Chapter 01 - Today's Security Professional.pdf

Full Transcript

Chapter 1
Today's Security Professional

THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS
CHAPTER INCLUDE:
Domain 1.0: General Security Concepts
1.1. Compare and contrast various types of security controls.
Categories (Technical, Managerial, Operational, Physical)
Control Types (Preventive, Deterrent, Detective, Corrective,
Compensating, Directive)
1.2. Summarize fundamental security concepts.
Confidentiality, Integrity, and Availability (CIA)
Non-repudiation
Gap analysis
1.4. Explain the importance of using appropriate cryptographic solutions.
Obfuscation (Tokenization, Data masking)
Domain 3.0: Security Architecture
3.3. Compare and contrast concepts and strategies to protect data.
General data considerations (Data states, Data at rest, Data in transit, Data
in use)
Methods to secure data (Geographic restrictions, Encryption, Hashing,
Masking, Tokenization, Obfuscation, Segmentation, Permission
restrictions)
Domain 5.0: Security Program Management and Oversight
5.2. Explain elements of the risk management process.
Risk identification

Security professionals play a crucial role in protecting their organizations in today's
complex threat landscape. They are responsible for protecting the confidentiality,
integrity, and availability of information and information systems used by their
organizations. Fulfilling this responsibility requires a strong understanding of the threat
environment facing their organization and a commitment to designing and
implementing a set of controls capable of rising to the occasion and answering those
threats.
In the first section of this chapter, you will learn about the basic objectives of
cybersecurity: confidentiality, integrity, and availability of your operations. In the
sections that follow, you will learn about some of the controls that you can put in place
to protect your most sensitive data from prying eyes. This chapter sets the stage for the
remainder of the book, where you will dive more deeply into many different areas of
cybersecurity.

Cybersecurity Objectives
When most people think of cybersecurity, they imagine hackers trying to break into an
organization's system and steal sensitive information, ranging from Social Security
numbers and credit cards to top-secret military information. Although protecting
sensitive information from unauthorized disclosure is certainly one element of a
cybersecurity program, it is important to understand that cybersecurity actually has
three complementary objectives, as shown in Figure 1.1.

FIGURE 1.1 The three key objectives of cybersecurity programs are
confidentiality, integrity, and availability.
Confidentiality ensures that unauthorized individuals are not able to gain access to
sensitive information. Cybersecurity professionals develop and implement security
controls, including firewalls, access control lists, and encryption, to prevent
unauthorized access to information. Attackers may seek to undermine confidentiality
controls to achieve one of their goals: the unauthorized disclosure of sensitive
information.
Integrity ensures that there are no unauthorized modifications to information or
systems, either intentionally or unintentionally. Integrity controls, such as hashing and
integrity monitoring solutions, seek to enforce this requirement. Integrity threats may
come from attackers seeking the alteration of information without authorization or
nonmalicious sources, such as a power spike causing the corruption of information.
Availability ensures that information and systems are ready to meet the needs of
legitimate users at the time those users request them. Availability controls, such as fault
tolerance, clustering, and backups, seek to ensure that legitimate users may gain access
as needed. Similar to integrity threats, availability threats may come either from
attackers seeking the disruption of access or from nonmalicious sources, such as a fire
destroying a datacenter that contains valuable information or services.
Cybersecurity analysts often refer to these three goals, known as the CIA triad, when
performing their work. They often characterize risks, attacks, and security controls as
meeting one or more of the three CIA triad goals when describing them.
Nonrepudiation, while not part of the CIA triad, is also an important goal of some
cybersecurity controls. Nonrepudiation means that someone who performed some
action, such as sending a message, cannot later deny having taken that action. Digital
signatures are a common example of nonrepudiation. They allow anyone who is
interested to confirm that a message truly originated from its purported sender.

Exam Note

Remember the main components of the CIA triad security model are confidentiality,
integrity, and availability. Also know that nonrepudiation is the assurance that
something cannot be denied by someone.

Data Breach Risks
Security incidents occur when an organization experiences a breach of the
confidentiality, integrity, and/or availability of information or information systems.
These incidents may occur as the result of malicious activity, such as an attacker
targeting the organization and stealing sensitive information, as the result of accidental
activity, such as an employee leaving an unencrypted laptop in the back of a rideshare,
or as the result of natural activity, such as an earthquake destroying a datacenter.
As a security professional, you are responsible for understanding these risks and
implementing controls designed to manage those risks to an acceptable level. To do so,
you must first understand the effects that a breach might have on your organization and
the impact it might have on an ongoing basis.

The DAD Triad
Earlier in this chapter, we introduced the CIA triad, used to describe the three main
goals of cybersecurity: confidentiality, integrity, and availability. Figure 1.2 shows a
related model: the DAD triad. This model explains the three key threats to cybersecurity
efforts: disclosure, alteration, and denial. Each of these three threats maps directly to
one of the main goals of cybersecurity:

FIGURE 1.2 The three key threats to cybersecurity programs are disclosure,
alteration, and denial.
Disclosure is the exposure of sensitive information to unauthorized individuals,
otherwise known as data loss. Disclosure is a violation of the principle of
confidentiality. Attackers who gain access to sensitive information and remove it
from the organization are said to be performing data exfiltration. Disclosure may
also occur accidentally, such as when an administrator misconfigures access controls
or an employee loses a device.
Alteration is the unauthorized modification of information and is a violation of the
principle of integrity. Attackers may seek to modify records contained in a system for
financial gain, such as adding fraudulent transactions to a financial account.
Alteration may occur as the result of natural activity, such as a power surge causing a
“bit flip” that modifies stored data. Accidental alteration is also a possibility, if users
unintentionally modify information stored in a critical system as the result of a typo
or other unintended activity.
Denial is the disruption of an authorized user's legitimate access to information.
Denial events violate the principle of availability. This availability loss may be
intentional, such as when an attacker launches a distributed denial-of-service
(DDoS) attack against a website. Denial may also occur as the result of accidental
activity, such as the failure of a critical server, or as the result of natural activity,
 such as a natural disaster impacting a communications circuit.

The CIA and DAD triads are very useful tools for cybersecurity planning and risk
analysis. Whenever you find yourself tasked with a broad goal of assessing the security
controls used to protect an asset or the threats to an organization, you can turn to the
CIA and DAD triads for guidance. For example, if you're asked to assess the threats to
your organization's website, you may apply the DAD triad in your analysis:
Does the website contain sensitive information that would damage the organization
if disclosed to unauthorized individuals?
If an attacker were able to modify information contained on the website, would this
unauthorized alteration cause financial, reputational, or operational damage to the
organization?
Does the website perform mission-critical activities that could damage the business
significantly if an attacker were able to disrupt the site?

That's just one example of using the DAD triad to inform a risk assessment. You can use
the CIA and DAD models in almost any situation to serve as a helpful starting point for a
more detailed risk analysis.

Breach Impact
The impacts of a security incident may be wide-ranging, depending on the nature of the
incident and the type of organization affected. We can categorize the potential impact of
a security incident using the same categories that businesses generally use to describe
any type of risk: financial, reputational, strategic, operational, and compliance.
Let's explore each of these risk categories in greater detail.

Financial Risk
Financial risk is, as the name implies, the risk of monetary damage to the organization
as the result of a data breach. This may be very direct financial damage, such as the costs
of rebuilding a datacenter after it is physically destroyed or the costs of contracting
experts for incident response and forensic analysis services.
Financial risk may also be indirect and come as a second-order consequence of the
breach. For example, if an employee loses a laptop containing plans for a new product,
the organization suffers direct financial damages of a few thousand dollars from the loss
of the physical laptop. However, the indirect financial damage may be more severe, as
competitors may gain hold of those product plans and beat the organization to market,
resulting in potentially significant revenue loss.

Reputational Risk
Reputational risk occurs when the negative publicity surrounding a security breach
causes the loss of goodwill among customers, employees, suppliers, and other
stakeholders. It is often difficult to quantify reputational damage, as these stakeholders
may not come out and directly say that they will reduce or eliminate their volume of
business with the organization as a result of the security breach. However, the breach
may still have an impact on their future decisions about doing business with the
organization.

Identity Theft

When a security breach strikes an organization, the effects of that breach often
extend beyond the walls of the breached organization, affecting customers,
employees, and other individual stakeholders. The most common impact on these
groups is the risk of identity theft posed by the exposure of personally identifiable
information (PII) to unscrupulous individuals.
Organizations should take special care to identify, inventory, and protect PII
elements, especially those that are prone to use in identity theft crimes. These
include Social Security numbers, bank account and credit card information, drivers'
license numbers, passport data, and similar sensitive identifiers.

Strategic Risk
Strategic risk is the risk that an organization will become less effective in meeting its
major goals and objectives as a result of the breach. Consider again the example of an
employee losing a laptop that contains new product development plans. This incident
may pose strategic risk to the organization in two different ways. First, if the
organization does not have another copy of those plans, they may be unable to bring the
new product to market or may suffer significant product development delays. Second, if
competitors gain access to those plans, they may be able to bring competing products to
market more quickly or even beat the organization to market, gaining first-mover
advantage. Both of these effects demonstrate strategic risk to the organization's ability to
carry out its business plans.

Operational Risk
Operational risk is risk to the organization's ability to carry out its day-to-day functions.
Operational risks may slow down business processes, delay delivery of customer orders,
or require the implementation of time-consuming manual work-arounds to normally
automated practices.
Operational risk and strategic risk are closely related, so it might be difficult to
distinguish between them. Think about the difference in terms of the nature and degree
of the impact on the organization. If a risk threatens the very existence of an
organization or the ability of the organization to execute its business plans, that is a
strategic risk that seriously jeopardizes the organization's ongoing viability. On the other
hand, if the risk only causes inefficiency and delay within the organization, it fits better
into the operational risk category.

Compliance Risk
Compliance risk occurs when a security breach causes an organization to run afoul of
legal or regulatory requirements. For example, the Health Insurance Portability and
Accountability Act (HIPAA) requires that health-care providers and other covered
entities protect the confidentiality, integrity, and availability of protected health
information (PHI). If an organization loses patient medical records, they violate HIPAA
requirements and are subject to sanctions and fines from the U.S. Department of Health
and Human Services. That's an example of compliance risk.
Organizations face many different types of compliance risk in today's regulatory
landscape. The nature of those risks depends on the jurisdictions where the organization
operates, the industry that the organization functions within, and the types of data that
the organization handles. We discuss these compliance risks in more detail in Chapter
16, “Security Governance and Compliance.”

Risks Often Cross Categories

Don't feel like you need to shoehorn every risk into one and only one of these
categories. In most cases, a risk will cross multiple risk categories. For example, if
an organization suffers a data breach that exposes customer PII to unknown
individuals, the organization will likely suffer reputational damage due to negative
media coverage. However, the organization may also suffer financial damage. Some
of this financial damage may come in the form of lost business due to the
reputational damage. Other financial damage may come as a consequence of
compliance risk if regulators impose fines on the organization. Still more financial
damage may occur as a direct result of the breach, such as the costs associated with
providing customers with identity protection services and notifying them about the
breach.

Implementing Security Controls
As an organization analyzes its risk environment, technical and business leaders
determine the level of protection required to preserve the confidentiality, integrity, and
availability of their information and systems. They express these requirements by
writing the control objectives that the organization wishes to achieve. These control
objectives are statements of a desired security state, but they do not, by themselves,
actually carry out security activities. Security controls are specific measures that fulfill
the security objectives of an organization.

Gap Analysis
Cybersecurity professionals are responsible for conducting gap analyses to evaluate
security controls. During a gap analysis, the cybersecurity professional reviews the
control objectives for a particular organization, system, or service and then examines the
controls designed to achieve those objectives. If there are any cases where the controls
do not meet the control objective, that is an example of a gap. Gaps identified during a
gap analysis should be treated as potential risks and remediated as time and resources
permit. Remediation and various other activities associated with vulnerability
management are covered in Chapter 5, “Security Assessment and Testing.”

Security Control Categories
Security controls are categorized based on their mechanism of action: the way that they
achieve their objectives. There are four different categories of security control:
Technical controls enforce confidentiality, integrity, and availability in the digital
space. Examples of technical security controls include firewall rules, access control
lists, intrusion prevention systems, and encryption.
Operational controls include the processes that we put in place to manage
technology in a secure manner. These include user access reviews, log monitoring,
and vulnerability management.
Managerial controls are procedural mechanisms that focus on the mechanics of the
risk management process. Examples of administrative managerial controls include
periodic risk assessments, security planning exercises, and the incorporation of
security into the organization's change management, service acquisition, and project
management practices.
Physical controls are security controls that impact the physical world. Examples of
physical security controls include fences, perimeter lighting, locks, fire suppression
systems, and burglar alarms.

If you're not familiar with some of the controls provided as examples in
this chapter, don't worry about it! We'll discuss them all in detail later in the book.

Organizations should select a set of security controls that meets their control objectives
based on the criteria and parameters that they either select for their environment or
have imposed on them by outside regulators. For example, an organization that handles
sensitive information might decide that confidentiality concerns surrounding that
information require the highest level of control. At the same time, they might conclude
that the availability of their website is not of critical importance. Given these
considerations, they would dedicate significant resources to the confidentiality of
sensitive information while perhaps investing little, if any, time and money protecting
their website against a denial-of-service attack.
Many control objectives require a combination of technical, operational, and managerial
controls. For example, an organization might have the control objective of preventing
unauthorized access to a datacenter. They might achieve this goal by implementing
biometric locks (physical control), performing regular reviews of authorized access
(operational control), and conducting routine risk assessments (managerial control).
 These control categories and types are unique to CompTIA. If you've
already studied similar categories as part of your preparation for another security
certification program, be sure to study these carefully and use them when
answering exam questions.

Security Control Types
CompTIA also divides security into control types, based on their desired effect. The
types of security control include the following:
Preventive controls intend to stop a security issue before it occurs. Firewalls and
encryption are examples of preventive controls.
Deterrent controls seek to prevent an attacker from attempting to violate security
policies. Vicious guard dogs and barbed wire fences are examples of deterrent
controls.
Detective controls identify security events that have already occurred. Intrusion
detection systems are detective controls.
Corrective controls remediate security issues that have already occurred. Restoring
backups after a ransomware attack is an example of a corrective control.
Compensating controls are controls designed to mitigate the risk associated with
exceptions made to a security policy.
Directive controls inform employees and others what they should do to achieve
security objectives. Policies and procedures are examples of directive controls.

Exam Note

Know the various security control categories and types. The Security+ exam is sure
to test your knowledge of them.

Exploring Compensating Controls

The Payment Card Industry Data Security Standard (PCI DSS) includes one of the
most formal compensating control processes in use today. It sets out three criteria
that must be met for a compensating control to be satisfactory:
The control must meet the intent and rigor of the original requirement.
The control must provide a similar level of defense as the original requirement,
such that the compensating control sufficiently offsets the risk that the original
 PCI DSS requirement was designed to defend against.
The control must be “above and beyond” other PCI DSS requirements.

For example, an organization might find that it needs to run an outdated version of
an operating system on a specific machine because software necessary to run the
business will only function on that operating system version. Most security policies
would prohibit using the outdated operating system because it might be susceptible
to security vulnerabilities. The organization could choose to run this system on an
isolated network with either very little or no access to other systems as a
compensating control.
The general idea is that a compensating control finds alternative means to achieve
an objective when the organization cannot meet the original control requirement.
Although PCI DSS offers a very formal process for compensating controls, the use of
compensating controls is a common strategy in many different organizations, even
those not subject to PCI DSS. Compensating controls balance the fact that it simply
isn't possible to implement every required security control in every circumstance
with the desire to manage risk to the greatest feasible degree.
In many cases, organizations adopt compensating controls to address a temporary
exception to a security requirement. In those cases, the organization should also
develop remediation plans designed to bring the organization back into compliance
with the literal meaning and intent of the original control.

Data Protection
Security professionals spend significant amounts of their time focusing on the
protection of sensitive data. We serve as stewards and guardians, protecting the
confidentiality, integrity, and availability of the sensitive data created by our
organizations and entrusted to us by our customers and other stakeholders.
As we think through data protection techniques, it's helpful to consider the three states
where data might exist:
Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on
other storage media. This data is prone to theft by insiders or external attackers who
gain access to systems and are able to browse through their contents.
Data in transit is data that is in motion/transit over a network. When data travels on
an untrusted network, it is open to eavesdropping attacks by anyone with access to
those networks.
Data in use is data that is actively in use by a computer system. This includes the
data stored in memory while processing takes place. An attacker with control of the
system may be able to read the contents of memory and steal sensitive information.

We can use different security controls to safeguard data in all of these states, building a
robust set of defenses that protects our organization's vital interests.
Data Encryption
Encryption technology uses mathematical algorithms to protect information from
prying eyes, both while it is in transit over a network and while it resides on systems.
Encrypted data is unintelligible to anyone who does not have access to the appropriate
decryption key, making it safe to store and transmit encrypted data over otherwise
insecure means.
We'll dive deeply into encryption tools and techniques in Chapter 7, “Cryptography and
the PKI.”

Data Loss Prevention
Data loss prevention (DLP) systems help organizations enforce information handling
policies and procedures to prevent data loss and theft. They search systems for stores of
sensitive information that might be unsecured and monitor network traffic for potential
attempts to remove sensitive information from the organization. They can act quickly to
block the transmission before damage is done and alert administrators to the attempted
breach.
DLP systems work in two different environments:
Agent-based DLP
Agentless (network-based) DLP

Agent-based DLP uses software agents installed on systems that search those systems
for the presence of sensitive information. These searches often turn up Social Security
numbers, credit card numbers, and other sensitive information in the most unlikely
places!
Detecting the presence of stored sensitive information allows security professionals to
take prompt action to either remove it or secure it with encryption. Taking the time to
secure or remove information now may pay handsome rewards down the road if the
device is lost, stolen, or compromised.
Agent-based DLP can also monitor system configuration and user actions, blocking
undesirable actions. For example, some organizations use host-based DLP to block users
from accessing USB-based removable media devices that they might use to carry
information out of the organization's secure environment.
Agentless (network-based) DLP systems are dedicated devices that sit on the network
and monitor outbound network traffic, watching for any transmissions that contain
unencrypted sensitive information. They can then block those transmissions, preventing
the unsecured loss of sensitive information.
DLP systems may simply block traffic that violates the organization's policy, or in some
cases, they may automatically apply encryption to the content. This automatic
encryption is commonly used with DLP systems that focus on email.
DLP systems also have two mechanisms of action:
Pattern matching, where they watch for the telltale signs of sensitive information.
 For example, if they see a number that is formatted like a credit card or Social
Security number, they can automatically trigger on that. Similarly, they may contain
a database of sensitive terms, such as “Top Secret” or “Business Confidential,” and
trigger when they see those terms in an outbound transmission.
Watermarking, where systems or administrators apply electronic tags to sensitive
documents and then the DLP system can monitor systems and networks for
unencrypted content containing those tags.

Watermarking technology is also commonly used in digital rights management (DRM)
solutions that enforce copyright and data ownership restrictions.
DLP will be covered in more detail in Chapter 5, “Security Assessment and Testing.”

Data Minimization
Data minimization techniques seek to reduce risk by reducing the amount of sensitive
information that we maintain on a regular basis. The best way to achieve data
minimization is to simply destroy data when it is no longer necessary to meet our
original business purpose.
If we can't completely remove data from a dataset, we can often transform it into a
format where the original sensitive information is deidentified. The deidentification
process removes the ability to link data back to an individual, reducing its sensitivity.
An alternative to deidentifying data is transforming it into a format where the original
information can't be retrieved. This is a process called data obfuscation, and we have
several tools at our disposal to assist with it:
Hashing uses a hash function to transform a value in our dataset to a corresponding
hash value. If we apply a strong hash function to a data element, we may replace the
value in our file with the hashed value.
Tokenization replaces sensitive values with a unique identifier using a lookup table.
For example, we might replace a widely known value, such as a student ID, with a
randomly generated 10-digit number. We'd then maintain a lookup table that allows
us to convert those back to student IDs if we need to determine someone's identity.
Of course, if you use this approach, you need to keep the lookup table secure!
Masking partially redacts sensitive information by replacing some or all sensitive
fields with blank characters. For example, we might replace all but the last four
digits of a credit card number with X's or *'s to render the card number unreadable.

Although it isn't possible to retrieve the original value directly from the hashed value,
there is one major flaw to this approach. If someone has a list of possible values for a
field, they can conduct something called a rainbow table attack. In this attack, the
attacker computes the hashes of those candidate values and then checks to see if those
hashes exist in our data file.
For example, imagine that we have a file listing all the students at our college who have
failed courses but we hash their student IDs. If an attacker has a list of all students, they
can compute the hash values of all student IDs and then check to see which hash values
are on the list. For this reason, hashing should only be used with caution.

Access Restrictions
Access restrictions are security measures that limit the ability of individuals or systems
to access sensitive information or resources. Two common types of access restrictions
are geographic restrictions and permission restrictions:
Geographic restrictions limit access to resources based on the physical location of
the user or system. For example, an organization may restrict access to a database to
only those users located within a certain country or region. This can help to prevent
unauthorized access from outside of the organization's trusted network.
Permission restrictions limit access to resources based on the user's role or level of
authorization. For example, a company may grant access to financial data only to
authorized personnel who have undergone appropriate background checks and
training.

By implementing access restrictions, organizations can ensure that sensitive
information and resources are only accessible to authorized individuals and systems,
minimizing the risk of data breaches and cyberattacks. In Chapter 8, “Identity and
Access Management,” we will explore access restrictions in greater detail.

Segmentation and Isolation
Organizations may also limit the access to sensitive systems based on their network
location. Segmentation places sensitive systems on separate networks where they may
communicate with each other but have strict restrictions on their ability to communicate
with systems on other networks. Isolation goes a step further and completely cuts a
system off from access to or from outside networks.

Summary
Cybersecurity professionals are responsible for ensuring the confidentiality, integrity,
and availability of information and systems maintained by their organizations.
Confidentiality ensures that unauthorized individuals are not able to gain access to
sensitive information. Integrity ensures that there are no unauthorized modifications to
information or systems, either intentionally or unintentionally. Availability ensures that
information and systems are ready to meet the needs of legitimate users at the time
those users request them. Together, these three goals are known as the CIA triad.
As cybersecurity analysts seek to protect their organizations, they must evaluate risks to
the CIA triad. This includes the design and implementation of an appropriate mixture of
security controls drawn from the managerial, operational, technical, and physical
control categories. These controls should also be varied in type, including a mixture of
preventive, detective, corrective, deterrent, compensating, and directive controls.

Exam Essentials