Chapter 11 Study Guide

Implementing Policies to Mitigate Risks

CompTIA Security+ objectives covered in this chapter:

1.5 Explain different threat actors, vectors, and intelligence sources.
• Vectors (Supply chain)

1.6 Explain the security concerns associated with various types of vulnerabilities.
• Impacts (Data breaches, Reputation)
• Third-party risks (Vendor management, System integration, Lack of vendor support, Supply chain)

1.7 Summarize the techniques used in security assessments.
• Security orchestration, automation, response (SOAR)

2.1 Explain the importance of security concepts in an enterprise environment.
• Data protection (Masking, Tokenization)

2.5 Given a scenario, implement cybersecurity resilience.
• Diversity (Vendors)

2.7 Explain the importance of physical security controls.
• Secure data destruction, Burning, Shredding, Pulping, Pulverizing, Degaussing, Third-party solutions

3.2 Given a scenario, implement host or application security solutions.
• Database (Tokenization)

4.1 Given a scenario, use the appropriate tool to assess organizational security.
• Forensics (dd, Memdump, WinHex, FTK imager, Autopsy), Data sanitization

4.2 Summarize the importance of policies, processes, and procedures for incident response.
• Incident response plans, Incident response process (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned), Stakeholder management, Communication plan, Incident response team, Retention policies

4.3 Given an incident, utilize appropriate data sources to support an investigation.
• Log files (Dump files), Bandwidth monitors, Metadata (Email, Mobile, Web, File)

4.4 Given an incident, apply mitigation techniques or controls to secure an environment.
• Isolation, Containment, SOAR (Runbooks, Playbooks)

4.5 Explain the key aspects of digital forensics.
• Documentation/evidence (Legal hold, Video, Admissibility, Chain of custody, Tags, Reports, Event logs, Interviews)
• Timelines of sequence of events (Time stamps, Time offset)
• Acquisition (Order of volatility, Disk, Random-access memory (RAM), Swap/pagefile, OS, Device, Firmware, Snapshot, Cache, Network, Artifacts)
• On-premises vs. cloud (Right to audit clauses, Regulatory/jurisdiction, Data breach notification laws)
• Integrity (Hashing, Checksums, Provenance), Preservation, E-discovery, Data recovery, Non-repudiation, Strategic intelligence/counterintelligence

5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture.
• Regulations, standards, and legislation (General Data Protection Regulation (GDPR), National, territory, or state laws)

5.3 Explain the importance of policies to organizational security.
• Personnel (Acceptable use policy, Job rotation, Mandatory vacation, Separation of duties, Least privilege, Clean desk space, Background checks, Non-disclosure agreement (NDA), Social media analysis, Onboarding, Offboarding)
• User training (Gamification, Capture the flag, Phishing campaigns, Phishing simulations, Computer-based training (CBT), Role-based training), Diversity of training techniques
• Third-party risk management (Vendors, Supply chain, Business partners, Service level agreement (SLA), Memorandum of understanding (MOU), Measurement systems analysis (MSA), Business partnership agreement (BPA), End of life (EOL), End of service (EOSL), NDA)
• Data (Classification, Governance, Retention)

5.4 Summarize risk management processes and concepts.
• Risk analysis (Regulations that affect risk posture)

5.5 Explain privacy and sensitive data concepts in relation to security.
• Organizational consequences of privacy breaches (Reputation damage, Identity theft, Fines, IP theft), Notifications of breaches (Escalation, Public notifications and disclosures)
• Data types (Classifications, Public, Private, Sensitive, Confidential, Critical, Proprietary, Personally identifiable information (PII), Health information, Financial information, Government data, Customer data)
• Privacy enhancing technologies (Data minimization, Data masking, Tokenization, Anonymization, Pseudo-anonymization)
• Roles and responsibilities (Data owners, Data controller, Data processor, Data protection officer (DPO), Data custodian/steward)
• Information life cycle, Impact assessment, Terms of agreement, Privacy notice

Organizations often develop written security policies. These provide guiding principles to the professionals who implement security throughout the organization. These policies include personnel management policies and data protection policies. Combined with training for personnel to raise overall security awareness, they help mitigate risk and reduce security incidents. However, security incidents still occur, and incident response policies and forensic data policies provide the direction on how to handle them.

Chapter 11 Exam Topic Review

When preparing for the exam, make sure you understand these key concepts covered in this chapter.

Exploring Security Policies

• Written security policies are administrative controls that identify an overall security plan for an organization and reduce overall risk. Plans and procedures identify security controls used to enforce security policies.
• An acceptable use policy defines proper system usage for users and spells out rules of behavior when accessing systems and networks. It often provides specific examples of unacceptable usage, such as visiting certain websites, and typically includes statements informing users that the organization monitors user activities. Users are required to read and sign an acceptable use policy when hired and in conjunction with refresher training.
• Mandatory vacation policies require employees to take time away from their job. These policies help to reduce fraud and discover malicious activities by employees.
• A separation of duties policy separates individual tasks of an overall function between different entities or different people and helps deter fraud. For example, a single person shouldn’t be able to approve bills and pay them or print checks and then sign them.
• The principle of least privilege specifies that individuals or processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.
• Job rotation policies require employees to change roles regularly. Employees might swap roles temporarily, such as for three to four weeks, or permanently. These policies help to prevent employees from continuing with fraudulent activities and help detect fraud if it occurs.
• Clean desk space policies require users to organize their desks and surrounding areas to reduce the risk of possible data theft and password compromise.
• Background checks are performed before hiring an employee. Once hired, onboarding processes give employees access to resources. An exit interview is conducted before an employee departs the organization, and the account is typically disabled during the interview.
• A non-disclosure agreement helps ensure that proprietary data is not shared. Social media analysis practices monitor employee activity on social media networks.
• A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
• Memorandums of understanding (MOUs) express an understanding between two or more parties, indicating their intention to work together toward a common goal.
• End of life (EOL) generally refers to the date when a vendor stops offering a product for sale.
• End of service life (EOSL) indicates the date when a vendor will stop supporting a product with patches or upgrades.
• A measurement systems analysis (MSA) evaluates the processes and tools used to make measurements.

Incident Response Policies

• An incident response policy defines an incident and response procedures. Organizations review and update the policy periodically and after reviewing lessons learned from actual incidents.
• A communication plan identifies who to inform when an incident occurs. It also outlines the roles and responsibilities of various personnel, including a communication expert who would communicate with the media.
• The first step in incident response is preparation. It includes creating and maintaining an incident response policy and includes prevention steps such as implementing security controls to prevent malware infections.
• Before acting, personnel verify an event is an actual incident. Next, they attempt to contain or isolate the problem. Disconnecting a computer from a network will isolate it.
• Eradication attempts to remove all malicious components left after an incident. Recovery restores a system to its original state. Depending on the scope of the incident, administrators might completely rebuild the system, including applying all updates and patches.
• A review of lessons learned helps an organization prevent a reoccurrence of an incident.
• Security Orchestration, Automation, and Response (SOAR) platforms use internal tools to respond to low-level security events automatically, reducing administrator workload.
• A SOAR playbook provides a checklist of things to check for suspected incidents.
• A SOAR runbook implements the playbook checklist using available tools within the organization.

Understanding Digital Forensics

• When collecting documentation and evidence, it’s important to follow specific procedures to ensure that the evidence is admissible in a court of law.
• A chain of custody provides assurances that personnel controlled and handled evidence properly after collecting it. It may start with a tag attached to the physical item, followed by a chain of custody form that documents everyone who handled it and when they handled it.
• A legal hold requires an organization to protect existing data as evidence.
• Video surveillance systems (when available) should be used in forensic investigations. If personnel witnessed an incident, they should be interviewed.
• Event logs often help investigators reconstruct the timeline of an event by looking at the timestamps of entries. However, investigators need to consider any time offsets based on the time zone used by the logs.
• Investigators provide a report on their findings. They typically include tactics, techniques, and procedures (TTPs) used by attackers and recommendations based on the results.
• When using a cloud provider, organizations should ensure that the contract includes a right to audit clause. Organizations should also know where their data is being housed so that the regulatory jurisdiction is known. If a data breach occurs, organizations need to comply with data breach notification laws based on the location of the data.
• The order of volatility for data from most volatile to least volatile on a system is cache memory, regular RAM, a swap or paging file, and hard drive data.
• Snapshots can capture data from almost any location, and the snapshot can be used for forensic analysis.
• Forensic artifacts are pieces of data that most users are unaware of, but digital forensic experts can extract and analyze the artifacts.
• Firmware forensics extract code from firmware and reverse engineer it.
• Forensic experts capture an image of the data before analysis to preserve the original and maintain its usability as evidence. Hard drive imaging creates a forensic copy and prevents the forensic capture and analysis from modifying the original evidence. A forensic image is a bit-by-bit copy of the data and does not modify the data during the capture.
• Some tools used to capture data include dd, memdump, WinHex, and FTK imager. Autopsy is a graphical user interface that simplifies running command-line utilities from The Sleuth Kit.
• Hashes or checksums are used to verify the integrity of captured data. They provide proof the capturing process did not modify data.
• Electronic discovery (eDiscovery) is the identification and collection of electronically stored information. This includes files of any kind.
• Forensic methods support the recovery of data after it has been deleted or a drive has been formatted.
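The point above about event-log timestamps and time offsets, as an added example that is not part of the original study guide: entries logged in different time zones are converted to UTC before being ordered. The source names, offsets, and log entries are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample entries: (source, timestamp as logged, UTC offset of that log in hours, event)
RAW_EVENTS = [
    ("firewall", "2024-03-10 14:02:11", 0, "outbound connection to 203.0.113.7 allowed"),
    ("web-server", "2024-03-10 09:01:48", -5, "admin login from 198.51.100.23"),
    ("file-server", "2024-03-10 19:32:30", 5.5, "archive.zip created in staging share"),
    ("workstation", "2024-03-10 16:00:05", 2, "email attachment opened"),
]

def to_utc(logged_ts, offset_hours):
    """Attach the source's time offset to a logged timestamp and convert it to UTC."""
    source_tz = timezone(timedelta(hours=offset_hours))
    return datetime.strptime(logged_ts, FMT).replace(tzinfo=source_tz).astimezone(timezone.utc)

def naive_order(events):
    """Order sources by the timestamp text as logged, ignoring offsets (the mistake)."""
    return [src for src, ts, _off, _msg in sorted(events, key=lambda e: e[1])]

def build_timeline(events):
    """Return (utc_time, source, logged_ts, offset, event) rows in true chronological order."""
    rows = [(to_utc(ts, off), src, ts, off, msg) for src, ts, off, msg in events]
    return sorted(rows, key=lambda r: r[0])

if __name__ == "__main__":
    print("Order if offsets are ignored:", naive_order(RAW_EVENTS))
    for utc, src, ts, off, msg in build_timeline(RAW_EVENTS):
        # Keep the logged value and its offset beside the UTC time so the report stays traceable.
        print(f"{utc.isoformat()}  {src:<11} (logged {ts}, UTC{off:+g})  {msg}")
```

With offsets ignored, the workstation event appears third; once normalized to UTC it is the first event in the sequence.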

Protecting Data

• Information classification practices help protect sensitive data by ensuring users understand the value of data. Sensitive data is any data that isn’t public. An organization protects sensitive data.
• Public data is available to anyone. Confidential data is information that an organization intends to keep secret among a certain group of people. Proprietary data is data that is related to ownership, such as patents or trade secrets. Private data includes PII and health information.
• Personally Identifiable Information (PII) is used to identify an individual. Examples include a full name combined with a birth date, address, or medical information. Health information is PII that includes medical or health-related information.
• Data governance refers to the processes an organization implements to manage, process, and protect data. Many laws require organizations to implement specific data governance methods.
• PII requires special handling for data retention. Many laws mandate the protection of PII and require informing individuals when an attack results in the compromise of PII.
• Data masking hides sensitive data such as PII by permanently converting it into usable but inauthentic data. Anonymization attempts to permanently remove all PII within a data set to protect the privacy of individuals. Pseudo-anonymization replaces data elements within a data set with pseudonyms or artificial identifiers. The pseudonyms and original data elements are retained in a separate data set. This second data set can be used to re-create the original data set.
• Tokenization replaces data elements with a token, or substitute value. A tokenization system retains both the token and the original value. Tokenization is commonly used with credit cards.
• Retention policies identify how long data is retained. They can limit a company’s exposure to legal proceedings and reduce the amount of labor required to respond to court orders.
• Data sanitization and destruction methods ensure that sensitive data is removed from decommissioned systems. File shredders remove all remnants of a file. Wiping methods erase disk drives. Degaussing a disk magnetically erases all the data. Physically destroying a drive is the most secure method of ensuring unauthorized personnel cannot access proprietary information.
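The difference between data masking, pseudo-anonymization, and tokenization as described above, shown side by side in an added example that is not part of the original study guide. The names TokenVault, mask_value, pseudonymize, and reidentify are hypothetical, and the records are constructed sample data using test card numbers.

```python
import secrets

# Constructed sample records (test card numbers, invented names)
RECORDS = [
    {"name": "Alex Example", "card": "4111-1111-1111-1111"},
    {"name": "Sam Sample", "card": "5500-0000-0000-0004"},
    {"name": "Alex Example", "card": "4111-1111-1111-1111"},
]

def mask_value(value):
    """Masking: permanently swap each digit for a random one. The layout stays
    usable for testing, and nothing is retained that could reverse it."""
    return "".join(secrets.choice("0123456789") if c.isdigit() else c for c in value)

def pseudonymize(records, field):
    """Pseudo-anonymization: replace a field with an artificial identifier and
    return the pseudonym-to-original table as a separate data set."""
    forward, out = {}, []
    for rec in records:
        alias = forward.setdefault(rec[field], f"subject-{len(forward) + 1:04d}")
        out.append({**rec, field: alias})
    key_table = {alias: original for original, alias in forward.items()}
    return out, key_table

def reidentify(records, field, key_table):
    """Re-create the original data set; only possible with the separate key table."""
    return [{**rec, field: key_table[rec[field]]} for rec in records]

class TokenVault:
    """Tokenization: the vault retains both the token and the original value."""
    def __init__(self):
        self._by_token, self._by_value = {}, {}

    def tokenize(self, value):
        if value not in self._by_value:  # the same card always maps to the same token
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value], self._by_token[token] = token, value
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]

if __name__ == "__main__":
    vault = TokenVault()
    pseudo, key_table = pseudonymize(RECORDS, "name")
    for rec in pseudo:
        print(rec["name"], vault.tokenize(rec["card"]), mask_value(rec["card"]))
```

Systems that hold only the tokenized or pseudonymized records cannot recover the originals; that ability sits with whoever controls the vault or the key table, which is why those are stored separately.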

Training Users

• User training includes training personnel on security policies and reducing risks by training users on current technologies and threats.
• Computer-based training (CBT) allows students to learn at their own pace.
• Phishing simulations mimic the type of phishing campaigns used by attackers and allow an organization to safely check to see if employees will respond to phishing emails.
• Gamification adds game-design elements into training to increase user participation and interaction.
• Role-based training ensures that personnel receive the training they need based on their roles within the organization.
• Organizations doing business in the European Union (EU) must follow data privacy standards described in the General Data Protection Regulation (GDPR). The GDPR describes responsibilities for several specific roles.
• Data owners are responsible for ensuring adequate security controls are in place to protect the data.
• The data controller determines why and how personal data should be processed.
• The data processor uses and manipulates the data on behalf of the data controller.
• A data custodian/steward is responsible for routine daily tasks such as backing up data.
• The data protection officer acts as an independent advocate for customer data.

Online References

• Do you know how to answer performance-based questions? Check out the online extras at