Comptia CASP Notes – Module 6

December 17, 2016


Integration of Computing, Communications & Business Disciplines
MODULE 6: Organizational Security

Business Unit Collaboration

Identifying and Communicating Security Requirements to Stakeholders from other Areas

  • Sales

    • Create a VPN to separate sales traffic from other business areas

    • Implement remote lock and remote wipe on mobile devices

  • Programmers

    • Periodic training on the latest secure-coding techniques

    • Ensure programmers understand how devices communicate over the network

    • Security awareness training on the flaws they will actually encounter, e.g. buffer overflows and XSS (cross-site scripting)

  • Database Admin

    • Ensure DBAs understand the security requirements; use database views to control visibility (expose only the columns and rows a role needs, and grant access to the view rather than the base table)

    • TDE (Transparent Data Encryption) – protects a database at rest by encrypting the data, log and backup files without changing the existing application; it does not protect data from an authenticated user who can query the running instance

    • Periodically provide training

  • Network Admin

    • Primary concern is protecting data on the network from attackers

    • Ensure all network devices are kept in a secure location (locked racks or closets)

  • Management/ Executive Management (C-level Management)

    • Security awareness training must give a clear understanding of the risks and threats, and of the effect security incidents have on organizational reputation and financial standing

  • Financial Dept

    • Isolate finance systems from all other departments

    • Adopt a clean-desk policy; implement locking screensavers

    • Security awareness training on asset disposal, social engineering and password protection

  • Human Resources

    • Clean-desk policy; training on the laws and regulations that govern the employee data HR handles

  • Emergency Response Team

    • At least one team member trained in digital forensic investigations

    • Specialized training in emergency response and in the team's specialized tools

  • Facilities Manager

    • Needs to understand SCADA (building and industrial control) systems and the importance of keeping them updated
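The "use database views to control visibility" point under Database Admin, as an added example in Python with sqlite3 (not from the notes). The employees table, the two application roles and the sample rows are constructed; sqlite3 has no GRANT/REVOKE, so the authorizer hook stands in for revoking SELECT on the base table while granting it on the views. On a server RDBMS the same design is REVOKE SELECT ON employees and GRANT SELECT ON each view to the role.

```python
"""Database views as a visibility control (added example, sqlite3).

Assumptions not taken from the notes: an 'employees' table holding SSN and
salary, a helpdesk role that may see only a directory, a payroll role that
may see salary but only a masked SSN, and sqlite3's authorizer callback in
place of GRANT/REVOKE.
"""
import sqlite3

SCHEMA = """
CREATE TABLE employees (
    id     INTEGER PRIMARY KEY,
    name   TEXT    NOT NULL,
    dept   TEXT    NOT NULL,
    ssn    TEXT    NOT NULL,
    salary INTEGER NOT NULL,
    active INTEGER NOT NULL
);
-- Helpdesk: directory only. No SSN, no salary, inactive staff hidden.
CREATE VIEW v_directory AS
    SELECT id, name, dept FROM employees WHERE active = 1;
-- Payroll: salary visible, SSN masked to its last four digits.
CREATE VIEW v_payroll AS
    SELECT id, name, '***-**-' || substr(ssn, -4) AS ssn_last4, salary
    FROM employees;
"""

# Constructed sample rows; the people and numbers are fictitious.
SAMPLE_ROWS = [
    (1, "Ada Lovelace", "Engineering", "123-45-6789", 120000, 1),
    (2, "Grace Hopper", "Engineering", "987-65-4321", 135000, 1),
    (3, "Alan Turing",  "Research",    "555-12-3456", 110000, 0),
]

BASE_TABLES = {"employees"}


def deny_direct_table_reads(action, table, column, dbname, source):
    """sqlite3 authorizer: base tables may be read only through a view.

    'source' is the inner-most view (or trigger) performing the read, or
    None when the SQL names the table directly at top level.
    """
    if action == sqlite3.SQLITE_READ and table in BASE_TABLES and source is None:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    # Installed after loading: from here on, reads must go through a view.
    conn.set_authorizer(deny_direct_table_reads)
    return conn


def columns(conn: sqlite3.Connection, relation: str) -> list:
    """Column names a role receives; 'relation' is a code constant, never user input."""
    cur = conn.execute(f"SELECT * FROM {relation} LIMIT 0")
    return [d[0] for d in cur.description]


def helpdesk_directory(conn: sqlite3.Connection) -> list:
    return conn.execute("SELECT id, name, dept FROM v_directory ORDER BY id").fetchall()


def payroll_report(conn: sqlite3.Connection) -> list:
    return conn.execute("SELECT id, ssn_last4, salary FROM v_payroll ORDER BY id").fetchall()


def direct_table_read_blocked(conn: sqlite3.Connection) -> bool:
    """Bypassing the view must fail loudly ('not authorized'), not degrade silently."""
    try:
        conn.execute("SELECT ssn FROM employees")
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("helpdesk columns:", columns(db, "v_directory"))
    print("helpdesk rows:", helpdesk_directory(db))
    print("payroll rows:", payroll_report(db))
    print("direct read of employees blocked:", direct_table_read_blocked(db))
```

The point to take from the authorizer is that a view is only a control when the role cannot reach the base table another way; without the REVOKE (or its equivalent here) the view is documentation, not enforcement.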

Security Controls (Three Types)

  • Administrative or management: policies, procedures, guidelines and training established by management to govern security

  • Logical or technical: software or hardware components used to restrict access, e.g. authentication, ACLs, firewalls, encryption

  • Physical: implemented to protect facilities and personnel, e.g. fences, mantraps, CCTV, locks

Secure Communication and Collaboration

Risk Management of New products

  • Periodically monitor user behaviors

  • Use training to mitigate, deter, and prevent risks

  • Anticipate behaviors by researching trends

Mergers, Demergers, Divestitures

Issues to consider: Rules, Policies, Regulations, Geography

3rd Party Providers

  • Outsourcing agreements must ensure that the information that is entrusted is protected

  • Downstream Liability – the liability an organization carries toward third parties (customers, partners) for harm caused when its security failures are used against them, e.g. its compromised systems are used to attack a partner or expose the partner's data

  • Due Diligence – the organization investigates and understands the security risks it faces (assessments, vendor reviews, monitoring)

  • Due Care – the organization acts on what due diligence found and takes the reasonable steps a prudent organization would take to prevent security issues

  • Contract clauses should detail expected security measures

  • Periodically audit and test to ensure compliance

  • An ISA (Interconnection Security Agreement) should be considered

Impacts of De-perimeterization

  • Telecommuting, Cloud, BYOD, Outsourcing have all extended the boundaries of the organization.

Security Issues with Web Conferencing

  • Data leakage – data resides on a shared (often third-party) server, so there is a greater chance of leakage

  • Uninvited guests – most systems use only a simple access code for entry; eavesdropping by uninvited participants is a risk

  • Data captured en route – use encryption to mitigate the chance of data being captured in transit

  • DoS attack – the conferencing service is a possible DoS target

  • Use non-disclosure agreements with participants

Email – standard messaging protocols, secured with TLS (exam material still says "SSL"; in practice this means TLS 1.2 or later):

  • IMAP – use IMAPS (TCP 993, TLS from the first byte) or STARTTLS on the plain port 143

  • POP3 – use POP3S (TCP 995) or STARTTLS (the STLS command) on port 110

  • SMTP – use SMTPS / message submission over implicit TLS (TCP 465) or STARTTLS on the submission port 587

  • Train users to treat all email with suspicion and provide social-engineering training
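The IMAPS/POP3S/SMTPS ports above, as an added Python example (not from the notes) that shows implicit TLS beside the STARTTLS upgrade for each protocol and the check a practitioner should make first: the standard-library *_SSL classes build a context that does not verify the server certificate when none is passed, so a hardened context must be supplied explicitly. The host names are placeholders.

```python
"""Mail protocols over TLS with certificate verification (added example).

Implicit TLS (IMAPS 993, POP3S 995, SMTPS 465) next to STARTTLS upgrades
(143, 110, 587). imaplib/poplib/smtplib *_SSL classes fall back to an
unverified context when no ssl_context is given, so one is always passed
here. Host names in the usage are placeholders, not from the notes.
"""
import imaplib
import poplib
import smtplib
import ssl

IMPLICIT_TLS_PORTS = {"imap": 993, "pop3": 995, "smtp": 465}  # TLS from the first byte
STARTTLS_PORTS = {"imap": 143, "pop3": 110, "smtp": 587}      # cleartext, then upgrade


def mail_tls_context() -> ssl.SSLContext:
    """Chain verified against system CAs, hostname checked, TLS 1.2 or later."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context() -> ssl.SSLContext:
    """Equivalent of what IMAP4_SSL(host) uses when given no ssl_context:
    any certificate from anyone is accepted, so the session is MITM-able."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check before handing a context to a mail library."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def open_imap(host: str, starttls: bool = False) -> imaplib.IMAP4:
    ctx = mail_tls_context()
    if starttls:                                        # port 143, upgrade in-band
        conn = imaplib.IMAP4(host, STARTTLS_PORTS["imap"])
        conn.starttls(ssl_context=ctx)
        return conn
    return imaplib.IMAP4_SSL(host, IMPLICIT_TLS_PORTS["imap"], ssl_context=ctx)


def open_pop3(host: str, starttls: bool = False) -> poplib.POP3:
    ctx = mail_tls_context()
    if starttls:                                        # port 110, STLS command
        conn = poplib.POP3(host, STARTTLS_PORTS["pop3"])
        conn.stls(context=ctx)
        return conn
    return poplib.POP3_SSL(host, IMPLICIT_TLS_PORTS["pop3"], context=ctx)


def open_smtp(host: str, starttls: bool = False) -> smtplib.SMTP:
    ctx = mail_tls_context()
    if starttls:                                        # port 587 submission + STARTTLS
        conn = smtplib.SMTP(host, STARTTLS_PORTS["smtp"])
        conn.starttls(context=ctx)
        return conn
    return smtplib.SMTP_SSL(host, IMPLICIT_TLS_PORTS["smtp"], context=ctx)


if __name__ == "__main__":
    print("hardened context safe:", context_is_safe(mail_tls_context()))
    print("library-default style context safe:", context_is_safe(unverified_context()))
    # Live use, e.g. open_imap("mail.example.com") or open_smtp("mail.example.com", starttls=True)
```

The STARTTLS variants start in cleartext, so an attacker who can tamper with the connection can strip the STARTTLS capability and keep the session plain unless the client insists on the upgrade, which is why the functions above call the upgrade unconditionally rather than only when the server advertises it.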

Remote Access/VPN – protocols

  • PPTP (Point-to-Point Tunneling Protocol) – has built-in encryption (MPPE), but its MS-CHAPv2 authentication is broken; treat it as legacy and avoid it for new deployments

  • L2TP (Layer 2 Tunneling Protocol) – provides no encryption of its own; used with IPsec (L2TP/IPsec)

IPSec

  • AH (Authentication Header) – provides data integrity, data-origin authentication and anti-replay for the whole packet including the IP header; no confidentiality, and it fails through NAT because NAT rewrites header fields AH protects

  • ESP (Encapsulating Security Payload) – data integrity, data-origin authentication, anti-replay and encryption (confidentiality); ESP does not cover the outer IP header

  • ISAKMP (Internet Security Association and Key Management Protocol) – the framework that defines the procedures and packet formats for creating security associations and exchanging keys

  • IKE (Internet Key Exchange) – the protocol built on ISAKMP that authenticates the peers (pre-shared key or certificates), runs the Diffie-Hellman exchange and negotiates the SAs and their keying material

    • IPsec is a framework that allows for choices: encryption algorithm, hashing/integrity algorithm, mode (tunnel or transport), protocol (AH, ESP or both)

IPSec Terms

  • Tunnel mode – the entire original IP packet is encapsulated and protected inside a new IP header; used gateway-to-gateway, or host-to-gateway for remote access

  • Transport mode – only the payload is protected and the original IP header is kept; used end-to-end between two hosts

  • SA (Security Association) – a one-way relationship that fixes the protocol (AH or ESP), algorithms and keys for a flow; identified by the SPI, the destination address and the protocol, so bidirectional traffic needs two SAs

  • SPI (Security Parameter Index) – a 32-bit value carried in each AH/ESP header that lets the receiver look up the matching SA

  • SP (Security Parameters) – the specific collection of settings (algorithms, mode, lifetimes) that both peers must agree on
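The receiver side of the AH/ESP, SA, SPI and anti-replay bullets above, as one added Python example (not from the notes): it parses the AH and ESP header layouts from RFC 4302/4303, looks the SPI up in a Security Association Database, and enforces the 64-packet sliding anti-replay window that AH and ESP both provide. The SPIs and packets are constructed test data, the SAD is a plain dict keyed by (protocol, SPI), and decryption and ICV verification are left out so the anti-replay logic stands alone.

```python
"""Inbound IPsec processing: header parse, SPI -> SA lookup, anti-replay.

Added example. Header layouts follow RFC 4302 (AH) and RFC 4303 (ESP);
the sliding window follows RFC 4303 section 3.4.3. SPI values, packets
and the dict-based SAD are constructed for the demo.
"""
import struct
from dataclasses import dataclass, field

ESP_HDR = struct.Struct("!II")     # SPI (32 bits), Sequence Number (32 bits)
AH_HDR = struct.Struct("!BBHII")   # Next Header, Payload Len, Reserved, SPI, Sequence Number


@dataclass
class AntiReplayWindow:
    """Sliding window over received sequence numbers for one (unidirectional) SA."""
    size: int = 64
    highest: int = 0   # highest sequence number accepted so far
    bitmap: int = 0    # bit i set <=> sequence number (highest - i) already accepted

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                          # 0 is never sent; the first packet is 1
            return False
        if seq > self.highest:                # new high-water mark: slide the window
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:                 # older than the window: drop
            return False
        if self.bitmap & (1 << diff):         # already accepted: replay, drop
            return False
        self.bitmap |= 1 << diff              # late but new: accept and mark
        return True


@dataclass
class SecurityAssociation:
    spi: int
    protocol: str                             # "ESP" or "AH"
    window: AntiReplayWindow = field(default_factory=AntiReplayWindow)


def parse_header(protocol: str, packet: bytes) -> tuple:
    """Return (SPI, sequence number) from the start of an AH or ESP packet."""
    if protocol == "ESP":
        if len(packet) < ESP_HDR.size:
            raise ValueError("truncated ESP header")
        spi, seq = ESP_HDR.unpack_from(packet)
        return spi, seq
    if protocol == "AH":
        if len(packet) < AH_HDR.size:
            raise ValueError("truncated AH header")
        _next_hdr, _payload_len, _reserved, spi, seq = AH_HDR.unpack_from(packet)
        return spi, seq
    raise ValueError(f"unknown IPsec protocol {protocol!r}")


def process_inbound(sad: dict, protocol: str, packet: bytes) -> str:
    """SPI lookup then anti-replay; a real stack would verify the ICV/decrypt next."""
    spi, seq = parse_header(protocol, packet)
    sa = sad.get((protocol, spi))
    if sa is None:
        return f"drop: no {protocol} SA for SPI 0x{spi:08x}"
    if not sa.window.check_and_update(seq):
        return f"drop: replay or outside window (SPI 0x{spi:08x}, seq {seq})"
    return f"accept (SPI 0x{spi:08x}, seq {seq})"


# Constructed packets for the demo. Real ESP also carries IV, ciphertext, trailer and ICV.
def build_esp(spi: int, seq: int, payload: bytes = b"") -> bytes:
    return ESP_HDR.pack(spi, seq) + payload


def build_ah(spi: int, seq: int, next_header: int = 4, icv: bytes = b"\x00" * 12) -> bytes:
    payload_len = (AH_HDR.size + len(icv)) // 4 - 2   # AH length in 32-bit words minus 2
    return AH_HDR.pack(next_header, payload_len, 0, spi, seq) + icv


def demo() -> list:
    sad = {
        ("ESP", 0x1000): SecurityAssociation(0x1000, "ESP"),
        ("AH", 0x2000): SecurityAssociation(0x2000, "AH"),
    }
    packets = [
        ("ESP", build_esp(0x1000, 1)),    # accept
        ("ESP", build_esp(0x1000, 2)),    # accept
        ("ESP", build_esp(0x1000, 1)),    # replay: drop
        ("ESP", build_esp(0x1000, 200)),  # jump ahead: accept, window slides
        ("ESP", build_esp(0x1000, 136)),  # 64 behind: outside window, drop
        ("ESP", build_esp(0x1000, 137)),  # 63 behind: late but inside window, accept
        ("ESP", build_esp(0x3000, 1)),    # unknown SPI: drop
        ("AH", build_ah(0x2000, 1)),      # AH SA: accept
    ]
    return [process_inbound(sad, proto, pkt) for proto, pkt in packets]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two details matter in practice: the window is per SA, so a replayed packet from one SA cannot be laundered through another, and the sequence number is never allowed to wrap unless Extended Sequence Numbers are negotiated, so a real implementation rekeys before 2^32 packets rather than resetting the window.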

802.11 (Over-the-Air)

  • FHSS (Frequency Hopping Spread Spectrum) – original 802.11, up to 2 Mbps

  • DSSS (Direct Sequence Spread Spectrum) – 802.11b, up to 11 Mbps

  • OFDM (Orthogonal Frequency Division Multiplexing) – 802.11a/g, up to 54 Mbps

Security Across the Technology Life Cycle

End-to-End Solution Ownership

  • Operational

    • Carried out on daily basis

    • Installing applications, security awareness & training, impact analysis

  • Maintenance

    • Ensuring systems are kept up to date: patches, hotfixes, service packs

    • Create a roll-back plan in case an update causes issues that cannot be resolved

  • Commissioning/decommissioning

    • Security controls deployed when placed into production

    • Back up the data and ensure it has been completely removed from the asset before decommissioning

  • Asset Disposal

    • Data purging or physical destruction should be used depending on classification of data on asset

    • Ensure there is no data remanence before disposal

  • Asset/object reuse

    • The asset's original use and the classification of the data it held must be understood

    • Clear the data thoroughly and return the asset to factory configuration

  • General Change Management

    • All changes should be formally requested through the change-management (CM) process

    • After approval, the change steps (and the roll-back steps) should be developed

    • A Change Control Board (CCB) should review and approve changes

SDLC (Systems Development Life Cycle) – applies to both software & hardware

  1. Initiate – a need for something new is identified and the project is scoped

  2. Acquire/develop – requirements and design, then the decision to buy or build and the purchase or development itself

  3. Implement – install, test, certify and accredit the system before it enters production

  4. Operate/maintain – long period of use, with monitoring and patching

  5. Dispose – retire the system and sanitize or destroy its data when it is no longer useful

SSDLC (Secure Systems Development Life Cycle) / SDL (Security Development Lifecycle)

  • SSDLC – the SDLC with security activities added to every phase (NIST SP 800-64)

  • Identify sources of security requirements and standards

  • Provide security category for the system & assess the business impact of the system

  • Use secure development practices

  • Continuous monitoring through lifecycle/ have disposal plan

SRTM (Security Requirements Traceability Matrix) – table that lists each security requirement of a system and maps it to the design, implementation and test artifacts that satisfy it, so nothing is dropped between phases

Security Implications of Software Development Methodologies

  • Agile – risks (priority is customer satisfaction, not security)

    • Inadequate security testing, new assets may not be assessed for security impact

    • Security issues may be ignored if they could cause delays, security is often secondary

    • Software that functions correctly may not be necessarily secure

  • Waterfall (team cannot return to previous stages)

    • Security is more likely to be overlooked due to schedule constraints

    • Developers cannot return to earlier stages; possible to develop software that is no longer needed

  • Spiral Model – requirements are captured quickly and can be changed easily (less risky) as developers can return to earlier stages

Vulnerability Cycle – Explains the order of vulnerability types that attackers run through over time

  • Human/Organization → Network → Service/Server → Application → Client

Asset Management (Inventory Control) – involves the tracking of devices that the organization owns

  • Geolocation/GPS

Inventory control involves tracking and containing inventory:

  • Geotagging/Geofencing

  • RFID

    • ARPT (Active Reader/Passive Tag)

    • ARAT (Active Reader/Active Tag)
