5.2 Regulations, Standards, or Frameworks Flashcards
the process of monitoring and assessing systems, devices, and networks to ensure they comply with regulatory requirements, as well as industry and local cybersecurity standards.
• [this]
– Meeting the standards of laws, policies, and regulations
• A healthy catalog of regulations and laws
– Across many aspects of business and life
– Many are industry-specific or situational
• Penalties
– Fines, incarceration, loss of employment
• Scope
– Covers national, territory, or state laws
– Domestic and international requirements
Compliance
the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The [this] will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
• European Union regulation
– Data protection and privacy for individuals in the EU
– Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer’s IP address, etc.
• Controls export of personal data
– Users can decide where their data goes
• Gives individuals control of their personal data
– A right to be forgotten
• Site privacy policy
– Details all of the privacy rights for a user
GDPR - General Data Protection Regulation
an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB) to manage the ongoing evolution of [this] industry’s security standards with a focus on improving payment account security throughout the transaction process.
• [this]
– A standard for protecting credit cards
• Six control objectives
– Build and maintain a secure network and systems
– Protect cardholder data
– Maintain a vulnerability management program
– Implement strong access control measures
– Regularly monitor and test networks
– Maintain an information security policy
Payment Card Industry Data Security Standard (PCI DSS)
This defines policies and procedures for establishing and maintaining security controls. [this] clarifies processes used to protect an organization from cybersecurity risks. They help IT security professionals keep their organization compliant and insulated from cyber threats.
• Secure your data.
– Where do you start? What are the best practices?
– If only there was a book.
• Often a complex problem
– Unique organizational requirements
– Compliance and regulatory requirements
– Many different processes and tools are available
• Use a security framework
– Documented processes
– A guide for creating a security program
– Define tasks and prioritize projects
Security frameworks
nonprofit organization focused on improving public- and private-sector cybersecurity readiness and response.
• Center for Internet Security
– Critical Security Controls for Effective Cyber Defense (CIS CSC)
• Improve cyber defenses
– Twenty key actions (the critical security controls)
– Categorized for different organization sizes
• Designed for implementation - Written for IT professionals
– Includes practical and actionable tasks
Center for Internet Security (CIS)
provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems, and links to a suite of standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).
• [this]
– Mandatory for US federal agencies and organizations that handle federal data
• Six-step process
– Step 1: Categorize - Define the environment
– Step 2: Select - Pick appropriate controls
– Step 3: Implement - Define proper implementation
– Step 4: Assess - Determine if controls are working
– Step 5: Authorize - Make a decision to authorize a system
– Step 6: Monitor - Check for ongoing compliance
• National Institute of Standards and Technology Risk Management Framework (NIST RMF)
provides guidance on how to manage and reduce IT infrastructure security risk. It’s made up of standards, guidelines and practices that can be used to prevent, detect and respond to cyberattacks.
• [this]
– A voluntary commercial framework
• Framework Core
– Identify, Protect, Detect, Respond, and Recover
• Framework Implementation Tiers
– An organization’s view of cybersecurity risk and processes to manage the risk
• Framework Profile - The alignment of standards, guidelines, and practices to the Framework Core
National Institute of Standards and Technology - Cybersecurity Framework (NIST CSF)
an international standard created to guide corporate governance of information technology (IT). The standard provides broad guidelines and a framework of practices for IT oversight within an organization.
• ISO/IEC 27001
– Standard for an Information Security Management System (ISMS)
• ISO/IEC 27002
– Code of practice for information security controls
• ISO/IEC 27701
– Privacy Information Management Systems (PIMS)
• ISO 31000
– International standards for risk management practices
ISO/IEC frameworks
• International Organization for Standardization / International Electrotechnical Commission
a standard that auditors can use to review the controls of technology vendors and other service providers so that businesses using those vendors can be confident that the vendors’ controls—particularly those related to cybersecurity—won’t pose a risk to your own business.
• The American Institute of Certified Public Accountants (AICPA) auditing standard Statement on Standards for Attestation Engagements number 18 [this]
• SOC 2 - Trust Services Criteria (security controls)
– Firewalls, intrusion detection, and multi-factor authentication
• Type I audit
– Tests controls in place at a particular point in time
• Type II
– Tests controls over a period of at least six consecutive months
Statement on Standards for Attestation Engagements number 18 (SSAE 18) SOC 2 Type I/II
a nonprofit organization that promotes research into best practices for securing cloud computing and the use of cloud technologies to secure other forms of computing.
• Security in cloud computing
– Not-for-profit organization
• Cloud Controls Matrix (CCM)
– Cloud-specific security controls
– Controls are mapped to standards, best practices, and regulations
• Enterprise Architecture
– Methodology and tools
– Assess internal IT groups and cloud providers
– Determine security capabilities
– Build a roadmap
Cloud Security Alliance (CSA)
security measures that are implemented when building and installing computers and network devices in order to reduce unnecessary cyber vulnerabilities. Security misconfigurations are one of the most common gaps that criminal hackers look to exploit.
• No system is secure with the default configurations
– You need some guidelines to keep everything safe
• Hardening guides are specific to the software or platform
– Get feedback from the manufacturer or Internet interest group
– They’ll have the best details
• Other general-purpose guides are available online
Secure configurations
the process of increasing security on your server through a variety of means to result in a much more secure operating environment. [this] is one of the most important tasks to be handled on your servers.
• Access a server with your browser
– The fundamental server on the Internet
– Microsoft Internet Information Server, Apache HTTP Server, et al.
• Huge potential for access issues
– Data leaks, server access
• Secure configuration
– Information leakage: Banner information, directory browsing
– Permissions: Run from a non-privileged account, configure file permissions
– Configure SSL: Manage and install certificates
– Log files: Monitor access and error logs
Web server hardening
to minimize a computer’s exposure to current and future threats by fully configuring the operating system and removing unnecessary applications.
• Many and varied - Windows, Linux, iOS, Android, et al.
• Updates
– Operating system updates/service packs, security patches
• User accounts
– Minimum password lengths and complexity
– Account limitations
• Network access and security
– Limit network access
• Monitor and secure
– Anti-virus, anti-malware
Operating system hardening
a modern form of platform middleware. It is system software that resides between the operating system (OS) on one side, the external resources (such as a database management system [DBMS], communications and Internet services) on another side and the users’ applications on the third side.
• Programming languages, runtime libraries, etc.
– Usually between the web server and the database
– Middleware
• Very specific functionality
– Disable all unnecessary services
• Operating system updates
– Security patches
• File permissions and access controls
– Limit rights to what’s required
– Limit access from other devices
Application server
the components of a network that transport communications needed for data, applications, services, and multi-media. These devices include routers, firewalls, switches, servers, load-balancers, intrusion detection systems, domain name systems, and storage area networks.
• Switches, routers, firewalls, IPS, etc.
– You never see them, but they’re always there
• Purpose-built devices
– Embedded OS, limited OS access
• Configure authentication
– Don’t use the defaults
• Check with the manufacturer
– Security updates
– Not usually updated frequently
– Updates are usually important
Network infrastructure devices