Security+ Module 5


Data roles

The data controller manages the purpose and means by which the data is processed. Data processors work on behalf of the controller and are often a third party or a different group.

Disaster types

Environmental threats: tornadoes, hurricanes, earthquakes.
Person-made threats: human intent, negligence, or error; arson, crime, disorder, riots, fire.
Internal (from employees) and external (from outside the organization).

Inherent Risk

Impact + likelihood. The risk that exists in the absence of internal controls (some risk models assume an existing set of controls is already in place).

End of Life (EOL)

The manufacturer stops selling the product but continues to support it; security patches and updates are still provided.

Security controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. Risks come in many different types, and the assets to protect are equally varied. Controls prevent security events, minimize their impact, and limit the damage.

SSAE SOC 2 Type I/II

• The American Institute of Certified Public Accountants (AICPA) auditing standard Statement on Standards for Attestation Engagements number 18 (SSAE 18)
• SOC 2 - Trust Services Criteria (security controls)
  - Firewalls, intrusion detection, and multi-factor authentication
• Type I audit - Tests controls in place at a particular point in time
• Type II audit - Tests controls over a period of at least six consecutive months

Risk management strategies

- Acceptance: take the risk
- Avoidance: stop participating in the high-risk activity
- Transference: buy cybersecurity insurance
- Mitigation: decrease the risk level, e.g. invest in security systems

Risk register

A document in which the results of risk analysis and risk response planning are recorded. Associate the risk with each step and apply possible solutions. Monitor the results.

External threats

A threat to an IT system that comes from outside the organization (hackers, viruses, former employees).

risk assessment

Identify assets that could be affected by an attack: the hardware, customer data, and intellectual property that could be lost. Identify the threats, such as loss of data or disruption of services. Determine the severity of each risk and the total risk for the organization.

Impact

Life - most important consideration
Property - risk to buildings and assets
Safety - the location may be too dangerous to work in
Finance - resulting financial cost
Reputation - an event can cause status and character problems

Labeling sensitive data

Not all data has the same level of sensitivity
- License tag numbers vs. health records
Different levels require different security and handling
- Additional permissions
- A different process to view
- Restricted network access

Data masking

Obfuscation hides some of the original data to protect PII and other sensitive data. The data may only be hidden from view: it is still intact in storage, and visibility is controlled by permissions.

Information Life Cycle

• Creation and receipt - Create data internally or receive data from a third party
• Distribution - Records are sorted and stored
• Use - Make business decisions, create products and services
• Maintenance - Ongoing data retrieval and data transfers
• Disposition - Archiving or disposal of data

Network Infrastructure Devices

• Switches, routers, firewalls, IPS, etc. - You never see them, but they're always there
• Purpose-built devices - Embedded OS, limited OS access
• Configure authentication - Don't use the defaults
• Check with the manufacturer - Security updates
  - Not usually updated frequently
  - Updates are usually important

Memorandum of Understanding (MOU)

- Both sides agree on the contents of the memorandum
- Usually includes statements of confidentiality
- Informal letter of intent; not a signed contract

Data Retention

• Keep files that change frequently for version control
  - Files change often; keep at least a week, perhaps more
• Recover from virus infection
  - Infection may not be identified immediately; may need to retain 30 days of backups
• Consider legal requirements for data retention
  - Email storage may be required over years; some industries must legally store certain data types
• Different data types have different storage requirements
  - Corporate tax information, customer PII, tape backups, etc.

NDA (Non-Disclosure Agreement)

A formal signed agreement between a company and an agency in which the agency promises they will not disclose or share confidential information. One-way or mutual, single party or multiple parties.

risk matrix/heat map

A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders. Assists with strategic decisions.

Cloud Security Alliance (CSA)

A nonprofit organization with a mission to promote best practices for using cloud computing securely. Its Cloud Controls Matrix (CCM) provides cloud-specific controls that are mapped to best practices. Its enterprise architecture provides methodology and tools to assess internal IT groups and build a roadmap for capabilities.

Acceptable Use Policy (AUP)

A policy that defines the actions users may perform while accessing systems and networking equipment. Used by an organization to limit legal liability; it should be well detailed.

clean desk policy

A security policy requiring employees to keep their areas organized and free of papers. Nothing should be left on your desk. The goal is to reduce threats of security incidents by protecting sensitive data.

PCI DSS (Payment Card Industry Data Security Standard)

A standard for protecting credit card data. Its requirements:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

End of Service Life (EOSL)

The date by which the vendor or manufacturer ceases to support a product or software application and stops providing software updates and patches for it.

Web Server Hardening

A web server is accessed from a browser; it is the fundamental server on the Internet. Huge potential for access issues such as data leakage or unauthorized server access.
- Secure configuration
- Information leakage: banner information, directory browsing
- Permissions: run from a non-privileged account and configure file permissions
- Configure SSL: manage and install certificates
- Log files: monitor access and error logs

Device accounts

Access to devices, especially mobile devices. Local security: a device certificate; require screen locks and unlocking standards. Manage through MDM (Mobile Device Management). Add additional security with geography-based restrictions and additional authentication factors, and associate a device with a user.

Third party accounts

Access to external third-party systems, and third-party access to corporate systems, which can come from anywhere. Add additional layers of security such as 2FA (two-factor authentication), and audit the security posture of third parties. Don't allow account sharing; accounts should stay unique.

credential management

Allows usernames and passwords to be stored in one location and then used to access websites and other computers. Passwords must not be embedded in the application; everything needs to reside on the server, not the client. Communication across the network must be encrypted so the credentials cannot be read from the traffic.

personnel accounts

An account on a computer associated with a specific person; the computer associates the user with a specific identification number. Storage and files can be private to that user. User accounts get no privileged access to the operating system. This is the default account type for everyone.

Business Partnership Agreement (BPA)

An agreement between two business partners that establishes the conditions of the partner relationship.
- Going into business together
- Owner stake
- Financial contract
- Decision-making agreement
- Prepare for contingencies

Privacy Impact Assessment (PIA)

An assessment that determines the impact on the privacy of the individuals whose data is being stored, and ensures that the organization has sufficient security controls applied to be within compliance of applicable laws or standards.
• Almost everything can affect privacy - New business relationships, product updates, website features, service offerings
• Privacy risk needs to be identified in each initiative - How could the process compromise customer privacy?
• Advantages
  - Fix privacy issues before they become a problem
  - Provides evidence of a focus on privacy
  - Avoid data breaches
  - Shows the importance of privacy to everyone

background check

An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information. Adverse actions involve denying employment based on the background check and may require extensive documentation.

security framework

An outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.

Role-based security awareness training

Before providing access, train your users on the detailed security requirements. Specialized training: each user role has its own unique security responsibilities. Keep detailed documentation and records, since problems can be severe for everyone. Also applies to third parties.

Multiparty risk

Breaches involving multiple parties, often originating from trusted relationships or from events that affect many different parties.

pseudo-anonymization

Changing data in a way that can be reversed to restore the data to its original state. Replace personal information with pseudonyms, using consistent replacement so that statistical relationships are maintained.

Vendors

Companies that sell products and services to businesses. Every organization works with vendors. Important company data is often shared, and sharing may be required for cloud-based services. Perform a risk assessment for each vendor and manage the risk. Use contracts for a clear understanding, so everyone knows the expectations and a secure environment can be enforced.

Additional data roles

• Data custodian/steward
  - Responsible for data accuracy, privacy, and security
  - Associates sensitivity labels to the data
  - Ensures compliance with any applicable laws and standards
  - Manages the access rights to the data
  - Implements security controls
• Data protection officer (DPO)
  - Responsible for the organization's data privacy
  - Sets policies, implements processes and procedures

Disaster Recovery Plan (DRP)

Details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations. Extensive planning can include backups, data replication, cloud alternatives, or a remote site. Many third party options.

Separation of Duties

Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records.
- Split knowledge: no single person has all the details; one person has part and another has the rest
- Dual control: two people must be present to perform the business function

GDPR (General Data Protection Regulation)

• European Union regulation - Data protection and privacy for individuals in the EU
  - Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer's IP address, etc.
• Controls export of personal data - Users can decide where their data goes
• Gives individuals control of their personal data - A right to be forgotten
• Site privacy policy - Details all of the privacy rights for a user

User training

Gamification: score points against others and earn badges. Capture the flag (CTF): a security competition to hack into a server and steal data in highly technical simulations. Phishing simulations: send users phishing emails or vishing calls and see which users are susceptible to falling for them. Computer-based training (CBT): automated, pre-built training done in the user's own time; everyone receives the same training experience.

Social media analysis

Gather data from social media to understand a person's presence on the Internet and build a personal profile. Can inform decisions in the hiring process.

Data Responsibilities

High-level data relationships in organizations. The data owner is accountable for specific data, e.g. VP of Sales: customer relationship data; Treasurer: financial information.

Data Classification

Identify data types so they can be used and protected efficiently. Associate governance controls with the classification levels, defining how each data class should be managed. Data compliance is driven by laws and regulations such as GDPR.

Qualitative Risk Assessment

Identify significant risk factors and ask for opinions about their significance.
- Likelihood / Annualized Rate of Occurrence (ARO): how likely is it to happen in a year?
- SLE (Single Loss Expectancy): how much monetary loss if a single event occurs? Laptop stolen = $1000 loss value.
- ALE (Annualized Loss Expectancy) = ARO * SLE: 7 laptops stolen a year (ARO) * $1000 (SLE) = $7000 loss

Center for Internet Security (CIS)

Improve cyber defenses with twenty key actions (critical controls), categorized for different organization sizes. Designed for implementation: written for IT professionals with practical tasks.

Residual risk

Inherent risk + control effectiveness: the risk that remains after management implements internal controls or some other response to risk.

Notification

Internal escalation: breaches are often found by a technician, so provide a process to make findings known. External escalation: know when to ask for assistance from external resources to stop an active breach. Public notification and disclosure: governed by security breach notification laws; delays may be allowed for investigation.

Control Categories

Managerial: controls that address security design and implementation (policies and standard operating procedures)
Operational: implemented by people (guards and awareness programs)
Technical: implemented using systems or operating system controls (firewalls, anti-virus)

Operating system hardening

Many and varied - Windows, Linux, iOS, Android, et al.
• Updates - Operating system updates/service packs, security patches
• User accounts - Minimum password lengths and complexity - Account limitations
• Network access and security - Limit network access
• Monitor and secure - Anti-virus, anti-malware

Compliance

Meeting the standards of laws, policies, and regulations: a large catalog of rules spanning many aspects of business and life. Penalties and scope depend on local geography.

Data minimization

Minimal data collection: only use what is needed. Some information may not be required. Internal data use should be limited to the task at hand.
- HIPAA has a "Minimum Necessary" rule
- GDPR: "Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed."

Business partners

Much closer to the data than vendors. Often involves communication over a trusted connection, which makes malicious activity harder to detect. Partner risk management should be included in best practices and data management. Add additional security between partners, such as firewalls.

NIST CSF

National Institute of Standards and Technology Cyber Security Framework.
Framework Core: Identify, Protect, Detect, Respond, Recover
Framework Implementation Tiers: the organization's view of cybersecurity risk and its processes to manage the risk
Framework Profile: alignment of standards, guidelines, and practices to the Core

NIST RMF

National Institute of Standards and Technology Risk Management Framework.
- Mandatory for US federal agencies and organizations that handle federal data
Step 1: Categorize - Define the environment
Step 2: Select - Pick appropriate controls
Step 3: Implement - Define proper implementation
Step 4: Assess - Determine if controls are working
Step 5: Authorize - Make a decision to authorize a system
Step 6: Monitor - Check for ongoing compliance

Security configurations

No system is secure out of the box with default settings, so you need guidelines. Hardening guides are specific to the software or platform; get guidance from the manufacturer. Other general-purpose guidelines are available online.

Legacy systems

Older information systems that are incompatible with other systems, technologies, and ways of conducting business. They may no longer be supported by the manufacturer or receive security updates, and may not be accessible.

Control types

Preventive: physically controls access - door lock, security guard, firewall
Detective: identifies and records intrusion attempts but does not prevent them - motion detector, IDS
Corrective: designed to mitigate damage - an IPS can block an attacker, backups can mitigate ransomware
Deterrent: discourages (but does not prevent) an intrusion attempt - signs, banners, lights
Compensating: restores from a backup or re-image - hot sites, backup power systems
Physical: fences, locks, mantraps - real-world security

Change management

The process of making sure changes are made smoothly and efficiently and do not negatively affect system reliability, security, confidentiality, integrity, and availability. A common risk in an enterprise, since change occurs very frequently, yet often overlooked or ignored. Have clear policies for frequency, duration, installation process, and fallback procedures. It's hard to change corporate culture.

Application server

Runs programming language runtimes and libraries, usually sitting between the web server and the database (middleware). Very specific functionality, so disable anything unnecessary. Keep the operating system updated with security patches. Limit rights and access to files.

Data classifications

Proprietary: often unique property of an organization, which could include trade secrets
PII (personally identifiable information): data used to identify an individual
PHI (protected health information): health information associated with an individual
Public/Unclassified: no restrictions on viewing the data
Private/Classified/Restricted/Internal use only: restricted access, may require a non-disclosure agreement (NDA)
Sensitive: intellectual property, PII, PHI
Confidential: very sensitive; viewing must be approved
Critical: data that should always be available
Financial information: internal company financial information and customer financial details
Government: open data, but may be protected by law; transfer between government entities
Customer: data associated with customers with user-specific details; has legal handling requirements

Recovery

Recovery Time Objective (RTO) - how long to get back up to a particular service level
Recovery Point Objective (RPO) - how much data loss is acceptable to bring the system back online?
Mean Time to Repair (MTTR) - time required to fix an issue
Mean Time Between Failures (MTBF) - predicts the time between outages

consequences

Reputation - opinion of the organization becomes negative, impacting products, services, and stock price
Identity theft - company/customer private information becomes public in a disclosure
Fines - being forced to pay for the damages
Intellectual Property (IP) theft - stolen company secrets can put the company out of business

Mandatory Vacations

Requirement to take time off and have others rotate through the job. The longer the vacation, the better the chance of identifying fraud; essential for high-security environments.

Least Privilege

Rights and permissions should be set to the bare minimum, allowing only what is needed. All accounts and applications should run with limited privileges, with no administrative rights for users. This limits the scope of malicious behavior.

Software Compliance/Licensing

Risk associated with a company not being aware of what software or components are installed within its network. Having too few licenses is a risk; over-allocating licenses is a financial risk.

Risk control assessment

Once the risk has been determined, it's time to build the requirements. Find the gaps; this often requires a formal audit, though self-assessments may be an option. Build and maintain security systems based on the requirements. Determine whether existing controls are compliant or non-compliant, then make plans.

data governance

Rules, processes, and accountability associated with the organization's data, ensuring it is used in the right ways. Data steward: manages the governance processes; responsible for accuracy, privacy and security; associates sensitivity labels to the data; and ensures compliance with any laws and standards. Formal rules for data that everyone should know.

Notices

Terms of service/use/conditions (T&C): a legal agreement between the service provider and the user, to which the user must agree. Privacy notice/policy: documents that explain the handling of personal data and provide additional data options and contact information.

Anonymization

The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data. Makes it impossible to identify individuals from a dataset. Example: convert detailed customer purchase data by removing the personal information and changing the phone number; this cannot be reversed.

Risk Appetite

The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.

Risk awareness

The process of being consistently informed about the risks in one's organization or specific department. New risks bring an overwhelming amount of information, making defense difficult to manage. Knowledge is key for every employee. Maintain awareness with ongoing group discussions, presentations from law enforcement, or conferences.

Measurement System Analysis (MSA)

The process to determine whether a measurement process is capable of providing information which is reliable enough to base decisions on its output. Calculate measurement uncertainty.

Supply chain

The systems involved when creating a product. The supply chain assessment:
- Get a product or service from supplier to customer
- Evaluate the coordination between groups
- Identify areas of improvement
- Assess the IT systems supporting the operation
- Document the business process changes

Intellectual Property (IP) theft

Theft of ideas, inventions, and creative expressions. Causes include human error, hacking, and employees with access. Identify IP and educate employees.

Internal threats

Threats that originate within an organization, such as disgruntled employees and partners.

Job rotation

A job enrichment strategy that involves moving employees from one job to another, so that no one maintains control for long periods of time.

Service Level Agreement (SLA)

A formal contract between customers and their service providers that defines the specific responsibilities of the service provider and the level of service expected by the customer. Sets minimum terms for services.

Change control

A formal process for managing change to avoid downtime, confusion and mistakes.
- Determine the scope of the change
- Analyze the risk
- Create a plan
- Get end-user approval
- Present the proposal to the change control board
- Have a backout plan if it doesn't work out
- Document the changes

Functional recovery plans

Recover from an outage in a step-by-step process. Contact information: keep everyone up to date. Technical process: reference the knowledge base or follow the internal process. Recover and test to confirm normal operation.

Removing Single Points of Failure

• A single event can ruin your day - Unless you make some plans
• Network configuration - Multiple devices (the "Noah's Ark" of networking)
• Facility / Utilities - Backup power, multiple cooling devices
• People / Location - A good hurricane can disrupt personnel travel
• There's no practical way to remove all points of failure - Money drives redundancy

On-boarding

• Bring a new person into the organization - New hires or transfers
• IT agreements need to be signed - May be part of the employee handbook or a separate AUP
• Create accounts - Associate the user with the proper groups and departments
• Provide required IT hardware - Laptops, tablets, etc. - Preconfigured and ready to go

Administrator/root accounts

• Elevated access to one or more systems - Super user access
• Complete access to the system - Often used to manage hardware, drivers, and software installation
• This account should not be used for normal administration - User accounts should be used
• Needs to be highly secured - Strong passwords, 2FA - Scheduled password changes
These accounts allow installing software, making configuration changes, and accessing any file. Should be restricted to very few IT personnel; ordinary users should not have access.

asset management

• Identify and track computing assets - Usually an automated process
• Respond faster to security problems - You know who, what, and where
• Keep an eye on the most valuable assets - Both hardware and data
• Track licenses - You know exactly how many you'll need
• Verify that all devices are up to date - Security patches, anti-malware signature updates, etc.

ISO/IEC Frameworks

• International Organization for Standardization / International Electrotechnical Commission
• ISO/IEC 27001 - Standard for an Information Security Management System (ISMS)
• ISO/IEC 27002 - Code of practice for information security controls
• ISO/IEC 27701 - Privacy Information Management Systems (PIMS)
• ISO 31000 - International standards for risk management practices

Regulations that affect risk posture

• Many of them - Regulations tend to regulate
• Regulations directly associated with cybersecurity
  - Protection of personal information, disclosure of information breaches
  - Requires a minimum level of information security
• HIPAA - Health Insurance Portability and Accountability Act
  - Privacy of patient records
  - New storage requirements, network security, protect against threats
• GDPR - General Data Protection Regulation
  - European Union data protection and privacy
  - Personal data must be protected and managed for privacy

Off-boarding

• This process should be pre-planned - You don't want to decide how to do things at this point
• What happens to the hardware and the data?
• Account information is usually deactivated - But not always deleted

Service accounts

• Used exclusively by services running on a computer
  - No interactive/user access (ideally)
  - Web server, database server, etc.
• Access can be defined for a specific service - Web server rights and permissions will be different than a database server
• Commonly use usernames and passwords - You'll need to determine the best policy for password updates
