Intro to the Cybersecurity Fan Diagram
Lauren Bjortomt
Created on May 8, 2024
Identity, Credential, & Access Management
Ensuring the right people are getting access to the right resources, at the right time. Encompasses policies, processes, technologies, and standards for authenticating users and controlling their access to resources and data. IAM is just a part of ICAM. At the perimeter level, ZTNA has taken the place of traditional hardware-based approaches since so many users/resources sit outside the perimeter, so today, solutions like SSO, MFA, etc. are in place. Back in the day, most used a mix of firewalls, VPNs, AD, and other asset discovery tooling to ensure the right identities were granted access to the perimeter.
Advanced Sensors
Meant for on-site deployments, advanced sensors are actual physical sensors -- think James Bond movies: infrared, microwave, video motion, etc. -- for preventing access to critical assets.
Identity, Credential, & Access Management
Ensuring the right people are getting access to the right resources, at the right time. Encompasses policies, processes, technologies, and standards for authenticating users and controlling their access to resources and data. IAM is just a part of ICAM. At the network level, ICAM encompasses 802.1X, NAC solutions & other segmentation approaches, VPN management, and RBAC (role-based access control).
Prominent Vendors to Know: networking vendors are the leaders in this space -- Cisco, Extreme, Fortinet, Arista, PAN, Juniper, etc.
Identity, Credential, & Access Management
Ensuring the right people are getting access to the right resources, at the right time. Encompasses policies, processes, technologies, and standards for authenticating users and controlling their access to resources and data. IAM is just a part of ICAM. At the application level, this is where you'll see traditional IAM types of solutions, such as IAM, SSO, PAM, etc.
Prominent Vendors to Know:
SSO/MFA/IAM -- Okta, AzureAD, PingIdentity
PAM -- CyberArk, BeyondTrust, & Delinea
Identity, Credential, & Access Management
Ensuring the right people are getting access to the right resources, at the right time. Encompasses policies, processes, technologies, and standards for authenticating users and controlling their access to resources and data. IAM is just a part of ICAM. At the endpoint level, most typical ICAM types of solutions are covered, such as IAM, SSO, PAM, etc.
Prominent Vendors to Know:
SSO/MFA/IAM -- Okta, AzureAD, PingIdentity
PAM -- CyberArk, BeyondTrust, & Delinea
Identity, Credential, & Access Management
Ensuring the right people are getting access to the right resources, at the right time. Encompasses policies, processes, technologies, and standards for authenticating users and controlling their access to resources and data. IAM is just a part of ICAM. At the data level, ICAM consists of data access governance, encryption, active monitoring, and PAM.
Prominent Vendors: Varonis, Cyera, etc.
Data Loss Prevention
Involves ensuring sensitive data isn’t lost, leaked, misused, or accessed by unauthorized individuals. At the network level, people used to install DLP appliances (physical hardware) intended for DLP. Today, however, software-based approaches have become more popular, including vendors such as Proofpoint, Checkpoint, Symantec, Trellix, etc.
Data Loss Prevention
Involves ensuring sensitive data isn’t lost, leaked, misused, or accessed by unauthorized individuals. At the endpoint level, DLP agents are installed on endpoints, or most EDRs include DLP-like outcomes (monitoring, analyzing, and responding to threats to prevent data breaches). Examples include Broadcom/Symantec, Cyberhaven, Forcepoint, etc.
Data Loss Prevention
Involves ensuring sensitive data isn’t lost, leaked, misused, or accessed by unauthorized individuals. At the application level, 2 big focuses are:
- Database DLP
- Cloud DLP
DSPM (Data Security Posture Management) is a new area that's come out that encompasses app/cloud DLP as one of its main components.
Vendors include: Orca, Cyera, and Varonis
Sanitization
Destroying data and the media holding it (i.e., exposing a disk drive to a magnetic field to physically destroy it).
CM
Configuration Management (SCM or CMDB)
• 4 parts: asset discovery, baseline establishment, monitoring/change detection, & remediation
• Includes CMDBs like ServiceNow and configuration automation tools
Honeypot
A server or group of servers in the DMZ that imitate real servers to trick intruders; used to observe them and learn their tactics.
ICAM Terms
Terms to Know:
- IGA (identity governance and administration) falls under ICAM, but focuses more specifically on the policies, processes, and technologies used to manage, monitor, and secure digital identities within an org. It often includes: identity lifecycle management, access management, compliance & auditing, role management, and policy enforcement.
Application Firewall
Apps inside the DMZ are scanned for vulnerabilities, and the findings are mitigated.
Malware Analysis
Servers in the DMZ that analyze malware and provide zero-day malware detection capability.
Message Security
Server that sits in the DMZ to identify messages with potentially malicious content. You might hear “Advanced Threat Detection” which encompasses cloud security, email security, endpoint, and more.
Intrusion Detection/Prevention System
IDS (Intrusion Detection System) is a passive (out-of-band) system that monitors the perimeter for malicious traffic. IPS (Intrusion Prevention System) is active, sitting in-line with the traffic, and stops malicious traffic from entering.
Data Loss Prevention
Involves ensuring sensitive data isn’t lost, leaked, misused, or accessed by unauthorized individuals. At the perimeter level, this means SEGs (email security), web proxies (web gateways), etc. In the traditional castle & moat method, legacy tech was used, but today, companies leverage a software-defined perimeter, which can include the following vendors: Mimecast, Proofpoint, Barracuda, & Abnormal
Perimeter Firewall
Deployed at the network’s edge, denies/allows traffic based on FW rules. This is the first device when entering an enterprise from the internet.
Physical Security
Actual physical security measures to prevent entrance to assets or the enterprise (security guards, cameras, scanners, etc.).
Secure Demilitarized Zone
A type of architecture where essential internet-facing services (email, web servers, honeypots, etc.) are segmented outside of the enterprise and placed in the DMZ -- the “network enclave” or buffer zone in between the internet and the internal enterprise network.
• “Secure Web Gateway” (SWG) usually encompasses antivirus/anti-malware, email security, DLP, URL filtering, and VPN access at the network perimeter. Its whole purpose is to block malicious internet traffic and prevent phishing, malware, etc.
  o RBI, or Remote Browser Isolation, is often a part of SWG. It intends to prevent direct contact between the internet and a user's local environment by taking the user to an isolated browsing environment (either cloud or on-prem) when they navigate to a website.
• Zero trust has replaced the traditional perimeter security methodology.
Enclave Firewall
A firewall that permits/denies access to the enclave (a segmented part of the network).
Remote Access
Just means making sure that remote users/devices can access enterprise resources SECURELY. How you do it isn’t necessarily specified – could be a combo of antivirus, FWs, NAC, etc.
Message Security
Same as perimeter except these sit INSIDE the enterprise.
Mobile Security
Just making sure that traffic into the enterprise is going through a VPN.
Network Access Control
Discovers all endpoints, authenticates users, assesses posture, and makes decisions based on the findings.
Network IDP/IDS
Same as perimeter solutions but sit inside enterprise.
Virtual Firewall
Security solutions that protect a virtual network (VLANs, VPNs, etc.).
VoIP protection
Embedded security software in VoIP telephone systems. Sold by most prominent network vendors.
Web Proxy Content Filtering
Sits between a user and the server/internet, which restricts access to specific sites.
Network Sec Terms to Know
• “packet” = Basically, data being sent over the network (such as files/messages) is broken up into smaller segments, packets, which can then be sent on different routes based on network conditions, which makes it more efficient. Used in IP.
• VPN vs dVPN: VPN – Virtual Private Network, more traditional, where you have to go through a private tunnel to get access to a network, your data is encrypted, etc. dVPN: Decentralized, basically means that instead of relying on one company, it is broken up where you use people’s unused bandwidth. Makes it harder to track you (big with the crypto industry, not really popular overall yet as it’s super new).
• Taps (Test Access Point) – creates a copy of the traffic between two ports for network monitoring purposes (passive). Can feed an IDS/network monitoring tools.
• SPAN port (Switched Port Analyzer) – replicates traffic from 1+ ports/entire VLANs to another port on the switch that’s been connected. Can be configured as a setting in the switch pretty easily, but might cause dropped packets, which impacts visibility of all traffic. The use case is to send traffic to a separate port so it can be analyzed in real time without impacting network operations.
• L3/L4 DDoS – Attacking the network or transport layers with packet requests, overwhelming the network, which ultimately can lead to service disruption. A WAF can help (the in-line option is a “reverse proxy”; out-of-band is a tap/SPAN port).
• SDN vs Traditional Network Architecture? SD = software-defined, and it’s the movement from hardware to software-based networking, where the control plane is separated from the data plane (where the switches/routers sit), allowing for management via software applications. (Move to cloud, more flexible and agile.) Traditional or legacy relies on switches/routers and physical hardware to direct, manage, route, and secure traffic in the network.
• DNS = Domain Name Spoofing, where malicious domain names are used (looking similar to a known domain, etc.). Relevant in email security.
Content Security
Putting antivirus/anti-malware on endpoints where you can.
Endpoint Security Enforcement
Doesn’t allow a user to enter the network if security policies are not met (e.g., patching). Policy enforcement can be done with a NAC.
Host IDP/IDS
Stops abnormal behavior on the endpoint (host).
Patch Mgmt
A part of configuration management that ensures all endpoints are patched and that information is visible.
Personal Firewall
Provides FW functions at the individual device level.
USGCB Compliance
If the policy mandates that the system must comply with USGCB, then the system won’t be allowed to connect to the enterprise until compliance.
Endpoint Sec Terms
• EPP = endpoint protection platform
  o EDR is just one aspect of it
  o EPP includes: next-gen antivirus, threat hunting & intel, and vulnerability management.
  o EPP collectively focuses on prevention; EDR focuses on detection.
Database Monitoring/Scanning
DB Monitoring is for detection of database vulnerability, incorrect or non-compliant settings, and monitoring data integrity.
Database Secure Gateway
Secures database resources by being a middle-man between users or apps and the databases they access.
Dynamic App Testing vs SAST or DAST
• SAS (Static App Security) – Also known as “white box,” looks at developer code for security vulnerabilities before the code is put into production.
  o Wiz, Veracode, Checkmarx
• DAS (Dynamic App Security) – Also known as “black box,” tests the app from the outside-in by simulating attacks and analyzing the app’s behavior in a runtime environment.
  o Wiz, Qualys, Rapid7, Snyk
• IAST (Integrated Application Security Testing) – SAST & DAST in a single platform, i.e., “Shift left” = integrating security earlier in the SDLC pipeline.
  o Wiz, Veracode, Checkmarx
Runtime Application Self Protection
• runtime = the phase in the SDLC (software development lifecycle) when code is executed
  o Stages of SDLC: 1 = planning, 2 = gathering requirements, 3 = design, 4 = coding/implementation, 5 = testing, 6 = deployment, 7 = maintenance.
  o CI/CD (continuous integration and delivery/deployment) is a set of principles that focus on automating and optimizing the processes involved in building, testing, and deploying software changes.
    Step 0 – Plan: Jira
    Step 1 – Code (Management): GitHub or GitLab
    Step 2 – Build: Bazel, Webpack, Gradle
    Step 3 – Test: Jest, Playwright, JUnit
    Step 4 – Release: Jenkins
    Step 5 – Deploy: Docker, Argo, AWS Lambda
    Step 6 – Operate: Kubernetes, Terraform
    Step 7 – Monitor: Datadog
• Instead of SAS or DAS, RASP is built into the app and uses the app’s data and logic so it can detect, block, and report attacks. When abnormal behavior is detected, it tells you exactly who is attacking, where the vulnerability lies, and which app has been targeted.
Software Assurance
Assuring that code is secure (encompasses DAST, SAST, etc.).
Web Application Firewall
Filters and monitors HTTP traffic between a web app and the internet. Protects against XSS, SQLi, DDoS, etc.
AppSec Notes
Types of Attacks:
• SQL Injection (SQLi) – Injecting malicious statements into an input field to steal important data from a database. SQL is just a query language for managing databases.
• Cross-Site Scripting (XSS) – “script” = malicious JavaScript code that an attacker injects into a webpage viewed by other users.
• Distributed Denial of Service (DDoS) – Overwhelming a website/service with traffic, making it inoperable.
A few notes:
• CASB, which sits between cloud services and the user, has morphed into a single feature of SASE.
• SASE is cloud-native and includes: SWGs, CASBs, FWaaS, WANaaS, and ZTNA capabilities.
Data At Rest/In Motion/In Use
Data at rest, data in motion, data in use – In order to protect data’s confidentiality, integrity, and availability, the location of the data must be known at all times and preferably, encrypted.
Data/Drive Encryption
Encrypting plaintext data to make it unreadable to anyone without the key.
Data Classification
Having a good grasp on different classifications of data so you can be compliant.
Data Integrity Monitoring
Software that alerts if data has experienced an unauthorized change.
Enterprise Rights Management (eDRM)
eDRM is technology that protects sensitive info from unauthorized access, alteration, or copying. Used mainly for IP in music/movies.
PKI
Leverages all 3 types of encryption (symmetric, asymmetric, and hashing) to provide/manage digital certificates. If both types of digital certificates are used, server-based (websites) and client-based (bound to a person), it provides mutual authentication/encryption.
Vulnerability vs Risk vs Threat?
• Vulnerability vs Risk vs Threat:
  o Threat: an event that can exploit a vulnerability (cyberattacks, SQL injection, ransomware, phishing attempts, DDoS, etc.).
  o Vulnerability: Weakness in an OS, network, or app.
  o Risk: The likelihood of a threat exploiting a vulnerability, and how likely it is to be damaging.
Compliance Frameworks to know
• Compliance Frameworks:
  o ISO/IEC 27001: Various industries -- finance, healthcare, tech, and gov
  o NIST: All sectors
  o PCI DSS: orgs that process, store, or transmit credit card data (FINS, retail, hospitality, e-commerce, airlines, etc.).
  o HIPAA – healthcare
  o GDPR – orgs that handle EU resident data.
  o FERPA – education (higher ed included)
  o NERC CIP – Electric utilities with critical infrastructure
  o IEC 62443 – manufacturers
A Note on Threat Detection
• The term “threat detection” encompasses IDR, EDR, IDS, SIEM, and others. It ultimately becomes a single pane of glass that houses each of these solutions.