Information Security or InfoSec
the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability
Confidentiality
only authorized users can view sensitive information
Integrity
only authorized subjects can change sensitive information
Availability
guarantees uninterrupted access by authorized users to important computing resources and data
Assumptions about today's computer networks that lead to increased need for security
• Modern networks are often more open to being accessed, and a potential attacker can easily attach to or remotely access such networks.
• Modern networks use a common set of well-known and open protocols.
• Computer networks are becoming increasingly complex.
PII
Personally Identifiable Information
Examples of PII data
• Name, such as full name, maiden name, mother's maiden name
• Telephone numbers, including home and mobile numbers
• Date and place of birth
• Passport number, social security number, driver license number
• Personal characteristics, including photographic i
Examples of non-PII data
• Office location
• Business email address
• Other information that is releasable to the public
Best way to handle PII data
Apply confidentiality processes when handling it
Risk=
Threats × Vulnerabilities × Impact
Threat-source
Either (1) an intent and method targeted at the intentional exploitation of a vulnerability, or (2) a situation and method that may accidentally trigger a vulnerability.
Threat
the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
Vulnerability
the weakness that makes a resource susceptible to the threat: a defect in hardware or software
Attack surface
the total sum of the vulnerabilities in a given system that is accessible to an attacker
Impact
resulting damage to the organization that is caused by the threat
Flavors of risk assessment
Quantitative: trying to map a dollar amount to each specific risk.
Qualitative: assigning a risk level such as low, medium, or high to each specific risk.
Organizational risk types
• Business risk
• Data risk
• Data loss
• Systems risk
• Insider threat
• Application risk
Business risk
risk of merely doing business
Data risk
risk of corruption or disclosure of important company data
Data loss
hard drive failure, accidental deletion
Systems risk
the likelihood that a company information system is not adequately protected from damage, loss, or compromise
Insider threat
attack by a rogue employee who attempts to damage the organization by stealing confidential data, destroying systems, or causing downtime
Application risk
the risk that business applications will fail, causing financial damage
APT [Advanced Persistent Threat]
a network attack in which an unauthorized person gains access to a network and stays there undetected for a long time period
APT intent
to steal data rather than to cause damage to the network or organization
Risk Management
the process that balances the operational and economic costs of protective measures against the gains in mission capability achieved by protecting the IT systems and data that support the organization's missions
Risk Management or mitigation options
• Risk acceptance: when the cost of other risk management options outweighs the cost of the risk itself.
• Risk avoidance: the most expensive option.
• Risk limitation: limits a company's risk exposure by taking some action. It employs a bit of risk acceptance and a bit o
Vulnerability assessment activities
Device Discovery
Service Enumeration
Scanning
Validation
Device Discovery activities
• Identify
• Ping
• SYN scan
Service Enumeration activities
• TCP ports
• UDP ports
• Web services
Scanning activities
• Configuration issues
• Missing patches
• Dangerous services
Validation activities
• False positive removal
• Manual verification
• Review scan logic
Triggers for organization to perform a vulnerability assessment
• when new technology/software is planned to be deployed
• when software or hardware updates are released
CVSS v3.0 [Common Vulnerability Scoring System]
captures principal characteristics of a vulnerability & provides cybersecurity professionals a better understanding of the risk posed by each vulnerability
Who developed CVSS?
NIAC (National Infrastructure Advisory Council) together with several security industry vendors and research organizations
Custodian of CVSS to promote its adoption globally
Forum of Incident Response and Security Teams (FIRST)
CVSS=
a free and open industry standard for assessing the severity of computer system security vulnerabilities
CVSS v3.0 base score is calculated based on
attack vector, attack complexity, privileges required, user interaction, scope, confidentiality, integrity, and availability
Base and Temporal Metric Groups are set by
the vendor
Environmental Metric Group is set by
the end user and represents the final score.
Organizational benefit of incorporating CVSS into risk analysis
It's a structured method to assist with prioritizing a vulnerability response.
Access Control Models
Mandatory Access Control
Discretionary Access Control
Non-Discretionary Access Control
Mandatory Access Control
Secures information by assigning sensitivity (security level) labels on information and comparing it to the level of sensitivity a user is operating at. Appropriate for military applications
Discretionary Access Control
Uses ACL to decide which users or group of users have access to information. Owner can change the ACL permissions at his or her discretion.
Non-Discretionary Access Control
Access decisions are based on an individual's roles and responsibilities within the organization, also known as RBAC [role-based access control]. Can be centrally controlled.
Basic access control principles
• Principle of least privilege: you get only as many rights as you need
• Separation of duties: more than one person is required to complete a task
Current trends in regulatory compliance
• Strengthened enforcement
• Global spread of data breach notification laws
• More prescriptive regulations
• Growing requirements regarding third parties (business partners)
• Risk-based compliance on the rise
• Compliance process streamlined and automated
Examples of compliance regulations
• Payment Card Industry Data Security Standard (PCI DSS): for handling credit cards. Private label cards are not included in the scope.
• Health Insurance Portability and Accountability Act (HIPAA): for confidentiality of healthcare transactions.
• Sarbanes-Oxle
Information security management
the identification of an organization's assets, followed by the development, documentation, and implementation of policies and procedures for protecting these assets
4 step Information security management method
Plan-do-check-act
Plan phase
designing the ISMS [information security management system]
Do phase
implementing and operating the controls
Check phase
review and evaluate the performance (efficiency and effectiveness) of the ISMS
Act phase
tuning ISMS to peak performance
Common security management systems/processes
• IT asset management (ITAM): collecting inventory, financial, and contractual data to manage the IT asset throughout its life cycle.
• Configuration management: the process for establishing and maintaining consistency of a product's performance, functional
2 widely recognized and deployed IT security control frameworks
• Control Objectives for Information and Related Technologies (COBIT) is a good-practice framework. It provides an implementable set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers.
SOC- Security Operations Center
the facility where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops, other endpoints, and so on) are monitored, assessed, and defended
NOC- Network Operations Center
responsible for monitoring and maintaining the overall network infrastructure; its primary function is to ensure uninterrupted network service
Types of SOCs
• Threat-centric SOC: proactively hunts for threats on the network.
• Compliance-based SOC: focuses on the state of the company's overall security posture as it relates to compliance testing, penetration testing, and vulnerability testing.
• Operational-based SO
OpenSOC
open source security analytics framework
OpenSOC goals
• an open source community for the development of an extensible and scalable advanced security analytics tool.
• open communication for additional features and identification of deficiencies, for a stable and functionally usable tool.
• Identify key feature enhancements