Information Security Handbook - Anarcho-Copy


Information Security Handbook
Develop a threat model and incident response strategy to build a strong information security framework
Darren Death
BIRMINGHAM - MUMBAI

Information Security Handbook
Copyright 2017 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: December 2017
Production reference: 1071217
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78847-883-0
www.packtpub.com

Credits
Author: Darren Death
Reviewers: Abhinav Rai, Heath Renfrow
Copy Editor: Safis Editing
Project Coordinator: Judie Jose
Commissioning Editor: Gebin George
Proofreader: Safis Editing
Acquisition Editor: Heramb Bhavsar
Indexer: Pratik Shirodkar
Content Development Editor: Abhishek Jadhav
Graphics: Tania Dutta
Technical Editor: Mohd Riyan Khan
Production Coordinator: Aparna Bhagat

About the Author
Darren Death is an information security professional living in the DC Metropolitan Area. During his 17-year technology career, he has supported the private and public sector at the local, state, and national levels. Darren has worked for organizations such as the Department of Justice, Library of Congress, and the Federal Emergency Management Agency. Darren currently works for Arctic Slope Regional Corporation as its chief information security officer. In this role, Darren is responsible for the ASRC Enterprise Information Security program, where he manages the Information Security program across the 3 billion dollar ASRC portfolio crossing many business sectors, including energy, financial services, hospitality, retail, construction, and federal government contracting. Darren is very active in the information security community and can be heard at many conferences throughout the year speaking on many of the topics covered in this book. Infragard is an organization that is dedicated to sharing information and intelligence, working to prevent hostile acts against the United States. In this role, he teaches students the building blocks that go into establishing a successful information security program.
I would like to thank my amazing wife and children for putting up with me and sacrificing the time that it took to write this book. I would also like to thank the many executives that have walked alongside me throughout my career. These executives include: Leif Henecke, CIO at ASRC Federal; Ann-Marie Massenberg, Chief of Staff at the Office of Financial Management at the US Department of Transportation; Jonathan Alboum, CIO at USDA; Steve Elky, Director of IT Strategic Planning at the Library of Congress; Douglas Ament, CIO at the US Copyright Office; Kyle Holtzman, Deputy Assistant Director of Service Portfolio Management at the U.S. Department of Justice; and Oscar Jordan, Master Sergeant United States Air Force. Without learning the valuable lessons that I learned from these professionals, I would not be where I am today. It is also because of these individuals that I strongly support and participate in mentoring opportunities for others who are starting in their IT careers and work to teach and spread what I have learned to others regarding IT and Information Security best practices.

About the Reviewers
Abhinav Rai has been associated with the information security profession and has experience in web application security, network security, mobile application security, web services security, source code review, and configuration audit. He is currently working as an information security professional. He has completed his degree in computer science and his postgraduate diploma in IT infrastructure, systems and security. He also holds a certificate in communication protocol design and testing. He can be reached at abhinav.rai.55@gmail.com.
Mr. Heath Renfrow has served as the Chief Information Security Officer for multiple global organizations, and most recently as the CISO for United States Army Medicine, where he was awarded the 2017 Global CISO of the year by EC-COUNCIL, the largest cyber training body in the world. Mr. Renfrow has 20 years of global cyber security professional experience, and is considered one of the leading cyber experts today. He holds a Bachelor of Science in Information Technology, and a Master of Science in Cyber Studies. Mr. Renfrow also holds numerous industry leading certifications, including Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (C|EH).
All praise to my Lord and Savior, and as always a thank you to my loving and supportive wife, Kathy, as I would be nothing without both!

www.PacktPub.com
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www.packtpub.com/mapt
Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser

Customer Feedback
Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review of this book's Amazon page at https://www.amazon.com/dp/1788478835/.
If you'd like to join our team of regular reviewers, you can e-mail us at customerreviews@packtpub.com. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!

Table of Contents
Preface
Chapter 1: Information and Data Security Fundamentals
  Information security challenges
  Evolution of cybercrime
  The modern role of information security
  IT security engineering
  Information assurance
  The CIA triad
  Organizational information security assessment
  Risk management
  Information security standards
  Policies
  Training
  Key components of an effective training and awareness program
  Summary
Chapter 2: Defining the Threat Landscape
  What is important to your organization and who wants it?
  Compliance
  Hackers and hacking
  Black hat hacker
  White hat or ethical hacker
  Blue hat hacker
  Grey hat hacker
  Penetration testing
  Hacktivist
  Script kiddie
  Nation state
  Cybercrime
  Methods used by the attacker
  Exploits
  Hacker techniques
  Methods of conducting training and awareness
  Closing information system vulnerabilities
  Vulnerability
  The case for vulnerability management
  Summary
Chapter 3: Preparing for Information and Data Security
  Establishing an information security program
  Don't start from scratch, use a framework
  Security program success factors
  Executive or board support
  Supporting the organization's mission
  Rightsizing information security for the organization
  Security awareness and training program
  Information security built into SDLC
  Information security program maturity
  Information security policies
  Information security program policy
  Operational policy
  System-specific policy
  Standards
  Procedures
  Guidelines
  Recommended operational policies
  Planning policy
  Access control policy
  Awareness and training policy
  Auditing and accountability policy
  Configuration management policy
  Contingency planning policy
  Identification and authentication policy
  Incident response policy
  Maintenance policy
  Media protection policy
  Personnel security policy
  Physical and environmental protection policy
  Risk assessment policy
  Security assessment policy
  System and communications protection policy
  System and information integrity policy
  Systems and services acquisitions policy
  Summary
Chapter 4: Information Security Risk Management
  What is risk?
  Who owns organizational risk?
  Risk ownership
  What is risk management?
  Where is your valuable data?
  What does my organization have that is worth protecting?
  Intellectual property trade secrets
  Personally Identifiable Information – PII
  Personal Health Information – PHI
  General questions
  Performing a quick risk assessment
  Risk management is an organization-wide activity
  Business operations
  IT operations
  Personnel
  External organization
  Risk management life cycle
  Information categorization
  Data classification looks to understand
  Data classification steps
  Determining information assets
  Finding information in the environment
  Disaster recovery considerations
  Backup storage considerations
  Types of storage options
  Questions you should ask your business users regarding their information's location
  Questions you should ask your IT organization regarding the information's location
  Organizing information into categories
  Examples of information type categories
  Publicly available information
  Credit card information
  Trade secrets
  Valuing the information and establishing impact
  Valuing information
  Establishing impact
  Security control selection
  Information security frameworks
  Security control implementation
  Assessing implemented security controls
  Authorizing information systems to operate
  Monitoring information system security controls
  Calculating risk
  Qualitative risk analysis
  Identifying your organization's threats
  Identifying your organization's vulnerabilities
  Pairing threats with vulnerabilities
  Estimating likelihood
  Estimating impact
  Conducting the risk assessment
  Management choices when it comes to risk
  Quantitative analysis
  Qualitative risk assessment
Chapter 5: Developing Your Information and Data Security Plan
  Determine your information security program objectives
  Example information security program activities
  Elements for a successful information security program
  Analysis to rightsizing your information security
  Compliance requirements
  Is your organization centralized or decentralized?
  Centralized
  Decentralized
  What is your organization's business risk appetite?
  How mature is your organization?
  Helping to guarantee success
  Business alignment
  Information security is a business project not an IT project
  Organizational change management
  Key information security program plan elements
  Develop your information security program strategy
  Establish key initiatives
  Define roles and responsibilities
  Defining enforcement authority
  Pulling it all together
  Summary
Chapter 6: Continuous Testing and Monitoring
  Types of technical testing
  SDLC considerations for testing
  Project initiation
  Requirements analysis
  System design
  System implementation
  System testing
  Operations and maintenance
  Disposition
  SDLC summary
  Continuous monitoring
  Information security assessment automation
  Effective reporting of information security status
  Alerting of information security weakness
  Vulnerability assessment
  Business relationship with vulnerability assessment
  Vulnerability scanning
  Vulnerability scanning process
  Vulnerability resolution
  Penetration testing
  Phases of a penetration test
  Difference between vulnerability assessment and penetration testing
  Examples of successful attacks in the news
  Point of sale system attacks
  Cloud-based misconfigurations
  Summary
Chapter 7: Business Continuity/Disaster Recovery Planning
  Scope of BCDR plan
  Business continuity planning
  Disaster recovery planning
  Focus areas for BCDR planning
  Management
  Operational
  Technical
  Designing the BCDR plan
  Requirements and context gathering – business impact assessment
  Inputs to the BIA
  Outputs from the BIA
  Sample BIA form
  Define technical disaster recovery mechanisms
  Identify and document required resources
  Conduct a gap analysis
  Develop disaster recovery
  Develop your plan
  Develop recovery teams
  Establish relocation plans
  Develop detailed recovery procedures
  Test the BCDR plan
  Summary
Chapter 8: Incident Response Planning
  Do I need an incident response plan?
  Components of an incident response plan
  Preparing the incident response plan
  Understanding what is important
  Prioritizing the incident response plan
  Determining what normal looks like
  Observe, orient, decide, and act – OODA
  Incident response procedure development
  Identification – detection and analysis
  Identification – incident response tools
  Observational (OODA) technical tools
  Orientation (OODA) tools
  Decision (OODA) tools
  Remediation – containment/recovery/mitigation
  Remediation – incident response tools
  Act (Response) (OODA) tools
  Post incident activity
  Lessons-learned sessions
  Incident response plan testing
  Summary
Chapter 9: Developing a Security Operations Center
  Responsibilities of the SOC
  Management of security operations center tools
  Security operation center toolset design
  Using already implemented toolsets
  Security operations center roles
  Log or information aggregation
  Log or information analysis
  Processes and procedures
  Identification – detection and analysis
  Events versus alerts versus incidents
  False positive versus false negative/true positive versus true negative
  Remediation – containment/eradication/recovery
  Security operations center tools
  Security operations center advantages
  MSSP advantages
  Summary
Chapter 10: Developing an Information Security Architecture Program
  Information security architecture and SDLC/SELC
  Conducting an initial information security analysis
  Purpose and description of the information system
  Determining compliance requirements
  Compliance standards
  Documenting key information system and project roles
  Project roles
  Information system roles
  Defining the expected user types
  Documenting interface requirements
  Documenting external information systems access
  Conducting a business impact assessment
  Inputs to the BIA
  Conducting an information categorization
  Developing a security architecture advisement program
  Partnering with your business stakeholders
  Information security architecture process
  Example information security architecture
Chapter 11: Cloud Security Consideration
  Cloud computing characteristics
  Cloud computing service models
  Infrastructure as a Service – IaaS
  Platform as a Service – PaaS
  Software as a Service – SaaS
  Cloud computing deployment models
  Public cloud
  Private cloud
  Community cloud
  Hybrid cloud
  Cloud computing management models
  Managed service provider
  Cloud service provider
  Cloud computing special consideration
  Cloud computing data security
  Data location
  Data access
  Storage considerations
  Storage types
  Storage threats
  Storage threat mitigations
  Managing identification, authentication, and authorization in the cloud computing environment
  Identification considerations
  Authentication considerations
  Authorization considerations
  Integrating cloud services with the security operations center
  Cloud access security brokers
  Special business considerations
  Summary
Chapter 12: Information and Data Security Best Practices
  Information security best practices
  User accounts
  Limit administrator accounts
  Using a normal user account where possible
  Least privilege/role separation
  Password security
  Least functionality
  Updates and patches
  Secure configurations
  Step 1: Developing a policy that enforces secure configuration baselines
  Step 2: Developing secure configuration baselines
  Step 3: Integrating secure configuration baselines into the SDLC
  Step 4: Enforcing secure configuration baselines through automated testing and remediation
  Application security
  Conducting a web application inventory
  Least privileges
  Cookie security
  Web application firewalls
  Implementing a secure coding awareness program
  Network security
  Remote access
  Wireless
  Mobile devices
  Summary
Index

Preface
Information security has become a global challenge that is impacting organizations across every industry sector. C-Suite and board level executives are beginning to take their obligations seriously and as a result require competent business-focused advice and guidance from the organization's information security professionals. Being able to establish a fully developed, risk-based, and business-focused information security program to support your organization is critical to ensuring your organization's success moving into the future.
In this book, we will explore what it takes to establish an information security program that covers the following aspects:
Focusing on business alignment, engagement, and support
Utilizing risk-based methodologies
Establishing effective organizational communication
Implementing foundational information security hygiene practices
Implementing information security program best practices
What this book covers
Chapter 1, Information and Data Security Fundamentals, provides the reader with an overview of key concepts that will be examined throughout this book. The reader will understand the history, key concepts, and components of information and data security. Additionally, the reader will understand how these concepts should balance with business needs.
Chapter 2, Defining the Threat Landscape, explains how understanding the modern threat landscape helps you, as the information security professional, develop a highly effective information security program that can mount a secure defense against modern adversaries in support of your organization's business/mission goals and objectives. In this chapter, you will learn: How to determine what is important to your organization, potential threats to your organization, types of hackers/adversaries, methods used by the hacker/adversary, and methods of conducting training and awareness as it relates to threats.

Chapter 3, Preparing for Information and Data Security, helps you to learn the important activities required to establish an enterprise-wide information security program with a focus on executive buy-in, policies, procedures, standards, and guidelines. Additionally, you will learn: Planning concepts associated with information security program establishment; Information security program success factors; SDLC integration of the information security program; Information security program maturity concepts; and best practices related to policies, procedures, standards, and guidelines.
Chapter 4, Information Security Risk Management, explains the fundamentals of information security risk management, which provides the main interface for prioritization and communication between the information security program and the business. Additionally, you will learn: Key information security risk management concepts; How to determine where valuable data is in your organization; Quick risk assessment techniques; How risk management affects different parts of the organization; How to perform information categorization; Security control selection, implementation, and testing; and Authorizing information systems for production operations.
Chapter 5, Developing Your Information and Data Security Plan, speaks about the concepts necessary to develop your information security program plan. Your program plan will be a foundational document that will establish how your information security program will function and interact with the rest of the business. Additionally, you will learn: How to develop the objectives for your information security program, elements of a successful information security program, information security program business/mission alignment, information security program plan elements, and establishing information security program enforcement.
Chapter 6, Continuous Testing and Monitoring, explains that it is important for the information security professional to understand that vulnerabilities in information systems are a fact of life that is not going away anytime soon. The key to protecting the modern information system is continued vigilance through continuous technical testing. In this chapter, you will learn: Technical testing capabilities at your disposal, Testing integration into the SDLC, Continuous monitoring considerations, Vulnerability assessment considerations, and Penetration testing considerations.

Chapter 7, Business Continuity/Disaster Recovery Planning, encompasses two separate but related disciplines that work together. Business Continuity Planning serves to ensure that an organization can effectively understand what business processes and information are important to the continued operations and success of the organization. Disaster Recovery Planning serves to develop a technical solution that supports the business needs of the organization in the event of a system outage. In this chapter, you will learn: The scope and focus areas of the BCDR plan, and designing, implementing, testing, and maintaining the BCDR plan.
Chapter 8, Incident Response Planning, speaks about the incident response plan and procedures that your information security program implements to ensure that you have adequate and repeatable processes in place to respond to an information security incident that occurs against your organizational network or information systems. In this chapter, you will learn: Why you need an incident response plan, What components make up the incident response plan, Tools and techniques related to incident response, The incident response process, and the OODA loop and how it can be applied to incident response.
Chapter 9, Developing a Security Operations Center, describes the security operations center, which serves as your centralized view into your enterprise information systems. The security operations center goal is to ensure that this view is real-time so that your organization can identify and respond to internal and external threats as quickly as possible. In this chapter, you will learn: What comprises the responsibilities of the security operations center; security operations center tool management and design; security operations center roles, processes, and procedures; and internal versus outsourced security operations center implementation considerations.
Chapter 10, Developing an Information Security Architecture Program, explains that Security Architecture establishes rigorous and comprehensive policies, procedures, and guidelines around the development and operationalization of an Information Security Architecture across the enterprise information technology deployed within an organization. Additionally, you will learn about: Incorporating security architecture into the system development life cycle process, Conducting an initial information security analysis, and Developing a security architecture advisement program.
Chapter 11, Cloud Security Consideration, covers cloud computing, which enables on-demand and ubiquitous access to a shared pool of configurable outsourced computing resources such as networks, servers, storage, and applications. In this chapter, you will learn: Cloud computing characteristics; Cloud computing service, deployment, and management models; and Special information security considerations as they relate to Cloud Computing.

Chapter 12, Information and Data Security Best Practices, speaks about a selection of best practices to help ensure the overall information security health of your organization's information systems. The topics covered in this chapter include information security best practices related to: user account security, least functionality, updates and patching, secure configurations, application security, and network security.
What you need for this book
This book will guide you through the installation of all the tools that you need to follow the examples. You will need to install Webstorm version 10 to effectively run the code samples present in this book.
Who this book is for
This book is targeted at the information security professional looking to understand the key success factors needed to build a successful business-aligned information security program. Additionally, this book is well suited for anyone looking to understand the key aspects of an information security program and how they should be implemented within an organizational culture.
Conventions
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "The next lines of code read the link and assign it to the script 123 /script."
New terms and important words are shown in bold.
Warnings or important notes appear like this.
Tips and tricks appear like this.

Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of. To send us general feedback, simply email feedback@packtpub.com, and mention the book's title in the subject of your message. If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the color images of this book
We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/InformationSecurityHandbook_ColorImages.pdf.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title. To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy
Piracy of copyrighted material on the internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the internet, please provide us with the location address or website name immediately so that we can pursue a remedy. Please contact us at copyright@packtpub.com with a link to the suspected pirated material. We appreciate your help in protecting our authors and our ability to bring you valuable content.
Questions
If you have a problem with any aspect of this book, you can contact us at questions@packtpub.com, and we will do our best to address the problem.

1
Information and Data Security Fundamentals
Computers have been instrumental to human progress for more than half a century. As these devices have become more sophisticated they have come under increasing attack from those looking to disrupt organizations using these systems. From the first boot sector virus to advanced, highly-complex, nation-state threats, the ability for an adversary to negatively impact an organization has never been greater. While the attacker has become more sophisticated, our ability to prepare for and defend against the attacker has also become very sophisticated. Throughout this book, I will discuss what it takes to establish an information security program that helps to ensure an organization is properly defended.
The first chapter will provide the reader with an overview of key concepts that will be examined throughout this book. The reader will learn the history, key concepts, and components of information and data security. Additionally, the reader will understand how these concepts should balance with business needs.
The topics covered in this chapter include the following:
Information security challenges
The ev
