Play It Safe: Manage Security Risks - Coggle Diagram
Security Posture
Security posture refers to an organization's ability to manage its defense of critical assets and data and to react to change. Security teams use the CISSP security domains to organize and establish their security posture.
CISSP Security Domains
Security Architecture & Engineering
Optimizing Data Security
Shared Responsibility
Communication & Network Security
Managing & Securing Physical Networks
Managing & Securing Wireless Communications
Identity & Access Management
Access & Authorization
Identification
Authentication
Authorization
Accountability
Security Assessment & Testing
Security Control Testing
Help identify new & better ways to mitigate threats, risks, and vulnerabilities (TRVs)
Collecting & Analyzing Data
Conducting Security Audits
Security Operations
Conducting Investigations
Mitigating the attack and preventing it from escalating further is essential
The collection of digital and physical evidence to conduct a forensic investigation
Implementing Preventative Measures
Software Development Security
Secure Coding Practices
Guidelines to Create Secure Applications & Services
Security is an essential step in the Software Development Lifecycle
Asset Security
Securing Digital & Physical Assets
Storage, Maintenance, Retention, and Destruction of Data
Security & Risk Management
Defining Security Goals and Objectives
Risk Mitigation
Compliance
Business Continuity
Following Legal Regulations
Maintaining Professional and Organizational Ethics
Threats, Risks & Vulnerabilities
Threats
Any circumstance or event that can negatively impact assets.
Insider threats
Advanced persistent threats (APTs)
Risks
Anything that can impact the Confidentiality, Integrity, or Availability of an asset.
Risk Levels
Low Risk
Information that would not harm the organization's reputation or ongoing operations.
Medium Risk
May cause some damage to the organization's finances, reputation, or ongoing operations.
High Risk
Any information protected by regulations or laws.
Would have a severe negative impact on an organization's finances, ongoing operations, or reputation.
Risk Factors
External Risk
Internal Risk
Legacy Systems
Multiparty Risk
Software Compliance/Licensing
Vulnerabilities
A weakness that can be exploited by a threat.
ProxyLogon
ZeroLogon
Log4Shell
PetitPotam
Security Logging & Monitoring Failures
Server-Side Request Forgery
Three Key Impacts
Financial Impact
Interrupted Production & Services
Cost to Correct the Issue
Fines because of Non-Compliance with Laws & Regulations
Identity Theft
Storing Sensitive Data is Risky
PII can be Sold or Leaked on the Dark Web
Decide on Storage Duration for Private Sensitive Data
Reputation Damage
May cause Loss of Customers to Competitors
Can Create Bad Press
May Result in Legal Penalties & Fines
Frameworks & Controls
Support an organization’s ability to meet security goals and comply with laws and regulations.
Security Frameworks
Guidelines used for building plans to help mitigate risk and threats to data and privacy.
Cyber Threat Framework (CTF)
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001
Security Controls
Safeguards designed to reduce specific security risks.
Used alongside frameworks to reduce the possibility & impact of security TRVs.
Physical Controls
Gates, Fences & Locks
Security Guards
CCTV & Motion Detectors
Access Cards
Technical Controls
Firewalls
MFA
Antivirus Software
Administrative Controls
Separation of Duties
Authorization
Asset Classification
Encryption
The process of converting data from a readable format to an encoded format (from plaintext to ciphertext).
Ciphertext is the raw, encoded message that's unreadable to humans and computers.
Authentication
Authentication is the process of verifying who someone or something is.
MFA
OTP
Biometrics
Fingerprint
Voice
Vishing
Face Scan
Eye Scan
Palm Scan
Username/Password
Authorization
The concept of granting permission or access to specific resources within a system.
CIA Triad
A core security model that helps organizations manage security risks and maintain a strong security posture.
Confidentiality
Only authorized users can access specific assets or data.
Integrity
The data is correct, authentic, and reliable.
Availability
The data is accessible to those who are authorized to access it.
NIST Frameworks
NIST Risk Management Framework (RMF)
Prepare
Activities that are necessary to manage security and privacy risks before a breach occurs.
Categorize
Used to develop risk management processes and tasks that address impacts on system confidentiality, integrity, and availability.
Select
Choose, customize, and capture documentation of the controls that protect an organization. (Ex. Keeping a Playbook up to date)
Implement
Implement security and privacy plans for the organization.
Assess
Determine if established controls are implemented correctly.
Authorize
Being accountable for the security and privacy risks that may exist in an organization.
Monitor
To be aware of how systems are operating.
NIST Cybersecurity Framework (CSF)
Identify
The management of cybersecurity risk and its effect on an organization's people and assets.
Protect
The strategy used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats.
Detect
Identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections.
Respond
Making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process.
Recover
The process of returning affected systems back to normal operation.
OWASP Security Principles
Minimize Attack Surface Area
Attack surface refers to all the potential vulnerabilities a threat actor could exploit.
Principle of Least Privilege
Users have the least amount of access required to perform their everyday tasks.
Defense in Depth
Organizations should have varying security controls that mitigate risks and threats.
Separation of Duties
Critical actions should rely on multiple people, each of whom follows the principle of least privilege.
Keep Security Simple
Avoid unnecessarily complicated solutions. Complexity makes security difficult.
Fix Security Issues Correctly
When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.
Establish Secure Defaults
The application’s default state should be its most secure state, requiring extra effort to make it insecure.
Fail Securely
When a control fails, it defaults to the most secure option. For instance, if a firewall fails, it should block all connections rather than allow unrestricted access.
Don’t Trust Services
Organizations shouldn’t fully trust third-party partners' security. For instance, an airline should verify a vendor’s reward points data before sharing it with customers.
Avoid Security by Obscurity
Key systems’ security shouldn’t depend on secrecy. Instead, it should rely on strong passwords, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.
Web Layers
Surface Web
The layer that most people use with a web browser.
Deep Web
Generally requires authorization to access it (Ex. Intranet).
Dark Web
Can only be accessed by using special software.
Risk Management
A primary goal of organizations is to protect assets.
Digital Assets
Social Security Numbers (SSNs)
Dates of birth
Bank Account Numbers
Mailing Addresses
Physical Assets
Payment Kiosks
Servers
Desktop Computers
Office Spaces
Strategies to Manage Risks
Acceptance
Accepting a risk to avoid disrupting business continuity.
Avoidance
Creating a plan to avoid the risk altogether.
Transference
Transferring risk to a third party to manage.
Mitigation
Lessening the impact of a known risk
Security Audits
Internal
Used to help improve an organization's security posture and help organizations avoid fines from governing agencies due to a lack of compliance.
Purposes
Identify Organizational Risk
Assess Controls
Correct Compliance Issues
Common Elements
1.0 Establishing the Scope & Goals of the Audit
Scope refers to the specific criteria of an internal security audit. It requires organizations to identify and assess people, assets, policies, procedures, and technologies that could impact their security posture.
Goals are an outline of the organization's security objectives, or what they want to achieve in order to improve their security posture.
2.0 Conducting a Risk Assessment
A Risk Assessment identifies the TRVs to monitor and the security measures to implement so that assets stay safe, while also analyzing controls and compliance to improve security posture.
3.0 Audit Questions
a. What is the audit meant to achieve?
b. Which assets are most at risk?
c. Are current controls sufficient to protect those assets?
d. If not, what controls and compliance regulations need to be implemented?
3.1 Completing a Controls Assessment
A Controls Assessment involves closely reviewing an organization's existing assets, then evaluating potential risks to those assets, to ensure internal controls and processes are effective. There are three main categories of controls to review during an audit:
Control Categories
Technical Controls
Are hardware and software solutions used to protect assets, such as the use of intrusion detection systems (IDSs) and encryption.
IDS/IPS
Encryption
Firewall
Backups
Password Management
Antivirus (AV) Software
Manual Monitoring, Maintenance & Intervention
Physical Controls
Refer to measures put in place to prevent physical access to protected assets, such as surveillance cameras and locks.
Time-Controlled Safe
Adequate Lighting
Closed-Circuit Television (CCTV)
Locking Cabinets (For Network Gear)
Signage Indicating Alarm Service Provider
Locks
Fire Detection & Prevention (Fire Alarm, Sprinkler System, etc.)
Administrative Controls
Are related to the human component of cybersecurity. They include policies and procedures that define how an organization manages data, such as the implementation of password policies.
Password Policies
Access Control Policies
Disaster Recovery Plans
Account Management Policies
Least Privilege
Separation of Duties
Control Types
Corrective
Used to restore an asset after an incident.
Detective
Implemented to determine whether an incident has occurred or is in progress.
Preventative
Designed to prevent an incident from occurring in the first place.
Deterrent
Designed to discourage attacks.
4.0 Assessing Compliance
Assessing Compliance is determining whether or not the organization is adhering to necessary compliance regulations.
5.0 Communicating Results
After an internal security audit, results and recommendations need to be communicated to stakeholders, highlighting risks, urgency, compliance needs, and recommendations to improve security posture.
External
Factors that Affect Audits
Industry Type
Ties to the Applicable Government Regulations
A Business’s Geographical Location
Organization Size
A Business Decision to Adhere to a Specific Regulatory Compliance
Logs & SIEM Tools
Logs
A record of events that occur within an organization's systems and networks.
Firewall Logs
A record of attempted or established connections for incoming traffic from the internet. It also includes outbound requests to the internet from within the network.
Network Logs
A record of all computers and devices that enter and leave the network. It also records connections between devices and services on the network.
Server Logs
A record of events related to services such as websites, emails, or file shares. It includes actions such as login, password, and username requests.
SIEM
An application that collects and analyzes log data to monitor critical activities in an organization.
Real-Time Visibility
Event Monitoring & Analysis
Automated Alerts
Dashboard
Metrics
Key technical attributes used to assess the performance of a software application.
Availability
Response Time
Failure Rate
Types
Cloud-Hosted
Splunk Cloud
Cloud-Native
Chronicle
Self-Hosted
Splunk Enterprise
Hybrid
Splunk Cloud
Automation
Security Orchestration, Automation, and Response (SOAR) is a collection of applications, tools, and workflows that uses automation to respond to security events.
Chronicle
A cloud-native tool designed to retain, analyze, and search data.
It is specifically designed to take full advantage of cloud computing capabilities such as availability, flexibility, and scalability.
IOC Matches Dashboard
Highlights top threats and vulnerabilities, tracking domain, IP, and device IOCs over time. It helps security teams prioritize high-risk threats, such as unusual user logins from uncommon locations.
Main Dashboard
Provides a high-level summary of data ingestion, alerts, and events over time, enabling security teams to track trends like failed login spikes across various sources and locations.
Data Ingestion & Health Dashboard
Tracks event logs, sources, and data processing success rates, helping analysts ensure correct log configurations and error-free data access.
Rule Detections Dashboard
Shows statistics on incidents with the highest occurrences, severities, and detections. Analysts use it to review alerts triggered by specific rules, helping manage recurring incidents and develop risk mitigation strategies.
Enterprise Insights Dashboard
Highlights recent alerts and suspicious domains (IOCs), assigning confidence and severity scores to each threat. Analysts use it to monitor critical asset access attempts from unusual locations or devices.
User Sign in Overview Dashboard
Tracks user access behavior, helping analysts identify unusual activity, such as simultaneous sign-ins from multiple locations, to mitigate threats and risks to user accounts and applications.
Splunk
A tool used to collect, search, and monitor log data.
Helpful for organizations running hybrid or cloud-only environments, where some or all of the organization's services are in the cloud.
Executive Summary Dashboard
Monitors the organization's security health over time, helping teams reduce risk and providing high-level insights on incidents and trends for stakeholders.
Incident Review Dashboard
Helps analysts detect suspicious patterns, highlighting high-risk items for immediate review and offering a visual timeline of events leading to an incident.
Security Posture Dashboard
Designed for SOCs, it displays the past 24 hours of security events, helping analysts assess infrastructure performance and investigate real-time threats like suspicious IP activity.
Risk Analysis Dashboard
Helps analysts assess risk for each object, tracking unusual behaviors like off-hours logins or high traffic. It aids in evaluating vulnerabilities' impact on critical assets, helping prioritize risk mitigation.
Playbook
A manual that provides details about any operational action.
It provides a predefined and up-to-date list of steps to perform when responding to an incident.
Incident Response Playbook
An organization's quick attempt to identify an attack, contain the damage, and correct the effects of a security breach.
Preparation
Before incidents occur, mitigate potential impacts on the organization by documenting, establishing staffing plans, and educating users.
Detection & Analysis
Detect and analyze events by implementing defined processes and appropriate technology.
Containment
Prevent further damage and reduce the immediate impact of incidents.
Eradication & Recovery
Completely remove artifacts of the incident so that an organization can return to normal operations.
Post-Incident Activity
Document the incident, inform organizational leadership, and apply lessons learned.
Coordination
Report incidents and share information throughout the response process, based on established standards.
Team-Specific Playbook
Security Alerts Playbook
Product-Specific Playbook