Cybersecurity Advanced Learning Path - "Know yourself, know your enemy, and you will win the battle"
An information system is made of a wide variety of constituents: hardware, software, network, data, people… All of these have to be properly protected, since a chain is only as strong as its weakest link. In his famous ‘Art of War’, Sun Tzu wrote “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Protecting yourself therefore means not only understanding where your assets and vulnerabilities lie, but also how an attacker could reach and exploit them. It is critical to have a good grasp of what can constitute a target, as well as of the attack vectors that would lead to it. In this learning path, we go deeper into some methodological aspects of cybersecurity. First, we look at standards and approaches for managing risk, the basis for securing an information system. We then cover more technical aspects, such as software security, attack mechanisms, and penetration testing tools and platforms.
Introduction to Computer Security
Let’s start this learning journey with a video that gives you a 360-degree look at the field of cybersecurity: from its objectives and why it is more important than ever, to multi-layer security and methods of defence; it also covers the security criteria (the CIA triad), vulnerabilities and security controls. It is at the same time a good wrap-up and reminder of what you might already know, or an introduction to the core concepts that will allow you to follow this learning path successfully.
ISO/IEC 27001 - The international standard for information security
As we have just heard in the previous video, cybersecurity is critical for companies, organizations and even individuals. It comes as no surprise that, to raise awareness and maturity and to industrialize the approaches and methods in the field, standards and norms have been progressively developed. On the European side of the world, ISO 27001 is definitely the reference standard in terms of information security. Actually, ISO 27001 is only one of the standards of the ISO 27xxx family, which contains dozens of other documents, the most prominent being ISO 27001, ISO 27002 and ISO 27005. It also contains many others that further detail the core ones, address particular economic sectors, or cover the deployment of particular kinds of security controls.
This article is a primer on ISO 27001 and the related standards and tools, an important reference in the domain of information security. Many other resources are available on the topic, in particular this one.
EBIOS Risk Manager – The Method
Managing information system security requires a risk-based approach, i.e. a structured methodology to identify, analyse, evaluate and treat cybersecurity risks. A variety of methods exist, some targeting specific contexts and others generic, some heavier and others lighter, more or less verbose and time-consuming. The EBIOS Risk Manager method is a risk management approach developed by the French National Agency for the Security of Information Systems (ANSSI) that, in our view, strikes a good compromise between the level of complexity and the usefulness of the results. It comes with good documentation and a set of methodological sheets, and it is supported by several software tools. It is definitely a good approach to try, since it is flexible and versatile and can be tailored to a large variety of cases.
OWASP Top Ten
Cybersecurity is a constantly and rapidly evolving domain; no one can be an expert on every aspect, and it is vital to rely on publicly available reference resources, kept up to date, to get the most relevant, fresh and useful information.
OWASP (Open Worldwide Application Security Project) is a nonprofit foundation established in 2001 that works to improve the security of software by supporting community-led open source projects.
One of those projects is the OWASP Top Ten, a leading initiative for raising awareness in the developer community by compiling and regularly updating the catalogue of the 10 most critical security risks in web applications.
This inventory allows you to prioritize the search for vulnerabilities and the establishment of security controls that mitigate the impact of their exploitation. We suggest you have a look at those vulnerabilities and consider them as pitfalls to avoid in your own development activities, as possible targets if you are a pentester, or as areas of training if you are a team manager. It is also interesting to see how the list has evolved between its different versions.
OWASP Juice Shop
There is no better way to improve your cybersecurity skills than experimenting with real-world applications, looking for various types of vulnerabilities and the ways to exploit them. The OWASP Juice Shop (another OWASP project) is a deliberately vulnerable web application that you can install locally on your machine. It contains a range of software vulnerabilities specific to web applications, and your role is to identify them and find a way to exploit them. It is a kind of Capture The Flag (CTF) game, where you try to solve challenges and find the hidden flag. Turn yourself into a Cyber Sherlock Holmes!
Kali Linux – The most advanced Penetration Testing Distribution
Whether you’re a cybersecurity expert or you just want to experiment with some cybersecurity exercises, you will need to learn and use a wide variety of tools, depending on your goal and the target environment. Finding those tools is often not easy; that is where Kali Linux comes in. It is a Linux distribution that contains all the major tools for performing reconnaissance, identifying targets and carrying out attacks. It can be installed on a standalone computer or in a virtual machine alongside your existing operating system. Once installed, you will be ready to kick off your first pentest!
Cryptography
This online course is definitely not for the faint-hearted, as it focuses on the theoretical and mathematical foundations of cryptography. But if you want to better understand how the protection mechanisms we all use every day work and what guarantees their security level, and if you are not afraid of some mathematical notation, then this course is for you: it covers the major cryptographic primitives (symmetric and asymmetric encryption, message authentication and digital signatures). Not easy, but definitely worth it!
Root Me – Challenge your hacking skills
Continuing on the idea of the OWASP Juice Shop, you can turn to the Root Me platform to further develop your hacking skills. This platform offers a very wide catalogue of cybersecurity challenges in many different domains: cryptography, steganography, network, forensics, software… The challenges are sorted by difficulty level, and there is a community behind it that can help you find solutions (but that will never tell you the solution!). Take your cyber-detective skills to the next level!
Breaking The Kill Chain: A Defensive Approach
To better defend yourself, you need to understand the modus operandi of an attacker: which steps will they go through to reach their objective? Lockheed Martin has formalized the attack process in 7 steps named “The Cyber Kill Chain®”. This video describes those 7 steps and shows how to turn them into a defensive strategy.
MITRE ATT&CK®
When analysing your systems in search of open doors and vulnerabilities, it is not always easy to know where to start, where to go next and where to stop. How do I know the kinds of vulnerabilities I could exhibit? How can I rule out some attacks because they target a weakness my systems don’t expose? This is the goal of the ATT&CK knowledge base from the MITRE organization, which establishes a list of attack techniques and sub-techniques organized according to the various steps of an attack scenario. For each technique, it lists a series of detection and mitigation measures, as well as some reading references. It is a widely used framework for attack classification and vulnerability identification.