The COBIT Framework

 

COBIT, which stands for Control Objectives for Information and Related Technology, is a framework for IT governance and management. It provides a set of best practices and guidelines for organizations to effectively manage and govern their IT processes. Here are the core tenets of COBIT:

1. Focus on business outcomes: COBIT is designed to help organizations achieve their business objectives by aligning their IT processes with their strategic goals.
2. Holistic approach: COBIT provides a comprehensive framework that covers all aspects of IT governance and management, including people, processes, and technology.
3. Process-based: COBIT is organized around a set of IT processes that are aligned with industry best practices, such as ITIL and ISO 20000.
4. Risk-driven: COBIT emphasizes the importance of risk management in IT governance and management, and provides guidance on how to identify, assess, and manage IT-related risks.
5. Metrics-oriented: COBIT provides a set of metrics and performance indicators that can be used to measure the effectiveness of IT processes and demonstrate their value to the business.
6. Continual improvement: COBIT is designed to be a living framework that evolves over time based on industry feedback and the latest trends in IT governance and management.

The latest version of COBIT is COBIT 2019, which was released in 2018. It is the successor to COBIT 5, and includes updates and improvements based on feedback from industry experts and practitioners. COBIT 2019 provides a more streamlined and flexible framework that is easier to implement and customize for specific organizational needs. It also incorporates new trends in IT governance and management, such as DevOps and agile methodologies.

 

Supreme Court Case 21-1333, Gonzalez v. Google on Section 230(c)(1)

 

Supreme Court Case 21-1333, Gonzalez v. Google on Section 230(c)(1)

 

47 U.S. Code § 230 - Protection for private blocking and screening of offensive material

Section 230 (c)Protection for “Good Samaritan” blocking and screening of offensive material

(1) Treatment of publisher or speaker

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

This is known as the 26 Words that Created the Internet.  Jeff Kosseff wrote a book about it called The Twenty-Six Words That Created the Internet which is a book that I recommend that provided context about the law and background for this test in front of The Court.  This section has historically allowed the freedom of information to be allowed to be on the Internet and has allowed platforms and carriers to be immune from legal action, both civil and criminal, for content posted by third parties.

On February 21, 2023, this was argued in front of the Supreme Court.  You can listen to the arguments and see the facts of the case on Oyez.   This question brought is:

Does Section 230(c)(1) of the Communications Decency Act immunize interactive computer services when they make targeted recommendations of information provided by another information content provider?

Google is the defendant and is accused of allegedly creating an algorithm that directs videos on YouTube to people that may not have been looking for them.  In this instance, the videos in contention are ISIS videos that are used for recruitment and radicalization, so which makes Google liable for aiding and abetting international terrorism by allowing ISIS to use the platform to spread its message.

Eric Schnapper, arguing for the Petitioners, states, ”So, if I may make clear, as I may not have done that well, the distinction we're drawing, our claim is not that they did an inadequate job of block -- of keeping things off their -- their computers that you can access from -- from outside or from failure to -- to block it. It's that that's the -- that's the heartland of the statute.  What we're saying is that insofar as they were encouraging people to go look at things, that's what's outside the protection of the statute, not that the stuff was there. If they stopped recommending things tomorrow and -- and all sorts of horrible stuff was on their website, as far as we read the statute, they're fine.”

This leaves us with the situation that since Google/YouTube used an algorithm to direct users to videos as suggestions to watch, should they still be afforded the ability to be protected under what is commonly referred to as “230”?

Listening to the rest of this was not compelling due to none of the councils or judges completely understanding the technology.  Kudos to Ketanji Brown Jackson for being the most computer savvy for understanding the concepts.  I predict the court will find for the defendant in this instance. There should have been more focus on that the use of the algorithm used by YouTube to push content to the users that are not looking for it makes them a content provider as a value add.  Eric Schnapper failed to communicate that position.

 

 

 

 

ISO/IEC 27001 Core Concepts of the Framework

 

ISO/IEC 27001 is a standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within an organization. The core concepts of ISO/IEC 27001 are:

1. Information security management system (ISMS): This is a framework of policies, procedures, and processes that an organization establishes to manage its information security risks.
2. Risk assessment: This is the process of identifying, analyzing, and evaluating risks to an organization's information security.
3. Risk treatment: This is the process of selecting and implementing controls to manage identified risks.
4. Controls: These are measures put in place to manage risks and ensure the confidentiality, integrity, and availability of information.
5. Information security objectives: These are the goals an organization sets for its ISMS, which are aligned with its overall business objectives.
6. Continual improvement: This is an ongoing process of monitoring, reviewing, and improving the effectiveness of an organization's ISMS.
7. Management commitment: This is the involvement and support of top management in the establishment, implementation, and maintenance of the ISMS.
8. Legal and regulatory requirements: Organizations must comply with applicable laws and regulations related to information security.
9. Information security incident management: This is the process of handling and responding to information security incidents, including reporting, investigating, and taking corrective action.

Overall, the core concepts of ISO/IEC 27001 are focused on establishing and maintaining a systematic approach to managing information security risks, while also ensuring compliance with legal and regulatory requirements and continually improving the effectiveness of the ISMS.

 

SWOT Analysis and Cyber Security Strategy

 

Should SWOT Analysis be part of threat modeling?

SWOT analysis and threat modeling are two distinct methodologies that serve different purposes, so whether SWOT analysis should be part of threat modeling depends on the specific objectives of the analysis.

SWOT analysis is a strategic planning tool that helps identify an organization's strengths, weaknesses, opportunities, and threats. It is typically used to assess the organization's overall position in the market, and to inform decisions related to strategy, resource allocation, and risk management.

Threat modeling is a process for identifying and assessing potential security threats to a system, application, or organization. It is a structured approach that involves identifying potential threats, evaluating their likelihood and impact, and identifying appropriate mitigation strategies.

While there may be some overlap between the two methodologies, the focus of SWOT analysis is broader and more strategic, while threat modeling is more focused on specific security risks. Therefore, it may not always be necessary or appropriate to include SWOT analysis as part of a threat modeling process.

SWOT analysis can provide useful context for threat modeling by helping to identify potential weaknesses in an organization's overall strategy or operations. For example, weaknesses identified in a SWOT analysis, such as a lack of resources or expertise, may inform the selection of specific threats to model and the development of appropriate mitigation strategies.

Let’s turn this around, should Threat Modeling be part of the SWOT Analysis?

Threat modeling can provide useful information for a SWOT analysis by identifying potential weaknesses in an organization's security posture. For example, threats identified through threat modeling, such as cyber-attacks or data breaches, could be considered in the "threats" section of a SWOT analysis.

SWOT analysis is not an essential part of threat modeling, it can provide useful context and inform the overall risk management strategy of an organization. Threat modeling is not an essential part of SWOT analysis, it can provide useful information that could be considered as part of the overall risk management strategy of an organization.  Leadership should not try to blend the two frameworks to create a shortcut to cybersecurity strategy.

Should SWOT Analysis be done for assessing a cybersecurity strategy?

SWOT analysis can be a useful tool for assessing a cybersecurity strategy. A SWOT analysis can help identify an organization's strengths, weaknesses, opportunities, and threats related to cybersecurity, and can inform decisions related to strategy, resource allocation, and risk management.

When conducting a SWOT analysis for assessing a cybersecurity strategy, some potential factors to consider include:

Strengths:

• Existing security policies and procedures that are effective.
• Experienced cybersecurity team with the necessary skills and expertise
• Strong technical infrastructure and tools
• Good track record of incident response and remediation

Weaknesses:

• Outdated software and systems that are vulnerable to cyber-attacks.
• Lack of security awareness and training among employees
• Insufficient security budget and resources
• Limited visibility into the security posture of third-party vendors

Opportunities:

• Introduction of new security technologies and solutions
• Partnership with industry experts to strengthen security posture.
• Implementation of security awareness and training programs
• Integration of security into the software development life cycle

Threats:

• Increasing frequency and complexity of cyber attacks
• Rapidly evolving threat landscape
• Insider threats from employees, contractors, or partners
• Regulatory non-compliance leading to financial and legal consequences.

By considering these factors and conducting a SWOT analysis, an organization can gain a better understanding of its current cybersecurity posture and identify areas for improvement. This can help inform the development of a more robust cybersecurity strategy and help ensure the organization is better prepared to prevent and respond to cyber threats.

 

What are the core concepts of the System and Organization Controls (SOC) for Service Organizations from AICPA?

The System and Organization Controls (SOC) for Service Organizations is a set of standards developed by the American Institute of Certified Public Accountants (AICPA) that helps service organizations to establish, maintain and report on their internal control environments. The SOC framework consists of three types of reports: SOC 1, SOC 2, and SOC 3. Here are the core concepts of each report:

1. SOC 1: The SOC 1 report focuses on the internal controls over financial reporting of a service organization that are relevant to the user entities' financial statements. The core concept is to ensure that the service organization has appropriate controls in place to process the financial transactions of its clients accurately and completely.

2. SOC 2: The SOC 2 report focuses on the controls that a service organization has in place to ensure the security, availability, processing integrity, confidentiality, and privacy of its clients' data. The core concept is to ensure that the service organization has appropriate controls in place to protect the confidentiality, integrity, and availability of its clients' data.

3. SOC 3: The SOC 3 report is a general-use report that provides a summary of the service organization's controls related to security, availability, processing integrity, confidentiality, and privacy. The core concept is to provide an easy-to-understand report that can be shared publicly to demonstrate the service organization's commitment to meeting its clients' security and privacy requirements.

In summary, the SOC framework provides a set of standards for service organizations to demonstrate their commitment to maintaining effective internal controls related to financial reporting and information security. By undergoing SOC audits, service organizations can provide their clients with assurance that they are managing risks appropriately and meeting their contractual obligations.

What are some commonly used cybersecurity frameworks?

 There are several commonly used cybersecurity frameworks that organizations use to manage and improve their cybersecurity posture. Here are a few examples:

1. NIST Cybersecurity Framework: Developed by the National Institute of Standards and Technology (NIST), this framework provides a risk-based approach to managing cybersecurity that is applicable to a wide range of organizations, including critical infrastructure sectors.

2. ISO/IEC 27001: This is an international standard that provides a systematic approach to managing and protecting sensitive information using a risk management process.

3. CIS Controls: Developed by the Center for Internet Security (CIS), this framework provides a prioritized set of cybersecurity actions to help organizations prevent and respond to cyber threats.

4. COBIT: This framework provides a comprehensive governance and management framework for information and technology, including cybersecurity.

5. ITIL: This framework provides a set of best practices for IT service management, including cybersecurity incident management.

6. SANS Critical Security Controls: Developed by the SANS Institute, this framework provides a prioritized set of security controls to help organizations improve their cybersecurity posture.

Each of these frameworks provides a structured approach to managing and improving an organization's cybersecurity program. Organizations may choose to adopt one or more of these frameworks depending on their specific needs and objectives.

How do security architects keep up to date with the latest security threats, trends, and best practices and continually assessing and enhancing the security posture of the organization?

 Security architects can keep up to date with the latest security threats, trends, and best practices by following a variety of methods, including:

1. Attending conferences and events: Security architects can attend industry conferences and events to network with other professionals and learn about the latest security trends and best practices. Some popular events include RSA Conference, Black Hat, and DEF CON.

2. Reading industry publications: Security architects can stay up to date on the latest security news and trends by regularly reading industry publications such as Dark Reading, Infosecurity Magazine, and Security Week.

3. Participating in industry groups: Joining industry groups such as ISACA, ISSA, and (ISC)² can provide opportunities for networking, sharing best practices, and staying up to date on the latest threats and trends.

4. Engaging with the security community: Security architects can engage with the security community on social media platforms like Twitter and LinkedIn, as well as security-focused forums and blogs to discuss and share information about the latest threats and trends.

5. Continuously assessing and enhancing the organization's security posture: To assess and enhance the organization's security posture, security architects can conduct regular security assessments, penetration testing, and vulnerability scans. They can also regularly review and update security policies and procedures, implement security awareness training for employees, and monitor security logs and alerts to identify and address potential security issues.

Overall, it is important for security architects to continuously educate themselves on the latest security threats, trends, and best practices to ensure they are well-equipped to protect their organization from security risks.

How can a security architect providing technical guidance and support to other members of the IT team and other stakeholders, such as business leaders and management?

 A security architect can provide technical guidance and support to other members of the IT team and other stakeholders, such as business leaders and management, by following these steps:

1. Establish clear communication: Establish clear and effective communication channels with other members of the IT team, business leaders, and management. This can include regular meetings, progress reports, and other communication methods.

2. Understand the business needs: Understand the business needs and objectives to align the security architecture with the organization's goals.

3. Develop a security roadmap: Develop a security roadmap that outlines the steps needed to achieve the organization's security objectives. This can include identifying security gaps, defining security requirements, and establishing a timeline for implementation.

4. Provide technical guidance: Provide technical guidance to the IT team on security best practices, design principles, and implementation strategies. This can include providing guidance on access controls, encryption, intrusion detection/prevention systems, and other security controls.

5. Support security testing: Support security testing activities such as vulnerability assessments, penetration testing, and other security testing methodologies. This can include providing guidance on testing tools and techniques and reviewing the results of the testing.

6. Advise on security incidents: Advise on security incidents and provide guidance on incident response and remediation. This can include developing incident response plans and coordinating incident response activities.

7. Train personnel: Train personnel on security best practices and procedures to ensure that they are aware of the security requirements and policies.

8. Stay up-to-date: Stay up-to-date with the latest security trends and best practices to ensure that the security architecture is up-to-date and aligned with the latest threats and vulnerabilities.

It is important for a security architect to work closely with other members of the IT team and business leaders to ensure that the security architecture is effective, efficient, and aligned with the organization's goals and objectives. Effective communication and collaboration are critical to the success of the security architecture and its integration into the organization's information systems and networks.

How can an organization ensure that security measures are integrated into new or existing information systems and networks throughout the entire development lifecycle?

An organization can ensure that security measures are integrated into new or existing information systems and networks throughout the entire development lifecycle by following these steps:

1. Establish security requirements: Establish security requirements at the beginning of the development process. This can include determining the level of security required, identifying potential threats and vulnerabilities, and establishing security policies and standards.

2. Integrate security into the design: Integrate security into the design phase of the development lifecycle. This can include designing security controls and measures such as access controls, encryption, and intrusion detection/prevention systems.

3. Implement secure coding practices: Implement secure coding practices to ensure that the code is written securely and is resistant to common attacks such as injection and cross-site scripting.

4. Conduct security testing: Conduct security testing throughout the development process to identify and address security issues as early as possible. This can include vulnerability assessments, penetration testing, and other security testing methodologies.

5. Ensure secure deployment: Ensure that the information system or network is deployed securely. This can include configuring security controls and measures, securing communications channels, and other security-related tasks.

6. Monitor and maintain security: Monitor and maintain security throughout the entire lifecycle of the information system or network. This can include performing regular security audits, applying security patches and updates, and responding to security incidents.

7. Train personnel: Train personnel on security best practices and procedures to ensure that they are aware of the security requirements and policies.

It is important to ensure that all relevant stakeholders are involved in the security integration process, including developers, IT staff, security personnel, and senior management. This can help to ensure that security is integrated into the information system or network throughout the entire development lifecycle and that the system or network is secure and resilient against potential threats and vulnerabilities.

How can an organization design and implement security controls and measures, such as firewalls, intrusion detection/prevention systems, access controls, encryption, and others?

An organization can design and implement security controls and measures, such as firewalls, intrusion detection/prevention systems, access controls, encryption, and others, by following these steps:

Determine the security requirements: Identify the organization's security requirements based on the risk assessment and vulnerability assessment. This will help to determine the appropriate security controls and measures.

Develop security policies and standards: Develop security policies and standards that provide guidelines for the selection, configuration, and management of security controls and measures.

Select security controls and measures: Select security controls and measures that align with the security requirements and policies. This can include firewalls, intrusion detection/prevention systems, access controls, encryption, and others.

Configure security controls and measures: Configure the security controls and measures to align with the security policies and standards. This can include setting firewall rules, defining access control lists, configuring intrusion detection/prevention systems, and other tasks.

Implement security controls and measures: Implement the security controls and measures in the organization's information systems and networks.

Test and validate security controls and measures: Test and validate the effectiveness of the security controls and measures to ensure they meet the organization's security requirements.

Monitor and manage security controls and measures: Monitor the security controls and measures to detect and respond to security incidents. This can include performing regular security audits and updating the security controls and measures as needed.

Review and update security policies and standards: Regularly review and update the security policies and standards to ensure they remain aligned with the organization's security requirements and the evolving threat landscape.

It is important to involve all relevant stakeholders, including IT staff, security personnel, and senior management, in the design and implementation of security controls and measures. This can help to ensure that the controls and measures are effective, efficient, and aligned with the organization's overall goals and objectives.

How can an organization develop and maintain information security policies and procedures to ensure compliance with relevant regulations and standards?

 

Developing and maintaining information security policies and procedures is a crucial aspect of any organization's security program. Here are some steps an organization can take to develop and maintain effective policies and procedures to ensure compliance with relevant regulations and standards:

1. Identify applicable regulations and standards: Organizations should identify the regulations and standards that apply to their industry or sector, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), or ISO 27001/27002. Understanding the requirements of these regulations and standards is a critical first step in developing an effective security policy.
2. Conduct a risk assessment: Organizations should conduct a risk assessment to identify the information assets that need protection, potential threats and vulnerabilities, and the likelihood and impact of security incidents. The results of the risk assessment can help inform the development of security policies and procedures.
3. Develop policies and procedures: Policies and procedures should be developed to address the specific risks and requirements of the organization. Policies should outline the organization's goals and objectives for information security, while procedures should detail the specific steps that employees and other stakeholders need to take to comply with the policies.
4. Communicate policies and procedures: Policies and procedures should be clearly communicated to all employees, contractors, and other stakeholders who have access to the organization's information assets. Employees should receive training on the policies and procedures to ensure that they understand their roles and responsibilities.
5. Monitor and review policies and procedures: Policies and procedures should be regularly reviewed and updated to ensure that they remain relevant and effective. Any changes to regulations or standards should be incorporated into the policies and procedures. Organizations should also monitor compliance with policies and procedures and take appropriate corrective actions if necessary.

Overall, developing and maintaining information security policies and procedures is an ongoing process that requires collaboration between different stakeholders in the organization, including IT, legal, human resources, and management. It's essential to have a comprehensive and well-defined security program in place to protect the organization's sensitive information from security threats.

What does an information security architect do?

 

 

An information security architect is a professional responsible for designing, building, and maintaining secure information systems and networks. The main goal of an information security architect is to ensure the confidentiality, integrity, and availability of information assets by implementing and maintaining a variety of security controls and practices.

Some of the specific tasks and responsibilities of an information security architect may include:

1. Developing and maintaining information security policies and procedures to ensure compliance with relevant regulations and standards.
2. Conducting risk assessments and vulnerability assessments to identify potential threats and vulnerabilities to information systems and networks.
3. Designing and implementing security controls and measures, such as firewalls, intrusion detection/prevention systems, access controls, encryption, and others.
4. Ensuring that security measures are integrated into new or existing information systems and networks throughout the entire development lifecycle.
5. Providing technical guidance and support to other members of the IT team and other stakeholders, such as business leaders and management.
6. Keeping up to date with the latest security threats, trends, and best practices and continually assessing and enhancing the security posture of the organization.

Overall, the primary focus of an information security architect is to protect the organization's sensitive and confidential information from unauthorized access, modification, or disclosure.

Defense in Depth Network Strategy Incorporating Zero Trust Architecture

 

Insider threats, hackers, and bots, Oh My!  When the Wizard wants to protect his confidential information, he used a curtain to conceal the system from the public.  This was quite easily revealed by a small group trying to gain access.  Network security architecture has been evolving since the days where it was a firewall between the LAN and the Internet.  The concept of defense in depth has been evolving into the segmentation of systems based on their function and classification of the data.  Developing models of separation evolved in conjunction of sophisticated standards and policies.  The focus of network security architecture will move to addressing perimeter security, internal zone segmentation security and extending the perimeter of the traditional network. The basics of what is in NIST SP:800-207[i] need to be understood as the baseline.

Zero Trust has seven fundamental concepts that are core tenets needed for implementation. 

• .       Data sources and computing services are considered resources. 
• .       All communication is secured regardless of network location. 
• .       Access to individual enterprise resources is granted on a per-session basis.
• .       Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
• .       The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
• .       All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
• .       The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

In addition, the network has an addition six assumptions for secure connectivity.

1.       The entire enterprise private network is not considered an implicit trust zone.

2.       Devices on the network may not be owned or configurable by the enterprise.

3.       No resource is inherently trusted.

4.       Not all enterprise resources are on enterprise-owned infrastructure.

5.       Remote enterprise subjects and assets cannot fully trust their local network connection.

6.       Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.

With those six core assumptions, there architecture is divided into two logical areas which are the control plane and data plane.  In the control plane of the network, there is the policy decision point which makes up the policy administration and the policy engine. The policy engine is where the policy is executed on what access is provided whereas the policy administrator is used for creating and destroying communication paths between system assets.  Between the control plane and data plane, there is the policy enforcement point, which is responsible for enabling, monitoring, and termination connections between assets. Other tenets that are applicable to both planes are:

• .       Continuous diagnostic and mitigation system
• .       Industry compliance system
• .       Threat Intelligence feeds
• .       Network and system activity logs
• .       Data access policies
• .       Enterprise public key infrastructure
• .       Identity and access management
• .       Security information and event management (SIEM) system

As these core principles are now established, the next focus is designing and defining perimeter security zones, internal security zones and extending out the perimeter.

 Anything that is outside of the enterprise control and ownership should be considered untrusted and hostile to the enterprise, which includes B2B partners, vendors, and the Internet.  The area that provides access to those areas is considered the perimeter zone, or commonly known as a DMZ.  The traditional DMZ structure is archaic and should be refined much more clearly.  First, there should be multiple perimeter security zones, and these should be connection dependent on the untrusted area. There used to be a simple DMZ that housed all external traffic that was ingress to the enterprise (B2B, Vendor, Internet) and traffic that was destined to external resources for data egress.  This architecture had significant risk which allowed pivot points for hostile attackers to utilize.  In the current environment, it is prudent to establish individual perimeter zones for B2B DMZ, Vendor DMZ, Inbound Internet DMZ and Outbound Internet Access DMZ.  Modern technological advances in gateway technology allow for the subdivision of networks to be used on the same device using a variety of mechanisms.  The use of a firewall as a gateway creates the needed policy enforcement point that controls access between assets between the zones.  It is within these zones that all traffic regardless of ingress or egress direction should be inspected, authenticated, and authorized before leaving the enterprise.  The importance of the perimeter zones is that they are untrusted, and this is where all data flows are vetted.  There should be no data-at-rest stored in this zone.  Any asset placed in this perimeter must be viewed as a system that can be sacrificed to prevent further incursion to interior networks.  Any of these assets should be viewed like sentry guards to a fortress, where once the alarm is sounded, the connections are shut off like the gates on a castle are locked down.  For traffic that is inbound, there should be the ability to have a landing spot, where encrypted traffic must be decrypted and inspected before being forwarded to the final destination.  There are several commercial network detection and response solutions that provide Digital Loss Prevention (DLP), Anti-Malware/Anti-Virus, Content Inspection, and Instruction Detection/Prevention that provide visibility to decrypt commonly used protocols such as SFTP and HTTPS.  By having allowed traffic pass through that gauntlet of inspection reduces the risk prior to sending it to a trusted zone.  For other not common protocols, the inspection point becomes the application server situated in the semi-trusted perimeter zone. It is paramount that all outbound data flows be inspected to prevent data leakage.  The use of a content filtering proxy also prevents users and systems from accessing sites that would not be authorized due to policies and standards. 

 The internal zone is what should be considered your most prized enterprise assets which consist of your data and intellectual property.  Most enterprises this is the area where the users and servers reside for the company’s daily operations.  With the zero-trust incorporating defense in depth concepts, the internal zone needs to be segmented into multiple secure zones.  There should be zones for securing databases, policy management systems, internal applications, and line of business systems.  Secure zones for lines of business should be established for Human Resources, Accounting, Marketing, Manufacturing, and Infrastructure Management. Policy Enforcement Points (PEP) should be established for all access to and from those zones that is based on authentication, authorization, and inspection.  Please note that there should be no access from an untrusted zone directly to a trusted zone and no access from a trusted zone.  Access to the secure zone should only initiate from another secure zone or a semi-trusted zone with the correct authentication and authorization. There should be no user systems in any of the secure internal zones. Systems within the secure zones should not be directly accesses from user systems but instead through a jump box or a middleware application.  All systems should have access controlled by policy and access control device such as a firewall gateway.   Systems should be monitored and have logs sent to a SIEM for threat analysis and system monitoring.  Compliance systems should be regularly run against systems than are in-scope for violations on regular intervals.

 There is one more internal zone that should be considered insecure yet semi-trusted due to the systems being owned and managed by the enterprise.  That is the User Zone.  There must be stringent controls on these systems that would have anti-malware and host-based firewall installed.  Users are considered an essential threat to the infrastructure no matter how much training is provided.  Even the best trained security aware employees fail to follow precautions 100% of the time.  The human factor is the weakest link in the environment.  Systems need to be locked down so no unauthorized software is installed and USB access disabled.  Authorized hardware, software and patching should be done from a centralized distribution point.  Users’ systems should not access the Internet directly but should utilize a content filtering system that limits access to only authorized sites.  For access to internal secure areas, users should access a jump box in the Trusted Internal Zone that provides that controlled access.  Corporate data should never be stored on a user system. 

The biggest challenge to the Zero Trust Architecture Framework is the remote workforce.  This has been exemplified by COVID-19.  The perimeter has been extended to the users outside the confines of the controlled environment to the User’s home.  Countless threats that the enterprise cannot control are being faced by the remote workforce.  Enterprises need to make sure the systems used to connect to the environment have a Virtual Private Network (VPN) connection established continually.  This VPN needs to be secured using higher IPsec Standards using certificate-based PKI Crypto standards. Systems should be automatic locked with a short timeout.  When connectivity is established, a system check should be performed.  Hard drives should also be encrypted. E-Mail should be stored on the server and local post office boxes should be disabled by policy. 

 In conclusion, there is a need to incorporate the defense in depth philosophy with the zero trust.  If this were a fortress, you would have a strong perimeter and each interior room would be locked with an access reader that requires you to badge in ever entrance and exit.  I have created the following graphic to visually display the flows of access.

---

[i] Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2019). Zero trust architecture (No. NIST Special Publication (SP) 800-207 (Draft)). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Appendix – References

 

Kindervag, J. (2010). Build security into your network's dna: The zero trust network architecture. Forrester Research Inc, 1-26 http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf

Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2019). Zero trust architecture (No. NIST Special Publication (SP) 800-207 (Draft)). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Gilman, E., & Barth, D. (2017). Zero Trust Networks. O'Reilly Media, Incorporated. https://www.usenix.org/sites/default/files/conference/protected-files/lisa16_slides_gilman.pdf

M. Campbell, "Beyond Zero Trust: Trust Is a Vulnerability," in Computer, vol. 53, no. 10, pp. 110-113, Oct. 2020, doi: 10.1109/MC.2020.3011081. Beyond Zero Trust: Trust Is a Vulnerability | IEEE Journals & Magazine | IEEE Xplore (tamu.edu)

McKay, Paul, “How to find the right zero-trust strategy: Large tech companies and the US Federal Government have adopted zero trust as their next-generation security model.” in Computer Weekly. 3/3/2020, p22-24. 3p. How to find the right zero-trust strategy: Large tech companies and the US ...: Discovery Service for Texas A&M University Libraries (ebscohost.com)

Saran, Cliff. “Zero Trust: Taking Back Control of IT Security” Computer Weekly. 2/18/2020, p15-18. 4p. ZERO TRUST: TAKING BACK CONTROL OF IT SECURITY.: Discovery Service for Texas A&M University Libraries (ebscohost.com)

Leong, Khoo Boo. “The importance of zero trust networks to data center network security”, NetworkWorld Asia. Sep/Oct2012, Vol. 9 Issue 3, p33-33. 1p. The importance of zero trust networks to data center network security.: Discovery Service for Texas A&M University Libraries (ebscohost.com)

Moscaritolo, Angela. “Eliminating Trust”, SC Magazine: For IT Security Professionals (15476693). Jun2011, Vol. 22 Issue 6, p24-26. 3p ELIMINATING TRUST.: Discovery Service for Texas A&M University Libraries (ebscohost.com)

Gordon, Scott. “A Matter of Trust”,  In Network Security. May 2019 2019(5):9-11 A matter of trust - ScienceDirect (tamu.edu)

Diogenes, Y., & Ozkaya, E. (2019). Cybersecurity-Attack and Defense Strategies. Packt Publishing.

Chuan, T., Lv, Y., Qi, Z., Xie, L., & Guo, W. (2020, October). An Implementation Method of Zero-trust Architecture. In Journal of Physics: Conference Series (Vol. 1651, No. 1, p. 012010). IOP Publishing. An Implementation Method of Zero-trust Architecture - IOPscience

 

Threat Modeling

 

Guidance on Threat Modeling

 

Introduction: Threat modeling is a structured approach to identify and prioritize potential security threats to a system, application, or network. It is a proactive measure that helps organizations assess the security of their systems and identify any potential vulnerabilities. By identifying these risks early, organizations can take proactive steps to mitigate them before an attacker takes advantage of them.

Asset Types: When performing a threat modeling exercise, it is important to first identify the assets that need to be protected. These assets can include but are not limited to: • Systems and networks • Applications and services • Data and information • Personnel and users • Infrastructure and facilities

Threat Modeling Basics: Threat modeling involves the following steps: • Identifying assets and their importance • Determining potential threats • Evaluating the likelihood of a threat occurring • Assessing the impact of a threat • Prioritizing threats based on likelihood and impact • Developing and implementing mitigations to mitigate the risk.

Attack Vector: An attack vector is a path or method that an attacker uses to access a system, application, or network. Examples of attack vectors include phishing, malware, and network-based attacks.

Attack Surface: The attack surface refers to the total sum of potential vulnerabilities that exist within a system, application, or network. This includes both the entry points for an attacker and the potential weak spots in the system.

Attack Tree: An attack tree is a graphical representation of the different ways an attacker can access a system, application, or network. It is used to model different scenarios and to prioritize mitigation efforts based on likelihood and impact.

Attack Life Cycle: The attack life cycle refers to the different stages of an attack, including reconnaissance, exploitation, and post-exploitation. Understanding the attack life cycle helps organizations develop mitigations that target specific stages of an attack.

Threat Modeling Tools: There are several tools that can be used to support threat modeling activities. Some of the most used tools include:

• STRIDE Methodology

• DREAD Methodology

• TRIKE Threat Modeling Tool

• Elevation of Privilege Threat Modeling Tool

• Delphi Technique

STRIDE Methodology: The STRIDE methodology is a threat modeling approach that helps identify and categorize potential threats. It is based on the acronym STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

DREAD Methodology: The DREAD methodology is a threat assessment approach that evaluates the likelihood and impact of potential threats. It is based on the acronym DREAD, which stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability.

TRIKE Threat Modeling Tool: TRIKE is a tool used to model and visualize potential threats to a system, application, or network. It provides a visual representation of the different attack scenarios and helps organizations prioritize their mitigation efforts.

Elevation of Privilege Threat Modeling Tool: The Elevation of Privilege Threat Modeling Tool is used to assess the potential for an attacker to gain higher levels of access to a system, application, or network. It helps organizations identify the potential for escalation of privileges and take steps to mitigate these risks.

Delphi Technique: The Delphi Technique is a group-based approach to threat modeling that involves brainstorming potential threats and prioritizing mitigation efforts. It helps organizations obtain consensus on potential.

Common Mistakes in Threat Modeling:

 

1. Ignoring assets and their importance: Not identifying the assets to be protected can result in a failure to identify potential threats and vulnerabilities.
2. Not considering the attack surface: Ignoring the attack surface can result in missing potential vulnerabilities and entry points for an attacker.
3. Failing to prioritize threats: Not prioritizing threats based on likelihood and impact can result in ineffective mitigation efforts.
4. Overlooking human factors: Ignoring the role that people play in the attack and defense of a system can result in missed opportunities to improve security.
5. Focusing too much on technical solutions: Relying solely on technical solutions to mitigate threats can result in an ineffective security strategy.

Correct Questions to Ask in Threat Modeling:

 

1. What are the assets to be protected?
2. What are the potential threats to these assets?
3. What is the likelihood of each threat occurring?
4. What is the potential impact of each threat?
5. What are the entry points for an attacker?
6. What are the weak spots in the system that an attacker could exploit?
7. What are the different attack scenarios?
8. What are the potential mitigations for each threat?
9. What is the effectiveness of each mitigation?
10. What is the prioritization of mitigation efforts based on likelihood and impact?
11. How will the mitigations be implemented and maintained over time?

 

What is Multilevel Threat Modeling?

 

Multilevel Threat Modeling is a process of conducting threat modeling at multiple levels of abstraction in an organization's systems, applications, or products. The purpose of multilevel threat modeling is to provide a comprehensive view of the security posture of an organization, considering the interdependencies and relationships between systems.

Multilevel threat modeling starts with high-level modeling, which focuses on identifying the overall threats and risks to the organization, followed by a more detailed analysis of individual systems, applications, or products. This process is repeated as necessary, with each level of detail adding more granularity to the overall threat model.

Multilevel threat modeling provides a more comprehensive view of an organization's security posture, helps to identify potential security gaps, and supports informed decision-making on security investments and mitigation strategies. Additionally, multilevel threat modeling can help to prioritize mitigation efforts, ensuring that resources are allocated to the areas of highest risk.

Threat and Mitigation Catalogs from NIST, ISO, and ENISA

 

NIST, ISO, and ENISA are three leading organizations in the field of cybersecurity and information security, and each has developed its own catalogs of threats and mitigations.

NIST Threat and Mitigation Catalogs: The National Institute of Standards and Technology (NIST) has published several catalogs of threats and mitigations, including the NIST Special Publication 800-53 (Rev. 4), which provides a comprehensive list of security controls for federal information systems and organizations. This publication includes a catalog of common threats, such as malware, unauthorized access, and denial of service attacks, and corresponding mitigations, such as network segmentation, firewalls, and intrusion detection systems.

ISO Threat and Mitigation Catalogs: The International Organization for Standardization (ISO) has developed a number of standards related to information security, including ISO/IEC 27001:2013, which provides a framework for information security management systems. This standard includes a catalog of common information security risks, such as unauthorized access, data theft, and data corruption, and corresponding mitigations, such as access control, data encryption, and disaster recovery planning.

ENISA Threat and Mitigation Catalogs: The European Union Agency for Cybersecurity (ENISA) has published several catalogs of threats and mitigations, including the ENISA Threat Landscape report, which provides an overview of the current and emerging cyber threats in Europe. This report includes a catalog of common threats, such as phishing, ransomware, and DDoS attacks, and corresponding mitigations, such as security awareness training, network security, and incident response planning.

In summary, these catalogs provide a comprehensive view of the current cybersecurity threat landscape and the recommended mitigations for mitigating those threats. They serve as valuable resources for organizations looking to improve their security posture and protect against potential attacks.

NIST SP 800-154

 

The National Institute of Standards and Technology (NIST) has published the Special Publication (SP) 800-154, which provides guidelines for conducting threat modeling. The NIST threat modeling approach is a structured method for identifying and prioritizing potential security threats to a system, application, or product, and for developing and implementing mitigations to mitigate those threats. The following steps outline the NIST threat modeling approach:

1. Initialize: Define the scope of the threat modeling effort, identify stakeholders, and gather relevant information about the system, application, or product being analyzed.
2. Identify Assets: Identify the assets to be protected, including data, functionality, and infrastructure components.
3. Identify Threats: Identify potential threats to the assets, including external threats (such as malicious actors) and internal threats (such as human error).
4. Prioritize Threats: Prioritize the identified threats based on their likelihood and potential impact.
5. Identify Mitigations: Identify potential mitigations for each threat, including technical solutions, policy changes, and process improvements.
6. Evaluate Mitigations: Evaluate the effectiveness of each mitigation, including its impact on system performance and its ability to mitigate the threat.
7. Implement Mitigations: Implement the most effective mitigations, considering any trade-offs between security and other system requirements.
8. Monitor and Review: Continuously monitor the security posture of the system, application, or product, and review the threat modeling process to identify areas for improvement.

The NIST threat modeling approach is a flexible and adaptable method that can be customized to meet the specific needs of an organization. By following the steps outlined in SP 800-154, organizations can develop a comprehensive view of their security posture and take proactive steps to mitigate potential threats.

What are common threat modeling Mitigations?

 

Threat modeling mitigations are measures taken to mitigate the potential impact of identified security threats. Common threat modeling mitigations include:

1. Access control: Restricting access to sensitive information and systems to only those who need it to perform their job functions.
2. Authentication and authorization: Ensuring that users are who they claim to be and that they have the appropriate level of access to resources.
3. Data encryption: Encrypting sensitive data to protect it from unauthorized access or theft.
4. Firewalls and network security: Implementing firewalls and other security measures to prevent unauthorized access to systems and data.
5. Intrusion detection and response: Detecting and responding to security incidents in a timely manner.
6. Security awareness training: Providing employees with training on security best practices and the importance of protecting sensitive information.
7. Incident response planning: Developing a plan to respond to security incidents in a coordinated and effective manner.
8. Regular software updates and patches: Keeping software up to date to address known security vulnerabilities.
9. Vulnerability assessment and penetration testing: Regularly testing systems to identify and address vulnerabilities.
10. Backup and disaster recovery: Having a plan in place to quickly recover from a disaster, such as a fire or cyberattack.

These are just a few examples of the types of mitigations that organizations can implement to mitigate security threats. The specific mitigations will depend on the results of the threat modeling process, including the prioritization of threats and the specific security requirements of the organization.