Balancing Security and Access

Questions and Answers

Which of the following is a disadvantage of the bottom-up approach to InfoSec implementation?

  • Dedicated funding
  • Leverages technical expertise of admins
  • Strong executive support
  • Lacks organizational support and long-term viability (correct)

In the context of information security, achieving perfect security is a realistic and attainable goal.

False (B)

What is the primary goal of data security?

protect sensitive data

A(n) _________ manipulates users into divulging confidential information, such as through phishing.

social engineer

Match the following SDLC phases with their security-focused adaptations in the SecSDLC:

  • Investigation = Define security policies
  • Analysis = Study threats, legal issues, and perform risk management
  • Logical Design = Plan incident response, disaster recovery, and continuity
  • Physical Design = Select security technologies

Which role is typically responsible for determining data classification and security policies within an organization?

Data Owner (B)

An Intrusion Detection System (IDS) actively blocks malicious traffic, preventing it from entering the network.

False (B)

What is the initial step in the vulnerability management lifecycle?

discover

A long-term intrusion to harvest data, such as creating backdoors for undetected access, is known as a(n) _________.

advanced persistent threat

Match each category of cyber threat intelligence with its description:

  • Strategic = High-level trends, such as cybercrime reports
  • Tactical = Threat actor TTPs (Tactics, Techniques, Procedures)

What is the primary purpose of Network Security?

Protecting networks from unauthorized access/misuse (B)

End users do not play a significant role in ensuring the effectiveness of security controls within an organization.

False (B)

What is the aim of Cyber Terrorists?

to disrupt critical infrastructure or national security

A program that encrypts files or locks systems for ransom is classified as _________.

ransomware

Match the following network security tools with their functionality:

  • Firewall = Monitors traffic between trusted/untrusted networks
  • Antimalware = Detects and removes malware
  • VPN = Encrypts data over public networks

Which of the following best describes the 'Security by Design' principle?

Integrating security measures from the initial stages of system development. (C)

A holistic approach to information security involves focusing solely on technological solutions, without considering policies or user awareness.

False (B)

What is the main goal of CSPM?

minimize entry points for attackers

Using HTTPS to protect data when it is being transmitted over a network would be an example of protecting data _________.

in transit

Match the responsibilities with the correct SDLC phases:

  • Investigation = Define project scope, costs, and feasibility
  • Analysis = Assess current systems and integration needs
  • Implementation = Build, test, and deploy the system

Flashcards

Information Security Solution

Balancing security with usability, allowing reasonable access while mitigating threats.

Bottom-Up Approach

A security implementation started by system administrators, often a grassroots effort.

Top-Down Approach

A security implementation initiated by upper management like the CEO, CIO, or CISO.

Security SDLC (SecSDLC)

A structured methodology for implementing systems, adapted for security.

Security step during investigation

Categorizing the potential impact of a system (low, moderate, high).

SecSDLC Investigation

Defining security policies (e.g., EISP) during the investigation phase.

SecSDLC Analysis Phase

Studying threats and legal issues, performing risk management during analysis.

SecSDLC Logical Design Phase

Planning incident response, disaster recovery, and business continuity.

SecSDLC Maintenance

Constant adaptation to evolving threats during the maintenance phase.

Data Owner

Senior management, like the CIO, responsible for data classification and security policies.

Data User

All employees, responsible for data security in daily tasks.

Vulnerability

A weakness in systems, controls, or procedures that can be exploited.

Threat Event

An incident exploiting vulnerabilities, like a data breach.

What are 'Attackers'?

Use scripts for thrill/challenge, like DDoS attacks.

Foreign Intelligence

Cyber espionage to target national infrastructure or sensitive data.

Logic Bomb

Code that triggers malicious actions under specific conditions.

Network Security

Protects computer networks from unauthorized access/misuse.

Firewall

Monitors traffic between trusted and untrusted networks.

Antimalware

Detects and removes malware.

IDS vs. IPS

IDS alerts on suspicious activity, whereas IPS actively blocks threats.

Study Notes

  • Information security implementation involves balancing security and access to protect data and systems

Balancing Information Security and Access

  • Perfect information security is unattainable; security should be approached as a process, not a final goal
  • The dilemma involves the inherent conflict between unrestricted access and complete security
  • Unrestricted access heightens security risks
  • Complete security makes systems unusable
  • The solution strikes a balance, allowing reasonable access while mitigating potential threats
  • Encryption is vital for safeguarding organizational secrets
  • Over-focusing on security can hinder end-user productivity, even when both security teams and users are aligned with organizational goals
  • Data should be available when and where needed, while identifying the risks such as data loss, damage, interception, or destruction

Approaches to InfoSec Implementation

  • There are two types of InfoSec implementation: bottom-up and top-down

Bottom-Up Approach

  • Bottom-up implementation originates from systems administrators

Top-Down Approach

  • Top-down implementation is initiated by upper management, such as the CEO, CIO, and CISO
  • Employs a structured Systems Development Life Cycle (SDLC)
  • This approach benefits from strong executive support, dedicated funding, and clear accountability
  • A CIO or VP-IT typically champions the adoption
  • Joint Application Development (JAD) teams are used to ensure usability

Systems Development Life Cycle (SDLC)

  • The SDLC is a structured methodology, adapted for security as the Security SDLC (SecSDLC)

Phases of SDLC (Waterfall Model)

  • Investigation involves defining the project scope, costs, and feasibility
  • The security step of investigation categorizes the system's potential impact (low/moderate/high risk)
  • Analysis entails assessing current systems and integration needs and conducting preliminary risk assessments
  • Logical Design focuses on creating an implementation-independent blueprint; it also involves risk assessments and defining security requirements (functional and assurance)
  • Physical Design focuses on selecting specific technologies (make-or-buy decisions)
  • Implementation involves building, testing, and deploying the system
  • Security steps include certification to verify control effectiveness and accreditation via senior management approval
  • Maintenance & Change is the longest phase, covering updates, patches, and monitoring; its security steps involve continuous monitoring of controls and data/media sanitization

Securing the SDLC (SecSDLC)

  • Key adaptations for security include investigation, analysis, logical design, physical design, implementation, and maintenance
  • Investigation defines security policies, such as an Enterprise Information Security Policy, and Analysis studies threats and legal issues, performing risk management
  • Logical design involves planning incident response, disaster recovery, and continuity
  • Physical Design focuses on selecting security technologies, like firewalls and encryption
  • Implementation trains users and tests security solutions and Maintenance involves constant adaptation to evolving threats

Critical Principles

  • Security should be integrated from the start, not as an afterthought
  • Proactive security reduces long-term costs

Information Security: Security Professionals & Threats and Vulnerabilities

  • There are different roles for InfoSec implementation: data owner, data custodian, data user
  • Data Owner (senior management) determines data classification and security policies
  • Data Custodian (CISO or sysadmin) implements security procedures (e.g., backups, policies)
  • Data User (all employees) is responsible for data security in daily tasks

Threats and Vulnerabilities Definitions

  • Vulnerability is a weakness in systems, controls, or procedures
  • Threat Source can be adversarial (malicious actors like hackers) or non-adversarial (natural disasters or human errors)
  • Threat Event is an incident exploiting vulnerabilities, such as a data breach

Adversarial Threat Sources & Events

  • Includes social media exploitation, social engineering, advanced persistent threats, and insider threats
  • Social Media Exploitation uses fake accounts to spread malware
  • Social Engineering manipulates users into divulging confidential information
  • APT is a long-term intrusion to harvest data
  • Insider threats include employee sabotage such as terminated employees deleting data, crashing systems, or stealing information

Malicious Hackers

  • Attackers use scripts for thrill/challenge (e.g., DDoS attacks) and Bot-Network Operators control compromised systems for spam, phishing, or malware distribution
  • Criminal Groups engage in ransomware, extortion, and industrial espionage
  • Foreign Intelligence conducts cyber espionage to target national infrastructure or sensitive data
  • Phishers/Spammers distribute malicious emails or spyware
  • Cyber Terrorists disrupt critical infrastructure or national security

Non-Adversarial Threat Sources & Events

  • Human errors include data entry mistakes, programming bugs, and misconfigurations
  • Mitigation strategies include training programs and robust input validation
  • Loss of infrastructure refers to power outages, natural disasters, or civil unrest

Malicious Code

  • Viruses attach to executables and activate upon execution, distributing a payload
  • Trojan Horses disguise themselves as legitimate software
  • Worms are self-replicating and spread via networks
  • Logic Bombs trigger malicious actions under specific conditions
  • Ransomware encrypts files or locks systems for ransom

Information Security: Policies and Best Practices

  • Network security, application security, data security, endpoint security, mobile security, cloud security, and IoT (Internet of Things) security are types of information security

Network Security

  • Protects computer networks from unauthorized access/misuse
  • Firewalls monitor traffic, antimalware detects and removes malware, IDS/IPS detect or block suspicious activity, and VPNs encrypt data
  • Cloud-based tools delegate security responsibilities to cloud providers

Application Security

  • Secures software from threats (e.g., SQL injection, XSS) through secure coding, penetration testing, and vulnerability assessments
  • Focuses on securing software from threats like SQL injection and cross-site scripting (XSS)

Data Security

  • Protects sensitive data via encryption, access controls, and backups

Endpoint Security

  • Secures devices (laptops, mobiles, IoT) with traditional tools (antivirus, firewalls) and advanced solutions, such as Endpoint Detection and Response (EDR) for zero-day threats

Mobile Security

  • Secures financial information, personal data, and work documents via Mobile Device Management (MDM) and secure app development

IoT Security

  • Concerns device authentication, network security, and data privacy

Key Components of Information Security Policies

  • The key components of information security policies are purpose, scope, roles and responsibilities, access control, incident response, and training
  • Purpose defines objectives and organizational commitment, scope defines personnel covered
  • Roles & Responsibilities defines duties of management, IT staff, and employees and Access Control defines rules for user authentication
  • Incident Response outlines procedures for detecting and mitigating security incidents and Training lists regular security awareness programs for employees

Firewalls

  • Filter traffic based on IP/port/protocol rules and are hardware or software based

Intrusion Detection System (IDS)

  • Alerts on suspicious activity

Intrusion Prevention System (IPS)

  • Actively blocks threats

Security Incident & Event Management (SIEM)

  • SIEM features include log collection and analysis, real-time alerts, and compliance reporting

Vulnerability Management

  • The lifecycle of vulnerability management is to Discover → Prioritize → Assess → Report → Remediate → Verify

Tactics Against Intruders

  • Attack surface management minimizes entry points, and Cloud Security Posture Management (CSPM) covers misconfiguration detection and continuous threat monitoring
  • Incident Response Plan phases are preparation, detection, analysis, containment, and recovery
  • DevSecOps integrates security into the software development lifecycle

Red Team vs Blue Team

  • Red Teams perform offensive security and Blue Teams are responsible for defensive security
  • Red teams perform ethical hacking, exploiting vulnerabilities to test defenses
  • Blue teams focus on infrastructure protection and incident response and perform threat hunting

Security Procedures

  • Internal penetration testing simulates insider threats, while external penetration testing simulates outside hackers
  • Vulnerability management focuses on scanning and patch management systems
  • Data encryption protects data in transit and at rest
  • Strong authentication uses Multifactor Authentication (MFA), and user training covers phishing and password hygiene; both are essential for a robust security posture
  • Holistic policies, security technologies, and employee programs should be adopted together to create a strong security posture
