
Security And Privacy - Overview

Legal vs Compliance vs Security vs Privacy

  • Legal: What can we do.
  • Compliance: What must we do.
  • Security: How can we do it.
  • Privacy: What should we do.

Be careful about special types of data

  • Accelerometer: detects acceleration caused by vibration, so it can act as a kind of microphone that records the user's voice.
  • Timestamp: if it is down to milliseconds, it may be used as a join key to link to other datasets.

Wipeout vs Takeout

  • Wipeout: all data related to the user will be removed. The right to be forgotten.
  • Takeout: all data related to the user can be downloaded. Also serves the purpose of transparency: users know what we know about them.

Regulations / Standards

  • GDPR: General Data Protection Regulation (EU)
  • HIPAA: Health Insurance Portability and Accountability Act. (US)
  • PCI-DSS: Payment Card Industry Data Security Standard
  • CCPA: California Consumer Privacy Act, similar to GDPR.

GDPR

Data subject: the individual that information describes

6 GDPR DSRs: data subject rights

  • the right to be forgotten
  • the right to access
  • the right to portability
  • the right to restriction of processing
  • the right to rectify
  • the right to object

Methods to prove lawfulness of processing

  • contractual necessity: processing required to fulfill an agreement between a company and an individual
  • consent
  • legitimate interests

Controllers vs Processors

  • Controllers: decide how personal data will be processed, and must meet the obligations set forth in the GDPR
  • Processors: process data at the direction of another entity

FIPS

FIPS = Federal Information Processing Standard.

A set of standards that dictates how data should be encrypted and transmitted. It has seen several revisions over the years.

FIPS 140-3: Security Requirements for Cryptographic Modules. Issued by NIST.

NIST

NIST = National Institute of Standards and Technology.

NIST Cybersecurity Framework: a set of guidelines for mitigating organizational cybersecurity risks.

FedRAMP

https://www.fedramp.gov

FedRAMP = Federal Risk and Authorization Management Program.

Required in order to do business with the US government.

FedRAMP consists of a subset of NIST Special Publication 800-53 security controls specifically selected to provide protection in cloud environments.

Marketplace:

https://marketplace.fedramp.gov/#!/products?sort=productName

Software Supply Chain Security (S3C)

  • source integrity (OSS, internal developers, vendors): no bad/malicious code
  • build integrity (code repo, CI/CD pipelines, package repo): build and delivery are tamper proof
  • runtime/dynamic checks (malware/vulnerability scanning, safe deployment): ensure prod systems are not compromised

IDS/IPS

  • IDS: Intrusion Detection Systems.
  • IPS: Intrusion Prevention Systems.

What are YARA Rules?

YARA = Yet Another Ridiculous Acronym.

YARA is a framework for large-scale pattern matching, used to identify and classify malware samples.

https://github.com/virustotal/yara

Data governance

  • moral?
  • ethical?
  • legal?
  • fair?

Security

Authn, authz, audit

Resources

YARA-L

YARA-L is inspired by YARA, which was invented by Google's VirusTotal team for malware analysis, and is applied to logs (hence the "L") and other security telemetry inside the Chronicle platform.

What is CSPM?

Cloud Security Posture Management (CSPM) is a cybersecurity solution that identifies and remediates misconfigurations and security risks in cloud environments, providing automated visibility, continuous monitoring, and remediation workflows to improve security and compliance.

"Posture" refers to an organization's overall cybersecurity strength and readiness to defend against cyber threats.

What is CNAPP?

CNAPP is an end-to-end cloud-native security solution that combines key functionalities like posture management, workload protection, runtime protection, and data security.

CNAPP represents a consolidation and evolution of multiple cloud security technologies, including Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM), Infrastructure as Code (IaC) scanning, and more.

What is Ebury?

Ebury (Malware): the name of a sophisticated and long-standing malware family that primarily targets Linux servers. Ebury is known for being an OpenSSH backdoor and credential stealer. It is used by attackers to gain unauthorized access to compromised servers, steal sensitive information (like login credentials and cryptocurrency wallet details), and use the infected servers for malicious activities such as sending spam or redirecting web traffic. Ebury has been active for many years and has infected a significant number of servers globally.

Ebury modifies libkeyutils.so.1 (a dependency of the OpenSSH server and client binaries) on disk.

It also includes a userland rootkit to hide its presence from a compromised system when managed from SSH.

It is used to deploy additional malware to perform web traffic redirection, steal credit card details during a transaction, and send spam.

The backdoor is activated by sending a specially crafted SSH client version string containing hex-encoded or base64-encoded data (sometimes with spaces, which are ignored).
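A heuristic a defender could run over SSH client identification strings collected from network sensors, flagging the hex- or base64-looking version strings described above. This is an added example, not from the original page; the length threshold and the sample banners are constructed assumptions, not Ebury indicators.

```python
import base64
import binascii
import re

# Assumed threshold: common client names ("OpenSSH_9.6", "PuTTY_Release_0.81")
# are short or contain '_', '.' or '-', which hex and standard base64 never use.
MIN_ENCODED_LEN = 20
BANNER_RE = re.compile(r"SSH-\d+\.\d+-(.*)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def classify_banner(banner: str) -> str:
    """Return 'hex', 'base64', 'malformed' or 'ok' for one identification string."""
    m = BANNER_RE.fullmatch(banner.rstrip("\r\n"))
    if not m:
        return "malformed"
    # The page notes that spaces are ignored, so drop them before testing.
    payload = m.group(1).replace(" ", "")
    if len(payload) < MIN_ENCODED_LEN:
        return "ok"
    if len(payload) % 2 == 0 and HEX_RE.fullmatch(payload):
        return "hex"
    if len(payload) % 4 == 0 and B64_RE.fullmatch(payload):
        try:
            base64.b64decode(payload, validate=True)
            return "base64"
        except binascii.Error:
            pass
    return "ok"

def flag_banners(banners):
    """Return (banner, verdict) for every banner that is not 'ok'."""
    verdicts = ((b, classify_banner(b)) for b in banners)
    return [(b, v) for b, v in verdicts if v != "ok"]

# Constructed sample input: three ordinary clients and two encoded-looking strings.
SAMPLE = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-PuTTY_Release_0.81",
    "SSH-2.0-libssh2_1.11.0",
    "SSH-2.0-4f1c9a77 03be2d5566a1 90cc7e12",
    "SSH-2.0-QUJDREVGR0hJSktMTU5PUFFSU1Q=",
]

if __name__ == "__main__":
    for banner, verdict in flag_banners(SAMPLE):
        print(f"{verdict:9} {banner}")
```

A hit is a lead for triage rather than proof of compromise: any client whose name happens to be a long alphanumeric run will also match.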

What is a Rootkit?

A rootkit is malware that gives attackers root-level remote access.

Kernel mode rootkits vs userland rootkits

  • Kernel mode rootkits:
    • offer the most power, such as Direct Kernel Object Manipulation (DKOM) capabilities, direct interaction with hardware devices, and the capability to perform certain privileged operations.
    • more difficult to maintain due to the rapidly changing Linux kernel.
    • How to fix: reinstall the OS from a trusted source to remove them.
  • Userland rootkits:
    • hiding processes, logging keystrokes, and snooping on network activity can all be accomplished in userland.
    • more portable.
    • How to fix: terminate the suspicious processes; restore the altered files.

What is Endpoint Security?

Endpoint security is a critical aspect of cybersecurity focused on protecting the individual devices that connect to a network. These "endpoints" serve as potential entry points for cyber threats, and securing them is essential to safeguarding an organization's data and systems.

What is a contextualized container?

It refers to analyzing and securing containers not just in isolation, but by considering their relationship to the broader environment in which they are deployed. This includes:

  • The host operating system.
  • The network configuration and traffic.
  • Other containers running on the same host or in the same cluster.
  • The orchestration platform (like Kubernetes) and its configuration.
  • Associated cloud infrastructure and services.
  • Identity and access management settings.

What does "shift left" mean?

Traditionally, vulnerabilities and threats are discovered by the security team after the software is deployed.

"Shift left" means applying security best practices BEFORE deploying the software, e.g. scanning container images, Dockerfiles, Terraform and Kubernetes YAML files during software development.

Threats vs Vulnerabilities

  • Vulnerabilities: a weakness, flaw, or defect within the software itself. E.g. the ones with a CVE ID.
  • Threats: an external entity, event, or action that could exploit a vulnerability to cause harm to the software, system, or data. E.g. remote code execution, malware, crypto-mining, lateral movement, privilege escalation, container escape.

What is Domain Generation Algorithm (DGA)?

In the realm of cybersecurity, a Domain Generation Algorithm (DGA) is a technique used by malware to algorithmically generate a large number of domain names. These generated domains are typically used by the malware to communicate with its command and control (C2) servers.
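One way a defender can look for DGA activity in resolver logs, shown as an added example that is not from the original page. It relies on the fact that most generated names are never registered, so an infected host produces many NXDOMAIN answers for distinct random-looking names; the thresholds, the single-label-TLD assumption and the sample log are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits per character of the label's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_generated(qname: str, min_len=10, min_entropy=3.0, max_vowels=0.25) -> bool:
    """Heuristic: long, high-entropy, vowel-poor second-level label.
    Assumes a single-label TLD; there is no public-suffix handling."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2 or len(labels[-2]) < min_len:
        return False
    label = labels[-2]
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowels

def suspect_clients(dns_log, min_hits=3):
    """Map client -> distinct generated-looking names that returned NXDOMAIN,
    keeping only clients with at least min_hits such names."""
    hits = defaultdict(set)
    for client, qname, rcode in dns_log:
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client].add(qname.lower())
    return {c: sorted(names) for c, names in hits.items() if len(names) >= min_hits}

# Constructed resolver log: (client, query name, response code).
SAMPLE_LOG = [
    ("10.0.0.5", "www.google.com", "NOERROR"),
    ("10.0.0.5", "xkqzvbtrw8fj2mnp.example", "NXDOMAIN"),
    ("10.0.0.5", "qwrtzpsdfghjk.example", "NXDOMAIN"),
    ("10.0.0.5", "b7xk2mvq9zt4.example", "NXDOMAIN"),
    ("10.0.0.5", "hjkwqzxvbnmt.example", "NXDOMAIN"),
    ("10.0.0.9", "stackoverflow.com", "NOERROR"),
    ("10.0.0.9", "intranet-wiki.example", "NXDOMAIN"),
    ("10.0.0.9", "zxcvbnmlkjhg.example", "NXDOMAIN"),
]

if __name__ == "__main__":
    for client, names in suspect_clients(SAMPLE_LOG).items():
        print(client, len(names), "generated-looking NXDOMAIN names")
```

Character statistics miss DGAs that build names from dictionary words, so treat the per-client NXDOMAIN count as the stronger signal and the label test as a filter.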

Can non-executable files be malicious?

Non-executable files can also be malicious:

  • Shared libraries: these are ELF files that are loaded by the main process. If modified, they may execute malicious code when one of their exported functions is called, or when they are loaded, via a glibc constructor function, DT_INIT or DT_INIT_ARRAY.
  • Scripts: they may be loaded and run by an interpreter (Bash, Python, Perl, etc.). They don't need the execute bit set if their path is passed as argument to the interpreter.

E.g. the recent backdoor in xz was present in a shared library (liblzma.so). Userland rootkits also use shared libraries to get injected via LD_PRELOAD, LD_AUDIT or other mechanisms.
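A host check for the injection mechanisms named above, as an added example that is not from the original page: it lists libraries forced into processes through LD_PRELOAD, LD_AUDIT or /etc/ld.so.preload. The function names and the allowlist parameter are hypothetical, and reading other users' /proc/<pid>/environ requires root.

```python
import os
import re

LOADER_VARS = {b"LD_PRELOAD", b"LD_AUDIT"}
SEPARATORS = re.compile(r"[:\s]+")  # ld.so list separators: colons or whitespace

def loader_vars_in_environ(environ: bytes) -> dict:
    """Parse a NUL-separated /proc/<pid>/environ blob and return any
    LD_PRELOAD / LD_AUDIT entries as {name: [library paths]}."""
    found = {}
    for entry in environ.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name in LOADER_VARS and value:
            text = value.decode(errors="replace")
            found[name.decode()] = [p for p in SEPARATORS.split(text) if p]
    return found

def parse_ld_so_preload(text: str) -> list:
    """Return the libraries listed in /etc/ld.so.preload content
    ('#' starts a comment that runs to the end of the line)."""
    libs = []
    for line in text.splitlines():
        libs += [p for p in SEPARATORS.split(line.split("#", 1)[0]) if p]
    return libs

def scan_host(proc="/proc", preload_file="/etc/ld.so.preload", allow=frozenset()):
    """Return (source, library) findings not covered by the allowlist."""
    findings = []
    try:
        with open(preload_file) as fh:
            libs = parse_ld_so_preload(fh.read())
        findings += [("ld.so.preload", lib) for lib in libs if lib not in allow]
    except OSError:
        pass  # the file is absent on most systems
    for pid in sorted(filter(str.isdigit, os.listdir(proc)), key=int):
        try:
            with open(os.path.join(proc, pid, "environ"), "rb") as fh:
                env = loader_vars_in_environ(fh.read())
        except OSError:
            continue  # process exited or we lack permission
        for var, libs in env.items():
            findings += [(f"pid {pid} {var}", lib) for lib in libs if lib not in allow]
    return findings

if __name__ == "__main__":
    for source, lib in scan_host():
        print(f"{source}: {lib}")
```

A userland rootkit that is already loaded can hook the library calls a dynamically linked interpreter makes, so results are most trustworthy when the disk is examined offline or from a statically linked tool.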