Play It Safe - Manage Security Risks
Table of Contents
CISSP security domains
- CISSP security domains
- Security and Risk Management
- Defining security goals and objectives
- Reduces risk to critical assets and data (e.g., PII)
- Risk mitigation
- Have the right procedures and rules in place to quickly reduce the impact of a risk like a breach
- Compliance
- Develop internal policies and meet regulatory and independent standards
- Business continuity
- Maintain productivity during disasters
- Establish disaster recovery plans
- Legal regulations
- Follow global laws and ethical behavior
- Minimize negligence, abuse, or fraud
- Asset Security
- Securing digital and physical assets
- Storage, maintenance, retention, and destruction of data
- Secure handling of PII/SPII
- During storage, transfer, or physical collection
- Policies for data lifecycle
- Know what data is held and who has access
- Includes secure disposal (e.g., hard drive destruction)
- Security Architecture and Engineering
- Optimizing data security
- Through effective tools, systems, and processes
- Share responsibility
- All individuals play a role in:
- lowering risk
- maintaining both physical and virtual security
- Encouraging users to report security concerns
- Additional design principles:
- Threat modeling
- Identify and address potential threats early in the design phase
- Least privilege
- Users have only the access necessary to do their jobs
- Defense in depth
- Layered security measures to protect assets even if one layer fails
- Fail securely
- Systems should default to a secure state in case of failure
- Separation of duties
- Split tasks among different people to prevent fraud or error
- Keep it simple
- Simple systems are easier to secure and manage
- Zero trust
- Never assume trust—always verify every access request
- Trust but verify
- Allow access but continuously monitor and audit activity
- Communications and Network Security
- Managing and securing physical networks and wireless communications
- Secure communication channels
- For on-site, cloud, and remote connections
- Protecting remote workers
- Avoid insecure Bluetooth or public Wi-Fi
- Disable risky access at organizational level
- Prevent unsafe user behavior
- Identity and Access Management (IAM)
- Access and authorization to keep data secure
- Make sure users follow established policies
- Limit access to only what users need (principle of least privilege)
- Reduce overall risk to systems and data
- Avoid shared credentials (e.g., admin logins)
- Components:
- Identification
- Verifying identity (e.g., username, access card, biometrics)
- Authentication
- Verifying credentials (e.g., password, PIN)
- Authorization
- Granting appropriate access based on role
- Accountability
- Monitor and record user actions (e.g., login attempts)
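As an added illustration that is not part of the course notes, the following constructed access check ties the design principles listed earlier (least privilege, fail securely, zero trust) to the four IAM components just described; the users, roles, resources, salt and passwords are all made up for the demo.

```python
"""Added example: deny-by-default access check with identification,
authentication, authorization and accountability (audit log).
All users, roles, resources and the salt are constructed for the demo."""
import hashlib
import hmac

# Constructed fixed salt so the demo is reproducible; a real system uses a
# random per-user salt.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Identification data: username -> (salt, password hash, role). "carol" has a
# role that the policy below does not know about (a misconfiguration case).
USERS = {
    "alice": (_SALT, _hash_pw("correct horse", _SALT), "analyst"),
    "bob":   (_SALT, _hash_pw("hunter2", _SALT), "intern"),
    "carol": (_SALT, _hash_pw("swordfish", _SALT), "contractor"),
}

# Least privilege: a role lists only the (resource, action) pairs it needs;
# anything not listed is denied.
ROLE_PERMISSIONS = {
    "analyst": {("logs", "read"), ("tickets", "write")},
    "intern":  {("tickets", "read")},
}

AUDIT_LOG = []  # accountability: every decision is recorded, allowed or not

def authenticate(username, password):
    """Identification (username) plus authentication (password); returns the role or None."""
    record = USERS.get(username)
    if record is None:
        _hash_pw(password, _SALT)  # same cost for unknown users (no timing leak)
        return None
    salt, stored, role = record
    return role if hmac.compare_digest(_hash_pw(password, salt), stored) else None

def permissions_for(role):
    """Raises KeyError for a role the policy does not define."""
    return ROLE_PERMISSIONS[role]

def authorize(username, password, resource, action):
    """Zero trust: every request re-verifies credentials; fail securely on any error."""
    allowed = False
    try:
        role = authenticate(username, password)
        allowed = role is not None and (resource, action) in permissions_for(role)
    except Exception:
        allowed = False  # broken or missing policy must never grant access
    AUDIT_LOG.append({"user": username, "resource": resource, "action": action, "allowed": allowed})
    return allowed
```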
- Security Assessment and Testing
- Monitor for risks, threats, and vulnerabilities
- Conducting security control testing
- Evaluate effectiveness of current controls
- Identify improvements or new mitigations
- Collecting and analyzing data
- Ongoing review helps prevent threats
- Conducting security audits
- Validate controls and compliance
- Example: implement MFA as a new control
- Security Operations
- Conducting investigations
- Initiated after a security incident is identified
- Requires urgency to mitigate active attacks
- Implementing preventative measures
- Training and awareness
- Reporting and documentation
- Intrusion detection and prevention
- SIEM tools
- Log management
- Incident management
- Playbooks
- Post-breach forensics
- Forensic investigation: when, how, why breach occurred
- Collect digital and physical evidence
- Identify areas for improvement
- Reflecting on lessons learned
- Software Development Security
- Use secure coding practices
- Follow recommended guidelines to build secure apps/services
- Integrate security into Software Development Lifecycle (SDLC)
- Security added as a step in each phase
- Design: secure design review
- Development & testing: secure code review
- Deployment: penetration testing
- Ensures protection of sensitive data
- Reduces unnecessary organizational risk
Security posture refers to an organization’s ability to manage its defense of critical assets and data, as well as its ability to react to change.
Threats, Risks, and Vulnerabilities
- Asset
- An item perceived as having value to an organization.
- Assets can be digital or physical.
- Examples: personal information of employees, clients; servers, desktop computers.
- Threat
- Any circumstance or event that can negatively impact assets.
- Example: Social engineering
- Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables.
- Risk
- Anything that can impact the confidentiality, integrity, or availability of an asset.
- Likelihood of a threat occurring.
- Example: the lack of backup protocols to make sure an organization's stored information can be recovered in the event of an accident or security incident.
- Vulnerability
- A weakness that can be exploited by a threat.
- Example: weak password, an outdated firewall
Today’s most common threats, risks, and vulnerabilities
- Threats:
- Insider threats
- Staff members or vendors abuse their authorized access to obtain data that may harm an organization.
- Advanced persistent threats (APTs)
- A threat actor maintains unauthorized access to a system for an extended period of time.
- Risks:
- External risk
- Anything outside the organization that has the potential to harm organizational assets.
- Examples: threat actors attempting to gain access to private information
- Internal risk
- A current or former employee, vendor, or trusted partner who poses a security risk
- Legacy systems
- Old systems that might not be accounted for or updated, but can still impact assets.
- Examples: workstations or old mainframe systems
- Multiparty risk
- Outsourcing work to third-party vendors can give them access to intellectual property
- Example of intellectual property: trade secrets, software designs, and inventions
- Software compliance/licensing
- Software that is not updated or in compliance
NIST’s Risk Management Framework
- NIST's RMF
- NIST is the National Institute of Standards and Technology.
- 7 steps:
- Prepare
- Activities necessary to manage security and privacy risks before a breach occurs.
- Categorize
- Develop risk management processes and tasks.
- Focus on the impact to confidentiality, integrity, and availability of systems.
- Select
- Choose, customize, and document controls.
- Update playbooks and other documentation to manage risks more efficiently.
- Implement
- Implement security and privacy plans to minimize risks.
- Example: Change password requirements if employees need constant resets.
- Assess
- Determine if established controls are implemented correctly.
- Analyze weaknesses and improve existing protocols, procedures, and controls.
- Authorize
- Take responsibility for security and privacy risks in the organization.
- Tasks include generating reports, developing plans of action, and setting project milestones.
- Monitor
- Continuously assess and maintain technical operations.
- Ensure systems are aligned with the organization’s security goals and adjust if needed.