資安基礎知識清單 (上)

Security Concepts

• Information security
• • CIA triad
• Cybersecurity framework
• Gap analysis
• Access control
• • IAM and AAA

Security Controls

• Security control categories
• • Managerial, operational, technical, physical
• Security control functional types
• • Preventive, detective, corrective plus directive, deterrent, compensating
• Information security roles and responsibilities
• Information security competencies
• Information security business units
• • SOC, DevSecOps, and CIRT

Threat Actors

• Vulnerability, threat, and risk
• Attributes of threat actors
• • Internal/external, level of sophistication/capability, resources/funding
• Motivations of threat actors
• • Service disruption, data exfiltration, disinformation
  • Chaotic, financial, political
• Hackers and hacktivists
• Nation-state actors and advanced persistent threats
• Organized crime and competitors
• Internal threat actors

Attack Surface

• Attack surface and vectors
• Vulnerable software
• Network vectors
• • Remote versus local
  • Direct access, wired, remote/wireless, cloud, Bluetooth, default credentials, open ports
• Lure-based vectors
• • Devices, programs, documents, images
• Message-based vectors
• • Email, SMS, IM, web/social media
• Supply chain attack surface
• • Design, manufacture, distribution

Social Engineering

• Social engineering
• Human vectors
• Impersonation and pretexting
• Phishing and pharming
• Typosquatting
• Business email compromise

Cryptographic Algorithms

• Cryptographic concepts
• Symmetric encryption
• • Same secret key encrypts and decrypts
• Key length
• Asymmetric encryption
• • Public/private key pair
• Hashing
• • Non-reversible
• Digital signatures
• • Sign message hash with private key and validate with public key

Public Key Infrastructure

• Certificate authorities
• Digital certificates
• Root of trust
• Certificate signing requests
• Subject name attributes
• Certificate revocation
• Key management
• Cryptoprocessors and secure enclaves
• Key escrow

Cryptographic Solutions

• Encryption supporting confidentiality
• Disk and file encryption
• Database encryption
• Transport encryption and key exchange
• Perfect forward secrecy
• Salting and key stretching
• Blockchain
• Obfuscation

Authentication

• Authentication design
• • Something you know/are/have
• Password concepts and password managers
• Multifactor authentication
• Biometric authentication
• Hard authentication tokens
• • Smart cards, OTP generators, FIDO U2F
• Soft authentication tokens
• • Two-step verification
• Passwordless authentication

Access Management

• Discretionary and mandatory access control
• Role-based and attribute-based access control
• Rule-based access control
• Least privilege permission assignments
• User account provisioning
• • Identity proofing, secure credentials, asset allocation, policy/awareness training, permissions assignments
• Account attributes and access policies
• Account restrictions
• • Location- and time-based
• Privileged access management
• • Zero standing privileges and ephemeral/vaulted credentials

Enterprise Network Architecture

• Architecture and infrastructure concepts
• • Media, applications/services, data supporting workflows
• Network infrastructure
• • OSI layer model
• Switching and routing infrastructure considerations
• Security zones and attack surface
• Port security and physical isolation
• • MAC filtering, 802.1X/EAP/RADIUS
• Architecture considerations
• • Cost, compute/responsiveness, scalability/ease of deployment, availability, resilience/ease of recovery, power, patch availability, risk transference

Network Security Appliances

• Device placement
• • Defense in depth plus use of preventive, detective, and corrective controls
• Device attributes
• • Active versus passive, inline versus TAP/monitor, fail-open versus fail-closed
• Firewalls (layer 4/7)
• Proxy servers
• Intrusion detection systems
• Next-generation firewalls and unified threat management
• Load balancers
• Web application firewalls
• Remote access architecture
• • Tunneling, client-to-site remote access VPN, site-to-site VPN
• Transport Layer Security (TLS) tunneling
• Internet Protocol Security (IPSec) tunneling
• Internet Key Exchange
• Remote Desktop
• Secure Shell
• Out-of-band management and jump servers