Cybersecurity System Audits

Chapter 6 – Information Asset Protection

Objectives

  • Information Assets and Their Types
  • Information Security Management
  • Asset Classification and Asset Inventory
  • Data Classification
  • Access Control Management
  • Human Resource Security
  • Employee Life Cycle
  • Access Control
  • User Account Provisioning
  • IoT Security
  • 5G Security

Introduction to Information Assets

  • Information assets refer to the combination of information (data, tools, and software) and the systems (hardware and devices) that manage and process this information to achieve business objectives.
    • Information: Includes databases, software applications, and documentation critical for operations.
    • Information Systems: Comprises servers, workstations, mobile devices, network devices, IoT devices, and gateways.
  • These assets are integral to organizational workflows, enabling data processing, communication, and informed decision-making, thereby supporting business continuity and growth.

Types of Information Systems

  • Physical Components:
    • Servers: Store and process data for enterprise applications.
    • Workstations and Devices: Facilitate user access and interaction with systems.
    • IoT Devices: Enhance automation and real-time data collection.
  • Virtual Components:
    • Software Applications: Provide tools for data management and analysis.
    • Cloud-Based Platforms: Enable scalable and remote operations.

Information Security Management

  • Information Security Management (ISM) is a framework of policies, processes, and procedures aimed at protecting information assets and ensuring their confidentiality, integrity, and availability.
  • ISM serves as a foundation for maintaining trust, compliance, and operational excellence in the face of evolving cyber threats.
  • Security management is composed of a number of distinct and interrelated processes, including policy development and enforcement, risk management, and security awareness training.
  • Core Objectives:
    • Prevent unauthorized access and data breaches.
    • Mitigate vulnerabilities and threats.
    • Ensure resilience and continuity of operations.

Key Components of ISM

  • Policy Development and Enforcement:
    • Frameworks define acceptable practices and responsibilities.
    • Updates ensure relevance to emerging threats and regulations.
  • Risk Management:
    • Identifies, evaluates, and mitigates potential vulnerabilities.
    • Balances security priorities with business goals.
  • Incident and Vulnerability Management:
    • Incident response minimizes impact during breaches.
    • Proactive vulnerability management strengthens defenses.

Information Security Policies

  • An effective information security program depends upon a clear rule of law in the form of an information security policy. Security policies establish rules and guidelines for protecting information assets and systems.
    • Statement of Executive Support: Reinforces leadership commitment to security.
    • Roles and Responsibilities: Clarifies duties of stakeholders in safeguarding assets.
    • Acceptable Behavior: Outlines permitted, discouraged, and forbidden actions.
    • Enforcement and Consequences: Specifies disciplinary measures for non-compliance.
  • A comprehensive policy ensures consistency, compliance, and alignment with organizational objectives.

Security Awareness Programs

  • A formal security awareness program should include activities that will help employees better understand how information protection measures work and how they should be used.
    • Components:
      • Initial Training: Introduces security protocols to new hires.
      • Annual Refresher Courses: Updates employees on evolving threats and safeguards.
      • Signed Acknowledgements: Reinforces accountability for following security policies.
    • Delivery Methods:
      • Internal Websites: Provide easy access to resources.
      • Periodic Messages: Ensure timely dissemination of critical updates.
      • Posters and Flyers: Promote awareness in common areas.

Monitoring and Auditing Security Programs

  • In an organization’s information security program, several key areas need to be monitored and audited. This will help management better understand whether its security policies and controls are effective.
  • Security analysts and auditors should periodically test the organization’s policies and controls (including but not limited to its explicitly stated security controls) to see if they are working properly.
    • Regular monitoring ensures the effectiveness of security measures.
    • Auditing identifies gaps and provides recommendations for improvement.
  • Processes:
    • Test security controls, policies, and systems.
    • Review compliance with regulatory standards and internal guidelines.
  • Continuous monitoring and auditing strengthen the security framework and support long-term improvement.

Incident Response

  • A security incident is an event where the confidentiality, integrity, or availability of information (or an information system) has been or is in danger of being compromised.
  • An incident response plan addresses events that compromise the confidentiality, integrity, or availability of information systems.
  • Common Incidents:
    • Information Exposure or Theft: Loss of sensitive data due to weak controls.
    • System Damage or Destruction: Malware or attacks leading to disruptions.
    • Corruption of Data: Viruses or human errors affecting data reliability.
  • Response Plan:
    • Define roles and responsibilities for handling incidents.
    • Test the plan periodically to ensure effectiveness.

Corrective and Preventive Actions

  • Corrective and preventive actions are a part of a culture of continuous improvement. Organizations that adopt a culture of continuous improvement are more likely to have effective controls that protect assets.
  • They are the processes that address security failures and prevent their recurrence.
  • Features:
    • Corrective Actions: Resolve existing issues.
    • Preventive Actions: Mitigate risks before they occur.
  • Tracking Systems:
    • Simple spreadsheets or complex ticketing systems.
    • Ensure timely resolution and escalation of issues.

Business Alignment in Security Management

  • An effective security management program must align with the organization’s mission, strategies, and objectives to ensure consistency and efficiency.
  • Key Characteristics:
    • Board-Level Involvement: Directors monitor security metrics and impose requirements.
    • Executive Participation: Executives contribute to steering committees and program decisions.
    • Governance: Comprehensive executive control of security programs, aligning them with business functions.
    • Risk Tolerance: Aligning risk appetite with organizational goals ensures a balanced approach.
    • Employee Awareness: Staff should understand the role of security in supporting business goals.

Asset Inventory and Classification

  • Information and information systems both need to be inventoried.
    • This helps management continue to be aware of their existence so that they can be properly managed and protected.
    • The inventory of sensitive data supports an organization’s privacy program.
  • Information and information systems also need to be classified.
    • This will ensure that they will be properly handled according to their criticality, sensitivity, importance, and other criteria.

Components of Hardware Asset Inventory

Beyond simply listing assets, IT needs to acquire and track several characteristics about every hardware asset, including:

  • Essential Characteristics:
    • Identification: Track make, model, serial number, and asset tags.
    • Value: Record initial and depreciated value for financial alignment.
    • Location: Specify asset location for verification and inventory audits.
    • Condition: Note operational status and maintenance needs.
    • Ownership and Custodianship: Clarify asset control for accountability.
  • Verification:
    • Regular physical checks ensure inventory accuracy.
    • Audits identify unauthorized movements or theft, maintaining integrity.

Importance of Information Asset Classification

  • Why?
    • Sensitive information must be classified based on criticality, sensitivity, and regulatory requirements.
    • Examples: HIPAA for healthcare data, GDPR for personal data, and PCI-DSS for financial information.
  • Classification Levels:
    • Common levels include secret, restricted, confidential, and public.
    • Encryption, limited access, and secure disposal practices depend on the classification level.
  • Clear classification minimizes risks and ensures efficient resource use.

Table 6-1 Example of Information Handling Guidelines

| Category | Secret | Restricted | Confidential | Public |
|---|---|---|---|---|
| Example Information Types | Passwords, merger and acquisition plans and terms | Credit card numbers, bank account numbers, Social Security numbers, detailed financial records, detailed system configuration, vulnerability scan reports | System documentation, end-user documentation, internal memos, network diagrams | Brochures, press releases |
| Storage on Server | Must be encrypted, store only on servers labeled sensitive | Must be encrypted | Access controls required | Access controls required for update |
| Storage on Mobile Device | Must never be stored on mobile device | Must be encrypted | Access controls required | No restrictions |
| Storage in the Cloud | Must never be stored in the cloud | Must be encrypted | Access controls required | Access controls required for update |
| E-mail | Must never be e-mailed | Must be encrypted | Authorized recipients only | No restrictions |
| Web Site | Must never be stored on any web server | Must be encrypted | Access controls required | No restrictions |
| Fax | Encrypted, manned fax only | Manned fax only, no e-mail-based fax | Manned fax only | No restrictions |
| Courier and Shipment | Double wrapped, signature and secure storage required | Signature and secure storage required | Signature required | No restrictions |
| Hardcopy Storage | Double locked in authorized locations only | Double locked | Locked | No restrictions |
| Hardcopy Distribution | Only with owner permission, must be registered | To authorized parties only, only with owner permission | To authorized parties only | No restrictions |
| Hardcopy Destruction | Cross-cut shred, make a record of destruction | Cross-cut shred | Cross-cut shred or secure waste bin | No restrictions |
| Softcopy Destruction | Erase with DoD 5220.22-M spec tool | Erase with DoD 5220.22-M spec tool | Delete and empty recycle bin | No restrictions |

Access Control Management

  • Access control governs who can access systems and data, ensuring protection and compliance.
  • Key Processes:
    • Requests: Access is granted based on formal procedures with approvals.
    • Reviews: Periodic audits verify access validity and remove outdated permissions.
    • Transfers and Terminations: Adjust access based on role changes or employment status.
  • Effective management prevents unauthorized access and ensures accountability.
  • Access Control Logs track all access attempts, both successful and failed.
  • Requirements:
    • Logs must be tamper-proof and protected from unauthorized access.
    • Systems should automatically record user activity to enhance traceability.
  • Importance:
    • Provides evidence during audits and investigations.
    • Identifies patterns of misuse or suspicious activities.

Asset Inventory Verification

  • Periodic verification of physical and virtual assets ensures inventory accuracy.
  • Process:
    • Compare recorded inventory with actual assets.
    • Investigate discrepancies to identify unauthorized movements or theft.
  • Frequency:
    • High-value or sensitive assets may require monthly checks, while others can be verified annually.
  • A privacy program protects personal data from unauthorized access or misuse.
  • Key Elements:
    • Sensitive Data: Includes personal identifiers (e.g., SSN, financial data).
    • Compliance: Align practices with GDPR, CCPA, or other regulations.
    • Processes:
      • Specify data collection, usage, retention, and sharing policies.
      • Ensure consent is collected and documented.

Human Resource Security

  • Employees, while an asset, can introduce significant risks through negligence or malice.
  • Major Risks:
    • Mishandling of sensitive information.
    • Unauthorized access or misuse of IT systems.
  • Trust Factor:
    • Employees are entrusted with protecting organizational assets.
    • Employers reciprocate with fair treatment and clear expectations.
  • Background checks and screening verify candidate information to assess trustworthiness before hiring.
  • Elements:
    • Identity and employment verification.
    • Criminal and financial background checks.
    • Professional reference validation and social media reviews.
  • Recurring Checks:
    • Periodic checks for high-risk roles to identify new risks.

Job Descriptions and Employment Agreements

  • Job Descriptions:
    • Clearly outline roles, responsibilities, and compliance requirements.
    • Include adherence to security and privacy policies.
  • Employment Agreements:
    • Define duties, confidentiality, and compliance terms.
    • Specify consequences for violations and termination conditions.
  • Employee lifecycle management reduces insider threats and ensures compliance.
  • During Employment:
    • Periodic renewal of agreements reinforces policies.
    • Security training keeps employees updated on best practices.
  • Transfers and Terminations:
    • Adjust access rights promptly to prevent privilege accumulation.
    • Retrieve all organizational assets and revoke access upon termination.

Computer Crime and Cyber Crime

  • Roles of Computers in Crime:
    • Target: Theft of data or equipment.
    • Instrument: Used for hacking, phishing, or distributing malware.
    • Support: Used for recordkeeping or facilitating crimes.
  • Categories of Crime:
    • Financial, espionage, terrorism, and revenge-driven activities.
  • Financial Threats:
    • Ransomware, phishing, and account hijacking target sensitive information.
  • Reputational Damage:
    • Breaches damage trust and invite legal challenges.
  • Sabotage:
    • Attacks can disrupt operations and require costly recovery efforts.

Security Incident Management

  • A security incident is any event violating an organization's security policy. Examples include unauthorized access, malware infections, or data breaches.
  • Types of Security Incidents:
    • Computer Account Abuse: Sharing or stealing login credentials.
    • Network Trespass: Unauthorized network access via malware or bypassing credentials.
    • Interception of Information: Eavesdropping on sensitive communications using malware or sniffers.
  • Common Types of Security Incidents
    • Malware: Worms, viruses, and ransomware disrupt operations, damage systems, and steal sensitive data.
    • Ransomware: Encrypts sensitive data, demanding payment for decryption; often leads to data loss.
    • Denial-of-Service (DoS): Overwhelms networks, making them inaccessible.
    • Equipment Theft: Loss of physical devices containing sensitive information.
    • Sensitive Information Disclosure: Unauthorized sharing of confidential data.
    • Destructware: Targets data destruction and equipment damage (e.g., Stuxnet).

Developing Incident Response Plans

  • Formalize a strategy to manage and mitigate security incidents efficiently. A structured plan reduces downtime, limits damage, and ensures compliance during incidents.
  • Steps:
    • Policy Creation: Define monitoring and response protocols.
    • Roles and Responsibilities: Assign tasks across legal, IT, and business units.
    • Incident Procedures: Develop high-level and detailed playbooks for specific scenarios.
    • Training and Exercises: Prepare teams through regular simulations and drills.
  • Phases of Incident Response:
    1. Detection: Identifying incidents through alerts, logs, or external notifications.
    2. Initiation: Notifying response teams and beginning mitigation efforts.
    3. Evaluation: Analyzing the scope and impact using forensic tools.
    4. Containment: Preventing the incident from spreading further.
    5. Eradication: Removing malware, blocking intruders, or resolving vulnerabilities.
    6. Recovery: Restoring systems and data to pre-incident states.
    7. Closure and Review: Learning from incidents to improve future responses.

Prevention Strategies and Forensic Investigations

  • Preventive measures reduce incidents and their impact, ensuring operational continuity.
  • Major Components:
    • Vulnerability Management: Regularly identify and patch system weaknesses.
    • Threat Monitoring: Use advisories from sources like US-CERT and Bugtraq.
    • System Hardening: Disable non-essential features to reduce attack surfaces.
    • Advanced Anti-Malware Tools: Protect endpoints and servers with modern solutions.
    • Intrusion Detection Systems (IDS): Identify threats in real time.
  • Forensic Investigation is the process of gathering and analyzing evidence during security incidents for legal or internal purposes.
  • Steps Involved:
    • Data Acquisition: Securely collect data from systems, networks, or logs.
    • Analysis: Use specialized tools to identify the root cause and extent of breaches.
    • Presentation: Document findings in a clear, legally admissible format.
  • Chain of Custody:
    • Ensure data integrity through controlled handling and storage.
    • Maintain detailed records of evidence collection and access.

Logical Access Controls and Models

  • Logical access control (LAC) is a mechanism to manage and restrict access to systems and data based on user identity and permissions. Logical controls protect against unauthorized access and misuse.
  • Types:
    • Subject Access: Authentication (e.g., user ID and passwords) controls access.
    • Service Access: Firewalls and routers regulate data flow based on rules.
  • Concepts:
    • Least Privilege: Users have only the access needed for their roles.
    • Fail Closed/Open: Defines whether a control denies access (fail closed, favoring safety) or permits it (fail open, favoring availability) when the control itself fails.
  • Mandatory Access Control (MAC):
    • Centralized administration enforces strict access rules.
    • Advantages: High security, users cannot override settings.
    • Disadvantages: Limited flexibility for end-users.
  • Discretionary Access Control (DAC):
    • Object owners define access permissions.
    • Advantages: Flexible for collaborative environments.
    • Disadvantages: Increased risk of errors and misuse.
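An added example (not from the original notes) contrasting the two models in code: a mandatory check where a centrally assigned classification decides, and a discretionary check where the object owner decides. The lattice uses the four levels from Table 6-1 with assumed numeric ranks; the "no read up / no write down" rules are the Bell-LaPadula confidentiality rules, assumed here as the strict rule set the notes refer to.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Classification levels from Table 6-1, ranked low to high (ranks assumed).
LEVELS = {"public": 0, "confidential": 1, "restricted": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str       # highest level the subject may read


@dataclass
class MacObject:
    name: str
    classification: str  # assigned by central administration, not by users


def mac_can_read(subject: Subject, obj: MacObject) -> bool:
    """Mandatory rule 'no read up': clearance must dominate classification.
    Neither the object's creator nor the user can override this."""
    return LEVELS[subject.clearance] >= LEVELS[obj.classification]


def mac_can_write(subject: Subject, obj: MacObject) -> bool:
    """Mandatory rule 'no write down': a subject may only write at or above
    its own level, so secret content cannot flow into a public document."""
    return LEVELS[obj.classification] >= LEVELS[subject.clearance]


@dataclass
class DacObject:
    name: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, granter: str, user: str, perm: str) -> bool:
        """Discretionary rule: only the owner may change permissions, but the
        owner may grant anything, which is where errors and misuse creep in."""
        if granter != self.owner:
            return False
        self.acl.setdefault(user, set()).add(perm)
        return True

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


def demo() -> Dict[str, bool]:
    """Constructed scenario: an analyst cleared to 'confidential', a CISO
    cleared to 'secret', a secret merger plan and a public brochure."""
    analyst = Subject("analyst", "confidential")
    ciso = Subject("ciso", "secret")
    plan = MacObject("merger-plan", "secret")
    brochure = MacObject("brochure", "public")
    shared_plan = DacObject("merger-plan.docx", owner="ciso")
    return {
        "mac_analyst_reads_plan": mac_can_read(analyst, plan),      # False
        "mac_ciso_reads_plan": mac_can_read(ciso, plan),            # True
        "mac_ciso_writes_brochure": mac_can_write(ciso, brochure),  # False
        "mac_analyst_writes_plan": mac_can_write(analyst, plan),    # True
        "dac_analyst_grants_self": shared_plan.grant("analyst", "analyst", "read"),  # False
        "dac_owner_grants_analyst": shared_plan.grant("ciso", "analyst", "read"),    # True
        "dac_analyst_reads_plan": shared_plan.allows("analyst", "read"),            # True
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last three results show the DAC trade-off the notes describe: the same analyst the MAC lattice refuses can read the secret plan as soon as its owner chooses to grant it.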

Access Control Threats

  • Access control threats represent the intent and ability to harm assets by bypassing, defeating, or exploiting access controls.
  • Threats often target these mechanisms because of their critical role in safeguarding assets.
  • Identifying and mitigating threats is vital for robust access control systems.
  • Examples of Threats:
    • Malware: Exploits system weaknesses to steal credentials or disable controls.
    • Eavesdropping: Monitors network traffic to intercept sensitive information.
    • Logic Bombs: Code inserted during development, triggered to cause damage.
    • Scanning Attacks: Active or passive identification of system vulnerabilities.
    • Race Conditions: Exploiting timing gaps between resource requests and availability.

Vulnerabilities in Access Controls

  • Common Vulnerabilities:
    • Unpatched Systems: Lacking security updates, exposing known weaknesses.
    • Default Settings: Pre-configured services or access permissions increasing exposure.
    • Default Passwords: Failure to change pre-set administrative credentials.
    • Incorrect Permissions: Overly permissive settings allowing unauthorized modifications.
  • Countermeasures:
    • Patch Management: Regularly update software to fix known vulnerabilities.
    • Hardening: Disable unnecessary services and apply security configurations.
  • Software Vulnerabilities: Applications or tools may have exploitable flaws, such as:
    • Inadequate Input Validation: Permits SQL injection or buffer overflow attacks.
    • Session Management Flaws: Allow session hijacking or unauthorized access.
    • Logic Flaws: Poor implementation of authentication or access rules.
  • Best Practices:
    • Security Audits: Regular testing of applications and utilities for vulnerabilities.
    • Input Validation: Ensures data integrity and prevents exploitation.

User Account Provisioning

  • The process of creating and managing user accounts to grant appropriate access to resources.
  • Initial Password Challenges:
    • Security Concerns: Passwords should never be shared via unsecured methods like email or instant messages.
    • Best Practice: Use a one-time password (OTP) for initial access, requiring users to reset it on first use.
  • Factors Influencing Password Delivery:
    • User Location: Nearby users can receive passwords in person; remote users may receive passwords securely over the phone.
    • System Limitations: Some systems lack functionality for expiring initial-use passwords.
    • Data Sensitivity: More secure methods should be used for high-value data.

Password Risks and MFA

  • Password-based authentication is common but susceptible to numerous risks.
  • Risks:
    • Eavesdropping: Captures passwords transmitted in plaintext over a network.
    • Key Logging: Malware records typed credentials for unauthorized use.
    • Phishing: Deceptive emails trick users into revealing credentials.
    • Written Passwords: Paper notes can be found and misused.
    • Stored Passwords: Password files on workstations are prone to discovery.
    • Browser Exploits: Vulnerabilities may allow access to saved passwords.
  • Multifactor authentication (MFA) authenticates a user with a combination of:
    • Something You Know: User ID and password.
    • Something You Have: A token or smart card.
    • Something You Are: Biometric data.
  • Types of MFA:
    • Hardware Tokens: Devices displaying one-time codes.
    • Soft Tokens: Mobile apps generating time-based codes.
    • SMS Tokens: One-time codes sent via text.
    • Smart Cards: Devices containing encrypted authentication data.
    • Digital Certificates: Electronic documents binding identity and encryption keys.
    • Biometrics: Fingerprints, iris scans, or facial recognition.

Backup and Best Practices

  • Backup Media Risks: Loss, theft, or damage during transportation.
  • E-Vaulting: Cloud-based backups simplify management and reduce administrative overhead.
  • Restoration Testing: Periodic tests ensure backups are functioning and recoverable.
  • Media Inventory: Regular checks of backup volumes to ensure all are accounted for.
  • Best Practices:
    • Provisioning: Use secure methods for initial passwords and enforce changes upon first use.
    • Authentication: Move beyond static passwords with MFA and biometrics.
    • Access Logging: Monitor and secure log files to detect and prevent misuse.
    • Backups: Ensure data integrity with frequent backups, off-site storage, and encryption.
    • SSO and ACLs: Streamline access while maintaining strict control over permissions.

Patch Management

Patch management is the process of acquiring, testing, and deploying software patches to keep systems updated and secure.

  • Purpose:
    • Fix known vulnerabilities.
    • Enhance functionality and system stability.
  • Approaches:
    • Install All Patches: Ensures all vulnerabilities are addressed but risks system instability.
    • Selective Patching: Requires risk analysis for each patch to determine urgency and applicability.
  • Best Practices:
    • Test patches in a non-production environment before deployment.
    • Use patch management tools to automate and monitor patch application.

Vulnerability and Threat Management

  • Vulnerability management (VM) is a continuous process of identifying, assessing, and mitigating IT vulnerabilities. It comprises:
    • Security Alerts: Subscribe to vendor and independent sources (e.g., US-CERT, Secunia) for vulnerability updates.
    • System Hardening: Enforce standards to minimize attack surfaces.
    • Vulnerability Scanning: Regularly scan systems to detect and rank vulnerabilities.
    • Patch Management: Proactively apply updates and validate through scans.
    • Corrective Actions: Use incident tracking systems to document and address vulnerabilities.
  • Threat management identifies and mitigates potential threats through analysis and proactive measures.
    • Internal Sources: Security tools like IPS, firewalls, and DLP systems for threat detection.
    • External Sources: Subscribe to threat intelligence feeds to stay updated on global threats.
  • Processes:
    • Threat Hunting: Proactively searching for indicators of compromise (IOCs).
    • Threat Modeling: Analyzing potential threats and their impacts.

System Hardening and Virtualization Security

  • System hardening configures systems to minimize vulnerabilities and resist attacks.
  • Principles:
    • Single-Function Servers: Isolate functions to reduce risks.
    • Remove Unnecessary Services: Reduce the attack surface by disabling unused features.
    • Limit Privileges: Apply the principle of least privilege to services and accounts.
    • Change Default Passwords: Prevent easy exploitation by attackers.
    • Nonessential Accounts: Remove or disable unused accounts to reduce risks.
  • Examples:
    • Disable “guest” accounts.
    • Use service accounts without interactive login permissions.
  • Virtualization security hardens virtualization environments to reduce risk.
  • Key Measures:
    • Limit physical access and enable monitoring.
    • Use encrypted remote administration like SSH.
    • Regularly patch hypervisors and guest OSs.
    • Back up virtual machines and monitor logs for anomalies.

Password Management and Forgotten Password Solutions

  • Passwords remain a critical layer of defense for access management.
  • Challenges: Forgotten passwords, account lockouts, and password reuse increase operational burden.
  • Password Controls:
    • Length: Minimum 8 characters; encourage passphrases.
    • Complexity: Require a mix of letters, numbers, and symbols.
    • Expiration: Rotate passwords periodically (e.g., 90 days).
    • Lockout Thresholds: Lock the account after 4–10 failed attempts to slow brute-force attacks.
  • Solution Methods:
    • Self-Service: Reset via secret questions or emailed links.
    • Assisted Reset: Service desk verifies identity before issuing a new password.
  • Best Practices:
    • Avoid sharing or emailing passwords directly.
    • Require immediate password changes after resets.
    • Secure and monitor reset systems to prevent unauthorized use.
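An added example (not from the original notes) tying together the User Account Provisioning rules earlier on this page and the password controls in this section: a random one-time initial password that must be changed on first use and expires if unused, a length and complexity check, a 90-day maximum age, a lockout after repeated failures, and an assisted reset that again forces an immediate change. The 24-hour initial-password lifetime and the lockout threshold of 5 are assumed values within the ranges the notes give; the fixed clock NOW is for reproducibility.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

MIN_LENGTH = 8                              # notes: minimum 8 characters
MAX_AGE = timedelta(days=90)                # notes: rotate every 90 days
LOCKOUT_THRESHOLD = 5                       # assumed, within the notes' 4-10
INITIAL_PASSWORD_TTL = timedelta(hours=24)  # assumed; notes give no value
NOW = datetime(2024, 1, 1, 9, 0, 0)         # fixed clock for the example


def days(n: float) -> timedelta:
    return timedelta(days=n)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_meets_policy(password: str) -> bool:
    """Length plus a mix of letters, digits and symbols, as the notes require."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return len(password) >= MIN_LENGTH and has_letter and has_digit and has_symbol


@dataclass
class Account:
    user: str
    salt: bytes
    pw_hash: bytes
    set_at: datetime
    must_change: bool = True                 # initial password is one-time only
    initial_expires: Optional[datetime] = None
    failed: int = 0
    locked: bool = False


def provision(user: str, now: datetime) -> Tuple[Account, str]:
    """Create the account with a random one-time initial password. The clear
    text is returned once for out-of-band delivery (in person or by phone,
    never e-mail) and is not stored anywhere."""
    initial = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    acct = Account(user, salt, _hash(initial, salt), now,
                   initial_expires=now + INITIAL_PASSWORD_TTL)
    return acct, initial


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Return one of: locked, fail, expired, must_change, ok."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed += 1
        if acct.failed >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "fail"
    acct.failed = 0
    if acct.initial_expires is not None and now > acct.initial_expires:
        return "expired"          # unused initial password: re-provision
    if acct.must_change or now - acct.set_at > MAX_AGE:
        return "must_change"      # first use, after a reset, or past 90 days
    return "ok"


def change_password(acct: Account, old: str, new: str, now: datetime) -> bool:
    """Needs a valid old password and a policy-compliant new one that differs
    from it; clears the one-time and expiry flags and restarts the 90 days."""
    if authenticate(acct, old, now) not in ("ok", "must_change"):
        return False
    if new == old or not password_meets_policy(new):
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new, acct.salt)
    acct.set_at = now
    acct.must_change = False
    acct.initial_expires = None
    return True


def service_desk_reset(acct: Account, now: datetime) -> str:
    """Assisted reset after the desk has verified identity: issue a fresh
    one-time password that must be changed immediately, and clear the lockout."""
    temp = secrets.token_urlsafe(12)
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(temp, acct.salt)
    acct.set_at = now
    acct.must_change = True
    acct.initial_expires = now + INITIAL_PASSWORD_TTL
    acct.failed = 0
    acct.locked = False
    return temp
```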

Protecting Mobile Computing

  • Laptop Controls:
    • Whole-disk encryption, firewalls, advanced anti-malware.
    • Policies on physical security (e.g., cable locks, employee-only access).
  • BYOD Challenges: Employee-owned devices increase risks.
  • Mobile Device Management (MDM):
    • Remote wipe capabilities.
    • Encryption enforcement.
    • Application download restrictions.

Advanced Security Measures

  • Web Content Filtering:
    Block access to harmful or unproductive websites.
  • Data Loss Prevention (DLP):
    Detect and block unauthorized data transfers.
  • Application Whitelisting:
    Allow only approved software to run on systems.
  • NetFlow Analysis:
    Monitor traffic patterns to detect anomalies.
  • Microsegmentation:
    Isolate individual hosts to limit malware spread.

IoT Security

  • Why?
    • Increased deployment in industries like healthcare (patient monitors), manufacturing (IP-connected machinery), and utilities (remote control systems).
    • Consumer IoT: "Smart" appliances such as refrigerators, thermostats, and cameras.
  • Challenges:
    • Vulnerabilities by Design: Limited ability to update security configurations.
    • Privilege Escalation: Potential for lateral movement within networks.
    • Microsegmentation: Essential to isolate IoT devices and limit cross-device vulnerabilities.
  • Best Practices:
    • Monitor segmentation points for potential attacks.
    • Implement firmware updates and disable unused services where possible.

Securing 5G Networks

  • Technology Advantages:
    • Increased bandwidth (up to 500 Mbit/sec).
    • Supports a massive proliferation of IoT devices.
  • Security Implications:
    • Expanded attack surfaces for DDoS attacks, data exfiltration, and over-the-air malware delivery.
  • Mitigation Strategies:
    • Embed IoT devices in segmented, monitored networks.
    • Employ AI-driven threat detection for real-time responses.
    • Harden devices with firmware updates and strict access policies.