New in 2024 Flashcards
Risk frameworks vs. Security Control Frameworks
Risk Frameworks
Address the “why
” - they guide strategic decision making about risk
The 5 Pillars of Information Security
- Confidentiality
- Integrity
- Availability
- Authenticity
- Nonrepudiation
Risk frameworks vs. Security Control Frameworks
Security Control Frameworks
Address the “how
” = providing specific controls to mitigate cybersec risks
Risk frameworks & Security Control Frameworks
Sherwood Applied Business Security Architecture (SABSA)
A security architecture framework and methodology
Focuses on aligning security with business goals by providing a structured method for designing, implementing, and managing security architectures
It can be used in conjunction with both risk frameworks and security controls frameworks
It adds a layer focused on practical security architecture implementation
NIST Risk Management Framework (RMF)
Auidience is federal government agencires
The RMF is MANDATORY for those which it applies
NIST Cybersecurity Framework (CSF)
Audience is private / commercial business
The CSF is purely OPTIONAL guidance from NIST
Federal Risk and Authorization Management Program (FedRAMP)
A government wide program that provides a standardized approach to security assessment, authZ, and continuous monitoring for cloud products and services
Goals:
1. Accelerate secure cloud adoption
2. Enhance trust in cloud solutions
3. Promote a reusable approach for multiple agencies
ISO / IEC 27001:2022
Outlines a framework for implementing, maintaining, and continually improving an Information Security Management System (ISMS)
ISMS is a set of policies, processes, and controls that help orgs protect their info assets
Guides orgs in:
- ID’ing information assets and assessing their value and info security risks
- Implementing mitagating security controls based on ISO 27002
- Regularly monitoring and measuring effectiveness of and continuously improving ISMS
focuses on WHAT and WHY
ISO / IEC 27002:2022
Focuses on the HOW
Offers best practices and control objectives related to key aspects on cybersec in support of ISO / IEC 27001
Personal Information Protection Law (PIPL)
Effective since 2021, aims to establish comprehensive framework for the protection of PI in China
Protection of Personal Information Act (POPIA)
Enacted in 2013, est regs for the responsible processing of PI by both public and private entities in South Africa
Privacy Impact Assessment (PIA)
Several privacy laws explicitly require PIAs
- GDPR
- HIPAA
To conduct a PIA, you must define assessment scope, data collection methods, and plan for data retention
Clarifying Lawful Overseas Uses of Data (CLOUD)
Requires CSPs to hand over data to aid in investigation of serious crimes, even if stored in another country
Can conflict with GDPR
- B/c GDPR forbids transfer of data to any country without good privacy protections
- Issues like this require legal counsel
Hardware Root of Trust
A line of defense against executing unauthorized firmware on a system
When serts are used in Full Disk Encryption (FDE) they use a hardware root of trust for key stoage
it verifies that the keys match before the secure boot process takes place
Examples:
- Trusted platform module (TPM)
- Silicon Root of trust (SRoT)
Silicon Root of Trust (SRoT)
A specialized chip or module embedded directly into the hardware of a device (mainly is IoT)
Contains a unique, unchangeable cryptographic (“immutable fingerprint”) ID that is established during manufacturing
Acts as anchor point for verifying the integrity of systems firmware
If firmware is compromised the SRoT will detect the change and prevent the system from booting
Physically Unclonable Function (PUF)
Hardware component that generates a digital fingerprint or signatures based on the unique physical characteristics of integrated circuit or chip
- Typically a semiconductor device
- unique hardware root of trust
Software Bill of Materials (SBOM)
A list of all software components that go into a particular software build or product
- Functions as inventory
- Helps orgs better understand, manage, and secure their apps
- An attack in 2020 lead to a US Gov requirement for SBOM in the 2021 Executive Order on Improving the Nation’s Cybersecurity
Secure Access Service Edge (SASE)
A design philosophy closely related to Zero Trust
Brings together networking and security functions, delivered together as integrated cloud service
SASE Components:
- Firewall services
- Secure web gateway
- Anti-malware services
- IPS
- CASB
- Data Loss Prevention
Focus on WAN, cloud, and IoT
Cryptographic Life Cycle
Federal Information Processing Standard (FIPS) 140-3
Supersedes FIPS 140-2
Security Levels:
- Level 1: Require production grade equipment and externally tested algos
- Level 2: Adds requirements for physical tamper-evidence and *role based authN**
- Level 3: Adds requirements for physical tamper-resistance, ID based authN, and separation between interfaces
- Level 4: Makes the physical security requirements more stringent. Requiring ability to be tamper-active, erasing the contents of the device if it detect various fors of env attack
Cryptographic Life Cycle
FIPS 140-3 Cryptographic Modules
(3 types with Ex)
Hardware:
- SafeNet Luna HSM (Thales)
- Gemalto SafeNet HSM (Thales)
- nShield HSM (Entrust)
- Utimaco CryptoServer HSM
Software:
- OpenSSL FIPS Object Module
- Microsoft Window Crypto Modules
- Bouncy Castle FIPS Module
Cloud
- Microsoft Azure Key Vault
- Amazon Key Management Service (KMS)
- Google Cloud Key Management Service (KMS)
Cryptographic Life Cycle
Key Management Strategy For Encryption Key Lifecycle
- Generation - Encryption keys should be generated within a trusted secure crypto module
-
Distribution - Should be distributed securely to prevent compromise during transit
- Encrypt keys with another key to give to third parties - Storage - Protected at rest and never stored in plaintext
- Use - Clients use keys to get resources as access controls allow
- Revocation - Process for revoking access if compromise
-
Destruction - Removal of key from its operational location
- Key Deletion goes further and removes any info that could be used to reconstruct it
Quantum Key Distibution
Enables 2 parties to generate a shared random secret key known only to them
NOTE
Essential property of QKD is the ability to detect eavesdropping by any 3rd party
- Eavesdropper interception introduces detectable anomalies
Main drawback = QKD relies on a authenticated classical channel of comms
- Parties have already exchanged either symmetric key or public keys to talk
- Inpractice, much cheaper not to use QKD
- QKD is only used to produce and distribute a key NOT
to transmit any messages
- Used in very niche high security scenarios
Information System Lifecycle
- Stakeholders needs and requirements
- Requirements Analysis
- Architectural design
- Development / implementation
- Integration
- Verification and validation
- Transition / deployment
- Ops and mant / sustainment
- Retirement / disposal
Information System Lifecycle
1. Stakeholders needs and requirements
Key activities:
- Gather requirements and define project scope
Security goal:
- Establish baseline
Information System Lifecycle
2. Requirements analysis
Key activities:
- Prioritize reqs
- Make req spec docs
- perform risk analysis
- Map reqs to security controls
Security Goals:
- translate high level expectations into details and action items
Information System Lifecycle
3. Architectural Design
Key Activities:
- Create system architecture diagrams
- Data flows
- threat modeling
Security goals:
- Incorporate Security by Design
Information System Lifecycle
4. Development / Implementation
Key activities:
- Develop or produce hardware and software
- Implement security configurations
Security Goal:
- Ensure secure implementation of the design.
Information System Lifecycle
5. Integration
Key Activites:
- Integration testing
- Documentation
Security Goals:
- Maintain integrity and security during integration
Information System Lifecycle
6. Verification and Validation
Key activities:
- Employ various testing technoques
- Obtain stakeholder feedback
Security goals:
- Rigorously test that security requirements are met
- Systems dont introduce unacceptable levels of risk
Information System Lifecycle
7. Transition / deployment
Key activities:
- Develop implementation plans
- user training
- full system implementation
Security Goal
- Secure and controlled transition
- Protect data during migration
Information System Lifecycle
8. Ops and maint / sustainment
Key Activities:
- System montioring
- patch management
- Care and feeding
Security Goals:
- Maintain security posture
Information System Lifecycle
9. Retirement / Disposal
Key Activities:
- Data archival
- system decomm
- Secure disposal of hardware / media
Security Goals
- Prevent data exposure
- secure data sanatization,
- compliance with data retention
IPv4 vs. IPv6
Multicast
Supported by both IPv4 and IPv6
One to many
IPv4 vs. IPv6
Broadcast
Supported by IPv4, but workarounds for IPv6
One to all recipient on the network segment
IPv4 vs. IPv6
Unicast
Supported by both IPv4 and IPv6
One to one
IPv4 vs. IPv6
Anycast
Supported natively by IPv6
Single source to the nearest or most optimal recipient
Converged Protocols
Infiniband over Ethernet
A network protocol that allows remote direct memory access (RDMA) over an Ethernet network
- Provides lower latency and higher throughput than vs Ethernet alone
“Converged” bc it runs over the existing TCP/IP network
Converged Protocols
Compute Express Link
An open standard for high-speed, high capacity CPU-to-device and CPU-to-memory connections
“Converged” bc it runs over the existing TCP/IP network
Transport Architecture
Control Plane
Manages routing and determines optimal paths
- Open Shortest Path First (OSPF)
- Border Gateway Protocol (BGP, TCP, 179)
Transport Architecture
Data Plane
Forwards data packets based on control plan guidance
Switching types:
Cut-through the switch makes a forwarding decision as soon as it recv the 1st part of the frame
- When ultra low latency is important and cost/simplicity is high priority
Store-and-foreward the switch waits to recv the entire frame before making a fwd decision
- When reliability is essential or network is less reliable
Transport Architecture
Management Plane
Configures, monitors, maintains the network
- Simple Network Management Protocol (SNMP TCP/UDP, 161/162)
- Network Configuration Protocol (NETCONF)
Network Performance Metrics
Bandwidth
Theoretical maximum data transfer rate