This will expand on some concepts from Course 1, like the eight security domains, delve into NIST’s Risk Management Framework, security audits, and some specific tooling.

Security Domains

Security and Risk Management

Key focus: Defining security goals and objectives, risk mitigation, compliance, business continuity, legal regulations.

  1. By defining security goals and objectives, organizations can reduce risks to critical assets and data
  2. Risk mitigation means having the right procedures and rules in place to reduce the impact of a risk, like a breach
  3. Compliance is the primary method of determining an organization’s internal policies and regulatory requirements
  4. Business continuity refers to an organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans

Asset Security

Key focus: Securing digital and physical assets, related to the storage, maintenance, retention, and destruction of data.

This means SPII/PII should be securely handled and protected, whether stored on a computer, transferred over the internet, or physically collected. It is important to know what data you have and who has access to it to maintain a good security posture.

Security Architecture and Engineering

Key focus: Optimizing data security by ensuring effective tools, systems, and processes are in place to protect assets and data.

One tenet of this is shared responsibility: everybody, including users, takes an active role in addressing security concerns.

Communication and Network Security

Key focus: Managing and securing physical networks/wireless communication.

For example, employees working remotely from public or private spaces and accessing the organization need special attention due to vulnerabilities like insecure Bluetooth connections or public WiFi hotspots. By removing access to those types of networks, or using software to protect data, we can mitigate these risks.

Identity and Access Management (IAM)

Key focus: Access and authorization to keep data secure, making sure users/employees follow established policies to control and manage assets.

This can mean tying activity to an individual user, as opposed to a shared “admin” login, for example. This is helpful for forensic analysis in the event of a breach, helping identify a specific user or an unfamiliar threat actor. Four main components:

  1. Identification (username, access card, biometric data)
  2. Authentication (password, PIN)
  3. Authorization (after confirmation, relates to their level of access)
  4. Accountability (monitoring and recording user actions, login attempts)
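
The four components in one request path, as an added example that is not part of the original notes. The user directory, role names, permissions and audit record fields are constructed for illustration; every record carries an individual username, which is what a shared “admin” login cannot provide.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _hash(password, salt):
    # Salted, slow password hash (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}

# Constructed directory and role permissions (hypothetical names).
USERS = {"alice": make_user("correct horse", "analyst"),
         "bob": make_user("battery staple", "admin")}
PERMISSIONS = {"analyst": {"read_logs"},
               "admin": {"read_logs", "change_firewall"}}
AUDIT_LOG = []

def _record(user, action, outcome):
    # Accountability: failed attempts are recorded as well as successes.
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": user, "action": action, "outcome": outcome})

def perform(username, password, action):
    account = USERS.get(username)                              # 1. identification
    if account is None:
        _record(username, action, "unknown_user")
        return False
    supplied = _hash(password, account["salt"])
    if not hmac.compare_digest(supplied, account["hash"]):     # 2. authentication
        _record(username, action, "bad_password")
        return False
    if action not in PERMISSIONS.get(account["role"], set()):  # 3. authorization
        _record(username, action, "denied")
        return False
    _record(username, action, "allowed")                       # 4. accountability
    return True
```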

Security Assessment and Testing

Key focus: Conducting security testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities.

Evaluates whether a control being used actually achieves organizational security goals. Data analysis may involve various evaluations or reports to improve existing controls or suggest new controls. One example would be suggesting the implementation of multi-factor authentication.

Security Operations

Key focus: Conducting investigations and implementing preventative measures.

Investigations begin the moment an incident has been identified, involving a heightened sense of urgency. A forensic analysis will take place to determine when, why, and how an incident took place. This will allow for the implementation of new measures.

Software Development Security

Key focus: Using secure programming practices.

This may involve a regular security review in each stage of the product development lifecycle, such as secure design review → secure code review → penetration testing when deployed/implemented.

NIST’s RMF (Risk Management Framework)

Seven steps:

  1. Prepare: Activities necessary to manage security and privacy risks before a breach occurs.
  2. Categorize: Develop risk management processes and tasks (think CIA model).
  3. Select: Choose, customize, and capture documentation of the controls that protect an organization, like keeping a playbook up to date.
  4. Implement: Implement security and privacy plans for the organization. E.g. if employees regularly need password resets, a change to password requirements may help solve this issue.
  5. Assess: Analyze the implemented protocols, procedures, and controls that are in place to monitor organizational needs, and determine whether they should be changed.
  6. Authorize: Be accountable for the security and privacy risks that may exist. This involves generating reports, developing plans of action, and establishing project milestones.
  7. Monitor: Be aware of how systems are operating.

  • Threat: A circumstance or event that can negatively impact assets.
  • Risk: Anything that can impact the confidentiality, integrity, and availability of an asset. It indicates the likelihood of a threat.
  • Vulnerability: A weakness that can be exploited by a threat.

NIST’s Cybersecurity Framework

A voluntary framework consisting of standards, guidelines, and best practices to manage security risk. It has 6 core functions: Govern, Identify, Protect, Detect, Respond, and Recover.

Security Frameworks

Frameworks are guidelines used for building plans that implement security controls.

Controls

3 types come to mind:

  1. Encryption (ensures confidentiality, converting readable data to encoded data)
  2. Authentication (MFA, biometrics, username/password)
  3. Authorization (granting specific access to specific resources within a system)

Others include fences/gates, CCTV, guards, firewalls, and antivirus.

Six Functions

  • Govern: The newest function, added in CSF 2.0, emphasizing strong “Governance”: setting clear cybersecurity objectives, implementing a comprehensive risk management strategy, and continuously improving cybersecurity performance.
  • Identify: Understanding an organization’s risks, assets, and policies to proactively monitor systems and identify potential security issues before they occur.
  • Protect: Strategy used to protect an organization through implementation of policies. Can mean analyzing data to implement new policies/safeguards.
  • Detect: Identify potential incidents as they occur and improve monitoring capabilities.
  • Respond: Step through the proper procedures to contain, neutralize, and analyze security incidents.
  • Recover: The process of returning affected systems back to normal operation

SP 800-53

An expansion of NIST’s CSF framework with specific regard to the U.S. federal government. This includes systems provided by private companies for federal use. It is important to understand the additional requirements of this framework when observing federal systems.

OWASP Principles

Referring to the Open Web Application Security Project.

  • Minimize attack surface area: In other words, have fewer pathways for attackers to attempt to exploit. A common rule of thumb is fewer features == fewer attack vectors.
  • Principle of least privilege: Users have only the least amount of privilege they need to perform their tasks.
  • Defense in depth: An organization should have multiple security controls that address risks and threats in different ways.
  • Separation of duties: Nobody should be given comprehensive privileges; “checks and balances.”
  • Keep security simple: Avoid overengineered solutions that inhibit collaboration or are difficult to manage.
  • Fix security issues correctly: Conduct tests to ensure the repairs are successful
  • Establish secure defaults: The optimal state of a security application is also the default state for users.
  • Fail securely: When a control fails or stops, it should default to the most secure option. E.g. if a firewall fails it should block all connections rather than start accepting everything.
  • Don’t trust services: 3rd party vendors cannot be trusted to hold the same security standards as you. Work with this in mind: security can be compromised at every stage of the process.
  • Avoid security by obscurity: Avoid relying on hiding vulnerabilities rather than implementing direct security measures.
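
The “fail securely” item above, shown as a weak and a hardened version of the same connection check. This is an added example, not part of the original notes; the rule set, function names and the simulated policy-store outage are hypothetical.

```python
class PolicyBackendError(Exception):
    """Raised when the (hypothetical) policy store cannot be reached."""

# Constructed allow-list: (source network prefix, destination port).
ALLOW_RULES = {("10.0.", 443), ("10.0.", 22)}

def lookup_rule(src_ip, dst_port, backend_up=True):
    """Stand-in for a policy lookup that can fail at runtime."""
    if not backend_up:
        raise PolicyBackendError("policy store unreachable")
    return any(src_ip.startswith(prefix) and dst_port == port
               for prefix, port in ALLOW_RULES)

def allow_fail_open(src_ip, dst_port, backend_up=True):
    """Weak: a failure of the control is treated as 'allow'."""
    try:
        return lookup_rule(src_ip, dst_port, backend_up)
    except PolicyBackendError:
        return True   # control is down, so every connection gets through

def allow_fail_closed(src_ip, dst_port, backend_up=True):
    """Hardened: any failure, expected or not, results in 'deny'."""
    decision = False  # secure default
    try:
        decision = lookup_rule(src_ip, dst_port, backend_up) is True
    except Exception:
        decision = False  # outage or malformed input: block the connection
    return decision
```

The hardened version also denies on errors it did not anticipate, such as a missing source address, instead of letting the exception decide the outcome.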

Security Audits

A review of an organization’s security posture. Two types: Internal and External.

An internal audit helps security teams identify organizational risk, assess controls, and correct compliance issues. It commonly includes the following elements:

  • Establishing scope and goals of the audit
    • List assets that will be assessed
    • Indicate how often the audit should be performed
    • Note how the audit will help the organization achieve its desired goals
  • Conducting a risk assessment of assets (budget, controls in place, internal processes, regulations, etc.)
  • Completing a controls assessment
  • Assessing compliance
  • Conducting the audit
  • Creating a mitigation plan
  • Communicating results to stakeholders

Example

Scope: The internal audit will assess the following:

  • Assess user permissions
  • Identify existing controls, policies, and procedures
  • Account for technology currently in use

Goals: The goals for the audit are:

  • Adhere to the NIST CSF
  • Establish policies and procedures to comply with regulations
  • Fortify system controls

Log Types

  • Network Log: Record of all connections between devices and servers on the network
  • Firewall Log: A record of attempted or established connections for incoming traffic from the internet
  • Server Log: A record of events related to services such as websites, emails, or file shares

Security orchestration, automation, and response (SOAR): A collection of applications, tools, and workflows that use automation to respond to security events

SIEM Tools

Can be self-hosted, cloud-hosted, or a hybrid solution that leverages the benefits of both. Common tools: Splunk Enterprise, Splunk Cloud, and Chronicle. Benefits of a cloud-hosted tool may include scalability, flexibility, and availability.

Splunk

A data analysis platform, with Splunk Enterprise serving as a self-hosted SIEM solution. It searches an organization’s log data to provide security information and alerts in real time. Splunk Cloud collects, searches, and monitors log data. Here are some dashboards it has:

  • Security posture dashboard: Designed for security operations centers, it displays the last 24 hours (or more) of an organization’s notable security-related events, allowing determination of whether security infrastructure and policies are performing as designed. Security analysts can monitor this dashboard in real time, such as for monitoring a suspicious IP address.
  • Incident review dashboard: Highlights risky items or incidents that need immediate review by an analyst. Can provide a timeline of events leading up to an incident.
  • Risk analysis dashboard: Helps analysts identify risk for each risk object (specific user, computer, IP address, etc.), showing changes in risk-related behavior like a user logging in outside of business hours or larger than normal traffic.
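
The kind of per-risk-object scoring the risk analysis dashboard surfaces, sketched over a few constructed events. This is an added example and not Splunk’s own logic; the business hours, point values, z-score threshold and all sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 local time

# Constructed sample events: (timestamp, user, event type, bytes transferred)
EVENTS = [
    ("2024-05-06T09:12:00", "alice", "login", 0),
    ("2024-05-06T09:30:00", "alice", "transfer", 1_200_000),
    ("2024-05-06T10:05:00", "bob", "login", 0),
    ("2024-05-06T10:20:00", "bob", "transfer", 900_000),
    ("2024-05-07T02:47:00", "bob", "login", 0),
    ("2024-05-07T02:55:00", "bob", "transfer", 48_000_000),
]

# Constructed per-user history of earlier transfer sizes, in bytes.
BASELINE = {
    "alice": [1_000_000, 1_100_000, 1_300_000, 900_000],
    "bob": [800_000, 1_000_000, 950_000, 1_050_000],
}

def score_risk_objects(events, baseline, z_threshold=3.0):
    """Return {user: [(points, reason), ...]} for behaviour outside the norm."""
    findings = defaultdict(list)
    for ts, user, kind, size in events:
        when = datetime.fromisoformat(ts)
        if kind == "login" and when.hour not in BUSINESS_HOURS:
            findings[user].append((40, f"login outside business hours at {ts}"))
        if kind == "transfer":
            history = baseline.get(user, [])
            if len(history) < 2:
                continue  # too little history to call anything abnormal
            mu, sigma = mean(history), pstdev(history)
            # Flag only transfers far above this user's own normal volume.
            if sigma and (size - mu) / sigma > z_threshold:
                findings[user].append((60, f"transfer of {size} bytes above normal"))
    return dict(findings)

def total_risk(findings):
    """Sum the points per risk object so analysts can rank them."""
    return {user: sum(points for points, _ in items)
            for user, items in findings.items()}
```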

Chronicle (by Google)

A cloud-native tool designed to retain, analyze, and search data. It provides log monitoring, data analysis, and data collection. Here are some dashboards it has:

  • Enterprise insights dashboard: Highlights recent alerts, like suspicious domain names in logs. Each incident is labeled with a confidence score to indicate the likelihood of a threat. An analyst might use this to monitor login or data access attempts related to a critical asset from unusual locations.
  • Data ingestion and health dashboard: Number of event logs, log sources, and success rates of data processed into Chronicle. An analyst might use this to ensure log sources are correctly configured and that logs are received without error.
  • IOC matches dashboard: Indicates top threats, risks, and vulnerabilities to the organization. Analysts might use this to search for additional activity related to an alert.
  • Main dashboard: Provides a high level summary related to other dashboards
  • Rule detections dashboard: Provides statistics related to incidents, showing which rules triggered various alerts so that rules can be modified to improve monitoring.
  • User sign in overview: Provides information about user access behavior across an organization

Playbooks

A manual that provides details about any operational action. They help maintain urgency, efficiency, and accuracy to quickly identify and mitigate a security threat.

Incident Response Playbook

A common playbook with six phases:

  1. Preparation: Prepare to mitigate the likelihood, risk, and impact of a security risk by documenting procedures, establishing staffing plans, and educating users.
  2. Detection and analysis: Detect and analyze events using defined processes and tech.
  3. Containment: Prevent further damage and reduce immediate impact of a security incident.
  4. Eradication and recovery: Complete removal of an incident’s artifacts (e.g. malicious code) and restoration to a normal state.
  5. Post-incident activity: Documenting the incident, informing leadership, and applying lessons learned. This may result in anything from a minor to major incident analysis.
  6. Coordination: Reporting incidents and sharing information throughout the process