Lesson 2: Comparing and Contrasting Security Controls Flashcards

1
Q

Frameworks

A

There are many different ways of thinking about how IT services should be governed to fulfill overall business needs. Some organizations have developed IT service frameworks to provide best practice guides to implementing IT and cybersecurity. These frameworks can shape company policies and provide checklists of procedures, activities, and technologies that should ideally be in place.

2
Q

Security controls

A

Whatever the framework or organizationally driven requirements, cybersecurity is mostly about selecting and implementing effective security controls. A security control (or countermeasure) is something designed to make a particular asset or information system secure (that is, give it the properties of confidentiality, integrity, availability, and non-repudiation). Security controls can be classified according to their type or function. Controls can be divided into three broad classes:

  • Administrative/management—controls that determine the way people act, including policies, procedures, and guidance. For example, annual or regularly scheduled security scans and audits can check for compliance with security policies.
  • Technical—controls implemented in operating systems, software, and security appliances. Examples include Access Control Lists (ACL) and Intrusion Detection Systems.
  • Physical—controls such as alarms, gateways, and locks that deter access to premises and hardware are often classed separately.
3
Q

Whether administrative, technical, or physical, controls can also be divided into types according to the goal or function of the control:

A
  • Preventive—the control physically or logically restricts unauthorized access. A directive can be thought of as an administrative version of a preventive control.
  • Deterrent—the control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion.
  • Detective—the control may not prevent or deter access, but it will identify and record any attempted or successful intrusion.
  • Corrective—the control responds to and fixes an incident and may also prevent its recurrence.
  • Compensating—the control does not prevent the attack but restores the function of the system through some other means, such as using data backup or an alternative site.

Note: As no single security control is likely to be invulnerable, it is helpful to think of them as delaying or hampering an attacker until the intrusion can be detected. The efficiency of a control is a measure of how long it can delay an attack.

4
Q

Layered security

A

Layered security is typically seen as the best protection for systems security because it provides defense in depth. The idea is that to fully compromise a system, the attacker must get past multiple security controls, providing control diversity. These layers reduce the potential attack surface and make it much more likely that an attack will be prevented (or at least detected and then prevented by manual intervention).

5
Q

Control diversity

A

Control diversity means that the layers of controls should combine different classes of technical and administrative controls with the range of control functions (prevent, deter, detect, correct, and compensate).

6
Q

Vendor diversity

A

As well as deploying multiple types of controls, you should consider the advantages of leveraging vendor diversity. Vendor diversity means that security controls are sourced from multiple suppliers. A single vendor solution is a tempting choice for many organizations, as it provides interoperability and can reduce training and support costs. Some disadvantages could include the following:

  • Not obtaining best-in-class performance—one vendor might provide an effective firewall solution, but the bundled malware scanning is found to be less effective.
  • Less complex attack surface—a single vulnerability in a supplier’s code could put multiple appliances at risk in a single vendor solution. A threat actor will be able to identify controls and possible weaknesses more easily.
  • Less innovation—dependence on a single vendor might make the organization invest too much trust in that vendor’s solutions and less willing to research and test new approaches.
7
Q

Cybersecurity framework

A

A cybersecurity framework is a list of activities and objectives undertaken to mitigate risks. The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target.

8
Q

Regulatory compliance

A

The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target. This is valuable for giving a structure to internal risk management procedures and also provides an externally verifiable statement of regulatory compliance.

9
Q

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (https://nist.gov/cyberframework)

A

a relatively new addition to the IT governance space and distinct from other frameworks by focusing exclusively on IT security, rather than IT service provision more generally. It is developed for a US audience and focuses particularly on US government, but its recommendations can be adapted for other countries and types of organizations.

10
Q

The International Organization for Standardization (ISO)

A

produced a cybersecurity framework in conjunction with the International Electrotechnical Commission (IEC). The framework was established in 2005 and revised in 2013. Unlike the NIST framework, ISO 27001 must be purchased (https://iso.org/standard/54534.html). ISO 27001 is part of an overall 27000 series of information security standards.

11
Q

The Control Objectives for Information and Related Technologies (COBIT)

A

overall IT governance framework with security as a core component. The framework was first published in 1996 and version 5 was released in 2012. COBIT is published by ISACA and, like the ISO standard, is a commercial product, available through APMG International (https://apmg-international.com/product/cobit-5).

12
Q

The Sherwood Applied Business Security Architecture (SABSA), maintained by the SABSA Institute (https://sabsa.org)

A

a methodology for providing information assurance aligned to business needs and driven by risk analysis. The SABSA methodology is designed to be applicable to different types of organizations and scalable for use on small-scale projects through to providing overarching enterprise information assurance. The methodology is applied using a lifecycle model of strategy/planning, design, implementation, and management/measurement.

13
Q

Due diligence

A

legal term meaning that responsible persons have not been negligent in discharging their duties. Negligence may create criminal and civil liabilities.

14
Q

Negligence in information management

A

Many countries have enacted legislation that criminalizes negligence in information management.

15
Q

Sarbanes-Oxley Act (SOX)

A

In the US, for example, the passage of the Sarbanes-Oxley Act (SOX) has mandated the implementation of risk assessments, internal controls, and audit procedures. The act was introduced following several high-profile accounting scandals, including the collapse of Enron. The Computer Security Act (1987) requires federal agencies to develop security policies for computer systems that process confidential information. In 2002, the Federal Information Security Management Act (FISMA) was introduced to govern the security of data processed by federal government agencies. FISMA compliance is audited through the risk management framework (RMF), developed by NIST (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf). Agencies can go through a process of Assessment & Authorization (A&A) to demonstrate compliance with the RMF.

16
Q

The Gramm–Leach–Bliley Act (GLBA)

A

There are also acts that require security standards and controls to ensure customer privacy in particular industries, such as financial services.

17
Q

The Health Insurance Portability and Accountability Act (HIPAA)

A

There are also acts that require security standards and controls to ensure customer privacy in particular industries, such as healthcare.

18
Q

benchmarks and secure configuration guides

A

Although a framework gives a “high-level” view of how to plan IT services, it does not generally provide detailed implementation guidance. At a system level, the deployment of servers and applications is covered by benchmarks and secure configuration guides.

Most vendors will provide guides, templates, and tools for configuring and validating the deployment of network appliances, operating systems, web servers, and application/database servers. The security configurations for each of these devices will vary not only by vendor but by device and version as well. The vendor’s support portal will host the configuration guides (along with setup/install guides and software downloads and updates) or they can be easily located using a web search engine.

19
Q

The Open Web Application Security Project (https://owasp.org)

A

not-for-profit, online community that publishes several secure application development resources, such as the Top 10 list of the most critical application security risks.

OWASP has also developed resources, such as the Zed Attack Proxy and WebGoat (a deliberately insecure web application), to help investigate and understand penetration testing and application security issues.

20
Q

Security Technical Implementation Guides (STIGs)

A

Department of Defense (DoD) publications that provide hardening guidelines for a variety of software and hardware solutions (https://iase.disa.mil/stigs/Pages/index.aspx).

21
Q

National Checklist Program (NCP) by NIST

A

provides checklists and benchmarks for a variety of operating systems and applications (https://nvd.nist.gov/ncp/repository).

22
Q

The SANS Institute (https://sans.org)

A

company specializing in cybersecurity and secure web application development training; it also sponsors the Global Information Assurance Certification (GIAC). The SANS website publishes a huge amount of research, white papers, and best practice guidance.

23
Q

Center for Internet Security (https://cisecurity.org)

A

not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (or system design recommendations). CIS also produces benchmarks for different aspects of cybersecurity. For example, there are benchmarks for compliance with IT frameworks and compliance programs, such as PCI DSS, NIST 800-53, SOX, and ISO 27000. There are also product-focused benchmarks, such as for Windows® Desktop, Windows Server®, macOS®, Linux®, Cisco®, web browsers, web servers, database and email servers, and VMware ESX®.

24
Q

Incident management or incident response policy

A

procedures and guidelines for dealing with security incidents. An incident is where security is breached or there is an attempted breach; NIST describes an incident as “the act of violating an explicit or implied security policy.” Incident management is vital to mitigating risk. As well as controlling the immediate or specific threat to security, effective incident management preserves an organization’s reputation.

25
Q

Incident response is also one of the most difficult areas of security to plan for and implement because its aims are often incompatible:

A
  • Identify and prioritize all incidents that pose risk without overloading the security team.
  • Re-establish a secure working system.
  • Preserve evidence of the incident with the aim of prosecuting the perpetrators.
  • Prevent recurrence of the incident.

Incident response is also likely to require coordinated action and authorization from several different departments or managers, which adds further levels of complexity.

26
Q

The NIST Computer Security Incident Handling Guide special publication identifies the following stages in an incident response lifecycle:

A
  • Preparation—making the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and establishing confidential lines of communication. It also implies creating a formal incident response plan.
  • Identification—determining whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholders.
  • Containment, Eradication, and Recovery—limiting the scope and impact of the incident. The typical response is to “pull the plug” on the affected system, but this is not always appropriate. Once the incident is contained, the cause can then be removed and the system brought back to a secure state.
  • Lessons Learned—analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident.
27
Q

Preparation phase

A

Preparing for incident response means establishing the policies and procedures for dealing with security breaches and the personnel and resources to implement those policies. In order to identify and manage incidents, an organization should develop some method of reporting, categorizing, and prioritizing them (triage), in the same way that troubleshooting support incidents can be logged and managed.

Incident response policies should also establish clear lines of communication, both for reporting incidents and for notifying affected parties as the management of an incident progresses. It is vital to have essential contact information readily available. Also consider that the incident response personnel might require secure, out-of-band communication methods, in case standard network communication channels have been compromised.

28
Q

Incident Response Plan (IRP)

A

From the policies, a formal Incident Response Plan (IRP) listing the procedures, contacts, and resources available to responders should be developed.

29
Q

cyber incident response team (CIRT) or computer security incident response team (CSIRT)

A

Large organizations will provide a dedicated cyber incident response team (CIRT) or computer security incident response team (CSIRT) as a single point-of-contact for the notification of security incidents. The members of this team should be able to provide the range of decision making and technical skills required to deal with different types of incidents. The team needs a mixture of senior management decision makers (up to director level) who can authorize actions following the most serious incidents, managers, and technicians who can deal with minor incidents on their own initiative.

It is also worth considering that members of the CIRT should be rotated periodically to preclude the possibility of infiltration.

30
Q

Incident response

A

Incident response will typically require 24/7 availability, which will be expensive to provide.

31
Q

For major incidents, expertise and advice from other business divisions will also need to be called upon:

A
  • Legal—it is important to have access to legal expertise, so that the team can evaluate incident response from the perspective of compliance with laws and industry regulations. It may also be necessary to liaise closely with law enforcement professionals, and this can be daunting without expert legal advice.
  • HR (Human Resources)—incident prevention and remediation actions may affect employee contracts, employment law, and so on. Incident response requires the right to intercept and monitor employee communications.
  • Marketing—the team is likely to require marketing or public relations input, so that any negative publicity from a serious incident can be managed.

Some organizations may prefer to outsource some of the CIRT functions to third-party agencies by retaining an incident response provider. External agents are able to deal more effectively with insider threats.

32
Q

“out-of-band” or “off-band” communication method

A

It is imperative that adversaries not be alerted to detection and remediation measures about to be taken against them. The team requires an “out-of-band” or “off-band” communication method that cannot be intercepted. Using corporate email or VoIP runs the risk that the adversary will be able to intercept communications. One obvious method is cell phones but these only support voice and text messaging. For file and data exchange, there should be a messaging system with end-to-end encryption, such as Off-the-Record (OTR), Signal, or WhatsApp, or an external email system with message encryption (S/MIME or PGP). These need to use digital signatures and encryption keys from a system that is completely separate from the identity management processes of the network being defended.

Where disclosure is required to law enforcement or regulatory authorities, this should be made using the secure out-of-band channel.

33
Q

Identified incidents must be assessed for severity and prioritized for remediation. There are several factors that can affect this process:

A
  • Data integrity—the most important factor in prioritizing incidents will often be the value of data that is at risk.
  • Downtime—another very important factor is the degree to which an incident disrupts business processes. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process. If you have completed an asset inventory and a thorough risk assessment of business processes (showing how assets and computer systems assist each process), then you can easily identify critical processes and quantify the impact of an incident in terms of the cost of downtime.
  • Economic/publicity—both data integrity and downtime will have important economic effects, both in the short term and the long term. Short-term costs involve incident response itself and lost business opportunities. Long-term economic costs may involve damage to reputation and market standing.
  • Scope—the scope of an incident (broadly the number of systems affected) is not a direct indicator of priority. A large number of systems might be infected with a type of malware that degrades performance, but is not a data breach risk. This might even be a masking attack as the adversary seeks to compromise data on a single database server storing top secret information.
  • Detection time—research has shown that, in a successful intrusion, data is typically breached within minutes, while more than half of data breaches are not detected until weeks or months after the intrusion occurs. This demonstrates that the systems used to search for intrusions must be thorough and the response to detections must be fast.
  • Recovery time—some incidents require lengthy remediation as the system changes required are complex to implement. This extended recovery period should trigger heightened alertness for continued or new attacks.
34
Q

Identification Phase

A

Identification/detection is the process of collating events and determining whether any of them should be managed as incidents or as possible precursors to an incident; that is, an event that makes an incident more likely to happen. There are multiple channels by which events or precursors may be recorded:

  • Using log files, error messages, IDS alerts, firewall alerts, and other resources to establish baselines and identify the parameters that indicate a possible security incident.
  • Comparing deviations to established metrics to recognize incidents and their scopes.
  • Manual or physical inspections of site, premises, networks, and hosts.
  • Notification by an employee, customer, or supplier.
  • Public reporting of new vulnerabilities or threats by a system vendor, regulator, the media, or other outside party.

It is wise to provide for confidential reporting so that employees are not afraid to report insider threats, such as fraud or misconduct. It may also be necessary to use an “out-of-band” method of communication so as not to alert the intruder that his or her attack has been detected.

35
Q

First Responder

A

When a suspicious event is detected, it is critical that the appropriate person on the CIRT be notified so that they can take charge of the situation and formulate the appropriate response. This person is referred to as the first responder. This means that employees at all levels of the organization must be trained to recognize and respond appropriately to actual or suspected security incidents. A good level of security awareness across the whole organization will reduce the incidence of false positives and negatives. For the most serious incidents, the entire CIRT may be involved in formulating an effective response.

36
Q

Analysis and Incident Identification

A

When notification has taken place, the CIRT or other responsible person(s) must analyze the event to determine whether a genuine incident has been identified and what level of priority it should be assigned. Analysis will depend on identifying the type of incident and the data or resources affected (its scope and impact). At this point, the incident management database should have a record of the event indicators, the nature of the incident, its impact, and the incident investigator responsible. The next phase of incident management is to determine an appropriate response.

37
Q

Containment Phase

A

As incidents cover such a wide range of different scenarios, technologies, motivations, and degrees of seriousness, there is no standard approach to containment or incident isolation. Some of the many complex issues facing the CIRT are:

  • What damage or theft has occurred already? How much more could be inflicted and in what sort of time frame (loss control)?
  • What countermeasures are available? What are their costs and implications?
  • What actions could alert the attacker to the fact that the attack has been detected? What evidence of the attack must be gathered and preserved?
38
Q

Quarantine and Device Removal

A

If further evidence needs to be gathered, the best approach may be to quarantine or sandbox the affected system or network. This allows for analysis of the attack and collection of evidence using digital forensic techniques. This can only be done if there is no scope for the attacker to cause additional damage or loss. There are great practical problems in establishing an effective quarantine, however. It may be possible to redirect the attacker into some kind of honeypot or honeynet or to use a firewall or intrusion detection to limit wider access. It may also be possible to restrict the attack by changing account passwords or privileges or to apply patches to hosts not yet affected by the attack. Another option is to remove an affected device from the system it is attached to (“pull the plug”). This will prevent the attacker from widening the attack but may alert him or her to the fact that the attack has been detected. A sophisticated attacker may have retaliatory attacks prepared to meet this sort of contingency.

39
Q

Escalation

A

An incident may be judged too critical to continue to be managed by the first responder. The process by which more senior staff become involved in the management of an incident is called escalation. Escalation may also be necessary if no response is made to an incident within a certain time frame.

40
Q

data breach

A

A data breach is where an attack succeeds in obtaining information that should have been kept secret or confidential. Once data has been stolen in this way, it is virtually impossible to prevent further copies of it being made, though it may be possible to act against those that try to publish it. It has to be assumed, however, that the data stolen is no longer confidential. It is critical to identify precisely what has been stolen, though often this is a difficult enough task in itself. Security systems must be reanalyzed and re-secured, so that things like passwords are changed, even if there is no direct evidence that they have been compromised. Note that, in this context, the suspicion of data theft may be enough to trigger reporting procedures. Even if it is only suspected that customer passwords or credit card numbers have been stolen (for instance), customers must be notified so that they can take steps to re-secure other online accounts or financial accounts.

41
Q

reporting requirements

A

As well as attempting to identify the attacker, a data breach will normally require that affected parties be notified, especially if personally identifiable information (PII) or account security information is involved. As well as data protection legislation, many industries have strict regulations regarding the safe processing of data and will set out reporting requirements for notifying affected customers as well as the regulator. The regulator will also require evidence that the systems that allowed the breach have been improved.

42
Q

Eradication and Recovery Phases

A

There are often no right answers to the question of what mitigation steps are appropriate to contain, eradicate, and recover from an incident. The response team may have to choose the “least bad” option. While prosecution of the offenders may be important, business continuity is likely to be the team’s overriding goal. Again though, every situation is different and if there is sufficient time, a full evaluation of the different issues should be made so that the best response can be selected. Some sample responses to incidents include the following:

  • Investigation and escalation—the causes or nature of the incident might not be clear, in which case further (careful) investigation is warranted.
  • Containment—allow the attack to proceed, but ensure that valuable systems or data are not at risk. This allows collection of more evidence, making a prosecution more likely and also gathering information about the way the attack was perpetrated.
  • Hot swap—a backup system is brought into operation and the live system frozen to preserve evidence of the attack.
  • Prevention—countermeasures to end the incident are taken on the live system (even though this may destroy valuable evidence).
43
Q

Eradication of malware or other intrusion mechanisms and recovery from the attack will involve several steps:

A

  • Reconstitution of affected systems—either remove the malicious files or tools from affected systems or restore the systems from secure backups.

Note: If reinstalling from baseline template configurations, make sure that there is nothing in the baseline that allowed the incident to occur! If so, update the template before rolling it out again.

  • Re-audit security controls—ensure they are not vulnerable to another attack. This could be the same attack or from some new attack that the attacker could launch through information they have gained about your network.

Note: If your organization is subjected to a targeted attack, be aware that one incident may be very quickly followed by another.

  • Ensure that affected parties are notified and provided with the means to remediate their own systems. For example, if customers’ passwords are stolen, they should be advised to change the credentials for any other accounts where that password might have been used (not good practice, but most people do it).

44
Q

Lessons Learned Phase

A

Once the attack or immediate threat has been neutralized and the system restored to secure operation, some follow-up actions are appropriate. The most important is to review security incidents to determine their cause and whether they were avoidable.

This can be referred to as “lessons learned.” It is also necessary to review the response to the incident, to determine whether it was appropriate and well implemented.

45
Q

A lessons learned activity will usually take the form of a meeting with the CIRT and management to finalize the incident timeline. This meeting should take place within two weeks of the incident so that events are fresh in everyone’s minds. The meeting should establish:

A
  • Identification of the problem and scope, as well as the steps taken to contain, eradicate, and recover.
  • The effectiveness of the IRT and the incident response plan (IRP), particularly what worked well and what needs improvement.
  • Completion of the incident documentation to provide a comprehensive description of the incident and how the IRT responded to it.
46
Q

Report the attack

A

You need to consider obligations to report the attack. It may be necessary to inform affected parties during or immediately after the incident so that they can perform their own remediation. It may be necessary to report to regulators or law enforcement. You also need to consider the marketing and PR impact of an incident. This can be highly damaging and you will need to demonstrate to customers that security systems have been improved.

47
Q

Follow these guidelines when responding to security incidents:

A
  • If an IRP exists, then follow the guidelines outlined within it to respond to the incident.
  • If an IRP does not exist, then determine a primary investigator who will lead the team through the investigation process.
  • Determine if the events actually occurred and to what extent a system or process was damaged.
  • Try to isolate or otherwise contain the impact of the incident.
  • Document the details of the incident.