Information Security Handbook: Enhance your proficiency in information security program development [2 ed.] 1837632707, 9781837632701

Table of contents :
Cover
Title Page
Copyright and Credits
Dedicated
Contributors
Table of Contents
Preface
Chapter 1: Information and Data Security Fundamentals
Introduction
Information security challenges
Evolution of cybercrime
The modern role of information security
Information technology security engineering
Information assurance
The CIA triad
Organizational information security assessment
Risk management
Information security standards
Information security policies
Information security training
Summary
Chapter 2: Defining the Threat Landscape
Understanding the organizational context
Threats
Phishing attacks
Ransomware
Malware
Distributed denial-of-service attacks
Insider threats
Advanced Persistent Threats
Social engineering attacks
Supply chain attacks
Hackers and hacking
White hat/ethical hacker
Black hat hacker
Gray hat hacker
Blue hat hacker
Script kiddie
Hacktivist
Nation-state attacker
Penetration testing
Cybercrime
Exploits
Hacker techniques
Closing information system vulnerabilities
Vulnerability management
Summary
Chapter 3: Laying a Foundation for Information and Data Security
Developing a comprehensive information security program
Leveraging existing frameworks instead of building from scratch
Essential factors for information security program success
Aligning information security with the organization’s mission
Optimizing information security measures for your organization
Enhancing security through comprehensive awareness and training programs
Building information security into the SDLC/SELC process
Understanding and enhancing your information security program maturity
Information security policies
Information security program policy
Enterprise information security policies
Information security system-specific policy
Planning policy
Access controls policy
Awareness and training policy
Auditing and accountability policy
Configuration management policy
Contingency planning policy
Identification and authentication policy
Incident response policy
Maintenance policy
Media protection policy
Personnel security policy
Physical and environmental protection policy
Risk assessment policy
Assessment, authorization, and monitoring policy
System and communications protection policy
System and information integrity policy
Systems and services acquisitions policy
Personally identifiable information policy
Supply chain risk management policy
Summary
Chapter 4: Information Security Risk Management
What is information security risk?
Understanding the ownership and management of information security risk
Identifying and protecting your organization’s valuable data
Conducting a quick risk assessment
Risk management is an organizational-wide activity
The life cycle of risk management in information security
Information classification and its importance in information security
Steps in the data classification process
Determining information assets
Finding information in the environment
Organizing information into categories
Valuing information
Establishing impact
Security control selection
Security control implementation
Assessing implemented security controls
Authorizing information systems to operate
Monitoring information system security controls
Calculating risk – a comprehensive look at qualitative and quantitative risk assessments
Qualitative risk analysis – subjective evaluation of threats
Quantitative risk analysis – objective measurements and calculations
Identifying threats and choosing the right approach
Identifying your organization’s vulnerabilities
Pairing threats with vulnerabilities
Estimating likelihood
Estimating impact
Conducting the risk assessment
Exploring management approaches to risk
Quantitative analysis
Summary
Chapter 5: Developing Your Information and Data Security Plan
Determining your information security program objectives
Foundational information security activities to consider
Successful information security program elements
Rightsizing your information security program
Compliance requirements
Is your organization centralized or decentralized?
Business risk appetite
Organizational maturity
Principles to guarantee the success of your information security program
Business alignment
Communication strategies
Information security program plan elements
Developing an information security program strategy
Establishing key initiatives
Defining roles and responsibilities
Establishing enforcement areas
Summary
Chapter 6: Continuous Testing and Monitoring
Types of technical testing
SDLC considerations for testing
Project initiation
Requirements analysis
System design
System implementation
System testing
Operations and maintenance
Disposition
SDLC summary
Continuous monitoring
Information security assessment automation
Effectively reporting information security metrics
Alerting to information security weaknesses
Vulnerability assessment
Vulnerability scanning process
Vulnerability resolution
Penetration testing
Phases of a penetration test
Difference between vulnerability assessments and penetration testing
Summary
Chapter 7: Business Continuity/Disaster Recovery Planning
Introduction to BCDR
Integrating BC planning and DR planning
Scope of a BCDR plan
Focus areas for BCDR planning
Designing a BCDR plan
Requirements and context gathering – BIA
Inputs to the BIA
Outputs from the BIA
Sample BIA form
Defining technical DR mechanisms
Identifying and documenting required resources
Conducting a gap analysis
Developing DR mechanisms
Developing your plan
Testing the BCDR plan
Summary
Chapter 8: Incident Response Planning
What is an IRP?
Do I need an IRP?
Components of an IRP
Preparation of an IRP
Understanding what is important
Prioritization
Determining what normal network activity looks like
Observe, orient, decide, and act
Incident response procedure development
Identification – detection and analysis
Identification – incident response tools
Observational technical tools
Orientation tools
Decision tools
Remediation – containment/recovery/mitigation
Remediation – incident response tools
Act (response) tools
Post-incident activity
Remediation – root cause analysis
Lessons-learned sessions
IRP testing
Summary
Chapter 9: Developing a Security Operations Center
What is a SOC?
What are the responsibilities of the SOC?
Management of SOC tools
SOC toolset design
Using already implemented toolsets
SOC roles
Log/information aggregation
Log/information analysis
Processes and procedures
Identification – detection and analysis
Remediation – containment/eradication/recovery
SOC tools
Benefits of a SOC – in-house and MSSP
Summary
Chapter 10: Developing an Information Security Architecture Program
What is information security architecture?
Information security architecture and SDLC/SELC
Initiation phase
Requirement analysis phase
Design phase
Implementation phase
Testing phase
Operations and maintenance phase
Disposition phase
Conducting an initial information security analysis
Purpose and description of the information system
Determining compliance requirements
Documenting key information system and project roles
Defining the expected user types
Documenting interface requirements
Documenting external information systems access
Conducting a business impact assessment (BIA)
Conducting information categorization
Developing a security architecture advisement program
Information security architecture process
Example information security architecture process
Architecture special considerations
Summary
Chapter 11: Cloud Security Considerations
Importance of cloud computing
Cloud computing characteristics
Cloud computing service models
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Cloud computing deployment models
Public cloud
Private cloud
Community cloud
Hybrid cloud
Cloud computing management models
Managed service providers
Cloud service providers
Special considerations for cloud computing
Cloud computing data security
Identification, authentication, and authorization in the cloud
Monitoring and logging considerations
Security automation considerations
Secure application development considerations
Summary
Chapter 12: Zero Trust Architecture in Information Security
Zero Trust and its principles
The history of Zero Trust
Importance of Zero Trust in cybersecurity
Shifting from traditional perimeter-based security
The pillars of Zero Trust
Identity pillar
Devices
Networks
Applications and Workloads
Data
Summary
Chapter 13: Third-Party and Supply Chain Security
Understanding C-SCRM and its importance
The challenges in managing supply chain cybersecurity risks
The risks associated with supply chains
The consequences of supply chain risks
Methods to identify supply chain risks
Assessing the severity and likelihood of C-SCRM risks
Strategies to mitigate supply chain risks
Developing C-SCRM policies and plans
Integrating C-SCRM into security program and business activities
Stakeholders that support the integration
Monitoring and reviewing C-SCRM practices
Summary
Index
Other Books You May Enjoy

Citation preview

Information Security Handbook

Enhance your proficiency in information security program development

Darren Death

BIRMINGHAM—MUMBAI

Information Security Handbook Copyright © 2023 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. Group Product Manager: Pavan Ramchandani Publishing Product Manager: Khushboo Samkaria Book Project Manager: Ashwini Gowda Senior Editor: Roshan Ravi Kumar Technical Editor: Rajat Sharma Copy Editor: Safis Editing Proofreader: Safis Editing Indexer: Tejal Daruwale Soni Production Designer: Shankar Kalbhor DevRel Marketing Coordinator: Marylou De Mello First published: December 2017 Second edition: October 2023 Production reference: 1061023 Published by Packt Publishing Ltd. Grosvenor House 11 St Paul’s Square Birmingham B3 1RB, UK ISBN 978-1-83763-270-1 www.packtpub.com

I want to thank my amazing wife and children for supporting me and sacrificing the time it took to write this book.

Contributors About the author Darren Death is ASRC Federal’s Chief Information Security Officer. He is responsible for managing the enterprise cybersecurity program across a 3-billion-dollar portfolio of business sectors, including financial services, government contracting, and construction. A proven technology leader with over 20 years of experience deploying enterprise systems for large private and public organizations, Darren Death has led, designed, and implemented large-scale, organizational-wide enterprise IT systems with far-reaching impact. Before joining ASRC Federal, while at the Department of Justice, he was responsible for creating a nationwide enterprise processing capability across the US Attorney, Marshalls Service, and the Bureau of Alcohol, Tobacco, and Firearms divisions. At the Library of Congress, Darren was responsible for all emerging technologies related to information security. He holds a doctoral degree in information technology, specializing in information assurance and cybersecurity.

About the reviewers Rahul Gupta is a distinguished authority and expert in the field of cybersecurity and brings a wealth of knowledge and experience to the world of cybersecurity, privacy, and compliance. With over 15 years at the forefront of protecting organizations from digital threats, Rahul has cemented his reputation as a trailblazer in the domain of InfoSec. Throughout his career, he has held pivotal roles in a diverse array of industries, ranging from Fortune 500 companies to cutting-edge start-ups. With a strong academic background and many industry certifications including CISSP, Rahul has contributed extensively to the cybersecurity community and is very passionate about shaping the future of cybersecurity strategies and products.

Abhinav Rai has a proven track record of providing insightful reviews for similar books in the past. Abhinav brings a wealth of experience and a keen understanding of the subject matter. His commitment to maintaining the highest standards of accuracy and relevance is evident in his prior contributions. Abhinav plays a pivotal role in ensuring that this new book not only upholds but also builds upon the quality and credibility he has previously helped to achieve. His continuity in reviewing Packt titles solidifies the trust that readers can place in the expertise and thoroughness of this content.

Table of Contents Prefacexv

1 Information and Data Security Fundamentals

1

Introduction1 Information security challenges 2 Evolution of cybercrime 4 The modern role of information security 6

8

The CIA triad

Organizational information security assessment 9

Risk management

11 12 14 14

Information technology security engineering

7

Information security standards Information security policies Information security training

Information assurance

7

Summary15

2 Defining the Threat Landscape Understanding the organizational context17 Threats19 Phishing attacks 19 Ransomware20 Malware20 Distributed denial-of-service attacks 21 Insider threats 22 Advanced Persistent Threats 22 Social engineering attacks 23 Supply chain attacks 23

17 Hackers and hacking

24

White hat/ethical hacker 24 Black hat hacker 24 Gray hat hacker 25 Blue hat hacker 25 Script kiddie 25 Hacktivist26 Nation-state attacker 26 Penetration testing 26 Cybercrime27 Exploits27 Hacker techniques 30

viii

Table of Contents

Closing information system vulnerabilities38

Vulnerability management

39

Summary39

3 Laying a Foundation for Information and Data Security Developing a comprehensive information security program Leveraging existing frameworks instead of building from scratch Essential factors for information security program success Aligning information security with the organization’s mission Optimizing information security measures for your organization Enhancing security through comprehensive awareness and training programs Building information security into the SDLC/SELC process Understanding and enhancing your information security program maturity

41 42 43 44 44 45 46 50

Information security policies

51

Information security program policy Enterprise information security policies Information security system-specific policy

52 54 55

41

Planning policy 59 Access controls policy 60 Awareness and training policy 61 Auditing and accountability policy 62 Configuration management policy 63 Contingency planning policy 64 Identification and authentication policy 65 Incident response policy 65 Maintenance policy 67 Media protection policy 68 Personnel security policy 69 Physical and environmental protection policy 69 Risk assessment policy 70 Assessment, authorization, and monitoring policy71 System and communications protection policy 71 System and information integrity policy 72 Systems and services acquisitions policy 73 Personally identifiable information policy 74 Supply chain risk management policy 74

Summary76

4 Information Security Risk Management

77

What is information security risk? Understanding the ownership and management of information security risk

79 80

78 78

Identifying and protecting your organization’s valuable data Conducting a quick risk assessment Risk management is an organizational-wide activity

81

Table of Contents

The life cycle of risk management in information security 83 Information classification and its importance in information security 84 Steps in the data classification process 86 Determining information assets Finding information in the environment Organizing information into categories Valuing information

Establishing impact Security control selection

87 88 93 99

100 103

Security control implementation 104 Assessing implemented security controls 105 Authorizing information systems to operate 106 Monitoring information system security controls107

Calculating risk – a comprehensive look at qualitative and quantitative risk assessments

108

Qualitative risk analysis – subjective evaluation of threats Quantitative risk analysis – objective measurements and calculations

109 109

Identifying threats and choosing the right approach

109

Identifying your organization’s vulnerabilities Pairing threats with vulnerabilities Estimating likelihood Estimating impact Conducting the risk assessment

Exploring management approaches to risk Quantitative analysis

111 113 114 115 116

118 119

Summary122

5 Developing Your Information and Data Security Plan Determining your information security program objectives Foundational information security activities to consider Successful information security program elements Rightsizing your information security program

123

123

Principles to guarantee the success of your information security program 139

124

Business alignment Communication strategies

126

Information security program plan elements

129

Compliance requirements 129 Is your organization centralized or decentralized?132 Business risk appetite 136 Organizational maturity 137

139 140

140

Developing an information security program strategy140 Establishing key initiatives 141 Defining roles and responsibilities 142 Establishing enforcement areas 144

Summary145

ix

x

Table of Contents

6 Continuous Testing and Monitoring Types of technical testing SDLC considerations for testing

148 149

Project initiation 150 Requirements analysis 150 System design 151 System implementation 153 System testing 153 Operations and maintenance 154 Disposition155

SDLC summary Continuous monitoring Information security assessment automation

156 157 158

147 Effectively reporting information security metrics Alerting to information security weaknesses

158 159

Vulnerability assessment

160

Vulnerability scanning process Vulnerability resolution

161 163

Penetration testing Phases of a penetration test

165 166

Difference between vulnerability assessments and penetration testing 168 Summary169

7 Business Continuity/Disaster Recovery Planning Introduction to BCDR Integrating BC planning and DR planning Scope of a BCDR plan Focus areas for BCDR planning

Designing a BCDR plan Requirements and context gathering – BIA Inputs to the BIA Outputs from the BIA Sample BIA form

172 173 174 180

182 182 182 183 184

Defining technical DR mechanisms

171 185

Identifying and documenting required resources185 Conducting a gap analysis 186 Developing DR mechanisms 186

Developing your plan 187 Testing the BCDR plan 188 Summary188

8 Incident Response Planning What is an IRP? Do I need an IRP?

189 189 190

Components of an IRP

Preparation of an IRP

190

191

Table of Contents Understanding what is important 191 Prioritization193 Determining what normal network activity looks like 194 Observe, orient, decide, and act 195 Incident response procedure development 197

Identification – detection and analysis Identification – incident response tools Observational technical tools Orientation tools

202 204 204 204

Decision tools

205

Remediation – containment/ recovery/mitigation206 Remediation – incident response tools 208 Act (response) tools

Post-incident activity Remediation – root cause analysis Lessons-learned sessions IRP testing

208

209 209 210 210

Summary212

9 Developing a Security Operations Center What is a SOC? What are the responsibilities of the SOC?

Management of SOC tools SOC toolset design Using already implemented toolsets

SOC roles Log/information aggregation Log/information analysis

213 214

215 216 217

218 222 224

Processes and procedures

213 225

Identification – detection and analysis 226 Remediation – containment/eradication/ recovery228

SOC tools Benefits of a SOC – in-house and MSSP

230 232

Summary234

10 Developing an Information Security Architecture Program What is information security architecture?235 Information security architecture and SDLC/SELC 237

Implementation phase Testing phase Operations and maintenance phase Disposition phase

Initiation phase Requirement analysis phase Design phase

Conducting an initial information security analysis

238 239 239

235 240 241 241 242

243

xi

xii

Table of Contents Purpose and description of the information system245 Determining compliance requirements 246 Documenting key information system and project roles 247 Defining the expected user types 249 Documenting interface requirements 250 Documenting external information systems access 251 Conducting a business impact assessment (BIA) 252

Conducting information categorization

253

Developing a security architecture advisement program 253 Information security architecture process254 Example information security architecture process255 Architecture special considerations 256

Summary260

11 Cloud Security Considerations Importance of cloud computing Cloud computing characteristics

Cloud computing service models Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS)

Cloud computing deployment models Public cloud Private cloud Community cloud Hybrid cloud

261 261 262

263 264 265 266

268 268 269 270 271

Cloud computing management models272 Managed service providers Cloud service providers

272 272

Special considerations for cloud computing273 Cloud computing data security 273 Identification, authentication, and authorization in the cloud 279 Monitoring and logging considerations 282 Security automation considerations 283 Secure application development considerations285

Summary286

12 Zero Trust Architecture in Information Security Zero Trust and its principles 287 The history of Zero Trust 289 Importance of Zero Trust in cybersecurity290

Shifting from traditional perimeter-based security The pillars of Zero Trust Identity pillar

287 291 292 293

Table of Contents Devices298 Networks301 Applications and Workloads 303

Data307

Summary310

13 Third-Party and Supply Chain Security Understanding C-SCRM and its importance The challenges in managing supply chain cybersecurity risks The risks associated with supply chains The consequences of supply chain risks Methods to identify supply chain risks Assessing the severity and likelihood of C-SCRM risks

312 313 314 315 316

Strategies to mitigate supply chain risks

311 319

Developing C-SCRM policies and plans

320

Integrating C-SCRM into security program and business activities

321

Stakeholders that support the integration

322

Monitoring and reviewing C-SCRM practices323 Summary324

317

Index325 Other Books You May Enjoy

344

xiii

Preface Information security has become a global challenge impacting organizations across every industry sector. C-Suite and board-level executives are beginning to take their obligations seriously and, as a result, require competent business-focused advice and guidance from the organization’s information security professionals. Establishing a fully developed, risk-based, and business-focused information security program to support your organization is critical to ensuring your organization’s success moving into the future. This book is not just a compilation of theories and principles but also a practical guide that will empower you to take meaningful actions in securing your organization’s assets. Whether you are an experienced security professional seeking to refine your skills or someone new to the field looking to build a strong foundation for the future, this book is designed to meet you where you are and guide you toward improving your understanding of information security. Each chapter addresses key concepts, practical techniques, and best practices for establishing a robust and effective information security program. This book offers a holistic perspective on securing information, from risk management to incident response cloud security to supply chain considerations. This book has distilled years of experience and expertise into clear, actionable insights you can apply directly to your organization’s security efforts. Whether you work in a large enterprise, a government agency, or a small business, the principles and strategies presented in this book are adaptable and scalable to suit your specific needs. Information security is not a one-time endeavor but an ongoing commitment to protect what matters most. It is a discipline that requires vigilance, adaptability, and a continuous pursuit of knowledge. This book provides the tools and guidance to fortify your organization’s defenses and expand your capabilities as an information security practitioner.

Who this book is for This book is targeted at the information security professional looking to understand the critical success factors needed to build a successful business-aligned information security program. Additionally, this book is suited for anyone looking to understand the key aspects of an information security program and how they should be implemented within an organization.

xvi

Preface

What this book covers Chapter 1, Information and Data Security Fundamentals, provides you with an overview of key concepts that will be examined throughout this book. You will understand the history, key concepts, and components of information and data security. Additionally, you will see how these concepts should be balanced with business needs. Chapter 2, Defining the Threat Landscape, shows how understanding the modern threat landscape will help you develop a highly effective information security program to defend against current adversaries in support of your organization’s goals and objectives. In this chapter, you will learn how to determine what is important to your organization, potential threats to your organization, the types of hackers/adversaries, the methods used by hackers and adversaries, and the techniques for conducting training and awareness as it relates to threats. Chapter 3, Laying a Foundation for Information and Data Security, teaches you the essential activities required to establish an enterprise-wide information security program, focusing on executive buy-in, policies, procedures, standards, and guidelines. Additionally, you will learn about the planning concepts associated with information security program establishment, the success factors for information security program development, integration of the SDLC in the information security program, information security program maturity concepts, and best practices related to policies, procedures, standards, and guidelines. Chapter 4, Information Security Risk Management, outlines the fundamentals of information security risk management, which provides the primary interface for prioritization and communication between the information security program and the business. Additionally, you will learn about some key concepts related to information security risk management, how to determine where valuable data is in your organization, some quick risk assessment techniques, how risk management affects different parts of the organization, how to perform information categorization, security control selection, implementation, and testing, and what’s involved in authorizing information systems for production operation. Chapter 5, Developing Your Information and Data Security Plan, teaches you the concepts necessary to develop your information security program plan. Your program plan will be a foundational document to establish how your information security program will function and interact with the rest of the business. Additionally, you will learn how to develop the objectives for your information security program, elements of a successful information security program, information security program business/mission alignment, information security program plan elements, and establishing information security program enforcement. Chapter 6, Continuous Testing and Monitoring, explains how it is essential for the information security professional to understand that vulnerabilities in information systems are a fact of life that is not going away anytime soon. The key to protecting the modern information system is continued vigilance through continuous technical testing. In this chapter, you will learn about the technical testing capabilities at your disposal, testing integration into the SDLC, continuous monitoring considerations, vulnerability assessment considerations, and penetration testing considerations.

Preface

Chapter 7, Business Continuity/Disaster Recovery Planning, explores how these two topics encompass separate but related disciplines that work together. Business continuity planning ensures an organization can understand what business processes and information are essential to continued operations and success. Disaster recovery planning serves to develop a technical solution that supports the organization’s business needs in the event of a system outage. In this chapter, you will learn the scope and focus areas of the BCDR plan and the design, implementation, testing, and maintenance of the BCDR plan. Chapter 8, Incident Response Planning, explains how an incident response plan is the plans and procedures that your information security program implements to ensure that you have adequate and repeatable processes to respond to an information security incident against your organizational network or information systems. In this chapter, you will learn about why you need an incident response plan, what components make up the incident response plan, tools and techniques related to incident response, the incident response process, and the OODA loop and how it can be applied to incident response. Chapter 9, Developing a Security Operations Center, talks about how the Security Operations Center serves as your centralized view into your enterprise information systems. The security operations center aims to ensure this view is in real time so your organization can identify and respond to internal and external threats as quickly as possible. In this chapter, you will learn what comprises the responsibilities of the Security Operations Center; Security Operations Center tool management and design; Security Operations Center roles, processes, and procedures; and internal versus outsourced Security Operations Center implementation considerations. Chapter 10, Developing an Information Security Architecture Program, shows how to establish rigorous and comprehensive policies, procedures, and guidelines around the development and operationalization of an information security architecture across the enterprise information technology deployed within an organization. Additionally, you will learn about incorporating security architecture into the system development life cycle process, conducting an initial information security analysis, and developing a security architecture advisement program. Chapter 11, Cloud Security Consideration, discusses how cloud computing enables on-demand and ubiquitous access to a shared pool of configurable outsourced computing resources such as networks, servers, storage, and applications. In this chapter, you will learn about cloud computing characteristics and services, deployment and management models, and special information security considerations as they relate to cloud computing. Chapter 12, Zero Trust Architecture in Information Security, notes that Zero Trust has emerged as a key architectural framework in modern information security, challenging traditional models by fundamentally shifting how organizations perceive trust and access to data and information systems. In this chapter, you will learn about Zero Trust and its principles, the history of Zero Trust, the importance of Zero Trust in cybersecurity, the shift from traditional perimeter-based security, and the pillars of Zero Trust.

xvii

xviii

Preface

Chapter 13, Third-Party and Supply Chain Security, recognizes that cybersecurity is not a singular, one-off effort but a continuous process that must be integrated into the entire life cycle of supply chain operations. It forces organizations to look beyond their internal cybersecurity practices and assess their partners’ practices. In this chapter, you will learn about C-SCRM and its importance, understand the challenges in managing supply chain cybersecurity, and consider the risks associated with supply chains, the consequences of supply chain risks, the methods for identifying supply chain risks. You’ll also learn about assessing the severity and likelihood of C-SCRM risks, strategies for mitigating supply chain risks, integrating C-SCRM into security programs and business activities, and monitoring and reviewing C-SCRM practices.

To get the most out of this book To be as practical in our approach as possible, we’ve made a few assumptions about you, your skill level, and your needs. We assume you have a foundational understanding of cybersecurity and information security. This means you should be familiar with common security controls and concepts. If terms such as “firewalls,” “antivirus software,” “encryption,” and “password security” ring a bell, you’re on the right track. If not, don’t worry; we’ll provide explanations and guidance along the way. In addition to basic cybersecurity concepts, we assume a baseline of enterprise technology knowledge. This doesn’t mean you need to be an IT expert, but it does imply a general understanding of how technology is used in organizational settings. If you’ve worked in an office environment, used business software, or interacted with enterprise-level systems, you have the foundational knowledge we’re referring to for this book. As with the assumption mentioned previously, we will provide explanations and guidance as we describe enterprise technology to support you. If you meet these prerequisites, you’re well prepared to begin. If you find some concepts still unfamiliar, don’t be discouraged; this book is designed to bridge gaps in your knowledge and build a solid understanding from the ground up.

Conventions used There are a number of text conventions used throughout this book. Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Select System info from the Administration panel.” Tips or important notes Appear like this.

Preface

Get in touch Feedback from our readers is always welcome. General feedback: If you have questions about any aspect of this book, email us at customercare@ packtpub.com and mention the book title in the subject of your message. Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form. Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material. If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you! For more information about Packt, please visit packtpub.com.

xix

xx

Preface

Share Your Thoughts Once you’ve read Information Security Handbook, Second Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback. Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Preface

Download a free PDF copy of this book Thanks for purchasing this book! Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook purchase not compatible with the device of your choice? Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost. Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application. The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily Follow these simple steps to get the benefits: 1. Scan the QR code or visit the link below

https://packt.link/free-ebook/9781837632701 2. Submit your proof of purchase 3. That’s it! We’ll send your free PDF and other benefits to your email directly

xxi

1 Information and Data Security Fundamentals Throughout the book, you will be introduced to the various aspects of information security, including key concepts such as confidentiality, integrity, and availability (CIA); the role of governance, risk management, and compliance (GRC); and the importance of creating and maintaining a strong security culture within an organization. The book addresses the technical aspects of information security and delves into the human element, discussing the importance of security awareness and training in building a resilient security posture. The first chapter will provide you with an overview of critical concepts examined throughout this book. You will understand the history, key concepts, and components of information and data security. Additionally, you will understand how these concepts should balance with business needs. In this chapter, we will cover the following topics: • Information security challenges • The evolution of cybercrime • The modern role of information security • Information assurance • The CIA triad • Risk management

Introduction For more than 50 years, computers have aided in advancing humankind. As these devices have become more sophisticated, they have come under increasing attack from those looking to disrupt organizations using these systems. From the first boot sector virus to highly complex nation-state advanced persistent threats, the ability for an adversary to impact an organization negatively has never

2

Information and Data Security Fundamentals

been greater. While the attacker has become more sophisticated, so has our ability to prepare for and defend against the attacker. To ensure that a company is adequately protected, we will go over what it takes to set up an information security program throughout this book.

Information security challenges The dangers that today’s corporations must deal with are extraordinarily complex and pose a serious risk to an organization’s ability to function. These are some of the reasons why mounting an assault has become easy for an adequately motivated adversary: • Phishing and social engineering attacks: Attackers use social engineering tactics to trick users into giving up sensitive information or installing malware. • Malware attacks: Malware is malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. These attacks can be delivered through emails, websites, or other means. • Ransomware attacks: Ransomware is malware that encrypts files on a victim’s computer and then demands payment for the decryption key. • Insider threats: Employees, contractors, or other insiders with access to sensitive information may intentionally or unintentionally cause security breaches. • Advanced Persistent Threats (APTs): These are long-term targeted attacks aimed at stealing sensitive information or disrupting operations. They are often difficult to detect and may involve multiple stages. • Internet of Things (IoT) security: The growing number of internet-connected devices has increased the potential attack surface and created new vulnerabilities for cybercriminals to exploit. • Cloud security: As more organizations move their data and applications to the cloud, they face new security challenges related to the shared responsibility model and data privacy regulations. • Supply chain attacks: These attacks target the vendors, suppliers, and third-party partners that organizations rely on for their products or services. • Mobile device security: Mobile devices are increasingly used for work purposes, and as a result, they are a growing target for cyber attacks. • Artificial intelligence (AI) security: As AI becomes more prevalent in cyber security, attackers find ways to manipulate or evade AI-based security systems. Threats, like the ones mentioned above, can jeopardize an organization by undermining the security of its systems, data, and networks, leading to substantial financial losses and damage to its reputation. Thus, organizations must implement robust security measures to prevent these threats from becoming a reality.

Information security challenges

From a historical perspective, the initial design and development of computer systems did not prioritize security. Early computers were used for research and academic purposes, and the threat of cyber attacks was relatively low. The focus at the time was on developing the functionality and performance of the systems, with little consideration given to security. The significance of security became increasingly clear over time as computer systems grew and became more integrated. However, retrofitting security measures onto existing systems was often complex and costly. Moreover, many early computer systems were developed using programming languages not designed to provide adequate security. This lack of focus on security made it easy for attackers to exploit vulnerabilities and gain unauthorized access to systems and data. The design of computer systems was also heavily influenced by the desire to make them easy to use and accessible to as many people as possible. As a result, many security features were sacrificed in favor of convenience, leading to insecure systems. Additionally, the internet and the growing reliance on networked systems created more security challenges. The internet was not originally intended to provide a secure environment and many protocols and standards used for communication at the time were not designed with security in mind. In the past, computers were built with trust in mind. Designers did not consider that criminals would exploit their systems to harvest the valuable assets they contained. Therefore, security became bolt-ons or bandages to solve an inherent problem. This problem started with the first computers and still continues today. If you look at a modern computer science program, cybersecurity is often not included. This lack of focus on security, where products are expected to have bugs and vulnerabilities when released to the consumer, leads us to a modern internet overflowing with vulnerable software and operating systems that require constant patches. The typical person’s access to computational power has significantly increased over the past few decades. The processing of organizational data and connecting to corporate networks using individually owned devices—both authorized and unauthorized—has increased. Unfortunately, many of these devices are not properly secured and have been set up with the needs of individual convenience in mind rather than the security precautions that businesses require. This results in an exploitable point of entry into an organization’s enterprise network that is challenging to monitor. Many businesses consider information security to be a productivity killer. Business leaders of all levels—from CEOs to IT implementers—often avoid discussing security out of concern that it would impede their organization from fulfilling its objective. Implementing security within a project Systems Development Life Cycle (SDLC) may be resisted, as team members may believe security will prevent a project from being completed on time. Users may oppose capabilities such as Secure Access Service Edge (SASE) or multi-factor authentication because they worry they won’t be able to access business data when needed to perform their tasks.

3

4

Information and Data Security Fundamentals

Tip SASE is a cloud-based approach to technical cybersecurity services for organizations with distributed data, devices, and users. Key features include a cloud-native architecture, identity-driven policies, support for “edges” such as endpoints and branch offices, integrated SD-WAN, and comprehensive security functions such as SSL decryption, malware detonation, and data loss prevention. Overcoming these challenges requires a security leader to understand the organizations they support and be involved in all lines of business. The information security professional must ensure that they work with business leaders to understand the needs of their specific mission area. Information security must offer solutions to the business leader’s challenges rather than adding new challenges for the business leader to solve. Additionally, the information security professional must collaborate effectively with their counterparts in information technology. Many information security professionals focus on dictating policy without discussing what is needed—which is fostering a relationship where the information security group is sought out for answers rather than avoided.

Evolution of cybercrime The evolution of cybercrime is a complex and ever-changing landscape. With the advent of the internet and its widespread adoption, the opportunities for cybercriminals have grown exponentially. As technology advances rapidly, so do the techniques and tactics employed by those seeking to exploit vulnerabilities in the digital world. As computer systems have become integral to the daily functioning of businesses, organizations, governments, and individuals, we have learned to put tremendous trust in these systems. As a result, we have placed critical and valuable information on them. Where there is value, you will find someone willing to take advantage of the situation and attempt to profit from someone else’s misfortune. Before these highly interconnected computer systems, people had to interact physically with the world to commit a crime, significantly increasing their risk of being apprehended. A criminal would have to physically attack an institution, as with a bank robbery, or an individual on the street to access valuables immediately. In the case of data theft, the criminal would need to break into a building and sift through files looking for information of the most significant value and profit. In our modern world, criminals can attack their victims from a distance, providing them with greater safety and less chance of getting caught. In the early days of the internet, cybercrime primarily revolved around hacking and the creation of computer viruses. Hackers aimed to penetrate computer systems without authorization, with motivations ranging from curiosity to financial gain. These early hackers typically worked independently, and many in technology viewed their actions as a minor annoyance. In the 1970s, criminals began exploiting the tone system utilized on the phone network, a technique known as phreaking. Attackers could make long-distance calls without incurring charges by reverse-engineering the telephone companies’ tones.

Evolution of cybercrime

The first computer worm on the internet occurred in 1988. Named the Morris worm after its creator, Robert Morris, it caused severe damage to organizations. Despite not being initially intended as malicious, the worm still caused significant harm. The US Government Accountability Office estimated the damages as severe as $10 million. The following year, 1989, saw the emergence of the first-known ransomware attack, which targeted the healthcare industry. The attacker, evolutionary biologist Joseph Popp, distributed 20,000 floppy disks across 90 countries, claiming that the disks contained software that could analyze an individual’s risk factors for contracting the AIDS virus. However, the disk also included malware that, when executed, displayed a message demanding payment for a software license. Over time, ransomware attacks have evolved to target many industry sectors, posing a significant threat to organizations. The 1990s marked the advent of the web browser and email, providing cybercriminals with new tools to exploit and expand their reach. Before this, cybercriminals had to make physical transactions, such as giving a floppy disk to their intended target. With the widespread adoption of web browsers, cybercriminals could transmit virus code over the internet, exploiting the vulnerabilities in these newly developed tools. They leveraged their knowledge from the earlier era and adapted it to operate over the internet with devastating results. Additionally, cybercriminals began employing phishing attacks, enabling them to reach out and con people from a distance. They no longer had to engage with individuals directly but could attempt to trick millions of users simultaneously. Even if only a tiny percentage of people took the bait, cybercriminals stood to make a substantial profit. The 2000s saw the rise of social media, which in turn resulted in the emergence of identity theft as a significant cybercrime. The creation of internet-connected databases containing millions of user records was an irresistible target for cybercriminals. The general public’s lack of awareness of cybersecurity and the abundance of personal information on social media platforms allowed cybercriminals to commit various types of financial fraud. These crimes included opening bank accounts and credit cards in the name of others and taking advantage of stolen personal information. Today, the increasing sophistication of cybercriminals and the vast opportunities provided by the internet have resulted in the proliferation of cybercrime across multiple fronts. As computer systems advance in speed and complexity, cybercriminals have grown increasingly sophisticated in their methods, making it more challenging to identify and apprehend them. One of the most common forms of cybercrime we see today is phishing. These attacks are often highly targeted and can be challenging to detect, making them a favorite tool of cybercriminals. An example of a highly targeted phishing attack is a Business Email Compromise (BEC) scam. With a BEC scam, cybercriminals impersonate senior executives or key personnel to request payments or access sensitive information. BEC scams are often highly sophisticated and can result in significant financial losses. Another important concern in the world of cybercrime is the use of botnets. Botnets are networks of compromised devices that are controlled remotely by cybercriminals. Botnets can be used for various purposes, including launching Distributed Denial of Service (DDoS) attacks, mining cryptocurrency, and spreading malware. In addition to the preceding examples, cybercriminals have targeted online banking systems, cloud storage services,

5

6

Information and Data Security Fundamentals

and other online platforms. They can use a variety of tactics, such as social engineering, malware, and hacking, to gain access to sensitive data and carry out criminal activities. The following figure offers an overview of the evolution of cybercrime from the 1970s to the present day.

Figure 1.1 – Evolution of cybercrime

Cybercrime is a complex and ever-changing threat that affects individuals and organizations worldwide. It encompasses various forms of criminal activity, including phishing, ransomware, financial fraud, and the exploitation of Internet of Things (IoT) devices. To combat the threat of cybercrime, it is essential to remain vigilant, informed, and proactive in implementing robust security measures to protect yourself and your organization.

The modern role of information security Information security has changed over the years and now plays an important role in information technology and as a part of business operations. When information security first became a discipline, it focused on securing IT configurations and putting security tools in place. As time progressed, it became apparent that you cannot properly secure an IT environment without understanding the needs of an organization’s business leaders. Now, information security leaders work to ensure that the business maintains its ability to serve its customers by embedding information security protection in business operations.

Information assurance

Information technology security engineering Information technology security engineering is the application of security principles to information technology to protect against potential cyber threats and attacks. The practice involves designing, implementing, and maintaining security measures to safeguard critical data, systems, and networks from unauthorized access, modification, or destruction. Security engineering is a crucial part of an organization’s overall security strategy. Ensuring that an organization’s systems are secure from the outset is essential to ensuring that an infrastructure is developed without vulnerabilities and that any necessary countermeasures are implemented to reduce the risk of a successful cyber attack for a given architectural component. The scope of information technology security engineering is vast today, encompassing devices ranging from servers in your organization to refrigerators in your customers’ homes or break rooms. With the emergence of IoT devices, appliances such as refrigerators may require security engineering to be part of their overall design life cycle. With the explosion of IP-addressable devices, these IoT systems are essentially mini servers that can present potential vulnerabilities. In addition, it is essential to consider the security requirements for non-networked or air-gapped devices. Although such devices are not connected to the internet, they can still be configured and may report back through out-of-band means, such as USB thumb drives, providing an avenue for attackers to exploit. The role of information technology security engineers is critical in today’s rapidly evolving cyber landscape, where new threats and attack vectors are constantly emerging. To address these potential threats, a mature organization should have dedicated staff focused on information technology security concerns. They must stay current with the latest security technologies, best practices, and regulations to ensure that systems are secure and compliant with relevant security standards. These professionals work closely with business and information technology leadership and team members to secure IT systems and safeguard the environment from attackers. They work to align security measures with business objectives and ensure that security risks are effectively managed. By doing so, organizations can effectively manage security risks, ensure compliance with relevant standards, and protect their digital assets.

Information assurance Information assurance (IA) maintains the confidentiality, integrity, and availability of information and protects information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. IA professionals work closely with business and IT leadership to thoroughly understand the confidentiality, integrity, and availability requirements for a given dataset, business process, or IT system to implement adequate security controls and ensure compliance with relevant laws, regulations, and industry standards. IA is critical to the success of organizations where cyber threats are constantly evolving and becoming more sophisticated. A successful IA program requires a holistic approach considering people, processes, and technology. Ultimately, IA is essential for maintaining the trust and confidence of customers, stakeholders, and partners in the organization’s ability to protect sensitive information. The activities related to IA guide IT security activities on the specific technical

7

8

Information and Data Security Fundamentals

controls required to safeguard business and mission systems. The following figure visually illustrates the responsibilities and roles of IA professionals.

Figure 1.2 – The role of IA

The CIA triad The CIA triad is at the core of information security. This model is used to help the information security professional think about how best to protect organizational data. The CIA triad describes the fundamental objectives of information security and guides the implementation of security measures to protect information and information systems: • Confidentiality pertains to the secrecy or privacy of data. To ensure confidentiality, mechanisms such as encryption should be implemented to render data useless if accessed without authorization. Confidentiality ensures that sensitive information is only accessible to authorized individuals or entities. • Integrity refers to the accuracy and consistency of information. Data mustn’t be modified in an unauthorized manner, and appropriate safeguards must be in place to detect and respond to unauthorized changes in a timely manner. Integrity ensures that information is accurate, complete, and trustworthy. Measures such as data validation, checksums, digital signatures, and backups can be employed to ensure data integrity. • Availability ensures that information is accessible to authorized individuals or entities when required and that information systems are available when needed and are not subject to disruptions or downtime. Availability can be achieved by implementing various capabilities, such as redundancy, fault tolerance, disaster recovery planning, and backup systems. This model, which focuses on confidentiality, integrity, and availability, enables organizations to implement security measures that protect sensitive data and information:

The CIA triad

Figure 1.3 – The CIA triad

To effectively implement the CIA triad, organizations must first identify their most sensitive information and systems and then implement appropriate security measures based on the level of risk and threat.

Organizational information security assessment Developing a viable information security program requires a thorough assessment of your organization and a deep understanding of implementing the most effective security controls that add value to your business while considering financial responsibility and organizational risk. Instead of starting by criticizing and pointing out flaws, it’s crucial to listen and understand how your organization operates. There are often valid reasons behind established practices, and it’s necessary to comprehend these reasons to effectively introduce change in your organization. However, it’s essential to note that, if you identify high-risk items during the initial assessment, you should inform management promptly to ensure timely remediation. In today’s digital economy, sharing information is often necessary for organizations to succeed. However, to implement a successful information security program, it’s crucial to categorize data correctly and ensure that only authorized individuals have access. To determine which data should be accessible to whom within your organization, you must examine your data and consider your staff, business partners, vendors, and customers. This process will enable you to identify which individuals require access to particular data types.

9

10

Information and Data Security Fundamentals

Two primary methods for assessing the information security of an organization’s IT and business processes are internal assessment and third-party assessment: • Internal assessment: This approach involves evaluating an organization’s security posture using internal resources. An internal security team can review and analyze the organization’s IT and business processes through surveys, interviews, and documentation reviews. An internal assessment can provide a more detailed analysis of the organization’s security posture, as the internal team is already familiar with its IT and business processes. Furthermore, it may be more cost-effective than an external assessment. However, it has some limitations, such as expertise and objectivity concerns. If an organization’s information security program lacks the necessary skills to conduct a comprehensive information security assessment or prioritizes third-party assessments over internal ones, an initial internal evaluation can be performed to provide context for a more detailed third-party review. If your organization does not require a third-party assessment and if you have the resources and skills to complete an information security assessment, the internal information security program can plan and execute its assessment without planning for third-party resources. • Third-party assessment: This method involves hiring an external security firm or consultant to assess the organization’s security posture. A third-party assessment can be conducted using vulnerability scans, penetration testing, and compliance/security audits. This assessment can provide an unbiased and objective analysis of the organization’s security posture. A third-party assessment provides an objective view of the organization and can often be used to arbitrate between the information security group and IT operations. The third party brings an unbiased observer to develop the organization’s assessment, alleviating potential internal conflict. This is usually the only mechanism for an assessment relating to compliance where an unbiased third party is required. Based on my experience, the most effective approach to starting an information security program is a hybrid approach that involves both an initial internal assessment and a third-party assessment. The following steps can be taken: 1. Initially conduct an initial internal assessment. As an information security leader, it is essential to understand the organization’s business and IT processes. Meeting with business and IT leaders and subject-matter experts to do this is recommended. Conducting these meetings will help identify areas for improvement but also where you can celebrate current success and where activities are already being undertaken securely. Documenting these findings is crucial to help you brief leadership of your conclusions. Based on your assessment, it may be necessary to recommend that a third-party assessment be conducted to dig deeper.

Risk management

2. Conduct a third-party assessment utilizing the information gathered from the internal assessment. When performing a third-party assessment, work with IT leadership and subject-matter experts to discuss the purpose of the assessment. It should be clear that the assessment is not punitive and aims to build a plan and roadmap for improvement. The goal is not to point out mistakes or target individuals. Top-level management within the organization should approve and show their buy-in and support to ensure the success of the assessment. This support will ensure that everyone involved takes the assessment seriously and that appropriate resources are applied to review the organization. Once everything is in place, conduct the assessment and produce the findings. Once this is completed, the results can be used to develop an effective plan to improve the organization’s security posture. 3. A hybrid approach combining an initial internal assessment and a third-party assessment is an effective way to assess an organization, whether you are in the start-up phase of an information security program or already have one in place. A comprehensive organizational information security assessment is needed when developing an information security program for your organization. Utilizing a hybrid approach that combines an initial internal assessment and a third-party assessment can effectively identify areas for improvement and provide a roadmap for enhancing the organization’s security posture. By thoroughly evaluating the organization’s security posture both internally and with an external party, leaders can identify areas for improvement and develop a plan to improve the security posture of the organization.

Risk management Once you have assessed the organization, it is necessary to conduct a risk assessment using the assessment data. Prioritizing the activities to be implemented in your security program can be done during the risk assessment process. To ensure that your prioritization aligns with the organization’s goals, you should incorporate the input of organizational leaders during the risk assessment. Since implementing an information security program involves organizational change, presenting your plan in business and IT terms is crucial. This approach will help you gain the approval of leadership and provide the authority and funding to make the required organizational changes. Effective management of an information security program revolves around risk management. The organization’s ability to manage risk determines how it handles vulnerabilities in its IT systems, business processes, and staff. Organizational leaders must grasp how vulnerabilities uncovered during the assessment could affect the organization’s operations and ability to serve customers. Additionally, leadership needs to comprehend the probability of a risk occurring and the extent of the potential impact if such an event happens.

11

12

Information and Data Security Fundamentals

Equipped with the insights gained from the information security and risk assessments, you can create a plan that outlines the specific IT implementations required by the organization. This plan will be based on the priorities established during the risk assessment. The risk assessment enables you to identify the following things: • The top risks within the organization • The most valuable assets of the organization • The risks that are likely to occur • The potential impacts of a risk event With this information, you have all the necessary components to create a robust, evidence-based plan to guide your organization toward implementing contemporary information security practices.

Information security standards Information security standards are comprehensive documents created by professional organizations that guide how to secure an IT system effectively. These standards vary in relevance across different industries, from payment cards to healthcare. They typically encompass all the relevant components associated with the system, including network devices, workstations and servers, software, usersystem interactions, system process interactions, and data transmission and storage. It is crucial to note that information security standards are not mere checklists. Instead, they provide a framework of recommended practices and guidelines to help organizations develop a robust and effective information security program. When incorporating a security standard into your organization, you must carefully examine it and determine how best to integrate it into your enterprise. Typically, security standards do not offer a precise prescription of which tools to use and how to use them. Therefore, it would be prudent to collaborate with your IT and business teams to establish the most suitable tools for the job and how to incorporate them into your infrastructure. It is also critical to remember that implementing a standard does not guarantee that your organization is entirely secure. Falling into the trap of viewing a standard as a checklist could be detrimental. Instead, you must regard information security standards as a starting point. Information security experts ensure they implement standards effectively to secure the organization and mitigate risks to acceptable levels. The following are some of the popular standards used globally for information security: • ISO 27001 and ISO 27002: These requirements offer a framework for organizations to plan and evaluate their security measures. The ISO 27001 standard outlines the requirements for creating and maintaining an Information Security Management System (ISMS). The ISO 27002 standard provides guidelines for implementing an effective ISMS. Additionally, ISO 27001 has a mechanism whereby an organization can contract a third party to verify their security controls and be deemed compliant with the standard.

Risk management

• NIST Cybersecurity Framework: The NIST Cybersecurity Framework is a set of guidelines developed to help private sector entities and critical infrastructure develop a practical, riskbased approach to cybersecurity. The Cybersecurity Framework is flexible and can be adapted to the needs of any organization, regardless of its size, industry, or type. The framework is based on established industry standards and best practices and is designed to be integrated into an organization’s existing cybersecurity program. The framework provides information security activities, outcomes, references, and detailed guidance necessary for planning a well-functioning information security program. • Health Insurance Portability and Accountability Act (HIPAA): The HIPAA of 1996 requires the US Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. The HIPAA Privacy Rule establishes national standards for safeguarding specific health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) outlines a set of security standards for protecting certain health information held or transferred in electronic form. • Payment Card Industry Data Security Standard (PCI-DSS): The PCI-DSS offers a framework for developing data security processes for payment cards, including prevention, detection, and response to security incidents. Major credit card companies created PCI-DSS to protect against credit card fraud and protect the sensitive information of cardholders. PCI-DSS compliance is required for any organization that handles cardholder data, such as merchants, processors, and service providers. The standard outlines specific security requirements that all organizations that process, store, or transmit credit card information must follow to ensure the security of credit card transactions. • Cybersecurity Maturity Model Certification (CMMC): The CMMC is a cybersecurity framework developed by the US Department of Defense (DoD) to assess and enhance the cybersecurity posture of companies that do business with the DoD. CMMC is designed to provide a standardized method for evaluating the cybersecurity practices and procedures of contractors who work on DoD projects. The model establishes three levels of cybersecurity maturity, ranging from basic cyber hygiene practices to advanced cybersecurity practices. CMMC utilizes NIST SP 800-171 as its security standard. 800-171 is a publication created by the National Institute of Standards and Technology (NIST) to provide guidelines for protecting the confidentiality of Controlled Unclassified Information (CUI) in non-federal information systems and organizations. • Cloud Controls Matrix (CMM): The CMM is a cybersecurity framework developed by the Cloud Security Alliance (CSA) to provide a standardized way to evaluate cloud computing services and to help organizations ensure that their cloud environments meet their security and compliance requirements. The CCM is intended to evaluate Cloud Service Providers (CSPs) and assess the security and compliance of cloud environments. Organizations can use the CCM to determine the security posture of their cloud.

13

14

Information and Data Security Fundamentals

Incorporating these standards into your organization can provide a solid foundation for developing an effective information security program. However, it is essential to note that implementing these standards alone does not guarantee your organization’s security. It requires a continual effort by information security professionals to assess risks, identify vulnerabilities, and take necessary actions to mitigate potential security threats.

Information security policies Developing a solid information security program requires a foundational aspect of policy. There are a few fundamental principles to ensure your policies are effective. It is crucial to create policies that you intend to follow. Creating policies for documentation’s sake will not help anyone if they are never implemented. Moreover, policies that are not followed can be used against your organization during audits. It is essential only to create policies that you plan to follow. Ensure that your policies are implementable. There are various ways to meet a security standard, and your policies should reflect how your organization plans to implement them. Avoid including unnecessary points in policies that you do not intend to implement. Instead, focus on the policies that provide adequate risk mitigation and serve to secure your organization. Policy development needs to consider the organization’s appetite for risk. Consider the value of your organization’s information and the consequences if you lose control over that data’s confidentiality, integrity, and availability. Ask yourself whether you are safeguarding trade secrets or sensitive proprietary information for confidentiality. For integrity, does information need to be accurate at all times? Lastly, can the organization effectively operate without its information for availability? You can develop policies that provide practical risk mitigation strategies by answering these questions and understanding your organization’s risk appetite.

Information security training Through techniques such as phishing, human interaction is a primary way to exploit information systems. Attackers use social engineering tactics such as tricking users into running malicious software or providing information system credentials. Knowing this makes establishing a practical training and awareness program a critical defense mechanism. Several key components need to be included to create an effective training and awareness program. Primary media products such as email newsletters, websites, and inclusions in corporate magazines should not overwhelm users. Sending out an email newsletter every week may cause it to end up in the spam folder. Secondary media products such as posters, social media, and giveaways remind users of the information security principles you communicate through other means. The key is to keep the information brief and manageable.

Summary

Yearly information security awareness training is essential, which should include all the information security requirements for users in a single presentation. Computer-based training through a learning management system is preferred as it helps record users who have completed the training and their scores. The training should also include a mechanism to test the user’s understanding without overwhelming them with vocabulary tests. For example, this training should contain information such as understanding not to click on URLs or attachments they do not trust rather than focusing on security industry jargon. Use the yearly training to validate or revalidate users’ acceptance of your organization’s acceptable use policy, covering every aspect. Additionally, events such as lunchtime presentations, webinars, and presenting at corporate, divisional, or team meetings are essential to bringing the information security message to the organization. Webinars are helpful for geographically distributed organizations. Speaking at meetings of teams such as finance or HR can help answer questions that an entire group may have, such as payroll and benefit processors’ concerns about Personally Identifying Information (PII) handling and protections.

Summary This chapter explored the fundamentals of information and data security and set up many topics that will be discussed in greater detail throughout the book. Information security challenges for maintaining information security in modern businesses were discussed. A comprehensive overview of cybercrime, including the historical progression of cyber threats, their nature, and the way they have shaped the information security landscape was provided. This background set the stage for understanding the modern role of information security, demonstrating the need for proactive and comprehensive data protection strategies for organizations. Information assurance, the CIA triad, and risk management were discussed to prepare you for later chapters that will use and further expand on the concepts that serve to ensure information is kept secure and reliable. As we proceed to the next chapter, we will review modern organizational information security threats. This exploration will equip you with the understanding necessary to identify potential vulnerabilities and threats in your information systems and provide insights on preparing for, responding to, and mitigating these threats effectively.

15

2 Defining the Threat Landscape As technology advances, so does the complexity and sophistication of cyber threats. This chapter delves into the ever-changing landscape of information security, aiming to provide a comprehensive understanding of the many threats that information systems face. By exploring the diverse range of adversaries, attack vectors, and motivations driving cyber threats, you will learn how to develop defense strategies to mitigate risks and protect against cyber threats effectively. The following topics will be covered in this chapter: • Understanding organizational context • Threats • Hackers and hacking • Closing information system vulnerabilities

Understanding the organizational context To effectively protect an organization from potential threats, information security professionals must understand what is important to the organization beyond its information technology. To begin this process, information security professionals should examine the organization’s mission and vision statements to understand what the organization does and who its customers are. Understanding this information can help identify the business-critical processes of the organization’s operations and the technology assets that support them. For example, a hospital’s business-critical processes may include medical records on an external internet-facing technology asset. In contrast, a financial institution’s business-critical process may consist of customer financial data on an internally facing technology asset. To take this understanding a step further, information security professionals must also work with all levels of management within the organization. This type of engagement involves reaching out to mission-driven parts of the organization to understand how they apply their mission and vision to their day-to-day work. Through this engagement, information security professionals can identify sensitive information, trade secrets, intellectual property, and business processes to understand the potential impact on the organization if this information were to be provided to a competitor, altered, or

18

Defining the Threat Landscape

destroyed. By focusing on business processes and important data within those functions, information security professionals can establish mission-focused relationships within the organization and find allies who share their concerns. When the highly sensitive processes and information the organization needs to operate have been identified, information security professionals can analyze this information regarding compliance requirements and the organization’s threats. This analysis must consider the organization’s specific context. Organizations may have vastly different responses to securing information systems depending on their industry, the types of information they are trying to protect, and the threats they face. Understanding what is essential for the successful business operations of an organization, as well as establishing mission-focused relationships with the organization’s various mission units, is critical for information security professionals to protect the organization from potential threats effectively. Gathering this information requires focusing on business functions, the essential data within those functions, and a contextual understanding of the organization’s specific industry and compliance requirements. Once the critical business processes and data have been identified, the next step is to evaluate the potential impact of a security breach on each technology asset that supports these business processes. This includes considering a successful attack’s financial, reputational, and operational consequences on an organization. For example, a data breach that results in the loss of customer financial information could result in a significant financial loss and damage to the organization’s reputation. Cybersecurity threats can significantly impact an organization’s business operations and reputation. Understanding how these threats can impact the organization from a business perspective is crucial to prioritizing and allocating resources to address them adequately. One of the most obvious impacts of a cybersecurity breach is financial losses. A breach can result in stolen funds, lost revenue, and legal fees associated with remediation efforts. For example, suppose customer credit card data is compromised in a data breach. In that case, the organization may be liable for fraudulent charges made with those cards, which can result in significant financial losses. Another potential impact of a cybersecurity breach is damage to the organization’s reputation. A breach can erode customer trust and confidence in the organization, leading to decreased sales and difficulty attracting new customers. In some cases, a breach can result in legal action or regulatory fines, further damaging the organization’s reputation. In addition to financial losses and damage to reputation, a cybersecurity breach can also impact an organization’s ability to carry out its business operations. A breach can result in systems downtime or data loss, disrupting normal business processes and resulting in lost productivity. A breach can have a ripple effect throughout the organization and impact multiple areas, such as supply chain management, customer service, and marketing. Once the organizational context has been determined, it is essential to integrate cybersecurity with business operations. Alignment involves ensuring that cybersecurity measures align with the organization’s goals and objectives and do not disrupt business processes. One of the key ways to integrate cybersecurity with business operations is to involve key stakeholders in the process. This

Threats

engagement includes business leaders, IT professionals, and cybersecurity professionals. By involving key stakeholders in the process, it is possible to ensure that cybersecurity measures are designed with the organization’s goals and objectives in mind and integrated into existing business processes.

Threats Cybersecurity threats are risks or vulnerabilities compromising the confidentiality, integrity, or availability of digital information, systems, or networks. Cyber threats can be caused by various sources, including cybercriminals, hackers, insiders, or even accidental actions by employees. With the proliferation of technology and the growing reliance on digital infrastructure, cybersecurity threats have become more sophisticated, frequent, and costly, posing significant risks to individuals, organizations, and even entire nations. The cybersecurity threat landscape is constantly evolving, and the specific threats that organizations face can vary depending on factors such as industry, size, location, and other factors. Coming up are some of the most common and dangerous cybersecurity threats that organizations may face.

Phishing attacks Phishing is a common cyber-attack that aims to trick individuals into providing sensitive information, such as usernames, passwords, credit card details, or personal information. Phishing attacks are typically carried out through deceptive email messages, including links and attachments that mimic legitimate sources, such as banks, social media, or online stores. Phishing attacks rely on social engineering tactics to exploit human weaknesses, such as curiosity, urgency, or trust, and can cause significant damage to individuals and organizations. A common type of phishing attack is spear-phishing, which targets specific individuals or organizations with personalized messages tailored to their interests, job roles, or relationships. Spear-phishing attacks often involve extensive research and surveillance to gather information about the target, such as their social media profiles, job titles, or recent events, to make the message appear more convincing and relevant. Business email compromise (BEC) is another type of phishing attack that targets organizations with messages that appear to be from a trusted source, such as an internal organizational division, a supplier, or a partner. BEC attacks often involve impersonating a legitimate group or individual or using social engineering tactics to trick employees into providing sensitive information or authorizing fraudulent payments. BEC attacks can cause significant financial losses, especially involving wire transfers or electronic payments. The consequences of phishing attacks can be severe for individuals and organizations. Phishing attacks can result in financial losses, identity theft, or reputational damage, especially if they involve sensitive data or high-profile targets. Phishing attacks can also lead to further cyber-attacks, such as malware infections or ransomware attacks, that can cause even more damage. Technical measures such as antivirus software or spam filters can help block or detect phishing messages. Organizational measures, such as policies, procedures, or training, can help raise awareness and promote good cybersecurity practices, such as using strong passwords, verifying sources, or reporting suspicious activities.

19

20

Defining the Threat Landscape

Ransomware Ransomware is malicious software (malware) that encrypts an organization’s data and demands payment for the decryption key. Ransomware attacks can devastate an organization. These attacks can cause significant financial losses, reputational damage, or even operational shutdowns. No organization is immune to the threat of ransomware, as small businesses and large enterprises can fall victim to these attacks. Ransomware attacks typically begin with the infection of a single device or system, such as a workstation, server, or mobile device, through a vulnerability or a phishing attack. Once the malware is installed, it encrypts the infected machine’s data, making it inaccessible to the user or the organization. The ransomware then displays a message or a warning, usually in the form of a pop-up window or a text file, that demands payment in exchange for the decryption key. The ransomware message may also threaten to delete or leak the data if the ransom is not paid within a specific time frame. Ransomware attacks can be carried out through various types of malware. Some examples of these malware variants are CryptoLocker, WannaCry, and Locky. Some ransomware attacks may use advanced techniques, such as obfuscation, encryption, or polymorphism, to evade detection by security software or to make it more difficult to recover the encrypted data. Ransomware attacks can also involve anonymous payment methods, such as Bitcoin or other cryptocurrencies, making tracking the attacker’s payment or identity more difficult. The consequences of a ransomware attack can be severe, both for the affected organization and its customers, partners, or suppliers. Ransomware attacks can cause significant financial losses, as organizations may need to pay a ransom or incur additional costs for data recovery, forensic analysis, or legal fees. Protection can include anti-malware software, intrusion prevention systems, and verified data backups, allowing organizations to recover their data in case of a ransomware attack. It is important to note that data backups must be regularly tested and updated to ensure their effectiveness and that a ransomware attack has not adversely affected an organization’s backups. In addition to prevention and mitigation activities, an organization can prepare for a ransomware attack by ensuring the cybersecurity incident response plan includes ransomware-specific considerations. This plan will help an organization detect, contain, and recover from a ransomware attack, minimizing damage and reducing downtime.

Malware Malware is a broad term that describes any software designed to harm or disrupt computer systems, networks, or devices. Malware is a significant cybersecurity threat that can take many forms, including viruses, worms, trojans, spyware, adware, and ransomware. Malware can cause substantial damage to organizations and individuals by stealing data, damaging systems, or disrupting operations. A common type of malware is a virus. A virus is a self-replicating program that can infect files, applications, or system boot sectors. Once a virus infects a system, it can spread rapidly, causing significant damage to a system’s files. Another type of malware is a worm, a self-replicating program that can quickly spread across networks, infecting multiple devices and systems. Worms can cause

Threats

significant damage to networks by consuming bandwidth or causing system crashes. Trojans are a type of malware that masquerades as legitimate software or applications. Once a trojan infects a system, it can steal data, create backdoors, or download additional malware. Spyware is malware that collects data from a device or system without the user’s knowledge or consent. Spyware can collect sensitive data such as passwords, credit card numbers, or personal information. Malware attacks can cause a range of problems for both individuals and organizations, including financial losses, reputational harm, and identity theft. The impact can be especially severe if the malware targets or exfiltrates sensitive data or high-profile targets. Additionally, malware attacks can trigger further cyber-attacks, such as ransomware attacks, which can result in even more significant damage.

Distributed denial-of-service attacks Distributed denial-of-service (DDoS) attacks are a significant cybersecurity threat that can disrupt online services and cause substantial financial losses for businesses. DDoS attacks involve overwhelming a website, server, or network with traffic from multiple sources, rendering it inaccessible to legitimate users. DDoS attacks can be carried out through various means, such as botnets, DNS amplification attacks, or application layer attacks. Botnets can be used to execute DDoS attacks. Botnets are networks of compromised devices, such as computers, smartphones, or IoT devices, that a single attacker or group of attackers controls. Botnets can launch DDoS attacks by sending a large volume of traffic to the target, overwhelming its resources, and making it unavailable to legitimate users. Botnets can be created through malware infections, phishing scams, or social engineering tactics. A DNS amplification attack exploits Domain Name System (DNS) vulnerabilities to generate massive traffic and overwhelm a target server or network. In a DNS amplification attack, the attacker sends a large number of DNS queries to open DNS resolvers, requesting information about a specific domain name. The attacker spoofs the source IP address of the requests so they appear to come from the target server or network. When the open DNS resolver receives the request, it responds with a much larger packet of data than the original query. This attack can occur because many DNS responses are larger than the corresponding queries due to the use of Domain Name System Security Extensions (DNSSEC) and other security measures. The attacker can then use the amplified response to flood the target server or network with traffic, overwhelming its resources and making it inaccessible to legitimate users. Application layer DDoS attacks, also known as Layer 7 DDoS attacks, are DDoS attacks that target the application layer of a website or server. Unlike other DDoS attacks that focus on the network layer, application layer attacks aim to exhaust the resources of the target server or website by overwhelming it with requests that mimic legitimate user traffic. Application layer DDoS attacks use bots or malware that flood the target website or server with HTTP, HTTPS, or other application layer requests, such as database queries or user registrations. These requests can be challenging to distinguish from legitimate traffic because they resemble legitimate user activity, making them hard to block or filter.

21

22

Defining the Threat Landscape

Content Delivery Networks (CDNs) can be used to defend against DDoS attacks by distributing the traffic across multiple servers, reducing the attack’s impact on any single server. CDNs work by caching content on multiple servers geographically so that users can access the content from a server closest to their location. This architecture not only speeds up the delivery of content but also provides redundancy, making it more difficult for attackers to overwhelm any single server.

Insider threats Insider threats refer to malicious activities or negligence by employees, contractors, or business partners who access sensitive information, systems, or networks and can be challenging to detect and mitigate. There are several types of insider threats, including accidental or unintentional, negligent, and malicious insider threats: • Accidental or unintentional insider threats occur when an employee or contractor inadvertently causes harm or damage to the organization by misconfiguring a system or sending an email to the wrong recipient. • Negligent insider threats occur when employees or contractors disregard security policies or procedures, such as using weak passwords or clicking suspicious links. • Malicious insider threats are the most dangerous and occur when employees or contractors intentionally cause harm or damage to the organization. Malicious insider threats can take many forms, including the theft of sensitive information, sabotage of systems or networks, or unauthorized access to sensitive data. Organizations can implement security controls to monitor and detect insider threats. These controls can include access controls, such as role-based access control, multi-factor authentication, or privilege escalation monitoring, to ensure that employees only have access to the information and systems they need to perform their job duties. Organizations can also implement security monitoring and auditing tools, such as log analysis and anomaly detection, to detect unusual behavior or activity by employees or contractors.

Advanced Persistent Threats Advanced Persistent Threats (APTs) are a type of cyber-attack that targets specific organizations, governments, or individuals to gain unauthorized access to sensitive information or cause harm to the target. Unlike cyber-attacks that use simple and indiscriminate techniques, APTs are highly targeted and sophisticated, often relying on multiple stages of attacks and leveraging zero-day vulnerabilities to evade detection. APTs typically involve a well-funded, well-organized, and highly skilled group of hackers willing to invest significant time and resources in their attack campaigns. Several characteristics define APTs. Some of them are as follows: • APTs are highly targeted, allowing the attackers to understand the target’s infrastructure, operations, and vulnerabilities, making it easier to develop customized attack strategies

Threats

• APTs are also persistent and designed to remain undetected for an extended period • APTs may use lateral movement techniques, moving laterally across the network, exploiting different vulnerabilities, and hiding their activities Detecting APTs can be challenging, as they are designed to remain undetected for an extended period. Traditional security measures such as firewalls and anti-malware software may not be sufficient to detect APTs. Instead, organizations must adopt a more proactive approach involving continuous monitoring, threat intelligence, and advanced analytics. This approach can help organizations detect APTs early in the attack life cycle, allowing them to take appropriate action before significant damage occurs.

Social engineering attacks Social engineering attacks are cybersecurity threats that target human vulnerabilities rather than exploit technical weaknesses in an organization’s infrastructure. Social engineering attacks rely on psychological manipulation to deceive individuals into disclosing sensitive information or performing actions that may compromise an organization’s security. Social engineering attacks typically involve using various tactics to deceive individuals, including phishing. Social engineering attacks rely on deception and manipulation to achieve their objectives. Attackers use various tactics, such as phishing emails, pretexting phone calls, and baiting schemes, to deceive individuals into performing actions that may compromise an organization’s security. These attacks are typically low-tech and do not require significant technical expertise. Attackers can use simple tactics such as sending a convincing phishing email or a pretexting phone call to achieve their objectives. Detecting social engineering attacks can be challenging as they rely on deception and manipulation to achieve their objectives. Organizations must embrace a security culture with regular employee training on cybersecurity best practices and incident response procedures. This training can help employees identify and respond to social engineering attacks, reducing the risk of successful attacks.

Supply chain attacks Supply chain attacks are cybersecurity threats that target the interconnected network of vendors and suppliers supporting an organization’s operations. These attacks typically exploit vulnerabilities in the supply chain to gain access to sensitive information or systems within the organization. Supply chain attacks often exploit vulnerabilities in third-party vendors or suppliers that access an organization’s systems or data. These vendors may be small or medium-sized businesses with limited security resources, making them attractive targets for attackers. Supply chain attacks can be challenging to detect, as they often involve a series of compromises across multiple organizations. Attackers may use multiple layers of obfuscation and encryption to evade detection and gain access to sensitive information. Compromised vendors can be used as entry points into an organization’s network, allowing attackers to move laterally and access sensitive information or systems.

23

24

Defining the Threat Landscape

Detecting supply chain attacks can be challenging as such organizations need to adopt a more proactive approach that includes supply chain risk assessments, vendor management, and threat intelligence. Supply chain risk assessments can help organizations identify and mitigate potential vulnerabilities in their supply chain. Assessments may include evaluating the security practices of vendors and suppliers and analyzing the potential impact of a supply chain compromise on the organization’s operations. Organizations must establish clear policies and procedures for working with vendors and suppliers, including security controls, data protection, and incident response requirements. Regular monitoring and auditing of vendor activities can help detect suspicious behavior and mitigate the risk of a supply chain attack. Safeguarding sensitive information, systems, and networks is a shared responsibility that demands constant vigilance and adaptability. By staying informed about the latest threat trends, individuals and organizations can improve their defenses and navigate the ever-changing cybersecurity landscape more confidently.

Hackers and hacking Hackers can be broadly categorized into several types with unique motives, skills, and methods. Understanding these different types of hackers is essential for individuals and organizations to protect against the various cybersecurity threats they pose. Knowing the workings of different kinds of hackers can enable organizations to anticipate potential cybersecurity threats and create better strategies to secure their systems. As technology continues to evolve, new types of hackers may emerge. By staying informed about the latest trends and the methods hackers use, individuals and organizations can remain vigilant and implement proactive security measures. It is essential to have conversations about different types of hackers to understand an organization’s threats and foster a security culture in which individuals know the risks and take measures to protect their digital assets.

White hat/ethical hacker A white hat or ethical hacker is an individual who applies their expertise in computer systems to identify and expose vulnerabilities in information security protocols, with the consent and knowledge of the system owner. Unlike black hat hackers, who engage in malicious activities, white hat hackers typically provide their services as penetration testers, simulating attacks on information systems to help organizations strengthen their security defenses. These professionals use their technical skills to uncover weaknesses in computer networks, software applications, and other digital infrastructures to improve the security of the systems they are testing.

Black hat hacker A black hat hacker is an individual who exploits vulnerabilities in a computer system for personal gain or malicious intent without the knowledge or consent of the system’s owner. These individuals are

Hackers and hacking

involved in criminal activities, such as stealing confidential information, spreading malware, or even blackmailing individuals or organizations for financial gain. Black hat hackers are the driving force behind the widespread proliferation of cybercrime and pose a significant threat to global cybersecurity. The term black hat was inspired by Western movies, in which the antagonists often wore black hats to symbolize their evil intentions. Black hat hackers use various techniques, including social engineering, phishing, and brute force attacks, to gain unauthorized access to computer systems. They exploit software, hardware, and human behavior weaknesses to bypass security measures and steal sensitive data.

Gray hat hacker A gray hat hacker is an individual who falls somewhere between a black hat and a white hat hacker. These individuals typically hack into a computer system to identify vulnerabilities, but their intentions may not always be clear. Some gray hat hackers may notify a system owner of their discovered weakness and offer to fix it for a fee. Other gray hat hackers may publish their findings to the internet to showcase their skills or force a vendor to fix a software package. However, it is essential to note that hacking without the permission of the information system owner is illegal and can result in severe consequences. Even gray hat hackers with good intentions may be subject to legal action if they do not have explicit permission to test or assess a system’s security.

Blue hat hacker A blue hat hacker is an information security professional invited by software or hardware vendors to test their products for vulnerabilities. Blue hat hackers are similar to white hat hackers in that they are committed to improving the security of computer systems and protecting against cyber threats. Their testing involves identifying potential security flaws or bugs that attackers could exploit. By finding these vulnerabilities before the product is released, vendors can address them and improve the security of their products.

Script kiddie A script kiddie is an individual who uses automated hacking tools and scripts developed by other, more skilled hackers to attack computer systems. These individuals often lack the knowledge and experience to create tools or develop sophisticated attack methods, so they rely on pre-existing scripts and tools to carry out their attacks. This access to tools means that even individuals with minimal technical knowledge can launch attacks on a computer system. Script kiddies are often motivated to cause chaos. However, their lack of knowledge and experience can often result in unintended damage or even compromise their computer systems. Experienced hackers know how to avoid detection and cover their tracks, making it difficult for law enforcement to apprehend them. On the other hand, script kiddies may be much easier to track down because they lack this skill set. While script kiddies may threaten computer systems, their lack of skill and knowledge limits their ability to carry out sophisticated attacks. However, their impact can still be substantial.

25

26

Defining the Threat Landscape

Hacktivist A hacktivist is an individual who uses their computer security knowledge to promote a political or social agenda by attacking organizations that they believe represent a threat to society. While hacktivists may use similar techniques to black hat hackers, their motivations and goals are different. Hacktivists often launch cyber-attacks against government agencies, corporations, or other organizations that they believe are engaging in unethical or illegal activities. They may deface websites, steal confidential information, or use other cyber vandalism to draw attention to their cause.

Nation-state attacker A nation-state attacker is an individual or group sponsored by a government to carry out cyberattacks on other countries, organizations, or individuals. These adversaries are highly skilled and have access to significant resources, including advanced technology and funding. Nation-state activities are best described as cyber warfare, where the attacker is motivated to engage in espionage and sabotage against another country or target. Nation-state actors may seek to compromise military targets, critical infrastructure, political organizations, or private sector/non-profit intellectual property. Their motivations may range from political or economic gain to national security concerns or even acts of terrorism. Nation-state attackers often use sophisticated and advanced techniques, including zero-day exploits, social engineering, and APTs, to infiltrate their targets’ computer systems. Nation-state attacks pose a significant threat to global cybersecurity and can have far-reaching consequences. Therefore, governments, organizations, and individuals must remain vigilant against these threats and take appropriate measures to protect themselves.

Penetration testing Penetration testing is an authorized simulation of an information system attack designed to identify vulnerabilities a black hat hacker could exploit. It is an essential component of an information security program and helps organizations find hidden vulnerabilities that cannot be easily detected through automated means. While many organizations implement vulnerability assessment tools, penetration testing is crucial because it allows information security professionals to systematically break into an information system even when a vulnerability scanner has not found any vulnerabilities. The penetration testing process requires highly skilled and experienced professionals to use their knowledge of information security to assess the security posture of a system. A penetration testing engagement conducted by a white hat or ethical hacker can include social engineering activities. Those activities may consist of collecting trash from trash cans and dumpsters to look for passwords and intellectual property, pretending to be a helpdesk technician to retrieve user passwords, and launching social engineering attacks such as phishing and spear-phishing. Penetration testing can also include web-based application attacks, vulnerability scanning, port scanning, and more. The penetration testing process is designed to simulate a real-world attack and

Hackers and hacking

identify the vulnerabilities that attackers could potentially exploit to gain unauthorized access to a system or sensitive data. The results of a penetration testing engagement are used to inform information security program stakeholders, including executives, IT professionals, and developers, about the vulnerabilities that have been identified and provide recommendations on how to remediate them. Organizations can improve their overall security posture and reduce the risk of a successful cyber-attack by identifying and addressing vulnerabilities before they can be exploited. Organizations should consider incorporating penetration testing into their overall testing methodology to ensure the security of their systems and data.

Cybercrime Cybercrime is any criminal activity involving a computer, either as the target or as a tool to carry out the crime. Cybercrime can be committed by individuals and organized criminal gangs, significantly impacting the global economy. The threat of cybercrime is increasing at an alarming rate. According to Cybersecurity Ventures, the cost of cybercrime is expected to reach $8 trillion by 2023 and is projected to grow to $10.5 trillion by 2025. These staggering numbers highlight the urgent need for organizations and individuals to take proactive steps to protect themselves against cyber threats. One of the most common types of cybercrime is fraud and financial crime. These crimes involve the misrepresentation of facts intending to manipulate another individual or organization into doing or not doing an activity that causes a financial loss. Computer fraud can occur in various ways, including altering, suppressing, destroying, or exfiltrating electronic data. Forms of computer fraud include identity theft, extortion, and bank fraud. Cyber extortion is another form of cybercrime that occurs when an organization is subjected to repeated attacks by an attacker who demands money to stop the attacks. These crimes can take the form of Denial of Service (DoS) attacks or ransomware attacks, where the attacker blocks access to a system or data until the victim pays a ransom. Cybercrime is a constantly evolving threat, requiring a coordinated and multi-layered approach to combat. Organizations must take measures to protect their systems and data.

Exploits Exploits are among the primary tools attackers use to gain unauthorized access to an information system. These techniques take advantage of vulnerabilities in an information system by utilizing custom software, operating system commands, and open source tools. Web applications are particularly vulnerable to exploitation, with numerous well-defined vulnerabilities cataloged by organizations such as the Open Web Application Security Project (OWASP). For many years, OWASP has maintained a top 10 list of the most pervasive and destructive web application vulnerabilities, providing a valuable resource for developers to understand and mitigate these issues in their applications.

27

28

Defining the Threat Landscape

Visiting the OWASP website can provide a wealth of information that can be used to enhance the security of your information and application security programs. By understanding common exploits and vulnerabilities, developers and IT professionals can take proactive measures to prevent attacks and protect against unauthorized access to sensitive information. Note For more information on OWASP, please refer to https://owasp.org/Top10/. The OWASP Top 10 vulnerabilities for 2021 are as follows: • Broken access control: Broken access control is a vulnerability that occurs when an application fails to properly enforce restrictions on what authenticated users are allowed to do. This flaw can allow attackers to access unauthorized functionality and sensitive data, such as other users’ accounts and confidential files, or modify other users’ data and change access rights. Attackers can exploit these weaknesses to access information or actions they are not authorized to have, resulting in severe consequences for the organization or individuals affected. Developers must implement robust access control mechanisms to prevent unauthorized access and ensure the security of sensitive information. • Cryptographic failures: Cryptographic failures cover various issues related to cryptography. This category includes using weak or outdated encryption algorithms, insecure key management practices, storing sensitive information in plaintext, and improperly implementing SSL/TLS protocols. Cryptographic failures can lead to serious security breaches and compromise sensitive information’s confidentiality, integrity, and availability. To mitigate these risks, developers are advised to follow best practices for cryptography, including using robust encryption algorithms, secure key management, and proper SSL/TLS implementation. • Injection: Injection flaws refer to vulnerabilities when an interpreter, such as SQL, OS, XXE, or LDAP, receives untrusted data as part of a command or query. Attackers can exploit these weaknesses by sending hostile data that can deceive the interpreter into executing unintended commands or accessing data without proper authorization. To prevent these attacks, developers must use parameterized queries and input validation to ensure that the interpreter processes only trusted data. Other strategies, such as object-relational mapping tools and special character escaping, can also effectively prevent injection vulnerabilities. • Insecure design: Insecure design covers various issues related to software design. This category includes weak or ineffective access control mechanisms, lack of encryption or hashing, insecure authentication and session management, and poor error handling and logging. Developers must follow secure design principles to prevent issues such as strong access control mechanisms, secure authentication and session management, and proper error handling and logging. Developers should also regularly review their software design to identify and address any potential vulnerabilities.

Hackers and hacking

• Security misconfiguration: Security misconfiguration highlights the importance of having a secure configuration defined and deployed for all system components, including the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained for each component, as default configurations are often insecure. It is essential to establish and maintain secure configurations to minimize the risk of security breaches, protect sensitive information from unauthorized access or data theft, and prevent system compromise. • Vulnerable and outdated components: The category of vulnerable and outdated components underscores the risk posed by components such as libraries, frameworks, and other software modules that run with the same privileges as the application. If a vulnerable component is exploited, it can enable attackers to facilitate severe data loss or server takeover. Applications and APIs that use components with known vulnerabilities may weaken application defenses and allow various types of attacks with severe consequences. To prevent these vulnerabilities, it is essential to update components to the latest version that has been appropriately tested and reviewed. Developers should also have a process for monitoring and managing component updates and vulnerabilities. • Identification and authentication failures: Identification and authentication failures are the risks posed by the incorrect implementation of application functions related to authentication and session management. If authentication and session management functions are implemented incorrectly, attackers can exploit vulnerabilities to compromise passwords, keys, or session tokens. This misconfiguration can enable the attacker to assume the identity of other users temporarily or permanently and to access sensitive information or perform unauthorized actions. To prevent these vulnerabilities, developers should follow best practices related to authentication and session management, including using strong and unique passwords, secure session management, and properly handling sensitive data. Implementing multi-factor authentication and using secure communications protocols can also help to prevent authentication and identification failures. • Software and data integrity failures: Software and data integrity failures can occur due to a lack of proper validation, input sanitization, or other security measures. Software and data integrity failures can result in severe consequences for an application. Such failures may occur due to coding, bugs, or configuration errors, among other factors. It is essential to implement proper input validation and sanitization and ensure that software components are up to date and that the application and data are adequately backed up. Security testing, including fuzz testing and other automated tools, can also help to identify vulnerabilities and prevent software and data integrity failures. • Security logging and monitoring failures: Security logging and monitoring failures can lead to difficulties in detecting and responding to security incidents and a lack of visibility into system activity. This vulnerability can enable attackers to carry out attacks undetected and remain on a system for extended periods. To prevent these vulnerabilities, developers should ensure that logging and monitoring functionality is implemented correctly and that logs are stored securely and protected from tampering. Organizations should also have processes in place for regularly reviewing and analyzing logs, as well as for responding to incidents and performing forensic analysis when necessary.

29

30

Defining the Threat Landscape

• Server-side request forgery: Server-side request forgery vulnerabilities occur when an attacker can send a request to a server or service from within a targeted application, bypassing any security measures. To prevent these vulnerabilities, developers should ensure that input validation is implemented correctly and that requests can only go to trusted external.

Hacker techniques Hackers are finding new and more creative ways to breach computer systems and networks as technology advances. From exploiting vulnerabilities in software to tricking users into giving away sensitive information, hackers use a wide range of techniques to carry out their attacks. Understanding these techniques and what measures can be taken to prevent them is essential. This section will explore common hacker techniques.

Password cracking Password cracking is a technique attackers use to gain unauthorized access to a system or application. This technique involves using specialized software to recover passwords transmitted over the network, stored in password databases, or implemented within application software. Attackers often use automated guessing methods, such as dictionary attacks, to crack passwords. Dictionary attacks involve trying common passwords, such as password or 123456, to guess the correct password. Other passwordcracking methods include brute-force attacks, where the attacker tries every possible combination of characters until a valid password is found. It is important to use strong and complex passwords that are difficult to guess to prevent passwordcracking attacks. Passwords should be changed regularly and should not be reused across multiple accounts. Additional measures, such as multi-factor authentication and password denylisting, can also help to prevent password cracking attacks. Let’s now look at some of the password cracking tools that we can use: • Brutus: http://sectools.org/tool/brutus • RainbowCrack: http://sectools.org/tool/rainbowcrack • Wfuzz: http://sectools.org/tool/wfuzz • Cain and Abel: http://sectools.org/tool/cain • John the Ripper: http://sectools.org/tool/john • THC Hydra: http://sectools.org/tool/hydra • Medusa: http://sectools.org/tool/medusa • Ophcrack: http://sectools.org/tool/ophcrack • L0phtCrack: http://sectools.org/tool/l0phtcrack • Aircrack-NG: https://www.aircrack-ng.org/downloads.html

Hackers and hacking

Vulnerability assessment Vulnerability assessment scanners are tools that are used to identify potential weaknesses in a network or information system. These scanners use specialized software and databases of known vulnerabilities to scan the network and identify any matches. Once a vulnerability is identified, the tool creates a listing that ties the exposure to a specific IP address, making it easier for administrators to locate and fix the issue. For administrators, vulnerability assessment scanners can be an essential tool for maintaining the security of their networks and systems. By regularly scanning for vulnerabilities and addressing them promptly, administrators can reduce the risk of successful attacks and protect sensitive data. However, vulnerability assessment scanners can also be used by attackers as a means of identifying potential targets. By scanning a network or system for vulnerabilities, attackers can identify weaknesses that can be exploited to gain unauthorized access or cause damage to the system. By using vulnerability assessment scanners proactively and responsibly, administrators can enhance the security of their networks and systems while minimizing the risk of successful attacks. Manual vulnerability assessment tests information systems based on a hacker’s knowledge, experience, and intuition to identify potential weaknesses and vulnerabilities that automated scanners may not detect. Unlike automated scanners that use predefined databases of known vulnerabilities, manual testing relies on hackers’ creativity and ingenuity to find vulnerabilities that attackers could exploit. While automated scanners can help identify common vulnerabilities, they may not be able to detect more sophisticated and less well-known vulnerabilities that experienced hackers could exploit. The following are some of the tools we can use for scanning vulnerability assessment: • OpenVAS: http://www.openvas.org/ • Burp Suite: https://portswigger.net/burp/freedownload/ • W3af: http://w3af.org/ • NMAP: https://nmap.org/ • Qualys Community Edition: https://www.qualys.com/community-edition/

Keystroke logging Keystroke logging is a technique attackers use to capture all keystrokes entered on a computer. There are two types of keystroke loggers, namely software-based and hardware-based. Software-based key loggers are installed on a computer through manual and automated mechanisms and can be categorized into hypervisor-based and kernel-based key loggers. The hypervisor-based key logger operates at the hypervisor level of a virtualized infrastructure. It can avoid detection by antivirus tools as it sits below the operating system. On the other hand, the kernel-based key logger operates at the kernel mode of the operating system as a rootkit and can also avoid detection by anti-virus tools as they do not have access to the layer of the operating system.

31

32

Defining the Threat Landscape

As the name suggests, hardware-based keyloggers are connected physically to a computer system to capture keystrokes. There are two types of hardware-based key loggers: keyboard hardware and wireless keyboard sniffers. The keyboard hardware-based key logger is connected between a computer and a keyboard. It has internal memory and can intercept keystrokes from the keyboard to the computer. This type of key logger requires physical access to the computer. The wireless keyboard sniffer is a specialized hardware and software device that can intercept keystrokes sent between a wireless keyboard and the computer it is attached to. This type of key logger requires the attacker to be close to the computer being attacked.

Rootkit A rootkit is a type of malware that a hacker installs to gain control of an operating system. The term root refers to the rootkit giving the attacker root-level access to the system, allowing them to perform various malicious activities. Rootkits are notoriously difficult to detect, as they are designed to operate covertly and remain hidden from the operating system and any security software that may be installed. Rootkits are often used to perform various malicious activities. They achieve this by replacing or modifying critical operating system software, such as device drivers or system libraries, to hide their presence and evade detection. The following figure depicts a computer infected with a rootkit.

Figure 2.1 – Computer infected with a rootkit

There are several types of rootkits, including kernel mode, user mode, and firmware rootkits. Kernelmode rootkits operate at the lowest level of the operating system, allowing them to intercept system calls and hide their presence from the operating system and any security software. On the other hand, user mode rootkits operate at a higher level of the operating system and are easier to detect but still

Hackers and hacking

can hide their presence from many security tools. Finally, firmware rootkits are stored in the firmware of a device, such as a BIOS or a network card, and are particularly difficult to detect and remove.

Spoofing Hackers use spoofing to deceive users by mimicking another system or person. In a spoofing attack, the hacker may install software or create a system that appears to be a trusted client system to gain unauthorized access to a backend server environment. Alternatively, the hacker may pose as the underlying information system infrastructure to trick unsuspecting users into sharing sensitive information or passwords. The following figure provides an example of a spoofing attack.

Figure 2.2 – Example spoofing attack

Spoofing attacks can take many forms, including email, IP address, and caller ID. In email spoofing, the attacker forges the From address in an email to make it appear as if it came from a trusted source. In IP address spoofing, the attacker changes the source IP address in an IP packet to make it appear as if it originated from a trusted source. In caller ID spoofing, the attacker manipulates the phone number displayed on the recipient’s caller ID to make it appear that the call is from a trusted source. Spoofing attacks can harvest sensitive company information.

33

34

Defining the Threat Landscape

Social engineering Social engineering is a hacking technique that doesn’t rely on technical tools but manipulates human psychology to gain unauthorized access to sensitive information or systems. It involves deception and persuasion, exploiting an individual’s natural inclination to trust others. Social engineering attackers can use a variety of tactics, such as phishing scams, pretexting, baiting, and water-holing, to gather sensitive information. The following depicts the social engineering life cycle.

Figure 2.3 – The social engineering life cycle

Pretexting Pretexting is a social engineering attack where the attacker creates a false scenario or pretext to trick the victim into divulging sensitive information. The attacker will typically establish a position of authority, trust, or familiarity to make the victim feel more comfortable and willing to share information. This scenario can include posing as a victim’s company or organization member, a trusted vendor or partner, or even a friend or family member. One common example of pretexting involves an attacker posing as a victim’s IT department member. The attacker may contact the victim via email, phone, or in person, claiming there is a problem with the victim’s account or computer system. They may then request that the victim provide their username and password to resolve the issue. The victim, thinking they are helping resolve a legitimate problem, may willingly give this information. However, the attacker has no legitimate reason to request this information and is using it to gain unauthorized access to the victim’s account or system. With this information, the attacker can move further into the organization’s information system and potentially cause damage or steal sensitive information. Pretexting attacks can be challenging to detect, as the attacker may use sophisticated techniques to create a convincing pretext and establish trust with the victim. It’s essential for individuals and organizations to be aware of these types of attacks and to establish protocols for verifying requests for sensitive information. This verification can include verifying the requester’s identity, checking with a supervisor or IT department, or requiring additional authentication before providing sensitive information.

Hackers and hacking

Phishing Phishing is a social engineering attack that uses deception and technology to trick users into providing sensitive information such as login credentials, credit card numbers, and personal data. Unlike pretexting, which targets individuals one at a time, phishing campaigns can target millions of users simultaneously, making it a highly effective tactic for hackers. In a phishing attack, the attacker typically sends an email that appears to be from a trusted source, such as a bank, an online retailer, or a social media site. The email will usually contain a message that creates a sense of urgency or alarm, such as a warning that the user’s account has been compromised or a request to update their account information. The email may also contain a link or attachment the user is directed to click on. In the case of the link, it will take the user to a fake website. The website looks like a legitimate website but is controlled by the attacker. The phony website will typically prompt the user to enter their login credentials or other sensitive information, which the attacker then captures. In some cases, the phishing email may also contain a malicious attachment that, when opened, installs malware on the user’s computer or device. Phishing attacks can be challenging to detect, as emails and fake websites can be designed to look very convincing. It’s important for individuals and organizations to be aware of the signs of a phishing attack, such as suspicious email addresses or URLs, and to verify the legitimacy of any requests for sensitive information before responding. Here is an example of a phishing campaign. Notice that the email appears to come from Netflix and generically addresses the user. The link would take the user to the attacker’s website if clicked. The following figure is taken from an actual phishing message.

Figure 2.4 – Phishing message example

35

36

Defining the Threat Landscape

Spear phishing Spear phishing is a highly targeted phishing attack focusing on specific individuals or groups rather than sending out mass emails like traditional phishing campaigns. In spear phishing attacks, the attacker performs extensive reconnaissance on the victim to gather personal details to make their attack more convincing. Unlike phishing campaigns, which typically use generic messages sent out to many potential victims, spear phishing emails are highly customized to the individual victim. The attacker will use their gathered personal details to create a message tailored to the victim’s interests, job position, or personal relationships. For example, an attacker might send a spear phishing email to an employee at a company, posing as a senior executive and requesting sensitive financial information. The email might include details about a recent company project or event that the attacker has gleaned from the victim’s social media profile or public information online, making the email appear more legitimate. Spear phishing attacks can be highly effective, as the customized nature of the attack makes it more difficult for victims to identify it as fraudulent. The attacker’s attention to detail and personalization can create a sense of trust between the victim and the attacker, making it more likely that the victim will provide the requested information.

Awareness training to combat phishing Phishing attacks continue to be a significant threat to organizations of all sizes, and it’s essential to have effective countermeasures in place to combat them. The most effective countermeasure is to raise awareness among your user population about phishing and spear phishing threats.

Figure 2.5 – Do your users understand phishing?

As an information security professional, it’s easy to become complacent and assume everyone is already aware of phishing. However, it’s important to remember that other parts of the organization have their specialized work and may not be as familiar with the risks. It’s crucial to communicate the importance of phishing awareness to all organization members, including those in HR, finance, manufacturing, and other departments.

Hackers and hacking

There are several methods for conducting training and raising awareness about phishing threats. One practical approach is to include specific phishing training in your yearly information security training. If you don’t currently conduct annual training, it’s important to start doing so. Another approach is to develop a cycle for communicating with your entire user base via targeted communications such as emails and internal social media. You can create a plan where several communications are used to deliver targeted phishing awareness training. Conducting phishing exercises is also an effective way to test your user base’s awareness of phishing. You can utilize automated tools to test your user base for their awareness of phishing threats. These tools should allow you to import your user population from your user directory rather than manually inputting them into the tool. You should also be able to build multiple campaigns to target different user groups simultaneously. Additionally, the tool should allow you to track exploited users as part of the training so they can be scheduled for additional training. It’s important to note that users should not be treated negatively if they are determined to need additional training. The process should be positive, and users should feel they are learning a new skill rather than being reprimanded. By implementing these training and awareness strategies, you can help to protect your organization from the devastating consequences of phishing attacks.

Water-holing Water-holing exploits vulnerabilities in trusted websites frequently used by a particular user or group within an organization. To execute a water-holing attack, the attacker first conducts reconnaissance to identify websites the target users regularly visit. The attacker then attempts to compromise the trusted website, potentially by exploiting vulnerabilities in the website’s code or by compromising a third-party service that the website relies on. Once the website has been compromised, it can be used as a platform to install malware on unsuspecting users’ machines. The attacker may wait for the users to visit the compromised website, or they may use a spear phishing email to lure the users to the site. The spear phishing email could be designed to appear as if it comes from a trusted source or contain a link to a fake login page that looks like the real thing. Water-holing attacks can be particularly effective because they exploit users’ trust in familiar websites. They can also be difficult to detect because the attack comes from a trusted website rather than a suspicious or unknown source.

Baiting Baiting uses physical media, such as DVDs or USB drives, to entice users into inserting the drives into their computers. The bait may be disguised as a free software or music download, a coupon or discount offer, or other enticing content. Many users insert removable media into their computers without properly verifying its source or content. The best defense against baiting attacks is to train users about the risks and how to avoid them. Training would include ensuring that users understand the importance of not inserting removable media into their computers unless it comes from a trusted source, such as their employer or a reputable vendor.

37

38

Defining the Threat Landscape

Closing information system vulnerabilities A vulnerability refers to a weakness in a piece of technology, such as a workstation, server, router, software, cloud, or process, that undermines the system’s ability to provide adequate security assurance that the threat actors will use that have been previously discussed. Three aspects must be considered to assess a vulnerability properly: 1. First, the information system’s susceptibility to a particular flaw must be determined. This review involves ascertaining whether the specific version of the technology or software in question meets the criteria for the vulnerability to exist. 2. Next, it must be determined whether an attacker can access the information system to exploit the flaw. Depending on the technology and location, an attacker may not have immediate access to the system. This information helps prioritize vulnerabilities as it relates to enterprise vulnerability management. 3. Finally, whether sufficient means exist to exploit the flaw must be determined. If an active exploit exists in the wild for a given vulnerability, it should be considered a high-priority vulnerability to be addressed immediately. After carefully reviewing the characteristics of vulnerabilities related to a specific information system, an information security professional can determine the attack surface for a given vulnerability and prioritize how the enterprise should mitigate the vulnerability. Hundreds of vulnerabilities may exist in an information system at any time. Therefore, the information security professional must be able to prioritize critical vulnerabilities that must be addressed immediately, while other vulnerabilities can be managed more methodically and reasonably over time. The following table provides more details related to this concept. Example Triage Chart for Vulnerabilities All Hands on Deck

Planned Methodical Deployment

• Vulnerability can be executed over the network • Information system is exposed to the internet • An information system is not patched correctly and is running an old version of server software or operating system software Table 2.1

• Vulnerability requires physical access to be exploited • The information system is well protected within the network • The server is maintained and adequately patched

Summary

Vulnerability management It is essential to understand that many situations that require an all hands on deck response in information security are often a result of poor management of the enterprise information system. If an organization’s information system is not regularly patched, it can create serious vulnerabilities that must be addressed immediately. Vulnerability management is identifying and addressing vulnerabilities within an organization’s information system. The process involves several steps: 1. Firstly, the organization must identify vulnerabilities in its specific information system. This identification can be made through enterprise vulnerability management tools, such as Nessus, as well as staying up to date with information security blogs and subscribing to security sites for the vendors they use. 2. Secondly, the organization must triage the vulnerabilities and determine the level of risk they pose to the organization. The information security professional must communicate this risk effectively and determine whether an all hands on deck or a planned approach to a vulnerability is needed. 3. Thirdly, the organization must research, plan, and deploy the appropriate mitigations for applicable vulnerabilities. There may be multiple tasks involved in vulnerability mitigation. The information security professional must fully understand these steps, communicate them to stakeholders, and adequately deploy the appropriate countermeasures to mitigate the vulnerability. 4. Finally, the organization must continuously monitor the information system to ensure that vulnerabilities have been fully mitigated. Utilizing a vulnerability assessment tool during the vulnerability mitigation process will allow the organization to continuously assess its information system, track progress, and understand when they have successfully met its goal.

Summary This chapter offered a foundational understanding of the information security threats organizations face. Understanding your organizational context is central to this, as it shapes a specific business’ unique vulnerabilities and challenges. The chapter provided a detailed look into the various threats that systems might encounter and discussed the world of hackers, shedding light on their techniques and motivations. The chapter discussed the importance of addressing information system vulnerabilities to mitigate these challenges. The next chapter will discuss the critical elements needed when planning and building an information security program.

39

3 Laying a Foundation for Information and Data Security Safeguarding sensitive information and critical data has emerged as a critical concern for organizations across diverse sectors. With the relentless proliferation of cyber threats, laying a solid foundation for information and data security has become essential in modern business practices. This chapter discusses the fundamental aspects of constructing an effective information security program, by examining the need for an information security program, optimizing development through utilizing existing frameworks, identifying key success factors for information security program success, and establishing effective information security policies. The following topics will be covered in this chapter: • Developing a comprehensive information security program • Leveraging existing frameworks instead of building from scratch • Essential factors for information security program success • Information security policies

Developing a comprehensive information security program Organizations must prioritize the creation and effective management of an information security program. When designing your information security program, it is essential to consider the distinctive characteristics of your organization, which will influence the program’s structure and operation. Consider the following key factors: • Organization size: The scale of your organization will significantly impact the scope and complexity of your information security program. For instance, a small custom metal fabricator will require a different approach than a large-scale automobile manufacturer.

42

Laying a Foundation for Information and Data Security

• Industry specifics: The industry in which your organization operates will also determine the unique security concerns that must be addressed. For example, an oil and gas exploration company will face distinct challenges compared to a frozen-TV-dinner producer. • Compliance requirements: The regulatory obligations of your organization will significantly influence the structure of your information security program. • Consider these questions: ‚ Do you handle credit card transactions? ‚ Do you collaborate with government agencies? ‚ Are you a publicly traded company? The response to questions and factors like these will influence the design, implementation, and ongoing management of your information security program, ensuring it meets the necessary compliance standards and safeguards your organization’s sensitive data. Considering these aspects when developing your information security program, you can create a robust and tailored framework that effectively addresses your organization’s unique security needs and challenges.

Leveraging existing frameworks instead of building from scratch When initiating the development of your information security program, it is recommended not to start from scratch. Numerous well-established frameworks are available that can serve as a solid foundation for your information security program. Widely accepted standards include the following: • NIST Cybersecurity Framework: The NIST Cybersecurity Framework is a comprehensive set of guidelines for organizations to manage and reduce cybersecurity risks. It includes a framework for managing cybersecurity risk and standards, guidelines, and best practices for cybersecurity management. • ISO 27000-series: This series encompasses several standards and frameworks for information security management, of which ISO 27001 is perhaps the most recognized. It provides a systematic approach to managing and protecting sensitive information using a risk management process. Other standards in the series, such as ISO 27017 - Cloud Computing, 27018 - Protection of Personally Identifiable Information (PII) in Public Clouds, 27701 - Privacy Information Management, and so forth, offer guidance on best practices, measures, and controls related to various aspects of information security. • CIS Controls: The Center for Internet Security (CIS) Controls is a set of guidelines designed to help organizations protect their networks and systems from cyber-attacks. It provides a prioritized list of best practices for organizations to implement to improve their cybersecurity posture.

Essential factors for information security program success

• NIST SP 800-53: NIST SP 800-53 is a framework that provides a catalog of security and privacy controls for federal information systems and organizations. It includes a set of standards and guidelines for managing and securing information systems. • SOC 2: SOC 2 is a framework for auditing and reporting on an organization’s controls related to security, availability, processing integrity, confidentiality, and privacy. Service organizations commonly use it to demonstrate their security and privacy practices to customers and stakeholders. • PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a framework for securing payment card data. It includes a set of requirements for organizations that handle payment card data to ensure the security and privacy of this information. • HITRUST: HITRUST is a framework for managing and protecting sensitive healthcare information. It includes a set of security controls and requirements for healthcare organizations to comply with HIPAA and other regulatory requirements. The organizations mentioned above invested significant resources in creating and refining these frameworks. Furthermore, they have been extensively peer-reviewed by many industry subject-matter experts. Attempting to replicate this level of expertise and resource within your organization to design a new framework would be impractical. Instead, capitalize on the knowledge and experience these proven frameworks provide. By adopting and adapting an existing framework, you can efficiently establish a robust information security program tailored to your organization’s needs. This approach saves time and resources and ensures that you leverage industry best practices and benefit from the collective wisdom of countless security professionals.

Essential factors for information security program success A critical element for the success of an information security program lies in cultivating a solid relationship with your organization’s senior leadership. The effectiveness of your information security program is heavily reliant on the commitment of these senior leaders. Information security is fundamentally about facilitating organizational change. Establishing an organization’s new information security program leads to transformations across a broad spectrum, encompassing people, processes, and technology. These changes can potentially be perceived as disruptive to the standard way of operating within the organization. Without the support of executive leadership for information security initiatives, it may prove challenging to implement the necessary changes. However, it is crucial to understand that executive support does not equate to a free rein to create chaos within the organization. As an information security professional, it remains your responsibility to collaborate effectively with all levels of the organization. This collaboration entails communicating the importance of information security in a manner that describes how the program safeguards the organization and supports its ongoing ability to serve customers effectively. Engaging in meaningful conversations with organizational team members at various levels is essential to achieve this. This focus on teamwork and collaboration will help promote understanding and buy-in for the information security program, ensuring everyone

43

44

Laying a Foundation for Information and Data Security

is aligned with its goals and objectives. By fostering strong senior management support and effectively communicating the benefits of the information security program, you can lay the foundation for a resilient security program within your organization.

Aligning information security with the organization’s mission While developing the information security program, it is crucial to collaborate closely with your organization’s senior management, business leaders, and system owners to identify and address the needs of mission-focused groups within your organization. Including these stakeholders in the decision-making process ensures that the security measures implemented do not hinder the organization’s core functions. Failing to involve them may result in an information system that is highly secure but ultimately ineffective for your business users. The following are some recommended guidelines to consider when working with organizational stakeholders: • Engage in open dialogue with stakeholders: Initiate open and ongoing discussions with various stakeholders about their mission-critical activities. Doing so will give you valuable insights into their specific needs, objectives, and concerns, enabling you to develop a comprehensive security solution tailored to their requirements. • Balance security with functionality: Strive to balance security and functionality, ensuring that the implemented security measures do not impede the organization’s ability to accomplish its mission. By incorporating stakeholder feedback, you can create an information security program that supports the organization’s mission while maintaining a secure environment. • Foster collaboration and mutual understanding: Promote a collaborative atmosphere and mutual understanding among stakeholders to create a shared vision of the information security program. By fostering strong relationships and maintaining open communication channels, you can ensure everyone’s needs are considered, resulting in an effective and practical security program. Aligning the information security program with your organization’s mission is vital to its success. By engaging with stakeholders, balancing security and functionality, and fostering collaboration and mutual understanding, you can create a security solution that protects your organization and enables it to thrive.

Optimizing information security measures for your organization Achieving the right balance between implementing security measures, maintaining system usability, and catering to an organization’s risk tolerance is paramount. By customizing information security strategies to meet an organization’s unique needs, businesses can better protect their digital assets while avoiding common pitfalls. An effective information security program should balance robust security controls and ease of use for the information system. Over-implementing security measures can result in unneeded complexity, which may negatively affect the organization. The consequences of excessive security controls can

Essential factors for information security program success

include decreased operational efficiency, unnecessary financial costs, and, ultimately, a loss of trust in the information security program. To avoid these potential issues, it is essential to carefully consider the organization’s risk appetite and tailor the security strategy accordingly. This strategy means considering the organization’s specific threats and vulnerabilities and its financial and operational constraints. By doing so, the information security program will be better equipped to safeguard critical data and infrastructure without hindering business operations.

Enhancing security through comprehensive awareness and training programs A well-designed information security awareness and training program is indispensable to a successful information security program. Everyone within the organization, from the CEO to the most recent hire, plays a crucial role in maintaining a secure environment. To ensure the effectiveness of such a program, it must convey the organization’s expectations and the potential threats that users may encounter. An impactful awareness and training program employs a multi-faceted approach, utilizing various media channels to effectively communicate the information security message. This approach includes email, social media, computer-based training, and in-person workshops or seminars. By employing diverse communication methods, the program can better engage employees and ensure that the security message resonates with individuals across the organization. To maximize the effectiveness of a security awareness and training program, it is essential to do the following: • Regularly update the program content to reflect evolving threats and organizational needs, ensuring the training remains relevant and up to date • Foster a security culture within the organization where employees feel responsible for the company’s security and understand their critical role in maintaining it • Provide training opportunities tailored to different organizational roles and levels, addressing each position’s security concerns and responsibilities • Measure the program’s success through assessments, surveys, and employee feedback, enabling continuous improvement of the training content and delivery methods A company that values the safety and security of its employees can empower them to contribute to maintaining a safe working environment by utilizing various media channels and tailoring the content to meet the organization’s unique needs. By involving employees in the process and creating engaging and relevant content, the company can foster a culture of safety and security, benefiting both the workforce and the organization.

45

46

Laying a Foundation for Information and Data Security

Building information security into the SDLC/SELC process Organizations must build products that meet customers’ needs and ensure their systems are secure and resistant to malicious attacks. One way to achieve this is by incorporating information security into the Software Development Life Cycle (SDLC) or Systems Engineering Life Cycle (SELC) process. The SDLC/SELC process ensures that software products or systems are designed, developed, and tested consistently and effectively. It is a repeatable process that provides a framework for technology development, from initial planning to deployment and maintenance. When combined with strong security policies, the SDLC/SELC process ensures a well-designed system with security features integrated from the project’s initiation. The typical SDLC/SELC process comprises several phases with specific objectives and deliverables. These phases include initiation, requirements analysis, design, implementation, testing, operations, maintenance, and disposition. Each stage highlighted in the following figure has activities and deliverables that help ensure the final product is high quality.

Figure 3.1 – SDLC/SELC phases

By integrating information security into the SDLC/SELC process, organizations can improve the predictability that a quality product will come out of the engineering or development process.

Initiation phase The initiation phase marks the beginning of a project, where the organization defines the need for an information system. Information security planning begins in this phase, where the information security professional works with the project team to understand the security considerations that must be applied to the system. This phase is critical as it sets the foundation for the entire project. The information security professional must work closely with the project team to identify security requirements, threats, and vulnerabilities that must be addressed throughout the project. The information security professional must identify the security requirements for the system to be considered secure. They must also work with the project team to understand the system’s intended use, potential risks, and the impact of security risks on the system. The information security professional must ensure that all stakeholders, including the business owners, users, and developers, understand the importance of security and are committed to addressing security concerns throughout the project.

Essential factors for information security program success

Requirements analysis phase The requirements analysis phase is a critical stage in the SDLC/SELC process. The project team works with users and business stakeholders to develop the requirements for the new system. The information security professional’s job is to ensure that security requirements are included in the design and given high priority. During this phase, the project team must identify the functional and non-functional requirements of the system. The information security professional must ensure that security requirements are integrated into these requirements. The information security professional must ensure the security requirements are well defined, achievable, and measurable. They must also ensure the security requirements are consistent with organizational policies and standards. All stakeholders, including business owners, users, and developers, must review and approve the security requirements. The security requirements must be prioritized based on their impact on the system and the potential risk to the organization. High-priority security requirements must be given special attention during the development and implementation of the system. During the requirements analysis phase, the information security professional must also identify and ensure the system complies with all applicable laws and regulations, such as data privacy and cybersecurity regulations.

Design phase The design phase is where the requirements gathered during the requirements analysis phase are used to construct the new system. The role of the information security professional in this phase is to ensure that the proper security controls are implemented as part of the system design. They must work closely with the project team to identify potential security threats and vulnerabilities and develop security controls to mitigate them. The design phase can be further broken down into sub-phases where the project team develops various deliverables. These deliverables include the Concept of Operation, High-Level Design, Detailed Design, and Proof-of-Concept System. Each deliverable is crucial in ensuring the system is well designed and secure: • The Concept of Operation (ConOps) is a critical component of the design phase of the SDLC/SELC process. The ConOps document communicates between the project team and the business stakeholders and describes the system’s overall purpose and how it will meet the organization’s needs. The ConOps describes the characteristics of a system from a user perspective and articulates how the system will operate to business stakeholders. The ConOps documents essential design characteristics such as user types; user roles within the system; functionality; interfaces; and the operational environment. The information security professional must ensure the ConOps document includes the organization’s security requirements. The ConOps document must be reviewed and approved by all stakeholders, including business owners, users, and developers. Any changes to the ConOps document must be communicated to all stakeholders and examined to ensure they do not compromise the security objectives.

47

48

Laying a Foundation for Information and Data Security

• The High-Level Design outlines the system’s logical components and interactions, encompassing data flows and connections within internal and external systems. As a project blueprint, the High-Level Design must incorporate essential security controls. Security professionals ensure the design adheres to organizational policies, standards, and legal and regulatory requirements. Any changes to the High-Level Design must be communicated to all stakeholders and assessed to ensure that security objectives remain uncompromised. • The Detailed Design document takes the High-Level Design and applies the specific components and configurations that will be part of the system. The Detailed Design document outlines the technical details of how the system will be built, including hardware and software components, data storage, and interfaces. The security professional must ensure that security controls are adequately integrated into the system design and meet organizational policies, standards, and legal and regulatory requirements. They must also identify and address potential security threats and vulnerabilities in the Detailed Design and work to address these issues by adequately implementing security controls. The Detailed Design document must be detailed enough to understand how the system will be built and how the different components will interact. The information security professional must ensure the Detailed Design document is complete, accurate, and meets the security requirements developed during the requirements phase. The information security professional must ensure the security controls are integrated into the system design and will work effectively once implemented. Like the previous deliverables, any changes to the Detailed Design must be communicated to all stakeholders and reviewed to ensure they do not compromise the security objectives. • The Proof-of-Concept System is a scaled-down version of the proposed system defined in the detailed design. It is implemented to determine whether the designed system meets the user, business, stakeholder, and security requirements. The Proof of Concept System serves as a way to test the system’s functionality without incurring the total cost of the final system. It is also an opportunity to identify any potential issues or areas for improvement before the system is fully developed. The Proof of Concept System must be designed to simulate the real-world environment in which the system will be used. It must be tested thoroughly to ensure it meets the requirements and functions as intended. Any issues or deficiencies must be identified and addressed before the system is fully developed. The information security professional must work closely with the project team to ensure that the necessary security controls are implemented as part of the Proof of Concept System and that the implementation meets organizational policies, standards, and legal and regulatory requirements. It must also be determined that the security controls work as designed and effectively.

Essential factors for information security program success

Implementation phase During the implementation phase, the project team is responsible for building the production information system according to the design specifications developed in the previous phase. This stage in the project is crucial in ensuring the designed security controls are implemented. At this phase, the project team executes the designed security controls and ensures the intended security functionality is in place as planned. This process involves implementing the security controls and ensuring they are correctly configured and operating as expected. The security team must work closely with the project team to identify any potential security issues that may arise during the implementation process.

Testing phase Once the system has been built, it must be thoroughly tested to ensure it functions as expected. This process involves executing an agreed-upon test plan to validate that the system operates as intended and meets all functional requirements. To ensure the system’s security, validating that the implemented security controls are working as expected is essential. This collaboration may include conducting penetration testing or vulnerability assessments to determine any vulnerabilities in the system that attackers could exploit. Any deficiencies identified during testing must be flagged for repair to ensure the system’s security is not compromised. Testing is a critical phase of the project because it ensures the system is secure and reliable. By thoroughly testing the system and validating that the implemented security controls are functioning as intended, organizations can confidently launch the system, knowing it is secure and reliable.

Operations and maintenance phase Once the system is built, it moves into the operations and maintenance phase, where it is under configuration management. During the operations and maintenance phase, the system is in production, and it is crucial to maintain the security controls implemented during the implementation phase. Any new changes or updates made to the system must be carefully assessed to ensure they do not compromise the system’s security. By ensuring that any recent changes are thoroughly examined for their impact on security controls, organizations can maintain the security and reliability of the system. This review helps reduce the likelihood of security breaches or incidents occurring and helps ensure that the system continues functioning as expected.

Disposition phase Once the system has reached the end of its useful life and the business has decided to decommission it, it is essential to ensure that the system is archived correctly and sanitized following organizational policy and applicable laws. The disposition phase is the final stage of the SDLC/SELC process. It is crucial to properly decommission the system to ensure that any sensitive data or information stored on the system is adequately secured. This process may involve removing data from the system, destroying storage devices or media, and ensuring all security controls are correctly disabled. Organizations can reduce the risk of exposing or compromising sensitive data by adequately sanitizing the system.

49

50

Laying a Foundation for Information and Data Security

Understanding and enhancing your information security program maturity When implementing an effective information security program, it is crucial to understand that it is not a one-size-fits-all approach. Instead, it requires a customized approach based on your organization’s unique needs, goals, and existing infrastructure. While working on your program, avoiding doing too much all at once is essential. A boiling-the-ocean approach can result in doing nothing at all or even causing harm to the organization. Instead, prioritize critical areas significantly impacting your organization’s security posture. To help prioritize your efforts, evaluating your information security program maturity is vital. This assessment will enable you to determine where you are currently and what steps you must take to progress along the maturity life cycle. A maturity model provides a framework for measuring the effectiveness of your program and identifying areas for improvement. The maturity of your security program can be broken down into five levels, each representing a different stage of development: 1. Initial: At this level, no formal security program is in place. Security controls are implemented in an ad hoc manner or not at all, and the program is unstaffed or understaffed. 2. Developing: In this stage, basic governance and risk management policies, standards, procedures, and guidelines are in place, and information security leadership is present. However, communication is still informal, and security controls are beginning to be developed and implemented. 3. Defined: At this level, information security roles such as system owner and data owner are defined, and organizational-wide policies are in place. However, verification is inadequate, and automation is not yet fully utilized. 4. Managed: This stage has clearly defined roles and responsibilities, accompanied by role-based training. Formal communication with business stakeholders is established, and controls are measured and monitored for compliance. However, automation is still not entirely used throughout the environment. 5. Optimized: There is a culture of organization-wide support for information security improvements in people, processes, and technology. A risk-based management program is implemented for information security, and controls are comprehensively implemented across the environment. Automation is utilized to support repeatable processes and continuous monitoring. The following diagram provides an example of information security program maturity over the different stages.

Information security policies

Figure 3.2 – Example information security program maturity schema

As discussed in the preceding section, senior leadership support, collaboration, and effective communication are indispensable for establishing a strong foundation for your information security program. information security professionals can safeguard valuable assets while maintaining operational efficiency by aligning the program with the organization’s mission. However, these efforts are incomplete without implementing carefully crafted information security policies. In the upcoming section, we will discuss the importance of information security policies in guiding employees, managing risks, and improving an organization’s security posture.

Information security policies Information security policies are statements, rules, or assertions governing how an organization manages its security risks. They are designed to protect the organization’s information assets from unauthorized access, use, disclosure, disruption, modification, or destruction. These policies should be developed in consultation with all levels of the organization, including senior management, information security professionals, and employees. They should be based on a risk assessment that identifies the organization’s information assets and the risks to those assets. Information security policies should be documented and communicated to all employees. They should be reviewed and updated regularly to ensure that they remain effective. To create and maintain robust information security policies, consider the following steps: 1. Identify compliance and legal obligations: Assess your organization’s compliance requirements and legal obligations, including industry-specific regulations, privacy laws, and contractual agreements with clients or partners.

51

52

Laying a Foundation for Information and Data Security

2. Analyze existing policies and practices: Review your organization’s current policies and practices to identify any gaps or weaknesses in information security. This analysis should encompass technical and non-technical aspects of the organization’s security posture. 3. Develop a security policy framework: Create a comprehensive framework outlining key information security policy areas, such as access control, risk management, incident response, and data protection. This framework will serve as the foundation for developing specific policies and guidelines. 4. Draft policies and guidelines: Develop detailed policies and guidelines for each identified area within the security policy framework. Ensure these documents are clear, concise, and aligned with your organization’s compliance requirements and legal obligations. 5. Obtain buy-in and approval: Engage stakeholders including senior management, legal counsel, and department leaders to review, provide feedback, and approve the proposed policies and guidelines. This step ensures that the policies will be well received and supported throughout the organization. 6. Implement and enforce policies: Establish processes to implement and enforce the approved policies and guidelines. The implementation may include training programs, communication campaigns, and regular policy reviews to ensure ongoing compliance. 7. Monitor and update policies: Continuously monitor the effectiveness of your information security policies and update them as needed to address emerging threats, changes in the regulatory landscape, or shifts in organizational priorities.

Information security program policy The information security program policy is the cornerstone of an organization’s information security initiatives. This type of policy sets the strategic direction for the organization and assigns specific resources, roles, and responsibilities to establish and implement a comprehensive information security program. Key components of the information security program policy include the following: • Comprehensive information security strategy: Develop a thorough strategy incorporating policies, guidelines, and stakeholder roles. Regularly update and review the plan to ensure continued effectiveness and alignment with organizational objectives. Additional examples include organizing quarterly workshops for stakeholders to discuss potential improvements and creating a centralized repository for security policy documents. • Chief Information Security Officer (CISO): Appoint a high-ranking official to oversee and coordinate the information security program throughout the organization. In addition to creating a CISO role, consider establishing a cross-functional security committee to support the CISO and organizing annual security summits to discuss progress and challenges. • Resource allocation for security initiatives: Devise a method for allocating required resources, including staffing, technology, and budget, to maintain the information security program effectively. Also, consider prioritizing investments in security tools based on risk assessments, conduct periodic resource allocation reviews, and engage with vendors for potential cost-saving opportunities.

Information security policies

• Remediation action plan process: Establish a process for formulating and maintaining a remediation action plan to address identified security weaknesses and monitor progress. Set up a Plan of Action and Milestones (POAM) review board and consider integrating the remediation action plan process into the organization’s project management methodology. • Secure information system registry: Maintain a current register of information systems, ensuring compliance with security policies and proper protection. Apart from using a centralized inventory management tool, implement a regular system review process to validate the inventory’s accuracy and assign ownership of systems to designated individuals. • Security performance metrics: Develop performance indicators for the security program to assess the effectiveness of the information security program and identify areas for improvement. Perform activities including monitoring the average time to detect and respond to security incidents, tracking the percentage of security incidents resolved within predefined timeframes, and measuring user awareness and understanding of security risks. • Security integration in Enterprise Architecture (EA): Incorporate security controls within the organization’s EA framework, defining stakeholder roles and responsibilities. Also, include security requirements in the design phase of new projects, conduct security architecture reviews, and integrate security considerations into procurement processes. • Protection of critical assets: Formulate a plan to protect the organization’s essential infrastructure, enhancing resilience against potential threats. Besides establishing redundancy measures for critical systems, develop a robust incident response plan to address potential disruptions and implement real-time monitoring of essential components of infrastructure. • Comprehensive risk management approach: Embrace a thorough risk management strategy to identify, assess, and mitigate risks to information assets. Perform regular risk assessments, establish a risk management steering committee to guide risk mitigation efforts, and engage third-party vendors to conduct independent risk assessments. • Secure system authorization: Create a process for granting security authorizations for information systems, ensuring compliance with security requirements. In addition to developing a checklist of required security controls for each system type, implement a periodic reauthorization process and engage an independent third party to audit the authorization process. • Security integration in business processes: Define mission and business processes, including related information security requirements and responsibilities. Along with incorporating data classification and handling procedures into relevant processes, create a cross-functional team to ensure security requirements are communicated and understood across the organization. • Proactive insider threat management: Develop and maintain a program to identify, prevent, and mitigate insider threats to information systems and data. Additionally, implement user behavior analytics tools, establish an incident reporting mechanism for employees to report potential insider threats, and periodically review and update insider threat policies.

53

54

Laying a Foundation for Information and Data Security

• Skilled and trained security personnel: Guarantee that the workforce has the necessary skills and training in information security practices and responsibilities. Provide regular security awareness training and role-specific education and create a mentorship program to foster knowledge sharing and skill development. • Continuous security improvement: Adopt a persistent approach to testing, training, and monitoring the information security program’s effectiveness. Conduct regular penetration tests and security audits, implement continuous monitoring practices, and create a feedback loop for employees to suggest improvements to the security program. • Collaboration with security organizations: Build relationships with relevant security groups and associations to exchange information and best practices. Establish partnerships with academic institutions to promote research and development in information security and participate in regional and international security conferences. • Cultivating threat awareness: Implement a program to educate the workforce about potential risks and appropriate responses. Besides regular briefings on emerging threats and providing guidelines on responding to phishing attacks, organize annual cybersecurity awareness events to engage employees in security awareness. This policy sets the stage for developing more specific policies and controls that address various aspects of information security, such as access control, data protection, incident response, and risk management.

Enterprise information security policies Enterprise information security policies aim at safeguarding an organization’s information assets, systems, and infrastructure from a wide range of internal or external threats. These policies create a comprehensive framework that enables an organization to preserve its information’s confidentiality, integrity, and availability while reducing the risk of security incidents, data breaches, and other cyber threats. Senior management often establishes the foundation of enterprise information security policies and sets the strategic direction and priorities for the organization’s information security initiatives. This top-down approach ensures that information security is embedded within the organizational culture and aligns with the organization’s overall business objectives. Enterprise information security policies serve as a roadmap for implementing and maintaining a robust information security program. They provide a structured approach to identifying, assessing, and mitigating risks while ensuring compliance with legal and regulatory requirements. Areas to consider when developing effective information security policies are the following: • Make sure the policies are tailored to the organization’s specific needs. The policies should be based on a risk assessment that identifies the organization’s information assets and the risks to those assets.

Information security policies

• Get buy-in from senior management. Information security policies will only be effective if they are supported by senior management. Senior management should be involved in the development of the policies and should communicate their support to employees. • Communicate the policies to employees. Employees need to know the policies and how they are expected to comply with them. The policies should be communicated to employees clearly and concisely. • Train employees on the policies. Employees must be trained on the policies to understand and comply with them. Training should be provided regularly, and employees should be tested on their knowledge of the policies. • Monitor and enforce the policies. The organization should monitor and enforce the policies to ensure they are followed. Employees who violate the policies should be disciplined. • Review and update the policies regularly. The policies should be reviewed and updated periodically to remain effective. The review should consider changes in the organization’s business, changes in technology, and changes in the threat landscape. The following diagram provides a visual representation of the interplay of technical and management decisions considered during information security policy development.

Figure 3.3 – Enterprise information security policy considerations

Information security system-specific policy An information security system-specific policy outlines the rules for operating and maintaining a particular information system. It provides security policies that supplement the enterprise information security policies focusing on the specific system’s unique characteristics and requirements.

55

56

Laying a Foundation for Information and Data Security

The policy aims to ensure that the information system is secure, reliable, and efficient, minimizing the risks and threats to the system and the information it stores, processes, or transmits. It covers various topics, including access control, authentication, authorization, data protection, backup and recovery, incident response, and auditing. In developing a system-specific policy, the organization should consider various factors, such as the system’s function, the sensitivity and criticality of the data processed by the system, the regulatory and compliance requirements, and the organization’s overall security posture.

Information security standards Information security standards refer to the measurable criteria an organization can use to evaluate and ensure compliance with internal policies and external regulations. These standards provide a clear and consistent framework for assessing and managing information security risks and ensuring security objectives are met. Standards provide a basis for measuring and evaluating security performance, identifying areas for improvement, and implementing adequate security controls. They can also determine whether specific performance Service-Level Agreements (SLAs) are being met. Organizations should adopt established standards, such as those from NIST or ISO, rather than developing their own standards. Creating a standard from scratch can be a complex and time-consuming process. It may not be necessary if an appropriate standard can be tailored to the organization’s needs. By adopting established standards, organizations can leverage the collective experience and expertise of the wider industry and ensure that they are adopting best practices in information security. They can also benefit from the wider recognition and credibility established standards provide, which can be important for demonstrating compliance to external stakeholders such as clients or regulators. When tailoring an existing standard, organizations should ensure that it is aligned with their specific security requirements, considering the nature of the data being protected, the organization’s risk appetite, and the regulatory and compliance requirements that apply.

Information security procedures Procedures are essential to an organization’s information security framework, providing clear and concise step-by-step guidance for performing specific tasks and activities. They are designed to support policies by providing technical instructions on implementing them consistently and effectively. Procedures are critical for ensuring that repeatable and consistent processes exist for executing policies promoting efficiency, and reducing the risk of errors or omissions. These documents provide a structured and organized approach to performing specific activities and tasks, ensuring they are completed accurately, timely, and securely. Procedures typically answer three key questions: how, when, and who. They outline how a particular activity should be performed, such as account creation, password reset, or firewall rule change. They also specify when the activity should be performed, whether hourly, daily, weekly, or monthly. Finally, they define who performs the action, such as a system administrator, network administrator, or incident responder. Procedures can take many forms, from checklists to flowcharts to detailed

Information security policies

technical instructions. Regardless of the format, procedures should be well defined, concise, and easy to follow, guiding specific tasks and activities. Regular reviews and procedure updates are necessary to ensure they remain relevant and effective in addressing emerging threats and risks. They should also be communicated and enforced consistently across the organization, ensuring all personnel who perform the activities understand their roles and responsibilities.

Information security guidelines Information security guidelines are instructions and recommendations designed to help users within an organization understand and comply with the organization’s information security policies and procedures. They provide practical guidance and best practices for users to follow, ensuring they know their roles and responsibilities in maintaining the security of the organization’s information assets. Guidelines are typically provided as Frequently Asked Questions (FAQs) or how-to manuals, covering various topics such as password management, email security, mobile device usage, and social engineering awareness. They provide step-by-step instructions and practical advice on how to perform specific tasks and activities securely and efficiently. The following diagram visually represents how policies, standards, procedures, and guidelines interact.

Figure 3.4 – Policies, standards, procedures, and guidelines interaction

57

58

Laying a Foundation for Information and Data Security

The purpose of guidelines is to help users navigate complex information security requirements and ensure they know the best practices for protecting the organization’s information assets. They are designed to be user-friendly and accessible, providing clear and concise information that is easy to understand and follow. In addition to providing practical guidance, guidelines can serve as a communication tool for the organization’s information security policies and procedures. They help to reinforce the importance of information security and educate users on the potential risks and threats they may encounter.

Recommended enterprise information security policy An effective enterprise information security policy should clearly define the roles and responsibilities of various stakeholders, including senior management, IT staff, and employees. The policy should also specify the security requirements for different types of information, such as confidential, proprietary, or personal data. Additionally, the policy should provide guidelines for handling security incidents, including reporting, investigation, and remediation. Information security policies can be broken down into three categories: • Technical controls are security measures applied to an information system’s hardware, software, or firmware components to safeguard the system against unauthorized access, alteration, or damage. Examples of technical controls include firewalls, encryption, access control mechanisms, intrusion detection and prevention systems, and anti-malware software. • Management controls are the policies and procedures organizations implement to manage information security risks effectively. These controls may include developing a comprehensive security program, risk management processes, incident management procedures, and employee security awareness training. • Operational controls refer to the day-to-day practices that employees and contractors follow to ensure the security of information systems. These controls may include the use of strong passwords, regular backups, and secure disposal of sensitive information. Operational controls may also involve physical security measures such as access control, video surveillance, and alarms. Policy Area

Policy Families

Policy Topic Examples

Technical

Access Control

Account Management

Audit and Accountability

End User Device Security

Identification and Authentication

Server Security Controls

System and Communications Protection Network Security Controls Web-Based Application Controls

Information security policies

Policy Area

Policy Families

Policy Topic Examples

Management Planning

Information Security Program

Risk Assessment

Establishment of Official Roles

Security Assessment

Information Security Metrics

Systems and Services Acquisitions

Conducting Risk Assessments Vulnerability Scanning Penetration Testing Account Rights Reviews

Operational

Awareness and Training

Training Topics

Configuration Management

Expected and Prohibited Behavior

Contingency Planning

Employee Screening

Incident Response

Account Termination

Maintenance

Business Continuity Planning

Media Protection Personnel Security

Disaster Recovery

Physical and Environmental Protection

Incident Response Planning

System and Information Integrity

Workplace Security Removable Device Security Data Security

Table 3.1

Planning policy A planning policy in information security focuses on establishing the foundation for an organization’s information security program. It helps define stakeholders’ roles, responsibilities, and expectations and establish guidelines for developing and maintaining the information security program plan and related artifacts. A well-structured planning policy should address the following components: • Establishment of organizational roles: Clearly defined roles and responsibilities are crucial for effectively implementing and managing an information security program. The planning policy should establish organizational functions such as the Chief Information Officer (CIO), Chief Information Security Officer (CISO), system owner, data owner, and data custodian. Each role should have specific responsibilities and authority levels, ensuring accountability and facilitating efficient communication and decision-making.

59

60

Laying a Foundation for Information and Data Security

• Information security program plan guidelines: The planning policy should provide guidelines on what should be included in the information security program plan and establish the required update frequency. The plan should cover risk management strategies, resource allocation, personnel roles and responsibilities, training and awareness programs, and incident response procedures. Regular updates should be mandated to ensure the plan remains current and reflects changes in the organizational environment, technology, and regulations. • Development of artifacts for repeatable information security processes: The planning policy should also specify the artifacts that must be developed to ensure repeatable processes around information security control selection, development, and implementation. These artifacts may include the following: ‚ System Security Plans (SSPs): Documents that provide an overview of each information system’s security requirements, controls, and operational environment. ‚ Risk assessment reports: Periodic assessments of the organization’s risk landscape, identifying threats, vulnerabilities, and potential impacts on the organization’s information systems. ‚ Risk register: A structured tool used to identify, assess, and manage risks throughout the life of a project or within an organization. It offers a centralized repository to capture, document, and prioritize identified risks and their mitigation strategies. ‚ Security control selection and implementation guidelines: Detailed procedures for selecting, implementing, and maintaining security controls aligned with the organization’s risk tolerance and regulatory requirements. ‚ Security and privacy policies and procedures: Comprehensive documentation outlining the organization’s approach to security and privacy, including the rules of behavior for personnel with access to information systems. ‚ Privacy Impact Assessments (PIAs): Assess the privacy risks associated with processing personally identifiable information (PII) and the proposed mitigating measures.

Access controls policy The purpose of access controls in an information system is to determine which activities are allowed and which are prohibited, providing a structured method to manage user access. Access control policies are critical for maintaining the security of an organization’s information systems. They provide guidelines for limiting access to authorized users, devices, and processes and controlling the transactions and functions authorized users can execute. Organizations must establish rules to regulate user access to information systems, ensuring users do not have unfettered access to sensitive data and resources. A comprehensive access control policy addresses various aspects of user access, from authorization and authentication to session management and remote access control.

Information security policies

A well-defined access control policy includes the following components: • Information system access limitations: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). This constraint ensures that only legitimate users can access the system, preventing unauthorized access and potential data breaches. • Defining authorized transactions and functions: Specify the types of transactions and functions authorized users can execute. This includes controlling the flow of information in accordance with approved authorizations and ensuring that users can access only the data and resources required for their job roles. • Separation of duties and the least-privilege principle: Enforce the separation of duties and the principle of least privilege. Separation of duties reduces the risk of malicious activity without collusion by distributing responsibilities across multiple individuals. The principle of least privilege ensures that users have the minimum level of access required to perform their tasks, minimizing the potential damage from unauthorized access or misuse. • Control of privileged functions and accounts: Prevent non-privileged users from executing privileged functions and audit the execution of such operations. Users should use non-privileged accounts or roles when accessing non-security functions, and the policy should enforce limits on unsuccessful login attempts. • Session management and remote access control: Implement session management measures, such as session lock with pattern-hiding displays and automatic termination of user sessions after a defined condition. Remote access should be monitored and controlled, with cryptographic mechanisms employed to protect the confidentiality of remote sessions. Remote execution of privileged commands and access to security-relevant information should be authorized, and wireless access should be protected using authentication and encryption. • Mobile device and external information system control: Regulate the connection of mobile devices, encrypt information on mobile devices, and verify and control connections to external information systems. The use of organizational portable storage devices on external systems should also be limited, along with having control over the information posted or processed on publicly accessible systems.

Awareness and training policy A robust awareness and training policy lays the foundation for effective communication regarding cybersecurity throughout the organization. It aims to create a culture of security awareness and equip employees with the knowledge and skills needed to protect organizational information systems. The policy should speak to every level of the organization, from top management to line employees, and encompass various technical roles such as system, network, and database administrators. Organizations can enhance their cybersecurity posture and better manage risks by outlining the types of training to

61

62

Laying a Foundation for Information and Data Security

be conducted and their frequency. A comprehensive awareness and training policy should address the following components: • Ensuring awareness of security risks: Ensure that managers and users of organizational information systems are aware of the security risks associated with their activities. This includes the provision of information on applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems. Employees should understand their roles and responsibilities in maintaining the security and privacy of the organization’s data. • Adequate training for assigned information security duties: Personnel should receive sufficient training to carry out their duties and responsibilities. Training activities include role-specific training for individuals in technical roles, such as system administrators, network administrators, and database administrators, to ensure they possess the necessary knowledge and skills to secure the organization’s information systems effectively. • Security awareness training for insider threat recognition and reporting: Provide security awareness training that covers recognizing and reporting potential indicators of insider threats. Train employees to identify unusual or suspicious behavior, unauthorized access to sensitive information, or attempts to bypass security controls. • Recurrence of training and continuous learning: Establish guidelines for the frequency and types of training conducted. Regular training helps keep employees up to date with the latest threats, security best practices, and organizational policies. • Evaluation and adaptation: Include methods for evaluating the effectiveness of awareness and training programs, such as assessments, feedback from employees, and analysis of security incidents. Based on these evaluations, the organization should adapt and improve its training programs to address gaps or weaknesses, ensuring the training remains relevant and practical.

Auditing and accountability policy Auditing and accountability policies establish the rules for securely alerting, recording, storing, and allowing access to auditable events critical to information security. It provides a framework for monitoring user activities, detecting potential security incidents, and holding users accountable for their actions. This policy also governs audit log management, enabling information security professionals to effectively manage the high volume of audit logs produced by information systems. An auditing and accountability policy should include the following components: • Creation, protection, and retention of audit records: Establish guidelines for creating, protecting, and retaining audit records, allowing for effective monitoring, analysis, investigation, and reporting of any unlawful, unauthorized, or inappropriate activities within the information system. • Unique traceability of user actions: Ensure that the actions of individual information system users can be uniquely traced to those users, allowing them to be held accountable for their actions.

Information security policies

• Review and update of audited events: Require regular reviews and updating of audited events, ensuring that audit records remain current and relevant to the organization’s information security needs. • Alerting for audit process failures: Implement mechanisms to alert in the event of an audit process failure, enabling prompt detection and remediation of any issues that may compromise the integrity of audit records. • Correlation of audit processes for investigation and response: Establish guidelines for correlating audit review, analysis, and reporting processes, enabling effective investigation and response to indications of inappropriate, suspicious, or unusual activity. • Audit reduction and on-demand reporting: Provide audit reduction and report generation capabilities to support on-demand analysis and reporting. This control allows information security professionals to focus on relevant data and identify potential security incidents more efficiently. • Time synchronization and timestamping: Ensure that information systems can compare and synchronize internal system clocks with an authoritative source such as an approved Network Time Protocol (NTP) server, generating accurate timestamps for audit records. • Protection of audit information and tools: Protect audit information and tools from unauthorized access, modification, and deletion, ensuring the integrity and confidentiality of audit records. • Limited management of audit functionality: The management of audit functionality should be limited to a subset of privileged users, preventing unauthorized users from tampering with or disabling audit mechanisms.

Configuration management policy The configuration management policy provides a structured approach to managing changes and helps prevent unauthorized modifications that could lead to security vulnerabilities or system failures. A configuration management policy establishes rules to ensure that changes to information systems are minimally disruptive to their functionality and the users they support. This policy also requires IT professionals to document and track changes to information systems, promoting a controlled and secure environment. An effective configuration management policy includes the following: • Baseline configurations and inventories: Establish and maintain baseline configurations and inventories of organizational information systems throughout system development life cycles, including hardware, software, firmware, and documentation. • Security configuration settings: Establish and enforce security configuration settings for information technology products employed on information systems to ensure a consistent security posture across all components. • Change tracking, review, approval, and auditing: Mandate tracking, reviewing, approving, or disapproving, and auditing changes to information systems. This process helps maintain system stability and security by preventing unauthorized or harmful modifications.

63

64

Laying a Foundation for Information and Data Security

• Security impact analysis: Analyze the security impact of changes to ensure they do not introduce new vulnerabilities or compromise existing security measures. • Access restrictions for changes: Define, document, approve, and enforce physical and logical access restrictions associated with changes to information systems, limiting the potential for unauthorized modifications. • Principle of least functionality: Employ the principle of least functionality, configuring information systems to provide only essential capabilities and minimizing potential attack vectors. • Restriction of nonessential elements: Require restricting, disabling, and preventing the use of nonessential programs, functions, ports, protocols, and services, reducing the organization’s attack surface. • Software control policies: Apply deny-by-exception (deny lists) policies to prevent the use of unauthorized software. Permit-by-exception (allow list) policies can also be implemented, ensuring only approved applications run on information systems. • Control and monitoring of user-installed software: Mandate the control and monitoring of user-installed software to prevent unauthorized applications from introducing security vulnerabilities or negatively impacting system performance.

Contingency planning policy Contingency planning is essential for maintaining business operations and safeguarding an organization’s valuable information assets in the face of unexpected events. A contingency planning policy establishes the rules for an organization to effectively recover from IT events ranging from minor service disruptions to catastrophic incidents, rendering data processing capabilities inaccessible. A comprehensive policy helps organizations prepare for, respond to, and recover from incidents impacting their IT infrastructure, minimizing downtime, and mitigating potential losses. An effective contingency planning policy should address the following: • Emergency response plans: Require the development and maintenance of emergency response plans that outline the actions to be taken during an IT incident, assigning roles and responsibilities, and specifying communication and escalation procedures. • Backup operations: Establish and maintain backup operation plans that define the processes for creating, storing, and testing backups of critical information resources. These plans ensure data is recoverable during system and data access failures. • Post-disaster recovery plans: Mandate developing and implementing post-disaster recovery plans to guide organizations in restoring normal operations following a catastrophic event. These plans should identify the critical systems and services prioritized for recovery and outline the necessary steps to regain their functionality. • Plan testing and updating: Regularly test and update contingency plans to effectively address current and emerging risks. Tests include conducting regular exercises, evaluating the results, and incorporating lessons learned into plan revisions.

Information security policies

• Training and awareness: Emphasize the importance of training and awareness for all personnel involved in contingency planning and response activities. This communication ensures that employees know their roles and responsibilities and can effectively execute the plans during an emergency. • Coordination with external organizations: Establish coordination mechanisms with relevant external organizations, such as first responders, suppliers, and service providers, to facilitate effective response and recovery efforts during an IT incident.

Identification and authentication policy Identification and authentication are foundational aspects of information security. The identification and authentication policy defines an organization’s rules for provisioning and managing information system identifiers and the mechanisms allowed for positive authentication of these identifiers. A practical approach reduces the risk of unauthorized access and ensures that users, processes, and devices are appropriately identified and authenticated before gaining access to organizational information systems. This policy should address the following components: • Identifying users, processes, and devices: Require uniquely identifying information system users, processes acting on behalf of users, and devices to ensure accurate attribution of actions and accountability • Authentication mechanisms: Implement authentication mechanisms to verify users’ identities, processes, or devices before granting access to information systems • Replay-resistant authentication: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts, reducing the risk of unauthorized access through replay attacks • Identifier management: Prevent the reuse of identifiers for a defined period and disable identifiers after a specified period of inactivity to minimize security risks

Incident response policy Incident response is crucial to information security management, helping organizations detect, contain, and recover from security incidents. The incident response policy outlines the necessary actions related to reporting, responding, and handling information security incidents. An effective policy ensures that organizations can quickly identify and respond to threats. An effective incident response policy should address the following components: • Incident-handling capability: Mandate the establishment of an operational incident-handling capability for organizational information systems. This capability should include adequate preparation, detection, analysis, containment, recovery, and user response activities to manage security incidents effectively.

65

66

Laying a Foundation for Information and Data Security

• Tracking, documenting, and reporting incidents: Implement procedures for monitoring, documenting, and reporting incidents to appropriate organizational officials and authorities. This process ensures that relevant stakeholders are informed about incidents and can take necessary actions to address them. • Incident response team: Require the formation of a dedicated incident response team responsible for coordinating and executing incident response activities. The team should be composed of individuals with appropriate skills, knowledge, and experience in information security, and should be provided with ongoing training and support to maintain their expertise. • Incident response plan: Require the development, maintenance, and periodic review of an incident response plan. This plan should outline the roles and responsibilities of the incident response team, communication protocols, incident escalation procedures, and steps for containment, eradication, and recovery. • Incident classification and prioritization: Establish a process for classifying and prioritizing incidents based on their potential impact on the organization, its operations, and its information systems. This process should consider factors such as the severity of the incident, the sensitivity of affected data, and the potential consequences of not addressing the incident promptly. • Testing and exercises: Require regular testing and exercises of the organizational incident response capability. These tests should be conducted in a controlled environment, simulating real-world scenarios to assess the effectiveness of the incident response plan and identify potential areas for improvement. • Post-incident analysis: After an incident has been resolved, conduct a post-incident analysis to determine the root cause of the incident, identify any lessons learned, and implement necessary improvements to the incident response plan and processes. This analysis should be documented and used to inform future incident response efforts. • Continuous improvement and incident response metrics: Collect relevant metrics to assess the effectiveness of incident response activities. These metrics will enable organizations to adapt and evolve their incident response capabilities as the threat landscape changes and new challenges emerge. • Continuous improvement: Periodically review and update the incident response plan and provide ongoing training and support to the incident response team to ensure their skills and knowledge remain up to date. • Incident response metrics: Require the collection and analysis of incident response metrics to evaluate the effectiveness of the incident response process. Some key metrics include the following: ‚ Time to detect: The duration between the occurrence of an incident and its detection ‚ Time to respond: The duration between the detection of an incident and the initiation of a response

Information security policies

‚ Time to contain: The duration between the initiation of a response and the containment of the incident ‚ Time to recover: The duration between containment and the full recovery of affected systems and processes ‚ Cost of incident response: The financial impact of incidents, including direct costs (e.g., equipment replacement, external support) and indirect costs (e.g., downtime, loss of reputation)

Maintenance policy A maintenance policy sets the foundation for managing information systems with a strong focus on information security. It works with other IT policies concerning operations and maintenance to create a comprehensive approach to managing an organization’s information infrastructure. The maintenance policy establishes rules for managing information systems, focusing on information security. The maintenance policy should address the following: • Scheduled maintenance: Perform periodic and timely maintenance on information systems. Maintenance activities include updating software, applying patches, and conducting other necessary maintenance tasks to ensure the ongoing security and integrity of the systems. • Maintenance controls: Effective controls should be in place for the tools, techniques, mechanisms, and personnel used to maintain information systems. These controls include vetting maintenance personnel, ensuring appropriate access permissions, and utilizing secure tools and methods. • Sanitization of equipment: Ensure sensitive information is sanitized from any equipment removed for off-site maintenance. This process involves securely erasing or destroying data on storage devices to prevent unauthorized access during maintenance procedures. • Malicious code prevention: Media containing diagnostic and test programs should be checked for malicious code before being used on the information system. This review helps prevent the introduction of malware or other security threats during maintenance activities. • Remote maintenance security: Terminate remote connections to minimize potential security risks when nonlocal maintenance is complete. Also, requiring multifactor authentication to establish nonlocal maintenance sessions via external network connections helps to secure remote maintenance activities. • Supervision of maintenance activities: Establish processes to monitor and audit maintenance activities for compliance with security policies and guidelines. Supervising the maintenance activities of personnel without required access authorization helps ensure information system security during maintenance procedures.

67

68

Laying a Foundation for Information and Data Security

Media protection policy The media protection policy defines how physical and digital media will be managed, protected, and disposed of within the organization. By focusing on managing, protecting, and disposing of physical and digital media, the policy ensures that sensitive and critical data is safeguarded from unauthorized access, disclosure, or loss throughout its life cycle. This policy encompasses safe handling practices, authorized media usage, media protection requirements, and guidelines for media destruction. Aspects the media protection policy should address include the following: • Media inventory and classification: Require the development of an inventory for all media used within the organization, including the type, purpose, location, and assigned custodian. It should also establish a media classification system that identifies the sensitivity of information stored on media and the appropriate protection requirements. • Media handling and storage: Define the procedures for securely handling and storing media, including guidelines for transporting media between locations, storing media in secure areas, and ensuring access controls are in place to prevent unauthorized access to media. • Media sanitization and destruction: Establish processes for sanitizing or destroying media before disposal or reuse. This process includes guidelines for selecting appropriate sanitization methods based on the media type, classification, and risk of unauthorized disclosure. • Media marking and labeling: Require proper marking and labeling of media to indicate the sensitivity of the information stored, distribution limitations, and any special handling instructions. • Media transportation and accountability: Develop procedures for controlling access to media and maintaining accountability for media during transport outside of controlled areas. This includes implementing cryptographic mechanisms to protect the confidentiality of the information stored on digital media during transport unless alternative physical safeguards are in place. • Removable media usage and restrictions: Establish rules for using removable media on information system components, including restrictions on the types of media allowed, authorized usage scenarios, and requirements for media encryption. • Prohibition of unauthorized storage devices: Prohibit the use of portable storage devices with no identifiable owner or when such devices pose a risk to the organization’s information security. • Backup information protection: Require measures to protect the confidentiality of backup information stored at off-site or on-site storage locations, ensuring appropriate access controls, encryption, and physical security measures are in place.

Information security policies

Personnel security policy The personnel security policy sets forth the rules and procedures necessary to ensure that all individuals with access to sensitive information and IT systems can be trusted to perform their duties securely and responsibly. The personnel security policy should address the following areas: • Ensuring trustworthiness: Establish procedures for vetting individuals who occupy positions of responsibility within the organization or have access to sensitive information or IT systems. These procedures should include third-party service providers with access to organizational systems or data. The policy should specify the criteria for determining trustworthiness, such as the following: ‚ Background checks ‚ Credit checks ‚ Reference checks These criteria should be based on risk assessments and aligned with the organization’s security objectives. The personnel security policy should also outline the procedures for granting access to sensitive information or IT systems. Access should be given on a need-to-know basis and following established security criteria for each position. The policy should specify the process for reviewing and updating access privileges based on changes in job responsibilities or other factors that may affect an individual’s trustworthiness. • Protecting information and systems: Address the need to protect organizational information and information systems during and after personnel actions such as terminations and transfers. The policy should specify procedures for disabling or revoking access to sensitive information or IT systems when an individual leaves the organization or changes positions. The policy should also establish procedures for ensuring that sensitive data is appropriately handled and protected during personnel actions. • Enforcing compliance: Enforce formal sanctions for personnel failing to comply with organizational security policies and procedures. These sanctions should be commensurate with the severity of the violation and may include disciplinary action, termination, or legal action.

Physical and environmental protection policy The physical and environmental protection policy sets forth the rules necessary to ensure that the building where sensitive data processing occurs is secure from a personnel and physical plant perspective.

69

70

Laying a Foundation for Information and Data Security

The policy should address the following areas: • Limiting physical access: Limit the physical access of authorized individuals to information systems, equipment, and operating environments. Access controls such as key cards, biometric readers, and security guards can be implemented to ensure that only authorized individuals gain access. • Protecting the physical plant and infrastructure: Protect the physical plant and infrastructure against physical threats, such as theft, vandalism, and terrorism. These measures may involve the establishment of physical barriers and the regular evaluation of security protocols. • Protecting information systems against environmental hazards: Protect information systems against environmental hazards including floods, fires, and earthquakes. The policy should outline measures to safeguard information systems against these hazards, including installing fire suppression systems and backup generators. • Enforcing safeguarding measures: Enforce safeguarding measures for information at alternate work sites, such as telework sites. These policies should specify measures to secure equipment and data when not in use and ensure that data is encrypted during transmission.

Risk assessment policy This policy aims to ensure the effective implementation of risk assessment procedures to reduce the likelihood and impact of security incidents and improve the organization’s overall information security posture. The risk assessment policy should address the following key areas: • Assessing risk: Establish steps to evaluate the risk to organizational operations, assets, and individuals resulting from operating organizational information systems. These steps include identifying threats, vulnerabilities, and impacts on the organization’s mission, functions, image, or reputation. Additionally, the policy should specify the criteria for assessing risks, such as likelihood and impact, to ensure effective implementation. • Scanning for vulnerabilities: Implement capabilities for monitoring information systems and applications periodically and when new system vulnerabilities are identified. The policy should specify the criteria for determining the frequency of scanning and the types of tools to be used. • Remediating vulnerabilities: Remediate discovered vulnerabilities commensurate with the risk posed by the findings. Remediation activities include prioritizing vulnerabilities based on risk, developing remediation plans, and implementing corrective actions. • Continuous monitoring: Develop procedures for continuously monitoring the information system and assessing risk based on changes to the system, its environment, and any other factors that may affect its security posture.

Information security policies

Assessment, authorization, and monitoring policy The assessment, authorization, and monitoring policy formulates the necessary guidelines for performing information security testing on new information systems or components and establishing information security continuous monitoring and reporting within an organization. The policy should cover these crucial areas: • Routine evaluation of security controls: Regularly review security controls within organizational information systems to gauge their effectiveness. The process encompasses conducting security testing, examining the results to pinpoint deficiencies and vulnerabilities, and establishing criteria for evaluating security controls, such as frequency and scope. • Formulation and execution of action plans: Create and execute action plans to rectify deficiencies and mitigate or eradicate vulnerabilities in organizational information systems. The approach includes prioritizing remediation efforts and monitoring progress toward security objectives. • Operational authorization: Set the approach for granting operating authorization to organizational information systems and related system connections by management. This approach involves assessing the system’s security posture and determining its operational acceptability. The policy should outline the criteria for granting operating authorization, such as risk assessments and system categorization. • Ongoing surveillance: Continuously monitor information system security controls to maintain their effectiveness. Gather and analyze security-related information and report the findings to management.

System and communications protection policy The system and communications protection policy establishes the guidelines for network segmentation, boundary protection, cryptographic implementation within an organization, and rules regarding acceptable communication methods and mechanisms. The policy should address the following: • Organizational communication supervision, regulation, and safeguarding: Define the process for overseeing, regulating, and safeguarding organizational communications at external and critical internal boundaries of information systems. The policy should detail the criteria for supervising and regulating digital communications, including a definition of the boundary protection scope and monitoring of communication protocols. • Incorporating architectural design, software development techniques, and systems engineering principles: Develop an approach for incorporating architectural designs, software development techniques, and systems engineering principles into your organization’s SDLC that fosters effective information security within organizational information systems. This principle includes creating secure network architectures, employing secure software development practices, and utilizing secure systems engineering practices.

71

72

Laying a Foundation for Information and Data Security

• Establishing subnetworks for public system components: Create subnetworks for publicly accessible system components, physically or logically separated from internal networks. The policy should specify the criteria for creating subnetworks, such as defining network zones and boundaries, tie-ins with organizational data classifications, and determining corporate high-value assets. • Cryptography application: Apply cryptographic mechanisms to prevent unauthorized information disclosure during transmission unless alternative physical safeguards exist. This control includes encryption, digital signatures, and other cryptographic techniques to protect sensitive information. The policy should detail the criteria for applying cryptography, such as protected data types and cryptographic mechanism usage. • Mobile code and VoIP technology control and monitoring: Define the process for regulating and overseeing mobile code and Voice over Internet Protocol (VoIP) technology usage. The policy should establish the criteria for regulating and monitoring these technologies, such as security control implementation and allowed or denied mobile code and VoIP technology types. • Safeguarding communication session authenticity: Develop an approach for ensuring communication session authenticity. This approach includes implementing authentication mechanisms such as digital certificates and secure communication protocols such as Transport Layer Security (TLS) to prevent unauthorized access and guarantee communication session authenticity. • Securing information-at-rest confidentiality: Define the process for ensuring the confidentiality of information at rest. This process includes utilizing encryption and other cryptographic techniques to protect sensitive data stored in information systems.

System and information integrity policy The system and information integrity policy establishes the requirements to ensure that an information system’s critical IT hygiene components are functioning and well maintained. The policy should address the following: • Identification, reporting, and correcting of information and information system flaws: The policy should specify the criteria for identifying and reporting system and application flaws, such as the types of vulnerabilities to be identified and the types of testing to be conducted. This criterion includes implementing vulnerability scanning and management tools, establishing incident response procedures, and conducting periodic system and application testing. • Providing protection from malicious code: The policy should specify the criteria for delivering malicious code protection, such as the types of information systems to be protected and the types of malicious code protection mechanisms to be used. This capability includes implementing anti-virus, anti-malware, and other malicious-code protection mechanisms.

Information security policies

• Monitoring information system security alerts and advisories: The policy should establish rules for monitoring security alerts and advisories, such as the types of alerts and advisories to be monitored and the types of response actions to be taken. Monitoring activities include establishing security incident and event management systems, implementing security monitoring tools, and conducting periodic security reviews. • Updating malicious code protection mechanisms: The policy should specify the criteria for updating malicious code protection mechanisms, such as the types of tools to be updated and the frequency of updates. This control includes implementing automatic update mechanisms, establishing change management procedures, and conducting periodic system and application testing. • Performing periodic scans of the information system: Establish procedures for performing periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Scanning activities include implementing vulnerability scanning and management tools, establishing incident response procedures, and conducting periodic system and application testing. • Monitoring the information system: The policy should specify the criteria for monitoring the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. This monitoring includes implementing intrusion detection and prevention systems, establishing security incident and event management systems, and conducting periodic automated and manual security reviews. • Identifying unauthorized use of the information system: Specify the criteria for determining unauthorized use, such as the types of access to be controlled. This capability includes implementing access control mechanisms, establishing incident response procedures, and conducting periodic system and application testing.

Systems and services acquisitions policy The systems and services acquisitions policy lays down the rules necessary for integrating information security throughout the acquisitions life cycle of an organization. Specifically, the systems and services acquisitions policy should focus on the following key areas: • Resource allocation for organizational information system protection: Define the process for allocating adequate resources to protect organizational information systems during the acquisition life cycle. The policy should detail resource allocation criteria, such as the types of acquisitions to be evaluated and the controls to be implemented. • System development life cycle processes with information security considerations: Define how to use system development life cycle (SDLC) processes that incorporate information security considerations. This process entails establishing security testing requirements, implementing security controls, and integrating security requirements throughout the SDLC.

73

74

Laying a Foundation for Information and Data Security

• Software usage and installation restrictions: Set guidelines for applying software usage and installation restrictions to ensure software aligns with organizational policies and procedures. Implement software configuration management, set installation guidelines, and ensure appropriate controls protect information systems. • Third-party provider security measures: Ensure third-party providers utilize sufficient security measures to protect information, applications, and services outsourced from your organization, including setting procurement guidelines, and conducting vendor risk assessments.

Personally identifiable information policy The personally identifiable information (PII) policy addresses the secure processing, storage, and management of PII. The policy also emphasizes the importance of transparency, enabling individuals to understand how their data is used and managed. This policy considers data privacy areas such as data collection, storage, access control, data subject rights, and breach response procedures. In doing so, the PII policy aims to establish a robust foundation for organizations to navigate the complex landscape of personal data protection that regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) impose on organizations. The PII policy should cover the following: • Data collection minimization: Limit the collection of PII to the minimum amount necessary to accomplish the intended purpose. Activities to this end include implementing data minimization techniques, establishing data collection procedures, and conducting periodic data collection audits. • Safeguarding PII storage: Ensure the security and integrity of stored PII. Implement encryption for data storage, segregating PII storage from other sensitive business data, and enforce data retention policies that automatically remove PII from storage after a specified period or upon the request of the data subject. • Managing PII access controls: Determine who can access PII and under what conditions. Implement role-based access controls, require two-factor authentication for any system containing PII, and restrict access to PII only to employees working on specific projects, with access revoked once the project is completed. • Data breach response strategy: Establish procedures for responding to data breaches involving PII. Define the roles and responsibilities of the incident response team, outline notification procedures for affected individuals, and implement measures to prevent future breaches.

Supply chain risk management policy The Supply Chain Risk Management (SCRM) policy identifies, assesses, and mitigates risks associated with an organization’s supply chain. Recognizing that supply chain disruptions can significantly impact the organization’s ability to function, the SCRM policy emphasizes the need for a proactive approach to managing risks throughout the entire life cycle of products and services. The policy encompasses

Information security policies

various aspects of supply chain management, including supplier selection, ongoing monitoring, performance evaluation, secure disposal, end-of-life management, and training and awareness initiatives. The policy should address the following: • Assessing and identifying supplier risks: Identify and evaluate the risk levels associated with suppliers, such as the products and services being procured, the supplier’s security posture, and their compliance with industry standards. Implement supplier risk assessment processes, establish supplier qualification criteria, and conduct periodic supplier audits. • Establishing supplier security agreements: Establish security agreements with suppliers, determining things such as the types of security controls to be implemented and the reporting obligations in case of security incidents. Define security clauses in supplier contracts, establish monitoring mechanisms, and periodically review the effectiveness of security agreements. • Monitoring supply chain security: Monitor the security of the supply chain, including the types of threats to be detected and the kinds of response actions to be taken. Implement supplier monitoring practices and conduct periodic automated and manual security reviews of suppliers. • Managing supplier incident response and remediation: Establish procedures for responding to security incidents involving suppliers. Procedures should include the roles and responsibilities of the incident response team and the actions taken internally with the organization and externally with the supplier. • Ensuring supply chain continuity: Develop guidelines for a stable and continuous supply chain, emphasizing the importance of proactive contingency planning and identifying alternative suppliers when necessary. Implement supply chain resiliency measures, establish backup supplier arrangements, and conduct periodic risk assessments. • Evaluating supplier performance: Establish processes for evaluating supplier performance, including the types of metrics to be used and the frequency of evaluations. Implement a supplier performance management system, set performance targets for suppliers, and conduct periodic supplier performance reviews. • Secure disposal and end-of-life management: Securely dispose of end-of-life products and services procured through the supply chain. Implement secure disposal procedures, ensure data sanitization, and establish end-of-life management plans for procured products and services. • Developing an SCRM training and awareness program: Create a comprehensive training and awareness program focused on supply chain risk management. The program should outline the various training topics and establish a suitable schedule for training sessions. Develop targeted training courses and integrate ongoing awareness initiatives to ensure a well-rounded understanding of supply chain risk management.

75

76

Laying a Foundation for Information and Data Security

Summary This chapter equipped you with a comprehensive understanding of the core elements necessary to build a strong information security program. By embracing a holistic approach, leveraging existing frameworks, focusing on critical success factors, and implementing effective policies, organizations can establish a resilient and proactive security posture that protects their valuable information and data assets. The upcoming chapter will introduce you to information security risk management concepts and how these concepts can be applied to your organization.

4 Information Security Risk Management This chapter will discuss information security risks, beginning with a review of the foundational concepts, which will lead to a detailed understanding of risk ownership and management. It will offer insights into identifying and safeguarding your organization’s vital data and provide guidelines for conducting risk assessments. We will explore the significance of information classification and the steps involved in the data classification process. Drawing on these building blocks, we will discuss establishing impact, choosing suitable security controls, and calculating risk using qualitative and quantitative assessments. The following topics will be covered in this chapter: • What is information security risk? • Understanding the ownership and management of information security risk • Identifying and protecting your organization’s valuable data • Conducting a quick risk assessment • Risk management is an organizational-wide activity • The life cycle of risk management in information security • Information classification and its importance in information security • The steps in the data classification process • Establishing impact • Security control selection • Calculating risk – a comprehensive look at qualitative and quantitative risk assessments • Identifying threats and choosing the right approach • Exploring management approaches to risk

78

Information Security Risk Management

What is information security risk? Information security risk encompasses the possible events or circumstances that could lead to disruptions within an organization, harm its reputation, or result in financial losses due to failures in information systems. These risks can arise from various factors related to people, processes, and technology associated with the organization’s information systems. Risk mitigation involves addressing the organization’s risks associated with people, processes, and technology. Risk management is a multifaceted process that requires all organization members’ participation, ranging from senior executives to frontline employees. Successfully managing information security risks necessitates a comprehensive understanding of how people, processes, and technology interact and function at every level of the organization. To achieve this, organizations must first identify potential risks and assess their severity and likelihood of occurrence. They must then prioritize the identified risks and develop strategies to accept, transfer, mitigate, or avoid them. Throughout this process, organizations must maintain open lines of communication to ensure all stakeholders are aware of the risks and the measures being taken to manage them. Ultimately, organizations must continuously monitor and review their risk management efforts to adapt to the ever-evolving landscape of information security threats.

Understanding the ownership and management of information security risk Information security risk is critical for organizations, especially in light of the growing number of large-scale government and private sector information systems breaches. In the past, many organizations viewed information security risk as solely owned by the IT division. However, this is not an acceptable practice, and it is crucial to understand the concept of risk ownership versus risk management. The ability to own risk is tied to authority and the ability to commit funds to reduce risk. Senior leaders can fund risk reduction efforts, as well as change the direction of organizational actions and culture. It is critically important that risks to the organization be effectively communicated to senior leadership with well-thought-out plans to reduce risk. While risk ownership sits with an organization’s executive team, it is the responsibility of the information security professional to deliver the facts regarding organizational risk, coupled with the necessary plans of action to reduce the risk to acceptable levels. This analysis is where a practical understanding of the organization comes into play. Senior leadership will not be receptive to your risk reduction strategies if they do not align with the organizational mission. Risk management is a team sport that spans from the most junior frontline employees to senior management. Risk management duties are delegated down from senior management. However, risk acceptance cannot be delegated down. Risk acceptance decisions must be made by the risk owners, which the risk managers must effectively communicate.

Identifying and protecting your organization’s valuable data

It is essential to note that IT professionals should not assume that they are the risk owners simply because they are responsible for an information system. Making decisions about the risk of an IT system they are not authorized to make can lead to accidental exposure for the organization. Instead, risk should be communicated up the organizational hierarchy via a repeatable risk management process.

Identifying and protecting your organization’s valuable data A comprehensive understanding of your organization’s valuable data is critical to a successful information security program. Without it, you, as the information security professional, cannot adequately protect your organization’s interests. Your information security program must align with key business stakeholders so that you understand the most valuable pieces of information in the organization and work with the business and IT teams to secure the data. One crucial area to consider is intellectual property (IP) and trade secrets. Does your organization have IP or trade secrets? Does your organization have competitors that would benefit from having access to this information? Does your organization maintain IP or trade secrets on digital systems? Another vital area to consider is personally identifiable information (PII). Does your organization collect PII for your employees, customers, or partners? PII is information that can be gathered from a telephone book, including name, birth date, and address. Does your organization collect sensitive PII, which is information not readily available to the public and includes social security numbers (SSNs), tax ID numbers, or unlisted telephone numbers? It is also important to ask general questions about the organization’s valuable data. Does the organization have any information that, if exposed, would cause customers to lose confidence in the organization? For example, in retail, losing payment card data could cause customers to lose trust in the organization. Another example is that if a government contractor loses government customer information, it could damage their relationship with the government and lead to a loss of revenue. As an information security professional, it is vital to ask business managers about the information required to function and its impact. Are there any critical pieces of information that, if lost, could result in job loss for business managers? Is there any specific information that is essential for their business unit to function, without which the business unit will come to a halt? Are there any particular pieces of information that cause them to lose sleep at night if lost? Understanding your organization’s valuable data is crucial to a successful information security program. IP and trade secrets, PII, and general business-critical information should all be considered when identifying and securing valuable data. By working with key stakeholders, you can ensure that the organization’s interests are adequately protected.

79

80

Information Security Risk Management

Conducting a quick risk assessment A quick risk assessment aims to provide a high-level overview of your organization’s information security status. It is not intended to replace a more detailed risk assessment but can be helpful as a preliminary evaluation. You can use the results of this assessment to provide a pulse check to your management and give them an idea of what to expect regarding information security risk. To use this assessment, answer each question with a yes, unsure, or no response, and assign 5 points for yes, 5 for unsure, and 0 for no. The following are the questions that you should consider when conducting this quick risk assessment: 1. Does your organization use an internal unsecured guest wireless network? 2. Does your organization allow the use of personal devices on the organizational network? 3. Does your organization enable high-risk information systems connected to the internet? 4. Is your organization unable to securely dispose of sensitive hardcopy media, and are your employees trained on how to dispose of the media? 5. Does your organization allow regular users (non-IT users) to have privileged (administrative) access to any network device or computer? 6. Does your organization allow unrestricted Universal Serial Bus (USB) connections? 7. Do employees or customers access internal information systems remotely with a VPN unfettered and without multi-factor authentication (MFA)? 8. Are information security policies developed for the organization, and are they fully enforced? 9. Does your organization use cloud-based software or storage? 10. Does your organization allow personal devices for business use or on a company network? 11. Does your organization use information systems to store the PII of customers or employees? 12. Does your organization have third-party suppliers, vendors, or partners that are network-interconnected? 13. Does your organization conduct business with foreign countries? 14. Is an acceptable use policy (AUP) missing for the organization, and is it fully enforced? 15. Is anti-malware software missing or not adequately managed by the organization? 16. Is a password expiration policy missing or not adequately enforced? 17. Is information security awareness training missing for every user accessing organizational information systems? 18. Does your organization store sensitive information that could compromise its ability to continue business if exfiltrated (IP, government information, financial records, payment card data, and so on)?

Risk management is an organizational-wide activity

19. Are access controls missing into and out of buildings, utilizing a mechanism to positively ID everyone? 20. Is an implemented and tested disaster recovery capability for critical systems missing? Once you have answered all these questions, add the scores to determine your organization’s risk level. Scores between 55 and 100 indicate critical risk, scores between 30 and 50 indicate high risk, scores between 15 and 25 indicate moderate risk, and scores between 0 and 10 indicate low risk.

Risk management is an organizational-wide activity Information security professionals must develop a comprehensive risk management strategy that enables an organization to establish consistent mechanisms for continuous assessment, response, and monitoring of information security risks. This approach allows the information security professional to engage the organization transparently and systematically, fostering greater acceptance within the organization. To gain a deeper understanding of your organization, consider the following examples and insights from various parts of the business:

Figure 4.1 – Relationships between information systems and the organization

81

82

Information Security Risk Management

Let’s take a closer look: • Business operations: Key areas to explore include finance, HR, and manufacturing. Examining business operations is crucial for understanding the following: ‚ The acceptable risk levels for each business unit concerning information systems. For example, an e-commerce unit may tolerate a higher risk for an internal collaboration server than its e-commerce website. Conversely, a manufacturing unit may highly value an internal collaboration server containing sensitive proprietary information. ‚ The criticality of data processed by each information system. Not all data requires the same level of protection. While publicly accessible information needs protection for integrity and availability, confidentiality concerns may be low. However, systems containing IP may require high-risk ratings to protect confidentiality, integrity, and availability. • IT operations: Assess your enterprise IT architecture by asking questions such as the following: ‚ Does a web-based application for internal employees need to be accessible from the internet for remote employees? ‚ Can a VPN be used if external access is required? ‚ Is MFA available to secure user authentication? • Personnel: Examine your organization’s processes for onboarding and offboarding staff, contractors, and partners. Ensure that processes are consistent and comprehensive, including the following: ‚ Appropriate permissions and access to necessary information and systems ‚ Notification and revocation of access for staff departures ‚ Monitoring personnel through policies, training, and technological capabilities such as data loss prevention (DLP) solutions, information rights management, and cloud access security brokers (CASBs) • External organizations: Investigate relationships with vendors, subcontractors, partners, and subsidiaries or divisions to understand their impact on information security: ‚ Inspect vendor tools and monitor third-party connections for potential malware infections or data exfiltration ‚ Ensure that subcontractors follow the same information security requirements and use appropriate equipment ‚ Determine whether your IT organization is centralized or decentralized and whether corporate IT policies are enforced across the entire organization

The life cycle of risk management in information security

By considering these factors within the risk management process, an information security professional can gain a holistic understanding of how the organization operates concerning people, processes, and technology from both business and IT perspectives. This knowledge better informs the information security professional when they’re assessing the risk of introducing new IT components to the organization.

The life cycle of risk management in information security Effective risk management is crucial to the successful execution of an organization’s information security program. The Risk Management Framework (RMF), as outlined in the NIST Special Publication 800-37 Revision 1, provides a comprehensive life cycle model for identifying, evaluating, and addressing risks related to information and information systems. The life cycle of risk management consists of several essential stages, which are integral to safeguarding an organization’s information security. You can see this in the following figure:

Figure 4.2 – Risk management framework process

83

84

Information Security Risk Management

Let’s look at the stages involved: 1. Categorizing information systems: In this initial phase, organizations classify their information systems based on the impact a security breach would have on their operations, assets, and individuals. This process helps prioritize risk management efforts and allocate resources efficiently. 2. Selecting security controls: Once the information systems have been categorized, organizations can choose appropriate security controls from a predefined set of guidelines, such as the NIST Special Publication 800-53. These controls are tailored to meet the specific security requirements of each system, ensuring robust protection. 3. Implementing security controls: After selecting the necessary security controls, organizations must deploy them within their information systems. Deploying controls includes configuring hardware, software, and procedural elements while following the chosen security controls to mitigate potential risks effectively. 4. Assessing security controls: Regular assessments of the implemented security controls are vital to ensure their effectiveness in addressing the identified risks. Organizations must conduct thorough evaluations and document the results to verify that the controls function as intended. 5. Authorizing information systems: Based on the assessment results, senior management must make an informed decision to authorize the operation of the information systems. This process involves weighing the security risks against the benefits of operating the systems and accepting the residual risk. 6. Continuous monitoring: As the risk landscape evolves, organizations must continuously monitor to maintain a strong security posture. This capability involves ongoing assessments, updates to security controls, and regular communication of the risk management status to stakeholders. In the next section, we will discuss how organizations can effectively safeguard sensitive information and address evolving risks by considering information classification and its crucial role in information security.

Information classification and its importance in information security As an information security professional, it is vital to collaborate with an organization’s business and IT departments to classify the data necessary to fulfill its mission accurately. Data classification is a crucial first step in building a robust information security program. Engaging business leaders in the data classification process allows them to participate in decision-making regarding data security within the organization and the allocation of resources. This process enables the information security professional to emphasize the organization’s critical information assets and apply security controls that support the organization’s mission.

Information classification and its importance in information security

This book will devote more time to the information categorization phase of the risk management life cycle than any other part. Although this phase may not be technically glamorous, it is undoubtedly one of the most crucial risk management life cycle stages. This foundational phase involves working closely with business leaders to develop requirements for securing the organization’s future IT environment. Data classification aims to do the following: • Identify the information assets within the organization • Determine the value of these assets to the organization • Establish what it takes to secure these assets in proportion to their value The following figure provides an example of data that may exist within an organization and how it may be treated differently. In this example, the data on the outermost ellipse is the least critical to the organization. The further you move inward, the more critical the data becomes to the organization:

Figure 4.3 – Example data classification

85

86

Information Security Risk Management

An organization’s information systems contain vast amounts of data that’s essential for accomplishing its mission. However, it is crucial to recognize that not all data is created equal; thus, not all data has the same value to the organization. Consequently, applying the same security controls to protect all data throughout the organization would result in wasted resources. Allocating the most challenging to implement and costliest security controls for data with the highest value helps establish an efficient and cost-conscious information protection program. A successful information security program hinges on the following: • Trust in the information security program: A reliable program should differentiate between sensitive and non-sensitive information and offer tailored guidance on protecting various data types. Failing to do this will lead to unnecessary work for specific subsets of corporate data, causing frustration among project and finance teams. • Fiscal responsibility: Gaining senior leadership support is essential for a successful information security program. Wasting resources is one way to lose that support. By selecting only the necessary security controls for specific types of organizational data, you demonstrate to leadership your commitment to saving money and valuing your allocated resources. As an information security professional, conducting data classification ensures the proper identification of organizational data, appropriate application of prudent security controls, and efficient utilization of the organization’s resources. Now that we understand the importance of data classification in information security, let’s delve into the steps involved in the data classification process.

Steps in the data classification process Data classification is an integral part of establishing a solid information security program. There are four key steps involved in the data classification process: 1. Determining information assets: The first step is determining the various information assets within your organization. These could include employee records, financial documents, IP, customer data, or other information vital to the organization’s operations. 2. Finding information in the environment: After identifying the information assets, the next step is to locate them within the organization’s information system. This process could involve searching through databases, file storage systems, or cloud services to pinpoint where the essential data resides. 3. Organizing information into categories: Once the information has been located, it is crucial to organize it into distinct protection categories. These categories should be based on sensitivity, confidentiality, and regulatory requirements. For example, you could classify data as public, internal, confidential, or highly restricted. This categorization allows for the appropriate allocation of resources and security controls.

Steps in the data classification process

4. Valuing the information: The final step in the data classification process is to assign a value to the information assets. This value should reflect the importance of the data to the organization and the potential impact of a security breach. Factors to consider when assigning value may include the cost of replacing the data, the possible financial loss in case of a breach, and the legal or reputational repercussions of unauthorized access. By assigning value to your information assets, you can better prioritize your security efforts and allocate resources effectively. The following figure illustrates the data classification process:

Figure 4.4 – Data classification process

Let’s explain this in more detail.

Determining information assets Determining an organization’s information assets can be a complex task. It is common for organizations to turn to their IT departments to understand their information. However, in this case, it is crucial to collaborate with the organization’s business groups. The IT group usually focuses on storage volume size and read/write speed, lacking the context behind the data they store. On the other hand, the business units can provide insights into the data’s meaning and significance for their business functions. Here are some sample questions to ask when identifying your organization’s information assets: • Does your organization process transactional information such as orders, payments, or invoices? • Does the organization possess sensitive sales and marketing information about its products and services? • Does the organization have specific product offerings, and is there information related to product development? • Does your organization store information about its customers, suppliers, or partners?

87

88

Information Security Risk Management

Information to gather When identifying information assets, it is essential to gather the following details: • Information type: Provide a clear, descriptive title for the information • Information purpose: Explain the business purpose of the information typically provided by the information owner • Information owner: Identify the individual in management who is ultimately responsible for the data (usually not a person in IT) Here are some examples: Information Type

Information Purpose

Information Owner

Design specifications

Specifications for the new transgalactic star destroyer Suzie Sunshine

Product pricing information

The cost to develop the medium-sized space laser John Doe versus the actual selling price Table 4.1

Finding information in the environment Now that we have identified the different types of data that’s processed within the organization, it is essential to determine where information is stored across the various information systems. Although business users might not be as helpful when locating information within the IT environment, they can still offer valuable guidance. Engage them in conversations about their interactions with the IT organization to obtain IT services, how they access their information, and the path to its location. While this might be the extent of the information they can provide, it is a valuable starting point to further explore with the IT team and track down where business information resides. Armed with this foundational information from business users, you can now approach the IT department and search for the data’s physical location. Collaborating with various IT department members will likely be necessary, including the following: • Information and systems architects • Database administrators • System administrators • Network administrators It is important to note that the data you uncovered during your discussions with business users may not be confined to a single server. Information systems often have components distributed across multiple

Steps in the data classification process

physical servers. For example, in the case of a web-based application, a well-designed application will be structured across three tiers:

Figure 4.5 – Example 3-tier web application

Let’s take a closer look: 1. Presentation tier: This is the uppermost level of the application stack and includes the user interface. It is responsible for displaying information and facilitating user interaction. 2. Logic tier: This middle level of the application stack mediates communication between the presentation and data tiers. It performs calculations, processes commands, makes decisions, and performs other vital functions. 3. Data tier: This is the lowest level of the application stack and is where the application’s data is stored and managed.

89

90

Information Security Risk Management

It is worth noting that each of these tiers might contain multiple servers for redundancy purposes, ensuring that the application remains operational, even during server failures or other technical issues. The preceding example shows that a straightforward URL provided by a business user could correspond to a complex infrastructure involving an extensive collection of servers, application interconnections, and security zones. This level of detail is beyond an average business user’s knowledge scope but is readily available within the IT team’s domain. Although the actual storage of information takes place within the database tier, it is crucial to consider the entire application when examining information management. Data processing and manipulation occur throughout the application, involving all tiers and components. By understanding the interconnected nature of the application and its components, you can better appreciate the complexity and intricacies of information management within an organization’s IT environment. This comprehensive perspective is essential for data protection, access control, and overall system maintenance decisions.

Disaster recovery considerations Incorporating a well-designed disaster recovery architecture is paramount when determining the storage location for sensitive business data. Consistent security measures must be implemented across every facet of the architecture to safeguard vital information and maintain the integrity of your organization’s operations. These measures should be tailored to specific business requirements and industry best practices. Implementing a disaster recovery site has significantly impacted the infrastructure’s complexity in the following scenario. Including this secondary site has led to doubling the number of servers and applications compared to the initial example. This particular example also features a backup internet connection, providing an additional layer of redundancy to ensure continuous connectivity. Moreover, data replication has been implemented for the applications at the backup site, ensuring the availability of up-to-date information in case the primary site becomes compromised. However, it is crucial to note that the backup internet connection may pose a potential risk without proper security measures. If not adequately secured, this connection could be a gateway for unauthorized access to the backup application, compromising the integrity of the entire disaster recovery strategy. The following figure provides a simple example of a disaster recovery architecture:

Steps in the data classification process

Figure 4.6 – Example disaster recovery architecture

Backup storage considerations When determining the location of business data within an organization’s enterprise information system, backup storage is vital to address and you must ensure it is adequately protected. Protecting the backup storage environment to the same extent as the business information requires is essential. This focus ensures that backup media, services, and data remain secure from unauthorized access. Additionally, it is important to adhere to the organization’s policies regarding destroying unnecessary backup copies. Over time, mismanagement of redundant copies may lead to unauthorized access. As a best practice, dispose of any unneeded backups promptly and securely.

91

92

Information Security Risk Management

Various storage options are available to cater to different organizational needs and preferences: • Virtual machine snapshot: This backup method creates a point-in-time copy of a virtual machine disk file, restoring a virtual machine to a specific moment. • Tape backup: Tape backups employ a linear storage mechanism, making them suitable for long-term archival storage. However, tape backups are becoming less popular due to the declining costs of disk-based backups. • Disk backup: Unlike tape storage, disk backup offers non-linear storage, enabling direct access to individual files and faster recovery times. This option provides higher capacities and speeds compared to tape backups. • Cloud backup: Cloud-based solutions offer backup services as an alternative to in-house backup mechanisms. When opting for a cloud backup provider, it is vital for information security professionals to thoroughly review the contract to ensure that the provider meets all the necessary security requirements for the business’s data.

Key questions to assess information locations To effectively manage and secure an organization’s data, it is essential to understand its location within the information system. Engaging business users and IT personnel in this process will help ensure a comprehensive assessment. Here are some questions to consider when evaluating information locations. Questions for business users: • Do business users have designated IT contacts for the information system where their data resides, such as managerial, administrative, or help desk personnel? • Do business users rely on a Windows file share to store or process their information? • Do business users utilize web applications to store or process their information? Questions for the IT organization: • Is the information shared across multiple information systems? ‚ For example, a financial system may provide human resources and external business partners’ data • Is the information synchronized or replicated across multiple servers? • What is the backup strategy for the information? A clearer picture of the information’s location and associated risks can be obtained by posing these questions to business users and the IT organization. This information can then be used to implement appropriate security measures and safeguards, ensuring the organization’s critical data is protected and accessible when needed. Here is an example of the information you would collect based on this question:

Steps in the data classification process

Information Type Information Purpose Information Location Provide a clear, Provide the business descriptive title for description for the information. the information. The information owner would typically provide this description.

Information Owner

Provide the specific location Provide the name where the information resides of the individual in on the information system. management who is ultimately responsible for this information. This person is not typically a person in IT.

Examples Design specifications

Specifications for the new transgalactic star destroyer

Application name: Windows Suzie Sunshine File Share IP address: 10.53.11.6 Server name: SenFS Server UNC path: \\SenFS\ Designs\Destroyer

Product pricing information

The cost to develop the Application name: Product John Doe medium-sized space Pricing Application laser versus the actual IP address: 10.53.11.1 selling price. Server name: ProdP Application URL: https:// prodp.org.local/ product_pricing Table 4.2

Organizing information into categories After identifying your organization’s information assets and locations within your information system, the next crucial step is further categorizing the information. The primary objective of categorizing information is to enable business and IT organizations to better understand the sensitivity and importance of the data in question. By assigning information to specific categories, stakeholders can assess the potential risks and impacts associated with each data type, allowing for the implementation of appropriate security measures. Categorization also promotes more efficiently allocating resources within the organization. Organizations can prioritize security efforts and investments to protect the most critical information assets by understanding the varying levels of sensitivity and importance across different data types. Classifying

93

94

Information Security Risk Management

information helps ensure compliance with industry-specific regulations and standards. Many industries are subject to strict data protection requirements, necessitating specific security controls for certain data types. Organizations can more easily ensure they align with these regulatory obligations by categorizing information.

Examples of information type categories Here are some examples of information categories and their respective security considerations based on the confidentiality, integrity, and availability (CIA) triad: • Publicly available information includes information on a company’s website or social media platforms. Here are the CIA triad considerations for publicly available information: ‚ Confidentiality: Generally low, as the information is intended for public access without authentication. ‚ Integrity: Moderate to high, depending on organizational policies, since it is essential to prevent unauthorized modifications to the publicly available content. ‚ Availability: Dependent on organizational policy. For example, an e-commerce site would require high availability, whereas a blog might be designated low or moderate based on its criticality to the organization. • Credit card information: This category encompasses information related to credit cards, whether it’s printed, stored within the card, or processed and transmitted as part of an electronic transaction. Here are the CIA triad considerations for credit card information: ‚ Confidentiality: This is typically high, given the sensitive nature of credit card data and the need to protect it from unauthorized access or misuse. Organizations must comply with industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS), to ensure the secure handling and storage of credit card information. ‚ Integrity: High, as it is essential to maintain the accuracy and consistency of credit card data to ensure smooth transaction processing and prevent fraudulent activities. ‚ Availability: Moderate to high, depending on organizational policies and the importance of processing credit card transactions for operations. • Trade secrets: The Uniform Trade Secret Act describes a trade secret as information encompassing a formula, pattern, compilation, program, device, method, technique, or process. This information holds independent economic value due to its unknown or difficult-to-discover nature and is protected through reasonable efforts to keep it confidential. Here are the CIA triad considerations for trade secrets: ‚ Confidentiality: Typically high due to the critical nature of the data and the need to protect it from unauthorized disclosure

Steps in the data classification process

‚ Integrity: High, as preserving the accuracy and reliability of trade secrets is crucial for maintaining their value and competitive advantage ‚ Availability: Moderate to high, depending on organizational policies and the importance of the trade secret to ongoing business operations Creating information categories aims to strike a balance between specificity and simplicity. Establishing too many categories can complicate managing your information security architecture. Instead, the aim should be to create broader categories encompassing multiple types of data requiring similar levels of protection. For instance, consider the information category of publicly available information mentioned earlier. In this example, the organization’s public website and the data posted on social media can both be placed into this category. Creating separate categories for the public website and social media would be counterproductive. Using a single category, such as publicly available information, we can potentially consolidate hundreds of information assets requiring similar security measures. The following figure highlights how data can be consolidated into common information categories:

Figure 4.7 – Example information category consolidation

95

96

Information Security Risk Management

While broader categories can simplify information security management, it’s essential to acknowledge that some IT systems may have unique requirements within each category. Continuing with the example of publicly available information, as we translate this category into architecture, we will define the rules governing how the publicly available data network segment communicates with network segments at higher security levels and the untrusted internet. This publicly available network segment will provide the foundation for network security for the data and IT systems contained within it. However, each IT system will still have its requirements related to allowable ports and protocols, application interconnections, and so on. In the example provided, the information categories of publicly accessible data and internal company data are expressed in real-world IT implementations. Equipment has been deployed, and configurations have been established to protect information based on a thorough analysis of business requirements. This approach allows for more efficient and effective information security management while still addressing the unique needs of individual IT systems within the broader architecture. Remember that information systems should be built based on business requirements rather than the personal preferences of IT professionals. Engaging with business stakeholders and developing information systems that cater to their needs is a fundamental responsibility of IT professionals. The earlier example highlights specific application configurations that extend beyond the network segment configurations that are established through information categorization. These additional requirements ensure the application can effectively communicate with end users and backend processes. A crucial factor when deploying an application within a segmented network environment is to adhere to segmentation rules and avoid compromising them for convenience or inadequate planning. Remember that if organizational leaders have been consulted to establish these network segmentation rules, they exist to fulfill management’s requirements. When developing an application in a secure environment, including the environment’s information security requirements in the planning stage is essential. By doing so, you can adequately account for these requirements in the application design, creating a more secure and efficient information system tailored to your organization’s needs. An important point to revisit, as mentioned earlier in this discussion, is the inclusion of information security professionals during the initiation phase of the design process as part of your organization’s system design life cycle (SDLC). Involving security experts early on will help ensure that proper security requirements are integrated into the overall application functional requirements. This approach will minimize or eliminate the negative impact of convenience-driven and poorly planned decisions during the application design process. While designing your application, consider how it interconnects with various components and how users will access it. The principle of least privilege should be employed as part of the design process, aiming to ensure that the application components expose the minimum amount of functionality necessary to satisfy the business users’ requirements fully. By adhering to this approach, you can create a robust and secure application that meets your organization’s needs while adhering to established security standards. Involving information security professionals from the outset and following best practices, such as the principle of least privilege, will result in a

Steps in the data classification process

more secure and efficient application that meets the demands of your organization’s business and IT requirements. The following figure shows the architecture of a simple web application with publicly accessible and non-public components:

Figure 4.8 – Example of the public and non-public components of an information system

When designing an application, it is essential to consider different aspects of user access and the interconnections between application components. Some key questions to consider include the following: • How will users access the application? ‚ Is the application intended for internal use only? In this case, it may not require internet access. ‚ Does the application require remote access? If so, consider whether it can be accessed via a cloud-based application proxy for secure access.

97

98

Information Security Risk Management

• How will the application components be interconnected? ‚ Determine whether the application requires access to other applications to function correctly and if so, consider the information security requirements of those applications. ‚ Identify the minimum number of ports, protocols, and services needed for the application to function effectively. This information will help ensure that the application’s design adheres to the principle of least privilege, providing only the necessary access for its operation. The following example demonstrates consolidating the previously defined information assets into smaller segments. This process simplifies network segmentation deployment and facilitates the business’s development of data protection requirements:

Figure 4.9 – Information categorization

Steps in the data classification process

There is no strict limitation on the number of information assets that can be included in a particular information category, provided that the category can be effectively managed. The primary consideration is to ensure that the assets within a single category share a similar level of importance to the organization and require comparable protection measures. The preceding example shows that various data types are grouped within the same categories. The organization opted for a straightforward approach to creating these categories to manage its environment efficiently. As we progress from public to proprietary information, the organization’s concern for information protection increases, as does the IT department’s level of information security protection. This method of organizing information assets into distinct categories, based on their importance and required protection level, streamlines network segmentation, and enables the organization to develop targeted data protection strategies. By doing so, businesses can achieve a more effective and manageable environment, ultimately leading to enhanced security and a better understanding of their data’s value. Keep two key points in mind to ensure a practical and efficient approach: • Avoid having too many information categories: ‚ Excessive categories can result in confusion among organizational leaders and an increase in IT spending • Don’t force an unnecessarily small number of information categories: ‚ If more categories are needed, create them, but only when necessary ‚ Creating too few categories could increase IT spending as information systems might have needless security controls applied to them Maintaining a balanced approach to information categorization can establish an organized and efficient system that supports the organization’s goals and optimizes IT resource allocation.

Valuing information By assigning an appropriate value to the information assets within your organization, you can make informed decisions on the proper allocation of resources for their protection. Take into account any regulatory and compliance requirements associated with specific information assets. Be aware of potential consequences, such as fines or other penalties arising from non-compliance. Additionally, consider the potential impact on contracts with clients, partners, or suppliers. Non-compliance could lead to losing valuable business relationships or even legal ramifications. Also, contemplate the repercussions for your organization if data is compromised through loss, theft, or unauthorized modification. Reflect on the initial investment in developing the information or capability as this can help gauge the financial implications of a security breach. Assess the potential impact of increased competition if sensitive information falls into the hands of a competitor. By addressing these questions and incorporating the answers into a comprehensive assessment, your organization can more accurately assign value to its information assets.

99

100

Information Security Risk Management

Establishing impact An essential part of assessing information value is assigning a qualitative score representing the potential impact on the organization if the information is lost, stolen, or destroyed. This score helps inform the information security professional about the importance of a dataset to the organization. Using the potential impact definitions from NIST Special Publication 199 as a reference, we will apply the information that was gathered during the categorization process to assign an impact rating to the data. The potential impact levels are categorized as Low, Moderate, and High based on the three core security objectives – that is, confidentiality, integrity, and availability: • Confidentiality: This objective focuses on preserving authorized information access and disclosure restrictions, including measures for protecting personal privacy and proprietary information: ‚ Low impact: Unauthorized disclosure of the information would likely result in limited adverse effects on organizational operations, assets, or individuals ‚ Moderate impact: Unauthorized disclosure of the information would likely result in serious adverse effects on organizational operations, assets, or individuals ‚ High impact: Unauthorized disclosure of the information would likely result in severe or catastrophic adverse effects on organizational operations, assets, or individuals • Integrity: This objective aims to guard against improper information modification or destruction and ensures information’s non-repudiation and authenticity: ‚ Low impact: Unauthorized modification or destruction of information would likely result in limited adverse effects on organizational operations, assets, or individuals ‚ Moderate impact: Unauthorized modification or destruction of information would likely result in serious adverse effects on organizational operations, assets, or individuals ‚ High impact: Unauthorized modification or destruction of information would likely result in severe or catastrophic adverse effects on organizational operations, assets, or individuals • Availability: This objective ensures timely and reliable access to and use of information: ‚ Low impact: Disruption of access to or use of information or an information system would likely result in limited adverse effects on organizational operations, assets, or individuals. ‚ Moderate impact: Disruption of access to or use of information or an information system would likely result in serious adverse effects on organizational operations, assets, or individuals ‚ High impact: Disruption of access to or use of information or an information system would likely result in severe or catastrophic adverse effects on organizational operations, assets, or individuals.

Establishing impact

We will illustrate the application of impact levels to our data using the design specification information type from the previous example. In this case, a thorough analysis by business, IT, and security stakeholders has assigned impact levels to the CIA triad. The overall impact for the information type is determined by the highest watermark, which in this instance is High. This level will be used to establish the future security control baseline for the information type. The following table illustrates the concept of the high watermark related to this information: Information Type

Confidentiality Integrity

Availability High Watermark

Design specifications

High

Moderate

Moderate

High

Table 4.3

Choosing the right impact level is crucial for information protection and financial considerations. Systems may be inadequately protected if the impact value is set too low. On the other hand, selecting a higher impact level than necessary may lead to allocating more resources than required for the data being safeguarded. The following table provides sample data to illustrate the information that should be collected: Information Type

Information Purpose

Information Location

Provide a clear, descriptive title for the information.

Provide the business description for the information. The information owner would typically provide this description.

Provide the specific location where the information resides on the information system.

Example

Information Information Risk Owner if Disclosed

Information Impact Value if High Disclosed Watermark

Provide the name of the individual in management that is ultimately responsible for this information. This is not typically a person in IT.

Provide the estimated value the business assigns to the information.

Provide a brief description regarding the business risk of information disclosure.

Provide the high watermark value that was defined as part of establishing the information impact if lost.

101

102

Information Security Risk Management

Information Type

Information Purpose

Design Specifications specifications for the new transgalactic star destroyer

Information Location

Information Information Owner Risk if Disclosed

Information Impact Value if High Disclosed Watermark

Application name: Windows File Share

Suzie Sunshine

If this information is disclosed, potential competitors can build their own star destroyers

$100 billion

If this information is disclosed, competitors will understand our pricing strategy, allowing them to underprice our organization

$15 million

IP address: 10.53.11.6 Server name: SenFS

High

Server UNC path: \\ SenFS\ Designs\ Destroyer Product pricing information

The cost to develop the mediumsized space laser versus the actual selling price

Application John Doe name: Product Pricing Application IP address: 10.53.11.1 Server name: ProdP Application URL: https:// prodp. org. local/ product_ pricing

Moderate

Table 4.4

Undertaking an information valuation exercise enables an organization to understand its information’s value. This insight is crucial for garnering support for implementing appropriate security controls within the organization’s enterprise information systems.

Security control selection

When protecting an information asset valued at $5 billion, for example, it becomes easier to justify and defend the establishment of security controls that cost the organization $10 million. However, if the information asset is worth only $500,000, an expenditure of $10 million on security controls might be deemed excessive and unwarranted. By accurately assessing the value of information assets, organizations can strike the right balance between investing in security measures and ensuring their financial resources are efficiently allocated. This balanced approach to information security management helps maintain an effective defense against potential threats while avoiding unnecessary expenditures.

Security control selection Upon finishing the information categorization process, you have successfully identified your organization’s information assets, pinpointed their locations within the information system, organized them into separate protection categories, and assigned a monetary value to each. You can now implement security controls to safeguard your organization’s information. Before defining the security controls for your information systems, it’s essential to review your organization’s regulatory and compliance requirements to ensure the development of a compliant security framework. As you build your organization’s framework, consider the following: • Existing security frameworks: Many security frameworks have been developed to address specific compliance requirements. Using these frameworks as a guide will help ensure you’re on the right track. • Leverage expertise: Thousands of combined hours have been invested into creating these security frameworks. Instead of starting from scratch, benefit yourself and your organization by utilizing one or more of these well-established frameworks. • Recommended framework: Based on my experience, the NIST Framework is a reliable choice and will be used as the framework in this book. You can map the NIST Framework to any other specific compliance requirements based on your organization’s needs. Drawing from the analysis conducted during the information categorization phase, you can now develop a baseline set of controls for your information system. These controls will be tailored to the unique needs and characteristics of your organization’s information assets, ensuring robust protection and compliance. Based on your analysis as part of the information categorization step, you can now develop the baseline set of controls for your information system: 1. Determine the appropriate baseline set of controls using the high watermark value you obtained from the information categorization step. This analysis will help you identify the minimum level of security necessary for your information system.

103

104

Information Security Risk Management

2. Customize the selected controls to fit your specific environment and requirements: A. Common controls: Implementing a security control in your environment is not always necessary if another team, such as the network team, has already applied it. However, you must ensure that the common control is maintained and effectively securing your data. B. Scoping considerations: Assess whether specific controls apply to your information system. For example, if a control baseline requires wireless networking but your system does not utilize it, you can scope out this requirement as it would not be relevant. C. Compensating controls: In cases where implementing a security control as intended would render the information system unusable, opt for compensating controls. These provide alternative security measures that compensate for unimplemented controls while maintaining the desired functionality. D. Additional security controls: Your security control baseline may not cover all the necessary controls. You may need to address other compliance requirements, depending on your organization’s mission, or implement controls specific to your organization. Ensure that these additional security controls are integrated at this stage. 3. Develop a comprehensive security control package for your information system, which will serve as a guide to ensure that security controls do the following: ‚ Are incorporated as requirements during information system planning ‚ Are designed as part of the system’s architecture ‚ Are integrated throughout the system’s development process ‚ Are tested and verified during system acceptance ‚ Are monitored and maintained throughout the entire life cycle of the system

Security control implementation This stage builds upon the foundation laid by information categorization and security control selection and involves collaboration between business and IT users. Planning and communicating the implementation strategy with the project team responsible for deploying the new information system is crucial. This focus will help ensure that all necessary security controls are incorporated effectively. In the SDLC, developing the information system necessitates implementing security control within the project scope. Although information security professionals play a vital role in the execution of security controls, it is a collaborative team effort. Delegating security controls to the relevant IT team members guarantees that the right subject matter expert is engaged in the process.

Security control selection

To ensure that the proper security control is assigned to the appropriate experts, it is essential to categorize them according to relevant domains. This process enables easier management and coordination with IT teams. Here are some suggested categories for organizing security controls: • Physical and environmental: This category encompasses aspects such as electrical systems, data centers, physical access, and environmental controls • Documentation categories: These involve user rules of behavior, requirements documents, configuration management plans, design documents, and IT contingency plans • Roles: Key personnel in this category include the chief information officer, chief information security officer, ISSO, system administrator, application developer, network engineer, project manager, information security personnel, and application administrator • Technical controls: This category covers access controls, collaborative computing, wireless technology, encryption, account management, auditing, authentication, DMZ, disaster recovery, mobile devices, VoIP, servers, and workstations

Assessing implemented security controls The primary objective of assessing implemented security controls is to confirm that they have been adequately integrated into the information system and are functioning as intended. To effectively evaluate the information system’s security controls, consider the following questions: • Are the controls implemented as expected? Have the agreed-upon security control designs been incorporated into the production information system? • Are the controls operating appropriately? Do the security controls avoid negatively impacting the production system while providing the necessary security functionality? Implementing a formalized testing procedure for security controls within your organization is crucial. Security control implementation can be complex, with numerous requirements to be addressed. A structured plan is necessary to thoroughly test newly implemented security controls, ensuring essential details aren’t overlooked. Here are some critical activities that are involved in the security control assessment phase: 1. Develop a security control assessment plan: Create a detailed plan outlining the assessment process, including the following: ‚ The requirements to be tested ‚ The procedures to conduct the tests ‚ The tools used for testing

105

106

Information Security Risk Management

2. Execute the security control assessment plan: Implement the previously developed plan for the production information system. 3. Develop a security assessment report: Based on the findings from the security control assessment, document the following: ‚ Weaknesses: Identify specific security-related issues that negatively impact the overall security posture of the information system ‚ Recommendations: Provide guidance for subject matter experts to address and mitigate the identified issues 4. Remediate and reassess weaknesses: Act on the recommendations in the security assessment report to mitigate weaknesses. Reevaluate the information system after addressing each weakness to ensure the issue has been resolved effectively.

Authorizing information systems to operate After thoroughly testing your information system’s security controls, ensuring their effective implementation, and verifying that they are operating as intended, it is time to move forward with getting your system approved for production use. This phase in the process is known as system authorization. Its primary goal is to enable a designated senior leader within the organization to determine whether an information system should be authorized for production use or whether a current operating environment can continue to be utilized. An authorizing official has several options when deciding how to handle a system that requests permission to operate on a production network: • Authorizing the system to operate: In this scenario, the authorizing official grants approval for the system to enter production based on the provided evidence. The system might have one or more plans of action and milestones (POAMs) associated with it, as well as deficiencies requiring mitigation. POAMs don’t just identify weaknesses in IT systems. A POAM aims to set clear milestones for remedying a defect and establish definite funding for identified remediation activities. This information allows authorizing officials to make informed decisions about the remaining work on an IT system and the plan for completing it. • Denying authorization to operate and requiring remediation of deficiencies: In this situation, the authorizing official decides not to authorize the system immediately. The IT team is directed to address high-risk POAMs before proceeding. Once these POAMs have been resolved, the IT team can return to the authorizing official with a new request. An authorizing official may require all POAMs to be addressed or only a subset. As this decision is risk-based and depends on the specific authorizing official, the outcome may vary.

Security control selection

The steps for obtaining authorization are as follows: 1. Develop your plan of action and milestones based on the security assessment report: A. Exclude any remediated activities from the POAMs since you have already fixed any discovered weaknesses. B. Inform your approving official of any uncovered weaknesses and their subsequent mitigation. 2. Compile the security authorization package for your authorizing official to review: A. Collaborate with your authorizing official to determine what they would like to see in their authorization package and how they would like it presented. B. Remember that this process is highly dependent on the individual authorizing official. C. This document provides the authorizing official with a recommendation from an information security perspective regarding the risk to reputation, IT operations, and mission. D. At a minimum, you should expect to include the following items:  Failed tests from the security assessment report  Plan of action and milestones  Statement of residual risk  Authorization decision document

Monitoring information system security controls Once an executive leader with the appropriate authority has fully authorized the operation of a production information system, initiating the operations and maintenance process is essential to monitor the ongoing security functionality of the information system. This phase is significant for information security professionals and is often called continuous monitoring. The main objective of continuous monitoring is to guarantee that the security controls that were designed and tested during the information system’s development remain effective throughout its life cycle. In the past, information security professionals would ensure adequate protection as the system went into production. Subsequently, the system would be considered secure until it was time to review the security documentation again, either at a predetermined interval or as mandated by compliance requirements. However, an information system’s security can quickly erode without careful monitoring. Factors that undermine information system security include the following: • The need for patching: New vulnerabilities are constantly discovered and must be addressed • System changes: Introducing a new server service, web application, or office automation tool could expose the organization to new weaknesses and risks

107

108

Information Security Risk Management

• Technological advancements: Today’s best practices may not be effective tomorrow • Path of least resistance: To meet customer expectations, system operators may take shortcuts in information security Establishing a program that provides comprehensive visibility from a security perspective is essential to ensure the continued security of your organization’s information systems. Here are some mechanisms you should consider for the continuous monitoring of information systems: • Configuration management: A configuration management tool is essential in modern enterprises to manage the myriad of settings available in an information system: ‚ These tools enable the operations team to monitor changes to information system settings effectively ‚ These tools should also facilitate the application and reapplication of appropriate security control baselines, as needed • Process: Implement a robust change management system that allows stakeholders to discuss information system changes and assess potential risks to the system and the organization. • Vulnerability management tools: These tools can detect configuration changes from security baselines and identify new vulnerabilities that may arise due to newly discovered technological flaws. • Patch management tools: These tools ensure that new patches required by the information system are available and automatically installed: ‚ Some patches may not install correctly, requiring manual intervention. ‚ Not all information systems are supported by patch management systems. In such cases, monitor your vendor’s software distribution news and manually download and install security patches as needed. • Asset management tools: These tools ensure that new devices added to the network or information system are documented in a comprehensive asset inventory. • Periodic audits: For items that cannot be easily tested through automation, develop procedures to ensure those controls are tested periodically. In the following section, we will explore the world of risk assessment, which encompasses both qualitative and quantitative approaches, allowing us to effectively evaluate and manage the risks associated with these controls.

Calculating risk – a comprehensive look at qualitative and quantitative risk assessments Effective information security risk management requires a thorough understanding of an organization’s potential threats. To address this need, security professionals rely on risk assessments, which can be

Identifying threats and choosing the right approach

broadly classified into two main categories: qualitative and quantitative. We will delve deeper into these methodologies’ characteristics, advantages, and disadvantages while also providing insights into identifying threats and selecting the most suitable approach for your organization.

Qualitative risk analysis – subjective evaluation of threats Qualitative risk assessments rely on subjective evaluations, where experts estimate the likelihood of a risk occurring and its potential impact on the organization. This method does not involve any mathematical calculations or specific numerical values. Instead, it allows security professionals to rank risks on a subjective scale, typically categorized as High, Medium, or Low. While qualitative assessments may lack the precision and objectivity offered by quantitative assessments, they provide several advantages. They are generally less expensive, can be completed more quickly, and provide decision-makers with actionable information to guide their risk mitigation strategies. Moreover, qualitative assessments facilitate stakeholder collaboration and discussion, enabling a more comprehensive understanding of the organization’s risk landscape.

Quantitative risk analysis – objective measurements and calculations Quantitative risk assessments, on the other hand, involve using numerical data and calculations to measure and compare risks objectively. This method assigns specific values to risks, allowing organizations to quantify their potential impact and prioritize mitigation efforts accordingly. Some common techniques that are used in quantitative risk analysis include statistical modeling, simulations, and decision tree analysis. Quantitative assessments offer the advantage of precision as they rely on objective data rather than subjective opinions. However, they can be more time-consuming, costly, and complex. Additionally, quantitative assessments may not be suitable for all types of risks as some threats may be difficult to quantify accurately.

Identifying threats and choosing the right approach When conducting a risk assessment, the first step is identifying potential threats your organization may encounter. This list should include the following: • Threat: A threat refers to any situation or event that has the potential to cause harm to your organization’s operations, resources, reputation, personnel, other organizations, or even national security through an information system • Threat source: The intent and method aimed at intentionally exploiting a vulnerability or a situation that may accidentally lead to vulnerability exploitation • Description: A brief narrative that defines the threat and threat source pairing, ensuring consistent application of this information throughout the risk management process

109

110

Information Security Risk Management

The choice between qualitative and quantitative risk assessments depends on the organization’s needs and the evaluated risks. Organizations may choose to use a combination of both qualitative and quantitative risk assessment methods. This hybrid approach enables them to take advantage of the unique strengths of each method while addressing their drawbacks. Ultimately, a well-executed risk assessment, whether qualitative or quantitative, enables organizations to proactively address potential threats and make informed decisions about their information security strategies. By understanding the nuances of these methodologies, organizations can select the most appropriate approach to safeguard their valuable assets and ensure the security of their information systems. The following table presents a sample of identified threats that can serve as a basis for further analysis: Threat

Threat Source

Threat Description

Storage failure

Structural (IT equipment)

Storage critical to your organization’s operations ceases to function, disrupting your organization’s operations

Internet outage

Structural (IT equipment)

An internet outage disrupts communication between customers, business partners, and critical applications

Human

A trusted user within your organization uses their knowledge to circumvent technical security controls and organizational policy to harm the organization

Insider threat Human privileged user

Like the preceding example, but in this case, the user has elevated privileges on the information system, allowing them to impact the organization significantly

External hacking Human

An external user or organization targets your organization to exfiltrate sensitive information or to cause a disruption in your organization’s operations

Flood

Natural disaster

A flood event occurs that disrupts your organization’s operations

Fire

Natural disaster

A fire event occurs that disrupts your organization’s operations

Hurricane

Natural disaster

A hurricane event occurs that disrupts your organization’s operations

Insider threat

Table 4.5

After identifying potential threats, a more in-depth analysis is needed to determine whether an active threat source could target your organization. An effective way to do this is by evaluating each threat against specific criteria. A legitimate threat source can be characterized by the following: • A source that intentionally targets your organization to exploit a vulnerability • A situation where a vulnerability may be accidentally exploited in the system

Identifying threats and choosing the right approach

With these criteria in mind, you can now scrutinize your list of threats and assess whether any fulfill these conditions. For instance, in our example, we will exclude floods and hurricanes as threats to our organization, given that our geographic location renders them irrelevant. However, we will retain the remaining threats on our list as we have determined that they could be targeted intentionally or accidentally exploited. By carefully examining each threat and evaluating its potential impact on your organization, you can ensure that your risk assessment is comprehensive and well informed. This focus, in turn, will enable you to prioritize mitigation efforts and effectively address the most pressing threats to your information security.

Identifying your organization’s vulnerabilities A key component of the risk assessment process is identifying vulnerabilities within your information systems. As part of this review, it is essential to examine various information sources, deploy different testing methods, and engage stakeholders from multiple organizational departments. A comprehensive approach will help you uncover potential weaknesses in your systems, ensuring that your organization is well equipped to counter threats and maintain robust information security.

Example information sources and testing methods The following are some examples of information sources and testing methods: • Business team: Collaborate with business users to understand their daily activities, workflows, and procedures. This analysis will provide insights into how they use information systems and may reveal vulnerabilities that must be addressed. Consider conducting interviews, workshops, and surveys to gather diverse perspectives from departments and organizational roles: ‚ Are business users accessing critical systems remotely without adequate security measures, such as a VPN or MFA? ‚ Evaluate the security awareness of employees and identify areas where additional training or communication may be required • IT team: Work closely with your IT team to better understand the organization’s operations, system configurations, and infrastructure. This collaboration will help you identify potential vulnerabilities within your technology stack and allow you to address them proactively: ‚ Evaluate the security measures and assess whether these security controls are sufficient and aligned with your organizational policies ‚ Review system configurations, patch management processes, and software updates to ensure potential vulnerabilities are addressed on time ‚ Assess whether changes to production systems undergo a thorough review by a change control board and ensure that all stakeholders, including security personnel, approve these modifications

111

112

Information Security Risk Management

• Technical tools: Leverage various technical security tools to discover and validate vulnerabilities across your network, applications, and infrastructure. Employ a combination of automated scanning and manual testing methods to ensure a comprehensive assessment: ‚ Network vulnerability scanning: Identify weaknesses within your network infrastructure, including outdated software and misconfigurations ‚ Web application vulnerability scanning: Uncover vulnerabilities within your web applications, such as injection attacks and cross-site scripting ‚ Source code vulnerability scanner: Analyze the source code of your applications for potential security flaws, including insecure coding practices and hidden vulnerabilities ‚ Configuration reviews: Assess the security settings of your devices, applications, and systems to ensure they align with industry best practices and organizational policies • Third-party auditing and testing: Utilize the expertise of third-party auditors and testers to detect vulnerabilities within your information systems and validate the effectiveness of your security measures. Outsourcing certain assessment tasks can provide an unbiased perspective and access to specialized knowledge: ‚ Compliance auditing and testing: Engage a third party to examine your information system for compliance with industry-specific regulations and organizational standards. ‚ Risk assessment: Work with external experts to assess potential risks to your organization. ‚ Vulnerability assessment: Request a third party to evaluate your organization for vulnerabilities and provide recommendations for addressing them. ‚ Penetration test: A more intensive evaluation than a vulnerability assessment, penetration testing involves simulating real-world attacks to determine whether specific devices and systems can be exploited. The following table provides an example list of information system vulnerabilities and reference information to aid in vulnerability mitigation: Vulnerabilities Discovered Point of Contact The utilized storage mechanisms are not redundant

Storage team

A single provider for internet Network team access is utilized

Method of Discovery • Interviewed team members and observed the configuration • Artifact exists in the form of a configuration screenshot • Interviewed team members and observed the configuration • Artifact exists in the form of a configuration screenshot and services contract

Identifying threats and choosing the right approach

Vulnerabilities Discovered Point of Contact

Method of Discovery

No mechanism exists to Systems team monitor user behavior on the information system

• Interviewed team members and observed the configuration

No mechanism for privileged access management exists

Systems team

• Interviewed team members and observed the configuration

Development and test servers have been placed on the internet and forgotten

Development team

• Documented that there is no mechanism in place to conduct user behavior analytics

• Documented that there is no mechanism in place to enforce privileged access management External penetration team

A wet pipe sprinkler in the Facilities team data center

• Interviewed team members and observed the configuration • An artifact exists in the form of a penetration test report and concurrence by the development team • Interviewed team members • An artifact exists in the form of design information obtained from the facilities team

Table 4.6

Pairing threats with vulnerabilities After identifying your information security vulnerabilities, pairing them with the previously defined threats is the next critical step. This process enables you to determine your organization’s specific risks, helping you prioritize and address them accordingly. It is important to note that a threat without a vulnerability does not pose a risk to the organization. The same holds for a vulnerability without a corresponding threat. The risk potential emerges only when a valid pairing of threats and vulnerabilities exists. By establishing these pairings, you can better understand and address the vulnerabilities most susceptible to your organization’s threats. In the following table, we have paired the previously identified threats and vulnerabilities, allowing us to better understand and address our organization’s specific risks. By following a structured process for combining threats and vulnerabilities, you can effectively identify the risks that must be addressed and prioritize your organization’s risk mitigation efforts:

113

114

Information Security Risk Management

Vulnerability

Threat

Threat Source

The storage mechanisms that have been utilized are Storage failure not redundant

Structural (IT equipment)

A single provider for internet access is utilized

Structural (IT equipment)

Internet outage

No mechanism exists to monitor user behavior on the Insider threat information system

Human

No mechanism for privileged access management exists

Human

Insider threat privileged user

Development and test servers have been placed on the internet External hacking and forgotten

Human

A wet pipe sprinkler in the data center

Natural disaster

Fire Table 4.7

Estimating likelihood Once you have identified valid threat and vulnerability pairings, the next step is to estimate the likelihood that a threat source will exploit a given vulnerability. This estimation process is needed to effectively prioritize your organization’s risk mitigation efforts and allocate resources. Organizations can gather and analyze relevant data, such as historical incident reports, industry threat intelligence, and insights from security experts, to estimate likelihood. As your information security program evolves, estimating likelihood should become standardized and repeatable. While there may be different categories to choose from, it is recommended to stick to three categories (Low, Medium, and High) for simplicity and ease of decision-making. Be cautious when considering more than three categories as it can lead to disagreements over minor details, distracting from the primary objective of addressing security risks. However, the number of categories ultimately depends on your organizational culture and policies. A three-category likelihood scenario can be defined as follows: • High likelihood: The threat source is highly capable and motivated, and the security controls in place are ineffective. In this case, the vulnerability is more likely to be exploited, and immediate action should be taken to address the potential risk. Consider conducting a thorough review of the security controls in place and implementing additional safeguards or enhancements to mitigate the risk. • Medium likelihood: The threat source is capable and motivated, but the security controls in place may impede the successful exploitation of the vulnerability. Here, the risk is moderate, and attention should be given to improving security measures as needed. Managing this risk area may involve adjusting existing security controls, conducting regular audits and reviews, or investing in staff training to enhance security awareness.

Identifying threats and choosing the right approach

• Low likelihood: The threat source is not capable or motivated, and there are adequate security controls in place that impede the successful exploitation of the vulnerability. The risk is relatively low in this scenario, and maintaining current security measures should be sufficient. Continuously monitor and review the effectiveness of the security controls to ensure that the low likelihood remains accurate over time.

Estimating impact Assessing the potential impact of a security incident on an organization is necessary for understanding the disruption the organization might experience due to unauthorized modification, theft, destruction, or loss of information. These disruptions can affect the organization or be targeted at specific business units. Carefully assessing the business impact is essential as rushing through this process may lead to overlooking significant consequences. For instance, an incident affecting the entire organization might have a more negligible impact than one within a specific business unit due to the critical data or processes housed within the business unit. For example, an organization might reasonably tolerate the loss of availability of the corporate network due to contingency plans in place, even though it affects the entire organization. However, losing a single file in a business unit containing highly valuable IP could cause the organization to lose business, potentially leading to its eventual closure. Similar to estimating likelihood, defining how you will measure impact is important. A recommended approach is to use three categories (Low, Medium, and High): • High impact: The event is expected to have multiple severe or catastrophic adverse effects on organizational operations or assets. The effects may include significant financial losses, harm to individuals, damage to critical infrastructure, or loss of competitive advantage. • Medium impact: The event is expected to seriously affect organizational operations or assets. Consequences in this category might involve moderate financial losses, temporary disruptions in operations, or reputational damage. • Low impact: The event is expected to have a limited adverse effect on organizational operations or assets. This level of impact might include minor financial losses, short-term disruptions, or negligible harm to the organization’s reputation. Potential organizational impacts to consider when estimating impact include the following: • Financial loss: Calculate the potential monetary losses, including costs associated with incident response, recovery, and potential fines or legal fees • Harm to individuals: Consider the potential harm to employees, customers, or other stakeholders, including physical injury, identity theft, or loss of privacy

115

116

Information Security Risk Management

• Damage to organizational assets: Evaluate the potential damage to physical or digital assets, such as facilities, equipment, or data • Loss of operating capability: Assess the potential impact on the organization’s ability to continue normal operations, including disruptions to critical business processes or services

Conducting the risk assessment After developing the lists of threats and vulnerabilities and establishing the rules for measuring likelihood and impact, it’s time to analyze risk using a systematic approach. A risk assessment matrix is an effective tool that incorporates the likelihood and impact rules defined previously, enabling organizations to identify and prioritize risks that need to be addressed: Impact Low

Medium

High

Low risk

Low risk

Medium risk

Medium

Low risk

Medium risk

High risk

High

Medium risk

High risk

High risk

Probability Low

Table 4.8

Now, we will take the previously developed threat and vulnerability pairs table and include the preceding table’s likelihood, impact, and risk ratings: Vulnerability

Threat

The storage mechanisms that are utilized are Storage failure not redundant

Threat Source Structural (IT equipment)

A single provider for Structural Internet outage internet access is utilized (IT equipment) No mechanism exists to monitor user behavior on Insider threat the information system No mechanism for privileged access management exists

Human

Insider threat Human privileged user

Likelihood Impact

Risk Rating

Low

High

Medium

Medium

Medium

Medium

Low

Medium

Low

Low

High

Medium

Identifying threats and choosing the right approach

Vulnerability

Threat

Development and test servers have been placed on the internet and forgotten

External hacking

A wet pipe sprinkler in Fire the data center

Threat Source

Likelihood Impact

Risk Rating

High

High

High

Low

Medium

Low

Human

Natural disaster Table 4.9

Having finished creating the risk assessment table, it is evident that certain priorities have emerged, providing us with a distinct hierarchy to focus on when addressing potential risks. This clarity allows us to manage and mitigate these risks effectively, ensuring the security of our systems and data: • High risk: ‚ Development and test servers have been placed on the internet and forgotten: This poses a significant risk as these servers may contain sensitive data, making them vulnerable to cyberattacks • Medium risk: ‚ No mechanism for privileged access management exists: The absence of privileged access management increases the risk of privileged credentials being used in a way that can harm the information system ‚ A single provider for internet access is utilized: Relying on a single internet service provider (ISP) could lead to service interruptions and downtime ‚ The storage mechanisms that are utilized are not redundant: The lack of redundant storage can lead to data loss in the event of hardware failure or other issues • Low risk: ‚ No mechanism exists to monitor user behavior on the information system: Implementing a user behavior monitoring solution can help with detecting unusual patterns or activities, potentially preventing data breaches or unauthorized access ‚ A wet pipe sprinkler in the data center: Using a wet pipe sprinkler system in the data center can result in accidental water damage to sensitive equipment Let’s now delve into various management approaches to mitigate and address risks in an organization.

117

118

Information Security Risk Management

Exploring management approaches to risk When addressing risk in an organization, there is no one-size-fits-all solution. However, an organization can choose four approaches when responding to a newly discovered risk. Understanding these approaches can help organizations make informed decisions about addressing potential risks. An organization can choose to do the following: • Mitigate risk: Mitigation involves addressing the root cause of a vulnerability or implementing a compensating security control if the specific issue cannot be resolved. This approach aims to reduce the likelihood or impact of a risk. Example: Effective patch management is a crucial aspect of any well-functioning IT organization. If a missing patch creates a vulnerability, the system should be patched to mitigate the risk. However, specific IT devices (for example, point-of-sale systems and healthcare devices) may require operating on the enterprise network without regular patching due to vendor limitations or compliance requirements. These devices must be tightly controlled through network segmentation and monitored by the organization’s security operations center. These mitigating controls can enable the continued operation of vulnerable devices without posing an excessive risk. • Transfer risk: Transferring risk involves purchasing insurance to reduce the financial burden of a vulnerability being exploited by a threat source. There are some critical points to consider related to information security insurance: ‚ Organizations must demonstrate due diligence and care regarding their information security responsibilities to obtain insurance. This concept means implementing foundational security controls before seeking coverage. ‚ Standard business information security policies are increasingly excluding information security incidents. Organizations should verify their coverage with their provider to ensure they are adequately protected. • Accept risk: Accepting risk is appropriate when the cost of addressing a specific vulnerability exceeds the value of the asset being protected. In such cases, executive leadership must decide to accept the risk and forgo closing the vulnerability. Note The concept of risk ownership is crucial when accepting risk. Decision-making should reside with executive leadership and not with the IT implementors. The IT organization should develop and present the most cost-effective plan to management, but the ultimate decision to accept the risk is management’s prerogative.

Exploring management approaches to risk

• Avoid risk: By avoiding risk, the organization chooses not to engage in the behavior causing the risk. For example, an organization may disconnect a vulnerable server from the internet until it can be patched. Note Although risk avoidance is an option, it is not commonly exercised. It can be challenging for management to remove essential business systems from the network. When avoidance is used, it may be more applicable to less critical functions or as a temporary measure until more sustainable solutions can be implemented.

Quantitative analysis Quantitative analysis focuses on objective data that can be measured instead of qualitative assessment based on the opinions of individuals conducting the assessment. Quantitative assessment involves mathematical calculations to express risk in terms of financial loss, which can be valuable when seeking acceptance and financial support from business leaders for information security initiatives. This data-driven approach can facilitate more informed decision-making and communication with executive leadership, as it presents risks regarding measurable monetary values. Quantitative risk management employs methodologies, such as the Factor Analysis of Information Risk (FAIR) model, emphasizing structured and data-driven analyses. By focusing on quantifiable data and using specialized methodologies, quantitative risk management enables organizations to make more accurate predictions and informed decisions, distinguishing itself from the more subjective nature of qualitative risk management. The quantitative approach offers several advantages: • Providing a precise risk score based on mission-specific information derived from an organization’s business units enables a more accurate and comprehensive understanding of risk • Facilitating communication and decision-making with executive leadership by expressing risk in monetary terms allows them to assess the cost per year for a given risk and determine whether a specific security control is worth the investment

119

120

Information Security Risk Management

To conduct a quantitative risk assessment, you must understand and gather information from the organization related to the following key concepts: • Single loss expectancy (SLE): The amount of money the organization will lose if a specific incident occurs once. SLE is calculated by considering the following aspects: ‚ Asset value: As a component of SLE, asset value represents the worth of an asset to an organization. This value can encompass the financial value, IP, or significance of the asset in the organization’s daily operations. ‚ Exposure factor: A second component of SLE, the exposure factor indicates the proportion of the asset value that could be lost due to a particular threat. • Annual rate of occurrence (ARO): The estimated number of times a specific incident is expected to occur within the organization over a year. This metric can be derived from historical data, industry averages, or expert opinions. • Annual loss expectancy (ALE): Once the SLE and ARO have been calculated, the ALE is the amount of money that the organization would expect to lose over a single year due to a specific risk. ALE is calculated by multiplying the SLE by the ARO. Note ALE is the quantified risk value that complements the qualitative assessment, providing a more robust understanding of the organization’s risk exposure.

Qualitative risk assessment example Here’s an example to get you started: 1. Start by identifying the threat, vulnerability, and risk: ‚ Threat: Loss of customer information ‚ Vulnerability: Web application vulnerabilities ‚ Risk: Loss of information 2. Calculate the asset value (AV): ‚ AV = $200,000.00. ‚ Collaborate with various business units when determining asset value. Data loss may have different implications for IT users, business users, and information security personnel.

Exploring management approaches to risk

3. Estimate the exposure factor (EF): ‚ EF = 1.0 ‚ 100% = 1.0 ‚ In this scenario, the organization has determined that losing this information is missioncritical, resulting in a total loss and an exposure factor of 100% 4. Compute the single loss expectancy (SLE): ‚ SLE = AV x EF ‚ $200,000 = $200,000 x 1.0 5. Determine the annual rate of occurrence (ARO): ‚ ARO = 0.5 ‚ 1/2 = 50% = 0.5 ‚ The estimated ARO represents an occurrence once every two years 6. Calculate the annual loss expectancy (ALE): ‚ ALE = SLE x ARO ‚ $100,000 = $200,000 x 0.5 ‚ The organization faces an annual risk of losing $100,000 if it loses customer information ‚ This calculation allows the organization to understand that they are still making a good investment if they spend less than the ALE to protect this information Here are some challenges with the quantitative approach: • Information may not be readily available to conduct the assessment: ‚ The organization might be too immature to comprehend the value of its data ‚ Business users may not have a clear understanding of their asset values • The quantitative approach tends to be slower A recommended approach is to combine both qualitative and quantitative risk assessment methods. Utilize the qualitative risk assessment approach to identify relevant risks within the organization quickly. Employ the quantitative risk assessment approach to investigate relevant risks further and develop a more robust justification for risk mitigation efforts. This combination can give organizations a comprehensive understanding of their risk landscape and enable them to make well-informed decisions on allocating resources for risk mitigation.

121

122

Information Security Risk Management

Summary This chapter examined information security risk management and introduced various tools and strategies to help identify and address potential organizational risks. We explored the fundamental principles of information security risk management and how they apply in a business setting. The impact of risk management across an organization was underscored, highlighting the importance of a unified and comprehensive strategy to manage and reduce risks effectively. A key component of risk management involves identifying and safeguarding valuable data. To assist with this, we provided a set of methods to locate this critical information within your organization. We also detailed the process of information categorization, which aids in achieving a better understanding of your organization’s most valuable assets. We wrapped up this chapter by providing an overview of how to perform information security risk management. This critical groundwork paves the way for our next chapter, where the focus will shift toward crafting an information security plan. Such a plan serves as the foundation of a successful information security program.

5 Developing Your Information and Data Security Plan This chapter discusses the core tenets required to shape an effective information security program plan. This foundational concept will outline your information security program’s capabilities to your organization and its interplay with broader business operations. You’ll gain insights into formulating objectives for your program, understanding the elements of a successful information security program, aligning it with your business or mission, crafting a detailed program plan, and establishing enforcement mechanisms. The following topics will be covered in this chapter: • Determining your information security program objectives • Foundational information security activities to consider • Successful information security program elements • Rightsizing your information security program • Principles to guarantee the success of your information security program • Information security program plan elements

Determining your information security program objectives To effectively implement an information security program within your organization, it is essential to first establish a clear set of objectives. A well-defined set of objectives will guide the development of your plan and help ensure its success in the long run. Merely stating that your goal is to secure your organization’s information assets is insufficient. You must thoroughly understand your organization’s culture, maturity level, and operational processes and use these insights to inform the creation of a tailored program.

124

Developing Your Information and Data Security Plan

As an example, if your organization is relatively immature in its approach to information security, characterized by ad hoc processes and a lack of structured processes, it may be counterproductive to introduce a program that demands strict adherence to rigorous policies and procedures from the outset. In such cases, it is crucial to align your security program with the current state of your organization, delivering services that address immediate needs while laying the groundwork for more sophisticated security measures as your organization evolves and matures. It is important to consider short-term and long-term objectives to develop a comprehensive and effective information security program. This understanding will enable you to create a roadmap that addresses immediate security concerns while preparing for future challenges and opportunities for improvement.

Foundational information security activities to consider Some of the activities to consider when developing an effective information security program are set out as follows: • Information security program charter: Developing a well-defined charter is the foundation for an effective information security program. This document specifies the program’s role within the organization and delineates its scope, purpose, and objectives. A charter is important for ensuring the success of the information security program, as it confers the necessary authority and legitimacy to drive change within the organization. Creating a comprehensive charter involves your organization’s executive team in the process. This collaborative approach fosters alignment between the information security program and the broader goals and objectives of the organization. Additionally, it helps secure the necessary support and commitment from top management, which is crucial for the program’s long-term viability. • Continual risk assessment and adaptation: Organizations must continually assess and update their risk assessment methodologies as the threat landscape evolves and new technologies emerge. This capability ensures that the information security program remains relevant, effective, and responsive to the organization’s changing needs and risk environment. • Asset discovery and management: A comprehensive understanding of your organization’s assets is crucial for effectively managing and protecting enterprise resources. This activity includes creating and maintaining an up-to-date inventory of your organization’s hardware, software, data, and other critical assets. • Secure configurations and best practices: Implementing industry-standard security practices across your organization’s information systems is essential for mitigating potential threats and vulnerabilities. This capability involves configuring tools, devices, and software following security best practices and ensuring that all systems adhere to secure configuration guidelines.

Foundational information security activities to consider

• Patch management and vulnerability remediation: Prioritizing the timely application of security patches and updates to all information systems is essential for addressing known vulnerabilities and reducing the risk of exploitation by threat actors. • Privilege restriction and access control: Limiting administrative privileges and implementing strict access controls are crucial for minimizing the potential damage caused by unauthorized access or insider threats. The principle of least privilege (PoLP) should be adopted across the organization, ensuring that users are granted the minimum access required to perform their job functions. • Foster a culture of security awareness: Developing a culture of security awareness that permeates all levels of your organization is crucial for the long-term success of your information security program. This offering involves providing employees with the necessary knowledge and tools to protect your organization’s information assets and fostering a sense of shared responsibility and commitment to information security. The following diagram illustrates the ongoing and iterative process of maintaining an organization’s cyber hygiene:

Figure 5.1 – Iterative approach to cyber hygiene

125

126

Developing Your Information and Data Security Plan

Successful information security program elements Establishing and maintaining a successful information security program is crucial for organizations to safeguard sensitive information. An effective information security program comprises several vital elements that work together to secure the organization’s critical assets. The elements are explained next: • Policy: A well-defined policy serves as the cornerstone of an information security program, outlining the rules and regulations that govern the program’s behavior. This policy should be aligned with the organization’s broader policies and objectives, ensuring consistency across all aspects of the business. • Information security services: These are the technical and operational capabilities provided to the organization as a service to bolster its security posture. Key services include the following: ‚ Vulnerability management service: Employ vulnerability scanners to proactively identify and address weaknesses in the organization’s systems and networks ‚ Malware detection services: Utilize anti-virus and anti-malware solutions to detect and neutralize malicious software that may compromise the integrity of sensitive data ‚ Log monitoring services: Implement security information and event management (SIEM) systems or log aggregation tools to collect, analyze, and correlate log data for timely threat detection and response ‚ Threat detection services: Leverage host and network intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) to identify and mitigate potential security threats • Security architecture: Collaborating with business and IT teams, the information security program ensures that new IT systems are designed and architected to adequately protect the information they contain and be commensurate with the information’s value. • Information security guidance: The information security program works closely with business and IT teams to foster a security-conscious culture within the organization, helping staff understand and implement security requirements effectively. Key guidance initiatives include the following: ‚ Information security awareness and training: Conduct targeted training sessions to educate information system users on the acceptable use of the system, potential risks, and best practices for safeguarding sensitive data ‚ Information security advisement: Implement activities and resources to ensure business and IT users understand and implement information security requirements correctly ‚ Information security categorization: Assist business and IT users in correctly categorizing information assets, helping prioritize protection efforts and allocate resources accordingly

Successful information security program elements

Organizations must implement a combination of security controls to protect their sensitive data and systems effectively. These controls can be broadly classified into three categories: operational controls, management controls, and technical controls. Each class plays a distinct role in maintaining a comprehensive and resilient security posture, addressing specific risk management and mitigation aspects. • Operational controls: Operational controls focus on an organization’s day-to-day activities and procedures that help maintain a secure environment. These controls ensure the proper functioning of security measures and consistent adherence to established policies. Key examples of operational controls include the following: ‚ Access control: Implement strict procedures for granting, modifying, and revoking access to sensitive information, applications, or systems, ensuring that only authorized personnel have access based on their job responsibilities ‚ Incident response (IR) plan: Develop and maintain a comprehensive plan for handling security incidents, outlining roles, responsibilities, communication channels, and procedures to ensure a timely and coordinated response ‚ Security awareness training: Provide regular training and awareness sessions to employees, teaching them about information security best practices, potential threats, and their roles in maintaining a secure environment ‚ Backup and recovery: Implement a robust backup strategy to ensure the availability and integrity of critical data, including regular data backups, off-site storage, and periodic testing of recovery procedures ‚ Vendor management: Establish and maintain a thorough vendor evaluation and monitoring process, ensuring that third-party providers adhere to the organization’s security requirements and industry best practices • Management controls: Management controls encompass the policies, processes, and oversight mechanisms that govern the organization’s overall information security strategy. These controls ensure that security measures align with the organization’s objectives, risk tolerance, and regulatory requirements. Examples of management controls include the following: ‚ Risk assessment: Periodically assess the organization’s information security risks, identifying potential threats, vulnerabilities, and the potential impact of security incidents ‚ Security policy development: Establish comprehensive security policies that define the organization’s approach to information security, including roles, responsibilities, and acceptable-use guidelines ‚ Compliance management: Ensure the organization’s information security program complies with relevant laws, regulations, and industry standards

127

128

Developing Your Information and Data Security Plan

‚ Performance measurement: Regularly evaluate the effectiveness of the organization’s security controls and practices, using metrics and key performance indicators (KPIs) to drive continuous improvement (CI) ‚ Resource allocation: Strategically allocate financial, human, and technological resources to support the organization’s information security initiatives and address identified risks • Technical controls: Technical controls involve deploying hardware, software, and other technological solutions to protect an organization’s digital assets from threats and vulnerabilities. These controls provide a direct, tangible layer of security, actively preventing unauthorized access, data breaches, and other cyberattacks. Important examples of technical controls include the following: ‚ Encryption: Employ encryption technologies to protect sensitive data, both in transit and at rest, ensuring that unauthorized parties cannot access or tamper with the information. ‚ IDSs/IPSs: Utilize IDSs/IPSs to monitor network traffic and system activities for signs of malicious activity, allowing for real-time detection and response to potential threats. ‚ Patch management: Regularly update software, operating systems, and firmware to address known security vulnerabilities, reducing the risk of exploitation by attackers. ‚ Firewalls: Implement firewalls and other network security devices to segregate and control traffic flow between network segments, preventing unauthorized access and potential attacks. ‚ Multi-factor authentication (MFA): Requires users to provide multiple forms of verification (for example, password, security token, or biometric ID) when accessing sensitive systems or data. An information security program should implement a sophisticated and comprehensive methodology, defense in depth (DiD), to safeguard sensitive information throughout the enterprise network. This multi-tiered approach is designed to provide optimal protection by utilizing various layers of defense mechanisms, which are achieved by integrating operational, management, and technical controls. These controls work in concert to build a robust and resilient security infrastructure. DiD is borrowed from military tactics that emphasize the importance of creating multiple layers of protection. This approach ensures that even if one security measure is compromised, others are in place to maintain the system’s overall integrity. An organization can address various threats and vulnerabilities effectively by incorporating multiple security controls and best practices. This concept is depicted in the following diagram, where multiple controls work together and complement each other to protect the organization:

Rightsizing your information security program

Figure 5.2 – DiD

To successfully implement a DiD approach, an organization identifies, assesses, and deploys a range of security measures tailored to meet the specific needs of each layer within the enterprise network. This approach seamlessly integrates operational, management, and technical controls, ensuring the organization’s security infrastructure remains robust and adaptive.

Rightsizing your information security program Rightsizing your information security program ensures it aligns seamlessly with your organization’s specific needs. As you devise strategies to expand and refine your security program, consider several essential data points that will guide you in establishing a business-focused and tailored approach to information security.

Compliance requirements Compliance requirements significantly influence the overall structure and implementation of an organization’s information security program. Various laws and frameworks impose different requirements, making it crucial to understand the relevant regulations to ensure your organization remains compliant and avoids severe fines or shutdowns. Here are some frameworks that impact organizations, their fundamental requirements, and affected entities. • The Sarbanes-Oxley Act (SOX) – 2002 ‚ Intended to protect the public and investors by ensuring the accuracy and reliability of financial disclosures ‚ Impacts on US public companies and public accounting firms

129

130

Developing Your Information and Data Security Plan

‚ Key requirements include auditor independence, public company accounting oversight, analyst conflicts of interest, enhanced financial disclosures, corporate fraud accountability, corporate responsibility, commission resources and authority, corporate tax returns, white-collar crime penalty enhancements, corporate and criminal fraud accountability, and studies and reports • Payment Card Industry Data Security Standard (PCI DSS) ‚ Established to enhance the security of customer payment card data, developed by the PCI Security Standards Council (PCI SSC) ‚ Impacts credit card companies, retailers, and any other entities handling payment card information ‚ Key requirements involve using and regularly updating anti-virus software, maintaining information security policies, developing secure systems and applications, not using vendor-supplied defaults for system passwords and security parameters, restricting physical access to cardholder data, protecting stored cardholder data, assigning unique IDs to individuals with computer access, regularly testing security systems and processes, tracking and monitoring all access to network resources and cardholder data, installing and maintaining firewall configurations to protect cardholder data, encrypting the transmission of cardholder data across open public networks, and restricting access to cardholder data based on a business need-to-know basis • The Gramm-Leach-Bliley Act (GLBA) – 1999 ‚ It aims to protect consumers’ personal financial information held by financial institutions ‚ Impacts security firms, insurance companies, banks, brokers, lenders, and other financial institutions ‚ Key requirements include the financial privacy rule, safeguards rule, and pretexting provision • Electronic Fund Transfer Act (EFTA) – 1978 ‚ Established to protect consumers using electronic fund transfers from errors and fraud ‚ Impacts merchants and financial institutions providing electronic fund transfer services or managing consumer accounts ‚ Key requirements involve defining access devices, acceptance of devices by consumers, responsibilities of financial institutions, rights and responsibilities of consumers, processes for error resolution, and electronic check transaction and preauthorized debit rules • Fair and Accurate Credit Transactions Act (FACTA) – 2003 ‚ Established to help consumers combat identity fraud ‚ Impacts financial institutions, credit reporting agencies, credit bureaus, and creditors

Rightsizing your information security program

‚ Key requirements include obtaining a free credit report once a month, establishing fraud alerts, payment card data truncation in financial files, victim access to financial fraud information, victim protection from collection agencies, implementing early warning fraud detection mechanisms, proper disposal of consumer report information, and consumer credit information disputing mechanisms • Federal Information Security Management Act (FISMA) – 2002 ‚ Requires federal agencies to develop an information security program and safeguard their information and information systems ‚ Impacts federal agencies ‚ Key requirements include developing policies and procedures, conducting periodic tests of information security controls, conducting periodic risk assessments, developing information security plans, conducting security awareness training, responding to information security incidents, and ensuring the continuity of operations of information systems • Health Insurance Portability and Accountability Act (HIPAA) – 1996 ‚ Requires organizations to adopt standards for securing patient health records and ensuring standardized IDs for providers ‚ Impacts health plans, healthcare providers, and organizations managing personal health information ‚ Key requirements include using the same code sets and IDs when doing business electronically, federal protections for personal health information under the control of a healthcare provider, specifying operational, management, and technical security controls required to safeguard personal health information, and standard IDs on medical transactions • European Union General Data Protection Regulation (EU GDPR) – 2018 ‚ Replaced the EU Data Protection Directive of 1995, aiming to protect EU citizens’ personal data and privacy rights ‚ Impacts European businesses or non-European businesses that offer goods or services to EU citizens or monitor their behavior ‚ Key requirements include obtaining explicit consent for processing personal data, providing clear and easily accessible information on data processing, implementing the right to be forgotten, ensuring data portability, implementing privacy by design, appointing a data protection officer, and complying with breach notification requirements within 72 hours of discovery

131

132

Developing Your Information and Data Security Plan

• California Consumer Privacy Act (CCPA) – 2018 and California Privacy Rights Act (CPRA) – 2020 ‚ The CCPA was established in 2018 as the cornerstone of privacy regulations for California residents, followed by the CPRA in 2020 to further strengthen consumer privacy rights ‚ These acts apply to businesses that operate in California and either have a gross revenue exceeding $25 million; buy, sell, or share personal information of 50,000 or more consumers, households, or devices; or derive 50% or more of their annual revenue from selling consumers’ personal information ‚ Key requirements include granting consumers the right to know what personal information is collected, used, shared, or sold, allowing consumers to opt out of the sale of their personal information, enabling consumers to request deletion of their personal information, implementing appropriate security measures to safeguard consumers’ personal data, and under the CPRA, providing consumers with the right to correct their personal data, limitations on data retention, and additional protections for sensitive personal information The complexity and diversity of requirements across the various legal frameworks cannot be overstated. These examples only scratch the surface of the numerous laws worldwide that address information data protection and the responsibilities they place on an organization. It is crucial to thoroughly analyze your organization’s compliance requirements, considering potential overlaps and interactions between multiple legal frameworks or industry sectors. For example, if your organization is a holding corporation, it may be involved in various businesses, such as manufacturing engines, running a hospital, and producing baked goods. Each sector has unique compliance requirements, meaning your enterprise information security program must be flexible and adaptable enough to manage these distinct obligations. By carefully examining your organization’s operations, industry sectors, and potential interactions with various legal frameworks, you can design a tailored security strategy that satisfies the unique demands of each applicable regulation. This approach ensures that your organization maintains a robust, compliant security posture and positions it to anticipate and adapt to the evolving regulatory environment and the ever-changing landscape of cybersecurity threats.

Is your organization centralized or decentralized? In a centralized management structure, policy and IT infrastructure are managed from a central location, typically under a chief information officer (CIO) who oversees a shared services environment that provides most of the IT services for the entire organization. This approach offers several advantages and can streamline the organization’s implementation and maintenance of information security services.

Rightsizing your information security program

The advantages of centralized management are outlined as follows: • Cost savings: By consolidating IT services and infrastructure, a centralized management approach can lead to cost savings through economies of scale and reduced duplication of resources. Organizations can optimize their IT budgets and allocate resources more effectively. • Consistency: A centralized approach promotes consistency in policies, procedures, and security measures throughout the organization. It ensures that all business units (BUs) adhere to the same standards, making monitoring compliance and enforcing security policies easier. • Simplified management: Centralized management simplifies decision-making and coordination, as there is a single point of authority for IT-related matters. This can lead to faster and more efficient decision-making and the implementation of security measures. • Easier monitoring and reporting: Centralized management allows for more straightforward monitoring and reporting of IT security performance and incidents. It helps organizations understand their security posture comprehensively and respond more effectively to potential threats. • Better resource allocation: With a centralized management structure, organizations can more efficiently allocate resources to address security needs and prioritize investments in security technologies and solutions. The following diagram illustrates a centralized approach to IT management:

Figure 5.3 – Centralized approach to IT management

133

134

Developing Your Information and Data Security Plan

The challenges of centralized management are set out as follows: • Limited flexibility: A centralized management approach may not provide the flexibility needed to address the unique security requirements of individual BUs or departments. This approach can lead to potential gaps in security coverage and create challenges in implementing security measures tailored to specific needs. • Potential for bureaucracy: Centralized management can sometimes result in bureaucratic delays and slower decision-making processes, hindering the organization’s ability to respond quickly to emerging threats or changing security requirements. • Resistance to change: Employees in individual BUs or departments may resist changes imposed by a centralized IT management structure, particularly if they perceive the changes as reducing their autonomy or control over their IT systems and processes. In a decentralized organization, organizational units (OUs) fully provide their own or most of their IT services with supplementation from an enterprise-shared service organization. The degree of decentralization depends on the organization’s history, culture, and evolution over time. This management approach can offer certain advantages regarding flexibility and autonomy but may also present challenges in implementing and maintaining consistent security measures across the organization. The advantages of decentralized management are set out as follows: • Flexibility: Decentralized management allows individual BUs or departments to tailor their IT systems and processes to their specific needs, offering greater flexibility. • Autonomy: With decentralized management, BUs or departments have greater independence and control over their IT systems and processes, which can foster a sense of ownership and accountability. • Responsiveness: Decentralized management can enable organizations to respond quickly to emerging threats or changing security requirements. Individual BUs or departments can make decisions and implement security measures without waiting for approval from a centralized authority. • Innovation: Decentralized management can promote innovation, as individual BUs or departments can explore and implement new security solutions and approaches tailored to their specific needs. The following diagram illustrates a decentralized approach to IT management:

Rightsizing your information security program

Figure 5.4 – Decentralized approach to IT management

The challenges of decentralized management are set out as follows: • Inconsistency: Decentralized management can result in inconsistencies in security policies, procedures, and measures across different BUs or departments. This approach can make it challenging to ensure compliance and enforce security policies throughout the organization. • Complexity: With decentralized management, coordination and decision-making processes can become more complex, potentially slowing the implementation of security measures and reducing the organization’s responsiveness to threats. • Difficulty in monitoring and reporting: Decentralized management can make it more challenging to monitor and report on IT security performance and incidents across the organization, as different BUs or departments may have varying reporting requirements and systems in place. • Increased costs: Decentralized management can lead to increased costs, as individual BUs or departments may need to invest in IT infrastructure, systems, and security measures. This approach can result in duplication of resources and reduced economies of scale.

135

136

Developing Your Information and Data Security Plan

Ultimately, whether an organization chooses a centralized or decentralized management approach will depend on its unique needs, objectives, and circumstances. By carefully considering the advantages and challenges of each approach and implementing the appropriate strategies and measures, organizations can successfully develop and maintain an effective information security program that aligns with their overall business objectives.

Business risk appetite Business risk appetite refers to the degree of risk a company is willing to accept to pursue its objectives. This concept is not confined to information security but extends to all business areas. As such, grasping your organization’s risk appetite is crucial for creating a well-balanced and effective risk management strategy. Two primary components need to be examined when assessing an organization’s risk appetite: • Risk tolerance: This relates to the amount of risk an organization is willing to accept during its operations. Risk tolerance is essential in determining the type and extent of security measures that must be implemented to manage potential risks. • Risk mitigation investment: This aspect revolves around the financial resources a company is willing to allocate to reduce and manage risks. The amount of money invested in risk mitigation measures is directly linked to the organization’s risk appetite. The organization’s risk appetite is established by the highest-ranking members of an organization, such as the chief executive officer (CEO), chief operating officer (COO), and other executive-level personnel who own and pay for risk reduction measures. It is essential to recognize that risk appetite is not a function to be determined solely within the IT department. Instead, it is a management concept that requires business leaders to articulate the level of risk they are willing to accept for the organization and subsequently determine the appropriate information security controls to be implemented. The following diagram illustrates the differing levels of business risk appetite:

Rightsizing your information security program

.

Figure 5.5 – Levels of business risk appetite

Organizational maturity The maturity of your organization plays an important role in determining the progress and success of planning and implementing an information security program. To evaluate your organization’s current maturity, you should consider the following aspects: • People: Examine your organization’s existing information security capabilities, including technical expertise and relationships with business users • Process: Assess whether your information security program is supported by senior leadership and whether organization-wide policies are in place • Technology: Evaluate the information security tools your organization has implemented, how they are managed, and whether continuous monitoring is active By asking yourself these questions and others like them, you can identify the current state of your organization’s maturity, which will help you establish a roadmap for your information security program.

137

138

Developing Your Information and Data Security Plan

In addition to evaluating your organization’s current maturity, defining your goals and determining the desired future state for your information security program is essential. Breaking your plan into manageable timeframes and tasks can help avoid overwhelming your organization and ensure a more systematic approach. The following sample goals demonstrate a potential roadmap for an information security program: • Short-term goals (first 90 days): ‚ Comprehensive information security training: In the initial stages of your information security program, prioritize training users in information security principles and best practices. This includes educating employees about potential threats, safe online behavior, and proper incident reporting procedures. ‚ Integrating information security into decision-making: Ensure that information security becomes integral to your organization’s decision-making process. Collaborate with senior leadership to establish a consistent approach to evaluating and addressing potential risks. ‚ Conducting an organizational risk assessment: Undertake a comprehensive assessment of your organization’s risk landscape to identify vulnerabilities, threats, and potential consequences. This evaluation should encompass various aspects of your business, including technology, processes, and human resources. • Goals (6 months): ‚ Development and acceptance of information security policies: Collaborate with key stakeholders to develop comprehensive policies tailored to your organization’s needs and risk appetite. These policies should cover critical aspects such as data protection, access control, and IR. ‚ Incorporating information security into the systems development life cycle (SDLC) and change management process: Ensure that information security is seamlessly integrated into your organization’s SDLC and change management processes. This will help identify potential vulnerabilities early in the development process, minimize security risks, and promote a proactive approach to information security. • Long-term goals (year 1): ‚ Full adoption of information security policies: Work to fully integrate your organization’s information security policies throughout the enterprise. Regularly review and update these policies to keep them relevant in the face of evolving threats and changing business needs. Continuously monitor compliance to ensure that your organization maintains a strong security posture.

Principles to guarantee the success of your information security program

‚ Establishing repeatable information security metrics reporting: Develop and implement a system for measuring and reporting critical information security metrics. Tracking performance indicators allows you to evaluate your security program’s effectiveness, identify improvement areas, and demonstrate progress to stakeholders. ‚ Developing operational security measures: Invest in developing operational security measures, such as implementing advanced security tools and establishing a security operations center (SOC). These measures will enable your organization to proactively detect and respond to threats, minimize potential damage, and maintain the integrity and availability of critical systems and data.

Principles to guarantee the success of your information security program The following are some guiding principles that you should use to help ensure that your information security program plan is well accepted by your organization.

Business alignment The success of your information security program relies heavily on its acceptance within your organization. Business alignment is a critical aspect of modern information security programs, as it seamlessly integrates security solutions with the organization’s objectives and processes. By ensuring that the program addresses the unique needs of your business, you can present relevant and easily understood solutions. Achieving this level of alignment requires consistent communication, collaboration with your business users, and a commitment to understanding their perspectives and concerns. Remember—you have one mouth and two ears, so prioritize listening over speaking to gain valuable insights. Consider implementing the following strategies: • Regular collaboration with business users: Engage with your business users consistently to discuss information security topics that directly impact them. By fostering open dialogue, you can identify potential issues and develop tailored solutions that address their unique needs. • Integrating information security into business decision-making: Embed information security principles into your organization’s decision-making processes. This will ensure that security considerations become second nature for your team and are consistently addressed during critical decision-making moments. • Educating business leaders on information security responsibilities: Provide training and resources to help business leaders understand their role in maintaining information security within the organization. They can make informed decisions supporting the security strategy by equipping them with the necessary knowledge.

139

140

Developing Your Information and Data Security Plan

Communication strategies Effective communication plays a crucial role in successfully implementing an information security program. It is vital to ensure that your users understand the program’s purpose and the rationale behind its various components. You can foster greater trust and cooperation within your organization by emphasizing transparency and clear communication. One of the essential communication concepts to consider is articulating the goals related to enterprise security initiatives and the information security program. This involves developing a clear vision, communicating it to the organization, and presenting a roadmap that illustrates its current state and expected trajectory. By offering this context, you help employees understand the importance of the information security program and the goals it aims to achieve. Creating committees or stakeholder groups can further enhance the success of your information security program. Establish a steering committee composed of senior leadership to demonstrate executive support and ensure that leadership has input in the program’s development and implementation. Additionally, form a user group with representatives from across the organization to ensure that the information security program and its components remain user-friendly and accessible. Develop targeted marketing and communication strategies to address the diverse needs of your organization. For senior leadership, create concise, easy-to-understand materials, and demonstrate the program’s alignment with the organization’s mission. For IT staff, provide technical details, the purpose and impact of changes, and how new changes will be measured and reported to management. For general users, explain the meaning and implications of changes without technical jargon, provide ongoing updates on the program’s status, and communicate any change dates and user responsibilities.

Information security program plan elements After gathering the necessary information to tailor and establish the vision for your information security program, it’s time to create your plan. The information security program plan serves as a management document that outlines critical decisions and planning details related to the execution of the program.

Developing an information security program strategy Creating a comprehensive and business-aligned information security program requires formulating a well-defined strategy. This strategy is essential in ensuring the program aligns with your organization’s objectives and addresses its security needs. By establishing clear and concise strategic goals, you can effectively guide your future program planning efforts and maintain a consistent focus on enhancing the overall security posture of your organization.

Information security program plan elements

Some strategic goals your organization may consider include the following: • Information security risk assessment: Conduct regular reviews of information security risks and implement appropriate responses to address these risks effectively • Information security governance: Set up a governance function to deliver assurance information to management, assisting them in making informed decisions concerning risk management • Information security operations: Implement proactive and reactive measures to respond to attempted security breaches or penetrations • Information security architecture: Support engineering and development teams in the secure design and implementation of information systems, ensuring that security measures are integrated from the outset • Information security awareness and training: Offer information security awareness and training programs to personnel, ensuring they are equipped to recognize and address potential security threats • Information security guidance: Protect information systems and data by providing IT security policies, procedures, and supporting guidance that facilitate a secure working environment

Establishing key initiatives Key initiatives are essential components of your information security program that break down your strategy into actionable tasks. These initiatives aim to enhance the overall security posture of your organization while ensuring alignment with its unique needs and objectives. To create a robust and effective information security program, consider the following example initiative that can be used as a template for your information security program: • Initiative: Security policy, standards, and guidelines framework. The primary objective of this initiative is to facilitate the protection of information systems and data by providing comprehensive IT security policies, procedures, and supporting guidance. This initiative is instrumental in establishing an organization-wide responsibility for information protection. • Description: Develop, approve, and implement information security policies, standards, and guidelines. To successfully implement this initiative, develop, approve, and implement information security policies, standards, and guidelines based on the chosen information security standards (for example, ISO/IEC 27001, NIST SP 800-53, and so on). These documents will form the foundation for your organization’s information security program and create a consistent approach to information protection.

141

142

Developing Your Information and Data Security Plan

• Key benefits: ‚ Information security policy based on business needs: Tailoring your organization’s information security policies to your specific business requirements ensures that the policies are relevant and practical. By aligning your information security program with your organization’s unique requirements, you can create a customized approach to information protection that addresses your organization’s culture and risks. ‚ Establishing an information security baseline: By implementing a security policy, standards, and guidelines framework, your organization will have a foundation for its information security program. This will serve as a baseline for the organization, ensuring that the requirements for protecting sensitive information are standardized and communicated. ‚ Repeatable implementation of information security controls: A well-defined framework allows for the consistent and repeatable implementation of information security controls across your organization. This ensures that every aspect of your business adheres to the same security best practices, thereby reducing potential vulnerabilities and risks.

Defining roles and responsibilities Establishing clear roles and responsibilities is crucial for a smooth planning process and effective execution of an information security program. By defining where specific functions sit within the organization to relevant personnel, you can ensure that information security responsibilities are implemented consistently. Some key roles and responsibilities to consider for your information security program plan include the following: • Executive management: These senior business managers own the IT security risk for the organization within their areas of responsibility. They ensure their teams support compliance with all information security policies and may be tasked with the following: ‚ Identifying and classifying data within their purview ‚ Allocating necessary resources to support information security initiatives ‚ Collaborating with the chief information security officer (CISO) and other key stakeholders to set strategic goals and objectives for the information security program • CISO: The CISO manages the information security program on a day-to-day basis and is responsible for tasks such as the following: ‚ Developing and disseminating information security policies ‚ Educating and training personnel on information security matters ‚ Communicating policy updates and ensuring compliance

Information security program plan elements

‚ Executing the risk management program and coordinating with various departments to identify, assess, and mitigate risks ‚ Translating policies into technical requirements, standards, and procedures ‚ Collaborating with data owners and system owners to determine the appropriate use of information resources ‚ Authorizing exceptions to policies, standards, or procedures and reporting them to the proper senior leaders ‚ Continuously monitoring the security landscape and updating the program to address emerging threats and vulnerabilities • Data owners: Data owners are managers who work with the information security program to classify data, assess risks, and develop appropriate procedures to implement information security policies. Their tasks include the following: ‚ Appropriately identifying and classifying data in their respective areas of responsibility ‚ Establishing and implementing security requirements for the data in consultation with the information security program ‚ Where possible, clearly labeling sensitive data and confidential data ‚ Approving appropriate access to data and regularly reviewing access rights ‚ Ensuring that proper sanitization and disposal procedures are followed ‚ Collaborating with IT custodians and system owners to ensure secure handling, storage, and data processing • System owners: System owners are managers responsible for determining computing needs, hardware, and software. They ensure the functionality and security of each system under their purview. Their tasks include the following: ‚ Classifying systems based on the identification and classification of data by the applicable data owner ‚ Implementing security requirements for each system in consultation with the information security program ‚ Implementing audit mechanisms, log review schedules, and log retention periods ‚ Maintaining an inventory of systems and monitoring for unauthorized access or changes ‚ Approving appropriate access to systems and regularly reviewing access rights

143

144

Developing Your Information and Data Security Plan

Establishing enforcement areas Part of an effective information security program is the establishment of clearly defined enforcement areas. These areas serve as the foundation for determining the scope of the program’s authority and help to delineate the specific segments of the organization that must adhere to information security policies. The following list highlights various enforcement areas that should be considered when developing an information security program, including people, technology, and the broader organizational environment. By addressing these areas comprehensively, organizations can ensure that their security program is effective and consistently applied: • People: Define the types of users bound by information security policies, such as staff, contractors, students, and so on. Establish a framework for managing user access and permissions and monitoring compliance with security policies. Implement a process for handling violations and applying appropriate sanctions. • Technology: Define the enterprise technology scope under the authority of the information security program, including hardware, software, networks, and other IT assets. Develop and maintain a comprehensive inventory of technology resources and ensure they are subject to appropriate security controls, assessments, and monitoring. • Processes: Identify and document critical business processes involving sensitive or confidential data, and ensure they are designed and operated with security in mind. Implement a CI approach to identify and address security weaknesses in business processes and integrate security best practices into standard operating procedures. • Risk management and assessment: Establish a formal risk management process that identifies, assesses, and prioritizes information security risks. Regularly conduct risk assessments to evaluate the organization’s security posture and ensure that security controls are aligned with the organization’s risk tolerance. Use the results of risk assessments to inform decision-making and guide investments in security measures. • Legal and regulatory compliance: Ensure your information security program is designed to comply with applicable laws, regulations, and industry standards. Establish processes for monitoring changes in the legal and regulatory landscape, updating policies and procedures as needed, and demonstrating compliance to auditors, regulators, and other stakeholders. • Privacy and data protection: Develop a comprehensive privacy and data protection program to safeguard the personal information of customers, employees, and other stakeholders. Implement appropriate data handling and storage practices, access controls, and other measures to protect sensitive data. Ensure compliance with data protection laws and regulations and establish processes for responding to data breaches and other privacy-related incidents. • Third parties: Establish a risk-based approach to managing relationships with third parties with access to your organization’s data or systems. Develop processes for assessing the security posture of vendors, suppliers, and partners, and implement contractual protections to ensure that third parties adhere to your organization’s security requirements.

Summary

• Vendor and supply chain security: Evaluate the security posture of your organization’s supply chain, including vendors, partners, and service providers (SPs). Implement controls to mitigate supply chain risks, such as conducting regular audits and assessments, enforcing security requirements through contracts, and monitoring vendor performance. Establish a process for responding to security incidents involving supply chain partners and collaborate with them to continuously improve supply chain security. • Awareness and training: Implement a comprehensive information security awareness and training program to educate employees, contractors, and other stakeholders on their roles and responsibilities in protecting the organization’s information assets. Tailor training to the needs of different groups within the organization and provide ongoing updates and refreshers to keep security top-of-mind. • Metrics and reporting: Develop a set of meaningful and actionable information security metrics that can be used to track the performance of the information security program and support decision-making. Regularly report on these metrics to senior management, the board of directors, and other stakeholders, and use the insights gained to drive CI in the organization’s security posture. • CI and adaptation: Recognize that information security is an ongoing effort that requires constant attention and adaptation to evolving threats and changing business requirements. Implement a process for reviewing and updating the information security program regularly, incorporating lessons learned from incidents, risk assessments, audits, and other sources of feedback.

Summary This chapter looked at crafting an enterprise-wide information security program plan. This plan is more than just a document; it is fundamental to your entire information security program, orchestrating its operation and integration with your business. We discussed how to develop the objectives for your information security program. Formulating these objectives is an essential step as it sets the trajectory of your program, laying the groundwork for a successful implementation. We explored the important elements contributing to a successful information security program and the need to align your information security program with your overall business strategy. Our next chapter will discuss the critical role of continuous testing and monitoring. We’ll explore various testing methodologies that can assess the effectiveness of your information security controls and provide insights on how to incorporate these tests throughout the life cycle of your information system.

145

6 Continuous Testing and Monitoring Vulnerabilities have become an inescapable part of the life cycle of modern information systems. Rapid software and hardware development and deployment often lead to inadequately tested products. This approach to technology development often results in an amalgamation of potentially vulnerable systems within an organization. Information security professionals must understand that these vulnerabilities are an inherent aspect of information systems that cannot be eliminated. Continuous vigilance through regular technical testing and monitoring is the key to safeguarding these systems. Continuous testing and monitoring are essential practices in ensuring the security of an organization’s information systems. This approach involves regularly assessing the systems for potential weaknesses, implementing necessary security measures, and validating the effectiveness of those measures. This continuous cycle helps identify vulnerabilities and mitigate risks, enhancing the organization’s security posture. This chapter aims to present the concepts of continuous testing and monitoring so that you can implement them within your organization. The following topics will be covered in this chapter: • Types of technical testing • SDLC considerations for testing • Continuous monitoring • Vulnerability assessment • Penetration testing • Difference between vulnerability assessment and penetration testing

148

Continuous Testing and Monitoring

Types of technical testing Here are some examples of technical testing that can be employed within an organization: • Vulnerability assessment: A vulnerability assessment involves examining a specific information system or an entire network to identify weaknesses in its security posture. This process typically includes automated scanning tools that detect potential vulnerabilities and manual verification to confirm the findings. Vulnerability assessments help organizations understand their security risks and develop appropriate strategies to address them. • Web application vulnerability assessment: Web application vulnerability assessments are a specialized form of vulnerability assessment that focuses on web-based applications rather than servers and networks. These assessments aim to identify application code and logic weaknesses that attackers could exploit. By pinpointing potential flaws in the design, implementation, or configuration of web applications, organizations can take proactive measures to secure their online assets. • Static code analysis: Static code analysis is an essential technique in ensuring the security of an application’s source code. This method involves inspecting the code to identify potential flaws an attacker could exploit. Static code analysis tools can automatically check the code for common vulnerabilities, such as SQL injection or cross-site scripting, and provide recommendations for remediation. Organizations can reduce the risk of introducing vulnerabilities into their applications by incorporating static code analysis into the development process. • Dynamic code analysis Dynamic code analysis is an important method for assuring the security of a running application. Unlike static code analysis, which examines the source code without executing it, dynamic code analysis evaluates the application during its runtime to identify vulnerabilities that might be exploited in real-world scenarios. Dynamic code analysis tools can automatically simulate attacks on an application to identify vulnerabilities, such as insecure session management or insecure direct object references. • Penetration testing: Penetration testing is a process where security professionals simulate realworld attacks to test the effectiveness of an organization’s security measures. This type of testing takes the results of vulnerability assessments and validates whether an identified weakness is exploitable. Penetration testing can help organizations uncover hidden vulnerabilities, evaluate the impact of potential attacks, and determine the effectiveness of their security controls. In addition to continuous testing, organizations should also implement continuous monitoring to maintain a strong security posture. Continuous monitoring involves collecting and analyzing security-related data from various sources, such as network traffic, log files, and user activities. This information can help organizations detect unusual patterns or suspicious activities, enabling them to respond to potential threats.

SDLC considerations for testing

Some technical components of a continuous monitoring strategy include the following: • Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs): IDS and IPS solutions monitor network traffic and system activities to detect and block potential intrusions or attacks. These tools are critical in identifying and mitigating threats in real time, enhancing an organization’s overall security posture. • Security Information and Event Management (SIEM): SIEM solutions collect, analyze, and correlate security-related data from multiple sources, enabling organizations to detect and respond to potential threats more effectively. SIEM tools help organizations maintain a strong security posture by consolidating security information and providing actionable insights. • Endpoint Detection and Response (EDR): EDR solutions monitor endpoint devices, such as laptops and mobile phones, for potential security threats. EDR tools allow organizations to detect, investigate, and respond to security incidents quickly and effectively by providing real-time visibility into endpoint activities. • Security Orchestration, Automation, and Response (SOAR): SOAR platforms integrate security tools and processes to streamline threat detection, investigation, and response. By automating routine tasks and facilitating collaboration between different security teams, SOAR solutions can significantly improve an organization’s ability to identify and address potential threats. • Regular Security Audits: Regular security audits are essential for maintaining a strong security posture. These audits assess an organization’s security policies, procedures, and controls to identify potential weaknesses and areas for improvement. Security audits can help organizations stay updated with the latest threats, ensure compliance with industry standards, and make informed decisions about their security investments. The next section will delve into the significance of SDLC in the context of testing.

SDLC considerations for testing The importance of security testing throughout the system development life cycle (SDLC) cannot be overstated. As information systems grow increasingly complex and cyber threats become more prevalent, organizations must prioritize security testing from the earliest stages of a project until the system’s eventual disposal. By considering security testing during every phase of the SDLC, organizations can safeguard valuable data and resources, maintain the confidentiality, integrity, and availability of information systems, and mitigate risks. The following discussion highlights the crucial role of security testing across the various stages of the SDLC and outlines best practices for integrating security considerations into each phase.

149

150

Continuous Testing and Monitoring

Project initiation During the project initiation phase, information security professionals can collaborate closely with business/mission users and IT staff to understand the requested solution. By thoroughly analyzing business needs, information security professionals can add value to the project team by providing alternative suggestions and advocating for a secure proposal: • Analyzing business needs: In the early stages of project initiation, the focus is on evaluating business requirements and identifying potential solutions. Information security professionals should participate actively in these discussions, working alongside business and IT stakeholders to comprehensively understand the project’s scope and objectives. This collaborative approach ensures the team can identify and address potential security concerns before they become significant. • Identifying potential security risks: By engaging with business and IT stakeholders, information security professionals can better understand the potential security risks associated with the proposed solution. This understanding allows them to suggest alternative approaches, technologies, or methodologies to mitigate these risks. For example, suppose a proposed solution involves using a public cloud infrastructure. In that case, information security professionals can advise the team on selecting a provider with strong security controls and a proven track record of protecting customer data. • Developing a secure proposal: Once potential security risks have been identified, information security professionals can work with the project team to establish a secure proposal that addresses these concerns. This activity might involve revising the project’s technical direction, incorporating security best practices, or suggesting new technologies that enhance the overall security posture of the solution.

Requirements analysis The requirements analysis phase lays the groundwork for building a secure and reliable information system. During this phase, information security professionals collaborate with business and IT stakeholders to develop testable security requirements, which will serve to establish a secure system: • Perform an initial security risk assessment: An information security professional collaborating with business and IT stakeholders to conduct an initial security risk assessment is essential. By gathering information on potential business needs and threats, security professionals can better inform the project and identify areas requiring attention. As discussed in Chapter 4, Information Security Risk Management, this stage is an ideal time to perform data categorization, further supporting establishing the new information systems security requirements. The risk assessment should consider various factors, such as data sensitivity, system architecture, potential threats, and regulatory requirements. By identifying these factors, the team can develop a risk-based approach to establishing information security requirements for the new system.

SDLC considerations for testing

• Ensure security requirements are testable: Developing testable security requirements is crucial for a successful information system. Testable requirements enable verification of the implemented security controls and ensure that the system can withstand potential threats. A requirement that cannot be tested is likely poorly defined and could lead to inadequate security measures. For example, a vague requirement such as The information system must implement logging does not provide sufficient detail to ensure proper security. A better requirement would specify the logging features and criteria, such as The information system must audit events related to successful login and logout of privileged users. This requirement is testable and can be used to build a more secure information system than the previous example. • Collaborate with stakeholders and establish clear communication channels: Involving all relevant stakeholders in the requirements analysis process is essential for establishing a shared understanding of the system’s security needs. Collaboration helps ensure that security requirements are well-defined, testable, and effectively integrated into the system design. Open communication facilitates a more accurate representation of the system’s security needs, allowing for the development of a more adequately secured solution. • Utilize industry best practices and standards: When developing security requirements, utilize existing standards such as NIST, ISO/IEC, and OWASP. Ideally, your security requirements are based on your organizational policies, and your policies are derived from these standards. By adhering to established standards, information security professionals can ensure their security requirements align with recognized best practices. • Continuously review and refine security requirements: Security requirements may need to evolve as the project progresses and new information is gathered. Regular reviews and updates to the security requirements will ensure they remain relevant and effective in protecting the system. This process helps identify any gaps in the security controls and allows for timely adjustments to maintain a secure information system.

System design System design takes the foundation of the security requirements that were previously developed and applies them to the information system’s security and functionality. Information security professionals must develop comprehensive test plans, procedures, and reporting mechanisms to ensure the system’s security is designed and functioning as intended. They must also be actively involved in the design process, working closely with the design team to evaluate and refine security measures throughout development.

151

152

Continuous Testing and Monitoring

The following methods are used to conduct testing in the system design process: • Developing a test plan: With testable requirements established for the information system, information security professionals must create a test plan that outlines the scope, participants, resources, and data handling procedures for security testing. Here are some key questions to address in the test plan: ‚ What is the scope of the test? ‚ Who will be conducting the test? ‚ What resources are needed for the test (tools, personnel, and so on)? ‚ How should the testing outputs be managed (proprietary, confidential, and so on)? ‚ Who should be contacted if a system outage or security event occurs? • Test procedures: The procedures should detail the necessary steps for conducting each test, including the criteria for determining whether a test has passed or failed. For instance, when testing a web application for cross-site scripting (XSS) vulnerabilities, a tester might enter an XSS exploit code into an input field and assess the response from the web browser. If the browser returns an alert box, the test has failed, indicating the input field is vulnerable to XSS. Testers should then continue to evaluate all input fields using this method to ensure comprehensive security. The following figure illustrates the iterative approach to technical testing:

Figure 6.1 – Iterative approach to technical testing

• Reporting mechanisms: Information security professionals must develop clear reporting mechanisms to convey the results of security tests to the project team. Reports should include identified vulnerabilities, recommended mitigations, and passed and failed tests with supporting evidence. Reports should be provided to the appropriate stakeholders, following the data handling guidelines specified in the test plan. • Continuous testing in the design process: Information security professionals should actively engage with the design team throughout development. While the SDLC includes a distinct phase for acceptance testing, security professionals must also perform testing services during the design process to verify that security measures are functioning as expected and do not negatively impact the system’s performance.

SDLC considerations for testing

Active engagement during the design phase is crucial for information security professionals. This involvement ensures that security measures are effectively integrated into the information system and adequately protect the system once it is in production. Failing to participate in the design process may lead to inadequate security implementation, leaving the system vulnerable to threats.

System implementation It is not uncommon for unexpected challenges to arise during the system implementation phase of the SDLC. To address these challenges and maintain an acceptable level of security, information security professionals must be available and prepared to adapt to changes in the design and implementation of an information system. The following are the roles of information security professionals during system implementation: • Providing guidance on unanticipated changes: During the system implementation phase, unforeseen challenges may necessitate changes to the original design. Information security professionals support providing security guidance for these modifications. Their expertise helps ensure that any adjustments made to the system design maintain or enhance the system’s security. • Validating security controls: As changes are made during the implementation phase, it is crucial to validate that the security controls are still functioning as expected. Information security professionals should test the modified system, verifying that security measures have not been compromised or weakened due to the alterations. • Ensuring no negative impact on system performance: Besides validating security controls, information security professionals must ensure that any changes made during the implementation phase do not adversely affect the system’s performance. • Collaborating with stakeholders: Effective communication and collaboration with stakeholders are essential during the system implementation phase. Information security professionals should maintain open lines of communication with project managers, developers, and other team members to keep them informed about potential security risks and address any concerns that may arise. • Establishing a process for emergency changes: In some cases, emergency changes may be required to address critical security vulnerabilities or other urgent issues. Information security professionals should establish a process for managing and testing these emergency changes, ensuring that they are implemented quickly and effectively while maintaining the overall security and stability of the system.

System testing System testing is where the information security professional formally assesses the implemented security controls. This assessment aims to ensure that the information system’s confidentiality, integrity, and availability are appropriately protected and commensurate with the value of the data it contains. A

153

154

Continuous Testing and Monitoring

comprehensive testing approach such as the following considers the information system’s operational, management, and technical aspects: • Executing the test plan: The information security professional develops the test plan during the system design phase. This plan outlines the scope, personnel, tools, and procedures required to thoroughly evaluate the information system’s security controls. • Technical testing: Security-specific tools are utilized to conduct vulnerability assessments and penetration testing of the new production information system. These technical tests help identify potential weaknesses in the system’s security infrastructure and verify that implemented security measures effectively safeguard the system against various threats. • Management and operational testing: In addition to technical testing, the information security professional conducts security assessments to evaluate management and operational controls. This process involves interviews, documentation reviews, observations, and testing security controls that cannot be readily assessed through automated means. • Reporting and remediation: Once the test plan has been fully executed, the tester returns the results to the implementation team and management as appropriate. Any security controls that were not adequately implemented or are missing will be addressed at this stage. This iterative process involves validating changes and testing those adjustments until all tests have passed or management has accepted the risk associated with failed tests. • Finalizing the testing phase: The system testing phase concludes when all tests have passed, or management has accepted the risk associated with failed tests. This milestone signifies that the information security professional has successfully assessed the system’s security controls, and the information system is ready to transition into the operations and maintenance phase.

Operations and maintenance The operations and maintenance phase spans the years between the implementation and disposition phases of the SDLC. During this time, the information system provides valuable services to the organization. Regular testing is conducted to ensure that the information system’s security is maintained and that it remains resilient against evolving threats. During this phase, the two primary triggers for testing the information system are scheduled assessments and significant system changes: • Scheduled assessments: Organizations should perform periodic vulnerability assessments and penetration testing based on their corporate policies. These scheduled assessments help identify new vulnerabilities that may have emerged due to changes in the threat landscape or updates in the underlying technologies. Regular testing ensures that the information system’s security remains robust and up to date, minimizing the risk of security breaches.

SDLC considerations for testing

• Significant system changes: When changes occur in the information system, it is crucial to conduct tests to ensure its security remains adequate. Significant changes may include new version releases of software packages, operating system updates, or modifications to the system architecture. These changes can introduce new vulnerabilities or weaken existing security controls, making reassessing the system’s security posture essential. Here are some examples of significant system changes that warrant testing: ‚ Software updates: When a software package or operating system is updated, new features or modifications may introduce unknown security risks. These updates must be thoroughly tested to verify that the system remains secure and that the new features do not compromise the system’s overall security. ‚ Infrastructure changes: Changes to the underlying infrastructure, such as hardware upgrades or network modifications, can impact the information system’s security. Comprehensive testing should be conducted to evaluate the effects of these changes on the system’s security and to identify any potential new vulnerabilities. ‚ Policy and procedure updates: As organizations evolve, they may adopt new security policies and procedures to align with industry standards, regulatory requirements, or internal risk assessments. These policy and procedure updates may necessitate changes to the information system, which should be tested to ensure continued compliance with the updated security requirements. ‚ Incident response: In the event of a security incident or breach, organizations should conduct a thorough assessment of the affected information system to identify the root cause of the breach, evaluate the effectiveness of their security controls, and implement any necessary remediation measures.

Disposition The disposition phase marks the end of an information system’s life cycle when it is no longer useful to the organization. During this phase, it is important to properly decommission the system, ensuring that sensitive data is securely deleted and that media devices are thoroughly sanitized to prevent unauthorized access to the organization’s information assets. The information security professional collaborates with the IT staff to manage the disposition process effectively and securely while following industry best practices and regulatory requirements: 1. Decommissioning the information system: The first step in the disposition phase is to decommission the information system, which involves shutting down services, disconnecting the system from the network, and ensuring that any backups or replicated data are securely managed. Decommissioning must be done carefully to avoid disrupting other systems and services while protecting sensitive data.

155

156

Continuous Testing and Monitoring

2. Media sanitization: After decommissioning the system, sanitize all media devices, including hard drives, solid-state drives, and removable media such as USB drives and CDs. Media sanitization involves securely erasing data to prevent unauthorized access. There are several methods for sanitizing media devices, including the following: ‚ Clearing: This method involves overwriting data with a pattern of ones and zeros or using specialized software to remove the data. Clearing is typically adequate for magnetic media and is often used when devices are to be reused within the organization. ‚ Purging: Purging involves using more advanced techniques, such as degaussing or cryptographic erasure, to eliminate data from media devices. This method is more effective than clearing and is recommended for highly sensitive data or when devices are to be repurposed outside the organization. ‚ Physical destruction: In some cases, physically destroying media devices is the most secure method for sanitizing data. This method can involve shredding, crushing, or incinerating devices to render them unusable and ensure that data cannot be recovered. 3. Asset disposal: Once media devices have been sanitized, they can be disposed of while following the organization’s asset disposal policies and applicable regulations. This task may involve recycling, donating, or selling the devices, or disposing of them as electronic waste. Proper documentation and tracking of disposed assets are essential for compliance and auditing purposes. 4. Updating documentation and records: The disposition process also involves updating documentation and records related to the decommissioned information system. This activity may include updating asset inventories, removing the system from network diagrams, and archiving relevant documentation for future reference or compliance purposes.

SDLC summary Integrating security testing throughout an information system’s SDLC is important. This approach helps identify and address potential vulnerabilities, ensuring systems are designed and implemented with security in mind. The following diagram provides a high-level visual representation of some information security testing responsibilities for security professionals in their organization:

Continuous monitoring

Figure 6.2 – High-level representation of information security testing responsibilities

As you integrate security testing into your organization’s SDLC, consider the following key success factors: • Integrate security testing into existing processes: Work with your development and IT teams to incorporate security testing into their existing testing and quality assurance gates. This approach ensures that security is considered at every project stage without imposing an arbitrary schedule that might disrupt the team’s workflow. • Collaborate with subject matter experts (SMEs): No one person can be an expert in every aspect of information security. Recognize your limitations and collaborate with SMEs to develop workable solutions for addressing failed security tests. By involving experts with relevant experience and knowledge, you can ensure that your security testing efforts are effective. • Provide clear guidance on security requirements: Many development and IT teams are eager to build secure systems but may not have the necessary expertise or understanding of security requirements. By providing clear guidance and resources, you can equip these teams with the required tools and knowledge to design and implement secure information systems. Now that we’ve discussed the importance of SDLC, let’s shift our focus to the concept of continuous monitoring.

Continuous monitoring The concept of continuous monitoring stems from the understanding that an information system, if left unchecked, will gradually develop vulnerabilities that can be exploited. While IT and information security teams may excel in developing, securing, and testing a new information system, these efforts only capture a snapshot in time and can quickly become outdated. As new patches are released, and new exploit techniques emerge, information systems must be updated to address these evolving threats.

157

158

Continuous Testing and Monitoring

Continuous monitoring operates within the operations and maintenance phase of the SDLC. A continuous monitoring program should be established within an organization to ensure that security controls relating to people, processes, and technology are effectively monitored and continue to provide a robust defense against the ever-changing information security threat landscape.

Information security assessment automation Information security assessment automation uses specialized tools that automatically evaluate an organization’s adherence to its information security program’s standards. These tools streamline the assessment process, help identify vulnerabilities, ensure compliance with security policies, and maintain the organization’s overall security posture. Here are some key areas of focus for information security assessment automation: • Vulnerability and patch compliance: Automated tools can validate information system patch levels and vulnerabilities across the enterprise, including servers and workstations operating systems (Windows, Linux, and others), network devices (routers, switches, and so on), server software applications (database, email, DNS, and so on), and desktop applications (Microsoft Word, Adobe Acrobat, and others). • Network and configuration management: Automated tools can ensure compliance with change and configuration management policies and information security baselines. These tools can manage the thousands of configuration items related to information systems, allowing for common secure configurations. They can also perform discovery and inventory of information system assets and detect and restrict unauthorized software and hardware. • Software assurance: Ensuring software is developed and implemented free from exploitable vulnerabilities and functions as intended is crucial for maintaining a strong security posture. Automated tools can perform static code analysis, web application vulnerability scanning, and database vulnerability scanning. These tools help organizations identify and address potential vulnerabilities in their software, reducing the likelihood of successful cyberattacks. • License and asset management: Automated tools can help organizations maintain an inventory of hardware and software on the enterprise network or individual information systems. These tools can manage software deployment and provisioning, asset discovery, and information collection, as well as monitor software and hardware usage. While these functions may be integrated into other tools the organization implements (for example, network or configuration management tools), they are essential in ensuring that all assets are accounted for and managed effectively.

Effectively reporting information security metrics A clear understanding of your organization’s information security metrics is crucial for maintaining its security posture. Effective reporting tools and dashboards can help you gain visibility into your overall security posture, allowing you to identify and address any potential risks associated with an information system.

Continuous monitoring

Governance, risk, and compliance (GRC) tools are essential in effectively reporting information security status. These tools enable the information security program to carry out various tasks, ensuring the organization remains compliant and secure. Here are some characteristics of GRC tools: • Distribute information security policies: GRC tools can help disseminate information security policies to project teams, ensuring everyone knows the expectations and guidelines for maintaining a secure environment. • Map organizational policies to compliance standards: GRC tools can maintain mappings of an organization’s information security policies against applicable compliance standards, making it easier to identify gaps and areas for improvement. • Test the implementation of controls: GRC tools can assess how well an information system implements controls based on the organization’s information security policies. This helps identify weaknesses in the system that may need to be addressed. • Perform risk assessments and schedule mitigations: GRC tools can help perform risk assessments for various aspects of an organization’s information security program. These assessments can identify potential risks and vulnerabilities, allowing the organization to schedule and prioritize mitigations. • Report on the organizational information security risk posture: GRC tools can provide comprehensive reports on an organization’s information security risk posture. These reports can help decision-makers understand the current state of their security program and make informed decisions about resource allocation and future initiatives.

Alerting to information security weaknesses Tools designed to monitor information systems for changes that introduce exploitable vulnerabilities continuously play a crucial role in maintaining an organization’s information security. These tools can help detect and prevent incidents while protecting the organization’s data: • Incident and event management: These tools constantly inspect enterprise systems and applications for indicators of compromise. Examples include the following: ‚ Intrusion detection systems (IDSs) ‚ Security Information and Event Management (SIEM) ‚ Log management

159

160

Continuous Testing and Monitoring

• Malware detection tools: These are tools that are designed to detect Trojans, spyware, viruses, and other malicious code throughout the enterprise information system. A layered approach is ideal for effective malware detection and includes the following aspects: ‚ Server and workstation operating system: Traditional antivirus software installed on operating systems ‚ Gateway-level protection: Email message transfer agents, web proxies, and virtualized malware detonation appliances • Information management: These are tools that protect information within the organization, both at rest within organizational information systems and from unauthorized exfiltration by attackers. Data loss prevention (DLP) tools protect information from theft or misuse by internal employees or external attackers. When properly configured, these tools defend an organization’s information and alert information security professionals to potential compromises. Let’s now delve into the realm of vulnerability assessment.

Vulnerability assessment Vulnerability assessment is a methodology that aims to identify exploitable weaknesses within information systems. It’s important to emphasize that vulnerability assessment is not just a tool; it requires multiple tools and relies heavily on the tester’s skill and adherence to a systematic process to ensure a high-quality assessment. Due to their complexity and insecure design, modern information systems often develop many vulnerabilities over time. A vulnerability assessment may uncover hundreds or thousands of these vulnerabilities across your environment. To effectively secure your organization, you must have an efficient means of triaging and prioritizing the discovered vulnerabilities. Understanding your business’s priorities will help you protect information systems in an order that reduces risk most effectively for your organization. Several methods can be used to scan your network for existing vulnerabilities, including the following: • Port scanning: This scan determines whether a computer has open TCP or UDP ports. Open ports on a computer indicate that a network service is running and listening on that port. • Network tracing: This scan aims to build a network map based on the results returned by the scan. • Version scanning: This scan adds to the port scan by attempting to determine which service and what version of that service is running on a given port. • Network sweeping: This type of scan determines which IP addresses are used by network-connected devices.

Vulnerability assessment

• OS fingerprinting: Similar to version scanning, the scanner attempts to guess the version of the operating system based on data returned by the scan. An organization must utilize a combination of these scanning methods to perform a thorough vulnerability assessment. This comprehensive approach identifies potential weaknesses in information systems, providing essential insights into an organization’s security posture.

Vulnerability scanning process The vulnerability scanning process is essential to an organization’s information security program. It follows a systematic workflow in which each scan builds upon the previous one, providing increasingly detailed information. This iterative process allows the tester to develop an accurate understanding of the environment, ultimately leading to the actual vulnerability scan. The following figure outlines this process:

Figure 6.3 – Vulnerability scanning process

Let’s take a closer look at this workflow.

Device discovery The first phase of the workflow involves mapping out the devices present on the network and determining the network topology. This step is crucial in identifying the devices that need to be assessed and understanding the context in which they operate. Let’s look at some of the scans that are performed: • Network tracing: This scan aims to build a network map based on the results returned by the scan. It helps the tester visualize the network’s structure and identify its connected devices. • Port scanning: A port scan determines whether a computer has open TCP or UDP ports. Open ports indicate that a network service is running and listening on that port. This information is crucial in understanding the attack surface of a given device. • Network sweeping: This type of scan determines which IP addresses are used by networkconnected devices. It helps identify active devices on the network and can provide information about the number of devices present, their IP addresses, and potentially their roles within the network.

161

162

Continuous Testing and Monitoring

Service enumeration During this workflow phase, the tester determines the services and operating systems on the scanned target machines. This information is vital to ensure an accurate vulnerability assessment. Some of the scans that are performed are as follows: • Version scanning: This scan attempts to determine the specific service and its version running on a given port. Accurate version scanning is essential for identifying potential vulnerabilities associated with software versions. • OS fingerprinting: This scan aims to identify the operating system of a target device based on the data returned by the scan. Different operating systems may have distinct vulnerabilities, making OS fingerprinting critical for accurate vulnerability assessments. Ineffective service enumeration can lead to inaccurate results during the vulnerability scan. For example, a vulnerability on a specific open port for a Linux system may not exist on a Windows system. If OS fingerprinting does not accurately identify the operating system, the vulnerability scan may report false positives because the scanner assumes it is scanning a different system.

Vulnerability scanning The primary objective of vulnerability scanning is to determine whether exploitable weaknesses exist in the information systems being scanned. The device discovery and service enumeration phase results serve as input for the vulnerability scanning tool. The vulnerability scanner uses various methods to determine whether a specific vulnerability exists, including the following: • Validating configuration: The scanning tool examines the operating system and service configuration, verifying that it meets a specified security standard. • Organizational policies: Vulnerability scanners typically come preloaded with a base set of security scans for checking information systems based on best practices. However, you should configure your vulnerability scanner to inspect your information systems against your organization’s security policy. • Unauthenticated scans: These scans are performed without administrative privileges, meaning configurations requiring elevated permissions cannot be accessed. While unauthenticated scans can provide a snapshot of what an attacker might see, authenticated scans are preferred for a more accurate picture of system vulnerabilities. • Authenticated scans: Authenticated scans have the necessary operating system permissions to deeply examine the information system’s configuration and accurately test for invalid configurations. While these scans pose a higher risk to the information system, they provide a more comprehensive assessment of vulnerabilities: ‚ Running authenticated scans with potentially unsafe options may pose a risk to the information system. Obtain approval from the information system owner and ensure appropriate backup measures are in place before conducting such scans.

Vulnerability assessment

• Validating service behavior: Examining service behavior can help you identify outdated and potentially vulnerable software in the information system. For example, suppose an open port 22 is detected, and SSH is running on this port. In that case, the vulnerability scanner can interact with the service to determine whether it behaves like an older, vulnerable version of SSH: ‚ Validating the version: Version validation performed by the vulnerability scanner delves deeper into the information system than during service enumeration. The scanner inspects installed software packages for outdated versions, including those not listening on network ports.

Vulnerability validation After the vulnerability scanner has completed its operation, reviewing and validating the results is crucial. Handing over a vulnerability assessment report fresh from the scanning tool without validating its accuracy can cause frustration for your project team. Understanding that vulnerability scanners identify weaknesses based on signatures or rules in the tool’s database is essential. It is possible, and often occurs, that a vulnerability scanner will report a vulnerability that does not exist. This can happen because a valid signature or rule in the vulnerability scanning tool finds a match on the information system for software or configurations that resemble the signature or rule but are not vulnerable. Here are some examples of common issues and their resolutions: • Problem: A Windows system is incorrectly identified as a Linux system. The vulnerability scanner then flags an open port as vulnerable based on the assumption that the system is Linux. However, the actual Windows system is not vulnerable: ‚ Resolution: Correctly identify the system as Windows and perform a rescan • Problem: The vulnerability scanner reports that a patch is not installed on a Windows system. However, a rollup patch containing the patch in question has been installed. This means the scanner did not recognize the rollup patch containing the required patch: ‚ Resolution: Enable the scanner’s ability to detect rollup patches and rescan the system By validating the vulnerability assessment results, you can provide your project team with more accurate and actionable information. This process helps you avoid wasting time and resources on addressing false positives and allows your team to focus on genuine vulnerabilities that pose a risk to your organization’s information security.

Vulnerability resolution The vulnerability resolution process begins after the information security professional has completed their testing and validated the findings in the vulnerability scanning report. The information security professional’s role does not end with handing over a report and metrics for mitigation. They

163

164

Continuous Testing and Monitoring

should collaborate closely with these teams, providing the necessary support to explain uncovered vulnerabilities and how they were discovered. The vulnerability resolution process workflow consists of the following stages: • Investigate vulnerabilities: The operations and development team must review the information system to verify that the vulnerabilities identified in the vulnerability scan report exist. The technical teams responsible for the information system will work through the identified vulnerabilities to do the following: ‚ Confirm the validity of vulnerabilities. Although the information security professional has validated the vulnerabilities, the SMEs responsible for the information system still need to confirm and ensure their validity. ‚ If a vulnerability is deemed invalid, the information security professional should work with the technical team to verify that there is no vulnerability and note this accordingly in the vulnerability assessment report. • Determine a plan of action: In collaboration with the information security professional, the technical team will develop the necessary steps to mitigate the vulnerability. These steps may include mitigation activities such as the following: ‚ Installing a patch ‚ Upgrading an operating system ‚ Closing a network port ‚ Changing a server or service configuration • Resolve the vulnerability: The technical team for the information system implements the plan of action to mitigate the discovered vulnerability. • Report the status: After implementing the plan of action to resolve the vulnerability, the technical team reports the status as successful or unsuccessful back to the information security team: ‚ If the vulnerability is not resolved successfully, the information security professional should work with the technical team to address the issue and develop a new plan • Retest the information system: Once the vulnerability has been satisfactorily resolved, the information security professional will retest the information system to ensure that the vulnerability has been fixed. The vulnerability will be noted in the assessment report and closed if resolved. If the vulnerability hasn’t been resolved, this process will be started over with the technical team. The following figure illustrates the iterative process of vulnerability remediation:

Penetration testing

Figure 6.4 – The iterative vulnerability remediation process

Let’s now shift our focus to penetration testing, another critical aspect of information security assessment.

Penetration testing Penetration testing is a deliberate and planned attack on an information system that’s designed to simulate the experience of an actual information system under attack by a hacker. This proactive approach helps organizations identify vulnerabilities and assess their security posture. There are various types of penetration tests that organizations can choose to implement, each focusing on different aspects of the organization’s security. These include the following: • Social engineering: This type of test attempts to manipulate users into revealing information that would benefit an attacker in further exploiting the organization. The attacker aims to gain sensitive information, such as passwords, confidential documents, or access credentials, by exploiting human trust and curiosity. Social engineering techniques include phishing, pretexting, baiting, and tailgating. • Client-side: This type of test focuses on assessing the security of end user environments by testing applications and systems within the desktop environment. This may involve testing web browsers, email clients, and other client-side software for vulnerabilities that attackers could exploit to gain unauthorized access, escalate privileges, or exfiltrate sensitive data.

165

166

Continuous Testing and Monitoring

• Wireless security: This test aims to discover and exploit an organization’s wireless network capabilities, including Wi-Fi, Bluetooth, and other wireless communication technologies. The goal is to identify weaknesses in the organization’s wireless infrastructure, such as weak encryption, default configurations, and unauthorized access points, which could allow attackers to intercept sensitive information or gain unauthorized access to the network. • Network services: This type of test focuses on identifying and exploiting vulnerabilities in systems and services within the enterprise network. This may include targeting network devices, such as routers, switches, firewalls, server-based applications, databases, and other critical infrastructure components. The objective is to assess the organization’s ability to detect, prevent, and respond to attacks targeting its internal network infrastructure. • Physical security: This test aims to evaluate the effectiveness of an organization’s physical security measures, such as locks, access control systems, surveillance cameras, and alarm systems. The tester attempts to bypass these security measures and gain unauthorized access to restricted areas, sensitive information, or critical infrastructure. This type of test highlights potential weaknesses in the organization’s physical security posture and emphasizes the importance of maintaining a comprehensive approach to security. Penetration testing is essential to an organization’s security strategy, allowing businesses to proactively identify vulnerabilities and mitigate potential risks before malicious actors can exploit them. Regular penetration testing and continuous monitoring and improvement of security measures will help organizations stay ahead of emerging threats.

Phases of a penetration test Penetration testing involves a series of steps designed to identify and exploit vulnerabilities in an organization’s information systems, simulating the actions of a real-world attacker. The process consists of several distinct phases: • Reconnaissance: In the reconnaissance phase, the penetration tester seeks to gather information about the organization so that they can exploit and penetrate its defenses. Types of reconnaissance include the following: ‚ Active: The tester actively gathers data about the organization. Examples of active reconnaissance include port scanning and directly interacting with the target system. ‚ Passive: The tester passively gathers data about the organization without directly interacting with the information system they intend to exploit. Examples include dumpster diving and phishing emails.

Penetration testing

• Scanning: In this phase, the tester seeks to gain additional information about the network they are attempting to infiltrate. During this phase, vulnerability scanning and network mapping are performed to identify potential entry points and weaknesses. • Gaining access: The tester seeks to gain control of the information system they are testing. After uncovering vulnerabilities during the scanning phase, the tester exploits those vulnerabilities to gain access. They may also attempt to compromise other devices on the network using the initially exploited machine as a foothold. It is essential to consider all devices on the network, including IoT devices, as potential targets for exploitation. • Maintaining access: Once the tester has acquired access to the network, they will ensure they retain access. The tester may install software or use techniques that allow them to access the compromised device, even if the initial vulnerability is closed. Here are some tools and methods you can use to maintain access: ‚ Backdoors: Tools running in the background on the affected system, allowing the tester to access the system remotely and without detection. ‚ Malware (viruses, Trojans, worms, botnets, and more): These tools are used for exploitation and data exfiltration. They can maintain access during a penetration test or attack scenario if they’re crafted appropriately. ‚ Purpose-built software packages: Tools such as Core Impact and Metasploit enable the tester to maintain access to a compromised system. • Covering tracks: A successful penetration test should involve covering tracks, as a skilled attacker would do in a real-world scenario. The tester must take great care to avoid detection, ensuring that their actions do not trigger security alarms or leave evidence of their activities. An example of covering tracks at the network level would be to use a reverse HTTPS shell: ‚ In this scenario, the tester installs software on the compromised machine, causing it to reach out to the tester’s command and control device at regular intervals. To an internal monitoring team, this appears as normal secured web traffic when, in reality, it is a compromised system receiving commands from the tester/attacker. The following figure illustrates the penetration testing workflow:

167

168

Continuous Testing and Monitoring

Figure 6.5 – Penetration testing workflow

Let us now understand the difference between vulnerability assessments and penetration testing.

Difference between vulnerability assessments and penetration testing While vulnerability assessments and penetration tests play crucial roles in an organization’s security posture, their objectives, methodologies, and results significantly differ. Understanding these differences is essential to ensure the organization employs the most suitable approach to identify and address potential threats. The primary purpose of a vulnerability assessment is to identify potential weaknesses within an organization’s information systems. This assessment involves scanning and evaluating systems, networks, and applications to detect vulnerabilities that may expose the organization to potential threats. The focus is determining vulnerabilities and providing information to the technical team to remediate the identified issues. Vulnerability assessments typically end at the scanning phase, where the technical team is engaged to address any identified weaknesses. In contrast, penetration testing goes beyond simply identifying vulnerabilities. Its goal is to understand whether the identified vulnerabilities can be exploited to gain unauthorized access to systems and sensitive organizational information. Penetration testing simulates real-world attacks, attempting to compromise target systems and networks using identified weaknesses.

Summary

A penetration test offers a more in-depth analysis than a vulnerability assessment as it illustrates the possible effects of vulnerabilities on an organization’s security. This test aims to prove that an attacker can gain access to an information system and use that access to infiltrate other systems within the company network, ultimately extracting sensitive data. In contrast, a vulnerability assessment does not aim to provide such extensive insight into information security. Let’s compare the workflows of vulnerability assessments and penetration tests to highlight their distinct objectives and approaches: • Scope: Vulnerability assessments focus on identifying weaknesses in the target systems, while penetration tests aim to exploit those weaknesses and simulate the actions of an attacker. • Methodology: Vulnerability assessments involve scanning and evaluating systems, networks, and applications for potential vulnerabilities. Penetration testing includes reconnaissance, scanning, gaining and maintaining access, and covering tracks replicating real-world attack scenarios. • Results: Vulnerability assessments provide a list of identified vulnerabilities to be addressed by the technical team. Penetration tests, in contrast, demonstrate the potential impact of those vulnerabilities on the organization, including unauthorized access to sensitive information and the compromise of internal systems. With this, we have come to the end of this chapter.

Summary This chapter explored various technical testing types, highlighting the importance of integrating security considerations within the SDLC. It emphasized the role of automation in information security assessments to streamline vulnerability identification and remediation efforts. By delving into vulnerability assessments and penetration testing, this chapter underscored the significance of these methodologies in identifying weaknesses and simulating real-world attacks on information systems. Continuous testing and monitoring are critical components in an organization’s defense strategy, ensuring robust security and protection against potential threats. In the next chapter, we will learn about business continuity and disaster recovery (BCDR) planning. We will discuss the many considerations around implementing a successful BCDR plan to ensure continued business operations in the event of a disaster.

169

7 Business Continuity/Disaster Recovery Planning This chapter provides the reader with the tools to design a Business Continuity and Disaster Recovery (BCDR) plan for their organization. This chapter will discuss BCDR’s role in enterprise planning from a technical and business perspective. We will then discuss developing your BCDR plan, which involves careful assessment, strategy, and planning. Finally, methods for testing your BCDR plan to ensure it’s ready to protect your organization will be discussed. By the end of this chapter, you’ll be well equipped to create a resilient, robust BCDR plan that secures your business in the face of uncertainty. The following topics will be covered in this chapter: • Introduction to BCDR • Designing a BCDR plan • Defining technical DR mechanisms • Developing your plan • Testing the BCDR plan

172

Business Continuity/Disaster Recovery Planning

Introduction to BCDR BCDR planning is a critical component of an organization’s overall risk management strategy. These two disciplines aim to help organizations prepare for, respond to, and recover from various types of disasters, including natural disasters, cyberattacks, equipment failures, and human errors. By having a comprehensive plan, companies can minimize the potential impact of disasters on their operations and ensure the continuity of their services. Let us now understand the two main important components of BCDR planning, as follows: • BC planning is the process of identifying critical business functions, determining how these functions can be maintained or quickly restored in the event of a disaster, and developing plans and procedures to ensure their continued operation. The primary goal of planning is to minimize disruptions to business operations and reduce the potential financial and reputational impacts of a disaster. BC planning involves several key steps, as set out here: I.

Risk assessment: The first step in BC planning is to conduct a thorough risk assessment, which involves identifying the organization’s potential threats and vulnerabilities. This may include natural disasters, cyberattacks, equipment failures, and human errors.

II.

Business impact assessment (BIA): The next step is to conduct a BIA, which assesses the potential consequences of various disaster scenarios on critical business functions. The BIA helps prioritize recovery efforts by identifying the most crucial processes and systems that must be restored first.

III. Recovery strategy development: The organization develops recovery strategies for each critical business function based on the risk assessment and BIA findings. This may include alternative work locations, backup systems, and arrangements with third-party vendors. IV.

Plan documentation and testing: Finally, the organization documents the BC plan, detailing the specific actions to be taken during a disaster. Regular testing and updating of the plan are essential to ensure its effectiveness and adaptability to changing circumstances.

• DR planning DR planning focuses on the technical aspects of recovering from a disaster— specifically, the processes and systems that support critical business functions. DR planning aims to minimize downtime and data loss, ensuring the availability of essential IT infrastructure and services during and after a disaster. Critical components of DR planning include the following: ‚ Technology inventory: A comprehensive inventory of the organization’s IT infrastructure, including hardware, software, data, and network components, is crucial for effective DR planning. ‚ Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs): These metrics help define acceptable downtime and data loss levels during a disaster. RTO refers to the maximum time a system or application must be restored, while RPO determines the maximum amount of data loss that can be tolerated.

Introduction to BCDR

‚ Backup and recovery strategies: Organizations must develop and implement robust data backup and recovery strategies to ensure that critical data can be restored quickly in the event of a disaster. This may include off-site backups, cloud-based storage, and redundant systems. ‚ DRP documentation and testing: As with a BCP, a DRP should be documented and regularly tested to ensure its effectiveness. This includes conducting simulated disaster exercises and periodically reviewing and updating the plan as necessary.

Integrating BC planning and DR planning Although BC planning and DR planning are distinct disciplines, they are closely related and must be integrated to ensure a comprehensive approach to disaster preparedness. Key steps in integrating BC planning and DR planning include the following: • Coordination and communication: BC planning and DR planning teams must work together to develop a cohesive and coordinated plan that addresses the organization’s overall disaster preparedness needs. Regular communication and collaboration between the groups are crucial for effective integration. • Consistent objectives and priorities: BC planning and DR planning teams should share common goals and priorities, ensuring recovery strategies align with the organization’s broader objectives. This includes aligning RTOs and RPOs with the priorities identified in the BIA and ensuring that critical systems and processes are prioritized for recovery. • Cross-functional team involvement: Involving representatives from various functional areas in BC and DR planning helps ensure a comprehensive understanding of the organization’s needs and interdependencies. This may include representatives from IT, finance, human resources, operations, and other relevant departments. • Unified documentation and training: Integrating BCP and DRP documentation into a single, unified plan simplifies communication, training, and implementation. All employees should receive training on the plan, understand their roles and responsibilities in the event of a disaster, and be familiar with the procedures to be followed. • Regular reviews and updates: As the organization evolves, so should the BCP and DRP. Regularly reviewing and updating the plans to reflect changes in the business environment, technological advancements, and regulatory requirements are essential to maintaining their effectiveness. BCDR planning is an essential component of an organization’s risk management strategy. By proactively planning for potential disasters, organizations can minimize the impact on their operations and ensure the continuity of their services.

173

174

Business Continuity/Disaster Recovery Planning

Scope of a BCDR plan As mentioned, BCDR ensures the continuity of enterprise operations during a disaster. This approach involves the BCP and DRP, focusing on business functions and supporting technology.

BC planning The primary goal of BC planning (BCP) is to identify potential risks and threats facing an organization and establish mechanisms to ensure business functions can continue to operate during a disaster. The focus should be on the business functions rather than the technology itself. To develop a comprehensive BCP, consider the following key points: • Organizational risks: As part of your information security program, it is crucial to understand the negative impacts your organization may face. Assessing organizational risks will help guide the development of a BCP. Consider the following questions: ‚ Are there geographical risks that could affect the operations of your organization (hurricanes, wildfires, floods, blizzards)? ‚ What will the impact of a significant disruption be? What will the consequences to the organization from a revenue and reputation perspective be? ‚ How will the organization continue to earn revenue in a disaster (e-commerce website failure; manufacturing plant control systems compromise)? • Location and availability: Determine whether your organization could continue operating if key areas became unavailable. Does your organization rely too heavily on a single site? What approaches could be taken to address this issue? Consider the following: ‚ Establish satellite locations that will take over critical capabilities in a disaster. Key team members would move to these locations and continue their roles from these satellite locations. ‚ Develop a plan to establish an emergency command center at a predefined location, such as a hotel, where team members will move to re-establish operations. ‚ Move the organization to a full telework capability until operations can be reinstated in the affected work facility. • Succession planning: Ensure that you have plans to manage human resources in the event of the unavailability of key team members. Consider the following questions: ‚ Who takes over key executive leadership roles if top-level positions are unavailable or incapacitated? ‚ Do you have team members cross-trained in duties to perform at least minimal functionality (or more) during a disaster? ‚ How will you continue to pay your staff?

Introduction to BCDR

By addressing questions such as these, organizations can develop a comprehensive BCP that focuses on ensuring the ongoing operation of business functions, even in the face of potential disasters.

DR planning A DRP is a well-documented set of steps that outline the processes and procedures necessary for an organization to recover its information systems during a disaster. The plan translates the concerns and requirements of your organization’s business or mission leaders, developed during BC planning, into actionable steps to ensure continued operation during a disaster. Key questions that should be addressed as part of the DR planning process will be covered in this section.

Funding and resource allocation Resources are crucial for an effective DRP. Implementing DR measures will incur costs for your organization. These costs should align with the risk appetite of senior leadership and the value of the information you aim to maintain during a disaster. Consider the following aspects of resource allocation: • Expected expenses: As part of the planning process, you will derive concrete expectations regarding the resources required to establish alternate operations for your organization. These funds should be approved and incorporated into the expected organizational budget to ensure BC. Key elements to consider include the following: ‚ Staffing: Determine the personnel needed to execute the DRP and ensure they are adequately trained and prepared. ‚ Equipment and infrastructure: Identify the hardware, software, and network components required to restore critical systems and infrastructure. ‚ Facilities: Assess the costs associated with acquiring or leasing alternate facilities, such as data centers, offices, or manufacturing plants, to continue operations during a disaster. ‚ Service providers (SPs): Evaluate the expenses of engaging third-party SPs for data recovery, system restoration, or other DR services. • Unexpected expenses: A plan is only good the moment it is completed. After that, unexpected scenarios may arise, causing your plans to change. To address unplanned resource requirements during a disaster and ensure BC, consider the following: ‚ Contingency fund: Establish a contingency fund or emergency budget that can be accessed during a disaster to cover unforeseen expenses. This fund should be periodically reviewed and adjusted to reflect changes in the organization’s risk profile and financial capabilities. ‚ Insurance coverage: Assess your organization’s insurance policies to determine whether they provide adequate coverage for disaster-related expenses, such as property damage, loss of revenue, or the costs of implementing your DRP. If necessary, adjust your coverage to align with your organization’s needs and risk tolerance.

175

176

Business Continuity/Disaster Recovery Planning

 Flexible procurement processes: Develop flexible procurement processes that can be quickly activated during a disaster to acquire necessary resources or services. This may involve establishing pre-approved vendor contracts or streamlining internal approval processes to expedite decision-making.

Roles and responsibilities Define the roles and responsibilities of the DR team members to ensure a smooth and effective DR process. A well-structured team with clearly defined roles helps maintain order and prevent confusion during a disaster. Consider the following aspects when outlining your DR team’s roles: • Leadership and organization: Designate organizational leaders and leaders within each business unit (BU) to guide the DR effort. Include the following: ‚ DR coordinator: Appoint an overall coordinator responsible for overseeing the DR process, ensuring all BUs are aligned and working toward a common goal ‚ BU leaders: Assign leaders within each BU to manage their respective teams, coordinate efforts, and report progress to the DR coordinator • Clear role definitions: Clearly define roles and responsibilities for each team member, addressing the following aspects: ‚ Reporting structure: Establish a clear reporting hierarchy to ensure efficient communication and decision-making. Identify who reports to whom and how information should flow through the organization during the DR process. ‚ Emergency declaration: Determine who can declare an emergency and initiate the DRP. This individual should be able to assess the situation and make timely decisions based on the organization’s best interests. ‚ Functional roles: Assign specific tasks and responsibilities to each team member, such as system restoration, data recovery, communication, or facilities management. Ensure that individuals have the necessary skills and training to fulfill their roles effectively. • Communication and contact information: Effective communication is vital during DR. Consider the following aspects to ensure that team members can stay connected and informed: ‚ Call tree: Develop a call tree that outlines the order in which team members should be contacted in the event of a disaster. This call tree should include contact information for each team member, alternate contact methods, and backup contact information in case the primary method fails. ‚ Communication cadence: Establish a communication cadence or schedule for BUs to share status updates and disseminate information. This could include regular conference calls, email updates, or instant messaging platforms.

Introduction to BCDR

‚ Alternate communication channels: Identify alternate communication channels that can be used in case primary channels become unavailable during a disaster. This may include satellite phones, ham radios, or messaging apps that do not rely on the organization’s primary communication infrastructure.

Data management and protection Proper data management and protection are critical for identifying mission-critical data and implementing strategies to safeguard information from potential disasters. Consider the following aspects when evaluating your data management and protection strategies: • Data location and redundancy: Evaluate where your data is stored and ensure it is not concentrated in a single, vulnerable location. Implementing redundancy and geographically separated storage solutions can help minimize the risk of data loss in a disaster. Consider the following options: ‚ Failover site capability: Establish additional IT infrastructure at geographically separate locations to take over information processing capabilities in case the primary site is compromised. This could include off-site data centers, colocation facilities, or DR-as-aservice (DRaaS) providers. ‚ Data replication: Implement data replication strategies to create and maintain copies of critical data at multiple locations. This could involve synchronous or asynchronous replication, depending on your organization’s RPO and RTO requirements. • Cloud-based data storage: Using cloud-based data storage solutions can offer numerous benefits, including flexibility, scalability, and reduced reliance on physical data centers. Consider the following aspects: ‚ Cloud provider evaluation: Not all cloud providers offer the same fault tolerance, redundancy, and DR capabilities. Carefully review your contracts and service-level agreements (SLAs) to ensure that your cloud provider can meet your organization’s needs in case of a disaster. ‚ Shared responsibility model: Understand that DR is a shared responsibility between your organization and the cloud provider. While the cloud provider is responsible for the infrastructure, your organization is responsible for implementing data management and protection strategies, such as data encryption, access controls, and backup and recovery plans. ‚ Cloud-to-cloud backup: Consider implementing cloud-to-cloud backup solutions to ensure the redundancy and availability of your data in the event of an outage or disaster at your primary cloud provider.

Ensuring the DRP does not introduce vulnerabilities A well-crafted DRP should prioritize not only the continuity of business operations but also the security of the organization. Ensure that your DRP does not inadvertently introduce vulnerabilities

177

178

Business Continuity/Disaster Recovery Planning

or weaken your organization’s security posture. Consider the following aspects to maintain a secure and effective DRP: • Data backup consistency and integrity: Data backups are critical in DR efforts. Ensuring that backups are consistent and maintain data integrity is essential for seamless recovery. The following are some areas you could look at to achieve this: ‚ Regular backup testing: Conduct regular tests to validate the integrity and consistency of your data backups. This could involve data restoration tests, backup verification checks, and monitoring backup logs for errors or inconsistencies. ‚ Backup storage security: Implement strong encryption and access controls for your backup storage to prevent unauthorized access and tampering. Ensure that the storage medium, whether on-site, off-site, or in the cloud, adheres to your organization’s security standards. • Minimizing data exfiltration opportunities: A DRP should not create opportunities for data exfiltration. To minimize such risks, consider the following: ‚ Secure architectural decisions: Ensure that the DRP incorporates architectural decisions that do not compromise your organization’s security measures. This includes maintaining network segmentation, encryption, and access controls throughout recovery. ‚ Data transfer security: When moving data between primary and secondary sites or between cloud providers, ensure that the data transfer methods are secure and encrypted to prevent unauthorized access or interception. ‚ Vendor security: If using third-party services or vendors for DR, perform due diligence to ensure they meet your organization’s security requirements and have acceptable security measures in place. • Maintaining security during a prolonged emergency status: While it is tempting to prioritize expedited recovery over security during an emergency, it is crucial to remember that the duration of the emergency status is uncertain. To maintain security during a prolonged emergency condition, consider the following: ‚ Security policies and procedures: Ensure your organization’s security policies and procedures remain effective during DR. This includes maintaining access controls, incident response (IR), and security monitoring throughout recovery. ‚ Training and awareness: Provide DR training and awareness for employees to understand their roles and responsibilities in maintaining security during emergencies. ‚ Continuous security monitoring: Implement continuous security monitoring and auditing processes during DR operations to promptly detect and respond to potential threats or vulnerabilities.

Introduction to BCDR

Testing the DRP The effectiveness of a DRP relies heavily on thorough testing and validation to ensure it is ready to support the organization in a crisis. Without regular testing, organizations risk adopting ad hoc procedures during an emergency, which may result in a lack of BC and the introduction of security vulnerabilities. Here are essential aspects to consider when testing a DRP: • Types of testing: There are various methods to test a DRP, each with benefits and challenges. Organizations should consider employing a combination of testing approaches to ensure comprehensive validation of the plan, which could include the following: ‚ Tabletop exercises: This involves a group discussion to walk through the DRP and identify potential issues, gaps, or inconsistencies. It is an efficient and cost-effective way to review the plan without disrupting normal business operations. ‚ Walk-through drills: These are step-by-step simulations of disaster scenarios, during which team members perform their assigned tasks as outlined in the DRP. This helps identify areas for improvement and ensures that everyone understands their roles and responsibilities. ‚ Full-scale testing: This is the most complete form of testing, where the organization simulates an actual disaster event and enacts the entire recovery process. This test can be resource-intensive but provides valuable insights into the effectiveness of the DRP and the organization’s readiness to face a real crisis. • Test frequency: Regular testing is essential to maintain an effective DRP. The testing frequency should be determined by the organization’s risk profile, industry regulations, and the complexity of its IT infrastructure. At a minimum, organizations should aim to conduct tabletop exercises and walk-through drills annually, with full-scale testing scheduled every few years or after significant changes to the IT environment. • Test evaluation and improvement: Testing is not only about identifying weaknesses in the DRP but also about learning from the results and making improvements. The following could help you with this: ‚ Documentation: Thoroughly document the results of each test, including any issues, gaps, or inconsistencies identified during the exercise. This documentation will be valuable for future tests and plan updates. ‚ Debriefing: Conduct a debriefing session with all involved parties to discuss the results and gather feedback after each test. This helps identify areas for improvement and ensures that everyone clearly understands the plan’s strengths and weaknesses. ‚ Plan updates: Based on the test results and feedback, update the DRP accordingly. Regularly review and update the plan for organizational structure, technology, and risk environment changes.

179

180

Business Continuity/Disaster Recovery Planning

• Key to success: The key to successful BCDR planning is maintaining a business-centric rather than an IT-centric approach. If the information security professional effectively focuses on critical business functions, organizational leadership should be supportive and engaged in the process. Moreover, since the process begins with BC rather than IT continuity, it’s essential to carefully select your project sponsor and promote the activity to align with business goals. As emphasized throughout this book, the primary objective is to enable the business, not just to perform IT tasks for their own sake. This process should be led and championed by an executive business leader within your organization, with the IT team supporting and ensuring that the business remains operational in the event of a disaster. The following diagram illustrates the ongoing nature of BCDR planning. When executed effectively, your organization will constantly be engaged in some aspect of the cycle. This does not imply that the process will be overwhelming but instead emphasizes the importance of dedicating time to address critical business components:

Figure 7.1 – Different stages of a BCDR plan

Focus areas for BCDR planning Now that you have a solid understanding of the basics of BCDR planning, it’s time to delve deeper into the focus areas required to develop an effective plan. BCDR planning can be divided into three

Introduction to BCDR

main categories: management, operational, and technical controls. When combined, these provide a holistic approach to ensuring BC. Let’s look at them in more detail: • Management controls: Policies, practices, and procedures at the organizational, information system, and personnel levels, including the following: ‚ Risk management: BCDR explicitly addresses the risk associated with the outage of critical business services. It is recommended that BCDR risk management activities be integrated into a more comprehensive risk management program within a mature information security program. ‚ Policies and strategies: Policies and strategies are the outputs developed to ensure your business can continue functioning in a disaster. These should outline how the organization will respond to a disaster. • Operational controls: The organization implements security controls that deal with the day-today operations of organizational information systems: ‚ Organizational BC: Clearly defining your organization’s BC objectives as an operational capability will inform lower-level BU and information system BCPs ‚ Individual BCPs: Each BU should develop specific BCPs that align with overall organizational plans, ensuring a clear understanding of what is needed to keep individual BUs operating in the event of a disaster ‚ Policies and procedures: These detailed plans relate to DR, where the organization, BUs, and IT team collaborate to build the steps necessary to keep the organization operating during a disaster • Technical controls: Security controls implemented on the information system protect it from unauthorized access. These controls are installed and managed by the IT team. The technical aspect of BCDR involves actual implementations before a disaster occurs to ensure a smooth transition during an emergency. Depending on the organization’s risk appetite and requirements established during BC discussions, the organization may choose to have a fully functioning mirror of the current operating environment, a reduced capability providing the minimum services necessary to get through a disaster, or a hybrid of the two. To achieve these goals, the IT group will implement services, including the following: • Off-site replication: Off-site replication ensures that essential information services exist at multiple data centers or cloud instances in real time. If one site is disrupted, another instance can be used in its place to continue business operations. • Data backups: Data backups are implemented to ensure a system can be effectively restored. • Infrastructure (network, systems, storage): This encompasses all the architecture that goes into planning, designing, and implementing an effective DRP.

181

182

Business Continuity/Disaster Recovery Planning

The following diagram emphasizes how BC and DR processes seamlessly intertwine, culminating in a comprehensive strategy that ensures the business has the necessary personnel, procedures, and technology to recover from a disaster and maintain BC:

Figure 7.2 – Integration of BC and DR

Designing a BCDR plan A BCDR plan is an indispensable component of your organization’s risk management strategy, acting as a safeguard and helping your organization maintain resilience in the face of potential disasters and disruptions.

Requirements and context gathering – BIA A BIA is pivotal in supporting BC. The primary goal of a BIA is to collect all pertinent information to facilitate well-informed resource allocation decisions, ultimately contributing to the effective development of appropriate BCPs and DRPs. The BIA process involves several key steps, which, when executed, can significantly enhance an organization’s preparedness.

Inputs to the BIA The inputs to the BIA come from your business and mission team members, providing valuable information to inform the BCDR process. These inputs encompass various aspects that help develop and prioritize the BCDR plan, as follows: • Business process supported: Identifying the business processes supported is essential when developing a BIA. This information is considered when determining the rationale behind allocating resources to maintain specific functions during a disaster. • Information and services criticality: Define the specific data and information systems that support the identified business processes. This step helps prioritize resources and efforts during the BCDR planning process.

Designing a BCDR plan

• Business impact: Encourage the business to consider and document the potential impact on the organization if the information or information systems identified in the BIA become unavailable. This assessment helps you to understand the consequences of system downtime and the importance of maintaining these systems during a disaster. • Information systems utilized: Specify the information systems used to support the data and processes critical to the business. This information assists in developing targeted recovery strategies for each system. • Allowable outage: Ask the business to determine the maximum acceptable downtime for the information and information systems. This value can vary significantly depending on the type of information and the specific BU in question. Understanding the allowable outage helps prioritize recovery efforts and allocate resources effectively. For example, the allowable outage for an organization’s payroll system may be very different from an e-commerce application. The organization may decide that a 24-hour outage is acceptable for payroll processing requirements. In contrast, the e-commerce application might only be able to endure an outage of a few minutes before the impact becomes too severe. • Recovery priority: Have the BU establish its desired recovery priority for information and information systems from an IT perspective. This is typically achieved by implementing a tiering system, where a higher tier number represents a lower recovery priority. Continuing the example, the e-commerce application mentioned earlier might be assigned as a Tier 1 application, indicating a high recovery priority with significant resources dedicated to ensuring effective recovery. The payroll system may be designated as a Tier 2 application, receiving fewer resources for its recovery due to its longer allowable outage window. Assigning recovery priorities is crucial for several reasons, as it communicates to the IT team the business’s perspective on the criticality of the information system and their expectations for recovery. It also ensures the company understands the impact of resources and costs associated with different recovery priorities. A Tier 1 application may require a substantial investment to build a DR solution. If a system is genuinely business-critical, this expenditure is warranted; however, reducing its tier level can save the organization resources and money if it is not genuinely critical.

Outputs from the BIA The BIA outputs are crucial for developing a comprehensive DR strategy. This information aids businesses in creating their BCPs and supports IT teams in devising their DR policies. Various outputs emerge from the BIA, each serving a specific purpose in the overall BCDR planning process, as outlined here: • RPO: The RPO refers to the maximum tolerable period of data loss after a disruption. In other words, it is the time the IT team must be able to restore data following an incident. The RPO can be understood as the time between the most recent backup and the disruption.

183

184

Business Continuity/Disaster Recovery Planning

• RTO: The RTO represents the maximum tolerable period within which the IT team must restore past data and bring systems back online after an event. It is a crucial metric for gauging the efficiency and effectiveness of the recovery process. • Enterprise prioritization: This output involves the IT and business teams discussing and determining the restoration priority for each application within the various prioritization tiers. This step helps ensure that resources are effectively allocated during recovery and that the most critical systems are restored first. • SLAs: SLAs are established to create clear expectations and guidelines for the recovery process between the business and IT teams. They define the levels of service required for each system and ensure that both parties have a shared understanding of their respective roles and responsibilities during a disaster. The following diagram illustrates the inputs and outputs of a BIA:

Figure 7.3 – Inputs and outputs of a BIA

A BIA is a valuable document that fosters a clear understanding of the business criticality associated with data and the required steps for restoring information in the event of failure. By engaging in the BIA process, business and IT teams can work together to develop a comprehensive and effective BCDR plan that ensures the organization’s resilience in the face of potential disruptions.

Sample BIA form The sample BIA form shown next is designed to catalog business processes and information related to information systems and their associated data. The BIA process should not be overly bureaucratic, and the form aims to demonstrate that the procedure can be straightforward and uncomplicated. The essential information needed to determine BC and DR requirements can be captured using this simple form:

Defining technical DR mechanisms

Date:

Organization

Point of Contact:

System Name

System Owner: System Description: System Points of Contact

Business Impact Process

Role

Allowable Recovery Outage Priority

Software Hardware

Dependencies / Interfaces

Table 7.1

Remember—the BIA form aims to help you gather the necessary information to develop a BCDR plan without getting bogged down in excessive documentation or complexity. By focusing on this critical information, you can effectively assess your organization’s needs and priorities, ultimately ensuring a more efficient and targeted approach to BCDR planning.

Defining technical DR mechanisms Now that you have established precise requirements from your business stakeholders, it is time to develop a strategy to technically restore data and information systems in an outage or disaster.

Identifying and documenting required resources At this stage, you will examine the options based on your business user requirements and the technical resources available to effectively meet your BCDR needs, as follows: 1. Assess business user requirements: Begin by carefully reviewing the needs identified by your business users during the BIA process. This will help you understand the expectations and priorities for restoring data and information systems in a disaster. 2. Develop a technical design: Create a detailed technical design that addresses the requirements established by your business users. This should include the choice of technologies, tools, and processes necessary to ensure a seamless and efficient recovery process. 3. Maintain information security: Ensure the proposed technical design does not compromise the organization’s information security or increase its risk exposure. The design should comply with security policies, procedures, and established risk management practices.

185

186

Business Continuity/Disaster Recovery Planning

Conducting a gap analysis After developing a design for your DR approach, it is crucial to perform a gap analysis to identify any discrepancies between your proposed strategy and the existing resources and infrastructure. This will help you determine whether your organization already has the necessary tools and capabilities to implement the DRP or if gaps must be addressed. The following steps outline the process of conducting a comprehensive gap analysis: 1. Review the DRP design: Begin by thoroughly examining your proposed design, which should include the technical, operational, and management aspects necessary for successful implementation. 2. Analyze the current state: Assess your organization’s existing DR capabilities, resources, and infrastructure. This should involve evaluating the available tools, technologies, processes, and personnel that are in place to manage and recover from a disaster. 3. Identify gaps: Compare the proposed DR design with the current state of your organization to pinpoint any gaps or discrepancies. This might involve identifying areas where new resources, tools, or processes are needed, or where existing capabilities are insufficient to meet the requirements of the proposed design.

Developing DR mechanisms After designing your DR strategy and conducting a thorough gap analysis, it’s time to refine your approach, obtain management approval, and explore various DR options. This stage is crucial in determining the most suitable and cost-effective solutions that meet IT and business requirements. Here are the steps to develop and finalize your DR mechanisms: • Review and refine the DR design: Revisit the proposed design and make any necessary adjustments based on the findings from the gap analysis. Ensure that your final approach addresses all identified gaps and aligns with your organization’s business objectives and risk tolerance. • Engage stakeholders and management: Collaborate with key stakeholders and management to discuss the DR options, weighing the benefits and drawbacks of each approach. This will help you gain valuable insights and ensure the chosen solution aligns with business needs and expectations. • Obtain management approval: Present your final DR approach to management for support, outlining the costs, benefits, and potential risks associated with each option. Be prepared to address any concerns or questions during the approval process. • Adjust the approach based on management feedback: After receiving management’s input, make any necessary adjustments to the DR approach. This may involve exploring alternative solutions, revising cost estimates, or re-evaluating the organization’s risk tolerance. • Develop the final architecture: With an approved DR approach, create the final architecture incorporating all necessary components, such as hardware, software, and network infrastructure.

Developing your plan

Developing your plan A well-thought-out and coordinated DRP supports restoring critical business functions in a disaster. Here’s an outline of the components and steps to develop a comprehensive DRP: • Plan framework: Your DRP should cover the following areas: ‚ Business-critical operations ‚ Business-critical assets ‚ DR processes and procedures ‚ Assigned roles and responsibilities ‚ Communication procedures • Develop recovery teams: Form recovery teams with clearly assigned roles and responsibilities to ensure smooth execution during a disaster. A well-defined structure helps eliminate confusion and streamlines the recovery process. • Develop a communication plan: Establish a communication plan that outlines how information will be shared among team members and stakeholders during a disaster. If primary channels fail, this plan should include communication channels, protocols, and backup methods. • Establish relocation plans: Determine how your organization will continue to operate and where IT services will be provided in case of a disaster. Consider the following points: ‚ Will employees work from a new business location, or will they telework? ‚ Will IT services be provided from an alternate data center, or will you utilize a cloud service? • Address key requirements: Ensure that your DRP covers the following requirements: ‚ Storage requirements: Do you have enough storage capacity for new services? ‚ Network connectivity: Can your users access the DR IT site? Does the new site have appropriate bandwidth? How will external users access the alternate site (for example, an e-commerce site)? ‚ Licensing: How will the software used at the alternate processing facility be licensed? Will you pay for using the site and its technology while it is not in use? This may vary depending on whether you use a traditional data center or a cloud-based DR solution. • Develop detailed recovery procedures: IT systems can be complex, and standing up an alternate processing facility in support of BC is no simple task. Develop detailed, step-by-step plans to ensure nothing is missed during the recovery operation. Most information systems must be restored in a specific order, with certain services installed and started, before others can function correctly. A detailed plan will help implement services in the correct order, saving valuable troubleshooting time during a crisis.

187

188

Business Continuity/Disaster Recovery Planning

Testing the BCDR plan Thorough testing of your BCDR plan is a critical component of ensuring its effectiveness and instilling confidence that your business can continue to operate in the event of a disaster. Regularly testing your BCDR plan can identify gaps or weaknesses and address them accordingly. The benefits of testing your BCDR plan include the following: • Verifying that everyone knows their communication responsibilities in the event of a disaster • Confirming that necessary equipment, technical tools, and facilities are available • Certifying that individuals understand their role and specific responsibilities during an emergency • Identifying gaps or weaknesses in the plan and enabling updates with the appropriate people, processes, or technology to address these issues The primary objective of testing is to ensure that the plan functions as intended and that your organization and team members are prepared to implement the plan when needed. If you discover a missing component or a flawed approach, it is time to revise the plan. To pinpoint the cause of the issue, go back to the drawing board and review your procedures. Consider the following questions: • Did you overlook a crucial communication step? • Did you attempt to bring up an IT service out of order? • Is there a problem with your alternate facility or cloud service? Once you have identified the ineffective component, replace it and retest the plan. Continue this process until you can successfully transition to DR operations and revert to normal operations. Achieving this milestone demonstrates that you have effectively tested your BCDR plan and can assure your business that operations can be maintained during a disaster.

Summary This chapter delved into creating and maintaining an effective BCDR plan. A comprehensive BCDR plan is essential to an organization’s risk management strategy, ensuring that the business can continue operating and recovering from potential disasters. A well-designed and thoroughly tested BCDR plan is vital to ensure the continuity and resilience of an organization in the face of potential disasters. By following the steps outlined in this chapter and continually reviewing and updating the plan, businesses can minimize the impact of disasters and maintain the trust and confidence of their stakeholders. In the next chapter, we will be discussing the concepts around IR planning and how your organization should prepare for detecting and responding to an intrusion attempt by an attacker.

8 Incident Response Planning Incident response planning is a critical component of information security. This chapter covers the essential aspects of an incident response plan (IRP): its definition, preparation, identification process, including detection and analysis, and the tools for these tasks. We also address the stages of remediation, from containment to recovery and mitigation, supported by specific capabilities. The chapter concludes by discussing post-incident activities to prepare organizations for future incidents. The following topics will be covered in this chapter: • What is an IRP? • Preparation of an IRP • Identification – detection and analysis • Identification – incident response tools • Remediation – containment/recovery/mitigation • Remediation – incident response tools • Post-incident activity

What is an IRP? An IRP outlines the steps and procedures to be followed in the case of a security breach or incident affecting the organization’s network or information systems. The primary objective of an IRP is to ensure that the organization has a repeatable process in place to respond to any potential information security threats rapidly and effectively. An IRP is an organization’s carefully crafted set of processes and procedures during an information security incident. These incidents can range from a simple malware infection to a full-scale data breach. The response plan helps the organization minimize the impact, contain the threat, and swiftly restore normal operations. In essence, the IRP serves as a roadmap for the organization’s information security team, outlining the actions to be taken and the resources to be utilized in the face of a security incident.

190

Incident Response Planning

Do I need an IRP? It is essential to have a well-thought-out IRP in place to protect your organization from potential cyber threats. Regardless of the size or complexity of your organization, an IRP is vital to ensure that you have the necessary processes and procedures for identifying, containing, eradicating, and recovering from threats to your environment. The following are some benefits of an IRP: • Threat containment and eradication: An IRP provides a systematic process to contain and eliminate threats swiftly, minimizing their impact on your organization. • Business continuity: An effective IRP helps ensure your organization can quickly recover and restore normal operations following a security incident. This reduces downtime and ensures your business can continue operating with minimal disruption. • Regulatory compliance: Many industries and jurisdictions have regulations and standards that mandate organizations to have a comprehensive IRP. Implementing an IRP helps your organization meet these regulatory requirements. • Improved coordination and collaboration: A well-defined IRP outlines the roles and responsibilities of various organizational stakeholders, promoting a collaborative approach to incident response. The size and complexity of your IRP will depend on the unique characteristics of your organization, such as the size of your business, the industry you operate in, and the types of information assets you manage. However, an effective IRP should be concise, focused, and easy to understand, enabling all stakeholders to follow the plan when responding to security incidents.

Components of an IRP An IRP is vital to any organization’s information security program. Its primary purpose is to ensure that the organization can continue operating and providing services in the event of a security incident. The plan consists of several phases forming the IRP life cycle. The phases of the IRP life cycle include the following: • Initial activities: These activities initiate, plan, and implement the incident response capability within the organization. They include the following: ‚ Ongoing dialogue: Regular communication with IT and business stakeholders is crucial to ensure the incident response capability aligns with business objectives ‚ Planning: Involves establishing the organization’s incident response capability as a functioning business program ‚ Life cycle establishment: Involves setting up the repeatable life cycle that will characterize the incident response process for the organization

Preparation of an IRP

• Operational processes: These are the repeatable operational processes involved in enterprise incident response, focusing on the tactical procedures executed during an incident to mitigate the threat. • Continuous improvement: Processes to gather lessons learned from both programmatic and operational perspectives are essential to update and improve the overall incident response capability. As you operate your incident response capability, you will undoubtedly find areas for improvement and no-longer-needed activities. Be willing to reevaluate your plans and adjust as necessary to ensure that you operate as efficiently and effectively as possible. A crucial aspect of an effective IRP is that it should be focused on minimizing the impact on the organization while ensuring that the threat is fully mitigated and normal operations can resume. The incident response activities should not cause additional disruption or impact beyond what is necessary to resolve the security incident. This approach helps maintain business continuity and ensures the organization can recover quickly from security breaches.

Preparation of an IRP Preparation plays a crucial role in establishing a successful enterprise incident response capability. Preparing involves the foundational requirements for an IRP and emphasizes the importance of IT and cybersecurity hygiene in adequately defending the organization’s information systems. Integrating incident response planning with other IT and information security functions is essential for a comprehensive and practical program. As part of the preparation phase for incident response, it is essential to assess the organization’s current cybersecurity posture and identify any necessary technical updates or improvements. Any vulnerabilities or weaknesses discovered during this process should be captured and addressed as part of the organization’s risk management program. By proactively mitigating these risks, the organization can enhance its overall security posture and reduce the likelihood of security incidents. An effective IRP should not be isolated from other IT and information security planning initiatives. Fostering cross-functional collaboration between the incident response team, IT departments, and information security teams is essential. This integrated approach ensures a more comprehensive and coordinated response to potential security incidents.

Understanding what is important Your incident response capability will rely heavily on thoroughly understanding the organization’s mission-critical elements. Knowing what is most important to your business or mission is essential as part of your preparation activities. If you have followed the guidance provided up to this point, you should have collaborated with your stakeholders to identify key information, such as sensitive organizational data, IT assets, risk appetite, allowable business process disruption, and the interconnectivity of information systems. If you have not conducted these activities, now is the time to engage your business and IT stakeholders. By delving into the intricacies of your organization, you can better prepare for and respond to potential security incidents.

191

192

Incident Response Planning

Key concepts to understand for effective incident response include the following: • Sensitive organizational data: Identify the data types that are most valuable and sensitive to your organization, such as customer information, intellectual property, and financial records. Understanding the nature and location of this data is crucial for implementing appropriate security measures and prioritizing response efforts during a security incident. • Sensitive information technology assets: Determine the IT assets that are critical for your organization’s operations, such as servers, databases, and network infrastructure. Recognizing these assets can help you prioritize their protection and focus on their recovery during an incident. • Your organization’s risk appetite: Understanding your organization’s risk tolerance helps develop an IRP that aligns with your organization’s objectives and risk management strategy. This understanding ensures that your response efforts are proportionate to the severity of the incident and the potential impact on the organization. • Allowable business process disruption: Identify the acceptable disruption to your organization’s business processes during a security incident. This information can guide your response strategy, helping you allocate resources efficiently and prioritize recovery efforts. • Interconnectivity and communication of information systems: Gaining insight into how your information systems are interconnected and communicate is vital for effective incident response. This knowledge enables you to understand the potential impact of an incident on various systems and assess the risk of an incident spreading across your organization. The following are some additional concepts that help you further enhance your incident response capability: • Interaction between business applications and databases: Analyze how your business applications and databases interact. This information is crucial for identifying vulnerabilities and understanding a security incident’s potential impact. • Information sharing between business applications: Investigate how different business applications share information, as this can help you identify potential attack vectors and inform your incident response strategy. • Server configuration: Understanding how the servers supporting your business applications are configured is essential for implementing appropriate security measures and responding effectively to incidents. • Network configuration: Gaining insight into your network’s configuration is vital for ensuring effective communication between business applications and identifying potential vulnerabilities.

Preparation of an IRP

Prioritization In incident response planning, understanding and prioritizing the critical elements of your organization is essential. Engaging closely with your business or mission stakeholders allows you to gain valuable context and enables you to prioritize what is most important to the organization. This, in turn, helps you respond effectively to potential security incidents. Based on business input, develop a list of crucial components, including the following: • Business applications and databases: Identify your organization’s critical applications and databases. These are the systems that the business relies on to function properly. A disruption in confidentiality, integrity, or availability could seriously affect the organization’s ability to operate. Understand the importance of these systems and prioritize their protection in your IRP. • Critical users: Develop a list of users essential to the organization’s successful operation. These users typically have access to sensitive information or hold key positions, and their actions could significantly negatively impact the organization if manipulated by a threat actor. Critical users may include the following: ‚ VIPs: C-suite executives and board members who make high-level decisions and have access to sensitive information. ‚ Key business users: Individuals with access to crucial organizational data, such as comptrollers or HR directors, who could cause significant harm if they were to release or manipulate this information. ‚ IT administrators: IT personnel managing and maintaining the organization’s information systems, networks, and infrastructure. These individuals have elevated privileges, and their actions could significantly impact the organization’s security posture. • Critical network and system services: Identify the essential components of your enterprise network environment necessary to maintain the availability requirements for business data and applications. These may include the following: ‚ Network infrastructure: Routers, switches, firewalls, and other networking equipment that enable the flow of data between systems and ensure secure communication ‚ Servers: Physical or virtual machines that host applications, databases, and other services crucial to the organization’s operations ‚ Security solutions: Intrusion detection systems/intrusion prevention systems (IDSs/IDPs), anti-malware software, and other security tools that help protect the organization from threats ‚ Backup and recovery systems: Solutions that facilitate regular data backups and enable the organization to restore critical information and systems during a security incident or disaster

193

194

Incident Response Planning

You can develop a more targeted and effective IRP by working closely with your stakeholders to understand and prioritize these critical elements. This focused approach allows you to allocate resources efficiently and respond quickly to security incidents.

Determining what normal network activity looks like To effectively identify and respond to potential threats actively exploiting your network, it is essential first to understand what normal network activity looks like for your organization. Establishing a baseline for normal behavior allows you to detect anomalies and irregularities that may indicate a security incident, thus enabling your incident response identification phase to begin. As outlined next, utilize various tools and techniques to develop an automated view of your network’s behavior and user population: • Network monitoring and analysis: Implement network monitoring and analysis tools to continuously observe the traffic and activity on your organization’s network. These tools can help you gather information about typical patterns of data flow, communication between systems, and the usage of network resources. By establishing a baseline for normal network activity, you can more easily identify deviations that may signify an ongoing security incident. • User behavior analytics (UBA): Employ UBA tools to analyze and understand the typical behavior of users within your organization. UBA solutions monitor and track user activities, such as login patterns, resource access, and data manipulation, and create profiles for each user based on their regular activities. By understanding the normal behavior patterns of users, you can quickly detect anomalies, such as unusual login attempts or unauthorized access to sensitive data, which could indicate a security breach. • Endpoint detection and response (EDR): EDR solutions provide continuous monitoring and analysis of endpoint activities within your organization. EDR tools can help you establish a baseline for normal endpoint behavior, including software usage, file access, and system configuration changes. By identifying deviations from this baseline, you can detect potential security incidents and initiate appropriate incident response measures. • Security information and event management (SIEM): SIEM systems aggregate and analyze log data from various sources within your organization, such as network devices, servers, and applications. SIEM solutions can help you comprehensively view normal activities across your environment and detect potential security incidents through real-time correlation and analysis of log data. • Regular audits and reviews: In addition to utilizing automated tools, conduct regular audits and reviews of your organization’s systems, processes, and security posture. Examine access logs, configuration settings, and security policies to align with established baselines and best practices. Regular reviews can help you identify potential weaknesses and maintain a current understanding of your organization’s normal operating state.

Preparation of an IRP

By employing these tools and techniques, you can clearly understand what normal looks like within your organization’s network and user population. This understanding enables you to detect abnormal activities and potential security incidents more effectively, allowing you to initiate the incident response identification phase promptly.

Observe, orient, decide, and act The observe, orient, decide, and act (OODA) loop is a valuable concept that can help guide the planning and execution of your incident response capabilities. Initially developed by military strategist John Boyd, the OODA loop is a foundation for dealing with adversaries, precisely what information security professionals do when developing and executing an incident response plan. Here’s a breakdown of the loop: • Observe – gain visibility into your information systems: The first step in the OODA loop is ensuring you have as much visibility as possible into your information systems. Implementing advanced and layered monitoring technologies is the best defense against modern, well-funded, and highly motivated adversaries. You aim to have in-depth visibility into your information systems’ normal operations to effectively identify and detect abnormal behavior. • Orient – triage and prioritize actions: The orientation phase involves taking the vast amount of information gathered through your layered monitoring capabilities and applying additional tools and techniques to analyze the data. This process allows you to triage and prioritize actions based on the severity and potential impact of the identified security incidents. • Decide – make informed decisions: Once you have ingested information from your network and distilled it into actionable, prioritized work, it’s time to make decisions based on various factors, including the following: ‚ Corporate policy: Ensure your response aligns with your organization’s established policies and guidelines ‚ Incident response plan and procedures: Adhere to your IRP’s predefined steps and processes ‚ Regulatory requirements: Comply with regulations governing your organization’s operations and data handling ‚ Applicable laws: Respect the legal boundaries and obligations relevant to your organization and industry

195

196

Incident Response Planning

• Act – contain, eradicate, and recover: The final phase of the OODA loop involves taking the following necessary steps to address the security incident: ‚ Contain the threat: Prevent the threat from spreading any further within your organization’s systems ‚ Eradicate the threat: Remove the threat from the affected information systems, ensuring no traces of the adversary remain ‚ Recover from the threat: Restore the information systems to a fully operational state, ensuring business operations can continue as usual The following figure graphically represents the OODA loop regarding an effectively implemented incident response capability.

Figure 8.1 – OODA loop applied to incident response

The OODA loop is designed to be iterative, with each phase feeding into the next and allowing for a return to the beginning if necessary. This flexibility accounts for the possibility that additional information may be uncovered during the incident response investigation, requiring further analysis and adaptation.

Preparation of an IRP

Incident response procedure development Incident response provides documented and repeatable processes for incident responders to perform the necessary activities, such as detecting and analyzing threats and containing, eradicating, and recovering from them. To achieve this, your organization should adopt a checklist approach, offering clear instructions and guidance for specific incident response activities. The following are some of the recommended checklists to implement: • Emergency contact checklist: One significant issue many organizations face during an incident or emergency is knowing who to contact. In a crisis, this uncertainty can lead to mistakes and chaos. A well-crafted checklist communicates who, what, when, why, and how communications should be conducted during an incident response activity. A communication checklist should include the following: ‚ Information for the entire incident response team, including the information security team, IT team (network, systems, apps, etc.), and business team ‚ Call tree – key roles for incident response and their order of contact • Security analysis checklists: Incident responders should develop checklists for various technologies and business applications on their network. These checklists are tactical guides for incident handlers to delve deeper into affected systems. Focus areas for security analysis checklists include the following: ‚ OSs: macOS, Windows, and Linux ‚ Network services: DNS, DHCP, and Microsoft Active Directory ‚ Business applications: Salesforce, Oracle, and SAP • Incident handler bag checklists: All incident responders should have a ready-to-go bag containing all the information and tools they need to perform their job duties if displaced or required to go to another facility for incident response activities. The bag should include the following: ‚ A physical emergency contact checklist (USB drives and laptops can fail) ‚ Physical copies of any other checklists or policies deemed mission-critical ‚ An empty lined notebook for documenting the incident ‚ Necessary tools and utilities for performing incident response and forensic functions per your organization’s IRP ‚ Blank USB thumb drives ‚ An incident response laptop – organizations may provide a laptop for each incident responder or have one laptop for multiple responders to use

197

198

Incident Response Planning

The following example illustrates a simple high-level checklist that characterizes the incident response process. In step 7, an emergency contact checklist will be used. The key takeaway is that you will not have a single checklist for conducting incident response activities. Instead, you will use multiple checklists to close out an incident successfully: Action

Completed

Identification (Detection and Analysis Phase) 1

Determine whether an incident occurred

2

Analyze precursors and indicators of compromise

3

Perform information correlation

4

Perform open source research (forums, search engines, etc.)

5

If it is determined that an incident has occurred, do the following: • Begin comprehensively documenting the investigation • Fully document and gather evidence

6

Triage incident based on impact on the business/mission: • Recovery requirements • Application criticality • Data criticality

7

Report the incident to the following: • Appropriate internal personnel • Authorized external organizations

Remediation (Containment, Eradication, and Recovery) 8

Acquire, preserve, secure, and document evidence

9

Conduct necessary activities to contain the incident

11

Identify and mitigate all vulnerabilities that were exploited

12

Remove malware, inappropriate materials, and other components

13

For each affected system and service, repeat identification steps 2 and 3 and remediation steps 8–12

14

Restore affected system(s) to an operational state

15

Validate that affected systems are operating normally

Preparation of an IRP

Action

Completed

Post-Incident Activity 16

If needed, implement additional information security monitoring to detect similar activity

17

Create after-action report

18

Hold lesson learned meeting Table 8.1

The following is a sample incident response form that would be used to collect information related to an incident: Sample Incident Reporting Form Contact Information for This Incident Name: Email Address: Title: Program Office: Mobile Phone: Work Phone: Incident Description Provide a brief description of the incident: Who has been notified? Name

Notes: Sensitivity of Data/Information Check All That Apply

Title

Email

Phone

199

200

Incident Response Planning

Sample Incident Reporting Form F Public F Internal Use Only F Restricted/Confidential (Privacy Violation) F Unknown/Other – Please Describe:

Public Information

Information that has been approved for public release. Unauthorized disclosure of this information will not have a business impact. Examples include the following: • Marketing brochures • Public web pages

Internal Use Only

Information intended for use within the organization or between business partners. Unauthorized disclosure of this information may cause a business impact. Examples include the following: • Internal communications • Policies • Procedures

Restricted/Confidential (Privacy Violation)

This information is private to the organization or is considered sensitive and must be restricted to those with a legitimate business need for access. Unauthorized disclosure of this information to people without a business need for access may cause a serious business impact. Examples include the following: • Customer transactions • Account information

• Employee performance evaluations Provide a brief description of the data that was compromised: Impact/Potential Impact Check All That Apply

Preparation of an IRP

Sample Incident Reporting Form F System downtime F Loss/compromise of data F Damage to systems F Other organizations’ systems affected F Violation of legislation/regulation F Financial loss F Damage to the integrity or delivery of critical goods, services, or information F Unknown at this time Provide a brief description of the impact: What Steps Have Been Taken? Check All That Apply F System disconnected from the network F Log files examined (saved and secured) F Restored backup from tape F Updated virus definitions and scanned system F No action taken F Other – please describe: Provide a brief description of the steps taken: Incident Details Date and time of incident: Physical location of system(s): The number of systems affected: The number of sites affected: The number of users affected: Has the incident been resolved? Provide any additional information required to document the incident properly. Table 8.2

201

202

Incident Response Planning

Now that we have gone through the preparation process, we are prepared to discuss the activities around detection and analysis.

Identification – detection and analysis A crucial concept to understand and develop as a core component of your incident response capability is the concept of incident triage. The reality is that not all incidents are treated the same, and by using a triage approach, you can focus on important events while ignoring irrelevant noise. The following list offers a sampling of potential attack vectors that an attacker might use and an incident responder must be prepared to address. Each category is distinct in terms of exploitation and will require different mechanisms to discover abnormal behavior: • Compromised credentials: Attacks made possible due to harvesting information system credentials: ‚ System (OS)/service account compromises ‚ User account compromises • Web attacks: Attack vectors that use a web browser to install malware or harvest credentials: ‚ Drive-by downloads ‚ Cross-site scripting • Removable media: Attacks delivered via removable media: ‚ USB thumb drives or DVDs left in a parking lot ‚ Unsecured USB thumb drives used by unauthorized individuals • Email attacks: Attacks that use email as a vector to deliver malware: ‚ Business email compromise ‚ Phishing emails/spear phishing emails • Loss or theft of equipment: The loss of a device allowing unauthorized users to access intellectual property: ‚ Laptops without hard drive encryption ‚ Mobile devices improperly configured to encrypt sensitive information

Identification – detection and analysis

• Information system misconfigurations: Attack vectors that take advantage of misconfigurations in the information system: ‚ Vulnerable software configurations ‚ Anonymous File Transfer Protocol (FTP) servers ‚ Open proxy servers ‚ Inadequate patch management • Improper usage: Incidents generated by authorized users performing unauthorized actions: ‚ Insider threats ‚ Employee exfiltration of intellectual property A significant concept related to detection and analysis is the importance of automation and the proper configuration of automation tools. Tools can be beneficial, but an improperly configured tool can make your job more difficult. Some key considerations when configuring your automated tools include the following: • Don’t collect everything: Sometimes, as information security professionals, we want to ensure that every aspect of an information system is fully logged and available for search. However, this approach can be costly, making it nearly impossible to find actionable information in your automated tool. Additionally, false alerts are usually very high because the information is not targeted enough to perform searches against. Instead, perform a requirements analysis and ingest only the information you need into your incident response tools. This approach will enable you to do more with better data. • Craft effective rules: Many professionals purchase security tools and rely solely on the inbuilt rules. While these rules may be helpful, they do not address the specific concerns related to your information system or consider your work with your business stakeholders to determine what is critical to the organization. If you have critical information and information systems, ensure your automation is used to analyze those assets. • Regularly update and fine-tune your tools: Security landscapes constantly evolve, with new threats and vulnerabilities emerging daily. To keep your incident response tools effective, it is essential to regularly update them and fine-tune their configurations to address the changing environment. Stay informed about the latest security trends, threat intelligence, and best practices to ensure your tools remain relevant and effective. • Integrate tools and share information: Leverage integration capabilities between different security tools to enable seamless information sharing. This approach enhances the overall efficiency and effectiveness of your incident response process. By integrating tools and sharing relevant data across your security ecosystem, you can create a more comprehensive view of your organization’s security posture and enable faster, more informed decision-making.

203

204

Incident Response Planning

Identification – incident response tools By leveraging technical observational tools, organizations can comprehensively understand their networks, making detecting and responding to security incidents more manageable. Each tool serves a unique purpose: monitoring network and server activity, analyzing logs, tracking system availability, inspecting network packets, analyzing web traffic, or scanning for vulnerabilities. Let us now learn about each of these tools.

Observational technical tools Observational technical tools play a crucial role in incident response by providing visibility into the network, enabling responders to establish a baseline for normal behavior, and making it easier to detect anomalous activities. These tools can be classified into several categories: • Host- and network-based IDSs/IPSs: These tools monitor real-time network and server/ workstation activity. Typically signature-based, they detect suspicious activities matching preconfigured signatures and either block (IPS) or alert (IDS) when a match occurs. • SIEM, log analysis, and log management: These tools offer visibility into networks, systems, and applications by analyzing and managing logs. As part of the preparation phase, ensuring complete visibility into your information systems is important. • Availability monitoring: These tools monitor the uptime and responsiveness of information systems. They can help identify patterns of outages that may lead to incident detection. • NetFlow analyzers: These tools inspect packets on the network, enabling the detection of abnormal behavior. They can be deployed at any point on the network, including its boundaries. • Web traffic analysis: These tools monitor and log various types of traffic between clients and servers. They enable the analysis of traffic patterns, particularly in HTTP traffic streams between web browsers and web servers. • Vulnerability scanners: These tools identify vulnerable systems within your enterprise network and offer potential remediation options for detected vulnerabilities.

Orientation tools Orientation tools are crucial in shaping our perspective on the vast data available in modern information systems. These tools enable us to distinguish between routine information system activities and potential threats that could compromise confidentiality, integrity, or availability.

Identification – incident response tools

Two areas of importance when orienting your IRP are asset management and threat intelligence: • Asset management: Asset management tools provide a comprehensive view of the components that constitute your enterprise information systems, including networks, workstations, servers, software, and enterprise applications. A functional asset inventory establishes clear boundaries around high-risk and business-critical processes, data, and information systems. Asset management tools assist in managing the thousands of individual technology components in your inventory. This focused approach allows you to prioritize incident investigations effectively. For instance, if you observe an event originating from a system critical to business operations, you can assign it a higher priority. • Threat intelligence: Threat intelligence delivers information about various threats, including the following: ‚ Global threats that indiscriminately impact everyone ‚ Regional threats targeting specific geographic regions or countries ‚ Industry-specific threats affecting sectors, such as energy or retail ‚ Organization-specific threats where adversaries specifically target your organization for compromise Threat intelligence feeds the incident response process with indicators of compromise (IoCs), providing context and helping to reduce enterprise log data to a more manageable level. Here’s an example: ‚ A web proxy generates millions of access logs to internet web servers daily, based on requests from your organizational team members ‚ Among those logs, there’s a request to access a command and control server for a botnet network ‚ Your threat intelligence toolset contains information that enables your logging tools to alert when this botnet server is accessed ‚ You can initiate the triage process to determine whether a compromise occurred

Decision tools Decision tools enable you to take the triaged threat information from your observation and orientation tools and make risk-based decisions to protect your organization. Unlike other tools we’ve discussed, decision tools are not something you can download and begin running against your information system. Decision tools encompass the policies, procedures, and plans you develop as part of your information security and incident response plans. Although numerous templates and samples are available online, you will quickly realize that they may not address your organization’s unique needs. This is because each organization has its distinct culture and business and mission objectives, which cannot be catered to by a standard template.

205

206

Incident Response Planning

As you develop tools to support your incident response decision-making process, adhering closely to your organization’s corporate policies, regulatory requirements, and applicable laws is crucial. To create a practical set of decision tools, consider the following components: • Incident response policy: An incident response policy outlines the organization’s approach to managing and responding to security incidents. This policy should define roles and responsibilities, establish reporting procedures, and set expectations for communication during an incident. It should also be aligned with the organization’s overall security strategy and comply with relevant laws and regulations. • Incident response plan: The IRP is a step-by-step guide for responding to security incidents. It should include detection, assessment, containment, eradication, and recovery procedures. The plan should also cover communication protocols, escalation processes, and post-incident review and improvement activities. Regularly review and update the plan to ensure it remains relevant and effective. • Incident response procedures: Incident response procedures provide detailed instructions for executing the IRP. These procedures should be tailored to your organization’s needs and address various incidents, such as data breaches, malware infections, or insider threats. Ensure that the procedures are clear, concise, and easy to follow, and regularly update them based on lessons learned from previous incidents and evolving threats. • Incident response team: Establish an incident response team with clearly defined roles and responsibilities. This team should include members from various departments, such as IT, legal, human resources, and communications. Ensure that team members are well trained and have the skills and expertise to manage security incidents effectively. • Incident response training and awareness: Regularly conduct training and awareness sessions for employees to ensure they understand the organization’s incident response policies, procedures, and plans. This training should cover topics such as incident reporting, phishing attacks, and social engineering tactics. Conduct periodic tabletop exercises and simulations to test and refine incident response capabilities. • Legal and regulatory compliance: Ensure that your incident response policies, procedures, and plans comply with applicable laws and regulations. This may include data breach notification laws, industry-specific regulations, and privacy requirements. Work closely with your organization’s legal and compliance teams to ensure your incident response activities align with these requirements.

Remediation – containment/recovery/mitigation Remediation is where you, as the incident responder, actively engage with the threat to protect the organization from further harm. This phase is possible due to the observation and orientation tools’ high-quality data. After analyzing the data and making an appropriate decision based on the organization’s mission and legal requirements, you can implement the necessary information security measures to address the threat.

Remediation – containment/recovery/mitigation

The remediation phase can be broken down into three main actions: 1. Contain the threat: ‚ Initially limiting damage: The primary objective at this stage is to ensure that the attacker is unable or finds it highly challenging to cause harm to other information systems. This could involve isolating affected systems, implementing temporary access controls, or blocking specific IP addresses or domains. ‚ Fully containing the threat: In reality, you may not be able to fully contain the threat within the first few minutes of the incident. However, your ultimate goal is complete containment, which allows you to start the eradication process. 2. Eradicate the threat: ‚ During this phase, the primary focus is completely removing the threat from your information systems. This may involve removing malware, patching vulnerabilities, or updating software to eliminate security flaws. ‚ Care must be taken to fully understand the threat, ensuring it is entirely removed from the information system. Failing to do this could result in the attacker maintaining a foothold on your information system and causing a future outbreak based on an improperly remediated incident. 3. Recover from the threat: ‚ An essential part of the incident response process is restoring the information system to its full operational capability. This may involve recovering data from backups, repairing damaged systems, or updating software configurations. ‚ The incident response team must conduct tests to ensure the following:  The information system operates as expected, and the business processing capability has resumed. This may include verifying that all services function correctly, checking the system’s performance, and confirming that users can access the required resources.  The threat has been completely neutralized, and there are no indications that the threat has resurfaced. This could involve monitoring system logs, analyzing network traffic, or conducting vulnerability scans to validate that the threat has been effectively eliminated. Throughout the remediation process, it is essential to maintain clear communication with relevant stakeholders, including IT teams, management, and potentially affected users. Keeping them informed about the progress of the remediation efforts and any potential impact on the organization can help build trust and ensure a coordinated response.

207

208

Incident Response Planning

After completing the remediation process, conducting a thorough post-incident review is crucial. This review should analyze the incident’s cause, the effectiveness of the response, and any potential improvements to the organization’s IRP and security measures. This continuous improvement process helps strengthen your organization’s security posture and better prepare for future incidents.

Remediation – incident response tools Remediation is a vital component of incident response. Remediation incident response tools have features designed to provide an efficient and repeatable way to respond to a cyberattack. These tools help organizations streamline their responses, ensuring that they address not just the symptoms of a breach but also the root causes.

Act (response) tools Several tools should be part of your response toolkit to respond to incidents effectively. These tools aid in various aspects of incident response, including forensics, data preservation, and recovery. The following are some of the essential tools and their functions: • Forensics tools: Forensics tools enable you to accurately examine digital media while maintaining a legally sound audit trail. This ensures that you can do the following: ‚ Identify crucial investigative information for backup ‚ Preserve the identified information for future analysis ‚ Analyze preserved information to uncover facts ‚ Act on the facts through further investigation, response, or reporting • Backup tools: In most cases, restoring an environment from a backup is safer than attempting to clean it after an intrusion. This is because a high risk is associated with determining whether an affected device has been properly cleaned. Backup tools enable you to recover from an incident with a fully restored environment, including your data. Many considerations for planning the proper use of backup tools come from the concepts of business continuity and disaster recovery (BCDR). One idea not covered in Chapter 7, Business Continuity/Disaster Recovery Planning, is ensuring you have enough backups to avoid restoring problems such as backed-up malware. Make sure you have sufficient backup data to go back in time to restore data that was available before an incident. • Incident management and ticketing systems: These tools help you manage and track incident response activities, ensuring that all tasks are adequately assigned, documented, and completed. They also facilitate collaboration among team members and provide valuable insights for post-incident analysis and improvement.

Post-incident activity

• Malware analysis tools: Malware analysis tools allow you to dissect and understand the behavior of malicious software, identify its capabilities, and develop effective countermeasures. They can be vital in understanding the extent of a threat and informing your incident response strategy. • Network security tools: Network security tools help you secure your network and detect potential vulnerabilities. They can be instrumental in preventing and mitigating incidents by identifying weaknesses in your network infrastructure and assisting with patch management.

Post-incident activity Thorough post-incident reviews and IRP testing are foundational for any incident response capability. The review and testing conducted in support of the IRP is an opportunity to assess the IRP tools’ efficacy, response speed, and the team’s overall coordination.

Remediation – root cause analysis Root cause analysis is the process used to determine the primary cause of a security incident or breach. By identifying the root cause, organizations can address and rectify the underlying vulnerabilities and shortcomings, strengthening their security posture and minimizing the risk of future incidents. Understanding the incident’s origin is essential regardless of its type or scale. This understanding aids organizations in designing and implementing more effective countermeasures. Root cause analysis is not just about determining what happened but also, more critically, why it happened. Without a comprehensive understanding of the “why,” organizations might only address symptoms rather than the actual vulnerabilities. As a result, organizations may remain exposed to the same types of threats as the root cause of the security incident has not been determined. The following steps can be used to conduct root cause analysis.

Steps in conducting root cause analysis The following are the steps in conducting root cause analysis: 1. Data collection: The first step involves gathering all relevant data about the incident. This can include logs from firewalls, IDSs, OSs, applications, and reports from end users. 2. Timeline creation: Developing a comprehensive timeline of events can help trace back the actions that led to the incident. This chronological understanding can highlight unexpected patterns or anomalies that preceded the breach. 3. Identify contributing factors: Beyond the direct causes, several contributing factors might make the environment conducive to the breach. This could include outdated software, misconfigured systems, or employee training. 4. Determine the root cause: Using data-driven techniques, analysts can pinpoint the root cause. Techniques such as the “five whys” analysis, fishbone diagrams, or fault tree analysis can be leveraged depending on the incident’s complexity.

209

210

Incident Response Planning

5. Recommend and implement fixes: Once the root cause is identified, specific solutions should be proposed and implemented. This can range from modifying technical security controls to revising company policies and training.

Lessons-learned sessions After successfully closing out an incident, conducting a lessons-learned session is crucial to determine areas for improvement and enhancement. Some key aspects to consider during this session include the following: • Identifying areas where improvements need to be made in the process. • Do new procedures need to be created? • Do new alerts, signatures, and search parameters need to be added to automation tools? • Were the plans followed? Did the team panic or remain calm? • Is additional training required? Conducting thorough lessons-learned sessions and assigning tasks to perform updates helps instill confidence in your IRP. It demonstrates that you are committed to addressing shortcomings and improving your processes. Once you have identified actions for improvement, ensure that you work on these activities to completion. Develop tasks or projects as necessary to mitigate any discovered shortcomings in your incident response process.

IRP testing Similar to BCDR, testing your overall incident response capability periodically rather than during an active incident is essential. Incident response testing refers to proactive training events and simulations designed to prepare organizations for real-world cybersecurity incidents. By running these tests, organizations can better understand their strengths and weaknesses, improve their incident response plans, and ensure that team members know their roles during an incident: • Red/blue/purple teams: ‚ Red team: Utilize information security experts skilled in penetrating networks to simulate an actual network attack ‚ Blue team: Engage your information security defenders and automation tools to identify and remediate network intrusion ‚ Purple team: Combine the efforts of the red and blue teams, fostering collaboration to dive deeper and uncover more significant vulnerabilities

Post-incident activity

• Tabletop exercises: ‚ A tabletop exercise focuses on testing the plan rather than the technology ‚ Individual team members work through the planning phases, testing communication channels ‚ Team members work through scenarios and discuss their actions instead of performing them on the information system As mentioned in the Lessons-learned sessions section, if you discover an issue with your incident response capability, ensure that you adequately capture it and develop an appropriate mitigation plan. The following diagram summarizes the content of this chapter, illustrating the interrelation and cyclical nature of the various phases and components of a well-functioning IRP:

Figure 8.2 – Incident response planning

Developing and implementing a comprehensive information security IRP is critical in protecting an organization’s digital assets and infrastructure. As cyber threats evolve and increase in sophistication, a well-structured and adaptable IRP becomes indispensable. By incorporating the various phases, components, and tools discussed in this chapter, organizations can effectively prepare for, identify, and manage potential security incidents. Emphasizing continuous improvement, regular testing, and learning from past experiences will bolster an organization’s security posture and resilience against

211

212

Incident Response Planning

cyber threats. Ultimately, a proactive and agile approach to incident response will play a vital role in safeguarding an organization’s valuable assets and preserving its reputation.

Summary The IRP is designed to ensure that the information security plan is equipped with the appropriate personnel, processes, and technologies to address any information security incidents targeting your organization’s systems. In this chapter, you’ve learned about the components of the IRP, its importance, the essentials for creating an effective one, and the automation, tools, and techniques that enhance response activities. The next chapter will introduce you to the security operations center (SOC). The SOC is crucial in offering visibility and timely responses within the enterprise network, facilitating swift action when any malicious activity is detected.

9 Developing a Security Operations Center A security operations center (SOC) serves as the nerve center for cybersecurity, where teams continuously monitor, detect, and respond to security threats to protect an organization’s information systems. In this chapter, we’ll define what a SOC is, discuss the management of SOC tools, explore the design of the SOC toolset, outline the various roles within a SOC, and examine the processes and procedures that ensure operational efficiency. Additionally, we’ll take a closer look at the specific tools that underpin SOC functions and contribute to its overall effectiveness. The following topics will be covered in this chapter: • What is a SOC? • Management of SOC tools • SOC toolset design • SOC roles • Processes and procedures • SOC tools

What is a SOC? A SOC is a centralized facility within an organization that serves as the central hub for overseeing and managing the security of its information systems and overall infrastructure. The primary objective of a SOC is to provide a real-time, comprehensive view of the organization’s security posture, enabling swift identification and response to internal and external threats. The SOC can be seen as the digital counterpart to the physical security measures an organization has in place.

214

Developing a Security Operations Center

In physical security, organizations implement various measures to prevent unauthorized access to buildings and protect assets. Some examples of these measures include the following: • Guard stations: These serve as checkpoints where security personnel monitor and control access to the premises • Guards: Trained security professionals who patrol the premises, respond to incidents, and enforce security protocols • Cameras: Surveillance systems that capture footage of activities within and around the facility, allowing for monitoring and investigation • Motion detectors: Sensors that detect movement within secured areas, triggering alarms or other responses when unauthorized activity is detected Similarly, the SOC employs a range of technological capabilities to ensure the security of an organization’s information systems. These capabilities include the following: • SOC facility: A dedicated space where SOC analysts, equipment, and resources are housed, providing a centralized location for security monitoring and management. • SOC analysts: Skilled professionals who monitor security alerts, analyze threats, and coordinate incident response efforts. They play a critical role in identifying potential breaches and mitigating risks. • Security information and event management (SIEM) tools: These software solutions collect, analyze, and correlate data from various sources to identify security incidents, helping SOC analysts detect and respond to threats effectively. • Intrusion prevention and detection tools: A combination of hardware and software solutions that monitor network traffic for signs of unauthorized access, malware, or other threats. These tools can automatically block or alert analysts to potential issues. The key difference between physical security controls and the SOC’s capabilities lies in focusing on information systems rather than physical spaces. By leveraging state-of-the-art technology and skilled personnel, the SOC provides an organization with a comprehensive, real-time view of its security landscape, which is crucial for preventing and mitigating cyber threats.

What are the responsibilities of the SOC? The SOC encompasses many tasks overlapping with those outlined in an organization’s incident response plan. The SOC team is primarily responsible for executing significant portions of the incident response plan, making it an integral part of an organization’s security strategy. No matter the size or nature of an organization, establishing an effective SOC is essential for maintaining its information systems’ security and protecting against internal and external threats. A well-designed SOC is a key investment in an organization’s information security program, ensuring comprehensive protection of valuable assets.

Management of SOC tools

As previously mentioned, the SOC shares some similarities with the world of physical security. For instance, most businesses employ physical alarm systems and door locks to prevent unauthorized access, regardless of size. Similarly, a SOC protects an organization’s data and information system investments. Investing in a SOC should be proportional to the value of the data and assets an organization seeks to protect. This investment encompasses many responsibilities, such as the following: • Threat detection and analysis: The SOC monitors an organization’s network for potential threats, analyzing incoming data and alerts to identify any signs of malicious activity • Incident response: In the event of a security breach or incident, the SOC team is responsible for coordinating and executing the incident response plan, mitigating the impact of the threat, and ensuring a swift recovery • Vulnerability management: The SOC team identifies and assesses vulnerabilities within the organization’s systems and networks, working to remediate these vulnerabilities and prevent potential exploits • Threat intelligence: The SOC collects and analyzes threat intelligence from various sources, utilizing this information to improve the organization’s defenses and stay ahead of emerging threats Having explored the SOC’s responsibilities, let’s now shift our focus to the management of SOC tools, which plays a pivotal role in ensuring an effective security posture.

Management of SOC tools For a SOC team to effectively monitor and protect an organization’s information systems, they must ensure their tools are properly secured and well maintained. Achieving comprehensive security without leveraging a suite of well-functioning information security tools is virtually impossible. The SOC team must have a capable and versatile toolset to maintain optimal visibility across the information systems they monitor. Despite implementing well-developed security controls and a strong risk management program, intrusions will inevitably occur. How an organization responds to a future intrusion determines the potential impact of a costly data exposure, which could ultimately lead to the organization’s demise. As such, careful attention must be paid to the selection, management, and utilization of the SOC tools employed by the organization. Key considerations in managing SOC tools include the following: • Tool selection: The SOC team must choose tools that provide comprehensive visibility across the organization’s information systems. These tools should cover various security aspects, such as intrusion detection and prevention, vulnerability scanning, SIEM, and threat intelligence. • Tool integration: The selected tools and the organization’s existing infrastructure must be integrated to ensure seamless functionality and efficient information sharing. Proper integration enables the SOC team to have a unified view of the security landscape and respond to threats more effectively.

215

216

Developing a Security Operations Center

• Tool maintenance: Regular maintenance and updates of the security tools are vital for optimal performance. The SOC team must keep track of software updates, patches, and potential compatibility issues to ensure the tools effectively detect and mitigate threats. • Tool configuration: The SOC team must configure the tools according to the organization’s security requirements and risk appetite. This includes setting up alerts and thresholds that align with the organization’s policies and objectives. • Tool evaluation and improvement: The SOC team should continuously evaluate the effectiveness of the tools and make necessary adjustments to improve their performance. This may involve adopting new tools, updating existing ones, or fine-tuning configurations based on the organization’s evolving security needs.

SOC toolset design The design of this toolset should focus on the organization’s mission, priorities, and the essential aspects required to maintain its ability to function effectively. During development, careful consideration must be taken to ensure the toolset is tailored to the organization’s specific needs and risk profile. Work closely with stakeholders to determine key information, such as the following: • Sensitive organizational data: Identify the data types that are most valuable to the organization and require the highest level of protection. This may include customer information, intellectual property, or trade secrets. • Sensitive information technology assets: Determine the critical IT assets that support the organization’s operations, such as servers, databases, and network infrastructure. • The organization’s risk appetite: Understand the level of risk the organization is willing to accept and incorporate this into the design of the SOC toolset. • Allowable business process disruption: Evaluate the organization’s tolerance for disruption to business processes and operations and ensure that the SOC toolset addresses these concerns. • Information system interconnectivity and communication: Gain insight into how the organization’s information systems are interconnected and communicate to ensure comprehensive visibility and protection. In addition to gathering input from stakeholders, it is vital to collaborate with organizational leaders and users to develop an in-depth understanding of the technical aspects of the business, such as the following: • Business application and database interactions: Examine how various business applications and databases interact and their dependencies • Information sharing between business applications: Understand how different business applications share information and collaborate to support organizational processes

SOC toolset design

• Server configurations supporting business applications: Assess the designs of servers that support business applications, ensuring they adhere to best practices and security standards • Network configuration for effective communication: Evaluate the network infrastructure and its configuration to ensure efficient and secure communication between business applications and other components Understanding the information just listed and other relevant factors will help ensure that the SOC toolset provides visibility into the critical aspects of the organization’s network and information systems.

Using already implemented toolsets A defense-in-depth approach to your organization’s information security control implementation may reveal an array of tools already at your disposal to effectively detect and defend against threats. These tools, deployed throughout your enterprise, are used to manage your environment from multiple perspectives, including network, server, workstation, and application. The layers of defense applied to your organization’s network, servers, workstations, and applications depicted in the following figure offer protection from threats while also providing reporting and alerting capabilities when a threat targets an information system.

Figure 9.1 – Information security defense-in-depth layers

217

218

Developing a Security Operations Center

Protection and visibility within these defensive layers include the following: • Policies, procedures, and awareness layer: Policies and procedures help define what is considered normal from both business risk and technical implementation perspectives. Although they do not provide reporting or alerts, they supply essential information for ensuring effective alerting. Awareness training for leadership, general users, and technical users regarding their responsibilities related to policies and procedures helps inform alert implementation, as users should be aware of and adhere to established policies. • Physical layer: Examples include ID badges, motion detectors, cameras, and additional security measures that control access to physical spaces and assets. • Perimeter layer: Examples include web proxies, denial of service prevention, SMTP proxies, and firewalls that protect the organization’s network from external threats. • Internal network layer: Examples include IPSec tunnels, network access control, network segmentation, and network intrusion prevention/detection systems that secure internal communications and infrastructure. • Host layer: Examples include operating system security controls, malware tools, host intrusion prevention/detection systems, and vulnerability management systems that protect individual devices and workstations. • Application layer: Examples include reverse application proxies, Security Assertion Markup Language (SAML), single sign-on, and web application firewalls that safeguard applications and the data they process. • Data layer: Examples include information rights management, database security, mobile device encryption, and data loss prevention (DLP) that protects sensitive data throughout its life cycle. Organizations can optimize their security strategy by leveraging existing toolsets within these layers and effectively defending against potential threats. It is essential to evaluate the effectiveness of these tools, update them as needed, and integrate them to provide a comprehensive view of the security landscape.

SOC roles An effective SOC requires appropriate personnel roles to ensure proper operation and maintenance. The following roles are crucial for a fully functional SOC. Remember that each organization may have unique naming conventions based on its culture: • SOC analysts: ‚ Tier 1: These are more junior information security analysts with a few years of experience in the field. They have a basic understanding of networking, systems, and applications. Their responsibilities include the following:  Monitor information security tools

SOC roles

 Conduct basic investigations and mitigations  Open tickets ‚ Tier 2: Analysts with a deeper understanding of SOC tools, networking, systems, and applications. Their responsibilities include the following:  Employ deeper investigative techniques  Implement threat mitigation  Recommend changes to information systems ‚ Tier 3: Highly skilled analysts with expertise in forensics, malware analysis, threat intelligence, and more. Their responsibilities include the following:  Conduct advanced investigations  Perform malware analysis  Engage in threat hunting  Implement counter-intelligence measures  Conduct digital forensics SOC analysts serve as the primary team members for incident response, which includes preparation, detection, analysis, containment, eradication, recovery, and post-incident activities. As required, SOC analysts may also do the following: ‚ Implement additional information security tools in support of the SOC (security engineers typically perform complex implementations) ‚ Create new operational procedures related to threat detection, analysis, containment, eradication, and recovery

219

220

Developing a Security Operations Center

Figure 9.2 – SOC analyst tiers

• Information security engineers: ‚ Responsible for the systems development/engineering life cycle, including initiation, requirements analysis, design, implementation, testing, operations and maintenance, and disposition of security operations tools. ‚ Security engineers typically support both the SOC and the enterprise organization. They do the following:  Develop capabilities for the SOC, such as SIEM systems and vulnerability management systems  Develop capabilities for the enterprise, such as firewall and intrusion detection system/ intrusion prevention system (IDS/IPS) designs and implementation of security requirements within enterprise projects

SOC roles

Figure 9.3 – SOC and information security engineering

• SOC manager: ‚ The SOC manager oversees the overall management of the SOC and its daily operations. Additionally, they are responsible for the following:  Creating new SOC-related policies  Developing and approving new SOC-related procedures and processes  Manages SOC analysts, who typically report directly to the SOC manager  Coordinates with information security engineers, who often work within a different part of the information security program, although they could also be part of the SOC • Chief information security officer (CISO): ‚ Responsible for developing the overall organizational information security program, including the SOC. Their responsibilities include the following:  Approve all new policies, procedures, and processes related to the SOC

221

222

Developing a Security Operations Center

 Ensure that the SOC’s capabilities align with the organization’s information security and compliance programs  Communicate SOC threat data to organizational management in support of the overall information security program goals By implementing appropriate personnel roles and fostering collaboration between different parts of the information security program, organizations can ensure their SOC effectively detects, prevents, and responds to threats.

Log/information aggregation Collecting and analyzing logs from various sources is a vital design attribute for an effective SOC. Your design should include a mechanism to aggregate, correlate, and triage the logging information, allowing you to prioritize and identify active threats on your network. When establishing this capability, ensure that you adhere to the following guidelines: • Receive logging events from their original source or a logging service that forwards logs to their destination without altering the log data: ‚ If log data is changed in transit, your ability to accurately assess your information system will be severely compromised. ‚ Include logs and information from throughout your organization’s information systems to maximize visibility:  Security-relevant log events from on-premises infrastructure include Active Directory, database servers, file servers, firewalls, Domain Name System, email servers, and web servers  Security-relevant log events from the cloud and third-party hosting providers, including Amazon AWS, Google for Business, Microsoft Azure, third-party web providers, server and workstation virtualization services, and so on  Vulnerability data from your vulnerability management system  Alerts from host-based and network-based IPSs/IDSs  Real-time network information from NetFlow analyzers  Alerts from web proxies  Threat intelligence from third-party and organizational sources By implementing a comprehensive log and information aggregation strategy, your SOC can better detect, analyze, and respond to threats.

SOC roles

Figure 9.4 – Log aggregation

• To ensure that your organization’s SOC can efficiently process and analyze log data, consider the following best practices: ‚ Standardize log formats across different sources, enabling more straightforward analysis and correlation ‚ Implement log retention policies that align with your organization’s compliance requirements and operational needs ‚ Regularly review and update logging configurations to ensure all relevant data is captured and analyzed ‚ Employ SIEM systems to automate log aggregation, correlation, and analysis ‚ Establish a centralized log management system to facilitate secure storage, retrieval, and analysis of log data

223

224

Developing a Security Operations Center

By following these best practices, your organization’s SOC can leverage log and information aggregation to enhance its overall security posture. This approach will enable your SOC to promptly detect and respond to incidents, reducing the potential for damage and minimizing the impact on your organization’s operations.

Log/information analysis After achieving visibility into your production environment by accessing information system data and log sources, the next critical step is performing log reduction and analytics. These processes help streamline data analysis and allow your SOC to identify potential threats more effectively: • Log reduction: Log reduction involves processing all available information from a log source and distilling it to only the essential data required to determine whether a network threat exists. This process enhances efficiency and reduces the volume of data that analysts need to review. • Log analytics: Log analytics includes automated and human interactions associated with log review and the work necessary to establish analytics automation. Key activities in log analytics include the following: ‚ IOC analysis: Examining various indicators to identify potential threats, such as the following:  Internet domain names  File hashes  Geographic location irregularities  IP addresses  Privileged user account anomalous behavior  Potential data exfiltration • Designing, testing, and implementing correlation rules: Creating and refining rules for events and alerts to identify relationships between seemingly unrelated incidents or activities, which may indicate a more significant threat. • Conducting triage on events and alerts: Evaluating events and alerts generated by correlation rules to prioritize and manage incidents based on their potential impact: ‚ Establishing threat attribution: Determining the source or origin of the threat ‚ Documenting details related to the threat: Compiling and maintaining a record of relevant information about the threat, including its nature, potential impact, and any mitigating factors

Processes and procedures

‚ Communicating findings: Sharing information about identified threats with relevant stakeholders and transitioning the incident response activity from the identification phase to the remediation phase

Figure 9.5 – Log analysis

The backbone of an effectively managed SOC is developing and implementing well-thought-out processes and procedures. The next section will delve into that.

Processes and procedures A SOC must consistently implement effective identification and remediation activities. These processes and procedures ensure that these activities are carried out in a repeatable, reliable, and efficient manner. Key categories of processes and procedures crucial to ensuring an effectively managed and operational SOC include the following: • Detection: This involves promptly defining the mechanisms to recognize a potential security incident. Processes must be in place to flag unusual activities, anomalies, or patterns that may signify an attack or breach. These could be automated alerts from security tools or manual reports from users or IT staff. • Analysis: Once a potential incident has been detected, analysis begins. Procedures should outline how to examine the incident, gather evidence, and determine the scope of the threat. This might involve threat intelligence, log analysis, or forensics.

225

226

Developing a Security Operations Center

• Containment: After an incident has been identified and analyzed, the SOC team needs to act swiftly to contain it to prevent further damage or data loss. Procedures may involve isolating affected systems, blocking malicious IP addresses, or changing user access permissions. • Eradication: This stage involves removing the threat from the compromised system. Procedures could include cleaning infected systems, deleting malicious files, or removing compromised user accounts. • Recovery: The next step is to restore the affected systems to regular operation once the threat has been eradicated. Procedures should outline how to verify the systems are clean, restore from backups, or reinstall system components if necessary. As an illustration, let’s consider a sample process that identifies the roles and responsibilities in the case that a cross-site scripting (XSS) vulnerability is detected on an organizational web application: 1. Detection: The SOC team receives an alert of a potential XSS vulnerability from an automated security tool or a manual report. The detection process triggers the incident response life cycle. 2. Analysis: The SOC analysts assess the alert, corroborating the details with additional data sources such as logs, network traffic data, or threat intelligence feeds. The analysts determine the scope of the vulnerability – which systems are affected and what data might be at risk. 3. Containment: Once the vulnerability is confirmed, the SOC team initiates containment procedures to limit potential damage. This could involve temporarily taking the affected web application offline or implementing additional security measures. 4. Eradication: In coordination with IT staff or external vendors, the SOC team works on removing the XSS vulnerability. This could involve patching the web application or modifying its code to eliminate the vulnerability. 5. Recovery: After removing the vulnerability, the web application returns to normal operation. This includes verifying that the vulnerability has been removed and monitoring the application for any signs of recurring issues. The preceding scenario emphasizes the importance of transparent, comprehensive processes and procedures. Not only do they guide the SOC team’s response to incidents but they also ensure consistency and effectiveness in managing security threats.

Identification – detection and analysis In a SOC, the goal is not merely to accumulate a vast amount of log data from an organization’s information systems. Instead, the primary objective is to analyze this information effectively, systematically, and consistently to detect whether an information security threat exists on the enterprise network.

Processes and procedures

An essential resource in this endeavor is IoCs. These clues inform your information security tools (via correlation rules) and personnel to look for potential threats on the enterprise network. IoCs can be discovered within various data sources, such as the following: • System events: These could include network events, application events, and more • Firewall connections: Unusual or unexpected connections could indicate a potential security threat • User activity: Anomalies in user behavior can often signal a potential compromise • Suspicious system file or registry changes: Unauthorized or unexpected changes could indicate a breach • Untimely information system usage: Usage at odd hours or unusual frequencies can be a red flag • DDoS activity: Large amounts of traffic could indicate a DDoS attack Handling these events effectively depends on the SOC’s capacity to triage and categorize events. This enables the prioritization of SOC activities, ensuring that critical threats are addressed before tackling less urgent ones. This prioritization process should align closely with business needs so that any investigations initiated focus initially on business-critical issues. The processes executed by the SOC analysts during this phase might look like this: • Tier 1 analysts: ‚ Review events with the highest severity or criticality defined by the organization’s SIEM tool rules. ‚ Establish a help desk ticket once it’s determined that an event warrants further investigation. If the event requires deeper analysis, it’s escalated to a tier 2 SOC analyst. • Tier 2 analysts: ‚ Conduct a comprehensive investigation and triage of the event, comprehensively documenting the identified threat for remediation ‚ The documented information should include critical aspects such as the date and time of the event/incident, points of contact, a description of the event/incident, individuals notified, identification of VIPs/executives, data sensitivity, the potential impact of the event/incident, steps taken as part of the investigation, the physical location of systems, number of systems/ sites/users affected, incident resolution status, and any additional information required to document the event/incident properly

227

228

Developing a Security Operations Center

Let us now delve into the definitions and significance of events, alerts, and incidents, as well as the distinctions between true and false positives and negatives: • Events, alerts, and incidents: ‚ An event is a change to the expected behavior of an information system, process, environment, workflow, or person ‚ An alert is a notification provided by an information security monitoring system, such as an SIEM system, to identify an event or combination of events ‚ An incident is a malicious event with some business impact that must be remediated • False and true positives/negatives: ‚ False positive: This is a false alarm when an information security tool identifies normal information system behavior as an attack. ‚ False negative: This is the most dangerous condition when an information security tool misidentifies attack behavior as usual operations. In this situation, the attack goes unnoticed by the security tools. This underscores the need for a robust defense-in-depth strategy, where one tool’s false negative may be detected by another tool. ‚ True positive: This is when an information security tool correctly identifies attack behavior. While many tools can catch millions of threats with out-of-the-box behavior, security professionals must constantly tune their tools to maintain a true positive state. ‚ True negative: This is when an information security tool correctly identifies acceptable information system behavior. Effective detection and analysis are critical to successfully operating a SOC. It is not the quantity of the log data collected but the quality of the analysis performed on this data that ultimately defines the effectiveness of a SOC.

Remediation – containment/eradication/recovery The primary goal of establishing a SOC is to ensure the organization’s security by containing, eradicating, and recovering from internal and external threats. The ability to respond swiftly to a threat could be the determining factor between a minor, manageable incident and a severe, damaging breach. It’s important to note that your remediation strategy is closely tied to your organization’s mission. The actions taken to neutralize a threat can differ significantly from one organization to another, depending on the specific business strategy, the nature of the threat, and the systems involved. However, regardless of the diversity in approach, there are three essential steps that every SOC team must effectively execute: • Containment of the threat: This step limits the attacker’s ability to inflict further damage on other information systems within the network. Containment might involve isolating affected systems, restricting user access, or altering network configurations to disrupt the attacker’s movements.

Processes and procedures

• Eradication of the threat: This involves eliminating the threat from your information system. It could mean removing malicious code, eliminating backdoors, or updating and patching systems to close vulnerabilities. In some instances, it might be necessary to reimage or reset devices to ensure the complete removal of attacker software. • Recovery from the threat: The final step is restoring the information system to its full operational capability. This might involve repairing or replacing affected systems, restoring backup data, and reinstating regular operations. During the remediation phase, various strategies might be used, including the following: • Updating and patching: This could involve network components, servers, workstations, or applications. Patching closes vulnerabilities that attackers could exploit. • Updating system access: This might be necessary to remove an attacker’s privileges, limiting their access to your systems. • Changing network access: Altering network configurations can disrupt attacker communications and limit their ability to maneuver within your network. • Reimaging or resetting devices: In some cases, this might be the most effective way to ensure the complete removal of attacker software. • SOC monitoring tuning: After an incident, reviewing and adjusting SOC monitoring capabilities is essential based on lessons learned. This ensures more efficient detection of similar threats in the future. • Additional security controls: These could be applied to the information systems to prevent future attacks. This could include implementing additional firewall rules, IDSs, or other security measures. An integral part of a SOC strategy includes a standard operating procedure (SOP) outlining the steps to perform operations in response to a potential threat. The SOP ensures a structured, consistent approach to dealing with threats, enhancing the efficacy of the SOC team’s response. The following is a sample SOC SOP, which provides the steps an organization could use to block network access to a threat during normal operations or in response to an incident: 1. Threat identification: The process initiates when a SOC analyst identifies or receives a report about suspicious IP addresses or URLs. These could be perceived as potential threats, requiring further investigation and prompt action. 2. Ticket creation and notification: Upon receiving or identifying a threat, the SOC analyst is tasked with creating a help desk ticket detailing the threat. This ticket triggers the remediation process. Concurrently, the SOC manager should be notified about the ticket, ensuring awareness and enabling oversight.

229

230

Developing a Security Operations Center

3. Threat analysis: The SOC analyst analyzes the reported or identified threat. This involves determining the systems that could potentially be affected and require updates. It’s a crucial step in understanding the severity and scope of the threat. 4. Compilation of threat data: After the analysis, the SOC analyst generates a list of the suspicious IP addresses or URLs. This list will be added to the appropriate network blocking tool to prevent any possible breach. 5. IoC information update: To further enhance the organization’s defense mechanism, the SOC analyst ensures that all tracking databases and information security tools are updated with the IoC information. 6. Stakeholder communication: The SOC analyst then communicates with all appropriate business and IT stakeholders about the impending information system update. This ensures that all relevant parties are aware and prepared for any potential impacts on the system. The following is an example of SOP additions for a firewall block: 1. Firewall block request: The SOC analyst generates a list of the IP addresses to be added to the firewall. This list is then attached to a help desk ticket requesting a firewall IP address block. 2. Firewall update: Once the help desk ticket is received, the firewall administrator applies the suspect IP addresses to the firewall, thereby blocking the potential threat. 3. Completion notification: The firewall administrator notifies the SOC upon completion, confirming the successful execution of the firewall block. Here is another example that shows SOP additions for a web proxy block: 1. Web proxy block request: Similar to the firewall block, the SOC analyst generates a list of the IP addresses or URLs to be added to the web proxy. This list is then attached to a help desk ticket requesting a web proxy IP address or URL block. 2. Web proxy update: Upon receiving the help desk ticket, the web proxy administrator applies the suspect IP addresses or URLs to the web proxy, effectively blocking the potential threat. 3. Completion notification: Finally, the web proxy administrator notifies the SOC upon completion, confirming the successful execution of the web proxy block. This SOP sample provides a systematic and repeatable process for the SOC team to follow when dealing with potential threats. It ensures a coordinated and effective response, enhancing the organization’s ability to mitigate risks and safeguard its information systems.

SOC tools The SOC is the nerve center of an organization’s cybersecurity infrastructure. It is equipped with various tools that provide comprehensive visibility into the network, systems, and applications, enabling the

SOC tools

SOC to detect, analyze, and respond to security incidents in real time. The following are some of the key tools commonly utilized in a SOC to maintain an organization’s cybersecurity posture: • SIEM: The SIEM tool is arguably the linchpin of the SOC’s operations. It provides extensive visibility into an organization’s network, systems, and applications, collating data from various sources into a centralized platform. This allows the SOC to monitor and manage the organization’s security landscape from a single dashboard. The SIEM integrates with other security tools, such as malware analysis and IPSs, to produce alerts. These insights enable the SOC to conduct proactive identification and remediation activities. • IPS/IDS: These tools monitor network activities and server or workstation operations. Host- and network-based systems are used to provide a comprehensive view of potential security threats. An IPS actively blocks detected threats, while an IDS only provides alerts for the SOC of potential security incidents. These systems form a robust line of defense against a wide range of cyber threats. • Vulnerability scanners: These tools are crucial for identifying vulnerable systems within the organization’s network. They scan the network for known vulnerabilities, such as outdated software, misconfigurations, or unpatched systems. The output of a vulnerability scan typically includes a list of identified vulnerabilities along with their severity ratings and potential remediation recommendations. This information empowers the SOC to prioritize and address the most critical vulnerabilities. • NetFlow analyzers: These tools examine the data packets traveling across the network. They provide a granular view of network traffic, enabling the SOC to identify unusual or suspicious patterns that may signify a potential security incident. By inspecting the network traffic at the packet level, NetFlow analyzers can detect anomalies that might otherwise go unnoticed, such as covert data exfiltration or command-and-control communication related to a botnet. • Threat intelligence platforms: Threat intelligence platforms are essential to the SOC toolkit. They gather data from various external sources about the latest threats and vulnerabilities, enriching the SOC’s understanding of the current threat landscape. This information can be used to proactively update defense mechanisms and stay one step ahead of potential attackers. • Endpoint detection and response (EDR) tools: EDR tools provide visibility into endpoint activities, detecting and responding to threats that target workstations, servers, mobile devices, and other endpoints. They can detect advanced threats that evade traditional defenses and provide detailed forensic data for incident response. • Automation and orchestration tools: These tools streamline and automate repetitive SOC tasks, freeing analysts to focus on more complex issues. They also orchestrate actions across different security tools, ensuring that the SOC responds to incidents in a coordinated, efficient manner. When properly integrated and managed, these tools form the backbone of a well-equipped SOC. They provide the technical capability to defend an organization against various cyber threats.

231

232

Developing a Security Operations Center

When navigating the complex cybersecurity landscape, organizations often face a critical decision: should they establish an in-house SOC or outsource their security needs to a managed security service provider (MSSP)? Both approaches offer unique advantages, and the choice between them depends on many factors, including the organization’s size, industry, resources, and specific cybersecurity needs.

Benefits of a SOC – in-house and MSSP One of the primary aspects that every organization strives to achieve is a robust security posture that guards against external and internal threats. Establishing an in-house SOC can provide many benefits in this pursuit: • Tailored security infrastructure: Running an in-house SOC allows organizations to implement and utilize tools aligned explicitly with their unique requirements. The selection of security software and hardware can be tailored to the organization’s distinct security needs, operational context, and budget considerations. This level of customization enables a security posture specifically designed to address the organization’s unique threats and vulnerabilities. • In-depth knowledge and control of staff resources: An in-house SOC offers complete control of staff resources. Organizations can hire, train, and manage a dedicated team of cybersecurity professionals entirely committed to protecting the organization’s information assets. This approach fosters a deep understanding of the organization’s systems, processes, potential vulnerabilities, and security landscape. As part of the organization, the SOC staff can better understand the business context, making them more effective in managing threats. • Complete customization of security tools: An in-house SOC allows the complete customization of security tools. This flexibility enables fine-tuning parameters, rules, and alerts to align perfectly with the organization’s risk profile and operational realities. It allows for a more dynamic and responsive security approach, capable of rapidly adapting to changes in the threat landscape or operational environment. • Absolute control of log data: Maintaining control of log data is crucial for analysis and compliance. An in-house SOC ensures all log data containing sensitive information remains under the organization’s management. This allows for comprehensive investigations and audits and reduces the risk of mishandling or exposing sensitive data. • Integration with business processes: A SOC that is part of the organization can align its operations closely with business processes. This enables a security approach considering the organization’s specific operational, strategic, and risk considerations.

SOC tools

While an in-house SOC has numerous benefits, organizations may consider outsourcing their security operations to an MSSP. There are several compelling reasons why an organization might choose this path: • Cost-effective and rapid deployment: For many organizations, particularly small and mediumsized enterprises, setting up and running an in-house SOC can be prohibitive. In such cases, outsourcing to an MSSP can provide a more cost-effective solution. The MSSP model eliminates the need for significant upfront investment in hardware, software, and recruitment of skilled personnel. It also enables the rapid deployment of security operations, which can be particularly valuable in a fast-evolving threat environment. • Access to expertise and advanced technologies: MSSPs typically employ a wide range of security experts and utilize advanced security technologies. Outsourcing to an MSSP allows an organization to access this pool of expertise and cutting-edge technologies, which might otherwise be beyond its reach. The MSSP can bring to bear a broad perspective gained from serving multiple clients across various sectors. • Scalability and flexibility: As an organization grows and its operations become more complex, its security needs also evolve. MSSPs typically have the capacity and capabilities to scale their services in line with the changing needs of the client organization. This flexibility can be a significant advantage in a dynamic business environment. • 24/7/365 monitoring: Cyber threats do not adhere to business hours. Attacks can occur anytime, and prompt detection and response are crucial. Maintaining a 24/7/365 security monitoring capability in-house can be challenging and costly for many organizations due to the significant human resources and operational overheads involved. An MSSP can provide continuous monitoring and immediate response capabilities, ensuring the organization’s systems are protected around the clock. • Compliance and reporting: MSSPs often have extensive experience in dealing with various regulatory standards and can help ensure that an organization’s security posture complies with relevant regulations. Additionally, they typically provide comprehensive reporting services, giving organizations valuable insights into their security status and helping them demonstrate compliance to auditors, regulators, and other stakeholders. • Focus on core business: By outsourcing security operations to an MSSP, an organization can free up internal resources to focus on its core business operations. This can be particularly beneficial for smaller organizations, allowing them to devote more time and energy to growth and development activities while knowing that their security is in expert hands. The decision between establishing an in-house SOC or outsourcing to an MSSP involves careful consideration of various factors. These include the organization’s security needs, operational context, resource availability, risk tolerance, and strategic objectives. Both options have distinct advantages and can provide an effective security posture if implemented correctly.

233

234

Developing a Security Operations Center

An in-house SOC offers high customization, control over data and resources, and deep integration with the organization’s operations. On the other hand, an MSSP provides a cost-effective and rapid solution, access to expert resources and advanced technologies, scalability, continuous monitoring, and compliance support for organizations with limited resources. This can be an attractive option for organizations that must establish robust security operations quickly and cost-effectively without recruiting, training, and managing a dedicated in-house team. Choosing an in-house SOC or an MSSP will ultimately depend on each organization’s unique circumstances and requirements. Considering the immediate and long-term implications, both options should be reviewed to make an informed decision that best supports the organization’s security and business objectives. It’s worth noting that these approaches are not mutually exclusive, and a hybrid model, which combines elements of both, can sometimes offer the best solution. This allows an organization to leverage the strengths of both models.

Summary This chapter discussed the role of the SOC in overseeing an enterprise’s information security visibility and response. We explored the SOC’s various responsibilities and the management and design considerations when planning for SOC tools. We also touched upon the different personnel roles within the SOC and the essential processes and procedures required for its operation. Additionally, we weighed the pros and cons of having an internal SOC versus outsourcing it. In the upcoming chapter, we will focus on the concepts of information security architecture and guide you through the steps to implement an information security architecture program.

10 Developing an Information Security Architecture Program This chapter delves into the fundamentals of creating an information security architecture program for an organization. The chapter defines information security architecture before discussing its integration into the system development life cycle (SDLC) or system engineering life cycle (SELC). The chapter then guides you through conducting an initial information security analysis to inform architectural decisions. Then, we explore how to develop a security architecture advisement program that assists in creating a repeatable process for developing secure architectures. Finally, the chapter outlines the overall information security architecture process, which contributes to an organization’s technical architecture. The following topics will be covered in this chapter: • What is information security architecture? • Information security architecture and SDLC/SELC • Conducting an initial information security analysis • Developing a security architecture advisement program • Information security architecture process

What is information security architecture? Information security architecture is a coherent and comprehensive framework encompassing well-defined policies, procedures, and guidelines designed to regulate the development, implementation, and ongoing operation of a security architecture across the enterprise IT deployed within an organization.

236

Developing an Information Security Architecture Program

For the information security architecture to be successful, it must be tightly intertwined with the organization’s mission. This alignment ensures that the architecture supports, rather than hinders, the organization’s stride toward its strategic goals. If the information security architecture program becomes an obstacle, it will inevitably be side-stepped. The consequences of this can be very severe – not only will the effectiveness of the information security architecture be compromised but also the organization’s overall risk profile may increase. When aligning your information security architecture with your business’s mission, ask yourself similar questions as you asked yourself throughout the development of your information security program: • Question 1: ‚ What is your organization’s business risk appetite? ‚ How much risk is your organization willing to tolerate? ‚ What investment is your organization ready to make to mitigate these risks? Answer: Understanding your organization’s risk appetite is the initial step toward establishing a robust information security architecture program. It provides a clear perspective on the extent of risks your organization will bear and the resources it is prepared to expend to manage and reduce those risks. • Question 2: ‚ How mature is your organization? ‚ Is your organization a start-up? ‚ Or is your organization a well-established entity, such as a 40-year-old manufacturing company with 15,000 employees and 200 locations? Answer: The maturity of an organization significantly influences the design and implementation of an information security architecture. For instance, a start-up might lean toward a flexible and scalable architecture catering to its dynamic and growing nature. On the other hand, an established organization might require a more comprehensive and robust architecture, reflecting its larger size and complex operations. • Question 3: Is your organization’s IT centralized or decentralized? Answer: The organization of your IT department affects the design of your information security architecture. A centralized IT department is more suited to a uniform and consistent architecture. In contrast, a decentralized IT structure might require a more flexible and adaptable architecture to cater to the diverse needs of various departments or units.

Information security architecture and SDLC/SELC

• Question 4: ‚ How does your organization approach foundational IT/hygiene issues? ‚ Does your organization ensure that IT systems are consistently maintained? ‚ Are IT solutions designed and then overlooked until they fail? ‚ Or does your organization fall somewhere in between? Answer: The organization’s approach to IT hygiene is another critical factor when developing your information security architecture. A sophisticated information security architecture might be suitable if your organization proactively maintains its IT systems and ensures secure configurations. Conversely, if your IT solutions are typically neglected until a problem arises, special care will need to be taken to manage the architecture and ensure secure outcomes. Understanding the responses to these questions is essential in designing an information security architecture program suitable for your organization’s current condition while also possessing the adaptability to evolve as the organization matures.

Information security architecture and SDLC/SELC The security architecture program depends on integrating security practices into the organization’s SDLC or SELC. The SDLC/SELC is a systematized approach implemented to enhance the repeatability and predictability of the engineering or development process. The information security architect plays a significant role in integrating security measures into these processes and working with the IT, engineering, and developer teams. A strong collaboration between the information security architect and the team members involved in the SDLC/SELC process helps to design a system with built-in security right from the project’s initiation. A typical SELC/SDLC process contains the following phases: • Initiation phase • Design phase • Implementation phase • Testing phase • Operations and maintenance phase • Disposition phase Let us understand each of the phases in detail.

237

238

Developing an Information Security Architecture Program

Initiation phase The initiation phase lays the groundwork for the rest of the project. During this phase, the organization clearly defines the need for an information system, marking the beginning of the information security planning from a project perspective. At this stage, the information security architect collaborates with the project team to understand the security considerations that must be applied to the system, laying the foundation for a secure system. The roles of the information security architect in the initiation phase are as follows: • Communications and education: The information security architect works closely with project stakeholders to educate them about the need for information security. This education is not just a one-time session but a continuous process to ensure that everyone involved understands the importance of security considerations in the project. It is recommended that a formalized and structured education and training plan be developed to communicate the role of the information security architect to the project stakeholders and team members. The training doesn’t have to be extensive or lengthy. Still, it should be designed to ensure the message being communicated to the project team is consistent, repeatable, and aligns with the vision and goals of the business and the information security program management. • Conducting an initial security analysis: The information security architect conducts an initial security analysis of the project, which includes the following: ‚ Understanding the purpose and description of the information system ‚ Identifying compliance requirements ‚ Documenting key information system and project roles ‚ Defining the expected user types ‚ Documenting interface requirements ‚ Documenting external information systems access ‚ Conducting a business impact assessment ‚ Conducting an information data categorization This security analysis step helps initially capture as much information about the project’s goals as possible. This enables the information security architect to start making security recommendations immediately. It’s important to remember that the project team may not have all the answers initially, which is normal. As the information security architect, you will refine this information as the project progresses. This approach gives you the insight you need into the business and operational aspects of the information system you are designing security controls for. • Active participation in project activities: The information security architect collaborates with the project team to ensure their active involvement in all relevant project activities. This is essential because it gives the architect a clear understanding of the project as it progresses, enabling them to provide valuable security input when needed.

Information security architecture and SDLC/SELC

Requirement analysis phase During the requirements analysis phase, the information security architect works with users and business stakeholders to develop the requirements for the new system. It’s the information security architect’s responsibility to ensure that security requirements are included in the system’s design and prioritized. The roles of the information security architect in the requirements analysis phase are as follows: • Select information security requirements: The information security architect’s task is to provide the project team with information security requirements. These requirements should be integrated into the project’s requirements, ensuring a seamless blend of functionality and security. Including these security requirements at this stage allows for an inherently secure system rather than one where security is an afterthought. • Tailoring security requirements to system needs: The security requirements should be custom-fit to the needs of the information system being implemented. The information security architect should consider the unique features and functions of the system to create a security architecture that suits the needs of the business. For instance, if the information system does not implement a specific technology, the security requirements should not include a requirement for the unused technology. • Communication and collaboration: The information security architect should be prepared to discuss the requirements with the project team, answering questions during the requirements phase and at any point in the system’s development. The information security architect should be ready to explain the rationale behind each requirement. This transparency helps the team understand the importance of each security measure, encouraging them to implement each one thoroughly.

Design phase Within the design phase, the requirements gathered during the requirements analysis phase are transformed into a tangible framework for the new system. The information security architect plays a pivotal role in this phase, ensuring that the appropriate information security controls are incorporated into the system design. The design phase comprises several sub-phases where the engineering team supports the development of the following: • Concept of operation: The concept of operation is a document that describes a proposed system’s characteristics from an end user perspective. It serves as a communication tool, providing business stakeholders with an understanding of how the system will operate. • High-level design: The high-level design is a document that presents the logical components of a system and their interaction. It includes data flows and the interconnectivity of different parts of the system. This document visualizes how the system components will work together to accomplish the desired goals.

239

240

Developing an Information Security Architecture Program

• Detailed design: The detailed design is a comprehensive document that takes the high-level design and drills it down into specific configurations and costs associated with the system. This document provides a granular view of the system design, highlighting every detail that contributes to the system’s functionality. • Proof of concept system: The proof of concept system embodies the detailed design by implementing a system that can be used to determine whether the design meets the user and business stakeholder requirements. Often, the proof of concept is a scaled-down version of the proposed system, allowing the functionality to be tested without incurring the total cost of the final system. The roles of the information security architect in the design phase are as follows: • Collaboration with engineering and development teams: The information security architect works closely with the engineering and development teams during this phase, ensuring that the information security requirements are materialized in the form of operational, management, and technical security controls. • Ensuring security in final system design: The information security architect is responsible for ensuring that the final system design correctly implements the organization’s information security requirements and that they are functioning as expected. This role involves carefully reviewing the system design to ascertain that security has been seamlessly integrated into every aspect of the system. • Development of mitigating security controls: In cases where specific information security requirements cannot be fully implemented, the information security architect works with the engineering and design teams to develop mitigating security controls. These controls reduce the risk associated with the incomplete implementation of security requirements to an acceptable level.

Implementation phase The implementation phase is where the production information system is built based on the design defined in the preceding phases. The key role of the information security architect during this phase is to ensure that the designed security controls are correctly implemented and function as intended. The roles of the information security architect in the implementation phase are as follows: • Ensuring accurate translation of design into implementation: The information security architect verifies that the finalized design is aptly translated into the implemented production system. This requires meticulously examining the implemented system to confirm that all elements align with the original design and that the intended security controls have been successfully integrated. • Collaborating with engineering and development teams: The information security architect works with the engineering and development teams to resolve any production implementation issues that may necessitate a deviation from the initial design. Any changes required at the

Information security architecture and SDLC/SELC

implementation stage are carefully considered, keeping the information system’s security requirements at the forefront. This collaborative approach ensures the system remains secure even when deviating from the original design due to implementation issues.

Testing phase In the testing phase, the project team executes an agreed-upon test plan to verify that the system operates as expected. The information security architect has to ensure that the implemented security controls work as anticipated. The affected security control must be identified and flagged for rectification if any deficiencies are discovered. The roles of the information security architect in the testing phase are as follows: • Development of security testing documentation: The information security architect is responsible for developing the security testing documentation for the information system. This document outlines the testing procedures and expected outcomes for operational, management, and technical security controls. • Ensuring compliance: The information security architect ensures that all necessary compliance requirements are met during testing. This requires a comprehensive understanding of the regulatory landscape relevant to the system and the ability to apply this knowledge in the testing process. • Identification and repair of deficient security controls: If any security control is found to be deficient during testing, the information security architect flags it for immediate repair or mitigation through a planned implementation. This helps to ensure that no security vulnerabilities are left unmitigated, thereby maintaining the information security architecture of the new system.

Operations and maintenance phase In the operations and maintenance phase, the system is in production and is managed according to configuration management principles. The information security architect’s task during this phase is to ensure that any recent modifications to the system are thoroughly reviewed for their impact on the security controls applied during the implementation phase and that any new capability meets the security requirements of the organization and system. The roles of the information security architect in the operations and maintenance phase are as follows: • Providing continuous advisory services: The information security architect’s role extends beyond the initial implementation of the information system. As a trusted advisor, the information security architect continues advising the information system owner on the system’s ongoing security posture. This includes keeping the system owner abreast of the latest security threats, vulnerabilities, and updates that could affect the system.

241

242

Developing an Information Security Architecture Program

• Reviewing and recommending system changes: As part of the maintenance process, changes to the system may become necessary to improve functionality, resolve issues, or keep up with evolving business needs. The information security architect reviews these proposed changes and provides recommendations based on their potential impact on the system’s security. This involves assessing risk to determine whether the changes could introduce new vulnerabilities or compromise existing security controls. • Developing new security controls: If the functionality or scope of the information system changes, it might necessitate the development of new security controls. The information security architect takes the lead in developing these additional security measures to ensure the system maintains its security posture in the face of changes. • Conducting regular security audits: Part of the ongoing maintenance involves regular security audits. The information security architect oversees these audits to ensure that all security controls work as intended and that the system complies with all relevant regulations and standards. The information security architect is responsible for coordinating remediation efforts if any issues are identified during these audits.

Disposition phase The disposition phase signifies the end of the system’s life cycle. At this point, the system’s utility has been exhausted, and the decision to decommission it has been made. In this phase, the information security architect ensures that the system is correctly archived and sanitized in compliance with the organization’s policies and applicable laws. The roles of the information security architect in the disposition phase are as follows: • Overseeing data sanitization: The information security architect ensures that all data and information contained in the system are removed in a way that withstands forensic recovery. This process, often known as data sanitization, involves complete and irreversible data removal. The objective is to eliminate any potential security risks arising from unauthorized access or data breaches after decommissioning the system. • Validation of data removal: The information security architect also verifies that the data sanitization process has been effective. It’s not just about deleting files but ensuring they cannot be restored or retrieved using various data recovery methods. • Archiving necessary data: While it’s necessary to remove all data from the system, there may be certain information that the organization might need in the future. The information security architect ensures this data is appropriately archived for future use. This involves determining what data needs to be retained, securely transferring it to an appropriate storage solution, and ensuring it remains accessible and usable for future requirements.

Conducting an initial information security analysis

• Compliance with legal and organizational policies: The information security architect ensures the disposition process complies with all relevant organizational policies and legal requirements. Different jurisdictions have different laws regarding data disposal and retention, and the information security architect must be well versed in these to avoid any legal complications.

Figure 10.1 – Information security architecture throughout the SDLC/SELC

Up next, let us understand how to conduct an initial security analysis.

Conducting an initial information security analysis As an information security architect, one of your primary roles involves helping shape technology projects to align with the organization’s business objectives and security requirements. The first step in this process is conducting an initial information security analysis. Establishing a process like this at project initiation will allow you, as the information security architect, to gather the necessary information to properly support your project and provide the most relevant guidance possible.

243

244

Developing an Information Security Architecture Program

The following are the steps: 1. Understanding the purpose and description of the information system: The first step in an initial information security analysis is understanding the purpose and description of the information system being designed. This involves a detailed analysis of what the system is intended to do, its scope, and its potential users. Understanding these fundamental aspects is essential to define the potential security risks and necessary controls that must be in place for the successful implementation of the project. 2. Identifying compliance requirements: Next, as an information security architect, you need to identify the compliance requirements that the system must meet. These requirements could be legal, regulatory, or internal company policies. A thorough understanding of these requirements ensures that the system design aligns with the requisite standards and can mitigate potential legal and reputational risks. 3. Documenting key information system and project roles: A clear definition and understanding of roles and responsibilities is essential in any project. This clarity can prevent misunderstandings and ensure that each project team member knows what is expected of them. 4. Defining user types: The types of users interacting with the system also impact information security considerations. Different user types have different access levels, each with a different risk level. Defining these user types early in the project can help shape the necessary security controls and access management systems. 5. Determining interface and external system access requirements: The way the system interacts with other systems, both internally and externally, also requires careful consideration. It’s essential to document all interface requirements and the access needs of external information systems. This documentation can help identify potential points of vulnerability and inform decisions about necessary security controls. 6. Conducting a business impact assessment (BIA): Understanding the system’s potential impact on business operations is another critical component of the initial information security analysis. Conducting a BIA can help identify the potential risks and the associated costs to the organization should a security breach occur. This assessment is needed for prioritizing security controls and contingency plans. 7. Carrying out information categorization: Finally, carrying out information categorization is essential. This involves classifying the information that the system will handle based on its sensitivity and the potential impact should a breach occur. This classification can guide decisions about the level of security controls necessary for each category of information. Now, let us explain each of these steps in detail.

Conducting an initial information security analysis

Purpose and description of the information system The process of fully understanding a system from an information security perspective involves multiple layers of analysis and evaluation. The first step is to clarify and document the system’s purpose from a business standpoint. For instance, consider a document management system’s purpose: to store and make accessible various manufacturing plans and diagrams securely. The key aspect to understand here is the business requirement that the system is designed to fulfill. If your organization utilizes a project management framework, the project chartering process information could be invaluable for gathering this data. If not, engaging in detailed discussions with the business and IT stakeholders is recommended. Topics to discuss with your business team members include the following: • Business purpose: A sample purpose could be implementing a document management system that securely archives manufacturing plans and diagrams and makes them easily searchable. • System description: Once the business purpose has been defined, the next step is to flesh out the intended implementation. For instance, if your organization uses SharePoint and plans to employ this platform to meet the defined business purpose, you should document this along with other available facts. Here’s how you might describe a SharePoint-based system implementation: ‚ In non-technical language, describe the system. This section should be easily understandable to non-technical stakeholders:  Mention the technology being used – in this case, SharePoint  Discuss whether the capability will be hosted internally or outsourced  Describe how the business unit plans to use this capability ‚ If applicable, outline the proposed system architecture at a high level, including an architecture drawing. This could include the following:  The subsystems of the information system  Interfaces to external systems  Hardware architecture of the system  Software architecture of the system  Storage architecture  Backup/disaster recovery architecture  Internal communications architecture  User input  User output

245

246

Developing an Information Security Architecture Program

The goal is to create a clear, high-level architecture narrative and drawing. This can facilitate better communication about the system’s different aspects with all stakeholders, confirm your understanding of the system with project stakeholders, and pinpoint areas where information security controls are necessary to maintain the system’s interaction. This high-level architecture also enables the identification of system elements and their functions that fall within the security boundary for the information system. Understanding these boundaries is crucial for a comprehensive security strategy, as it helps pinpoint the areas that require added attention and security controls.

Figure 10.2 – High-level system architecture example

Determining compliance requirements Before providing information security architecture guidance for your information system, you must look at your organization’s regulatory and compliance requirements to ensure that you are building a set of security requirements that results in a secure and compliant information system.

Conducting an initial information security analysis

The compliance requirements that an organization must adhere to significantly influence an information system’s overall shape and structure. Various laws, standards, and compliance frameworks impose a range of stipulations, and understanding these rules is pivotal for ensuring that the organization can continue its operations successfully without the threat of non-compliance. The services offered by your information system impact the combination of compliance requirements that your system must adhere to. The system might be subjected to various regulations or standards based on its function and the nature of the data it processes. For instance, consider a point-of-sale system located within a gift shop of a US federal government facility. In this scenario, the organization typically needs to comply with the following standards: • Federal Information Security Modernization Act (FISMA): As the system operates within a US federal government agency, it needs to adhere to the compliance standards set by FISMA. • Payment Card Industry Data Security Standard (PCI DSS): As the system accepts credit card payments, it must comply with PCI DSS. This standard aims to secure credit card transactions against data theft and fraud. It’s essential to note that this example simplifies the compliance scenario, assuming that the federal agency operates the gift shop directly, not a third party. Situations like these, with multiple overlapping compliance standards, introduce complexity and demand special considerations from the perspective of an information security architect.

Documenting key information system and project roles Understanding the roles and responsibilities of the key individuals in an information system project is essential to the project’s successful execution and the system’s management in its operational phase. As an information security architect, you need to understand who is accountable for various functions within the information system: • Project roles: Project roles encapsulate the individuals primarily responsible for steering the information system project from inception to implementation: ‚ Project manager: The project manager is responsible for developing the project plan for the information system. Their duties encompass leading and managing the project team, recruiting and overseeing project staff, ensuring the delivery of project deliverables, assigning tasks to team members, and providing status updates to stakeholders. ‚ Project team members: These individuals support the project by undertaking one or more tasks throughout its life cycle. The team may consist of business or technical staff from the organization, external consultants, or in-house team members. Their roles may vary throughout the project’s life.

247

248

Developing an Information Security Architecture Program

‚ Project sponsor: This individual makes business-related decisions for the information system, approves the system’s budget, ensures the project manager has the necessary resources, and communicates the project’s goals throughout the organization. ‚ Executive sponsor: As the person in the organization that is ultimately responsible for the project, the executive sponsor establishes and approves changes to the project’s scope, provides funding, and signs off on the final delivery of project deliverables. • Information system roles: Information system roles relate to the technical management of the system and its continuous operations post-implementation: ‚ System owner: The system owner manages and maintains the information system. The system may contain data owned by the system owner, and there may be one or multiple data owners. The system owner ensures the implementation of organization-wide policies, standards, and baselines, including security policies, establishes system-specific policies, standards, and baselines, and ensures adherence to these established norms. ‚ Data owner: The data owner sets policies, standards, and data usage and protection baselines. They collaborate with the system owner to develop a secure platform for data access that aligns with organizational requirements. They decide who may access the information and the extent of access privileges for each user. ‚ Administrator: The administrator manages user access to the information system, adding and removing users as needed. They assign permissions within the system, adhere to the least privilege principle, and perform IT-related functions to maintain the system’s health. Each role brings a unique perspective and set of skills to the table, facilitating a collaborative effort toward successful project execution. By understanding these roles, you can better advise and collaborate with your team and stakeholders, resulting in an information system that effectively meets the organization’s needs. The following is a sample form that can be used to document these roles for any project: Role

Name

Project Roles Project Manager Project Team Member (add lines as needed) Project Sponsor Executive Sponsor Business Analyst Information System Roles System Owner Data Owner Administrator (add lines as needed) Table 10.1

Title

Phone

Email

Conducting an initial information security analysis

Defining the expected user types Determining the expected types of users interacting with the information system is important. User types can broadly be categorized into the following: • General information system users: These individuals will use the system regularly for their daily tasks. They are typically employees within the organization but could also include contractors or other individuals with a legitimate business need to use the system. • External business partners: This group represents other organizations or businesses that must interact with the system. These could include suppliers, vendors, business affiliates, or other partners who share a business relationship with your organization. • External users/customers: These users represent your customer base or public users who interact with your system. They could be individuals or businesses that are your clients or customers. • System administrators: System administrators are responsible for managing the system’s infrastructure. Their duties include maintaining server health, managing system resources, and ensuring system availability. • Application administrators: This category includes individuals who manage web applications and APIs. Their role typically involves maintaining application functionality, managing user permissions, and troubleshooting issues with the application or API. For each of these user types, it’s important to identify the following: • Access location: Determine from where users will be accessing the information system. This could be from within the organization’s internal network, via a VPN, or directly over the internet. • Client software: Identify the software each class of users will employ to interact with the system. Is the application web-based, and hence browser-dependent, or does it necessitate a dedicated thick client? Also, pay attention to specific client access requirements, such as IP addresses, URLs, or TCP ports that need to be opened. Understanding your user types, needs, and interaction mechanisms with your system allows you to design a more secure, efficient, and effective information system. It also enables you to plan and implement security controls tailored to each user type, ensuring a balanced approach between security and user-friendliness. The following is an illustration of a completed form where the user types have been identified and the methodologies used to offer access to the underlying information system have been recorded:

249

250

Developing an Information Security Architecture Program

User Type

Access Type

Client Software

IP Address TCP Port URL

General User Internal Network Web Browser N/A

N/A

https://thewebapp

External Business Partner

Internet

Web Browser N/A

N/A

https://thewebapp

Customers

Internet

Web Browser N/A

N/A

https://thewebapp

System VPN Administrator

W i n d o w s 10.0.0.1 42 Operating System Tools Internal Network Thick Client 10.0.0.2 24

N/A

Application Administrator

N/A

Table 10.2

Documenting interface requirements An interface refers to the point of interaction between different software components, hardware devices, or even between the system and its users. Documentation of these interface requirements provides a clear understanding of data movement, interactions, and transactions, allowing for better risk management and the implementation of adequate security controls. The following are the steps to documenting the various interface requirements: 1. Interface overview: Start by detailing the general functionality of the interface. What is its purpose, and what does it achieve within the system? Outline the hardware and software components integral to the interface’s operation. This could include specific equipment, servers, or software programs that enable or facilitate the interface. 2. Functional description: Delve into the specific operations conducted by the interface. How do end users interact with it? Are there specific events or triggers that initiate data movement through the interface? The more granular the details, the better your understanding of how the interface fits into the broader system operations and user interactions. 3. Data transfer: Detail how data traverses a particular interface on a system. Describe how system-to-system connectivity is established and maintained. Explain the mechanisms used to move data throughout the architecture – this could involve APIs, protocols, or specific data formats. Understanding the data transfer process helps identify potential points of vulnerability and ensure adequate data protection measures are in place.

Conducting an initial information security analysis

4. Transactions: Detail the types of transactions employed to move data along the interface’s component systems. Transactions could range from simple data fetch operations to more complex business transactions involving multiple data exchanges. This process should be undertaken for each interface within the information system. As an architect, being familiar with the system’s interfaces gives you the advantage of accurately identifying areas that need security controls, potential points of data leakage, and vulnerabilities that might be exploited.

Documenting external information systems access Understanding how your information system interacts with other external systems is critical to protecting your information system. Identify and document all external systems that interface with the information system. Proper documentation of external systems access helps design the system architecture by maintaining security across all connections and also aids in troubleshooting issues and identifying potential vulnerabilities. To document external information system access, follow these steps: • Interfacing system and its ownership: Document the external system interfacing with your system. This includes identifying the system by its name or other identifiable attributes. Also, indicate the owner of the interfacing system. The owner can be an individual, a team, or an organization that is responsible for the system’s operation and maintenance. • Purpose and notes: Describe the purpose of the interconnection. Why does it exist, and what functionality does it bring to the system? This should also include any specific observations or essential details concerning the interconnection. It could be related to the frequency of data transfer, the type of data transferred, or the dependency of certain functionalities on this interconnection. • Data transfer direction: Note the direction of data transfer through the interconnection. Is it one-way, where data only moves from the system you support to the external system (or vice versa), or is it two-way, where data can move in both directions? Understanding the movement of data flow can help implement appropriate security controls to safeguard sensitive information. To gather this information, you can use the following form, which can be filled out for each interconnection. This form should include fields for all the preceding points, enabling clear and organized documentation of external information system access: Interconnection Purpose/Notes Name

Direction Interfacing System Owner of Interfacing System Information System

Table 10.3

251

252

Developing an Information Security Architecture Program

Conducting a business impact assessment (BIA) As discussed in Chapter 7, Business Continuity/Disaster Recovery Planning, the primary aim of conducting a BIA for an information system is to account for its availability, backup, and disaster recovery requirements. In an unforeseen situation or failure, performing and acting on a BIA can provide a business with the necessary safeguards to protect its crucial data and keep its systems running. The following is a review of the activities that comprise a BIA: 1. Identify business processes: Start by clearly identifying the business processes supported by the information system. These can range from day-to-day operational tasks to long-term strategic activities. Understanding these processes can help assess how the interruption of these activities can impact the organization. 2. Determine business impact: Next, assess the potential impact on the business if the information system becomes unavailable. Consider the consequences of different levels of disruption, from minor outages to catastrophic system failures. This impact could be measured regarding financial loss, reputational damage, operational inefficiencies, legal implications, or customer dissatisfaction. 3. Identify information systems used: Identify the specific components of the information system or the entire system if there are no particular subsystems to identify. This information will be instrumental in understanding which elements of your architecture are most critical to maintaining business continuity. 4. Define allowable outage: Determine the maximum allowable outage time for the information system – that is, how long the business can continue operating without the system. This will depend on the nature of your business and the specific processes the system supports. 5. Prioritize recovery: Identify the priority tier in which the information system should be placed for recovery. This classification should be based on the system’s importance to business continuity and the potential impact of its outage. It aids in ensuring that the most critical systems are recovered first in the event of a disaster. A well-conducted BIA helps mitigate risks and enhances your business’s resilience and readiness to respond to any eventualities. Use the following form to conduct a BIA as part of your information security architecture activities: Business Process Impact

Dependencies/ Allowable Recovery Software Hardware Outage Priority Interfaces

Table 10.4

Developing a security architecture advisement program

Conducting information categorization As an information security architect, one of your responsibilities is collaborating with business and project stakeholders to categorize the information processed by the information system being analyzed. This process, which we discussed earlier in the Chapter 4, Information Security Risk Management, is information categorization. The process of information categorization for the architect involves the following components: 1. Identification of information assets: Identify what information assets will be processed by the information system. Information assets can range from customer databases and product information to internal communications and financial records. Understanding the range and type of data the system processes is the first step in categorizing your information assets. 2. Valuation of information assets: After identifying your information assets, you must determine their value to your organization. This can be a complex process, as it requires understanding the tangible and intangible benefits each asset provides. Factors such as the asset’s role in business operations, its contribution to competitive advantage, its legal and regulatory importance, and its potential impact on reputation and customer trust all play a part in determining its value. 3. Securing information assets: With an understanding of what information assets will be processed by the system and their value to the organization, the next step is to consider what measures will be needed to secure those assets. Security measures should be commensurate with the value of the assets – high-value assets may require more stringent controls, while lower-value assets may require less extensive measures. This process should involve a thorough risk assessment to identify potential threats and vulnerabilities and determine the appropriate controls to mitigate these risks. It’s important to note that data in an organization is not homogenous in terms of its importance or value. Certain data elements might be pivotal to business operations, while others might be less crucial. Consequently, your information categorization process fundamentally shapes your information security requirements and subsequent security controls.

Developing a security architecture advisement program A well-designed security architecture advisement program will support your information security program by consistently offering valuable information security advice to your business and project stakeholders in support of building secure information systems. The effectiveness of your architecture program is contingent on the value it confers to your business and project stakeholders. It should not obstruct but rather streamline project success. Incorporating a customer-centric approach as a fundamental principle of your architecture program is vital in securing this success.

253

254

Developing an Information Security Architecture Program

To achieve this, you should consider the following: • Policies, procedures, or guidance: Ensure you have well-developed policies, procedures, and guidance to support your business and project stakeholders: ‚ Policies that enforce the need for information security architecture should be implemented and stipulate the requirement to request resources from the information security program for architectural guidance ‚ The delivery of information security architecture to the organization should be facilitated by a repeatable process, ensuring consistency and reliability ‚ Various templates and guidance documents should be created to collect the necessary information efficiently and generate the output required for architectural decisions ‚ Examples of guidance that should be created for your organization include high-level and detailed information system design templates, contingency, business continuity, disaster recovery templates, configuration and change management templates, and more • Awareness program: Develop an awareness program related to information security architecture, ensuring that stakeholders have a thorough understanding of the following: ‚ The services the information security program provides in terms of information security architecture. You should have consistent training and slides that can be presented to stakeholders explaining the available services. ‚ The best ways to access these services and the most opportune times. Detail how the stakeholders should engage with your architecture program to access services. ‚ The significance of these services and the benefits of utilizing information security architecture services. Be prepared to elaborate on the benefits of information security architecture for the organization and explain how implementing a secure information system contributes to the success of our business missions.

Information security architecture process An information security architecture program’s effectiveness largely hinges on its harmonization with an organization’s SDLC or SELC. This integration is a critical aspect of the process, aiming to embed information security architecture into an information system as early as possible. If your organization lacks a well-defined SDLC or SELC process, make it your responsibility to integrate yourself into the initial phases of projects or tasks within your different business operating units. This proactive participation ensures that your knowledge and expertise in information security architecture are integrated from the project’s inception, thus assisting in shaping the project’s trajectory.

Information security architecture process

This approach ensures that information security architecture is embedded into the information system during the nascent stages. Early integration enables us to better serve the interests of stakeholders and the organization by creating the most secure system achievable. The reasoning behind this strategy lies in the well-accepted adage that prevention is better than cure – it is far more efficient and effective to build a system with security as a foundational component rather than attempting to patch security holes after a system is fully developed. It is important to emphasize that constructing security into the system from the start ensures a seamlessly integrated security solution rather than a clumsily added layer that could end up as an inefficient and poorly performing capability. This results in the more efficient and superior performance of security controls that can better protect your organization’s valuable information assets.

Example information security architecture process The following process provides an example of how to tie many of the concepts discussed in this chapter and this book into an integrated information security architecture process that complements an organization’s SDLC/SELC process: Task

Responsible Party

Audience

SDLC Phase

Request Security Architect

Project Manager

Information Security Program

Initiation

Assignment of Security Architect

CISO/IT Security Manager

Information Security Program

Initiation

Contact Project Manager/Team Lead Security Architect

Project Manager/ Team Lead

Initiation

Conduct meeting to kick off Security Security Architect Architecture Engagement

Project Manager/Team Initiation Lead/Project Team

Conduct Initial Information Security Architect Security Analysis

Project Manager/Team Initiation Lead/Project Team

Provide tailored Information Security Architect Security Requirements

Project Manager/Team Requirements Lead/Project Team Analysis

Development and Review of Information System Design (Technical)

Security Architect/ Project Manager/Team Design Project Team Lead/Project Team

Development and Review of Security Architect/ Project Manager/Team Design Information Operational and Project Team Lead/Project Team Management-related information system artifacts Develop Information Security Security Architect Testing and Planning Documents

Project Manager/Team Design Lead/Project Team

255

256

Developing an Information Security Architecture Program

Task

Responsible Party

Audience

SDLC Phase

Support the implementation of Security Architect the information system from an information security perspective

Project Manager/Team Implementation Lead/Project Team

Conduct Security Testing

Security Architect

Project Manager/Team Testing Lead/Project Team

Mitigate Security testing Findings

Project Manager/Team Lead/Project Team

Security Architect

Testing

Table 10.5

Architecture special considerations Cybersecurity architecture establishes and protects an organization’s data and ensures its systems run smoothly with designed-in security measures. We’ll explore some key points to consider when designing security features for your organization.

Confidentiality – ensuring that sensitive information is protected from unauthorized access Confidentiality involves protecting sensitive information from unauthorized access. A well-designed system integrates data encryption, both at rest and in transit. Data at rest refers to information stored in databases, files, or disks. Data in transit means moving between systems or over a network. Segmentation is another critical concept. Networks can be divided into segments, ensuring sensitive data is isolated from general access areas. Systems with highly confidential data should reside in their own segments, protected by dedicated security controls. Some best practices include the following: • Use strong encryption algorithms: Implementing algorithms such as AES-256 ensures data remains unreadable if intercepted. This is important for protecting sensitive information from unauthorized access. • Implement data masking: Masking data, especially in development environments, obscures specific data within a database, ensuring sensitive data isn’t exposed. • Avoid hardcoded secrets: Hardcoded secrets can be easily extracted by malicious actors, making applications vulnerable. • Rotate encryption keys: Regular rotation of encryption keys reduces the risk of a key being compromised.

Information security architecture process

Availability – ensuring that systems and resources are accessible to authorized users when needed Availability refers to ensuring that information and resources are accessible to authorized users when needed. It’s about guaranteeing uninterrupted and reliable access to data, systems, and networks. Availability is crucial to ensuring a system’s operational performance and reliability and is achieved by designing resilient and fault-tolerant systems. Some best practices include the following: • Set up load balancers: Distributing incoming application traffic across multiple targets ensures high availability and fault tolerance • Regular backups: Scheduling automated backups protects against data loss • Implement disaster recovery plans: Regularly testing and updating these plans ensures rapid system recovery after disruptions • Utilize content delivery networks (CDNs): CDNs enhance the user experience and can provide protection from distributed denial of service (DDoS)

Authentication – ensuring that users are who they claim to be Authentication refers to the process of verifying the identity of a user, system, or device. It’s a way to ensure that the entity requesting access is who or what it claims to be before granting access. Authentication prevents unauthorized users or systems from accessing sensitive data or functionalities. By implementing best practices in authentication, cybersecurity architects can enhance the security of their systems and reduce the risk of unauthorized access. Some best practices include the following: • Enable multi-factor authentication (MFA): MFA adds an extra layer of security and requires users to provide two or more verification methods, making unauthorized access significantly harder • Implement token-based authentication: Provides an added layer of security by generating a token allowing the user to verify their identity • Implement password policies: Policies that mandate periodic changes and complexity reduce the risk of brute-force attacks • Single sign-on (SSO) systems: Allow users to authenticate once and gain access to multiple related but independent systems, improving user experience while maintaining security

257

258

Developing an Information Security Architecture Program

Authorization – ensuring that users have the appropriate access rights to perform their tasks After authentication, a user must be granted the correct privileges to the systems. Authorization establishes the parameters for users to access specific resources once their identity is confirmed through authentication. By design, the primary purpose of authorization is to define and enforce boundaries that ensure users cannot access data or functions beyond their allocated permissions: • Implement the principle of least privilege: Granting only necessary permissions minimizes potential security breaches • Utilize role-based access control (RBAC): RBAC ensures users have permissions suitable to their roles, safeguarding against unauthorized actions • Segregate administrative tasks: Keeping admin operations separate from regular user operations minimizes potential breach impacts • Implement discretionary access control (DAC): DAC allows access to be granted or denied based on a policy set by the object’s owner, its associated group, or specific users

Non-repudiation – ensuring that users cannot deny their actions or transactions Non-repudiation refers to the assurance that a party involved in a communication or transaction cannot later deny their participation. It provides evidence of the origin or delivery of data, confirming the identities of both the sender and the recipient. Non-repudiation is a critical component in the design of secure communications systems, as it helps prevent fraud, misinformation, and disputes. Some best practices include the following: • Implement digital signatures: Signatures verify the sender’s identity and ensure data integrity • Utilize public key infrastructure (PKI): PKI ensures secure, scalable, and verified digital signatures and encryption • Timestamp transactions: A timestamp provides a clear chronology of events and chain of custody • Hardware security modules (HSMs): Use HSMs to securely manage and store cryptographic keys

Auditing and accountability – tracking and logging user activity Centralizing logging involves creating a unified view of log data, making it easier to detect and analyze security threats. This consolidation allows security teams to have a comprehensive perspective on all the events that transpire in the system. By designing a central log repository, architects can streamline log analysis, reducing the time needed to discover cybersecurity events. Logging user activity allows for reconstructing events in the event of a security incident. Logs include information such as user IDs, timestamps, source IP addresses, and executed operations.

Information security architecture process

Some best practices include the following: • Centralize logging: Consolidated views of logs for better analysis • Ensure comprehensive log entries: Capturing detailed log data facilitates accurate forensic investigations • Make logs immutable: Preventing log tampering ensures accurate event tracking • Retain logs: A strategic retention policy ensures logs are available for historical analysis • Implement SIEM solutions: Real-time threat detection and response can reduce the time to discover cybersecurity events

Risk management – identifying, assessing, and mitigating potential security threats Risk management in cybersecurity architecture involves identifying, assessing, and mitigating potential security threats in the design. It is a continuous activity throughout the SDLC that requires collaboration between various stakeholders, including other security team members, IT staff, management, and end users. Effective risk management ensures a system design has minimal risk associated with its operation and has the appropriate security controls applied commensurate with its value. Some best practices include the following: • Risk review and updates: Continuously review and update risk assessments and security controls to address changes throughout the SDLC • Security controls implementation: Implement appropriate security controls per organizational policies and mitigate identified risks • Penetration testing: Simulate attacks to identify system vulnerabilities

Incident response – having a plan in place to respond to and recover from security incidents quickly Incident response should be considered as part of the architecture and design process. Incident response plans should be designed with a clear and well-defined structure, establishing a systematic approach to incident management for your developing system or program. These plans should also be created with consideration for industry best practices and regulatory compliance requirements. Some best practices include the following: • Conduct threat modeling: Identify common threats and create specific procedures for each. Different threats such as DDoS attacks, ransomware, or data breaches may require tailored response strategies. • Have forensic tools ready: Prompt forensic analysis can help understand the breach’s nature and origin.

259

260

Developing an Information Security Architecture Program

Compliance – adhering to industry standards, laws, and regulations related to security Cybersecurity architects must comprehensively understand the regulatory requirements pertinent to their industry. Embracing a security-by-design approach, often advocated by regulatory frameworks, integrates security measures from the outset, proving both effective and cost-efficient compared to later-stage security implementations. Additionally, it prevents potential legal consequences, such as significant fines or sanctions, from non-compliance. Some best practices include the following: • Stay updated on relevant standards: When released, review updates to standards such as NIST 800-171, PCI-DSS, ISO27001, and others • Automate compliance checks: Tools can verify system configurations against industry benchmarks • Document compliance measures: Clear documentation requirements and how the architecture achieves these requirements

Summary In this chapter, we explored the concept of information security architecture, which lays down policies, procedures, and guidelines for creating and deploying an information security architecture within an organization’s enterprise. Key takeaways from this chapter include learning how to integrate information security architecture into the SDLC or SELC, conducting an information security analysis to inform architecture decisions, and the steps to establishing an information security architecture advisement program. The upcoming chapter will dive into cloud computing and its associated information security considerations. You will be introduced to the technologies that underpin cloud systems and the tools and techniques essential for securing them.

11 Cloud Security Considerations This chapter will discuss the concepts related to safeguarding data, applications, and systems hosted on cloud platforms. As cloud computing is a critical component of the modern enterprise, understanding its various service, deployment, and management models is essential. Equally important are the unique security nuances that cloud capabilities introduce. This chapter provides an overview of the cloud security landscape, offering insights into challenges and best practices that can be implemented in your organization. The following topics will be covered in this chapter: • Importance of cloud computing • Cloud computing service models • Cloud computing deployment models • Cloud computing management models • Special considerations for cloud computing

Importance of cloud computing Cloud computing has fundamentally changed the way we utilize enterprise digital resources. In most cases, it enables ubiquitous, on-demand access to a shared pool of configurable computing resources hosted by a third party. In most cases, these resources are outsourced, meaning they are provided by third-party companies known as cloud service providers. This shared pool of resources can comprise many distinct elements, including networks, servers, storage, and applications. Cloud computing networks are typically high-speed connections that link the client’s computer systems with the cloud service provider’s infrastructure. These networks provide the essential data conduit on which information is transported to and from the cloud. They must be robust and reliable to ensure consistent and uninterrupted access to cloud resources.

262

Cloud Security Considerations

Servers, another important component of cloud computing, are robust computing infrastructure that stores data and runs applications. Within the cloud computing infrastructure, these servers are physically housed in data centers managed by the cloud service provider. They perform the data processing tasks and run the software applications the client organization requires. As the term implies, storage is the cloud-based equivalent of local storage on a personal computer or a company’s on-premises servers. Cloud storage provides a virtual location where businesses can store and retrieve data. It’s scalable, secure, and easily accessible, allowing organizations to keep large volumes of data without needing substantial on-premises storage infrastructure. Applications in the cloud environment are software programs hosted on the cloud provider’s servers and accessed over the internet. These can range from business productivity tools, such as email and word processing programs, to more specialized applications for business analytics, customer relationship management, or enterprise resource planning. One of the defining characteristics of cloud computing is the rapidity with which these services can be provisioned and released. This means an organization can quickly scale up its use of cloud resources when demand increases and then scale down again when demand decreases. This flexibility eliminates the need for businesses to invest heavily in their IT infrastructure, which may sit idle during periods of low demand. Furthermore, this provisioning and releasing of services require minimal management effort or interaction with the cloud service provider. Automation and service management tools allow for the seamless expansion or contraction of resources based on the organization’s current needs. This hands-off approach allows organizations to focus on their core business functions while the cloud provider oversees the IT resources.

Cloud computing characteristics Cloud computing has several essential characteristics that distinguish it from traditional on-premises computing. In the following list, we will look in more depth into these distinctive features, including rapid elasticity, broad network access, on-demand self-service, resource pooling, and measured service: • Rapid elasticity refers to the ability of cloud resources to be dynamically provisioned and released, adapting flexibly to an organization’s fluctuating needs. Rapid elasticity can be implemented manually, semi-automatically, or fully automatically. • Manual scaling requires the organization’s operations team to anticipate future workloads in the cloud environment and manually add resources to support the company’s mission. Although this approach can be labor-intensive and requires a high degree of foresight, it offers precise control over the allocation of resources. • Semi-automated scaling still necessitates forecasting to ensure adequate resources are configured to support an organization’s information system. Based on system events, new services, such as virtual servers, can be initialized to handle increased application loads. This strategy combines automation with manual oversight, balancing efficiency and control.

Cloud computing service models

• Fully automated, or elastic, scaling is the most advanced form of resource management. This approach allows an organization to increase or decrease capacity without performing the manual labor and configuration necessary to establish the infrastructure beforehand. Automated scaling harnesses sophisticated algorithms and real-time performance data to anticipate and respond to changes in demand, offering maximum efficiency and adaptability. Regardless of the chosen scaling method, the organization can control the system’s elasticity, preventing uncontrolled growth that could lead to high costs. By setting appropriate thresholds and rules, companies can ensure they only use and pay for the needed resources, optimizing their return on investment. • Broad network access is another fundamental attribute of cloud computing. This feature ensures that cloud resources can be accessed over various networks and user devices. A well-architected cloud environment facilitates increased network access and scalability, allowing users to interact with cloud services from virtually anywhere at any time. • On-demand self-service is an aspect of cloud computing that refers to an organization’s ability to provision cloud computing capabilities autonomously. This provisioning can be carried out without human interaction from the cloud services provider, offering convenience and flexibility for organizations. • Resource pooling is another important capability in cloud computing, whereby the cloud provider utilizes a multi-tenant architecture to serve multiple organizations. In this model, computing resources such as storage, processing power, memory, and network bandwidth are pooled and dynamically allocated to different clients. Physical and virtual resources can be assigned and reassigned based on each organization’s requirements. • Measured service is another characteristic of cloud computing. The consumption of pooled cloud computing resources is monitored and reported to the organization, providing visibility into resource usage and associated costs. This approach ensures accurate measurement of cloud computing resource consumption, enabling transparency for both the provider and consumer of the cloud computing service. Let’s now delve into the various cloud computing service models that offer different levels of service and management.

Cloud computing service models Three central models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) – offer varying levels of flexibility and control to businesses. Each model defines distinct responsibilities shared between the organization and the cloud service provider. This section discusses the specifics of these models, detailing their characteristics and benefits.

263

264

Cloud Security Considerations

Infrastructure as a Service (IaaS) IaaS is a model where a cloud service provider delivers virtualized computing infrastructure over the internet. This means that organizations can access high-level computing resources without the necessity of owning, managing, or maintaining on-premises hardware. By adopting IaaS, businesses can effectively rent virtual servers, storage, and networks, paying only for the resources they use. There’s a clear delineation of responsibilities between the organization and the cloud computing service provider. The organization controls certain aspects of the IT environment, while the cloud service provider manages the underlying infrastructure. The organization takes responsibility for managing server operating systems. This means that the organization can select the operating system that best suits its needs, such as a particular version of Windows, Linux, or another OS. It also allows the organization to configure the operating system to meet specific security, performance, and functionality requirements. Data storage management also falls under the organization’s domain in the IaaS model. The business can determine how data is structured and stored, define access controls, and set up backup and recovery processes. This responsibility ensures data management aligns with the organization’s operational needs and compliance requirements. The organization also oversees the deployment of applications to the servers. These applications can range from web-based enterprise applications to database servers to management agents such as host intrusion prevention systems. As with server operating systems, this control allows the organization to tailor its application environment to meet its unique business needs.

Figure 11.1 – Infrastructure as a Service

Cloud computing service models

The cloud service provider handles the underlying cloud infrastructure as part of this relationship. This responsibility includes managing processing capabilities, physical storage, and networks. The provider ensures that the processing capabilities – the computing power of the virtual servers – meet the performance specifications set out in the service- level agreement. This arrangement means the provider must monitor performance, manage workloads, and scale resources up or down to meet the organization’s demands. The physical storage management by the provider entails maintaining the actual hardware on which the organization’s data and applications are stored. Network management in the IaaS model involves the provider ensuring that the network infrastructure (including routers, switches, and other networking equipment) operates smoothly and securely. This responsibility consists of managing the physical hardware and the software-defined networking technologies that enable the virtualized network capabilities of the cloud. IaaS provides organizations with a flexible, scalable, and cost-effective way to access high-level IT infrastructure resources. By clearly defining the division of responsibilities between the organization and the cloud provider, the IaaS model allows businesses to focus on their core competencies, leaving the management of complex infrastructure to the experts.

Platform as a Service (PaaS) PaaS is a cloud computing service model in which a provider delivers hardware and software tools typically designed to aid an organization’s application development and hosting needs. By opting for PaaS, organizations can create, execute, and manage applications without getting entangled in the complexities of constructing and maintaining the associated infrastructure. The client organization controls the applications it deploys within the PaaS environment. This degree of control covers a wide array of elements, including the choice of programming languages, the use of development libraries, the integration of application services, and the deployment of development tools. This flexibility makes PaaS an attractive solution, allowing developers to utilize the tools and techniques they’re most familiar and proficient with. From an application development language perspective, the organization can choose from a broad range of programming languages supported by the PaaS provider. This flexibility allows developers to use languages they are most comfortable with, whether Python, Ruby, Java, or any other language. The freedom to select the most appropriate language can significantly impact the efficiency of the development process, the complexity of the resultant code, and the overall performance of the final application. Similarly, development libraries and application services are at the organization’s disposal. Development libraries offer a wealth of pre-existing code blocks that developers can incorporate into their applications, saving precious time that would otherwise be spent writing code from scratch. On the other hand, application services provide an array of functionalities such as user authentication or database access, which can be directly integrated into the applications being developed.

265

266

Cloud Security Considerations

The organization can also deploy various development tools in the PaaS environment. These include integrated development environments (IDEs), version control systems, and testing tools. With access to these tools, developers can streamline the development process, enhancing productivity and security. In a PaaS environment, application security is the customer’s responsibility. Organizations should ensure that all cloud-based applications are developed using secure coding practices and are regularly tested for vulnerabilities.

Figure 11.2 – Platform as a Service

The cloud service provider takes care of the underlying cloud infrastructure, which includes processing capabilities, physical storage, networks, and the operating system. The service provider ensures the operating system is secure, correctly configured, and updated. This role is a critical aspect of the PaaS model as it relieves the organization of the complexities of operating system management. This way, developers can concentrate on developing applications instead of troubleshooting infrastructure issues.

Software as a Service (SaaS) SaaS is a cloud computing service model characterized by a provider offering fully operational web-based applications to organizations. The beauty of SaaS lies in its simplicity – organizations can utilize sophisticated, enterprise-level applications without worrying about the intricacies of software development, maintenance, or infrastructure management. By adopting SaaS solutions, organizations can focus on their core business objectives and operations, leaving the technical details of software management to the cloud service provider. This shift optimizes operational efficiency and significantly reduces the costs and resources associated with managing on-premise software systems. The demarcation of responsibilities in the SaaS model further enhances its appeal. The client organization is responsible for managing the data provided to the application environment and configuring the

Cloud computing service models

application per the options provided by the SaaS provider. The cloud service provider manages the underlying infrastructure, including processing capabilities, physical storage, networks, operating systems, and enterprise applications.

Figure 11.3 – Software as a Service

Data management essentially involves controlling data input into the SaaS application environment. This includes managing data entry, data integrity, and data privacy. The organization also ensures that the data fed into the SaaS applications is accurate, up to date, and compliant with relevant regulations. Moreover, the organization must implement security measures to protect its data from breaches and unauthorized access. As for application configuration, the organization can modify the settings of the SaaS applications based on its specific needs and operational requirements. Most SaaS providers offer a degree of customization, enabling organizations to adapt the application features to align with their business processes. This may include configuring user access levels, customizing the application’s interface, setting up notifications, defining workflows, and more. The cloud service provider manages the foundational components that support the SaaS applications. This includes providing processing power, ensuring adequate storage space, maintaining network connectivity, overseeing the operating system, and managing the enterprise applications offered to the client organization. The provider’s role is crucial in ensuring the seamless operation of the SaaS applications. They must ensure the processing power matches the application’s needs and can handle the user load. They must also ensure enough storage space is available to store all application data and effectively manage this storage space to ensure optimal performance. Any disruptions in network connectivity can hinder access to the SaaS applications, leading to potential losses for the client organization. Providers must invest in robust network infrastructure to ensure high availability and low latency.

267

268

Cloud Security Considerations

Managing the operating system and the enterprise applications is also within the provider’s purview. The provider ensures the operating system, which forms the backbone for running the SaaS applications, is secure, stable, and updated. They also handle updates and maintenance of enterprise applications, ensuring they’re equipped with the latest features and security patches.

Cloud computing deployment models Cloud computing is versatile and offers several deployment models tailored to meet different organizations’ specific needs and requirements. These models have pros, cons, and unique security challenges. The chosen deployment model should align with the organization’s business goals and mission requirements. Let us have a look at some of the deployment models that cloud computing has to offer.

Public cloud A public cloud is a cloud computing model where a cloud service provider provides services and infrastructure off-site over the internet. The public cloud is a multi-tenant environment, meaning that resources such as servers, storage, and network devices are shared among multiple users or ‘‘tenants.’’ While resources are shared, each tenant’s data and applications remain isolated from others to ensure privacy and security.

Figure 11.4 – Public cloud

Public cloud services are typically sold on-demand, allowing customers to pay per usage for the CPU cycles, storage, or bandwidth they consume. This flexibility is one of the main reasons why public clouds are so popular. They allow for scalability to meet workload and user demands, and customers only pay for the resources they use.

Cloud computing deployment models

Service providers in the public cloud model offer resources such as virtual machines (VMs), applications, and storage. This means organizations using the public cloud do not need to invest in hardware or software, reducing these costs and maintenance burdens. Instead, they can focus on their core business operations while enjoying the advantages of a wide array of up-to-date, ready-to-use resources. However, using a public cloud also means that organizations have to trust the service provider with the security and privacy of their data. Although reputable service providers implement robust security measures, data in a public cloud environment is transmitted over the internet and stored in shared environments, which can be a concern for some organizations.

Private cloud A private cloud is deployed within a company’s internal infrastructure, and the services are maintained on a private network. Organizations with unique data security, corporate governance, or compliance requirements may choose this deployment model. In contrast to a public cloud, a private cloud provides dedicated resources such as servers, storage, and networks to a single tenant or organization. This means that resources are not shared, providing higher levels of control and security. It’s essentially a scalable and customizable environment that offers the benefits of cloud technology, such as elasticity and self-service capabilities while retaining greater security, control, and performance. In a private cloud environment, an organization can manage its resources more effectively, tailor them to suit its specific business needs, and modify them as required. This customization is one of the main attractions of the private cloud model. Also, because the infrastructure is not shared with other organizations, the private cloud can offer improved levels of security, making it a popular choice for businesses handling sensitive or regulated data.

Figure 11.5 – Private cloud

269

270

Cloud Security Considerations

Private clouds can either be on-premise, managed internally by the organization’s IT team, or hosted externally by a third-party provider. In both scenarios, the private cloud environment is solely for the use of one organization, offering the most control over data, applications, and security.

Community cloud A community cloud can be viewed as a subset of a public cloud. The difference here is that it is exclusive to specific entities such as business groups, research organizations, or government agencies with aligned interests, often regarding security, compliance, jurisdiction, or industry-specific considerations. In this model, the member organizations share the cost of constructing and maintaining the cloud infrastructure, making it more cost-effective than private cloud models while offering greater control and security than a public cloud. Much like the public and private clouds, a community cloud provides significant scalability, self-service, and elasticity. However, it also offers a higher level of privacy, security, and policy compliance, often tailored to the unique needs of the specific community. One of the key advantages of a community cloud is that it addresses the specific requirements of a business community. For instance, a group of healthcare providers might establish a community cloud to comply with stringent HIPAA regulations. Similarly, financial institutions may set up a community cloud that meets their specific compliance mandates.

Figure 11.6 – Community cloud

Cloud computing deployment models

Hybrid cloud In a hybrid cloud, an organization operates a private cloud for sensitive operations or workloads and uses the public cloud for high-volume, less- sensitive operations. The private and public clouds operate independently, communicating over an encrypted connection, allowing for the portability of data and applications. This cloud computing model is often chosen by organizations that want the flexibility of the public cloud, along with the security and control of a private cloud. It enables an organization to use the public cloud’s resources to meet temporary needs in demand. This prevents the organization from investing in and maintaining costly infrastructure that would otherwise remain unused. One of the key advantages of a hybrid cloud model is its balance between cost effectiveness, high scalability, and security. It allows businesses to maximize their spending by utilizing the public cloud for all non-sensitive operations and relying on the private cloud for business-critical operations or when additional security is required.

Figure 11.7 – Hybrid cloud

In the next section, we will see the various strategies organizations use to efficiently oversee their cloud resources and services.

271

272

Cloud Security Considerations

Cloud computing management models Two business models play a primary role in enabling the transition of businesses to cloud platforms: managed service providers (MSPs) and cloud service providers (CSPs). While MSPs oversee the daily operations and security of an organization’s cloud-based assets, CSPs deliver the foundational services that make cloud computing viable. This section will explore these concepts in more detail.

Managed service providers MSPs are third-party companies that organizations hire to manage, maintain, and ensure the operations of their IT assets within their cloud environment. They also assist companies in their transition to the cloud. When an organization migrates to a cloud computing environment, the traditional IT infrastructure — servers, network equipment, enterprise applications, end-user systems, and security measures — also transitions. This is where MSPs come in, ensuring these cloud-based assets are secured, maintained, and run efficiently. MSPs can manage an organization’s virtual servers, ensuring they’re appropriately configured, updated, and secured. Network management is another area an MSP can have responsibility for within the cloud. As networks in the cloud differ from traditional networks, MSPs ensure effective and secure network operations in this unique environment. MSPs can also manage enterprise applications that have been migrated to the cloud. They ensure these applications operate as expected and meet business requirements for availability. Security operations in the cloud can also fall under the domain of MSPs. They deploy and manage cloud-based security systems, conduct regular security audits, implement security protocols, and handle cloud-specific threats. MSPs can be invaluable for organizations that may not possess the internal expertise or staff required to manage their cloud services.

Cloud service providers CSPs are integral to cloud computing, providing essential services that underpin an organization’s cloud-based operations. CSPs can be massive global corporations or smaller niche firms, each offering various services suited to different business needs and goals. It’s common to group the services they offer into the three broad categories covered earlier (IaaS, PaaS, and SaaS). But it’s worth noting that the portfolio of a CSP typically extends well beyond these categories. CSPs tailor their offerings to meet specific needs, from services such as machine learning capabilities and data analytics to services focused on disaster recovery. Many CSPs don’t only provide technical services but also guide a company’s transition to the cloud. They offer necessary tools, resources, and expert advice, supporting organizations through each stage of the migration process. This can include the initial assessment phase, planning and implementation of the migration, and continued support post-migration.

Special considerations for cloud computing

In addition to facilitating cloud migration, CSPs also offer services to streamline the operation of cloud infrastructure. They provide tools that allow organizations to monitor resource usage, track costs, enhance performance, and manage security effectively. Security is a key concern when considering cloud adoption. The security measures a CSP implements to protect the cloud environment should be carefully scrutinized by organizations. A suitable CSP ensures adequate security practices, and their cloud environment is secure.

Special considerations for cloud computing Significant challenges can often accompany the promise of cloud computing. Businesses considering a transition to the cloud must grapple with many critical considerations, spanning the business, technical, and security domains. Amid the allure of increased efficiency and reduced costs, avoiding complacency is essential. An ill-planned move to the cloud can lead to unexpected difficulties and, in the worst case, security breaches.

Cloud computing data security One of the foremost concerns as an organization shifts its data to the cloud is, unsurprisingly, data security. The pressing need to secure organizational data doesn’t disappear with a transition to the cloud; it often becomes more pronounced. The shift to a cloud-based IT infrastructure will necessitate a range of critical decisions on how best to ensure the security of your organization’s information.

Data location Where your data resides in the cloud isn’t just a matter of convenience or cost; it carries substantial implications for security and compliance. One key consideration is whether your organization’s compliance requirements mandate that your data remains within a specific country or geographical region. The intricacies of data sovereignty and privacy laws mean that the physical location of your data is more critical than ever. It’s vital to work closely with your cloud service provider to understand your data center’s location and that it aligns with your organization’s requirements. The application of security controls across locations is another factor to examine carefully. It’s a common misconception that security measures will automatically apply uniformly across all geographic areas within a cloud environment. However, the reality can be far more complex. You’ll need to engage in depth with your vendor to fully understand how data security controls are implemented across different locations. Understanding how data moves between locations within the cloud is another aspect that warrants scrutiny. As data travels from one point to another, security controls must remain intact during transmission. Understanding the mechanisms by which data is transferred and the measures to secure that data during transit is fundamental to your cloud security strategy.

273

274

Cloud Security Considerations

Data access The benefits of cloud computing—scalability, accessibility, cost-efficiency—become a double-edged sword if data access is not properly understood and controlled. Developing a comprehensive understanding of your data usage, the parties accessing the data, and the requisite security controls is integral to a successful and secure cloud implementation. There are several key questions to address in terms of data access: • The first pertains to how your organization’s data will be utilized. This involves understanding the needs of your business or mission and conducting appropriate data categorization exercises. The nature of the data—financial records, customer data, or internal communication—significantly affects how it should be handled and protected. Understanding the sensitivity of your data relative to your organization’s objectives is critical in shaping an effective cloud architecture that meets your needs. • The second question is who will be accessing the data? Your cloud data’s permissions and user roles must be meticulously managed. This isn’t just about preventing unauthorized access but also about ensuring authorized users can access the data they need quickly and easily. Are only internal employees accessing the data, or do external partners also require access? Are there different levels of access depending on the user’s role in the organization? You need to consider these types of questions to manage data access appropriately. • The final question to understand revolves around the locations where users access data. This could range from your corporate network to partner networks or public Wi-Fi hotspots. Understanding all potential access scenarios is critical for developing robust conditional access policies. Based on factors including the user’s role, device, location, and the data they’re attempting to access, the level of security applied can be dynamically adjusted during each access attempt.

Storage considerations The chosen service model (IaaS, PaaS, or SaaS) significantly influences the data storage options available to you. Furthermore, the level of control you can exert over your data and its underlying storage can differ depending on the chosen model. Consequently, selecting suitable security controls for your organization’s storage must be carefully reviewed for the selected cloud service model.

Storage types Each model requires a different approach to securing data storage: • With IaaS, you’re in charge of securing your data at both rest and transit. This means implementing encryption, managing keys, and setting up secure data-transmission connections.

Special considerations for cloud computing

In IaaS, the service provider provides storage resources based on the customer’s needs for the organization’s cloud infrastructure. These resources are typically allocated to virtualized hosts and are often presented to operating systems as filesystems. Two key storage types exist within this model: ‚ Object storage: This storage type uses an Application Programming Interface (API) or a web-based file storage approach. Examples of this storage type include Amazon S3 and Microsoft Azure. Object storage is designed for storing vast amounts of unstructured data, such as multimedia content and web application data, providing scalability, data redundancy, and high availability. ‚ Volume storage: This operates the same way as physical hard drives and attaches to virtualization host software such as VMware or Linux kernel-based virtual machines (KVM). It’s beneficial for use cases where data needs to be frequently accessed and changed, as it provides high-performance read and write operations. • PaaS requires similar considerations but adds another layer of complexity. Since you’re also handling application data, you’ll need to ensure that the application handles data securely when storing and retrieving it from the storage layer. In this model, the service provider takes care of all the underlying infrastructure aspects and exposes APIs, allowing developers to store data on the provided storage. PaaS storage types are as follows: ‚ Structured data storage: This type is characterized by its high level of organization and searchability. Structured data storage is typically used to manage data that can be easily categorized in a fixed schema, such as a database for customer information or transactional data. ‚ Unstructured data storage: This storage type caters to data that does not adhere to a particular format or structure, encompassing items such as text files, videos, and social media posts. It is often deployed for storing and analyzing large volumes of diverse data that don’t fit neatly into a table. • With SaaS, your control over data security is more limited. However, you should ensure that the SaaS provider has robust security measures, such as data encryption at rest and in transit. In this model, the CSP bundles the web-based application and the cloud storage as a single, unified offering. This implies that managing cloud storage is usually accomplished via an administrative web-application component. This model abstracts all the complexity associated with data storage management, allowing users to focus solely on using the application. The storage type here is typically a blend of structured and unstructured data storage, managed and maintained by the SaaS provider.

275

276

Cloud Security Considerations

Storage threats Identifying and understanding potential threats to data stored in the cloud is essential. While these threats often resemble the risks encountered in traditional organization-hosted systems, addressing them in the context of cloud storage can demand a more innovative approach, particularly due to the lack of direct access to the underlying storage infrastructure: • Unauthorized data access can occur when the CSP systems are incorrectly configured or infiltrated by hackers. • Data exfiltration signifies unauthorized data transfer from the cloud. Causes of this can range from system misconfigurations and cyber attacks to intentional misconduct by the CSP. • The improper sanitization or destruction of data is another concern. When a cloud asset has fulfilled its purpose and is decommissioned, its data must be thoroughly cleaned to avoid unintentional exposure or recovery. Failure to do this properly opens the door to potential data leaks or breaches. • Regulatory non-compliance can occur if the CSP’s configuration is incorrect or lacks the requisite elements to fulfill data protection and privacy regulations. This can have severe repercussions, including hefty fines and reputational damage, emphasizing the importance of selecting a CSP compliant with regulatory requirements. • Data integrity compromise occurs when data is manipulated, deleted, or damaged, which impacts its trustworthiness and usefulness.

Encryption Encryption is vital for safeguarding data and maintaining data confidentiality within the cloud. When adopting encryption capabilities for your cloud computing environment, you must ensure that the chosen technologies are compatible with your specific cloud platform, abide by your organization’s policies and rules, support your business and mission objectives, and meet all relevant regulatory requirements. Encryption has numerous use cases in the cloud environment: • Data in transit: Employ encryption when data is being moved within and outside the cloud. This helps prevent unauthorized access during the data transmission process. • Data at rest: All data residing on cloud storage should be encrypted. This measure ensures that even if data were physically removed, it would remain inaccessible without the correct decryption key. • Data destruction: Once a cloud resource has exhausted its useful life, encryption can be used to render the data it contains unrecoverable. This prevents any residual data from being exploited after resource retirement.

Special considerations for cloud computing

• Multitenancy: In a multitenant cloud environment, encryption aids in maintaining clear separations between different customers’ data, enhancing privacy and data security. • Compliance with regulatory requirements: Numerous compliance standards necessitate data encryption at rest and in transit. However, you should be aware of specific challenges associated with encryption: • Encryption key management: In many cases, the CSP fully manages the cloud infrastructure’s encryption capability, including the encryption keys. If the CSP is in charge of your encryption keys, you might not fully trust your encryption mechanisms as the CSP could potentially decrypt your organization’s data. As a solution, consider managing your encryption keys if your CSP provides this functionality. Additionally, have customer key management as a requirement when choosing a cloud service provider. However, it’s worth noting that managing your own encryption keys can add an administrative burden to the IT department, and you will need to account for this from a resource perspective. • Data in use: Typically, when data is in use, it’s unencrypted somewhere in the information systems, either in memory or physical/virtual storage. While this data is being processed, it’s vulnerable to unauthorized access by individuals with elevated privileges within the cloud computing infrastructure. • Performance: Encryption may adversely affect performance depending on the cloud computing implementation. This impact is especially significant in high-performance and mission-critical applications. • Complexity: Encryption can affect how data replication, backups, and disaster recovery occur. It is important to devise an encryption strategy that adequately secures information and ensures that business/mission processes continue functioning effectively.

Data loss prevention Data loss prevention (DLP) in the cloud is critical to managing and securing sensitive organizational data. DLP tools provide a comprehensive approach to protect, monitor, and manage data across various cloud environments. These tools are engineered to deter unauthorized access, loss, and exfiltration of valuable data, thus serving as a substantial line of defense for cloud-based data security. At its core, a DLP solution incorporates stringent access control rules to regulate who can access the data and to what extent. This functionality is important to prevent unauthorized access to information, ensuring only approved users can interact with the data based on their defined roles and privileges. Along with access controls, DLP tools typically generate extensive logs and audit trails that provide detailed visibility into the data life cycle. These logs capture every interaction with the data, such as who accessed it, when, from where, and what actions were performed on it. This comprehensive visibility allows organizations to monitor data in real time.

277

278

Cloud Security Considerations

DLP solutions employ sophisticated rule sets that generate alerts when certain conditions are met. These rule sets are customizable to fit specific organizational requirements and risk thresholds. They can be designed to trigger alerts for various scenarios, such as unauthorized data access, suspicious data transfers, and potential regulatory compliance violations. DLP tools provide preventative measures to prevent unauthorized data from being accessed or extracted. They accomplish this through various methods, such as data encryption, masking, and anonymization. For instance, encryption converts data into an unreadable format that can only be deciphered with a unique decryption key, making it practically inaccessible to unauthorized users. Similarly, data masking and anonymization techniques remove or replace sensitive data elements, ensuring that the data remains valid for legitimate users but useless for potential attackers.

DLP life cycle The Data Loss Prevention (DLP) life cycle consists of several stages, each of which plays an important role in maintaining data security, especially in a cloud computing environment. The phases of this life cycle provide a framework for implementing DLP strategies that cater to your organization’s specific needs. The DLP process begins with Discovery and Classification. It involves identifying and categorizing the data that your organization generates and manages. You cannot determine the appropriate security measures or rules without a thorough understanding of your data. By mapping your internal information (intellectual property) to the cloud computing architecture components (hardware/software), you can visualize how data moves and where potential vulnerabilities may lie. In this phase, leverage the guidance related to data categorization provided earlier in the book. Following the classification, the Monitoring phase begins. In this stage, the DLP system constantly monitors your data usage, examining both inbound and outbound data flow. Usage policies guide this monitoring based on business requirements and data criticality. Your DLP system must be architecturally sound and able to supervise all available ingress and egress points for your data. It should also promptly detect any unusual activities or potential threats. The final stage is Enforcement, where your pre-established DLP policies come into play. In this phase, the DLP system grants access or triggers restrictions and alerts for data requests based on the set rules. When a violation of a predefined policy occurs, the DLP system leaps into action, taking an enforcement measure to protect organizational information. Enforcement actions can take various forms, including the following: • Alerting: If there is a policy violation or security issue, alerts can be dispatched to the DLP system administrator, the relevant managers, or the Security Operations Center (SOC). Prompt alerts ensure a swift response and the mitigation of potential damage.

Special considerations for cloud computing

• Logging: For forensic purposes and in-depth analysis, maintaining logs is crucial. They can be forwarded to a Security Information and Event Management (SIEM) system, which provides a consolidated view of security threats and incidents. • Blocking: In case of severe policy violations, requests to access certain information can be blocked outright, adding another layer of security. • Requesting additional permissions: Depending on the circumstances, workflows can be triggered to either positively identify the requesting user or to require permission from a higher authority for data access.

Cloud computing DLP considerations When architecting a Data Loss Prevention (DLP) strategy for your cloud computing environment, several key considerations come into play, especially concerning policy development. These considerations form the foundation of your DLP policy, determining how, where, and by whom your organizational data is accessed, stored, and used in the cloud: • Determine when and under what circumstances data is allowed to leave the cloud environment. • Consider how organizational data should be stored and the protective measures the DLP system should implement for storage. • Determine what kind of data should be stored in the cloud. Depending on your policies, not all data may be suited for cloud storage. • Identify whether your organization possesses certain information that should never be stored in the cloud environment. • Determine how data should be accessed. • Understand what compliance requirements, rules, and laws need to be enforced.

Identification, authentication, and authorization in the cloud Using cloud services within your organization necessitates effective management of your organization’s user identities. One practical approach to managing user identities is federation, which involves integrating your organization’s identity provider with your cloud services. This approach ensures that your cloud services depend on a single source of identity. It also allows you to establish and enforce security policies and access controls.

279

280

Cloud Security Considerations

Figure 11.8 – Federated identity

Identification considerations Cloud service providers have adopted several standards that facilitate the sharing of identity credentials. Key among these are OpenID, OAuth, and Security Assertion Markup Language (SAML). OpenID is an open standard and decentralized protocol for authentication, enabling users to be authenticated using a third-party service. OAuth is another open standard for access delegation. It primarily allows internet users to grant websites or applications access to their authentication information on other sites without disclosing their passwords. SAML, predominantly used within corporate environments, enables the federation of internal directory services with cloud services. It provides a standardized means of exchanging authentication and authorization data between different parties, typically an identity provider and a service provider. When selecting a cloud service provider, ensuring they support federation standards is important. Adherence to these standards is beneficial for interoperability and the ease of identity management and contributes significantly to the cloud environment’s security. If a cloud vendor doesn’t support these standards, exploring alternatives that support federation is recommended.

Authentication configurations Managing authentication configurations effectively is crucial in securing your cloud environment’s security. This process happens as part of the federation between your cloud service provider and your enterprise’s backend directory service. It verifies the identity of users attempting to access your systems.

Special considerations for cloud computing

An essential part of this process is the addition of multi-factor authentication (MFA) capabilities to your architecture. MFA is a security measure that requires users to provide two or more verification factors to gain access to a resource, such as an application, online account, or VPN. This enhances the level of security beyond what a simple username and password can provide. Implementing MFA should be an obvious consideration when you decide to federate your internal directory with external cloud services. This is because a federation with an external service amplifies your overall threat surface due to the necessity for most cloud services to be accessible via the internet. With your cloud platforms accessible to the entire internet, your usernames and passwords become potential targets for malicious actors who might attempt to breach your security. These bad actors can test your credentials across your cloud platforms, creating potential vulnerabilities. In such scenarios, MFA serves as an added layer of protection by requiring more information beyond just the username and password pair for authentication. By adding a second factor (and often a third) to your authentication process, you ensure that the user associated with the account needs to be present and available to validate their login attempt. This could be anything from a text message sent to their mobile device to a fingerprint scan or a hardware token. These additional authentication factors make it significantly more challenging for potential attackers to gain unauthorized access to your accounts.

Authorization considerations The authorization process occurs within the cloud service provider’s infrastructure after completing an application or service’s identification and authentication procedures. Essentially, authorization governs an authenticated user’s permissions within a system or network. Unlike some elements of the cloud environment, managing authorization typically falls within the purview of the customer rather than the CSP. This means that the onus of managing and controlling who has access to what data, services, and resources within your cloud infrastructure falls to the organization. The level of access that each user, group of users, or service has must be managed to ensure that they only have the access they need to perform their tasks and no more. This principle is often called the principle of least privilege. Creating and maintaining authorization policies is critical to protecting your organization’s data and assets in the cloud. These policies define who has access to specific datasets, services, or resources, under what circumstances that access is allowed, and what they can do with it once granted. Policies should be routinely reviewed and updated to align with evolving business needs, regulatory requirements, and threat landscapes. Any changes to your cloud infrastructure, such as the addition of new services, adjustments to user roles, or shifting business operations, could impact your authorization policies. These changes must be effectively reviewed, managed, and reflected in your authorization configurations. Monitoring should also be in place to track and review authorization decisions, looking for anomalies that could indicate a misconfiguration or a potential security threat.

281

282

Cloud Security Considerations

Navigating the cloud computing environment presents an intricate landscape of opportunities and challenges. As cloud technologies continue to evolve and increase in adoption, the significance of data security grows concurrently. By understanding the threats, leveraging the available mitigations, and staying abreast of advancements in cloud security technologies, organizations can ensure they’re well prepared to secure their data and optimize their operations in the cloud environment.

Monitoring and logging considerations Ensuring comprehensive, efficient, and secure logging in a cloud environment can help organizations detect and respond to security incidents, comply with regulatory requirements, and gain insights into the overall health of their cloud infrastructure. Cloud environments can differ significantly from traditional on-premises systems in their architecture, scale, and rate of change. One key difference is that cloud environments are often highly distributed and involve multiple data centers, regions, or more than one cloud provider. This distribution makes logging more challenging, requiring collecting logs from all parts of the cloud infrastructure, including virtual machines, containers, and other cloud resources. Another challenge for cloud logging is the volume of data generated. Cloud environments can produce vast amounts of log data, making storing, processing, and analyzing all the information difficult. Organizations must manage their log data volume to ensure they capture the necessary information without being overwhelmed by the sheer volume of data. Depending on your configuration, resources can be created and destroyed on demand in a cloud environment, leading to a constantly changing environment. This dynamic nature can make it challenging to keep track of log data sources and ensure that logs are captured from all relevant resources. Furthermore, the ephemeral nature of some cloud resources, such as containers, adds a layer of complexity to logging, as logs must be captured and retained even after the resource has been terminated. The number of cloud services and providers can also pose challenges for logging. Different services may generate logs in different formats, making it difficult to correlate data across services. Furthermore, cloud providers may have varying levels of support for logging features, and organizations may need to adapt their logging practices to fit the capabilities and limitations of their chosen providers. In addition to the technical challenges of cloud logging, organizations must also contend with regulatory requirements. Many industries and regions have specific regulations governing cloud environment monitoring and logging. Organizations must ensure that their logging practices comply with these regulations, which may include requirements for log retention, encryption, and access controls. Despite these challenges, effective cloud logging is essential for a robust security and compliance posture. Organizations can adopt several best practices to overcome the difficulties of cloud logging: • Distributed architecture: Resources may be spread across multiple regions or cloud providers in cloud environments. This can make centralized logging more challenging. Use log collection agents that can be deployed across multiple regions or cloud providers to collect and forward logs. Additionally, use centralized log management systems that support data aggregation and correlation capabilities across distributed environments. The system should be able to ingest logs from different sources and centralize them in a single repository.

Special considerations for cloud computing

• Log data volume: Cloud environments can generate massive amounts of log data. Handling this volume of data can be challenging regarding storage, processing, and analysis. Employ log filtering capabilities to select only relevant logs based on specific criteria such as keywords, source, or severity level. Log rotation and archiving capabilities automatically move older logs to less expensive storage or delete them. Enable log compression to reduce storage space requirements. • Dynamic infrastructure: Cloud environments can be highly dynamic, creating and destroying resources on demand. This can make it difficult to track the source of log data. Utilize resource tagging capabilities in your cloud environment to assign metadata to each resource, making it easier to identify the source of logs. Leverage automated discovery capabilities in your log management system to detect new resources and start collecting logs from them automatically. The system should be able to adapt to changes in the environment without manual intervention. • Lack of standardization: Different cloud services may generate logs in different formats, making it difficult to correlate data across services. Use log normalization capabilities in your log management system to convert logs from different sources into a standard format. Implement log parsing capabilities to extract key information from unstructured logs and structure them according to a predefined schema. • Ephemeral containers: In containerized environments, containers can be short-lived, making capturing and retaining logs difficult. Implement log forwarding capabilities in your container environment, where logs are immediately sent to a separate log management system as soon as they are generated. Use log collection agents that can run alongside containers and capture logs even from short-lived containers. Configure the agents to forward logs to the central log management system immediately.

Security automation considerations Security tasks need to be automated in cloud environments due to the complexity inherent in cloud environments. Automation offers the advantage of reducing human errors, streamlining security operations, and providing a more rapid response to security incidents. Security automation involves integrating security tools, processes, and workflows to automate tasks previously done manually. This includes vulnerability assessments, incident response, log analysis, and configuration management, among other tasks. Automation tools can be configured to detect abnormal behavior, respond to security alerts, or enforce security policies without human intervention. One challenge related to automation is dealing with the sheer volume of data. In a cloud environment, vast amounts of data are generated, transmitted, and stored. It becomes impossible for a security team to manually analyze all the data to identify potential threats or anomalies. Another challenge is the dynamic nature of cloud environments. With virtual machines, containers, and microservices, the cloud infrastructure is constantly changing. This makes it difficult for security teams to keep track of the various components and their configurations. Cloud environments often comprise multiple cloud providers, security tools, and platforms, making interoperability a significant challenge in security automation. It is important to ensure that all of the components in an organization’s cloud

283

284

Cloud Security Considerations

infrastructure can be adequately monitored and that proper context can be established between tools to better understand whether anomalies exist. The implementation of security automation in a cloud environment requires a well-thought-out strategy. Organizations should start by identifying the security tasks that can be automated and the tools that can be used to accomplish these tasks. It is essential to evaluate and improve the security automation strategy continuously. Just as threats evolve, security automation must evolve to meet the challenges your organization’s adversaries bring. Security automation requires maintenance and attention and must be monitored to ensure it is appropriately tuned to support your organization’s requirements and threats. This involves regularly reviewing the effectiveness of automation tools, updating threat intelligence, and adjusting automation rules. Organizations can adopt several best practices to overcome the difficulties of cloud security automation: • Infrastructure as Code (IaC) and Policy as Code (PaC): The dynamic nature of cloud environments, marked by constant changes in infrastructure and configurations, makes manual management prone to errors. The capability to automate the deployment, configuration, and management of infrastructure and security policies is critical. By defining infrastructure and security policies in code, organizations can ensure that resources are provisioned securely and consistently, minimizing the risk of misconfigurations. • Automated vulnerability management capabilities: Resources and services in an organization should be continuously assessed for vulnerabilities and misconfigurations. Automating vulnerability scanning of cloud resources, applications, and configurations is essential. This capability allows organizations to integrate security assessments throughout the SDLC, ensuring vulnerabilities are detected during the development and deployment phases for systems, services, and applications. • Integration with SIEM capabilities: The ability to automatically integrate cloud security data with SIEM solutions facilitates real-time correlation and analysis of security events. Automating the ingestion of logs into SIEM systems allows organizations to detect and respond to security incidents by correlating security events. • Automated incident response capabilities: Rapid containment and mitigation of security incidents are vital in minimizing their impact. Automating incident response workflows enables organizations to respond to security incidents quickly. Automating predefined actions using security orchestration, automation, and response tools in response to specific security alerts, such as isolating compromised resources or revoking access credentials, enhances an organization’s incident response capabilities. • Compliance automation capabilities: Compliance requirements often mandate continuous monitoring and reporting of cloud security controls. The ability to automate compliance assessments streamlines this process by automatically collecting and analyzing evidence of security controls, generating reports, and alerting on non-compliance.

Special considerations for cloud computing

Secure application development considerations The expanded attack surface cloud platforms present results from their inherent complexity and distributed architecture, often spanning multiple services and sometimes different providers. Cloud environments introduce unique vulnerabilities, unlike traditional systems, where security measures might be concentrated on physical hardware or specific networks. One key concept in cloud security is the shared responsibility model. Cloud service providers and their clients share specific security duties in this framework. While providers typically focus on securing the underlying infrastructure or platform, clients are responsible for securing the applications they develop and deploy. This distinction emphasizes the importance of proactive security practices in application development for the cloud. Ensuring application security goes beyond just following conventional security guidelines. It demands a specific approach, considering the cloud’s unique attributes and potential vulnerabilities and the specific requirements of the application being developed. Developers must be well acquainted with the cloud environment they are working in and understand the potential threats specific to that environment. By embedding security practices at every stage of the SDLC, developers can reduce risks and create resilient applications that can withstand possible attacks. Organizations can adopt several best practices to overcome the challenges of secure application development: • Implement a DevSecOps approach: Integrate security into the DevOps pipeline. This ensures that security considerations are not tacked on at the end but are integral to the SDLC. Tools that automatically check code for security vulnerabilities can be integrated into the Continuous Integration/Continuous Deployment (CI/CD) pipeline, ensuring security checks occur at multiple stages of development. • Educate development teams: Continuous training of development teams on the latest cloud and application security best practices is critical. Equip these teams with the knowledge and tools to identify and address potential security concerns in their code. • Incorporate secure coding from the start: Security should be a primary consideration from the initial stages of application development. Using secure coding practices tailored to cloud platforms helps counteract common vulnerabilities. • Secure APIs: Cloud applications rely on APIs. Ensure that APIs have strong authentication mechanisms in place. Regularly review and update API permissions and monitor API access logs for suspicious activity. • Routinely test for vulnerabilities: Regularly schedule static application security testing (SAST) and dynamic application security testing (DAST). While SAST can identify potential vulnerabilities in the application’s code base without running the application, DAST tests the application in its operational environment, spotting vulnerabilities that manifest only during runtime.

285

286

Cloud Security Considerations

• Ensure secure configurations: Misconfigurations can lead to unnecessary vulnerabilities. Ensure that cloud resources, such as storage buckets or databases, are not inadvertently left open to the public. Utilize automated tools to scan and flag potential misconfigurations in the cloud environment. With this, we have come to the end of the chapter.

Summary In this chapter, we discussed concepts of cloud security architecture, focusing on considerations for creating a secure and reliable cloud solution tailored to your organization’s specific requirements. Our discussion also encompassed the unique characteristics of cloud computing; the varied service, deployment, and management models adopted by cloud service providers; some critical points concerning cloud application security; and some best practices to address security concerns that may arise. As we transition to the next chapter, we will discuss the concept of zero trust. In the next chapter, we will provide you with an understanding of many of the best practices needed to support a practical understanding of the zero trust framework, focusing on the pillars that comprise the framework.

12 Zero Trust Architecture in Information Security Zero Trust has emerged as a key architectural framework in modern information security, challenging traditional models by fundamentally shifting how organizations perceive trust and access to data and information systems. This chapter discusses the principles that underpin Zero Trust, traces its historical evolution, underscores its critical role in contemporary cybersecurity, contrasts it with conventional perimeter-based security paradigms, and details the pillars that comprise Zero Trust. The following topics will be covered in this chapter: • Zero Trust and its principles • The history of Zero Trust • The importance of Zero Trust in cybersecurity • Shifting from traditional perimeter-based security • Pillars of Zero Trust

Zero Trust and its principles Zero Trust is a security architecture approach that starts with the premise that every element on the network could potentially be harmful or already compromised. Therefore, access to any application is only provided after the user’s identity, the status of the device, and the relevant business context have been thoroughly validated and policy checks have been applied. Under this system, all traffic must be logged and scrutinized. This approach starkly contrasts with the traditional “trust but verify” model, which assumes that users, devices, and networks within an organization’s perimeter are inherently trustworthy.

288

Zero Trust Architecture in Information Security

The need for a Zero Trust approach has become increasingly apparent as organizations grapple with the reality of data breaches, insider threats, and the growing complexity of modern IT environments. With the rise of cloud computing, mobile devices, and remote work, the traditional perimeter has blurred, making it difficult for organizations to maintain a clear boundary between trusted and untrusted networks. Zero Trust moves from the conventional “trust but verify” approach to a more skeptical “never trust, always verify” mindset. Rooted in the belief that organizations cannot fully trust any user, device, or network, regardless of their origin or position within the organization’s perimeter, Zero Trust fundamentally alters how security is implemented and managed. At the core of Zero Trust is the assumption that breaches are inevitable, and therefore, organizations must implement multiple layers of security and access control to minimize the potential damage. By treating every access request as a potential threat, a Zero Trust architecture shifts organizations to scrutinize all users, devices, and network traffic, both internal and external, to ensure that only legitimate, authorized entities are granted access to sensitive resources. The Zero Trust philosophy hinges on several fundamental principles that, when combined, offer a robust, granular approach to cybersecurity: • Never trust, always verify: No user, device, or network should be trusted by default, even if it originates within the organization’s network or has previously been verified. Every access request must be authenticated, authorized, and encrypted before being granted access to resources. • Least-privilege access: Users, devices, and applications should be granted the minimum access to perform their designated tasks. By limiting access to sensitive data and systems, organizations can reduce the risk of unauthorized access and the potential for lateral movement within the network. • Microsegmentation: Network segmentation is taken to a more granular level, dividing the network into smaller, isolated segments based on factors such as user roles, device types, and application requirements. This compartmentalization minimizes the potential impact of a breach, as attackers are restricted to accessing only the compromised segment. • Continuous monitoring and analytics: Zero Trust requires ongoing monitoring and analysis of network activity to identify anomalies, potential threats, and compromised assets. By continuously tracking and analyzing user behavior, device status, and network traffic, organizations can detect and respond to threats more rapidly and effectively. • Data-centric security: Zero Trust focuses on protecting data, not just network perimeters. Organizations must prioritize data encryption, both at rest and in transit, and implement strong access controls to ensure that sensitive data is only accessible by authorized users. • Adaptive and risk-based policies: Zero Trust security policies should be dynamic and adjusted in real time based on the risk level of each access request. Factors such as user behavior, device health, and network context should be considered when determining the appropriate level of access and security measures to be applied.

The history of Zero Trust

While implementing a Zero Trust architecture can be challenging, particularly for organizations with complex legacy IT environments, the benefits are substantial. By adopting a Zero Trust approach, organizations can better protect their sensitive data and systems, minimize the potential impact of breaches, and ensure they remain compliant with ever-evolving data protection regulations.

The history of Zero Trust The history of Zero Trust spans several decades and can be traced back to the early days of computer networks. While the term “Zero Trust” was not coined until 2010 by John Kindervag, a former analyst at Forrester Research, the underlying principles have evolved since then, shaped by technological advancements and the changing threat landscape. To fully understand the concept’s development, we must delve into the milestones that contributed to its inception and growth. Initially, computer networks were designed with an inherent level of trust. The idea was that internal systems and users within a network were secure, and any threat would come from external sources. This was the foundation of the traditional “castle-and-moat” approach to network security, which focused on creating a strong perimeter around an organization’s resources to keep external threats at bay. However, as technology evolved and the internet began to take shape, the limitations of this approach became increasingly apparent. The widespread adoption of new technologies such as cloud computing, mobile devices, and the Internet of Things (IoT) expanded the network perimeter beyond traditional boundaries, making it difficult for organizations to maintain a secure environment. In addition, insider threats, whether intentional or accidental, further exposed the weaknesses of the castle-and-moat model. The need for a new network security approach culminated in the Zero Trust concept. The foundation for this paradigm shift can be traced back to the late 1990s and early 2000s when a series of papers and research studies began to question the efficacy of the traditional security model. Among these, the “De-perimeterisation” paper, published by the Jericho Forum in 2005, argued that organizations should focus on securing data rather than relying on network perimeters. In 2009, Google introduced the “BeyondCorp” initiative, a pioneering project to revolutionize how the company approached network security. The BeyondCorp model was based on the principle that access to resources should be determined by contextual information from the user and their device, regardless of location, rather than relying on a traditional VPN-based model. This approach was one of the first practical implementations of the Zero Trust principles and served as a blueprint for other organizations. In 2010, John Kindervag formally coined the term “Zero Trust” and further developed the concept by introducing the “Zero Trust Network Architecture.” This model focused on the idea that organizations should “never trust, always verify” when granting access to their resources. It advocated for a data-centric approach, in which security measures were applied at the data level rather than solely at the network perimeter.

289

290

Zero Trust Architecture in Information Security

The Zero Trust concept began to gain even more attention and traction, partly due to the increasing number and sophistication of cyber-attacks Among these, the SolarWinds supply chain attack exposed the vulnerabilities of traditional security models and emphasized the importance of adopting a Zero Trust approach. In response to the ever-increasing threat landscape and current security architectures’ inability to cope, the US Government published the Cybersecurity Executive Order in May 2021, which called for federal agencies to adopt a Zero Trust architecture. This executive order played a crucial role in promoting Zero Trust principle adoption within the public and private sectors. Also, in 2021, the National Institute of Standards and Technology (NIST) released the “Zero Trust Architecture” (NIST SP 800-207) publication, which provided a comprehensive framework for implementing Zero Trust in organizations. The NIST guidance helped standardize the concept and provided organizations with a roadmap for adopting Zero Trust. By 2023, the Zero Trust concept has become integral to the cybersecurity landscape, shaping how organizations approach security and access control. As technology evolves and the threat landscape becomes more complex, the Zero Trust model is expected to remain an essential aspect of cybersecurity strategy for many years.

Importance of Zero Trust in cybersecurity The importance of Zero Trust in cybersecurity cannot be overstated. As cyber threats continue to grow in number and sophistication, it has become increasingly clear that traditional security models are no longer sufficient to protect organizations from attack. The Zero Trust model, with its “never trust, always verify” approach, provides several critical strategic advantages that support an organization’s security posture: • Changing threat landscape: The rapidly evolving threat landscape necessitates a security model that can adapt to new and emerging threats. With advanced persistent threats (APTs), insider attacks, and supply chain attacks becoming more prevalent, Zero Trust’s focus on continuous validation of trust and granular access control is essential for mitigating these risks. • The proliferation of remote work: The widespread adoption of remote work due to the COVID-19 pandemic has increased reliance on cloud services and remote access to organizational resources. This shift has further blurred the traditional network perimeter and rendered perimeter-based security models inadequate. The Zero Trust model, which assumes that threats can originate from anywhere, provides a more effective means of securing resources in this distributed environment. • Cloud adoption and digital transformation: As organizations increasingly adopt cloud services and undergo digital transformation, the complexity of their IT environments grows, making it more challenging to maintain comprehensive security. The Zero Trust model provides a mechanism for securing data and applications across multi-cloud environments. It ensures access to resources is granted based on a user’s identity and context rather than their location within the network.

Shifting from traditional perimeter-based security

• Compliance and regulatory requirements: Regulatory bodies and industry standards, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), mandate organizations to implement strict security measures to protect sensitive data. Implementing a Zero Trust architecture can help organizations achieve compliance by ensuring that access to protected resources is limited to authorized users and devices and continuously monitored for potential breaches. • Improved security posture: Organizations can significantly improve their security posture by adopting Zero Trust. This approach requires continuous monitoring and evaluation of user and device behavior, which enables organizations to proactively identify and mitigate potential threats before they can cause significant damage. • Reducing the attack surface: Zero Trust focuses on securing resources at the data level rather than just at the network perimeter. Organizations can effectively reduce their attack surface by implementing granular access control policies and segmenting networks, making it more difficult for adversaries to gain a foothold.

Shifting from traditional perimeter-based security As discussed, Zero Trust represents a fundamental shift from the traditional perimeter-based security approaches that have long dominated cybersecurity. This paradigm shift is driven by the recognition that traditional security models are no longer sufficient to protect organizations from the rapidly evolving threat landscape and the transformation of IT infrastructure brought about by new innovations. The “castle-and-moat” approach relies on the premise that internal systems and users within a network are inherently trustworthy, while external threats must be kept at bay. This approach focuses on establishing a strong perimeter around the organization’s resources, using firewalls, intrusion detection and prevention systems (IDPS), and other security measures to prevent unauthorized access. However, the perimeter-based model has several significant limitations that have become increasingly apparent as technology has evolved: • Eroding network boundaries: Maintaining a clear and secure boundary around an organization’s assets becomes nearly impossible as users and devices connect to resources from various locations and across multiple networks. • Insider threats: Perimeter-based security models do not adequately address the risk of insider threats, whether malicious or accidental. By implicitly trusting users and devices within the network, these models can leave organizations vulnerable to attacks that originate from within their walls. • Lateral movement: Once attackers have breached the network perimeter, they can move laterally within the network with relative ease, as internal systems and resources are typically not as well-protected as the perimeter. This can enable attackers to expand their foothold and access sensitive data and resources.

291

292

Zero Trust Architecture in Information Security

In contrast, Zero Trust operates under the assumption that no user or device, whether internal or external, should be inherently trusted. Instead, resource access is granted based on the principle of “never trust, always verify.” This approach has several key advantages over traditional perimeter-based security: • Identity and context-based access control: Zero Trust strongly emphasizes verifying the identity of users and devices before granting access to resources. This involves implementing multi-factor authentication (MFA), risk-based authentication, and attribute-based access control (ABAC) policies that consider the context of each access request, such as the user’s role, device, and location. • Micro-segmentation: Zero Trust advocates for segmenting networks and resources, limiting access to only those users and devices requiring it. This approach minimizes the potential attack surface and makes it more difficult for attackers to move laterally within a network if they manage to breach the perimeter. • Continuous monitoring and validation: Zero Trust emphasizes the need for continuous monitoring and validation of user and device behavior rather than relying on a static security perimeter. This approach enables organizations to proactively identify and mitigate potential threats before they can cause significant damage. • Data-centric security: Zero Trust focuses on securing resources at the data level rather than just at the network perimeter. This involves implementing encryption, data loss prevention (DLP) tools, policy enforcement tools, and other data-centric security measures that protect sensitive information, regardless of where it is stored or accessed. The concept of Zero Trust is built on several key pillars that shape its principles and implementation. These pillars provide the foundation for establishing trustworthiness and security in modern network environments. This will be covered in the next section.

The pillars of Zero Trust The pillars of Zero Trust as defined in the Cybersecurity and Infrastructure Security Agency's Zero Trust Maturity Model constitute the underpinning architecture of a robust cybersecurity strategy that adheres to the principle “never trust, always verify.” These pillars encompass various aspects of an organization’s digital infrastructure, including identity, devices, networks, applications and workloads, and data: • The Identity pillar emphasizes user identity, authentication, authorization, and risk assessment related to securing access • The Device pillar focuses on device trust, asset management, and endpoint security considerations • For the Networks pillar, the emphasis lies on network location, micro-segmentation, network isolation, and Secure Access Service Edge (SASE)

The pillars of Zero Trust

• The Applications and Workloads pillar focuses on the importance of application visibility, control, and the security of workloads in various environments, alongside the role of containerization and virtualization • Data underscores data classification, protection strategies, encryption, tokenization, and data loss prevention In addition to the five pillars, a well-defined Zero Trust architecture relies heavily on enabling capabilities that support the pillars. These capabilities include governance, visibility and analytics, and automation and orchestration. Governance is the overarching rules, policies, and guidelines that shape an organization’s cybersecurity approach. It ensures that there’s a clear structure and procedure in place for every security-related action. Governance ensures that all components, whether applications, datasets, or user access protocols, align with predefined security standards. Additionally, governance is pivotal in ensuring that the organization’s internal security protocols align with any broader external regulations, whether industry-specific standards or national cybersecurity directives. Visibility and analytics give organizations a clear view of all activities within their enterprise. This means continuously monitoring and interpreting data, such as user behaviors, network interactions, and system events. By doing so, an organization can make informed security decisions based on realtime data. When applied to Zero Trust pillars such as identity or networks, this capability analyzes telemetry such as user logins, access requests, and traffic patterns, ensuring any unusual activity is alerted and reviewed. Automation and orchestration involve the leveraging of tools to improve security response times across the organization. This translates into streamlined processes that are both efficient and secure. For instance, automation can be deployed to ensure consistent security configurations, timely updates, and immediate responses to detected threats. All of these automated processes, while minimizing manual intervention, still operate under the strict oversight of the organization. These three enabling capabilities will be discussed throughout our examination of the pillars and best practices in the following sections, highlighting how the enabling capabilities support the pillars to provide a cohesive framework.

Identity pillar The Identity pillar, a fundamental aspect of Zero Trust architecture, serves to ensure that only authorized users are granted access to the resources they require while also blocking access against potential malicious actors. This element of the Zero Trust approach highlights the importance of rigorous identification and authorization controls, ensuring that every entity’s identity is scrutinized and authenticated, regardless of their location or role. This strict validation protocol prevents unauthorized individuals or entities from penetrating the network.

293

294

Zero Trust Architecture in Information Security

Enterprise-wide identity policies For a successful implementation of the Identity pillar in a Zero Trust framework, it is important to establish identity policies that cover the entire organization. These policies should be comprehensive, setting standards for managing and protecting identity information. Including every identity in these policies, regardless of type, strengthens the entire organization’s security. The system should always verify and authenticate any user or device before granting access, irrespective of location or relationship to the organization. Some of the best practices for enterprise-wide identity policies include the following: • Alignment with cybersecurity strategy: The identity policies should align with the organization’s broader cybersecurity strategy. These policies should also be updated as threats evolve to secure the organization. • Clear communication: The policies should be clear and well communicated to ensure everyone in the organization understands their role in maintaining security. This can be achieved through training sessions and regular communications. • Automation: To ensure consistent enforcement of these policies, consider using automation. Automated systems can continuously verify, update, and enforce these policies, reducing the chance of human error and improving overall security. • Regular reviews: Policies should be reviewed and updated regularly for new security developments, technological advancements, and organizational changes. This ensures the policies remain relevant and effective.

Continuous validation of identity Continuous identity validation is critical for maintaining robust security within a Zero Trust framework. No user or device, whether internal or external, should be automatically trusted. They must be verified each time they request access to a system’s resources, not just the first time that access is requested. Continuous validation of identity aligns directly with this principle. Instead of granting long-term or indefinite access after a single verification, continuous validation checks the user’s identity regularly during their session. This means that even if a user’s session is hijacked after being verified, the attacker may not be able to proceed once the information system initiates the next validation check. Some of the best practices for continuous identity verification are as follows: • Use of MFA: Implement MFA throughout your system, choosing phishing-resistant methods such as biometric identification or hardware tokens. This helps to ensure the identity of the user is legitimate. • Continuous authentication: Use systems capable of verifying user identities beyond the initial access point. This continuous authentication helps to ensure that the user is who they claim to be, even if their session has been hijacked.

The pillars of Zero Trust

• Seamless integration: Make sure your MFA systems integrate seamlessly with the various access points within your organization. This helps ensure consistent security regardless of where or how users access the system. • User education: Provide training to ensure users understand the importance of MFA and how to use it. This helps to enhance compliance and reduce the risk of successful phishing attacks.

Real-time identity risk determination Real-time identity risk assessment involves the information system consistently evaluating potential security threats linked to each identity, using ongoing analysis and adaptive rules. Such real-time risk assessment can spot and mitigate threats immediately. Real-time identity risk assessments involve continuously analyzing user behaviors and access patterns to determine their potential risk. This allows for quick identification of any abnormal behavior or access request that deviates from the norm, which could indicate a security threat. By identifying and assessing threats in real time, organizations can respond to and mitigate threats immediately, preventing potential breaches or limiting their impact. Some of the best practices for real-time identity risk assessments are the following: • Deploy real-time risk analysis tools: Use systems capable of instantly analyzing user activities and access patterns as they occur. These tools can promptly spot risky behavior and raise flags for potential threats. • Utilize anomaly detection systems: Incorporate AI/ML-powered technologies to pinpoint deviations from typical behavior patterns. These systems can recognize abnormal activities, which could be a potential security threat. • Activate automated remediation measures: Employ automated tools to respond quickly to identified risks. For example, these tools can immediately limit or revoke a user’s access upon detecting a potential risk.

Automated orchestration of identities Automated orchestration of identities allows for enforcing strict access rules consistently, reliably, and efficiently. It ensures that only authorized users are granted access for the duration required to perform their job. Moreover, it can make these access decisions in real time based on various factors such as user behavior, their role in the organization, and current threat levels. By establishing identity orchestration on behaviors, enrollments, and deployment needs, organizations can align access privileges more closely with actual requirements, reducing the ‘‘attack surface’’ that can be exploited by malicious actors. Some of the best practices for automated orchestration of identities are the following: • Implement Identity and Access Management (IAM) solutions: Use IAM tools that can manage and orchestrate identities across all environments. These tools should allow you to define roles and access permissions and ensure these are consistently applied.

295

296

Zero Trust Architecture in Information Security

• Utilize behavioral analytics: Implement tools that can analyze user behavior to inform the management of digital identities. This can help identify potential risks and ensure access permissions align with observed behaviors. • Employ identity life cycle management tools: Use solutions to automate routine tasks, such as creating, modifying, and deleting user accounts. This not only streamlines workflows but also reduces the risk of human error.

Comprehensive visibility and situational awareness Visibility and awareness ensure you know who is doing what within your enterprise. In practice, this means tracking and analyzing all activities within your environment. These could range from regular day-to-day actions to abnormal behaviors indicating potential security threats. By constantly monitoring these activities, you can spot issues before they become serious problems. Maintaining comprehensive visibility is about having the ability to observe everything that’s happening within your information systems and the understanding to know when something’s not right. This allows you to act swiftly against anomalies, minimizing potential damage. Best practices for comprehensive visibility and situational awareness include the following: • Utilize advanced SIEM systems: Implement SIEM systems that can log and monitor user activity across the enterprise. This allows you to keep track of what is happening within your network and aids in detecting potential security threats. • Implement User and Entity Behavior Analytics (UEBA) tools: Use UEBA tools that focus on behavior-based analysis. This will help you spot anomalies and unusual activity that could signify a potential security breach. • Leverage threat intelligence capabilities: Integrate your analytics tools with other security systems to enable real-time threat detection and response. This will allow you to react promptly to potential threats and minimize the damage they can cause.

Secure integration of identity stores Secure integration of identity stores across all partners and environments is essential to provide seamless user experiences while ensuring consistent identity security. The identities used by your organization, whether they’re employees, partners, or information systems, need to be handled with care. These identities have access rights, which, if used by an attacker, can lead to security breaches. When you securely integrate your identity stores, you create a uniform system where every identity is accounted for, regardless of where it originates or is used. This helps prevent unauthorized access, as you can control and monitor every identity. It also simplifies management, as you have a consistent way of managing identities across different environments.

The pillars of Zero Trust

Best practices for secure integration of identity stores include the following: • Implement Identity Federation: Use Identity Federation capabilities to link identity stores across different environments and partners. This provides a unified way of managing identities and access controls across multiple systems and organizations. • Use secure data transmission protocols: To protect identity data during transport, use secure data transmission protocols. These protocols help ensure that the identity data remains confidential and integral while in transit. • Adopt System for Cross-domain Identity Management (SCIM) solutions: SCIM solutions allow for overseeing and controlling access to identity data across different environments. These tools help create unified access policies and procedures across your organization and partner networks. • Use partner agreements: When sharing identity stores with partners, ensure that agreements specify the security measures each party is responsible for.

Just-in-time and just-enough access Automation can be used to grant access rights precisely when they’re needed and only to the extent necessary. This approach minimizes the exposure of resources to potential security threats. Organizations can effectively limit potential vectors for unauthorized access or data breaches by aligning access privileges with individual actions and resource needs. The “just-in-time” component ensures access rights are granted when needed. This reduces the window of time in which a user can misuse their access privileges or become the target of an attack. The “just-enough” aspect restricts access to the minimum required for the user to complete their tasks. By limiting the extent of access, the potential damage from misuse or a breach is contained. Best practices for implementing just-in-time and just-enough access include the following: • Utilize Privileged Access Management (PAM) systems: PAM systems control and monitor privileged access based on specific actions and individual resource needs. These systems ensure that users have only the necessary level of access for their tasks, preventing them from having broad or unnecessary access rights. • Implement Attribute-Based Access Control (ABAC): ABAC capabilities allow for more refined access control. With ABAC, access rights are granted based on factors such as the user’s role, the resource accessed, and the current context. • Adopt time-based access control tools: These tools ensure access rights are only granted for the necessary duration. Once a user’s task is completed, their access rights are revoked, reducing the window of opportunity for unauthorized access.

297

298

Zero Trust Architecture in Information Security

Devices The Devices pillar in Zero Trust establishes the framework to identify, manage, and reduce the risks associated with the devices that have access to your network and resources. This pillar focuses on securing all devices that can access your organization’s data and services since any device, regardless of location or network, could be compromised. Therefore, each device is treated as untrusted by default. This means every device attempting to access resources needs to be authenticated and continuously validated to ensure it complies with the organization’s security policies.

Enterprise-wide policies for device and virtual asset life cycles These policies guide how devices and virtual assets, such as virtual machines, are managed from procurement to retirement. Organizations can better understand their attack surface and ensure all devices comply with security requirements by maintaining a complete and up-to-date inventory of all assets and their configuration. The life cycle management policy aids in maintaining device integrity and security by establishing the conditions that support the reduction of risks and vulnerabilities that could be exploited on devices and virtual assets. Best practices for implementing enterprise-wide policies for device and virtual asset life cycle management include the following: • Adopt device registration and management capabilities: Effective management of devices and virtual assets begins with proper registration. Utilize tools that facilitate simple yet comprehensive registration and ongoing management of all devices and virtual assets. • Use asset tagging and tracking: Keep a precise inventory of all assets by implementing asset tagging and tracking mechanisms. This approach helps maintain an accurate view of all devices and virtual assets, enhancing accountability and aiding in risk management. • Implement life cycle management: The life cycle of devices and virtual assets includes several stages, such as procurement, use, maintenance, and retirement. Implementing a comprehensive life cycle management plan ensures that each step is appropriately managed.

Automated inventory collection and anomaly detection Automated inventory collection provides the visibility needed to manage network-based devices effectively, and anomaly detection offers the tools to swiftly identify and respond to security threats on those managed assets. By having an automated and up-to-date inventory, the organization knows what devices are connected to its network at any given time and can verify the authenticity and configuration of each device before granting access to the network. The security team can detect unusual behavior that might signal a security breach by continuously monitoring network activities and using machine learning technologies to analyze patterns.

The pillars of Zero Trust

Best practices for implementing automated inventory collection and anomaly detection include the following: • Adopt comprehensive inventory discovery and tracking: A complete and accurate record of all devices and virtual assets is vital. This involves regularly scanning your network to identify new devices, keeping track of all known devices, and maintaining detailed information about each one (including device type, operating system, installed software, patches, vulnerabilities, and so on). • Use real-time device and network monitoring: Continuous monitoring of all devices and network activities is key. This allows you to spot potential problems as they happen and react swiftly. This might include monitoring login attempts, software installations, data transfers, and other activities. • Implement anomaly detection capabilities: Leveraging technologies that use ML can help identify unusual behavior that might indicate a security threat. To help you respond to potential threats quickly, set up alerts that notify your security team when unusual activities are detected.

Continuous device verification and enforcement of compliance Continuous verification and compliance enforcement mean you’re consistently checking the security status of your devices and assets and not assuming they’re secure just because they were at one point. Maintaining continuous verification of your devices provides accurate, real-time information about every device and its associated characteristics, such as cryptographic keys, software, patches, vulnerabilities, and security configuration. Enforcing compliance with your devices and assets ensures they always adhere to the necessary security standards and configurations. This offers a proactive approach to security, ensuring all devices and assets meet required standards at all times and any anomalies or risks are detected and managed promptly. Best practices for continuous device verification and enforcement of compliance include the following: • Continuous monitoring and reporting: Establish a system for constantly monitoring and reporting device characteristics and compliance status. This allows for early detection of non-compliance or potential security threats. • Immediate remediation capabilities: Be prepared to correct non-compliant devices and assets swiftly. This could include automated patching, configuration changes, or removing the device from the network until it becomes compliant. • Use a centralized threat protection platform: Establish a unified platform that aggregates threat intelligence and monitoring. This allows quicker detection and response to threats across all devices and virtual assets.

299

300

Zero Trust Architecture in Information Security

Monitoring and enforcement mechanisms for non-compliant devices When devices don’t meet the required security standards, they can pose significant risks to the enterprise. Security systems should be in place that detect these non-compliant devices and immediately act when they’re discovered. Organizations can quickly identify and address risks by continuously monitoring devices and enforcing compliance standards. Non-compliant devices, whether due to outdated software, vulnerabilities, or unauthorized configurations, can pose significant threats. Implementing strict monitoring and enforcement ensures that only compliant and verified devices can access sensitive data and systems, enhancing the organization’s overall security. Best practices for monitoring and enforcement mechanisms for non-compliant devices include the following: • Utilize real-time network access control: Implement systems that assess a device’s compliance level in real time as it attempts to access the network/information system. Non-compliant devices should be denied access automatically. • Implement identification and isolation capabilities: Once a non-compliant device is detected, the system should be able to isolate it, ensuring it doesn’t pose a risk to other devices or the network. • Ongoing patch management and automated compliance checks: Ensure patches and updates are applied, and the configuration status of devices aligns with the required standards and policies across all devices and assets. This will help to ensure that device health characteristics are monitored and updated routinely to support the continuous monitoring and remediation efforts mentioned in the previous bullets.

Consolidated threat protection for devices and virtual assets By bringing everything under a unified platform, organizations can obtain a more precise and efficient view of their security posture. A centralized approach ensures that all device threats are detected and handled uniformly, regardless of where they emerge. Instead of managing multiple, possibly conflicting security systems, organizations have one integrated system. When it comes to enforcing security policies and ensuring compliance, a consolidated approach provides consistency. Every device and virtual asset is subjected to the same rigorous standards through a single consolidated environment. Best practices for consolidated threat protection for devices and virtual assets include the following: • Use a centralized threat protection platform: Establish a unified platform aggregating threat intelligence and monitoring. This allows quicker detection and response to threats across all devices and virtual assets. • Integrated policy enforcement: Link your threat protection platform with policy enforcement tools. This ensures that any device or asset not adhering to security policies is promptly addressed or isolated. • Interoperability with other systems: Ensure that the centralized solution can integrate with other systems in the organization. This facilitates a more cohesive and efficient response to threats.

The pillars of Zero Trust

Networks The Zero Trust framework requires a reevaluation of network design. Instead of the traditional emphasis on perimeter security, where defenses are concentrated at the boundaries of the network, Zero Trust emphasizes protection at every point within the network. This focus reframes traditional network security by moving from perimeter-centric defenses to a comprehensive, multi-layered strategy. The Zero Trust model intends that every data interaction be scrutinized and validated continuously via capabilities such as segmentation, continuous monitoring, and dynamic policy management capabilities. These capabilities secure network traffic between the data and the consumer regardless of location, rather than simply at an arbitrary network perimeter.

Enterprise-wide network policies Organizations must prioritize creating tailored network policies, reflecting their unique requirements and challenges. Instead of solely relying on predefined firewall rules or generic security configurations, a deeper understanding of the operational environment, asset interactions, and user behaviors is needed. While perimeter defenses, just like firewalls and intrusion detection systems, have their place, they’re insufficient in today’s threat environment as threats can emerge from outside and inside the organizational boundaries. Best practices for enterprise-wide network policies include the following: • Control granularity: Tailor policies to specify access permissions at a detailed level, ensuring that users and devices only have the minimum necessary access to perform their functions. • Attack surface reduction: Develop policies that govern how, when, and where data can be accessed and limit the potential points of exploitation. • Adaptability to evolving threats: Enterprise-wide policies must be updated as new threats emerge.

Network architecture principles Incorporating Zero Trust principles into network architecture is not merely about adding more security checkpoints or increasing the frequency of authentication requests. It’s a holistic reimagining of how security is integrated into the very structure of the network. For example, the potential attack surface is drastically reduced by micro-segmentation. This segmentation ensures that even if a part of the network is compromised, the breach remains isolated, preventing it from spreading. Also, with the rise of remote work and cloud services, network boundaries have become increasingly challenging. Zero Trust addresses this challenge by offering dynamic and contextual access controls. Instead of static permissions, access is based on real-time assessments, considering variables such as user behavior, device security status, and request location. Such a dynamic approach ensures that security is adaptable and responsive to the risk being posed by a particular network session.

301

302

Zero Trust Architecture in Information Security

Best practices for network architecture principles include the following: • Use network tools that support micro-segmentation: Micro-segmentation involves breaking the network into smaller segments or zones, each with distinct security controls and access rights. Network tools should facilitate this process, ensuring clear demarcation of these segments. • Dynamic connectivity control mechanisms: Connectivity within the network should not be static. Dynamic control mechanisms allow for real-time connectivity adjustments based on user behavior, data access, and the threat landscape. • Manage distributed ingress/egress micro-perimeters: In a distributed network environment, there are multiple points where data enters (ingress) or exits (egress) the network. Tools should be in place to manage these micro-perimeters, ensuring tight control over data flow.

Encryption of all applicable traffic The starting point for encryption is a review of network communication protocols within the organization. Protocols should be assessed for their encryption needs, whether for internal communication within the organization or external communication with partners, customers, or the wider internet. By undertaking this review, an organization can pinpoint potential vulnerabilities or unencrypted pathways that could become targets for attackers. Managing the tools and mechanisms that underpin encryption, such as keys and certificates, is equally important. Even the best encryption algorithms can become compromised without a secure key issuance and rotation system. Best practices for encryption of all applicable traffic include the following: • Adopt strong cryptographic algorithms: The strength of encryption largely depends on the cryptographic algorithms used. Implementing recognized and industry-approved cryptographic algorithms ensures that the encrypted data is shielded against unauthorized access. • Implement certificate and key management systems: Certificates and keys are foundational elements of encrypted communication. Adopting comprehensive certificate and key management systems ensures the safe creation, distribution, storage, and renewal of encryption credentials. • Institute secure key rotation protocols: Key rotation is the process of retiring an old key and introducing a new one. Regularly rotating encryption keys ensures that even if a key gets compromised, it’s usable for only a limited period.

Visibility of communication across networks A key aspect of this approach is network monitoring and management tools. By deploying these tools, organizations gain a view of their network activities, enabling them to identify irregularities or deviations that might indicate a security threat. Gathering, integrating, and analyzing data from diverse network segments allows security teams to see normal behavior and separate it from potentially malicious actions. Anomaly detection capabilities take the data from network monitoring and work to determine whether unauthorized access attempts, malware activity, and other forms of cyber threats exist within the enterprise.

The pillars of Zero Trust

Best practices for getting visibility of communication across networks include the following: • Utilize network monitoring and management tools: These tools provide insights into data flows, integrating insights from various parts of the network. These tools correlate telemetry from across the organization and work to uncover threats that might go unnoticed when sources are viewed in isolation. • Deploy anomaly detection capabilities: Anomaly detection recognizes deviations from standard network behavior. Anomaly detection capabilities can discover unexpected or suspicious activities, which might indicate potential security threats. • Engage in continuous network traffic analysis: Regularly analyzing network traffic helps discern patterns and understand what constitutes “normal” for an organization. Such a baseline allows for easier identification of potential threats or anomalies.

Applications and Workloads Securing applications is no longer a debatable topic. At the heart of the Applications and Workloads pillar is application security. This process involves implementing measures designed to shield applications from potential cyber threats. Practices such as secure coding ensure that the code forming the backbone of the application is resilient to possible attacks. Another critical component of the Applications and Workloads pillar is application security testing. This process involves conducting exhaustive tests on applications to identify potential vulnerabilities and weaknesses that cyberattackers could exploit. Several techniques fall under this umbrella. Penetration testing, for example, involves simulated attacks on the application to assess its security. Application code reviews entail thoroughly examining an application’s code to spot potential vulnerabilities.

Policies regarding application development and deployment Organizations must embrace establishing structured information security policies covering all application development and deployment phases within the SDLC. Using a tiered and tailored approach allows for adaptability across the enterprise, ensuring that the specific requirements of each component of the application life cycle are addressed. Whether it’s the initial design, coding, testing, or deployment to production, each phase possesses unique challenges and risks. Best practices for policies in application development and deployment include the following: • Utilize cross-functional teams: Just as threats and technologies evolve, so should the policies governing application development and deployment. Regular reviews, ideally involving a cross-functional team of developers, security professionals, and stakeholders, will ensure that policies stay relevant and effective. • Policy enforcement in DevOps tools: DevOps tools that incorporate policy automation streamline the development and deployment process, ensuring that security requirements are not overlooked or bypassed. Organizations can ensure consistent security application throughout the software development life cycle by automating policy enforcement within these tools.

303

304

Zero Trust Architecture in Information Security

• Integrated policy management with automated compliance checks: By integrating policy management systems and automating compliance checks, organizations can monitor the alignment of applications with established security standards in real time. Such integrations ensure deviations from predefined policies are promptly detected, logged, and addressed.

Automating application access decisions When access decisions are handled manually or based on static rules, the likelihood of errors, oversights, or delays increases. Automation, on the other hand, allows for consistent, immediate, and accurate decisions. It ensures access rights are granted or revoked based on a comprehensive evaluation of real-time data points, such as user identity, device health, location, and other contextual factors. By doing so, automation significantly reduces the window of vulnerability, ensuring that only legitimate users can access the resources they need when needed. Best practices for automating application access decisions include the following: • Implement IAM systems with automation: IAM systems are used for granting and revoking access rights. By automating access decisions, organizations can ensure that decisions are timely, accurate, and free from manual intervention mistakes. • Utilize just-in-time access management: Dynamic privilege access management tools that support time-bound access rights allow organizations to grant temporary access based on immediate needs. Such time-limited permissions reduce the window of opportunity for malicious activities since access expires after a specified duration. • Deploy application User Behavior Analytics (UBA) tools: UBA tools analyze patterns related to user behavior to provide deeper insights into how users interact with systems. Gathering and analyzing this contextual information can allow organizations to detect and act upon anomalies swiftly.

Integrating application security testing Application security testing refers to a comprehensive set of practices and tools that aim to identify and address vulnerabilities within an application. If left unchecked, attackers can leverage applications to steal data or provide an entryway to the rest of the organization. Organizations can mitigate potential vulnerabilities by embedding rigorous security testing throughout the application’s life cycle, from development to deployment. Additionally, this testing should be conducted continuously. This means that an application can be updated as new threats or vulnerabilities emerge. Continuous testing ensures that applications remain resilient and adapt to the evolving threat landscape. Best practices for integrating application security testing include the following: • Integrate automated security testing tools: Incorporating automated security testing tools directly into the DevOps pipeline ensures that security checks are executed seamlessly within the CI/CD process. This means that every code push, merge, or deployment triggers a set of predefined security tests, preventing vulnerabilities from progressing further in the development cycle.

The pillars of Zero Trust

• Utilize both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools: SAST and DAST tools offer complementary security assessments. While SAST reviews the application’s source code to identify vulnerabilities, DAST evaluates the running application in real time to identify potential security threats. By employing both methodologies, an organization can comprehensively understand potential risks at both the code and operational levels. • Implement security tools that support routine automated testing for deployed applications: After deployment, applications are exposed to many threats. Tools that enable routine automated testing ensure that post-deployment applications remain secure, and any newly discovered vulnerabilities are promptly addressed.

Incorporating Advanced Threat Protection Advanced Threat Protection (ATP) tools detect, prevent, and respond to sophisticated cyber threats that often bypass conventional security measures and occur in real time. ATP solutions offer real-time visibility of network and application activities. These tools also allow organizations to observe and assess behaviors and patterns within their systems as they occur. ATP solutions should also have contentaware protection features, which means they understand the context and nuances of the data flow. Best practices for incorporating ATP include the following: • Adopt ATP solutions with real-time visibility and content-aware features: ATP solutions that offer real-time visibility allow organizations to detect and respond to threats as they occur. Coupled with content-aware features, these solutions can discern the nature and intent of data flows, enabling them to differentiate between legitimate activities and potential threats. • Use Cloud Access Security Brokers (CASB) for enhanced visibility and control: CASB operate as intermediaries between users and cloud application workloads, offering a central point for policy enforcement across multiple cloud services. • API-level protection: API protection involves monitoring API calls for anomalies, ensuring secure authentication and authorization, and inspecting data payloads for potential threats.

Leveraging immutable workloads An immutable workload remains unchanged after its initial deployment. Therefore, any subsequent changes, updates, or modifications to the system or its components are not done by directly altering the current deployment. Instead, they are instituted through a fresh deployment. This concept supports an organization in preventing unsanctioned modifications. When changes can only be instituted through redeployment, there’s a straightforward, auditable trail of what has been altered, when, and potentially by whom. This eliminates ad hoc changes, often the weak links in change management, and an avenue for vulnerabilities and threats.

305

306

Zero Trust Architecture in Information Security

Best practices for leveraging immutable workloads include the following: • Adopt container orchestration platforms supporting immutable deployments: Container orchestration platforms, such as Kubernetes or Docker Swarm, are designed to manage the life cycles of containers. When these platforms are tailored to support immutable deployments, they ensure containers are not tampered with post-deployment. • Integrate DevOps tools that restrict administrator access: Using DevOps tools that limit administrator access and prioritize automated code deployment, human-induced errors or potential insider threats can be avoided. This approach enhances security by ensuring changes and deployments happen in controlled, predictable, and auditable manners. • Enforce rigorous version control practices: Utilizing version control systems such as Git or Mercurial ensures that every change to the software or configuration is tracked. With rigorous version control, every modification has an audit trail, making identifying and rectifying any unauthorized changes simpler.

Continuous application monitoring Organizations can detect anomalies or suspicious behaviors by consistently monitoring applications, ensuring they respond quickly to threats. The immediacy of detection and subsequent response is critical for minimizing potential damage and risk. This activity alerts the security team of potential threats and ensures they can respond immediately to neutralize any risk, safeguarding the system’s integrity. Best practices for continuous application monitoring include the following: • Real-time traffic analysis: Analyze the incoming and outgoing traffic of applications to identify patterns consistent with common attacks, such as SQL injection, Cross-Site Scripting (XSS), or Denial of Service (DoS). Organizations can quickly react by continuously monitoring applications and immediately alerting security personnel of any suspicious activities, minimizing potential damage. • Access control monitoring: Monitor and log every access request and granted access within the application. Monitoring who is accessing what and when can pinpoint unauthorized access or excessive privilege escalations. • Utilize SIEM tools: SIEM tools centralize the collection, analysis, and response mechanisms for security-related incidents for the enterprise, including applications. By aggregating logs and data streams from the various components of a system, SIEM systems provide a unified perspective on the security dynamics of an application.

Automating application configuration The scale and complexity of modern-day infrastructures mean an incredible number of configurations must be managed. Manual management of these configurations in large-scale environments is inefficient and nearly impossible to achieve with the desired level of accuracy and timeliness. Automation provides

The pillars of Zero Trust

the means to enforce security policies uniformly across various applications, workloads, and systems. Automation ensures that the configurations remain consistent, eliminating the vulnerabilities that might arise from human oversight or inconsistency in manual configurations. Best practices for automating application configurations include the following: • Deployment of configuration management tools: Configuration management tools facilitate automatically applying desired configurations across an organization’s infrastructure. By using these tools, organizations can ensure consistency in application configurations, reducing the risk of misconfigurations that can be exploited. • Use of automation tools for security baselines: Automation tools that apply security baselines and standards across applications are essential in ensuring that all applications meet a predetermined level of security. This is crucial for preventing vulnerabilities that potential threats could exploit. • Integration of continuous security assessment tools: Tools that facilitate continuous security assessment and remediation based on assessment results are essential for maintaining an organization’s security posture. These tools uncover vulnerabilities in the environment that can then be acted on through automation or manual activities.

Data The Data pillar identifies and classifies data according to its intrinsic sensitivity and value. As discussed in Chapter 4, Information Security Risk Management, categorizations guide the application of protective measures and dictate access controls, ensuring that data of varying sensitivities is safeguarded appropriately. Data governance is another important aspect of the Data pillar. It ensures that data is collected, stored, and accessed in a manner that guarantees secure and consistent handling. Classification and governance are tightly coupled and related to ensure that the appropriate technical controls are selected to ensure that data is protected commensurate with its value.

Unified data life cycle policies The first step towards implementing unified data life cycle policies is to institute a data governance model that can be applied universally across various departments, systems, and data repositories. This unified approach ensures no ambiguities or gaps in how different parts of the organization handle and protect data. By establishing a clear and integrated data life cycle policy enforcement capability, organizations can ensure that every piece of data, from its creation to its eventual disposal, is governed by a consistent set of rules. Best practices for the implementation of unified data life cycle policies include the following: • Establish a centralized governance body: The organization should have a centralized team specifically tasked with designing, implementing, and overseeing data life cycle policies. This ensures a single point of accountability and coordination for all data-related activities.

307

308

Zero Trust Architecture in Information Security

• Deploy real-time security policy enforcement tools: Real-time security policy enforcement tools monitor data activities continuously and ensure that any action that violates set policies is immediately alerted or halted. This reduces the window of vulnerability and ensures that potential malicious activities are addressed before they can cause significant harm. • Data classification and segmentation: Not all data is created equal. Some data is more sensitive and requires stricter controls. Organizations should classify their data based on sensitivity and importance and then segment their storage and access accordingly. By doing so, they ensure that the most critical data has the most stringent security controls, reducing the potential impact and costs.

Continuous data inventory and data loss prevention The organization must maintain an up-to-date awareness of where data resides and how it flows. An automated data inventory process for the entire organization should be implemented. Ensure all data repositories are included over time while initially focusing on your high-value assets. Once data is cataloged, the organization’s DLP strategies should be based on each dataset’s specific attributes, labels, and requirements. This granularity ensures that sensitive data is accorded higher protection levels based on the characteristics of the data. Best practices for continuous data inventory and DLP include the following: • Automated data discovery and inventory tools: These tools scan, identify, and catalog data across various organizational repositories. Such an approach ensures no critical data sources are missed, especially in large organizations with dispersed storage solutions. • Comprehensive DLP solutions: DLP tools should include data discovery, classification, and dynamic exfiltration prevention capabilities. Data discovery ensures the protection mechanisms of the DLP tool manage all sensitive information. Classification helps ensure that the DLP tools understand the data sensitivity so that protection mechanisms can be enforced. Dynamic exfiltration prevention adapts to changing threat vectors, ensuring that sensitive data is not leaked or stolen. • Regular data inventory audits: Even with automated tools, changes in organizational data storage, new repositories, or restructuring can lead to discrepancies. Regular audits ensure that the data inventory remains accurate and comprehensive.

Data categorization, labeling, and automation As previously discussed, data categorization involves breaking down organizational data into distinct categories based on characteristics such as sensitivity, purpose, source, or relevance. Also, as the organization’s data repositories are bound to contain many data types, from documents and spreadsheets to multimedia files and database entries, the mechanisms for categorization and labeling must be designed to handle these different media seamlessly. Once the data has been categorized, the next step is labeling. Data labeling involves attaching discernible tags or markers to data corresponding to

The pillars of Zero Trust

its assigned category. These labels act as identifiers, guiding subsequent processes including DLP and dynamic access controls. The labels should be clear, concise, and consistent across the organization to prevent ambiguity and allow automation to implement security decisions. Best practices for data categorization, labeling, and automation include the following: • Data categorization tools: Employ data categorization tools capable of classifying data based on predefined rules or policies. By relying on predefined rules, organizations can ensure consistency across large datasets. • Consistent data-labeling capabilities: Implement data-labeling capabilities that allow for precise and consistent tagging of data assets. The organization can quickly determine the appropriate access permissions for different datasets with clear labels. • Dynamic data access control systems: Utilize dynamic data access control systems that allow for just-in-time and just-enough access permissions with continuous review capabilities. This means granting users access only when needed and to the extent necessary for their tasks.

Encryption Encrypting data, both at rest (stored) and in transit (while being transmitted or moved), has become a commonly understood method to secure data. Organizations are increasingly leaning towards ubiquitous encryption strategies to achieve the desired state of data protection. This means that instead of hand-picking what to encrypt, organizations ensure that all data, irrespective of its perceived sensitivity, is encrypted at rest and during transit. Doing so significantly minimizes the chances of accidental data exposure or breaches due to overlooked assets. Best practices for encryption include the following: • Enable encryption for data in use: Data in use refers to active data being processed or consumed by end-user applications, in-memory databases, or other active processes. While often overlooked, encrypting this data ensures continuous protection, even when being utilized or processed. • Encryption for data at rest and in transit: Data at rest refers to inactive data stored physically in any digital form, whereas data in transit refers to data being moved from one location to another. Encryption for both scenarios ensures that data is always protected, whether sitting in storage or being transmitted across networks. • Implement regular key rotation: Encryption keys should not remain static. Instead, they should be rotated or changed regularly to ensure their lifespan is limited, even if a key is compromised. • Audit and monitor encryption and key access: Continuous auditing and monitoring of encryption policies and key access patterns ensure any anomalies or unexpected behaviors are quickly detected and dealt with.

309

310

Zero Trust Architecture in Information Security

• Separate key management from data storage: Encryption keys should be stored separately from the encrypted data to prevent simultaneous data breaches and their corresponding key. Storing keys away from data ensures that even if an attacker gains access to the encrypted data, they won’t have access to the decryption keys. This principle also carries to cloud technologies where you can bring your key to encrypt data, so it is not accessible to cloud service providers.

Comprehensive data visibility and automated analysis With the vast amount of data and points of access within an enterprise, relying solely on manual scrutiny is impractical and could compromise security. Automated analysis provides an immediate, repeatable, and reliable solution to this problem. This capability offers real-time data analysis, identifying patterns, behaviors, or discrepancies that might signal a potential threat. Automated analysis tools can handle the vast datasets generated by organizations, reviewing the data to highlight only the most relevant and actionable information. Additionally, with automation, correlation of data across various sources becomes feasible. This correlation can unearth hidden patterns or threats that might remain undetected when data sources are viewed in isolation. Best practices for comprehensive data visibility and automated analysis include the following: • Deploy advanced data visibility tools: These tools can seamlessly capture and present information from various parts of the organization. By achieving this comprehensive view, organizations can ensure the ability to monitor sensitive data for security-relevant information throughout the organization. • Automated analysis for data correlation: Automated analysis tools can aggregate data from sources across the organization, creating a cohesive picture that reveals patterns and anomalies. The organization is better equipped to prevent or respond to threats by quickly and automatically identifying and correlating these activities.

Summary This chapter provided insights into why and how Zero Trust has emerged as a cornerstone in contemporary information security practices. Beginning with its historical context, we traced the evolution of Zero Trust from its inception to the present day. As traditional perimeter-based security models become increasingly inadequate, the chapter illustrated the need for organizations to pivot to the Zero Trust model. Finally, the fundamental pillars that define and support Zero Trust were explored, offering you a comprehensive understanding of the pillars and the components that comprise the pillars. For more information on the topic of Zero Trust, refer the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model, the Department of Defense Zero Trust Strategy and Roadmap, and the National Institute of Standards and Technology’s Zero Trust Architecture. The next chapter will discuss Cybersecurity Supply Chain Risk Management (C-SCRM). This topic is integral for organizations as they establish the capabilities to ascertain and manage the risks associated with their suppliers.

13 Third-Party and Supply Chain Security Supply Chain Management (SCM) has evolved considerably, from a simple operational task to a strategic function critical to business success. In the early stages of SCM, the focus was on optimizing logistics and reducing costs. As global commerce grew and became more complex, companies began to realize the importance of managing the entire supply chain, which includes all processes, from sourcing raw materials to delivering finished goods to the customer. However, the increasing reliance on technology and interconnected systems has introduced new risks to the supply chain, particularly cybersecurity threats. With the advent of the internet, e-commerce, and other digital platforms, businesses are becoming more exposed to cyber threats. This has led to the emergence of cybersecurity as a critical factor in SCM. Understanding the importance of cybersecurity in the supply chain requires acknowledging the broad array of potential threats that can disrupt operations. For example, a hacker could infiltrate a supplier’s system to intercept sensitive information, disrupt production, or introduce product vulnerabilities. As a result, organizations are focusing on protecting their systems and ensuring their suppliers, vendors, and partners are secure. The following topics will be covered in this chapter: • Understanding C-SCRM and its importance • The challenges in managing supply chain cybersecurity • The risks associated with supply chains • The consequences of supply chain risks • Methods to identify supply chain risks • Assessing the severity and likelihood of C-SCRM risks

312

Third-Party and Supply Chain Security

• Strategies to mitigate supply chain risks • Integrating C-SCRM into security programs and business activities • Monitoring and reviewing C-SCRM practices

Understanding C-SCRM and its importance The concept of Cybersecurity Supply Chain Risk Management (C-SCRM) becomes even more critical when considering the far-reaching impacts of a compromised supply chain. In the interconnected world of today, a cyber breach at one point in the supply chain can cascade down to affect various players. A minor vulnerability in one supplier’s system could compromise the integrity of the entire supply chain, affecting the final product and causing untold damage to the reputation and finances of the companies involved. To understand the importance of C-SCRM, we must appreciate modern supply chains’ complexity and interdependence. The intricate network of suppliers, manufacturers, distributors, and customers, all linked through digital platforms and technologies, is a web of potential weak points. Malicious actors can exploit each of these points. The C-SCRM concept recognizes that cybersecurity is not a singular, one-off effort but a continuous process that must be integrated into the entire life cycle of supply chain operations. It forces organizations to look beyond their internal cybersecurity practices and assess their partners’ practices. It emphasizes collaboration, as all entities within the supply chain must work together to create a secure environment. In practice, C-SCRM involves several key steps: 1. Risk identification: This is the initial step in the C-SCRM process, where the aim is to identify potential cyber threats that could affect the supply chain. For example, a software manufacturing company might identify a risk that a malicious actor could introduce a backdoor or other vulnerability to its product during manufacturing. This could happen when the product code is accessible during coding, version control, or when updates are applied. 2. Risk assessment: After identifying potential risks, they are evaluated based on their likelihood of occurrence and the extent of the potential impact. For instance, an electronics manufacturing company that relies on multiple suppliers for its components might identify a risk associated with one of its key suppliers being compromised. This could occur if an attacker infiltrates the supplier’s systems, manipulating the firmware of components to include a hidden vulnerability. The potential impact of this event could be enormous, leading to product recalls, loss of customer trust, legal penalties, and the potential for serious harm if the electronics are used in critical systems. The likelihood of this event might be evaluated based on factors such as the supplier’s current cybersecurity measures, historical incidents, and the threat landscape of the region in which the supplier operates.

The challenges in managing supply chain cybersecurity risks

3. Risk mitigation: Once the risks have been identified and assessed, appropriate controls and measures must be implemented to mitigate them. For example, consider a software company that relies on an external supplier for its database management systems. The company has identified a risk that vulnerabilities in the supplier’s systems could lead to a data breach. To mitigate this risk, the company might adopt a strategy that includes enforcing strict security requirements in its contracts with suppliers, conducting regular third-party audits of the supplier’s security practices, and implementing incident response plans. 4. Risk monitoring and review: After mitigation strategies have been put in place, they must be continuously monitored and reviewed to ensure they remain effective. For example, an automobile manufacturer has identified a risk of introducing malware into their vehicle software. They’ve implemented a mitigation strategy that includes vendor security requirements and regular software audits. To monitor and review this strategy, they might establish a system to regularly check vendor adherence to security controls and conduct routine software audits, ensuring that malware is not introduced to vehicle software. The role of C-SCRM will only continue to grow. The ever-increasing digitization and interconnectivity of organizations and their supply chains will introduce new cyber threats and vulnerabilities. Organizations must remain vigilant and proactive in managing these risks to ensure their supply chains remain resilient and secure. Managing supply chain cybersecurity risks presents a range of challenges for organizations. These challenges can vary depending on the industry, the complexity of the supply chain, and the specific cybersecurity threats faced. We will discuss some of these challenges in the upcoming section.

The challenges in managing supply chain cybersecurity risks Managing cybersecurity risks in the supply chain is a complex and multifaceted task. The interconnected nature of supply chains and the ever-evolving landscape of cyber threats present several unique challenges to organizations: • The complexity of supply chains: Supply chains can be very complex, with numerous stakeholders, ranging from suppliers and logistics providers to manufacturers and end consumers. Each stakeholder might have their own set of IT systems, software, and cybersecurity measures, which vary in size and capability. • Visibility and transparency: A clear understanding of all the elements within a supply chain, including the security measures at each step, is essential for an effective C-SCRM. However, achieving this level of visibility and transparency is difficult, due to factors such as the use of subcontractors, proprietary business information, and the global scale of many supply chains.

313

314

Third-Party and Supply Chain Security

• The evolution of cyber threats: The world of cybersecurity is marked by rapidly evolving threats. Malicious actors continually develop new attack methods, and vulnerabilities can emerge in technologies previously considered secure. • The integration of emerging technologies: Technologies such as the Internet of Things (IoT), Artificial Intelligence (AI), and blockchain are being increasingly integrated into supply chains. While they offer significant benefits regarding efficiency and innovation, they also introduce new cyber risks. • Supplier compliance: Ensuring that all suppliers adhere to a specified set of cybersecurity standards can be difficult, especially when dealing with smaller businesses that may lack the necessary resources or expertise. • Incident response: Despite the best risk management efforts, incidents can still occur. The challenge lies in detecting these incidents promptly, minimizing their impact, and recovering operations swiftly. This is further complicated by the need to coordinate a response across multiple stakeholders in the supply chain. • Resource constraints: Implementing a robust C-SCRM strategy requires resources, including specialized personnel, technologies, and training. These resource requirements pose a significant challenge for many organizations, particularly smaller ones. Organizations must adopt a proactive, systematic, and collaborative approach to C-SCRM to combat these and other challenges. This involves investing in the necessary resources and working closely with all stakeholders to ensure the security and resilience of their supply chains. Despite these challenges, effective C-SCRM is needed to protect an organization’s operations, reputation, and bottom line.

The risks associated with supply chains Due to their interconnected nature and reliance on multiple parties, supply chains are exposed to various cybersecurity risks. These threats can originate from various sources and affect supply chain operations. Understanding these risks is essential to mitigate their potential impact. The following are some cybersecurity risks associated with the supply chain: • Hardware tampering: Hardware tampering occurs when a physical component of an IT system, such as a server or network device, is manipulated maliciously. This manipulation can introduce vulnerabilities in the hardware, which can then be exploited to compromise the system. For example, an attacker might tamper with a hardware component during manufacturing, implanting a malicious chip that allows them to access the system remotely once it is operational. • Software vulnerabilities: These are weaknesses or flaws in a software program that can be exploited to perform unauthorized actions within a system. These vulnerabilities might exist in the operating systems, applications, firmware, or other software used within the supply chain. They can be introduced intentionally by malicious actors, or unintentionally due to errors in the software development process.

The consequences of supply chain risks

• Counterfeit components: This risk involves using counterfeit hardware or software components within the supply chain. These fake components might not meet the required security standards, making them more susceptible to cyberattacks. Additionally, they might be designed to include hidden vulnerabilities or backdoors that the attackers can exploit. • Inadequate security practices: Suppliers with weak or ineffective cybersecurity practices pose a significant risk to the supply chain. For example, a supplier might fail to apply security patches promptly, use default or weak passwords, or neglect to encrypt sensitive data. These poor practices can leave the supplier’s systems – and by extension, the supply chain – vulnerable to cyberattacks. • Insider threats: These threats come from individuals within an organization or supply chain with authorized access to systems and data. Insider threats can be malicious, such as an employee selling sensitive data to a competitor, or unintentional, such as an employee falling for a phishing scam. • Third-party service providers: Many organizations rely on third-party service providers for various functions, such as cloud storage, data processing, or IT support. If these third parties have weak cybersecurity measures, they can become a weak point in the supply chain that attackers can exploit. • Advanced Persistent Threats (APTs): APTs are complex, stealthy cyber attacks in which an attacker gains unauthorized access to a system and remains undetected for an extended period. These attacks are typically carried out by well-resourced and skilled attackers, such as nation-state groups, with a specific objective, such as stealing sensitive information or disrupting operations. • Geopolitical risks: This involves the potential impact of political events, tensions, or policy changes on the supply chain’s cybersecurity. For example, a country might exploit cyber vulnerabilities to disrupt organizations’ supply chains within a rival nation.

The consequences of supply chain risks Cybersecurity breaches within a supply chain can lead to significant consequences for organizations. Real-world cases illustrate these risks and effects. Here are a few notable examples: • SolarWinds: One of the most high-profile cybersecurity incidents involving a supply chain in recent memory is the 2020 SolarWinds hack. SolarWinds, a provider of network management software, was compromised by what was believed to be a nation-state actor. The attackers manipulated software updates for SolarWinds’ Orion software, a platform used for IT infrastructure management, allowing the attackers to distribute a backdoor to the software’s users. This breach impacted several major organizations and government agencies in the U.S. The attack highlighted the vulnerability of software supply chains and the potential scale of an attack that leverages this vulnerability. It led to operational disruptions, investigation costs, reputational damage, and potential national security implications.

315

316

Third-Party and Supply Chain Security

• NotPetya malware: The 2017 NotPetya ransomware attack originated from a legitimate software update of the Ukrainian accounting software MEDoc. The malware was propagated via the software’s automatic update system. One of the most severely affected was Maersk, a shipping company. The attack forced Maersk to shut down multiple systems to prevent the malware from spreading, resulting in significant operational disruptions. The incident reportedly cost Maersk between $250 million and $300 million and demonstrated how malware propagation through the software supply chain can lead to significant operational and financial impacts. • Target data breach: The 2013 data breach at U.S. retailer Target is another example of a supply chain-related cyber incident. The breach, which resulted in the theft of credit and debit card information for more than 40 million customers, began with an attack on a third-party HVAC vendor. The attackers stole the vendor’s login credentials for Target’s network, allowing them to infiltrate the network and install malware on the point-of-sale systems. The incident cost the company over $200 million, including remediation costs, credit monitoring services for affected customers, and legal fees. The breach also led to significant reputational damage and ultimately contributed to the resignation of Target’s CEO and CIO. • ASUS Live Update: In 2019, it was discovered that the ASUS Live Update Utility, used to deliver BIOS, UEFI, and software updates to ASUS computers, had been compromised. The attackers injected a backdoor into the software and distributed it to users as a legitimate update. Kaspersky, the cybersecurity firm that discovered the breach, estimated that the malicious update may have been installed on over a million computers. This breach highlighted the risk of supply chain attacks targeting system-level software. Each of these examples underscores the significant risks that supply chain vulnerabilities can pose to cybersecurity. They highlight the need for robust cybersecurity supply chain risk management, including diligent vendor management, strong security controls, and proactive incident response planning.

Methods to identify supply chain risks Identifying cybersecurity risks in the supply chain is an essential first step in supply chain risk management. It involves understanding and documenting potential threats that impact a supply chain’s information systems, services, and products. The methods and techniques employed for risk identification can range from structured risk assessments to monitoring and intelligence gathering. Let us understand some of these methods: • Supply chain mapping: The starting point for identifying cybersecurity risks in the supply chain is to understand the supply chain itself fully. This involves mapping out all entities involved in the supply chain, from suppliers to distributors and customers, and understanding their roles and interdependencies. Detailed supply chain mapping helps recognize potential vulnerability areas, such as dependencies on single sources, suppliers with access to sensitive data, or weak links in security practices.

Assessing the severity and likelihood of C-SCRM risks

• Threat modeling: Threat modeling is a systematic process that involves identifying potential threats to a system and the possible ways these threats could be realized. Within the supply chain context, this might include modeling threats to different stages of the product life cycle, from design to distribution, or threats from various actors, such as malicious insiders or state-sponsored hackers. Techniques such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege (STRIDE) or the Process for Attack Simulation and Threat Analysis (PASTA) can be used for threat modeling. • Cybersecurity audits: Audits of suppliers and partners can help identify potential vulnerabilities and areas where cybersecurity practices may not meet an organization’s standards. This can involve reviewing the supplier’s security policies, procedures, and controls and their history of security incidents. • Cybersecurity ratings and intelligence services: These services provide insights into the cybersecurity posture of suppliers and partners by aggregating and analyzing data from various sources. This can include analysis of past incidents, security practice evaluation, or technical vulnerability assessments. By combining these and other methods and techniques, organizations can identify a broad range of cybersecurity risks in their supply chain. However, it’s essential to remember that risk identification is an ongoing process. The threat landscape is continuously evolving, and new vulnerabilities can arise as supply chains change and adapt. Organizations need to monitor and update their understanding of supply chain risks constantly.

Assessing the severity and likelihood of C-SCRM risks Assessing the severity and likelihood of cybersecurity supply chain risks is critical to C-SCRM. This process helps determine a cybersecurity event’s potential impact on an organization from its supply chain and the probability of such an event. The severity and likelihood are two primary factors that prioritize which risks require the most attention and resources. Let us understand these factors in detail: • Understanding the supply chain context: Before assessing the severity and likelihood of risks, it’s important to have a comprehensive understanding of the supply chain, including its components and operation. This understanding includes knowing the number of suppliers, their geographical locations, their interdependencies, and the nature of the goods or services they provide.

317

318

Third-Party and Supply Chain Security

• Determining the severity of risks: The severity of risks refers to the potential impact they could have on the organization. This could involve financial loss, reputational damage, regulatory penalties, or disruption to operations. Assessing severity includes factors such as the following: ‚ Business impact: Understanding the potential operational, financial, and reputational impact on a business is critical. This involves considering the potential costs of disruption or breach caused by the supply chain, including loss of revenue, legal fees, regulatory fines, and remediation expenses. ‚ Regulatory impact: Some cybersecurity risks can lead to breaches of regulatory requirements, resulting in fines or other penalties. ‚ Dependencies: The more dependent an organization is on a particular supplier, the more significant the potential impact is if that supplier experiences a cybersecurity incident. • Estimating the likelihood of risks: The likelihood of risks refers to the probability that a specific event will occur. Factors to consider when assessing the likelihood include the following: ‚ The threat landscape: Understanding the current threat landscape is essential. This includes knowledge of the types of prevalent threats, the tactics and techniques used by adversaries, and the targets they are likely to choose. ‚ The supplier security posture: The cybersecurity practices of suppliers play a significant role in determining the likelihood of risks. This involves considering the supplier’s history of cybersecurity incidents, its security policies and procedures, and its compliance with recognized security standards. ‚ The complexity of the supply chain: A more complex supply chain can increase the likelihood of cybersecurity risks. This is because there are more potential vulnerability points and more opportunities for errors or oversights. • Risk scoring and prioritization: Once the severity and likelihood of risks have been assessed, this information can be used to calculate a risk score. The risk score is a measure of risk that can be used for comparison and prioritization. • Continuous monitoring and assessment: Risk assessments are not a one-time activity. The threat landscape, as well as an organization’s supply chain, is continually changing. Therefore, risk assessments should be continuous, with regular reviews and updates based on changes in the supply chain, new information about threats, or changes in the organization’s risk appetite or strategy. Organizations can make informed decisions about where to focus their cybersecurity efforts and resources by assessing the severity and likelihood of risks. Let us now understand the strategies to mitigate supply chain risks.

Strategies to mitigate supply chain risks

Strategies to mitigate supply chain risks Mitigating supply chain risks requires a comprehensive and proactive approach. Effective C-SCRM is not just a beneficial addition but a fundamental necessity for modern business operations. Organizations must deploy various strategic measures to counter the risks associated with their supply chains. The following are several strategies that organizations can utilize to ensure that their supply chain remains resilient in the face of cybersecurity threats: • Comprehensive vendor assessment: Vendor risk management is a key component of supply chain risk mitigation. Organizations should vet potential vendors for their cybersecurity posture. This involves examining the vendor’s cybersecurity policies, incident response plans, and historical security performance. • Incorporating security requirements into vendor contracts: To ensure the­integrity of the supply chain, security requirements should be clearly defined in vendor contracts. Vendors should adhere to predefined security standards, and a mechanism should be in place for regular auditing and enforcement. • Regular security audits and testing: Regular audits and penetration testing of all software and hardware components coming from suppliers can help identify vulnerabilities before they are exploited. This ensures that any components incorporated into your products or services meet your organization’s security standards. • Secure development and operations practices: It is crucial for organizations that develop software or manage IT systems to ensure that development, security and operations (DevSecOps) practices are used across the supply chain. • Incident response planning: Incident response planning should extend to supply chain incidents. This involves a coordinated plan to handle and recover from incidents affecting any part of the supply chain. • Security training for supply chain personnel: All personnel involved in supply chain management should receive regular training on recognizing and mitigating potential cyber threats. • Cybersecurity insurance: Cybersecurity insurance can offer financial protection in the event of a cyberattack. While it does not prevent attacks from occurring, it can help cover the costs associated with an incident, such as system restoration, data recovery, and legal fees. • Redundancy and diversity in the supply chain: Building redundancy and diversity into the supply chain can also be a valuable risk mitigation strategy. This can involve sourcing key components from multiple suppliers or using different technologies for critical processes. These strategies are interrelated and should not be seen as standalone solutions. Instead, they should be part of a comprehensive, layered cybersecurity approach designed to protect the supply chain from multiple angles. Organizations can enhance their supply chain’s resilience by integrating these C-SCRM-focused strategies into their risk management practices.

319

320

Third-Party and Supply Chain Security

Developing C-SCRM policies and plans A comprehensive C-SCRM policy is the guiding document for organizations seeking to manage, mitigate, and prevent cybersecurity risks within their supply chain. The following are the aspects that should be considered when developing this policy: • Policy scope and objectives: Clearly define the policy’s purpose and how it is applied within the organization. The objectives should clearly explain why the policy exists, what it aims to achieve, and who within the organization it affects. It should also state the organization’s commitment to maintaining a secure supply chain. • Roles and responsibilities: Define the roles and responsibilities of key personnel, departments, and external parties (such as suppliers and partners). Clearly state who is accountable for implementing, managing, and maintaining the C-SCRM policy and responsibilities during an incident response. • Identification of critical assets: The policy should detail the process to identify and classify critical assets. These can include sensitive data, intellectual property, crucial systems, and vital services or products that, if compromised, could negatively affect an organization’s operations or reputation. • Risk management: The policy should outline the risk management approach to be taken. This includes the risk identification, assessment, mitigation processes, and a defined frequency to conduct these activities. • Supplier relationship management: Include guidelines to manage relationships with suppliers. This should outline the process for vendor selection, including necessary security criteria and guidelines for ongoing vendor management, such as monitoring supplier performance and conducting regular security audits. • Incident response plan: Outline procedures to respond to a security incident within the supply chain. This should cover detection, containment, eradication, and recovery steps, along with communication protocols to keep all stakeholders informed. • Training and awareness: Detail the programs for training and awareness to ensure that all relevant stakeholders understand the policy and their role in C-SCRM. • Continuous monitoring and improvement: Establish a continuous monitoring program to ensure the ongoing effectiveness of the policy and enable proactive detection and mitigation of emerging threats. • Legal and regulatory compliance: Address compliance requirements with local, national, and international laws and standards related to cybersecurity and supply chain management. • Consequences of non-compliance: Finally, clearly articulate the consequences of non-compliance, both for internal stakeholders and external suppliers. This can range from disciplinary action to termination of contracts.

Integrating C-SCRM into security program and business activities

Integrating C-SCRM into security program and business activities Integrating C-SCRM into existing organizational activities is critical for organizations seeking to maintain a secure supply chain. An organization can integrate C-SCRM into its activities through several key processes: • Risk management framework integration: An effective way of integrating C-SCRM into an existing risk management framework is to consider it a component of the overall risk to an organization. Extending the scope of risk assessments to include supply chain-related risks is essential. This requires identifying and assessing potential cyber threats that could impact the supply chain, including those related to vendors, suppliers, and third-party service providers. • Incorporation into procurement practices: Procurement practices play a significant role in managing supply chain risks. The procurement process should integrate considerations about potential cybersecurity risks. For example, the supplier’s cybersecurity posture should also be evaluated during vendor selection, apart from cost, quality, and reliability. This might involve investigating the supplier’s history of cybersecurity incidents, the maturity of their cybersecurity program, and their adherence to cybersecurity best practices. • Vendor Risk Management (VRM): VRM is a critical area where C-SCRM can be integrated. VRM should include assessments of a vendor’s cybersecurity measures. Regular audits and assessments can be performed to evaluate the cybersecurity practices of the vendor. These audits can evaluate the vendor’s data protection measures, incident response capabilities, and compliance with relevant cybersecurity standards and regulations. • Security policies and procedures: Incorporating C-SCRM into an organization’s security policies and procedures is also important. These policies might include requirements for data encryption, secure data transmission methods, and the use of secure hardware and software in the supply chain. Procedures can also be developed for response and recovery during a supply chain-related cyber incident. • Business continuity and disaster recovery planning: C-SCRM should be a part of an organization’s Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP). These plans should consider scenarios where a cyber incident in the supply chain disrupts business operations. Developing strategies for alternative suppliers, data backup and recovery, and system redundancies can help ensure the organization can continue operating during a supply chain disruption. • Cybersecurity awareness and training programs: Cybersecurity awareness and training programs should include topics on supply chain risks. Training employees to identify potential risks, such as phishing attempts or suspicious network activity, can help prevent supply chain-related cyber incidents.

321

322

Third-Party and Supply Chain Security

• Integration with incident response planning: Incident response plans should incorporate procedures to respond to supply chain-related cyber incidents. This could include steps to isolate affected systems, notify suppliers or affected parties, investigate the incident, and restore operations. • Governance, Risk, and Compliance (GRC) programs: C-SCRM can be critical to an organization’s GRC program. Incorporating C-SCRM into GRC processes ensures that the organization’s approach to managing supply chain risks aligns with its overall risk tolerance, business objectives, and compliance requirements. Integrating C-SCRM into existing organizational activities requires an approach encompassing various areas of an organization. The goal should be to embed C-SCRM into the organization’s culture, processes, and procedures, making it an inherent part of the way the organization operates.

Stakeholders that support the integration As C-SCRM is integrated into the organizational management processes, a diverse group of stakeholders will emerge to support and execute the integration. These stakeholders span an organization, from high-ranking executives to boots-on-the-ground operational staff. Each of these individuals provides a perspective of the process: • Executive management: The commitment and involvement of executive management are essential to integrate C-SCRM. They are responsible for setting the strategic direction, establishing policies, and allocating the resources necessary for C-SCRM implementation. They also drive the adoption of C-SCRM by emphasizing its importance in the organization’s risk management efforts, thus shaping the organizational culture around this approach. • The risk management team: The risk management team plays a central role in integrating C-SCRM by incorporating supply chain-related cyber risks into the existing risk management framework. They identify, assess, and prioritize these risks and coordinate with relevant stakeholders to mitigate them. • The procurement team: Procurement teams are vital to C-SCRM, as they contact suppliers and vendors directly. Their role includes evaluating potential suppliers, based on their cybersecurity posture during procurement, and enforcing contract security requirements. • IT and cybersecurity teams: IT and cybersecurity teams are responsible for implementing technical controls and measures to mitigate supply chain risks. They also perform cybersecurity audits and assessments of suppliers, monitor security incidents, and respond to such incidents. • Supply chain managers: Supply chain managers coordinate activities across the entire supply chain and have a significant role in C-SCRM. They can facilitate communication and collaboration between an organization and suppliers regarding cybersecurity expectations and practices. • Legal and compliance teams: Legal and compliance teams ensure that C-SCRM aligns with relevant laws, regulations, and industry standards. They can also guide the creation of contracts that detail cybersecurity responsibilities and expectations of suppliers.

Monitoring and reviewing C-SCRM practices

• Suppliers and third parties: Suppliers and third-party service providers also have a role in C-SCRM. They are expected to adhere to an organization’s cybersecurity standards, protect sensitive information, and cooperate with the organization’s efforts to manage supply chain risks. • Employees: Every employee has a part to play in C-SCRM. Through proper training and awareness programs, employees at all levels can contribute to a culture of cybersecurity and take steps to prevent cyber threats that could affect the supply chain.

Monitoring and reviewing C-SCRM practices The cyber threat landscape that leaders must contend with makes regular monitoring and reviewing of C-SCRM practices necessary. It is not enough to merely implement a C-SCRM strategy; organizations must also ensure they periodically monitor and review these practices to maintain an effective security posture: • Adapting to the changing cyber threat landscape: Adversaries continuously seek new vulnerabilities to exploit in the systems of organizations and their supply chain partners. By regularly monitoring C-SCRM practices, organizations can keep abreast of the latest threats and vulnerabilities. This proactive stance allows them to adapt their practices and controls in response to these emerging risks. • Ensuring compliance: Regular reviews ensure that an organization and its supply chain partners adhere to the established C-SCRM policies and procedures. Compliance is crucial to maintaining the trust of customers and regulators, as well as avoiding the legal and financial repercussions that can arise from non-compliance with cybersecurity laws and regulations. Regular monitoring and reviews ensure suppliers and partners meet the organization’s cybersecurity requirements. • Continuous improvement: Monitoring and reviewing C-SCRM practices provides valuable feedback that can be used to improve these practices over time. Organizations can make necessary adjustments to enhance their effectiveness and efficiency by identifying shortcomings or inefficiencies in current practices. This continuous improvement approach is integral to maintaining a strong cybersecurity posture in a constantly changing cyber environment. • Risk visibility: Regular monitoring and reviewing offers organizations better visibility of supply chain risks. This enhanced visibility can give them a more comprehensive and accurate understanding of their risk profile, enabling them to make informed decisions about where to allocate resources for risk mitigation. • Mitigating consequences: Should a breach or incident occur, having a monitoring and review system can limit the impact’s severity. With continuous monitoring, organizations can detect incidents early and respond swiftly, preventing further damage and reducing recovery time. • Promoting responsibility and accountability: Regular monitoring and reviewing of C-SCRM practices promotes a culture of responsibility and accountability within an organization. It signals to all stakeholders, including employees, partners, and suppliers, that cybersecurity is not a one-time effort but a persistent commitment.

323

324

Third-Party and Supply Chain Security

C-SCRM is a comprehensive approach to securing an organization’s supply chain, characterized by constant change and increasing cyber threats. While it presents several challenges, the strategic implementation of C-SCRM practices, active involvement of various stakeholders, and regular monitoring and reviewing can help organizations effectively manage their supply chain risks and ensure business continuity, resilience, and growth.

Summary Organizations depend significantly on many suppliers and vendors to achieve their missions. It is essential to understand that vulnerabilities within any part of this supplier network can compromise the integrity and security of the whole system. This chapter discussed C-SCRM and emphasized its importance in supporting secure business operations. You gained insights into the challenges that arise when managing supply chain cybersecurity risks and were also introduced to the potential consequences when these risks materialize. Risk identification, assessment, and mitigation strategies were explored, ensuring businesses can effectively integrate C-SCRM into their broader security programs and operations. The chapter concluded with guidance on monitoring and reviewing C-SCRM practices to ensure their continued efficacy.

Index A

application security testing integration 304, 305

access controls policy 60 components 61 Act (response) tools 208 backup tools 208 forensics tools 208 incident management and ticketing systems 208

continuous application monitoring 306 immutable workloads, leveraging 305, 306 policies, in application development and deployment 303

malware analysis tools 209 network security tools 209 Advanced Persistent Threats (APTs) 2, 22, 290 characteristics 22, 23 Advanced Threat Protection (ATP) 305 alert 228 annual loss expectancy (ALE) 120, 121 annual rate of occurrence (ARO) 120, 121 Application Programming Interface (API) 275 Applications and Workloads pillar, Zero Trust 303 Advanced Threat Protection (ATP), incorporating 305 application access decisions automating 304 application configuration automating 306

application security testing 304 Artificial Intelligence (AI) 2, 314 assessment, authorization, and monitoring policy components 71 asset management tools 108 asset value (AV) 120 attribute-based access control (ABAC) 292 auditing and accountability policy 62 components 62, 63 automated inventory collection and anomaly detection 298 best practices 299 automated orchestration of identities 295 best practices 295 automation and orchestration tools 231 awareness and training policy 61 components 62

326

Index

B backup storage considerations 91 baiting 37 BC planning 172-174 business impact assessment (BIA) 172 location and availability 174 organizational risks 174 plan documentation and testing 172 recovery strategy development 172 risk assessment 172 succession planning 174 BC planning, and DR planning integrating 173 BeyondCorp model 289 black hat hacker 24 blue hat hacker 25 blue team 210 botnets 21 brute-force attacks 30 BU leaders 176 Business Continuity and Disaster Recovery (BCDR) plan 171-173, 208 business impact assessment (BIA) 182 designing 182 developing 187 focus areas 180 inputs, to business impact assessment (BIA) 182, 183 management controls 181 operational controls 181 outputs, from business impact assessment (BIA) 183, 184 sample BIA form 184, 185 scope 174 technical controls 181 testing 188

Business Continuity Plan (BCP) 321 Business Email Compromise (BEC) scam 5, 19 business impact assessment (BIA) 172, 182, 184 allowable outage, defining 252 business impact, determining 252 business processes, identifying 252 conducting 252 information system, identifying 252 recovery, prioritizing 252 business risk appetite 136 business units (BUs) 133, 176

C California Consumer Privacy Act (CCPA) 74, 132 California Privacy Rights Act (CPRA) 132 call tree 176 cameras 214 Center for Internet Security (CIS) Controls 42 centralized management advantages 133 challenges 134 chief executive officer (CEO) 136 chief information officer (CIO) 59, 132 chief information security officer (CISO) 59, 142, 221 chief operating officer (COO) 136 cloud access security brokers (CASBs) 82 cloud backup 92 cloud computing 261 authentication configurations 280 authorization considerations 281 characteristics 262, 263 identification considerations 280

Index

monitoring and logging considerations 282, 283

Confidentiality, Integrity, and Availability (CIA) triad 1, 8, 9, 94, 95

secure application development considerations 285, 286

configuration management policy 63 components 63, 64 configuration management tool 108 consolidated threat protection, for devices and virtual assets 300

security automation considerations 283, 284 special considerations 273 cloud computing data security 273 data access 274 data location 273 data loss prevention (DLP) 277, 278 encryption 276, 277 storage considerations 274 cloud computing deployment models 268 community cloud 270 hybrid cloud 271 private cloud 269, 270 public cloud 268, 269 cloud computing management models 272 cloud service providers (CSPs) 272, 273 managed service providers (MSPs) 272 cloud computing service models 263 Infrastructure as a Service (IaaS) 264, 265 Platform as a Service (PaaS) 265, 266 Software as a Service (SaaS) 266, 268 Cloud Controls Matrix (CCM) 13 cloud security 2 Cloud Security Alliance (CSA) 13 Cloud Service Providers (CSPs) 13, 272, 273 communication cadence 176 community cloud 270 comprehensive information security program considerations 41, 42 developing 41, 42 comprehensive visibility and situational awareness 296 best practices 296 Concept of Operation (ConOps) 47

best practices 300 Content Delivery Networks (CDNs) 22 contingency planning policy 64 components 64, 65 continuous device verification and enforcement of compliance 299 best practices 299 continuous identity validation 294 best practices 294, 295 Continuous Integration/Continuous Deployment (CI/CD) pipeline 285 continuous monitoring 107, 148, 157 alerting to information security weaknesses 159, 160 information security assessment automation 158 information security metrics, reporting effectively 158, 159 continuous monitoring strategy, components Endpoint Detection and Response (EDR) 149 intrusion detection systems (IDSs) 149 intrusion prevention systems (IPSs) 149 regular security audits 149 Security Information and Event Management (SIEM) 149 security orchestration, automation, and response (SOAR) 149 continuous testing 148 Controlled Unclassified Information (CUI) 13

327

328

Index

Cross-Site Scripting (XSS) vulnerability 152, 226 CryptoLocker 20 cybercrime 27 evolution 4-6 cyber extortion 27 cybersecurity breach 18 Cybersecurity Maturity Model Certification (CMMC) 13 cybersecurity risks, with supply chains Advanced Persistent Threats (APTs) 315 counterfeit components 315 geopolitical risks 315 hardware tampering 314 inadequate security practices 315 insider threats 315 software vulnerabilities 314 third-party service providers 315 Cybersecurity Supply Chain Risk Management (C-SCRM) 312 awareness and training programs 321 business continuity and disaster recovery planning 321 challenges 313, 314 consequences, of non-compliance 320 continuous monitoring and assessment 318 continuous monitoring and improvement 320 developing 320 GRC programs 322 identification, of critical assets 320 incident response plan 320 incorporation, into procurement practices 321 integrating, into security program and business activities 321, 322 integrating, with incident response planning 322

legal and regulatory compliance 320 likelihood, assessing 318 practices, monitoring 323, 324 practices, reviewing 323, 324 risk assessment 312 risk identification 312 risk management 320 risk management framework integration 321 risk mitigation 313 risk monitoring and review 313 risk scoring and prioritization 318 roles and responsibilities 320 scope and objectives 320 security policies and procedures 321 severity, assessing 317 significance 312 stakeholders, supporting integration 322 supplier relationship management 320 supply chain context 317 training and awareness 320 Vendor Risk Management (VRM) 321

D data classification 85, 86 information assets, determining 87, 88 information, finding in environment 88-92 information, organizing into categories 93 information, valuing 99 steps 86, 87 data loss prevention (DLP) 82, 218, 277, 278 considerations 279 life cycle 278 tools 160, 292 Data pillar, Zero Trust 307 comprehensive data visibility and automated analysis 310 continuous data inventory and data loss prevention 308

Index

data automation 309 data categorization 308 data labeling 308 encryption 309 unified data life cycle policies 307 data sanitization 242 data storage management 264 data tier 89 decentralized management 134 advantages 134 challenges 135 decision tools 205 Denial of Service (DoS) attacks 27 design phase, SELC / SDLC process Concept of Operation 239 Detailed Design 240 High-Level Design 239 Proof of Concept System 240 Detailed Design document 48 Devices pillar, Zero Trust 298 automated inventory collection and anomaly detection 298, 299 consolidated threat protection for devices and virtual assets 300 continuous device verification and enforcement of compliance 299 enterprise-wide policies for device and virtual asset life cycles 298 monitoring and enforcement mechanisms, for non-compliant devices 300 dictionary attacks 30 disaster recovery considerations 90 Disaster Recovery Plan (DRP) 321 disk backup 92 Distributed Denial of Service (DDoS) attacks 5, 21, 22 DNS amplification attack 21

Domain Name System (DNS) vulnerabilities 21 Domain Name System Security Extensions (DNSSEC) 21 DR-as-a-service (DRaaS) 177 DR coordinator 176 DR planning 172, 175 aspects, to maintain and secure 178 backup and recovery strategies 173 data management and protection 177 DRP documentation and testing 173 funding and resource allocation 175, 176 Recovery Point Objectives (RPOs) 172 Recovery Time Objectives (RTOs) 172 roles and responsibilities 176, 177 technology inventory 172 testing 179, 180 dynamic application security testing (DAST) 285 dynamic code analysis 148

E Electronic Fund Transfer Act (EFTA) 130 encryption 276 best practices, for encryption of all applicable traffic 302 challenges 277 compliance with regulatory requirements 277 data at rest 276 data destruction 276 data in transit 276 multitenancy 277 of applicable traffic 302 Endpoint Detection and Response (EDR) 149, 194 tools 231

329

330

Index

enforcement areas, information security program

F

awareness and training 145 CI and adaptation 145 establishing 144 legal and regulatory compliance 144 metrics and reporting 145 people 144 privacy and data protection 144 processes 144 risk management and assessment 144 technology 144 third parties 144 vendor and supply chain security 145 enterprise information security policy 54 considerations 54, 55 management controls 58 operational controls 58 technical controls 58 enterprise-wide identity policies 294 best practices 294 enterprise-wide network policies 301 best practices 301 enterprise-wide policies for device and virtual asset life cycle management 298

Factor Analysis of Information Risk (FAIR) model 119

best practices 298 ethical hacker 24 European Union General Data Protection Regulation (EU GDPR) 131 event 228 exploits 27 exposure factor (EF) 121 external information systems access documentation 251 data transfer direction 251 notes 251 purpose description 251 system and ownership, interfacing 251

Fair and Accurate Credit Transactions Act (FACTA) 130 false negative 228 false positive 228 Federal Information Security Management Act (FISMA) 131 Federal Information Security Modernization Act (FISMA) 247 firmware rootkits 33 Frequently Asked Questions (FAQs) 57 full-scale testing 179

G General Data Protection Regulation (GDPR) 74, 291 governance, risk, and compliance (GRC) tools 159 characteristics 159 Gramm-Leach-Bliley Act (GLBA) 130 gray hat hacker 25 guards 214 guard stations 214 guiding principles, information security program business alignment 139 communication strategies 140

H hackers 24 black hat hacker 24 blue hat hacker 25 gray hat hacker 25 white hat/ethical hacker 24

Index

hacker techniques 30 baiting 37 keystroke logging 31, 32 password cracking 30 phishing 35 pretexting 34 rootkit 32 social engineering 34 spoofing 33 vulnerability assessment 31 water holing 37 hacking 24 hacktivist 26 Health Insurance Portability and Accountability Act (HIPAA) 13, 131, 291 High-Level Design 48 HITRUST 43 hybrid cloud 271

I identification and authentication policy components 65 Identity pillar, Zero Trust 293 automated orchestration of identities 295 comprehensive visibility and situational awareness 296 continuous identity validation 294 enterprise-wide identity policies 294 just-in-time and just-enough access 297 real-time identity risk determination 295 secure integration of identity stores 296 impact levels 100-103 incident 228 incident response (IR) 178, 215 metrics 66, 67

incident response plan (IRP) 189, 206 benefits 190 containment/recovery/mitigation 206, 207 critical elements, prioritizing 193 detection and analysis 202, 203 life cycle, phases 190, 191 normal network activity 194 preparation 191-199 testing 210, 211 incident response policy 65, 206 components 65, 66 incident response procedure development 197 emergency contact checklist 197 incident handler bag checklists 197 security analysis checklists 197 incident response procedures 206 incident response team 206 incident response tools 204, 208 Act (response) tools 208, 209 decision tools 205, 206 observational technical tools 204 orientation tools 204, 205 Indicators of Compromise (IoCs) 205, 227 information assurance (IA) 7 information categorization conducting 253 information assets, identifying 253 information assets, securing 253 information assets valuation 253 information locations key questions to assess 92 information security challenges 2 policies 14 standards 12-14 training 14

331

332

Index

information security architect, in design phase collaboration, with engineering and development teams 240 final system design security, ensuring 240 mitigating security controls development 240 information security architect, in disposition phase compliance, with legal and organizational policies 243 data removal, validating 242 data sanitization, overseeing 242 necessary data, archiving 242 information security architect, in implementation phase collaboration, with engineering and development teams 240 finalized design implementation, ensuring 240 information security architect, in initiation phase active participation, in project activities 238 communications and education 238 initial security analysis, conducting 238 information security architect, in operations and maintenance phase continuous advisory services, providing 241 regular security audits, conducting 242 security controls, developing 242 system changes, reviewing 242 information security architect, in requirements analysis phase communication and collaboration 239 Information Security requirements selection 239 security requirements to system needs, tailoring 239

information security architect, in testing phase compliance, ensuring 241 identification and repair of deficient security controls 241 security testing documentation development 241 information security architecture 235-237 integrating, with SDLC/SELC 237 information security architecture considerations auditing and accountability 258 authentication 257 authorization 258 availability 257 compliance 260 confidentiality 256 incident response 259 non-repudiation 258 risk management 259 information security architecture program 254 considerations 256 example 255 information security assessment automation 158 license and asset management 158 network and configuration management 158 software assurance 158 vulnerability and patch compliance 158 information security defense-in-depth layers application layer 218 data layer 218 host layer 218 internal network layer 218 perimeter layer 218 physical layer 218 policies, procedures, and awareness layer 218

Index

information security engineers 220 information security integration, into SDLC/SELC process 46 design phase 47, 48 disposition phase 49 implementation phase 49 initiation phase 46 operations and maintenance phase 49 requirements analysis phase 47 testing phase 49 Information Security Management System (ISMS) 12 information security policies 51 access controls policy 60, 61 assessment, authorization, and monitoring policy 71 auditing and accountability policy 62, 63 awareness and training policy 61, 62 configuration management policy 63, 64 considerations 51, 52 contingency planning policy 64 enterprise information security policy 54 identification and authentication policy 65 incident response policy 65-67 information security program policy 52 information security systemspecific policy 55 maintenance policy 67 media protection policy 68 personally identifiable information (PII) policy 74

system and communications protection policy 71, 72 system and information integrity policy 72, 73 systems and services acquisitions policy 73, 74 information security professionals 17 information security program 86 activities, considering 124, 125 business risk appetite 136 centralized management 132-134 compliance requirements 129-132 comprehensive awareness and training programs 45 decentralized management 134-136 elements 126-129 guiding principles 139 information security, aligning with organization’s mission 44 information security, building into SDLC/SELC process 46 information security measures, optimizing 44 maturity, enhancing 50, 51 objectives, determining 123, 124 organizational maturity 137, 138 potential roadmap 138 rightsizing 129 success factors 43 information security program plan elements 140

personnel security policy 69 physical and environmental protection policy 69, 70

enforcement areas, establishing 144, 145 information security program strategy, developing 140

planning policy 59, 60 risk assessment policy 70 Supply Chain Risk Management (SCRM) policy 74, 75

key initiatives, establishing 141, 142 roles and responsibilities, defining 142

333

334

Index

information security program policy 52 Chief Information Security Officer (CISO) 52 collaboration, with security organizations 54 comprehensive information security strategy 52 comprehensive risk management approach 53 continuous security improvement 54 critical assets protection 53 information system registry security 53 proactive insider threat management 53 remediation action plan process 53 resource allocation, for security initiatives 52 secure system authorization 53 security integration, in business processes 53 security integration, in Enterprise Architecture (EA) 53 security performance metrics 53 skilled and trained security personnel 54 threat awareness cultivation 54 information security program strategy developing 140 information security architecture 141 information security awareness and training 141 information security governance 141 information security guidance 141 information security operations 141 information security risk assessment 141 information security risk 78 information security systemspecific policy 55 information security guidelines 57, 58 information security procedures 56 information security standards 56 recommended enterprise information security policy 58

information sources examples 111, 112 information system roles, initial information security analysis administrator 248 data owner 248 system owner 248 information systems authorizing, to operate 106, 107 information system security controls monitoring 107, 108 information technology security engineering 7 information type categories example 94-99 Infrastructure as a Service (IaaS) 263-265 Infrastructure as Code (IaC) 284 initial information security analysis business impact assessment (BIA), conducting 244, 252 compliance requirements determination 244, 246 conducting 243 expected user types, defining 244 external information systems access, documenting 251 information categorization, conducting 244, 253 information system description 244-246 information system, purpose 244, 245 information system roles, documenting 244, 248 interface requirements documentation 244, 250 project roles, documenting 244, 247 user types, defining 249

Index

insider threats 2, 22 malicious insider threats 22 negligent insider threats 22 unintentional insider threats 22 integrated development environments (IDEs) 266 intellectual property (IP) 79 interface 250 interface requirements data transfer 250 functional description 250 interface overview 250 transactions 251 Internet of Things (IoT) 2, 6, 289, 314 intrusion detection system/ intrusion prevention system (IDS/IPS) 149, 220, 231, 291 intrusion prevention and detection tools 214 ISO 27000-series 42 ISO 27001 12 ISO 27002 12

J just-in-time and just-enough access 297 best practices 297

K kernel-based virtual machines (KVM) 275 kernel-mode rootkits 32 key initiatives, information security program strategy description 141 establishing 141 initiative 141 key benefits 142 keystroke logging 31, 32

L Layer 7 DDoS attacks 21 legitimate threat source 110 lessons-learned sessions 210 likelihood, C-SCRM risks estimating 318 supplier security posture 318 supply chain complexity 318 threat landscape 318 Locky 20 log analytics 224 logic tier 89 log reduction 224

M maintenance policy 67 components 67 malicious insider threats 22 malware attacks 2, 20 Managed Security Service Provider (MSSP) 232 managed service providers (MSPs) 272 management approaches to risk 118, 119 maturity, information security program defined 50 developing 50 enhancing 50 initial 50 managed 50 optimized 50 media protection policy 68 components 68 mitigation strategies, supply chain risks comprehensive vendor assessment 319 cybersecurity insurance 319

335

336

Index

incident response planning 319 redundancy and diversity 319 regular security audits and testing 319 secure development and operations practices 319 security requirements, incorporating into vendor contracts 319 security training, for supply chain personnel 319 mobile device security 2 monitoring and enforcement mechanisms, for non-compliant devices 300 best practices 300 motion detectors 214 multi-factor authentication (MFA) 281, 292

N National Institute of Standards and Technology (NIST) 290 nation-state attacker 26 negligent insider threats 22 NetFlow analyzers 231 network architecture principles 301 best practices 302 network monitoring and analysis 194 Networks pillar, Zero Trust 301 encryption, of applicable traffic 302 enterprise-wide network policies 301 network architecture principles 301, 302 visibility, into communication across networks 302 network sweeping 160, 161 Network Time Protocol (NTP) 63 network tracing 161 NIST Cybersecurity Framework 13, 42 NIST SP 800-53 43 NIST SP 800-171 13

O OAuth 280 object storage 275 observational technical tools 204 availability monitoring 204 Host- and Network-Based Intrusion Prevention and Intrusion Detection Systems (IPSs/IDSs) 204 NetFlow analyzers 204 SIEM, log analysis, and log management 204 vulnerability scanners 204 web traffic analysis 204 Observe, Orient, Decide, Act (OODA) loop 195, 196 Open Web Application Security Project (OWASP) 27 URL 28 organization valueable data, protecting 79 organizational context 17-19 organizational information security assessment 9-11 internal assessment 10 third-party assessment 10 organizational maturity 137 valuable 137 organizational stakeholders guidelines, for working 44 organizational units (OUs) 134 orientation tools 204 asset management 205 threat intelligence 205 OS fingerprinting 161, 162 OWASP Top 10 Vulnerabilities for 2021 broken access control 28 cryptographic failures 28 identification and authentication failures 29

Index

injection 28 insecure design 28 security logging and monitoring failures 29 security misconfiguration 29 server-side request forgery 30 software and data integrity failures 29 vulnerable and outdated components 29

P password cracking 30 password cracking tools references 30 patch management tools 108 Payment Card Industry Data Security Standard (PCI DSS) 13, 43, 94, 130, 247 PCI Security Standards Council (PCI SSC) 130 penetration testing 26, 27, 148, 165 client-side 165 network services 166 phases 166, 167 physical security 166 social engineering 165 versus vulnerability assessments 168, 169 wireless security 166 periodic audits 108 personally identifiable information (PII) 60, 79 personally identifiable information (PII) policy 74 components 74 personnel security policy 69 components 69 phishing 2, 19, 35 awareness training, to combat 36, 37 spear phishing 36

physical and environmental protection policy 69 components 70 pillars, Zero Trust Applications and Workloads pillar 293, 303 Data pillar 293, 307 Device pillar 292, 298 Identity pillar 292, 293 Networks pillar 292, 301 planning policy 59 components 59, 60 plans of action and milestones (POAMs) 106 Platform as a Service (PaaS) 263, 265, 266 Policy as Code (PaC) 284 port scanning 160, 161 post-incident activity 209 root cause analysis 209 presentation tier 89 pretexting 34 private cloud 269, 270 project roles, initial information security analysis executive sponsor 248 project manager 247 project sponsor 248 project team members 247 Proof-of-Concept System 48 public cloud 268, 269 purple team 210

Q qualitative risk assessment 109, 110 example 120, 121 quantitative analysis 119, 120 quantitative risk assessments 109, 110 quick risk assessment 80 conducting 80, 81

337

338

Index

R

S

ransomware attacks 2, 20 real-time identity risk assessments 295 best practices 295 Recovery Point Objectives (RPOs) 172, 183 Recovery Time Objectives (RTOs) 172, 184 red team 210 regular security audits 149 risk assessment 108, 116, 117 impact, estimating 115, 116 likelihood, estimating 114, 115 organization’s vulnerabilities, identifying 111 threats, pairing with vulnerabilities 113 risk assessment policy 70 components 70 risk identification methods cybersecurity audits 317 cybersecurity ratings and intelligence services 317

sample BIA form 184, 185 Sarbanes-Oxley Act (SOX) 129 script kiddie 25 Secure Access Service Edge (SASE) 3, 4, 292 secure integration of identity stores 296 best practices 297 security architecture advisement program awareness program 254 considerations 253, 254 developing 253 Security Assertion Markup Language (SAML) 218, 280

supply chain mapping 316 threat modeling 317 risk management 11, 12, 78 organizational-wide activity 81-83 Risk Management Framework (RMF) 83, 84 risk mitigation 78 risk mitigation investment 136 risk ownership 78 risk tolerance 136 roles and responsibilities, information security program CISO 142, 143 data owners 143 defining 142 executive management 142 system owners 143 root cause analysis 209 steps 209, 210 rootkit 32

security control implementation 104, 105 implemented security controls, assessing 105, 106 selection 103, 104 Security Information and Event Management (SIEM) 149, 194, 214, 231, 279 Security Operations Center (SOC) 139, 213, 214, 278 benefits 232, 233 identification 226, 227 processes and procedures 225, 226 remediation 228-230 Security Operations Center (SOC), responsibilities 214 incident response 215 threat detection and analysis 215 threat intelligence 215 vulnerability management 215 security orchestration, automation, and response (SOAR) 149 SELC/SDLC process 46 design phase 239, 240 disposition phase 242

Index

implementation phase 240 information security, building 46 initiation phase 238 operations and maintenance phase 241, 242 requirements analysis phase 239 testing phase 241 servers 262 Service-Level Agreements (SLAs) 56, 177, 184 service providers (SPs) 145 severity, C-SCRM risks assessing 318 business impact 318 dependencies 318 regulatory impact 318 shared responsibility model 285 single loss expectancy (SLE) 120, 121 SOC 2 43 SOC analysts 214, 218, 219 SOC facility 214 social engineering attacks 2, 23, 34 social security numbers (SSNs) 79 SOC manager 221 SOC roles 218-222 log/information aggregation 222, 223 log/information analysis 224, 225 SOC tools already implemented toolsets, using 217, 218 automation and orchestration tools 231 design 216, 217 endpoint detection and response (EDR) tools 231 IPS/IDS 231 NetFlow analyzers 231 SIEM 231 threat intelligence platforms 231 vulnerability scanners 231

SOC tools management 215 configuration 216 evaluation and improvement 216 integration 215 maintenance 216 selection 215 Software as a Service (SaaS) 263, 266, 268 Software Development Life Cycle (SDLC) 46 spear phishing 19, 36 spoofing 33 spyware 21 stakeholders, for C-SCRM integration employees 323 executive management 322 IT and cybersecurity teams 322 legal and compliance teams 322 procurement team 322 risk management team 322 suppliers and third parties 323 supply chain managers 322 Standard Operating Procedure (SOP) 229, 230 static application security testing (SAST) 285 static code analysis 148 storage 262 storage considerations, cloud computing data security 274 storage threats 276 storage types 274, 275 structured data storage 275 supply chain attacks 2, 23, 24 consequences, of risks 315, 316 cybersecurity risks 314, 315 risks, identifying 316, 317 strategies, for risk mitigation 319 Supply Chain Management (SCM) 311 supply chain mapping 316

339

340

Index

Supply Chain Risk Management (SCRM) policy 74 components 75 supply chain risks, examples ASUS Live Update 316 NotPetya malware 316 SolarWinds 315 target data breach 316 system and communications protection policy 71 components 71, 72 system and information integrity policy 72 components 72, 73 system authorization 106 system design life cycle (SDLC) 96 system development life cycle (SDLC) 3, 149 disposition 155, 156 operations and maintenance 154, 155 project initiation 150 requirements analysis 150, 151 summary 156, 157 system design 151-153 system implementation 153 system testing 153, 154 systems and services acquisitions policy 73 components 73 System Security Plans (SSPs) 60 Systems Engineering Life Cycle (SELC) 46

T tabletop exercises 179, 206, 211 tape backup 92 technical DR mechanisms defining 185 developing 186 gap analysis, conducting 186 required resources, identifying and documenting 185

technical testing examples 148 testing methods examples 111, 112 threat detection and analysis 215 threat intelligence 215 threat intelligence platforms 231 threat modeling PASTA 317 STRIDE 317 threats 19, 109 Advanced Persistent Threats (APTs) 22 description 109 Distributed denial-of-service (DDoS) attacks 21, 22 insider threats 22 malware 20 pairing, with vulnerabilities 113 phishing attacks 19 ransomware 20 social engineering attacks 23 source 109 supply chain attacks 23, 24 trade secrets 79, 94 traditional perimeter-based security limitations 291 shifting from 291 Transport Layer Security (TLS) 72 trojans 21 true negative 228 true positive 228

U unintentional insider threats 22 unstructured data storage 275 user behavior analytics (UBA) 194 user-mode rootkits 32

Index

user types, initial information security analysis access location, determining 249 application administrators 249 client software, identifying 249 defining 249 external business partners 249 external users/customers 249 general information system users 249 system administrators 249

V version scanning 160, 162 virtual machine snapshot 92 virtual machines (VMs) 269 virus 20 visibility, into communication across networks 302 best practices 303 Voice over Internet Protocol (VoIP) 72 volume storage 275 vulnerability 38 vulnerability assessment 31, 148, 160 aspects, to consider 38 tools, references 31 versus penetration testing 168, 169 vulnerability management 39, 215 tools 108 vulnerability resolution process 163 workflow 164 vulnerability scanners 231 vulnerability scanning process 161 device discovery 161 service enumeration 162 vulnerability scanning 162, 163 vulnerability validation 163

W walkthrough drills 179 WannaCry 20 water holing 37 web application vulnerability assessments 148 white hat hacker 24 worm 20

Z Zero Trust 287 adaptive and risk-based policies 288 advantages 290-292 automation and orchestration 293 continuous monitoring and analytics 288 data-centric security 288 governance 293 history 289, 290 importance, in cybersecurity 290 least-privilege access 288 microsegmentation 288 need for 288 never trust, always verify 288 pillars 292 principles 287, 288 trust but verify approach 288 visibility and analytics 293

341

www.packtpub.com Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe? • Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals • Improve your learning with Skill Plans built especially for you • Get a free eBook or video every month • Fully searchable for easy access to vital information • Copy and paste, print, and bookmark content Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at packtpub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at customercare@packtpub. com for more details. At www.packtpub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Other Books You May Enjoy If you enjoyed this book, you may be interested in these other books by Packt:

Fuzzing Against the Machine Antonio Nappa, Eduardo Blázquez ISBN: 978-1-80461-497-6 • Understand the difference between emulation and virtualization • Discover the importance of emulation and fuzzing in cybersecurity • Get to grips with fuzzing an entire operating system • Discover how to inject a fuzzer into proprietary firmware • Know the difference between static and dynamic fuzzing • Look into combining QEMU with AFL and AFL++ • Explore Fuzz peripherals such as modems • Find out how to identify vulnerabilities in OpenWrt

Other Books You May Enjoy

Practical Cybersecurity Architecture - Second Edition Diana Kelley, Ed Moyle ISBN: 978-1-83763-716-4 • Explore ways to create your own architectures and analyze those from others • Understand strategies for creating architectures for environments and applications • Discover approaches to documentation using repeatable approaches and tools • Delve into communication techniques for designs, goals, and requirements. • Focus on implementation strategies for designs that help reduce risk • Become well-versed with methods to apply architectural discipline to your organization.

345

346

Packt is searching for authors like you If you’re interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Share Your Thoughts Now you’ve finished Information Security Handbook, Second Edition, we’d love to hear your thoughts! If you purchased the book from Amazon, please click here to go straight to the Amazon review page for this book and share your feedback or leave a review on the site that you purchased it from. Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

347

Download a free PDF copy of this book Thanks for purchasing this book! Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook purchase not compatible with the device of your choice? Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost. Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application. The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily Follow these simple steps to get the benefits: 1. Scan the QR code or visit the link below

https://packt.link/free-ebook/9781837632701 2. Submit your proof of purchase 3. That’s it! We’ll send your free PDF and other benefits to your email directly