Isc Chapter 5

This document provides an overview of Chapter 5 which focuses on security operations. It discusses securing data and systems through practices like data security, system hardening, security policies, and security awareness training. The chapter agenda lists 4 modules that will cover data security, system hardening, security policies, and security awareness training. The learning objectives explain concepts that will be covered, including data handling best practices, logging and monitoring, encryption, configuration management, security policies, and security awareness training. The document provides an overview of properly handling data throughout its lifecycle from creation to destruction. It emphasizes the importance of classification, labeling, retention, and secure destruction of data.

Chapter 5: Security Operations

Chapter 5 Agenda
Module 1: Understand Data Security (D5.1)
Module 2: Understand System Hardening (D5.2)
Module 3: Understand Best Practice Security Policies (D5.3)
Module 4: Understand Security Awareness Training (D5.3, D5.4)

Chapter 5 Overview
Let’s take a more detailed look at the day-to-day, moment-by-moment active use of
the security controls and risk mitigation strategies that an organization has in place.
We will explore ways to secure the data and the systems they reside on, and how to
encourage secure practices among people who interact with the data and systems
during their daily duties. 

Learning Objectives
Domain 5: Security Operations Objectives
After completing this chapter, the participant will be able to:
- Explain concepts of security operations.
- Discuss data handling best practices.
- Identify important concepts of logging and monitoring.
- Summarize the different types of encryption and their common uses.
- Describe the concepts of configuration management.
- Explain the application of common security policies.
- Discuss the importance of security awareness training.
- Practice the terminology of and review the concepts of network operations.

Chapter at a Glance

While working through Chapter 5, Security Operations, make sure to:

- Complete the Knowledge Check: Logging
- Complete the Knowledge Check: Privacy Policy
- Complete the Knowledge Check: Change Management Policy
- View the Chapter 5 Summary
- Take the online Chapter 5 Quiz
- View the Terms and Definitions
Module 1: Understand Data Security

Domain D5.0, D5.1.1, D5.1.2, D5.1.3

Module Objective

- L5.0 Explain concepts of security operations.
- L5.1.1 Discuss data handling best practices.
- L5.1.2 Identify key concepts of logging and monitoring.
- L5.1.3 Summarize the different types of encryption and their common uses.

Hardening is the process of applying secure configurations (to reduce the attack surface) and
locking down hardware, communications systems and software, including the operating
system, web server, application server and applications. Module 2 introduces the
configuration management practices that ensure systems are installed and maintained
according to industry and organizational security standards.

Manny: It's hard to imagine the sheer volume of data that's flying around the world right now.

Tasha: Right, and information security, as a process and discipline, provides a structure for
protecting the value of data as an organization creates, stores, shares, uses, modifies,
archives, and finally destroys that data.

Manny: Writing information down on paper, a whiteboard, or a flash drive, or putting it in a file
in the cloud creates data that is a tangible asset. The organization has to protect both the
ideas and the data.

Tasha: Yes, and all the copies of it in papers, books, conversation logs, computer files, database
records and the network packets which help move that information from one location or user to
another.

Manny: Wow, that's an important job.

Tasha: It sure is.


Data Handling

Data itself goes through its own life cycle as users create, use, share and modify it.
Many different models of the life of a data item can be found, but they all have
some basic operational steps in common. The data security life cycle model is
useful because it can align easily with the different roles that people and
organizations perform during the evolution of data from creation to destruction (or
disposal). It also helps put the different data states of in use, at rest and in motion,
into context. Let’s take a closer look. 

All ideas, data, information or knowledge can be thought of as going through six
major sets of activities throughout its lifetime. Conceptually, these involve: 

Create
Creating the knowledge, which is usually tacit knowledge at this point.

Store
Storing or recording it in some fashion (which makes it explicit).

Use
Using the knowledge, which may cause the information to be modified,
supplemented or partially deleted.

Share
Sharing the data with other users, whether as a copy or by moving the data from
one location to another.

Archive
Archiving the data when it is temporarily not needed.

Destroy
Destroying the data when it is no longer needed.

Data Handling Deeper Dive

Narrator: Data handling is extremely important. As soon as we receive the assets,
the data we need to protect, we need to make sure we know the best practices for
handling this data.

First, we need to recognize which assets we need to protect. This is based on the
value of the data according to the owner of that data. Based on that, we see what
kind of risk we are facing with respect to the likelihood that this information could
be compromised, destroyed or changed by any means, and what vulnerabilities
exist that we need to account for. This is the life cycle of data handling, from create,
to store, to use, to share, to archive and finally to destroy. And at any point there
are different risks to the data and different practices for handling it. Some of these
procedures are mandated by government standards.

For example, in the US, the Occupational Safety and Health Administration (OSHA)
is the federal government agency that protects the well-being of workers. Under
the rules of the Health Insurance Portability and Accountability Act (HIPAA),
medical records need to be kept for 10 years, but under OSHA, if we have a medical
record of an on-the-job injury, that record needs to be maintained for over 30
years, even after the last day of work in that particular organization. That’s a
regulatory requirement, and if you don’t know that or don’t abide by it, you can find
yourself in trouble as the result of an audit. So you can see that we have to be very
cautious when deciding how to handle data, as there may be multiple regulations
that apply to a single piece of data.

In the US there are also specific guidelines under the Payment Card Industry Data
Security Standard (PCI DSS) regarding credit card information and how to maintain
that information securely. In the European Union, the GDPR also has specific
requirements regarding the handling of financial data. In order to protect the data
properly, you need to know all the relevant requirements for the type of data being
protected in the various geographic areas.

Many countries and other jurisdictions have regulations that require certain data
protections throughout every stage of the data’s life cycle. These govern how the
data is acquired, processed, stored, and ultimately destroyed. And when looking at
the life cycle of the data, we need to keep a watchful eye and protect the
information at every stage, even if it’s ready to be legally destroyed at the end of
the life cycle. In some cases, multiple jurisdictions may impose rules affecting the
data we are charged with protecting. In these instances, we need to be aware of
any and all regulations that affect us.

Some data handling practices include classification and labeling, where you
determine the sensitivity of the data, what is available to everyone and what needs
to be restricted, and label the information accordingly so that your access controls
will allow the correct level of access.

Retention is how long we store the information and where, based on the
requirements of our organization and perhaps regulatory agencies as well. And
then there needs to be defensible destruction, meaning that we have the regulatory
mandate backing up our decision to destroy the data. Destruction can be physical,
of hard drives or computer chips, or destruction of digital records, which can be
done under a number of methodologies. We need to make sure we understand the
secure destruction of the data, because often we think we can just empty the virtual
trash can to delete the data. But when we do that, old emails and other data may
never be erased. To completely erase the data on physical media, you need to use
some technical equipment for degaussing, such as powerful magnets to erase the
data stored on tape and disk media such as computer and laptop hard drives,
diskettes, reels, cassettes and cartridge tapes.

However, an individual with sophisticated equipment could potentially still retrieve
that information, at least partially. So we must make sure we understand what
recovery tools are available, because if you are subject to regulatory compliance,
you have to follow through with specific protocols and processes to destroy that
information as required so that it can no longer be accessed in any way.

Data Handling Practices

Data itself has value and must be handled appropriately.  In this section, we will
explore the basics of classifying and labeling data to ensure it is treated and
controlled in a manner consistent with the sensitivity of the data. In addition, we
will complete the data life cycle by documenting retention requirements and
ensuring data that is no longer in use is destroyed. 

Classification
Businesses recognize that information has value and others might steal their
advantage if the information is not kept confidential, so they classify it. These
classifications dictate rules and restrictions about how that information can be
used, stored or shared with others. All of this is done to keep the temporary value
and importance of that information from leaking away. Classification of data, which
asks the question “Is it secret?” determines the labeling, handling and use of all
data. 

Before any labels can be attached to sets of data that indicate its sensitivity or
handling requirements, the potential impact or loss to the organization needs to be
assessed. This is our first definition: Classification is the process of recognizing the
organizational impacts if the information suffers any security compromises related
to its characteristics of confidentiality, integrity and availability. Information is then
labeled and handled accordingly.

Classifications are derived from laws, regulations, contract-specified standards or
other business expectations. One classification might indicate “minor, may disrupt
some processes” while a more extreme one might be “grave, could lead to loss of
life or threaten ongoing existence of the organization.” These descriptions should
reflect the ways in which the organization has chosen (or been mandated) to
characterize and manage risks.  

The immediate benefit of classification is that it can lead to more efficient design
and implementation of security processes, if we can treat the protection needs for
all similarly classified information with the same controls strategy. 

Labeling
Security labels are part of implementing controls to protect classified information. It
is reasonable to want a simple way of assigning a level of sensitivity to a data asset,
such that the higher the level, the greater the presumed harm to the organization,
and thus the greater security protection the data asset requires. This spectrum of
needs is useful, but it should not be taken to mean that clear and precise
boundaries exist between the use of “low sensitivity” and “moderate sensitivity”
labeling, for example. 
Data Sensitivity Levels and Labels 
Unless otherwise mandated, organizations are free to create classification systems
that best meet their own needs. In professional practice, it is typically best if the
organization has enough classifications to distinguish between sets of assets with
differing sensitivity/value, but not so many classifications that the distinction
between them is confusing to individuals. Typically, two or three classifications are
manageable, and more than four tend to be difficult. 

- Highly restricted: Compromise of data with this sensitivity label could possibly put the
  organization’s future existence at risk. Compromise could lead to substantial loss of life,
  injury or property damage, and the litigation and claims that would follow.
- Moderately restricted: Compromise of data with this sensitivity label could lead to loss of
  temporary competitive advantage, loss of revenue or disruption of planned investments or
  activities.
- Low sensitivity (sometimes called “internal use only”): Compromise of data with this
  sensitivity label could cause minor disruptions, delays or impacts.
- Unrestricted public data: As this data is already published, no harm can come from further
  dissemination or disclosure.

Retention
Information and data should be kept only for as long as it is beneficial, no more and
no less. For various types of data, certain industry standards, laws and regulations
define retention periods. When such external requirements are not set, it is an
organization’s responsibility to define and implement its own data retention policy.
Data retention policies are applicable both for hard copies and for electronic data,
and no data should be kept beyond its required or useful life. Security professionals
should ensure that data destruction is being performed when an asset has reached
its retention limit. For the security professional to succeed in this assignment, an
accurate inventory must be maintained, including the asset location, retention
period requirement, and destruction requirements. Organizations should conduct a
periodic review of retained records in order to reduce the volume of information
stored and to ensure that only necessary information is preserved. 

Records retention policies indicate how long an organization is required to
maintain information and assets. Policies should guarantee that:

- Personnel understand the various retention requirements for data of different types
  throughout the organization.
- The organization appropriately documents the retention requirements for each type of
  information.
- The systems, processes and individuals of the organization retain information in
  accordance with the required schedule but no longer.

A common mistake in records retention is applying the longest retention period to
all types of information in an organization. This not only wastes storage but also
increases risk of data exposure and adds unnecessary “noise” when searching or
processing information in search of relevant records. It may also be in violation of
externally mandated requirements such as legislation, regulations or contracts
(which may result in fines or other judgments). Records and information no longer
mandated to be retained should be destroyed in accordance with the policies of the
enterprise and any appropriate legal requirements that may need to be
considered. 

Destruction
Data that might be left on media after deleting is known as remanence and may be
a significant security concern. Steps must be taken to reduce the risk that data
remanence could compromise sensitive information to an acceptable level. This can
be done by one of several means:

- Clearing the device or system, which usually involves writing multiple patterns of random
  values throughout all storage media (such as main memory, registers and fixed disks). This
  is sometimes called “overwriting” or “zeroizing” the system, although writing zeros has the
  risk that a missed block or storage extent may still contain recoverable, sensitive
  information after the process is completed. On flash-based media (SSDs, USB sticks) an
  overwrite pass is also unreliable on its own, because wear levelling can leave copies of old
  data in cells the host cannot address; the device's built-in secure-erase or
  cryptographic-erase function is the appropriate clearing method there.
- Purging the device or system, which eliminates (or greatly reduces) the chance that residual
  physical effects from the writing of the original data values may still be recovered, even
  after the system is cleared. Some magnetic disk storage technologies, for example, can still
  have residual “ghosts” of data on their surfaces even after being overwritten multiple times.
  Degaussing magnetic media can often alter it sufficiently to meet security requirements; in
  more stringent cases, degaussing alone may not be sufficient (and it does nothing for flash or
  optical media, which are not magnetic).
- Physical destruction of the device or system is the ultimate remedy to data remanence.
  Magnetic or optical disks and some flash drive technologies may require being mechanically
  shredded, chopped or broken up, etched in acid or burned; their remains may be buried in
  protected landfills, in some cases.

In many routine operational environments, security considerations may accept that
clearing a system is sufficient. But when systems elements are to be removed and
replaced, either as part of maintenance upgrades or for disposal, purging or
destruction may be required to protect sensitive information from being
compromised by an attacker.  
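The three situations described above (deletion that leaves the bytes in place, a clearing pass that misses a block, and a full overwrite) as an added example; this is not part of the course material. It uses a toy in-memory block device and a constructed patient record, so it runs offline; real file systems, and especially flash media with wear levelling, behave in more complicated ways.

```python
# Added example (not part of the ISC2 course text): a toy block device used to
# show data remanence.  The disk, the file and its allocation table are all
# constructed for illustration.
import secrets

BLOCK_SIZE = 16    # bytes per block, deliberately tiny
BLOCK_COUNT = 64   # a 1 KiB "disk"

# Constructed sensitive record, laid out so that the marker "SSN" lands in
# the file's last block (three 16-byte blocks in total).
SECRET = b"PATIENT-RECORD: " + b"ID 4471 injury, " + b"SSN 000-00-0000"


class ToyDisk:
    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * BLOCK_COUNT)  # the raw medium
        self.table = {}                                   # name -> block numbers
        self.free = list(range(BLOCK_COUNT))

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
            blocks.append(b)
        self.table[name] = blocks

    def delete_file(self, name):
        # What "emptying the trash" does on most file systems: drop the
        # directory entry and mark the blocks free.  The bytes stay put.
        self.free.extend(self.table.pop(name))

    def overwrite_blocks(self, blocks, pattern):
        # pattern(n) returns n bytes to write, e.g. zeros or random data.
        for b in blocks:
            self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = pattern(BLOCK_SIZE)


def carvable(disk, marker):
    """Recovery the way a file-carving tool works: ignore the directory and
    scan the raw medium for a known signature."""
    return disk.media.find(marker) != -1


def delete_leaves_remanence():
    d = ToyDisk()
    d.write_file("chart.txt", SECRET)
    d.delete_file("chart.txt")
    return carvable(d, b"PATIENT-RECORD")      # True: deletion is not destruction


def partial_zeroing_misses_block():
    d = ToyDisk()
    d.write_file("chart.txt", SECRET)
    blocks = d.table["chart.txt"]
    # Zero every block except the last one (a skipped bad sector, an
    # off-by-one in the wiping tool: the "missed block" the text warns about).
    d.overwrite_blocks(blocks[:-1], lambda n: b"\0" * n)
    d.delete_file("chart.txt")
    return carvable(d, b"SSN")                   # True: one block still leaks


def full_overwrite_clears():
    d = ToyDisk()
    d.write_file("chart.txt", SECRET)
    # Clearing: overwrite every block of the file with random data first.
    d.overwrite_blocks(d.table["chart.txt"], secrets.token_bytes)
    d.delete_file("chart.txt")
    return carvable(d, b"PATIENT-RECORD") or carvable(d, b"SSN 000")  # False


if __name__ == "__main__":
    print("carvable after delete:      ", delete_leaves_remanence())
    print("carvable after partial zero:", partial_zeroing_misses_block())
    print("carvable after full clear:  ", full_overwrite_clears())
```

The carving step is the point: a recovery tool never consults the directory, so the only thing that matters is what is physically on the medium, and a wipe that is even one block short leaves that block to be found.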
Logging and Monitoring Security Events

Logging is the primary form of instrumentation that attempts to capture signals
generated by events. Events are any actions that take place within the systems
environment and cause measurable or observable change in one or more elements
or resources within the system. Logging imposes a computational cost but is
invaluable when determining accountability. Proper design of logging environments
and regular log reviews remain best practices regardless of the type of computer
system. 

Major controls frameworks emphasize the importance of organizational logging
practices. Information that may be relevant to being recorded and reviewed includes
(but is not limited to):

- user IDs
- system activities
- dates/times of key events (e.g., logon and logoff)
- device and location identity
- successful and rejected system and resource access attempts
- system configuration changes and system protection activation and deactivation events

Logging and monitoring the health of the information environment is essential to
identifying inefficient or improperly performing systems, detecting compromises
and providing a record of how systems are used. Robust logging practices provide
tools to effectively correlate information from diverse systems to fully understand
the relationship between one activity and another.

Log reviews are an essential function not only for security assessment and testing
but also for identifying security incidents, policy violations, fraudulent activities and
operational problems near the time of occurrence. Log reviews support audits –
forensic analysis related to internal and external investigations – and provide
support for organizational security baselines. Review of historic audit logs can
determine if a vulnerability identified in a system has been previously exploited. 

It is helpful for an organization to create components of a log management
infrastructure and determine how these components interact. This aids in
preserving the integrity of log data from accidental or intentional modification or
deletion and in maintaining the confidentiality of log data. 
Controls are implemented to protect against unauthorized changes to log
information. Operational problems with the logging facility are often related to
alterations to the messages that are recorded, log files being edited or deleted, and
storage capacity of log file media being exceeded. Organizations must maintain
adherence to retention policy for logs as prescribed by law, regulations and
corporate governance. Since attackers want to hide the evidence of their attack, the
organization’s policies and procedures should also address the preservation of
original logs. Additionally, the logs contain valuable and sensitive information about
the organization.  Appropriate measures must be taken to protect the log data from
malicious use. 
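One concrete control against the edited or deleted log records mentioned above, as an added example that is not part of the course material: a keyed hash chain over the records. The collector key, the sample log lines and the helper names are all constructed for this illustration.

```python
# Added example (not part of the ISC2 course text): a keyed hash chain that
# makes a log file tamper-evident.  The key is assumed to be held by the log
# collector, not by the host whose activity is being logged; the log lines
# below are constructed for illustration.
import hashlib
import hmac

GENESIS = b"\0" * 32   # chain anchor for the first record

# Constructed sample records (sshd-style syslog lines).
CHAIN_SAMPLE = [
    "Mar 12 02:14:07 web01 sshd[2011]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Mar 12 02:14:09 web01 sshd[2011]: Failed password for root from 203.0.113.9 port 51023 ssh2",
    "Mar 12 02:14:31 web01 sshd[2040]: Accepted password for root from 203.0.113.9 port 51030 ssh2",
    "Mar 12 02:15:02 web01 sudo: root : TTY=pts/0 ; COMMAND=/bin/rm -f /var/log/auth.log",
]


def _tag(key, prev, line):
    # Each tag covers the previous tag and the current line, so a record is
    # bound to its position in the file as well as to its content.
    return hmac.new(key, prev + line.encode(), hashlib.sha256).digest()


def seal(lines, key):
    """Return [(line, tag_hex), ...] with every record chained to the last."""
    prev, records = GENESIS, []
    for line in lines:
        tag = _tag(key, prev, line)
        records.append((line, tag.hex()))
        prev = tag
    return records


def verify(records, key):
    """Recompute the chain.  Returns (True, None) if intact, otherwise
    (False, index) where index is the first record that does not check out."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return False, i
        prev = expected
    return True, None


def head(records):
    """The last tag.  Store it somewhere the host cannot reach (the
    collector, a WORM store) so that truncation is detectable: the chain on
    its own cannot tell a truncated log from a short one."""
    return records[-1][1] if records else GENESIS.hex()


if __name__ == "__main__":
    key = b"constructed-collector-key"
    sealed = seal(CHAIN_SAMPLE, key)
    print(verify(sealed, key))
    edited = list(sealed)
    edited[0] = (edited[0][0].replace("Failed", "Accepted"), edited[0][1])
    print(verify(edited, key))
    print(verify(sealed[:1] + sealed[2:], key))
```

Without the key an attacker who edits a record cannot recompute the tags that follow it; with an externally stored head tag, cutting records off the end is detectable as well, which a plain chain cannot do by itself.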

Data Security Event Example

Here is a data security event example. It’s a raw log, and it is one way to see if
someone tried to break into a secure file and hijack the server. Of course, there are
other systems now that are a little more user-friendly. But security engineers get
very familiar with some of these codes and can figure out exactly who was trying to
log in, and whether it was a secure port or a questionable port that they were trying
to use to penetrate our site.

Information security is not something that you just plug in as needed. You can have
some patching on a system that already exists, such as updates, but if you don’t
have a secure system, you can’t just plug in something to protect it. From the very
beginning, we need to plan for that security, even before the data is introduced into
the network. 

Event Logging Best Practices

Different tools are used depending on whether the risk from the attack is from
traffic coming into or leaving the infrastructure. Ingress monitoring refers to
surveillance and assessment of all inbound communications traffic and access
attempts. Devices and tools that offer logging and alerting opportunities for ingress
monitoring include: 

- Firewalls
- Gateways
- Remote authentication servers
- IDS/IPS tools
- SIEM solutions
- Anti-malware solutions

Egress monitoring is used to regulate data leaving the organization’s IT
environment. The term currently used in conjunction with this effort is data loss
prevention (DLP) or data leak protection. The DLP solution should be deployed so
that it can inspect all forms of data leaving the organization, including: 

- Email (content and attachments)
- Copy to portable media
- File Transfer Protocol (FTP)
- Posting to web pages/websites
- Applications/application programming interfaces (APIs)
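What the DLP inspection of outbound email amounts to in code, as an added example that is not from the course or any DLP product: candidate card numbers are found by pattern and confirmed with the Luhn check (so invoice and phone numbers are not flagged), and the sensitivity labels defined earlier in the chapter are searched for as well. The messages, the label names and the block decision are constructed for the illustration.

```python
# Added example (not part of the ISC2 course text): an egress inspection
# routine of the kind a DLP product applies to outbound email.  It looks for
# payment card numbers (PCI DSS scope) by pattern plus Luhn check, and for
# the sensitivity labels defined earlier in the chapter.  The messages, the
# label names and the policy decision are all constructed for illustration.
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
RESTRICTED_LABELS = ("Highly restricted", "Moderately restricted")


def luhn_ok(digits):
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return masked PANs found in text; sequences that fail Luhn (invoice
    numbers, phone numbers, tracking IDs) are left alone."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def inspect_outbound(message):
    """Decide whether a message may leave.  Returns the evidence so that an
    analyst can see why a message was held, not just that it was."""
    pans = find_pans(message)
    labels = [lbl for lbl in RESTRICTED_LABELS if lbl.lower() in message.lower()]
    return {"pans": pans, "labels": labels, "block": bool(pans or labels)}


# Constructed messages.  4111 1111 1111 1111 is a well-known test PAN;
# 1234567890123456 is a 16-digit invoice number that fails the Luhn check.
OUTBOUND_RISKY = (
    "Hi, charging card 4111 1111 1111 1111 for invoice 1234567890123456.\n"
    "Attached: Q3 forecast (Moderately Restricted), do not forward."
)
OUTBOUND_CLEAN = "Call me on 0123 456 7890 about invoice 1234567890123456."

if __name__ == "__main__":
    print(inspect_outbound(OUTBOUND_RISKY))
    print(inspect_outbound(OUTBOUND_CLEAN))
```

The Luhn step is what keeps the false-positive rate tolerable: a 16-digit regex alone would hold every message carrying an order number. Real deployments add the other channels in the list (attachments, removable media, web uploads) and usually quarantine rather than silently drop.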


Encryption Overview
Almost every action we take in our modern digital world
involves cryptography. Encryption protects our personal and business
transactions; digitally signed software updates verify their creator’s or supplier’s
claim to authenticity. Digitally signed contracts, binding on all parties, are routinely
exchanged via email without fear of being repudiated later by the sender. 
Cryptography is used to protect information by keeping its meaning or content
secret and making it unintelligible to someone who does not have a way to decrypt
(unlock) that protected information. The objective of every encryption system is to
transform an original set of data, called the plaintext, into an otherwise
unintelligible encrypted form, called the ciphertext. 

Properly used, singly or in combination, cryptographic solutions provide a range of
services that can help achieve required systems security postures in many ways:

- Confidentiality: Cryptography provides confidentiality by hiding or obscuring a message so
  that it cannot be understood by anyone except the intended recipient. Confidentiality keeps
  information secret from those who are not authorized to have it.
- Integrity: Hash functions and digital signatures provide integrity services that allow a
  recipient to verify that a message has not been altered by malice or error. The simplest
  control is a message digest: the sender computes a hash of the message and the recipient
  recomputes it, and any change, deliberate or accidental, makes the two results differ. A
  plain digest only catches accidental change, since an attacker who can alter the message
  can recompute the digest too; detecting deliberate tampering needs a keyed hash (MAC) or a
  digital signature.

An encryption system is the set of hardware, software, algorithms, control
parameters and operational methods that provide a set of encryption services.

Plaintext is the data or message in its normal, unencrypted form and format. Its
meaning or value to an end user (a person or a process) is immediately available
for use.

Plaintext can be:

- image, audio or video files in their raw or compressed forms
- human-readable text and numeric data, with or without markup language elements for
  formatting and metadata
- database files or records and fields within a database
- or anything else that can be represented in digital form for computer processing,
  transmission and storage

It is important to remember that plaintext can be anything—much of which is not
readable to humans in the first place.
Symmetric Encryption

The central characteristic of a symmetric algorithm is that it uses the same key in
both the encryption and the decryption processes. It could be said that
the decryption process is just a mirror image of the encryption process. This image
displays how symmetric algorithms work.

The same key is used for both the encryption and decryption processes. This
means that the two parties communicating need to share knowledge of the same
key. This type of algorithm protects data, as a person who does not have the
correct key would not be able to read the encrypted message. Because the key is
shared, however, this can lead to several other challenges:

- If two parties suspect a specific communication path between them is compromised, they
  obviously can't share key material along that path. Someone who has compromised
  communications between the parties would also intercept the key.
- Distribution of the key is difficult, because the key cannot be sent in the same channel as
  the encrypted message, or the man-in-the-middle (MITM) would have access to the key.
  Sending the key through a different channel (band) than the encrypted message is called
  out-of-band key distribution. Examples of out-of-band key distribution would include
  sending the key via courier, fax or phone.
- Any party with knowledge of the key can access (and therefore change) the message.
- Each individual or group of people wishing to communicate would need to use a different key
  for each individual or group they want to connect with. This raises the challenge of
  scalability: the number of keys grows quadratically with the number of users or groups,
  n(n-1)/2 keys for n parties. Under this type of symmetric arrangement, an organization of
  1,000 employees would need to manage 499,500 keys if every employee wanted to communicate
  confidentially with every other employee.

Primary uses of symmetric algorithms:

- Encrypting bulk data (backups, hard drives, portable media)
- Encrypting messages traversing communications channels (IPsec, TLS)
- Streaming large-scale, time-sensitive data (audio/video materials, gaming, etc.)

Other names for symmetric algorithms, which you may encounter, include:

- Same key
- Single key
- Shared key
- Secret key
- Session key

An example of symmetric encryption is a substitution cipher, which involves the
simple process of substituting letters for other letters, or more appropriately,
substituting bits for other bits, based upon a cryptovariable. These ciphers involve
replacing each letter of the plaintext with another that may be further down the
alphabet.
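The substitution cipher just described, worked through as an added example that is not from the course: the same key produces the encryption table and, inverted, the decryption table (the "mirror image"), the n(n-1)/2 and 2n key counts from the text are computed rather than quoted, and a letter-frequency profile shows why such a cipher is a teaching device only. Deriving the permutation by seeding a shuffle from a hash of the key is this example's own choice, not a standard construction.

```python
# Added example (not part of the ISC2 course text): a keyed substitution
# cipher to show the "mirror image" property of symmetric encryption, the
# key-count arithmetic from the text, and why a substitution cipher is only a
# teaching device.  The key derivation (seeding a permutation from a hash of
# the key) is this example's own choice, not a standard construction.
import hashlib
import random
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def derive_table(key: bytes):
    """Turn the shared secret (the cryptovariable) into a permutation of the
    alphabet.  Both parties derive the same table from the same key."""
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def encrypt(plaintext: str, key: bytes) -> str:
    table = derive_table(key)
    return "".join(table.get(c, c) for c in plaintext.upper())


def decrypt(ciphertext: str, key: bytes) -> str:
    # Decryption is the mirror image: the same key, the table inverted.
    inverse = {v: k for k, v in derive_table(key).items()}
    return "".join(inverse.get(c, c) for c in ciphertext)


def pairwise_symmetric_keys(parties: int) -> int:
    """One shared key per pair: n(n-1)/2.  1,000 employees -> 499,500 keys."""
    return parties * (parties - 1) // 2


def asymmetric_keys(parties: int) -> int:
    """One key pair per party: 2n.  100,000 employees -> 200,000 keys."""
    return 2 * parties


def letter_profile(text: str):
    """Sorted letter counts.  A substitution cipher leaves this unchanged,
    which is exactly what frequency analysis exploits: the cipher hides the
    letters but not how often each one occurs."""
    return sorted(Counter(c for c in text if c in ALPHABET).values())


if __name__ == "__main__":
    key = b"shared-out-of-band"
    ct = encrypt("ATTACK AT DAWN", key)
    print(ct, "->", decrypt(ct, key))
    print(letter_profile("ATTACK AT DAWN") == letter_profile(ct))
    print(pairwise_symmetric_keys(1000), asymmetric_keys(100000))
```

A modern symmetric cipher such as AES-GCM keeps the same-key-both-ways property but none of the frequency leakage; the round trip here is the part that carries over, the cipher itself does not.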

Asymmetric Encryption
Asymmetric encryption uses one key to encrypt and a different key to decrypt the
input plaintext. This is in stark contrast to symmetric encryption, which uses the
same key to encrypt and decrypt. For most security professionals, the math of
asymmetric encryption can be left to the cryptanalysts and cryptographers to
know.

A user wishing to communicate using an asymmetric algorithm would first generate
a key pair. To ensure the strength of the key generation process, this is usually
done by the cryptographic application or the public key infrastructure (PKI)
implementation without user involvement. One half of the key pair is kept secret;
only the key holder knows that key. This is why it is called the private key. The other
half of the key pair can be given freely to anyone who wants a copy. In many
companies, it may be available through the corporate website or access to a key
server. Therefore, this second half of the key pair is referred to as the public key.

Note that anyone can encrypt something using the recipient’s public key, but only
the recipient —with their private key—can decrypt it.

Asymmetric key cryptography solves the problem of key distribution by allowing a
message to be sent across an untrusted medium in a secure manner without the
overhead of prior key exchange or key material distribution. It also allows for
several other features not readily available in symmetric cryptography, such as the
non-repudiation of origin and delivery, access control and data integrity.

Asymmetric key cryptography also solves the problem of scalability. It scales well
as numbers increase, because each party only requires one key pair, a private key
and a public key. An organization with 100,000 employees would need a total of
200,000 keys (one private and one public for each employee), whereas pairwise
symmetric keys for the same organization would number n(n-1)/2, or 4,999,950,000.

The problem, however, has been that asymmetric cryptography is extremely slow
compared with its symmetric counterpart. Asymmetric cryptography is impractical
for everyday use in encrypting large amounts of data or for frequent transactions
where speed is required. This is because asymmetric key cryptography is handling
much larger keys and is mathematically intensive, thereby reducing the speed
significantly.

Let’s look at an example that illustrates the use of asymmetric cryptography to
achieve different security attributes.

The two keys (private and public) are a key pair; they must be used together. This
means that any message that is encrypted with a public key can only be decrypted
with the corresponding other half of the key pair, the private key. Similarly, signing
a message with a sender’s private key can only be verified by the recipient
decrypting its signature with the sender’s public key. Therefore, as long as the key
holder keeps the private key secure, there exists a method of transmitting a
message confidentially. The sender would encrypt the message with the public key
of the receiver. Only the receiver with the private key would be able to open or read
the message, providing confidentiality.

This image shows how asymmetric encryption can be used to send a confidential
message across an untrusted channel.
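The two uses of the key pair described above, encrypt with the recipient's public key and decrypt with the private key, and sign with the sender's private key and verify with the public key, as an added example in textbook RSA; it is not from the course. The primes are two fixed Mersenne primes chosen for the demo, there is no padding (OAEP/PSS) and each byte is encrypted on its own, so it shows the key-pair relationship and nothing more; it must not be reused as a real cipher.

```python
# Added example (not part of the ISC2 course text): textbook RSA showing
# encrypt-with-public/decrypt-with-private and sign-with-private/verify-with-
# public.  The primes are fixed Mersenne primes chosen for this example;
# there is no padding and each byte is encrypted separately, which is not
# how RSA is used in practice.
import hashlib

# Example primes (assumed for this demo): 2^31-1 and 2^61-1, both prime.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return (public, private) as (n, e) and (n, d) with d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, data: bytes):
    """Anyone holding the public key can do this..."""
    n, e = public
    return [pow(b, e, n) for b in data]


def decrypt(private, blocks) -> bytes:
    """...but only the matching private key reverses it."""
    n, d = private
    return bytes(pow(c, d, n) for c in blocks)


def sign(private, data: bytes) -> int:
    """Sign the digest, not the data: hash first, then apply the private key."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)


def verify(public, data: bytes, signature: int) -> bool:
    """Recompute the digest and compare it with the signature raised to e."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(signature, e, n) == h


if __name__ == "__main__":
    alice_pub, alice_priv = keygen()
    ct = encrypt(alice_pub, b"Pay 100 to Bob")
    print(decrypt(alice_priv, ct))
    sig = sign(alice_priv, b"contract v1")
    print(verify(alice_pub, b"contract v1", sig), verify(alice_pub, b"contract v2", sig))
```

Because there is no padding, two identical plaintext bytes produce identical ciphertext values, the same weakness the text's substitution cipher has; that is one of the reasons real systems wrap RSA in a padding scheme and use it to exchange a symmetric key rather than to encrypt the data itself, which is also the answer to the speed problem the text raises.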

Encryption Deeper Dive

Narrator: Examples of encryption persist throughout human history, from early cryptic
depictions by cave dwellers of Magura Cave in Bulgaria to the Pyramids at Giza.


Even then, each group had its own primitive cryptographic approach, so that
members of the tribe or group could communicate with one another while keeping
secrets from the rival tribes regarding hunting grounds or sources of water and
food.

It is part of human nature to encrypt information. You start with clear text, which is
the information that you and I could easily read, and then you use an algorithm,
which is often a form of software that can be embedded in the system. But that
needs to be activated with an encryption key. A very simple example is if you are
trying to encrypt a PDF document; for example, perhaps your accountant is sending
you some documents to sign before submitting your taxes. Encryption would create
a ciphertext, which no one can use, and you and your accountant would have set
up a preset encryption key so that you could retrieve the information at either end
of the communication. You need to have good key management, which means you
safeguard the information, because imagine if you have thousands of keys in a
commercial environment. There is often a third party or external server where the
keys will be separately stored and managed, so you don’t have all your eggs in one
basket, so to speak. It will be protected through a hashing system, which we will
explore in a moment, and no one else can have access to those keys.

Asymmetric encryption is more secure because the sender and receiver each uses a
unique code, often a certificate, so you can confirm that the information has been
sent from the sender to the recipient in a secure manner.

Hashing

Hashing takes an input set of data (of almost arbitrary size) and returns a fixed-
length result called the hash value. A hash function is the algorithm used to
perform this transformation. When used with cryptographically strong hash
algorithms, this is the most common method of ensuring message integrity today.

Hashes have many uses in computing and security, one of which is to create
a message digest by applying such a hash function to the plaintext body of a
message. 

To be useful and secure, a cryptographic hash function must demonstrate five main
properties: 

 Useful: It is easy to compute the hash value for any given message.
 Nonreversible: It is computationally infeasible to reverse the hash process or
otherwise derive the original plaintext of a message from its hash value
(unlike an encryption process, for which there must be a corresponding
decryption process).
 Content integrity assurance: It is computationally infeasible to modify a
message such that re-applying the hash function will produce the original
hash value. 
 Unique: It is computationally infeasible to find two or more different,
sensible messages that hash to the same value.
 Deterministic: The same input will always generate the same hash, when
using the same hashing algorithm.

Cryptographic hash functions have many applications in information security,
including digital signatures, message authentication codes and other forms of
authentication. They can also be used for fingerprinting, to detect duplicate
data or uniquely identify files, and as checksums to detect accidental data
corruption. The operation of a hashing algorithm is demonstrated in this image.

This is an example of a simple hashing function. The originator wants to send a
message to the receiver and ensure that the message is not altered by noise or
lost packets as it is transmitted. The originator runs the message through a
hashing algorithm that generates a hash, or a digest of the message. The digest
is appended to the message and sent together with the message to the recipient.
Once the message is delivered, the receiver will generate their own digest of
the received message (using the same hashing algorithm). The digest of the
received message is compared with the digest sent by the originator. If the
digests are the same, the received message is the same as the sent message.

The problem with a simple hash function like this is that it does not protect
against a malicious attacker that would be able to change both the message and
the hash/digest by intercepting it in transit. The general idea of a
cryptographic hash function can be summarized with the following formula:

variable data input + hashing algorithm = fixed bit size data output (the digest)


As seen in this image, even the slightest change in the input message results in a
completely different hash value.

Hash functions are very sensitive to any changes in the message. Because the size
of the hash digest does not vary according to the size of the message, a person
cannot tell the size of the message based on the digest.

Hashing Deep Dive

Hashing puts data through a hash function or algorithm to create an alphanumeric
set of figures, or a digest, that means nothing to people who might view it. No
matter how long the input is, the hash digest will be the same number of
characters. Any minor change in the input, a misspelling, or upper case or lower
case, will create a completely different hash digest. So you can use the hash digest
to confirm that the input exactly matches what is expected or required, for
instance, a password.

For example, we pay our rent through automatic withdrawal, and it’s $5,000 a
month. Perhaps someone at the bank or at the rental office thinks they can just
change it to $50,000 and keep the extra money. They think no one will notice if they
just add another zero to the number. However, that change will completely change
the digest. Since the digest is different, it will indicate that someone corrupted the
information by changing the value of the automatic withdrawal, and it will not go
through. Hashing is an extra layer of defense.

Before we go live with a software product provided by a third party, for instance, we
have to make sure no one has changed anything since it was tested by you and the
programmer. They will usually send you the digest of their code and you compare
that to the original. This is also known as a Checksum. If you see a discrepancy, that
means something has changed. Then the security coders will compare the original
one and the new one, and sometimes it’s very tedious, but they have software that
can do it for them. If it’s something a little more intricate, they may need to go line
by line and find out where the bugs are or if some lines need to be fixed. Often
these problems are not intentional; they sneak in when you are making final
adjustments to the software.

An incident occurred at the University of Florida many years ago, where a very
reputable software source, Windows 2000 or Millennium, was provided to 50,000
students via CD-ROMs, and the copies were compromised. The problems were
detected when the digests did not match on a distribution file.
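The following added example (not course code) walks through the hashing scenarios above: the fixed-size digest, the avalanche effect on the altered rent amount, the appended digest catching line noise, the limitation that a bare digest cannot detect a change made in transit together with a recomputed digest, a keyed message authentication code (HMAC) closing that gap, and the checksum comparison against a vendor-published digest described for third-party releases. The messages, shared key and "vendor" digest are constructed sample values.

```python
"""Message digests versus keyed MACs. Added example, not course code; all
messages, the shared key and the vendor digest are constructed."""
import hashlib
import hmac


def digest(message: bytes) -> str:
    """variable data input + hashing algorithm = fixed-size output (the digest)."""
    return hashlib.sha256(message).hexdigest()


def send_with_digest(message: bytes):
    """Originator appends the digest to the message."""
    return message, digest(message)


def check_digest(message: bytes, received_digest: str) -> bool:
    """Recipient recomputes the digest with the same algorithm and compares."""
    return hmac.compare_digest(digest(message), received_digest)


def send_with_mac(key: bytes, message: bytes):
    """Same idea, but the tag also depends on a secret key shared by both ends."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def check_mac(key: bytes, message: bytes, tag: str) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def verify_release(file_bytes: bytes, vendor_digest: str) -> bool:
    """Checksum of a third-party release: the digest computed over the bytes we
    received must equal the digest the vendor published separately."""
    return hmac.compare_digest(digest(file_bytes), vendor_digest.strip().lower())


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Simulate line noise: flip the lowest bit of one byte."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def run_demo() -> dict:
    """Run each scenario from the text and return the outcomes."""
    rent = b"automatic withdrawal: $5,000 per month"        # constructed
    altered = b"automatic withdrawal: $50,000 per month"    # one extra zero
    key = b"constructed-shared-secret"   # in practice supplied by key management

    # 1. Digest length is the same whatever the input size (64 hex chars).
    same_length = len(digest(b"")) == len(digest(b"x" * 10_000)) == 64

    # 2. The slightest change gives a completely different digest.
    differs = digest(rent) != digest(altered)

    # 3. Accidental corruption in transit is caught by the appended digest.
    msg, d = send_with_digest(rent)
    noise_caught = not check_digest(flip_one_bit(msg), d)

    # 4. A deliberate change that also replaces the digest is NOT caught:
    #    a bare digest proves only that message and digest match each other.
    altered_msg, altered_d = send_with_digest(altered)
    bare_digest_fooled = check_digest(altered_msg, altered_d)

    # 5. With a keyed MAC the tag cannot be recomputed without the key, so
    #    the recipient rejects the altered message.
    _, tag = send_with_mac(key, rent)
    mac_caught = not check_mac(key, altered, tag)

    return {
        "same_length": same_length,
        "differs": differs,
        "noise_caught": noise_caught,
        "bare_digest_fooled": bare_digest_fooled,
        "mac_caught": mac_caught,
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```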

Module 2: Understand System Hardening

Domain D5.2.1
Module Objective

 L5.2.1 Describe the concepts of configuration management.

Manny: With so much data to work with, and so many different software applications required
to handle it, how do companies keep track of everything?

Tasha: It's a challenge all right, that's why we need configuration management. It's part of
cybersecurity in that it protects the confidentiality, integrity, and availability of data by making
sure that only authorized and validated changes are made to a system. Every change also needs
to be tested to make sure it doesn't cause any disruption to any other part of the system.

Manny: I can understand that. It seems like every time we upgrade our computer systems at the
high school, something else stops working.

Tasha: Let's find out how cybersecurity professionals work to prevent that from happening.

Configuration Management Overview

Configuration management is a process and discipline used to ensure that the
only changes made to a system are those that have been authorized and validated.
It is both a decision-making process and a set of control processes. If we look closer
at this definition, the basic configuration management process includes
components such as identification, baselines, updates and patches.

Effective use of configuration management gives systems owners, operators,
support teams and security professionals another important set of tools they can
use to monitor and oversee the configuration of the devices, networks, applications
and projects of the organization. An organization may mandate the configuration of
equipment through standards and baselines. The use of standards and baselines
can ensure that network devices, software, hardware and endpoint devices are
configured in a consistent way and that all such devices are compliant with the
security baseline established for the organization. If a device is found that is not
compliant with the security baseline, it may be disabled or isolated into a
quarantine area until it can be checked and updated.

Inventory

Making an inventory, catalog or registry of all the information assets that the
organization is aware of (whether they already exist, or there’s a wish list or need to
create or acquire them) is the first step in any asset management process. It
requires that we locate and identify all assets of interest, including (and especially)
the information assets:

You can’t protect what you don’t know you have.

It becomes even more challenging to keep that inventory, and its health and status
with respect to updates and patches, consistent and current, day in and day out. It
is, in fact, quite challenging to identify every physical host and endpoint, let alone
gather the data from them all.

Baselines

A commercial software product, for example, might have thousands of individual
modules, processes, parameter and initialization files or other elements. If any one
of them is missing, the system cannot function correctly. The baseline is a total
inventory of all the system’s components, hardware, software, data, administrative
controls, documentation and user instructions.

Once controls are in place to mitigate risks, the baselines can be referenced. All
further comparisons and development are measured against the baselines.

When protecting assets, baselines can be particularly helpful in achieving a minimal
protection level of those assets based on value. Remember, if assets have been
classified based on value, and meaningful baselines have been established for each
of the classification levels, we can conform to the minimum levels required. In other
words, if classifications such as high, medium and low are being used, baselines
could be developed for each of our classifications and provide that minimum level
of security required for each.
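As an added example (not course code), a check of an asset inventory against per-classification baselines of the kind just described, which flags noncompliant devices for quarantine until they are checked and updated. The host names, setting names and baseline values are constructed for illustration.

```python
"""Inventory versus security baselines per classification level. Added
example, not course code; hosts, settings and baseline values are constructed."""
import operator
from dataclasses import dataclass

# Minimum required configuration for each classification level (constructed).
# Flags must be on when the baseline says True; patch_level is a floor and
# screen_lock_minutes is a ceiling (a shorter lock timeout is stricter).
BASELINES = {
    "low": {"disk_encryption": False, "edr_agent": False,
            "patch_level": 3, "screen_lock_minutes": 30},
    "medium": {"disk_encryption": True, "edr_agent": True,
               "patch_level": 5, "screen_lock_minutes": 15},
    "high": {"disk_encryption": True, "edr_agent": True,
             "patch_level": 7, "screen_lock_minutes": 5},
}
COMPARATORS = {"patch_level": operator.ge, "screen_lock_minutes": operator.le}


@dataclass
class Host:
    name: str
    classification: str
    settings: dict          # what the device actually reports


def meets(setting: str, actual, required) -> bool:
    """True when the reported value satisfies the baseline for that setting."""
    if actual is None:                      # not reported: treat as noncompliant
        return False
    compare = COMPARATORS.get(setting)
    if compare is not None:
        return compare(actual, required)
    return bool(actual) or not required     # flags: stricter than required is fine


def deviations(host: Host, baselines=BASELINES):
    """List (setting, required, actual) for every baseline item the host misses."""
    baseline = baselines[host.classification]
    return [(setting, required, host.settings.get(setting))
            for setting, required in baseline.items()
            if not meets(setting, host.settings.get(setting), required)]


def assess_inventory(hosts, baselines=BASELINES) -> dict:
    """Split the inventory into compliant hosts and hosts to isolate (quarantine)
    until they are checked and updated, with the reasons for each."""
    report = {"compliant": [], "quarantine": {}}
    for host in hosts:
        devs = deviations(host, baselines)
        if devs:
            report["quarantine"][host.name] = devs
        else:
            report["compliant"].append(host.name)
    return report


# Constructed sample inventory: one host per classification level.
SAMPLE_HOSTS = [
    Host("ws-01", "low", {"disk_encryption": False, "edr_agent": False,
                          "patch_level": 4, "screen_lock_minutes": 30}),
    Host("fin-db-01", "high", {"disk_encryption": True, "edr_agent": True,
                               "patch_level": 6, "screen_lock_minutes": 5}),
    Host("hr-lt-07", "medium", {"disk_encryption": True, "edr_agent": True,
                                "patch_level": 5}),     # lock timeout not reported
]

if __name__ == "__main__":
    result = assess_inventory(SAMPLE_HOSTS)
    print("compliant:", result["compliant"])
    for name, devs in result["quarantine"].items():
        print(f"quarantine {name}:", devs)
```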

Updates

Repairs, maintenance actions and updates are frequently required on almost all
levels of systems elements, from the basic infrastructure of the IT architecture on
up through operating systems, applications platforms, networks and user
interfaces. Such modifications must be acceptance tested to verify that newly
installed (or repaired) functionality works as required. They must also be regression
tested to verify that the modifications did not introduce other erroneous or
unexpected behaviors in the system. Ongoing security assessment and evaluation
testing evaluates whether the same system that passed acceptance testing is still
secure.

Patches

Patch management mostly applies to software and hardware devices that are
subject to regular modification. A patch is an update, upgrade or modification to a
system or component. These patches may be needed to address a vulnerability or
to improve functionality. The challenge for the security professional is maintaining
all patches, since they can come at irregular intervals from many different vendors.
Some patches are critical and should be deployed quickly, while others may not be
as critical but should still be deployed because subsequent patches may be
dependent on them. Standards such as the PCI DSS require organizations to deploy
security patches within a certain time frame.

There are some issues with the use of patches. Many organizations have been
affected by a flawed patch from a reputable vendor that affected system
functionality. Therefore, an organization should test the patch before rolling it out
across the organization. This is often complicated by the lack of a testing
environment that matches the production environment. Few organizations have
the budget to maintain a test environment that is an exact copy of production.
There is always a risk that the testing will not always be able to test everything, and
problems may appear in production that were not apparent in the test
environment. To the extent possible, patches should be tested to ensure they will
work correctly in production.

If the patch does not work or has unacceptable effects, it might be necessary to roll
back to a previous (pre-patch) state. Typically, the criteria for rollback are previously
documented and would automatically be performed when the rollback criteria
were met.

Many vendors offer a patch management solution for their products. These
systems often have certain automated processes, or unattended updates, that
allow the patching of systems without interaction from the administrator. The risk
of using unattended patching should be weighed against the risk of having
unpatched systems in the organization’s network. Unattended (or automated)
patching might result in unscheduled outages as production systems are taken
offline or rebooted as part of the patch process.

The Risks of Change

Narrator: You have to make sure you have a robust change management process and make
sure you test in model environments before you make any change in a production or live
environment. Even with extensive planning and testing, there are sometimes unintended
consequences, so you must make sure there is a rollback plan. A rollback is restoring the system
to the state it was in before the change was made. To the point where we know it was working
properly before we introduced changes into the environment. We need to make sure we
review and test all the patches and can restore the previous configuration.

Maintaining a separate testing environment can be a logistical challenge for many
organizations; as such, many do not have separate production and testing environments to
properly vet all patches and system updates. In this case, they may rely on vendor third party
testing to certify a new software release based on a generic set of data. The rollback plan is
important in all environments, but it is absolutely critical in those who are unable to fully test a
change.

Module 3: Understand Best Practice Security Policies

Domain D5.3, D5.3.1, D5.3.2, D5.3.3, D5.3.4, D5.3.5, D5.3.6

Module Objective

 L5.3.1 Explain the application of common security policies.

An organization’s security policies define what “security” means to that organization,
which in almost all cases reflects the tradeoff between security, operability,
affordability and potential risk impacts. Security policies express or impose behavioral
or other constraints on the system and its use. Well-designed systems operating
within these constraints should reduce the potential of security breaches to an
acceptable level.

Security governance that does not align properly with organizational goals can lead to
implementation of security policies and decisions that unnecessarily inhibit
productivity, impose undue costs and hinder strategic intent.

Manny: What kind of policies can organizations establish to help their employees or members
protect their data?
Tasha: Policies can include password requirements, limits on personal devices, and all kinds of
other policies to ensure privacy and security. In this module, we'll explore the most common
security policies found in organizations and identify some components of these policies.

Common Security Policies


All policies must support any regulatory and contractual obligations of the
organization. Sometimes it can be challenging to ensure the policy encompasses all
requirements while remaining simple enough for users to understand.

Here are six common security-related policies that exist in most organizations.

Data Handling Policy


Appropriate use of data: This aspect of the policy defines whether data is for use
within the company, is restricted for use by only certain roles or can be made public
to anyone outside the organization. In addition, some data has associated legal
usage definitions. The organization’s policy should spell out any such restrictions or
refer to the legal definitions as required. Proper data classification also helps the
organization comply with pertinent laws and regulations. For example, classifying
credit card data as confidential can help ensure compliance with the PCI DSS. One
of the requirements of this standard is to encrypt credit card information. Data
owners who correctly defined the encryption aspect of their organization’s data
classification policy will require that the data be encrypted according to the
specifications defined in this standard.

Password Policy

Every organization should have a password policy in place that defines expectations
of systems and users. The password policy should describe senior leadership's
commitment to ensuring secure access to data, outline any standards that the
organization has selected for password formulation, and identify who is designated
to enforce and validate the policy.

Acceptable Use Policy (AUP)


The acceptable use policy (AUP) defines acceptable use of the organization’s
network and computer systems and can help protect the organization from legal
action. It should detail the appropriate and approved usage of the organization’s
assets, including the IT environment, devices and data. Each employee (or anyone
having access to the organization’s assets) should be required to sign a copy of the
AUP, preferably in the presence of another employee of the organization, and both
parties should keep a copy of the signed AUP.
Policy aspects commonly included in AUPs:
• Data access
• System access
• Data disclosure
• Passwords
• Data retention
• Internet usage
• Company device usage

Bring Your Own Device (BYOD) Policy


An organization may allow workers to acquire equipment of their choosing and use
personally owned equipment for business (and personal) use. This is sometimes
called bring your own device (BYOD). Another option is to present the teleworker or
employee with a list of approved equipment and require the employee to select
one of the products on the trusted list.

Letting employees choose the device that is most comfortable for them may be
good for employee morale, but it presents additional challenges for the security
professional because it means the organization loses some control over
standardization and privacy. If employees are allowed to use their phones and
laptops for both personal and business use, this can pose a challenge if, for
example, the device has to be examined for a forensic audit. It can be hard to
ensure that the device is configured securely and does not have any backdoors or
other vulnerabilities that could be used to access organizational data or systems.
All employees must read and agree to adhere to this policy before any access to the
systems, network and/or data is allowed. If and when the workforce grows, so too
will the problems with BYOD. Certainly, the appropriate tools are going to be
necessary to manage the use of and security around BYOD devices and usage. The
organization needs to establish clear user expectations and set the appropriate
business rules.

Privacy Policy

Change Management Policy



Common Security Policies Deeper Dive

Policies will be set according to the needs of the organization and its vision and
mission. Each of these policies should have a penalty or a consequence attached in
case of noncompliance. The first time may be a warning; the next might be a forced
leave of absence or suspension without pay, and a critical violation could even
result in an employee’s termination. All of this should be outlined clearly during
onboarding, particularly for information security personnel. It should be made clear
who is responsible for enforcing these policies, and the employee must sign off on
them and have documentation saying they have done so. This process could even
include a few questions in a survey or quiz to confirm that the employees truly
understand the policy. These policies are part of the baseline security posture of
any organization. Any security or data handling procedures should be backed up by
the appropriate policies. 

Change Management Components


The change management process includes the following components.

Documentation

All of the major change management practices address a common set of core activities that
start with a request for change (RFC) and move through various development and test
stages until the change is released to the end users. From first to last, each step is subject
to some form of formalized management and decision-making; each step produces
accounting or log entries to document its results.

Approval

These processes typically include:
• Evaluating the RFCs for completeness
• Assignment to the proper change authorization process based on risk and organizational
practices
• Stakeholder reviews, resource identification and allocation
• Appropriate approvals or rejections
• Documentation of approval or rejection

Rollback

Depending upon the nature of the change, a variety of activities may need to be completed.
These generally include:
• Scheduling the change
• Testing the change
• Verifying the rollback procedures
• Implementing the change
• Evaluating the change for proper and effective operation
• Documenting the change in the production environment

Rollback authority would generally be defined in the rollback plan, which might be immediate
or scheduled as a subsequent change if monitoring of the change suggests inadequate
performance.

Change Management Components in the Workplace

Narrator: Change management happens in a cycle. There is no real stopping point; it is
continuously going. This means that there must be continuous monitoring of that environment.
So, if you or anyone should request a change, it needs to go through the appropriate approvals.
The organization must be prepared for rollback if necessary, meaning that if that particular
change did not work, we need to be able to roll back to the legacy system.

While change management is an organization-wide process, it often falls on Information
Security professionals to coordinate the effort and maybe to provide oversight and governance.
Depending on the size of the organization, it may also fall under an IT or development area. In
organizations that have a quality or risk management department, it would be a great fit in
either of those areas too. The common theme is that change management acknowledges and
incorporates input from the end users as well as all areas of IT, Development, Information
Security and most importantly Management, to ensure that all changes are properly tested,
approved and communicated prior to being implemented.

Supporting Security Policies with Procedures

Narrator: Different organizations will have different goals for their acceptable use policies.
Some organizations encourage employees to make wide personal use of the organization’s IT
assets, to improve morale and reduce interruptions between the user’s personal life and work.
Some organizations encourage users to use organizational assets to perform personal
educational tasks, as well—this way, the employee gets the benefit of the assets, and the
organization gets a higher-trained and happier employee. Some organizations severely limit
users' personal use of IT assets, in order to reduce risk within the organization.

All security related policies should align with the organization’s risk tolerance while ensuring
that regulatory requirements are met. An organization that does not store confidential data on
a laptop or workstation is likely to be more relaxed in their acceptable use policy, while a
healthcare facility, research institution or defense contractor may be much stricter, as they
have data that can be potentially devastating if compromised.

Module 4: Understand Security Awareness Training

Domain D5.4, D5.4.1, D5.4.2, D5.3.2 

Module Objective

 L5.4.1 Discuss the importance of security awareness training.

To reduce the effectiveness of certain types of attacks (such as social engineering), it is crucial
that the organization informs its employees and staff how to recognize security problems and
how to operate in a secure manner. While the specifics of secure operation differ in each
organization, there are some general concepts that are applicable to all such programs. 

Manny: So what's the most important tool for cybersecurity, Tasha?


Tasha: I'd say the most important tool is your human resources—your people.
Manny: People more so than technology, firewalls, passwords, and all that stuff?
Tasha: Yes, Manny. It's people who develop that technology, install those firewalls, create those
passwords. Even more so, everyone must follow best practices and policies to ensure the secure
handling of the data they work with every day. That's why security awareness training is so
important.
Your people must know what to look for and what to do when they see it. They must stay
vigilant.
Complacency is the enemy when it comes to cybersecurity.
Manny: If you see something, say something.
Tasha: Exactly. Let's find out more.

Purpose

The purpose of awareness training is to make sure everyone knows what is
expected of them, based on responsibilities and accountabilities, and to find out if
there is any carelessness or complacency that may pose a risk to the organization.
We will be able to align the information security goals with the organization’s
missions and vision and have a better sense of what the environment is. 

What is Security Awareness Training?


Let’s start with a clear understanding of the three different types of learning
activities that organizations use, whether for information security or for any other
purpose:

 Education: The overall goal of education is to help learners improve their
understanding of these ideas and their ability to relate them to their own
experiences and apply that learning in useful ways.
 Training: Focuses on building proficiency in a specific set of skills or actions,
including sharpening the perception and judgment needed to make decisions
as to which skill to use, when to use it and how to apply it. Training can focus
on low-level skills, an entire task or complex workflows consisting of many
tasks.
 Awareness: These are activities that attract and engage the learner’s attention
by acquainting them with aspects of an issue, concern, problem or need.

You’ll notice that none of these have an expressed or implied degree of formality,
location or target audience. (Think of a newly hired senior executive with little or no
exposure to the specific compliance needs your organization faces; first, someone
has to get their attention and make them aware of the need to understand. The
rest can follow.)

The Importance of Security Training


Narrator: Why does everyone need security training? The weakest link in any
organization is the human, and each one of us, regardless of whether we are the
new intern or the executive in the corner office, has our own responsibilities
about security. Everyone contributes to improving the security environment,
administratively, physically and technically.

Employees cannot follow policies and procedures if they have not received training
on what the policies and procedures are. This is especially important for topics like
data handling and emergency response activities. For instance: fire drills are crucial
to protect health and human safety, and train users how to implement the process
of protecting themselves from danger. 

Security Awareness Training Examples


Let’s look at an example of security awareness training by using an organization’s
strategy to improve fire safety in the workplace: 

 Education may help workers in a secure server room understand the interaction of
the various fire and smoke detectors, suppression systems, alarms and their
interactions with electrical power, lighting and ventilation systems. 
 Training would provide those workers with task-specific, detailed learning about the
proper actions each should take in the event of an alarm, a suppression system
going off without an alarm, a ventilation system failure or other contingency. This
training would build on the learning acquired via the educational activities. 
 Awareness activities would include not only posting the appropriate signage, floor
or doorway markings, but also other indicators to help workers detect an anomaly,
respond to an alarm and take appropriate action. In this case, awareness is a
constantly available reminder of what to do when the alarms go off. 

Translating that into an anti-phishing campaign might be done by:

 Education may be used to help select groups of users better understand the ways in
which social engineering attacks are conducted and engage those users in creating
and testing their own strategies for improving their defensive techniques. 
 Training will help users increase their proficiency in recognizing a potential phishing
or similar attempt, while also helping them practice the correct responses to such
events. Training may include simulated phishing emails sent to users on a network
to test their ability to identify a phishing email.
 Raising users’ overall awareness of the threat posed by phishing, vishing, SMS
phishing (also called “smishing) and other social engineering tactics. Awareness
techniques can also alert selected users to new or novel approaches that such
attacks might be taking. 
Let’s look at some common risks and why it’s important to include them in your
security awareness training programs. 

Phishing
The use of phishing attacks to target individuals, entire departments and even
companies is a significant threat that the security professional needs to be aware of
and be prepared to defend against. Countless variations on the basic phishing
attack have been developed in recent years, leading to a variety of attacks that are
deployed relentlessly against individuals and networks in a never-ending stream of
emails, phone calls, spam, instant messages, videos, file attachments and many
other delivery mechanisms.

Phishing attacks that attempt to trick highly placed officials or private individuals
with sizable assets into authorizing large fund wire transfers to previously unknown
entities are known as whaling attacks.

Social Engineering
Social engineering is an important part of any security awareness training
program for one very simple reason: bad actors know that it works. For the
cyberattackers, social engineering is an inexpensive investment with a potentially
very high payoff. Social engineering, applied over time, can extract significant
insider knowledge about almost any organization or individual.

One of the most important messages to deliver in a security awareness program is
an understanding of the threat of social engineering. People need to be reminded
of the threat and types of social engineering so that they can recognize and resist a
social engineering attack.

Most social engineering techniques are not new. Many have even been taught as
basic fieldcraft for espionage agencies and are part of the repertoire of investigative
techniques used by real and fictional police detectives. A short list of the tactics that
we see across cyberspace currently includes:

 Phone phishing or vishing: Using a rogue interactive voice response (IVR) system
to re-create a legitimate-sounding copy of a bank or other institution’s IVR system.
The victim is prompted through a phishing email to call in to the “bank” via a
provided phone number to verify information such as account numbers, account
access codes or a PIN and to confirm answers to security questions, contact
information and addresses. A typical vishing system will reject logins continually,
ensuring the victim enters PINs or passwords multiple times, often disclosing
several different passwords. More advanced systems may be used to transfer the
victim to a human posing as a customer service agent for further questioning.

 Pretexting: The human equivalent of phishing, where someone impersonates an
authority figure or a trusted individual in an attempt to gain access to your login
information. The pretexter may claim to be an IT support worker who is supposed
to do maintenance or an investigator performing a company audit. Or they might
impersonate a coworker, the police, a tax authority or some other seemingly
legitimate person. The goal is to gain access to your computer and information.
 Quid pro quo: A request for your password or login credentials in exchange for
some compensation, such as a “free gift,” a monetary payment or access to an
online game or service. If it sounds too good to be true, it probably is.
 Tailgating: The practice of following an authorized user into a restricted area or
system. The low-tech version of tailgating would occur when a stranger asks you to
hold the door open behind you because they forgot their company RFID card. In a
more sophisticated version, someone may ask to borrow your phone or laptop to
perform a simple action when he or she is actually installing malicious software
onto your device.

Social engineering works because it plays on human tendencies. Education, training
and awareness work best to counter or defend against social engineering because
they help people realize that every person in the organization plays a role in
information security.

Password Protection
We use many different passwords and systems. Many password managers will
store a user’s passwords for them so the user does not have to remember all their
passwords for multiple systems. The greatest disadvantage of these solutions is the
risk of compromise of the password manager.

These password managers may be protected by a weak password or passphrase
chosen by the user and easily compromised. There have been many cases where a
person’s private data was stored by a cloud provider but easily accessed by
unauthorized persons through password compromise.

Organizations should encourage the use of different passwords for different
systems and should provide a recommended password management solution for
their users.

Examples of poor password protection that should be avoided are:

o Reusing passwords for multiple systems, especially using the same
password for business and personal use.
o Writing down passwords and leaving them in unsecured areas.
o Sharing a password with tech support or a co-worker.
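The poor practices listed above can be checked mechanically. The following Python script is an added example, not part of the course material: it audits a constructed, in-memory password inventory (system, business/personal category, password) for reuse across systems, reuse between business and personal accounts, and passwords shorter than an assumed local minimum of 12 characters. The sample entries, the example.test host names and the 12-character threshold are all assumptions; passwords are compared by SHA-256 fingerprint so that the report never prints a secret.

```python
"""Audit a constructed password inventory for the poor practices listed above.

Added example, not part of the course material.  It assumes a small in-memory
inventory of (system, account category, password) records; every entry is a
constructed sample value.
"""
import hashlib
from collections import defaultdict

# Constructed sample inventory: (system, category, password).  Category is
# "business" or "personal", so the audit can flag business/personal reuse.
SAMPLE_INVENTORY = [
    ("vpn.example.test", "business", "Summer2023!"),
    ("hr-portal.example.test", "business", "Summer2023!"),
    ("webmail.example.test", "business", "correct horse battery staple"),
    ("social-site.example.test", "personal", "Summer2023!"),
    ("bank.example.test", "personal", "9v$Qm2!pLz#7Rt"),
    ("shopping.example.test", "personal", "pass1234"),
]

MIN_LENGTH = 12  # assumed local policy minimum, not a figure from the course


def fingerprint(password: str) -> str:
    """Compare passwords by SHA-256 digest so the report never repeats secrets."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(inventory):
    """Group systems that share a password.

    Returns {fingerprint: {"systems": [...], "categories": {...}}} for every
    password used on more than one system.
    """
    groups = defaultdict(lambda: {"systems": [], "categories": set()})
    for system, category, password in inventory:
        fp = fingerprint(password)
        groups[fp]["systems"].append(system)
        groups[fp]["categories"].add(category)
    return {fp: g for fp, g in groups.items() if len(g["systems"]) > 1}


def find_short(inventory, min_length=MIN_LENGTH):
    """Systems whose password is below the assumed minimum length."""
    return [system for system, _, password in inventory if len(password) < min_length]


def audit(inventory):
    """Return a list of findings; each finding is (kind, detail)."""
    findings = []
    for group in find_reuse(inventory).values():
        # Reuse across business and personal accounts is the case the chapter
        # singles out, so it gets its own finding kind.
        kind = "reuse-business-personal" if len(group["categories"]) > 1 else "reuse"
        findings.append((kind, sorted(group["systems"])))
    for system in find_short(inventory):
        findings.append(("short", system))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_INVENTORY):
        print(f"{kind}: {detail}")
```

Run stand-alone, the script reports one password shared by three systems spanning both categories and four passwords below the assumed minimum; the same logic applies unchanged to an export from a real password manager.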

Module 5: Chapter 5 Summary

Domain 5.1.1, 5.1.2, 5.1.3, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.6, 5.4.1, 5.4.2 

Module Objective
L5.5.1 Practice the terminology and review concepts of access controls  

This chapter focused on the day-to-day, moment-by-moment, use of security controls and risk
mitigation strategies in an organization. We discovered ways to secure data and the systems they
reside on. Data (information) security as a process and discipline provides a structure for
protecting the value of data as the organization creates, stores, shares, uses, modifies, archives
and finally destroys that data (known as data handling). During data handling, an organization
classifies (assigns data sensitivity levels), categorizes (determines type of data), labels (applies a
name to the data), retains (determines how long to keep the data) and destroys (erases or
destroys) the data.  

A best practice for securing data is encrypting the data. We explored the process of encrypting
plaintext data with a key and algorithm to create ciphertext, then using either the same key
(symmetric) or a different key (asymmetric) and the same algorithm to decrypt the ciphertext and
convert it back to plaintext. Then hashing was methodically described; hashing takes an input set
of data (of almost arbitrary size) and returns a fixed-length result called the hash value.
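To make the summary above concrete, the following Python example (added here; it is not course material) shows the three operations side by side: a one-time pad as the symmetric case, where the same key decrypts; textbook RSA with constructed, deliberately tiny primes as the asymmetric case, where a different key decrypts; and SHA-256 from hashlib as the hash, whose digest is always the same length and changes in roughly half of its bits when a single byte of input changes. The toy RSA parameters (p=61, q=53, e=17) are illustrative only and the RSA part is not a usable cipher; only the hashlib part is production-grade.

```python
"""Symmetric encryption, asymmetric encryption and hashing side by side.

Added example, not part of the course material.  The symmetric cipher is a
one-time pad (random key as long as the message, used once); the asymmetric
cipher is textbook RSA with constructed, deliberately tiny primes, which shows
the "different key to decrypt" property but is not a usable cipher.
"""
import hashlib
import secrets

# ---------- symmetric: the same key encrypts and decrypts ----------

def otp_keygen(length: int) -> bytes:
    """Fresh random key, as long as the message, from the OS CSPRNG."""
    return secrets.token_bytes(length)


def otp_apply(key: bytes, data: bytes) -> bytes:
    """XOR is its own inverse, so one function both encrypts and decrypts."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must be exactly as long as the data")
    return bytes(k ^ d for k, d in zip(key, data))


# ---------- asymmetric: one key encrypts, a different key decrypts ----------

# Constructed toy parameters (p and q are far too small for real use).
TOY_P, TOY_Q, TOY_E = 61, 53, 17


def rsa_toy_keypair(p=TOY_P, q=TOY_Q, e=TOY_E):
    """Return ((e, n) public key, (d, n) private key) for textbook RSA."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_toy_encrypt(public_key, data: bytes):
    """Encrypt byte by byte: every byte value (< 256) is a valid message for n = 3233."""
    e, n = public_key
    return [pow(b, e, n) for b in data]


def rsa_toy_decrypt(private_key, blocks) -> bytes:
    """Undo rsa_toy_encrypt with the private exponent."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


# ---------- hashing: fixed-length digest of arbitrary-size input ----------

def digest(data: bytes) -> str:
    """SHA-256 hex digest: 64 hex characters regardless of input size."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count bit positions that differ between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo():
    """Run all three operations on a constructed message and report the results."""
    plaintext = b"Classified: handle per data-handling policy"

    key = otp_keygen(len(plaintext))
    ciphertext = otp_apply(key, plaintext)
    symmetric_ok = otp_apply(key, ciphertext) == plaintext

    public_key, private_key = rsa_toy_keypair()
    blocks = rsa_toy_encrypt(public_key, plaintext)
    asymmetric_ok = rsa_toy_decrypt(private_key, blocks) == plaintext

    # A one-byte change to the input flips roughly half of the 256 digest bits.
    h1 = digest(plaintext)
    h2 = digest(plaintext[:-1] + b"?")
    return {
        "symmetric_roundtrip": symmetric_ok,
        "asymmetric_roundtrip": asymmetric_ok,
        "digest_hex_len": len(h1),
        "bits_changed": differing_bits(h1, h2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The byte-at-a-time RSA loop is deterministic (the same byte always maps to the same block), which is exactly why real RSA uses padding and is applied to session keys rather than data; the point here is only that the decrypting key differs from the encrypting one.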

System hardening is the process of applying secure configurations (to reduce the attack surface)
and locking down various hardware, communications systems and software, including operating
system, web server, application server, application, etc. We also discussed configuration
management, a process and discipline used to ensure that the only changes made to a system are
those that have been authorized and validated. Configuration management consists of
identification, baseline, change control, and verification and audit. During configuration
management, one must maintain an inventory and baselines and apply updates and patches.
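As an added example (not from the course), the following Python script shows the verification-and-audit stage of configuration management: it compares a host's current settings and file digests against an approved baseline, distinguishes authorized changes (recorded against a request for change) from unauthorized drift, and reports baseline items missing from the host and items present on the host that the baseline never approved. The baseline keys, the RFC-0042 ticket id, the file contents and the version numbers are all constructed sample values.

```python
"""Verify a host's current configuration against its approved baseline.

Added example, not part of the course material.  It assumes the baseline and
the current state are both captured as flat key/value maps (settings plus
SHA-256 digests of controlled files) and that approved changes are recorded
with a change-control ticket id; all values below are constructed samples.
"""
import hashlib

# Constructed: the approved baseline (identification + baseline stages).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.default_inbound": "deny",
    "file:/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest(),
    "package.openssl": "3.0.8",
}

# Constructed: authorized changes, each tied to a request for change (RFC).
APPROVED_CHANGES = {
    "package.openssl": ("3.0.9", "RFC-0042"),  # patch approved through change control
}

# Constructed: what the audit collected from the host just now.
CURRENT = {
    "sshd.PermitRootLogin": "yes",        # unauthorized drift
    "sshd.PasswordAuthentication": "no",
    "firewall.default_inbound": "deny",
    "file:/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin yes\n").hexdigest(),
    "package.openssl": "3.0.9",           # authorized (see APPROVED_CHANGES)
    "service.telnet": "enabled",          # not in the baseline at all
}


def verify(baseline, current, approved):
    """Return findings for the verification-and-audit stage.

    Each finding is (kind, key, expected, observed):
      "drift"      value differs from baseline with no approved change
      "approved"   value differs but matches an approved change (informational)
      "missing"    baseline item absent from the host
      "unexpected" item present on the host but not in the baseline
    """
    findings = []
    for key, expected in baseline.items():
        if key not in current:
            findings.append(("missing", key, expected, None))
            continue
        observed = current[key]
        if observed == expected:
            continue
        if key in approved and approved[key][0] == observed:
            findings.append(("approved", key, expected, f"{observed} ({approved[key][1]})"))
        else:
            findings.append(("drift", key, expected, observed))
    for key in current.keys() - baseline.keys():
        findings.append(("unexpected", key, None, current[key]))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def drift_only(findings):
    """Only the findings that need change-control follow-up."""
    return [f for f in findings if f[0] in ("drift", "missing", "unexpected")]


if __name__ == "__main__":
    for kind, key, expected, observed in verify(BASELINE, CURRENT, APPROVED_CHANGES):
        print(f"{kind:10} {key}: expected={expected} observed={observed}")
```

On the constructed input the script reports two drift findings (the sshd setting and the digest of the file that carries it), one approved change, and the unexpected telnet service; in practice the current map would be filled by a collector such as a configuration-management agent or a script, and the baseline would come from the configuration-management database.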

The following best practice security policies were examined: data handling (appropriate use of
data), password (appropriate use of passwords), acceptable use (appropriate use of the assets,
devices, and data), bring your own device (appropriate use of personal devices), privacy
(appropriate protection of one’s privacy), and change management (appropriate transition from
current state to a future state). Change management practices address a common set of core
activities: documentation, approval, and rollback. It starts with a request for change (RFC) and
moves through various development and test stages until the change is released to the end users. 

We ended the chapter by discussing the importance of security awareness training and how it
reduces the internal threat to an organization. By breaking down the levels of security awareness
training into education, training, and awareness, we identified that the training can be tailored to
the security topic(s), organization, position and/or individual. The module highlighted some of
the main threats, including phishing and social engineering, and why it is important to include
them in your security awareness training programs. We also emphasized the importance of
password protection.

Chapter 5: Terms and Definitions

 Application Server - A computer responsible for hosting applications to user
workstations. NIST SP 800-82 Rev.2
 Asymmetric Encryption - An algorithm that uses one key to encrypt and a
different key to decrypt the input plaintext.
 Checksum - A digit representing the sum of the correct digits in a piece of stored
or transmitted digital data, against which later comparisons can be made to
detect errors in the data.
 Ciphertext - The altered form of a plaintext message so it is unreadable for
anyone except the intended recipients. In other words, it has been turned into a
secret.
 Classification - Classification identifies the degree of harm to the organization,
its stakeholders or others that might result if an information asset is divulged to
an unauthorized person, process or organization. In short, classification is
focused first and foremost on maintaining the confidentiality of the data, based
on the data sensitivity.
 Configuration management - A process and discipline used to ensure that the
only changes made to a system are those that have been authorized and
validated.
 Cryptanalyst - One who performs cryptanalysis which is the study of
mathematical techniques for attempting to defeat cryptographic techniques
and/or information systems security. This includes the process of looking for
errors or weaknesses in the implementation of an algorithm or of the algorithm
itself.
 Cryptography - The study or applications of methods to secure or protect the
meaning and content of messages, files, or other information, usually by
disguise, obscuration, or other transformations of that content and meaning. 
 Data Loss Prevention (DLP) - System capabilities designed to detect and
prevent the unauthorized use and transmission of information. 
 Decryption - The reverse process from encryption. It is the process of
converting a ciphertext message back into plaintext through the use of the
cryptographic algorithm and the appropriate key for decryption (which is the
same for symmetric encryption, but different for asymmetric encryption).
This term is also used interchangeably with the “deciphering.”
 Degaussing - A technique of erasing data on disk or tape (including video
tapes) that, when performed properly, ensures that there is insufficient
magnetic remanence to reconstruct data.
 Digital Signature - The result of a cryptographic transformation of data
which, when properly implemented, provides the services of origin
authentication, data integrity, and signer non-repudiation. NIST SP 800-12
Rev. 1
 Egress Monitoring - Monitoring of outgoing network traffic.
 Encryption - The process and act of converting the message from its
plaintext to ciphertext. Sometimes it is also referred to as enciphering. The
two terms are sometimes used interchangeably in literature and have similar
meanings.
 Encryption System - The total set of algorithms, processes, hardware,
software, and procedures that taken together provide an encryption and
decryption capability. 
 Hardening - A reference to the process of applying secure configurations (to
reduce the attack surface) and locking down various hardware,
communications systems, and software, including operating system, web
server, application server, application, etc. Hardening is normally performed
based on industry guidelines and benchmarks, such as those provided by the
Center for Internet Security (CIS).
 Hash Function - An algorithm that computes a numerical value (called the
hash value) on a data file or electronic message that is used to represent that
file or message and depends on the entire contents of the file or message. A
hash function can be considered to be a fingerprint of the file or message.
NIST SP 800-152
 Hashing - The process of using a mathematical algorithm against data to
produce a numeric value that is representative of that data. Source: CNSSI
4009-2015
 Ingress Monitoring - Monitoring of incoming network traffic.
 Message Digest - A digital signature that uniquely identifies data and has the
property such that changing a single bit in the data will cause a completely
different message digest to be generated. NISTIR-8011 Vol.3
 Operating System - The software “master control application” that runs the
computer. It is the first program loaded when the computer is turned on, and
its main component, the kernel, resides in memory at all times. The
operating system sets the standards for all application programs (such as the
Web server) that run in the computer. The applications communicate with
the operating system for most user interface and file management
operations. NIST SP 800-44 Version 2 
 Patch - A software component that, when installed, directly modifies files or
device settings related to a different software component without changing
the version number or release details for the related software component.
Source: ISO/IEC 19770-2
 Patch Management - The systematic notification, identification, deployment,
installation and verification of operating system and application software
code revisions. These revisions are known as patches, hot fixes, and service
packs. Source: CNSSI 4009
 Plaintext - A message or data in its natural format and in readable form;
extremely vulnerable from a confidentiality perspective.
 Records - The recordings (automated and/or manual) of evidence of
activities performed or results achieved (e.g., forms, reports, test results),
which serve as a basis for verifying that the organization and the information
system are performing as intended. Also used to refer to units of related
data fields (i.e., groups of data fields that can be accessed by a program and
that contain the complete set of information on particular items). NIST SP
800-53 Rev. 4
 Records Retention - A practice based on the records life cycle, according to
which records are retained as long as necessary, and then are destroyed
after the appropriate time interval has elapsed.
 Remanence - Residual information remaining on storage media after
clearing. NIST SP 800-88 Rev. 1
 Request for change (RFC) - The first stage of change management, wherein
a change in procedure or product is sought by a stakeholder. 
 Security Governance - The entirety of the policies, roles, and processes the
organization uses to make security decisions in an organization.
 Social engineering - Tactics to infiltrate systems via email, phone, text, or
social media, often impersonating a person or agency in authority or offering
a gift. A low-tech method would be simply following someone into a secure
building.
 Symmetric encryption - An algorithm that uses the same key in both the
encryption and the decryption processes.
 Web Server - A computer that provides World Wide Web (WWW) services on
the Internet. It includes the hardware, operating system, Web server
software, and Web site content (Web pages). If the Web server is used
internally and not by the public, it may be known as an “intranet server.” NIST
SP 800-44 Version 2
 Whaling Attack - Phishing attacks that attempt to trick highly placed officials
or private individuals with sizable assets into authorizing large fund wire
transfers to previously unknown entities. 

Attempt 1
Written: Jun 25, 2023 8:49 PM - Jun 25, 2023 8:53 PM

Which of the following can be used to map data flows through an
organization and the relevant security controls used at each point along
the way? (D5.1, L5.1.1)
Question options:

A)  Encryption

B)  Hashing

C)  Hard copy

D)  Data life cycle

Question 1 feedback:

Incorrect. Encryption is one type of control that can be used to protect data.

Why is an asset inventory so important? (D5.2, L5.2.1)

Question options:

A)  It tells you what to encrypt

B)  You can't protect what you don't know you have

C)  The law requires it 

D)   It contains a price list

Question 2 feedback:

Correct. The inventory records which assets the organization has, which gives the organization the opportunity to

Who is responsible for publishing and signing the organization's
policies? (D5.3, L5.3.1)

Question options:

A)  The security office

B)  Human Resources

C)  Senior management

D)  The legal department

Question 3 feedback:

Incorrect. The security office does not publish policy. 

Which of the following is always true about logging? (D5.1, L5.1.3)

Question options:

A)  Logs should be very detailed 

B)  Logs should be in English

C)  Logs should be concise

D)  Logs should be stored separately from the systems they're logging

Question 4 feedback:

Correct. It is important to store log data somewhere other than on the machine where the data is gathered.

A mode of encryption for ensuring confidentiality efficiently, with a
minimum amount of processing overhead (D5.1, L5.1.3)

Question options:

A)  Asymmetric

B)  Symmetric

C)  Hashing

D)  Covert

Question 5 feedback:

Correct. Symmetric encryption provides confidentiality with the least amount of processing overhead. 

A ready visual cue to let anyone in contact with the data know what the
classification is. (D5.1, L5.1.1)

Question options:

A)  Encryption

B)  Label

C)  Graphics

D)  Photos

Question 6 feedback:

Correct. The label reflects the classification of a given piece of data.

A set of security controls or system settings used to ensure uniformity
of configuration throughout the IT environment. (D5.2, L5.2.1)

Question options:
Question options:

A)  Patches

B)  Inventory

C)  Baseline

D)  Policy

Question 7 feedback:

Correct. This is the definition of a baseline. 

What is the most important aspect of security awareness/training?
(D5.4, L5.4.1)

Question options:

A)  Protecting assets

B)  Maximizing business capabilities

C)  Ensuring the confidentiality of data

D)  Protecting health and human safety

Question 8 feedback:

Correct. There is nothing more important than health and human safety.

Which entity is most likely to be tasked with monitoring and enforcing
security policy? (D5.3, L5.3.1)

Question options:

A)  The Human Resources office

B)  The legal department

C)  Regulators

D)  The security office

Question 9 feedback:

Correct. While the policy is dictated by senior management, the security office is often tasked with monitoring/e

Which organizational policy is most likely to indicate which types of
smartphones can be used to connect to the internal IT environment?
(D5.3, L5.3.1)

Question options:

A)  The CM policy (change management)

B)  The password policy

C)  The AUP (acceptable use policy)

D)  The BYOD policy (bring your own device)

Question 10 feedback:

Correct. The BYOD policy typically describes which devices can be used to process data and access networks be

Congratulations, you passed the quiz!

You've achieved an overall grade of 70% or higher and completed this
activity.

80 %