Preface
    What this book covers
    What you need for this book
    Who this book is for
    Conventions
    Reader feedback
    Customer support
    Downloading the color images of this book
    Errata
    Piracy
    Questions

Information and Data Security Fundamentals
    Information security challenges
    Evolution of cybercrime
    The modern role of information security
    IT security engineering
    Information assurance
    The CIA triad
    Organizational information security assessment
    Risk management
    Information security standards
    Policies
    Training
    Key components of an effective training and awareness program
    Summary

Defining the Threat Landscape
    What is important to your organization and who wants it?
    Compliance
    Hackers and hacking
    Black hat hacker
    White hat or ethical hacker
    Blue hat hacker
    Grey hat hacker
    Penetration testing
    Hacktivist
    Script kiddie
    Nation state
    Cybercrime
    Methods used by the attacker
    Exploits
    Hacker techniques
    Methods of conducting training and awareness
    Closing information system vulnerabilities
    Vulnerability management
    The case for vulnerability management
    Summary

Preparing for Information and Data Security
    Establishing an information security program
    Don't start from scratch, use a framework
    Security program success factors
    Executive or board support
    Supporting the organization's mission
    Rightsizing information security for the organization
    Security awareness and training program
    Information security built into SDLC
    Information security program maturity
    Information security policies
    Information security program policy
    Operational policy
    System-specific policy
    Standards
    Procedures
    Guidelines
    Recommended operational policies
    Planning policy
    Access control policy
    Awareness and training policy
    Auditing and accountability policy
    Configuration management policy
    Contingency planning policy
    Identification and authentication policy
    Incident response policy
    Maintenance policy
    Media protection policy
    Personnel security policy
    Physical and environmental protection policy
    Risk assessment policy
    Security assessment policy
    System and communications protection policy
    System and information integrity policy
    Systems and services acquisitions policy
    Summary

Information Security Risk Management
    What is risk?
    Who owns organizational risk?
    Risk ownership
    What is risk management?
    Where is your valuable data?
    What does my organization have that is worth protecting?
    Intellectual property trade secrets
    Personally Identifiable Information – PII
    Personal Health Information – PHI
    General questions
    Performing a quick risk assessment
    Risk management is an organization-wide activity
    Business operations
    IT operations
    Personnel
    External organization
    Risk management life cycle
    Information categorization
    Data classification looks to understand
    Data classification steps
    Determining information assets
    Finding information in the environment
    Disaster recovery considerations
    Backup storage considerations
    Types of storage options
    Questions you should ask your business users regarding their information's location
    Questions you should ask your IT organization regarding the information's location
    Organizing information into categories
    Examples of information type categories
    Publicly available information
    Credit card information
    Trade secrets
    Valuing the information and establishing impact
    Valuing information
    Establishing impact
    Security control selection
    Information security frameworks
    Security control implementation
    Assessing implemented security controls
    Authorizing information systems to operate
    Monitoring information system security controls
    Calculating risk
    Qualitative risk analysis
    Identifying your organization's threats
    Identifying your organization's vulnerabilities
    Pairing threats with vulnerabilities
    Estimating likelihood
    Estimating impact
    Conducting the risk assessment
    Management choices when it comes to risk
    Quantitative analysis
    Qualitative risk assessment example
    Summary

Developing Your Information and Data Security Plan
    Determine your information security program objectives
    Example information security program activities
    Elements for a successful information security program
    Analysis to rightsizing your information security program
    Compliance requirements
    Is your organization centralized or decentralized?
    Centralized
    Decentralized
    What is your organization's business risk appetite?
    How mature is your organization?
    Helping to guarantee success
    Business alignment
    Information security is a business project not an IT project
    Organizational change management
    Key information security program plan elements
    Develop your information security program strategy
    Establish key initiatives
    Define roles and responsibilities
    Defining enforcement authority
    Pulling it all together
    Summary

Continuous Testing and Monitoring
    Types of technical testing
    SDLC considerations for testing
    Project initiation
    Requirements analysis
    System design
    System implementation
    System testing
    Operations and maintenance
    Disposition
    SDLC summary
    Continuous monitoring
    Information security assessment automation
    Effective reporting of information security status
    Alerting of information security weakness
    Vulnerability assessment
    Business relationship with vulnerability assessment
    Vulnerability scanning
    Vulnerability scanning process
    Vulnerability resolution
    Penetration testing
    Phases of a penetration test
    Difference between vulnerability assessment and penetration testing
    Examples of successful attacks in the news
    Point of sale system attacks
    Cloud-based misconfigurations
    Summary

Business Continuity/Disaster Recovery Planning
    Scope of BCDR plan
    Business continuity planning
    Disaster recovery planning
    Focus areas for BCDR planning
    Management
    Operational
    Technical
    Designing the BCDR plan
    Requirements and context gathering – business impact assessment
    Inputs to the BIA
    Outputs from the BIA
    Sample BIA form
    Define technical disaster recovery mechanisms
    Identify and document required resources
    Conduct a gap analysis
    Develop disaster recovery mechanisms
    Develop your plan
    Develop recovery teams
    Establish relocation plans
    Develop detailed recovery procedures
    Test the BCDR plan
    Summary

Incident Response Planning
    Do I need an incident response plan?
    Components of an incident response plan
    Preparing the incident response plan
    Understanding what is important
    Prioritizing the incident response plan
    Determining what normal looks like
    Observe, orient, decide, and act – OODA
    Incident response procedure development
    Identification – detection and analysis
    Identification – incident response tools
    Observational (OODA) technical tools
    Orientation (OODA) tools
    Decision (OODA) tools
    Remediation – containment/recovery/mitigation
    Remediation – incident response tools
    Act (Response) (OODA) tools
    Post incident activity
    Lessons-learned sessions
    Incident response plan testing
    Summary

Developing a Security Operations Center
    Responsibilities of the SOC
    Management of security operations center tools
    Security operations center toolset design
    Using already implemented toolsets
    Security operations center roles
    Log or information aggregation
    Log or information analysis
    Processes and procedures
    Identification – detection and analysis
    Events versus alerts versus incidents
    False positive versus false negative/true positive versus true negative
    Remediation – containment/eradication/recovery
    Security operations center tools
    Security operations center advantages
    MSSP advantages
    Summary

Developing an Information Security Architecture Program
    Information security architecture and SDLC/SELC
    Conducting an initial information security analysis
    Purpose and description of the information system
    Determining compliance requirements
    Compliance standards
    Documenting key information system and project roles
    Project roles
    Information system roles
    Defining the expected user types
    Documenting interface requirements
    Documenting external information systems access
    Conducting a business impact assessment
    Inputs to the BIA
    Conducting an information categorization
    Developing a security architecture advisement program
    Partnering with your business stakeholders
    Information security architecture process
    Example information security architecture process
    Summary

Cloud Security Considerations
    Cloud computing characteristics
    Cloud computing service models
    Infrastructure as a Service – IaaS
    Platform as a Service – PaaS
    Software as a Service – SaaS
    Cloud computing deployment models
    Public cloud
    Private cloud
    Community cloud
    Hybrid cloud
    Cloud computing management models
    Managed service provider
    Cloud service provider
    Cloud computing special considerations
    Cloud computing data security
    Data location
    Data access
    Storage considerations
    Storage types
    Storage threats
    Storage threat mitigations
    Managing identification, authentication, and authorization in the cloud computing environment
    Identification considerations
    Authentication considerations
    Authorization considerations
    Integrating cloud services with the security operations center
    Cloud access security brokers
    Special business considerations
    Summary

Information and Data Security Best Practices
    Information security best practices
    User accounts
    Limit administrator accounts
    Using a normal user account where possible
    Least privilege/role separation
    Password security
    Least functionality
    Updates and patches
    Secure configurations
    Step 1: Developing a policy that enforces secure configuration baselines
    Step 2: Developing secure configuration baselines
    Step 3: Integrating secure configuration baselines into the SDLC
    Step 4: Enforcing secure configuration baselines through automated testing and remediation
    Application security
    Conducting a web application inventory
    Least privileges
    Cookie security
    Web application firewalls
    Implementing a secure coding awareness program
    Network security
    Remote access
    Wireless
    Mobile devices
    Summary