If you’re relatively new to cybersecurity – and even if the relentless cybercriminal attacks of the past 18 months have made you feel like a seasoned pro – there are relatively new terms being used, sometimes interchangeably.

Some of the common ones, with apologies to IT professionals who live and breathe this daily:

• • COMSEC (Communications Security)
  • COMSEC refers to everything related to the prevention of unauthorized access to information sent by telecommunications in readable form, while ensuring the information is delivered accurately to the intended recipients.
  • This includes disciplines such as Cryptographic Security (which encrypts the data and renders it unreadable until decrypted at the other end), Emission Security (which prevents data from being gleaned from radiated electromagnetic signals and other machine emanations), Transmission Security (which includes controls another measures employed to ensure transmissions are not disrupted or intercepted) and, of course, physical security.
  • Defence-in-Depth (DiD) a.k.a. the Castle Approach
  • Just as it was necessary to protect castles with ramparts, moats with drawbridges, archer-filled towers and other layers of defence, multiple layers of security defence are required to protect networks and clouds today.
  • A DiD strategy, although requiring additional time to implement because of its complexity, includes redundancies that mitigate breach risk by preventing any single point of failure.
  • Typically, a DiD approach includes a combination of security best practices, strong protocols and policies and the adoption of tools such as firewalls, data encryption and integrity auditing solutions, intrusion prevention and detection systems, malware scanners, endpoint protection, detection and response, network segmentation, etc.
  • In terms of best practices, organisations go beyond patch management and requiring strong passwords, to using multifactor authentication, applying the principle of least privilege (assigning users access only to files and parts of the network absolutely essential to their work).
  • Distributed Denial-of-Service (DDoS) attack
  • A Distributed Denial-of-Service (DDoS) attack targets websites and online services with the goal of rendering the service inoperable by overwhelming the system with more traffic than the server or network can handle.
  • Typically, this includes a combination of messages, connection requests and fake data packets. This approach is one of the most powerful weapons in the cybercriminal’s toolkit.
  • One of the first recorded DDoS attacks was in 2000. Michael Calce, a 15-year-old Canadian, living in Montréal, whose online handle was “Mafiaboy”, hacked into the computers in a number of universities, and used their servers to crash several major websites. The story made international news because he took down CNN, eBay, E-trade and Yahoo. Luckily, Michael has become a “white hat hacker”, helping to identify vulnerabilities for the types of companies he once targeted.
  • Unfortunately, the perpetrators of today’s attacks are no longer boys in basements (literally). Sophisticated criminal networks and other bad actors use botnets. Botnets, sometimes referred to as “zombie computers”, are a network of remotely controlled hacked computers or bots, numbering in the thousands to millions. Often, IoT devices are hijacked for such purposes – without the owners ever being aware. This approach enables the process of overwhelming the bandwidth of targeted networks, service and websites to be easily automated.
  • In many instances, DDoS attacks our uses diversionary tactics to enable malicious code and/or ransomware to be installed on organisations’ networks, for a more nefarious Phase II attack.
  • MDR (Managed Detection and Response)
  • Managed Detection and Response firms (MDRs) are third-party IT cyber security services that detect anomalies, malware, intrusions and other suspicious or malicious activity in your network and will remediate the problem as quickly as possible. MDRs deploy multiple state-of-the-art detection technologies, and are rarely bound to a single manufacturer or provider. These tools include advanced analytics engines, behaviour-based detection software, credential theft and escalation detection, machine learning and anomaly detection algorithms, among others.
  • Some of the best MDRs also have proprietary forensic analysis tools that are used in conjunction with current best-in-class solutions.
  • Most companies can’t afford the range of protection provided by MDRs, or to invest in the constant updates required to keep the technologies used as up-to-date as the ones deployed by cyber criminals, which is why they are becoming an important part of many organisations’ cyber security strategic approach.
  • MSSP (Managed Security Services Provider)
  • A Managed Security Services Provider is engaged when organisations want to have top cyber security specialists helping to safeguard their systems.
  • Please view our May 14^th blog to read 10 Reasons for Engaging Outside Experts to Manage Your Cybersecurity
  • Network Security Zone
  • A Network Security Zone is the name given to a collection of systems, with a well-defined boundary, governed by the same access control policies – each with a specific purpose. Each zone can have a single IP address or a combination of multiple IP addresses and subnetworks, but will contain devices similar security profiles.
  • The practice of using networks zones is an accepted means of helping to build additional security into a network’s architecture. Communication between each of the zones is tightly controlled by series of policies tied to a firm’s security solutions.
  • Frequently, networks zones form part of an overall perimeter defence strategy. This case, each zone may have multiple layers to it, with traffic usually flowing in one direction only (obviously essential two-way communication is allowed, but the goal is to minimize two-way flow). The outmost layer is usually the only one actually connecting to the Internet. Deeper down, below firewalls and other protective layers, is where you’ll find applications and databases. As you may have gathered, this is part of a DiD approach.
  • SEM (Security Event Management)
  • Security event management (SEM) refers to the process of monitoring security alerts generated by all applications, along with data inputs from all devices/nodes and network hardware that’s running and correlate the events. The event data is analysed with various security algorithms, and the threat vector and risk is assessed, and data provided to the IT professional.
  • The cyber specialist or network administrator must then judiciously examine these notifications and console views – and assess their significance and threat level in real time.
  • SIM (Security Information Management):
  • The effectiveness of any firm’s Security Information Management approach is determined by the effectiveness of the policies and processes supported, and the analytic capabilities of the team making the assessments. Unfortunately, many organisations are unable to hire senior security specialists, which is why SIM products are being adopted with increasing frequency.
  • Often referred to as “log management”, SIM products automate the process of collecting, monitoring and analysing security-related data from computer logs.  This is a huge job which includes assessing data from multiple sources including antivirus and advanced malware protection alarm logs,  intrusion-detection systems (IDS), intrusion-prevention systems (IPS),  routers, servers, switches, etc.
  • For data that requires long-term storage, it’s essential to review your SIM strategy regularly as needs usually change over time, and different approaches are usually required as tech evolves.
  • SIEM (Security Information and Event management)
  • As its name suggests, this is a combination of combines SEM and SIM approaches, practices in and technology solutions. As might be expected from the above descriptions, SIEM software solutions gather security-related data, including threat vectors and anomalous behaviour, from network devices, servers, domain controllers, etc. from across your entire IT infrastructure, including cloud. Events and information are managed, true risks are reported so they can be investigated and remediated as necessary. According to Gartner, and all major manufacturers of SIEM software, the three critical requirements for effective SIEM system: threat detection, quality of investigation and timeliness of response.
  • Security as a Service (SECaaS) or Cyber Security as a Service (CSaaS)
  • This refers to having a third-party firm handle your cybersecurity needs, enabling you to have top notch experts managing your network and cloud security needs – and allowing you to move related costs into at your operating budget, rather than having to purchase software that may be viewed as a capital expense, with the purchase scrutiny often required.
  • In addition to managing your security needs on a daily basis, most firms will also provide:
    • An initial assessment of your current system security posture, with attendant recommendations as necessary.
    • A review of your Breach Response Plan and Disaster Recovery processes. If you lack either, most providers will help you develop one plans and processes that are right for your organisation to ensure business continuity.
    • Penetration testing is needed to ensure insurance requirements are met.
    • Cyber security training for employees and ongoing social engineering testing.
  • According to a survey of 10,000 businesses and IT executives completed by PWC immediately pre-pandemic, 62% of organisations now use outside cybersecurity Specialist firms to manage this portion of their business.
  • Again, for more information, I urge you to read 10 Reasons for Engaging Outside Experts to Manage Your Cybersecurity

• Blue Teaming – Pillar 1 in the Penetration Triumvirate
• When trying to determine the vulnerability of any network, security experts (internal and third-party) employ various measures to try and breach the company cloud, network and databases. Three teams usually get involved: Blue, Red and Purple.
• The Blue Team’s job is to deploy all the tools at their disposal to protect the system – to defend the organisation’s critical assets from all types of threats. Using our earlier analogy, the Blue Team’s job is to strengthen the castle walls so that no marauding intruder can get past.
• The Blue Team will conduct regular system checks (e.g. DNS audits), analyse network traffic at random periods, regularly monitor for unusual activity and monitor all system logs. It is also their job to ensure employees and other stakeholders understand, and comply with, the company security processes.
• The Blue Team also identifies potential vulnerabilities, assesses the risk of each, along with the potential impact of each threat. This includes damage to operations, reputation and the bottom line. Plans are then usually developed, in conjunction with senior management, for introducing new software and or implementing new controls to lower the risk in each category.
• Red Teaming – Pillar 2 in the Penetration Triumvirate
• The Blue Team is responsible for protecting the castle – and the Red Team is responsible for trying to storm the bastions. And, as in battle, the Red Team will spend far more time planning their approach than in actually executing the (simulated, yet very realistic) attack.
• That being said, although “simple” penetration testing may only take 5 – 10 days, Red Team exercises can last months.
• What we’re really talking about here, is ethical white hat hacking. The Red Team will use multiple tools from their arsenal over a period of time. Typically, targeted phishing campaigns designed to capture credentials, combined with packet sniffers and protocol analysers, are used in an attempt to gain system access.
• Social engineering activities are often used to help Red Team “accomplices” gain access to computer rooms – the lock picking is fair game, too.
• In short, the Red Team will do whatever it can to reach the company’s physical and digital assets, so that vulnerabilities can be discovered. Obviously, this requires excellent communication between the Red and Blue Teams, and full involvement and support of management.
• Purple Teaming
• Above we said that the Blue Team and Red Team must communicate closely, but theirs is a highly competitive relationship, with one team trying to best the other – despite the common goal of protecting the organisation.
• For this reason, many firms will introduce a Purple Team whose role is to ensure collaboration between the two groups can find ways for insights to be shared.
• Vulnerability Chaining – also known as Daisy Chain Attacks
• In the simplest terms, this is where one small local vulnerability, one that may have been overlooked, gets breached by cybercriminal, who can then gain access to the entire network. In most instances, they have well conceived, sophisticated plans already in place for how they will spread out through your network, once they managed to sneak in somewhere.
• Unfortunately, this is a well-established practice of Advanced Persistent Threat (APT) groups – and we say groups because these are well-orchestrated attacks, by well-organized and well-funded teams. Even scarier is that, according to a cybercriminal we interviewed in February 2021, the dark web is home to multiple forms where attack strategies are debated and malicious code shared. Common topic for discussion: figuring out the path of least resistance for the initial compromise and then determining the best way to exploit privilege escalation.

As you know from our other blog posts and material you encounter on a daily basis, cybersecurity is a top risk for all organisations, in all sectors, in all industries. This is an area in which we have a lot of experience and excellent partners. To learn how we can help you, or simply to get more information, please feel free to contact us at [email protected] or (416) 429-0796 or 1.877.238.9944 (Toll Free).