CompTIA Security+ Exam Notes

Let Us Help You Pass

Wednesday, October 9, 2024

Metadata


Metadata is information about data rather than the data itself: when a file was created, who created it, or where it was stored. It provides context without revealing the content. In a cybersecurity investigation, the metadata attached to files and logged events is often what establishes the timeline and points to where a breach started, because it records "when" and "where" actions occurred.

Key points about metadata:

What it describes:

Metadata provides details about a data file's origin, properties, and history, including the creation date, modification date, author, file size, and permissions.

File system tracking:

Operating systems automatically record file metadata such as creation, last-access, and modification timestamps, which are valuable in forensic analysis. Be aware that access and modification times can be rewritten by anyone who can write to the file (an attacker may "timestomp" them to blend in), so corroborate file timestamps with logs, file-system journal data, and other sources before relying on them.

Security attributes:

Files can have additional metadata like read-only, hidden, or system file flags, indicating security settings applied to them.

Extended attributes:

Beyond basic file system metadata, a file can carry metadata inside its own format, such as the author, company, and revision history in an Office document or the camera model and GPS coordinates in a photo's EXIF data, as well as user-assigned tags stored as extended attributes for easier searching.

Relevance in investigations:

By analyzing metadata, investigators can build a timeline of events, pinpoint potential breach sources, and identify suspicious activity based on when and where files were accessed or modified.

Example of how metadata is used in investigations:

Identifying malicious activity: If a critical system file is suddenly modified at an unusual time, the metadata (timestamp) could indicate a potential intrusion attempt.

Tracking file movement: Investigators can determine when and from which system a copied file was transferred by examining its metadata.

Identifying the source of a document: Metadata, such as author information on a document, can help trace its origin.
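As an added example (this is not code from the original notes), the following Python script gathers the file-system metadata described above, orders it into a timeline, and flags modifications that fall outside an assumed change window. The directory tree, file names, and timestamps are constructed for the example, and the 08:00 to 18:00 UTC window is an assumption; on a real system you would point collect_metadata at the mounted evidence image instead.

```python
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample tree (not from any real incident): relative path -> UTC
# modification time we set explicitly so the timeline is deterministic.
SAMPLE_FILES = {
    "etc/passwd": "2024-10-08T10:15:00",            # assumed routine change
    "etc/ssh/sshd_config": "2024-10-09T03:17:00",   # assumed suspicious (03:17 UTC)
    "home/alice/notes.txt": "2024-10-09T14:02:00",  # assumed routine change
}

def build_sample_tree(root):
    """Create the sample files under `root` and stamp their atime/mtime."""
    for rel, stamp in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample content\n")
        ts = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc).timestamp()
        # atime and mtime can be set from user space (which is exactly why an
        # attacker can "timestomp" them); ctime cannot, so it stays honest here.
        os.utime(path, (ts, ts))

def collect_metadata(root):
    """Walk `root` and return one record of file-system metadata per regular file."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            records.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),   # permission bits
                "uid": st.st_uid,
                "atime": st.st_atime,               # last access
                "mtime": st.st_mtime,               # last content modification
                "ctime": st.st_ctime,               # Linux: inode/metadata change, not creation
                "birth": getattr(st, "st_birthtime", None),  # creation time where the OS exposes it
            })
    return records

def build_timeline(records):
    """Order records by modification time, oldest first."""
    return sorted(records, key=lambda r: r["mtime"])

def flag_off_hours(records, start_hour=8, end_hour=18):
    """Return records whose mtime falls outside the assumed change window (UTC)."""
    flagged = []
    for r in records:
        hour = datetime.fromtimestamp(r["mtime"], tz=timezone.utc).hour
        if not (start_hour <= hour < end_hour):
            flagged.append(r)
    return flagged

def analyze_sample(root=None):
    """Build the sample tree (in a temp dir unless `root` is given); return (timeline, flagged)."""
    if root is None:
        root = tempfile.mkdtemp()
    build_sample_tree(root)
    recs = collect_metadata(root)
    return build_timeline(recs), flag_off_hours(recs)

def fmt(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

if __name__ == "__main__":
    timeline, flagged = analyze_sample()
    for r in timeline:
        print(f"{fmt(r['mtime'])}  {r['mode']}  {r['size']:>5}  {r['path']}")
    for r in flagged:
        print(f"OFF-HOURS MODIFICATION: {r['path']} at {fmt(r['mtime'])}")
```

The script reports sshd_config as the only off-hours change, which is the kind of lead the "Identifying malicious activity" example above describes; the ctime and birth-time fields are included because they are the ones an attacker cannot easily rewrite from user space.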

Security Control Categories


Security controls protect a system or data asset by ensuring confidentiality, integrity, availability, and non-repudiation. Depending on how they are implemented, these controls can be categorized as managerial, operational, technical, or physical. Examples include risk assessments (managerial), security guard patrols (operational), firewalls (technical), and security cameras (physical).

Key points:

Confidentiality: Limiting access to information to authorized users only.

Integrity: Ensuring data is accurate and not tampered with.

Availability: Guaranteeing that information is accessible to authorized users when needed.

Non-repudiation: Preventing a user from denying their actions on a system.

Control categories:

Managerial:

Policies, procedures, risk assessments, and oversight functions performed by management.

Operational:

Actions taken by users and system administrators, like security awareness training and access control procedures.

Technical:

Hardware and software mechanisms like firewalls, encryption, and access control systems.

Physical:

Physical security measures such as locks, alarms, cameras, mantraps (access control vestibules), turnstiles, and site access controls.

Example controls in each category:

Managerial: Security policy document, risk management process, vendor assessment

Operational: User access reviews, password management procedures, incident response plan

Technical: Intrusion detection system, antivirus, port security, 802.1X, least privilege enforced through group policy, data encryption

Physical: Building access control system, security cameras, data center environmental controls 

Identity and Access Management

 IAM (Identity and Access Management)

A modern access control system is usually implemented through an Identity and Access Management (IAM) system, which consists of four critical processes: identification (creating a unique user account), authentication (proving a user's identity), authorization (defining what access a user has to resources), and accounting (tracking user activity and alerting on suspicious behavior); essentially ensuring the right people have access to the correct information at the right time while monitoring their actions for security purposes.

Explanation of each process:

Identification:

This initial step involves creating a unique identifier for a user, device, or process on a network, like a username or an account number, so that the system can recognize them.

Authentication:

This process verifies that the user is who they claim to be by checking credentials like passwords, security tokens, or biometric data when they attempt to access a resource.

Authorization:

Once authenticated, the system determines the user's level of access to specific resources based on their assigned permissions, which can be managed through different models, such as discretionary (owner-defined), mandatory (system-enforced through labels), or role-based (permissions grouped by job role).

Accounting:

This final stage involves recording user activity, including what resources they accessed, when, and any potential anomalies, providing an audit trail for security purposes.

Key points to remember:

Multi-factor authentication:

Modern IAM systems often incorporate multiple authentication factors (like a password and a code sent to your phone) for enhanced security.

Centralized management:

IAM systems typically manage user identities and access rights from a single platform, simplifying administration.

Compliance requirements:

IAM systems are crucial in meeting data privacy and security regulations by controlling who can access sensitive information.
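As an added example (not code from the original notes), here is a minimal IAM flow in Python that walks through all four processes: identification (an account record with a salted PBKDF2 password hash), authentication with two factors (password plus a TOTP code, implemented per RFC 4226/6238 with the standard library), role-based authorization, and accounting (an audit trail from which failed-login alerts are derived). The roles, resources, usernames, and the enrolled TOTP secret (the RFC test-vector secret) are assumptions for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from datetime import datetime, timezone

# PBKDF2-HMAC-SHA256 work factor. OWASP's current guidance is 600,000; kept lower
# here only so the example runs quickly.
PBKDF2_ITERATIONS = 200_000

# Authorization model: role -> set of (resource, action). Assumed for the example.
ROLE_PERMISSIONS = {
    "analyst": {("incident-reports", "read"), ("incident-reports", "write")},
    "auditor": {("incident-reports", "read"), ("audit-log", "read")},
    "admin": {("incident-reports", "read"), ("incident-reports", "delete"), ("audit-log", "read")},
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(secret: bytes, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """TOTP (RFC 6238): HOTP with counter = floor(now / step); tolerate one step of clock drift."""
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code) for d in range(-window, window + 1))

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

class IAM:
    def __init__(self):
        self.users = {}   # identification: username -> account record
        self.audit = []   # accounting: append-only event list

    def _log(self, user, action, outcome, detail=""):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                           "action": action, "outcome": outcome, "detail": detail})

    # 1. Identification: a unique account holding a salted hash, never the password itself
    def create_user(self, username, password, roles, totp_secret=None):
        if username in self.users:
            raise ValueError("username already exists")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _pbkdf2(password, salt),
                                "roles": set(roles), "totp_secret": totp_secret}
        self._log(username, "create_user", "success")

    # 2. Authentication: something you know (password) plus something you have (TOTP)
    def authenticate(self, username, password, totp_code=None, now=None):
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            _pbkdf2(password, b"\x00" * 16)   # same work for unknown users: no username oracle via timing
            self._log(username, "login", "failure", "unknown user")
            return False
        if not hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"]):
            self._log(username, "login", "failure", "bad password")
            return False
        if rec["totp_secret"] is not None and (
                totp_code is None or not verify_totp(rec["totp_secret"], totp_code, now)):
            self._log(username, "login", "failure", "bad or missing OTP")
            return False
        self._log(username, "login", "success")
        return True

    # 3. Authorization: role-based check of (resource, action) for an authenticated user
    def authorize(self, username, resource, action):
        roles = self.users[username]["roles"]
        allowed = any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)
        self._log(username, f"{action}:{resource}", "allow" if allowed else "deny")
        return allowed

    # 4. Accounting: derive an alert from the audit trail
    def failed_logins(self):
        counts = {}
        for e in self.audit:
            if e["action"] == "login" and e["outcome"] == "failure":
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return counts

    def suspicious_users(self, threshold=3):
        return sorted(u for u, n in self.failed_logins().items() if n >= threshold)

if __name__ == "__main__":
    iam = IAM()
    secret = b"12345678901234567890"   # RFC 4226/6238 test-vector secret, assumed enrolled for alice
    iam.create_user("alice", "correct horse battery staple", ["analyst"], totp_secret=secret)
    code = hotp(secret, int(time.time() // 30))   # what alice's authenticator app would show now
    print("login:", iam.authenticate("alice", "correct horse battery staple", code))
    print("read reports:", iam.authorize("alice", "incident-reports", "read"))
    print("delete reports:", iam.authorize("alice", "incident-reports", "delete"))
    for event in iam.audit:
        print(event)
```

Two details worth noticing: the unknown-user branch still runs PBKDF2 so that response time does not reveal which usernames exist, and the audit list is written by every branch, including denials, which is what makes the accounting stage useful for spotting password spraying.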

BPDU & Root Guard


A switch forwards traffic using a cache (the MAC address table) that maps each learned MAC address to a port. When that cache is flushed, as happens during STP topology changes, the switch no longer knows the correct egress port for many destinations and must "flood" unicast frames out every port until it relearns them, which degrades network performance. To limit this, configure access ports (those connecting directly to host devices) with a feature such as "PortFast" on Cisco switches so that their link state changes do not generate topology change notifications.

 Key points:

 MAC address cache:

A switch stores MAC addresses associated with each port to quickly direct traffic.

 Flooding:

When a switch doesn't know the correct port for a destination MAC address, it sends the frame to all ports, even a unicast frame.

STP and topology changes:

Every topology change causes switches to flush entries from the MAC address cache. Rapid Spanning Tree Protocol (RSTP) flushes immediately on all non-edge ports rather than waiting for a timer, so frequent changes, such as host-facing ports that are not marked as edge ports going up and down, lead to repeated flooding.

How to minimize flooding on access ports:

PortFast:

Configure "PortFast" on access ports on Cisco switches. The port moves straight to forwarding, and its link going up or down does not generate a topology change notification, so host reboots no longer cause cache flushes and unnecessary flooding.

 Edgeport (other vendors):

Similar functionality on non-Cisco switches is often referred to as "edgeport."

 STP commands to further control flooding:

 BPDU Guard:

If a port configured with PortFast receives a Bridge Protocol Data Unit (BPDU), something expected only on switch-to-switch links, BPDU Guard places the port in the err-disabled state. This stops a rogue or misconfigured switch plugged into an access port from participating in spanning tree; the port stays down until an administrator re-enables it (or an errdisable recovery timer does).

 BPDU Filter:

BPDU Filter stops the port from sending or receiving BPDUs. It is only appropriate on links between separate switching domains that should not exchange topology information; on any other link it silently disables loop prevention, so prefer BPDU Guard on access ports.

Root Guard:

Root Guard prevents a switch connected to a specific port from becoming the root bridge. If a superior BPDU (one advertising a better root ID) arrives on that port, the port is placed in the root-inconsistent state and stops forwarding until the superior BPDUs cease, ensuring that only the designated "core" switches can be the root.

Spanning Tree Port States

 Port States - Spanning Tree


When every port on every bridge is in either the blocking (inactive) or forwarding (active) state, the network is converged: it has reached a stable, loop-free topology. Classic STP moves a port through blocking, listening, and learning before forwarding, with each transition waiting on a 15-second forward-delay timer, so after a change the network can be partly unavailable for 30 to 50 seconds while the bridges recalculate. RSTP reduces the port states to discarding, learning, and forwarding and negotiates transitions with neighbouring bridges instead of waiting on timers, so it typically reconverges in a few seconds or less.

STP & RSTP - Spanning Tree

 Spanning Tree Protocol

Spanning tree requires a managed switch. It prevents switching loops, which cause broadcast storms: without it, a loop keeps frames circulating and multiplying until someone physically breaks the loop, and the other systems connected to the switch eventually lose connectivity as though a DoS (Denial of Service) attack were under way.

Switching loops occur when both ends of the same cable are plugged into the same switch (directly, or through two wall jacks that lead back to it), or when two switches are joined by multiple uplinks that are not bundled with LACP (Link Aggregation Control Protocol).

RSTP (Rapid Spanning Tree Protocol) improves STP by converging much faster after any change to the topology.

Port roles: the RP (Root Port) is the port that sends traffic towards the root bridge; the DP (Designated Port) sends traffic down through the network, away from the root; and the BP (Blocking Port, called an alternate or backup port in RSTP) is kept out of forwarding to prevent a switching loop.
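As an added example covering both the BPDU & Root Guard section and the spanning tree section above (this is not code from the original notes), the following Python script models the pieces of STP those sections describe: root bridge election by lowest bridge ID, root port selection by lowest path cost to the root, and what BPDU Guard and Root Guard do when a rogue switch starts sending BPDUs. The topology, bridge IDs, port names, and the rogue switch are constructed for the example; the Cisco commands in the comments are the ones the sections refer to.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge ID: 2-byte priority followed by the 6-byte MAC; lowest value wins.
    Comparing the MAC as a string is fine here because all MACs use the same
    zero-padded lowercase form."""
    priority: int
    mac: str

@dataclass(frozen=True)
class Bpdu:
    """The configuration-BPDU fields that decide elections."""
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    sender_port: int

@dataclass
class PortConfig:
    cost: int = 4             # 802.1D short path cost for 1 Gbit/s
    portfast: bool = False    # Cisco: spanning-tree portfast (edge port)
    bpdu_guard: bool = False  # Cisco: spanning-tree bpduguard enable
    root_guard: bool = False  # Cisco: spanning-tree guard root

def elect_root(bridge_ids):
    """Root bridge election: the lowest bridge ID in the domain wins."""
    return min(bridge_ids)

def evaluate_port(cfg, current_root, received):
    """State a port ends up in given the BPDU it received (None = no BPDU seen)."""
    if received is None:
        return "forwarding (edge)" if cfg.portfast else "designated"
    if cfg.portfast and cfg.bpdu_guard:
        return "err-disabled"        # any BPDU on an edge port means something speaking STP was plugged in
    if cfg.root_guard and received.root_id < current_root:
        return "root-inconsistent"   # superior BPDU: stay blocked until the neighbour stops claiming root
    return "participating"           # normal STP processing

def root_port(current_root, ports, received):
    """Root port: lowest total cost to the root, then lowest sender bridge ID, then sender port."""
    candidates = []
    for name, bpdu in received.items():
        if bpdu is None or bpdu.root_id != current_root:
            continue
        if evaluate_port(ports[name], current_root, bpdu) != "participating":
            continue
        candidates.append((bpdu.root_path_cost + ports[name].cost, bpdu.sender_id, bpdu.sender_port, name))
    return min(candidates)[3] if candidates else None   # None: this bridge is the root itself

# Constructed topology (assumed): SW2 is meant to be root (priority 4096); a rogue
# switch with priority 0 is plugged into two of SW1's ports.
SW1 = BridgeId(32768, "00:11:22:33:44:01")
SW2 = BridgeId(4096, "00:11:22:33:44:02")
SW3 = BridgeId(32768, "00:11:22:33:44:03")
ROGUE = BridgeId(0, "00:de:ad:be:ef:ff")

SW1_PORTS = {
    "Gi0/1": PortConfig(),                                  # uplink to SW2
    "Gi0/2": PortConfig(),                                  # uplink to SW3
    "Gi0/3": PortConfig(root_guard=True),                   # downlink to an access switch
    "Gi0/4": PortConfig(portfast=True, bpdu_guard=True),    # access port
    "Gi0/5": PortConfig(portfast=True, bpdu_guard=True),    # access port with a PC attached
}
SW1_RECEIVED = {
    "Gi0/1": Bpdu(SW2, 0, SW2, 1),
    "Gi0/2": Bpdu(SW2, 4, SW3, 2),
    "Gi0/3": Bpdu(ROGUE, 0, ROGUE, 1),
    "Gi0/4": Bpdu(ROGUE, 0, ROGUE, 2),
    "Gi0/5": None,
}

def simulate_sw1():
    """Return (root bridge, per-port outcome, root port) for SW1 with the guards configured above."""
    root = elect_root([SW1, SW2, SW3])   # the legitimate domain; the rogue never gets to join it
    states = {p: evaluate_port(SW1_PORTS[p], root, SW1_RECEIVED[p]) for p in SW1_PORTS}
    return root, states, root_port(root, SW1_PORTS, SW1_RECEIVED)

if __name__ == "__main__":
    root, states, rp = simulate_sw1()
    print("root bridge:", root)
    for port, state in states.items():
        print(f"{port}: {state}")
    print("root port on SW1:", rp)
    print("without the guards the rogue would win the election:", elect_root([SW1, SW2, SW3, ROGUE]) == ROGUE)
```

Running it shows Gi0/1 chosen as the root port (cost 4 beats cost 8 through SW3), Gi0/3 held in root-inconsistent by Root Guard, Gi0/4 err-disabled by BPDU Guard, and the last line shows why the guards matter: with priority 0 the rogue would otherwise win the election outright.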

Key Escrow - Private Key

 Key Escrow


Key escrow places a copy of a private key (normally a decryption key) with a trusted third party, or with an internal escrow function, so the key can be recovered if the original is damaged or lost. Recovery is governed by M of N control: the key is divided among N trusted individuals, and at least M of them must cooperate to recover it, where M is greater than 1 and N is greater than M so that no single person can recover the key alone and no single absence blocks recovery. For example, with 5 trusted individuals (N), at least 2 (M) would need to present their parts of the key.

Simply making extra copies of a private key is hard to manage and raises the risk of compromise if the copies sit on ordinary organization media; splitting the key so that no one person holds a usable copy avoids that.

A company can implement its own key escrow by giving parts of the key to multiple trusted employees, for example two or three of them holding USB drives with their parts. Escrow only encryption keys: a signing key should not be escrowed, because anyone able to recover it could forge the owner's signatures and defeat non-repudiation.