Comptia Security+ Domain 5

86 Terms

1

CIA

Confidentiality, Integrity, and Availability

2

Information security policies

  • Big list of all security-related policies

  • Compliance requirements

  • Detailed security procedures

  • A list of roles and responsibilities

  • Just words and letters

3

Acceptable Use Policy (AUP)

  • What is acceptable use of company assets?

  • Covers many topics

    • Internet use, telephones, computers, mobile devices, etc.

  • Used by an org to limit legal liability

4

Business continuity

  • Not everything goes according to plan

  • Needs to be an alternative:

    • Manual transactions

    • Paper receipts

    • Phone calls for transaction approvals

  • Must be documented and tested before a problem occurs

5

Disaster recovery plan

  • Types of disasters

    • Natural

    • Technology or system failures

    • Human-created

  • A comprehensive plan:

    • Recovery location

    • Data recovery method

    • App restoration

    • IT team and employee availability

6

Incident response team

Specialized group, trained and tested

7

Compliance officers

Intricate knowledge of compliance rules

8

Technical staff

Team in the trenches for incident response

9

NIST SP 800-61

1) Preparation

2) Detection and Analysis

3) Containment, Eradication, and Recovery

4) Post-incident Activity

10

SDLC (Software Development Lifecycle)

  • Many ways to get from idea to app

    • Many moving parts

    • Customer requirements

    • Keeping process on schedule

    • Stay in budget

  • No “best way”

11

Popular SDLCs

AGILE and WATERFALL

12

Security standards

  • Formal definition for using security technologies and processes

  • May be written in-house

  • Standards:

    • ISO (International Organization for Standardization)

    • NIST (National Institute of Standards and Technology)

13

Password

  • Define acceptable authentication methods

    • No local accounts, only LDAP to the AD database, etc.

  • Create policies for secure password resets

14

Physical security

  • Rules and policies regarding physical security controls

  • Granting physical access

  • Define specific physical security systems

15

Encryption

  • Password storage

    • Examples: Salting or hashing

  • Minimums:

    • Algorithms for data in use, in transit, and at rest

16

Change management

  • Formal process for managing change

    • Avoid downtime, confusion, and mistakes

  • Nothing changes without going through the process

    • Scope of change

    • Analyze risk

    • Create a plan

    • Get end-user approval

    • Present the proposal

    • Have a backout plan

    • Document the changes

17

Onboarding

  • Bring a new person into the org

  • IT agreements need to be signed

  • Create accounts

  • Provide required IT hardware

18

Offboarding

  • Process should be pre-planned

  • What happens to the hardware?

  • What happens to the data?

  • Account info is usually deactivated

    • Not always deleted

19

Playbooks

  • Conditional steps to follow; a broad process

  • Step-by-step set of processes and procedures

  • Often integrated with a SOAR platform

    • Security Orchestration, Automation, and Response

    • Integrate 3rd party tools and data sources

20

Monitoring and revision

  • IT security is constantly changing

  • Update to security posture

  • Change to an individual procedure

  • New security concerns

21

Governance structures

  • Boards

  • Committees

  • Government entities

  • Centralized/decentralized

22

Boards

  • Panel of specialists

  • Sets the tasks or requirements for the committees

23

Committees

  • Subject-matter experts

  • Considers input from board

  • Determines next steps for a topic at hand

  • Presents the results to the board

24

Government entities

  • Legal concerns, admin requirements, political issues

  • Often open to the public

25

Centralized/decentralized

  • Source of the processes and procedures

  • Centralized governance is located in one location with a group of decision makers

  • Decentralized governance spreads the decision-making process around to other individuals or locations

26

Regulatory

  • Often mandated

  • Sarbanes-Oxley Act (SOX)

  • The Health Insurance Portability and Accountability Act (HIPAA)

27

Sarbanes-Oxley Act (SOX)

The Public Company Accounting Reform and Investor Protection Act of 2002

28

The Health Insurance Portability and Accountability Act (HIPAA)

Extensive healthcare standards for storage, use, and transmission of health care info

29

Legal

  • Security team is often tasked with legal responsibilities

    • Reporting illegal activities

    • Holding data required for legal proceedings

  • Security breach notifications

  • Cloud computing can make this challenging

30

Industry

  • May require specific security considerations

  • Electrical power and public utilities

    • Isolated and protected system controls

  • Medical

    • Highly secure data storage and access logs

    • Data encryption and protection

31

Geographical security

  • Local/regional

    • City and state gov records

    • Uptime and availability of end-user services

  • National

    • Federal governments and national defense

    • State secrets

  • Global

    • Large multinational companies

    • Global financial markets

    • Legal concerns will vary widely

32

Data responsibilities

  • High-level data relationships

    • Org responsibilities, not always technical

  • Data owner

    • Accountable for specific data, often a senior officer

    • VP of Sales owns the customer relationship data

    • Treasurer owns the financial info

33

Data roles

  • Data controller

  • Data processor

  • Payroll controller and processor

  • Data custodian/steward

34

Data controller

Manages the purposes and means by which personal data is processed

35

Data processor

  • Processes data on behalf of the data controller

  • Often a 3rd party or different group

36

Payroll controller and processor

  • Payroll department (data controller) defines payroll amounts and timeframes

  • Payroll company (data processor) processes payroll and stores employee info

37

Data custodian/steward

Responsible for data accuracy, privacy, and security

38

Performing a risk assessment

  • Not all risk requires constant evaluation

  • One-time

    • One-time project

    • Company acquisition, new equipment installation, etc.

  • Continuous assessments

    • May be part of an existing process

    • Change control requires a risk assessment as part of the change

39

Ad hoc assessments

  • An org may not have a formal risk assessment process

  • CEO is back from a conference

    • Wants to know if the org is protected from a new attack type

  • Committee is created and risk assessment proceeds

    • Disbanded after the assessment is complete

40

Recurring assessments

  • Occurs on standard intervals

  • Internal assessment

  • Mandated risk assessment

    • Required by certain orgs

    • Some legal requirements will mandate an assessment

    • PCI DSS requires annual risk assessments

41

Qualitative risk assessment

Legacy Windows Clients

  • Impact: medium

  • ARO: high

  • Cost of Controls: medium

  • Overall Risk: high

Untrained staff

  • Impact: low

  • ARO: medium

  • Cost of controls: low

  • Overall: medium

No Anti-Virus software

  • Impact: medium

  • ARO: high

  • Cost of controls: medium

  • Overall risk: high

42

ARO (Annualized Rate of Occurrence)

How likely something will happen

43

AV (Asset Value)

  • Value of the asset to the org

  • Cost of asset, effect on company sales, potential regulatory fines, etc.

44

EF (Exposure Factor)

% of the value lost due to an incident

45

SLE (Single Loss Expectancy)

  • Monetary loss if a single event occurs

  • AV x EF

46

ALE (Annualized Loss Expectancy)

ARO x SLE

47

Impact

  • Life

  • Property

  • Safety

  • Finance

48

Risk appetite

Amount of accepted risk before taking any action to reduce the risk

49

Risk appetite posture

  • Qualitative description for readiness to take risk

  • Conservative, neutral, and expansionary

50

Risk management strategies

  • Transfer

  • Accept

  • Accept with exemption

  • Accept with exception

  • Avoid

  • Mitigate

51

Risk reporting

  • Formal document

  • Usually created for senior management

  • Commonly includes critical and emerging risks

52

RTO (Recovery Time Objective)

How long it takes to get back up and running

53

RPO (Recovery Point Objective)

Acceptable amount of data loss

54

MTTR (Mean Time To Repair)

Average time required to fix an issue

55

MTBF (Mean Time Between Failures)

Time between outages

56

Rules of engagement

  • An important document

  • Type of testing and schedule

    • On-site, internal test, etc.

  • The rules

    • IP address ranges

    • Emergency contacts

    • How to handle sensitive info

57

Right-to-audit clauses

  • Common to work with business partners

  • 3rd party providers

  • Should be in contract

    • Option to perform a security audit at any time

58

Evidence of internal audits

  • Evaluate effectiveness of security controls

  • May be required for compliance

  • Check for security controls and processes

  • Perform at a reasonable frequency

59

Supply chain analysis

  • System involved when creating a product

  • Get a product from supplier to customer

  • Evaluate coordination between groups

  • Identify areas of improvement

  • Assess the IT systems supporting the operation

  • Document the business process changes

60

Independent assessments

Bring in an outside firm to evaluate security and provide recommendations

61

Vendor selection process

  • Due diligence

    • Check company out before doing business

  • Conflict of interest

62

Vendor monitoring

  • Ongoing management of the vendor relationship

  • Should occur on a regular basis

  • Different vendors, different indicators

  • Assign a person to be in charge of this

63

Questionnaires

  • Important part of due diligence and ongoing vendor monitoring

  • Security-related questions

  • Results are used to update a vendor risk analysis

64

SLA (Service Level Agreement)

  • Minimum terms for services provided

  • Uptime, response time agreement, etc.

  • Commonly used between customers and service providers

  • Example with ISP:

    • No more than 4 hours of unscheduled downtime

    • Technician will be dispatched

65

MOU (Memorandum of Understanding)

  • Both sides agree in general to the contents of the memorandum

  • Usually states common goals

  • Informal letter of intent; not a signed contract

66

MOA (Memorandum of Agreement)

  • Step above MOU

  • Both sides conditionally agree to the objectives

  • Can also be a legal document, even without legal language

  • Unlike a contract, may not contain legally enforceable promises

67

MSA (Master Service Agreement)

  • Legal contract and agreement of terms

  • Many detailed negotiations

  • Future projects based on this agreement

68

WO (Work order) / SOW (Statement of Work)

  • Specific list of items to be completed

  • Used in conjunction with an MSA

69

NDA (Non-disclosure Agreement)

  • Confidentiality agreement between parties

  • Info such as:

    • Trade secrets

    • Business activities

    • Anything else listed

  • Unilateral or bilateral (or multilateral)

    • One-way or mutual NDA

  • Formal contract

70

BPA (Business Partners Agreement)

  • Going into business together

  • Owner stake

  • Financial contract

  • Who makes the business decisions?

71

Compliance

  • Meeting standards of laws, policies, and regulations

  • A healthy catalog of rules

  • Penalties

  • Scope

72

Compliance reporting

  • Internal

    • Large orgs have a CCO (Central Compliance Officer)

  • External

    • May require annual or ongoing reporting

73

GLBA (The Gramm-Leach-Bliley Act of 1999)

Disclosure of privacy info from financial institutions

74

Consequences

  • Loss of license

  • Contractual impacts

75

GDPR (General Data Protection Regulation)

  • EU regulation

  • Controls export of personal data

  • Gives “data subjects” control of their personal data

76

Data subject

  • Any info relating to an identified or identifiable natural person

  • Includes everyone

77

Audits and assessments

  • Not just for taxes

  • Cybersecurity audit

  • Attestation

78

Internal audits

  • Aren’t just for 3rd parties

  • Compliance

  • Audit committee

  • Self-assessments

79

External audits

  • Regulatory requirements

    • Independent 3rd party may be required to perform the audit

  • Examinations

    • Often require hands-on research

    • View records, compile reports, etc.

  • Assessment

    • Assess current activities

    • Recommendations for future improvement

80

Phishing campaigns

  • Companies will perform this

  • An automated process

81

Anomalous behavior

  • Risky behavior

    • Modifying hosts file

    • Replacing a core OS file

  • Unexpected behavior

    • Logon from another country

    • Increase in data transfers

  • Unintentional behavior

82

Reporting and monitoring

  • Track and analyze security awareness metrics

  • Initial

    • First occurrence is an opportunity for user training

  • Recurring

    • Value of long-term monitoring

    • High-frequency security issues

83

Development

  • Create a Security Awareness team

  • Establish a minimum awareness level

  • Integrate compliance mandates

  • Define metrics

84

Execution

  • Create the training materials

  • Document success measurements

  • Identify the stakeholders

  • Deploy the training materials

  • Track user training efforts

85

Security Awareness training

  • Train users before providing access

  • Specialized training

  • Also applies to 3rd parties

  • Detailed documentation and records

86

User guidance and training

  • Policy/handbooks

  • Situational awareness

  • Insider threat

    • Add multiple approvals for critical processes

    • Monitor files and systems as much as possible

  • Password management

  • Removable media and cables

  • Social engineering

  • Operational security

    • View security from the attacker’s perspective

  • Hybrid/remote work environments