5.1/5.2 Flashcards
automation
involves generating a single task to run automatically without any human intervention
Automation could involve sending alerts to a security
information and event management (SIEM) system,
dynamically triggering a serverless function at a cloud
provider, or adding a record to a database when a
batch job is run
Orchestration
involves managing several or many
automated tasks or processes
orchestration (info)
As opposed to focusing on one task, orchestration combines all the individual tasks
Orchestration occurs with various technologies, applications, containers, datasets, middleware,
systems, and more
User and resource provisioning
Most modern
enterprises have tightly integrated Joiner and Mover
onboarding and provisioning processes that involve
automation between human resources, legal,
directory services, identity management (IdM), and
inventory engines
Guardrails
Cloud providers use JSON policies and Infrastructure as Code (IaC) to enforce least privilege policies and separation of duties to remove
certain application programming interface (API) calls from privileged groups and users
Security group firewalls
are layer 3/5 stateful packet
filters applied to either subnets or virtual instances
in hypervisors or cloud
Ticket creation and escalation
as part of a service
desk deployment will run scripts and automated
workflow:
* Software-defined networks (SD-LAN, SD-WAN, SDMAN)
benefits of automation
- Efficiency and productivity
- Time savings
- Enforcing baselines
- Standard infrastructure configurations
- Secure scalability
- Employee retention
- Reaction time
- Force multiplier
single point of failure (SPOF)
is a flaw in the design, configuration, or implementation
of the automation solution:
* If the automation solution is not redundant and
reliable, one loses the overall benefits
goals of incident response
Prevent the spread
Reduce the immediate impact
Protect and maintain ongoing operations
Support forensics, e-discovery, and
continuity of operations
Provide after-action reports and lessons learned
eradication
Potentially unwanted programs (PUPs) can be eradicated by
advanced antivirus and antimalware suites
testing incident response
Plan review (read-through)
Tabletop
Walk-through (exercise)
Simulation
Parallel
Full interruption
Plan review (read-through):
- Group discussion, plan auditing, and Delphi and
brainstorming sessions with stakeholders
Tabletop:
- Documented plans, diagrams, and logical
and virtual walk-throughs to eliminate gaps/errors
Walk-through (exercise):
- Planned rehearsals and drills
- Performed in stages and by department/building only
- Should find additional gaps to those found during
plan review and tabletop exercises
Simulation:
- Focus on specific scenarios and areas
- Use real business continuity plan (BCP) and disaster
recovery plan (DRP) resources (recovery sites)
and teams (swarm simulations)
- Test snapshot recovery and hot spares
- May be the highest-level test that most
organizations conduct
Parallel:
- Conduct a real-world drill while still operating
business
- Is more resource-intensive than simulations
Full interruption:
- Conduct real-world drill while ceasing business
activities
- Is cost-prohibitive for most organizations
Root cause analysis (RCA)
defined as a collective term that describes a wide range of approaches, tools, and techniques
used to uncover causes of problems
a function of the Problem Management IT
service practice
root cause
is defined as a factor that introduced a non-conformance in an application, service, or
system
RCA steps
define the problem
collect data
identify possible causal factors
identify the root causes
recommend and implement solutions
threat hunters
aka “hunt teams”
Involve groups of cyber investigators aggressively
seeking out threats on a network or system
Are often compliance or regulatory auditors
cyber kill chain
the succession of steps and phases used during a structured external or internal cyberattack
It is used by penetration testers and threat-hunting teams to better understand advanced persistent threats from exploits and malware attacks
why perform digital forensics?
- Laws have been violated
- Organizational policies have been violated
- Systems have been attacked
- Data and identity have been breached
- Intellectual property has been exfiltrated
- Privileged insiders are suspected of crimes
- It is the next incident response phase (root cause
analysis/problem management)
E-discovery
is innovative technology that has
emerged over the last decade to lower the risks and costs associated with big data, especially in litigation
and internal corporate and government investigations
The e-discovery process includes four phases:
- Identifying and collecting documents
- Sorting through data by relevance
- Creating production sets
- Managing data
order of volatility
- CPU and its cache
- Kernel statistics, tables, and caches
- Memory (RAM)
- Temporary file systems and swap/slack space
- Disk drives and volumes
- Attached removable drives
- Logged data to a remote location
- Copies of data to archived media/cloud
processing forensic evidence
- Detect encrypted files and volumes
- Discover compressed files and folders
- Perform validation and pattern matching
- Leverage regular expressions and metacharacters in forensic kits
- Filter for suspected user data
- Filter security identifiers (SIDs) on shared systems for privacy reasons
- Perform discovery of hidden data in slack space
- Extract only meaningful data
- Conduct traces and calibrated estimates to determine suspect(s)
chain of custody
ensures that the integrity of collected evidence remains intact in its original state
two important things about chain of custody:
date and time the evidence is collected and the location of artifacts
chain of custody involves:
strict procedures for collecting,
handling, and tagging evidence
Provides a history and timeline of
evidence handling
chain of custody maintains, provides and prohibits what?
- Maintains evidence integrity
- Provides accountability
- Prohibits tampering
legal hold
a process that an organization uses
to retain all forms of pertinent data and information when it reasonably expects some type of litigation against it, or some need for future utility in a court of law
forensic reporting
Should have as much information as necessary but not a “data overload”
May need to express in simpler terms or have different reports for different target audiences
* Provide electronic and physical documents of all findings
* Meet with proper authorities and possibly prepare to offer expert testimony
* Provide any needed clarification
* Identify overall impact on business and recommend any countermeasures
* Answer who, what, when, and how – important for court and other proceedings
data source logs
firewall
application
endpoint
OS-specific
IPS/IDS
network
firewall
can provide traffic data in layer 2
frames up to deep packet application inspection
using different outputs
application
for email, web, SharePoint, file,
directory, database servers, and more
endpoint
such as Palo Alto Cortex XDR
OS-specific
security logs from Windows, UNIX,
Linux, macOS, Solaris
IPS/IDS
logs, alerts, dumps, traps, informs
network
from infrastructure device, security
appliances, database activity monitors, and more
SOAR allows organizations to simplify and aggregate
security operations in three core areas:
- Threat and vulnerability management
- Incident response
- Security operations automation
Security automation involves:
performing security-related tasks without the need for human
intervention
- It includes defensive detection, response, and
remediation, or offensive vulnerability assessment
and penetration testing
These categories are then mapped to three types of playbooks for SOAR:
- Manual (series of manual tasks)
- Semi-automated (hybrid of automated and manual subtasks)
- Fully-automated (completely automated)
(SOAR) Four types of automation:
- Defensive (anything that tries to prevent the threat or risk)
- Forensic (anything that tries to retrieve additional evidence)
- Offensive (anything proactive that tries to investigate an asset)
- Deception (anything that retrieves or adjusts deception tools)
(SOAR) Three different categories of action:
- Enrichment (adding additional configuration management database
(CMDB) or environment data)
- Escalation (email, ticket escalation, Simple Notification Service (SNS), chat/messaging communication)
- Mitigation (the modification of device configuration)
security practitioner
must align all security
functions to a business’s strategy, value proposition, charters, goals, mission, and objectives
This alignment must permeate through all organizational processes including governance, steering committee charters, and corporate
initiatives to name a few
Security governance typically focuses on three
attributes or characteristics:
- Authority
- Decision-making
- Accountability
Security governance
as the rules
that protect the assets and continuity of an
organization
It includes mission statements, charters, declarations of value propositions, policies, standards, and procedures
Security governance activities
- Creating a risk register (ledger)
- Aligning security strategy with organizational goals
- Publishing all compliance and regulatory requirements
- Performing a vital role in risk assessment and management:
- Offering guidance into acquiring security controls to reduce risk
- Tracking and recording all compliance and remediation initiatives
- Documenting stakeholder interactions and reporting related
workflows
centralized governance
the higher positions of
management, such as executives and/or the C-suite,
hold the decision-making authority:
- It relies heavily on top-down decision-making
decentralized governance
management distributes the decision-making authority throughout the organization:
- Decisions are made closer to the source of action and information
- It is used in flatter, more projectized organizations
Board governance defines the roles and
responsibilities of board members and executives in
the form of a:
- Working board
- Governing board
- Advisory board
board of directors (BOD)
the governing body of an organization or company, whose members are
elected by shareholders (in the case of public
companies)
** Every public company must have a board of directors
The duties of the board of directors include:
setting strategy, overseeing executive management, and protecting the interests
of shareholders, bondholders, and other
stakeholders
steering committee
a group of key
organizational stakeholders that makes determinations regarding an organization’s priorities
or order of business, and manages its operations
general counsel
goal of a steering committee is to:
oversee and
support a project from the management level
Information Security Committee exists to:
offer recommendations to executive management and
team leads concerning security efforts undertaken
Cybersecurity and Infrastructure Security Agency (CISA)
leads the national effort to understand, manage, and reduce risk to
our cyber and physical infrastructure
United States Customs and Border Protection (CBP)
has the
mission to keep terrorists and their weapons out of the U.S.
along with securing trade and travel while enforcing regulations,
including immigration and drug laws
Office of Homeland Security Situational Awareness (OSA)
provides operations coordination, information sharing,
situational awareness, common operating picture, and executes
the DHS Secretary’s responsibilities across the homeland
security enterprise
Office of Intelligence and Analysis (I&A)
assists the Homeland
Security Enterprise with the timely intelligence and information
it needs to keep the homeland safe, secure, and resilient
Physical and logical asset owners may:
- Determine the classification level
- Conduct labeling and tagging
- Grant additional shares and rights
Custodians (controllers)
- They should maintain the assets from a technical and operational perspective
- Custodians often interact directly with owner stakeholders and answer to executive managers (C-suite)
custodians are often responsible for:
ensuring confidentiality,
integrity, authenticity, availability and non-repudiation of assets
stewards
- Will manage assets from a business perspective
- May interface with other departments such as legal,
human resources, mobile application, and digital asset managers
- Are more likely to deal directly with internal and external customers and stakeholders
stewards ensure:
compliance (standards and controls)
and data quality
officers are responsible for:
due diligence and adherence to
security governance
- They will often answer to steering committees and various boards
such as the BOD
Regulatory compliance
describes the actions an organization takes to comply with those rules and policies as part of its operations
best practices and guidelines
are like standards, but
are more flexible and not usually mandatory
standards allow:
information technology staff to
be consistent and systematic
Standards specify:
use of specific technologies
in a uniform way, because no one individual
practitioner can know everything
standards help to provide:
consistency in the enterprise,
because it is unreasonable to support multiple
versions of hardware and software unless
necessary
usually mandatory
policies establish:
a general framework within which to work and a guiding direction to take in the future
The function of a policy is to:
classify guiding
principles, direct behavior, and offer stakeholder
guidance and a security control implementation
roadmap
Sanctioned policy:
- The policy has the support of executive
management
- It requires visible participation and action,
ongoing communication and championing,
investment, and prioritization
Applicable policy:
- The policy is applicable to the organization
- Strategically, the information security policy must support the guiding principles and goals of the organization
- Tactically, it must be relevant to those who must comply
Realistic policy:
- The policy can be effectively executed
- Policies must represent the actual environment in
which they will be deployed
- Information security policies and procedures should only express what is achievable
- If the policy is to advance the organization’s guiding
principles, one can also assume that a positive
outcome is anticipated
A policy should never:
set up constituents for
failure but instead should offer a clear track for
success
Flexible policy:
- The policy can accommodate change and be adapted if necessary
- An adaptable information security policy recognizes that information security is not a static, point-in-time endeavor, but rather an ongoing
process designed to support the organizational mission
Comprehensive policy:
- The policy scope includes all relevant parties - it is inclusive
An information security policy must consider:
- Organization objectives
- International law
- Cultural norms of its employees
- Business partners, suppliers, and customers
- Environmental impacts
- Global cyber threats
Enforceable policy:
- The policy is statutory and is enforced
- Enforceable means that administrative, physical, or
technical controls can be put in place to support the
policy
- Compliance can be measured and, if necessary,
appropriate sanctions applied
Enforcement stages should be well-documented:
- Verbal reprimand
- Written warning
- Punitive actions
- Temporary suspension
- Permanent termination
- Legal actions
Standard and policy examples:
- Password
- Access control
- Physical security
- Encryption
- Information security
- Business continuity
- Disaster recovery
- Incident response
- Software development life cycle (SDLC)
- Change management
- Acceptable Use Policy (AUP)
Acceptable Use Policy (AUP)
Identifies how employees are expected to
use resources in the organization
AUP defines rules of behavior/code of conduct:
- Use proper and acceptable language
- Avoid illegal activities
- Avoid disturbing or disrupting other
systems
- Do not reveal personal information
- Do not reveal confidential information
Sample AUP categories
- Mobile device policy
- Virtual private network (VPN)/software-defined
perimeter (SDP) usage
- Operating systems and software
- Social media
- Removable media
- Augmented reality
- Personal cloud storage
- Clean desk
Procedures
usually required and are the lowest level of the policy chain
Procedure documents are longer and more
detailed than standards and guidelines documents
Standard operating procedure (SOP)
Are step-by-step instructions that define how workers carry out routine tasks
SOP can greatly improve:
- Efficiency
- Quality
- Performance
- Communication
- Compliance with regulations
SOP considerations
- Offer all the steps needed to complete the process
- Describe the purpose and limits of procedures
- Clarify concepts and terminology
- Consider health and safety issues
- List the location of all necessary supplemental resources
change management practice (change control practice)
reduces risk in security
policy by delivering a systematic approach to assess and manage proposed and subsequent changes
what three types of change does change control practice address?
- Normal changes (passwords)
- Standard changes (laptops replaced)
- Emergency changes (RFC, service desk)
what does change control practice assure?
that changes are carefully assessed for
possible impacts on project scope, schedule, and resources, allowing for informed decisions
onboarding (provisioning)
Provides assets, guidance, knowledge, skills, and
behavior needed for associated job roles:
- Videos, printed material, computer-based training
(CBT), lectures, formal and informal meetings, and
mentors