Foundations of Cybersecurity: Module 3 Part 1

-

Frameworks, Controls And Ethics.


Security Frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy 
Purpose of security frameworks:
  • Protecting PII 
  • Security financial information 
  • Identifying security weaknesses 
  • Managing organizational risks 
  • Aligning security with business goals
Four core components of frameworks:

1. Identifying and documenting security goals (e.g. EU general data protection regulation GDPR: A data protection law established to grant European citizens more control over their personal data.)

2. Setting guidelines to achieve security goals, e.g. when implementing guidelines to achieve GDPR compliance, your organization may need to develop new policies for how to handle data requests from individual users.

3. Implementing strong security processes. In the case of GDPR, a security analyst working for a social media company may help design procedures to ensure the organization complies with verified user data requests. An example of this type of request is when a user attempts to update or delete their profile information.

4. Monitoring and communicating results. As an example, you may monitor your organization's internal network and report a potential security issue affecting GDPR to your manager or regulatory compliance officer.

Asset

An asset is an item perceived as having value to an organization 
And value is determined by the cost associated with the asset in question 
For example, an application that stores sensitive data, such as social security numbers or bank accounts, is a valuable asset to an organization.

CIA Triad

CIA traid is a foundation model that helps inform how organizations consider risk when setting up systems and security policies.

CIA stands for confidentiality, integrity, and availability 

1. Confidentiality means that only authorized users can access specific assets or data. For example, strict access controls that define who should and should not have access to data, must be put in place to ensure confidential data remains safe.
2. Integrity means the data is correct, authentic, and reliable. To maintain integrity, security professionals can use a form of data protection like encryption to safeguard data from being tampered with.
3. Availability means data is accessible to those who are authorized to access it.

NIST Cybersecurity Framework (CSF).


A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk 

Specific controls, frameworks, and compliance

The National Institute of Standards and Technology (NIST) is a U.S.-based agency that develops multiple voluntary compliance frameworks that organizations worldwide can use to help manage risk. The more aligned an organization is with compliance, the lower the risk.

Examples of frameworks include:

The NIST Cybersecurity Framework (CSF) and the NIST Risk Management Framework (RMF). 


Note: Specifications and guidelines can change depending on the type of organization you work for.

In addition to the 

NIST CSF: https://www.nist.gov/cyberframework

and

NIST RMF: https://csrc.nist.gov/projects/risk-management/about-rmf

There are several other controls, frameworks, and compliance standards that it is important for security professionals to be familiar with to help keep organizations and the people they serve safe.

1) The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC): FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. These types of organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC. 

2) The Federal Risk and Authorization Management Program (FedRAMP®): FedRAMP is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers. 

3) Center for Internet Security (CIS®): CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs. 

4) General Data Protection Regulation (GDPR): GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach.

5) Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud. 

6) The Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a U.S. federal law established in 1996 to protect patients' health information. This law prohibits patient information from being shared without their consent. It is governed by three rules: 

1) Privacy
2) Security
3) Breach notification 

Organizations that store patient data have a legal obligation to inform patients of a breach because if patients' Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which is a security framework and assurance program that helps institutions meet HIPAA compliance.

7) International Organization for Standardization (ISO): ISO was created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services. 

8) System and Organizations Controls (SOC type 1, SOC type 2): The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. 

The SOC1 and SOC2 are a series of reports that focus on an organization's user access policies at different organizational levels such as: 

1. Associate 
2. Supervisor 
3. Manager 
4. Executive 
5. Vendor
6. Others

They are used to assess an organization’s financial compliance and levels of risk.

They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.

Pro tip: There are a number of regulations that are frequently revised. You are encouraged to keep up-to-date with changes and explore more frameworks, controls, and compliance. Two suggestions to research: 

A) The Gramm-Leach-Bliley Act 
And 
B) The Sarbanes-Oxley Act.

9) United States Presidential Executive Order 14028, On May 12, 2021, President Joe Biden released an executive order related to improving the nation’s cybersecurity to remediate the increase in threat actor activity.

Remediation efforts are directed toward federal agencies and third parties with ties to U.S. 


For additional information, review the: 


Comments

Post a Comment

Popular posts from this blog

Common Network Commands: Ping

-
Ping Command Overview The `ping` command is a fundamental utility used in network diagnostics. It checks the reachability of a host on an Internet Protocol (IP) network and measures the round-trip time for messages sent from the originating host to a destination computer. The command uses the Internet Control Message Protocol (ICMP) to send echo request packets and listens for echo replies. Origin and Development The `ping` command was developed in 1983 by Mike Muuss as a diagnostic tool for the ARPANET. Since then, it has become a standard utility available on most operating systems, including Linux, Windows, and macOS, making it an essential tool for network administrators and users. Basic Functionality The `ping` command serves several functions: - Tests connectivity to a specified host. - Measures the time taken for packets to travel to the destination and back. - Provides statistics about packet loss and round-trip time. Key Command Syntax 1. Basic Syntax:    ```    ping [options]
Read more

Common Network Commands: Route

-
Route Command Overview The route command is a part of the older net-tools package used in Linux systems for viewing and manipulating the IP routing table. It provides information about how packets are routed through the network and allows for the addition, deletion, and modification of routes. Origin and Development Historically, the route command has been a primary tool for managing network routing in Linux. However, it has largely been replaced by the ip command from the iproute2 package, which offers more advanced features and capabilities. Despite this, route is still commonly used in many Linux distributions for its simplicity and familiarity. Basic Functionality The route command serves several functions: - Displays the current routing table entries. - Shows destination networks, gateways, and associated interfaces. - Allows for the addition, deletion, and modification of routes. Key Command Syntax 1. Display Routing Table:    ```    route -n    ```    The -n option prevents DNS
Read more

John The Ripper

-
John the Ripper  Is one of the most well known, well-loved and versatile hash cracking tools out there. It combines a fast cracking speed, with an extraordinary range of compatible hash types. This room will assume no previous knowledge, so we must first cover some basic terms and concepts before we move into practical hash cracking. A hash is a way of taking a piece of data of any length and  representing it in another form that is a fixed length. This masks the original value of the data. This is done by running the original data through a hashing algorithm. There are many popular hashing algorithms, such as MD4,MD5, SHA1 and NTLM. Lets try and show this with an example: If we take "polo", a string of 4 characters- and run it through an MD5 hashing algorithm, we end up with an output of: b53759f3ce692de7aff1b5779d3964da a standard 32 character MD5 hash. Likewise, if we take "polomints", a string of 9 characters- and run it through the same MD5 hashing algorithm, w
Read more