CySA+ Chapter 11: Frameworks, Policies, Controls, and Procedures


What is FIPS 199?

"FIPS" stands for the "Federal Information Processing Standards." During the business impact analysis (BIA), each system or asset is identified and prioritized according to the guidelines laid out in the FIPS 199 publication. Because information systems are complex and often possess multiple mission-critical processes, it can be difficult to determine the importance of each system and its security categorization. CIOs and contingency planning coordinators can therefore work with management, IT specialists, and internal/external points of contact to validate the importance of each system and its proper security categorization. Creating resource tables is helpful when identifying the value of mission-critical systems. FIPS 199 assists organizations with providing appropriate levels of information security by helping them classify their assets according to a range of potential impact levels (e.g., low, moderate, and high potential impact from a disruption). Additionally, the expected downtime can be estimated for each disaster, along with the maximum amount of downtime tolerable for maintaining business operations. Three security objectives are also defined: confidentiality, integrity, and availability of data (the CIA triad). Both the potential impact level and the security objective are used to produce a security categorization (SC) for each system and component. For example, the security categorization for a SCADA system at a power plant is expressed as Confidentiality = moderate; Integrity = high; Availability = high.

What is the ISO/IEC 27000 Series?

"ISO" stands for the "International Organization for Standardization." I know, the acronym isn't right, but that's the way it is. The "IEC," on the other hand, stands for the "International Electrotechnical Commission." These two groups work together to provide a wide range of standards for various industries, including agriculture, engineering, mining, electrical technologies, and cybersecurity. What cybersecurity analysts are particularly interested in, however, is the ISO/IEC 27000 series, or the "Information Security Management System (ISMS)" standards:

ISO/IEC 27000 Overview and Vocabulary
ISO/IEC 27001 ISMS Requirements
ISO/IEC 27002 Security Management
ISO/IEC 27003 ISMS Implementation
ISO/IEC 27004 ISMS Measurement
ISO/IEC 27005 Risk Management
ISO/IEC 27006 Certification Requirements
ISO/IEC 27007 ISMS Auditing
ISO/IEC 27008 Guidance for Auditors
ISO/IEC 27031 Business Continuity
ISO/IEC 27033 Network Security
ISO/IEC 27034 Application Security
ISO/IEC 27035 Incident Management
ISO/IEC 27037 Digital Evidence Collection and Preservation

As you can see, there is a lot to know, but it helps to be familiar with at least some of these. These are all standards and best practices for a particular focus (e.g., network security, application security, incident management, etc.).

What are the 3 categories for access controls and their implementation?

1) Physical controls are safeguards that deter, delay, prevent, detect, or respond to threats against physical property. Examples of physical controls include a security guard verifying individuals' identities prior to entering a facility, fencing, locking wiring closets and server rooms, and HVAC.

2) Technical (also called "Logical") controls are the software tools used to restrict subjects' access to objects. A subject can be a user or process, whereas an object is any system resource. These controls are components of OSs, add-on security packages, applications, network devices (e.g., firewalls, IDS/IPS, UTM), protocols, encryption, access control matrices, authentication and authorization mechanisms, etc.

3) Administrative controls are security mechanisms implemented by management primarily through policies and procedures. An example is personnel controls, which indicate how employees are expected to interact with security mechanisms and address non-compliance issues pertaining to these expectations. These controls indicate what security actions should be taken when an employee is hired, terminated, suspended, moved into another department, or promoted.

What are 3 ways attackers can elevate their privileges on an account?

1. "Compromise an existing privileged account." This can be mitigated through the use of strong authentication (strong passwords, two-factor authentication) and by having administrators use privileged accounts only for specific tasks and only from jump boxes.

2. "Create a new privileged account." This can be mitigated by paying close attention to the creation, modification, or misuse of user accounts. So, user account reviews are great.

3. "Elevate the privilege of a regular user account." This can be mitigated by paying close attention to the creation, modification, or misuse of user accounts. So, user account reviews are great.

Name the 4 main ways in which organizations conduct verification and quality control

1. Audits, 2. Assessments, 3. Certifications, and 4. Maturity models

Which NIST publication describes a voluntary cybersecurity structure for organizations that are part of the critical infrastructure?

Cyber Security Framework (CSF). Key word here is "voluntary."

How can a certification help with verification and quality control?

A certification is the comprehensive technical evaluation of the security components of a system and their compliance with applicable regulations. A certification process may use safeguard evaluation, risk analysis, verification, testing, and auditing techniques to assess the appropriateness of a specific system. The goal of the certification process is to ensure that a system, product, or network satisfies all security requirements. This process is usually applied when a new component (e.g., a server or sensor) is being introduced into an existing system. Some organizations have a second step called "accreditation" before introducing the new capability. This is the formal acceptance of the adequacy of a system's overall security and functionality by management. The certification information is presented to management or a responsible body, and it's up to management to ask questions, review the reports and findings, and decide whether to accept the product and whether any corrective action needs to take place.

How can assessments help with verification and quality control?

An assessment is any process that gathers information and makes a determination based on it. This rather general term encompasses audits and a host of other evaluations, such as vulnerability scans and pen tests. The most popular assessments are:

- Vulnerability assessments
- Penetration testing
- Red Team assessments
- Risk assessments
- Threat modeling
- Tabletop exercises

Every org. should have a formal assessment program that specifies how, when, where, why, and with whom the different aspects of its security will be evaluated.

How do audits help with verification and quality control?

An audit is a systematic inspection by an independent third party, oftentimes driven by regulatory compliance requirements. This can be expensive.

Why are "Compensation and Control Development Procedures" important?

As we discussed in the last section, sometimes, leaders will knowingly choose to take actions that leave vulnerabilities in their information systems. This usually happens because the fix is too costly (e.g., a patch would break a critical business process) or because there is no feasible way to fix the vulnerability directly (e.g., an older X-ray machine at a hospital). Compensation controls are security controls that are not directly applied to a vulnerable system, but that compensate for the lack of a direct control. For example, if you have a vulnerable system that is no longer supported by its vendor, you may put it in its own VLAN and create ACLs that allow it to communicate with only one other host, which has been hardened against attacks. You may also want to deploy additional sensors to monitor traffic on that VLAN and activity on the hardened host. The process by which these decisions are made and the compensation controls developed should be codified in its own separate procedure, or included in another related procedure.

What is TOGAF?

Based on the U.S. Department of Defense's TAFIM, TOGAF is an enterprise architecture methodology and framework used by the world's leading organizations to improve business efficiency. TOGAF stands for "The Open Group Architecture Framework." TOGAF helps organizations design and implement a broad range of different architectures, specifically in the following areas: Business architecture, Data architecture, Applications architecture, and Technology architecture. Whichever architecture is chosen for development, it can follow TOGAF's "Architecture Development Method (ADM)," which helps provide a description of the system to be implemented, its structure, components, and any principles or guidelines governing its design.

What is COBIT?

COBIT was developed by the "Information Systems Audit and Control Association (ISACA)" and the "IT Governance Institute (ITGI)." It is an IT governance framework and supporting toolset that defines the goals for control objectives for managing IT. COBIT is broken down into 4 "domains," which are:

1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate

Each domain has a complete "roadmap" to properly manage IT in each area.

Name the 5 key functions of the Framework Core of the CSF

Identify, Protect, Detect, Respond, Recover

Why are "Continuous Monitoring" procedures important?

In NIST's SP 800-127, NIST defines information security "continuous monitoring" as "maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." A continuous-monitoring procedure, therefore, would describe the process by which an organization collects and analyzes information in order to maintain awareness of threats, vulnerabilities, compliance, and the effectiveness of security controls. When continuous monitoring reveals actionable intelligence (e.g., a new threat or vulnerability), there should be a pre-established process in place to deal with this situation. The "remediation plan" describes the steps that an org. takes whenever its security posture worsens. This plan will likely reference multiple procedures.

How can you run a program with elevated privileges for a Windows, Linux, and Mac OS?

Windows allows you to right-click any program and select Run As... in order to elevate privileges. From the command prompt, you can just use the command runas /user:<AccountName> to accomplish the same goal.

In Linux, you can simply type sudo <SomeCommand> at the command line in order to run a program as the super (or root) user. If the program is a GUI one, you need to start it from the command line using the command gksudo (or kdesudo for Kubuntu). Linux has no way to run a program with elevated privileges directly from the GUI; you must start it from the command line.

In Mac OS X, you use sudo from the Terminal app just like you would from a Linux terminal. However, if you want to run a GUI app with elevated privileges, you need to use sudo open -a <AppName>, since there is no "gksudo" or "kdesudo" command.

What does ISO/IEC 27000 Series describe?

Information Security Management Systems (ISMS)

Which of the following standards, composed of 5 core volumes, is widely accepted for service management of information technology assets?

Information Technology Infrastructure Library (ITIL)

When referring to frameworks, policies, and procedures, what do "verification" and "quality control" refer to?

It's not uncommon for organizations to put significant amounts of effort into developing frameworks, policies, procedures, and controls only to discover that their security posture is not what they thought. Every implementation should be followed with verification and quality controls to ensure it was done properly. There should be ongoing periodic effort to ensure that the safeguards are still being done right and they are still effective. "Verification" is the process of ensuring that policies and procedures are being followed. "Quality Control" is the process of sampling our controls and ensuring they provide a certain baseline of security, which is to say they are effective against previously identified risks.

What is used as part of a formal process to improve a cybersecurity posture by developing comprehensive and repeatable security processes unique to the organization?

Maturity models. They are used to create processes that are unique to the operating environment and help improve operational performance and the security posture.

What is NIST SP-800-61 (Revision 2)?

NIST Special Publication 800-61 (Revision 2) is the "Computer Security Incident Handling Guide," and it deals specifically with Incident Response (IR). SP 800-61 helps organizations respond efficiently and effectively to incidents big and small. Every organization is going to experience an incident at one point, so being able to appropriately respond and analyze incident-related data to determine an appropriate response is crucial in a time when IR has become an important aspect of Information Technology. SP 800-61 provides organizations with a way to develop incident handling policies, plans, procedures, teams, and recommendations. It also prepares organizations for the detection and analysis of cyber attacks as well as the containment, eradication, and recovery from cyber incidents.

What is a password policy used for?

It is perhaps the most visible of security policies, because every user will have to deal with its effects on a daily basis. A good password policy should motivate users to manage their passwords securely, describe to them how this should be accomplished, and prescribe the consequence of failing to comply. The three main elements in most password policies relate to generation, duration, and use. When creating passwords, users should be informed of the requirements of an acceptable one. These standards include the following:

1) Minimum length (8 characters or more)
2) Complexity (upper, lower, numbers, and special characters)
3) Password history (cannot be any of the latest 4 passwords)
4) Minimum age (prevents flipping in order to reuse an old password)
5) Maximum age (90 days)
6) Prohibition against certain words (such as the user's name or company name)
7) Prohibition of same-use passwords (same password for multiple systems)

Which is the NIST publication that outlines various security controls for government agencies and information systems?

SP 800-53

What is NIST SP 800-53?

SP 800-53, the "Security and Privacy Controls for Federal Information Systems and Organizations," is a document cataloging the security and privacy controls of federal information systems. SP 800-53 includes a helpful process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. SP 800-53 breaks down the different control categories (e.g., access control, awareness and training, configuration management, contingency planning, incident response, risk assessment, and so on) into 1 of 3 different classes (either technical, operational, or management). This publication helps organizations outline controls they can place on their information systems to remain compliant with FIPS 199, which I'll get into later.

Why are "Patching" Procedures important?

Security "Patch Management" is the process by which fixes to software vulnerabilities are identified, tested, applied, validated, and documented. These 5 functions should be codified in a formal procedure within every organization. The identification function requires having complete, accurate, and updated software inventories. Only when you know exactly what software is running on your systems can you identify the need for (and sources of) patches. Once you determine the need for a patch and acquire it from a trusted source, you have to test it in order to determine what effects it may have on your business processes. It is not unusual for security patches to break something, which requires the IT security staff to look for these unintended effects. The organization's leaders will have to decide whether to apply the patch anyway, implement other controls, or do nothing and assume the risk. Once the decision is made to push the patch onto the production systems, this should not be done all at once. Different organizations will have procedures that prioritize patching of systems that are high risk (for example, outward-facing systems), non-critical (that is, if they break because of the patch, it won't hurt the company much), or whose work unit leaders offer to be guinea pigs for the rest of the organization. There is no universal right answer for this sequencing, but the approach should be formally documented. After the patches are installed, they have to be documented and validated. Documentation of patching means that you update your software inventory to reflect the fact that a specific installation of the software is now patched (or not). Every unpatched system should require a formal waiver that includes how (if at all) the risk of not being patched is being mitigated. Finally, the patches should be validated to ensure they serve the intended purpose. This usually entails adding plug-ins to vulnerability scanners and perhaps even running a special scan.

Why are "Control-Testing" procedures important?

Security controls may fail to protect IS against threats for a variety of reasons. If the control is improperly installed or configured, or if you chose the wrong control to begin with, then the asset will remain vulnerable. For this reason, you should have a formal procedure that describes the steps by which your organization's security staff will verify and validate controls they use. Verification is the process of ensuring that the control was implemented correctly. Validation ensures that the (correctly installed) control actually mitigates the intended threat.

What is SABSA?

Sherwood Applied Business Security Architecture (SABSA) uses a matrix for developing risk-driven enterprise information security architectures. SABSA attempts to assist an organization in answering "What, Why, How, Who, Where, and When." Answering these questions at each layer requires an analysis of business requirements for security.

What is NIST SP 800-37?

Special Publication 800-37 is the "Guide for Applying the Risk Management Framework to Federal Information Systems." SP 800-37 provides a life cycle approach and guideline for applying an organization-wide Risk Management Framework (RMF) to federal information systems. RMF is a 6-step process that includes the following:

1. security categorization
2. security control selection
3. security control implementation
4. security control assessment
5. information system authorization
6. security control monitoring

SP 800-37 places a heavy emphasis on continuous monitoring (#6) of controls, risk, and response, which entails appropriate, cost-effective decisions that not only mitigate the risk involved, but also remain in line with the organization's core missions and business functions.

What is the CMMI?

The "Capability Maturity Model Integration (CMMI)" is a comprehensive, integrated set of guidelines for developing products and software. It can be used to evaluate security engineering practices and identify ways to improve them. The model describes procedures, principles, and practices that underlie process maturity. This model was developed to help software vendors improve their development processes by providing an evolutionary path from an ad hoc "fly by the seat of your pants" approach to a more disciplined and repeatable method that improves quality, reduces the development lifecycle, provides better project management capabilities, allows for milestones to be created and met in a timely manner, and takes a more proactive approach than the less effective reactive approach. It provides best practices to allow an org. to develop standardized approaches that can be used across many different groups. The goal is to continue to review and improve upon the processes to optimize output, increase capabilities, and provide higher-quality products and services at a lower cost through the implementation of continuous improvement steps. The 5 maturity levels of the CMMI model are:

Level 1 = Initial: The development process is ad hoc or even chaotic. The company does not use effective management procedures and plans. There is no assurance of consistency, and quality is unpredictable. Success is usually the result of individual heroics.

Level 2 = Repeatable: A formal management structure, change control, and quality assurance are in place. The company can properly repeat processes throughout each project. The company does not have formal process models defined.

Level 3 = Defined: Formal procedures are in place that outline and define processes carried out in each project. The organization has a way to allow for quantitative process improvement.

Level 4 = Managed: The company has formal processes in place and analyzes quantitative data, and metrics are defined and fed into the process-improvement program.

Level 5 = Optimizing: The company has budgeted and integrated plans for continuous improvement.

What is the EDRM?

The "Electronic Discovery Reference Model (EDRM)" identifies the following 8 steps, though they're not necessarily all required, nor are they performed in a linear manner:

1) Identification of data required under the order
2) Preservation of this data to ensure it is not accidentally or routinely destroyed while the order is being complied with
3) Collection of the data from the various stores in which it may be housed
4) Processing to ensure the correct format is used for both the data and its metadata
5) Review of the data to ensure it's relevant
6) Analysis of the data for proper context
7) Production of the final data set to those requesting it
8) Presentation of the data to external audiences to prove or disprove a claim

What is an AUP?

The Acceptable Use Policy (AUP) specifies what the organization considers an acceptable use of the information systems that are made available to the employee. Using a workplace computer to view porn, send hate e-mail, or hack other companies is always forbidden.

What is CSF?

The CSF was created by NIST in response to Executive Order 13636, which called for the development of a voluntary cybersecurity framework for organizations that are part of the nation's critical infrastructure. But the biggest factor of the CSF is that it had to be flexible, repeatable, and cost effective. The CSF is split into 3 main components, which are the Framework Core, the Implementation Tiers, and the Framework Profile.

The Framework Core is split into 5 functions (Identify, Protect, Detect, Respond, and Recover). These are all cybersecurity activities that will help organizations enable risk management decisions, address threats, and improve by learning from previous activities. Functions are further split into 22 categories (e.g., access control and detection processes) and 98 subcategories (e.g., data-at-rest is protected).

The Implementation Tiers help organizations classify the degree of their cybersecurity practices into 1 of 4 tiers: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), and Tier 4 (Adaptive).

A Framework Profile is used to describe the current state or the desired target state of specific cybersecurity activities of an organization. It indicates what the organization is currently achieving and the additional requirements needed to achieve its overall risk management goals.

What is FISMA?

The Federal Information Security Management Act (FISMA) of 2002 applies to information systems belonging to or operated by federal agencies or contractors working on their behalf. Among its key provisions are requirements on the minimum frequency of risk assessments, security awareness training, IR, and continuity of operations.

What is the GLBA?

The Gramm-Leach-Bliley Act (GLBA) of 1999 applies to financial institutions and is intended to protect consumers' personal financial information. Notably, it includes the "Safeguards Rule," which requires financial institutions to maintain safeguards to protect the confidentiality and integrity of personal consumer information.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) requires health care facilities to protect the CIA and privacy of PHI.

What is NIST?

The National Institute of Standards and Technology (NIST) is an organization within the U.S. Department of Commerce that is charged with promoting innovation and industrial competitiveness. NIST develops and publishes standards and guidelines aimed at improving practices, including cybersecurity across a variety of sectors.

What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a standard that applies to any organization that handles credit or debit card data. Its main security control focuses on vulnerability scanning.

What is SOX?

The Sarbanes-Oxley Act (SOX) of 2002 is intended to protect investors and the public against fraudulent and misleading activities by publicly traded companies. SOX-regulated organizations must ensure that digital records are not improperly altered.

Between the data owner, CIO, CSO, and system admin, who is responsible for ensuring that data security controls are in place, defining classification requirements, and approving disclosure?

The data owner

Which component of the CSF describes the degree of sophistication of cybersecurity practices?

The implementation tiers.

What is ITIL?

The last security framework, ITIL, is a set of best practices for IT service management with a primary focus on meeting an organization's business needs. ITIL stands for "Information Technology Infrastructure Library." ITIL integrates IT and business. Therefore, instead of having the IT team solely working IT support, they can also assist in business services. The ITIL framework is divided into 5 categories that make up the ITIL Service Life Cycle:

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement

Each category contains subcategories of different processes and functions. Overall, the ITIL framework helps an organization design a strategy for achieving its goals, design the services and supporting elements, and design any activities that are necessary to achieve these goals.

How can a maturity model help with verification and quality control? What even is a maturity model?

The maturity of an org. with regard to cybersecurity is a measure of how introspective its security processes are. In other words, if there is no real awareness of processes and security is managed through crisis, we can conclude the org. is very immature. On the other hand, if there are formal, documented processes that are periodically examined for the purpose of continuous improvement, we can conclude that the org. is very mature. There are a number of maturity models, but perhaps the most useful is the one developed by Carnegie Mellon University's Software Engineering Institute, known as the CMMI.

What is a data classification policy used for?

The most common security policies deal with the classification of organizational data, which is a topic from Chapter 5. The rationale behind assigning classification levels to different types of data is that it enables an organization to gauge the amount of funds and other resources that should go toward protecting each. A key reason to have a data classification policy is to organize it according to its sensitivity to loss, alteration, disclosure, or unavailability.

What is a data retention policy used for?

There is no universal agreement on how long you should retain data that you own. Legal and regulatory requirements (where they exist) vary among countries and sectors. What's universal is the need to ensure your org. has and follows a documented data retention policy. You need to ensure it is followed too. Holding data for too long might make it difficult to comply with e-discovery orders from a court. A better approach is to find the specific data sets that have mandated retention requirements and handle those accordingly. Everything else has a retention period that minimally satisfies the business requirements. You will also find that different business units have different data retention requirements. For instance, you may want to keep data from your R&D division for a much longer period than you would keep data from the customer service division.

Why are "Exception Management" policies important?

There will be times when an org. chooses to violate its own policies or procedures. We already saw some of this when we introduced compensation control development earlier in this chapter. Whatever the reason for this decision, it is critical that it be made by the right people, with access to the right information, and with proper documentation. These are the essential elements of an exception management procedure.

What is a data ownership policy used for?

These policies are typically combined with data classification ones because it is difficult to separate the two issues. The main reason is that data is classified by the person who "owns" it. Data ownership policies establish the roles and responsibilities of data owners within the organization. The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. A key issue to address in data ownership is who owns the personal data that an employee brings into an organizational information system. For example, if employees are allowed to check e-mail or social media sites from work, their personal data will traverse and be stored, albeit temporarily, on corporate information systems. Does it now belong to the company? Are there expectations of privacy? What about personal e-mail received by employees at their work accounts? These issues should be formally addressed in a data ownership policy.

What are "organizationally-defined parameters?"

Unsurprisingly, organizational policies play a large role in control selection and determine the values of key parameters in the process. An "organizationally-defined parameter" is a variable that defines the selected portions of the controls (physical, technical, or administrative) to support specific organizational requirements or objectives. In some cases, the minimum and maximum values of these parameters are dictated by laws or government regulations. Examples of these organizationally defined parameters are the frequency with which system backups must be conducted, the time before a data breach must be disclosed, and the maximum number of people who can have access to particularly sensitive information.

What is an account management policy used for?

When new employees arrive, they should follow a well-defined onboarding process that ensures they not only understand their duties and responsibilities, but also that they are assigned the required company assets and that these are properly configured, protected, and accounted for. Among these assets is a user account that grants them access to the ISs and authorization to create, read, modify, execute, or delete resources (e.g., files) within it. The policy should dictate the default expiration date of accounts, the password policy (unless it's a separate document), and the information to which a user should have access. This last part becomes difficult because the information needs of users will typically vary over time. Adding, removing, or modifying permissions that a user has should be a carefully controlled and documented process. Who authorized it? Organizations that are mature in their security process will have a change-control process in place to address user privileges. While many auditors will focus on who has administrative privileges in the org., there are many custom sets of permissions that approach the level of an admin account. It is important, then, to have and test the processes by which elevated privileges are issued. Another important piece in account management is the suspension of accounts that are no longer needed. Every large org. eventually stumbles across one or more accounts that belong to users who are no longer part of the org. In some extreme cases, these users left several months ago and had privileged accounts. The unfettered presence of these accounts on our networks gives our adversaries a powerful means to become a seemingly legitimate user, which makes our job of detecting and repulsing them that much more difficult.

Why are "Evidence Production" procedures important?

When parties go to court, the manner in which evidence is introduced is almost as important as the evidence itself, which is the reason why having a well-documented and enforced procedure can be the difference between prevailing and losing. "Evidence Production" is a legal request for documents, files, or any other tangible items that may have bearing on a legal procedure. This oftentimes happens during the early (discovery) portion of a legal action, which is why the term "evidence production" is sometimes used interchangeably with "E-Discovery." But E-discovery includes seizure, and evidence production does not.
