What interests me, though, is how differently each group relates to technology. Millennials are widely seen as the generation that adapted to technology. Gen Z grew up with technology as a constant, almost like a second language. And Gen Alpha? They are growing up fully immersed in a world where AI, touchscreens, and digital ecosystems aren’t innovations; they’re just the normal way life works.

But today's discussion is really about Gen Z.

The first time I heard Vandana Verma Sehgal say, “APIs are like Gen Z,” it stopped me. Immediately, my mind went to all the bold, unfiltered, and sometimes hilarious comments employers make about Gen Z on Twitter. You know the ones, calling them audacious, direct, uncompromising, and allergic to nonsense.

But the moment she explained her analogy, it made perfect sense. APIs and Gen Z genuinely share more similarities than you would expect. They’re fast. They’re expressive. They expect clarity. They don’t like ambiguity. And they absolutely will not tolerate friction.

And just like Gen Z, APIs never hide; they communicate openly through clear responses, detailed errors, and transparent documentation. Everything is meant to be visible and discoverable. Yet in the same breath, APIs can overshare too, exposing more data than intended, revealing internal details, or exposing sensitive information when not properly secured, exactly the way people joke about Gen Z oversharing their thoughts and lives online.

The comparison was so accurate that I couldn’t help but laugh and agree. There isn’t much difference between these two super forces.

And that’s exactly what I’m about to show you.

In this blog post, we’ll explore the fundamentals of API security, what it is, why it matters, and the essential best practices every developer, business, and security professional must apply to protect data and system integrity and stay secure in an increasingly API-driven world.

APIs and API Security: What They Are and Why They Matter

What is an API?

API is an acronym for Application Programming Interface. Let’s break it down:

• An application is a software program that performs a specified function.

• Programming is the process of writing instructions that tell software how to work.

• Interfaces are agreements that define how two applications communicate.

Putting it together, an API is a software intermediary that allows different applications, services, systems, and databases to communicate and exchange data efficiently.

What is API Security?

API security is the process of protecting APIs’ integrity from attacks, data breaches, unauthorized access, and other security risks. It addresses techniques, methods, measures, best practices, protocols, and solutions for detecting, understanding, and mitigating the unique vulnerabilities and risks associated with both your APIs and the third-party APIs you rely on.

Why API Security Matters

APIs are the heart that makes modern applications operate. They power web apps, mobile apps, cloud services, and the connections between systems. Insecure APIs can result in severe consequences, including:

• Data breaches and exposure of sensitive information.

• Unauthorized access to critical systems

• Service disruptions and financial loss

• Reputational damage

In short, API security is important because APIs handle sensitive data and critical functions in modern apps. Protecting them helps organizations maintain trust, compliance, and operational integrity.

OWASP API Security Top 10

001: Broken Object Level Authorization(BOLA)

What it is: An authorization flaw vulnerability occurs when an API permits a user to access the data of another user without adequately verifying if the user is allowed to do so.

How to prevent it: Always enforce and continuously test authorization controls across all endpoints, and verify users have permission to access or alter objects before processing requests.

002: Broken authentication

What it is: This vulnerability arises from a poor or improperly implemented API authentication method. This gives attackers an opportunity to take control of user accounts, access their sensitive data, or carry out actions on their behalf.

How to prevent it: Implement strong authentication mechanisms, such as multi-factor authentication (MFA).

003: Broken Object Property Level Authorization

What it is: This vulnerability happens when an API fails to implement proper access control for particular elements of an object, resulting in the disclosure or manipulation of sensitive data. The issue stems from two flaws: mass assignment (when APIs modify object properties without verifying user authorization) and excessive data exposure.

cUse allow lists (whitelists) for fields so that users can only modify specific, permitted properties. Apply data minimization to return only the minimum amount of information.

004: Unrestricted Resource Consumption

What it is: This vulnerability exists when an API permits users to consume excessive amounts of system resources (CPU, memory, and bandwidth) without any restrictions. It can result in slow performance, system crashing, and to initiation of denial-of-service (DoS) attacks

How to prevent it: How to Avoid It: Implement rate limiting to restrict the number of requests that an IP or user can make in a particular period of time. Monitor API performance to detect anomalous consumption spikes.

005: Broken function-level authorization

What it is: The API lacks proper authorization checks at the function or operation level, allowing users to access authorized functionality. Authorization issues are commonly created by complex access control policies and ambiguous responsibilities, allowing attackers to access resources and administrative powers of other users.

How to prevent it: Implement role-based access control and test all endpoints to identify any permission gaps or unauthorized access.

006: Unrestricted Access to Sensitive Business Flows

What it is: This vulnerability arises when attackers study the business model of an API, identify key business flows, and automate access to them, which could be destructive to the business at large.

How to prevent it: Think like an attacker when identifying threats, and implement authorization rules to limit the creation of resources.

007:Server Side Request Forgery (SSRF)

What it is: This vulnerability occurs when an API accepts a link from a user without validating it. When the server tries to navigate to this link, it forces it to visit endpoints it should not, potentially allowing access to internal systems.

How to prevent it: Validate and sanitize all input, and implement network segmentation and firewall rules

008: Security Misconfiguration

What it is: This vulnerability occurs when a system, application, or network is not configured securely. Incorrect or flawed security settings might reveal gaps that attackers can exploit.

How to prevent it: Regularly audit your systems to find misconfigurations and vulnerabilities, and keep all software patched and updated to fix security issues.

009: Improper Inventory Management

What it is: You can't protect APIs you don't know exist. Without effective tracking, some APIs may exist without your team's knowledge; they are known as zombie or shadow APIs.

How to prevent it: Because APIs typically have a large number of endpoints, keep up-to-date documentation and an inventory of them. Manual tracking can be burdensome, so adopt automated tools to maintain and secure hidden APIs. Make API documentation visible only to authorized users.

010: Unsafe Consumption of APIs

What it is: This vulnerability exists when you use third-party APIs that you simply do not fully control. Even if your own API is secure, relying on external APIs might be risky since attackers may target the connected services.

How to prevent it: To eliminate security risks, maintain an inventory of all third-party APIs, encrypt all communications, validate all supplied data, and enable error handling.

Back to the real deal!!!
In this post, we will look at different Threat Actors, Vectors, and Intelligence Sources.

Sit Back and enjoy the Ride!!!

Basic Terms

Vulnerability: is a weakness that, when exploited, can result in a security breach.

Threat: the possibility of someone or something exploiting a vulnerability and breaching security. It can be purposeful or unintentional.

Risk: the possibility and impact of a threat actor exploiting a vulnerability is known as risk.

Risk = Likelihood × Impact

Threat actor: the person or entity that poses a potential threat to the security of systems, networks, or data.

Capability: is the ability of a threat actor to create fresh exploit methodologies and tools

Various Actors and Threats

Nation-state actors: include entities or groups that are supported by the government that exploit cyberspace for their wealth, military, or political objectives. Control of intelligence gathering is a primary aim of state actors for spying and strategic gain. It is commonly an Advanced Persistent Threat (APT), as They are long-lasting and are designed to gain persistent access to networks or systems for data theft or espionage.

Script kiddies/Unskilled: Individuals with little or no technical skills who conduct attacks using already existing hacking tools and scripts. They may not have a specified target or any other objective that makes sense besides grabbing attention or showcasing their technical skills.

Hacktivists: threat actors that are motivated by a belief in the social or political causes. They pursue the objective of exposing the existing corrupt layers, propagating the most preferred ideologies, or destabilizing them, these individuals may hit organizations or governments

Insider Threats: type of threat actor within an organization that has authorized access to the system and results in intentional or unintentional misuse of their privileges.

Organized crime: involves professional criminals, motivated by money, who are usually external entities and highly sophisticated, with a structured organization and supported by substantial capital to fund their efforts.

Shadow IT: this is the use of unapproved technology or applications within a company that is not under the control of IT departments

Criminal syndicates: threat actor that engages in computer fraud and hacking for Financial gain. The complexity of prosecuting is heightened by the possibility that a criminal syndicate operates online from countries other than those of its victim.

Competitors: competitors can try to get unlawful access to confidential information, trade secrets, or sensitive data.

Hackers: An individual with the knowledge to access computer systems by unauthorized methods.

• Authorized/ white hat: a hacker working for a security consultancy or conducting authorized penetration testing.

• Unauthorized/ black hat: a malicious hacker acting without authorization.

• Semi-authorized/Gray hat: a hacker with limited authorization. They have no hostile motive, and might look for security holes, but won't take advantage of it. They are paid for discovering the vulnerabilities (like a bug bounty).

Attributes of Actors

Internal/external: External actors may be referred to as intruders that may be hackers, criminal gangs, or state sponsors while internal actors are employees, contractors, or any external partner with legitimate access to the organization's systems.

Level of sophistication/capability: This attribute captures the technical awareness and capacity of a threat actor.

Resources/funding: The power that actors have as well as the amount of money that they can lay their hands on greatly defines their capabilities and the operational level of their activities. Cybercriminals such as state-sponsored actors and organized crime groups often have several advantages such as financial backing, access to modern technologies, as well as knowledge obtained from relevant fields.

Intent/motivation: This is the aim that an attacker has in place once they decide to launch an attack.

Attack Vectors

The attack vector is how threat actors can infiltrate the system.

Direct access: It is having physical access/control of a system, which enables an attacker to directly compromise its target. e.g. corrupting the configuration of the hardware, or attempting to use a boot disk to install a virus.

Wireless: This entails establishing unauthorized control by exploiting loopholes in wireless networks or devices. e.g. Wi-Fi eavesdropping, spoofing, or brute-forcing of passwords for wireless networks.

Email: entails sending a malicious file attachment through email.

Supply chain: involves targeting the hardware or software supply chain to introduce infected components into networks or systems. This might involve intrusive modifications or creating backdoors

Social media: involves using social media platforms to promote malicious content, conduct social engineering attacks on people or organizations, or obtain information against them.

Removable media: entails the introduction of malware or the extraction of data from systems using external storage media. Attackers may send infected removable media to their target PCs or use auto-run options to run malicious malware.

Cloud: entails using infrastructure or cloud-based service vulnerabilities to their advantage. E.g. breaking into cloud accounts without authorization, stealing data, or taking advantage of vulnerabilities in cloud-based apps.

Attack Motivations

Data exfiltration: Data Exfiltration involves the unauthorized transfer of data from a computer, often conducted by nation-states, organized crime, insiders, and unskilled attackers for espionage, financial gain, or opportunistic purposes.

Espionage: involves nation-states and organized crime groups, it is the act of spying on nations, persons, or organizations to obtain sensitive information for strategic or competitive advantage.

Service disruption: Service disruption occurs when actors such as hacktivists, nation-states, and inexperienced attackers attempt to interrupt the services of organizations to cause havoc, make political criticism, or demand ransom.

Blackmail: Blackmail occurs when actors, such as organized crime groups and insider threats gather sensitive or incriminating information and use it to extort money or accomplish personal gain by threatening to reveal the information unless demands are granted

Financial gain: This is commonly achieved by organized crime to exploit cyber attacks, such as ransomware and banking trojans, to make money by collecting financial information and gaining access to victims' bank accounts.

Philosophical/political beliefs: Hacktivists, nation-states, and sometimes inexperienced attackers carry out cyberattacks motivated by their intellectual or political ideas.

Ethical: Ethical hackers (white-hats) do permitted security testing to improve and strengthen corporate defenses, driven by a desire to improve security rather than engage in malicious behavior.

Revenge: Insider threats, hacktivists, and nation-states launch revenge-driven cyber attacks against entities they believe have mistreated them, seeking payback.

Disruption/chaos: Nation-states, hacktivists, and inexperienced attackers seek disruption and disorder that cause instabilities, distribute malware, or target vital systems.

War: Nation-states utilize cyber warfare to disrupt or damage a rival country's infrastructure, economy, or security, to compromise national security, and to cause economic hardship

Threat intelligence sources

Cyber Threat Intelligence (CTI) is the process of gathering, analyzing, and disseminating data concerning new threats and their sources. Professionals can improve their comprehension of attacks and successfully reduce risks by actively participating in CTI. The following are sources of gathering information.

Open-source intelligence (OSINT): information obtained from publicly available sources, such as news articles, social media, and forums.

Closed/proprietary: Intelligence is obtained from private enterprises, security vendors, or government authorities. Extensive threat research is conducted and collated, and the results are made available as a paid subscription.

Vulnerability Databases: Vulnerability databases contain information on known software and system weaknesses and on the hardware ones too. There is a list known as the Common Vulnerabilities and Exposures (CVE) that has been developed as a common list for the development of specific identifiers. The United States Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) support the U. S National Vulnerability Database (NVD), which provides CVE, its details, patch, and its severity, besides other data.

Public/private information-sharing centers: promote the exchange of threat intelligence between organizations, government institutions, and security professionals. Participants share useful ideas, threat indicators, and mitigation techniques. an example is the Cyber Threat Alliance(CTA)

Dark Web: This is like a mysterious part of the World Wide Web that contains illicit business. To that end, it can help to establish threat intelligence by tracking activity in underground forums, markets, and even communication channels of cybercriminals.

Indicators of compromise: A reference to an indication that an asset or network is compromised or has been hacked or is being hacked. These can be IP addresses, domain names; the hash values of files that might have been infected; or behavioral activity identified during an attack.

Automated Indicator Sharing (AIS): AIS frameworks automate the sharing of important threat data or information between organizations. AIS is based on the STIX and TAXII standards and protocols.

• Structured Threat Information eXpression (STIX): is a standardized language for describing cyber threat information, it includes motivations, abilities, capabilities, and response information. it describes standard terminology for IoCs and ways of indicating relationships between them

• TrustedAutomated eXchange of Intelligence Information (TAXII): protocol provides a means for transmitting CTI data between servers and clients.

Predictive analysis: forecasts potential future threats using historical data, statistical modeling, and machine learning algorithms. It enables enterprises to predict and defend against emerging threats.

Threat maps: are graphical displays that indicate the geographical distribution and levels of cyber threats experienced in different countries internationally. They help in mapping out the high-risk zones and in interpreting the new risk sight. This option focused on constructing an animated map that would depict the threat sources in near real-time. is an animation of a graph depicting the source, target, and the different kinds of attacks identified by a particular CTI platform

File/code repositories: Signatures of known malware code are stored in a file/code repository. The code samples are taken from live customer systems and (in the case of public repositories) files uploaded by subscribers

Research sources

Vendor websites: The official websites of technology vendors contain product information such as release notes, security advisories, and patches. This helps researchers to stay up to date on the newest vulnerabilities and patches for a specific technology.

Vulnerability feeds: these are data sources with information about newly identified vulnerabilities in software, systems, or networks. An example is CVE data feeds that provide descriptions, severity ratings(CVSS), and mitigation solutions for vulnerabilities that have been detected.

Conferences: Various institutions host and sponsor security conferences, which allow for presentations on the most recent threats and technologies.

Academic journals: Academic researchers and non-profit trade groups and associations, such as the IEEE, publish their findings in journals as papers. These papers are often available only through subscription.

Request for Comments (RFC): when a new technology is accepted as a web standard, it is published as an RFC by the W3C. They give technical information, standards, and best practices for new technologies

Local industry groups: Professional associations and user groups, for example, bring together professionals working in the field. They host events, webinars, and forums where participants can discuss industry challenges and share experiences

Social media: Twitter and LinkedIn are other common media used in sharing of cybersecurity knowledge. Whenever researchers or any professionals or related organizations obtain new information or publish new research results, they announce it on these platforms.

Threat feeds: Threat feeds are sources of information on current cyber threats, IOCs, malware signatures, or malicious behavior patterns. These feeds collect information from a variety of sources, including security companies, security research teams, and threat intelligence systems to get Signatures and pattern-matching rules to identify specific threat

Adversary tactics, techniques, and procedures (TTP): Historical cyber-attacks and adversary acts are examined using TTPs.TTPs divide behaviors into three categories: campaign strategy and approach (tactics), generalized attack vectors (techniques), and particular intrusion tools and methods (procedures).

“We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.”

Dr. Larry Ponemon

5.6 Review Questions

I believe it is safe to claim that our moms were among the early adopters of encryption, with their "coded" ways of interacting with their children, ensuring their messages, particularly warnings, can only be understood by you. This can be achieved by winking the eyes, giving some type of facial expression, and so on. A wonderful scenario in which a visitor gives me a gift, my mother's "type of look or laughter" serves as a disguised communication, instructing me to gracefully decline the offer. At this time, she would persuade me to accept the gift, saying, "Timi, take it" before going on to tell the guest, "She's just a shy person!" Despite her prodding, my response should be firmly "No, thanks," as I discreetly hunt for the nearest exit to leave the situation.

In this analogy, my mother’s laughter/type of look and her words represent the encrypted message. To an outsider, it may seem like a lighthearted interaction, but for me, it carries a clear directive that only I understand. Similarly, encryption works by encoding information so that only those with the correct key or understanding can access the original message.

In this post, we will be discussing different cryptographic solutions. Stay Tuned!!!

First, what is cryptography?

Cryptography is the use of mathematical techniques to encrypt and decrypt information, transforming data for the purpose of preventing unauthorized access and ensuring only the intended recipient can read it.

Public key infrastructure (PKI)

Public Key Infrastructure (PKI) is a framework for managing digital keys and certificates to ensure secure and reliable digital communications.
It includes the hardware, software, procedures, and policies required to generate, distribute, use, store, and revoke digital certificates and public keys.

Simply put, PKI is the technology used to authenticate users and devices in the digital world.

Why do we need PKI?

PKI is needed to protect sensitive information, such as financial transactions, from unauthorized access, verify identities by functioning as a digital passport to prevent fraud and impersonation, encrypt data to keep communications confidential and unaltered, ensure compliance with data security regulations, and support secure e-commerce and the Internet of Things (IoT) by providing necessary tools for digital signatures and encryption.

Now, let us go over the key components of PKI

Public key: This is an openly distributed cryptographic key, It is used to validate digital signatures and encrypt information so that only the designated recipient may decrypt it using their private key.

Private key: A private key is a secret cryptographic key only known to the owner. The matching public key can be used to decrypt data or create digital signatures. It is kept confidential to maintain the integrity and security of digital communications.

Key escrow: This is a security measure where cryptographic keys are stored with a trusted third party. This approach makes it possible to recover keys in the event of a loss, ensuring that access to digital signatures or encrypted data can be regained as needed.

So we've been hearing the word Cryptography Key and don't seem to understand what it means.

A key is a string of characters used to change data presentation to make it seem random. It locks (encrypts) data, just like a real key, so that only the appropriate key can unlock (decrypt) it.

Encryption

Encryption is a data security technology that uses a cryptographic algorithm to convert readable data, or "plaintext," into an encoded format called "ciphertext." It ensures that data remains unreadable to unauthorized users and can only be accessed or processed after being decrypted with a specific cryptographic key.

Why do we need encryption?

Encryption helps prevent data breaches whether the data is in transit or at rest (e.g., if a corporate device is lost or stolen and its hard drive is properly encrypted, the data will remain secure), it prevents malicious behavior like on-path attacks, ensures compliance with regulatory standards like HIPAA, NDPR, and GDPR, and provides authentication to verify legitimate entities. Encryption ensures that no one can read communications or data at rest except the intended recipient or the rightful data owner.

Ever heard of the different states of data? Let's go over them, shall we?

• Data at rest: This is data in storage, that is not being accessed(in use) or transferred(in motion)
• Data in motion: is data moving between systems or locations
• Data in use: This is data that is being accessed, modified, processed, and read by a system

Now, let us go over the 6 levels of encryption which answer to protecting data at rest

Full-disk: Full-disk encryption (FDE) secures data at rest by encrypting the entire physical storage device, including SSDs and hard disks, while protecting its metadata. It ensures that all data on the storage device is encrypted. BitLocker and FileVault are two examples of solutions that use FDE. it ensures that data on servers, PCs, and laptops remains secure even if the device is stolen.

Partition: This is encryption of specific partitions of a disk instead of the whole disk, permitting selective encryption of some partitions while leaving others unencrypted. it is useful to protect sensitive data in a partition.

File: This level of encryption is achieved with third-party programs or Microsoft's EFS (Encrypting File System), which encrypts individual files or folders without compromising the security of the system's other data.

Volume: Volume encryption secures an entire logical volume or virtual disk, which is commonly used in virtual machines or storage devices, by encrypting certain files or directories within that volume.

Database: Database encryption uses symmetric keys to provide transparent encryption, protecting sensitive data by encrypting the entire database. It can also be applied at the column, row, or table levels to protect data from transmission and unauthorized access.

Record: Record encryption uses different symmetric keys to encrypt each column within a database or file, providing greater protection. 

we aren't neglecting encryption methods for data in motion, are we? let's go over them

Transport/communication Encrption: This type of encryption secures data as it travels across networks. here are key transport encryption methods/Protocols:

• SSL (Secure Sockets Layer) and TLS (Transport Layer Security): encrypt data to secure network communications, such as web browsing (HTTPS) and email, with TLS being the updated, more secure successor to the outdated SSL.
• IPSec (Internet Protocol Security): secures IP communications by authenticating and encrypting data packets at the network layer, commonly used in VPNs to protect data sent over the internet.
• VPN(Virtual Private Network): VPNs create a secure, encrypted connection over the internet to protect all transmitted data and are used for secure remote access and privacy, with client-based VPNs using SSL/TLS and site-to-site VPNs using IPsec

we have discussed what encryption is, its use, and different methods of encrypting the different states of data, now let's discuss the 2 different types of encryption

Asymmetric/ Private Key Encryption: uses a single key for both encryption and decryption, is faster and has less computation overhead, but requires secure key distribution and lacks non-repudiation

Symmetric/Public Key Encryption: uses different keys (public and private) or encryption and decryption, where the public key can be shared freely and the private key remains secret, it is slower with more computational overhead than symmetric encryption.

When choosing an encryption method, several key factors should be considered

Key exchange: Securely sharing encryption keys is important, especially over insecure mediums. This can be done through out-of-band methods like using a telephone or courier for physical transfer, or in-band methods such as asymmetric encryption to transmit symmetric session keys. Real-time encryption demands fast, ephemeral keys, which must be carefully managed. Key exchange protocols such as Diffie-Hellman and Elliptic-Curve Diffie-Hellman (ECDH) enable secure key agreements.

Algorithms: An encryption algorithm is the mechanism used to change data into ciphertext. An algorithm will use the encryption key to alter the data predictably so that even though the encrypted data will appear random, it can be turned back into plaintext by using the decryption key.

Key length: Key length, measured in bits, determines the security of encryption algorithms, with longer keys offering stronger protection, especially against brute force attacks; symmetric encryption commonly uses 128 bits or a little higher, while asymmetric encryption employs much larger keys of 3,072 bits or larger.

Some common symmetric encryption algorithms include:

DES (Data Encryption Standard): Uses a 64-bit key (56 effective bits) to encrypt data in 64-bit blocks.

AES (Advanced Encryption Standard): Replaced DES and 3DES and supports 128, 192, or 256-bit keys and block sizes, and used for sensitive unclassified information.

Blowfish: has key sizes from 32 to 448 bits, developed as a DES replacement but not widely adopted

Some common asymmetric encryption algorithms include:

Diffie-Hellman: Used for secure key exchange and distribution over insecure channels, therefore it is commonly used in VPNs (IPSec).

RSA (Rivest-Shamir-Adleman): used in multi-factor authentication and Digital signatures. it works off the factorization of the product of two large prime numbers

Elliptic Curve Cryptography (ECC): Efficient and secure, based on elliptical curve mathematics, used in mobile and low-power devices.

Different Tools for Encryption

Trusted Platform Module (TPM): is a hardware-based security component designed for the secure storage of keys, passwords, and other sensitive data. It performs encryption and digital signing, features versatile memory for securely storing BitLocker keys and hardware configuration information, and is commonly used in BitLocker drive encryption for Windows devices while also offering protection against dictionary attacks.

Hardware security module (HSM): is a physical device designed to protect, store, and manage digital keys, it performs encryption and decryption while ensuring key security and regulatory compliance, often used in mission-critical scenarios like financial transactions and large environments with clusters and redundant power.

Key management system: is a centralized solution for managing the entire lifecycle of cryptographic keys, including their creation, storage, rotation, and destruction, ensuring efficient and secure key handling to protect data and prevent unauthorized access, while automating key management tasks and integrating with various systems to enforce encryption policies.

Secure Enclave: is an isolated coprocessor within a device that handles sensitive data and operations securely by providing extensive security features such as real-time memory encryption, monitoring system boot process, and root cryptographic keys, while being isolated from the main processor to protect sensitive data and prevent unauthorized access to devices.

Obfuscation

Obfuscation is the process of making data difficult to read or analyze by concealing it in plain sight or hiding it within other mediums.

Let us go over different obfuscation methods

Steganography: involves hiding data within other media such as images, audio, or video to make the message invisible but present, techniques include embedding messages in TCP packets, images, or modifying digital audio and video files, and is often used with encryption to enhance security while being challenging to detect due to its obscurity.

Tokenization: involves replacing sensitive data with non-sensitive placeholders. Unlike encryption and hashing, tokenization does not mathematically link the original data to the token, lowering the risk of sensitive data exposure during transactions. It is commonly used in payment systems and credit card processing to protect actual card details and meet security standards.

Data masking: is the process of masquerading original data to conceal sensitive information while keeping its authenticity and usability. It is widely used in testing environments, particularly for software development. Data masking is common in sectors that handle personal information, where it covers sensitive data such as credit card digits and social security numbers.

Hashing

Hashing is the process of converting data into a fixed-size string of characters known as a hash value or digest, which is then used to verify data integrity and assure security. Strong and widely used algorithms include SHA256, while MD5, despite being less secure, is still employed for compatibility.

Hashing is a one-way function, so the original data cannot be recovered from the hash. It is used for securely storing passwords and ensuring the integrity of downloaded data or files. A hash can also be used as a digital signature to ensure authenticity, non-repudiation, and integrity.

A hash function generates a unique digest for every input. A collision happens when two separate inputs provide the same hash value. MD5 is known to cause collisions and is not recommended for use in secure applications.

Salting

Salting is a security technique that adds random data (salt) to passwords before hashing, which guarantees that even identical passwords create different hash values and defend against attacks such as rainbow tables and brute-force attacks.

Digital Signatures

Digital signatures use a hash digest encrypted with a private key to authenticate the sender, verify the message's integrity, and ensure non-repudiation, with the recipient decrypting the signature with the sender's public key to confirm that the message was not altered and that the signature is genuine.

Key stretching

Key stretching is a technique that strengthens a weaker key by generating longer, more secure keys (at least 128 bits), thereby increasing the time required to crack the key, and is utilized in systems such as Wi-Fi Protected Access, Wi-Fi Protected Access version 2, and Pretty Good Privacy

Blockchain

Blockchain is a distributed ledger that tracks transactions through a shared immutable ledger, with each block containing the previous block's hash, a timestamp, and hashes of individual transactions, ensuring trust, transparency, and chronological order. It is widely used in cryptocurrencies such as Bitcoin and for payment processing, digital identification, supply chain monitoring, and digital voting.

Open public ledger

A public ledger is a secure and anonymous record-keeping system that protects users' identities, tracks cryptocurrency balances, and records all legitimate transactions inside a network.

Digital Certificates

Digital certificates are digitally signed electronic documents that link a public key to a user's identity and are used across individuals, servers, workstations, and devices. They follow the X.509 standard and include details such as the certificate holder's name, public key, serial number, version, signature algorithm, issuer, and extensions, with trust established through Certificate Authorities in a PKI system or a Web of Trust, and can be created through operating system or third-party options.

let us go over the concepts of issuing digital certificates

Certificate authorities: A Certificate Authority (CA) is a trusted third party that issues digital certificates, verifies certificate requestors' identities, and links their identities to a public key, with the certificate containing the CA's information and digital signature; this trust model ensures that certificates can be relied on for secure connections to websites and other entities as long as the CA is trusted, allowing for real-time verification of authenticity.

Certificate revocation lists (CRLs): Certificate Authorities (CAs) maintain a Certificate Revocation List (CRL), which consists of certificates that have been revoked before their expiration date, therefore preventing the use of compromised or outdated certificates; it is frequently updated with new revocations.

Online Certificate Status Protocol (OCSP): OCSP (Online Certificate Status Protocol) is used to check the real-time status of a digital certificate, enabling clients to query an OCSP responder for certificate validity rather than downloading a CRL, which is more efficient; OCSP stapling improves this by having the certificate holder regularly retrieve the OCSP status from the CA and include it in the SSL/TLS handshake, improving performance and reducing the load on CA servers.

The root of trust: The root of trust is the highest level of trust in a certificate validation hierarchy, established through a root certificate issued by trusted third-party providers like Verisign or Google It may include various components such as hardware security modules (HSMs), secure enclaves, and certificate authorities, ensuring trust in IT security.

Certificate signing request (CSR)generation: A Certificate Signing Request (CSR) is a unit of encoded text containing information about the entity requesting the certificate, including their public key, which is sent to a Certificate Authority (CA) for validation and signing, while the requester retains control of the private key; the CA verifies the request, confirms ownership details, and returns the signed certificate to the applicant.

let us go over some Types of Digital Certificates

Self-signed: Self-signed certificates are digital certificates signed by the same entity whose identity they validate; they provide encryption but lack third-party trust and are used for internal purposes or testing; for more general internal use, organizations can build their own CA, issue self-signed certificates, and install the CA certificate on all devices to create a trusted internal certification chain.

Third-party: Third-party certificate authorities (CAs) are built into browsers and systems, enabling you to obtain a web certificate that will be widely trusted. These CAs are in charge of verifying the certificate request, including confirming the certificate owner's identity, making them the preferred choice for public-facing websites due to their high credibility and recognition.

Wildcard: A wildcard certificate secures several subdomains with a single certificate, making maintenance easier and less expensive; nevertheless, if the wildcard certificate is compromised, all related subdomains are affected. likewise, the Subject Alternative Name (SAN) extension in X.509 certificates can list several domain names or subdomains, whereas a wildcard domain certificate covers all subdomains under a specific domain, such as *.cyvally.com.

If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees.

~Kahlil Gibran

Review Questions

My first time boarding the yellow buses in Lagos State wasn't a funny one. I took a bus from Lekki Phase 1 to Ajah. As a Yoruba girl who had stayed in Port Harcourt and was just arriving in Lagos, my first instinct wasn't to use the popular "owa" to indicate that I wanted to get off. Using the word "highlight" wasn't an option either, as Twitter stories had taught me that people might look at me strangely. So, I used the usual "dropping" word, as I was used to in Port Harcourt, and the drivers there clearly understood. Ladies and gentlemen, the driver carried me past my destination. The other passengers told me I should have used "owa" and mentioned the exact destination. Trust me, I have learned my lesson.

In this story, "ports" are like bus stops, specific locations where you need to signal your intention to stop. Just as different bus stops have specific names ("Lekki Phase 1," "Ajah"), ports have specific numbers (like 80, and 21). The "protocols" are the methods of communication, how you signal to the driver. In Port Harcourt, I used "dropping," similar to how protocols like HTTP or FTP have specific ways to communicate. In Lagos, the expected protocol was "owa + exact destination," just as HTTP and FTP, respectively.

What's your own way of communicating with conductors or drivers to stop you at your destination?

In this post, we will look into what Ports and Protocols are, the Purposes of common ports and their Encrypted Alternatives

Let's Get Right Into It!!!

What are Ports/ Port Numbers?

A port, often known as a port number, is a number allocated to identify a connection endpoint and route data to a service. Ports guarantee that when data arrives on a device, it is sent to the right service/protocol.

Port numbers range from 0 to 65535, with 0-1023 being well-known.

What are Protocols?

A protocol is a way for computers or devices connected to a network to communicate with one another. It outlines the rules or procedures for transmitting data.

Simply put, they are the common language that computers speak.

Now, let's go through common port numbers, protocols, and their encrypted/ secure alternatives.

Knowing the ports and protocols in your networks is one of the first steps in identifying potential vulnerabilities and understanding how to secure your systems.

If one does not know to which port one is sailing, no wind is favourable.

~Seneca the Younger

To reach a port, we must sail - sail, not tie at anchor - sail, not drift.

~Franklin D. Roosevelt

Review Questions

During my previous role as a Network Performance Optimization (NPO) engineer, in my first month on the job, I received a serious warning from my line manager during one of our training sessions. He emphasized the importance of getting official approval before implementing any optimizations or changes to keep the network running smoothly. Understanding the potential impact of changes, especially in the Radio Network Controller (RNC), where an optimization could inadvertently cause regional degradation and job losses. I learned that our client's primary Key Performance Indicator (KPI) was 100% availability, although optimization is to achieve this goal, getting change approval is most important, which required thorough justification and readiness for any potential side effects by my team. Achieving optimal network performance was a notable accomplishment that NPO engineers, like my friend Rex, celebrated passionately when ranked among the top performers. However, adherence to the rule of obtaining change approval before implementation is a major factor used in deciding the ranks.

In this post, we will look into the concept of change management, explore its impact on business processes related to security operations, discuss the technical implications of changes, and examine the essential elements of effective documentation.

Grab your favorite drink; you're going to enjoy this!

What is Change Management?

Change management is the formal process to make changes to systems, processes, goals and technologies. It ensures that these changes are implemented successfully while minimizing disruption to business operations.
Examples of changes that businesses may implement are application patches, software upgrades, Firewall Configuration Updates and Vulnerability Remediation

Business Processes Impacting Security Operation

Business processes have a great impact on security operations, determining how controls are managed in an organization. Let us go over some business processes impacting security operations:

Approval Process: security changes are evaluated and authorized by key stakeholders (Change Advisory/Control Board) before execution, hence promoting uniformity and adherence to organizational standards.

Ownership: The change owner is the individual who needs to make a change. The owner controls the change process and tests the system to ensure that the change is executed effectively and has no negative impact on the organization.

Stakeholders: individuals or groups with an interest in the proposed change, as they will be affected by its implementation and play a role in its evaluation and execution.

Impact analysis: often referred to as Business Impact Analysis(BIA) helps mitigate risks and focus on recovery efforts by evaluating the potential impact of proposed change.

Test results: entail conducting test both before and after implementing changes to confirm the desired outcomes and identify areas needing further adjustments. A sandbox test, conducted in an isolated environment, is a common pre-production test that does not impact live systems.

Backout plan: strategy for rolling back to original configurations to limit the impact of failed security changes, thereby minimizing disruptions to business operations.

Maintenance window: scheduled time to implement security changes without notably impacting operations. This is decided after understanding business busy/peak hours.

Standard Operating Procedure(SOP): documented step-by-step procedures for implementing a change in order to promote consistency and efficiency in security operations.

Technical Implications of Changes

These are possible implications that changes to systems, software, or configurations may have on an business operations.

Allow lists/deny lists: are list that dictate which applications are permitted or blocked from operating in your organization. When applying changes, review these lists to ensure that only the right applications are allowed, as they are ones that can be assessed.

Restricted activities: only implement changes outlined within the change control document's scope. In instances where adjustments are necessary, a documented change control process should be in place to ensure clarity and avoid confusion among all stakeholders.

Downtime: Applying changes might cause service disruptions which could lower productivity and perhaps cost the business financially. You can minimize downtime events by having secondary system in place to provide availability for the period of change implementation. You can also send out notices to those who may be impacted should there by a downtime.

Service restart: some changes may require service restarts and have the potential to disrupt services, resulting in backlogs or data loss.

Application restart: just like service restart, applications may also need to be restarted in response to changes thereby interfering with accessibility or performance

Legacy applications: Legacy applications are older software still in use due to their critical importance to the organization, despite the availability of newer alternatives, yet they lack support and are less flexible, making them more sensitive to change, where even minor alterations can lead to system crashes.

Dependencies: Before implementing changes, it is essential to map dependencies as interconnected systems create dependencies in which changes in a single domain impact others, requiring careful evaluation to ensure that all dependencies are addressed, avoiding disruptions or compatibility issues in systems or software.

Documentation

Change documentation is the practice of documenting any changes in any area of an organization's operations. It entails recording the reasons for the change, the precise adjustments made, the people or groups in charge of putting it into practice, and any related effects or considerations. Let's go over the elements of proper documentation

Updating diagrams: Regularly examining and modifying diagrams (network diagrams, system architecture diagrams, and process flowcharts) to accurately reflect the current state of systems, configurations, and interdependencies. This helps stakeholders in better decision-making, troubleshooting, and planning.

Updating policies/procedures: Organizational policies, processes, and documentation standards should be constantly reviewed, updated, and documented to ensure that they meet changing business needs, standards and industry best practices.

Version control

Version control is a system for tracking and managing changes to files, documents, software code, and other digital assets. It enables multiple users to work together on projects by providing means for tracking changes, reverting to prior versions, and managing continuous edits.

It keep track of modifications, allowing users to determine who made what changes, when, and why. This improves teamwork by assuring consistency, reducing conflicts, and promoting collaboration in software development and other collaborative environments, which are foundational to the principles of DevOps.

END!!!

"If anything is certain, it is that change is certain. The world we are planning for today will not exist in this form tomorrow."

Philip Crosby

Review Questions

Ever kept an electronic journal to jot down your innermost thoughts and secrets? Let's connect this to the CIANA Pentagon:

C- Confidentiality- To maintain its privacy, you'll encrypt it and store it on a platform with strong access controls.

I-Integrity- you can apply cryptographic hash functions to ensure that the content remains unchanged and unaltered.

A- Availability- you consider creating regular backups. having a soft copy stored in the cloud or another secure location.

N-Non-repudiation- you digitally sign each entry, so you cannot later refute it. The digital signature serves as a unique seal that verifies your authorship.

A-Authentication- To access the electronic diary, a strong authentication mechanism is in place where only you, with the right credentials, can unlock and modify the content

In this post, we will explore several fundamental security concepts such as the CIA Triad, which later extended to CIANA Pentagon, the triple A's, and others.

JUMP ON THIS RIDE!!!

CIA TRIAD

The CIA Triad is fundamental to IT security. Everything we do in cybersecurity focuses on achieving CIA. Let's discuss the CIA in detail.

Confidentiality: the principle that ensures information can be accessed by only those with authorization. Let's discuss some security measures to ensure confidentiality

• Encryption: It converts plain text into ciphertext, securing information from unauthorized access by rendering it unreadable to outsiders.
• Access control: it restricts access to confidential information, allowing only authorized individuals to view it. This can involve password restrictions, two-factor authentication, and role-based access control.

Integrity: the principle that ensures information is reliable and accurate and that modification cannot occur without detection. Let's discuss some security measures to ensure integrity

• Hashing: this is the process of converting data into a fixed-length string of characters that cannot be changed back to its original form. Integrity is ensured by verifying the received data's hash value against the hash value of the original data, allowing detection of any alterations or modification.
• Digital Signatures: are used to validate the authenticity of electronic documents and ensure they have not been altered. Cryptographic procedures are used to generate digital signatures, which can be used to validate the signer’s identity.
• Digital certificates: are electronic papers that are used to validate the identification of individuals, companies, or devices as well as to enable secure internet communication.

Availability: the principle that information is accessible to authorized users at all times. Let's discuss some security measures to ensure availability

• Redundancy: refers to the process of duplicating important components or systems to guarantee their availability in the event of a malfunction.
• Patching: is the process of updating software to fix vulnerabilities and ensure system stability by reducing the risk of exploitation and downtime.
• Backups: are copies of important information or system configurations that can be used to restore the original information or configurations in the event of a breakdown or loss. In the event of an interruption, they guarantee that critical data and systems can be quickly restored.

TO READ UP ON MORE SECURITY MEASURES- CIA TRIAD

Non-repudiation

Before diving into what Non-repudiation is, ever heard of the CIANA pentagon?

CIANA pentagon is an extension of the CIA Triad, its stands for Confidentiality, Integrity, Availability, Non-Repudiation and Authentication.

Non-repudiation: is a principle that proves that an event or action took place and cannot be denied by those involved. Non-repudiation is essential for authenticating by proving the source of the message, preserving integrity, and establishing accountability in digital processes. Digital signature is used to ensure Non-repudiation

• Scenario: A digital signature uses asymmetric cryptography, which consists of two keys: a public key and a private key. The sender(Gabriel) uses his private key to generate a unique digital signature for the communication. The recipient(Lola) verifies the signature using Gabriel's public key. The private key is only known to Gabriel and the public key is openly distributed so Lola can authenticate that the message was truly signed by Gabriel. Because the private key is necessary to generate the signature and only Gabriel has it, he cannot deny sending the message, ensuring non-repudiation.

AAA Framework/The Triple A's

This framework begins with identification, which is who you assert to be, the most frequent example is your username.

Authentication: A security measure that verifies users and entities are who they say they are. Password is an example

Authorization: refers to the rights and privileges given to users or entities upon their authentication. Permissions and privileges are granted based on roles, policies, or attributes.

Accounting: a security measure that guarantees accurate tracking and recording of every user action throughout  their operations

Gap Analysis

Gap analysis is a method used to evaluate the variance between an organization's current performance and its desired objectives. In simpler terms, it assesses the difference between our current security status and our desired security goals. Before beginning a gap analysis, it is important to have clear goals in mind. Standards like NIST or ISO/IEC 27001 help to set a baseline for achieving the intended results. A gap analysis is an effective technique for organizations looking to improve their security posture. The following are steps involved in conducting a gap analysis

• Define Goals and Objectives
• Identify Current Security State
• Compare the current state to the desired state to identify any gaps
• Develop a detailed action plan to bridge the gap
• Carry out the action plan by executing the suggested solutions.
• Regularly track and assess progress to close the gaps.

Zero Trust

The Zero Trust concept is "never trust, always verify." This means all devices, users, systems, or transactions in the company's network are not automatically trusted. Rather, it demands constant identification and security posture verification, irrespective of their location, origin, or point of network entrance. The control plane and Data plane are needed for a zero-trust architecture

Control Plane: This is the framework and factors in charge of creating, overseeing, and implementing the policies governing user and system access in an organization. it manages the actions taking place in the data plane. The key elements/technologies of the control plane are

• Adaptive identity: refers to verifying a user's identity and implementing security measures according to the authentication they have provided. An example of factors used is the user's device and location.
• Threat scope reduction: refers to limiting users' access to only what's needed to get their job done to strengthen the overall security against cyber threats by reducing the attack surface of the network and improving resilience against malicious acts.
• Policy-driven access control: involves creating, overseeing, and implementing user access policies per their roles and responsibilities. It is adaptive identity + established policies
• Policy Administrator: Communicate with policy enforcement point on whether to allow or deny access
• Policy Engine: compares the access request against its established policies.

Data Plane: This component of network devices executes the actual security processes, such as packet forwarding and filtering. Examples include switches and routers.

• Implicit Trust Zones: These are network areas where trust is automatically assumed, based on predetermined security policies.
• Subject/System: These are anything that interact with the network, like users, devices, or applications.
• Policy Enforcement Point: This is the technology in charge of enforcing access controls and security policies. As data packets move over the network, it intercepts them, examines them based on predetermined policies, and decides whether to allow, deny or modify them.

Physical security

Physical security refers to controls in place to secure physical assets, resources, and personnel from illegal access, theft, damage, or harm. Let us go over some examples of these controls

Bollards: Short post or object for directing or preventing vehicle access.

Access control vestibule: Electronically controlled double door system that only permits one door to open at a time

Fencing: physical barriers that define limits and restrict entry to a particular area.

Video surveillance: deploying recording devices and cameras to observe and record visual data in real-time.

Security guard: Persons with the necessary training who are in charge of patrolling, keeping an eye on, and ensuring security in a specific area.

Access badge: Personalized identity cards or badges provided to authorized persons to allow regulated access.

Lighting: lighting to improve visibility and deter criminal activity.

Sensors: devices that are capable of sensing and responding to environmental variations or external triggers, there are 4 categories of sensors

• Infrared: detect infrared radiation generated by objects, which allows them to detect temperature changes or movement(but in a smaller area). They are widely used in motion detectors.
• Pressure: detects force changes, it is activated whenever the sensor implanted in the floor or a mat detects a certain minimum weight.
• Microwave: emit microwave signals and analyze the reflections to detect motion in a larger area
• Ultrasonic: measures ultrasonic wave reflections to detect motion and collision, it is commonly used in parking areas and robotic application

Deception and disruption technology

Cyber strategies such as deception and disruption are used to counter advanced threats. These strategies involve using deceptive components (SUCH AS THE ONES WE WILL BE DISCUSSING BELOW) to expose threat actors. Deception entails deploying decoy assets to entice attackers and makes it simpler to spot intrusions and regulate normal behavior.

Honeypot: a server that is created to mimic a real server but contains fake data instead of actual data. it is used to entice attackers to reveal and analyze their strategies.

Honeynet: it is a collection of honeypots

Honeyfile: it is a file that is made to appear to be a genuine file on a server, but the information it contains is false. The data can be monitored for access and can contain triggers to notify DLP solutions, acting as a trap for intruders. A common example is a password.txt file that the bad guys will believe is real, opening this file will trigger an alert.

Honeytoken: it is fake data added to Honeynet to detect and alert on unauthorized access

END!!!

Many things in life can be safely ignored but ignoring Cybersecurity Safe Practices is an open invitation for disaster.

JC Hunter

Review Questions

Action movie fans like myself will enjoy this: Marvel agents go on a quest to find a vital document locked within a safe in a building. The heroes were faced with series of difficulties, each emphasizing a different security control put in place by the Villian. The first obstacle is manipulating an electronic gate(Technical Control) of the building with sophisticated hacking tools to gain access. Next are wild guard dogs(Physical Control) which the team used their firearms on. When the team gets to the safe's room, they find a tripwire, a security device managed with strategic precision. Contact with this wire will instantly sound an alert; this feature is managed by managerial control. Operational control is demonstrated by the last barrier of security, an identification mechanism at the impenetrable safe where fingerprint scans, retinal recognition, and voice authentication become the key to unlocking the safe

In this post, you will learn about the different types of security controls

WALK WITH ME!!!

WHAT ARE SECURITY CONTROLS

I appreciate the NIST definition of security controls, which states, "A countermeasure prescribed for an information system or an organization, designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements." This definition highlights that we not only need security controls to ensure the CIA of information but to also align security measures or countermeasures with specific objectives and standards set forth for information protection.

HAVEN'T HEARD ABOUT CIA TRIAD?
CYVALLY GAT YOU WHAT IS CIA?

CATEGORIES OF SECURITY CONTROLS

• Technical: refer to the use of technology for risk management and reduction

Examples include antivirus software, intrusion detection systems, access controls, encryption, and firewalls.

• Managerial: Often referred to as administrative controls, concentrate on planning, policies, and procedures to manage security risk. 

Examples are incident response plans, security awareness training, risk assessments, and security policies.

• Operational: includes day to day procedures and actions that enhance security.

Examples include incident reporting, change management, backup processes, and user authentication.

• Physical: are measures that prevent unauthorized physical access to assets.

Examples include locks, security cameras, biometric access controls, and environmental controls (such as fire suppression systems).

TYPES OF SECURITY CONTROLS

Preventive: measures to stop security incidents before they happen. Examples are access controls, encryption, IPS and firewalls.

Deterrent: measures to discourage potential attackers making their effort less tempting to continue. Examples include noticeable surveillance cameras, security patrols, and warning signs.

Detective: measures to identify and alert as security incident happens. Examples include log monitoring, security audits, and IDS.

Corrective: measures to mitigate the impact of security incidents and return systems to normal operation. examples are recovery techniques, system backups, and incident response plans.

Compensating: measures that offer substitute protections. Multi-factor authentication is an example.

Directive: Guide behavior and actions to ensure compliance with security policies. Examples include awareness and training programs, safety policies and procedures.

To provide a multi-layered defense against a range of threats, it is frequently necessary to combine several control types and categories for better effectiveness.

“Technology trust is a good thing, but control is a better one.”

Stephane Nappo

REVIEW QUESTIONS

We learned about automated vulnerability scanning in our last post, but it does not assess what a highly proficient threat actor would be capable of. Penetration testing is an assessment that uses strategies and procedures to simulate intruders. Understanding the underlying notion of pentesting is critical regardless of the team you belong.

In this post, you will learn about different penetration testing concepts, the passive and active ways of performing reconnaissance and exercise types

STAY TUNED!!!

Penetration Testing Concepts

A penetration test simulates an attack on a system in order to evaluate security. A pentest includes procedures such as threat verification, security control bypass, active control testing, and vulnerability exploitation. It is frequently referred to as ethical hacking. Pentesters acquire initial access, then try to expand it. There are other test variations, including blind tests (where the attacker is unaware of the system) and double-blind testing (where the staff is unaware of the test). The following are different penetration testing concepts:

Known Environment: An assessment where the pentester has a full disclosure and total access to the target. It is also known as a White box.

Unknown Environment: An assessment where the pentester has no information regarding the target. it is also called black box. Pentest is performed from an external viewpoint without having any knowledge of the internal operations.

Partially Known Environment: An assessment that replicates an insider attacker who is only partially familiar with the target. it is also called Gray box

Rules of Engagement: These are rules and guidelines set for the penetration test's scope and purpose. They specify the pentester's rights and obligations, making it easier to make sure the test is carried out securely and within the legal limits.

Lateral movement: This means moving from system to system after acquiring initial access in order to investigate and exploit other systems. It helps to determine how far an attacker might go in a compromised environment.

Privilege escalation: It is the process of getting additional account privileges. Pentesters put the system's defenses to the test by attempting to elevate privileges above what an initial intrusion would allow.

Persistence: This is the ability to continue to exist after a system restart or a network disconnect. This indicates that the attacker can and will return to the network, using good techniques and several accounts so that their reentry will not be noticeable.

Cleanup: For a threat actor, this entails getting rid of any trace of the attack, or any evidence that might link them to it. For the pentester, this stage calls for the removal of any backdoors or tools and verification that the system is not any less secure than it was before the engagement.

Bug bounty: Several organizations have bug bounty programs where they compensate/reward people who responsibly report security flaws. This could be a tactic used during pentesting to entice ethical hackers to discover and report vulnerabilities.

Pivot: It entails using a hacked system as a launching pad to attack other systems on a network.

Passive and Active Reconnaissance

Reconnaissance is gathering information about the target, it can be passive or active.
Passive reconnaissance entails gathering data without directly interacting with the target system, so avoiding discovery or trigging an alert. Active entails directly interacting with the target system or network to acquire information and find vulnerabilities. such as performing a port check to identify any open ports or gaining physical access to premises. The following are different ways of gathering information:

Drones: A flying machine without a human pilot inside.

War flying: Drones can be used by pen testers for "war flying," which is a technique for approaching and capturing wireless network signals, allowing them to record network traffic.

War driving: This entails driving around with devices capable of detecting and recording wireless networks.

Footprinting: This is the first step in gathering live information about a network. This method is used by pen testers to gather information about computer systems, the relationships between them, and occasionally user data. Specifically, network sniffing and scanning technologies are used to achieve this.

OSINT: it is the use of publicly available information sources to obtain knowledge about a system.

Exercise Types

Red-team: They are the attacking/offensive team that attempts to enter the target by playing the attacking role.

Blue-team: They are the defensive team that operates by monitoring and alerting controls to detect and stop the infiltration.

White-team: They are the panel of judges that does not belong to any team. They determine scores and rules in an exercise.

Purple-team: it is the combination of the red team and blue team player. Red team member assist your blue team in understanding the moves from the attacker's point of view.

Pentesting is not a technique, it's a skill. A technique is obtained through knowledge, A skill is obtained through practice.

Rafay Baloch

Review Questions

The story of "Alarina" as a middleman between potential spouses raises concerns about the possibility of manipulation and disruptions in the communication process. Now, let's take this to the digital world, EVER HEARD OF THE MAN-IN-THE-MIDDLE ATTACK? it is an attack that involves interception and manipulation of communication between two entities. leading to unauthorized actions. Although both scenarios involve intermediaries who have the power to influence the flow of information, raising concerns about the trustworthiness and integrity of the communication process, Alarina's role is based on trust and consultation, a man-in-the-middle attack is an act of deception and malicious intent.

In this post, you will learn about the indicators of network attacks. These indicators provide details about the nature of the attack, what is happening, and the required countermeasures.

Stay plugged!!!

4.1 Wireless Attack Types

Wireless networking technology is widely utilized, with several protocols and techniques available to connect users to networks without the use of physical wires. Wireless networking, like any other software system, is vulnerable to hacker efforts. Let's look at the types of wireless attacks:

Evil twin

• An evil twin involves a rogue WAP masquerading as a legitimate one

• It may share the same name (SSID) as the real one

• This attack involves an attacker using their own AP that looks like a stronger connection.

• The attacker has the ability to intercept network traffic from users who connect to the malicious access point, potentially gaining access to private data.

Rogue access point

• This is an unauthorized access point that is installed with malicious intent or not.

• Attackers can set up rogue access points to create backdoor, eavesdrop on network traffic, launch man-in-the-middle attacks, or gain unauthorized access to the network.

• Ensure that you periodically survey the site to detect rogue WAPs

• Use 802.1X (Network Access Control) to mandate authentication for all connections

Bluesnarfing

• An attack where an attacker uses a Bluetooth connection to obtain unauthorized access to data on a target device

Bluejacking

• It involves sending unsolicited(SPAM) text (or picture/video) message or vCard (contact details) to Bluetooth-enabled devices.

Disassociation Attack

• Disassociation attacks are attempts to disconnect a host from the wireless access point and the wireless network.

• A disassociation attack sends spoofed frames by taking advantage of the lack of encryption in management frame communication.

• Attackers can prevent genuine users from connecting to the network by delivering fake disassociation signals, which results in denial-of-service (DoS) problems.

• It can be mitigated by configuring Management Frame Protection (MFP/802.11w) , both on clients and WAP

Jamming

• An attack in which radio waves interferes with 802.11 wireless signals.

• it can result from installing a WAP with a stronger signal

• To detect the source of interference, use a spectrum analyzer

• To mitigate, locate and disable the malicious radio source or boost the signal on the legitimate source.

Radio frequency identification (RFID) Attack

• RFID is used on anything that requires tracking; such as access badges

• Attackers might take advantage of flaws in RFID technology to intercept or alter information being sent between RFID tags and readers, thereby obtaining access or tampering with the data.

• Skimming(unauthorized capture of information from RFID tags) is a good example of RFID Attack.

Near-field communication (NFC)

• NFC is a 2-way (peer to peer) radio communications system that enables contactless payments across very short distances.

• it is a high-frequency subset of RFID

• NFC is mainly used for contactless point-of-sale transactions. Customers enter their credit card details into a mobile wallet app to set up a payment service. Instead of transmitting the actual credit card data, the app sends a one-time token that the merchant links to the correct client account.

• Attackers can perform Remote capture, frequency jamming that will lead to a DoS attack

Initialization vector (IV)

• IV is a random value used in cryptographic algorithms, particularly in wireless encryption protocols like WEP (Wired Equivalent Privacy)

• IV is a type of nonce (generated once) and used at the beginning of a connection. its primary aim is to prevent replay attack

• IV-related attacks take advantage of weaknesses in the creation or maintenance of the IV, giving attackers access to wireless networks and the ability to decrypt encrypted data.

4.2 On-path attack/Man-in-the-Middle attack/Man-in-the-Browser Attack

• This is a type of eavesdropping where an attacker establishes a separate link between two victims and steals information

• The threat actor positions themselves between two hosts and intercepts, watches and broadcasts all of their communication

• In Man-in-the-Browser attack, a malware attack installs a trojan element on the target machine. This trojan can act as a proxy and modifies the browser's behavior by utilizing browser helper objects or extensions.

• On-path attacks can be defeated using mutual authentication, where both hosts exchange secure credentials.

4.3 Layer 2 attacks

Local addressing decisions are made at Layer 2 of a network. Switches and MAC address operate at this layer. Here are types of Layer 2 attacks

Address Resolution Protocol (ARP) poisoning

• ARP matches IP addresses to MAC addresses on a local network

• An attacker uses ARP poisoning to deliver fake ARP packets to a target computer, forcing it to link wrong MAC addresses with specific IP addresses

• All traffic destined for remote networks will be sent to the attacker

• The attacker can use a man-in-the-middle attack by monitoring the communications and then sending them to the router, or by changing the packets before transferring them or DOS attack by not forwarding the packets.

Media access control (MAC) flooding

• This is an attack on the switch

• The MAC address table is used by the switch to decide which port to utilize to forward unicast traffic to the correct destination.

• It involves an attacker exhausting the switch's memory capacity by flooding it with a high number of false MAC addresses.

• Overwhelming the table result to the switch to abandon MAC-based forwarding and flood unicast traffic out of all ports, effectively acting as a hub. This leads to the attacker eavesdropping on network traffic

MAC cloning/MAC address spoofing

• This involves an attacker forging the network interface card's (NIC) factory-assigned MAC address in order to impersonate another device on a network.

• The manufacturer assigns a unique MAC address to each network interface. An attacker can trick network switches and routers into associating their own device with the cloned MAC address by cloning the MAC address of another device.

• It can be used to bypass MAC address filtering

4.4 Domain name system (DNS) Attack Types

The Domain Name System (DNS) of port 53, resolves Fully Qualified Domain Name (FQDNs) to IP addresses. It makes use of a distributed database system to store information about domains and hosts within those domains.

Domain hijacking/Brandjacking

• This is the unauthorized takeover of a domain name by compromising the domain registrar or DNS (Domain Name System) credentials.

• The attacker gets control of the domain name and can modify its DNS records, routing traffic intended for the genuine domain to a different website

• The whois command can be used to check up domain registration information in order to detect misuse.

DNS poisoning

• Also called DNS cache poisoning or DNS spoofing

• It corrupts the DNS cache by inserting fake DNS information into it, forwarding a domain name to an IP address of the attacker's choice and redirecting visitors to malicious websites.

• it can also be achieved via Man in the middle attack.

Uniform Resource Locator (URL) redirection

• A uniform resource locator (URL) is an address for website pages and files.

• URL redirection is the use of HTTP redirecting to open a page other than the one requested by the user.

• Malicious actors might utilize the URL redirection mechanism to redirect users to phishing websites.

• Types of URL redirection is Typosquatting/brandjacking

Domain reputation

• This is the assessment of a domain's integrity and reputation

• If your domain, website, or email servers have been compromised, they are likely to be exploited for malware distribution. Monitor your site via talosintelligence.com/reputation_center to detect misuse early.

DNS Security

• Local DNS servers should only allow recursive requests from authenticated local hosts and not from the Internet on a private network.

• Establish access control techniques on the server to prevent a malicious user from manually modifying records.

• Clients should also be limited to using authorized resolvers for name resolution.

• Implement DNS Security Extensions (DNSSEC) to provide a validation mechanism for DNS answers, which helps to mitigate spoofing and poisoning attacks.

• To prevent Footprinting, Implement Access Control List to block zone transfers to unapproved hosts or domains, preventing an external server from learning about the private network architecture.

NOTE: DNS footprinting is the process of acquiring information about a private network by utilizing its DNS server to make a zone transfer (all the records in a domain) to a rogue DNS server or by querying the DNS service with a tool like nslookup or dig.

4.5 Distributed denial-of-service (DDoS)

DOS attacks impair resource availability, whereas DDOS attacks flood a service with traffic from several infected hosts. DDOS attack can be mitigated by high availability services and stateful firewalls. ACLs, blackholes or sinkhole can also be used to mitigate against a DDoS attacks with blackholes being preferred to preserve processing resources. Although Legitimate traffic is dropped with DDoS packets in if sinkhole or blackhole is implemented.

Sinkhole refers to the process of transferring flooding traffic to a different network for investigation allowing the source to be identified and filtering rules to be applied.

While A blackhole is a network segment that is inaccessible to the rest of the network. The blackhole method is preferable since it reduces the impact of the attack on the ISP's other customers.

• Network: DoS attack in which the attacker makes multiple SYN requests to a target server in the hope of using enough resources to prevent legitimate traffic from being sent.

• Application: DoS attack that targets vulnerabilities in the headers and payloads of application protocols or resource-intensive activities within web applications or servers.

• Operational technology (OT): OT network is established between embedded systems devices and their controllers. DDoS attacks against vital infrastructure, such as industrial control systems (ICS), Supervisory Control and Data Acquisition(SCADA)systems

4.6 Malicious code or script execution

Scripting promote speed, accuracy, reproducibility, and portability, it can be used for good intent as well as for bad intent. The following are different programming languages or scripting environments:

PowerShell: is a command-line interface and scripting language based on the.NET Framework. It is a primary way for executing Windows administrative tasks.

Python: it is a high-level programming language popular for automation. It can be used for data theft, network scanning, or the creation of botnets.

Bash: It is a Unix-like command shell and scripting language. It can be used to perform privilege escalation, data exfiltration, or creating backdoors.

Macros: are short pieces of code that are inserted within documents, such as Microsoft Office files, to automate repetitive activities.

Visual Basic for Applications (VBA):Programming languages used in Office document automation to construct macros and scripting.Microsoft Office use the Visual Basic for Applications (VBA) programming language, whereas PDF documents employ JavaScript. ALT+F11 can be used to inspect Microsoft Office document macros.

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”

Stephane Nappo

I understand that many of my readers are entry-level professionals and might find the labs a bit challenging. However, if you encounter any difficulties, don't hesitate to reach out to me in the comments section of this post or through my social media direct messages. I'll be more than happy to guide you. I strongly encourage you to complete all the content on the CyberSecBase page and review the previous posts on the Sec+ page. This will help you to better understand the vulnerability assessment scope and get the idea around the labs. Yes, this may be challenging, but trust me, it will be fun too. You won't just gain theoretical knowledge about vulnerability assessment, but also practical skills. I believe this will renew your passion for cybersecurity. I will love to know how engaging you find these practicals, so please remember to share your comments. Your feedback will help decide to add more hands-on activities in the future or not. THANK YOU

To assess anything, you should compare it to a standard to determine how well it aligns. This standard is your organization's security policy, and should comply with external regulations. Threat hunting, penetration testing, and vulnerability assessment are three important security assessments. Threat hunting identifies hidden risks, penetration testing simulates actual attacks and scanners are used in vulnerability assessments to compare system configurations to the baseline.

In this post, you will learn about threat hunting, vulnerability scanning, and syslog/SIEM/SOAR technologies.

Basic Terms

IOCs (Indicators of Compromise): these are pieces of evidence that point to a network or system that has been infected or compromised by a threat actor. IP addresses, domain names, file hashes, URLs, registry keys, and suspicious activity patterns are a few examples.

TTP (Tactics, Techniques, and Procedures): are methods, strategies, and actions used by threat actors to achieve their objectives during a cyber attack.

Threat hunting

Threat hunting is an assessment that looks for TTPs in a system or network using information from threat intelligence. It entails looking for cyberthreats that avoid being noticed by the organization's defenses. Using tools like Threat Intelligence and IOCs, threat hunters may determine the actions an attacker must take and the traces they leave behind. The following techniques are used in threat hunting:

Intelligence Fusion: Threat hunting uses a threat's capabilities, motives, and resources as the foundation for understanding threats in the environment. Through security information and event management (SIEM) and threat analytics platforms, the intelligence fusion approach updates analytics platforms with TTP and IoC threat data feeds.

Threat Feeds: Threat feeds are information about adversaries collected from both internal and external sources. Threat details gathered internally, such as findings from incident responses, help in recognizing threats within your environment. Tools like Structured Threat Information eXpression (STIX) are used in the transfer of information from external sources.

Advisories and Bulletins: Threat hunting requires clear objectives and sufficient resources, often driven by hypotheses about potential threats. Security advisories that identify new TTPs or vulnerabilities are a good place to start when looking for threats. external threat feeds come from respected sources such as security vendors and industry associations.

Maneuver: This involves defenders and threat actors employing deceptive and counterattacking tactics to gain an advantage. It represents a sophisticated adversary's method to network navigation. Threat hunting strengthens defenses against lateral movement by countering attacker lateral movement through network infrastructure monitoring and analysis.

Vulnerability Scans

Vulnerability scanning is the process of examining services on systems for known vulnerabilities in software using signatures and scripts. Scanners, such as Tenable Nessus or OpenVAS, check network hosts for vulnerabilities and compare results to templates and lists of vulnerabilities. These scanners group vulnerabilities, give impact alerts, and offer remedies. The following concept contribute to accuracy, thoroughness, and effectiveness of a vulnerability scan:

False positives: A false positive is something that a scanner incorrectly identifies as a vulnerability. It takes time and effort to investigate the problem and ignoring the scans entirely may result in more serious issues.

False negatives: These are potential vulnerabilities that go undetected by a scan. it can be reduced by regularly performing additional scans and by employing scanners from many vendors.

Log reviews: The validation procedure for vulnerability reports can be improved by reviewing relevant system and network logs. Log reviews might reveal security events, policy violations, and other unusual circumstances that call for additional investigation.

Credentialed vs. non-credentialed: There are two methods for vulnerability scan with credentials and without credentials. Non-credentialed scans provide an outsider's perspective assessment of services for possible vulnerabilities, but they lack in-depth information. Credentialed scans, on the other hand, demand login information and offer more thorough, accurate risk information. They entail extra steps and expose configuration errors, providing details on potential insider attacks.

• Intrusive vs. non-intrusive:There are two types of vulnerability scans: intrusive and non-intrusive. Non-intrusive scans, which only partially comprehensively identify vulnerabilities, analyze intercepted network traffic or passive reconnaissance methods without direct engagement. Although passive scanning, like the Zeek Network Security Monitor, has no effect on the network, it might not catch every vulnerability. On the other side, intrusive scans are active and actively explore target devices, increasing the likelihood of system breakdowns. Intrusive scans try to take advantage of vulnerabilities to show that they exist, which could result in disruptions.

• Application: applications that process data and act as user interfaces are frequently targeted by attackers. A vulnerability scan measures an application's resistance to attacks.

• Web application: web applications provide convenience but also increase the risk of unauthorized access. Vulnerability scans assesses the security of web applications .vulnerability of web app is mostly due to improper input validation

• Network: Users and computing systems are connected through the network, which facilitates data exchange. The network is used by vulnerability scanners to access connected systems. To map and enumerate systems, scans typically cover the whole network.

• Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS): Known software vulnerabilities are included in the CVE, which includes each vulnerability's ID, description, and reference. Vulnerability scanners that identify software versions and related vulnerabilities are built on this foundation. Using a scale from 0 to 10, the Common Vulnerability Scoring System (CVSS) evaluates the severity of vulnerability risk. In addition to other factors, CVSS takes into account exploit complexity, user engagement, and permission requirements. The combination of CVE and CVSS offers insightful information about possible risks related to certain software systems.

• Configuration review: incorrect configurations make systems more vulnerable and may even bypass security controls. Verifying configurations is important for vulnerability assessments, It is advised to perform routine automatic configuration reviews. Resources for measuring and validating configurations are provided by protocols and standards like the Common Configuration Enumeration (CCE) and Common Platform Enumeration (CPE) guides, part of NIST's National Vulnerability Database (NVD)

Syslog/Security information and event management (SIEM)

security controls generate log data and alerts, posing a risk. SIEM technologies aggregate data from various sources and analyze real-time security alerts from network hardware and applications. A protocol for Linux systems called Syslog aggregates logs and delivers them to a server, improving security by segregating problem reports from other logs. Through aggregation, enrichment, and pattern matching for incident response, SIEM transforms raw syslog data into insights that can be used for incident response. The following are concepts that are essential

• Review reports: An alert or a report are the two main output formats from a SIEM. These are predetermined conditions that, in accordance with the system's rules, cause a certain information output. Then, these reports can be examined to establish whether an incident actually occurred or if it was a false alarm.

• Packet capture:Network sensors and NetFlow sources collect information that allows for comprehensive frame inspection and compiled statistics on bandwidth and protocol utilization. Continuous packet captures have been a popular security technology that let experts successfully monitor different network segments. you can replay traffic, assisting investigations. While advantageous, this strategy necessitates large storage and requires careful placement and length consideration for optimal use..

• Data inputs:SIEM systems collect a variety of data inputs from multiple systems. Despite the fact that contemporary networks produce a large amount of log data, SIEM focuses on locating critical information to support particular decisions. Collecting everything costs money and results in pointless reports. Instead, specifying desired outputs and tracking the required inputs from firewalls, network appliances, and important servers are what make SIEM effective. Unused data sources are eliminated as SIEM develops, and more sources are incorporated. The SIEM is fine-tuned by security specialists to meet issues and risks unique to a given environment.

• User behavior analysis: By contrasting them with a baseline, a User and Entity Behavior Analytics (UEBA) solution can spot undesirable behaviors. This software monitors user account activity across platforms and cloud services, including embedded hardware, machine accounts, and other services. Due to the baseline complexity and minimization of false positives, UEBA mainly relies on AI and machine learning. SIEMs apply rules to data to identify certain patterns, typically for server and network events. Modern SIEMs keep an eye out for irregularities by using user behavioral analysis breakthroughs. For instance, analysis is triggered by changes in known user patterns. Microsoft's Advanced Threat Analytics is one example.

• Sentiment analysis:It is a challenging undertaking to create an AI/ML algorithm that can describe or classify intentions expressed in natural language sentences. Recognizing intent presents a significant difficulty for behavior analytics powered by machine learning. Though advancements are being made in this field, which is frequently referred to as sentiment analysis or emotion AI, the complexity derives from a machine's difficulty in understanding context and meaning in natural language. Sentiment analysis is frequently used to track brand-related events on social media, such as identifying dissatisfied customers. Sentiment analysis assists in gathering threat intelligence in security situations to anticipate and identify potential internal or external threats before they develop into attacks. This method looks for patterns in data that reflect human emotions, viewpoints, or attitudes.

• Security monitoring: Data is gathered and analyzed as part of security monitoring in order to spot illegal changes or suspicious activity in connected systems and networks. Setting up alert triggers based on predetermined behaviors is required for this. SIEM devices first focused on data collection before moving on to event data management. Security orchestration, automation, and response (SOAR) systems, which completely automate security procedures, are used in the current stage. Without automated solutions like SIEM and SOAR, security monitoring would be impossible given the complexity of modern IT systems, businesses, attacks, and behavioral patterns.

• Log aggregation:The technique of integrating logs from several systems allows for the peaceful coexistence of various forms. This generates a more complete picture of the system's state than could be obtained from a single data source. Key fields are parsed, altered, and extracted throughout this aggregation process, which is frequently governed by rules or lookups. The goal is to transform various data sources into a format that can be searched and used for particular purposes. This standardized approach encourages reliability and searchability. Using regular expressions for parsing and mapping data to standard fields, SIEM software with connectors interprets and accounts for data from diverse systems. Log aggregation also synchronizes time zones for a single timeline.

• Log collectors: a network appliance that acquires log and/or status information from other network systems. The purpose of log collectors is to collect data from various independent sources and input it into a single source, such as a SIEM. The formats of different sources may vary, but log collectors can synchronize these many field elements into a comprehensive data stream.

Security orchestration, automation, and response (SOAR)

The goal of security orchestration, automation, and response (SOAR) is to address the issue of the volume of warnings outpacing the capacity of analysts to respond. A SOAR can be used as a stand-alone technology or combined with a SIEM, also known as a next-generation SIEM. In order to automate and offer data enrichment for the workflows that support incident response and threat hunting, SOAR first scans the organization's repository of security and threat information, analyzes it using machine learning and deep learning techniques, and then uses that data. Integrated platforms throughout the enterprise's SOAR systems gather data and alerts, bringing them together in one area where automated reactions may subsequently address threats and weaknesses.

Security is always excessive until it’s not enough.

Robbie Sinclair

Review Questions

Links to the Labs

1. Vulnerability Management

2. Nessus Tool

3. OpenVAS Tool

Now, imagine the repercussions a company faces after suffering an attack that results in significant consequences, such as those listed below. The impact on their reputation would be even more severe.

As technology exists and evolves, so do its vulnerabilities. Identifying these weak points and managing your organization's security is important. To conduct a successful security assessment, you must understand the vulnerabilities that affect information systems and networks and prioritize remediation based on their potential impacts (YOU CAN'T REMEDIATE WHAT YOU DON'T UNDERSTAND). It is not all about choosing the right tools (yes, there are hundreds of tools out there) but understanding the consequences of vulnerabilities to focus on critical areas.

In this post, we will explore the various types and impacts of vulnerabilities.

STAY TUNED!!!

6.1 Cloud-based vs. on-premises vulnerabilities

FIRST, WHAT IS CLOUD COMPUTING?

Cloud Computing is the on-demand delivery of IT resources over the internet. The computing environment and their security concerns includes

Cloud-Based: These are services, resources, and applications hosted and provided over the internet by third-party cloud service providers, such as AWS, Microsoft Azure, and Google Cloud Platform (GCP). Vulnerabilities in this environment include data breaches, data loss, shared resources due to multi-tenancy, and insider threats from cloud providers.

On-premises: These are services, resources, and applications hosted and managed within an organization's own physical data centers, providing the organization with full control over its data, software, and hardware. Vulnerabilities in this environment include unauthorized physical access, insider threats from within the organization, lack of monitoring, and delayed response to breaches.

6.2 Zero-day

A zero-day vulnerability is a security flaw discovered by attackers but remains unknown to the software vendor and has no patch. Compensating controls, such as containment measures can me used to mitigate against the risk of zero-day. These controls aim to limit the vulnerability's impact until an official fix or patch is made available.

6.3 Weak configurations

Poor configuration management could be a sign that the company isn't strictly controlling and documenting its assets. Misconfiguration provides attackers with entry points and opportunities to elevate privileges, allowing them to gain control over critical components and potentially compromising the entire enterprise. The following are examples of weak configurations that an organization must avoid and check their systems against:

Open permissions: Permissions specify the types of activities that can be performed on an object within a system. When access rights for user groups are not correctly distinguished, open permissions occur. This leads to an unauthorized person accessing sensitive data or modifying critical settings. ENSURE THAT YOUR PERMISSIONS ARE SECURE.

Unsecure root accounts: The root account, also known as the superuser or Administrator account, has unrestricted system access and poses a serious security risk. Unsecure root accounts give threat actors unlimited access to the system. To reduce risks, implement least privilege management and permission rules to limit the superuser account. Disable direct login to the root account and implement access control vault.

Errors: Applications that are not properly configured can expose error messages that can be advantageous to attackers. To reduce this risk, practice secure coding, avoid disclosure of sensitive information, and ensure that programs trap errors and generate appropriate log files for better security.

Weak encryption: Encryption algorithms protect data at rest and in transit, requiring a decryption key for access. Weak encryption vulnerabilities allow unauthorized access to data. Weak encryption vulnerabilities arise from simple password-generated keys, known algorithm weaknesses, and insecure key distribution. For example, all versions of SSL are now considered deprecated, therefore, TLS should be used. Also, AES (Advanced Encryption Standard) is the strongest encryption algorithm advised to be used.

Unsecure protocols: Unsecure protocols transfer data in cleartext without encryption, leaving it vulnerable to interception and modification. Without encryption, there is no secure way to authenticate endpoints, allowing attackers to perform man-in-the-middle attacks. Examples of unsecure protocols are Telnet, FTP, SMTP, IMAP, HTTP, and their alternatives are SSH, SFTP, IMAPS, HTTPS.

Default settings: Default settings may enable unsecure interfaces, leaving devices vulnerable to compromise and allowing attackers to move through the network undetected. To ensure a secure environment, organizations should customize settings to their specific needs and create a well-defined default configuration baseline.

Open ports and services: To access a service, its port must be open. However, having unnecessary open ports can create potential pathways for unauthorized users to exploit. To ensure security, it's important to control the open ports and services on a system through auditing and disable any unnecessary services that run with elevated privileges.

6.4 Third-party risks

Third-party risk refers to potential risks and vulnerabilities arising from involving external entities, like vendors, suppliers, or contractors, in an organization's operations. Reliance on third-party services exposes organizations to security, operational, financial, and compliance risks.

Vendor management: This involves identifying needs and finding vendors that align with business goals.

• System integration: System integration links components and services from different vendors, with the main risk being a lack of expertise in overseeing the project and excessive trust in the third-party integrator.

• Lack of vendor support: This may occur when manufacturers stop providing assistance for products(This may be due to the product reaching its End of Life), leaving organizations vulnerable. Compensating controls become crucial in such cases.

Supply chain: It involves interconnected components and vendors in an organization's IT infrastructure. When using third-party hardware or software, maintaining local security controls is vital to mitigate risks.

Outsourced code development: This can be a security concern due to lack of control, potential data exposure, and quality assurance issues. Mitigation includes clear security requirements and regular assessments.

Data storage: Data storage, being distributed throughout an organization, requires proper access controls and security measures to prevent risks, such as data manipulation leading to disruptions in operations. Implementing a consistent data storage policy and checklist helps secure data from becoming vulnerabilities in the system.

6.5 Improper or Weak Patch Management

Weak patch management leaves systems exposed to potential exploits. Implement centralized patch management with an update server, thorough testing, and efficient deployment.

Firmware: Firmware vulnerabilities include weaknesses in BIOS/UEFI and device firmware that controls the boot process for PCs, as well as bugs in device firmware like network cards and disk controllers. Exploits can be hard to detect due to high privilege access.

Operating System: OS vulnerabilities, like in the kernel or shared library, can lead to privilege escalation. Promptly apply monthly and on-demand patches.

Application: Application vulnerabilities run with user permissions. Limit permissions and timely patches from manufacturers to protect against known vulnerabilities.

6.6 Legacy platforms

Legacy platforms are systems that are no longer supported with security patches by their developers or vendors, making them unpatchable. These systems are highly likely to have vulnerabilities and need to be protected using security controls other than patching, such as isolating them in networks inaccessible to attackers physically. The risks associated with legacy platforms must be weighed against the costs of change when considering their use in an organization.

6.7 Impacts

Data loss occurs when information becomes inaccessible, either permanently or temporarily.

Data breaches occur when sensitive data is viewed, moved, modified, or deleted without authority. A privacy breach occurs when personal data is not gathered, maintained, or processed in accordance with applicable laws or regulations.

Data exfiltration involves the methods and tools used by an attacker to transfer data from the victim's systems to an external network or media without authorization.

Identity theft is a breach in privacy where the threat actor illegally uses the sensitive information obtained or sells the data to other malicious actors.

Financial losses are incurred due to damages, fines, and loss of business.

Reputation loss occurs when an organization loses its integrity, good name, and customers' trust.

Availability loss occurs when a company's systems are brought down, or when the organization experiences downtime due to malicious disaster events, leading to a loss of revenue and customers.

END.

There are only two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it.

Ted Schlein

Review Questions

Threat actors can enter the network or move about it by using attacks to execute arbitrary code on trusted hosts. An attacker can easily progress to breaching data assets or triggering a denial of service against critical servers with adequate privileges and access.

Most application attacks aim to achieve arbitrary code execution, which involves exploiting vulnerabilities to allow an attacker (or threat actor) to execute their own code. When the code is transmitted from one machine to another, it is known as remote code execution, enabling the attacker to send and execute code from a remote host on a target host that is vulnerable to such exploits.

In today's post, we will look at potential application attack indicators to help in recognize the presence of a current or future attack on software applications. Examining odd network traffic, anomalous system activity, unusual user actions, security alerts, and known attack patterns are all part of this. Individuals can more effectively notice and respond to application threats if these indications are successfully examined.

#1: Privilege escalation

Privilege escalation is the process by which an attacker elevates their privileges from a lower level (such as a regular user) to a higher level (such as an administrator or root) in order to gain increased/higher access and control within a system, network, or application.

Privilege escalation can occur in an operating system or other application

Types of privilege escalation:

Vertical Privilege Escalation: An attacker attempts to elevate their privileges inside the same user hierarchy. A user with limited privileges, for example, attempts to get administrative access to the same system.

Horizontal Privilege Escalation: In this case, the attacker attempts to achieve the same level of privileges as another system user. This often occurs when a flaw permits impersonation or session hijacking, allowing the attacker to obtain access to another user's account or session.

Lateral Privilege Escalation: Obtaining privileges in another system or environment within a network. Once an attacker has gained access to one system, they will exploit weaknesses to gain access to other interconnected systems.

Mitigation

• Implement security measures such as strong access controls, least privilege principles(giving users just the privileges they need)
• Updated anti-virus/anti-malware software to Block known vulnerabilities
• Employ defense-in-depth strategies to limit the impact of successful attacks.
• Data Execution Prevention
  – Only data in executable areas can run
• Perform regular software patching, monitoring and auditing of user activities
• Implement Data Execution Prevention (DEP) prevents the execution of malicious code by designating specific memory regions as non-executable(i.e. Only data in executable areas can run)
• Implement Address space layout randomization(ASLR) to Prevent a buffer overrun at a known memory address

Cross-site scripting

Cross-site scripting (XSS) is one of the most common web attack
methodologies. The cause of the vulnerability is weak user input validation.
If input is not validated properly, an attacker can include a script in their
input and have it rendered as part of the web process.

cross-site because of browser security flaws
– Information from one site could be shared with another

Takes advantage of the trust a user has for a site

TYPES OF XSS

Non-persistent XSS attack The injected script is not persisted or
stored but rather is immediately executed and passed back via the web
server.

• Persistent XSS attack The script is permanently stored on the web
  server or some back-end storage. This allows the script to be used
  against others who log in to the system. No specific target
• DOM-based XSS attack The script is executed in the browser via the
  Document Object Model (DOM) process as opposed to the web
  server.

CONTROL

Controls to defend against XSS attacks include the use of anti-XSS
libraries to strip scripts from the input sequences. Various other ways to
mitigate XSS attacks include limiting the types of uploads, screening the size
of uploads, and whitelisting inputs. However, attempting to remove scripts
from inputs can be a tricky task. Well-designed anti-XSS input library
functions have proven to be the best defense. Cross-site scripting
vulnerabilities are easily tested for and should be a part of the test plan for
every application. Testing a variety of encoded and unencoded inputs for
scripting vulnerability is an essential test element

Input validation is helpful at preventing XSS attacks.

Input validation, also commonly known as data validation, is the
structured and proper testing of any input that is supplied by an application or
user. Input validation prevents improperly formed (malformed) data from
entering a system.

Protecting against XSS

• Be careful when clicking untrusted links
  – Never blindly click in your email inbox. Never.
• Consider disabling JavaScript
  – Or control with an extension
  – This offers limited protection
• Keep your browser and applications updated
  – Avoid the nasty browser vulnerabilities
• Validate input
  – Don’t allow users to add their own scripts to an
  input field

Injections

User input without input validation results in an opportunity for an attacker to
craft input to create specific events that occur when the input is parsed and
used by an application

Types of injection attacks

Structured query language (SQL)

Structured Query Language (SQL) injection attacks
involve the manipulation of input, resulting in a SQL statement that is
different from the statement the designer intended

A SQL injection attack is a form of code injection aimed at any SQL-based
database, regardless of vendor. An example of this type of attack is where the
function takes the user-provided inputs for username and password and
substitutes them in a where clause of a SQL statement with the express
purpose of changing the where clause into one that gives a false answer to
the query

The addition of the or clause, with an always true statement and the
beginning of a comment line to block the trailing single quote, alters the SQL
statement to one in which the where clause is rendered inoperable. If the
where clause is altered to return all records, this can result in a data breach.

control

Stored procedures are precompiled methods implemented within a
database engine. Stored procedures act as a secure coding mechanism
because they isolate user input from the actual SQL statements being
executed. This is the primary defense mechanism against SQL injection
attacks—in other words, separation of user input from the SQL statements.
User-supplied input data is essential in interactive applications that use
databases; these types of applications allow the user to define the specificity
of search, match, and so on

Dynamic-link library (DLL)

DLL injection is a vulnerability that allows the malware to take advantage of the operating system's ability to attach one process to another. Attackers inject a malicious DLL into a legitimate process, potentially causing program instability and sensitive data spillage. This method makes use of dynamic-link library (DLL) technology, which provides functionality to a program via library routines that are linked at runtime. DLLs, for example, are loaded at runtime in Microsoft Office, and putting a malicious DLL in the relevant directory or via a registry entry can bring new destructive functionality.

A Dynamic-Link Library is a Windows library that contains both code and data. Inject a DLL into an application and have it run a program that runs as part of the target process.

Lightweight Directory Access Protocol (LDAP)

LDAP-based systems are also subject to injection attacks. When an
application constructs an LDAP request based on user input, a failure to
validate the input can lead to a bad LDAP request. Just as SQL injection can
be used to execute arbitrary commands in a database, LDAP injection can do
the same in a directory system. Something as simple as a wildcard character
(*) in a search box can return results that would normally be beyond the
scope of a query. Proper input validation is important before a request is
passed to an LDAP engine.

Extensible Markup Language (XML)

XML can be tampered with via injection as well. XML injections can be
used to manipulate an XML-based system. Because XML is nearly
ubiquitous in the web application world, this form of attack has a wide range
of targets. XML that is maliciously altered can affect changes in
configurations, changes in data streams, changes in outputs—all from the
injection

#: Pointer/object dereference

Pointer dereference is a software vulnerability that occurs when code tries to access memory through a pointer but the pointer itself is null. Pointers in C/C++ programming store memory addresses. Dereferencing a pointer entails reading or writing data to the memory address to which it points. If the pointer is null or invalid (which can happen as a result of malicious intervention), a null pointer dereference exception occurs, resulting in a process crash.

Mitigation

• programmers should include logic statements that ensure that a pointer is not null before using it.

Directory traversal

A directory traversal attack is when an attacker uses special inputs to
circumvent the directory tree structure of the filesystem. Adding encoded
symbols for “../..” in an unvalidated input box can result in the parser
resolving the encoding to the traversal code, bypassing many detection
elements, and passing the input to the filesystem. The program then executes
the commands in a different location than designed. When combined with a
command injection, the input can result in the execution of code in an
unauthorized manner. Classified as input validation errors, these can be
difficult to detect without doing code walkthroughs and specifically looking
for them.

Directory traversals can be masked by using the encoding of input
streams. If the security check is done before the string is decoded by the
system parser, then recognition of the attack form may be impaired.

# Buffer overflows

A buffer is a section of memory reserved by the application to store expected data. Buffer overflows occur when data exceeds a target buffer's capacity, damaging adjacent memory. This can cause system crashes or allow attackers to run unauthorized code. Consider a program that expects a username of maximum of 15 characters but receives a string of 100 characters.. If not handled properly, this can result in a buffer overflow.

In a buffer overflow attack, the attacker deliberately sends data that exceeds the buffer's intended capacity.

Mitigation

• Perform bounds checking by Implementing correct input length validation, for example, by using safe library functions for inputs.
• Adhere to secure programming practices.

#: Race conditions

A race condition is a software vulnerability that happens when certain events do not take place in the sequence and at the right times as intended by the developer and the expected result of execution processes depends on them. The idea of several inputs trying to impact the output first is referred to as a "race condition." This flaw can appear in distributed or multithreaded programs where appropriate program operation depends on the order or timing of processes or threads.

Time of check/time of use

When there is a delay between when an application examines a resource and when it actually uses it. This inconsistency creates the possibility for modifications to happen between the check and use stages, which could compromise the application's integrity or security.

For instance, an attacker might modify or delete a temporary file generated by an application to store a value for later use if they have access to the system between the time the file is created and the time it is utilized.

Mitigation

• Design data structures or objects to be immutable, which means they cannot be updated after being created.
• Implement Synchronization mechanisms like locks, semaphores, or mutexes control access to shared resources, ensuring atomic execution of critical code sections and preventing concurrent conflicts.
• Incorporate time stamp verification techniques to validate the consistency and integrity of resources
• Implement thorough input validation
• Access Control and Permissions

#: Error handling

Application security depends on secure handling of errors and exceptions, as they are inevitable in every application. Attackers can exploit error management procedures to gain access to sensitive data by intentionally triggering errors.

Mitigation

• Record error details in a secure log file that is protected by access control
• Avoid echoing error information to users
• Error messages shouldn't divulge configuration or platform information that could help attackers, like disclosing database server information on an error page for a web application.

# Improper input handling

To avoid application attacks, proper input handling is crucial in software development. Attackers frequently take advantage of inadequate input validation by sending erroneous or malicious data to vulnerable processes. This can lead to SQL injections, buffer overflows, denial of service, etc

Mitigation

• Implement strong input validation procedures that verify the desired input data's format, type, and length. Techniques like input sanitization, whitelisting, and blacklisting can be used in this regard.
• When interacting with databases, use parameterized queries or prepared statements to fend off SQL injection threats. By doing this, it is made sure that user input is handled more like data than like executable code.
• Perform Regular software updates and patching
• Regular security testing, including code reviews and penetration testing, should be carried out in order to identify and fix any possible vulnerabilities in the input handling logic.

Replay attack

Replay attacks work against applications by attempting to re-create the
conditions that existed the first time the sequence of events occurred. If an
attacker can record a series of packets and then replay them, what was valid
before may well be valid again. An example of this would be repeating the
previous set of transactions, like getting paid twice or successfully passing a
security check at a login event.

Session replays

When a user connects to a system via the web, the connection forms a
“session” in the respect that the various elements that are transmitted back
and forth form a conversation between the client and the server. A session
replay event is the re-creation of this interaction after it has occurred.

#: Integer overflow

Integers (whole integers) are data types defined with fixed lower and upper bounds. An integer overflow attack occurs when a computed result is too large to fit in the allocated storage space, resulting in a crash or data corruption, as well as a buffer overflow. This can cause a positive number to become negative (for example, transforming a bank debit to a credit).

Mitigation

• Implement proper input validation and perform appropriate checks to prevent integer overflow vulnerabilities.

Request forgeries

Request forgery is a class of attack where a user performs a state-changing
action on behalf of another user, typically without their knowledge. It is like
having someone else add information to your web responses. These attacks
utilize the behavioral characteristics of web-based protocols and browsers,
and they occur because of client-side issues but they can be seen on both the
server side and the client side.

Server-side:

Server-side request forgery is when an attacker sends requests to the serverside application to make HTTP requests to an arbitrary domain of the
attacker’s choosing. These attacks exploit the trust relationship between the
server and the target, forcing the vulnerable application to perform
unauthorized actions. The typical trust relationships exploited are those that
exist in relation to the server itself, or in relation to other back-end systems
within the same organization. Common attacks include having the server
attack itself or attack another server in the organization.

Cross-site:

Cross-site request forgery (XSRF) attacks utilize unintended behaviors that
are proper in defined use but are performed under circumstances outside the
authorized use. This is an example of a “confused deputy” problem, a class
of problems where one entity mistakenly performs an action on behalf of
another. An XSRF attack relies upon several conditions to be effective. It is
performed against sites that have an authenticated user and exploits the site’s
trust in a previous authentication event. Then, by tricking a user’s browser
into sending an HTTP request to the target site, the trust is exploited. Assume
your bank allows you to log in and perform financial transactions but does
not validate the authentication for each subsequent transaction. If a user is
logged in and has not closed their browser, then an action in another browser
tab could send a hidden request to the bank, resulting in a transaction that
appears to be authorized but in fact was not done by the user.

Many different mitigation techniques can be employed, from limiting
authentication times, to cookie expiration, to managing specific elements of a
web page (for example, header checking). The strongest method is the use of
random XSRF tokens in form submissions. Subsequent requests cannot work
because a token was not set in advance. Testing for XSRF takes a bit more
planning than for other injection-type attacks, but this, too, can be
accomplished as part of the design process

#: Application programming interface (API) attacks

APIs are used to feed data to an application. It is used in web apps and cloud services to enable consumers to automate services. if the API is not secure, threat actors can simply exploit it to compromise the web application's services and data. It is critical to utilize an API exclusively via an encrypted channel (HTTPS).

Mitigation

• Always use encrypted communication protocols, such as HTTPS and employ TLS/SSL certificates to establish secure connections.
• Implement Input Validation and Sanitization to validate and filter user input so that only expected and safe data is allowed.
• Ensure that strong authentication mechanisms, such as secure tokens or OAuth, are in place to authenticate API users' identities and approve their access to specified resources.
• For API keys and other sensitive information, use safe storage and management techniques. Use secure key storage options instead of hardcoding secrets into the code.
• Implement proper Error Handling techniques and Message Obfuscation to avoid exposing sensitive information
• Implement rate-limiting and throttling mechanisms to prevent excessive API requests from a single source, protecting against Denial of Service (DoS) attacks. Set appropriate limits based on expected usage patterns.

#: Resource exhaustion

Resource exhaustion occurs when a system lacks the necessary resources to function properly, including capacity and memory. Attacks exploiting this vulnerability aim to deplete these resources, similar to race conditions, leading to system crashes and disruption of services. Examples include overwhelming a system with TCP SYN requests or exhausting program memory. These attacks can impact customer-facing systems and disrupt essential services. Resource exhaustion attacks target CPU time, memory, disk capacity, and network utilization, causing systems to become unresponsive or fill up state tables.

Mitigation

• Implement measures such as resource monitoring, limitation, load balancing, rate limiting, intelligent resource allocation, secure coding practices, and attack detection and response

#: Memory leak

Memory management is the process of controlling and coordinating computer memory, allocating it to variables, and reclaiming it when it is no longer required. Memory leaks, a software vulnerability in which allocated memory is not released once it is no longer in use. This can lead to increased resource use over time, potentially causing system instability. A memory leak happens when a process fails to relinquish memory, resulting in ongoing memory depletion and possible system crashes.

Mitigation

• Implement proper resource deallocation, utilize automated memory management mechanisms, conduct code reviews and testing, employ memory leak detection tools, follow best practices and coding standards, and continuously monitor and optimize memory usage.

Secure Sockets Layer (SSL) stripping

Secure sockets layer (SSL) stripping is a man in the middle attack against all
SSL and early versions of TLS connections. The attack is performed
anywhere a man in the middle attack can happen, which makes wireless
hotspots a prime location. The attack works by intercepting the initial
connection request for HTTPS, redirecting it to an HTTP site, and then
mediating in the middle. The reason the attack works is because the
beginning of an SSL or TLS (v1.0 or v1.1) handshake is vulnerable to attack.
The main defense is technical: only use TLS 1.2 or 1.3, as these versions
have protections against the specific attack method.

Driver manipulation

Drivers are pieces of software that sit between the operating system and a
peripheral device. In one respect, drivers are a part of the OS, as an
extension. In another respect, drivers are code that is not part of the OS and
are developed by firms other than the OS developer. Driver manipulation is
an attack on a system by changing drivers, thus changing the behavior of the
system. Drivers may not be as protected as other parts of the core system, yet
they join it when invoked. This has led to drivers being signed and
significantly tightening up the environment of drivers and ancillary programs.

Shimming

A shim is an additional code that is placed between an application driver and the operating system to enable functionality that would otherwise be unavailable. It allows modifications between different OS versions without altering the original driver code, giving it flexibility and portability. Shimming can be exploited by malicious code to change the functionality of a driver without altering the driver itself.

Refactoring

Refactoring is the practice of restructuring application code in order to improve its design and performance while retaining its original functionality. It can be used to improve code or to deal with certain scenarios. However, attackers can use refactoring to introduce illegal functionality to a driver while still allowing it to work normally. it is a Metamorphic malware that can appear different each time

#: Pass the hash

The pass-the-hash attack is an attack in which the attacker takes hashed user credentials and uses them to authenticate on the same network or other systems without knowing the original password. This technique makes use of hashed passwords rather than plaintext passwords for authentication.

Mitigation

• Enforce strong password policies
• Implement the principle of least privilege to limit user permissions.
• Implement network segmentation to isolate critical systems.
• Minimize credential exposure and use centralized authentication.
• Use multi-factor authentication (MFA) for an additional layer of security.
• Implement privileged access management (PAM) solutions for secure management of privileged accounts.
• Provide regular security awareness training to educate users and administrators.
• Keep systems and software up to date with the latest patches.
• Monitor for suspicious activities and use security tools for detection.

Are you a "Jack"?

In this post, I discussed different careers in cybersecurity, required skills and certifications

Sit Back & Enjoy the Ride!!!

Different Team/Aspects in Cybersecurity

Cybersecurity is broken down into 3 teams; namely Offensive, Defensive and GRC Security

• Offensive Security: you must have heard of the phrase "To beat a hacker, you need to behave like one". The technique of deliberately attacking and exploiting computer systems and networks in order to test their defenses and identify vulnerabilities is referred to as offensive security. It is also called the Red Team

• Defensive security: refers to protecting computer systems and networks against attack by detecting and mitigating vulnerabilities and putting in place controls to prevent or detect unwanted access or activity. It is also called the Blue Team

• GRC Security: The use of governance, risk management, and compliance (GRC) concepts to ensure the security of an organization's information and technological assets is referred to as GRC security. It entails putting in place policies, processes, and technology to manage risk, stay in compliance with rules and standards, and ensuring that the organization's security goals are in line with its broader objectives

Red Team

To test an organization's security defenses, a red team is a group of ethical hackers or security specialists that simulates cyberattacks on the organization's systems. The red team's objective is to help the organization strengthen its security posture by identifying vulnerabilities and flaws that may be exploited by an actual attacker.

Required Skills/Expertise

• Knowledge of computer systems and networks

• Knowledge of hacking tools and techniques

• Programming skills

• Knowledge of social engineering techniques

• Penetration testing skills

• Communication and reporting skills

• Critical thinking and problem-solving skills

• Understanding of industry standards and regulations

• Interpersonal skills

• Continuous learning

Certifications Required/Needed in Red Teaming

-

Career Paths in Red Teaming

Penetration Tester/Ethical Hacker - Conducts controlled hacking attempts to detect vulnerabilities in systems and networks and makes security recommendations.

Vulnerability Researcher/Bug Bounty Specialist: detects and exploits vulnerabilities before cyber criminals discover them, preventing widespread exploitation and assisting organizations in enhancing their security. They are compensated and recognized for reporting bugs, hence the word bug bounty..

Malware Analyst - Examines and reverse-engineers malware to determine and comprehend determine its behavior, purpose, and origin, and then develops detection and removal procedures.

Social Engineering Specialist - Tests an organization's sensitivity to phishing, pretexting, and other social engineering methods using social engineering methodologies.

Wireless Security Specialist - Simulates attacks and identifies vulnerabilities to test an organization's wireless network security defenses.

Web Application Security Specialist - Conducts simulated assaults and penetration testing to identify vulnerabilities in web applications.

Physical Security Specialist - Evaluates the physical security defenses of an organization, such as access controls, surveillance systems, and perimeter defenses.

Blue team

Blue Team monitors and respond to security problems in order to thwart cyberattacks. They are in charge of identifying and neutralizing security risks as well as creating and putting into effect security controls to fend against further attacks.

Required Skills/Expertise

• Knowledge of technologies and security approach

• Incident response skills

• Security monitoring skills

• Knowledge of security tools and techniques

• Analytical and problem-solving skills

• Knowledge of threat intelligence

• Risk assessment and management

• Communication and reporting skills

• Compliance and regulatory knowledge

• Familiarity with SIEM

• Continuous learning

Certifications Required/Needed in Blue Teaming

Career Paths in Blue Teaming

Cybersecurity Analyst - Monitors and analyzes security events and occurrences, and responds to security threats in real time.

Incident Responder: responds to security incidents by determining the source of the attack, containing the issue, and recovering systems and data.

Forensic Analyst - Gathers and analyzes digital evidence connected to cyber incidents to determine the source of the attack, the offender, and the degree of the damage. and delivers results in court.

Security Engineer – Creates and installs security systems and infrastructure to combat cyber threats.

Network Security Specialist - Implements and maintains network security measures such as firewalls, intrusion detection and prevention systems, and VPNs.

Endpoint Security Specialist - Installs and maintains security measures for an organization's endpoints, which include laptops, desktop computers, and mobile devices.

Identity and Access Management (IAM) Specialist - Manages and regulates access to a company's systems and data, as well as ensuring compliance with security rules and regulations. They Create and deploys systems and processes to manage user identities, access privileges, and authentication methods in order to prevent illegal access.

Threat Intelligence Analyst - Monitors and analyzes cyber threats and emerging security trends in order to identify potential threats and vulnerabilities ahead of time.

Vulnerability Assessor- Detects vulnerabilities in computer networks and systems, evaluates their potential impact, and makes remedial recommendations.

Security Architect- they focus on designing and implementing security solutions to protect against cyber threats.

Governance, Risk, and Compliance (GRC).

GRC is a framework for managing and keeping track of a company's cybersecurity procedures and policies to make sure they adhere to legal requirements and business norms. The GRC team is in charge of creating and enforcing security policies and processes, evaluating and managing risks, and making sure that laws and regulations are being followed.

Required Skills/Expertise

• Understanding of regulatory compliance

• Auditing and assessment

• Governance

• Risk management

• Project management

• Communication skills

• Analytical skills

• Business knowledge

• Continuous learning

Certifications Required/Needed in GRC

Career Paths in GRC

Chief Information Security Officer (CISO) - Creates and executes an organization's entire cybersecurity strategy, as well as manages the security team.

Risk Analyst - Conducts risk assessments to identify and prioritize potential cybersecurity threats, and creates mitigation measures.

Policy and Standards Manager - Creates and oversees an organization's security policies and standards, as well as ensuring compliance with industry best practices and legislation.

Cybersecurity Compliance Auditor - Ensures compliance with cybersecurity rules and industry standards, as well as managing the compliance certification process.

Third-Party Risk Manager - Manages the cybersecurity risks associated with third-party vendors and partners, as well as ensuring they follow security rules and regulations.

Data Protection Officer - Responsible for managing an organization's data protection policy and ensuring compliance with data privacy requirements.

Cyber Security Trainer- Educates and instructs personnel on best practices for cybersecurity to lessen the risk of cyber attacks and data breaches. Creates and oversees cybersecurity awareness and training programs for workers to ensure they understand security rules and best practices.

Cybersecurity Project Manager:Supervises and oversees cybersecurity projects to ensure they are completed on time, within budget, and fulfill the organization's security requirements.

Don't let your learning lead to knowledge. Let your learning lead to action

Jim Rohn

Never become so much of an expert that you stop gaining expertise. View life as a continuous learning experience.

Denis Waitley

Review Question

1. What inspired you to seek a career in cybersecurity, and what interests you the most about the field?

2. Which career path of cybersecurity most interests you? And why?

3. RESEARCH: What trends do you see in the future of cybersecurity, and how do you think they will impact the industry and job opportunities?

In this post, we will discuss 10 simple cyber safety tips to help you keep your personal information safe. Remember to share these tips with your employees and loved ones.

HOLD ON TIGHT FOR THIS RIDE!!!

TIP #1- Use Strong Passwords

Passwords are one of the most vulnerable points in the Internet security hierarchy. When generating a new password, keep strong password requirements in mind:

• Use at least 12 characters, but 14 or more is preferable.

• A mix of capital and lowercase characters, numbers, and symbols.

• Do not use a dictionary word, name of a person, character, product, or organization.

• Use passwords that are different from your previous ones.

• Use something distinctive that is easy for you to remember but tough for others to guess.

• Ensure that you frequently change your passwords.

• Never reveal your passwords to anyone, have ZERO TRUST

• Ensure that passwords and password hints are securely saved.

• Use different emails and passwords for different accounts

• Avoid using personal information in your passwords

TIP #2- Set Up Two-Factor Authentication

Two-factor authentication stops hackers from gaining access to your accounts and personal data. It Increases your account security by adding this extra layer of protection, even if someone knows your password.

• Consider utilizing an authenticator app, such as Microsoft Authenticator, to create unique time-based codes for authentication.

• Enable Two-Factor Authentication on All Your Accounts.

• Keep your authentication device, such as your phone or authenticator app, secure

• Once you've configured two-factor authentication, ensure sure it's operating properly. Log out of your account and then log back in using your authentication method to confirm that everything is working as it should.

TIP #3- Backup Your Data

Back up your data on a regular basis to avoid data loss in the event of a security breach or ransomware attack

• Automate your backup process to ensure that your data is backed up on a regular basis without the need for manual intervention.

• Select a secure backup location that is independent from your primary device, such as an external hard drive or a cloud storage service with robust encryption.

• Make sure your backups are working properly by testing and confirming them on a regular basis. YOU DONT WANT TO BE CAUGHT UNAWARE

• Consider backing up your data in multiple locations for redundancy and security against data loss.

• Identify and prioritize the most crucial data that needs to be backed up, and make sure you backup that data on a regular basis.

• Regularly review and update your backup strategy to ensure that it is in line with your evolving demands and the most recent best practices for data backup.

TIP #4- Take Caution When Using WiFi

Using public Wi-Fi exposes your online activities and sensitive information to possible attackers, who can intercept or manipulate your data, resulting in identity theft, financial loss, or other cybercrime. When using public Wi-Fi networks, it is critical to exercise caution and implement adequate security precautions.

• Do not put your reliance in public Wi-Fi security.

• Connecting to unprotected public Wi-Fi networks should be avoided.

• Make sure your own Wi-Fi networks are password-protected.

• Create a secure password for your Wi-Fi network and allow only authorized users access.

• Change your wireless password on a regular basis.

TIP #5- Keep Software and Systems Up to Date

It's crucial to install software updates for your operating system and programs. Install the most recent security updates for your devices:

• Maintaining your software and systems guarantees that you have the most recent security patches and fixes.

• Install software updates as soon as possible, especially if they include crucial security changes.

• Set your devices to receive automatic updates so you never miss one!

TIP #6- Be Cautious of links

Hackers frequently utilize links in emails to lure people into disclosing sensitive information. This frequently takes the guise of bank statements, flight tickets, password recovery emails, and other documents.

When a person clicks on one of these links, they are sent to a false site that appears suspiciously similar to the real thing. The site will prompt them to login or provide personal information. When a hacker obtains this information, they gain access to the user's account.

• Avoid opening emails from unfamiliar or strange senders and clicking on suspicious links. They could contain malware or phishing scams.

• Keep an eye out for links in your emails.

• Don't click on anything that appears suspicious.

• Rather than using an email, the best bet is to go directly to a provider's website.

TIP #7-Be Aware of Social Engineering Tactics

Social engineering is a technique used by online criminals/cyber attackers to trick people into disclosing private information or taking potentially dangerous actions. It entails the use of psychological manipulation techniques to trick, manipulate, or take advantage of people in order to access private data or systems.

Phishing, pretexting, baiting, and quid pro quo are examples of common social engineering techniques. Email, phone, social media, and in-person contacts are just a few of the communication methods that can be used for social engineering attacks.

TIP #8- Limit Personal Information Access

Be cautious when sharing personal information online, and limit the information you publish on social media and and other websites.

• Avoid sharing sensitive information such as your full name, date of birth, home address, and phone number online.

• Use a virtual private network (VPN) which encrypts your internet connection and hides your IP address, making it more difficult for others to track your online activities and access your personal information.

TIP #9- Use Antivirus Software

• Malware, viruses, and other sorts of dangerous software can be detected and removed from your computer using antivirus software.

• Install antivirus software on all of your computers and mobile devices, including laptops, desktops, cellphones, and tablets.

• Maintain the antivirus software to the most recent version to ensure that it can identify and prevent the most recent threats.

• Use trusted antivirus software from well-known vendors with a proven track record of detecting and stopping malware.

• Disabling antivirus software, even briefly, leaves your device vulnerable to attacks.

• Enable automatic updates so that the antivirus software can be updated with the most recent malware definitions.

• Schedule frequent virus and malware scans for your device.

TIP #10- Educate Yourself

Keep up to date on the newest cybersecurity dangers and best practices for protecting yourself and your data online.

• Read cybersecurity blogs to remain up to date on the newest threats and online safety tips.

• Attend cybersecurity webinars to learn about particular cybersecurity subjects or issues.

• Follow cybersecurity experts on social media to remain up to date on the newest cybersecurity news and trends.

Ignorance is an enemy, even to its owner. Knowledge is a friend, even to its hater. Ignorance hates knowledge because it is too pure. Knowledge fears ignorance because it is too sure.

Sri Chinmoy

These recommendations can assist you in protecting your personal information and digital assets from cyber threats.

1.4 Review Question

1. Which of the aforementioned cybersecurity safety measures have you overlooked or neglected to implement, if any?

2. Have you or a loved one been a victim of social engineering tactics? If so, what important lesson did you learn and how are you ensuring that you or your loved ones are no longer victims?

you have a journal/diary where you record your deepest thoughts and feelings. If someone reads it without your consent, you will feel violated and certainly be angry, and will seek measures to secure it(IS THIS CORRECT?). NOW LET US CONNECT THIS TO THE CIA TRIAD

C- Confidentiality- To maintain its privacy, you will put your journal in a locked drawer that only you have the key to.

I-Integrity- To maintain the accuracy of your diary and ensure that no one can delete or alter your writings without your knowledge, you will use a pen that cannot be erased.

A- Availability- You would want your diary to be available to you always, whenever you need to update it. You could make a backup copy of your diary in case your original diary is lost or stolen. This is likely a soft backup copy.

In this post, we will discuss the 3 elements of Cybersecurity, the CIA Triad, along with security measures to ensure each element

Hold on for the ride!!!

From the story above, your journal can be protected so that only you have access to your thoughts and feelings by following the simple steps listed. The same is true for information security; by implementing protections for confidentiality, integrity, and availability, sensitive data and systems can be kept secure and available to ONLY AUTHORISED USERS. Now, let's discuss the CIA in detail.

Confidentiality

Confidentiality is a principle that ensures information is kept private and not exposed to unwanted access, disclosure, or usage

Security Measures to Ensure Confidentiality

Encryption: This is the process of converting plain text into a ciphertext that can only be decrypted with the use of a secret key. Encrypting confidential information ensures that even if an unauthorized person has access to it, they cannot read or use it.

Access Control: Access control techniques only permit those people who are authorized to see confidential information to have access to it. This can be via the usage of password restrictions, two-factor authentication systems, and role-based access control(RBAC).

Physical Security: This is the process of ensuring secure access to locations where sensitive information is stored, such as data centers and servers.

Data loss prevention (DLP): DLP solutions can help to track the movement of private data in an organization and ensure data privacy. it will alert and stop the illegal sharing of sensitive data.

Confidentiality policy: These are procedures that employees must follow to protect confidential information.

Secure Communication: is dependent on secure channels like Virtual Private Networks (VPN) and secure messaging platforms to maintain the confidentiality of private information before it is transmitted on the internet.

Data retention policy: This policy will guide employees on what data to keep, for how long, and how to dispose of data that is no longer necessary. This policy helps in reducing the amount of data held by a company, making it easier to protect and manage.

Training and Awareness: Companies might organize training sessions and awareness sessions regularly for the employees to teach them about the protection of sensitive information. Employees will be evaluated after each training session.

Non-Disclosure Agreements(NDA): employees are required to sign it to ensure that those granted access to the data do not reveal it.

Integrity

Integrity ensures that information is trustworthy in the sense that it’s reliable and authentic.

Security Measures to Ensure Integrity

Hashing: this is the process of converting data into a fixed-length string of characters that cannot be changed back to its original form. Integrity can be ensured by comparing the hash value of received data to the hash value of data as it was sent to ascertain whether the data was altered.

Digital Signatures: are used to control the digital documents' authenticity and trace if they have not been edited. Digital signatures are developed by the use of security processes that allow a signer's identity to be authenticated. The signature is a guarantee from the signer that the information was not changed in any way.

Version Control: It is one of the software engineering disciplines that is necessary for the management of different versions of files kept in history. The system keeps a thorough history of changes, makes vital authorization before such changes are introduced, and prevents unintentional changes. A perfect example is Git

Digital Certificates: These are electronic documents that are used to validate the identification of individuals, companies, or devices and to enable secure Internet communication. They contribute to data integrity by generating digital signatures, verifying identities, encrypting data, and depending on trusted third-party certificate authorities

Data Validation Implementation: data validation methods are also put in place so that data is not incomplete or inaccurate, and it has allowed character. E.g., checking data format, length of fields, and checking the range of values is a part of it.

Change management: This is essential to guarantee that changes to data and systems are permitted, recorded, and tested.

Availability

The principle that ensures data and system accessibility to authorized users at all times is called availability or uptime.

Security Measures to Ensure Availability

Redundancy: the need to duplicate the important systems/components to guarantee availability in case there is a failure.

Business Continuity and Disaster Recovery Planning: Business continuity planning is the ability to continue delivering products or services at predefined acceptable levels following a disruptive incident. Disaster recovery is a set of policies and procedures, along with tools, that recover either the key infrastructure of technology or its systems in the aftermath of a disaster.

Backups: These are copies of important data or system configurations that, if, for any reason, failure or loss occurs, the original data or configurations can be recovered.

Virtualization: This is the technology that makes it possible to run a lot of virtual machines (VMs) in one device. Virtualization effectively manages availability by ensuring the availability of the core applications and services and quickly returning the VM in case of failure, in addition to offering flexible and resilient network virtualization that can be redesigned quickly in the event of a disruption.

Monitoring and Maintenance: This measure helps to identify a potential problem before it grows into a problem that causes a major system downtime. Performance measurements, such as CPU consumption, memory usage, and disk space utilization, may be employed as an assessment that will help to detect a problem and take corrective action in due time. Regular maintenance in the form of improved software versions, security patches for regular updating, and backup copies can help to negate the onset of failures and increase stability of the system.

"Privacy, accuracy, and accessibility are the cornerstones of information management. We need to ensure that we are protecting people's privacy, while also ensuring that information is accurate and accessible to those who need it."

- Ann Cavoukian