Blue Team: Security Principles
Blue teaming security principles
There’s a few common security principles we must follow to ensure we protect our assets. Data is our most valuable possession in the modern era and there’s plenty of malicious users who will steal or destroy this. This blog has covered plenty of red-teaming boxes and techniques, with these thorough understanding, we can start to understand different counter measures available.
Not that CIA, the acronym in question is potentially even more important. The CIA triad are the concepts we use to define and judge security:
> Confidentiality: Can only the intended users/recipients access the data? > Integrity: Ensure data can not be altered and if it were, can we detect this? > Availability: Is the system available when I need it?
Furthering the CIA triad, two more concepts are frequently paired with this:
Authenticity: Is the data from the acclaimed source? Non-repudiation: Refusing to recognize the validity of data. This is essentially the inverse of authenticity. Does the system actually recognise the original source?
Though CIAAN isn’t quite as catchy as CIA. There are some derivatives or other ideas along the same line for this. For example, the Parkerian Hexad which essentially covers the same as the CIA triad:
DAD is the counter part of CIA. This details the triad of which ways data or a system can be harmed upon a successful attack:
Disclosure: A company must disclose the attack and the severity of said attack to the public, causing loss of public faith Alteration: Data on a system has been altered, thus losing integrity Destruction/Denial: Data or a system is no longer available
Great, you’ve password protected your computer. It should be safe now, right? While yes, it is safer with than without, you’re left with only line of defence. What if the password is compromised? You’re now left vulnerable. It’s important that we ensure we have multiple layers of defence. For example, firewalls can exist within multiple areas on a network. An example of this would be using a built-in firewall within your router (such as a Draytek or SonicWall) and also using a firewall on you Windows device, this now provides an extra layer of protection.
This isn’t necessarily limited to online security, this can be physical too. For example, if you have a locked door you’ve recently installed. The lock on the door while provide some protection but it can be bypassed entirely if your dead bolt isn’t set correctly.
There are two types of trust when it comes to security principles:
Trust but verify: This is a model that is based on the fact it's not particularly feasible to verify everything an end user does, in which they are trusted but monitored to verify they are not doing something they're not meant to. To be used in practice, this requires logging mechanisms that are analysed to ensure the "trust" is being properly verified Zero trust: This is exactly what it sounds like. Trust is a bad thing, everything is malicious. An entity is guilty until proven innocent. This method requires users to authenticate and authorize themselves before accessing any resources.
While both of these intend the same outcome, they are better deployed in different scenarios. For example, “trust but verify” is better for websites or public domain. This allows users to freely access content but will be disallowed or “untrusted” if they perform an unverified action. Zero trust is better for private or internal access, such as a file share. Only authenticated and authorized users should be able to access that share.
Access control determines who can access what and sometimes when. For example, user A can write to a directory but not read the contents within any of the files. On the other hand, user B can only read what’s written into a directory and can’t write new content. The principle of least privilege ties closely into this. User’s should be given as little privilege as possible to perform the task they need. As we know from a lot of AD boxes on hackthebox, give a user a little extra and it’ll be taken a mile.
Vulnerabilities, threats and risks
These terms get thrown around a lot however all have very different meaning, though linked:
Vulnerability: A vector of which is susceptible to exploitation or damage Threat: A potential danger associated with a vulnerability Risk: The likelihood a vulnerability being exploited and the impact on the system exploited