Chapter 32

Understanding the Importance of Applicable Regulations, Standards, or Frameworks That Impact Organizational Security Posture

This chapter covers the following topics related to Objective 5.2 (Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture) of the CompTIA Security+ SY0-601 certification exam:

  • Regulations, standards, and legislation

    • General Data Protection Regulation (GDPR)

    • National, territory, or state laws

    • Payment Card Industry Data Security Standard (PCI DSS)

  • Key frameworks

    • Center for Internet Security (CIS)

    • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/Cybersecurity Framework (CSF)

    • International Organization for Standardization (ISO) 27001/27002/27701/31000

    • SSAE SOC 2 Type I/II

    • Cloud security alliance

    • Cloud controls matrix

    • Reference architecture

  • Benchmarks/secure configuration guides

    • Platform/vendor-specific guides

      • Web server

      • OS

      • Application server

      • Network infrastructure devices

In this chapter you learn about the importance of applicable regulations, standards, and frameworks that impact organizational security posture. The chapter starts by examining regulations, standards, and legislation, including the General Data Protection Regulation (GDPR) as well as national, territory, or state laws. It then covers the Payment Card Industry Data Security Standard (PCI DSS) and briefly digs into some key frameworks: the Center for Internet Security (CIS), National Institute of Standards and Technology (NIST) RMF/CSF, and the International Organization for Standardization (ISO) 27001/27002/27701/31000. The chapter also touches on SSAE SOC 2 Type I/II and the Cloud Security Alliance, including the Cloud Controls Matrix and reference architecture. The chapter concludes with a discussion of benchmarks and secure configuration guides, such as platform- and vendor-specific guides for web servers, operating systems, application servers, and network infrastructure devices.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Chapter Review Activities” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 32-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 32-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section: Questions

Regulations, Standards, and Legislation: 1–3

Key Frameworks: 4–7

Benchmarks and Secure Configuration Guides: 8

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which regulation was established in the European Union?

  1. GDPR

  2. SOX

  3. GLB

  4. None of these answers are correct.

2. Which act governs the disclosure of financial and accounting information?

  1. GLB

  2. SOX

  3. HIPAA

  4. All of these answers are correct.

3. Which act governs the disclosure and protection of health information?

  1. HIPAA

  2. GLB

  3. SOX

  4. None of these answers are correct.

4. Which of the following is a nonprofit organization established in 2000 to provide security best practice guidance for enhancing the security of cyberspace?

  1. Cloud Security Alliance

  2. International Organization for Standardization

  3. National Institute of Standards and Technology

  4. Center for Internet Security

5. Which of the following developed the Risk Management Framework in 2017?

  1. Cloud Security Alliance

  2. International Organization for Standardization

  3. National Institute of Standards and Technology

  4. Center for Internet Security

6. Which of the following developed the Cybersecurity Framework in 2014?

  1. Cloud Security Alliance

  2. International Organization for Standardization

  3. National Institute of Standards and Technology

  4. Center for Internet Security

7. Which of the following is a nonprofit organization established in 2008 with the goal of promoting security best practices in cloud computing environments?

  1. Cloud Security Alliance

  2. International Organization for Standardization

  3. National Institute of Standards and Technology

  4. Center for Internet Security

8. Which of the following was created to provide a standardized solution for security automation?

  1. SOX

  2. GLB

  3. SCAP

  4. OVAL

Foundation Topics

Regulations, Standards, and Legislation

There are myriad legislative laws and policies. For the Security+ exam, we are concerned only with a few that affect—and protect—the privacy of individuals. Here, we cover those and some associated security standards.

More important for the Security+ exam are organizational policies. Organizations usually define policies that concern how data is classified, how employees are expected to behave, and how to dispose of IT equipment that is no longer needed. These policies begin with a statement or goal that is usually short, to the point, and open-ended. These statements are normally written in clear language that can be understood by most everyone. They are followed by procedures (or guidelines) that detail how the policy will be implemented.

Table 32-2 shows an example of a basic policy and corresponding procedure.

Table 32-2 Example of a Company Policy

Policy

Procedure

Employees will identify themselves in a minimum of two ways when entering the complex.

  1. When employees enter the complex, they will first enter a guard room. This will begin the authentication process.

  2. In the guard room, they must prove their identification in two ways:

    • By showing their ID badge to the on-duty guard.

    • By being visible to the guard so that the guard can compare their likeness to the ID badge’s photo. The head of the employee should not be obstructed by hats, sunglasses, and so on. In essence, the employee should look similar to the ID photo. If the employee’s appearance changes for any reason, that person should contact human resources for a new ID badge.

      If guards cannot identify the “employee,” they will contact the employee’s supervisor, human resources, or security in an attempt to confirm the person’s identity. If the employee is not confirmed, that person will be escorted out of the building by security.

  3. After the guard has acknowledged the identification, employees will swipe their ID badge against the door scanner to complete the authentication process and gain access to the complex.

Keep in mind that this is just a basic example; technical documentation specialists will tailor the wording to fit the feel of the specific organization. Plus, the procedure will be different depending on the size and resources of the organization and the type of authentication scheme used, which could be more or less complex. However, the policy (which is fairly common) is written in such a way as to be open-ended, allowing for the procedure to change over time. We discuss many different policies as they relate to the Security+ exam in the following sections. A regulation that is top of mind for many organizations these days is the General Data Protection Regulation.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a European Union (EU) law that was enacted in 2018. Its overall focus is on data protection and privacy for individuals. Although it is a law enacted in the EU, it applies to any organization collecting information about people in the EU. That means if your organization collects and handles the personal data of EU citizens, then this regulation applies to you. For instance, if you run a business that offers goods or services in the EU and that business requires you to collect information about your customers, then you would be required to follow the GDPR requirements. Not following them could result in large fines. This is one of the factors that makes GDPR a larger concern to organizations than many other laws that have been in place for many years. GDPR penalties can be very high. They are no slap on the wrist. For additional information on GDPR, refer to https://gdpr.eu/.

National, Territory, or State Laws

A number of laws are enforced at different levels of government and for different geographical regions. A majority of them are enacted at the federal level. Table 32-3 describes some of the various laws and regulations that have been passed concerning the disclosure of data.

Table 32-3 Acts Passed Concerning the Disclosure of Data, Personally Identifiable Information (PII), and Protected Health Information (PHI)

Act (Acronym): Description

Privacy Act of 1974 (n/a): Establishes a code of fair information practice. Governs the collection, use, and dissemination of personally identifiable information in records about individuals maintained by federal agencies.

Sarbanes–Oxley (SOX): Governs the disclosure of financial and accounting information. Enacted in 2002.

Health Insurance Portability and Accountability Act (HIPAA): Governs the disclosure and protection of health information (PHI). Enacted in 1996.

Gramm-Leach-Bliley Act (GLB): Enables commercial banks, investment banks, securities firms, and insurance companies to consolidate. Enacted in 1999. Protects against pretexting: individuals need proper authority to gain access to nonpublic information such as Social Security numbers.

Help America Vote Act of 2002 (HAVA): Replaced punch card and lever-based voting systems. Governs the security, confidentiality, and integrity of personal information collected, stored, or otherwise used by various electronic and computer-based voting systems.

California SB 1386 (SB 1386): Requires California businesses that store computerized personal information to immediately disclose breaches of security. Enacted in 2003.

Personal Information Protection and Electronic Documents Act (PIPEDA): Protects the personal information of Canadian citizens. It applies to any private-sector organization in Canada that collects, uses, or discloses personal information.

Many computer technicians have to deal with SOX and HIPAA at some point in their careers, and although these types of acts create a lot of paperwork and protocols, the expected result is that, in the long run, they will help companies protect their data and keep sensitive information private.

Note

SOX sparked another concept known as governance, risk, and compliance (GRC), which deals with the continuous security monitoring and the overall management of information systems and control structures; risk management processes; and compliance with stated requirements, whether they are government related or otherwise.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was enacted in 2006 as a joint effort by credit card industry partners such as Visa, Mastercard, American Express, Discover, and JCB. The overall goal of PCI DSS is to enhance the security around payment card data processing. The requirement applies to any organization that processes payment card data and enforces penalties for noncompliance on such organizations.

PCI compliance requirements can be summed up as the following:

  • Protect cardholder data.

  • Build and maintain a secure network.

  • Maintain an information security policy.

  • Maintain a vulnerability management program.

  • Implement strong access control measures.

  • Regularly monitor and test systems and networks.

Key Frameworks

Here we discuss some key frameworks, beginning with an overview of the Center for Internet Security (CIS). From there we discuss the National Institute of Standards and Technology (NIST) RMF/CSF. The discussion continues with a look at the International Organization for Standardization (ISO) 27001/27002/27701/31000 as well as SSAE SOC 2 Type I/II. We conclude with a discussion of the Cloud Security Alliance including the Cloud Controls Matrix and reference architecture.

Although an organization might opt to create its own framework, it makes sense for organizations—especially larger ones—to use standards that have already been thoroughly planned out, or at least to base their framework on those standards; for example, the ISO/IEC 27000 family of information security standards. In addition to ISO/IEC 27002:2013, you will find several others. You can find more information at www.iso.org/isoiec-27001-information-security.html.

Then, of course, there is NIST, which defines all kinds of guidelines and recommendations within the SP 800 and SP 1800 publication groups. For more information, see http://csrc.nist.gov/publications/PubsSPs.html.

Note

NIST introduced the NIST Cybersecurity Framework (CSF), which resulted from a collaboration between the government and the private sector. CSF organizes cybersecurity activities at their highest level. The highest levels are called functions: Identify, Protect, Detect, Respond, and Recover. Control Objectives for Information and Related Technology (COBIT) is a set of best practices for IT management. COBIT is most commonly used to attain compliance with the Sarbanes–Oxley Act (SOX). ISO/IEC 27001 is a standard for information security management, against which organizations may be certified if they meet its requirements. ISO/IEC 27701 extends ISO/IEC 27001 with privacy enhancements in order to establish and maintain a privacy information management system. ISO 31000 provides a framework for the risk management process.

Next, there is ISACA’s COBIT framework, which divides IT into four sections: (1) plan and organize; (2) acquire and implement; (3) deliver and support; and (4) monitor and evaluate. That pretty much sums up everything we’ve described in this book!

Also, you might be interested in the Information Technology Infrastructure Library (ITIL), Business Information Services Library (BiSL), and Project Management Body of Knowledge (PMBOK). You can find a good NIST document that combines the use of several of these at www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf. You will also find that the U.S. government and military have their own resources on the subject, or depending on the scenario, will use one of the aforementioned standards.

Some of these frameworks are regulatory, and you as an employee must abide by any of them that are applicable to your organization or profession. Some are nonregulatory, but usually the organization strongly urges its employees to accept them.

Reference frameworks can also be industry-specific or could define how precise tasks and problems within an organization are to be approached. For example, your company might repair mobile devices for corporations. This company would require a specific secure configuration guide detailing how the mobile devices are repaired, stored, handled, and so on. Or, you might be interested in benchmarking your servers. A detailed list of procedures is vital so that you obtain reliable results in a controlled environment. Then there is software development: When building software, you might embrace the concept of use case analysis, which is a requirement analysis technique practiced in software engineering. The use case analysis can benefit from well-written procedures within an IT security framework. Let’s not forget about software-defined networking (SDN), which is an approach to computer networking that allows administrators to programmatically control and manage network behavior via open interfaces such as OpenFlow and Cisco’s Open Network Environment. SDN can benefit greatly from a well-thought-out framework.

Your IT security framework might include risk analysis and vulnerability assessment tools and how to use them—for example, using the Security Content Automation Protocol (SCAP) to automate vulnerability management. The framework might also incorporate how to properly utilize enterprise resource planning (ERP) software, which is used to manage and automate many back-office technology functions in larger organizations. The examples are endless; just about anything we’ve described in this book can be incorporated into your IT security framework.

Consequently, the IT security framework could be large or small. It might deal with a specific task or many tasks within an organization. But often, the content in the framework can be applied to many different solutions and implementations. The goal is to organize a group of processes, procedures, and policies from your organization into a single cohesive agenda that all employees can easily understand and work within.

From a security perspective, the IT security framework—if designed properly—can help the organization provide for defense in depth of systems and networks, and increase the confidentiality, integrity, and availability of data.

The Statement on Standards for Attestation Engagements (SSAE) is a standard for the auditing of service organizations. It is produced by the American Institute of Certified Public Accountants (AICPA). The latest version as of this writing is SSAE 18, which superseded SSAE 16. You might be familiar with the Statement on Auditing Standards, also known as SAS 70, which has been around for a while. Many organizations have moved from SAS 70 to SSAE. SSAE 18 includes two different types of reports. A SOC 1 report is related to the secure handling of financial information about the company. SOC 1 has two different types of reports: a Type 1 report is meant to show that your company’s financial controls are designed properly, and a Type 2 report is meant to show that those controls work effectively over time. SOC 2, which is more relevant to this book and further discussions, is a framework that an organization uses to demonstrate that its cloud and data center security controls are sufficient. This is something that you should expect from any service provider that you are doing business with.

Table 32-4 Key Frameworks

Framework

Acronym

Description

Center for Internet Security

CIS

CIS is a nonprofit organization that was established in 2000. Its overall goal is to provide security best practice guidance for enhancing the security of cyberspace.

National Institute of Standards and Technology

NIST RMF/CSF

NIST developed the Risk Management Framework (RMF) in 2017 as a result of an executive order from the president, which required all federal agencies to comply with it. For more information about the NIST RMF, visit https://www.nist.gov/cyberframework/risk-management-framework.

NIST developed the Cybersecurity Framework (CSF) in 2014 as a result of executive order 13636 from the president. The NIST CSF is made up of the core framework functions Identify, Protect, Detect, Respond, and Recover. For more information about the NIST CSF, visit www.nist.gov/cyberframework.

International Organization for Standardization

ISO 27001/27002/27701/31000

ISO/IEC 27001 was originally published in 2005 and later updated in 2013. It addresses the following topics:

  • The organizational context

  • Involvement of the leadership

  • Planning and objectives

  • Support, including resources and communication

  • Operational aspects

  • Evaluation of performance

  • Continuous improvement

Statement on Standards for Attestation Engagements (SSAE) System and Organization Controls (SOC)

SSAE SOC 2 Type I/II

The main focus of the Statement on Standards for Attestation Engagements (SSAE) System and Organization Controls (SOC) reports is the controls internal to an organization that relate to security compliance and operations. SOC 2 is built on the concept of trust principles. For more information related to SSAE SOC 2, visit www.ssae-16.com/soc-1-report/the-ssae-18-audit-standard/.

Cloud Security Alliance

CSA

CSA is a nonprofit organization established in 2008 with the goal of promoting security best practices in cloud computing environments. The Cloud Controls Matrix is a framework established by the CSA for cloud computing. The organization also develops the reference architecture to help cloud providers with guidance on developing secure interoperability best practices. For more information related to CSA, visit https://cloudsecurityalliance.org/.

Benchmarks and Secure Configuration Guides

In the following sections, we discuss benchmarks and secure configuration guides, including platform- and vendor-specific guides such as web server, operating system, application server, and network infrastructure devices. These guides are useful when hardening your systems and network. They can also be utilized to obtain compliance for regulatory purposes.

Security Content Automation Protocol

Security Content Automation Protocol (SCAP) was created to provide a standardized solution for security automation. The SCAP mission is to maintain system security by ensuring security configuration best practices are implemented in the enterprise network, verifying the presence of patches, and maintaining complete visibility of the security posture of systems and the organization at all times.

The current SCAP specifications include the following:

  • Languages:

    • Open Vulnerability and Assessment Language (OVAL): OVAL is an international community standard to promote open and publicly available security content and to standardize the transfer of this information in security tools and services. More information about OVAL is available at https://oval.mitre.org.

    • Extensible Configuration Checklist Description Format (XCCDF): XCCDF is a specification for a structured collection of security checklists and benchmarks. More information about XCCDF is available at https://scap.nist.gov/specifications/xccdf.

    • Open Checklist Interactive Language (OCIL): OCIL is a framework for collecting and interpreting responses from questions offered to users. More information about OCIL is available at https://scap.nist.gov/specifications/ocil.

    • Asset Identification (AI): AI is a specification designed to quickly correlate different sets of information about enterprise computing assets. More information about AI is available at https://scap.nist.gov/specifications/ai.

    • Asset Reporting Format (ARF): ARF is a specification that defines the transport format of information about enterprise assets and provides a standardized data model to streamline the reporting of such information. More information about ARF is available at https://scap.nist.gov/specifications/arf.

  • Enumerations:

    • Common Vulnerabilities and Exposures (CVE): CVE assigns identifiers to publicly known system vulnerabilities. Cisco assigns CVE identifiers to security vulnerabilities according to the Cisco public vulnerability policy at https://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. More information about CVE is available at https://cve.mitre.org.

    • Common Platform Enumeration (CPE): CPE is a standardized method of naming and identifying classes of applications, operating systems, and hardware devices. More information about CPE is available at https://nvd.nist.gov/cpe.cfm.

    • Common Configuration Enumeration (CCE): CCE provides unique identifiers for configuration guidance documents and best practices. The main goal of CCE is to enable organizations to perform fast and accurate correlation of configuration issues in enterprise systems. More information about CCE is available at https://nvd.nist.gov/cce/index.cfm.

Note

Other community-developed enumerators, such as the Common Weakness Enumeration (CWE), are currently being expanded and further developed. CWE is a dictionary of common software architecture, design, code, or implementation weaknesses that could lead to security vulnerabilities. More information about CWE is available from http://cwe.mitre.org. Another emerging enumerator is the Common Remediation Enumeration (CRE). More information about CRE is available at http://scap.nist.gov/specifications/cre.

  • Metrics:

    • Common Vulnerability Scoring System (CVSS): CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine the urgency and priority of response. You can obtain the latest CVSS specification documentation, examples of scored vulnerabilities, and a calculator at first.org/cvss.

    • Common Configuration Scoring System (CCSS): More information about CCSS is available in the following PDF document: https://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf.

      Note

      Two emerging metrics specifications are the Common Weakness Scoring System (CWSS) and the Common Misuse Scoring System (CMSS). CWSS is a methodology for scoring software weaknesses. CWSS is part of CWE. More information about CWSS is available at https://cwe.mitre.org/cwss. CMSS is a standardized way to measure software feature misuse vulnerabilities. More information about CMSS is available at https://scap.nist.gov/emerging-specs/listing.html#cmss.

    • Integrity: Integrity is provided by the Trust Model for Security Automation Data (TMSAD), which is a trust model for maintaining integrity, authentication, and traceability of security automation data. More information about TMSAD is available in the following PDF document: https://csrc.nist.gov/publications/nistir/ir7802/NISTIR-7802.pdf.
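To make the SCAP pieces concrete, here is an added Python example (not from the book) that reads a constructed XCCDF 1.2 benchmark together with its TestResult, ties each rule to its CCE identifier and the CPE platform the benchmark targets, and rolls up scan outcomes by severity. The XCCDF namespace and the CCE ident system URI are the ones defined by XCCDF 1.2; the rule ids, CCE numbers, CPE name and host name are constructed for the demo.

```python
"""Summarize a constructed SCAP XCCDF 1.2 benchmark and its TestResult.

Added example (not from the book). XCCDF carries the checklist (rules,
severities, CCE identifiers, target CPE platform); the TestResult carries
the per-rule outcome of a scan. We join the two and roll up the outcomes.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
CCE_SYSTEM = "http://cce.mitre.org"                  # ident system URI for CCE ids
NS = {"x": XCCDF_NS}

# Constructed sample benchmark: three rules, one scan result. Rule ids,
# CCE numbers, the CPE name and the host name are all made up for this demo.
SAMPLE_XCCDF = f"""
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sample">
  <platform idref="cpe:2.3:o:example:linux:1.0:*:*:*:*:*:*:*"/>
  <Rule id="xccdf_example_rule_sshd_no_root" severity="high">
    <title>Disable SSH root login</title>
    <ident system="{CCE_SYSTEM}">CCE-00000-1</ident>
  </Rule>
  <Rule id="xccdf_example_rule_password_age" severity="medium">
    <title>Set maximum password age</title>
    <ident system="{CCE_SYSTEM}">CCE-00000-2</ident>
  </Rule>
  <Rule id="xccdf_example_rule_banner" severity="low">
    <title>Configure login banner</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_sample">
    <target>host01.example.test</target>
    <rule-result idref="xccdf_example_rule_sshd_no_root"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_age"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def load_rules(root):
    """Map rule id -> severity, title and CCE id from the Benchmark's Rule elements."""
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        cce = None
        for ident in rule.findall("x:ident", NS):
            if ident.get("system") == CCE_SYSTEM:   # only CCE idents, not CVE etc.
                cce = (ident.text or "").strip()
        rules[rule.get("id")] = {
            "severity": rule.get("severity", "unknown"),
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "cce": cce,
        }
    return rules


def summarize(xccdf_text):
    """Join TestResult outcomes to rule metadata and count them per severity."""
    root = ET.fromstring(xccdf_text.strip())
    rules = load_rules(root)
    result_el = root.find("x:TestResult", NS)
    summary = {
        "target": result_el.findtext("x:target", default="", namespaces=NS),
        "platforms": [p.get("idref") for p in root.findall("x:platform", NS)],
        "counts": Counter(),   # (severity, result) -> number of rules
        "failed_cce": [],      # CCE ids of rules that failed, in document order
    }
    for rr in result_el.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
        meta = rules.get(rr.get("idref"), {"severity": "unknown", "cce": None})
        summary["counts"][(meta["severity"], outcome)] += 1
        if outcome == "fail" and meta["cce"]:
            summary["failed_cce"].append(meta["cce"])
    return summary


def compliance_percent(summary):
    """Share of applicable rules (pass or fail) that passed, as a percentage.

    Results such as notapplicable, notchecked or error are excluded from the
    denominator so they neither inflate nor deflate the score.
    """
    passed = sum(n for (_, res), n in summary["counts"].items() if res == "pass")
    failed = sum(n for (_, res), n in summary["counts"].items() if res == "fail")
    applicable = passed + failed
    return round(100.0 * passed / applicable, 1) if applicable else 100.0


if __name__ == "__main__":
    s = summarize(SAMPLE_XCCDF)
    print("target:", s["target"], "platforms:", s["platforms"])
    for (sev, res), n in sorted(s["counts"].items()):
        print(f"{sev:8} {res:14} {n}")
    print("failed CCEs:", s["failed_cce"], "compliance:", compliance_percent(s))
```

The failed CCE list is what you would hand to a configuration-management team: each identifier names one configuration issue independent of the scanner that found it.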

Figure 32-1 summarizes the SCAP components.


FIGURE 32-1 SCAP Components

Table 32-5 summarizes the benchmarks and secure configuration guides for platforms/vendors, web servers, operating systems, application servers, and network infrastructure devices.

Table 32-5 Benchmarks/Secure Configuration Guides

Framework

Description

Examples of Guides Available

Platform/vendor-specific guides

Some guides are specific to vendor products, and many times are documented and provided by the vendors themselves.

Cisco Configuration guides available on Cisco.com: www.cisco.com/c/en/us/support/all-products.html

Red Hat Enterprise Linux Security Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/index

Web server

Web server security hardening guides are available from organizations like the Center for Internet Security (CIS Benchmarks) and DISA (Security Technical Implementation Guides, or STIGs).

Center for Internet Security (CIS) Apache Benchmark: www.cisecurity.org/benchmark/apache_http_server/

DISA Apache Server Security Technical Implementation Guide: www.stigviewer.com/stig/apache_server_2.4_unix_site/

Operating systems

Operating system security hardening guides are available from organizations like the Center for Internet Security (CIS Benchmarks) and DISA (Security Technical Implementation Guides, or STIGs), as well as from specific OS vendors.

Center for Internet Security (CIS) Windows Server Benchmark: www.cisecurity.org/benchmark/microsoft_windows_server/

DISA Technical Implementation Guides: https://public.cyber.mil/stigs/

Application server

Application server security hardening guides are available from organizations like the Center for Internet Security (CIS Benchmarks) and DISA (Security Technical Implementation Guides, or STIGs).

Oracle Hardening Guide: https://docs.oracle.com/cd/E25178_01/fusionapps.1111/e16690/F371476AN1062D.htm

DISA Technical Implementation Guides: https://public.cyber.mil/stigs/

Network infrastructure devices

Network infrastructure device hardening guides are available from organizations like the Center for Internet Security (CIS Benchmarks) and DISA (Security Technical Implementation Guides, or STIGs), as well as from specific device vendors.

VMware Security Hardening Guides: www.vmware.com/security/hardening-guides.html

Cisco CIS Benchmark: www.cisecurity.org/benchmark/cisco/

Cisco Security Hardening Guide: www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Chapter Review Activities

Use the features in this section to study and review the topics in this chapter.

Review Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 32-6 lists a reference of these key topics and the page number on which each is found.

Table 32-6 Key Topics for Chapter 32

Key Topic Element: Description, Page Number

Section: General Data Protection Regulation (GDPR), page 879

Section: National, Territory, or State Laws, page 879

Paragraph: Description of Payment Card Industry Data Security Standard (PCI DSS), page 881

Table 32-4: Key Frameworks, page 883

Table 32-5: Benchmarks/Secure Configuration Guides, page 888

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

General Data Protection Regulation (GDPR)

Privacy Act of 1974

Sarbanes–Oxley

Health Insurance Portability and Accountability Act

Gramm-Leach-Bliley Act

Help America Vote Act of 2002

California SB 1386

Payment Card Industry Data Security Standard (PCI DSS)

Center for Internet Security

National Institute of Standards and Technology

International Organization for Standardization

SSAE SOC 2 Type I/II

Cloud Security Alliance

Cloud Controls Matrix

reference architecture

Review Questions

Answer the following review questions. Check your answers with the answer key in Appendix A.

1. What regulation was established in the European Union to protect data and privacy?

2. What act governs the disclosure of financial and accounting information?

3. What act governs the disclosure and protection of health information?

4. Which nonprofit organization established in 2000 focuses on security best practice guides?

5. Which organization developed the Cybersecurity Framework in 2014?

6. Which nonprofit organization established in 2008 is focused on cloud security best practices?

7. _______________ was created to provide a standardized solution for security automation.
