Skip to content

Commit db60fa2

Browse files
benhunterbenhunter
committed
Cybersecurity Primer
1 parent c883e59 commit db60fa2

1 file changed

Lines changed: 181 additions & 0 deletions

File tree

src/content/posts/cybersecurity-primer.md

Lines changed: 181 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,181 @@
1+
---
2+
title: Cybersecurity Primer
3+
pubDate: '2025-10-11'
4+
---
5+
6+
# Security Objectives
7+
8+
CIA
9+
- Confidentiality
10+
- Integrity
11+
- Availability
12+
13+
# Strategies
14+
15+
Threat Modeling
16+
- Red Teaming, what can an adversary do?
17+
- Insider Threats
18+
- Social Engineering
19+
- Attack Surface
20+
21+
Risk Management
22+
- Assessment
23+
- Authorization
24+
- Compliance
25+
26+
Systems Engineering
27+
- Data
28+
- Users
29+
- Software
30+
- Hardware
31+
- Network
32+
- Understand the system. What is in it, how they interact.
33+
34+
Systems include
35+
- Data - category, classification, types
36+
- Users - Roles, Permissions, Administrators/Privileged/Root/Super
37+
- Software - Where did it come from? Supply chain, who made it, what does it do? how is it configured?
38+
- Hardware - inventory, physical access, supply chain, cloud/IaaS
39+
- Network - Ports, Protocols, Services (PPSM)
40+
41+
# When are you secure enough?
42+
43+
Security is rarely provable in a formal, mathematical way.
44+
45+
You are convincing someone else that your system is secure enough. Or someone has to convince you that the system is secure enough.
46+
- meet a specific goal (like a STIG item)
47+
- address some known risk
48+
- overall posture is acceptable
49+
- provide evidence or artifacts
50+
- trace the control through its entire implementation and check against evidence
51+
- who has authority to accept risk
52+
53+
# Principles
54+
55+
- Least Privilege
56+
- Defense in Depth
57+
- Separation of Duties
58+
- Fail safe
59+
- Deny by default
60+
- Allow list
61+
- Redundancy, replication
62+
- Denial of Service
63+
- Secure by Design
64+
- Simple (economy of mechanism)
65+
- Usable
66+
- Resilient
67+
- Minimize Attack Surface
68+
69+
# Concepts
70+
71+
- Identity
72+
- Identity Provider
73+
- Authentication
74+
- Authorization
75+
- Security boundary, Authorization boundary
76+
- Non-repudiation - proof someone did something
77+
- Trust - Considered risky, be skeptical, always verify
78+
- Zero-Trust - verify every action
79+
- Inheritance - a stack of security objectives where one component depends on another
80+
- Encryption
81+
- Data in transit
82+
- Data at rest
83+
- Data in process
84+
- Hashing
85+
- Signatures
86+
- Read versus Write
87+
88+
# Access Control
89+
90+
Who is allowed to access what?
91+
92+
- how do we enforce it?
93+
- Identity > Authentication > Authorization
94+
- Business rules
95+
- Encryption
96+
- how do we know it's working?
97+
- Audit logs
98+
- how do we know when it's not?
99+
- Testing, Automated test (unit, integration, etc), Penetration Tests
100+
- what are they allowed to do?
101+
- Read, Write
102+
103+
Examples of who:
104+
- a person
105+
- a computer
106+
- an identity delegated to person or computer
107+
108+
Access Control patterns
109+
- Passwords
110+
- Key, token, secret. Sometimes API is put in front of it. These are all just passwords.
111+
- OAuth
112+
- SAML
113+
- Kerberos
114+
- PKI
115+
- Permissions models
116+
- Role Based (RBAC)
117+
118+
# Change Management
119+
120+
- Change Control Board
121+
- ensure all changes maintain the desired security posture of the system
122+
123+
# Incidents & Recovery
124+
125+
- Audit logs
126+
- Monitoring - people checking things
127+
- Alerting - automation checking things
128+
- Backups
129+
130+
# Risk Management Framework
131+
132+
- Every system must be Assessed
133+
- Every system must be Authorized
134+
- Authority to Operate
135+
- System is defined by a boundary and what is in it
136+
- Information types
137+
- Who can access
138+
- What components
139+
- Connections. In/out, relationships with other systems
140+
- Sound familiar? This is restatement of the Systems Engineering Strategy: Data, Users, Software, Hardware, Network
141+
- Controls - The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
142+
- 20 control families
143+
- around 1200 unique controls
144+
- Inheritance makes this manageable
145+
- Control selection prioritizes which controls to implement
146+
- Control assessment determines whether a control is implemented
147+
- Risk Assessment
148+
- Threat
149+
- Impact
150+
- Likelihood
151+
- STIG = Secure Technical Implementation Guide
152+
- Standardizes the questions to ask during Assessment
153+
- Maps directly to the controls
154+
155+
# Scenarios
156+
157+
- New data type added to an application
158+
- New user personal added to an application
159+
- New network connection from an application
160+
- New application deployed
161+
- New service in cloud account
162+
- New platform in cloud
163+
- New system on tactical hardware
164+
- New plugin to ATAK
165+
166+
Techniques
167+
- Identify risks
168+
- Build threat model
169+
- Map attack surface
170+
- Design defenses
171+
- Apply security controls
172+
173+
|Risk|Impact|Likelihood|Controls, Mitigations|
174+
|-|-|-|-|
175+
| | | | |
176+
177+
# Links
178+
179+
- https://en.wikipedia.org/wiki/Information_security
180+
- Security principles https://chatgpt.com/share/68e9617a-6f90-800a-899d-f4181e358ba9
181+
- Authentication Protocols https://chatgpt.com/share/68e95cea-0f1c-800a-b64d-50283e814922

0 commit comments

Comments
 (0)