Information is compromised and utilized without the authorization of the owner
Data Breach
Unplanned Events that cause a general system or major application to be inoperable for an unacceptable length of time
Service Disruption
The failure of an organization to comply with regulations that may result in fines and penalties
Compliance risk
Attacker, threat actor, hacker, adversary, government sponsored actors, hacktivists, insiders, external threats
Threat agents
Attacks target the infrastructure of a network, including switches, routers, servers, and cabling, with the intent to gain unauthorized access or disrupt operations for users (ex. buffer overflows, spoofing, backdoors/trapdoors)
Network-based attacks
SQL Injection, Cross-Site Scripting, Race Conditions, Mobile Code (virus)
Application Based Attacks
Attacks target a single host, such as a laptop, mobile device, or server, to disrupt functionality or obtain unauthorized access (ex. brute force attacks, keystroke logging, malware, rogue mobile apps)
Host-Based Attacks
Phishing, spear phishing, business email compromise, pretexting, catfishing, pharming, vishing
Social engineering attacks
Intercepting discarded equipment, piggybacking, infrastructure targeted by attackers, tampering, theft
Physical Attacks
Embedded software code, foreign-sourced attacks, pre-installed malware on hardware, vendor attacks, watering hole attacks
Supply Chain Attacks
Reconnaissance, gaining access, escalation of privileges, maintaining access, network exploitation and exfiltration, covering tracks
Stages of cyberattacks
Additional industry exposures, cloud malware injection attacks, compliance violations, loss of control, loss of data, loss of visibility, multi-cloud and hybrid management issues, theft or loss of intellectual property
Risks to Cloud Computing
Application malware, lack of updates, lack of encryption, physical threats, unsecured wifi networks, location tracking
Risks to mobile technology
Device mismanagement, device spoofing, escalated cyberattacks, expanded footprint, information theft, outdated firmware, malware, network attacks
Risks to the Internet of Things
Identify assets, identify threats, perform reduction analysis, analyze the impact of an attack, develop countermeasures and controls, review and evaluate
Phases of Threat Modeling
Process for Attack Simulation and Threat Analysis (PASTA), Visual, Agile, and Simple Threat (VAST), Spoofing, Tampering, Repudiation, Information Disclosures, Denial-of-service attack, and Elevation of privilege (STRIDE)
Methodologies for Threat Models
Three Internal Control Objective Groups in the COSO Framework
Operational objectives, reporting objectives, compliance objectives
Five Components of the COSO Internal Control Framework
Control Environment, Risk Assessment, Information and Communication, Control Activities (Existing), Monitoring
Comprehensive guide for the implementation of an organization’s security framework. The document outlines the extent to which security measures are applied to various company resources
Security Policies
Control document that is created by an organization to regulate and protect technology resources by assigning varying levels of responsibilities to job roles, listing acceptable behaviors, and specifying consequences for those who violate the document
Acceptable Use Policy
Policy allows employees to use their personal devices for work-related activities and for connecting to a company’s network
Bring-your-own-device policy
Process of controlling network traffic so that a network segment is either inaccessible from, or separated from, outside communications or other segments within an organization’s own network
Network segmentation/isolation
A virtual network built on top of existing physical networks that provides a means of secure communications using encryption protocols such as tunneling or Internet Protocol Security (IPsec)
Virtual Private Network
A multipronged, comprehensive security approach that reduces risk by minimizing the number of access points through which a company can be attacked. Ex:
database hardening
endpoint hardening
network hardening
server hardening
System hardening
Zero trust, least privilege, need-to-know, allowlisting and denylisting
Authorization and Authentication Practices
Context-aware authentication, digital signatures, single sign-on, multi-factor authentication, personal identification numbers, smart cards, tokens, biometrics
Authentication technologies
Proactive security practice designed to prevent the exploitation of IT vulnerabilities that could potentially harm a system or organization. It involves identifying, classifying, mitigating, and fixing known vulnerabilities within a system
Vulnerability management
A multilayered security approach that combines people, policies, technology, and physical/logical access controls
Defense in depth, Layered Solutions
Safeguarding practices, education and training, regular security updates, encryption, firewalls, physical barriers, device and software hardening, Intrusion prevention systems
Preventive Controls
Designed to detect a threat while it is occurring and provide assistance during investigations and audits after the event has occurred
Detective Controls
Intended to fix known vulnerabilities as a result of recent security incidents, security self-assessments, or changes in industry practices
Corrective Controls
Identify four components to manage risk under the NIST Special Publication 800-39
Frame risk, assess risk, respond to risk, monitor risk
Key items generally included in a Security Assessment Report (SAR)
Summary of findings, system overview, assessment methodology, security assessment findings, recommendations, action plan
Results help the org:
Identify potential deficiencies in their risk management processes
Identify security and privacy related deficiencies in the security system’s environment
Prioritize the responses to risks
Support the monitoring activities and system authorization decisions
Inform budgeting and investment decision makers
SAR
Regarding security awareness, what are the three generally relevant categories of personnel in terms of responsibility?
Management, Specialized IT Personnel, all other employees
Components of a successful security awareness program
Phishing simulations, security program champions, employee engagement
Click rate, re-click rate, report rate, nonresponder rate, reply rate
Metrics to measure phishing simulations
Protects against unauthorized access to information gathered by the organization
Confidentiality
Protects the rights of an individual and gives the individual control over what information they are willing to share with others
Privacy
Three most common data obfuscation applications to help protect confidential data
Encryption, tokenization, masking
Involves a single shared or private key for encryption and decryption within a group
Symmetric encryption
Uses two keys, a public key and a private key, where the public key encrypts the message and the private key decrypts the message
Asymmetric Encryption
Identify two of the most common cipher techniques that encode unencrypted messages into encrypted form
Substitution ciphers, transposition ciphers
Five safeguards that should be in place to protect data-at-rest
Physical security, digital security controls, authorization and user access controls, change management controls, backup and recovery mechanisms
Plan and prep
obtain an understanding
perform the walk-through
create documentation
test controls
evaluate and report
Walk-through steps
The documentation of a set of procedures, people, and information to detect, respond to, and limit the consequences of a cyberattack against an organization
Incident Response Plan
Models recommended by NIST for structuring the incident response team; the choice depends on an entity’s size and business model
Centralized incident response team, distributed incident response teams, coordinating team
Factors that organizations should consider when selecting the appropriate structure and staffing models for incident response teams
24/7 Availability, Full time vs. part time, employee morale, cost, staff expertise
Observable occurrence in a system or network
Event
A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation)
Cybersecurity Event
Any event with a negative consequence
Adverse event
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. May constitute a violation or imminent threat of violation of security policies, procedures, or acceptable use policies
Incident
A type of adverse event that is computer-security related and caused by malicious human intent
Computer security incident
A cybersecurity event that has been determined
Cybersecurity incident
Seven widely recognized steps in responding to incidents
Preparation, Detection, Containment, Eradication, Reporting, Recovery, Learning
Common methods of testing when organizations periodically test whether IRP plans respond as expected to both hypothetical and actual cybersecurity threats
Simulations, IRP metrics, post-incident review, periodic audits, continuous monitoring
Business interruption losses, cyber extortion losses, incident response costs, replacement costs for IS, litigation and attorney fees, reputational damage, information or identity theft
Common losses covered by cyber insurance