Cybersecurity policy for technical people
I took these notes from "Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program Against Advanced Threats" for my current job in cybersecurity (which is my first). There is no CISO position, nor even a senior security position, in my company, so I decided to do the boring work myself. I did this so you don't have to. To be fair, the book was really good, and I enjoyed reading it.
I suggest every technical person read the book I mentioned: you will get a foundation in security from a manager's perspective, and you will understand why your CISO makes the decisions that he does.
Definitions
Notes taken from chapter 2 of the book

Preventive controls
Reduce the probability of a risk by blocking threats and preventing incidents from occurring.
Detective controls
Reduce the impact of a risk by generating alerts when systems are compromised.
Forensic controls
Support detective controls by collecting records of all activities related to the risk.
Audit controls
Investigate whether the risk is present.
Red team
An independent group with no knowledge of current systems that tries to penetrate an enterprise architecture.
Blue team
Assures the security of the computer systems.
Functional Areas
I reduced functional areas from 11 mentioned in the book to 7.
Notes from chapter 3 of the book
System administration
Goals
Preventive objective
Prevent attackers from gaining system control
Detective objective
Alert when a malicious system activity occurs
Forensic objective
Log every privileged administrator activity, in order to:
- Generate detective control alerts
- Support the investigation of incidents
Audit objective
The system audit focuses on proving that user activities are not malicious.
Threat vectors
- Attackers compromise logins to do lateral movement to other machines on the network
- Attackers compromise sensitive enterprise data
Capabilities
- Network isolation
- User audit trail
- Command log analysis
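The forensic and detective objectives above (log every privileged activity, alert on malicious activity, analyze command logs) can be exercised against sudo-style log lines. The following is an added example, not code from the book or these notes: the log lines are constructed for this example and loosely modelled on syslog sudo entries, and the sensitive-command patterns and working-hours window are assumptions to adapt to your own environment.

```python
"""Audit trail and alerts for privileged administrator commands.

Added example, not from the book or the original notes. The log format,
the sensitive-command list and the working-hours window are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log: syslog-like sudo entries (not real data).
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:14:22 web01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -m svc-tmp
Mar  3 09:15:40 web01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  3 22:47:09 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 09:20:11 web01 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=postgres ; COMMAND=/usr/bin/psql
this line is not a sudo record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that change who can administer the system or expose credentials
# (assumed list; extend for your platform).
SENSITIVE_PATTERNS = [
    re.compile(r"/useradd\b"), re.compile(r"/usermod\b"), re.compile(r"/visudo\b"),
    re.compile(r"/etc/sudoers"), re.compile(r"/etc/shadow"),
]


def parse_sudo_log(text):
    """Turn raw lines into a list of dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_trail(events):
    """Forensic control: per-user list of (host, target account, command)."""
    trail = defaultdict(list)
    for e in events:
        trail[e["user"]].append((e["host"], e["target"], e["cmd"]))
    return dict(trail)


def sensitive_alerts(events):
    """Detective control: commands that touch account or credential state."""
    return [e for e in events if any(p.search(e["cmd"]) for p in SENSITIVE_PATTERNS)]


def off_hours_alerts(events, start_hour=8, end_hour=18):
    """Detective control: privileged commands outside the working-hours window."""
    flagged = []
    for e in events:
        hour = int(e["ts"].split()[-1].split(":")[0])
        if not (start_hour <= hour < end_hour):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    evs = parse_sudo_log(SAMPLE_LOG)
    for user, cmds in audit_trail(evs).items():
        print(f"{user}: {len(cmds)} privileged command(s)")
    for e in sensitive_alerts(evs):
        print("ALERT sensitive command:", e["user"], e["cmd"])
    for e in off_hours_alerts(evs):
        print("ALERT off-hours command:", e["user"], e["ts"], e["cmd"])
```

The audit trail answers the forensic question (who ran what, where, as whom), while the two alert functions are the detective layer on top of the same records; the sensitive-command list is where most of the tuning effort goes in practice.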
Network security
Goals
Preventive objective
Block malicious traffic from passing from one part of the network to another
Detective objective
Detect malicious intent from network traffic
Forensic objective
Log network traffic so that user intent can be reconstructed during investigations
Audit objective
Analyze network traffic in order to identify malicious intent
Threat vectors
- Attackers use compromised servers to move laterally to other servers
Capabilities
- TLS intercept
- Network traffic analysis
- Network Intrusion Detection System (IDS)
- Network Intrusion Prevention System (IPS)
Application security
Goals
Preventive objective
Block exploitation of web application vulnerabilities
Detective objective
Detect compromises of web applications and attempts of exploitation
Forensic objective
Log data about application activity that can be used for audits and investigations
Audit objective
Prove that applications are safe
Threat vectors
- Attackers find vulnerabilities in in-house-developed web apps
- Attackers exploit publicly known vulnerabilities (CVEs) in web applications
- Attackers use zero-day exploits
Capabilities
- Webshell detection
- Web Application Firewalls (WAF)
- Software code vulnerability analysis
- Database firewalls
Identity and authentication
Goals
Preventive objective
Make it harder for attackers to impersonate users or to use legitimate user accounts
Detective objective
Alert the enterprise when accounts are being attacked
Forensic objective
Log all user data (connection time, IP address, …); the data can be used to identify attack patterns
Audit objective
Prove that accounts are not being abused
Threat vectors
- Attackers use accounts that are no longer used but were never removed from the enterprise systems
- Attackers use weak authentication methods to log in as other users
- Attackers escalate privileges from a normal user account to administrator
Capabilities
- Identity life cycle management (password rotation)
- Multi-factor authentication
Data protection and cryptography
Goals
Preventive objective
Protect the confidentiality and integrity of enterprise data by using cryptography
Detective objective
Detect weak or broken cryptography
Forensic objective
Track the keys and algorithms used in the enterprise to ease the audit phase
Audit objective
Collect information about the keys and algorithms in use and the weaknesses that occur
Threat vectors
- Attackers steal keys for strong cryptography and use them to log in (SSH private keys, for example)
- Attackers brute-force passwords that are protected with weak cryptography
- Ransomware
Capabilities
- TLS
- Key life cycle management and rotation
- Complex (strong) passwords
- Brute force attack detection
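Two of the capabilities above are concrete enough to show as detection logic: the identity section's detective objective (alert when accounts are being attacked, including dormant accounts that were never removed) and this section's brute force attack detection. The following is an added example, not code from the book or these notes. The login events are constructed CSV records in an assumed `timestamp,user,source_ip,result` format, and the thresholds (5 failures in 60 seconds, 3 distinct users sprayed from one source in 5 minutes, 90 days of inactivity) are assumptions to tune for your environment.

```python
"""Brute-force, password-spray and dormant-account detection over login events.

Added example, not from the book or the original notes. Event format and
thresholds are assumptions.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample events (not real data), deliberately out of order.
SAMPLE_EVENTS = """\
timestamp,user,source_ip,result
2024-03-03T09:01:30,bob,203.0.113.7,success
2023-10-01T08:00:00,dave,10.0.0.9,success
2024-03-03T09:00:05,alice,10.0.0.5,success
2024-03-03T09:01:10,bob,203.0.113.7,failure
2024-03-03T09:01:12,bob,203.0.113.7,failure
2024-03-03T09:01:15,bob,203.0.113.7,failure
2024-03-03T09:01:19,bob,203.0.113.7,failure
2024-03-03T09:01:24,bob,203.0.113.7,failure
2024-03-03T09:05:00,carol,10.0.0.8,failure
2024-03-03T09:30:00,carol,10.0.0.8,success
2024-03-03T10:00:01,alice,198.51.100.4,failure
2024-03-03T10:00:03,carol,198.51.100.4,failure
2024-03-03T10:00:05,dave,198.51.100.4,failure
2024-03-03T10:00:07,erin,198.51.100.4,failure
"""


def load_events(text):
    """Parse CSV text into dicts with a datetime timestamp, sorted chronologically."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["timestamp"])


def brute_force_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per (user, source) pair that reaches `threshold` failures inside `window`."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for e in events:
        if e["result"] != "failure":
            continue
        key = (e["user"], e["source_ip"])
        q = recent[key]
        q.append(e["timestamp"])
        while q and e["timestamp"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": key[0], "source_ip": key[1],
                           "failures": len(q), "at": e["timestamp"]})
    return alerts


def password_spray_alerts(events, min_users=3, window=timedelta(minutes=5)):
    """Alert once per source that fails against `min_users` distinct accounts inside `window`."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for e in events:
        if e["result"] != "failure":
            continue
        q = recent[e["source_ip"]]
        q.append((e["timestamp"], e["user"]))
        while q and e["timestamp"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users and e["source_ip"] not in alerted:
            alerted.add(e["source_ip"])
            alerts.append({"source_ip": e["source_ip"], "users": sorted(users), "at": e["timestamp"]})
    return alerts


def success_after_brute_force(events, alerts):
    """Highest-severity case: the attacked pair logs in successfully after its alert fired."""
    hits = set()
    for a in alerts:
        for e in events:
            if (e["user"], e["source_ip"]) == (a["user"], a["source_ip"]) \
                    and e["result"] == "success" and e["timestamp"] > a["at"]:
                hits.add(e["user"])
    return sorted(hits)


def dormant_accounts(events, now, max_idle=timedelta(days=90)):
    """Accounts whose most recent successful login is older than `max_idle`."""
    last_ok = {}
    for e in events:
        if e["result"] == "success":
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["timestamp"]), e["timestamp"])
    return sorted(u for u, ts in last_ok.items() if now - ts > max_idle)


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    bf = brute_force_alerts(evs)
    print("brute force:", bf)
    print("password spray:", password_spray_alerts(evs))
    print("success after brute force:", success_after_brute_force(evs, bf))
    print("dormant:", dormant_accounts(evs, now=datetime(2024, 3, 3, 12, 0)))
```

The per-pair and per-source detectors are complementary: a slow spray of one guess across many accounts never trips the per-user threshold, and a single account hammered from one address never trips the spray threshold. The dormant-account check is the identity life cycle side of the same problem, since an account nobody uses is one nobody notices being abused.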
Monitoring, vulnerability and patch management
Goals
Preventive objective
Ensure that vulnerabilities are fixed before they can be exploited by attackers
Detective objective
Monitor all security automation systems to detect incidents so they can be investigated immediately
Forensic objective
Log events that can be investigated
Audit objective
Centrally collect forensic data that can be analyzed by auditors
Threat vectors
- Attackers use methods that are not detected by monitoring systems and are invisible to the blue team
- Attackers exploit unpatched vulnerabilities or zero-day vulnerabilities
- Attackers attack the logging infrastructure to avoid detection
Capabilities
- Red team penetration testing
- Security Information and Event Management (SIEM)
- Log aggregation
- Honeypots and honeytokens
- Privilege change detection
- File change detection
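File change detection above, and the disaster recovery threat vector below (integrity of systems compromised by injecting code into files), both come down to comparing a trusted baseline of file hashes against the current state. The following is an added example, not code from the book or these notes: it builds a small constructed directory tree in a temporary folder, takes a baseline, simulates a modified, an added and a removed file, and reports the differences. The directory contents and the SHA-256 choice are assumptions.

```python
"""File change detection: hash baseline versus current state.

Added example, not from the book or the original notes. The sample tree is
constructed in a temporary directory; the hash algorithm is an assumption.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under `root` (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots; all lists are sorted for stable output."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app.sh").write_text("#!/bin/sh\necho hello\n")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        (root / "notes.txt").write_text("ok\n")
        baseline = snapshot(root)

        # Simulated changes after the baseline was taken (constructed, not real):
        # a script gets an extra line appended, a new binary appears, a file vanishes.
        with open(root / "bin" / "app.sh", "a") as f:
            f.write("echo injected line\n")
        (root / "bin" / "extra.so").write_bytes(b"\x7fELF constructed placeholder")
        (root / "notes.txt").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical points follow from the threat vectors listed earlier: the baseline must be stored somewhere the monitored host cannot overwrite (attackers attack the logging infrastructure to avoid detection), and the paths included should be the ones whose integrity matters for recovery (binaries, configuration, scheduled tasks), since hashing everything produces noise that hides the one change that counts.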
Disaster recovery
Goals
Assess the ability to respond to a wide range of adverse situations
Threat vectors
- In a cyber attack, the integrity of certain systems is compromised, for example by injecting code into files
Capabilities
- Virtual machine snapshots
- Data mirroring and replication
Implementing Cybersecurity protocols
Organizing the personnel
IT and security departments should be tightly coupled and able to coordinate easily.

Risk management
- Evaluates cybersecurity threats
- Defines policies to manage those risks
- Engages with IT projects to manage risks
Security Operation Center
Involves routine controls to identify cyber incidents when they occur.
Cyber Incident Response Team
Responds to security incidents and supervises their investigation and remediation.
Compliance
Responsible for collecting security infrastructure and operations artifacts that provide evidence that the security protocols are behaving as intended.
The anatomy of attacks
Attackers usually penetrate systems in five steps and may use many paths.

These steps are not always in sequence.