Cyber Security Operations and Administration PDF
Stacy Nicholson
Summary
This document outlines the course CYB 205 focused on security operations and administration. It covers areas like security concepts, controls, code of ethics, physical security, and awareness. The document also delves into accountability, identification, authentication, key principles of information security, and data security roles.
Full Transcript
Course: CYB 205
Professor: Stacy Nicholson
Topic: Security Operations and Administration

Security Operations and Administration
Areas to cover include:
▪ Security concepts
▪ Security controls
▪ Code of ethics overview
▪ Physical control security
▪ Security awareness

Security Operations and Administration
▪ Security operations and administration involve a range of tasks related to identifying an organization's information assets and the documentation needed to implement policies, standards, procedures, and guidelines.
▪ The primary goal is to ensure the confidentiality, integrity, and availability of information.

Accountability
▪ The ability to trace every action taken on a system back to an individual user without ambiguity, and without allowing the user to deny responsibility for that action.
▪ There are two prerequisites for ensuring accountability:
1. Identification
2. Authentication

Accountability Cont.
1. Identification
▪ Each user must have a unique identifier, such as a username.
▪ Shared or generic accounts should be avoided, because the system cannot distinguish the individuals behind them.
2. Authentication
▪ Strong authentication prevents unauthorized users from gaining access.
▪ It also prevents users from denying their activity.

Accountability Cont.
▪ Access control systems must track user activity carefully, using auditing mechanisms, to enforce accountability.
▪ Note that logs must be kept secure, where they cannot be modified by the individuals whose actions on the system they record.

Key Principles of Information Security
1. Need to know
▪ Limits information access.
▪ Access is granted on a case-by-case basis.
▪ Accessing information requires an individual to demonstrate a valid business need.
Note:
▪ Having the right security credentials and clearance does not automatically grant an individual access to sensitive information in organizations that enforce need to know.
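The accountability slides above require that every action be traceable to a named user and that logs not be modifiable by the people whose actions they record. The following Python block is an added example, not part of the course material: it keeps an HMAC-chained audit log in which each record names the acting user and is bound to the previous record, so that editing, reordering or removing an entry is detected on verification. The HMAC key is assumed to be held by the audit system (for example a log collector) out of reach of the administrators being audited; the key, user names and actions are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # "previous tag" value for the very first record


def _canonical(record: Dict) -> bytes:
    """Deterministic bytes for a record, excluding its own tag."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log whose records are chained by keyed HMACs.

    Assumption (not from the slides): the HMAC key lives with the audit
    collector, not on the host being audited, so a local administrator can
    alter records but cannot recompute valid tags for them.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict] = []

    def _tag(self, record: Dict) -> str:
        return hmac.new(self._key, _canonical(record), hashlib.sha256).hexdigest()

    def append(self, user: str, action: str, target: str) -> Dict:
        """Record one action by a named individual account."""
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        record = {
            "seq": len(self.entries),  # position in the chain
            "user": user,              # who: the unique identifier the slides require
            "action": action,          # what was done
            "target": target,          # to what
            "prev": prev,              # tag of the preceding record
        }
        record["tag"] = self._tag(record)
        self.entries.append(record)
        return record

    def verify(self, last_tag: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain from the genesis value.

        Returns (True, None) if every record is in place and untouched,
        otherwise (False, index of the first record that fails).  Passing the
        latest tag the collector saw out of band also catches truncation of
        the tail, which a chain on its own cannot detect.
        """
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if (
                rec.get("seq") != i
                or rec.get("prev") != prev
                or not hmac.compare_digest(self._tag(rec), rec.get("tag", ""))
            ):
                return False, i
            prev = rec["tag"]
        if last_tag is not None and prev != last_tag:
            return False, len(self.entries)
        return True, None


if __name__ == "__main__":
    log = AuditLog(b"collector-held-key")   # constructed key
    log.append("alice", "read", "hr/payroll.csv")
    log.append("bob", "delete", "hr/payroll.csv")
    print(log.verify())                     # (True, None)
    log.entries[1]["user"] = "alice"        # bob tries to shift the blame
    print(log.verify())                     # (False, 1)
```

Because the tag of each record is keyed, an administrator with write access to the log file can change a record but cannot produce a tag that verifies, and because each record carries the previous tag, deleting or reordering records breaks the chain at that point. Shipping the latest tag to the collector periodically closes the remaining gap, silent truncation of the most recent records.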
Key Principles of Information Security
2. Least Privilege
▪ Individuals should be given the minimum set of privileges required to perform their job functions.
▪ Limits system permissions.
▪ An organization can choose to follow a least privilege approach and supplement it with emergency access procedures that allow IT staff to upgrade their own privileges in an emergency; such emergency use should itself be logged and reviewed afterwards.

Separation of Duties and Responsibilities
▪ Separation of Duties
▪ No single person should possess two permissions that, in combination, allow them to perform a sensitive operation.
▪ Such permissions should be separated and held by two different groups of people.
▪ Account reviews and audits should inspect permissions to ensure that separation of duties is properly enforced.

Data Security Roles
Concepts surrounding data ownership and stewardship. The four-tiered model of roles includes:
1. Data Owner
▪ Business leaders with overall responsibility for data. They set policies and guidelines for their data assets, their use, and their security.
▪ At the highest level, the data owner for a particular dataset is a senior official who bears overall responsibility for that data.
▪ For example, an organization's vice president for human resources might be the data owner for employment information.

Data Security Roles Cont.
2. Data Stewards
▪ Manage the day-to-day data governance activities, carrying out responsibilities delegated to them by the data owner.
▪ For example, a data steward might make day-to-day decisions about who can access the dataset.
3. Data Custodian
▪ Individuals who store and process the information; often IT staff members.

Data Security Roles Cont.
4. Data Users
▪ Individuals who work with data on a regular basis.
▪ Examples: analysts, customer service representatives, managers, and others in an organization.
▪ They must protect data from unauthorized disclosure.
▪ Data users must work within the rules set by data owners and data stewards.

Limiting Data Collection
▪ Limiting data collection reduces the risk of information being misused or lost.
▪ Privacy principles require that organizations give individuals notice of the information they collect and the ways they use it, and that they obtain those individuals' consent for that use.
▪ Organizations should never collect information that falls outside the disclosures they have made to individuals, even if it is easy to do so or seems incidental to the approved purpose.
▪ New consent must be obtained before collecting new information.

Code of Ethics Overview
▪ Protect society, the common good, necessary public trust and confidence, and the infrastructure.
▪ Act honorably, honestly, responsibly, and legally.
▪ Provide diligent and competent service to principals.
▪ Advance and protect the profession.

Security Controls
▪ Security controls are the procedures and mechanisms that an organization puts in place to manage security risks and protect the data and infrastructure important to it.
▪ Any safeguard or countermeasure used to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets is considered a control.
▪ These controls are crucial to ensuring the confidentiality, integrity, and availability of information. They include data security controls, physical controls, cloud security controls, cybersecurity controls, and so on.

Security Controls Cont.
▪ Example: Home Security
▪ Locks on doors
▪ A burglar alarm designed to detect intrusions
▪ Security cameras to record activity inside your home
▪ Neighborhood watch
▪ Automatic light switches to deter a burglar by simulating human activity
▪ Defense in depth: the use of multiple security controls.
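The Key Principles slides above call for least privilege and separation of duties, and say that account reviews should inspect permissions to confirm both are enforced. The following Python block is an added example, not part of the course material: it runs an automated account review over a constructed set of users, approved roles and effective permissions, reporting any user who holds a conflicting pair of permissions and any permission not justified by an approved role, and derives which role pairs can never be co-assigned. The conflict pairs, role baselines and user data are all constructed for the example.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Pairs of permissions that must never be held by one person (separation of
# duties).  Constructed for this example; a real list comes from the business.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"payments:create", "payments:approve"}),
    frozenset({"code:commit", "code:deploy_prod"}),
    frozenset({"user:create", "user:grant_admin"}),
}

# Least-privilege baseline: the permissions each approved role may carry.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ap_clerk":    {"payments:create", "invoices:read"},
    "ap_manager":  {"payments:approve", "invoices:read"},
    "developer":   {"code:commit", "code:read"},
    "release_eng": {"code:deploy_prod", "code:read"},
    "helpdesk":    {"user:create"},
}

# Constructed review input: the roles each account was approved for, and the
# permissions it actually holds as pulled from the systems themselves.
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_clerk", "ap_manager"],
    "carol": ["developer"],
    "dave":  ["helpdesk"],
}
USER_PERMS: Dict[str, Set[str]] = {
    "alice": {"payments:create", "invoices:read"},
    "bob":   {"payments:create", "payments:approve", "invoices:read"},
    "carol": {"code:commit", "code:read", "code:deploy_prod"},
    "dave":  {"user:create", "user:grant_admin"},
}

Finding = Tuple[str, str, Tuple[str, ...]]  # (user, kind, details)


def review(user_roles: Dict[str, List[str]],
           user_perms: Dict[str, Set[str]]) -> List[Finding]:
    """Account review: flag SoD conflicts and privileges beyond the baseline."""
    findings: List[Finding] = []
    for user in sorted(user_perms):
        perms = user_perms[user]
        # Separation of duties: a conflicting pair held by one individual,
        # whether it arrived through two roles (bob) or an extra grant (dave).
        for pair in SOD_CONFLICTS:
            if pair <= perms:
                findings.append((user, "sod_conflict", tuple(sorted(pair))))
        # Least privilege: anything beyond the union of the approved roles.
        allowed: Set[str] = set()
        for role in user_roles.get(user, []):
            allowed |= ROLE_BASELINE.get(role, set())
        excess = perms - allowed
        if excess:
            findings.append((user, "excess_privilege", tuple(sorted(excess))))
    return sorted(findings)


def incompatible_roles() -> Set[FrozenSet[str]]:
    """Role pairs that cannot be co-assigned without breaking separation of
    duties, derived from the baseline so the check can run at assignment time
    rather than only at the next review."""
    bad: Set[FrozenSet[str]] = set()
    for r1, r2 in combinations(sorted(ROLE_BASELINE), 2):
        combined = ROLE_BASELINE[r1] | ROLE_BASELINE[r2]
        if any(pair <= combined for pair in SOD_CONFLICTS):
            bad.add(frozenset({r1, r2}))
    return bad


if __name__ == "__main__":
    for finding in review(USER_ROLES, USER_PERMS):
        print(finding)
    print("roles that must stay separated:", incompatible_roles())
```

The review deliberately works from the permissions the systems actually grant rather than from the role model, because drift between the two is exactly what an access review is meant to find: carol's deploy permission is both an excess privilege and the half of a conflicting pair that the role model never approved.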
Defense in Depth
▪ Defense in depth involves the use of multiple layers of security controls and protocols to protect an organization's environment and critical assets, instead of relying on a single protective measure.
▪ Because no single security measure can prevent all attacks, defense in depth is a way to stop attacks that make it past your initial security measures.
▪ The overall goal is to apply multiple overlapping controls to achieve the same objective.
▪ Security professionals categorize security controls into similar groups using different categories.

Security Controls Grouping
▪ One way to categorize controls is by their purpose: preventing, detecting, correcting, or deterring security issues.
▪ Preventive controls stop a security issue from occurring in the first place.
▪ Example: a firewall that blocks unwanted network traffic.
▪ Detective controls identify potential security breaches that require further investigation.
▪ Example: a network intrusion detection system (NIDS).

Security Controls Grouping Cont.
▪ Corrective controls remediate security issues that have already occurred.
▪ Example: if an attacker breaks into a system and wipes out critical information, restoring that information from backup is a corrective control.
▪ Deterrent controls are designed to discourage an attacker from even attempting an attack in the first place.
▪ Example: posting guard dogs inside the fence to deter intruders.

Security Controls Grouping Cont.
▪ Another way to categorize controls is by their mechanism of action.
▪ Controls are grouped as technical, administrative, or physical controls.
▪ Technical controls use technology to achieve security objectives.
▪ Examples: firewalls, intrusion prevention systems, password policies, session timeouts, data loss prevention systems, anti-malware software, etc.
Administrative Controls
▪ Administrative controls use human-driven processes to manage technology in a secure manner.
▪ These include:
▪ User access reviews
▪ Log monitoring
▪ Security policies, standards, and procedures
▪ Background checks
▪ Conducting security awareness training
▪ Etc.

Physical Controls Security
▪ Physical controls safeguard the physical facilities.
▪ These include mantraps, cameras, and locks that help protect the security of information, offices, and other physical facilities.
▪ Visitor management:
▪ Describe who may authorize visitor access.
▪ Describe how visitors may behave in your facilities.
▪ Explain the role of visitor escorts.
▪ Etc.
▪ Visitor access to secure areas should be logged.
▪ All visitors should wear a badge that clearly identifies them as a visitor.

Security Controls
False Positive Errors
▪ Occur when a control activates in a situation where it shouldn't.
▪ Example: a false positive would occur when a detective control, such as an intrusion detection system, issues a false alarm.
False Negative Errors
▪ Occur when a control fails to trigger in a situation where it should.
▪ Example: a false negative would occur if an actual security incident takes place and the system fails to detect it, giving administrators a false sense of safety.

Security Awareness
Security Training
▪ Provides users with the knowledge they need to protect the organization's security.
▪ Security training may use a variety of delivery techniques, but the bottom-line goal is to impart knowledge.
Security Awareness
▪ Keeps the lessons learned during security training top of mind for employees.
▪ Awareness doesn't require a commitment of time to sit down and learn new material.
▪ Instead, a variety of different methods are used to reinforce awareness, such as posters, videos, email messages, and similar techniques.
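The slides above define false positive and false negative errors for a detective control. The Python block below is an added example, not part of the course material: it implements a simple detective control (flag a source address after a number of failed SSH logins within a time window) over constructed sshd-style log lines, compares the result with a constructed list of which sources really were hostile, and shows how the same detector produces a false positive at a loose threshold and a false negative at a tight one. The log lines, addresses and labels are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sshd-style lines (not real logs).  10.0.0.5 is a user who
# mistyped her password three times; 203.0.113.7 is a fast password-guessing
# source; 198.51.100.9 is a slow one, spaced ten minutes apart to stay under
# short detection windows.
SAMPLE_LOG = """\
Jan 10 09:00:05 bastion sshd[4011]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Jan 10 09:00:19 bastion sshd[4011]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Jan 10 09:00:33 bastion sshd[4011]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Jan 10 09:00:41 bastion sshd[4011]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Jan 10 09:02:00 bastion sshd[4020]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jan 10 09:02:06 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jan 10 09:02:12 bastion sshd[4022]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jan 10 09:02:18 bastion sshd[4023]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jan 10 09:02:24 bastion sshd[4024]: Failed password for invalid user test from 203.0.113.7 port 40005 ssh2
Jan 10 09:02:30 bastion sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 40006 ssh2
Jan 10 09:05:00 bastion sshd[4031]: Failed password for root from 198.51.100.9 port 41000 ssh2
Jan 10 09:15:00 bastion sshd[4035]: Failed password for root from 198.51.100.9 port 41001 ssh2
Jan 10 09:25:00 bastion sshd[4039]: Failed password for root from 198.51.100.9 port 41002 ssh2
Jan 10 09:35:00 bastion sshd[4043]: Failed password for root from 198.51.100.9 port 41003 ssh2
"""

# Ground truth for scoring the control (constructed): which sources were hostile.
ATTACKERS: Set[str] = {"203.0.113.7", "198.51.100.9"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)


def failed_logins(log_text: str) -> Dict[str, List[datetime]]:
    """Group failed-login timestamps by source address."""
    fails: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue  # successes and unparsable lines carry no failure
        # syslog timestamps have no year; only differences matter here
        fails[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    return fails


def detect(log_text: str, threshold: int, window_seconds: int) -> Set[str]:
    """Detective control: flag a source with at least `threshold` failures
    inside any span of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    flagged: Set[str] = set()
    for ip, times in failed_logins(log_text).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged


def evaluate(flagged: Set[str], attackers: Set[str]) -> Dict[str, Set[str]]:
    """Score the control's output against ground truth."""
    return {
        "true_positive": flagged & attackers,
        "false_positive": flagged - attackers,   # control fired, nothing was wrong
        "false_negative": attackers - flagged,   # real attack, control stayed silent
    }


if __name__ == "__main__":
    for threshold, window in ((3, 120), (5, 120), (4, 3600)):
        result = evaluate(detect(SAMPLE_LOG, threshold, window), ATTACKERS)
        print(f"{threshold} failures within {window}s:", result)
```

With 3 failures in 120 seconds the control fires on the legitimate user (a false positive) and misses the slow source (a false negative); raising the threshold to 5 removes the false positive but keeps the false negative; only a longer window catches the low-and-slow source without alarming on the typo. Tuning a detective control is this trade-off, and it can only be measured against ground truth, which is why reviewed incidents and confirmed benign alerts should feed back into the rule.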