Security Architectures and Toolsets - Paiet/Tech-Journal-for-Everything GitHub Wiki
Cybersecurity Frameworks

Frameworks

NIST (National Institute of Standards and Technology)
- Creates standards for the US government
- Widely adopted by other organizations as well
- Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework, CSF)
  - Framework Core
    - Presents ubiquitous and common cybersecurity activities, desired outcomes, and applicable references
    - Applies to all organizational levels
      - CEO to the person in the mail room
    - 5 concurrent and continuous functions
      - Identify
      - Protect
      - Detect
      - Respond
      - Recover
    - (CSF 2.0, published in 2024, adds a sixth function, Govern, alongside these five)
  - Framework Tiers
    - 4 Tiers, describing how rigorous and how well integrated the org's risk management practices are
      - 1: Partial
      - 2: Risk Informed
      - 3: Repeatable
      - 4: Adaptive
  - Framework Profile
    - The Core outcomes selected and prioritized for this organization's business requirements, risk tolerance, and resources
    - Comparing a "current" profile with a "target" profile shows the gap to close
ISO
- ISO/IEC 27001 (information security management system standard)
  - Organizations can be certified against it by an accredited auditor

COBIT
- ISACA's framework for IT governance and management

SABSA
- Sherwood Applied Business Security Architecture; a risk-driven enterprise security architecture framework

TOGAF
- The Open Group Architecture Framework; a general enterprise architecture method that SABSA is often used alongside

ITIL
- IT service management practices (change, incident, and problem management, etc.)
Policies, Controls, and Procedures

Regulatory compliance

What industry or governmental regulations should we be familiar with?

HIPAA (Health Insurance Portability and Accountability Act)
- Protected health information (PHI) held by US healthcare providers, insurers, and their business associates

PCI DSS (Payment Card Industry Data Security Standard)
- Any organization that stores, processes, or transmits payment card data; enforced by the card brands through contract, not by a government

GLBA (Gramm-Leach-Bliley Act)
- Financial institutions; protection of customers' non-public personal financial information

SOX (Sarbanes-Oxley Act)
- Financial oversight of publicly traded companies; IT controls matter here because they underpin the integrity of financial reporting

FERPA (Family Educational Rights and Privacy Act)
- Student information and educational records

GDPR (General Data Protection Regulation)
- European Union data privacy and protection regulation; applies to personal data of people in the EU regardless of where the processing organization is located
Policies

Rules that MUST be followed

Password policy
- Defines the length and complexity of user/service passwords
  - Must be at least X characters long
  - Cannot reuse a password for X amount of time (or for the last N passwords)
  - Must contain at least X special characters (!@#$%)
- Enforce it technically where possible (directory/IdP password settings) rather than relying on users to have read the document
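As an added example (not from the original wiki), here is how the rules above are enforced in code rather than on paper: a length check, a special-character count, and a reuse check that compares the candidate against a salted-hash history within a time window, so old passwords are never stored in the clear. The concrete numbers (14 characters, 1 special character, 365 days), the special-character set, the timestamps, and all helper names are assumptions standing in for the page's "X".

```python
"""Password policy enforcement: length, special characters, and a time-based reuse window.

Added example; the numbers below are assumptions standing in for the page's "X".
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 14                 # "must be X characters long"
    min_special: int = 1                 # "at least X special chars"
    reuse_window_days: int = 365         # "cannot reuse for X amount of time"
    special_chars: str = "!@#$%^&*()-_=+[]{};:,.<>?/"


@dataclass(frozen=True)
class HistoryEntry:
    salt: bytes
    digest: bytes
    set_at: float        # epoch seconds when this password was set


@dataclass
class UserRecord:
    history: list[HistoryEntry] = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so the history is not a plaintext list of old passwords.
    # Iteration count kept modest for the example; use a tuned KDF (Argon2/scrypt) in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_complexity(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the complexity rules the candidate violates (empty list means it passes)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c in policy.special_chars for c in password) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    return problems


def used_within_window(password: str, user: UserRecord, policy: PasswordPolicy, now: float) -> bool:
    """True if the candidate matches any password that was set inside the reuse window."""
    cutoff = now - policy.reuse_window_days * 86400
    for entry in user.history:
        if entry.set_at < cutoff:
            continue                      # old enough to be allowed again
        if hmac.compare_digest(_hash(password, entry.salt), entry.digest):
            return True
    return False


def set_password(password: str, user: UserRecord, policy: PasswordPolicy, now: float | None = None) -> list[str]:
    """Apply the policy; on success record the new password and return [], otherwise return the violations."""
    now = time.time() if now is None else now
    problems = check_complexity(password, policy)
    if used_within_window(password, user, policy, now):
        problems.append(f"reused within {policy.reuse_window_days} days")
    if problems:
        return problems
    salt = os.urandom(16)                 # fresh salt per history entry
    user.history.append(HistoryEntry(salt, _hash(password, salt), now))
    return []


if __name__ == "__main__":
    policy = PasswordPolicy()
    user = UserRecord()
    t0 = 1_700_000_000                    # constructed timestamps, not wall-clock time
    print(set_password("short", user, policy, t0))                                     # two complexity violations
    print(set_password("correct horse battery staple!", user, policy, t0))             # []
    print(set_password("correct horse battery staple!", user, policy, t0 + 86400))     # reused
    print(set_password("correct horse battery staple!", user, policy, t0 + 366 * 86400))  # [] again, window expired
```

Because every history entry has its own salt, checking a candidate costs one KDF run per entry inside the window, which is one reason to bound history length (or pair the time window with a "last N passwords" limit) rather than keeping it forever.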

Acceptable use policy
- Allow/deny listing (whitelisting/blacklisting) of activities
  - Internet use
  - Content
  - Copyrighted material and piracy
  - Bypassing security controls

Data ownership policy
- Who owns the data created or stored on company systems
  - If a user writes a program on company assets during work hours, who owns it?

Data retention policy
- What data will be archived and for how long
- What to do with older data
  - Destruction (and how destruction is verified)

Account management policy
- Defines account creation, modification, and deletion
  - Joiner/mover/leaver process; accounts disabled promptly on termination

Data classification policy
- Defines the classification levels (e.g. public, internal, confidential, restricted) and the handling rules for each
Policies, Controls, and Procedures Pt.2

Controls

Technical, physical, or administrative defenses employed to reduce loss or unavailability caused by threats exploiting a corresponding vulnerability
- i.e. the things we do to stop threats from compromising a system/service or making it unavailable

Control selection based on criteria
- Could be dictated by a regulatory body
- Could be dictated by the org's desired security objectives

Organizationally defined parameters
- Rank assets from most important to least important
- More security focus on the most important, less on the least
  - e.g. physical access to the R&D floor of a robotics company
    - More focus on physical security
      - Locks, cameras, MFA, biometrics, guards
    - Less focus on DDoS protection of the public web site
- Usually ends up as a mix of all types of security controls
  - Physical, logical, administrative
Physical controls
- Guards, gates, guns, locks, mantraps, fences, moats, etc.

Logical controls
- Passwords
- Biometrics
- Firewall rules
- File permissions
- Encryption
- IDS/IPS

Administrative controls
- Actions that people take to strengthen security
  - Creating and enforcing procedures
    - Things employees are allowed to do, must do, or must never do
  - Account reviews
  - Background checks
  - Separation of duties
  - Reviewing system logs
Procedures

Step-by-step checklists used to ensure a task is performed according to policy

MANDATORY ADHERENCE

Continuous monitoring
- How monitoring will be executed
- What technologies will be used

Evidence production
- How the organization will handle requests for evidence
  - Subpoenas
  - Court orders
- Preserve chain of custody for anything that may end up in court

Patching
- Well-defined patching schedule
  - Testing
  - Production
- Corrective measures if a patch breaks things (a tested rollback plan)

Control testing procedures
- Meant to verify that the controls are performing as required/desired
- Should be done regularly on a defined schedule
- Record the result of each run so drift is visible over time
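An added example, not from the original page, of what a control testing procedure looks like when it is automated, run here over the "file permissions" logical control listed earlier: a baseline of the most permissive mode each file may have, a check per control that also treats a missing file as a failure (a control whose object does not exist is not in place), and a pass/fail report suitable for recording each scheduled run. The fixture files, their modes, the descriptions, and the function names are all constructed for the example.

```python
"""Control test: verify file-permission controls against an expected baseline.

Added example; the fixture files and expected modes are constructed, not taken from any real system.
"""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class PermissionControl:
    """One expected logical control: a path and the most permissive mode allowed for it."""
    path: str
    max_mode: int          # e.g. 0o600; any permission bit outside this mask is a finding
    description: str


def check_permission_control(ctl: PermissionControl) -> tuple[str, str, str]:
    """Return (path, 'PASS' or 'FAIL', detail) for one control.

    A missing file is a FAIL too: the control cannot be 'in place' if its object is absent.
    """
    try:
        mode = stat.S_IMODE(os.stat(ctl.path).st_mode)
    except FileNotFoundError:
        return (ctl.path, "FAIL", "file missing")
    excess = mode & ~ctl.max_mode          # bits set on disk that the baseline does not allow
    if excess:
        return (ctl.path, "FAIL", f"mode {mode:04o} exceeds {ctl.max_mode:04o} (extra bits {excess:04o})")
    return (ctl.path, "PASS", f"mode {mode:04o} within {ctl.max_mode:04o}")


def run_control_tests(controls: list[PermissionControl]) -> list[tuple[str, str, str]]:
    """Run every control check and return the results in the same order."""
    return [check_permission_control(c) for c in controls]


def demo() -> dict[str, str]:
    """Build a throwaway fixture, run the tests, and return {description: status}."""
    with tempfile.TemporaryDirectory() as root:
        key = os.path.join(root, "server.key")
        cfg = os.path.join(root, "app.conf")
        missing = os.path.join(root, "audit.log")   # deliberately never created
        for p in (key, cfg):
            with open(p, "w") as f:
                f.write("x\n")
        os.chmod(key, 0o600)        # compliant with a 0o600 baseline
        os.chmod(cfg, 0o666)        # world-writable: violates a 0o644 baseline
        controls = [
            PermissionControl(key, 0o600, "private key readable only by owner"),
            PermissionControl(cfg, 0o644, "config not writable by group/others"),
            PermissionControl(missing, 0o640, "audit log present and protected"),
        ]
        results = run_control_tests(controls)
        for ctl, (_, status, detail) in zip(controls, results):
            print(f"{status}  {ctl.description}: {detail}")
        return {ctl.description: status for ctl, (_, status, _) in zip(controls, results)}


if __name__ == "__main__":
    demo()
```

The mask comparison (`mode & ~max_mode`) reports exactly which extra bits were found, which is more useful in a ticket than "permissions wrong"; the same pattern extends to any control whose expected state can be read back (firewall rule present, service disabled, setting equals value).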

Manage exceptions
- All exceptions must be authorized
  - A good reason must be submitted for the exception
- All exceptions must be documented
  - What requires an exception
  - Why the exception is needed
  - How long the exception will be needed (give it an expiry date and re-review it then)
  - Risks associated with the exception
  - Whether compensating controls can be employed to mitigate those risks

Compensating control development
- Must meet the intent and rigor of the original requirement
- Must provide a similar level of defense as the original requirement
- Must go above and beyond other existing requirements (a control that is already required elsewhere cannot be counted again as compensation)
Remediation plans
- What will be fixed, by whom, and by when, for findings from audits, assessments, and control tests

Verifications and quality control

Audits
- An outside party performs a formal investigation of the company's security process
- Verifies compliance with organizational and/or regulatory requirements

Evaluations

Assessments and evaluations
- Informal review of the company's security process
- Often self-requested
- Proactive
- Less intensive than an audit

Maturity model
- A map from where the org is to where it would like to be, as far as security posture
  - Where do we stand now?
  - Where do we wish to be?
  - How do we get there?
- NIST and COBIT have maturity models (NIST itself notes that the CSF Tiers are not strictly maturity levels; COBIT's process capability model is the closer fit)