Play it Safe and Manage Security Risk
GO BACK TO PORTFOLIO ACTIVITY: CONDUCT A SECURITY AUDIT
bottom of module two
Recognize and explain the focus of eight security domains
(please make flash cards on these specifically)
Identify the steps of risk management
Describe the CIA triad
Identify security principles
Define and describe the purpose of a playbook
Explain how entry-level security analysts use SIEM dashboards
You will gain an understanding of the CISSP’s eight security domains. Then, you'll learn about primary threats, risks, and vulnerabilities to business operations. In addition, you'll explore the National Institute of Standards and Technology’s (NIST) Risk Management Framework and the steps of risk management.
Applying the CIA triad to workplace situations
Analyzing log data
Identifying the phases of an incident response playbook
All organizations must develop their security posture. Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. Elements of the security and risk management domain that impact an organization's security posture include:
Security goals and objectives
Risk mitigation processes
Compliance
Business continuity plans
Legal regulations
Professional and organizational ethics
Information security, or InfoSec, is also related to this domain and refers to a set of processes established to secure information. An organization may use playbooks and implement training as a part of their security and risk management program, based on their needs and perceived risk. There are many InfoSec design processes, such as:
Incident response
Vulnerability management
Application security
Cloud security
Infrastructure security
As an example, a security team may need to alter how personally identifiable information (PII) is treated in order to adhere to the European Union's General Data Protection Regulation (GDPR).
Asset security involves managing the cybersecurity processes of organizational assets, including the storage, maintenance, retention, and destruction of physical and virtual data. Because the loss or theft of assets can expose an organization and increase the level of risk, keeping track of assets and the data they hold is essential. Conducting a security impact analysis, establishing a recovery plan, and managing data exposure will depend on the level of risk associated with each asset. Security analysts may need to store, maintain, and retain data by creating backups to ensure they are able to restore the environment if a security incident places the organization’s data at risk.
The security architecture and engineering domain focuses on managing data security. Ensuring effective tools, systems, and processes are in place helps protect an organization’s assets and data. Security architects and engineers create these processes.
One important aspect of this domain is the concept of shared responsibility. Shared responsibility means all individuals involved take an active role in lowering risk during the design of a security system. Additional design principles related to this domain, which are discussed later in the program, include:
Threat modeling
Least privilege
Defense in depth
Fail securely
Separation of duties
Keep it simple
Zero trust
Trust but verify
An example of managing data is the use of a security information and event management (SIEM) tool to monitor for flags related to unusual login or user activity that could indicate a threat actor is attempting to access private data.
The communication and network security domain focuses on managing and securing physical networks and wireless communications. This includes on-site, remote, and cloud communications.
Organizations with remote, hybrid, and on-site work environments must ensure data remains secure, but managing external connections to make certain that remote workers are securely accessing an organization’s networks is a challenge. Designing network security controls—such as restricted network access—can help protect users and ensure an organization’s network remains secure when employees travel or work outside of the main office.
The identity and access management (IAM) domain focuses on keeping data secure. It does this by ensuring user identities are trusted and authenticated and that access to physical and logical assets is authorized. This helps prevent unauthorized users, while allowing authorized users to perform their tasks.
Essentially, IAM uses what is referred to as the principle of least privilege, which is the concept of granting only the minimal access and authorization required to complete a task. As an example, a cybersecurity analyst might be asked to ensure that customer service representatives can only view the private data of a customer, such as their phone number, while working to resolve the customer's issue; then remove access when the customer's issue is resolved.
The security assessment and testing domain focuses on identifying and mitigating risks, threats, and vulnerabilities. Security assessments help organizations determine whether their internal systems are secure or at risk. Organizations might employ penetration testers, often referred to as “pen testers,” to find vulnerabilities that could be exploited by a threat actor.
This domain suggests that organizations conduct security control testing, as well as collect and analyze data. Additionally, it emphasizes the importance of conducting security audits to monitor for and reduce the probability of a data breach. To contribute to these types of tasks, cybersecurity professionals may be tasked with auditing user permissions to validate that users have the correct levels of access to internal systems.
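Added example (not part of the course reading): one way an analyst could audit user permissions against least privilege, as described in the IAM and security assessment domains above. The role names, permission strings, ticket IDs, and user records are all constructed for illustration; temporary access is assumed to be justified only while its support ticket is open.

```python
"""Audit user permissions against a least-privilege baseline (illustrative)."""
from typing import NamedTuple

# Constructed baseline: the most access each role should hold by default.
ROLE_BASELINE = {
    "customer_service": {"ticket:read", "ticket:update"},
    "security_analyst": {"log:read", "alert:read", "alert:update"},
}

# Constructed set of support tickets that are still open.
OPEN_TICKETS = {"T-1001"}

# Constructed access records. A temporary grant ties an extra permission
# to the ticket that justified it.
ACCESS_RECORDS = [
    {"user": "avery", "role": "customer_service",
     "permissions": {"ticket:read", "ticket:update"},
     "temporary_grants": []},
    {"user": "blake", "role": "customer_service",
     "permissions": {"ticket:read", "ticket:update", "customer_pii:read"},
     "temporary_grants": [{"permission": "customer_pii:read", "ticket": "T-1001"}]},
    {"user": "casey", "role": "customer_service",
     "permissions": {"ticket:read", "customer_pii:read"},
     "temporary_grants": [{"permission": "customer_pii:read", "ticket": "T-0990"}]},
    {"user": "devon", "role": "customer_service",
     "permissions": {"ticket:read", "billing:refund"},
     "temporary_grants": []},
    {"user": "erin", "role": "contractor",
     "permissions": {"log:read"},
     "temporary_grants": []},
]


class Finding(NamedTuple):
    user: str
    kind: str        # EXCESS, STALE_GRANT, or UNKNOWN_ROLE
    permission: str


def audit_user(record, baseline, open_tickets):
    """Return the least-privilege findings for one access record."""
    user = record["user"]
    allowed = baseline.get(record["role"])
    if allowed is None:
        # No approved baseline exists for this role, so nothing the user
        # holds can be validated: report every permission for review.
        return [Finding(user, "UNKNOWN_ROLE", p)
                for p in sorted(record["permissions"])]

    grants = {g["permission"]: g["ticket"]
              for g in record.get("temporary_grants", [])}
    findings = []
    for perm in sorted(record["permissions"] - allowed):
        ticket = grants.get(perm)
        if ticket is None:
            # Extra access with no recorded justification.
            findings.append(Finding(user, "EXCESS", perm))
        elif ticket not in open_tickets:
            # The issue was resolved but the access was never removed.
            findings.append(Finding(user, "STALE_GRANT", perm))
    return findings


def audit_all(records=ACCESS_RECORDS, baseline=ROLE_BASELINE,
              open_tickets=OPEN_TICKETS):
    """Audit every record and return the findings in record order."""
    findings = []
    for record in records:
        findings.extend(audit_user(record, baseline, open_tickets))
    return findings


if __name__ == "__main__":
    for finding in audit_all():
        print(f"{finding.kind:<13} {finding.user:<6} {finding.permission}")
```

Blake's PII access produces no finding because ticket T-1001 is still open; the same access becomes a STALE_GRANT as soon as that ticket closes.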
The security operations domain focuses on the investigation of a potential data breach and the implementation of preventative measures after a security incident has occurred. This includes using strategies, processes, and tools such as:
Training and awareness
Reporting and documentation
Intrusion detection and prevention
SIEM tools
Log management
Incident management
Playbooks
Post-breach forensics
Reflecting on lessons learned
The cybersecurity professionals involved in this domain work as a team to manage, prevent, and investigate threats, risks, and vulnerabilities. These individuals are trained to handle active attacks, such as large amounts of data being accessed from an organization's internal network, outside of normal working hours. Once a threat is identified, the team works diligently to keep private data and information safe from threat actors.
The software development security domain is focused on using secure programming practices and guidelines to create secure applications. Having secure applications helps deliver secure and reliable services, which helps protect organizations and their users.
Security must be incorporated into each element of the software development life cycle, from design and development to testing and release. To achieve security, the software development process must have security in mind at each step. Security cannot be an afterthought.
Performing application security tests can help ensure vulnerabilities are identified and mitigated accordingly. Having a system in place to test the programming conventions, software executables, and security measures embedded in the software is necessary. Having quality assurance and pen tester professionals ensure the software has met security and performance standards is also an essential part of the software development process. For example, an entry-level analyst working for a pharmaceutical company might be asked to make sure encryption is properly configured for a new medical device that will store private patient data.
Asset: An item perceived as having value to an organization.
Attack vectors: The pathways attackers use to penetrate security defenses.
Authentication: The process of verifying who someone is.
Authorization: The concept of granting access to specific resources in a system.
Authorize: The sixth step of the NIST RMF that refers to being accountable for the security and privacy risks that might exist in an organization.
Availability: The idea that data is accessible to those who are authorized to access it.
Confidentiality: The idea that only authorized users can access specific assets or data.
Integrity: The idea that the data is correct, authentic, and reliable.
Risk: Anything that can impact the confidentiality, integrity, or availability of an asset.
Vulnerability: A weakness that can be exploited by a threat.
Threat: Any circumstance or event that can negatively impact assets.
(both a vulnerability and threat need to be present for there to be a risk)
Social engineering: (definition) people are the biggest threat to security
Prepare: The first step of the NIST RMF related to activities that are necessary to manage security and privacy risks before a breach occurs. Reduce risks
Categorize: The second step of the NIST RMF that is used to develop risk management processes and tasks.
Select: The third step of the NIST RMF that means to choose, customize, and capture documentation of the controls that protect an organization.
Implement: The fourth step of the NIST RMF that means to implement security and privacy plans for an organization.
Assess: The fifth step of the NIST RMF that means to determine if established controls are implemented correctly.
Authorize: The sixth step of the NIST RMF that refers to being accountable for security and privacy risks.
Monitor: The seventh step of the NIST RMF that means being aware of how systems are operating.
Previously, you learned that security involves protecting organizations and people from threats, risks, and vulnerabilities. Understanding the current threat landscapes gives organizations the ability to create policies and processes designed to help prevent and mitigate these types of security issues. In this reading, you will further explore how to manage risk and some common threat actor tactics and techniques, so you are better prepared to protect organizations and the people they serve when you enter the cybersecurity field.
A primary goal of organizations is to protect assets. An asset is an item perceived as having value to an organization. Assets can be digital or physical. Examples of digital assets include the personal information of employees, clients, or vendors, such as:
Social Security Numbers (SSNs), or unique national identification numbers assigned to individuals
Dates of birth
Bank account numbers
Mailing addresses
Examples of physical assets include:
Payment kiosks
Servers
Desktop computers
Office spaces
Some common strategies used to manage risks include:
Acceptance: Accepting a risk to avoid disrupting business continuity
Avoidance: Creating a plan to avoid the risk altogether
Transference: Transferring risk to a third party to manage
Mitigation: Lessening the impact of a known risk
Additionally, organizations implement risk management processes based on widely accepted frameworks to help protect digital and physical assets from various threats, risks, and vulnerabilities. Examples of frameworks commonly used in the cybersecurity industry include the National Institute of Standards and Technology Risk Management Framework (NIST RMF) and Health Information Trust Alliance (HITRUST).
Following are some common types of threats, risks, and vulnerabilities you’ll help organizations manage as a security professional.
A threat is any circumstance or event that can negatively impact assets. As an entry-level security analyst, your job is to help defend the organization’s assets from inside and outside threats. Therefore, understanding common types of threats is important to an analyst’s daily work. As a reminder, common threats include:
Insider threats: Staff members or vendors abuse their authorized access to obtain data that may harm an organization.
Advanced persistent threats (APTs): A threat actor maintains unauthorized access to a system for an extended period of time.
A risk is anything that can impact the confidentiality, integrity, or availability of an asset. A basic formula for determining the level of risk is that risk equals the likelihood of a threat. One way to think about this is that a risk is being late to work and threats are traffic, an accident, a flat tire, etc.
There are different factors that can affect the likelihood of a risk to an organization’s assets, including:
External risk: Anything outside the organization that has the potential to harm organizational assets, such as threat actors attempting to gain access to private information
Internal risk: A current or former employee, vendor, or trusted partner who poses a security risk
Legacy systems: Old systems that might not be accounted for or updated, but can still impact assets, such as workstations or old mainframe systems. For example, an organization might have an old vending machine that takes credit card payments or a workstation that is still connected to the legacy accounting system.
Multiparty risk: Outsourcing work to third-party vendors can give them access to intellectual property, such as trade secrets, software designs, and inventions.
Software compliance/licensing: Software that is not updated or in compliance, or patches that are not installed in a timely manner
There are many resources, such as the NIST, that provide lists of cybersecurity risks. Additionally, the Open Web Application Security Project (OWASP) publishes a standard awareness document about the top 10 most critical security risks to web applications, which is updated regularly.
Note: The OWASP’s common attack types list contains three new risks for the years 2017 to 2021: insecure design, software and data integrity failures, and server-side request forgery. This update emphasizes the fact that security is a constantly evolving field. It also demonstrates the importance of staying up to date on current threat actor tactics and techniques, so you can be better prepared to manage these types of risks.
A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to regularly inspect for vulnerabilities within their systems. Some vulnerabilities include:
ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means a threat actor can complete a user authentication process to deploy malicious code from a remote location.
ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person's identity. Netlogon is a service that ensures a user’s identity before allowing access to a website's location.
Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code.
PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication request.
Security logging and monitoring failures: Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it
Server-side request forgery: Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data.
As an entry-level security analyst, you might work in vulnerability management, which is monitoring a system to identify and mitigate vulnerabilities. Although patches and updates may exist, if they are not applied, intrusions can still occur. For this reason, constant monitoring is important. The sooner an organization identifies a vulnerability and addresses it by patching it or updating their systems, the sooner it can be mitigated, reducing the organization’s exposure to the vulnerability.
To learn more about the vulnerabilities explained in this section of the reading, as well as other vulnerabilities, explore the NIST National Vulnerability Database and CISA Known Exploited Vulnerabilities Catalog.
In this reading, you learned about some risk management strategies and frameworks that can be used to develop organization-wide policies and processes to mitigate threats, risks, and vulnerabilities. You also learned about some of today’s most common threats, risks, and vulnerabilities to business operations. Understanding these concepts can better prepare you to not only protect against, but also mitigate, the types of security-related issues that can harm organizations and people alike.
Incident response: An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach.
Detect: A NIST core function related to identifying potential security incidents and improving monitoring capabilities.
Respond: A NIST core function related to making sure that proper procedures are used to contain, neutralize, and analyze security incidents.
Recover: A NIST core function related to returning affected systems back to normal operation.
Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach.
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
National Institute of Standards and Technology (NIST) Special Publication (S.P.) 800-53: A unified framework for protecting the security of information systems within the U.S. federal government.
Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy.
Security controls: Safeguards designed to reduce specific risks; includes encryption, authentication, and authorization (used to verify that a person has permission to access things)
Biometrics: Unique physical characteristics that can be used to verify a person’s identity.
Encryption: The process of converting data from a readable format to an encoded format.
Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities.
SIEM tools: A software platform that collects, analyzes, and correlates security data to help identify and respond to threats.
Security orchestration, automation, and response (SOAR): A collection of applications and tools that use automation to respond to security events.
Splunk Cloud: A cloud-hosted tool used to collect, search, and monitor log data.
Splunk Enterprise: A self-hosted tool used to retain, analyze, and search an organization's log data.
Business continuity: An organization's ability to maintain everyday productivity by establishing risk disaster recovery plans.
Security audit: A review of an organization's security controls, policies, and procedures against a set of expectations.
Security controls: Safeguards designed to reduce specific security risks.
Security posture: An organization’s ability to manage its defense of critical assets and data and react to change.
Playbook: A manual that provides details about any operational action.
Shared responsibility: The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security.
Log: A record of events that occur within an organization’s systems.
Metrics: Key technical attributes such as response time, availability, and failure rate used to assess software performance.
Monitor: The seventh step of the NIST RMF related to system operations awareness.
External threat: Anything outside the organization that has the potential to harm organizational assets.
Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk.
Social engineering: A manipulation technique that exploits human error to gain private information or access.
Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access.
Chronicle: A cloud-native tool designed to retain, analyze, and search data.
Open Web Application Security Project/Open Worldwide Application Security Project (OWASP): A non-profit organization focused on improving software security.
Previously, you learned how organizations use security frameworks and controls to protect against threats, risks, and vulnerabilities. This included discussions about the National Institute of Standards and Technology’s (NIST’s) Risk Management Framework (RMF) and Cybersecurity Framework (CSF), as well as the confidentiality, integrity, and availability (CIA) triad. In this reading, you will further explore security frameworks and controls and how they are used together to help mitigate organizational risk.
Frameworks and controls
Security frameworks are guidelines used for building plans to help mitigate risk and threats to data and privacy. Frameworks support organizations’ ability to adhere to compliance laws and regulations. For example, the healthcare industry uses frameworks to comply with the United States’ Health Insurance Portability and Accountability Act (HIPAA), which requires that medical professionals keep patient information safe.
Security controls are safeguards designed to reduce specific security risks. Security controls are the measures organizations use to lower risk and threats to data and privacy. For example, a control that can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is requiring that patients use multi-factor authentication (MFA) to access their medical records. Using a measure like MFA to validate someone’s identity is one way to help mitigate potential risks and threats to private data.
There are many different frameworks and controls that organizations can use to remain compliant with regulations and achieve their security goals. Frameworks covered in this reading are the Cyber Threat Framework (CTF) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001. Several common security controls, used alongside these types of frameworks, are also explained.
According to the Office of the Director of National Intelligence, the CTF was developed by the U.S. government to provide “a common language for describing and communicating information about cyber threat activity.” By providing a common language to communicate information about threat activity, the CTF helps cybersecurity professionals analyze and share information more efficiently. This allows organizations to improve their response to the constantly evolving cybersecurity landscape and threat actors' many tactics and techniques.
An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of standards enables organizations of all sectors and sizes to manage the security of assets, such as financial information, intellectual property, employee data, and information entrusted to third parties. This framework outlines requirements for an information security management system, best practices, and controls that support an organization’s ability to manage risks. Although the ISO/IEC 27001 framework does not require the use of specific controls, it does provide a collection of controls that organizations can use to improve their security posture.
Controls are used alongside frameworks to reduce the possibility and impact of a security threat, risk, or vulnerability. Controls can be physical, technical, and administrative and are typically used to prevent, detect, or correct security issues.
Examples of physical controls:
Gates, fences, and locks
Security guards
Closed-circuit television (CCTV), surveillance cameras, and motion detectors
Access cards or badges to enter office spaces
Examples of technical controls:
Firewalls
MFA
Antivirus software
Examples of administrative controls:
Separation of duties
Authorization
Asset classification
To learn more about controls, particularly those used to protect health-related assets from a variety of threat types, review the U.S. Department of Health and Human Services’ Physical Access Control presentation.
Cybersecurity frameworks and controls are used together to establish an organization’s security posture. They also support an organization’s ability to meet security goals and comply with laws and regulations. Although these frameworks and controls are typically voluntary, organizations are strongly encouraged to implement and use them to help ensure the safety of critical assets.
NIST CSF:
Identify, Protect, Detect, Respond, Recover
(not always in this order)
Used by the Federal Government
- Identify: Focuses on managing cybersecurity risks and their impact on an organization's people and assets.
Example: As a security analyst, you monitor systems and devices in your organization’s network to spot potential security issues.
- Protect: Involves strategies to safeguard an organization through policies, procedures, training, and tools that reduce cybersecurity threats.
Example: As a security analyst, you and your team may face new threats, so reviewing historical data and updating policies is crucial.
- Detect: Refers to identifying possible security incidents and improving monitoring to enhance detection speed and efficiency.
Example: As an analyst, you might check a new security tool to ensure it flags risks accurately (low, medium, high) and alerts the security team.
- Respond: Ensures proper procedures are in place to contain, neutralize, and analyze security incidents, along with making improvements.
Example: As an analyst, you collaborate with your team to document an incident and suggest improvements to prevent future occurrences.
- Recover: Involves restoring affected systems to normal operation after an incident.
Example: As an entry-level security analyst, you work with your team to restore systems and data, such as financial or legal files, affected by a breach.
Open Web Application Security Project
Security principles
In the workplace, security principles are embedded in your daily tasks. Whether you are analyzing logs, monitoring a security information and event management (SIEM) dashboard, or using a vulnerability scanner, you will use these principles in some way.
Previously, you were introduced to several OWASP security principles. These included:
Minimize attack surface area: Attack surface refers to all the potential vulnerabilities a threat actor could exploit.
Principle of least privilege: Users have the least amount of access required to perform their everyday tasks.
Defense in depth: Organizations should have varying security controls that mitigate risks and threats.
Separation of duties: Critical actions should rely on multiple people, each of whom follows the principle of least privilege.
Keep security simple: Avoid unnecessarily complicated solutions. Complexity makes security difficult.
Fix security issues correctly: When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.
Additional OWASP security principles
Next, you’ll learn about four additional OWASP security principles that cybersecurity analysts and their teams use to keep organizational operations and people safe.
Establish secure defaults
This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure.
Fail securely
Fail securely means that when a control fails or stops, it should do so by defaulting to its most secure option. For example, when a firewall fails it should simply close all connections and block all new ones, rather than start accepting everything.
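Added example (not part of the course reading): a toy model of the firewall case above, with a fail-open setting beside the fail-closed one. The `ToyFirewall` class, port numbers, and connection IDs are hypothetical and constructed for illustration; real firewalls are configured, not written this way.

```python
"""Fail closed versus fail open, modeled on a toy firewall (illustrative)."""


class RuleEngineError(Exception):
    """Raised when the rule engine cannot evaluate traffic."""


class ToyFirewall:
    def __init__(self, allowed_ports, fail_closed=True):
        self.allowed_ports = set(allowed_ports)
        self.fail_closed = fail_closed
        self.engine_healthy = True   # flipped to False to simulate a failure
        self.active = set()          # IDs of established connections

    def _evaluate(self, port):
        """Normal path: allow only ports on the allowlist."""
        if not self.engine_healthy:
            raise RuleEngineError("rule engine unavailable")
        return port in self.allowed_ports

    def _handle_failure(self):
        """Decide what happens to traffic when the control itself breaks."""
        if self.fail_closed:
            # Most secure option: close all connections, block new ones.
            self.active.clear()
            return False
        # Weak setting: with no rules to consult, accept everything.
        return True

    def connect(self, conn_id, port):
        """Return True if the connection is accepted."""
        try:
            allowed = self._evaluate(port)
        except RuleEngineError:
            allowed = self._handle_failure()
        if allowed:
            self.active.add(conn_id)
        return allowed


def simulate(fail_closed):
    """Run the same traffic before and during a rule-engine failure."""
    fw = ToyFirewall(allowed_ports={443}, fail_closed=fail_closed)
    results = {
        "https_before": fw.connect("c1", 443),    # on the allowlist
        "rdp_before": fw.connect("c2", 3389),     # not on the allowlist
    }
    fw.engine_healthy = False                     # the control fails here
    results["rdp_during_failure"] = fw.connect("c3", 3389)
    results["https_during_failure"] = fw.connect("c4", 443)
    results["active_after"] = sorted(fw.active)
    return results


if __name__ == "__main__":
    for mode in (True, False):
        label = "fail closed" if mode else "fail open"
        print(label, simulate(mode))
```

In the fail-open run the port the rules blocked while healthy is accepted once the engine fails; in the fail-closed run nothing is accepted and the earlier connection is dropped.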
Don’t trust services
Many organizations work with third-party partners. These outside partners often have different security policies than the organization does. And the organization shouldn’t explicitly trust that their partners’ systems are secure. For example, if a third-party vendor tracks reward points for airline customers, the airline should ensure that the balance is accurate before sharing that information with their customers.
Avoid security by obscurity
The security of key systems should not rely on keeping details hidden. Consider the following example from OWASP (2016), OWASP Mobile Top 10:
The security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.
Key takeaways
Cybersecurity professionals are constantly applying security principles to safeguard organizations and the people they serve. As an entry-level security analyst, you can use these security principles to promote safe development practices that reduce risks to companies and users alike.
Security audits
A security audit is a review of an organization's security controls, policies, and procedures against a set of expectations. Audits are independent reviews that evaluate whether an organization is meeting internal and external criteria. Internal criteria include outlined policies, procedures, and best practices. External criteria include regulatory compliance, laws, and federal regulations.
Additionally, a security audit can be used to assess an organization's established security controls. As a reminder, security controls are safeguards designed to reduce specific security risks.
Audits help ensure that security checks are made (i.e., daily monitoring of security information and event management dashboards), to identify threats, risks, and vulnerabilities. This helps maintain an organization’s security posture. And, if there are security issues, a remediation process must be in place.
Goals and objectives of an audit
The goal of an audit is to ensure an organization's information technology (IT) practices are meeting industry and organizational standards. The objective is to identify and address areas of remediation and growth. Audits provide direction and clarity by identifying what the current failures are and developing a plan to correct them.
Security audits must be performed to safeguard data and avoid penalties and fines from governmental agencies. The frequency of audits is dependent on local laws and federal compliance regulations.
Factors that affect audits
Factors that determine the types of audits an organization implements include:
Industry type
Organization size
Ties to the applicable government regulations
A business’s geographical location
A business decision to adhere to a specific regulatory compliance
To review common compliance regulations that different organizations need to adhere to, refer to the reading about controls, frameworks, and compliance.
The role of frameworks and controls in audits
Along with compliance, it’s important to mention the role of frameworks and controls in security audits. Frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the international standard for information security (ISO 27000) series are designed to help organizations prepare for regulatory compliance security audits. By adhering to these and other relevant frameworks, organizations can save time when conducting external and internal audits. Additionally, frameworks, when used alongside controls, can support organizations’ ability to align with regulatory compliance requirements and standards.
There are three main categories of controls to review during an audit, which are administrative and/or managerial, technical, and physical controls.
Audit checklist
It’s necessary to create an audit checklist before conducting an audit. A checklist is generally made up of the following areas of focus:
Identify the scope of the audit
The audit should:
List assets that will be assessed (e.g., firewalls are configured correctly, PII is secure, physical assets are locked, etc.)
Note how the audit will help the organization achieve its desired goals
Indicate how often an audit should be performed
Include an evaluation of organizational policies, protocols, and procedures to make sure they are working as intended and being implemented by employees
Complete a risk assessment
A risk assessment is used to evaluate identified organizational risks related to budget, controls, internal processes, and external standards (i.e., regulations).
Conduct the audit
When conducting an internal audit, you will assess the security of the identified assets listed in the audit scope.
Create a mitigation plan
A mitigation plan is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.
Communicate results to stakeholders
The end result of this process is providing a detailed report of findings, suggested improvements needed to lower the organization's level of risk, and compliance regulations and standards the organization needs to adhere to.
Key takeaways
In this reading you learned more about security audits, including what they are; why they’re conducted; and the role of frameworks, controls, and compliance in audits.
Although there is much more to learn about security audits, this introduction is meant to support your ability to complete an audit of your own for a self-reflection portfolio activity later in this course.
The security architecture and engineering domain focuses on managing data security. Ensuring effective tools, systems, and processes are in place helps protect an organization’s assets and data. Security architects and engineers create these processes.
One important aspect of this domain is the concept of shared responsibility. Shared responsibility means all individuals involved take an active role in lowering risk during the design of a security system. Additional design principles related to this domain, which are discussed later in the program, include:
Threat modeling
Least privilege
Defense in depth
Fail securely
Separation of duties
Keep it simple
Zero trust
Trust but verify
An example of managing data is the use of a security information and event management (SIEM) tool to monitor for flags related to unusual login or user activity that could indicate a threat actor is attempting to access private data.
The communication and network security domain focuses on managing and securing physical networks and wireless communications. This includes on-site, remote, and cloud communications.
Organizations with remote, hybrid, and on-site work environments must ensure data remains secure, but managing external connections to make certain that remote workers are securely accessing an organization’s networks is a challenge. Designing network security controls—such as restricted network access—can help protect users and ensure an organization’s network remains secure when employees travel or work outside of the main office.
The identity and access management (IAM) domain focuses on keeping data secure. It does this by ensuring user identities are trusted and authenticated and that access to physical and logical assets is authorized. This helps prevent unauthorized users, while allowing authorized users to perform their tasks.
Essentially, IAM uses what is referred to as the principle of least privilege, which is the concept of granting only the minimal access and authorization required to complete a task. As an example, a cybersecurity analyst might be asked to ensure that customer service representatives can only view the private data of a customer, such as their phone number, while working to resolve the customer's issue; then remove access when the customer's issue is resolved.
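The customer service scenario above, as an added Python example that is not part of the course reading: access to a customer's phone number is derived from an open ticket assigned to the representative, so resolving the ticket removes access without a separate revocation step. The class, field, and ticket names and the sample record are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Constructed sample record; the field names are assumptions for this example.
CUSTOMERS = {
    "cust-1001": {
        "name": "Alex Rivera",
        "phone": "555-0100",
        "date_of_birth": "1990-04-12",
        "bank_account": "000123456789",
    }
}

# Least privilege: a support representative may read only what the task needs.
SUPPORT_READABLE_FIELDS = frozenset({"phone"})


class AccessDenied(Exception):
    """Raised whenever a read is not covered by an open, assigned ticket."""


@dataclass
class Ticket:
    ticket_id: str
    customer_id: str
    assignee: str
    status: str = "open"


class SupportDesk:
    def __init__(self, customers):
        self._customers = customers
        self._tickets = {}
        self.audit_log = []  # (rep, ticket_id, field, decision) tuples

    def open_ticket(self, ticket_id, customer_id, assignee):
        self._tickets[ticket_id] = Ticket(ticket_id, customer_id, assignee)

    def resolve_ticket(self, ticket_id):
        # Access is derived from ticket state, so resolving the ticket is
        # what removes it; there is no revocation step to forget.
        self._tickets[ticket_id].status = "resolved"

    def read_field(self, rep, ticket_id, field_name):
        ticket = self._tickets.get(ticket_id)
        allowed = (
            ticket is not None
            and ticket.status == "open"
            and ticket.assignee == rep
            and field_name in SUPPORT_READABLE_FIELDS
        )
        # Every decision is recorded so permissions can be audited later.
        decision = "allow" if allowed else "deny"
        self.audit_log.append((rep, ticket_id, field_name, decision))
        if not allowed:
            raise AccessDenied(f"{rep} may not read {field_name} via {ticket_id}")
        return self._customers[ticket.customer_id][field_name]


def try_read(desk, rep, ticket_id, field_name):
    """Return the field value, or the string 'denied' when access is refused."""
    try:
        return desk.read_field(rep, ticket_id, field_name)
    except AccessDenied:
        return "denied"


def demo():
    """Walk through the scenario and return each outcome plus the audit trail."""
    desk = SupportDesk(CUSTOMERS)
    desk.open_ticket("T-1", "cust-1001", "rep_ana")
    attempts = [
        ("phone_while_open", "rep_ana", "phone"),
        ("bank_account_while_open", "rep_ana", "bank_account"),
        ("phone_by_unassigned_rep", "rep_bo", "phone"),
    ]
    outcomes = {label: try_read(desk, rep, "T-1", name) for label, rep, name in attempts}
    desk.resolve_ticket("T-1")
    outcomes["phone_after_resolution"] = try_read(desk, "rep_ana", "T-1", "phone")
    return outcomes, desk.audit_log


if __name__ == "__main__":
    results, log = demo()
    for label, value in results.items():
        print(f"{label}: {value}")
```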
The security assessment and testing domain focuses on identifying and mitigating risks, threats, and vulnerabilities. Security assessments help organizations determine whether their internal systems are secure or at risk. Organizations might employ penetration testers, often referred to as “pen testers,” to find vulnerabilities that could be exploited by a threat actor.
This domain suggests that organizations conduct security control testing, as well as collect and analyze data. Additionally, it emphasizes the importance of conducting security audits to monitor for and reduce the probability of a data breach. To contribute to these types of tasks, cybersecurity professionals may be tasked with auditing user permissions to validate that users have the correct levels of access to internal systems.
The security operations domain focuses on the investigation of a potential data breach and the implementation of preventative measures after a security incident has occurred. This includes using strategies, processes, and tools such as:
Training and awareness
Reporting and documentation
Intrusion detection and prevention
SIEM tools
Log management
Incident management
Playbooks
Post-breach forensics
Reflecting on lessons learned
The cybersecurity professionals involved in this domain work as a team to manage, prevent, and investigate threats, risks, and vulnerabilities. These individuals are trained to handle active attacks, such as large amounts of data being accessed from an organization's internal network, outside of normal working hours. Once a threat is identified, the team works diligently to keep private data and information safe from threat actors.
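One way to detect the kind of activity described above, large data access outside normal working hours, shown as an added Python example that is not from the course material. The log layout, the 08:00 to 18:00 weekday working hours, the 500 MiB daily threshold, and the sample lines are all assumptions constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Assumed log layout for this example (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"resource=(?P<resource>\S+) bytes=(?P<bytes>\d+)$"
)

# Assumed policy: working hours are Monday to Friday, 08:00 to 18:00 local time.
WORK_START, WORK_END = time(8, 0), time(18, 0)
THRESHOLD_BYTES = 500 * 1024 * 1024  # alert above 500 MiB per user per day

# Constructed sample log lines (2024-03-04 is a Monday, 2024-03-09 a Saturday).
SAMPLE_LOG = """\
2024-03-04T10:15:02 user=jsmith src=10.0.4.17 resource=/finance/payroll.db bytes=734003200
2024-03-05T02:14:09 user=jsmith src=10.0.4.17 resource=/finance/payroll.db bytes=314572800
2024-03-05T02:19:44 user=jsmith src=10.0.4.17 resource=/hr/records.zip bytes=419430400
2024-03-05T03:01:10 user=backup-svc src=10.0.9.2 resource=/finance/payroll.db bytes=104857600
2024-03-09T14:30:00 user=mlee src=10.0.4.22 resource=/eng/designs.tar bytes=629145600
this line is malformed and must not crash the parser
"""


def is_off_hours(ts):
    """True on weekends and outside WORK_START..WORK_END on weekdays."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad input is counted, not fatal."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return {
        "ts": ts,
        "user": m["user"],
        "src": m["src"],
        "resource": m["resource"],
        "bytes": int(m["bytes"]),
    }


def detect_off_hours_bulk_access(log_text, threshold=THRESHOLD_BYTES):
    """Sum off-hours bytes per (date, user) and return (alerts, skipped_line_count)."""
    totals = defaultdict(int)
    resources = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1  # unparsed lines are a blind spot, so report them
            continue
        if not is_off_hours(event["ts"]):
            continue
        key = (event["ts"].date().isoformat(), event["user"])
        totals[key] += event["bytes"]
        resources[key].add(event["resource"])
    alerts = [
        {"date": day, "user": user, "total_bytes": total,
         "resources": sorted(resources[(day, user)])}
        for (day, user), total in sorted(totals.items())
        if total > threshold
    ]
    return alerts, skipped


if __name__ == "__main__":
    found, bad_lines = detect_off_hours_bulk_access(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(f"skipped lines: {bad_lines}")
```

Individual reads that stay under the threshold are still caught once their off-hours total for the day exceeds it, which is why the totals are kept per user and per date rather than per event.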
The software development security domain is focused on using secure programming practices and guidelines to create secure applications. Having secure applications helps deliver secure and reliable services, which helps protect organizations and their users.
Security must be incorporated into each element of the software development life cycle, from design and development to testing and release. To achieve security, the software development process must have security in mind at each step. Security cannot be an afterthought.
Performing application security tests can help ensure vulnerabilities are identified and mitigated accordingly. Having a system in place to test the programming conventions, software executables, and security measures embedded in the software is necessary. Having quality assurance and pen tester professionals ensure the software has met security and performance standards is also an essential part of the software development process. For example, an entry-level analyst working for a pharmaceutical company might be asked to make sure encryption is properly configured for a new medical device that will store private patient data.
Asset: An item perceived as having value to an organization.
Attack vectors: The pathways attackers use to penetrate security defenses.
Authentication: The process of verifying who someone is.
Authorization: The concept of granting access to specific resources in a system.
Authorize: The sixth step of the NIST RMF that refers to being accountable for the security and privacy risks that might exist in an organization.
Availability: The idea that data is accessible to those who are authorized to access it.
Confidentiality: The idea that only authorized users can access specific assets or data.
Integrity: The idea that the data is correct, authentic, and reliable.
Risk: Anything that can impact the confidentiality, integrity, or availability of an asset.
Vulnerability: A weakness that can be exploited by a threat.
Threat: Any circumstance or event that can negatively impact assets.
(both a vulnerability and threat need to be present for there to be a risk)
Social engineering: (definition) people are the biggest threat to security
Prepare: The first step of the NIST RMF related to activities that are necessary to manage security and privacy risks before a breach occurs. Reduce risks.
Categorize: The second step of the NIST RMF that is used to develop risk management processes and tasks.
Select: The third step of the NIST RMF that means to choose, customize, and capture documentation of the controls that protect an organization.
Implement: The fourth step of the NIST RMF that means to implement security and privacy plans for an organization.
Assess: The fifth step of the NIST RMF that means to determine if established controls are implemented correctly.
Authorize: The sixth step of the NIST RMF that refers to being accountable for security and privacy risks.
Monitor: The seventh step of the NIST RMF that means being aware of how systems are operating.
Previously, you learned that security involves protecting organizations and people from threats, risks, and vulnerabilities. Understanding the current threat landscapes gives organizations the ability to create policies and processes designed to help prevent and mitigate these types of security issues. In this reading, you will further explore how to manage risk and some common threat actor tactics and techniques, so you are better prepared to protect organizations and the people they serve when you enter the cybersecurity field.
A primary goal of organizations is to protect assets. An asset is an item perceived as having value to an organization. Assets can be digital or physical. Examples of digital assets include the personal information of employees, clients, or vendors, such as:
Social Security Numbers (SSNs), or unique national identification numbers assigned to individuals
Dates of birth
Bank account numbers
Mailing addresses
Examples of physical assets include:
Payment kiosks
Servers
Desktop computers
Office spaces
Some common strategies used to manage risks include:
Acceptance: Accepting a risk to avoid disrupting business continuity
Avoidance: Creating a plan to avoid the risk altogether
Transference: Transferring risk to a third party to manage
Mitigation: Lessening the impact of a known risk
Additionally, organizations implement risk management processes based on widely accepted frameworks to help protect digital and physical assets from various threats, risks, and vulnerabilities. Examples of frameworks commonly used in the cybersecurity industry include the National Institute of Standards and Technology Risk Management Framework (NIST RMF) and Health Information Trust Alliance (HITRUST).
Following are some common types of threats, risks, and vulnerabilities you’ll help organizations manage as a security professional.
A threat is any circumstance or event that can negatively impact assets. As an entry-level security analyst, your job is to help defend the organization’s assets from inside and outside threats. Therefore, understanding common types of threats is important to an analyst’s daily work. As a reminder, common threats include:
Insider threats: Staff members or vendors abuse their authorized access to obtain data that may harm an organization.
Advanced persistent threats (APTs): A threat actor maintains unauthorized access to a system for an extended period of time.
A risk is anything that can impact the confidentiality, integrity, or availability of an asset. A basic formula for determining the level of risk is that risk equals the likelihood of a threat. One way to think about this is that a risk is being late to work and threats are traffic, an accident, a flat tire, etc.
There are different factors that can affect the likelihood of a risk to an organization’s assets, including:
External risk: Anything outside the organization that has the potential to harm organizational assets, such as threat actors attempting to gain access to private information
Internal risk: A current or former employee, vendor, or trusted partner who poses a security risk
Legacy systems: Old systems that might not be accounted for or updated, but can still impact assets, such as workstations or old mainframe systems. For example, an organization might have an old vending machine that takes credit card payments or a workstation that is still connected to the legacy accounting system.
Multiparty risk: Outsourcing work to third-party vendors can give them access to intellectual property, such as trade secrets, software designs, and inventions.
Software compliance/licensing: Software that is not updated or in compliance, or patches that are not installed in a timely manner
There are many resources, such as the NIST, that provide lists of cybersecurity risks. Additionally, the Open Web Application Security Project (OWASP) publishes a standard awareness document about the top 10 most critical security risks to web applications, which is updated regularly.
Note: The OWASP’s common attack types list contains three new risks for the years 2017 to 2021: insecure design, software and data integrity failures, and server-side request forgery. This update emphasizes the fact that security is a constantly evolving field. It also demonstrates the importance of staying up to date on current threat actor tactics and techniques, so you can be better prepared to manage these types of risks.
A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to regularly inspect for vulnerabilities within their systems. Some vulnerabilities include:
ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means a threat actor can complete a user authentication process to deploy malicious code from a remote location.
ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person's identity. Netlogon is a service that ensures a user’s identity before allowing access to a website's location.
Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code.
PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication request.
Security logging and monitoring failures: Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it
Server-side request forgery: Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data.
As an entry-level security analyst, you might work in vulnerability management, which is monitoring a system to identify and mitigate vulnerabilities. Although patches and updates may exist, if they are not applied, intrusions can still occur. For this reason, constant monitoring is important. The sooner an organization identifies a vulnerability and addresses it by patching it or updating their systems, the sooner it can be mitigated, reducing the organization’s exposure to the vulnerability.
To learn more about the vulnerabilities explained in this section of the reading, as well as other vulnerabilities, explore the NIST National Vulnerability Database and CISA Known Exploited Vulnerabilities Catalog.
In this reading, you learned about some risk management strategies and frameworks that can be used to develop organization-wide policies and processes to mitigate threats, risks, and vulnerabilities. You also learned about some of today’s most common threats, risks, and vulnerabilities to business operations. Understanding these concepts can better prepare you to not only protect against, but also mitigate, the types of security-related issues that can harm organizations and people alike.
Incident response: An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach.
Detect: A NIST core function related to identifying potential security incidents and improving monitoring capabilities.
Respond: A NIST core function related to making sure that proper procedures are used to contain, neutralize, and analyze security incidents.
Recover: A NIST core function related to returning affected systems back to normal operation.
Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach.
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
National Institute of Standards and Technology (NIST) Special Publication (S.P.) 800-53: A unified framework for protecting the security of information systems within the U.S. federal government.
Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy.
Security controls: Safeguards designed to reduce specific risks; includes encryption, authentication, and authorization (used to verify that a person has permission to access things)
Biometrics: Unique physical characteristics that can be used to verify a person’s identity.
Encryption: The process of converting data from a readable format to an encoded format.
Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities.
SIEM tools: A software platform that collects, analyzes, and correlates security data to help identify and respond to threats.
Security orchestration, automation, and response (SOAR): A collection of applications and tools that use automation to respond to security events.
Splunk Cloud: A cloud-hosted tool used to collect, search, and monitor log data.
Splunk Enterprise: A self-hosted tool used to retain, analyze, and search an organization's log data.
Business continuity: An organization's ability to maintain everyday productivity by establishing risk disaster recovery plans.
Security audit: A review of an organization's security controls, policies, and procedures against a set of expectations.
Security controls: Safeguards designed to reduce specific security risks.
Security posture: An organization’s ability to manage its defense of critical assets and data and react to change.
Playbook: A manual that provides details about any operational action.
Shared responsibility: The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security.
Log: A record of events that occur within an organization’s systems.
Metrics: Key technical attributes such as response time, availability, and failure rate used to assess software performance.
Monitor: The seventh step of the NIST RMF related to system operations awareness.
External threat: Anything outside the organization that has the potential to harm organizational assets.
Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk.
Social engineering: A manipulation technique that exploits human error to gain private information or access.
Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access.
Chronicle: A cloud-native tool designed to retain, analyze, and search data.
Open Web Application Security Project/Open Worldwide Application Security Project (OWASP): A non-profit organization focused on improving software security.
Previously, you learned how organizations use security frameworks and controls to protect against threats, risks, and vulnerabilities. This included discussions about the National Institute of Standards and Technology’s (NIST’s) Risk Management Framework (RMF) and Cybersecurity Framework (CSF), as well as the confidentiality, integrity, and availability (CIA) triad. In this reading, you will further explore security frameworks and controls and how they are used together to help mitigate organizational risk.
Frameworks and controls
Security frameworks are guidelines used for building plans to help mitigate risk and threats to data and privacy. Frameworks support organizations’ ability to adhere to compliance laws and regulations. For example, the healthcare industry uses frameworks to comply with the United States’ Health Insurance Portability and Accountability Act (HIPAA), which requires that medical professionals keep patient information safe.
Security controls are safeguards designed to reduce specific security risks. Security controls are the measures organizations use to lower risk and threats to data and privacy. For example, a control that can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is requiring that patients use multi-factor authentication (MFA) to access their medical records. Using a measure like MFA to validate someone’s identity is one way to help mitigate potential risks and threats to private data.
There are many different frameworks and controls that organizations can use to remain compliant with regulations and achieve their security goals. Frameworks covered in this reading are the Cyber Threat Framework (CTF) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001. Several common security controls, used alongside these types of frameworks, are also explained.
According to the Office of the Director of National Intelligence, the CTF was developed by the U.S. government to provide “a common language for describing and communicating information about cyber threat activity.” By providing a common language to communicate information about threat activity, the CTF helps cybersecurity professionals analyze and share information more efficiently. This allows organizations to improve their response to the constantly evolving cybersecurity landscape and threat actors' many tactics and techniques.
An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of standards enables organizations of all sectors and sizes to manage the security of assets, such as financial information, intellectual property, employee data, and information entrusted to third parties. This framework outlines requirements for an information security management system, best practices, and controls that support an organization’s ability to manage risks. Although the ISO/IEC 27001 framework does not require the use of specific controls, it does provide a collection of controls that organizations can use to improve their security posture.
Controls are used alongside frameworks to reduce the possibility and impact of a security threat, risk, or vulnerability. Controls can be physical, technical, and administrative and are typically used to prevent, detect, or correct security issues.
Examples of physical controls:
Gates, fences, and locks
Security guards
Closed-circuit television (CCTV), surveillance cameras, and motion detectors
Access cards or badges to enter office spaces
Examples of technical controls:
Firewalls
MFA
Antivirus software
Examples of administrative controls:
Separation of duties
Authorization
Asset classification
To learn more about controls, particularly those used to protect health-related assets from a variety of threat types, review the U.S. Department of Health and Human Services’ Physical Access Control presentation.
Cybersecurity frameworks and controls are used together to establish an organization’s security posture. They also support an organization’s ability to meet security goals and comply with laws and regulations. Although these frameworks and controls are typically voluntary, organizations are strongly encouraged to implement and use them to help ensure the safety of critical assets.
NIST CSF:
Identify, Protect, Detect, Respond, Recover
(not always in this order)
Used by the Federal Government
- Identify: Focuses on managing cybersecurity risks and their impact on an organization's people and assets.
Example: As a security analyst, you monitor systems and devices in your organization’s network to spot potential security issues.
- Protect: Involves strategies to safeguard an organization through policies, procedures, training, and tools that reduce cybersecurity threats.
Example: As a security analyst, you and your team may face new threats, so reviewing historical data and updating policies is crucial.
- Detect: Refers to identifying possible security incidents and improving monitoring to enhance detection speed and efficiency.
Example: As an analyst, you might check a new security tool to ensure it flags risks accurately (low, medium, high) and alerts the security team.
- Respond: Ensures proper procedures are in place to contain, neutralize, and analyze security incidents, along with making improvements.
Example: As an analyst, you collaborate with your team to document an incident and suggest improvements to prevent future occurrences.
- Recover: Involves restoring affected systems to normal operation after an incident.
Example: As an entry-level security analyst, you work with your team to restore systems and data, such as financial or legal files, affected by a breach.
Open Web Application Security Project
Security principles
In the workplace, security principles are embedded in your daily tasks. Whether you are analyzing logs, monitoring a security information and event management (SIEM) dashboard, or using a vulnerability scanner, you will use these principles in some way.
Previously, you were introduced to several OWASP security principles. These included:
Minimize attack surface area: Attack surface refers to all the potential vulnerabilities a threat actor could exploit.
Principle of least privilege: Users have the least amount of access required to perform their everyday tasks.
Defense in depth: Organizations should have varying security controls that mitigate risks and threats.
Separation of duties: Critical actions should rely on multiple people, each of whom follows the principle of least privilege.
Keep security simple: Avoid unnecessarily complicated solutions. Complexity makes security difficult.
Fix security issues correctly: When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.
Additional OWASP security principles
Next, you’ll learn about four additional OWASP security principles that cybersecurity analysts and their teams use to keep organizational operations and people safe.
Establish secure defaults
This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure.
Fail securely
Fail securely means that when a control fails or stops, it should do so by defaulting to its most secure option. For example, when a firewall fails it should simply close all connections and block all new ones, rather than start accepting everything.
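The firewall behaviour described above, as an added Python example (not from the course or OWASP): the same decision function written to fail open and to fail securely, run against five situations. The rule format, function names, and addresses are assumptions constructed for this illustration.

```python
import ipaddress

ALLOW, DENY = "allow", "deny"

# Constructed rule sets: (action, source network, destination port).
HEALTHY_RULES = [(ALLOW, "10.0.0.0/8", 443), (DENY, "0.0.0.0/0", 23)]
TYPO_RULES = [("alow", "10.0.0.0/8", 443)]  # misspelled action in the rule store


class PolicyUnavailable(Exception):
    """Raised when the rule set cannot be loaded (constructed failure mode)."""


def broken_loader():
    raise PolicyUnavailable("rule store unreachable")


def match(rules, src_ip, dst_port):
    """Return the action of the first matching rule, or None when nothing matches."""
    addr = ipaddress.ip_address(src_ip)  # raises ValueError on malformed input
    for action, cidr, port in rules:
        if addr in ipaddress.ip_network(cidr) and port == dst_port:
            return action
    return None


def decide_fail_open(load_rules, src_ip, dst_port):
    """Weak form: any failure or non-match lets the connection through."""
    try:
        verdict = match(load_rules(), src_ip, dst_port)
    except Exception:
        return ALLOW
    return DENY if verdict == DENY else ALLOW


def decide_fail_secure(load_rules, src_ip, dst_port):
    """Hardened form: only an explicit, well-formed allow opens the connection."""
    try:
        verdict = match(load_rules(), src_ip, dst_port)
    except Exception:
        return DENY
    return ALLOW if verdict == ALLOW else DENY


def compare():
    """Return {situation: (fail_open_decision, fail_secure_decision)}."""
    situations = {
        "matching allow rule": (lambda: HEALTHY_RULES, "10.1.2.3", 443),
        "no rule matches": (lambda: HEALTHY_RULES, "203.0.113.5", 8080),
        "rule store unreachable": (broken_loader, "10.1.2.3", 443),
        "unrecognised action in rule": (lambda: TYPO_RULES, "10.1.2.3", 443),
        "malformed source address": (lambda: HEALTHY_RULES, "10.1.2.999", 443),
    }
    return {
        name: (decide_fail_open(*args), decide_fail_secure(*args))
        for name, args in situations.items()
    }


if __name__ == "__main__":
    for name, (open_decision, secure_decision) in compare().items():
        print(f"{name:30} fail-open={open_decision:6} fail-secure={secure_decision}")
```

The two functions agree only when a valid allow rule matches; in every failure case the fail-open form accepts the connection and the fail-secure form blocks it.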
Don’t trust services
Many organizations work with third-party partners. These outside partners often have different security policies than the organization does. And the organization shouldn’t explicitly trust that their partners’ systems are secure. For example, if a third-party vendor tracks reward points for airline customers, the airline should ensure that the balance is accurate before sharing that information with their customers.
Avoid security by obscurity
The security of key systems should not rely on keeping details hidden. Consider the following example from the OWASP Mobile Top 10 (OWASP, 2016):
The security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.
Key takeaways
Cybersecurity professionals are constantly applying security principles to safeguard organizations and the people they serve. As an entry-level security analyst, you can use these security principles to promote safe development practices that reduce risks to companies and users alike.
Security audits
A security audit is a review of an organization's security controls, policies, and procedures against a set of expectations. Audits are independent reviews that evaluate whether an organization is meeting internal and external criteria. Internal criteria include outlined policies, procedures, and best practices. External criteria include regulatory compliance, laws, and federal regulations.
Additionally, a security audit can be used to assess an organization's established security controls. As a reminder, security controls are safeguards designed to reduce specific security risks.
Audits help ensure that security checks are made (i.e., daily monitoring of security information and event management dashboards), to identify threats, risks, and vulnerabilities. This helps maintain an organization’s security posture. And, if there are security issues, a remediation process must be in place.
Goals and objectives of an audit
The goal of an audit is to ensure an organization's information technology (IT) practices are meeting industry and organizational standards. The objective is to identify and address areas of remediation and growth. Audits provide direction and clarity by identifying what the current failures are and developing a plan to correct them.
Security audits must be performed to safeguard data and avoid penalties and fines from governmental agencies. The frequency of audits is dependent on local laws and federal compliance regulations.
Factors that affect audits
Factors that determine the types of audits an organization implements include:
Industry type
Organization size
Ties to the applicable government regulations
A business’s geographical location
A business decision to adhere to a specific regulatory compliance
To review common compliance regulations that different organizations need to adhere to, refer to the reading about controls, frameworks, and compliance.
The role of frameworks and controls in audits
Along with compliance, it’s important to mention the role of frameworks and controls in security audits. Frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the international standard for information security (ISO 27000) series are designed to help organizations prepare for regulatory compliance security audits. By adhering to these and other relevant frameworks, organizations can save time when conducting external and internal audits. Additionally, frameworks, when used alongside controls, can support organizations’ ability to align with regulatory compliance requirements and standards.
There are three main categories of controls to review during an audit, which are administrative and/or managerial, technical, and physical controls.
Audit checklist
It’s necessary to create an audit checklist before conducting an audit. A checklist is generally made up of the following areas of focus:
Identify the scope of the audit
The audit should:
List assets that will be assessed (e.g., firewalls are configured correctly, PII is secure, physical assets are locked, etc.)
Note how the audit will help the organization achieve its desired goals
Indicate how often an audit should be performed
Include an evaluation of organizational policies, protocols, and procedures to make sure they are working as intended and being implemented by employees
Complete a risk assessment
A risk assessment is used to evaluate identified organizational risks related to budget, controls, internal processes, and external standards (i.e., regulations).
Conduct the audit
When conducting an internal audit, you will assess the security of the identified assets listed in the audit scope.
Create a mitigation plan
A mitigation plan is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.
Communicate results to stakeholders
The end result of this process is providing a detailed report of findings, suggested improvements needed to lower the organization's level of risk, and compliance regulations and standards the organization needs to adhere to.
Key takeaways
In this reading you learned more about security audits, including what they are; why they’re conducted; and the role of frameworks, controls, and compliance in audits.
Although there is much more to learn about security audits, this introduction is meant to support your ability to complete an audit of your own for a self-reflection portfolio activity later in this course.
Resources for more information
Resources that you can explore to further develop your understanding of audits in the cybersecurity space are: