CISSSP Process Guide v.21

CISSP Process Guide
V.21
I'm Fadi Sodah (aka madunix), and I'm an IT Director. I've been in the IT realm for over twenty-six years and have held a variety of
positions. I worked as a networks engineer, systems engineer and security engineer and I was among the Top 100 Hall of Fame
HackTheBox. I'm an active member of Experts-Exchange (EE) since 2004. I have been awarded the Most Valuable Expert (EE MVE) in
2019. You can find me on Experts-Exchange (EE), LinkedIn, Facebook, Telegram, Discord and Twitter @madunix. I hold certifications in
many areas of the IT field such as networking, systems, audit, IoT, AI and security: PCCSA, PCNSA, PCNSE, CCNP, CCIP, CISA, CISSP,
CFR, CSC, ACE, CIoTSP, CAIP, CISM, eJPT, CyberSafe, SCSC, KCSP, KCTP, OCIF, OADCS, ADCI and ICATE.
To benefit others with the knowledge and experienced I gained during my study term, I have summarized the main underlying concepts
in a general overview. I am hoping this consolidation of core concepts and processes would benefit those interested in becoming security
experts.
This document intends to be supplementary, not a replacement for officially published study guides and books. I may have added
multiple definitions of the same process or procedure due to the varying definitions from different resources such as the Official CBK,
Sybex, NIST publications, SANS papers, or the AIO Shon Harris books. If you encounter any conflicts, please refer to the latest Official
books CISSP CBK, AIO and Sybex. Being a CISSP candidate, you should fully understand CISSP concepts, methodologies and their
implementations within the organization.
The CISSP exam is designed to test your presence of mind, knowledge, experience, concept and hardworking.
 Use Sybex as a baseline for your study
 In case of misconception keep referring to CBK CISSP book and index
 Review the notes from Sunflower powered by Nick Gill
 Review CISSP Process Guide powered by madunix
 Review Memory Palace CISSP Notes powered by Prashant
 If you study by yourself, you will always see your material from the same perspective; I recommend to choose a study group
telegram and discord.
 Review NIST publication
 Check CISSP references www.isc2.org/Certifications/References
 Measure your progress through quizzes and practice exams, be aware don’t go by the score try to fill your gaps
 Keep checking the (ESG) Elite Security Groups
 https://thorteaches.com/cissp/
 https://www.studynotesandtheory.com/
 https://wentzwu.com/
 https://prabhnair.in/
 https://www.experts-exchange.com/members/madunix
Do not try any shortcut when it comes to reading books and gaining knowledge. This quick reference should be utilized as a fast recap of
security concepts. It’s essential that you read Official CISSP books first and then use these notes to get a recap of what you have
learned. I wish you good luck for the CISSP exam.
You can send me a donation to my account to keep this document updated: paypal.me/FadiSodah
Email:madunix@gmail.com
CISSP is registered certification marks of (ISC)², Inc.

Discalamer: Fadi Sodah is not affiliated with or endorsed by (ISC)2
Title. CISSP Process Guide powered by madunix https://www.experts-exchange.com/members/madunix Version. 21 Release. 2020 1
Corporate Governance: The importance of following Infosec standards:
Corporate governance is the set of responsibilities and practices Creating and using common, proven practices is an important part
exercised by the board and executive management with the goal of of a successful information security program. Not only do
providing strategic direction, ensuring that objectives are achieved, standards support proactive management and efficient risk
ascertaining that risk is managed appropriately and verifying that mitigation, adopting and consistently following a standard can
the enterprise's resources are used responsibly. bring additional benefits to any organization.
• Auditing supply chains • TRUST & CONFIDENCE. When organizations obtain certifications
• Board and management structure and process that demonstrate compliance, they create a sense of trust and
• Corporate responsibility and compliance confidence among employees and third parties with whom they
• Financial transparency and information disclosure interact.
• Ownership structure and exercise of control rights • BETTER RESULTS. When you speak the same jargon, results are
Governance, Risk and Compliance (GRC): more productive, effective, and cohesive. E.g., vendor assessments
The process of how an organization manages its information can be smoother and faster with a formal infosec program in place.
resources. This process usually includes all aspects of how • COMPETITIVE ADVANTAGE. Developing a formal infosec program
decisions are made for that organization, such as policies, roles and obtaining certification boosts client and stakeholder confidence
and procedures the organization uses to make those decisions. It is in how infosec risks are managed and aligned with their own risk
designed to ensure the business focuses on core activities, clarifies appetite.
who in the organization has the authority to make decisions, • CORPORATE RESPONSIBILITY. Holding an infosec certification
determines accountability for actions and responsibility for can help organizations demonstrate due diligence and due care,
outcomes, and addresses how expected performance will be which are mandatory requirements for company officers and
evaluated. essential for mitigating corporate negligence.
Areas of focus for IT Governance: Note: Information security standards offer best practices and
• Strategic alignment share expert information. These standards allow organizations to
• Value delivery adopt, tailor, and implement a valuable infosec program without
• Resource management having to hire full time experts, reinventing the wheel, and learning
• Risk management by trial and error, which is costly, time consuming and dangerous.
• Performance management Challenges of implementing and maintaining standards:
Governance vs. Management: • Time: Implementing and maintaining information security
• Oversight vs. Implementation standards is not a one-time project. Rather, it is a process that
• Assigning authority vs. authorizing actions requires dedicated, qualified personnel, support from senior
• Enacting policy vs. enforcing leadership, and continuous monitoring and improvement. A
• Accountability vs. responsibility successful effort will require buy-in from the entire organization.
• Strategic planning vs. project planning • Cost: Standards can be expensive to implement and just as
• Resource allocation vs. resource utilization costly to maintain. In the case of ISO 27001, for example, in
Note: Governance: (What do we need to accomplish). Governance addition to the time and effort necessary to meet the standard
typically focuses on the alignment of internal requirements, such as requirements, organizations must budget for annual audit fees,
corporate policies, business objectives, and strategy. Management: which can be substantial.
(How) • Buy-in: Senior leadership buy-in and program ownership at the
C-level are critical elements for an organization to deploy an
Security Policy:
information security program effectively. The information security
• Define the scope
team must share metrics, report the effectiveness of the program,
• Identify all assets
and demonstrate its value and strategic alignment with the
• Determine level of protection
organization’s business objectives to maintain senior leadership
• Determine personal responsibility
support.
• Develop consequences for noncompliance
• Change management: In general, everyone appreciates the value
Securing the Infrastructure:
of securing information until it requires a change. Security teams
• Framework for Governance
implementing standards are challenged to strike a delicate balance
• Risk Management
between security and convenience.
• The Security Program
• Continuous improvement: Standards have life cycles. When a
• Data Protection
standard is updated, it is the responsibility of all compliant
• System and Data Management
organizations to be aware of the updates and implement them by
• Security Awareness Training
specified dates, or as soon as possible if a time line is not
• User Provisioning
mandated. In some cases, a standard might become obsolete, and
• Monitoring and Enforcement
a new standard must be researched and presented to senior
• Incident Response
leadership for approval for implementation.
Access Control Review: Data Protection:
The following is a review of the basic concepts in access control. When you think about data protection, there are essentially 5 key
Identification: trends to be aware of:
• Subjects supplying identification information  As always, the ability to recover data in the event of a loss
• Username, user ID, account number or corruption is critical to why business does back up. It is
Authentication: a must.
• Verifying the identification information  Next is disaster recovery (DR). In much the same way as
• Passphrase, PIN value, thumbprint, smart card, one-time application or data recovery, in the event of a natural
password disaster, the ability to get the business up and running is
Authorization: paramount. Statistically, businesses that can’t recover
• Using the identity of the subject together with other criteria to from a disaster within 72 hours go out of business, so
make a determination of operations that a subject can carry out having a plan is critical, no matter the size of the
on objects business.
• “I know who you are, now what am I going to allow you to do?”  Business continuity is a superset of DR and having a
Accountability: business continuity plan would mean having a good DR
• Audit logs and monitoring to track subject activities with objects plan. It is imperative that not only are applications
Authorization approval procedure: protected, but users can access the data and applications
• Formalized in the event of a disaster.
• Approval by the direct manager, data owner, security  The ability to reuse existing data for other business
professional purposes. With the latest talk about “data being the new
• Access permissions follow the principle of least privilege oil” or “natural useable resource,” companies that can
• Balance security with the need for access take advantage of this data are more likely to be
• Avoid allowing too much privilege — Conflicts of interest successful. Having the ability to spin up copies of this data
• Remove privilege when no longer needed quickly for other business uses such as DevOps, analytics,
Due Diligence vs. Due Care: or reporting as well as supporting a good DR strategy has
• Due Diligence: "Researching" -- Investigating and understanding become a way to take further advantage of your backup
risks solution.
• Due Diligence: “Doing” all the necessary tasks required to  The latest entry to the list is cyber resiliency. While cyber
maintain the due care resiliency has been important for a long time, it is now top
• Due Care: "Doing" -- Developing policies and procedures to of everyone’s mind due to the most recent attacks and the
address risk statistics that talk about how cyber attacks cost
• Due Care is to act responsibly businesses a lot of money. The ability to recover from one
of these attacks is not as simple as just a data recovery,
so new planning has to be part of how businesses protect
their data.
Data at Rest: Business Impact Assessment:
The term data at rest refers to data that lives in external or • Identify Priorities
auxiliary storage devices, • Identify Risk
such as hard disk drives (HDDs), solid-state drives (SSDs), optical • Likelihood Assessment
discs (CD/DVD), or even on magnetic tape. A challenge to protect • Impact Assessment
the data in these states is, it is vulnerable, not only to threat actors • Resource prioritization
attempting to reach it over our systems and networks but also to Risk can never be mitigated to zero (there is no such thing as “no
anyone who can gain physical access to the device. Data protection risk” or “perfect security”)
strategies include secure access controls, the segregation of duties, Business Impact Analysis:
and the implementation of the need to know mechanisms for • Identify critical functions
sensitive data. • Identify critical resources
Data in Use: • Calculate MTD for resources
Data in use refers to the information that is currently in use. It is • Identify threats
used by staff, as in laptops or portable devices, and information • Calculate risks
that is being printed or copied to a USB stick. This is the data • Identify backup solutions
available in endpoints. Data security controls for data in use would Business Impact Analysis:
include port protection and whole disk encryption. Controls against • Select individuals to interview for data gathering
shoulder surfing, such as clear screen and clear desk policies, are • Create data-gathering techniques
also applicable to data in user controls. • Identify critical business functions
Security: • Identify resources these functions depend upon
Security is a continuous process, not a one-shot project. The • Calculate how long these functions can survive without these
security life cycle or the security wheel is a continuous process that resources
consists of several consequent phases (stages). The word cycle • Identify vulnerabilities and threats
indicates the continuous and endless nature of such process. The • Calculate the risk for each different business function
ISO 27001 defines the cycle of the information security • Document findings and report them to management
management system ISMS as PCDA: Plan-Do-Check-Act. Key Performance Indicator KPI based on:
Samples of testing CIA Triad: • BIA
• Security Functionality: Verify that the software behaves • Effort to implement
according to requirements, which should include security. • Reliability
• Fuzz-testing (or fuzzing): Enter a wide variety of out-of-range • Sensitivity
• Dynamic Validation: Use variable data in the code to ensure the Security Programs Metrics:
integrity of the software. • KPI looks backward at historical performance
• Risk-Based Testing: Prioritize what features to test based on their • KRI looks forward, show how much risk exists that may
potential risk and the impact of their failure. jeopardize the future security of the organization.
• Penetration Testing: Play the role of an attacker, finding Business Continuity Planning (BCP):
weaknesses and attempting exploits. • Project Initiation
• Authentication Testing: Verify that communication over a • Business Impact Analysis
network such as the Internet is protected by secure identification • Recovery Strategy
methods. • Plan design and development
• Regression Testing Confirm that newer patches, updates, and • Implementation
fixes work with older code. • Testing
Considerations for Security Controls include: • Continual Maintenance
• Accountability (can be held responsible) BCP (NIST 800-34):
• Auditability (can it be tested?) • Develop a planning policy;
• A trusted source (source is known) • BIA
• Independence (self-determining) • Identify preventive controls
• Consistently applied • Create contingency strategies
• Cost-effective • Develop contingency plans
• Reliable • Test
• Independence from other security controls (no overlap) • Maintenance
• Ease of use
Business Continuity Planning (BCP):
• Automation
• Provide immediate and appropriate response to emergency
• Sustainable
situations
• Secure
• Protect lives and ensure safety
• Protects confidentiality, integrity, and availability of assets
• Reduce business impact
• Can be “backed out” in the event of an issue
• Resume critical business functions
• Creates no additional issues during operation
• Work with outside vendors and partners during the recovery
• Leaves no residual data from its function
period
Business Impact Assessment (BIA): • Reduce confusion during a crisis
A systematic process to determine and evaluate the potential • Ensure survivability of the business
effects of an interruption to critical business operations as a result • Get "up and running" quickly after a disaster
of exploitation, disaster, accident or emergency.
DRP vs. BCP: Business Continuity Planning (BCP):
• BCP - Corrective Control • Project scope and planning
• DRP - Recovery Control •• Business Organization Analysis
• Both BCP and DRP - fall under the category of Compensating •• BCP team selection
Control •• Resource Requirements
• BCP – is not a preventive control as it can NOT prevent a disaster •• Legal and regulatory requirements
• BCP - helps in the continuity of organization function in the event • Business impact assessment
of a disaster •• Identify priorities
• BCP - maintaining critical functions during a disruption of normal •• Risk Identification
operations •• Likelihood Assessment
• DRP - recovering to normal operations after a disruption •• Impact Assessment
Business Continuity Planning (BCP): •• Resource Prioritization
• Continuity Policy • Continuity planning
• Business Impact Assessment (BIA) •• Strategy Development
• Identify Preventive Controls •• Provisions and Processes
• Develop Recovery Strategies •• Plan Approval
• Develop BCP •• Plan Implementation
• Exercise/Drill/Test •• Training and Education
• Maintain BCP • Approval and implementation
DR Team: •• Approval by senior management (APPROVAL)
• Rescue Team: Responsible for dealing with the immediacy of the •• Creating an awareness of the plan enterprise-wide
disaster –employee evacuation, crashing the server room, etc. (AWARENESS)
• Recovery Team: Responsible for getting the alternate facility up •• Maintenance of the plan, including updating when needed
and running and restoring the most critical services first. (MAINTENANCE)
• Salvage Team: Responsible for the return of operations to the •• Implementation
original or permanent facility (reconstitution) – (get us back to the Development of Disaster Recovery Plan (DRP):
stage of normalcy) • Plan Scope and Objectives
Business Continuity Planning (BCP) Documents: • Business Recovery Organization (BRO) and Responsibilities
• Continuity of planning goals (Recovery Team)
• Statement of importance and statement of priorities • Major Plan Components - format and structure
• Statement of Organizational responsibilities • Scenario to Execute Plan
• Statement of Urgency and Timing • Escalation, Notification and Plan Activation
• Risk assessment, Risk Acceptance, and Risk mitigation document • Vital Records and Off-Site Storage Program
• Vital Records Program • Personnel Control Program
• Emergency Response Guidelines • Data Loss Limitations
• Documentation for maintaining and testing the plan • Plan Administration
Disaster Recovery Plan (DRP) procedures:
DRP/BCP document plan should be:
• Respond to disaster by a pre-defined disaster level
• Created for an enterprise with individual functional managers
• Assess damage and estimate time required to resume operations
responsible for plans specific to their departments
• Perform salvage and repair
• Copies of the plan should be kept in multiple locations
• Both Electronic and paper copies should be kept Elements of Recovery Strategies:
• The plan should be distributed to those with a need to know • Business recovery strategy
• Most employers will only see a small portion of the plan •• Focus on the recovery of business operations
• Facility & supply recovery strategy
•• Focus on facility restoration and enable alternate recovery
site(s)
• User recovery strategy
•• Focus on people and accommodations
• Technical recovery strategy
•• Focus on the recovery of IT services
• Data recovery strategy
•• Focus on the recovery of information assets
The eight R’s of a successful Recovery Plan:
• Reason for planning
• Recognition
• Reaction
• Recovery
• Restoration
• Return to Normal
• Rest and Relax
• Re-evaluate and Re-document
Disaster Recovery Program: Risk Analysis:
• Critical Application Assessment • Analyzing the environment for risks
• Backup Procedures • Creating a cost/benefit report for safeguards
• Recovery Procedures • Evaluating threat
• Implementation Procedures Elements of risk:
• Test Procedures • Threats
• Plan Maintenance • Assets
Post-Incident Review: • Mitigating factors
The purpose is how we get better; after a test or disaster has Risk Analysis methodology:
taken place: • CRAMM (CCTA Risk Analysis and Management Method)
• Focus on how to improve • FMEA (Failure modes and effect analysis methodology)
• What should have happened? • FRAP (Facilitated Risk Analysis Process)
• What should happen next? • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability
• Not who´s fault it was; this is not productive Evaluation)
Continuity Planning: • PUSH
Normally applies to the mission/business itself; Concerns the ability • Spanning Tree Analysis
to continue critical functions and processes during and after an • SOMAP (Security Officers Management and Analysis Project)
emergency event. • VAR (Value at risk)
Contingency Planning: RMF CSIAAM: (NIST 800-37):
Applies to information systems, and provides the steps needed to The risk management framework (RMF) encompasses a broad
recover the operation of all or part of the designated information range of activities to identify, control, and mitigate risks to an
system at an existing or new location in an emergency. information system during the system development life cycle. One
Business Continuity Plan (BCP): of the activities is the development of an ISCP. Implementing the
BCP focuses on sustaining an organization's mission/business risk management framework can prevent or reduce the likelihood
process during and after a disruption. It May be used for long-term of the threats and limit the consequences of risks. RMF include:
recovery in conjunction with the COOP plan, allowing for additional • Categorize the information system and the data
functions to come online as resources or time allows. • Select an initial set of baseline security controls
Occupant Emergency Plan (OEP): • Implement the security controls and describe how the controls
It outlines first-response procedures for occupants of a facility in are employed
the event of a threat or incident to the health and safety of the • Assess the security controls
personnel, the environment, or property. • Authorize systems to be launched
• Monitor the security controls
Cyber Incident Response Planning (CIRP):
It’s A type of plan that normally focuses on detection, response, Risk Management Process: (FARM):
and recovery to a computer security incident or event. It • Framing risk
establishes procedures to address cyber-attacks against an • Assessing risk
organization's information system(s). • Responding to risk
• Monitoring risk
Information System Contingency Plan (ISCP):
It provides established procedures for the assessment and Risk management Policy Document:
recovery of a system following a system disruption. Provides key • Objectives of the policy and rationale for managing risk
information needed for system recovery, including roles and • Scope and charter of information risk management
responsibilities, inventory info, assessment procedures, detailed • Links between the risk management policy and the organizations
recovery procedures, and testing of a system. strategic and corporate business plans-Extent and range of issues
to which the policy applies
Continuity of Operations Plan (COOP):
• Guidance on what is considered acceptable risk levels
It focuses on restoring an organization's mission essential function
• Risk management responsibilities
of an alternate site and performing those functions for up to 30
• Support expertise available to assist those responsible for
days before returning to normal operations.
managing risk
Disaster Recovery Plan (DRP):
• Degree of documentation required for various risk-management
Applies to major physical disruptions to service that deny access to
related activities, e.g., change management
the primary facility infrastructure for an extended period. An
• A plan for reviewing compliance with the risk management policy
information system-focused plan designed to restore operability of
• Incident and event severity levels
the target system, application, or computer facility infrastructure at
• Risk reporting and escalation procedures, format and frequency
an alternate site after an emergency. Only addresses information
Risk Management Life Cycle:
system disruptions that require relocation.
• Continuously monitoring
Risks to the organization found in:
• Evaluating
• Financial
• Assessing and reporting risk.
• Reputational
Risk management:
• Regulatory
• Risk Assessment — Identify Assets, Threats Vulnerabilities
• Risk Analysis — Value of Potential Risk
• Risk Mitigation — Responding to Risk
• Risk Monitoring — Risk is forever
Risk management entails evaluating: Damage assessment:
• Threats • Determine the cause of the disaster.
• Vulnerabilities • Determine the potential for further damage.
• Countermeasures • Identify the affected business functions and areas.
Methodologies of Risk Assessment: • Identify the level of functionality for the critical resources.
• Prepare for the assessment. • Identify the resources that must be replaced immediately.
• Conduct the assessment: • Estimate how long it will take to bring critical functions back
•• Identify threat sources and events. online.
•• Identify vulnerabilities and predisposing conditions. • If it will take longer than the previously estimated MTD values
•• Determine the likelihood of occurrence. to restore operations, then a disaster should be declared and BCP
•• Determine the magnitude of impact. should be put into action.
•• Determine risk. Note:
• Communicate results. • The first activity in every recovery plan is damage assessment,
• Maintain assessment. immediately followed by damage mitigation.
Preparing Risk Assessment: • The final step in a damage assessment is to declare a disaster.
• Purpose of the assessment • The decision to activate a disaster recovery plan is made after
• The scope of the assessment damage assessment and evaluation is completed.
• Assumptions and constraints associated with the assessment Configuration Management:
• Sources of information to be used as inputs to the assessment • Plan
• Risk model and analytic approaches • Approve Baseline
Risk Assessment (NIST 800-30): • Implement
• System / Asst. Characterization • Control Changes
• Threat Identification • Monitor
• Vulnerability Identification • Report
• Control Analysis • Repeatable
• Likelihood Determination Configuration Management:
• Impact Analysis • Configuration Identification
• Risk Determination • Configuration Control
• Control Recommendations • Configuration Status Accounting
• Results Documentation • Configuration Audit
Key Challenges in Third-Party Risk Management: Change Control:
• Increases the complexity of third-party network & it's managnt. • Implement changes in a monitored and orderly manner.
• Risk of failure to manage regulatory compliances • Changes are always controlled
• Additional Cost for monitoring third-parties • Formalized testing
• Lack of collaboration among parties • Reversed/rollback
• Risk of information / data leakage • Users are informed of changes before they occur to prevent loss
Key Components of Third-Party Risk Management of productivity.
Framework: • The effects of changes are systematically analyzed.
Following are the key components of Third-Party Risk Management • The negative impact of changes in capabilities, functionality,
(TPRM) Framework: performance
• Planning & process definition • Changes are reviewed and approved by a CAB (change approval
• Segmentation & Screening board).
• Qualification Change Management:
• Security & Permissions • Request for a change to take place
• Workflows • Approval of the change
• Risk Mitigation • Documentation of the change
• Continuous Monitoring • Tested and presented
• Reports & Dashboard • Implementation
• Centralized Repository • Report change to management
• Alert & Notification Change Management:
Damage assessment: • Request
• Determining the cause of the disaster is the first step of the • Review
damage assessment • Approve
• How long it will take to bring critical functions back online • Schedule
• Identifying the resources that must be replaced immediately • Document
• Declare a disaster
Change Management: Enterprise Security Architecture (ESA):
• Request • Presents a long-term, strategic view of the system
• Evaluate • Unifies security controls
• Test • Leverages existing technology investments
• Rollback Implement Fail-Safe Design:
• Approve To implement fail-safe design, make sure that your software:
• Document • Denies access by default in error-handling logic for security
• Determine Change Window controls. Failure should not result in elevated rights for an attacker.
• Implement • Put limits on recovery retry attempts. If your software continually
• Verify attempts to do something that isn't working, it may overfill caches,
• Close bog the process down trying to retry overwhelming numbers of
Patch Management: backed-up tasks, and so forth.
• Patch Information Sources • Doesn't make assumptions about ways to remediate when failure
• Prioritization occurs. Fail bad inputs rather than attempting to correct them
• Scheduling when you have no way to know what was intended. Suspend the
• Testing affected transaction and report it, so users and system operators
• Installation are clear that the transaction did not go through.
• Assessment Integrate Security Into Your Development Processes:
• Audit • Examine each phase or aspect of your development processes,
• Consistency and identify how you can address security.
• Compliance • Make sure security is included in your business requirements,
Patch Management: software requirements specifications, and any other documentation
• Evaluate and tools you use to define the scope and requirements of the
• Test project.
• Approve • Identify functional as well as non-functional security
• Deploy requirements, and make sure that these security requirements flow
• Verify into test cases.
Patch Management: • Use a threat modeling process ("architectural risk analysis") to
• Inventory identify specific risks and prioritize how you will handle them.
• Allocate Resources • Include security reviews in your development phase and use code
• Pursue updates analysis tools to help identify security defects as they emerge.
• Test • Use a variety of testing methods throughout development to
• Change Approval ensure that security problems don't appear as the project
• Deployment plan progresses.
• Rollback plan • As you fix security defects, create new automated unit tests to
• Deploy and verify the updates with policy requirements alert you if the problem you fixed reappears.
• Document • Establish processes and software features so you are notified
Problem Management: immediately when security issues are found.
• Incident notification • Establish ongoing monitoring and testing to identify when new
• Root cause analysis security issues emerge over time.
• Solution determination • Stay apprised of vulnerabilities in systems and modules that your
• Request for change code depends on, such as the operating system it runs on, web
• Implement solution servers, database servers, cloud services, and so forth.
• Monitor/report
Information Systems Security Engineering (ISSE) Process:
• Discover Information Protection Needs; ascertain the system
purpose.
• Identify information asset needs protection.
• Define System Security Requirements; Define requirements
based on the protection needs.
• Design System Security Architecture; Design system architecture
to meet security requirements.
• Develop Detailed Security Design; Based on security architecture,
design security functions and features of the system.
• Implement System Security; Implement designed security
functions and features into the system.
• Assess Security Effectiveness; Assess the effectiveness of ISSE
activities.
Secure the Development Environment: Perform Dynamic Analysis:
• Keep development, testing, and production environments • Recognize benefits of, and uses for, dynamic code analysis:
completely separated, and control access to them by network users • Analyze code functioning in real world scenarios, minimizing the
and deployment scripts through different assignable roles. need to create artificial scenarios to find errors.
• If possible, separate responsibilities and access to different • Find certain types of vulnerabilities that static code analysis
environments so only those who require access to a particular might not find, such as race conditions.
environment have access. • Validate findings in the static code analysis.
• Protect development, testing, and production environments from • Recognize limitations of dynamic analysis:
physical access. • May produce false negatives (not reporting problems that actually
• Protect the computers that developers use for development. For exist) and false positives (reporting problems that don't actually
example, encrypt local storage, require developers to log out when exist).
walking away from their desk, and so forth. • May provide a false sense that all security problems have been
• Avoid using public code repositories. found.
• Make sure your code repository is on a secure system that is • Require the code to run, so they can't identify issues in code that
protected from unauthorized physical and network access. won't compile.
• Store code backups only in a secure storage location. • Typically require more expertise than static code analysis to
• Maintain secure logs of all code check-ins and check-outs. perform properly.
• Monitor who accesses the repository, when, and from where. • Depend on scripts to automate tasks or users manually
• Audit code frequently to verify that no malicious functions or performing steps, so you can't guarantee full coverage of the
vulnerabilities are added into production. source code.
• Provide developers with realistic sample data to use for Perform Automated Security Testing:
programming and testing instead of actual data. • Use automated testing to supplement, rather than replace,
• When it is necessary to destroy any source code, sensitive data, manual testing and code review.
assets, or backups, make sure they are destroyed securely. Follow • To support test-driven development (TDD), create security tests
compliance requirements, if applicable. within your automated unit tests to ensure that security tests are
Perform Code Analysis: continually performed during the development process.
When you perform static or dynamic code analysis: • As much as possible, try to design tests to be repeatable across
• Combine static and dynamic code analysis to reveal more projects to save time, provide consistency, and facilitate testing
security defects than performing either type of code analysis alone. process improvements over time.
• Combine automated code analysis with static and dynamic code
analysis to reveal even more security defects.
Perform Static Analysis:
• Recognize benefits of, and uses for, static code analysis:
• Quick operation, functioning much faster than a manual (human)
code reviewer.
• Scalable, can be run frequently (at each daily build, for example).
• Robotic consistency and rigor in checking for specific types of
security problems.
• Low cost to operate, typically at a much lower cost than using
experienced security architects and reviewers (whose efforts can
be reserved for analysis tasks that benefit from human insight and
creativity).
• Ability to quickly scan for a huge range of problems, drawing the
developer's focus to potential problem areas.
• Recognize limitations of static analysis:
• May produce false negatives (not reporting problems that actually
exist) and false positives (reporting problems that don't actually
exist).
• Inability to identify certain kinds of security problems, such as
authentication and access control problems and incorrect use of
cryptography APIs.
• Inability to identify some problems due to other data values or
resources not represented in code, such as misconfiguration of the
host platform.
• Inability to analyze some code that would not be able to compile
due to missing libraries, incomplete code, missing resources, and
so forth.
• May provide a false sense that all security problems have been
found.
The Systems Development Life Cycle: SDLC:
• Initiation (considers value, sensitivity, regulatory compliance, • Initiation- Identifying the need for a project
classification, etc. of application/data). • System Concept Development- Defining the project scope and
• Define Functional Requirements (documents user and security boundaries
needs). • Planning- Creating the project management plan
• Design Specifications (system architecture/software designed). • Requirements Analysis- Defining user requirements
• Development/Implementation/Testing (source code and test • Design- Creating a Systems Design Document that describes how
cases generated, quality/reliability addressed). to deliver the project
• Documentation/Program Controls (controls related to editing • Development- Converting the design into a functional system
data, logging, version, control, integrity checks, etc.). • Integration and Test- Verifying that the system meets the
• Certification/Accreditation (independently testing data/code requirements
ensuring requirement are met, data validation, bounds checking, • Implementation- Deploying the system into the production
sanitizing, management's authorization for implementation). environment
• Production/Implementation (systems are live). • Operations and Maintenance- Monitoring and managing the
Build Security into Your Design Processes: system in production
• Be sure that you understand what you are trying to build. Some • Disposition - Migrating the data to a new system and shutting the
developers document the software concept in a "theory of system down
operations" document that describes what the software will do, and Note: The system life cycle (SLC) extends beyond the SDLC to
how it will do it. This may be recorded in more detail in include two:
requirements documents. • Operations and maintenance support (post-installation).
• Identify the environment in which your software will run. • Revisions and system replacement.
• Identify the major modules in your software. Development Methodologies:
• List all of the errors that might occur in various modules, and • Build and fix
how you will deal with them. Lacks architecture design. Problems are fixed as they occur. Lacks
• Resist adding features that are not driven by requirements. a formal feedback cycle. Reactive instead of proactive.
• Obtain, read, and follow secure coding standards defined for the • Waterfall
specific programming languages and environments you use Linear sequential lifecycle. Each phase is completed before
SDLC: continuing.
• Project initiation and planning Lacks a formal way to make changes during a cycle. The project is
• Functional requirements definition completed before collecting feedback and starting again.
• System design specifications • V-shaped
• Development and implementation Based on the waterfall model. Each phase is complete before
• Documentation and common program controls continuing.
• Testing and evaluation control, (certification and accreditation) Allows for verification and validation after each phase. Does not
• Transition to production (implementation) contain a risk analysis phase.
SDLC: • Prototyping
• Request/Gather information Rapid prototyping uses a quick sample to test the current project.
•• Security risk assessment Evolutionary prototyping uses incremental improvements to
•• Privacy risk assessment design. Operational prototypes provide incremental improvements
•• Risk-level acceptance but are intended to be used in production.
•• Informational, functional, and behavioral requirements • Incremental
• Design Uses multiple cycles for development like multiple waterfalls. The
•• Attack surface analysis + Threat modeling entire process can restart at any time as a different phase. Easy to
• Develop introduce new requirements. Delivers incremental updates to the
•• Automated CASE tools + Static analysis software.
• Test/Validation • Spiral
•• Dynamic analysis + Fuzzing + Manual Testing Continual approach to development. Performs risk analysis during
•• Unit, integration, acceptance, and regression testing development.
• Release/Maintenance Future information and requirements are guided into the risk
•• Final security review analysis. Allows for testing early in development.
Note: Fuzz testing used to describe the use of known bad or • Rapid Application Development
randomized inputs to determine what unintended results may Uses rapid prototyping. Designed for quick development. Analysis
occur. and design are quickly demonstrated. Testing and requirements
are often revisited.
• Agile
Umbrella term for multiple methods. Highlights efficiency and
iterative development.
User status describes what a user does and why. Prototypes are
filtered down to individual features.
Systems Development Life Cycle: Security Considerations in SDLC:
• Initiation: During the initiation phase, the need for a system is • Prepare a Security Plan
expressed and the purpose of the system is documented. • Initiation
• Development/Acquisition: During this phase, the system is •• Survey & understand the policies, standards, and guidelines
designed, purchased, programmed, developed, or otherwise •• Identify information assets (tangible & intangible)
constructed. •• Define information classification & the protection level
• Implementation/Assessment: After system acceptance testing, •• Define rules of behavior & security
the system is installed or fielded. •• Conduct preliminary risk assessment
• Operation/Maintenance: During this phase, the system performs • Development/Acquisition
its work. The system is almost always modified by the addition of •• Determine Security Requirements
hardware and software and by numerous other events. •• Conduct risk assessment
• Disposal: Activities conducted during this phase ensure the •• Perform cost/benefit analysis
orderly termination of the system, safeguarding vital system •• Incorporate Security Requirements into Specifications
information, and migrating data processed by the system to a new •• Security planning (based on risks & CBA)
system, or preserving it in accordance with applicable records •• Obtain the System and Related Security Activities
management regulations and policies. •• Develop security test
Systems Development Life Cycle: • Implementation
• Conceptual definition •• Install/Turn on Controls
• Functional requirements determination •• Security Testing
• Control specifications development •• Perform Security Certification & Accreditation of target system.
• Design review • Operation/Maintenance
• Code review walk-through •• Security Operations and Administration
• System test review •• Operational Assurance
• Maintenance and change management •• Audits and Continuous monitoring
Insecure Code Practices: •• Configuration management & performs change control
• Comments in source code • Disposal
• Lack of error handling •• Information transfer or destruction
• Overly verbose error handling •• Media Sanitization
• Hard-coded credentials •• Dispose of hardware
• Race conditions Identify Sources of Security Requirements:
• Unauthorized use of functions/unprotected APIs • User expectations
• Hidden elements • Standards and compliance requirements
• Sensitive information in the DOM • Business requirements
• Lack of code signing • Requirements for platforms, services, and APIs that your
Dynamic Code Analysis: software uses
• Finds problems in code while the code is executing. • Identification of where your software is vulnerable, and identify
• Like static analysis, can be very helpful to see the source of how you will address each vulnerability
quality and security defects. Positive/Negative Test:
• May be performed manually as a series of testing steps by a • Positive Test - Work as expected (Output as per given input -
developer or tester working in the software development goes as per plan)
environment. • Negative Test - Even unexpected inputs are handled gracefully
• Debuggers are a good tool for analyzing code as it runs. with tools like Exception Handlers
• The dynamic analysis may also be scripted and monitored using Coverage Testing:
automated testing tools. For analyzing, you should be aware of the following coverage
testing types:
• Black box testing: The tester has no prior knowledge of the
environment being tested.
• White box Testing: The tester has full knowledge before testing.
• Dynamic Testing: The system that is being tested is monitored
during the test.
• Static Testing: The system that is being tested is not monitored
during the test.
• Manual Testing: Testing is performed manually by hands.
• Automated Testing: A script performs a set of actions.
• Structural Testing: This can include statement, decision,
condition, loop, and data flow coverage.
• Functional Testing: This includes normal and anti-normal tests of
the reaction of a system or software. Anti-normal testing goes
through unexpected inputs and methods to validate functionality,
stability, and robustness.
• Negative Testing: This test purposely uses the system or
software with invalid or harmful data, and verifies that the system
responds appropriately
Code Repository Security: API Security:
• System security • Use same security controls for APIs as for any web application on
• Operational security the enterprise.
• Software security • Use Hash-based Message Authentication Code (HMAC).
• Secure communications • Use encryption when passing static keys.
• File system and backups • Use a framework or an existing library to implement security
• Employee access solutions for APIs.
• Maintaining security • Implement password encryption instead of a single key-based
• Credit card safety authentication.
The Life Cycle of any Process: Forensic:
• Plan and organize The forensic investigation process must demonstrate that
• Implement information handling procedures and actions performed did not
• Operate and maintain alter the original data throughout the custody chain. This may
• Monitor and evaluate include:
Regression and Acceptance Testing include: • Recording the name and contact information of those charged
• Test fixed bugs promptly. with maintaining a chain of custody
• Watch for side effects of fixes. • Details of the timing of the event
• Write a regression test for each bug fixed. • Purpose of moving the data
• If two or more tests are similar, determine which is less effective • Identification of evidence through recording of serial numbers
and get rid of it. and other details
• Identify tests that the program consistently passes and archive • Sealing the evidence with evidence tape
them. • Documenting the location of storage
• Focus on functional issues, not those related to design. • Documenting the movement of the information
• Make changes (small and large) to data and find any resulting Concepts unique to the forensic analysis:
corruption. • Authorization to collect information
• Trace the effects of the changes on program memory. • Legal defensibility
RUM vs. Synthetic: • Confidentiality
• RUM harvests information from actual user activity, making it the • Evidence preservation and evidence security
most realistic depiction of user behavior. • Law enforcement involvement
• Synthetic monitoring approximates user activity, but is not as Forensic Process:
exact as RUM • Identification
Software Acquisition: • Preservation
• Planning • Collection
• Contracting • Examination
• Monitoring • Analysis
• Acceptance • Presentation
• Follow on • Decision
Software Requirements: Generic Computer Forensic Investigation Model:
• Informational model • Pre-process
• Functional model • Acquisition and preservation
• Behavioral model • Analysis
Software Protection Mechanisms: • Presentation
• Security Kernels • Post-process
• Processor privilege states E-discovery Process:
• Security controls for buffer overflow • Information Governance
• Controls for incomplete parameter check and enforcement • Identification
• Memory protection • Preservation
• Covert channel controls • Collection
• Cryptography • Processing
• Password protection techniques • Review
API formats: • Analysis
• Representational State Transfer (REST) - is a software • Production
architecture style, consisting of guidelines and best practices for • Presentation
creating scalable web services.
• Simple Object Access Protocol (SOAP) - is a protocol specification
for exchanging structured information in the implementation of
web services in computer networks.
CSIRT: Data Classification Procedures:
Organizations will often form a cybersecurity incident response • Define classification levels.
team (CSIRT) to help identify and manage information security • Specify the criteria that will determine how data are classified.
incidents. The individuals that make up the CSIRT are trained in • Identify data owners who will be responsible for classifying data.
proper collection and preservation techniques for investigating • Identify data custodian who will be responsible maintaining data
security incidents. National Institute of Standards and Technology and sec. level.
Special Publication (NIST SP) 800-61r2 identifies the following • Indicate the security controls, protection mechanisms, required
models for organizing such a team. for each class level
• Central team One team handles incidents on behalf of the entire • Document any exceptions to the previous classification issues.
organization. • Indicate the methods that can be used to transfer custody of info
• Distributed team For larger or geographically dispersed to diff owner.
organizations, it may be more appropriate to have individual • Create a procedure to periodically review the classification and
CSIRTs for different segments of the organization or different ownership.
geographic locations. • Communicate any changes to the data custodian.
• Coordinating team An overarching central team can be added to • Indicate procedures for declassifying the data.
provide guidance and coordination among distributed teams. • Integrate these issues into the security-awareness program.
CSIRT Tools: Data Collection Limitations:
The CSIRT has a number of tools they can use to help handle • Data collection only for legal and fair means.
security incidents. Keeping the toolkit up-to-date will contribute to • Data collection with the knowledge and approval of the subject.
the CSIRT working optimally. The following table lists a few • Do not use personal data for other purposes.
common examples. • Collection of personal data should be relevant for the purpose.
• The Sleuth Kit (TSK) / Cross-platform • Collected data to be accurate and kept up to date.
• EnCase / Windows • Do not disclose personal data with other parties without the
• Forensic Toolkit (FTK) / Windows permission of the subject.
• Forensics Explorer / Windows • Secure personal data against intentional or unintentional access,
• SANS Investigative Forensic Toolkit (SIFT) / Ubuntu (Linux) use, disclosure,
• Digital Forensics Framework (DFF) / Cross-platform destruction, and modification.
• Computer Online Forensic Evidence Extractor (COFEE) / Windows Note: The following are some of the important privacy-related
• WindowsSCOPE / Windows practices and rules across the
• HashMyFiles / Windows world that provide frameworks and limitations relating to personal
• Volatility / Windows, Linux data.
• TestDisk / Cross-platform • General Data Protection Regulation (European Union)
• Wireshark / Cross-platform • Data Protection Directive (EU)
Data Classification Scheme: • Data Protection Act 1998 (U.K)
• Identify custodian • Data Protection Act, 2012 (Ghana)
• Specify evaluation criteria • Data protection (privacy) laws in Russia
• Classify and label each resource • Personal Data Protection Act 2012 (Singapore)
• Document any exceptions • Privacy Act (Canada)
• Select security controls The goal of Incident Handling and Response Planning:
• Specify the procedures for declassifying • Detects compromises as quickly and efficiently as possible.
• Create enterprise awareness program • Responds to incidents as quickly as possible.
Data Classification: • Identifies the cause as effectively as possible.
• Scope (value, Age) Purpose of Incident Response:
• Classification Controls • Restore normal service
• Assurance • Minimize impact on business
• Marking and labeling • Ensure service quality and availability are maintained
Classify Information: Incident Response:
• Specify the classification criteria • Triage (assesses the severity of the incident and verify)
• Classify the data • Investigation (contact law enforcement)
• Specify the controls • Containment (limit the damage)
• Publicize awareness of the classification controls • Analysis
Classification program: • Tracking
• Define classification level Incident Response:
• Identify owner • Preparation
• Determine security level • Detection -- Identification
• Develop a procedure to declassifying • Response -- Containment
• Mitigation
• Reporting -- Report to Sr. Management
• Recovery -- Change Management & Configuration. Management
• Remediation -- RCA & Patch M. & Implement controls
• Lessons Learned -- Document and knowledge transfer
Incident Response: Incident Response Plans Models:
• Preparation Compliance Driven:
• Detection • Designed to evaluate a response after the fact.
• Containment • Reflects an approach from an audit and compliance (HIPAA,
• Eradication GLBA, PCI-DSS).
• Recovery • Security engineers and analysts do not refer to them during an
• Post Incident Review/Lesson learned incident, except possibly in retrospective reports.
Incident Handling Steps (NIST 800-61): Technical Driven:
• Preparation People • Elaborate playbooks that communicate techniques for data
• Identification Identify analysis and are often unwieldy and intentionally vague about
• Containment Containers accountability.
• Eradication Ending • Developed by security or network engineers, but can be
• Recovery Real frustrating when evaluating a response to reports to the Board of
• Lessons Learned Lives Directors or executives.
Incident Response Process (PIC-ERL): Coordinated (Compliance Driven + Technically Driven):
• Preparation • Provides a framework for activities where they are more
• Identification ambiguous: between teams and roles. The coordinated plan
o Detection/analysis describes communication and authority so they are not in question
o Collection during an incident, but also allows the expertise of a team to be
• Containment applied without micromanagement by the plan.
• Eradication Incident Investigation Methodology:
• Recovery • Analysis and Imaging
• Post-incident • Dead box forensics
o Lessons learned • Volatile data collection
••••• Root cause analysis • Server handling
o Reporting and documentation • Endpoint imaging
Note: Gap analysis includes reviewing the organization’s current • Live system handling (Volatile data collection)
position/performance as revealed by an audit against a given • Write-block
standard. • Controlled forensic boot (Volatile data considerations)
Incident Response Process: Respond Appropriately to Data Breaches:
• Plan for and identify the incident. A data breach should be followed up with an appropriate response.
• Initiate incident handling protocols. For example, you should limit the extent of the leak, you should
• Record the incident. inform those who are affected, and you should remedy any defects
• Evaluate and analyze the incident. or problems that made the breach possible. To avoid this defect:
• Contain the effects of the incident. • Provide continuous monitoring and logging features to monitor
• Mitigate and eradicate the negative effects of the incident. for situations that might indicate personal data leakage and loss.
• Escalate issues to the proper team member, if applicable. • Provide features to warn users of possible suspicious activity in
• Recover from the incident. their accounts.
• Review and report the details of the incident. • Create, maintain, and periodically test an incident response plan.
• Draft a lessons-learned report. • Continuously monitor for personal data leakage and loss.
Incident Response Plans: • When a breach occurs:
A usable IR plan is dynamic enough to address many incidents, but • Validate that the breach occurred.
simple enough to be useful. Some characteristics of a plan are: • Determine the most effective way to prevent further leakage, and
• Brief During an incident, there is little time to read and implement it.
understand large documents and find highlighted portions that may • Assign an incident manager to be responsible for the
be relevant. investigation.
• Clear Incidents are complex and often, are not well understood in • Decide how to investigate and respond to the data breach to
the beginning. ensure that evidence is appropriately handled.
• Resilient Rigid and prescriptive incident response plans can fail • Assemble an incident response team.
when key participants are absent. • Notify affected people as appropriate.
• Living This is not just a plan to be reviewed and (potentially) • Determine whether to notify the authorities as appropriate.
updated once annually. • Remedy any defects or problems that made the breach possible.
Visibility challenges: Threat Modelling:
• Discovering and monitoring assets • Assessment scope
• Seeing and protecting end-user devices oﬀ the network • System Modeling
• Finding vulnerabilities in application code that the organization • Identify Threat
builds itself • Identify Vulnerability
• Identifying weaknesses in IoT devices that could lead to • Exam Threat history
compromise • Impact
• Assessing critical infrastructure systems without disrupting • Response
operations
Information Security Continuous Monitoring: Threat modeling: (STRIDE):
• Define • Spoofing: Attacker assumes the identity of the subject
• Establish • Tampering: Data or messages are altered by an attacker
• Implement • Repudiation: Illegitimate denial of an event
• Analyze • Information Disclosure: Information is obtained without
• Respond authorization
• Review • Denial of Service: Attacker overload system to deny legitimate
• Update access
• Repeat • Elevation of Privilege: Attacker gains a privilege level above what
Capture Security Requirement: is permitted
• Threat modeling Threat
• Data classification DREAD:
• Risk assessments The Microsoft DREAD ranking model builds upon the traditional risk
Threat modeling: model: Risk = Likelihood x
Works to identify, communicate, and understand threats and Impact. For example, suppose you evaluated a particular threat
mitigations within the context of protecting assets of value. STRIDE and assigned a 10-point value to
threat model: System for classifying known threats based on the each of the following questions as shown.
kinds of exploits used or the motivation of the attacker. • Ease of Exploitation:
• Discoverability—How easily can an attacker discover this threat?
(8, relatively easy)
• Reproducibility—How easy is it to reproduce an attack to work?
(10, very easy)
• Exploitability—How much time, effort, and expertise is needed to
exploit the threat? (7, relatively easy)
• Impact:
• Affected Users—What percentage of users would be affected?
(10, affects all users)
• Damage—How great would the damage be in a successful attack?
(9, very high)
Threat Modeling:
• Assessment Scope
• System Modeling
• Identify Threats
• Identify Vulnerabilities
• Examining the Threat History
• Evaluation of Impact on the Business
• Developing a Security Threat Response Plan
Threat Modeling Tools:
• Microsoft - Threat Modeling Tool
• MyAppSecurity - Threat Modeler
• IriusRisk Threat - Modeling Tool
• Scandinavian - securiCAD
• Security Compass - SD Elements
Threat Modeling Process: o Establish ongoing monitoring to identify when
• Define general security objectives and scope new security issues arise over time.
o Know your assets/data (not just physical). o Test the mitigation, in case threats not mitigated
o Collect data such as existing documentation, become security bugs in your bug repository.
policy, framework, guideline, DB, users stories,
errors Check the accuracy of the collected data. Cyber Kill Chain:
o Gather security requirements already defined for • Reconnaissance
you via compliance, government regulations, and • Weaponization
industry standards. • Delivery
o Identify how you can address security and • Exploitation
implement security requirements from a • Installation
regulatory/data privacy perspective. • Command and Control
• Decompose • Actions on Objectives
o Know your organization connectivity models. The Cyber Security Operational Life Cycle:
Ensure that no elements have been forgotten by • DISCOVER: Identify and map every asset across any
identifying sub-components, dependencies and environment. From here you can
interaction points. baseline the current and desired operational state.
o Identify assets an attacker might be interested • ASSESS: With every change, automatically assess the current
in, who should be allowed to access each area, state against the baseline state
and how access is controlled. of the environment, including misconfigurations, vulnerabilities and
o Break up your application/system into conceptual other key indicators of security health, such as out of date antivirus
entry points, components, and boundaries where or high risk users.
an attacker might interact with it. • ANALYZE: Add context to the asset’s exposure to prioritize
o Mark all untrusted data inputs. remediation based on the asset’s business criticality and the
o Diagram how data flows through the severity of the vulnerability.
application/system using data flow diagrams • FIX: Prioritize which exposures to fix first, if at all, and select the
(DFDs). DFD will represent how data moves appropriate
between processes, storage, and external remediation technique, whether it’s a temporary security control or
systems/services. a complete fix.
• Identify and rank threats
Data Exfiltration:
o List all threats categories as possible, e.g.,
• Covert channels
reconnaissance, social engineering, systems
• File sharing services
hacking, web-based threats, malware, hijacking
TOCTOU:
and impersonation, denial of service Mobile-
A type of race condition called Time of Check to Time of Use
based threats, cloud-based threats, etc.
because the problem arises when shared data is changed between
o Existing threats should be identified before
the time when it is initially checked, and when it is used. Race
controls are listed for each threat, but the
conditions are often non-deterministic, meaning that you can't
ranking of those threats will determine which
predict the outcome since it is based on timing. Race conditions are
controls will be implemented. Ranking threats is
often hard to debug, since running in a debugger adds timing
a key because the likelihood or impact of a threat
delays that change the outcome. Prevent race conditions by
may be so low that performing a control is not
preventing multiple simultaneous requests (locking) or through a
worth the cost.
synchronization mechanism.
o Think like an attacker. It is terrible to crash, but
it is worse to have wrong information and not Storage vs. Timing Channels:
even know about it. Examine your application Covert channels can also be thought of in terms of two different
and identify where threats exist such as checking categories: storage and timing. A
return codes, errors, level of access, data sharing covert storage channel includes one process writing to a storage
and all input if possible. location and another process
o Ensure security requirements flow into test cases. reading from that location. A covert timing channel includes one
o Use root cause analysis. process altering system resource so that changes in response time
o Use methodology like STRIDE (Spoofing, can signal information to the recipient process. Some usage of
Tampering, Repudiation, Information Disclosure, covert channels combines both aspects of storage and timing.
Denial of Service, and Escalation of Privileges) to
help you identify and rank threats.
o If you are using third-party components, libraries
and services consider and include their own
threat models.
• Counter each threat
o Follow security design patterns to deal with
specific types of threats.
o Provide countermeasures for each threat you
need to address.
Examples of covert channels include the following: Audit Report:
• Transmitting data over a rarely used port that the firewall does • Purpose
not block. • Scope
• Concealing data in the headers of TCP/IP packets so as to evade • Results discovered or revealed by the audit
signature analysis by intrusion • Problems, events, and conditions
detection systems. • Standards, criteria, and baselines
• Breaking the data up into multiple packets to be sent at different • Causes, reasons, impact, and effect
times in order to evade • Recommended solutions and safeguards
signature analysis. IT security audit is designed to find:
• Transmitting data over a shared resource that is not typically • Malfunctioning controls
used as a communication channel • Inadequate controls
(i.e., file system metadata). • Failure to meet target standards/guidelines
• Transmitting encrypted data that cannot be inspected as it leaves Software-Defined Everything (SDx):
the network. Extension of virtualization that abstracts an application or function
Steganography: from its underlying hardware, separating the control and data
Similar to using a covert channel, one technique for hiding data for planes and adding programmability. Beginning with software-
exfiltration is steganography. Using steganography, an attacker defined networking (SDN), SDx now encompasses software defined
might be able to evade intrusion detection and data loss storage (SDS), software-defined computing, software-defined
countermeasures if they hide information within images or video. security, and software-defined data centers (SDDC), among others.
Modern tools hide digital information so well that the human eye Software-Defined networking (SDN):
cannot tell the difference; likewise, computer programs not • Application
equipped for steganographic analysis may also fail to spot the • Control
hidden information. • Infrastructure
Information Systems Auditor: Software-Defined networking (SDN):
• Audits information security activities for compliance; Verifies • Network administrators can adjust network traffic on the fly.
adherence to security objectives, policies, procedures, standards, • Provide the ability to better detect network traffic anomalies.
regulations, and related requirements. • They add a higher level of complexity to the network that
• Verifies whether information security activities are managed and requires special skills.
operated to ensure achievements of state security objectives.
Communication Characteristics Asynchronous:
• Provides independent feedback to senior management.
• No timing component
Auditing uses: • Surrounds each byte with processing bits
• Record review • Parity bit used for error control
• Adequacy of controls • Each byte requires three bits of instruction (start, stop, parity)
• Compliance with policy
Communication Characteristics Synchronous:
• Detect malicious activity
• Timing component for data transmission synchronization
• Evidence of persecution
• Robust error checking, commonly through cyclic redundancy
• Problem reporting and analysis
checking (CRC)
Audit: • Used for high-speed, high-volume transmissions
The systematic process by which a competent, independent person • Minimal overhead compared to asynchronous communication
objectively obtains and evaluates the evidence regarding assertions
Networking Hardware:
about an economic entity or event for the purpose of forming an
• Modems (converts digital to analog/analog to digital signals)
opinion about and reporting on the degree to which the assertion
• Hubs (operate at the physical layer, retransmit signals)
conforms to an identified set of standards. Audit: Evaluate security
• Repeaters (operate at the physical layer, re-amplify signals)
controls - Report on their effectiveness - Recommend
• Bridges (operate at layer 2, filters traffic)
improvements
• Switches (operate at layer 2, forwards broadcasts and frames)
Audit Plan: • Routers (forwards packets)
• Define audit objectives
Content-Distribution Network (CDN) benefits:
• Define the audit scope
• On-demand scaling
• Conduct audit
• Cost efficiency
• Refine the audit process
• Locality of Content
Audit Process: • Security Enhancement
• Determine goals • Filter out DDOS attacks
• Involve right business unit leader
The main protocols of IPSec suite:
• Determine Scope
• Authentication Header (AH) Provides data integrity, data origin
• Choose audit Team
authentication, and protection from replay attacks
• Plan audits
• Encapsulating Security Payload (ESP) Provides confidentiality,
• Conduct audit
data origin authentication, and data integrity
• Document result
• Internet Security Association and Key Management Protocol
• Communicate result
(ISAKMP) Provides a framework for security association creation
and key exchange
• Internet Key Exchange (IKE) Provides authenticated keying
material for use with ISAKMP
Point-to-Point Tunneling Protocol (PPTP): Data Center Site Infrastructure Tier Standard Topology:
• Works in a client/server model Four-tiered architecture, each progressively more secure, reliable,
• Extends and protects PPP connections and redundant:
• Works at the data link layer  Tier 1: Basic data center site infrastructure (basic
• Transmits over IP networks only protection)
Layer 2 Tunneling Protocol (L2TP):  Tier 2: Redundant site infrastructure capacity components
• Hybrid of L2F and PPTP  Tier 3: Concurrently maintainable site infrastructure
• Extends and protects PPP connections  Tier 4: Fault-tolerant site infrastructure (life-dependent
• Works at the data link layer applications and services)
• Transmits over multiple types of networks, not just IP
• Combined with IPSec for security Temperature and Humidity Guidelines:
IPSec: American Society of Heating, Refrigeration, and Air Conditioning
• Handles multiple VPN connections at the same time Engineers (ASHRAE) Technical Committee 9.9 provides guidelines
• Provides secure authentication and encryption for data center temperature and humidity.
• Supports only IP networks  Temperature: 64.4-80.6°F, 18-27°C (at equipment
• Focuses on LAN-to-LAN communication rather than user-to-user intake)
communication  Humidity: 40% @ 41.9°F (5.5'C) to 60% @ 59°F (15°C)
• Works at the network layer, and provides security on top of IP
Transport Layer Security (TLS): Common Criteria CC:
• Works at the session layer and protects mainly web and e-mail • PP - what the customer needs
traffic • ST - what Vendor provides
• Granular access control and configuration are available • TOE - The actual product
• Easy deployment since TLS is already embedded into web • EAL - Rating which provides Evaluation and Assurance
browsers Note: The EAL is a measure of how thoroughly the security
• Can only protect a small number of protocol types features the product vendor claims the product offers have been
Drawbacks multilayer protocols: tested and reviewed, and by whom. The EAL does not offer any
• Covert channels are allowed true measure of how well those security features will work in a
• Filters can be bypassed production environment, whether those features are preferable to
• Logically imposed network segment boundaries can be other features offered by competing products, or whether the
overstepped product is “good.”
Benefits multilayer protocols: EAL:

• A wide range of protocols can be used • EAL1 - Functionally tested (lowest rating)
• Encryption • EAL2 - Structurally tested
• Flexibility and resiliency • EAL3 - Methodically tested and checked
• EAL4 - Methodically designed, tested and reviewed (medium
MPLS feature:
rating)
• Traffic engineering
• EAL5 - Semi-formally designed and tested
• Better router performance
• EAL6 - Semi-formally verified, designed and tested
• Built-in tunneling
• EAL7 - Formally verified, designed and tested (highest rating)
Two main MPLS routing protocols:
Before selecting a Security Monitoring Tool type:
• Label Distribution Protocol (LDP) - No Traffic Engineering
• It should collect information from numerous sources.
• Resource Reservation Protocol with Traffic Engineering (RSVP-TE)
• It should be able to inter-operate with other systems, such as a
Label Switched Path (LSP) MPLS Router Roles/Positions
help desk or change management program.
are:
• It should comply with all relevant laws and industry regulations.
• Label Edge Router (LER) or "Ingress Node" - The router that first
• It should offer scalable reporting so you get both a high-level and
encapsulates a packet inside an MPLS LSP; Also the router that
low-level perspective on your security
makes the initial path selection.
Security Information and Event Management (SIEM):
• Label Switching Router (LSR) or "Transit Node" - A router that
• Correlation
only does MPLS switching in the middle of an LSP.
• Compliance
• Egress Node - The final router at the end of an LSP, which
• Alert
removes the label.
Generic Routing Encapsulation (GRE) Tunnel
Tunneling protocol developed by Cisco that can encapsulate a wide
variety of network layer protocols inside virtual point-to-point links
over an internet protocol network.
What SIEMs Provide: Tasks may be performed automatically for you with tools
 Data aggregation: Bringing many logs from operating such as SIEMs:
system, network devices, and applications together for • Filter out unnecessary or duplicate data
analysis • Combine sources
 Correlation: Looking for common attributes within the logs • Synchronize events logged in different sources
that may be used to chain together events • Normalize data formats
 Alerting • Store data securely
 Dashboards: Much quicker than reading through reports • Data Collection, Analysis, and Correlation
 Compliance: Can generate compliance reports based on SIEM on Cloud ....the benefits are:
event log data • No capital expenditure
 Retention: Long-term storage - Most SIEMs don't provide • No need to invest on premise machines
long-term storage in an active manner. They tend to • No need to invest in technical support for hardware
offload events after a certain age to an internal archival • No installation charges
area. This is due to the fact that you could end up with • Only fine tuning
billions upon billions of events over time, and most • Upgrades rolled out automatically by the cloud provider
systems cannot manage that much data efficiently. Security Mode:
 Forensic analysis: Searching through logs from many • Dedicated security mode (All users can access all data).
systems by specific date, time, or other criteria • System high-security mode (on a need-to-know basis, all users
can access limited data).
• Compartmented security mode (on a need-to-know basis, all
users can access limited data as per the formal access approval).
• Multilevel security mode (on a need-to-know basis, all users can
access limited data as per formal access approval and clearance).
Prevent SQL Injection (SQLi):
• Perform Input Validation
• Limit Account Privileges
• Use Stored Procedures
In a SQL injection attack, an attacker could:
• Harvest and crack password hashes
• Delete and modify customer records
• Read and write system files
Injection attacks:
SQL injection attack consists of insertion or "injection" of a SQL
query via the input
• HTML injection is a type of injection issue that occurs when a
user is able to control an input point and is able to inject arbitrary
HTML code into a vulnerable web page
• Command injection is an attack in which the goal is the execution
of arbitrary commands on the host operating system via a
vulnerable application
• Code injection allows the attacker to add his own code that is
then executed by the application.
Web App Threats:
• Cookie Poisoning
• Insecure Storage
• Information Leakage
• Directory Traversal
• Parameter/Form Tampering
• DOS Attack
• Buffer Overflow
• Log tampering
• SQL Injection
• Cross-Site (XSS)
• Cross-Site Request Forgery
• Security Misconfiguration
• Broken Session Management
• DMZ attack
• Session Hijacking
• Network Access Attacks
DNSSEC: Social Engineering:
Adds security to DNS by enabling DNS responses to be validated. It’s important for any user to understand social engineering and
DNSSEC uses a process called zone signing that uses digital their tactics. Additionally, by understanding the underlying
certificates to sign DNS records. principles, it becomes easier to avoid being tricked by them. The
Threats to DNS: following sections introduce these principles.
 Footprinting: An attacker attempts to gather all DNS • Authority
records for a domain via domain transfer in order to map • Intimidation
out the target environment. • Consensus / Social Proof
 Denial of Service (DoS): Flooding of DNS servers can • Scarcity
prevent the server from responding to DNS requests. • Urgency
 Redirection: An attacker redirects queries to a server • Familiarity/Liking
under the attacker's control. • Trust
 Spoofing: Also known as DNS poisoning where the Wireless and RF Vulnerabilities:
attacker provides incorrect DNS information for a domain • Evil Twin
to a DNS server, which will then give out that incorrect • Karma Attack
information. • Downgrade attack
• Dauth. Attack
• Fragmentation Attack
• Credential Harvesting
• WPS Implementation Weakness
• Bluejacking
• Bluesnarfing
• RFID Cloning
• Jamming
• Repeating
Basic MALWARE Analysis:
• Malware assessment
• String analysis
• Dependency analysis
• Encountering files with wiped logical data
• Sandbox analysis
• Online malware scanner / sandbox
Basic TCB function:
• Process activation
• Execution domain switching
• Memory protection
• I/O operation
Memory Manager:
• Relocation
• Protection
• Sharing
• Logically Organization
• Physical Organization
Memory Protection:
• DEP (Data Execution Prevention)
• ASLR (Address Space Layout Randomization)
• ACL (Access Control List)
Memory Protection:
• Segmentation
• Paging
• Protection keying
Attacks (Mitigation):
• Eavesdropping (encryption)
• Cyber-squatting (Secure your domain registration)
• SPAM (email filtering)
• Teardrop (patching)
• Overlapping fragment (not allowing fragments to overwrite)
• Source routing Attack (block source-routed packets)
• SYN flood Attack (vendor support in securing network stack)
• Spoofing (patching, firewalls, strong authentication mechanisms)
• Session hijacking (encryption, regular re-authentication)
Attacks Phase: Reduce XSS:
• Gaining Access • Data validation
• Escalating Privileges • Data Sanitization
• System Browsing • Cookies security
• Install Additional Tools • Output Escaping
• Additional Discovery Facility Attacks
WLAN attacks: • Piggybacking
• Confidentiality Attacks • Fence jumping
•• Traffic Analysis • Dumpster diving
•• Eavesdropping • Lockpicking
•• Man-in-the-Middle Attack • Lock bypass
•• Evil Twin AP • Egress sensor
• Access Control Attacks • Badge cloning
•• War Driving Man-in-the-middle:
•• Rogue Access Point • ARP spoofing
•• MAC addresses spoofing • ICMP redirect
•• Unauthorized Access • DHCP spoofing
• Integrity Attacks • NBNS spoofing
•• Session Hijacking • Session hijacking
•• Replay Attack • DNS poisoning
•• Frame Injection Attack Isolating CPU processes:
• Availability Attacks • Encapsulation of objects
•• Denial-of-Service Attack • Time multiplexing of shared resources
•• Radiofrequency (RF) Jamming • Naming distinctions
•• Beacon Flood • Virtual memory mapping
•• Associate/Authentication Flood
Security mechanisms:
•• De-authentication & Disassociation
• I/O operations
•• Queensland DoS / Virtual carrier-sense attack
• Process activation
•• Fake SSID
• Domain switching
•• AP theft
• Memory protection
• Authentication Attack
• Hardware management
•• Dictionary & Brute force attack
Hacking Website: (Deface Websites)
Securing WLANs:
• SQL injection
• Change the default SSID.
• XSS / CSRF
• Implement WPA2 and 802.1X to provide centralized user
• Remote file inclusion
authentication
• Local file inclusion
• Use separate VLANs
• DDOS
• Deploy a wireless intrusion detection system (WIDS).
• Exploiting vulnerability
• Physically put the AP at the center of the building.
• Directory traversal
• Logically put the AP in a DMZ with a firewall between the DMZ
• Command injection
and internal network.
Emergency-Response Guidelines include:
• Implement VPN for wireless devices to use. This adds another
• Immediate response procedures
layer of protection for data being transmitted.
• List of the individuals who should be notified of the incident
• Configure the AP to allow only known MAC addresses into the
• Secondary response procedures that first responders should take
network.
• Carry out penetration tests on the WLAN. ISC2 - Code of Ethics:
• Protect Society, Commonwealth Infrastructure
Threats to the DNS Infrastructure:
• Act honorably, honestly, justly, responsibly and legally
• Footprinting
• Provide diligent, competent service to the Principles
• Denial-of-Service Attack
• Advance and protect the profession
• Data modification
• Redirection Background Checks:
• Spoofing • Credit History
• Criminal History
Attacks against DNS servers:
• Driving Records
• Zone transfer: Information gathering shortcut
• Drug and Substance Testing
• Zone poisoning: Breach primary server and alter the zone file to
• Prior Employment
the corrupt domain
• Education, Licensing, and Certification Verification
• Cache poisoning: Send false answers to cache servers until they
• Social Security Number Verification and Validation
store them
• Suspected Terrorist Watch List
• Reflection DoS: Send bogus requests into a chain of servers that
do recursive queries
Vulnerability management: Penetration Test:
• Inventory • Goal
• Threat • Recognizance
• Asses • Discovery
• Prioritize • Exploitation
• Bypass • Brute-Force
• Deploy • Social Engineering
• Verify • Taking Control
• Monitor • Pivoting
Vulnerability Assessment: • Evidence
• Collect • Reporting
• Store • Remediation
• Organize Penetration Testing:
• Analysis • External testing
• Report • Internal testing
Consideration of vulnerability scanning: • Blind testing - Limited information on the PT team
• Time to run a scan • Double-blind testing - No information to the internal security
• Protocols used team
• Network topology • Targeted testing - Both internal and PT team aware.
• Bandwidth limitations Penetration Testing:
• Query throttling • Reconnaissance
• Fragile systems/non-traditional assets • Scanning
Vulnerability Assessment and Pen Testing: • Gaining Access
• Scope • Maintaining Access
• Information gathering • Covering Tracks
• Vulnerability detection Penetration Testing:
• Information analysis and planning • Performing basic reconnaissance to determine system function
• Penetration testing • Network discovery scans to identify open ports
• Privilege escalation • Network vulnerability scans to identify unpatched vulnerabilities
• Result analysis • Web application vulnerability scans to identify web application
• Reporting flaws
• Cleanup • Use of exploit tools to automatically attempt to defeat the system
Note: Vulnerability assessments should be done on a regular basis security
to identify new vulnerabilities. VA scanners usually don’t have more • Manual probing and attack attempts
than a Reading privilege. Penetration Testing Key Components:
Penetration Test: • Threat Emulation
• Discovery - Obtain the footprint and information about the target. • Attack Surface
• Enumeration - Perform ports scans and resource identification. • Attack Vectors
• Vulnerability mapping - Identify vulnerabilities in systems and • Attack Scenarios
resources. • Methodology
• Exploitation - Attempt to gain unauthorized access by exploiting Penetration Testing Techniques:
the vulnerabilities. • Wardriving/dialing
• Report - Report the results to management with suggested • Eavesdropping
countermeasures • Network sniffing
Main sections defined by the standard as the basis for • Physical security testing
penetration testing execution: • Social engineering
• Pre-engagement Interactions Penetration Testing Rules of Engagement:
• Intelligence Gathering • Identifies and fines the appropriate testing method(s) and
• Threat Modeling techniques with exploitation of the relevant devices and/or services
• Vulnerability Analysis • While scope defines the start and the end of an engagement, the
• Exploitation rules of engagement define everything in between
• Post Exploitation Rules of engagement (ROE) in Pen Test:
• Reporting • Introduction
• Logistics
• Communication
• Targets
• Execution
• Reporting
• Signatures
Types of Penetration Tests:
• Network Penetration Test Red vs. Blue:
• Application Penetration Test Red teams test the effectiveness of a security program or system
• Appliance / Internet Of Things (IoT) Penetration Test by acting like attackers. Red teams are sometimes called tiger
• Enterprise Penetration Test teams. Blue teams are defenders and may operate against red
• Red Team teams or actual attackers.
• Reverse Engineering / Zero-day Research • Red team
Penetration Testing: A red team is an inside group that explicitly challenges a
• Requires one or more objectives for a successful test company's strategy, products, and preconceived notions. It frames
• The scope is based on the attack scenarios a problem from the perspective of an adversary or sceptic, to find
• The effort is ‘time-boxed.’ gaps in plans, and to avoid blunders, the red team simulates the
• Discovers both technical and logical vulnerabilities hackers.
• Reports should be concise • Blue Team
• Recommendations are strategic A blue team is an inside group that works to defend a company's
• Enhances internal security operations processes assets. Ideally, this is a group
There are a few elements that are common to most effective of network security experts, they defend stuff from the hacking
Pen Testing reports: team.
• Preparation: Red Team Operations:
•• Identify the objectives and purpose of the penetration test. • Emulate the tactics of real-world threat actors
•• Consider how best to address the audience you are writing to. • Training of Blue Team / Incident Response staff
•• Ensure that you can place all relevant events in the context of • Actively exercise the full incident response loop
time. • Gauge minimum time to detect, minimum time to recover
• Content: • Post-exploitation offensive data analysis
•• Detail the test methodology you used in your tests. Different types of hackers:
•• Detail the results of each test, identifying specific assets and •White hat—Hacks software primarily for benevolent purposes,
vulnerabilities that you id such as security research, to find ways to improve software
• Provide your analysis and interpretation of the results. security.
• Suggest remediation techniques to employ. •Blackhat—Hacks mainly for criminal purposes (such as extortion,
• Formatting: theft, and cyberterrorism).
•• Format your report to comply with all of the applicable gov. •Gray hat—Doesn’t fit in the other two categories. Primarily
regulations and with standards. motivated by profit, selling information they have uncovered to
•• Write in clear, practical language. Avoid technical jargon. government agencies, for example.
•• Format your report with groups and sections to enhance Firewall:
readability. • 1st generation: Packet filtering firewalls.
• Reviewing: • 2nd generation: application (proxy) firewalls
•• Proofread your document before sending it out. • 3rd generation: state full packet firewalls
•• Ask another expert to provide a second opinion on the report • 4th generation: dynamic filtering
before sending it out. • 5th generation: kernel proxy
Enumeration: Firewall Logs:
• Extracting usernames using emails IDs, default passwords • Connections permitted or denied
• Extracting usernames using SNMP • IDS activity
• Extracting information using DNS zone transfer, Finger OS, and • Address translation audit trail
ports • User activity
Scanning Types: • Cut-through-proxy activity
• DISCOVERY SCANNING: A discovery scan can be performed with • Bandwidth usage
very simple methods, for example, by sending a ping packet (ping • Protocol usage
scanning) to every address in a subnet. More sophisticated The PCI Data Security Standard goals:
methods will also discover the operating system and the services of • Build and Maintain a Secure Network
a responding device. • Protect Cardholder Data
• COMPLIANCE SCANNING: A compliance scan can be performed • Maintain a Vulnerability Management Program
either from the network or on the device (for instance, as a • Implement Strong Access Control Measures
security health check). If performed on the network, it will usually • Regularly Monitor and Test Networks
include testing for open ports and services on the device. • Maintain an Information Security Policy
• VULNERABILITY SCANNING: A vulnerability scan can either test Note: PCI DSS allows for cardholder information at rest to be
for vulnerability conditions or try an active exploitation of the secured with either tokenization or encryption, but the use of one
vulnerability. A vulnerability scan can be performed in a non- is mandatory.
disruptive manner, or under acceptance of the fact that even a test
for certain vulnerabilities might affect the target’s availability or
performance.
Provide Secure Communication in Web Mobile devices are prime vectors for data loss; areas the
• Make sure the network is securely configured, but program as professional should focus on:
though network security will eventually be compromised. • Secure communications
• Use transport layer encryption (e.g., HTTPS, TLS, SSL) whenever • Antimalware
possible—especially for communicating any sensitive data or • Strong authentication
session tokens to APIs and services. • Passwords
• Protect data and requests transmitted between a client and • Control 3rd party software
server. For example, use parameterized queries to avoid • Separate secure mobile gateways
Structured Query Language (SQL) injection. • Lockdown, audits
• Do not send sensitive data over inappropriate channels, such • Penetration tests
SMS, MMS, or notification services. • Mobile security policy
• Account for outside entities (e.g., third-party analytics services, Basic Types of Mobile Threats:
social networks) by using their SSL versions for routines run in the • Denial of service Deny or degrade service to users. Jamming of
browser/webkit. wireless communications, overloading networks with bogus traffic,
• Use strong, industry standard encryption algorithms with ransomware, theft of mobile devices or mobile services.
appropriate key lengths. • Geolocation Physical tracking of users. Passively or actively
• Use certificates signed by a trusted CA provider, and use obtaining accurate three-dimensional coordinates of target,
certificate pinning for security conscious applications. possibly including speed and direction.
• Require SSL chain verification, and establish a secure connection • Information disclosure Unauthorized access to information or
only after you verify the identity of the endpoint server using services.
trusted certificates in the key chain. Interception of data in transit, leakage or exfiltration of users, app,
• Fail safely, blocking communication and alerting the user if the or enterprise data, tracking of user location, eavesdropping on
application detects an invalid certificate. voice or data communications, surreptitiously activating the
• If practical, encrypt sensitive data before providing it to the SSL phone’s microphone or camera to spy on the user.
channel to provide an extra layer of defense in case the SSL/TLS • Spoofing Impersonating something or someone. Email or SMS
layer is compromised. message pretending to be from the boss or colleague (social
engineering); a fraudulent Wi-Fi access point or cellular base
station mimicking a legitimate one.
• Tampering Modifying data, software, firmware, or hardware
without authorization. Modifying data in transit, inserting tampered
hardware or software into the supply chain, repackaging legitimate
apps with malware, modifying network or device configuration
(e.g., jailbreaking or rooting a phone).
Cybersecurity Framework: • Chosen-Ciphertext Attack: Attacker can choose different
• Identify – Develop the organizational understanding to manage ciphertexts to be decrypted and has access to the decrypted
cybersecurity risk to systems, assets, data, and capabilities. The plaintext. This is a harder attack to carry out, and the attacker
activities in the Identify Function are foundational for effective use would need to have control of the system that contains the
of the Framework. Understanding the business context, the cryptosystem
resources that support critical functions, and the related • Adaptive Attacks: Each of the attacks has a derivative with the
cybersecurity risks enables an organization to focus and prioritize word adaptive in front of it. This means that an attacker can carry
its efforts, consistent with its risk management strategy and out one of these attacks, and depend on what is gleaned from the
business needs. Examples of outcome Categories within this first attack, the next attack can be modified. This is the process of
Function include: Asset Management; Business Environment; reverse-engineering or cryptanalysis attacks.
Governance; Risk Assessment; and Risk Management Strategy. • Birthday attack: a Cryptographic attack that exploits the math
• Protect – Develop and implement the appropriate safeguards to behind the birthday problem in the probability theory forces
ensure delivery of critical infrastructure services. The Protect collisions within hashing functions.
Function supports the ability to limit or contain the impact of a • Brute force attacks: continually tries different inputs to achieve a
potential cybersecurity event. Examples of outcome Categories predefined goal. Brute force is defined as “trying every possible
within this Function include: Access Control; Awareness and combination until the correct one is identified".
Training; Data Security; Information Protection Processes and • Buffer overflow: Too much data is put into the buffers that make
Procedures; Maintenance; and Protective Technology. up a stack. Common attacks vector are used by hackers to run
• Detect – Develop and implement the appropriate activities to malicious code on a target system.
identify the occurrence of a cybersecurity event. The Detect • Cross-site scripting: refers to an attack where vulnerability is
Function enables timely discovery of cybersecurity events. found on a website that allows an attacker to inject malicious code
Examples of outcome Categories within this Function include: into a web application
Anomalies and Events; Security Continuous Monitoring; and • Dictionary attacks: Files of thousands of words are compared to
Detection Processes. the user’s password until a match is found.
• Respond – Develop and implement the appropriate activities to • DNS poisoning: Attacker makes a DNS server resolve a hostname
take action regarding a detected cybersecurity event. The Respond into an incorrect IP address
Function supports the ability to contain the impact of a potential • Fraggle attack: A DDoS attack type on a computer that floods the
cybersecurity event. Examples of outcome Categories within this target system with a large amount of UDP echo traffic to IP
Function include: Response Planning; Communications; Analysis; broadcast addresses.
Mitigation; and Improvements. • Pharming: redirects a victim to a seemingly legitimate, yet fake,
• Recover – Develop and implement the appropriate activities to web site
maintain plans for resilience and to restore any capabilities or • Phishing: type of social engineering with the goal of obtaining
services that were impaired due to a cybersecurity event. The personal information, credentials, credit card number, or financial
Recover Function supports timely recovery to normal operations to data. The attacker's lure, or fish, for sensitive data through various
reduce the impact from a cybersecurity event. Examples of different methods
outcome Categories within this Function include: Recovery • Mail Bombing: This is an attack used to overwhelm mail servers
Planning; Improvements; and Communications. and clients with unrequested e-mails. Using e-mail filtering and
Attacks: properly configuring email relay functionality on mail servers can
• Passive Attacks – hard to detect because the attacker is not be used to protect this attack.
affecting the protocol. Examples are Eavesdropping, network • Ping of Death: A DoS attack type on a computer that involves
sniffing, and capturing data as it passes, used to gather data prior sending malformed or oversized ICMP packets to a target.
to an active attack. • Replay attack: a form of network attack in which a valid data
• Active Attacks – Altering messages, modifying system files, and transmission is maliciously or fraudulently repeated with the goal
masquerading are examples because the attacker is actually doing of obtaining unauthorized access.
something. • Replay Attack: an attacker capturing the traffic from a legitimate
• Ciphertext Attacks - The attacker obtains ciphertext of several session and replaying it to authenticate his session
messages, with each message being encrypted using the same • Session hijacking: If an attacker can correctly predict the TCP
encryption algorithm. Attacker’s goal is to discover the key. Most sequence numbers that the two systems will use, then she can
common attacks are easy to get ciphertext, but hardest attack to create packets containing those numbers and fool the receiving
be successful at. system into thinking that the packets are coming from the
• Known-Plaintext Attack - The attacker has the ciphertext of authorized sending system. She can then take over the TCP
several messages, but also the plaintext of those messages. The connection between the two systems.
goal is to discover the key by reverse-engineering and trial/error • Side-channel attacks: Nonintrusive and are used to uncover
attempts sensitive information about how a component works, without trying
• Chosen Plaintext Attack - The attacker not only has access to the to compromise any type of flaw or Weakness. A noninvasive attack
ciphertext and associated plaintext for several messages, he also is one in which the attacker watches how something works and
chooses the plaintext that gets encrypted. More powerful than a how it reacts to different situations instead of trying to “invade” it
known-plaintext attack because the attacker can choose specific with more intrusive measures. side-channel attacks are fault
plaintext blocks to encrypt, ones that might yield more info about generation, differential power analysis, electromagnetic analysis,
the key. timing, and software attacks.
• Smurf attack: A DDoS attack type on a computer that floods the
target system with spoofed broadcast ICMP packets.
• Social engineering: An attacker falsely convinces an individual Prevent Race Conditions:
that she has the necessary authorization to access specific To prevent race conditions:
resources. • Lock the shared resource when the process is modifying it, and
• Spoofing at Login: an attacker can use a program that presents unlock it when the process is done. Note that this approach can get
the user with a fake login screen, which often tricks the user into quite complicated.
attempting to log on • Example: An error occurs in the process that has locked the
• SYN flood: DoS attack where an attacker sends a succession of resource, so you will deadlock other processes that use that
SYN packets with the goal of overwhelming the victim system so resource. In some cases, it may be preferable to leave the
that it is unresponsive to legitimate traffic. resource locked than to continue in an undefined state.
• TOC/TOU attack: Attacker manipulates the “condition check” step • Write code that doesn't depend on side effects. A side effect is
and the “use” step within the software to allow for unauthorized when a function changes a variable outside of its own scope. If
activity. possible, only modify data inside of the local scope of the thread or
• War dialing: war dialer inserts a long list of phone numbers into process.
war dialing program in hopes of finding a modem to gain • Write temporary files in a data store that is available only to a
unauthorized access. single thread or process.
• Wormhole attack: This takes place when an attacker captures • Research best practices for writing multiple threading or multiple
packets at one location in the network and tunnels them to another processing code in the language and system you are developing in.
location in the network for a second attacker to use against a Tools you might use (if available) include semaphores, mutexes,
target system. and others.
• Denial-Of-Service (Dos) Attack: An attacker sends multiple Sandboxing:
service requests to the victim’s computer until they eventually A sandbox is an isolated environment in which untrusted data can
overwhelm the system, causing it to freeze, reboot, and ultimately be tested; Allows for analysis of applications and data in a secure
not be able to carry out regular tasks. environment without risk to the production environment.
• Man-In-The-Middle Attack: An intruder injects herself into an Hardening Best Practices:
ongoing dialog between two computers so she can intercept and  Defense in depth: Use the tools as an additional layer of
read messages being passed back and forth. These attacks can be defense.
countered with digital signatures and mutual authentication  Access control: Tightly control and monitor access to
techniques. these tools.
• Teardrop: This attack sends malformed fragmented packets to a  Auditing and monitoring: Track and validate usage of the
victim. The victim’s system usually cannot reassemble the packets tools.
correctly and freezes as a result. Countersues to this attack is to  Maintenance: Update tools as necessary and follow vendor
patch the system and use ingress filtering to detect these packet recommendations
types.
Review of Network Security Controls:
Guidelines to Prevent Buffer Overflow Defects: • Vulnerability assessments
• Validates user input for type and length to ensure it will not • Network security groups (access lists)
overflow the legitimate data boundaries. • VLANs
• Uses the least privileges possible for the accounts in which your • Access control
processes run. • Use of secure protocols, such as TLS and IPSec
• Is especially careful when passing input parameters to other • IDP/IPS systems
code, especially unmanaged code, DLLs, etc. • Firewalls
• (If you use third-party libraries) uses only libraries that you have • Honeypots
researched very carefully to ensure they are free from buffer • Zoning of storage traffic (like VLANs for storage data)
overflow vulnerabilities. • Vendor-specific security products (VMware vCloud
Prevent Buffer Overread Defects: Networking and Security or NSX products)
• Make sure that the start location for each read operation remains • Keep public data and private data on separate virtual
within the buffer boundaries. switches
• Make sure that the end location for each read operation remains
within the buffer boundaries.
Prevent Uncontrolled Format String Defects:
• You heed compiler messages that warn about potential format
string problems.
• Your software does not create format strings from user input.
Wireless Attack: Common vulnerabilities and threats of Security
• Rogue AP Architecture:
• Interference • Poor memory management
• Jamming • Covert channels (storage and timing)
• Evil Twin • Insufficient system redundancy
• War Driving • Poor access control
• War Chalking • Hardware failure
• IV attack • Misuse of privileges
• WEP/WPA attacks • Buffer overflows
Secure configuration of Hardware devices: • Memory attacks
• Secure build • DoS
• Secure initial configuration • Reverse engineering
• Host hardening - remove all non-needed • Hacking
• Host Patching • Emanations
• Host lockdown • State attacks (race conditions)
• Secure ongoing configuration, maintenance A honeypot can be used:
RFID Attacks: • Gathering threat intelligence
• RFID Counterfeiting • Distracting attackers
• RFID Sniffing • Delaying attackers
• Tracking Endpoint Protection:
• Denial of Service • Built-in firewall functionality.
• Spoofing • Intrusion detection system (IDS) /intrusion prevention system
• Repudiation (IPS) functionality.
• Insert Attacks • Data loss prevention (DLP) functionality.
• Replay Attacks • Application whitelisting / blacklisting functionality.
• Physical Attacks • Full disk encryption.
• Viruses • Management interfaces for configuration of each endpoint or
RFID attacks: groups of endpoints.
• Eavesdropping/Skimming • A centralized in-house server for distributing malware signature
• Traffic Analysis updates.
• Spoofing Note: A discovery tool is a primary component of a DLP solution.
• Denial of Service Attack/Distributed Denial of Service Attack This might be employed for purposes of identifying and collecting
• RFID Reader Integrity pertinent data.
• Personal Privacy DLP Architecture
Attacks on VLAN:  Data in motion (DIM): Network-based or gateway DLP.
• MAC Flooding Attack Monitors SMTP, HTTP, HTTPS, SSH, FTP, etc., for sensitive
• 802.1Q and Inter-Switch Link Protocol (ISL) Tagging Attack data and prevents it from leaving the organization.
• Double-Encapsulated 802.1Q/Nested VLAN Attack  Data at rest (DAR): Storage-based. Used for tracking and
• ARP Attacks identification data as it's installed on the system where
• Multicast Brute Force Attack the data resides. Generally needs another mechanism for
• Spanning-Tree Attack any enforcement.
• Random Frame Stress Attack  Data in use (DIU): Client- or endpoint-based. Resides on
Methods of Cryptanalytic Attacks: users' workstations. Requires great amount of
• Cipher text-Only Attack (Only Ciphertext) management. Not easy to deploy and manage.
• Known Plaintext (Both Plaintext and Ciphertext available)
• Chosen Plaintext (Known algorithm, Adaptive where Plaintext can
be changed) DLP Policy Considerations:
• Chosen Ciphertext (Known algorithm, Adaptive where Ciphertext  What classification of data is permitted to be stored in the
can be changed) cloud?
 Where can this data be stored (geographical locations)?
 How should this data be stored (encrypted)?
 What type of access controls need put in place?
 Who, what, where, when, can data be accessed by or
from?
 When can data leave the cloud, if ever?
Block Storage:
 Primary role of storage is to group disks together into
logical volumes ( LUNs, virtual disks, generic volume
storage, and elastic block storage)
 None of these have a file system when created
 It's up to the OS on the VM to create the file system
Object Storage: General types of viruses:
 Has a flat file system on it • File Infectors – Infects program or object files.
 Provides for simple object storage (files of nearly any • Boot sector infectors – Attach or replace boot records
type) • System Infectors – Attaches to system files or system structure
 Objects are accessible via browser and REST API • Companion virus – Does not physically touch the target file
 AWS refers to these as buckets in their S3 service • Email Virus – Aware of the email system.
 Rackspace offers cloud files • Multipartite – Reproduces in more than one way
 Object storage is typically the best way to store an OS • Macro Virus – Uses macro programming of the app. Infect data
(image) files
 Data can be replicated across multiple object storage • Script Virus – Standalone files that can be executed by an
servers or sites interpreter
 Offer basic file usage, nothing fancy • Script host – .vbs as host to script virus.
RAID:
Some of the RAID protection options are:
• RAID0 – Striped
• RAID 1 withstands failure of one drive within one of the mirrored
pairs. The number of required drives is twice the amount required
to store data.
• RAID2 - Hamming Code requires either 14 or 39 disks
• RAID3 - Striped Set with Dedicated Parity (Byte Level)
• RAID4 - Striped Set with Dedicated Parity (Block Level)
• RAID 5 protection is also available. Data blocks are striped
horizontally across the members of a RAID 5 group, and each
member owns some data tracks and some parity tracks.
• RAID 6 protects data with failures of up to 2 drives per RAID
group.
• RAID1+0 - striped set of mirrored disks
Power:
• Blackout: Generator
• Brownout: (UPS) Uninterruptible Power Supply
• Surge: Surge protector
• Spike: Surge protector
• Noise: Power conditioner
• Clean power: No solution is needed
Hashing:
• MDS Message-Digest Algorithm - 128-bit digest
• SHA - 160-bit digest
• HAVAL
• RIPEMD-160
• Birthday attacks possible
Symmetric Algorithms:
• Data Encryption Standard (DES)
• 3DES (Triple DES)
• Blowfish
• Twofish
• International Data Encryption Algorithm (IDEA)
• RC4, RCS, and RCG
• Advanced Encryption Standard (AES)
• Secure and Fast Encryption Routine (SAFER)
• Serpent
• CAST
Asymmetric Algorithms:
• RSA - factoring the product of two large prime numbers
• Diffie-Hellmann Algorithm
• EI Gamal- discrete logs
• Elliptic Curve Cryptography (ECC)
Encryption:
• Use encryption that is strong enough to protect the data. Masking and Obfuscation:
• But the stronger encryption is, the longer it will take to decrypt. • Data obfuscation is the process of changing data so it
• Whatever encryption you use, it shouldn't slow down doesn't appear to be what it is.
performance unacceptably for most of your users. • Generally used to comply with standards by masking
Other uses for encryption include: sensitive data (SSN, DOB, etc.).
• Non-repudiation • Digital Rights Management (DRM) • Digital • Sometimes used to turn production data into testing data
Signature • Tunneling by masking sensitive data points.
Certificate Revocation: Black/White List:
•Certificates revoked when: • The blacklist is an explicit deny.
•• They expire. • The whitelist is an implicit deny.
•• Security of private key is in doubt. • The blacklist = "If you are on the list, then you are NOT allowed
•CRL in."
•• List issued periodically by CA of certificate serial numbers that • The whitelist = "If you are NOT on the list, then you are NOT
have been revoked. allowed in."
•• Provides reasons for revocation. Client-based vulnerabilities, Client system should have:
•• CRL has a digital signature to prevent spoofing or DoS attacks. • Licensed as running
•• List has a short lifetime. • Current antivirus and antimalware
•OCSP • HIDS
•• Uses HTTP request to obtain revocation status from CA. • Strong encryption
•• Provides faster confirmation than CRL. • Limited accounts without administrative privileges
Cryptography: • Continuous monitoring
• Privacy • Hardened mobile devices
• Authentication Server-based vulnerabilities, Server system should:
• Integrity • Determine how remote access will be established
• Non-repudiation • Check configuration management be performed
Security Concepts: • Control data flow
• Need-to-Know (access only to what's needed to perform Methods for defeating a switch:
task/job). • MAC Spoofing Set the MAC address of a NIC to the same value as
• Separation of Duties (one person cannot execute all steps of another
critical processes or engage in a malicious activity without • MAC Flooding Overwhelm the CAM table of the switch so it
collusion). coverts to hub mode
• Monitor special privileges (audit logs for system operators • ARP Poisoning Inject incorrect information into the ARP caches of
/administrators/data center employees ensure privileged users two or more endpoints.
cannot circumvent security policy, should not have access to their Most important elements that record state data on network
logged activity, conduct background investigations). devices:
• Job rotation (reduces collusion). • Routing tables
• Information lifecycle: (creation, use, destruction of data, • CAM tables
information/data owner helps safeguard data by classifying and • NAT tables
determining its criticality and sensitivity). • DNS cache
Hashing: • ARP cache
• Provides a way to hide sensitive data Logical Security:
• Allows for an integrity check of the data by checking it • Fail Open/Soft (availability is preserved, but data may not be
against the hashed value secure)
• The hashed value in no way can be used to identify the • Fail Secure/Closed (data is secure, but availability is not
original data preserved) Physical Security
• Fail Safe/Open (systems are shut down / entrances unlocked -
humans are safe)
• Fail Secure/Closed (entrances are locked)
• Failover is a fault tolerance (redundancy) concept. If you have
two redundant NICs; a primary and a backup – and the primary
fails, the backup is used.
Database Model should provide:
• Transaction persistence
• Fault tolerance/recovery
• Sharing
• Security controls
Threats to a DBMS include: Token Threats:
• Aggregation (combining data to form sensitive information) • Something you have may be lost, damaged, stolen from the
• Bypass attacks (avoiding controls to access information) owner or cloned by the Attacker.
• Compromising database views (modifying/accessing restricted • Something you know may be disclosed to an Attacker. Attacker
views) might guess a password/PIN.
• Concurrency (processes running at the same time without proper • Something you are may be replicated.
locks) Token Threat Mitigation Strategies:
• Contamination (corruption) • Multiple factors make successful attacks more difficult to
• Deadlocking (denying users who access information at the same accomplish.
time) • Physical security mechanisms may be employed to protect a
• DoS (preventing authorized access) stolen token from duplication.
• Improper modification (accidental/intentional) • Imposing password complexity rules may reduce the likelihood of
• Inference (deducing restricted information by observation) a successful guessing attack.
• Interception of data • System and network security controls may be employed to
• Server access prevent an Attacker from gaining access to a system or installing
• Polymorphism malicious software.
• Polyinstantiation • Periodic training may be performed to ensure the Subscriber
• TOC/TOU (malicious changing data at a certain time) understands when and how to report compromise (or suspicion of
• Web security issues compromise) or otherwise recognize patterns of behavior that may
• Unauthorized access signify an Attacker attempting to compromise the token.
Aggregation vs. Inference: • Out of band techniques may be employed to verify proof of
Inference (understand business, risk analysis, interview owner); by possession of registered devices (e.g., cell phones).
combining multiple reports or source of information, you succeed in Token Threat/Attack:
guessing or making up new information. Aggregation (understand • Theft - Use multi-factor tokens which need to be activated
data and fields); the sum may represent a level of security higher through a PIN or biometric.
than each of the parts. Be aware of these terms: • Duplication - Use tokens that are difficult to duplicate, such as
• Polyinstantiation: Prevents inference attacks hardware cryptographic tokens.
• Database Views: Constrained interfaces, restrictive interface • Discovery - Use methods in which the responses to prompts
• Context-dependent access control: Content dependent controls cannot be easily discovered.
• Noise and perturbation: Addresses inference attacks • Eavesdropping
• Cell suppression: A technique used against the inference •• Use tokens with dynamic authenticators where knowledge of
Noise and perturbation: A technique of inserting bogus information one authenticator
in the hopes of misdirecting an attacker or confusing the matter does not assist in deriving a subsequent authenticator.
enough that the actual attack will not be fruitful. •• Use tokens that generate authenticators based on a token
Tokens - "Synchronous" vs. "Asynchronous": input value.
• Synchronous Dynamic Password Tokens Hardware tokens that •• Establish tokens through a separate channel.
create synchronous dynamic passwords are time-based and • Offline cracking
synchronized with an authentication server. They generate a new •• Use a token with a high entropy token secret
password periodically, such as every 60 seconds. This does require •• Use a token that locks up after a number of repeated failed
the token and the server to have accurate time. activation attempts.
• Asynchronous Dynamic Password Tokens does not use a clock. • Phishing or pharming - Use tokens with dynamic authenticators
Instead, the hardware token generates passwords based on an where knowledge of one authenticator does not assist in deriving a
algorithm and an incrementing counter. When using an subsequent authenticator.
incrementing counter, it creates a dynamic one-time password that • Social engineering - Use tokens with dynamic authenticators
stays the same until used for authentication. Some tokens create a where knowledge of one authenticator does not assist in deriving a
one-time password when the user enters a PIN provided by the subsequent authenticator.
authentication server into the token. • Online guessing - Use tokens that generate high entropy
Token Usage: authenticators.
• Single-token authentication Key States and Transitions:
• Multi-token authentication • The pre-activation state: The key has been generated, but not
Types of tokens for e-authentication: yet authorized for use
• Memorized Secret Token • The active state: The key may be used to cryptographically
• Pre-registered Knowledge Token protect information
• Look-up Secret Token • The deactivated state: The crypto period of the key is expired,
• Out of Band Token but the key still needs to perform cryptographic operations
• Single-factor (SF) One-Time Password (OTP) Device • The destroyed state: The key is destroyed here
• Single-factor (SF) Cryptographic Device • The compromised state: The key is released or determined by an
• Multi-factor (MF) Software Cryptographic Token unauthorized entity
• Multi-factor (MF) One-Time Password (OTP) Device • The destroyed compromised state: The key is destroyed after a
• Multi-factor (MF) Cryptographic Device compromise or the compromise is found after the key is destroyed
Key Management: • PMO manages the methodologies, standards, overall
• Secure generation of keys risks/opportunities, metrics, and interdependencies between
• Secure storage of keys projects at the enterprise level. Supportive, Controlling and
• Secure distribution of keys Directive are the types of PMO structures in organizations.
• Secure destruction of keys • UNILATERAL: this is a special class of contract in which the seller
Secure Key Management: doesn't have to explicitly accept the offer in order for a contract to
• Key Generation: How, when, and on what device keys are be established. This is a unilateral contract, and the best example
generated is a purchase order (PO)
• Key Derivation Constructing cryptographic keys from other keys • Force Majeure Risks, such as Earthquakes, Floods, Acts of
and variables Terrorism, Etc., should be covered under Disaster Recovery
• Key Establishment: Two parties algorithmic computation of Procedures instead of Risk Management.
keying material Quality of Service Metrics:
Secure wrapping and sending keys from one device to another • Availability
• Key Storage: Secure storage of keys (frequently encrypted using • Outage Duration
‘key encryption keys’) and in what type of device(s) • Mean Time Between Failures (MTBF)
• Key Lifetime: How long a key should be used before being • Capacity Metric
destroyed (zeroized) • Performance Metrics
• Key Zeroization: the Secure destruction of key material • Reliability Percentage Metric
• Accounting: Identifying, tracking and accounting for the • Storage Device Capacity Metric
generation, distribution, and destruction of key material between • Server Capacity Metric
entities • Instance Startup Time Metric
Key Management Factors: • Response Time Metric
• Key control measures: Determine who has access to keys and • Completion Time Metric
how they are assigned. • Mean Time to Switchover Metric
• Key recovery: How lost keys are recovered. • Mean Time System Recovery Metric
• Key storage: A secure repository for key assignment records. • Scalability Component Metrics
• Key retirement/destruction: How keys are removed from use and • Storage Scalability Metric
how they are destroyed. • Server Scalability Metric
• Key change: How keys are changed on a periodic basis. Identity and Access Management (IAM) Lifecycle:
• Key generation: How keys are generated to ensure they are • Provisioning: Applying appropriate rights to users for files/folders
random. • Review: Periodic monitoring of existing rights for the continued
• Key theft: What to do when keys have been compromised. need
• The frequency of key use: How to limit the time that keys are • Revocation: Removal of rights when no longer needed warranted
used and frequency of key reuse. Phases of IAM:
• Key escrow—Provides law enforcement and other agencies • Provisioning and de-provisioning
authorized access to encrypted information. Keys may have to be • Centralized directory services
stored at different locations • Privileged user management
Project Management Quick Reference: • Authentication and access management
• The work package is the LOWEST level on a WBS.
• The WBS doesn’t show the order of the work packages or any
dependencies between them.
• WBS Dictionary – Detailed description of the WBS component
• Cost Benefit: Looking at how much your quality activities will cost
• Stakeholders are ONLY the interested entities that are internal or
external to the organization.
• Project life cycle approach is Project governance and is described
in the project management plan.
• Risk and uncertainty are greatest at the start of the project.
• Analysis of project forecasts (including time and cost) is also part
of Performance Reporting.
• Risk appetite is the degree of uncertainty an entity is willing to
take on in anticipation of a reward.
• Risk tolerance is the degree, amount, or volume of risk that an
organization or individual will withstand.
• Risk threshold refers to measures along the level of uncertainty
or the level of impact at which a stakeholder may have a specific
interest.
• Positive and negative risks are commonly referred to as
opportunities and threats.
• Project risk could exist at the moment a project is initiated.
• The procurement SOW describes the prospective sellers if they
are capable of providing the products, services, or results.
Key issues with Identity Services: • Managing the information risk for outsourced services on a day to
• APIs: While IAM vendors offer connectors to the most common day basis
cloud services, they are unlikely to provide all the connectors you • Ensuring that material changes to the relationship are flagged
need. and new risk assessments are performed as required.
• Authorization Mapping: There are many possible ways to specify • Ensuring that proper processes are followed when relationships
authorization rules, such as by role vs. by attribute. are ended.
• Audit: In-house systems can be linked with log management and Contracts with third parties include:
SIEM systems to produce compliance reports and provide • Agreement that the vendor will comply with applicable
monitoring and detection of security events. information security and privacy laws and regulations.
• Privacy: Users, user attributes, and other information are often • Information security and privacy safeguards.
pushed outside your corporate network and into one or more cloud • Right-to-audit
data repositories. • Notification in the event of a data breach.
• Latency: Propagating rule changes from internal IAM to cloud • Where the data will be accessed, stored, and/or processed. It is
IAM can take some time. Latency is a subject to discuss with both important to know the specific locations and ensure that the
your IAM provider and cloud service provider. vendor will notify the primary entity if there is a need to add,
• Privileged User Management: This has been a problem for a long change, or remove a location.
time, and the cloud adds a new wrinkle. Historically privileged • Data return or destruction when a contract terminates.
users were all employees, and if things went pear-shaped, you • Employee background checks/employment verification.
could handle it as an HR event. In the cloud that breaks down. • Expectations for employee training.
• App Identity: Once you have the user logged in you might still • The ability of the vendor to subcontract work.
need to verify the application they are using — or perhaps there is • Business continuity/disaster recovery plans. Within what time
no user at all, just middleware. frame must the vendor’s function be operational in the event of a
• Mobile: mobile connections to cloud services occur outside of the disaster?
boundaries of normal. Third Party Contracts:
• Identity Store Location: If companies are moving their • NDA/NDC
applications and data to cloud services, will they also move existing • Regulatory Compliance
identity stores? • Incident notification
A comprehensive and effective security intelligence process • SLA/SLC
can produce: Evaluate the Third party:
• Faster detection and remediation of threats. • On-Site Assessment
• Improved regulatory compliance. • Document Exchange and Review
• Reduction of fraud, theft, and data leakage. • Process/Policy Review
• Reduction of effort needed to provide security and deal with
Popular services:
fallout related to breaches.
• IaaS: Amazon EC2, Windows Azure, Rackspace (backup)
• The ability to detect potential weaknesses before an exploit
• PaaS: Google App Engine, Cloud Foundry, force.com
actually occurs.
• SaaS: Office 365, Dropbox, salesforce.com, Google Apps
Security Intelligence Collection Lifecycle:
• Cloud management: CloudStack, OpenStack
• Planning and direction
Evaluating Cloud Service Security:
• Collection
• What is the security of the facility running the servers?
• Processing
• Is client data encrypted? If so, what encryption method is being
• Analysis and production
used?
• Dissemination and integration
• Is the cloud provider’s internal system segregated from its
Cloud Service Models:
internet-facing cloud servers?
• Software as a Service (SaaS)
• Does the provider have a security audit they can share with us?
•• Provider's applications run in the cloud
• What safeguards do they employ on their web service interface
•• Clients use thin apps (like a browser) to access SaaS
and/or API?
• Platform as a Service (PaaS)
• Do they back up their data regularly and perform test restores for
•• Client apps deployed into and running in the cloud
proper disaster recovery?
• Infrastructure as a Service (IaaS)
• What general data breach and protection policies are in place?
•• Processing, storage, and network services
• Is client data shared with any third parties?
•• Client controls operating systems and host configurations
Data Retention Policy in Cloud:
Note: You remain accountable and responsible – regardless of any
• Regulation
cloud service used.
• Data mapping
Outsourcing:
• Data Classification
• Ensuring that the organization has appropriate controls and
• Procedures
processes in place to facilitate outsourcing.
• Monitoring and maintenance
• Ensuring that there are appropriate information risk management
clauses in the outsourcing contract.
• Ensuring that a risk assessment is performed for the process to
be outsourced.
• Ensuring that an appropriate level of due diligence is performed
prior to contract signature.
The Cloud Secure (SDLC): Critical issues to cloud security:
• Defining • Data Breaches
• Designing • Weak Identity, Credential, and Access Management
• Development • Insecure APIs
• Testing • System and Application Vulnerabilities
• Secure Operations • Account Hijacking
• Disposal • Malicious Insiders
Cloud computing impacts four areas of Governance and Risk • Advanced Persistent Threats (APTs)
Management: • Data Loss
• Governance includes the policy, process, and internal controls • Insufficient Due Diligence
that comprise how an organization is run. • Abuse and Nefarious Use of Cloud Services
• Enterprise risk management includes managing overall risk for • Denial of Service
the organization, aligned with the organization’s governance and • Shared Technology Issues
risk tolerance. Cloud Risk:
• Information risk management covers managing the risk to • Privileged user access
information, including information technology. • Regulatory compliance
• Information security is the tools and practices to manage risk to • Data Location
information. • Data Segregation
Cloud security – general areas of concern: • Recovery
• Governance and Enterprise Risk Management • Long-term viability
• Legal Issues: Contracts and Electronic Discovery SLA in Cloud:
• Compliance and Audit • Availability
• Information Management and Data Security • Performance (e.g. Maximum response times)
• Portability and Interoperability • Security/privacy of the data (e.g. Encrypting all stored and
• Traditional Security, Business Continuity and Disaster Recovery transmitted data)
• Data Center Operations • Disaster Recovery expectations (e.g. Worse case recovery
• Incident Response, Notification and Remediation commitment)
• Application Security • Location of the data (e.g. Consistent with local legislation)
• Encryption and Key Management • Access to the data (e.g. Data retrievable from a provider in
• Identity and Access Management readable format)
• Virtualization • Portability of the data (e.g. Ability to move data to a different
• Security as a Service provider)
ENISA Cloud Security Document: • The process to identify problems and resolution expectations
• LOSS OF GOVERNANCE; CSP does not commit to the necessary • Change Management process (e.g. Changes – updates or new
task services)
• VENDOR LOCK-IN, the high cost of moving to a different vendor • Dispute mediation process (e.g. escalation process,
• ISOLATION FAILURE: one tenant influences another. consequences)
• COMPLIANCE RISKS: i.e. Audit impossible, or no evidence • Exit Strategy with the expectations of the provider to ensure a
• MANAGEMENT INTERFACE COMPROMISE smooth transition
• DATA PROTECTION; protection cannot be demonstrated
• INSECURE OR INCOMPLETE DATA DELETION Preparing for Cloud Use:
• MALICIOUS INSIDER: i.e. Cloud provider or auditor • Framework for Cloud Governance
Cloud Storage Security: • Planning for Cloud use
• Encryption • Security controls for Cloud use
• Authentication • Security Awareness Training for Cloud Users
• Authorization • Performing due diligence on intended Cloud Service Providers
Security in Cloud Computing: (CSPs)
• Data segregation The CSP Agreement:
• Identity Management • Required services, service levels, uptime, redundancy, recovery
• Availability Management • Confidentiality / Non-Disclosure / Ownership / Access
• Vulnerability Management • Compliance guarantees with notification and penalties for
• Access Control Management violations
Steps to take on the cloud to avoid vendor lock-in: • Breach / Incident detection, notification, response, and
• Do your due diligence remediation
• Plan early for an exit • Prudent management of the CSP business
• Design your application to be loosely coupled • Monitoring, auditing, inspections, maintaining metrics, reports
• Maximize portability of your data Essential characteristics of Cloud:
• Consider a multi-cloud strategy • Resource pooling. Multiple customers
• Implement DevOps tools and processes • On-demand self-service. Unilateral provisioning
Note: A poorly crafted contract can lead to vendor lock-in • Broad network access. Network and client
• Rapid elasticity. Speedy provisioning and deprovisioning
• Measured Service. Pay per use
Cloud Data Life Cycle:  Infrastructure as a Service (IaaS): A computer
• Create: Creation is the generation of new digital infrastructure being delivered as a service. This includes
• Store: Storing is the act committing the digital data compute, storage, network, and internet access. Simply a
• Use: Data is viewed, processed, or otherwise used fully functional virtual environment on which customers
• Share: Information is made accessible to others provision virtual hosts.
• Archive: Data leaves active use and enters long-term storage  Managed service provider (MSP): Managed service
• Destroy: Data is permanently destroyed providers (MSPs) provide various IT services to customers
Identity as a Service IDaaS: such as monitoring, patching, help desk, and network
Identity as a Service (IDaaS) is an authentication infrastructure operations center.
that is built, hosted and managed by a third-party service provider.  Multi-tenant: Having multiple customers using the same
IDaaS can be thought of as single sign-on (SSO) for the cloud. This public cloud. Data is logically separated by security
can provide benefits including integration with cloud services and controls but still runs on the same shared underlying
remove overhead for maintenance of traditional on-premise hardware.
identity systems, but it can also create risk due to the third-party  On-demand services: Service model allowing customers to
control of identity services and reliance on an offsite identity scale their consumed resources without assistance from
infrastructure. An IDaaS solution via a cloud provider usually the provider in real time.
includes the following:  Platform as a Service (PaaS): A cloud-based platform on
• Single sign-on which clients deploy their applications. The CSP will
• Provisioning manage all underlying infrastructure, including operating
• Password management system, compute hardware, and network. The customer is
• Access governance only responsible for managing their application code.
Cloud:  Private cloud: Also known as internal or corporate cloud,
 Anything as a Service (XaaS): The understanding that this cloud compute platform is protected by the corporate
there is a vast amount of services available across the firewall under the control of the IT department, not a CSP.
internet so you don't need to stand up an on-premises Allows the IT department to control the security of the
solution. data and meet regulatory compliance. May be a
 Cloud app: A cloud application accessed across the corporate-owned data center referred to as a corporate
internet, not installed locally. Cloud Application cloud or can also be provided by a CSP offering isolated
Management Platform (CAMP): A specification designed to cloud services.
ease management of applications across public and  Public cloud storage: Cloud storage in which the
private cloud platforms. enterprise and storage services provider are separate and
 Cloud computing: A type of computing that shares the data is stored outside the enterprise data center.
computing resources of remote environments to  Software as a Service (SaaS): Cloud-based software
accomplish work, instead of using local servers. offered to clients accessed across the internet, most often
 Cloud database: A database accessible to clients across as a web-based service. Think web-based applications you
the internet. Also refers to Database as a Service log in to and use.
(DBaaS). These cloud databases use cloud computing to  Vertical cloud computing: The optimization of cloud
achieve optimization, scaling, high availability, and multi- computing and services for a specific industry. An example
tenancy. would be cloud resources for the entertainment industry,
 Cloud enablement: Making cloud services available to a which may have GPUs available to increase compute
client. power for rendering of images and video.
 Cloud management: Software and technology used to Cloud API Security Concern:
monitor and operate cloud environments. These tools help A cloud API is basically used to integrate applications in order to
ensure cloud resources are working optimally. enhance the cloud experience and provide inter-cloud
 Cloud portability: The ability to move applications and compatibility. They are broadly classified into two categories: in-
data between different cloud service providers (CSPs) or process APIs and remote APIs.
between public and private cloud environments. • Ensuring proper security measures to safeguard hypervisor to
 Cloud provisioning: The deployment of cloud services to any sort of security threat.
meet a need. • Careful assessment of the security practices as implemented by
 Cloud service provider (CSP): Company providing cloud the cloud service providers need to be done before adopting any of
services to customers. them
 Desktop as a Service (DaaS): A virtual desktop • Proper SLAs between the customer and the CSP, defining the
infrastructure (VDI), also called a hosted desktop service. organizations’ security requirements that need to be addressed.
Simply a desktop in the cloud you connect to and use with • APIs in use need to be looked after and screened carefully. In the
applications installed on it. current scenario, most of the organizations prefer an integration of
 Enterprise application: Applications or software used by security techniques with their service models. They should be
large organizations. Generally refers to large-scale aware of the security implications associated with the usage of
applications not suited for small business or individual these cloud services. Reliance on weak APIs may jeopardize the
needs. security of important organizational data.
 Hybrid cloud storage: A combination of public and private
cloud storage. Sensitive data will reside in the private
cloud, while other data or applications may reside in the
public cloud.
Provide Secure Password Management: • Do not store passwords, connection strings, or other sensitive
• Send non-temporary passwords only over an encrypted information in cleartext on the client side.
connection or as encrypted data (such as in an encrypted email). • Disable auto-complete features on forms expected to contain
Temporary passwords associated with email resets may be an sensitive information, including authentication.
exception. • Disable client-side caching on pages containing sensitive
• Enforce password complexity requirements established by policy information.
or regulation. • Establish and follow a policy and process for managing encryption
• Prevent password re-use. keys.
• Hide password entry on the user's screen by default. Cloud services are broken down into three capabilities:
• Disable accounts after an established number of failed login  Application capability: The cloud service customer uses
attempts to prevent brute force attacks. the cloud service provider's applications.
• Require the same level of security controls for password reset  Infrastructure capability: The cloud service customer can
and changing operations as you require for account creation and provision and use processing, storage, or networking
authentication. resources.
• Support sufficiently random answers for password reset  Platform capability: The cloud service customer can
questions. deploy, manage, and run their own applications using one
• If using email-based resets, only send email to a pre-registered or more programming languages and one or more
address with a temporary link/password. execution environments supported by the CSP.
• Provide a short expiration time for temporary passwords and
links. Cloud deployment model:
• Require temporary passwords to be changed on the next use. The cloud deployment model you select will be based on:
• Notify users when their password has been reset (outside of the  Risk appetite
application, using their preregistered email address, for example).  Cost
• Enforce password changes based on requirements established in  Compliance and regulatory requirements
policies and regulations.  Legal obligations
• Change all default passwords and user IDs provided with the  Business strategy
development platform or services.
Protect Data in Transit and at Rest: Cloud Computing Roles
• Minimize the need for encryption by eliminating collection and Cloud customer: An individual or organization that uses cloud-
storage of sensitive data as much as possible. based services. Cloud service auditor: A third party that verifies
• Base your selection of cryptographic and key management CSPs are meeting service-level agreements (SLAs). Cloud service
algorithms to use on the objectives of the application, and use the brokerage (CSB): Organization that looks to add value to cloud
most appropriate algorithm suite for the objectives. (Don't default services through relationships with multiple CSPs. They are used to
to simply using libraries that are already available to you.) help customers identify the best cloud solution for them. CSBs
• Implement all cryptographic functions on a trusted system, such sometimes resell cloud services. Cloud service provider: Company
as a server. providing cloud services to customers. Cloud service partner:
• Generate random numbers, random file names, random GUIDs, Includes other roles, such as cloud service auditor and cloud
and random strings using your encryption library’s approved service broker.
random number generator.
• Use encryption libraries that comply with FIPS 140-2 or an
CapEx vs. OpEx:
equivalent standard.
 CapEx:
• Ensure that cryptographic modules fail securely.
Capital expenditure (CapEx) is an upfront investment of a
• Utilize a single standard TLS implementation that is configured
sum of money into a business requirement, such as a
appropriately.
building, server farm, network environment, or network
• Use encryption (such as provided by TLS) to protect all sensitive
operations center (NOC)
information (such as credentials) sent over the network.
 OpEx:
• Pre-encrypt files you must transmit over unencrypted channels.
An OpEx is an operational expenditure where you are
• When encrypted channels fail, do not fall back to an unsecure
paying for a service on a schedule. An example of this
connection, unless you encrypt data before sending.
would be a building lease or utilities. However, this applies
• Make sure TLS certificates are valid and have the correct domain
to services as well, such cloud services or hosting services
name, not expired, and installed with intermediate certificates
 CapEx vs. OpEx:
when required.
Businesses may not have large amounts of capital at their
• Specify character encodings for all connections.
disposal, so instead of building out an on-premises
• Protect all sensitive data stored on the server (include caches and
compute solution that could cost large amounts of money,
temporary copies) from unauthorized access.
they may instead look into a cloud solution. If the
• Remove any sensitive data from the system as soon as it is no
business stands up their compute needs in the cloud, they
longer required.
are paying month to month on only what is needed.
• Purge temporary working files as soon as they are no longer
Whereas, if they built out their on-premises solution, they
needed.
would have to invest large amounts of capital upfront and
• Use strong encryption algorithms.
then pay for ongoing costs, such as electricity, warranties,
• Protect server-side source-code from being downloaded by a
support contracts, and eventually replacement.
user.
Public Cloud Benefits: Security Considerations for SaaS:
 Easy and inexpensive to set up (provider has paid for the  Access control to applications
upfront startup costs)  Controlling devices where application is installed (BYOD)
 Easy to use  Monitoring for availability, security, and audit purposes
 Scalable
 Pay as you go, no wasted resources Security Considerations for PaaS:
 System and resource isolations (due to multitenancy)
Private Cloud benefits:  Access control to applications and permissions
 Increased control over data, underlying systems, and  Secure coding practices for customer build applications
applications  Monitoring for availability, security, and audit purposes
 Ownership and retention of governance controls  Protection against malware
 Assurance of data location, which simplifies legal and
compliance requirements For All of These Cloud Categories:
 Know where your data is
Hybrid Cloud benefits:  Review contracts and SLAs so you know what to expect
 Ability to retain ownership and management of critical  Great reference document for keeping up with web
tasks and processes application vulnerabilities
 Reuse technology already owned  Should read through them and understand prevention
 Control critical business components methods
 Cost-effective by using public cloud for non-critical/non-
compliance functions Cloud Data Life Cycle Phases:
 Use cloud bursting and disaster recovery functions of the There are six phases of the Cloud Data Lifecycle:
cloud  Create: Data creation, acquisition or altering. Preferred
time to classify data.
Abuse of Cloud Services:  Store: Committing data to storage. At this point,
 If willing to pay for resources, attackers can use cloud implement security controls to protect data (encryption,
services for harm, such as: Dictionary attacks, DoS attack access policies, monitoring, logging, and backups).
and Password cracking  Use: Data being viewed or processed not altered. Data is
 CSPs do watch for some of these activities (specifically most vulnerable at this point. Controls such as data loss
DoS) and do work to mitigate them. prevention (DLP), information rights management (IRM),
and access monitoring should be implemented to protect
Data governance terms to be familiar with: data at this phase.
 Information classification: Description of valuable data  Share: Difficult to manage data once it leaves the
categories (confidential, regulated, etc.) organization. DLP and IRM can be helpful to manage what
 Information management policies: What activities are data can be shared.
allowed for different information classifications (cannot  Archive: Data no longer actively used is moved to long-
leave premise, cannot be copied to external media, etc.) term storage. Archived data must still be protected and
 Location and jurisdictional policies: Where can data be meet regulatory requirements.
geographically located and any regulatory or legal  Destroy: Removal of data from a CSP.
concerns
 Authorizations: Who is permitted to access different types Cloud-Based DLP Considerations:
of data  Data movement (replication): Can be challenging for DLP
 Custodianship: Who is responsible for managing specific systems to deal with
data  Administrative access: Discovery and classification can be
difficult in dispersed cloud environments
Important SLA Components in Cloud:  Performance impact: Network or Gateway DLP solutions
 Undocumented single points of failure should not exist. can impact network performance, while workstation DLP
 Migration to another CSP should be permitted within an solutions can slow down endpoints
agreed-upon timeframe.  CSP approval: May need CSP approval to deploy a DLP
 If alternate CSPs cannot provide necessary services, an solution. If it's a hardware solution, this would be hard to
on-premises solution may be required. get approval for. If it's CSP product, no approval is
 Customer should be able to verify data integrity via necessary. If it's software you're deploying into PaaS,
automated controls. then approval is not likely necessary. If deploying a virtual
 Data backup solutions should allow for granular settings. image DLP into IaaS, it's best to check with the CSP.
 Regular reviews of the SLA should occur to ensure cloud
services continue to meet the needs of the business.
Security Considerations for IaaS:

 Controlling network access
 Failover or other redundancy
 Monitoring for availability, security, and audit purposes
 Patching of applications and VM OS
Cloud-Specific Risks: Benefits of Identity as a Service IDaaS:
 Management plane breach: Most important risk because • SSO authentication
this would give the attacker access to the entire • Federation
infrastructure. • Granular authorization controls
 Resource exhaustion: Oversubscription by the CSP may • Administration
result in a lack of resources for your cloud services, which • Integration with internal directory services
may cause an outage • Integration with external services
 Isolation control failure: When one tenant is able to access SSO Technologies:
another tenant's resources or affect another tenant's • Kerberos
resources. • SESAME
 Insecure or incomplete data deletion: Be sure to use • LDAP
crypto shredding. • Microsoft Active Directory
 Control conflict risk: Implementing excessive controls can OAuth Flow:
cause a lack of visibility. • Ask for a request token
 Software-related risk: Software is prone to vulnerabilities • Get Temporary credentials
and must be kept up to date. • Exchange for an access token
 Man-in-the-middle attacks: Cloud solutions increase the
Virtualization Risks:
risk of man-in-the-middle attacks.
• VM Sprawl
• Sensitive Data within a VM
• Security of Offline and Dormant VMs
Multi-cloud: • Security of Pre-Configured (Golden Image) VM / Active VMs
MC is where a business wants to spread their IT across multiple • Lack of Visibility Into and Controls Over Virtual Networks
clouds, public and private to get the required levels of privacy, • Resource Exhaustion
security and resilience, avoiding a single vendor lock-in. However, • Hypervisor Security
adopting a multi-cloud approach introduces many challenges • Unauthorized Access to Hypervisor
around the management and interoperability of applications and • Account or Service Hijacking Through the Self-Service Portal
services. • The workload of Different Trust Levels Located on the Same
Server
• Risk Due to Cloud Service Provider API
Prevent Vulnerabilities in Virtual Machine Infrastructure:
• Make sure that a patch management system is in place.
• Provide the minimum access needed in virtual machines and
virtual networks.
• Log and review user and system activities in the virtual
environment.
• Pay special attention to how you configure virtual networking
devices.
• Consistently capture snapshots or the state of the virtual
environment.
• Carefully monitor the number of virtual machines to avoid VM
sprawl.
• Protect against VM escape
Prevent Vulnerabilities in Virtual Machine Infrastructure Provide Secure Session Management:
• Make sure that a patch management system is in place to ensure • Create session IDs only on trusted systems, such as a server.
that all relevant patches are installed. This is especially important • In session IDs, do not include any information that is descriptive
for any patches released that apply to the virtualization software of the application environment or any user information that would
itself. Also, carefully determine when and if general operating be useful to an attacker performing reconnaissance.
system patches should also be installed on the host and guests. • Make session IDs random and long enough (e.g., 20 bytes or
• Provide the minimum access needed in virtual machines and longer) to prevent guesswork or brute force attacks.
virtual networks to meet requirements. This will limit potential • Use the session management controls provided by the server or
damage if security is breached. Monitor access to all environments framework that use algorithms that produce sufficiently random
on a regular basis to prevent unauthorized access. session IDs.
• Log and review user and system activities in the virtual • Set a restrictive domain and path for cookies containing
environment to check for irregular activity and any possible authenticated session IDs.
security breaches. • Fully terminate the associated session or connection upon logout.
• Pay special attention to how you configure virtual networking • Provide the ability to log out from all pages protected by
devices, enabling network connectivity between systems only when authorization.
necessary. Note that the security capabilities of virtual networking • Establish a session inactivity timeout that is as short as possible
appliances may not be exactly the same as a physical device. For to support business functional requirements.
example, virtual switches in certain modes may fail to isolate traffic • Enforce periodic session terminations, even when the session is
between host and guest or guest and guest in a virtual active, providing warnings to the user as needed.
infrastructure. • Close any sessions established before login and establish a new
• Consistently capture snapshots, or the state of the virtual session after successful login.
environment at a certain point in time, to provide a quick and easy • Generate a new session ID and deactivate the old one
way to recover the entire environment should it be compromised. periodically:
• Carefully monitor the number of virtual machines to avoid VM • Upon reauthentication
sprawl, which occurs when the number of virtual machines exceeds • If the connection security changes from HTTP to HTTPS
the organization's ability to control or manage all of those virtual • Locate session IDs only in the HTTP cookie header, and do not
machines. A compromised VM could easily slip by your notice if expose them in URLs (e.g., GET parameters), error messages, or
you're dealing with VM sprawl. One of the best ways to avoid VM logs.
sprawl is to use a VM lifecycle management (VMLM) solution. VMLM • Within an application, consistently utilize HTTPS rather than
solutions provide you with a centralized dashboard for maintaining switching between HTTP and HTTPS.
and monitoring all of the virtual environments in your organization. • Supplement standard session management for sensitive or
• Protect against VM escape, which occurs when an attacker critical operations such as account management—for example,
executes code in a VM that allows an application running on the VM using per-session strong random tokens or parameters.
to "escape" the virtual environment and interact directly with the • Set the secure attribute for cookies transmitted over a TLS
hypervisor. The attacker may be able to access the underlying host connection.
operating systems and thereby access all other VMs running on • Protect session data on the server from unauthorized access by
that host machine. The best way to protect against VM escape is to implementing appropriate access controls on the server.
ensure that your virtualization software is kept up-to-date. You can • Apply the HttpOnly attribute to cookies, unless you specifically
also attempt to limit the resource sharing functionality between require client-side scripts within your application to read or set a
host and guest. cookie's value.
Authentication and Authorization Protocols: Implement Logging:
• SAML: • Maintain logs on a trusted system, such as a server.
•• Authentication and Authorization/Enterprise • Protect logs from attackers.
•• Single sign-on for enterprise users • Log both success and failure of specified security events.
• SPML: • Ensure log entries that document input data provided by users
•• Account Provisioning/Account Management, SPML paired with will not execute as code within the log viewing interface.
SAML • Include information that will be helpful to security analysts:
• XACML: • Precise time of the event (in UTC format).
•• Control policies • Name or ID of the process that logged the event.
• OAuth: • An informative (if brief) description of the event.
•• Resource Access integrated with OpenID • Name or code for the type of event being logged.
•• API authorization between applications • Do not store sensitive information in logs, including unnecessary
• OpenID: system details, session identifiers, or passwords.
•• Authentication and Authorization/Commercial/Mobile App • Log the types of events that will be helpful to security analysts:
•• Single sign-on for consumers • Potential security violations, such as file upload virus detection,
MDM solutions include: access of unauthorized ports and protocols, and cryptographic
• Device enrollment and authentication. module failures.
• Remote locks and wipe. • Access to protected resources, including the user, the resource
• Locating devices through GPS and other technologies. being accessed, and whether the access attempt failed or
• Pushing out OS, app, and firmware updates to devices. succeeded.
• Preventing root access or jailbreaking of the device. • Session management failures, such as invalid or expired session
• Constructing an encrypted container on devices in which to keep tokens.
sensitive organization data. • Authentication attempts, including the user and whether the
• Restricting certain features and services based on access control attempt failed or succeeded.
policies. • User opt-ins, such as terms of use, consent to use personal data,
Threats in BYOD Environments: email lists, and so forth.
• De-perimeterization • Input validation failures, such as unacceptable length, characters,
• Unpatched and insecure devices and encodings.
• Strained infrastructure • Output validation failures, such as invalid data encoding and
• Forensic complications database record set mismatch.
• Lost or stolen devices • Application and related systems startup and shutdown.
• Data file reads, including what portion of data was read, and who
Management Controls for Privacy and Data Protection
read it.
measures:
• Data file modifications, including what portion of data was
• Separation of Duties
modified, and who modified it.
• Training
• Data file deletion, including what portion of data was deleted, and
• Authentication and Authorization procedures
who deleted it.
• Vulnerability Assessments
• Data attribute modification, such as access permissions, labels,
• Backup and Recovery processes
ownership, including what data was affected, and who modified it.
• Logging
• General errors and system events, such as system exceptions,
• Data-retention control
connection and performance issues, errors reported from external
• Secure disposal
services, file system errors, and backend TLS connection failures.
Data Protection (How To...):
• Performance of any administrative tasks, including changes to
• Physical Security - Locked doors, security guards, access controls
settings and configuration, user account management, changes to
• Network Security - Authentication, authorization, auditing,
privileges, enabling or disabling logging or debugging features,
firewalls, IDS/IPS
viewing user information.
• System Security - Patching, AV, configuration controls, approved
• Network communication, including attempts to use unauthorized
applications
ports and protocols.
• Application Security - Secure coding, code review, design
• Use of any high risk functionality, such as access to payment
standards
cardholder data, data import and export, file uploads, and so forth.
• User Security - Policies, training, provisioning, monitoring,
• Centralize your logging functions in a secure module that handles
enforcement
logs in a consistent way:
• Administrator Security - Policies, supplemental training,
• Uses a cryptographic hash function to validate the integrity of log
provisioning, monitoring, specialized auditing, enforcement
entries.
Logging: • Enables new records to be added, but prevents older records
Make sure you log security events when you implement application from revision or deletion.
logging. System operators and • Uses a standard naming convention for log files, to facilitate
security specialists find this information helpful for: sorting and searching.
• Detecting attacks and other security-related events • Implements functions to automatically verify on a regular basis
• Obtaining data for incident investigation that logging is still active.
• Establishing baselines for security monitoring systems • Restrict unauthorized individuals from accessing logs.
• Tracking repudiation and implementing related controls • Synchronize all logging components with a timeserver that has
• Monitoring policy violations been hardened and isolated from other services.
• Ensure that a mechanism exists to conduct log analysis and that Security of Logs:
logs are written in a readable format. • Control the volume of data
• Make secure offsite backups of logs on a regular basis. • Event filtering or clipping level determines the amount of log
• Delete and dispose of log files properly and in accordance with • Auditing tools can reduce log size
company policy and compliance regulations. • Establish procedures in advance
Data Discovery Approaches: • Train personnel in pertinent log review
• Big data: A way of analyzing very large data sets to • Protect and ensure unauthorized access
extract information • Disable auditing or deleting/clearing logs
• Real-time analytics: Looking for patterns of usage • Protect the audit logs from unauthorized changes
• Agile analytics: Freeform adaptive analysis that focuses on • Store/archive audit logs securely
a single problem and doesn't analyze all of the data Frameworks:
• Business intelligence: Analyzing data and presenting • Zachman Framework - not specific to security architecture
useful information to help decision makers • Sherwood Applied Business Security Architecture (SABSA)
Data Discovery Techniques: Framework - Chain of traceability
• Metadata: Information about the file (owner, size, create • IT Infrastructure Library (ITIL) - service strategy, service design,
date, etc.) service transition, service operations, and continuous service
• Labels: Labels assigned to data by the owner improvement. Processes to allow for IT service management
• Content analysis: Analyzing data content, looking for developed by the United Kingdom’s Office of Government
keywords Commerce
Multi-factor Authentication (MFA): • TOGAF: Model and methodology for the development of
Use multiple factors to authenticate. These factors are based on: enterprise architectures developed by The Open Group
• What they know (password, PIN) • Six Sigma: Business management strategy that can be used to
• What they have (token, card, Yubikey) carry out process improvement
• What they are (biometrics) • Capability Maturity Model Integration (CMMI): Organizational
One-time passwords fall under MFA and are highly encouraged for development for process improvement developed by Carnegie
use with first-time logins. Mellon
Step-up authentication is also used for MFA when accessing a high- Capability Maturity Model (IRDMO):
risk transaction or violations have occurred in the transaction: • Initial Stage - unpredictable, poorly controlled, and reactive
• Challenge questions • Repeatable Stage - characterized for projects, repeatable
• Out-of-band authentication (SMS, text, phone call, etc.) • Defined Stage - characterized by the entire organization and is
• Dynamic knowledge-based authentication (question proactive.
unique to the individual, previous address, etc.) • Managed Stage - quantitatively measured and controlled
• Optimizing the Stage - continuous improvement. (Budget)
Capability Maturity Model (IRDMO):
• Level 1: Initial - The software development process is
characterized as ad-hoc. Success depends on individual effort and
heroics.
• Level 2: Repeatable -Basic project management (PM) processes
are established to track performance, cost, and schedule.
• Level 3: Defined - Tailored software engineering and
development processes are documented and used across the
organization.
• Level 4: Managed - Detailed measures of product and process
improvement are quantitatively controlled.
• Level 5: Optimizing - Continuous process improvement is
institutionalized.
Other Maturity Models: SOC report may cover a shorter period of time, such as six
• DevOps Maturity Model: Another way to think of an organization’s months. A SOC report may also cover only the design of controls at
maturity (at least in terms of software development) is to consider a specified point in time for a new system/service or for the initial
how effective it is at integrating its development and operations examination (audit) of a system/service.
teams (DevOps). This model is noteworthy in that it focuses on • SOC1: Focused on Financial Controls
culture and people in addition to development and business issues. • SOC2: Focused on CIA and Privacy -- Private
• Open Source Maturity Model (OSMM): For organizations that • SOC3: Focused on CIA and Privacy – Public
embrace open-source software, the OSMM allows them to measure SOC :
and improve the effectiveness of their processes. The focus here is • The purpose of a SOC 1 report scope should cover the
not just on developing (or even just using) open-source software, information systems (both manual and automated) processes that
but on being part of the are utilized to deliver the services under review. There are two
movement by developing it, using it, and actively participating in types of SOC 1 reporting options:
the community. •• SOC 1 Type 1: A design of controls report. This option
• Software Product Management Maturity Model: This model evaluates and reports on the design of controls put into operation
focuses on the business issues surrounding the development of as of a point in time.
software products. For example, it considers issues like market •• SOC 1 Type 2: Includes the design and testing of controls to
conditions, product lines and portfolios, and partnering report on the operational effectiveness of controls over a period of
agreements. time (typically 12 months).
DevOps: • The purpose of a SOC 2 report is to evaluate an organization’s
DevOps and cloud computing work together to help organizations information systems relevant to security, availability, processing
bring new services and applications to market more quickly, at less integrity, confidentiality, and/or privacy.
cost. DevOps is about streamlining the development, while cloud •• SOC 2 Type 1: Reports concern policies and procedures that
oﬀers on-demand resources, automated provisioning, and easy were placed in operation at a specific moment in time.
scaling, to accommodate application changes. Many DevOps tools •• SOC 2 Type 2: Reports concern policies and procedures over a
can be acquired on-demand in the cloud or as part of a larger cloud period of at least – systems must be evaluated (normally 6 – 12
platform. To support hybrid cloud deployment (workloads with an months in duration).
ability to move between clouds), enterprises should select DevOps This generally makes SOC 2 type 2 reports more comprehensive
platforms with an interface to the cloud providers they will use. and useful than type I reports when considering a possible service
DevOps promotes lean and agile delivery of quality software that provider’s credentials.
adds value to business and customers. SOC 2 framework includes 5 key sections:
DevOps reference: • Security - The system is protected against unauthorized physical
• Plan and measure and logical access.
• Develop and test • Availability - The system is available for operation and use as
• Release and deploy committed or agreed.
• Monitor and optimize • Processing Integrity - System processing is complete, accurate,
DevOps Principles: timely, and authorized.
• Develop and test against production-like systems • Confidentiality - Information designated as confidential is
• Deploy with repeatable, reliable processes protected as committed or agreed.
• Monitor and validate the operational quality • Privacy - Personal information is collected, used, retained,
• Amplify feedback loops disclosed, and destroyed in conformity with the commitments in
DevOps Practices: the entity’s privacy notice.
• Release planning Information Security Strategies:
• Continuous integration • Strategic planning – Long-term (3 to 5 years) and must be
• Continuous delivery aligned with business objectives.
• Continuous testing • Tactical planning – Short-term (6 to 18 months) used to achieve
• Continuous monitoring and feedback specific goals. May consist of multiple projects.
Note: DevOps and cloud computing work together to help • Operational and project planning – Specific plans with milestones,
organizations bring new services and applications to market more dates, and accountabilities provide communication and direction for
quickly, at less cost. DevOps is about streamlining the project completion.
development, while cloud offers on-demand resources, automated Confinement, Bounds, and Isolation:
provisioning, and easy scaling, to accommodate application • Confinement- restricts a process to reading from and writing to
changes. Many DevOps tools can be acquired on-demand in the certain memory locations.
cloud or as part of a larger cloud platform. To support hybrid cloud • Bounds - are the limits of memory a process cannot exceed when
deployment (workloads with an ability to move between clouds), reading or writing.
enterprises should select DevOps platforms with an interface to the • Isolation - is the mode a process runs in when it is confined
cloud providers they will use. through the use of memory bounds.
SOC:
SOC reports most commonly cover the design and effectiveness of
controls for a 12- month period of activity with continuous
coverage from year to year to meet user requirements from a
financial reporting or governance perspective. In some cases, a
Markup Language: Establish Information and Asset Handling Requirements:
• GML: Generalized Markup Language - a Top level markup • Secure disposal of media: Media containing sensitive data has to
language be disposed off in a secure manner. Shredding in the case of paper
• SGML: Standardized Generalized Markup Language - Derived documents and pulverizing in the case of digital media are some of
from GML the methods used in media disposal.
• SPML: Service Provisioning Markup Language -Allows exchange • Labeling: Appropriate labeling is important for sensitive data
of provisioning data between systems. SPML: XML based format for without disclosing the type of
exchanging user and resource information and controlling content.
provisioning. • Access Restrictions: Understand the principle to adopt in
• SAML: Security Assertion Markup Language - Standard that designing and implementing access restrictions to sensitive data.
allows the exchange of Authentication and Authorization data to be • Authorized Recipient’s Data: Recipients who are authorized to
shared between security domains. SAML can expose the system to access the data should be documented and approved.
poor identification or authorization. SAML: provides an XML-based • Storage of media: Media storage should be accordingly
framework for exchanging security-related information over manufacturers' specifications and industry best practices.
networks. • Data Distribution: Appropriate controls should be established to
• XACML: Extensible Access Control Markup Language - Used to ensure that the data is distributed only to approved and authorized
express security policies and access rights provided through web personnel with respect to the authorized recipient's list.
services and applications • Clear Marking Marking on sensitive data has to be clear and
• XML: Can include tags to describe data as anything desired. understandable for appropriate
Databases from multiple vendors can import and export data to identification and handling. Marking may use codes to compare
and from an XML format, making XML a common language used to labeling that may only
exchange information. XML is vulnerable to injection attacks. XML be used for identification purposes.
is a universal format for storing information. • Review of Distribution Lists: Periodic review of the distribution
Life Cycle of Evidence: lists is necessary to ensure that the data is shared only with
• Collection and Identification authorized individuals.
• Storage, preservation, and transportation • Publicly Available Sources: Suitable controls should be proven to
• Presentation in court ensure that sensitive data is not disclosed or posted to publicly
• Return of the evidence available repositories or websites.
Equipment Life Cycle: Media control:
• Defining requirements • Accurately and promptly mark all data storage media
• Acquiring and implementing • Ensure proper environmental storage of the media
• Operations and maintenance • Ensure the safe and clean handling of the media
• Disposal and decommission • Log data media to provide a physical inventory control
Decommissioning: Steps Data retention:
When an organization decides to decommission a system or service • Evaluate Statutory Requirements, Litigation obligations, and
or when they reach the end of their service life, these services business needs
must be decommissioned without leaving data, other systems, or • Classify types of records
personnel at risk. Systems and services must be properly • Determine retention periods and destruction policies
terminated to eliminate the risk to remaining systems. There are • Draft and justify record retention policy
some steps in the process of decommissioning with conversion • Train staff
outlined below: • Audit retention and destruction practices
• Migration Plan • Periodically review policy
• Perform Migration • Document policy, implementation, training, and audits
• Decommissioning Plan Retention policies should address:
• Perform Decommissioning • Storage
• Post Decommissioning Review • Retention
Data Removal: • Destruction / Disposal
• Erasing: delete operation Documentation:
• Clearing: overwriting operation All kind of documentation should be subject to an effective version
• Purging: more intensive form of clearing by repetition control process as well as a standard approach to marking and
• Declassification: purge media to be suitable for use for the secure handling; and conspicuously labeled with classification level,
environment revision date and number, effective dates, and document owner.
• Sanitization: combination of a process that removes data from a General Data Backup Considerations:
system or media • The scope of Backups/ Total size
• Degaussing: use of a strong magnetic field • Importance
• Destruction: crushing, Incineration, Shredding, disintegration • Security
Data Archiving: • Frequency of change
• Format • Recovery time
• Regulatory requirements • Testing the Integrity of Backups
• Testing
Sensitivity vs. Criticality: Major control components of industrial control systems
• Sensitivity describes the amount of damage that would be done (ICS):
should the information be disclosed • Control Server
• Criticality describes the time sensitivity of the data. This is • SCADA Server or Master Terminal Unit (MTU)
usually driven by the understanding of how much revenue a • Remote Terminal Unit (RTU)
specific asset generates, and without that asset, there will be lost • Programmable Logic Controller (PLC)
revenue • Intelligent Electronic Devices (IED)
Factors effective Biometrics Access Control System: • Human-Machine Interface (HMI)
• Accuracy • Data Historian
• Speed/Throughput • Input / Output (IO) Server
• Data storage requirements Platform vulnerabilities in industrial control systems (ICS):
• Reliability • Platform Configuration Vulnerabilities
• Acceptability • Platform Hardware Vulnerabilities
Downsides biometric: • Platform Software Vulnerabilities
• User acceptance • Platform Malware Protection Vulnerabilities
• Enrollment timeframe Developing a Comprehensive Security Program for (ICS):
• Throughput • Obtain senior management buy-in
• Accuracy over time • Build and train a cross-functional team
Defense-in-depth strategy: • Define charter and scope
• Developing security policies, procedures • Define specific ICS policies and procedures
• Addressing security throughout the lifecycle • Define and inventory ICS assets
• Implementing a network topology has multiple layers • Perform a risk and vulnerability assessment
• Providing logical separation between the corporate and network • Define the mitigation controls
devices • Provide training and raise security awareness for ICS staff
• Employing a DMZ network architecture ICS Security:
• Ensuring that critical components are redundant and are on • Disable unnecessary ports & services
redundant networks. • Network Segmentation
• Designing critical systems for graceful degradation (fault • Enforce Encryption where applicable
tolerant) • Enforce patch management
• Disabling unused ports and services • Risk management application to ICS
• Restricting physical access to network and devices. • Implementation of least privileges policy
• Restricting user privileges • Audits
• Considering the use of separate authentication mechanisms and • Redundancy & Fault Tolerance
credentials Big Data:
• Using modern technology Data collections that are so large and complex that they are
• Implementing security controls difficult for traditional database tools to manage. Businesses are
• Applying security techniques often prompted to restructure their existing architecture to handle
• Expeditiously deploying security patches it.
• Tracking and monitoring audit trails Big Data:
Physical Security: Cloud Secure Alliance (CSA) has categorized the different security
• Protecting life is the primary goal of physical security and privacy challenges into four different aspects of the Big Data
• Physical security helps prevent operational interruptions ecosystem. These aspects are Infrastructure Security, Data
• The primary goal of the physical program is facility access control Privacy, Data Management and, Integrity and Reactive Security.
• Arrange barriers in layers with progressive security closer to Each of these aspects faces the following security challenges,
center/highest protective area according to CSA:
• Conduct a security risk/vulnerability assessment to identify • Infrastructure Security
threats (natural and man-made) to assets and impacts of the loss •• Secure Distributed Processing of Data
• During assessment address security control during/after hours, •• Security Best Actions for Non-Relational DataBases
access control, surveillance, policies/procedures, BCP, etc. • Data Privacy
• Apply defense in depth •• Data Analysis through Data Mining Preserving Data Privacy
System engineering management: •• Cryptographic Solutions for Data Security
• Decision Analysis •• Granular Access Control
• Technical Planning • Data Management and Integrity
• Assessment Requirements •• Secure Data Storage and Transaction Logs
• Configuration, Interface •• Granular Audits
• Technical Data •• Data Provenance
• Risk Management • Reactive Security
Industrial control system key-components (ICS): •• End-to-End Filtering & Validation
• Control Loop •• Supervising the Security Level in Real-Time
• Human-Machine Interface (HMI)
• Remote Diagnostics and Maintenance Utilities
Common threats to Big Data: Machine learning (ML), Blockchain and artificial intelligence
• Breach of privacy (AI):
• Privilege escalation Using pattern recognition and computational learning to
• Repudiation make predictions. Many cloud vendors are now offering ML and AI
• Forensic complications as a service. Cloud vendors have the resources to build out
Secure life cycle for big data environments suited for this type of data analysis.
The life cycle of big data has six main stages: creation and Blockchain: A protocol that uses a decentralized framework to
discovery, access and data flow, process, share, store, and maintain integrity within the data Cloud was originally the
destroy. offloading of service from on-premises to a cloud vendor's
• The key challenges in creation and discovery are: premises where customers use resources from one or more data
•• Identifying all endpoints in the network centers. Blockchain could be used to manage globally distributed
•• Identifying intellectual property and determining the value workloads between data centers so that the data resides in
and business impact of each data in the big data cluster. multiple data centers at once. Not only would this allow for a new
•• Defining data provenance. type of decentralized cloud, but it would also be used to guarantee
• The security challenges in access and data flow are: integrity of the data.
•• Implementing security in distributed frameworks. Quantum computing:
•• Implementing granular access controls Quantum computing gets its massive compute power by tapping
•• Defining security controls for non-relational data sources. into quantum physics and not the use of micro-transistors.
•• Identifying end-to-end data flow. Traditional computing uses the values of 0 and 1 in bits, but
• Security challenges while data processing are: quantum computing can store multiple values in qubits. Vendors
•• Implementing scalable, privacy and security during data such as Rigetti, Google, IBM, and Microsoft have made quantum
mining and data analytics. CPUs, but they are still in the infancy of the projects and are
•• Implementing granular data audits. working to build applications that can take advantage of the
• The security challenges while sharing data are: processing power so they can measure the processing power.
•• Implementing granular data audits. Eventually, cloud service providers will offer quantum computing
•• Implementing reactive security to secure the integrity services to their customers. We can only imagine that with the
• The security challenges while storage data are: shared resource framework, providers will be able to offer quantum
•• Implementing secure data storage and transaction data computing services at a much more affordable rate than
logs and files. attempting to purchase a quantum computing server.
• Data disposal is the most crucial stage in the life cycle of big Artificial Intelligence, Machine Learning and Deep Learning:
data. Data in the wrong hands may be catastrophic. Organization- • Artificial intelligence: Any technique which enables computers to
level security policies to implement secure data disposal methods mimic human behavior
and removal of access rights on employee/user exit interviews • Machine Learning: Subset of AI techniques which use statistical
should be in place to ensure the data is available only to authorized methods to enable machines to improve with experiences.
users. • Deep Learning: Subset of ML, which make the computation of
Challenges of current Big Data: multi-layer neural networks feasible.
• There are limited levels of protection in the majority of Artificial Intelligence (AI):
distributed systems computations. • Expert Systems
• Security solutions are not being able to tackle the demand with • Artificial Neural Networks
several non-relational databases constantly • Real Neural Networks
• There is a lack of appropriate security processes for the transfer • Bayesian Filtering
of automated data. • Genetic Algorithms and Programming
• System updates, audits, patches are not always carried out. AI/ML projects:
• Information coming in should be constantly validated, to ensure They are heavily based on data, and often that data involves
its credibility and accuracy personally identifiable information (PII), which must be protected
• The attack on systems that contain sensitive information of the to ensure the privacy of the people described by that data. PII is
customers can put the customers at risk. associated with an individual person, such as an employee,
• Some organizations do not deploy any kind of access controls to customer, or patient. PII can be used to uniquely identify, contact,
differentiate between the confidentiality or locate an individual. Examples include a person's name, email
• Monitoring and tracking of systems are difficult with the current address, home address, Social Security number (even if it's just
scale of Big Data application. the last 4 digits), and so forth.
OWASP Top 10 IoT Vulnerabilities: • Requires users to change passwords periodically and not reuse
• Insecure Web Interface old passwords.
• Insufficient Authentication/Authorization • Does not log passwords entered on failed login attempts. Since a
• Insecure Network Services legitimate user may occasionally mistype their password, keeping a
• Lack of Transport Encryption/Integrity Verification log of "almost correct" passwords can provide clues to an attacker
• Privacy Concerns who manages to gain access to a compromised security log.
• Insecure Cloud Interface • Blocks repeated failed attempts. Brute force attacks are
• Insecure Mobile Interface facilitated when different passwords can be tried repeatedly and
• Insufficient Security Configurability quickly. Disable the account (at least temporarily) after a few failed
• Insecure Software/Firmware logins, log a security event, and notify system operators that an
• Poor Physical Security attack may be underway. Help users monitor their own account
Following is OWASP's list of the Top 10 Privacy Risks: security. For example, when users successfully log in, show them
• P1: Web Application Vulnerabilities the date and time they last logged in, as well as the number of
• P2: Operator-sided Data Leakage failed access attempts on their account since the last login.
• P3: Insufficient Data Breach Response • Provides a single, careful mechanism through which passwords
• P4: Insufficient Deletion of Personal Data can be changed. Require users to re-authenticate (using their
• P5: Non-transparent Policies, Terms and Conditions current password) when changing their password (or any other
• P6: Collection of data not required for the primary purpose account information), even if they are already logged in.
• P7: Sharing of data with third party • Does not store passwords. If you must validate a password, store
• P8: Outdated personal data a hash, not the password itself.
• P9: Missing or Insufficient Session Expiration Provide a Secure Web Interface
• P10: Insecure Data Transfer To avoid this defect, make sure web-based administrative
OWASP: consoles:
The Open Web Application Security Project (OWASP) has • Are configured to install with the safest default settings,
incorporated these principles into its list of ten "Security by Design assuming that many users will not change the configuration.
Principles” The principles are: • Enable default user names and passwords to be changed, and
• Minimize attack surface area. prompt the user to do so upon first use.
• Establish secure defaults. • Require strong passwords.
• Least privilege. • Provide an account lockout feature after a certain number of
• Defense in depth. failed access attempts.
• Fail securely. • Do not include common web vulnerabilities (XSS, CSRF, SQL
• Don't trust services. injection, and so forth).
• Separation of duties. • Use HTTPS to protect transmitted information.
• Avoid Security by Obscurity. • Use web application firewalls.
• Keep security simple. • Provide a means to receive upgrades and security fixes.
• Fix security issues correctly • Adhere to all general patterns for preventing web vulnerabilities.
OWASP threat risk modeling process steps: Provide Secure Authentication
• Identify Security Objectives • Require authentication for all pages and resources that are not
• Survey the Application meant to be public.
• Decompose it • Reauthenticate users prior to performing critical operations.
• Identify Threats • Authenticate all connections to external systems involving
• Identify Vulnerabilities sensitive information or functions.
Provide Secure Authentication and Session Management • Enforce all authentication controls on a trusted system, such as a
When authentication and session management are implemented server.
incorrectly, an attacker can compromise passwords, keys, or • Use standard, tested authentication services whenever possible.
session tokens, or exploit other implementation flaws to assume • If using third-party code for authentication, inspect the code
the identity of another user. Resources used to establish and carefully to ensure it does not contain malicious code.
maintain secure sessions (such as Session IDs, passwords, and • Use a centralized implementation for all of your authentication
other credentials) must be properly protected. If attackers obtain controls.
control of these resources, they can gain privileged access, like an • Keep authentication logic separate from the resource being
authorized user. To avoid authentication and session management requested.
defects, make sure your software: • Use redirection to and from the centralized authentication
• Bases its authentication and session management capabilities controls.
upon a single set of strong authentication and session management • Ensure that authentication controls fail to the most secure state.
controls. Instead of writing your own routines to authenticate, • Ensure that administrative and account management functions
create and end sessions, store tokens, and so forth, consider using are at least as secure as the primary authentication mechanism.
well-tested libraries and frameworks such as the ESAPI • Use strong hashing algorithms for credential stores.
Authenticator and User APIs provided by OWASP. • Ensure that the credential store is writeable only by the
• Requires strong passwords. More complex passwords are harder application.
to identify through brute force or automated methods. For • Validate authentication data only after all inputs are provided,
example, you might require a minimum length and the use of especially for sequential authentication implementations.
alphabetic, numeric, and special symbols in a user's password. • When an authentication fails, give no clues as to which part of
the authentication data was incorrect. For example, show no
differences between the message displayed for incorrect user name IoT Attack Areas:
and incorrect password. The following are the most common attack areas for IoT network:
• Encrypt and store authentication credentials that your software • Access Control.
uses to access external services in a protected location on a • Firmware Extraction.
trusted system—not within the source code. • Privileges Escalation.
• Use only secure channels to transmit authentication credentials— • Resetting to an insecure state.
for example, use a POST request over HTTPS. • Web Attacks.
• Disable "remember me" functionality for password fields. • Firmware Attacks.
• Report the date and time of the last successful or unsuccessful • Network Services Attacks.
login attempt of a user account to the user at the next successful • Unencrypted Local Data Storage.
login. • Confidentiality and Integrity issues.
• Monitor the system for attacks against multiple user accounts • Cloud Computing Attacks.
that use the same password. • Malicious updates.
• Use multifactor authentication for highly sensitive or high value • Insecure APIs.
transactional accounts. • Mobile Application threats.
• Do not permit concurrent logins using the same ID. Securing IoT: (Seven Steps to Minimize IoT Risk in the
Physically Secure IoT Devices: Cloud)
IoT devices should be protected from direct physical access by an • Secure Cloud Infrastructure
attacker. Make sure your devices: • Leverage Standards-Based Best Practices
• Provide external ports (e.g., USB) only when absolutely essential. • Design for Security
• Limits access to external ports (through an authentication • Secure IoT Devices
process, for example). • Secure Device Connections
• Have operating systems that are properly protected. • Secure IoT Services and Apps
• Can be configured to limit administrative capabilities, preferably • Secure Users and Access
defaulting to least privilege. IoT Device Security Challenges:
• Are tamper resistant. • IoT products may be deployed in insecure or physically exposed
• Do not expose any testing or debugging interfaces that can be environments
used to gain unauthorized access. • Security is new to many manufacturers and there is limited
• Account for the transfer of ownership of devices to ensure that security planning in development methodologies
data is not transferred along with the ownership. • Security is not a business driver and there are limited security
IoT architecture: sponsorship and management support in the development of IoT
• The perception layer products
• The network layer • There is a lack of defined standards and reference architecture
• The application layer for secure IoT development
IoT Characteristics: • There are difficulties recruiting and retaining requisite security
• Existence skills for IoT development teams, including architects, secure
• Sense of self software engineers, hardware security engineers, and security
• Connectivity testing staff
• Interactivity • The low price point increases the potential adversary pool
• Dynamicity • Resource constraints in embedded systems limit security options
• Scalability Guidance for Secure IoT Development:
• Limitations of Computational • Secure Development Methodology
• Limitations of Resources • Secure Development and Integration Environment
The IoT building block consists of five main modules: • Identity Framework and Platform Security Features
• Sensor Module • Establish Privacy Protections
• Processing Module • Hardware Security Engineering
• Actuation Module • Protect Data
• Communication Module • Secure Associated Apps
• Energy Module • Protect Interfaces/APIs
• Provide Secure Update Capability
• Implement Secure Authn/z
• Establish Secure Key Management
• Provide Logging Mechanisms
• Perform Security Reviews
IoT Security (BEST PRACTICES): Attacks in IoT:
• Make hardware tamper resistant • Node Tampering / Node Compromised
• Provide for firmware updates/patches • Denial of Service (DoS)
• Perform dynamic testing • Distributed DoS
• Specify procedures to protect data on device disposal • Device Spoofing
• Use strong authentication • The Breach of Privacy
• Use strong encryption and secure protocols • Malware
• Minimize device bandwidth • Application-based Attacks
• Divide networks into segments • Man in the Middle Attacks
• Protect sensitive information NIST:
• Encourage ethical hacking and vulnerability disclosure • NIST 800-12 NIST Handbook Intro to Computer Security
• Institute an IoT Security and Privacy Certification Board • NIST 800-13 Telecomm Security Guidelines for Telecomm
Product vendors/developers should consider steps below to • NIST 800-14 Generally Accepted Principles and Practices
improve IoT security: • NIST 800-18 AUP / Rules of Behavior
• Secure web/desktop/mobile applications with proper • NIST 800-30 Risk Management/Assessments
authentication and authorization. • NIST 800-34 Contingency Planning
• If feasible, Implement and enable 2-factor authentications by • NIST 800-37 Risk Management Framework
default, it will considerably improve IoT device security. • NIST 800-40 Creating a Patch and Vulnerability Management
• Follow secure coding methods and always perform input • NIST 800-41 Guidelines on Firewalls and Firewall Policy
validation to avoid Cross-site scripting (XSS), SQL injection and • NIST 800-44 Guidelines on Securing Public Web Servers
Buffer Overflow vulnerabilities. • NIST 800-45 Guidelines on Electronic Mail Security
• Enforce an effective password policy • NIST 800-47 Security Guide for Interconnecting IT Systems
• Use captcha, account lockout policy methods to avoid brute force • NIST 800-48 Guide to Securing Legacy IEEE 802.11 Wireless
attacks. • NIST 800-50 Building an IT Security Awareness
• Vendors should provide security updates including details on • NIST 800-53 Security and Privacy Controls for Federal IS
security fixes, the impact of the vulnerability and provide simple • NIST 800-54 Border Gateway Protocol Security
steps to deploy security updates. • NIST 800-55 Security metrics IS
• If feasible, always use encryption for communication. • NIST 800-57 Recommendation for Key Management
• Ensure regular backups (at least two or more data) in a secure • NIST 800-60 Guide for Mapping Types of Information
place. • NIST 800-61 Computer Security Incident Handling
• Avoid information disclosure. i.e avoid publishing customer’s data • NIST 800-63 Electronic Authentication
• While adding new features, vendors should make sure it will not • NIST 800-64 Security Considerations in SDLC
create security hole. • NIST 800-66 Healthcare privacy issues
• Vendors should think on ease of use vs. security • NIST 800-86 Guide to Integrating Forensic Techn. into IR
• Apply OWASP Top 10 IoT Vulnerabilities should be addressed, • NIST 800-82 Guide to Industrial Control Systems (ICS)
during IoT design. • NIST 800-83 Guide to Malware Incident Prevent and Handling
Types of tests that can be employed for IoT device • NIST 800-86 Guide to Integrating Forensic Tech. into IR
developments: • NIST 800-88 Media Sanitization
• Static Application Security Testing (SAST) • NIST 800-94 IDS/1PS
• Dynamic Application Security Testing (DAST) • NIST 800-115 IS Security Testing and Assessment
• Interactive Application Security Testing (IAST) • NIST 800-119 Guidelines for Secure Deployment of IPv6
• Attack Surface and Vectors • NIST 800-122 Protect PII
• 3rd Party Library • NIST 800-137 Information Security Continuous Monitoring
• Fuzzing • NIST 800-145 Cloud computing
• Customized per threat vector ISO:
IoT Forensics Challenges: • ISO 7498: OSI Model
• The Investigation Framework • ISO 27000: ISMS-Overview and Vocabulary
• Diversity of Devices • ISO 27001: ISMS-Requirement
• IoT Constraints • ISO 27002: Code of practice
• Lack of Standardization • ISO 27003: ISMS implementation
• Improper Evidence Handling • ISO 27004: Measurement and metrics framework
•• Evidence identification, collection, and preservation • ISO 27005: Risk management
•• Evidence analysis and correlation • ISO 27006: Certification body requirements
• Securing the Chain of Custody • ISO 27007: ISMS-Auditing
• ISO 27008: Information Security Control
• ISO 27011: ISMS guideline telecom organization
• ISO 27014: Governance of information security
• ISO 27017: Use of cloud services
• ISO 27018: Cloud privacy protection overview
• ISO 27031: Communications technology readiness for BC
• ISO 27032: Cyber Security Resilience
• ISO 27034: Security applications
• ISO 27035: Security incident management
• ISO 27037: Covers identifying, gathering, and preserving DE • Security Rule: Specifies administrative, physical, and technical
• ISO 27799: Directives on protecting personal health information safeguards for covered entities to use to assure the confidentiality,
• ISO 31000: Risk Management Framework integrity and availability of electronic protected health information.
• ISO 22301: BCM - Business continuity • National Identifier Requirements: Requires that health care
• ISO 15408: Common Criteria providers, health plans, and employers have standard national
• ISO 28000: Supply Chain Management numbers that identify them on standard transactions.
• ISO 42010: Systems and Software Engineering Architecture • Enforcement Rule: Provides standards for enforcing all the
• ISO 14443: Smart card standardizations Administrative Simplification Rules.
IEEE: Important HITECH Features:
• IEEE 802.11: Wireless LANs • Expansion of HIPAA security standards to "business associates"
• IEEE 802.15: Wireless PANs that perform activities involving the use or disclosure of individually
• IEEE 802.16: Broadband Wireless MANs identifiable health information.
• IEEE 802.20: Mobile Broadband Wireless Access • Increased civil penalties for "willful neglect."
Wireless: • Data-breach notification requirements for unauthorized uses and
IEEE proposed the 802.11 standards for wireless communications. disclosures of "unsecured PHI."
Various versions have been developed in wireless networking • Stronger individual rights to access electronic medical records
hardware, including 802.11a 802.11b, 802.11g, 802.11n, 802.11ac and restrict the disclosure of certain information.
as described in the table below: • New limitations on the sale of protected health information, as
802.11 2 Mbps 2.4 GHz well as marketing and fundraising communications.
802.11a 54 Mbps 5 GHz EU Data Protection Directive Features:
802.11b 11 Mbps 2.4 GHz • Notice: Data subjects should be given notice when their data are
802.11g 54 Mbps 2.4 GHz being collected.
802.11n 200+ Mbps 2.4 GHz or 5 GHz • Purpose: Data should only be used for the purpose stated.
802.11ac 1 Gbps 5 GHz • Consent: Data should not be disclosed without the subject's
ISO 27002 includes: consent.
• Security Policy • Security: Collected data should be kept secure from any potential
• Organization and Information Security abuses.
• Asset Management • Disclosure: Data subjects should be informed as to who is
• Human Resources Security collecting their data.
• Physical and Environmental Security • Access: Data subjects should be allowed to access their data and
• Communications and Operations Management make corrections to any inaccurate data.
• Access Control • Accountability: Data subjects should have an available method to
• Information Systems Acquisitions, Development, and hold data collectors accountable for following these six principles
Maintenance above.
• Information Security Incident Management COBIT :
• Business Continuity Management • Principle 1: Meeting Stakeholder Needs
• Compliance • Principle 2: Covering the Enterprise End to End
Important FISMA Features: • Principle 3: Applying a Single, Integrated Framework
• Periodic risk assessments. • Principle 4: Enabling a Holistic Approach
• Policies and procedures based on assessments. • Principle 5: Separating Governance from Management
• Qualitative risk rating-data-driven security model. ITIL Benefits:
• Subordinate plans for information security for networks, facilities, • Increased user and customer satisfaction with IT services.
and other subsystems. • Improved service availability, directly leading to increased
• Security awareness training for personnel. business profits and revenue.
• Periodic testing and evaluation of the effectiveness of information • Financial savings from reduced rework, lost time, improved
security policies, procedures, practices, and controls at least resource management and usage.
annually. • Improved time to market for new products and services.
• A process to address deficiencies in information security policies • Improved decision-making and optimized risk.
(POAM). OECD:
• Procedures for detecting, reporting, and responding to security Organization for Economic Cooperation and Development (OECD)
incidents. suggests that privacy laws include:
• Procedures and plans to ensure continuity of operations for • Collection limitation principle
information systems that support the organization's operations and • Data quality principle
assets. • Purpose specification principle
Important HIPAA Features: • Use limitation principle
• Electronic Transaction and Code Sets Standards: Requires the • Security safeguards principle
same health care transactions, code sets, and identifiers. • The openness principle
• Privacy Rule: Provides federal protections for personal health
information held by covered entities and gives patients an array of
rights with respect to that information.
Information Security: The GDPR defines three relevant entities:
The key goal of information security is to reduce adverse impacts • Data subject The individual to whom the data pertains
on the organization to an acceptable level. Following are some • Data controller Any organization that collects data on EU
other security management framework & methodologies for residents
security professionals, which includes development standards, • Data processor Any organization that processes data for a
security architect, security controls, governance methods & data controller
management process: GDPR:
•ISO/IEC 17799:2005 Information technology - Security GDPR requires that organizations adhere to the rules of Privacy by
techniques - Code of practice for information security management Design. Privacy by Design is an approach to software development
• ISO/IEC 27000 Series family of Information Security that takes privacy into account throughout every phase of
Management Systems development. The underlying premise of Privacy by Design is not
• ISO/IEC 27001 Information Security Management simply protecting data, but as much as possible designing systems
• ISO/IEC 27002 Code of practice for information security controls so data doesn't need protection—for example, minimizing data
• Common Criteria (CC) or ISO/IEC 15408 collected in the first place.
• Information Technology Infrastructure Library (ITIL) Identify Personal Data as Defined by GDPR:
• Zachman framework GDPR defines personal data as "any information relating to an
• TOGAF identified or identifiable natural person (data subject). An
• DoDAF identifiable natural person is one who can be identified, directly or
• MODAF indirectly, in particular by reference to an identifier" such as:
• COBIT • A name
The structure of the TOGAF documentation: • An identification number
• PART I: (Introduction)- This part provides a high-level • Location data
introduction to the key concepts of enterprise architecture and,in • An online identifier
particular, the TOGAF approach. It contains the definitions of terms • One or more factors specific to the data subject's physical,
used throughout TOGAF and release notes detailing the changes physiological, genetic, mental, economic, cultural, or social identity
between this version and the previous version of TOGAF.
• PART II: (Architecture Development Method) - This part is the
core of TOGAF. It describes the TOGAF Architecture Development
Method (ADM), a step-by-step approach to developing an
enterprise architecture.
• PART III: (ADM Guidelines and Techniques) - This part contains a
collection of guidelines and techniques available for use in applying
TOGAF and the TOGAF ADM.
• PART IV: (Architecture Contenf Framework) - This part describes
the TOGAF content framework, including a structured meta-model
for architectural artifacts,. The use of re-usable architecture,
building blocks, and an overview of typical architecture
deliverables.
• PART V: (Enterprise Continuum & Tools) - This part discusses
appropriate taxonomies and tools to, categorize and store the
outputs of architecture activity within an enterprise.
• PART VI: (TOGAF Reference Models) - This part provides a
selection of architectural reference models, which includes the
TOGAF Foundation Architecture, and the Integrated Information
Infrastructure Reference Model (III-RM).
• PART VII: (Architecture Capability Framework) - This part
discusses the organization, processes, skills, roles, and
responsibilities required to establish and operate an architecture
function within an enterprise.
SABSA:
SABSA is comprised of a series of integrated frameworks, models,
methods, and processes used independently, or as a holistic
integrated enterprise solution, including:
• Business Requirements Engineering Framework (known as
Attributes Profiling)
• Risk and Opportunity Management Framework
• Policy Architecture Framework
• Security Services-Oriented Architecture Framework
• Governance Framework
• Security Domain Framework
• Through-life Security Service Management & Performance
Management Framework
The GDPR set of protected types of privacy data: Meet PCI DSS Requirements:
• Name • Maintain secure networks. Enable payment card transactions to
• Address be conducted safely over the
• ID numbers network. Employ user-friendly firewalls to protect cardholder
• Web data (location, IP address, cookies) information without inconveniencing cardholders. Change all
• Health and genetic data passwords and PIN codes for hosts and network
• Biometric data devices from default values to values that cannot be guessed by an
• Racial or ethnic data attacker.
• Political opinions • Secure cardholder data in transit and in storage. Encrypt
• Sexual orientation sensitive cardholder data such as
Key provisions of the GDPR include: social security numbers, birth dates, phone numbers, addresses,
• Consent Data controllers and data processors cannot use and so forth.
personal data without explicit consent of the data subjects. • Provide malware protection on client and host systems. Keep
• Right to be informed Data controllers and data processors must malware protection up to date.
inform data subjects about how their data is, will, or could be used. Regularly update and patch operating systems and other software
• Right to restrict processing Data subjects can agree to have their dependencies.
data stored by a collector but disallow it to be processed. • Restrict access to cardholder data to authorized personnel. All
• Right to be forgotten Data subjects can request that their users should have a unique ID on the system, so their activities
personal data be permanently deleted. can be logged. Provide physical protection of data in systems and
• Data breaches Data controllers must report a data breach within in hard copy. Use document shredders and provide locks on
72 hours of becoming aware of it. dumpsters to prevent unauthorized access.
CIS: • Continually monitor for vulnerabilities. This includes all networks,
The Center for Internet Security's (CIS) Critical Security Controls systems, and applications.
for Effective Cyber Regularly scan memory and storage to detect potential threats.
Defense (CSC) is a recommended set of actions for cyber defense • Implement and follow a comprehensive information security
that provide specific and actionable ways to stop today's most policy. Implement systems to ensure that policies are understood
pervasive and dangerous attacks. and followed by everyone. Impose penalties for noncompliance.
• Basic CIS Controls Perform auditing on a regular basis.
•• Inventory and Control of Hardware Assets Provide Sufficient Attack Protection:
•• Inventory and Control of Software Assets The majority of applications and APIs lack the basic ability to
•• Continuous Vulnerability Management detect, prevent, and respond to both manual and automated
•• Controlled Use of Administrative Privileges attacks. Attack protection goes far beyond basic input validation
•• Secure Configuration for Hardware and Software for and involves automatically detecting, logging, responding to, and
Mobile Devices, Laptops, Workstations and Servers even blocking exploit attempts. Application owners also need to be
•• Maintenance, Monitoring and Analysis of Audit Logs able to deploy patches quickly to protect against attacks. To avoid
• Foundational CIS Controls this defect, make sure your software:
•• Email and Web Browser Protections • Detects attacks and responds appropriately. For example, events
•• Malware Defenses might occur that a legitimate user is not likely to cause (such as
•• Limitation and Control of Ports, Protocols and Services high-speed input, odd input patterns, repeated requests, etc.). The
•• Data Recovery Capabilities application can help to protect itself, data, and users by monitoring
•• Secure Configuration for Network Devices, such as for such events and providing appropriate interventions, such as
Firewalls, Routers and Switches ignoring requests, blocking IP addresses, or IP ranges, logging and
•• Boundary Defense notifying the user and/or system operator, disabling user accounts,
•• Data Protection and so forth.
•• Controlled Access Based on the Need to Know • Is patched quickly. Push protections out quickly. When you can't
•• Wireless Access Control push out patches and updates immediately, implement provisional
•• Account Monitoring and Control protections such as blocking certain traffic patterns to prevent
• Organizational CIS Controls vulnerabilities from being exploited.
•• Implement a Security Awareness and Training Program Protect Privacy:
•• Application Software Security To ensure that personal information and privacy are protected:
•• Incident Response and Management • Minimize data collection.
•• Penetration Tests and Red Team Exercises • Consult with data scientists and legal and compliance teams to
determine risk of data collection and storage.
• Provide end users the option to specify what data will be
collected.
• Anonymize collected data.
• Use encryption to protect all collected personal data at rest and
in transit.
• Ensure that collected personal information is accessible only by
authorized users.
• Ensure that a data retention policy is in place.
Protect Sensitive Information: • Provide evidence (such as logging and messaging to the user) to
Some information may require special care and handling in your verify deletion according to policy.
application to protect users. Identify any information that is • Identify deletion policies (circumstances under which data must
sensitive, and apply appropriate controls to ensure it remains be deleted, and the timeframe for deletion), and implement
private. A good place to start is to always consider all personally automation and/or manual procedures to ensure that happens.
identifiable information (PII) sensitive, as it can be used to Make Sure Privacy Policies, Terms and Conditions are Clear:
establish a person's identity and might be used to cause them The software may not make it clear to users what it will do with
substantial harm, embarrassment, inconvenience, or unfairness. their data so users can make good decisions about how to manage
Refer to privacy guidelines for your country, municipality, or their data within the software. To avoid this defect:
organization for specific lists of PII you may be legally required to • Provide release notes with software updates to clearly and simply
protect. A typical list is provided here. explain how terms and conditions change over time.
• User name • Track which users have consented to the terms and conditions,
• Email address including the version if terms and conditions have changed over
• Home address time.
• Phone number • Implement a Do Not Track feature on the server side, so users
• Social Security number (even if it's just the last 4 digits) can disable tracking, and provide an opt-out capability for users.
• Driver's license or state ID# • Provide users with a list of all tracking mechanisms used in the
• Passport number software, explaining how and by whom the information is used.
• Alien registration number • Inform users (through a clear and well-written terms and
• Financial account number conditions page, for example) how data is processed, including
• Biometric identifiers collection, storage, processing, and deletion.
• Citizenship or immigration status Do Not Collect Non-Essential Data:
• Medical information When data that is not needed to meet requirements is collected, it
• Ethnic or religious association needlessly puts privacy at risk. To avoid this defect:
• Sexual orientation • Do not collect descriptive, demographic, or any other user-
• Account passwords related data that are not needed for the purposes of the system.
• Date of birth • Enable users to opt out of providing additional data to improve
• Criminal history the service.
• Mother's maiden name
Do Not Share Data without Consent:
Anonymize Personal Data: The software should not provide data to a third party without
To anonymize personal data: obtaining the user's consent. To avoid this defect:
• Use one of the following techniques to mask the identifying data: • Acquire and document the user's consent for any data collected
• Replacement—Substitute any values that could be used to before the data is actually collected.
identify the user with different values. • Acquire and document the user's consent for any additional data
• Suppression—Omit (all or in part) any values that could be used that is collected later (due to software feature updates or new
to identify the user. compliance requirements, for example).
• Generalization—Substitute specific values that could be used to • Mark web requests as Do Not Track, complying with the latest
identify the user with something less specific. For example, W3C standards.
generalize the date of birth to the year or decade in which the user • Anonymize personal data before sharing it with a third party.
was born. • Do not share data inadvertently by embedding third party
• Perturbation—Make random changes to the data to corrupt resources such as third party hosted JavaScript, JavaScript
values that could be used to identify the user. widgets, analytics components, advertisements, and so forth.
• Anonymize non-sensitive data as well, if it could be used for the
reverse anonymization of sensitive data.
• Make sure that the masking process is not reversible.
• Make sure that the same masking process will produce the same
results each time.
• Make sure that data types remain compliant with the schema.
• Preserve the meaning of the data.
Delete Private or Sensitive Data That is No Longer Needed:
Defects make the software fail to delete private or sensitive data
that is no longer needed, putting privacy at risk. To avoid this
defect:
• Design the software to minimize data that is stored in the first
place.
• Promptly delete data that is no longer needed.
• Properly delete data when a user issues a rightful request.
• Securely lock the data from any access until deletion is possible,
if prompt deletion is not possible due to technical restrictions.
• Ensure prompt deletion of data in backups, copies, cloud storage,
or data shared with third-party sources.
• Clearly inform users when backups must be kept, as required by
law.

CISSSP Process Guide v.21

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CISSSP Process Guide v.21

Uploaded by

Copyright:

Available Formats

CISSP Process Guide

CISSP is registered certification marks of (ISC)², Inc.

Benefits multilayer protocols: EAL:

Security Considerations for IaaS:

You might also like