Security Operations

Hardening is the process of applying secure configurations

In order to protect the data properly, you need to know all the relevant requirements for the type of data being protected in the various geographic areas

Data Handling Practices:

1. Classification

   1. classifications dictate rules and restrictions about how that information can be used, stored or shared with others.

   2. potential impact or loss to the organization needs to be assessed

   3. the process of recognizing the organizational impacts if the information suffers any security compromises related to its characteristics of confidentiality, integrity and availability

2. Labeling

   1. assigning a level of sensitivity to a data asset

   2. Highly restricted:

      1. Compromise of data with this sensitivity label could possibly put the organization’s future existence at risk. Compromise could lead to substantial loss of life, injury or property damage, and the litigation and claims that would follow.

   3. Moderately restricted:

      1. Compromise of data with this sensitivity label could lead to loss of temporary competitive advantage, loss of revenue or disruption of planned investments or activities.

   4. Low sensitivity (sometimes called “internal use only”):

      1. Compromise of data with this sensitivity label could cause minor disruptions, delays or impacts.

   5. Unrestricted public data:

      1. As this data is already published, no harm can come from further dissemination or disclosure.

3. Retention

   1. Information and data should be kept only for as long as it is beneficial, no more and no less.

   2. Records retention policies indicate how long an organization is required to maintain information and assets.

4. Destruction

   1. Data that might be left on media after deleting is known as remanence and may be a significant security concern.

   2. Clearing the device or system

   3. Purging the device or system

   4. Physical destruction of the device

Log reviews are an essential function not only for security assessment and testing but also for identifying security incidents, policy violations, fraudulent activities and operational problems near the time of occurrence.

Ingress monitoring refers to surveillance and assessment of all inbound communications traffic and access attempts

Devices and tools that offer logging and alerting opportunities for ingress monitoring include:

• Firewalls

• Gateways

• Remote authentication servers

• IDS/IPS tools

• SIEM solutions

• Anti-malware solutions

DLP data leak protection solution should be deployed so that it can inspect all forms of data leaving the organization, including:

• Email (content and attachments)

• Copy to portable media

• File Transfer Protocol (FTP)

• Posting to web pages/websites

• Applications/application programming interfaces (APIs)

Configuration management is a process and discipline used to ensure that the only changes made to a system are those that have been authorized and validated.

Making an inventory, catalog or registry of all the information assets that the organization is aware of (whether they already exist, or there’s a wish list or need to create or acquire them) is the first step

The baseline is a total inventory of all the system’s components, hardware, software, data, administrative controls, documentation and user instructions.

Repairs, maintenance actions and updates are frequently required on almost all levels of systems elements, from the basic infrastructure of the IT architecture on up through operating systems, applications platforms, networks and user interfaces.

Patch management mostly applies to software and hardware devices that are subject to regular modification

A patch is an update, upgrade or modification to a system or component

You have to make sure you have a robust change management process and make sure you test in model environments before you make any change in a production or live environment

You must make sure there is a rollback plan that is restoring the system to the state it was in before the change was made

Data Handling Policy - defines whether data is for use within the company, is restricted for use by only certain roles or can be made public to anyone outside the organization.

Every organization should have a password policy in place that defines expectations of systems and users. The password policy should describe senior leadership's commitment to ensuring secure access to data, outline any standards that the organization has selected for password formulation, and identify who is designated to enforce and validate the policy.

The acceptable use policy (AUP) defines acceptable use of the organization’s network and computer systems and can help protect the organization from legal action. It should detail the appropriate and approved usage of the organization’s assets, including the IT environment, devices and data. Each employee (or anyone having access to the organization’s assets) should be required to sign a copy of the AUP, preferably in the presence of another employee of the organization, and both parties should keep a copy of the signed AUP.

Policy aspects commonly included in AUPs:

• Data access

• System access

• Data disclosure

• Passwords

• Data retention

• Internet usage

• Company device usage

An organization may allow workers to acquire equipment of their choosing and use personally owned equipment for business (and personal) use. This is sometimes called bring your own device (BYOD)

It is imperative that the organization documents that the personnel understand and acknowledge the organization’s policies and procedures for handling of that type of information and are made aware of the legal repercussions of handling such sensitive data.

Change management is the discipline of transitioning from the current state to a future state. It consists of three major activities: deciding to change, making the change, and confirming that the change has been correctly accomplished. Change management focuses on making the decision to change and results in the approvals to systems support teams, developers and end users to start making the directed alterations.

An acceptable use policy (AUP) defines acceptable use of the organization’s network

The acceptable use, privacy, BOYD and data handling policies help to protect the organization from legal action.

The data handling policy defines whether data is for use within the company, is restricted for use by only certain roles or can be made public to anyone outside the organization.

Change management requires a process to implement necessary changes so they do not adversely affect business operations.

Terms

• Application Server - A computer responsible for hosting applications to user workstations. NIST SP 800-82 Rev.2

• Asymmetric Encryption - An algorithm that uses one key to encrypt and a different key to decrypt the input plaintext.

• Checksum - A digit representing the sum of the correct digits in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data.

• Ciphertext - The altered form of a plaintext message so it is unreadable for anyone except the intended recipients. In other words, it has been turned into a secret.

• Classification - Classification identifies the degree of harm to the organization, its stakeholders or others that might result if an information asset is divulged to an unauthorized person, process or organization. In short, classification is focused first and foremost on maintaining the confidentiality of the data, based on the data sensitivity.

• Configuration management - A process and discipline used to ensure that the only changes made to a system are those that have been authorized and validated.

• Cryptanalyst - One who performs cryptanalysis which is the study of mathematical techniques for attempting to defeat cryptographic techniques and/or information systems security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.

• Cryptography - The study or applications of methods to secure or protect the meaning and content of messages, files, or other information, usually by disguise, obscuration, or other transformations of that content and meaning.

• Data Loss Prevention (DLP) - System capabilities designed to detect and prevent the unauthorized use and transmission of information.

• Decryption - The reverse process from encryption. It is the process of converting a ciphertext message back into plaintext through the use of the cryptographic algorithm and the appropriate key for decryption (which is the same for symmetric encryption, but different for asymmetric encryption). This term is also used interchangeably with the “deciphering.”

• Degaussing - A technique of erasing data on disk or tape (including video tapes) that, when performed properly, ensures that there is insufficient magnetic remanence to reconstruct data.

• Digital Signature - The result of a cryptographic transformation of data which, when properly implemented, provides the services of origin authentication, data integrity, and signer non-repudiation. NIST SP 800-12 Rev. 1

• Egress Monitoring - Monitoring of outgoing network traffic.

• Encryption - The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.

• Encryption System - The total set of algorithms, processes, hardware, software, and procedures that taken together provide an encryption and decryption capability.

• Hardening - A reference to the process of applying secure configurations (to reduce the attack surface) and locking down various hardware, communications systems, and software, including operating system, web server, application server, application, etc. Hardening is normally performed based on industry guidelines and benchmarks, such as those provided by the Center for Internet Security (CIS).

• Hash Function - An algorithm that computes a numerical value (called the hash value) on a data file or electronic message that is used to represent that file or message and depends on the entire contents of the file or message. A hash function can be considered to be a fingerprint of the file or message. NIST SP 800-152

• Hashing - The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. Source CNSSI 4009-2015

• Ingress Monitoring - Monitoring of incoming network traffic.

• Message Digest - A digital signature that uniquely identifies data and has the property such that changing a single bit in the data will cause a completely different message digest to be generated. NISTIR-8011 Vol.3

• Operating System - The software “master control application” that runs the computer. It is the first program loaded when the computer is turned on, and its main component, the kernel, resides in memory at all times. The operating system sets the standards for all application programs (such as the Web server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations. NIST SP 800-44 Version 2

• Patch - A software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component. Source: ISO/IEC 19770-2

• Patch Management - The systematic notification, identification, deployment, installation and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs. Source: CNSSI 4009

• Plaintext - A message or data in its natural format and in readable form; extremely vulnerable from a confidentiality perspective.

• Records - The recordings (automated and/or manual) of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items). NIST SP 800-53 Rev. 4

• Records Retention - A practice based on the records life cycle, according to which records are retained as long as necessary, and then are destroyed after the appropriate time interval has elapsed.

• Remanence - Residual information remaining on storage media after clearing. NIST SP 800-88 Rev. 1

• Request for change (RFC) - The first stage of change management, wherein a change in procedure or product is sought by a stakeholder.

• Security Governance - The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.

• Social engineering - Tactics to infiltrate systems via email, phone, text, or social media, often impersonating a person or agency in authority or offering a gift. A low-tech method would be simply following someone into a secure building.

• Symmetric encryption - An algorithm that uses the same key in both the encryption and the decryption processes.

• Web Server - A computer that provides World Wide Web (WWW) services on the Internet. It includes the hardware, operating system, Web server software, and Web site content (Web pages). If the Web server is used internally and not by the public, it may be known as an “intranet server.” NIST SP 800-44 Version 2

• Whaling Attack - Phishing attacks that attempt to trick highly placed officials or private individuals with sizable assets into authorizing large fund wire transfers to previously unknown entities.