Ftrsec

Personal security and procedures

VMS : Vendor Management System

Risk Maturity Model

  1. Ad hoc : chaotic starting point
  2. Preliminary : attempts to follow risk management processes, but each department performs them differently
  3. Defined : common or standardized risk framework world-wide
  4. Integrated : risk management operations are integrated into business processes. Metrics are used and risk is considered an element in business strategy decisions
  5. Optimized : proactive, achieving objectives, increased strategic planning; lessons learned are reintegrated.

Risk management Framework

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

Control Framework

COBIT (Control Objectives for IT):

  • Provide stakeholder Value
  • Holistic Approach
  • Dynamic Governance System
  • Governance distinct from Management
  • Tailored to Enterprise Needs
  • End-to-End Governance system



ISO

  • ISO 27001 : covers cybersecurity control objectives
  • ISO 27002 : covers cybersecurity control implementation
  • ISO 27701 : covers privacy controls
  • ISO 31000 : covers risk management programs

NIST

NIST 800-53

NIST Cybersecurity Framework (CSF) :
Identify – Protect – Detect – Respond – Recover


Security Policy Framework

Framework components are mandatory, optional, or mandatory depending on circumstances.

Policies : foundation for a security program, clear expectations for data security, guidance for requesting access to information, process for granting policy exceptions, written to remain valid over a long period of time

  1. Data storage policies : appropriate storage locations
  2. Data transmission policies : protect data in motion
  3. Data lifecycle policies : describe end of life for data
  4. Data retention policies
  5. Data disposal policies
  6. Cloud security policies

Standards : specific details of security controls. Derive their authority from policies, rigorous approval process (e.g. CIS Benchmarks)
Guidelines : security advice, best practices from industry
Procedures : step-by-step instructions
Baseline : minimum level of security that a system must meet.


Business continuity planning

BCP focuses on maintaining business operations with reduced or restricted infrastructure capabilities or resources.
BCP consists of 4 main steps. Here is the full process :

  1. Project scope and planning :
    1. Perform a structured review of the business’s organization from a crisis planning point of view
    2. Create a BCP team with the approval of senior management
    3. Assess the resources available to participate in business continuity activities :
      1. BCP development
      2. BCP testing, training and maintenance
      3. BCP implementation
    4. Analyze the legal and regulatory landscape that governs an organization’s response to a catastrophic event.
  2. Business Impact Analysis (BIA)
    1. Identifying priorities
    2. Risk identification
    3. Likelihood assessment
    4. Impact analysis
      • ALE = ARO × SLE (annualized loss expectancy = annualized rate of occurrence × single loss expectancy)
      • SLE = EF × AV (single loss expectancy = exposure factor × asset value)
    5. Resource prioritization
  3. Continuity planning
    1. Strategy development
    2. Provisions and processes
    3. Buildings and facilities
    4. Infrastructure
  4. Approval and implementation
    • Plan implementation
    • Training and education
    • BCP documentation

Main point in BCP :

  • Continuity Planning Goals
  • Statement of Importance
  • Statement of priorities
  • Statement of Organizational Responsibility
  • Statement of Urgency and Timing
  • Risk Assessment
  • Risk Acceptance/Mitigation
  • Vital Records Program
  • Emergency Response Guidelines
  • Maintenance
  • Testing and Exercises

MTTF (Mean Time To Failure)
MTBF (Mean Time Between Failures)
MTTR (Mean Time To Repair)


Laws

Types of Law:

Criminal law : beyond a reasonable doubt standard
Administrative law : does not require well-documented evidence collection
Civil law : follows the preponderance of the evidence standard

U.S. Privacy Law

– Fourth Amendment : prohibits government agents from searching private property without a warrant and probable cause
– Privacy Act of 1974 : government agencies shall maintain only the records necessary.
– Electronic Communications Privacy Act of 1986 (ECPA) : makes it a crime to invade the electronic privacy of an individual.
– Communications Assistance for Law Enforcement Act (CALEA) of 1994 : amended the ECPA of 1986.
– Economic Espionage Act of 1996 : extends the definition of property to include proprietary economic information, so that industrial or corporate espionage can be prosecuted.
– Health Insurance Portability and Accountability Act of 1996 (HIPAA) : privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals. Protected Health Information (PHI) > must sign a Business Associate Agreement (BAA)
– Children’s Online Privacy Protection Act of 1998 (COPPA) : concerns the collection of children’s information
– Gramm-Leach-Bliley Act of 1999 (GLBA) : concerns financial institutions. Banks, insurers and credit providers were severely limited in the services they could provide and the information they could share with each other.
– USA PATRIOT Act of 2001 : a
– Family Educational Rights and Privacy Act (FERPA) : affects any educational institution that accepts any form of funding from the federal government
– Identity Theft and Assumption Deterrence Act :

European Privacy Law

– European Union General Data Protection Regulation

Canadian Privacy Law

– Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

State Privacy Law

California Consumer Privacy Act (CCPA)

Compliance

Payment Card Industry Data Security Standard (PCI DSS)
Sarbanes-Oxley Act (SOX) :
Regulatory compliance mandated standards for financial reporting of publicly traded companies. Intentional violations can result in criminal penalties.


Intellectual Property

Copyrights : protected until 70 years after the death of the last surviving author.

Works for hire : protected for 95 years from the date of first publication, or 120 years from the date of creation, whichever is shorter.

Trademarks : protect words, slogans and logos

  • ™ : intent to protect words, slogans or logos as trademarks
  • ® : registered with the United States Patent and Trademark Office (USPTO)

Patents : protect the IP of inventors for 20 years.
Trade secrets : protect secrets like the Coca-Cola recipe


ISC2 Code of Ethics canons :

  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure
  2. Act honorably, honestly, justly, responsibly, and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession

Asset security

Data security roles

Data owner / data controller : business leaders. Overall responsibility for data -> set policies and guidelines for their data sets
Data stewards : day-to-day data governance activities, delegated by data owners
Data custodians : store and process information (often IT staff members)
Data users : work with information on a daily basis
Data subjects : individuals referred to in collected data

System ownership ≠ data ownership


Data lifecycle:

Create -> Store -> Use -> Share -> Archive -> Destroy

Clearing = overwriting : protects against casual analysis
Purging = advanced methods : protects against laboratory analysis
Destroying = complete physical destruction (burning, shredding…)

Security Architecture and Engineering
Service Level Agreement (SLA)
Service Level Requirement (SLR)

Large-scale parallel data systems

Symmetric multiprocessing (SMP) : processors share a common OS, data bus and memory resources.

Asymmetric multiprocessing (AMP) : processors operate independently of each other.
Massive Parallel Processing (MPP) : multiple AMP systems linked together. Necessary when you need more processors running different OSes


RADIUS : free (open standard).

  • The network access server is the RADIUS client
  • Authentication server : RADIUS server
  • Provides AAA
  • Uses UDP by default, only encrypts the password exchange

TACACS+ : Cisco.

  • Separates AAA into different processes
  • Encrypts all communications
  • Uses TCP

Security Models

  • Trusted computing base (TCB): the combination of hardware, software and principles that forms a trusted base for enforcing the security policy. The security perimeter is the line that separates the TCB from the rest of the system
  • State machine model: a system in which every possible state is secure, so it remains secure across all state transitions
  • Information flow model : focuses on securing information flows, their direction and their type
  • Noninterference model : based on the information flow model, but concerned with the impact of the actions of higher-level subjects on lower-level subjects
  • Take-grant model : based on these 4 rules :
    • Take rule: allows a subject to take rights over an object
    • Grant rule: allows a subject to grant rights to an object
    • Create rule: allows a subject to create new rights
    • Remove rule: allows a subject to remove rights it has
  • Access control matrix : table of permissions (subjects × objects); each column is an object’s ACL
  • Bell–LaPadula model (protects confidentiality):
    • Simple Security Property : no read-up
    • * (star) Security Property : no write-down
    • Discretionary Security Property : uses an access matrix to enforce DAC
  • Biba model (protects integrity) :
    • Simple Integrity Property : no read-down
    • * (star) Integrity Property : no write-up
  • Clark–Wilson model: 3-part relationship : subject/program/object.
    The subject accesses objects only through programs. Protects integrity first (but can protect confidentiality too)
    • Constrained Data Item (CDI) : data protected by the model
    • Unconstrained Data Item (UDI) : data not controlled by the model
    • Integrity Verification Procedure (IVP) : process that scans items and confirms their integrity
    • Transformation Procedure (TP) : the only procedures allowed to modify a CDI
  • Brewer and Nash model : information security access controls change dynamically -> mitigates conflicts of interest
  • Goguen–Meseguer model: integrity model. Determines the list of objects a subject may access
  • Sutherland model : integrity model. Defines a set of system states, an initial state and state transitions
  • Graham–Denning model: secure creation and deletion of objects, based on 8 primary rules
  • Harrison–Ruzzo–Ullman model (HRU): extension of the Graham–Denning model
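The Bell–LaPadula and Biba properties above, enforced over one small label lattice, as an added example (not from the original notes; the levels, subjects and objects are constructed for illustration):

```python
# Added example: Bell-LaPadula (confidentiality) and Biba (integrity) rules
# implemented as access checks over a constructed lattice of labels.
from dataclasses import dataclass

# Ordered lattice, low -> high. The same ordering is reused for integrity.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Entity:
    name: str
    level: str  # clearance for a subject, classification for an object


def _rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    return LEVELS[level]


def blp_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : simple security property, no read-up   -> subject >= object
    write: *-property, no write-down               -> subject <= object
    """
    s, o = _rank(subject.level), _rank(obj.level)
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba (integrity), the mirror image of BLP.
    read : simple integrity property, no read-down -> subject <= object
    write: *-integrity property, no write-up       -> subject >= object
    """
    s, o = _rank(subject.level), _rank(obj.level)
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation: {op}")


def check_both(subject: Entity, obj: Entity, op: str) -> bool:
    """Enforcing both models on a single lattice allows only what both permit,
    which collapses to same-level access: a common reason the two are applied
    to separate label sets in practice."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


if __name__ == "__main__":
    analyst = Entity("analyst", "secret")
    memo = Entity("memo", "confidential")
    plan = Entity("war_plan", "top_secret")
    print(blp_allows(analyst, memo, "read"))    # True : reading down is fine
    print(blp_allows(analyst, plan, "read"))    # False: no read-up
    print(blp_allows(analyst, memo, "write"))   # False: no write-down
    print(biba_allows(analyst, memo, "write"))  # True : Biba allows write-down
```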

Protection Profiles (PP) : what the customer wants evaluated in a product (“I want”)

Security Targets (ST) : the security claims the vendor makes for the product (“I will provide”)

Target of Evaluation (TOE) :

Evaluation assurance Levels (EAL):


Four types of ATO :

  • Authorization to operate
  • Common control authorization
  • Denial of authorization
  • Authorization to use

Privacy by Design (PbD)  :

  • Proactive not reactive, preventive not remedial
  • Privacy as the default
  • Privacy embedded into design
  • Full functionality
  • Positive sum, not zero-sum
  • End-to-end security – full lifecycle protection
  • Visibility and transparency
  • Respect for user privacy


Secure Network Architecture and Components

Trivial File Transfer protocol UDP 69

Line Printer Daemon : TCP 515

X-window, TCP 6000-6063

Network File System : TCP 2049


Fibre Channel over Ethernet (FCoE) : network data-storage solution (SAN).
High-speed file transfer

Network Layer (OSI layer 3) :

MPLS (Multiprotocol Label Switching) : network technology that directs data based on short path labels instead of network addresses.
Designed to handle a wide range of protocols through encapsulation (TCP/IP, T1, E1, ATM, Frame Relay, SONET, Digital Subscriber Line (DSL))
iSCSI : operates at layer 3.

Voice over Internet Protocol (VoIP) :
– Caller ID >
– SRTP (Secure Real-Time Transport Protocol) : security improvement to minimize DoS, on-path attacks, etc. Adds robust encryption and reliable authentication.
Takes over after the Session Initiation Protocol (SIP) establishes the communication link between endpoints.

Software-Defined Networking

Network Access Control (NAC) :

  • Prevent/reduce known attacks directly and zero-day indirectly
  • Enforce security policy throughout the network
  • Use identities to perform access control

Authentication Protocols :

  • Password Authentication Protocol (PAP) : transmits username/password in cleartext.
  • Challenge Handshake Authentication Protocol (CHAP): Based on MD5. Challenge-response using random number + password hash
  • Extensible Authentication Protocol (EAP) : Framework for authentication. Allows customized authentication security solutions. More than 40 EAP methods , including LEAP, PEAP, EAP-SIM, EAP-FAST, EAP-MD5, EAP-POTP, EAP-TLS, EAP-TTLS
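The CHAP challenge-response described above, with both the peer and the authenticator sides and PAP beside it for contrast, as an added example (not from the original notes; the shared secret and packet layout are constructed, and the response follows the RFC 1994 formula MD5(identifier || secret || challenge)):

```python
# Added example: a CHAP exchange (RFC 1994) versus a PAP packet.
import hashlib
import hmac
import os

# Constructed demo secret, provisioned out of band on both the peer and the
# authenticator; it is never transmitted.
SHARED_SECRET = b"constructed-demo-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a fresh random challenge per attempt and checks the
    response against its own computation. Each challenge is single-use."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.pending = {}  # identifier -> outstanding challenge

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)
        if chal is None:            # unknown or already-consumed identifier
            return False
        expected = chap_response(identifier, self.secret, chal)
        return hmac.compare_digest(expected, response)


def pap_packet(username: str, password: str) -> bytes:
    """PAP by contrast: the credentials travel verbatim in the packet."""
    return username.encode() + b":" + password.encode()


def run_exchange(auth: ChapAuthenticator, peer_secret: bytes) -> bool:
    """Three CHAP packets: Challenge -> Response -> Success/Failure."""
    ident, chal = auth.challenge()                    # 1. Challenge
    resp = chap_response(ident, peer_secret, chal)    # 2. Response
    return auth.verify(ident, resp)                   # 3. Success / Failure


def replay_rejected(auth: ChapAuthenticator, peer_secret: bytes):
    """A recorded response is useless later: its challenge has been consumed."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, peer_secret, chal)
    return auth.verify(ident, resp), auth.verify(ident, resp)


if __name__ == "__main__":
    auth = ChapAuthenticator(SHARED_SECRET)
    print(run_exchange(auth, SHARED_SECRET))        # True
    print(run_exchange(auth, b"wrong-secret"))      # False
    print(replay_rejected(auth, SHARED_SECRET))     # (True, False)
    print(pap_packet("alice", "hunter2"))           # b'alice:hunter2'
```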

Secure Voice Communications:

  • Public Switched Telephone Network (PSTN) : Vulnerable to interception, eavesdropping, tapping and other exploitations. Old telephone service
  • Voice over Internet Protocol (VoIP) :
    Securing VoIP :
    • Use strong Passwords and 2FA
    • Record all logs and inspect for unusual activity
    • Block international calling
    • Outsource VoIP to a trusted SaaS
    • Update VoIP equipment firmware
    • Restrict physical access to VoIP-related networking equipment
    • Train users on VoIP security best practices
    • Prevent ghost or phantom calls on IP phones by blocking nonexistent or invalid-origin numbers.
    • Implement NIPS with VoIP evaluation features.

Cables :
Coaxial cable : center copper conductor with shielding, resistant to EMI

Twisted pair networks :

Shielded twisted-pair : STP
Unshielded twisted-pair : UTP


IPSEC

Authentication Header (AH) : primary authentication, provides integrity and nonrepudiation.
Adds session access control & prevents replay attacks

Encapsulating Security Payload (ESP) : provides confidentiality and integrity. Periodic mid-session reauthentication.
Prevents session hijacking

HMAC : hashing used by IPSec

IP Payload Compression (IPComp) : compress before ESP

Internet Key Exchange (IKE) : manages cryptographic keys :

  • OAKLEY : key generation & exchange (like Diffie-Hellman)
  • SKEME : means to exchange keys securely (like a digital envelope)
  • ISAKMP : organizes and manages the encryption keys generated by OAKLEY and SKEME (like a digital keyring)
    Each IPsec VPN uses two simplex communication channels (1 for reception, 1 for transmission) -> permits simultaneous VPNs


Identity and Access Management

NIST SP 800-63B password recommendations :

  • Passwords must be hashed
  • Passwords shouldn’t expire
  • Users should not be required to use special characters
  • Users should be able to copy/paste passwords
  • Users should be able to use all characters
  • > 8 characters
  • Password systems should verify the password is not in a commonly used list

PCI DSS password recommendations :

  • Passwords expire at least every 90 days
  • Passwords > 7 characters long

Authentication factors overview :

  • Something you know
  • Something you have
  • Something you are

Biometric factor error ratings : https://www.johndcook.com/blog/2018/10/31/biometric-security-error/

  • Federated Identity Management (FIM) : implemented on-premises (provides the most control) or via a third-party cloud service
  • Just-in-time provisioning (JIT) : creates user accounts on third-party sites the first time a user logs on to the site => reduces administrative workload

Access Control Models :

  • Discretionary Access Control (DAC) : every object has an owner, and the owner can grant permissions.
    Implemented using Access Control Lists (ACLs), e.g. NTFS
  • Role-Based Access Control (RBAC) : user accounts are placed in roles and the administrator assigns permissions to the role, e.g. Windows OS
  • Rule-Based Access Control : global rules applied to all subjects, e.g. firewall
  • Attribute-Based Access Control (ABAC) : uses rules + attributes, e.g. SDNs; more flexible
  • Mandatory Access Control (MAC) : uses labels applied to both subjects and objects; lattice-based model
  • Risk-Based Access Control : grants access after evaluating risk. Evaluates environment and situation to make risk-based decisions; may use machine learning.

SPML, SAML XACML and SSO

  • SPML -> federations, provisioning
  • SAML -> SSO, authenticate and authorize
  • XACML -> standard language, enables ABAC

OAuth : Authorization framework (NOT Authentication protocol)

RFC6749 describes OAuth 2.0

OpenID : authentication standard, maintained by the OpenID Foundation, provides decentralized authentication.

OIDC : authentication layer using OAuth 2.0, built on the OpenID standard

SOC Reports

SOC 1 Engagement : assesses the organization’s controls that might impact the accuracy of financial reporting

SOC 2 Engagement : assesses the organization’s controls that affect the security (CIA triad) and privacy of information stored in a system. SOC 2 audit results are confidential and only shared outside the organization under an NDA.
SOC 3 Engagement : assesses the organization’s controls that affect the security (CIA triad) and privacy of information stored in a system.
SOC 3 audit results are intended for public disclosure

TYPE I : Provide opinion of auditor, Only cover specific point in time.
More a documentation review

TYPE II : the auditor confirms that controls function properly. Covers an extended period of time : at least 6 months of operation.
More like traditional audit


Code review and testing

  • Static application Security testing (SAST) : analyze source code or compiled application.
  • Dynamic application Security testing (DAST) : evaluate security of software in runtime environment.
  • Fuzz testing : Dynamic technique, testing many inputs.
    • Mutation (Dumb) Fuzzing : Retake sample of previous input
    • Generational (Intelligent) Fuzzing : Create new inputs.
  • Interface Testing
  • Misuse case testing
  • Test coverage
    • Branch coverage : Has every if statement been executed under all if and else conditions?
    • Condition coverage: Has every logical test in the code been executed under all sets of inputs?
    • Function coverage: Has every function in the code been called and returned results?
    • Loop coverage: Has every loop in the code been executed under conditions that cause code execution multiple times, only once and not at all?
    • Statement coverage: Has every line of code been executed during the test?


Security Operations

Preparation > Detection > Response > Mitigation > Reporting > Recovery > Remediation > lessons learned


Electronic Discovery Reference Model (EDRM)

  1. Information Governance : ensures information is well organized for future eDiscovery efforts
  2. Identification : locates information that may be responsive to a discovery request when the organization believes that litigation is likely.
  3. Preservation : ensures that potentially discoverable information is protected against alteration and deletion
  4. Collection : gathers relevant information centrally for use in the eDiscovery process
  5. Processing : screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring detailed screening.
  6. Review : examines the remaining information to determine what is relevant to the request and removes any information protected by attorney-client privilege.
  7. Analysis : performs a deeper inspection of the content and context of the remaining information
  8. Production : places information into a format that may be shared with others and delivers it to other parties such as opposing counsel
  9. Presentation : displays the information to witnesses, the court and other parties

Evidence

Real evidence : things that may be brought to court (item, knife, computer, fingerprints)

Documentary evidence : any written items brought into court to prove the fact at hand.
All evidence must be authenticated (computer logs need a witness, such as the sysadmin)

  • Best evidence rule : the original document must be introduced for every document. Copies or descriptions (secondary evidence) will not be accepted unless certain exceptions apply.
  • Parol evidence rule : a written agreement between two parties should contain all the terms of the agreement. A verbal agreement can’t modify the written agreement

Testimonial evidence : testimony of witness.


Disaster Recovery Planning

  • Full backup : complete copy of data
  • Differential backup : store all files that have been modified since the most recent full backup
  • Incremental Backup : store only files that have been modified since the most recent full backup or incremental backup
  • Read-Through test : document to review
  • Structured Walk-Through : tabletop exercise
  • Simulation Test
  • Parallel Test
  • Full-Interruption Test
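The full / differential / incremental definitions above, simulated over a constructed week of file changes so the restore chain each scheme requires is visible, as an added example (not from the original notes; the file names and change history are constructed):

```python
# Added example: simulate backup schedules and work out the restore chain.
from dataclasses import dataclass, field

# Constructed history: files modified on each day (day 0 is the initial
# full backup of everything).
DEMO_CHANGES = [{"a", "b", "c"}, {"a"}, {"b"}, {"a", "d"}]


@dataclass
class Backup:
    day: int
    kind: str                       # "full", "differential" or "incremental"
    files: set = field(default_factory=set)


def plan_backups(changes, kinds):
    """Simulate a backup schedule using the notes' definitions:
    differential = everything modified since the last full backup,
    incremental = everything modified since the last full OR incremental."""
    backups, dirty, all_files = [], set(), set()
    for day, kind in enumerate(kinds):
        all_files |= changes[day]
        dirty |= changes[day]           # modified since the last reset point
        if kind == "full":
            captured, dirty = set(all_files), set()
        elif kind == "differential":
            captured = set(dirty)       # reset point stays at the last full
        elif kind == "incremental":
            captured, dirty = set(dirty), set()
        else:
            raise ValueError(f"unknown backup type: {kind}")
        backups.append(Backup(day, kind, captured))
    return backups


def restore_set(backups, day):
    """Backup sets a restore to `day` must read, in order: the last full,
    then either the single newest differential or every incremental taken
    after that full."""
    upto = [b for b in backups if b.day <= day]
    last_full = max(i for i, b in enumerate(upto) if b.kind == "full")
    after = upto[last_full + 1:]
    needed = [upto[last_full]]
    diffs = [b for b in after if b.kind == "differential"]
    if diffs:
        needed.append(diffs[-1])
    needed.extend(b for b in after if b.kind == "incremental")
    return [(b.day, b.kind, sorted(b.files)) for b in needed]


if __name__ == "__main__":
    diff = plan_backups(DEMO_CHANGES, ["full"] + ["differential"] * 3)
    inc = plan_backups(DEMO_CHANGES, ["full"] + ["incremental"] * 3)
    print(restore_set(diff, 3))  # 2 sets; the day-3 differential has grown to a, b, d
    print(restore_set(inc, 3))   # 4 sets; each incremental stays small
```

Differential backups grow day by day but restore from two sets; incrementals stay small but every one since the last full must be replayed, in order.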

Software Capability Maturity Model (SW-CMM)

Levels :

  1. Initial : disorganized, no or little software development process
  2. Repeatable : basic lifecycle management
  3. Defined : developers operate according to a set of documented processes.
  4. Managed : quantitative measures are used to understand the details of the development process
  5. Optimizing : continuous improvement