1.5 Information Security Controls
Information Assurance (IA)
- IA refers to the assurance that the integrity, availability, confidentiality, and authenticity of information and information systems are protected during the usage, processing, storage, and transmission of information.
Some of the processes that help in achieving information assurance include:
- Developing local policy, process, and guidance
- Designing network and user authentication strategy
- Identifying network vulnerabilities and threats
- Identifying problems and resource requirements
- Creating a plan for identified resource requirements
- Applying appropriate information assurance controls
- Performing certification and accreditation
- Providing information assurance training
Information Security Management Program
- A program designed to enable a business to operate in a state of reduced risk.
- It encompasses all organizational and operational processes and participants relevant to information security.
- Information Security Management Framework: It is a combination of well-defined policies, processes, procedures, standards, and guidelines to establish the required level of information security.
Threat Modeling
Threat modeling is a risk assessment approach for analyzing the security of an application by capturing, organizing, and analyzing all the information that affects it.
- Identify Security Objectives: Helps determine how much effort needs to be put into the subsequent steps.
- Application Overview: Identify the components, data flows, and trust boundaries.
- Decompose Application: Helps you find more relevant and more detailed threats.
- Identify Threats: Identify threats relevant to your control scenario and context using the information obtained in steps 2 and 3.
- Identify Vulnerabilities: Identify weaknesses related to the threats found, using vulnerability categories.
3 major building blocks: understanding the adversary's view, characterizing the security of the system, and determining threats (in other words: fully understand the adversary's point of view, characterize the system, and decide on the threat assessment).
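The following is an added example (not part of the original notes) that walks the steps above on a constructed three-tier web application: the application overview and decomposition are the Component and Flow records, and the identify-threats step flags every data flow that crosses a trust boundary, tagging it with the security objectives from the IA definition that it puts at risk. The zone names, trust ordering and flows are all constructed for the example.

```python
"""Added example: a small threat-modeling helper that decomposes a constructed
application into components, data flows and trust boundaries, then lists the
flows that cross a boundary as threat candidates."""
from dataclasses import dataclass

# Constructed trust zones, ordered from least to most trusted.
TRUST = {"internet": 0, "dmz": 1, "production": 2}


@dataclass(frozen=True)
class Component:
    name: str
    zone: str  # key of TRUST


@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    data: str
    encrypted: bool      # protected in transit (e.g. TLS)
    authenticated: bool  # the peer's identity is verified


def crosses_boundary(flow: Flow) -> bool:
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    return flow.src.zone != flow.dst.zone


def objectives_at_risk(flow: Flow) -> list[str]:
    """Return the security objectives a boundary-crossing flow endangers;
    flows that stay inside one zone are not threat candidates in this model."""
    if not crosses_boundary(flow):
        return []
    risks = []
    if not flow.encrypted:
        risks += ["confidentiality", "integrity"]  # readable and modifiable in transit
    if not flow.authenticated:
        risks.append("authenticity")  # the destination cannot tell who is talking
    if TRUST[flow.src.zone] < TRUST[flow.dst.zone]:
        risks.append("availability")  # reachable from a less trusted zone, so it can be flooded
    return risks


def identify_threats(flows: list[Flow]) -> dict[str, list[str]]:
    """Identify Threats step: map each boundary-crossing flow (by data label) to objectives at risk."""
    return {f.data: objectives_at_risk(f) for f in flows if crosses_boundary(f)}


# Constructed application overview: browser -> web server -> database, plus a
# session cache that shares the web server's zone.
browser = Component("browser", "internet")
web = Component("web-server", "dmz")
cache = Component("session-cache", "dmz")
db = Component("customer-db", "production")

FLOWS = [
    Flow(browser, web, "login-credentials", encrypted=True, authenticated=True),
    Flow(web, db, "sql-queries", encrypted=False, authenticated=True),
    Flow(web, cache, "session-tokens", encrypted=False, authenticated=False),
    Flow(db, web, "query-results", encrypted=False, authenticated=False),
]

if __name__ == "__main__":
    for data, risks in identify_threats(FLOWS).items():
        print(f"{data}: {', '.join(risks) or 'none'}")
```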
Enterprise Information Security Architecture (EISA)
- EISA is a set of requirements, processes, principles, and models that determines the structure and behavior of an organization's information systems.
- EISA Goals:
- Helps in monitoring and detecting network behaviors in real time and acting upon internal and external security risks.
- Helps an organization detect and recover from security breaches.
- Helps in prioritizing an organization's resources and paying attention to various threats.
- Benefits the organization from a cost perspective when incorporated into security provisions such as incident response, disaster recovery, event correlation, etc.
- Helps in analyzing the procedures needed for the IT department to function properly and in identifying assets.
- Helps to perform risk assessment of an organization's IT assets with the cooperation of IT staff.
Network Security Zoning
- The network security zoning mechanism allows an organization to manage a secure network environment by selecting the appropriate security level for each zone of the Internet and intranet networks.
- It helps in effectively monitoring and controlling inbound and outbound traffic.
- Examples of Network Security Zones:
- Internet Zone: Uncontrolled zone, as it is outside the boundaries of an organization.
- Internet DMZ: Controlled zone, as it provides a buffer between internal networks and the Internet.
- Production Network Zone: Restricted zone, as it strictly controls direct access from uncontrolled networks.
- Intranet Zone: Controlled zone with no heavy restrictions.
- Management Network Zone: Secured zone with strict policies.
Defense in Depth
- Defense in depth is a security strategy in which several protection layers are placed throughout an information system.
- It helps to prevent direct attacks against an information system and data because a break in one layer only leads the attacker to the next layer.
- Policies, Procedures, and Awareness
- Internal Network
Information Security Policies
- Security policies are the foundation of the security infrastructure.
- An information security policy defines the basic security requirements and rules to be implemented in order to protect and secure an organization's information systems.
- Goals of Security Policies:
- Maintain an outline for the management and administration of network security.
- Protect an organization's computing resources.
- Eliminate legal liabilities arising from employees or third parties.
- Prevent waste of the company's computing resources.
- Prevent unauthorized modifications of the data.
- Reduce risks caused by illegal use of system resources.
- Differentiate the user's access rights.
- Protect confidential, proprietary information from theft, misuse, unauthorized disclosure.
There are two types of security policies: technical security and administrative security policies. Technical security policies describe how to configure the technology for convenient use; administrative security policies address how all persons should behave.
Types of Security Policies (important)
- Promiscuous Policy:
- No restrictions on usage of system resources.
- Permissive Policy (blacklist approach):
- Policy begins wide open and only known dangerous services/attacks or behaviors are blocked.
- It should be updated regularly to be effective.
- Prudent Policy (whitelist approach):
- It provides maximum security while allowing known but necessary dangers.
- It blocks all services and only safe/necessary services are enabled individually; everything is logged.
- Paranoid Policy:
- It forbids everything: no Internet connection, or severely limited Internet usage.
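As an added example (not from the original notes), the toy policy engine below applies the four policy types to constructed connection requests; the blacklist and whitelist contents and the service names are constructed for the example. It shows the practical difference between the permissive and prudent policies: a service that nobody has classified yet passes the permissive blacklist but is denied, and logged, by the prudent whitelist.

```python
"""Added example: the four security policy types as a decision function over
constructed service requests, with the prudent policy logging every decision."""
from dataclasses import dataclass, field

POLICIES = ("promiscuous", "permissive", "prudent", "paranoid")

# Constructed classification lists. The blacklist is only as good as its last
# update, which is why a permissive policy has to be refreshed regularly.
KNOWN_DANGEROUS = {"telnet", "tftp", "smbv1"}
NECESSARY = {"https", "dns", "ssh"}


@dataclass
class PolicyEngine:
    policy: str
    log: list[str] = field(default_factory=list)

    def decide(self, service: str) -> bool:
        """Return True when a request for `service` is allowed under this policy."""
        if self.policy == "promiscuous":
            allowed = True  # no restrictions on usage of resources
        elif self.policy == "permissive":
            allowed = service not in KNOWN_DANGEROUS  # open by default, block known bad
        elif self.policy == "prudent":
            allowed = service in NECESSARY  # closed by default, enable per service
            self.log.append(f"{service}: {'allow' if allowed else 'deny'}")  # everything is logged
        elif self.policy == "paranoid":
            allowed = False  # forbids everything
        else:
            raise ValueError(f"unknown policy: {self.policy!r}")
        return allowed


def compare(services: list[str]) -> dict[str, list[bool]]:
    """Run the same requests through every policy type."""
    return {p: [PolicyEngine(p).decide(s) for s in services] for p in POLICIES}


def prudent_log(services: list[str]) -> list[str]:
    """The audit trail a prudent policy produces for the same requests."""
    engine = PolicyEngine("prudent")
    for s in services:
        engine.decide(s)
    return engine.log


# Constructed requests: one approved service, one known-bad service, and one
# brand-new service that is on neither list yet.
REQUESTS = ["https", "telnet", "new-rpc-service"]

if __name__ == "__main__":
    for policy, verdicts in compare(REQUESTS).items():
        print(f"{policy:12s}", dict(zip(REQUESTS, verdicts)))
    print("prudent log:", prudent_log(REQUESTS))
```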
Example of Security Policies
- Access Control Policy: It defines the resources being protected and the rules that control access to them.
- Remote-Access Policy: It defines who can have remote access, and defines access medium and remote access security controls.
- Firewall-Management Policy: It defines access, management, and monitoring of firewalls in the organization.
- Network-Connection Policy: It defines who can install new resources on the network, approve the installation of new devices, document network changes, etc.
- Password Policy: It provides guidelines for using strong password protection on organization's resources.
- User-Account Policy: It defines the account creation process, and authority, rights and responsibilities of user accounts.
- Information-Protection Policy: It defines the sensitivity levels of information, who may have access, how it is stored and transmitted, and how it should be deleted from storage media.
- Special-Access Policy: This policy defines the terms and conditions of granting special access to system resources.
- Email Security Policy: It is created to govern the proper usage of corporate email.
- Acceptable-Use Policy: It defines the acceptable use of system resources.
Privacy Policies at Workplace
- Employers will have access to employees' personal information that may be confidential and that they wish to keep private.
- Basic Rules for Privacy Policies at Workplace:
- Tell employees what you collect, why, and what you will do with it.
- Limit the collection of information and collect it by fair and lawful means.
- Inform employees about the potential collection, use, and disclosure of personal information.
- Keep employees' personal information accurate, complete, and up-to-date.
- Provide employees access to their personal information.
- Keep employees' personal information secure.
Note: Employees' privacy rules at the workplace may differ from country to country.
Steps to Create and Implement Security Policies
- Perform risk assessment to identify risks to the organization's assets.
- Learn from standard guidelines and other organizations.
- Include senior management and all other staff in policy development.
- Set clear penalties and enforce them.
- Make final version available to all of the staff in the organization.
- Ensure every member of your staff reads, signs, and understands the policy.
- Deploy tools to enforce policies.
- Train your employees and educate them about the policy.
- Regularly review and update.
P.S.: The security policy development team in an organization generally consists of the Information Security Team (IST), Technical Writer(s), Technical Personnel, Legal Counsel, Human Resources, the Audit and Compliance Team, and User Groups.
HR/Legal Implications of Security Policy Enforcement
- HR implications of Security Policy Enforcement:
- The HR department is responsible for making employees aware of security policies and training them in the best practices defined in the policy.
- The HR department works with management to monitor policy implementation and address any policy violation issues.
- Legal implications of Security Policy Enforcement:
- Enterprise information policies should be developed in consultation with legal experts and must comply with relevant local laws.
- Enforcement of a security policy that violates users' rights in contravention of local laws may result in lawsuits against the organization.
Physical Security
- Physical security is the first layer of protection in any organization.
- It involves the protection of organizational assets from environmental and man-made threats.
- Why Physical Security?
- To prevent any unauthorized access to the systems resources.
- To prevent tampering/stealing of data from the computer systems.
- To safeguard against espionage, sabotage, damage, or theft.
- To protect personnel and prevent social engineering attacks.
- Physical Security Threats:
- Natural/Environmental threats:
- Fire and Smoke
- Man-made threats:
- Random killings
- Dumpster diving and theft
Physical Security Controls
- Premises and company surroundings: Fences, gates, walls, guards, alarms, CCTV cameras, intruder systems, panic buttons, burglar alarms, windows and door bars, deadlocks, etc.
- Reception area:
- Lock the important files and documents.
- Lock equipment when not in use.
- Server and workstation area: Lock the systems when not in use, disable or avoid having removable media and DVD-ROM drives, CCTV cameras, workstation layout design.
- Other equipment such as fax, modem, and removable media: Lock fax machines when not in use, file the faxes received properly, disable auto-answer mode for modems, do not leave removable media in public places, and physically destroy corrupted removable media.
- Access control: Separate work areas, implement biometric access controls (fingerprinting, retinal scanning, iris scanning, vein structure recognition, voice recognition), entry cards, man traps, faculty sign-in procedures, identification badges, etc.
- Computer equipment maintenance: Appoint a person to look after the computer equipment maintenance.
- Wiretapping: Inspect all the wires carrying data routinely, protect the wires using shielded cables, never leave any wire exposed.
- Environmental control: Humidity and air conditioning, HVAC, fire suppression, EMI shielding, and hot and cold aisles.
Incident Management
- Incident management is a set of defined processes to identify, analyze, prioritize, and resolve security incidents in order to restore normal service operations as quickly as possible and prevent future recurrence of the incident.
- Incident Management:
- Vulnerability Handling
- Artifact Handling
- Incident Handling:
- Incident Response
- Reporting and Detection
- Other Incident Management Services
Incident Management Process (important; note the order)
- Preparation for Incident Handling and Response
- Detection and Analysis
- Classification and Prioritization
- Containment (isolating the incident)
- Forensic Investigation
- Eradication and Recovery (removing the cause and restoring service)
- Post-incident Activities
- Incident management is the process of logging, recording, and resolving incidents that take place in an organization.
- Objective: To restore the service to a normal state as quickly as possible for customers, while maintaining availability and quality of service.
Responsibilities of an Incident Response Team
- Managing security issues by taking a proactive approach towards the customers' security vulnerabilities and by responding effectively to potential information security incidents.
- Developing or reviewing the processes and procedures that must be followed in response to an incident.
- Managing the response to an incident and ensuring that all procedures are followed correctly in order to minimize and control the damage.
- Identifying and analyzing what has happened during an incident, including the impact and threat.
- Providing a single point of contact for reporting security incidents and issues.
- Reviewing changes in legal and regulatory requirements to ensure that all processes and procedures are valid.
- Reviewing existing controls and recommending steps and technologies to prevent future security incidents.
- Establishing relationships with local law enforcement agencies, government agencies, key partners, and suppliers.
What is Vulnerability Assessment?
- Vulnerability Assessment is an examination of the ability of a system or application, including current security procedures and controls, to withstand assault.
- It recognizes, measures, and classifies security vulnerabilities in a computer system, network, and communication channels.
- A vulnerability assessment may be used to:
- Identify weaknesses that could be exploited.
- Predict the effectiveness of additional security measures in protecting information resources from attack.
- Security bugs: only known, public ones (a scan cannot find zero-days).
Types of Vulnerability Assessment
- Active Assessment: Uses a network scanner to find hosts, services, and vulnerabilities.
- Passive Assessment: A technique used to sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present.
- Host-based Assessment: Determines the vulnerabilities in a specific workstation or server.
- Internal Assessment: A technique to scan the internal infrastructure to find out the exploits and vulnerabilities.
- External Assessment: Assesses the network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world.
- Application Assessment: Tests the web infrastructure for any misconfiguration and known vulnerabilities.
- Network Assessment: Determines the possible network security attacks that may occur on the organization's system.
- Wireless Network Assessment: Determines the vulnerabilities in organization's wireless networks.
Network Vulnerability Assessment Methodology
- Phase 1: Acquisition
- Collect documents required to:
- Review laws and procedures related to network vulnerability assessment.
- Identify and review document related to network security.
- Review the list of previously discovered vulnerabilities.
- Phase 2: Identification
- Conduct interviews with customers and employees involved in system architecture design and administration.
- Gather technical information about all network components.
- Identify the industry standards with which the network security system complies.
- Phase 3: Analyzing
- Review interviews.
- Analyze the results of previous vulnerability assessment.
- Analyze security vulnerabilities and identify risks.
- Perform threat and risk analysis.
- Analyze the effectiveness of existing security controls.
- Analyze the effectiveness of existing security policies.
- Phase 4: Evaluation
- Determine the probability of exploitation of identified vulnerabilities.
- Identify the gaps between existing and required security measures.
- Determine the controls required to mitigate the identified vulnerabilities.
- Identify upgrades required to the network vulnerability assessment process.
- Phase 5: Generating Reports
- The result of analysis must be presented in a draft report to be evaluated for further variations.
- Report should contain:
- Tasks rendered by each team member.
- Methods used and findings.
- General and specific recommendations.
- Terms used and their definitions.
- Information collected from all the phases.
- All documents must be stored in a central database for generating the final report.
Vulnerability Research
- The process of discovering vulnerabilities and design flaws that will open an operating system and its applications to attack or misuse.
- Vulnerabilities are classified based on severity level (low, medium, or high) and exploit range (local or remote).
- An administrator needs vulnerability research:
- To gather information about security trends, threats, and attacks.
- To find weaknesses, and alert the network administrator before a network attack.
- To get information that helps to prevent the security problems.
- To know how to recover from a network attack.
Severity -> Response Time: vulnerabilities at different risk levels have different response and remediation times.
Vulnerability Research Websites
Penetration Testing
- Penetration testing is a method of evaluating the security of an information system or network by simulating an attack to find vulnerabilities that an attacker could exploit.
- Security measures are actively analyzed for design weaknesses, technical flaws and vulnerabilities.
- A penetration test will not only point out vulnerabilities, but will also document how the weaknesses can be exploited.
- The results are delivered comprehensively in a report, to executive management and technical audiences.
Why Penetration Testing
- Identify the threats facing an organization's information assets.
- Reduce an organization's expenditure on IT security and enhance Return On Security Investment (ROSI) by identifying and remediating vulnerabilities or weaknesses.
- Provide assurance with comprehensive assessment of organization's security including policy, procedure, design, and implementation.
- Gain and maintain certification to an industry regulation (BS7799, HIPAA, etc.).
- Adopt best practices in compliance with legal and industry regulations.
- For testing and validating the efficiency of security protections and controls.
- For changing or upgrading existing infrastructure of software, hardware, or network design.
- Focus on high-severity vulnerabilities and emphasize application-level security issues to development teams and management.
- Provide a comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation.
- Evaluate the efficiency of network security devices such as firewalls, routers, and web servers.
Comparing Security Audit, Vulnerability Assessment, and Penetration Testing
- Security Audit: A security audit just checks whether the organization is following set of standard security policies and procedures.
- Vulnerability Assessment: A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication of whether the vulnerabilities can be exploited or of the amount of damage that may result from the successful exploitation of the vulnerability.
- Penetration Testing: Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates whether the vulnerabilities in a system can be successfully exploited by attackers.
A security audit reviews whether the enterprise is following its security policies and procedures.
Penetration testing includes the security audit and VA, and can verify whether a vulnerability can actually be exploited by an attacker.
Blue Teaming/Red Teaming (important)
- Blue Teaming (defenders):
- An approach where a set of security responders performs analysis of an information system to assess the adequacy and efficiency of its security controls.
- Blue team has access to all the organizational resources and information.
- Primary role is to detect and mitigate red team (attackers) activities, and to anticipate how surprise attacks might occur.
- Red Teaming (attackers):
- An approach where a team of ethical hackers performs penetration test on an information system with no or a very limited access to the organization's internal resources.
- It may be conducted with or without warning.
- It is intended to detect network and system vulnerabilities and to check security from an attacker's perspective on network, system, or information access.
Types of Penetration Testing
- Black-box: No prior knowledge of the infrastructure to be tested:
- Blind Testing (the tester attacks the target with no prior knowledge of it)
- Double Blind Testing (the tester attacks the target blind, and the target also does not know it will be tested)
- White-box: Complete knowledge of the infrastructure that needs to be tested.
- Grey-box: Limited knowledge of the infrastructure that needs to be tested.
There are two ways to perform the above penetration tests:
- Announced Testing
- Unannounced Testing
Phases of Penetration Testing (important)
- Pre-Attack Phase:
- Planning and preparation
- Methodology designing (these two items make up the RoE (Rules of Engagement)/RoB (Rules of Behavior))
- Network information gathering
- Attack Phase:
- Penetrating perimeter
- Acquiring target
- Escalating privileges
- Execution, implantation, retracting
- Post-Attack Phase:
- Artifact destruction
Security Testing Methodology
- A security testing or pen testing methodology refers to a methodological approach to discover and verify vulnerabilities in the security mechanisms of an information system; thus enabling administrators to apply appropriate security controls to protect critical data and business functions.
- Examples Security Testing Methodologies:
- OWASP: The Open Web Application Security Project (OWASP) is an open-source application security project that assists organizations in purchasing, developing, and maintaining software tools, software applications, and knowledge-based documentation for Web application security.
- OSSTMM: Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing high quality security tests such as methodology tests, data controls, fraud and social engineering control levels, computer networks, wireless devices, mobile devices, physical security access controls and various security processes.
- ISSAF: The Information Systems Security Assessment Framework (ISSAF) is an open source project aimed at providing security assistance for professionals. The mission of ISSAF is to "research, develop, publish, and promote a complete and practical generally accepted information systems security assessment framework."
- EC-Council LPT Methodology: The LPT Methodology is an industry-accepted, comprehensive information system security auditing framework.