Chapter 1
International Telecommunication Union (ITU)
A UN agency charged with global tasks related to telecommunications. It allocates shared global use of the radio spectrum, coordinates national governments in assigning satellite orbits, and promotes global technical standards related to networking and communication. Many ITU standards are recognizable by their "letter-period-number" format, including X.509 (digital certificates) used by secure websites, and H.264 (MPEG-4) used for digital video encoding both on the internet and by television providers.
NIST cybersecurity framework (CSF)
A framework containing voluntary guidelines for private sector organizations in the United States, particularly in critical infrastructure. It is shorter and higher-level than RMF, focusing on standard guidelines and language for cybersecurity, and based on industry standards and best practices. It does not contain detailed risk-management procedures or security controls, so you should use it in conjunction with RMF or another framework.
Federal information security management act (FISMA)
A law applying to all federal agencies. It requires every agency to develop, document, and implement an information security and protection program. Each agency can establish its own program, but the act provides guidelines for minimum standards and cost-effectiveness. It also provides guidelines for information security reviews and reporting to the Office of Management and Budget (OMB).
Gramm-Leach-Bliley Act (GLBA)
A law designed to protect the customers of financial institutions. It requires that such institutions meet minimum standards to safeguard the personal information of their clients and customers. It also requires them to inform customers about how their data will be stored, used, or shared
CIA triad
Confidentiality, Integrity, Availability
communications
Developers should communicate openly with users and administrators about security issues with the software. Without communication, vulnerabilities won't be found and mitigated.
strategic plan (organizational planning)
A business-wide plan based on the organization's vision, values, and objectives, created by senior management. Strategic plans are designed to meet the long-term goals of the company, so they may look well into the future. Often, they are primarily statements of principle rather than hard and fast points, but they're used to shape plans at all levels of the organization. A strategic security plan might include elements like "ensure our customers know their data is safe, and how it is being used."
benchmark (security documentation)
A checklist of potential vulnerabilities in a piece of software along with configuration settings you can use to mitigate them. Also known as a secure configuration guide. A benchmark might be for a particular hardware or software product, or it might be for a generic type instead of a specific product. A benchmark for Windows Server would tell you to make sure domain policies are set to require eight-character complex passwords.
least privilege (confidentiality control)
Users are given only the permissions they need to perform their actual duties. It can be enforced at the human level by policies or at the technical level by system or account permissions.
encryption (confidentiality control)
Uses mathematical processes to render data unreadable to those without the proper decryption key. Secure communications widely use encryption, but there are many technical challenges involved in ensuring it is secure.
National Institute of Standards and Technology (NIST)
A US government agency charged with developing and supporting standards used by other government organizations. While it primarily promotes standards for use by the US government, they are frequently used by others with similar technology needs. In recent years, computer security standards have become a major part of its mission. NIST shares most of its findings with the broader security community and regularly publishes information about known software vulnerabilities and security best practices.
single point of failure
A component or entity in a system which, if it no longer functions, would adversely affect the entire system.
Sarbanes-Oxley Act of 2002 (SOX)
A federal law designed to protect investors from fraudulent corporate accounting practices. It applies to all publicly traded companies and public accounting firms that do business in the United States. Some provisions even apply to private companies. From the IT perspective, Sarbanes-Oxley primarily regulates the preservation, auditing, and disclosure of financial records and related communications. Data protected by the act cannot be deleted for a set period after its creation, and neither it nor accounting software can be modified without an appropriately documented process.
Health Insurance Portability and Accountability Act (HIPAA)
A federal law designed to protect the health insurance coverage of workers who change or lose their jobs. The important part from an IT perspective is how it protects the privacy of patient records. HIPAA defines protected health information (PHI) and regulates how it can be used or disclosed. It also defines security standards for the storage and access of PHI.
Family educational rights and privacy act (FERPA)
A federal privacy law that governs access to educational records held by any school or other educational institution. The act requires that adult students or the parents of minor students have access to their records and strictly limits how those records can be shared with others without their consent. FERPA describes guidelines for what data must be protected and how it may be disclosed
controls (security documentation)
Any safeguard or countermeasure that is designed to reduce security risks. Security policies and procedures themselves are controls, but when you see "control" used as a contrasting term, it generally means a physical or technological tool that enforces policy goals. The password-protected login system itself is a technical control, as is the password complexity enforcement that rejects new passwords if they don't meet the standard.
security professional
Any technically trained employee who is responsible for implementing security controls as designated by upper management. Security professionals at all levels are responsible for performing security tasks, overseeing users, and recognizing policy violations or security incidents. While they can advise upper management, they don't make policy decisions on their own.
vulnerability
Any weakness the asset has against potential threats. Vulnerabilities can be hardware, software, or human/organizational; likewise, they can represent system shortcomings or known tradeoffs for desired features. Many attacks are exploits targeting specific vulnerabilities known to the attacker
Patch management (availability control)
Whether security and stability updates are being applied proactively or in response to a security incident, it's essential to make sure they don't unduly disrupt system availability. Some patches, often known as hotfixes, can be applied to a system with little or no downtime. Otherwise, to maximize availability, you can schedule downtime to coincide with low-usage periods.
backups (integrity control)
When data is changed or lost, regular and complete backups can be used to restore it to its original form. Effective backup systems require policies governing what is backed up and when, technical methods for the process itself, and security controls to protect the data in the backup copy
National Security Agency (NSA)
A US signals intelligence agency, responsible for information gathering, codebreaking, and codemaking. The NSA develops cryptographic standards and secures government information against attack. Much of the NSA's work is classified, but it has had a visible role in designing and standardizing some of the most widely used cryptographic standards, such as DES, AES, and SHA.
NIST CSF component-Profile
A description of how a specific organization can achieve its security goals by indexing its core functions, categories, and subcategories against its business requirements and resources. Every organization should have a current profile describing its existing state and a separate target profile describing its security goals. Comparing the two will reveal what needs to be done. An organization might have a different pair of profiles for every component of its security structure.
General data protection regulation (GDPR)
A newly enacted European Union privacy law governing all individual data relating to EU residents. It addresses the security, privacy, and export of such data. The GDPR is even important to American companies since it specifically applies to foreign organizations that do business with or market to EU residents. Internet commerce means that this may also apply to organizations that have no physical presence in the EU
Center for Internet Security (CIS)
A non-profit organization formed by a large number of commercial, academic, and government organizations. The CIS's mission is to identify, develop, and promote best practices in cybersecurity. To this end, it develops security benchmarks and assessment tools for a wide variety of operating systems and network applications.
Manager
A person who is responsible for the organization's assets and who is empowered to make decisions about how to protect them. How many levels of management there are depends on the organization, but ultimately senior management must approve all security decisions and will be held liable for any security failings. Management frequently delegates technical decisions to other people, but must still practice due diligence and due care, ensuring that security policies are both soundly designed and faithfully implemented.
Operational plan (organizational planning)
A plan describing how to perform specific day-to-day operations to meet goals described in a strategic or tactical plan. Operational plans include policies and procedures, which can be created or administered by low-level management and followed directly by employees. They can be one-time events or ongoing operations performed as often as needed. Operational plans to achieve the strategic and tactical plans might include updating database software to ensure compliance with the new regulations, or new auditing policies to detect violations by employees.
Institute of Electrical and Electronics Engineers (IEEE)
A professional association of engineers and scientists of many disciplines, including computer scientists, software developers, and IT professionals. The IEEE's mission is to advance technological innovation of all sorts, and it publishes standards in many technological fields. One family you're likely familiar with is the IEEE 802 networking standards, such as Ethernet (802.3) and Wi-Fi (802.11).
framework (security documentation)
A program or blueprint that documents the overall processes you need to design policies achieving specific security needs. A good framework is designed and maintained by a certification body or standards organization drawing from the practices and experiences of organizations with similar needs. It may include a wide variety of more specific documents, or it might just be a structure for you to develop your own
Cloud security alliance cloud control matrix (CSA CCM)
A security framework that details 133 security controls for cloud services. It is structured into 16 domains that cover all aspects of operating as a cloud service provider. They are designed to audit compliance with the CSA's Enterprise Architecture (formerly the TCI Reference Architecture); however, both can interoperate with many other industry standards and frameworks. The CCM is useful for cloud providers to secure their services and for customers to assess security risks related to a cloud provider
CIS Critical Security Controls for Effective Cyber Defense (CIS CSC)
A set of 20 best-practice guidelines for general cybersecurity, initially developed by the SANS Institute. Also known as the CIS 20 or the SANS Top 20. Each control on the list defines a type of action you can use to reduce cybersecurity vulnerabilities. Each control is written in language that's understandable to typical IT personnel, and it is designed to be applied primarily by automated processes to reduce labor costs. The CSC is designed to map to the NIST CSF, making it a useful tool in implementing that framework.
NIST CSF component-Core
A set of common and continuous cybersecurity functions that can apply to almost any industry sector: Identify, Detect, Respond, and Recover. All five functions must be considered together, and each has individual underlying categories and subcategories. These references include standards such as NIST 800-53, ISO 27001, COBIT, ISA/IEC-62443, and the CIS Controls
NIST CSF component-Tiers
A set of implementation tiers describing how the organization views cybersecurity risk, and what overall approach it takes toward managing those risks. Lower tiers indicate informal or reactive approaches to risk management, while higher tiers indicate formalized, active approaches. Sometimes NIST implementation tiers are described as a maturity model, where Tier 4 is the ideal every organization should evolve toward. NIST discourages that interpretation and instead recommends that organizations only move to a higher tier when doing so cost-effectively reduces risk according to their goals. The tiers are: 1: Partial; 2: Risk Informed; 3: Repeatable; 4: Adaptive.
World Wide Web Consortium (W3C)
A standards organization founded to develop and maintain interoperable standards for the World Wide Web (WWW) used by web browsers, servers, and other technologies. W3C standards include HTML, XML, CSS, and many others used for web-based communications. While the W3C's publications don't focus on security technologies, the security of web standards is an essential topic in information security.
policy (security documentation)
A statement describing how the organization is to be run. A policy reflects organizational intent and goals, and is generally written for broad audiences rather than strictly technical personnel. Compliance with policies is mandatory for all employees or users; any exceptions defining when policies should be disregarded must be documented as policies. "User accounts must be protected by strong passwords" might be found in a policy.
fault tolerance (availability control)
A system designed to continue functioning if a hardware or software component fails. Often this is done via redundant components: for example, RAID storage uses multiple redundant disks so that if one fails, it can be replaced without data loss or even interrupting operations. Other fault-tolerant systems include software that will automatically resume operations after encountering errors and backup electrical power sources such as UPS or generators
Managerial (security control)
Also known as administrative controls, these represent organizational policies and training regarding security. Management controls define the other control types in use by an organization, so they're the starting point for implementing security. Common management controls include password policies, employee screening, training procedures, and compliance with legal regulations
Statement on Standards for Attestation Engagements (SSAE)
An auditing standard published by the American Institute of Certified Public Accountants (AICPA). It can be applied to any subject matter, but it is intended to ensure accurate, complete, and fair financial reporting. It pays particular attention to operational controls on information systems used for financial reporting and is valuable for SOX compliance.
Open Web Application Security Project (OWASP)
An international non-profit organization founded to further the state of web application security. OWASP provides freely available guidelines, articles, software tools, and other resources, all of which are devoted to the development and testing of secure web applications. Their regularly updated "Top Ten" list is a popular resource for common web application vulnerabilities
International Organization for Standardization (ISO)
An international organization comprised of the standards bodies of over 160 member nations. ISO standards include everything from the OSI network model (ISO/IEC 7498-1) to the twist direction of yarn (ISO 2); many involve information technology or security standards and practices. When ISO standards are revised, their years are attached: in 2013, ISO 27001:2013 replaced the older ISO 27001:2005
Internet Engineering Task Force (IETF)
An open standards organization under the management of the Internet Society, consisting of volunteer contributors. It developed many common internet protocols by consensus, distributing numbered Request for Comments (RFC) documents via its mailing lists. A specification that advances through the review process is classified as a proposed standard and, finally, an internet standard.
Threat
Anything that can cause harm to an asset. Attacks caused by malicious actors are threats, but so are human errors, equipment malfunctions, or natural disasters. The mechanism of a particular threat is called a threat vector or mechanism vector. For example, common threat vectors include malware, fraudulent email messages, or password cracking attempts.
separation of duties (confidentiality control)
Breaking critical tasks into components, each of which is performed by a different employee with different permissions.
corrective (security control)
Follow-up controls used to minimize the harm caused by a security breach and to prevent its recurrence. Corrective controls include restoring data from backups, changing compromised passwords, or patching vulnerable systems. Ideally, a corrective control leaves the system more secure than it was before the threat occurred.
physical (security control)
Methods used to guarantee the physical security and safety of organizational assets. Physical controls can include locks, fences, video surveillance, and security guards
detective (security control)
Monitoring controls which either detect an active threat as it occurs or record it for later evidence. Either way, detective controls primarily notify security personnel who can take preventative or corrective measures, rather than securing assets themselves. Typical detective controls include security cameras, network logs, auditing policies, and physical or network alarms
secure by deployment
Software should be easy for users to deploy and maintain in a secure state. Installation and maintenance tasks should be well documented, security features like logging should be easily accessible, and security patches should be easy to apply. Software that isn't secure by deployment tends to develop vulnerabilities over time
version control (integrity control)
Storing multiple versions of files meant for frequent and collaborative change, such as documents, code repositories, and other collections of documents. Version control systems don't prevent data from being changed or deleted, but automatically track changes and allow easy reversion to the original state
international organization for standardization (ISO) frameworks
The ISO 27000 series is a broad risk-management framework containing information security guidelines for all sorts of organizations. It's comprehensive, including specific documents for individual security areas. The ISO 31000 series is an even broader risk-management framework that applies to all aspects of organizational risk and its effects on business goals. It is not limited to information systems, but it uses standards in alignment with the 27000 series. Compared to the 27000 series or RMF, it is more focused on organizational leadership and less on informing cybersecurity decisions.
true negative (event evaluation)
The event was benign and triggered no alerts. This is a good result, since everything is quietly working correctly.
false positive (event evaluation)
The event was benign, but the analysis mistook it for a problem. This is bad: frequent false alarms can disrupt routine functions, cost administrators time, or just make people less alert when a real attack happens
Internet Society (ISOC)
The parent organization of the IETF and several other organizations and committees involved in internet development. The ISOC doesn't directly develop standards; instead, it focuses primarily on organizing conferences, seminars, and training services for its member organizations.
Payment Card Industry Data Security Standard (PCI DSS)
The payment card industry data security standard isn't a law; instead, it's a set of shared rules developed by the world's major credit card companies and administered by the PCI council. PCI DSS compliance is part of the contract an organization must sign before processing payment cards. The standard itself regulates how payment card data must be stored, processed, and transmitted. It also requires a specific standard of vulnerability scanning.
Security
The practice of protecting assets from anything that might do harm to them
digital signatures (integrity control)
A combination of hashing and other cryptography that can verify the authenticity of a message's creator as well as its integrity. Digital signatures can be used to create authentication tools called certificates. They can also be used as a method of non-repudiation, in much the same way that a physical signature can.
standard (security documentation)
A definition of specific methodologies or requirements needed to satisfy policies. Standards are mandatory but tend to have a more technical and specific focus than policies. "Passwords must be at least eight characters long and contain letters, numbers, and special characters" might be found in a standard.
ISO 27001:2013
A management standard describing 114 security controls that can be used to meet 35 control objectives. They are grouped into 14 broader categories, such as "Access Control" or "Supplier Relationships."
tactical plan (organizational planning)
A mid-level plan designed to meet some objective defined by the strategic plan. Tactical plans tend to work toward specific goals, with a defined timeline and allocated resources; often, their creation or oversight is delegated to mid-level management. A security-related tactical plan might be "bring the customer database and associated procedures into compliance with the new privacy law before it takes effect on January 1."
user
A person who has access to a sensitive asset, but not directly in the context of securing it. Users are given access and instruction by security professionals, at the direction of management. Users must have enough training and awareness of security to intelligently comply with user policies and refrain from any actions which may compromise security.
auditor
A person who is responsible for monitoring and reviewing the effectiveness of security policies. Auditors may be outside consultants or independent security professionals within the organization. The goals of auditing are to make sure that security policies are adequately designed, that security professionals are implementing them correctly, and that users are complying with them. To those ends, auditors produce status reports showing the effectiveness of the security program and present them to management so improvements can be made.
false negative (event evaluation)
A problem occurred, and the analysis mistook it for benign behavior. This is potentially disastrous, since any resulting security compromise will go unnoticed.
true positive (event evaluation)
A problem occurred, and the analysis recognized it. This is a good result: even if the problem itself is bad, it was recognized and can be addressed.
NIST risk management framework (RMF)
A risk-management framework defined by SP 800-37, using the controls described in SP 800-53. It uses a six-step cyclical process to identify and manage risks, combining some risk-management flexibility with prescriptive details. RMF compliance is mandatory for US federal government agencies, but it has been adopted by many other public and private organizations.
ISO 27002:2013
A supplementary standard that gives detailed guidance about the functions and best practices for the security controls in ISO 27001. In practice, organizations use 27001 to choose appropriate controls, and then they use 27002 to choose appropriate configurations.
incident
An event or series of events that is unexpected or unusual and that poses some meaningful threat to the system's functions, performance, or security. Example: an email containing a virus.
event
Any meaningful change in a system's state that is both detectable and happened at a specific time. Example: an email arriving.
Chief compliance officer (CCO) and chief privacy officer (CPO)
More specialized roles which ensure compliance with industry regulations and privacy laws, respectively.
non-repudiation
Authenticity is verified in a way that prevents the creator from disputing it.
PCI DSS compliance goals
Build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; maintain an information security policy.
critical infrastructure
Businesses and organizations essential to the orderly functioning of society.
Asset
Anything of value to your organization.
privacy
Control of the personal information of users or customers.
operational (security control)
Day-to-day employee activities which are used to achieve security goals. These are often defined by policies but exist in the effective execution of secure practices. Operational controls include backup management, security assessments, and incident response.
guideline (security documentation)
Descriptions of best practices or recommendations for achieving a specific policy goal. In theory, guidelines are optional and leave room for interpretation. In practice, just how "optional" a given guideline is can vary. Advice on how to design a strong password might be found in a guideline.
secure by design
Developers follow secure development procedures to minimize security bugs and incorporate security controls that resist attack. Software that isn't secure by design will have more vulnerabilities intrinsic to the software, and they will have a greater impact.
policy enforcement
Ensuring security programs are sufficiently funded to allow policy enforcement; performing periodic audits and ongoing monitoring to detect policy compliance issues; establishing reporting procedures for when compliance issues are discovered.
accountability
Ensuring that employee actions with security ramifications are tracked, so that employees can be held accountable for inappropriate activities.
availability
Ensuring that information is always easily accessible to authorized users. In addition to preventing deliberate or accidental data loss, this means making sure that connectivity and performance are maintained at the highest possible level and that security controls aren't overly cumbersome for legitimate users.
Confidentiality
Ensuring that information is only viewable by authorized users or systems.
integrity
Ensuring that information remains accurate and complete over its entire lifetime. It primarily means ensuring that data in storage or transit can't be modified in an undetected manner, but it can encompass all methods for preventing data loss.
Secure by default
Finished software should have default configuration settings that promote secure operation. Software that isn't secure by default will be vulnerable until a knowledgeable user hardens it.
Information Security
Focuses on sensitive data and communications; overall organizational security must also consider assets such as employees, physical property, and business relationships.
PCI DSS compliance controls
Install and maintain a firewall configuration to protect cardholder data; do not use vendor-supplied defaults for system passwords and other security parameters; protect stored cardholder data; encrypt transmissions of cardholder data across open, public networks; use and regularly update antivirus software or programs; develop and maintain secure systems and applications; restrict access to cardholder data by business need to know; assign a unique ID to each person with computer access; restrict physical access to cardholder data; track and monitor all access to network resources and cardholder data; regularly test security systems and processes; maintain a policy that addresses information security for all personnel.
threat examples
Malicious attacks: malware, hackers, thieves, or disgruntled employees. Others: accidental data loss, equipment failures, fire, natural disasters, or anything else that can disrupt business operations.
hashing (integrity control)
Mathematical functions designed to create a small, fixed-size fingerprint of a given message or file, such that any small change in the original data will produce an entirely different hash. Some hashes are only designed to protect against accidental data changes, while others are cryptographic formulas intended to foil malicious modifications.
Chief Information Security Officer (CISO)
May exist in addition to or instead of a CSO. If both exist, the CISO is more technically focused on information assets.
redundancy (availability control)
Multiple or backup systems arranged so that if one fails, others can take its place immediately, or at least more quickly than the original can be repaired. Redundancies can include multiple identical servers able to perform the same function, backup systems that can be quickly brought online, or even entire backup sites for use in case of natural disaster. Redundant systems typically have manual or automatically triggered failover features that allow functions to switch from a failed system to its backup in a way that's transparent to the user.
NIST 800 series
Not a framework in itself so much as a series of documents defining security standards, policies, and procedures for the US government. While they are designed for federal agencies, they contain many useful guidelines for other organizations, and they are available free of charge. Most prominently, SP 800-53 is a comprehensive catalog of security controls used by federal information systems, so it is a valuable resource for choosing security controls.
Chief Information Officer (CIO)
Oversees IT operations. It's a role requiring technical knowledge, but in large organizations it is more strategic than hands-on.
Chief Security Officer (CSO)
Oversees strategic security needs, with a focus on organizational risk management.
preventative (security control)
Proactive controls which act to prevent a loss from occurring in the first place. Preventative controls include locked doors, network firewalls to prevent intrusion, and policies designed to minimize vulnerabilities. Ideally, preventative controls work well enough that the other types are just backup. Since that's not likely in the real world, you can't ignore the others.
Access controls (confidentiality control)
Restrict access to systems and other resources, typically utilizing passwords, smart cards, or other authentication methods. Secure access control systems not only prevent unauthorized access but also enforce user permissions for authorized users and log activity for later review.
need to know (confidentiality control)
Restricting data access to those who require it, beyond restricting who can access a particular sort of data in the first place. Even when users have permission to access data of a particular type and sensitivity, a need-to-know policy can restrict them to the specific information they need, rather than allowing casual browsing that might lead to security risks.
procedures (security documentation)
Specific and ordered instructions for complying with a particular element of a policy or standard. Procedures are mandatory and written for the people who perform them. In general, a procedure represents a short-duration task, while long tasks are called processes and contain multiple procedures. The steps needed to change or reset a password would be written as a procedure.
technical (security control)
Technological solutions used to enforce security, sometimes also called logical controls. Technical controls include firewalls, authentication systems, and encryption protocols, among others. In modern data systems, technical controls do a great amount of the work and require the most exacting knowledge. However, they're still only effective in conjunction with the human activities used to implement and enforce them.
authenticity (trustworthiness)
The ability to verify the source of information in addition to its integrity.
Risk
The chance of harm coming to an asset. Risk measurements can incorporate any combination of the likelihood of harm, the impact it will have on the organization, and the cost of repairing the damage. Risk evaluation is essential in determining where and how to deploy security resources.
security governance
The collection of practices related to supporting, defining, and directing the security efforts of an organization.
steganography (confidentiality control)
The practice of concealing a secret message inside a more ordinary one; for example, a hidden watermark used to show a document's origin should it be stolen or copied. The hidden message itself might be encrypted as well, or it might rely on merely being hard to discover in the first place.
Security Controls
The tools and measures used to achieve security goals. Examples: a network firewall, locks on doors, a company policy of data backups.
deterrent (security control)
Visible controls designed to discourage attack or intrusion, especially in physical security. A locked door might be a preventative control and a security camera a detective one, but the "NO TRESPASSING" sign and the visibility of the camera might dissuade casual attackers from going in, regardless of whether the door is locked. Deterrent controls also include disciplinary policies or training used to discourage employees from ignoring good security practices out of convenience.