Chap1_SecurityFundamental.pdf

Full Transcript


CompTIA Security+ Certification Exam SY0-701
Copyright © 2020 30 Bird Media LLC

Course Objectives
You will know how to:
- Correctly use fundamental security terminology, identify common threat sources, and describe organizational security strategies
- Conduct risk assessments, categorize security auditing procedures, and plan vulnerability management
- Identify social engineering techniques, practice organizational security through organizational policies, and plan user training
- Explain common cryptographic techniques and standards, and identify public key infrastructure concepts
- Describe common network attacks, and categorize traffic management devices like firewalls and packet filters
- Identify network security devices, supply transport encryption, and harden networks
- Explain authentication factors, and understand network authentication protocols
- Compare access control models, apply file-level access control, and centrally manage account security
- Categorize common host attacks and vulnerabilities, and identify the security ramifications of various popular system architectures
- Choose appropriate physical security controls and protect data through its life cycle
- Secure hosts in the enterprise and manage mobile devices
- Describe application attack techniques, and oversee secure development processes
- Plan for disaster through business continuity plans, fault tolerant systems, and data backups
- Use monitoring and logging systems to detect security threats, and respond to incidents

Chapter 1: Security fundamentals
You'll learn how to:
- Identify basic security concepts
- Describe threat sources and threat intelligence
- Participate in enterprise security planning

Module A: Security concepts
You will learn how to:
- Describe basic security concepts
- Categorize security controls
- Identify key principles of identifying security incidents

About assets and threats
- An asset can be anything of value to your organization
- A threat is anything that can harm an asset

What is Information Security?
- The first step in understanding security is to define exactly what it is
- Understanding security. Security is:
  - To be free from danger, which is the goal of security
  - The process that achieves that freedom
- As security is increased, convenience is often decreased: the more secure something is, the less convenient it may become to use

The CIA triad
(diagram of confidentiality, integrity, and availability)
Other core principles:
- Authenticity
- Non-repudiation
- Accountability
- Privacy
- Safety

Risk, threats, and vulnerabilities
- Risk – The chance of harm coming to an asset. Risk evaluation is essential in determining where and how to deploy security resources.
- Threat – Anything that can cause harm to an asset. Attacks by malicious actors are threats, but so are human errors, equipment malfunction, and natural disasters. The mechanism by which a particular threat reaches an asset is called a threat vector or attack vector.
- Vulnerability – Any weakness the asset has against potential threats. Vulnerabilities can be hardware, software, or human/organizational.
Security standards organizations
- Center for Internet Security (CIS)
- Institute of Electrical and Electronics Engineers (IEEE)
- Internet Engineering Task Force (IETF)
- International Organization for Standardization (ISO)
- Internet Society (ISOC)
- International Telecommunication Union (ITU)
- National Institute of Standards and Technology (NIST)
- National Security Agency (NSA)
- Open Web Application Security Project (OWASP)

Security controls
- Managerial – Also known as administrative controls; the organizational policies and training that govern security.
- Technical – Technological solutions used to enforce security, sometimes also called logical controls.
- Operational – Day-to-day employee activities used to achieve security goals.
- Physical – Methods used to guarantee the physical security and safety of organizational assets, such as locks, fences, video surveillance, and security guards.

Security controls (continued)
- Preventive – Proactive controls that stop a loss from occurring in the first place.
- Directive – Proactive controls intended to create secure behaviors within the organization.
- Detective – Monitoring controls that either detect an active threat as it occurs or record it for later evidence.
- Corrective – Follow-up controls used to minimize the harm caused by a security breach and to prevent a recurrence.
- Deterrent – Visible controls designed to discourage attack or intrusion, especially in physical security.
Confidentiality controls
- Keeping confidential data out of the wrong hands is a primary goal of cybersecurity, so many controls are designed for just that
- Many of the most effective confidentiality controls aren't technological but policy-based
- By controlling where data is kept and who has access to it, you reduce its exposure in the first place

Managerial confidentiality controls
- Least privilege – Users are given only the permissions they need to perform their actual duties.
- Need to know – Similar to least privilege, but focused on restricting data access to those who require it.
- Separation of duties – Breaking critical tasks into components, each performed by a different employee with different permissions, so that no single person can complete a sensitive action alone.

Technical confidentiality controls
- Access controls – Restrict access to systems and other resources, typically using passwords, smart cards, or other authentication methods.
- Encryption – Uses mathematical processes to render data unreadable to anyone without the proper decryption key.
- Steganography – The practice of concealing a secret message inside a more ordinary one.

Integrity controls
- Hashing – Mathematical functions that create a small, fixed-size fingerprint of a message or file, such that any small change in the original data produces an entirely different hash.
- Digital signatures – A combination of hashing and public-key cryptography that verifies the authenticity of a message's creator as well as the integrity of its contents.
- Backups – When data is changed or lost, regular and complete backups ensure that you can restore it to its original form.
- Version control – Storing multiple versions of files meant for frequent and collaborative change, such as documents and code repositories.
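Added example, not from the course slides: a Python script illustrating the hashing property described above (a one-byte change yields a digest that differs in roughly half its bits) and a manifest check that catches a modified file. It also shows the caveat the slide leaves out: an unkeyed hash only proves integrity if the stored digest itself is trusted, because an attacker who can rewrite both the file and its manifest entry passes the check. A keyed HMAC, used here as a stand-in for the signing step (a real digital signature uses an asymmetric key pair), still fails on the tampered content. File names, contents and the key are constructed for the demo.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Fixed-size fingerprint of arbitrary data."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two same-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def build_manifest(files: dict) -> dict:
    """Map each file name to the SHA-256 of its content (unkeyed)."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_manifest(files: dict, manifest: dict) -> list:
    """Return the names whose current content no longer matches the manifest."""
    changed = []
    for name, expected in manifest.items():
        actual = sha256_hex(files.get(name, b""))
        # compare_digest avoids leaking the mismatch position via timing
        if not hmac.compare_digest(actual, expected):
            changed.append(name)
    return sorted(changed)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: integrity plus evidence the tag was made by a key holder."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_tag_valid(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag)


# Constructed sample data, not real files.
ORIGINAL = b"Transfer 100.00 USD to account 12345"
TAMPERED = b"Transfer 900.00 USD to account 12345"   # one byte changed
FILES = {"invoice.txt": ORIGINAL, "readme.txt": b"Nothing to see here\n"}
MANIFEST = build_manifest(FILES)
SECRET = b"constructed-demo-key"   # in practice lives in an HSM or key vault


def attacker_rewrites_file_and_digest(files, manifest, name, new_content):
    """Model an attacker who can edit the file AND its unkeyed manifest entry."""
    files, manifest = dict(files), dict(manifest)
    files[name] = new_content
    manifest[name] = sha256_hex(new_content)
    return files, manifest


def demo() -> dict:
    """Run the three checks and return their outcomes."""
    avalanche = differing_bits(sha256_hex(ORIGINAL), sha256_hex(TAMPERED))

    # 1. Attacker changes only the file: the stored digest catches it.
    tampered_files = dict(FILES, **{"invoice.txt": TAMPERED})
    caught_by_hash = verify_manifest(tampered_files, MANIFEST)

    # 2. Attacker also rewrites the manifest: the unkeyed hash is silent...
    files2, manifest2 = attacker_rewrites_file_and_digest(
        FILES, MANIFEST, "invoice.txt", TAMPERED)
    missed_by_hash = verify_manifest(files2, manifest2)

    # ...but a keyed tag made with a key the attacker lacks still fails.
    tag = keyed_tag(SECRET, ORIGINAL)
    keyed_ok_on_original = keyed_tag_valid(SECRET, ORIGINAL, tag)
    keyed_ok_on_tampered = keyed_tag_valid(SECRET, files2["invoice.txt"], tag)

    return {
        "avalanche_bits": avalanche,
        "caught_by_hash": caught_by_hash,
        "missed_by_hash": missed_by_hash,
        "keyed_ok_on_original": keyed_ok_on_original,
        "keyed_ok_on_tampered": keyed_ok_on_tampered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical lesson is where the digest lives: a checksum published next to the download on the same server protects against transmission errors, not against whoever controls that server. Store digests out of band, or sign them, so the verifier trusts something the attacker cannot rewrite.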
Availability controls
- Redundancy – Multiple or backup systems arranged so that if one fails, others can take its place immediately, or at least faster than the original can be repaired.
- Fault tolerance – A system designed to continue functioning if a hardware or software component fails.
- Patch management – Whether security and stability updates are applied proactively or in response to an incident, make sure they don't unduly disrupt system availability.

Compensating controls
- A compensating control is an alternative control that doesn't match the letter of a requirement but gives equal or better protection.
- Used for regulatory compliance when the prescribed control cannot be implemented.

Events and incidents
- An event, generally speaking, is any meaningful change in a system's state that is detectable and happened at a specific time.
- An incident is an event or series of events that is unexpected or unusual and that poses a meaningful threat to the system's functions, performance, or security.

Event evaluation
- True positive – A problem occurred, and the analysis recognized it. This is a good result: even if the problem itself is bad, it was recognized and can be addressed.
- True negative – The event was benign and triggered no alerts. This is a good result, since everything is quietly working correctly.
- False positive – The event was benign, but the analysis mistook it for a problem. This is bad: frequent false alarms can disrupt routine functions, cost administrators time, or just make people less alert when a real attack happens.
- False negative – A problem occurred, and the analysis mistook it for benign behavior. This is potentially disastrous, since any resulting security compromise will go unnoticed.
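Added example, not part of the course material: a Python script that runs a simple failed-login alert rule over constructed authentication events labelled with ground truth, and sorts each event into the four outcomes above. Running the same events under an "alert on every failure" rule and a "three failures within a minute" rule shows the trade-off the slide describes: the strict rule turns the caps-lock failure into a false positive, the relaxed rule turns a single low-and-slow probe into a false negative. The events, labels and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events in time order:
# (timestamp, user, source IP, outcome, ground-truth label)
EVENTS = [
    ("2024-05-01T09:00:01", "alice", "10.0.0.5",     "fail",    "benign"),  # caps lock on
    ("2024-05-01T09:00:09", "alice", "10.0.0.5",     "success", "benign"),
    ("2024-05-01T09:10:00", "bob",   "10.0.0.7",     "success", "benign"),
    ("2024-05-01T11:00:00", "carol", "198.51.100.9", "fail",    "attack"),  # guessing
    ("2024-05-01T11:00:05", "carol", "198.51.100.9", "fail",    "attack"),
    ("2024-05-01T11:00:10", "carol", "198.51.100.9", "fail",    "attack"),
    ("2024-05-01T11:00:15", "carol", "198.51.100.9", "fail",    "attack"),
    ("2024-05-01T11:00:20", "carol", "198.51.100.9", "success", "attack"),  # guessed it
    ("2024-05-01T12:00:00", "dave",  "203.0.113.4",  "fail",    "attack"),  # single probe
    ("2024-05-01T12:30:00", "dave",  "10.0.0.8",     "success", "benign"),
]


def evaluate(events, threshold, window_seconds):
    """Apply the rule 'alert when a user has >= threshold failures within
    window_seconds' and count how each event is classified against its label."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(list)          # user -> recent failure times
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for ts, user, _ip, outcome, label in events:
        now = datetime.fromisoformat(ts)
        alerted = False
        if outcome == "fail":
            kept = [t for t in recent_failures[user] if now - t <= window]
            kept.append(now)
            recent_failures[user] = kept
            alerted = len(kept) >= threshold
        is_attack = label == "attack"
        if alerted and is_attack:
            counts["TP"] += 1
        elif alerted:
            counts["FP"] += 1       # benign event, alert fired
        elif is_attack:
            counts["FN"] += 1       # malicious event, no alert
        else:
            counts["TN"] += 1
    return counts


def precision_recall(counts):
    """Precision: share of alerts that were real. Recall: share of attacks alerted on."""
    tp, fp, fn = counts["TP"], counts["FP"], counts["FN"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return round(precision, 3), round(recall, 3)


if __name__ == "__main__":
    for name, thr in (("alert on every failure", 1), ("3 failures per minute", 3)):
        c = evaluate(EVENTS, thr, 60)
        print(f"{name}: {c}  precision/recall={precision_recall(c)}")
```

Note that the successful login that ends the guessing run is an attack event no failure-counting rule can see; catching it needs a different indicator (the source IP, or a success immediately after a burst of failures), which is why detection rules are layered rather than tuned in isolation.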
Assessment: Security concepts
Someone put malware on your computer that records all of your keystrokes. What aspect of security was primarily attacked? Choose the best response.
A. Confidentiality
B. Integrity
C. Availability

Assessment: Security concepts
What type of control would a security assessment procedure be? Choose the best response.
A. Management
B. Operational
C. Physical
D. Technical
Answer: B

Assessment: Security concepts
Malware is a common example of a threat vector. True or false?
A. True
B. False

Metrics and indicators
- Capability
- Performance
- Latency
- Availability
- Usability
- Maintainability
- Scalability
- Recoverability
- Cost

Assessment: Security concepts
Which controls primarily protect data integrity? Select all that apply.
A. Backups
B. Encryption
C. Fault tolerance
D. Hashing
E. Need to know

Assessment: Security concepts
A security program alerts you of a failed login attempt to a secure system. On investigation, you learn the system's regular user accidentally had caps lock turned on. What kind of alert was it? Choose the best response.
A. True positive
B. True negative
C. False positive
D. False negative
Answer: C

Key indicators
- Key Performance Indicator (KPI) – A measurable performance metric designated as relevant to business goals, whether it represents automated performance or human activity
- Key Risk Indicator (KRI) – A metric specifically relevant to your organization's risk levels and how they change over time
- Key Control Indicator (KCI) – Measures the effectiveness of a security control based on testing or real-world monitoring

Analyzing metrics
- Gap analysis – Comparing current status with a target status and identifying what must improve to reach the target
- Trend analysis – Tracking changes in performance or requirements over time, to anticipate a problem before it occurs and give you time to address it

Discussion: Security data

Assessment: Security concepts
Which of the following metrics is most appropriate as a key risk indicator? Choose the best response.
A. Effectiveness of employee phishing awareness training
B. False positive rate for endpoint security agents
C. Number of concurrent users
D. Percentage of systems upgraded to the latest patch level
Answer: D

Module B: Understanding threats
In this module, you'll learn how to:
- Categorize attackers by motivation
- Identify threat vectors and impacts
- Practice cyber threat intelligence

Threat sources
- Adversarial – Attacks from malicious users, inside or outside the organization.
- Accidental – Errors made by users who did not intend to hurt organizational security.
- Structural – Failures of hardware, software, or other equipment such as environmental controls that are directly controlled by the organization.
- Environmental – Natural disasters, or failures of resources the organization depends on but does not control, such as power or network access.

About hackers
- Unauthorized (aka "black hat") – Criminal hackers who break computer security for personal gain or other malicious purposes. These are the dangerous attackers you must worry about, who will steal or destroy information, spread malware, or otherwise damage your computing assets.
- Authorized (aka "white hat") – Security experts who study and practice hacking, but only use it for legal purposes such as finding countermeasures against other hackers. Also known as ethical hackers.
- Semi-authorized (aka "gray hat") – Hackers who are neither authorized nor malicious. They include those who research security flaws as a recreational exercise, those who break into systems without permission but do no intentional harm, and those who believe their motivation is to improve the state of computer security but don't care if their activities violate the law.

Attacker attributes
- Intent/Motivation – Attackers might be motivated by any number of reasons.
- Sophistication/Capability level – Some attackers are relatively inexperienced, relying on automated tools or simple vulnerabilities; others develop their own techniques.
- Resources/funding – Some hackers are the stereotypical lone hacker using a home PC in the basement; well-funded groups can be far more threatening.
- Location – Some attacks require physical proximity to your computing resources, while others can be conducted from anywhere.
- Target information – Some attackers know little about your organization and just probe random network addresses until they find something vulnerable; others research a specific target.

Attacker motivations
- Financial gain
- Espionage
- Philosophical/political beliefs
- Ethical goals
- Blackmail
- Revenge
- Disruption/Chaos
- War
- Data exfiltration
- Service disruption

Common attacker types
- Script kiddies
- Hacktivists
- Criminal syndicates
- Competitors
- Insiders
- Nation-states
- Advanced persistent threats (APTs)
- Shadow IT

Threat vectors
- Direct access – A threat from a source that can directly contact your resources.
- Wired and wireless networks – A threat without direct access to IT resources may still reach them over the local network or the internet.
- Email/Personal communications – Email, instant messaging, telephone, and every other communication tool can be used to attack the organization.
- Social media – Social media platforms have become a core part of how businesses communicate with their customers and the general public, which makes them an attack channel as well.
- Supply chains – Your organization's vendors, outside contractors, and customers can be used to attack you.
- Removable media and mobile devices – Any electronic device that can be connected to your computing and network infrastructure can be used to attack it.
- Cloud services – A service "in the cloud" is just a service on someone else's computer.

Artificial intelligence (AI) risks
- If the training data for the AI is tainted or non-representative, the trained model will not respond appropriately to real-world data.
- If the machine learning algorithms have unknown biases or oversights introduced during development, the AI will not behave appropriately regardless of how well designed the training data set was.
- An attacker who knows enough about how the finished AI "thinks" can game the system by meddling with real-world data to obscure their own activities, or create false alarms that keep security analysts busy.

Third-party risks
- Any business relationship with a third party introduces risks apart from anyone attacking you.

Incident impact
- Availability loss – A disabled or compromised resource can prevent your organization from achieving goals like producing goods or providing services.
- Recovery costs – The equipment and labor cost required to repair or replace an asset harmed by a threat.
- Data loss – Damage done to the data itself.
- Information disclosure – Damage done when sensitive data is exposed to untrusted parties; this can be as severe as losing the data entirely.
- Identity theft – Use of private data to perform identity theft against employees, customers, or any other data subjects.
- Other financial costs – In addition to the direct costs of downtime and recovery, an incident can economically harm your business in many other ways.
- Public/professional reputation – Serious security incidents can harm an organization's reputation.
- Legal consequences – Many laws and industry regulations require measures to be taken against likely threats; failing to take them can create liability.

Discussion: Threats

Threat intelligence
- Cyber threat intelligence (CTI) is evidence-based knowledge that reflects current or emerging threats against your assets and can practically inform your security decisions
- It should incorporate multiple types of data from multiple sources to help you understand the broad picture of security threats
- Internal data like network monitoring and incident reports can provide CTI, but you should also rely on external sources
- The final phase of threat intelligence is acting on it

Threat awareness
- Known threats – Long-established threats can still be potent against weak security, or if a new attack variant emerges.
- Current vulnerabilities – Documented vulnerabilities in hardware, software, or procedures are continually changing, so you must remain aware of them.
- Trending attacks – Attackers frequently adopt new strategies as defenses and vulnerabilities change.
- Emerging threat sources – Ongoing changes in technologies and business practices can affect both individual attacks and the security landscape.
- Zero-day vulnerabilities – Newly discovered vulnerabilities for which no fix yet exists are an especially dangerous threat.

Intelligence gathering
1. Define intelligence requirements: the goals and priorities for intelligence gathering.
2. Collect and process information likely to meet your requirements.
3. Analyze processed information to turn it into actionable intelligence.
4. Disseminate intelligence to the decision makers who can act on it, according to organizational policies.
5. Generate feedback to improve the next round of the cycle.
Intelligence source types
- Open-source intelligence (OSINT) – Intelligence sources that are free to use and available to anyone
- Closed-source/proprietary intelligence (CSINT) – Intelligence sources available only to paying customers or other exclusive audiences

Cybersecurity information sources
- IT and cybersecurity vendor websites
- Social media
- Academic journals
- Security conventions and conferences
- News stories about cyber attacks
- Resources and communities used by attackers

Information sharing organizations
- Computer Emergency Response/Readiness Teams (CERT) – Expert groups that respond to security incidents or coordinate responses to widespread threats
  - NOTE: As of 2023, the US-based US-CERT and ICS-CERT have been retired and folded into their parent organization, the Cybersecurity & Infrastructure Security Agency (CISA)
- Information Sharing and Analysis Center (ISAC) – Organizations and communities related to CERTs, also known as Information Sharing and Analysis Organizations (ISAO)
- MITRE – A US-based nonprofit corporation that manages federally funded research and development centers supporting government agencies such as NIST and DHS

Threat intelligence sources
- Internal sources
- Data repositories
- Vulnerability feeds
- Threat intelligence feeds
- Threat maps
- Deep web/dark web
- Predictive analytics

Vulnerability disclosure
A responsible disclosure program uses the following process:
1. When a security professional discovers a security vulnerability, they privately inform the vendor
2. After informing the vendor, they wait a reasonable period to see if a fix is implemented
   a) If the vendor takes appropriate measures to fix the vulnerability, it is disclosed as a coordinated process between the vendor, regulators, and various parties in the security community
   b) If the vendor does not produce a timely fix, or indicates that they will not address the vulnerability at all, the vulnerability is disclosed to the public so that users are aware of the risk

Threat indicators
- Reputational indicator – An indicator of attack (IoA) associated with a known or likely threat source.
- Behavioral indicator – An IoA associated with a known or suspected action performed by attackers.
- Indicator of Compromise (IoC) – A piece of forensic data associated with malicious activity on a system or network.
- Vulnerability – A weakness in a system or network that can be exploited by a threat actor.

Spotting indicators
- Documented indicators
- Resource inaccessibility
- Resource consumption
- Account lockout
- Concurrent session usage
- Impossible travel
- Blocked content access
- Out-of-cycle logging
- Missing logs

Automated indicator sharing

Attack frameworks
- Cyber Kill Chain
- The Diamond Model of Intrusion Analysis
- MITRE ATT&CK

Discussion: Threat intelligence

Assessment: Understanding threats
What category of attackers are defined by their limited sophistication and reliance on pre-packaged tools? Choose the best response.
A. APTs
B. Hacktivists
C. Organized criminals
D. Script kiddies
Answer: D

Assessment: Understanding threats
What kind of attacker is an APT most commonly associated with? Choose the best response.
A. Business competitors
B. Hacktivists
C. Nation states
D. Shadow IT
Answer: C

Assessment: Understanding threats
What category of attacker might also be called cyberterrorists? Choose the best response.
A. Hacktivists
B. Nation states
C. Script kiddies
D. Shadow IT
Answer: A

Assessment: Understanding threats
Which of the following are examples of open source intelligence? Choose all that apply.
A. A list of compromised accounts/passwords from a dark website
B. An AlienVault OTX alert about a new phishing campaign by a known criminal group
C. IOCs generated by your incident response team based on past attacks
D. Daily updates from your commercial antivirus subscription
E. The latest vulnerability entries in the NVD
Answer: B, E

Assessment: Understanding threats
A coworker detects a potential social engineering attack because the return email address is a domain associated with scammers. What kind of threat indicator is this? Choose the best response.
A. Behavioral
B. IoC
C. Reputational
D. Vulnerability
Answer: C

Module C: Enterprise security strategy
In this module, you'll learn how to:
- Describe security governance and regulatory compliance concepts
- Identify relationships between security practices and organizational structure
- Apply defense in depth to security planning

About governance
- Security governance
- Corporate governance
- IT governance
- GRC – Governance, risk, and compliance

Organizational planning
- Strategic plan – A business-wide plan based on the organization's vision, values, and objectives; created by senior management.
- Tactical plan – A mid-level plan designed to meet some objective defined by the strategic plan.
- Operational plan – A plan describing how to perform specific day-to-day operations to meet goals described in strategic or tactical plans.
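Added example for the "Spotting indicators" slide in Module B above, not part of the course material: a Python script that turns the impossible travel indicator into a concrete check. It computes the great-circle distance between the locations of a user's consecutive logins and flags any pair that would require travelling faster than an airliner. The IP-to-location table stands in for a GeoIP database, the login events are constructed, and the 900 km/h ceiling is an assumed tuning value. Two logins with the same timestamp from different places are treated as the concurrent-session case rather than causing a division by zero.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0     # assumed ceiling, roughly airliner speed

# Constructed IP-to-location table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10":  ("London",     51.5074,  -0.1278),
    "198.51.100.20": ("New York",   40.7128, -74.0060),
    "192.0.2.30":    ("Manchester", 53.4808,  -2.2426),
}

# Constructed successful-login events: (timestamp, user, source IP)
LOGINS = [
    ("2024-05-01T08:00:00", "alice", "203.0.113.10"),
    ("2024-05-01T09:30:00", "alice", "198.51.100.20"),  # London to New York in 90 min
    ("2024-05-01T08:00:00", "bob",   "203.0.113.10"),
    ("2024-05-01T12:00:00", "bob",   "192.0.2.30"),     # London to Manchester in 4 h
    ("2024-05-01T10:00:00", "carol", "192.0.2.30"),
    ("2024-05-01T10:00:00", "carol", "198.51.100.20"),  # same second, two continents
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins by one user that would require travelling faster
    than max_kmh. Returns (user, from_city, to_city, km, kmh) tuples; kmh is
    inf when two logins from different places share a timestamp."""
    last_seen = {}
    findings = []
    for ts, user, ip in sorted(logins):          # process in time order
        now = datetime.fromisoformat(ts)
        city, lat, lon = GEO[ip]
        if user in last_seen:
            prev_t, prev_city, prev_lat, prev_lon = last_seen[user]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (now - prev_t).total_seconds() / 3600
            if hours > 0:
                kmh = km / hours
            else:
                kmh = math.inf if km > 0 else 0.0   # concurrent sessions
            if kmh > max_kmh:
                findings.append((user, prev_city, city, round(km), kmh))
        last_seen[user] = (now, city, lat, lon)
    return findings


if __name__ == "__main__":
    for user, src, dst, km, kmh in impossible_travel(LOGINS):
        print(f"{user}: {src} -> {dst}, {km} km at {kmh:.0f} km/h")
```

In production the main source of false positives is the geolocation itself: VPN exits, mobile carrier gateways and cloud egress points all place a user somewhere they are not, so this indicator is usually correlated with others (new device, failed MFA, account lockout) before it becomes an alert.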
Regulatory compliance
- The goal of security policies is to ensure the organization follows best practices in protecting its informational assets
- A governance-based approach to meeting security needs requires security choices that meet internally defined policy decisions and requirements defined by outside stakeholders
- Since it's easy to make errors or cut corners on your own, GRC requires a formal procedure for determining and meeting external requirements
- You are obligated to know and comply with all national, state, or territory laws in the places you do business
- You must also comply with directives from non-government regulatory bodies if your business agreements require it

Consequences of non-compliance
- Fines
- Sanctions
- Loss of license
- Reputational damage
- Contractual impacts
- Increased scrutiny

Regulatory compliance (continued)
- Sarbanes-Oxley Act of 2002 (SOX)
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- General Data Protection Regulation (GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS compliance
Goal: Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a vulnerability management program
  5. Use and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications
Goal: Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Goal: Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Goal: Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel

Due diligence
- Due diligence – Before you sign a contract, take a regulated action, or do anything else that could lead to legal liability, investigate the situation you're entering, understand the risks and obligations it brings, then take reasonable care in your following actions.
- Due care – Less about the research you put in ahead of time and more about the ongoing actions you perform for whatever assets you're responsible for.

Compliance monitoring
- Monitoring can be performed internally by your own organization or externally by another party
- One solution is to have a trusted third party perform the monitoring: a specialist will be objective, skilled, and able to attest to your compliance without sharing any sensitive information
- Even internal compliance monitoring can be resource-intensive, particularly in complex organizations or demanding regulatory structures
- Automated security tools can help: vulnerability scanners, software configuration management (SCM) platforms, and data loss prevention (DLP) systems often have premade profiles corresponding to popular regulations like GDPR, SOX, or HIPAA

Compliance reporting
- Attestation is a formal assertion that some statement or condition is true, by someone taking responsibility for its accuracy
- Acknowledgment is a formal statement recognizing a condition or obligation

Discussion: Security governance

Privacy
- Privacy isn't the same as confidentiality, but it's similar in that you must restrict access to private data while still making it available to legitimate public or business interests
- Private information belongs at least in part to the data subject, the individual it describes
- Another way private data differs greatly from corporate intellectual property is how long you can keep it
- Privacy protections can also vary depending on the data subject

Private data
Some industries face stricter PII rules than others because of the types of data they handle. Examples include:
- Health-related industries must protect Protected Health Information (PHI) attached to individual health records (defined by HIPAA in the US)
- Educational institutions must protect student records, especially those belonging to minors
- Any business accepting payment cards is required by its vendor agreement to protect customer payment data under PCI DSS
- Any business actively doing business with European Union residents must comply with GDPR rules governing their private information

GDPR compliance
The General Data Protection Regulation (GDPR) is a European Union regulation covering all individual data relating to EU residents. The GDPR defines three roles in privacy:
- A data subject is an individual whose private data is collected; GDPR subjects must be EU residents
- A data controller is any entity that collects information about a data subject, regardless of location
- A data processor is an entity that handles or processes PII on behalf of a data controller, such as a cloud service provider

Data breach notification
- When you detect a cybercrime or other security incident, fail an audit, or discover any intentional or unintentional data breach, you may be required to report it to the proper authorities
- In the EU, the GDPR provides general requirements for data breach notification, but there's no similarly comprehensive law in the US
- Typically, you may need to provide written notification to individuals when their name has been acquired along with:
  - Social security number
  - Driver's license or ID card number
  - Bank account or payment card information that would permit access to the account
  - Medical records or health insurance information

Discussion: Privacy

Organizational roles and responsibilities
- Manager – A person responsible for the organization's assets who is empowered to make decisions about how to protect them.
- Security professional – Any technically trained employee responsible for implementing security controls as designated by upper management.
- User – A person who has access to a sensitive asset, but not directly in the context of securing it.
- Auditor – A person responsible for monitoring and reviewing the effectiveness of security policies.

Management positions
- The Chief Information Officer (CIO) oversees IT operations. The role requires technical knowledge, but in large organizations is more strategic than hands-on.
- The Chief Security Officer (CSO) oversees strategic security needs, with a focus on organizational risk management.
- The Chief Information Security Officer (CISO) may exist in addition to or instead of the CSO. If both exist, the CISO is more technically focused on information assets.
- The Chief Compliance Officer (CCO) and Chief Privacy Officer (CPO) are more specialized roles that ensure compliance with industry regulations and privacy laws, respectively.
C opyright © 20 20 30 Bird Media LLC Corporate governance structures  A board of directors represents the interests of the organization’s owners, such as the shareholders of a private company, the members of a society-based organization, or the people served by a government organization  Board structures and responsibilities vary greatly, but unlike executives, they’re not generally full-time workers or company employees  While they should also understand the organization's IT needs, it shouldn’t be primarily an IT committee; in security governance, IT needs to be a subset of information security, not vice-versa  Governance structures of government entities will be defined by statutes and regulations with less independence than a private enterprise and depend on the jurisdiction of the organization C opyright © 20 20 30 Bird Media LLC Policy enforcement  Ensuring security programs are sufficiently funded to allow policy enforcement  Performing periodic audits and ongoing monitoring to detect policy compliance issues  Establishing reporting procedures for when compliance issues are discovered C opyright © 20 20 30 Bird Media LLC Discussion: Secure organizations C opyright © 20 16 30 Bird Media LLC Defense in depth C opyright © 20 20 30 Bird Media LLC Security by design  Secure by design – Developers follow secure development procedures to minimize security bugs and incorporate security controls that resist attack  Secure by default – Finished software should have default configuration settings that promote secure operations  Secure by deployment – Software should be easy for users to deploy and maintain in a secure state  Communications – Developers should communicate openly with users and administrators about security issues with the software. 
Without communications, vulnerabilities won’t be found and mitigated C opyright © 20 20 30 Bird Media LLC Security through obscurity  Security through obscurity – Uses security technology or features that are not standard or hidden.  Open security – All the technologies and methodologies you use are known quantities based on openly published technologies that anyone can inspect and dissect. C opyright © 20 20 30 Bird Media LLC Security vs. usability  You can have a system that’s secure, usable, or inexpensive to design and maintain, but when you stress one of the three too much, at least one of the others will suffer C opyright © 20 20 30 Bird Media LLC Communicating the importance of security  The better you understand a risk yourself, the more accurate your advice will be to others.  Clear communication will help people to pay more attention to security.  People give more priority to risks and controls phrased in the language of their own areas of expertise.  Prioritizing risks is difficult, and individual stakeholders will do it differently.  “Ability to convince management” is itself a limited resource you have to spend. C opyright © 20 20 30 Bird Media LLC Discussion: Security strategies C opyright © 20 16 30 Bird Media LLC Assessment: Enterprise security strategy A new privacy law demands more robust protection for your customer database. First, you researched database security products to find which would reliably meet your needs. Now that you’ve selected and installed one, you’re currently training administrators to perform integrity checks, update the software, and review logs for suspicious activities. What are you practicing? Choose the best response. A. Due care B. Due diligence C. Negligence D. Regulatory compliance A C opyright © 20 20 30 Bird Media LLC Assessment: Enterprise security strategy Your internal network is protected from internet attacks by a Cisco firewall. 
To improve security, your supervisor suggests installing a Fortinet firewall between the Cisco firewall and the trusted LAN, then using the space between as a perimeter network. Which security principles does this promote? Select all that apply. A. Availability B. Defense in depth C. Security by design D. Security by obscurity E. Vendor diversity B and E C opyright © 20 20 30 Bird Media LLC Assessment: Enterprise security strategy Your business markets online services to EU customers, so you’re verifying GDPR compliance. Which of the following parties is most accurately a “data processor” under the law? Choose the best response. A. Employees who analyze customer data for marketing purposes B. Employees who enter customer data and review its accuracy C. The administrator of the customer database D. The CSP hosting the customer database D C opyright © 20 20 30 Bird Media LLC Assessment: Enterprise security strategy Your company is developing an application a private US-based hospital will use to give patients online access to their medical records. Regardless of what other data the application handles, what kind of compliance do you already know you need to research? Choose the best response. A. FERPA B. FISMA C. HIPAA D. PCI-DSS C C opyright © 20 20 30 Bird Media LLC Assessment: Enterprise security strategy A US government agency plans to migrate some of its internally hosted data to a cloud-based service. You need to make sure the proposed vendor can meet the same security requirements as the current solution. What are you currently practicing? Select all that apply. A. Due care B. Due diligence C. FISMA compliance D. GDPR compliance E. 
GLBA compliance B and C C opyright © 20 20 30 Bird Media LLC Summary : Security fundamentals You should now know how to:  Identify security concepts such as the CIA triad and security controls; how to distinguish between risks, threats, and vulnerabilities; apply secure design principles; and distinguish events and incidents  Recognize threats, categorize attackers by motivation and resources, and develop cyber threat intelligence  Achieve security governance in the enterprise via multi-level planning, responsible management, and defense in depth C opyright © 20 20 30 Bird Media LLC
