CompTIA Security+ 601 5.0

125 Terms

1

Managerial controls

Primarily administrative in function. They are typically documented in an organization’s security policy and focus on managing risk.

2

Operational Controls

Help ensure that day-to-day operations of an organization comply with the security policy. People implement them.

3

Technical Controls

Use technology such as hardware, software, and firmware to reduce vulnerabilities.

4

Preventive Controls

Attempt to prevent an incident from occurring.

5

Detective Controls

Attempt to detect incidents after they have occurred.

6

Corrective Controls

Attempt to reverse the impact of an incident.

7

Deterrent Controls

Attempt to discourage individuals from causing an incident.

8

Compensating Controls

Alternative controls used when a primary control is not feasible.

9

Physical Controls

Controls you can physically touch.

10
Compliance
Meeting the standards of laws, policies, and regulations. There is a large catalog of regulations and laws across many aspects of business and life. Many are industry-specific or situational.
11
Penalties
Fines, incarceration, loss of employment
12
Scope
Covers national, territory, or state laws. Domestic and international requirements.
13

GDPR (General Data Protection Regulation)

European Union regulation

  • Data protection and privacy for individuals in the EU

  • Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer's IP address, etc.

  • Controls export of personal data

  • Users can decide where their data goes

  • Gives individuals control of their personal data

  • A right to be forgotten

  • Site privacy policy

  • Details all of the privacy rights for a user

14
PCI DSS (Payment Card Industry Data Security Standard)
A standard for protecting credit cards.
Six control objectives
- Build and maintain a secure network and systems,
- Protect cardholder data,
- Maintain a vulnerability management program,
- Implement strong access control measures,
- Regularly monitor and test networks,
- Maintain an information security policy.
15
CIS (Center for Internet Security)
Improve cyber defenses. Twenty key actions (the critical security controls). Categorized for different organization sizes. Designed for implementation. Written for IT professionals. Includes practical and actionable tasks.
16
NIST RMF (National Institute of Standards and Technology Risk Management Framework)
Mandatory for federal agencies and organizations that handle federal data.
Six Step Process:
Step 1: Categorize - Define the environment
Step 2: Select - Pick appropriate controls.
Step 3: Implement - Define proper implementation.
Step 4: Assess - Determine if controls are working
Step 5: Authorize - Make a decision to authorize a system.
Step 6: Monitor - Check for ongoing compliance
17
NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)
A voluntary commercial framework.
Framework Core
- Identify, Protect, Detect, Respond, and Recover.
Framework Implementation Tiers
- An organization's view of cybersecurity risk and processes to manage the risk.
Framework Profile
- The alignment of standards, guidelines, and practices to the Framework Core
18
ISO/IEC
International Organization for Standardization/International Electrotechnical Commission
19
ISO/IEC 27001
Standard for an Information Security Management System (ISMS)
20
ISO/IEC 27002
Code of practice for information security controls
21
ISO/IEC 27701
Privacy Information Management Systems (PIMS)
22
ISO 31000
International standards for risk management practices
23
SSAE SOC 2 Type I/II
• The American Institute of Certified Public Accountants (AICPA) auditing standard Statement on Standards for Attestation Engagements number 18 (SSAE 18)

• SOC 2 - Trust Services Criteria (security controls)
- Firewalls, intrusion detection, and multi-factor authentication

• Type I audit
- Tests controls in place at a particular point in time

• Type II
- Tests controls over a period of at least six consecutive months
24
CSA (Cloud Security Alliance)
Security in cloud computing - Not-for-profit organization. Cloud Controls Matrix (CCM) - Cloud-specific security controls.
Controls are mapped to standards, best practices, and regulations.
Enterprise Architecture
- Methodology and tools
- Assess internal IT groups and cloud providers
- Determine security capabilities
- Build a roadmap
25
Web Server Hardening
• Access a server with your browser
• The fundamental server on the Internet
• Microsoft Internet Information Server, Apache HTTP Server, et al.
• Huge potential for access issues
• Data leaks, server access
• Secure configuration
• Information leakage: Banner information, directory browsing
• Permissions: Run from a non-privileged account, configure file permissions
• Configure SSL: Manage and install certificates
• Log files: Monitor access and error logs
26
Operating System Hardening
Many and varied
- Windows, Linux, iOS, Android, et al.
• Updates
- Operating system updates/service packs, security patches
• User accounts
- Minimum password lengths and complexity
- Account limitations
• Network access and security
- Limit network access
• Monitor and secure
- Anti-virus, anti-malware
27
Application Server
• Programming languages, runtime libraries, etc.
• Usually between the web server and the database
• Middleware
• Very specific functionality
• Disable all unnecessary services
• Operating system updates
• Security patches
• File permissions and access controls
• Limit rights to what's required
• Limit access from other devices
28
Network Infrastructure Devices
• Switches, routers, firewalls, IPS, etc.
• You never see them, but they're always there
• Purpose-built devices
• Embedded OS, limited OS access
• Configure authentication
- Don't use the defaults
• Check with the manufacturer
• Security updates
• Not usually updated frequently
• Updates are usually important
29
AUP (Acceptable Use Policy)
What is acceptable use of company assets? Detailed documentation. May be documented in the Rules of Behavior. Covers many topics: internal use, telephones, computers, mobile devices, etc. Used by an organization to limit legal liability. If someone is dismissed, these are the well-documented reasons why.
30
job rotation
Keep people moving between responsibilities. No one person maintains control for long periods of time.
31
Mandatory Vacations
- Rotate others through the job
- The longer the vacation, the better chance to identify fraud
- Especially important in high-security environments
32
Separation of Duties
- Split knowledge
  - No one person has all the details. Half of a safe combination.
- Dual control
  - Two people must be present to perform the business function.
  - Two keys open a safe (or launch a missile)
- Clean desk policy
  - When you leave, nothing is on your desk.
  - Limit the exposure of sensitive data to third-parties
33
Least Privilege
• Rights and permissions should be set to the bare minimum
• You only get exactly what's needed to complete your objective
• All user accounts must be limited
• Applications should run with minimal privileges
• Don't allow users to run with administrative privileges
• Limits the scope of malicious behavior
34
Background Checks
- Pre-employment screening
- Verify the applicant's claims
- Discover criminal history, workers compensation claims, etc.
- Legalities vary by country
35
Adverse actions
- An action that denies employment based on the background check
- May require extensive documentation
- Can also include existing employees
36

NDA (Non-Disclosure Agreement)

Confidentiality agreement / legal contract. Prevents the use and dissemination of confidential information.

• Confidentiality agreement between parties

  • Information in the agreement should not be disclosed

  • Protects confidential information

  • Trade secrets, business activities

  • Anything else listed in the NDA

• Unilateral or bilateral (or multilateral)

  • One-way NDA or mutual NDA

• Formal contract - Signatures are usually required

37
Social Media Analysis
- Gather data from social media
- Facebook, Twitter, LinkedIn, Instagram
- Build a personal profile
- Another data point when making a hiring decision
38
On-boarding
• Bring a new person into the organization
- New hires or transfers
• IT agreements need to be signed
- May be part of the employee handbook or a separate AUP
• Create accounts
- Associate the user with the proper groups and departments
• Provide required IT hardware
- Laptops, tablets, etc.
- Preconfigured and ready to go
39
Off-boarding
All good things... (But you knew this day would come)
• This process should be pre-planned
- You don't want to decide how to do things at this point
• What happens to the hardware and the data?
• Account information is usually deactivated
- But not always deleted
40
Gamification
Score points. Compete with others. Collect badges.
41
Capture the Flag
Security competition. Hack into a server to steal data (the flag). Can be highly technical. A practical learning environment.
42
Phishing Simulations
Send simulated phishing emails. Make vishing calls. See which users are susceptible to phishing attacks without being a victim of phishing.
43
CBT (computer-based training)
Automated pre-built training. May include video, audio, and Q&A. Users all receive the same training experience.
44
Role-based security awareness training
• Before providing access, train your users
- Detailed security requirements

• Specialized training
- Each user role has unique security responsibilities

• Also applies to third-parties
- Contractors, partners, suppliers

• Detailed documentation and records
- Problems later can be severe for everyone
45
Vendors
Every organization works with vendors.
Payroll, customer relationship management, email marketing, travel, raw materials. Important company data is often shared. May be required for cloud-based services.
Perform a risk assessment. Categorize risk by vendor and manage the risk. Use contracts for clear understanding. Make sure everyone understands the expectations. Use the contract to enforce a secure environment.
46
Supply Chain
The system involved when creating a product. Involves organizations, people, activities, and resources.
Supply chain assessment
- Get a product or service from supplier to customer
- Evaluate coordination between groups
- Identify areas of improvement
- Assess the IT systems supporting the operation
- Document the business process changes
47
Business partners
Much closer to your data than a vendor. May require direct access. May be a larger security concern than an outside hacker. Often involves communication over a trusted connection. More difficult to identify malicious activity.
Partner risk management should be included.
- Requirements for best practices, data handling, intellectual property
- Include additional security between partners
  - Firewalls and traffic filters
48
Service Level Agreement (SLA)
Minimum terms for services provided
• Uptime, response time agreement, etc.
- Commonly used between customers and service providers.
49
MOU (memorandum of understanding)
- Both sides agree on the contents of the memorandum
- Usually includes statements of confidentiality
- Informal letter of intent
- Not a signed contract

51
Measurement System Analysis
Don't make decisions based on incorrect data!
Used with quality management systems, e.g., Six Sigma. Assess the measurement process. Calculate measurement uncertainty.
52
Business Partnership Agreement (BPA)
Going into business together. Owner stake. Financial contract. Decision-making agreements. Prepare for contingencies.
53
EOL (end of life)
Manufacturer stops selling a product. May continue supporting the product. Important for security patches and updates.
54
End of Service Life (EOSL)
- Manufacturer stops selling a product
- Support is no longer available for the product
- No ongoing security patches or updates
- May have a premium-cost support option
55
Data governance
Rules, processes, and accountability associated with an organization's data.
- Data is used in the right ways.
56
data steward
Manages the governance processes
- Responsible for data accuracy, privacy, and security
- Associates sensitivity labels to the data
- Ensures compliance with any applicable laws and standards
57
Data Classification
• Identify data types
- Personal, public, restricted, etc.
- Use and protect data efficiently
• Associate governance controls to the classification levels
- How the data class should be managed
• Data compliance
- Laws and regulations regarding certain types of data
- GDPR - General Data Protection Regulation
58
Data Retention
• Keep files that change frequently for version control
- Files change often
- Keep at least a week, perhaps more
• Recover from virus infection
- Infection may not be identified immediately
- May need to retain 30 days of backups
• Often legal requirements for data retention
- Email storage may be required over years
- Some industries must legally store certain data types
- Different data types have different storage requirements
- Corporate tax information, customer PII, tape backups, etc.
59
Personnel accounts
• An account on a computer associated with a specific person
- The computer associates the user with a specific identification number
• Storage and files can be private to that user
- Even if another person is using the same computer
• No privileged access to the operating system
- Specifically not allowed on a user account
• This is the account type most people will use
- Your user community
60
Third-party accounts
• Access to external third-party systems
- Cloud platforms for payroll, enterprise resource planning, etc.
• Third-party access to corporate systems
- Access can come from anywhere
• Add additional layers of security
- 2FA (two factor authentication)
- Audit the security posture of third-parties
• Don't allow account sharing
- All users should have their own account
61
Device Accounts
• Access to devices
- Mobile devices
• Local security
- Device certificate
- Require screen locks and unlocking standards
- Manage through a Mobile Device Manager (MDM)
• Add additional security
- Geography-based
- Include additional authentication factors
- Associate a device with a user
62
Service accounts
• Used exclusively by services running on a computer
- No interactive/user access (ideally)
- Web server, database server, etc.
• Access can be defined for a specific service
- Web server rights and permissions will be different than a database server
• Commonly use usernames and passwords
- You'll need to determine the best policy for password updates
63
Administrator/root accounts
• Elevated access to one or more systems
- Super user access
• Complete access to the system
- Often used to manage hardware, drivers, and software installation
• This account should not be used for normal administration
- User accounts should be used
• Needs to be highly secured
- Strong passwords, 2FA
- Scheduled password changes
64
Change Management
How to make a change. Upgrade software, change firewall configuration, modify switch ports. One of the most common risks in the enterprise. Occurs very frequently. Often overlooked or ignored. Did you feel that bite? Have clear policies. Frequency, duration, installation process, fallback procedures.
Sometimes extremely difficult to implement. It's hard to change corporate culture.
65
Change control
Formal process for managing change to avoid downtime, confusion, and mistakes. Nothing changes without the process. Determine the scope of the change. Analyze the risk associated with the change. Create a plan. Get end-user approval. Present the proposal to the change control board. Have a backout plan if the change doesn't work. Document the changes.
66
Asset management
Identify and track computing assets. Usually an automated process. Respond faster to security problems. You know who, what, and where. Keep an eye on the most valuable assets, both hardware and data. Track licenses. You know exactly how many you'll need. Verify that all devices are up to date.
- Security patches, anti-malware signature updates, etc.
67
risk assessment
Identify assets that could be affected by an attack. Define the risk associated with each asset. Hardware, customer data, intellectual property. Identify threats - loss of data, disruption of services, etc. Determine the risk - High, medium, or low risk. Assess the total risk to the organization. Make future security plans.
68
External Threats
- Outside the organization
- Hacker groups, former employees
69
Internal Threats
- Employees and partners
- Disgruntled employees
70
Legacy systems
Outdated, older technologies. May not be supported by the manufacturer. May not have security updates. Depending on the age, may not be easily accessible.
71
Multiparty Risk
Breaches involving multiple parties. Often trusted business relationships. Events often involve many different parties.
72
Intellectual Property (IP) theft
- Theft of ideas, inventions, and creative expressions
- Human error, hacking, employees with access, etc.
- Identify and protect IP
- Educate employees and increase security
73
Software Compliance/Licensing
- Operational risk with too few licenses
- Financial risk with budgeting and over-allocated licenses
- Legal risk if proper licensing is not followed
74
Acceptance
A business decision: we'll take the risk.
75
Risk Avoidance
Stop participating in a high-risk activity.
76
Transference
Buy some cybersecurity insurance.
77
Mitigation
Decrease the risk level. Invest in security systems.
78
Risk Register
Every project has a plan, but also has risk. Identify and document the risk associated with each step. Apply possible solutions to the identified risks. Monitor the results.
79
Risk Matrix / Risk Heat Map
- View the results of the risk assessment
- Visually identify risk based on color
- Combines the likelihood of an event with the potential impact
- Assists with making strategic decisions
80
Inherent Risk
Impact + Likelihood. Risks that exist in the absence of controls.
81
Residual Risk
Inherent Risk + Control effectiveness. Risks that exist after controls are considered.
82
Risk Appetite
The amount of risk an organization is willing to take
83
Risk Control Assessment
Risks have been determined; time to build cybersecurity requirements. Find the gap. Build and maintain security systems based on the requirements. Determine if existing controls are compliant or non-compliant.
84
Risk awareness
A constantly changing battlefield (i.e., new risks, emerging risks, a nearly overwhelming amount of information, difficult to manage a defense). Knowledge is key (part of every employee's daily job role, part of the onboarding process for employees and partners). Maintaining awareness (ongoing group discussions, presentations from law enforcement, attend security conferences and programs).
85
Regulations that affect risk posture
Many of them. Regulations tend to regulate. Regulations directly associated with cybersecurity: HIPAA, GDPR.
86
Regulations directly associated to cybersecurity
Protection of personal information, disclosure of information breaches. Requires a minimum level of information security.
87
HIPAA (Health Insurance Portability and Accountability Act)
Privacy of patient records. New storage requirements, network security, and protection against threats.
88
GDPR - General Data Protection Regulation
European Union data protection and privacy. Personal data must be protected and managed for privacy.
89
Qualitative risk assessment
Identify significant risk factors. Ask opinions about the significance. Display visually with a light grid or similar method.
90
Quantitative Risk Assessment
Likelihood
- Annualized Rate of Occurrence (ARO): How likely is it that a hurricane will hit? In Montana? In Florida?
- SLE (Single Loss Expectancy): What is the monetary loss if a single event occurs?
- ALE (Annualized Loss Expectancy)
91
Annualized Rate of Occurrence (ARO)
Likelihood of an event occurring. How likely is it that a hurricane will hit? In Montana? In Florida?
92
SLE (Single Loss Expectancy)
What is the monetary loss if a single event occurs?
93
ALE (Annualized Loss Expectancy)
ARO × SLE. Example: 7 laptops stolen in a year (ARO) × $1000 (SLE) = $7000
94
Disaster types
Environmental threats, Person-made threats, Internal and external threats.
95
Environmental Threats
Tornado, hurricane, earthquake, severe weather
96
Person-made threats
Human intent, negligence, or error. Arson, crime, civil disorder, fires, riots, etc.
97
Internal and External
Internal threats come from employees; external threats come from outside the organization.
98
Recovery Time Objective (RTO)
Describes how long it would take to get back up and running to a particular service level.
99
Recovery point objective (RPO)
We would set an objective to meet a certain set of minimum requirements to get a system up and running
100
Mean Time to Repair (MTTR)
Time required to fix the issue