Essential Cybersecurity Concepts: Risk, Frameworks, and Security
Risk Management Basics
Risk: Probability of loss or disruption. Asset: Item of value (e.g., data, systems). Threat: Entity exploiting a weakness. Vulnerability: Weakness that can be exploited. Risk Management: Identifying, evaluating, reducing, or accepting risks.
Types of Threat Actors
Script Kiddie: Uses pre-written code, lacks technical skill, wants fame. Hacktivist: Politically motivated, defaces sites or networks. Nation State/APT: Government-backed, highly sophisticated. Organized Crime: Seeks financial gain, well-funded. Insider Threat: Disgruntled employee, hardest to detect. Competitor: Tries to steal business intelligence or trade secrets.
Attributes of Threat Actors
Internal vs. External, Level of sophistication, Resources and funding, Intent and motivation
Policies, Plans, and Agreements
SOP (Standard Operating Procedures): Step-by-step instructions for tasks. BPA (Business Partnership Agreement): Defines roles, responsibilities, and profit-sharing. SLA (Service Level Agreement): Specifies service expectations and metrics. ISA (Interconnection Security Agreement): Describes how systems connect securely. MOU (Memorandum of Understanding): Formal, non-binding agreement. MOA (Memorandum of Agreement): Legally binding version of an MOU. NDA (Non-Disclosure Agreement): Legal agreement to protect confidential information.
Personnel Management Policies
Job Rotation: Cross-training and fraud detection. Mandatory Vacations: Detects ongoing fraud. Separation of Duties: Splits responsibilities to reduce fraud risk. Clean Desk Policy: Prevents data exposure outside work hours. Background Checks: Validates candidate history. Exit Interview: Understands reasons for leaving and improves retention. Acceptable Use Policy (AUP): Defines proper use of company tech. Rules of Behavior: Expectations on conduct and respect. Adverse Action: Illegal workplace actions (e.g., threats, discrimination). Policy Violation: Ignoring established procedures or AUPs.
Business Impact Analysis (BIA)
Focus: Measures financial loss from an incident, not its source. Impact Areas: Sales, reputation, life/safety, property. Mission-Essential Functions: Core business operations. Critical Systems: Technology that supports essential functions.
Recovery Metrics
RPO (Recovery Point Objective): Maximum acceptable data loss. RTO (Recovery Time Objective): Time to restore operations. MTTR (Mean Time to Repair): Time it takes to fix something. MTBF (Mean Time Between Failures): System reliability. MTTF (Mean Time to Failure): Expected lifespan of a system.
Risk Calculation
SLE (Single Loss Expectancy): Loss from one incident. ARO (Annual Rate of Occurrence): How often a loss occurs annually. ALE (Annual Loss Expectancy): SLE x ARO (total expected annual loss).
Privacy Assessments
PTA (Privacy Threshold Assessment): Determines use of personal data (PII, SPI, PHI). PIA (Privacy Impact Assessment): Reviews how personal data is handled.
Risk Treatment Options
Accept: Risk is low and acceptable. Transfer: Outsource risk (e.g., insurance, SLAs). Avoid: Eliminate the activity causing risk. Mitigate: Reduce risk through controls (e.g., firewalls, antivirus). Residual Risk: Risk remaining after mitigation.
Risk Register
Logs all identified risks with probability, impact, treatment, owner, and actions taken.
Risk Analysis Types
Qualitative: Subjective (e.g., high, medium, low risk). Quantitative: Objective, numerical (e.g., cost-based risk score).
Frameworks and Reference Architecture
Industry-Standard Frameworks: Best practices followed by an industry (e.g., ISO).
Reference Architecture: Blueprints with hardware, software, processes, configurations.
ISO/IEC 17789:2014: Cloud computing reference architecture.
OSI Model (7 layers): Physical, Data Link, Network, Transport, Session, Presentation, Application.
TCP/IP Model (4 layers): Application, Transport, Internet, Network
Types of Frameworks
Regulatory: GDPR, HIPAA (legally enforceable).
Non-Regulatory: ITIL, COBIT 5 (best practices, not law).
National vs. International: UK Data Protection Act, ISO/IEC 27002.
Industry-Specific: IFRS (finance sector)
Secure Configuration Guides
Platform/vendor-specific: Windows, Apache, Cisco. Provide security baselines, reduce attack surface, improve performance
Security Policies and Procedures
Policies: Directives for IT security and user responsibilities.
Least Privilege: Users get minimum access needed.
On-Boarding Policy: BYOD devices checked before access.
Off-Boarding Policy: Company data removed on departure.
Acceptable Use Policy (AUP): Rules for using company systems/devices.
Remote Access Policy: Requires VPN use (e.g., L2TP/IPSec).
Data-Retention Policy: Defines how long data is kept for legal compliance.
Change Management: Manages approved changes, prevents unauthorized actions.
Auditing: Verifies compliance, reports issues to management
General Purpose Guides
Vendor Diversity: Multiple suppliers to ensure uptime and reliability.
Control Diversity: Layers of controls (e.g., firewall + IDS).
Administrative Controls: Audits, training, policies, pen testing.
Technical Controls: Firewalls, antivirus, IDS/IPS.
User Training: Helps prevent phishing, social engineering
Data Destruction & Sanitization
Burning: Incinerates classified paper.
Shredding: Strip-cut, cross-cut, micro-cut.
Pulping: Turns paper to sludge using water/acid.
Pulverizing: Smashes hard drives/CDs.
Degaussing: Wipes magnetic storage with strong magnetic fields.
Purging: Removes data from databases.
Wiping: Remote wipe of mobile devices.
Cluster Tip Wiping: Clears leftover data in disk clusters
Data Sensitivity and Handling
Confidential: R&D, legal info.
Private: Internal pricing, PII, PHI.
Public: Brochures, leaflets, news.
Proprietary: Trade secrets, R&D data.
PII: DOB, SSN, biometrics.
PHI: Medical records.
Privacy Law: Governs disclosure and storage of personal data
Data Retention and Legal Compliance
Legal Hold: Preserves data during investigations.
Data Compliance: Follows national/international data laws.
Retention Timeframes: Financial (6 years), medical (20–30 years), pension (indefinitely)
Data Roles
Owner: Sets data classification, responsible for protection.
Custodian: Secures and backs up data.
Security Administrator: Grants access, enforces least privilege.
Privacy Officer: Ensures legal and compliant data handling
AAA Concepts
Identification, Authentication, Authorization, Accounting (AAA)
Authentication Factors
Something you know: Password, PIN, security questions
Something you have: Smart card, token, key fob
Something you are: Biometrics like fingerprint, iris, retina, voice
Something you do: Signature, keystroke pattern, gait
Somewhere you are: Geographic location
Authentication Types
Single-factor: Same type (e.g., password, PIN, DOB)
Dual/multifactor: Different types combined (e.g., smart card + PIN)
Password Policy Settings
Password history: Prevent reuse, e.g., last 24 passwords
Maximum password age: Forces regular change, e.g., every 21 days
Minimum password age: Stops quick cycling to reuse old ones
Password complexity: Requires 3 of 4 character types
Reversible encryption: Avoid storing clear text credentials
Account lockout threshold: Lock after 3–5 bad attempts
Account lockout duration: How long to stay locked out
Password recovery: Email or SMS code, reset disk
Identity Federation and SSO
Federation: Third-party trust, uses SAML, cookies, extended attributes
SAML: XML-based authentication, used in federation
Shibboleth: Open-source SAML federation system
Single Sign-On (SSO): One login for many services, e.g., Kerberos
Directory Services and Protocols
LDAP: Stores/searches X.500 objects (CN, OU, DC)
LDAPS: Secure LDAP
Distinguished Name example: CN=User, OU=IT, DC=Company, DC=com
Kerberos (Microsoft Authentication)
Uses: Tickets, timestamps, USNs, mutual authentication
TGT: Ticket Granting Ticket session for initial login
Prevents: Replay attacks, pass-the-hash
Requires: Synchronized time (Stratum 0 = time source)
Legacy Protocols
NTLM: Old, uses MD4, vulnerable to pass-the-hash
PAP: Insecure, sends password in clear text
CHAP: Uses challenge-response
MSCHAPv2: Updated Microsoft protocol, more secure
Open Authentication (Web)
OAuth 2.0: Authorization for web/mobile apps
OpenID Connect: Built on OAuth, uses accounts like Google, Facebook
AAA Servers
RADIUS: UDP 1812 (auth), 1813 (accounting), used by VPN, 802.1x
TACACS+: TCP 49, more secure, used by Cisco
Diameter: TCP-based successor to RADIUS, uses EAP
Biometric Authentication
Fingerprint: Commonly used (e.g., phones, customs)
Retina: Scans blood vessels inside eye
Iris: Scans colored part, used in biometric passports
Voice: Stored voiceprint profile
Facial recognition: Shape of jaw, nose, eyes; better with IR (e.g., Windows Hello)
FAR: False Acceptance Rate (Type II error)
FRR: False Rejection Rate (Type I error)
CER: Crossover Error Rate = FAR = FRR
Tokens & Certificate-Based Auth
HOTP: HMAC-based, one-time use, no time limit
TOTP: Time-based, expires after 30–60 seconds
Smart card: Holds certificate, no data trace on PC
CAC: Government/military smart card with photo
PIV: Federal agency smart card
IEEE 802.1x: Port-based authentication for wired/wireless access
Account Types
User: Standard access, SID-based
Guest: Legacy, low privilege
Sponsored guest: Temp external users (e.g., presenters)
Privileged/admin: Elevated rights, manage systems
Service: Runs software with minimal necessary rights
Shared: Used by teams, not ideal for auditing
Generic: Default vendor accounts, should be renamed/disabled
Account Management Practices
Naming convention: Standardize formats (e.g., j.smith)
Disable on departure: Don’t delete immediately
Recertification: Auditor checks permissions, reports to mgmt
Account maintenance: Follow lifecycle, lock on inactivity
Monitoring: SIEM tools for real-time alerts
Account expiry: Automatic deactivation on contract end
Time-of-day restrictions: Login allowed only during shifts
Group-based access: Assign permissions to groups instead of individuals
Credential management: Windows Credential Manager stores login info
User account review: Audits to enforce least privilege
Host Security
HIDS/HIPS: Monitors system behavior for threats.
EDR: Continuous endpoint monitoring and response.
Application Whitelisting: Allows only approved apps.
Patch Management: Regular updates to fix vulnerabilities.
Antivirus/Antimalware: Protection from malicious software
Mobile Device Security
MDM: Central management of mobile security policies.
Remote Wipe: Erase data from lost/stolen devices.
Geofencing: Limits features by physical location.
Screen Locks/Biometrics: Prevent unauthorized access.
Application Control: Restricts unauthorized app installation
Application Deployment
Secure Coding: Prevents software vulnerabilities.
Code Signing: Verifies source and integrity of code.
Sandboxing: Isolates applications from host system.
Environment Separation: Separate dev/test/production environments.
Automation/Scripting: Reduces errors, standardizes deployment
Embedded Systems Security
Firmware Updates: Patch known vulnerabilities.
Network Segmentation: Isolate embedded devices from main network.
Physical Security: Prevent tampering with hardware.
Monitoring/Logging: Track activity for auditing.
Access Controls: Restrict use to authorized personnel
Malware Types
Viruses: Attach to files and replicate.
Worms: Self-replicate without user action.
Trojans: Disguise as legitimate software.
Ransomware: Encrypts data for ransom.
Spyware: Collects user information covertly.
Adware: Displays unwanted advertisements.
Rootkits: Hide malicious processes.
Keyloggers: Record keystrokes
Social Engineering Attacks
Phishing: Deceptive emails to steal data.
Spear Phishing: Targeted phishing attacks.
Whaling: Phishing targeting high-profile individuals.
Vishing: Voice call phishing.
Smishing: SMS text phishing.
Impersonation: Posing as trusted individuals.
Tailgating: Unauthorized physical access
Application and Network Attacks
SQL Injection: Malicious SQL code execution.
Cross-Site Scripting (XSS): Injecting scripts into web pages.
Cross-Site Request Forgery (CSRF): Unauthorized commands from a user.
Privilege Escalation: Gaining higher access levels.
Man-in-the-Middle (MitM): Intercepting communications.
Denial-of-Service (DoS): Overwhelming systems to disrupt service
Vulnerability Scanning and Penetration Testing
Vulnerability Scanning: Automated system checks for known issues.
Penetration Testing: Simulated attacks to find weaknesses.
Black Box Testing: No prior knowledge of the system.
White Box Testing: Full knowledge of the system.
Gray Box Testing: Partial knowledge of the system
Security Controls
Administrative Controls: Policies and procedures.
Technical Controls: Hardware and software mechanisms.
Physical Controls: Security guards, locks, and surveillance
Risk Management Concepts
Risk Assessment: Identifying and evaluating risks.
Risk Mitigation: Implementing measures to reduce risks.
Risk Acceptance: Acknowledging and accepting risks.
Risk Avoidance: Eliminating activities that introduce risk
Incident Response Process
Preparation: Develop policies, train staff, establish communication plans.
Identification: Detect incidents, analyze severity, classify threats.
Containment: Isolate affected systems, prevent further damage.
Eradication: Remove threats, patch vulnerabilities.
Recovery: Restore systems, validate functionality.
Lessons Learned: Document findings, improve response strategies.
Infosec Institute+1Quizlet+1YouTube+2Brainscape+2CliffsNotes+2
Incident Response Team Roles
Incident Response Manager: Oversees response efforts.
Security Analyst: Investigates and analyzes incidents.
IT Auditor: Ensures compliance with policies and regulations.
Legal Counsel: Advises on legal implications.
Public Relations: Manages external communications.
Human Resources: Handles internal personnel issues.
Forensic Procedures
Order of Volatility: Prioritize data collection from most to least volatile.
Chain of Custody: Maintain documentation of evidence handling.
Data Acquisition: Capture system images, collect logs, take hashes.
Legal Hold: Preserve data for legal proceedings.
Security Tools and Techniques
SIEM: Aggregates and analyzes security event data.
HIDS/HIPS: Monitors host systems for malicious activity.
Antivirus Software: Detects and removes malware.
Firewalls: Controls incoming and outgoing network traffic.
Vulnerability Scanners: Identifies security weaknesses
Reporting and Communication
Incident Reporting: Document incidents promptly.
Escalation Procedures: Notify appropriate personnel based on severity.
Internal Communication: Inform stakeholders within the organization.
External Communication: Coordinate with law enforcement and public as needed
CVE (Common Vulnerabilities and Exposures)
Purpose: Standardized list of publicly disclosed vulnerabilities. Managed by: MITRE. Uses: Security tools, databases, and patch management systems. Format: CVE-ID (e.g., CVE-2025-1234). Scope: Software and hardware vulnerabilities.
CWE (Common Weakness Enumeration)
Purpose: Categorized list of software and hardware weaknesses that lead to vulnerabilities. Managed by: MITRE. Uses: Helps identify and mitigate root causes of vulnerabilities. Format: CWE-ID. Scope: Software weaknesses (e.g., improper input validation, buffer overflow).
OSINT (Open Source Intelligence)
Purpose: Gathering publicly available information for intelligence. Sources: Social media, websites, public records, forums, etc. Uses: Cybersecurity threat intelligence, investigations. Tools: Maltego, Shodan, theHarvester. Legal Concerns: Must stay within ethical and legal boundaries when collecting information.
CIS Controls
Purpose: A set of best practices to help organizations strengthen their cybersecurity posture. Managed by: Center for Internet Security (CIS). Format: 18 controls grouped into 3 categories: Basic, Foundational, and Organizational. Scope: Security practices for protecting networks, data, and systems.
Control Categories:
Basic (1-6): Essential security measures like inventory, continuous vulnerability management, and controlled use of administrative privileges.
Foundational (7-16): Focus on network monitoring, data protection, security configurations, and incident response.
Organizational (17-18): Address security management, and vulnerability assessments, including penetration testing and red teaming.