02. Information Security Control Implementation and Integrations (265) Flashcards
InfoSec Control Implementation and Integrations
After a control has been designed and put into service, it needs to be managed throughout its life
265
InfoSec Control Implementation and Integrations
Implementing a control that hardens a system to a standard may take time, because it must be confirmed that the control does not adversely affect the performance, integrity, or availability of the affected system(s)
265
Controls Development
- Control Development is foundational to a security program
- The security manager must intimately understand the organisation's mission, goals, objectives, and risk tolerance
Controls Development from Scratch
Organisations developing their own controls from the ground up must first develop high-level control objectives: overarching principles from which the individual controls will be derived
266
Developing Control Details
Security manager must develop several elements of each control
267
Control number
Index number assigned to control
Mapping
Relationship to other controls in other control frameworks
Title
Name
Control Objective
Desired activity
Narrative
Detailed description of the control
Scope
Locations, business units, departments
Risk
Risk that control intends to address
Owner
Business owner
Affected and Related Business Processes
Business processes related to control
Control Frequency
How often performed or used
Classification
Automatic or manual, preventive or detective etc…
Measurements
Metrics, KPI
Testing procedure and Frequency
Steps to determine control effectiveness
Developed By
Person who developed control
Approved By
Person who approved control
Approval Date
Date control approved
Version
Version number
Cross References
Cross references to other controls, control frameworks, systems, documents etc..
Modification History
List of changes
Control Implementation
New control implementation should be guided by a formal process, with each new control having:
- Control objective
- Design reviewed by stakeholders
- Test plan (results reviewed)
- Authorization to implement
- Change management process to plan implementation
268
Control Implementation
- Controls must have control owners, who are responsible for the operation of each control
- New controls should be audited or reviewed more frequently to ensure they are operating as expected
268
Security and Control Operations
- Controls in service will transition into routine operations
- Control owners should monitor their controls and be aware of problems as they arise
- Modern information security control frameworks comprise multiple categories
268
Security and Control Operations
Control Frameworks comprise multiple categories;
- Event monitoring
- Vulnerability management
- Secure Engineering and Development
- Network protection
- Endpoint Protection and Management
- Identity and Access Management
- Security Incident Management
- Security awareness and training
- Managed security services providers
- Data Security
- Business continuity planning
269
Event Monitoring
- Event Monitoring is the practice of examining security events that occur on information systems
Log Review
* An event log in an information system is examined
Centralised Log Management
* A practice where event logs from numerous systems are sent over the network to a central log server
Security Information Event Management (SIEM)
* Collects and analyses log data from many systems
Threat Intelligence Platform (TIP)
* Often integrated with a modern SIEM; receives and processes threat intelligence feeds and correlates them with received logs
Security Orchestration, Automation, and Response (SOAR)
* Orchestration refers to a scripted response, triggered automatically or manually, that runs when a specific event or alert occurs
269
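The flashcards above describe what a SIEM does but not what a correlation rule looks like. The following is an added example, not code from the flashcards or the textbook they summarise: a minimal SIEM-style correlation rule run over constructed SSH log lines. The rule raises one alert when a user/source-IP pair accumulates a threshold of failed logins inside a time window and then succeeds from that same source. The log format, field names, threshold and window are all assumptions for the example.

```python
"""Added example (not from the flashcards): a minimal SIEM-style correlation
rule. Log format, thresholds and sample events are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample events in a syslog-like form (not real data).
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:03Z host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:04Z host2 sshd: Failed password for bob from 198.51.100.9
2024-03-01T09:00:06Z host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:07Z host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:09Z host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:12Z host1 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T09:30:00Z host2 sshd: Accepted password for bob from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(line):
    """Normalise one raw line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def correlate(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for 'N failures then a success' per (user, source IP).
    Events are assumed to arrive in time order; a real SIEM would sort or
    buffer out-of-order events before applying the rule."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue                # unparsed line; a real pipeline would count these
        key = (ev["user"], ev["src"])
        recent = failures[key]
        # Age out failures that fell outside the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        else:  # Accepted
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "brute-force-then-success",
                    "user": ev["user"], "src": ev["src"],
                    "failures": len(recent),
                    "first_failure": recent[0], "success": ev["ts"],
                })
            recent.clear()          # a success resets the counter either way
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

With the constructed data, alice's five failures followed by a success from the same address produce one alert; bob's single failure does not. Raising the threshold to six suppresses the alert, which is the tuning knob a SOC would adjust against its own false-positive rate.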
Vulnerability Management
- Vulnerability management is the practice of periodically examining information systems to discover exploitable vulnerabilities, analysing them, and deciding on remediation
- Primary activity to reduce likelihood of successful attacks
- Organisations often establish SLAs for the maximum time allowed for remediation, usually tiered by severity
270
Vulnerability Management
Vulnerability management process includes the following activities;
- Periodic Scanning
- Analysis of Scan Results
- Delivery of Scan results to asset owners
- Remediation
271
Common Vulnerability Scoring System (CVSS)
Open framework that can be used to provide common methodology for scoring vulnerabilities
271
MITRE ATT&CK Framework
- Freely available knowledge base of adversary tactics, techniques, and attack models, adopted by organisations to better understand and defend against cyber attacks
- The matrix organises techniques by tactic, the adversary's goal at each stage of an attack; the Enterprise matrix's tactics are:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
271
Vulnerability Identification Techniques
Security Scan
One or more vulnerability scanning tools used to identify vulnerabilities on target systems
Penetration Test
Used to mimic a realistic attack
Social Engineer Assessment
An assessment of personnel's judgement: how well they recognise phishing and other social engineering attempts
272
Patch Management
- Practice of ensuring that IT systems, tools, and applications are kept at consistent version and patch levels
- Typically requires automated deployment to be fully successful
Secure Engineering and Development
- Security can add value at each stage of the development life cycle;
Conceptual
Security managers can bring guidance on multiple topics
Requirements
Security managers can add security, compliance, and privacy requirements while the requirements are being developed
Design
Security input can influence product design and influence how secure they are
Engineering and Development
Developers are likely to improve security in development when influenced by security
Testing
Security requirements written to be measurable and verifiable can be tested directly
Sustainment
Lifecycle periodic testing and analysis keeps security managers informed
273
E-mail protection
The following terms are used for different methods of delivering unwanted or fraudulent messages:
Business email compromise (BEC)
Phishing email sent to personnel claiming to be from the CEO or a senior executive, aiming to trick the recipient into an action such as a payment
Clone Phishing
A copy of a legitimate email message that has been subtly manipulated, e.g. a link redirected to an attacker-controlled site
Phishing
Unwanted emails that attempt to perpetrate fraud of some kind on the recipient
Smishing
Phishing messages sent via SMS messages - mobile devices and smartphones
Spear Phishing
Phishing messages specifically crafted for target group
Spim
Unwanted or phishing messages sent via instant messaging
Whaling
Phishing messages sent to key executives
282
Zero Trust Network Architecture
- A network and system design philosophy that focuses on system and data protection
- Trust is not granted implicitly but must be continually evaluated
- Several techniques;
- Device authentication
- Device Validation
- User authentication
- Resource Access
- Logging (SIEM utilising UBA)
284
Endpoint Protection and Management
Endpoints are favorite targets for cybercriminals
284
Configuration Management
Main techniques for effective endpoint management:
- Image management
- Configuration management
- Remote control
- Remote destruction (remote wipe)
- Data Encryption
285
Malware protection
Different types of malware;
Virus
Fragment of an executable file that is able to attach itself to other executable files
Trojan
Stand-alone program disguised as something legitimate; must be executed by the user to be activated
Macro
Executable code embedded within another file, e.g. a spreadsheet or document
Spyware
Malware that records one or more surveillance activities on target system
Worm
Stand-alone program that is able to propagate automatically within the network
Rootkit
Malware that hides itself from the operating system and antimalware tools in order to evade detection
Fileless
Malware that exists exclusively in computer memory
Ransomware
Malware that performs a destructive but reversible action, such as file encryption, and demands payment for the reversal
Destructionware
Malware whose destruction of data or systems is permanent and irreversible
Remote Access Trojan
Provides an attacker with covert remote access, visibility, and control of the infected system
Keylogger
Records end user key strokes on a target system
286
Identity and Access Management
Identity and Access Management is the business process and technologies used to manage the identities of workers and systems, as well as their access to systems and information
288
Identity and Access Management
Access Governance
Development of policies, business rules, and controls for access to information and assets
Access Operations
Day to day activities of IAM management i.e. provisioning new access accounts, adjusting access rights, resetting passwords etc.
Access Reviews
Management reviews access and confirms whether each user's access is still required and at the correct level
Segregation of Duties
Requiring that two or more people perform high-value and high-risk activities, making it difficult for an individual to defraud the company; e.g. the same person must not be able to request, approve, and pay a purchase order
Privileged and High Risk Roles
Systems typically have high-privilege and administrative roles. Frequent review of these accounts is required to ensure that as few people as possible have access
Activity Reviews
A review of which user accounts have and have not been active, followed by removal of unused or unnecessary accounts
Access Recertification
Where an access review is the review of users and if they still require access, access recertification reviews a list of users and their roles to determine if their access is still required
User Behavior Analytics
Individual users activities and behaviors are baselined and anomalous activity triggers events or alarms
291
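The segregation-of-duties and access-operations cards describe the policy; the following added example (not code from the flashcards or the textbook) shows the two ways it is usually enforced: a detective check that finds users already holding a toxic combination of roles, and a preventive check run at provisioning time that refuses a grant which would create one. The role names, conflict pairs and user list are constructed for the example.

```python
"""Added example (not from the flashcards): segregation-of-duties conflict
detection against a toxic-combination matrix. Roles, pairs and users are
constructed sample data."""
from itertools import combinations

# Constructed SoD matrix: unordered pairs of roles one person must not hold together.
TOXIC_PAIRS = {
    frozenset({"po_requester", "po_approver"}),
    frozenset({"po_approver", "ap_payment"}),
    frozenset({"po_requester", "ap_payment"}),
    frozenset({"vendor_master_edit", "ap_payment"}),
}

# Constructed user-to-role assignments, as an IAM system might export them.
ASSIGNMENTS = {
    "alice": {"po_requester", "po_approver"},                # one conflict
    "bob":   {"po_approver"},
    "carol": {"ap_payment", "vendor_master_edit"},           # one conflict
    "dave":  {"po_requester", "ap_payment", "po_approver"},  # three conflicts
    "erin":  {"reporting_readonly"},
}

def sod_violations(assignments, toxic_pairs):
    """Detective control: {user: sorted list of conflicting role pairs held}."""
    violations = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in toxic_pairs]
        if hits:
            violations[user] = sorted(hits)
    return violations

def proposed_grant_ok(assignments, toxic_pairs, user, new_role):
    """Preventive control for access operations: (ok, conflicting_roles).
    Refuse the grant when the new role conflicts with any role already held."""
    held = assignments.get(user, set())
    conflicts = sorted(r for r in held if frozenset({r, new_role}) in toxic_pairs)
    return (len(conflicts) == 0, conflicts)

if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS, TOXIC_PAIRS).items():
        print(f"{user}: {pairs}")
    print(proposed_grant_ok(ASSIGNMENTS, TOXIC_PAIRS, "bob", "ap_payment"))
```

The detective check is what an access review or recertification campaign would run over a full export; the preventive check is what a provisioning workflow calls before a request is approved. Keeping the matrix as data rather than code lets the business owner of the process, not the engineer, own the list of conflicting roles.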
Security Incident Management
- Security incident management is a set of activities undertaken to ensure quick identification of, and response to, security incidents
- Divided into two parts:
Proactive
* Development of policies, procedures, playbooks, training
Responsive
* Actual response to an incident, and post incident activities
292
Data Governance and Security
- Data Governance is a collection of management activities and policies
- Enforce business rules concerning access to and use of data
293
Data Security
Data security comprises the controls that seek to maintain the confidentiality, integrity, and availability of information
293
Data Security
Methods, techniques, or practices deployed to manage data security;
- Access management
- Backup and Recovery
- Data Classification
- Data Loss Prevention
- Cloud Access Security Broker
- Cryptography
293
Backup and Recovery
E-vaulting is the method of backing up systems and data electronically, over a network, to an offsite location
294
Backup and Recovery - Backup Schemes
3 main backup schemes used for backing up data
Full Backup
Complete copy
Incremental Backup
Copy of all data that has changed since last full or incremental backup
Differential Backup
Copy of all data that has changed since last full backup
294
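The three scheme definitions above are easier to weigh once you see what each one copies on each day and what a restore has to read back. As an added example (not code from the flashcards or the textbook), the block below simulates a week of constructed file changes after a Sunday full backup, builds the incremental and differential backup sets, and restores from each. File names and the change history are made up for the example.

```python
"""Added example (not from the flashcards): full/incremental/differential
backup simulation over a constructed week of file changes."""

# Constructed change history: files modified on each day. Day 0 is the full backup.
CHANGES = {
    0: {"a.txt", "b.txt", "c.txt", "d.txt"},   # every file exists at the full backup
    1: {"a.txt"},
    2: {"b.txt"},
    3: {"a.txt", "c.txt"},
    4: set(),                                   # nothing changed
    5: {"d.txt"},
}

def versions_as_of(changes, day):
    """{file: day it was last modified} for the state of the system on `day`."""
    versions = {}
    for d in sorted(changes):
        if d > day:
            break
        for f in changes[d]:
            versions[f] = d
    return versions

def backup_sets(changes, scheme):
    """{day: {file: version}} copied by each day's backup under `scheme`.
    Day 0 is always a full backup; later days follow the scheme."""
    days = sorted(changes)
    full_day = days[0]
    sets = {full_day: versions_as_of(changes, full_day)}
    for d in days[1:]:
        if scheme == "incremental":
            # everything changed since the previous (daily) backup
            sets[d] = {f: d for f in changes[d]}
        elif scheme == "differential":
            # everything changed since the last full backup, at its current version
            changed = set().union(*(changes[x] for x in days if full_day < x <= d))
            now = versions_as_of(changes, d)
            sets[d] = {f: now[f] for f in changed}
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return sets

def sets_needed(changes, scheme, target_day):
    """Which backup sets a restore to `target_day` must read, in order."""
    days = sorted(changes)
    full_day = days[0]
    if target_day == full_day:
        return [full_day]
    if scheme == "incremental":
        return [d for d in days if d <= target_day]   # full plus every incremental
    return [full_day, target_day]                     # full plus one differential

def restore(changes, scheme, target_day):
    """Rebuild the file state by applying the needed sets oldest to newest."""
    sets = backup_sets(changes, scheme)
    state = {}
    for d in sets_needed(changes, scheme, target_day):
        state.update(sets[d])      # newer sets overwrite older versions
    return state

def files_copied(changes, scheme):
    """Total files written across the week: a proxy for backup volume and window."""
    return sum(len(s) for s in backup_sets(changes, scheme).values())

if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        print(scheme, "copies", files_copied(CHANGES, scheme), "files;",
              "restore to day 5 reads sets", sets_needed(CHANGES, scheme, 5))
```

Both schemes restore the same end state, but the trade-off the cards only hint at becomes concrete: the incremental week writes nine file copies and a day-5 restore must read six sets in order (losing or corrupting any one of them breaks the chain), while the differential week writes seventeen copies and a restore needs only the full set plus the latest differential.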
Backup and Recovery - Backup Media Rotation Scheme
Backup media rotation schemes;
First in, First Out
The oldest available backup tape is the next one to be used in the backup rotation
Grandfather-father-son
The most common method: a full backup is run once a week (father) with incremental or differential backups on each other day of the week (sons), using dedicated tapes for Monday, Tuesday, Wednesday, etc.; a monthly full backup (grandfather) is retained longer
Towers of Hanoi
A complex but media-efficient rotation scheme that provides lengthier retention
Backup and Recovery - Backup Media Storage
To provide disaster recovery, backup media must be stored off site in a secure location
296
Backup and Recovery - Hot/Warm/Cold Sites
Hot Site
Data center infrastructure fully in place, almost a mirror of the actual data center
Kept in sync with the live data center, so failover has minimal impact and downtime
Warm Site
Office space and datacenter space available, with some pre-installed server hardware but the site does not provide mirroring of production site. Servers are ready for installation of software and media.
Cold Site
Office space or datacenter space without any server hardware pre-installed.
Provides essentials such as power, cooling and space but requires extensive engineering and IT resource to make ready in event of a disaster
Backup and Recovery - Media Records and Destruction
- Organisations need to keep meticulous records listing every backup volume, its location, and which data elements are backed up on it
- Good records management is needed to track which business records are on which media volumes
- Organisations must know which media can be removed or destroyed in compliance with retention policies and legal requirements
297
Backup and Recovery - Replication
- Up-to-date data exists in 2 or more storage systems
- Primary-backup replication - one-way, from a primary system to a replica
- Multiprimary replication - bidirectional, between two or more systems that can each accept writes
- Synchronous replication - a write completes only once the remote copy has it, guaranteeing the remote data is identical to the live system
- Asynchronous replication - writes are forwarded with a time lag, so there is no guarantee that the data on the two systems is identical at any instant
298
Data Classification
Data Classification policy defines sensitivity levels and handling procedures for protecting information
299
Data Loss Prevention
Data Loss Prevention defines capabilities by which movement and storage of sensitive data can be detected and controlled
299
Data Loss Prevention
- 2 main types of data loss prevent (DLP)
Static DLP
Scan unstructured storage systems for sensitive information
Effective at discovering sensitive information stored on file servers
Dynamic DLP
Detect and block movement of sensitive data
- Organisations require a thorough understanding of how sensitive data is stored and used
- DLP systems can block legitimate use of data where not implemented with good understanding of data
299
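The static-DLP card says such tools "scan unstructured storage for sensitive information", and the next bullet warns that a DLP system built without understanding the data will block legitimate use. The following added example (not code from the flashcards or the textbook) shows the smallest version of both points: a scan of constructed text files for payment card numbers, where a run of digits is only reported if it passes the Luhn check, so order numbers and timestamps that merely look like card numbers are not flagged. The regex, file contents and paths are assumptions for the example.

```python
"""Added example (not from the flashcards): a static-DLP style scan for
payment card numbers with a Luhn check as the false-positive control.
Patterns and sample files are constructed for the example."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def find_pans(text):
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan):
    """Never write the full number into a DLP report: keep only the last four."""
    return "*" * (len(pan) - 4) + pan[-4:]

# Constructed 'files' standing in for an unstructured file share.
FILES = {
    "share/finance/refunds.csv":
        "order,card,amount\n10234,4111 1111 1111 1111,19.99\n10235,5500-0000-0000-0004,5.00\n",
    "share/hr/notes.txt":
        "Ticket 1234567890123 opened 20240301093015 by bob\n",   # digit runs, not cards
    "share/eng/readme.md":
        "No card data here.\n",
}

def scan(files):
    """{path: [masked card numbers]} for every file containing at least one."""
    report = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            report[path] = [mask(p) for p in pans]
    return report

if __name__ == "__main__":
    for path, found in scan(FILES).items():
        print(path, found)
```

Only the finance CSV is reported, with both numbers masked; the HR note's ticket number and timestamp match the digit pattern but fail Luhn and are ignored. In practice the Luhn check alone is not enough (some non-card identifiers happen to pass it), so production DLP policies add context such as nearby keywords, issuer prefixes or a minimum count of matches per file before blocking anything.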
Digital Rights Management
Access control technologies used to control distribution and use of electronic content;
- Software licence keys
- Copy restriction
- Document read restriction (PDF and Office)
299
Cryptography
- Encryption is the application of cryptography that transforms readable data (plaintext) into an unreadable form (ciphertext)
- Its purpose is to hide the information from anyone who does not hold the key needed to reverse the transformation
299