3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides. Flashcards
Industry-standard Frameworks and Reference Architectures
The following are common security frameworks and reference architectures (documents that contain best practices) that have become industry-standard frameworks that organizations should follow:
NIST Cybersecurity Framework
Also known as NIST CSF, this framework helps organizations perform risk assessments and then develop administrative controls (security policies) to help create a more secure environment.
NIST SP 800-171
NIST Special Publication 800-171 is a recommended standard for protecting federal information while it is being processed, stored, and used on non-federal systems. This framework defines a number of technical controls that can be used to safeguard the information.
CIS Critical Security Controls
The Center for Internet Security (CIS) Critical Security Controls are a prioritized list of 20 recommended technical controls that should be implemented to help protect against different types of attacks.
ISO/IEC 27001 and 27002
ISO/IEC 27001 and 27002 each define a set of policies and procedures that are designed to help protect information systems. The frameworks focus on risk assessment in the initial stages and then identify controls to protect the assets from the risk.
As an information system security officer, you need to be familiar with any regulations that your organization falls under and determine if there is a particular security framework you are required to adhere to.
Industry-standard Frameworks and Reference Architectures - Regulatory
A regulatory framework is a set of best practices that your organization needs to follow to maintain compliance. An example of a regulatory framework is the Health Insurance Portability and Accountability Act (HIPAA), which enforces the protection of health data. Another example is the Payment Card Industry Data Security Standard (PCI DSS), which sets forth requirements for the protection of credit card data for organizations that process customer credit cards.
Industry-standard Frameworks and Reference Architectures - Non-regulatory
Nonregulatory frameworks are designed to give recommendations on security best practices. An example is the Federal Risk and Authorization Management Program (FedRAMP), which is an evaluation standard used to evaluate the risk of a cloud-based solution for the U.S. federal government.
Industry-standard Frameworks and Reference Architectures - National vs. International
There are a number of national and international frameworks that are designed to give recommendations and best practices on information security. For example, the Federal Information Security Management Act (FISMA) is U.S. legislation developed to protect government data and assets against disastrous threats, whether manmade or natural.
Industry-standard Frameworks and Reference Architectures - Industry-specific Frameworks
Many industries have a framework designed for the specific industry. For example, Basel III is an international framework for the banking industry.
Benchmarks/Secure Configuration Guides
Many security configuration guides have been developed over the years. They are designed to give organizations a benchmark for determining what is considered a secure configuration for a particular type of system. For example, the National Security Agency (NSA) has published a series of security configuration guides for different software and systems, available at https://www.iad.gov/iad/library/ia-guidance/security-configuration/index.cfm.
Many vendors create security configuration guides that address best practices for their OS or device.
Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides
Vendor-specific guides outline key security configuration steps that should be taken with that vendor’s specific products.
Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides - Web Server
There are security configuration guides that outline key steps to configuring a specific web server such as IIS or Apache.
Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides - Operating System
Operating system configuration guides outline key configuration steps to secure operating systems such as Windows, macOS, or Linux.
Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides - Application Server
An application server is a server such as Microsoft Exchange Server, SQL Server, or IBM WebSphere. There are security configuration guides that outline best practices for implementing and securing application servers.
Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides - Network Infrastructure Devices
There are a number of security guides for different vendor network devices such as switches, routers, and wireless access points.
Benchmarks/Secure Configuration Guides - General Purpose Guides
A general-purpose guide outlines general security practices that should be followed, such as patching systems, using a network firewall, or using a host-based firewall. These are great guides to follow for general security practices, but you would also want to find specific vendor guides for your products.
Defense-in-depth/Layered Security
Defense in depth (also known as layered security) refers to the security practice of implementing several layers of protection. You can’t simply take a single action, such as implementing a firewall or installing antivirus software, and consider yourself protected. You must implement security at several different layers. This way, if one layer fails, you still have additional layers to protect you.
Defense-in-depth/Layered Security - Vendor Diversity
Vendor diversity is the practice of implementing security controls from different vendors to increase security.
Many DMZs use two firewalls, and vendor diversity dictates the use of firewalls from different vendors. For example, one firewall could be a Cisco firewall and the other could be a Check Point firewall. If a vulnerability is discovered in one of these firewalls, an attacker might be able to exploit it. However, it’s unlikely that both firewalls would have a vulnerability at the same time.
Defense-in-depth/Layered Security - Control Diversity
Control diversity is the use of different security control types, such as technical controls, administrative controls, and physical controls.