Security References#

Advantage in cybersecurity is gained by harnessing smart ideas. So we collect resources that work and are open to use. Open licensed cybersecurity references are therefore preferred over resources that are merely a fad built on the latest technology buzz.

Creating a good solid cyber security solution is complicated. So the most valuable tip is:

Use and reuse good knowledge

Using and reusing good open cyber security references saves you time and improves the quality of your solution.

Good and excellent knowledge for building better security solutions is available under open access licenses. This is why all references in this section are open access references or are available for free under an open, liberal license.

Too often, information behind a paywall turns out to be a fad or pure marketing material. So be warned!

Attack methods#

Rowhammer: http://www.thirdio.com/rowhammer.pdf or https://en.wikipedia.org/wiki/Row_hammer

DDoS: https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf

Learning from attacks#

Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse (KRACK). Comes with a hands-on description; check it out: https://www.krackattacks.com/

Threat Models#

The OWASP Automated Threat Handbook provides actionable information and resources to help defend against automated threats to web applications. https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

The Cyber Law Toolkit#

The Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and cyber operations. The Toolkit may be explored and utilized in a number of different ways. At its core, it presently consists of 25 hypothetical scenarios. Each scenario contains a description of cyber incidents inspired by real-world examples, accompanied by detailed legal analysis.

Great toolkit, with all material available under a nice CC BY-SA 4.0 license.

Check the toolkit on: https://cyberlaw.ccdcoe.org/wiki/Main_Page

The Common Criteria for Information Technology Security Evaluation (CC)#

If you want to launch a product in many countries and want to make sure you follow all regulations per country, a smart thing to do is to make use of the Common Criteria checks.

The Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that:

  • Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance;

  • Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;

  • The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation. These certificates are recognized by all the signatories of the CCRA.

More information on: https://www.commoncriteriaportal.org/

Web Authorization Protocol (OAuth)#

Web Authorization Protocol (OAuth), OAuth 2.0 threat model and security considerations (IETF draft): https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01

Mozilla Information Security Guides#

Security Assurance and Security Operations. Technical guidelines, principles and general information as used by the infosec team of Mozilla.