Isc Chapter 5
Chapter 5 Agenda
Module 1: Understand Data Security (D5.1)
Module 2: Understand System Hardening (D5.2)
Module 3: Understand Best Practice Security Policies (D5.3)
Module 4: Understand Security Awareness Training (D5.3, D5.4)
Chapter 5 Overview
Let’s take a more detailed look at the day-to-day, moment-by-moment active use of
the security controls and risk mitigation strategies that an organization has in place.
We will explore ways to secure the data and the systems they reside on, and how to
encourage secure practices among people who interact with the data and systems
during their daily duties.
Learning Objectives
Domain 5: Security Operations Objectives
After completing this chapter, the participant will be able to:
Explain concepts of security operations.
Discuss data handling best practices.
Identify important concepts of logging and monitoring.
Summarize the different types of encryption and their common uses.
Describe the concepts of configuration management.
Explain the application of common security policies.
Discuss the importance of security awareness training.
Practice the terminology of and review the concepts of network operations.
Chapter at a Glance
Domain D5.0, D5.1.1, D5.1.2, D5.1.3
Module Objective
Hardening is the process of applying secure configurations (to reduce the attack surface) and
locking down various hardware, communications systems and software, including the operating
system, web server, application server and applications, etc. In this module, we will introduce
configuration management practices that will ensure systems are installed and maintained
according to industry and organizational security standards.
Manny: It's hard to imagine the sheer volume of data that's flying around the world right now.
Tasha: Right, and information security, as a process and discipline, provides a structure for
protecting the value of data as an organization creates, stores, shares, uses, modifies, archives,
and finally destroys that data.
Manny: Writing information down on paper, a whiteboard, or a flash drive, or putting it in a file
in the cloud creates data that is a tangible asset. The organization has to protect both the ideas
and the data.
Tasha: Yes, and all the copies of it in papers, books, conversation logs, computer files, database
records and the network packets which help move that information from one location or user to
another.
Data itself goes through its own life cycle as users create, use, share and modify it.
Many different models of the life of a data item can be found, but they all have
some basic operational steps in common. The data security life cycle model is
useful because it can align easily with the different roles that people and
organizations perform during the evolution of data from creation to destruction (or
disposal). It also helps put the different data states of in use, at rest and in motion,
into context. Let’s take a closer look.
All ideas, data, information or knowledge can be thought of as going through six
major sets of activities throughout its lifetime. Conceptually, these involve:
Create
Creating the knowledge, which is usually tacit knowledge at this point.
Store
Storing or recording it in some fashion (which makes it explicit).
Use
Using the knowledge, which may cause the information to be modified,
supplemented or partially deleted.
Share
Sharing the data with other users, whether as a copy or by moving the data from
one location to another.
Archive
Archiving the data when it is temporarily not needed.
Destroy
Destroying the data when it is no longer needed.
First, we need to recognize which assets we need to protect. This is based on the
value of the data according to the owner of that data. Based on that, we see what
kind of risk we are facing with respect to the likelihood that this information could
be compromised, destroyed or changed by any means, and what vulnerabilities
exist that we need to account for. This is the life cycle of data handling, from create,
to store, to use, to share, to archive and finally to destroy. And at any point there
are different risks to the data and different practices for handling it. Some of these
procedures are mandated by government standards.
For example, in the US, the Occupational Safety and Health Administration (OSHA)
is the federal government agency that protects the well-being of workers. Under
the rules of the Healthcare Insurance Portability and Accountability Act (HIPAA),
medical records need to be kept for 10 years, but under OSHA, if we have a medical
record of an on-the-job injury, that record needs to be maintained for over 30
years, even after the last day of work in that particular organization. That’s a
regulatory requirement, and if you don’t know that or don’t abide by it, you can find
yourself in trouble as the result of an audit. So you can see that we have to be very
cautious when deciding how to handle data, as there may be multiple regulations
that apply to a single piece of data.
Also in the US there are also specific guidelines related to the Payment Card
Industry Data Security Standards (PCI DSS) requirements regarding credit card
information and how to maintain that information securely. In the European Union,
the GDPR also has specific requirements regarding the handling of financial data. In
order to protect the data properly, you need to know all the relevant requirements
for the type of data being protected in the various geographic areas.
Many countries and other jurisdictions have regulations that require certain data
protections throughout every stage of the data’s life cycle. These govern how the
data is acquired, processed, stored, and ultimately destroyed. And when looking at
the life cycle of the data, we need to keep a watchful eye and protect the
information at every stage, even if it’s ready to be legally destroyed at the end of
the life cycle. In some cases, multiple jurisdictions may impose rules affecting the
data we are charged with protecting. In these instances, we need to be aware of
any and all regulations that affect us.
Some data handling practices include classification and labeling, where you
determine the sensitivity of the data, what is available to everyone and what needs
to be restricted, and label the information accordingly so that your access controls
will allow the correct level of access.
Retention is how long we store the information and where, based on the
requirements of our organization and perhaps regulatory agencies as well. And
then there needs to be defensible destruction, meaning that we have the regulatory
mandate backing up our decision to destroy the data. Destruction can be physical,
of hard drives or computer chips, or destruction of digital records, which can be
done under a number of methodologies. We need to make sure we understand the
secure destruction of the data, because often we think we can just empty the virtual
trash can to delete the data. But when we do that, old emails and other data may
never be erased. To completely erase the data on physical media, you need to use
some technical equipment for degaussing, such as powerful magnets to erase the
data stored on tape and disk media such as computer and laptop hard drives,
diskettes, reels, cassettes and cartridge tapes.
Data itself has value and must be handled appropriately. In this section, we will
explore the basics of classifying and labeling data to ensure it is treated and
controlled in a manner consistent with the sensitivity of the data. In addition, we
will complete the data life cycle by documenting retention requirements and
ensuring data that is no longer in use is destroyed.
Classification
Businesses recognize that information has value and others might steal their
advantage if the information is not kept confidential, so they classify it. These
classifications dictate rules and restrictions about how that information can be
used, stored or shared with others. All of this is done to keep the temporary value
and importance of that information from leaking away. Classification of data, which
asks the question “Is it secret?” determines the labeling, handling and use of all
data.
Before any labels can be attached to sets of data that indicate its sensitivity or
handling requirements, the potential impact or loss to the organization needs to be
assessed. This is our first definition: Classification is the process of recognizing the
organizational impacts if the information suffers any security compromises related
to its characteristics of confidentiality, integrity and availability. Information is then
labeled and handled
accordingly.
The immediate benefit of classification is that it can lead to more efficient design
and implementation of security processes, if we can treat the protection needs for
all similarly classified information with the same controls strategy.
Labeling
Security labels are part of implementing controls to protect classified information. It
is reasonable to want a simple way of assigning a level of sensitivity to a data asset,
such that the higher the level, the greater the presumed harm to the organization,
and thus the greater security protection the data asset requires. This spectrum of
needs is useful, but it should not be taken to mean that clear and precise
boundaries exist between the use of “low sensitivity” and “moderate sensitivity”
labeling, for example.
Data Sensitivity Levels and Labels
Unless otherwise mandated, organizations are free to create classification systems
that best meet their own needs. In professional practice, it is typically best if the
organization has enough classifications to distinguish between sets of assets with
differing sensitivity/value, but not so many classifications that the distinction
between them is confusing to individuals. Typically, two or three classifications are
manageable, and more than four tend to be difficult.
Retention
Information and data should be kept only for as long as it is beneficial, no more and
no less. For various types of data, certain industry standards, laws and regulations
define retention periods. When such external requirements are not set, it is an
organization’s responsibility to define and implement its own data retention policy.
Data retention policies are applicable both for hard copies and for electronic data,
and no data should be kept beyond its required or useful life. Security professionals
should ensure that data destruction is being performed when an asset has reached
its retention limit. For the security professional to succeed in this assignment, an
accurate inventory must be maintained, including the asset location, retention
period requirement, and destruction requirements. Organizations should conduct a
periodic review of retained records in order to reduce the volume of information
stored and to ensure that only necessary information is preserved.
Destruction
Data that might be left on media after deleting is known as remanence and may be
a significant security concern. Steps must be taken to reduce the risk that data
remanence could compromise sensitive information to an acceptable level. This can
be done by one of several means:
user IDs
system activities
dates/times of key events (e.g., logon and logoff)
device and location identity
successful and rejected system and resource access attempts
system configuration changes and system protection activation and
deactivation events
Logging and monitoring the health of the information environment is essential to
identifying inefficient or improperly performing systems, detecting compromises
and providing a record of how systems are used. Robust logging practices provide
tools to effectively correlate information from diverse systems to fully understand
the relationship between one activity and another.
Log reviews are an essential function not only for security assessment and testing
but also for identifying security incidents, policy violations, fraudulent activities and
operational problems near the time of occurrence. Log reviews support audits –
forensic analysis related to internal and external investigations – and provide
support for organizational security baselines. Review of historic audit logs can
determine if a vulnerability identified in a system has been previously exploited.
Here is a data security event example. It’s a raw log, and it is one way to see if
someone tried to break into a secure file and hijack the server. Of course, there are
other systems now that are a little more user-friendly. But security engineers get
very familiar with some of these codes and can figure out exactly who was trying to
log in, and whether it was a secure port or a questionable port that they were trying
to use to penetrate our site.
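The raw-log review described above, as an added example that is not part of the course material: a small parser for sshd-style authentication lines (host, user, source address and port are constructed sample values) that pulls out the fields the log record list names and summarises accepted versus rejected attempts, sources with repeated failures, and attempts against privileged or non-existent accounts.

```python
import re
from collections import Counter

# Constructed sample of raw sshd-style authentication log lines. The host,
# user names and addresses are made up for this example; nothing here comes
# from the course material.
SAMPLE_LOG = """\
Mar 11 08:02:15 fileserver sshd[2210]: Accepted publickey for alice from 10.0.5.21 port 52110 ssh2
Mar 11 08:02:40 fileserver sshd[2231]: Failed password for root from 203.0.113.45 port 2222 ssh2
Mar 11 08:02:41 fileserver sshd[2231]: Failed password for root from 203.0.113.45 port 2222 ssh2
Mar 11 08:02:43 fileserver sshd[2231]: Failed password for root from 203.0.113.45 port 2222 ssh2
Mar 11 08:02:44 fileserver sshd[2231]: Failed password for root from 203.0.113.45 port 2222 ssh2
Mar 11 08:03:01 fileserver sshd[2240]: Failed password for invalid user admin from 203.0.113.45 port 2222 ssh2
Mar 11 08:05:12 fileserver sshd[2255]: Accepted password for bob from 10.0.5.30 port 49876 ssh2
Mar 11 08:06:00 fileserver sshd[2260]: Failed password for bob from 10.0.5.30 port 49880 ssh2
"""

# One sshd line carries most of the fields the text lists for a log record:
# date/time of the event, the device (host), the user ID, whether the access
# attempt succeeded or was rejected, and the source address and port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["invalid_user"] = e.pop("invalid") is not None
    e["port"] = int(e["port"])  # the client's source port, as sshd logs it
    return e


def parse_log(text):
    """Parse every recognised line of a raw log; unrelated lines are skipped."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def review(entries, fail_threshold=3):
    """Summarise a batch of auth events the way a log review would: how many
    attempts were accepted or rejected, which sources crossed the failure
    threshold, and which failed attempts targeted privileged or non-existent
    accounts (the ones worth a closer look)."""
    failures = Counter(e["src"] for e in entries if e["result"] == "Failed")
    return {
        "accepted": sum(e["result"] == "Accepted" for e in entries),
        "rejected": sum(e["result"] == "Failed" for e in entries),
        "repeat_failure_sources": {s: n for s, n in failures.items() if n >= fail_threshold},
        "account_probes": sorted(
            {(e["user"], e["src"]) for e in entries
             if e["result"] == "Failed" and (e["user"] == "root" or e["invalid_user"])}
        ),
    }


if __name__ == "__main__":
    for key, value in review(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```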
Information security is not something that you just plug in as needed. You can have
some patching on a system that already exists, such as updates, but if you don’t
have a secure system, you can’t just plug in something to protect it. From the very
beginning, we need to plan for that security, even before the data is introduced into
the network.
Different tools are used depending on whether the risk from the attack is from
traffic coming into or leaving the infrastructure. Ingress monitoring refers to
surveillance and assessment of all inbound communications traffic and access
attempts. Devices and tools that offer logging and alerting opportunities for ingress
monitoring include:
Firewalls
Gateways
Remote authentication servers
IDS/IPS tools
SIEM solutions
Anti-malware solutions
Egress monitoring is used to regulate data leaving the organization’s IT
environment. The term currently used in conjunction with this effort is data loss
prevention (DLP) or data leak protection. The DLP solution should be deployed so
that it can inspect all forms of data leaving the organization, including:
Encryption Overview
Almost every action we take in our modern digital world
involves cryptography. Encryption protects our personal and business
transactions; digitally signed software updates verify their creator’s or supplier’s
claim to authenticity. Digitally signed contracts, binding on all parties, are routinely
exchanged via email without fear of being repudiated later by the sender.
Cryptography is used to protect information by keeping its meaning or content
secret and making it unintelligible to someone who does not have a way to decrypt
(unlock) that protected information. The objective of every encryption system is to
transform an original set of data, called the plaintext, into an otherwise
unintelligible encrypted form, called the ciphertext.
Plaintext is the data or message in its normal, unencrypted form and format. Its
meaning or value to an end user (a person or a process) is immediately available
for use.
The central characteristic of a symmetric algorithm is that it uses the same key in
both the encryption and the decryption processes. It could be said that
the decryption process is just a mirror image of the encryption process. This image
displays how symmetric algorithms work.
The same key is used for both the encryption and decryption processes. This
means that the two parties communicating need to share knowledge of the same
key. This type of algorithm protects data, as a person who does not have the
correct key would not be able to read the encrypted message. Because the key is
shared, however, this can lead to several other challenges:
Distribution of the key is difficult, because the key cannot be sent in the same
channel as the encrypted message, or the man-in-the-middle (MITM) would
have access to the key. Sending the key through a different channel (band)
than the encrypted message is called out-of-band key distribution. Examples
of out-of-band key distribution would include sending the key via courier, fax
or phone.
Any party with knowledge of the key can access (and therefore change) the
message.
Each individual or group of people wishing to communicate would need to
use a different key for each individual or group they want to connect with.
This raises the challenge of scalability — the number of keys needed grows
quickly as the number of different users or groups increases. Under this type
of symmetric arrangement, an organization of 1,000 employees would need
to manage 499,500 keys if every employee wanted to communicate
confidentially with every other employee.
Same key
Single key
Shared key
Secret key
Session key
An example of symmetric encryption is a substitution cipher, which involves the
simple process of substituting letters for other letters, or more appropriately,
substituting bits for other bits, based upon a cryptovariable. These ciphers involve
replacing each letter of the plaintext with another that may be further down the
alphabet.
Asymmetric Encryption
Asymmetric encryption uses one key to encrypt and a different key to decrypt the
input plaintext. This is in stark contrast to symmetric encryption, which uses the
same key to encrypt and decrypt. For most security professionals, the math of
asymmetric encryption can be left to the cryptanalysts and cryptographers to
know.
Note that anyone can encrypt something using the recipient’s public key, but only
the recipient, with their private key, can decrypt it.
Asymmetric key cryptography also solves the problem of scalability. It does scale
well as numbers increase, as each party only requires a key pair, the private and
public keys. An organization with 100,000 employees would only need a total of
200,000 keys (one private and one public for each employee). This is less than half
of the number of keys that would be required for symmetric encryption.
The problem, however, has been that asymmetric cryptography is extremely slow
compared with its symmetric counterpart. Asymmetric cryptography is impractical
for everyday use in encrypting large amounts of data or for frequent transactions
where speed is required. This is because asymmetric key cryptography is handling
much larger keys and is mathematically intensive, thereby reducing the speed
significantly.
The two keys (private and public) are a key pair; they must be used together. This
means that any message that is encrypted with a public key can only be decrypted
with the corresponding other half of the key pair, the private key. Similarly, signing
a message with a sender’s private key can only be verified by the recipient
decrypting its signature with the sender’s public key. Therefore, as long as the key
holder keeps the private key secure, there exists a method of transmitting a
message confidentially. The sender would encrypt the message with the public key
of the receiver. Only the receiver with the private key would be able to open or read
the message, providing confidentiality.
This image shows how asymmetric encryption can be used to send a confidential
message across an untrusted channel.
It is part of human nature to encrypt information. You start with clear text, which is
the information that you and I could easily read, and then you use an algorithm,
which is often a form of software that can be embedded in the system. But that
needs to be activated with an encryption key. A very simple example is if you are
trying to encrypt a PDF document; for example, perhaps your accountant is sending
you some documents to sign before submitting your taxes. Encryption would create
a ciphertext, which no one can use, and you and your accountant would have set
up a preset encryption key so that you could retrieve the information at either end
of the communication. You need to have good key management, which means you
safeguard the information, because imagine if you have thousands of keys in a
commercial environment. There is often a third party or external server where the
keys will be separately stored and managed, so you don’t have all your eggs in one
basket, so to speak. It will be protected through a hashing system, which we will
explore in a moment, and no one else can have access to those keys.
Asymmetric encryption is more secure because the sender and receiver each use a
unique code, often a certificate, so you can confirm that the information has been
sent from the sender to the recipient in a secure manner.
Hashing
Hashing takes an input set of data (of almost arbitrary size) and returns a fixed-
length result called the hash value. A hash function is the algorithm used to
perform this transformation. When used with cryptographically strong hash
algorithms, this is the most common method of ensuring message integrity today.
Hashes have many uses in computing and security, one of which is to create
a message digest by applying such a hash function to the plaintext body of a
message.
To be useful and secure, a cryptographic hash function must demonstrate five main
properties:
Useful: It is easy to compute the hash value for any given message.
Nonreversible: It is computationally infeasible to reverse the hash process or
otherwise derive the original plaintext of a message from its hash value
(unlike an encryption process, for which there must be a corresponding
decryption process).
Content integrity assurance: It is computationally infeasible to modify a
message such that re-applying the hash function will produce the original
hash value.
Unique: It is computationally infeasible to find two or more different,
sensible messages that hash to the same value.
Deterministic: The same input will always generate the same hash, when
using the same hashing algorithm.
Cryptographic hash functions have many applications in information security,
including digital signatures, message authentication codes and other forms
of authentication. They can also be used for fingerprinting, to detect
duplicate data or uniquely identify files, and as checksums to detect
accidental data corruption. The operation of a hashing algorithm is
demonstrated in this image.
The problem with a simple hash function like this is that it does not protect
against a malicious attacker that would be able to change both the message
and the hash/digest by intercepting it in transit. The general idea of a
cryptographic hash function can be summarized with the following formula:
Hash functions are very sensitive to any changes in the message. Because the size
of the hash digest does not vary according to the size of the message, a person
cannot tell the size of the message based on the digest.
Hashing Deep Dive
For example, we pay our rent through automatic withdrawal, and it’s $5,000 a
month. Perhaps someone at the bank or at the rental office thinks they can just
change it to $50,000 and keep the extra money. They think no one will notice if they
just add another zero to the number. However, that change will completely change
the digest. Since the digest is different, it will indicate that someone corrupted the
information by changing the value of the automatic withdrawal, and it will not go
through. Hashing is an extra layer of defense.
Before we go live with a software product provided by a third party, for instance, we
have to make sure no one has changed anything since it was tested by you and the
programmer. They will usually send you the digest of their code and you compare
that to the original. This is also known as a checksum. If you see a discrepancy, that
means something has changed. Then the security coders will compare the original
one and the new one, and sometimes it’s very tedious, but they have software that
can do it for them. If it’s something a little more intricate, they may need to go line
by line and find out where the bugs are or if some lines need to be fixed. Often
these problems are not intentional; they sneak in when you are making final
adjustments to the software.
An incident occurred at the University of Florida many years ago, where a very
reputable software source, Windows 2000 or Millennium, was provided to 50,000
students via CD-ROMs, and the copies were compromised. The problems were
detected when the digests did not match on a distribution file.
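The hashing points made above (the $5,000 to $50,000 change altering the digest, the checksum comparison on a delivered distribution file, and the note that a bare digest does not stop someone who can alter both message and digest in transit), as one added example that is not part of the course material. The withdrawal instruction and shared key are constructed values; the keyed variant (HMAC-SHA256) is the message authentication code mentioned in the text, shown here as the defence for the in-transit case.

```python
import hashlib
import hmac


def digest(data, algorithm="sha256"):
    """Hex digest of `data`; its length depends only on the algorithm, never on
    the size of the input."""
    return hashlib.new(algorithm, data).hexdigest()


# Constructed example of the withdrawal instruction discussed in the text.
RENT = b"ACH debit acct=****1234 amount=5000.00 USD schedule=monthly"
RENT_TAMPERED = b"ACH debit acct=****1234 amount=50000.00 USD schedule=monthly"


def verify_checksum(data, published_hex, algorithm="sha256"):
    """Compare a file or message against a published digest: the checksum check
    run on a delivered distribution file before going live with it."""
    return hmac.compare_digest(digest(data, algorithm), published_hex.strip().lower())


def forge_in_transit(new_message):
    """What a bare digest cannot stop: whoever can alter the message in transit
    can recompute a matching digest, so the receiver's checksum check still passes."""
    return new_message, digest(new_message)


def tag(key, message):
    """Keyed digest (HMAC-SHA256). Without the shared key no matching tag can be
    produced, which is what turns a hash into a message authentication code."""
    return hmac.new(key, message, "sha256").hexdigest()


def verify_tag(key, message, received_tag):
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(tag(key, message), received_tag)


if __name__ == "__main__":
    print(digest(RENT))
    print(digest(RENT_TAMPERED))
    print(verify_checksum(RENT_TAMPERED, digest(RENT)))      # tamper is caught
    msg, d = forge_in_transit(RENT_TAMPERED)
    print(verify_checksum(msg, d))                            # ...unless digest travels with it
    key = b"constructed-shared-key"
    print(verify_tag(key, RENT_TAMPERED, tag(key, RENT)))     # keyed tag still catches it
```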
Domain D5.2.1
Module Objective
Manny: With so much data to work with, and so many different software applications required
to handle it, how do companies keep track of everything?
Tasha: It's a challenge all right; that's why we need configuration management. It's part of
cybersecurity in that it protects the confidentiality, integrity, and availability of data by making
sure that only authorized and validated changes are made to a system. Every change also needs
to be tested to make sure it doesn't cause any disruption to any other part of the system.
Manny: I can understand that. It seems like every time we upgrade our computer systems at the
high school, something else stops working.
Tasha: Let's find out how cybersecurity professionals work to prevent that from happening.
Inventory
Making an inventory, catalog or registry of all the information assets that the
organization is aware of (whether they already exist, or there’s a wish list or need to
create or acquire them) is the first step in any asset management process. It
requires that we locate and identify all assets of interest, including (and especially)
the information assets:
It becomes even more challenging to keep that inventory, and its health and status
with respect to updates and patches, consistent and current, day in and day out. It
is, in fact, quite challenging to identify every physical host and endpoint, let alone
gather the data from them all.
Baselines
Once controls are in place to mitigate risks, the baselines can be referenced. All
further comparisons and development are measured against the baselines.
Repairs, maintenance actions and updates are frequently required on almost all
levels of systems elements, from the basic infrastructure of the IT architecture on
up through operating systems, applications platforms, networks and user
interfaces. Such modifications must be acceptance tested to verify that newly
installed (or repaired) functionality works as required. They must also be regression
tested to verify that the modifications did not introduce other erroneous or
unexpected behaviors in the system. Ongoing security assessment and evaluation
testing evaluates whether the same system that passed acceptance testing is still
secure.
Patches
There are some issues with the use of patches. Many organizations have been
affected by a flawed patch from a reputable vendor that affected system
functionality. Therefore, an organization should test the patch before rolling it out
across the organization. This is often complicated by the lack of a testing
environment that matches the production environment. Few organizations have
the budget to maintain a test environment that is an exact copy of production.
There is always a risk that the testing will not always be able to test everything, and
problems may appear in production that were not apparent in the test
environment. To the extent possible, patches should be tested to ensure they will
work correctly in production.
If the patch does not work or has unacceptable effects, it might be necessary to roll
back to a previous (pre-patch) state. Typically, the criteria for rollback are previously
documented and would automatically be performed when the rollback criteria
were met.
Many vendors offer a patch management solution for their products. These
systems often have certain automated processes, or unattended updates, that
allow the patching of systems without interaction from the administrator. The risk
of using unattended patching should be weighed against the risk of having
unpatched systems in the organization’s network. Unattended (or automated)
patching might result in unscheduled outages as production systems are taken
offline or rebooted as part of the patch process.
Narrator: You have to make sure you have a robust change management process and make
sure you test in model environments before you make any change in a production or live
environment. Even with extensive planning and testing, there are sometimes unintended
consequences, so you must make sure there is a rollback plan. A rollback is restoring the system
to the state it was in before the change was made, to the point where we know it was working
properly before we introduced changes into the environment. We need to make sure we
review and test all the patches and can restore the previous configuration.
Module Objective
Manny: What kind of policies can organizations establish to help their employees or members
protect their data?
Tasha: Policies can include password requirements, limits on personal devices, and all kinds of
other policies to ensure privacy and security. In this module, we'll explore the most common
security policies found in organizations and identify some components of these policies.
Here are six common security-related policies that exist in most organizations.
Password Policy
Every organization should have a password policy in place that defines expectations
of systems and users. The password policy should describe senior leadership's
commitment to ensuring secure access to data, outline any standards that the
organization has selected for password formulation, and identify who is designated
to enforce and validate the policy.
Privacy Policy
An organization may allow workers to acquire equipment of their choosing and use
personally owned equipment for business (and personal) use. This is sometimes
called bring your own device (BYOD). Another option is to present the teleworker or
employee with a list of approved equipment and require the employee to select
one of the products on the trusted list.
Letting employees choose the device that is most comfortable for them may be
good for employee morale, but it presents additional challenges for the security
professional because it means the organization loses some control over
standardization and privacy. If employees are allowed to use their phones and
laptops for both personal and business use, this can pose a challenge if, for
example, the device has to be examined for a forensic audit. It can be hard to
ensure that the device is configured securely and does not have any backdoors or
other vulnerabilities that could be used to access organizational data or systems.
All employees must read and agree to adhere to this policy before any access to the
systems, network and/or data is allowed. If and when the workforce grows, so too
will the problems with BYOD. Certainly, the appropriate tools are going to be
necessary to manage the use of and security around BYOD devices and usage. The
organization needs to establish clear user expectations and set the appropriate
business rules.
Common Security Policies Deeper Dive
Policies will be set according to the needs of the organization and its vision and
mission. Each of these policies should have a penalty or a consequence attached in
case of noncompliance. The first time may be a warning; the next might be a forced
leave of absence or suspension without pay, and a critical violation could even
result in an employee’s termination. All of this should be outlined clearly during
onboarding, particularly for information security personnel. It should be made clear
who is responsible for enforcing these policies, and the employee must sign off on
them and have documentation saying they have done so. This process could even
include a few questions in a survey or quiz to confirm that the employees truly
understand the policy. These policies are part of the baseline security posture of
any organization. Any security or data handling procedures should be backed up by
the appropriate policies.
Rollback
Depending upon the nature of the change, a variety of activities may need to be completed.
These generally include: scheduling the change; testing the change; verifying the rollback
procedures; implementing the change; evaluating the change for proper and effective
operation; and documenting the change in the production environment. Rollback authority is
generally defined in the rollback plan; the rollback itself may be immediate, or scheduled as
a subsequent change if monitoring of the change shows inadequate performance.
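The activities above can be shown in working code. What follows is an added example, not code from the ISC2 course material: a minimal change runner that takes one change through scheduling, testing, rollback verification, implementation, evaluation and documentation, and applies the already-verified rollback immediately when evaluation in production fails. ChangeRecord, run_change and the two sample configuration changes are all hypothetical and constructed for this illustration.

```python
"""Added example (not code from the ISC2 course material): a change runner that
walks one change through schedule, test, verify rollback, implement, evaluate,
document. ChangeRecord, run_change and the sample changes are hypothetical."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Config = Dict[str, Any]


@dataclass
class ChangeRecord:
    change_id: str
    description: str
    apply: Callable[[Config], None]      # forward change
    rollback: Callable[[Config], None]   # reverse change, must restore prior state
    evaluate: Callable[[Config], bool]   # health check run after apply
    log: List[str] = field(default_factory=list)  # the change documentation


def run_change(change: ChangeRecord, live: Config, test: Config) -> bool:
    """Return True if the change is live and healthy, False if it was rejected
    or rolled back. `live` is production state, `test` a non-production copy."""
    change.log.append(f"{change.change_id}: scheduled ({change.description})")

    # Testing the change on the non-production copy.
    before_test = dict(test)
    change.apply(test)
    if not change.evaluate(test):
        change.log.append("test failed: change rejected before reaching production")
        return False

    # Verifying the rollback procedure: it must restore the pre-change state exactly.
    change.rollback(test)
    if test != before_test:
        change.log.append("rollback verification failed: change rejected")
        return False
    change.log.append("test and rollback verification passed")

    # Implementing the change in production.
    before_live = dict(live)
    change.apply(live)
    change.log.append("implemented in production")

    # Evaluating the change for proper and effective operation.
    if change.evaluate(live):
        change.log.append("evaluation passed: change documented as complete")
        return True

    # Immediate rollback under the authority defined in the rollback plan.
    change.rollback(live)
    if live != before_live:
        change.log.append("ROLLBACK DID NOT RESTORE PRIOR STATE: escalate")
    else:
        change.log.append("evaluation failed: rolled back to previous state")
    return False


def tls_change() -> ChangeRecord:
    """Constructed change: raise the minimum TLS version accepted by a service."""
    return ChangeRecord(
        change_id="CHG-0001",
        description="raise minimum TLS version to 1.2",
        apply=lambda c: c.update(tls_min="1.2"),
        rollback=lambda c: c.update(tls_min="1.0"),
        evaluate=lambda c: c.get("tls_min") == "1.2",
    )


def cert_change() -> ChangeRecord:
    """Constructed change that passes in test but fails in production because
    the new certificate was never installed there."""
    return ChangeRecord(
        change_id="CHG-0002",
        description="switch service to new certificate",
        apply=lambda c: c.update(cert="new-cert.pem"),
        rollback=lambda c: c.update(cert="old-cert.pem"),
        evaluate=lambda c: c["cert"] in c["installed_certs"],
    )


def demo() -> Dict[str, bool]:
    """Run both constructed changes and return their outcomes."""
    results = {}
    live = {"tls_min": "1.0"}
    results["CHG-0001"] = run_change(tls_change(), live, dict(live))
    live = {"cert": "old-cert.pem", "installed_certs": ("old-cert.pem",)}
    test = {"cert": "old-cert.pem", "installed_certs": ("old-cert.pem", "new-cert.pem")}
    results["CHG-0002"] = run_change(cert_change(), live, test)
    return results


if __name__ == "__main__":
    for change_id, ok in demo().items():
        print(change_id, "live" if ok else "rolled back or rejected")
```

The second sample change is the case the rollback plan exists for: it passes every pre-production step, fails the production evaluation, and is reverted at once, with the whole sequence left in the change's log as its documentation.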
All security related policies should align with the organization’s risk tolerance while ensuring
that regulatory requirements are met. An organization that does not store confidential data on
a laptop or workstation is likely to be more relaxed in their acceptable use policy, while a
healthcare facility, research institution or defense contractor may be much stricter, as they
have data that can be potentially devastating if compromised.
Domain D5.4, D5.4.1, D5.4.2, D5.3.2
Module Objective
To reduce the effectiveness of certain types of attacks (such as social engineering), it is crucial
that the organization informs its employees and staff how to recognize security problems and
how to operate in a secure manner. While the specifics of secure operation differ in each
organization, there are some general concepts that are applicable to all such programs.
Employees cannot follow policies and procedures if they have not received training
on what the policies and procedures are. This is especially important for topics like
data handling and emergency response activities. For instance: fire drills are crucial
to protect health and human safety, and train users how to implement the process
of protecting themselves from danger.
Education may help workers in a secure server room understand the interaction of
the various fire and smoke detectors, suppression systems, alarms and their
interactions with electrical power, lighting and ventilation systems.
Training would provide those workers with task-specific, detailed learning about the
proper actions each should take in the event of an alarm, a suppression system
going off without an alarm, a ventilation system failure or other contingency. This
training would build on the learning acquired via the educational activities.
Awareness activities would include not only posting the appropriate signage, floor
or doorway markings, but also other indicators to help workers detect an anomaly,
respond to an alarm and take appropriate action. In this case, awareness is a
constantly available reminder of what to do when the alarms go off.
Translating that into an anti-phishing campaign might be done by:
Education may be used to help select groups of users better understand the ways in
which social engineering attacks are conducted and engage those users in creating
and testing their own strategies for improving their defensive techniques.
Training will help users increase their proficiency in recognizing a potential phishing
or similar attempt, while also helping them practice the correct responses to such
events. Training may include simulated phishing emails sent to users on a network
to test their ability to identify a phishing email.
Raising users’ overall awareness of the threat posed by phishing, vishing, SMS
phishing (also called “smishing”) and other social engineering tactics. Awareness
techniques can also alert selected users to new or novel approaches that such
attacks might be taking.
Let’s look at some common risks and why it’s important to include them in your
security awareness training programs.
Phishing
The use of phishing attacks to target individuals, entire departments and even
companies is a significant threat that the security professional needs to be aware of
and be prepared to defend against. Countless variations on the basic phishing
attack have been developed in recent years, leading to a variety of attacks that are
deployed relentlessly against individuals and networks in a never-ending stream of
emails, phone calls, spam, instant messages, videos, file attachments and many
other delivery mechanisms.
Phishing attacks that attempt to trick highly placed officials or private individuals
with sizable assets into authorizing large fund wire transfers to previously unknown
entities are known as whaling attacks.
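The anti-phishing training described above teaches users to look for a handful of concrete signs in a message. As an added example, not part of the ISC2 course material, the following checker pulls those same indicators out of an email automatically: a Reply-To on a different domain than the sender, a display name that carries an address from another domain, a sender domain that imitates a trusted one, a link whose visible text names one host while the href goes elsewhere, and pressure language in the body. The trusted-domain list, the phrase list and both sample messages are constructed for this illustration and use reserved .example names.

```python
"""Added example (not part of the ISC2 course text): a defender-side checker
for the phishing indicators awareness training teaches users to look for.
TRUSTED_DOMAINS, URGENCY_PHRASES and the two sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: domains the organisation and its bank actually use.
TRUSTED_DOMAINS = {"corp.example", "bank.example"}
# Constructed: pressure phrases typical of phishing lures.
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "verify your account",
                   "wire transfer")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (banc vs bank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Concatenate the text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def phishing_indicators(raw: str) -> list[str]:
    """Return a human-readable finding for each indicator present in the message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Reply-To pointing at a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from sender domain {from_dom}")

    # 2. Display name that carries an address from another domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if m and m.group(1).lower() != from_dom:
        findings.append(f"display name shows {m.group(1).lower()} but message was sent from {from_dom}")

    # 3. Sender domain that imitates a trusted domain.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in from_dom or edit_distance(trusted, from_dom) <= 2:
                findings.append(f"sender domain {from_dom} looks like trusted domain {trusted}")
                break

    body = body_text(msg)

    # 4. Link whose visible text names one host while the href goes elsewhere.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown).hostname if "://" in shown else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host.lower() != real_host.lower():
            findings.append(f"link text shows {shown_host} but points to {real_host}")

    # 5. Pressure language in the body.
    lowered = body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency/pressure phrases: " + ", ".join(hits))
    return findings


def verdict(raw: str) -> str:
    n = len(phishing_indicators(raw))
    return "likely phishing" if n >= 2 else ("suspicious" if n == 1 else "no indicators")


# Constructed sample: a lure imitating the organisation's bank.
SAMPLE_PHISH = (
    'From: "security@bank.example" <alerts@banc.example>\n'
    "Reply-To: helpdesk@banc-support.example\n"
    "To: alice@corp.example\n"
    "Subject: Action required\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>URGENT: your account has been suspended. Verify your account immediately: "
    '<a href="http://banc.example/login">https://bank.example/login</a></p>\n'
)

# Constructed sample: an ordinary internal message.
SAMPLE_BENIGN = (
    "From: Bob <bob@corp.example>\n"
    "To: alice@corp.example\n"
    "Subject: Meeting notes\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Hi Alice, the notes from today's meeting are in the shared folder.\n"
)
```

Run against the constructed lure, all five indicators fire and the verdict is "likely phishing"; the internal message produces none. The threshold of two indicators is an assumption for the example; in practice each finding is a prompt for the user to pause and report, not a final judgment.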
Social Engineering
Social engineering is an important part of any security awareness training
program for one very simple reason: bad actors know that it works. For the
cyberattackers, social engineering is an inexpensive investment with a potentially
very high payoff. Social engineering, applied over time, can extract significant
insider knowledge about almost any organization or individual.
Most social engineering techniques are not new. Many have even been taught as
basic fieldcraft for espionage agencies and are part of the repertoire of investigative
techniques used by real and fictional police detectives. A short list of the tactics that
we see across cyberspace currently includes:
Phone phishing or vishing: Using a rogue interactive voice response (IVR) system
to re-create a legitimate-sounding copy of a bank or other institution’s IVR system.
The victim is prompted through a phishing email to call in to the “bank” via a
provided phone number to verify information such as account numbers, account
access codes or a PIN and to confirm answers to security questions, contact
information and addresses. A typical vishing system will reject logins continually,
ensuring the victim enters PINs or passwords multiple times, often disclosing
several different passwords. More advanced systems may be used to transfer the
victim to a human posing as a customer service agent for further questioning.
Domain 5.1.1, 5.1.2, 5.1.3, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.6, 5.4.1, 5.4.2
Module Objective
L5.5.1 Practice the terminology and review concepts of access controls
This chapter focused on the day-to-day, moment-by-moment, use of security controls and risk
mitigation strategies in an organization. We discovered ways to secure data and the systems they
reside on. Data (information) security as a process and discipline provides a structure for
protecting the value of data as the organization creates, stores, shares, uses, modifies, archives
and finally destroys that data (known as data handling). During data handling, an organization
classifies (assigns data sensitivity levels), categorizes (determines type of data), labels (applies a
name to the data), retains (determines how long to keep the data) and destroys (erases or
destroys) the data.
A best practice for securing data is encrypting the data. We explored the process of encrypting
data in plaintext with a key and algorithm to create ciphertext then using either the same key
(symmetric) or a different key (asymmetric) and same algorithm to decrypt the ciphertext to
convert it back to plaintext. Then hashing was methodically described; hashing takes an input set
of data (of almost arbitrary size) and returns a fixed-length result called the hash value.
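The hashing property summarized above, a fixed-length result from input of almost any size, is what makes hashes useful for detecting tampering. The following is an added example, not code from the course material: it uses SHA-256 from Python's standard library to record a digest per file as a baseline and later report which files no longer match. The manifest helpers and the sample "files" are constructed for this illustration; encryption is not shown because the standard library carries no cipher.

```python
"""Added example (not from the course text): hashing for integrity checking
with SHA-256. build_manifest, verify_manifest and SAMPLE_FILES are constructed."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Fixed-length (64 hex character) digest of input of any size."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record a digest per file, as a baseline to compare against later."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_manifest(manifest: dict[str, str], files: dict[str, bytes]) -> list[str]:
    """Return the names of files whose content no longer matches the baseline."""
    changed = []
    for name, expected in manifest.items():
        actual = sha256_hex(files.get(name, b""))
        # compare_digest avoids leaking timing information about where they differ
        if not hmac.compare_digest(actual, expected):
            changed.append(name)
    return changed


# Constructed sample "files" of very different sizes.
SAMPLE_FILES = {
    "policy.txt": b"All employees must read this policy.",
    "blob.bin": bytes(range(256)) * 4000,
}


def demo() -> tuple[dict[str, str], list[str]]:
    """Build a baseline, change a single byte in one file, and report what moved."""
    manifest = build_manifest(SAMPLE_FILES)
    tampered = dict(SAMPLE_FILES)
    tampered["policy.txt"] = b"All employees must read this policy!"  # one byte changed
    return manifest, verify_manifest(manifest, tampered)


if __name__ == "__main__":
    manifest, changed = demo()
    for name, digest in manifest.items():
        print(f"{name}: {digest}")
    print("changed:", changed)
```

Both digests are the same length even though one input is 36 bytes and the other a million, and changing the final punctuation mark of the policy file is enough for it to be reported.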
System hardening is the process of applying secure configurations (to reduce the attack surface)
and locking down various hardware, communications systems and software, including the operating
system, web server, application server, applications, etc. We also discussed configuration
management, a process and discipline used to ensure that the only changes made to a system are
those that have been authorized and validated. Configuration management consists of
identification, baseline, change control, and verification and audit. Configuration management
work includes maintaining an inventory, establishing baselines, and applying updates and patches.
The following best practice security policies were examined: data handling (appropriate use of
data), password (appropriate use of passwords), acceptable use (appropriate use of the assets,
devices, and data), bring your own device (appropriate use of personal devices), privacy
(appropriate protection of one’s privacy), and change management (appropriate transition from
current state to a future state). Change management practices address a common set of core
activities: documentation, approval, and rollback. It starts with a request for change (RFC) and
moves through various development and test stages until the change is released to the end users.
We ended the chapter by discussing the importance of security awareness training and how it
reduces the internal threat to an organization. By breaking down the levels of security awareness
training into education, training, and awareness, we identified that the training can be tailored to
the security topic(s), organization, position and/or individual. The module highlighted some of
the main threats, including phishing and social engineering and why it's important to include
them in your security awareness training programs. We also emphasized the importance of
password protection.
A) Encryption
B) Hashing
Incorrect. Encryption is one type of control that can be used to protect data.
B) You can't protect what you don't know you have
Correct. The inventory records which assets the organization has, which gives the organization the opportunity to
Who is responsible for publishing and signing the organization's
policies? (D5.3, L5.3.1)
Question options:
D) Logs should be stored separately from the systems they're logging
Correct. It is important to store log data somewhere other than on the machine where the data is gathered.
B) Symmetric
C) Hashing
D) Covert
Correct. Symmetric encryption provides confidentiality with the least amount of processing overhead.
A ready visual cue to let anyone in contact with the data know what the
classification is. (D5.1, L5.1.1)
Question options:
A) Encryption
B) Label
C) Graphics
D) Photos
A) Patches
B) Inventory
C) Baseline
D) Policy
Correct. There is nothing more important than health and human safety.
C) Regulators
D) The security office
Correct. While the policy is dictated by senior management, the security office is often tasked with monitoring/e
Correct. The BYOD policy typically describes which devices can be used to process data and access networks be