Chapter 5: Security Operations

Understand Data Security

Data Handling

Data itself goes through its own life cycle as users create, use, share and modify
it. Many different models of the life of a data item can be found, but they all
have some basic operational steps in common. The data security life cycle
model is useful because it can align easily with the different roles that people
and organizations perform during the evolution of data from creation to
destruction (or disposal). It also helps put the different data states of in use,
at rest and in motion, into context. Let’s take a closer look.

All ideas, data, information or knowledge can be thought of as going through

six major sets of activities throughout its lifetime. Conceptually, these involve:

Data Handling Practices

Data itself has value and must be handled appropriately. In this section, we
will explore the basics of classifying and labeling data to ensure it is treated
and controlled in a manner consistent with the sensitivity of the data. In
addition, we will complete the data life cycle by documenting retention
requirements and ensuring data that is no longer in use is destroyed.

Classification

Businesses recognize that information has value and others might steal their
advantage if the information is not kept confidential, so they classify it. These
classifications dictate rules and restrictions about how that information can be
used, stored or shared with others. All of this is done to keep the temporary
value and importance of that information from leaking away. Classification of
data, which asks the question “Is it secret?” determines the labeling, handling
and use of all data.

Before any labels can be attached to sets of data that indicate its sensitivity or
handling requirements, the potential impact or loss to the organization needs
to be assessed. This is our first definition: Classification is the process of
recognizing the organizational impacts if the information suffers any security
compromises related to its characteristics of confidentiality, integrity and
availability. Information is then labeled and handled accordingly.

Classifications are derived from laws, regulations, contract-specified standards

or other business expectations. One classification might indicate “minor, may
disrupt some processes” while a more extreme one might be “grave, could lead
to loss of life or threaten ongoing existence of the organization.” These
descriptions should reflect the ways in which the organization has chosen (or
been mandated) to characterize and manage risks.

The immediate benefit of classification is that it can lead to more efficient

design and implementation of security processes, if we can treat the protection
needs for all similarly classified information with the same controls strategy.

Labeling

Security labels are part of implementing controls to protect classified

information. It is reasonable to want a simple way of assigning a level of
sensitivity to a data asset, such that the higher the level, the greater the
presumed harm to the organization, and thus the greater security protection
the data asset requires. This spectrum of needs is useful, but it should not be
taken to mean that clear and precise boundaries exist between the use of “low
sensitivity” and “moderate sensitivity” labeling, for example.

Data Sensitivity Levels and Labels

Unless otherwise mandated, organizations are free to create classification

systems that best meet their own needs. In professional practice, it is typically
best if the organization has enough classifications to distinguish between sets
of assets with differing sensitivity/value, but not so many classifications that
the distinction between them is confusing to individuals. Typically, two or three
classifications are manageable, and more than four tend to be difficult.

 Highly restricted: Compromise of data with this sensitivity label could

possibly put the organization’s future existence at risk. Compromise
could lead to substantial loss of life, injury or property damage, and the
litigation and claims that would follow.
 Moderately restricted: Compromise of data with this sensitivity label
could lead to loss of temporary competitive advantage, loss of revenue
or disruption of planned investments or activities.
 Low sensitivity (sometimes called “internal use only”): Compromise of
data with this sensitivity label could cause minor disruptions, delays or
impacts.
 Unrestricted public data: As this data is already published, no harm can
come from further dissemination or disclosure.

Retention

Information and data should be kept only for as long as it is beneficial, no more
and no less. For various types of data, certain industry standards, laws and
regulations define retention periods. When such external requirements are not
set, it is an organization’s responsibility to define and implement its own data
retention policy. Data retention policies are applicable both for hard copies and
for electronic data, and no data should be kept beyond its required or useful
life. Security professionals should ensure that data destruction is being
performed when an asset has reached its retention limit. For the security
professional to succeed in this assignment, an accurate inventory must be
maintained, including the asset location, retention period requirement, and
destruction requirements. Organizations should conduct a periodic review of
retained records in order to reduce the volume of information stored and to
ensure that only necessary information is preserved.

Records retention policies indicate how long an organization is required to

maintain information and assets. Policies should guarantee that:

 Personnel understand the various retention requirements for data of

different types throughout the organization.
 The organization appropriately documents the retention requirements
for each type of information.
 The systems, processes and individuals of the organization retain
information in accordance with the required schedule but no longer.

A common mistake in records retention is applying the longest retention period

to all types of information in an organization. This not only wastes storage but
also increases risk of data exposure and adds unnecessary “noise” when
searching or processing information in search of relevant records. It may also
be in violation of externally mandated requirements such as legislation,
regulations or contracts (which may result in fines or other judgments). Records
and information no longer mandated to be retained should be destroyed in
accordance with the policies of the enterprise and any appropriate legal
requirements that may need to be considered.

Destruction

Data that might be left on media after deleting is known as remanence and may
be a significant security concern. Steps must be taken to reduce the risk that
data remanence could compromise sensitive information to an acceptable
level. This can be done by one of several means:

 Clearing the device or system, which usually involves writing multiple

patterns of random values throughout all storage media (such as main
memory, registers and fixed disks). This is sometimes called
“overwriting” or “zeroizing” the system, although writing zeros has the
 risk that a missed block or storage extent may still contain recoverable,
sensitive information after the process is completed.
 Purging the device or system, which eliminates (or greatly reduces) the
chance that residual physical effects from the writing of the original data
values may still be recovered, even after the system is cleared. Some
magnetic disk storage technologies, for example, can still have residual
“ghosts” of data on their surfaces even after being overwritten multiple
times. Magnetic media, for example, can often be altered sufficiently to
meet security requirements; in more stringent cases, degaussing may not
be sufficient.
 Physical destruction of the device or system is the ultimate remedy to
data remanence. Magnetic or optical disks and some flash drive
technologies may require being mechanically shredded, chopped or
broken up, etched in acid or burned; their remains may be buried in
protected landfills, in some cases.

In many routine operational environments, security considerations may accept

that clearing a system is sufficient. But when systems elements are to be
removed and replaced, either as part of maintenance upgrades or for disposal,
purging or destruction may be required to protect sensitive information from
being compromised by an attacker.

Logging and Monitoring Security Events

Logging is the primary form of instrumentation that attempts to capture signals

generated by events. Events are any actions that take place within the systems
environment and cause measurable or observable change in one or more
elements or resources within the system. Logging imposes a computational cost
but is invaluable when determining accountability. Proper design of logging
environments and regular log reviews remain best practices regardless of the
type of computer system.

Major controls frameworks emphasize the importance of organizational logging

practices. Information that may be relevant to being recorded and reviewed
include (but is not limited to):
  user IDs.
 system activities.
 dates/times of key events (e.g., logon and logoff).
 device and location identity.
 successful and rejected system and resource access attempts.
 system configuration changes and system protection activation and
deactivation events.

Logging and monitoring the health of the information environment is essential

to identifying inefficient or improperly performing systems, detecting
compromises and providing a record of how systems are used. Robust logging
practices provide tools to effectively correlate information from diverse
systems to fully understand the relationship between one activity and another.

Log reviews are an essential function not only for security assessment and
testing but also for identifying security incidents, policy violations, fraudulent
activities and operational problems near the time of occurrence. Log reviews
support audits – forensic analysis related to internal and external investigations
– and provide support for organizational security baselines. Review of historic
audit logs can determine if a vulnerability identified in a system has been
previously exploited.

It is helpful for an organization to create components of a log management

infrastructure and determine how these components interact. This aids in
preserving the integrity of log data from accidental or intentional modification
or deletion and in maintaining the confidentiality of log data.

Controls are implemented to protect against unauthorized changes to log

information. Operational problems with the logging facility are often related to
alterations to the messages that are recorded, log files being edited or deleted,
and storage capacity of log file media being exceeded. Organizations must
maintain adherence to retention policy for logs as prescribed by law,
regulations and corporate governance. Since attackers want to hide the
evidence of their attack, the organization’s policies and procedures should also
address the preservation of original logs. Additionally, the logs contain valuable
and sensitive information about the organization. Appropriate measures must
be taken to protect the log data from malicious use.

Data Security Event Example

Here is a data security event example. It’s a raw log, and it is one way to see if
someone tried to break into a secure file and hijack the server. Of course, there
are other systems now that are a little more user-friendly. But security
engineers get very familiar with some of these codes and can figure out exactly
who was trying to log it, was it a secure port or a questionable port that they
were trying to use to penetrate our site.

Information security is not something that you just plug in as needed. You can
have some patching on a system that already exists, such as updates, but if you
don’t have a secure system, you can’t just plug in something to protect it. From
the very beginning, we need to plan for that security, even before the data is
introduced into the network.

Event Logging Best Practices

Different tools are used depending on whether the risk from the attack is from
traffic coming into or leaving the infrastructure. Ingress monitoring refers to
surveillance and assessment of all inbound communications traffic and access
attempts. Devices and tools that offer logging and alerting opportunities for
ingress monitoring include:

 Firewalls.
 Gateways.
 Remote authentication servers.
 IDS/IPS tools.
 SIEM solutions.
 Anti-malware solutions.

Egress monitoring is used to regulate data leaving the organization’s IT

environment. The term currently used in conjunction with this effort is data
loss prevention (DLP) or data leak protection. The DLP solution should be
deployed so that it can inspect all forms of data leaving the organization,
including:

 Email (content and attachments).

 Copy to portable media.
 File Transfer Protocol (FTP).
 Posting to web pages/websites.
 Applications/application programming interfaces (APIs).

Encryption Overview

Almost every action we take in our modern digital world involves cryptography.
Encryption protects our personal and business transactions; digitally signed
software updates verify their creator’s or supplier’s claim to authenticity.
Digitally signed contracts, binding on all parties, are routinely exchanged via
email without fear of being repudiated later by the sender.

Cryptography is used to protect information by keeping its meaning or content

secret and making it unintelligible to someone who does not have a way to
decrypt (unlock) that protected information. The objective of every encryption
system is to transform an original set of data, called the plaintext, into an
otherwise unintelligible encrypted form, called the ciphertext.

Properly used, singly or in combination, cryptographic solutions provide a range

of services that can help achieve required systems security postures in many
ways:

 Confidentiality: Cryptography provides confidentiality by hiding or

obscuring a message so that it cannot be understood by anyone except
the intended recipient. Confidentiality keeps information secret from
those who are not authorized to have it.
 Integrity: hash functions and digital signatures can provide integrity
services that allow a recipient to verify that a message has not been
altered by malice or error. These include simple message integrity
controls. Any changes, deliberate or accidental, will result in the two
results (by sender and by recipient) being different.
An encryption system is the set of hardware, software, algorithms, control
parameters and operational methods that provide a set of encryption services.

Plaintext is the data or message in its normal, unencrypted form and format.
Its meaning or value to an end user (a person or a process) is immediately
available for use.

Plaintext can be:

 image, audio or video files in their raw or compressed forms.

 human-readable text and numeric data, with or without markup
language elements for formatting and metadata.
 database files or records and fields within a database.
 or anything else that can be represented in digital form for computer
processing, transmission and storage.

It is important to remember that plaintext can be anything—much of which is

not readable to humans in the first place.

Symmetric Encryption

The central characteristic of a symmetric algorithm is that it uses the same key
in both the encryption and the decryption processes. It could be said that the
decryption process is just a mirror image of the encryption process. This image
displays how symmetric algorithms work.
The same key is used for both the encryption and decryption processes. This
means that the two parties communicating need to share knowledge of the
same key. This type of algorithm protects data, as a person who does not have
the correct key would not be able to read the encrypted message. Because the
key is shared, however, this can lead to several other challenges:

 If two parties suspect a specific communication path between them is

compromised, they obviously can't share key material along that path.
Someone who has compromised communications between the parties
would also intercept the key.
 Distribution of the key is difficult, because the key cannot be sent in the
same channel as the encrypted message, or the man-in-the-middle
(MITM) would have access to the key. Sending the key through a different
channel (band) than the encrypted message is called out-of-band key
distribution. Examples of out-of-band key distribution would include
sending the key via courier, fax or phone.
 Any party with knowledge of the key can access (and therefore change)
the message.
 Each individual or group of people wishing to communicate would need
to use a different key for each individual or group they want to connect
with. This raises the challenge of scalability — the number of keys
needed grows quickly as the number of different users or groups
increases. Under this type of symmetric arrangement, an organization of
1,000 employees would need to manage 499,500 keys if every employee
wanted to communicate confidentially with every other employee.
Primary uses of symmetric algorithms:

 Encrypting bulk data (backups, hard drives, portable media).

 Encrypting messages traversing communications channels (IPsec, TLS).
 Streaming large-scale, time-sensitive data (audio/video materials,
gaming, etc.).

Other names for symmetric algorithms, which you may encounter, include:

 Same key.
 Single key.
 Shared key.
 Secret key.
 Session key.

An example of symmetric encryption is a substitution cipher, which involves the

simple process of substituting letters for other letters, or more appropriately,
substituting bits for other bits, based upon a cryptovariable. These ciphers
involve replacing each letter of the plaintext with another that may be further
down the alphabet.

Asymmetric Encryption

Asymmetric encryption uses one key to encrypt and a different key to decrypt
the input plaintext. This is in stark contrast to symmetric encryption, which
uses the same key to encrypt and decrypt. For most security professionals, the
math of asymmetric encryption can be left to the cryptanalysts and
cryptographers to know.

A user wishing to communicate using an asymmetric algorithm would first

generate a key pair. To ensure the strength of the key generation process, this
is usually done by the cryptographic application or the public key infrastructure
(PKI) implementation without user involvement. One half of the key pair is kept
secret; only the key holder knows that key. This is why it is called the private
key. The other half of the key pair can be given freely to anyone who wants a
copy. In many companies, it may be available through the corporate website or
access to a key server. Therefore, this second half of the key pair is referred to
as the public key.

Note that anyone can encrypt something using the recipient’s public key, but
only the recipient —with their private key—can decrypt it.

Asymmetric key cryptography solves the problem of key distribution by allowing

a message to be sent across an untrusted medium in a secure manner without
the overhead of prior key exchange or key material distribution. It also allows
for several other features not readily available in symmetric cryptography, such
as the non-repudiation of origin and delivery, access control and data integrity.

Asymmetric key cryptography also solves the problem of scalability. It does

scale well as numbers increase, as each party only requires a key pair, the
private and public keys. An organization with 100,000 employees would only
need a total of 200,000 keys (one private and one public for each employee).
This is less than half of the number of keys that would be required for symmetric
encryption.

The problem, however, has been that asymmetric cryptography is extremely

slow compared with its symmetric counterpart. Asymmetric cryptography is
impractical for everyday use in encrypting large amounts of data or for frequent
transactions where speed is required. This is because asymmetric key
cryptography is handling much larger keys and is mathematically intensive,
thereby reducing the speed significantly.
Let’s look at an example that illustrates the use of asymmetric cryptography to
achieve different security attributes.

The two keys (private and public) are a key pair; they must be used together.
This means that any message that is encrypted with a public key can only be
decrypted with the corresponding other half of the key pair, the private key.
Similarly, signing a message with a sender’s private key can only be verified by
the recipient decrypting its signature with the sender’s public key. Therefore,
as long as the key holder keeps the private key secure, there exists a method
of transmitting a message confidentially. The sender would encrypt the message
with the public key of the receiver. Only the receiver with the private key would
be able to open or read the message, providing confidentiality.

This image shows how asymmetric encryption can be used to send a confidential
message across an untrusted channel.

Hashing

Hashing takes an input set of data (of almost arbitrary size) and returns a fixed-
length result called the hash value. A hash function is the algorithm used to
perform this transformation. When used with cryptographically strong hash
algorithms, this is the most common method of ensuring message integrity
today.

Hashes have many uses in computing and security, one of which is to create a
message digest by applying such a hash function to the plaintext body of a
message.
To be useful and secure, a cryptographic hash function must demonstrate five
main properties:

 Useful: It is easy to compute the hash value for any given message.
 Nonreversible: It is computationally infeasible to reverse the hash
process or otherwise derive the original plaintext of a message from its
hash value (unlike an encryption process, for which there must be a
corresponding decryption process).
 Content integrity assurance: It is computationally infeasible to modify a
message such that re-applying the hash function will produce the original
hash value.
 Unique: It is computationally infeasible to find two or more different,
sensible messages that hash to the same value.
 Deterministic: The same input will always generate the same hash, when
using the same hashing algorithm.

Cryptographic hash functions have many applications in information security,

including digital signatures, message authentication codes and other forms of
authentication. They can also be used for fingerprinting, to detect duplicate
data or uniquely identify files, and as checksums to detect accidental data
corruption. The operation of a hashing algorithm is demonstrated in this image.

This is an example of a simple hashing function. The originator wants to send a

message to the receiver and ensure that the message is not altered by noise or
lost packets as it is transmitted. The originator runs the message through a
hashing algorithm that generates a hash, or a digest of the message. The digest
is appended to the message and sent together with the message to the
recipient. Once the message is delivered, the receiver will generate their own
digest of the received message (using the same hashing algorithm). The digest
of the received message is compared with the digest sent by the originator. If
the digests are the same, the received message is the same as the sent message.

The problem with a simple hash function like this is that it does not protect
against a malicious attacker that would be able to change both the message
and the hash/digest by intercepting it in transit. The general idea of a
cryptographic hash function can be summarized with the following formula:
variable data input + hashing algorithm

= fixed bit size data output (the digest)

As seen in this image, even the slightest change in the input message results in
a completely different hash value.

Hash functions are very sensitive to any changes in the message. Because the
size of the hash digest does not vary according to the size of the message, a
person cannot tell the size of the message based on the digest.
Hashing Deep Dive

Hashing puts data through a hash function or algorithm to create an

alphanumeric set of figures, or a digest, that means nothing to people who
might view it. No matter how long the input is, the hash digest will be the same
number of characters. Any minor change in the input, a misspelling, or upper
case or lower case, will create a completely different hash digest. So you can
use the hash digest to confirm that the input exactly matches what is expected
or required, for instance, a password.

For example, we pay our rent through automatic withdrawal, and it’s $5,000 a
month. Perhaps someone at the bank or at the rental office thinks they can just
change it to $50,000 and keep the extra money. They think no one will notice
if they just add another zero to the number. However, that change will
completely change the digest. Since the digest is different, it will indicate that
someone corrupted the information by changing the value of the automatic
withdrawal, and it will not go through. Hashing is an extra layer of defense.

Before we go live with a software product provided by a third party, for

instance, we have to make sure no one has changed anything since it was tested
by you and the programmer. They will usually send you the digest of their code
and you compare that to the original. This is also known as a Checksum. If you
see a discrepancy, that means something has changed. Then the security coders
will compare the original one and the new one, and sometimes it’s very tedious,
but they have software that can do it for them. If it’s something a little more
intricate, they may need to go line by line and find out where the bugs are or
if some lines need to be fixed. Often these problems are not intentional; they
sneak in when you are making final adjustments to the software.

An incident occurred at the University of Florida many years ago, where a very
reputable software source, Windows 2000 or Millennium, was provided to
50,000 students via CD-ROMs, and the copies were compromised. The problems
were detected when the digests did not match on a distribution file.
Configuration Management Overview

Configuration management is a process and discipline used to ensure that the

only changes made to a system are those that have been authorized and
validated. It is both a decision-making process and a set of control processes.
If we look closer at this definition, the basic configuration management process
includes components such as identification, baselines, updates and patches.

Identification

Baseline identification of a system and all its components, interfaces and

documentation.

Baseline

A security baseline is a minimum level of protection that can be used as a

reference point. Baselines provide a way to ensure that updates to technology
and architectures are subjected to the minimum understood and acceptable
level of security requirements.

Change Control

An update process for requesting changes to a baseline, by means of making

changes to one or more components in that baseline. A review and approval
process for all changes. This includes updates and patches.
Verification and Audit

A regression and validation process, which may involve testing and analysis, to
verify that nothing in the system was broken by a newly applied set of changes.
An audit process can validate that the currently in-use baseline matches the
sum total of its initial baseline plus all approved changes applied in sequence.

Understand Best Practice Security Policies

All policies must support any regulatory and contractual obligations of the
organization. Sometimes it can be challenging to ensure the policy
encompasses all requirements while remaining simple enough for users to
understand.

Here are six common security-related policies that exist in most organizations.

Data Handling Policy

Appropriate use of data: This aspect of the policy defines whether data is for
use within the company, is restricted for use by only certain roles or can be
made public to anyone outside the organization. In addition, some data has
associated legal usage definitions. The organization’s policy should spell out any
such restrictions or refer to the legal definitions as required. Proper data
classification also helps the organization comply with pertinent laws and
regulations. For example, classifying credit card data as confidential can help
ensure compliance with the PCI DSS. One of the requirements of this standard
is to encrypt credit card information. Data owners who correctly defined the
encryption aspect of their organization’s data classification policy will require
that the data be encrypted according to the specifications defined in this
standard.

Password Policy

Every organization should have a password policy in place that defines

expectations of systems and users. The password policy should describe senior
leadership's commitment to ensuring secure access to data, outline any
standards that the organization has selected for password formulation, and
identify who is designated to enforce and validate the policy.
Acceptable Use Policy (AUP)

The acceptable use policy (AUP) defines acceptable use of the organization’s
network and computer systems and can help protect the organization from legal
action. It should detail the appropriate and approved usage of the
organization’s assets, including the IT environment, devices and data. Each
employee (or anyone having access to the organization’s assets) should be
required to sign a copy of the AUP, preferably in the presence of another
employee of the organization, and both parties should keep a copy of the signed
AUP.

Policy aspects commonly included in AUPs:

 Data access.
 System access.
 Data disclosure.
 Passwords.
 Data retention.
 Internet usage.
 Company device usage.

Bring Yout Own Device (BYOD) Policy

An organization may allow workers to acquire equipment of their choosing and

use personally owned equipment for business (and personal) use. This is
sometimes called bring your own device (BYOD). Another option is to present
the teleworker or employee with a list of approved equipment and require the
employee to select one of the products on the trusted list.

Letting employees choose the device that is most comfortable for them may be
good for employee morale, but it presents additional challenges for the security
professional because it means the organization loses some control over
standardization and privacy. If employees are allowed to use their phones and
laptops for both personal and business use, this can pose a challenge if, for
example, the device has to be examined for a forensic audit. It can be hard to
ensure that the device is configured securely and does not have any backdoors
or other vulnerabilities that could be used to access organizational data or
systems.

All employees must read and agree to adhere to this policy before any access
to the systems, network and/or data is allowed. If and when the workforce
grows, so too will the problems with BYOD. Certainly, the appropriate tools are
going to be necessary to manage the use of and security around BYOD devices
and usage. The organization needs to establish clear user expectations and set
the appropriate business rules.

Privacy Policy

Often, personnel have access to personally identifiable information (PII) (also

referred to as electronic protected health information [ePHI] in the health
industry). It is imperative that the organization documents that the personnel
understand and acknowledge the organization’s policies and procedures for
handling of that type of information and are made aware of the legal
repercussions of handling such sensitive data. This type of documentation is
similar to the AUP but is specific to privacy-related data.

The organization’s privacy policy should stipulate which information is

considered PII/ePHI, the appropriate handling procedures and mechanisms used
by the organization, how the user is expected to perform in accordance with
the stated policy and procedures, any enforcement mechanisms and punitive
measures for failure to comply as well as references to applicable regulations
and legislation to which the organization is subject. This can include national
and international laws, such as the GDPR in the EU and Personal Information
Protection and Electronic Documents Act (PIPEDA) in Canada; laws for specific
industries in certain countries such as HIPAA and Gramm–Leach–Bliley Act
(GLBA); or local laws in which the organization operates.

The organization should also create a public document that explains how
private information is used, both internally and externally. For example, it may
be required that a medical provider present patients with a description of how
the provider will protect their information (or a reference to where they can
find this description, such as the provider’s website).
Change Management Policy

Change management is the discipline of transitioning from the current state to

a future state. It consists of three major activities: deciding to change, making
the change, and confirming that the change has been correctly accomplished.
Change management focuses on making the decision to change and results in
the approvals to systems support teams, developers and end users to start
making the directed alterations.

Throughout the system life cycle, changes made to the system, its individual
components and its operating environment all have the capability to introduce
new vulnerabilities and thus undermine the security of the enterprise. Change
management requires a process to implement the necessary changes so they do
not adversely affect business operations.

Common Security Policies Deeper Dive

Policies will be set according to the needs of the organization and its vision and
mission. Each of these policies should have a penalty or a consequence attached
in case of noncompliance. The first time may be a warning; the next might be
a forced leave of absence or suspension without pay, and a critical violation
could even result in an employee’s termination. All of this should be outlined
clearly during onboarding, particularly for information security personnel. It
should be made clear who is responsible for enforcing these policies, and the
employee must sign off on them and have documentation saying they have done
so. This process could even include a few questions in a survey or quiz to
confirm that the employees truly understand the policy. These policies are part
of the baseline security posture of any organization. Any security or data
handling procedures should be backed up by the appropriate policies.
Change Management Components

The change management process includes the following components.

Request for Change

All of the major change management practices address a common set of core
activities that start with a request for change (RFC) and move through various
development and test stages until the change is released to the end users. From
first to last, each step is subject to some form of formalized management and
decision-making; each step produces accounting or log entries to document its
results.

Approval

These processes typically include: Evaluating the RFCs for completeness,

Assignment to the proper change authorization process based on risk and
organizational practices, Stakeholder reviews, resource identification and
allocation, Appropriate approvals or rejections, and Documentation of approval
or rejection.

Rollback

Depending upon the nature of the change, a variety of activities may need to
be completed. These generally include: Scheduling the change, Testing the
change, Verifying the rollback procedures, Implementing the change,
Evaluating the change for proper and effective operation, and Documenting the
change in the production environment. Rollback authority would generally be
defined in the rollback plan, which might be immediate or scheduled as a
subsequent change if monitoring of the change suggests inadequate
performance.

Understand Security Awareness Training

The purpose of awareness training is to make sure everyone knows what is

expected of them, based on responsibilities and accountabilities, and to find
out if there is any carelessness or complacency that may pose a risk to the
organization. We will be able to align the information security goals with the
organization’s missions and vision and have a better sense of what the
environment is.

Let’s start with a clear understanding of the three different types of learning
activities that organizations use, whether for information security or for any
other purpose:

 Education: The overall goal of education is to help learners improve their

understanding of these ideas and their ability to relate them to their own
experiences and apply that learning in useful ways.
 Training: Focuses on building proficiency in a specific set of skills or
actions, including sharpening the perception and judgment needed to
make decisions as to which skill to use, when to use it and how to apply
it. Training can focus on low-level skills, an entire task or complex
workflows consisting of many tasks.
 Awareness: These are activities that attract and engage the learner’s
attention by acquainting them with aspects of an issue, concern,
problem or need.

You’ll notice that none of these have an expressed or implied degree of

formality, location or target audience. (Think of a newly hired senior executive
with little or no exposure to the specific compliance needs your organization
faces; first, someone has to get their attention and make them aware of the
need to understand. The rest can follow.)
Security Awareness Training Examples

Let’s look at an example of security awareness training by using an

organization’s strategy to improve fire safety in the workplace:

 Education may help workers in a secure server room understand the

interaction of the various fire and smoke detectors, suppression systems,
alarms and their interactions with electrical power, lighting and
ventilation systems.
 Training would provide those workers with task-specific, detailed
learning about the proper actions each should take in the event of an
alarm, a suppression system going off without an alarm, a ventilation
system failure or other contingency. This training would build on the
learning acquired via the educational activities.
 Awareness activities would include not only posting the appropriate
signage, floor or doorway markings, but also other indicators to help
workers detect an anomaly, respond to an alarm and take appropriate
action. In this case, awareness is a constantly available reminder of what
to do when the alarms go off.

Translating that into an anti-phishing campaign might be done by:

 Education may be used to help select groups of users better understand

the ways in which social engineering attacks are conducted and engage
those users in creating and testing their own strategies for improving
their defensive techniques.
 Training will help users increase their proficiency in recognizing a
potential phishing or similar attempt, while also helping them practice
the correct responses to such events. Training may include simulated
phishing emails sent to users on a network to test their ability to identify
a phishing email.
 Raising users’ overall awareness of the threat posed by phishing, vishing,
SMS phishing (also called “smishing) and other social engineering tactics.
Awareness techniques can also alert selected users to new or novel
approaches that such attacks might be taking.
Phishing

The use of phishing attacks to target individuals, entire departments and even
companies is a significant threat that the security professional needs to be
aware of and be prepared to defend against. Countless variations on the basic
phishing attack have been developed in recent years, leading to a variety of
attacks that are deployed relentlessly against individuals and networks in a
never-ending stream of emails, phone calls, spam, instant messages, videos,
file attachments and many other delivery mechanisms.

Phishing attacks that attempt to trick highly placed officials or private

individuals with sizable assets into authorizing large fund wire transfers to
previously unknown entities are known as whaling attacks .

Social Engineering

Social engineering is an important part of any security awareness training

program for one very simple reason: bad actors know that it works. For the
cyberattackers, social engineering is an inexpensive investment with a
potentially very high payoff. Social engineering, applied over time, can extract
significant insider knowledge about almost any organization or individual.

One of the most important messages to deliver in a security awareness program

is an understanding of the threat of social engineering. People need to be
reminded of the threat and types of social engineering so that they can
recognize and resist a social engineering attack.

Most social engineering techniques are not new. Many have even been taught
as basic fieldcraft for espionage agencies and are part of the repertoire of
investigative techniques used by real and fictional police detectives. A short list
of the tactics that we see across cyberspace currently includes:

 Phone phishing or vishing: Using a rogue interactive voice response (IVR)

system to re-create a legitimate-sounding copy of a bank or other
institution’s IVR system. The victim is prompted through a phishing email
to call in to the “bank” via a provided phone number to verify
information such as account numbers, account access codes or a PIN and
to confirm answers to security questions, contact information and
 addresses. A typical vishing system will reject logins continually, ensuring
the victim enters PINs or passwords multiple times, often disclosing
several different passwords. More advanced systems may be used to
transfer the victim to a human posing as a customer service agent for
further questioning.
 Pretexting: The human equivalent of phishing, where someone
impersonates an authority figure or a trusted individual in an attempt to
gain access to your login information. The pretexter may claim to be an
IT support worker who is supposed to do maintenance or an investigator
performing a company audit. Or they might impersonate a coworker, the
police, a tax authority or some other seemingly legitimate person. The
goal is to gain access to your computer and information.
 Quid pro quo: A request for your password or login credentials in
exchange for some compensation, such as a “free gift,” a monetary
payment or access to an online game or service. If it sounds too good to
be true, it probably is.
 Tailgating: The practice of following an authorized user into a restricted
area or system. The low-tech version of tailgating would occur when a
stranger asks you to hold the door open behind you because they forgot
their company RFID card. In a more sophisticated version, someone may
ask to borrow your phone or laptop to perform a simple action when he
or she is actually installing malicious software onto your device.

Social engineering works because it plays on human tendencies. Education,

training and awareness work best to counter or defend against social
engineering because they help people realize that every person in the
organization plays a role in information security.

Password Protection

We use many different passwords and systems. Many password managers will
store a user’s passwords for them so the user does not have to remember all
their passwords for multiple systems. The greatest disadvantage of these
solutions is the risk of compromise of the password manager.
 These password managers may be protected by a weak password or passphrase
chosen by the user and easily compromised. There have been many cases where
a person’s private data was stored by a cloud provider but easily accessed by
unauthorized persons through password compromise.

Organizations should encourage the use of different passwords for different

systems and should provide a recommended password management solution for
its users.

Examples of poor password protection that should be avoided are:

 Reusing passwords for multiple systems, especially using the same

password for business and personal use.
 Writing down passwords and leaving them in unsecured areas.
 Sharing a password with tech support or a co-worker.

QUIZ FIM

1 1
Which of the following can be used to map data flows through
an organization and the relevant security controls used at each
point along the way? (D5.1, L5.1.1)
Question options:

A) Encryption

B) Hashing

C) Hard copy

D) Data life cycle

Hide question 1 feedback

Correct. The data life cycle is a notional tool that can be used to map data flows.

2 1
Why is an asset inventory so important? (D5.2, L5.2.1)
Question options:
 A) It tells you what to encrypt

B) You can't protect what you don't know you have

C) The law requires it

D) It contains a price list

Hide question 2 feedback

Correct. The inventory records which assets the organization has, which gives the organization the opportu

3 1
Who is responsible for publishing and signing the organization's
policies? (D5.3, L5.3.1)
Question options:

A) The security office

B) Human Resources

C) Senior management

D) The legal department

Hide question 3 feedback

Correct. Policies are direct organizational mandates from senior management.

4 1
Which of the following is always true about logging? (D5.1,
L5.1.3)
Question options:

A) Logs should be very detailed

B) Logs should be in English

 C) Logs should be concise

D) Logs should be stored separately from the systems they're logging

Hide question 4 feedback

Correct. It is important to store log data somewhere other than on the machine where the data is gathered.

5 1
A mode of encryption for ensuring confidentiality efficiently,
with a minimum amount of processing overhead (D5.1, L5.1.3)
Question options:

A) Asymmetric

B) Symmetric

C) Hashing

D) Covert

Hide question 5 feedback

Correct. Symmetric encryption provides confidentiality with the least amount of processing overhead.

6 1
A ready visual cue to let anyone in contact with the data know
what the classification is. (D5.1, L5.1.1)
Question options:

A) Encryption

B) Label

C) Graphics

D) Photos
 Hide question 6 feedback

Correct. The label reflects the classification of a given piece of data.

7 1
A set of security controls or system settings used to ensure
uniformity of configuration throughout the IT environment.
(D5.2, L5.2.1)
Question options:

A) Patches

B) Inventory

C) Baseline

D) Policy

Hide question 7 feedback

Correct. This is the definition of a baseline.

8 1
What is the most important aspect of security
awareness/training? (D5.4, L5.4.1)
Question options:

A) Protecting assets

B) Maximizing business capabilities

C) Ensuring the confidentiality of data

D) Protecting health and human safety

Hide question 8 feedback

Correct. There is nothing more important than health and human safety.
9 1
Which entity is most likely to be tasked with monitoring and
enforcing security policy? (D5.3, L5.3.1)
Question options:

A) The Human Resources office

B) The legal department

C) Regulators

D) The security office

Hide question 9 feedback

Correct. While the policy is dictated by senior management, the security office is often tasked with monito

10 1
Which organizational policy is most likely to indicate which types
of smartphones can be used to connect to the internal IT
environment? (D5.3, L5.3.1)
Question options:

A) The CM policy (change management)

B) The password policy

C) The AUP (acceptable use policy)

D) The BYOD policy (bring your own device)

Hide question 10 feedback

Correct. The BYOD policy typically describes which devices can be used to process data and access netwo