{"id":306,"date":"2020-05-25T19:49:06","date_gmt":"2020-05-25T19:49:06","guid":{"rendered":"http:\/\/www.spktechfit.com\/?p=306"},"modified":"2020-05-25T19:49:06","modified_gmt":"2020-05-25T19:49:06","slug":"security-course-3-1-security-design","status":"publish","type":"post","link":"https:\/\/www.spktechfit.com\/?p=306","title":{"rendered":"Security+ Course \u2013 3.1 Security Design"},"content":{"rendered":"<h2>1. Legislative and Regulatory Compliance<\/h2>\n<h3><strong>Compliance Obligations<\/strong><\/h3>\n<p>There are 4 main types:<\/p>\n<ol>\n<li><strong>Criminal law<\/strong>: deters and punishes acts detrimental to society (murder, theft, hacking and so on). Conviction can result in jail time.<\/li>\n<li><strong>Civil law<\/strong>: resolves disputes between individuals, organisations and so on. This cannot result in jail time.<\/li>\n<li><strong>Administrative law<\/strong>: facilitates effective government by allowing agencies to carry out their duties. It provides the procedural rules for the operation of government.<\/li>\n<li><strong>Private regulations<\/strong>: flow from contractual relationships and govern activities between individuals and organisations.<\/li>\n<\/ol>\n<h3>Federal Information Security Management Act (FISMA)<\/h3>\n<p>This is a law that governs information security matters for US federal agencies and government contractors. It requires the creation of security programs throughout the federal government and provides details on the controls necessary to run information systems that are categorised as FISMA High, FISMA Moderate or FISMA Low.<\/p>\n<hr \/>\n<h2>2. Security Frameworks and Reference Architectures<\/h2>\n<p>These are invaluable tools when designing a security program.<\/p>\n<p><strong>Security Frameworks:<\/strong> A collection of standards and practices designed to form a solid approach to information security. 
They are high level, and often focus on activities such as identifying risks and responding to attacks.<\/p>\n<p><strong>Reference Architecture:<\/strong> A proposed design for security technology. It goes into more technical detail, specifying the particular controls that would achieve an organisation\u2019s security objectives.<\/p>\n<h3>National Institute of Standards and Technology (NIST) Cybersecurity Framework<\/h3>\n<p>NIST publishes a cybersecurity framework that is free for anyone to use. It:<\/p>\n<ul>\n<li>Provides a common language for cybersecurity risks<\/li>\n<li>Helps organisations identify and prioritise actions<\/li>\n<li>Aligns security actions across control types<\/li>\n<li>Offers different value to different organisations<\/li>\n<\/ul>\n<p>Link to the Framework: <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/CSWP\/NIST.CSWP.04162018.pdf\">https:\/\/nvlpubs.nist.gov\/nistpubs\/CSWP\/NIST.CSWP.04162018.pdf<\/a><\/p>\n<hr \/>\n<h2>3. 
Developing Security Baselines<\/h2>\n<p>Security baselines give enterprises an effective way to specify the minimum standards for computing systems and to apply those standards efficiently across deployed devices.<\/p>\n<h3>Baseline Security Standard Elements<\/h3>\n<p>Baselines are generic requirements that can apply to every device in the organisation. Each device:<\/p>\n<ul>\n<li>Must be administered by a named individual<\/li>\n<li>Is protected against unauthorised access<\/li>\n<li>Doesn\u2019t jeopardise other systems or data<\/li>\n<li>Remains under the positive control of a trained staff member<\/li>\n<li>Complies with data security requirements<\/li>\n<\/ul>\n<p>Baseline requirements can also be more specific, such as requiring devices that store sensitive information to be encrypted. Another example of a specific standard is that all Windows devices must have the firewall turned on, with inbound connections blocked except on the ports the business needs. Configuration management tools (for example Microsoft System Center Configuration Manager) automate policy deployment: you can create a template for these settings and deploy it using Group Policy Objects.<\/p>\n<p><strong>Monitoring is Critical<\/strong><br \/>\nOnce the policies are deployed you must monitor the devices to confirm the settings are actually in place and stay in place; a policy that has been pushed is not the same as a policy that has been applied.<\/p>\n<hr \/>\n<h2>4. Leveraging Industry Standards<\/h2>\n<p>Most organisations don\u2019t have the time to create their own security standards from scratch. Fortunately, there are lots of industry standards available for use.<\/p>\n<h3>Sources of Industry Standards<\/h3>\n<p><strong>Vendors<\/strong><br \/>\nThe companies that create the devices know the product better than anyone else and have a vested interest in making it secure.<\/p>\n<p><strong>Government Agencies (NIST)<\/strong><br \/>\nThey publish security baselines for different operating systems.<\/p>\n<p><strong>Independent Organisations<\/strong><br \/>\nThese are third parties that provide security advice. 
CIS (the Center for Internet Security) benchmarks are a good example.<\/p>\n<hr \/>\n<h2>5. Customising Security Standards<\/h2>\n<p>Organisations often start with the industry standard baselines, then modify them to suit their own requirements. More stringent settings may be required based on data sensitivity or system criticality.<\/p>\n<p>Instead of completely re-writing the standards you can reference them from your own. For example:<br \/>\n&#8220;Windows Server 2016 should be configured to the CIS benchmark dated 28\/5\/18, with the following exceptions\u2026&#8221;<br \/>\nDocument the reason for every deviation, and who approved it, so that an auditor (or your future self) can tell an agreed exception from configuration drift.<\/p>\n<hr \/>\n<h2>6. Defence in Depth<\/h2>\n<p><strong>Defence in Depth Principle: <\/strong>Organisations should use multiple, overlapping controls to achieve each of their security objectives. This layered approach means that the failure of any single control does not leave the objective unprotected.<\/p>\n<h3><strong>Examples of Use<\/strong><\/h3>\n<p><strong>Defence in Depth: Eavesdropping<\/strong><\/p>\n<ul>\n<li>Encryption at the network layer through VPNs<\/li>\n<li>Encryption at the application layer (using HTTPS)<\/li>\n<li>Segmentation with VLANs, which limits where traffic can be observed in the first place<\/li>\n<\/ul>\n<p><strong>Defence in Depth: Access Control<\/strong><\/p>\n<ul>\n<li>Network access control using strong authentication<\/li>\n<li>Role-appropriate VLANs (using 802.1X to place users on the correct VLAN)<\/li>\n<li>MAC filtering<\/li>\n<li>Port security<\/li>\n<\/ul>\n<p><strong>Defence in Depth: Perimeter<\/strong><br \/>\nThe following devices could be used together to protect your internal network. 
If one device fails you still have some protection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-309\" src=\"http:\/\/www.spktechfit.com\/wp-content\/uploads\/2020\/05\/PermieterDevices.png\" alt=\"\" width=\"773\" height=\"253\" \/><\/p>\n<p><em><strong>EXAM TIP: Keep the defence in depth principle at the front of your mind during the exam!<\/strong><\/em><\/p>\n<hr \/>\n<h2>7. Control Diversity<\/h2>\n<p>Diversity brings strength, just as people from different backgrounds bring different stories, styles and experiences to the table.<\/p>\n<h3>2 Types of Cybersecurity Diversity<\/h3>\n<p><strong>1. Control Type Diversity<\/strong><br \/>\nThis means using controls from different categories to achieve the same objective. Take building defences against insider theft of sensitive information: the categories are Technical, Administrative and Physical, and you could implement a control from each of them to reach the objective. For example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-310\" src=\"http:\/\/www.spktechfit.com\/wp-content\/uploads\/2020\/05\/ControlDiversities.png\" alt=\"\" width=\"784\" height=\"366\" \/><\/p>\n<p>The strength comes from the fact that these controls work, and fail, in different ways: an attacker who gets around a technical control still has to defeat the administrative and physical controls, which don\u2019t share its weaknesses.<\/p>\n<p><strong>2. Vendor Diversity<\/strong><br \/>\nThis reduces the risk that a single product vulnerability defeats every control point. An example is using firewalls from different vendors at different control points in a network: one at the perimeter of the internal network, the other in front of the data centre. The trade-off is two rule syntaxes, two patch cycles and two skill sets to maintain.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-311\" src=\"http:\/\/www.spktechfit.com\/wp-content\/uploads\/2020\/05\/VendorDiversity.png\" alt=\"\" width=\"865\" height=\"196\" \/><\/p>\n<p>If there is a security flaw in Firewall X the attacker may gain access to the internal network. 
But because Firewall Y is a different product, the same flaw won\u2019t give them access to the data centre.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[11,10,3],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/306"}],"collection":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=306"}],"version-history":[{"count":3,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/306\/revisions"}],"predecessor-version":[{"id":312,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/306\/revisions\/312"}],"wp:attachment":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=306
"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
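The baseline procedure that sections 3 and 5 of the post describe (set a minimum baseline, reference an industry benchmark, document every exception with its reason and approver, then monitor the devices to confirm the settings are really in place) as an added worked example. This is not code from the original course notes. The baseline settings, device names, device data and exception register are all constructed for illustration; they are not a real CIS benchmark, and in practice the observed values would be read from configuration management or an endpoint agent rather than hard-coded.

```python
"""Baseline compliance check with a documented-exception register."""
from dataclasses import dataclass
from typing import Any, Dict, List

# Hypothetical baseline standing in for a referenced industry benchmark:
# setting name -> value the baseline requires.
BASELINE: Dict[str, Any] = {
    "firewall.domain.enabled": True,
    "firewall.domain.default_inbound": "Block",
    "disk.encryption": "enabled",
    "rdp.enabled": False,
    "smbv1.enabled": False,
}


@dataclass(frozen=True)
class ApprovedException:
    """One documented deviation: the setting, the value permitted instead,
    the business reason, and who approved it."""
    setting: str
    allowed_value: Any
    reason: str
    approved_by: str


@dataclass(frozen=True)
class Finding:
    device: str
    setting: str
    expected: Any
    actual: Any
    status: str  # compliant | approved_exception | deviation | missing


# Constructed device inventory, shaped like a configuration-management export.
DEVICES: Dict[str, Dict[str, Any]] = {
    "ws01": {"firewall.domain.enabled": True, "firewall.domain.default_inbound": "Block",
             "disk.encryption": "enabled", "rdp.enabled": False, "smbv1.enabled": True},
    # fs01 has no smbv1.enabled entry at all, modelling a collection gap.
    "fs01": {"firewall.domain.enabled": True, "firewall.domain.default_inbound": "Allow",
             "disk.encryption": "enabled", "rdp.enabled": True},
}

# Constructed exception register, per device. Each entry covers exactly one
# setting with exactly one permitted value.
EXCEPTIONS: Dict[str, List[ApprovedException]] = {
    "fs01": [ApprovedException("rdp.enabled", True,
                               "storage admins manage this file server over RDP from the jump host",
                               "Head of Infrastructure, 2020-05-25")],
}


def evaluate(device: str, observed: Dict[str, Any],
             exceptions: List[ApprovedException]) -> List[Finding]:
    """Compare one device's observed settings with BASELINE."""
    approved = {e.setting: e for e in exceptions}
    findings: List[Finding] = []
    for setting, required in BASELINE.items():
        if setting not in observed:
            # A value we could not read is a monitoring failure, not a pass.
            findings.append(Finding(device, setting, required, None, "missing"))
            continue
        actual = observed[setting]
        if actual == required:
            status = "compliant"
        elif setting in approved and approved[setting].allowed_value == actual:
            # The exception covers this one value; any other value is still a deviation.
            status = "approved_exception"
        else:
            status = "deviation"
        findings.append(Finding(device, setting, required, actual, status))
    return findings


def needs_action(findings: List[Finding]) -> List[Finding]:
    """What monitoring must raise: undocumented deviations and unreadable settings."""
    return [f for f in findings if f.status in ("deviation", "missing")]


def run_report(devices: Dict[str, Dict[str, Any]] = DEVICES,
               exceptions: Dict[str, List[ApprovedException]] = EXCEPTIONS) -> Dict[str, List[Finding]]:
    return {name: needs_action(evaluate(name, cfg, exceptions.get(name, [])))
            for name, cfg in devices.items()}


def exceptions_text(device: str,
                    exceptions: Dict[str, List[ApprovedException]] = EXCEPTIONS) -> str:
    """Render the standard the way the notes phrase it: reference the benchmark,
    then list each exception with its justification and approver."""
    lines = [f"{device}: configured to the referenced baseline, with the following exceptions:"]
    for e in exceptions.get(device, []):
        lines.append(f"  - {e.setting} = {e.allowed_value!r}: {e.reason} (approved by {e.approved_by})")
    if len(lines) == 1:
        lines.append("  - none")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, open_items in run_report().items():
        print(exceptions_text(name))
        for f in open_items:
            print(f"  [{f.status}] {f.setting}: expected {f.expected!r}, observed {f.actual!r}")
```

Two design points carry the weight here. An exception is matched on the exact permitted value, so the approved RDP deviation on fs01 does not excuse its permissive inbound firewall default, which is reported as a deviation. A setting that could not be collected is reported as missing rather than silently passing, because a monitoring gap is exactly the case where a pushed policy and an applied policy can differ.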