Security Frameworks Flashcards
Compliance
• Compliance
—Meeting the standards of laws, policies, and regulations
• A healthy catalog of rules
—Across many aspects of business and life
—Many are industry-specific or situational
• Penalties
—Fines
—Loss of employment
—Incarceration
• Scope
—Domestic and international requirements
Regulatory
• Sarbanes-Oxley Act (SOX)
—The Public Company Accounting Reform and Investor Protection Act of 2002
• The Health Insurance Portability and Accountability Act (HIPAA)
—Extensive healthcare standards for storage, use, and transmission of health care information
• The Gramm-Leach-Bliley Act of 1999 (GLBA)
—Disclosure of privacy information from financial institutions
HIPAA non-compliance penalties
• Fine of up to $50,000, or up to 1 year in prison, or both (Class 6 Felony)
• Under false pretenses: a fine of up to $100,000, up to 5 years in prison, or both (Class 5 Felony)
• Intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm: a fine of up to $250,000, or up to 10 years in prison, or both (Class 4 Felony)
• Civil fines: maximum is $100 for each violation, with the total amount not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year (Class 3 Felony)
Non-regulatory
• No rule of law
—May be strongly suggested
• A regulation may be in the works
—Get used to the impending change
• Creates value for yourself and/or others
—You don't need a law if it's the right thing to do
• Sharing of identified malicious IP addresses
—There's no law or rule that requires you to participate
—It's in your best interest to share
Frameworks
• Structure and organization
—What works best for IT?
• Process management
—Getting the IT "product" to work best with the organization
• Best practices
—Guidelines and examples for IT management
—Cost effective, agile
• Lots of training
—For everyone
Industry-specific frameworks
• COBIT
—Control Objectives for Information and Related Technologies
—Created by ISACA, formerly the Information Systems Audit and Control Association
—Focus on regulatory compliance, risk management, and aligning IT strategy with organizational goals
• ITIL
—Formerly the Information Technology Infrastructure Library
—Multiple stages of the IT lifecycle
—Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement
Secure configurations
• No system is secure with the default configurations
—You need some guidelines to keep everything safe
• Hardening guides are specific to the software or platform
—Get feedback from the manufacturer or Internet interest group
—They'll have the best details
• Other general-purpose guides online
Web server hardening
• Access a server with your browser
—The fundamental server on the Internet
—Microsoft Internet Information Server, Apache HTTP Server, et al.
• Huge potential for access issues
—Data leaks, server access
• Secure configuration
—Information leakage: Banner information, directory browsing
—Permissions: Run from a non-privileged account, configure file permissions
—Configure SSL: Manage and install certificates
—Log files: Monitor access and error logs
Operating system hardening
• Many and varied
—Windows, Linux, iOS, Android, et al.
• Updates
—Operating system updates/service packs, security patches
• User accounts
—Minimum password lengths and complexity
—Account limitations
• Network access and security
—Limit network access
• Monitor and secure
—Anti-virus, anti-malware
Application server
• Programming languages, runtime libraries, etc.
—Usually between the web server and the database
—Middleware
• Very specific functionality
—Disable all unnecessary services
• Operating system updates
—Security patches
• File permissions and access controls
—Limit rights to what's required
—Limit access from other devices
Network infrastructure devices
• Switches, routers, firewalls, IPS, etc.
—You never see them, but they're always there
• Purpose-built devices
—Embedded OS, limited OS access
• Configure authentication
—Don't use the defaults
• Check with the manufacturer
—Security updates
—Not usually updated frequently
—Updates are usually important
Layering the defense
• Physical controls
—Keep people away from the technology
—Door locks, fences, rack locks, cameras
• Technical controls
—Hardware and software to keep things secure
—Firewalls, Active Directory authentication, disk encryption
• Administrative controls
—Policies and procedures
—Onboarding and offboarding
—Backup media handling
Defense in depth
• Firewall
• DMZ
• Hashing and salting passwords
• Authentication
• Intrusion prevention system
• VPN access
• Card/badge access
• Anti-virus and anti-malware software
• Security guard