CS205 Handouts by CS World


CS205 Information Security

Handouts
Prepared by
CS World

What is Information Security ?

Week 01, Module 2
• Protecting information and information systems from unauthorized access, use, disclosure, modification, or destruction. (SANS)


What is Information Security ?

• IT Security is information security applied to technology
• Information security also covers physical security, human resource security, legal & compliance, organizational, and process related aspects

What is Information Security ?

• IT Security functions:
– Network security
– Systems security
– Application & database security
– Mobile security
• InfoSec functions:
– Governance
– Policies & procedures
– Risk management
– Performance reviews

What is Information Security ?

• What is Cyber Security ?
– Precautions taken to guard against unauthorized access to data (in electronic form) or information systems connected to the internet
– Prevention of crime related to the internet

What is Information Security ?

• Three Pillars of Information Security:
– Confidentiality: keeping information secret
– Integrity: keeping information in its original form
– Availability: keeping information and information systems available for use

Why Is Information Security Needed ?

Module 3
• Bangladesh Bank SWIFT Hack – Feb 2016: Hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests
REF: WIRED.COM

Why Is Information Security Needed ?

Contd…
• Requests sent to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia.
• USD 81 million stolen
• Total impact could have been USD 1 billion
REF: WIRED.COM

Why Is Information Security Needed ?

Recent Cyber Attack – May 2017 (figure; REF: TELEGRAPH)

Why Is Information Security Needed ?

(figure; REF: GUARDIAN)

Why Is Information Security Needed ?

• The Importance Of Information
– IT is pervasive in our society & critical to the Ops & Mngmt of all organizations
– IT is an enabler for business and govt
– Personal information is vital for individuals to function in society
– Information holds value

Why Is Information Security Needed ?

IMPORTANCE OF INFORMATION SECURITY
• As per PWC Global Economic Crime Report 2016, Cyber Crime was amongst the top 3 most commonly reported types of economic crime
• As per Europol 2013 report, Cyber Crime is now more profitable than the drug trade

Who Is Information Security For ?

Module 4
• Personal:
– Social media passwords and safe usage
– Online banking and email account passwords
– Home PC/laptop security
– Mobile security

Who Is Information Security For ?

• Organizational:
– Board and executive leadership (management commitment)
– CISO (responsible to drive security program)
– IT staff and business users (following information security policies & procedures)

Who Is Information Security For ?

• Govt and national:
– Law enforcement
– Legal and policy making
– National database
– Critical infrastructure
– Regulation
– Standards and certification
– Capacity-building and coordination

Who Is Information Security For ?

• Legal
• Technical
• Organizational
• Capacity building
• Cooperation

Who Is Information Security For ?

• Pakistan ranked almost at the bottom of the table in International ranking by ITU
• Information security is everyone’s responsibility
• Pakistan Cyber Security Association (PCSA) formed to address Pakistan’s international ranking

How Is Information Security Implemented ?

Module 5
• Three pillars of information security:
– People
– Process
– Technology

How Is Information Security Implemented ?

(figure; REF: LINKEDIN)

How Is Information Security Implemented ?

• Leadership commitment:
– “Tone at the top”
– Information security policy and objectives
– Assigning responsibility and authority
– Resource allocation
– Performance reviews
– Ensuring accountability

How Is Information Security Implemented ?

• Information Security Manager or CISO:
– Heads department responsible for implementing information security program
– Directs planning, implementation, measurement, review, and continual improvement of program

How Is Information Security Implemented ?

• IT user:
– Understand policies
– Conduct security/risk assessment
– Design effective security architecture
– Develop SOPs and checklists
– Implement controls
– Report incidents
– Conduct effective change management

How Is Information Security Implemented ?

• Business user:
– Security awareness and training
– Follow information security policy
– Develop and implement secure business processes
– Role-based access control and periodic reviews
– Reporting incidents

How Is Information Security Implemented ?

• Information security program
– Assessing security risks and gaps
– Implementing security controls
– Monitoring, measurement, & analysis
– Management reviews and internal audit
– Accreditation/testing

Who Are The Players In Information Security ?

Module 6
• Government
• Industry & sectors
• International organizations
• Professional associations
• Academia and research organizations
• Vendors and suppliers

Who Are The Players In Information Security ?

• Government:
– Policy making
– Law enforcement
– Legal system
– National cyber security strategy and standards
– International coordination
– Computer Incident Response Team (CIRT)

Who Are The Players In Information Security ?

• Industry & sectors:
– Financial institutions
– Telecoms
– Armed forces
– Federal and provincial IT boards
– Enterprises
– Various other sectors (manufacturing, automotive, health, insurance, etc)

Who Are The Players In Information Security ?

• International organizations:
– APCERT (www.apcert.org)
– European Union Agency for Network & Information Security - ENISA (www.enisa.org)

Who Are The Players In Information Security ?

• International organizations:
– ITU IMPACT (http://www.impact-alliance.org)
https://www.itic.org/dotAsset/c/c/cc91d83a-e8a9-40ac-8d75-0f544ba41a71.pdf

Who Are The Players In Information Security ?

• Professional associations:
– ISACA (isaca.org)
– ISC2 (www.isc2.org)
– OWASP (www.owasp.org)
– Cloud Security Alliance
– Pakistan Cyber Security Association (PCSA)
http://cybersecurityventures.com/cybersecurity-associations/

Who Are The Players In Information Security ?

• Academia & research organizations:
– Universities and research programs
– SANS (www.sans.org)
– Center for Internet Security (www.cisecurity.org)
http://cybersecurityventures.com/cybersecurity-associations/

Infosec Transformation Framework 4 Layers

Module 7
1. Security hardening
2. Vulnerability management
3. Security engineering
4. Security governance

Infosec Transformation Framework 4 Layers

(figure: the four layers stacked, bottom to top)
1. Security Hardening
2. Vulnerability Management
3. Security Engineering
4. Security Governance

Infosec Transformation Framework 4 Layers

• 1: Security hardening:
– Compile IT assets
– Establish minimum security baseline (MSB)
– Research security controls and benchmarks
– Pilot (test)
– Implement controls
– Monitor and update controls

Infosec Transformation Framework 4 Layers

• 2: Vulnerability management:
– Purchase internal tool (NESSUS, Qualys, etc)
– Conduct vulnerability assessment
– Prioritize and remediate
– Report
– Repeat cycle on quarterly/monthly basis

Infosec Transformation Framework 4 Layers

• 3: Security engineering:
– Assess risk profile
– Research security solutions
– Design security architecture
– Implement security controls & solutions
– Test and validate security posture

Infosec Transformation Framework 4 Layers

• 4: Security governance:
– Policies and procedures
– Risk management
– Core governance activities (change management, incident management, internal audit)
– Training & awareness
– Performance reviews

What Is Information Security Hardening ?

Module 8
• IT assets (network, systems, application, databases, mobile, physical security) come with default settings which are not suitable for security
• Security hardening is the process of configuring IT assets to maximize security of the IT asset and minimize security risks

What Is Information Security Hardening ?

• Security in the “trenches:”
– Security at the most fundamental operational layer
– Security where it matters most
– Usually (but not always) involves junior staff who need extra guidance, training, and scrutiny

What Is Information Security Hardening ?

(figure: security hardening process, eight steps)
1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

What Is Information Security Hardening ?

• Why is security hardening the first step in the security transformation model ?
– Most basic security settings
– If not adequately addressed here, the rest of the security measures hardly matter

What Is Information Security Hardening ?

• Short example of Cisco router security hardening:
– Remote access through SSH and not through telnet
– Turn off all unused services
– Session timeout and password retry lockout
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

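The three router hardening items above are the kind of checklist that step 6 of the hardening process (validation of control implementation) verifies before a change goes to PROD. As an added example, not part of the handout or of any Cisco material, the Python script below audits an IOS-style running-config text against those three items and reports what is still weak. The two config snippets, the hostname and the list of services treated as "unused" are constructed assumptions for the example; a real SOP would name the services and timeouts it requires.

```python
"""Audit a Cisco IOS-style running-config against three hardening items:
SSH-only remote access, unused services disabled, session timeout and
login lockout.  Added example; the configs below are constructed, not
taken from any real device."""
import re

# Services the checker treats as "unused" on a plain edge router.
# This list is an assumption for the example, not a Cisco recommendation.
UNUSED_SERVICES = (
    "ip http server",
    "ip http secure-server",
    "ip finger",
    "service tcp-small-servers",
    "service udp-small-servers",
)

# Constructed "before" config: telnet still allowed, timeout disabled,
# web server on, no login lockout.
WEAK_CONFIG = """\
!
hostname edge-rtr-lab
!
ip http server
service tcp-small-servers
!
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
 login local
!
"""

# Constructed "after" config with the three hardening items applied.
HARDENED_CONFIG = """\
!
hostname edge-rtr-lab
!
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
!
ip ssh version 2
login block-for 120 attempts 3 within 60
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
 login local
!
"""


def parse_vty_blocks(config):
    """Return a list of (header, [child lines]) for every 'line vty' section.
    IOS indents a section's children by one space under the section header."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None  # any top-level statement closes the open section
            if line.startswith("line vty"):
                current = (line, [])
                blocks.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return blocks


def audit_config(config):
    """Return a sorted list of findings; an empty list means all three
    hardening items are satisfied."""
    findings = []
    top_level = [l.strip() for l in config.splitlines()
                 if l.strip() and not l.startswith((" ", "!"))]

    # Item 1: remote access through SSH only, plus item 3a: session timeout
    vty_blocks = parse_vty_blocks(config)
    if not vty_blocks:
        findings.append("no 'line vty' section found")
    for header, children in vty_blocks:
        transport = [c for c in children if c.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: transport input not restricted")
        elif any(t != "transport input ssh" for t in transport):
            findings.append(f"{header}: transport input permits more than ssh ({transport[-1]})")
        timeouts = [c for c in children if c.startswith("exec-timeout")]
        if not timeouts:
            findings.append(f"{header}: exec-timeout not explicitly set")
        elif re.fullmatch(r"exec-timeout 0( 0)?", timeouts[-1]):
            findings.append(f"{header}: exec-timeout 0 disables the session timeout")

    # Item 2: unused services must not appear as enabled top-level statements
    for svc in UNUSED_SERVICES:
        if svc in top_level:
            findings.append(f"unused service enabled: {svc}")

    # Item 3b: password retry lockout
    if not any(l.startswith("login block-for") for l in top_level):
        findings.append("no 'login block-for' lockout configured")

    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The checker reads the config as text rather than querying a device, so the same script can be run against an exported running-config in the test setup (step 5) and again after the PROD change (step 8) to confirm that the documented controls are actually in place.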
What Is Information Security Governance ?

Module 9
• Information security governance in simpler terms just means effective management of the security program
• Responsibility for governance is associated with the Board and senior management

What Is Information Security Governance ?

• IT Governance Institute Definition:
– "Security governance is the set of responsibilities and practices exercised by the board and executive management, with the goal of providing strategic direction,…

What Is Information Security Governance ?

• IT Governance Institute Definition (contd.):
– “…ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."

What Is Information Security Governance ?

• ISO27001:2013 – ISMS (Information Security Management System) is the world’s leading and most widely adopted security governance standard

What Is Information Security Governance ?

• ISO27001 "provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”

What Is Information Security Governance ?

• Ten short clauses and a long Annex with 114 controls in 14 groups
• 27000+ certifications globally in 2015

Difference Between Policy, SOP, & Guideline

Module 10
• Policy:
– Formal and high level requirement for securing the organization and its IT assets (mandatory)

Difference Between Policy, SOP, & Guideline

(figure) https://www.linkedin.com/pulse/20140611162901-223517409-difference-between-guideline-procedure-standard-and-policy

Difference Between Policy, SOP, & Guideline

• Policy:
– Scope is across organization so should be brief and focusing on desired results
– Signed off by senior management

Difference Between Policy, SOP, & Guideline

• Procedure / SOP:
– More detailed description of the process; who does what, when, and how
– Scope is predominantly at a department level having specified audience
– May be signed off by departmental head
https://www.slu.edu/its/policies

Difference Between Policy, SOP, & Guideline

• Guideline:
– General recommendation or statement of best practice
– Not mandatory
– Further elaborates the related SOP
https://www.slu.edu/its/policies

Difference Between Policy, SOP, & Guideline

• Standard:
– Specific and mandatory action or rule
– Must include one or more specifications for an IT asset or behavior
– Yardstick to help achieve the policy goals
https://www.slu.edu/its/policies

Difference Between Policy, SOP, & Guideline

• In practice:
– Policy recommended to be a single document applicable at the organizational level (wide audience)
– Sub-policies may be defined at a departmental level
– Policies and standards are mandatory (exception approval)

Difference Between Policy, SOP, & Guideline

• Examples:
– Information security policy
– System administrator password sub-policy
– User ID & Access Management SOP
– Vulnerability Management standard
– Social engineering prevention guideline

What Is An Information Security Program ?

Module 11
• Project definition:
– A project has a defined start and end point and specific objectives that, when attained, signify completion
pmtips.net/blog-new/difference-projects-programmes

What Is An Information Security Program ?

• Program definition:
– A program is defined as a group of related projects managed in a coordinated way to obtain benefits not available from managing the projects individually
pmtips.net/blog-new/difference-projects-programmes

What Is An Information Security Program ?

• Security program:
– Sum-total of all activities planned and executed by the organization to meet its security objectives
pmtips.net/blog-new/difference-projects-programmes

What Is An Information Security Program ?

(figure) https://www.gartner.com/doc/2708617/information-security-program-management-key

What Is An Information Security Program ?

ISO27001:2013 (ISMS) REQUIREMENTS AND CONTROLS (figure)
1. Policy
2. Management commitment & performance review
3. Risk management
4. Asset management
5. Access control
6. Physical & environmental
7. Operations security
8. Communications security
9. Incident management
10. Business continuity
11. Compliance
12. Third-party reviews

What Is An Information Security Program ?

4 Layer Security Transformation Model (figure, bottom to top)
1. Security Hardening
2. Vulnerability Management
3. Security Engineering
4. Security Governance

What Is An Information Security Program ?

• 4-layer security transformation model may be implemented as an ideal security program
• After establishing a basic policy, the sequence of the program (steps 1 through 4) is paramount in order to achieve constructive results

Role of People, Process, and Tech In InfoSec

Module 12
• People, process, and technology are together referred to as the Information Security Triad
• All three aspects help to form a holistic view of Information Security
• All three are important and cannot be overlooked in an Information Security program or activity

Role of People, Process, and Tech In InfoSec

• People:
– People must be trained to effectively & correctly follow policies, information security processes, and implement technology
– Social engineering and phishing are aspects that people must be trained to handle appropriately

Role of People, Process, and Tech In InfoSec

• Processes are fundamental to effective information security
– User access management
– Backups
– Incident management
– Change management
– Vulnerability management
– Risk management

Role of People, Process, and Tech In InfoSec

• Technology plays a central role in the Information Security program:
– Firewalls
– Antivirus
– Email anti-spam filtering solution
– Web filtering solution
– Data loss prevention (DLP) solution

Role of People, Process, and Tech In InfoSec

(figure) https://www.rsaconference.com/writable/presentations/file_upload/tech-203.pdf

Role Of An Information Security Manager

Module 13
• The Information Security Manager (Head Of Information Security or CISO) is delegated and authorized by senior management to run the Information Security program and meet its objectives

Role Of An Information Security Manager

• The Information Security Manager develops a policy to regulate the Information Security program which is signed off by senior management
• Assigned resources and authority to plan, assess, implement, monitor, test, and accredit the Information Security activities

Role Of An Information Security Manager

(figure) http://www.shortinfosec.net/2009/11/role-of-information-security-manager.html

Role Of An Information Security Manager

• InfoSec Manager Tasks:
– Develop policy
– Training & awareness
– Design security architecture
– Design security controls
– Ensure controls are implemented
– Conduct risk assessment

Role Of An Information Security Manager

• InfoSec Manager Tasks (Contd):
– Conduct security testing
– Monitor vulnerability management program
– Facilitate incident management process
– Sign-off critical change management activities

What Is Information Security Awareness ?

Module 14
• Ensure employees are aware of :
– The importance of protecting sensitive information
– What they should do to handle information securely
– Risks of mishandling information
REF: PCI Best Practices For Implementing Security Awareness
https://www.pcisecuritystandards.org/documents/

What Is Information Security Awareness ?

• NIST Special Publication 800-50 (Building An IT Security Awareness & Training Program)
– Awareness
– Training
– Education

What Is Information Security Awareness ?

• Awareness:
– Awareness is not training
– Purpose of awareness is simply to focus attention on security
– Change behavior or reinforce good security practices
REF: NIST SP800-50, PAGE 8

What Is Information Security Awareness ?

• Training:
– “Strives to produce relevant and needed security skills and competencies”
– Seeks to teach skills
– E.g. IT Security course for system administrators covering all security aspects
REF: NIST SP800-50, PAGE 9

What Is Information Security Awareness ?

• Education:
– Integrates all of the skills and competencies into a common body of knowledge
– E.g. a degree program

What Is Information Security Awareness ?

NIST-SP-800-50 IMPLEMENTATION STEPS (figure)

What Is Information Security Awareness ?

• Don’ts:
– Share your password
– Click on suspicious email links
– Install unlicensed software on your PC
• Do’s:
– Logout when getting up from your system
– Report security incidents

Leading Security Standards & Frameworks

Module 15
• A standard or framework is a blueprint or roadmap for achieving Information Security objectives
• Examples are ISO27001:2013 (ISMS), PCI DSS, & COBIT

Leading Security Standards & Frameworks

• ISO27001:2013 (ISMS)
– Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system
– Ten short clauses
– Long annex

Leading Security Standards & Frameworks

ISO27001:2013 MANDATORY CLAUSES (figure)
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf

Leading Security Standards & Frameworks

ISO27001:2013 DISCRETIONARY CONTROLS (figure) – TOTAL: 113
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf

Leading Security Standards & Frameworks

• PCI Data Security Standard (DSS):
– Designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment
– Managed by Security Standards Council
https://www.pcicomplianceguide.org/pci-faqs-2/

Leading Security Standards & Frameworks

• PCI DSS:
– SSC is an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB)
– 6 Broad goals and 12 requirements
REF: PCI Best Practices For Implementing Security Awareness
https://www.pcisecuritystandards.org/documents/

Leading Security Standards & Frameworks

(figures) https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

Leading Security Standards & Frameworks

• COBIT:
– ISACA framework for IT Governance
– COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use (ISACA)

Leading Security Standards & Frameworks

• COBIT 5 brings together five principles that allow the enterprise to build an effective governance and management framework (ISACA)
• Based on a holistic set of seven enablers that optimises IT investment and use for the benefit of stakeholders (ISACA)

What Is Information Security Risk ?

Module 16
• Risk is a fundamental concept that drives all security standards, frameworks, and activities
• In simple terms, Information Security Risk refers to the potential damage or loss that may be caused to an organization in the absence of appropriate controls

What Is Information Security Risk ?

• A process aimed at achieving an optimal balance between realizing opportunities for gain and minimizing vulnerabilities and loss
• Usually accomplished by ensuring that impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost
REF: ISACA CISM MANUAL

What Is Information Security Risk ?

• Risk is managed so that:
– It does not materially impact the business process in an adverse way
– Acceptable level of assurance and predictability to the desired outcomes of any organizational activity
REF: ISACA CISM MANUAL

What Is Information Security Risk ?

(figure; REF: ISACA CISM MANUAL)

What Is Information Security Risk ?

• Risk Assessment:
– Foundation for effective risk management
– Solid understanding of the risk universe
– Nature and extent of risk to IT resources and potential impact on the organization's activities
REF: ISACA CISM MANUAL

What Is Information Security Risk ?

(figure; REF: ISACA CISM MANUAL)

What Is Information Security Risk ?

• Challenges with risk focused approach:
– In an environment where controls are absent, a risk based approach may become too academic
– Effort should focus on 4-Step Security Transformation Framework

Information Security Lifecycle

Extra Module
• An Information Security lifecycle represents the recommended sequence to adequately address security during any project or activity
• It is a process to ensure that all security projects and activities consistently follow the same sequence and steps

Information Security Lifecycle

(figure: the lifecycle as a cycle of seven steps)
1. Requirements
2. Assess Current Posture
3. Remediation Plan
4. Implement Controls
5. Test/Validate
6. Accredit
7. Monitor & Audit

Information Security Lifecycle

• Step 1: Requirements
– Established by policy, or security program
– Could also be driven by security transformation program
– Establish security exposure, determine risk and priority

Information Security Lifecycle

• Step 2: Assess Current Security Posture
– Conduct gap analysis
– Could also be a risk assessment and evaluation

Information Security Lifecycle

• Step 3: Remediation Plan
– Methodology & framework
– Controls
– Resources
– Approvals and communication
– Timeline
– Project monitoring and review
– Develop SOP

Information Security Lifecycle

• Step 4: Implement Controls
– Pilot
– Test/validate in pilot
– Change management
– Implement in production/live environment
– Roll-back if unexpected response
– Maintain SOP

Information Security Lifecycle

• Step 5: Test/Validate
– Security team or independent review of correctness and coverage of security control implementation
– Ensure SOP/checklist developed and followed

Information Security Lifecycle

• Step 6: Security Accreditation
– Review process has been followed (change management, SOP, sign-offs)
– Establish monitoring mechanism
– Awareness training
– Issue formal accreditation

Information Security Lifecycle

• Step 7: Monitor & Audit
– Monitoring mechanism (KPIs, reporting, review)
– Incident management
– Internal audit

Management Commitment

Module 17
• What is management commitment ?
– Management commitment is the expression of the intent, relevant actions, and allocation of sufficient resources to ensure the InfoSec program is properly implemented

Management Commitment

• ISO27001:2013 (ISMS) Clause 5.1:
a) Policy and objectives are established (compatible with strategic direction)
b) Integration of ISMS reqmts into processes
c) Resources
d) Communicating importance

Management Commitment

• ISO27001:2013 (ISMS) Clause 5.1:
e) Intended outcomes are achieved
f) Directing and supporting persons
g) Promoting continual improvement
h) Supporting other management roles

Management Commitment

• “Tone at the top”
– Management closely watches the actions of executive leadership (culture)
– The importance given to InfoSec by the executive leadership becomes the minimum threshold for rest of the organization

Management Commitment

• In practice:
– Security policy
– Security responsibility delegated to head (CISO) or dept
– Security steering committee (board level)
– Quarterly or frequent management reviews of information security program

Information Security Responsibility

Week 02, Module 18
• Default organizational perception:
– Security is responsibility of one person or one department
– Can get away with “security as an afterthought”
– Reactive

Information Security Responsibility

• Security is everyone’s responsibility:
– Management commitment & tone at the top
– Security awareness campaigns/program
– A strong and effective security program
– Allocation of sufficient resources

Information Security Responsibility

• Security involvement & accountability:
– Effective security implementation should be built into the performance KPIs of key team members (management, technical, business)
– Annual appraisals, security awards and recognition

Information Security Responsibility

INFOSEC PROJECT REPORTING STRUCTURE (figure, top to bottom, with review frequency)
– Board [QTR]
– InfoSec Steering Comm. [MONTHLY]
– Information Security Management Committee (ISMC) [WEEKLY]
– IT / InfoSec Teams [DAILY]

Information Security Responsibility

• Security is everyone’s responsibility and has to gradually take its place in org culture

Cyber Security Breaches

Module 19
• Fox News Video: “World’s Biggest Cyber Attacks”
– http://video.foxnews.com/v/5435057924001/?#sp=show-clips
• World’s Biggest Data Breaches:
– http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Cyber Security Breaches

• Leading Global Reports:
– Verizon 2017 Data Breach Investigations Report (DBIR)
– Symantec 2017 Internet Security Threat Report (ISTR)

Challenges Of InfoSec Implementation

Module 20
• Challenges Of IT:
– Complex and difficult to manage
– Under pressure from business groups
– Lack of sufficient competent resources
– Lack of process culture
– IT not aligned to perform diligent security work

Challenges Of InfoSec Implementation

(figure: InfoSec at the intersection of Audit, IT, Compliance, and Risk)

Challenges Of InfoSec Implementation

• Challenges Of InfoSec:
– Silos & lack of coherent ownership
– Lot of time & energy wasted in traversing dept boundaries
– Enabling environment for tough security work missing
– Security hardening glaringly absent

Challenges Of InfoSec Implementation

• Pakistan Industry Security Characteristics:
– Wavering management commitment
– Superficial “dressing” security
– Reactive to regulator audit/compliance mandate
– Industry in denial

Challenges Of InfoSec Implementation

InfoSec Transformation Model (figure, bottom to top)
1. Security Hardening
2. Vulnerability Management
3. Security Engineering
4. Security Governance

Challenges Of InfoSec Implementation

• Challenges Of InfoSec (figure)

Role Of A Regulator

Module 21
• Cyber attack can have devastating consequences causing financial loss and disruption of critical infrastructure
• Cyber security has become a key risk factor putting under threat not only consumer rights protection, but also viability and health of the industry itself

Role Of A Regulator

• A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyber-attacks (Wikipedia)

Role Of A Regulator

• Industry regulators including banking regulators have taken notice of the risk from cybersecurity and have either begun or are planning to begin to include cybersecurity as an aspect of regulatory examinations (Wikipedia)

Role Of A Regulator

• Role Of Regulator In Cyber Security:
– Regulations, guidelines, and audit
– Engagement of key stakeholders
– Technical and industry expertise
– Regional and international cooperation

Role Of A Regulator

• Regionally, the most well developed cyber security strategy and framework developed by Singapore (ITU rank # 1), Malaysia (ITU rank # 3), and Oman (ITU rank # 4)

Role Of A Regulator

• Singapore:
– Cyber Security Agency (2015); strategy, education, outreach, eco-system development
– National Cyber Security Master Plan 2018 (created 2013)
– Cyber Security Strategy (created 2016)

Role Of A Regulator

• Pakistan; Ministry of IT (MOIT):
– National IT Policy 2016 (draft)
– Digital Pakistan Policy 2017

Role Of A Regulator

• Pakistan; State Bank Of Pakistan (SBP):
– Enterprise Technology Governance & Risk Management Framework for Financial Institutions (30 May 2017)

Role Of A Regulator

• Pakistan lacks:
– National cyber security strategy
– National cyber security master plan
– National cyber security agency
– National certification & accreditation body
– National Computer Emergency Response Team (CERT)

Status Of InfoSec in Pakistan

Module 22
• Pakistan Electronic Crimes Act (PECA) enacted as late as 2016
• Cyber security strategy, eco-system still missing
• Research program, capacity building, standardization, & certification bodies absent
• Condition of InfoSec in industry largely dismal

Status Of InfoSec in Pakistan

Global Cyber Security Index 2017 (ITU):
– Pakistan ranked 67th with a score of 0.44/1
– Bangladesh ranked 53rd with a score of 0.524/1
– India ranked 23rd with a score of 0.683/1
https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf

Status Of InfoSec in Pakistan

• Pakistan cyber security posture (industry):
– Superficial security
– Reactive
– Emphasis on governance
– Security hardening of IT assets largely absent
– Industry has been in denial for last decade

Status Of InfoSec in Pakistan

• Reasons for poor security posture:
– Archaic digitalization and commerce
– Perception that Pakistan is immune
– Lack of awareness and management commitment
– Lack of effective regulations

Status Of InfoSec in Pakistan

• Changing dynamics (PK):
– Pakistan financial industry rocked by Bangladesh SWIFT hack 2016
– Wannacry (May 2017) badly hit several dozen organizations in Pakistan
– Increasing e-commerce, electronic banking

Status Of InfoSec in Pakistan

• Pakistan needs:
– Necessary measures by the Government in line with what Malaysia, Oman have done for cyber security
– Development of the security eco-system as an enabler in order to drive strong security posture

Solution For InfoSec Improvement (PK)

Module 23
• Generally, Pakistan Information Security is one generation behind IT deployment
• Four-layer security transformation model provides the correct sequence and focus in order to address organizational security gaps

155
Solution For InfoSec Improvement (PK)

4. Security
Governance

3. Security
Engineering

2. Vulnerability
Management

1. Security
Hardening

156
Solution For InfoSec Improvement (PK)

1. Security Hardening: security controls on IT assets & processes
2. Vulnerability Management: patching
3. Security Engineering: more complex security design & solutions
4. Security Governance: managing the information security program
157
Solution For InfoSec Improvement (PK)

• Solution for strong security posture:
– Management commitment (Board)
– 4 layer transformation model as security program
– Allocation of resources
– Periodic reviews for assessing progress
158
Solution For InfoSec Improvement (PK)

• Don’t repeat the same mistakes:
– Too much governance without the underlying security hardening
– Reactive rather than intrinsic
– Lack of resources (10% of what is allocated for IT)
– Management interest
159
Typical Enterprise IT Network

Module 24
• Chapter 2:
– Typical Enterprise IT Architecture & Security Overlay

160
Typical Enterprise IT Network

• What does a typical enterprise IT network look like?

161
Typical Enterprise IT Network

162
Typical Enterprise IT Network

• Edge router
• NGN FW
• DMZ:
– Web security
GW/Proxy
– Application security
FW
– Web server
– Email antispam GW
• IPS & N-DLP
• Distribution switch
163
Typical Enterprise IT Network

• Data center switch & FW
• Access switch
• NAC
• SOC:
– SIEM
– VM
– Other SOC tools
• System AV
• Server HIPS
• UTM
• Mobile device - MDM
164
Major Components: Enterprise IT Network

Module 25
• Edge router
– WAN interfaces
– Edge filtering (access lists)
– DDOS protection
• NGN FW
– Capable of APT attack prevention, malware filtering, web security, email security, application bandwidth filtering
165
Major Components: Enterprise IT Network

166
Major Components: Enterprise IT Network

• DMZ:
– Security zone with
placement of
published web server,
web & email security
GWs, app security GW
• IPS:
– Intrusion prevention
(signature based)
– May be feature in
NGN-FW

167
Major Components: Enterprise IT Network

• Distribution switch
– Connectivity to
access switches,
external exit point
(WAN), and DC
switch
• Data center switch & FW
– Data center filtering
(malware & access-
lists)

168
Major Components: Enterprise IT Network

• Access switch
– User connectivity
– Switchport security &
access switch security
• NAC
– Network admission
control (IEEE802.1X)
• SIEM
– Logging & dashboard for events, root cause analysis, event correlation
169
Major Components: Enterprise IT Network

• Vulnerability Manager
– Vulnerability scanning
and asset tracking
• System AV
– Signature based
malware prevention
• Server HIPS
– IPS features for
servers, also file
integrity checking

170
Major Components: Enterprise IT Network

• UTM
– Multi-featured NGN
FW device
• Mobile device – MDM
– Security features for
mobile devices

171
OSI Security Architecture

Module 26
• ITU-T X.800, Security Architecture For OSI (‘91)
• Provides a systematic technique for defining security requirements, and characterizes the approaches to satisfy those requirements
• Defines security attack, mechanism, and service
http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf
https://cgi.csc.liv.ac.uk/~alexei/COMP522_10/COMP522-SecurityArchitecture_07.pdf
172
OSI Security Architecture

• Security attack: action that compromises the security of information owned by an organization (or person)
– Passive: aims to learn or make use of system information only
– Active: attempts to alter system resources/operation
https://cgi.csc.liv.ac.uk/~alexei/COMP522_10/COMP522-SecurityArchitecture_07.pdf
173
OSI Security Architecture

• Security service is a
service that ensures
adequate security of the
system or data transfer
– Authentication
– Access control
– Data confidentiality
– Data integrity
– Non-repudiation
– Availability
https://cgi.csc.liv.ac.uk/~alexei/COMP522_10/COMP522-SecurityArchitecture_07.pdf
174
OSI Security Architecture

http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf
175
OSI Security Architecture

• Security mechanism:
– Feature designed to
detect, prevent, or
recover from a
security attack
– Cryptography
underlies many of the
mechanisms
http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf

176
OSI Security Architecture

http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf

177
OSI Security Architecture

http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf
178
OSI Security Architecture

• ITU-T X.800, Security Architecture For OSI, dates from 1991

179
New IT Frontiers: Cloud, Mobile, Social, IOT

Module 27
• IT dynamics are changing the way we communicate, work, and live
• These disruptive new IT frontiers have significant security consequences

180
New IT Frontiers: Cloud, Mobile, Social, IOT

[Diagram: “Changing Face Of IT” surrounded by four elements: Cloud, Mobile, Social, IOT]

181
New IT Frontiers: Cloud, Mobile, Social, IOT

https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf
182
New IT Frontiers: Cloud, Mobile, Social, IOT

https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

183
New IT Frontiers: Cloud, Mobile, Social, IOT

https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

184
New IT Frontiers: Cloud, Mobile, Social, IOT

https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

185
New IT Frontiers: Cloud, Mobile, Social, IOT

• For cloud, mobile, and IOT security guidance, checklists, and other details visit:
– www.cloudsecurityalliance.org
– www.owasp.org

186
New IT Frontiers: Cloud, Mobile, Social, IOT

• Useful URLs:
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
– https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
– https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf
– https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Guidance_v1.pdf
– https://downloads.cloudsecurityalliance.org/assets/research/mobile/MAST_White_Paper.pdf
– https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
– https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/connected-vehicle-security.pdf

187
Virtualization Environment Security

Module 28
• Cloud Security Alliance: “Best Practices For Mitigating Risks In Virtual Environments” (PDF)
• Virtualization security classified into three areas:
– Architectural
– Hypervisor software
– Configuration

188
Virtualization Environment Security

1. VM Sprawl
2. Sensitive data within
VM
3. Security of offline and
dormant VMs
4. Security of Pre-
configured (Golden
Image) VMs
5. Lack of visibility into
virtual networks

189
Virtualization Environment Security

• Risk # 1 (VM Sprawl)
– Impact: VMs can be created quickly, self-provisioned, or moved between physical servers, avoiding the conventional change management process
– Proliferation of VMs causing performance and security risks
190
Virtualization Environment Security

• Risk # 1 (VM Sprawl)
– Controls: policies, procedures and governance of VM lifecycle management
– Control creation, storage and use of VM images with a formal change management process
– Discover VMs & apply security controls
191
Virtualization Environment Security

• Risk # 1 (VM Sprawl)
– Controls: keep a small number of identified, good and patched images of a guest operating system separately for fast recovery & restoration of systems

192
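As an added illustration of the VM sprawl controls above (this is not code from the CSA paper or the course), the following Python reconciles a hypervisor's discovered VM inventory against the change-management register: it flags VMs with no change record, VMs moved to another host without one, VMs built from an image outside the small maintained set, and VMs that have been dormant (powered off) long enough to have missed patching. The VM names, hosts, image names, dates and the 90-day dormancy threshold are constructed sample values.

```python
"""Reconcile discovered VMs against the change register (VM sprawl check)."""
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 90  # assumption: a VM powered off this long has missed patch cycles


@dataclass(frozen=True)
class VM:
    name: str
    host: str                # physical server the VM was discovered on
    state: str               # "running" or "off"
    created: date
    last_seen_running: date  # last day the VM was observed powered on
    image: str               # template / golden image it was cloned from


@dataclass(frozen=True)
class ChangeRecord:
    vm_name: str
    approved_host: str
    approved_image: str


# Constructed sample: what a discovery scan of two hypervisor hosts returned.
INVENTORY = [
    VM("erp-app-01", "esx-01", "running", date(2017, 1, 10), date(2017, 6, 30), "win2012-gold-v7"),
    VM("erp-app-01-copy", "esx-02", "running", date(2017, 5, 22), date(2017, 6, 30), "win2012-gold-v7"),
    VM("test-php-legacy", "esx-02", "off", date(2016, 2, 3), date(2016, 12, 20), "centos6-gold-v2"),
    VM("db-01", "esx-02", "running", date(2016, 9, 14), date(2017, 6, 30), "rhel7-gold-v3"),
]

# Constructed sample: the approved change records (the CMDB view of the estate).
REGISTER = [
    ChangeRecord("erp-app-01", "esx-01", "win2012-gold-v7"),
    ChangeRecord("db-01", "esx-01", "rhel7-gold-v3"),
]

# The "small number of identified, good and patched images" the slide recommends.
APPROVED_IMAGES = {"win2012-gold-v7", "rhel7-gold-v3"}

AUDIT_DATE = date(2017, 6, 30)  # constructed date of the audit run


def audit_vms(inventory, register, approved_images, today, dormant_days=DORMANT_DAYS):
    """Return sorted (vm_name, finding) pairs for every control violation found."""
    by_name = {r.vm_name: r for r in register}
    findings = []
    for vm in inventory:
        rec = by_name.get(vm.name)
        if rec is None:
            findings.append((vm.name, "no change record (possible sprawl)"))
        else:
            if vm.host != rec.approved_host:
                findings.append((vm.name, f"moved to {vm.host} without a change record"))
            if vm.image != rec.approved_image:
                findings.append((vm.name, f"built from {vm.image}, not the approved {rec.approved_image}"))
        if vm.image not in approved_images:
            findings.append((vm.name, f"image {vm.image} is not a maintained golden image"))
        idle = (today - vm.last_seen_running).days
        if vm.state == "off" and idle >= dormant_days:
            findings.append((vm.name, f"dormant for {idle} days: patch before reuse or retire"))
    return sorted(findings)


def run_sample():
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_vms(INVENTORY, REGISTER, APPROVED_IMAGES, AUDIT_DATE)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```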
Virtualization Environment Security

• Risk # 2 (Sensitive Data Within a VM)
– Impact: VM images and snapshots can be copied easily via USB or the console of a hypervisor installed elsewhere

193
Virtualization Environment Security

• Risk # 2 (Sensitive Data Within a VM)
– Controls: encrypt data stored on virtual and cloud servers
– Policies to restrict storage of VM images and snapshots
– Image change management process with approvals
– Logging & monitoring
194
Case Study – Enterprise Network (Small Org)

Module 29
• Organizational characteristics:
– Location: Karachi
– 70 total staff
– 10 IT staff
– 8 servers
– 1 main DC, no DR site
– IT service oriented
business delivered to
banks, telcos,
enterprises
195
Case Study – Enterprise Network (Small Org)

• Organizational culture:
– Small IT oriented
profitable business
– Mostly chaotic
culture with no
defined or
documented
processes
– Organization lacks
discipline (execution)
– Quality of resources:
average
196
Case Study – Enterprise Network (Small Org)

• IT setup:
– Windows 2010/2012,
Linux server OS
– ASP.net 4.x, PHP
applications (total 10)
– Windows 8/10
desktops (50+)
– 1 Cisco ASA FW in DC
– No DR site or offsite
backup
– Free AV, no AD, no licenses
197
Case Study – Enterprise Network (Small Org)

• Security posture:
– Completely absent
– No hardening done
– No vulnerability
management
– No security
management or
governance
– No policy or staff dedicated for security
– No management commitment (prior)
198
Case Study – Enterprise Network (Small Org)

• Security requirement:
– Customers are banks
and telcos
– Desired
ISO27001:2013 (ISMS)
certification for
customer RFPs

199
Case Study – Enterprise Network (Small Org)

• Driving change ?
– Executive
management facing
security questions
from top clients
– COO approaches
security consulting
company for pen-
testing
– Consultant advises
project for security
transformation
200
Case Study – Enterprise Network (Small Org)

• Security transformation
project:
– Project initiation: 2
Mths
– Layer 1: security
hardening of IT assets
(6 Mths)
– Layer 2: VM (1 Mth)
– Layer 3: security
engineering (1 Mth)
– Layer 4: Governance
& ISO cert.(3 Mths)
201
Case Study – Enterprise Network (Small Org)

• Conclusion:
– Absence of a process
oriented, organized
culture makes it
difficult for security
implementation
– Ad hoc culture is difficult to transform
– Executive
management support
and commitment was
the success factor
202
Case Study – Enterprise (Medium Org)

Module 30
• Organizational characteristics:
– Location: Lahore
– 350 total staff
(group)
– 15+ IT staff
– 25 servers
– 1 main DC, 1 DR site, 1
backup site
– IT service business in
media industry
203
Case Study – Enterprise (Medium Org)

• Organizational culture:
– Medium sized,
profitable IT business
– Good internal culture
(several employees
with org since 10 yrs)
– Organization lacks
processes
– Teams have
execution discipline
– Senior resources are
experienced
204
Case Study – Enterprise (Medium Org)

• IT setup:
– Windows 2010/2012,
Linux server OS
– Oracle & MS-SQL
databases
– ASP.net 4.x
applications (total 15)
– Windows 8/10
desktops (300+)
– 1 Cisco ASA FW in DC; MikroTik routers as edge routers
205
Case Study – Enterprise (Medium Org)

• IT setup (contd):
– Asterisk voice server
for call center (10
seats, 6-8 lines)
– 1 DR site (offshore)
and 1 backup site (PK)
– Panda AV, AD, unlicensed Windows
– MDaemon for email server, migrating to MS Exchange

206
Case Study – Enterprise (Medium Org)

• Security posture:
– Completely absent
– No hardening done
– No vulnerability
management
– No security
management or
governance
– No policy or staff
dedicated for security
– No management commitment (prior)
207
Case Study – Enterprise (Medium Org)

• Security requirement:
– Security incident;
competitive data
leakage to third-party
by internal employee
– License renewal due
by regulator;
demonstration of
security commitment
imperative

208
Case Study – Enterprise (Medium Org)

• Driving change ?
– Executive
management
concerned about
information security
& security culture
– CEO approaches
security consulting
company
– Consultant advises
project for security
transformation
209
Case Study – Enterprise (Medium Org)

• Security transformation
project:
– Project initiation: 15
days
– Layer 1: security
hardening of IT assets
(3 Mths)
– Layer 2: VM (1 Mth)
– Layer 3: security
engineering (4 Mths)
– Layer 4: Governance
& ISO cert.(3 Mths)
210
Case Study – Enterprise (Medium Org)

• Conclusion:
– Senior resources in
the organization
were committed
– Demonstration of security commitment was essential for the organization's survival
– ISO27001:2013 (ISMS) serves as a credible credential for customers/regulator
211
Case Study – Enterprise (Large Org)

Module 31
• Organizational characteristics:
– Location: Karachi
– 10,000+ total staff
– 150 IT staff
– 200 servers
– 1 main DC, 1 DR site
– Energy & distribution
sector

212
Case Study – Enterprise (Large Org)

• Organizational culture:
– Large sized privatized
org
– Strong internal
culture
– Organization lacks
process culture
– Teams have high
execution discipline
– Good quality &
qualification of IT
resources
213
Case Study – Enterprise (Large Org)

• IT setup:
– Windows 2010/2012,
Linux, AIX OS
– Oracle & MS-SQL
databases
– Over 100 internal applications (SharePoint, GIS, ASP.net)
– Windows 7/8/10
desktops (5500+)

214
Case Study – Enterprise (Large Org)

• IT setup (contd):
– Asterisk voice server
for voice
communication
– 1 DR site (hosted)
– Licensed AV, AD, &
windows
– Complete SAP ERP
suite & internal
development

215
Case Study – Enterprise (Large Org)

• Security posture:
– Superficial
– No hardening done
– Weak vulnerability
management
– Poor security
management/
governance
– Security team exists
– No management
commitment (prior)
216
Case Study – Enterprise (Large Org)

• Security requirement:
– Security incident;
servers hacked
causing financial loss

217
Case Study – Enterprise (Large Org)

• Driving change ?
– Executive
management
concerned about
information security
& security culture
– Board drives IT to hire
consultant
– Consultant convinces
IT to go for security
transformation

218
Case Study – Enterprise (Large Org)

• Security transformation
project:
– Project initiation: 15
days
– Layer 1: security
hardening of IT assets
(6 Mths)
– Layer 2: VM (1 Mth)
– Layer 3: security engineering (1 Mth)
– Layer 4: Governance
& ISO cert.(5 Mths)
219
Case Study – Enterprise (Large Org)

• Conclusion:
– Strong commitment
of the Board & IT
Director drove the
implementation of
the security
transformation
project
– ISO27001:2013 (ISMS)
achieved as a security
credential

220
Structure Of An IT Team

Module 32
• Typical organogram of an IT team
• Job functions
• Additional tasks
• Large sized org
• Medium sized org
• Small sized org

221
Structure Of An IT Team

GENERAL STRUCTURE

CIO
– Executive Asst.
– GM Networks & Infrastructure
– GM IT Operations
– GM Software Development
– GM IT Services
– GM PMU/Business Tech
– IT Security
– Procurement/Finance

222
Structure Of An IT Team

JOB FUNCTIONS

CIO
– Executive Asst.
– GM Networks & Infrastructure: Networks, Data Center, Capacity Planning
– GM IT Operations: Servers Uptime
– GM Software Development: Software Acquisition & Dev.
– GM IT Services: Web Proxy, Email, Service Desk
– GM PMU/Business Tech: Project Management/Business Interface
– IT Security: Security function
– Procurement/Finance: Vendor Interaction, Procurement
223
Structure Of An IT Team

ADDITIONAL TASKS

CIO
– Executive Asst.
– GM Networks & Infrastructure: Networks, Data Center, Capacity Planning; additional: Nationwide connectivity
– GM IT Operations: Servers Uptime; additional: Database ops, application support
– GM Software Development: Software Acquisition & Dev.; additional: Software CRs
– GM IT Services: Web Proxy, Email, Service Desk; additional: Thin Clients, Call Center
– GM PMU/Business Tech: Project Management/Business Interface; additional: Steering Committee
– IT Security: Security function; additional: Compliance
– Procurement/Finance: Vendor Interaction, Procurement; additional: Vendor Mngmt, IT accounting
224
Structure Of An IT Team

LARGE ORG (150 IT Staff)

CIO
– Executive Asst.
– GM Networks & Infrastructure: Networks, Data Center, Capacity Planning
– GM IT Operations: Servers Uptime
– GM Software Development: Software Acquisition & Dev.
– GM IT Services: Web Proxy, Email, Service Desk
– GM PMU/Business Tech: Project Management/Business Interface
– IT Security: Security function
– Procurement/Finance: Vendor Interaction, Procurement
225
Structure Of An IT Team

MEDIUM ORG (15-20 IT Staff)

Head Of IT
– Head Of IT Infrastructure: All IT Infrastructure, Servers, Data Center
– Head Of Applications: All Internal & Software Acquisition & Dev., Databases
– Head Of IT Support: Customer Support Functions, Helpdesk
226
Structure Of An IT Team

SMALL ORG (7-8 IT Staff)

COO
– Head Of IT Infrastructure & Support: All IT Infrastructure, Servers, Data Center, IT Helpdesk & Support
– Head Of Applications: Software Acquisition & Dev., Databases
227
Structure Of An IT Team

• IT teams come in various structures; however, there are set industry best-practices and organizations should follow tried & tested best-practices
• IT is today an enabler forming the engine for business automation, but also carries with it security hazards
228
Objectives, Performance KPIs, Priorities Of IT

Module 33
• IT is a challenging domain which requires skill, experience, structure, and spending to run efficiently
• Business is making steep
demands on IT for agile
delivery of applications
in order to keep up with
competition
• Running IT requires a
diverse skillset
229
Objectives, Performance KPIs, Priorities Of IT

• Primary objectives set for IT by management are to:
– Set up the infrastructure with the least cost in the minimum time
– Maintain the network with minimum disruption and maximum performance, requiring the least resources
230
Objectives, Performance KPIs, Priorities Of IT

• Performance KPIs:
– Minimal network
disruption
– Timely completion of
new projects
– Quick and efficient
changes to existing
applications (change-
requests) to meet
business
requirements

231
Objectives, Performance KPIs, Priorities Of IT

• Priorities of IT:
– To meet the
performance KPIs
– To meet adhoc and
unplanned business
requirements

• Note that security figures nowhere in the objectives, performance KPIs, or priorities of IT teams
232
Objectives, Performance KPIs, Priorities Of IT

• General IT teams
performance in Banking:
– Extremely large
number of
applications
(hundreds) & legacy
– Heavy-weight
business teams and IT
seen as a cost-center
– Technologists
generally poor at
banking (business)
233
Objectives, Performance KPIs, Priorities Of IT

• General IT teams
performance in Telcos:
– More professional
and qualified
workforce
– Most telcos have been set up in the last 10 years so have clean greenfield networks (no legacy)
– Fewer applications; IT
supports business
234
Objectives, Performance KPIs, Priorities Of IT

• General IT teams
performance in
Enterprise:
– Competence and
professionalism of IT
teams matches
culture of
organization
– IT efficiency driven by
top management
commitment and
interest
235
Objectives, Performance KPIs, Priorities Of IT

• Security posture:
– Surprisingly in 95% of
all orgs in Pakistan
(all types and sizes),
security posture has
been found to be
deficient
– Lack of awareness in
the country has
contributed to this
deficient and poor
security posture
236
IT Team Interaction With Other Stakeholders

Module 34
• IT budget/projects approved by IT Steering Committee (annual)
• Business requirements &
new projects
• Audit & compliance
requirements
• Expansion (branches) &
maintenance
• IT support for
computing (helpdesk)
• Business continuity & DR
237
IT Team Interaction With Other Stakeholders

• IT budget/projects
approved by IT Steering
Committee (annual):
– Capex and opex
layout
– Includes new projects
& licensing /
maintenance of
operations
– New hirings

238
IT Team Interaction With Other Stakeholders

• Business requirements & new projects:
– New upcoming business projects
– Change requests (CRs) and expansion of existing business projects
– Vendor management for business solutions
– UAT (testing) of business applications
239
IT Team Interaction With Other Stakeholders

• Audit & compliance requirements:
– External audit
– Internal audit
– Compliance
– Information security & risk depts

240
IT Team Interaction With Other Stakeholders

• Expansion (branches) & maintenance:
– IT requirements for business expansion (new branches, new locations, new territories)
– Maintenance of existing IT infrastructure (UPS, networking, bandwidth circuits)
241
IT Team Interaction With Other Stakeholders

• IT support for
computing (helpdesk):
– New software and
versions rollout (e.g.
migration of AV or
email program)
– IT support for
business functions
(application not
working, speed slow,
etc)
– Software bugs
242
IT Team Interaction With Other Stakeholders

• Business continuity & DR:
– DR is a technology function for which interaction with business functions is required (testing)
– Business continuity is handled under business operations, in which IT also participates
243
Security Overlay Of Enterprise (Part 1)

Module 35
• How is the enterprise secured with the help of various components and security design?

244
Security Overlay Of Enterprise (Part 1)

[Diagram: enterprise security overlay. Threats shown: choked circuit, web attacks, DDOS, malware, APT attacks, zero-day attacks, user productivity, website hacking & defacement, data leakage, spam and spear-phishing attacks, infected system, non-compliant system, infected server, data theft and unauthorized access, malicious user. Protection points shown: ISP router, UTM (regional office), web security GW, web server, app FW, DMZ FW, email antispam GW, IPS, N-DLP, WAN/extranet & DR switch, access switch, NAC, SIEM, DC switch/FW, VM, NMS]
245
Security Overlay Of Enterprise (Part 1)

Security Challenge | Location/Device | Security Solution
Perimeter Filtering | Edge Router | Access Lists & Various RFCs
DDOS Attack | Edge Router / DDOS Protection | DDOS Protection Solution
Zero-Day Attack / APT Attack | Edge Device / Edge NGN FW | Zero-Day/APT Attack Prevention
Web Server Attacks | DMZ / Web Application FW | Web Application Attack Prevention
Email SPAM & Malware/Phishing | DMZ / Email Security GW | Email Security
246
Security Overlay Of Enterprise (Part 1)

Security Challenge | Location/Device | Security Solution
Web-based User Attacks | DMZ / Web Security GW | Web Filtering & Malware Protection
System Malware | System | AV
User Network Access Control | At Aggregation Point Of User Access | Network Admission Control (NAC)
User Controls For USB/Media, HDD Encrypt | System | Data Loss Prevention (DLP) – System Level
Remote Branch Connectivity / Malware | Intranet-Extranet Edge / UTM | Unified Threat Management (UTM) Solution
247
Security Overlay Of Enterprise (Part 1)

Security Challenge | Location/Device | Security Solution
Data Center Unauthorized Access / Malware | Data Center FW | Data Center FW Filtering & Malware Protection
Data Exfiltration | Edge / Network DLP | Network DLP Solution
Event Monitoring & Detection | Data Center / SIEM | Security Info. & Event Management
Unpatched Systems | Data Center / VM | Vulnerability Scanner
Server Integrity Monitoring & IPS Filtering | Data Center / HIPS | Host Intrusion Prevention System (HIPS)
248
Security Overlay Of Enterprise (Part 1)

• How is the enterprise secured with the help of various components and security design?

249
Security Overlay Of Enterprise (Part 2)

Week 03
Module 36
• What are the traffic flows specific to good security design?

250
Security Overlay Of Enterprise (Part 2)

[Pages 251 to 259: diagram-only slides]
Security Overlay Of Enterprise (Part 2)

• Granular access list filtering and a well planned and tested security design are keys to success

260
Security Overlay Of Enterprise (Part 3)

Module 37
• General security design principles

261
Security Overlay Of Enterprise (Part 3)

262
Security Overlay Of Enterprise (Part 3)

1. Block unauthorized
traffic at edge (direct
public www traffic to
DMZ web server)
2. Edge malware
protection & DMZ
3. Web & email are
important vectors to
secure against malware
and attacks
4. NGN-FW (may be found
in a UTM as well)
263
Security Overlay Of Enterprise (Part 3)

5. Web security GW and email anti-spam GW solutions
6. Granular access list filtering in edge and data center FWs (source, destination, and traffic type/port)
7. A good AV solution, and keep virus definitions updated
8. Monthly VM scans
264
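An added example, not part of the course handout, of what principles 1 and 6 mean in practice: a first-match access-list evaluator (implicit deny when nothing matches, as on most firewalls) for an edge ACL that lets public web traffic reach only the DMZ web server, and a data center ACL that only permits the application subnet to the database; an audit pass then flags permit rules that are not granular in source, destination or port. The addresses, subnets, rule names and the "legacy" rule are constructed.

```python
"""First-match ACL evaluation and a granularity audit for firewall rule sets."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr):
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"


# Constructed address plan: DMZ web server 203.0.113.10, internal users in
# 10.20.0.0/16, DC application servers 10.10.1.0/24, DC database 10.10.2.5.
# Rule order matters: the first matching rule wins.
EDGE_ACL = [
    Rule("public-to-dmz-web", ANY, net("203.0.113.10/32"), "tcp", 443, "permit"),
    Rule("block-rest-of-dmz", ANY, net("203.0.113.0/24"), "any", None, "deny"),
    Rule("block-to-internal", ANY, net("10.0.0.0/8"), "any", None, "deny"),
]
DC_FW_ACL = [
    Rule("app-to-db", net("10.10.1.0/24"), net("10.10.2.5/32"), "tcp", 1433, "permit"),
    Rule("users-to-app", net("10.20.0.0/16"), net("10.10.1.0/24"), "tcp", 443, "permit"),
    Rule("default-deny", ANY, ANY, "any", None, "deny"),
]
# Constructed example of the kind of rule an audit should catch.
LEGACY_ACL = [
    Rule("temp-allow-all", net("10.0.0.0/8"), ANY, "any", None, "permit"),
]


def evaluate(acl, src, dst, proto, dport):
    """Return (action, rule_name) for the first rule matching the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, r.name
    return "deny", "implicit-deny"


def audit_acl(acl):
    """Flag permit rules that are too broad in source/destination or port."""
    issues = []
    for r in acl:
        if r.action != "permit":
            continue
        if r.src == ANY and r.dst == ANY:
            issues.append((r.name, "any-to-any permit"))
        if r.dport is None:
            issues.append((r.name, "permits all ports"))
        if r.dst.prefixlen < 24:
            issues.append((r.name, "destination wider than /24"))
    return issues


if __name__ == "__main__":
    print(evaluate(EDGE_ACL, "198.51.100.7", "203.0.113.10", "tcp", 443))
    print(evaluate(EDGE_ACL, "198.51.100.7", "10.20.5.5", "tcp", 3389))
    print(audit_acl(LEGACY_ACL))
```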
Security Overlay Of Enterprise (Part 3)

More Advanced Security:
• APT & zero-day attack prevention
• SIEM solution
• Network DLP and system DLP
• Network admission control (NAC)
• Server HIPS
• Web application FW (WAF)
265
Security Overlay Of Enterprise (Part 3)

Even More Advanced Security:
• Network forensics
• Host-based APT / IoC solution
• Identity & access management (IAM)
• Privileged identity management (PIM)
• Database security solution
266
Security Overlay Of Enterprise (Part 3)

• Further guidelines for strong security controls:
– CIS 20 critical security controls

267
High Availability (HA)

Module 38
• What is high availability (HA)?
– High availability of a system or component assures a high level of operational performance (uptime) for a given period of time

https://www.digitalocean.com/community/tutorials/what-is-high-availability

270
High Availability (HA)

• High availability is a
strategy
• Fault tolerance refers to
a system designed in
such a way that when
one component fails, a
backup component
takes over operations
immediately to avoid
loss of service

271
High Availability (HA)

https://jazz.net/wiki/bin/view/Deployment/HighAvailability

272
High Availability (HA)

• High availability is
designed in the
following manner:
– System level (data
center or service)
– Device level (within
single device)
– Device level
(combination of
multiple redundant
devices)
– Alternate site level
273
High Availability (HA)

• High availability and fault tolerance:
– Designed to minimize downtime with the help of redundant components
• Disaster Recovery:
– A pre-planned approach for re-establishing IT functions at an alternate site
274
High Availability Design

Module 39
• Let’s look at various HA designs

275
High Availability Design
ACTIVE-STANDBY SERVER CONFIGURATION

https://www.getfilecloud.com/blog/2015/12/architectural-patterns-for-high-availability/#.WVeex4SGPIU

276
High Availability Design
ACTIVE-ACTIVE SERVER CONFIGURATION

https://www.getfilecloud.com/blog/2015/12/architectural-patterns-for-high-availability/#.WVeex4SGPIU

277
High Availability Design
N+1 UPS REDUNDANT CONFIGURATION

https://www.getfilecloud.com/blog/2015/12/architectural-patterns-for-high-availability/#.WVeex4SGPIU

278
High Availability Design
ACTIVE-STANDBY SUN SERVER CLUSTER

https://docs.oracle.com/cd/E19693-01/819-0992/6n3cn7p3n/index.html
279
High Availability Design
NETWORK REDUNDANT CONFIGURATION

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/HA_campus_DG/hacampusdg.html
280
High Availability Design
DATA CENTER REDUNDANT CONFIGURATION

https://www.getfilecloud.com/blog/2015/12/architectural-patterns-for-high-availability/#.WVeex4SGPIU
281
High Availability Design

• Don’t forget to test the failover and fault tolerant capabilities of your network

282
Site Redundancy

Module 40
• Three types of redundant site models:
• Hot site
• Cold site
• Warm site

283
Site Redundancy

• Hot site (expensive):
– Mirror of primary data center
– Populated with servers, cooling, power, and office space
– Running concurrently with main/primary data center (synching)
– Minimal impact
http://www.seguetech.com/three-stages-disaster-recovery-sites/
284
Site Redundancy

• Cold site (cheapest):
– Office or data center space without any server related equipment installed
– Power, cooling and office space
– Servers/equipment migrated in event of primary site failure

http://www.seguetech.com/three-stages-disaster-recovery-sites/
285
Site Redundancy

• Warm site (middle ground):
– Middle ground between hot site and cold site
– Some pre-installed server hardware (ready for installation of production environments)
– Requires engineering support to activate
http://www.seguetech.com/three-stages-disaster-recovery-sites/
286
Site Redundancy

HYBRID SITE REDUNDANCY ARCHITECTURE

[Diagram: Primary Site, Secondary Site and DR Site]
287
Site Redundancy

• RTO:
– Max amount of time, following a disaster, for an organization to recover files from backup storage and resume normal operations (max amount of downtime an organization can handle)
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
288
Site Redundancy

• RPO:
– Max age of files that an organization must recover from backup storage for normal operations to resume after a disaster (minimum frequency of backups)

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
289
Site Redundancy

• Example:
– If an organization has an RTO of two hours, it cannot be down for longer than that.
– If an organization has an RPO of four hours, the system must back up at least every four hours.

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
290
High Availability & Redundancy Case Study

Module 41
• Mid-sized enterprise
• 3000 total staff
• 2000 IT users
• 30 IT team
• One DC, one secondary (regional) data center (warm site & backup site), and one DR site
• 99.9 % uptime designed

291
High Availability & Redundancy Case Study

HYBRID SITE REDUNDANCY ARCHITECTURE

[Diagram: Primary Site, Secondary Site and DR Site]
292
High Availability & Redundancy Case Study

• IT setup:
– Oracle ERP system
– Sharepoint portal for
workflow automation
– Head office in Karachi
– Primary DC in Karachi
(hosted with 3rd
party)
– DR site in Lahore
(hosted with 3rd
party)
– Secondary DC in ISB
293
High Availability & Redundancy Case Study

• Primary DC:
– Fully redundant (HA)
design for network,
systems, and storage
– Cisco HA (active-
standby)
– Oracle cluster
technology for
servers and DBs
(active-active)

294
High Availability & Redundancy Case Study

• Secondary DC (ISB):
– All network, systems,
and storage backups
maintained here
(also mirrored in DR)
– Regional servers (AD,
file servers, etc)
– Test & staging
environment here
(segregated from
main DC)
– Office working space
295
High Availability & Redundancy Case Study

• DR site
– Bare minimum HA (as
DR site) for network,
systems, and storage
– Mirror of all backups
from secondary site
maintained here
– Office working space
– Some additional
computing capacity
(minimum for
unforeseen events)
296
High Availability & Redundancy Case Study

• DR site
– All critical systems
and devices
maintained in active
mode (hot) for
immediate DR
failover
– Data maintained as
per org RTO/RPO for
immediate utility
– Monthly DR
testing/drill
297
High Availability & Redundancy Case Study

• Backup strategy:
– Primary backup at
secondary DR site
– Mirror at DR site
– For critical systems:
monthly full backup,
daily incremental
backup
– For critical network
devices: weekly full
backup; backups
based on change
298
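An added example, not part of the course handout, that ties the case study's backup strategy (monthly full backup plus daily incremental backups for critical systems) to the RTO/RPO definitions of the Site Redundancy module: given a backup catalog and a disaster time, it builds the restore chain (latest full plus every later incremental), derives the data-loss window and the estimated recovery time, and checks both against the targets. The backup timestamps, per-set restore durations and site-activation time are constructed values; the 4-hour RPO / 2-hour RTO pair is the example from the slides.

```python
"""Check a full + incremental backup schedule against RTO and RPO targets."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str             # "full" or "incremental"
    taken: datetime       # when the backup set completed
    restore_minutes: int  # measured time to restore this set (constructed)


def restore_chain(catalog, disaster):
    """Latest full completed before the disaster, plus every later incremental."""
    usable = [b for b in catalog if b.taken <= disaster]
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        return []  # nothing restorable: the catalog has no full backup yet
    base = max(fulls, key=lambda b: b.taken)
    incs = sorted((b for b in usable if b.kind == "incremental" and b.taken > base.taken),
                  key=lambda b: b.taken)
    return [base] + incs


def assess(catalog, disaster, rpo, rto, site_activation=timedelta(0)):
    """Return loss window, estimated recovery time and whether RPO/RTO are met.

    loss      = disaster time minus the newest backup in the chain (data lost)
    recovery  = time to bring up the alternate site + time to restore the chain
    """
    chain = restore_chain(catalog, disaster)
    if not chain:
        return {"chain": [], "loss": None, "recovery": None,
                "rpo_met": False, "rto_met": False}
    loss = disaster - chain[-1].taken
    recovery = site_activation + timedelta(minutes=sum(b.restore_minutes for b in chain))
    return {"chain": [b.taken for b in chain], "loss": loss, "recovery": recovery,
            "rpo_met": loss <= rpo, "rto_met": recovery <= rto}


# Constructed catalog: full backup on the 1st at 02:00, incrementals nightly at 02:00.
CATALOG = [Backup("full", datetime(2017, 6, 1, 2, 0), 90)] + [
    Backup("incremental", datetime(2017, 6, day, 2, 0), 10) for day in range(2, 16)
]
DISASTER = datetime(2017, 6, 15, 14, 30)  # constructed: mid-afternoon on the 15th


def sample(rpo_hours=4, rto_hours=2):
    """Assess the constructed schedule; defaults are the slides' RPO/RTO example."""
    return assess(CATALOG, DISASTER,
                  rpo=timedelta(hours=rpo_hours), rto=timedelta(hours=rto_hours))


if __name__ == "__main__":
    r = sample()
    print(f"chain length {len(r['chain'])}, data loss {r['loss']}, recovery {r['recovery']}")
    print(f"RPO met: {r['rpo_met']}, RTO met: {r['rto_met']}")
```

With one incremental per night, a 14:30 disaster loses 12.5 hours of data, so a 4-hour RPO requires backups at least every four hours, exactly as the slides state; the same schedule does meet a 24-hour RPO and a 4-hour RTO.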
Backup Strategies

Module 42
• Backup considerations:
– What to backup?
– Backup location?
– Frequency of backup?
– Backup operator?
– Backup checker (verification)?
– Backup test & security methods?
– Technology & tools used for backup?
http://www.techsoup.org/support/articles-and-how-tos/your-organizations-backup-strategy
299
Backup Strategies

• What to backup ?
– Network
configuration files
– OS backups
– Database &
application data
– Other critical data

300
Backup Strategies

• Backup location ?
– Onsite for faster
recovery
– Offsite for DR
purposes
– Intermediate site
(secondary site) as a
middle-ground

301
Backup Strategies

• Backup frequency ?
– Depends entirely on
criticality of data,
nature of the
information being
backed up (how
frequently does info
change ?), storage
space available, and
overall backup plan

302
Backup Strategies

• Backup operator and


checker ?
– Backups should
ideally be automated
– Operator should
ensure that backups
have taken place
– Verifier should sign-
off that check has
been made

303
Backup Strategies

• Backup testing &


security considerations:
– Backup testing
should be performed
on a periodic basis
and greater than the
frequency of the DR
drill (e.g. DR drill once
a QTR, & testing once
a month)
– Encryption &
compression
304
Backup Strategies

• Backup tools and


technology:
– Consider NAS, SAN,
SCSI/IDE/SATA drives
– Various tools and
technology to
perform full,
differential, and
incremental backups
– Encryption
– Access control
– Alerts & reporting
305
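The monthly-full plus daily-incremental scheme from the case study, together with the operator's "did every backup run" check and the verifier's integrity check, as an added Python example (not code from the handouts; the catalog entries, payloads and digests are constructed):

```python
"""Restore-chain planning and backup verification for a monthly-full /
daily-incremental scheme. Added example; the catalog below is constructed."""
import hashlib
from datetime import date, timedelta


def sha256_hex(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


# Constructed backup catalog. "data" stands in for the backup image and
# "sha256" is the digest recorded when the set was written. The 3 May
# incremental is deliberately corrupted, and 5 May has no set at all.
CATALOG = [
    {"date": date(2017, 5, 1), "kind": "full", "data": b"full-may",
     "sha256": sha256_hex(b"full-may")},
    {"date": date(2017, 5, 2), "kind": "incr", "data": b"incr-02",
     "sha256": sha256_hex(b"incr-02")},
    {"date": date(2017, 5, 3), "kind": "incr", "data": b"incr-03",
     "sha256": sha256_hex(b"incr-03-as-written")},   # stored bytes differ
    {"date": date(2017, 5, 4), "kind": "incr", "data": b"incr-04",
     "sha256": sha256_hex(b"incr-04")},
    {"date": date(2017, 5, 6), "kind": "incr", "data": b"incr-06",
     "sha256": sha256_hex(b"incr-06")},
]


def restore_chain(catalog, target):
    """Sets needed to rebuild the state as of `target`: the newest full
    backup on or before target, then every incremental after it, in order."""
    fulls = [s for s in catalog if s["kind"] == "full" and s["date"] <= target]
    if not fulls:
        raise ValueError(f"no full backup on or before {target}")
    base = max(fulls, key=lambda s: s["date"])
    incrs = sorted(
        (s for s in catalog
         if s["kind"] == "incr" and base["date"] < s["date"] <= target),
        key=lambda s: s["date"],
    )
    return [base] + incrs


def missing_days(chain, target):
    """Operator check: calendar days after the full backup, up to `target`,
    that have no incremental set (a daily job that silently did not run)."""
    have = {s["date"] for s in chain}
    day = chain[0]["date"] + timedelta(days=1)
    gaps = []
    while day <= target:
        if day not in have:
            gaps.append(day)
        day += timedelta(days=1)
    return gaps


def verify_chain(chain):
    """Verifier check: recompute each set's digest against the recorded one."""
    return [(s["date"], sha256_hex(s["data"]) == s["sha256"]) for s in chain]


def restorable_through(chain):
    """Latest date that can actually be restored: an incremental cannot be
    applied once an earlier set in the chain fails verification."""
    good = None
    for day, ok in verify_chain(chain):
        if not ok:
            break
        good = day
    return good


def restore_report(catalog, target_iso):
    """Everything the backup checker signs off on, for one target date."""
    target = date.fromisoformat(target_iso)
    chain = restore_chain(catalog, target)
    good = restorable_through(chain)
    return {
        "chain": [s["date"].isoformat() for s in chain],
        "missing_days": [d.isoformat() for d in missing_days(chain, target)],
        "verified": [ok for _, ok in verify_chain(chain)],
        "restorable_through": good.isoformat() if good else None,
    }


if __name__ == "__main__":
    for key, value in restore_report(CATALOG, "2017-05-06").items():
        print(f"{key}: {value}")
```

The report shows why a verification sign-off matters: the catalog looks complete through 6 May, but a single bad incremental on 3 May means only the state of 2 May is actually recoverable.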
Security Tools Used In An Enterprise

Module 43
• Typical security tools used in an enterprise:
– Enterprise antivirus
– MS Active Directory (AD)
– Vulnerability manager
– Logs management
– Network & performance monitoring
– Automated backups
306
Security Tools Used In An Enterprise
• Typical security tools
used in an enterprise:
– Microsoft Windows
Server Update
(WSUS) & SCM/SCCM
– Asset management
software
– Trouble-ticket system
– SIEM
– DLP
– Encryption software
– 2FA
307
Security Tools Used In An Enterprise
Tool | Function | Complexity level | Examples
Enterprise Antivirus | System antivirus and malware protection | Low | Sophos, Avast, Kaspersky, Symantec, McAfee
MS AD (GP) | Pushing out security policies through AD GPO | Low | Pushing out Windows password settings
VM | Vulnerability scanning | Medium | OpenVAS, Nessus, Qualys
308
Security Tools Used In An Enterprise
Tool | Function | Complexity level | Examples
Log Management | Logs collection & analysis | Medium | OSSEC
Network & Performance Management | NOC | Low | CACTI, ORION
Automated Backups | Backups | Medium | Veritas
Windows Updates | Windows Updates & Configs | Low | WSUS, SCCM, SCM
309
Security Tools Used In An Enterprise
Tool | Function | Complexity level | Examples
Asset Management | Detect, Track, Manage Assets | Medium | Asset Explorer, PulseWay
Trouble Ticket System | TT Workflow | Medium | BMC Track-IT, SysAid
SIEM | Event Management | High | OSSEC, Splunk, Q-Radar
DLP | Data Loss Prevention | High | Symantec
Encryption Software | Encryption | High | TrueCrypt
310
Security Tools Used In An Enterprise

• Lots of tools available
• People, process, technology

311
Security Tools – Typical Enterprise (Part 1)

Module 44
• Gartner Magic Quadrant reports
• List of some other industry reports

312
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, Endpoint Protection, Jan 2017. Vendors highlighted: Trend Micro, Sophos, Kaspersky, Symantec]
https://www.gartner.com/doc/reprints?id=1-3SCOKCW&ct=170131&st=sb
313
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, Secure Web Gateway, June 2017. Vendors highlighted: Symantec, Zscaler]
https://www.gartner.com/doc/reprints?id=1-3SCOKCW&ct=170131&st=sb
314
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, UTM (SMB multi-function firewall), June 2017. Vendors highlighted: Fortinet, Checkpoint]
https://www.gartner.com/doc/reprints?id=1-3SCOKCW&ct=170131&st=sb
315
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, Enterprise Network Firewalls, May 2016. Vendor highlighted: Palo Alto Networks]
https://www.gartner.com/doc/reprints?id=1-3805JH8&ct=160525&st=sb
316
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, SIEM, August 2016. Vendors highlighted: IBM, Splunk, LogRhythm]
https://www.gartner.com/doc/reprints?id=1-2JNR3RU&ct=150720&st=sb
317
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, DLP, Feb 2017. Vendors highlighted: Symantec, Digital Guardian, Forcepoint]
https://www.gartner.com/doc/reprints?id=1-3UKD88K&ct=170301&st=sb
318
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, Application Security Testing, Feb 2017. Vendors highlighted: HPE, Veracode, IBM]
https://www.gartner.com/doc/reprints?id=1-3UKD88K&ct=170301&st=sb
319
Security Tools – Typical Enterprise (Part 1)

• View and read various industry reports for security tools comparisons:
– Gartner
– Forrester
– Security Awards
– Lab reports: ICSA, NSS

320
Security Tools – Typical Enterprise (Part 2)

Module 45
• NSS Labs Security Value Map (SVM)
• Some additional Gartner Magic Quadrant reports

321
Security Tools – Typical Enterprise (Part 2)

[Figure: NSS Labs Security Value Map, NGFW, 2016. Vendors highlighted: Hillstone, Huawei, Fortinet]
https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/Brochure-NSS-Lab-Independent-Validation.pdf
322
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, Enterprise Mobility Management (EMM), June 2017. Vendors highlighted: VMware, MobileIron, IBM, Blackberry]
https://www.gartner.com/doc/reprints?id=1-42A6Q84&ct=170607&st=sb
323
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, Data Center Backup & Recovery, June 2016. Vendors highlighted: Commvault, IBM, EMC, Veritas]
https://www.gartner.com/doc/reprints?id=1-38JSYOW&ct=160602&st=sb
324
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, Identity Governance, Feb 2017. Vendors highlighted: Sailpoint, Oracle, CA, IBM]
https://www.sailpoint.com/identity-governance-leader-gartner-magic-quadrant/
325
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, Network Performance Monitoring & Diagnostics, Feb 2017. Vendors highlighted: NetScout, Viavi, Riverbed]
https://www.gartner.com/doc/reprints?id=1-3TYUQFH&ct=170221&st=sb
326
Security Tools – Typical Enterprise (Part 1)

[Figure: Gartner Magic Quadrant, Web Application Firewall, July 2016. Vendor highlighted: Imperva]
https://www.gartner.com/doc/reprints?id=1-3TYUQFH&ct=170221&st=sb
327
Security Tools – Typical Enterprise (Part 2)

• Gartner
• Forrester
• NSS Labs
• ICSA Labs

328
What Does “Box Security” Mean ?

Module 46
• “Box Security” refers to a prevalent approach in the industry, especially in larger organizations, in which the solution for every security challenge is in the form of a “box” or device

329
What Does “Box Security” Mean ?

• Box for :
– Email security
– Web security
– FW
– IPS
– APT attack
prevention
– DDOS prevention
– Network DLP
– Network Forensics
– Others
330
What Does “Box Security” Mean ?

• Security is a
combination of people,
process, and technology
• Industry observation:
most of the devices are
not used to full
capability or capacity
after purchase
• Case in point: SIEM
solution or DB security
solution

331
What Does “Box Security” Mean ?

• “Box security” is not the silver bullet
• Although many devices
and boxes are required,
they do not ensure a
good security posture
• This approach is
unfortunately promoted
by many vendors who
have equipment to sell
• Consider organizational
maturity & readiness
332
What Does “Box Security” Mean ?

• Other challenges with the “box security” approach:
– Shortage of staff (IT
& security)
– Training and skill
required to operate
the sophisticated
devices and features

333
What Does “Box Security” Mean ?
SECURITY SOLUTION LIFECYCLE
1. Security requirement study
2. Solution research
3. Budgeting & approvals
4. RFP, HLD, vendor/tool selection
5. Installation & commissioning + training
6. Acceptance & sign-off (meeting HLD)
7. Development of SOP & commissioning
8. Ongoing operations, change management, audits
334
What Does “Box Security” Mean ?

• Device objectives and high-level design (HLD) should be planned prior to commissioning
• Min operational baseline
and configuration
should be documented
in SOP
• Device feature set and
configuration audits
should be conducted on
a periodic basis (annual)
335
Best Approach: IT Enterprise Security ?

Module 47
• The 4-layer security transformation model is the only way to effectively and practically address security posture
• The 4-layer security transformation model is tried & tested for geographies where the overall security awareness & posture is weak
336
Best Approach: IT Enterprise Security ?

4. Security Governance
3. Security Engineering
2. Vulnerability Management
1. Security Hardening
337
Best Approach: IT Enterprise Security ?

1. Security hardening:
address security
configuration of all IT
assets which security
“boxes” won’t do for
you
2. Vulnerability
management: scanning
to inspect patching of
IT assets (essential)
3. Security engineering
4. Security governance
338
Best Approach: IT Enterprise Security ?

3. Security engineering:
this is where more
serious investments
may be made once
layers 1 & 2 have been
completed
satisfactorily (or are
being addressed)

339
Best Approach: IT Enterprise Security ?

4. Security governance:
ensure the proper
utilization (as
intended), ROI, and
audits of purchased
devices & solutions

Also ensure configs are as per design, and SOPs.

340
What Is Disaster Recovery (DR) ?

Module 48
• What is a disaster ?
– Any significant event that causes disruption of information technology processing facilities, thus affecting the operations of the business
https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-strategies-processes-564
341
What Is Disaster Recovery (DR) ?

• What is disaster
recovery (DR) ?
– DR is an area of
security that allows
an organization to
maintain or quickly
resume mission-
critical (IT) functions
following a disaster
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery

342
What Is Disaster Recovery (DR) ?

• What could cause the invocation of a DR failover to DR site ?
– Natural disasters such
as flood, earthquake,
lightning, storm
– Disaster caused by
human actions such
as riot, fire, terrorist
act, etc

343
What Is Disaster Recovery (DR) ?

• What is the difference between DR and business continuity (BC) ?
– DR is an IT function,
whereas business
continuity addresses
keeping all essential
aspects of a business
functioning despite
disruptive events (DR
is a part of BC)
https://en.wikipedia.org/wiki/Disaster_recovery
344
What Is Disaster Recovery (DR) ?

http://grcbizassurance.com/services/disaster-recovery/
345
What Is Disaster Recovery (DR) ?

• Three step process:
– Failover to the DR site (DR invocation)
– Restoration of the services/facilities on primary site
– Recovery (switchover back to primary site)
https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-strategies-processes-564

346
What Is Disaster Recovery (DR) ?

• What is a DR plan ?
– A documented,
structured approach
to dealing with
unplanned incidents

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery-plan

347
What Is Disaster Recovery (DR) ?

• DR plan checklist:
– Scope of the activity
– Gathering relevant
network
infrastructure
documents
– Identifying the most
serious threats and
vulnerabilities, and
the most critical
assets
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery-plan
348
What Is Disaster Recovery (DR) ?

– Identifying current
DR strategies
– Identifying
emergency response
team
– Management review
& approval of DR plan
– Testing the plan (drill)
– Updating the plan
– Implementing a DR
plan audit
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery-plan
349
What Is Disaster Recovery (DR) ?

• Sample DR plan
template:
– http://www.it.miami.edu/_assets/pdf/security/ITPol_A135-Disaster%20Recovery%20Plan%20Example%202.pdf

350
What is Business Continuity (BC) ?

Module 49
• What is business continuity ?
– Business Continuity (BC) is the capability of the org to continue delivery of products or services at acceptable predefined levels following a disruptive incident (Source: ISO 22301:2012)
http://www.thebci.org/index.php/resources/what-is-business-continuity
351
What is Business Continuity (BC) ?
• What is business
continuity management?
– Holistic management
process that identifies
potential threats to an
organization and the
impacts to business
operations those
threats, if realized,
might cause, and
which provides a …
http://www.thebci.org/index.php/resources/what-is-business-continuity

352
What is Business Continuity (BC) ?
• What is business
continuity management?
– …framework for
building org resilience
with an effective
response that
safeguards interests
of key stakeholders,
reputation, brand and
value-creating
activities. (Source: ISO
22301:2012)
http://www.thebci.org/index.php/resources/what-is-business-continuity
353
What is Business Continuity (BC) ?

http://www.thebci.org/index.php/resources/what-is-business-continuity
354
What is Business Continuity (BC) ?

• What is a BC plan ?
– A document that
consists of critical
information an
organization needs to
continue operating
during an unplanned
event

http://searchdisasterrecovery.techtarget.com/definition/business-continuity-action-plan
355
What is Business Continuity (BC) ?

• What is a BC plan ?
– The BCP should state
essential functions of
the business, identify
which systems and
processes must be
sustained, & detail
how to maintain
them. It should take
into account any
possible business
disruption
http://searchdisasterrecovery.techtarget.com/definition/business-continuity-action-plan
356
DR In Enterprise Architecture – Part 1

Module 50
• DR considerations:
– DR plan
– RTO & RPO

357
DR In Enterprise Architecture – Part 1

• DR plan:
– A disaster recovery
policy statement,
plan overview and
main goals of the
plan
– Key personnel and
DR team contact
information

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery

358
DR In Enterprise Architecture – Part 1

• DR plan (contd)…:
– Description of
emergency response
actions immediately
following an incident.
– A diagram of the
entire network and
recovery site.
– Directions for how to
reach the recovery
site.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
359
DR In Enterprise Architecture – Part 1

• DR plan (contd)…:
– A list of software and
systems that will be
used in the recovery.
– Sample templates for
a variety of
technology
recoveries, including
technical
documentation from
vendors.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
360
DR In Enterprise Architecture – Part 1

• DR plan (contd)…:
– Summary of
insurance coverage.
– Proposed actions for
dealing with financial
and legal issues.
– Ready-to-use forms
to help complete the
plan.

361
DR In Enterprise Architecture – Part 1

http://grcbizassurance.com/services/disaster-recovery/
362
DR In Enterprise Architecture – Part 1

• RTO:
– Max amount of time,
following a disaster,
for an org to recover
files from backup
storage and resume
normal operations;
max amount of
downtime an org can
handle.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery

363
DR In Enterprise Architecture – Part 1

• RTO:
– If an organization has
an RTO of two hours,
it cannot be down for
longer than that

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery

364
DR In Enterprise Architecture – Part 1

• RPO:
– RPO is the max age of
files that an
organization must
recover from
backup storage for
normal operations to
resume after a
disaster; determines
the minimum
frequency of backups.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
365
DR In Enterprise Architecture – Part 1

• RPO:
– For example, if an
organization has an
RPO of four hours,
the system must back
up at least every four
hours

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
366
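The RTO and RPO definitions above, turned into checks a DR drill can actually run: does the backup schedule satisfy the RPO, how much data would be lost for a given outage time, and was the RTO met. This is an added Python example, not material from the handouts; the 4-hour RPO follows the slide's own example, and the backup log, outage and restore times are constructed.

```python
"""RTO/RPO checks for a backup schedule and a DR drill. Added example; all
timestamps below are constructed."""
from datetime import datetime, timedelta

RPO = timedelta(hours=4)   # max tolerable data age (the slide's example)
RTO = timedelta(hours=2)   # max tolerable downtime (constructed)

# Constructed backup log for one day: a 4-hourly job whose 12:00 run was
# skipped, leaving an 8-hour gap that breaks the RPO.
BACKUPS = [datetime(2017, 5, 10, h) for h in (0, 4, 8, 16, 20)]
# The same job with no missed run, for comparison.
BACKUPS_COMPLETE = [datetime(2017, 5, 10, h) for h in (0, 4, 8, 12, 16, 20)]
DISASTER = datetime(2017, 5, 10, 13, 30)   # primary site lost
RESTORED = datetime(2017, 5, 10, 15, 0)    # services running at DR site


def backup_gaps(backup_times):
    """Intervals between consecutive backups, in time order."""
    ts = sorted(backup_times)
    return [b - a for a, b in zip(ts, ts[1:])]


def schedule_meets_rpo(backup_times, rpo=RPO):
    """An RPO of N hours requires a backup at least every N hours, so the
    largest interval between consecutive backups must not exceed it."""
    return max(backup_gaps(backup_times), default=timedelta(0)) <= rpo


def data_loss(disaster, backup_times):
    """Age of the newest backup completed before the disaster: everything
    written after it is lost on restore."""
    prior = [t for t in backup_times if t <= disaster]
    if not prior:
        raise ValueError("no backup completed before the disaster")
    return disaster - max(prior)


def drill_report(backup_times, disaster, restored, rpo=RPO, rto=RTO):
    """What a DR drill should record: actual data loss against RPO and
    actual downtime against RTO, plus whether the schedule itself is sound."""
    loss = data_loss(disaster, backup_times)
    downtime = restored - disaster
    hours = lambda td: td.total_seconds() / 3600
    return {
        "data_loss_hours": hours(loss),
        "rpo_met": loss <= rpo,
        "downtime_hours": hours(downtime),
        "rto_met": downtime <= rto,
        "largest_gap_hours": hours(max(backup_gaps(backup_times))),
        "schedule_meets_rpo": schedule_meets_rpo(backup_times, rpo),
    }


if __name__ == "__main__":
    for key, value in drill_report(BACKUPS, DISASTER, RESTORED).items():
        print(f"{key}: {value}")
```

Note that the drill passes its RTO (1.5 h of downtime) while still failing the RPO (5.5 h of data lost), which is exactly the case a missed backup run produces and why backup verification belongs in the DR checklist.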
DR In Enterprise Architecture – Part 2

Module 51
• DR considerations:
– DR facility
– DR drills & testing
– DR testing checklist
– BC plan alignment

367
DR In Enterprise Architecture – Part 2

• DR facility:
– Location
– Media circuits and
backup circuits
– Power and
environment
– IT data center design
– Based on DR plan
– Operations &
maintenance

368
DR In Enterprise Architecture – Part 2

• DR drills & testing:
– Frequency and execution of DR drills as per IT policy of the org
– Min twice a year and preferably quarterly for critical business requirements
– Backup testing

369
DR In Enterprise Architecture – Part 2

• DR testing checklist:
– Secure management
approval and funding
for the test.
– Provide detailed
information about
the test.
– Make sure the entire
test team is available
on the planned test
date.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
370
DR In Enterprise Architecture – Part 2

• DR testing checklist …:
– Ensure your test does
not conflict with
other scheduled tests
or activities.
– Confirm test scripts
are correct.
– Verify that the test
environment is ready.
– Schedule a dry run of
the test.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
371
DR In Enterprise Architecture – Part 2

• DR testing checklist…:
– Be ready to halt the
test if needed.
– Have a scribe take
notes.
– Complete an after-
action report about
what worked and
what failed.
– Use the test results
to update DR plan
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
372
DR In Enterprise Architecture – Part 2

• BC plan alignment:
– DR is under IT
ownership, whereas
BC is under business
operations ownership
– DR is part of overall
BC
– Both plans must
integrate and align
seamlessly

373
Role Of An IT Asset In Enterprise Security

Module 52
• What is an IT asset ?
– An IT asset is any resource such as hardware, software, information, human resource, or facility owned or utilized by the organization for IT processing

374
Role Of An IT Asset In Enterprise Security

IT ASSET LIFECYCLE
1. Planning
2. Procurement
3. Installation
4. Secure
5. Acceptance
6. Support & Maintain
7. Retirement & Disposal
375
Role Of An IT Asset In Enterprise Security
1. PLANNING
- Requirements
- Owner & Risk Owner
- High Level Design
- Budget Approvals
- Project Planning
2. PROCUREMENT
- RFP
- Vendor Selection
- PO
- Contract & SLA
- Kick-Off Meeting
3. INSTALLATION
- Site Preparation
- Delivery
- Configuration
- Testing
- Commissioning
4. SECURE
- Security Controls
- Security Checklist
- Security SOP
- Security Testing
- Change Management
5. ACCEPTANCE
- Test Scripts
- UAT
- Security Accreditation
- Commissioning Sign-off
6. SUPPORT/MAINTAIN
- Vendor Support
- Maintenance/Repair
- Change Requests
- Renewals & Upgrades
- Regular Updates
- Monitoring & Audits
7. RETIRE/DISPOSE
- Decommission
- Dispose/Salvage
- Update Inventory
376
Role Of An IT Asset In Enterprise Security

SECURITY DURING ASSET LIFECYCLE
1. Planning
2. Procurement
3. Installation
4. Secure
5. Acceptance
6. Support & Maintain
7. Retirement & Disposal
377
Role Of An IT Asset In Enterprise Security

• Asset Owner: a person in the org responsible for managing an asset (e.g. for laptop)
• Risk owner: manages risks associated with the IT asset. Authorized to make decisions associated with managing risks, and in a management position

378
Role Of An IT Asset In Enterprise Security

• Acceptable Use (Of IT Assets):
– Laptops
– Mobiles
– Web browsing
– Email usage
– Servers
– Company data

379
How To Determine Security Posture ?

Module 53
• Questions to ask:
– Information security policy ?
– Organization security culture and tone at the top ?
– Clearly designated responsibility for security ?
– How many staff in security team [10%] and their roles ?
380
Case Study: Typical Security Posture

– Security hardening
done on IT assets ?
– Which standard used
for hardening ?
– Internal VM program
?
– Frequency of VM
scanning ?
– Licensed software for
OS/DB/Programs ?

381
Case Study: Typical Security Posture

– Last time penetration test was conducted by 3rd party ?
– Maturity of system
security policies
pushed through
AD/GP
– DR and/or backup site
?
– When was the last
time a DR drill was
performed ?
382
Case Study: Typical Security Posture

– Is internal software
developed ? (Secure -
SDLC)
– What is the
mechanism to take
backups of IT assets
and to test backups ?
– What is the maturity
of access control for
users, admins
– Regular audits for
access control ?
383
Case Study: Typical Security Posture

– What type of security controls implemented on any transactional systems such as mobile banking or internet banking (2FA) ?
– Is critical data in org
encrypted ?
– How do you protect
test data ?

384
Case Study: Typical Security Posture

– What is the
mechanism to
perform security
accreditation of new
applications or
systems ?
– Is security embedded
in critical business
processes ?
– Is there a business
continuity and DR
policy / mechanism ?
385
Case Study: Typical Security Posture

– Security standard or
framework followed
for governance ?
– Internal security
awareness program ?
– Maturity of change
management and
incident management
– Board Steering
Committee
(Information
Security)
386
Case Study: Typical Security Posture

• Note: the
implementers of the
security measures are
often not the ones
giving the best answers
• Auditors & compliance
team should also be
queried
• Important question:
have there been any
recent incidents ?

387
Driving Successful Security Transformation

Week 04
Module 54
• Critical factors for successful security transformation projects:
– Board-level buy-in and sponsorship
– Regular Board or Executive management project reviews and decisions
– Allocation of sufficient priority & resources
388
Driving Successful Security Transformation

• Projects either fail or succeed before they begin !

389
Driving Successful Security Transformation

ISMC (Information Security Management Committee) members:
– Infosec Head
– Manager IT Infra (Linux/Oracle)
– Networks Manager
– Manager IT Infra (Win/SQL)
390
Driving Successful Security Transformation
IT SECURITY PROGRAM STAKEHOLDERS:
– INFORMATION SECURITY MANAGEMENT COMMITTEE (ISMC)
– IT TEAMS
– STEERING COMMITTEE
– BOARD/EXECUTIVE
391
Driving Successful Security Transformation
Security Governance
Security Engineering
Vulnerability Management
Security Hardening
392
Driving Successful Security Transformation
Board [QTR]
InfoSec Steering Comm. [MONTHLY]
Information Security Management Committee (ISMC) [WEEKLY]
IT / InfoSec Teams [DAILY]
393
Driving Successful Security Transformation
1. Establish Track
2. MSB
3. Pilot
4. Implement Across IT
5. Continuous Improvement
Driving Successful Security Transformation

Weekly: ISMC status update
Monthly: status update to IT STEERING COMM.
Quarterly: status update to BOARD
Driving Successful Security Transformation

• Successful security
transformation projects
can be made successful
with correct
sponsorship, structure,
strategy, and strong
project management

396
Difference Between Patching & Hardening

Module 55
• Chapter 3
– Security Transformation Stage 1: Security Hardening Of IT Assets

397
Revisit Of Security Transformation Model

4. Security Governance
3. Security Engineering
2. Vulnerability Management
1. Security Hardening
398
Revisit Of Security Transformation Model

• Security hardening:
– IT assets such as
hardware and
software come with
default (insecure)
configurations which
become the basis for
attacks
– Typical case in point:
username and
password: “admin,
admin”
399
Revisit Of Security Transformation Model

• Security hardening:
– Process of securing a
system by reducing
its surface of
vulnerability, which is
larger when a system
performs more
functions; in principle
a single-function
system is more
secure than a
multipurpose one
(Wikipedia)
400
Revisit Of Security Transformation Model

• Patching: Fixing
vulnerabilities (which
may be exploited by
malware or attackers) in
software or firmware
with vendor released
patches (auto or manual
updates)
• Patches are also called
fixes
https://www.kenexis.com/patching-hardening-cybersecurity/

401
Revisit Of Security Transformation Model

• Patching considerations:
– Vendors release
patch when they
become aware of a
vulnerability
– Patches may be rolled
up into a release
– Off-the shelf
software works well
but testing reqd for
customized instances
https://www.kenexis.com/patching-hardening-cybersecurity/
402
Revisit Of Security Transformation Model

• Hardening: includes
additional steps beyond
patching to limit the
ways a hacker or
malware could gain
entry.
• Accomplished by turning
on only the ports and
services required, secure
configuration of services
& additional steps to
limit system access
https://www.kenexis.com/patching-hardening-cybersecurity/
403
Revisit Of Security Transformation Model

• Note that both hardening & patching are required
– Hardening prevents
existing and future
vulnerabilities by
tightening
configuration
– Patching is more of a
vendor driven
process but essential
nonetheless
404
Security Hardening Strategy

Module 56
• Depending upon the size and type of the organization, there will be dozens, hundreds, or even thousands of IT assets to secure
• Priority is a key factor in
all security undertakings
• Prioritize what is most
important and needs to
be done first
• Cascade as we go along
405
Security Hardening Strategy

406
Security Hardening Strategy

• Separate security
engineering (Step 3)
from security hardening
(step 1)
• Security engineering
requires more thorough
working so will slow
down the security
implementation
• Do the low hanging fruit
first (security hardening)

407
Security Hardening Strategy

• Minimum security
baseline (MSB) refers to
the obvious assets
which need to be
secured and the
threshold which is the
minimum expectation
from the security
program

408
Security Hardening Strategy

409
Security Hardening Strategy

TRACK 1: IT INFRASTRUCTURE

TRACK 2: ISMS DOC & PROCESSES

TRACK 3: SOFTWARE APP

TRACK 4: OTHER APPS/UTILITIES/3RD PARTIES

TRACK 5: DESKTOPS & BROWSERS

TRACK 6: VULNERABILITY MANAGEMENT

TRACK 7: MOBILE SECURITY

410
Security Hardening Strategy

• For a successful security transformation project, good planning, organization, and effective project management are essential

411
Pre-requisites For Security Hardening

Module 57
1. Security program approved
2. Consultant on board
3. Project kick-off
meeting held
4. ISMC team identified
and their loading for
this project
communicated
5. Appraisal linkage of
core resources
announced by CIO
412
Pre-requisites For Security Hardening

1. Security program
approved
– Project director
– Timeline
– General project
sequence and
strategy
– Understanding of
main players and
roles
– Understanding of
project structure
413
Pre-requisites For Security Hardening

2. Consultant on board
– Expert consultants
in security
transformation can
facilitate the project
success
– Third party &
independent
– Bring a focus on
delivering results
– Strong domain
knowledge
414
Pre-requisites For Security Hardening

3. Project kick-off
meeting held
– Project goals &
mission
– All key stakeholders
made aware of their
roles
– Responsibilities &
authority
– Success criteria &
reporting
mechanism
415
Pre-requisites For Security Hardening

4. ISMC team identified and their loading for this project communicated
– ISMC plays a critical
role
– Cooperation &
teamwork
– Security leadership
culture
– Clarity on goals

416
Pre-requisites For Security Hardening

5. Appraisal linkage of
core resources
announced by CIO
– Broader team
– Announcement by
CIO
– Clarity on evaluation
mechanism

417
Who Will Conduct The Security Hardening ?

Module 58
• Involvement of various stakeholders for security hardening
– Operations teams
– Security team
– IT management
– Consultant
– Business

418
Who Will Conduct The Security Hardening ?

Stakeholders: IT Ops teams, Security team, IT management, Consultant, Business
419
Who Will Conduct The Security Hardening ?

• IT Operations teams:
– Study the security
controls (CIS/DISA)
– Apply the security
controls in pilot/test
environment
– Report the
completion of control
implementation to
ISMC
– Assist InfoSec team
with validation
420
Who Will Conduct The Security Hardening ?

• InfoSec team:
– Conduct validation of
security controls
implementation
– Acquire checklist of
controls from
relevant IT team
– Document the status
of controls in the
form of a checklist
– Forward validation
report to ISMC
421
Who Will Conduct The Security Hardening ?

• IT management:
– Ensure IT operations
teams receive
required guidance
and support
– Sign-off on change
management
requests
– Assist with planning
down-time and
business related
downtime
422
Who Will Conduct The Security Hardening ?

• Consultant or project
director:
– Drives the security
program
– Ensures that strategy
is aligned with project
objectives
– Ensures process and
activities are moving
at good momentum
as per timeline

423
Who Will Conduct The Security Hardening ?

• Business stakeholders:
– Provide downtime
approvals if required
– Help to engage other
vendors if applicable

424
8 Step Methodology – Security Hardening (1)

Module 59
• What is the 8 step security hardening methodology ?

425
8 Step Methodology – Security Hardening (1)

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor
426
8 Step Methodology – Security Hardening (1)

• Purpose:
– Many assets need to
be hardened at
various times, by
various teams, for
various requirements
and projects
– Standardize and
follow a consistent
approach

427
8 Step Methodology – Security Hardening (1)

• Benefits:
– Process for security
hardening
– Discipline to always
follow the same steps
– Helps avoid missing
any steps in the
process
– Gives team clarity on
what to do and what
sequence to follow

428
8 Step Methodology – Security Hardening (1)

• If You Skip This Process:
– Will follow a new approach every time
– Every resource has
their own method
– Dependence on
resource rather than
the process
– Complicate rather
than simplify
– Divergence in
security activities
429
8 Step Methodology – Security Hardening (1)

HEAD OF DEPT
ISMC: drives the program; decision making; includes all 3-4 domain team leads
TEAM LEAD: member of ISMC; reports to head of dept
IT OPS TEAM: team that will implement the security controls
INFOSEC TEAM: reports to CISO or InfoSec head, or led by consultant
430
8 Step Methodology – Security Hardening (1)
STEP | DESCRIPTION | PERFORMED BY | FACILITATED BY
1 | IDENTIFY CRITICAL ASSETS (& ASSET OWNER) | ISMC | HEAD OF IT SECTION
2 | RESEARCH APPLICABLE SECURITY CONTROLS | INFOSEC TEAM | ISMC
3 | CHECKLIST OF APPLICABLE SECURITY CONTROLS | INFOSEC TEAM | TEAM LEAD
4 | DOCUMENT CONTROLS INTO SOP | TEAM LEAD | INFOSEC TEAM
5 | IMPLEMENT CONTROLS ON TEST SETUP | IT OPERATIONS TEAM | TEAM LEAD
6 | VALIDATION OF CONTROL IMPLEMENTATION | INFOSEC TEAM | IT OPERATIONS TEAM
7 | CHANGE MANAGEMENT PROCESS FOR PRODUCTION | TEAM LEAD | ISMC
8 | PRODUCTION & MONITOR | IT OPERATIONS TEAM | TEAM LEAD
431
8 Step Methodology – Security Hardening (1)

• Let's look at the steps in detail in the next module

432
8 Step Methodology – Security Hardening (2)

Module 60
• Step 1: Identify Critical Assets & Asset Owner:
– Asset inventory &
infrastructure
diagram
– Examine risks
– Analyze assets at a
high level and
prioritize
– Minimum security
baseline (MSB)
– Break into phases
433
8 Step Methodology – Security Hardening (2)

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor
434
8 Step Methodology – Security Hardening (2)

• Step 2: Research on
applicable security
controls
– CIS, DISA
– Search on google
– Review
standards/framework
s (ISO27001, PCI, etc)
– Look at OWASP, CSA,
NIST, CIS Top 20
– Selection of controls
435
8 Step Methodology – Security Hardening (2)

• Step 3: Checklist of
applicable security
controls
– Checklist for
progress tracking
– Share with
appropriate IT team
– Forms record for
controls trail

436
8 Step Methodology – Security Hardening (2)

• Step 4: Document
controls into SOP
– Enter controls set
into draft SOP
– Who will do what
when, (and briefly
how)
– Get Dept Head agreement and sign-off on checklist and SOP

437
8 Step Methodology – Security Hardening (3)

Module 61
• Step 5: Implement controls on test setup
– Relevant IT team to
implement controls
on test setup
– Update checklist
– Update SOP (if
necessary)
– Send checklist back
to InfoSec team

438
8 Step Methodology – Security Hardening (3)

1. Identify critical 6. Validation of 7. Change


assets (& asset control management
owner) implementation process for PROD

2. Research on 5. Implement
8. Implement on
applicable controls on test
PROD & monitor
security controls setup

3. Checklist of
4. Document
applicable
controls into SOP
controls

439
8 Step Methodology – Security Hardening (3)

• Step 6: Validation of
control implementation
(by InfoSec team)
– InfoSec resource with
relevant domain
knowledge
– Conduct preparation
before actual
validation (study
controls)
– Update checklist with
status column
440
8 Step Methodology – Security Hardening (3)

• Step 7: Change
management process
for PRODUCTION:
– ISMC receives
validation status from
InfoSec team
– Relevant dept head
takes up change
management process
and prepares for
shifting to PROD
– Rollback, impact etc
441
8 Step Methodology – Security Hardening (3)

• Step 8: Implement on
PROD & monitor:
– Monitor closely for
24-48 hours after
moving to PROD
– Rollback in case of
unforeseen
circumstances
– IT team SOP finalized
END
and now ops task

442
A Look At CIS Security Benchmarks (1)
Module 62
• Center for Internet Security (CIS)
  – https://www.cisecurity.org/cis-benchmarks/
  – Fill out your details and you will receive an email with a link
443
A Look At CIS Security Benchmarks (1)
444
A Look At CIS Security Benchmarks (2)
# | OVERALL CIS BENCHMARK CATEGORIES | TOTAL
1 | OPERATING SYSTEMS | 36
2 | SERVER SOFTWARE | 33
3 | CLOUD PROVIDERS | 2
4 | MOBILE DEVICES | 8
5 | NETWORK DEVICES | 6
6 | DESKTOP SOFTWARE | 21
7 | MULTIFUNCTION PRINT DEVICES | 1
GRAND TOTAL CIS BENCHMARKS | 107
445
A Look At CIS Security Benchmarks (1)
# | OPERATING SYSTEMS | TOTAL
1 | DISTRIBUTION INDEPENDENT LINUX | 1
2 | MICROSOFT WINDOWS DESKTOP | 5
3 | DEBIAN LINUX | 2
4 | UBUNTU LINUX | 3
5 | AMAZON LINUX | 1
6 | CENTOS LINUX | 2
7 | ORACLE LINUX | 2
446
A Look At CIS Security Benchmarks (1)
# | OPERATING SYSTEMS (CONTD)… | TOTAL
8 | REDHAT LINUX | 3
9 | SUSE LINUX | 2
10 | APPLE OS (UNIX) | 5
11 | IBM AIX (UNIX) | 1
12 | ORACLE SOLARIS (UNIX) | 3
13 | MS WINDOWS SERVER | 6
TOTAL BENCHMARKS OPERATING SYSTEMS | 36
447
A Look At CIS Security Benchmarks (1)
448
A Look At CIS Security Benchmarks (1)
449
A Look At CIS Security Benchmarks (1)
# | SERVER SOFTWARE | TOTAL
1 | MICROSOFT IIS (WEB SERVER) | 3
2 | VMWARE (VIRTUALIZATION) | 2
3 | MONGODB (DATABASE SERVER) | 3
4 | IBM DB2 (DATABASE SERVER) | 3
5 | BIND (DNS SERVER) | 1
6 | APACHE TOMCAT (WEB SERVER) | 2
7 | MICROSOFT SQL SERVER (DB SERVER) | 3
450
A Look At CIS Security Benchmarks (1)
# | SERVER SOFTWARE (CONTD)… | TOTAL
8 | APACHE (HTTP SERVER) | 2
9 | DOCKER (VIRTUALIZATION) | 5
10 | ORACLE (DATABASE SERVER) | 3
11 | KUBERNETES (VIRTUALIZATION) | 1
12 | MIT KERBEROS (AUTHENTICATION) | 1
13 | ORACLE MySQL (DB SERVER) | 4
TOTAL BENCHMARKS SERVER SOFTWARE | 33
451
A Look At CIS Security Benchmarks (1)
452
A Look At CIS Security Benchmarks (1)
# | CLOUD PROVIDERS | TOTAL
1 | AMAZON WEB SERVICES | 2
TOTAL CLOUD PROVIDERS | 2
453
A Look At CIS Security Benchmarks (1)
• Next module… remaining categories
END
454
A Look At CIS Security Benchmarks (2)
Module 63
• Mobile devices, network devices, desktop software, multifunction print devices
455
A Look At CIS Security Benchmarks (2)
# | MOBILE DEVICES | TOTAL
1 | APPLE IOS | 5
2 | GOOGLE ANDROID | 3
TOTAL BENCHMARKS MOBILE DEVICES | 8
456
A Look At CIS Security Benchmarks (2)
# | NETWORK DEVICES | TOTAL
1 | CISCO | 4
2 | PALO ALTO NETWORKS | 2
TOTAL BENCHMARKS NETWORK DEVICES | 6
457
A Look At CIS Security Benchmarks (2)
# | DESKTOP SOFTWARE | TOTAL
1 | MICROSOFT OFFICE | 13
2 | GOOGLE CHROME (WEB BROWSER) | 1
3 | MS EXCHANGE SERVER | 3
4 | MS INTERNET EXPLORER | 2
5 | MOZILLA FIREFOX | 2
TOTAL BENCHMARKS DESKTOP SOFTWARE | 21
458
A Look At CIS Security Benchmarks (2)
# | MULTIFUNCTION PRINT DEVICES | TOTAL
1 | MULTIFUNCTION DEVICE | 1
TOTAL BENCHMARKS MULTIFUNCTION PRINT DEVICES | 1
459
A Look At CIS Security Benchmarks (2)
460
A Look At CIS Security Benchmarks (2)
461
A Look At CIS Security Benchmarks (2)
462
A Look At CIS Security Benchmarks (2)
463
A Look At CIS Security Benchmarks (2)
464
A Look At CIS Security Benchmarks (1)
• Next module… further details
END
465
A Look At CIS Security Benchmarks (3)
Module 64
• CIS Benchmarks example (Network Devices)
466
A Look At CIS Security Benchmarks (3)
# | OVERALL CIS BENCHMARK CATEGORIES | TOTAL
1 | OPERATING SYSTEMS | 36
2 | SERVER SOFTWARE | 33
3 | CLOUD PROVIDERS | 2
4 | MOBILE DEVICES | 8
5 | NETWORK DEVICES | 6
6 | DESKTOP SOFTWARE | 21
7 | MULTIFUNCTION PRINT DEVICES | 1
GRAND TOTAL CIS BENCHMARKS | 107
467
A Look At CIS Security Benchmarks (3)
• June 29, 2016
• 174 pages PDF doc
468
A Look At CIS Security Benchmarks (3)
• Control content:
  – Profile applicability (ASA 8.X, ASA 9.X)
  – Description
  – Rationale
  – Audit
  – Remediation
  – Default value
  – References
469
A Look At CIS Security Benchmarks (3)
• 1.8 (page 88): Session Timeout
  – Profile applicability: Level 1, Cisco ASA 9.X
  – Description: Sets the idle timeout for a console session before the security appliance terminates it.
470
A Look At CIS Security Benchmarks (3)
• 1.8 (page 88): Session Timeout
  – Rationale: Limiting session timeout prevents unauthorized users from using abandoned sessions to perform malicious activities.
471
A Look At CIS Security Benchmarks (3)
472
A Look At CIS Security Benchmarks (3)
473
A Look At CIS Security Benchmarks (3)
• 1.8 (page 88): Session Timeout
  – Default Value: The default timeout is 0, which means the console session will not time out.
474
A Look At CIS Security Benchmarks (3)
• 1.8 (page 88): Session Timeout
  – Reference: CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1
475
A Look At CIS Security Benchmarks (4)
Module 65
• CIS Benchmarks example (Operating Systems)
  – MS Windows Server 2012 R2
476
A Look At CIS Security Benchmarks (4)
# | OVERALL CIS BENCHMARK CATEGORIES | TOTAL
1 | OPERATING SYSTEMS | 36
2 | SERVER SOFTWARE | 33
3 | CLOUD PROVIDERS | 2
4 | MOBILE DEVICES | 8
5 | NETWORK DEVICES | 6
6 | DESKTOP SOFTWARE | 21
7 | MULTIFUNCTION PRINT DEVICES | 1
GRAND TOTAL CIS BENCHMARKS | 107
477
A Look At CIS Security Benchmarks (4)
• January 31, 2017
• 760 pages PDF doc
478
A Look At CIS Security Benchmarks (4)
• Profile applicability:
  – Level 1 domain controller
  – Level 1 member server
  – Level 2 domain controller
  – Level 2 member server
479
A Look At CIS Security Benchmarks (4)
• Level 1: Items in this profile intend to:
  – be practical and prudent;
  – provide a clear security benefit; and
  – not inhibit the utility of the technology beyond acceptable means
480
A Look At CIS Security Benchmarks (4)
• Level 2: extends the Level 1 profile
  – intended for environments or use cases where security is paramount
  – acts as a defense in depth measure
  – may negatively inhibit the utility or performance of the technology
481
A Look At CIS Security Benchmarks (4)
• Control content:
  – Profile applicability (ASA 8.X, ASA 9.X)
  – Description
  – Rationale
  – Audit
  – Remediation
  – Impact
  – Default value
  – References
482
A Look At CIS Security Benchmarks (4)
• 1.1.2 [L1]: Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' (Scored)
  – Profile applicability: Level 1 Domain Controller, Level 1 Member Server
483
A Look At CIS Security Benchmarks (4)
• 1.1.2 [L1] Description:
  – This policy setting defines how long a user can use their password before it expires.
  – Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire.
484
A Look At CIS Security Benchmarks (4)
• 1.1.2 [L1] Audit:
  – Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
485
A Look At CIS Security Benchmarks (4)
486
A Look At CIS Security Benchmarks (4)
• 1.1.2 [L1] Default Value: 42 days
• 1.1.2 [L1] Reference: CCE-37167-4
  – Common Configuration Enumeration (unique identifiers for common system config issues)
END
487
A Look At DISA STIGs (1)
Module 66
• USA DoD
• Security Technical Implementation Guides (STIGs)
• Most expansive security benchmarks available
• Most regularly updated
• Unclassified version
• http://iase.disa.mil/stigs/Pages/index.aspx
• 425 STIGs available
488
A Look At DISA STIGs (1)
• STIGs master list (A-Z):
  – http://iase.disa.mil/stigs/Pages/a-z.aspx
• STIG viewer:
  – http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx
489
A Look At DISA STIGs (1)
STIGs HOME
490
A Look At DISA STIGs (1)
STIGs Master List
491
A Look At DISA STIGs (1)
STIGs Viewer
492
A Look At DISA STIGs (1)
STIG Viewer Download
493
A Look At DISA STIGs (1)
STIG Library Compilation
494
A Look At DISA STIGs (1)
STIG Viewer Window
495
A Look At DISA STIGs (1)
Import STIG
496
A Look At DISA STIGs (1)
• Completely different mechanism for DISA STIGs
END
497
A Look At DISA STIGs (2)
Module 67
• STIG content:
  – General information (title)
  – Discussion
  – Check content
  – Fix text
  – CCI (References)
498
A Look At DISA STIGs (2)
SEVERITY | DISA CATEGORY CODE GUIDELINES
CAT 1 | Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.
CAT 2 | Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.
CAT 3 | Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.
499
A Look At DISA STIGs (2)
FILTER PANEL
500
A Look At DISA STIGs (2)
CREATE CHECKLIST
501
A Look At DISA STIGs (2)
CHECKLIST
502
A Look At DISA STIGs (2)
• Checklist screens:
  – Overall totals
  – Target data
  – Role
  – Finding details
  – Comments
503
A Look At DISA STIGs (2)
• Checklist screens (STATUS):
  – Not reviewed
  – Open
  – Not a finding
  – Not applicable
504
A Look At DISA STIGs (2)
Totals
505
A Look At DISA STIGs (2)
Target Data
506
A Look At DISA STIGs (2)
Status
507
A Look At DISA STIGs (2)
Vuln Information
508
A Look At DISA STIGs (2)
• In the next module let's look at further details
END
509
A Look At DISA STIGs (3)
Module 68
• Windows Server 2012 R2 Member Server
  – Import STIG
  – V1099 (Lockout duration)
510
A Look At DISA STIGs (2)
511
A Look At DISA STIGs (2)
512
A Look At DISA STIGs (3)
• Rule Title:
  – The lockout duration must be configured to require an administrator to unlock an account
  – Severity: CAT II
513
A Look At DISA STIGs (3)
• Discussion:
  – The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts. A value of 0 will require an administrator to unlock the account.
514-515
A Look At DISA STIGs (3)
• Check Content:
  – Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc".
  – Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy.
  – If the "Account lockout duration" is not set to "0", requiring an administrator to unlock the account, this is a finding.
516-518
A Look At DISA STIGs (3)
• Fix Text:
  – Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy -> "Account lockout duration" to "0" minutes, "Account is locked out until administrator unlocks it".
• CCI: NIST SP 800-53 Revision 4 :: AC-7 b
END
519-520
A Look At DISA STIGs (4)
Module 69
• Firewall Security Technical Implementation Guide
• Vulnerability ID: V-3967
• Rule name: The console port does not timeout after 10 mins
521
A Look At DISA STIGs (4)
STIGVIEWER WINDOW
522
A Look At DISA STIGs (4)
• General Information:
  – Rule Title: The network devices must time out access to the console port at 10 minutes or less of inactivity
  – STIG ID: NET1624
  – Severity: CAT II
523
A Look At DISA STIGs (4)
• Discussion:
  – Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network device. Setting the timeout of the session to 10 minutes or less increases the level of protection afforded critical network components.
524-526
A Look At DISA STIGs (4)
• Check Content:
  – Review the configuration and verify a session using the console port will time out after 10 mins or less of inactivity.
  – If console access is not configured to timeout at 10 minutes or less, this is a finding.
527
A Look At DISA STIGs (4)
• Fix Text:
  – Configure the timeout for idle console connection to 10 minutes or less.
END
528
Comparison of CIS Vs DISA
Module 70
• Many controls are common
• Approaches are different
• Organization styles are different
529
Comparison of CIS Vs DISA
FEATURE | CIS | DISA
CONTROL COVERAGE | GOOD | EXCELLENT
ORG SUITABILITY | SMALL AND MEDIUM ORGS | LARGE ORGS
USER FRIENDLINESS | GOOD | SATISFACTORY
UNUSABLE TERMINOLOGY | NO | YES
CONTROL DETAIL | GOOD | SATISFACTORY
TOOLS | CAT (COMMERCIAL) | SCAP (MILITARY USE)
530
Comparison of CIS Vs DISA
FEATURE | CIS | DISA
CONTROL PRIORITIZATION | LEVEL 1, LEVEL 2 | CAT I - CAT III
TRACKING EASE | CAT TOOL (COMMERCIAL) | FREE STIG VIEWER (CHECKLIST)
FREQUENCY OF UPDATES | FAIR | QUARTERLY
INDUSTRY CREDIBILITY | HIGH | VERY HIGH
INDUSTRY ADOPTION | HIGH | MODERATE
531
Comparison of CIS Vs DISA
• How to select CIS/DISA:
  – Size of organization
  – IT infrastructure extent
  – Nature of business
  – Security program goals
  – Maturity of IT & security staff
532
Comparison of CIS Vs DISA
• Rule of thumb:
  – Smaller orgs use CIS
  – Larger orgs use DISA
  – CIS is part of Homeland Security, DISA is part of the US Military
  – DISA is more frequently updated and maintained, with wider coverage
END
533
Security Hardening – Windows Server 2012R2
Week 05
Module 71
• Windows Server 2012 R2
• DISA, Release 8
  – 28 April 2017
• Domain Controller
534
Security Hardening – Windows Server 2012R2
STIGVIEWER WINDOW
535
Security Hardening – Windows Server 2012R2
• General Information:
  – Rule Title: Autoplay must be disabled for all drives
  – STIG ID: WN12-CC-000074
  – Severity: CAT I
536
Security Hardening – Windows Server 2012R2
• Discussion:
  – Allowing Autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, Autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Enabling this policy disables Autoplay on all drives.
537-539
Security Hardening – Windows Server 2012R2
• Check Content:
  – If the following registry value does not exist or is not configured as specified, this is a finding:
  – Registry Hive: HKEY_LOCAL_MACHINE
  – Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
  – Value Name: NoDriveTypeAutoRun
  – Type: REG_DWORD
  – Value: 0x000000ff (255)
540-541
Security Hardening – Windows Server 2012R2
• Fix Text:
  – Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> "Turn off AutoPlay" to "Enabled: All Drives".
542
Security Hardening – Windows Server 2012R2
• CCI (Control Correlation Identifier):
  – CCI: CCI-001764
    The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage.
    NIST SP 800-53 Revision 4 :: CM-7 (2)
END
543-544
Case Study Security Hardening – Linux
Module 72
• CIS Benchmarks case study (Red Hat Enterprise Linux 7)
545
Case Study Security Hardening – Linux
• January 31, 2017
• 347 pages PDF doc
546
Case Study Security Hardening – Linux
• 5.2.2 (page 258): Ensure SSH Protocol is set to 2 (Scored)
• Profile applicability:
  – Level 1, Server
  – Level 1, Workstation
547
Case Study Security Hardening – Linux
• 5.2.2 (page 258): Ensure SSH Protocol is set to 2 (Scored)
  – Description: SSH supports 2 different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol & was subject to security issues. SSH2 is more advanced and secure.
548
Case Study Security Hardening – Linux
• 5.2.2 (page 258): Ensure SSH Protocol is set to 2 (Scored)
  – Rationale: SSH v1 suffers from insecurities that do not affect SSH v2.
549
Case Study Security Hardening – Linux
• 5.2.2 (page 258): Ensure SSH Protocol is set to 2 (Scored)
  – Audit: Run the following command and verify that the output matches:
    # grep "^Protocol" /etc/ssh/sshd_config
    Protocol 2
550
Case Study Security Hardening – Linux
• 5.2.2 (page 258): Ensure SSH Protocol is set to 2 (Scored)
  – Remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
    Protocol 2
551
Case Study Security Hardening – Linux
• 5.2.2 (page 258): Ensure SSH Protocol is set to 2 (Scored)
  – Critical Controls: 3.4 Use Only Secure Channels For Remote System Administration
552
Case Study Security Hardening – Linux
  – Critical Controls: 3.4 Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC.
553-554
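The benchmark's audit above is a single grep; the script below is an added example (not from the CIS benchmark or the course handout) that automates the same 5.2.2 audit and remediation while handling the cases a bare `grep "^Protocol"` misreads: a commented-out directive, leading whitespace, a missing directive, and a value such as `2,1`. The config path is a parameter so it can be run against a copy; the sample file it writes is constructed for the example.

```shell
#!/bin/sh
# Added example for CIS RHEL 7 item 5.2.2 ("Ensure SSH Protocol is set to 2").
# Not the benchmark's own code; the file path is always a parameter.

# audit_ssh_protocol FILE
# Prints PASS/FAIL with a reason; returns 0 on PASS, 1 on FAIL.
audit_ssh_protocol() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "FAIL: $file not readable"
        return 1
    fi
    # sshd uses the first uncommented occurrence of a keyword, and keywords
    # are case-insensitive. Take that line, strip the keyword and whitespace.
    value=$(grep -i '^[[:space:]]*Protocol[[:space:]]' "$file" \
            | head -n 1 \
            | sed -e 's/^[[:space:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]]*//' \
                  -e 's/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo "FAIL: no uncommented Protocol directive (benchmark requires 'Protocol 2')"
        return 1
    fi
    if [ "$value" = "2" ]; then
        echo "PASS: Protocol 2"
        return 0
    fi
    # "2,1" or "1" would still let an SSH1 client negotiate the old protocol.
    echo "FAIL: Protocol is '$value', expected exactly '2'"
    return 1
}

# remediate_ssh_protocol FILE
# Rewrites every Protocol line (commented or not) to "Protocol 2", or
# appends one if none exists. Uses a temp file instead of sed -i so it is
# portable; on a real host sshd must be restarted afterwards.
remediate_ssh_protocol() {
    file=$1
    if grep -qi '^[[:space:]]*#\{0,1\}[[:space:]]*Protocol[[:space:]]' "$file"; then
        sed -e 's/^[[:space:]]*#\{0,1\}[[:space:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]].*/Protocol 2/' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'Protocol 2\n' >> "$file"
    fi
}

# write_sample_config FILE
# Constructed sshd_config fragment (not from any real host) that exercises
# the edge cases: a commented directive and an indented "2,1" value.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sshd_config fragment for the example
#Protocol 2
  protocol 2,1
X11Forwarding no
EOF
}

# Stand-alone demonstration: sh this_script.sh demo
if [ "${1-}" = demo ]; then
    d=$(mktemp -d)
    write_sample_config "$d/sshd_config"
    audit_ssh_protocol "$d/sshd_config" || :
    remediate_ssh_protocol "$d/sshd_config"
    audit_ssh_protocol "$d/sshd_config" || :
    rm -rf "$d"
fi
```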
Security Hardening – Case Study – Solaris
Module 73
• Solaris 10 X86
• DISA, Release 18
  – 28 April 2017
555
Security Hardening – Case Study – Solaris
STIGVIEWER WINDOW
556
Security Hardening – Case Study – Solaris
• General Information:
  – Rule Title: All shell files must have mode 0755 or less permissive
  – STIG ID: GEN002220
  – Severity: CAT I
557
Security Hardening – Case Study – Solaris
• Discussion:
  – Shells with world/group-write permissions give the ability to maliciously modify the shell to obtain unauthorized access.
558
Security Hardening – Case Study – Solaris
• Check Content:
  – If /etc/shells exists, check the group ownership of each shell referenced.
    # cat /etc/shells | xargs -n1 ls -lL
  – Otherwise, check any shells found on the system.
    # find / -name "*sh" | xargs -n1 ls -lL
  – If a shell has a mode more permissive than 0755, this is a finding.
559-560
Security Hardening – Case Study – Solaris
• Fix Text:
  – Change the mode of the shell
    # chmod 0755 <shell>
561
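The check content above leaves "more permissive than 0755" to the reader's eye. The script below is an added example (not from the STIG or the course handout) that applies the same `ls -lL` check to each entry of a shells list and decides the GEN002220 finding from the permission string, so it reads the same on Solaris and Linux `ls`; the shells list path is a parameter, and the sample directory it builds is constructed for the example.

```shell
#!/bin/sh
# Added example for DISA STIG GEN002220 ("All shell files must have mode
# 0755 or less permissive"). Not the STIG's own code.

# mode_ok PERMSTRING
# PERMSTRING is the first 10 characters of `ls -l` output, e.g. -rwxr-xr-x.
# "0755 or less permissive" means no group-write, no other-write, and no
# setuid/setgid/sticky bit; owner bits may be anything (0700 is within 0755).
mode_ok() {
    p=$1
    case $p in
        ?????w*|????????w*) return 1 ;;   # group-write (char 6) / other-write (char 9)
    esac
    case $p in
        ???[sS]*) return 1 ;;             # setuid shows in the owner execute slot
    esac
    case $p in
        ??????[sS]*) return 1 ;;          # setgid shows in the group execute slot
    esac
    case $p in
        ?????????[tT]*) return 1 ;;       # sticky shows in the other execute slot
    esac
    return 0
}

# check_shells SHELLS_FILE
# Reads shell paths one per line (the /etc/shells layout), runs `ls -lL` on
# each as the STIG does, and prints ok / FINDING / MISSING per shell.
# Returns 1 if any shell is a finding.
check_shells() {
    rc=0
    while IFS= read -r shell; do
        case $shell in ''|\#*) continue ;; esac      # skip blanks and comments
        if [ ! -e "$shell" ]; then
            echo "MISSING $shell"
            continue
        fi
        perms=$(ls -lL "$shell" | cut -c1-10)
        if mode_ok "$perms"; then
            echo "ok      $perms $shell"
        else
            echo "FINDING $perms $shell (more permissive than 0755)"
            rc=1
        fi
    done < "$1"
    return $rc
}

# fix_shell SHELL  -> the STIG's fix text, chmod 0755 <shell>
fix_shell() {
    chmod 0755 "$1"
}

# make_sample DIR
# Builds a constructed set of placeholder "shells" (empty files, not real
# binaries) under DIR with deliberately varied modes, plus a shells list.
make_sample() {
    mkdir -p "$1/bin"
    for s in sh bash ksh zsh; do : > "$1/bin/$s"; done
    chmod 0755 "$1/bin/sh"      # compliant
    chmod 0775 "$1/bin/bash"    # group-writable: finding
    chmod 4755 "$1/bin/ksh"     # setuid: finding
    chmod 0700 "$1/bin/zsh"     # stricter than 0755: compliant
    printf '%s\n' "# constructed shells list" \
        "$1/bin/sh" "$1/bin/bash" "$1/bin/ksh" "$1/bin/zsh" "$1/bin/csh" \
        > "$1/shells"
}

# Stand-alone demonstration: sh this_script.sh demo
if [ "${1-}" = demo ]; then
    d=$(mktemp -d)
    make_sample "$d"
    check_shells "$d/shells" || :
    rm -rf "$d"
fi
```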
Security Hardening – Case Study – Solaris
• CCI (Control Correlation Identifier):
  – CCI-000225
    The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
    NIST SP 800-53 :: AC-6
    NIST SP 800-53A :: AC-6.1
    NIST SP 800-53 Revision 4 :: AC-6
562-564
Case Study Security Hardening – Apache
Module 74
• CIS Benchmarks case study (Apache Tomcat 7)
565
Case Study Security Hardening – Apache
• April 26, 2016
• 94 pages PDF doc
566
Case Study Security Hardening – Apache
• 7.7 (page 65): Configure log file size limit (Scored)
• Profile applicability:
  – Level 2
567
Case Study Security Hardening – Apache
• 7.7 (page 65): Configure log file size limit (Scored)
  – Description: By default, the logging.properties file will have no defined limit for the log file size. This is a potential denial of service attack as it would be possible to fill a drive or partition containing the log files.
568-569
Case Study Security Hardening – Apache
• 7.7 (page 65): Configure log file size limit (Scored)
  – Rationale: Establishing a maximum log size that is smaller than the partition size will help mitigate the risk of an attacker maliciously exhausting disk space.
570
Case Study Security Hardening – Apache
• 7.7 (page 65): Configure log file size limit (Scored)
  – Audit: Validate the max file limit is not greater than the size of the partition where the log files are stored.
571
Case Study Security Hardening – Apache
• 7.7 (page 65): Configure log file size limit (Scored)
  – Remediation: Create the following entry in your logging.properties file. This field is specified in bytes:
    java.util.logging.FileHandler.limit=10000
572
Case Study Security Hardening – Apache
• 7.7 (page 65): Configure log file size limit (Scored)
  – Default Value: No limit by default
573
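The 7.7 audit is stated in prose only. The script below is an added example (not from the CIS benchmark or the course handout) that turns it into a check: it reads `java.util.logging.FileHandler.limit` from a logging.properties file, treats a missing or zero value as "no limit" (java.util.logging's meaning of 0), and compares the limit to the size of the partition holding the log directory as reported by `df -P -k`. The file and directory are parameters, and the properties fragment it writes is constructed for the example.

```shell
#!/bin/sh
# Added example for CIS Apache Tomcat 7 item 7.7 ("Configure log file size
# limit"). Not the benchmark's own code.

# partition_size_bytes DIR -> total size, in bytes, of the filesystem
# holding DIR (POSIX `df -P -k` reports 1024-byte blocks in column 2).
partition_size_bytes() {
    df -P -k "$1" | awk 'NR > 1 { size = $2 } END { printf "%.0f\n", size * 1024 }'
}

# log_limit_bytes PROPERTIES -> configured limit in bytes, or "none"
# Properties files accept "key=value", "key = value" and "key:value";
# lines commented with # or ! do not count. java.util.logging treats a
# limit of 0, or no limit key at all, as unlimited, hence "none".
log_limit_bytes() {
    limit=$(sed -n \
        's/^[[:space:]]*java\.util\.logging\.FileHandler\.limit[[:space:]]*[=:][[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1" | tail -n 1)
    if [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        echo none
    else
        echo "$limit"
    fi
}

# audit_log_limit PROPERTIES LOGDIR
# PASS when a limit is set and is smaller than the partition holding LOGDIR.
audit_log_limit() {
    limit=$(log_limit_bytes "$1")
    part=$(partition_size_bytes "$2")
    if [ "$limit" = none ]; then
        echo "FAIL: no log file size limit set (default: unlimited)"
        return 1
    fi
    if [ "$limit" -ge "$part" ]; then
        echo "FAIL: limit $limit bytes is not smaller than the partition ($part bytes)"
        return 1
    fi
    echo "PASS: limit $limit bytes < partition $part bytes"
    return 0
}

# remediate_log_limit PROPERTIES BYTES
# Replaces an existing uncommented limit entry or appends one, matching the
# benchmark's remediation entry java.util.logging.FileHandler.limit=<bytes>.
remediate_log_limit() {
    key='java\.util\.logging\.FileHandler\.limit'
    if grep -q "^[[:space:]]*${key}[[:space:]]*[=:]" "$1"; then
        sed "s/^[[:space:]]*${key}[[:space:]]*[=:].*/java.util.logging.FileHandler.limit=$2/" \
            "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'java.util.logging.FileHandler.limit=%s\n' "$2" >> "$1"
    fi
}

# write_sample_properties FILE
# Constructed logging.properties fragment (not a real Tomcat file): the
# limit key is present only as a comment, so the effective limit is none.
write_sample_properties() {
    cat > "$1" <<'EOF'
# Constructed logging.properties fragment for the example
handlers = java.util.logging.ConsoleHandler, java.util.logging.FileHandler
# java.util.logging.FileHandler.limit = 10000
java.util.logging.FileHandler.pattern = %h/java%u.log
EOF
}

# Stand-alone demonstration: sh this_script.sh demo
if [ "${1-}" = demo ]; then
    d=$(mktemp -d)
    write_sample_properties "$d/logging.properties"
    audit_log_limit "$d/logging.properties" "$d" || :
    remediate_log_limit "$d/logging.properties" 10000
    audit_log_limit "$d/logging.properties" "$d" || :
    rm -rf "$d"
fi
```

The 10000-byte value is the benchmark's remediation example; a real deployment would pick a limit sized to the log partition and to the number of rotated files the handler keeps.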
Security Hardening – Case Study – Oracle
Module 75
• Oracle Database 12c
• DISA, Release 18
  – 28 April 2017
574
Security Hardening – Case Study – Oracle
STIGVIEWER WINDOW
575
Security Hardening – Case Study – Oracle
• General Information:
  – Rule Title: The Oracle Listener must be configured to require administration authentication
  – STIG ID: O121-BP-022700
  – Severity: CAT I
576
Security Hardening – Case Study – Oracle
• Discussion:
  – Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to DoS exploits; loss of connection audit data, unauthorized reconfiguration or other unauthorized access. This is a Category I finding because privileged access to the listener is not restricted to authorized users. Unauthorized access can result in stopping of the listener (DoS) and overwriting of listener audit logs.
577-579
Security Hardening – Case Study – Oracle
• Check Content:
  – If a listener is not running on the local database host server, this check is not a finding.
  – For Windows hosts, view all Windows services with TNSListener embedded in the service name.
  – The service name format is: Oracle[ORACLE_HOME_NAME]TNSListener
  – View the STIGVIEWER for Unix hosts…
580-582
Security Hardening – Case Study – Oracle
• Fix Text:
  – By default, Oracle Net Listener permits only local administration for security reasons. As a policy, the listener can be administered only by the user who started it. This is enforced through local operating system authentication. For example, if user1 starts the listener, then only user1 can administer it. Any other user trying to administer the listener gets an error. The super user is the only exception.
  – Remote administration of the listener must not be permitted. If listener administration from a remote system is required, granting secure remote access to the Oracle DBMS server and performing local administration is preferred.
583-585
Security Hardening – Case Study – Oracle
• CCI (Control Correlation Identifier):
  – CCI: CCI-000366
    The organization implements the security configuration settings.
    NIST SP 800-53 :: CM-6 b
    NIST SP 800-53A :: CM-6.1 (iv)
    NIST SP 800-53 Revision 4 :: CM-6 b
END
586-587
Case Study Security Hardening – MS SQL
Module 76
• CIS Benchmarks case study (MS SQL Server 2012)
588
Case Study Security Hardening – MS SQL
• September 30, 2016
• 73 pages PDF doc
589
Case Study Security Hardening – MS SQL
• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
• Profile applicability:
  – Level 1 database engine
590
Case Study Security Hardening – MS SQL
• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
  – Description: The sa account is a widely known and often widely used SQL Server account with sysadmin privileges.
591
Case Study Security Hardening – MS SQL
• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
  – Rationale: It is more difficult to launch password-guessing and brute-force attacks against the sa account if the username is not known.
592
Case Study Security Hardening – MS SQL
• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
  – Audit: Use the following syntax to determine if the sa account is renamed:
    SELECT name FROM sys.server_principals WHERE sid = 0x01;
    A name of sa indicates the account has not been renamed.
593-594
Case Study Security Hardening – MS SQL
• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
  – Remediation: Replace the different_user value within the below syntax and execute it to rename the sa login:
    ALTER LOGIN sa WITH NAME = <different_user>;
595
Case Study Security Hardening – MS SQL
• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
  – Impact: It is not a good security practice to code applications or scripts to use the sa account. However, if this has been done, renaming the sa account will prevent scripts and applications from authenticating to the database server and executing required tasks or functions.
596-597
Case Study Security Hardening – MS SQL
• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
  – Default Value: By default, the 'sa' account name is 'sa'
598
Case Study Security Hardening – MS SQL
• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
  – References: https://msdn.microsoft.com/en-us/library/ms144284(v=sql.110).aspx (Choose An Authentication Mode)
END
599
Security Hardening – Case Study – Oracle
Module 77
• Oracle Database 11.2g
• DISA, Release 11
  – 28 April 2017
600
Security Hardening – Case Study – Oracle
STIGVIEWER WINDOW
601
Security Hardening – Case Study – Oracle
• General Information:
  – Rule Title: The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
  – STIG ID: O112-BP-022000
  – Severity: CAT I
602
Security Hardening – Case Study – Oracle
• Discussion:
  – Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could impersonate another operating system user over a network connection.
603-604
Security Hardening – Case Study – Oracle
• Check Content:
  – From SQL*Plus:
    select value from v$parameter where name = 'remote_os_roles';
  – If the returned value is not FALSE or not documented in the System Security Plan as required, this is a Finding.
605
Security Hardening – Case Study – Oracle
• Fix Text:
  – Document remote OS roles in the System Security Plan.
  – If not required, disable use of remote OS roles.
  – From SQL*Plus:
    alter system set remote_os_roles = FALSE scope = spfile;
  – The above SQL*Plus command will set the parameter to take effect at next system startup.
606-607
Security Hardening – Case Study – Oracle
• CCI (Control Correlation Identifier):
  – CCI: CCI-000366
    The org implements the security configuration settings.
    NIST SP 800-53 :: CM-6 b
    NIST SP 800-53A :: CM-6.1 (iv)
    NIST SP 800-53 Revision 4 :: CM-6 b
END
608
Case Study Security Hardening – Windows 8
Module 78
• CIS Benchmarks case study (Windows 8.1)
609
Case Study Security Hardening – Windows 8
• January 31, 2017
• 891 pages PDF doc
610
Case Study Security Hardening – Windows 8
• 18.9.70.3 Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled' (Scored)
• Profile applicability:
  – Level 1
  – Level 1 + BitLocker
611
Case Study Security Hardening – Windows 8
• 18.9.70.3 Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled' (Scored)
• Description: This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps.
  – The recommended state for this setting is: Disabled.
612-613
Case Study Security Hardening – Windows 8
  – Rationale: Memory dumps may contain sensitive information and should not be automatically sent to anyone.
614
Case Study Security Hardening – Windows 8
  – Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting:AutoApproveOSDumps
615-616
Case Study Security Hardening – Windows 8
  – Remediation: To establish the recommended configuration via GP, set the following UI path to Disabled:
    Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Error Reporting\Automatically send memory dumps for OS-generated error reports
617-618
Case Study Security Hardening – Windows 8
  – Impact: All memory dumps are uploaded according to the default consent and notification settings
619
Case Study Security Hardening – Windows 8
  – Default Value: Enabled. (Any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.)
620
Case Study Security Hardening – Windows 8
• References:
  – CCE-33927-5
  – Critical Controls: 13 Data Protection
END
621
Security Hardening – Case Study – Win 10
Module 79
• Windows 10
• DISA, Release 9
  – 28 April 2017
622
Security Hardening – Case Study – Win 10
STIGVIEWER WINDOW
623
Security Hardening – Case Study – Win 10
• General Information:
  – Rule Title: The antivirus program must be configured to update signature files on a daily basis.
  – STIG ID: WN10-00-000046
  – Severity: CAT I
624
Security Hardening – Case Study – Win 10
• Discussion:
  – Virus scan programs are a primary line of defense against the introduction of viruses and malicious code that can destroy data and even render a computer inoperable. Using a virus scan program provides the ability to detect malicious code before extensive damage occurs. Updated virus scan data files help protect a system, as constantly changing malware is identified by the antivirus software vendors.
625-626
Security Hardening – Case Study – Win 10
• Check Content:
  – This requirement is NA if McAfee VirusScan Enterprise (VSE) is used. It will be addressed with the corresponding McAfee VSE STIG.
  – Configurations will vary depending on the product.
627
Security Hardening – Case Study – Win 10
• Fix Text:
  – Configure the antivirus program to update signature files at least daily. Ensure the updates are occurring on a timely basis and are not more than a week old.
628
Security Hardening – Case Study – Win 10
• CCI (Control Correlation Identifier):
  – CCI: 000366
    The org implements the security config settings.
    NIST SP 800-53 :: CM-6 b
    NIST SP 800-53A :: CM-6.1 (iv)
    NIST SP 800-53 Revision 4 :: CM-6
END
629
Module 80
Case Study Security Hardening – MS Exchange

• CIS Benchmarks case study (MS Exchange Server 2016)
• November 16, 2015
• 66 pages PDF doc

• 2.5 Set 'Do not permanently delete items until the database has been backed up' to 'True' (Scored)
  – Profile applicability: Level 1 - Mailbox Services Security
  – Description: This setting allows you to ensure that items are not permanently deleted until the database has been backed up.
  – Rationale: To ensure that accidentally deleted items can be recovered, they should not be permanently deleted until the database is backed up.
  – Audit: Execute the following cmdlet and ensure RetainDeletedItemsUntilBackup is set to 'True':
    Get-MailboxDatabase <Mailbox Database Name> | fl -property RetainDeletedItemsUntilBackup
  – Remediation: To implement the recommended state, execute the following PowerShell cmdlet:
    Set-MailboxDatabase <Mailbox Database Name> -RetainDeletedItemsUntilBackup $true
  – Impact: The impact of enabling this setting should be minimal. More storage space will be required until any pending items are permanently deleted.
  – Default Value: False
Module 81
Security Hardening – Case Study – AD

• Active Directory Domain
• DISA, Release 8
  – 27 January, 2017

[STIG Viewer window screenshot]

• General Information:
  – Rule Title: Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
  – STIG ID: AD.0002
  – Severity: CAT I
• Discussion:
  – The Domain Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority necessary. Only system administrator accounts used exclusively to manage an Active Directory domain and domain controllers may be members of the Domain Admins group. A separation of administrator responsibilities helps mitigate the risk of privilege escalation resulting from credential theft attacks.
• Check Content:
  – Review the Domain Admins group in Active Directory Users and Computers. Each Domain Administrator must have a separate unique account specifically for managing the Active Directory domain and domain controllers.
  – If any account listed in the Domain Admins group is a member of other administrator groups including the Enterprise Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.
• Fix Text:
  – Create the necessary documentation that identifies the members of the Domain Admins group. Ensure that each member has a separate unique account that can only be used to manage the Active Directory domain and domain controllers. Remove any Domain Admin accounts from other administrator groups.
• CCI (Control Correlation Identifier):
  – CCI-000366: The organization implements the security configuration settings.
    NIST SP 800-53 :: CM-6b
    NIST SP 800-53A :: CM-6.1 (iv)
    NIST SP 800-53 Revision 4 :: CM-6 b
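The Check Content above is a manual review in Active Directory Users and Computers; the following PowerShell is an added example (not from the DISA STIG or the course notes) that performs the same AD.0002 comparison as a read-only script. It assumes the RSAT ActiveDirectory module is available, and the two non-STIG group names in the parameter default are placeholders for a site's own member-server and workstation administrator groups.

```powershell
# Added example (not from the DISA AD STIG or the course notes): a read-only audit
# of AD.0002. Every user in Domain Admins (nested membership included) is checked
# against the other administrator groups; any overlap is a finding. Requires the
# RSAT ActiveDirectory module and rights to read group membership.
Import-Module ActiveDirectory

function Test-DomainAdminSeparation {
    [CmdletBinding()]
    param(
        # Groups that a Domain Admin account must not also belong to. Enterprise
        # Admins comes from the STIG; the other two names are assumed placeholders
        # for a site's member-server and workstation administrator groups.
        [string[]]$OtherAdminGroups = @(
            'Enterprise Admins',
            'Server Administrators',        # assumed local naming
            'Workstation Administrators'    # assumed local naming
        )
    )

    # Resolve the comparison groups that actually exist in this domain.
    $otherDns = foreach ($name in $OtherAdminGroups) {
        $g = Get-ADGroup -Filter "Name -eq '$name'"
        if ($g) { $g.DistinguishedName } else { Write-Verbose "Group '$name' not found; skipped." }
    }
    $otherDns = @($otherDns)

    # -Recursive flattens nested groups so indirectly privileged users are included.
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Where-Object { $_.objectClass -eq 'user' }

    foreach ($admin in $admins) {
        # Direct memberships of this account (nested memberships of the comparison
        # groups would need a recursive expansion, kept out of scope here).
        $memberOf = Get-ADPrincipalGroupMembership -Identity $admin.DistinguishedName
        $overlap  = @($memberOf | Where-Object { $_.DistinguishedName -in $otherDns })
        [pscustomobject]@{
            SamAccountName   = $admin.SamAccountName
            OtherAdminGroups = ($overlap.Name -join ', ')
            Finding          = ($overlap.Count -gt 0)   # true violates AD.0002
        }
    }
}

# Show every Domain Admin with its finding status; filter on Finding for the report.
Test-DomainAdminSeparation -Verbose | Format-Table -AutoSize
```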
Module 82
Case Study Security Hardening – IE Browser

• CIS Benchmarks case study (MS Internet Explorer 11)
• January 12, 2014
• 178 pages PDF doc

• 1.5 Configure 'Do not allow users to enable or disable add-ons' (Not Scored)
  – Profile applicability: Level 1
  – Description: This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager. If you enable this policy setting, users cannot enable or disable add-ons through Add-On Manager. The only exception occurs if an add-on has been specifically entered into the 'Add-On List' policy setting in such a way as to allow users to continue to manage the add-on. In this case, the user can still manage the add-on through the Add-On Manager. If you disable or do not configure this policy setting, the appropriate controls in the Add-On Manager will be available to the user. Configure this setting in a manner that is consistent with security and operational requirements of your organization.
  – Rationale: Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network.
  – Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoExtensionManagement
  – Remediation: To establish the recommended configuration via Group Policy, set the following UI path to Not Configured.
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Do not allow users to enable or disable add-ons
  – Impact: When the Do not allow users to enable or disable add-ons setting is enabled, users will not be able to enable or disable their own Internet Explorer add-ons. If your organization uses add-ons, this configuration may affect their ability to work.
  – Default Value: Disabled
Module 83
Security Hardening – Case Study - Chrome

• Google Chrome
• DISA, Release 8
  – 27 April, 2017

[STIG Viewer window screenshot]

• General Information:
  – Rule Title: Session only based cookies must be disabled.
  – Vuln ID: V-44799
  – STIG ID: DTBC-0045
  – Severity: CAT I
• Discussion:
  – This policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set, the global default value will be used for all sites, either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the 'RestoreOnStartup' policy is set to restore URLs from previous sessions, this policy will not be respected and cookies will be stored permanently for those sites.
• Check Content:
  – Universal method:
    1. In the omnibox (address bar) type chrome://policy
    2. If the policy 'CookiesSessionOnlyForUrls' exists, and has any defined values, this is a finding.
  – Windows method:
    1. Start regedit
    2. Navigate to HKLM\Software\Policies\Google\Google Chrome\Content Settings\CookiesSessionOnlyForUrls
    3. If this key exists and has any defined values, this is a finding.
• Fix Text:
  – Windows group policy:
    1. Open the group policy editor tool with gpedit.msc
    2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings
       Policy Name: Allow session only cookies on these sites
       Policy State: Disabled
       Policy Value: N/A
• CCI (Control Correlation Identifier):
  – CCI-000166: The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
    NIST SP 800-53 :: AU-10
    NIST SP 800-53A :: AU-10.1
    NIST SP 800-53 Revision 4 :: AU-10
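Both the IE 11 item (Module 82) and the Chrome item above give the registry location that backs the Group Policy setting, which is what a repeatable check should read rather than the GP editor. The script below is an added example (not from CIS, DISA or the course notes) that reads the IE NoExtensionManagement value and the Chrome CookiesSessionOnlyForUrls key and reports each benchmark's state; it assumes a Windows host, an elevated PowerShell, and that NoExtensionManagement data 1 is what the ADMX writes for Enabled.

```powershell
# Added example (not from the CIS IE benchmark, the DISA Chrome STIG or the course
# notes): read the two policy-backed registry locations from the case studies and
# report what each benchmark asks. Windows only; run from an elevated PowerShell.

function Get-PolicyRegistryState {
    # Returns whether the key exists and the (optionally filtered) values under it.
    param([Parameter(Mandatory)][string]$KeyPath, [string]$ValueName)
    $psPath = "Registry::$KeyPath"
    if (-not (Test-Path -LiteralPath $psPath)) {
        return [pscustomobject]@{ KeyPath = $KeyPath; Exists = $false; Values = @() }
    }
    $key   = Get-Item -LiteralPath $psPath
    $names = $key.GetValueNames()
    if ($ValueName) { $names = @($names | Where-Object { $_ -eq $ValueName }) }
    $values = foreach ($n in $names) {
        [pscustomobject]@{ Name = $n; Data = $key.GetValue($n) }
    }
    [pscustomobject]@{ KeyPath = $KeyPath; Exists = $true; Values = @($values) }
}

function Test-IeAddOnManagementPolicy {
    # CIS IE 11 1.5 (Not Scored): report how the GP setting is currently configured.
    # Assumption: NoExtensionManagement = 1 is the ADMX value written for 'Enabled'.
    $s = Get-PolicyRegistryState -KeyPath 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions' -ValueName 'NoExtensionManagement'
    $state = if (-not $s.Exists -or $s.Values.Count -eq 0) { 'Not Configured' }
             elseif ($s.Values[0].Data -eq 1) { 'Enabled' }
             else { 'Disabled' }
    # Not Scored: the benchmark asks for a conscious choice, so this only reports.
    [pscustomobject]@{ Check = 'CIS IE 1.5'; State = $state; Finding = $false }
}

function Test-ChromeSessionOnlyCookies {
    # DISA DTBC-0045 (CAT I): the key must not exist with any defined values.
    $s = Get-PolicyRegistryState -KeyPath 'HKEY_LOCAL_MACHINE\Software\Policies\Google\Google Chrome\Content Settings\CookiesSessionOnlyForUrls'
    $finding = $s.Exists -and ($s.Values.Count -gt 0)
    $state   = if (-not $s.Exists) { 'Key absent' } else { "Key present, $($s.Values.Count) value(s)" }
    [pscustomobject]@{ Check = 'DISA DTBC-0045'; State = $state; Finding = $finding }
}

@(Test-IeAddOnManagementPolicy; Test-ChromeSessionOnlyCookies) | Format-Table -AutoSize
```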
Module 84
Case Study Security Hardening – Firefox

• CIS Benchmarks case study (Mozilla Firefox)
• December 31, 2015
• 72 pages PDF doc

• 3.5 (L2) Enable IDN Show Punycode (Scored)
  – Profile applicability: Level 2
  – Description: This feature determines whether all Internationalized Domain Names (IDNs) displayed in the browser are displayed as Punycode or as Unicode.
  – Rationale: IDNs displayed in Punycode are easier to identify and therefore help mitigate the risk of accessing spoofed web pages.
  – Audit: Perform the following procedure:
    1. Type about:config in the address bar
    2. Type network.IDN_show_punycode in the filter
    3. Ensure the preferences listed are set to the values specified below:
       network.IDN_show_punycode=true
  – Remediation: Perform the following procedure:
    1. Open the mozilla.cfg file in the installation directory with a text editor
    2. Add the following lines to mozilla.cfg:
       lockPref("network.IDN_show_punycode", true);
  – Default Value: false
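To make the rationale concrete and the remediation checkable, here is an added example (not from the CIS benchmark or the course notes). It uses .NET's System.Globalization.IdnMapping to show the Punycode form the browser displays under this setting, and then audits a mozilla.cfg for the lockPref line; the host name and the config lines are constructed for the example.

```powershell
# Added example (not from the CIS Firefox benchmark or the course notes). Part 1 shows
# the point of 3.5: the same host name in Unicode and in the Punycode form Firefox
# displays when network.IDN_show_punycode is true. Part 2 audits a mozilla.cfg for
# the lockPref line the remediation adds. Host name and config text are constructed.

function ConvertTo-Punycode {
    param([Parameter(Mandatory)][string]$HostName)
    # .NET IdnMapping implements IDNA ToASCII: non-ASCII labels become xn-- labels.
    [System.Globalization.IdnMapping]::new().GetAscii($HostName)
}

# Part 1: Latin 'example.com' versus the same word with a Cyrillic 'а' (U+0430) in place
# of the Latin 'a'. Rendered as Unicode the two are hard to tell apart; in Punycode the
# second carries an xn-- label, which is what the benchmark's rationale relies on.
$latin = 'example.com'
$mixed = "ex$([char]0x0430)mple.com"
foreach ($h in $latin, $mixed) {
    '{0,-14} -> {1}' -f $h, (ConvertTo-Punycode -HostName $h)
}

function Test-PunycodeLocked {
    # Part 2: true only if mozilla.cfg locks network.IDN_show_punycode to true.
    param([Parameter(Mandatory)][string[]]$ConfigLines)
    $pattern = '^\s*lockPref\(\s*"network\.IDN_show_punycode"\s*,\s*(true|false)\s*\)\s*;'
    foreach ($line in $ConfigLines) {
        if ($line -match $pattern) { return ($Matches[1] -eq 'true') }
    }
    $false   # not locked: the pref stays user-changeable at its default of false
}

# Constructed mozilla.cfg (Firefox requires the first line to be a comment).
$sampleCfg = @(
    '//',
    'lockPref("network.IDN_show_punycode", true);',
    'lockPref("browser.formfill.enable", false);'
)
"network.IDN_show_punycode locked to true: $(Test-PunycodeLocked -ConfigLines $sampleCfg)"
# Against an install: Test-PunycodeLocked -ConfigLines (Get-Content "$env:ProgramFiles\Mozilla Firefox\mozilla.cfg")
```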
Module 85
Security Hardening – Case Study - FW

• Firewall STIG
• DISA, Release 22
  – 28 April, 2017

[STIG Viewer window screenshot]

• General Information:
  – Rule Title: The device must be configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc.
  – Vuln ID: V-3156
  – STIG ID: NET0375
  – Severity: CAT II
• Discussion:
  – A SYN-flood attack is a denial-of-service attack where the attacker sends a huge amount of please-start-a-connection packets and then nothing else. This causes the device being attacked to be overloaded with the open sessions and eventually crash.
  – A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts (computers).
• Check Content:
  – Review the device configurations to determine if denial of service attacks are guarded against.
  – If the device is not configured to mitigate denial of service attacks, this is a finding.
• Fix Text:
  – If the firewall supports SYN-flood or ping sweep protection, then enable these features. If the firewall does not support these features, enable the security features on the router to protect the network from these attacks.
• CCI (Control Correlation Identifier):
  – (Misc info)
Module 86
Security Hardening – Case Study - Switch

• Layer 2 Switch STIG
• DISA, Release 20
  – 28 Oct, 2016

[STIG Viewer window screenshot]

• General Information:
  – Rule Title: The IAO will ensure that all switchports configured using MAC port security will shutdown upon receiving a frame with a different layer 2 source address than what has been configured or learned for port security.
  – Vuln ID: V-18565
  – STIG ID: NET-NAC-032
  – Severity: CAT III
• Discussion:
  – The Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port.
• Check Content:
  – A shutdown action puts the interface into the error-disabled state immediately and sends an SNMP trap notification if it receives a frame with a different layer 2 source address than what has been configured or learned for port security. The following Catalyst IOS interface command will shutdown the interface when such an event occurs:
    switchport port-security violation shutdown
• Fix Text:
  – Configure the port to shutdown when insecure hosts are connected to the wall jack.
Module 87
Case Study Security Hardening – Cisco IOS 15

• CIS Benchmarks case study (Cisco IOS 15)
• For Cisco routers running IOS 15M
• June 30, 2015
• 151 pages PDF doc

• 3.3.2.2 Set 'ip ospf message-digest-key md5' (Scored)
  – Profile applicability: Level 2
  – Description: Enable Open Shortest Path First (OSPF) Message Digest 5 (MD5) authentication.
  – Rationale: This is part of the OSPF authentication setup.
  – Audit: Verify the appropriate md5 key is defined on the appropriate interface(s):
    hostname#sh run int {interface}
  – Remediation: Configure the appropriate interface(s) for Message Digest authentication:
    hostname(config)#interface {interface_name}
    hostname(config-if)#ip ospf message-digest-key {ospf_md5_key-id} md5 {ospf_md5_key}
  – Impact: Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the proper interface(s) for 'ip ospf message-digest-key md5' enforces these policies by restricting exchanges between network devices.
  – Default Value: Not set
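The switch check in Module 86 (port-security violation mode) and the OSPF check above both come down to reading interface blocks out of a `show running-config`; one parser serves both. The script below is an added example (not from CIS, DISA or the course notes) that parses a constructed running-config and reports a finding per interface for each check; it assumes an interface is OSPF-enabled when it carries any `ip ospf` line, and that an absent `violation` line means the IOS default of shutdown.

```powershell
# Added example (not from the CIS Cisco IOS benchmark, the DISA switch STIG or the
# course notes): parse an IOS running-config into interface blocks and apply two of
# the case-study checks offline. The configuration text below is constructed.

function Get-IosInterfaceBlocks {
    # Returns a hashtable: interface name -> its trimmed configuration lines.
    param([Parameter(Mandatory)][string[]]$ConfigLines)
    $blocks  = @{}
    $current = $null
    foreach ($line in $ConfigLines) {
        if ($line -match '^interface\s+(\S+)') {
            $current = $Matches[1]
            $blocks[$current] = @()
        } elseif ($current -and $line -match '^\s+\S') {
            $blocks[$current] += $line.Trim()     # indented line belongs to the open block
        } else {
            $current = $null                      # '!' or a top-level command closes it
        }
    }
    $blocks
}

function Test-PortSecurityShutdown {
    # NET-NAC-032: ports with MAC port security must shut down on a violation.
    param([string]$Interface, [string[]]$Lines = @())
    if ($Lines -notcontains 'switchport port-security') { return }   # not in scope
    $mode = 'shutdown'    # IOS default when no explicit violation line is present
    foreach ($l in $Lines) {
        if ($l -match '^switchport port-security violation\s+(\S+)') { $mode = $Matches[1] }
    }
    [pscustomobject]@{ Interface = $Interface; Check = 'NET-NAC-032'; Detail = "violation $mode"; Finding = ($mode -ne 'shutdown') }
}

function Test-OspfMd5Key {
    # CIS 3.3.2.2: OSPF-enabled interfaces must carry 'ip ospf message-digest-key N md5 ...'.
    # Scope assumption: an interface is OSPF-enabled if it has any 'ip ospf' line
    # (interfaces enabled only via 'network' statements under 'router ospf' are not seen).
    param([string]$Interface, [string[]]$Lines = @())
    if (-not ($Lines -match '^ip ospf\b')) { return }
    $hasKey = [bool]($Lines -match '^ip ospf message-digest-key\s+\d+\s+md5\s+\S')
    $detail = if ($hasKey) { 'md5 key present' } else { 'no md5 key' }
    [pscustomobject]@{ Interface = $Interface; Check = 'CIS 3.3.2.2'; Detail = $detail; Finding = (-not $hasKey) }
}

# Constructed sample of 'show running-config' output (the key value is a placeholder).
$sampleConfig = @'
interface GigabitEthernet0/1
 description uplink to core
 ip address 10.0.0.1 255.255.255.252
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 <key-placeholder>
!
interface GigabitEthernet0/2
 ip address 10.0.1.1 255.255.255.252
 ip ospf 1 area 0
!
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
!
'@ -split "`r?`n"

$blocks  = Get-IosInterfaceBlocks -ConfigLines $sampleConfig
$results = foreach ($name in $blocks.Keys) {
    Test-PortSecurityShutdown -Interface $name -Lines $blocks[$name]
    Test-OspfMd5Key           -Interface $name -Lines $blocks[$name]
}
$results | Sort-Object Interface | Format-Table -AutoSize
# For a live device: save 'show running-config' output to a file and pass
# (Get-Content .\running-config.txt) as -ConfigLines.
```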
Module 88
Security Hardening – Case Study - WLAN

• WLAN Controller STIG
• DISA, Release 12
  – 28 Oct, 2016

[STIG Viewer window screenshot]

• General Information:
  – Rule Title: WLAN must use EAP-TLS
  – Vuln ID: V-3692
  – STIG ID: WIR0115-01
  – Severity: CAT II
• Discussion:
  – EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other methods. Additionally, EAP-TLS supports two-factor user authentication on the WLAN client, which provides significantly more protection than methods that rely on a password or certificate alone. EAP-TLS also can leverage DoD CAC in its authentication services, providing additional security and convenience.
• Check Content:
  – NOTE: If the equipment is WPA2 certified, then it is capable of supporting this requirement.
  – Review the WLAN equipment configuration to check EAP-TLS is actively used and no other methods are enabled. Mark as a finding if either EAP-TLS is not used or if the WLAN system allows users to connect with other methods.
• Fix Text:
  – Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary.
  – If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.
Week 06
Module 89
Security Hardening – Case Study – L3 Switch

• Infrastructure Layer 3 Switch STIG
• DISA, Release 22
  – 28 April, 2017

[STIG Viewer window screenshot]

• General Information:
  – Rule Title: The administrator must ensure that all L2TPv3 sessions are authenticated prior to transporting traffic.
  – Vuln ID: V-30744
  – STIG ID: NET-TUNL-034
  – Severity: CAT II
• Discussion:
  – L2TPv3 sessions can be used to transport layer-2 protocols across an IP backbone. These protocols were intended for link-local scope only and are therefore less defended and not as well-known. As stated in DoD IPv6 IA Guidance for MO3 (S4-C7-1), the L2TP tunnels can also carry IP packets that are very difficult to filter because of the additional encapsulation. Hence, it is imperative that L2TP sessions are authenticated prior to transporting traffic.
• Check Content:
  – Review the router or multi-layer switch configuration and determine if L2TPv3 has been configured to provide transport across an IP network. If it has been configured, verify that the L2TPv3 session requires authentication.
  – See the detailed explanation (configurations) in the STIG's Check Content.
• Fix Text:
  – Configure L2TPv3 to use authentication for any peering sessions.
Module 90
Case Study Security Hardening – VMware

• CIS Benchmarks case study (VMware ESXi 5.5)
• December 16, 2014
• 132 pages PDF doc

• 5.1 Disable DCUI to prevent local administrative control (Scored)
  – Profile applicability: Level 2
  – Description: The Direct Console User Interface (DCUI) can be disabled to prevent any local administration from the Host; once the DCUI is disabled any administration of the ESXi host will be done through vCenter.
• Rationale:
  – The DCUI allows for low-level host configuration such as configuring IP address, hostname and root password as well as diagnostic capabilities such as enabling the ESXi shell, viewing log files, restarting agents, and resetting configurations. Actions performed from the DCUI are not tracked by vCenter Server. Even if Lockdown Mode is enabled, users who are members of the DCUI.Access list can perform administrative tasks in the DCUI bypassing RBAC and auditing controls provided through vCenter. DCUI access can be disabled. Disabling it prevents all local activity and thus forces actions to be performed in vCenter Server where they can be centrally audited and monitored.
• Audit: Perform the following:
  1. From the vSphere web client select the host.
  2. Select "Manage" -> "Settings" -> "System" -> "Security Profile".
  3. Scroll down to "Services".
  4. Click "Edit...".
  5. Select "Direct Console UI".
  6. Verify the Startup Policy is set to "Start and Stop Manually".
  Additionally, the following PowerCLI command may be used:
    # List DCUI settings for all hosts
    Get-VMHost | Get-VMHostService | Where { $_.key -eq "DCUI" }
• Remediation: Perform the following:
  1. From the vSphere web client select the host.
  2. Select "Manage" -> "Settings" -> "System" -> "Security Profile".
  3. Scroll down to "Services".
  4. Click "Edit...".
  5. Select "Direct Console UI".
  6. Click "Stop".
  7. Change the Startup Policy to "Start and Stop Manually".
  8. Click "OK".
• Impact:
  – Disabling the DCUI can create a potential "lock out" situation should the host become isolated from vCenter Server. Recovering from a "lock out" scenario requires re-installing ESXi. Consider leaving DCUI enabled and instead enable lockdown mode and limit the users allowed to access the DCUI using the DCUI.Access list.
• Default Value:
  – The prescribed state is not the default state.
• References:
  – http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6779F098-48FE-4E22-B116-A8353D19FF56.html
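The PowerCLI one-liner in the Audit section lists the DCUI service but leaves the compliance decision to the reader. The following is an added example (not from the CIS benchmark or the course notes) that turns it into a per-host compliance table for 5.1 and a remediation that honours -WhatIf, because the Impact section's lock-out warning makes an unguarded change risky; it assumes VMware PowerCLI and an open Connect-VIServer session, and the host name in the usage line is a placeholder.

```powershell
# Added example (not from the CIS ESXi benchmark or the course notes): extend the
# PowerCLI one-liner into a per-host compliance table for 5.1, plus a guarded
# remediation. Requires VMware PowerCLI and an open Connect-VIServer session.

function Get-DcuiComplianceState {
    # Startup policy 'off' is what the web client labels "Start and Stop Manually"
    # ('on' = with host, 'automatic' = with port usage). Compliant = stopped + manual.
    Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq 'DCUI' } | ForEach-Object {
        $policy = "$($_.Policy)"
        [pscustomobject]@{
            Host      = $_.VMHost.Name
            Running   = $_.Running
            Policy    = $policy
            Compliant = (-not $_.Running) -and ($policy -eq 'off')
        }
    }
}

function Disable-DcuiService {
    # Applies Remediation steps 6-7. Supports -WhatIf / -Confirm because the Impact
    # section warns that a host isolated from vCenter cannot be recovered without a
    # reinstall once DCUI is off; confirm vCenter connectivity before running it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$HostName)
    $svc = Get-VMHost -Name $HostName | Get-VMHostService | Where-Object { $_.Key -eq 'DCUI' }
    if ($PSCmdlet.ShouldProcess($HostName, 'Stop DCUI and set its startup policy to manual')) {
        if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
        Set-VMHostService -HostService $svc -Policy Off | Out-Null
    }
}

Get-DcuiComplianceState | Format-Table -AutoSize
# Dry run on one host (placeholder name):
# Disable-DcuiService -HostName 'esxi01.example.internal' -WhatIf
```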
Module 91
Case Study Security Hardening – Cloud AWS

• CIS Benchmarks case study (Cloud – Amazon Web Services Foundations)
• November 29, 2016
• 148 pages PDF doc

• 1.14 Ensure hardware MFA is enabled for the "root" account (Scored)
  – Profile applicability: Level 2
  – Description: The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password; with MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA.
• Rationale:
  – A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.
  – Note: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.
• Audit: Perform the following to determine if the root account has a hardware MFA setup:
  1. Run the following command to list all virtual MFA devices:
     aws iam list-virtual-mfa-devices
  2. If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation:
     "SerialNumber": "arn:aws:iam::<aws_account_number>:mfa/root-account-mfa-device"
• Remediation: [8 step process…check the benchmark]
• References:
  – http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html
  – http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root
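The Audit above is a visual check of the CLI output; the script below is an added example (not from the CIS benchmark or the course notes) that evaluates that output programmatically and goes one step beyond the benchmark text by also taking the account-level "MFA enabled at all" flag into account, so the three possible states are distinguished. The JSON is constructed sample output and the account id is the usual documentation placeholder.

```powershell
# Added example (not from the CIS AWS Foundations benchmark or the course notes):
# evaluate 'aws iam list-virtual-mfa-devices' output for CIS 1.14. A virtual device
# with serial arn:aws:iam::<account>:mfa/root-account-mfa-device means root is on a
# virtual, not hardware, MFA. The JSON below is constructed sample output.

function Test-RootHardwareMfa {
    param(
        # Text of: aws iam list-virtual-mfa-devices --output json
        [Parameter(Mandatory)][string]$ListVirtualMfaJson,
        # Whether root has any MFA at all (AccountMFAEnabled from
        # 'aws iam get-account-summary'); supplied by the caller in this example.
        [bool]$AccountMfaEnabled = $true
    )
    $devices = @((ConvertFrom-Json -InputObject $ListVirtualMfaJson).VirtualMFADevices)
    $rootVirtual = @($devices | Where-Object {
        $_.SerialNumber -match '^arn:aws:iam::\d{12}:mfa/root-account-mfa-device$'
    })
    $status = if (-not $AccountMfaEnabled) { 'NoMfa' }
              elseif ($rootVirtual.Count -gt 0) { 'VirtualMfa' }
              else { 'HardwareMfa' }   # MFA is on and no virtual root device is listed
    [pscustomobject]@{
        Status            = $status
        Compliant         = ($status -eq 'HardwareMfa')
        RootVirtualSerial = ($rootVirtual.SerialNumber -join ', ')
    }
}

# Constructed sample output: root uses a virtual MFA, plus one ordinary IAM user's device.
$sampleJson = @'
{
  "VirtualMFADevices": [
    {
      "SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
      "User": { "Arn": "arn:aws:iam::123456789012:root", "UserId": "123456789012" },
      "EnableDate": "2017-05-01T10:00:00Z"
    },
    {
      "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
      "User": { "Arn": "arn:aws:iam::123456789012:user/alice", "UserName": "alice" },
      "EnableDate": "2017-05-02T10:00:00Z"
    }
  ]
}
'@

Test-RootHardwareMfa -ListVirtualMfaJson $sampleJson
# Live use (needs the AWS CLI and read access to IAM):
# $json = aws iam list-virtual-mfa-devices --output json | Out-String
# $mfa  = (aws iam get-account-summary --output json | ConvertFrom-Json).SummaryMap.AccountMFAEnabled -eq 1
# Test-RootHardwareMfa -ListVirtualMfaJson $json -AccountMfaEnabled $mfa
```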
Module 92
Software Security Fundamentals-SAMM

• Software Assurance Maturity Model (SAMM) developed by OWASP
  – A guide to building security into software development
  – 96 page PDF
  http://www.opensamm.org/downloads/SAMM-1.0.pdf

• OWASP Software Assurance Maturity Model (SAMM) Governance Phase:
  – Strategy & Metrics
  – Education & Guidance
  – Policy & Compliance
• Strategy & Metrics:
  – Focused on establishing the framework within an organization for a software security assurance program. This is the most fundamental step in defining security goals in a way that’s both measurable and aligned with the organization’s real business risk.
• Education & Guidance:
  – Focused on arming personnel involved in the software lifecycle with knowledge and resources to design, develop, and deploy secure software. With improved access to information, project teams will be better able to proactively identify and mitigate the specific security risks that apply to their organization.
• Policy & Compliance:
  – Focused on understanding and meeting external legal and regulatory requirements while also driving internal security standards to ensure compliance in a way that’s aligned with the business purpose of the organization.
  – A driving theme for improvement within this Practice is focus on project-level audits that gather information about the organization’s behavior in order to check that expectations are being met.
• Let’s look at the SAMM Construction Phase in the next module…
Module 93
Software Security Fundamentals-SAMM-2

• Software Assurance Maturity Model (SAMM) developed by OWASP
  – A guide to building security into software development
  – 96 page PDF
  http://www.opensamm.org/downloads/SAMM-1.0.pdf

• OWASP Software Assurance Maturity Model (SAMM) Construction Phase:
  – Security Requirements
  – Threat Assessment
  – Secure Architecture
• Security Requirements:
  – Focused on proactively specifying the expected behavior of software with respect to security. Through addition of analysis activities at the project level, security requirements are initially gathered based on the high-level business purpose of the software.
• Threat Assessment:
  – Centered on identification and understanding of the project-level risks based on the functionality of the software being developed and characteristics of the runtime environment. From details about threats and likely attacks against each project, the organization as a whole operates more effectively through better decisions about prioritization of initiatives for security.
• Secure Architecture:
  – Focused on proactive steps for an organization to design and build secure software by default. By enhancing the software design process with reusable services and components, the overall security risk from software development can be dramatically reduced.
• SAMM is an excellent model for software security; we look at the verification and deployment phases as part of testing and validation (future module)…
SECURITY HARDENING – SOFTWARE APPLICATIONS

Module 94 • Two types of security hardening:
– IT assets (systems, network devices, databases, applications)
– Software developed internally or by third party

800
SECURITY HARDENING – SOFTWARE APPLICATIONS

• Typical enterprise software:
– ERP (Oracle, SAP, IBM, etc.)
– Internally or 3rd-party developed software in ASP.NET, PHP, Android/iOS, or other platform

801
SECURITY HARDENING – SOFTWARE APPLICATIONS

8 STEP SECURITY HARDENING METHODOLOGY

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

802
SECURITY HARDENING – SOFTWARE APPLICATIONS

SOFTWARE SECURITY WORKFLOW

1. Research Security Controls
2. Apply Security Controls (Hardening)
3. Code Review & Automated Testing (Validation)
4. Harden Server Environment
5. Pen Test & Accreditation (Move to PROD)

803
SECURITY HARDENING–SOFTWARE APPLICATIONS

• Useful resources:
– www.OWASP.org
– www.cloudsecurityalliance.org
– MS Technet
– OWASP Top 10
– OWASP Secure Coding Practices Quick Reference Guide
– SAMM
804
SECURITY HARDENING–SOFTWARE APPLICATIONS

17-page document
805
SECURITY HARDENING–SOFTWARE APPLICATIONS

Latest version is currently under review


806
SECURITY HARDENING–SOFTWARE APPLICATIONS

Latest version 20 SEPT ‘17

807
SECURITY HARDENING–SOFTWARE APPLICATIONS

• Conclusion
– Software security hardening is a challenging activity
– Build software security program & integrate with QA
– Domain specific knowledge required
– Build capabilities and process following SAMM

END
808
CASE STUDY – ASP.NET SECURITY HARDENING

Module 95 • OWASP ASP.NET Cheat Sheet
• https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet

809
CASE STUDY – ASP.NET SECURITY HARDENING

• .NET Framework
Guidance
• ASP.NET Web Forms
Guidance
• ASP.NET MVC
Framework Guidance

810
CASE STUDY – ASP.NET SECURITY HARDENING

• .NET Framework
Guidance
– Data access
– Encryption
– General guidelines

811
CASE STUDY – ASP.NET SECURITY HARDENING

.NET FRAMEWORK, DATA ACCESS GUIDANCE:

• Use parameterized SQL commands for all data access, without exception.
• Do not use SqlCommand with a string parameter made up of a concatenated SQL string.
• Whitelist allowable values coming from the user. Use enums, TryParse or lookup values to assure that the data coming from the user is as expected.

812
CASE STUDY – ASP.NET SECURITY HARDENING

• Apply the principle of least privilege when setting up the database user in your database of choice. The database user should only be able to access items that make sense for the use case.
• Use of the Entity Framework is a very effective SQL injection prevention mechanism. When using SQL Server, prefer integrated authentication over SQL authentication.
• Use Always Encrypted where possible for sensitive data (SQL Server 2016 and SQL Azure).
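The data access guidance above (parameterized commands, no concatenated SQL, whitelisting with enums, TryParse or lookup values) as an added example that is not part of the handout or of the OWASP cheat sheet. It uses Python's sqlite3 module in place of SqlCommand: the table, its rows and the Role values are constructed for the demonstration, and the clamping range in parse_page_size is an assumption.

```python
import sqlite3
from enum import Enum


class Role(str, Enum):
    """Whitelist of the only role values accepted from the client (constructed)."""
    USER = "user"
    ADMIN = "admin"


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_by_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern (the 'do not' case): SQL text built by concatenation.

    The user-controlled value becomes part of the query grammar, so a value
    containing a quote changes what the statement means.
    """
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the value is bound as a parameter (the '?' placeholder
    is sqlite3's equivalent of SqlParameter) and can never alter the statement."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def parse_role(value: str) -> Role:
    """Whitelist validation: only members of Role are accepted; anything else is
    rejected before it gets near the database (the enum/lookup-value advice)."""
    try:
        return Role(value)
    except ValueError:
        raise ValueError(f"role not allowed: {value!r}") from None


def parse_page_size(value: str, default: int = 20, maximum: int = 100) -> int:
    """TryParse-style handling of a numeric field: parse explicitly, fall back to
    a default on failure and clamp to an assumed sane range."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return default
    return max(1, min(n, maximum))
```

The unsafe function is kept only to show the contrast: the same quoted input that returns every row through it matches nothing through the parameterized form, because the driver never lets the value touch the statement text.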
813
CASE STUDY – ASP.NET SECURITY HARDENING

.NET FRAMEWORK, GENERAL GUIDANCE:

• Lock down the config file.
• Remove all aspects of configuration that are not in use.
• Encrypt sensitive parts of the web.config using aspnet_regiis -pe.
• For ClickOnce applications the .NET Framework should be upgraded to use version 4.6.2 to ensure TLS 1.1/1.2 support.

814
CASE STUDY – ASP.NET SECURITY HARDENING

• ASP.NET Web Forms Guidance
– HTTPS & some general configuration
– HTTP validation & encoding
– Forms authentication

815
CASE STUDY – ASP.NET SECURITY HARDENING

• ASP.NET MVC Guidance
– ASP.NET MVC (Model-View-Controller) is a contemporary web application framework that uses more standardized HTTP communication
– Based on OWASP Top 10

END

816
CASE STUDY – PHP SECURITY HARDENING

Module 96 • PHP Security Guidelines
• https://docs.php.earth/security/intro/

817
CASE STUDY – PHP SECURITY HARDENING

1. Cross site scripting (XSS)
2. Injections
– SQL injection
– Directory traversal (path injection)
– Command injection
– Code injection
3. Cross site request forgery (XSRF/CSRF)
4. Public files

818
CASE STUDY – PHP SECURITY HARDENING

5. Passwords
6. Uploading files
7. Session hijacking
8. Remote file inclusion
9. PHP configuration
– Error reporting
– Exposing PHP version
– Remote files
– Open_basedir
– Session settings
819
CASE STUDY – PHP SECURITY HARDENING

10. Use HTTPS
11. Things not listed

820
CASE STUDY – PHP SECURITY HARDENING

9. PHP Configuration
Always keep the installed
PHP version updated. You
can use versionscan to
check for possible
vulnerabilities of your PHP
version. Update open
source libraries and
applications, and keep
your web server well
maintained.

821
CASE STUDY – PHP SECURITY HARDENING

9. PHP Configuration…
Here are some of the
important settings
from php.ini that you
should check out. You can
also use iniscan to scan
your php.ini files for best
security practices.

822
CASE STUDY – PHP SECURITY HARDENING

9. Error Reporting
In your production
environment, you must
always turn off displaying
errors to the screen. If
errors occur in your
application and they are
visible to the outside
world, an attacker could
get valuable data for
attacking your application.
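A configuration check along the lines of the iniscan suggestion above, as an added example that is not part of the handout or of the php.earth guidelines: a small Python scanner over php.ini that flags the items listed under 9 (error reporting, PHP version exposure, remote files, open_basedir, session settings). Both php.ini fragments are constructed for the demonstration; the expected values are the scanner's own assumptions, and the values applied when a directive is absent are PHP's documented built-in defaults.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed php.ini fragment with the development settings still in place.
WEAK_PHP_INI = """
[PHP]
; left over from development
display_errors = On
log_errors = Off
expose_php = On
allow_url_fopen = On
allow_url_include = Off
; open_basedir = /var/www/html
[Session]
session.cookie_httponly = 0
session.use_strict_mode = 1
"""

# The same fragment with the production values the scanner expects (constructed).
HARDENED_PHP_INI = """
[PHP]
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/www/html:/tmp
[Session]
session.cookie_httponly = 1
session.use_strict_mode = 1
"""

# Built-in defaults PHP applies when a directive is absent (documented defaults).
BUILTIN_DEFAULTS = {"display_errors": "1", "expose_php": "1", "allow_url_fopen": "1"}
ON_VALUES = {"1", "on", "true", "yes", "stdout", "stderr"}


@dataclass
class Finding:
    directive: str
    current: str
    expected: str
    reason: str


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.split(";", 1)[0].strip().strip('"')
        settings[key.strip().lower()] = value
    return settings


def is_on(value: str) -> bool:
    return value.strip().lower() in ON_VALUES


def scan_php_ini(text: str) -> List[Finding]:
    """Return one Finding per directive that deviates from the hardened value."""
    s = parse_php_ini(text)
    findings: List[Finding] = []

    def current(key: str) -> str:
        return s.get(key, BUILTIN_DEFAULTS.get(key, ""))

    def want_off(key: str, reason: str) -> None:
        if is_on(current(key)):
            findings.append(Finding(key, current(key), "Off", reason))

    def want_on(key: str, reason: str) -> None:
        if not is_on(current(key)):
            findings.append(Finding(key, current(key) or "<unset>", "On", reason))

    # Error reporting: never show errors to the client, but keep logging them.
    want_off("display_errors", "error output reveals paths, queries and stack traces")
    want_on("log_errors", "errors must still be recorded where only admins can read them")
    # Exposing PHP version: the X-Powered-By header advertises the exact version.
    want_off("expose_php", "X-Powered-By header advertises the PHP version")
    # Remote files: remote URLs in file functions and in include/require.
    want_off("allow_url_fopen", "file functions accept remote URLs")
    want_off("allow_url_include", "include/require accept remote URLs (remote file inclusion)")
    # open_basedir: confine scripts to the application's directory tree.
    if not current("open_basedir"):
        findings.append(Finding("open_basedir", "<unset>", "<document root>",
                                "scripts can open files anywhere on the filesystem"))
    # Session settings: keep the cookie out of script reach and refuse
    # session ids the server did not issue.
    want_on("session.cookie_httponly", "session cookie readable by script")
    want_on("session.use_strict_mode", "uninitialised session ids are accepted")
    return findings
```

Running scan_php_ini over the weak fragment yields six findings and over the hardened one none; an empty file also produces findings, because the built-in defaults for display_errors, expose_php and allow_url_fopen are the permissive ones.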

823
CASE STUDY – PHP SECURITY HARDENING

https://docs.php.earth/security/intro/#php-configuration

824
CASE STUDY – PHP SECURITY HARDENING

• PHP Security Guidelines
• https://docs.php.earth/security/intro/

END

825
CASE STUDY – ASP.NET MVC SECURITY HARDENING

Module 97 • ASP.NET MVC Security Guidelines
• https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet#ASP.NET_MVC_Guidance

826
CASE STUDY – ASP.NET MVC SECURITY HARDENING

• ASP.NET MVC (Model-View-Controller) is a contemporary web application framework that uses more standardized HTTP communication than the Web Forms postback model.

827
CASE STUDY – ASP.NET MVC SECURITY HARDENING

• The OWASP Top 10 lists the most prevalent and dangerous threats to web security in the world today and is reviewed every 3 years.
• After covering the top 10 it is generally advisable to assess for other threats or get a professional penetration test.
828
CASE STUDY – ASP.NET MVC SECURITY HARDENING

• Your approach to securing your web application should be to start at the top threat A1 below and work down; this will ensure that any time spent on security will be spent most effectively and cover the top threats first and lesser threats afterwards.
829
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure
• DO NOT: Store encrypted passwords.
• DO: Use a strong hash to store password credentials. Use PBKDF2, BCrypt or SCrypt with at least 8000 iterations and a strong key.

830
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure…
• DO: Enforce passwords with a minimum complexity that will survive a dictionary attack, i.e. longer passwords that use the full character set (numbers, symbols and letters) to increase the entropy.
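The two A.6 points above (hash credentials with PBKDF2, BCrypt or SCrypt rather than encrypting them, and enforce length and character-set complexity) as an added example that is not part of the handout or of the OWASP cheat sheet. It uses Python's hashlib.pbkdf2_hmac; the iteration count, the 12-character minimum and the three-of-four character-class rule are the example's own assumptions (the slide's floor is 8000 iterations).

```python
import hashlib
import hmac
import os
import string
from typing import List

PBKDF2_ITERATIONS = 100_000  # assumption: comfortably above the 8000 floor on the slide
SALT_BYTES = 16
MIN_LENGTH = 12              # assumption: length is what defeats dictionary attacks
SCHEME = "pbkdf2_sha256"


def check_password_policy(password: str) -> List[str]:
    """Return the policy rules the password fails; an empty list means acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(classes) - len(missing) < 3:
        problems.append("uses fewer than three character classes (missing: "
                        + ", ".join(missing) + ")")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 digest. The stored record is
    scheme$iterations$salt$digest: there is no key that could recover the
    password, which is the point of hashing instead of encrypting."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time; any malformed record verifies as False."""
    try:
        scheme, iterations_text, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)
```

Because the iteration count travels inside the record, it can be raised for new passwords later without invalidating the old ones, and the random per-password salt is why hashing the same password twice gives two different records.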
831
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure…
• DO: Use a strong encryption routine such as AES-512 where personally identifiable data needs to be restored to its original format. Do not encrypt passwords. Protect encryption keys more than any other asset.
832
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure…
• Apply the following test: would you be happy leaving the data on a spreadsheet on a bus for everyone to read? Assume the attacker can get direct access to your database and protect it accordingly.

833
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure…
• DO: Use TLS 1.2 for your entire site. Get a free certificate from StartSSL.com or LetsEncrypt.org.
• DO NOT: Allow SSL, this is now obsolete.

834
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure…
• DO: Have a strong TLS policy (see SSL Best Practices), use TLS 1.2 wherever possible. Then check the configuration using SSL Test.
• DO: Ensure headers are not disclosing information about your application.
835
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure…
• See HttpHeaders.cs, Dionach StripHeaders, or disable via web.config:

END

836
Security Hardening – Case Study-SharePoint

Module 98 • SharePoint 2013 STIG
• DISA, Release 3
– 22 April, 2016
• SharePoint server side configurations

837
Security Hardening – Case Study-SharePoint

STIGVIEWER WINDOW

838
Security Hardening – Case Study-SharePoint

• General Information:
– Rule Title : For
environments
requiring an Internet-
facing capability, the
SharePoint
application server
upon which Central
Administration is
installed, must not be
installed in the DMZ.

839
Security Hardening – Case Study-SharePoint

• General Information:
– Vuln ID: V-59995
– STIG ID: SP13-00-
000155
– Severity: CAT II

840
Security Hardening – Case Study-SharePoint

• Discussion:
– Information flow
control regulates
where information is
allowed to travel
within an information
system and between
information systems
(as opposed to who is
allowed to access the
information) and
without explicit…
841
Security Hardening – Case Study-SharePoint

• …Discussion:
– …regard to
subsequent accesses
to the information.
– SharePoint installed
Central Administrator
is a powerful
management tool
used to administer
the farm. This server
should be installed on
a trusted network…
842
Security Hardening – Case Study-SharePoint

• …Discussion:
– …segment. This
server should also be
used to run services
rather than user-
oriented web
applications.

843
Security Hardening – Case Study-SharePoint

• Check Content:
– For environments
requiring an Internet-
facing capability,
ensure the
SharePoint Central
Administration
application server is
not in the DMZ.
– Inspect the logical
location of the server
farm web front end…
844
Security Hardening – Case Study-SharePoint

• Check Content:
– …servers.
– Verify the Central
Administration site is
not installed on a
server located in a
DMZ or other publicly
accessible segment
of the network.
– If Central
Administrator is…

845
Security Hardening – Case Study-SharePoint

• Check Content:
– installed on a publicly
facing SharePoint
server, this is a
finding.

846
Security Hardening – Case Study-SharePoint

• Fix Text:
– For environments requiring an Internet-facing capability, remove the SharePoint Central Administration application server upon which Central Administration is installed from the DMZ.

END
847
CASE STUDY – C APPLICATIONS SECURITY HARDENING

Module 99 • Carnegie Mellon Software Engineering Institute
• https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards
• https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard

848
CASE STUDY – C APPLICATIONS SECURITY HARDENING

https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards

849
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• There are existing compiler implementations that allow const-qualified objects to be modified without generating a warning message.

850
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• Avoid casting
away const qualification
because doing so makes
it possible to modify
const-qualified objects
without issuing
diagnostics.

851
CASE STUDY – C APPLICATIONS SECURITY HARDENING

852
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• The first assignment is unsafe because it allows the code that follows it to attempt to change the value of the const object i.

853
CASE STUDY – C APPLICATIONS SECURITY HARDENING

854
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• The compliant solution depends on the intent of the programmer. If the intent is that the value of i is modifiable, then it should not be declared as a constant, as in this compliant solution:

855
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• If the intent is that the value of i is not meant to change, then do not write noncompliant code that attempts to modify it.
• Risk Assessment
• Automated detection
• Related vulnerabilities

END

856
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

Module 100 • Carnegie Mellon Software Engineering Institute
• https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682

857
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

858
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Rule 01. Declarations and Initialization (DCL)
• Rule 02. Expressions (EXP)
• Rule 03. Integers (INT)
• Rule 04. Containers (CTR)
• Rule 05. Characters and Strings (STR)

859
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Rule 06. Memory Management (MEM)
• Rule 07. Input Output (FIO)
• Rule 08. Exceptions and Error Handling (ERR)
• Rule 09. Object Oriented Programming (OOP)
• Rule 10. Concurrency (CON)
860
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Rule 10. Concurrency (CON)
• CON50-CPP. Do not destroy a mutex while it is locked

861
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Mutex objects are used to protect shared data from being concurrently accessed. If a mutex object is destroyed while a thread is blocked waiting for the lock, critical sections and shared data are no longer protected.

862
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• The C++ Standard, [thread.mutex.class], paragraph 5 [ISO/IEC 14882-2014], states the following:
• The behavior of a program is undefined if it destroys a mutex object owned by any thread or a thread terminates while owning a mutex object.
863
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

864
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Non-Compliant Code Example:
• This noncompliant code example creates several threads that each invoke the do_work() function, passing a unique number as an ID.
• Unfortunately, this code contains a race condition, allowing the mutex to be destroyed…
865
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• …while it is still owned, because start_threads() may invoke the mutex's destructor before all of the threads have exited.

866
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

867
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Compliant Code Example:
• This compliant solution eliminates the race condition by extending the lifetime of the mutex.

END

868
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

Module 101 • Carnegie Mellon Software Engineering Institute
• https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java

869
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

870
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

871
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• Rule 7
• ERR02-J. Prevent exceptions while logging data
• Exceptions that are thrown while logging is in progress can prevent successful logging unless special care is taken. Failure to account for exceptions during the logging process can…
872
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• …cause security vulnerabilities, such as allowing an attacker to conceal critical security exceptions by preventing them from being logged. Hence, programs must ensure that data logging continues to operate correctly even when exceptions are thrown…
873
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• …during the logging process.

874
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

875
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• Non-compliant Code Example:
• This noncompliant code example writes a critical security exception to the standard error stream:

876
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• Writing such exceptions to the standard error stream is inadequate for logging purposes. First, the standard error stream may be exhausted or closed, preventing recording of subsequent exceptions. Second, the trust level of the standard error stream may be…
877
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• …insufficient for recording certain security-critical exceptions or errors without leaking sensitive information. If an I/O error were to occur while writing the security exception, the catch block would throw an IOException and the…
878
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• …critical security exception would be lost. Finally, an attacker may disguise the exception so that it occurs with several other innocuous exceptions.
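The ERR02-J principle above (a security exception must still be recorded when the logging path itself fails) as an added example that is not part of the handout or of the SEI CERT standard, written with Python's logging module rather than java.util.logging. The BrokenHandler standing in for a closed or exhausted stream, the in-memory fallback buffer and the PermissionError event are constructed for the demonstration.

```python
import io
import logging


class FailoverHandler(logging.Handler):
    """Deliver each record to the primary handler; if that raises, send the same
    record (annotated with the failure) to the fallback handler instead, so a
    security-critical record is never lost to an I/O error in the log sink."""

    def __init__(self, primary: logging.Handler, fallback: logging.Handler) -> None:
        super().__init__()
        self.primary = primary
        self.fallback = fallback
        self.failed_over = 0

    def emit(self, record: logging.LogRecord) -> None:
        try:
            self.primary.emit(record)
        except Exception as exc:  # any failure in the sink, not just OSError
            self.failed_over += 1
            # Freeze the formatted message first so the annotation cannot be
            # mistaken for further %-style arguments.
            record.msg = "%s [primary log sink failed: %r]" % (record.getMessage(), exc)
            record.args = ()
            self.fallback.emit(record)


class BrokenHandler(logging.Handler):
    """Constructed stand-in for a log stream that has been closed or exhausted."""

    def emit(self, record: logging.LogRecord) -> None:
        raise OSError("log stream closed")


def build_security_logger(name: str = "security"):
    """One logger for the program, with an in-memory fallback buffer (constructed)."""
    buffer = io.StringIO()
    fallback = logging.StreamHandler(buffer)
    fallback.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    handler = FailoverHandler(BrokenHandler(), fallback)
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger, handler, buffer


def record_security_exception(logger: logging.Logger, exc: BaseException) -> None:
    """Log a security exception through the logging API, never via sys.stderr."""
    logger.error("security exception: %s", exc)


def demo():
    logger, handler, buffer = build_security_logger("security.demo")
    try:
        raise PermissionError("access denied for user 'mallory'")  # constructed event
    except PermissionError as exc:
        record_security_exception(logger, exc)
    return handler.failed_over, buffer.getvalue()
```

The stdlib's own StreamHandler swallows write failures inside emit() and merely prints a traceback, which is exactly the "record silently lost" outcome the rule describes; the failover wrapper is what turns a sink failure into a recorded event rather than a missing one.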

879
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

880
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• Compliant Solution:
• This compliant solution uses java.util.logging.Logger, the default logging API provided by JDK 1.4 and later. Use of other compliant logging mechanisms, such as log4j, is also permitted.
• Typically, only one logger is required for the entire program.

END
881
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

Module 102 • Carnegie Mellon Software Engineering Institute
• https://wiki.sei.cmu.edu/confluence/display/perl/SEI+CERT+Perl+Coding+Standard

882
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

883
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

884
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

• Rule 1
• IDS30-PL. Exclude user input from format strings

885
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

• Never call any formatted I/O function with a format string containing user input.
• An attacker who can fully or partially control the contents of a format string can crash the Perl interpreter or cause a denial of service. She can also modify values, perhaps by using…
886
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

• …the %n conversion specifier, and use these values to divert control flow. Their capabilities are not as strong as in C [Seacord 2005]; nonetheless the danger is sufficiently great that the formatted output functions sprintf() and printf() should never be passed unsanitized format strings.
887
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

888
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

• This noncompliant code example tries to authenticate a user by having the user supply a password and granting access only if the password is correct.

889
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

890
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

• This compliant code example avoids the use of printf(), since print() provides sufficient functionality.
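The IDS30-PL rule above, as an added example that is not part of the handout or of the SEI CERT Perl standard and is written in Python rather than Perl: the noncompliant form passes the user's text as the format string of the %-operator (Python's printf analogue), the compliant form keeps a fixed format string and passes the user's text as an argument. The helper that spots printf-style directives is the example's own addition, and the sample inputs are constructed.

```python
import re


def echo_unsafe(user_input: str) -> str:
    """Noncompliant: the user-controlled text *is* the format string.

    Every conversion specifier in the input is interpreted. With no arguments
    to consume, a lone "%s" already raises and takes the request handler down,
    which is the denial-of-service outcome the rule warns about.
    """
    return user_input % ()


def echo_safe(user_input: str) -> str:
    """Compliant: a fixed format string; the user text is only ever an argument
    and is reproduced verbatim, specifiers and all."""
    return "%s" % (user_input,)


# printf-style directive: %, optional flags/width/precision, conversion letter.
_DIRECTIVE = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[a-zA-Z]")


def contains_format_directives(text: str) -> bool:
    """Input-validation helper for the point where such text is logged or
    rejected. '%%' is a literal percent sign, not a directive, so it is
    removed before searching."""
    return _DIRECTIVE.search(text.replace("%%", "")) is not None
```

The fix is not to sanitize the user text but to change which operand it occupies: once the format string is a literal chosen by the programmer, the input cannot reach the formatter's parser at all.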

END

891
Case Study Security Hardening – Android

Module 103 • CIS Benchmarks case study (Google Android 7)

892
Case Study Security Hardening – Android

• January 24, 2017
• 87-page PDF document

893
Case Study Security Hardening – Android

• 1.15 Ensure Android Device Manager is set to Enabled (Not Scored)
• Profile applicability:
– Level 2

894
Case Study Security Hardening – Android

• 1.15 Ensure Android Device Manager is set to Enabled (Not Scored)
– Description: Set up Android Device Manager as a Device Administrator.

895
Case Study Security Hardening – Android

• Rationale:
– If you lose your Android device, you could use Android Device Manager to find your device and also ring, lock, or erase your device data remotely.

896
Case Study Security Hardening – Android

• Audit: Follow the below steps to verify that Android Device Manager is enabled:
1. Tap the System Settings Gear Icon.
2. Scroll to Personal.
3. Tap Security.
4. Scroll to Device administration;

897
Case Study Security Hardening – Android

• Audit: …
5. Tap Device administrators.
6. Verify that Android Device Manager is enabled.

898
Case Study Security Hardening – Android

• Remediation: Follow the below steps to enable Android Device Manager:
1. Tap the System Settings Gear Icon.
2. Scroll to Personal.
3. Tap Security.
4. Scroll to Device administration;

899
Case Study Security Hardening – Android

• Remediation: …
5. Tap Device administrators.
6. Tap Android Device Manager.
7. Tap Activate this device administrator.

900
Case Study Security Hardening – Android

• Impact:
– Google may track
your device location
anytime.

901
Case Study Security Hardening – Android

• Default Value:
– By default, Android
Device Manager is
not enabled.

902
Case Study Security Hardening – Android

• References:
– https://support.google.com/pixelphone/answer/3265955

END

903
Case Study Security Hardening – Apple IOS 10

Module 104 • CIS Benchmarks case study (Apple iOS 10)

904
Case Study Security Hardening – Apple IOS 10

• May 15, 2017
• 138-page PDF document

905
Case Study Security Hardening – Apple IOS 10

• 3.2.1.12 (L2) Ensure 'Allow modifying cellular data app settings' is set to 'Disabled' (Not Scored)
• Profile applicability:
– Level 2 - Institutionally Owned Devices

906
Case Study Security Hardening – Apple IOS 10

• 3.2.1.12 (L2) Ensure 'Allow modifying cellular data app settings' is set to 'Disabled' (Not Scored)
– Description: This recommendation pertains to modifying the use of cellular data by apps.

907
Case Study Security Hardening – Apple IOS 10

• Rationale:
– It is appropriate for an institution to have remote locating and erasure capability with their devices. Forcing cellular data to remain active is a means of supporting this goal.

908
Case Study Security Hardening – Apple IOS 10

• Audit:
– From the Configuration Profile:
1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the Restrictions tab.
4. In the right windowpane, verify that under the tab…
909
Case Study Security Hardening – Apple IOS 10

• Audit: …
– …Functionality, the checkbox for Allow modifying cellular data app settings is unchecked.

910
Case Study Security Hardening – Apple IOS 10

• Audit: …
…Or, from the device:
1. Tap Settings.
2. Tap General.
3. Tap Profile.
4. Tap <_Profile Name_>.
5. Tap Restrictions.
6. Confirm "Changing app cellular data usage not allowed" is displayed.

911
Case Study Security Hardening – Apple IOS 10

• Remediation:
1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the Restrictions tab;

912
Case Study Security Hardening – Apple IOS 10

• Remediation…:
4. In the right windowpane, under the tab Functionality, uncheck the checkbox for Allow modifying cellular data app settings.
5. Deploy the Configuration Profile.

913
Case Study Security Hardening – Apple IOS 10

• CIS Controls:
– 5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required;

914
Case Study Security Hardening – Apple IOS 10

• CIS Controls:
– …Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior

END

915
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

Module 105 • http://www.ipcomms.net/asteriskblog/1-11-steps-to-secure-your-asterisk-pbx

916
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

917
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

1. Physically secure your IP PBX and network hardware
• The first step to security of your system

918
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

2. Never, Never, Never use the default passwords on any system. (Use Strong Passwords)
• This will stop most of the attacks, as hackers use weak passwords to break in

919
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

3. Never use the same


Username and password
on your extensions
• “This is another VERY
common issue,
especially within the
Asterisk
community. Using
password 101 for
extension 101 is asking
for big trouble. DON’T
DO IT!”
921
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

4. Place your PBX behind a Firewall
• Use VPNs for remote access and limit to specific IP addresses
• Allow access only on ports which are absolutely necessary
• Disable anonymous WAN requests (ICMP or PING) access to your IP PBX
922
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

5. Use the “permit=” and “deny=” lines in sip.conf
• “Use the “permit=” and “deny=” lines in sip.conf to only allow a small range of IP addresses access to extension/user in your sip.conf file. This is true even if you decide to allow inbound calls from “anywhere” (default),
923
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

5. …it won't let those users reach any authenticated elements!”

924
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

6. Keep inbound and outbound routing separate (asterisk)
• This is probably the biggest cause and source of toll fraud. By keeping your inbound call routing in a different context than your outbound routing, if an intruder does happen to…
925
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

6. …make it into your system, he can’t get back out again.

END

926
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

Week 07
Module 106 • http://www.ipcomms.net/asteriskblog/1-11-steps-to-secure-your-asterisk-pbx

927
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

928
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

7. Limit registration by extensions to your local subnet.
• Restrict the IP addresses from which your extensions can register to the local subnet. Asterisk PBXs can use the ACL (permit/deny) in sip.conf to block IP addresses. This can fend off brute force registration attempts.
929
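Steps 5 and 7 above both rely on the permit= and deny= lines in sip.conf. This added example, not part of the handout or of the ipcomms article, is a Python evaluator that reads those lines from a constructed sip.conf peer entry and decides whether a source address may reach that peer. It assumes Asterisk's documented ACL behaviour: rules are checked in file order, the last matching rule decides, and an address matching no rule is permitted, which is why the usual pattern denies everything first and then permits the local subnet. The peer name, networks and secret placeholder are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed peer entry in sip.conf style: deny everything, then permit only
# the local subnet and one management host. The secret is a placeholder.
SAMPLE_SIP_CONF = """
[101]
type=friend
secret=REPLACE-WITH-A-LONG-RANDOM-SECRET
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
permit=10.0.0.5/255.255.255.255
"""

Rule = Tuple[str, ipaddress.IPv4Network]


def parse_acl(conf_text: str) -> List[Rule]:
    """Collect the permit=/deny= lines in file order. Asterisk accepts either
    address/netmask or address/prefix-length; ipaddress handles both."""
    rules: List[Rule] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("permit", "deny"):
            rules.append((key, ipaddress.ip_network(value.strip(), strict=False)))
    return rules


def is_allowed(rules: List[Rule], source: str) -> bool:
    """Evaluate the ACL for one source address.

    Assumed Asterisk semantics: every rule is checked in order and the last
    rule whose network contains the address wins; with no matching rule the
    address is permitted, so a bare permit= list without a leading deny=
    blocks nothing.
    """
    address = ipaddress.ip_address(source)
    verdict = True
    for action, network in rules:
        if address in network:
            verdict = action == "permit"
    return verdict


def explain(rules: List[Rule], source: str) -> str:
    """Human-readable decision line, useful when auditing a peer's ACL."""
    state = "permitted" if is_allowed(rules, source) else "denied"
    return f"{source}: {state} by {len(rules)} rule(s)"
```

Running the evaluator over every peer in a sip.conf, with the public addresses seen in recent failed registrations as input, is a quick way to confirm that step 7 is actually in force for each extension rather than only for the ones configured most recently.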
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

8. Disable channels and services that are not in use
• Disable channels that you aren’t using like skinny and MGCP. For Asterisk PBXs, you can “unload” these modules in the /etc/modules.conf file

930
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

9. Make it harder for SIP scanners (set “alwaysauthreject=yes”)
• Set “alwaysauthreject=yes” in your SIP configuration file. What this does is prevent Asterisk from telling a SIP scanner which extensions are valid by rejecting authentication requests…
931
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

• …on existing usernames with the same rejection details as with nonexistent usernames. If they can't find you they can't hack you!
• Another way to make it hard for SIP scanners is to install a SIP port firewall. This will block…

932
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

• …“scanning” of ports 5060 and 5061 and can disable the attempting endpoint for a specific time when it detects a violation.
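What step 9 above achieves with alwaysauthreject=yes, as an added example that is not part of the handout or of the ipcomms article: a Python sketch of a registration check in both forms. The leaky version answers differently for an unknown extension and for a wrong secret, so a scanner can tell which extensions exist; the hardened version does the same amount of work on both paths and returns the same answer either way. The extension directory, the secrets and the SIP-style status lines are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 50_000  # assumption for the demo


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _entry(secret: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _digest(secret, salt)


# Constructed extension directory: extension -> (salt, digest of its secret).
DIRECTORY: Dict[str, Tuple[bytes, bytes]] = {
    "101": _entry("constructed-secret-for-101"),
    "102": _entry("constructed-secret-for-102"),
}
# Record compared against when the extension does not exist, so the unknown
# path costs the same time as the known-but-wrong path.
_DUMMY = _entry("constructed-dummy-secret")


def register_leaky(extension: str, secret: str) -> str:
    """Without alwaysauthreject: the response reveals whether the extension exists."""
    if extension not in DIRECTORY:
        return "404 Not Found"
    salt, expected = DIRECTORY[extension]
    if hmac.compare_digest(_digest(secret, salt), expected):
        return "200 OK"
    return "403 Forbidden"


def register_hardened(extension: str, secret: str) -> str:
    """With alwaysauthreject: unknown extension and wrong secret are indistinguishable,
    in both the status line and the work performed before answering."""
    salt, expected = DIRECTORY.get(extension, _DUMMY)
    ok = hmac.compare_digest(_digest(secret, salt), expected)
    if ok and extension in DIRECTORY:
        return "200 OK"
    return "401 Unauthorized"
```

The same idea carries to any login endpoint: one failure message, one code path, and the dummy comparison so that response time does not become the oracle that the status code no longer is.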

933
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

10. Limit and restrict routing and phone number dial plans
• Restrict calling to high-cost calling destinations and don’t allow calling to 0900 + Premium numbers

934
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

11. Audit your system security regularly

END

935
Version Control For IT Assets

Module 107 • Benefits of version control
• Security implications

936
Version Control For IT Assets

• Benefits of version control
– http://its.unl.edu/bestpractices/version-management

937
Version Control For IT Assets

• Benefits of version control
– 1. Organized, coordinated management of changes to software assets by one or many individuals, some of whom may be geographically dispersed
http://its.unl.edu/bestpractices/version-management
938
Version Control For IT Assets

• Benefits of version control
– 2. Organized, coordinated management of changes to software assets for emergency hot-fixes, routine maintenance, upgrades…

http://its.unl.edu/bestpractices/version-management
939
Version Control For IT Assets
• Benefits of version control
– 2. …& new features with potentially overlapping dev timeframes (e.g., work on new features occurs simultaneously with work on routine maintenance and/or hot-fixes)
http://its.unl.edu/bestpractices/version-management
940
Version Control For IT Assets

• Benefits of version control
– 3. An auditable change history (e.g., what changed, when, and by whom)

http://its.unl.edu/bestpractices/version-management

941
Version Control For IT Assets

• Benefits of version control
– 4. A reliable master copy of what assets are currently in production

http://its.unl.edu/bestpractices/version-management

942
Version Control For IT Assets

• Benefits of version control
– 5. A reliable master copy of assets from which to build and/or configure the production environment

http://its.unl.edu/bestpractices/version-management
943
Version Control For IT Assets

• Benefits of version control
– 6. Reliable copies of previous production versions of assets

http://its.unl.edu/bestpractices/version-management

944
Version Control For IT Assets

• Benefits of version control
– 7. Ability to see the specific differences between distinct versions of a given asset

http://its.unl.edu/bestpractices/version-management

945
Version Control For IT Assets

• Security controls:
– Access control measures
– Privilege management
– Backups

END

946
Version Control Best Practices

Module 108 • Version control best practices
– https://intland.com/blog/sdlc/source-control-management-best-practices/

947
Version Control Best Practices

1. Starting with the basics, choose a source control system.
2. Keep your source code in source control (but not files generated / compiled from it).
3. Ensure the working file is from the latest version of the source file.
https://intland.com/blog/sdlc/source-control-management-best-practices/
948
Version Control Best Practices

4. Only check out the file being worked upon.
5. Check in immediately after alterations are completed.
6. Review every change before committing; utilize the diff function!
7. Commit often; every commit provides a rollback position.
https://intland.com/blog/sdlc/source-control-management-best-practices/
949
Version Control Best Practices

8. Make extensive, detailed notes in the check-in comments about why the changes were made.
9. Developers must commit their own changes (only).

https://intland.com/blog/sdlc/source-control-management-best-practices/
950
Version Control Best Practices

10. Use the ignore button for files that should not be committed; consider adding pre-commit filters to prevent the wrong kinds of file (such as accidental check-in of personal user settings docs) from entering the source control
https://intland.com/blog/sdlc/source-control-management-best-practices/
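Items 2 and 10 above (keep generated files out of source control, and add pre-commit filters against the wrong kinds of file) as an added example that is not part of the handout or of the intland.com article: a Python pre-commit check over the list of staged paths. The blocklist patterns, their reasons and the staged file list are constructed for the demonstration; in a real hook the paths would come from `git diff --cached --name-only`.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed blocklist: per-user IDE settings, OS metadata, build output and
# secrets, each with the reason shown to the developer on rejection.
BLOCKED_PATTERNS: Dict[str, str] = {
    "*.suo": "Visual Studio per-user solution settings",
    "*.user": "per-user project settings",
    ".DS_Store": "macOS folder metadata",
    "Thumbs.db": "Windows thumbnail cache",
    "*.pyc": "compiled output, regenerated from source",
    "bin/*": "build output, regenerated from source",
    "obj/*": "build output, regenerated from source",
    ".env": "environment file, commonly holds credentials",
    "*.pem": "private key material",
    "id_rsa": "private key material",
}


def match_reason(path: str) -> str:
    """Return the reason the path is blocked, or '' if it may be committed.

    A pattern is tested against the bare file name, the full path and the path
    with any leading directories, so 'bin/*' also catches 'src/bin/app.dll'.
    """
    name = path.rsplit("/", 1)[-1]
    for pattern, reason in BLOCKED_PATTERNS.items():
        if (fnmatch.fnmatch(name, pattern)
                or fnmatch.fnmatch(path, pattern)
                or fnmatch.fnmatch(path, "*/" + pattern)):
            return reason
    return ""


def check_staged_files(paths: List[str]) -> List[Tuple[str, str]]:
    """(path, reason) for every staged path that must not enter source control."""
    rejected = []
    for path in paths:
        reason = match_reason(path)
        if reason:
            rejected.append((path, reason))
    return rejected


def precommit(paths: List[str]) -> int:
    """Hook entry point: exit status 1 (commit refused) if anything is rejected."""
    rejected = check_staged_files(paths)
    for path, reason in rejected:
        print(f"refusing to commit {path}: {reason}")
    return 1 if rejected else 0


# Constructed example of what a developer might have staged.
STAGED_EXAMPLE = [
    "src/App.cs",
    "App.csproj.user",
    "src/.DS_Store",
    "bin/Debug/App.dll",
    "config/.env",
    "README.md",
]
```

A .gitignore handles the honest mistakes; the hook is the control for the cases where a file was added explicitly or force-added, and its exit status is what makes the rejection enforceable rather than advisory.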
951
Version Control Best Practices

11. Ensure external dependencies are added to source control (or pinned by exact version and checksum in a lock file so builds are reproducible). A common problem is that everything works great on the contributing developer's system but not elsewhere, because they forgot to add dependent files to the system.
https://intland.com/blog/sdlc/source-control-management-best-practices/

END
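As an added illustration of practices 2, 10 and 11 above (example code written for this handout, not taken from the linked article or from any particular project), the following Git pre-commit hook refuses a commit if any staged path matches a deny list of generated files, personal IDE settings or credential files. The pattern list and the installation path are assumptions to adapt per repository.

```python
#!/usr/bin/env python3
"""Git pre-commit hook: refuse commits that stage files which should never
enter source control (personal IDE settings, build output, secrets).

Added example for this handout; it is not code from the linked article.
Install by copying to .git/hooks/pre-commit and making it executable.
DENY_PATTERNS is an assumption: adapt it to your project.
"""
import fnmatch
import subprocess
import sys

# Glob patterns for files that must not be committed (assumed list).
DENY_PATTERNS = [
    "*.pyc", "__pycache__/*", "build/*", "dist/*",   # generated / compiled output
    ".idea/*", ".vscode/*", "*.suo", "*.user",        # personal IDE / user settings
    ".env", "*.pem", "*.key", "id_rsa*",              # credentials and private keys
]


def blocked_paths(staged_paths, patterns=DENY_PATTERNS):
    """Return the subset of staged paths that match a deny pattern.

    Matching is done on the full repo-relative path and on the basename,
    so 'src/.env' is caught by the pattern '.env'.
    """
    blocked = []
    for path in staged_paths:
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch(name, p) for p in patterns):
            blocked.append(path)
    return blocked


def staged_files():
    """Ask git for the paths added, copied or modified in the index."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


def main():
    bad = blocked_paths(staged_files())
    if bad:
        sys.stderr.write("pre-commit: refusing to commit disallowed files:\n")
        for path in bad:
            sys.stderr.write(f"  {path}\n")
        sys.stderr.write("Unstage them (git reset HEAD <file>) or add them to .gitignore.\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The hook only inspects paths, not contents; a content scanner for embedded secrets (high-entropy strings, key headers) is the natural next filter to chain behind it.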
952
SECURITY HARDENING - SECURE SOFTWARE IMAGES

Module 109

• CIS 20 CRITICAL SECURITY CONTROLS
• CONTROL 5, VERSION 7
• Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

953
SECURITY HARDENING - SECURE SOFTWARE IMAGES

5.1 Establish Secure Configurations
• Maintain documented, standard security configuration standards for all authorized operating systems and software.

954
SECURITY HARDENING - SECURE SOFTWARE IMAGES

5.2 Maintain Secure Images
• Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

956
SECURITY HARDENING - SECURE SOFTWARE IMAGES

5.3 Securely Store Master Images
• Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

957
SECURITY HARDENING - SECURE SOFTWARE IMAGES

5.4 Deploy System Configuration Management Tools
• Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

958
SECURITY HARDENING - SECURE SOFTWARE IMAGES

5.5 Implement Automated Configuration Monitoring Systems
• Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

END

960
SECURITY HARDENING – MANUAL & AUTOMATED WORK

Module 110

• Manual & Automated mechanisms for security hardening & validation

961
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

8-step hardening methodology:
1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

962
SECURITY HARDENING – MANUAL & AUTOMATED WORK

• Step 1: Scan an IT asset using Qualys compliance scan, Nessus compliance scan, or the CIS-CAT Pro tool
• Acquire report of failed controls

963
SECURITY HARDENING – MANUAL & AUTOMATED WORK

• Step 2: Apply the failed controls using Active Directory Group Policy (for Windows) or manually for other systems & devices

964
SECURITY HARDENING – MANUAL & AUTOMATED WORK

• Step 3: Use the automated feature of Qualys compliance scan, Nessus compliance scan or the CIS-CAT Pro tool to verify that the applied controls are in place
• Compare the ‘before’ and ‘after’ report

965
SECURITY HARDENING – MANUAL & AUTOMATED WORK

• Step 4: Manually verify if any discrepancy is found (control should be in place but is not being validated by the tool)

966
SECURITY HARDENING – MANUAL & AUTOMATED WORK

• Step 5: For any system or device for which the Qualys compliance scan, Nessus compliance scan, or CIS-CAT Pro scan cannot be performed, conduct the validation of control implementation manually

967
SECURITY HARDENING – MANUAL & AUTOMATED WORK

• Use sampling where necessary during manual validation work to reduce workload
• For example, 15-20% of assets may be checked at random
• Or 15-20% of controls may be checked on an asset
END
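The 'before' and 'after' comparison in Step 3 and the random sampling in Step 5 can be scripted once the scanner's failed-controls report is exported. The following is an added example written for this handout (not Qualys, Nessus or CIS-CAT code): the two-column control/status export and the CIS-style control titles are constructed sample data, so parse_report() must be adapted to the real export format.

```python
"""Compare 'before' and 'after' compliance scan reports and pick a random
sample of controls for manual validation.

Added example for this handout, not output or code from Qualys, Nessus or
CIS-CAT. The two-column "control,status" format is an assumption; real
scanners export richer CSV/XML, so adapt parse_report() accordingly.
"""
import csv
import io
import math
import random

# Constructed sample exports (not real scanner output): one line per control.
BEFORE_CSV = """control,status
1.1.1 Ensure mounting of cramfs filesystems is disabled,FAIL
1.4.1 Ensure permissions on bootloader config are configured,FAIL
5.2.8 Ensure SSH root login is disabled,FAIL
5.2.10 Ensure SSH PermitEmptyPasswords is disabled,PASS
6.1.2 Ensure permissions on /etc/passwd are configured,PASS
"""

AFTER_CSV = """control,status
1.1.1 Ensure mounting of cramfs filesystems is disabled,PASS
1.4.1 Ensure permissions on bootloader config are configured,FAIL
5.2.8 Ensure SSH root login is disabled,PASS
5.2.10 Ensure SSH PermitEmptyPasswords is disabled,PASS
6.1.2 Ensure permissions on /etc/passwd are configured,FAIL
"""


def parse_report(text):
    """Return {control_id: 'PASS'|'FAIL'} from a two-column CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["control"].strip(): row["status"].strip().upper() for row in reader}


def compare_reports(before, after):
    """Classify every control present in both reports.

    fixed      : FAIL before, PASS after (the hardening change worked)
    still_fail : FAIL in both (needs manual follow-up, Step 4)
    regressed  : PASS before, FAIL after (a change broke something)
    Controls missing from one of the reports are not classified.
    """
    result = {"fixed": [], "still_fail": [], "regressed": []}
    for cid in sorted(set(before) & set(after)):
        b, a = before[cid], after[cid]
        if b == "FAIL" and a == "PASS":
            result["fixed"].append(cid)
        elif b == "FAIL" and a == "FAIL":
            result["still_fail"].append(cid)
        elif b == "PASS" and a == "FAIL":
            result["regressed"].append(cid)
    return result


def sample_controls(controls, fraction=0.20, seed=None):
    """Pick a random fraction of controls (at least one) for manual checking.

    A fixed seed makes the sample reproducible, so the auditor can record
    exactly which controls were spot-checked and re-run the same sample.
    """
    controls = sorted(controls)
    k = max(1, math.ceil(len(controls) * fraction))
    return sorted(random.Random(seed).sample(controls, k))


if __name__ == "__main__":
    diff = compare_reports(parse_report(BEFORE_CSV), parse_report(AFTER_CSV))
    for bucket, ids in diff.items():
        print(f"{bucket}: {len(ids)}")
        for cid in ids:
            print(f"  {cid}")
    print("manual sample:", sample_controls(parse_report(AFTER_CSV), 0.20, seed=7))
```

The "regressed" bucket is the one to watch: a control that passed before hardening and fails afterwards usually means a change was applied to the wrong scope or overwrote an earlier fix.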

968
QUALYS DEMO – SECURITY HARDENING

Module 111

• Let's have a look at how Qualys can aid in the security hardening process

969
QUALYS DEMO – SECURITY HARDENING

QUALYS WEBSITE – FREE TRIAL

970
QUALYS DEMO – SECURITY HARDENING

QUALYS GUARD – HOME SCREEN

971
QUALYS DEMO – SECURITY HARDENING

POLICY COMPLIANCE – HOME SCREEN


972
QUALYS DEMO – SECURITY HARDENING

POLICY COMPLIANCE – 5 STEPS

973
QUALYS DEMO – SECURITY HARDENING

HELP OPTIONS
974
QUALYS DEMO – SECURITY HARDENING

ONLINE HELP – POLICY COMPLIANCE


975
QUALYS DEMO – SECURITY HARDENING

RESOURCES

976
QUALYS DEMO – SECURITY HARDENING

QUALYS WEBSITE - TRAINING

977
QUALYS DEMO – SECURITY HARDENING

TRAINING VIDEOS - VIMEO

978
QUALYS DEMO – SECURITY HARDENING

• Qualys is an excellent
tool with detailed online
help, training, and
resources to aid the new
user

END

979
QUALYS DEMO – SECURITY HARDENING II

Module 112

• Let's have a detailed look at the Qualys interface for Policy Compliance

980
QUALYS DEMO – SECURITY HARDENING II

1. ADD IP ADDRESSES TO SCAN


981
QUALYS DEMO – SECURITY HARDENING

1. ADD IP ADDRESSES TO SCAN

982
QUALYS DEMO – SECURITY HARDENING

2. CONFIGURE SCAN SETTINGS


983
QUALYS DEMO – SECURITY HARDENING

2. CONFIGURE SCAN SETTINGS


984
QUALYS DEMO – SECURITY HARDENING

NEW COMPLIANCE PROFILE

985
QUALYS DEMO – SECURITY HARDENING

‘CIS SCAN TEST PROFILE’ CREATED

986
QUALYS DEMO – SECURITY HARDENING

3. CONFIGURE AUTHENTICATION

987
QUALYS DEMO – SECURITY HARDENING

988
QUALYS DEMO – SECURITY HARDENING

3. CONFIGURE AUTHENTICATION

989
QUALYS DEMO – SECURITY HARDENING

3. CONFIGURE AUTHENTICATION

990
QUALYS DEMO – SECURITY HARDENING

3. CONFIGURE AUTHENTICATION
COMPLIANCE LIBRARY: CIS RED HAT ENT. LINUX 7
991
QUALYS DEMO – SECURITY HARDENING

POLICY EDITOR

992
QUALYS DEMO – SECURITY HARDENING

POLICY EDITOR

LAUNCH COMPLIANCE SCAN


993
QUALYS DEMO – SECURITY HARDENING II

• The scan features may also be adjusted from the main Qualys dashboard

END
994
SECURITY HARDENING – LIFECYCLE

Module 113

• Security Hardening Lifecycle: Maintaining An Integrated & Current Program

995
SECURITY HARDENING – LIFECYCLE

1. Harden IT Asset
2. Periodic Validation
3. Seek Updates On Hardening Benchmarks
4. Implement Additional Controls
5. Pursue Controls That May Require Additional Working

996
SECURITY HARDENING – LIFECYCLE

1: Harden IT Asset
Pursue the 8 step
hardening methodology

997
SECURITY HARDENING – LIFECYCLE

8-step hardening methodology:
1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

998
SECURITY HARDENING – LIFECYCLE

2: Periodic Validation
Check periodically (every
quarter) for changes to the
established standard or
baseline

999
SECURITY HARDENING – LIFECYCLE

3: Seek Updates On Hardening Benchmarks
• Benchmarks are periodically updated
• Subscribe to feeds from CIS, DISA, and the NIST NCP (National Checklist Program) repository

1000
SECURITY HARDENING – LIFECYCLE

4: Implement Additional
Controls
• Update the security
controls by studying the
changes

1001
SECURITY HARDENING – LIFECYCLE

5: Pursue & Implement Controls That May Require Additional Working
• Some controls may have caused a crash or malfunction
• Some controls may not have been possible due to dependencies or missing utilities
• Enhance the % of implemented controls

END
1002
Hardening When CIS/DISA STIG Not Available

Module 114

• What type of IT assets do not have a CIS/DISA STIG?
  – Software applications (ASP.NET, PHP, other)
  – Other applications such as Asterisk deployments

1003
Hardening When CIS/DISA STIG Not Available

8-step hardening methodology:
1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

1004
Hardening When CIS/DISA STIG Not Available

• Step 2: Research:
  – Search Google
  – Look for case studies and whitepapers

1005
Hardening When CIS/DISA STIG Not Available

• Other considerations:
– Implement on test
setup
– Test the controls
– Security testing tools
– Perform third-party
security testing
(penetration testing)
– Vendor best-practices
for application
security hardening
1006
Hardening When CIS/DISA STIG Not Available

8-step hardening methodology:
1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

1007
Hardening When CIS/DISA STIG Not Available

• With effort, and by following the 8-step methodology, all types of assets can be hardened

END

1008
QUALYS POLICY LIBRARIES

Module 115

• Let's have a detailed look at the Qualys built-in libraries for creating scanning policies:
  • CIS
  • QUALYS
  • MANDATE
  • DISA
  • VENDOR

1009
QUALYS POLICY LIBRARIES

EXPLORE THE CONTROLS LIBRARY

1010
Security Hardening For Outsourced IT Assets

• IT Outsourcing
• Mechanism to harden
outsourced IT assets
• Important
considerations

1011
Security Hardening For Outsourced IT Assets

• IT Outsourcing
examples:
– Call centers
– Hosted servers
– Software
development
– Workstation helpdesk
functions
– Network services
– Any other
arrangement
1012
Security Hardening For Outsourced IT Assets

• Mechanism:
– Information Security
Policy
– Vendor contract
(right-to-audit clause)
– Set up security
project with security
project manager
– Periodic reviews
– Penalties for non-
compliance
1013
Security Hardening For Outsourced IT Assets

• Important
considerations:
– Enter security
requirements into
RFP
– Part of vendor
evaluation
– Proceed with
contract including
InfoSec clauses
– Awareness training

1014
Security Hardening For Outsourced IT Assets

• Security evaluations:
– Include outsourced
scope in periodic
internal audit
– Ask for third-party
security review
– Vulnerability
assessment and
penetration test (if
END applicable)
– Spot security checks

1015
QUALYS POLICY LIBRARIES
Module 116

CREATE NEW POLICY > IMPORT FROM LIBRARY

1016
QUALYS POLICY LIBRARIES

CREATE A NEW POLICY


1017
QUALYS POLICY LIBRARIES

CIS > RED HAT ENT. LINUX 7.X

1018
QUALYS POLICY LIBRARIES

POLICIES DASHBOARD
1019
QUALYS POLICY LIBRARIES

DISA STIG
1020
QUALYS POLICY LIBRARIES

QUALYS SAP ADAPTIVE SERVER ENT 16


1021
QUALYS POLICY LIBRARIES

VENDOR POLICIES
1022
QUALYS POLICY LIBRARIES

• Qualys has a vast number of options for Compliance Scans, and these should be fully explored through the Qualys trial

END
1023
What is Vulnerability Management ?

Module 117

• What is a vulnerability?
  – Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.

https://www.techopedia.com/definition/13484/vulnerability

1025
What is Vulnerability Management ?

• How do you fix vulnerabilities?
  – Computer users and network personnel can protect computer systems from vulnerabilities by keeping software security patches up to date. These patches can remedy flaws or security holes that were found in the initial release. Computer and network personnel should also stay informed about current vulnerabilities in the software they use and seek out ways to protect against them.

https://www.techopedia.com/definition/13484/vulnerability
1027
What is Vulnerability Management ?

• What is vulnerability management?
  – Vulnerability management is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities"

Foreman, P: Vulnerability Management, page 1.

1028
What is Vulnerability Management ?

• What is vulnerability
assessment (VA) ?
– A process that
defines, identifies,
and classifies the
security holes
(vulnerabilities) in a
computer, network,
or communications
infrastructure.

http://searchmidmarketsecurity.techtarget
.com/definition/vulnerability-analysis
1029
What is Vulnerability Management ?

• What are some of the common vulnerability scanners?
  – OpenVAS
  – Nessus
  – Qualys
  – Rapid7 Nexpose

END

1030
What Are The Steps In VM Lifecycle ?

Module 118

VM Steps:
1. Analyze assets
2. Prepare scanner
3. Run vulnerability scan
4. Assess results
5. Patch systems
6. Verify (re-scan)

1031
What Are The Steps In VM Lifecycle ?

1. Analyze Assets
– Examine assets to
scan
– Gather details on IP
subnet
– Look at potential
issues with network
traffic
– Inform asset owners
and relevant
department heads

1032
What Are The Steps In VM Lifecycle ?

2. Prepare Scanner
– Set scanner
parameters
– Select type of scan
– Look at credentials-
based scan
– Explore and research
plug-ins
– Do a test run
– Coordinate with asset
owner
1033
What Are The Steps In VM Lifecycle ?

3. Run Vulnerability
Scanner
– Run the automated
scan
– Monitor network
performance
degradation issues
– Generate report

1034
What Are The Steps In VM Lifecycle ?

4. Assess Results:
– Evaluate results
– Prioritize according
to the risk level
– Collate results for
asset owners
– Communicate the
results and
remediation timelines

1035
What Are The Steps In VM Lifecycle ?

5. Patch Systems:
– Research
vulnerabilities
– Evaluate fixes and
remediation method
– Test the patches and
fixes
– Apply patches/fixes
– Monitor results

1036
What Are The Steps In VM Lifecycle ?

6. Verify (Re-scan)
  – Re-scan to confirm that the vulnerability scanner gives a clean report (the vulnerability is no longer detected)
  – Collate results of vulnerability scan
  – Report findings
END
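Step 4 above ("prioritize according to the risk level, collate results for asset owners, communicate remediation timelines") is where most VM programs drift, so here is an added example written for this handout (not scanner output or vendor code) that triages a list of findings. The findings are constructed; the SLA table and the rule that asset criticality moves a finding one risk level up or down are assumptions that belong in the organization's own VM policy.

```python
"""Triage vulnerability-scan findings: rank by risk, group by asset owner
and attach a remediation due date.

Added example for this handout, not scanner output or vendor code. The
FINDINGS list is constructed, and SLA_DAYS plus the criticality adjustment
in risk_level() are assumptions an organization sets in its VM policy.
"""
from datetime import date, timedelta

# Assumed remediation SLAs (days from the report date) per risk level.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

RISK_ORDER = ["Low", "Medium", "High", "Critical"]

# Constructed scan results: (asset, owner, asset criticality, CVSS score, finding).
FINDINGS = [
    ("web-01",  "it-ops",  "high", 9.8, "Outdated OpenSSL build"),
    ("web-01",  "it-ops",  "high", 5.3, "TLS 1.0 enabled"),
    ("db-01",   "dba",     "high", 7.2, "Unpatched database server"),
    ("kiosk-3", "desktop", "low",  9.8, "Unsupported browser version"),
    ("print-1", "desktop", "low",  2.6, "SNMP public community string"),
]


def scanner_level(cvss):
    """Map a CVSS score to a severity band (assumed cut-offs 9.0 / 7.0 / 4.0)."""
    if cvss >= 9.0:
        return 3            # Critical
    if cvss >= 7.0:
        return 2            # High
    if cvss >= 4.0:
        return 1            # Medium
    return 0                # Low


def risk_level(cvss, criticality):
    """Combine scanner severity with asset criticality into a risk level.

    Assumed rule: a finding on a high-criticality asset moves up one band,
    on a low-criticality asset down one band. This is the 'prioritize
    according to the risk level' step, distinct from the raw scanner severity.
    """
    level = scanner_level(cvss)
    if criticality == "high":
        level = min(3, level + 1)
    elif criticality == "low":
        level = max(0, level - 1)
    return RISK_ORDER[level]


def triage(findings, report_date):
    """Return {owner: [finding dicts]} sorted most urgent first, with due dates.

    report_date may be a datetime.date or an ISO string such as '2017-06-01'.
    """
    if isinstance(report_date, str):
        report_date = date.fromisoformat(report_date)
    by_owner = {}
    for asset, owner, criticality, cvss, title in findings:
        risk = risk_level(cvss, criticality)
        by_owner.setdefault(owner, []).append({
            "asset": asset,
            "finding": title,
            "cvss": cvss,
            "risk": risk,
            "due": report_date + timedelta(days=SLA_DAYS[risk]),
        })
    for rows in by_owner.values():
        rows.sort(key=lambda r: (-RISK_ORDER.index(r["risk"]), -r["cvss"]))
    return by_owner


if __name__ == "__main__":
    report = triage(FINDINGS, "2017-06-01")
    for owner, rows in sorted(report.items()):
        print(f"== {owner} ==")
        for r in rows:
            print(f"  {r['risk']:<8} CVSS {r['cvss']:<4} due {r['due']}  {r['asset']}: {r['finding']}")
```

Note how the same CVSS 9.8 finding lands as Critical (7 days) on the web server but as High (30 days) on the low-value kiosk: the scanner severity is an input to the risk decision, not the decision itself.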

1037
Why Is Software Insecure ?

Module 119

• Software is everywhere in IT
• Software is being developed in a manner which leaves many defects which may be exploited by attackers
• Race to meet software deadlines with little emphasis on security
• Result: insecure software
1038
Why Is Software Insecure ?

• Gary McGraw, “trinity of trouble” for software security:
  – Connectivity: ever-increasing computer connectivity, and connectivity to the internet, enhances exposure to attacks
https://newrepublic.com/article/115145/us-cybersecurity-why-software-so-insecure

1039
Why Is Software Insecure ?

• Extensibility: “Second, an extensible system is one that supports updates and extensions and thereby allows functionality to evolve incrementally. Web browsers, for example, support plug-ins that enable users to install extensions for new document types. Extensibility is attractive for purposes of increasing functionality, but also makes it difficult to keep the constantly-adapting system free of software vulnerabilities.”
https://newrepublic.com/article/115145/us-cybersecurity-why-software-so-insecure

1041
Why Is Software Insecure ?

• Complexity: Software
systems are growing
exponentially in size and
complexity, which
makes vulnerabilities
unavoidable.

https://newrepublic.com/article/115145/us-
cybersecurity-why-software-so-insecure
1042
Why Is Software Insecure ?

• Carnegie Mellon
University's CyLab
Sustainable Computing
Consortium estimates
that commercial
software contains 20 to
30 bugs for every 1,000
lines of code…

https://newrepublic.com/article/115145/us-
cybersecurity-why-software-so-insecure
1043
Why Is Software Insecure ?

• —and Windows XP
contains at least 40
million lines of code
• That’s 1 million bugs in
Windows XP !

https://newrepublic.com/article/1151
45/us-cybersecurity-why-software-so-
insecure

1044
Why Is Software Insecure ?
• Monoculture: Dan Geer: “The security situation is deteriorating, and that deterioration compounds when nearly all computers in the hands of end users rely on a single operating system subject to the same vulnerabilities the world over.”
https://newrepublic.com/article/115145/us-cybersecurity-why-software-so-insecure

END
1045
Why Is A VM Program Required ?

Module 120

• What is a patch?
  – “A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs”
https://en.wikipedia.org/wiki/Patch_(computing)
1046
Why Is A VM Program Required ?

• What is patch
management ?
– Patch management is
an area of systems
management that
involves acquiring,
testing, and installing
multiple patches
(code changes) to an
administered
computer system.
http://searchenterprisedesktop.techtarget.
com/definition/patch-management
1047
Why Is A VM Program Required ?

• Patch management tasks:
  – Maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, ensuring that patches are installed properly, testing systems after installation, and documenting all associated procedures, such as specific configs required.

http://searchenterprisedesktop.techtarget.com/definition/patch-management
1049
Why Is A VM Program Required ?

Risk of not patching:
• By not applying a patch you might be leaving the door open for a malware attack
• Malware exploits flaws in a system in order to do its work. In addition, the timeframe between an exploit and when a patch is released is getting shorter
1050
Why Is A VM Program Required ?

Risk of not patching…:
• Defects in clients like web browsers, email programs, image viewers, instant messaging software, and media players may allow malicious websites, etc. to infect or compromise your computer with no action on your part other than viewing or listening to the website, message, or media
https://ist.mit.edu/security/patches

1052
Why Is A VM Program Required ?

A VM program addresses
timely management of
patching to ensure that
vulnerabilities are not
present for hackers to
exploit…

END

1053
What Is CVE & Vulnerability Database ?

Module 121

• What is CVE?
  – CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."
https://cve.mitre.org/about/faqs.html#cve_identifier_descriptions_created

1055
What Is CVE & Vulnerability Database ?

SNAPSHOT OF US-CERT VULNERABILITY BULLETINS

1056
What Is CVE & Vulnerability Database ?

What is NVD ?
• The NVD is the CVE
dictionary augmented
with additional analysis,
a database, and a fine-
grained search engine.
The NVD is a superset of
CVE. The NVD is
synchronized with CVE
such that any updates to
CVE appear immediately
on the NVD.
https://nvd.nist.gov/general/faq
1057
What Is CVE & Vulnerability Database ?

SNAPSHOT OF NATIONAL VULNERABILITY DATABASE - NVD

1058
What Is CVE & Vulnerability Database ?

What is the NVD severity score?
• The NVD uses the Common Vulnerability Scoring System (CVSS) Version 2, which is an open standard for assigning vulnerability impacts that is used by a variety of organizations
• NISTIR 7946 - CVSS Implementation Guidance describes methodologies developed by the NVD for using CVSS, and along with Appendix B describes the NVD’s entire vulnerability assessment process.
https://nvd.nist.gov/general/faq
1060
What Is CVE & Vulnerability Database ?

SNAPSHOT OF CVE-2017-10788

https://nvd.nist.gov/vuln/detail/CVE-2017-10788#vulnDescriptionTitle

1061
What Is CVE & Vulnerability Database ?

https://nvd.nist.gov/vuln/detail/CVE-2017-10788#vulnDescriptionTitle
1062
What Is CVE & Vulnerability Database ?

https://nvd.nist.gov/vuln/detail/CVE-2017-10788#vulnDescriptionTitle

1063
What Is CVE & Vulnerability Database ?

• Note that all the major vendors publish their security vulnerabilities online
  – Microsoft
  – Oracle
  – Cisco
  – Etc.

END

1064
What Is An Exploit ?

Module 122

• What is an exploit?
  – Program or some code that takes advantage of a security hole (i.e. a vulnerability) in an application or system, so that an attacker can use it for their benefit.
https://www.welivesecurity.com/2015/02/27/exploits-work/

1065
What Is An Exploit ?

• Remote exploit:
– A remote exploit
works over a network
and exploits the
security vulnerability
without any prior
access to the
vulnerable system.
https://en.wikipedia.org/wiki/Exploit_
(computer_security)

1066
What Is An Exploit ?

• Local exploit:
– A local exploit
requires prior access
to the vulnerable
system and usually
increases the
privileges of the
person running the
exploit past those
granted by the
system administrator.
https://en.wikipedia.org/wiki/Exploit_
(computer_security)
1067
What Is An Exploit ?

• Exploit database:
  – The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database.
https://www.exploit-db.com/about/
1069
What Is An Exploit ?

• Exploit database:
– The Exploit Database
is a repository
for exploits and proof-
of-concepts rather
than advisories,
making it a valuable
resource for those
who need actionable
data right away.
https://www.exploit-db.com/about/

1070
What Is An Exploit ?

1071
What Is An Exploit ?

SNAPSHOT OF EXPLOIT CODE

1072
What Is An Exploit ?

• Zero-day exploit:
  – A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it; this exploit is called a zero day attack.

http://www.pctools.com/security-news/zero-day-vulnerability/

END

1074
Effective Vulnerability Management: Stage 2

Module 123

• Another look at the security transformation model…

1075
Effective Vulnerability Management: Stage 2

4-LAYER SECURITY TRANSFORMATION MODEL (top layer to bottom layer)
4. Security Governance
3. Security Engineering
2. Vulnerability Management
1. Security Hardening

1076
Effective Vulnerability Management: Stage 2

• Stage 1: Security
hardening
– Taking stock of your
assets
– Prioritizing the assets
– Establishing an MSB
– Implement security
controls with
CIS/DISA/Other
benchmarks
– Basic/broader
security hardening
1077
Effective Vulnerability Management: Stage 2

• Note that Stage 1 (Hardening) and Stage 2 (Patching) are shown sequentially to show priority
• In practical terms, the two efforts may be done slightly staggered depending upon resources available
• Establish one program and then the other…
1078
Effective Vulnerability Management: Stage 2

• Stage 1 (Hardening) is
equivalent to tightening
all the screws on
machinery and will
reduce impact of an
attack (like a shield)
• Stage 2 (Patching) will
seal all the entry points
for an attacker to gain
access or to penetrate a
system

1079
Effective Vulnerability Management: Stage 2

• Note that both Stage 1 and Stage 2 are equally important and necessary, and assist in enhancing the security posture in their unique manner

END

1080
Security Breach Case Study 1: Home Depot 2014

Week 08
Module 124

• 56 million payment cards compromised
• Early September 2014

1081
Security Breach Case Study 1: Home Depot 2014

• Sequence of events:
– The attackers were
able to gain access to
one of Home Depot’s
vendor environments
by using a third-party
vendor’s logon
credentials

1082
Security Breach Case Study 1: Home Depot 2014

• Sequence of events:
– Then they exploited a
zero-day vulnerability
in Windows, which
allowed them to
pivot from the
vendor-specific
environment to the
Home Depot
corporate
environment.

1083
Security Breach Case Study 1: Home Depot 2014

• Sequence of events:
  – Once they were in the Home Depot network, they were able to install memory-scraping malware on over 7,500 self-checkout POS terminals (Smith, 2014).

1084
Security Breach Case Study 1: Home Depot 2014

• Sequence of events:
– This malware was
able to grab 56
million credit and
debit cards. The
malware was also
able to capture 53
million email
addresses (Winter,
2014).

1085
Security Breach Case Study 1: Home Depot 2014

• Sequence of events:
  – The stolen payment cards were put up for sale and bought by carders. The stolen email addresses were helpful in putting together large phishing campaigns.
https://www.sans.org/reading-room/whitepapers/breaches/case-study-home-depot-data-breach-36367

1086
Security Breach Case Study 1: Home Depot 2014

• Home Depot didn’t have secure configuration of the software or hardware on the POS terminals.
• There was no proof of regularly scheduled vulnerability scanning of the POS environment.

https://www.sans.org/reading-room/whitepapers/breaches/case-study-home-depot-data-breach-36367

1087
Security Breach Case Study 1: Home Depot 2014

• They didn’t have proper network segregation between the Home Depot corporate network and the POS network.

https://www.sans.org/reading-room/whitepapers/breaches/case-study-home-depot-data-breach-36367

1088
Security Breach Case Study 1: Home Depot 2014

• Overall: several controls were missing, vendor management of IDs and access management was missing, and monitoring of the network was missing

END

1089
Security Breach Case Study 2: Anthem

Module 125

• Health Insurer Anthem
• Affected 78.8 million individuals
http://www.bankinfosecurity.com/new-in-depth-analysis-anthem-breach-a-9627

1090
Security Breach Case Study 2: Anthem

• Sequence of events:
– Data breach began
on Feb. 18, 2014,
when a user within
one of Anthem's
subsidiaries opened a
phishing email
containing malicious
content

http://www.bankinfosecurity.com/new-
in-depth-analysis-anthem-breach-a-9627

1091
Security Breach Case Study 2: Anthem

• Sequence of events:
  – Opening the email launched the download of malicious files to the user's computer and allowed hackers to gain remote access to that computer and dozens of other systems within the Anthem enterprise, including Anthem's data warehouse

http://www.bankinfosecurity.com/new-in-depth-analysis-anthem-breach-a-9627

1093
Security Breach Case Study 2: Anthem

• Sequence of events:
  – Starting with the initial remote access, the attacker was able to move laterally across Anthem systems and escalate privileges, gaining increasingly greater ability to access information and make changes in the environment
1094
Security Breach Case Study 2: Anthem

• Sequence of events:
– The attacker utilized
at least 50 accounts
and compromised at
least 90 systems
within the Anthem
enterprise
environment
including, eventually,
the company's
enterprise data
warehouse -
1095
Security Breach Case Study 2: Anthem

• Sequence of events:
– a system that stores a
large amount of
consumer personally
identifiable
information
– Queries to that data
warehouse resulted
in access to an
exfiltration of
approximately 78.8 m
unique user records
1096
Security Breach Case Study 2: Anthem

• Vulnerabilities:
  – Exploitable vulnerabilities were found in the Anthem network
  – User security awareness training conducted to prevent phishing and social engineering
http://www.bankinfosecurity.com/new-
in-depth-analysis-anthem-breach-a-9627

1097
Security Breach Case Study 2: Anthem

• Remediation measures:
  – Implemented two-factor authentication on all remote access tools, deployed a privileged account management solution and added enhanced logging resources to its security event and incident management solutions
  – Further, the company conducted a complete reset of passwords for all privileged users, suspended all remote access pending implementation of two-factor authentication and created new Network Admin IDs

END
1099
Best Practices For Applying Security Patches

Module 126

• "The risk of implementing the service pack, hotfix and security patch should ALWAYS be LESS than the risk of not implementing it."

https://msdn.microsoft.com/en-us/library/cc750077.aspx

1100
Best Practices For Applying Security Patches

• “You should never be worse off by implementing a service pack, hotfix and security patch. If you are unsure, then take steps to ensure that there is no doubt when moving them to production systems.”
https://msdn.microsoft.com/en-us/library/cc750077.aspx

1101
Best Practices For Applying Security Patches

1. Use a change control process
  – A good change control procedure has an identified owner, a path for customer input, an audit trail for any changes, a clear announcement and review period, testing procedures, and a well-understood back-out plan.
  – Change control will manage the process from start to finish

1103
Best Practices For Applying Security Patches

2. Read all related documentation:
  – Before applying any service pack, hotfix or security patch, all relevant documentation should be read and peer reviewed. The peer review process is critical as it mitigates the risk of a single person missing critical and relevant points when evaluating the update

1105
Best Practices For Applying Security Patches

2. Read all related documentation:
• Ensure the update is relevant, and will resolve an existing issue
• Ensure adoption won't cause other issues resulting in a compromise of the production system

1106
Best Practices For Applying Security Patches

2. Read all related documentation:
• Identify any dependencies relating to the update (i.e. certain features being enabled or disabled for the update to be effective)

1107
Best Practices For Applying Security Patches

2. Read all related documentation:
• Identify potential issues arising from the sequencing of the update, as specific instructions may state or recommend a sequence of events or updates to occur before the service pack, hotfix or security patch is applied

1108
Best Practices For Applying Security Patches

3. Apply updates on a
need-only basis
4. Testing
5. Plan to uninstall
6. Working backup and
production downtime
7. Always have roll-back
plan
8. Don’t get more than 2
service packs behind
https://msdn.microsoft.com/en-
us/library/cc750077.aspx
1109
Who Conducts Vulnerability Management

Module 127

• A number of teams and resources may be involved in the VM lifecycle

1110
Who Conducts Vulnerability Management

SN  ACTIVITY                TEAM         SUPPORTED BY
1   ANALYZE ASSETS          INFOSEC      IT OPS TEAM
2   PREPARE SCANNER         INFOSEC      -
3   RUN VULNERABILITY SCAN  INFOSEC      -
4   ASSESS RESULTS          INFOSEC      IT OPS TEAM
5   TEST & PATCH SYSTEMS    IT OPS TEAM  INFOSEC
6   VERIFY (RE-SCAN)        INFOSEC      IT OPS TEAM
7   REPORT FINDINGS         INFOSEC      IT STEERING COMMITTEE
1111
Who Conducts Vulnerability Management

• Role of Infosec team:
  – Takes the primary ownership of the vulnerability management process
  – Runs scanning after coordinating with the relevant IT Ops team
  – Shares scanning reports with IT teams and management

1112
Who Conducts Vulnerability Management

• …Role of Infosec team:
  – Tracks remediation timelines
  – Understands criticality issues and helps to prioritize
  – Studies the security patch details as a backup resource
  – Assists with change management process

1113
Who Conducts Vulnerability Management

• Role of IT Ops team:


– Owner of the IT asset
– Receives the
vulnerability scan
report from Infosec
team
– Studies the
vulnerability
– Understands
criticality, impact, &
dependencies

1114
Who Conducts Vulnerability Management

• Role of IT Ops team:


– Helps Infosec team
develop a project
plan (if required) and
timelines for the
patching
– Tests the patches in
test environment
– Takes backups,
develops roll-back
plan

1115
Who Conducts Vulnerability Management

• Role of IT Ops team:


– Takes downtime and
takes ownership of
the change
management process
– Implements the
patches
– Monitors the systems
after patch
implementation
– Rolls-back if
necessary
1116
Who Conducts Vulnerability Management

• Role of IT Ops team:


– Creates the necessary
documentation

END

1117
Nessus Features

Module 128
• Let's take a look at Nessus features

• Nessus (Reports):
– Customize reports to sort by vulnerability or host
– Create an executive summary or compare scan results
– Targeted email notifications of scan results

• Nessus (Scan Types):
– Asset discovery
– Un-credentialed vulnerability discovery
– Credentialed scanning for system hardening & missing patches

• Nessus (Compliance & Config Scans):
– Compliance auditing: FFIEC, FISMA, CyberScope, GLBA, HIPAA/HITECH, NERC, PCI, SCAP, SOX
– Configuration auditing: CERT, CIS, COBIT/ITIL, DISA STIGs, FDCC, ISO, NIST, NSA

• Nessus (Risk scores):
– Vulnerability ranking based on CVE, five severity levels (Critical, High, Medium, Low, Info), customizable severity levels for recasting of risk

[Three screenshot slides, no text]

• Nessus is a cost-effective scanner that gets most of the job done for vulnerability scanning
• It has CIS and DISA compliance templates
• Has some flaws and bugs but is overall a useful tool
Qualys Features

Module 129
• Let's take a look at Qualys features

• Qualys:
– Cloud-based service
– On-premise device
– Complete suite
– Scalable and immediate deployment
– Asset discovery; find and organize hosts
– Prioritize & manage remediation tickets
– Continuous monitoring service
– Policy compliance scanning
– Qualys Secure Seal for websites

[Five screenshot slides, no text]

• Qualys:
– Website scanning
– Compliance
– Annual subscription service model

• Qualys is a convenient and scalable VM tool that comes with several modules
• Subscription-based pricing model, which can be expensive
• Several advantages due to the cloud-based service
Nessus Demo - 1

Module 130
• Let's take a look at a Nessus demo
• https://www.tenable.com/products/nessus/nessus-professional/evaluate
• Download the free 7 day trial
• Get the activation key from the website

Screenshots shown in the demo:
– LOGIN SCREEN
– DASHBOARD
– NEW SCAN
– WANNACRY RANSOMWARE SCAN
– NEW SCAN WINDOW
– DASHBOARD VIEW WITH SCANS
– NEW SCAN…
– ENTER SCAN DETAILS
– CREDENTIAL SCAN
– COMPLIANCE SCAN
– WINDOWS COMPLIANCE MENU (CIS)
– WINDOWS COMPLIANCE MENU (CIS)…
Nessus Demo - 2

Module 131
• Let's take a look at a Nessus demo
• https://www.tenable.com/products/nessus/nessus-professional/evaluate
• Download the free 7 day trial
• Get the activation key from the website

Screenshots shown in the demo:
– ADVANCED SCAN / COMPLIANCE
– ADVANCED SCAN / PLUG-INS
– SCAN…IN PROGRESS
– SCAN REPORT [43 INFO]
– SCAN REPORT [DETAILS]
– SCAN REPORT [DETAILS…]
– WEB APPLICATION TEST
– WEB APPLICATION TEST - CREDENTIALS
– CREDENTIALED PATCH AUDIT
– SCANS DASHBOARD
– CREDENTIALED AUDIT SCAN RESULTS [61 INFO]
– CREDENTIALED AUDIT SCAN RESULTS [DETAILS]
Nessus Demo - 3

Module 132
• Let's take a look at a Nessus demo
• https://www.tenable.com/products/nessus/nessus-professional/evaluate
• Download the free 7 day trial
• Get the activation key from the website

Screenshots shown in the demo:
– SYSTEM MALWARE SCAN
– SCAN DASHBOARD
– SYSTEM MALWARE SCAN [2 INFO]

• Nessus is an easy to use and powerful scanner
• Dozens of scans on the dashboard
• Set up a new scan
• Set up a profile as a scan template
• Credentialed scan
• Thousands of plugins from CIS/DISA etc
END
Qualys Demo - 1

Module 133
• Let's take a look at a Qualys demo
• Free Qualys tools:
– BrowserCheck
– SSL
• Qualys FreeScan
– Vulnerability
– OWASP
– Patch Tuesday
– SCAP

Screenshots shown in the demo:
– QUALYS BROWSER CHECK
– SSL LABS REPORT
– PROTOCOL DETAILS
– QUALYS FREESCAN
– OWASP SCAN PATCH REPORT
– THREAT REPORT

• Qualys is a powerful cloud-based vulnerability management tool
• Several online free tools
• Advanced web application security testing
END
QUALYS DEMO - PART 2

Module 134
• Let's have a look at the Qualys features

Screenshots shown in the demo:
– QUALYS 14 APPLICATIONS
– VULNERABILITY MANAGEMENT DASHBOARD
– LAUNCH VULNERABILITY SCAN
– SCAN INITIATED
– VULNERABILITY MANAGEMENT DASHBOARD
– SCAN TUTORIALS
– WANNACRY & SHADOW BROKERS SCAN
QUALYS DEMO - PART 3

Module 135
• Let's have a look at some further features of Qualys:
• Qualys Continuous Monitoring

Screenshots shown in the demo:
– QUALYS CONTINUOUS MONITORING INTERFACE
– RULESET BUILDER
– RULETYPES & CONFIGURATION
– RULESETS INTERFACE
– PROFILE CREATION
– CHOOSE RULESET
– NOTIFICATIONS
– MONITORING PROFILE ACTIVE

• Qualys Continuous Monitoring is very useful for watching critical changes that may impact security

END
How Do VM Scanners Work ?

Module 136
• Let's take a look at the Qualys scanning technique:
https://community.qualys.com/docs/DOC-1068

• The QualysGuard scanning methodology mainly focuses on the different steps that an attacker might follow in order to perform an attack.
• It tries to use exactly the same discovery and information gathering techniques that will be used by an attacker.

1. Checking if the remote host is alive
– The first step is to check if the host to be scanned is up and running, in order to avoid wasting time on scanning a dead or unreachable host
– This detection is done by probing some well-known TCP and UDP ports. If the scanner receives at least one reply from the remote host, it continues the scan

2. Firewall detection
The second test is to check if the host is behind any firewalling/filtering device. This test enables the scanner to gather more information about the network infrastructure and will help during the scan of TCP and UDP ports.

3. TCP / UDP Port scanning
The third step is to detect all open TCP and UDP ports to determine which services are running on this host. The number of ports is configurable, but the default scan is approximately 1900 TCP ports and 180 UDP ports.

4. OS Detection
Once the TCP port scanning has been performed, the scanner tries to identify the operating system running on the host. This detection is based on sending specific TCP packets to open and closed ports.

5. TCP / UDP Service Discovery
Once TCP/UDP ports have been found open, the scanner tries to identify which service runs on each open port by using active discovery tests.

6. Vulnerability assessment based on the services detected
Once the scanner has identified the specific services running on each open TCP and UDP port, it performs the actual vulnerability assessment. The scanner first tries to check the version of the service in order to detect only vulnerabilities applicable to this specific service version. Every vulnerability detection is non-intrusive, meaning that the scanner never exploits a vulnerability if it could negatively affect the host in any way.

• Limitations:
– Vulnerability scanners work in the same manner as antivirus programs do, by using databases that store descriptions of different types of vulnerabilities
– False positive or false negative rate
http://www.spamlaws.com/how-vulnerability-scanning-works.html
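The version-matching stage of step 6, with the false-positive limitation noted above, as an added example written for this handout (it is not Qualys or Nessus code). The detected services, the check identifiers and the affected-version ranges are all constructed.

```python
"""Version-matching stage of a vulnerability scanner (step 6 above).

Added example, not Qualys or Nessus code. The scanner has already found the
open ports and identified each service (steps 3 and 5); this stage selects
only the checks whose affected-version range covers the detected version, so
nothing is exploited on the host. Banner-derived versions can miss backported
fixes, one source of the false positives the Limitations slide mentions, so
such matches are flagged for credentialed confirmation.
All hosts, versions and check identifiers below are constructed.
"""
import re

# Constructed result of port scanning and service discovery.
DETECTED_SERVICES = [
    {"host": "10.0.2.10", "port": 22, "proto": "tcp", "service": "openssh",
     "version": "7.4p1", "banner_only": True},
    {"host": "10.0.2.10", "port": 443, "proto": "tcp", "service": "nginx",
     "version": "1.18.0", "banner_only": False},
    {"host": "10.0.2.11", "port": 21, "proto": "tcp", "service": "vsftpd",
     "version": "3.0.3", "banner_only": True},
    {"host": "10.0.2.11", "port": 161, "proto": "udp", "service": "snmp",
     "version": "v2c", "banner_only": False},
]

# Constructed knowledge base. "fixed" is the first version that is not
# affected; None on either side means unbounded (e.g. a weak protocol).
CHECKS = [
    {"id": "CHK-0001", "service": "openssh", "introduced": "6.0", "fixed": "7.5", "severity": "High"},
    {"id": "CHK-0002", "service": "openssh", "introduced": "8.0", "fixed": "8.2", "severity": "Medium"},
    {"id": "CHK-0003", "service": "nginx", "introduced": "1.0.0", "fixed": "1.19.0", "severity": "Medium"},
    {"id": "CHK-0004", "service": "snmp", "introduced": None, "fixed": None, "severity": "Low"},
]


def version_key(version):
    """Comparable tuple for versions such as '1.18.0', '7.4p1' or 'v2c'.

    Only the leading digits of each dot/dash separated part are used, so a
    patch suffix such as 'p1' sorts as its numeric prefix; a real scanner
    carries vendor-specific rules for those suffixes.
    """
    parts = []
    for part in re.split(r"[.\-]", version.lstrip("v")):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed (None = no bound on that side)."""
    v = version_key(version)
    if introduced is not None and v < version_key(introduced):
        return False
    if fixed is not None and v >= version_key(fixed):
        return False
    return True


def assess(services, checks):
    """Apply only the checks relevant to each detected service version."""
    findings = []
    for svc in services:
        for chk in checks:
            if chk["service"] != svc["service"]:
                continue
            if not version_in_range(svc["version"], chk["introduced"], chk["fixed"]):
                continue
            findings.append({
                "host": svc["host"],
                "port": "%d/%s" % (svc["port"], svc["proto"]),
                "check": chk["id"],
                "severity": chk["severity"],
                # A banner alone cannot show a distribution backport of the fix.
                "confidence": "needs verification" if svc["banner_only"] else "confirmed",
            })
    return findings


if __name__ == "__main__":
    for finding in assess(DETECTED_SERVICES, CHECKS):
        print("%(host)s %(port)s %(check)s %(severity)s (%(confidence)s)" % finding)
```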
QUALYS WEB APPLICATION SCANNING

Module 137
• Let's have a look at Qualys Web Application Scanning

Screenshots shown in the demo:
– DASHBOARD
– CREATION – BLANK OR EXISTING ASSET
– ASSET DETAILS
– CRAWL SCOPE
– SCAN SETTINGS
– MALWARE MONITORING
QUALYS ADDITIONAL FEATURES

Module 138
• Let's have a look at Qualys additional features

Screenshots shown in the demo:
– QUALYS THREAT PROTECTION
– QUALYS VULNERABILITY DESCRIPTION
– FILE INTEGRITY MONITORING
– QUALYS CLOUD AGENT
– WEB APPLICATION FIREWALL
– iDefense Intelligence
– SEARCH KNOWLEDGEBASE
– CISCO VULNERABILITIES – PATCH AVAILABLE

• Have a look at the additional features in your Qualys free trial

END
Open Source Vulnerability Scanners

Module 139
• Let's take a look at OpenVAS
• http://www.openvas.org/livedemo.html
• Login and password: livedemo

Screenshots shown in the demo:
– DASHBOARD VIEW
– SCANS DASHBOARD
– ASSETS DASHBOARD
– OS BY VULNERABILITY SCORE
– ASSETS > HOSTS CLASSIC VIEW
– CONFIGURATION > TARGETS
– OPENVAS ARCHITECTURE (approximately 50k network vulnerability tests), http://www.openvas.org/software.html

• OpenVAS is a simple, free (open source) VA scanner
• It has source code documentation, virtual images for download, and mailing lists on its website
END
Suggested Frequency For VM Scanning

Module 140
• Pre-requisites:
– Information security team
– Vulnerability management policy
– In-house scanner or OpenVAS tool
– Trained staff

• At the start:
– Organizations scanning once a year or not at all
– Vulnerabilities identified by internal scanning or external VA report
– Not remediated
– Lack of discipline and management support

• As organizations get more mature in scanning discipline:
– Quarterly scan
– Quarterly remediation by IT teams
– Quarterly report to IT Steering Committee

• Mature organizations:
– Monthly scan
– Monthly remediation
– Quarterly or bi-annual external VA/PT
– Monthly reports to IT Steering Committee

• Most mature organizations:
– Fortnightly scan
– Fortnightly remediation
– Monthly reporting
VM Challenges & Pitfalls

Module 141
• Challenges:
– Internal expertise on VM tool
– Not enough support from IT teams
– Vulnerability patching causing application failure
– Management support

• Internal expertise on VM tool:
– Not too much expertise required
– Create a testbed
– Monitor the traffic pattern
– Train staff if possible
– Patch small portions of the network first

• Not enough support from IT teams:
– Create reports and share them among IT management
– Highlight the risks to, and educate, IT management and the board
– Create departmental competition and relationship-building

• Patching causing application failure:
– In the test environment, create a workaround or compensating controls
– Test the compensating controls
– Document the compensating controls

• Not enough management support:
– Share reports with management highlighting recent incidents
– Share industry-specific or geographically relevant breach reports
– Create awareness
IT Asset Management Challenges

Module 142
• The typical enterprise has hundreds or thousands of IT assets in a fast-paced business environment
• It is a tough challenge to keep all IT assets tracked and updated with all the right software patches and updates

• Challenges:
– Asset discovery & tracking
– Antivirus status
– Windows & OS updates
– Patch management
– Change management

• Asset discovery & tracking:
– New assets added & old assets removed
– Temporary or replacement machines
– Travelling staff
– Test beds
– Vendor environments

• Antivirus status:
– Working and updated antivirus is critical to a securely managed network
– Geographically dispersed network
– Some stations not responding or updating

• Windows & OS updates:
– Windows, Linux, Unix, AIX and database systems
– Vendor patches from multiple sources
– Testing the patches
– Acquiring downtime windows
– Monitoring the performance

• Patch management:
– Scanning for vulnerabilities
– Passing on reports to IT teams
– Tracking the remediation
– Re-scanning for verification
– Reporting to management

• Change management:
– Change management is inherent to all change processes
– Change management requires reviews and approvals
– Configuration management database or repository
END
ASSET MANAGEMENT THROUGH QUALYS

Week 09
Module 143
• Let's have a look at Qualys asset management capabilities

Screenshots shown in the demo:
– QUALYS ASSET OVERVIEW DASHBOARD
– ASSETS LIST
– ADD NEW ASSET WIDGET TO DASHBOARD
– CREATE A NEW DASHBOARD
– NEW DASHBOARD CREATED
– ASSETS WITH EXPLOITS AVAILABLE

• Qualys allows various reporting and views on assets and their characteristics

END
ASSET MANAGEMENT TOOLS FOR SECURITY FUNCTIONS

Module 144
• Asset management helps with the following security functions:
1. Patch management
2. Software whitelisting
3. Software assets discovery and management
4. Enterprise tracking and reporting

• Gartner refers to this area as Unified endpoint management (UEM):

[Figure: GARTNER MAGIC QUADRANT FOR UNIFIED ENDPOINT MANAGEMENT 2018]

• Unified endpoint management (UEM) tools combine the management of multiple endpoint types in a single console. UEM tools perform the following functions (GARTNER UEM 2018 REPORT):
1. Configure, manage and monitor iOS, Android, Windows 10 and macOS, and manage some Internet of Things (IoT) and wearable endpoints.
2. Unify the application of configurations, management profiles, device compliance and data protection.
3. Provide a single view of multidevice users, enhancing efficacy of end-user support and gathering detailed workplace analytics.
4. Act as a coordination point to orchestrate the activities of related endpoint technologies such as identity services and security infrastructure.

[Screenshot: IBM BigFix] https://www.ibm.com/security/endpoint-security/bigfix

MICROSOFT SOFTWARE RESTRICTION POLICIES (SRP) FOR WHITELISTING
• Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run.
• Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.
• You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. Software restriction policies are integrated with Microsoft Active Directory and Group Policy.
• You can also create software restriction policies on stand-alone computers. Software restriction policies are trust policies, which are regulations set by an administrator to restrict scripts and other code that is not fully trusted from running.
https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
END
WHAT IS SECURITY ENGINEERING ?

Module 145
• Security Engineering is the third layer of the Security Transformation Model
• Consists of more in-depth and complicated security activities which take more time and effort
• Many times related to security architecture

SECURITY TRANSFORMATION MODEL (layers, bottom to top):
1. Security Hardening
2. Vulnerability Management
3. Security Engineering
4. Security Governance

• Types of activities for security engineering:
– FW granular access lists
– Building an effective DMZ architecture
– Segregating the network with VLANs
– Adding a security tool such as SIEM, FW, DLP, NAC, etc
– App-DB encryption

• DMZ Architecture Case Study:
– DMZ is an important zone in the overall security architecture
– Devices which need to communicate with the outside world are placed in the DMZ
– Web servers, email gateways, web gateways

[DMZ architecture diagram, no text]

• FW Access List Case Study:
– Most of the industry has not worked on building granular access lists
– Most FWs have “allow all” for traffic
– Granular access lists need to be built based on servers, or traffic flows

• Why at Layer 3 of the Security Transformation Model ?
– Low hanging fruit first
– Teams tend to get bogged down with advanced security tasks
– These take time, effort, and often budget approval
END
WHAT IS THE OBJECTIVE OF SECURITY ENGINEERING ?

Module 146
• Security architecture as per best-practices
• The right security devices in the right places
• Effective security configuration of security devices (features)
• Optimum operation of security devices
• Aggregate controls

SECURITY ENGINEERING STRUCTURE (layers, bottom to top):
– Architecture
– Features & Config
– Operation

• Examples:
– FW first and then IPS
– Edge FW, data center FW
– Malware protection at the network edge
– VPN termination on remote access VPN device
– VPN tunnels for extranet connectivity

[Diagram slide, no text]

• The right time for setting up security engineering is when a new network is being designed & implemented
• Fixing a poorly architected operational network is an arduous task
END
WHOSE RESPONSIBILITY IS SECURITY ENGINEERING ?

Module 147
• Security Engineering can best be accomplished with effective team work

TYPICAL STRUCTURE OF AN INFORMATION SECURITY TEAM (org chart):
– Head Of Information Security
– Program Manager
– Security Governance, Security Operations, Security Engineering, ISO27001 (ISMS) Implementation

ACTIVITY                         TEAM
SECURITY REQUIREMENTS            INFORMATION SECURITY WITH IT CONSULTATION
SECURITY DESIGN                  NETWORK/IT SECURITY ASSISTED BY VENDOR
VALIDATING SECURITY DESIGN       INFORMATION SECURITY
SECURITY IMPLEMENTATION          NETWORK/IT SECURITY ASSISTED BY VENDOR
VALIDATING SECURITY REQMTS MET   INFORMATION SECURITY TEAM

• As Security Engineering involves in-depth knowledge of IT & Security, the necessary resources, knowledge, skills, and people need to be pooled to achieve the objectives effectively

END
CIS 20 CRITICAL SECURITY CONTROLS

Module 148
• What are the CIS 20 Critical Security Controls ?
https://www.cisecurity.org/controls/
https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf

• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols, and Services
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on the Need to Know
• CSC 15: Wireless Access Control
• CSC 16: Account Monitoring and Control
• CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC 18: Application Software Security
• CSC 19: Incident Response and Management
• CSC 20: Penetration Tests and Red Team Exercises

END
CSC1: Inventory Of Authorized & Unauthorized Devices

Module 149
• 1.1: Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
• 1.2: If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.
• 1.3: Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.
• 1.4: Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device.
• The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc.
• The asset inventory created must also include data on whether the device is a portable and/or personal device.
• Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network.
• 1.5: Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
• 1.6: Use client certificates to validate and authenticate systems prior to connecting to the private network.

END
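Control 1.2 in practice, as an added example written for this handout (not CIS or vendor code): DHCP server log lines, constructed here in the style of ISC dhcpd syslog messages, are compared against a constructed inventory keyed by MAC address that carries the 1.4 fields, to surface devices the inventory does not know about.

```python
"""Turn DHCP server logs into inventory findings, as CSC 1.2 asks.

Added example, not part of the handout and not any vendor's tool. The log
lines are constructed in the style of ISC dhcpd syslog messages, and the
inventory is a constructed table keyed by MAC address carrying the CSC 1.4
fields (name, owner, department, purpose).
"""
import re

# Constructed DHCP server log (one morning on a server named dhcp1).
SAMPLE_LOG = """\
Mar 12 08:01:02 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (ws-finance-07) via eth0
Mar 12 08:01:09 dhcp1 dhcpd: DHCPACK on 10.0.1.24 to aa:bb:cc:dd:ee:02 (printer-2f) via eth0
Mar 12 08:02:15 dhcp1 dhcpd: DHCPDISCOVER from 02:42:ac:11:00:05 via eth0
Mar 12 08:02:16 dhcp1 dhcpd: DHCPOFFER on 10.0.1.50 to 02:42:ac:11:00:05 (android-9f3) via eth0
Mar 12 08:02:17 dhcp1 dhcpd: DHCPACK on 10.0.1.50 to 02:42:ac:11:00:05 (android-9f3) via eth0
Mar 12 08:05:40 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (ws-finance-07) via eth0
Mar 12 09:15:00 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to 00:50:56:ab:cd:ef via eth0
"""

# Constructed asset inventory with the CSC 1.4 fields, keyed by MAC address.
INVENTORY = {
    "aa:bb:cc:dd:ee:01": {"name": "ws-finance-07", "owner": "J. Doe",
                          "dept": "Finance", "purpose": "workstation"},
    "aa:bb:cc:dd:ee:02": {"name": "printer-2f", "owner": "Facilities",
                          "dept": "Admin", "purpose": "printer"},
}

# Only DHCPACK proves a lease was granted; DISCOVER/OFFER/NAK are ignored.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_acks(log_text):
    """Yield (timestamp, ip, mac, hostname, interface) for every DHCPACK line."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        timestamp = line[:15]  # syslog prefix, e.g. "Mar 12 08:01:02"
        yield (timestamp, m.group("ip"), m.group("mac").lower(),
               m.group("host") or "", m.group("iface"))


def find_unknown_devices(log_text, inventory):
    """Leased MAC addresses that are not in the inventory, in first-seen order.

    Each value records when the device first appeared, which interface it
    came in on, the addresses it was given and how many leases it obtained,
    which is what an asset owner needs to locate and classify the device.
    """
    unknown = {}
    for timestamp, ip, mac, host, iface in parse_acks(log_text):
        if mac in inventory:
            continue
        entry = unknown.setdefault(mac, {"first_seen": timestamp, "hostname": host,
                                         "iface": iface, "ips": [], "leases": 0})
        entry["leases"] += 1
        if ip not in entry["ips"]:
            entry["ips"].append(ip)
    return unknown


def inventory_without_leases(log_text, inventory):
    """Inventoried devices that never obtained a lease: statically addressed,
    powered off, or stale inventory entries worth confirming."""
    seen = {mac for _, _, mac, _, _ in parse_acks(log_text)}
    return sorted(set(inventory) - seen)


if __name__ == "__main__":
    for mac, info in find_unknown_devices(SAMPLE_LOG, INVENTORY).items():
        print("unknown device %s first seen %s on %s as %r, addresses %s"
              % (mac, info["first_seen"], info["iface"], info["hostname"], info["ips"]))
```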
CSC2: Inventory Of Authorized & Unauthorized Software

Module 150
• 2.1: Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
• 2.2: Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
• 2.3: Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
• 2.4: Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment.

END
CSC3-I: Secure Configurations For HW & SW

Module 151
https://www.cisecurity.org/controls/

• 3.1: Establish standard secure configurations of your operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.
• 3.2: Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the organization’s change management processes. Images should be created for workstations, servers, and other system types used by the organization.
• 3.3: Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network.
• 3.4: Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC.
END
CSC3-II: Secure Configurations For HW & SW

Module 152
https://www.cisecurity.org/controls/

• 3.5: Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).
CSC3-II: Secure Configurations For HW & SW

• 3.6: Implement and test


an automated
configuration
monitoring system that
verifies all remotely
testable secure
configuration elements,
and alerts when
unauthorized changes
occur.

1339
CSC3-II: Secure Configurations For HW & SW

• 3.6…: This includes


detecting new listening
ports, new
administrative users,
changes to group and
local policy objects
(where applicable), and
new services running on
a system.

1340
CSC3-II: Secure Configurations For HW & SW

• 3.6…: Whenever
possible use tools
compliant with the
Security Content
Automation Protocol
(SCAP) in order to
streamline reporting
and integration.

1341
CSC3-II: Secure Configurations For HW & SW

• 3.7: Deploy system


configuration
management tools,
such as Active Directory
Group Policy Objects for
Microsoft Windows
systems or Puppet for
UNIX systems that will
automatically enforce
and redeploy
configuration settings
to systems at regularly
scheduled intervals. 1342
CSC3-II: Secure Configurations For HW & SW

• 3.7…: They should be


capable of triggering
redeployment of
configuration settings
on a scheduled, manual,
or event-driven basis.

END

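As an added example (not part of these handouts or the CIS document), a small Python integrity checker that does what 3.5 describes: it baselines a directory's files by content hash, permissions and owner, then reports modified content, permission or owner changes, missing files, and extra files introduced into the area. The directory and its files are constructed in a temporary folder; a real deployment would persist the baseline off-host and cover the actual system paths.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the attributes 3.5 says to watch: content hash, mode, owner."""
    st = path.lstat()
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[str(path.relative_to(root))] = fingerprint(path)
    return baseline


def check_integrity(root: Path, baseline: dict) -> list:
    """Compare the tree under root with a stored baseline.

    Returns sorted (relative_path, finding) tuples covering the alterations
    3.5 lists: modified content, owner or permission changes, extra files in
    a key area, and files that have gone missing.
    """
    findings = []
    current = build_baseline(root)
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
            continue
        if new["sha256"] != old["sha256"]:
            findings.append((rel, "content modified"))
        if new["mode"] != old["mode"]:
            findings.append((rel, f"permissions changed {old['mode']:o} -> {new['mode']:o}"))
        if (new["uid"], new["gid"]) != (old["uid"], old["gid"]):
            findings.append((rel, "owner changed"))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "extra file in key system area"))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: a temporary directory stands in for a key
    system area; file names and contents are made up for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(root / "sshd_config", 0o600)
        os.chmod(root / "passwd", 0o644)
        baseline = build_baseline(root)

        # Simulated unexpected alterations (an owner change needs root, so it
        # is not simulated here, but the comparison above covers it).
        (root / "sshd_config").write_text("PermitRootLogin yes\n")  # content
        os.chmod(root / "passwd", 0o666)                             # permissions
        (root / "unexpected.bin").write_bytes(b"\x00" * 16)          # extra file
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:40s} {rel}")
```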
CSC4-I: Continuous Vuln. Assessment & Remediation

Module 153

https://www.cisecurity.org/controls/

• 4.1: Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator, along with risk scores that compare the effectiveness of system administrators and departments in reducing risk.
• 4.1…: Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project).
• 4.2: Correlate event logs with information from vulnerability scans to fulfill two goals.
• First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged.
• 4.2…: Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable.
• 4.3: Perform vulnerability scanning in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested.
• 4.3…: Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
• 4.3…: Ensure that only authorized employees have access to the vulnerability management user interface and that roles are applied to each user.
• 4.4: Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization’s vulnerability scanning activities on at least a monthly basis.
• 4.4…: Alternatively, ensure that the vulnerability scanning tools you use are regularly updated with all relevant important security vulnerabilities.
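As an added example of 4.2 (not from the handouts or CIS), Python that meets both goals: checking that each scheduled scan left a trace in the central log from the scanner's address, and checking each IDS alert against earlier scan results for the same host and vulnerability. All hosts, timestamps and vulnerability ids are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample data: private/documentation IP ranges and placeholder
# vulnerability ids, not real findings.
SCANNER_IP = "10.0.9.5"
SCAN_SCHEDULE = ["2024-01-05T02:00:00", "2024-01-12T02:00:00"]

# (scan_started, host, vuln_id, port) as exported from the scanner
SCAN_RESULTS = [
    ("2024-01-05T02:00:00", "10.0.1.15", "CVE-0000-0001", 443),
    ("2024-01-05T02:00:00", "10.0.1.22", "CVE-0000-0002", 22),
    ("2024-01-12T02:00:00", "10.0.1.15", "CVE-0000-0001", 443),
]

# (time, src_ip, dst_ip, message) from the central log system
EVENT_LOG = [
    ("2024-01-05T02:03:11", "10.0.9.5", "10.0.1.15", "probe tcp/443"),
    ("2024-01-12T02:01:40", "10.0.9.5", "10.0.1.22", "probe tcp/22"),
]

# (time, src_ip, dst_ip, vuln_id) attack detection events from the IDS
IDS_ALERTS = [
    ("2024-01-08T14:22:09", "203.0.113.7", "10.0.1.15", "CVE-0000-0001"),
    ("2024-01-08T14:25:31", "203.0.113.7", "10.0.1.22", "CVE-0000-0003"),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def verify_scans_logged(schedule, log, scanner_ip, window_hours=2) -> dict:
    """Goal 1 of 4.2: each scheduled scan must leave a trace in the logs.

    Returns {scheduled_start: True/False}.  A scan counts as logged when at
    least one event from the scanner's address falls inside its window.
    """
    result = {}
    for start in schedule:
        t0 = _ts(start)
        t1 = t0 + timedelta(hours=window_hours)
        result[start] = any(
            src == scanner_ip and t0 <= _ts(t) <= t1 for t, src, _, _ in log
        )
    return result


def correlate_alerts(alerts, scans) -> list:
    """Goal 2 of 4.2: was the exploit used against a target known vulnerable?

    For each IDS alert, look for a scan result recorded *before* the alert
    that reported the same vulnerability on the same host.
    """
    out = []
    for t, src, dst, vuln in alerts:
        prior = [
            s for s in scans
            if s[1] == dst and s[2] == vuln and _ts(s[0]) < _ts(t)
        ]
        if prior:
            status = "known vulnerable (scan %s)" % prior[-1][0]
        else:
            status = "no prior finding"
        out.append({"time": t, "src": src, "dst": dst, "vuln": vuln, "status": status})
    return out


if __name__ == "__main__":
    print(verify_scans_logged(SCAN_SCHEDULE, EVENT_LOG, SCANNER_IP))
    for row in correlate_alerts(IDS_ALERTS, SCAN_RESULTS):
        print(row)
```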
CSC4-II: Continuous Vuln. Assessment & Remediation

Module 154

https://www.cisecurity.org/controls/

• 4.5: Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe.
• 4.5…: Patches should be applied to all systems, even systems that are properly air gapped.
• 4.6: Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans.
• 4.7: Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk.
• 4.7…: Such acceptance of business risks for existing vulnerabilities should be periodically reviewed to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed, increasing the risk.
• 4.8: Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (example, DMZ servers, internal network servers, desktops, laptops).
• 4.8…: Apply patches for the riskiest vulnerabilities first.
• A phased rollout can be used to minimize the impact to the organization.
• Establish expected patching timelines based on the risk rating level.
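An added example (not from the handouts or CIS) covering 4.7 and 4.8 together in Python: two back-to-back scans are compared to separate resolved, still-open, new and accepted-risk findings; accepted risks past their review date are flagged; and the open findings are risk-rated with asset-group weights and mapped to patching deadlines. The weights, thresholds, deadlines and scan data are assumptions made for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    asset_group: str       # 4.8: DMZ servers, internal servers, desktops, laptops
    vuln_id: str           # placeholder ids in the demo data below
    exploitability: float  # 0.0 .. 1.0, e.g. from scanner or exploit intelligence
    impact: float          # 0.0 .. 1.0


# Assumed weights and timelines: 4.8 only says to segment by asset group and
# to set timelines per risk level; the numbers are an organization's choice.
GROUP_WEIGHT = {"dmz": 1.5, "internal": 1.0, "laptop": 0.9, "desktop": 0.8}
LEVEL_THRESHOLDS = [(7.0, "critical"), (4.0, "high"), (2.0, "medium"), (0.0, "low")]
PATCH_DEADLINE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(f: Finding) -> float:
    """Exploitability x impact, weighted by asset group, scaled to 0..15."""
    return round(f.exploitability * f.impact * GROUP_WEIGHT[f.asset_group] * 10, 1)


def risk_level(score: float) -> str:
    for threshold, level in LEVEL_THRESHOLDS:
        if score >= threshold:
            return level
    return "low"


def _key(f: Finding) -> tuple:
    return (f.host, f.vuln_id)


def compare_scans(previous, current, accepted, scan_date: str) -> dict:
    """4.7: classify findings across back-to-back scans.

    `accepted` maps (host, vuln_id) -> next review date (ISO string) for
    accepted business risks; acceptances whose review date has passed are
    flagged so the acceptance is revisited.  ISO dates compare as strings.
    """
    prev_keys = {_key(f) for f in previous}
    cur_keys = {_key(f) for f in current}
    return {
        "resolved": sorted(prev_keys - cur_keys),
        "new": [f for f in current if _key(f) not in prev_keys and _key(f) not in accepted],
        "still_open": [f for f in current if _key(f) in prev_keys and _key(f) not in accepted],
        "accepted_review_due": sorted(
            k for k in cur_keys & set(accepted) if accepted[k] <= scan_date
        ),
    }


def patch_plan(findings) -> list:
    """4.8: riskiest first, with an expected patching deadline per level."""
    plan = []
    for f in sorted(findings, key=risk_score, reverse=True):
        score = risk_score(f)
        level = risk_level(score)
        plan.append((f.host, f.vuln_id, score, level, PATCH_DEADLINE_DAYS[level]))
    return plan


# Constructed demo data (private addresses, placeholder vulnerability ids).
PREVIOUS_SCAN = [
    Finding("10.0.2.5", "dmz", "CVE-0000-0004", 0.9, 0.9),
    Finding("10.0.2.6", "dmz", "CVE-0000-0005", 0.7, 0.8),
    Finding("10.0.3.10", "internal", "CVE-0000-0006", 0.5, 0.6),
    Finding("10.0.4.20", "desktop", "CVE-0000-0007", 0.3, 0.4),
]
CURRENT_SCAN = [
    Finding("10.0.2.5", "dmz", "CVE-0000-0004", 0.9, 0.9),      # accepted risk
    Finding("10.0.3.10", "internal", "CVE-0000-0006", 0.5, 0.6),
    Finding("10.0.4.20", "desktop", "CVE-0000-0007", 0.3, 0.4),
    Finding("10.0.2.6", "dmz", "CVE-0000-0008", 0.8, 0.9),      # new this scan
]
ACCEPTED = {("10.0.2.5", "CVE-0000-0004"): "2024-03-01"}


def demo() -> dict:
    delta = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, ACCEPTED, "2024-03-05")
    delta["plan"] = patch_plan(delta["new"] + delta["still_open"])
    return delta


if __name__ == "__main__":
    d = demo()
    print("resolved:", d["resolved"])
    print("accepted risks due for review:", d["accepted_review_due"])
    for row in d["plan"]:
        print(row)
```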
CSC5-I: Controlled Use Of Administrative Privileges

Module 155

https://www.cisecurity.org/controls/

• 5.1: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
• 5.2: Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.
• 5.3: Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.
• 5.4: Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system.
• 5.5: Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.
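An added example for 5.4 and 5.5 (not from the handouts or CIS): Python detection logic over events in the shape of a parsed Windows Security log export. It alerts on membership changes to administrators' groups and on any failed logon to an account in the admin inventory. The event IDs in the comments are the real Windows IDs; the group names, accounts, hosts and events are constructed.

```python
from collections import defaultdict

# Windows Security log event IDs used below (real IDs):
#   4728  member added to a security-enabled global group   (e.g. Domain Admins)
#   4729  member removed from a security-enabled global group
#   4732  member added to a security-enabled local group    (e.g. Administrators)
#   4625  an account failed to log on
ADMIN_GROUPS = {"Domain Admins", "Administrators"}
ADMIN_ACCOUNTS = {"CORP\\jsmith-adm", "CORP\\svc-backup"}   # from the 5.2 inventory

# Constructed events (names, hosts and addresses are made up).
SAMPLE_EVENTS = [
    {"time": "2024-03-05T08:01:02", "id": 4728, "computer": "DC01",
     "group": "Domain Admins", "member": "CORP\\tlee", "actor": "CORP\\jsmith-adm"},
    {"time": "2024-03-05T08:05:10", "id": 4732, "computer": "WS17",
     "group": "Administrators", "member": "WS17\\helpdesk2", "actor": "WS17\\setup"},
    {"time": "2024-03-05T08:06:00", "id": 4732, "computer": "WS17",
     "group": "Remote Desktop Users", "member": "WS17\\helpdesk2", "actor": "WS17\\setup"},
    {"time": "2024-03-05T08:10:44", "id": 4625, "computer": "DC01",
     "target": "CORP\\jsmith-adm", "source_ip": "10.0.5.30"},
    {"time": "2024-03-05T08:10:49", "id": 4625, "computer": "DC01",
     "target": "CORP\\jsmith-adm", "source_ip": "10.0.5.30"},
    {"time": "2024-03-05T08:11:03", "id": 4625, "computer": "DC01",
     "target": "CORP\\bob", "source_ip": "10.0.5.31"},
    {"time": "2024-03-05T09:00:00", "id": 4729, "computer": "DC01",
     "group": "Domain Admins", "member": "CORP\\tlee", "actor": "CORP\\jsmith-adm"},
]


def detect_admin_events(events, admin_groups=ADMIN_GROUPS,
                        admin_accounts=ADMIN_ACCOUNTS) -> list:
    """Return the alerts 5.4 and 5.5 ask for.

    5.4: membership changes of administrators' groups, including a new local
         admin (a 4732 into the local Administrators group).
    5.5: every unsuccessful logon to an account in the admin inventory.
    Each alert carries a 'rule' key so a SIEM can route it.
    """
    alerts = []
    for e in events:
        if e["id"] in (4728, 4732) and e["group"] in admin_groups:
            alerts.append({"rule": "admin_group_member_added", "time": e["time"],
                           "host": e["computer"], "group": e["group"],
                           "member": e["member"], "actor": e["actor"]})
        elif e["id"] == 4729 and e["group"] in admin_groups:
            alerts.append({"rule": "admin_group_member_removed", "time": e["time"],
                           "host": e["computer"], "group": e["group"],
                           "member": e["member"], "actor": e["actor"]})
        elif e["id"] == 4625 and e["target"] in admin_accounts:
            alerts.append({"rule": "failed_admin_logon", "time": e["time"],
                           "host": e["computer"], "account": e["target"],
                           "source_ip": e["source_ip"]})
    return alerts


def summarize_failed_logons(alerts) -> dict:
    """Count failed admin logons per (account, source_ip) for triage."""
    counts = defaultdict(int)
    for a in alerts:
        if a["rule"] == "failed_admin_logon":
            counts[(a["account"], a["source_ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_admin_events(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(summarize_failed_logons(found))
```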
CSC5-II: Controlled Use Of Administrative Privileges

Module 156

https://www.cisecurity.org/controls/

• 5.6: Use multifactor authentication for all administrative access, including domain administrative access.
• 5.6…: Multi-factor authentication can include a variety of techniques, to include the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods.
• 5.7: Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).
• 5.8: Administrators should be required to access a system using a fully logged and non-administrative account.
• 5.8…: Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems.
• 5.9: Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access.
• 5.9…: This machine shall be isolated from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.
Information Security Transformation
Module 157
• CSC6-1: Maintenance, Monitoring, Analysis of Audit Logs

CSC6-1: Maintenance, Monitoring, Analysis of Audit Logs

https://www.cisecurity.org/controls/

• 6.1: Utilize Three Synchronized Time Sources:
• Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that time stamps in logs are consistent.
• 6.2: Activate audit logging
• Ensure that local logging has been enabled on all systems and networking devices.
• 6.3: Enable Detailed Logging:
• Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses and other useful elements.
• 6.4: Ensure adequate storage for logs
• Ensure that all systems that store logs have adequate storage space for the logs generated.
Information Security Transformation
Week 10
Module 158
• CSC6-II: Maintenance, Monitoring, Analysis of Audit Logs

CSC6-II: Maintenance, Monitoring, Analysis of Audit Logs

https://www.cisecurity.org/controls/

• 6.5: Central Log Management:
• Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
• 6.6: Deploy SIEM or Log Analytic tools:
• Deploy a Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.
• 6.7: Regularly Review Logs
• On a regular basis, review logs to identify anomalies or abnormal events.
• 6.8: Regularly Tune SIEM
• On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Information Security Transformation
Module 159
• CSC7-1: EMAIL AND WEB BROWSER PROTECTION

CSC7-1: EMAIL AND WEB BROWSER PROTECTION

https://www.cisecurity.org/controls/

• 7.1: Ensure Use of Only Fully Supported Browser & Email Clients
• Ensure that only fully supported web browser & email clients are allowed to execute in the org, ideally only using the latest version of the browser & email clients provided by the vendor.
• 7.2: Disable Unnecessary or Unauthorized Browser or Email Client Plugins
• Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
• 7.3: Limit Use of Scripting Languages in Web Browser and Email Clients
• Ensure that only authorized scripting languages are able to run in all web browser and email clients.
• 7.4: Maintain and enforce Network based URL Filters
• Enforce network based URL filters that limit a system’s ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization’s systems (whether at an org facility or not).
• 7.5: Subscribe to URL-categorization service
• Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized websites shall be blocked by default.
Information Security Transformation
Module 160
• CSC7-II: EMAIL AND WEB BROWSER PROTECTION

CSC7-II: EMAIL AND WEB BROWSER PROTECTION

https://www.cisecurity.org/controls/

• 7.6: Log all URL requests
• Log all URL requests from each of the organization’s systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
• 7.7: Use of DNS Filtering Services
• Use DNS filtering services to help block access to known malicious domains.
• 7.8: Implement DMARC and Enable Receiver-side Verification
• To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
• 7.9: Block Unnecessary File Types
• Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business.
• 7.10: Sandbox All Email Attachments
• Use sandboxing to analyze and block inbound email attachments with malicious behavior.
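An added example for 7.8 (not from the handouts or CIS): a simplified receiver-side check in Python that evaluates an SPF record for a sending address, then applies a DMARC record's alignment mode and policy to the SPF and DKIM results. The records use reserved example domains and addresses; a real receiver resolves the records from DNS, handles include/redirect and a/mx mechanisms, uses the Public Suffix List for organizational domains and honours pct=.

```python
import ipaddress

_SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_check(sender_ip: str, spf_record: str) -> str:
    """Simplified SPF: ip4:/ip6: mechanisms and the 'all' mechanism only."""
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return _SPF_RESULT[qualifier]
        if mech == "all":
            return _SPF_RESULT[qualifier]
    return "neutral"


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, dmarc_record, spf_result, spf_domain,
                   dkim_result, dkim_domain) -> tuple:
    """Receiver-side DMARC decision.

    dmarc_record is the TXT published at _dmarc.<from_domain>; spf_domain is
    the MAIL FROM domain SPF was evaluated on; dkim_domain is the d= of a
    signature that verified.  Returns (dmarc_result, disposition).
    pct= sampling is ignored here (treated as 100).
    """
    tags = parse_tags(dmarc_record or "")
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "deliver")      # no policy published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    policy = tags["p"].lower()
    return ("fail", policy if policy in ("quarantine", "reject") else "deliver")


# Constructed records for the reserved domain example.com.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
DMARC_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
DMARC_RELAXED = "v=DMARC1; p=quarantine"

if __name__ == "__main__":
    print(spf_check("192.0.2.10", SPF_RECORD), spf_check("198.51.100.9", SPF_RECORD))
    # A message claiming to be From: example.com but passing SPF only for an
    # unrelated sender domain fails alignment and is rejected.
    print(evaluate_dmarc("example.com", DMARC_STRICT, "pass", "mailer.example.net", "none", ""))
    print(evaluate_dmarc("example.com", DMARC_RELAXED, "pass", "bounce.example.com", "fail", ""))
```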
Information Security Transformation
Module 161
• CSC8-I: MALWARE DEFENSES

CSC8-I: Malware Defenses

https://www.cisecurity.org/controls/

• 8.1: Utilize Centrally Managed Anti-malware Software:
• Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization’s workstations and servers.
• 8.2: Ensure Anti-Malware Software and Signatures are Updated
• Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis.
• 8.3: Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
• Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system, or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
• 8.4: Configure Anti-Malware Scanning of Removable Devices
• Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
• 8.5: Configure devices not to auto-run content
• Configure devices to not auto-run content from removable media.
Information Security Transformation
Module 162
• CSC8-II: MALWARE DEFENSES

CSC8-II: Malware Defenses

https://www.cisecurity.org/controls/

• 8.6: Centralize Anti-malware Logging
• Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
• 8.7: Enable DNS Query logging
• Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
• 8.8: Enable Command-line Audit Logging
• Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
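An added example for 7.7 and 8.7 (not from the handouts or CIS): Python that parses DNS query-log lines, matches each queried name against a blocklist of known malicious domains on label boundaries (so look-alike names do not match), and ranks the querying clients for triage. The log lines and blocklist are constructed, using reserved example/test names and private addresses.

```python
import re
from collections import Counter

# Constructed blocklist standing in for a feed of known malicious domains.
BLOCKLIST = {"malicious.example", "bad-cdn.example.net"}

# Constructed lines in the layout of a BIND-style query log
# (client <ip>#<port> ... query: <name> IN <type> ...); not a real capture.
SAMPLE_LOG = """\
05-Mar-2024 10:15:01.123 client 10.0.4.21#53211 (www.example.com): query: www.example.com IN A + (10.0.0.53)
05-Mar-2024 10:15:03.456 client 10.0.4.21#53212 (update.malicious.example): query: update.malicious.example IN A + (10.0.0.53)
05-Mar-2024 10:15:07.789 client 10.0.4.30#41000 (bad-cdn.example.net): query: bad-cdn.example.net IN AAAA + (10.0.0.53)
05-Mar-2024 10:15:09.000 client 10.0.4.21#53213 (malicious.example.lookalike.test): query: malicious.example.lookalike.test IN A + (10.0.0.53)
05-Mar-2024 10:15:12.500 client 10.0.4.21#53214 (cdn.malicious.example): query: cdn.malicious.example IN TXT + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line: str):
    """Return the fields of one query-log line, or None if it is not a query."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["qname"] = d["qname"].lower().rstrip(".")
    return d


def matched_domain(qname: str, blocklist):
    """Return the blocklisted domain that qname equals or is a subdomain of.

    Matching walks label boundaries, so malicious.example.lookalike.test does
    not match malicious.example the way a plain suffix test would.
    """
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_malicious_lookups(log_text: str, blocklist=BLOCKLIST) -> list:
    """8.7: hostname lookups for known malicious domains, with the client."""
    hits = []
    for line in log_text.splitlines():
        q = parse_query_line(line)
        if q is None:
            continue
        hit = matched_domain(q["qname"], blocklist)
        if hit:
            hits.append({"time": q["ts"], "client": q["client"],
                         "qname": q["qname"], "qtype": q["qtype"], "matched": hit})
    return hits


def clients_by_hit_count(hits) -> list:
    """Internal hosts ordered by number of blocklist lookups (triage order)."""
    return Counter(h["client"] for h in hits).most_common()


if __name__ == "__main__":
    found = find_malicious_lookups(SAMPLE_LOG)
    for h in found:
        print(h)
    print(clients_by_hit_count(found))
```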
CIS CONTROL 9: LIMITATION & CONTROL OF NETWORK

Module 163 CIS 20 Critical Security Controls

https://www.cisecurity.org/controls/

9.1: Associate Active Ports, Services and Protocols to Asset Inventory
• Associate active ports, services and protocols to the hardware assets in the asset inventory.
9.2: Ensure Only Approved Ports, Protocols and Services Are Running
• Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
9.3: Perform Regular Automated Port Scans
• Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
9.4: Apply Host-based Firewalls or Port Filtering
• Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
9.5: Implement Application Firewalls
• Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

PROCEDURES & TOOLS:
• Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered port. This list of services and their versions is compared against an inventory of services required by the organization for each server and workstation in an asset management system.
• Recently added features in these port scanners are being used to determine the changes in services offered by scanned machines on the network since the previous scan, helping security personnel identify differences over time.
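An added example (not from the handouts or CIS) serving 3.6's new-listener detection, 9.1 to 9.3 and the procedures text above: Python that ties scan results to the asset inventory, flags listeners with no approved entry (or on hosts the inventory does not know), and diffs two consecutive scans for opened, closed and version-changed services. The inventory, banners and addresses are constructed.

```python
# Constructed asset inventory (9.1/9.2): host -> asset name and the
# (protocol, port) pairs with a validated business need.
INVENTORY = {
    "10.0.1.15": {"asset": "web-01", "approved": {("tcp", 22), ("tcp", 443)}},
    "10.0.1.22": {"asset": "sftp-01", "approved": {("tcp", 22)}},
}

# Constructed results of two consecutive scans:
# host -> {(protocol, port): service/version banner}
PREVIOUS_SCAN = {
    "10.0.1.15": {("tcp", 22): "OpenSSH 8.9", ("tcp", 443): "nginx"},
    "10.0.1.22": {("tcp", 22): "OpenSSH 8.9", ("tcp", 21): "vsftpd"},
}
CURRENT_SCAN = {
    "10.0.1.15": {("tcp", 22): "OpenSSH 9.6", ("tcp", 443): "nginx", ("tcp", 8080): "http-alt"},
    "10.0.1.22": {("tcp", 22): "OpenSSH 8.9"},
    "10.0.1.99": {("tcp", 3389): "ms-wbt-server"},
}


def associate_with_inventory(scan, inventory) -> dict:
    """9.1: list the observed listeners under each asset record; hosts the
    inventory does not know about are keyed 'UNKNOWN:<ip>'."""
    out = {}
    for host, listeners in scan.items():
        asset = inventory.get(host, {}).get("asset", "UNKNOWN:" + host)
        out[asset] = sorted(f"{proto}/{port} {svc}" for (proto, port), svc in listeners.items())
    return out


def unauthorized_listeners(scan, inventory) -> list:
    """9.2/9.3: listeners with no validated business need, i.e. not approved
    in the inventory, plus every listener on a host missing from it."""
    findings = []
    for host, listeners in scan.items():
        record = inventory.get(host)
        for (proto, port), service in sorted(listeners.items()):
            if record is None:
                findings.append((host, proto, port, service, "host not in inventory"))
            elif (proto, port) not in record["approved"]:
                findings.append((host, proto, port, service, "port not approved"))
    return findings


def scan_delta(previous, current) -> dict:
    """Changes since the previous scan (the 'differences over time' the
    procedures text describes; also 3.6's new listening ports/services)."""
    opened, closed, changed = [], [], []
    for host in sorted(set(previous) | set(current)):
        before = previous.get(host, {})
        after = current.get(host, {})
        for key in sorted(set(before) | set(after)):
            if key not in before:
                opened.append((host,) + key + (after[key],))
            elif key not in after:
                closed.append((host,) + key + (before[key],))
            elif before[key] != after[key]:
                changed.append((host,) + key + (before[key], after[key]))
    return {"opened": opened, "closed": closed, "version_changed": changed}


if __name__ == "__main__":
    print(associate_with_inventory(CURRENT_SCAN, INVENTORY))
    for f in unauthorized_listeners(CURRENT_SCAN, INVENTORY):
        print("ALERT", f)
    print(scan_delta(PREVIOUS_SCAN, CURRENT_SCAN))
```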
CIS CONTROL 10: DATA RECOVERY CAPABILITIES

Module 164 CIS 20 Critical Security Controls

https://www.cisecurity.org/controls/

10.1: Ensure Regular Automated Back Ups
• Ensure that all system data is automatically backed up on a regular basis.
10.2: Perform Complete System Backups
• Ensure that each of the organization's key systems is backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
10.3: Test Data on Backup Media
• Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
10.4: Ensure Protection of Backups
• Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
10.5: Ensure Backups Have At least One Non-Continuously Addressable Destination
• Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls.

Procedures & Tools:
• Once per quarter (or whenever new backup equipment is purchased), a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.
• In the event of malware infection, restoration procedures should use a version of the backup that is believed to predate the original infection.
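An added example for 10.3 and the quarterly restore test in the procedures text (not from the handouts or CIS): Python that backs up a tree into a tar archive together with a hash manifest, restores it into a scratch directory and verifies every manifest entry. The tree is constructed in a temporary folder; a damaged backup is simulated by altering the recorded hashes so the verification step has something to catch.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Back up a directory tree into a gzip tar archive.

    Returns a manifest of relative path -> sha256 and writes it next to the
    archive; the manifest is what a later restore test is verified against.
    """
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = str(path.relative_to(source))
                manifest[rel] = _sha256(path)
                tar.add(path, arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_and_verify(archive: Path, manifest: dict, target: Path) -> dict:
    """10.3 restore test: extract into a scratch directory and check that
    every file in the manifest came back with the expected content."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")   # Python 3.12+: refuse unsafe members
        except TypeError:                           # older Python: no filter argument
            tar.extractall(target)
    report = {"ok": [], "corrupt": [], "missing": []}
    for rel, expected in manifest.items():
        p = target / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif _sha256(p) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> tuple:
    """Constructed scenario: back up a small tree, run the restore test
    against the intact archive, then against a manifest whose recorded
    hashes no longer match (what damaged media would produce)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "system"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=443\n")
        (src / "data.db").write_bytes(b"\x01\x02\x03")
        archive = base / "system.tar.gz"
        manifest = create_backup(src, archive)

        good = restore_and_verify(archive, manifest, base / "restore1")

        damaged = dict(manifest)
        damaged["data.db"] = "0" * 64            # content differs from what was recorded
        damaged["etc/missing.conf"] = "0" * 64   # recorded file absent from the archive
        bad = restore_and_verify(archive, damaged, base / "restore2")
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact backup:", good)
    print("damaged backup:", bad)
```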
CIS CONTROL 11: SECURE CONFIG FOR NETWORK DEVICES

Module 165
• SECURE CONFIGURATION FOR NETWORK DEVICES SUCH AS FIREWALLS, ROUTERS, AND SWITCHES

https://www.cisecurity.org/controls/

11.1: Maintain Standard Security Configurations for Network Devices
• Maintain standard, documented security configuration standards for all authorized network devices.
11.2: Document Traffic Configuration Rules
• All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.
11.3: Use Automated Tools to Verify Standard Device Configurations and Detect Changes
• Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviation is discovered.
11.4: Install the Latest Stable Version of Any Security-related Updates on All Network Devices
• Install the latest stable version of any security-related updates on all network devices.
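An added example for 11.2 and 11.3 (not from the handouts or CIS): Python that checks a device's running configuration against an approved baseline of required and forbidden lines, and audits every rule that permits traffic for a documented business reason, named owner and expiry. The IOS-style configuration, the baseline and the rule documentation are constructed for the demo.

```python
# Constructed baseline for one device class (11.1): lines that must be
# present and lines that must not appear.  IOS-style syntax, made up here.
BASELINE = {
    "required": [
        "service password-encryption",
        "no ip http server",
        "ip ssh version 2",
        "login on-failure log",
    ],
    "forbidden": [
        "ip http server",
        "transport input telnet",
        "transport input all",
    ],
}

# Constructed running configuration as pulled from a device.
RUNNING_CONFIG = """\
hostname edge-rtr-01
service password-encryption
ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
access-list 101 permit tcp any host 10.0.1.15 eq 443
access-list 101 permit tcp 10.0.5.0 0.0.0.255 host 10.0.1.22 eq 22
access-list 101 permit tcp any host 10.0.1.30 eq 8080
access-list 101 deny ip any any
"""

# 11.2: documentation record per permit rule (reason, owner, expected end).
RULE_DOCS = {
    "access-list 101 permit tcp any host 10.0.1.15 eq 443":
        {"reason": "public web front end", "owner": "A. Example", "expires": "2025-12-31"},
    "access-list 101 permit tcp 10.0.5.0 0.0.0.255 host 10.0.1.22 eq 22":
        {"reason": "vendor SFTP drop", "owner": "B. Example", "expires": "2024-01-31"},
}


def normalize(config: str) -> list:
    """Strip indentation, blank lines and '!' comment lines."""
    return [ln.strip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")]


def check_baseline(config: str, baseline: dict) -> list:
    """11.3: deviations of a running config from the approved baseline."""
    lines = set(normalize(config))
    deviations = []
    for req in baseline["required"]:
        if req not in lines:
            deviations.append(("missing", req))
    for bad in baseline["forbidden"]:
        if bad in lines:
            deviations.append(("forbidden", bad))
    return deviations


def audit_permit_rules(config: str, rule_docs: dict, today: str) -> list:
    """11.2: every rule that allows traffic needs a business reason, a named
    owner and an expected duration; rules past their expiry are flagged too.
    Dates are ISO strings, which compare correctly as text."""
    issues = []
    for line in normalize(config):
        if " permit " not in line:
            continue
        doc = rule_docs.get(line)
        if doc is None:
            issues.append(("undocumented", line))
            continue
        missing = [k for k in ("reason", "owner", "expires") if not doc.get(k)]
        if missing:
            issues.append(("incomplete:" + ",".join(missing), line))
        elif doc["expires"] < today:
            issues.append(("expired " + doc["expires"], line))
    return issues


if __name__ == "__main__":
    for dev in check_baseline(RUNNING_CONFIG, BASELINE):
        print("DEVIATION", dev)
    for issue in audit_permit_rules(RUNNING_CONFIG, RULE_DOCS, "2024-03-05"):
        print("RULE", issue)
```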
CIS CONTROL 11: SECURE CONFIG FOR NETWORK DEVICES-II

Module 166
• SECURE CONFIGURATION FOR NETWORK DEVICES SUCH AS FIREWALLS, ROUTERS, AND SWITCHES

https://www.cisecurity.org/controls/

11.5: Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
• Manage all network devices using multi-factor authentication and encrypted sessions.
11.6: Use Dedicated Machines For All Network Administrative Tasks
• Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.
11.7: Manage Network Infrastructure Through a Dedicated Network
• Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
CIS CONTROL 12: BOUNDARY DEFENSE - I

Module 167
• BOUNDARY DEFENSE

https://www.cisecurity.org/controls/

12.1: Maintain an Inventory of Network Boundaries
• Maintain an up-to-date inventory of all of the organization's network boundaries.
12.2: Scan for Unauthorized Connections across Trusted Network Boundaries
• Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
12.3: Deny Communications with Known Malicious IP Addresses
• Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.
12.4: Deny Communication over Unauthorized Ports
• Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.
CIS CONTROL 12: BOUNDARY DEFENSE - II

Module 168
• BOUNDARY DEFENSE

https://www.cisecurity.org/controls/

12.5: Configure Monitoring Systems to Record Network Packets
• Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
12.6: Deploy Network-based IDS Sensor
• Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.
12.7: Deploy Network-Based Intrusion Prevention Systems
• Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.
12.8: Deploy NetFlow Collection on Networking Boundary Devices
• Enable the collection of NetFlow and logging data on all network boundary devices.
CIS CONTROL 12: BOUNDARY DEFENSE - III

Module 169
• BOUNDARY DEFENSE

https://www.cisecurity.org/controls/

12.9: Deploy Application Layer Filtering Proxy Server
• Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
12.10: Decrypt Network Traffic at Proxy
• Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
12.11: Require All Remote Login to Use Multi-factor Authentication
• Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.
12.12: Manage All Devices Remotely Logging into Internal Network
• Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.
CIS CONTROL 13: DATA PROTECTION-I

Module 170
• DATA PROTECTION

https://www.cisecurity.org/controls/

13.1: Maintain an Inventory of Sensitive Information
• Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider.
13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization
• Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
13.3: Monitor and Block Unauthorized Network Traffic
• Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
CIS CONTROL 13: DATA PROTECTION-II

Module 171
• DATA PROTECTION

https://www.cisecurity.org/controls/

13.4: Only Allow Access to Authorized Cloud Storage or Email Providers
• Only allow access to authorized cloud storage or email providers.
13.5: Monitor and Detect Any Unauthorized Use of Encryption
• Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
13.6: Encrypt the Hard Drive of All Mobile Devices
• Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.
CIS CONTROL 13: DATA PROTECTION-III

Module 172
• DATA PROTECTION

https://www.cisecurity.org/controls/

13.7: Manage USB Devices
• If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
13.8: Manage System's External Removable Media's Read/write Configurations
• Configure systems not to write data to external removable media, if there is no business need for supporting such devices.
13.9: Encrypt Data on USB Storage Devices
• If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
1498
CIS CONTROL 14: CONTROLLED ACCESS-NEED TO KNOW-I
Module 173 • CONTROLLED ACCESS BASED ON THE NEED TO KNOW
https://www.cisecurity.org/controls/

14.1: Segment the Network Based on Sensitivity
• Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).

14.2: Enable Firewall Filtering Between VLANs
• Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
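The following Python script is an added example (not CIS material and not from these handouts) of how 14.1 and 14.2 can be audited together: VLANs carry a classification label, and each firewall allow rule between VLANs is checked against two policy questions, whether it lets a lower-classified segment reach a higher-classified one without a documented exception, and whether it is an any-port allow, which can never satisfy "only the systems necessary". The classification order, VLAN inventory, exception list and rule set are constructed for the illustration.

```python
"""Segmentation rule audit (constructed example for CIS 14.1 and 14.2)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed classification order (assumption): higher number = more sensitive.
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# 14.1 inventory (constructed): VLAN id -> classification label of the data it holds.
VLANS = {10: "public", 20: "internal", 30: "confidential", 40: "restricted"}

# Constructed documented exceptions: (src VLAN, dst VLAN, dst port) with a business
# need, e.g. the application tier reaching the database tier on its service port only.
APPROVED_EXCEPTIONS = {(20, 30, 5432)}


@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_vlan: int
    dst_port: Optional[int]   # None means "any port"
    action: str               # "allow" or "deny"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return findings for allow rules that violate the need-to-know segmentation policy."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.src_vlan == r.dst_vlan:
            continue  # denies and intra-VLAN rules do not cross a boundary
        src_label, dst_label = VLANS[r.src_vlan], VLANS[r.dst_vlan]
        if r.dst_port is None:
            # 14.2: an any-port allow between VLANs is never "only the systems necessary"
            findings.append(f"rule {r.src_vlan}->{r.dst_vlan}: any-port allow between VLANs")
            continue
        crosses_upward = LEVEL[dst_label] > LEVEL[src_label]
        if crosses_upward and (r.src_vlan, r.dst_vlan, r.dst_port) not in APPROVED_EXCEPTIONS:
            findings.append(
                f"rule {r.src_vlan}->{r.dst_vlan}:{r.dst_port}: {src_label} VLAN reaches "
                f"{dst_label} VLAN without an approved exception"
            )
    return findings


if __name__ == "__main__":
    # Constructed rule set to audit.
    sample_rules = [
        Rule(20, 30, 5432, "allow"),  # documented app -> database exception
        Rule(10, 40, 22, "allow"),    # public segment reaching restricted: finding
        Rule(30, 20, None, "allow"),  # any-port allow: finding
        Rule(40, 10, 443, "allow"),   # downward flow, not flagged by this policy
        Rule(20, 20, 445, "allow"),   # same VLAN, ignored
    ]
    for finding in audit_rules(sample_rules):
        print(finding)
```

The audit only asks whether each rule is justified; exporting the live rule base from the firewall and mapping VLAN ids to the classification inventory is the part that differs per vendor and is left outside this example.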

14.3: Disable Workstation to Workstation Communication
• Disable all workstation to workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as Private VLANs or microsegmentation.

14.4: Encrypt All Sensitive Information in Transit
• Encrypt all sensitive information in transit.

14.5: Utilize an Active Discovery Tool to Identify Sensitive Data
• Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider, and update the organization's sensitive information inventory.
CIS CONTROL 14: CONTROLLED ACCESS-NEED TO KNOW-II
Module 174 • CONTROLLED ACCESS BASED ON THE NEED TO KNOW
https://www.cisecurity.org/controls/

14.6: Protect Information through Access Control Lists
• Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

14.7: Enforce Access Control to Data through Automated Tools
• Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.

14.8: Encrypt Sensitive Information at Rest
• Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

14.9: Enforce Detail Logging for Access or Changes to Sensitive Data
• Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
CIS CONTROL 15: WIRELESS ACCESS CONTROL-I
Module 175 • WIRELESS ACCESS CONTROL
https://www.cisecurity.org/controls/

15.1: Maintain an Inventory of Authorized Wireless Access Points
• Maintain an inventory of authorized wireless access points connected to the wired network.

15.2: Detect Wireless Access Points Connected to the Wired Network
• Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

15.3: Use a Wireless Intrusion Detection System
• Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
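As an added example covering 15.1 to 15.3 (it is not part of the CIS Controls or of these handouts), the Python below takes the authorized access-point inventory of 15.1 and compares it against two constructed inputs a WIDS and a wired-side scan would provide: the BSSIDs and SSIDs observed over the air, and the MAC addresses seen on switch ports. An unknown AP broadcasting a corporate SSID is reported as a spoof, and an unknown AP whose address appears on the wire is reported as a rogue connected to the wired network; the "nearby MAC" matching is a stated heuristic assumption, since an AP's wired MAC and its BSSIDs usually differ only in the low bits.

```python
"""Rogue access-point check (constructed example for CIS 15.1, 15.2, 15.3)."""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed corporate SSIDs; any unknown radio advertising these is a spoof candidate.
CORPORATE_SSIDS = {"CorpWiFi", "CorpGuest"}

# 15.1 inventory (constructed): authorized BSSID -> SSID it is allowed to broadcast.
AUTHORIZED_APS = {
    "aa:bb:cc:00:01:10": "CorpWiFi",
    "aa:bb:cc:00:01:20": "CorpGuest",
}


@dataclass(frozen=True)
class Observation:
    bssid: str    # radio MAC seen over the air
    ssid: str
    channel: int


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def mac_near(a: str, b: str, radius: int = 8) -> bool:
    """Heuristic (assumption): an AP's wired MAC differs from its BSSIDs only in the low bits."""
    return abs(_mac_int(a) - _mac_int(b)) <= radius


def classify_observations(observed: Iterable[Observation], wired_macs: Iterable[str]) -> List[str]:
    """Return findings for radios that are not what the inventory says should be there."""
    wired = list(wired_macs)
    findings = []
    for o in observed:
        authorized_ssid = AUTHORIZED_APS.get(o.bssid)
        if authorized_ssid == o.ssid:
            continue  # known AP broadcasting its assigned SSID
        if authorized_ssid is not None:
            findings.append(f"{o.bssid}: authorized AP broadcasting unexpected SSID {o.ssid!r}")
            continue
        on_wire = any(mac_near(o.bssid, m) for m in wired)
        if o.ssid in CORPORATE_SSIDS:
            msg = f"{o.bssid}: unknown AP spoofing corporate SSID {o.ssid!r}"
            if on_wire:
                msg += " and present on the wired network"
            findings.append(msg)  # 15.3: WIDS-style finding
        elif on_wire:
            findings.append(f"{o.bssid}: unauthorized AP {o.ssid!r} connected to the wired network")  # 15.2
        # unknown radios neither on the wire nor using our SSIDs are neighbours, not rogues
    return findings


if __name__ == "__main__":
    # Constructed scan results.
    observed = [
        Observation("aa:bb:cc:00:01:10", "CorpWiFi", 6),    # authorized
        Observation("de:ad:be:ef:00:05", "CorpWiFi", 11),   # evil twin over the air
        Observation("12:34:56:78:9a:f0", "HomeNet", 1),     # staff router plugged into the LAN
        Observation("00:11:22:33:44:50", "CafeFree", 6),    # neighbour, not on our wire
    ]
    wired_macs = {"12:34:56:78:9a:f1", "aa:bb:cc:00:01:11", "08:00:27:aa:bb:cc"}
    for finding in classify_observations(observed, wired_macs):
        print(finding)
```

Both data sources are needed: the over-the-air scan alone cannot tell a neighbour's network from a rogue on the LAN, and the switch MAC table alone cannot see an evil twin that is never plugged in.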
CIS CONTROL 15: WIRELESS ACCESS CONTROL-II
Week 11
Module 176 • WIRELESS ACCESS CONTROL
https://www.cisecurity.org/controls/

15.4: Disable Wireless Access on Devices if Not Required
• Disable wireless access on devices that do not have a business purpose for wireless access.

15.5: Limit Wireless Access on Client Devices
• Configure wireless access on client machines that do have an essential wireless business purpose to allow access only to authorized wireless networks and to restrict access to other wireless networks.

15.6: Disable Peer-to-peer Wireless Network Capabilities on Wireless Clients
• Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
CIS CONTROL 15: WIRELESS ACCESS CONTROL-III
Module 177 • WIRELESS ACCESS CONTROL
https://www.cisecurity.org/controls/

15.7: Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
• Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

15.8: Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
• Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication.
CIS CONTROL 16: ACCOUNT MONITORING & CONTROL-I
Module 178 • ACCOUNT MONITORING & CONTROL
https://www.cisecurity.org/controls/

16.1: Maintain an Inventory of Authentication Systems
• Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.

16.2: Configure Centralized Point of Authentication
• Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

16.3: Require Multi-factor Authentication
• Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.

16.4: Encrypt or Hash all Authentication Credentials
• Encrypt or hash with a salt all authentication credentials when stored.
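The following Python is an added example of the "hash with a salt" half of 16.4; it is not from the CIS Controls or these handouts. Each credential gets its own random salt, the password is run through PBKDF2-HMAC-SHA256 with a high iteration count, and the result is stored as a self-describing record (algorithm, iterations, salt, hash) so that verification can recompute it and the work factor can be raised later without breaking old records. The iteration count and record format are design choices made for this example.

```python
"""Salted credential storage (constructed example for CIS 16.4)."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise over time as hardware gets faster
SALT_BYTES = 16


def hash_credential(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash and return a self-describing record: algo$iters$salt$hash."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per credential defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_credential(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return False  # corrupt or tampered record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current algorithm or work factor.

    Call this after a successful login and re-hash with the plaintext you just verified.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_iterations


if __name__ == "__main__":
    record = hash_credential("correct horse battery staple")
    print(record)
    print("verify ok:", verify_credential("correct horse battery staple", record))
    print("verify wrong:", verify_credential("Correct horse battery staple", record))
    print("legacy record needs rehash:", needs_rehash("pbkdf2_sha256$1000$AAAA$AAAA"))
```

Storing the iteration count with each record is what makes the work factor upgradeable: verification trusts the record for its parameters, and the login path uses needs_rehash to migrate users forward one successful login at a time.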
CIS CONTROL 16: ACCOUNT MONITORING & CONTROL-II
Module 179 • ACCOUNT MONITORING & CONTROL
https://www.cisecurity.org/controls/

16.5: Encrypt Transmittal of Username and Authentication Credentials
• Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

16.6: Maintain an Inventory of Accounts
• Maintain an inventory of all accounts organized by authentication system.

16.7: Establish Process for Revoking Access
• Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

16.8: Disable Any Unassociated Accounts
• Disable any account that cannot be associated with a business process or business owner.
CIS CONTROL 16: ACCOUNT MONITORING & CONTROL-III
Module 180 • ACCOUNT MONITORING & CONTROL
https://www.cisecurity.org/controls/

16.9: Disable Dormant Accounts
• Automatically disable dormant accounts after a set period of inactivity.

16.10: Ensure All Accounts Have An Expiration Date
• Ensure that all accounts have an expiration date that is monitored and enforced.
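As an added example for 16.9 and 16.10 (not CIS material and not from these handouts), the Python below is the decision logic of a scheduled account-review job: given an account inventory and the review date, it emits the actions to apply, disabling accounts past their expiration date, flagging accounts that have no expiration date at all, and disabling accounts that have been inactive longer than the policy period. An account that has never logged in is measured from its creation date so that it cannot stay enabled forever. The 45-day dormancy period and the inventory are constructed values.

```python
"""Account lifecycle review (constructed example for CIS 16.9 and 16.10)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

DORMANCY_DAYS = 45  # constructed policy value: inactivity period before disabling


@dataclass
class Account:
    name: str
    created: date
    last_login: Optional[date]   # None: never logged in
    expires: Optional[date]      # None: no expiration set (a 16.10 gap)
    enabled: bool = True


def review_accounts(accounts: List[Account], today: date,
                    dormancy_days: int = DORMANCY_DAYS) -> List[Tuple[str, str]]:
    """Return (account, action) pairs for the account-management job to apply."""
    actions = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing to enforce
        if a.expires is None:
            actions.append((a.name, "set-expiration"))     # 16.10: every account needs one
        elif a.expires <= today:
            actions.append((a.name, "disable-expired"))    # 16.10: enforce the date
            continue
        # 16.9: an account that has never logged in is dormant from its creation date
        last_activity = a.last_login or a.created
        if today - last_activity > timedelta(days=dormancy_days):
            actions.append((a.name, "disable-dormant"))
    return actions


# Constructed account inventory as of a fixed review date.
REVIEW_DATE = date(2024, 3, 1)
INVENTORY = [
    Account("alice", date(2023, 1, 10), date(2024, 2, 28), date(2024, 12, 31)),   # active
    Account("bob", date(2023, 1, 10), date(2023, 11, 1), date(2024, 12, 31)),     # dormant
    Account("svc-backup", date(2023, 6, 1), None, None),                          # never used, no expiry
    Account("carol", date(2023, 1, 10), date(2024, 2, 20), date(2024, 2, 29)),    # expired yesterday
    Account("dave", date(2023, 1, 10), None, date(2024, 12, 31), enabled=False),  # already disabled
]

if __name__ == "__main__":
    for name, action in review_accounts(INVENTORY, REVIEW_DATE):
        print(f"{action:17} {name}")
```

The job disables rather than deletes, in line with 16.7, so audit trails tied to the account survive; the service account shows why both controls are needed, since with no expiration and no logins it would otherwise never trip either rule.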

16.11: Lock Workstation Sessions After Inactivity
• Automatically lock workstation sessions after a standard period of inactivity.

16.12: Monitor Attempts to Access Deactivated Accounts
• Monitor attempts to access deactivated accounts through audit logging.

16.13: Alert on Account Login Behavior Deviation
• Alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration.
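The Python below is an added example of the detection behind 16.13; it is not from the CIS Controls or these handouts. It parses constructed login records, learns each user's normal hours of day, workstations and longest session from a history window, and then raises an alert for each of the three deviations the control names, plus one for a user who has no history at all. The log line format, the one-hour slack around the observed hours and the 1.5x duration factor are assumptions made for the example.

```python
"""Login-behaviour baseline and deviation alerts (constructed example for CIS 16.13)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log format (assumption): ISO timestamp, user, workstation, session seconds.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) duration=(?P<dur>\d+)$")

# Constructed history used to learn each user's normal behaviour.
HISTORY = [
    "2024-02-05T08:55:00 user=alice host=WS-117 duration=510",
    "2024-02-06T09:10:00 user=alice host=WS-117 duration=495",
    "2024-02-07T08:40:00 user=alice host=WS-118 duration=530",
    "2024-02-05T07:30:00 user=bob host=WS-042 duration=480",
    "2024-02-06T07:45:00 user=bob host=WS-042 duration=470",
    "malformed line that the parser must skip",
]

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    "2024-03-01T09:05:00 user=alice host=WS-117 duration=500",   # normal
    "2024-03-02T02:14:00 user=alice host=WS-305 duration=900",   # 02:14, new host, long session
    "2024-03-02T07:50:00 user=mallory host=WS-999 duration=60",  # never seen before
]


def parse_events(lines: List[str]) -> List[Dict]:
    """Parse log lines into events; malformed lines are skipped rather than aborting the batch."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "user": m["user"],
                "host": m["host"],
                "duration": int(m["dur"]),
            })
    return events


def build_baseline(events: List[Dict]) -> Dict[str, Dict]:
    """Per user: hours of day seen, workstations used, longest session observed."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "max_duration": 0})
    for e in events:
        b = base[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["hosts"].add(e["host"])
        b["max_duration"] = max(b["max_duration"], e["duration"])
    return dict(base)


def detect_deviations(baseline: Dict[str, Dict], events: List[Dict],
                      hour_slack: int = 1, duration_factor: float = 1.5) -> List[Tuple[str, str]]:
    """Return (user, reason) alerts for logins outside the user's learned pattern."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e["user"], "no baseline"))  # first-seen account: review, do not auto-trust
            continue
        lo, hi = min(b["hours"]) - hour_slack, max(b["hours"]) + hour_slack
        hour = e["ts"].hour
        if not lo <= hour <= hi:
            alerts.append((e["user"], f"hour {hour:02d} outside {lo:02d}-{hi:02d}"))
        if e["host"] not in b["hosts"]:
            alerts.append((e["user"], f"new workstation {e['host']}"))
        if e["duration"] > b["max_duration"] * duration_factor:
            alerts.append((e["user"], f"duration {e['duration']} exceeds baseline"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_events(HISTORY))
    for user, reason in detect_deviations(baseline, parse_events(NEW_EVENTS)):
        print(f"ALERT {user}: {reason}")
```

A per-user baseline is what distinguishes this from a fixed "no logins after 20:00" rule: the same 02:14 login would be normal for a night-shift operator whose history contains that hour.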
CIS CONTROL 17: SECURITY AWARENESS & TRAINING-I
Module 181 • IMPLEMENT A SECURITY AWARENESS & TRAINING PROGRAM
https://www.cisecurity.org/controls/

17.1: Perform a Skills Gap Analysis
• Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

17.2: Deliver Training to Fill the Skills Gap
• Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

17.3: Implement a Security Awareness Program
• Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

17.4: Update Awareness Content Frequently
• Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards and business requirements.
CIS CONTROL 17: SECURITY AWARENESS & TRAINING-II
Module 182 • IMPLEMENT A SECURITY AWARENESS & TRAINING PROGRAM
https://www.cisecurity.org/controls/

17.5: Train Workforce on Secure Authentication
• Train workforce members on the importance of enabling and utilizing secure authentication.

17.6: Train Workforce on Identifying Social Engineering Attacks
• Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.

17.7: Train Workforce on Sensitive Data Handling
• Train workforce on how to identify and properly store, transfer, archive and destroy sensitive information.

17.8: Train Workforce on Causes of Unintentional Data Exposure
• Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

17.9: Train Workforce Members on Identifying and Reporting Incidents
• Train employees to be able to identify the most common indicators of an incident and be able to report such an incident.
CIS CONTROL 18: APPLICATION SOFTWARE SECURITY-I
Module 183 • APPLICATION SOFTWARE SECURITY
https://www.cisecurity.org/controls/

18.1: Establish Secure Coding Practices
• Establish secure coding practices appropriate to the programming language and development environment being used.

18.2: Ensure Explicit Error Checking is Performed for All In-house Developed Software
• For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
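As an added example of 18.2 (not CIS material and not from these handouts), the Python below validates a constructed JSON registration request and shows the four kinds of check the control lists, applied in a deliberate order: the body size is bounded before any parsing, the structure and every field's data type are checked before its value is examined, the numeric field is range-checked, and the string fields are checked against an explicit format. All problems are reported together, and cleaned data is returned only when there are none, so a caller can never act on a half-validated object. The field names, limits and regular expressions are assumptions made for the example.

```python
"""Explicit input checking for a constructed registration request (CIS 18.2)."""
import json
import re
from typing import Dict, List, Tuple

MAX_BODY_BYTES = 4096                                  # size limit, checked before parsing
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")      # format: 3-32 chars, letter first
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}")   # format: coarse local@domain shape
MIN_AGE, MAX_AGE = 13, 120                             # acceptable range
ALLOWED_FIELDS = {"username", "age", "email"}


def validate_registration(raw: bytes) -> Tuple[Dict, List[str]]:
    """Check size, type, range and format of every field; return (clean data, errors)."""
    # 1. size: reject oversized bodies before spending any effort on them
    if len(raw) > MAX_BODY_BYTES:
        return {}, [f"body exceeds {MAX_BODY_BYTES} bytes"]
    # 2. structure: must be valid UTF-8 JSON and a JSON object
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return {}, [f"malformed JSON: {type(exc).__name__}"]
    if not isinstance(data, dict):
        return {}, ["top-level value must be an object"]

    errors: List[str] = []
    clean: Dict = {}

    # 3. username: type, then format
    username = data.get("username")
    if not isinstance(username, str):
        errors.append("username: must be a string")
    elif not USERNAME_RE.fullmatch(username):
        errors.append("username: 3-32 lowercase letters, digits or underscore, starting with a letter")
    else:
        clean["username"] = username

    # 4. age: type (bool is excluded, since bool is an int subclass), then range
    age = data.get("age")
    if isinstance(age, bool) or not isinstance(age, int):
        errors.append("age: must be an integer")
    elif not MIN_AGE <= age <= MAX_AGE:
        errors.append(f"age: must be between {MIN_AGE} and {MAX_AGE}")
    else:
        clean["age"] = age

    # 5. email: type, then format
    email = data.get("email")
    if not isinstance(email, str):
        errors.append("email: must be a string")
    elif not EMAIL_RE.fullmatch(email):
        errors.append("email: must look like local@domain")
    else:
        clean["email"] = email

    # 6. fields the schema does not know are errors too, not silently ignored
    extra = sorted(set(data) - ALLOWED_FIELDS)
    if extra:
        errors.append(f"unexpected fields: {extra}")

    return (clean if not errors else {}), errors


if __name__ == "__main__":
    # Constructed requests: one valid, one with a problem in every field.
    for body in (
        b'{"username": "alice_01", "age": 34, "email": "alice@example.com"}',
        b'{"username": "Alice!", "age": "34", "email": "nope", "role": "admin"}',
    ):
        clean, errors = validate_registration(body)
        print(clean, errors)
```

Rejecting unknown fields is part of "all input": a field the code never asked for is still input, and letting it through is how an extra "role" ends up persisted.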
18.3: Verify That Acquired Software is Still Supported
• Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

18.4: Only Use Up-to-date And Trusted Third-Party Components
• Only use up-to-date and trusted third-party components for the software developed by the organization.
CIS CONTROL 18: APPLICATION SOFTWARE SECURITY-II
Module 184 • APPLICATION SOFTWARE SECURITY
https://www.cisecurity.org/controls/

18.5: Use Only Standardized and Extensively Reviewed Encryption Algorithms
• Use only standardized and extensively reviewed encryption algorithms.

18.6: Ensure Software Development Personnel are Trained in Secure Coding
• Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

18.7: Apply Static and Dynamic Code Analysis Tools
• Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

18.8: Establish a Process to Accept and Address Reports of Software Vulnerabilities
• Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
CIS CONTROL 18: APPLICATION SOFTWARE SECURITY-III
Module 185 • APPLICATION SOFTWARE SECURITY
https://www.cisecurity.org/controls/

18.9: Separate Production and Non-Production Systems
• Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

18.10: Deploy Web Application Firewalls (WAFs)
• Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

18.11: Use Standard Hardening Configuration Templates for Databases
• For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
CIS CONTROL 19: INCIDENT RESPONSE & MANAGEMENT-I
Module 186 • INCIDENT RESPONSE & MANAGEMENT
https://www.cisecurity.org/controls/

19.1: Document Incident Response Procedures
• Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

19.2: Assign Job Titles and Duties for Incident Response
• Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.

19.3: Designate Management Personnel to Support Incident Handling
• Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

19.4: Devise Organization-wide Standards for Reporting Incidents
• Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
CIS CONTROL 19: INCIDENT RESPONSE & MANAGEMENT-II
Module 187 • INCIDENT RESPONSE & MANAGEMENT
https://www.cisecurity.org/controls/

19.5: Maintain Contact Information For Reporting Security Incidents
• Assemble and maintain information on third-party contact information to be used to report a security incident, such as law enforcement, relevant government departments, vendors, etc.

19.6: Publish Information Regarding Reporting Computer Anomalies and Incidents
• Publish information for all workforce members regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.

19.7: Conduct Periodic Incident Scenario Sessions for Personnel
• Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.

19.8: Create Incident Scoring and Prioritization Schema
• Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.
CIS CONTROL 20: PEN TESTS & RED TEAM EXERCISES-I
Module 188 • PENETRATION TESTS & RED TEAM EXERCISES
https://www.cisecurity.org/controls/

20.1: Establish a Penetration Testing Program
• Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.

20.2: Conduct Regular External and Internal Penetration Tests
• Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

20.3: Perform Periodic Red Team Exercises
• Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

20.4: Include Tests for Presence of Unprotected System Information and Artifacts
• Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation.
CIS CONTROL 20: PEN TESTS & RED TEAM EXERCISES-II
Module 189 • PENETRATION TESTS & RED TEAM EXERCISES
https://www.cisecurity.org/controls/

20.5: Create Test Bed for Elements Not Typically Tested in Production
• Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

20.6: Use Vulnerability Scanning and Penetration Testing Tools in Concert
• Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

20.7: Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
• Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

20.8: Control and Monitor Accounts Associated with Penetration Testing
• Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
What Is IT Governance ?
Module 190 • What is IT Governance ?
– The primary goals of IT Governance are to assure that the investments in IT generate business value, and to mitigate the risks that are associated with IT.
http://www.intosaiitaudit.org/intoit_articles/25_p30top35.pdf

• What is IT Governance ?
– Simply put, it’s putting structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance.
– It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results.
– An IT governance framework should answer key questions such as how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from investments.
http://www.cio.com/article/2438931/governance/it-governance-definition-and-solutions.html

• Frameworks which cover IT Governance:
– ISO27001:2013 (Information Security Management System - ISMS)
– ITIL (IT Infrastructure Library)
– COBIT (Control Objectives for Information & Related Technology)
https://www.itgovernance.co.uk/it_governance

[Figure: IT Governance; Resource Management]

• What is COBIT ?
– Simply stated, COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
What Is Information Security Governance ?
Module 191 • What is Information Security governance ?
– "Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."
IT Governance Institute (ITGI), Guidance for Boards of Directors & Executive Management, 2nd Edition

• Information Security governance is the mechanism by which the information security function is managed by the organization.

[Figure: IT Governance comprises Information Security Governance; Business Continuity & DR; IT Service Management & Performance Management; IT Project Management]

• The leading framework for Information Security governance is ISO27001:2013 (ISMS)
– Considered the gold standard
– Most widely deployed Information Security governance framework

• “Provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
ISO27001:2013 (ISMS)

• Clauses 4 to 10 of ISO27001:2013
– 4: Organization & context, scope
– 5: Leadership & commitment, policy, organizational roles & responsibilities
– 6: Planning; InfoSec objectives and planning to achieve them
– 7: Support; resources, competence, awareness
– 8: Operations; risk assessment and risk management
– 9: Performance evaluation; monitoring, measurement & analysis; internal audit
– 10: Non-conformities & corrective actions, continual improvement
ISO27001:2013 (ISMS)
Why Is InfoSec Governance At Stage 4 ?
Module 192 • Let’s have a look at the Security Transformation Model

INFORMATION SECURITY TRANSFORMATION MODEL
4. Security Governance
3. Security Engineering
2. Vulnerability Management
1. Security Hardening

• Why is security governance at stage 4?
– First build a building and then manage it
– The first 2 stages build up the essential foundation
– The 3rd stage implements advanced security measures
– Then (4th stage) it is time to manage…

• Limited organizational bandwidth?
– Governance is a broad function
– May get lost in governance if implemented at the wrong time
– Spend limited resources where they count most (in security hardening)

• Pakistan’s InfoSec paradigm:
– Governance overkill
– Reactive
– Superficial
– Complete absence of underlying security controls
– …that is why security transformation is required

• Once the basic foundations of security hardening, vulnerability management, and security engineering are in place it is time to manage the “system”
• If we try to establish governance first, our entire energies will be consumed in managing a system that has not yet been built…

• Organizational security maturity: when does governance make sense?
• Governance is important, but only after security hardening & controls (stages 1, 2, and 3) are in place…
Can InfoSec Governance Be Before Stage 4 ?

Module 193
• Let's have a look at the Security Transformation Model

INFORMATION SECURITY TRANSFORMATION MODEL
4. Security Governance
3. Security Engineering
2. Vulnerability Management
1. Security Hardening

• Implications of implementing Stage 4 before the first 3 stages:
– Expending project energy, resources, and time in governance whereas they should have been spent on building the fundamental security foundation (which later requires management)
– Getting caught up in intangible “governance” activity
– Getting caught up in policy & management without essential and fundamental underlying security controls
– Setting unrealistic expectations
– Note that governance consists of documentation and process, which tends to bog down and disinterest tech resources

• Security controls (Stages 1-3), once they are implemented by following security hardening & vulnerability management international best practices, can be better documented and regulated through governance (policy, SOP)…

• Why?
– We know what works and is implementable in terms of security controls
– Controls are implemented incrementally (practical)
– Minimal policy in place at initial stages as a starting point

• However:
– Certain projects may have governance stipulations by the regulator/customers
– Deadline to achieve certain governance or security milestones
– In such cases tailor the security transformation project

• The sequence of the security transformation model (stages 1 through 4) should be followed wherever possible as it is a tried and tested model
• The security transformation model may be tailored as per your unique requirements
Pakistan’s InfoSecurity Posture & Challenges

Week 12
Module 194
• Let's have a look at the typical IT & Information Security challenges

[Diagram: IT, InfoSec, Audit, Compliance, Risk]

IT CHALLENGES SUMMARY

INFORMATION SECURITY CHALLENGES

PAKISTAN INDUSTRY CHARACTERISTICS
[Diagram: Security – Harden? Manage Security?]

• Pakistan is now almost one entire technology generation behind in Information Security
• IT progressed during the last 10-12 years but InfoSec was ignored
• The Information Security Transformation Model is the only way to catch up
InfoSec Governance Building Blocks

Module 195
• Let's have a look at the Information Security governance building blocks

INITIAL GOVERNANCE BUILDING BLOCKS
Policy; Responsibility; Resource & Priority; Periodic Review

INTERMEDIATE GOVERNANCE BUILDING BLOCKS
SOPs; Change Management; Awareness; Monitoring

MATURE GOVERNANCE BUILDING BLOCKS
Internal Audit

CONTINUAL IMPROVEMENT CYCLE
Assessment → Corrective Action → Continual Improvement

• Governance implementation should be broken up into phases
– Essential (initial) activities first
– Gradually progress with activities that match organizational readiness & maturity
Whose Responsibility Is InfoSec Governance ?

Module 196
• Information security governance has responsibilities at different layers of the organization
• In Pakistan, the governance functions are slightly different than practice in more mature markets

TYPICAL ORGANIZATIONAL TIERS AND MEMBERS
TIER | MEMBERS
BOARD (STEERING COMMITTEE) | BOARD MEMBER, CIO, CISO, IT MANAGEMENT, (SOME KEY BUSINESS MEMBERS)
IT MANAGEMENT (CIO) | GMs BELONGING TO IT MANAGEMENT, CISO
CISO/SECURITY HEAD | CISO AND ISMC
IT & SECURITY TEAMS | IT TEAMS AND PROJECT TEAMS

TYPICAL ORGANIZATIONAL TIERS AND RESPONSIBILITIES
TIER | RESPONSIBILITY
BOARD (STEERING COMMITTEE) | ORGANIZATIONAL COMMITMENT, APPROVE BUDGET, DIRECT
IT MANAGEMENT (CIO) | REVIEW, MONITOR, PROPOSE
CISO/SECURITY HEAD | PLAN, BUILD, RUN
IT & SECURITY TEAMS | IMPLEMENT/EXECUTE

• Based on experience with real Information Security Transformation projects in the Pakistan industry, we have set a more practical structure as shown in the following slides
• Well-suited to drive the Security Transformation project successfully

STRUCTURE FOR SECURITY TRANSFORMATION PROJECT
TIER [CADENCE] | MEMBERS | ROLE | RESPONSIBILITY
Board [QTR] | Executive management | Management commitment | Commitment, approve budget, direct
InfoSec Steering Comm. [MONTHLY] | IT management & CISO | Assurance | Review, monitor, propose
Information Security Management Committee (ISMC) [WEEKLY] | CISO | Strategy & planning | Plan, build, run
IT / InfoSec Teams [DAILY] | Teams | Execution | Implement

• When working in the practical industry in a market where the security posture is sub-par, we should be open to adopting structures and strategies relevant for such a level of market
• ISACA and other frameworks propose mechanisms that do not always make sense in an unprepared market
How Is InfoSec Governance Implemented ?

Module 197
• Let's have a look at the Information Security governance building blocks

INITIAL GOVERNANCE BUILDING BLOCKS
Policy; Responsibility; Resource & Priority; Periodic Review

ACTIVITY | RESPONSIBLE | DETAIL
POLICY | DEVELOPED BY CISO, SIGNED OFF BY BOARD/EXECUTIVE | SETS THE SCOPE, OBJECTIVES, FRAMEWORK, REQUIREMENTS
RESPONSIBILITY & AUTHORITY | BOARD/EXECUTIVE | ASSIGNS ROLES, RESPONSIBILITIES, AND AUTHORITY FOR INFOSEC PROGRAM
RESOURCE ASSIGNMENT & PRIORITY SETTING | BOARD/EXECUTIVE | ALLOCATION OF RESOURCES AND BUDGET FOR THE INFOSEC FUNCTIONS
PERIODIC REVIEW | BOARD/EXECUTIVE | MONITOR AND REVIEW THAT THE GOALS OF THE INFOSEC PROGRAM ARE BEING MET

INTERMEDIATE GOVERNANCE BUILDING BLOCKS
SOPs; Change Management; Awareness; Monitoring

ACTIVITY | RESPONSIBLE | DETAIL
CHANGE MANAGEMENT | IT MANAGEMENT | ESTABLISHING AND ENFORCING A CHANGE MANAGEMENT PROCESS
SOPs | IT MANAGEMENT | DEVELOPING STANDARD OPERATING PROCEDURES BASED ON ACTUAL PRACTICE
AWARENESS | CISO/SECURITY TEAMS | CONDUCTING SECURITY AWARENESS TRAINING
MONITORING/REVIEW | IT MANAGEMENT | GAUGING THE PERFORMANCE AND PROGRESS OF THE INFOSEC PROGRAM AGAINST AGREED PROJECT PLAN/MILESTONES

MATURE GOVERNANCE BUILDING BLOCKS
Internal Audit

ACTIVITY | RESPONSIBLE | DETAIL
RISK MANAGEMENT | DRIVEN BY INFOSEC, SUPPORTED BY IT MANAGEMENT | RISK ASSESSMENT, RISK TREATMENT & RISK MANAGEMENT LIFECYCLE
INTERNAL AUDIT | INTERNAL AUDIT DEPT, OR INFOSEC | IMPLEMENT PERIODIC AUDIT PROGRAM
INCIDENT MANAGEMENT | IT MANAGEMENT & INFOSEC | INCIDENT MANAGEMENT LIFECYCLE

CONTINUAL IMPROVEMENT CYCLE
Assessment → Corrective Action → Continual Improvement

ACTIVITY | RESPONSIBLE | DETAIL
CONTINUAL IMPROVEMENT | BOARD/EXECUTIVE | CONTINUAL STEPS FOR THE EFFECTIVENESS OF INFOSEC PROGRAM
CORRECTIVE ACTIONS | IT MANAGEMENT / INFOSEC | CORRECTIVE ACTIONS FOR NON-CONFORMITIES AND GAPS
THIRD-PARTY ASSESSMENTS | BOARD/INFOSEC | CONDUCT THIRD-PARTY ASSESSMENTS SUCH AS VA/PT, GAP ANALYSIS

• Information Security governance can quickly become a challenge as governance is considered an intangible
– How do you achieve governance?
– When do you know you have achieved it?
– How do you drive process and documentation in IT?

• The key is to align Information Security governance as closely as possible with ISO27001:2013 (ISMS), and to go for crisp, clear actions which are always measurable
• Certify against ISO27001:2013 (ISMS) for best-practices implementation
How To Build Effective InfoSec Governance ?

Module 198
• Key success factors:
– Leadership
– Strategy
– Structure
– Reporting
– Project management
– Culture

[Diagram: InfoSec Governance surrounded by Leadership, Strategy, Structure, Reporting, Project Management, Culture]

• Leadership:
– Executive management role
– Tone at the top
– Drive pressing priority
– Approves budgets and resources
– Periodic review of progress

• Strategy:
– How the objectives will be practically achieved while achieving the technical, governance, and performance goals
– How the organization will gear up and focus for the security transformation

• Structure:
– What hierarchies, team structures, reporting lines, and resources will come together
– How will different teams work together to achieve the common goals?

• Reporting:
– What will be reported?
– What will be the frequency of reports?
– Who will perform review and assurance?
– Who will monitor and track progress?

• Project Management:
– How will an exceptional execution discipline be built?
– How will milestones and performance be tracked?
– How will project management best practices be utilized?

• Culture:
– How will an open, cooperative, authentic, and committed culture be built?
– How will contention and conflict be eliminated?
– How will a performance-driven culture be promoted?

• Building effective information security governance or an effective information security transformation project is based on good management, execution and project management skills
InfoSec Dept Structure (Large-Sized Org)

Module 199
• Let's look at the recommended structure for a large organization

CISO
  Program Manager
    Security Engineering (6): Domain Knowledge; Network, Systems, Application, DB
    Security Operations (15): AV, SOC, Security Tools, VM; running various security ops tools, SOC
    Security Governance (4): Policies, Procedures, Training; Policies, SOPs, Compliance, Audits, Training
    Security Frameworks & Standards (3): Security Programs (ISMS, COBIT, CMMI); ISO27001, COBIT, CMMI
Headcount: 1 CISO, 1 Program Manager, 6 + 15 + 4 + 3 staff = 30 total

• A large organization can have an InfoSec team ranging between 25-30 staff
• 10% of IT (250 to 300 IT staff)
InfoSec Dept Structure (Mid-Sized Org)

Module 200
• Let's look at the recommended structure for a mid-sized organization

CISO
  Security Engineering (4): Domain Knowledge; Network, Systems, Application, DB
  Security Operations (4): AV, SOC, Security Tools, VM; running various security ops tools, SOC
  Security Governance (3): Policies, Procedures, Training, Frameworks; Policies/SOPs, Compliance, Audits, Training, Frameworks
Headcount: 1 CISO, 4 + 4 + 3 staff = 12 total

• A mid-sized organization can have an InfoSec team ranging between 10-15 staff
• 10% of IT (100 to 150 IT staff)
InfoSec Dept Structure (Small Org)

Module 201
• Let's look at the recommended structure for a small organization

CISO
  Security Technology (3) (shown as Security Operations on the overview slide): AV, Security Tools, VM, Domain Expertise; running various security ops tools, Tech
  Security Governance (2): Policies, Procedures, Training, Frameworks; Policies/SOPs, Compliance, Audits, Training
Headcount: 1 CISO, 3 + 2 staff = 6 total

• A small-sized organization can have an InfoSec team ranging between 2-4 staff
• 10% of IT (15 to 50 IT staff)
Role Of CISO In Driving Infosec Program

Module 202
• The CISO plays a crucial role in successfully driving the Information Security program
• Two factors:
– CISO skills
– Placement in organizational hierarchy

[Diagram: CISO skills – Technology Domain Knowledge, Governance Domain Knowledge, Leadership & Strategy Skills, People Skills]

• Leadership & strategy:
– Good understanding of IT & Information security challenges
– Experience of driving critical projects in organizations
– Ability to build program strategy, structure, reporting mechanism, and execution discipline to achieve results
– Ability to work with the Board and senior executive management to drive the program
– Ability to motivate and communicate the security vision to the team
– Ability to infuse credibility & authenticity in the IT environment
– Ability to build a teamwork & cooperation culture

• Technology Domain Knowledge:
– CISOs or security heads usually have 5-10 years’ experience in IT followed by 3-5 years in Information Security
– CISOs are typically strong in 2-3 domain areas such as networking + infrastructure OR software + databases OR software QA & process engineering
– A good CISO is able to build a good team to cover all major domain areas and all functional requirements
– Having a solid technical base, good CISOs are able to easily build a security competence layer on top of it

• Governance domain knowledge:
– Working with regulators & compliance
– Policies & SOPs
– Frameworks & standards
– A passion for training & awareness
– A process-oriented mindset to successfully build a strong InfoSec program
– Ability to balance people, process, and technology

• Good people skills:
– A CISO requires good people management skills as the security transformation project is all about motivating, directing, and organizing people to achieve a focused goal
– Personal discipline & commitment

• Placement:
– Within IT
– Within risk
– Reporting to a board committee
Key Inhibitors For Security Program Failure

Module 203
• There may be several inhibitors to achieving a successful security transformation project

[Diagram: Failed Project – Poor executive commitment, Poor structure & strategy, Poor execution]

• Executive management:
– Allocates budget and approves resources
– Sets organizational priority & “tone at the top”
– Even if you start a program without executive management support, it may not last long
– Periodic reviews by executive management drive the execution in the IT organization
– Organizational priorities may change quickly if executive management does not sustain its commitment

• Strategy & structure:
– A good or poor strategy & structure will make or break any project, in any discipline, in any organization
– Addressing the needs and inter-linkages to make the entire machinery work in a streamlined manner
– Understanding roles of various stakeholders and taking them all along
– Having sufficient experience to work at various levels of the organization

• Execution:
– All information security projects boil down to strong execution & project management once leadership commitment and strategy/structure issues are addressed
– Allocating tasks to run different phases in parallel & sequentially
– Prioritizing tasks
– Tracking progress
– Reporting dashboards
– Team/Steering Committee/Board presentations

• Failure of the Information Security program will be imminent if any one of these three elements (leadership, strategy/structure, execution) is not adequately addressed
InfoSec Strategy For Smaller Organizations

Module 204
• Smaller & newer organizations face unique challenges which may require a creative approach to implement a successful security transformation program

[Diagram: Smaller Orgs – Limited budget, Untrained staff, Ad hoc culture]

• Limited budget:
– Limited priority with limited resources
– Break up the project into phases matching resource allocation & organizational bandwidth available
– Limit scope to 1 location, department, team, or even to 1 application
– Consider hiring one competent security or IT member in the team
– Provide management support and periodic review
– 12 to 15 months for security transformation

• Untrained staff:
– Consider hiring a consultant
– Train, incentivize, and motivate the team
– Give time to the team to adopt the security culture & processes
– Periodic management reviews & corrective actions

• Ad hoc culture:
– Smaller & newer organizations may have a chaotic and ad hoc culture
– Lack of process approach
– Resources not disciplined for consistent delivery
– Rapidly changing focus and attention span
– May be resolved with a good project leader or competent consultant
– Training & setting organizational vision

• The leaders of small organizations are usually aware of their organizational capacity and limitations with experience
• Work with the organizational leadership to deploy a competent project lead and team members
Common Challenges: Security Documentation

Module 205
• Common challenges with security governance documentation

• As we have seen in the previous modules, policies, SOPs, checklists, guidelines, and records are all important parts of the Information Security Management System (ISMS) and are based on documentation, usually with an associated process

[Diagram: Documentation Challenges – Process culture absent, Defective & voluminous documents, Roles & responsibilities, Training & awareness]

• Process culture absent:
– Ad hoc culture
– Rapidly changing priorities
– Inhibits the time & concentration required for documentation
– Requires executive support to build a process-oriented culture
– Requires business transformation as well as security transformation, as the style in which the organization works needs to be addressed
– New focus on quality, process, and assurance for results

• Defective & voluminous documentation:
– Effective writing & documentation is a rare skill
– No one likes to read long, winding, poorly structured documentation
– No one likes to read!
– Documentation appetite & organizational maturity
– Gradually build organizational appetite for documentation with extremely concise documents
– Documentation has a close relationship with process culture and quality – is your organization going after the right goals with balance?

• Training & awareness:
– There may be a fear of documentation, and staff may be unaware or not possess the skills or experience of documentation
– Train and raise awareness in a friendly environment
– Incentivize
– Create working templates which are easily accessible on the organizational portal
– Create how-to videos & FAQs, etc.
– Invest in raising competence & skills of staff

• Roles & responsibilities:
– Is the right person working in the right place?
– Do key people tasked with security governance & documentation have the right skills and experience to build documentation?
– Are staff aware of their responsibilities related to security governance documentation …policies, SOPs, checklists, etc.?
– Is a documentation and process approach part of staff JDs & appraisal?
Security Documentation: Policies

Module 206
• Policies
• Standards
• Procedures
• Guidelines

https://frsecure.com/blog/differentiating-between-policies-standards-procedures-and-guidelines/

• Policies
Policies are formal statements produced and supported by senior management. They can be organization-wide, issue-specific or system specific. Your organization’s policies should reflect your objectives for your information security program.

Your policies should be like a building foundation; built to last and resistant to change or erosion.

1. Driven by business objectives and convey the amount of risk senior management is willing to accept.
2. Easily accessible and understood by the intended reader.
3. Created with the intent to be in place for several years and regularly reviewed with approved changes made as needed.

Policy document template (from the template slides):
HEADER: TITLE, DOC #, VERSION #, CLASSIFICATION, DATE
REVISION HISTORY
REVIEW HISTORY
APPROVED BY
INTRODUCTION
SCOPE
POLICY DESCRIPTION
POLICY COMMUNICATION
REVIEW
ENFORCEMENT
Security Documentation: Standards

Module 207
• Policies
• Standards
• Procedures
• Guidelines

https://frsecure.com/blog/differentiating-between-policies-standards-procedures-and-guidelines/

• Standards
Standards are mandatory actions or rules that give formal policies support and direction. One of the more difficult parts of writing standards for an information security program is getting a company-wide consensus on what standards need to be in place.

This can be a time-consuming process but is vital to the success of your information security program.

1. Used to indicate expected user behavior. For example, a consistent company email signature.
2. Might specify what hardware and software solutions are available and supported.
3. Compulsory and must be enforced to be effective. (This also applies to policies!)
Security Documentation: Procedures

Module 208
• Policies
• Standards
• Procedures
• Guidelines

https://frsecure.com/blog/differentiating-between-policies-standards-procedures-and-guidelines/

• Procedures
Procedures are detailed step by step instructions to achieve a given goal or mandate. They are typically intended for internal departments and should adhere to strict change control processes.

Procedures can be developed as you go. If this is the route your organization chooses to take it’s necessary to have comprehensive and consistent documentation of the procedures that you are developing.

1. Often act as the “cookbook” for staff to consult to accomplish a repeatable process.
2. Detailed enough and yet not too difficult that only a small group (or a single person) will understand.
3. Installing operating systems, performing a system backup, granting access rights to a system and setting up new user accounts are all examples of procedures.

Procedure document template (from the template slides):
HEADER: TITLE, DOC #, VERSION, CLASSIFICATION, DATE
REVISION HISTORY
REVIEW HISTORY
APPROVED BY
TOC
PURPOSE
SCOPE
REF POLICY
PROCEDURE DETAIL (…ACCESS CONTROL)
Security Documentation: Guidelines

Module 209
• Policies
• Standards
• Procedures
• Guidelines

https://frsecure.com/blog/differentiating-between-policies-standards-procedures-and-guidelines/

• Guidelines
Guidelines are recommendations to users when specific standards do not apply. Guidelines are designed to streamline certain processes according to what the best practices are.

Guidelines, by nature, should be open to interpretation and do not need to be followed to the letter.

1. Are more general vs. specific rules.
2. Provide flexibility for unforeseen circumstances.
3. Should NOT be confused with formal policy statements.
How To Develop Effective Security Policies

Module 210 6 Steps To Security Policy


Excellence

http://www.infosectoday.c
om/Articles/Security_Policy
_Excellence.htm

1802
How To Develop Effective Security Policies

Purpose Of Policies &


Procedures
• Policies and procedures
establish guidelines to
behavior and business
processes in accordance
with an organization's
strategic objectives.
While typically
developed in response
to legal and regulatory
requirements, their…
1803
How To Develop Effective Security Policies

Purpose Of Policies &


Procedures
• …primary purpose
should be to convey
accumulated wisdom on
how best to get things
done in a risk-free,
efficient and compliant
way.

1804
How To Develop Effective Security Policies

Policy Pitfalls
1. Poorly worded policies
2. Badly structured
policies
3. Out-of-date policies
4. Inadequately
communicated policies
5. Unenforced policies
6. Lack of management
scrutiny

1805
How To Develop Effective Security Policies

Six Steps:
1. Create & Review
Documents must be
written using language
that is appropriate for the
target audience and should
spell out the consequences
of non-compliance.
Smaller, more manageable
documents are easier for
an organization to review
and update, while also…
1806
How To Develop Effective Security Policies

Six Steps:
1. Create & Review
…being more palatable for
the intended recipients.

1807
How To Develop Effective Security Policies

Six Steps:
2. Distribute
Organizations need to
effectively distribute
policies, both new and
updated, in a timely and
efficient manner. These
need to be consistently
enforced across an
organization.

1808
How To Develop Effective Security Policies

Six Steps:
3. Achieve Consent
A process needs to be
implemented that
monitors users' response
to policies. Policy
distribution should be
prioritised, ensuring that
higher risk policies are
signed off earlier by users
than other lower risk
documents.
1809
How To Develop Effective Security Policies

Six Steps:
3. Achieve Consent
For example, an
organization may want to
ensure that a user signs up
to their Information
Governance policy on the
first day that they start
employment, whilst having
up to two weeks to sign up
to the Travel & Expense
Policy.
1810
How To Develop Effective Security Policies

Six Steps:
3. Achieve Consent
Systems need to in place
to grant a user two weeks
to process a particular
document, after which the
system should
automatically force the
user to process it.

1811
How To Develop Effective Security Policies

Six Steps:
4. Understanding
To monitor and measure staff comprehension and effectiveness of policies and associated documentation, organizations should test all, or perhaps a subset of, users. Any areas that show weaknesses can be identified and corrected accordingly. Additional training or guidance may be necessary or, if it's the policy that is causing confusion, it can be reworded or simplified.
How To Develop Effective Security Policies

Six Steps:
5. Auditability
The full revision history of all documents needs to be maintained, as well as who has read what, when and, if possible, how long it took; who declined a policy and why. This record should be stored for future reference and may be stored in conjunction with test results.
How To Develop Effective Security Policies

Six Steps:
6. Reporting
To effect change and improve compliance it helps if key performance indicators relating to policy uptake are clearly visible across all levels of an enterprise. Dashboard visibility of policy uptake compliance by geographical or functional business units helps to consolidate information and highlights exceptions.
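Steps 3, 5 and 6 above describe one workflow: risk-tiered sign-off deadlines, an append-only record of who accepted or declined what and why, and uptake indicators per business unit. The following Python tracker is an added example (not code from the handout or from any policy tool it mentions); the sign-off windows, policy names, users, units and dates are all constructed assumptions.

```python
"""Policy attestation tracker: risk-tiered sign-off deadlines, overdue
detection, an append-only decision history and uptake KPIs per unit.
Added example; all policy names, users, units and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed sign-off windows in days by policy risk tier: a high-risk policy
# must be accepted on the first day, a low-risk one within two weeks.
SIGN_OFF_WINDOW_DAYS = {"high": 0, "medium": 7, "low": 14}


@dataclass
class Policy:
    name: str
    risk: str       # "high" | "medium" | "low"
    version: int    # acceptance of an older version does not count


@dataclass
class Attestation:
    user: str
    policy: str
    version: int
    decided_on: date
    accepted: bool
    reason: Optional[str] = None   # required when a policy is declined


@dataclass
class Tracker:
    policies: Dict[str, Policy]
    start_dates: Dict[str, date]   # user -> first day of employment
    units: Dict[str, str]          # user -> business unit
    history: List[Attestation] = field(default_factory=list)

    def deadline(self, user: str, policy: str) -> date:
        days = SIGN_OFF_WINDOW_DAYS[self.policies[policy].risk]
        return self.start_dates[user] + timedelta(days=days)

    def record(self, att: Attestation) -> None:
        """Append-only: the full history of who accepted or declined what,
        and why, is retained for audit (step 5)."""
        if not att.accepted and not att.reason:
            raise ValueError("a declined policy must carry a reason")
        self.history.append(att)

    def latest(self, user: str, policy: str) -> Optional[Attestation]:
        current = self.policies[policy].version
        hits = [a for a in self.history
                if a.user == user and a.policy == policy and a.version == current]
        return hits[-1] if hits else None

    def overdue(self, today: date) -> List[Tuple[str, str]]:
        """(user, policy) pairs not accepted at the current version after the
        deadline: the ones the system should now force the user to process."""
        out = []
        for user in self.start_dates:
            for name in self.policies:
                last = self.latest(user, name)
                if (last is None or not last.accepted) and today > self.deadline(user, name):
                    out.append((user, name))
        return sorted(out)

    def uptake_by_unit(self) -> Dict[str, float]:
        """KPI for the dashboard (step 6): share of (user, policy) pairs
        accepted at the current version, per business unit."""
        totals: Dict[str, int] = {}
        accepted: Dict[str, int] = {}
        for user, unit in self.units.items():
            for name in self.policies:
                totals[unit] = totals.get(unit, 0) + 1
                last = self.latest(user, name)
                if last is not None and last.accepted:
                    accepted[unit] = accepted.get(unit, 0) + 1
        return {u: round(accepted.get(u, 0) / totals[u], 2) for u in totals}


def build_sample_tracker() -> Tracker:
    """Constructed sample data (not from the handout)."""
    t = Tracker(
        policies={"Information Governance": Policy("Information Governance", "high", 2),
                  "Travel & Expense": Policy("Travel & Expense", "low", 1)},
        start_dates={"alice": date(2024, 3, 1), "bob": date(2024, 3, 1), "carol": date(2024, 3, 10)},
        units={"alice": "Finance", "bob": "IT", "carol": "IT"},
    )
    t.record(Attestation("alice", "Information Governance", 2, date(2024, 3, 1), True))
    t.record(Attestation("alice", "Travel & Expense", 1, date(2024, 3, 10), True))
    # bob accepted a superseded version and declined the expense policy
    t.record(Attestation("bob", "Information Governance", 1, date(2024, 3, 1), True))
    t.record(Attestation("bob", "Travel & Expense", 1, date(2024, 3, 5), False, "contractor, policy not applicable"))
    t.record(Attestation("carol", "Information Governance", 2, date(2024, 3, 10), True))
    return t


def report(today_iso: str) -> Tuple[List[Tuple[str, str]], Dict[str, float]]:
    """Overdue list and per-unit uptake for the sample data on a given day."""
    t = build_sample_tracker()
    return t.overdue(date.fromisoformat(today_iso)), t.uptake_by_unit()


if __name__ == "__main__":
    overdue, uptake = report("2024-03-20")
    print("overdue:", overdue)
    print("uptake by unit:", uptake)
```

Note that acceptance of a superseded policy version is deliberately not counted: re-attestation after a policy change is what keeps the audit record meaningful, and it is why the tracker stores the version alongside each decision.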

END
ISMS:Leading InfoSec Governance Framework

Module 211
• ISO27001:2013 (ISMS)
– Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system
– Ten short clauses
– Long annex
ISMS:Leading InfoSec Governance Framework

ISO27001:2013 MANDATORY CLAUSES

https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf

ISMS:Leading InfoSec Governance Framework

ISO27001:2013 DISCRETIONARY CONTROLS

TOTAL: 113
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf

ISMS:Leading InfoSec Governance Framework

• Merits of ISO27001:2013 (ISMS):
– Exceptional framework with comprehensive coverage of mandatory requirements (clauses 4-10) and discretionary controls (annex)
ISMS:Leading InfoSec Governance Framework

• Merits of ISO27001:2013 (ISMS):
– Highly beneficial as a framework for a security program
– Covers all domain areas
– Provides a structure and organized sequence for security controls
ISMS:Leading InfoSec Governance Framework

• Merits of ISO27001:2013 (ISMS):
– Complements the security transformation model, as it serves as a reference and guideline for activities and controls
ISMS:Leading InfoSec Governance Framework

• De-merits of ISO27001:2013 (ISMS):
– Very broad
– Generic framework – leaves it to the organization how to implement the measures and controls
– Not suited for orgs that are new to a security program
ISMS:Leading InfoSec Governance Framework

• How to best use advantages of ISO27001:2013 (ISMS):
– Implement security transformational model
– Cap off security transformation project with ISO27001:2013 (ISMS) certification
– ISMS as a complementary reference and checklist rather than main framework
Clauses 4-6 Of ISO27001:2013 (ISMS)

Week 13
Module 212
• Let's have a look at clauses 4-6
Clauses 4-6 Of ISO27001:2013 (ISMS)

ISO27001:2013 MANDATORY CLAUSES

https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf

Clauses 4-6 Of ISO27001:2013 (ISMS)

• 4: Context:
– Understanding the org and its context; internal and external issues relevant to its purpose and that affect its ability to achieve the intended outcomes of the ISMS
– Needs and expectations of interested parties (e.g. legal and regulatory requirements and contractual obligations)
– Scope (boundaries); interfaces and dependencies
Clauses 4-6 Of ISO27001:2013 (ISMS)

• 5: Leadership & Commitment
– Policy & objectives are established and are compatible with the strategic direction of the org
– Integrating ISMS into org processes
– Resources for ISMS available
– Communicating importance
– Ensuring ISMS achieves intended outcomes
– Directing & supporting persons
– Promoting continual improvement
– Assign and communicate roles, responsibilities & authorities
Clauses 4-6 Of ISO27001:2013 (ISMS)

• 6: Planning
– Address org risks & opportunities & prevent or reduce undesired effects
– Ensure risk assessment is conducted
– Identify, analyze, evaluate risks
– Ensure risk treatment is effective
Clauses 4-6 Of ISO27001:2013 (ISMS)

• 6: Planning
– Ensure information security objectives are measurable and communicated
– For objectives determine what will be done, what resources are required, who will be responsible, when completed, how to evaluate results
Clauses 7-10 Of ISO27001:2013 (ISMS)

Module 213
• Let's have a look at clauses 7-10
Clauses 7-10 Of ISO27001:2013 (ISMS)

ISO27001:2013 MANDATORY CLAUSES

https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf

Clauses 7-10 Of ISO27001:2013 (ISMS)

• 7: Support
– Org shall provide the resources necessary for the establishment, implementation, maintenance and continual improvement of the ISMS
– Ensure competence of staff for the ISMS
– Awareness related to the policy and ISMS will be ensured among staff
– Communication mechanisms related to ISMS internal and external to the org
– Documentation with appropriate identification, description, format, review & approval mechanism
– Documentation change control, protection, distribution, retention, & disposal
Clauses 7-10 Of ISO27001:2013 (ISMS)

• 8: Operations
– Plan, implement, and control processes
– Control planned changes
– Outsourced processes controlled
– Risk assessment and risk treatment & retain documented information
Clauses 7-10 Of ISO27001:2013 (ISMS)

• 9: Performance Evaluation
– Monitoring, measurement, analysis, and evaluation
– What needs to be monitored, methods, who will monitor, when to monitor, who shall analyze and evaluate results?
Clauses 7-10 Of ISO27001:2013 (ISMS)

• 9: Performance Evaluation
– Internal audit implemented at planned intervals
– Define audit criteria and scope for each audit
– Reporting of auditing results
– Retain auditing docs
Clauses 7-10 Of ISO27001:2013 (ISMS)

• 9: Management Review
– Planned intervals
– Status of actions
– Changes in external and internal environment
– Review non-conformities and corrective actions, monitoring & measurement results, audit reports, other
Clauses 7-10 Of ISO27001:2013 (ISMS)

• 10: Improvement
– Non-conformities and corrective actions
– Continual improvement

END
ISO27001:2013 Controls Appendix; Part 1

Module 214
• Let's have a look at the ISO27001:2013 (ISMS) controls (appendix) in more detail
ISO27001:2013 Controls Appendix; Part 1

ISO27001:2013 DISCRETIONARY CONTROLS

TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
ISO27001:2013 Controls Appendix; Part 1

A.5 INFORMATION SECURITY POLICIES
A.5.1 MANAGEMENT DIRECTION FOR INFORMATION SECURITY
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 POLICIES FOR INFORMATION SECURITY
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
A.5.1.2 REVIEW OF THE POLICIES FOR INFORMATION SECURITY
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
ISO27001:2013 Controls Appendix; Part 1

A.6 ORGANIZATION OF INFORMATION SECURITY
A.6.1 INTERNAL ORGANIZATION
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.1 INFOSEC ROLES & RESPONSIBILITIES
Control: All information security responsibilities shall be defined and allocated.
A.6.1.2 SEGREGATION OF DUTIES
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
ISO27001:2013 Controls Appendix; Part 1

A.6 ORGANIZATION OF INFORMATION SECURITY
A.6.1 INTERNAL ORGANIZATION
A.6.1.1 INFOSEC ROLES & RESPONSIBILITIES
A.6.1.2 SEGREGATION OF DUTIES
A.6.1.3 CONTACT WITH AUTHORITIES
A.6.1.4 CONTACT WITH SPECIAL INTEREST GROUPS
A.6.1.5 INFORMATION SECURITY IN PROJECT MANAGEMENT
ISO27001:2013 Controls Appendix; Part 1

A.6 ORGANIZATION OF INFORMATION SECURITY
A.6.1.3 CONTACT WITH AUTHORITIES
Control: Appropriate contacts with relevant authorities shall be maintained.
A.6.1.4 CONTACT WITH SPECIAL INTEREST GROUPS
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
ISO27001:2013 Controls Appendix; Part 1

A.6 ORGANIZATION OF INFORMATION SECURITY
A.6.2 MOBILE DEVICES & TELEWORKING
A.6.2.1 MOBILE DEVICE POLICY
A.6.2.2 TELEWORKING

A.6.2.2 TELEWORKING
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
ISO27001:2013 Controls Appendix; Part 1

• Gradually you will develop the skill to use the ISO27001:2013 standard quickly and with ease for your benefit…

END
ISO27001:2013 Controls Appendix; Part 2

Module 215
• Let's continue to have a look at the ISO27001:2013 (ISMS) controls (appendix) in more detail…
ISO27001:2013 Controls Appendix; Part 2

ISO27001:2013 DISCRETIONARY CONTROLS

TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
ISO27001:2013 Controls Appendix; Part 2

A.7 HUMAN RESOURCES SECURITY
A.7.1 PRIOR TO EMPLOYMENT
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
ISO27001:2013 Controls Appendix; Part 2

A.7 HUMAN RESOURCES SECURITY
A.7.1 PRIOR TO EMPLOYMENT
A.7.1.1 SCREENING
A.7.1.2 TERMS & CONDITIONS OF EMPLOYMENT

A.7.2 DURING EMPLOYMENT
A.7.2.1 MANAGEMENT RESPONSIBILITIES
A.7.2.2 INFOSEC AWARENESS, EDUCATION & TRAINING
A.7.2.3 DISCIPLINARY PROCESS
ISO27001:2013 Controls Appendix; Part 2

A.7 HUMAN RESOURCES SECURITY
A.7.1.1 SCREENING
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations & ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
ISO27001:2013 Controls Appendix; Part 2

A.7 HUMAN RESOURCES SECURITY
A.7.1.2 TERMS & CONDITIONS OF EMPLOYMENT
Control: The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.
ISO27001:2013 Controls Appendix; Part 2

A.7 HUMAN RESOURCES SECURITY
A.7.2 DURING EMPLOYMENT
A.7.2.1 MANAGEMENT RESPONSIBILITIES
A.7.2.2 INFOSEC AWARENESS, EDUCATION & TRAINING
A.7.2.3 DISCIPLINARY PROCESS
ISO27001:2013 Controls Appendix; Part 2

A.7 HUMAN RESOURCES SECURITY
A.7.2.1 MANAGEMENT RESPONSIBILITIES
Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
ISO27001:2013 Controls Appendix; Part 2

A.7 HUMAN RESOURCES SECURITY
A.7.3 TERMINATION & CHANGE OF EMPLOYMENT
A.7.3.1 TERMINATION OR CHANGE OF EMPLOYMENT RESPONSIBILITIES
ISO27001:2013 Controls Appendix; Part 2

A.7 HUMAN RESOURCES SECURITY
A.7.3.1 TERMINATION OR CHANGE OF EMPLOYMENT RESPONSIBILITIES
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.
ISO27001:2013 Controls Appendix; Part 2

• Let's look at asset management in the next module…

END
ISO27001:2013 Controls Appendix; Part 3

Module 216
• Let's continue to have a look at the ISO27001:2013 (ISMS) controls (appendix) in more detail…
ISO27001:2013 Controls Appendix; Part 3

ISO27001:2013 DISCRETIONARY CONTROLS

TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
ISO27001:2013 Controls Appendix; Part 3

A.8 ASSET MANAGEMENT
A.8.1 RESPONSIBILITY FOR ASSETS
A.8.1.1 INVENTORY OF ASSETS
A.8.1.2 OWNERSHIP OF ASSETS
A.8.1.3 ACCEPTABLE USE OF ASSETS
A.8.1.4 RETURN OF ASSETS
ISO27001:2013 Controls Appendix; Part 3

A.8 ASSET MANAGEMENT
A.8.1.1 INVENTORY OF ASSETS
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
ISO27001:2013 Controls Appendix; Part 3

A.8 ASSET MANAGEMENT
A.8.1.3 ACCEPTABLE USE OF ASSETS
Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
ISO27001:2013 Controls Appendix; Part 3

A.8 ASSET MANAGEMENT
A.8.2 INFORMATION CLASSIFICATION
A.8.2.1 CLASSIFICATION OF INFORMATION
A.8.2.2 LABELLING OF INFORMATION
A.8.2.3 HANDLING OF ASSETS
ISO27001:2013 Controls Appendix; Part 3

A.8 ASSET MANAGEMENT
A.8.2.1 CLASSIFICATION OF INFORMATION
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
ISO27001:2013 Controls Appendix; Part 3

A.8 ASSET MANAGEMENT
A.8.2.3 HANDLING OF ASSETS
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
ISO27001:2013 Controls Appendix; Part 3

A.8 ASSET MANAGEMENT
A.8.3 MEDIA HANDLING
A.8.3.1 MANAGEMENT OF REMOVABLE MEDIA
A.8.3.2 DISPOSAL OF MEDIA
A.8.3.3 PHYSICAL MEDIA TRANSFER
ISO27001:2013 Controls Appendix; Part 3

A.8 ASSET MANAGEMENT
A.8.3.1 MANAGEMENT OF REMOVABLE MEDIA
Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
ISO27001:2013 Controls Appendix; Part 3

A.8 ASSET MANAGEMENT
A.8.3.3 PHYSICAL MEDIA TRANSFER
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
ISO27001:2013 Controls Appendix; Part 3

• Let's look at access control in the next module…

END
ISO27001:2013 Controls Appendix; Part 4

Module 217
• In this module let's look at ISO27001:2013 (ISMS) controls related to access control…
ISO27001:2013 Controls Appendix; Part 4

ISO27001:2013 DISCRETIONARY CONTROLS

TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
ISO27001:2013 Controls Appendix; Part 4

A.9 ACCESS CONTROL
A.9.1 BUSINESS REQUIREMENTS OF ACCESS CONTROL
A.9.1.1 ACCESS CONTROL POLICY
A.9.1.2 ACCESS TO NETWORKS AND NETWORK SERVICES
ISO27001:2013 Controls Appendix; Part 4

A.9 ACCESS CONTROL
A.9.1.2 ACCESS TO NETWORKS & NETWORK SERVICES
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
ISO27001:2013 Controls Appendix; Part 4

A.9 ACCESS CONTROL
A.9.2 USER ACCESS MANAGEMENT
A.9.2.1 USER REGISTRATION & DE-REGISTRATION
A.9.2.2 USER ACCESS PROVISIONING
A.9.2.3 MANAGEMENT OF PRIVILEGED ACCESS RIGHTS
A.9.2.4 MANAGEMENT OF SECRET AUTHENTICATION INFO OF USERS
A.9.2.5 REVIEW OF USER ACCESS RIGHTS
A.9.2.6 REMOVAL OR ADJUSTMENT OF ACCESS RIGHTS
ISO27001:2013 Controls Appendix; Part 4

A.9 ACCESS CONTROL
A.9.2.3 MANAGEMENT OF PRIVILEGED ACCESS RIGHTS
Control: The allocation and use of privileged access rights shall be restricted and controlled.
ISO27001:2013 Controls Appendix; Part 4

A.9 ACCESS CONTROL
A.9.2.5 REVIEW OF USER ACCESS RIGHTS
Control: Asset owners shall review users’ access rights at regular intervals.
ISO27001:2013 Controls Appendix; Part 4

A.9 ACCESS CONTROL
A.9.2.6 REMOVAL OR ADJUSTMENT OF ACCESS RIGHTS
Control: Access rights of all employees and external party users to info & info processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
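Controls A.9.2.3, A.9.2.5 and A.9.2.6 are usually operated together as a periodic access review that reconciles the HR roster with the account list. The Python below is an added example of such a review (not code from the handout or from the standard); the roster, the accounts, the role-to-entitlement baseline and the review intervals are constructed assumptions.

```python
"""Periodic user access review (A.9.2.5) and removal/adjustment on leaving
or changing role (A.9.2.6): reconcile the HR roster against the account list.
Added example; roster, accounts, role baselines and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set


@dataclass
class Person:
    user: str
    role: str
    status: str   # "active" | "left"


@dataclass
class Account:
    user: str
    entitlements: Set[str]
    last_reviewed: date


# Assumed role-to-entitlement baseline: anything beyond it needs adjusting.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "analyst": {"crm_read", "vpn"},
    "dba": {"db_admin", "vpn"},
}
PRIVILEGED = {"db_admin", "domain_admin"}   # A.9.2.3: reviewed more often
REVIEW_DAYS_PRIVILEGED = 90                 # assumed review intervals
REVIEW_DAYS_STANDARD = 180


def review_access(roster: List[Person], accounts: List[Account], today: date) -> Dict[str, list]:
    """Findings for the asset owner to act on:
    remove         - account belongs to someone who has left
    orphan         - account has no HR record at all
    adjust         - entitlements beyond the person's current role
    review_overdue - last review older than the interval for its privilege level"""
    findings: Dict[str, list] = {"remove": [], "orphan": [], "adjust": [], "review_overdue": []}
    people = {p.user: p for p in roster}
    for acct in accounts:
        person = people.get(acct.user)
        if person is None:
            findings["orphan"].append(acct.user)
            continue
        if person.status == "left":
            findings["remove"].append(acct.user)
            continue
        excess = acct.entitlements - ROLE_BASELINE.get(person.role, set())
        if excess:
            findings["adjust"].append((acct.user, sorted(excess)))
        interval = REVIEW_DAYS_PRIVILEGED if acct.entitlements & PRIVILEGED else REVIEW_DAYS_STANDARD
        if today - acct.last_reviewed > timedelta(days=interval):
            findings["review_overdue"].append(acct.user)
    return findings


def sample_review() -> Dict[str, list]:
    """Constructed sample: one leaver, one orphaned service account, one DBA
    who kept an entitlement from a previous role and is overdue for review."""
    roster = [Person("alice", "analyst", "active"),
              Person("bob", "dba", "active"),
              Person("dave", "analyst", "left")]
    accounts = [Account("alice", {"crm_read", "vpn"}, date(2024, 1, 15)),
                Account("bob", {"db_admin", "vpn", "crm_read"}, date(2023, 11, 1)),
                Account("dave", {"crm_read", "vpn"}, date(2024, 2, 1)),
                Account("svc_backup", {"db_admin"}, date(2024, 2, 20))]
    return review_access(roster, accounts, date(2024, 3, 20))


if __name__ == "__main__":
    for category, items in sample_review().items():
        print(f"{category}: {items}")
```

The two feeds this depends on, an authoritative HR roster and a complete export of accounts with their entitlements, are the hard part in practice; the comparison itself is simple once both exist, and running it on a schedule is what turns A.9.2.5 from a paper control into an operated one.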
ISO27001:2013 Controls Appendix; Part 4

A.9 ACCESS CONTROL
A.9.3 USER RESPONSIBILITIES
A.9.3.1 USE OF SECRET AUTHENTICATION INFORMATION
ISO27001:2013 Controls Appendix; Part 4

A.9 ACCESS CONTROL
A.9.3.1 USE OF SECRET AUTHENTICATION INFORMATION
Control: Users shall be required to follow the organization’s practices in the use of secret authentication information.
ISO27001:2013 Controls Appendix; Part 4

A.9 ACCESS CONTROL
A.9.4 SYSTEM & APPLICATION ACCESS CONTROL
A.9.4.1 INFORMATION ACCESS RESTRICTION
A.9.4.2 SECURE LOG-ON PROCEDURES
A.9.4.3 PASSWORD MANAGEMENT SYSTEM
A.9.4.4 USE OF PRIVILEGED UTILITY PROGRAMS
A.9.4.5 ACCESS CONTROL TO PROGRAM SOURCE CODE
ISO27001:2013 Controls Appendix; Part 4

A.9 ACCESS CONTROL
A.9.4.3 PASSWORD MANAGEMENT SYSTEM
Control: Password management systems shall be interactive and shall ensure quality passwords.
A.9.4.5 ACCESS CONTROL TO PROGRAM SOURCE CODE
Control: Access to program source code shall be restricted.
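A.9.4.3 asks for an interactive system that ensures quality passwords; in practice that means rejecting a candidate password with a reason the user can act on. The checker below is an added example (not from the handout or the standard) of the quality rules such a system enforces; the minimum length and the small blocklist are constructed assumptions, and a real deployment would check against a large corpus of breached passwords instead.

```python
"""Password quality checks for an interactive password management system
(A.9.4.3): the system rejects weak choices and tells the user why.
Added example; the small blocklist is constructed, a real deployment checks
against a large corpus of breached passwords."""
from typing import List

# Constructed stand-in for a breached/common password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12   # assumed minimum


def has_run(s: str, length: int = 6) -> bool:
    """True if `s` contains a run of `length` characters that are identical or
    ascend by one code point (aaaaaa, abcdef, 123456)."""
    run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if ord(b) - ord(a) in (0, 1) else 1
        if run >= length:
            return True
    return False


def check_password(password: str, username: str) -> List[str]:
    """Return the list of reasons the password is rejected; empty means accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if username and username.lower() in lowered:
        problems.append("contains username")
    if len(set(lowered)) < 4:
        problems.append("too few distinct characters")
    if has_run(lowered):
        problems.append("keyboard or numeric sequence")
    return problems


if __name__ == "__main__":
    for pw, user in [("password", "alice"), ("alice-rides-bicycles!", "alice"),
                     ("correct horse battery staple", "bob"), ("abcdefghijkl", "bob")]:
        print(repr(pw), "->", check_password(pw, user) or "accepted")
```

The rules deliberately favour length and a blocklist over composition requirements (mandatory digits and symbols), since the latter push users toward predictable substitutions; returning every failing reason at once is what makes the system interactive rather than a silent reject.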
ISO27001:2013 Controls Appendix; Part 4

• Let's look at cryptography, and physical & environmental security in the next module…

END
ISO27001:2013 Controls Appendix; Part 5

Module 218
• In this module let's look at ISO27001:2013 (ISMS) controls related to cryptography, and physical & environmental security…
ISO27001:2013 Controls Appendix; Part 5

ISO27001:2013 DISCRETIONARY CONTROLS

TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
ISO27001:2013 Controls Appendix; Part 5

A.10 CRYPTOGRAPHY
A.10.1 CRYPTOGRAPHIC CONTROLS
A.10.1.1 POLICY ON THE USE OF CRYPTOGRAPHIC CONTROLS
A.10.1.2 KEY MANAGEMENT
ISO27001:2013 Controls Appendix; Part 5

A.10 CRYPTOGRAPHY
A.10.1.2 KEY MANAGEMENT
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
ISO27001:2013 Controls Appendix; Part 5

A.11 PHYSICAL & ENVIRONMENTAL SECURITY
A.11.1 SECURE AREAS
A.11.1.1 PHYSICAL SECURITY PERIMETER
A.11.1.2 PHYSICAL ENTRY CONTROLS
A.11.1.3 SECURING OFFICES, ROOMS, AND FACILITIES
A.11.1.4 PROTECTING AGAINST EXTERNAL & ENVIRONMENTAL THREATS
A.11.1.5 WORKING IN SECURE AREAS
A.11.1.6 DELIVERY & LOADING AREAS
ISO27001:2013 Controls Appendix; Part 5

A.11 PHYSICAL & ENVIRONMENTAL SECURITY
A.11.1.1 PHYSICAL SECURITY PERIMETER
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical info & information processing facilities.
ISO27001:2013 Controls Appendix; Part 5

A.11 PHYSICAL & ENVIRONMENTAL SECURITY
A.11.1.2 PHYSICAL ENTRY CONTROLS
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
A.11.1.5 WORKING IN SECURE AREAS
Control: Procedures for working in secure areas shall be designed and applied.
ISO27001:2013 Controls Appendix; Part 5

A.11 PHYSICAL & ENVIRONMENTAL SECURITY
A.11.2 EQUIPMENT
A.11.2.1 EQUIPMENT SITING & PROTECTION
A.11.2.2 SUPPORTING UTILITIES
A.11.2.3 CABLING SECURITY
A.11.2.4 EQUIPMENT MAINTENANCE
A.11.2.5 REMOVAL OF ASSETS
A.11.2.6 SECURITY OF EQUIPMENT & ASSETS OFF-PREMISES
ISO27001:2013 Controls Appendix; Part 5

A.11 PHYSICAL & ENVIRONMENTAL SECURITY
A.11.2.2 SUPPORTING UTILITIES
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
A.11.2.4 EQUIPMENT MAINTENANCE
Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.
ISO27001:2013 Controls Appendix; Part 5

A.11 PHYSICAL & ENVIRONMENTAL SECURITY
A.11.2 EQUIPMENT…
A.11.2.7 SECURE DISPOSAL OR RE-USE OF EQUIPMENT
A.11.2.8 UNATTENDED USER EQUIPMENT
A.11.2.9 CLEAR DESK & CLEAR SCREEN POLICY
ISO27001:2013 Controls Appendix; Part 5

A.11 PHYSICAL & ENVIRONMENTAL SECURITY
A.11.2.9 CLEAR DESK & CLEAR SCREEN POLICY
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
ISO27001:2013 Controls Appendix; Part 5

• Let's look at operations security in the next module…

END
ISO27001:2013 Controls Appendix; Part 6

Module 219
• In this module let's look at ISO27001:2013 (ISMS) controls related to operations security…
ISO27001:2013 Controls Appendix; Part 6

ISO27001:2013 DISCRETIONARY CONTROLS

TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
ISO27001:2013 Controls Appendix; Part 6

A.12 OPERATIONS SECURITY
A.12.1 OPERATIONAL PROCEDURES & RESPONSIBILITIES
A.12.1.1 DOCUMENTED OPERATING PROCEDURES
A.12.1.2 CHANGE MANAGEMENT
A.12.1.3 CAPACITY MANAGEMENT
A.12.1.4 SEPARATION OF DEVELOPMENT, TESTING, AND OPERATIONAL ENVIRONMENTS
ISO27001:2013 Controls Appendix; Part 6

A.12 OPERATIONS SECURITY
A.12.1.1 DOCUMENTED OPERATING PROCEDURES
Control: Operating procedures shall be documented and made available to all users who need them.
ISO27001:2013 Controls Appendix; Part 6

A.12 OPERATIONS SECURITY
A.12.1.2 CHANGE MANAGEMENT
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
ISO27001:2013 Controls Appendix; Part 6

A.12 OPERATIONS SECURITY
A.12.1.3 CAPACITY MANAGEMENT
Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
ISO27001:2013 Controls Appendix; Part 6

A.12 OPERATIONS SECURITY
A.12.1.4 SEPARATION OF DEVELOPMENT, TESTING, AND OPERATIONAL ENVIRONMENTS
Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
ISO27001:2013 Controls Appendix; Part 6

• Let's continue to look at operations security in the next module…

END
ISO27001:2013 Controls Appendix; Part 7

Module 220
• In this module let's look at ISO27001:2013 (ISMS) controls related to operations security…
ISO27001:2013 Controls Appendix; Part 7

ISO27001:2013 DISCRETIONARY CONTROLS

TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.2 PROTECTION FROM MALWARE
A.12.2.1 CONTROLS AGAINST MALWARE

A.12.2.1 CONTROLS AGAINST MALWARE
Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.3 BACKUP
A.12.3.1 INFORMATION BACKUP

A.12.3.1 INFORMATION BACKUP
Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.4 LOGGING & MONITORING
A.12.4.1 EVENT LOGGING
A.12.4.2 PROTECTION OF LOG INFORMATION
A.12.4.3 ADMINISTRATOR & OPERATOR LOGS
A.12.4.4 CLOCK SYNCHRONISATION
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.4.1 EVENT LOGGING
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.4.3 ADMINISTRATOR & OPERATOR LOGS
Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
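The four A.12.4 controls fit together: administrator and operator actions are logged (A.12.4.1, A.12.4.3), the log is protected so that later edits are detectable (A.12.4.2), and synchronised clocks keep the sequence of entries trustworthy (A.12.4.4). The Python below is an added example (not from the handout or the standard) of one way to make a log tamper-evident with a hash chain and to flag timestamps that run backwards on review; the log entries are constructed.

```python
"""Tamper-evident administrator/operator log (A.12.4.1-A.12.4.3): each
entry carries a hash that commits to the previous one, so any edited or
removed entry breaks the chain on review; timestamps that go backwards
are flagged as a clock-synchronisation problem (A.12.4.4).
Added example; the sample entries are constructed."""
import copy
import hashlib
import json
from typing import Dict, List, Optional, Set, Tuple

GENESIS = "0" * 64


def entry_hash(prev: str, ts: str, actor: str, action: str) -> str:
    payload = json.dumps({"prev": prev, "ts": ts, "actor": actor, "action": action}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log: List[Dict[str, str]], ts: str, actor: str, action: str) -> Dict[str, str]:
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"ts": ts, "actor": actor, "action": action, "prev": prev,
             "hash": entry_hash(prev, ts, actor, action)}
    log.append(entry)
    return entry


def verify_log(log: List[Dict[str, str]]) -> Tuple[bool, Optional[int], List[str]]:
    """Return (chain intact, index of the first broken entry, clock warnings)."""
    prev = GENESIS
    warnings: List[str] = []
    for i, e in enumerate(log):
        if e["prev"] != prev or entry_hash(prev, e["ts"], e["actor"], e["action"]) != e["hash"]:
            return False, i, warnings
        if i and e["ts"] < log[i - 1]["ts"]:   # ISO-8601 UTC strings sort chronologically
            warnings.append(f"entry {i} timestamp {e['ts']} precedes entry {i - 1}")
        prev = e["hash"]
    return True, None, warnings


def admin_actions(log: List[Dict[str, str]], admins: Set[str]) -> List[str]:
    """Entries by privileged actors: the subset a reviewer reads regularly."""
    return [e["action"] for e in log if e["actor"] in admins]


def build_sample_log() -> List[Dict[str, str]]:
    """Constructed entries; the third carries an earlier timestamp on purpose."""
    log: List[Dict[str, str]] = []
    append_entry(log, "2024-03-20T08:00:00Z", "root", "useradd svc_backup")
    append_entry(log, "2024-03-20T08:05:00Z", "operator1", "systemctl restart postgresql")
    append_entry(log, "2024-03-20T07:58:00Z", "root", "usermod -aG sudo svc_backup")  # clock skew
    append_entry(log, "2024-03-20T08:30:00Z", "operator1", "backup run completed")
    return log


def tampered_copy(log: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Simulate an after-the-fact edit of the second entry without rehashing."""
    edited = copy.deepcopy(log)
    edited[1]["action"] = "nothing happened"
    return edited


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_log(log))
    print(verify_log(tampered_copy(log)))
    print(admin_actions(log, {"root"}))
```

A hash chain alone only proves that entries were not altered after the chain was computed; anyone able to rewrite the whole file can recompute it, so in practice the latest hash is shipped off-host (to a log collector or a write-once store) and compared on review, which is what makes A.12.4.2 hold against an administrator who controls the machine being logged.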
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.5 CONTROL OF OPERATIONAL SOFTWARE
A.12.5.1 INSTALLATION OF SOFTWARE ON OPERATIONAL SYSTEMS

A.12.5.1 INSTALLATION OF SOFTWARE ON OPERATIONAL SYSTEMS
Control: Procedures shall be implemented to control the installation of software on operational systems.
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.6 TECHNICAL VULNERABILITY MANAGEMENT
A.12.6.1 MANAGEMENT OF TECHNICAL VULNERABILITIES
A.12.6.2 RESTRICTIONS ON SOFTWARE INSTALLATION
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.6.1 MANAGEMENT OF TECHNICAL VULNERABILITIES
Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.6.2 RESTRICTIONS ON SOFTWARE INSTALLATION
Control: Rules governing the installation of software by users shall be established and implemented.
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.7 INFORMATION SYSTEMS AUDIT CONSIDERATIONS
A.12.7.1 INFORMATION SYSTEMS AUDIT CONTROLS
ISO27001:2013 Controls Appendix; Part 7

A.12 OPERATIONS SECURITY
A.12.7.1 INFORMATION SYSTEMS AUDIT CONTROLS
Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.
ISO27001:2013 Controls Appendix; Part 7

• Let's look at communications security in the next module…

END
ISO27001:2013 Controls Appendix; Part 8

Module 221
• In this module let's look at ISO27001:2013 (ISMS) controls related to communications security…
ISO27001:2013 Controls Appendix; Part 8

ISO27001:2013 DISCRETIONARY CONTROLS

TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
ISO27001:2013 Controls Appendix; Part 8

A.13 COMMUNICATIONS SECURITY
A.13.1 COMMUNICATIONS SECURITY
A.13.1.1 NETWORK CONTROLS
A.13.1.2 SECURITY OF NETWORK SERVICES
A.13.1.3 SEGREGATION IN NETWORKS
ISO27001:2013 Controls Appendix; Part 8

A.13 COMMUNICATIONS SECURITY
A.13.1.1 NETWORK CONTROLS
Control: Networks shall be managed and controlled to protect information in systems and applications.
ISO27001:2013 Controls Appendix; Part 8

A.13 COMMUNICATIONS SECURITY
A.13.1.2 SECURITY OF NETWORK SERVICES
Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
ISO27001:2013 Controls Appendix; Part 8

A.13 COMMUNICATIONS SECURITY
A.13.1.3 SEGREGATION IN NETWORKS
Control: Groups of information services, users and information systems shall be segregated on networks.
ISO27001:2013 Controls Appendix; Part 8

A.13 COMMUNICATIONS SECURITY
A.13.2 INFORMATION TRANSFER
A.13.2.1 INFORMATION TRANSFER POLICIES & PROCEDURES
A.13.2.2 AGREEMENTS ON INFORMATION TRANSFER
A.13.2.3 ELECTRONIC MESSAGING
A.13.2.4 CONFIDENTIALITY OR NON-DISCLOSURE AGREEMENTS
ISO27001:2013 Controls Appendix; Part 8

A.13 COMMUNICATIONS SECURITY
A.13.2.1 INFORMATION TRANSFER POLICIES & PROCEDURES
Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
ISO27001:2013 Controls Appendix; Part 8

A.13 COMMUNICATIONS SECURITY
A.13.2.2 AGREEMENTS ON INFORMATION TRANSFER
Control: Agreements shall address the secure transfer of business information between the organization and external parties.
ISO27001:2013 Controls Appendix; Part 8

• Let's look at system acquisition, development & maintenance in the next module…

END
ISO27001:2013 Controls Appendix; Part 9

Module 222
• In this module let's look at ISO27001:2013 (ISMS) controls related to system acquisition, development, and maintenance…
ISO27001:2013 Controls Appendix; Part 9

ISO27001:2013 DISCRETIONARY CONTROLS

TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
ISO27001:2013 Controls Appendix; Part 9

A.14 SYSTEM ACQUISITION, DEVELOPMENT, & MAINTENANCE
A.14.1 SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
A.14.1.1 INFORMATION SECURITY REQUIREMENTS ANALYSIS & SPECIFICATION
A.14.1.2 SECURING APPLICATION SERVICES ON PUBLIC NETWORKS
A.14.1.3 PROTECTING APPLICATION SERVICES TRANSACTIONS
ISO27001:2013 Controls Appendix; Part 9

A.14 SYSTEM ACQUISITION, DEVELOPMENT, & MAINTENANCE
A.14.1.1 INFORMATION SECURITY REQUIREMENTS ANALYSIS & SPECIFICATION
Control: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
ISO27001:2013 Controls Appendix; Part 9

A.14 SYSTEM ACQUISITION, DEVELOPMENT, & MAINTENANCE
A.14.1.2 SECURING APPLICATION SERVICES ON PUBLIC NETWORKS
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
ISO27001:2013 Controls Appendix; Part 9

A.14 SYSTEM ACQUISITION, DEVELOPMENT, & MAINTENANCE
A.14.2 SECURITY IN DEV. & SUPPORT PROCESSES
A.14.2.1 SECURE DEVELOPMENT POLICY
A.14.2.2 SYSTEM CHANGE CONTROL PROCEDURES
A.14.2.3 TECHNICAL REVIEW OF APPLICATIONS AFTER OPERATING PLATFORM CHANGES
A.14.2.4 RESTRICTIONS ON CHANGES TO SOFTWARE PACKAGES
A.14.2.5 SECURE SYSTEM ENGINEERING PRINCIPLES
ISO27001:2013 Controls Appendix; Part 9

A.14 SYSTEM ACQUISITION, DEVELOPMENT, & MAINTENANCE
A.14.2 SECURITY IN DEV. & SUPPORT PROCESSES
A.14.2.6 SECURE DEVELOPMENT ENVIRONMENT
A.14.2.7 OUTSOURCED DEVELOPMENT
A.14.2.8 SYSTEM SECURITY TESTING
A.14.2.9 SYSTEM ACCEPTANCE TESTING
ISO27001:2013 Controls Appendix; Part 9

A.14 SYSTEM ACQUISITION, DEVELOPMENT, & MAINTENANCE
A.14.2.3 TECHNICAL REVIEW OF APPLICATIONS AFTER OPERATING PLATFORM CHANGES
Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
ISO27001:2013 Controls Appendix; Part 9

A.14 SYSTEM ACQUISITION, DEVELOPMENT, & MAINTENANCE

A.14.2.4 RESTRICTIONS ON CHANGES TO SOFTWARE PACKAGES
Control: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

1943
ISO27001:2013 Controls Appendix; Part 9

A.14 SYSTEM ACQUISITION, DEVELOPMENT, & MAINTENANCE

A.14.2.5 SECURE SYSTEM ENGINEERING PRINCIPLES
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

1944
ISO27001:2013 Controls Appendix; Part 9

A.14 SYSTEM ACQUISITION, DEVELOPMENT, & MAINTENANCE

A.14.2.8 SYSTEM SECURITY TESTING
Control: Testing of security functionality shall be carried out during development.

1945
ISO27001:2013 Controls Appendix; Part 9

A.14 SYSTEM ACQUISITION, DEVELOPMENT, & MAINTENANCE


A.14.3 TEST DATA
A.14.3.1 PROTECTION OF TEST DATA

A.14.3.1 PROTECTION OF TEST DATA
Control: Test data shall be selected carefully, protected and controlled.

1946
ISO27001:2013 Controls Appendix; Part 9

• Let's look at supplier relationships in the next module…

END

1947
ISO27001:2013 Controls Appendix; Part 10

Module 223
• In this module let's look at ISO27001:2013 (ISMS) related to supplier relationships…

1948
ISO27001:2013 Controls Appendix; Part 10
ISO27001:2013 DISCRETIONARY CONTROLS
TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf

1949
ISO27001:2013 Controls Appendix; Part 10

A.15 SUPPLIER RELATIONSHIPS


A.15.1 INFORMATION SECURITY IN SUPPLIER RELATIONSHIPS
A.15.1.1 INFORMATION SECURITY POLICY FOR SUPPLIER RELATIONSHIPS
A.15.1.2 ADDRESSING SECURITY WITHIN SUPPLIER AGREEMENTS
A.15.1.3 INFORMATION & COMMUNICATION TECHNOLOGY SUPPLY CHAIN

1950
ISO27001:2013 Controls Appendix; Part 10

A.15 SUPPLIER RELATIONSHIPS

A.15.1.1 INFORMATION SECURITY POLICY FOR SUPPLIER RELATIONSHIPS
Control: Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.

1951
ISO27001:2013 Controls Appendix; Part 10

A.15 SUPPLIER RELATIONSHIPS

A.15.1.2 ADDRESSING SECURITY WITHIN SUPPLIER AGREEMENTS
Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.
1952
ISO27001:2013 Controls Appendix; Part 10

A.15 SUPPLIER RELATIONSHIPS


A.15.2 SUPPLIER SERVICE DELIVERY MANAGEMENT
A.15.2.1 MONITORING & REVIEW OF SUPPLIER SERVICES
A.15.2.2 MANAGING CHANGES TO SUPPLIER SERVICES

1953
ISO27001:2013 Controls Appendix; Part 10

A.15 SUPPLIER RELATIONSHIPS

A.15.2.1 MONITORING & REVIEW OF SUPPLIER SERVICES
Control: Organizations shall regularly monitor, review and audit supplier service delivery.

1954
ISO27001:2013 Controls Appendix; Part 10

A.15 SUPPLIER RELATIONSHIPS

A.15.2.2 MANAGING CHANGES TO SUPPLIER SERVICES
Control: Changes to the provision of services by suppliers, including maintaining & improving existing information security policies, procedures & controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

1955
ISO27001:2013 Controls Appendix; Part 10

• Let's look at incident management in the next module…

END

1956
ISO27001:2013 Controls Appendix; Part 11

Module 224
• In this module let's look at ISO27001:2013 (ISMS) related to information security incidents…

1957
ISO27001:2013 Controls Appendix; Part 11
ISO27001:2013 DISCRETIONARY CONTROLS
TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
1958
ISO27001:2013 Controls Appendix; Part 11

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT


A.16.1 MNGMT OF INFOSEC INCIDENTS & IMPROVEMENTS
A.16.1.1 RESPONSIBILITIES & PROCEDURES
A.16.1.2 REPORTING INFOSEC EVENTS
A.16.1.3 REPORTING INFOSEC WEAKNESSES
A.16.1.4 ASSESSMENT OF & DECISION ON INFOSEC EVENTS

1959
ISO27001:2013 Controls Appendix; Part 11

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT


A.16.1 MNGMT OF INFOSEC INCIDENTS & IMPROVEMENTS
A.16.1.5 RESPONSE TO INFOSEC INCIDENTS
A.16.1.6 LEARNING FROM INFOSEC INCIDENTS
A.16.1.7 COLLECTION OF EVIDENCE

1960
ISO27001:2013 Controls Appendix; Part 11

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

A.16.1.2 REPORTING INFORMATION SECURITY EVENTS
Control: Information security events shall be reported through appropriate management channels as quickly as possible.

1961
ISO27001:2013 Controls Appendix; Part 11

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

A.16.1.3 REPORTING INFORMATION SECURITY WEAKNESSES
Control: Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

1962
ISO27001:2013 Controls Appendix; Part 11

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

A.16.1.5 RESPONSE TO INFORMATION SECURITY INCIDENTS
Control: Information security incidents shall be responded to in accordance with the documented procedures.

1963
ISO27001:2013 Controls Appendix; Part 11

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

A.16.1.6 LEARNING FROM INFORMATION SECURITY INCIDENTS
Control: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

1964
ISO27001:2013 Controls Appendix; Part 11

• Let's look at business continuity in the next module…

END

1965
ISO27001:2013 Controls Appendix; Part 12

Module 225
• In this module let's look at ISO27001:2013 (ISMS) related to business continuity…

1966
ISO27001:2013 Controls Appendix; Part 12

ISO27001:2013 DISCRETIONARY CONTROLS
TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
1967
ISO27001:2013 Controls Appendix; Part 12

A.17 INFOSEC ASPECTS OF BUSINESS CONTINUITY MNGMT

A.17.1 INFORMATION SECURITY CONTINUITY
A.17.1.1 PLANNING INFOSEC CONTINUITY
A.17.1.2 IMPLEMENTING INFOSEC CONTINUITY
A.17.1.3 VERIFY, REVIEW, & EVALUATE INFOSEC CONTINUITY

1968
ISO27001:2013 Controls Appendix; Part 12

A.17 INFOSEC ASPECTS OF BUSINESS CONTINUITY MNGMT

A.17.1.1 PLANNING INFOSEC CONTINUITY
Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

1969
ISO27001:2013 Controls Appendix; Part 12

A.17 INFOSEC ASPECTS OF BUSINESS CONTINUITY MNGMT

A.17.1.2 IMPLEMENTING INFOSEC CONTINUITY
Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

1970
ISO27001:2013 Controls Appendix; Part 12

A.17 INFOSEC ASPECTS OF BUSINESS CONTINUITY MNGMT

A.17.1.3 VERIFY, REVIEW, & EVALUATE INFOSEC CONTINUITY
Control: The organization shall verify the established and implemented info security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

1971
ISO27001:2013 Controls Appendix; Part 12

A.17 INFOSEC ASPECTS OF BUSINESS CONTINUITY MNGMT


A.17.2 REDUNDANCIES
A.17.2.1 AVAILABILITY OF INFORMATION PROCESSING FACILITIES

A.17.2.1 AVAILABILITY OF INFORMATION PROCESSING FACILITIES
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

1972
ISO27001:2013 Controls Appendix; Part 12

• Let's look at compliance in the next module…

END

1973
ISO27001:2013 Controls Appendix; Part 13

Module 226
• In this module let's look at ISO27001:2013 (ISMS) related to compliance…

1974
ISO27001:2013 Controls Appendix; Part 13
ISO27001:2013 DISCRETIONARY CONTROLS
TOTAL: 114
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf

1975
ISO27001:2013 Controls Appendix; Part 13

A.18 COMPLIANCE
A.18.1 COMPLIANCE WITH LEGAL & CONTRACTUAL REQUIREMENTS
A.18.1.1 IDENTIFICATION OF APPLICABLE LEGISLATION & CONTRACTUAL REQMTS
A.18.1.2 INTELLECTUAL PROPERTY RIGHTS
A.18.1.3 PROTECTION OF RECORDS
A.18.1.4 PRIVACY & PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION
A.18.1.5 REGULATION OF CRYPTOGRAPHIC CONTROLS
1976
ISO27001:2013 Controls Appendix; Part 13

A.18 COMPLIANCE

A.18.1.1 IDENTIFICATION OF APPLICABLE LEGISLATION & CONTRACTUAL REQMTS
Control: All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
1977
ISO27001:2013 Controls Appendix; Part 13

A.18 COMPLIANCE

A.18.1.2 INTELLECTUAL PROPERTY RIGHTS
Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

1978
ISO27001:2013 Controls Appendix; Part 13

A.18 COMPLIANCE
A.18.2 INFORMATION SECURITY REVIEWS
A.18.2.1 INDEPENDENT REVIEW OF INFORMATION SECURITY
A.18.2.2 COMPLIANCE WITH SECURITY POLICY & STANDARDS
A.18.2.3 TECHNICAL COMPLIANCE REVIEW

1979
ISO27001:2013 Controls Appendix; Part 13

A.18 COMPLIANCE
A.18.2.1 INDEPENDENT REVIEW OF INFORMATION SECURITY
Control: The organization’s approach to managing information security & its implementation (i.e. control objectives, controls, policies, processes & procedures for info security) shall be reviewed independently at planned intervals or when significant changes occur.

1980
ISO27001:2013 Controls Appendix; Part 13

A.18 COMPLIANCE
A.18.2.2 COMPLIANCE WITH SECURITY POLICY & STANDARDS
Control: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

1981
ISO27001:2013 Controls Appendix; Part 13

A.18 COMPLIANCE
A.18.2.3 TECHNICAL COMPLIANCE REVIEW
Control: Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.

1982
ISO27001:2013 Controls Appendix; Part 13

• That completes an in-depth overview of the controls and structure of ISO27001:2013 (ISMS)

END

1983
How to Use ISO27002:2013

Module 227
• What is ISO27002:2013?
– Information technology -- Security techniques -- Code of practice for information security controls
– Renamed from ISO 17799

1984
How to Use ISO27002:2013

• 0.1 Background & Context
– This Int’l Standard is designed for orgs to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001;
1985
How to Use ISO27002:2013

• 0.1 Background & Context
– or as a guidance document for organizations implementing commonly accepted information security controls.

1986
How to Use ISO27002:2013
STRUCTURE OF ISO27002:2013

http://www.iso27001security.com/html/27002.html
1987
How to Use ISO27002:2013

• Let's have a look at control A.5.1.2 (Review Of The Policies Of Information Security)

1988
How to Use ISO27002:2013

ISO27001:2013
A.5.1.2 REVIEW OF THE POLICIES FOR INFORMATION SECURITY
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

1989
How to Use ISO27002:2013

ISO27002:2013
TITLE

1990
How to Use ISO27002:2013

ISO27002:2013 CONTROL

1991
How to Use ISO27002:2013

ISO27002:2013

27002 IMPLEMENTATION GUIDANCE


1992
How to Use ISO27002:2013

ISO27002:2013
A.5.1.2 REVIEW OF THE POLICIES FOR INFOSEC
27002 Implementation Guidance: Each policy should have an owner who has approved mngmt responsibility for the development, review and evaluation of the policies. The review should include assessing opportunities for improvement of the org’s policies and approach to managing Infosec in response to changes to the org environment, business circumstances, legal conditions or tech environment.

1993
How to Use ISO27002:2013

• Practically:
– ISO27001:2013 controls are brief and generic
– 27002 clarifies further what is being referred to, gives further context & very useful implementation guidance

END

1994
PCI DSS V3

Module 228
• PCI Data Security Standard (DSS):
– Designed to ensure that ALL companies that accept, process, store or transmit credit card info maintain a secure environment
– Managed by Security Standards Council
https://www.pcicomplianceguide.org/pci-faqs-2/
1995
PCI DSS V3
• PCI DSS:
– SSC is an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB)
– 6 Broad goals and 12 requirements
REF: PCI Best Practices For Implementing Security Awareness; https://www.pcisecuritystandards.org/documents/
1996
PCI DSS V3

https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
1997
PCI DSS V3

https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
1998
PCI DSS V3

REQUIREMENT
1999
PCI DSS V3

TESTING PROCEDURES
2000
PCI DSS V3

GUIDANCE
2001
PCI DSS V3

REQMT: 7.1.4 Require documented approval by authorized parties specifying required privileges.

TEST PROCEDURES: 7.1.4 Select a sample of user IDs & compare with documented approvals to verify that:
- Documented approval exists for the assigned privileges
- The approval was by authorized parties
- That specified privileges match the roles assigned to the individual.

GUIDANCE: Documented approval (for example, in writing or electronically) assures that those with access and privileges are known and authorized by management, and that their access is necessary for their job function.
2002
PCI DSS V3

REQMT: 8.1.4 Remove/disable inactive user accounts within 90 days.

TEST PROCEDURES: 8.1.4 Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.

GUIDANCE: Accounts that are not used regularly are often targets of attack since it is less likely that any changes (such as a changed password) will be noticed. As such, these accounts may be more easily exploited and used to access cardholder data.

2003
PCI DSS V3

• PCI is specific to the card environment to protect cardholder data
• PCI controls are very specific and in-depth compared to generic and high-level controls of ISO27001

END

2004
SANS/CIS CRITICAL SECURITY CONTROLS

Module 229
• A very useful collection of controls for improving security posture

2005
SANS/CIS CRITICAL SECURITY CONTROLS

SN CONTROL
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software
4 Continuous Vulnerability Assessment and Remediation
5 Controlled Use of Administrative Privileges
2006
SANS/CIS CRITICAL SECURITY CONTROLS

SN CONTROL
6 Maintenance, Monitoring, and Analysis of Audit Logs
7 Email and Web Browser Protections
8 Malware Defenses
9 Limitation and Control of Network Ports
10 Data Recovery Capability
2007
SANS/CIS CRITICAL SECURITY CONTROLS

SN CONTROL
11 Secure Configurations for Network Devices
12 Boundary Defense
13 Data Protection
14 Controlled Access Based on the Need to Know
15 Wireless Access Control

2008
SANS/CIS CRITICAL SECURITY CONTROLS

SN CONTROL
16 Account Monitoring and Control
17 Security Skills Assessment and Appropriate Training to Fill Gaps
18 Application Software Security
19 Incident Response and Management
20 Penetration Tests and Red Team Exercises
2009
SANS/CIS CRITICAL SECURITY CONTROLS

CONTROL 1.1: INVENTORY OF AUTH & UNAUTH DEVICES

Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
2010
SANS/CIS CRITICAL SECURITY CONTROLS

CONTROL 2.1: INVENTORY OF AUTH & UNAUTH SW

Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
2011
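Added example (my own code, not from CIS or this handout) showing the two halves of Control 2.1 together: an allow-list of authorized software with versions, and a file-integrity baseline that detects a modified binary, version drift, and software that is not on the list. The package names, versions and binary contents are constructed in a temporary directory purely for the demonstration.

```python
"""CIS Control 2.1 style check (added example): an allow-list of authorized
software/versions plus a file-integrity baseline. Names, versions and files
are constructed in a temporary directory for the demonstration."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Inventory = Dict[str, Tuple[str, str]]   # software name -> (version, path to binary)


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(authorized: Inventory) -> Dict[str, dict]:
    """Record version and hash of each authorized binary at a known-good point."""
    return {name: {"version": ver, "path": path, "sha256": sha256_file(path)}
            for name, (ver, path) in authorized.items()}


def check_against_baseline(baseline: Dict[str, dict], installed: Inventory) -> List[str]:
    """Compare what is installed now with the baseline. Reports software not on
    the authorized list, version drift, and binaries whose hash changed or that
    disappeared. Findings are returned sorted so output is deterministic."""
    findings = []
    for name, (ver, path) in installed.items():
        if name not in baseline:
            findings.append(f"UNAUTHORIZED: {name} {ver} at {path}")
            continue
        base = baseline[name]
        if ver != base["version"]:
            findings.append(f"VERSION DRIFT: {name} {base['version']} -> {ver}")
        if not os.path.exists(path):
            findings.append(f"MISSING: {name} binary {path}")
        elif sha256_file(path) != base["sha256"]:
            findings.append(f"MODIFIED: {name} binary {path} hash mismatch")
    for name in baseline:
        if name not in installed:
            findings.append(f"NOT INSTALLED: authorized {name} absent")
    return sorted(findings)


def write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> List[str]:
    """Build a baseline of two authorized packages, then simulate a tampered
    binary, an upgraded agent and an unauthorized install, and run the check."""
    with tempfile.TemporaryDirectory() as d:
        sshd = os.path.join(d, "sshd")
        agent = os.path.join(d, "agent")
        rogue = os.path.join(d, "miner")
        write(sshd, b"constructed sshd binary 9.6")
        write(agent, b"constructed edr agent 2.1")
        baseline = build_baseline({"openssh-server": ("9.6", sshd),
                                   "edr-agent": ("2.1", agent)})
        write(sshd, b"constructed sshd binary 9.6 TAMPERED")   # hash no longer matches
        write(rogue, b"constructed unexpected binary")          # not on the authorized list
        installed = {"openssh-server": ("9.6", sshd),
                     "edr-agent": ("2.2", agent),               # version drift
                     "cryptominer": ("1.0", rogue)}
        return check_against_baseline(baseline, installed)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In a real deployment the baseline would be generated from a golden image and stored where the monitored host cannot alter it; otherwise an attacker who modifies the binary can also rewrite the hash it is compared against.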
SANS/CIS CRITICAL SECURITY CONTROLS

CONTROL 3.1: SECURE CONFIGS FOR HW & SW

Establish standard secure configurations of your operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.
2012
SANS/CIS CRITICAL SECURITY CONTROLS

CONTROL 4.1: CONTINUOUS VULNERABILITY ASSESSMENT & REMEDIATION

Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk.
2013
SANS/CIS CRITICAL SECURITY CONTROLS

CONTROL 4.1: CONTINUOUS VULNERABILITY ASSESSMENT & REMEDIATION

…Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project).
2014
SANS/CIS CRITICAL SECURITY CONTROLS

CONTROL 5.1: CONTROLLED USE OF ADMIN PRIVILEGES

Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
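Added example (not from CIS or this handout) of the "focused auditing" that Control 5.1 calls for: a small parser for Linux sudo-style log lines that reports privileged use by accounts outside the documented admin list, use outside an agreed change window, interactive root shells instead of specific commands, and repeated authentication failures. The approved-admin set, the change window, the threshold and the log lines themselves are constructed assumptions.

```python
"""CIS Control 5.1 style auditing (added example): parse sudo-style log lines
and flag anomalous use of administrative privileges. Admin list, change window
and the log lines are constructed assumptions, not from a real host."""
import re
from collections import Counter
from typing import Dict, List

# Shape of a successful sudo command record (Linux syslog format)
SUDO_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+sudo:\s+"
    r"(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# Shape of a failed sudo authentication record
FAIL_RE = re.compile(
    r"^[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s+sudo:\s+(?P<user>\S+)\s+:\s+(?P<n>\d+) incorrect password attempts"
)

APPROVED_ADMINS = {"alice", "carol"}          # assumption: the org's documented admin accounts
CHANGE_WINDOW = (8, 18)                       # assumption: privileged work expected 08:00-17:59
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/zsh"}
FAILED_AUTH_THRESHOLD = 3                     # assumption: report at three or more failures


def audit_sudo(lines: List[str]) -> Dict[str, object]:
    """Return findings (list of strings) and a per-user count of privileged commands."""
    findings: List[str] = []
    usage = Counter()
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            user, cmd, hour = m["user"], m["cmd"].strip(), int(m["time"][:2])
            usage[user] += 1
            if user not in APPROVED_ADMINS:
                findings.append(f"{user}: privileged command by non-admin account: {cmd}")
            if not (CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]):
                findings.append(f"{user}: privileged command outside change window at {m['time']}: {cmd}")
            if cmd.split(" ", 1)[0] in INTERACTIVE_SHELLS:
                findings.append(f"{user}: interactive root shell ({cmd}) instead of a specific command")
            continue
        f = FAIL_RE.match(line)
        if f and int(f["n"]) >= FAILED_AUTH_THRESHOLD:
            findings.append(f"{f['user']}: {f['n']} failed sudo authentications on {f['host']}")
    return {"findings": findings, "usage_by_user": dict(usage)}


# Constructed sample log lines
SAMPLE_LOG = [
    "Jun 12 09:14:33 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Jun 12 02:41:07 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Jun 12 10:05:59 db01 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd svc-backup",
    "Jun 12 10:06:30 db01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    report = audit_sudo(SAMPLE_LOG)
    for finding in report["findings"]:
        print("FINDING:", finding)
    print("privileged commands per user:", report["usage_by_user"])
```

The per-user count is what turns this from a rule list into "focused auditing": it is the baseline against which a sudden rise in one account's privileged activity can be spotted, which is the anomalous behaviour the control asks you to monitor for.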
2015
SANS/CIS CRITICAL SECURITY CONTROLS

BEST CONTROL GUIDANCE (diagram): 27001 (what to do?), 27002 (how to do it?), CIS CC (tech guidance)

2016
SANS/CIS CRITICAL SECURITY CONTROLS

• An ideal framework for more detailed and specific guidance on deeper and more stringent security controls

END

2017
NIST FRAMEWORK

Week 14
Module 230
• The Computer Security Resource Center (CSRC) website guides users to NIST resources on computer, cyber, and information security and privacy.

2018
NIST FRAMEWORK

• Its content includes publications, projects, research, news and events from the NIST Information Technology Laboratory's (ITL) two security divisions

2019
NIST FRAMEWORK

2020
NIST FRAMEWORK

• SP 800, Computer Security (December 1990-present): NIST's primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials (SP 800s are also searchable in the NIST Library Catalog);
2021
NIST FRAMEWORK

2022
NIST FRAMEWORK

2023
NIST FRAMEWORK

AUGUST 2014
32 PAGES DOC

2024
NIST FRAMEWORK

• NIST has a tremendous library of free documentation on a diverse range of topics
• Relevance is often average, however, depth and detail of material is extraordinary
END

2025
COBIT

Module 231
• COBIT:
– ISACA framework for IT Governance
– COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use (ISACA)
2026
COBIT

IT Governance

Resource
Management

2027
COBIT

• COBIT 5 brings together five principles that allow the enterprise to build an effective governance and management framework (ISACA)
• Based on a holistic set of seven enablers that optimises IT investment and use for the benefit of stakeholders (ISACA)

2028
COBIT

2029
COBIT

2030
COBIT

• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions & options; setting direction through prioritisation & decision making;

2031
COBIT

• …& monitoring performance, compliance and progress against agreed direction and objectives (EDM)

2032
COBIT

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)

2033
COBIT

2034
COBIT

• COBIT 5 is a detailed framework for IT governance developed by ISACA which has principles, enablers, and processes
• These tools assist implementers and customer organizations to successfully deploy the framework
• Certifiable framework

END
2035
CMMI

Module 232
• The Capability Maturity Model (CMM) is a methodology used to develop & refine an org's software dev process. The model describes a five-level evolutionary path of increasingly organized & systematically more mature processes.
http://searchsoftwarequality.techtarget.com/definition/Capability-Maturity-Model
2036
CMMI

https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
2037
CMMI

• CMM was developed and is promoted by the Software Engineering Institute (SEI), a research and development center sponsored by the U.S. Department of Defense (DoD)
• Now CMMI Institute (ISACA)
http://searchsoftwarequality.techtarget.com/definition/Capability-Maturity-Model
2038
CMMI

• The Capability Maturity Model Integration (CMMI®) is a performance improvement model for competitive organizations that want to achieve high-performance operations.
http://cmmiinstitute.com/about-cmmi-institute
2039
CMMI

• Building upon an org’s business performance objectives, CMMI provides a set of practices for improving processes, resulting in a performance improvement system that paves the way for better operations and performance.
http://cmmiinstitute.com/about-cmmi-institute
2040
CMMI
• More than any other approach, CMMI doesn’t just help to improve org processes. CMMI also has built-in practices that help to improve the way you use any performance improvement approach, setting you up to achieve a positive return on your investment
http://cmmiinstitute.com/about-cmmi-institute
2041
CMMI

• CMMI does not provide a single process. Rather, the CMMI provides guidance on what to do to improve your processes, not define your processes. CMMI is designed to compare an organization’s existing processes to proven best practices…
http://cmmiinstitute.com/about-cmmi-institute
2042
CMMI
• …developed by members of industry, govt, & academia; reveal possible areas for improvement; & provide ways to measure progress.
• CMMI helps you to build & manage performance improvement systems that fit your unique environment.
http://cmmiinstitute.com/about-cmmi-institute
2043
CMMI

THREE COMPLEMENTARY CONSTELLATIONS

http://www.sei.cmu.edu/library/assets/cmmi-overview071.pdf
2044
CMMI

• CMMI is a very well regarded framework especially in the software industry
• Very useful for demonstrating process & quality capabilities to customers, partners, and investors

END

2045
ISO31000:2018 – RISK MANAGEMENT – AN INTRO

Module 233
A Risk Practitioner's Guide To ISO31000:2018

https://www.theirm.org/media/3513119/IRM-Report-ISO-31000-2018-v3.pdf

2046
ISO31000:2018 – RISK MANAGEMENT – AN INTRO

2047
ISO31000:2018 – RISK MANAGEMENT – AN INTRO

Framework
5 components

2048
ISO31000:2018 – RISK MANAGEMENT – AN INTRO

8 PRINCIPLES

2049
ISO31000:2018 – RISK MANAGEMENT – AN INTRO

RISK
MANAGEMENT
PROCESS

2050
ISO31000:2018 – RISK MANAGEMENT – AN INTRO

ISO31000 objectives:
• ISO 31000 states that the guidelines should be used by people who create and protect value in organisations by managing risks, making decisions, setting and achieving objectives and improving performance.
https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en

2051
ISO31000:2018 – RISK MANAGEMENT – AN INTRO

ISO31000 purpose:
• ISO 31000 states that the purpose of risk management is the creation and protection of value.

END

2052
ISO31000:2018 – RISK MANAGEMENT – 8 PRINCIPLES

Module 234
A Risk Practitioner's Guide To ISO31000:2018

https://www.theirm.org/media/3513119/IRM-Report-ISO-31000-2018-v3.pdf

2053
ISO31000:2018 – RISK MANAGEMENT – AN INTRO

2054
ISO31000:2018 – RISK MANAGEMENT – AN INTRO

8 PRINCIPLES

2055
ISO31000:2018 – RISK MANAGEMENT – 8 PRINCIPLES

PRINCIPLES:
1. Framework and processes should be customized and proportionate.
2. Appropriate and timely involvement of stakeholders is necessary.
3. Structured and comprehensive approach is required.
2056
ISO31000:2018 – RISK MANAGEMENT – 8 PRINCIPLES

PRINCIPLES:
4. Risk management is an integral part of all organizational activities.
5. Risk management anticipates, detects, acknowledges and responds to changes.
6. Risk management explicitly considers any limitations of available information.
2057
ISO31000:2018 – RISK MANAGEMENT – 8 PRINCIPLES

PRINCIPLES:
7. Human and cultural factors influence all aspects of risk management.
8. Risk management is continually improved through learning and experience.

2058
ISO31000:2018 – RISK MANAGEMENT – 8 PRINCIPLES

• The first five principles provide guidance on how a risk management initiative should be designed, and principles six, seven and eight relate to the operation of the risk management initiative.

2059
ISO31000:2018 – RISK MANAGEMENT – 8 PRINCIPLES

• The latter principles confirm that the best information available should be used; human and cultural factors should be considered; and the risk management arrangements should ensure continual improvement.

2060
ISO31000:2018 – RISK MANAGEMENT – 8 PRINCIPLES

• The first five principles are concerned with the design and planning of the risk management initiative and these principles are often summarized as proportionate, aligned, comprehensive, embedded and dynamic (PACED), as shown in Table 1.
2061
ISO31000:2018 – RISK MANAGEMENT – AN INTRO

2062
ISO31000:2018 – RISK MANAGEMENT – 8 PRINCIPLES

A Risk Practitioner's Guide To ISO31000:2018

https://www.theirm.org/media/3513119/IRM-Report-ISO-31000-2018-v3.pdf

END

2063
ISO31000:2018 – RISK MANAGEMENT – FRAMEWORK

Module 235
A Risk Practitioner's Guide To ISO31000:2018

https://www.theirm.org/media/3513119/IRM-Report-ISO-31000-2018-v3.pdf

2064
ISO31000:2018 – RISK MANAGEMENT – FRAMEWORK

2065
ISO31000:2018 – RISK MANAGEMENT – FRAMEWORK

Framework
5 components

2066
ISO31000:2018 – RISK MANAGEMENT – FRAMEWORK

• The principles of risk management and the framework are closely related.
• For example, one of the principles is that risk management should be integrated and one of the components of the framework is integration.

2067
ISO31000:2018 – RISK MANAGEMENT – FRAMEWORK

• The principle outlines what must be achieved, and the framework provides information on how to achieve the required integration.

2068
ISO31000:2018 – RISK MANAGEMENT – FRAMEWORK

• The ISO 31000 guidelines are centered on leadership and commitment.
• The effectiveness of risk management will depend on its integration into all aspects of the organization, including decision-making.

2069
ISO31000:2018 – RISK MANAGEMENT – FRAMEWORK

• The remaining components of the framework are design, implementation, evaluation and improvement. This approach is often represented in management literature as plan-do-check-act.

2070
ISO31000:2018 – RISK MANAGEMENT – FRAMEWORK

• ISO 31000 provides narrative description of how the framework should support risk management activities in an organization.
• This is often referred to as the risk architecture, strategy and protocols of the organization, as set out in Table 2.

2071
ISO31000:2018 – RISK MANAGEMENT – FRAMEWORK

RISK
MANAGEMENT
FRAMEWORK

• ARCHITECTURE
• STRATEGY
• PROTOCOLS

2072
ISO31000:2018 – RISK MANAGEMENT – FRAMEWORK

A Risk Practitioner's Guide To ISO31000:2018

https://www.theirm.org/media/3513119/IRM-Report-ISO-31000-2018-v3.pdf

END

2073
ISO31000:2018 – RISK MANAGEMENT – PROCESS

Module 236
A Risk Practitioner's Guide To ISO31000:2018

https://www.theirm.org/media/3513119/IRM-Report-ISO-31000-2018-v3.pdf

2074
ISO31000:2018 – RISK MANAGEMENT – PROCESS

2075
ISO31000:2018 – RISK MANAGEMENT – PROCESS

RISK
MANAGEMENT
PROCESS

2076
ISO31000:2018 – RISK MANAGEMENT – PROCESS

At the center of the risk management process are the activities of risk assessment and risk treatment.
Risk assessment is described as having the three stages of risk identification, risk analysis and risk evaluation.

2077
ISO31000:2018 – RISK MANAGEMENT – PROCESS

• Each of the three stages is described in detail in ISO 31000 and it provides valuable insight into how risks can be identified, how they can be analyzed in terms of likelihood and consequences and finally, how they can be evaluated in relation to

2078
ISO31000:2018 – RISK MANAGEMENT – PROCESS

• …the established risk criteria (risk appetite) to determine whether additional action is required.

2079
ISO31000:2018 – RISK MANAGEMENT – PROCESS

• Risk treatment is also a vitally important part of the risk management process and ISO 31000 provides information on the selection of risk treatment options, the preparation and implementation of risk treatment plans.

2080
ISO31000:2018 – RISK MANAGEMENT – PROCESS

• ISO 31000 states that the selection of risk treatment options involves balancing the potential benefits of introducing further risk treatment (controls) against the associated cost, effort or disadvantages.

2081
ISO31000:2018 – RISK MANAGEMENT – PROCESS

• The risk treatment plan should clearly identify the timescale and responsibilities for implementing the selected risk treatments.

END

2082
ISO31000:2018 – RISK MANAGEMENT – HOW TO IMPLEMENT

Module 237
A Risk Practitioner's Guide To ISO31000:2018

https://www.theirm.org/media/3513119/IRM-Report-ISO-31000-2018-v3.pdf

2083
ISO31000:2018 – RISK MANAGEMENT – HOW TO IMPLEMENT

2084
ISO31000:2018 – RISK MANAGEMENT – HOW TO IMPLEMENT

Successful implementation of a risk management initiative is an ongoing process that involves working through the 10 activities below on a continuous basis. These activities relate to:
(1) Plan;
(2) Implement;
(3) Measure; and
(4) Learn.
2085
ISO31000:2018 – RISK MANAGEMENT – HOW TO IMPLEMENT

Plan:
1. Identify intended benefits of the RM initiative and gain board support
2. Plan the scope of the RM initiative and develop common language of risk
3. Establish the RM strategy, framework and the roles and responsibilities
2086
ISO31000:2018 – RISK MANAGEMENT – HOW TO IMPLEMENT

Implement:
4. Adopt suitable risk assessment tools and an agreed risk classification system
5. Establish risk benchmarks (risk criteria) & undertake risk assessments
6. Determine risk appetite and risk tolerance levels and evaluate the existing controls
2087
ISO31000:2018 – RISK MANAGEMENT – HOW TO IMPLEMENT

Measure:
7. Evaluate effectiveness of existing controls and introduce improvements
8. Embed risk-aware culture and align RM with other activities in the organization

2088
ISO31000:2018 – RISK MANAGEMENT – HOW TO IMPLEMENT

Learn:
9. Monitor and review risk performance indicators to measure RM contribution
10. Report risk performance in line with obligations and monitor improvement

2089
ISO31000:2018 – RISK MANAGEMENT – HOW TO IMPLEMENT

Although ISO 31000 covers the full scope of requirements for a management system, it is for the organization to convert those requirements into a checklist and action plan.

END

2090
INCIDENT MANAGEMENT-I

Module 238
Information Security Incident Management

• Have a look at ISO27002:2013 (Page 67+) for best practices guidance

2091
INCIDENT MANAGEMENT-I

Objective:
• “To ensure a consistent
and effective approach
to the management of
information security
incidents, including
communication on
security events and
weaknesses.”

ISO27001:2013 (16.1)

2092
INCIDENT MANAGEMENT-I

Top 10 Considerations For


Incident Response

https://www.owasp.org/im
ages/9/92/Top10Considerat
ionsForIncidentResponse.p
df

2093
INCIDENT MANAGEMENT-I

https://www.owasp.org/images/9/92/Top10ConsiderationsForIncidentResponse.pdf
2094
INCIDENT MANAGEMENT-I

1. Audit & Due Diligence


Performing an audit will let
you know how well
prepared the organization
is for Incident Responsein
terms of:
• People
• Process
• Equipment

2095
INCIDENT MANAGEMENT-I

2. Create Response Team


An Incident Response
team should consist of
people with sufficient
technical skills. It is
important that the team
members consist of SME's
(Subject Matter Experts)
or Knowledge Engineers
from different domains
across the organization.

2096
INCIDENT MANAGEMENT-I

2. Create Response Team


• Team lead
• Triage officer
• Incident handler

2097
INCIDENT MANAGEMENT-I

3. Create Documented IR
Plan
An organization should
have a well-documented IR
plan that would guide the
IR Team during an incident.
A comprehensive plan at
minimum , should cover
Roles & Responsibilities,
Investigation, Triage and
Mitigation, Recovery, and
Documentation process.
2098
INCIDENT MANAGEMENT-I

4. Identify Indicators &


Triggers
• What would be
categorized as an
incident at your
organization?
• How important or
weighty are the factors
that would trigger an
incident?
• Clearly define what can
trigger an incident
2099
INCIDENT MANAGEMENT-I

5. Investigate the Problem


• Establishing , clearly
what has occurred
• Identify what systems,
people or processes
have been compromised
or affected based on
incident
• Determine what
happened & what was
compromised

2100
INCIDENT MANAGEMENT-I

5. Investigate the Problem


• Determine the point of
origin of the incident
where possible. This
infers that you establish
the source of the threat
or attack vector
• Specify your
investigation objectives,
triage and resolution
methodology
END
2101
INCIDENT MANAGEMENT-II

Module 239
Top 10 Considerations For Incident Response
https://www.owasp.org/images/9/92/Top10ConsiderationsForIncidentResponse.pdf

6. Triage & Mitigation
Investigation leads to the triage and resolution process. As the team identifies potential exposure, they should plan and execute effective mitigation accordingly:
• Classification of incident
• Incident prioritization
• Assigning specific tasks to specific people

7. Recovery
Once a thorough investigation has been carried out, recovery is a significant step for restoring services or materials that might have been affected during an incident. This could be the task of the technical team (transition from active incident to standard monitoring).

8. Documentation & Reporting
A comprehensive incident report is required in keeping with best practices and with the Incident Response plan. The type of reports that might be required may vary but should help in managing and reviewing incidents satisfactorily.

9. Process Review
Make intelligent decisions about important factors:
• Should I increase or decrease the number of incident handlers?
• What risks did we identify during the incident that need to be followed up for action and monitored closely?

10. Practice, Practice, Practice!
Do not wait until an incident occurs before you put your team to work. Once the organization has a workable plan in place, it is advisable to run through part or all of it as a tabletop exercise, and run through various scenarios and drills.

CHANGE MANAGEMENT-I

Module 240
ITIL CHANGE MANAGEMENT BEST PRACTICES
http://www.bmc.com/guides/itil-change-management.html

ITIL change management is a process designed to understand and minimize risks while making IT changes. Businesses have two main expectations of the services provided by IT:
1. The services should be stable, reliable, and predictable.
2. The services should be able to change rapidly to meet evolving business requirements.

• These expectations are in conflict. The objective of change management is to enable IT service management to meet both expectations: to enable rapid change while minimizing the possibility of disruption to services.

Types Of Changes
Standard changes are changes to a service or to the IT infrastructure where the implementation process and the risks are known upfront.
• These changes are managed according to policies that the IT organization already has in place.
• Since these changes are subject to established policies and procedures, they are the easiest to prioritize and implement, and often don't require approval from a risk management perspective.

Normal Changes
• Those that must go through the change process before being approved and implemented. If they are determined to be high-risk, a change advisory board must decide whether they will be implemented.

Emergency Changes
• Arise when an unexpected error or threat occurs, such as when a flaw in the infrastructure related to services needs to be addressed immediately. A security threat is another example of an emergency situation that requires changes to be made immediately.

CHANGE MANAGEMENT-II

Module 241
ITIL CHANGE MANAGEMENT BEST PRACTICES
http://www.bmc.com/guides/itil-change-management.html

Mission
The mission of the IT change management process is to implement changes in the most efficient manner, while minimizing the negative impact on customers when changes are implemented. KPIs for tracking success of the IT change management process are:
i. Successful changes: The number of changes that have been completed successfully compared to the total number of completed changes. The higher the percentage of successful changes, the better.
ii. Backlog of changes: The number of changes that are not yet completed. While this absolute number depends on the size of the organization, it should not grow over time.
iii. Emergency changes: The number of completed "emergency" changes. This absolute number depends on the size of the organization and should not increase over time.

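The three KPIs are simple to state; in practice they are computed from the change records a ticketing tool exports, and the two "should not grow over time" checks need a month-by-month series rather than a single number. The following is an added example (not code from the BMC guide or from this course) that computes all three KPIs over a constructed set of change records and applies the trend checks. The record fields, the "YYYY-MM" month strings and the sample changes are assumptions made for the example; the sample data is built so that the backlog grows in the last month, which is exactly the condition the KPI is meant to surface.

```python
"""Change management KPIs (added example, constructed data).

Three KPIs from the text:
  - successful changes as a share of all completed changes,
  - open backlog at the end of each month (should not grow over time),
  - completed emergency changes per month (should not increase over time).
"""
from typing import Dict, List, Optional

# Constructed change records (not from any real organisation).
# "closed" is None while the change is still open; "YYYY-MM" strings
# sort correctly as plain strings, which the month comparisons rely on.
CHANGES: List[Dict[str, Optional[str]]] = [
    {"id": "CHG-1", "type": "standard",  "opened": "2024-01", "closed": "2024-01", "outcome": "success"},
    {"id": "CHG-2", "type": "normal",    "opened": "2024-01", "closed": "2024-02", "outcome": "success"},
    {"id": "CHG-3", "type": "emergency", "opened": "2024-01", "closed": "2024-01", "outcome": "failed"},
    {"id": "CHG-4", "type": "normal",    "opened": "2024-02", "closed": "2024-03", "outcome": "success"},
    {"id": "CHG-5", "type": "emergency", "opened": "2024-02", "closed": "2024-02", "outcome": "success"},
    {"id": "CHG-6", "type": "normal",    "opened": "2024-03", "closed": None,      "outcome": None},
    {"id": "CHG-7", "type": "emergency", "opened": "2024-03", "closed": "2024-03", "outcome": "success"},
    {"id": "CHG-8", "type": "standard",  "opened": "2024-03", "closed": None,      "outcome": None},
]
MONTHS = ["2024-01", "2024-02", "2024-03"]


def success_rate(changes) -> float:
    """KPI i: successful completed changes / all completed changes."""
    completed = [c for c in changes if c["closed"] is not None]
    if not completed:
        return 0.0
    successful = sum(1 for c in completed if c["outcome"] == "success")
    return successful / len(completed)


def backlog_by_month(changes, months) -> Dict[str, int]:
    """KPI ii: changes still open at the end of each month."""
    return {
        m: sum(
            1 for c in changes
            if c["opened"] <= m and (c["closed"] is None or c["closed"] > m)
        )
        for m in months
    }


def emergency_by_month(changes, months) -> Dict[str, int]:
    """KPI iii: emergency changes completed in each month."""
    return {
        m: sum(1 for c in changes if c["type"] == "emergency" and c["closed"] == m)
        for m in months
    }


def is_non_increasing(values: List[int]) -> bool:
    """True when no month's value exceeds the previous month's."""
    return all(later <= earlier for earlier, later in zip(values, values[1:]))


def kpi_report(changes, months) -> dict:
    """All three KPIs plus the trend checks the text asks for."""
    backlog = backlog_by_month(changes, months)
    emergency = emergency_by_month(changes, months)
    return {
        "success_rate": success_rate(changes),
        "backlog": backlog,
        "backlog_ok": is_non_increasing([backlog[m] for m in months]),
        "emergency": emergency,
        "emergency_ok": is_non_increasing([emergency[m] for m in months]),
    }


if __name__ == "__main__":
    for key, value in kpi_report(CHANGES, MONTHS).items():
        print(f"{key}: {value}")
```

On the constructed data the success rate is 5/6, the emergency-change series is flat (1, 1, 1) and passes, while the backlog series (1, 1, 2) fails the check, which is the signal that would go into the monthly change report.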
Scope
The scope of the IT change management process is limited to change implementations that will cause:
i. A service to become unavailable or degraded during service hours
ii. The functionality of a service to become different
iii. The CMDB to require an update
Other IT changes don't usually require formal change management. Instead, they can be tracked as standard IT activities.

IT Change Management Procedures
a. Request for change review: Change coordinators use this procedure when they are dealing with requests for change.
b. Change planning: Change coordinators and specialists employ this process to prepare the implementation plans for changes.
c. Change approval: The change manager and approvers (e.g., customer representatives and service owners) follow this procedure to approve planned changes.
d. Change implementation: Specialists use this process to implement infrastructure changes.
e. Change closure: Specialists follow this procedure when they perform production tests after changes have been implemented, and change coordinators employ it to close out changes.

CHANGE MANAGEMENT-III

Module 242
ITIL CHANGE MANAGEMENT BEST PRACTICES
http://www.bmc.com/guides/itil-change-management.html

CHANGE MANAGEMENT ROLES
The change initiator recognizes and identifies the need for change.
• The initiator should be someone who works directly with support services tools.
• Members of your team who provide support services to customers may be best suited for this position due to their frequent interaction with the system.

The change coordinator assesses requests for change that originate from incident management, problem management, release management, or continuity management.
• The change coordinator registers changes as needed to handle requests for change or receives change requests from other change initiators; determines the risk and impact for requested changes; prepares implementation plans by creating tasks; and monitors the progress of changes.

The change manager is generally needed in mid-sized and larger organizations. If your IT department is part of a larger company, you will need to pick one or multiple persons to perform the role of change manager.
• These individuals are responsible for managing change procedures, receiving and prioritizing change requests, evaluating the risk level associated with requests, and keeping thorough records of the outcome of each change.

The change advisory board is responsible for authorizing changes and further evaluating requests when the change manager determines that there is a high risk associated with these requests.
• The board takes into account the impact that a requested change may have on all affected parties.
• When these high-risk changes are brought to the attention of the change advisory board, the board will schedule a meeting with a detailed agenda to determine how to proceed.

The approver decides whether to approve or reject changes.

The change implementation team consists of the specialists on your team who are responsible for actually making changes.
• You will likely be part of this team and employees directly under you may also be assigned to implement changes.
• As an IT manager, you will often be responsible for overseeing changes.

PROJECT MANAGEMENT FOR INFOSEC: PART 1

Module 243
• PART 1: IMPORTANCE OF PROJECT MANAGEMENT FOR INFORMATION SECURITY

• CYBER SECURITY CHALLENGES:
1. Reactive
2. Superficial
3. Contention
4. Box-Approach
5. Governance-Overkill
Denial During The Last 10 Years

• Effective project management makes or breaks any project
• Project management is the sum-total of managing, organizing, and prioritizing all resources and tasks in order to achieve a successful outcome within the stipulated timeframe
• Successful Security Transformation implementation is heavily dependent upon the project being in the hands of an experienced project manager who:
– Has authority
– Has domain knowledge
– Has the ability to suggest solutions
• In a nutshell, effective project management for Security Transformation is about understanding the landscape, understanding what is required to solve the problem, and being fully committed to ensuring that the successful outcome is achieved within time
• Common Challenges During Projects:
– Discipline during the one-year duration
– Prior shortage of resources
– New initiatives (diversions)
– Constant slippage of tasks
– Lack of commitment by team members
• Without bold, well-organized, disciplined, and committed project management, the Security Transformation cannot be achieved within an organization
• Effective project management is the cornerstone of achieving success for Security Transformation projects

PROJECT MANAGEMENT FOR INFOSEC: PART 2

Module 244
• PART 2: STRUCTURE

• Structure refers to the hierarchy and organization of teams, their interaction along with frequency, reporting, and problem-resolution mechanisms

PROJECT STRUCTURE (forums and meeting frequency):
– Board [QTR]
– InfoSec Steering Comm. [MONTHLY]
– Information Security Management Committee (ISMC) [WEEKLY]

INFOSEC TEAM STRUCTURE:
– Infosec Head
– Manager Networks
– Manager Systems
– Manager Apps/DB
– Infosec Consultant

PROJECT SEQUENCE:
1. Establish Track
2. MSB
3. Pilot
4. Implement Across IT
5. Continuous Improvement

PROJECT TRACKS:
TRACK 1: IT INFRASTRUCTURE
TRACK 2: ISMS DOC & PROCESSES
TRACK 3: SOFTWARE APP
TRACK 4: OTHER APPS/UTILITIES/3RD PARTIES
TRACK 5: DESKTOPS & BROWSERS
TRACK 6: VULNERABILITY MANAGEMENT
TRACK 7: MOBILE SECURITY

• An effective project manager has a thorough understanding of what needs to be achieved, and is able to orchestrate resources, teams, hierarchy, and reporting in order to achieve a successful project outcome

PROJECT MANAGEMENT FOR INFOSEC: PART 3

Module 245
• PART 3: REPORTING

• Reporting is a critical component of effective project management and has the following objectives:
1. Creating visibility
2. Keeping resources engaged for their inputs and involvement
3. Keeping management informed of successes & challenges
4. Creating credibility
5. Ensuring team members are on their toes

TRANSFORMATION PROJECT MAIN ENTITIES:
– ISMC
– IT Teams
– Delta Tech Consultant Team
– IT Steering Committee
– Board/Executive

REPORTING MECHANISM:
– ISMC: weekly status update
– IT Steering Committee: monthly status update
– Board: quarterly status update

• Dashboard Objectives:
1. Provide a simple & single view of all project tracks, and where the project stands
2. Highlight problem areas for management intervention and support
3. Monthly Steering Committee & Quarterly Board reports

Forum | Frequency | Report Format | Objectives
ISMC | Weekly | PDF minutes of meeting | Identify tasks, responsibility, timeline
Steering Committee | Monthly | PPT presentation | Inform relevant heads of progress, identify challenges
Board Meeting | Quarterly | PPT presentation | Critical look at progress achieved, identify challenges & solutions, seek assistance

• By creating an accurate, honest, and disciplined reporting mechanism, the project manager ensures that all project stakeholders are informed, involved and helping where necessary for project success

PROJECT MANAGEMENT FOR INFOSEC: PART 4

Module 246
• PART 4: LEADERSHIP

• The Security Transformation requires significant effort over a one year period
• All resources have to be tightly focused on the successful outcome
• Without leadership, the transformation cannot take place

• Leadership:
1. Authenticity
2. Openness and transparency
3. Respect for all individuals and teams
4. Creating motivation
5. Integrity
6. Boldness to take a stand

• Technical resources will always respect a leader who has knowledge of his/her domain, and is able to provide a clear and effective strategy
• Security Transformation Leadership is about creating trust, and a team environment to facilitate efforts resulting in a positive outcome
• Security Transformation Leadership is about working with people, at all levels, to create a credible and successful project

Capacity Management – Part 1

Module 247
• ISO27001:2013
– 12.1.3: The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance

• What is capacity management?
– Aims to ensure that the capacity of IT services and the IT infrastructure is able to deliver the agreed service level targets in a cost effective and timely manner.
– The Capacity Management process considers all resources required to deliver the IT service, and plans for short, medium and long term business requirements.
https://wiki.en.it-processmaps.com/index.php/Capacity_Management

• ITIL suggests three sub-processes:
– Business capacity management
– Service capacity management
– Component capacity management

• Business capacity management:
– Translates business plans and needs into requirements for IT services and architecture
– As customers' business changes, so do service requirements. A change in service requirements usually has an impact on demand for capacity.

• Service capacity management:
– Focuses on management, control and prediction of end-to-end performance of live IT services usage and workloads.
– It's about measuring performance and comparing it to requirements that are set in Service Level Agreements (SLAs) or Service Level Requirements (SLRs).

• Component capacity management:
– Focuses on management, control, performance prediction, utilization & capacity of technology components (e.g. a hard disk, processor, etc.).
https://advisera.com/20000academy/knowledgebase/three-faces-capacity-management/

• In the next module let's look at ISO27002:2013 guidance for capacity management…

Capacity Management – Part 2

Week 15
Module 248
• In this module, let's look at capacity management guidance from ISO27002:2013

• ISO27002 guidance:
– Capacity requirements should be identified, taking into account the business criticality of the concerned system
– System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems.
– Detective controls should be put in place to indicate problems in due time.
– Projections of future capacity requirements should take account of new business and system requirements and current & projected trends in the organization's information processing capabilities
– Particular attention needs to be paid to any resources with long procurement lead times or high costs; therefore managers should monitor the utilization of key system resources.
– Providing sufficient capacity can be achieved by increasing capacity or by reducing demand.
– Examples of managing capacity demand include:
a) deletion of obsolete data (disk space);
b) decommissioning of applications, systems, databases or environments;
c) optimising batch processes & schedules;
– A documented capacity management plan should be considered for mission critical systems
– Also consider human resources & offices/facilities

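The guidance above asks for three things that fit together in one detective control: monitor utilization of key resources, project future requirements from current trends, and pay particular attention to resources with long procurement lead times. The following is an added example (not code from ISO27002 or from this course) that fits a straight-line trend to monthly utilization samples for each resource, projects the month in which the trend crosses the resource's capacity threshold, and flags a resource when that projected crossing falls inside its procurement lead time, so the problem is indicated "in due time" rather than when capacity runs out. The resource names, sample values, thresholds and lead times are constructed assumptions for the example.

```python
"""Capacity projection check (added example, constructed data).

For each monitored resource: fit a least-squares line to monthly utilization
samples, project when it crosses the capacity threshold, and compare the
months remaining against the procurement lead time for more capacity.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Resource:
    name: str
    samples: List[float]      # monthly utilization in percent, oldest first
    threshold: float          # utilization at which capacity is exhausted
    lead_time_months: int     # procurement lead time for added capacity


def linear_trend(samples: List[float]) -> Tuple[float, float]:
    """Least-squares slope and intercept of utilization against month index."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(samples) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, samples))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    return slope, intercept


def months_until_threshold(res: Resource) -> Optional[float]:
    """Months from the latest sample until the trend reaches the threshold.

    Returns 0.0 when the latest sample is already at or over the threshold,
    and None when the trend is flat or falling (no crossing projected).
    """
    if res.samples[-1] >= res.threshold:
        return 0.0
    slope, intercept = linear_trend(res.samples)
    if slope <= 0:
        return None
    # Solve intercept + slope * x = threshold, then express x relative to
    # the index of the latest sample.
    crossing_index = (res.threshold - intercept) / slope
    return max(0.0, crossing_index - (len(res.samples) - 1))


def assess(resources: List[Resource]) -> List[dict]:
    """Classify each resource by comparing months left with its lead time."""
    findings = []
    for res in resources:
        months_left = months_until_threshold(res)
        if months_left is None:
            status = "stable"            # no growth: nothing to order yet
        elif months_left <= res.lead_time_months:
            status = "action-required"   # ordering now is already late or just in time
        else:
            status = "watch"             # growing, but lead time still fits
        findings.append({"resource": res.name, "months_left": months_left, "status": status})
    return findings


# Constructed sample resources (assumed values, not real measurements).
SAMPLE_RESOURCES = [
    Resource("db-storage", [60, 64, 68, 72, 76, 80], threshold=90, lead_time_months=4),
    Resource("app-cpu", [40, 42, 41, 43, 42, 44], threshold=85, lead_time_months=1),
    Resource("backup-tape", [30, 29, 31, 30, 28, 29], threshold=80, lead_time_months=2),
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_RESOURCES):
        print(finding)
```

With the constructed samples, db-storage grows 4 points a month and is projected to hit its 90% threshold in 2.5 months, inside its 4-month lead time, so it is the one finding that needs action; app-cpu is growing slowly enough to stay on a watch list, and backup-tape has no upward trend. A flat or falling trend deliberately returns None rather than a far-off date, so a reviewer is not shown a projection the data does not support.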
• ITIL looks at capacity management more in-depth under the service design phase
• ISO27002 provides some useful guidance
• In the industry we find that capacity management is not formalized as a process and lacks documentation

RISK MANAGEMENT & INTERNAL AUDIT-I

Module 249
Three Lines of Cyber Defense:
https://securityintelligence.com/take-a-load-off-delegate-cyber-risk-management-using-the-three-lines-of-defense-model/
https://info.knowledgeleader.com/what-is-internal-audits-role-in-cyber-security

1. Business & IT Functions (Management Control):
The first line encompasses the information security department as well as various business units that own their cyber risks. These entities need to understand how their assets are vulnerable and actively manage their cyber risks within organizationally acceptable tolerances. Sometimes called management control, this function is tasked with managing cyber risks by executing various controls. This means handling risk events, updating key risk indicators (KRIs), and deploying and managing controls that affect people, processes and technology.

2. Risk Management
• The second line of defense is composed of risk managers looking at aggregate risks at an enterprise level. It is often simply termed risk management but can also include compliance, legal, quality control and financial control.
• The second line looks at cybersecurity control frameworks, defines KRIs and metrics, creates risk assessments, and tests and reviews conformance by tracking the actions of the first line of defense and analyzing the impact of those actions to determine their effectiveness in mitigating cyber risks. In other words, this function monitors how management is doing in its handling of cyber risks by determining the extent to which risks are actively monitored and appropriately managed.
• It is often performed under an umbrella of senior management and some board directors or a board-level committee, such as the audit committee or a risk committee. And, importantly, this second line can challenge the first line.

ISSUES WITH RISK MANAGEMENT IN PAKISTAN
1. Risk Management hierarchy not trained in IT
2. Separate Dept – not suitable given security maturity level
3. Seen as outsider
4. Low cooperation levels with IT

RISK MANAGEMENT & INTERNAL AUDIT-II

Module 250
Three Lines of Cyber Defense:
https://securityintelligence.com/take-a-load-off-delegate-cyber-risk-management-using-the-three-lines-of-defense-model/
https://info.knowledgeleader.com/what-is-internal-audits-role-in-cyber-security

INTERNAL AUDIT

3. Internal Audit
• The third line of defense is internal audit. It may also include input from external auditors and/or regulators. This function, sometimes termed independent assurance, evaluates the overall process of cyber risk governance for the entire organization.
• It ensures that the organization's internal control framework is adequate for dealing with the risks the organization faces.
• As with the second line of defense, the third line can push back on the assertions of the previous lines regarding the adequacy of the controls in place. This function usually reports directly to the board or the audit committee.

Issues With Internal Audit In Pakistan
a. Not on the same page with other Depts
b. KPI seems to be highest number of observations – not organizational benefit
c. No common security vision in the organization
d. Large number of point observations do not help to improve the security posture
e. Internal audit not aware of IT team or security team framework being adopted

MANAGEMENT REVIEW

Module 251
How To Conduct ISO27001 Management Review
https://www.isms.online/iso-27001/how-to-conduct-your-iso-27001-management-review/

Purpose
• The purpose of the Management Review is to ensure the ISMS and its objectives continue to remain suitable, adequate and effective given the organisation's purpose, issues and risks.

Results
• The results of the management review will enable senior management to make well informed, strategic decisions that will have a material effect on information security and the way the organisation manages it.

What should be covered?
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
• nonconformities and corrective actions;
• monitoring and measurement results;
• audit results; and
• fulfilment of information security objectives.
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.

Who Should Attend?
• For the ISMS to be effective in an organisation, it needs senior management commitment and, as such, it makes sense for the members of an ISMS "Board" to have authority in matters pertaining to information security.
• Typically an ISMS Board might include the Chief Information Security Officer (CISO), Senior Information Risk Owner (SIRO), Chief Technical Officer and maybe even the CEO.
• The outputs of the management review will include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

Human Resource Security

Module 252
• In this module, let's look at human resource security…

• Prior to employment (ISO27001):
– Screening
– Terms & conditions of employment

• ISO27002 guidance (Screening):
– availability of satisfactory character references, e.g. one business and one personal;
– a verification (for completeness and accuracy) of the applicant's CV;
– confirmation of claimed academic and professional qualifications;
– independent identity verification (passport or similar document);
– more detailed verification, such as credit review or review of criminal records

• During employment (ISO27001):
– Management responsibilities
– Awareness, education, and training
– Disciplinary process

• ISO27002 guidance (Disciplinary Process):
– The disciplinary process should not be commenced without prior verification that an infosec breach has occurred
– The formal disciplinary process should ensure correct and fair treatment for employees who are suspected of committing breaches of information security
– The formal disciplinary process should provide for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business

• Termination or change of employment (ISO27001):
– Infosec responsibilities & duties are defined, communicated to the employee or contractor & enforced

• ISO27002 guidance (termination/change):
– The communication of termination responsibilities should include on-going infosec requirements & legal responsibilities &, where appropriate, responsibilities contained within any confidentiality agreement & the terms & conditions of employment continuing for a defined period after the end of the employee's or contractor's employment

• As you can see, human resource security has quite a bit of detail
• ISO27002 provides very useful guidance and elaborates the ISO27001 controls

SBP CIRC. # 5, TECHNOLOGY GOVERNANCE FRAMEWORK

Module 253
SBP TECHNOLOGY GOVERNANCE AND RISK MANAGEMENT FRAMEWORK

OBJECTIVES
• The framework aims to provide an enabling regulatory environment for managing risks associated with the acquisition, development, deployment and use of technology and shall serve as SBP's baseline requirements for all FI(s).
• The FI(s) shall upgrade their systems, controls and procedures to ensure compliance with this framework latest by June 30, 2018.
• The FI(s) shall assess and conduct a gap analysis between their current status & this framework and draw a time-bound action plan to address the gaps and comply with the guidelines in this framework

OVERVIEW
• The instructions are focused on enhancing the proactive and reactive environments in FI(s) to various facets and dimensions of technology including information security, technology operations, audit, business continuity, project/performance management and related domains (pg 5)
• FI(s) shall adopt an integrated risk management approach to identify, measure, monitor and control technology risks (page 5)
• The Framework consists of 6 domains and 35 sub-domains
• Overall the Framework is a combination of COBIT, ITIL, and ISO27001:2013 (ISMS)

Implementation Mechanism
a. Gap analysis
b. Documentation
c. Implementation

CYBER SECURITY MATURITY MATRIX - OVERVIEW

Module 254
• In this module we will introduce the Cyber Security Maturity Matrix (CSMM)

2239
CYBER SECURITY MATURITY MATRIX - OVERVIEW

SECURITY MATURITY LEVEL
VI. SECURED
V. MONITORED
IV. PROTECTED
III. HARDENED
II. FUNDAMENTALS
I. FOUNDATION

2240
CYBER SECURITY MATURITY MATRIX - OVERVIEW

Industry Security Challenges:
• Grass-roots security controls have not been implemented
• Haphazard, reactive security approach
• Not following any structured security architecture or framework

2241
CYBER SECURITY MATURITY MATRIX - OVERVIEW

What challenges does CSMM address ?
• 5 characteristics of Information Security in Pakistan:
– Reactive
– Superficial
– Box approach
– Contention
– Governance overkill

2242
CYBER SECURITY MATURITY MATRIX - OVERVIEW

How is the local industry coping with security implementation ?
a. Large organizations
b. Medium sized organizations
c. Small organizations

2243
CYBER SECURITY MATURITY MATRIX - OVERVIEW

Issues with large organizations:
1. Missed out on security hardening
2. Vulnerability management effectively not being done as per Int’l best-practice
3. Attempting automation or box approach

2244
CYBER SECURITY MATURITY MATRIX - OVERVIEW

Issues with medium sized organizations:
1. Don’t have sufficient security expertise and knowledge
2. Security was never a focus
3. Have built insecure IT networks just like the large organizations
4. VM and hardening missing here too

2245
CYBER SECURITY MATURITY MATRIX - OVERVIEW

Issues with smaller organizations:
1. Mostly have pirated software
2. Enterprise antivirus and Microsoft Active Directory (AD) mostly missing
3. Not enough budget for security
4. No personnel allocated for security

2246
CYBER SECURITY MATURITY MATRIX - OVERVIEW

The industry status:
1. Industry lacks a standard & authentic roadmap of how to achieve security
2. No mechanism to measure or certify security
3. Divergent understanding of how security will be achieved

2247
CYBER SECURITY MATURITY MATRIX - OVERVIEW

SECURITY MATURITY LEVEL: MINIMUM CHARACTERISTICS

VI. SECURED
– Red Team Penetration Testing
– Security Orchestration, Automation, & Incident Response
– Threat Protection
– Threat Simulation

V. MONITORED
– Security Operations Center (SOC) Implementation
– Critical Data Encryption
– Data Loss Prevention (DLP) Solution
– SIEM Solution For Security Events Detection

IV. PROTECTED
– ISO27001:2013 (ISMS) Certification
– External/Internal Penetration Test (Critical Assets)
– Software Source Code Review For Critical Applications
– CIS 20 Critical Security Controls

III. HARDENED
– Software Security Hardening Program
– NGN FW At Data Center Entry Point With Filtering
– CIS Security Benchmarks Hardening Of All IT Assets
– Min Monthly Credential Based VM Cycle

II. FUNDAMENTALS
– Network Segmentation With VLANs By Dept/Service, & DMZ
– Edge NGN FW With Web, Email, Anti-malware Filtering
– Min Quarterly Credential Based VM Cycle
– Licensed Or Open Source VM Tool

I. FOUNDATION
– Edge FW With Filtering
– Active Directory (WS/S)
– Licensed Enterprise AV (WS/S)
– Licensed Windows OS (WS/S) Or Open Source

2248
CYBER SECURITY MATURITY MATRIX - OVERVIEW

How does CSMM help ?
• Offers a proactive, structured, sequential model to implement security
• Model is certifiable
• Cyber Security Certification Board (CSCB) will certify security status of organizations

END
2249
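The CSMM is presented above as a sequential, certifiable model: an organization is at a given level only when every minimum characteristic of that level and of all lower levels is in place. The Python below is an added example, not part of the course handouts and not the CSCB's certification procedure; it transcribes the matrix rows from the table above and scores a constructed organization profile, reporting the level reached, the gaps that block the next level, and controls implemented out of sequence (the "box approach" the slides warn about). The scoring rule is my reading of the slides and is stated as an assumption in the code.

```python
"""Score an organization against the Cyber Security Maturity Matrix (CSMM).

Added example: the level names and characteristics below are transcribed
from the CSMM table in the handouts; SAMPLE_ORG is a constructed profile.
Assumption: a level is earned only when all of its characteristics and all
characteristics of every lower level are implemented (sequential model).
"""
from typing import Dict, Iterable, List, Tuple

CSMM: List[Tuple[str, List[str]]] = [
    ("I. FOUNDATION", [
        "Licensed Windows OS (WS/S) Or Open Source",
        "Licensed Enterprise AV (WS/S)",
        "Active Directory (WS/S)",
        "Edge FW With Filtering",
    ]),
    ("II. FUNDAMENTALS", [
        "Licensed Or Open Source VM Tool",
        "Min Quarterly Credential Based VM Cycle",
        "Edge NGN FW With Web, Email, Anti-malware Filtering",
        "Network Segmentation With VLANs By Dept/Service, & DMZ",
    ]),
    ("III. HARDENED", [
        "Min Monthly Credential Based VM Cycle",
        "CIS Security Benchmarks Hardening Of All IT Assets",
        "NGN FW At Data Center Entry Point With Filtering",
        "Software Security Hardening Program",
    ]),
    ("IV. PROTECTED", [
        "CIS 20 Critical Security Controls",
        "Software Source Code Review For Critical Applications",
        "External/Internal Penetration Test (Critical Assets)",
        "ISO27001:2013 (ISMS) Certification",
    ]),
    ("V. MONITORED", [
        "SIEM Solution For Security Events Detection",
        "Data Loss Prevention (DLP) Solution",
        "Critical Data Encryption",
        "Security Operations Center (SOC) Implementation",
    ]),
    ("VI. SECURED", [
        "Threat Simulation",
        "Threat Protection",
        "Security Orchestration, Automation, & Incident Response",
        "Red Team Penetration Testing",
    ]),
]

ALL_CHARACTERISTICS = {c for _, chars in CSMM for c in chars}

# Constructed profile: levels I and II complete, level III half done, plus a
# SIEM bought ahead of the hardening work (the "box approach" on the slides).
SAMPLE_ORG = {
    "Licensed Windows OS (WS/S) Or Open Source",
    "Licensed Enterprise AV (WS/S)",
    "Active Directory (WS/S)",
    "Edge FW With Filtering",
    "Licensed Or Open Source VM Tool",
    "Min Quarterly Credential Based VM Cycle",
    "Edge NGN FW With Web, Email, Anti-malware Filtering",
    "Network Segmentation With VLANs By Dept/Service, & DMZ",
    "Min Monthly Credential Based VM Cycle",
    "CIS Security Benchmarks Hardening Of All IT Assets",
    "SIEM Solution For Security Events Detection",
}


def assess(implemented: Iterable[str]) -> Dict[str, object]:
    """Return the level earned, the next level, its gaps, and out-of-sequence controls."""
    have = set(implemented)
    level, next_level = "NONE", None
    gaps: List[str] = []
    ahead: List[str] = []   # implemented at a level above the first incomplete one
    blocked = False
    for name, chars in CSMM:
        present = [c for c in chars if c in have]
        missing = [c for c in chars if c not in have]
        if blocked:
            ahead.extend(present)       # no credit until the lower gap is closed
        elif missing:
            blocked, next_level, gaps = True, name, missing
        else:
            level = name                # every characteristic of this level is in place
    return {
        "level": level,
        "next_level": next_level,
        "gaps": gaps,
        "ahead_of_level": ahead,
        "unrecognised": sorted(have - ALL_CHARACTERISTICS),  # typos / non-matrix items
    }


if __name__ == "__main__":
    result = assess(SAMPLE_ORG)
    print(f"Certified level : {result['level']}")
    print(f"Next level      : {result['next_level']}")
    for gap in result["gaps"]:
        print(f"  gap      : {gap}")
    for item in result["ahead_of_level"]:
        print(f"  no credit: {item}")
```

The "ahead_of_level" list is the useful output for a gap analysis: it shows spend that earns no certification credit yet, which is exactly the situation the "box approach" bullet describes.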
CSMM - LAYER 1 - FOUNDATION

Module 255
• In this module we will introduce the Cyber Security Maturity Matrix (CSMM): layer 1

2250
CSMM - LAYER 1 - FOUNDATION

CSMM LAYER 1: FOUNDATION
I. FOUNDATION
– Edge FW With Filtering
– Active Directory (WS/S)
– Licensed Enterprise AV (WS/S)
– Licensed Windows OS (WS/S) Or Open Source

2252
CSMM - LAYER 1 - FOUNDATION

1.1: LICENSED WINDOWS OR OPEN SOURCE
• Licensed Windows (MS)
• Ubuntu open source
• Numerous other open source alternatives
• Basic requirement for a secure IT setup
• Pirated software is infested with malware

2253
CSMM - LAYER 1 - FOUNDATION

1.2: LICENSED ENTERPRISE ANTI-VIRUS
• Users usually do not update their AV
• Visibility dashboard & central management required
• Consistent management of hundreds or thousands of anti-virus agents
• Many anti-virus agents are out of sync with the update server

2254
CSMM - LAYER 1 - FOUNDATION

1.3: ACTIVE DIRECTORY (AD)
• Active Directory (AD) is essential not only to regulate account management (authentication and authorization) but also to enforce and manage security controls

2255
CSMM - LAYER 1 - FOUNDATION

1.4: Edge FW With Filtering
• Forms first line of perimeter defense
• Filtering of incoming and outgoing traffic
• DMZ for hosted services
• Policy enforcement for security

END
2256
CSMM - Layer 2 - Fundamentals

Module 256
• In this module we will introduce the Cyber Security Maturity Matrix (CSMM), layer 2

2257
CSMM - LAYER 2 - FUNDAMENTALS

CSMM LAYER 2: FUNDAMENTALS
II. FUNDAMENTALS
– Network Segmentation With VLANs By Dept/Service, & DMZ
– Edge NGN FW With Web, Email, Anti-malware Filtering
– Min Quarterly Credential Based VM Cycle
– Licensed Or Open Source VM Tool

2259
CSMM - LAYER 2 - FUNDAMENTALS

2.1: LICENSED OR OPEN SOURCE VM TOOL
• Vulnerability management or patch management is a foundational layer of security practice
• Open source: OpenVAS
• Licensed: Qualys, Nessus, Rapid7

2260
CSMM - LAYER 2 - FUNDAMENTALS

2.2: MIN QUARTERLY CREDENTIAL BASED VM CYCLE
• For those organizations that have not conducted VM practice before
• International best-practice is a weekly VM cycle

2261
CSMM - LAYER 2 - FUNDAMENTALS

2.3: Edge NGN FW With Web, Email, Anti-malware Filtering
• Typical NGN FW: Fortinet
• Features: VPNs, web filtering, email anti-spam filtering, antivirus, anti-malware, application visibility & control, access-lists

2262
CSMM - LAYER 2 - FUNDAMENTALS

2.4: Network Segmentation With VLANs by Dept./Service & DMZ
• Network segmentation helps create separate broadcast domains
• Separate policies and filtering possible for each separate VLAN
• Helps manage traffic
• Segregates traffic into traffic-types

END
2263
CSMM - LAYER 3: HARDENED

Module 257
• In this module we will introduce the Cyber Security Maturity Matrix (CSMM), layer 3

2264
CSMM - LAYER 3: HARDENED

CSMM LAYER 3: HARDENED
III. HARDENED
– Software Security Hardening Program
– NGN FW At Data Center Entry Point With Filtering
– CIS Security Benchmarks Hardening Of All IT Assets
– Min Monthly Credential Based VM Cycle

2266
CSMM - LAYER 3: HARDENED

3.1: Minimum Monthly Credential Based VM Scan
• Now moved to monthly scan from quarterly scan
• Credential based scan instead of non-credential scan

2267
CSMM - LAYER 3: HARDENED

3.2: CIS BENCHMARKS HARDENING OF ALL IT ASSETS
• Hardening covered in detail in this course
• Planning, pilot, production implementation
• Usually takes 6-8 months depending upon size of organization

2268
CSMM - LAYER 3: HARDENED

3.3: NGN FW At Datacenter Entry Point With Filtering
• Filtering and malware protection at the datacenter entry point is often ignored
• All traffic, including internal user traffic, entering or exiting the data center needs to be filtered

2269
CSMM - LAYER 3: HARDENED

3.4: Software Security Hardening Program
• Software security program needs to be developed
• Software security hardening: controls identification, pilot controls implementation, validation, testing, change management, PROD

END
2270
CSMM - LAYER 4: PROTECTED

Module 258
• In this module we will introduce the Cyber Security Maturity Matrix (CSMM), layer 4

2271
CSMM - LAYER 4: PROTECTED

CSMM LAYER 4: PROTECTED
IV. PROTECTED
– ISO27001:2013 (ISMS) Certification
– External/Internal Penetration Test (Critical Assets)
– Software Source Code Review For Critical Applications
– CIS 20 Critical Security Controls

2273
CSMM - LAYER 4: PROTECTED

4.1: CIS 20 CRITICAL SECURITY CONTROLS
• Aggregate control set covering all aspects of IT
• CIS benchmarks covered individual asset hardening
• Excellent set of security controls
• Sets out international best-practices

2274
CSMM - LAYER 4: PROTECTED

4.2: Software Source Code Review For Critical Applications
• Source code review is a specialized activity which may be conducted in a manual or automated manner
• Specific to the software technology platform
• Peer or third-party

2275
CSMM - LAYER 4: PROTECTED

4.3: External/Internal Penetration Test (Critical Assets)
• Penetration test most beneficial after the internal VM program is functional, and security hardening has been performed
• Third-party review of vulnerabilities and hacker-view of assets

2276
CSMM - LAYER 4: PROTECTED

4.4: ISO27001:2013 (ISMS) Certification
• Global gold standard for Information Security governance
• Needs to be wisely used as it is both deep and broad
• Utilize as security governance framework leveraging VM and security hardening

END
2277
CSMM - LAYER 5: MONITORED

Module 259
• In this module we will introduce the Cyber Security Maturity Matrix (CSMM), layer 5

2278
CSMM - LAYER 5: MONITORED

CSMM LAYER 5: MONITORED
V. MONITORED
– Security Operations Center (SOC) Implementation
– Critical Data Encryption
– Data Loss Prevention (DLP) Solution
– SIEM Solution For Security Events Detection

2280
CSMM - LAYER 5: MONITORED

5.1: SIEM SOLUTION FOR SECURITY EVENTS DETECTION
• SIEM solutions provide security log collection, dashboard reporting, root-cause analysis, and correlation
• Leading SIEM solutions: LogRhythm, IBM QRadar, Splunk, Elasticsearch

2281
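Correlation is the SIEM capability that turns collected logs into detections. As an added example (not from the handouts and not code from any of the SIEM products named above), the Python below runs one correlation rule over a constructed set of sshd log lines: five or more failed logins from a single source inside a two-minute window raises a brute-force alert, and a successful login from that same source while the window is still active raises a higher-severity alert. The threshold, the window, the hostname web01 and the source addresses (all from documentation ranges) are assumptions for the demo.

```python
"""Minimal SIEM-style correlation over sshd log lines.

Added example, not from the handouts. The log lines are constructed
(TEST-NET addresses, hostname web01); the threshold and window are
assumed values that a real SIEM rule would make tunable.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

SAMPLE_LOG = """\
Mar 12 09:14:01 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 12 09:14:03 web01 sshd[2313]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 12 09:14:05 web01 sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 50216 ssh2
Mar 12 09:14:07 web01 sshd[2317]: Failed password for invalid user admin from 203.0.113.7 port 50218 ssh2
Mar 12 09:14:09 web01 sshd[2319]: Failed password for deploy from 203.0.113.7 port 50220 ssh2
Mar 12 09:14:11 web01 sshd[2321]: Failed password for deploy from 203.0.113.7 port 50222 ssh2
Mar 12 09:14:40 web01 sshd[2323]: Accepted password for deploy from 203.0.113.7 port 50224 ssh2
Mar 12 09:15:02 web01 sshd[2330]: Failed password for alice from 198.51.100.23 port 41000 ssh2
Mar 12 09:15:09 web01 sshd[2331]: Accepted password for alice from 198.51.100.23 port 41002 ssh2
Mar 12 09:16:00 web01 sshd[2340]: Accepted publickey for bob from 192.0.2.10 port 39000 ssh2
"""

# One regex for the auth outcome lines; anything else (session opened, etc.) is ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_line(line: str, year: int = 2024) -> Optional[Dict[str, object]]:
    """Normalise one syslog line into an event dict, or None if it is not an auth outcome."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def correlate(lines: List[str], threshold: int = 5,
              window: timedelta = timedelta(seconds=120)) -> List[Dict[str, object]]:
    """Sliding-window correlation keyed on source address."""
    events = [e for e in (parse_auth_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    for e in events:
        q = recent_failures[str(e["src"])]
        while q and e["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if e["outcome"] == "Failed":
            q.append(e["ts"])
            if len(q) == threshold:             # fire once when the threshold is crossed
                alerts.append({"rule": "ssh-bruteforce", "severity": "medium",
                               "src": e["src"], "host": e["host"],
                               "failures": len(q), "at": e["ts"]})
        elif len(q) >= threshold:               # success right after a burst of failures
            alerts.append({"rule": "ssh-bruteforce-success", "severity": "high",
                           "src": e["src"], "host": e["host"], "user": e["user"],
                           "failures": len(q), "at": e["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(f"{alert['at']:%H:%M:%S} {alert['severity']:6} {alert['rule']:24} "
              f"src={alert['src']} failures={alert['failures']}")
```

On the sample the rule fires twice for 203.0.113.7 and stays quiet for alice's single typo, which is the point of keying on the source and requiring a burst: the high-severity alert is the one an analyst should open first, because a success after a burst of failures is the case a plain failure count cannot distinguish from noise.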
CSMM - LAYER 5: MONITORED

5.2: DATA LOSS PREVENTION (DLP) SOLUTION
• Classification, visibility, and control of data
• Monitoring and blocking of data leakage and data exfiltration
• Network DLP and system DLP (agent)

2282
CSMM - LAYER 5: MONITORED

5.3: CRITICAL DATA ENCRYPTION
• Protect intellectual property and confidential information
• Confidentiality and integrity of data
• Encrypt data at rest, in transit, and in use
• Laptop HDD and removable media

2283
CSMM - LAYER 5: MONITORED

5.4: SECURITY OPERATIONS CENTER (SOC) IMPLEMENTATION
• After implementation of the first four layers, it’s time to consolidate security operations
• People, process, and technology/tools
• Similar to a NOC but for security purposes
• SIEM is the starting point

END
2284
CSMM - LAYER 6: SECURED

Module 260
• In this module we will introduce the Cyber Security Maturity Matrix (CSMM), layer 6

2285
CSMM - LAYER 6: SECURED

CSMM LAYER 6: SECURED
VI. SECURED
– Red Team Penetration Testing
– Security Orchestration, Automation, & Incident Response
– Threat Protection
– Threat Simulation

2287
CSMM - LAYER 6: SECURED

6.1: THREAT SIMULATION
• Platform such as Redwolf Security (www.redwolfsecurity.com)
• Security testing, load testing, and DDoS testing
• Misconfigured security devices and incident response

2288
CSMM - LAYER 6: SECURED

6.2: THREAT PROTECTION
• Various threat protection solutions
• Best solutions will map to the vulnerability condition of your IT assets, e.g. Qualys Threat Protect
• Helps to pinpoint most critical assets and prioritize patching

2289
CSMM - LAYER 6: SECURED

6.2: THREAT PROTECTION
• Qualys Threat Protection Live Threat Intelligence Feed displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details.

2290
CSMM - LAYER 6: SECURED

6.3: SECURITY ORCHESTRATION, AUTOMATION, AND INCIDENT RESPONSE
• Solution such as CyberSponse (www.cybersponse.com)

2291
CSMM - LAYER 6: SECURED

6.3: SECURITY ORCHESTRATION, AUTOMATION, AND INCIDENT RESPONSE
• From triaging and investigating alerts to collaboration and remediation between team members, CyberSponse takes your security operation team to the next level.

2292
CSMM - LAYER 6: SECURED

6.4: RED TEAM PENETRATION TESTING
• Red team and blue team
• Attack & defense simulation
• Continuously find holes in security defenses
• Uncover security vulnerabilities before hackers exploit them

END
2293
InfoSecurity Lifecycle – Security Validation

Module 261
• Let’s have a re-look at the 8-Step Security Hardening Methodology

2294
InfoSecurity Lifecycle – Security Validation

8 STEP METHODOLOGY FOR SECURITY HARDENING
1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

2295
InfoSecurity Lifecycle – Security Validation

• Validation during security hardening:
– Purpose here is only to validate or confirm that the intended controls have been correctly and completely applied in the pilot setup

2296
InfoSecurity Lifecycle – Security Validation

• Validation during security hardening:
– Nothing mentioned for production environment
– Nothing mentioned for BUSINESS LAUNCH (GO-LIVE)

2297
InfoSecurity Lifecycle – Security Validation

• Now let’s look at the more comprehensive Information Security Lifecycle (7 stages) which is not specific to security hardening

2298
InfoSecurity Lifecycle – Security Validation

INFORMATION SECURITY LIFECYCLE (7 STAGES)
1. Requirements
2. Assess Current Posture
3. Remediation Plan
4. Implement Controls
5. Test/Validate
6. Accredit
7. Monitor & Audit

2299
InfoSecurity Lifecycle – Security Validation

• In the Information Security Lifecycle chart, we have already gone into the production “environment” with Stage 4
• However, formal approval for BUSINESS LAUNCH (GO-LIVE) has not yet been issued
• Security accreditation has not taken place

2300
InfoSecurity Lifecycle – Security Validation

INFORMATION SECURITY LIFECYCLE (7 STAGES)
1. Requirements
2. Assess Current Posture
3. Remediation Plan
4. Implement Controls
5. Test/Validate
6. Accredit
7. Monitor & Audit

2301
InfoSecurity Lifecycle – Security Validation

• In the Information Security Lifecycle chart, Stages 5 & 6:
– …refer to activities carried out in the PRODUCTION “environment”
– …but before Business launch (GO-LIVE) has taken place

2302
InfoSecurity Lifecycle – Security Validation

INFORMATION SECURITY LIFECYCLE (7 STAGES)
1. Requirements
2. Assess Current Posture
3. Remediation Plan
4. Implement Controls
5. Test/Validate
6. Accredit
*** FORMAL BUSINESS LAUNCH OR GO-LIVE ***
7. Monitor & Audit

2303
InfoSecurity Lifecycle – Security Validation

• The formal business launch or GO-LIVE only takes place after the Information Security team accredits that the new application/portal or service is secure
• Business launch or GO-LIVE also has business related activities as dependencies, such as marketing & others

2304
InfoSecurity Lifecycle – Security Validation

• Business launch or GO-LIVE dependencies:
– UAT & application bug testing and feature testing
– Facilities readiness
– Sales & marketing launch ceremony
– Partner readiness
– Org service readiness

2305
InfoSecurity Lifecycle – Security Validation

• Let’s look at the following steps in more detail and granularity in the following modules:
– Security validation
– Security testing
– Security accreditation

2306
What is Security Validation ?

Module 262
• What does security validation mean ?
– To confirm via walk-through of the system or device that the security controls implemented by an IT team have actually been implemented correctly

2307
What is Security Validation ?

• Who implements the security controls ?
– Under the Security Transformation Model, security controls are implemented by the IT teams

2308
What is Security Validation ?

• Who conducts security validation ?
– Security controls are validated by the Information Security team or by a third-party consultant following the principle of segregation of duty

2309
What is Security Validation ?

• Why do we need to validate security controls ?
1. To check the completeness of the controls
2. To check the correctness of the controls
3. As an overall assurance

2310
What is Security Validation ?

1. To check the completeness of the controls:
– Usually hundreds of controls need to be implemented
– There may be genuine omissions by technical team members
– There may have been errors made

2311
What is Security Validation ?

2. To check the correctness of controls:
– Technical capabilities of teams vary
– Technical capabilities of team members vary
– A technical issue may not have been understood correctly

2312
What is Security Validation ?

3. As an overall assurance:
– IT team may not have sufficient resources to ensure 100% completeness and correctness
– Implementation by IT and validation by the Information Security team forms a healthy team relationship

2313
What is Security Validation ?

3. As an overall assurance:
– This is also referred to as the maker-checker principle
– Some of the controls may have been designated as “not-applicable” or “not possible” and the reasons and justification need to be reviewed

2314
What is Security Validation ?

3. As an overall assurance:
– Significant resources are allocated to the security transformation program; even one control missed may affect the security posture
– Uncovered at the time of hack/attack

2315
What is Security Validation ?

3. As an overall assurance:
– Ability, integrity and diligence of team members are key factors
– Healthy technical debate and cross-checks have a positive outcome on the program
http://whatis.techtarget.com/definition/four-eyes-principle

2316
What is Security Validation ?

• The Information Security team or the ISMC is tasked with the overall responsibility for the success of the program
• Any lapses discovered later fall squarely under the responsibility of InfoSec/ISMC

2317
What is Security Validation ?

• Security validation becomes an essential activity and needs to be established in an environment of healthy & professional commitment to ensure the 100% complete and correct implementation & upkeep of the controls

END…
2318
How is Security Validation Performed ?

Module 263
• Ownership of security validation lies with the Information Security team, alternately with an Information Security consultant
• Driven by ISMC or Head of Information Security

2319
How is Security Validation Performed ?

• Security validation is the same irrespective of whether it is performed specific to the 8-Step Security Hardening (Model) or to the Information Security Lifecycle

2320
How is Security Validation Performed ?

8 STEP METHODOLOGY FOR SECURITY HARDENING
1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

2321
How is Security Validation Performed ?

STEP  DESCRIPTION                                  PERFORMED BY         FACILITATED BY
1     IDENTIFY CRITICAL ASSETS (& ASSET OWNER)     ISMC                 HEAD OF IT SECTION
2     RESEARCH APPLICABLE SECURITY CONTROLS        INFOSEC TEAM         ISMC
3     CHECKLIST OF APPLICABLE SECURITY CONTROLS    INFOSEC TEAM         TEAM LEAD
4     DOCUMENT CONTROLS INTO SOP                   TEAM LEAD            INFOSEC TEAM
5     IMPLEMENT CONTROLS ON TEST SETUP             IT OPERATIONS TEAM   TEAM LEAD
6     VALIDATION OF CONTROL IMPLEMENTATION         INFOSEC TEAM         IT OPERATIONS TEAM
7     CHANGE MANAGEMENT PROCESS FOR PRODUCTION     TEAM LEAD            ISMC
8     PRODUCTION & MONITOR                         IT OPERATIONS TEAM   TEAM LEAD

2322
How is Security Validation Performed ?

SECURITY VALIDATION SEQUENCE
1. Decide Scope
2. Study Controls
3. Conduct Review
4. Remove Errors
5. Confirm Validation

2323
How is Security Validation Performed ?

1. Decide Scope
– Acquire checklist of applied controls from IT team
– Decide stakeholders who will conduct review (IT & InfoSec)
– Schedule the review and send formal email to IT (plus calendar invite)

2324
How is Security Validation Performed ?

2. Study Controls
– Information Security team to acquire original controls from CIS/DISA/other
– Study & understand the controls
– Mark the checklist & ensure correctness
– Prepare docs & notes for actual review

2325
How is Security Validation Performed ?

3. Conduct Review
– One person to conduct review & one to take notes
– Walkthrough of each control
– Random sampling of controls (20-30%)
– Agree on any action items for shortcomings with timeline

2326
How is Security Validation Performed ?

• Important to discuss & understand controls marked by IT team as:
– Not-applicable
– Not-possible
• Understand reasoning
• Verify dependencies if any
• Challenge the IT team view wherever appropriate

2327
How is Security Validation Performed ?

4. Remove Errors:
– IT team to remove any shortcomings or omissions in control implementation
– IT team reports back to InfoSec team when all shortcomings fixed

2328
How is Security Validation Performed ?

5. Confirm Validation
– InfoSec team schedules another session with IT team to confirm that all shortcomings have been removed
– InfoSec team adds a confirmation column & comments column to checklist

2329
How is Security Validation Performed ?

5. Confirm Validation
– Status of validation communicated to relevant IT teams & stakeholders
– Records updated to register the validation activity
– Project management stats updated accordingly (% complete)

END
2330
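The five validation steps above amount to a small workflow: the IT checklist comes in (step 1), every control marked not-applicable or not-possible must be reviewed for its justification while the applied controls are sampled at 20-30% (step 3), shortcomings go back to IT (step 4), and the InfoSec team records a confirmation column and a comments column and updates the % complete figure (step 5). The Python below is an added example of that bookkeeping, not a tool from the handouts; the checklist rows, the CTL-0xx control ids and the titles are constructed placeholders rather than entries from any benchmark, and the sampling bounds are taken from the "Conduct Review" slide.

```python
"""Bookkeeping for the five-step security validation sequence.

Added example, not from the handouts. SAMPLE_CHECKLIST is constructed; the
CTL-0xx ids and titles are placeholders, not benchmark entries. The 20-30%
sampling bound comes from the "Conduct Review" slide.
"""
import csv
import io
import random
from typing import Dict, List, Optional

SAMPLE_CHECKLIST = """\
control_id,title,it_status,justification
CTL-001,Disable unused network services,applied,
CTL-002,Enforce password complexity via AD policy,applied,
CTL-003,Restrict remote administration to management VLAN,applied,
CTL-004,Enable audit logging for privileged actions,applied,
CTL-005,Disable legacy SMBv1 protocol,applied,
CTL-006,Configure host firewall default-deny inbound,applied,
CTL-007,Remove local administrator accounts,not-possible,Legacy backup agent requires local admin
CTL-008,Enable full-disk encryption on laptops,not-applicable,Server-only environment
CTL-009,Set screen lock timeout to 10 minutes,applied,
CTL-010,Disable autorun for removable media,applied,
"""

NEEDS_JUSTIFICATION = {"not-applicable", "not-possible"}
VALID_STATUS = {"applied"} | NEEDS_JUSTIFICATION

Row = Dict[str, str]


def load_checklist(text: str) -> List[Row]:
    """Step 1: take the IT checklist and add the columns InfoSec will fill in."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        if r["it_status"] not in VALID_STATUS:
            raise ValueError(f"{r['control_id']}: unknown status {r['it_status']!r}")
        if r["it_status"] in NEEDS_JUSTIFICATION and not r["justification"].strip():
            raise ValueError(f"{r['control_id']}: {r['it_status']} requires a justification")
        r["infosec_confirmed"] = ""   # confirmation column (step 5)
        r["infosec_comment"] = ""     # comments column (step 5)
    return rows


def select_review_set(rows: List[Row], sample_fraction: float = 0.25,
                      seed: Optional[int] = None) -> List[Row]:
    """Step 3: every N/A or not-possible control is reviewed in full;
    applied controls are randomly sampled at 20-30%."""
    if not 0.2 <= sample_fraction <= 0.3:
        raise ValueError("sample fraction must be between 0.2 and 0.3")
    mandatory = [r for r in rows if r["it_status"] in NEEDS_JUSTIFICATION]
    applied = [r for r in rows if r["it_status"] == "applied"]
    k = min(len(applied), max(1, round(len(applied) * sample_fraction)))
    sampled = random.Random(seed).sample(applied, k)
    return sorted(mandatory + sampled, key=lambda r: r["control_id"])


def record_finding(rows: List[Row], control_id: str, confirmed: bool,
                   comment: str = "") -> Row:
    """Steps 3-5: note the reviewer's verdict against one control."""
    for r in rows:
        if r["control_id"] == control_id:
            r["infosec_confirmed"] = "yes" if confirmed else "no"
            r["infosec_comment"] = comment
            return r
    raise KeyError(control_id)


def open_action_items(review_set: List[Row]) -> List[str]:
    """Step 4: controls found short, to be sent back to the IT team."""
    return [r["control_id"] for r in review_set if r["infosec_confirmed"] == "no"]


def percent_complete(review_set: List[Row]) -> float:
    """Step 5: project-management figure, share of the review set confirmed correct."""
    if not review_set:
        return 0.0
    confirmed = sum(1 for r in review_set if r["infosec_confirmed"] == "yes")
    return round(100.0 * confirmed / len(review_set), 1)


if __name__ == "__main__":
    checklist = load_checklist(SAMPLE_CHECKLIST)
    review = select_review_set(checklist, 0.25, seed=7)
    for r in review:
        verdict = r["it_status"] != "not-possible"  # demo: challenge the not-possible item
        record_finding(checklist, r["control_id"], verdict,
                       "verified on host" if verdict else "justification not accepted; rework with vendor")
    print("review set   :", [r["control_id"] for r in review])
    print("action items :", open_action_items(review))
    print("% complete   :", percent_complete(review))
```

Two design points follow the slides directly: a not-applicable or not-possible row without a justification is rejected at load time, because those are the rows the review is told to challenge, and the sample is drawn only from the applied controls so that the exception rows are never sampled away.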
What Is Security Testing ?

Module 264
• What is security testing ?
– Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended
https://en.wikipedia.org/wiki/Security_testing

2331
What Is Security Testing ?

• Security testing is not validation
– Security testing consists of running tests through a manual process or automated tools to discover weaknesses, flaws, or bugs in the software, application or device

2332
What Is Security Testing ?

• Types of security testing:
– Vulnerability assessment (VA)
– Penetration testing (PT)
– Other security tests through various automated tools
– Code review (initiated in test environment)

2333
What Is Security Testing ?

1. Vulnerability assessment:
– VA scanners have various tests built-in such as for malware, vulnerabilities, web application flaws (e.g. OWASP top ten)
– Compliance scanning against CIS/DISA benchmarks

2334
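Compliance scanning against a benchmark is the most mechanical kind of security test: read the effective configuration, compare each setting with the benchmark's expected value, report pass or fail. The Python below is an added example, not from the handouts and not a CIS or DISA tool; it parses a constructed sshd_config from a notional pilot host and evaluates it against a small constructed checklist whose items are modelled on the kind of SSH settings such benchmarks specify (the SSH-0x control ids are placeholders, not benchmark numbers). It applies OpenSSH's own rules for the effective value, which a hand review easily gets wrong: the first occurrence of a keyword wins, and an unset keyword takes the server default.

```python
"""Benchmark-style compliance check of an sshd_config.

Added example: SAMPLE_SSHD_CONFIG is a constructed file, and BENCHMARK is a
constructed checklist with placeholder control ids (SSH-01 ...), not CIS or
DISA numbering. The keys checked are real OpenSSH sshd_config keywords.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample. Note the duplicated PermitRootLogin: sshd honours the
# first value it reads, so the trailing "no" does NOT make the host compliant.
SAMPLE_SSHD_CONFIG = """\
# sshd_config from pilot host (constructed sample)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
MaxAuthTries 6
PermitEmptyPasswords no
X11Forwarding yes
LogLevel INFO
ClientAliveInterval 0
PermitRootLogin no
"""

# OpenSSH server defaults for the keywords checked (used when a key is not set).
DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "loglevel": "INFO",
    "clientaliveinterval": "0",
    "ignorerhosts": "yes",
}

# (control id, keyword, operator, expected); operators: eq, oneof, max, min
BENCHMARK: List[Tuple[str, str, str, object]] = [
    ("SSH-01", "PermitRootLogin", "eq", "no"),
    ("SSH-02", "MaxAuthTries", "max", 4),
    ("SSH-03", "PermitEmptyPasswords", "eq", "no"),
    ("SSH-04", "X11Forwarding", "eq", "no"),
    ("SSH-05", "LogLevel", "oneof", {"INFO", "VERBOSE"}),
    ("SSH-06", "ClientAliveInterval", "min", 1),
    ("SSH-07", "IgnoreRhosts", "eq", "yes"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective keyword values, lower-cased keys; first occurrence of a keyword wins."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def _passes(op: str, value: str, expected: object) -> bool:
    try:
        if op == "eq":
            return value.lower() == str(expected).lower()
        if op == "oneof":
            return value.upper() in expected  # type: ignore[operator]
        if op == "max":
            return int(value) <= int(expected)  # type: ignore[call-overload]
        if op == "min":
            return int(value) >= int(expected)  # type: ignore[call-overload]
    except ValueError:          # non-numeric value where a number is expected
        return False
    raise ValueError(f"unknown operator {op!r}")


def evaluate(effective: Dict[str, str]) -> List[Dict[str, object]]:
    """One result row per benchmark item, recording whether the value came from the file."""
    results: List[Dict[str, object]] = []
    for cid, key, op, expected in BENCHMARK:
        k = key.lower()
        value = effective.get(k, DEFAULTS[k])
        results.append({"id": cid, "key": key, "value": value,
                        "source": "config" if k in effective else "default",
                        "pass": _passes(op, value, expected)})
    return results


def summary(results: List[Dict[str, object]]) -> Tuple[int, int]:
    """(passed, failed) counts for the scan report."""
    passed = sum(1 for r in results if r["pass"])
    return passed, len(results) - passed


if __name__ == "__main__":
    report = evaluate(parse_sshd_config(SAMPLE_SSHD_CONFIG))
    for r in report:
        print(f"{r['id']}  {'PASS' if r['pass'] else 'FAIL'}  {r['key']}={r['value']} ({r['source']})")
    print("passed/failed:", summary(report))
```

The "source" column matters for the validation step that follows a scan: a PASS that comes from a server default is one a future config edit can silently undo, so a hardening checklist usually asks for the value to be set explicitly even when the default already complies.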
What Is Security Testing ?

2. Penetration Testing:
– Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.
http://searchsoftwarequality.techtarget.com/definition/penetration-testing

What Is Security Testing ?

2. Penetration Testing:
– Usually outsourced to a third-party depending on nature and criticality of the application or service being launched
– Highly specialized skill not commonly found in-house

2336
What Is Security Testing ?

2. Penetration Testing:
– Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about…
http://searchsoftwarequality.techtarget.com/definition/penetration-testing

2337
What Is Security Testing ?

2. Penetration Testing:
– …the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings
http://searchsoftwarequality.techtarget.com/definition/penetration-testing

2338
What Is Security Testing ?

3. Other security tests:
– If the testing is being conducted in-house, the tests should be conducted in the pilot/testing/staging environment and re-validated in the Production environment

2339
What Is Security Testing ?

3. Other security tests:
– If the testing is being conducted by a third-party specialist (such as for penetration testing), it will normally be conducted only in the Production environment (prior to GO-LIVE)

2340
What Is Security Testing ?

3. Other security tests (in-house):
– In-house testing capability & experience
– Conduct the tests (e.g. OWASP ZAP tool)
– Report findings
– Re-confirm once remediation done by IT

2341
What Is Security Testing ?

3. Other security tests (outsourced):
– As mentioned, will most likely be conducted in Production environment, prior to GO-LIVE
– Follow same sequence as for in-house testing

2342
What Is Security Testing ?

4. Code review:
– Code review examines flaws and vulnerabilities in programming source code
– A complete cycle, initiated early and in pilot testing phase
– May be conducted for production applications as well

2343
What Is Security Testing ?

4. Code review:
– Requires a mature internal process, experience and capability
– May be integrated with software QA testing

END

2344
What Is Security Accreditation ?

Module 265 • What is security


accreditation ?
– Accreditation is the
formal acceptance
of the adequacy of
the system’s overall
security by the
management
(SANS)
https://www.sans.org/reading-
room/whitepapers/accreditation/i
ntroduction-certification-
accreditation-1259

2345
What Is Security Accreditation ?

• Let’s have another look at the Information Security Lifecycle…

2346
What Is Security Accreditation ?

INFORMATION SECURITY LIFECYCLE (cycle):
1. Requirements
2. Assess Current Posture
3. Remediation Plan
4. Implement Controls
5. Test/Validate
6. Accredit
*** FORMAL BUSINESS LAUNCH OR GO-LIVE
7. Monitor & Audit

2347
What Is Security Accreditation ?

• Whenever a new, significant portal, application, or service is launched, management requires the Information Security team to certify, after carrying out the required security validation & security testing, that the…

2348
What Is Security Accreditation ?

• …security of the new portal/application or service has been thoroughly examined & tested and meets the minimum requirements as per organizational security policy
• That the new portal/application is safe & secure & is free from security risks
2349
What Is Security Accreditation ?
SECURITY ACCREDITATION SEQUENCE (cycle):
1. Organize
2. Prepare Checklist
3. Confirm Tests
4. Complete Doc & Processes
5. Team Meeting
6. Issue Accredit.
2350
What Is Security Accreditation ?

Security Accreditation Sequence
1. Organize
– Collect all security requirements, related security policy & SOPs, hardening checklists, validation status reports, test reports, completion status reports
2351
What Is Security Accreditation ?

Security Accreditation Sequence
1. …Organize
– Information Security team ensures that the full context of the security risks/impact is understood
– Subsequent security hardening & testing has been fully covered
2352
What Is Security Accreditation ?

Security Accreditation Sequence
2. Prepare Checklist & Share With Stakeholders
– Checklist should cover all activities & their status for completion of accreditation
– Share with stakeholders for feedback

END
2353
What Is Security Accreditation – Part 2 ?

Week 16
Module 266
• What is security accreditation ?
– Accreditation is the formal acceptance of the adequacy of the system’s overall security by the management (SANS)
https://www.sans.org/reading-room/whitepapers/accreditation/introduction-certification-accreditation-1259

2354
What Is Security Accreditation – Part 2 ?

• Let’s have another look at the Security Accreditation Sequence…

2355
What Is Security Accreditation – Part 2 ?
SECURITY ACCREDITATION SEQUENCE (cycle):
1. Organize
2. Prepare Checklist
3. Confirm Tests
4. Complete Doc & Processes
5. Team Meeting
6. Issue Accredit.

2356
What Is Security Accreditation – Part 2 ?

Security Accreditation Sequence
3. Confirm Tests
– Core activity: confirm that all test reports are satisfactory
– All tests and follow-up remediation measures have been completed

2357
What Is Security Accreditation – Part 2 ?

Security Accreditation Sequence
4. Documentation & Processes (Complete)
– Reconfirm correct versions
– Re-check checklists, SOPs
– Backups & DR
– All change control measures & sign-offs
2358
What Is Security Accreditation – Part 2 ?

Security Accreditation Sequence
4. Documentation & Processes (Complete)
– Re-check all management approvals
– Re-check UATs, customer sign-offs
– Check application performance issues
2359
What Is Security Accreditation – Part 2 ?

Security Accreditation Sequence
5. Team Meeting
– Call team meeting and report status of all activities
– List any snags & decide completion dates
– Seek stakeholder sign-off on accreditation form
2360
What Is Security Accreditation – Part 2 ?

Security Accreditation Sequence
5. Team Meeting
– Clarify & recap security requirements & SOPs
– Clarify what actions will invalidate the security accreditation

2361
What Is Security Accreditation – Part 2 ?

Security Accreditation Sequence
6. Issue Accreditation
– Once all details are completed on the accreditation sign-off form, issue the accreditation
– Business has GO-LIVE permission using the tested versions
2362
What Is Security Accreditation – Part 2 ?

Security Accreditation Sequence
6. Issue Accreditation
– Enter activities for accredited IT assets into IT audit program
– Update Operations teams, incident management, and risk management register

END
2363
Embedding InfoSec Lifecycle Into SDLC

Module 267
• The systems development life-cycle (SDLC) should embed the Information Security activities, forming a sec-SDLC (secure SDLC)

2364
Embedding InfoSec Lifecycle Into SDLC

INFORMATION SECURITY LIFECYCLE (cycle):
1. Requirements
2. Assess Current Posture
3. Remediation Plan
4. Implement Controls
5. Test/Validate
6. Accredit
*** FORMAL BUSINESS LAUNCH OR GO-LIVE
7. Monitor & Audit

2365
Embedding InfoSec Lifecycle Into SDLC

• Software Assurance Maturity Model (SAMM) developed by OWASP
– A guide to building security into software development
– 96 page PDF

http://www.opensamm.org/downloads/SAMM-1.0.pdf
2366
Embedding InfoSec Lifecycle Into SDLC

2367
Embedding InfoSec Lifecycle Into SDLC

• Four critical business functions
• For each business function there are three security practices
• For each security practice, three maturity levels as objectives

http://www.opensamm.org/downloads/SAMM-1.0.pdf (PAGE 3)
2368
Embedding InfoSec Lifecycle Into SDLC

• The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.
http://www.opensamm.org/downloads/SAMM-1.0.pdf (PAGE 3)
2369
Embedding InfoSec Lifecycle Into SDLC

2370
Embedding InfoSec Lifecycle Into SDLC

2371
Embedding InfoSec Lifecycle Into SDLC

2372
Embedding InfoSec Lifecycle Into SDLC

2373
Embedding InfoSec Lifecycle Into SDLC

2374
Embedding InfoSec Lifecycle Into SDLC

• The SAMM document sections:
1. Understanding the model
2. Applying the model
3. Security practices
4. Case studies

http://www.opensamm.org/downloads/SAMM-1.0.pdf
END

2375
Software Security Testing & Validation–1

Module 268
• The OWASP Software Assurance Maturity Model (SAMM) undertakes software security testing & validation during the following phases:
– Verification
– Deployment

2376
Software Security Testing & Validation–1

2377
Software Security Testing & Validation–1

• OWASP Software Assurance Maturity Model (SAMM) Verification Phase:
– Design Review
– Code Review
– Security Testing

2378
Software Security Testing & Validation–1

• Design Review:
– Focused on assessment of software design and architecture for security-related problems
– Detect architecture-level issues early in software…

2379
Software Security Testing & Validation–1

• Design Review:
– …development and thereby avoid potentially large costs from refactoring later due to security concerns

2380
Software Security Testing & Validation–1

2381
Software Security Testing & Validation–1

• Code Review:
– Focused on inspection of software at the source code level in order to find security vulnerabilities.
– Code-level vulnerabilities are generally simple to understand…
2382
Software Security Testing & Validation–1

• Code Review:
– …conceptually, but even informed developers can easily make mistakes that leave software open to potential compromise.

2383
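A concrete instance of the point above (a defect that is simple conceptually but easy to write), as an added example that is not from the handouts or the SAMM document: the same lookup written the flawed way a reviewer should flag, beside the fixed version, plus a small heuristic check of the kind a review checklist can automate. The in-memory SQLite table and its rows are constructed sample data; the function and variable names are the example's own.

```python
"""Code review: a code-level vulnerability beside its fix.

Added example, not from the CS205 handouts or from OWASP SAMM. It uses an
in-memory SQLite table with constructed sample rows to show the kind of
defect a code review looks for: a query assembled by string formatting
versus the same query written with bound parameters.
"""
from __future__ import annotations
import inspect
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """FLAWED: the caller-supplied value is spliced into the SQL text.

    A reviewer should flag the `sql = ...` line: a quote character in
    `username` changes the structure of the statement, not just a value.
    """
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn: sqlite3.Connection, username: str) -> list[str]:
    """FIXED: the value is bound as a parameter, so it can never become SQL."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def review_hint(source: str) -> list[str]:
    """Heuristic a review checklist can automate: flag lines that build a
    string containing SQL keywords via %, .format, + or f-strings.

    It directs reviewer attention; it is not a proof of safety.
    """
    flagged = []
    for lineno, line in enumerate(source.splitlines(), 1):
        has_sql = any(k in line.upper() for k in ("SELECT ", "INSERT ", "UPDATE ", "DELETE "))
        builds = any(t in line for t in ("%", ".format(", " + ", 'f"', "f'"))
        if has_sql and builds:
            flagged.append(f"line {lineno}: SQL built from a formatted string")
    return flagged


def review_functions(*funcs) -> dict[str, list[str]]:
    """Run the heuristic over the source of the given functions."""
    return {f.__name__: review_hint(inspect.getsource(f)) for f in funcs}


if __name__ == "__main__":
    db = make_db()
    print("fixed   :", lookup_fixed(db, "alice"))
    print("flawed  :", lookup_vulnerable(db, "alice"))
    for name, hints in review_functions(lookup_vulnerable, lookup_fixed).items():
        print(name, "->", hints or "no hint")
```

Both functions return the same result for an ordinary user name, which is why the defect survives functional testing; only the parameterised version keeps the value and the statement separate when the input contains a quote.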
Software Security Testing & Validation–1

2384
Software Security Testing & Validation–1

• Security Testing:
– Focused on inspection of software in the runtime environment in order to find security problems.
– These testing activities bolster the assurance case for software by…
2385
Software Security Testing & Validation–1

• Security Testing:
– …checking it in the same context in which it is expected to run, thus making visible operational misconfigurations or errors in business logic that are difficult to otherwise find.

2386
Software Security Testing & Validation–1

2387
Software Security Testing & Validation–1

• Let’s look at the SAMM Deployment Phase in the next module…

2388
Software Security Testing & Validation–2

Module 269
• The OWASP Software Assurance Maturity Model (SAMM) undertakes software security testing & validation during the following phases:
– Verification
– Deployment

2389
Software Security Testing & Validation–2

2390
Software Security Testing & Validation–2

• OWASP Software Assurance Maturity Model (SAMM) Deployment Phase:
– Environment Hardening
– Vulnerability Management
– Operational Enablement

2391
Software Security Testing & Validation–2

• Environment Hardening:
– Focused on building assurance for the runtime environment that hosts the organization’s software.
– Since secure operation of an application can be…

2392
Software Security Testing & Validation–2

• Environment Hardening:
– …deteriorated by problems in external components, hardening this underlying infrastructure directly improves the overall security posture of the software
2393
Software Security Testing & Validation–2

2394
Software Security Testing & Validation–2

• Vulnerability Management:
– Focused on the processes within an organization with respect to handling vulnerability reports and operational incidents.
– By having these processes in place, an organization’s…
2395
Software Security Testing & Validation–2

• Vulnerability Management:
– …projects will have consistent expectations and increased efficiency for handling these events, rather than chaotic and uninformed responses.

2396
Software Security Testing & Validation–2

2397
Software Security Testing & Validation–2

• Operational Enablement:
– Focused on gathering security critical information from the project teams building software and communicating it to the users and operators of the software.
2398
Software Security Testing & Validation–2

• Operational Enablement:
– Without this information, even the most securely designed software carries undue risks since important security characteristics and choices will not be known at a deployment site.
2399
Software Security Testing & Validation–2

2400
Software Security Testing & Validation–2

• SAMM is an excellent model for software (security) assurance
• OWASP also has a multitude of additional materials, guidance, and tools for software and web application security

END

2401
Embedding InfoSec Into Project Management

Module 270
• PMI’s five phases of project management:
– Initiate
– Plan
– Executing
– Controlling
– Closing

https://project-management.com/top-5-project-management-phases/

2402
Embedding InfoSec Into Project Management

Initiate
Project sponsorship, requirement gathering & analysis, develop project charter

SECURITY TASKS:
- Security requirements study
- Security impact assessment
- Security section in project charter

2403
Embedding InfoSec Into Project Management

Plan
Build project plan and identify resources & schedule for the project

SECURITY TASKS:
- Identify security role, team, and resources
- Risk management plan
- Embed security tasks into phased project plan

2404
Embedding InfoSec Into Project Management

Executing
Execute the project, project performance review & corrections

SECURITY TASKS:
- Track security tasks
- Security dashboard
- Weekly, monthly, quarterly progress reports

2405
Embedding InfoSec Into Project Management

Controlling
Project controlling, monitoring & corrections

SECURITY TASKS:
- Utilize contingency if required
- Prioritize remaining tasks
- Re-plan phases & cover for delays

2406
Embedding InfoSec Into Project Management

Closing
Launch product or solution, relieve resources

SECURITY TASKS:
- Security accreditation
- Identify operational measures
- SOPs, incident management, internal audit, monitoring

2407
Embedding InfoSec Into Project Management

• Senior management needs to ensure that security is integrated with IT project plans
• Sufficient security resources should be made available to manage the security aspects of projects

END

2408
How To Conduct Internal Security Assessment

Module 271
• What is an internal security assessment ?
– An effort to assess the security posture, risks, or vulnerabilities for any project, service, application, or device

2409
How To Conduct Internal Security Assessment

• When is an internal security assessment required ?
– Launch of a new IT project or service
– When an incident has occurred
– On change of leadership
– Regulatory or compliance requirements
2410
How To Conduct Internal Security Assessment

• Sequence of security assessment:
1. Management approval or communication
2. Assign resources
3. Build plan, scope and objectives
4. Conduct assessment
5. Report findings & remediation measures

2411
How To Conduct Internal Security Assessment

1. Management approval or communication:
– Authority of the assessment
– Cooperation from stakeholders
– Determine & communicate timeline
– Determine appropriate report format
2412
How To Conduct Internal Security Assessment

2. Assign resources:
– Assign information security resources with relevant experience
– Identify respective resources for IT asset to be assessed
– Hold initial meeting with respective stakeholder POC

2413
How To Conduct Internal Security Assessment

3. Build plan, scope & objectives:
– Study IT asset & gather background security docs
– Clear scope boundary
– Clear objectives
– Determine assessment method based on report format
– Build plan
2414
How To Conduct Internal Security Assessment

4. Conduct assessment:
– Conduct the necessary activities such as system walkthrough, vulnerability assessment, security testing, evaluation of security controls, review of process and documentation, etc.
2415
How To Conduct Internal Security Assessment

5. Report findings & remediation measures:
– Assimilate and analyze findings
– Determine level of severity, risk and appropriate remediation
– Tailor findings to report format & appropriate to forum
– Share report
2416
How To Conduct Internal Security Assessment

• A few pointers:
– Security should not be reactive
– Security transformation project should address security loopholes
– Align the security assessment with benchmarks established already

END
2417
Different Types Of Security Assessments

Module 272
• Vulnerability assessment
• Penetration test
• Audits
• Whitebox/greybox/blackbox assessments
• Risk assessment
• Threat assessment
• Bug bounty
• Red team
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2418
Different Types Of Security Assessments

• Vulnerability assessment:
– Technical assessment to yield as many vulnerabilities as possible in an environment along with severity and remediation priority information
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2419
Different Types Of Security Assessments

• Vulnerability assessment:
– Best when security maturity is low to medium, need a prioritized list of everything that’s wrong, goal is to fix as many things as possible as efficiently as possible
2420
Different Types Of Security Assessments

• Penetration test:
– A Penetration Test is a technical assessment designed to achieve a specific goal, e.g., to steal customer data, to gain domain administrator, or to modify sensitive salary information
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2421
Different Types Of Security Assessments

• Penetration test:
– Penetration Tests are for testing security that is assumed to be strong
– No point in wasting the effort if hardening and vulnerability assessment have not been done
2422
Different Types Of Security Assessments

• VA & PT difference:
– Vulnerability assessments look for security problems when you know/assume they exist, and penetration testing validates a configuration when you believe it to be secure
2423
Different Types Of Security Assessments

• Audit:
– An audit can be technical and/or documentation-based, and focuses on how an existing configuration compares to a desired standard

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2424
Different Types Of Security Assessments

• Audit:
– Orgs use audits to demonstrate compliance
– Importantly, compliance should not be used to demonstrate security
– Compliant orgs more likely to be secure
2425
Different Types Of Security Assessments

• Audit:
– Secure orgs are significantly more likely to be compliant (if checked), but compliant orgs should lay no claims to being secure just because they are in accordance with standard X or Y.
2426
Different Types Of Security Assessments

• Let’s look at the following in the next modules:
– Whitebox/greybox/blackbox assessments
– Risk assessment
– Threat assessment
– Bug bounty
– Red team

END
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2427
Types Of Security Assessments-Part 2

Module 273
• Vulnerability assessment
• Penetration test
• Audits
• Whitebox/greybox/blackbox assessments
• Risk assessment
• Threat assessment
• Bug bounty
• Red team
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2428
Types Of Security Assessments-Part 2

TYPE OF ASSESSMENT | DESCRIPTION | BEST USED WHEN
WHITEBOX | Tester has full access to all internal information available, such as network diagrams, source code, etc. | Best used with vulnerability assessments because you want to find as many issues as possible
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2429
Types Of Security Assessments-Part 2

TYPE OF ASSESSMENT | DESCRIPTION | BEST USED WHEN
GREYBOX | Tester has some information but not all | You want to give some information to the tester but not all

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2430
Types Of Security Assessments-Part 2

TYPE OF ASSESSMENT | DESCRIPTION | BEST USED WHEN
BLACKBOX | Tester is given no knowledge about the network – “attacker’s perspective” | Performing a penetration test

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2431
Types Of Security Assessments-Part 2

• Risk assessment:
– Should involve determining what the current level of acceptable risk is, measuring the current risk level, and then determining what can be done to bring these two in…
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2432
Types Of Security Assessments-Part 2

• Risk assessment:
– …line where there are mismatches. Risk Assessments commonly involve the rating of risks in two dimensions: probability, and impact.

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2433
Types Of Security Assessments-Part 2

• Risk assessment:
– Umbrella term for determining what you have of value, how it can be attacked, what you would lose if those attacks were successful, and what should be done to address the issues.
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2434
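The three risk-assessment slides above describe one procedure: rate each risk on probability and impact, compare the result with the level of risk the organization accepts, and decide what to do where the two do not line up. The following added example (not from the handouts or the cited article) carries that through in code. The 1-5 scales, the banding thresholds, the sample risks, the candidate controls and the acceptable-risk score of 6 are all constructed for illustration; an organization would set its own.

```python
"""Risk assessment: probability x impact rating and treatment against an
accepted level of risk.

Added example, not from the CS205 handouts. Scales, bands, the sample risks,
their candidate controls and the acceptable score are constructed values.
"""
from __future__ import annotations
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 = very low ... 5 = very high, for both dimensions


@dataclass
class Risk:
    name: str
    probability: int  # 1..5
    impact: int       # 1..5
    # candidate controls: (description, probability reduction, impact reduction)
    controls: list[tuple[str, int, int]] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.probability * self.impact


def rate(probability: int, impact: int) -> str:
    """Map a probability x impact score to a band used for prioritisation."""
    if probability not in SCALE or impact not in SCALE:
        raise ValueError("probability and impact must be in 1..5")
    score = probability * impact
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def residual(risk: Risk, control: tuple[str, int, int]) -> tuple[int, int]:
    """Probability and impact after applying one control, floored at 1."""
    _, dp, di = control
    return max(1, risk.probability - dp), max(1, risk.impact - di)


def treatment_plan(risks: list[Risk], acceptable: int) -> list[dict]:
    """For each risk above the acceptable score, take the first listed control
    that brings it to or below that score; where none does, mark the risk for
    escalation so management either accepts it explicitly or funds more."""
    plan = []
    for r in sorted(risks, key=lambda x: -x.score):
        entry = {"risk": r.name, "current": r.score,
                 "band": rate(r.probability, r.impact),
                 "action": None, "residual": r.score}
        if r.score <= acceptable:
            entry["action"] = "accept (within appetite)"
        else:
            for control in r.controls:
                p, i = residual(r, control)
                if p * i <= acceptable:
                    entry["action"], entry["residual"] = control[0], p * i
                    break
            if entry["action"] is None:
                entry["action"] = "ESCALATE: no listed control reaches acceptable level"
        plan.append(entry)
    return plan


# Constructed sample register (names, ratings and controls are illustrative).
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing web server", 4, 5,
         [("monthly patch cycle", 2, 0), ("WAF in front of server", 1, 2)]),
    Risk("Lost unencrypted laptop", 3, 4, [("full-disk encryption", 0, 3)]),
    Risk("Privileged account shared by admins", 3, 3,
         [("individual accounts + MFA", 1, 1)]),
    Risk("Office printer firmware outdated", 2, 1, []),
]
ACCEPTABLE = 6  # assumed appetite: any score above 6 needs treatment

if __name__ == "__main__":
    for e in treatment_plan(SAMPLE_RISKS, ACCEPTABLE):
        print(f"{e['band']:8} {e['current']:>2} -> {e['residual']:>2}  "
              f"{e['risk']}: {e['action']}")
```

The web-server entry is the instructive one: each listed control on its own lowers the score but neither reaches the accepted level, so the plan escalates it rather than silently reporting it as treated. That gap between current and accepted risk is exactly what the slide calls a mismatch.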
Types Of Security Assessments-Part 2

• Threat assessment:
– The driver for the assessment is to determine how many resources—if any—should be spent on addressing the issue in question.

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2435
Types Of Security Assessments-Part 2

• Threat assessment:
– A threat assessment is best used in situations where someone has made a claim around performing an attack in the future, or such a potential is uncovered somehow.
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2436
Types Of Security Assessments-Part 2

• Threat assessment:
– Let’s look at red team exercises and bug bounty programs in the next module

END

2437
Types Of Security Assessments-Part 3

Module 274
• Vulnerability assessment
• Penetration test
• Audits
• Whitebox/greybox/blackbox assessments
• Risk assessment
• Threat assessment
• Bug bounty
• Red team
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2438
Types Of Security Assessments-Part 3

• Bug bounty:
– A Bug Bounty is a type of technical security assessment that leverages crowdsourcing to find vulnerabilities in a system. The central concept is simple: security testers, regardless of quality, have their…
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2439
Types Of Security Assessments-Part 3

• Bug bounty:
– …own set of strengths, weaknesses, experiences, biases, & preferences, & these combine to yield different findings for the same system when tested by different people.
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2440
Types Of Security Assessments-Part 3

• Bug bounty:
– Best used when you have done multiple Vulnerability Assessments already and have already found the easy stuff. Bug Bounties excel at finding issues not found using other methods.
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2441
Types Of Security Assessments-Part 3

• Red team assessment:
– “Red team” is: an independent group that challenges an organization to improve its (security) effectiveness
– Services should be continuous rather than point-in-time
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2442
Types Of Security Assessments-Part 3

• Red team assessment:
– Best used when an org has covered the basics of strong vulnerability management and has at least some capability to detect and respond to malicious or suspicious behavior in the environment
2443
Types Of Security Assessments-Part 3

• Note: the term red team is taken from military maneuvers, where a red team simulates attacks and a blue team takes evasive measures against those attacks

2444
Types Of Security Assessments-Part 3

• In the next module let’s take a brief summary of all the various assessment types…

END
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2445
Types Of Security Assessments-Part 4

Module 275
• Let’s take a look at a brief summary of all the assessment types…

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2446
Types Of Security Assessments-Part 4

TYPE | SUMMARY | OUTPUT
VA | Designed to find as many vulnerabilities as possible for the purpose of prioritizing remediation efforts | The output is a list of prioritized issues.
PT | Designed to determine whether an attacker can achieve specific goals when facing your current security posture, such as stealing sensitive data or other activities that would harm the org | Report stating whether the goals were achieved or not
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2447
Types Of Security Assessments-Part 4

TYPE | SUMMARY | OUTPUT
Audit | Designed to determine how a given organization measures against a given standard. Audits, as a rule, do not test security directly, but rather test compliance with a standard. | List of areas that must be fixed in order to achieve compliance

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2448
Types Of Security Assessments-Part 4

TYPE | SUMMARY
White Box, Grey Box, Black Box Assessments | Measure of how much information is being provided to a security testing organization during an assessment. These can be internal, external, application-based, network-based, with or without exploitation, etc.

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2449
Types Of Security Assessments-Part 4

TYPE | SUMMARY | OUTPUT
Risk Assessment | Determining the most important risks facing a given organization for the purposes of ensuring that they are brought within acceptable levels for the business. | List of prioritized risks followed by recommendations.

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2450
Types Of Security Assessments-Part 4

TYPE | SUMMARY | OUTPUT
Threat Assessment | Determining whether a given threat is worth spending limited resources on. | Recommendation of what—if any—amount of effort should be dedicated to the issue

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2451
Types Of Security Assessments-Part 4

TYPE | SUMMARY
Bug Bounties | Crowdsourcing for the discovery of vulnerabilities in a system. Utilizes a large collection of independent researchers who all bring their own perspectives to the testing

https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ

2452
Types Of Security Assessments-Part 4

TYPE | SUMMARY
Red Team Assessment | Continuously and effectively emulate an organization’s real-world attackers for the purpose of improving its defensive capabilities. Red Teams operate continuously, with near-full-scope and very limited restrictions, and constantly evolve their approaches to match and/or exceed the capabilities of the organization’s actual attackers.
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2453
Types Of Security Assessments-Part 4

• Vulnerability assessment
• Penetration test
• Audits
• Whitebox/greybox/blackbox assessments
• Risk assessment
• Threat assessment
• Bug bounty
• Red team

END
https://danielmiessler.com/study/security-assessment-types/#gs.NdADAuQ
2454
STAGES OF 3RD PARTY PENETRATION TEST

Module 276
1. SYSTEM PORT SCANNING
2. IDENTIFICATION OF SYSTEM SERVICES
3. IDENTIFICATION & VERIFICATION OF SYSTEM VULNERABILITIES
4. PENETRATION TESTING (SYSTEM EXPLOITATION)

2455
STAGES OF 3RD PARTY PENETRATION TEST

1. SYSTEM PORT SCANNING
- Port scanning is one of the most important phases of a vulnerability assessment exercise prior to a penetration test.
- This will be the first tool used by an attacker once he has identified the IP address to be targeted.

2456
STAGES OF 3RD PARTY PENETRATION TEST

1. SYSTEM PORT SCANNING…
- The key part here is to use multiple port-scanning tools in order to ensure the fewest false positives and the maximum information that can be gathered.

2457
STAGES OF 3RD PARTY PENETRATION TEST

2. IDENTIFICATION OF SYSTEM SERVICES
- Once the open ports have been enumerated, it is important to determine the services that are keeping those ports open.
- This is typically done by analyzing the banners thrown back when a default connection is made to the open port.
2458
STAGES OF 3RD PARTY PENETRATION TEST

2. IDENTIFICATION OF SYSTEM SERVICES…
- The latest nmap version allows this to be done using the -sV switch.

2459
STAGES OF 3RD PARTY PENETRATION TEST

3. IDENTIFICATION & VERIFICATION OF SYSTEM VULNERABILITIES
- During vulnerability identification, an assessor will perform several activities to detect exploitable weak points.

2460
STAGES OF 3RD PARTY PENETRATION TEST

3. IDENTIFICATION & VERIFICATION OF SYSTEM VULNERABILITIES
These activities include:
- Identify vulnerable services using service banners.
- Perform vulnerability scan to search for known vulnerabilities. Information regarding known vulnerabilities…
2461
STAGES OF 3RD PARTY PENETRATION TEST

3. IDENTIFICATION & VERIFICATION OF SYSTEM VULNERABILITIES
• …Information regarding known vulnerabilities can be obtained from the vendors’ security announcements, or from public databases such as SecurityFocus, CVE or CERT advisories.

2462
STAGES OF 3RD PARTY PENETRATION TEST

3. IDENTIFICATION & VERIFICATION OF SYSTEM VULNERABILITIES
- Perform false positive and false negative verification (e.g. by correlating vulnerabilities with each other and with previously acquired information).

2463
STAGES OF 3RD PARTY PENETRATION TEST

3. IDENTIFICATION & VERIFICATION OF SYSTEM VULNERABILITIES
- Enumerate discovered vulnerabilities.
- Estimate probable impact (classify vulnerabilities found).
- Identify attack paths and scenarios for exploitation.

2464
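Stages 1 to 3 above, seen from the side of the team that has to act on the tester's report: correlate the output of more than one scanner to weed out false positives, identify services from their version banners, and classify confirmed services against an advisory list by severity. This is an added example and not from the handouts or any scanner's own code. SCAN_A is constructed in the style of nmap's greppable (-oG) output with -sV version detection and SCAN_B is a constructed CSV from a hypothetical second scanner; the hosts, banners and the ADV-EXAMPLE-n advisory identifiers with their affected-version ceilings are all invented placeholders, not real advisories.

```python
"""Correlate two scans, identify services by banner, classify against an
advisory list. Added example, not from the CS205 handouts; all sample data
and advisory ids are constructed placeholders."""
from __future__ import annotations
import csv
import io
import re

# Constructed, in the style of `nmap -sV -oG -` (not real scan output).
SCAN_A = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/, 8080/open/tcp//http-proxy///
Host: 10.0.0.6 ()\tPorts: 443/open/tcp//https//nginx 1.14.0/, 3306/filtered/tcp//mysql///
"""
# Constructed export of a hypothetical second scanner.
SCAN_B = """\
host,port,service,version
10.0.0.5,22,ssh,OpenSSH 7.4
10.0.0.5,80,http,Apache httpd 2.4.6
10.0.0.6,443,https,nginx 1.14.0
10.0.0.6,3306,mysql,
"""
# Placeholder advisories: versions at or below max_affected count as affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "OpenSSH", "max_affected": (7, 4), "severity": "High"},
    {"id": "ADV-EXAMPLE-2", "product": "Apache httpd", "max_affected": (2, 4, 10), "severity": "Medium"},
    {"id": "ADV-EXAMPLE-3", "product": "nginx", "max_affected": (1, 13, 9), "severity": "Low"},
]
SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
VERSION_RE = re.compile(r"^(?P<product>.+?)\s+v?(?P<ver>\d+(?:\.\d+)*)")


def parse_version(banner: str) -> tuple[str, tuple[int, ...]] | None:
    """'Apache httpd 2.4.6' -> ('Apache httpd', (2, 4, 6)); None if no version."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        return None
    return m.group("product"), tuple(int(x) for x in m.group("ver").split("."))


def parse_nmap_grepable(text: str) -> dict[tuple[str, int], dict]:
    """Keep only ports in state 'open' from -oG style lines; each entry is
    port/state/protocol/owner/service/rpcinfo/version/. Filtered ports are not
    evidence that a service is listening."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        for entry in line.split("Ports:", 1)[1].split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, _proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                found[(host, int(port))] = {"service": service, "version": version}
    return found


def parse_csv_scan(text: str) -> dict[tuple[str, int], dict]:
    """Read the second scanner's CSV export (host,port,service,version)."""
    return {(r["host"], int(r["port"])): {"service": r["service"], "version": r["version"]}
            for r in csv.DictReader(io.StringIO(text))}


def correlate(*scans: dict) -> dict[tuple[str, int], dict]:
    """Merge scans; a port is confirmed only when every scan reported it open."""
    merged = {}
    for idx, scan in enumerate(scans):
        for key, info in scan.items():
            m = merged.setdefault(key, {"service": "", "version": "", "seen_in": set()})
            m["seen_in"].add(idx)
            m["service"] = m["service"] or info["service"]
            m["version"] = m["version"] or info["version"]
    for m in merged.values():
        m["confirmed"] = len(m["seen_in"]) == len(scans)
    return merged


def match_advisories(merged: dict, advisories: list[dict]) -> list[dict]:
    """Stage 3: flag confirmed services whose banner version falls inside an
    advisory's affected range, ranked by severity; unconfirmed ports are
    listed last for manual verification rather than reported as findings."""
    findings = []
    for (host, port), m in merged.items():
        if not m["confirmed"]:
            findings.append({"host": host, "port": port, "status": "unconfirmed",
                             "severity": None, "note": "seen by only some scanners"})
            continue
        parsed = parse_version(m["version"])
        if parsed is None:
            continue
        product, ver = parsed
        for adv in advisories:
            if adv["product"] == product and ver <= adv["max_affected"]:
                findings.append({"host": host, "port": port, "status": "vulnerable",
                                 "advisory": adv["id"], "banner": m["version"],
                                 "severity": adv["severity"]})
    findings.sort(key=lambda f: (-SEVERITY_ORDER.get(f["severity"], 0), f["host"], f["port"]))
    return findings


if __name__ == "__main__":
    merged = correlate(parse_nmap_grepable(SCAN_A), parse_csv_scan(SCAN_B))
    for f in match_advisories(merged, ADVISORIES):
        print(f)
```

Two details carry the slides' point about false positives: a port the first scanner reports as filtered is not treated as open even though the second scanner lists it, and the proxy port seen by only one scanner is queued for manual verification instead of being matched against advisories. Version comparison is on integer tuples, so 2.4.6 sorts below 2.4.10 as it should.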
STAGES OF 3RD PARTY PENETRATION TEST

4. PENETRATION TESTING (SYSTEM EXPLOITATION)
- Following the approvals of individual attacks by the Customer, the assessor tries to gain unauthorized access by circumventing the security measures in place and tries to reach as wide a level of access as possible. This process will have the following steps:
2465
STAGES OF 3RD PARTY PENETRATION TEST

4. PENETRATION TESTING (SYSTEM EXPLOITATION)
- Find proof of concept code/tool
- Find proof of concept code available in your own repository or from publicly available sources to test for vulnerabilities. If the code is from your own trusted repository and…

2466
STAGES OF 3RD PARTY PENETRATION TEST

4. PENETRATION TESTING (SYSTEM EXPLOITATION)
…thoroughly tested, you can use it, otherwise test it in an isolated environment.
- Develop tools/scripts
- Under some circumstances it will be necessary (and cost effective) for assessors to create their own tools and scripts.
2467
STAGES OF 3RD PARTY PENETRATION TEST

4. PENETRATION TESTING (SYSTEM EXPLOITATION)
- …Test proof of concept code/tool in an isolated environment
- The proof of concept code/tool is used against the target to gain as many points of unauthorized access as possible.
- Document findings

END
2468
Security Transformation: Failure ?

Module 277
• Let us examine the reasons for proposing a security transformation in the first place:
– Information security almost one generation behind
– Arduous to catch up with Information Security posture unless there is a “transformation”
2469
Security Transformation: Failure ?

• Guaranteed failure:
1. Cosmetic commitment
2. Not willing to invest in resources
3. Deficient program structure
4. Lack of effective project management

2470
Security Transformation: Failure ?

1. Cosmetic Commitment:
– Lack of awareness & understanding
– Short-term vision
– Lack of priority
– Poorly managed organization

2471
Security Transformation: Failure ?

2. Not Willing To Invest In Resources:
– Deficient allocation of funds for Information Security Program
– Not willing to allocate time for IT to perform security tasks
– Loss-making organization
2472
Security Transformation: Failure ?

3. Deficient Program Structure:
– Ineffective Information Security Management Committee (ISMC)
– Not taking along other stakeholders
– Inexperienced IT or security leadership
– IT team not incentivized
2473
Security Transformation: Failure ?

4. Lack Of Effective Project Management:
– Any project will fail without effective project management
– Effective planning, execution, monitoring, and reporting
– Experience & domain knowledge
2474
Security Transformation: Failure ?

• Conclusion:
– The Information Security Transformation requires a tremendous amount of hard work
– Not possible without commitment, right strategy, correct structure, and effective execution

END
2475
Benefits Of The Security Transformation

Module 278
• Key Benefits:
– Prevention of attacks
– Prevention of fraud & pilferage
– A reliable & robust IT setup

2476
Benefits Of The Security Transformation

2477
Benefits Of The Security Transformation

2478
Benefits Of The Security Transformation

• Impact of attacks:
– Loss of market goodwill
– Loss of customer confidence
– Regulatory fines, legal consequences

2479
Benefits Of The Security Transformation

• Prevention Of Fraud & Pilferage:
– An effective Information Security Program makes it harder to conduct fraud, abuse, or misuse without getting detected
– Controls in business process
– Audits
2480
Benefits Of The Security Transformation

• A Reliable & Robust IT Setup:
– Business continuity & DR
– Redundancy
– Backups
– Capacity management
– Change management
– Incident management
2481
Benefits Of The Security Transformation

• Conclusion:
– An effective Information Security Program (achieved through an Information Security Transformation) is essential wherever an IT setup exists
– Not a luxury but an imperative

END
2482
Security Transformation Timeline

Module 279 • Recommended timeline


for security
transformation project

2483
Security Transformation Timeline

Month Months Months


1: 4-5 8-10
Planning Phase 2 Phase 4

Months Months Months


2-3 6-7 11-12
Phase 1 Phase 3 Phase 5

2484
Security Transformation Timeline

• Month 1: Planning
– Understand
organization &
security issues
– Develop ISMC
– Identify stakeholders
for InfoSec Steering
Committee
– Identify assets for
various phases
– Project kickoff and
awareness trainings2485
Security Transformation Timeline

• Months 2-3: Pilot (Phase


1)
– Perform hardening of
key IT assets in test
environment (Pilot)
– Validate the
hardening in the test
environment
– Prime IT & InfoSec
teams for their roles
– Vulnerability
management pilot
2486
Security Transformation Timeline

Month Months Months


1: 4-5 8-10
Planning Phase 2 Phase 4

Months Months Months


2-3 6-7 11-12
Phase 1 Phase 3 Phase 5

2487
Security Transformation Timeline

• Months 4-5 (Phase 2):
– Hardening of IT assets (minimum security baseline) identified for phase 2
– Validation of hardening and moving the hardened IT assets to PROD environment through change management process
2488
Security Transformation Timeline

• Months 6-7 (Phase 3):
– Hardening of IT assets (minimum security baseline) identified for phase 3
– Validation of hardening and moving the hardened IT assets to PROD environment through change management process
2489
Security Transformation Timeline

• Months 8-10 (Phase 4):
– Technical teams continue the IT assets hardening in phase 4
– Raise vulnerability management program frequency to monthly
– Focus on governance (policies, SOPs, etc.)

2490
Security Transformation Timeline

• Months 11-12 (Phase 5):
– ISO27001:2013 stage 1 and stage 2 certification
– Stage 1 mostly documentation review
– Stage 2 mostly implementation review

END
2491
Security Transformation Responsibility

Module 280
• Responsibility for the security transformation is a balance between management & security team
• IT team led by the CIO plays an instrumental role in the success of the program

2492
Security Transformation Responsibility

• Management role:
– Commitment
– Sets the tone at the top
– Allocates resources
– Assigns responsibility & roles
– Conducts periodic performance review

2493
Security Transformation Responsibility

• Information Security Team:
– Builds an effective strategy & structure for the program
– Identifies key players to enroll in ISMC
– Ensures effective execution & project management
– Conducts transparent reporting
2494
Security Transformation Responsibility

• IT Team:
– Mobilizes the resources for implementation of the security program
– Ensures quality and process during the security transformation program
– Resolves roadblocks in implementation
2495
Security Transformation Responsibility

• Conclusion:
– An effective Information Security Transformation can only be orchestrated through effective team work
– All parts of the organization have to play their due role to make the program a success
END
2496
Actions To Raise Management Support

Module 281
• What can you do if your organizational management is not supporting the Information Security Transformation Program?

2497
Actions To Raise Management Support

a. Understand the organizational business requirements and potential impact
b. Understand regulations & sector best-practices
c. Evaluate the security posture
d. Assess the extent of work and resources required
e. Present your report
2498
Actions To Raise Management Support

a. Understand the organizational business requirements & potential impact:
– Type of business/industry
– Business requirements
– Confidentiality, integrity, availability
– What can go wrong and what is the impact?
2499
Actions To Raise Management Support

b. Understand regulations and sector best-practices:
– Financial industry (SBP)
– Telecoms & IT industry (PTA/MOITT)
– Oil & Gas (OGRA)
– Look at standards & best-practices (quality & security)
2500
Actions To Raise Management Support

c. Evaluate the security posture:
– Evaluate security posture against each of the four layers of the Transformation Model
– Any recent incidents?
– Org culture?
– Quality and improvement emphasis?
2501
Actions To Raise Management Support

d. Assess the extent of work and resources required:
– Size of organization and size of IT?
– Extent of IT assets?
– Internal software development?
– Evaluate team size required for InfoSec and the consultant option
2502
Actions To Raise Management Support

e. Present your report:
– Take key stakeholders on board
– Reach out to stakeholders before the presentation
– The better researched and prepared you are, the better your chances to convince
2503
Actions To Raise Management Support

Conclusion:
• Many of the problems associated with a weak security posture are actually due to poor awareness
• Put yourself in the shoes of your audience and explain the need for a security program from their perspective
• Keep it high level
END
2504
Key Questions To Assess Security Posture

Module 282
• What are the key questions that can be used to assess the security posture of the organization?

2505
Key Questions To Assess Security Posture

SN  QUESTION                                                                          PTS
1   DESIGNATED HEAD OF INFORMATION SECURITY ?                                          30
2   INFORMATION SECURITY POLICY (AVAILABLE ON PORTAL) ?                                20
3   INTERNAL VULNERABILITY MANAGEMENT PROGRAM (INTERNAL TOOL WITH MIN QTR SCANS) ?     50
4   EXTERNAL PENETRATION TEST CONDUCTED MIN ONCE PER YEAR ?                            50
5   IT ASSETS HARDENED WITH CIS/DISA OR OTHER INDUSTRY BEST-PRACTICE ?                 100
2506
Key Questions To Assess Security Posture

SN  QUESTION                                                                                    PTS
6   ESTABLISHED INTERNAL PROCESSES FOR CHANGE MANAGEMENT, INCIDENT MANAGEMENT, CAPACITY PLANNING ?   25
7   IS INFOSEC TEAM SIZE MIN 15% OF IT TEAM ?                                                    25
8   DO YOU HAVE OPERATIONAL DR SITE ?                                                            50
9   ALL SYSTEMS HAVE LICENSED OS ?                                                               50
10  IS ACTIVE DIRECTORY AND LICENSED AV RUNNING ON ALL WORKSTATIONS ?                            50

2507
Key Questions To Assess Security Posture

SN  QUESTION                                                            PTS
11  DOES NETWORK PERFORM FILTERING FOR WEB, AND ANTI-SPAM AT EDGE ?      20
12  FILTER TRAFFIC AT DATA CENTER SWITCH BASED ON ACCESS LIST ?          20
13  EDGE FIREWALL AND DMZ PRESENT ?                                      20
14  REGULAR BACKUPS OFFSITE AND PERFORM DR DRILL ON 2X YEAR BASIS ?      20
15  DOES MANAGEMENT REVIEW INFOSEC ON A QUARTERLY BASIS ?                20
    TOTAL                                                                500

2508
Key Questions To Assess Security Posture

SCORE RANGE       POSTURE        RECOMMENDED ACTIONS
LESS THAN 20%     SEVERE RISK    INFORMATION SECURITY TRANSFORMATION PROGRAM
20% TO 35%        HIGH RISK      INFORMATION SECURITY TRANSFORMATION PROGRAM
35% TO 50%        MEDIUM RISK    INFORMATION SECURITY TRANSFORMATION PROGRAM
2509
Key Questions To Assess Security Posture

SCORE RANGE       POSTURE                          RECOMMENDED ACTIONS
50% TO 70%        FURTHER IMPROVEMENTS REQUIRED    THIRD-PARTY SECURITY REVIEW
70% TO 85%        SATISFACTORY                     THIRD-PARTY SECURITY REVIEW
HIGHER THAN 85%   VERY GOOD !                      GO FOR ISO27001:2013 CERTIFICATION !

2510
Key Questions To Assess Security Posture

• By evaluating the security posture and comparing it with a few other organizations (through a limited survey), the security posture can be portrayed in a quantitative manner
• The questions can be refined and customized for your organization
END
2511
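The scoring in the three question tables and the posture bands above, as an added Python example (not code from the course handouts): it encodes the 15 questions with their point weights, sums the points of every "yes" answer, converts the result to a percentage and maps it to the posture band and recommended action. Two caveats a practitioner should notice: the printed weights add up to 550 even though the TOTAL row reads 500, so the example uses the computed sum as the denominator; and the slides do not say how exact boundaries (20%, 35%, 50%, 70%, 85%) are classified, so treating each band's lower bound as inclusive is an assumption. The answer set under `__main__` is constructed.

```python
"""Self-assessment scorer for the 15-question security posture checklist.

Added example, not part of the course handouts. Question weights and posture
bands are copied from the slides; boundary handling and the sample answers
are assumptions/constructed data.
"""
from typing import Dict, List, Tuple

# Question number -> (short label, points). Labels abbreviated from the slides.
QUESTIONS: Dict[int, Tuple[str, int]] = {
    1: ("Designated head of information security", 30),
    2: ("Information security policy available on portal", 20),
    3: ("Internal vulnerability management program, min quarterly scans", 50),
    4: ("External penetration test at least once per year", 50),
    5: ("IT assets hardened with CIS/DISA or other industry best-practice", 100),
    6: ("Change management, incident management, capacity planning processes", 25),
    7: ("InfoSec team size at least 15% of IT team", 25),
    8: ("Operational DR site", 50),
    9: ("All systems have licensed OS", 50),
    10: ("Active Directory and licensed AV on all workstations", 50),
    11: ("Web filtering and anti-spam at the edge", 20),
    12: ("Access-list filtering at data center switch", 20),
    13: ("Edge firewall and DMZ present", 20),
    14: ("Offsite backups and DR drill twice a year", 20),
    15: ("Management reviews InfoSec quarterly", 20),
}

# Computed from the weights above (550); the slide's TOTAL row prints 500.
TOTAL_POINTS = sum(points for _, points in QUESTIONS.values())

# (lower bound in %, posture, recommended action), ascending order.
# Assumption: lower bound inclusive, so exactly 20% is HIGH RISK and
# exactly 85% is VERY GOOD.
BANDS: List[Tuple[float, str, str]] = [
    (0.0, "SEVERE RISK", "Information Security Transformation Program"),
    (20.0, "HIGH RISK", "Information Security Transformation Program"),
    (35.0, "MEDIUM RISK", "Information Security Transformation Program"),
    (50.0, "FURTHER IMPROVEMENTS REQUIRED", "Third-party security review"),
    (70.0, "SATISFACTORY", "Third-party security review"),
    (85.0, "VERY GOOD", "Go for ISO27001:2013 certification"),
]


def score(answers: Dict[int, bool]) -> int:
    """Sum the weights of every question answered True; missing = no."""
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise ValueError(f"unknown question numbers: {sorted(unknown)}")
    return sum(QUESTIONS[q][1] for q, yes in answers.items() if yes)


def percentage(points: int) -> float:
    """Score as a percentage of the computed maximum."""
    return 100.0 * points / TOTAL_POINTS


def posture(pct: float) -> Tuple[str, str]:
    """Map a percentage to (posture, recommended action)."""
    if not 0.0 <= pct <= 100.0:
        raise ValueError("percentage must be between 0 and 100")
    result = BANDS[0][1:]
    for lower, label, action in BANDS:  # ascending, so the last match wins
        if pct >= lower:
            result = (label, action)
    return result


def assess(answers: Dict[int, bool]) -> Dict[str, object]:
    """Full assessment: points, percentage, posture band and action."""
    pts = score(answers)
    pct = percentage(pts)
    label, action = posture(pct)
    return {"points": pts, "percent": round(pct, 1),
            "posture": label, "action": action}


if __name__ == "__main__":
    # Constructed sample: policy published, VM program, yearly pentest,
    # DR site, AD + AV on workstations, edge firewall with DMZ.
    sample = {2: True, 3: True, 4: True, 8: True, 10: True, 13: True}
    print(assess(sample))  # 240 points, 43.6%, MEDIUM RISK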
Key Leadership Qualities Of InfoSec Head

Module 283
• Let's examine the key leadership qualities of the Information Security Head or the key resource driving the Security Transformation Program

2512
Key Leadership Qualities Of InfoSec Head

• Authenticity
• Candidness
• Fairness & fair play
• Team environment
• Recognizing talent and hard work
• Celebrating success !

2513
Key Leadership Qualities Of InfoSec Head

• Authenticity:
– IT is complex
– No one person "knows it all"
– Communicate that each individual has limitations
– Admit mistakes and failures
– Give credit where it is due
2514
Key Leadership Qualities Of InfoSec Head

• Candidness:
– Call a spade a spade
– Honesty and straight talk
– Hear feedback and give respect to the views of everyone

2515
Key Leadership Qualities Of InfoSec Head

• Fairness & Fair Play:
– Promote performance and merit
– Adjust players in the right positions based on their strengths
– Coach and guide the team to perform and achieve results

2516
Key Leadership Qualities Of InfoSec Head

• Team Environment:
– Discourage solo flight and promote team consensus, team reviews, and team achievements
– Single out and coach individuals playing turf tactics

2517
Key Leadership Qualities Of InfoSec Head

• Recognize Talent & Hard Work:
– Identify self-promotion versus talent combined with hard work
– Encourage hard workers who are team players

2518
Key Leadership Qualities Of InfoSec Head

• Celebrate Success !
– Hold team celebrations
– Recognize quiet workers and background workers as well
– Promote team achievements
END

2519
COURSE WRAP UP

Module 284
• CONGRATULATIONS ON REACHING THE END OF THE COURSE !

2520
COURSE WRAP UP

CHAPTER 1: INTRO TO INFORMATION SECURITY
• Some basic terms and introduction to concepts
• Status of Information Security in Pakistan

2521
COURSE WRAP UP

CHAPTER 2: TYPICAL ENTERPRISE IT ARCHITECTURE AND SECURITY OVERLAY
• What does an enterprise IT topology look like?
• Security tools overlay
• Structure of IT teams and security roles in an enterprise

2522
COURSE WRAP UP

CHAPTER 3: SECURITY TRANSFORMATION STAGE 1: SECURITY HARDENING
• Description of security hardening
• Security hardening case studies for a variety of IT assets through CIS benchmarks and DISA STIGs

2523
COURSE WRAP UP

CHAPTER 4: SECURITY TRANSFORMATION STAGE 2: VULNERABILITY MANAGEMENT
• VM description and introduction
• VM demos (Qualys) & other tools
• VM program best-practices

2524
COURSE WRAP UP

CHAPTER 5: SECURITY TRANSFORMATION STAGE 3: SECURITY ENGINEERING
• Description of Security Engineering
• CIS 20 Critical Controls

2525
COURSE WRAP UP

CHAPTER 6: SECURITY TRANSFORMATION STAGE 4: SECURITY GOVERNANCE
• Security governance introduction
• Different governance frameworks
• ISO27001:2013 (ISMS) appendix controls
• Cyber Security Maturity Matrix (CSMM)
2526
COURSE WRAP UP

CHAPTER 7: SECURITY TESTING & VALIDATION
• Security assessments and validation description
• Security accreditation
• Software security testing & validation
• Stages of a third-party penetration test

2527
COURSE WRAP UP

CHAPTER 8: SUCCESSFUL SECURITY TRANSFORMATION
• Security Transformation key success factors
• Security Transformation timeline
• Security Transformation benefits
2528
COURSE WRAP UP

BECOME A SECURITY TRANSFORMATION CHAMPION !

Nahil.mahmood@gmail.com

nahil@deltatechglobal.net

Nahil Mahmood

2529