5.1 - Security Controls
Terms in this set (39)
Security controls
• Security risks are out there
- Many different types to consider
• Assets are also varied
- Data, physical property, computer systems
• Prevent security events, minimize the impact, and limit the damage
- Security controls
• Managerial controls
Controls that address security design and implementation
- Security policies, standard operating procedures
• Operational controls
Controls that are implemented by people
- Security guards, awareness programs
• Technical controls
Controls implemented using systems
- Operating system controls
- Firewalls, anti-virus
Preventive
- Physically control access
- Door lock
- Security guard
- Firewall
Detective
May not prevent access
- Identifies and records any intrusion attempt
- Motion detector, IDS/IPS
Corrective
- Designed to mitigate damage
- IPS can block an attacker
- Backups can mitigate a ransomware infection
- A backup site can provide options when a storm hits
Deterrent
May not directly prevent access
- Discourages an intrusion attempt
- Warning signs, login banner
Compensating
Doesn't prevent an attack
- Restores using other means
- Re-image or restore from backup
- Hot site
- Backup power system
Physical
- Fences, locks, mantraps
- Real-world security
Compliance
• Compliance
- Meeting the standards of laws, policies, and regulations
• A healthy catalog of regulations and laws
- Across many aspects of business and life
- Many are industry-specific or situational
• Penalties
- Fines, incarceration, loss of employment
• Scope
- Covers national, territory, or state laws
- Domestic and international requirements
GDPR - General Data Protection Regulation
• European Union regulation
- Data protection and privacy for individuals in the EU
- Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer's IP address, etc.
• Controls export of personal data
- Users can decide where their data goes
• Gives individuals control of their personal data
- A right to be forgotten
• Site privacy policy
- Details all of the privacy rights for a user
PCI DSS
• Payment Card Industry Data Security Standard (PCI DSS)
- A standard for protecting credit cards
PCI DSS • Six control objectives
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Security frameworks • Secure your data
• Where do you start? What are the best practices?
- If only there was a book.
• Often a complex problem
- Unique organizational requirements
- Compliance and regulatory requirements
- Many different processes and tools are available
• Use a security framework
- Documented processes
- A guide for creating a security program
- Define tasks and prioritize projects
Center for Internet Security (CIS)
• Center for Internet Security
- Critical Security Controls for Effective Cyber Defense (CIS CSC)
• Improve cyber defenses
- Twenty key actions (the critical security controls)
- Categorized for different organization sizes
• Designed for implementation
- Written for IT professionals
- Includes practical and actionable tasks
NIST RMF
• National Institute of Standards and Technology Risk Management Framework (RMF)
- Mandatory for US federal agencies and organizations that handle federal data
NIST RMF • Six step process
Step 1: Categorize - Define the environment
Step 2: Select - Pick appropriate controls
Step 3: Implement - Define proper implementation
Step 4: Assess - Determine if controls are working
Step 5: Authorize - Make a decision to authorize a system
Step 6: Monitor - Check for ongoing compliance
NIST CSF
• National Institute of Standards and Technology Cybersecurity Framework (CSF)
- A voluntary commercial framework
• Framework Core
- Identify, Protect, Detect, Respond, and Recover
• Framework Implementation Tiers
- An organization's view of cybersecurity risk and processes to manage the risk
• Framework Profile
- The alignment of standards, guidelines, and practices to the Framework Core
ISO/IEC frameworks
International Organization for Standardization / International Electrotechnical Commission
• ISO/IEC 27001
- Standard for an Information Security Management System (ISMS)
• ISO/IEC 27002
- Code of practice for information security controls
• ISO/IEC 27701
- Privacy Information Management Systems (PIMS)
• ISO 31000
- International standards for risk management practices
SSAE SOC 2 Type I/II
The American Institute of Certified Public Accountants (AICPA) auditing standard Statement on Standards for Attestation Engagements number 18 (SSAE 18)
• SOC 2 - Trust Services Criteria (security controls)
Firewalls, intrusion detection, and multi-factor authentication
SSAE SOC 2 Type I audit
- Tests controls in place at a particular point in time
SSAE SOC 2 Type II audit
- Tests controls over a period of at least six consecutive months
Cloud Security Alliance (CSA)
• Security in cloud computing
- Not-for-profit organization
• Cloud Controls Matrix (CCM)
- Cloud-specific security controls
- Controls are mapped to standards, best practices, and regulations
Cloud Security Alliance (CSA)
• Enterprise Architecture
- Methodology and tools
- Assess internal IT groups and cloud providers
- Determine security capabilities
- Build a roadmap
Secure configurations
• No system is secure with the default configurations
- You need some guidelines to keep everything safe
• Hardening guides are specific to the software or platform
- Get feedback from the manufacturer or Internet interest group
- They'll have the best details
• Other general-purpose guides are available online
Web server hardening
• Access a server with your browser
- The fundamental server on the Internet
- Microsoft Internet Information Server, Apache HTTP Server, et al.
• Huge potential for access issues
- Data leaks, server access
Web server hardening • Secure configuration
- Information leakage: Banner information, directory browsing
- Permissions: Run from a non-privileged account, configure file permissions
- Configure SSL: Manage and install certificates
- Log files: Monitor access and error logs
Operating system hardening
• Many and varied
- Windows, Linux, iOS, Android, et al.
• Updates
- Operating system updates/service packs, security patches
• User accounts
- Minimum password lengths and complexity
- Account limitations
Operating system hardening • Network access and security
• Network access and security
- Limit network access
• Monitor and secure
- Anti-virus, anti-malware
Application server
• Programming languages, runtime libraries, etc.
- Usually between the web server and the database
- Middleware
• Very specific functionality
- Disable all unnecessary services
Application server • Operating system updates
• Operating system updates
- Security patches
• File permissions and access controls
- Limit rights to what's required
- Limit access from other devices
Network infrastructure devices
• Switches, routers, firewalls, IPS, etc.
- You never see them, but they're always there
• Purpose-built devices
- Embedded OS, limited OS access
• Configure authentication
- Don't use the defaults
Network infrastructure devices • Check with the manufacturer
- Security updates
- Not usually updated frequently
- Updates are usually important