
Vapt 3

The document covers various aspects of cybersecurity, focusing on vulnerability scanning with OpenVAS, threat intelligence, deception technologies like honeypots, and the Zero Trust security model. It highlights the importance of automated vulnerability scanning, risk prioritization, and the use of frameworks for threat intelligence integration. Additionally, it discusses the benefits and challenges of implementing Zero Trust principles to enhance security against both internal and external threats.

Uploaded by jaymit sarena

Foundation of Cyber Security (1)

Title: Vulnerability Scanning with OpenVAS

OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated
and authenticated testing, various high-level and low-level internet and industrial protocols,
performance tuning for large-scale scans and a powerful internal programming language to
implement any type of vulnerability test.

1. Objective: Understanding Automated Vulnerability Scanning and Risk Prioritization

• Automated Vulnerability Scanning:
  • Involves using tools to identify security weaknesses in systems and applications.
  • Helps in maintaining a proactive security posture.

• Risk Prioritization:
  • Focuses on addressing vulnerabilities based on their potential impact and exploitability.
  • Utilizes metrics like CVE and CVSS to assess risk levels.

2. Key Concepts

• Common Vulnerabilities and Exposures (CVE):
  • A publicly disclosed list of known vulnerabilities.
  • Each CVE is assigned a unique identifier for easy reference.

• Common Vulnerability Scoring System (CVSS):
  • A standardized framework for rating the severity of vulnerabilities.
  • Scores range from 0 to 10, with higher scores indicating more critical vulnerabilities.

• Role of Vulnerability Scanners:
  • Tools like OpenVAS and Nessus automate the detection of vulnerabilities.
  • They provide insights into potential security risks, enabling organizations to take action.

• Interpreting Scan Reports:
  • Scan reports detail identified vulnerabilities, their CVE references, and CVSS scores.
  • Important to differentiate between true positives and false positives to avoid unnecessary remediation efforts.

Comparison of OpenVAS and Commercial Tools (e.g., Nessus):

• OpenVAS:
  • Open-source and free to use.
  • Regularly updated with community contributions.
  • May require more configuration and tuning.

• Nessus:
  • Commercial tool with a user-friendly interface.
  • Offers extensive support and documentation.
  • More features available in the paid version.

Vulnerability Management Lifecycle:

• Identification: Scanning for vulnerabilities.
• Assessment: Evaluating the severity and impact.
• Remediation: Fixing or mitigating vulnerabilities.
• Verification: Re-scanning to ensure vulnerabilities are resolved.
• Reporting: Documenting findings and actions taken.

Comparison Table of Critical Vulnerabilities Identified in a Sample Scan

CVE ID           Description                                       CVSS Score   Severity
CVE-2021-34527   Microsoft Exchange Server Remote Code Execution   9.8          Critical
CVE-2019-0708    Remote Desktop Services Remote Code Execution     9.8          Critical

Title: Threat Intelligence and Automated Response

1. Objective
• Goal: Enhance detection and enable automated responses to emerging threats using threat intelligence.
• Focus Areas:
  • Understanding IOCs and threat feeds.
  • Integration with security systems like SIEM.
  • Utilizing frameworks like STIX/TAXII and platforms like MISP.

2. Key Concepts
• Indicators of Compromise (IOCs):
  • Definition: Artifacts observed on a network or in operating system files that indicate a potential intrusion.
  • Types: File hashes, IP addresses, domain names, URLs, etc.

• Threat Feeds:
  • Description: Continuous streams of data that provide information about known threats.
  • Sources: Commercial vendors, open-source feeds, and community-driven sources.

• Integration with Security Systems:
  SIEM (Security Information and Event Management):
  • Role: Centralizes the collection and analysis of security data.
  • Benefit: Correlates threat intelligence with logs to identify potential threats.

• Frameworks and Platforms:
  STIX (Structured Threat Information Expression):
  • Purpose: A standardized language for sharing threat intelligence.

  TAXII (Trusted Automated Exchange of Indicator Information):
  • Function: A protocol for exchanging cyber threat information.

  MISP (Malware Information Sharing Platform):
  • Use: Facilitates sharing, storing, and correlating indicators of compromise.
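To show the SIEM correlation and the STIX format from the two sections above working together, here is an added example (not from these notes): a constructed STIX 2.1 indicator bundle, of the kind a TAXII collection would return, is reduced to IOC lookups and matched against constructed proxy log lines. The indicator ids, dates, addresses and log format are all made up.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for a TAXII collection; ids and dates are made up
FEED = json.loads("""{"type": "bundle", "id": "bundle--0e1b6c1e-0000-4000-8000-000000000001",
 "objects": [
  {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
   "id": "indicator--0e1b6c1e-0000-4000-8000-000000000002",
   "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
   "name": "Known C2 address (constructed)", "valid_from": "2024-01-01T00:00:00Z",
   "pattern": "[ipv4-addr:value = '203.0.113.45']"},
  {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
   "id": "indicator--0e1b6c1e-0000-4000-8000-000000000003",
   "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
   "name": "Malicious domain (constructed)", "valid_from": "2024-01-01T00:00:00Z",
   "pattern": "[domain-name:value = 'bad.example'] OR [url:value = 'http://bad.example/x']"}
 ]}""")

# Supports only the subset of STIX patterning used above: equality comparisons joined by OR
COMPARISON = re.compile(r"\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]")

def extract_iocs(bundle):
    """Map (STIX object type, value) -> indicator id for each comparison in the feed."""
    iocs = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for otype, _field, value in COMPARISON.findall(obj["pattern"]):
            iocs[(otype, value)] = obj["id"]
    return iocs

# Constructed proxy log lines in a key=value format; which log field maps to which
# STIX object type is the analyst's decision, made explicit in FIELD_MAP
LOGS = [
    "ts=2024-03-01T10:00:01Z src=10.0.0.5 dst=198.51.100.7 host=intranet.example action=allow",
    "ts=2024-03-01T10:00:02Z src=10.0.0.9 dst=203.0.113.45 host=bad.example action=allow",
    "ts=2024-03-01T10:00:03Z src=10.0.0.7 dst=192.0.2.10 host=cdn.example action=allow",
]
FIELD_MAP = (("src", "ipv4-addr"), ("dst", "ipv4-addr"), ("host", "domain-name"))

def correlate(log_lines, iocs):
    """SIEM-style correlation: return (line number, indicator id, matched value) per hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = dict(kv.split("=", 1) for kv in line.split())
        for key, otype in FIELD_MAP:
            ind = iocs.get((otype, fields.get(key)))
            if ind:
                hits.append((n, ind, fields[key]))
    return hits
```

Each hit carries the indicator id, so an alert can link back to the feed entry (and its name and validity window) that produced it.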

• Research Current Platforms:
  • Explore platforms like Recorded Future, ThreatConnect, and AlienVault.
  • Analyze their features, integrations, and user feedback.

• Compare Proactive vs. Reactive Approaches:
  • Proactive Threat Intelligence:
    • Anticipates threats and prepares defenses.
    • Benefits: Reduces response time and minimizes damage.
  • Reactive Incident Response:
    • Responds to incidents after they occur.
    • Drawbacks: Often leads to higher costs and longer recovery times.

Title: Deception Technologies

1. Objective
• Goal: Enhance detection and enable automated responses to emerging threats using threat intelligence.

Honeypots:
• A honeypot is a security mechanism that creates a virtual trap to lure attackers. An intentionally compromised computer system allows attackers to exploit vulnerabilities so you can study them to improve your security policies.

2. Key Concepts

1. Types of Honeypots:
  • Low-Interaction Honeypots:
    • Example: Honeyd
    • Characteristics:
      • Simulate services and systems.
      • Limited interaction with attackers.
      • Easier to deploy and maintain.
  • High-Interaction Honeypots:
    • Example: Cowrie
    • Characteristics:
      • Full operating systems that allow attackers to interact.
      • More resource-intensive.
      • Provide deeper insights into attacker behavior.


2. Tools:
  • T-Pot:
    • An all-in-one honeypot platform.
    • Integrates multiple honeypots and tools for comprehensive monitoring.
    • Supports various protocols and services to attract different types of attackers.
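The low-interaction type described above is easiest to understand from a minimal one, so here is an added example (not from these notes and not Honeyd or T-Pot code): a decoy that presents a constructed mail-service banner, records whatever a client sends, and answers with a fixed rejection, so there is no real protocol to interact with. The probe() client stands in for a scanner during testing; the banner text and port handling are assumptions.

```python
import socket
import socketserver
import threading
import time

# Constructed decoy banner: advertise a mail service without implementing it
BANNER = b"220 mail.example ESMTP ready\r\n"
EVENTS = []                 # captured probes: (unix time, client ip, first bytes received)
LOCK = threading.Lock()

class DecoyHandler(socketserver.BaseRequestHandler):
    """Low-interaction handler: send a banner, record what arrives, reject, close."""
    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(BANNER)
        try:
            data = self.request.recv(256)
        except socket.timeout:
            data = b""
        with LOCK:                       # the record is the only thing the input touches
            EVENTS.append((time.time(), self.client_address[0], data[:64]))
        self.request.sendall(b"530 Access denied\r\n")

class Decoy(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

def start_decoy(host="127.0.0.1", port=0):
    """Bind the decoy (port 0 = any free port) and serve it in a background thread."""
    srv = Decoy((host, port), DecoyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe(port, payload=b"EHLO scanner\r\n", host="127.0.0.1"):
    """Client standing in for a scanner; returns the banner it was shown."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(payload)
        s.recv(256)                      # wait for the rejection so the event is recorded
    return banner

def summarize():
    """Analysis step: how many probes each source address made."""
    counts = {}
    with LOCK:
        for _ts, ip, _data in EVENTS:
            counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Because nothing a client sends is interpreted, the decoy stays cheap to run, which is the trade-off against the deeper visibility a high-interaction system gives.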

3. Ethical Considerations:
  • Legal Implications:
    • Ensure compliance with local laws regarding data privacy and monitoring.
    • Consider the potential for misuse of captured data.
    • Establish clear policies on the use of honeypots to avoid legal repercussions.

3. Learning Approach
• Case Studies:
  • Analyze real-world examples of honeypots successfully capturing attacker activity.
  • Identify patterns and tactics used by attackers.

• MITRE ATT&CK Framework:
  • Study the "Decoy" tactic within the framework.
  • Explore practical applications and how decoys can be integrated into existing security measures.

Figure 1.1: Honeypot Deployment Diagram

Title: Zero Trust Principles

1. Objective:
Understand the fundamentals of Zero Trust Architecture (ZTA).

Zero Trust is a security model granting access to only verified and authenticated users.
It provides an ultra-safe defense against potential threats through user, device, and
network access control. Unlike traditional security models, it does not assume that
people within an organization are safe. Instead, it requires every user to be authorized
before granting any access.

The zero-trust security model is generally based on a three-step process:

• Verify a user’s identity via authentication.
• Implement device and network access control.
• Limit privileged access.

Figure 1.2: Zero Trust Architecture


It is required to address critical threat use cases, including:
• Supply chain attacks: generally involve privileged users working remotely and on unmanaged devices.
• Ransomware: a two-part problem, including identity compromise and code execution.
• Insider threats: extremely challenging while users are working remotely.

2. Key Concepts:
• Never Trust, Always Verify:
  Every access request is treated as if it originates from an open network, requiring verification regardless of the user's location.

• Micro-segmentation:
  This involves dividing the network into smaller, isolated segments to limit lateral movement and reduce the attack surface.

• Least Privilege Access:
  Users are granted the minimum level of access necessary to perform their tasks, minimizing potential damage from compromised accounts.

• Supporting Tools:
  Platforms like Zscaler and Cloudflare Access facilitate the implementation of ZTA by providing secure access to applications and data.

Zscaler:
• The Zscaler Zero Trust Exchange is a cloud native platform that securely connects users, apps, and devices—using business policies—over any network, in any location.
• It's the world’s largest cloud security platform, enabling increased user productivity, reduced business risk, lower costs, and far less complexity.

Cloudflare:
• Cloudflare offers several tools for Zero Trust, including Access, Gateway, Tunnel, and WARP Connector.
• These tools help organizations enforce security policies and protect their data.

1) Definition and Approach
• Zero Trust:
  • Assumes that threats can exist both inside and outside the network.
  • Requires verification for every user and device attempting to access resources, regardless of their location.
  • Focuses on continuous authentication and strict access controls.

• Traditional Perimeter-Based Security:
  • Relies on a strong outer defense (firewalls, VPNs) to protect the internal network.
  • Assumes that users and devices inside the network are trustworthy.
  • Primarily focuses on securing the perimeter and monitoring external threats.
2) Security Philosophy
• Zero Trust:
  • "Never trust, always verify" is the core principle.
  • Emphasizes the need for granular access controls and least privilege access.
  • Regularly assesses and adapts security measures based on user behavior and risk levels.

• Traditional Perimeter-Based Security:
  • "Trust but verify" is the guiding principle.
  • Security measures are often static and based on predefined rules.
  • Less emphasis on continuous monitoring and adaptation to new threats.

3) User and Device Authentication
• Zero Trust:
  • Implements multi-factor authentication (MFA) and identity verification for all users and devices.
  • Uses context-based access controls, considering user roles, device health, and location.

• Traditional Perimeter-Based Security:
  • Often relies on single-factor authentication (e.g., username and password).
  • Once inside the network, users typically have broad access without further verification.
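The three-step process from the objective (verify identity, control device and network access, limit privilege) and the context-based controls just described can be written down as one policy decision function. This is an added example, not from these notes or from Zscaler or Cloudflare; the roles, segments, patch thresholds and request fields are constructed, and a real deployment would take them from its identity provider, device management and policy engine.

```python
from dataclasses import dataclass

# Constructed policy data; a real deployment pulls these from an IdP, an MDM and a policy engine
ROLE_PERMISSIONS = {              # least privilege: actions each role may take, per resource
    "developer": {"git": {"read", "write"}, "ci": {"read"}},
    "finance":   {"erp": {"read", "write"}},
}
RESOURCE_SEGMENT = {"git": "eng", "ci": "eng", "erp": "corp"}     # micro-segmentation
SEGMENT_POLICY = {"eng":  {"managed_device": True, "max_patch_age_days": 30},
                  "corp": {"managed_device": True, "max_patch_age_days": 7}}

@dataclass
class Request:
    user: str
    roles: tuple
    mfa_verified: bool      # identity step: did this session complete MFA?
    device_managed: bool    # device step: enrolled in management
    days_since_patch: int   # device step: health signal
    network: str            # "office", "home", ...: recorded, but never a reason to trust
    resource: str
    action: str

def evaluate(req):
    """Decide one request from scratch; returns (allowed, reason). Location is ignored."""
    # Step 1: verify the user's identity via authentication
    if not req.mfa_verified:
        return False, "identity not verified with MFA"
    # Step 2: device and network access control, enforced per segment
    segment = RESOURCE_SEGMENT.get(req.resource)
    if segment is None:
        return False, "unknown resource"
    policy = SEGMENT_POLICY[segment]
    if policy["managed_device"] and not req.device_managed:
        return False, f"segment {segment} requires a managed device"
    if req.days_since_patch > policy["max_patch_age_days"]:
        return False, f"device fails health check for segment {segment}"
    # Step 3: limit privileged access (least privilege by role, resource and action)
    for role in req.roles:
        if req.action in ROLE_PERMISSIONS.get(role, {}).get(req.resource, set()):
            return True, f"allowed by role {role}"
    return False, "no role grants this action on this resource"

def audit(requests):
    """Continuous monitoring hook: one decision record per request, for the SIEM/logs."""
    return [(r.user, r.resource, r.action, r.network, *evaluate(r)) for r in requests]
```

Note that a request from the office network with no MFA is denied while the same user from home with MFA and a healthy managed device is allowed, which is the "never trust, always verify" point in code.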
4) Response to Breaches
• Zero Trust:
  • Quick detection and response to anomalies or breaches.
  • Limits lateral movement within the network, reducing the impact of a breach.

• Traditional Perimeter-Based Security:
  • Breaches can go undetected for longer periods due to reliance on perimeter defenses.
  • Once inside, attackers may have more freedom to move laterally across the network.

5) Implementation Complexity
• Zero Trust:
  • Can be complex to implement due to the need for comprehensive identity management and continuous monitoring.
  • Requires a cultural shift within organizations to adopt a security-first mindset.

• Traditional Perimeter-Based Security:
  • Generally easier to implement as it relies on established technologies and practices.
  • May lead to complacency regarding internal security measures.

Benefits and Challenges of the Zero Trust Security Model

This approach requires you to regulate and classify all network resources. It lets
organizations visualize who accesses resources and for which reasons, and understand
what measures need to be implemented to secure them. Implementing a Zero Trust
security model is associated with deploying solutions for continuous monitoring and
logging of user activity and asset states. It allows organizations to detect potential
threats efficiently and respond to them promptly. This model helps extend security
protection across multiple containerized and computing environments, independent of
the underlying infrastructure. It prevents data breaches and halts lateral movement
using application micro-segmentation. A zero trust model ensures organizational
security while providing a consistent user experience.
