3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides. Flashcards

1
Q

Industry-standard Frameworks and Reference Architectures

A

The following are common security frameworks and reference architectures (documents that contain best practices) that have become industry-standard frameworks that organizations should follow:

NIST Cybersecurity Framework
Also known as NIST CSF, this framework helps organizations perform risk assessments and then develop administrative controls (security policies) to help create a more secure environment.

NIST SP 800-171
NIST Special Publication 800-171 is a recommended standard for federal organizations to secure information while it is being processed, stored, and used on non-federal systems. This framework defines a number of technical controls that can be used to safeguard the information.

CIS Critical Security Controls
The Center for Internet Security (CIS) Critical Security Controls are a list of 20 recommended technical controls that should be used to help protect against different types of attacks.

ISO/IEC 27001 and 27002
ISO/IEC 27001 and 27002 each define a set of policies and procedures that are designed to help protect information systems. The frameworks focus on risk assessment in the initial stages and then identify controls to protect the assets from the risk.

As an information system security officer, you need to be familiar with any regulations that your organization falls under and determine if there is a particular security framework you are required to adhere to.

2
Q

Industry-standard Frameworks and Reference Architectures - Regulatory

A

A regulatory framework is a set of best practices that your organization needs to follow to maintain compliance. An example of a regulatory framework is the Health Insurance Portability and Accountability Act (HIPAA), which enforces the protection of health data. Another example is the Payment Card Industry Data Security Standard (PCI DSS), which sets forth requirements for the protection of credit card data for organizations that process customer credit cards.

3
Q

Industry-standard Frameworks and Reference Architectures - Non-regulatory

A

Nonregulatory frameworks are designed to give recommendations on security best practices. An example is the Federal Risk and Authorization Management Program (FedRAMP), which is an evaluation standard for assessing the risk of a cloud-based solution for the U.S. federal government.

4
Q

Industry-standard Frameworks and Reference Architectures - National vs. International

A

There are a number of national and international frameworks that are designed to give recommendations and best practices on information security. For example, the Federal Information Security Management Act (FISMA) is U.S. legislation developed to protect government data and assets against disastrous threats, whether man-made or natural.

5
Q

Industry-standard Frameworks and Reference Architectures - Industry-specific Frameworks

A

Many industries have a framework designed for the specific industry. For example, Basel III is an international framework for the banking industry.

6
Q

Benchmarks/Secure Configuration Guides

A

Many security configuration guides have been developed over the years. They are designed to give organizations a benchmark for determining what is considered a secure configuration for a particular type of system. For example, the National Security Agency (NSA) has published a series of security configuration guides for different software and systems, available at https://www.iad.gov/iad/library/ia-guidance/security-configuration/index.cfm.

Many vendors create security configuration guides that address best practices for their OS or device.

7
Q

Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides

A

Vendor-specific guides outline key security configuration steps that should be taken with that vendor’s specific products.

8
Q

Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides - Web Server

A

There are security configuration guides that outline key steps to configuring a specific web server such as IIS or Apache.

9
Q

Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides - Operating System

A

Operating system configuration guides outline key configuration steps to secure operating systems such as Windows, macOS, or Linux.

10
Q

Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides - Application Server

A

An application server is a server such as Microsoft Exchange Server, SQL Server, or IBM WebSphere. Security configuration guides exist that outline best practices for application servers and their implementation.

11
Q

Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides - Network Infrastructure Devices

A

There are a number of security guides for different vendor network devices such as switches, routers, and wireless access points.

12
Q

Benchmarks/Secure Configuration Guides - General Purpose Guides

A

A general-purpose guide outlines general security practices that should be followed, such as patching systems, using a network firewall, or using a host-based firewall. These are great guides to follow for general security practices, but you would also want to find specific vendor guides for your products.

13
Q

Defense-in-depth/Layered Security

A

Defense in depth (also known as layered security) refers to the security practice of implementing several layers of protection. You can’t simply take a single action, such as implementing a firewall or installing antivirus software, and consider yourself protected. You must implement security at several different layers. This way, if one layer fails, you still have additional layers to protect you.

14
Q

Defense-in-depth/Layered Security - Vendor Diversity

A

Vendor diversity is the practice of implementing security controls from different vendors to increase security.

Many DMZs use two firewalls, and vendor diversity dictates the use of firewalls from different vendors. For example, one firewall could be a Cisco firewall and the other one could be a Check Point firewall. If a vulnerability is discovered in one of these firewalls, an attacker might be able to exploit it. However, it’s unlikely that both firewalls would develop a vulnerability at the same time.

15
Q

Defense-in-depth/Layered Security - Control Diversity

A

Control diversity is the use of different security control types, such as technical controls, administrative controls, and physical controls.

16
Q

Defense-in-depth/Layered Security - Control Diversity - Administrative

A

Administrative controls such as vulnerability assessments and penetration tests can help verify that the organization’s other security controls are working as expected.

17
Q

Defense-in-depth/Layered Security - Control Diversity - Technical (& Physical - Bonus)

A

Technical security controls such as firewalls, intrusion detection systems (IDSs), and proxy servers help protect a network.

Physical security controls can provide extra protection for the server room or other areas where these devices are located.

18
Q

Defense-in-depth/Layered Security - User Training

A

User training also helps provide defense in depth. If users engage in risky behaviors, such as downloading and installing files from unknown sources or responding to phishing emails, they can give attackers a path into an organization’s network. However, providing users with regular training on common and emerging threats helps them avoid these types of attacks.