# Security Frameworks and Controls
Summary
This document provides an overview of security frameworks, emphasizing the importance of security policies and procedures. It explains the concept of the CIA triad, examining confidentiality, integrity, and availability in detail. The document also discusses common security controls like encryption and authentication procedures.
# Frameworks

In an organization, plans are put in place to protect against a variety of threats, risks, and vulnerabilities. The requirements used to protect organizations and people often overlap. Because of this, organizations use security frameworks as a starting point to create their own security policies and processes.

## Security Frameworks

Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy, such as social engineering attacks and ransomware.

* Security involves more than just the virtual space. It also includes the physical, which is why many organizations have plans to maintain safety in the work environment.
  * **EX:** Access to a building may require using a key card or badge.
* Other security frameworks provide guidance for how to prevent, detect, and respond to security breaches. This is particularly important when trying to protect an organization from social engineering attacks like phishing that target its employees.

## People Are the Biggest Threat to Security

Frameworks can be used to create plans that increase employee awareness and educate employees about how they can protect the organization, their co-workers, and themselves. Educating employees about existing security challenges is essential for minimizing the possibility of a breach. Providing employee training about how to recognize red flags, or potential threats, is essential, along with having plans to quickly report and address security issues.

*As an analyst, it is important to understand and implement the plans your organization has in place to keep the organization, its employees, and the people it serves safe from social engineering attacks, breaches, and other harmful security incidents.*

**Frameworks** are used to create plans to address security risks, threats, and vulnerabilities. **Controls** are used to reduce specific risks.
## Three Common Controls: Encryption, Authentication, Authorization

* **SECURITY CONTROLS** are one element of a core security model, the **CIA triad**.
* The **CIA triad** helps to protect your organization's sensitive assets and data from threat actors.

## Confidentiality, Integrity, Availability (CIA) Triad

The CIA triad is a model that helps inform how organizations consider risk when setting up systems and security policies.

### Security Controls

Security controls are safeguards designed to reduce specific security risks. If proper controls are not in place, an organization could face significant financial impacts and damage to its reputation because of exposure to risks such as trespassing, creation of fake employee accounts, or fraudulent provision of free benefits.

#### Encryption

Encryption is the process of converting data from a readable format to an encoded format. Typically, encryption involves converting data from plaintext to ciphertext. It is used to ensure confidentiality of sensitive data, such as customers' account information or social security numbers. Ciphertext is the encoded form of the message: it carries no usable meaning to a person or a program that does not hold the key, and it cannot be read until it has been decrypted into its original plaintext form.

#### Authentication

Authentication is the process of verifying who someone or something is.

* **EX:** Logging into a website with your username and password. This basic form of authentication proves that you know the username and password and should be allowed to access the website.
* A more advanced method of authentication, **multi-factor authentication (MFA)**, challenges the user to demonstrate that they are who they claim to be by requiring both a password and an additional form of authentication, like a security code (for example a time-based one-time code from an authenticator app) or biometrics, such as a fingerprint, voice, or face scan.
* **Biometrics** are unique physical characteristics that can be used to verify a person's identity.
  * **EX:** fingerprint, eye scan, or palm scan.
#### Vishing

Vishing is a social engineering attack that can exploit voice biometrics. It is the exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source. It could be used to impersonate a person's voice to steal their identity and then commit a crime.

#### Authorization

Authorization refers to the concept of granting access to specific resources within a system. Essentially, authorization is used to verify that a person has permission to access a resource. Authentication establishes who the user is; authorization decides what that user may do.

* **EX:** Working as an entry-level security analyst for the federal government, you could have permission to access data through the deep web or other internal data that is only accessible if you're a federal employee.

## Explore the CIA Triad

The CIA triad is a core security model that will help protect your organization's sensitive assets and data from threat actors. It helps inform how organizations consider risk when setting up systems and security policies.

## Confidentiality, Integrity, Availability (CIA) Triad

* **Confidentiality:** Only authorized users can access specific assets or data. Sensitive data should be available on a "need to know" basis, so that only authorized users handle certain assets or data.
  * **EX:** If you work for a bank or another large organization, there are large amounts of private data. The **confidentiality principle** is essential because the bank must keep people's personal and financial information safe.
* **Integrity:** The data is correct, authentic, and reliable. Determining the integrity of data and analyzing how it's used will help you decide whether the data can or cannot be trusted. One way to verify data integrity is **CRYPTOGRAPHY**.
  * **CRYPTOGRAPHY** is used to transform data so unauthorized parties cannot read or tamper with it.
  * **EX:** An organization might protect messages on its internal chat platform with **encryption**, so unauthorized parties cannot read them, combined with a message authentication code (MAC) or digital signature, so any tampering is detected.
  * **Encryption** is the process of converting data from a readable format to an encoded format. It prevents unauthorized parties from reading data. Encryption by itself only hides content: ciphertext can still be altered in transit by someone who does not hold the key, so protecting integrity requires an additional check such as a MAC or digital signature. This is why modern systems use authenticated encryption rather than encryption alone.
  * **EX:** The principle of **integrity** is also a priority for a bank. If a person's spending habits or purchasing locations change dramatically, the bank will likely disable access to the account until it can verify that the account owner, not a threat actor, is actually the one making purchases.
* **Availability:** The data is accessible to those who are authorized to access it. When a system adheres to both the availability and confidentiality principles, data can be used when needed by the people entitled to it.
  * **EX:** In the workplace, an organization allows remote employees to access its internal network to perform their jobs. Access to data on the internal network is still limited, depending on what type of access employees need to do their jobs. Working in the accounting department, you might need access to corporate accounts but not to data related to ongoing development projects.
  * **Inaccessible data** isn't useful and can prevent people from being able to do their jobs.
  * **EX:** The **availability** principle is also critical for a bank. Banks put a lot of effort into making sure that people can access their account information easily on the web. To ensure that information is protected from threat actors, banks use a validation process to help minimize damage if they suspect that customer accounts have been compromised.

## Security Posture

* **SECURITY POSTURE** - an organization's ability to manage its defense of critical assets and data and react to change.
* **CIA Triad** - **confidentiality, integrity, availability** - three core principles used to protect your organization and the people it serves.
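Why encryption alone does not give integrity, and what adding a MAC changes, as an added example that is not part of the course notes. The stream cipher below is a toy built from HMAC-SHA256 in counter mode so the code runs with only the standard library (a real system would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305); the keys and the internal "transfer" message are constructed for the demo.

```python
"""Added example: a malleable stream cipher versus encrypt-then-MAC.
The toy cipher, keys and message are assumptions for the demo, not course code.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


decrypt = encrypt


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Bit-flipping attack: without the key, turn the known plaintext `old` at `offset`
    into `new`. Works on any stream/CTR-mode cipher because C ^ old ^ new decrypts to new."""
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any edit is detected."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on any mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return decrypt(enc_key, nonce, ct)


# Constructed demo: an internal message whose amount field an attacker wants to change.
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
MESSAGE = b"transfer amount=0100 to=alice"
AMOUNT_OFFSET = MESSAGE.index(b"0100")


def demo_without_mac() -> bytes:
    """What the receiver decrypts after tampering: the forged amount, accepted silently."""
    nonce = os.urandom(16)
    ct = encrypt(ENC_KEY, nonce, MESSAGE)
    forged = tamper(ct, AMOUNT_OFFSET, b"0100", b"9900")
    return decrypt(ENC_KEY, nonce, forged)


def demo_with_mac() -> str:
    """'rejected' if encrypt-then-MAC catches the same tampering, else 'accepted'."""
    nonce = os.urandom(16)
    blob = seal(ENC_KEY, MAC_KEY, nonce, MESSAGE)
    forged = tamper(blob, 16 + AMOUNT_OFFSET, b"0100", b"9900")  # skip the 16-byte nonce
    try:
        open_sealed(ENC_KEY, MAC_KEY, forged)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("encryption only  ->", demo_without_mac())
    print("encrypt-then-MAC ->", demo_with_mac())
```

The attacker never learns the key and never reads the message; knowing only where the amount sits in the plaintext is enough to rewrite it under encryption alone. The MAC is what turns "unreadable" into "unmodifiable", and it is verified before decryption so a forged message is never processed.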
## Three Elements Cybersecurity Analysts and Organizations Work Towards Upholding: CIA

## National Institute of Standards and Technology

* **NIST** is a US-based organization; the guidance it provides can help analysts all over the world understand how to implement essential cybersecurity practices.

## NIST Frameworks

Organizations use **frameworks** as a starting point to develop plans that mitigate risks, threats, and vulnerabilities to sensitive data and assets. Organizations worldwide create frameworks that are used to develop those plans. Two NIST publications can support ongoing security efforts for all types of organizations, including for-profit and non-profit businesses, as well as government agencies.

* **NIST Cybersecurity Framework (CSF):** A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. This framework is widely respected and useful for maintaining security regardless of the organization. Its core functions provide specific guidance and direction for security professionals. The framework is used to develop plans to handle an incident appropriately and quickly to lower risk, protect an organization against a threat, and mitigate any potential vulnerabilities. Protection of United States federal government systems is covered by a separate NIST publication, Special Publication 800-53.
* **NIST Special Publication (SP) 800-53:** Provides a unified framework (a catalog of security and privacy controls) for protecting the security of information systems within the federal government, including the systems provided by private companies for federal government use. Because they are core elements of the security profession, the NIST CSF and SP 800-53 are crucial if you have an interest in working for the US federal government.

## Security Controls

The **SECURITY CONTROLS** provided by SP 800-53 are used to maintain the CIA triad for systems used by the government.
## NIST Cybersecurity Framework (CSF) - Five Core Functions

* **IDENTIFY**, **PROTECT**, **DETECT**, **RESPOND**, **RECOVER**. These core functions help organizations manage cybersecurity risks, implement risk management strategies, and learn from previous mistakes. (CSF 2.0, published by NIST in February 2024, adds a sixth function, **GOVERN**, covering the organization's cybersecurity risk management strategy, expectations, and policy; the five functions below are unchanged.)
* When it comes to **SECURITY OPERATIONS**, NIST CSF functions are key for making sure an organization is protected against potential threats, risks, and vulnerabilities. Each function can be used to improve an organization's security.
* **1st IDENTIFY:** Related to the management of cybersecurity risk and its effect on an organization's people and assets.
  * **EX:** As a security analyst, you may be asked to monitor systems and devices in your organization's internal network to identify potential security issues.
* **2nd PROTECT:** The strategy used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats.
  * **EX:** As a security analyst, you and your team might encounter new and unfamiliar threats and attacks. For this reason, studying historical data and making improvements to policies and procedures is essential.
* **3rd DETECT:** Identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections.
  * **EX:** As an analyst, you might be asked to review a new security tool's setup to make sure it's flagging low, medium, or high risk, and then alerting the security team about any potential threats or incidents.
* **4th RESPOND:** Making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process.
  * **EX:** As an analyst, you could be working with a team to collect and organize data to document an incident and suggest improvements to the process to prevent the incident from happening again.
* **5th RECOVER:** The process of returning affected systems back to normal operation.
  * **EX:** As an entry-level security analyst, you might work with your security team to restore systems, data, and assets, such as financial or legal files, that have been affected by an incident or breach.

From **proactive** to **reactive** measures, all five functions are essential for making sure that an organization has effective security strategies in place. Security incidents are going to happen, so an organization must have the ability to quickly recover from any damage caused by an incident to minimize its level of risk.

## Open Web Application Security Project (OWASP) Security Principles

There are principles and guidelines that can be used, along with **NIST frameworks** and the **CIA triad**, to help security teams minimize threats and risks. **Security principles** are embedded in your daily tasks, whether you are analyzing logs, monitoring a security information and event management (SIEM) dashboard, or using a vulnerability scanner.

* **VULNERABILITY SCANNER** - A network tool (hardware and/or software) that scans network devices to identify generally known vulnerabilities (such as published CVEs) and organization-specific weaknesses. It may do this based on a wide range of signature strategies. It is used to identify hosts, host attributes, and associated vulnerabilities.
* **1st Principle: minimize the attack surface area.**
  * **ATTACK SURFACE** - all the potential vulnerabilities that a threat actor could exploit, reached through attack vectors.
  * **ATTACK VECTORS** - the pathways attackers use to penetrate security defenses.
  * **EX:** Common attack vectors are phishing emails and weak passwords. To minimize the attack surface and avoid incidents from these types of vectors, security teams might disable unneeded software features, restrict who can access certain assets, or establish more complex password requirements.
* **2nd Principle: least privilege.** Make sure that users have the least amount of access required to perform their everyday tasks. The main reason is to reduce the amount of damage a security breach could cause.
* **3rd Principle: defense in depth.** An organization should have multiple security controls that address risks and threats in different ways.
  * **EX:** One **SECURITY CONTROL** is multi-factor authentication (MFA), which requires users to take an additional step beyond simply entering their username and password to gain access to an application.
  * **OTHER CONTROLS** include firewalls, intrusion detection systems, and permission settings. Together they create multiple points of defense that a threat actor must get through to breach an organization.
* **4th Principle: separation of duties.** This can be used to prevent individuals from carrying out fraudulent or illegal activities. No one should be given so many privileges that they can misuse the system.
  * **EX:** The person who signs the paychecks shouldn't be the same person who prepares them.
* **5th Principle: keep security simple.** When implementing security controls, unnecessarily complicated solutions should be avoided because they can become unmanageable.
  * **EX:** The more complex the security controls are, the harder it is for people to work collaboratively.
* **6th Principle: fix security issues correctly.** Technology is a great tool but can also present challenges.
  * **EX:** When a security incident occurs, security professionals are expected to identify the root cause quickly. From there, it's important to correct any identified vulnerabilities and conduct tests to ensure that the repairs are successful.
  * **EX:** An example of an issue is a weak password for an organization's Wi-Fi, because it could lead to a breach. To fix this type of security issue, stricter password policies could be put in place.
* **7th Principle: establish secure defaults.** The optimal security state of an application is also its default state for users; it should take extra work to make the application insecure.
* **8th Principle: fail securely.** When a control fails or stops, it should do so by defaulting to its most secure option.
  * **EX:** When a firewall fails, it should simply close all connections and block all new ones, rather than start accepting everything.
* **9th Principle: don't trust services.**
  * **EX:** Many organizations work with third-party partners. These outside partners often have different security policies than the organization does, and the organization shouldn't implicitly trust that its partners' systems are secure. If a third-party vendor tracks reward points for airline customers, the airline should ensure that the balance is accurate before sharing that information with its customers.
* **10th Principle: avoid security by obscurity.** The security of key systems should not rely on keeping details hidden.
  * **EX:** According to OWASP's Security by Design Principles (2016), the security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.

**You will constantly apply security principles to safeguard organizations and the people they serve. You can use the security principles to promote safe development practices that reduce risks to companies and users alike.**

## Plan a Security Audit / Planning Elements

Frameworks, controls, security principles, and compliance regulations: **how do they all work together?** By conducting security audits.

## Two Types of Audits: Internal and External Security Audits

* **An entry-level analyst** contributes by helping with internal security audits.
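The authorization concept from the CIA section and the least-privilege, separation-of-duties, secure-defaults and fail-securely principles listed above, combined in one authorization check, as an added example that is not part of the course notes. It uses the paycheck scenario from the separation-of-duties principle; the roles, permissions, user names and audit-log format are constructed for the demo, and a real system would load its policy from a reviewed, version-controlled source and write its audit log somewhere tamper-evident.

```python
"""Added example: deny-by-default authorization with least privilege,
separation of duties and fail-securely. Roles, permissions, names and log
format are assumptions for the demo, not course code.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Least privilege: each role carries only the permissions its everyday tasks need.
# A permission that is not listed here is not granted to anyone (secure default).
ROLE_PERMISSIONS = {
    "accounting":      {"accounts:read", "payroll:prepare"},
    "finance_manager": {"accounts:read", "payroll:approve"},
    "developer":       {"repo:read", "repo:write"},
}


class AccessDenied(Exception):
    """Raised on every refusal, so a caller never receives a partial result (fail securely)."""


@dataclass
class PayrollRun:
    run_id: str
    prepared_by: Optional[str] = None
    approved_by: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)


def is_allowed(roles: Set[str], permission: str) -> bool:
    """Deny by default: True only for an explicit grant. Unknown roles grant nothing."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def require(run: PayrollRun, user: str, roles: Set[str], permission: str) -> None:
    """Enforce one permission and record the decision either way (audit control)."""
    if not is_allowed(roles, permission):
        run.audit_log.append(f"DENY  user={user} perm={permission} run={run.run_id}")
        raise AccessDenied(f"{user} lacks {permission}")
    run.audit_log.append(f"ALLOW user={user} perm={permission} run={run.run_id}")


def prepare_payroll(run: PayrollRun, user: str, roles: Set[str]) -> PayrollRun:
    require(run, user, roles, "payroll:prepare")
    run.prepared_by = user
    return run


def approve_payroll(run: PayrollRun, user: str, roles: Set[str]) -> PayrollRun:
    """Separation of duties: holding payroll:approve is necessary but not sufficient;
    the person who prepared the run may never be the one who approves it."""
    require(run, user, roles, "payroll:approve")
    if run.prepared_by is None:
        raise AccessDenied("nothing to approve")
    if run.prepared_by == user:
        run.audit_log.append(
            f"DENY  user={user} perm=payroll:approve run={run.run_id} reason=separation-of-duties")
        raise AccessDenied("preparer cannot approve their own payroll run")
    run.approved_by = user
    return run


def approval_outcome(run: PayrollRun, user: str, roles: Set[str]) -> str:
    """Wraps approve_payroll so the decision is a value: 'approved' or 'denied'."""
    try:
        approve_payroll(run, user, roles)
        return "approved"
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    run = prepare_payroll(PayrollRun("2024-06"), "bob", {"accounting"})
    print(approval_outcome(run, "bob", {"accounting"}))                     # denied: no approve permission
    print(approval_outcome(run, "bob", {"accounting", "finance_manager"}))  # denied: separation of duties
    print(approval_outcome(run, "eve", {"ceo"}))                            # denied: unknown role grants nothing
    print(approval_outcome(run, "carol", {"finance_manager"}))              # approved
    print("\n".join(run.audit_log))
```

Note the order of the checks in `approve_payroll`: the permission check runs first, then the separation-of-duties rule, and each refusal is logged and raised rather than returning a half-updated run. Giving bob both roles does not let him approve his own run, which is the point of the principle: privilege accumulation is caught at the transaction, not only at role assignment.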
## Security Audit

**SECURITY AUDIT** - a review of an organization's security controls, policies, and procedures against a set of expectations.

## Internal Security Audit

**INTERNAL SECURITY AUDIT** - typically conducted by a team of people that might include an organization's compliance officer, security manager, and other security team members. Internal audits are used to help improve an organization's security posture and help organizations avoid fines from governing agencies due to a lack of compliance.

## Internal Security Audits Help Security Teams:

* Identify organizational risk
* Assess controls
* Correct compliance issues

## Common Elements of an Internal Audit

These elements include establishing the scope and goals of the audit, conducting a risk assessment of the organization's assets, completing a controls assessment, assessing compliance, and communicating results to stakeholders.

## Planning Elements of Internal Security Audits

The first two elements are part of the **AUDIT PLANNING PROCESS**: establishing the scope and goals, then completing a risk assessment.

## Establishing the Scope and Goals

**SCOPE** - the specific criteria of an internal security audit. Scope requires organizations to identify the people, assets, policies, procedures, and technologies that might impact the organization's security posture.

**GOALS** - an outline of the organization's security objectives, or what it wants to achieve in order to improve its security posture.

*Although more senior-level team members and other stakeholders usually establish the scope and goals of the audit, entry-level analysts might be asked to review and understand the scope and goals in order to complete other elements of the audit.*

**EX:** In the example audit shown in the course, the scope lists what is involved: assessing user permissions; identifying existing controls, policies, and procedures; and accounting for the technology currently in use by the organization.
The goals outlined include implementing core functions of frameworks, like NIST CSF; establishing policies and procedures to ensure compliance; and strengthening system controls.

## Conducting a Risk Assessment of the Organization's Assets

The risk assessment is focused on identifying potential threats, risks, and vulnerabilities. This helps organizations consider what security measures should be implemented and monitored to ensure the safety of assets. It is often completed by managers or other stakeholders.

* An analyst might be asked to analyze details provided in the risk assessment to consider what types of controls and compliance regulations need to be in place to help improve the organization's security posture.

**EX:** In the example audit shown in the course, the risk assessment highlights that there are inadequate controls, processes, and procedures in place to protect the organization's assets. Specifically, there is a lack of proper management of physical and digital assets, including employee equipment. Equipment used to store data is not properly secured. Access to private information stored in the organization's internal network likely needs more robust controls in place.

## To-Do List

* Review the scope
* Review the goals
  * What is the audit meant to achieve?
  * Which assets are most at risk?
  * Are controls sufficient to protect those assets?
  * If not, what controls and compliance regulations need to be implemented?

These questions will support your ability to complete the next element, the controls assessment.

## Complete a Security Audit

The remaining elements are: completing a controls assessment, assessing compliance, and communicating results.
## Completing a Controls Assessment

A controls assessment involves closely reviewing an organization's existing assets, then evaluating potential risks to those assets, to ensure internal controls and processes are effective.

## To Do This, You Classify Controls Into Categories:

* **Administrative Controls**
* **Technical Controls**
* **Physical Controls**

## Administrative / Managerial Controls

* Administrative controls are related to the human component of cybersecurity. They include policies and procedures that define how an organization manages data and clearly define employee responsibilities, including their role in protecting the organization.
* Administrative controls are typically policy-based; the enforcement of those policies may require the use of technical or physical controls, such as technical enforcement of a password policy.

## Technical Controls

* Technical controls consist of hardware and software solutions used to protect assets, such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), antivirus (AV) products, encryption, etc.

## Physical Controls

* Physical controls refer to measures put in place to prevent physical access to protected assets, such as surveillance cameras, door and cabinet locks, badge readers, etc. They are used to limit physical access to physical assets by unauthorized personnel.

## Assessing Compliance Regulations

This element is determining whether or not the organization is adhering to necessary compliance regulations.

**Compliance regulations** are laws and regulations (and, for some organizations, contractually required industry standards such as PCI DSS) that organizations must follow to ensure private data remains secure.

## Communication

Once the internal security audit is complete, results and recommendations need to be communicated to stakeholders.

* This type of communication summarizes the scope and goals of the audit.
* It then lists existing risks and notes how quickly those risks need to be addressed.
* It also identifies compliance regulations the organization needs to adhere to and provides recommendations for improving the organization's security posture.

## Control Types

Control types include, but are not limited to:

* **Preventative Controls** - designed to prevent an incident from occurring in the first place.
* **Corrective Controls** - used to restore an asset after an incident.
* **Detective Controls** - implemented to determine whether an incident has occurred or is in progress.
* **Deterrent Controls** - designed to discourage attacks.

## Glossary Terms From Module 2

Terms and definitions from Course 2, Module 2:

* **Asset:** An item perceived as having value to an organization
* **Attack Vectors:** The pathways attackers use to penetrate security defenses
* **Authentication:** The process of verifying who someone is
* **Authorization:** The concept of granting access to specific resources in a system
* **Availability:** The idea that data is accessible to those who are authorized to access it
* **Biometrics:** The unique physical characteristics that can be used to verify a person's identity
* **Confidentiality:** The idea that only authorized users can access specific assets or data
* **Confidentiality, Integrity, Availability (CIA) Triad:** A model that helps inform how organizations consider risk when setting up systems and security policies
* **Detect:** A NIST core function related to identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections
* **Encryption:** The process of converting data from a readable format to an encoded format
* **Identify:** A NIST core function related to management of cybersecurity risk and its effect on an organization's people and assets
* **Integrity:** The idea that the data is correct, authentic, and reliable
* **National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF):** A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk
* **National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53:** A unified framework for protecting the security of information systems within the U.S. federal government
* **Open Web Application Security Project / Open Worldwide Application Security Project (OWASP):** A non-profit organization focused on improving software security
* **Protect:** A NIST core function used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats
* **Recover:** A NIST core function related to returning affected systems back to normal operation
* **Respond:** A NIST core function related to making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process
* **Risk:** Anything that can impact the confidentiality, integrity, or availability of an asset
* **Security Audit:** A review of an organization's security controls, policies, and procedures against a set of expectations
* **Security Controls:** Safeguards designed to reduce specific security risks
* **Security Frameworks:** Guidelines used for building plans to help mitigate risk and threats to data and privacy
* **Security Posture:** An organization's ability to manage its defense of critical assets and data and react to change
* **Threat:** Any circumstance or event that can negatively impact assets