These are my notes on the common cybersecurity frameworks for managing information, assessing risks, and IT governance. These frameworks are best practices and standards for organizations from small to very large.

It is not always required to work with these frameworks, but for managing information professionally it is highly recommended. They help you and your organization structure processes, improve performance, and lower the chance of errors.

COBIT

COBIT is an IT governance framework for controlling the whole organization. It is also known as "Control Objectives for Information and Related Technology" and originated with auditors who used it as a tool for steering an organization.

COBIT has three dimensions: business requirements, IT processes and IT resources. For a clearer structure, it is divided into the following domains:
- Plan and organize
- Acquire and implement
- Deliver and support
- Monitor and evaluate

These domains are assigned 34 main processes, which in turn have sub-processes assigned to them. Together they cover business requirements and control objectives in the areas of quality (best practices of quality management), compliance (regulatory requirements) and security (IT management).

COBIT's IT resources

COBIT groups IT resources as follows:
- Humans: Employees, customers, and suppliers
- Applications: Apps and services
- Infrastructure: Logistics, buildings, and IT infrastructure
- Information: Data

COBIT - Enterprise Architecture

ISO/IEC 27001

The well-known ISO/IEC 27001 provides the specification for an ISMS (information security management system). It can help your organization comply with a host of laws and regulations such as the GDPR and NIS. It focuses on protecting the three key aspects of information: confidentiality, integrity and availability (CIA).

Annex A of ISO 27001 contains a set of categories called reference control objectives and controls. To be precise, there are 114 individual controls, including:
- Physical access controls
- Firewall policies
- Security staff awareness programs
- Procedure for monitoring threats
- Incident management processes
- Encryption

The standard requires organizations to compare the measures they have implemented with the Annex A controls. They are also required to implement the missing controls or document the reason for not implementing them.
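The comparison described above is usually recorded in a Statement of Applicability (SoA). The following added example (my own illustration, not part of the standard or any tool) checks a constructed SoA against the rule that every control is either implemented or excluded with a documented reason; the control ids and the "evidence" field are assumptions for the example, not Annex A numbering.

```python
"""Annex A gap check over a constructed Statement of Applicability (SoA)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Control:
    control_id: str          # placeholder id, NOT real Annex A numbering
    name: str
    status: str              # "implemented", "partial", "excluded" or "open"
    justification: str = ""  # required when status == "excluded"
    evidence: str = ""       # assumed good practice: required when implemented


# Constructed sample SoA using the control categories listed in the notes;
# the real Annex A has 114 controls, this is a deliberately small subset.
SAMPLE_SOA: List[Control] = [
    Control("C-01", "Physical access controls", "implemented", evidence="badge logs"),
    Control("C-02", "Firewall policies", "implemented"),                   # no evidence
    Control("C-03", "Security staff awareness programs", "excluded",
            "no employees on site"),
    Control("C-04", "Procedure for monitoring threats", "excluded"),       # no reason
    Control("C-05", "Incident management processes", "partial"),
    Control("C-06", "Encryption", "open"),
]

VALID_STATUS = {"implemented", "partial", "excluded", "open"}


def gap_analysis(soa: List[Control]) -> List[str]:
    """One finding per control that violates the ISO 27001 rule:
    implemented (with evidence) or excluded with a documented justification."""
    findings = []
    for c in soa:
        if c.status not in VALID_STATUS:
            findings.append(f"{c.control_id}: unknown status '{c.status}'")
        elif c.status == "implemented" and not c.evidence.strip():
            findings.append(f"{c.control_id}: implemented but no evidence recorded")
        elif c.status == "excluded" and not c.justification.strip():
            findings.append(f"{c.control_id}: excluded without documented justification")
        elif c.status in ("partial", "open"):
            findings.append(f"{c.control_id}: '{c.name}' must be implemented or justified")
    return findings


def summarize(soa: List[Control]) -> Dict[str, int]:
    """Count controls per status, the headline figure auditors ask for first."""
    counts: Dict[str, int] = {}
    for c in soa:
        counts[c.status] = counts.get(c.status, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_SOA))
    print("\n".join(gap_analysis(SAMPLE_SOA)))
```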

It is essential to understand that ISO 27001 only provides the specification of an effective ISMS, whereas ISO 27002 provides the code of practice, guidance, and best practices.

ITIL

The Information Technology Infrastructure Library has become the standard for IT service management and is primarily used in user-facing service. It structures service delivery, which is mostly viewed from a management perspective, and service support, which is mainly incident and change management. Both combined form the service desk. The IT security relevant parts can be found in IT continuity management within the service delivery category.
ITIL has a lot more to offer, but most of it is not part of IT security. ITIL alone will probably get a separate note in the future.

Common criteria

To assess the security level of computers and their components, the "Common Criteria for Information Technology Security Evaluation" (just call it CC) is widely used. It focuses on the scope of functionality and the trustworthiness of the systems. If you need to get certified, there are several levels, called EAL ("Evaluation Assurance Level"), ranging from 1 to 7. You can compare them with the TCSEC levels:

EAL1 - D-C1 | Functionally tested
EAL2 - C1   | Structurally tested
EAL3 - C2   | Methodically tested and checked
EAL4 - B1   | Methodically designed, tested and reviewed
EAL5 - B2   | Semi-formally designed and tested
EAL6 - B3   | Semi-formally verified design and tested
EAL7 - A    | Formally verified design and tested

Each level includes the requirements of all previous levels.

FIPS 140

FIPS 140 (Federal Information Processing Standard 140) applies to products that implement cryptographic functions. It certifies the strength of those functions and of the applications that implement them.

OSSTMM

The OSSTMM (Open Source Security Testing Methodology Manual) is a security auditing methodology developed as a basis for assessing regulatory and industry requirements. It is maintained by the Institute for Security and Open Methodologies (ISECOM).

OSSTMM isn't meant to be a standalone framework, but rather a basic concept and methodology to build upon.

The following activities are part of OSSTMM:
- Project scope
- Confidentiality and non-disclosure assurance
- Emergency contact information
- Statement of the work change process
- Test plan
- Test process
- Reporting standards

There are also non-technical documents which are not covered by OSSTMM but are still important:
- Procurement
- Project risk identification
- Qualitative and quantitative risk assessment
- Human resources
- Cost estimates and contracts

With the OSSTMM methodology you can cover most of the 10 security domains. They are divided into 5 channels:

Human Security

  • Assesses the possibility of social engineering attacks
  • Focuses on individual security awareness and the effectiveness of training
  • Assesses the exposure of sensitive information about the organization

Physical Security

  • Access controls
  • Security processes
  • Security of buildings

Wireless Communication

Covers the different forms of wireless technology that can be sniffed, intercepted, or spoofed, including Wi-Fi and RFID.

Telecommunications

Covers communication channels such as VoIP, PBX and voicemail.

Data Networks

This channel focuses on computer and network security:
- Network surveying
- Identification
- Access process
- Service identification
- Authentication
- Spoofing
- Phishing
- Resource abuse

OSSTMM defines four phases that are applied to every channel. Each phase is made up of modules, and each module defines a set of processes.

Phase 1: Regulatory

  • Posture review: Review the relevant regulatory and legislative frameworks and standards
  • Logistics: Identify any physical and technical constraints to the process in the channel
  • Active detection: Evaluate interaction detection and response

Phase 2: Definitions

  • Visibility audit: Assesses the visibility of information, systems, and processes relevant to the target
  • Access verification: Assesses access points to the target
  • Trust verification: Assesses trust relationship between systems or people
  • Control verification: Assesses controls to maintain confidentiality, integrity, privacy, and non-repudiation within the systems

Phase 3: Information phase

  • Process verification: Review the security processes of the organization
  • Configuration verification: Evaluate the process under various security level conditions
  • Property validation: Examine the physical or intellectual property available at the organization
  • Segregation review: Determine the levels of personal information leaks
  • Exposure review: Evaluate sensitive information exposure
  • Competence intelligence: Determine information leaks which could aid competitors

Phase 4: Interactive controls test phase

  • Quarantine verification: Evaluate the effectiveness of quarantine functions in the target
  • Privileges audit: Review effectiveness of authorization and potential impact of unauthorized privilege escalation
  • Survivability validation: Assesses the system resilience and recovery
  • Alerts and log review: Review audit activities to ensure a reliable event trail

Last modified: September 11, 2020
