To secure an enterprise network, you must understand the general principles of network security. On Day 2, we look at the "big picture" threats to our systems and how to defend against them. We will learn that protections need to be layered, leveraging a principle called defense-in-depth, and then explain the principles that will serve us well in protecting our systems.
The section starts with information assurance foundations. We look at security threats and how they have impacted confidentiality, integrity, and availability. The most commonly discussed aspect of defense-in-depth is predicated on access controls. As such, with a solid foundation on the aspects of information assurance in place, we move on to the aspects of identity and access management. Even though, for more than 30 years, passwords (the most commonly used form of authentication for access control) were to be deprecated and moved away from, we still struggle today with the compromises that result from credential theft. What we can do for modern authentication is the focus of our discussion on authentication and password security. Toward the end of the book we shift our focus to modern security controls that will work in the presence of the modern adversary. We do so by leveraging the Center for Internet Security (CIS) controls to help prioritize our risk reduction activities and gather metrics as we construct our security roadmap. Realizing that our networks are the foundation for both our (and the adversaries') activities, we might naturally ask what else we can do, from an overall environmental focus, to best secure our data. This naturally leads to a discussion of Data Loss Prevention techniques. Last, but certainly not least, a discussion of defense-in-depth would not be complete without addressing perhaps the most important aspect of any security program: Security Plans and Risk Management. Cybersecurity is really just a different form of risk management. A modern-day defender will not be a capable defender without understanding the constitution of risk, how information security risk must tie back to organizational risk, and the methods used to appropriately address gaps in risk.
SEC401.2: Outline: Defense-in-Depth
Identity and Access Management
Authentication and Password Security
Data Loss Prevention
Security Plans and Risk Management
Module 7: Defense-in-Depth
In this module, we look at threats to our systems and take a "big picture" look at how to defend against them. We will learn that protections need to be layered, a principle called defense-in-depth, and explain some principles that will serve you well in protecting your systems.
Risk = Threats x Vulnerabilities
Confidentiality, Integrity, and Availability
Strategies for Defense-in-Depth
Core Security Strategies
Module 8: Identity and Access Management
This module discusses the principles of identity management and access control. Access control models vary in their approaches to security. We will explore their underlying principles, strengths, and weaknesses. The module includes a brief discussion on authentication and authorization protocols and control.
Identity Access Management
Module 9: Authentication and Password Security
A discussion of identity and access management naturally leads to a conversation on authentication and password security. We will spend time discussing the various types of authentication: something you know, something you have, somewhere you are, and something you are. We will also spend considerable time discussing the most common (and problematic) example of the "something you know" authentication type: the password. We will spend time delving into password files, storage, and protection.
Password (Passphrase) Policies
How Password Assessment Works
Password Cracking Tools
John the Ripper
Module 10: Center for Internet Security (CIS) Controls
In implementing security, it is important to have a framework with proper metrics. As is often said, you cannot manage what you cannot measure. The CIS controls were created to help organizations prioritize the most critical risks they face. In addition to a framework, the CIS controls also provide details to help organizations put together an effective plan for implementation of the controls they need.
Introduction to the CIS Controls
The CIS Controls
Case Study: Sample CIS Control
Module 11: Data Loss Prevention
Loss or leakage?
In essence, data loss is any condition that results in data being corrupted, deleted, or made unreadable in any way by a user and/or software (application). A data breach is, in most cases, a security incident that can be intentional or unintentional. Security incidents can lead to (among other things) unintentional information disclosure, data leakage, information leakage, and data spill. In this module we cover exactly what constitutes data loss or leakage, the various ways to properly categorize different types of data loss and leakage, and the methodologies that can be leveraged to implement an appropriate data loss prevention capability.
Loss or Leakage
Redundancy (On-Premise and Cloud)
Related Regulatory Requirements
Data Loss Prevention Tools
Defending Against Data Exfiltration
Module 12: Security Plans and Risk Management
In this module, we discuss the key elements of managing and governing risk within an organization. A key part of managing and governing risk is the formation of security plans built on a solid understanding of the "security risk" of the organization. We will learn how to identify a risk, quantify and assess the probability of the risk, and leverage the classification of an asset to determine impact.
How Do I Identify a Risk?
Risk Treatment Actions