Integration of Computing , Communications & Business Disciplines
MODULE 6: Organizational Security
Business Unit Collaboration
Identifying and Communicating Security Requirements to Stakeholders from other Areas
Sales
Create VPN to separate business areas
Implement remote lock & remote wiping on mobile devices
Programmers
Periodic training on latest techniques
Ensure programmers understand how devices communicate over the network
Attend security awareness training for issues they will encounter, e.g. buffer overflow training, XSS
Database Admin
Ensure DBAs understand security requirements; use database views to control visibility
TDE (Transparent Data Encryption) – provides protection for a database at rest without affecting existing application by encrypting the entire database
Periodically provide training
Network Admin
Primary concern to protect data from attackers
Ensure all network devices are stored in a secure location
Management/Executive Management (C-level Management)
Security awareness training must provide a clear understanding of potential risks and threats, with the effects of security issues on organizational reputation and financial standing
Financial Dept
Isolated from all other departments
Adopt clean desk policy, implement locking screensavers
Security awareness training on asset disposal, social engineering & password protection
Human Resources
Clean-desk policy, training understanding of laws and regulations
Emergency Response Team
At least one team member with digital forensic investigation experience
Specialized training needed in emergency response, specialized tools
Facilities Manager
Needs to understand SCADA systems and importance of keeping systems updated
Security Controls (Three Types)
Administrative or management: implemented to administer the security policies, procedures, guidelines that are established by management
Logical or technical: Software or hardware components used to restrict access
Physical Controls: Implemented to protect facilities and personnel, e.g. fences, mantraps, CCTV
Secure Communication and Collaboration
Risk Management of New products
Periodically monitor user behaviors
Use training to mitigate, deter, and prevent risks
Anticipate behaviors by researching trends
Mergers, Demergers, Divestitures
Issues to consider: Rules, Policies, Regulations, Geography
3rd Party Providers
Outsourcing agreements must ensure that the information that is entrusted is protected
Downstream Liability – the liability an organization incurs when its own failure to exercise due care causes damage to another party (e.g. a partner or customer downstream of it)
Due Diligence – an organization understands the security risks it faces and has taken reasonable measures to meet those risks
Due Care – An organization takes all actions it can reasonably take to prevent security issues
Contract clauses should detail expected security measures
Periodically audit and test to ensure compliance
An ISA (Interconnection Security Agreement) should be considered
Impacts of De-perimeterization
Telecommuting, Cloud, BYOD, Outsourcing have all extended the boundaries of the organization.
Security Issues with Web Conferencing
Data leakage – due to data residing on a shared server there is a greater chance of leakage
Uninvited guests – Most systems only use a simple code for entrance; eavesdropping is a risk
Data Captured en route – Use encryption to mitigate the chance of data being captured en route
DoS Attack – possibility of DoS attacks
Use nondisclosure agreements
Email – Standard messaging protocols:
IMAP – use IMAPS (port 993)
POP – use POP over SSL (port 995)
SMTP – Use SMTP over SSL (port 465)
Train users to regard all emails suspiciously and provide training for social engineering
Remote Access/VPN – protocols to use
PPTP (Point-to-Point Tunneling Protocol) – has built-in encryption
L2TP (Layer 2 Tunneling Protocol) – used with IPSec
IPSec
AH (Authentication Header) – provides data integrity, data origin and anti-replay
ESP (Encapsulating Security Payload) – data integrity, data origin, anti-replay & encryption
ISAKMP (Internet Security Association and Key Management Protocol) – handles creation of the security association and the exchange of keys
IKE (Internet Key Exchange) – provides the authentication material used to create the keys
IPSec is a framework that allows for choices; encryption, hashing, mode (tunnel or transport), protocol (AH, ESP or both)
IPSec Terms
Tunnel mode – exists only between gateways, but all traffic is protected
Transport mode – The SA is either between 2 end stations or between an end station & gateway or remote access server
SA (Security Association) – made up of SPI (security parameter index) and the AH/ESP combination
SPI (security parameter index) – a value carried in each IPsec header that identifies which SA the packet belongs to
SP (Security Parameters) – the specific collection of settings that must match
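To make the SA/SPI and anti-replay terms above concrete, here is an added example (not part of the original notes) that parses the fixed ESP and AH header fields, looks up the inbound SA by SPI, and applies an RFC 4303-style sliding replay window per SA. The SPI value, window size and packet bytes are constructed for illustration.

```python
"""Added example: SPI lookup and anti-replay window for inbound IPsec packets."""
import struct

WINDOW = 64  # RFC 4303 requires at least 32; 64 is a common choice (assumption)


def parse_esp_header(packet: bytes):
    """ESP starts with SPI (4 bytes) then sequence number (4 bytes)."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", packet[:8])
    return spi, seq


def parse_ah_header(packet: bytes):
    """AH: next header, payload len (32-bit words minus 2), reserved, SPI, seq, ICV."""
    if len(packet) < 12:
        raise ValueError("truncated AH header")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", packet[:12])
    icv_len = (payload_len + 2) * 4 - 12   # total AH length minus the fixed 12 bytes
    return next_hdr, spi, seq, packet[12:12 + icv_len]


class ReplayWindow:
    """Sliding-window anti-replay check; bit i of bitmap means seq (top - i) was seen."""
    def __init__(self, size=WINDOW):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                          # sequence 0 is never valid
        if seq > self.top:                        # new high-water mark: slide window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                          # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                          # already seen: replay
        self.bitmap |= 1 << offset
        return True


# Constructed SA table: each inbound SA, keyed by SPI, keeps its own replay window
SA_TABLE = {0x1000ABCD: ReplayWindow()}


def accept_esp(packet: bytes) -> bool:
    """Drop packets with an unknown SPI (no SA) or a replayed sequence number."""
    spi, seq = parse_esp_header(packet)
    sa = SA_TABLE.get(spi)
    return sa is not None and sa.check_and_update(seq)
```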
802.11 (Over-the-Air)
FHSS (Frequency Hopping Spread Spectrum) up to 2Mbps
DSSS (Direct Sequence Spread Spectrum) up to 11Mbps
OFDM (Orthogonal Frequency Division Multiplexing) up to 54Mbps
Security Across the Technology Life Cycle
End-to-End Solution Ownership
Operational
Carried out on daily basis
Installing applications, security awareness & training, impact analysis
Maintenance
Ensuring systems are kept up to date: patches, hotfixes, service packs
Create roll-back plan in case there are issues that cannot be resolved
Commissioning/decommissioning
Security controls deployed when placed into production
Back-up data & ensure that it has been completely removed from asset before decommissioning
Asset Disposal
Data purging or physical destruction should be used depending on classification of data on asset
Ensure there is no data remanence before disposal
Asset/object reuse
Analysis of asset’s original use must be understood
Data thoroughly cleared, return asset to factory configuration
General Change Management
All changes should be formally requested using CM process
After approval change steps should be developed
Change Control Board should be used
SDLC (Systems Development Life Cycle) – applies to both software & hardware
Initiate – discover that something new is needed
Acquire/develop – make decision to buy or develop
Implement – purchase or develop
Operate/maintain – long period of use
Dispose – Dispose of system when no longer useful
SSDLC (Security System Development Life Cycle) / SDL (Security Development Lifecycle)
SSDLC – same as the SDLC but includes security activities from NIST SP 800-64
Identify sources of security requirements and standards
Provide security category for the system & assess the business impact of the system
Use secure development practices
Continuous monitoring through lifecycle/ have disposal plan
SRTM (Security Requirements Traceability Matrix) – table that documents security requirements of a particular object
Security Implications of Software Development Methodologies
Agile – risks (priority is customer satisfaction, not security)
Inadequate security testing, new assets may not be assessed for security impact
Security issues may be ignored if they could cause delays, security is often secondary
Software that functions correctly may not be necessarily secure
Waterfall (team cannot return to previous stages)
Security is more likely to be overlooked due to schedule constraints
Developers cannot return to earlier stages; possible to develop software that is no longer needed
Spiral Model – requirements are captured quickly and can be changed easily (less risky) as developers can return to earlier stages
Vulnerability Cycle – Explains the order of vulnerability types that attackers run through over time
Human/Organization → Network → Service/Server → Application → Client
Asset Management (Inventory Control) – involves the tracking of devices that the organization owns
Geolocation/GPS
Inventory Control involves tracking and containing inventory
Geotagging/Geofencing
RFID
ARPT (Active Reader/Passive Tag)
ARAT (Active Reader/Active Tag)