First Principles

What is Cyberspace?

Cyberspace: The notional environment in which communication over computer networks occurs.

Alternative Definition:
An operational domain whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange, and exploit information via interconnected and internetted information systems and their infrastructures. (US Military Joint Doctrine).

What is Cybersecurity?

When you hear the word “cybersecurity”, what do you think of?

Cybersecurity: Protection of computer systems from theft, damage, disruption, or misdirection of hardware, software, information, or services.

CIA Triad

Foundational principles of security:

Confidentiality: Protect information from unauthorized disclosure.
Integrity: Ensure information isn’t altered accidentally or unauthorizedly.
Availability: Ensure information can be used when and where needed.

Example: Confidentiality

Q: Suppose Alice is connected to JFK Airport WiFi.

Bob is listening-in on the public WiFi, what can he see?

A: Bob will be able to see the contents of unencrypted messages, and additional metadata such as sender and reciever.

Alice should avoid public WiFi, but if she needs to use it, she shouldn’t access anything sensitive.

WPA3 is the current standard of encrypted wireless channels.

Example: Integrity

Q: Suppose Bob made a fake JFK WiFi to trick Alice to connect.

What should Alice do?

A: Just don’t connect, and if you do, don’t access anything sensitive (but better to not connect).

Example: Availability

Q: Let’s say Alice can’t connect to the WiFi because Bob is jamming the WiFi with a denial of service attack.

A: Redundancy and whatnot.

More generally, backup stuff is important, like having backup power for a home security system.

Example: Applying CIA

Suppose your gradebook.

C: Who should see it?
- Registrar’s office? Me? Professor?
I: Who can edit it?
- All professors? Just your professor? The TA?
A: Is it available?
- Can I see it 24/7, from anywhere? When’s maintenance?

More Terms

Asset: What we care about

e.g., info, software, hardware, bandwidth, reputation, privacy, money, etc.

Threat: Potential for occurrence of undesirable effect on asset.

Often evaluated with respect to CIA.

Safeguard: Control implemented to reduce risk posed by a threat.

Vulnerability: Absence or weakness of safeguards.

Allows a threat to effect assets.

Exploit: Technique that takes advantage of a vulnerability to effect an asset.

Example: Threats and Safeguards

Threats	Safeguards
C: Packet sniffing, file grabbing	Encryption, access controls
I: Spoofed emails, disk drive corruption	digital signatures, backups
A: DoS attacks, power failure	firewall, redundant capability, back-up generator

Remember: Threats don’t need malice (e.g., power failure, corruption)

Cost-Benefit and Risk

Principle: Do not devote more resources than potential loss.

Cost of Loss: How much does it cost if I fail to main CIA?
- Remember to include secondary costs.
Cost of Prevention: How much do safeguards cost?

On Risk: Different businesses have different acceptable risks

e.g., a healthcare company has lower acceptable risks than a coffee shop

Security Fundamentals

There are trade-offs between security and usability.
Security is a process, not a product.
Perfectly secure systems don’t exist, but we can make them more defensible.

Attacker Goals

Q: Why would you attack systems and networks?

A: Money, reputation, revenge, social change, etc.

Defensible Systems

Goal: Make our systems harder to attack and easier to defend.

Definition:
Systems: Hosts and networks

Four Main Elements of Defensibility

These four elements are from TAO Security

1. Controlled

Access Controls:

What has control access?
- Data, executables, hardware
Who has control access?
- Subjects: Do-ers
  - User, group membership.
- Objects: Do-ees
  - Access control lists, owners.
Enforced by security kernel / reference monitor.

Example: Types of Access Control:

Mandatory Access Controls (MAC)
- e.g., firing an employee
Discretionary Access Controls (DAC)
- e.g., giving files to a friend
Role-Based Access Controls (RAC)
- e.g., an accountant only has access to files relevant to accounting

Don’t forget about physical security.

2. Minimized

Reduce the attack surface.

Complexity is the enemy of security.

Example: Things that could be disabled

Basically, anything that is unused.

Services
Software
Accounts
Hardware (ports, peripherals, etc.)

Least-Privilege: Subjects should only have privilege for stuff their job needs.

Example: Least privilege

A janitor doesn’t need to see stuff HR needs, HR doesn’t need to see the stuff the CEO sees, etc.

3. Monitored

Logging and Auditing: What should be logged?
- Essential for troubleshooting and security and incident monitoring.
Antivirus and Intrusion Detection
File integrity monitoring

Example: Things that can be logged

Permission changes
Device information (MAC, IP, unique information)
Time / what is accessed
Login/logout, startup/shutdown.
Access to important things.
et cetera

4. Current

Keep things up-to-date.

Automatic updates should be from a trusted and controlled source.

Example: Things that should be up-to-date

Executables (OS, services, applications, drivers)
Antivirus and intrusion detection systems (signature and engine)
Software inventory and version checking (check for old/unused software)
Backups (should be up-to-date and easy/routine/validated/secure)

Attack Phases (The Five P’s)

Probe: Passive and active reconnaissance.
- Who is this? What can I exploit? etc.
Penetrate: Gain initial access.
- via software vulnerabilities, weak/stolen credentials, social engineering, etc.
Persist: Maintain access and leave no trace.
- compromised accounts, backdoor, toolkits, bots
Propagate: Spread up and out.
- Privilege escalation, and
- Extend to other systems/networks.
Profit: Achieve attack goals, whatever they may be.

Incident Prevention

Preventative measures can mitigate and lessen the impact of an incident and help the incident response process.

Non-Technical Prep:

Safety/security training
- The human firewall is the first line of defense
Implement a security policy
Incident response plans
Make security easy and obvious
- This is tied to having a good user experience.

Technical Prep:

Harden systems and networks.
Enforce security policy.
Functional response process

Thought Process

Have an open mindset. Think like an attacker.

Sometimes, answers are not intuitive.