SECURITY 101

General Security Concepts

  • The CIA triad: Confidentiality, Integrity, and Availability
  • The OSI model (layers): Application – Presentation – Session – Transport – Network – Data Link – Physical
  • The three main elements of security organization: People, Process, Technology
  • Control types: Physical, Technical, Administrative
  • Control services: Preventative, Detective, Corrective
  • Administrative documents: Policies, Standards, Procedures/Processes, Baselines, & Guidelines
  • Ruling concept: Defense in depth, layered security. No one control can do the job
  • PDCA: Plan – Do – Check – Act
  • Segregation of duties: Avoid having one individual responsible for multiple tasks that can undermine security
  • Asset valuation: Each asset must be identified and assigned a value
  • Least privilege and need to know: The default should be no access; grant only what is needed to perform the job
  • OWASP Top 10 Vulnerabilities
  • SANS Top 20 Critical Security Controls

Key Terms and Definitions

  • Threat: Natural (such as fires, floods, and tornadoes) or manmade (such as viruses, hackers, and terrorism)
  • Vulnerability: A weakness or absence of a control
  • Likelihood or Probability: How likely is it that a threat can exploit a vulnerability (ex. Remote, Likely, Frequent, Imminent)
  • Risk: The product of likelihood and magnitude of impact resulting from a threat exploiting a vulnerability (ex. Low, Medium, High, Critical)
  • Impact: Financial or Reputation (ex. Minor, Significant, Serious)
  • Due care: The degree of care which is expected from a reasonable person under the circumstances
  • Due diligence: Adherence to the applicable legal and other requirements
  • Information assets: A definable piece of information, stored in any manner, which is recognised as ‘valuable’ to the organisation

Business and Management

  • GRC (Governance, Risk, and Compliance)
  • Roles & Responsibilities (Owner, Custodian, End User)
  • Laws, regulations, and ethics
  • Managing Business Risk (vendor risk, incident management, fraud detection and investigations)
  • Data Classification Matrix covering company, customers, partners, employees, vendors, and regulators
  • Industry standards and frameworks (STIGS, CIS, SANS, UCF, ISO, NIST, COBIT)
  • Security management planning (business drivers, model and understand, technology infrastructure, identify major threats, create implementation strategy)
  • Risk management (exceptions) and considerations such as reputational, monetary, and legal/regulatory impact; quantitative vs qualitative; assessment, strategy, implementation, testing, monitoring, and updates; balancing cost and security
  • Risk management options (Mitigate, Accept, Transfer, and Avoid – Consequences of Reject or Ignore)
  • Risk assessment (SP 800-30)
  • Incident management and response
  • HR security (before hiring, during, and after)
  • Software licenses: open source vs proprietary

Technical

  • Operational Security (incident response, forensics and investigations, IPS/IDS, compliance monitoring, end point security, vulnerability assessment and management, intelligence gathering and analysis, security scans and penetration tests)
  • Encryption (strength, algorithm, key management)
  • Application Development security (input/output/processing validation, central management and control, change management and control, standards, reinforcing weakest links, defense in depth, secure failure, least privilege, RBAC/MAC)
  • Code Review (OWASP, SLACP)
  • Network Security Zones (DMZ, Internal, Partner, Management, etc.)
  • Tiers (Network, Operating Systems, Middleware, Databases, Supporting Tools)
  • Hacking techniques (reconnaissance, enumeration, exploitation, post-exploit, etc.)
  • Security Architecture (Fundamentals: strategies, policies, data classification, trust model, risk management) (Components: Access Controls and Identity Management, Cryptography, Operations Security, Perimeter Security)
  • Identification, Authentication, and Authorization

Information Security Essentials

  • Inventory all assets (physical, IP, technical, people, skills)
  • Develop a classification matrix that takes into account asset value and sensitivity
  • Develop labeling & handling controls for each classification (take into account control type and service)
  • Assign ownership for each asset
  • Classify each asset according to the classification matrix (owner task)
  • Implement the labeling and handling controls (enforce when possible)
  • Monitor compliance, analyze trends, and refine controls as necessary

What are the administrative, technical, and physical controls that are typically present in a network environment?

  • Policies, standards, baselines, and guidelines
  • Domain Name Services
  • DHCP and Static IP
  • VPN/Remote access
  • Authentication and authorization
  • Directory services, Identification
  • Patch management and vulnerability scans
  • File and print services
  • Encryption in transit and at rest, and key management
  • Secure file transfers and storage
  • End point protection (anti virus/malware)
  • Intrusion detection and prevention (NIDS/HIDS/WIDS)
  • Firewalls, application gateways, proxies
  • Defense in depth, layers
  • Logging, monitoring, and alerting
  • Compliance Checks
  • Email and Communications (VoIP, IM, Social, Conferencing, Fax)
  • Web servers, application servers, reporting servers, and database servers
  • Extract, Transform, Load (ETL) – Business Intelligence (BI) – Online Analytical Processing (OLAP)
  • Enterprise programs (change management and control, vendor, BCP/Incident response, Regulatory, Audit, Compliance, Project Management)
  • Supply chain and contracts
  • Training & Awareness
  • Security consulting services (architecture, risk assessments)
  • Data Classification Matrix
  • Cameras, security guards, turnstiles, gated entries, electronic badges
  • HVAC, backup batteries, power generators, diverse power inputs

THIS PAGE IS ALWAYS A WORK IN PROGRESS, PLEASE LEAVE A REPLY IF YOU HAVE ANY FEEDBACK OR COMMENTS
