Important notes

Comparison Table

What is CASB in Cybersecurity?

CASB stands for Cloud Access Security Broker. It is a security solution or software that acts as an intermediary between users and cloud service providers to enforce security policies, compliance requirements, and safeguard sensitive data.

The 4 Pillars of CASB:

These pillars outline the core functionalities of CASB:

1. Visibility:
   • Ensures complete visibility into shadow IT, sanctioned, and unsanctioned cloud usage.
   • Tracks cloud application usage and identifies risky behaviors or non-compliant activities.

2. Compliance:
   • Helps meet legal, regulatory, and internal policy requirements.
   • Enforces rules around data retention, encryption, and access control.

3. Data Security:
   • Protects sensitive data from unauthorized access.
   • Includes data loss prevention (DLP), encryption, tokenization, and monitoring for improper sharing.

4. Threat Protection:
   • Detects and mitigates threats such as account compromise, insider threats, or malware in cloud services.
   • Leverages advanced tools like user behavior analytics (UBA) to identify anomalies.

What is the Traffic Light Protocol (TLP)?

The TLP is a set of designations used to indicate how sensitive information can be shared and with whom. It helps organizations and individuals share threat intelligence in a controlled manner, ensuring that sensitive data isn't shared beyond its intended audience.

The protocol uses color-coded classifications to specify how information can be shared:

TLP Classifications

1. TLP:RED:
   • Scope: For the recipient(s) only.
   • Sharing: The information must not be shared with anyone else, including within your organization.
   • Use Case: Highly sensitive information, such as an active cyber threat targeting a specific individual or organization.

2. TLP:AMBER:
   • Scope: Limited sharing within your organization or a trusted group.
   • Sharing: Can be shared on a "need-to-know" basis only.
   • Use Case: Threat intelligence with sensitive context, such as a vulnerability or threat targeting your sector.

3. TLP:GREEN:
   • Scope: Can be shared within your community or sector.
   • Sharing: The information can be shared more broadly but not publicly.
   • Use Case: General threat intelligence or indicators of compromise (IOCs) that are useful to your peers.

4. TLP:WHITE:
   • Scope: No restrictions on distribution.
   • Sharing: The information is approved for public dissemination.
   • Use Case: General security awareness, public advisories, or widely applicable threat information.

Controls

Controls in cybersecurity and risk management are categorized based on their purpose and functionality. Here's a breakdown of control types, their purpose, and examples:

1. Managerial Controls

• Purpose: Focus on policies, procedures, and processes to manage risk and oversee security efforts.

• Key Characteristics:
  • Ensure proper planning, governance, and adherence to organizational goals.
  • Indirectly reduce risk by influencing the behavior of individuals and systems.

• Examples:
  • Risk assessments
  • Security awareness training
  • Incident response plans
  • Vendor management policies

2. Preventive Controls

• Purpose: Stop or mitigate threats before they occur.

• Key Characteristics:
  • Proactive in nature.
  • Focus on reducing vulnerabilities and blocking unauthorized actions.

• Examples:
  • Firewalls
  • Access control lists (ACLs)
  • Encryption
  • Multi-factor authentication (MFA)
  • Physical locks on server rooms

3. Detective Controls

• Purpose: Identify and detect malicious activity, policy violations, or failures in preventive controls.

• Key Characteristics:
  • Reactive in nature.
  • Help monitor, log, and analyze suspicious activities.

• Examples:
  • Intrusion Detection Systems (IDS)
  • Security Information and Event Management (SIEM) solutions
  • Video surveillance
  • System log analysis
  • File integrity monitoring

4. Corrective Controls

• Purpose: Minimize the impact of a security incident by restoring systems or mitigating damage.

• Key Characteristics:
  • React after an incident occurs to reduce harm and prevent recurrence.

• Examples:
  • Data backups and disaster recovery plans
  • Patch management
  • Quarantine of infected systems
  • Updating firewall rules post-attack

5. Compensating Controls

• Purpose: Provide alternative measures when primary controls are not feasible or sufficient.

• Key Characteristics:
  • Designed to meet the same objectives as the original control.
  • Often used as temporary solutions or when implementing a primary control is too expensive.

• Examples:
  • Using a security guard in place of a malfunctioning surveillance system.
  • Increased monitoring to offset lack of encryption.

6. Physical Controls

• Purpose: Protect physical assets and environments.

• Key Characteristics:
  • Designed to prevent unauthorized physical access or tampering.

• Examples:
  • Security guards
  • Biometric locks
  • CCTV cameras
  • Fencing and barriers

7. Technical Controls

• Purpose: Use technology to enforce security policies and protect assets.

• Key Characteristics:
  • Implemented within hardware or software.

• Examples:
  • Firewalls
  • Antivirus software
  • Intrusion Prevention Systems (IPS)
  • Role-Based Access Control (RBAC)

8. Deterrent Controls

• Purpose: Discourage potential attackers or unauthorized activities by creating awareness of consequences.

• Key Characteristics:
  • Psychological or visible measures.

• Examples:
  • Warning signs
  • Security cameras (real or dummy)
  • Legal penalties outlined in Acceptable Use Policies

9. Recovery Controls

• Purpose: Restore operations to normal after an incident.

• Key Characteristics:
  • Focus on continuity and resilience.

• Examples:
  • Disaster recovery plans
  • Restoring backups
  • Incident response teams
  • System rebuilds

Summary Table

Difference Between Risk Avoidance and Risk Mitigation

• Risk Avoidance:
  • Definition: Eliminating the risk entirely by avoiding activities or situations that could lead to it.
  • Approach: Proactive; choose not to engage in the risky activity.
  • Example: Not storing sensitive data in the cloud to avoid data breaches.

• Risk Mitigation:
  • Definition: Reducing the likelihood or impact of a risk through controls or measures.
  • Approach: Reactive or proactive; implement safeguards to minimize risk.
  • Example: Encrypting data stored in the cloud to reduce the impact of a potential breach.

Key Difference:

• Avoidance eliminates the risk entirely; mitigation reduces the risk's impact or likelihood.

Credential Stuffing:

• Definition: An attack where stolen username-password pairs from previous data breaches are tested across multiple websites to gain unauthorized access.

• Key Characteristic: Relies on users reusing the same credentials across different platforms.

• Example: Using leaked credentials from a breached social media account to log into a banking website.

What is SAML?

SAML (Security Assertion Markup Language) is an open standard that allows secure exchange of authentication and authorization information between an Identity Provider (IdP) and a Service Provider (SP).
SAML is primarily used for Single Sign-On (SSO) to enable seamless, secure access to multiple applications or services without requiring the user to log in separately to each one.

Exculpatory evidence proves that a suspect is not guilty of the actions of which they are accused. It is the opposite of incriminating evidence, which supports accusations against a suspect.

Inadmissible evidence is evidence that cannot be used to support the facts of the case and cannot be presented in court. An example would be evidence that has been obtained illegally or in a questionable manner.

A non-credentialed scan limits the amount of detail obtained from a host during a vulnerability scan but is most realistic, since an attacker may also not have valid credentials for hosts on the network.

Credentialed scan is used to elicit more detail about vulnerabilities from a host, but it also uses administrative credentials for hosts that are scanned, so it would not be the most realistic type of scan in this scenario.

Server-based scan is essentially conducted from the server and does not affect whether the scan is realistic from an attacker's perspective.

Agent-based scan uses an agent installed on each host, which an attacker is not very likely to have, and it must use network credentials. This is not the most realistic type of scan for this scenario.

Metric Groups in CVSS (Common Vulnerability Scoring System)

CVSS is used to assess the severity of vulnerabilities in software systems. It consists of three metric groups, each contributing to the overall score:

1. Base Metric Group

• Definition: Represents the intrinsic and unchanging characteristics of a vulnerability, regardless of how or where it is exploited.

• Components:
  • Exploitability Metrics:
    • Attack Vector (AV): Describes how the vulnerability can be exploited (e.g., Network, Adjacent, Local, Physical).
    • Attack Complexity (AC): How difficult it is to exploit the vulnerability (Low or High).
    • Privileges Required (PR): Level of privileges required for exploitation (None, Low, High).
    • User Interaction (UI): Whether user interaction is required (None or Required).
    • Scope (S): Whether the exploitation affects resources beyond the vulnerable component (Unchanged or Changed).
  • Impact Metrics:
    • Confidentiality Impact (C): Effect on confidentiality (None, Low, High).
    • Integrity Impact (I): Effect on integrity (None, Low, High).
    • Availability Impact (A): Effect on availability (None, Low, High).

2. Temporal Metric Group

• Definition: Represents characteristics of the vulnerability that change over time as it is addressed or exploited.

• Components:
  • Exploit Code Maturity (E): Availability of exploit code (Unproven, Proof-of-Concept, Functional, High).
  • Remediation Level (RL): Availability of a fix or workaround (Unavailable, Workaround, Temporary Fix, Official Fix).
  • Report Confidence (RC): Confidence in the validity of the vulnerability report (Unknown, Reasonable, Confirmed).

3. Environmental Metric Group

• Definition: Represents the characteristics of the vulnerability that are specific to a user's environment.

• Components:
  • Modified Base Metrics: Allows organizations to adjust base metrics for their specific environment.
  • Security Requirements:
    • Confidentiality Requirement (CR): Importance of confidentiality in the environment (Low, Medium, High).
    • Integrity Requirement (IR): Importance of integrity in the environment (Low, Medium, High).
    • Availability Requirement (AR): Importance of availability in the environment (Low, Medium, High).

How These Groups Interact

1. Base Metrics determine the initial severity of the vulnerability.

2. Temporal Metrics refine the score over time as exploitability or remediation status changes.

3. Environmental Metrics allow organizations to customize the score based on their unique environment.

Example CVSS Metrics and Score Calculation

• Base Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Confidentiality, Integrity, Availability Impact: High
  • Base Score: 9.8 (Critical)

• Temporal Metrics:
  • Exploit Code Maturity: Proof-of-Concept
  • Remediation Level: Temporary Fix
  • Report Confidence: Confirmed
  • Temporal Score: Adjusted to 9.0

• Environmental Metrics:
  • Confidentiality Requirement: High
  • Integrity Requirement: Medium
  • Availability Requirement: High
  • Environmental Score: Adjusted further to align with organizational priorities.

Clustering analysis is a technique often used in statistics to identify groups of data points based on certain criteria, such as occurrence. Clustering does not require that the criteria be specified in advance, as the criteria is searched for after the data is collected from a sample.

Grouping is a means used to categorize similar data points by taking a set of unique features and determining the artifacts that fit the criteria. Unlike clustering, grouping requires that these defining features be described in advance before data collection.

"Stacking" is incorrect because stacking, or stack counting, is a basic technique for identifying outliers in data. It involves counting the number of occurrences of a particular value, sorting them, and investigating the extreme outliers. Stacking is less useful with very large data sets because the outliers in these collections can themselves be quite large.

"Aggregation" is incorrect because aggregation is simply the collecting, combining, and summarizing of large volumes of similar data.

In the CVSS (Common Vulnerability Scoring System), the Report Confidence (RC) metric is part of the Temporal Metric Group, which assesses the credibility of the information about a vulnerability. It measures how confident an assessor is about the validity of the vulnerability and the reliability of its details.

Report Confidence Levels:

1. Unknown (RC:U):
   • Meaning: There is little to no information available to validate the vulnerability or confirm its existence.
   • Typical Scenario:
     • The vulnerability is reported through unverified sources or rumors.
     • There’s insufficient technical data or proof to substantiate the claim.
   • Impact on CVSS Score: Reduces the score significantly because of the uncertainty about the vulnerability's validity.

1. Reasonable (RC:R):
   • Meaning: The vulnerability is plausible but lacks conclusive evidence or technical details for full confirmation.
   • Typical Scenario:
     • The report is based on credible sources, but it may not include proof-of-concept code or full technical details.
     • Evidence points to the vulnerability being real, but further verification is required.
   • Impact on CVSS Score: Moderately lowers the score compared to "Confirmed" due to incomplete confidence in the vulnerability.

1. Confirmed (RC:C):
   • Meaning: The vulnerability has been thoroughly validated and confirmed by reliable, authoritative sources.
   • Typical Scenario:
     • The vulnerability is disclosed by the vendor, a security researcher, or other trusted entities.
     • Detailed information is available, such as exploit code, analysis, or evidence from a trusted source.
   • Impact on CVSS Score: Does not reduce the score because the vulnerability is verified.

A corrective control is used immediately following an incident to correct an urgent security issue or weakness. It is used with the understanding that it will soon be replaced by a more permanent control. A compensating control is used when a preferred control cannot be implemented but the risk must still be reduced. A compensating control could be semipermanent in nature, until the organization implements the preferred control.

Data aggregation combines data that is similarly formatted and has similar contacts. An example would be logging data gathered from many different systems. Data correlation looks at relationships between aggregated or individual pieces of data with other dissimilar data. An example would be looking for correlations between victim host log data gathered from systems that have been attacked and data gathered from an intrusion detection/prevention system and a firewall to determine whether there are any relationships between the host log data and the network detection device data.

The Scope (S) metric indicates whether a vulnerability in one area may affect a vulnerable component in another area. This means that the vulnerability of a component in a specific security domain, or security scope (as described by CVSS documentation), could possibly impact components or resources in another security domain or scope.

Attack Complexity (AC) metric characterizes any factors that are not within the attacker's control and must be favorable for the exploit to be successful. Some of these factors are also their own metrics, such as whether user interaction is required or the level of privileges that must be used to exploit the vulnerability.

Attack Vector (AV) metric describes how exploitation of a given vulnerability could happen. There are five potential values for the AV metric, based on whether the attack vector occurs remotely, locally, or physically.

Impact in the base metric group with regard to confidentiality, integrity, and availability, but not necessarily the same way. Confidentiality and integrity values measure impacts that affect the data itself. The availability values refer to the actual operation of a system or service, not the availability of
the data itself.

A false positive is data that shows that a particular vulnerability exists when, in fact, it does not.

A false negative consists of data that indicates a particular vulnerability does not exist, but other data indicates that it in fact does exist and is present on the system.

A true positive asserts that a particular vulnerability exists and is present on a system, and this can be verified independently through other data.

A true negative indicates that a particular vulnerability does not exist, and there is no other indication or data that shows otherwise.

A gold master is the standardized configuration baseline containing a hardened image that can facilitate the process of rebuilding a compromised host.

Comparison Table