Lesson 2: Comparing and Contrasting Security Controls Flashcards
Frameworks
Best practice guides to implementing IT and cybersecurity
Cybersecurity
mostly about selecting and implementing effective security controls
Security control
A countermeasure designed to make a particular asset or information system secure (that is, to give it the properties of confidentiality, integrity, availability, and non-repudiation)
Broad classes of controls
- Administrative/management Controls
- determine way people act, including policies, procedures, and guidance (annual or regularly scheduled security scans and audits can check for compliance with security policies)
- Technical Controls
- implemented in operating systems, software, and security appliances (for example, Access Control Lists (ACLs) and Intrusion Detection Systems (IDS))
- Physical Controls
- alarms, gateways, and locks that deter access to premises and hardware are often classed separately
Functions of controls
- Preventive
- Control physically or logically restricts unauthorized access
- Deterrent
- Control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion
- Detective
- Control may not prevent or deter access, but it will identify and record any attempted or successful intrusion
- Corrective
- Control responds to and fixes an incident and may also prevent its recurrence
- Compensating
- Control does not prevent attack but restores function of system through some other means, such as using data backup or an alternative site
Layered security
- typically seen as best protection for systems security because it provides defense in depth
- Attacker must get past multiple security controls, providing control diversity
Control diversity
Combine different classes of technical and administrative controls with range of control functions (prevent, deter, detect, correct, and compensate)
Vendor diversity
- security controls are sourced from multiple suppliers
- Single vendor
- Advantages
- Interoperability
- Training reduction
- Support costs
- Disadvantages
- Not obtaining best-in-class performance
- Less complex attack surface
- Less innovation
Cybersecurity framework
- List of activities and objectives undertaken to mitigate risks
- Makes an objective statement of its current cybersecurity capabilities
- Identifies target level of capability
- Prioritizes investments to achieve target
- Valuable for giving a structure to internal risk management procedures and also provides an externally verifiable statement of regulatory compliance
Critical security management activity
Governed by formal policies and procedures, setting out roles and responsibilities for an incident response team
Incident Response Procedures
- Procedures and guidelines for dealing with security incidents
- Incident where security is breached or there is an attempted breach
Stages of an Incident Response Lifecycle
- Preparation: making system resilient to attack in the first place
- Identification: determining whether an incident has taken place and assessing how severe it might be
- Containment, Eradication, and Recovery: limits scope and impact of incident
- Lessons Learned: analyze incident and responses to identify whether procedures or systems could be improved
Incident Response Plan
Preparing for incident response means establishing policies and procedures for dealing with security breaches, along with the personnel and resources to carry them out
Data Integrity
Value of data
Downtime
degree to which an incident disrupts business processes
Economic/publicity
Short-term costs involve the incident response itself and lost business opportunities. Long-term economic costs may involve damage to reputation and market standing.
Scope
The number of systems affected is not a direct indicator of priority. A large number of systems might be infected with a type of malware that degrades performance but is not a data breach risk (it might even be masking an attack as the adversary seeks to compromise data on a single database server storing top secret information).
Detection time
Research has shown that, in a successful intrusion, data is typically breached within minutes, while more than half of data breaches are not detected until weeks or months after the intrusion occurs
Recovery time
Some incidents require lengthy remediation because the system changes required are complex to implement
Incident Response Exercises
Running test exercises helps staff develop competencies and can help to identify deficiencies in procedures and tools
Identification Phase
- Process of collating events and determining whether any of them should be managed as incidents or as a possible precursor to an incident
- Precursors may be recorded through multiple channels:
- Log files, error messages, IDS alerts, firewall alerts, etc.
- Comparing deviations to established metrics to recognize incidents and their scopes
- Manual or physical inspections of site, premises, networks, and hosts
- Notification by employee, customer, or supplier
- Public reporting of new vulnerabilities or threats by system vendor, regulator, media, or outside party
First Responder
When a suspicious event is detected, it is critical that the appropriate person on the CIRT be notified so they can take charge of the situation and formulate an appropriate response
Containment Phase
No standard approach to containment, because of wide range of different scenarios, technologies, motivations, and degrees of seriousness
Escalation
When more senior staff becomes involved in management of an incident
Data Breach and Reporting Requirements
- where an attack succeeds in obtaining information that should have been kept secret or confidential
- Once data is stolen it has to be assumed that the data is no longer confidential
- All affected parties must be notified, especially if personally identifiable information (PII) is involved (reporting requirements)
Eradication and Recovery Phases
- While prosecution of offenders may be important, business continuity is likely to be team’s overriding goal
- Sample responses to incidents:
- Investigation and escalation: causes or nature of incident unclear, further investigation warranted
- Containment: allow the attack to proceed, but ensure valuable systems or data are not at risk. This allows collection of more evidence, making prosecution more likely.
- Hot swap: backup system brought into operation and live system frozen to preserve evidence of attack
- Prevention: countermeasures to end incident are taken on live system (even though this may destroy valuable evidence)
Lessons Learned Phase
- Review security incidents to determine their cause and whether they were avoidable
- Lessons learned activity will usually take the form of a meeting with CIRT and management:
- Identification of problem and scope
- Effectiveness of IRT and incident response plan (IRP)
- Completion of incident documentation
- Report attack to regulators or law enforcement?