Security+
Policies, Procedures, Awareness
Security Policies
Security Policy
A security policy defines the overall security goals and processes for an organization
Security policy must be maintained
Security policy must be used
Security policy must be well planned
Regulation
A requirement published by a government or other licensing body that must be followed
Procedure
A step-by-step process that outlines how to implement a specific action
Baseline
Dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards
Guideline
A recommendation for use when a specific standard or procedure does not exist
Security Planning:
Complying with legal and regulatory compliance issues
Demonstrate ethical practices
Practicing due care
Practicing due diligence
Implementing due process
Prudent man rule: due care and due diligence that demonstrates management has taken reasonable action to ensure safety standards according to accepted or best practices
Data Retention
Data Retention policies define how information in your possession is maintained and for how long
Archiving Information
Destroying Information
Handling information involved in litigation
Security Documentation
Acceptable Use Policy (AUP)
Authorized Access
Configuration Management
Code Escrow Agreement
Code of Ethics
Human Resource
Organizational Security
Password
Privacy
Resource Allocation
Service Level Agreement (SLA)
User education and awareness training
User Management
Security Management
The overall security vision for an organization as well as the ongoing implementation and maintenance of security
The goal is to preserve the confidentiality, integrity and availability of all critical and valuable assets
Senior Management defines corporate security posture or tone
Security professionals under senior management establish specific policies and plans related to the organization's security implementation.
Effective Policies
Assess the risk
Create a policy
Implement the policy
Train the organization on the policy
Audit the plan to make sure it is working
Defense in Depth
The premise that no single layer is completely effective in securing the organization
Change Control
Identify the need for a change and submit it for approval
Conduct a feasibility test
Design the method for implementing the change
Implement the change
Test the implementation to make sure it conforms to the plan and that changes do not adversely affect confidentiality, integrity and availability
Document the change
Analyze feedback
Employee Management
Reduces the exposure of assets to employee-related threats (error, fraud, misuse of privileges).
Security Awareness
Physical Security
The protection of assets from physical threats
Risk Management
The process of identifying vulnerabilities and threats and then deciding which countermeasures will reduce those risks to an acceptable level.
Asset
Threat Vector
Threat probability
Countermeasure
Exposure
Loss
Risk
Residual Risk
Risk Management Processes
Asset Identification
Tangible Asset
Intangible Asset
Identifies an organizations resources
Asset Evaluation
Determines the worth of that resource to the organization
Threat Identification
External Threats
Internal Threats
Natural Events
Disasters
Vulnerability Evaluation
Evaluate common vulnerabilities to identify weaknesses that can be exploited.
Risk Assessment
The practice of determining which threats identified are relevant and pressing to the organization and then attaching a potential cost that can be expected if the identified threat occurs.
Quantitative Analysis
Qualitative Analysis
Components
Single Loss Expectancy (SLE)
Exposure Factor
Annualized rate of occurrence (ARO)
Annual Loss Expectancy (ALE)
SLE = Asset Value (AV) X EF
ALE = SLE X ARO
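Added worked example (not from the original notes) of the quantitative formulas above, carried through to the question they are meant to answer: whether a countermeasure costs less per year than the loss it prevents. The asset value, exposure factors and rates are constructed.

```python
"""Quantitative risk analysis: SLE, ALE and countermeasure cost/benefit.

Added worked example; the asset values, exposure factors and rates below are
constructed for illustration and do not come from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost per incident (0..1)
    aro: float                # ARO, expected incidents per year


def sle(s: Scenario) -> float:
    """Single Loss Expectancy = AV x EF."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annual Loss Expectancy = SLE x ARO."""
    return sle(s) * s.aro


def countermeasure_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - annual cost.
    Positive means the control pays for itself; negative means the organization
    would spend more on the control than the risk it removes."""
    return ale(before) - ale(after) - annual_cost


# Constructed sample: a file server valued at 200,000 hit by ransomware.
# Without offline backups an incident destroys 60% of the value; expected
# once every two years (ARO 0.5).
ransomware_before = Scenario("ransomware, no offline backups", 200_000, 0.60, 0.5)
# With tested offline backups the same incident costs ~10% (downtime + restore).
ransomware_after = Scenario("ransomware, offline backups", 200_000, 0.10, 0.5)

if __name__ == "__main__":
    print(f"SLE before: {sle(ransomware_before):,.0f}")
    print(f"ALE before: {ale(ransomware_before):,.0f}")
    print(f"ALE after:  {ale(ransomware_after):,.0f}")
    for cost in (15_000, 60_000):
        value = countermeasure_value(ransomware_before, ransomware_after, cost)
        print(f"backup program at {cost:,}/yr -> net annual value {value:,.0f}")
```

The same control is worth buying at 15,000 a year and not at 60,000 a year; the formulas only become useful once the residual ALE and the control's cost are both on the table.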
Risk Response
Taking measures to determine how to best respond to the risk
Transferring risk (insurance)
Accepting risk and choosing to do nothing
Risk Rejection
Risk Deterrence
Distributive Allocation
Responds to risk by spreading it through redundancy and high availability techniques such as clustering, load balancing and redundant storage arrays
Asset Prioritization
Delphi
Anonymous survey
Sensitivity vs. Risk
Comparative
Asset Classification
Business Continuity
The activity performed by an organization to ensure that critical business functions are available to customers, suppliers, regulators, and other entities that must have access to those functions
Business Continuity Plan (BCP)
Identifies appropriate disaster responses that maintain business operations during reduced or restricted infrastructure and resource capabilities
Steps
Analysis
Solution Design
Implementation
Testing and organization acceptance
Maintenance
Roles/Functions
Identifies and prioritizes critical functions
Calculates Recovery timeframes
Identifies plans, including resource dependencies and response options, to bring critical functions online within an established timeframe
Specifies procedures for security of unharmed assets.
Identifies procedures for salvage of damaged assets.
Identifies BCP team members who are responsible for plan implementation
Should be tested on a regular basis.
Tabletop exercise
Medium Exercise
Complex exercise
Business Impact Analysis (BIA)
Focuses on the impact losses will have on the organization
Identifies threats that can affect processes/assets
Identifies mission-essential functions
Identifies critical systems
Establishes maximum down time (MDT) the corporation can survive without the process/asset.
Establishes other recovery benchmarks
Recovery Point Objective (RPO)
Recovery Time Objective (RTO)
Mean time between failures (MTBF)
Mean time to Repair (MTTR)
Estimates tangible (financial loss) and intangible (loss of customer trust) impact on the organization
Life
Property
Safety
Finance
Reputation
Disaster Recovery Plan (DRP)
Identifies short-term actions necessary to stop the incident and restore critical functions so the organization can continue to operate
Plans for resumption of applications, data, hardware, communications, and other IT infrastructure in case of a disaster
Attempts to take into consideration every failure possible
Plans for converting operations to alternate processing sites in case of a disaster
Plans for converting back to the original site after the disaster has concluded
Manageable Network Plan
A process created by the NSA to assist in making a network manageable, defensible, and secure.
Prepare to Document
Establishing the process you will use to document your network.
Must Be Easy to use
Include enough detail
Document the important things
Use timestamps
Be protected with restricted access and possibly encryption
Have a printed hard copy kept in a secure location
Protect Your Network (Network Architecture)
Identify and document each user on the network and the information the user has access to.
Identify the high-value network assets
Document the trust boundaries
Identify the choke points on the network
Segregate and isolate networks
Isolate server functions
Physically secure high-value systems
Map Your Network
Ensures that you are aware of all the components of the network and that you know where the physical devices are
Steps:
Create a map of the network topology
Create a list of all devices
Includes wireless devices
Use a network scanner and then confirm manually with a room-by-room walkthrough
Identify who is responsible for each device and detail other information, such as IP address, service tag, and physical location
Consider using a database file to store the information
Create a list of all protocols being used on the network by using a network analyzer
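Added worked example for the mapping steps above (not from the original notes): parse nmap's -oX XML output into a device list keyed on MAC address and reconcile it with the documented inventory, so devices with no owner and inventoried devices that did not answer the scan are flagged for the room-by-room walkthrough. The XML, the KNOWN_DEVICES table and all names and addresses are constructed.

```python
"""Build a device inventory from an nmap XML scan and reconcile it with the
documented asset list.

Added example (not part of the original notes). SCAN_XML is a constructed,
abbreviated sample in the format nmap writes with -oX; the asset list,
names and addresses are fictional.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX scan.xml 192.168.10.0/24">
  <host><status state="up"/>
    <address addr="192.168.10.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:01" addrtype="mac" vendor="Cisco Systems"/>
    <hostnames><hostname name="gw.corp.example" type="PTR"/></hostnames>
  </host>
  <host><status state="up"/>
    <address addr="192.168.10.20" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:20" addrtype="mac" vendor="Dell Inc."/>
    <hostnames><hostname name="files01.corp.example" type="PTR"/></hostnames>
  </host>
  <host><status state="up"/>
    <address addr="192.168.10.77" addrtype="ipv4"/>
    <address addr="DE:AD:BE:EF:00:77" addrtype="mac" vendor="Raspberry Pi Foundation"/>
    <hostnames/>
  </host>
  <host><status state="down"/>
    <address addr="192.168.10.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# The documented inventory: MAC -> (owner, physical location, service tag).
# Keyed on MAC rather than IP because DHCP addresses move around.
KNOWN_DEVICES = {
    "00:11:22:33:44:01": ("network team", "MDF rack 1", "FGL1234"),
    "00:11:22:33:44:20": ("IT ops", "server room, rack 3", "SVC-7781"),
    "00:11:22:33:44:30": ("IT ops", "server room, rack 3", "SVC-7782"),  # documented, but offline in this scan
}


@dataclass(frozen=True)
class Device:
    ip: str | None
    mac: str | None
    vendor: str | None
    hostname: str | None


def parse_nmap_xml(xml_text: str) -> list[Device]:
    """Return one Device per host that nmap reported as up."""
    devices = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = vendor = hostname = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").upper()
                vendor = addr.get("vendor")
        hn = host.find("hostnames/hostname")
        if hn is not None:
            hostname = hn.get("name")
        devices.append(Device(ip, mac, vendor, hostname))
    return devices


def reconcile(devices: list[Device], known: dict) -> tuple[list[Device], list[str]]:
    """Split the scan into devices missing from the inventory (they need an
    owner and a physical check) and inventoried MACs that did not answer
    (moved, powered off, or gone)."""
    seen = {d.mac for d in devices if d.mac}
    unknown = [d for d in devices if d.mac not in known]
    missing = sorted(mac for mac in known if mac not in seen)
    return unknown, missing


if __name__ == "__main__":
    found = parse_nmap_xml(SCAN_XML)
    unknown, missing = reconcile(found, KNOWN_DEVICES)
    for d in found:
        owner = KNOWN_DEVICES.get(d.mac, ("UNASSIGNED",))[0]
        print(f"{d.ip:<16} {d.mac or '-':<18} {d.hostname or '-':<24} {d.vendor or '-':<26} owner={owner}")
    print("not in inventory:", [d.ip for d in unknown])
    print("inventoried but not seen:", missing)
```

A scan alone only tells you what answered; the reconciliation step is what turns it into the documented, owner-assigned list the plan asks for, and the "not seen" list is the input for the manual walkthrough.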
Reach Your Network (Device Accessibility)
Helps to ensure that all of the devices on your network can be easily accessed while still maintaining the device's security.
Do not use insecure protocols
Use Windows Group Policies to administer Windows systems
Make sure that remote access connections are secure
Automate administration as much as possible
Control Your Network (User Access)
Secures the network by restricting what each user can reach and do
Limit a user to the least privilege required for the user's job
Limit local admins to an absolute minimum
Use regular user accounts for day-to-day work
Use role-based access controls
Don't let users install software
Set account expiration dates
Disable or remove accounts when a user leaves the organization
Manage Your Network - Part I (Patch Management)
Patch Management
Establishes an update management process for all software on your network
Patch all systems on a regular schedule
Apply critical patches whenever they are released
Include mobile devices that connect to the network infrequently
Automate the patching process
Manage Your Network - Part II (Baseline Management)
Provides rules for establishing a baseline for all systems
Create an approved application list for each class of device on the network
Establish the criteria and process for getting an application on the approved list
Verify apps before adding them to the allowed list
Create device baselines
Secure Web browsers
Check baselines for security misconfigurations
Document Your Network
Document processes and procedures
Social Engineering
An attack that exploits human nature by convincing someone to reveal information or perform an activity.
Techniques:
Authority
Intimidation
Consensus / social proof
Scarcity
Familiarity
Trust
Urgency
Attacks
Shoulder Surfing
Eavesdropping
Dumpster Diving
Tailgating
Piggybacking
Impersonation
Phishing
Spear Phishing
Whaling
Vishing
Email Hoax
Virus Hoax
Watering Hole
Employee Management
Employee management is the implementation of processes to ensure that employees play a major role in protecting company assets
Principle of least privilege
The principle of separation of duties
The principle of two-man control, which specifies that certain tasks should be dual-custody in nature to prevent a security breach
Common employee-related security vulnerabilities
Fraud
Collusion
Employment Stages:
Pre-employment
Employment
Termination
Employee Documents
Employment agreements are the documents that explicitly identify the terms and conditions of employment
NDA
Non-Compete
Ownership of Materials Agreement
Data handling and classification policy
Clean Desk Policy
Acceptable Use Policy
Password Security policy
Employee Monitoring Agreement
Exit Interview Cooperation Agreement
Memorandum of Agreement
Standard Operating Procedure
On the first day of employment
Security Policy
Employee Handbook
Job Description
Ethics
Values
The beliefs and ideals of an organization that guide actions and performance in its day-to-day interactions with suppliers, employees and customers
Principles
Fundamental truths or rules that support the business values.
Management Support
Personal Responsibility
Compliance
Code of ethics
A set of rules or standards that help you to act ethically in various situations
Ethics is the concept and practice of behavior that builds and maintains responsibility and trust
Mobile Devices
Request Process
Asset Tracking and Inventory Control
Acceptable Use
Personal Identification Number
Unused Features
Lockout or Screen Lock
Encryption
Remote Wipe
Storage Segmentation
Reporting System
Third-party Integration
Onboarding
Ongoing Operations
Off-Boarding
App Development
Software Development Life Cycle (SDLC)
A systematic method for design, development, and change management used for software development and implementation of system and security projects
SDLC Phases
Project Initiation
An original/profitable idea is recognized, and a cost justification is made
Initial security objectives are defined
Functional Design
A project plan is developed
Security activities and checkpoints are identified
Design documentation is developed
Some limited resources are allocated to the project. The security framework is created
The evaluation criteria are identified
The framework of the application is designed, and a prototype of the most critical components is implemented
System Design
System Design Identifies:
Functional model
Behavior model
Informational model
Key output
Data design
Procedural design
Architectural design
Key Decisions made
Access Controls
Rights and permissions
Encryption algorithms
Software Development and Coding
Three main actions, each to be performed by different groups
Testing
Validation
Coding
The code is written by programmers in this phase.
Software should be tested in same environment where it will be used
Backdoors (maintenance hooks) are sometimes left behind by developers; they must be removed before release.
Using modular coding makes changes easier
Making sure no vulnerable function calls are used
Use dynamic code analysis to detect dependencies
Take advantage of peer code review
Use design and architectural patterns to cover recurring software limitations or vulnerabilities
Two modular coding concepts:
High cohesion: the functions performed by a module are related and clearly defined
Low coupling: a module is not dependent on another module, so changes in one module do not require changes in another
Each task in this phase (coding, testing, and validation) should be performed by a different group.
Software Installation and Implementation
Formal functional testing is performed by users
All bugs, vulnerabilities, and risks should be evaluated and documented
User guides and operational manuals are created
Certification, accreditation, and auditing are performed
Release
The application is released
Bugs that shipped in the release are discovered by attackers and researchers
The discoverers publish the bugs and make them known to the public
Vendors develop and release patches
Application users install the patches on their systems
Attackers continue to discover vulnerabilities, sometimes introduced by the patch itself. The cycle frequently repeats, starting at step two, until the application is no longer in production
Software should always be released to a librarian for disposition into production
Operations and Maintenance
As the software is operating in a live environment, operational testing and maintenance should be conducted
Different types of maintenance, such as patching and changes, might be necessary as the application evolves over time
Security functions should remain intact in order to efficiently respond to update requirements
Security-related patches and upgrades should be applied to a system as quickly as possible
End of Life
Implementation of disposal
Archiving
Overwriting
Destroying
The primary purpose of SDLC management concepts is to increase the quality of software, both from a functional and a security perspective
Change Control:
Change control is necessary any time a production system is altered
Developers must be isolated from production.
Changes must be thoroughly documented
Security techniques must be implemented at all stages of the process
General Steps:
Recognize a need
Submit a request
Start a feasibility analysis that includes:
Technical feasibility
Cost justification
Security Review
Document the change plan
Approach management for approval
Submit the change plan to developers. Developers will then perform the coding for the change
Test the change for conformance to the plan and for security purposes
Document the change
Release the new revision to production through the librarian
Software Development Models
Ad Hoc
The most qualified developers are given a project without a consistent team, funding or schedule
Should be used as a last alternative
Waterfall Planning
Sequential in layout.
Consists of phases and each phase contains a series of instructions that must be executed and documented before the next phase can begin
Requirements
Design
Implementation
Testing
Deployment
Maintenance
Structured Programming
A method that gives programmers optimal control over coherence, security, accuracy, and comprehensibility.
Uses layering, modularity, and segmenting in its method and usually requires processes to be defined and each sequence or phase to be reviewed
One of the most widely used models
Prototype
Iterative model developed to combat the weaknesses of waterfall-based models. A segment of code is prototyped and tested using 4-steps:
Definition of initial concept
Implementation of initial prototype
Refinement of prototype until functional
Complete and release the final version
Spiral
A mix of waterfall model and the prototype model in which a prototype is developed and tested using the waterfall method.
Method also includes risk assessment.
Clean Room
Used for developing high-quality software. All levels of development are tested for bugs and defects with the goal of finding problems before they can mature
Extreme Programming
Values simplicity, feedback, courage, and communication
Simplifies planning to bring the entire team of developers, managers, and customers together so that adequate feedback and evaluations can be provided.
Object-Oriented Programming
Based on the organization of objects rather than actions
Objects can be reused
Computer-Aided Software Engineering (CASE)
Method of using computers to help with the systematic analysis, development, design, and implementation of software.
Security Basics
Understanding Attacks
Threat Agents
Internal
Authorized individuals that exploit their inherent privileges to carry out an attack.
Employees
Former and Current
Janitors, Security Guards, Customers
External
Any individual or group that attacks a network from the outside and seeks to gain unauthorized access to data
Persistent
Seek to gain access to a network and remain there undetected.
Non-Persistent
Only concerned with getting into a system and stealing information. Usually a one-time event.
OSINT
Open-Source intelligence
Media
Newspapers
Magazines
Advertisements
Internet
Public Government Data
Professional and academic publications
Information that is readily available to the public and doesn't require any type of malicious activity to obtain.
Threat Actor
Insider
An individual who has authorized access to an organization and either intentionally/unintentionally carries out an attack.
Solutions/Prevention
Require Mandatory vacations
Principle of least privilege
Appropriate physical security
Require Role-based Security Training
Data owner
System Administrator
System Owner
User
Privileged user
Executive user
Script-Kiddie
An individual who carries out an attack using tools created by more advanced hackers.
Organized Crime
A group of cybercriminals whose main goal is financial gain.
Nation State
Competitor
Hacktivist
Attacks are politically motivated
Vulnerability
Improper Input Handling
Improper Error Handling
Improperly Configured Accounts
Vulnerable Business Process
Weak Cipher Suites and Implementations
Improper Certificate and Key Management
Attack and Defense Strategy
Reconnaissance
The process of gathering information about an organization.
System hardware information.
Network configuration
Individual user information
Social Engineering
The process of manipulating others to give you sensitive information
Technical
Technical approach of using software or utilities to find vulnerabilities.
Breach
Penetration of system defenses to gain unauthorized access, using the information gathered during reconnaissance.
Escalate Privileges
Obtaining rights beyond those gained in the initial breach, up to administrator or root, so the attacker can do more than the compromised account allows
Create a Backdoor
An alternative way into an application or operating system that lets the attacker return without repeating the breach; maintenance hooks left in software by developers serve the same purpose and are equally dangerous
Stage
Preparing to perform additional tasks in the attack, such as installing software designed to attack other systems
Exploit
Takes advantage of known vulnerabilities in software and systems.
Stealing information
Denying services
Crashing systems
Modifying/altering information
General Defense Methodologies
Layering
Implementing multiple security strategies to protect the same asset.
No layer of security is entirely secure. Eliminate single points of failure.
Principle of Least Privilege
Users or groups are given only the access they need to do their job and nothing more.
It is easier to give users more access when needed than to take away privileges that have been granted.
Variety
Defensive layers should have variety and be diverse.
Randomness
The constant change in personal habits and passwords to prevent anticipated events and exploitation.
Simplicity
Solutions cannot be so complex that you don't understand how to implement them.
Defense Planning
Security Layers (Layered Security)
Policies, Procedures, and Awareness
Includes user education, manageable network plans, and employee onboarding and off-boarding procedures
Physical
Includes fences, door locks, mantraps, turnstiles, device locks, server cages, cameras, motion detectors, and environmental controls.
perimeter
Includes firewalls using ACLs and securing the wireless network.
Network
Includes the installation and configuration of switches and routers, implementation of VLANs, penetration testing, and virtualization use.
Host
Includes each individual workstation, laptop, and mobile device. The host layer covers log management, OS hardening, patch management and implementation, auditing, and defenses against malware and password attacks.
Application
Includes authentication and authorization, user management, group policies, and web application security.
Data
Includes storing data properly, destroying data, classifying data, cryptography, and data transmission security
Access Control
Principle of Least Privilege
Users or groups are given only the access they need to do their job (And nothing more)
Implicit Deny
Weakest
Users or groups who are not specifically given access to a resource are denied access.
Explicit Allow
Moderate
Specifically identifies users or groups who have access
Explicit Deny
Strongest
Identifies users or groups who are not allowed access.
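Added example (not from the original notes) showing the three rule types above evaluated in order of strength: a matching explicit deny overrides everything, an explicit allow grants access, and anything left unmatched falls to implicit deny. The ACL, users, groups and share paths are constructed.

```python
"""Evaluate access requests against an ACL with explicit deny, explicit allow
and implicit deny. Added example (not from the original notes); the users,
groups, resources and rules are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    principal: str      # user name, or "group:<name>"
    resource: str       # resource path; a trailing "*" matches a prefix
    action: str         # "read", "write", ... ("*" matches any action)
    effect: str         # "allow" or "deny"

    def matches(self, user: str, groups: set[str], resource: str, action: str) -> bool:
        subject_ok = self.principal == user or (
            self.principal.startswith("group:") and self.principal[6:] in groups)
        if self.resource.endswith("*"):
            resource_ok = resource.startswith(self.resource[:-1])
        else:
            resource_ok = resource == self.resource
        return subject_ok and resource_ok and self.action in ("*", action)


def decide(rules: list[Rule], user: str, groups: set[str], resource: str, action: str) -> tuple[bool, str]:
    """Return (allowed, reason). Precedence, strongest first:
    1. a matching explicit deny always wins,
    2. otherwise a matching explicit allow grants access,
    3. otherwise implicit deny: nothing matched, so access is refused."""
    matched = [r for r in rules if r.matches(user, groups, resource, action)]
    if any(r.effect == "deny" for r in matched):
        return False, "explicit deny"
    if any(r.effect == "allow" for r in matched):
        return True, "explicit allow"
    return False, "implicit deny"


# Constructed ACL for a file share.
ACL = [
    Rule("group:finance", "/shares/finance/*", "read", "allow"),
    Rule("group:finance-leads", "/shares/finance/*", "write", "allow"),
    Rule("group:contractors", "/shares/finance/*", "*", "deny"),    # wins even for finance members
    Rule("alice", "/shares/finance/payroll.xlsx", "read", "deny"),  # carve-out for one user
]

GROUPS = {
    "alice": {"finance"},
    "bob": {"finance", "finance-leads"},
    "carol": {"finance", "contractors"},
    "dave": set(),
}

if __name__ == "__main__":
    for user, res, act in [
        ("alice", "/shares/finance/budget.xlsx", "read"),
        ("alice", "/shares/finance/payroll.xlsx", "read"),
        ("bob", "/shares/finance/budget.xlsx", "write"),
        ("carol", "/shares/finance/budget.xlsx", "read"),
        ("dave", "/shares/finance/budget.xlsx", "read"),
        ("bob", "/shares/hr/reviews.docx", "read"),
    ]:
        ok, why = decide(ACL, user, GROUPS[user], res, act)
        print(f"{user:<6} {act:<5} {res:<32} -> {'ALLOW' if ok else 'DENY':<5} ({why})")
```

Implicit deny is the weakest rule only in the sense that it never has to be written; it is what protects the HR share from bob and the finance share from dave without anyone having listed them. Explicit deny is the strongest because carol's finance membership cannot override her contractor deny.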
Need to Know
Describes the restriction of data that is highly sensitive and is usually referenced in government and military
Separation of Duties
Concept of having more than one person required to complete the task
Reduces conflicts of interest
Job Rotation
Users are cross-trained in multiple job positions, and where responsibilities are regularly rotated between personnel
Cross trains staff in different functional areas in order to detect fraud
Exchanges positions of two or more employees to allow for an oversight of past transactions
Defense in Depth
Relies on multiple access control methods instead of a single method.
Identification
The act of claiming an identity.
Identification by itself is not very secure.
Authentication
The process of proving a claimed identity, confirming a user is who they say they are. Multi-factor authentication requires evidence from two or more of the categories below (two passwords are still a single factor)
5 Categories (factors)
Something you are
Something you have
Something you know
Somewhere you are
Something you do
Mutual Authentication
When two communicating entities authenticate each other before exchanging data.
Requires Server to authenticate user and user to authenticate server
Transitive Trust
The concept that trust is hierarchical.
If A trusts B, and B trusts C, Then A trusts C.
Microsoft Active Directory
Authentication, Authorization, and Accounting (AAA)
Authentication verifies a user's identity.
Authorization is the process of determining whether an authenticated user has permission to carry out a specific task or access a system resource
Accounting tracks the actions of an authenticated user, including access to files and other user activities on the system
End-of-life Procedures
Media reserved for reuse in the same security environment
Clear: overwrite the whole disk (for example with 0's) so the data cannot be recovered with ordinary software tools; the drive remains usable
Media reserved for use in a different security environment
Purge: sanitize so the data cannot be recovered even with laboratory techniques
Degaussing - apply a strong magnetic field; works only on magnetic media (not SSDs or flash) and normally leaves the drive unusable
Overwriting with random data, or cryptographic erase (destroying the key of a self-encrypting drive); multi-pass schemes such as 7 passes come from older standards, and current guidance (NIST SP 800-88) treats one verified full overwrite as sufficient for modern drives
Media that has reached the end of its useful life.
Destroy the media
Crushing, incineration, chemical (acid) destruction, shredding
Cryptography Basics
Cryptography
The science of converting data into a secret code to hide a message's meaning during transmission.
Confidentiality by ensuring that only authorized parties can access data
Integrity by verifying that data has not been altered in transit
Authentication by proving the identity of the sender or receiver
Non-repudiation by validating that communications have come from a particular sender at a particular time
Plaintext
The readable form of an encrypted message
Cleartext is information that will not be encrypted
Plaintext is information that will eventually be input into an encryption algorithm
Key
A variable supplied to the cipher (algorithm) that determines how a message is encrypted or decrypted. (Should be kept secret)
Ciphertext
The encrypted form of a message that makes it unreadable to all but those the message is intended for.
Algorithm
A cipher or algorithm is the process or formula used to convert a message or otherwise hide its meaning
Transposition cipher (Anagram)
Changes the position of the characters in the plaintext message
Substitution cipher
Replaces one set of characters with symbols or another character set. A code substitutes hidden words with unrelated terms
One-time pad
A method in which plaintext is converted to binary and combined (XORed) with a truly random key that is at least as long as the message and is never reused. (A form of substitution; unbreakable only while all three conditions hold)
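Added example (not from the original notes) implementing the three cipher families above: a shift substitution, a columnar transposition, and an XOR one-time pad. It also shows the pad's failure mode: when a pad is reused, XORing the two ciphertexts cancels the key and leaks the XOR of the plaintexts. Messages and keys are constructed.

```python
"""Substitution, transposition and one-time pad, plus the classic failure of
the pad: reusing it leaks the XOR of two plaintexts.
Added example (not from the original notes); messages and keys are constructed.
"""
import os
import string

ALPHA = string.ascii_uppercase


def substitute(text: str, shift: int) -> str:
    """Shift (Caesar) substitution over A-Z; other characters pass through.
    Each letter is replaced, but letters keep their positions."""
    table = str.maketrans(ALPHA, ALPHA[shift % 26:] + ALPHA[:shift % 26])
    return text.upper().translate(table)


def transpose(text: str, key: str) -> str:
    """Columnar transposition: write the text in rows of len(key) columns and
    read the columns out in alphabetical order of the key letters. Characters
    are unchanged; only their positions move (an anagram of the plaintext)."""
    text = text.replace(" ", "").upper()
    width = len(key)
    padded = text + "X" * (-len(text) % width)
    rows = [padded[i:i + width] for i in range(0, len(padded), width)]
    order = sorted(range(width), key=lambda c: (key[c], c))
    return "".join(row[c] for c in order for row in rows)


def otp(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR each byte with a pad byte. Secure only when the pad is
    truly random, at least as long as the message, and never reused. The same
    function decrypts, because XOR is its own inverse."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """With a reused pad, c1 XOR c2 == p1 XOR p2: the key cancels out, so an
    attacker learns the XOR of the two plaintexts without knowing the pad."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print(substitute("attack at dawn", 3))          # DWWDFN DW GDZQ
    print(transpose("attack at dawn", "ZEBRA"))     # CAXTTXTANADXAKW
    pad = os.urandom(32)
    p1, p2 = b"TRANSFER 100 USD", b"TRANSFER 900 USD"
    c1, c2 = otp(p1, pad), otp(p2, pad)             # the mistake: same pad twice
    assert otp(c1, pad) == p1                       # round trip works
    leak = two_time_pad_leak(c1, c2)
    print([i for i, b in enumerate(leak) if b])    # positions where p1 and p2 differ
    print(bytes(a ^ b for a, b in zip(leak, p1)))   # knowing p1 yields p2 outright
```

The substitution and transposition outputs are the same length as the input and preserve letter frequencies or letter positions respectively, which is what cryptanalysis exploits; the pad leaks nothing at all, right up until it is used twice.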
Encryption
The process of using an algorithm to transform data from plain-text to cipher-text in order to protect the confidentiality, integrity, and authenticity of the message
Decryption
The procedure used to convert data from ciphertext into plaintext
Steganography
Hides a message inside another file or medium so that no one other than the sender and the intended recipient suspects the hidden data exists. The hidden message itself is typically not encrypted (it is cleartext), so steganography conceals existence rather than meaning
Embedding still pictures in a video stream
Hiding text messages or hiding alternate images within a photograph
Watermarking hides data embedded into an image or a file to prove ownership
Microdots are images shrunk down to the size of a period, then included in a seemingly harmless message
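Added example (not from the original notes) of least-significant-bit steganography, the technique behind hiding text inside a photograph. To stay dependency-free it treats a constructed byte buffer as an 8-bit grayscale image; with a real picture the same logic would run over the decoded pixel samples.

```python
"""Least-significant-bit steganography over a raw 8-bit grayscale buffer: the
carrier looks unchanged (each sample moves by at most 1), the hidden text is
plain (not encrypted), and a length header lets the receiver extract it.
Added example, not from the original notes; the "image" is a constructed byte
buffer rather than a real picture so the code runs without image libraries.
"""
import struct


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(carrier: bytes, message: bytes) -> bytes:
    """Replace the LSB of successive carrier bytes with the message bits,
    preceded by a 4-byte big-endian length so extract() knows where to stop."""
    payload = struct.pack(">I", len(message)) + message
    if len(payload) * 8 > len(carrier):
        raise ValueError("carrier too small: need 8 carrier bytes per payload byte")
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(carrier: bytes) -> bytes:
    """Read LSBs back into bytes; the first four bytes give the message length."""
    def read_bytes(start: int, count: int) -> bytes:
        acc = bytearray()
        for b in range(count):
            val = 0
            for k in range(8):
                val = (val << 1) | (carrier[start + b * 8 + k] & 1)
            acc.append(val)
        return bytes(acc)
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    return read_bytes(32, length)


def max_sample_change(a: bytes, b: bytes) -> int:
    """Largest change to any sample; LSB embedding never moves a sample by more than 1."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed 64x64 gradient "image": 4096 grayscale samples.
    image = bytes((x * 4 + y) % 256 for y in range(64) for x in range(64))
    secret = b"meet at the usual place, 21:00"
    stego = embed(image, secret)
    print(extract(stego) == secret, max_sample_change(image, stego))
```

Because the message rides along in cleartext, anyone who suspects the carrier can run extract() and read it; combining steganography with encryption is what gives both concealment and confidentiality.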
Cryptanalysis
The method of recovering original data that has been encrypted without having access to the key used in the encryption process.
Network Monitoring
Logs
A record of events that have occurred on a system
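Added example (not from the original notes) of detection logic run over log records: it parses constructed OpenSSH syslog lines, counts failed logins per source IP inside a sliding window, and raises a higher-severity alert when a success from the same source follows the burst. Hostnames and addresses are fictional.

```python
"""Detection over sample log lines: count failed SSH logins per source within
a sliding window and flag a success that follows a burst of failures.
Added example, not from the original notes. The log lines are constructed in
the OpenSSH syslog format; hosts and addresses are fictional.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:01:02 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
Mar  3 10:01:04 bastion sshd[2212]: Failed password for invalid user test from 203.0.113.9 port 51002 ssh2
Mar  3 10:01:05 bastion sshd[2214]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar  3 10:01:07 bastion sshd[2216]: Failed password for root from 203.0.113.9 port 51006 ssh2
Mar  3 10:01:09 bastion sshd[2218]: Failed password for deploy from 203.0.113.9 port 51008 ssh2
Mar  3 10:01:11 bastion sshd[2220]: Accepted password for deploy from 203.0.113.9 port 51010 ssh2
Mar  3 10:05:00 bastion sshd[2301]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:05:30 bastion sshd[2303]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line: str, year: int = 2024):
    """Return (timestamp, result, user, ip), or None for lines we do not care about.
    Syslog omits the year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(log_text: str, threshold: int = 5, window_s: int = 60) -> list[str]:
    """Alert when a source IP reaches `threshold` failures inside `window_s`
    seconds, and raise a higher-severity alert when a success from that IP
    follows the burst (one of the guesses may have worked)."""
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    bursting: set[str] = set()
    alerts: list[str] = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(f"MEDIUM {ip}: {len(q)} failed logins within {window_s}s")
        elif result == "Accepted":
            if ip in bursting:
                alerts.append(f"HIGH {ip}: successful login as {user} after brute-force burst")
            q.clear()
            bursting.discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single mistyped password followed by a key-based login (the second source) produces nothing, which is the point of the threshold and window: the rule reacts to the pattern, not to any one failed event.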
Load Tester
Simulates a load on a server or service
Throughput Tester
Measures the amount of data that can be transferred through a network or processed by a device.
Tests bandwidth
Packet Sniffer
Captures or records frames that are transmitted on the network
NIC must be in promiscuous mode to capture frames not addressed to the host.
Protocol Analyzer
A packet sniffer that also decodes the captured frames by protocol
Check for specific protocols on a network
Command Line Tools
Commands run from a terminal to determine the condition(s) of a network
Ping
Verifies network connectivity between two nodes
Can also test network latency
netstat
Displays statistical information describing TCP network connections, routing tables, network interfaces, and network protocols
tracert / traceroute
Displays the IP route to a destination host/node
nslookup
Queries a DNS server to obtain the IP address for a given domain name or the domain name for a given IP address.
arp
Display and modify the ARP table entries on the local host
Maps IP addresses to physical MAC addresses on the local network segment
ipconfig
Displays a host's current TCP/IP configuration values and can release/renew DHCP leases and flush the DNS resolver cache
tcpdump
A network sniffer and analyzer.
Displays a description of packet contents on a network interface
nmap
Network scanner used to discover hosts and determine which TCP/UDP ports are open, and optionally to identify the services and operating system behind them.
netcat
A utility that can read and write data across both TCP and UDP network connections
Incident Response
A security incident is an event or series of events resulting from a security policy violation that adversely affects the company's ability to conduct normal business; incident response is the prepared, documented process for detecting, containing, eradicating and recovering from it.
Security Incidents:
Employee errors
Unauthorized acts by employees
Insider Attacks
External intrusion attempts
Virus and harmful code attacks
Unethical gathering of competitive information
Forensic Investigation
Physical Security
Perimeter Security
Network Security
Host Security
Application Security
Data Security