3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides.

Question 1

Industry-standard Frameworks and Reference Architectures

Answer 1

The following are common security frameworks and reference architectures (documents that contain best practices) that have become industry-standard frameworks that organizations should follow:

NIST Cybersecurity Framework
Also known as NIST CSF, this framework helps organizations perform risk assessments and then develop administrative controls (security policies) to help create a more secure environment.

NIST SP 800-171 NIST
Special Publication 800-171 is a recommended standard for federal organizations to secure information while it is being processed, stored, and used on non-federal systems. This framework defines a number of technical controls that can be used to safeguard the information.

CIS Critical Security Controls
The Center for Internet Security (CIS) Critical Security Controls are top 20 recommendations on technical controls that should be used to help protect against different types of attacks.

ISO/IEC 27001 and 27002
ISO/IEC 27001 and 27002 each define a set of policies and procedures that are designed to help protect information systems. The frameworks focus on risk assessment in the initial stages and then identify controls to protect the assets from the risk.

As an information system security officer, you need to be familiar with any
regulations that your organization falls under and determine if there is a
particular security framework you are required to adhere to.

Question 2

Industry-standard Frameworks and Reference Architectures - Regulatory

Answer 2

A regulatory framework is a set of best practices that your organization needs to follow to maintain compliance. An example of a regulatory framework is the Health Insurance Portability and Accountability Act (HIPAA), which enforces the protection of health data. Another example is the Payment Card Industry Data Security Standard (PCI DSS), which sets forth requirements for the protection of credit card data for organizations that process customer credit cards.

Question 3

Industry-standard Frameworks and Reference Architectures - Non-regulatory

Answer 3

Nonregulatory frameworks are designed to give recommendations on security best practices. An example is the Federal Risk and Authorization Management Program (FedRAMP), which is an evaluation standard to evaluate the risk of a cloud-based solution for
the U.S. federal government.

Question 4

Industry-standard Frameworks and Reference Architectures - National vs. International

Answer 4

There are a number of national and international frameworks that are designed to give recommendations and best practices on information security. For example, the Federal Information Security Management Act (FISMA) is U.S. legislation developed to protect government data and assets against disastrous threats, whether manmade or natural.

Question 5

Industry-standard Frameworks and Reference Architectures - Industry-specific Frameworks

Answer 5

Many industries have a framework designed for the specific industry. For example, Basel III is an international framework for the banking industry.

Question 6

Benchmarks/Secure Configuration Guides

Answer 6

Many security configuration guides have been developed over the years. They are designed to give organizations a benchmark for determining what is considered a secure configuration for a particular type of system. For example, the National Security Agency (NSA) has published a series of security configuration guides for different software and systems, available at https://www.iad.gov/iad/library/ia-guidance/security-configuration/index.cfm.

Many vendors create security configuration guides that address best practices for their OS or device.

Question 7

Benchmarks/Secure Configuration Guides - Platform/Venfor-specific Guides

Answer 7

Vendor-specific guides outline key security configuration steps that should be taken with that vendor’s specific products.

Question 8

Benchmarks/Secure Configuration Guides - Platform/Venfor-specific Guides - Web Server

Answer 8

There are security configuration guides that outline key steps to configuring a specific web server such as IIS or Apache.

Question 9

Benchmarks/Secure Configuration Guides - Platform/Venfor-specific Guides - Operating System

Answer 9

Operating system configuration guides outline key configuration steps to secure operating systems such as Windows, macOS, or Linux.

Question 10

Benchmarks/Secure Configuration Guides - Platform/Venfor-specific Guides - Application Server

Answer 10

An application server would be a server such as Microsoft Exchange Server, SQL Server, or maybe IBM WebSphere. There are security configuration guides to outline best practices of application servers and their implementation.

Question 11

Benchmarks/Secure Configuration Guides - Platform/Vendor-specific Guides - Network Infrastructure Devices

Answer 11

There are a number of security guides for different vendor network devices such as switches, routers, and wireless access points.

Question 12

Benchmarks/Secure Configuration Guides - General Purpose Guides

Answer 12

A general-purpose guide outlines general security practices that should be followed, such as patching systems, using a network firewall, or using a host-based firewall. These are great guides to follow for general security practices, but you would also want to find specific vendor guides for your products.

Question 13

Defense-in-depth/Layered Security

Answer 13

Defense in depth (also known as layered security) refers to the security practice of implementing several layers of protection. You can’t simply take a single action, such as implementing a firewall or installing antivirus software and consider yourself protected. You must implement security at several different layers. This way, if one layer fails, you still have additional layers to protect you.

Question 14

Defense-in-depth/Layered Security - Vendor Diversity

Answer 14

Vendor diversity is the practice of implementing security controls from different vendors to increase security.

Many DMZs use two firewalls and vendor diversity dictates the use of firewalls from different vendors. For example, one firewall could be a Cisco firewall and the other one could be a Check Point firewall. If a vulnerability is discovered in one of these firewalls, an attacker might be able to exploit it. However, it’s unlikely that both firewalls would develop a vulnerability at the same time.

Question 15

Defense-in-depth/Layered Security - Control Diversity

Answer 15

Control diversity is the use of different security control types, such as technical controls, administrative controls, and physical controls.

Question 16

Defense-in-depth/Layered Security - Control Diversity - Administrative

Answer 16

Administrative controls such as vulnerability assessments and penetration tests can help verify that these controls are working as expected.

Question 17

Defense-in-depth/Layered Security - Control Diversity - Technical (& Physical - Bonus)

Answer 17

Technical security controls such as firewalls, intrusion detection systems (IDSs), and proxy servers help protect a network

Physical security controls can provide extra protection for the server room or other areas where these devices are located

Question 18

Defense-in-depth/Layered Security - User Training

Answer 18

User training also helps provide defense in depth. If users engage in risky behaviors, such as downloading and installing files from unknown sources or responding to phishing emails, they can give attackers a path into an organization’s network. However, providing regular training to users on common threats, and emerging threats, helps them avoid these types of attacks.