Security Governance Through Principles and Policies
Confidentiality, Integrity, and Availability
Confidentiality
Definition
Restriction to unauthorized objects
Attacks
Capture network traffic
Stealing password files
Social engineering
Port scanning
Shoulder surfing
Eavesdropping
Sniffing, etc.
Countermeasures
Encryption
Network traffic padding
Strict access control
Rigorous authentication
Authentication procedures
Data classification
Personnel training
Aspects of Confidentiality
Sensitivity
Discretion
Criticality
Concealment
Secrecy
Privacy
Seclusion
Isolation
Availability
Definition
Authorized subjects are granted timely and uninterrupted access to objects
Threats
Device failure
Software Errors
Environmental issues
Attacks
DoS attacks
Object destruction
Communication interruption
Human errors
Deleting files
Overutilizing hardware or software
Underallocating resources
Mislabeling or incorrectly classifying objects
Oversight of security policies or controls
Countermeasures
Aspects of Availability
Usability
Accessibility
Timeliness
Integrity
Definition
Unaltered object from the original protected state
Examination perspectives
Preventing unauthorized subjects from making modifications
Preventing authorized subjects from making unauthorized modifications
Maintaining internal and external consistency of objects
Attacks
Viruses
Unauthorized access
Errors in coding and applications
Malicious modification
System backdoors
Human error
Oversight
Ineptitude
Accidentally deleting files
Entering invalid data
Altering configurations
Including errors in commands, code and scripts
Introducing viruses
Oversight in a security policy or misconfigured security control
Countermeasures
Strict Access Controls
Authentication procedures
Intrusion Detection Systems
Object/Data encryption
Hash verification
Interface restrictions
Input/Function checks
Personnel training
Aspects of Integrity
Accuracy
Truthfulness
Authenticity
Validity
Nonrepudiation
Accountability
Responsibility
Completeness
Comprehensiveness
Other Security Concepts
Identification
Definition
Professing an identity to a system
Examples
Username
Swiping a smart card
Speaking a phrase
Positioning a face, hand or finger in a scanning device
Providing an ID number
Authentication
The process of verifying that the claimed identity is valid
Auditing
Recording a log of the events and activities related to the system and subjects
Authorization
Once the subject is authenticated, it must be authorized
The system compares an access control matrix to determine the rights
Accountability
Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
Nonrepudiation
Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.
Can be achieved by
Digital Certificates
Session identifiers
Transaction logs
Access Control Mechanisms
Protection Mechanisms
Abstraction
Classifying objects or assigning roles to subjects
Data Hiding
Definition
Preventing data from being discovered
Forms
Preventing unauthorized access to databases
Restricting a subject at a lower classification level from accessing data at a higher classification level
Preventing an application from accessing hardware directly
Layering
Defense in depth
Encryption
Hiding the meaning or intent of a communication from unintended recipients
Security Governance Principles
Organizational Processes
Change Control/Management
Ensure that any change does not lead to reduced or compromised security
Make all changes subject to detailed documentation and auditing
Goals
Implement changes in a monitored and orderly manner
A formalized testing process
All changes can be reversed
Users are informed of changes
The effects of changes are systematically analyzed
The negative impact of changes is minimized
Changes are reviewed and approved by a CAB (Change Approval Board)
Example
Parallel run: two identical systems working in parallel
Data Classification
Definition
Used to determine how much effort, money, and resources are allocated to protect data and control access to it
Classification Scheme Steps
Identify the custodian, and define their responsibilities
Specify the evaluation criteria of how the information will be classified and labeled
Classify and label each resource (The owner conducts this step, reviewed by the supervisor)
Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria
Select the security controls that will be applied to each classification level to provide the necessary level of protection
Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity
Create an enterprise-wide awareness program to instruct all personnel about the classification system.
Government/Military Classification
Top Secret
Grave damage on national security
Secret
Critical damage to national security
Confidential
Serious damage to national security
Sensitive but Unclassified
Unclassified
Does not compromise confidentiality
Commercial Classification
Confidential (Proprietary)
Significant negative impact to company
Private
Internal use only information (Individual information)
Sensitive
Public
Ownership
Formal assignment of responsibility to an individual or group
Security Roles and Responsibilities
Data Owner
Responsible for classifying information for protection and placement
Delegates responsibility to a custodian
Data Custodian
Assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy
Security Professional
Responsible for following the directives mandated by senior management
Writing the security policy and implementing it.
Not decision makers but implementers
User
Person who has access to the secured system
Senior Manager
Liable for the overall success or failure of a security solution
Must sign off on all policy issues
Decision makers
Auditor
Reviewing and verifying that the security policy is properly implemented
Alignment of Security Function to Strategy, Goals, Mission, and Objectives
Elements of Security Management
Defining security roles
Prescribing how security will be managed
Who will be responsible for security
How security will be tested for effectiveness
Developing security policies
Performing risk analysis
Requiring security education for employees
Planning
Tactical plan
Midterm plan (~1 year)
Can be crafted in response to unpredictable events
Examples
Project plans
Acquisition plans
Hiring plans
Budget plans
Maintenance plans
Support plans
System development plans
Strategic Plan
Long-term plan (~5 years)
Aligns security to the organization's goals, mission and objectives
Should include Risk Analysis
Operational Plan
Short-term plan (months)
How to accomplish organizational goals
Examples
Training plans
System deployment plans
Product design plans
Top-down approach
Operational management: implements the configurations prescribed in the security policy
End user: complies with the whole security policy
Middle management: refines the security policy into standards, baselines, guidelines and procedures
Senior management: initiates and defines the policy
Control Frameworks
Examples
Control Objectives for Information and Related Technology (COBIT 5)
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
Open Source Security Testing Methodology Manual (OSSTMM)
ISO/IEC 27002
Information Technology Infrastructure Library (ITIL)
Due Care and Due Diligence
Due diligence
Using reasonable care to protect the interests of an organization
Due care
Practicing the activities that maintain the due care effort
Security Policy, Standards, Procedures, and Guidelines
Security Policies
Definition
Document that defines the scope of the security needed by the organization
Discusses the assets that require protection
Outlines the security framework of an organization
Focused-types
Organizational Security Policy
Issue-specific Security Policy
System-specific Security Policy
Categories
Regulatory
Whenever industry or legal standards are applicable
Informative
Provides knowledge of a specific subject
Advisory
Defines acceptable behaviour and acceptable activities, and the consequences of violations
Notes
A security policy does not define who is to do what but rather defines what must be done by the various roles within the security infrastructure
Security Standards, Baselines, and Guidelines
Standards
Define compulsory requirements for the use of hardware, software, technology and security controls
Define steps or methods to accomplish the goals defined by the security policy
Baselines
Defines a minimum level of security every system must meet
Establishes a common foundational secure state
They refer to industry or government standards like NIST, ITSEC
Guidelines
Recommendations on how standards and baselines are implemented
They outline methodologies, suggested actions
Not compulsory
Security Procedures
Detailed step-by-step description of necessary actions
Understand and Apply Threat Modeling
Process of Threat Modeling
Identify potential harm
Probability of occurrence
Priority of concern
Means to eradicate or reduce threat
Type of approaches
Defensive approach
Predicting threats during the design phase
Reactive approach/Adversarial approach
Threat modeling happens after a product has been released
E.g.: ethical hacking, pentesting, source code review, fuzz testing
Identifying Threats
Focused on Assets
Identify threats to the valuable asset
Focused on Attackers
Identify the threat based on the attacker's goals
Focused on Software
Applies when an organization develops its own software
Categorization scheme (STRIDE)
Spoofing
False identity as valid user
Tampering
Unauthorized change of data. Violates integrity and availability
Repudiation
Ability to deny having performed an action. Third parties are blamed for security violations
Information disclosure
Revelation of private or confidential info
Denial of service (DoS)
Prevent authorized use of resources
Elevation of privilege
When a limited user account is transformed into an account with greater privileges
Determining and Diagramming Potential Attacks
Visual representation of how data flows
Performing Reduction Analysis
Definition
Decomposing the application, system or environment
Understand the logic of the product and its interactions with external elements
Decomposition process
Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
Prioritization and Response
Document the threats
Means, target, consequences of a threat, techniques of exploitation, countermeasures
Rank the threats
Probability × Damage Potential
Scale of 1 to 10, where 10 is the most severe risk
High/medium/low rating
High-priority threats need to be addressed immediately
DREAD system
Damage potential
How severe the damage is
Reproducibility
How complicated the attack is to reproduce
Exploitability
How difficult the attack is to carry out
Affected users
Number of affected users
Discoverability
How difficult the weakness is to discover
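The "Rank the threats" step above (Probability × Damage Potential on a 1 to 10 scale, a High/medium/low rating, and the DREAD components) is easiest to see as a small scoring routine. The following is an added example written for this outline; it is not code from the mind map or from any threat-modeling tool. The High/Medium/Low thresholds, the equal weighting of the five DREAD components, and the sample threats with their scores are all assumptions made for illustration.

```python
"""Rank documented threats by DREAD score and by Probability x Damage Potential.

Added example for the prioritization step; thresholds and sample data are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One documented threat with 1..10 scores (10 = most severe)."""
    name: str
    probability: int       # likelihood of occurrence, 1..10
    damage: int            # DREAD: Damage potential, 1..10
    reproducibility: int   # DREAD: Reproducibility, 1..10
    exploitability: int    # DREAD: Exploitability, 1..10
    affected_users: int    # DREAD: Affected users, 1..10
    discoverability: int   # DREAD: Discoverability, 1..10


def _check(score: int, label: str) -> int:
    """Reject scores outside the 1..10 scale instead of silently ranking them."""
    if not 1 <= score <= 10:
        raise ValueError(f"{label} must be between 1 and 10, got {score}")
    return score


def dread_score(t: Threat) -> float:
    """Equal-weight average of the five DREAD components, 1..10."""
    parts = [
        _check(t.damage, "damage"),
        _check(t.reproducibility, "reproducibility"),
        _check(t.exploitability, "exploitability"),
        _check(t.affected_users, "affected_users"),
        _check(t.discoverability, "discoverability"),
    ]
    return sum(parts) / len(parts)


def risk_product(t: Threat) -> int:
    """Probability x Damage Potential, 1..100 (the other ranking scheme in the outline)."""
    return _check(t.probability, "probability") * _check(t.damage, "damage")


def rating(score: float) -> str:
    """Map a 1..10 score to the High/Medium/Low rating. Thresholds are assumed."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Return (name, dread, product, rating) rows, most severe first."""
    rows = []
    for t in threats:
        d = dread_score(t)
        rows.append((t.name, round(d, 1), risk_product(t), rating(d)))
    # Sort by DREAD score, then by Probability x Damage as a tie-breaker.
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


# Constructed sample threats; the names and scores are illustrative only.
SAMPLE_THREATS = [
    Threat("SQL injection in login form", 8, 9, 9, 8, 9, 7),
    Threat("Verbose stack trace on error page", 6, 3, 10, 9, 5, 9),
    Threat("Physical theft of backup tapes", 2, 8, 2, 3, 8, 2),
]

if __name__ == "__main__":
    for name, dread, product, level in rank_threats(SAMPLE_THREATS):
        print(f"{level:6} DREAD={dread:4}  P x D={product:3}  {name}")
```

The two numbers disagree on purpose for the second sample: a verbose error page scores high on DREAD because it is trivially reproducible and discoverable, but low on Probability × Damage because its damage potential is small. Looking at both columns before assigning the final High/Medium/Low rating is what the "Rank the threats" step is for.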