CYBERSECURITY
WE DIRECTLY CARE ABOUT
3 FORMS OF INFORMATION SECURITY.
DEFENSIVE
DEFENSIVE SECURITY HAS AS ITS TASK THE PRESERVATION OF DATA.
The following must be ensured:
01. Availability
The data must be available at the time it is requested, regardless of attacks on, or failures of, the system that stores it.
This category includes:
Redundancy systems
These can operate at the storage level (RAID, storage arrays, synchronous/asynchronous replication, disaster recovery) or at the level of the systems that process the data (clusters, business continuity).
Backup systems
02. Accessibility
Measures must be put in place to limit access to the data to authorized users only (what the classic triad calls confidentiality, enforced through access control).
Technologies suitable for achieving this purpose are:
Directory Service
Active Directory, Red Hat Identity Management/FreeIPA and Oracle Identity Manager are some of the directory services on the market. The directory service holds a representation of every object within the information system: user accounts, computers, printers, storage systems, network folders and so on.
Policy Manager
This component allows the creation of security policies that can be applied to any object within the directory service (Group Policy in Active Directory is the best-known example).
Cryptography
Encryption, combined with the controls above, makes it possible to manage access to information properly and to protect it both at rest within systems and in transit to other locations, so that only holders of the keys can read it.
03. Perimeter Protection
Perimeter protection systems provide controlled, secure access to and from networks that have a lower security level or are not managed by the organization (e.g., the Internet). They include:
FIREWALL: These systems filter the traffic passing through them and determine what is allowed to pass from one network to another. Modern firewalls include other functions such as:
VPN
They connect multiple sites of your company, or partner companies, over low-security but widely available networks (such as the Internet or public leased lines), protecting the traffic between sites with encryption and authentication.
Proxy Server
A filtering service specializing in a number of layer 7 (application) protocols; HTTP/HTTPS proxies are an example.
Advanced Threat Protection
Analyzes traffic with Deep Packet Inspection probes to detect complex attacks that plain address/port filtering would not catch.
IDS/IPS
Intrusion Detection/Prevention Systems: systems that check for abnormal traffic and react accordingly (an IDS raises an alert, an IPS can also block the traffic).
Proxy Server
Proxies can be integrated into other systems (such as firewalls, see above) or deployed as stand-alone systems.
Probes
They are placed at specific points in the network. Their job is to examine the traffic passing through and hand it to IDS/IPS systems for analysis.
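As an added illustration of what the firewall filtering described above actually does (example code written for this page, not a product or configuration of the organization described): a first-match, default-deny rule evaluator over constructed flows, plus a check for "shadowed" rules that can never fire because an earlier, broader rule already covers them. The Rule/Flow classes, the address ranges and both rule sets are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR ("0.0.0.0/0" = any)
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a flow no rule mentions is dropped (default deny)."""
    for index, rule in enumerate(policy):
        if matches(rule, flow):
            return rule.action, index
    return "deny", None


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every flow matching `narrow` would already have matched `broad`."""
    return (ip_network(narrow.src).subnet_of(ip_network(broad.src))
            and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
            and broad.proto in ("any", narrow.proto)
            and broad.dport in (None, narrow.dport))


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, rule in enumerate(policy)
            if any(covers(earlier, rule) for earlier in policy[:j])]


# Constructed policy for a DMZ web server (documentation address ranges, hypothetical).
WEB = "203.0.113.10/32"
INTERNAL = "10.0.0.0/8"
ANY = "0.0.0.0/0"

GOOD_POLICY = [
    Rule("allow", ANY, WEB, "tcp", 443),        # public HTTPS
    Rule("allow", INTERNAL, WEB, "tcp", 22),    # SSH only from the internal network
    Rule("deny", ANY, ANY, "any", None),        # explicit catch-all
]

# The same policy with a leftover "temporary" troubleshooting rule left at the top.
BAD_POLICY = [Rule("allow", ANY, "203.0.113.0/24", "tcp", None)] + GOOD_POLICY

if __name__ == "__main__":
    ssh_from_internet = Flow("198.51.100.7", "203.0.113.10", "tcp", 22)
    print("good policy:", evaluate(GOOD_POLICY, ssh_from_internet))   # ('deny', 2)
    print("bad policy: ", evaluate(BAD_POLICY, ssh_from_internet))    # ('allow', 0)
    print("shadowed in bad policy:", shadowed_rules(BAD_POLICY))      # [1, 2]
```

The shadowing check is the part worth keeping: in the bad policy the SSH-from-internal rule and the HTTPS rule still look correct when read on their own, but neither can ever be reached, and SSH from the Internet is accepted by the broad rule above them. Reviewing a firewall policy means reviewing rule order, not just individual rules.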
04. Log Management
Every event within an information system generates logs. These logs are often the primary source of information about security events and security breaches.
They must be managed properly (kept accessible, and protected from manipulation, for instance by forwarding them to a separate log server the attacker cannot reach), and systems must be in place to correlate logs from different sources in order to understand the nature of one or more specific events (SIEM).
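The correlation a SIEM performs, shown as an added example (written for this page, not the organization's own tooling): events from two log sources on the same host, sshd and useradd, are normalized into a common shape and then linked in time. A burst of failed logins followed by a successful one from the same address is suspicious on its own; an account created on that host shortly afterwards turns it into a likely compromise with persistence. The log lines, hostnames, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd and useradd entries from one host, syslog-style.
SAMPLE_LOG = """\
2024-03-04T09:58:10Z web01 sshd[1190]: Accepted publickey for deploy from 10.0.0.9 port 40122 ssh2
2024-03-04T10:00:01Z web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
2024-03-04T10:00:02Z web01 sshd[1203]: Failed password for invalid user test from 198.51.100.23 port 51024 ssh2
2024-03-04T10:00:03Z web01 sshd[1205]: Failed password for root from 198.51.100.23 port 51026 ssh2
2024-03-04T10:00:04Z web01 sshd[1207]: Failed password for deploy from 198.51.100.23 port 51028 ssh2
2024-03-04T10:00:05Z web01 sshd[1209]: Failed password for deploy from 198.51.100.23 port 51030 ssh2
2024-03-04T10:00:09Z web01 sshd[1220]: Accepted password for deploy from 198.51.100.23 port 51040 ssh2
2024-03-04T10:01:30Z web01 useradd[1300]: new user: name=backup_svc, UID=1003, GID=1003, home=/home/backup_svc, shell=/bin/bash
2024-03-04T10:03:00Z web01 sshd[1350]: Failed password for alice from 10.0.0.5 port 33010 ssh2
2024-03-04T10:03:05Z web01 sshd[1352]: Failed password for alice from 10.0.0.5 port 33012 ssh2
2024-03-04T10:03:20Z web01 sshd[1354]: Accepted password for alice from 10.0.0.5 port 33014 ssh2
""".splitlines()

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
NEW_USER = re.compile(r"new user: name=(?P<user>[^,]+)")


def parse(lines):
    """Normalize raw lines into events sorted by time; lines we do not understand are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        base = {"ts": ts, "host": m["host"]}
        for kind, pattern in (("auth_fail", FAILED), ("auth_ok", ACCEPTED), ("new_user", NEW_USER)):
            hit = pattern.search(m["msg"])
            if hit:
                events.append({**base, "kind": kind, **hit.groupdict()})
                break
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=3, fail_window=timedelta(minutes=2),
              persist_window=timedelta(minutes=5)):
    """Link failed logins, a later success, and account creation into one alert."""
    fails = defaultdict(list)   # (host, source ip) -> timestamps of failed logins
    alerts = []
    for ev in events:
        key = (ev["host"], ev.get("ip"))
        if ev["kind"] == "auth_fail":
            fails[key].append(ev["ts"])
        elif ev["kind"] == "auth_ok":
            recent = [t for t in fails[key] if ev["ts"] - t <= fail_window]
            if len(recent) >= fail_threshold:
                alerts.append({
                    "severity": "high", "host": ev["host"], "ip": ev["ip"],
                    "user": ev["user"], "ts": ev["ts"],
                    "summary": f"{len(recent)} failed logins then success as {ev['user']}",
                })
        elif ev["kind"] == "new_user":
            # Escalate any recent suspicious login on the same host: persistence established.
            for alert in alerts:
                delta = ev["ts"] - alert["ts"]
                if alert["host"] == ev["host"] and timedelta(0) <= delta <= persist_window:
                    alert["severity"] = "critical"
                    alert["summary"] += f"; account {ev['user']} created {delta} later"
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["host"], alert["ip"], alert["summary"])
```

Neither source alone tells the story: sshd shows a password guessed, useradd shows a routine administrative action. Only the time-ordered view across both, keyed on host and source address, separates the intrusion from the legitimate operator on 10.0.0.5 who mistyped a password twice.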
05. Patch Management
Information systems inevitably contain bugs. New ones are discovered continually, and vendors release patches to correct them.
Proper procedures for system maintenance and patch management are essential, so that the system does not become vulnerable through neglect.
06. Honeypot
These are systems whose purpose is to act as targets for cyber attacks.
They serve a dual function: diverting attackers' attention to a decoy system, and allowing the attacks brought against it to be analyzed in order to profile the attackers and their intentions.
OFFENSIVE
OFFENSIVE SECURITY AIMS TO VERIFY THE INFRASTRUCTURE AND SERVICES IN PLACE, SO THAT NO BUG ALLOWS AN ATTACKER TO TAKE CONTROL OF THE SYSTEM.
Offensive security is essentially based on 3 processes:
01. Vulnerability assessment
It is an automated process for scanning hundreds or thousands of machines in a short time. Its purpose is to find known bugs in active services and systems.
Those bugs are the ones catalogued in CVE (Common Vulnerabilities and Exposures) lists. This means a vulnerability assessment is effective only on known, off-the-shelf software, not on software developed ad hoc. It raises the overall security level of the system and prepares it for more targeted testing.
02. Penetration Test
It applies to a narrower and more specific target than a vulnerability assessment. Typically, a penetration test is performed on the services most exposed to the public or accessed via public or low-security networks.
Typical targets of a penetration test are web applications developed ad hoc. A targeted analysis, performed by an experienced white-hat hacker, can point out flaws in the web application's proprietary code.
03. Code Inspection
When the source code is available, a code inspection can be performed to assess the overall security of the application.
Typical problems found by this kind of code inspection include:
SQL Injection
Cross-site Scripting
Input/data Validation
Authentication
Authorization
Exposing Sensitive Data
Code Access Security
Exception Management
Data Access
Weak/wrong Use of Cryptography
Unsafe and Unmanaged Code Use
Configuration
Threading
Undocumented Public Interfaces
Covert Channel
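The first item in that list, shown as an added example (written for this page, not code from the organization or from any application it reviewed): a login query built by string formatting next to the same query with bound parameters. The users table, the password hash and the payload are constructed for the demonstration.

```python
import hashlib
import sqlite3
from typing import Optional, Tuple


def pw_hash(password: str) -> str:
    # Toy hash so the example stays self-contained; a real system uses a salted,
    # slow password hash (Argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", pw_hash("correct horse battery staple"), "admin"),
        ("bob", pw_hash("hunter2"), "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """The flaw: user input is pasted into the SQL text, so it can change the query's grammar."""
    query = ("SELECT username, role FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, pw_hash(password)))
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """The fix: bind parameters; whatever the input contains, it is data, never SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()


if __name__ == "__main__":
    db = setup_db()
    # The payload closes the string literal and comments out the password check,
    # leaving: ... WHERE username = 'alice' --' AND pw_hash = '...'
    payload = "alice' --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # ('alice', 'admin')
    print("safe:      ", login_safe(db, payload, "wrong"))        # None
```

This is exactly the kind of defect a code inspection finds and a vulnerability scanner does not: the scanner has no CVE entry for an application's own login handler, while a reviewer reading `login_vulnerable` sees the string formatting immediately.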
POST INCIDENT
POST-INCIDENT SECURITY COVERS EVERYTHING INVOLVED IN PROPERLY HANDLING A SECURITY INCIDENT.
This includes the procedures for the proper management and preservation of digital evidence, the analysis of the incident (in order to understand what actually happened), and everything needed to bring the systems back online without the risk of running into the same issues again.
This includes:
Computer Forensics
The branch of computer security that deals with the collection and analysis of digital evidence for evidentiary and investigative purposes. Its task is to examine the sources of evidence generated by an incident in order to understand what actually happened, and in particular to determine:
Attack vector
The attack vector is what was used to produce the incident. Normally it is the method used either to gain access to the information system without proper credentials, or to perform a privilege escalation to gain rights and bypass the security policies in place.
Trackback
Analysis of the digital evidence sources is the starting point for tracing the origin of the attack and identifying the possible attacker. Given the nature of TCP/IP, one or more hops may be hidden (spoofed source addresses, intermediate compromised hosts) or may require the cooperation of third parties (e.g., providers) to reach the real communication endpoint.