Module 3: Key security concepts

Question 1

CIA Triad - Confidentiality
* Confidentiality is used to prevent any disclosure of data without prior authorization by the owner
* We can force confidentiality with encryption
* Elements such as authentication, access controls, physical security and permissions are normally used to enforce confidentiality

Answer 1

CIA Triad - Integrity
* Normally implemented to verify and validate if the information that we sent or received has not been modified by an unauthorized person, so that information has not been tampered with in transit
* We can implement technical controls such as mathematical encryption algorithms, called hashes

CIA Triad - Availability
* The basic principle is that we need to ensure that information and data are always available when needed
* Technical implementations: RAIDs, Clusters, ISP Redundancy, BackUps

Non-Repudiation - How does it apply to CIA?

• Non-Repudiation is about a valid proof of the identity of the data sender or receiver that has not been altered. How can we ensure that the person who says he is X is indeed X, and not an attacker?
• Technical implementations: digital signatures, logs

Question 2

Access Management:
* Access criteria: groups, timeframe and specific dates (eg Mon to Fri), physical location, transaction type
* “Need to know”: just allow to access info needed for this role
* Single sign-on (SSO)

Authentication concepts:
* Identity proof
* Kerberos (SSO)
* Mutual authentication (MS-CHAP v2)
* SID’s vs DACL’s (security ID, discretionary access control list)

Answer 2

Incident Response - key components:
1. Event: it is an observed change to the normal behavior of a system, process, environment, workflow, or person; examples: firewall policy was updated or login
2. Incident: it is an event that negatively affects confidentiality, integrity or availability (CIA) at an organization that impacts the business
3. Response team: it is a team that receives the reports of security breaches, conducts analyses and responds to sender, this team can be an established group or an ad-hoc assembly
4. Investigation: it seeks to determine the circumstances of the incident, every incident will warrant an investigation, collect evidence, keep in mind the chain of custody

Question 3

Key Concepts - Incident Response

1. E-Discovery: data inventory helps to understand the current tech status, data classification, understand how to control data retention and backup
2. Automated systems
3. BCP ( Business Continuity Plan) and Disaster recovery: understand whether the incident will trigger BCP or Disaster Recovery
4. Post-incident Root-Cause analysis: understand the difference between error, problem and isolated incident

Answer 3

Incident Response Process - 3 phases (created by Crest)

1. Prepare
2. Respond
3. Follow up

CREST is an international not-for-profit, membership body representing the global cyber security industry, established in 2006.

https://www.crest-approved.org/

Question 4

Introduction to Frameworks and Best Practices

Security standards and compliance:
1. Best practices, baselines and frameworks
2. Normative and compliance

Answer 4

IT Governance Process:
1. Policies: how users access Internet, what they can and cannot do
2. Procedures: eg what a new user should do to access Internet
3. Strategic and tactical plans
4. Others

Question 5

Cybersecurity Compliance and Audits (internal and external)

Compliance and Normative regulations that most organisations need to implement:
1. SOX: financial compliance
2. HIPPA: privacy of patients’ data in healthcare
3. GLBA: finance
4. PCI/DSS: management of credit cards on your server

Audits: Octave method
www.cert.org/octave

Answer 5

Pentest Process (ethical hacking) and Mile 2 CPTE Training

Pentest is a method of evaluating computer and network security by simulating an attack on a computer system or network from external or internal threats.

OWASP framework
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. The OWASP Foundation launched on December 1st, 2001, becoming incorporated as a United States non-profit charity on April 21, 2004.

Question 6

National Institute of Standards & Technology (NIST)

https://www.nist.gov/
https://www.nist.gov/itl/applied-cybersecurity/nice
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf