02. Information Security Control Implementation and Integrations (265) Flashcards
InfoSec Control Implementation and Integrations
After a control has been designed and put into service, it needs to be managed throughout its life
265
InfoSec Control Implementation and Integrations
May take time when implementing a control designed to harden standards to ensure it does not adversely affect performance, integrity, availability of affected system(s)
265
Controls Development
- Control Development is foundational to a security program
- Security manager must understand intimately organisations mission, goals and objectives, risk tolerance
Controls Development from Scratch
For organisations developing their own controls from ground up must first develop high-level control objectives, seen as overreaching principles from which individual controls will be developed
266
Developing Control Details
Security manager must develop several elements of each control
267
Control number
Index number assigned to control
Mapping
Relationship to other controls in other control frameworks
Title
Name
Control Objective
Desired activity
Narraitive
Detailed description of the control
Scope
Locations. business units, departments
Risk
Risk that control intends to address
Owner
Business owner
Affected and Related business Process
Business processes related to control
Control Frequency
How often performed or used
Classification
Automatic or manual, preventive or detective etc…
Measurements
Metrics, KPI
Testing procedure and Frequency
Steps to determine control effectiveness
Developed By
Person who developed control
Approved By
Person who approved control
Approval Date
Date control approved
Version
Version number
Cross References
Cross references to other controls, control frameworks, systems, documents etc..
Modification History
List of changes
Control Implementation
New control implementation shuld be guided by a foral process, with a new control having a;
- Control objective
- Design reviewed by stakeholders
- Test plan (results reviewed)
- Authorization to implement
- Change management process to plan implementation
268
Control Implementation
- Controls must have control owners. They are responsible for operation of each control
- New controls audited or reviewed more frequently to ensure operating as expected
268
Security and Control Operations
- Controls in service will transition into routine operations
- Control owners should/try to be aware of problems
- Modern information security control frameworks comprise multiple categories
268
Security and Control Operations
Control Frameworks comprise multiple categories;
- Event monitoring
- Vulnerability management
- Secure Engineering and Development
- Network protection
- Endpoint Protection and Mangaement
- Identify and Access Management
- Security Incident Management
- Security awareness and training
- Managed security services providers
- Data Security
- Business continuity planning
269
Event Monitoring
- Event Monitoring is the practice of examining security events that occur on information systems
Log Review
* An event log in an information system is examined
Centralised Log Management
* A practice where event logs on numerous sytems are sent over network to a central log server
Security Information Event Management (SIEM)
* Collects and analyses log data from many systems
Threat Intelligence Platform (TIP)
* Part of a modern SIEM that can receive and process threat intelligence information and correlate with received logs
Security Orchestration, Automation, and Response (SOAR)
* Orchestration refers to a scripted response automatically or manually triggered when a specific event occurs
269
Vulnerability Management
- Vulnerability management is practice of periodically examining information systems to discover exploitable vulnerabilities for the purpose of related analysis and decisions about remediation
- Primary activity to reduce likelihood of successful attacks
- Organisations often establish SLA’s for maximum time required for remediation
270
Periodic Scanning
Analysis of Scan Results
Delivery of Scan results to asset owners
Remediation
Vulnerability Management
Vulnerability management process includes the following activities;
- Periodic Scanning
- Analysis of Scan Results
- Delivery of Scan results to asset owners
- Remediation
271
Common Vulnerability Scoring System (CVSS)
Open framework that can be used to provide common methodology for scoring vulnerabilities
271
MITRE ATT&CK Framework
- Freely available knowledge base of threats, attack techniques, attack models adopted and used by organistaions to increase their understanding of and prevent cyber attacks
- Matrix classifies threats into several areas
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege escalation
- Defense evasion
- Credential access
271
Vulnerability Identification Techniques
Security Scan
One or more vulnerability scanning tools used to identify vulnerabilities on target systems
Penetration Test
Used to mimic a realistic attack
Social Engineer Assessment
An assessment of the judgement of personnel in the organisation on how well they recognise various phishing techniques
272
Patch Management
- Practice of ensuring that IT systems, tools, applications have consistent version and patch levels
- Typically requiest automation of deployment to be fully successful
Secure Engineering and Development
- Security can add value at each stage of the development life cycle;
Conceptual
Security managers can bring guidance on multiple topics
Requirements
Security managers can add security, compliance, privacy requirements tp requirements are being developed
Design
Security input can influence product design and influence how secure they are
Engineering and Development
Developers are likely to improve security in development when influenced by security
Testing
Requirements are developed in a way that makes them measurable and verifiable
Sustainment
Lifecycle periodic testing and analysis keeps security managers informed
273
E-mail protection
The following terms are used for different methods of unwanted messages;
Business e-email compromised (BEC)
Phisning email sent to personnel claiming to be from CEO or senior exec aiming to trick end user into an action
Clone Phishing
Legitimate email message that has subtly been manipulated i.e. redirecting a URL
Phishing
Unwanted emails attempt to perpetrate fraud of some kind on the recipient
Smishing
Phishing messages sent via SMS messages - mobile devices and smartphones
Spear Phishing
Phishing messages specifically crafted for target group
Spim
Phishing messages sent via instant messenger
Whaling
Phishing messages sent to key executives
282
Zero Trust Network Architecture
- A network and system design philosophy that focuses on system and data protection
- Trust is not granted implicitly but must be continually evaluated
- Several techniques;
- Device authentication
- Device Validation
- User authentication
- Resource Access
- Logging (SIEM utilising UBA)
284
Endpoint Protection and Management
Endpoints are favorite targets for cybercriminals
284
Configuration Management
main techniques for effective endpoint management;
- Image management
- Configuration management
- Remote control
- Remote Destruction
- Data Encryption
285
Malware protection
Different types of malware;
Virus
Fragment of an executable file that is able to attach itself to other executable files
Trojan
Stand-alone program that must be executed to be activated
Macro
Executable file embedded within another file i.e. spreadsheet
Spyware
Malware that records one or more surveillance activities on target system
Worm
Stand-alone program that is able to propagate automatically within the network
Rootkit
Malware designed to evade detection by antimalware and OS
Fileless
Malware that exists exclusively in computer memory
Ransomware
Malware that performs destructive by reverisble action such as file encryption
Destructionware
Permanent destruction
Remote Access Trojan
Provides covert remote access visibility and control
Keylogger
Records end user key strokes on a target system
286
Identity and Access Management
Identity and Access Management is the business process and technologies used to manage the identities of workers and systems, as well as their access to systems and information
288
Identity and Access Management
Access Governance
Development of policies, business rules, and controls for access to information and assets
Access Operations
Day to day activities of IAM management i.e. provisioning new access accounts, adjusting access rights, resetting passwords etc.
Access Reviews
Management review access, confirm if users access is still required or correct level
Segregation of Duties
To require that two or more people perform high-value and high risk activities. Makes it difficult for individuals to defraud the company i.e. same person requesting a PO raises the PO and pays the PO
Privileged and High Risk Roles
Systems typically have high privilege and administrative roles. Frequent reviewing of accounts is required to ensure fewest amount of people possible have access
Activity Reviews
A review of which user accounts have and have not been active and removing unused or unncessary accounts
Access Recertification
Where an access review is the review of users and if they still require access, access recertification reviews a list of users and their roles to determine if their access is still required
User Behavior Analystics
Individual users activities and behaviors are baselined and anomalous activity triggers events or alarms
291
