Cybersecurity
What's in the scope of cybersecurity
While the OSCP lessons and most of the lessons online only talk about CIA, because they come from a web pentesting point of view, I prefer my own model, which also takes legal matters, reliability and OT into account: CIARANT.
Risk
From the lessons I had before:
Risk = (Threat x Vulnerability / Counter-measure) x Impact
Threat
When we are talking about threat, we have to think about what we do and who may be interested in stealing our stuff or sabotaging us. Everyone is at risk from the bored kid, but only some companies need to be ready to face the threat of an entire state's resources, and the probability of this threat may change over time depending on the politico-economic context and the core business. What's most important about the threat is that you can't control it.
Vulnerability
It's the joint job of the red team and Dev/Operations to identify these vulnerabilities and try to lower them to minimize the global risk.
Counter-measure
It's the job of the blue and purple teams; I'm too far from this world to not make mistakes, so I will shut up.
Impact
This one is from my teacher, who adds that it weights the risk for the different features/resources exposed.
Ruling
LAWS
HIPAA (Health Insurance Portability and Accountability Act)
- US (United States) health privacy law covering protected health information (PHI) held by covered entities and business associates.
- Privacy Rule limits use/disclosure and grants individual rights to access and amend records.
- Security Rule protects electronic PHI (e-PHI) with administrative, physical, and technical safeguards.
- Breach Notification Rule requires notice to affected individuals without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals also require prompt notice to HHS (Department of Health and Human Services) and to prominent media outlets in the affected state, while smaller breaches are logged and reported to HHS annually.
- Enforced by HHS Office for Civil Rights (OCR) with civil penalties.
FERPA (Family Educational Rights and Privacy Act)
- US law protecting education records at schools receiving Department of Education (ED) funding; the parents' rights transfer to the student (an "eligible student") at age 18 or on enrollment in a postsecondary institution.
- Rights: inspect/review records (within 45 days), request amendment, and consent before disclosure of personally identifiable information (PII).
- Exceptions allow disclosure without consent (e.g., school officials with legitimate educational interest, transfers, health/safety emergencies, judicial order/subpoena, and directory information with opt-out).
GLBA (Gramm-Leach-Bliley Act)
- US law for financial institutions to protect nonpublic personal information (NPI).
- Privacy Rule: provide notices and allow opt-out before sharing NPI with nonaffiliated third parties (with exceptions).
- Safeguards Rule: written information security program with administrative, technical, and physical safeguards, plus risk assessment and oversight.
GDPR (General Data Protection Regulation)
- EU (European Union) law with extraterritorial scope: it applies to controllers/processors outside the EU when they offer goods or services to people in the EU or monitor their behaviour (Article 3(2)).
- Processing must have a lawful basis (e.g., consent, contract, legal obligation, vital interests, public task, legitimate interests).
- Data subject rights include access, rectification, erasure, restriction, portability, objection, and limits on automated decisions.
- Requires a data protection officer (DPO) in specific cases (public authorities, large-scale monitoring, or large-scale special-category data).
- Personal data breaches must be reported to the supervisory authority within 72 hours unless unlikely to risk rights/freedoms.
- Fines up to EUR 20M or 4% of global annual turnover (whichever is higher) for the most serious infringements; a lower tier of EUR 10M or 2% applies to the others.
Key Disclosure Laws
- Some jurisdictions can compel disclosure of encryption keys or decrypted data in investigations.
- Example: UK RIPA (Regulation of Investigatory Powers Act) Part III uses section 49 notices; failure to comply is a criminal offence under section 53, punishable by imprisonment.
CCPA (California Consumer Privacy Act)
- California privacy law for for-profit businesses that meet statutory thresholds: annual gross revenue over USD 25 million, personal information of 100,000 or more consumers/households, or 50% or more of annual revenue derived from selling or sharing personal information.
- Rights include know/access, delete, correct, opt-out of sale or sharing, limit use of sensitive personal information (SPI), notice at collection, and non-discrimination.
- Amended by CPRA (California Privacy Rights Act), which added the correction right, the SPI limitation right, and the California Privacy Protection Agency (CPPA) as enforcer alongside the Attorney General.
Standards and Frameworks
PCI DSS (Payment Card Industry Data Security Standard)
- Industry security standard maintained by PCI SSC (Payment Card Industry Security Standards Council) to protect payment account data.
- Applies to any entity that stores, processes, or transmits cardholder data or sensitive authentication data, and to service providers that can affect its security.
- Organized as 12 requirements (v4.0) covering network security, protection of stored and transmitted account data, vulnerability management, access control, monitoring and testing, and security policy; compliance is validated by self-assessment questionnaire or QSA (Qualified Security Assessor) audit depending on merchant/service-provider level.
CIS Controls (Center for Internet Security Controls)
- Set of 18 prioritized controls (v8) broken down into 153 safeguards, grouped into Implementation Group 1 (IG1), IG2, and IG3.
- IG1 is essential cyber hygiene; IG2 and IG3 are cumulative (every IG1 safeguard is in IG2, every IG2 safeguard is in IG3) and add safeguards for more complex or higher-risk environments.
NIST (National Institute of Standards and Technology) CSF (Cybersecurity Framework)
- Risk-based framework with six functions (CSF 2.0, which added Govern): Govern, Identify, Protect, Detect, Respond, Recover.
- Uses the Core (functions, categories, subcategories), Profiles (Current vs Target) and Tiers (Partial, Risk Informed, Repeatable, Adaptive) to map current vs target posture.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) and D3FEND (defensive countermeasure knowledge base)
- ATT&CK is a knowledge base of adversary tactics (the "why" of an action) and techniques/sub-techniques (the "how") based on real-world observations, organized into Enterprise, Mobile, and ICS matrices and cross-referenced to threat groups, software, mitigations, and data sources for detection.
- D3FEND is a defensive countermeasure knowledge base that catalogs defensive techniques (harden, detect, isolate, deceive, evict, model, restore) and maps them to ATT&CK offensive techniques through the digital artifacts they both touch.
ISA/IEC 62443 (International Society of Automation / International Electrotechnical Commission 62443)
- Series of standards for securing industrial automation and control systems (IACS) in operational technology (OT) environments.
- Defines security levels (SL 1 to SL 4) for zones and conduits according to the attacker capability they must resist, maturity levels for processes, and requirements for each stakeholder role (asset owners, system integrators, product suppliers).
Cyber Kill Chain (Lockheed Martin)
- Seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), actions on objectives.
- Used to map the intrusion lifecycle and pick the stage where detection or disruption is cheapest; it is intrusion-centric (largely pre-breach), so it is often paired with ATT&CK for post-compromise behaviour.
FedRAMP (Federal Risk and Authorization Management Program)
- US program providing standardized security assessment, authorization, and continuous monitoring for cloud services used by federal agencies.
- Uses Low, Moderate, and High baselines derived from NIST SP 800-53 controls and aligned to FIPS 199 impact levels; authorization is granted by an agency (agency ATO) or the Joint Authorization Board.