Lesson 2: Comparing and Contrasting Security Controls Flashcards

1
Q

Frameworks

A

Best practice guides to implementing IT and cybersecurity

2
Q

Cybersecurity

A

mostly about selecting and implementing effective security controls

3
Q

Security control

A

A countermeasure designed to make a particular asset or information system secure (that is, to give it the properties of confidentiality, integrity, availability, and non-repudiation)

4
Q

Broad classes of controls

A
  • Administrative/management Controls
    • Determine the way people act, including policies, procedures, and guidance (annual or regularly scheduled security scans and audits can check for compliance with security policies)
  • Technical Controls
    • Implemented in operating systems, software, and security appliances (for example, Access Control Lists (ACLs) and Intrusion Detection Systems (IDS))
  • Physical Controls
    • Alarms, gateways, and locks that deter access to premises and hardware are often classed separately
5
Q

Functions of controls

A
  • Preventive
    • Control physically or logically restricts unauthorized access
  • Deterrent
    • Control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion
  • Detective
    • Control may not prevent or deter access, but it will identify and record any attempted or successful intrusion
  • Corrective
    • Control responds to and fixes an incident and may also prevent its recurrence
  • Compensating
    • Control does not prevent the attack but restores the function of the system through some other means, such as using a data backup or an alternative site
6
Q

Layered security

A
  • Typically seen as the best protection for systems security because it provides defense in depth
  • An attacker must get past multiple security controls, providing control diversity
7
Q

Control diversity

A

Combine different classes of technical and administrative controls with a range of control functions (prevent, deter, detect, correct, and compensate)

8
Q

Vendor diversity

A
  • Security controls are sourced from multiple suppliers
  • Single vendor
    • Advantages
      • Interoperability
      • Training reduction
      • Support costs
    • Disadvantages
      • Not obtaining best-in-class performance
      • Less complex attack surface
      • Less innovation
9
Q

Cybersecurity framework

A
  • List of activities and objectives undertaken to mitigate risks
  • Makes an objective statement of its current cybersecurity capabilities
  • Identifies target level of capability
  • Prioritizes investments to achieve target
  • Valuable for giving structure to internal risk management procedures and also provides an externally verifiable statement of regulatory compliance
10
Q

Critical security management activity

A

Governed by formal policies and procedures, setting out roles and responsibilities for an incident response team

11
Q

Incident Response Procedures

A
  • Procedures and guidelines for dealing with security incidents
  • An incident is where security is breached or there is an attempted breach
12
Q

Stages of an Incident Response Lifecycle

A
  1. Preparation: making the system resilient to attack in the first place
  2. Identification: determining whether an incident has taken place and assessing how severe it might be
  3. Containment, Eradication, and Recovery: limiting the scope and impact of the incident
  4. Lessons Learned: analyzing the incident and the responses to it to identify whether procedures or systems could be improved
13
Q

Incident Response Plan

A

Preparing for incident response means establishing policies and procedures for dealing with security breaches, and the personnel and resources to carry them out

14
Q

Data Integrity

A

Value of data

15
Q

Downtime

A

The degree to which an incident disrupts business processes

16
Q

Economic/publicity

A

Short-term costs involve the incident response itself and lost business opportunities; long-term economic costs may involve damage to reputation and market standing

17
Q

Scope

A

The number of systems affected is not a direct indicator of priority. A large number of systems might be infected with a type of malware that degrades performance but is not a data breach risk (it might even be masking an attack as the adversary seeks to compromise data on a single database server storing top secret information)

18
Q

Detection time

A

Research has shown that, in a successful intrusion, data is typically breached within minutes, while more than half of data breaches are not detected until weeks or months after the intrusion occurs

19
Q

Recovery time

A

Some incidents require lengthy remediation, as the system changes required are complex to implement

20
Q

Incident Response Exercises

A

Running test exercises helps staff develop competencies and can help to identify deficiencies in procedures and tools

21
Q

Identification Phase

A
  • Process of collating events and determining whether any of them should be managed as incidents or as possible precursors to an incident
  • Precursors may be recorded through multiple channels:
    • Log files, error messages, IDS alerts, firewall alerts, etc.
    • Comparing deviations from established metrics to recognize incidents and their scope
    • Manual or physical inspections of site, premises, networks, and hosts
    • Notification by an employee, customer, or supplier
    • Public reporting of new vulnerabilities or threats by a system vendor, regulator, media, or outside party
22
Q

First Responder

A

When a suspicious event is detected, it is critical that the appropriate person on the CIRT be notified, so they can take charge of the situation and formulate an appropriate response

23
Q

Containment Phase

A

There is no standard approach to containment, because of the wide range of different scenarios, technologies, motivations, and degrees of seriousness

24
Q

Escalation

A

When more senior staff become involved in the management of an incident

25
Q

Data Breach and Reporting Requirements

A
  • Where an attack succeeds in obtaining information that should have been kept secret or confidential
  • Once data is stolen, it has to be assumed that the data is no longer confidential
  • All affected parties must be notified, especially if personally identifiable information (PII) is involved (reporting requirements)
26
Q

Eradication and Recovery Phases

A
  • While prosecution of offenders may be important, business continuity is likely to be the team's overriding goal
  • Sample responses to incidents:
    • Investigation and escalation: the cause or nature of the incident is unclear, so further investigation is warranted
    • Containment: allow the attack to proceed, but ensure valuable systems or data are not at risk; this allows collection of more evidence, making prosecution more likely
    • Hot swap: a backup system is brought into operation and the live system is frozen to preserve evidence of the attack
    • Prevention: countermeasures to end the incident are taken on the live system (even though this may destroy valuable evidence)
27
Q

Lessons Learned Phase

A
  • Review security incidents to determine their cause and whether they were avoidable
  • The lessons learned activity will usually take the form of a meeting with the CIRT and management, covering:
    • Identification of the problem and its scope
    • Effectiveness of the IRT and the incident response plan (IRP)
    • Completion of incident documentation
    • Whether to report the attack to regulators or law enforcement