Lesson 2: Comparing and Contrasting Security Controls Flashcards
Frameworks
There are many different ways of thinking about how IT services should be governed to fulfill overall business needs. Some organizations have developed IT service frameworks to provide best practice guides to implementing IT and cybersecurity. These frameworks can shape company policies and provide checklists of procedures, activities, and technologies that should ideally be in place.
Security controls
Whatever the framework or organizationally driven requirements, cybersecurity is mostly about selecting and implementing effective security controls. A security control (or countermeasure) is something designed to make a particular asset or information system secure (that is, give it the properties of confidentiality, integrity, availability, and non-repudiation). Security controls can be classified according to their type or function. Controls can be divided into three broad classes:
- Administrative/management—controls that determine the way people act, including policies, procedures, and guidance. For example, annual or regularly scheduled security scans and audits can check for compliance with security policies.
- Technical—controls implemented in operating systems, software, and security appliances. Examples include Access Control Lists (ACL) and Intrusion Detection Systems.
- Physical—controls such as alarms, gateways, and locks that deter access to premises and hardware are often classed separately.
Whether administrative, technical, or physical, controls can also be divided into types according to the goal or function of the control:
- Preventive—the control physically or logically restricts unauthorized access. A directive can be thought of as an administrative version of a preventive control.
- Deterrent—the control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion.
- Detective—the control may not prevent or deter access, but it will identify and record any attempted or successful intrusion.
- Corrective—the control responds to and fixes an incident and may also prevent its reoccurrence.
- Compensating—the control does not prevent the attack but stands in for a primary control that cannot be implemented directly, restoring the function of the system through some other means, such as using a data backup or an alternative site.
Note: As no single security control is likely to be invulnerable, it is helpful to think of them as delaying or hampering an attacker until the intrusion can be detected. A useful measure of a control is therefore how long it can delay an attack, relative to the time needed to detect and respond to the intrusion.
Layered security
Layered security is typically seen as the best protection for systems security because it provides defense in depth. The idea is that to fully compromise a system, the attacker must get past multiple security controls, providing control diversity. These layers reduce the potential attack surface and make it much more likely that an attack will be prevented (or at least detected and then stopped by manual intervention).
Control diversity
Control diversity means that the layers of controls should combine the different classes of control (administrative, technical, and physical) with the full range of control functions (prevent, deter, detect, correct, and compensate).
Vendor diversity
As well as deploying multiple types of controls, you should consider the advantages of leveraging vendor diversity. Vendor diversity means that security controls are sourced from multiple suppliers. A single vendor solution is a tempting choice for many organizations, as it provides interoperability and can reduce training and support costs. Some disadvantages could include the following:
- Not obtaining best-in-class performance—one vendor might provide an effective firewall solution, but the bundled malware scanning is found to be less effective.
- A more uniform attack surface—a single vulnerability in a supplier’s code could put multiple appliances at risk in a single vendor solution. A threat actor will be able to identify controls and possible weaknesses more easily.
- Less innovation—dependence on a single vendor might make the organization invest too much trust in that vendor’s solutions and less willing to research and test new approaches.
Cybersecurity framework
A cybersecurity framework is a list of activities and objectives undertaken to mitigate risks. The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target.
Regulatory compliance
Using a framework gives structure to internal risk management procedures and also provides an externally verifiable statement of regulatory compliance.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (https://nist.gov/cyberframework)
a relatively new addition to the IT governance space and distinct from other frameworks by focusing exclusively on IT security, rather than IT service provision more generally. It is developed for a US audience and focuses particularly on US government, but its recommendations can be adapted for other countries and types of organizations.
The International Organization for Standardization (ISO)
produced a cybersecurity framework in conjunction with the International Electrotechnical Commission (IEC). The framework was established in 2005 and revised in 2013. Unlike the NIST framework, ISO 27001 must be purchased (https://iso.org/standard/54534.html). ISO 27001 is part of an overall 27000 series of information security standards.
The Control Objectives for Information and Related Technologies (COBIT)
overall IT governance framework with security as a core component. The framework was first published in 1996 and version 5 was released in 2012. COBIT is published by ISACA and, like the ISO standard, is a commercial product, available through APMG International (https://apmg-international.com/product/cobit-5).
The Sherwood Applied Business Security Architecture (SABSA), maintained by the SABSA Institute (https://sabsa.org)
a methodology for providing information assurance aligned to business needs and driven by risk analysis. The SABSA methodology is designed to be applicable to different types of organizations and scalable for use on small-scale projects through to providing overarching enterprise information assurance. The methodology is applied using a lifecycle model of strategy/planning, design, implementation, and management/measurement.
Due diligence
legal term meaning that responsible persons have not been negligent in discharging their duties. Negligence may create criminal and civil liabilities.
Negligence in information management
Many countries have enacted legislation that criminalizes negligence in information management.
Sarbanes-Oxley Act (SOX)
In the US, for example, the passage of the Sarbanes-Oxley Act (SOX) has mandated the implementation of risk assessments, internal controls, and audit procedures. The act was introduced following several high-profile accounting scandals, including the collapse of Enron. The Computer Security Act (1987) requires federal agencies to develop security policies for computer systems that process sensitive information. In 2002, the Federal Information Security Management Act (FISMA) was introduced to govern the security of data processed by federal government agencies. FISMA compliance is audited through the Risk Management Framework (RMF), developed by NIST (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf). Agencies can go through a process of Assessment & Authorization (A&A) to demonstrate compliance with the RMF.
The Gramm–Leach–Bliley Act (GLBA)
An act requiring security standards and controls to ensure customer privacy in a particular industry, in this case financial services.
The Health Insurance Portability and Accountability Act (HIPAA)
An act requiring security standards and controls to ensure customer privacy in a particular industry, in this case healthcare.
Benchmarks and secure configuration guides
Although a framework gives a “high-level” view of how to plan IT services, it does not generally provide detailed implementation guidance. At a system level, the deployment of servers and applications is covered by benchmarks and secure configuration guides.
Most vendors will provide guides, templates, and tools for configuring and validating the deployment of network appliances, operating systems, web servers, and application/database servers. The security configuration for each of these devices will vary not only by vendor but by device and version as well, so a guide must be matched to the exact product and release in use. The vendor’s support portal will host the configuration guides (along with setup/install guides and software downloads and updates), or they can be easily located using a web search engine.
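The validation step described above, as an added example that is not part of the original page and is not any vendor's or benchmark publisher's tooling: a small checker that parses an OpenSSH `sshd_config` and compares a handful of directives against expected values. The directive list and expected values are assumptions chosen for illustration, not a published benchmark; a real guide from the vendor or a body such as CIS defines its own items. The sample configuration is constructed inline.

```python
"""Audit an OpenSSH sshd_config against a small, illustrative benchmark.

Added example. The BENCHMARK entries below are assumptions chosen for
illustration, not a vendor's or CIS's published list.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample configuration (not taken from a real host).
SAMPLE_SSHD_CONFIG = """\
# Port and root access
Port 22
PermitRootLogin yes
# Authentication
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 10
X11Forwarding no
ClientAliveInterval 300
"""

# Illustrative benchmark: directive -> (expected value, rationale).
# Assumed values for the example, not a published benchmark.
BENCHMARK = {
    "PermitRootLogin": ("no", "log in as a named user, then escalate"),
    "PasswordAuthentication": ("no", "keys resist password guessing"),
    "MaxAuthTries": ("4", "limit guesses per connection"),
    "X11Forwarding": ("no", "reduce attack surface"),
    "ClientAliveInterval": ("300", "drop idle sessions"),
    "LogLevel": ("VERBOSE", "record key fingerprints for audit"),
}


@dataclass
class Finding:
    directive: str
    expected: str
    actual: str | None  # None when the directive is not set in the file
    status: str         # "pass" or "fail"


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return directive -> value for the effective (first) occurrence.

    sshd uses the first value it reads for each keyword, so later
    duplicates are ignored here to mirror the daemon. Comments and blank
    lines are skipped and keywords are matched case-insensitively.
    Conditional 'Match' blocks are out of scope: parsing stops there.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text: str, benchmark=BENCHMARK) -> list[Finding]:
    """Compare the parsed file against the benchmark.

    A directive that is absent from the file is reported as a failure,
    because the compiled-in default may differ from the benchmark; confirm
    effective values on the host with 'sshd -T' before accepting a pass.
    """
    settings = parse_sshd_config(text)
    findings = []
    for directive, (expected, _why) in benchmark.items():
        actual = settings.get(directive.lower())
        ok = actual is not None and actual.lower() == expected.lower()
        findings.append(Finding(directive, expected, actual, "pass" if ok else "fail"))
    return findings


def failures(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.status == "fail"]


if __name__ == "__main__":
    for f in audit(SAMPLE_SSHD_CONFIG):
        print(f"{f.status.upper():4} {f.directive:24} expected={f.expected!r} actual={f.actual!r}")
```

Run against the constructed sample, the checker flags four items (root login, password authentication, the authentication try limit, and the missing log level) and passes two. Treating an unset directive as a failure is deliberate: the checker only sees the file, not the daemon's built-in defaults, which is why the effective configuration should be confirmed with `sshd -T` on the target host.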