Week 1 Review: Cybersecurity Basics

INFOSEC GOALS// Support the mission of the organization; implement protections that satisfy the risk appetite of the organization (no more, no less, just enough).
- Risk can never be completely eliminated; find a balance between security requirements and usability
- Roles and responsibilities must be explicit
- Infosec is not a static process; it must be assessed regularly and methodically

WHY do we need security?
- Reduction in financial losses
- Protection of brand and reputation
- Competitive advantage
- Customer retention
- Partner relationships and confidence
- Reduction in regulatory fines

CIA TRIAD// Confidentiality, Integrity, Availability
- CONFIDENTIALITY/ Keep data private. Only authorized users and processes should be able to access or modify data (access control, cryptography, etc.)
- INTEGRITY/ Data can be trusted. Data should be maintained in a correct state, kept from being tampered with, and should be correct, authentic, and reliable (protection and verification)
- AVAILABILITY/ Data should be available to authorized users whenever they require it. Keep systems, networks, and devices up and running (fault-tolerant architecture, redundancy, disaster recovery, etc.)

DEFENSE IN DEPTH// Combining controls into multiple layers of security helps ensure that if one layer fails to counteract a threat, other layers are in place to help prevent a breach of the systems

SHADOW IT// Use of IT systems, devices, software, applications, and services without explicit IT department approval
- Can introduce serious security risks to the organization (data leaks, etc.)
- Potential compliance violations
- Lack of monitoring and auditing options
** It can be tempting for employees to bypass integrated security systems to gain time and efficiency, but this puts the system at risk. Communicate with the IT department to find safe, approved solutions for doing the work if the system in place is slowing you down.
RACI CHART / MATRIX / MODEL// Diagram that identifies the key roles and responsibilities of users against the major tasks within a project
- RESPONSIBLE/ Who is responsible for doing the actual project work?
- ACCOUNTABLE/ Who is accountable for the success (or failure) of the project tasks and is the decision maker? **Should be only one individual, typically the PM
- CONSULTED/ Who needs to be consulted for details and information on the requirements? **Subject matter experts
- INFORMED/ Who needs to be kept informed of major updates? **Senior leadership

SECURITY CONTROLS// Safeguard measures to reduce the chance that a threat will exploit a vulnerability **GOAL == RISK MITIGATION

RISK MANAGEMENT LIFECYCLE// Continual improvement process to ensure steady progress and compliance with changing internal and external constraints
- IDENTIFICATION/ List the different risks and define their characteristics with the project context in mind (brainstorming sessions, tabletop exercises, feasibility study, data from previous projects, etc.)
- ASSESSMENT/ Sort risks according to quantitative and qualitative criteria; this helps categorize risks (high, moderate, low) and their impact in terms of scope, delay, or cost
  o QUANTITATIVE → If expected loss > cost of control, then implement the control
    Single Loss Expectancy = Asset Value x Risk Factor (Exposure Factor)
      SLE = AV x RF (or EF)
    Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence
      ALE = SLE x ARO
  o QUALITATIVE → Measures risk impact through the use of a relative scale / risk rating matrix
      RISK = LIKELIHOOD x IMPACT
  o CVSS → Common Vulnerability Scoring System
  o CVE → Common Vulnerabilities and Exposures
- TREATMENT or MITIGATION/ Based on control strategies and careful response planning. The goal is to describe the actions to be taken to treat the risk:
  o ACCEPTANCE → Risk is accepted with no action taken to mitigate it. Will not reduce the impact, but sometimes the mitigation cost is not worth it
  o TRANSFERENCE → Risk is transferred via a contract to an external party who will assume the risk on the organization's behalf. This does not eradicate the risk, only the responsibility for it (cyber insurance)
  o AVOIDANCE → Risk is eliminated by not taking any action that would allow the risk to occur
  o REDUCTION → Risk becomes less severe through actions taken to prevent or minimize its impact
- MONITORING/ There should be a process in place for tracking and monitoring risk throughout project development. Update the risk register regularly. When risks arise, re-evaluate the measures taken previously.
- REPORTING/ Save analyses and keep tracking records so the history is available to others. Derive good practices for future projects from experience.

INFOSEC DOMAINS//
- APPLICATION SECURITY/
  o Web/desktop/mobile applications, web services, APIs, etc.
  o Software development security / SDLC → SHIFT LEFT: bring security in early in the application development process!
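Worked example for the ASSESSMENT step of the RISK MANAGEMENT LIFECYCLE above, added here as an illustration (not part of the original notes): the SLE and ALE formulas, the "expected loss > cost of control" decision rule applied on a per-year basis, and a qualitative LIKELIHOOD x IMPACT rating matrix. The asset figures, the 1..3 relative scale and the bucket thresholds are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Qualitative scale (assumption): a 1..3 relative scale matching the notes' low/moderate/high buckets
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF (the notes' "Risk Factor"): fraction of AV lost per event, 0..1
    aro: float              # Annualized Rate of Occurrence: expected events per year


def single_loss_expectancy(r: Risk) -> float:
    """SLE = AV x EF"""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk) -> float:
    """ALE = SLE x ARO"""
    return single_loss_expectancy(r) * r.aro


def control_is_worth_it(r: Risk, annual_control_cost: float, aro_after_control: float) -> bool:
    """Notes' rule: implement the control if expected loss > cost of control, compared per year:
    the ALE the control removes (by lowering ARO) against the control's annual cost."""
    residual = replace(r, aro=aro_after_control)
    loss_avoided = annualized_loss_expectancy(r) - annualized_loss_expectancy(residual)
    return loss_avoided > annual_control_cost


def qualitative_rating(likelihood: str, impact: str) -> str:
    """RISK = LIKELIHOOD x IMPACT on the relative scale, bucketed back into low/moderate/high.
    Bucket thresholds are an assumption: 6-9 high, 3-4 moderate, 1-2 low."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    return "moderate" if score >= 3 else "low"


# Constructed sample (not from the notes): a customer database worth $500,000; a breach is assumed
# to destroy 40% of its value (EF 0.4) and to occur about once every ten years (ARO 0.1).
CUSTOMER_DB = Risk("customer database", asset_value=500_000, exposure_factor=0.4, aro=0.1)

if __name__ == "__main__":
    print(single_loss_expectancy(CUSTOMER_DB), annualized_loss_expectancy(CUSTOMER_DB))
    # Off-site backups at $8,000/yr that cut ARO to 0.02 avoid $16,000/yr of expected loss
    print(control_is_worth_it(CUSTOMER_DB, 8_000, 0.02), qualitative_rating("moderate", "high"))
```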
  o OWASP Top 10 → OPEN WEB APPLICATION SECURITY PROJECT
    A01:2021 – Broken Access Control
    A02:2021 – Cryptographic Failures
    A03:2021 – Injection
    A04:2021 – Insecure Design
    A05:2021 – Security Misconfiguration
    A06:2021 – Vulnerable and Outdated Components
    A07:2021 – Identification and Authentication Failures
    A08:2021 – Software and Data Integrity Failures
    A09:2021 – Security Logging and Monitoring Failures
    A10:2021 – Server-Side Request Forgery
  o Bug bounty programs → Companies provide financial incentives to independent bug bounty hunters who discover security vulnerabilities in their systems
  o SaaS applications and management → Valuable target for threat actors; SaaS security is critically important
  o SAST vs DAST → STATIC vs DYNAMIC APPLICATION SECURITY TESTING
- NETWORK SECURITY/
  o Infrastructure → WAN/LAN, routers, switches, 802.11, firewalls, VPNs, servers, OS, PKI, and certificate management
  o Network Access Control → 802.1X, employee and guest wired/wireless access
  o Remote connections/BYOD → VPN, SFTP
- HARDWARE SECURITY/
  o Physical infrastructure, IoT devices, embedded devices, desktops/laptops (disk encryption, DLP)
- PHYSICAL SECURITY/
  o Physical access control → badging systems, gates, mantraps, guest check-in procedures, security guards, CCTV, alarm systems
  o Physical security personnel → should be integrated with or work closely with the Infosec team (CSO/CISO)
- MOBILE SECURITY/
  o MDM → Mobile Device Management protocols/solutions in place
- OPERATIONAL SECURITY/
  o SOC → Security Operations Center to handle day-to-day security incidents and alerts
  o Monitoring → Response based on SLAs (Service Level Agreements)
  o Support structure in place for escalating incidents
  o Events vs Incidents → Not all events are incidents, but all incidents are events
    ▪ EVENT: log entry/alert
    ▪ INCIDENT: event/alert that has a negative effect on operations
- INCIDENT RESPONSE/
  o Internal vs External, or both
  o Response → Escalated security incidents that require immediate attention
    ▪ CONTAIN
    ▪ REMEDIATE
    ▪ ROOT CAUSE ANALYSIS
  o Critical → Preparation phase (tabletop exercises)
- IDENTITY & ACCESS MANAGEMENT (IAM)/
  o Onboarding/off-boarding protocols
  o Single Sign-On (SSO) with Multi-Factor Authentication (MFA)
    ▪ SSO: One set of credentials used across multiple applications, based on the federation that exists between applications (SAML – Security Assertion Markup Language)
    ▪ MFA:
      1. Something you KNOW → password, passphrase, PIN, etc.
      2. Something you HAVE → smartphone, keys, badge, access card, etc.
      3. Something you ARE → biometrics, retina scans, Face ID, etc.
  o User access reviews
  o Managing and rotating API keys and cryptographic keys

RISK vs THREAT vs VULNERABILITY//
[Diagram: THREAT, RISK, VULNERABILITY]
- THREAT/ Something that has the potential to cause harm
- RISK/ Something that can potentially cause harm, loss, or damage
- VULNERABILITY/ Weakness of an asset
RISK → THREAT EXPLOITS A VULNERABILITY

AAA// *now has 5 elements
1. IDENTIFICATION/ Claiming to be an identity when attempting to access a secured area or system
2. AUTHENTICATION/ Proving that you are that identity
3. AUTHORIZATION/ Defining the permissions of a resource and object access for a specific identity
4. AUDITING/ Recording a log of the events and activities related to the system and subjects
5. ACCOUNTING or ACCOUNTABILITY/ Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions

SUPPLY CHAIN ATTACKS// An emerging kind of threat that targets software developers and suppliers. The goal is to access source code, build processes, or update mechanisms by infecting legitimate applications in order to distribute malware.
- TYPES/
  o Compromised software build tools or update infrastructure
  o Stolen code-signing certificates, or malicious apps signed using the identity of the dev company
  o Compromised specialized code shipped in hardware or firmware components
  o Pre-installed malware on devices (cameras, USB, phones, etc.)
- PROTECTION/
  o Deploy strong code integrity policies to allow only authorized applications to run
  o Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities
  o Maintain a highly secure build and update infrastructure
    ▪ Immediately apply security patches for OS and software
    ▪ Implement mandatory integrity controls to ensure only trusted tools run
    ▪ Require multi-factor authentication for admins
  o Build secure software updaters as part of the SDLC
    ▪ Require SSL (Secure Sockets Layer) for update channels and implement certificate pinning
    ▪ Sign everything, including configuration files, scripts, XML files, and packages
    ▪ Check for digital signatures and don't let the software updater accept generic input and commands
  o Develop an incident response process for supply chain attacks
    ▪ Disclose supply chain incidents and notify customers with accurate and timely information
  o VRM – Vendor Risk Management → Helps you identify, monitor, assess, and mitigate risks emanating from your supply chain ecosystem rather than just sticking to incident response (IR)

DR & BCP//
- DISASTER RECOVERY/ Focuses on what happens after a disaster; in many cases it is part of the overall continuity plan and tends to focus more on the technical side of the business (data backup and recovery, computer systems, etc.)
- BUSINESS CONTINUITY PLAN/ Umbrella policy, with DR as part of it. A plan that covers the way a business plans for and maintains critical business functions directly before, during, and after a disaster.
  o Maintenance
  o Stability
  o Recoverability of service
  o Day-to-day basis
  o Covers the whole organization

WHAT should the DR and BCP contain?
- An operational plan for potential disasters in your geographical area
- A succession plan for you or your top management
- Employee training and cross-training
- A communication plan that includes ways of communicating if networks are down
- Off-site locations for staff and managers to meet and work
- A focus on safety. Foster partnerships and communication with local and emergency response services
- Daily backups of your systems and data
- Training and testing of all employees to practice recovery activities
- Regular audits and updates of your plans

GOVERNANCE, RISK MANAGEMENT & COMPLIANCE (GRC)//
**PCAOB – Public Company Accounting Oversight Board → Non-profit corporation created by the Sarbanes-Oxley Act of 2002 to oversee the audits of public companies and other issuers, to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports
Some examples of legal and regulatory requirements:
- FFIEC/ Federal Financial Institutions Examination Council
- NERC CIP/ North American Electric Reliability Corporation Critical Infrastructure Protection
- EDPD/ European Data Protection Directive
- GDPR/ General Data Protection Regulation (EU) **Very strict; heavy fines
- FISMA/ Federal Information Security Management Act
- PCI DSS/ Payment Card Industry Data Security Standard
- SOX/ Sarbanes-Oxley Act of 2002
- HIPAA/ Health Insurance Portability and Accountability Act
- SLAs/ Service Level Agreements
Policies and controls:
- GUIDELINES/ FYI
- PROCEDURE/ How do we actually do it?
- STANDARD/ What is our requirement?
- POLICY/ Why do we need to do this?
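Illustration of the "build secure software updaters" rules in the SUPPLY CHAIN ATTACKS – PROTECTION list above, added here and not taken from the original notes: a manifest verifier that checks one signature over the whole manifest, requires every shipped file, configuration included, to be listed with a matching hash, and rejects any manifest field other than version and file entries, so the updater never accepts generic input or commands. Assumptions: HMAC with a shared demo key stands in for the public-key signature a real updater would verify, and all file names, contents and the key are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC with a shared key stands in for the public-key signature the
# notes call for; a real updater would verify an asymmetric signature with a public key
# baked into the client, so that the signing key never has to be on the endpoint.
VERIFY_KEY = b"demo-update-verification-key"

# The only fields a manifest may carry: a version string and a file -> sha256 map.
# There is no "run this" field, so the updater cannot be driven by generic input or commands.
ALLOWED_FIELDS = {"version", "files"}


def sign_manifest(manifest: dict, key: bytes = VERIFY_KEY) -> str:
    """Tag the canonical (sorted-key) JSON encoding of the whole manifest."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, tag: str, files: dict, key: bytes = VERIFY_KEY) -> list:
    """Return the sorted names of files safe to install, or raise ValueError.
    Rules from the notes: the manifest must be signed, every shipped artifact (packages and
    config files alike) must be listed with a matching hash, and nothing else is accepted."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):  # constant-time compare
        raise ValueError("manifest signature invalid")
    extra = set(manifest) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"unexpected manifest fields rejected: {sorted(extra)}")
    listed = manifest["files"]
    if set(files) != set(listed):  # an unsigned extra file, or a listed file missing
        raise ValueError("shipped files do not match the signed manifest")
    for name, data in files.items():
        if hashlib.sha256(data).hexdigest() != listed[name]:
            raise ValueError(f"hash mismatch for {name}")
    return sorted(files)


def rejects(manifest: dict, tag: str, files: dict) -> bool:
    """True if verify_update refuses the update; exercises the failure cases."""
    try:
        verify_update(manifest, tag, files)
        return False
    except ValueError:
        return True


# Constructed sample update: a package plus its config file, both covered by the manifest.
SAMPLE_FILES = {"app.pkg": b"placeholder-package-bytes", "app.conf": b"log_level=info\n"}
SAMPLE_MANIFEST = {"version": "1.2.0",
                   "files": {n: hashlib.sha256(d).hexdigest() for n, d in SAMPLE_FILES.items()}}
SAMPLE_TAG = sign_manifest(SAMPLE_MANIFEST)
```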
Common frameworks used in the US:
- ISO27000 SERIES/ International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
  o ISO27001:2013 → Standard for auditing; organizations can get certified against this one
  o ISO27002:2013 → Guidance for obtaining your certification against 27001
- NIST/ National Institute of Standards and Technology (US)
  o CORE → Identify, Protect, Detect, Respond, Recover
  o IMPLEMENTATION TIERS → Partial, Risk Informed, Repeatable, Adaptive
  o PROFILE → Security roadmap
- SOC1 vs SOC2 vs SOC3/ System and Organization Controls (US)