Mitigation of threats and attacks
COSO framework and its relationship with cyber risks and controls
Enterprise risk management of COSO 2017: used as a reference for organization to assess risk and develop strategies around risk and business performance
•objective:
operational objectives (set of performance measures and safeguards that can help increase the likelihood that an organizations IT assets are protected against cybersecurity threats and frauds. Focuses on the effectiveness and efficiency of business operations
reporting objectives: must be done in F.A.C.T= fairly, accurately, completely, and timely. And so it does not affect internal and external financial and nonfinancial reporting. Also should be transparent, reliable, trustworth
Compliance objective: hits compolience
•Tone at the top: CRIME, control environment, Risk assessment, information and communication (Like mandatory training) , monitoring (phishing emails), and existing control activities
•Where it is implemented: entity level, division, operating unit, and function
Security policies, standards, and procedures: to enhance cybersecurity defenses and enhance IT infrastructure resiliency, security rules must be carefully coupled with technology at multiple levels of an organization.
All can be reviewed by SOC 2 engagements:
•Top level overview of : security needs and strategic plan for what should be implemented
•Then set of standards that organizations use as a benchmark to accomplish the goal defined by security policies
•Then the standard operating procedures that are typicallly detailed document that specifically outline how to perform business processes
Security policies: foundation of an organizations security framework, which serves as a comprehensive guide for its implementation. outlines extent to which security measures are applied to various company resources providing clear terms, definitive roles and responsibilities, and acceptable levels of risk. They will provide evidence of due care.
•can be domain specific that help partition different organization focus points. Can be between user policies, regulatory policies, Data classification, and system based policies.
organizations often create acceptable use policies to govern these domains and carry out security policies
AUD/acceptable use policies: a control document that is created by an organization to regulate and protect tech resources by assigning levels of responsibilities, listing acceptable behaviors, and specifying consequences of those who violate the AUP. Common to have users to sign before granting access.
Mobile devices security policies: should have proper AUP , which is considered a subset of a company wide AUP. Recommended to have stipulate password protection, multi factor authentication, encryption, web browsing rules, parameter for connecting to networks.
Bring your own device (BYOD) policies: a common mobile device policy is a bring your own device policy, which allows employees to use their personally owned devices for work related activities and for connecting to a company's network.
•Should have AUP.
•should monitor and enforce actions on personal devices with a balance of privacy.
•Gen. Company data belong to company
•BYOD should stipulate who is personally liable, ie personal device personal liability.
Security Standard: either mandated by laws or derived from industry standards. A guideline for best practices. Next level security rules beneath policies that serve as a course of action to achieve objectives.
•National Institure of standards and. Technology
•Privacy laws like the general data protection regulation
•Industry standards like the payment card industry data security standards issued by PCI security standards council
Security Standard Operating procudedures: lowest level of documentations that provide detailed instruction on how to perform specific tasks or controls.
•don't have it all inn one document
break down to separate departments and its their responsibility to update
•usually involves a combo of system, software, and physical action so that goals are standard and achieved
Network protection method
network component: a network is a system of physical and virtual devices that are connected using wired cables or wireless tech that communicate using a mixtures of diff protocols so users can send, receive, and store data..
•protocols are sets of rules that govern how a device communicate with other devices in a network
Access Point: a wireless connection point for users to directly connect to a wired network using wireless-enabled devices.
bridges: a bridge connects separate networks that use the same protocol, even if those networks have different topologies or transmission speed. Operate at the data link layer of a network.
Gateway: connect multiple networks that use different protocols translate one protocol to another so that the two networks can interact. Can operate in all layers of a network but frequently operate in the application layer.
Computer: desktop and laptop computers are user end point devices that are the primary means of user interaction with a network.
Hubs: connection points that link multiple systems and devices using the same protocol within a single network. Receive data packets and forward them to all other devices.
Switches: similar to hub but instead of broadcasting received signals to every other networked devices, switches only route traffic to target destination, connecting various devices within a network for most modern organizations. (More robust then hubs)
Routers: devices that control data flow on a network using the same protocol by receiving incoming data packets and forwarding those to the correct destination based on IP addresses.
Mobile Phones and tablets:
Modems: devices that modulate between a digital information and an analog signal to support networks. Ie connect computers to internet.
Proxies: form of gateway that does not translate protocol but rather acts as a mediator that performs functions on behalf of another network using the same protocol instea of just connecting the networks
serversL devices that support computers and networks by performing different core functions such as running applications with application servers, or storing data using a database server
Singal modifiers: devices such as amplifier or reapater receive signals and then modify them by increasing the signal strength. Usually electrical, radio frequency, audio, or optical.
Network security methods available to companies that focus specifically on network security to defend against cyber attacks:
Network segmentation or isolation: Control network traffic so that it is inaccessible or separated from outside communication or other segments within an organizations own network
Firewall: physical or software that filter and monitor incoming and outgoing traffic to a public network to block malicious activities from attackers
Service set identifiers: the name assigned to a wireless network, if they don't know it they can't connect
Virtual private network: a virtual network uilt on top of existing physical networks that provides a means of secure communication using encryption protocols such as tunneling or internet protocol security. Process in which data or packet in one protocol are encrypted in another
uses cryptography to encrypt communication, provide access control, authenticate using IP protocol.
•IPsec: uses cryptography to encrypt communication, provide access control, and authenticate using IP protocol.
WiFi protection access: latest security protocol that cencrypts wireless internet connection between routers, switches, and mobile devices (not anything once its outside the wireless access point)
Endpoint security: notion that every device, also called hosts, connect to a network should have some form of local security that is separate from any other security measure in place on the network or communication channel. The following safeguard are examples of endpoint security that should be implemented: antivirus and malware screening software, auditing software.
system hardening: a multipronged comprehensive security approach that reduces risk by minimizing the number of access points/attack vendors through which a company can be attacked. Examples: database hardening, endpoint hardening.
media access control filtering: addresses are unique identifies found on devices in a network that are used as an address for communicating with other devices on that networks. Filters access point access to unauthorized devices using a list of approved MAC addresses.
SOC 2: service auditors may consider a. Company organizations control related to a network component in a scenario where the organization permits remote access by authorized employees only with multifactor authentication over an encrypted virtual private network connection.
Service auditors would observe a remote login session to determine that multifactor authentication over the virtual private network was required to access the network
Authorization and Authentication:
Cybersecurity practices: zero trust, least privileges, need to know principles, whitelisting.
zero trust: shifting focus away from one time authentication to continuous validation at every point of a users interaction with a network. National institute standards and technology implemented. All resources are considered even if it isn't yours.
•designed to prevent data breaches and limit internal lateral movement by implementing a set f system design principles and coordinate cyber security and system management strategy based on acknowledgment that threats exist both inside and outside traditional network bounties.
•eliminates implicit trust, instead continuous verification.
Least privileges:
need to know
Whitelisting: process of identifying a list of applications that are authorized to run on an orgnaizations systems and only allowing those programs to execute. Blacklisting is opposite.
Identifications and authentication techniques:
Identification: process of claiming or asserting ones identify through means such as a username or identification card.
authentication: validating like SSN or drivers license or passport
examples of form of id and authentication: username and password.
Authentication technology:
context aware authentication: used to identify mobile devices users by using contextual datapoints such as time, geo location, point of access
digital signature: electronic stamp of authentication through cryptography
single sign on: secure hand offs from one app to another app
multifactor authentication: uses two or more factors to validate some ones identify
personal identification number: numeric code that a cardholder memorizes and uses as a part of authentication their identify.
smart card: plastic cards containing a microprocessor that enables the holder to process the data or act as a certificate that can be used to purchase goods or services. Ie card or code
Token: devices that generate fixed digit password that are carried with users as a form of multifactor or secondary mechanism. Synchronous or asynchronous. Ie 7 digit code with 30 sec time limit (syncronys code preferred),
Biometrics: finger, eye, face.
Passwords: should be strong since its the most common form of authentication. Letters, numbers, special letters.
weakness: reuse passwords, share passwords, easy passwords, not changing password, avoid writing them down, short passwords, saving passwords in a database.
best: NIST recommends 8 character but most company's recommend 12. Should be stored in a password hashing program which converts it into illegible text.
Provisions: process in identify management when an organization creates a user account and provision it with privileges based on their job role. Automated yet protected process but it is critical in creating a valid identification. Part of onboarding process but no rights given until after.
SOC2: service auditors may inspect access request form for a sample for new employees during a period which received access in scope system components.
Device authentication not good but goodwith mulitfactor.
Definition and purpose of vulnerability management
Vulnerability management: the proactive security practice designed to prevent the exploitation of IT vulnerabilities that could potentially harm a system or organization.
•Identify, classify, mitigates, and fixes.
•An integral part of computer and network security and IT risk management.
•helps meet objectives that result in new vulnerabilities
How to:
•Way to identify vulnerability: vulnerability scans (in house or out of house)
tools such as vulnerability assessments and vulnerability scanners
Vulnerability assessment: done as part of a initial risk analysis, it gives an assessment and then continue to do it quarterly or annually after that.
Vulnerability scanners: check results against a database of known threats, and the database of known threats is periodically updated. Sophisticated hackers can use it to identify weakness and exploit it, or attack the moment the update occurs.
NIST cybersecurity framework: identify, protect, detect, respond, recover.
•mitigate
Common vulnerabilities and exposure dictionary: a database of security vulnerabilities that provides unique identifiers for different vulnerabilities and risk exposures. As more are found they are added by MITRE who organize and maintain dictionary. Standards recognition and naming.
"CVE compatible"
patch management: works in conjunction with vulnerability management system. Usually IT admin job, but application might send patches which should be recorded in a change management log. IT admins test, deploy, and validate.
SOC 2 engagements: patch management process is inspected by service auditors
Layered security in cyberdefense: to protect organization by using a diversified set of security tactics so that a single cyberattack or security vulnerability does not compromise an entire system. Provides redundancy and diversification to help with multi attacks and counter attacks.
Redundancy can be administrated through:
•layering process: adds redundancy by breaking up operating into smaller checks by managing by different people or tech
•isolating process: goes with layering process in how it isolates different processes when layering
•Abstraction data: hiding complexity of certain tasks so that only relevant info to a specific person performing a function is presented. Simplify complex tasks, by limiting user access to only a given level of detail needed to perform the job.
concealing data: similar to abstraction but primary focus is on hiding the data.
•segmenting hardware: archives the same goal as process isolation but instead of logically (electronically) its done physically.
Types of layered security:
Defense in depth: focuses on multilayered security approach that does not rely on technology alone but rather it combines personnel, policies, tech, as well as physical and logical access controls (like login identify credentials)
Common preventive, detective, or corrective control
Well-designed cybersecurity controls include policies, procedures, and technology that mitigate threats at all points of discover and stages of counterattacs
types:
•preventative controls: prevent before it happens.
safeguarding practices: strong preventive software and hardware controls coupled with policies
like strong passwords, multi factor authentication, performing background checks and locking devices
Education and training: informing employees about cyber security risk and the corporate tools in place to mitigate those risks serves as a preventive control that complements technical safeguards that have been deployed.
Regular security update: broad and comprehensive security enhancements should occur regularly in order for an organizations physical and logical security measures to be protected against the latest cybersecurity threats.
encryption: scrambling data at rest and in transit
Firewalls: set of predefined rules so only trusted parties can come through
patches: update or modification to an existing software program that is typically released by an applications creator and serves as a preventive and corrective control
physical barriers: deters and prevents unauthorized physical access
device and software hardening: implementing security tools so that the totality of vulnerable points or the surfaces that can be attacked are reduced.
Intrusion Prevention systems: intended to detect and stop a cyberattack before it reaches the targeted system. By receiving a direct feed of traffic so that all data coming into a network passes through the IPS, similar to firewalls.
access controls:
discretionary access controls: decentralized allowing data owners to set access to the data they own.
Mandatory access control: IT admin centrally managed controls based on a general set of rules to govern an entire system.
role based access controls: administer access based on job roles
rule based access controls: admins give predetermined set of rules independent of role or permission.
1. Access rules created by system admin
2. Integrated throughout the access control system
3. A user presents their access credentials
4. The control mechanism checks their credentials against the access rules
5. Grants or denies access
policy based access controls: uses a combo of roles and rules to maintain and evaluate users access dynamically. More flexible and subjective, better for growing organization.
risk adaptive access controls: applies controls based on the risk level of asset being accessed, identity of the user, intention of accessing the asset and the security risk that exists between the user or asset being accessed. Comes down to high risk v low risk. High risk means more stick, low risk may only require a password.
Access Control Lists: a list of rules that outlines which users has permission to access certain resources. Admin sets it up to decide who has restrictions and actions. Generally don't have ability to recognize where a data packers came from unless they are "stateful" ACLs.
File system ACL: more focused ACL.
Networking system ACL: more broad like a firewall. Controls access but also improves network performance by restricting or channeling the flow of data.
•detective controls: designed to detect a threat event while it is occurring and provide an assistance during investigations after it occured
Network Intrusion Detection System: a security solution that monitors incoming traffic on all devices on a network by matching specific elements of that traffic to a library of known attacks and sending system alerts when events meeting predefined criteria are detected.
Antivirus software monitoring
Packet sniffers: analyze data packets being transmitted
Network Performance monitoring tools: measure network statistic such as packet loss, system uptime, and avaliability
Simple Network Performance monitoring
Log Analysis:Performing a log analysis involving the recording and monitoring of a data to analyze it so that anomalies, trends, or patterns can be detected that may indicate that unauthorized events have occurred. Can be manual or automated process.
Intrusion detection system: scans environment to monitor and analyze network or system events for the purpose of finding and providing real time or near real time warning of attempts to access system resources in unauthorized manner. Only detects after it has started.
SOC 2: will inspect intrusion detection system monitoring, and detecting.
•corrective controls
Upgrades and patches: update or modification to an existing software program that is typically released by an applications creator and serves as a preventive and corrective control
Reconfiguration: modifying a application or system configuration to rectify known vulnerabilities can restore affected operations and prevent further damages
Revising policies and procedures
Updating employee training
recovery and continuity plans
antivirus software removal of malicious viruses
virus quarantining
SOC 2 guidance: has authorization definition as the process of granting access privileges to a user, program, or process by a person who has authority to grant such access.