A Collection of Foundation Cyber Principles

The Cyber War of the Triads

  • CIA Triad

    The three key objectives in cybersecurity are Confidentiality, Integrity and Availability.
    Confidentiality - Ensuring that unauthorized persons are not able to gain access to sensitive data.
    Integrity - The assurance that data has not been altered in an unauthorized manner. This requires protecting data in systems and throughout processing, so that it is captured, used and preserved in a way that maintains its completeness and prevents improper alteration, errors and information loss. #NIST800-27
    Availability - Timely and reliable access to data and information services for authorized users, together with the ability to use them.
    #ISC2

  • DAD Triad

    The three key objectives of cyber threats are Disclosure, Alteration and Denial; each is the negation of one CIA objective.
    Disclosure - Exposure of sensitive information to unauthorized persons.

    Alteration - Unauthorized modification of information.

    Denial - Disruption of a legitimate user's access to data or a service.

What types of Data need protecting?

Personally Identifiable Information (PII) is any data about an individual that could be used to identify them.

Protected Health Information (PHI), which is information regarding a person's health status, and classified or sensitive information, which includes trade secrets, research, business plans and intellectual property.
#ISC2

Data "sensitivity" is a measure of the importance assigned to information by its owner, or a label denoting its need for protection.
#NIST800-60

Integrity measures the degree to which something is whole and complete, internally consistent and correct. 
#ISC2

Data integrity is the assurance that data has not been altered in an unauthorized manner. This requires protecting data in systems and throughout processing, so that it is captured, used and preserved in a way that maintains its completeness and prevents improper alteration, errors and information loss.
#NIST800-27

System Integrity refers to the preservation of an intended operational function and known good configuration as the information processing system operates. Understanding state, or the system's current condition, is the first step in ensuring integrity. This awareness relates to the capacity to record and comprehend the condition of data or a system at a specific time, setting a baseline.
#NIST800-27
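The integrity definitions above all come down to recording a known-good baseline and detecting departures from it. The following is an added example, not part of the original notes or of any NIST or ISC2 publication, showing one way to do that for a directory of files. It uses an HMAC rather than a plain hash: an attacker who can alter a file can just as easily recompute a plain SHA-256 of it, but cannot recompute the tag without the key. The key value and file names are made up for the demonstration; in practice the key would live in a secrets manager or HSM, not next to the data it protects.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical key for the demo only. Keep the real one away from the data it protects.
BASELINE_KEY = b"example-baseline-key-do-not-reuse"


def file_tag(path: str, key: bytes = BASELINE_KEY) -> str:
    """HMAC-SHA256 over the file contents, read in chunks so large files are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: str, key: bytes = BASELINE_KEY) -> dict:
    """Record the known-good state: one tag per file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_tag(full, key)
    return baseline


def check_integrity(root: str, baseline: dict, key: bytes = BASELINE_KEY) -> dict:
    """Compare the current state with the baseline.

    'altered' is the DAD triad's Alteration, 'missing' is a form of Denial,
    and 'added' catches files dropped in after the baseline was taken.
    """
    current = build_baseline(root, key)
    altered = sorted(
        p for p in baseline
        if p in current and not hmac.compare_digest(current[p], baseline[p])
    )
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"altered": altered, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario: baseline three files, then tamper with one,
    delete one and drop a new one in."""
    root = tempfile.mkdtemp()
    files = {
        "config.ini": b"debug=false\n",
        "app.bin": b"\x7fELF...",
        "notes.txt": b"hello\n",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    baseline = build_baseline(root)

    # Simulated attacker activity after the baseline was recorded.
    with open(os.path.join(root, "config.ini"), "wb") as fh:
        fh.write(b"debug=true\n")
    os.remove(os.path.join(root, "notes.txt"))
    with open(os.path.join(root, "backdoor.sh"), "wb") as fh:
        fh.write(b"#!/bin/sh\n")

    return check_integrity(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it reports config.ini as altered, notes.txt as missing and backdoor.sh as added. The comparison uses hmac.compare_digest so that the check itself does not leak timing information about how many leading characters of the tag matched.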

Classifying Threats

In order to protect an organization's information and systems, we need a solid understanding of the nature of the different threats it faces. We need to look at the skills, capabilities, resources and motivation of each potential threat.

Internal vs External Threats

We often think of cybersecurity in terms of external threats trying to maliciously attack the network from the outside. However, internal threats, whether intentional or unintentional, can cause.

Level of Sophistication

The sophistication of threats varies greatly, from script kiddies running known exploits against systems that have simply not been patched, to advanced persistent threats using zero-day exploits that are not yet publicly known.

Resources

The level of threat is influenced by how many resources the threat actor has available. An organization can pool resources, whereas an individual is often limited unless they have access to a botnet, and it matters whether someone is sponsoring them to carry out the attack.

Motivation

Closely linked to resources is the question of motivation: why is the threat actor carrying out the attack? This ranges from automated deployment of ransomware for simple monetary gain, through to government-sponsored attackers and hacktivists.

Threat Actors

Script Kiddies

"Script kiddies" is a derogatory term for people who generally have limited skills and use other people's code and tools, relying primarily on automated tools they have downloaded from elsewhere. They are nevertheless a significant threat because attacking this way is so easy and there are so many of them. A script kiddie running a simple 'syskey' ransomware sent automatically through spam emails can still cause havoc in an organisation if defensive steps aren't taken. Their threats are generally not persistent, and their automated nature means the risk can be reduced by adequate spam filtering and port blocking. They generally have little motivation and would not usually conduct reconnaissance or target a specific victim.

Hacktivists

Activists who can hack. Their aim is to push their agenda or to damage whatever runs counter to their goals. This can range from taking over a website to broadcast their message, to halting the operation of a meat packing plant, or even trying to bring down governments.

Criminal Syndicates

Criminal organisations, gangs and mafias out for financial gain, or sometimes to get rid of evidence. EUROPOL (2019) categorised organised cybercrime into a number of categories, primarily:

  • Cyber-dependent crime; ransomware, DDoS and attacks against critical infrastructure.

  • Child Exploitation; abuse & solicitation.

  • Payment Fraud; credit card fraud and business email compromise.

  • Dark Web; activity, selling and distribution.

  • Terrorism; support and communication.

  • Cross-cutting crime factors; social engineering, money mules and Cryptocurrency abuse.

Advanced Persistent Threats (APTs)

Also referred to as "state actors" or "nation-state attacks". The term APT was originally coined for attacks that were first traced back to the Chinese military; in the following years it was broadened to cover nations all around the world that have cyber teams working on the nation's behalf. These actors are often highly skilled and motivated, and can have significant resources.

Insiders

An insider attack is one in which an individual with authorized access to the systems uses that access to carry out an attack. Depending on their reason for wanting to cause damage, the aim is often to release confidential information, alter information or disrupt business operations.

Competitors

Competitors to your organisation can engage in corporate espionage to destabilize your organisation, gain market share, defame your corporate image or steal valuable data. The resources and capabilities behind this type of threat are difficult to assess: because the practice is unethical it is often done off the books and outsourced to individuals who carry out the attacks on the competitor's behalf.

Threat Vectors

Threat vectors are the routes threat actors use to reach the data they are after.

Email and Social media

Email is among the most commonly exploited threat vectors, both because of the amount of publicity it receives and because it is so easy to automate. Phishing, spam and other email-oriented attacks are a simple means of gaining access to a network and require only one person to take the bait to start the ball rolling. Social media is on the rise as a means of harvesting data on a target, with social engineering techniques then built on the information gathered.
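A practitioner looking at phishing as a vector would want to see what a first-line check on an inbound message actually inspects. The following is an added example, not from the original notes, that pulls a few classic indicators out of raw message headers and body: a display name that pretends to be an address on another domain, Reply-To or Return-Path pointing somewhere other than the From domain, a look-alike sender domain, and links whose host merely starts with the trusted domain. The two messages, the trusted domain example.com and the look-alike examp1e.com are all constructed for the demo.

```python
import email
import re
from email.utils import parseaddr

# Assumption for the demo: the organisation's own mail domain.
TRUSTED_DOMAINS = ("example.com",)

# Constructed sample messages; they are not real mail.
LEGIT = (
    'From: "Alice Finance" <alice@example.com>\n'
    "Reply-To: alice@example.com\n"
    "Return-Path: <alice@example.com>\n"
    "Subject: Q3 invoices\n"
    "\n"
    "Attached are the invoices, see https://portal.example.com/invoices\n"
)

SUSPECT = (
    'From: "alice@example.com" <alice.finance@examp1e.com>\n'
    "Reply-To: payments@freemail.example.net\n"
    "Return-Path: <bounce@bulk-sender.example.org>\n"
    "Subject: URGENT: update bank details\n"
    "\n"
    "Please pay to the new account today: http://example.com.login-verify.example.net/\n"
)


def domain_of(addr: str) -> str:
    """Lower-cased part after the last '@', or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def normalise(domain: str) -> str:
    """Collapse common digit-for-letter substitutions so look-alikes compare equal."""
    return domain.lower().translate(str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"}))


def plain_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    text = ""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return text


def phishing_indicators(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Display name that is itself an address on a different domain than the real sender.
    if "@" in display and domain_of(display) != from_dom:
        findings.append(f"display name claims {domain_of(display)} but sender is {from_dom}")

    # 2. Reply-To or envelope sender (Return-Path) on a domain other than the From domain.
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and domain_of(addr) != from_dom:
            findings.append(f"{header} domain {domain_of(addr)} differs from From domain {from_dom}")

    # 3. Sender domain that is a look-alike of a trusted domain (equal after normalisation).
    for t in trusted:
        if from_dom != t and normalise(from_dom) == normalise(t):
            findings.append(f"sender domain {from_dom} is a look-alike of {t}")

    # 4. Link hosts that contain a trusted domain but are not it or a subdomain of it.
    for host in re.findall(r"https?://([^/\s]+)", plain_text(msg)):
        host = host.lower()
        for t in trusted:
            if t in host and not (host == t or host.endswith("." + t)):
                findings.append(f"link host {host} impersonates {t}")
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, phishing_indicators(raw) or "no indicators")
```

The legitimate message produces no findings; the suspect one trips all four checks (five findings, since Reply-To and Return-Path are reported separately). None of these is proof of phishing on its own, and a mail gateway would combine them with SPF, DKIM and DMARC results, but they are the kind of header inconsistencies an analyst looks for first.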

Direct Access

Using social engineering techniques to physically enter an organisation and connect directly, bypassing firewalls and external defences. Given sufficient time sitting in a public area such as a café or lobby, an attacker can connect to business networks through an unguarded LAN port or a Wi-Fi vulnerability, or even launch a man-in-the-middle attack with a rogue access point.

Wireless Networks

Wireless networks alone can be an easy target if not correctly secured. Some budget/basic access points don't actually isolate the guest network from the main network. Are the devices using up-to-date security methods? In early 2023 a flaw in the 802.11 Wi-Fi standard's power-save handling was disclosed: by spoofing a client's power-save frames an attacker can get the access point to queue that client's traffic and then release it unencrypted or under the attacker's own key, hijacking the traffic (see more: https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-attackers-to-hijack-network-traffic/)

Removable Media

Since USB sticks became very cheap, an attacker can scatter them around an organisation, or even its car park, in the hope that just one person picks one up and plugs it into their computer. Another example is business expositions, where free branded sticks are given away; these can be pre-loaded with a malicious payload before they are handed out.

Cloud

The growing dependence on cloud services has increased the range of cloud threat vectors. Attackers gain access to a service through improper configuration, such as default or overly simple settings, through security flaws in newly launched services, or through accidentally revealed API keys and weak passwords.

Third-Party

Any threat that enters through an organisation's supply chain, whether digital or physical. Physically, a threat actor could pose as a delivery driver: when computers are delivered, their configuration could be edited to provide access, then repackaged and sent on to the target destination. Digitally, they might gain access through third-party software they know the target uses, for example an accounting package or an open port exposed for that software.