Cybersec Reviewer
Chapter 1
Supporting IT Governance and Risk Management
- Identify the importance of IT Governance and Risk Management
- Assess Risk
- Mitigate Risk
- Integrate Documentation into Risk Management
IT Governance
A concept in which stakeholders ensure that IT resources align to business objectives and add value.
Partnership Strategies
- Partner agreements define roles, responsibilities, and actions each partner takes.
- Risk management involved in evaluating these agreements.
o Without risk management, each partner is exposing its business to loss and other risks.
- Security team must be involved in partnership agreements.
- Agreement should define:
o How partners secure their data
o What data each partner can access
o How information should flow from partner to partner
- Each partner should consider what controls it needs to implement to mitigate risk.
Outsourcing Strategies
- Organization can shift business processes to an external service provider.
o Can save the organization time, effort, and money.
- Service provider is liable for some security risks.
- You should still evaluate and audit provider.
o Failure can lead to penalties if sensitive data or compliance requirements are involved.
- You must understand the scope of audit documents.
- Don’t assume security reports from providers are comprehensive.
o Ex. Technical penetration test may not reveal social engineering vulnerabilities.
Cloud Strategies
- Organizations offload infrastructure and other assets to an Internet-based resource.
- Like outsourcing, you typically rely on a third party.
- Cloud also offers improved automation whereas traditional outsourcing may not.
- Cloud may also provide new software, platforms, and other technology.
o You must incorporate this technology in ERC process.
o Raises unique security concerns.
Ex. Flow of sensitive data over a virtualized networking platform
- Auditing requirements may differ from traditional outsourcing providers.
- Automated cloud resources may become more opaque to the enterprise.
Third-party Providers
- You can’t control all elements of a third party’s security.
- How do you assess its risk, then?
- Ensure third-party provides security training and awareness programs.
o Share best practices for end security.
o Human element is the biggest risk.
- Consider provisioning security controls for the third-party.
o You can help them uncover and mitigate risks.
De-perimeterization
Perimeter-changing concepts and their risk considerations:
- Mobility:
o Remote employees may tunnel into your network or use mobile devices.
o Expands the network’s boundaries; more difficult for you to control.
- Cloud:
o You may have less control over cloud environments than local ones.
o Provider’s security guarantees may be insufficient.
o Security controls may not integrate properly with your environments.
- BYOD:
o Work done in the office may not stay there.
o May put sensitive data at risk of being lost or stolen.
o Users may not secure their devices.
- Outsourcing:
o May shift your security to an environment you have little control over.
o Third party may have its own security policies, or none at all.
o Outsourcing key elements of the organization may bring significant risk.
User Behaviors
- New products, technologies, threats, and user behaviors are constantly changing.
- Users are the largest risk.
- End users are frequent targets of social engineering.
o Not as tech savvy or knowledgeable as IT/cybersecurity personnel.
- Analyze the ways the organization does business with users.
o Find the weaknesses attackers exploit.
- Ex. SMTP spoofing to send fraudulent help desk requests over email.
New Threats
- Attackers are constantly inventing new attacks.
- New threats introduce new risks.
- Threats can be malicious or unintentional.
o Unintentional ex: New office in a coastal city that is subject to hurricanes.
o Malicious ex: New weakness found in existing network protocols.
Policy Lifecycle
- Reasons for policies are numerous:
o compliance reasons
o growth of business
o meeting contractual obligations
o response to a breach
- begin crafting policy:
o download a free template.
o customize the template to fit your organization.
o consult with security experts.
o compare and contrast with other organizations.
- Policy should be easy to understand.
- Policy should be treated as legal document.
- Involve business leaders in policy development.
- Policy is a living document that must adapt to:
o New business methods.
o New technologies.
o Changing environments.
o Emerging risks.
Process and Procedure Lifecycle
- Process and procedures documents support policies.
- How-to style documents used by employees to implement policies.
- Must be tailored to the audience that uses them.
o Data handling procedures used by system admins have technical steps.
o Data handling procedures used by marketing employees are more generalized.
- Style varies between organizations and industries.
- Begin crafting processes and procedures:
o Use document templates provided by security organizations.
o Consult with security experts.
o Compare and contrast to other organizations.
- Living documents that must adapt to changes.
Chapter 2
Leveraging Collaboration to Support Security
- Facilitate Collaboration across Business Units
- Secure Communications and Collaboration Solutions
- GRC solutions collect info on how these topics are integrated into business functions.
- Can detect deviations from policy, risk management, and legal compliance.
- Used by risk-averse organizations like financial institutions.
- Enterprise may form a GRC committee.
- Requires comprehensive knowledge of security architecture.
- Need to be able to communicate the "big picture."
- Don't think of security components in a vacuum.
- How do components work together to achieve security goals?
- Committee members appointed by board of directors.
o High-level managers from IT, cybersecurity, finance, etc.
o You may not be on the committee, but you'll be affected by it.
o Programmer
o Database administrator
o Management
o Financial
o Human resources
o Facilities manager
o Legal counsel
UC
(Unified Collaboration)
The integration of a large number of communication platforms that traverse different networking technologies.
Remote Access
A solution that enables users to access resources and services located outside of the user's network or physical
location.
- Desktop sharing:
o Remote log-in enables users to connect to their desktop while physically away.
o Real-time collaboration enables users to share their desktops to others.
o Requires strong authentication and transport encryption.
- Remote assistance:
o Enables a specialist to temporarily control a user's computer to provide help.
o Also requires strong authentication and encryption.
o Assistance should be by invitation only to prevent social engineering.
Chapter 3
Using Research and Analysis to Secure the Enterprise
- Determine Industry Trends and Their Effects on the Enterprise
- Analyze Scenarios to Secure the Enterprise
Ongoing Research
- Security is a task that never finishes.
- Threats will evolve.
- You must stay up-to-date through ongoing research.
- Best practices for research:
o Seek out reputable sources of information like NIST and ISACA.
o Subscribe to security mailing lists like Bugtraq.
o Follow social media groups dedicated to information security.
o Consult vulnerability databases like the CVE.
o Follow security vendor announcements.
o Exercise discretion with unverified sources.
o Corroborate with multiple sources.
Situational Awareness
An understanding or perception of your environment from a business or technological aspect.
Threat Intelligence
The investigation and collection of emerging threats and emerging threat sources.
Threat Modeling
The threat intelligence process of identifying and assessing possible attack vectors that target systems.
Threat modeling steps: Identify attacker objectives -> Identify vectors and requirements -> Identify mitigation techniques
Technology Evolution
The ongoing process by which older technology is replaced by newer technology to meet changing business needs.
AI
Artificial intelligence: A scientific discipline that encompasses human-like intelligence exhibited by non-living machines.
Machine learning: An approach to AI using algorithms to parse input data and make predictions about an environment based on this data.
Deep learning: Machine learning which constructs knowledge as a hierarchy of layers, comparing complex concepts to simpler ones.
- Standard machine learning requires human definition of factors.
o System does its own classification of these factors when analyzing input.
o Gradually improves its classification and predictive abilities.
- Deep learning defines factors itself.
o Makes independent predictions.
o Security system can discover unprecedented threats/vulnerabilities.
Machine learning
Network traffic input -> Human determines malicious factors -> System classifies factors -> Decision made (MALICIOUS or BENIGN)
Deep Learning
Network traffic input -> System determines and classifies factors -> Decision made (MALICIOUS or BENIGN)
- DEFCON
- BlackHat
- HOPE
- Source Conferences
- DerbyCon
- GFIRST
- ShmooCon
- SecureWorld Expo
Threat actors - Hacker sites, social media, and conventions can give you an opportunity to learn more about what they know and plan to do.
Guidelines for Determining Industry Trends and Their Effects on the Enterprise
- Consider security to always be ongoing.
- Conduct frequent research into threats and vulnerabilities.
- Seek out reputable sources of information.
- Subscribe to social channels that focus on security.
- Stay current on newly found vulnerabilities.
- Exercise discretion with unverified sources.
- Stay aware of your enterprise environment.
- Take advantage of threat modeling.
- Research security implications of AI.
- Consult RFC proposals and ISO standards for technologies.
- Draft policies on proper use of business tools.
- Caution employees against oversharing sensitive info on social media.
- Consult services like CERT and threat intelligence.
- Attend security conferences and conventions.
- Follow attacker spaces to keep up-to-date on their activities.
- Research potential business partners to include security requirements in contracts.
Security benchmark: The current state of a system after it has been run through a test.
KPIs
A quantifiable metric used to determine if a system or other asset is meeting the enterprise's strategic and operational
goals.
CBA
(cost-benefit analysis)
The process of determining whether the cost of a solution outweighs its benefit to the organization.
Total cost of ownership: The total cost of acquiring, implementing, and maintaining a solution.
- IPS example:
o Added costs for tech support, license renewal, etc.
- Enables more objective assessment of ROI.
Solution Attributes
- Performance:
o How much work a solution can accomplish in a given time.
o Umbrella term that encompasses other attributes.
- Recoverability:
o The ability of a solution to return to a prior state after an adverse event.
o If a solution can't recover, an incident may render it useless.
Trend Data
- Stay informed about the general direction of information security.
- Looking at data as a whole can expose trends.
- Trends can indicate future issues and help you prepare to mitigate them.
- Absorb new information from various sources.
- Exercise critical thinking.
- Don't be tripped up by distractions or misleading information.
Gap Analysis
The process of identifying the differences between an existing state and a desired state, as well as identifying how to
close the gap.
4. Identify gap
5. Identify solutions
AAR
(after-action report)
An analysis of events that can provide insight into the directions to take in the future.
- After an incident, document what the incident means for your security.
- Identify security elements that need improving.
- Learning from successes and mistakes fine-tunes your judgment.
- Questions to answer in an AAR:
o What actions did you take?
o Is this the optimal solution?
o Are there better solutions?
o Did the teams react quickly and efficiently?
o How would you respond differently?
o Does security policy need to change?
Reverse Engineering
The process of analyzing a system’s structure to reveal how it functions at the base level.
Chapter 4
Integrating Advanced Authentication
and Authorization Techniques
- Implement Authentication and Authorization Techniques
Authentication
The method of validating a particular entity or individual's identity.
Identity Proofing
The process of verifying that a user's identity characteristics are accurate and unique before their identity is
established in a system.
Certificate-Based Authentication
An authentication framework in which certificate authorities and digital certificates provide a number of security
guarantees.
- Servers and clients can verify each other's authenticity through certificates.
- Certificates prove subject's identity.
- Certificates can authenticate various actions and requests.
- Client and server can be assured of who they are communicating with.
- Revoking certificates can lock out accounts if there's an issue.
- Certificates can bypass the need for passwords.
Context-Aware Authentication
The process of authenticating a user based on various characteristics about the user's or system's environment.
Push-Based Authentication
An authentication method in which a system sends a user a push notification on a mobile device for the user to either
approve or deny.
User tries to access resource -> User receives push notification -> User is authenticated
802.1X
A standard used to provide a port-based authentication mechanism over a LAN or wireless LAN.
1 – Request initialized
2 – Identity provided
3 – Access challenge issued
4 – Credentials provided
5 – Access granted
Authorization
The process of determining what rights and privileges a particular entity has.
OAuth
An open authorization framework that enables users to access secure APIs without sharing their password.
- Uses a token.
o Short string combined with a secret string.
- Usernames and passwords can bring about an increased attack surface.
o Requires storage of credentials.
o Credentials may be passed over the network.
o OAuth mitigates this risk.
- Used by sites like Facebook, Twitter, etc.
- Helps limit enterprise apps' exposure of user credentials.
OAuth Process
XACML
An XML-based standard for access control and authorization.
- Highly flexible.
- Enables centralized or distributed management.
- Three-level hierarchy:
o Rules
o Policies
o PolicySets
- Rules have three components:
o Subject
o Resource
o Action
- Alleviates need for apps to have their own access control methods.
- Can integrate new policy requirements as they change.
SPML
(Service Provisioning Markup Language)
An XML-based authorization framework for automating and managing the provisioning of resources across
networks and organizations.
Trust Model
A model that defines the relationship between authentication services so that they may accept each other's assertions
of users' identities and permissions.
LDAP
(Lightweight Directory Access Protocol)
Attestation
The technique of verifying that only the individuals who need certain access privileges have those privileges.
Identity Propagation
The technique of replicating an authenticated identity through various processes in a system.
- System with multiple, discrete layers can accept the same identity.
- Often employed in mixed environments with systems from different vendors.
o Systems may differ in design or architecture.
- System must have fine-grained authorization rules.
o App developer needs their identity propagated through all processes.
o Database admin only needs propagation through front-end and records database.
SSO
A technique that enables a user to authenticate once and receive access to several independent software systems.
Identity Federation
The practice of linking a single identity across multiple disparate identity management systems.
Chapter 5
Implementing Cryptographic Techniques
- Select Cryptographic Techniques
- Implement Cryptography
Hashing
A process that transforms plaintext input into an indecipherable fixed-length output and ensures this process cannot
be feasibly reversed
Digital Signatures
A message digest that has been encrypted again with a user’s private key
Code Signing
The method of using a digital signature to ensure the source and integrity of programming code
- Apps on the Internet are untrusted
- Verify author’s identity before installing apps
- Developer signs the code with their private key
- Recipient uses sender’s public key to verify signature
- Does not prevent attackers from distributing malware
o Attacker can get their malicious code signed
- Users should install software from only trusted publishers
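The hashing, digital signature and code signing points above, worked through in Go as an added example (not code from these notes): the publisher signs a SHA-256 digest of the code with its private key, and the installer verifies the signature with the public key and then checks that key against a trust list, so both a tampered artifact and a validly signed artifact from an untrusted key are rejected. Publisher, TrustStore and VerifyInstall are hypothetical names, and Ed25519 stands in for the "encrypt the digest with the private key" description.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher is a hypothetical software publisher holding an Ed25519 key pair.
type Publisher struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher(name string) (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Name: name, Pub: pub, priv: priv}, nil
}

// Sign hashes the code and signs the digest with the publisher's private key.
func (p *Publisher) Sign(code []byte) []byte {
	digest := sha256.Sum256(code)
	return ed25519.Sign(p.priv, digest[:])
}

// TrustStore maps hex-encoded public keys to the publishers the user trusts;
// it stands in for an OS or package-manager trust list (hypothetical).
type TrustStore map[string]string

func (t TrustStore) Trust(p *Publisher) { t[hex.EncodeToString(p.Pub)] = p.Name }

// VerifyInstall re-hashes the received code and checks the signature with the
// key shipped alongside it. A valid signature alone is not enough: anyone can
// generate a key and sign their own code, so the key must also be trusted.
func (t TrustStore) VerifyInstall(code, sig []byte, pub ed25519.PublicKey) (bool, string) {
	digest := sha256.Sum256(code)
	if !ed25519.Verify(pub, digest[:], sig) {
		return false, "invalid signature: code or signature was altered"
	}
	name, ok := t[hex.EncodeToString(pub)]
	if !ok {
		return false, "valid signature but publisher is not trusted"
	}
	return true, "signed by trusted publisher " + name
}

func main() {
	vendor, _ := NewPublisher("Example Vendor")
	store := TrustStore{}
	store.Trust(vendor)
	code := []byte("echo install") // constructed sample artifact
	fmt.Println(store.VerifyInstall(code, vendor.Sign(code), vendor.Pub))
}
```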
Blockchain
A concept in which an expanding list of transactional records is secured using cryptography
Key Stretching
The technique of strengthening weak cryptographic keys against brute force attacks
Steganography
A security technique that hides a secret message by enclosing it an ordinary message
Cryptographic Implementations
- Proper implementations:
o Choose a strong industry-standard scheme like AES or RSA
o Use algorithms with strong key lengths, like 128-bit (symmetric) and 2,048-bit (asymmetric)
o Store keys in management systems
o Regulate access to management systems
o Employ PFS in asymmetric encryption
o Ensure encryption covers all areas of enterprise
o Weigh benefits with cost of encryption
- Improper implementations:
o Choose an obsolete scheme like DES
o Use algorithms with weak key lengths, like 56-bit (symmetric) and 1,024-bit (asymmetric)
o Store data in insecure and easily accessible locations
o Fail to account for increased cost and overhead
o Employ encryption in only some areas of the enterprise
Watermarking
A DRM mechanism that uses steganographic techniques to embed data within media to enforce copyright
protection
SSH
- Protocol used for secure remote access and transfer of data
- Consists of a client and server
- Implements terminal emulation software for remote login sessions
- Entire session is encrypted; prevents eavesdropping
- Supports PFS by default
- Used on Unix/Linux, requires third party software on Windows
- Often used to execute commands on a remote device like a file server or router
PGP
- The sender encrypts the mail contents with a key and then encrypts this key
- Encrypted key is sent with email
- Receiver decrypts key, then uses this key to decrypt contents
- PGP also uses PKI to digitally sign emails for authentication
- Requires end-user plugins
o May make integration and management difficult
- GPG is the open-source alternative
o Compliant with PGP services
o Meets latest IETF (Internet Engineering Task Force) standards
- Resistant to tampering
- Used in TPM (Trusted Platform Module)
Cryptographic module: Any software or hardware solution that implements one or more cryptographic concepts
CSP (Cryptographic Service Provider): A Windows software library that implements Microsoft’s CryptoAPI
t0 b3 c0ntinU3….