IP): Creations of the mind (e.g., inventions,

literary works, designs). Protected by patents, copyrights,
trademarks to encourage innovation. Unauthorized use can lead to
legal action.

 Legal Information: Data related to legal proceedings, contracts,

regulatory compliance. Requires high-level protection for client
confidentiality and legal privilege.

 Financial Information: Data related to financial transactions (e.g.,

sales records, tax documents, bank statements). Targeted by
cybercriminals for fraud and identity theft. Subject to PCI DSS
(Payment Card Industry Data Security Standard).

 Human-Readable Data: Understandable directly by humans (e.g.,

text documents, spreadsheets).

 Non-Human-Readable Data: Requires machine or software to

interpret (e.g., binary code, machine language). Contains sensitive
information and requires protection.

Data Sovereignty
Digital information subject to laws of the country where it's located.
Gained importance with cloud computing's global data storage.

 GDPR (General Data Protection Regulation):

 Protects EU citizens' data within EU and EEA borders.

 Compliance required regardless of data location.

 Non-compliance leads to significant fines.

 Data Sovereignty Laws (e.g., China, Russia):

 Require data storage and processing within national borders.

 Challenge for multinational companies and cloud services.

 Access Restrictions:

 Cloud services may restrict access from multiple geographic

locations.
Data sovereignty and geographical considerations pose complex
challenges, but organizations can navigate them successfully with
planning, legal guidance, and strategic technology use, ensuring
compliance and data protection.

Securing Data
 Geographic Restrictions (Geofencing): Virtual boundaries to
restrict data access based on location. Compliance with data
sovereignty laws. Prevent unauthorized access from high-risk
locations.

 Encryption: Transform plaintext into ciphertext using algorithms

and keys. Protects data at rest and in transit. Requires decryption
key for data recovery.

 Hashing: Converts data into fixed-size hash values. Irreversible

one-way function. Commonly used for password storage.

 Masking: Replace some or all data with placeholders (e.g., "x").

Partially retains metadata for analysis. Irreversible de-identification
method.

 Tokenization: Replace sensitive data with non-sensitive tokens.

Original data stored securely in a separate database. Often used in
payment processing for credit card protection.

 Obfuscation: Make data unclear or unintelligible. Various

techniques, including encryption, masking, and pseudonyms, hinder
unauthorized understanding.

 Segmentation: Divide network into separate segments with unique

security controls. Prevent lateral movement in case of a breach.
Limits potential damage.

 Permission Restrictions: Define data access and actions through

ACLs or RBAC. Restrict access to authorized users. Reduce risk of
internal data breaches.

Data Loss Prevention (DLP)

Aims to monitor data in use, in transit, or at rest to detect and prevent
data theft. DLP systems are available as software or hardware solutions.

Types of DLP Systems:

 Endpoint DLP System: Installed as software on workstations or laptops.

Monitors data in use on individual computers. Can prevent or alert on file
transfers based on predefined rules.
  Network DLP System: Software or hardware placed at the network
perimeter. Focuses on monitoring data entering and leaving the network.
Detects unauthorized data leaving the network.
 Storage DLP System: Installed on a server in the data center. Inspects
data at rest, especially encrypted or watermarked data. Monitors data
access patterns and flags policy violations.
 Cloud-Based DLP System: Offered as a software-as-a-service solution.
Protects data stored in cloud services.

Cryptographic Solutions
Cryptography: Practice and study of writing and solving codes.
Encryption to hide information's true meaning.

Encryption: Converts plaintext to ciphertext. Provides data protection at

rest, in transit, and in use.

Data States:

 Data at Rest: Inactive data on storage devices.

 Data in Transit: Moving across networks.
 Data in Use: Currently undergoing change.

Algorithm and Key:

 Algorithm (Cipher): Performs encryption or decryption.

 Key: Essential for determining cipher output. Key Strength and Rotation.

Key Strength and Rotation:

 Key Length: Proportional to security.

 Key Rotation: Best practice for security longevity.

Symmetric and Asymmetric Encryption:

 Symmetric: Uses same key for encryption and decryption.

 Asymmetric: Uses a pair of keys for encryption and decryption.

Symmetric Algorithms:

 DES
 Triple DES
 IDEA
 AES
 Blowfish
 Twofish
 Rivest Cipher

Asymmetric Algorithms:
  Diffie-Hellman
 RSA
 Elliptic Curve Cryptography

Hashing: Converts data into fixed-size string (digest) using hash

functions.

Algorithms

 MD5
 SHA Family (RIPEMD, HMAC)

Public Key Infrastructure (PKI): Framework managing digital keys and

certificates for secure data transfer.

Digital Certificates: Electronic credentials verifying entity identity for

secure communications.

Blockchain: Decentralized, immutable ledger ensuring data integrity and

transparency.

Encryption Tools

 TPM
 HSM
 Key Management Systems
 Secure Enclave

Obfuscation

 Steganography
 Tokenization
 Data Masking

Cryptographic Attacks

 Downgrade Attacks
 Collision Attacks
 Quantum Computing Threats

Symmetric vs Asymmetric
Symmetric Encryption
Uses a single key for both encryption and decryption. Often referred to as
private key encryption. Requires both sender and receiver to share the
same secret key. Offers confidentiality but lacks non-repudiation.
Challenges with key distribution in large-scale usage.
Asymmetric Encryption
Uses two separate keys:

 Public key for encryption

 Private key for decryption

Often called “Public Key Cryptography”. No need for shared secret keys.
Commonly used algorithms include Diffie-Hellman, RSA, and Elliptic Curve
Cryptography (ECC). Slower compared to symmetric encryption but solves
key distribution challenges.

Hybrid Approach
Combines both symmetric and asymmetric encryption for optimal
benefits. Asymmetric encryption used to encrypt and share a secret key.
Symmetric encryption used for bulk data transfer, leveraging the shared
secret key. Offers security and efficiency.

Stream Cipher
Encrypts data bit-by-bit or byte-by-byte in a continuous stream. Uses a
keystream generator and exclusive XOR function for encryption. Suitable
for real-time communication data streams like audio and video. Often
used in symmetric algorithms.

Block Cipher
Breaks input data into fixed-size blocks before encryption. Usually 64,
128, or 256 bits at a time. Padding added to smaller data blocks to fit the
fixed block size. Advantages include ease of implementation and security.
Can be implemented in software, whereas stream ciphers are often used
in hardware solutions.

Symmetric Algorithms
DES (Data Encryption Standard)
Uses a 64-bit key (56 effective bits due to parity). Encrypts data in 64-bit
blocks through 16 rounds of transposition and substitution. Widely used
from the 1970s to the early 2000s.

Triple DES (3DES)

Utilizes three 56-bit keys. Encrypts data with the first key, decrypts with
the second key, and encrypts again with the third key. Provides 112-bit
key strength but is slower than DES.

IDEA (International Data Encryption Algorithm)

A symmetric block cipher with a 64-bit block size. Uses a 128-bit key,
faster and more secure than DES. Not as widely used as AES.

AES (Advanced Encryption Standard)

Replaced DES and 3DES as the US government encryption standard.
Supports 128-bit, 192-bit, or 256-bit keys and matching block sizes.
Widely adopted and considered the encryption standard for sensitive
unclassified information.

Blowfish
A block cipher with key sizes ranging from 32 to 448 bits. Developed as a
DES replacement but not widely adopted.

Twofish
A block cipher supporting 128-bit block size and key sizes of 128, 192, or
256 bits. Open source and available for use.

RC Cipher Suite (RC4, RC5, RC6):

Created by cryptographer, Ron Rivest. RC4 is a stream cipher with
variable key sizes from 40 to 2048 bits, used in SSL and WEP. RC5 is a
block cipher with key sizes up to 2048 bits. RC6, based on RC5, was
considered as a DES replacement.

Classification:
All the mentioned algorithms are symmetric. Most are block ciphers
except for RC4, which is a stream cipher.

Note: When working with encryption, identify if it's symmetric or

asymmetric and whether it's a block or stream cipher.

Asymmetric Algorithms
Public Key Cryptography
No shared secret key required. Uses a key pair:

 Public key for encryption

 Private key for decryption
Provides confidentiality, integrity, authentication, and non-repudiation.

Confidentiality with Public Key

Encrypt data using the receiver's public key. Only the recipient with the
corresponding private key can decrypt it.

Non-Repudiation with Private Key

Encrypt data using the sender's private key. Anyone with access to the
sender's public key can verify the sender's identity.

Integrity and Authentication with Digital Signature

 Create a hash digest of the message. Encrypt the hash digest with the
sender's private key.
 Digital Signature: A hash digest of a message encrypted with the
sender’s private key to let the recipient know the document was created
and sent by the person claiming to have sent it.
  Encrypt the message with the receiver's public key. Ensures message
integrity, non-repudiation, and confidentiality.

Common Asymmetric Algorithms:

 Diffie-Hellman: Used for key exchange and secure key distribution.

Vulnerable to man-in-the-middle attacks, requires authentication.
Commonly used in VPN tunnel establishment (IPSec).
 RSA (Ron Rivest, Adi Shamir, Leonard Adleman): Used for key exchange,
encryption, and digital signatures.

Elliptic Curve Cryptography (ECC)

Efficient and secure, uses algebraic structure of elliptical curves.
Commonly used in mobile devices and low-power computing. Six times
more efficient than RSA for equivalent security. Variants include ECDH
(Elliptic Curve Diffie-Hellman), ECDHE (Elliptic Curve Diffie-Hellman
Ephemeral), ECDSA (Elliptic Curve Digital Signature Algorithm).

Hashing
One-way cryptographic function that produces a unique message digest
from an input.

Hash Digest:
Like a digital fingerprint for the original data. Always of the same length
regardless of the input's length.

Common Hashing Algorithms

 MD5 (Message Digest Algorithm 5): Creates a 128-bit hash

value. Limited unique values, leading to collisions. Not
recommended for security-critical applications due to vulnerabilities.

o SHA (Secure Hash Algorithm) Family:

o SHA-1: Produces a 160-bit hash digest, less prone to collisions than
MD5.
o SHA-2: Offers longer hash digests (SHA-224, SHA-256, SHA-348,
SHA-512).
o SHA-3: Uses 224-bit to 512-bit hash digests, more secure, 120
rounds of computations.

 RIPEMD (RACE Integrity Primitive Evaluation Message

Digest): Open-source competitor to SHA but less popular.

 HMAC (Hash-based Message Authentication Code): Checks

message integrity and authenticity.

Digital Signatures:
Uses a hash digest encrypted with a private key. The sender hashes the
message and encrypts the hash with their private key. Recipient decrypts
the digital signature using the sender's public key. Verifies integrity of the
message and ensures non-repudiation.

Common Digital Signature Algorithms:

 DSA (Digital Security Algorithm): Utilized for digital signatures.

 RSA (Rivest-Shamir-Adleman): Supports digital signatures, encryption,
and key distribution. Widely used in various applications, including code
signing. Hashes change drastically even with minor changes in input.
Hashing is used to verify data integrity and detect any changes.

Increasing Hash Security

Common Hashing Attack
Pass the Hash Attack

 A hacking technique that allows the attacker to authenticate to a remote

server or service by using the underlying hash of a user's password
instead of requiring the associated plaintext password.
 Prevention:
o Ensure trusted OS.
o Proper Windows domain trusts.
o Patching.
o Multi-factor authentication.
o Least privilege.

Birthday Attack

 Occurs when two different messages result in the same hash digest
(collision).

Increasing Hash Security:

 Key Stretching

o Technique that is used to mitigate a weaker key by creating longer,

more secure keys (at least 128 bits).
o Used in systems like Wi-Fi Protected Access, Wi-Fi Protected Access
version 2, and Pretty Good Privacy.

 Salting

o Adds random data (salt) to passwords before hashing.

o Ensures distinct hash outputs for the same password due to
different salts.
o Thwarts dictionary attacks, brute-force attacks, and rainbow tables.

 Nonces (Number Used Once)

 o Adds unique, often random numbers to password-based
authentication processes.
o Prevents attackers from reusing stolen authentication data.
o Adds an extra layer of security against replay attacks.

 Limiting Failed Login Attempts

o Restricts the number of incorrect login attempts a user can make.

o Increases security by deterring attackers attempting to guess
passwords.
o Typically, lock the account after three incorrect attempts.

Public Key Infrastructure (PKI)

PKI Components

 An entire system involving hardware, software, policies, procedures, and

people.
 Facilitates secure data transfer, authentication, and encrypted
communications.
 Used in HTTPS connections on websites.

Establishing a Secure Connection

 User connects to a website via HTTPS.

 Web browser contacts a trusted certificate authority for the web server's
public key.
 A random shared secret key is generated for symmetric encryption.
 The shared secret is securely transmitted using public key encryption.
 The web server decrypts the shared secret with its private key.
 Both parties use the shared secret for symmetric encryption (e.g., AES) to
create a secure tunnel.

Security Benefits

 Confidentiality: Data is encrypted using a shared secret.

 Authentication: The web server's identity is verified using its private key.

Key Escrow

 Storage of cryptographic keys in a secure, third-party location (escrow).

 Enables key retrieval in cases of key loss or for legal investigations.
 Relevance in PKI:
o In PKI, key escrow ensures that encrypted data is not permanently
inaccessible.
o Useful when individuals or organizations lose access to their
encryption keys.
 Security Concerns:
o Malicious access to escrowed keys could lead to data decryption.
 o Requires stringent security measures and access controls.

Digital Certificates
Digital Certificates

 Digitally signed electronic documents.

 Bind a public key with a user's identity.
 Used for individuals, servers, workstations, or devices.
 Use the X.509 Standard.
 Contains owner's/user's information and certificate authority details.

Types of Digital Certificates

 Wildcard Certificate

o Allows multiple subdomains to use the same certificate.

o Easier management, cost-effective for subdomains.
o Compromise affects all subdomains.

 SAN (Subject Alternate Name) field

o Specifies additional domains and IP addresses supported.

o Used when domain names don’t have the same root domain.

 Single-Sided and Dual-Sided Certificates

o Single-sided: Only requires server validation.

o Dual-sided: Both server and user validate each other.

 Self-Signed Certificates

o Signed by the same entity it certifies.

o Provides encryption but lacks third-party trust.

 Third-Party Certificates

o Issued and signed by trusted certificate authorities (CAs).

o Trusted by browsers and systems.

Key Concepts:

 Root of Trust: Highest level of trust in certificate validation.

 Certificate Authority (CA): Trusted third party that issues digital
certificates.
 Registration Authority (RA): Collects user information for certificates.
 Certificate Signing Request (CSR): Includes the public key.
 Certificate Revocation List (CRL): List of revoked digital certificates.
  Online Certificate Status Protocol (OCSP): Determines certificate
revocation status.
 OCSP Stapling: Alternative to OCSP, includes OCSP record in SSL/TLS
handshake.
 Public Key Pinning: Alerts users if a fraudulent certificate is detected.
 Key Escrow Agents: Securely store copies of private keys.
 Key Recovery Agents: Allows restoration of lost or corrupted keys.

Trust in Digital Certificates:

 Compromised root CAs can impact all issued certificates.

 Commercially trusted CAs are more secure.
 Self-managed CAs must be vigilant against compromises.

Blockchain
Blockchain

 Shared immutable ledger for transactions and asset tracking.

o Builds trust and transparency.
o Each block contains information, including the hash of the previous
block.
o Block Structure:
 Previous block's hash.
 Timestamp.
 Root transactions (hashes of individual transactions).

Public Ledger:

 Secure and anonymous record-keeping system.

 Maintains participants' identities.
 Tracks cryptocurrency balances.

Blockchain Applications:
Smart Contracts:

 Self-executing contracts with code-defined terms.

 Execute actions automatically when conditions are met.
 Transparent, tamper-proof, and trust-enhancing.

Supply Chain Management:

 Transparency and traceability in the supply chain.

 Immutable records of product origin, handling, and distribution.
 Ensures compliance and quality control.

Broad Implications of Blockchain:

 Versatility beyond finance and cryptocurrencies.

  Decentralization eliminates the need for central authorities.
o Immutable ledger ensures data integrity.
o Digital Evolution: Blockchain's impact on technology and industries.

Encryption Tools
Encryption Tools for Data Security

 TPM (Trusted Platform Module):

o Dedicated microcontroller for hardware-level security.

o Protects digital secrets through integrated cryptographic keys.
o Adds an extra layer of security against software attacks.

 HSM (Hardware Security Module):

o Physical device for safeguarding and managing digital keys.

o Ideal for mission-critical scenarios like financial transactions.
o Ensures key security and regulatory compliance.

 Key Management System:

o Manages, stores, distributes, and retires cryptographic keys.

o Centralized mechanism for key lifecycle management.
o Automates key management tasks in complex environments.

 Secure Enclaves:

o Coprocessor integrated into the main processor of some devices.

o Isolated from the main processor for secure data processing and
storage.
o Enhances device security by preventing unauthorized access.

Obfuscation
Obfuscation Techniques in Data Security

 Steganography:

o Conceals a message within another to hide its very existence.

o Involves altering image or data elements to embed hidden
information.
o Primary goal is to prevent suspicion of any hidden data.

 Tokenization:

o Substitutes sensitive data with non-sensitive tokens.

o Reduces exposure of sensitive data during transactions.
  Data Masking (Data Obfuscation):

o Disguises original data to protect sensitive information.

o Common in industries handling personal data.

Cryptographic Attacks
Downgrade Attacks:

 Force systems to use weaker or older cryptographic standards or

protocols.
 Exploit known vulnerabilities in outdated versions.

Collision Attacks:

 Find two different inputs producing the same hash output.

 Undermine data integrity verification relying on hash functions.

Quantum Computing Threat:

 Threat to traditional encryption algorithms by rapid factorization of large

prime numbers.
 Post-quantum cryptography aims to create algorithms resistant to
quantum attacks.
o Methods include increasing key size and creating new cryptographic
algorithms.
 NIST selected four post-quantum cryptography standards:
o CRYSTALS-Kyber
o CRYSTALS-Dilithium
o FLACON
o SPHINCS+