Friday, November 8, 2024

Governance, Risk, and Compliance

Governance, Risk, and Compliance (GRC) is a strategy that helps organizations manage risk, comply with regulations, and achieve their goals:

  • Governance: Defines the principles and agreements that guide an organization
  • Risk management: Identifies threats and puts processes in place to protect against them
  • Compliance: Ensures that an organization follows regulations and accounting practices, and operates ethically

GRC can help organizations improve decision-making and performance, reduce costs and uncertainty, manage IT and security risks, strengthen cyber resilience, and build trust with the marketplace and community.

GRC can also refer to a suite of software tools for implementing and managing GRC.

In the past, organizations often treated governance, risk, and compliance as separate activities. This could lead to inefficiencies, redundancies, and inaccuracies. GRC helps organizations unify their approach to these areas.

Identity and Access Management

Identity and Access Management (IAM) is a set of policies, technologies, and processes that controls who can access a company's digital resources and information. IAM is also known as identity management (IdM).

IAM is important because it helps to:

  • Improve security: IAM helps to prevent unauthorized access to a company's data and networks.
  • Improve user experience: IAM ensures that users have the right level of access to the resources they need.
  • Enable remote work: IAM can make it easier for employees to work remotely.
  • Save money: IAM can improve operational efficiency and reduce the cost of manual identity administration.

IAM works by:

  • Verifying a user's identity using authentication factors, such as a password, fingerprint, or facial recognition
  • Granting or denying access to resources based on the user's identity

IAM can be implemented as a single product or as a combination of software, cloud services, hardware, and processes.


Vulnerability Management

Vulnerability management is a continuous process that helps protect computer systems, networks, and applications from cyberattacks and data breaches. It involves identifying, evaluating, prioritizing, and fixing security weaknesses in software and systems.

Vulnerability management is a vital part of an organization's security program. It helps to prevent attacks, minimize damage if an attack occurs, reduce the organization's overall risk exposure, prioritize possible threats, and minimize the organization's "attack surface".

Vulnerability management is a cyclical process that needs to be performed continuously to keep up with new threats and changing environments. Security teams typically use vulnerability scanner software to automate this process.

The NIST Cybersecurity Framework outlines five core functions to manage cybersecurity risks: Identify, Protect, Detect, Respond, and Recover.

Threat Intelligence

Threat intelligence is a cybersecurity practice that involves analyzing data to identify and understand threats to an organization. The goal is to help organizations make informed security decisions to reduce risk and mitigate the impact of attacks.

Threat intelligence can include:

  • Information: Details about threats, such as who is attacking, their capabilities, and their motivations
  • Observations: Specific observations of IP addresses, domains, and other artifacts associated with known threats
  • Written reports: Detailed reports that provide context about a threat actor's techniques, infrastructure, and motivations

Threat intelligence can be gathered from a variety of sources, including open-source data feeds, threat intelligence-sharing communities, commercial intelligence feeds, and local intelligence gathered during security investigations.

Organizations can use threat intelligence feeds to subscribe to a constant stream of security updates. Some feeds are free, while others are paid and provide proprietary intelligence.

Threat intelligence is a circular process that involves stages such as direction, collection, processing, analysis, dissemination, and feedback.

Secure Communications

Secure communication is a method of transmitting data between entities while ensuring that the data is confidential, authentic, and has integrity. It is designed to prevent unauthorized access, eavesdropping, or interception.

Secure communication uses various technologies and practices to keep data secure. Some key aspects of secure communication include:

  • Confidentiality: Ensures that only the intended recipient can access the data. Encryption is a common method for achieving confidentiality.
  • Integrity: Ensures that the data is not altered or tampered with during transmission. Integrity checks, like hashing, can detect changes to intercepted messages.
  • Authentication: Verifies the identity of the parties involved in the communication. Authentication can be achieved using passwords, biometric verification, or cryptographic keys.

Some examples of secure communication solutions include secure file sharing, secure email, SFTP, managed file transfer, and secure messaging.

To ensure communication security, you can also:

  • Regularly audit your communication system
  • Provide internal training
  • Use a secure messaging app with end-to-end encryption
  • Place sensitive information in an encrypted file attachment when you send emails


Endpoint Protection, Detection and Response

Endpoint detection and response (EDR) is a cybersecurity technology that monitors and responds to threats on devices, such as employee workstations, servers, and cloud workloads. EDR can help protect against cyberthreats like ransomware, fileless malware, and other emerging threats.

Here are some ways EDR can help:

  • Detect threats: EDR can detect threats in real time and analyze their nature.
  • Respond to threats: EDR can block or isolate threats, and send alerts to security teams.
  • Provide information: EDR can provide information about the threat, including how it was initiated, where it is located, and what it is doing.
  • Remediate threats: EDR can help eliminate threats before they spread, and can roll back damage caused by threats.
  • Analyze threats: EDR can provide forensic data about threats, which can help analysts identify the root cause of an event.
  • Reduce workload: EDR can respond to incidents automatically, reducing the workload of security teams.

EDR is often used as a second layer of security, after antivirus. EDR can be effective against emerging threats because it combines data and behavioral analysis to establish a baseline of regular activity.

Public Key Infrastructure

 https://en.wikipedia.org/wiki/Public_key_infrastructure

SIEM and Log Management

Security Information and Event Management (SIEM) and log management are both tools that use log files to improve security, but they have different focuses and capabilities:

SIEM

SIEM tools are designed to focus on security and provide real-time analysis of security events. SIEM tools collect log data from multiple sources, and use it to identify threats, anomalies, and patterns. SIEM tools also include threat intelligence, incident response workflows, and compliance reporting.

Log management

Log management tools focus on collecting and storing log data, and providing access to that data. Log management tools can be used for a variety of purposes, including troubleshooting network outages, managing resources, and maintaining compliance.

Here are some other ways that SIEM and log management differ:

  • Threat hunting: SIEMs may take longer to alert users to threats than log management tools.
  • Alerts and automation: Log management tools can share alerts and trigger responses faster than SIEM tools.
  • Audits and reporting: SIEM platforms are often limited to security-focused data, while log management platforms may have a larger spectrum of data.

Using both a log management system (LMS) and a SIEM together can provide increased visibility into system activity and security threats.

NGFW resources

 https://www.zscaler.com/resources/security-terms-glossary/what-is-next-generation-firewall

https://www.cloudflare.com/learning/security/what-is-next-generation-firewall-ngfw/

https://www.cisco.com/c/en_in/products/security/firewalls/what-is-a-next-generation-firewall.html#~choose-an-ngfw-firewall

https://live.paloaltonetworks.com/t5/community-blogs/defense-in-depth-strategy-with-waf-and-vm-series-ngfw/ba-p/512860

https://docs.paloaltonetworks.com/ngfw

https://www.gartner.com/en/information-technology/glossary/next-generation-firewalls-ngfws

https://www.checkpoint.com/cyber-hub/network-security/what-is-next-generation-firewall-ngfw/next-generation-firewall-ngfw-features/

https://www.fortinet.com/products/next-generation-firewall

https://support.forcepoint.com/s/article/Getting-Started-Next-Generation-Firewall-NGFW

https://levelblue.com/blogs/security-essentials/next-generation-firewalls-a-comprehensive-guide-for-network-security

https://www.cioinsight.com/security/ngfw-vs-utm/

https://www.juniper.net/us/en/solutions/next-gen-firewall.html

https://www.datamation.com/security/next-generation-firewall-case-studies/

https://aws.amazon.com/marketplace/solutions/security/next-generation-firewalls

https://www.hpe.com/in/en/what-is/next-gen-firewall.html

https://www.esecurityplanet.com/products/top-ngfw/

https://info.support.huawei.com/info-finder/encyclopedia/en/NGFW.html

https://www.f5.com/c/landing/waf-vs-ngfw-which-technology-do-you-need

https://www.thenetworkdna.com/2024/02/key-differences-firewall-vs-ngfw-vs-utm.html

https://www.softwarereviews.com/categories/next-generation-firewall

https://www.perimeter81.com/blog/network/fwaas-vs-ngfw

https://evrimagaci.org/tpg/healthcare-cybersecurity-demands-urgent-attention-51142?srsltid=AfmBOorEBh1DypX44B625W9hCD72zUqLCNU655sLrKfQkTwKiud6g8MC

Next-Generation Firewall (NGFW) strategy

A Next-Generation Firewall (NGFW) strategy can include:

  • Intrusion prevention: An IPS (intrusion prevention system) can identify and block malicious traffic.
  • Threat intelligence: NGFWs can use threat intelligence data to detect and prevent unknown cyber threats.
  • Network visibility: NGFWs can provide visibility into every application, server, file transfer, communication, and data storage in a network.
  • Stateful inspection: NGFWs can track Layers 2-7 of traffic, allowing them to perform the same stateful inspection duties as a traditional firewall.
  • Application control: NGFWs can monitor which applications and users are bringing traffic to the network.
  • URL filtering: NGFWs can block known and unknown threats using URL filtering capabilities.
  • Dynamic segmentation: Dynamic segmentation can simplify and secure a network by enforcing role-based access control.

NGFWs combine multiple security technologies on a single platform. They can provide a robust way to prevent breaches through fine-grained policy management and built-in malware protection.

Data Center Firewall

Data center firewalls and perimeter firewalls are both designed to protect an organization’s assets. However, unlike a perimeter firewall, a data center firewall is designed to protect virtual machines hosted within an organization’s data center. This includes increased agility to accommodate the architectural changes that are common in virtualized environments. 

Top Perimeter Security and Firewall technologies

  1. SiteLock
  2. Cisco ASA
  3. Fortinet FortiGate
  4. Palo Alto Next-Generation Firewall
  5. Zscaler
  6. Fortinet FortiGate Secure Web Gateway
  7. WatchGuard Firewall
  8. pfSense
  9. AWS WAF
  10. Cyberoam

Perimeter Firewall

What is a Perimeter Firewall?

A perimeter firewall is a secure boundary that provides the central line of defense for private and public networks, protecting the network from unidentified threats, such as those coming from the internet.

A perimeter firewall defines the boundary between a private network and the public Internet. All traffic entering and leaving the private network passes through and is inspected by the perimeter firewall. A perimeter firewall enables an organization to restrict access to internal systems, block malicious content from entering the private network, and prevent data exfiltration and unauthorized use of corporate systems.

What are the advantages of the Perimeter Firewall?

  • Monitors the traffic of incoming and outgoing packet transfers
  • Detects and prevents trojans
  • Prevents keyloggers

How does the perimeter firewall work?

  • Uses static packet filtering
  • Uses proxy services as an intermediary connection
  • Performs stateful inspection of traffic


How Does a Perimeter Firewall Work?

A perimeter firewall is located at the boundary of a private network and prevents malicious traffic from crossing that boundary. It may be one of several types of firewalls with varying capabilities, such as:

  • Packet Filtering: Packet filtering firewalls are the simplest type of firewall. They inspect the contents of a network packet and allow or block it based on access control lists (ACLs). A packet filtering firewall can prevent certain types of traffic from entering or leaving the private network based on packets’ source and destination ports.
  • Stateful Firewalls: Stateful packet inspection firewalls track the current state of network connections and incorporate this information into their access decisions. A stateful firewall can identify an ACK scan from the fact that an ACK packet is received out of sequence, while a packet filtering firewall cannot.
  • Proxy Firewalls: Proxy firewalls act as a proxy for user connections, creating separate connections between the user and firewall, and the server and firewall. This can help to protect users’ privacy by concealing their IP addresses.
  • Next-Generation Firewalls (NGFWs): NGFWs combine the features of packet filtering and stateful firewalls with other security capabilities. An NGFW performs deep packet inspection (DPI) and can incorporate an intrusion detection/prevention system, URL filtering, and antivirus and antimalware functionality.
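The distinction drawn above between packet filtering and stateful inspection (the same two mechanisms listed under "How does the perimeter firewall work?"), as an added Python example that is not part of the original post: a stateless ACL and a small connection tracker see the same constructed packets, and only the tracker rejects an ACK that arrives without a preceding handshake. The hosts, ports, rule set and simplified flag names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str     # source host
    sport: int   # source TCP port
    dst: str     # destination host
    dport: int   # destination TCP port
    flags: str   # "SYN", "SYN-ACK" or "ACK" (simplified, constructed values)

# Stateless ACL: first match wins; the None entry is a catch-all deny.
ACL = [(443, "allow"), (80, "allow"), (None, "deny")]

def packet_filter(pkt):
    """Header-only decision; matches either port so server replies pass too."""
    for port, action in ACL:
        if port is None or port in (pkt.sport, pkt.dport):
            return action
    return "deny"

class StatefulFirewall:
    """Connection tracker: packets must fit a handshake the firewall has seen."""
    def __init__(self):
        self.flows = {}  # (client, cport, server, sport) -> connection state

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "SYN":                       # new flow: apply the ACL
            verdict = packet_filter(pkt)
            if verdict == "allow":
                self.flows[fwd] = "SYN_SEEN"
            return verdict
        if pkt.flags == "SYN-ACK" and self.flows.get(rev) == "SYN_SEEN":
            self.flows[rev] = "ESTABLISHED"          # handshake progressing
            return "allow"
        if pkt.flags == "ACK" and (fwd in self.flows or rev in self.flows):
            return "allow"                           # belongs to a known flow
        return "deny: out-of-state packet"           # e.g. an ACK-scan probe

def demo():
    """Constructed traffic: a 443 handshake, then a bare ACK from a stranger."""
    traffic = [
        Packet("10.0.0.5", 51000, "192.0.2.10", 443, "SYN"),
        Packet("192.0.2.10", 443, "10.0.0.5", 51000, "SYN-ACK"),
        Packet("10.0.0.5", 51000, "192.0.2.10", 443, "ACK"),
        Packet("198.51.100.7", 40000, "192.0.2.10", 443, "ACK"),
    ]
    sf = StatefulFirewall()
    return [(packet_filter(p), sf.inspect(p)) for p in traffic]
```

The fourth packet is allowed by the stateless ACL because port 443 is permitted, but denied by the tracker because no SYN from that host was ever seen; that out-of-state ACK is the signal the text says only a stateful firewall can act on.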

Security Requirements of a Perimeter Firewall

A perimeter firewall should protect an organization and its users with the following capabilities:

  • Web, Application, and Data Controls: A perimeter firewall should provide users with safe and legitimate access to both trusted and untrusted resources. This includes protection against web-based attacks, vulnerability exploits, and threats to corporate data.
  • Advanced Threat Prevention: A perimeter firewall should be capable of identifying and blocking both known and unknown threats to an organization. This requires an NGFW with threat intelligence and sandbox analysis capabilities.

Firewall and Perimeter Security

A firewall is a security device that acts as a network's first line of defense against cyber threats and unauthorized access. Perimeter security is a broad category of security measures that can include firewalls, intrusion detection systems (IDS), and other components. 

Here's how firewalls and perimeter security work together to protect a network:

Firewalls

These devices analyze incoming and outgoing traffic based on rules and policies. They can be deployed at the network perimeter, between network segments, or on individual devices. Firewalls can block or filter out malicious traffic, and only allow authorized traffic to pass through.

Perimeter security

This category of security measures can include firewalls, IDS, and other components. Perimeter security can help organizations comply with data protection regulations and industry standards. 

Other perimeter security components

These can include:

  • Border routers: These routers direct traffic into, out of, and throughout networks.
  • Intrusion detection systems (IDS): These systems signal when suspicious activity is detected.
  • Intrusion prevention systems (IPS): These systems attempt to defend the network against attacks automatically.
  • Demilitarized zones (DMZs): These segregated network zones host publicly accessible resources, such as web servers or email gateways.

CyberSecurity

  1. Firewall and Perimeter Security
  2. SIEM and Log Management
  3. Public Key Infrastructure
  4. Endpoint Protection, Detection and Response
  5. Secure Communications
  6. Threat Intelligence
  7. Vulnerability Management
  8. Identity and Access Management
  9. Governance, Risk and Compliance


Cybersecurity Toronto Event

https://cybersecuritysummit.com/summit/toronto/

https://globalcybersecuritynetwork.com/event/the-official-cybersecurity-summit-toronto/

ht...