What is a control? Controls can be implemented and enforced through hardware or software. It is a solution we put in place to implement and enforce the policy. Using control best practices, the organization wants to implement and enforce the control. Some organizations can implement policies but not enforce them.

7.1. Control Types

What kind of control lists does the organization have?

• Technical (passwords/encryption)
• Management (policies)
• Operational (procedures/standards)

These could also be regarded as logical controls, passwords, and encryptions; these are technical controls.

False positives or negatives

The security controls say there is a problem, but there is no real problem. Say we have, for example, a user that has access to a facility. The user then decides to access the facility. The user got authorized to access the facility, but the alarms go off when the user decides to access the facility. This person is authorized to access it, but the system says there is an intruder, which is a false positive. Yes, it is a positive, but it is false. There is no intruder. The person that the alarm is going off is authorized to access the system. 

False negatives, What do they mean?

The system says there is no problem, but there is a real problem. Say they visit a store. They have to pay for every item picked. However, visit the store, pick up the items, and do not pay. Furthermore, when someone walks to the door, the alarms do not go off, so the system says, Oh, there is no problem, but there is a problem because the person has not paid for these items in the bag. So that is a false negative, it is seeing it as if nothing is happening, but in reality, something is happening. 

It is a false positive.

When the system alerts you when there is no problem, it is falsely flagging the malicious file. This is what we call false positives and is important to remember.

Risk Reduction

Identifying, assessing, and mitigating potential threats and vulnerabilities that could hurt an organization or individual. Risk reduction aims to minimize the likelihood and impact of negative events and maximize the potential for positive outcomes.

There are various strategies that organizations can adopt to reduce risk, including implementing controls, establishing policies and procedures, and developing contingency plans. Some common examples of risk reduction measures include

1. Implementing security controls

Implement various technical, physical, and administrative controls to reduce the risk of threats and vulnerabilities. These controls can include firewalls, antivirus software, access controls, and incident response plans.

2. Establishing policies and procedures
   1. Organizations can establish clear policies and procedures to guide employees’ day-to-day activities. We could include guidelines for handling sensitive information, password management, and responding to potential security breaches.
3. Developing contingency plans
   1. Contingency plans help organizations respond effectively to unexpected events, such as natural disasters or data breaches. These plans can include procedures for backing up data

Threat Management

Refers to identifying, evaluating, and prioritizing potential organizational or individual threats and implementing measures to mitigate or eliminate those threats. Threats can come from various sources, including cyber-attacks, natural disasters, and human error.

Effective threat management involves continuous monitoring of the organization’s environment to identify potential threats and develop and implement strategies to address those threats. This may involve implementing controls, establishing policies and procedures, and developing contingency plans.

Some critical components of an effective threat management program include

1. Threat intelligence
   1. Organizations need to have a good understanding of the threats they are facing, including the nature of the threat, its potential impact, and the likelihood of occurrence. This requires collecting and analyzing threat intelligence from various sources, such as industry reports, media articles, and government agencies.
2. Risk assessment
   1. Organizations need to assess the potential impact of threats on their operations, assets, and people and prioritize the risks based on their likelihood and potential impact. This will help the organization determine which risks we address first and how to allocate our organizational resources.
3. Mitigation strategies
   1. Once the organization has identified and prioritized the risks, it can develop and implement strategies to mitigate or eliminate them. This may involve implementing controls, establishing policies and procedures, and developing contingency plans.

Threat Surface management

identifies, evaluates, and reduces an organization’s or individual’s attack surface. The attack surface refers to the total number of vulnerabilities an organization or individual has which can be exploited by an attacker.

Effective threat surface management involves continuously monitoring the organization’s environment to identify potential vulnerabilities and implementing measures to reduce the attack surface. This may involve implementing controls, establishing policies and procedures, and developing contingency plans.

Some key components of an effective threat surface management program include

1. Asset inventory
   1. Organizations must clearly understand their assets, including hardware, software, and data, and how they are connected and protected. This will help the organization identify potential vulnerabilities and prioritize which ones to address first.
2. Vulnerability assessments
   1. Organizations must regularly assess their assets for vulnerabilities and prioritize them based on their potential impact and the likelihood of exploitation. This may involve penetration testing, security audits, and other types of assessments.
3. Remediation
   1. Once the organization has identified and prioritized the vulnerabilities, it can implement measures to remediate them. This may involve patching

The Principle Of Least Privilege (POLP)

A security concept requiring users and processes to have only the minimum access rights and privileges necessary to perform their assigned tasks. This principle is designed to reduce the risk of unauthorized access, misuse, and damage to an organization’s resources and protect against external cyber-attacks.

One of the main benefits of the POLP is that it limits the potential impact of a security breach or malicious activity. For example, if an employee has access to only the resources they need to do their job, they will not be able to cause harm to other areas of the organization if their account is compromised. This is especially important for employees with administrative or privileged access, as they can change the system, which could have significant consequences.

Attack Surface Reduction (ASR)

Is a cybersecurity strategy that aims to reduce the number of vulnerabilities and entry points that attackers can exploit. It involves identifying and eliminating

• Unnecessary features
• Protocols
• Services

that may be exploited by attackers and reducing the overall attack surface of a system or network. ASR can be implemented through various methods, such as

• Disabling unnecessary services
• Limiting access to certain resources
• Implementing secure configuration

ASR is an important aspect of cybersecurity as it helps organizations prevent potential attacks and reduce the risk of data breaches. By reducing the attack surface, organizations can make it more difficult for attackers to access their systems and data. In addition, implementing ASR can also help organizations streamline their security posture and reduce the burden on their security teams. By reducing the attack surface, organizations can prioritize their efforts and resources more effectively and respond quickly to potential threats.

Vulnerability Management

Identifies, assesses, and prioritizes vulnerabilities in an organization’s systems and networks. It involves regularly scanning for vulnerabilities, patching or mitigating them, and monitoring for new vulnerabilities. Vulnerability management is essential to cybersecurity as it helps organizations protect their systems and data from cyber-attacks and reduce the risk of data breaches.

Vulnerability Disclosure

is a complex and often controversial issue. On the one hand, disclosing vulnerabilities can help organizations and individuals protect themselves from attacks. On the other hand, disclosing vulnerabilities before they have been properly addressed can also increase the risk of attacks, as hackers may exploit the vulnerability before it is patched. As such, it is important for organizations to carefully consider the potential risks and benefits of disclosing vulnerabilities. To follow established guidelines and best practices for responsible disclosure.

Threat hunting

Threat hunting process is looking for suspicious behavior on networks and systems. Threat hunting uses manual and software-assisted techniques to find possible threats in security systems. Threat-hunting tasks include

1. Hunting for threats possibly existing within the organization, anything an attacker could implant to exfiltrate info and cause damage
2. Hunting for threats proactively that are active anywhere worldwide
3. Setting a honey trap and essentially waiting for threats to attack

Source:

Cyber threat hunting – Wikipedia

Video

Black Hat Webcast Series | Practical Threat Hunting: Straight Facts and Substantial Impacts