2. Core Principles.pptx
University of Jeddah
Module 1: Core Principles
- The Principle of Least Privilege
- The Core of All Security (CIA, AAA and PPT)
- Prevent / Detect / Respond
- Security by Thirds
- Security Roles and Responsibilities
- The Nature of the Threat

The principle of least privilege
Everyone can do everything they need to do, and NOTHING MORE!
It refers to the concept and practice of limiting/restricting access rights for users to only those resources absolutely required to perform routine and authorized activities: "allowing only the minimum access to perform the required job".
Common mistakes:
1. The security team is too restrictive with its rules and settings, so the employees cannot do their mission, e.g. putting a lot of network security mechanisms in place that may slow down the performance of the network and, accordingly, the productivity of the employees.
2. The last three words ("and nothing more") are often left out of the principle: users are given all the access they need and a lot more.

CIA: Confidentiality, Integrity and Availability
One of the cornerstones of all security: everything done in security addresses these three things.
- Confidentiality: Protecting information from being accessed by unauthorized users. Only those who require access actually have access (the confidentiality of information is protected).
- Integrity: Ensuring the authenticity of information, that information is not altered, and that the source of the information is genuine. Data is edited correctly and by the right people.
- Availability: Information is accessible by authorized users. If you cannot use it, why do you have it?
If you are doing things in your security program that do not address one of these, you are doing the wrong stuff.
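The two "common mistakes" above are the two directions in which a grant can be wrong: too little (people cannot do their job) and too much (the "and nothing more" part is dropped). The following is an added example, not from the slides, showing how a small least-privilege audit compares what each account has been granted against what its job function actually requires; the role names, permission strings and accounts are constructed sample data.

```python
"""Least-privilege audit: compare granted permissions with what the role
requires, and flag both excess ("and nothing more") and missing
("everyone can do everything they need to do") grants.
Added illustration; roles, permissions and accounts are constructed."""
from dataclasses import dataclass, field

# Constructed: the minimum set of permissions each job function needs.
REQUIRED_BY_ROLE = {
    "payroll_clerk": {"payroll:read", "payroll:submit"},
    "helpdesk": {"user:reset_password", "ticket:read", "ticket:write"},
    "dba": {"db:read", "db:write", "db:backup"},
}


@dataclass
class Account:
    name: str
    role: str
    granted: set = field(default_factory=set)


def is_allowed(account: Account, permission: str) -> bool:
    """Deny by default: an action is allowed only if the permission was
    explicitly granted AND belongs to what the account's role requires.
    A stray grant outside the role therefore does not confer access."""
    required = REQUIRED_BY_ROLE.get(account.role, set())
    return permission in account.granted and permission in required


def audit(accounts) -> dict:
    """Return {account name: (excess, missing)} for every account that
    deviates from its role. 'excess' is mistake 2 on the slide (too much
    access); 'missing' is mistake 1 (too restrictive to do the job)."""
    findings = {}
    for acct in accounts:
        required = REQUIRED_BY_ROLE.get(acct.role, set())
        excess = sorted(acct.granted - required)
        missing = sorted(required - acct.granted)
        if excess or missing:
            findings[acct.name] = (excess, missing)
    return findings


# Constructed sample accounts: one over-privileged, one under-privileged,
# one exactly right.
SAMPLE_ACCOUNTS = [
    Account("keith", "payroll_clerk", {"payroll:read", "payroll:submit", "db:write"}),
    Account("dana", "helpdesk", {"ticket:read"}),
    Account("sam", "dba", {"db:read", "db:write", "db:backup"}),
]

if __name__ == "__main__":
    for name, (excess, missing) in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: excess={excess} missing={missing}")
```

Running the audit on the sample data reports Keith's stray `db:write` as excess and Dana's two absent helpdesk permissions as missing, while Sam produces no finding. Note that `is_allowed` refuses Keith's `db:write` even though it is in his granted set, because the check is against the intersection of grant and role requirement rather than the grant alone.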
Applying CIA: Confidentiality, Integrity and Availability
Ideal: three equal parts. This only works in "perfect world security".
Reality: not three equal parts.
- Government and Pharmaceuticals: Confidentiality rules. (AbbVie made $19.94 billion on the sale of Humira® in 2018; $94.15 billion over 1992-2017.)
- Financial: Integrity must be maintained. If I can see your balance, it's not good. If I can change your balance, it is VERY bad!
- E-commerce: Availability is most important. (Amazon's online sales in 2018: $232.91 billion, or $443,132 per minute.)
Use CIA for PRIORITIZATION...

The AAA
Vital pillars of a good security program. The better you implement these three principles, the more secure your organization will be:
- Authentication: The process of verifying someone's identity. Is Keith really Keith?
- Authorization: The process of giving the user permission to access a specific resource or function. While we know Keith is Keith, what can Keith do?
- Accountability: Accountable for what he is authorized to do and for what he is not authorized to do. While we know Keith is Keith, what did Keith do?

The PPT
If you do not have these three things in place, you do not have a security program, or you likely don't have a program that has any possibility of being effective.
- Policy: Broad general statement of management's intent. It is a legal document that spells out the general sense of how management expects the assets of the organization to be protected. Example: strong passwords for all accounts.
- Procedure: The detailed steps to make policy happen; the description and the step-by-step procedures to implement the policies. Example:
  1. Combination of numbers, letters and characters
  2. Not less than 10 digits
  3. Not a sequence
- Training: Users must know what policies and procedures say in order to follow them. You can create the best policies and procedures in the world but not telling anyone what

The Core of All Security
All of these principles need to be considered when implementing security in order to guide all its practices.
- Achieving CIA requires the good implementation of AAA.
- You will not have effective AAA without solid PPT. E.g. employees will not be accountable for their action or lack of action without knowing the policy and procedures and understanding them through training.
- All of these support the fundamental security goal of the Principle of Least Privilege: everyone can do everything they need to do, and nothing more.
All security practices should be guided by all these principles.

Prevent/Detect/Respond (PDR)
Current state of the art; it is as good as it gets:
- Prevent as much as you can.
- Detect anything you cannot prevent, or where the preventive measures fail.
- Respond to what is detected.
Prevention is ideal. Detection is a must. Detection without response is useless.

Security by Thirds
Security professional: the person who is responsible for protecting information in an organization.
A security professional needs to be:
- 1/3 technologist: Technology supports security efforts. To implement technologies to protect information; to communicate with IT system administrators and explain security so that they understand.
- 1/3 manager: To make decisions about the technologies they need to implement, the risk they have and the budget required; to attend board of directors' meetings and talk about security so that the directors understand.
- 1/3 lawyer: To consider all legal and regulatory requirements and issues to protect information (penalties); to go to corporate legal and talk to the lawyers about security in terms they understand.
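The PPT slide's password example is the clearest case on this page of a policy ("strong passwords for all accounts") being turned into a procedure (three concrete rules). As an added example that is not from the slides, here are those three rules written as a check a system could enforce. Two readings are assumptions and are marked as such: "not less than 10 digits" is read as a minimum length of 10 characters, and "not a sequence" is read as no run of four or more consecutive ascending, descending or repeated characters (1234, dcba, aaaa).

```python
"""Password procedure from the slide, as enforceable code.
Rules: (1) mix of numbers, letters and other characters,
(2) at least 10 characters (assumption: the slide's '10 digits' means
length), (3) no sequence (assumption: no run of RUN_LENGTH ascending,
descending or identical characters). Added illustration, not from the
slides."""
import string

MIN_LENGTH = 10   # rule 2
RUN_LENGTH = 4    # rule 3, assumed threshold for what counts as a 'sequence'


def has_character_mix(pw: str) -> bool:
    """Rule 1: at least one digit, one letter and one other character."""
    return (any(c.isdigit() for c in pw)
            and any(c.isalpha() for c in pw)
            and any(c in string.punctuation for c in pw))


def has_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """Rule 3: True if any window of n characters is strictly ascending,
    strictly descending or all identical (checked case-insensitively, so
    'AbCd' is still caught)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        deltas = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if deltas in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str) -> list:
    """Return the names of the rules the password fails; an empty list
    means the password satisfies the procedure."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("min_length")
    if not has_character_mix(pw):
        failures.append("character_mix")
    if has_run(pw):
        failures.append("sequence")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs covering each rule.
    for candidate in ("Tr0ub4dor&3x!", "abcd1234!!", "Short1!", "password12345"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Returning the list of failed rule names rather than a bare boolean lets the enrollment form tell the user which procedure step was missed, which is the training half of PPT: the rule is only useful if the person typing the password learns what it says.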
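The AAA questions (is Keith really Keith, what can Keith do, what did Keith do) and the Prevent/Detect/Respond loop fit together in one small flow: authentication and deny-by-default authorization are the prevention layer, the accountability record is what detection reads, and the response acts on what detection finds. The block below is an added example, not from the slides; the user store, the password, the permission names and the lockout threshold are constructed for the demonstration.

```python
"""AAA plus Prevent/Detect/Respond in one flow. Added illustration, not
from the slides; users, secrets and thresholds are constructed."""
import hashlib
import hmac
import os
from collections import Counter


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen store does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: one identity, its verifier and its allow-list.
# Anything not in "perms" is refused (deny by default).
_SALT = os.urandom(16)
USERS = {
    "keith": {"hash": _hash("Correct-Horse-9!", _SALT),
              "perms": {"report:read"}, "locked": False},
}
AUDIT_LOG = []   # Accountability: every decision, allowed or denied, is recorded.


def authenticate(user: str, password: str) -> bool:
    """Authentication: is Keith really Keith? Constant-time compare."""
    rec = USERS.get(user)
    ok = (rec is not None and not rec["locked"]
          and hmac.compare_digest(rec["hash"], _hash(password, _SALT)))
    AUDIT_LOG.append({"user": user, "event": "auth", "result": "ok" if ok else "fail"})
    return ok


def authorize(user: str, action: str) -> bool:
    """Authorization: we know Keith is Keith, what can Keith do?"""
    ok = action in USERS.get(user, {}).get("perms", set())
    AUDIT_LOG.append({"user": user, "event": "authz", "action": action,
                      "result": "ok" if ok else "deny"})
    return ok


def detect_auth_failures(log, threshold: int = 3) -> list:
    """Detect: accounts with at least `threshold` failed logins in the log
    (the thing prevention could not stop: password guessing)."""
    fails = Counter(e["user"] for e in log
                    if e["event"] == "auth" and e["result"] == "fail")
    return sorted(u for u, n in fails.items() if n >= threshold)


def respond_lock(users) -> list:
    """Respond: lock the flagged accounts. Detection without response is useless."""
    for u in users:
        if u in USERS:
            USERS[u]["locked"] = True
    return list(users)


def run_scenario() -> dict:
    """Constructed scenario: one good login, one allowed and one denied
    action, three bad guesses, then detection and response."""
    AUDIT_LOG.clear()
    USERS["keith"]["locked"] = False
    r = {}
    r["good_login"] = authenticate("keith", "Correct-Horse-9!")
    r["read_ok"] = authorize("keith", "report:read")
    r["write_denied"] = authorize("keith", "report:write")   # "and nothing more"
    for guess in ("hunter2", "letmein", "Password1"):        # constructed guesses
        authenticate("keith", guess)
    r["flagged"] = respond_lock(detect_auth_failures(AUDIT_LOG))
    r["login_after_lock"] = authenticate("keith", "Correct-Horse-9!")
    # Accountability: what did Keith do?
    r["keith_history"] = [e for e in AUDIT_LOG if e["user"] == "keith"]
    return r


if __name__ == "__main__":
    for event in run_scenario()["keith_history"]:
        print(event)
```

Two details carry the page's point. Denied actions are logged just like allowed ones, because accountability covers "what he is not authorized to do" as well; and the lock is enforced inside `authenticate`, so once the response has fired even the correct password is refused until someone reviews the account.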
This is the perfect summation of the career field.

Roles and Responsibilities (1)
Senior Manager: Has legal responsibility to protect the assets of the organization. That gives them the ultimate responsibility for security.
Senior Manager means:
- Commercial (.com) = CEO
- DoD (.mil) = Commander
- Government (.gov) = Director, Secretary, and such
Authority can be delegated; responsibility cannot be. They can delegate the authority to implement security to the Chief Information Security Officer, but the responsibility rests on the Senior Manager's shoulders.

Roles and Responsibilities (2)
- Data Owner: Person with primary responsibility for data. Owners determine classification, protective measures, and more.
- Data Custodian: The person/group that makes the decisions of the owners happen.
- Users: Use data. Are also automatically Data Custodians (provide advice).

The Nature of the Threat (1)
Years ago: we faced teenagers. Today: we face organized crime and nation states. They are well funded, they are highly motivated, and they are making a LOT of money. The Hiscox (Cyber Academy) states that cybercrime cost around half a billion globally in 2017. This completely changes the landscape.

The Nature of the Threat (2)
- Disgruntled Insider: An employee/user from inside the organization who has already been granted some level of access to do his work and has become unhappy, angry or dissatisfied with the organization. Difficult to counter. Tends to be subtle. Often damaging or even devastating.
- Accidental Insider: An employee/user on our network who has no intention of causing damage, but does so by accident. No intent to cause harm: opening email attachments. Common: a user clicks a link or opens an email attachment. In aggregate, more damaging than the disgruntled insider.
- External Insider: Individual or group that has gained remote control access to at least one computer inside the network of the organization. Outside threat source; the end result of the accidental insider (accidental inside threat actor). The most common attack vector.