Chapter 11 - Implementing Policies to Mitigate Risks Flashcards
Separation of duties
prevents any single person or entity from controlling all the functions of a critical or sensitive process by dividing tasks between employees. Helps prevent potential fraud such as a single person printing and signing checks
Job rotation
a concept that has employees rotate through different jobs to learn the processes and procedures in each job; it helps prevent or expose dangerous shortcuts or even fraudulent activity. People would understand there is going to be some oversight if different people are rotating in and out of a certain role.
Supply chain
includes all the elements required to produce and sell products and services, and your supply chain can become an attack vulnerability.
Vendor diversity
policy that provides cybersecurity resilience. Using more than one vendor for the same supply reduces the organization’s risk if that vendor can no longer provide the product or service.
EOL
End of life
Generally refers to the date when a product will no longer be available for sale, ie a product’s shelf life
EOSL
End of service life
indicates the date when you expect a lack of vendor support because vendors no longer create patches or upgrades to resolve vulnerabilities for the product.
SLA
Service level agreement
An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Used when contracting services from service providers such as ISPs, and many SLAs include a monetary penalty if the vendor cannot deliver.
MOU
Memorandum of understanding
Sometimes called a memorandum of agreement (MOA), expresses an understanding between 2 or more parties indicating their intention to work together toward a common goal. Less formal than an SLA and does not include monetary penalties.
BPA
Business partners agreement
A written agreement that details the relationship between business partners, including their obligations towards the partnership. Can help settle conflicts when they arise.
MSA
Measurement systems analysis
Evaluates the processes and tools used to make measurements. Uses various methods to identify variations within a measurement process that can result in invalid results. A measurement system should produce the same values when measuring the same sample, otherwise it results in inaccurate data.
Incident response process
- Preparation
Occurs before an incident and provides guidance to personnel on how to respond to an incident, including establishing the incident response plan.
- Identification
All events aren’t security incidents, so when a potential incident is reported, personnel take the time to verify it is an actual incident.
- Containment
After identifying an incident, security personnel attempt to isolate or contain it and protect critical systems while maintaining business operations.
- Eradication
After containing the incident, it’s often necessary to remove components from the attack, such as malware installed on systems. May need to delete or disable compromised accounts.
- Recovery
Admins return all affected systems to normal operation and verify they are operating normally. Might include rebuilding systems from images, restoring data from backups, and installing updates. Also need to remove vulnerabilities.
- Lessons learned
Security personnel perform a lessons learned review.
SOAR
Security Orchestration, Automation and Response (SOAR) tools are used to respond to low-level security events automatically.
A SOAR platform is typically a combination of tools that can work together to detect and respond to suspicious activity.
Playbooks and runbooks
A SOAR platform uses playbooks and runbooks. Playbooks provide general guidelines, and a runbook provides the technical detail to implement the playbook guidelines.
EX:
Playbook documents the steps of formal procedures to follow for well-known incidents.
A runbook would implement the guidelines documented in the playbooks using the available tools within the organization, i.e. implementing a rule to quarantine or delete a phishing email if it has discrepancies in its header.
Chain of custody
Process that provides assurances that evidence has been controlled and appropriately handled after collection. Forensic experts establish a chain of custody when they first collect evidence to ensure the evidence presented in court is the same evidence the professionals collected.
The chain of custody documents who handled the evidence and when they handled it.
*A tag is placed on evidence items when they are identified.
Legal hold
refers to a court order to maintain different types of data as evidence, i.e. a court ordering a company to maintain digital and paper documents from the past 3 years related to a case.
Data retention policies apply here - if a policy is in writing to delete emails older than 6 months, that is ok if admins are following it. But if they didn’t follow it and have emails from 2 years ago, those need to be maintained.
Sequence of events
Forensic analysis seeks to determine the timeline of an event. Often uses interviews and event logs.
- Log entries include timestamps, which can easily determine exactly when an event occurred.
- It’s essential to consider time offsets based on how timestamps are recorded. Many use Greenwich Mean Time (GMT) or Coordinated Universal Time (UTC).
Right to audit clause
Clause that customers often require from cloud service providers since most customers don’t know exactly where their cloud data is stored.
Allows a customer to hire an auditor to review the cloud provider’s records, and can help ensure the CSP is implementing adequate security.
Regulatory jurisdiction
Relates to laws a company must abide by - if in the EU for example a company would need to follow GDPR (General Data Protection Regulation) as well as any relevant data breach notification laws.
Order of volatility
Refers to the order in which you should collect evidence: most volatile (i.e. least permanent) to least volatile.
- Cache
Cache memory, including the processor cache and hard disk cache. Data in the cache is removed as new data is used.
- RAM
- Swap or pagefile
A swap file is on the system disk drive and is an extension of RAM.
- Disk
- Attached storage (such as USB drives)
- Network
Servers and shared folders accessible by users, often used to store log files. These should have robust backup policies in place, making them the least volatile.
Snapshots and artifacts
Snapshots are used by security experts to capture data for forensic analysis; many tools can capture snapshots of memory (including cache memory), disk contents, cloud-based storage and more.
Forensic artifacts are pieces of data on a device that regular users are unaware of, but digital forensic experts can identify and extract. They include:
- web history
- recycle bin
- Windows error reporting
- RDP cache
Forensic tools
CAPTURING DATA:
- dd command (data duplicator):
available in Linux, a disk imaging tool used for forensics
- memdump (memory dump):
open source tool to capture and extract memory contents and digital artifacts; can dump any addressable memory space to the terminal or redirect the output to a dump file
- WinHex:
Windows-based hexadecimal editor used for evidence gathering, data analysis, editing, recovery of data and data removal
- FTK Imager:
Part of the Forensic Toolkit (FTK) sold by AccessData; can capture an image of a disk as a single file or multiple files and save the image in various formats; you can also create images of individual folders or files
- Autopsy:
A GUI digital forensics platform allowing users to add CLI utilities from The Sleuth Kit (TSK); used on both Windows and Linux
Provenance
refers to tracing something back to its origin. In digital forensics, hashes and checksums allow you to prove the analyzed copy of data is the same as the original data, which is required if the file is to be admissible in court.
After using dd to create a disk copy, you can use the sha1sum command to create hashes of the original and the copy and compare them.
eDiscovery
Electronic discovery is the identification and collection of electronically stored information; files of any kind, including VMs, social media entries, etc.
Also includes metadata:
- file
- email
- web
- mobile
Data recovery
restoring lost data such as restoring a corrupt file from a backup; in forensics, even without backups it’s possible to recover data that a user has intentionally or accidentally deleted. Forensics experts have tools to undelete files and unformat drives.
Impact assessment
Helps an org understand the value of data by considering the impact if it is lost or released to the public.
Data governance
refers to the processes an organization uses to manage, process and protect data. Some methods help ensure or improve the quality of the data, others are driven by regulations; all need to ensure that critical data elements are identified.
- HIPAA
- GLBA (Gramm-Leach-Bliley)
Also known as the Financial Services Modernization Act; requires notifying users of the privacy policy.
- SOX (Sarbanes-Oxley)
Execs at companies have to take individual responsibility for financial reports.
- GDPR
EU law protecting PII and privacy of EU citizens regardless of the location of the org. Also mandates the use of privacy notices on websites.
Data minimization
a principle requiring organizations to limit the information they collect and use
Data masking
refers to modifying data to hide the original content, usually to protect sensitive information such as PII. The process retains usable data but converts it to inauthentic data.
Substitution is one method used in data masking, and data masking processes may go through several passes of substitution.
Anonymization
Modifies data to protect privacy of individuals by removing all PII within a data set. The goal is to remove any data that can be traced back to an individual while maintaining other data within the dataset.
Can be useful for medical data and studying results without revealing PII.
Pseudo-anonymization
Replaces PII and other data with pseudonyms or artificial identifiers. Appears anonymous to outsiders but anyone with the separate data matching the pseudonyms with the original data set can reverse the process and re-create the original data.
Tokenization
Replaces sensitive data elements with a token, i.e. a substitute value used in place of the sensitive data. The tokenization system can convert the token back to its original form.
Used for credit cards at POS terminals. A phone passes credit card data to a tokenization system and requests a token; the system stores the token and the credit card data. When the user makes a charge, the phone app sends the token to the credit card processor, who then sends the token to the tokenization system to retrieve the credit card data and process the charge.
Data sanitization
methods that ensure that data is removed or destroyed from any devices before disposing of the device. Methods include:
- file shredding
- wiping
- erasing and overwriting
- paper shredding
- burning
- pulping
- pulverizing
- degaussing
- third-party solutions
Data owner
responsible for ensuring adequate security controls are in place to protect the data.
Data controller
Determines why and how personal data should be processed.
Data processor
Uses and manipulates the data on behalf of the data controller.
Data custodian/steward
responsible for routine daily tasks such as backing up the data
Data protection officer
acts as an independent advocate for customer data