• Resources
  • Threat Intelligence
  • Risk Management Framework
  • Common Language
  • Forensics
  • Cryptography
  • DoD 8570
  • Recommended Reading
  • Training & Kali Tools
  • Cyber Kill Chain
  • Security & Privacy
  • Research

Cyber Security Resources

What is Cyber Security?CS

“Cybersecurity” or “Cyberspace security” [is] defined as the “preservation of confidentiality, integrity and availability of information in the Cyberspace”. Source: ISO/IEC 27032:2012  Information technology — Security techniques — Guidelines for cybersecurity

I define cyber security as the protection (preservation of confidentiality, integrity and availability) of information and defense (prevention, detection and response to attacks) of networks and networked systems and software applications.
This is achieved through proper execution of a comprehensive strategy outlined by policies and standards that define authorized and prohibited activities.

According to the U.S. definition:

The process of protecting information by preventing, detecting, and responding to attacks. Source: Draft Strategy for Improving Critical Infrastructure Cybersecurity (2014)

The ability to protect or defend the use of cyberspace from cyber attacks. Source: CNSS Instruction No. 4009 (26 Apr 2010)

1.The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.

2. Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.

Source: National Initiative for Cybersecurity Careers and Studies - A Glossary of Common Cybersecurity Terminology

The process of protecting information by preventing, detecting, and responding to attacks. Source: National Institute of Standards and Technology. US Department of Homeland Security - Draft Framework for Improving Critical Infrastructure Cybersecurity (2014)

The vulnerability of any computing system, software program, or critical infrastructure, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems.

Source: Compilation of Existing Cybersecurity and Information Security Related Defintions, Open Technology Institute New America -

Risk Management Framework

Resources

  • NIST SP 800-30 Rev 1 Guide for Conducting Risk Assessments
  • NIST SP 800-37 Rev 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
  • NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
  • NIST SP 800-53 Rev 5 Security and Privacy Controls for Information Systems and Organizations (DRAFT)
  • NIST SP 800-53A Rev 4 Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
  • NIST SP 800-57 Part 1 Rev 4 Recommendation for Key Management, Part 1: General
  • NIST SP 800-60 Vol I Rev 1 Guide for Mapping Types of Information and Information Systems to Security Categories
  • NIST SP 800-60 Vol II Rev 1 Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices
  • NIST SP 800-60 Vol II Rev 1 Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories
  • NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
  • NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems
  • NIST SP 800-160 Vol 1 Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

The RMF Process:

  1. Prepare
    • Organizational Level
      • Task P-1 - Risk Management Roles
      • Task P-2 - Risk Management Strategy
      • Task P-3 - Risk Assessment - Organization
      • Task P-4 - Organizationally-Tailored Conrol Baselines
      • Task P-5 - Common Control Identification
      • Task P-6 - Impact-Level Prioritization
      • Task P-7 - Continuous Monitoring Strategy
    • System Level
      • Task P-8 - Mission or Business Focus
      • Task P-9 - System Stakeholdersy
      • Task P-10 - Asset Identification
      • Task P-11 - Authorization Boundary
      • Task P-12 - Information Types
      • Task P-13 - Information Life Cycle
      • Task P-14 - Risk Assessment - System
      • Task P-15 - Requirements Definition
      • Task P-16 - Enterprise Architecture
      • Task P-17 - Requirements Allocation
      • Task P-18 - System Registration
  2. Categorize
    • Task C-1 - System Description
    • Task C-2 - Security Categorization
    • Task C-3 - Security Categorization Review & Approval
  3. Select
    • Task S-1 - Control Selection
    • Task S-2 - Control Tailoring
    • Task S-3 - Control Allocation
    • Task S-4 - Documentation of Planned Control Implementations
    • Task S-5 - Continuous monitoring Strategy-System
    • Task S-6 - Plan Review and Approval
  4. Implement
    • Task I-1 - Control Implementation
    • Task I-2 - Update Control Implementation Information
  5. Assess
    • Task A-1 - Assessor Selection
    • Task A-2 - Assessment Plan
    • Task A-3 - Control Assessments
    • Task A-4 - Assessment Reports
    • Task A-5 - Remediation Actions
    • Task A-6 - Plan of Action and Milestones
  6. Authorize
    • Task R-1 - Authorization Package
    • Task R-2 - Risk Analysis and Determination
    • Task R-3 - Risk Response
    • Task R-4 - Authorization Decision
    • Task R-5 - Authorization Reporting
  7. Monitor
    • Task M-1 - System and Environment Changes
    • Task M-2 - Ongoing Assessments
    • Task M-3 - Ongoing Risk Response
    • Task M-4 - Authorization Package Updates
    • Task M-5 - Security and Privacy Reporting
    • Task M-6 - Ongoing Authorization
    • Task M-7 - System Disposal

Framework Core

The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk. The Core comprises four elements: Functions, Categories, Subcategories, and Informative References.
The Functions, Categories [Activities] and Subcategories [Outcomes] are listed below:

Function Category [Activities] Sub-Category [Outcomes]
IDENTIFY (ID) Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy. ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. ID.BE-1: The organization’s role in the supply chain is identified and communicated
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. ID.GV-1: Organizational information security policy is established
ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
PROTECT (PR) Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. PR.AC-1: Identities and credentials are managed for authorized devices and users
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand roles & responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
PR.AT-4: Senior executives understand roles & responsibilities
PR.AT-5: Physical and information security personnel understand roles & responsibilities
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures. PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
PR.PT-4: Communications and control networks are protected
DETECT (DE) Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood. DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events. DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated to appropriate parties
DE.DP-5: Detection processes are continuously improved
RESPOND (RS) Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events. RS.RP-1: Response plan is executed during or after an event
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Events are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities. RS.AN-1: Notifications from detection systems are investigated 
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated
RECOVER (RC) Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events. RC.RP-1: Recovery plan is executed during or after an event
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors. RC.CO-1: Public relations are managed
RC.CO-2: Reputation after an event is repaired
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams

Security Incident Common Language

<-------------------------Incident------------------------->
  <--------------Attack-------------->  
    <--Event-->    
Attackers Tool Vulnerability Action Target Unauthorized Result Objectives
Attackers
  • Hackers - attackers who attache computer for challenge, status, or the thrill of obtaining access
  • Spies - attackers who attack computers for information to be used for political gain
  • Terrorists - attackers who attack computers to cause fear, for political gain
  • Corporate raiders - employees (attackers) who attack competitors' computers for financial gain
  • Professional criminals - attackers who attack computers for personal financial gain
  • Vandals - attackers who attack computers to cause damage
  • Voyeurs - attackers who attack computer for the thrill of obtaining sensitive information
Tool
  • Physical attack - means of physically stealing or damagin a computer, network, its components or its supporting systems
  • Information exchange - means of obtaining information either from other attackers or from the people being attacked
  • User command - means of expoiting a vulnerablitity by entering commands to a process through direct user input at the process interface
  • Script or program - means of exploiting a vulnerability by entering commands to a process thorugh the execution of a file of commands or a program at the process interface
  • Autonomous agent - means of exploiting a vulnerability by using a program or program fragment that operates independently from the user
  • Toolkit - software package that contains scripts, programs or autonomous agents that expoit vulnerabilities
  • Distributed tool - tool that can be distributed to multiple hosts, which then can be coordinated to anonymously perform an attack on the target host simultaneously after some timy delay
  • Data tap - means of monitoring the electromagnetic radiation emanating from a computer or network using an external device
Vulnerability
  • Design vulnerability - vulnerability inherent in the design or specification of hardware or software whereby even a perfect implementation will result in a vulnerability
  • Implementation vulnerability - vulnerability resulting from an error made in the software or hardware implementation of a satisfactory design
  • Configuration vulnerability - vulnerability resulting from an error in the configuration of a system
Action
  • Probe - access a target in order to determine one or more of its characteristics
  • Scan - access a set of targets systematically in order ot identify which targets have one or more specific characteristics
  • Flood - access a target repeatedly in order to overload the target's capacity
  • Authenticate - present an identity to a process and, if required, verify that identity, in order to access a target
  • Bypass - avoid a process by using an alternative method to access a target
  • Spoof - masquerade by assuming the appearance of a different entity in network communications
  • Read - obtain the content of data in a storage device or other data medium
  • Copy - reproduce a target leaving the original target unchanged
  • Steal - take possession of a target without leaving a copy in the original location
  • Modify - change the content or characteristics of a target
  • Delete - remove a target or render it irretrievable
Target
  • Account - domain of user access on a computer or network that is controlled according to a record of information which contains the user's account name, password, and use restrictions
  • Process - program in ixecution, consisting of the executable program, the program's data and stack, its program counter, stack pointer and other registers, and all other information needed to execut the program
  • Data - representations of facts, concepts, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automatic means
  • Component - one of hte parts that make up a computer or network
  • Computer - device that consists of one or more associated components, including processing units and peripheral units, that is controlled by internally stored programs and that can perform substantial computations
  • Network - interconnected or interrelated group of hosts computers, switching elements, and interconnecting branches
  • Internetwork - network of networks
Unauthorized Result
  • Increased access - unauthorized increase in the domain of access on a computer or network
  • Disclosure of information - dissemination of information to anyone who is not authorized to access that infomration
  • Corruption of information - unauthorized alteration of data on a computer or network
  • Denial of service - intentional degradation or blocking of computer or network resources
  • Theft of resources - unauthorized use of a computer or network resources
Objectives
  • Challenge, status, thrill -
  • Political gain -
  • Financial gain -
  • Damage -
Other Incident Terms
  • Site - organizational level with responsibility for security events
  • Site name - portion of the fully qualified domain name that correspons to a site
  • Reporting date - first date that the incident was reported to a response team or other agency or individuals collecting data
  • Starting date - date of the first known incident activity
  • Ending date - date of the last known incident activity
  • Number of sites - overall number of sites known to have been reported or otherwise to hve been involved in an incident
  • Reporting sites - site names of sites known to have reported an incident
  • Other sites - site names of sites known to have been involved in an incident but that did not report the incident
  • Indicent number - reference number used to track an incident or identify incident information
  • Corrective action - action taken during or after an incident to prevent further attacks, repair damage, or punish offenders

Digital Forensic Tools

Cryptography

Here is an Introduction to Public-Key Cryptography for beginners or refresher.

Open Source tools for creating RSA keys:

Open Source tools for Certificate Authorities

DoD Approved 8570 Baseline Certifications

Approved Baseline Certifications
  Level I Level II Level III
IAT  A+ CE
CCNA Security
Network+ CE
SSCP
CCNA Security
CySA+
GICSP
GSEC
Security+ CE
SSCP
CASP+ CE
CCNP Security
CISA
CISSP (or Associate)
GCED
GCIH
IAM CAP
GSLC
Security+ CE
CAP
CASP+ CE
CISM
CISSP (or Associate)
GSLC
CCISO
CISM
CISSP (or Associate)
GSLC
CCISO
IASAE CASP+ CE
CISSP (or Associate)
CSSLP
CASP+ CE
CISSP (or Associate)
CSSLP
CISSP-ISSAP
CISSP-ISSEP
     CSSP Analyst CSSP Infrastructure Support CSSP Incident Responder
CEH
CFR
CCNA Cyber Ops
CCNA Security
CySA+
GCIA
GCIH
GICSP
SCYBER
CEH
CySA+
GICSP
SSCP
CHFI
CFR
CEH
CFR
CHFI
CySA+
GCFA
GCIH
SCYBER
CSSP Auditor CSSP Manager   
CEH
CySA+
CISA
GSNA
CFR
CISM
CISSP-ISSMP
CCISO

Recommended Reading

Training and Kali Tools

Cyber Training

Cisco CCNA Cyber Operations

CCNA Cyber

Kali Linux

Kali Linux

Kali Tools

Inforamation Gathering Vulnerability Analysis Exploitation Tools Wireless Attacks Forensics Tools Web Applications

Cyber Kill Chain

Under construction

Security & Privacy

What is the difference between Security and Privacy?

First, what is the definition of Security?

  • Security is the protection of data from unauthorized access or disclosure.
  • Second, what is the definition of Privacy?

  • Privacy is the right of an individual to control who is authorized access.
  • So now, how do these support each other and interact?

  • You can have Security without Privacy, but you CANNOT have Privacy without Security.
  • In other words, Security is the mechanism that prevents certain entities from accessing information while Privacy gives control of mechanism to the information owner.
  • Privacy Policies is a for-pay site that can help you build a Privacy Policy (and other policies too).

    Research References

    Academic Research on
    Cyber Security