Asset Security – Bitesize CISSP Study Notes

Asset Security is the second domain of the CISSP. This domain focuses heavily on classification of data and the labels used, various roles within an organization, data security controls and frameworks, baselining and hardening, and the various states of data. In addition to this, data remanence and destruction are also covered and should be understood for the exam, especially the difference between traditional magnetic storage and newer solid state devices. ...

September 12, 2019 · 6 min · 1269 words · icarnaghan

Security Risk Management - Bitesize CISSP Study Notes

Security Risk Management is the first domain of the CISSP. These are some notes highlighting areas of study for this domain and are by no means a comprehensive set of materials for preparing for this certification. The content below is what I have used to better prepare for this domain. Before reviewing this section, if you haven’t already taken Kelly Handerhan’s CISSP course, I would highly recommend spending some time going through it. It is by far the most engaging and relevant video series I’ve seen for CISSP study prep. In the first domain she covers a slide called the tenets of secure design, which is also very relevant here. At a minimum, make sure you are familiar with the concepts she covers there, including risk analysis, defense in depth, fail safe, KISS (Keep It Simple, Stupid), completeness of design, open design, redundancy, separation of duties, mandatory vacations, job rotation, and others. ...

September 3, 2019 · 8 min · 1600 words · icarnaghan

United States Defense Contractors and Cybersecurity Challenges

In the United States, a sizable amount of the overall federal budget is allocated to defense spending. The 2018 Defense Budget was signed into law on December 12, 2017, by President Trump, authorizing just under $700 billion in defense spending (Blankenstein, 2017). Compared with just a few years ago, when fiscal year defense spending was set at $593 billion, the amount of money set aside for defense continues to grow. Traditionally, a lot of this budget has gone into supporting the military, purchasing equipment and machinery, and paying salaries. In recent years, more money has been set aside for defense contractors, who in turn provide products and services to the Federal Government. In 2016, nearly half of the defense budget was allocated to defense contractors. The biggest beneficiaries included Lockheed Martin ($36.2 billion), Boeing ($24.3 billion), Raytheon ($12.8 billion), General Dynamics ($12.7 billion), and Northrop Grumman ($10.7 billion) (Hartung, 2017). A more detailed table of the defense sector follows. ...

March 17, 2018 · 10 min · 2082 words · icarnaghan

SSL Labs Rating Woes

I was recently notified that one of the sites I support was getting a ‘C’ rating on SSL Labs. It turned out that there were three main issues that needed to be resolved. Two out of the three were relatively easy to find via the SSL Labs documentation, which required simple fixes to the ssl.conf file. “This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate.” This was relatively easy to fix. I resolved it by modifying ssl_protocols in the ssl.conf file - thank you Digital Ocean for your comprehensive write-up on this! “The server does not support Forward Secrecy with the reference browsers.” Again, more simple changes in the ssl.conf file. In case you run into a similar issue, be sure to read this helpful article, Configuring Apache, Nginx, and OpenSSL for Forward Secrecy. The third issue, however, was not quite as straightforward: “This server accepts RC4 cipher, but only with older protocols.” I found a number of helpful articles on this stating that adding !RC4 to SSLCipherSuite to exclude RC4 will mitigate this vulnerability. I spent quite a bit of time trying different cipher list combinations, always including !RC4; however, no matter how many times I tweaked this, restarted httpd and revisited SSL Labs, I kept getting the annoying ‘B’ grade and RC4 complaint. For anyone facing similar issues, I highly recommend reading Hardening Your Web Server’s SSL Ciphers. ...

March 8, 2018 · 2 min · 380 words · icarnaghan

Management Actions that Must Happen Prior to a Cyber Attack

Prior to any cyber attack, an organization should already have a solid crisis management plan and set of disaster recovery precautions in place. In addition to this, a risk analysis should be carried out involving a holistic approach and careful investigation of information systems and the overall environment. The purpose of such an analysis is to evaluate all endpoints that could potentially fail in a disaster or cyber-attack (Pfleeger & Pfleeger, 2007). The analysis should describe the current state of an organization’s security approaches and examine areas of the company’s infrastructure as well as external factors. ...

February 26, 2018 · 2 min · 280 words · icarnaghan

Moving Target Defense (MTD)

Organizations continue to struggle with policies and processes to effectively secure their infrastructure and protect their information assets and intellectual property. In recent years, we have seen an increase in cyber-attacks and breaches to the point that they have become common news worldwide. As systems have grown in complexity, with increased capacity to store large amounts of data, so too has the appeal of targeting such systems to cyber criminals. Traditional approaches to defense, including signature-based detection, behavioral-based detection, and defense in depth strategies, are not enough to protect against advanced distributed attacks and zero-day attacks. Current technologies used to inspect traffic, whether packet-based, time-based, or behavior-based, can provide some level of defense. Unfortunately, however, as our tools and techniques improve, so too do the accuracy and sophistication of attackers. ...

February 19, 2018 · 18 min · 3825 words · icarnaghan

Three Must Have Security Policies In 2018

The nature of the Internet and worldwide connectivity has changed the traditional, centuries-old paradigm regarding proximity. We now see threats from all parts of the globe. What are three cybersecurity policies for a firm that would mitigate the risk of cybersecurity attacks at the global level? Cybersecurity threats continue to rise year after year, and the problem continues to grow due to the global nature of attacks. Organizations must implement security policies in order to protect themselves against such threats. Below are three policies that would help organizations better defend against global threats. ...

February 11, 2018 · 3 min · 489 words · icarnaghan

Vulnerability Assessments

Vulnerability assessments can be a very effective way of gathering information on an organization’s internal security posture. The purpose is to accumulate data on any weaknesses revealed so that they can be proactively mitigated to prevent exploitation. There are a number of tools that can be used to carry out vulnerability assessments. Typically, software-based tools are used to scan a selected part of an organization’s infrastructure. This can range from specific areas that are exposed to the public to entire sections of the organization’s network. Cima (2001) lists four of the most common types of vulnerability scanner. These include network-based scanning tools, host-based scanning tools, database scanning tools, and wardialers. ...

February 10, 2018 · 2 min · 258 words · icarnaghan

What are Advanced Persistent Threats?

Advanced Persistent Threats (APTs) are security threats that use advanced techniques to hide their attack from the target. They are commonly used to target specific information in high-profile companies and governments. APTs usually follow a long-term strategy of attack in order to gather information from the breached system. There have been many examples of APTs over the years targeting well-known organizations. In 2013 the Mandiant report revealed evidence that a specific Chinese military unit had been behind many major Advanced Persistent Threats (APTs) within the United States. Since then, APTs have been used against large companies including Yahoo, Google, Northrop Grumman, and many others. One of the most complex APTs in recent years was the Stuxnet computer worm (“Stuxnet: Advanced Persistent Threat - Ran Levi,” n.d.), which targeted Iran’s nuclear program. ...

February 9, 2018 · 2 min · 321 words · icarnaghan

Helpful Resources for Understanding Web Application Security

As a developer, knowledge of web application security vulnerabilities is essential in order to build software that is both resilient to attacks and protected through a layered approach to defense. The cybersecurity landscape is constantly shifting; however, a good understanding of the most common vulnerabilities is a great place to get started with security. Before reviewing the articles below, be sure to look at 10 Most Common Security Vulnerabilities. The list that follows is a handful of articles I’ve written over the years in both my graduate and professional work. They focus on application security specifically, as well as an understanding of the people behind such attacks. ...

February 2, 2018 · 3 min · 442 words · icarnaghan