ICS1 Flashcards
Regulations, Standards, Framework
Application of Information Technology is the systematic implementation of…
Hardware and software so data can be:
- Transmitted
- Modified
- Accessed
- Stored securely and efficiently
Name three NIST Frameworks
-NIST Cybersecurity Framework
-NIST Privacy Framework
- NIST 800-53 Security and Privacy Controls for Information Systems and Organizations
NIST Cybersecurity Framework primary components
Voluntary framework
1. Framework Core
2. Framework implementation tiers
3. Framework profile
Purpose of NIST CSF
To develop a set of plain language controls for protection of IT infrastructure
What are the NIST CSF Framework Core Areas of Focus
- Identify
- Protect
- Detect
- Respond
- Recover
What is the purpose of the NIST CSF Framework Core Focus Areas?
Things to help develop a program to identify, assess, and manage cybersecurity risks in a cost-effective and repeatable manner. Each core area represents a point in the security risk management life cycle, and the areas are performed concurrently.
NIST CSF - Core Area - IDENTIFY
Keep record of:
- Assets used to support information processing operations
- Users both internal and external
- Systems
NIST CSF - Core Area - PROTECT
Focuses on:
- Safeguards and access controls for networks, applications, and other devices
- Updates to security software
- Encryption of information
- Data backups
- Plans for disposing of files/devices
- User training
NIST CSF - Core Area - DETECT
Deploy tools to:
- Detect active attacks
- Monitor network access points, devices, unauthorized personnel access, and high-risk employee behavior or use of high-risk devices
NIST CSF - Core Area - RESPOND
Develop response policies addressing how to:
- contain a cybersecurity event
- react using planned responses to mitigate losses
NIST CSF - Core Area - RECOVER
Restoration of network to normal operations through:
- repairing equipment
- restoring backup files/environments
- positioning employees to rebound with the right responses
1 NIST CSF - Categories/Subcategories of Functions or Core Areas
Core areas have categories that are tied to specific activities/company needs,
and are further divided into subcategories of management and technical activities to help achieve outcomes.
NIST CSF - Implementation Tiers - purpose
Provides a measure of an organization's information security infrastructure sophistication.
The 4 tiers act as a benchmark to identify the degree to which information security practices are integrated throughout an organization.
How does an organization determine its implementation tier?
Based on perception of its own risk given the cybersecurity policies in place.
NIST CSF Implementation Tiers vs. Framework Profiles?
Profiles determine success or failure of the information security implementation.
Tiers inform the org as to the effectiveness of those profiles.
1 NIST CSF - Implementation Tiers - List Them
Divided into four levels:
1. Partial (Lowest)
2. Risk-Informed
3. Repeatable
4. Adaptive
NIST CSF - Implementation Tiers - division
Tiers are subdivided into:
1. Risk Management process
2. Risk management program integration
3. External participation
NIST CSF Implementation Tier - Partial
Incident mgmt is not incorporated into processes.
RM Process/Program Integration - RM is ad hoc/reactive.
External Participation - corporate cybersecurity is isolated and does not evaluate external risks.
NIST CSF - Implementation Tier - Risk Informed
Involves cybersecurity awareness but not managed security.
RM Process - cybersecurity prioritization is based on org. risk, and mgmt approves cybersecurity efforts; CS may be isolated from org processes.
Awareness that environmental security risks impact the org, but inconsistent actions to respond to risk.
NIST CSF - Implementation Tier - Repeatable
Integrated into planning and regularly communicated.
RMP - cybersecurity planning is in policies.
RMPM - org-wide risk approach.
External participation - org collaborates with and contributes to the security community and governance structures to manage cyber risk.
NIST CSF Implementation Tier - Adaptive
RMP - Org. cybersecurity is based on iterative improvement from incidents and is responsive to evolving threats.
RMPM - org-wide affair; cyber risk is prioritized relative to other risks.
External participation - robustly participates in external info sharing and frequently contributes to the community.
1 NIST CSF - Framework profiles - purpose
Mechanism by which companies measure cybersecurity risk and decide how to minimize it; implementation guides with industry insights.
Should consider: org goals, industry goals, legal/reg requirements, best practices, RM priorities.
1 NIST CSF - Framework profiles - Categories
Current profile - current state of org. RM
Target profile - desired future state
Gap analysis - differences between the two
1 NIST Privacy Framework
To protect individuals' data as used in data processing applications; applies to any industry.
What concepts are present in both the NIST Cybersecurity Framework and the Privacy Framework?
Similar structures and RM approaches, but applied to each subject matter differently.
Identify, Protect
1 NIST Privacy Framework - Core
Identify, Govern, Control, Communicate, Protect
1 NIST Privacy Framework - Core - Identify
What are the privacy risks related to data processing?
Inventory/mapping, business env., RA, data processing ecosystem RM.
1 NIST Privacy Framework - Core - Govern
What is the best governance structure?
Governance P&P, RM strategy, awareness/training, monitoring and review.
1 NIST Privacy Framework - Core - Control
What is the best management structure?
- data processing P&P, mgmt, and disassociated processing.
1 NIST Privacy Framework - Core - Communicate
How to drive dialog around privacy risk related to data processing activities.
1 NIST Privacy Framework - Core - Protect
What safeguards should be in place? Five categories:
- data protection P&P
- identity mgmt, authentication and access control
- data security
- maintenance
- protective technology
NIST Privacy Framework Core - subdivisions
Functions are subdivided into categories to address privacy program considerations, and further subdivided to sub-categories.
1 NIST Privacy Framework profile
Mirrors Cybersecurity framework (current, target, gap analysis)
1 NIST Privacy Framework Implementation Tiers
Mirrors cybersecurity framework (partial, risk informed, repeatable, adaptive)
1 NIST SP 800-53 - what is it
Set of security and privacy controls applicable to all info systems, and the standard for federal info security systems.
1 NIST SP 800-53 purpose
Designed for protecting info systems against sophisticated threats.
Establishes controls for systems/orgs that can be implemented within an org/system that processes, stores or transmits information.
Helps to identify the security and privacy controls needed to manage risk and satisfy the requirements of OMB A-130 and FISMA.
1 Office of Management and Budget Circular A-130
Requires controls for federal info systems.
1 Federal Information Security Modernization Act (FISMA)
Requires implementation of minimum controls to protect federal info and info systems.
1 Target Audience of NIST SP 800-53
- System admins: individuals with system, info security, privacy, or RM and oversight responsibilities
- System developers: program managers, engineers, developers
- Logistical personnel: procurement, system integrators, property managers
- Security/privacy personnel and assessment and monitoring personnel
- Commercial entities (3rd-party vendors) producing products/systems/services that support security or privacy
1 NIST SP 800-53 Organizational Responsibilities
- Well-defined security and privacy requirements for systems/orgs
- Use of trustworthy system components
- Rigorous security and privacy planning and system development life cycle mgmt
- Application of security and privacy practices for the integration of info systems
- Documented practices
- Continuous monitoring of info systems to evaluate effectiveness of controls
1 NIST SP 800-53 Control Families
They cover org. risk and are subdivided into controls and control enhancements. Controls must be implemented for family conformance; enhancements are best practices (some recommended, some required for baseline conformance).
1 NIST SP 800-53 Control Implementation approaches
3 approaches, selected on a per-control basis:
- Common - inheritable; controls implemented at the org. level and adopted by info systems
- System Specific - implemented at the info system level
- Hybrid - org level where appropriate and the remainder at the system level
2 Privacy laws
Regulate how those entrusted with private information collect, process, maintain and disclose it.
2 General Data Protection Regulation
EU-enacted comprehensive data privacy law that governs how all those entrusted with personal data handle that info.
Imposes steep penalties and fines.
2 Where does GDPR apply?
Data processors based in the EU, those offering services to people in the EU, or where public international law applies.
2 GDPR Principles
- Lawfulness, Fairness, Transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity/Confidentiality
2 Safe Harbor Framework
Supported transatlantic commerce (EU/US data transfers).
Declared invalid by the EU and replaced with Privacy Shield, which was also invalidated.
2 four categories of costs incurred for data breach
- Detection/escalation
- notification
- Response
- Loss of business/revenue (during downtime)
2 HIPAA covered entities
Health care providers that transmit info electronically, health plans, health care clearinghouses, and business associates (service providers who need access to PHI).
2 Who can PHI be disclosed to w/o permission?
- the individual
- for treatment, payment, and health care operations
- incident to an otherwise permitted use and disclosure
- with valid authorization
- redacted (de-identified) for research, public health or health care ops
- public interest and benefit activities provided by law
2 Under HIPAA, for electronic PHI, covered entities MUST
- ENSURE confidentiality, integrity and availability of electronic PHI
- PROTECT against reasonably anticipated threats to the security of info and against impermissible uses or disclosures
- ENSURE compliance by the workforce
2 HIPAA - Administrative Safeguards
- Security mgmt processes
- Assigned security responsibilities
- Workforce security
- Info access mgmt
- Security awareness/training
- Security incident procedures
- Contingency plans
- Evaluation
2 HIPAA - Physical Safeguards
facility access, workstation use/security, device/media controls
2 HIPAA - Technical Safeguards
access controls, audit controls, data integrity controls, person/entity authentication, transmission security
2 HITECH
Health Information Technology for Economic and Clinical Health Act
Amended HIPAA to increase penalties, give patients the option to obtain records electronically, add business associates as covered entities, and add the breach notification rule.
2 HITECH - Breach Notification Rule
Within 60 days to impacted people
2 Payment Card Industry Data Security Standards (PCI DSS)
Data protected includes cardholder data and authentication data (together, account data).
Six goals and 12 requirements
1. Build/maintain a secure network and systems
2. Protect account data
3. Maintain a vulnerability mgmt program
4. Implement strong access control measures
5. Regularly monitor/test networks
6. Maintain an info sec policy
3 Center for Internet Security Controls (CIS) - define
Recommended set of actions, processes and best practices to strengthen cybersecurity defenses.
(Supported by the SANS Institute)
Controls are task-focused and organized by activity (instead of by who manages the device): a total of 18 controls and 153 subcategories of safeguards.
3 CIS Design Principles
- Align - controls should map to other top CS standards
- Measurable - simple, measurable, and avoid vague language
- Offense Informs Defense - controls drafted based on real events
- Focus - help prioritize the most critical problems rather than resolving every issue
- Feasible -
3 CIS Implementation
Implementation of CIS can be tailored to org. size by using one of three implementation groups; these are self-assessed categories that identify the subset of CIS controls that are critical to adopt given the org's size.
3 CIS Implementation Groups - 1
Small or medium-sized orgs that have limited cybersecurity defense mechanisms in place.
Main focus - keep operational, since limited expertise, no sensitive data, and can't sustain long periods of downtime.
CIS Implementation Group 2
Orgs that have IT staff who support departments that have various risk profiles.
Sensitive client data and can tolerate short term disruption.
Biggest concern - loss of trust
CIS Implementation Group 3
Orgs that have security experts in all domains within CS.
Sensitive data assets subject to compliance or regulatory oversight.
Attacks would cause significant damage to the company/public.
3 CIS Control 1 - Inventory and Control of Enterprise Assets
- Helps organizations actively track/manage all IT assets that connect to the IT infrastructure physically, virtually, or via cloud. Also focuses on external devices connecting via guest network.
- Gives visibility into how data flows and which devices contain sensitive data, to help prioritize security/maintenance.
3 CIS Control 1- challenges w/ inventory
Portable end-user devices that periodically connect to the network and then disappear make it hard to have a holistic view of inventory.
3 CIS Control 2- Inventory and Control of Software Assets
Track and actively manage all software applications so that only authorized software is installed on company devices.
- Guidance on finding unmanaged and unauthorized software already installed so it can be removed and remediated.
Control lists and policies should be in place
(operating systems, programming software, business applications, drivers, open-source software, some firmware).
What does a software control list help with?
Info on whether software patches are installed, whether applications reaching end-of-life support are renewed or transitioned out, and whether needed safeguards are in place.
3 CIS Control 3 - Data Protection
Develop ways to securely manage the entire life cycle of data, from the initial identification and classification of data to its disposal.
Must identify, archive, label, and classify data to understand the implications of data being lost or compromised.
3 CIS Control 3 - Data Protection - data classification categories
Labeled at discretion of the enterprise and should be assigned based on sensitivity (i.e. internal, public, sensitive, and confidential)
3 CIS Control 3 - Data Protection - data mapping
After sensitivity is defined, a mapping should be developed to identify the software that accesses the data, and to allow data of a sensitive classification to be consolidated onto one network.
3 CIS Control 4 - Secure Configuration of Enterprise Assets and Software
Establish and maintain secure baseline configurations for enterprise assets (hardware/software - network devices, mobile/end user, IoT, operating systems).
3 Problem with applications?
Many are sold with preconfigured settings that can present vulnerabilities; therefore there should be control activities to assess configurations, modify them, and move to continuous monitoring.
3 What are good tools to assess asset configurations?
CIS Benchmark Program or NIST National Checklist Program Repository
3 security hardening
Process of making an organization less vulnerable to attacks; examples include removing unused software, closing network ports, changing default passwords, and turning off non-essential services.
3 CIS Control 05: Account Management
Best practices for managing credentials and authorization for user accounts, privileged user accounts, and service accounts for hardware/software.
3 What are actions related to CIS Control 05: Account Management?
- Central account mgmt, acceptable use policy and account safety guidelines, treating credentials as sensitive info, training for users, password requirements, controls for inactivity, and account lockouts.
3 CIS Control 06: Access Control Management
Specifies the types of access that user accounts should have.
3 What principle should be followed for user access?
Least privilege or "need to know":
only what is needed to do the job.
3 What are actions related to CIS Control 06: Access Control Management?
Protocols for granting and revoking access, MFA or privileged account management for security, and a comprehensive solution for provisioning and de-provisioning access.
3 CIS Control 07: Continuous Vulnerability Management
Assists in continuously identifying and tracking vulnerabilities within the infrastructure so they can be remediated, eliminating weak points/windows of opportunity.
Zero-day exploits:
unknown vulnerabilities - no known solution to the weak point.
3 What can be used to help determine vulnerability impact?
Classification schemes like the Common Vulnerability Scoring System (CVSS) or Common Vulnerabilities and Exposures (CVE).
3 CIS Control 08: Audit Log Management
Establishes an enterprise log management process so that organizations can be alerted to and recover from an attack in real time using log collection and analytic features.
3 CIS Control 09: Email and Web Browser Protections
How to detect and protect against cybercrime attempted through email or the internet by engaging with employees (EE).
3 Actions related to CIS Control 09: Email and Web Browser Protections
Policies and tools to enforce URL filtering, block certain file types, and restrict user add-ons.
URL filtering can be done by Domain Name System (DNS) filtering, which blocks users from accessing certain domains on a blocklist.
4 CIS Control 10: Malware Defenses
Prevent the installation and propagation of malware onto company assets and the network. Endpoint assets and devices can be leveraged as entry points and targets.
4 What is malware?
Viruses, worms, spyware, adware, keyloggers, ransomware.
Can cause damage by stealing intellectual property or log-ins, destroying data, or encrypting data for ransom.
4 Anti-malware
Solution should be centrally managed, maintained, and deployed to all potential entry points.
Autorun/autoplay features should be disabled.
4 LotL
Living-off-the-land approach minimizes the likelihood an attacker will get caught by using the organization's existing tools against it; gives defenders a short window.
4 CIS Control 11: Data Recovery
Establishes data backup, testing, and restoration processes that allow organizations to effectively recover company assets to a pre-incident state.
Backup and restoration methods will be based on data value, sensitivity, classification, and retention requirements.
4 Actions related to CIS Control 11: Data Recovery
Automating the backup process, off-site storage and encryption. These should be tested once per quarter, restoring into a test bed environment.
4 CIS Control 12: Network Infrastructure Management
Procedures and tools for managing and securing a company's network infrastructure (both physical and virtual devices: firewalls, gateways, routers, switches, wireless access points).
4 Actions for CIS Control 12: Network Infrastructure Management
Network architecture documentation/diagrams should be kept up to date to reflect network topology and layout.
Should include critical vendor contract info to increase the likelihood of timely upgrades/patches.
Monitor for end-of-life network components to make upgrades or apply mitigating controls.
Continuously identify and remediate insecure default network config settings, misconfigured networks, insecure protocol usage, and outdated network software.
4 CIS Control 13: Network Monitoring and Defense
Processes for monitoring and defending network infrastructure against threats.
4 Denial of Service
One of the ways networks are attacked.
DoS - gaining access to a network and overloading it with traffic so it is rendered useless.
How to defend against DoS and Ransomware
Establish event logging and alerting mechanisms and tools, such as security information and event management (SIEM), to help centralize and assist in log analysis.
Traffic flow monitoring, alerting and detection safeguards can also be implemented (network intrusion prevention system, next-gen firewall, data loss prevention, endpoint detection systems).
4 CIS Control 14: Security Awareness and Skills Training
Guides in establishing a security awareness and training program to reduce cybersecurity risk.
4 CIS Control 15: Service Provider Management
Develop processes to evaluate 3rd-party service providers that have access to data or manage IT functions.
4 Actions for CIS Control 15: Service Provider Management
Processes to oversee the service provider life cycle.
Providers should be assessed, and their performance and standards catalogued, from initial engagement through decommissioning for adherence to security standards, protocols, and best practices. SOC audit reports can be used.
4 CIS Control 16: Application Software Security
Safeguards that manage the entire life cycle of software that is acquired, hosted or developed, to detect, deter and resolve cybersecurity weaknesses before they are exploited.
Types of software vulnerabilities
- Buffer overflows
- Cross-site scripting (XSS) - injecting content and code into a website to take it over
- SQL injection - crafted SQL queries to extract or corrupt data
- Race conditions - two apps share the same data and race to get the data first
CIS Control 16: Application Software Security - ACTIONS
Consider whether best practices/safeguards are followed (secure design standards, secure code reviews, security testing tools).
Introduce application security as early as possible.
Have a process in place to inventory 3rd-party components, tools, and apps (ensuring software is up to date, configurations are reviewed, and compensating controls exist for attack mitigation). SaaS can be a weak spot.
Can implement bug bounty programs.
4 CIS Control 17: Incident Response Management
Establish an incident response management program to prepare for, detect, and respond to cybersecurity attacks.
4 Actions for CIS Control 17: Incident Response Management
- Designation of key contacts
- Establishment of an incident response team
- Development of communications plans for notifying impacted business units, stakeholders, and regulatory agencies
- Exercises/tests of the incident response process
4 CIS Control 18: Penetration Testing
Test the sophistication of the cybersecurity defense system in place by simulating attacks in an effort to find and exploit weaknesses.
Begins with discovery or observation of the environment, followed by scans to find vulnerabilities that could grant access; results are studied and controls revised. At least annually for large orgs with significant risks.
5 Control Objectives for Information and Related Technologies (COBIT)
- ISACA developed
- Most widely used IT governance standard
- Provides a roadmap to implement best practices for IT governance and management
5 COBIT Governance Stakeholders
- Governance - BOD
- Management - daily planning/admin of operations: CEO, CFO, COO
- Internal stakeholders - BOD/mgmt, managers, assurance providers, RM
- External stakeholders - regulators, investors, business partners
What is the COBIT core model?
Formed by principles, standards and regulations (COBIT 5, 6 principles for governance systems, 3 principles for the governance framework, community collaboration, regs).
The core model can be customized through design factors and focus areas to arrive at an enterprise governance system.
There are Framework guides (Intro/Methodology, and Governance and Management Objectives), a Design guide and an Implementation guide that can be referenced.
5 COBIT - 6 Principles for Governance System
VHDDTE (very healthy diet do try everything)
1. Provide Stakeholder VALUE
2. HOLISTIC Approach
3. DYNAMIC Governance System
4. Governance DISTINCT From Management
5. TAILOR Enterprise Needs
6. END to END Governance System
COBIT Principle for Governance System
- Provide Stakeholder Value
Governance system should create value for stakeholders by balancing benefits, risks, and resources through a well-designed governance system with an actionable strategy.
COBIT Principle for Governance System
- Holistic Approach
Governance systems for IT can comprise diverse components, collectively providing a holistic model (18 CIS controls).
COBIT Principle for Governance System
- Dynamic Governance System
When a change in one governance component occurs, the impact on all others should be considered so the system continues to meet demands; a system dynamic enough to stay relevant while adjusting.
COBIT Principle for Governance System
- Governance Distinct from Mgmt
Management activities and governance systems should be clearly distinguished from each other as they have different functions.
COBIT Principle for Governance System
- Tailored to Enterprise Needs
Customized to each company, using design factors to prioritize and tailor the system. No one size fits all.
COBIT Principle for Governance System
- End to End Governance System
More than just the IT function should be considered; all processes involving information and technology should be factored in.
5 COBIT - 3 Principles for Governance Framework
- Based on a Conceptual Model
Should identify key components and the relationships between those components to provide for greater automation and maximum consistency.
5 COBIT - 3 Principles for Governance Framework
- Open and Flexible
Ability to change by adding relevant content and removing irrelevant content, while keeping consistency and integrity.
5 COBIT - 3 Principles for Governance Framework
- Aligned to Major Standards
Align with regulations, frameworks, and standards.
5 COBIT Core Model - Governance Objectives
Responsibility of the BOD.
Evaluate, direct, monitor - evaluate strategic objectives, direct management to achieve those objectives, and monitor whether they are being met.
1. Ensuring benefits delivery
2. Governance framework setting
3. Risk optimization
4. Resource optimization
5. Stakeholder engagement
5 COBIT Core Model - Management Objectives 4 Domains
- Align, Plan and Organize
Focus on aligning technology's overall strategy, planning how to utilize technology in business operations, and organizing resources for the most efficient and effective usage.
Managed data is one of the most significant objectives.
Things such as: IT infrastructure, budgeting, HR, vendors, quality, security, managing risk.
5 COBIT Core Model - Management Objectives 4 Domains
- Build, Acquire and Implement
Building, acquiring, and implementing IT solutions in business processes.
11 objectives covering requirements definition, identifying solutions, managing capacity, dealing with org and IT change, managing knowledge, administering assets, and managing configuration.
5 COBIT Core Model - Management Objectives 4 Domains
- Deliver, Service and Support
Addresses the delivery, service, and support of IT services. 6 objectives cover managed operations, service requests, managed problems, continuity, security services, and business process controls.
5 COBIT Core Model - Management Objectives 4 Domains
- Monitor, Evaluate and Assess
Addresses IT conformance with performance targets, control objectives, and external requirements (managed performance),
through continuous monitoring, evaluations and assessments of IT systems, controls and components.
5 Components of Governance System define
Factors that collectively or individually contribute to successful execution of the governance system over IT and systems.
What 7 components satisfy the COBIT 2019 core model management and governance objectives?
- Process - activities to achieve overall tech goals
- Org structure - decision-making entities in the org
- Principles, policies, and frameworks - guidance to turn desired behavior into practice
- Information -
- Culture, ethics, behavior
- People, skills and competencies
- Services, infrastructure and applications
5 COBIT Design Factors
Influence the design of the IT governance system; 11 factors.
5 COBIT Design Factor - Enterprise Strategy
Primary and secondary strategy, like growth and acquisition, innovation/differentiation, cost leadership, and client service/stability strategies.
5 COBIT Design Factor - Enterprise Goal
Goals support the strategy and are structured based on the balanced scorecard dimensions (financial, customer, internal, and growth).
5 COBIT Design Factor - Risk Profile
Addresses current risk exposure and maps which risks exceed appetite; risks include IT operational incidents, software adoption and usage problems, noncompliance, tech-based innovation, and geopolitical issues.
5 COBIT Design Factor - IT Issues
Regular IT audit findings of poor IT quality or controls, insufficient IT resources, frustration between IT and departments, hidden IT spending, problems with data quality, noncompliance with regs.
5 COBIT Design Factor - Threat Landscape
Environment in which the company operates; classified as normal or high due to geopolitical, industry, or economic issues.
5 COBIT Design Factors - Compliance Requirements
Compliance demands can be low (minimal demands), normal (typical for the industry), or high
5 COBIT Design Factors - Role of IT - Support
System is not critical for operating or maintaining the business.
5 COBIT Design Factors - Role of IT - Factory
Immediate impact on business ops and continuity if it fails.
5 COBIT Design Factors - Role of IT - Turnaround
Drives innovation but is not required for critical business ops.
5 COBIT Design Factors - Role of IT - Strategic
Crucial for both innovation and business ops.
5 COBIT Design Factor - Sourcing Model for IT
Type of IT procurement model: from outsourced to cloud to built in-house, or hybrid.
5 COBIT Design Factor - IT Implementation Methods
Methods to implement new IT projects: agile, DevOps, traditional waterfall, or hybrid.
5 COBIT Design Factor - Tech Adoption Strategy - First Mover
Emerging technologies adopted as soon as possible to gain an edge.
5 COBIT Design Factor - Tech Adoption Strategy - Follower
Emerging technologies adopted after they are proven.
5 COBIT Design Factor - Tech Adoption Strategy - Slow Adopter
Very late to adopt new technologies.
5 COBIT Design Factor - Enterprise Size
Large - FT count > 250; small/medium - 50-250 FT.