CSE Module 02 - Policies - EN PDF
Document Details
Uploaded by SecureAlbuquerque
Howest Hogeschool
Tags
Summary
This document outlines cybersecurity concepts, policies, and procedures. It covers threat agents, tools used in attacks, malware types, and the generalized attack process. Security architecture, advantages, and disadvantages are also detailed.
Full Transcript
Image Review Module 1 – Concepts II Threat agents in cyberspace Espionage (Country or Company) Script kiddi...
Image Review Module 1 – Concepts II Threat agents in cyberspace Espionage (Country or Company) Script kiddies High-tech Low-tech Young, unskilled Provider/ Developer/ Hacktivist Operator Online social hacker Current Little skilled Tools user Cyber Terrorist Insider (employee) Former Low to medium skilled Cyber Warrior Consultant Cyber Criminal 4 Tools used in an attack Voettekst 5 Malware Malware, also called malicious code, is software designed to: Gain access to the affected computer systems. Steal information or make information inaccessible. Interfere with the operation of the computer. There are different types of malware, distinguished by the way they operate or spread. The main ones are: Computer Viruses Network Worms Trojan horses Malware & Attack Techniques & Social Engineering Malware Aanvalstechnieken Aanvalstechnieken Viruses APT Logic Bomb (Network worm) Brute Force Attack SQL injection Trojan horse Buffer Overflow Bot Botnet Cross-Site Scripting Social Engineering Spyware DoS Social Engineering Adware DDoS (Spear) Phishing Ransomware (Double, Triple) Man-in-the middle Vishing & Smishing Keylogger Zero-day exploit Spoofing Generalized Attack Process - The Cyber Kill Chain https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html Actions on Command Reconnaissance Weaponization Delivery Exploitation Installation the and Control Objective With hands-on Harvesting email Delivery of Exploiting a Command channel Linking the exploit access to the addresses, payload to victim vulnerability to Installing malware for remote with a backdoor to keyboard, information from via email, web, execute code on on the asset manipulation of a payload intruders achieve conferences, etc. USB the victim's system the victim their original goals. The security architecture A security architecture describes the structure, components, connections and layout of security controls within an organization's IT infrastructure. There are different types of security architectures with various details for components such as subsystems, products and applications these details affect the “defense-in-depth” approach (see below). Each security architecture carries its own risk -> Below we discuss the variables and best practices involved. De beveiligingsarchitectuur Honeypot Client Machines Mail Server Firewall Router Firewall Client Machines Internet Web Server Database Server RADIUS Directory Server Voettekst 10 Securing the perimeter In cybersecurity, this is the “Internet Perimeter.” It is the boundary between the corporate network and the Internet. It is important to secure it properly. Two possible approaches: Network or system-based approach A well-defined (albeit usually virtual) boundary between the organization and the outside world. In our physical example, the outer castle border. Control is placed at the network and system level. Data-centric security approach Data protection regardless of location. E.g. POTUS travels in a secure plane, secure car, hotels are secured etc.... Internet, outsourcing, mobile devices, cloud... -> the perimeter is considerably extended and often difficult to define. Defense in depth Concentric rings Overlapping redundancy Compartmentalization Segregation Horizontal and vertical defense in depth Logging A log is a record of “events” that occur within an organization's systems and networks. So a kind of “diary” kept by a process or device. For example, a log of events maintained by a firewall. Very valuable information to monitor controls detect risks but often underutilized. Logging – Per event There is no limit to what a log can hold (other than data capacity): Timestamp Event ID (unique) Event type Severity Level Source IP addres and/or location Process information (where appropriate) Detailed description Logging - Types Successful and failed login attempts Software installations and updates Change and reset password Application errors and crashes. Create, modify and delete user Configuration changes accounts Alerts from endpoint controls Accessing sensitive data File access and changes Network control alerts Actions for privileged users VPN connections Access to audit log System Startup & Shutdown Policy changes Voettekst 15 Security Information and Event Management (SIEM) Challenge: There are many security tools, each with its own log -> large amounts of data (literally encyclopedias of data, every day!). -> How is one going to analyze and interpret this overwhelming amount of data? Solution = SIEM systems (combination of SEM and SIM) Automatically aggregate (merge) and correlate log data across multiple security devices. Reduces the information to a manageable list of prioritized events! Used in war rooms or the so-called SOC (Security Operations Center). SIEM - Methodology 1. Data collection 2. Data aggregation 3. Data Analysis 4. Alarms and Reports 5. Incident Response SIEM - Methodes voor het zoeken van verbanden Rule-based correlation Statistical correlation Neural networks Voettekst 18 Introduction An organization needs the following : comprehensive cybersecurity policies, management, standards, procedures, guidelines and work instructions To ensure consistent, effective protection of sensitive data & processes To ensure compliance (compliance) with legal and other requirements thereby protecting its operations and reputation. COMPLIANCE DOCUMENTS - Hierarchy Policy. - Why I need to do this. - Management Procedures Standards Guidelines - How should I do - What is needed? - - Recommended - it? - Work instructions Advantages Consistency Ensures that all employees follow the same rules, reducing variability and errors. Compliance Helps organizations comply with regulatory and legal requirements. So also helps avoid fines and penalties. Risk Management Provides a structured approach to identifying, assessing and mitigating risks. Voettekst 22 Advantages Accountability Clear definitions of roles and responsibilities, making it easier to hold individuals accountable for their actions. Improved Security Posture A comprehensive set of policies, standards, procedures, guidelines, and work instructions helps protect against a wide range of cyber threats. Voettekst 23 Disadvantages Complexity Developing and maintaining a comprehensive set of documents can be time- consuming and complex. Resistance to change Employees may resist new policies and procedures, especially if they perceive them as inconvenient. Intensive use of resources Implementing and maintaining this requires significant resources, including time, money and personnel. Potential for overhead Too much documentation and too rigid procedures can slow down operations and reduce flexibility. Voettekst 24 Pitfalls Lack of clarity Policies and procedures that are too vague or complex can lead to confusion and noncompliance. Inadequate training Employees may not understand or follow policies and procedures if they are not properly trained. Overreliance on technology Ignoring the human element and focusing only on technological solutions can lead to security gaps. Voettekst 25 Pitfalls Lack of updates Cyberbeveiligingsbedreigingen evolueren snel en verouderde beleidsregels en procedures kunnen een organisatie kwetsbaar maken. Poor communication Failure to effectively communicate policies and procedures to all employees can lead to Inconsistent application Increased risks. No audit If there is no verification of compliance with these documents, it is often dead letter. Voettekst 26 Policies High-level statements - Helicopter Level Outline an organization's overall approach and goals regarding cybersecurity. Specify requirements, prohibitions and expected activities and behaviors and define the roles and responsibilities of everyone in the organization. They are usually validated and approved by senior management and/or the board of directors.... Provide a framework for decision-making. For example, a policy may state that all sensitive data must be encrypted. Clear and easy to understand, short and to the point. Voettekst 27 Management The “ management” of a particular cybersecurity topic has everything to do with: the creation of the implementation of het onderhoud van monitoring of the coordination of standards, procedures, guidelines and work instructions related to said topic. Maw management deals with the processes surrounding this topic. Standards Specific, mandatory rules that support the policy by describing the requirements necessary to achieve the objectives of the policy. Standards ensure consistency and compliance throughout the organization. Example: a standard can specify which types of encryption algorithms are accepted. Voettekst 29 Procedures Detailed, step-by-step instructions for implementing standards and policies. Procedures are often used by employees to perform specific tasks. Example: how to configure a firewall How to respond to a security incident. Voettekst 30 Guidelines Recommendations advising on best practices. Not mandatory and offer flexibility. Help users make decisions in situations where standards do not apply. Example: a guideline may suggest best practices for creating strong passwords. Voettekst 31 Working Instructions Very detailed, task-specific instructions. Describe in minute detail how to perform a particular task or activity. Are often used for training purposes To ensure consistency in task performance. Example: the exact steps to follow when setting up a new user account in a specific system. Voettekst 32 An example around data protection Policy: The company's policy is that all customer data must be encrypted. Standard: The standard specifies that AES-256 encryption must be used for all databases. Procedure: The procedure describes how to configure AES-256 encryption on the company's database systems. Guideline: It recommends regular checks to ensure encryption is active and suggests regular staff training on data protection. Work Instruction: The work instruction provides step-by-step guidance for IT staff in setting up and verifying encryption on a new database server. Voettekst 33 Common Types of Policies Voettekst 34 Types Beleid volgens de Standaard COBIT 5 Disaster recovery Risk Asset Management Management General Acceptable Compliance Information Use Policy Security Acquisition Comms and Development Operations Maintenance Vendor management 35 IT Infrastructure Related Policies IT Security Policy: This policy defines the rules and procedures for protecting the organization's IT infrastructure from cyber threats. This often includes the use of antivirus software, firewalls, and regular updates. Network Security Policy: Policy for securing the organization's network, including the use of firewalls, VPNs, and network segmentation to prevent unauthorized access. Wireless Security Policy: Policy for securing wireless networks within the organization, including the use of strong encryption and access control. Voettekst 36 IT Infrastructure Related Policies Cloud Security Policy: This policy addresses the security of data and applications hosted in the cloud. It often includes policies for selecting cloud providers, configuring security settings, and managing access rights. Endpoint Security Policy: This policy addresses the security of endpoints such as laptops, desktops, and mobile devices that access the organization's network. Mobile Device Management (MDM) Policy: This policy addresses the management and security of mobile devices that access corporate data, including smartphones and tablets. Voettekst 37 IT Infrastructure Related Policies Communication Security Policy: This policy focuses on securing communications within the organization - often focusing primarily on e-mail. It may include policies for dealing with suspicious emails, using encryption, and preventing phishing attacks. Physical Security Policy: Security measures for physical access to the organization's facilities, such as access control, surveillance cameras, and security personnel. Environmental Security Policy: Security measures to protect facilities from environmental hazards such as fire and flooding. Voettekst 38 HR related policies Acceptable Use Policy (AUP): This policy describes what is and is not allowed when using the organization's IT resources. This helps prevent misuse and unintended security risks. Social Media Policy: Policy for employee use of social media, including what may and may not be shared. Bring Your Own Device (BYOD) Policy: This policy sets rules for using personal devices for work purposes. It may include requirements for installing security software, use of strong passwords, and use of VPNs. Voettekst 39 HR related policies User Awareness and Training Policy: Policy for educating employees on cybersecurity risks and best practices to ensure that everyone in the organization is aware of their role in protecting data. Security Awareness Training Policy: This policy describes the requirements for educating employees about cybersecurity risks and best practices. The goal is to foster a culture of security awareness within the organization. Voettekst 40 Identity & access related Policies Identity Management Policy: This policy addresses the management of user identities and access rights within the organization. This helps prevent unauthorized access to sensitive information. Access Control Policy This policy defines who has access to what information and systems, and under what conditions. This helps limit access to sensitive data to only those who need it for their work Password Management Policy This policy addresses the creation, management, and protection of passwords within the organization. It may include requirements for password length, complexity, and refresh rate. Voettekst 41 Identity & access related Policies Remote Access Policy: Policy for securely connecting to the organization's network from remote locations. This often includes the use of VPNs and multi-factor authentication. Remote Work Policy: This policy addresses data and systems security for employees working remotely, including the use of secure connections and devices. Voettekst 42 Data Related Policies Data Security Policy: Policy for protecting data from unauthorized access, modification, or destruction. This often includes encryption, access control, and data backups. Data Classification Policy: This policy helps categorize data based on their sensitivity and value, and determines how each category should be protected. Voettekst 43 Data Related Policies Data Loss Prevention (DLP) Policy: Guidelines for preventing loss or theft of sensitive data, including the use of DLP software to detect and block suspicious activity. Data Retention Policy: Policy for how long different types of data should be kept and when they should be securely deleted. Backup Policy: This policy describes the procedures for regularly backing up important data and systems, and testing these backups to ensure they are reliable. Voettekst 44 Third-party related Policies Third-Party Vendor Management Policy: This policy focuses on reviewing and managing the security practices of external vendors who have access to the organization's systems or data. Third-Party Risk Management Policy: Policy for reviewing and managing the security practices of external vendors and partners who have access to the organization's systems or data. Third-Party Access Policy: Policy voor het beheren van toegang tot het netwerk en de systemen van de organisatie door externe partijen, zoals leveranciers en partners. Voettekst 45 Encryption Related Policies Encryption Policy: This policy specifies when and how data should be encrypted, both at rest and during transmission. Acceptable Encryption Policy: Specifies which encryption methods and protocols are acceptable for use within the organization. Voettekst 46 Incident Response Related Policies Incident Response Policy: This policy describes the steps to be taken in the event of a security incident. This includes detecting, reporting, and responding to incidents to minimize damage. Incident Detection Policy: Policy for detecting security incidents, including use of monitoring tools and establishment of reporting systems. Disaster Recovery & Business Continuity Policy: This policy focuses on restoring IT systems and ensuring business continuity after a disaster or major incident. Voettekst 47 System Management Related Policies Patch Management Policy: Policy for regularly updating and patching software and systems to fix vulnerabilities and plug security holes. Change Management Policy: Manages how changes are introduced into the IT environment to minimize disruptions and ensure changes are implemented smoothly and effectively. Configuration Management Policy: Manages the tracking of all parts of your IT system (such as software and hardware) to ensure that everything works well together and remains reliable. Voettekst 48 Risico & Audit Related Policies Risk Assessment Policy: This policy describes how the organization identifies, assesses, and manages risks. It helps prioritize security measures based on the severity of the risks. Audit and Logging Policy: Policy for maintaining logs and conducting audits to detect and investigate suspicious activity. Similar to Monitoring and Logging Policy Asset Management Policy: manage assets to optimize performance and maximize value over the asset life cycle. Voettekst 49 Default content of a Policy Purpose and Objectives Describes why the policy exists and what the organization wants to achieve with it. Scope and Applicability Defines the boundaries of the policy and to whom or what it applies. Policy rules Provides clear instructions on what is and is not allowed with a focus on the subject of the policy. Voettekst 50 Standaard inhoud van een Policy Roles and Responsibilities Specifies who is responsible for reviewing, modifying, complying with and enforcing the policy. Compliance and Enforcement. Describes how compliance with the policy is monitored and penalties for noncompliance. Training and Awareness Describes requirements for educating employees on security risks and best practices. Review and Update Determines how often the policy is reviewed and updated to remain relevant. Voettekst 51 Policies Zooming in on some examples Voettekst 52 The General Information Security Policy High-level general information security policy In smaller companies, often one of the few policy documents. Larger companies have many policy documents by subject matter in addition to these (cfr supra). Must be clear and actionable. Must be effective in protecting the organization from cyber threats. The General Information Security Policy - Content Purpose: Example: “ This Cybersecurity Policy defines the minimum requirements applicable to all departments of [Organization] so that we protect our intellectual property, our commercial advantage and our people from the consequences of poor information security and possible cyber-attacks. “. Scope and Applicability: Example: “ In general, this Cybersecurity Policy applies to all information and systems of [Organization], along with ... The information systems they provide, ... the people (internal and external) who process them, ... the devices used to process it, ... the procedures on which it depends, ... the locations where we work, ... the other aspects that may pose a risk. The General Information Security Policy - Content Policies and Guidelines: Example: “We have effective policies and procedures We are aware of information security risks. We create security policies and procedures together. We know who is responsible and how we apply the rules and procedures. “. Roles and Responsibilities: Example: “The Cybersecurity Department is responsible for implementing security measures.” The General Information Security Policy - Content Compliance and Enforcement: Example: “Failure to comply may result in disciplinary action, including dismissal.” Training and Awareness: Example: “All employees must attend annually at least one training around a cybersecurity topic.” Review and Update: Example: “This policy will be reviewed annually and updated as needed.” An example from CyFun (for NIS2) CYBERSECURITY POLICY (BASIC) TEMPLATE Voettekst 57 Identity Management (IM) Focuses on streamlining various business processes required to manage all forms of identities in an organization - from starting in the organization to leaving the organization. Links people to systems and services. Main Objective: Protects sensitive data and systems by ensuring that only authorized users have access. Identity Management (IM) - Contents Identity Management (“directory services”) The user must be present in our “directory” (compare to phone book). Create, maintain and delete digital identities for users. This includes updating user data. User provisioning & deprovisioning. Authentication The user must prove his identity. Verify user identities. Authorization Often role-based (RBAC). See acces control policy IM - Provisioning Part of the organization's recruitment process involving the creation of user accounts. Complicated process: Users may need access to many different assets, each with its own authorization and authentication requirements. Privelege Creep: occurs when employees accumulate more access rights by retaining access to systems and data from previous jobs. Best practice: Authentication mechanism and access control rights are assigned based on job assignments. IM - Deprovisioning When the user leaves the organization OR changes function. All accounts and accesses must be suspended or deleted in a timely manner. Depending on the circumstances, consider auditing the activities of the particular user. Both provisioning and deprovisioning should be synchronized with HR, preferably automated. IM - Authentication There are several principles for authenticating yourself = proving your identity Something you know You must know something to authenticate yourself e.g. Password, PIN, passphrase Federated Identity Management (FIM). Example: FB or Google identity is used to log in to a web service. Something you have You have to have something to authenticate yourself e.g. smart card, dongle, transmitter Something you are You use your biometrics to authenticate yourself. e.g. Facial recognition, fingerprint, retina-can, footprint. IM - Authenticatie Somewhere you are This principle uses location-based factors, such as GPS data or IP addresses, to verify the user's location during authentication. Something You Do This principle looks at behavioral factors, such as typing patterns, writing style or gesture-based authentication. Voettekst 63 IM - Authenticatie 2FA – Two-factor Authentication Combining 2 authentication principles. Often using “Something you know” and “Something you have.” Example: paying with a credit card requires a PIN and owning a credit card. MFA – Multi-Factor Authentication Extension of 2FA. Minimum a combination of 2 authentication principles. Example: Using itsme on government sites where you must 1) have the correct SIM card, 2) enter a PIN on the smartphone (initial access) and 3) a fingerprint to start itsme. Voettekst 64 IM - Privileged User Management Concerns management of a special type of users: administrators. They often have access to all the information stored in a system. Best Practice: Check accounts regularly for privileges and delete them when they are no longer needed. Require privileged users to have two accounts (privileged and non-privileged) and mandate the use of the non-privileged account for general tasks. IM - Privileged User Management Limit to functions that require privileged access => apply “least-privilege” Conducting background checks Additional logging of activities Maintaining accountability => never share privileged accounts! (or any accounts for that matter) Use of stronger passwords or additional authentication checks. An example from CyFun (for NIS2) Voettekst 67 Access Control Policy Access rights and levels: Defines different access rights and levels based on roles and responsibilities within the organization. Example: “Only IT administrators have access to servers and network configurations.” Authorization matrix: A detailed table indicating which users or roles (RBAC) have access to which systems and data. Example: “HR employees have access to personnel files, but not financial data.” Often refers to Least Privilege principle and Need to Know principle. Access Control: Least Privilege, Need to Know and Four-Eyes Least Privilege: Users are given only the minimum access rights they need to perform their tasks (read, write, execute). Example: the accountant has access only to the accounting system but not to the accounting analysis package used by management. Need to Know: Deals exclusively with access to sensitive information where only those who need the information for their work can access it. Example: only a senior engineer will have access to the IPR needed to build a particular device. Voettekst 69 Access Control: Least Privilege, Need to Know and Four-Eyes Four-eyes: Critical actions are checked by two people. Commonly used in financial transactions, changes to key systems, and approval of sensitive documents. Example: Financial transactions over a certain amount must be approved by two employees. Voettekst 70 Access Control Policy Authentication and Authorization: Describes methods for assigning access rights (authorization) based on an authentication type. Four-eye principle may be recommended for critical actions. Example: “Users must authenticate with a username and password, and two- factor authentication is required for access to sensitive systems.” Access review and update: Guidelines for regularly reviewing and revising access rights to ensure they remain current and appropriate. Example: “Access rights are reviewed quarterly to ensure they are still relevant.” Access Control Policy Just-In-Time Access: Policy for temporarily granting access rights for specific tasks or projects. Example: “Employees are only granted access to certain systems for the duration of a specific task.” Incident Management: Procedures for reporting and responding to access-related security incidents. Example: “All suspicious activity should be reported immediately to the IT department for investigation.” Example: “When a user enters an incorrect password 5 times or more in a row, it should be investigated.” Access Control Policy Logging and Monitoring: Guidelines for maintaining logs and monitoring access activities to detect suspicious activity. Example: “All access activity is logged and regularly monitored for suspicious patterns.” An example from CyFun (for NIS2) ACCESS POLICY (BASIC) TEMPLATE Voettekst 74 (Security) Incident Response Policy Goal Security: Protects the organization by responding quickly and effectively to security incidents. Mitigation of Damage: Minimizes the impact of incidents on business operations. Compliance: Ensures that the organization complies with legal and regulatory requirements. (Security) Incident Response Policy - Contents The incident response team (CSIRT - Computer Security Incident Response Team), with organizational roles and responsibilities Describes the steps to be taken when an incident occurs, including: detection, prioritization, analysis, containment, eradication, and recovery. Guidelines for internal and external communication during an incident. (Security) Incident Response Policy - Contents Requirements for regular training and simulation exercises to prepare the team for incidents. Reporting and escalation processes. Recovery procedures include: RPO - Recovery Point Objective RTO - Recovery Time Objective IR Policy: RPO en RTO IR Policy: RPO Recovery Point Objective. Is determined based on the acceptable loss of data in case of interruption of operations. Thus, quantifies the allowable amount of data loss in case of interruption. Indicates the most recent time from which it is acceptable to restore the data, which is generally the last backup. The maximum time from last restore point to incident is the RPO. IR Policy: RTO Recovery time objective Time needed for estimated return to a reliable state. The time from the incident to the estimated return to “business as usual” is the RTO. IR Policy: RPO en RTO - more RPO - This is an exact calculable figure. A company makes a backup every week. So the maximum time to go back is when an incident occurs just before a new backup. So that means the RPO is one week. RTO - This is more of an objective based on experience and established in the Incident Response Policy. In most cases, this should be as short as possible. This often involves looking at the cost of being back operational versus the loss of not being operational. Cost of being operational again must be strictly smaller than the loss of not being operational. An example from CyFun (for NIS2) CYBER INCIDENT RESPONSE PLAN TEMPLATE Voettekst 82
