02. Information Security Control Implementation and Integrations (265) Flashcards

1
Q

InfoSec Control Implementation and Integrations

After a control has been designed and put into service, it needs to be managed throughout its life

265

A
2
Q

InfoSec Control Implementation and Integrations

Implementing a control designed to harden standards may take time, to ensure it does not adversely affect the performance, integrity, or availability of the affected system(s)

265

A
3
Q

Controls Development

  • Control Development is foundational to a security program
  • The security manager must understand intimately the organisation's mission, goals and objectives, and risk tolerance
A
4
Q

Controls Development from Scratch

Organisations developing their own controls from the ground up must first develop high-level control objectives, seen as overarching principles from which individual controls will be developed

266

A
5
Q

Developing Control Details

The security manager must develop several elements of each control

267

A

Control number
Index number assigned to control

Mapping
Relationship to other controls in other control frameworks

Title
Name

Control Objective
Desired activity

Narrative
Detailed description of the control

Scope
Locations, business units, departments

Risk
Risk that control intends to address

Owner
Business owner

Affected and Related Business Processes
Business processes related to control

Control Frequency
How often performed or used

Classification
Automatic or manual, preventive or detective, etc.

Measurements
Metrics, KPI

Testing procedure and Frequency
Steps to determine control effectiveness

Developed By
Person who developed control

Approved By
Person who approved control

Approval Date
Date control approved

Version
Version number

Cross References
Cross references to other controls, control frameworks, systems, documents, etc.

Modification History
List of changes

6
Q

Control Implementation

New control implementation should be guided by a formal process, with a new control having a:

  1. Control objective
  2. Design reviewed by stakeholders
  3. Test plan (results reviewed)
  4. Authorization to implement
  5. Change management process to plan implementation

268

A
7
Q

Control Implementation

  • Controls must have control owners, who are responsible for the operation of each control
  • New controls are audited or reviewed more frequently to ensure they are operating as expected

268

A
8
Q

Security and Control Operations

  • Controls in service will transition into routine operations
  • Control owners should try to be aware of problems
  • Modern information security control frameworks comprise multiple categories

268

A
9
Q

Security and Control Operations

Control frameworks comprise multiple categories:

  • Event monitoring
  • Vulnerability management
  • Secure Engineering and Development
  • Network protection
  • Endpoint Protection and Management
  • Identity and Access Management
  • Security Incident Management
  • Security awareness and training
  • Managed security services providers
  • Data Security
  • Business continuity planning

269

A
10
Q

Event Monitoring

  • Event Monitoring is the practice of examining security events that occur on information systems

Log Review
* An event log in an information system is examined

Centralised Log Management
* A practice where event logs on numerous systems are sent over the network to a central log server

Security Information Event Management (SIEM)
* Collects and analyses log data from many systems

Threat Intelligence Platform (TIP)
* Part of a modern SIEM that can receive and process threat intelligence information and correlate with received logs

Security Orchestration, Automation, and Response (SOAR)
* Orchestration refers to a scripted response automatically or manually triggered when a specific event occurs

269

A
11
Q

Vulnerability Management

  • Vulnerability management is the practice of periodically examining information systems to discover exploitable vulnerabilities, for the purpose of related analysis and decisions about remediation
  • Primary activity to reduce the likelihood of successful attacks
  • Organisations often establish SLAs for the maximum time allowed for remediation

270

A

Periodic Scanning
Analysis of Scan Results
Delivery of Scan results to asset owners
Remediation

12
Q

Vulnerability Management

The vulnerability management process includes the following activities:

  1. Periodic Scanning
  2. Analysis of Scan Results
  3. Delivery of Scan results to asset owners
  4. Remediation

271

A
13
Q

Common Vulnerability Scoring System (CVSS)

An open framework that can be used to provide a common methodology for scoring vulnerabilities

271

A
14
Q

MITRE ATT&CK Framework

  • Freely available knowledge base of threats, attack techniques and attack models, adopted and used by organisations to increase their understanding of and prevent cyber attacks
  • The matrix classifies threats into several areas, including:
  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege escalation
  7. Defense evasion
  8. Credential access

271

A
15
Q

Vulnerability Identification Techniques

Security Scan
One or more vulnerability scanning tools used to identify vulnerabilities on target systems
Penetration Test
Used to mimic a realistic attack
Social Engineering Assessment
An assessment of the judgement of personnel in the organisation, i.e. how well they recognise various phishing techniques

272

A
16
Q

Patch Management

  • Practice of ensuring that IT systems, tools and applications have consistent version and patch levels
  • Typically requires automation of deployment to be fully successful
A
17
Q

Secure Engineering and Development

  • Security can add value at each stage of the development life cycle:

Conceptual
Security managers can bring guidance on multiple topics
Requirements
Security managers can add security, compliance and privacy requirements to the requirements as they are being developed
Design
Security input can influence product design and therefore how secure products are
Engineering and Development
Developers are more likely to build security into what they develop when influenced by the security function
Testing
Requirements are developed in a way that makes them measurable and verifiable
Sustainment
Lifecycle periodic testing and analysis keeps security managers informed

273

A
18
Q

E-mail protection

The following terms are used for different kinds of unwanted messages:

Business e-mail compromise (BEC)
Phishing email sent to personnel claiming to be from the CEO or a senior executive, aiming to trick the end user into taking an action
Clone Phishing
A legitimate email message that has been subtly manipulated, e.g. by redirecting a URL
Phishing
Unwanted emails that attempt to perpetrate fraud of some kind on the recipient
Smishing
Phishing messages sent via SMS to mobile devices and smartphones
Spear Phishing
Phishing messages specifically crafted for a target group
Spim
Phishing messages sent via instant messenger
Whaling
Phishing messages sent to key executives

282

A
19
Q

Zero Trust Network Architecture

  • A network and system design philosophy that focuses on system and data protection
  • Trust is not granted implicitly but must be continually evaluated
  • Several techniques:
  1. Device authentication
  2. Device Validation
  3. User authentication
  4. Resource Access
  5. Logging (SIEM utilising UBA)

284

A
20
Q

Endpoint Protection and Management

Endpoints are favorite targets for cybercriminals

284

A
21
Q

Configuration Management

Main techniques for effective endpoint management:

  1. Image management
  2. Configuration management
  3. Remote control
  4. Remote Destruction
  5. Data Encryption

285

A
22
Q

Malware protection

Different types of malware:

Virus
Fragment of an executable file that is able to attach itself to other executable files
Trojan
Stand-alone program that must be executed to be activated
Macro
Executable code embedded within another file, e.g. a spreadsheet
Spyware
Malware that records one or more surveillance activities on target system
Worm
Stand-alone program that is able to propagate automatically within the network
Rootkit
Malware designed to evade detection by antimalware and OS
Fileless
Malware that exists exclusively in computer memory
Ransomware
Malware that performs a destructive but reversible action such as file encryption
Destructionware
Permanent destruction
Remote Access Trojan
Provides covert remote access, visibility and control
Keylogger
Records end user key strokes on a target system

286

A
23
Q

Identity and Access Management

Identity and Access Management is the business processes and technologies used to manage the identities of workers and systems, as well as their access to systems and information

288

A
24
Q

Identity and Access Management

Access Governance
Development of policies, business rules, and controls for access to information and assets
Access Operations
Day-to-day activities of IAM management, e.g. provisioning new access accounts, adjusting access rights, resetting passwords, etc.
Access Reviews
Management reviews access to confirm whether a user's access is still required and at the correct level
Segregation of Duties
Requiring that two or more people perform high-value and high-risk activities. Makes it difficult for individuals to defraud the company, e.g. the same person requesting a PO also raising the PO and paying it
Privileged and High Risk Roles
Systems typically have high-privilege and administrative roles. Frequent review of these accounts is required to ensure the fewest people possible have access
Activity Reviews
A review of which user accounts have and have not been active, removing unused or unnecessary accounts
Access Recertification
Where an access review is a review of users and whether they still require access, access recertification reviews a list of users and their roles to determine if their access is still required
User Behavior Analytics
Individual users' activities and behaviors are baselined, and anomalous activity triggers events or alarms

291

A
25
Q

Security Incident Management

  • Security incident management is a set of activities undertaken to ensure quick identification of and response to security incidents
  • Divided into 2 parts:

Proactive
* Development of policies, procedures, playbooks, training

Responsive
* Actual response to an incident, and post incident activities

292

A
26
Q

Data Governance and Security

  • Data Governance is a collection of management activities and policies
  • Enforce business rules concerning access to and use of data

293

A
27
Q

Data Security

Data security consists of controls that seek to maintain the confidentiality, integrity, and availability of information

293

A
28
Q

Data Security

Methods, techniques, or practices deployed to manage data security:

  • Access management
  • Backup and Recovery
  • Data Classification
  • Data Loss Prevention
  • Cloud Access Security Broker
  • Cryptography

293

A
29
Q

Backup and Recovery

E-Vaulting is the method of backing up systems and data to an offsite location

294

A
30
Q

Backup and Recovery - Backup Schemes

There are 3 main backup schemes used for backing up data:

Full Backup
Complete copy
Incremental Backup
Copy of all data that has changed since last full or incremental backup
Differential Backup
Copy of all data that has changed since last full backup

294

A
31
Q

Backup and Recovery - Backup Media Rotation Scheme

Backup media rotation schemes:

First in, First Out
The oldest available backup tape is the next one to be used in the backup rotation
Grandfather-father-son
The most common method, where a full backup is run once a week, then incremental or differential backups are run on each day of the week, with dedicated tapes for Monday, Tuesday, Wednesday, etc.
Towers of Hanoi
Complex but efficient scheme for producing lengthier retention

A
32
Q

Backup and Recovery - Backup Media Storage

To provide disaster recovery, backup media must be stored off site in a secure location

296

A
33
Q

Backup and Recovery - Hot/Warm/Cold Sites

Hot Site
Data center infrastructure fully in place, almost a mirror of the actual data center
Synchronised with the live data center, allowing for minimal impact and downtime
Warm Site
Office space and datacenter space available, with some pre-installed server hardware but the site does not provide mirroring of production site. Servers are ready for installation of software and media.
Cold Site
Office space or datacenter space without any server hardware pre-installed.
Provides essentials such as power, cooling and space but requires extensive engineering and IT resource to make ready in event of a disaster

A
34
Q

Backup and Recovery - Media Records and Destruction

  • Organisations need to keep meticulous records that list all backup volumes, their location, and what data elements are backed up on each
  • Organisations must maintain good records management to help them track which business records are on which media volumes
  • They must know which media can be removed in compliance with retention policies and legal requirements

297

A
35
Q

Backup and Recovery - Replication

  • Up-to-date data exists in 2 or more storage systems
  • Primary-backup replication - from one system to another system
  • Multiprimary replication - bidirectional between 2 or more systems
  • Synchronous Replication - guarantees data on the remote system is identical to the live system
  • Asynchronous Replication - time lag, no guarantee that data is identical between the 2 systems

298

A
36
Q

Data Classification

Data Classification policy defines sensitivity levels and handling procedures for protecting information

299

A
37
Q

Data Loss Prevention

Data Loss Prevention defines capabilities by which movement and storage of sensitive data can be detected and controlled

299

A
38
Q

Data Loss Prevention

  • 2 main types of data loss prevention (DLP):

Static DLP
Scan unstructured storage systems for sensitive information
Effective at discovering sensitive information stored on file servers

Dynamic DLP
Detect and block movement of sensitive data

-

  • Organisations require a thorough understanding of how sensitive data is stored and used
  • DLP systems can block legitimate use of data where they are not implemented with a good understanding of the data

299

A
39
Q

Digital Rights Management

Access control technologies used to control the distribution and use of electronic content:

  • Software licence keys
  • Copy restriction
  • Document read restriction (PDF and Office)

299

A
40
Q

Cryptography

  • Encryption is the method of applying cryptography that converts data into a code
  • Attempts to hide the information

299

A