Section 2:
Cybersecurity Concepts
Topics covered in this section include:
1. Risk
2. Common attack types and vectors 3. Policies
4. Cybersecurity controls
Cybersecurity Fundamentals Study Guide, 2nd Edition 23
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
Page intentionally left blank
24 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
TOPIC 1—RISK
The core duty of cybersecurity is to identify, mitigate and manage cyberrisk to an organization’s digital assets. Cyberrisk is that portion of overall risk management that solely focuses on risk that manifests in the cyber (Interconnected Information Environments) domain. While most people have an inherent understanding of risk in their day-to-day lives, it is important to understand risk in the context of cybersecurity, which means knowing how to determine, measure and reduce risk effectively.
Assessing risk is one of the most critical functions of a cybersecurity organization. Effective policies, security implementations, resource allocation and incident response preparedness are all dependent on understanding the risk and threats an organization faces. Using a risk-based approach to cybersecurity allows more informed decision-making to protect the organization and to apply limited budgets and resources effectively. If controls are not implemented based on awareness of actual risk, then valuable organizational assets will not be adequately protected while other assets will be wastefully overprotected.5
Too often, cybersecurity controls are implemented with little or no assessment of risk. ISACA’s worldwide survey of IT management, auditors and security managers showed that over 80 percent of companies believe “information security risks are either not known or are only partially assessed” and that “IT risk illiteracy and lack of awareness” are major challenges in managing risk.6 Therefore, understanding risk and risk assessments are critical requirements for any security practitioner.
KEY TERMS AND DEFINITIONS
A visual summary of the key terms is presented in International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27032 (figure 2.1).
5 Anderson, Kent, “A Business Model for Information Security,” ISACA® Journal, Vol. 3, 2008 6 ISACA, “Top Business/Security Issues Survey Results,” USA, 2011
Section 2: Cybersecurity Concepts
Figure 2.1—Security Concepts and Relationships
Stakeholders
value
wish to minimize
impose
controls
to reduce
may be aware of
Threat agents
vulnerabilities leading to
risk
that may be reduced by
that may possess
that exploit
give
rise to that increase
to
assets
threats to
wish to abuse and/or may damage
Source: International Organization for Standardization, ISO/IEC 27032:2012: Information technology—Security techniques—Guidelines for cybersecurity, Switzerland, 2012
©ISO. This material is reproduced from ISO/IEC 27032:2012 with permission of the American National Standards Institute (ANSI) on behalf of ISO. All rights reserved
Cybersecurity Fundamentals Study Guide, 2nd Edition 25
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
There are many potential definitions of risk—some general and others more technical. Additionally, it is important to distinguish between a risk and a threat. Although many people use the words threat and risk synonymously, they have two very different meanings. As with any key concept, there is some variation in definition from one organization to another. For the purposes of this guide, we will define terms as follows:
• Risk—The combination of the probability of an event and its consequence (ISO/IEC 73). Risk is mitigated through the use of controls or safeguards.
• Threat—Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that
can result in harm. ISO/IEC 13335 defines a threat broadly as a potential cause of an unwanted incident. Some organizations make a further distinction between a threat source and a threat event, classifying a threat source as the actual process or agent attempting to cause harm, and a threat event as the result or outcome of a threat agent’s malicious activity.
• Asset—Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation
• Vulnerability—A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events. Although much of cybersecurity is focused on the design, implementation and management of controls to mitigate risk, it is critical for security practitioners to understand that risk can never be eliminated. Beyond the general definition of risk provided above, there are other, more specific types of risk that apply to cybersecurity.
• Inherent risk—The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls)
• Residual risk—Even after safeguards are in place, there will always be residual risk, defined as the remaining risk after management has implemented a risk response.
Figure 2.2 illustrates one example of how many of these key terms come into play when framing an approach to risk management.
Figure 2.2—Framing Risk Management
Threat Source
with
Characteristics
(e.g., capability, intent and targeting for adversarial threats)
with
Sequence
of actions, activities or scenarios
Degree
with Risk
as a combination of Impact and Likelihood
producing
ORGANIZATIONAL RISK
initiates with
Likelihood
of Initiation
exploits with
Likelihood
of success
with
Severity
In the context of
with
Pervasiveness Security Controls
Planned/Implemented
with
causing with
Threat Event
Vulnerability
Adverse Impact
Predisposing Conditions
Inputs from Risk Framing Step (Risk Management Strategy or Approach)
To organizational operations (mission, functions, image, reputation), organizational assets, individuals, other organizations, and
the nation.
Source: National Institute of Standards and Technology, “Generic Risk Model with Key Risk Factors,” NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments, USA, Sept 2012
Risk Identification and Classification Standards and Frameworks7
Several good sources for risk identification and classification standards and frameworks are available to the cybersecurity professional. The following list is not comprehensive, and many more standards are available. However, this list may allow the cybersecurity professional to consider a framework or standard that would be suitable for use in his/her organization. Many countries and industries have specific standards that must be used by organizations operating in their jurisdiction. The use of a recognized standard may provide credibility and
7 ISACA, CRISC Review Manual 6th Edition, USA, 2015
26 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
completeness for the risk assessment and management program of the organization and help ensure that the risk management program is comprehensive and thorough.
ISO 31000:2009 Risk Management—Principles and Guidelines
ISO 31000:2009 states:
This international standard recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization’s overall governance, strategy and planning, management, reporting polices, values and culture.
Although the practice of risk management has been developed over time and within many sectors in order
to meet diverse needs, the adoption of consistent processes within a comprehensive framework can help
to ensure that risk is managed effectively, efficiently and coherently across an organization. The generic approach described in this standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.8
COBIT® 5 for Risk
COBIT 5 for Risk is described as follows:
COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for
the governance and management of enterprise information technology (IT). Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.
COBIT 5 for Risk … builds on the COBIT 5 framework by focusing on risk and providing more detailed and practical guidance for risk professionals and other interested parties at all levels of the enterprise.9
IEC 31010:2009 Risk Management—Risk Assessment Techniques
IEC 31010:2009 states:
Organizations of all types and sizes face a range of risks that may affect the achievement of their objectives.
These objectives may relate to a range of the organization’s activities, from strategic initiatives to its operations, processes and projects, and be reflected in terms of societal environmental, technological, safety and security outcomes, commercial, financial and economic measures, as well as social, cultural, political and reputation impacts.
All activities of an organization involve risks that should be managed. The risk management process aids decision making by taking account of uncertainty and the possibility of future events or circumstances (intended or unintended) and their effects on agreed objectives.10
ISO/IEC 27001:2013 Information Technology—Security Techniques—Information Security Management
Systems—Requirements ISO 27001:2013 states:
The organization shall define and apply an information security risk assessment process that: c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of
confidentiality, integrity and availability for information within the scope of the information security
management system; and 2) identify risk owners.11
8 ISO; ISO 31000:2009 Risk Management—Principles and Guidelines, Switzerland, 2009
9 ISACA, COBIT 5 for Risk, USA, 2013
10 ISO; IEC 31010:2009 Risk Management—Risk Assessment Techniques, Switzerland, 2009
11 ISO; ISO/IEC 27001:2013 Information Technology—Security Techniques—Information Security Management Systems—Requirements,
Section 2: Cybersecurity Concepts
Switzerland, 2013
Cybersecurity Fundamentals Study Guide, 2nd Edition 27
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
ISO/IEC 27005:2011 Information Technology—Security Techniques—Information Security Risk Management
ISO/IEC 27005 states:
This international standard provides guidelines for information security risk management in an organization, supporting in particular the requirements of an information security management system (ISMS) according to ISO/IEC 27001. However, this standard does not provide any specific methodology for information security risk management. It is up to the organization to define their approach to risk management, depending for example on the scope of the ISMS, context of risk management, or industry sector. A number of existing methodologies can be used under the framework described in this International standard to implement the requirements of an ISMS.12
NIST Special Publications
NIST has a wide range of special publications available at csrc.nist.gov. Some of the publications related to IT risk are discussed in the following sections.
NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments
NIST Special Publication 800-30 Revision 1 describes risk assessment in the following manner:
Risk assessments are a key part of effective risk management and facilitate decision making at all three tiers in the risk management hierarchy including the organization level, mission/business process level, and information system level.
Because risk management is ongoing, risk assessments are conducted throughout the system development life cycle, from pre-system acquisition (i.e., material solution analysis and technology development), through system acquisition (i.e., engineering/manufacturing development and production/deployment), and on into sustainment (i.e., operations/support).13
NIST Special Publication 800-39: Managing Information Security Risk
NIST Special Publication 800-39 states:
The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.14
Risk Identification (Risk Scenarios)15
A risk scenario is a description of a possible event whose occurrence will have an uncertain impact on the achievement of the enterprise’s objectives, which may be positive or negative. The development of risk scenarios provides a way of conceptualizing risk that can aid in the process of risk identification. Scenarios are also used to document risk in relation to business objectives or operations impacted by events, making them useful as the basis for quantitative risk assessment. Each identified risk should be included in one or more scenarios, and each scenario should be based on an identified risk.
The development of risk scenarios is based on describing a potential risk event and documenting the factors and areas that may be affected by the risk event. Each scenario should be related to a business objective or impact. Risk events may include system failure, loss of key personnel, theft, network outages, power failures, or any other situation that could affect business operations and mission. The key to developing effective scenarios is to focus on real and relevant potential risk events.
12 ISO/IEC; ISO/IEC 27005:2011 Information Technology—Security Techniques—Information Security Risk Management, Switzerland, 2011. 13 NIST; NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments, USA, 2012
14 NIST; NIST Special Publication 800-39: Managing Information Security Risk, USA, 2011
15 ISACA, COBIT 5 for Risk, USA, 2013
28 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
The development of risk scenarios purely from imagination is an art that often requires creativity, thought, consultation and questioning. Incidents that have occurred previously may be used as the basis of risk scenarios with far less effort put into their development. Risk scenarios based on past events should be fully explored to ensure
that similar situations do not recur in ways that might have been avoided. Risk scenarios can be developed from a top-down perspective driven by business goals or from a bottom-up perspective originating from several inputs, as shown in figure 2.3.
Section 2: Cybersecurity Concepts
Figure 2.3—Risk Scenario Structure
Threat Type
• Malicious • Accidental • Error
• Failure
• Nature
• External requirement
Actor
• Internal (staff, contractor)
• External (competitor, outsider,
business partner, regulator, market)
Event
• Disclosure
• Interruption
• Modification
• Theft
• Destruction
• Ineffective design
• Ineffective execution • Rules and regulations • Inappropriate use
Risk Scenario
Asset/Resource
• People and skills
• Organisational structures • Process
• Infrastructure (facilities) • IT infrastructure
• Information
• Applications
Time
• Duration
• Timing occurrence (critical or non-critical) • Detection
• Time lag
Source: ISACA, COBIT 5 for Risk, USA, 2013, figure 36
Top-down Approach
A top-down approach to scenario development is based on understanding business goals and how a risk event could affect the achievement of those goals. Under this model, the risk practitioner looks for the outcome of events that may hamper business goals identified by senior management. Various scenarios are developed that allow the organization to examine the relationship between the risk event and the business goals, so that the impact of the risk event can be measured. By directly relating a risk scenario to the business, senior managers can be educated and involved in how to understand and measure risk.
The top-down approach is suited to general risk management of the company, because it looks at both IT- and non- IT-related events. A benefit of this approach is that because it is more general, it is easier to achieve management buy-in even if management usually is not interested in IT. The top-down approach also deals with the goals that senior managers have already identified as important to them.
Bottom-up Approach
The bottom-up approach to developing risk scenarios is based on describing risk events that are specific to cybersecurity-related situations, typically hypothetical situations envisioned by the people performing the job functions in specific processes. The cybersecurity professional and assessment team start with one or more generic risk scenarios then refine them to meet their individual organizational needs, including building complex scenarios to account for coinciding events.
Bottom-up scenario development can be a good way to identify scenarios that are highly dependent on the specific technical workings of a process or system, which may not be apparent to anyone who is not intimately involved
with that work but could have substantial consequences for the organization. One downside of bottom-up scenario development is that it may be more difficult to maintain management interest in highly specialized technical scenarios.
Cybersecurity Fundamentals Study Guide, 2nd Edition 29
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
LIKELIHOOD AND IMPACT16
Likelihood (also called probability) is the measure of frequency of which an event may occur, which depends on
whether there is a potential source for the event (threat) and the extent to which the particular type of event can affect its target (vulnerability), taking into account any controls or countermeasures that the organization has put in place to reduce its vulnerability. In the context of risk identification, likelihood is used to calculate the risk that an organization faces based on the number of events that may occur within a given time period (often an annual basis).
The risk faced by organizations consists of some combination of known and unknown threats, directed against systems that have some combination of known and unknown vulnerabilities. A vulnerability assessment that identifies no vulnerabilities is not equal to the system being invulnerable in the absolute sense. It means only that the types of vulnerabilities that the assessment was intended to detect were not detected. Failure to detect a vulnerability may be the result of its absence, or it may be a false negative arising from misconfiguration of a tool or improper performance of a manual review. In the case of a zero-knowledge penetration test that fails to identify opportunities to exploit a system, it may be that the team was unlucky or lacked imagination, which may not be true of an outside attacker. Even if no known vulnerabilities exist within the system, the system may still remain vulnerable to unknown vulnerabilities, more of which are discovered every day (and some of these are stored or sold for future use as “zero-day” exploits). The likelihood of an attack is often a component of external factors, such as the motivation of the attacker, as shown in figure 2.4.
Figure 2.4—Influencing Risk Factors
Increases Likelihood
Threat Agents
Increases Likelihood
Leading to
Risk
To
Assets
Threats
Use
To Exploit
Vulnerabilities
Source: ISACA, CRISC Review Manual 6th Edition, USA, 2015
Given the combination of unknown threat and unknown vulnerability, it is difficult for the cybersecurity professional to provide a comprehensive estimate of the likelihood of a successful attack. Vulnerability assessments and penetration tests provide the cybersecurity practitioner with valuable information on which to partially estimate this likelihood, because:
• Although the presence of a vulnerability does not guarantee a corresponding threat, the all-hours nature of information systems and the rapid speed of processing makes it much more likely that an information system will come under an assortment of attacks in a short time than would be true of a physical system.
• A vulnerability known to an assessment tool is also knowable to threat agents, all but the most elite of whom tend to build their attacks to target common vulnerabilities.
• The presence of one or more known vulnerabilities—unless these have been previously identified and the risk is accepted by the organization for good reason—suggests a weakness in the overall security program.
16 ISACA, CRISC Review Manual 6th Edition, USA, 2015
30 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
Motivation
Presence of
Skill
Section 2: Cybersecurity Concepts
When assessing a threat, cybersecurity professionals often analyze the threat’s likelihood and impact in order to rank and prioritize it among other existing threats.
In some cases where clear, statistically sound data are available, likelihood can be a matter of mathematical probability. This is true with situations such as weather events or natural disasters. However, sometimes
accurate data are simply not available, as is often the case when analyzing human threat agents in cybersecurity environments. Some factors create situations where the likelihood of certain threats is more or less prevalent for a given organization. For example, a connection to the Internet will predispose a system to port scanning. Typically, qualitative rankings such as “High, Medium, Low” or “Certain, Very Likely, Unlikely, Impossible” can be used to rank and prioritize threats stemming from human activity. When using qualitative rankings, however, the most important step is to rigorously define the meaning of each category and use definitions consistently throughout the assessment process.
For each identified threat, the impact or magnitude of harm expected to result should also be determined. The impact of a threat can take many forms, but it often has an operational consequence of some sort, whether financial, reputational or legal. Impacts can be described either qualitatively or quantitatively, but as with likelihoods, qualitative rankings are most often used in cybersecurity risk assessment. Likewise, each ranking should be well- defined and consistently used. In cybersecurity, impacts are also evaluated in terms of confidentiality, integrity and availability.
The cybersecurity professional should ensure that senior management does not develop a false sense of cybersecurity as a result of vulnerability assessments and penetration tests that fail to find vulnerabilities, but both forms of testing do provide insight into the organization and its security posture.
APPROACHES TO RISK
A number of methodologies are available to measure risk. Different industries and professions have adopted various tactics based upon the following criteria:
• Risk tolerance
• Size and scope of the environment in question
• Amount of data available
It is particularly important to understand an organization’s risk tolerance when considering how to measure risk. For example, a general approach to measuring risk is typically sufficient for risk-tolerant organizations such as academic institutions or small businesses. However, more rigorous and in-depth risk assessment is required for entities with
a low tolerance for risk. This is especially relevant for any heavily regulated entity, like a financial institution or an airline reservation system, where any down time would have a significant operational impact
APPROACHES TO CYBERSECURITY RISK
There are three different approaches to implementing cybersecurity. Each approach is described briefly below: • Ad hoc—An ad hoc approach simply implements security with no particular rationale or criteria. Ad hoc
implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise,
knowledge or training when designing and implementing safeguards.
• Compliance-based—Also known as standards-based security, this approach relies on regulations or standards to
determine security implementations. Controls are implemented regardless of their applicability or necessity, which
often leads to a “checklist” attitude toward security.
• Risk-based—Risk-based security relies on identifying the unique risk a particular organization faces and designing
and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs. The risk-based approach is usually scenario-based.
In reality, most organizations with mature security programs use a combination of risk-based and compliance-based approaches. In fact, most standards or regulations such as ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes–Oxley Act (SOX) or the US Health Insurance Portability and Accountability Act (HIPAA) require risk assessments to drive the particular implementation of the required controls.
Cybersecurity Fundamentals Study Guide, 2nd Edition 31
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
THIRD-PARTY RISK
Cybersecurity can be more difficult to control when third parties are involved, especially when different entities have different security cultures and risk tolerances. No organization exists in a vacuum, and information must be shared with other individuals or organizations, often referred to as third parties. It is important to understand
third-party risk, such as information sharing and network access, as it relates to cybersecurity.
Outsourcing is common, both onshore and offshore, as companies focus on core competencies and ways to cut costs. From an information security point of view, these arrangements can present risk that may be difficult to quantify
and potentially difficult to mitigate. Typically, both the resources and skills of the outsourced functions are lost to the organization, which itself will present risk. Providers may operate on different standards and can be difficult to control. The security strategy should consider outsourced security services carefully to ensure that they either are not a critical single point of failure or that there is a viable backup plan in the event of service provider failure.17
Risk posed by outsourcing can also materialize as the result of mergers and acquisitions. Typically, significant differences in culture, systems, technology and operations between the parties present a host of security challenges that must be identified and addressed. Often, in these situations, security is an afterthought and the security manager must strive to gain a presence in these activities and assess the risk for management consideration.18
17 ISACA, CISM Review Manual 15th Edition, USA, 2016 18 Ibid.
32 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
TOPIC 2—COMMON ATTACK TYPES AND VECTORS
Attack vectors and methodologies continue to evolve, which represents a significant threat on the client side. Although some attacks are made at random with no particular target in mind, targeted attacks are made against recipients who have been researched and identified as useful by attackers. Phishing attacks are often directed toward recipients who have access to data or systems to which the attacker wishes to gain access. In other cases, malware is deployed in widespread attacks with the hope that it will hit as many vulnerable systems as possible, though these situations are not likened to cyberattacks. A number of distinct threat agents and attack patterns have emerged in the current threat landscape. It is essential for cybersecurity professionals to be able to identify these threats in order to manage them appropriately.
THREAT AGENTS
The European Union Agency for Network and Information Security (ENISA) has identified threat agents that currently exist in the threat landscape, shown in figure 2.5.
Section 2: Cybersecurity Concepts
Figure —2.5 Cybersecurity Threat Agents
Cyber Agent
Young, Unskilled
Soft Skilled
Internal, Low-Medium Skilled
Script Kiddies
Online Social Hacker
Insider (employee)
Low Tech/ Low-Medium Expertise
Friendly
(unintentional)
Hostile
(intentional)
(Threat Agent)
Low Capability
Researcher
Ethical Hacker
Security Agent
Law Enforcement Agent
Cyber-Soldier
Employee
End-user/ Customer
Research Community
Market
National Security
Law Enforcement
Military
Commercial Commercial
Current
Former
Internal
External (Contractor, Provider)
High Capability
High Tech/ High Expertise
Infrastructure Delivery
Infrastructure Use
Provider/ Developer/ Operator
Tools User/ Deployer
National Mission
State
Paid
Nonchalant Espionage
Corp.
Mission Corporation
Group/Category Individual Agent Group
Socially Motivated Citizens
Ideologically Motivated
Profit Oriented
Nationally Motivated Citizens
Hacktivist
Cyber Terrorist
Cyber Criminal
Cyber Fighter
Sector, Capability, Motive
Examples of Concurrent Roles
Legend
Source: Marinos, Louis, A. Belmonte, E. Rekleitis, “ENISA Threat Landscape 2015,” ENISA, January 2016, Greece
Common threat agents include the following:
• Corporations—Corporations have been known to breach security boundaries and perform malicious acts to gain a
competitive advantage.
• Cybercriminals—Motivated by the desire for profit, these individuals are involved in fraudulent financial transactions. • Cyberterrorists—Characterized by their willingness to use violence to achieve their goals, cyberterrorists
frequently target critical infrastructures and government groups.
• Cyberwarriors—Often likened to hacktivists, cyberwarriors, also referred to as cyberfighters, are nationally
motivated citizens who may act on behalf of a political party or against another political party that threatens them.
Cybersecurity Fundamentals Study Guide, 2nd Edition 33
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
• Employees—Although they typically have fairly low-tech methods and tools, dissatisfied current or former employees represent a clear cybersecurity risk. All of these attacks are adversarial, but some are not related to APT cyberattacks.
• Hacktivists—Although they often act independently, politically motivated hackers may target specific individuals or organizations to achieve various ideological ends.
• Nation states—Nation states often target government and private entities with a high level of sophistication to obtain intelligence or carry out other destructive activities.
• Online social hackers—Skilled in social engineering, these attackers are frequently involved in cyberbullying, identity theft and collection of other confidential information or credentials.
• Script kiddies—Script kiddies are individuals who are learning to hack; they may work alone or with others and are primarily involved in code injections and distributed denial-of-service (DDoS) attacks.
ATTACK ATTRIBUTES
While risk is measured by potential activity, an attack is the actual occurrence of a threat. More specifically, an attack is an activity by a threat agent (or adversary) against an asset. From an attacker’s point of view, the asset is
a target, and the path or route used to gain access to the target (asset) is known as an attack vector. There are two types of attack vectors: ingress and egress (also known as data exfiltration). While most attack analysis concentrates on ingress, or intrusion, hacking into systems, some attacks are designed to remove data (e.g., employees that steal data) from systems and networks. Therefore, it is important to consider both types of attack vectors.
The attacker must defeat any controls in place and/or use an exploit to take advantage of a vulnerability. Another attribute of an attack is the attack mechanism, or the method used to deliver the exploit. Unless the attacker is personally performing the attack, the attack mechanism may involve an exploit that delivers the payload to the target. An example can be a crafted malicious pdf, crafted by the attacker and delivered by email. The attributes of an attack are shown in figure 2.6.
Detailed analysis of cyberattacks requires significant technical and subject matter expertise and is an important part of cybersecurity. Each of the attack attributes (attack vector, exploit, payload, vulnerability, target) provides unique points where controls to prevent or detect the attack can be placed. It is also essential to understand each of these attributes when analyzing and investigating an actual attack. For example, the exploit used to deliver the payload often leaves artifacts or evidence that can be used by technical analysts and investigators to understand the attack and potentially identify the perpetrators. Analysis of the data exfiltration path may identify additional opportunities to prevent or detect the removal of data or obtain evidence, even if the attack was able to gain access to the target.
Attacks can be analyzed and categorized based on their type and patterns of use. From these characteristics, it is possible to make generalizations that facilitate better design and controls. There are two broad categories for threat events: adversarial and nonadversarial. An adversarial threat event is made by a human threat agent (or adversary), while a nonadversarial threat event is usually the result of an error, malfunction or mishap of some sort.19
Figure 2.6—Attack Attributes
Attack Exploit Payload Vulnerability Target Vector (Asset)
19 MITRE, Common Attack Pattern Enumeration and Classification (CAPEC), February 2014, http://capec.mitre.org
34 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
GENERALIZED ATTACK PROCESS
While each attack is different, most adversarial threat events follow a common process, as shown in figure 2.7 and described below.
1. Perform reconnaissance: The adversary gathers information using a variety of techniques, passive or active, which may include:
a. Passive:
i. Sniffing network traffic
ii. Using open source discovery of organizational information (news groups; company postings on IT design
and IT architecture) iii. Google hacking
b. Active:
i. Scanning the network perimeter
ii. Socialengineering(fakephonecalls,low-levelphishing)
2. Create attack tools: The adversary crafts the tools needed to carry out a future attack, which include:
a. Phishing or spear phishing attacks
b. Crafting counterfeit websites or certificates
c. Creating and operating false organizations and placing them in to the supply chain to inject malicious
components
3. Deliver malicious capabilities: The adversary inserts or installs whatever is needed to carry out the attack, which
includes the following:
a. Introducing malware into organizational information systems
b. Placing subverted individuals into privileged positions within the organization
c. Installing sniffers or scanning devices on targeted networks and systems
d. Inserting tampered hardware or critical components into organizational systems or supply chains
4. Exploit and compromise: The adversary takes advantage of information and systems in order to compromise them, which include:
a. Split tunneling or gaining physical access to organizational facilities
b. Exfiltrating data or sensitive information
c. Exploiting multitenancy (i.e., multiple customers on shared resources) in a public cloud environment (e.g., attacking open public access points; application program interfaces [APIs])
d. Launching zero-day exploits
5. Conduct an attack: The adversary coordinates attack tools or performs activities that interfere with
organizational functions. Potential methods of attack include:
a. Communication interception or wireless jamming attacks
b. Denial-of-service (DoS) or distributed DDoS attacks
c. Remote interference with or physical attacks on organizational facilities or infrastructures
d. Session-hijacking or man-in-the-middle attacks
6. Achieve results: The adversary causes an adverse impact, which may include:
a. Obtaining unauthorized access to systems and/or sensitive information
b. Degrading organizational services or capabilities
c. Creating, corrupting or deleting critical data
d. Modifying the control flow of information system (e.g., industrial control system, supervisory control and data acquisition (SCADA) systems)
7. Maintain a presence or set of capabilities: The adversary continues to exploit and compromise the system using the following techniques:
a. Obfuscating adversary actions or interfering with intrusion detection systems (IDSs)
b. Adapting cyberattacks in response to organizational security measures
Section 2: Cybersecurity Concepts
Figure 2.7—Threat Process
Perform Create attack Deliver malicious Exploit and Conduct an Maintain a presence Coordinate a
reconnaissance tools capabilities compromise attack Achieve results or set of campaign capabilities
Cybersecurity Fundamentals Study Guide, 2nd Edition 35
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
8. Coordinate a campaign: The adversary coordinates a campaign against the organization that may involve the following measures:
a. Multi-staged attacks
b. Internal and external attacks
c. Widespread and adaptive attacks
NONADVERSARIAL THREAT EVENTS
Although most attacks are the result of a coordinated effort, there are other events that can pose various types of risk to an organization and can aid an adversary in a possible cyber-attack. Some of the most common nonadversarial threat events are:
• Mishandling of critical or sensitive information by authorized users
• Incorrect privilege settings
• Fire, flood, hurricane, windstorm or earthquake at primary or backup facilities • Introduction of vulnerabilities into software products
• Pervasive disk errors or other problems caused by aging equipment
MALWARE, RANSOMWARE AND ATTACK TYPES20
Malware, also called malicious code, is software designed to gain access to targeted computer systems, steal
information or disrupt computer operations. There are several types of malware, the most important being computer viruses, network worms and Trojan horses, which are differentiated by the way in which they operate or spread.
For example, the computer worm known as Stuxnet highlights malware’s potential to disrupt SCADA systems and programmable logic controllers (PLCs), typically used to automate mechanical processes in factory settings or power plants. Discovered in 2010, Stuxnet was used to compromise Iranian nuclear systems and software. It has three components:
1. A worm that carries out routines related to the payload
2. A link file that propagates copies of the worm
3. A rootkit that hides malicious processes to prevent detection
Other common types of malware include:
• Viruses—A computer virus is a piece of code that can replicate itself and spread from one computer to another. It
requires intervention or execution to replicate and/or cause damage.
• Network worm—A variant of the computer virus, which is essentially a piece of self-replicating code designed to
spread itself across computer networks. It does not require intervention or execution to replicate.
• Trojan horses—A piece of malware that gains access to a targeted system by hiding within a genuine application.
Trojan horses are often broken down into categories reflecting their purposes.
– A common mobile Trojan is Hummer, a type of Android malware. In the first six months of 2016, nearly 1.4 million
devices daily were infected by Hummer. The malware uses one of 18 rooting methods to gain root privileges to the
device. It then pushes ads and installs games and pornographic applications on to the mobile device.21
• Botnets—Derived from “robot network,” a large, automated and distributed network of previously compromised
computers that can be simultaneously controlled to launch large-scale attacks such as DoS.
A number of further terms are also used to describe more specific types of malware, characterized by their purposes. They include:
• Spyware—A class of malware that gathers information about a person or organization without the knowledge of
that person or organization.
• Adware—Designed to present advertisements (generally unwanted) to users.
20 ISACA, Advanced Persistent Threats: How to Manage the Risk to Your Business, USA, 2013
21 Bisson, David; “Hummer Malware the No. 1 Mobile Trojan in the World,” Tripwire, 1 July 2016, www.tripwire.com/state-of-security/latest-
security-news/hummer-malware-the-1-mobile-trojan-in-the-world
36 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
• Ransomware—Also called “hostage code,” a class of extortive malware that locks or encrypts data or functions and demands a payment to unlock them. Several types are available for every operating system. Recent examples of ransomware attacks include:
– GhostCrypt—Using AES encryption, GhostCrypt scrambles the data on the infected device in order to obtain Bitcoins from the victim. Whenever the ransomware encrypts any piece of information, it attaches the .Z81928819 appendix. GhostCrypt also generates a READ_THIS_FILE.txt as a reminder of the ransom to be paid.22
– SNSLocker—Using AES encryption and adding a .RSNSlocked string at the end of affected data items, this ransomware encrypts data and demands a ransom of $300 (payable in Bitcoin) for the decryption solution.23
• Keylogger—A class of malware that secretly records user keystrokes and, in some cases, screen content.
• Rootkit—A class of malware that hides the existence of other malware by modifying the underlying operating system.
OTHER ATTACK TYPES
In addition to malware and ransomware, there are many other types of attacks. Some of the most common attack patterns are as follows:
• Advanced persistent threats (APTs)—Complex and coordinated attacks directed at a specific entity or
organization. They require a substantial amount of research and time, often taking months or even years to fully execute. APT is a term, indicating the class of complexity; however, it cannot be tested if a particular attack was APT or not. After an attack is discovered and the level of complexity is determined and the amount of time and resources spent on the attack is investigated, the attack can be classified as an attack by an APT.
• Backdoor—A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions.
• Brute force attack—An attack made by trying all possible combinations of passwords or encryption keys until the correct one is found.
• Buffer overflow—Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information—which has to go somewhere—can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes type of security attack on data integrity.
• Cross-site scripting (XSS)—A type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally
in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
• DoS attack—An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate.
• Man-in-the-middle attack—An attack strategy in which the attacker intercepts the communication stream between two parts of the victim system and then replaces the traffic between the two components with the intruder’s own, eventually assuming control of the communication.
• Social engineering—Any attempt to exploit social vulnerabilities to gain access to information and/or systems. It involves a “con game” that tricks others into divulging information or opening malicious software or programs.
• Phishing—A type of email attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering.
• Spear phishing—An attack where social engineering techniques are used to masquerade as a trusted party to obtain important information such as passwords from the victim.
• Spoofing—Faking the sending address of a transmission in order to gain illegal entry into a secure system.
22 Tripwire, “May 2016: The Month in Ransomware,” Tripwire, 6 June 2016, www.tripwire.com/state-of-security/security-data-protection/may- 2016-the-month-in-ransomware
23 Ibid. 24 OWASP, SQL Injection, www.owasp.org/index.php/SQL_Injection
Section 2: Cybersecurity Concepts
Cybersecurity Fundamentals Study Guide, 2nd Edition 37
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
• Structure Query Language (SQL) injection—According to OWASP,24 “A SQL injection attack consists of insertion or ‘injection’ of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.”
• Zero-day exploit—A vulnerability that is exploited before the software creator/vendor is even aware of its existence.
38 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
TOPIC 3—POLICIES PURPOSE OF POLICIES
Information security policies are a primary element of cybersecurity and overall security governance. They specify requirements and define the roles and responsibilities of everyone in the organization, along with expected behaviors in various situations. Therefore, they must be properly created, accepted and validated by the board and senior management before being communicated throughout the organization. During this process, there may be occasions where other documents must be created to address unique situations separate from the bulk of the organization. This may be necessary when part of the organization has a specific regulatory requirement to protect certain types of information.
POLICY LIFE CYCLE
In addition to a policy framework, another important aspect of information security policies is their life cycle of development, maintenance, approval and exception.
Every compliance document should have a formal process of being created, reviewed, updated and approved at least once a year. Additionally, there may be legitimate need for an exception to a policy; therefore, a clear process of how an exception is approved by senior management and monitored during the life cycle is necessary.
GUIDELINES
There are several attributes of good policies that should be considered:
• Security policies should be an articulation of a well-defined information security strategy that captures the intent,
expectations and direction of management.
• Policies must be clear and easily understood by all affected parties. • Policies should be short and concise, written in plain language.
Most organizations should create security policies prior to developing a security strategy. Although many organizations tend to follow an ad hoc approach to developing security strategy, there are also instances, especially in smaller organizations, where effective practices have been developed that may not be reflected in written policies. Existing practices that adequately address security requirements may usefully serve as the basis for policy and standards development. This approach minimizes organizational disruptions, communications of new policies and resistance to new or unfamiliar constraints.
COMPLIANCE DOCUMENTS AND POLICY FRAMEWORKS
Compliance documents, such as policies, standards and procedures, outline the actions that are required or prohibited. Violations may be subject to disciplinary actions.
Some common compliance document types are shown in figure 2.8.
Some organizations may not implement all of these types of documents. For example, smaller organizations may simply have policies and procedures; others may have policies, standards and procedures, but not guidelines.
Section 2: Cybersecurity Concepts
Figure 2.8—Compliance Document Types
Type
Description
Policies
Communicate required and prohibited activities and behaviors
Standards
Interpret policies in specific situations
Procedures
Provide details on how to comply with policies and standards
Guidelines
Provide general guidance on issues such as “what to do in particular circumstances.” These are not requirements to be met but are strongly recommended.
Cybersecurity Fundamentals Study Guide, 2nd Edition 39
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
TYPES OF INFORMATION SECURITY POLICIES
The number and type of policies an organization chooses to implement varies based on the organization’s size, culture, risk, regulatory requirements and complexity of operations. However, following are some common examples and the type of information they might contain.25
General Information Security Policy
Most organizations have a general, high-level information security policy that may stand alone as a single policy
or serve as a foundation for other compliance documents. For larger enterprises, it is common practice to subdivide policies by topic to address all of the information security. An example of such a subdivision is shown in figure 2.9.
Figure 2.9—COBIT 5 Information Security Policy Set
Risk Management
Compliance
Communications and Operations
Business Continuity/ Disaster Recovery
Information Security
Vendor Management
Asset Management
Rules of Behavior
Acquisition/ Development/ Maintenance
Each of these policies requires the input of information security. Examples for a possible relevant scope for information security are as follows:26
• Business Continuity and Disaster Recovery:
– Business impact analysis (BIA)
– Business contingency plans with trusted recovery
– Recovery requirements for critical systems
– Defined thresholds and triggers for contingencies and escalation – Disaster recovery plan (DRP)
– Training and Testing
• Asset Management:
– Data classification and ownership
– System classification and ownership – Resource utilization and prioritization – Asset life cycle management
– Asset protection
• Rules of Behavior:
– At-work acceptable use and behavior, including privacy, Internet/email, mobile devices, BYOD, etc. – Offsite acceptable use and behavior, including social media, blogs
25 ISACA, COBIT® 5 for Information Security, USA, 2013 26 Ibid.
40 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
Section 2: Cybersecurity Concepts
• Acquisition/Development/Maintenance:
– Information security within the life cycle, requirements definition and procurement/acquisition processes – Secure coding practices
– Integration of information security with change and configuration management
• Vendor Management:
– Contract management
• Communication and Operations:
– IT information security architecture and application design – Service level agreements
• Compliance:
– IT information security compliance assessment process – Development of metrics
– Assessment repositories
• Risk Management:
– Organizational risk management plan – Information risk profile
The appearance and length of an information security policy varies greatly among enterprises. Some enterprises consider a one-page overview to be a sufficient information security policy. In these cases, the policy could be considered a directive statement, and it should clearly describe links to other specific policies. In other enterprises, the information security policy is fully developed, containing nearly all the detailed guidance needed to put the principles into practice. It is important to understand what the information stakeholders expect in terms of coverage and to adapt to this expectation.
Regardless of its size or degree of detail, the information security policy needs a clearly defined scope. This involves: • The enterprise’s definition of information security
• The responsibilities associated with information security
• The vision for information security, accompanied by appropriate goals, metrics and rationale of how the vision is
supported by the information security culture and awareness
• Explanation of how the information security policy aligns with other high-level policies
• Elaboration on specific information security topics such as data management, information risk assessment and
compliance with legal, regulatory and contractual obligations
In addition to the elements discussed above, a policy may potentially affect the security life cycle budget and cost management. Information security strategic plans and portfolio management can be added as well.
The policy should be actively communicated to the entire enterprise and distributed to all employees, contractors, temporary employees and third-party vendors. Stakeholders need to know the information principles, high-level requirements, and roles and responsibilities for information security. The responsibility for updating and revalidating the information security policy lies with the cybersecurity function.
Other possible security policies or procedures include access control, personnel information and security incidents.
Access Control Policy
The access control policy provides proper access to internal and external stakeholders to accomplish business goals. This can be measured by metrics such as, but not limited to, the:
• Number of access violations that exceed the amount allowed
• Amount of work disruption due to insufficient access rights
• Number of segregation of duties incidents or audit findings
Additionally, the access control policy should ensure that emergency access is appropriately permitted and revoked in a timely manner. Metrics related to this goal include the number of emergency access requests and the number of active emergency accounts in excess of approved time limits.
Cybersecurity Fundamentals Study Guide, 2nd Edition 41
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
The access control policy should cover the following topics, among others: • Physical and logical access provisioning life cycle
• Least privilege/need to know
• Segregation of duties
• Emergency access
This policy is meant for all corresponding business units, vendors and third parties. Updates and revalidation should involve HR, data and system owners, information security and senior management. A new or updated policy should be distributed to all corresponding business units, vendors and third parties.
Personnel Information Security Policy
The personnel information security policy objective includes, but is not limited to, the following goals:
• Execute regular background checks of all employees and people at key positions. This goal can be measured by
counting the number of completed background checks for key personnel. This can be amplified with the number of
overdue background check renewals based on a predetermined frequency.
• Acquire information about key personnel in information security positions. This can be followed up by counting the
number of personnel in key positions that have not rotated according to a predefined frequency.
• Develop a succession plan for all key information security positions. A starting point is to list all the critical
information security positions that lack backup personnel.
• Define and implement appropriate procedures for termination. This should include details about revoking account
privileges and access.
This policy is meant for all corresponding business units, vendors and third parties. Updates and revalidation should involve HR, the privacy officer, the legal department, information security and facility security. A new or updated policy needs to be distributed to employees, contract personnel, vendors under contract and temporary employees.
Security Incident Response Policy
This policy addresses the need to respond to (cybersecurity) incidents in a timely manner in order to recover business activities. The policy should include:
• A definition of an information security incident
• A statement of how incidents will be handled
• Requirements for the establishment of the incident response team, with organizational roles and responsibilities • Requirements for the creation of a tested incident response plan, which will provide documented procedures and
guidelines for:
– Criticality of incidents
– Reporting and escalation processes – Recovery (including):
Recovery point objectives (RPOs): The RPO is determined based on the acceptable data loss in case of disruption of operations. It indicates the most recent point in time to which it is acceptable to recover the data, which generally is the latest backup. RPO effectively quantifies the permissible amount of data loss in case of interruption. Depending on the volume of data, it may be advisable to reduce the time between backups to prevent a situation where recovery becomes impossible because of the volume of data to be restored. It may also be the case that the time required to restore a large volume of data makes it impossible to achieve the RTO.27
Recovery time objectives (RTOs) for return to the trusted state, including:
. Investigation and preservation of process
. Testing and training
. Post incident meetings to document root cause analysis and enhancements of information security practices
that prevent similar future events
– Incident documentation and closing
27 ISACA, CISM Review Manual 15th Edition, USA, 2016
42 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
Section 2: Cybersecurity Concepts
This policy is meant for all corresponding business units and key employees. Updates and revalidation should involve the information security function. A new or updated policy should be distributed to key employees.
Policy Frameworks
The way that compliance documents relate to and support each other is called a policy framework. A framework defines different types of documents and what is contained in each. Organizations may have simple or relatively complex policy frameworks depending on their unique needs. Organizations may define a separate cybersecurity policy, but this should always be part of the overarching information security policy framework.
Cybersecurity Fundamentals Study Guide, 2nd Edition 43
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
Page intentionally left blank
44 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
TOPIC 4—CYBERSECURITY CONTROLS
Cybersecurity is a dynamic and ever-changing environment and requires continuous monitoring, updating, testing, patching and changing as technology and business evolve. These controls are critical to maintaining security within any organization’s IT infrastructure. Failure to address these processes is one of the top causes of security breaches in organizations.
An excellent resource for gaining more in-depth knowledge on cybersecurity controls is the Center for Internet Security (CIS) Critical Security Controls for Effective Defense. It provides actionable guidance to stop the most pervasive and dangerous attacks in the current environment. The CIS Critical Security Controls are derived from common attack patterns as provided by leading threat reports from a wide community of industry practitioners. They provide an organized means for cybersecurity professionals to address these common threats and attacks.28
IDENTITY MANAGEMENT
Cybersecurity relies upon the establishment and maintenance of user profiles that define the authentication, authorization and access controls for each user. Today, organizations have a variety of ad hoc processes and tools to manage and provision user identity information. Identity management focuses on streamlining various business processes needed to manage all forms of identities in an organization—from enrollment to retirement.
The ability to integrate business processes and technology is critically important in the emerging model because it links people to systems and services. A key objective of identity management is to centralize and standardize this process so that it becomes a consistent and common service across the organization.
Identity management is comprised of many components that provide a collective and common infrastructure, including directory services, authentication services (validating who the user is) and authorization services (ensuring the user has appropriate privileges to access systems based on a personalized profile). It also includes user- management capabilities, such as user provisioning and deprovisioning, and can include the utilization of federated identity management (FIM).
FIM allows a user from one business entity to seamlessly access resources of another business entity in a secure and trustworthy manner. Federated single sign-on (SSO) between the issuing domain (identity provider) and a relying domain (service provider) facilitates the secure and trusted transfer of user identifiers and other attributes. FIM also supports standards-based trust and security for applications exposed as web services.
PROVISIONING AND DEPROVISIONING
User provisioning is part of the organization’s hiring process where user accounts are created. Passwords and access control rights are generally assigned based on the job duties of the users. This can be a complicated process, as users may need access to many different resources such as systems, databases, email, applications and remote services, each of which has its own access control, passwords, encryption keys or other authorization and authentication requirements. Additionally, access control rights often change based on shifting job requirements, so it is frequently necessary to update access controls and remove access that is no longer needed. Likewise, when a user leaves an organization, their accounts need to be deprovisioned—meaning that all accounts and accesses must be suspended or deleted in a timely manner.
AUTHORIZATION29
The authorization process used for access control requires that the system be able to identify and differentiate among
users. Access rules (authorizations) specify who can access what. For example, access control is often based on least privilege, which means granting users only those accesses required to perform their duties. Access should be on a documented need-to-know and need-to-do basis by type.
28 Center for Internet Security (CIS), The CIS Critical Security Controls for Effective Cyber Defense, www.sans.org/critical-security-controls 29 ISACA, CISA Review Manual 26th Edition, USA, 2015
Section 2: Cybersecurity Concepts
Cybersecurity Fundamentals Study Guide, 2nd Edition 45
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
Computer access can be set for various levels (e.g., files, tables, data items, etc.). When IS auditors review computer accessibility, they need to know what can be done with the access and what is restricted. For example, access restrictions at the file level generally include the following:
• Read only
• Write, create, update only
• Delete only
• Execute only
• A combination of the above
The least dangerous type of access is read-only, as long as the information being accessed is not sensitive or confidential. This is because the user cannot alter or use the computerized file beyond basic viewing or printing.
ACCESS CONTROL LISTS30
To provide security authorizations for the files and facilities listed previously, logical access control mechanisms
utilize access authorization tables, also referred to as access control lists (ACLs) or access control tables. ACLs refer to a register of:
• Users (including groups, machines, processes) who have permission to use a particular system resource
• The types of access permitted
ACLs vary considerably in their capability and flexibility. Some only allow specifications for certain preset groups (e.g., owner, group and global), while more advanced ACLs allow much more flexibility such as user-defined groups. Also, more advanced ACLs can be used to explicitly deny access to a particular individual or group.
With more advanced ACLs, access can be at the discretion of the policy maker (and implemented by the security administrator) or individual user, depending upon how the controls are technically implemented. When a user changes job roles within an organization, often their old access rights are not removed before adding their new required accesses. Without removing the old access rights, there could be a potential segregation of duties issue.
ACCESS LISTS31, 32
Access lists filter traffic at network interfaces based on specified criteria, thus affording basic network security.
Without access lists, network devices pass all packets. Conversely, after an access list is created and applied to an interface, it then only passes traffic permitted by rules due to an implied “deny all” statement automatically appended to the list. Understanding the placement and impact of an access list is essential because errors can halt network traffic entirely.
PRIVILEGED USER MANAGEMENT
Privileged access permits administrators to maintain and protect systems and networks. Privileged users can often access any information stored within a system, which means they can modify or circumvent existing safeguards such as access controls and logging. “Privileged user” typically refers to the administrators of systems, networks, servers or workstations.
Because of this elevated access, organizations need to think carefully about privileged users and accounts and apply additional controls to them. Common controls include:
• Limiting privileged access to only those who require it to perform their job functions
• Performing background checks on individuals with elevated access
• Implementing additional logging of activity associated with privileged accounts
• Maintaining accountability by never sharing privileged accounts
• Using stronger passwords or other authentication controls to protect privileged accounts from unauthorized access
• Regularly reviewing accounts for privileges and removing those no longer required
• Require privileged users to maintain two accounts (elevated and non-elevated) and mandate the use of non-elevated
access accounts to general duties, such as email, documenting, accessing the Internet, etc.
30 Ibid.
31 Wilson, Tracey, “Basics of Access Control Lists: How to Secure ACLs,” 16 May 2012, http://blog.pluralsight.com/access-control-list-concepts 32 Cisco; Access Control Lists: Overview and Guidelines, Cisco IOS Security Configuration Guide, www.cisco.com/c/en/us/td/docs/ios/12_2/
security/configuration/guide/fsecur_c/scfacls.pdf
46 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.
CHANGE MANAGEMENT
Change management is essential to the IT infrastructure. Its purpose is to ensure that that changes to processes, systems, software, applications, platforms and configuration are introduced in an orderly, controlled manner. Controls are implemented in the form of a structured review process intended to evaluate and minimize the potential for disruption that a proposed change, maintenance activity or patch may introduce. Effective controls ensure that all changes are categorized, prioritized and authorized. The process generally includes mechanisms for tracking and documenting changes to demonstrate accountability and compliance with best practices.
It is important to note that change management is not a stand-alone process; it draws upon a number of other processes and controls. Therefore, it requires a comprehensive knowledge of enterprise operations and infrastructure to be implemented effectively.
CONFIGURATION MANAGEMENT
Maintaining the security configurations of network devices, systems, applications and other IT resources is critically important to ensure security controls are properly installed and maintained. As organizations grow and evolve,
so does the potential for change and dysfunction. In order to manage such changes and minimize their potential
to disrupt operations, efficiency and profits, it is necessary to develop formal processes. These processes of configuration management can be quite complex, as they support many other activities within the enterprise.
Implementing a configuration management process has several benefits for security including:33 • Verification of the impact on related items
• Assessment of a proposed change’s risk
• Ability to inspect different lines of defense for potential weaknesses
• Tracking of configuration items against approved secure configuration baselines
• Insights into investigations after a security breach or operations disruption
• Version control and production authorization of hardware and software components
PATCH MANAGEMENT
Patches are solutions to software programming errors. In many cases, security vulnerabilities are introduced by coding errors. Therefore, it is vital that software bugs that are identified as security vulnerabilities be patched as soon as possible. Most software vendors release regular software updates and patches as the vulnerabilities are identified and fixed.
Failure to apply patches to known security vulnerabilities is the most common cause of security breaches. Therefore, patching is an important part of vulnerability management, and organizations must set up processes to identify patches that are relevant to their IT infrastructure. Once a necessary patch is identified, it should be tested to ensure it does not negatively impact operations. After the patch has been verified, it can be scheduled and installed where appropriate.
Section 2: Cybersecurity Concepts
33 ISACA, Configuration Management Using COBIT 5, USA, 2013
Cybersecurity Fundamentals Study Guide, 2nd Edition 47
ISACA. All Rights Reserved.
Personal Copy of: Dr. Byron Marshall
Section 2: Cybersecurity Concepts
SECTION 2—KNOWLEDGE CHECK
Directions: Select the correct answer to complete each statement below. Use each word only once.
WORD BANK
Asset
Attack vector Guidelines
Identity management Malware
Patches Payload Policies Procedure Cyberrisk
Rootkit Standards Threat Vulnerability
1. The core duty of cybersecurity is to identify, mitigate and manage __________________ to an organization’s digital assets.
2. A(n) ___________________ is anything capable of acting against an asset in a manner that can cause harm.
3. A(n) ___________________ is something of value worth protecting.
4. A(n) ___________________ is a weakness in the design, implementation, operation or internal controls in a
process that could be exploited to violate the system security.
5. The path or route used to gain access to the target asset is known as a(n) ___________________ .
6. In an attack, the container that delivers the exploit to the target is called a(n) ___________________ .
7. ___________________ communicate required and prohibited activities and behaviors.
8. ___________________ is a class of malware that hides the existence of other malware by modifying the
underlying operating system.
9. ___________________ provide details on how to comply with policies and standards.
10. ___________________ provide general guidance and recommendations on what to do in particular circumstances.
11. ___________________, also called malicious code, is software designed to gain access to targeted computer
systems, steal information or disrupt computer operations.
12. ___________________ are used to interpret policies in specific situations.
13. ___________________ are solutions to software programming and coding errors.
14. ___________________ includes many components such as directory services, authentication and authorization
services, and user management capabilities such as provisioning and deprovisioning.
See answers in Appendix C.
48 Cybersecurity Fundamentals Study Guide, 2nd Edition
Personal Copy of: Dr. Byron Marshall
ISACA. All Rights Reserved.