CompTIA Advanced Security Practitioner course 01 the ...
TRANSCRIPT
Slide 1
Course 01: The Enterprise Security Architecture
The Basics of Enterprise Security
The Enterprise Structure
Enterprise Security Requirements
Slide 2
Topic A: The Basics of Enterprise Security
The Enterprise
Enterprise Security
Business Goals and Security
Common Enterprise Security Principles
Enterprise Threat Intelligence
What to Protect?
Defense in Depth
Common Components of an Enterprise Security Solution
Policies, Standards, and Procedures
Enterprise Policy Types
Slide 3
The Enterprise
Large complex organization
Provides services or goods to consumers
Spans multiple geographical locations
Employs a large number of individuals
Slide 4
Enterprise Security
Slide 5
Business Goals and Security
Objectives
Business
Strategy
Enterprise
Security Solutions
Slide 6
Common Enterprise Security Principles
CIA triad
Least privilege
Job rotation
Dual control
Mandatory vacation
Separation of duties
Slide 7
Enterprise Threat Intelligence
Management Team
Development Team
Quality Team
Security Policy
Threat Intelligence
Enterprise
Slide 8
What to Protect?
Data
Resources
Personnel
Intangibles
Slide 9
Defense in Depth
Firewall
IDSs
Real-Time Backups
Attacker
Security Layers
Slide 10
Common Components of an Enterprise Security Solution
Policies and Procedures
Hardware
Software
Slide 11
Policies, Standards, and Procedures
Guidelines Procedures Standards
Security Policy
Slide 12
Enterprise Policy Types
AUP
Planning policies
Security policy
Remote access policy
Wireless security policy
Password/authentication policy
Physical security policy
Network policy
Audit policy
Change management policy
Slide 13
Topic B: The Enterprise Structure
Organizational Structures
The Management Team
Network Administrator
The DBA
Programmers
Stakeholders
Finance
Human Resources
Physical Security and Facilities Roles
Discipline Collaboration
Slide 14
Organizational Structures
Organizational Structure
Based on business
processes and procedures
Assigned roles
Slide 15
The Management Team
Responsible for giving strategic direction within an organization
Slide 16
Network Administrator
Responsible for the network infrastructure and components including:
Routers, switches, firewalls
LANs
WANs
Wireless networks
Slide 17
The DBA
Responsible for designing, implementing, maintaining, and repairing
databases.
Duties include:
Managing physical data definitions.
Managing the implementation of database optimization tools.
Providing support to programmers.
Managing database controls.
Developing backup and recovery plans.
Monitoring and maintaining database usage, performance, and tuning
needs.
Slide 18
Programmers
Develop new applications.
Research new programming methods.
Research common application issues.
Deploy and test applications accurately.
Maintain and monitor live applications.
Support end-users on applications.
Slide 19
Stakeholders
Anyone who has a vested interest in the success of an enterprise.
May include:
Board of directors
Employees
Customers
Suppliers
Business owners
Investors
Slide 20
Finance
Manages and monitors all enterprise financial transactions
Develops budgets and forecasts, and monitors and analyzes the
organization's financial information
Slide 21
Human Resources
Hiring personnel
Managing employee handbooks, procedures, and policies
Training new and existing employees on enterprise-level policies
and procedures
Managing all employee terminations
Slide 22
Physical Security and Facilities Roles
The physical security manager is responsible for evaluating,
implementing, and monitoring all physical security controls
The facilities manager is responsible for managing and maintaining an
enterprise's physical building and the surrounding grounds
Slide 23
Discipline Collaboration
Security Policy
Quality Manager Financial Manager
Employees Employees
Slide 24
Topic C: Enterprise Security Requirements
Legal Compliance
PII
Privacy Requirements
Organizational Security Requirements
Slide 25
Legal Compliance
Adherence to a regulation or standard that dictates how procedures
are implemented.
Security professionals must review all laws and regulations.
Regulations can affect the way businesses store, transmit, and
process data.
Some may have specific laws and regulations to which they must
adhere in order to legally do business.
Slide 26
PII
Black Box Test
Pat Smith,
1177, ABC Avenue,
25th Floor,
New York, NY 10063
212-555-2321
Slide 27
Privacy Requirements
SOX
GLBA
FISMA
COSO
HIPAA
Slide 28
Organizational Security Requirements
Data security, such as labeling, backup, and access control.
Separation of duties guidelines.
Remote office communication methods and guidelines.
Information sharing, access, and disclosure guidelines.
Physical security guidelines.
Privacy policies.
Security policies for multiple office locations.
Departmental security requirements.
Slide 29
Reflective Questions
1. What enterprise security components are familiar to you?
2. What is your experience with regulatory guidelines and standards?
Review Questions:
1. Customer support specialists in your organization provide telephone and chat
support to customers. Network access for these individuals is limited to relevant
customer service databases. What enterprise security principle is being enforced
in this situation?
A. CIA
B. Job rotation
C. Least privilege
D. M of N
2. The network administrator for your enterprise verifies that each network access
point is secured with both a firewall to block traffic and also an IDS to monitor
and detect anomalies in network activity. What security concept is applied in this
scenario?
A. Policies and procedures
B. Defense in depth
C. CIA
D. Least privilege
3. Within your large enterprise, there are a number of security measures that are
implemented and need to be maintained regularly. What discipline would be
responsible for the state of the doorway security systems for an enterprise?
A. Physical security manager
B. The finance department
C. Network administrator
D. Human resources
4. True or False: Enterprises that implement a solid organizational structure and
encourage collaboration between disciplines are more likely to be successful in
implementing security policies that employees will acknowledge and adhere to.
A. True
B. False
5. Which of these individual entries in the database would be considered sensitive
PII?
A. Name
B. Address
C. Phone number
D. Social Security number
6. Your organization requires internal audits of your database security, but the DBA
is not allowed to conduct this audit. What organizational security principle are you
implementing?
A. Backups
B. Separation of duties
C. Privacy policies
D. Information sharing
7. Which of the following regulatory requirements could a financial organization
potentially be required to follow?
A. SOX
B. HIPAA
C. FISMA
D. GLBA
Answer Key:
1. C
CIA is applied when configuring enterprise resources, not on individual job roles.
Job rotation does not involve assigning limited network access. The principle of
least privilege is used when assigning access rights to individuals to make sure
that the right level of access is granted based on job role. This scenario is not an
example of M of N. M of N is used to distribute responsibilities among users.
2. B
Policies and procedures provide enterprises with guidelines on implementing
security measures. This scenario illustrates how defense in depth is
implemented, by installing multiple layers of security measures to protect the
network. CIA is a higher-level security concept used to verify that data and
resources are protected sufficiently. Least privilege is a security concept used
when assigning rights and privileges to users within a network.
3. A
The physical security manager is responsible for all physical security controls, as
they secure the physical access to the building. The finance department does not
manage the physical security controls. A network administrator is responsible for
the networking infrastructure of an enterprise, not the physical access to
buildings. The human resources department is responsible for managing
employee matters within the enterprise, not a physical security system.
4. A
True. With a strong organizational structure in place, managers know how
policies and procedures are disseminated among employees, and can enforce
the security guidelines.
5. D
Though the other three elements together could be considered sensitive PII, only
the Social Security number is sensitive on its own, because the Social Security
number can be used to perform identity theft.
6. B
Separating management and auditing is an example of separation of duties.