SRA Research Paper

profilegina123
sra_notes.docx

Technical Controls

I. Introduction

a. Technical and procedural controls are the mechanisms used by organizations to mitigate security threats.

b. Information security policies, standards, and practices are essential to govern the actions taken by an organization.

c. Technical controls are essential in enforcing compliance with policies.

d. Technical controls improve an organization’s ability to safeguard their assets and balance usability while protecting against threats.

II. Defense in Depth

a. An industry best practice approach for a strong information security program.

b. Consists of multiple layers of controls, both procedural and technical.

c. The goal is to safeguard assets in the event that a control fails or is bypassed.

i. In the event a single control fails or is bypassed by an attacker, there are multiple additional controls that need to be circumvented in order to perform a successful attack.

d. Multiple layers of controls make it more difficult for an attacker to succeed.

e. Combination of preventative and reactionary technical controls.

f. Policies and procedures work in tandem with technical controls.

i. Technical controls help to enforce policies.

g. Consider your personal laptop, smartphone, tablet, and even your home. Do you apply defense in depth strategies for each of those items?

i. It is likely that you do without even realizing it. You probably use passwords, maybe restrict user account permissions, use an anti-virus software, a firewall, encryption, and apply security patches.

III. Technical Controls

a. Technical controls are essential in enforcing policies.

b. Used to enhance the security of information assets.

c. They improve an organization’s ability to balance and manage accessibility with preserving the confidentiality, integrity, and availability of information.

d. Technical controls support procedural controls by enforcing them and/or providing a means to protect information in accordance with requirements set forth within security policies and procedures.

e. Technical controls are designed to mitigate threats at various levels.

f. There are various types of technical controls designed to provide security measures at multiple levels within an environment.

i. Logical Access Controls

ii. Perimeter Controls

iii. Endpoint Controls

iv. Data Security

v. Application Security

IV. Logical Access Controls

a. Systems used to determine someone’s identity and whether they are permitted to access electronic assets.

b. In general, logical access controls focus on the following mechanisms:

i. Identification

ii. Authentication

iii. Authorization

iv. Accountability

v. Identification: mechanism where an entity intending to access a resource provides an identifier that is known to a system.

1. Typically a username

vi. Authentication: the process of validating an entities identity.

1. Typically a password

vii. Authorization: the process of matching an authenticated user to a list of actions or assets that entity can access.

viii. Accountability: ensures all activities, authorized and unauthorized can be attributed to an identity (logging).

ix. Enhanced access control mechanisms exist in the form of biometrics or multi-factor authentication.

x. Multi-factor Authentication introduces another layer of authentication generally consisting of something a user has or can produce, along with something they know (password).

1. Password + token, smartcard, temporary PIN or code

2. Password + biometrics (fingerprint, hand geometry, retina scan)

xi. Biometrics: relies upon recognition and is based upon the use of a human characteristic or trait.

1. Fingerprint, hand geometry, retina scan, facial recognition

V. Perimeter Security Controls

a. The perimeter is the point at which an organization’s network ends and the outside world, Internet, begins.

b. Perimeter controls are designed to keep unauthorized entities out, while allowing authorized individuals and processes to operate effectively, including secured remote access.

c. Two main categories of controls, applies to both perimeter and endpoint.

i. Proactive controls – detect, log, alert, and proactively block

ii. Reactive controls – detect, log, and alert requiring manual intervention

d. Firewalls prevent specific types of information from moving between the outside world, untrusted network, and the inside world, known as the trusted network.

e. A firewall may be software-based (generally at the endpoint), dedicated hardware, or exist as a service running on existing infrastructure.

f. There are five firewall processing modes:

i. Packet filtering, application gateway, circuit gateways, MAC layer firewalls, and hybrids.

g. Packet Filtering Firewalls

i. Examines the header information of an IP packet to determine if the traffic is permitted to enter the network.

ii. The header information most often used is source and destination addresses, port, and direction (inbound or outbound).

iii. The firewall determines whether to drop (deny), or allow traffic based upon pre-defined rules.

h. Three subsets of packet filtering firewalls:

i. Static Filtering - requires filtering rules to determine action

ii. Dynamic – allows specific types of traffic to enter based upon information within a packet and automatically creates filters

iii. Stateful Inspection – (aka stateful firewalls) leverage a state table to track network connections between internal and external systems. Performs packet filtering but allows responses to all requests without an explicit rule.

i. Application Gateway

i. An application-level firewall that provides additional traffic filtering for application activity.

ii. Also known as a proxy server, which operates special software to direct and filter user traffic destined for an application.

iii. Avoids exposing servers and services directly to the outside world.

j. Circuit Gateway

i. Similar to filtering firewalls, do not usually look at data traffic flowing between two networks, but prevent direct connections between one network and another.

ii. Creates tunnels connecting specific processes or systems on each side of the firewall, and allow only authorized traffic in the tunnels.

iii. Also referred to as a VPN connection between business partners.

k. MAC Firewalls

i. Operates at a different layer than most firewalls, and not widely used.

ii. Able to consider specific host computer’s identity in its filtering decisions

iii. MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked.

l. Hybrid Firewalls

i. Combine elements of other types of firewalls; i.e., elements of packet filtering and proxy services, or of packet filtering and circuit gateways.

ii. Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem.

m. Most firewalls exist as appliances or dedicated systems.

n. In the case of personal computers and home networks, software firewalls and firewalls built into a router are sufficient.

o. With a hardware-based firewall an attacker has to bypass it to get onto your network.

p. With a software-based firewall an attacker already has the ability to send traffic to your computer…

q. When selecting firewall, consider a number of factors:

i. What firewall offers right balance between protection and cost for needs of organization?

ii. Which features are included in base price and which are not?

iii. Ease of setup and configuration? How accessible are staff technicians who can configure the firewall?

iv. Can firewall adapt to organization’s growing network?

v. Second most important issue is cost.

r. Content Filters and Web Proxies

i. Can be software-based or hardware-based, an appliance on a corporate network.

ii. The primary focus of a content filter is to restrict the type of content, or resources, that an internal user can access outside of the company (resources on the Internet).

iii. The most common use of content filters is to restrict the type of web sites internal users are permitted to access.

1. Permit access to legitimate content, but block inappropriate material including explicit or sexual content, gambling sites, and other resources not permitted by an organization.

iv. Content filters are typically combined with web proxies to filter web content as well as restrict direct connectivity from an endpoint to the outside world.

v. These systems offer subscription services, similar to anti-virus, to provide regular updates to the catalog of known websites and categories.

vi. Very common to also be combined with anti-virus capabilities to provide a third layer of defense at the perimeter.

s. Virtual Private Networks

i. With a mobile workforce and the need to access systems remotely, remote access mechanisms were introduced.

ii. Without a secure remote access system, anyone could potentially connect to your network, or at the very least, intercept traffic sent over the Internet.

iii. Initially, remote access was provided through the use of modems.

iv. VPNs replaced the use of modems as a secure alternative that was not hardware dependent.

v. Private and secure network connection between systems; uses data communication capability of unsecured and public network.

vi. Securely extends organization’s internal network connections to remote locations beyond trusted network.

vii. Three VPN technologies defined:

1. Trusted VPN – uses leased circuits

2. Secure VPN – uses encryption to secure traffic

3. Hybrid VPN – combines trusted and secure

viii. Systems that offer secure connectivity over the Internet must provide the following:

1. Encapsulation of data to ensure native traffic is embedded or hidden.

2. Encryption of all data transmitted

3. Authentication of the remote user

ix. There are generally two types of VPN connections from an end user perspective.

x. Client-based – requires a software client installed on a computer

xi. Web-based – does not require a client, user has to log into a website

t. Intrusion Detection and Prevention Systems

i. Intrusion: occurs when an attacker attempts to gain entry into or disrupt the normal operations of an information system, almost always with the intent to do harm.

ii. Intrusion prevention: consists of activities that seek to deter an intrusion from occurring.

iii. Intrusion detection: consists of procedures and systems created and operated to detect system intrusions.

iv. Detect a violation of its configuration and activate alarm.

v. Many IDSs enable administrators to configure systems to notify them directly of trouble via e-mail or pagers.

vi. Systems can also be configured to notify an external security service organization of a “break-in”.

vii. Why utilize IDS/IPS?

1. Prevent problem behaviors by increasing the perceived risk of discovery and punishment.

2. Detect attacks and other security violations.

3. Detect and deal with preambles to attacks.

4. Document existing threat to an organization.

5. Act as quality control for security design and administration, especially of large and complex enterprises.

6. Provide useful information about intrusions that take place.

viii. Can exist as network-based systems or host-based systems.

1. NIDS/HIDS

a. Network IDS, Host IDS

ix. Designed to look for attack patterns.

x. Leverage signatures, similar to anti-virus, to detect potential attacks.

xi. NIDS exist in the form of appliances and are strategically placed throughout the network.

xii. HIDS are software based and installed on endpoint computers.

xiii. Intrusion prevention involves proactive measures to identify and block a potential attack.

xiv. Intrusion detection is reactionary and alert someone to a potential attack.

xv. Neither system can reliably ascertain whether an attack was successful.

xvi. Neither system can inspect encrypted traffic.

xvii. In general, designed to the detect the following:

1. Denial of service attempts

2. Malware activity

3. Scanning activity

4. Unexpected applications

5. Exploitation attempts

u. Honeypots

i. Decoy systems designed to lure potential attackers away from critical systems.

ii. A collection of honeypots on a network is known as a honeynet.

iii. Honeypots connect fake services and applications to make them appear vulnerable to common attacks as a result of poor patching and misconfigurations.

iv. By luring an attacker to target fake systems they are revealing themselves and their tactics.

v. Consequently, allowing organizations to enhance their security controls to better protect against attackers by knowing more about their tactics.

vi. Observations can lead to enhanced technical and procedural controls.

vii. Advantages include:

1. Diversion of attackers to fake systems

2. Provides additional time for organizations to determine how to respond to attacks

3. Can even help identify insiders snooping around the network

viii. Disadvantages include:

1. Legal implications of use are not well defined

2. Could annoy or anger a skilled attacker…

3. Need to be monitored in order for them to be effective

4. Require specialized skills to maintain

v. Encryption

i. Encryption is the process of converting an original message into a form that is unreadable by unauthorized entities.

ii. Decryption is the process of converting cipher text back into its original form.

iii. An encrypted message is referred to as cipher text.

iv. The original message is referred to as plain text.

v. Encryption has been around for thousands of years and has played a key role in history.

vi. The purpose of encryption is to preserve the confidentiality of information.

vii. Popular examples of usage today include:

1. Securing websites with encryption to preserve data transmitted from a computer.

2. Securing the transmission of email and data over the Internet.

3. Securing data at rest on hard drives or removable media devices.

viii. Mathematical equations known as algorithms are used to convert plain text into cipher text.

ix. A key is used in conjunction with an algorithm to create cipher text as well as convert it back into plain text.

x. There are two main categories of algorithms:

1. Symmetric – encryption methodologies that require the same key to encrypt and decrypt a message.

2. Asymmetric – encryption methodologies that utilize different keys to encrypt and decrypt, one key remains private.

w. Patching

i. Weaknesses in software represent vulnerabilities that can be exploited by a malicious entity to bypass security controls and/or gain unauthorized access to a system.

ii. Patches are additional pieces of code designed to address flaws, or bugs, in software.

iii. Not all vulnerabilities have related patches, especially when new vulnerabilities are announced.

iv. Patching is a security practice that allows entities to proactively prevent exploitation of system vulnerabilities

v. The level of damage caused by an attacker who exploited a vulnerability in software can be severe.

vi. Patching is a relatively inexpensive technical security control.

vii. In fact, many argue it is the single best control that offers the greatest level of protection based upon the level of effort required.

viii. Patching is part of an overall vulnerability management program that involves the assessment of vulnerabilities, testing, and deployment of patches.

ix. As such it is comprised of technical and procedural components.

x. Patches can be applied manually or automatically.

xi. The application of patches and reduction in vulnerabilities can be verified sing vulnerability scanners.

x. Malware Defenses

i. Anti-virus scanners constantly monitor what is occurring in search of suspicious behavior and attempt to block such activity when it matches a pattern defined as malicious.

ii. No anti-virus technology has a success rate of 100%.

iii. Anti-virus software is only effective when it is kept up-to-date.

1. Daily, or more frequent, updates should be applied.

iv. There are multiple detection mechanisms used by today’s malware defenses.

1. Signature-based – the use of signature files as reference points to determine if a file matches malicious patterns of behavior as defined by a signature file.

2. Heuristics – use of algorithms to make assumptions as to whether files are malicious based upon the activity and behavior of files and applications.

v. Typically anti-virus technologies utilize information regarding what has occurred in the past in order to identify infected files.

vi. Virus writers have figured out an approach to defeat anti-virus software; release new variants (versions) in a rapid fashion where the newly created viruses exist in the wild far before new signatures are developed.

vii. Anti-virus systems must be monitored to ensure they are functioning properly and to identify potential issues.

Risk Management

I. Introduction

a. Organizations must design and create safe environments in which business processes and procedures can function.

b. Management must structure the IT and security functions to protect an organization’s assets.

c. IT environments must exist to preserve the confidentiality, integrity, and availability of information assets.

d. Applying the principles of risk management allows organizations to meet those objectives.

II. Risk Management Overview

a. Risk Management: process of identifying the risks an organization is faced with and taking the appropriate actions to reduce them to an acceptable level.

b. Risk management involves three major components:

i. Risk Identification – process of examining an organization’s current security posture and the risks it faces.

ii. Risk Assessment – determining the overall level of exposure as it pertains to security risks and controls.

iii. Risk Control – the application of controls (procedural or technical) to reduce risks to an acceptable level.

c. Know Yourself

i. First we must identify, examine, and understand the information, systems, and business processes currently in place.

d. Know the Enemy

i. Once we understand our business model and existing security posture, the second step is to identify, examine, and understand threats facing the organization.

e. To protect assets we must understand how they provide value to the organization, the types of information they utilize, their architecture and to which vulnerabilities they are susceptible.

f. After identifying our assets and weaknesses, it is imperative to identify the various threats facing an organization.

III. Risk Identification

a. Risk management requires the identification, classification, and prioritization of an organization’s assets.

b. The first activity is risk identification, this is where assets are identified.

c. Following the identification process, a threat assessment can begin to identify the risks facing each asset.

d. Five components of risk identification

i. People, procedures, data, software, and hardware

e. First step in the identification process is to follow your project management principles.

i. Organize a cross-functional team representing key stakeholder organizations.

ii. Determine audience for management reports, approval, etc.

iii. Plan out the process by establishing milestones, deliverables, reviews, and presentations.

iv. Assign tasks and get to work.

f. Asset Identification and Inventory

i. Iterative process where all assets are identified, including elements of an information system.

1. People, procedures, data, software, and hardware

g. Following the identification process, all assets are classified and categorized.

h. The objective is to establish a relative priority as it relates to the entire organization (what is most important).

i. Asset Categories

i. People – employees and non-employees

ii. Procedures – business and IT procedures

iii. Data – information and the processes for management of information when in use, at rest, and in motion

iv. Software – applications, operating systems, and security components

v. Hardware – devices, peripherals, and networking components

j. People, Procedures, and Data Identification

i. Human resources, documentation, and data assets can be difficult to identify.

ii. Important asset attributes:

1. People: position name/number/ID; supervisor; security clearance level; special skills

2. Procedures: description; intended purpose; what elements it is tied to; storage location for reference; storage location for update

3. Data: classification; owner/creator/ manager, type of information, accessibility, location, backup procedures

k. Classification and Management

i. Numerous classification schemes exist and are used by different organizations.

1. There is no right or wrong answer

ii. Information owners responsible for classifying their information assets.

iii. Information classifications must be reviewed periodically.

iv. Federal and military organizations have complex classification schemes.

v. Most organizations can utilize simplified classification schemes in order to limit the level of complexity.

1. Public

2. Official or internal use

3. Sensitive

4. Classified

5. Can be similar to data classification (confidential, internal use, and public)

l. Asset Valuation

i. The process of assigning a value to information assets.

ii. Relative determination of an assets value based on a series of questions.

iii. The risk management team and upper management must determine which criteria would be most appropriate when determining the value of assets.

iv. Examples of criteria to be considered:

v. Which asset is most critical to the success of the organization?

vi. Which asset generates the most revenue?

vii. Which asset is the most expensive to replace?

viii. Which asset is the most expensive to protect?

ix. Which asset would expose the company to liability or embarrassment?

x. When estimating the value for information assets, the following should be considered?

1. Value of intellectual property

2. Value to adversaries

3. Value to owners

4. Value to customers

5. Value of the protection for an asset

m. Asset Prioritization

i. Once the inventory and value assessment are complete, assets can be prioritized.

ii. The use of weightings help facilitate this process.

iii. Each asset is assigned a score for each criteria selected.

iv. Weightings for each category are based upon answers to previous questions.

v. Use the values assigned to calculate a relative importance.

vi. Prioritize assets based upon importance.

n. Identification and Prioritization of Threats

i. After identifying and classifying information assets, the next step is to examine threats.

ii. Investigate realistic threats and discard those which are less important or likely to occur.

iii. Reference the list of threats we examined in week 2.

iv. These threats must be examined to determine the potential danger they represent to an organization. This is known as a threat assessment.

o. Threat assessments should include consideration of and answers to the following questions.

i. Which threats present a danger to assets in a specific environment?

ii. Which threats represent the most danger to information?

iii. How much would it cost to recover from an attack?

iv. Could an organization recover from an attack?

v. Which threats are the most expensive to prevent?

p. Vulnerability Identification

i. Next we must review the assets and threats identified in order to identify a list of vulnerabilities.

ii. A vulnerability is a mechanism that can be used or opportunity that can be seized by a threat agent to exploit a weakness and attack an asset.

iii. Examine how each threat could be realized.

iv. Process works best when people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions.

v. Final deliverable is list of assets and their vulnerabilities are achieved.

q. Vulnerability Identification

i. The list of prioritized assets and their vulnerabilities is the starting point for the next phase within the risk management process.

ii. This is the basis upon which controls are identified.

iii. Organizations may have to revisit the risk identification step after they’ve reach the assessment phase.

IV. Risk Assessment

a. Risk assessment is the process of evaluating the relative risk for each of the previously identified vulnerabilities.

b. Involves the assignment of a risk rating to each asset.

c. While a risk rating is a relative figure, it proves to be valuable when prioritizing risks.

d. When determining a risk rating the following factors must be considered:

i. Likelihood, value, current controls, and uncertainty

e. Likelihood is the probability that a vulnerability will be experienced.

f. Always use professionalism, experience, and good judgment when determining likelihood or probability.

g. Whenever possible, reference external resources.

i. White papers, research materials, actual incidents, security surveys and studies

h. Likelihood should be assigned using a consistent numerical scale.

i. Risk Determination

i. Generally speaking, risk = probability x impact

ii. However, it is important to consider if any controls are already in place and any uncertainty.

iii. Therefore…

iv. Risk = (probability x impact) – percentage risk is already controlled + element of uncertainty

j. Identification of Possible Controls

i. For each threat and associated vulnerabilities with a residual risk, create a list of possible controls.

ii. Residual risk is the risk to an asset that remains after controls are already in place.

iii. Controls should be both technical and procedural in nature.

k. Documenting the Results

i. A risk assessment report should be compiled that contains a final summary of the results, an overview of the process, details regarding risks, threats, and assets.

ii. Include all worksheets, such as a ranked vulnerability worksheet.

1. This is a working document required to begin the next step associated with determining risk control strategies.

V. Risk Control Strategies

a. Upon completion of the assessment process, organizations much choose how to address each of the risks identified.

b. There are five control strategies

i. Defend

ii. Transfer

iii. Mitigate

iv. Accept

v. Terminate

c. Defend

i. Attempts to prevent exploitation of the vulnerability.

ii. Preferred approach to proactively avoid risks.

iii. Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards.

iv. Three common methods of risk avoidance:

1. Application of policy

2. Training and education

3. Applying technology

d. Transfer

i. Approach that attempts to shift risk to other assets, processes, or organizations.

ii. If lacking, organization should hire individuals/firms that provide security management and administration expertise.

iii. Organization may then transfer risk associated with management of complex systems to another organization experienced in dealing with those risks.

iv. Examples include outsourcing, purchasing insurance, and implementing service contracts.

e. Mitigate

i. Attempts to reduce impact of vulnerability exploitation through planning and preparation.

ii. Approach includes three types of plans

1. Incident response plan

2. Disaster recovery plan

3. Business continuity plan

iii. Mitigation begins with early detection of an attack and quick, efficient response activities.

f. Accept

i. This is the choice to do nothing and accept the outcome of exploitation of a vulnerability.

ii. This strategy is based upon the conclusion that the cost of protection exceeds the value of an asset.

iii. The term risk appetite is used to describe the degree to which an organization is willing to accept risk as a trade-off to the expense of applying controls.

g. Terminate

i. This strategy directs the organization to avoid those business activities that introduce risks.

ii. Businesses may identify alternative mechanisms to provide services to their customers.

iii. The termination of questionable or risky activity reduces the level of exposure.

h. Before selecting a control strategy organizations must weight the benefits of different strategies.

i. Consider all consequences associated with a strategy

ii. Consider the costs

iii. Consider all alternatives

i. Cost is usually the driving factor.

VI. Evaluation, Assessment, and Maintenance of Controls

a. Selection and implementation of control strategy is not end of process.

b. Strategy and accompanying controls must be monitored/reevaluated on ongoing basis to determine effectiveness and to calculate more accurately the estimated residual risk.

c. Process continues as long as organization continues to function.

d. While often referred to as a process, risk management is a program.

VII. Qualitative Versus Quantitative

a. Performing the previous steps using actual values or estimates is known as a quantitative assessment.

b. Qualitative assessments do not involve the use of numerical figures.

i. Relative risk ratings such as high, medium, and low are used to define risks.

c. Utilizing scales rather than specific figures simplifies the assessment process and is less expensive to perform/maintain.

d. Qualitative assessment are more popular given the level of difficulty and cost associated with quantitative assessments.

VIII. Discussion Points

a. Not every organization has the budget or will to manage all vulnerabilities through the application of controls.

b. Organizations need to define the overall level of risk that it can tolerate.

c. Risk appetite is the quantity and types of risks that organizations are willing to accept.

d. Even after controls have been applied, many times there is still some level of risk that exists.

e. The goal is not to bring the residual risk to zero, but reduce it inline with the organization’s risk appetite.

IX. Documenting the Results

a. At minimum, each information asset-threat pair should have documented control strategy clearly identifying any remaining residual risk.

b. Another option: document outcome of control strategy for each information asset-vulnerability pair as an action plan.

c. Risk assessment may be documented in a topic-specific report.

X. Recommended Risk Control Practices

a. Convince budget authorities to spend up to value of asset to protect from identified threat

b. Final control choice may be balance of controls providing greatest value to as many asset-threat pairs as possible

c. Qualitative over quantitative

d. Keep processes as simple as possible.

e. Stakeholder involvement and approval is critical.

f. Reference frameworks to assist with risk management efforts.

Personal and Enterprise Security

I. Introduction

a. It is equally important to protect personal information and computing assets as it is enterprise computing assets.

b. Personal security programs are very similar to enterprise programs.

c. While there is more at stake, larger budgets, and more complex environments, the fundamentals remain the same between personal and enterprise security.

d. In both cases, it is important to apply defense-in-depth techniques.

II. Personal Security

a. When security personal information and IT assets, consider the following:

i. What are you trying to protect?

ii. What assets require protection?

iii. Who requires access?

iv. How do I protect my information?

v. Is a risk assessment required?

b. Individuals need to address the same common concerns that enterprises have when protecting computing assets.

c. We perform risk assessments everyday.

d. We regularly interact with security controls that are in place to secure our personal information.

e. What types of technical controls do you employ to secure your personal information?

f. Regardless of the type of computer you utilize, the following technical controls should be employed.

i. Anti-virus/anti-malware software

ii. Host-based firewall

iii. Host-based IPS

iv. Regularly applying security patches

v. Use of strong passwords

vi. Regularly backup all critical data

vii. For mobile devices: patch, use strong passwords, remote erase/find my phone capabilities, beware of application permissions.

g. Taking it one step further

i. Secure your wireless network

1. Strong encryption

2. Admin access

3. MAC filtering

h. Encrypt your hard drive and removable storage devices

i. URL filtering

j. Utilize administrative credentials only when required.

k. Backup your files regularly

l. Check your systems/network for vulnerabilities

m. Procedural controls still play an important role in a personal security program.

n. Consider the following:

i. Reuse of passwords

ii. Regular scanning for viruses

iii. Proceeding with caution when processing email or browsing the web

iv. Regularly applying security patches

v. Usage of free wireless hotspots

o. A few key items to remember

i. Do not use the same password across all systems

ii. Do not write down your passwords

iii. Enable real-time scanning of viruses

iv. Enable automatic downloads of security patches

v. Be on the lookout for spam and phishing campaigns

vi. Always confirm sites are using encryption prior to transmitting sensitive information

vii. Be mindful that free wireless networks are not the safest place to browse the Internet.

III. Enterprise Security

a. While similar, enterprise security is different than personal security.

b. Larger scope of assets to protect.

c. Informal assessments and analyses will not suffice.

d. Many stakeholders are involved.

e. More difficult to justify decisions and expenses.

f. Larger budget for security, but need to use funds wisely.

g. A defense-in-depth strategy is critical.

h. Procedural controls play a much larger role.

i. Development of a program needs to be carefully thought out, planned, and executed.

j. Application of project management principles is important to manage the overall plan.

i. Assign resources

ii. Gain management approval

iii. Establish scope

iv. Determine budget

v. Establish and meet a schedule

k. The use of a risk assessment and risk management techniques are essential.

l. A risk assessment should be the basis of every security program.

m. Without it, organizations do not fully understand the threats they are susceptible to.

n. Furthermore, assessments help to justify the establishment of security controls.

o. The completion of a risk assessment and establishment of new security controls is not the end state.

p. Continuous monitoring and assessments are required.

q. Regularly conduct internal assessments.

r. Engage third parties to perform the same assessments.

i. They have more experience, expertise, and bring a different perspective. Often carry more weight than an internal assessment.

s. Document, track, and remediate findings based on risk management program.

t. Utilize assessments to your advantage and build a defense-in-depth program.

i. Layer multiple technical and procedural controls to reduce the chance of failure or bypass.

u. When implementing a defense-in-depth strategy consider the following:

i. On and off network connectivity

ii. A/V at multiple levels, and usage of multiple products

iii. Network and host-based controls

v. Security awareness is far more important in an enterprise security program.

w. Employees need to clearly understand their roles and responsibilities.

x. Policies and procedures must be communicated, accessible, and easily understood.

y. Security professionals need to work closely with business users.

z. Security professionals must avoid the perception of being a roadblock.

aa. Organizational Structure

i. The structure of an information security organization varies from company to company.

ii. In general, there is a Chief Information Security Officer, a senior leader accountable for the security program, and then Supervisors are responsible for the administrative and technical components.

iii. Often times, cyber security and physical security report up to the same individual.

ab. Chief Information Security Officer (CISO or CSO)

i. Top information security position; frequently reports to Chief Information Officer (CIO)

ii. Manages the overall information security program

iii. Drafts or approves information security policies

iv. Works with the CIO on strategic plans

v. Develops information security budgets

vi. Sets priorities for information security projects and technology

vii. Makes recruiting, hiring, and firing decisions or recommendations

viii. Acts as a spokesperson for the cyber security program

ac. Employment practices involving cyber security

i. Integrate a component of information security into job descriptions, where appropriate.

ii. Do not advertise privilege levels in job postings.

iii. Conduct background checks to identify any potential red flags.

iv. New employees should receive briefings on all information security policies and procedures.

v. Ongoing security awareness training is essential.

ad. Employment practices involving cyber security

i. Integrate a component of information security into performance appraisals.

ii. When an employee leaves the company, access should be terminated, corporate resources collected, and they should be escorted from the premises.

iii. In the event of a for-cause termination, all access should be revoked prior to notification (immediately), escorted at all times, and no corporate resources permitted to leave the premises.

ae. Employment practices involving cyber security

i. Friendly departures can be treated differently.

ii. Employee may have prior notification.

iii. Termination of access can wait until their final day of work.

iv. Offices and information used by the employee should be inventoried to determine if retention is required.

v. Scrutinize system logs after an employee leaves to determine if there may have been a policy or data breach.

vi. Incidents involving former employees should be addressed immediately.

af. Security Management Maintenance Models

i. Management model must be adopted to manage and operate ongoing security program

ii. Models are frameworks that structure tasks of managing particular set of activities or business functions

iii. NIST SP 800-100 Information Security Handbook: A Guide for Managers provides managerial guidance for the establishment and maintenance of an information security program.

ag. Awareness and Training

i. Processes should be in place to monitor compliance with and the effectiveness of a program.

ii. The data gathered will help to assess a program and tailor awareness and training campaigns to targeted audiences.

iii. Ongoing awareness activities are important to ensure people are familiar with new and active threats.

iv. As security policies evolve, it is critical to ensure awareness and training materials are revised.

ah. Performance Measures

i. Organizations can generate information security metrics to measure the effectiveness of their security program.

ii. Metrics should be leveraged when making decisions related to implementing new controls.

iii. Conversely, they help to determine if existing controls are performing as expected.

ai. Security Assessments

i. The goal is to check the status and effectiveness of security controls.

ii. Auditing is a process used to determine if misuse has occurred.

iii. Assessments can be internal or external.

iv. They can be all encompassing of a program, or focus on specific assets.

IV. Physical Security

a. Physical security addresses the design, implementation, and maintenance of countermeasures that protect physical resources of an organization.

b. Many logical controls can be circumvented if an attacker gains physical access.

c. Physical security is as important as logical security.

d. Secure facility: physical location engineered with controls designed to minimize risk of attacks from physical threats.

e. Secure facility can take advantage of natural terrain, traffic flow, and degree of urban development; can complement these with protection mechanisms (fences, gates, walls, guards, alarms).

f. Controls include

i. Walls, fencing, gates, guards, ID cards/badges, locks, mantraps, electronic monitoring, and alarms

ii. Some controls are preventative, while others are more reactive and serve as a deterrent.

g. ID Cards and Badges

i. Ties physical security with information access control

ii. ID card is typically concealed

iii. Name badge is visible

iv. Tailgating occurs when unauthorized individual follows authorized user through a controlled entrance.

h. Locks and keys

i. Two types of locks: mechanical and electromechanical

i. Mantrap

i. Small enclosure that has entry point and different exit point.

ii. Individual enters mantrap, requests access, and if verified, is allowed to exit mantrap into facility.

iii. Individual denied entry is not allowed to exit until security official overrides automatic locks of the enclosure.

j. Electronic Monitoring

i. Records events where other types of physical controls are impractical or incomplete

ii. May use cameras with video recorders; includes closed-circuit television (CCT) systems

iii. Reactive; does not prevent access or prohibit activity

k. Alarms and alarm systems

i. Alarm systems notify when an event occurs.

ii. Detect fire, intrusion, environmental disturbance, or an interruption in services.

iii. Rely on sensors that detect event; e.g., motion detectors, smoke detectors, thermal detectors, glass breakage detectors, weight sensors, contact sensors, vibration sensors.

l. Fire Safety

i. Most serious threat to safety of people who work in an organization is possibility of fire.

ii. Fires account for more property damage, personal injury, and death than any other threat.

iii. Imperative that physical security plans examine and implement strong measures to detect and respond to fires.

iv. Routine fire drills are essential.

m. Physical Security Maintenance

i. Physical security must be constantly documented, evaluated, and tested.

ii. Documentation of a facility’s configuration, operation, and function should be integrated into disaster recovery plans and operating procedures.

iii. Testing helps improve the facility’s physical security and identify weak points.

n. Mobile and Portable Systems

i. With the increased threat to information security for laptops, and handhelds, mobile computing requires more security than average in-house system.

ii. Many mobile computing systems

1. Have corporate information stored within them.

2. Some are configured to facilitate user’s access into organization’s secure computing facilities.

o. Controls to Support Mobile and Portable Systems

i. Encryption

ii. Strong logical access controls

iii. Software to track stolen devices

iv. Remote wiping capabilities

v. Containerization

p. Don’t leave laptops in visible areas within a parked vehicle.

q. Lock your laptop at or within your desk/office.

r. Special Considerations for Physical Security

i. Develop physical security in-house or outsource?

ii. Many qualified and professional agencies.

iii. Benefit of outsourcing includes gaining experience and knowledge of agencies.

iv. Downside includes high expense, loss of control over individual components, and level of trust that must be placed in another company.

v. Social engineering: use of people skills to obtain information from employees that should not be released.