SEC CONTROL (2)

Technical controls: firewall, anti-virus.

Managerial controls: security policies, administrative controls for security.

Operational controls: using people, e.g. security guards.

Physical controls: limit physical access to something: fence, guard shack, badge reader in
buildings.

Preventive control type: block access to a resource, e.g. firewall rules or a guard shack that
checks identification.

TC: firewall

MC: On-boarding policy

OC: guard shack

PC: Door lock

Deterrent type: tries to discourage someone from entering or hacking into the system; does not
prevent access. Makes an attacker think twice.

TC: splash screen

MC: demotion (server, system)

OC: front desk reception

PC: warning signs

Detective control type: identify and log intrusion attempts; may not prevent access.

TC: collect and review system logs

MC: Review login reports

OC: Property patrol

PC: Motion detector

Corrective control type: applied after the event; may reverse the impact of the event.

TC: restore from backup, e.g. after a ransomware infection.

MC: policies for reporting issues

OC: contact authorities

PC: fire extinguisher

Compensating control type: control using other means when the existing controls are not
sufficient; may be temporary.

TC: firewall blocks the application instead of patching it

MC: separation of duties

OC: requires several guard duties

PC: generator, while waiting for the power to come back.

Directive control type: direct a subject towards what is needed to have (secure) access.

TC: store files in protected (encrypted) folders

MC: create policies and procedures

OC: security training policy

PC: sign on the door: authorized personnel only

Managing security controls: there are several categories of control; organizations use and
combine different types.

CIA TRIAD (3)

C = Confidentiality: prevent disclosure of information to unauthorized individuals or systems

I = Integrity: messages can't be modified without detection

A = Availability: systems and networks must be up and running

Confidentiality: encryption: encode messages so only certain people can read them. Access
controls: selectively restrict access to a resource. Two-factor authentication: additional
confirmation before information is disclosed.

Integrity: hashing: map data of any size to a fixed-size value (SHA-256 gives 64 hex
characters). Digital signature: scheme to verify the integrity of data. Certificates: combined
with a digital signature to verify an individual. Non-repudiation: ensures an individual cannot
deny having sent a message or signed a document.
Availability: redundancy: build services that will always be available. Fault tolerance: the
system keeps running even when a failure occurs. Patching: stability; close security holes to
prevent an attacker from getting in.

NON-REPUDIATION (4)
Signing a contract: the signature adds non-repudiation: I really signed that, and others can see
my signature.
Non-repudiation adds proof of integrity and proof of origin, with high assurance of authenticity.

Proof of integrity: make sure the data we receive has not changed. If the data changes we get
a different hash. A hash cannot verify who sent it, only whether the message has changed.

Proof of origin: verify the person who sent the data. Everyone can verify that the data really
came from the right person. The sender signs with their private key (the signature); the people
who receive the file then verify it using the public key.
Authentication, Authorization, and Accounting (5) AAA framework

Identification: this is who you claim to be (username)

Authentication: prove who you are (password, authentication app)

Authorization: based on your identification and authentication, what access you have (AAA
server)

Accounting: resources used: login time, data sent and received, logout time.

Authenticating systems: how to authenticate a device: put a digitally signed certificate on
the device to get access to the company's applications and the VPN, for authorized devices
only.

Certificate authentication: Certificate authority (CA): the company creates a certificate on
the device and signs it with the organization's CA. The CA signature is then used to validate
the device's certificate.

Authorization models: associate the user with applications or data. Authorization models are
defined by roles, organizations and attributes. If several people have the same role (too slow
to assign manually for each person), create an abstraction and then assign people to that
abstraction, which contains the roles needed for that department.
Gap analysis (6)

Gap analysis: where you are compared with where you want to be (the gap between the two).

Choose the framework: varies between organizations depending on their baseline.

Evaluate people and processes

Get the baseline of the employees: their previous experience, their knowledge of IT security,
and the procedures and training they have received. Examine the current processes: evaluate
the systems already in place, evaluate the security policies already there, etc.

Compare and contrast: comparison: evaluate the existing systems. Identify the weaknesses,
along with the most effective processes. A detailed analysis: examine broad security
categories, break those into smaller segments.

Final analysis and report: the final comparison: detailed baseline objectives, a clear view of
the current state. Need a path to get from the current security state to the goal: it will
almost certainly include time, money, and lots of change control. Time to create the gap
analysis report: a formal description of the current state, recommendations for meeting the
baseline. (THE OBJECTIVE IS THE BASELINE)

Zero trust (7)

Zero trust: authenticate or prove yourself to get access to the network; applies to every
device, every process and every person.

Everything is verified: MFA, encryption, additional firewalls, monitoring, analytics and
system permissions.

Control plane / data plane: the data plane processes the frames, packets and network data,
and at the same time handles forwarding, trunking, routing, encrypting, NAT. The control
plane controls the actions of the data plane: it defines the rules and determines how a
packet will be forwarded: routing tables, session tables, NAT tables.

Controlling trust: Adaptive identity: examine someone's identity (verify the source IP of the
data request), their relationship with the company, physical location, type of connection, IP
address, etc. Make the authentication stronger if needed. Threat scope reduction: reduce the
number of entry points (ports). Policy-driven access control: combine adaptive identity with
predefined rules.

Security zones: where we are connecting from, where we want to connect. Trusted or
untrusted, internal network or external network; create separate zones: VPN, marketing team,
IT team, accounting team.

Using the zones may be enough by itself to deny access: for example, create a rule for
someone coming from an untrusted zone who wants to reach a trusted zone.
Some zones are implicitly trusted: for example, someone coming from a trusted zone (the
office) who wants to go to an internal zone (the database) is accepted.

Policy enforcement point (PEP): the gatekeeper; can allow, deny and also monitor activity;
verifies your identity (your account's certificate), whether the device is up to date,
encrypted and protected, and whether my role allows access to this service.

Policy decision point: where it is decided whether access is allowed or not. Two parts: Policy
engine: the brain of the system, evaluates each request based on rules (time, location, device
state) and the state of the user or system, then decides to grant, deny or revoke.

Policy administrator: the messenger, links the policy engine and the PEP, sends the access and
authorization tokens, or the allowed/denied decision for this connection.
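As an added example (not from the original notes), a small policy decision point and policy enforcement point in Python that applies the zone rules, device checks and adaptive identity described above. The zone table, the role table and the "corporate addresses start with 10." rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Zone rules from the notes: untrusted -> trusted is denied outright, while the trusted
# zone (the office) is implicitly allowed into the internal zone (the database).
ZONE_RULES: Dict[Tuple[str, str], str] = {
    ("untrusted", "trusted"): "deny",
    ("untrusted", "internal"): "deny",
    ("trusted", "trusted"): "allow",
    ("trusted", "internal"): "allow",
}
# Role-based authorization table (constructed sample): which roles may use which service.
ROLE_SERVICES: Dict[str, Set[str]] = {
    "dba": {"db"},
    "accounting": {"erp"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    src_zone: str
    dst_zone: str
    service: str
    source_ip: str
    mfa_passed: bool
    device_patched: bool
    device_encrypted: bool
    hour: int                 # local hour of the request, 0-23


@dataclass
class Decision:
    action: str               # "grant", "deny" or "step-up" (ask for stronger authentication)
    reasons: List[str] = field(default_factory=list)


class PolicyEngine:
    """Policy decision point: the brain that weighs rules, device state and identity."""

    def evaluate(self, req: AccessRequest) -> Decision:
        reasons: List[str] = []
        # Security zones may be enough by themselves to deny the request.
        if ZONE_RULES.get((req.src_zone, req.dst_zone), "deny") == "deny":
            reasons.append(f"zone {req.src_zone}->{req.dst_zone} not permitted")
        # Device posture reported by the PEP: up to date, encrypted and protected.
        if not req.device_patched:
            reasons.append("device not up to date")
        if not req.device_encrypted:
            reasons.append("device not encrypted")
        # Authorization: does the role allow this service?
        if req.service not in ROLE_SERVICES.get(req.role, set()):
            reasons.append(f"role {req.role} not authorized for {req.service}")
        if reasons:
            return Decision("deny", reasons)
        # Adaptive identity (sample rule): outside office hours or from an address outside
        # the assumed 10.0.0.0/8 corporate range, make the authentication stronger (MFA).
        risky_time = req.hour < 7 or req.hour > 19
        risky_ip = not req.source_ip.startswith("10.")
        if (risky_time or risky_ip) and not req.mfa_passed:
            return Decision("step-up", ["stronger authentication required"])
        return Decision("grant")


class PolicyEnforcementPoint:
    """The gatekeeper: asks the engine, enforces its answer and monitors (logs) the activity."""

    def __init__(self, engine: PolicyEngine) -> None:
        self.engine = engine
        self.audit_log: List[str] = []

    def handle(self, req: AccessRequest) -> str:
        # In the notes the policy administrator relays this decision to the PEP.
        decision = self.engine.evaluate(req)
        self.audit_log.append(
            f"{req.user} -> {req.service}: {decision.action} {'; '.join(decision.reasons)}".rstrip()
        )
        return decision.action


def run_demo() -> List[str]:
    """Three constructed requests: office DBA in hours, untrusted zone, office DBA late at night."""
    pep = PolicyEnforcementPoint(PolicyEngine())
    requests = [
        AccessRequest("alice", "dba", "trusted", "internal", "db", "10.1.2.3", False, True, True, 10),
        AccessRequest("mallory", "dba", "untrusted", "internal", "db", "203.0.113.9", True, True, True, 10),
        AccessRequest("alice", "dba", "trusted", "internal", "db", "10.1.2.3", False, True, True, 22),
    ]
    return [pep.handle(r) for r in requests]


if __name__ == "__main__":
    print(run_demo())   # ['grant', 'deny', 'step-up']
```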

Physical security (8)

NO NOTE.

Deception and Disruption (9)

Honeypot: attract attackers and trap them there (what type of breach, what type of
automation, what type of system they want to attack).

Constant battle to discern if real or fake.

Honeynets: a real network includes more than a single device: servers, workstations,
routers, firewalls, switches.

Honeyfiles: attract the attackers with more honey: create files with fake information. Ex: bait:
create a file password.txt, add an alert if it has been accessed, sent to the admin.

Honeytoken: track the malicious actors; add some traceable data to the honeynet; if stolen,
you know where from. API credentials that do not actually give access; notifications are sent
when they are used. Fake email addresses: add one to a contact list, monitor the internet to
see who posts it. Other token examples: browser cookies, web page pixels, database records.
Change management (10)

How to make a change: ex. upgrade software, patch an app, change firewall configuration,
modify switch ports. The most common risk in the enterprise, also often overlooked or ignored.

Change approval process: a formal process for managing change: avoid downtime, confusion
and mistakes. A typical approval process: complete the request form, determine the purpose
of the change, identify the scope of the change, schedule a date and time of the change,
determine affected systems and the impact, analyse the risk associated with the change,
get the approval from the change control board, get end-user acceptance after the change is
completed.

Ownership: an individual or entity needs to make a change: they own the process but they
don't perform the actual change. The owner manages the process; process updates are
provided by the owner, who ensures the process is followed and acceptable. Ex: address label
printers need to be upgraded; the shipping and receiving department owns the process and
sends it to IT to actually make the change happen.

Stakeholders: who is impacted by the change; they want input on the change process. A
single change can affect an individual or the entire company. Ex:

Impact analysis: determine a risk value: high, medium or low. Risk can be minor or far-
reaching: the "fix" doesn't actually fix anything, the fix breaks something else, operating
system failure, data corruption. Risk of not making the change: security vulnerabilities
(attackers), application vulnerabilities, unexpected downtime of other services.

Test results: sandbox testing environments: no connection to the real world or production
system, a technological safe space. Use before making a change to production: try the
upgrade, apply the patch. Test and confirm before the deployment. Confirm the backout
plan: move everything back to the original, a sandbox can’t consider every possibility.

Backout plan: the change will work perfectly and nothing will ever go bad... of course it will.
Always have a way to revert your changes; prepare for the worst, hope for the best. This
isn't as easy as it sounds; some changes are difficult to revert. Always have backups.
Maintenance window: when is the change happening; the most difficult part. Potential downtime
would affect a large part of production. Overnight is the better choice. What time of the
year: retail networks are frozen during the holiday season.

The process must be well documented, should be available on the internet

Technical changes (11)

Put the change management process in action.

No simple upgrade: it can have many moving parts; separate events may be required.

Change management is often concerned with "what" needs to be changed; the technical side
is concerned with "how" to change it.

Allow list / deny list: any application can be dangerous: vulnerabilities, trojan horses,
malware. Security policy can control app execution: allow list, deny/block list. Allow list:
nothing runs unless it's approved, very restrictive. Deny list: nothing on the "bad list" can be
executed, e.g. anti-virus, anti-malware.

Restricted activities: the scope of a change is important: define exactly which components
are covered. Change approval is not permission to make any change; the change control
approval is very specific. Scope may need to be expanded during the change window: it's not
possible to prepare for every outcome, so it may be necessary to make other updates on
other systems. The change management process determines the next steps; there are
processes in place to make the change successful.

Downtime: services will be unavailable, usually scheduled during non-production hours. If
possible prevent downtime by switching the main system to the secondary system, making the
changes on the main system and switching back to the main system when the changes are
applied. Minimize downtime events; the process should be as automated as possible; switch
back to the secondary system if there are any problems, which should be part of the backout
plan. Send an email and calendar invite to the organization to make them aware of the
downtime.

Restarts: restarts are common for: a new configuration, rebooting the OS, power cycling the
switch, bouncing the service; yes, a system should be able to reboot after a failure. Services:
stop and restart the service or daemon; it can take a few seconds or minutes. Applications:
close the application completely, launch a new application instance.

Legacy applications: applications that were there before we were here; they'll be there when
we leave. Often no longer supported by the developers; if it fails or has any holes, you're now
the support system (may say do not modify this) (EOL = end of life). Fear of the unknown:
face your fears and document the system; it may not be as bad as you think. May be quirky:
the app can have strange or unpredictable behaviours, so specific procedures must be created
to manage it properly (e.g. "never restart this service between 3 pm and 4 pm").

Dependencies: to complete A, you must do B first; a service will not start without other
active services; an application requires a specific library version. Modifying one component
may require changing or restarting other components; this can be challenging to manage.
Dependencies may occur across systems: to upgrade the firewall management software, you
have to first upgrade the firewall code.
Documentation: documentation becomes outdated very quickly; everything has to be
documented with the change control management process. Ex: updating diagrams,
modification of network IPs, etc. Updating policies / procedures: adding new systems may
require new procedures.

Version control: track changes to a file or configuration data over time; easily revert to
previous settings. Many opportunities to manage versions: revert to a previous router
configuration, Windows OS patches, application registry entries. Not always straightforward:
some devices and systems already have version control, some may require additional
management software.

Public key infrastructure (12) (PKI)

Policies, procedures, hardware, software, people: digital certificates: create, distribute,
manage, store, revoke. A big endeavor, lots of planning. Refers to the binding of public keys
to people or devices by the certificate authority (CA); it's all about trust (a particular device
or person is who they claim to be).

Symmetric encryption: a single, shared key: encrypt with the key and decrypt with the key;
if it gets out, you'll need another key. Secret key algorithm, can be referred to as a shared
secret. Doesn't scale very well; can be challenging to distribute (which key with which device
or person). Very fast to use, less overhead than asymmetric encryption, often combined with
asymmetric encryption.

Asymmetric encryption: public key cryptography, two (or more) mathematically related
keys. Private key: keep this private; this is the key that can decrypt any data sent your way.
Public key: everyone can have access to this key and encrypt data with your public key. You
can't reverse engineer or derive the private key from the public key.

The key pair: asymmetric encryption, public key cryptography. Key generation: build both
private and public key at the same time; lots of randomization, large prime numbers, lots and
lots of math. Everyone can have the public key.

Asymmetric encryption:

Key escrow:

Someone else holds your decryption keys: this means your private keys are not only in your
hands; a third party (e.g. your company, a provider, a government service) keeps a backup
copy. This can be a legitimate business arrangement: access to the data of an employee who
has left, a backup of encrypted data that stays accessible even if the main key is lost,
government agencies may require lawful access to the data. Controversial, yes: it reduces
confidentiality; if the third party is compromised, so is your data; a trust problem: the third
party must be extremely secure.

Encrypting data (13)

Protect data on storage devices: SSDs, hard drives, USB drives, cloud storage; this data is at
rest. Full-disk and partition/volume encryption: BitLocker, FileVault (macOS). File encryption:
EFS (Encrypting File System), third-party utilities.

Database encryption: protecting stored data and the transmission of that data. Transparent
data encryption: encrypt all database information with a symmetric key. Record-level
encryption: encrypt individual columns, using separate symmetric keys for each column.

Transport encryption: protect data traversing the network, probably happening right now.
Encrypting in the application: browsers can communicate using HTTPS (encrypted). VPN
(virtual private network): encrypt all data transmitted over the network regardless of the
application; client-based VPN using SSL/TLS, site-to-site VPN using IPsec.

Encryption algorithms: many different ways to encrypt data. Both sides decide on the
algorithm before encrypting the data; the details are often hidden from the user. Advantages
and disadvantages between algorithms: some are faster, some have better security levels,
complexity of implementation.

Cryptographic keys: there's very little we don't know about a cryptographic system: the
algorithm is usually a known entity; the only thing you don't know is the key itself. The key
determines the output: encrypted data, hash value, digital signature. KEEP YOUR PRIVATE
KEY PRIVATE; it's the only thing protecting your data.

Key lengths: larger keys tend to be more secure and resist brute-force attacks, where
attackers try every possible key combination. Symmetric encryption: 128-bit or larger
symmetric keys are common; these numbers get larger and larger as time goes on. Asymmetric
encryption: complex calculations of prime numbers, larger keys than symmetric encryption;
common to see key lengths of 3,072 bits or larger.

Key stretching: a weak key is a weak key; by itself, it's not very secure. Make a key stronger
by performing multiple processes: hash a password, hash the hash of the password, and
continue: key stretching/strengthening. A brute force attack would require reversing each of
those hashes, so the attacker has to spend much more time, even though the key is small,
because of all the hashes.
Key exchange (14)

A logical challenge: how do you share an encryption key across an insecure medium like the
internet? Out-of-band key exchange: don't send the symmetric key over the 'net: telephone,
courier or in person. In-band exchange: it's on the network; protect the key with additional
encryption, e.g. use asymmetric encryption to deliver a symmetric key.

Real-time encryption/decryption: share a symmetric session key using asymmetric
encryption: the client encrypts a random (symmetric) key with the server's public key; the
server decrypts this shared key and uses it to encrypt data; this is the session key.
Implement session keys carefully: they need to be changed often (ephemeral keys) and need
to be unpredictable.

Keeping the data private: data is located in multiple locations: mobile phones, cloud,
laptops; the most private data is often physically closest to us. Attackers are always finding
new techniques to get that data; it's a race to stay one step ahead.

Secure enclave: a protected area for our secrets, often implemented as a hardware
processor isolated from the main processor; many different technologies and names.
Provides extensive security features: has its own boot ROM, monitors the system boot
process, true random number generator, real-time memory encryption, root cryptographic
keys, performs AES encryption in hardware, and more.

Symmetric key from asymmetric keys: use public and private key cryptography to create a
symmetric key.

Encryption technologies (15)

Trusted Platform Module (TPM): cryptographic hardware on a device. Cryptographic
processor: random number generator, key generator. Persistent memory: unique keys
burned in during manufacturing. Versatile memory: storage keys, hardware configuration
information, securely store BitLocker keys. Password protected, no dictionary attacks.

Hardware security module (HSM): used in large environments; clusters, redundant power;
securely store thousands of cryptographic keys. High-end cryptographic hardware: plug-in
card or separate hardware device. Key backup: secure storage in hardware. Cryptographic
accelerators: offload CPU overhead from other devices.

Key management system: manage all keys from a centralized manager, often provided as
third-party software; separate the encryption keys from the data. All key management from
one console: create keys for a specific service or cloud provider (TLS/SSL, SSH), associate
the keys with users, rotate keys at regular intervals, log key use and important events.

Obfuscation (16)

Obfuscation: the process of making something unclear; it's now much more difficult to
understand, but not impossible. Hide information in plain sight: store payment information
without storing a credit card number. Hide information inside an image: steganography.

Steganography: security through obscurity. If you know the process that was used to hide
the data, then you can easily recover the data. The covertext: the container document or
file.

Steganography techniques: embed messages in TCP packets; use an image; invisible
watermarks; yellow dots on printers, used to trace the origin of a printed document.

Other steganography types: audio steganography: modify the digital audio file, interlace a
secret message within the audio, similar to image steganography. Video steganography: a
sequence of images; use image steganography on a larger scale, manage the signal-to-noise
ratio, potentially transfer much more information.

Tokenization: replace sensitive data with a non-sensitive placeholder. Common with credit
card processing: use a temporary token during payment; an attacker capturing the card
numbers can't use them later because it is a one-time-use token that can't be reused. This
isn't encryption or hashing: the original data and the token aren't mathematically related.

Data masking: hide some of the original data. Protects PII and other sensitive data; may
only be hidden from view, the data may still be intact in storage; control the view based on
permissions. Many different techniques: substituting, shuffling, encrypting, masking out, etc.
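Added example (not from the notes) showing the two ideas above in Python: a token vault whose one-time tokens are random and unrelated to the card number, beside a masking function that only hides the view of the value. The card number is a constructed sample.

```python
import secrets
from typing import Dict, Optional


class TokenVault:
    """Maps one-time tokens to card numbers. Only the vault holds the mapping;
    the token itself carries no information about the card (no encryption, no hash)."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, card_number: str) -> str:
        # A fresh random token every time, never derived from the card number,
        # so two payments with the same card get two unrelated tokens.
        token = secrets.token_urlsafe(16)
        self._store[token] = card_number
        return token

    def redeem(self, token: str) -> Optional[str]:
        # One-time use: the token is consumed on first redemption, so a token
        # captured in transit and replayed later returns nothing.
        return self._store.pop(token, None)


def mask_pan(card_number: str, visible_last: int = 4) -> str:
    """Data masking: show only the last digits; the full value may still exist in storage."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    hidden = "*" * max(len(digits) - visible_last, 0)
    return hidden + digits[-visible_last:]


def demo() -> dict:
    vault = TokenVault()
    card = "4111 1111 1111 1111"   # constructed sample number, not a real card
    t1 = vault.tokenize(card)
    t2 = vault.tokenize(card)      # same card, different token
    first = vault.redeem(t1)
    replay = vault.redeem(t1)      # a captured token replayed after use
    return {
        "tokens_unrelated": t1 != t2,
        "first_use_ok": first == card,
        "replay_fails": replay is None,
        "masked": mask_pan(card),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```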
Hashing and digital signatures (17)

Hashes: represent data as a short string of text: a message digest, a fingerprint. One-way
trip: impossible to recover the original message from the digest; used to store passwords
(confidentiality). Verify that a downloaded document is the same as the original (integrity).
Can be used in a digital signature: authentication, non-repudiation and integrity.

Hash example: SHA-256 hash: 256 bits / 64 hexadecimal characters. One simple change in the
text and the hash completely changes.

Collision: hash functions take an input of any size and create a fixed-size string: message
digest, checksum. The hash should be unique: different inputs should never create the same
hash; if they do, it's a collision. MD5 has a collision problem, found in 1996; don't use MD5
for anything important.

Practical hashing: verify a downloaded file; hashes may be provided on the download site;
compare the downloaded file's hash with the posted hash value. Password storage: instead of
storing the password, store a salted hash; compare the hash during the authentication
process; nobody ever knows your actual password.

Adding some salt: salt: random data added to a password when hashing. Every user gets
their own random salt; it's commonly stored with the password. Rainbow tables won't work
with salted hashes, because an additional random value is added to the original password.
This slows down the brute force process; it doesn't completely stop the reverse engineering.
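An added example (not part of the notes) covering both the key stretching section and the salted password storage above: PBKDF2 from Python's standard library performs the repeated hashing, and a per-user random salt keeps identical passwords from producing identical hashes. The iteration count and the sample passwords are chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters for the stretched hash (values chosen for this example).
# The iteration count is the "stretching": PBKDF2 re-hashes the password this
# many times, so each brute-force guess costs the attacker the same work.
ALGORITHM = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def sha256_hex(text: str) -> str:
    """Plain SHA-256 fingerprint: 256 bits shown as 64 hex characters."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'algorithm$iterations$salt_hex$hash_hex'.

    A fresh random salt is generated per user when none is supplied, so two users
    with the same password never share a hash and rainbow tables do not apply.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count, then compare."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate.hex(), hash_hex)


def demo() -> dict:
    """Collect the facts the comments above claim, for a stand-alone run."""
    alice = hash_password("Winter2024!")
    bob = hash_password("Winter2024!")   # same password, different user, different salt
    return {
        "unsalted_identical": sha256_hex("Winter2024!") == sha256_hex("Winter2024!"),
        "salted_differ": alice.split("$")[3] != bob.split("$")[3],
        "alice_verifies": verify_password("Winter2024!", alice),
        "wrong_rejected": verify_password("winter2024!", alice),
        "one_char_change_new_digest": sha256_hex("hello") != sha256_hex("hellp"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```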

Salting the hash (figure: the salt is highlighted in yellow).

Digital signatures: prove the message was not changed (integrity). Prove the source of the
message (authentication). Make sure the signature isn't fake (non-repudiation). Sign with the
private key: the message doesn't need to be encrypted; nobody else can sign this (obviously).
Verify with the public key: any change in the message will invalidate the signature, so
verification with the public key will fail.
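Added example (not from the notes, and not any real library's code) serving both the session-key exchange from the key exchange section and the digital signatures above: textbook RSA built on two hard-coded known primes, used first to wrap a random symmetric key with the server's public key and then to sign a SHA-256 digest with the private key and verify it with the public key. Real systems use much larger random primes plus padding; the contract text is a constructed sample.

```python
import hashlib
import secrets

# Two known primes (the Mersenne primes 2^31-1 and 2^61-1), hard-coded so the example
# runs offline and deterministically. Real key generation picks random primes of
# ~1500 bits or more; with a ~92-bit modulus this is only a textbook illustration.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def generate_keypair():
    """Build the public (n, e) and private (n, d) keys at the same time (textbook RSA)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)          # modular inverse: e*d == 1 (mod phi)
    return (n, E), (n, d)


# --- In-band key exchange: the client wraps a random symmetric key with the server's public key
def wrap_session_key(server_public, session_key: bytes) -> int:
    n, e = server_public
    m = int.from_bytes(session_key, "big")
    if m >= n:
        raise ValueError("session key must be smaller than the modulus in this toy scheme")
    return pow(m, e, n)          # only the holder of the private key can undo this


def unwrap_session_key(server_private, wrapped: int, key_len: int) -> bytes:
    n, d = server_private
    return pow(wrapped, d, n).to_bytes(key_len, "big")


# --- Digital signature: sign a hash of the message with the private key, verify with the public key
def message_digest(message: bytes, n: int) -> int:
    # SHA-256 fingerprint reduced into the modulus (a real scheme pads instead of reducing).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    n, d = private
    return pow(message_digest(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == message_digest(message, n)


def demo() -> dict:
    server_pub, server_priv = generate_keypair()
    # Client side: a random 80-bit session key (below the 92-bit modulus), encrypted
    # with the server's public key; only the server can recover it.
    session_key = secrets.token_bytes(10)
    wrapped = wrap_session_key(server_pub, session_key)
    recovered = unwrap_session_key(server_priv, wrapped, len(session_key))
    # Signing a contract: the private key signs, anyone with the public key checks
    # origin and integrity; a modified contract no longer verifies.
    contract = b"I agree to pay 100 EUR"
    sig = sign(server_priv, contract)
    return {
        "session_key_recovered": recovered == session_key,
        "signature_valid": verify(server_pub, contract, sig),
        "tampered_rejected": verify(server_pub, b"I agree to pay 900 EUR", sig),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```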

Blockchain technology (18)

Blockchain: a distributed ledger (a register of transactions), keeps track of transactions.
Everyone on the blockchain network maintains the ledger; records are replicated to anyone
and everyone. Many practical applications, e.g. payment processing, digital identification,
supply chain monitoring, digital voting.

Blockchain process,
Certificates (19)

Public key certificate: combines a public key with a digital signature and other details about
the holder. The digital signature adds trust; PKI uses certificate authorities (CA) for additional
trust; a web of trust adds other users for additional trust. Certificate creation can be built into
the OS, part of Windows domain services; many third-party options.

What's in a digital certificate: X.509, the standard format. Certificate details: serial number,
version, signature algorithm, issuer, name of the cert holder, public key, extensions, and
more.

Root of trust: everything associated with IT security requires trust, a foundational
characteristic. How to build trust from something unknown: someone/something trustworthy
provides their approval. Refer to the root of trust, an inherently trusted component:
hardware, software, firmware, or other component: hardware security modules (HSM),
secure enclave, Certificate Authority, etc.

Certificate Authorities: you connect to a random website; do you trust it? Need a good way
to trust an unknown entity: use a trusted third party, an authority. The Certificate Authority
(CA) has digitally signed the website certificate; you trust the CA, therefore you trust the
website; real-time verification.

Third-party certificate authorities: built into your browser, any browser. Purchase your web
site certificate and it will be trusted by everyone's browser. The CA is responsible for vetting
the request: they'll confirm the certificate owner; additional verification information may be
required by the CA.

Certificate signing request: create a key pair, then send the public key to the CA to be
signed: a certificate signing request (CSR). The CA validates the request, confirms DNS,
email and website ownership. The CA digitally signs the cert and returns it to the applicant.

Private certificate authorities: you are your own CA; build it in-house; your devices must trust
the internal CA. Needed for medium-to-large organizations: many web servers and privacy
requirements. Implement in your computing strategy: Windows certificate services, OpenCA.

Self-signed certificates: internal certificates don't need to be signed by a public CA; your
company is the only one going to use them; no need to purchase trust for devices that already
trust you. Build your own CA and issue your own certificates signed by your own CA. Install
the CA certificate/trusted chain on all devices; they'll now trust any certificate signed by
your internal CA; works exactly like a certificate you purchased.
Wildcard certificates: subject alternative name (SAN), an extension to the X.509 certificate,
lists additional identification information and allows a certificate to support many different
domains. Wildcard domain: certificates are based on the name of the server; a wildcard
domain will apply to all server names in a domain.

Key revocation: Certificate revocation list (CRL), maintained by the CA, contains many
revocations in large files. Many different reasons; it changes all the time. April 2014: OpenSSL
had a flaw that put the private key of affected websites at risk, so they revoked all the
certificates, put them in the CRL, and generated new ones.

OCSP stapling: Online Certificate Status Protocol; provides scalability for OCSP checks. The CA
is responsible for responding to all client OCSP requests; this may not scale well. Instead,
have the certificate holder verify their own status; status information is stored on the
certificate holder's server. The OCSP status is "stapled" into the SSL/TLS handshake; it's
digitally signed by the CA.

Revocation details to the browser: the browser can check the certificate revocation.
Messages are usually sent to an OCSP responder via HTTP; easy to support over internet links,
more efficient than downloading a CRL. Not all browsers/apps support OCSP; early Internet
Explorer versions did not support OCSP; some support OCSP but don't bother checking.

Threath actor (20)

Threat actors, the entity responsible for an event that has an impact on the safety of
another entity, also called a malicious actor. Threath actors attributes, describes
characteristics of the attacker. Useful to categorize the motivation, why is this attack
happening, is this directed or random.

Attributes of threat actors, internal/external, the attacker is inside the house, they’re outise
and trying to get in. Ressource/funding, no money for tools, more money, more tools to be
used. Level of sophistication/capability, blindly runs a script or automated vulnerability scans
without knowing what is does, they can write their own attacks malware and scripts.

Motivation of threat actors, what them them ticks, purpose to this attack. Motivations
include, depends on the situation, the attacker and who is being attacked.

Nation states, external entity, government and national security. Many possible motivation,
data exfiltration, philosophical, revenge, disruption, war. Constant attacks, massive
ressources, commonly an advanced persistent threats (APT). Highest sophistication, military
control, utilities, financial control. United states and israel destroyed 1,000 nuclear
cetrifuges with the Stuxnet worm.

Unskilled attackers, runs pre-made scripts without any knowledge of what’s really happening
, anyone can do this. Motivated by the hunt, disruption, data exfiltration, sometimes
philosohical. Can be internal/ external, but usually external. Not very sophisticated, limited
ressources, if any. No formal funding, usually uses widely open script that are easy access.

Hacktivist, a hacker with a purpose, motivated by philosophy, revenge, disruption, etc. Often
an external entity, could potentially infiltrate to also be an insider threat. Can be remarkably
sophisticated, very specific hacks, DoS, web site defacing, private document release.
Funding may be limited, some organizations have fundraising options.

Insider threat, more than just passwords on sticky notes, motivated by revenge, financial
gain. Extensive resources, using the organization's resources against itself. An
internal entity, eating away from the inside. Medium level of sophistication, the insider has
institutional knowledge, attacks can be directed at vulnerable systems, the insider knows
what to hit.

Organized crime, professional criminals, motivated by money, almost always an external
entity. Very sophisticated, best hacking money can buy. Crime that's organized, one person
hacks, one person manages the exploits, another person sells the data, another handles
customer support. Lots of capital to fund hacking efforts.

Shadow IT, going rogue, working around the internal IT organization, build their own
infrastructure, own applications without IT knowing. IT can put up roadblocks, shadow IT is
unencumbered, uses the cloud, might also be able to innovate. Limited resources, company
budget, medium sophistication, may not have IT training or knowledge.

Common threat vectors (21)

Threat vectors, a method used by the attacker to gain access to or infect the target, also called
"attack vectors". A lot of work goes into finding vulnerabilities in these vectors, some are
more vulnerable than others. IT security professionals spend their careers watching these
vectors, protecting existing vectors, finding new vectors.

Message-based vectors, one of the biggest (and most successful) threat vectors, everyone
has at least one of these messaging systems. Email, malicious links in email, link to a
malicious site. SMS, attacks in a text message.

Phishing attacks, people want to click links, links in an email, links sent via text or IM.
Deliver the malware to the user, attached to the email, scan all attachments, never launch
untrusted links. Social engineering attacks, invoice scams, cryptocurrency scams (taking over a
crypto wallet, selling fake crypto).

Image-based vectors, easy to identify a text-based threat, it's more difficult to identify the
threat in an image. Some image formats can be a threat, the SVG (scalable vector graphics)
format, the image is described in XML (extensible markup language). Significant security
concerns, HTML injection, JavaScript attack code. The browser must provide input validation,
avoiding running malicious code.
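The input validation mentioned above, shown from the server side as an added example (not code from these notes or from any particular product): an uploaded SVG is parsed as XML and every element or attribute that could carry script (the `script` and `foreignObject` elements, `on*` event-handler attributes, `javascript:` links) is stripped before the file is stored or served. The sample SVG is constructed for the example; the payload bodies are placeholders.

```python
"""Constructed example: strip active content from an SVG upload.

Added for these notes as an illustration of SVG input validation; it is not a
complete production sanitizer (CSS url() references, <use> to external files
and similar tricks are out of scope here).
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)       # keep the output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements that carry script or embedded HTML and have no place in an image upload.
DANGEROUS_TAGS = {"script", "foreignObject"}
# URL schemes that execute code when the link is activated.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:")


def local_name(qualified):
    """'{http://www.w3.org/2000/svg}rect' -> 'rect'; plain names pass through."""
    return qualified.rsplit("}", 1)[-1]


def _scrub(elem, removed):
    # 1. Attributes: drop event handlers (onload, onclick, ...) and script URLs.
    for attr in list(elem.attrib):
        name = local_name(attr)
        value = elem.attrib[attr].strip().lower()
        if name.lower().startswith("on") or (
            name == "href" and value.startswith(DANGEROUS_SCHEMES)
        ):
            del elem.attrib[attr]
            removed.append("@" + name)
    # 2. Children: delete whole dangerous subtrees, recurse into everything else.
    for child in list(elem):
        if local_name(child.tag) in DANGEROUS_TAGS:
            elem.remove(child)
            removed.append(local_name(child.tag))
        else:
            _scrub(child, removed)


def sanitize_svg(svg_text):
    """Return (clean_svg, removed_items). DOCTYPE/ENTITY input is rejected outright,
    because entity expansion is a separate XML attack the parser should never see."""
    lowered = svg_text.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed in an SVG upload")
    root = ET.fromstring(svg_text)
    if local_name(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: one hostile SVG combining the tricks above (payloads are placeholders).
CONSTRUCTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* placeholder */">
  <script>/* placeholder */</script>
  <rect width="10" height="10" fill="red"/>
  <a xlink:href="javascript:/* placeholder */"><text>click</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><p>html</p></body></foreignObject>
</svg>"""

if __name__ == "__main__":
    clean, removed = sanitize_svg(CONSTRUCTED_SVG)
    print("removed:", removed)   # ['@onload', 'script', '@href', 'foreignObject']
    print(clean)
```

The drawing itself (the `rect` and the link text) survives untouched, which is the point: validation keeps the image and discards only the parts a browser would execute. Serving SVG with `Content-Disposition: attachment` or from a separate origin is the complementary browser-side control when sanitizing is not possible.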

File-based vectors, more than just executables, malicious code can hide in many places.
Adobe PDF, a file format containing other objects. Zip/rar files (any compression type),
contain many different files. Microsoft Office, documents with macros, add-in files.
Voice call vectors, vishing, phishing over the phone. Spam over IP, large-scale phone calls.
War dialing, finding an unpublished phone number that gives access. Call tampering, disrupting voice
calls.

Removable device vectors, get around firewall, the usb interface. Malicious software on USB
flash drives, infect air gapped networks, industrial systems, high-security services. USB
devices can act as keyboards, hacker on a chip. Data exfiltration, terabytes of data out the
door, zero bandwidth used.

Vulnerable software vectors, client-based, infected executable, known (or unknown)
vulnerabilities, may require constant updates. Agentless, no installed executables,
compromised software on the server would affect all users, clients run a new instance each
time.

Unsupported system vectors, patching is an important prevention tool, ongoing security fixes.
Unsupported systems aren't patched, there may not even be an option. Outdated operating
systems, eventually, even the manufacturer won't help. A single system could be an entry,
keep your inventory and records current.

Unsecure network vectors, the network connects everything, ease of access for the
attackers, view all (non-encrypted) data. Wireless, outdated security protocols (WEP, WPA,
WPA2), open or rogue wireless networks. Wired, unsecure interfaces, no 802.1X protocol.
Bluetooth, reconnaissance, implementation vulnerabilities.

Open service ports, most network-based services connect over a TCP or UDP port, an "open"
port. Every open port is an opportunity for the attacker, application vulnerability or
misconfiguration. Every application has its own open port, more services expand the
attack surface. Firewall rules must allow traffic to the open port.
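A small attack-surface check for the open-ports point above, added here as an example (not from these notes or from any tool): it parses the output of `ss -ltn` on Linux, ignores sockets bound only to loopback, and reports every externally reachable listening port that is not on the host's allowlist. The `ss` output is a constructed string so the example runs offline; on a real host you would feed it `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`.

```python
"""Constructed example: audit listening TCP ports against an allowlist.

Added for these notes; the input format is that of `ss -ltn` on Linux, supplied
here as a constructed sample rather than read from the running system.
"""

# Addresses that are only reachable from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss_listeners(ss_output):
    """Return [(local_address, port), ...] for every LISTEN row in `ss -ltn` output."""
    rows = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or a non-listening state
        # Local Address:Port is the fourth column; the port is after the last colon,
        # which also works for IPv6 forms such as [::]:22.
        addr, port = parts[3].rsplit(":", 1)
        rows.append((addr, int(port)))
    return rows


def audit_listeners(ss_output, allowed_ports):
    """Return the externally reachable listeners whose port is not on the allowlist.

    Each finding is a dict so a caller can log it or turn it into a ticket; the
    order follows the `ss` output.
    """
    findings = []
    for addr, port in parse_ss_listeners(ss_output):
        if addr in LOOPBACK:
            continue  # not part of the network attack surface
        if port not in allowed_ports:
            findings.append({"port": port, "bound_to": addr})
    return findings


# Constructed sample output of `ss -ltn` (not captured from a real host).
CONSTRUCTED_SS = """\
State   Recv-Q  Send-Q  Local Address:Port       Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22               0.0.0.0:*
LISTEN  0       511     127.0.0.1:3306           0.0.0.0:*
LISTEN  0       4096    *:8080                   *:*
LISTEN  0       128     [::]:22                  [::]:*
LISTEN  0       50      [::ffff:0.0.0.0]:5900    [::]:*
"""

# Ports this host is documented and firewalled to expose (assumed for the example).
ALLOWED_PORTS = {22}

if __name__ == "__main__":
    for finding in audit_listeners(CONSTRUCTED_SS, ALLOWED_PORTS):
        print(f"unexpected listener: port {finding['port']} bound to {finding['bound_to']}")
    # prints: port 8080 bound to *  and  port 5900 bound to [::ffff:0.0.0.0]
```

The MySQL listener on 127.0.0.1 is deliberately not reported: it is still an open port, but only to processes on the same host. Running this from a scheduled job and diffing against the previous run turns the "keep your inventory current" advice into a detection: a new entry in the findings list is either an undocumented service or a change someone needs to explain.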

Default credentials, most devices have default usernames and passwords. The right
credentials provide full control, administrator access. Very easy to find the defaults for your
access point or router, e.g. Routerpassword.com.

Supply chain vectors, tamper with the underlying infrastructure or manufacturing process.
Managed service providers (MSPs), access many different customer networks from one
location. Gain access to a network using a vendor, 2013 Target credit card breach.

Suppliers, counterfeit networking equipment, installed backdoors, substandard performance and
availability, 2020 fake Cisco Catalyst switches.

Phishing (22)

Social engineering with a touch of spoofing, often delivered by email, text, etc., very
remarkable when well done,
