Cybersecurity policy for technical people

I took these notes from "Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program Against Advanced Threats" for my current job in cybersecurity (which is my first). There is no CISO position, nor even a senior security position, in my company, so I decided to do the boring work myself. I did this so you don't have to. To be fair, the book was really good, and I enjoyed reading it.

I suggest that every technical person read the book I mentioned: you will get a foundation in security from a manager's perspective, and you will understand why your CISO makes the decisions that he does.

Definitions

  • Note taken on [2019-01-23 Wed 09:58]
    Notes taken from chapter 2 of the book

[Figure: ip1.png]

Preventive controls

Reduce risk probability by blocking threats and preventing incidents from occurring.

Detective controls

Reduce risk impact by generating alerts when systems are compromised.

Forensic controls

Support detective controls by collecting records of all activities related to the risk.

Audit controls

Investigate the presence of the risk.

Red team

An independent group with no knowledge of current systems that tries to penetrate an enterprise architecture.

Blue team

The team that assures the security of the computer systems.

Functional Areas

I reduced the functional areas from the 11 mentioned in the book to 7.

  • Note taken on [2019-01-23 Wed 09:14]
    Notes from chapter 3 of the book

System administration

Goals

Preventive objective

Prevent attackers from gaining system control

Detective objective

Alert when a malicious system activity occurs

Forensic objective

Log all privileged administrator activities in order to:

  • Generate detective control alerts
  • Support investigation of incidents

Audit objective

The system audit focuses on proving that user activities are not malicious.

Threat vectors

  • Attackers compromise logins to move laterally to other machines on the network
  • Attackers compromise sensitive enterprise data

Capabilities

  • Network isolation
  • User audit trail
  • Analyze command logs

Network security

Goals

Preventive objective

Block malicious traffic from passing from one part of the network to another

Detective objective

Detect malicious intent from network traffic

Forensic objective

Log network traffic to detect user intent

Audit objective

Analyze network traffic in order to identify malicious intent

Threat vectors

  • Attackers use compromised servers to move laterally to other servers

Capabilities

  • TLS intercept
  • Network traffic analysis
  • Network Intrusion Detection System (IDS)
  • Network Intrusion Prevention System (IPS)

Application security

Goals

Preventive objective

Block exploitation of web application vulnerabilities

Detective objective

Detect compromises of web applications and attempts of exploitation

Forensic objective

Log data about application activity that can be used for audits and investigations

Audit objective

Prove that applications are safe

Threat vectors

  • Attackers find vulnerabilities in in-house developed web apps
  • Attackers use known vulnerabilities (CVEs) to attack web applications
  • Attackers use zero-day exploits

Capabilities

  • Webshell detection
  • Web Application Firewalls (WAF)
  • Software code vulnerability analysis
  • Database firewalls

Identity and authentication

Goals

Preventive objective

Make it harder for attackers to impersonate users or to use legitimate user accounts

Detective objective

Alert the enterprise when accounts are being attacked

Forensic objective

Log all user session data (connection time, IP address …); this data can be used to identify attack patterns

Audit objective

Prove that accounts are not being abused

Threat vectors

  • Attackers use accounts that are no longer used but were never removed from the enterprise systems
  • Attackers use weak authentication methods to log in as other users
  • Attackers escalate privileges from a normal user account to administrator

Capabilities

  • Identity life cycle management (password rotation)
  • Multi-factor authentication

Data protection and cryptography

Goals

Preventive objective

Protect the confidentiality and integrity of the enterprise by using cryptography

Detective objective

Detect weak or broken cryptography

Forensic objective

Track the keys and algorithms used in the enterprise to ease the audit phase

Audit objective

Collect information about the keys and algorithms in use and the weaknesses found in them

Threat vectors

  • Attackers steal keys for strong cryptography and use them to log in (SSH keys, for example)
  • Attackers brute-force passwords that were encrypted using weak cryptography
  • Ransomware

Capabilities

  • TLS
  • Key life cycle management and rotation
  • Complex passwords
  • Brute force attack detection
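The detective objective of the identity section ("alert the enterprise when accounts are being attacked") and the "Brute force attack detection" capability above are the same control seen from two areas. As an added example that is not from the book or the original notes, this sliding-window detector runs over constructed OpenSSH-style log lines and flags a source that fails more than a threshold of logins within a window, also recording a success that follows the burst (a likely guessed credential); the log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH "Failed/Accepted password" style (not real traffic).
SAMPLE_LOG = """\
2019-10-27T17:00:01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
2019-10-27T17:00:03 sshd[2202]: Failed password for root from 198.51.100.7 port 51123 ssh2
2019-10-27T17:00:04 sshd[2203]: Failed password for alice from 198.51.100.7 port 51124 ssh2
2019-10-27T17:00:06 sshd[2204]: Failed password for bob from 198.51.100.7 port 51125 ssh2
2019-10-27T17:00:07 sshd[2205]: Failed password for root from 198.51.100.7 port 51126 ssh2
2019-10-27T17:00:09 sshd[2206]: Accepted password for bob from 198.51.100.7 port 51127 ssh2
2019-10-27T17:05:00 sshd[2301]: Failed password for alice from 203.0.113.9 port 40001 ssh2
2019-10-27T17:20:00 sshd[2302]: Failed password for alice from 203.0.113.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {ip: alert} for sources with >= threshold failed logins inside the window.

    Each alert records the failure count, the user names tried, and `success_after`:
    the account that logged in successfully from that source after the burst, if any.
    """
    failures = defaultdict(deque)  # ip -> deque of (timestamp, user) still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines the parser does not understand are skipped, not counted
        ts, ip, user = datetime.fromisoformat(m["ts"]), m["ip"], m["user"]
        q = failures[ip]
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures that fell out of the sliding window
        if m["result"] == "Failed":
            q.append((ts, user))
            if len(q) >= threshold:
                alerts[ip] = {"failures": len(q),
                              "users": sorted({u for _, u in q}),
                              "success_after": None}
        elif ip in alerts and q:
            # a success right after a burst of failures is the signal worth paging on
            alerts[ip]["success_after"] = user
    return alerts
```

The second source (203.0.113.9) produces no alert because its two failures are fifteen minutes apart; the window, not the raw count, decides.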

Monitoring, vulnerability and patch management

Goals

Preventive objective

Ensure that vulnerabilities are fixed before they can be exploited by attackers

Detective objective

Monitor all security automation systems to detect incidents so they can be investigated immediately

Forensic objective

Log events that can be investigated

Audit objective

Centrally collect forensic data that can be analyzed by auditors

Threat vectors

  • Attackers use methods that are not detected by monitoring systems and are invisible to the blue team
  • Attackers exploit vulnerabilities that are not patched, or use zero-day exploits
  • Attackers attack the logging infrastructure to avoid detection

Capabilities

  • Red team penetration testing
  • Security Information and Event Management (SIEM)
  • Log aggregation
  • Honeypots and honeytokens
  • Privilege change detection
  • File change detection
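"File change detection" in the list above is a forensic and detective capability at once: a baseline of content hashes and permission bits lets you prove later what changed. As an added example, not code from the book or the original notes, this builds such a baseline over a directory tree and diffs it against a later snapshot; the demo tree, file names and tampering it simulates are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Hash the content and record mode/size; a changed mode (e.g. a new setuid bit) is a change too."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "mode": oct(st.st_mode & 0o7777), "size": st.st_size}


def build_baseline(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its fingerprint."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}


def compare_baselines(old: dict, new: dict) -> dict:
    """Report files added, removed, or modified (content or mode) since the baseline."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}


def demo() -> dict:
    """Constructed scenario: baseline a temporary tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary")
        (root / "bin" / "cat").write_bytes(b"unchanged binary")
        os.chmod(root / "bin" / "cat", 0o755)
        (root / "etc_passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)
        # Simulated integrity loss: binary replaced, new file dropped, record deleted,
        # and a setuid bit added to an otherwise untouched binary.
        (root / "bin" / "ls").write_bytes(b"replaced binary")
        (root / "dropped.bin").write_bytes(b"\x00")
        (root / "etc_passwd").unlink()
        os.chmod(root / "bin" / "cat", 0o4755)
        return compare_baselines(baseline, build_baseline(root))
```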

Disaster recovery

Goals

Assess the ability to respond to a wide range of adverse situations

Threat vectors

  • In a cyber attack, the integrity of certain systems is compromised, for example by injecting code into files

Capabilities

  • Virtual machine snapshots
  • Data mirroring and replication

Implementing Cybersecurity protocols

Organizing the personnel

IT and security departments should be tightly coupled and able to coordinate easily.

[Figure: ip2.png]

Risk management

  • Evaluates security threats
  • Defines policies to manage those risks
  • Engages with IT projects to manage risks

Security Operation Center

Involves routine controls to identify cyber incidents when they occur.

Cyber Incident Response Team

Responds to security incidents and supervises their investigation and remediation.

Compliance

Responsible for collecting security infrastructure and operations artifacts that provide evidence that the security protocols are behaving as intended.

The anatomy of attacks

Attackers usually penetrate systems in 5 steps and may use many paths.

[Figure: ip3.png]

These steps are not always in sequence.


Author: Mohamed Aziz Knani

Date: 2019-10-27 Sun 17:01
