- Countermeasures such as encryption and data classification
- Confidentiality
- unauthorized alteration of data in a customer database
- Integrity
- nonrepudiation of emails sent from internal users
- Use digital signatures on emails
- higher availability
- Implement a secondary internet connectivity solution at headquarters, which fails over when the primary connection is unavailable
- Standard
- The management team of an organization creates a document stating employees who access the company’s enterprise resource planning (ERP) system must use a certain browser and are required to have antivirus installed on their machines.
- Guideline
- Recommendations and suggestions on creating a strong password
- Non-disclosure agreement
- A non-disclosure agreement (NDA), also known as a confidentiality agreement (CA), confidential disclosure agreement (CDA), proprietary information agreement (PIA) or secrecy agreement (SA), is a legal contract or part of a contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to. Doctor–patient confidentiality (physician–patient privilege), attorney–client privilege, priest–penitent privilege, bank–client confidentiality, and kickback agreements are examples of NDAs, which are often not enshrined in a written contract between the parties.
- Employment agreement
- An employment contract or contract of employment is a kind of contract used in labour law to attribute rights and responsibilities between parties to a bargain. The contract is between an “employee” and an “employer”. It has arisen out of the old master-servant law, used before the 20th century.
- Noncompete agreement
- In contract law, a non-compete clause (often NCC), or covenant not to compete (CNC), is a clause under which one party (usually an employee) agrees not to enter into or start a similar profession or trade in competition against another party (usually the employer). Some courts refer to these as “restrictive covenants”. As a contract provision, a CNC is bound by traditional contract requirements including the consideration doctrine.
- Accountability
- process of reviewing the activities of an identity
- Authentication
- comparing a user’s fingerprint against authorized fingerprints stored in a database
- AAA
- In addition to CIA, the AAA concepts are used to define security policies and to deploy security solutions for an organization
- Time-based one-time password
- A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors. Time-based one-time passwords are commonly used for two-factor authentication and have seen growing adoption by cloud application providers.
- Hash-based one-time password
- HMAC-based One-time Password (HOTP) is a one-time password (OTP) algorithm based on hash-based message authentication codes (HMAC). It is a cornerstone of the Initiative for Open Authentication (OATH).
- Synchronous dynamic password tokens
- One-time passwords (also called dynamic passwords) are more secure than static ones. Synchronous and asynchronous tokens can be used to generate one-time passwords. When tokens are used, it is recommended to use them together with a PIN or static password to achieve two-factor authentication.
- “Synchronous” means with time and “asynchronous” means without time.
- Asynchronous dynamic password tokens
- Asynchronous tokens are also called Challenge/Response tokens. They do not need event counters or internal clocks to operate. Instead, the authentication process sends a challenge — short string of letters/numbers — which the user must enter into the token to generate a response.
- Controls access to the network
- Provide individuals access after they supply a username and password
- Audit trail
- An audit trail is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, or event.
- STRIDE Threat model
| Threat | Desired property |
|---|---|
| Spoofing | Authenticity |
| Tampering | Integrity |
| Repudiation | Non-repudiability |
| Information disclosure | Confidentiality |
| Denial of Service | Availability |
| Elevation of Privilege | Authorization |
- Repudiation
- Unsigned email from a coworker.
- Risk management
- The process identifies factors that could damage or disclose data, evaluates those factors considering data value and countermeasure cost, and implements cost-effective solutions.
- Risk management is the process of identifying, assessing and controlling threats to an organization’s capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.
- Asset valuation
- Asset valuation is the process of determining the fair market or present value of assets, using book values, absolute valuation models like discounted cash flow analysis, option pricing models or comparables.
- Vulnerability identification
- A vulnerability is a flaw that could lead to the compromise of the confidentiality, integrity or availability of an information system. Vulnerability identification involves the process of discovering vulnerabilities and documenting these into an inventory within the target environment.
- Impact assessment
- Impact assessments are commonly associated with businesses but in fact they are applicable to all areas of life. In short, an impact assessment will look at what possible outcome a specific action can have and how to minimize or prevent any negative outcomes.
- Purpose of threat modeling tools
- To consider the range of compromise concerns and focus on the end result of an attack
- Threat modeling, the process of discovering potential security vulnerabilities in a design and eliminating those vulnerabilities before writing any code, fits best during the stage of planning and designing a new feature. When threat modeling is firing on all cylinders, an organization is creating more secure software.
- Insider Threat
- To identify employees who could be potential insider threats
- Single loss expectancy (SLE)
- Asset Value × Exposure Factor
- Annualized loss expectancy (ALE)
- Single loss expectancy (SLE) multiplied by an annualized rate of occurrence (ARO)
- Deterrence
- the action of discouraging an action or event through instilling doubt or fear of the consequences.
- Rejection
- A threat has been reported to be attacking only government entities. The company’s board of directors has concluded that the threat will likely never materialize for private companies, and that nothing should be done about it.
- Avoidance
- The audit finds that the email servers are vulnerable to SMTP relay attacks. The company decides to migrate email services to a cloud-based provider and decommission the email servers.
- Broadly speaking, a risk assessment is the combined effort of: identifying and analyzing potential events that may negatively impact individuals, assets, and/or the environment; and making judgments “on the tolerability of the risk on the basis of a risk analysis” while considering influencing factors.
- Administrative Access Controls:
- Administrative access controls are the policies and procedures defined by an organization’s security policy and other regulations or requirements. They are sometimes referred to as management controls. These controls focus on personnel and business practices. Examples of administrative access controls include policies, procedures, hiring practices, background checks, classifying and labeling data, security awareness and training efforts, reports and reviews, personnel controls, and testing.
- Logical/Technical Controls:
- Logical access controls (also known as technical access controls) are the hardware or software mechanisms used to manage access and to provide protection for resources and systems. As the name implies, they use technology. Examples of logical or technical access controls include authentication methods (such as passwords, smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems, and clipping levels.
- Physical Controls:
- Physical access controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms.
- Directive Controls
- actions taken to cause or encourage a desirable event to occur. They are broad in nature and apply to all situations.
- Risk Assessment Process
- Risk assessment life cycle
- Security categorization
- Security control selection
- Security control implementation
- Security control assessment
- Information system authorization
- Security control monitoring
- Risk management framework
- A guideline or recipe for how risk is to be assessed, resolved, and monitored
- Risk Assessment
- Document all risks identified at the assertion level in the risk assessment
- Private
- classification of PII and PHI data
- Public
- There is no negative impact if documents are released outside the organization
- Archive
- unneeded patient records before the required retention years have passed
- How should the backup tapes be secured to minimize unauthorized access?
- Encrypt data, and then store it in a safe location
- General Data Protection Regulation “GDPR”
- Asset owner
- “Information Asset Owners (IAOs) must be senior/responsible individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why.”
- Business Owner
- This person, along with the mission owner (i.e., senior management), designs the entire information security program. They also cover vital day-to-day corporate aspects related to the real implementation of the information security program, such as funding, staffing activities (for example, finding security experts or other qualified personnel) and organizational priority. Last but not least, these types of owners need to ensure that every organizational asset is protected.
- System Owner
- This individual is in charge of one or more systems, each of which may contain and operate with data owned by various data owners. A system owner is in a position that predisposes him to participate in drafting security policies, supporting procedures, standard and baselines, and to disseminate them among the members of a division.
- Data Custodian
- A data custodian can deliver technical protection of information assets, such as data. Backing up data in line with the company’s backup policy, restoration of data, patching systems, and configuring antivirus software are some of the most common tasks within the scope of duties of data custodians.
- Data owner
- Data owners are either individuals or teams who make decisions such as who has the right to access and edit data and how it’s used. Owners may not work with their data every day, but are responsible for overseeing and protecting a data domain.
- Asset owner
- The department managers
- owner of the data
- Background checks
- administrative access control
- Federated identity management (FIM)
- an identity management solution that allows multiple organizations to share identities based on a common method
- Identification
- purpose of this username
- Credential management system
- Allow employees to store usernames and passwords
- Administrative, technical, and physical
- multiple layers of access control to achieve the strongest level of security possible.
- Discretionary Access Control
- only the vice president to manage who can edit corporate policies.
- Role-Based Access Control
- only members of its database administrator team to have administrative access to all SQL server databases
- Attribute-based access control
- IF the requester is a manager, THEN allow read/write access to sensitive data.
- Mandatory Access Control
- A word-processing program uses document labels to determine which users can access files
- Access Aggregation Attacks
- An access aggregation attack is carried out by collecting several pieces of insensitive information and drawing conclusions from them to devise sensitive information. In simple words, adversaries will gather multiple facts related to a system and study them to conduct an attack. A reconnaissance attack is an example. It involves hackers combining several tools to identify different elements of a target system, such as the operating system, IP address, open port, and more.
- Database Aggregation
- In database management, an aggregate function or aggregation function is a function where the values of multiple rows are grouped together to form a single summary value. Common aggregate functions include average (i.e., arithmetic mean) and count.
- Information theft
- The unauthorized taking or interception of computer-based information. Data theft is the act of stealing computer-based information from an unknowing victim with the intent of compromising privacy or obtaining confidential information.
- Shoulder surfing
- an attacker looking at a victim’s computer screen to capture sensitive information
- Tailgating | Piggybacking
- The tailgating attack, also known as “piggybacking,” involves an attacker seeking entry to a restricted area that lacks the proper authentication. The attacker can simply walk in behind a person who is authorized to access the area.
- Tailgating is when an unauthorized person follows an authorized person into the secure or restricted area WITHOUT the consent of the authorized person.
- Piggybacking is when an unauthorized person follows an authorized person into the secure or restricted area WITH the consent of the authorized person.
- Screen Scraping
- Screen scraping is the act of copying information that shows on a digital display so it can be used for another purpose. Visual data can be collected as raw text from on-screen elements such as a text or images that appear on the desktop, in an application or on a website.
- Vishing
- exclusively uses the telephone system or VoIP to perform the attack
- Rainbow Table
- A rainbow table is a precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a key derivation function up to a certain length consisting of a limited set of characters.
- Side-Channel Attack
- In computer security, a side-channel attack is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself.
- passive and noninvasive and intended to observe the operation of a device.
- Spear Phishing
- Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.
- Rule-based
- A company secures its network by closing specific ports on its firewalls
- Mandatory access control
- allows a user to gain access to objects using classification labels in a compartmentalized environment
- Control objectives for information and related technology (CoBIT)
- framework achieves the needs of stakeholders and the goals of an enterprise
- The Open Group Architecture Framework (TOGAF)
- Capability Maturity Model Integration (CMMI)
- Capability Maturity Model Integration is a process level improvement training and appraisal program. Administered by the CMMI Institute, a subsidiary of ISACA, it was developed at Carnegie Mellon University. It is required by many U.S. Government contracts, especially in software development.
- ITIL
- ITIL is a set of detailed practices for IT service management that focuses on aligning IT services with the needs of business.
- capability maturity model integration
- COSO
- The Framework defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management. Engaged by COSO to lead the study, PricewaterhouseCoopers was assisted by an advisory council composed of representatives from the five COSO organizations.
- security control should be employed to remedy access aggregation attacks
- Applying need-to-know principle
- Encryption
- Security control that can be applied to prevent eavesdropping attacks
- Privilege Creep
- Privilege creep is the gradual accumulation of access rights beyond what an individual needs to do his or her job. In information technology, a privilege is an identified right that a particular end user has to a particular system resource, such as a file folder or virtual machine.
- OpenID and OAuth
- OpenID is a way to use a single set of user credentials to access multiple sites, while OAuth facilitates the authorization of one site to access and use information related to the user’s account on another site. Although OAuth is not an authentication protocol, it can be used as part of one.
- Account lockout
- helps prevent an attack on the log-on page when an attacker has unlimited time