Chapter 5 - Security Operations

Data Security

Data Security Lifecycle

  1. Create: This is the initiation stage where data is generated or collected. It could be user-generated content, transaction records, sensor data, or any form of data that is being recorded or created for a specific purpose.

  2. Store: After data is created, it needs to be stored securely in a system, database, or file storage for future access. The storage method will depend on factors like the type of data, security requirements, and access needs.

  3. Share: In this phase, data is distributed or shared with authorized users, systems, or other stakeholders. This could involve sending data between departments, sharing with third parties, or making it accessible to users or applications.

  4. Use: Data is accessed and processed to derive insights, make decisions, or perform tasks. This is where the data serves its purpose, whether it’s used in a report, decision-making, or operational processes.

  5. Modify: Over time, data may need to be updated, edited, or enriched to ensure it remains relevant and accurate. This could involve correcting errors, adding new information, or refining data to meet changing needs.

  6. Archive: When data is no longer actively used but must be retained for compliance, historical analysis, or other reasons, it is archived. Archived data is typically stored in a less accessible form but still preserved for future reference.

  7. Destroy: Finally, when data is no longer needed, and retaining it poses a risk or is no longer required, it is securely destroyed. This ensures that sensitive or unnecessary data is permanently eliminated from systems to prevent unauthorized access or misuse.

Each step of this process is crucial for ensuring data is managed efficiently, securely, and in compliance with applicable regulations.


Data Sensitivity Levels

Compromise of data with this sensitivity label could possibly put the organization’s future existence at risk. Compromise could lead to substantial loss of life, injury or property damage, and the litigation and claims that would follow.


Encryption types

  • Symmetric Encryption: A type of encryption where the same key is used for both the encryption of data (turning it into ciphertext) and the decryption of that data (converting it back to its original form). Both the sender and the receiver must have the same secret key, which must be kept confidential. Examples include AES and DES.

  • Asymmetric Encryption: A type of encryption that uses a pair of keys: a public key for encrypting data and a private key for decrypting it. The public key can be shared openly, while the private key remains secret and is known only to the recipient. The keys are mathematically related, but the private key cannot feasibly be derived from the public key. Examples include RSA and ECC.
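As an added example (not from the original notes), the two models side by side in Go using only the standard library's AES-GCM and RSA-OAEP: the symmetric round trip succeeds only when both sides hold the same key, while the asymmetric one encrypts with the shareable public key and decrypts only with the matching private key. Keys and the message are constructed by the caller for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// gcm builds an AES-GCM cipher from a 16-, 24- or 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// symRoundTrip seals under encKey and opens under decKey (AES-GCM). It succeeds only
// when both sides hold the SAME secret key; with any other key the GCM tag check fails.
func symRoundTrip(encKey, decKey, plaintext []byte) ([]byte, error) {
	sealer, err := gcm(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, sealer.NonceSize()) // random; never reused under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := sealer.Seal(nil, nonce, plaintext, nil)
	opener, err := gcm(decKey)
	if err != nil {
		return nil, err
	}
	return opener.Open(nil, nonce, ciphertext, nil)
}

// asymRoundTrip encrypts with a shareable PUBLIC key and decrypts with a PRIVATE key
// (RSA-OAEP). Only the private key that matches pub recovers the plaintext.
func asymRoundTrip(pub *rsa.PublicKey, priv *rsa.PrivateKey, plaintext []byte) ([]byte, error) {
	ciphertext, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}
```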


Cryptographic Hash

Five properties of a cryptographic hash function:

  1. Useful: It is easy to compute the hash value for any given message.

  2. Nonreversible: It is computationally infeasible to reverse the hash process or otherwise derive the original plaintext of a message from its hash value (unlike an encryption process, for which there must be a corresponding decryption process).

  3. Content integrity assurance: It is computationally infeasible to modify a message such that re-applying the hash function will produce the original hash value.

  4. Unique: It is computationally infeasible to find two or more different, sensible messages that hash to the same value.

  5. Deterministic: The same input will always generate the same hash, when using the same hashing algorithm.


Network Ingress / Egress Monitoring

Logging - Ingress Monitoring Tools:

Ingress refers to incoming network traffic, and ingress monitoring tools help track and secure data entering a network. Here's how the listed tools fit into ingress monitoring:

  1. Firewalls: Monitor and control incoming network traffic based on predetermined security rules. They log any suspicious or unauthorized access attempts.

  2. Gateways: Serve as entry points between different networks, often providing an additional layer of filtering or monitoring of incoming data. They can log and control access to specific services or applications.

  3. Remote Authentication Servers: These servers authenticate users trying to access a network remotely. They log authentication attempts, including successful and failed login attempts, and are used to monitor potential unauthorized access.

  4. IDS/IPS Tools (Intrusion Detection/Prevention Systems):

    • IDS detects potential malicious activity on the network by analyzing incoming traffic for known attack patterns and logging those events.

    • IPS not only detects but also actively blocks or prevents suspicious activity.

  5. SIEM Solutions (Security Information and Event Management): SIEM tools aggregate, correlate, and analyze logs from various network devices (firewalls, IDS/IPS, servers, etc.) to identify security incidents, vulnerabilities, or policy violations.

  6. Anti-malware Solutions: These tools monitor incoming data for known malware signatures, log detected threats, and record the type of threat and the actions taken.


Logging - Egress Monitoring Data Types:

Egress refers to outgoing network traffic. Egress monitoring tools help track and control what data leaves the network. Here's how the listed data types relate to egress monitoring:

  1. Email (Content and Attachments): Monitoring outbound email communications, including both the content and any attached files, to ensure that sensitive or unauthorized information isn't being sent outside the organization.

  2. Copy to Portable Media: Tracking the movement of data to portable storage devices (e.g., USB drives or external hard drives). This is important for ensuring that sensitive data is not removed from the network without proper authorization.

  3. File Transfer Protocol (FTP): Monitoring FTP sessions for the transfer of files from within the network to external locations. This includes logging which files are transferred and who initiated the transfer.

  4. Posting to Web Pages/Websites: Monitoring when users post data (such as documents or personal information) to external websites or web pages, ensuring that no confidential or unauthorized information is shared online.

Both ingress and egress monitoring are crucial for maintaining network security and ensuring compliance with data protection policies.
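As an added example (not from the original notes), a small Go detector for the kind of remote-authentication log that ingress monitoring feeds into a SIEM: it counts failed logins per source over one monitoring window, flags any source that exceeds a threshold, and marks those that afterwards succeed so an analyst can triage them first. The log format is constructed for this example and is not a real product's.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert flags a source with too many failed logins; Followed means it later succeeded.
type Alert struct {
	Source   string
	Failures int
	Followed bool
}

// parseLine reads the constructed format used here (not a real product's) and returns
// the source address and whether the attempt succeeded, e.g.
//   2024-05-01T10:00:00Z auth FAIL user=alice src=203.0.113.7
func parseLine(line string) (source string, success bool, err error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "auth" || !strings.HasPrefix(f[4], "src=") {
		return "", false, fmt.Errorf("unrecognised line: %q", line)
	}
	return strings.TrimPrefix(f[4], "src="), f[2] == "OK", nil
}

// Detect takes one monitoring window's lines in chronological order and alerts on
// every source whose failed attempts exceed maxFail, keyed by source address.
func Detect(lines []string, maxFail int) (map[string]Alert, error) {
	fails := map[string]int{}
	alerts := map[string]Alert{}
	for _, line := range lines {
		src, ok, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		a := alerts[src] // zero value until this source crosses the threshold
		if ok {
			if a.Failures > 0 { // failures, then a success: possible guessed password
				a.Followed = true
				alerts[src] = a
			}
			continue
		}
		fails[src]++
		if fails[src] > maxFail {
			alerts[src] = Alert{Source: src, Failures: fails[src], Followed: a.Followed}
		}
	}
	return alerts, nil
}
```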


System Hardening

Configuration management involves managing and maintaining the consistency of a system’s performance, functionality, and design throughout its lifecycle. The listed procedures are key steps in this process:

  1. Identification: This involves identifying and documenting all the components of the system, including hardware, software, and their configurations. This step ensures that all assets are recognized and tracked.

  2. Baseline: A baseline is a reference point in the system's configuration. It defines the standard or approved version of system components and configurations. Baselines are established for the system's state at specific points in time, allowing comparison with future changes.

  3. Change Control: This is the process of managing changes to the system configuration. It ensures that any proposed changes are properly reviewed, approved, and documented to avoid introducing risks or instability into the system.

  4. Verification & Audit: After changes are made, it is important to verify that the system remains consistent with the defined baselines and meets the required standards. Audits are conducted to ensure compliance with configuration management policies and procedures.

Inventory: This refers to maintaining a comprehensive list of all system components, both hardware and software. The inventory is the foundation of configuration management, ensuring that every item is accounted for and properly tracked.
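The following Go example is added here (it is not part of the original notes) to tie the cryptographic hash properties described earlier to the baseline and Verification & Audit steps above: each approved file's SHA-256 digest is recorded as the baseline, and a later audit recomputes the digests and reports modified, missing and unexpected files. File paths and contents are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"sort"
)

// fingerprint returns the hex SHA-256 digest of content. It is deterministic (the same
// bytes always give the same digest), so digests recorded today can be compared later.
func fingerprint(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Baseline maps a configuration file path to its approved digest.
type Baseline map[string]string

// Drift is one audit finding: Reason is "modified" (digest differs from the baseline),
// "missing" (in the baseline but absent) or "unexpected" (present but not approved).
type Drift struct {
	Path, Reason string
}

// Verify compares the current file contents against the baseline and reports every
// deviation. A digest match is strong evidence the content is unchanged; because the
// hash is collision-resistant, a single altered byte produces a completely different digest.
func Verify(baseline Baseline, current map[string][]byte) []Drift {
	var findings []Drift
	for path, approved := range baseline {
		content, ok := current[path]
		if !ok {
			findings = append(findings, Drift{path, "missing"})
			continue
		}
		if fingerprint(content) != approved {
			findings = append(findings, Drift{path, "modified"})
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			findings = append(findings, Drift{path, "unexpected"})
		}
	}
	// map iteration order is random; sort so reports and tests are stable
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings
}
```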


Best Practices: Security Policies

Data Handling Procedures

Data handling refers to the process of collecting, storing, managing, processing, and securing data throughout its lifecycle. It involves various activities, such as data creation, storage, sharing, modification, archiving, and destruction, with an emphasis on ensuring data security, privacy, and compliance with applicable regulations.

  • Classify

  • Categorize

  • Label

  • Store

  • Encrypt

  • Backup

  • Destroy

Password Policies

Best-practice password procedures

Password Creation:

  1. Password Length: All user and admin passwords must be at least a certain minimum length (often 8-12 characters). Longer passphrases are encouraged for better security.

  2. Uniqueness: Passwords must not be the same as, or similar to, those used on other websites, systems, applications, or personal accounts. This prevents one compromised password from being reused to gain access to other accounts.

  3. Avoid Common Words/Phrases: Passwords should not be a single word or a commonly used phrase. For example, simple passwords like "password123" or "admin" are vulnerable to attacks.

  4. Avoid Easily Guessable Information: Avoid passwords based on easily guessed information such as names, birthdates, favorite bands, or catchphrases. These can be easily guessed or found through social engineering.

  5. Dictionary Words: Dictionary words or common phrases should be avoided, as they are vulnerable to dictionary attacks.

  6. Default Installation Passwords: Any default passwords that come with system installations must be changed immediately after installation. Failing to change these defaults poses a major security risk.
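An added Go example (not from the original notes) that turns the creation rules above into a checkable policy: minimum length, a denylist of commonly used passwords, the single-dictionary-word rule, unchanged vendor defaults, and known personal facts. The word lists and the personal facts a caller supplies are assumptions; a real deployment would load a full dictionary and a breach-derived list of common passwords.

```go
package main

import (
	"strings"
	"unicode"
)

// Policy encodes the page's password-creation rules as checkable data (map lookups).
type Policy struct {
	MinLength  int
	Common     map[string]bool // commonly used passwords/phrases, lower-case
	Dictionary map[string]bool // plain words; a password that is just one of these fails
	Defaults   map[string]bool // vendor default installation passwords, case-sensitive
}

// lettersOnly keeps only letters, lower-cased: "Password123!" -> "password".
func lettersOnly(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsLetter(r) {
			return unicode.ToLower(r)
		}
		return -1 // drop digits and symbols
	}, s)
}

// Check returns every rule the candidate violates (empty means it passes). personal
// lists user facts (name, birth year, favourite band) that are easy to guess. Only a
// password reducing to ONE dictionary word fails that rule, so passphrases pass it.
func (p Policy) Check(candidate string, personal []string) []string {
	var v []string
	lower := strings.ToLower(candidate)
	if len(candidate) < p.MinLength {
		v = append(v, "shorter than minimum length")
	}
	if p.Common[lower] {
		v = append(v, "commonly used password or phrase")
	}
	if p.Dictionary[lettersOnly(candidate)] {
		v = append(v, "single dictionary word")
	}
	if p.Defaults[candidate] {
		v = append(v, "unchanged default installation password")
	}
	for _, fact := range personal {
		if fact != "" && strings.Contains(lower, strings.ToLower(fact)) {
			v = append(v, "contains easily guessable personal information: "+fact)
		}
	}
	return v
}
```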


Password Aging:

  1. User Passwords: User passwords must be changed on a schedule defined by the organization (e.g., every 60-90 days). This ensures that even if a password is compromised, it will only be valid for a limited time. Previously used passwords may not be reused to prevent the use of old, potentially compromised passwords.

  2. System-Level Passwords: System-level (administrator or root) passwords must also be changed on a defined schedule to prevent prolonged access in case of compromise. These passwords should have stronger policies than regular user passwords due to their elevated privileges.


Password Protection:

  1. No Sharing: Passwords must not be shared with anyone, even IT staff or supervisors, to maintain strict access control. Each user must be responsible for their own password and security.

  2. No Electronic Transmission: Passwords must never be sent via email, text message, or other insecure methods. When a password must be transmitted, use a secure, encrypted channel.

  3. No Writing Down: Passwords should not be written down on paper or stored in insecure locations. If password management tools are needed, organizations should use secure password managers to store and manage credentials.

BYOD (Bring Your Own Devices)

BYOD refers to a policy or practice that allows employees to bring and use their personal devices, such as smartphones, laptops, tablets, or desktops, on their employer's network to access company resources, applications, or data.

BYOD policies are intended to provide flexibility, increase productivity, and reduce costs, as employees use devices they are already familiar with. However, BYOD also introduces security risks, such as data breaches or unauthorized access, which need to be managed through controls like encryption, mobile device management (MDM), and access control measures.

Possible devices covered by a bring your own device (BYOD) policy:

  • Cell phone

  • Tablet

  • Laptop

  • Smartwatch

  • Bluetooth devices

Privacy Policies & Standards

Privacy policies are formal statements that outline how an organization collects, uses, stores, and protects personal data. They are intended to inform individuals about their privacy rights and ensure the organization complies with relevant legal and regulatory requirements. Privacy standards are frameworks and guidelines designed to help organizations manage and protect personal data effectively. These standards provide specific rules for protecting the privacy of individuals and ensuring that organizations handle data responsibly and securely.

Data Security Standards

  1. HIPAA (Health Insurance Portability and Accountability Act):

    • A U.S. regulation that sets standards for the protection of sensitive patient data in the healthcare industry.

    • Focus: Protects the privacy and security of health information, requiring healthcare providers, insurers, and other entities to follow strict data handling practices.

  2. PCI DSS (Payment Card Industry Data Security Standard):

    • A set of security standards designed to ensure that companies that handle credit card information maintain secure systems and processes.

    • Focus: Protects cardholder data by setting requirements for securing network infrastructure, encrypting payment information, and managing access control.

  3. ISO (International Organization for Standardization):

    • ISO provides various standards, such as ISO/IEC 27001, which outlines requirements for an Information Security Management System (ISMS).

    • Focus: Ensures that organizations adopt best practices in information security to protect data, including personal and sensitive information.

  4. GDPR (General Data Protection Regulation):

    • A regulation by the European Union that governs how organizations collect, process, store, and protect the personal data of EU citizens.

    • Focus: Strengthens data protection rights, mandates transparency, and requires organizations to ensure that personal data is processed securely and with consent.

These standards and regulations help organizations comply with legal requirements, build trust with consumers, and mitigate the risks associated with data breaches and unauthorized access.

Change Management Policy

Change management is a structured approach to managing changes within an organization. It ensures that changes are made in a controlled and systematic manner to minimize disruptions, reduce risks, and ensure the desired outcome. The change management policy typically consists of three major activities:

  1. Deciding to Change:

    • This involves identifying the need for change, evaluating the potential impact, and obtaining the necessary approvals to proceed. It includes assessing risks, defining objectives, and determining whether the change aligns with organizational goals.

  2. Making the Change:

    • This step involves implementing the change according to a planned and approved process. It may include developing the change, testing it, and deploying it in a controlled manner to minimize disruptions to the business operations.

  3. Confirming that the Change Has Been Correctly Accomplished:

    • After the change is implemented, this phase involves verifying that the change has been successfully completed and that it meets the defined objectives. It includes testing, monitoring, and auditing to ensure the desired results are achieved and that the change has not caused any unintended issues.

By following this structured approach, organizations can ensure that changes are managed efficiently, risks are minimized, and the integrity of systems or processes is maintained.

Acceptable Use Policy

An Acceptable Use Policy (AUP) in cybersecurity is a set of rules and guidelines that define how an organization's IT resources, such as networks, systems, and data, should be used by employees, contractors, or other users. It ensures security, compliance, and responsible usage while mitigating risks such as cyber threats, data breaches, and unauthorized access.

Key Elements of an Acceptable Use Policy (AUP):

  1. Authorized Use: Specifies who is allowed to access the organization's IT resources and for what purposes.

  2. Prohibited Activities: Lists actions that are not permitted, such as accessing unauthorized data, downloading malicious software, or using the network for illegal activities.

  3. Data Protection: Outlines how users should handle sensitive or confidential data, including encryption, sharing restrictions, and reporting breaches.

  4. Device and Network Security: Defines acceptable usage of company-owned and personal devices, password policies, and VPN or remote access rules.

  5. Email & Internet Usage: Specifies guidelines for using corporate email, web browsing restrictions, and social media policies.

  6. Monitoring & Privacy: States that the organization may monitor user activities on its network for security and compliance purposes.

  7. Consequences of Violations: Details disciplinary actions for policy breaches, such as warnings, account suspension, or termination.

A well-defined AUP helps protect an organization's IT infrastructure, ensures regulatory compliance (e.g., ISO 27001, GDPR, HIPAA), and minimizes cybersecurity risks.

