Chapter 10. Industry Trends
This chapter covers the following topics:
Perform Ongoing Research: Topics include best practices, new technologies, new security systems and services, and technology evolution.
Situational Awareness: Topics include the latest client-side attacks, knowledge of current vulnerabilities and threats, zero-day mitigating controls and remediation, and emergent threats and issues.
Research Security Implications of New Business Tools: Topics include social media/networking, end-user cloud storage, and integration within the business.
Global IA Industry/Community: Topics include the Computer Emergency Response Team (CERT), conventions/conferences, threat actors, and the emerging threat sources and threat intelligence.
Research Security Requirements for Contracts: Topics include requests for proposal (RFPs), requests for quote (RFQs), requests for information (RFIs), and agreements.
This chapter covers CAS-002 objective 3.1.
While ensuring enterprise security, security professionals often find it hard to keep up with the latest trends. Technology usually moves along at such a fast pace that even the best-trained professionals find that they need to seek education to understand the newest trends. At different points in the past 40 years or so, security professionals have emphasized different areas of security: from physical security when mainframes were in use to dial-up modem security when personal computers first launched. In more recent years, security professionals have had to learn the ins and outs of managing larger networks as well as wireless networks. Today, with cloud computing and BYOD, you can easily see why it is important to stay abreast—or preferably in front of—the latest industry trends to better protect your organization and its enterprise.
A security professional can very easily fall behind in this fast-paced world. Failing to keep up with trends will prove to be both detrimental to your organization and your career. This chapter covers performing ongoing research, ensuring situational awareness, researching security implications of new business tools, sharing with and learning from the global IA industry and community, and researching security requirements for contracts.
Foundation Topics
Perform Ongoing Research
As a security professional, sometimes just keeping up with your day-to-day workload can be exhausting. But performing ongoing research as part of your regular duties is more important in today’s world than ever before. You should work with your organization and direct supervisor to ensure that you either obtain formal security training on a regular basis or are given adequate time to maintain and increase your security knowledge. You should research the current best security practices, any new technologies that are coming, any new security systems and services that have launched, and how technology has evolved recently.
Best Practices
Every organization should have a set of best practices that are based on the industry in which it is engaged. It is the responsibility of security professionals to ensure that the organization takes into consideration IT security best practices. Security professionals should research all established best practices to determine which practices should be implemented for their organizations. Organizations including the Computer Security Resource Center (CSRC) of the National Institute of Standards and Technology (NIST), the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), and the Institute of Electrical and Electronics Engineers (IEEE) provide publications on standards and best practices that can be used to guide your organization in its security program development.
Any organization that can provide documentation of its security policies is better protected against any litigation that could be brought against the organization, particularly if those policies are developed based on the standards and best practices recommended by national and international bodies of authority. The standards and best practices can vary based on the organization you consult. Your organization can choose to follow the standards and best practices of a single body or can combine the standards and best practices of several bodies to customize the organization’s internal policies.
As part of designing its security program, an organization should consider developing an overall organizational security policy. In addition, the organization should ensure that the appropriate security professionals are retained and that these professionals obtain the appropriate training. The security professionals should then work to develop all of the user, network, computer, device, and data policies that are needed, particularly those discussed in Chapter 8, “Security, Privacy Policies, and Procedures.”
Best practices vary based on the devices and operating systems to be protected. For example, security practices for protecting Windows computers vary slightly from those for protecting Linux or Mac computers. Security practices for protecting switches and routers are vastly different from those for protecting servers.
No matter which devices you are protecting, there are certain procedures you should always keep in mind:
Disable or rename the default accounts, including any administrator or guest accounts.
Change the default passwords for any default accounts.
Regularly update the software or firmware for all devices with the latest patches and hot fixes.
Implement firewalls when necessary, both at the network and device levels.
Disable remote login ability unless absolutely necessary. If it is necessary, ensure that you have changed default settings, including accounts and passwords.
Implement encryption to protect data.
Configure auditing.
Review audit and security logs on a regular basis.
Disable all unnecessary services and protocols.
While all of these procedures are important, security professionals should ensure that they adopt new policies and procedures as technologies and attack methods change. Researching the latest security issues and threats will help to ensure that your organization is protected in a timely manner. When deploying new technologies, devices, operating systems, and applications, security professionals should research any best practices to ensure that their organization is protected.
New Technologies
In today’s world, it seems that new technologies, including devices, software, and applications, are being released at lightning speed. As technologies change, security professionals must ensure that the protections needed for these technologies are deployed to protect the organization and its assets.
Back when home networks involved the use of dial-up technologies, most users did not need to concern themselves with security issues. Many homes and small businesses today include wireless networks that introduce security issues that most users do not understand. Organizations also deploy wireless networks but usually employ the appropriate security professionals to ensure that these networks are protected. Without the appropriate controls, any user is able to access the wireless network and possibly breach the security of the entire network.
Recently, the popularity of mobile technologies, including flash drives, smartphones, and tablets, has introduced an entirely new level of security concerns. In most cases, senior management does not understand the issues that are introduced when these devices are allowed to access the organization’s network. It is the responsibility of the security professionals to ensure that the appropriate security and privacy controls are implemented to protect the organization.
These examples demonstrate why security professionals must always obtain training to protect their organizations. This is particularly true for security professionals who work for organizations that are usually early adopters of new technology. Early adopters should ensure that they have the appropriate agreements with the vendors of the new technologies so that the organization can be protected against new issues as soon as vendors discover them.
New Security Systems and Services
Just as security professionals must understand the security implications of any new technologies they deploy on their organizations’ networks, security professionals should also make sure they understand any new security systems and services that are released. Firewalls first emerged two decades ago as the first IT security systems. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) followed shortly thereafter. Today, unified threat management (UTM) combines a traditional firewall with content inspection and filtering, spam filtering, intrusion detection, and antivirus. Biometric systems have increased in popularity, and the security of routers, switches, and other network devices has evolved.
Today, security professionals only need to look at industry blogs, white papers, and knowledge bases to learn about the newest security systems and services. Recently, the biggest advances in security have occurred in the wireless network and mobile device areas. These two areas have introduced new security concerns that never needed to be considered in the past. Fortunately, learning about the security needs in these two areas is just a click away for security professionals. However, caution should be used when researching new security systems and services because not all information comes from reputable sources. Security professionals should always verify that the information, systems, and services they obtain are valid and do not pose a threat to their enterprise.
For many large enterprises, security systems and services are implemented and managed internally. However, some enterprises may choose to outsource to a managed security service provider. These providers may include a broad range of services, including monitoring security devices, providing penetration testing, providing analysis of network activity, and responding to any issues they discover, depending on the terms of the service-level agreement (SLA). Organizations must ensure that SLAs define all the services that the providers will be responsible for.
Finally, security professionals should keep in mind that any new security technologies or services that are implemented may also introduce new security vulnerabilities. Security professionals should continually assess new security technologies and services to identify any vulnerabilities that exist.
Technology Evolution
As technologies evolve, organizations need a means to communicate any major technological advancement that has occurred. The Internet Engineering Task Force (IETF) is an international body of Internet professionals. This body is responsible for creating requests for comments (RFCs) that describe research and innovations on the Internet and its systems. Most RFCs are submitted for peer review, and once approved, are published as Internet standards.
RFCs have been issued for a number of Internet protocols and systems. While many RFCs are now obsolete, there are still a great many that are in use today, including the following:
RFC 854 and 855, which cover Telnet
RFC 959, on File Transfer Protocol (FTP)
RFC 1034 and 1035, which discuss domain names and Domain Name System (DNS)
RFC 1157, on Simple Network Management Protocol (SNMP) v1
RFC 2131, on Dynamic Host Configuration Protocol (DHCP)
RFC 2251, 2252, and 2253, which cover Lightweight Directory Access Protocol (LDAP) v3
RFC 2460, on IPv6
RFC 2821, which discusses Simple Mail Transfer Protocol (SMTP)
RFC 2865 and 2866, on Remote Authentication Dial In User Service (RADIUS)
RFC 3315, on DHCPv6
While the IETF is primarily concerned with the Internet, the ISO/IEC (mentioned earlier in this chapter) provides industry standards in many areas. One of the primary standards of concerns to security professionals is ISO 17799, which was issued in 2005. It establishes guidelines and general principles for information security management in an organization. ISO 27000 is a family of information security management system (ISMS) standards.
Situational Awareness
Situational awareness is being aware of the environment in which a system operates at a certain point in time. It is important for security professionals to have situational awareness to ensure that they make solid security decisions, based on all the known factors. In IT security, situational awareness includes understanding the current status of a device, any threats to the device, any device weaknesses, and any factors that could negatively affect the device. It also involves understanding how the systems and devices are interconnected and their relationships with each other. Finally, situational awareness helps an organization determine when an attack is occurring or is about to occur.
Situational awareness involves understanding the latest client-side attacks, having knowledge of current vulnerabilities and threats, understanding zero-day mitigating controls and remediation, and understanding emergent threats and issues.
Latest Client-Side Attacks
To understand client-side attacks, security professionals must first understand server-side attacks. Servers provide services that clients can use, including DNS, DHCP, FTP, and so on. Clients make use of these services by connecting to the server through a port. By allowing connections, servers are vulnerable to attacks from hackers. Any attack directly against a server is considered a server-side attack.
A client-side attack targets vulnerabilities in the client’s applications that work with the server. A client-side attack can occur only if the client makes a successful connection with the server. Client-side attacks are becoming increasingly popular because attackers usually find it easier to attack a client computer and because of the proliferation of client computers. Administrators often ensure that the servers are well protected with the latest updates and security patches. However, the same care is not always taken with client computers, particularly those owned by individuals. Client-side attacks can involve web servers but can also involve client/server configurations using other technologies, including FTP, video streaming, and instant messaging.
To prevent client-side attacks, security professionals should ensure that the client computers are kept up-to-date with the latest updates and security patches for the operating system and all applications. A single update for an application can cause a vulnerability in a client computer that can be exploited. Also, security professionals should ensure that installed applications are limited and that firewalls have rules configured to watch for the use of nonstandard ports. An organization can implement network access control (NAC) policies to ensure that client computers attaching to the network have certain security minimums. Client computers that do not comply with these NAC policies are not allowed to connect. Finally, security awareness training for users should include instruction on how attacks occur and how to report suspected attacks.
Knowledge of Current Vulnerabilities and Threats
A vulnerability is an absence of a countermeasure or a weakness of one that is in place. Vulnerabilities can occur in software, hardware, or personnel. An example of a vulnerability is unrestricted access to a folder on a computer. Most organizations implement vulnerability assessments to identify vulnerabilities. A threat is the next logical progression in risk management. A threat occurs when a vulnerability is identified or exploited. An example of a threat is an attacker identifying the folder on the computer that has an inappropriate or absent access control list (ACL).
Because technology changes quickly, security professionals need to have knowledge of the technology used by their organization, the tools used by attackers, and any vulnerabilities within their enterprise that a potential attacker could exploit. To ensure that they have the knowledge they need, security professionals should obtain periodic intensive security training to bring their skills up-to-date.
Currently, some of the biggest threats to organizations are related to the use of mobile devices, wireless networks, and social engineering attacks. Mobile devices, bring your own device (BYOD) policies, and wireless networks are increasingly popular with many organizations. Security professionals should familiarize themselves with the vulnerabilities and threats of these technologies and ensure that the enterprise is protected. Social engineering attacks are constantly becoming more complex and convincing, and security awareness training should include examples of the latest techniques.
To identify current vulnerabilities, an organization should perform a vulnerability assessment. A vulnerability assessment helps to identify the areas of weakness in a network. Vulnerability assessments usually fall into one of three categories:
Personnel testing: Reviews standard practices and procedures that users follow
Physical testing: Reviews facility and perimeter protections
System and network testing: Reviews systems, devices, and network topology
A security analyst who will be performing a vulnerability assessment must understand the systems and devices that are on the network and the jobs they perform. Having this information ensures that the analyst can assess the vulnerabilities of the systems and devices based on the known and potential threats to the systems and devices.
Vulnerability Management Systems
The importance of performing vulnerability and penetration testing is emphasized throughout this book. A vulnerability management system is software that centralizes and to a certain extent automates the process of continually monitoring and testing the network for vulnerabilities. These systems can scan the network for vulnerabilities, report them, and in many cases remediate the problem without human intervention. Although they’re a valuable tool, these systems, regardless of how sophisticated they might be, cannot take the place of vulnerability and penetration testing performed by trained professionals.
Advanced Persistent Threats
An advanced persistent threat (APT) is a hacking process that targets a specific entity and is carried out over a long period of time. In most cases, the victim of an APT is a large corporation or government entity. The attacker is usually a group of organized individuals or a government. The attackers have a predefined objective. Once the objective is met, the attack is halted. APTs can often be detected by monitoring logs and performance metrics.
Zero-Day Mitigating Controls and Remediation
Vulnerabilities are often discovered in live environments before a fix or patch exists. Such vulnerabilities are referred to as zero-day vulnerabilities. A zero-day attack occurs when a security vulnerability in an application is discovered on the same day the application is released. The best way to prevent zero-day attacks is to write bug-free applications by implementing efficient designing, coding, and testing practices. Having staff discover zero-day vulnerabilities rather than those looking to exploit the vulnerability is best. Monitoring known hacking community websites can often provide an early alert because hackers often share zero-day exploit information. Honeypots or honeynets can also provide forensic information about hacker methods and tools for zero-day attacks.
New zero-day attacks are announced on a regular basis against a broad range of technology systems. A security manager should create an inventory of applications and maintain a list of critical systems to manage the risks of these attack vectors.
Because zero-day attacks occur before a fix or patch has been released, it is difficult to prevent them. As with many other attacks, keeping all software and firmware up-to-date with the latest updates and patches is important. Enabling audit logging of network traffic can help reconstruct the path of a zero-day attack. Inspection of logs helps security professionals determine the presence of an attack in the network, estimate the damage, and identify corrective actions. Zero-day attacks usually involve activity that is outside “normal” activity, so documenting normal activity baselines is important. Also, routing traffic through a central internal security service can ensure that any fixes affect all the traffic in the most effective manner. Whitelisting can also aid in mitigating attacks by ensuring that only approved entities are able to use certain applications or complete certain tasks. Finally, security professionals should ensure that their organization implements the appropriate backup schemes to ensure that recovery can be achieved, thereby providing remediation from an attack.
Emergent Threats and Issues
As has been stated many times in this book, information technology changes quickly. Security professionals are constantly challenged to ensure that they understand emerging threats and issues and can mitigate these problems. In today’s computing world, the main emergent threats and issues generally involve mobile computing, cloud computing, and virtualization.
The increasing use of mobile devices combined with the fact that many of these devices connect using public networks with little or no security provides security professionals with unique challenges. Educating users on the risks related to mobile devices and ensuring that they implement appropriate security measures can help protect against threats involved with these devices. Some of the guidelines that should be provided to mobile device users include implementing a device locking PIN, using device encryption, implementing GPS location, and implement remote wiping. Also, users should be cautioned on downloading apps without ensuring that they are coming from a reputable source. In recent years, mobile device management (MDM) and mobile application management (MAM) systems have become popular in enterprises. They are implemented to ensure that an organization can control mobile device settings, applications, and other parameters when those devices are attached to the enterprise.
With cloud computing, a third-party vendor is closely involved in the computer operations of an organization. Security and privacy concerns should be addressed as part of any contract and should include provisions regarding the ownership and dispersion of data. The level of protection for data should be explicitly defined to ensure that the provider will give the level needed. Also, keep in mind that crossing international boundaries can affect the laws and regulations that govern service.
Today, physical servers are increasingly being consolidated as virtual servers on the same physical box. Virtual networks using virtual switches even exist in the physical devices that host these virtual servers. These virtual network systems and their traffic can be segregated in all the same ways as in a physical network—using subnets, VLANs, and, of course, virtual firewalls. Virtual firewalls are software that has been specifically written to operate in the virtual environment. Increasingly, virtualization vendors such as VMware are making part of their code available to security vendors to create firewalls (and antivirus products) that integrate closely with their products.
Keep in mind that in any virtual environment, each virtual server that is hosted on the physical server must be configured with its own security mechanisms. These mechanisms include antivirus and antimalware software and all the latest service packs and security updates for all the software hosted on the virtual machine. Also, remember that all the virtual servers share the resources of the physical device.
Security professionals should always be on guard for new emerging threats and issues by performing ongoing research. Networking with other security professionals can also provide a great deal of information on these threats and issues.
Research Security Implications of New Business Tools
While many organizations are cautious about early implementation of new business tools, the senior managers of some organizations are quick to push their IT departments into implementing these business tools even before all the security issues introduced by these tools are known. Security professionals must meet the demands of senior management while keeping enterprise security at the forefront. Recent new business tools include social media/networking and end-user cloud storage. Integration of these business tools within the organization’s enterprise should be carefully planned.
Social Media/Networking
With the rise in popularity of social media and networking, cybercriminals have started targeting social media users. In 2010, Facebook bugs allowed spammers to flood Facebook with messages promoting scams, such as links to a website where they could “win” an iPhone by filling in their personal information. Many of the popular Facebook applications send identifying information to dozens of advertising and Internet tracking companies. If these attackers can get Facebook users to divulge personal information so easily, what are the implications if employees are lured into releasing company information? What if attackers can get Facebook users to download Facebook applications that contain malware on organizational devices? While social media sites can serve as a great tool for an organization, particularly when it comes to marketing, security professionals must consider the security issues that could arise if personnel are allowed to access these sites using company devices or from the company network.
Let’s suppose a company is evaluating a new strategy involving the use of social media to reach its customers so that the marketing director can report important company news, product updates, and special promotions on the social websites. After an initial and successful pilot period, other departments want to use social media to post their updates as well. The chief information officer (CIO) has asked the company security administrator to document three negative security impacts of allowing IT staff to post work-related information on such websites. In this scenario, the security administrator should report back to the CIO that the major risks of social media include malware infection, phishing attacks, and social engineering attacks. The company should dedicate specific staff to act as social media representatives of the company. The security policy needs to be reviewed to ensure that social media policy is properly implemented.
If an organization decides to allow its employees to access and use social media at work, strict policies and guidelines should be established, including:
Make sure all devices and applications are up-to-date.
Ensure that the organization employs layers of security to defend the enterprise from security threats.
Create acceptable use policies that explicitly spell out the details about social media usage at work. These policies should include what type of company information can be published by all personnel and what type should only come from senior management or public relations.
Include social media training as part of the security awareness training that all personnel must obtain.
End-User Cloud Storage
Although cloud technologies have been out for a few years, they are just now starting to become popular with end users. Unfortunately, most end users do not fully understand the security implications of cloud storage.
Cloud services give end users more accessibility to their data. However, this also means that end users can take advantage of cloud storage to access and share company data from any location. The IT team no longer controls the data. This is the case with both public and private clouds.
With private clouds, organizations can:
Ensure that the data is stored only on internal resources.
Ensure that the data is owned by the organization.
Ensure that only authorized individuals are allowed to access the data.
Ensure that data is always available.
However, a private cloud is only protected by the organization’s internal resources, and this protection can often be affected by the knowledge level of the security professionals responsible for managing the cloud security.
With public clouds, organizations can be sure that:
Data is protected by enterprise-class firewalls and within a secured facility.
Attackers and disgruntled employees are unsure of where the data actually resides.
The cloud vendor will provide security expertise and must maintain the level of service detailed in the contract.
However, public clouds can grant access to any location, and data is transmitted over the Internet. Also, the organization depends on the vendor for all services provided.
End users must be educated about cloud usage and limitations as part of their security awareness training. In addition, security policies should clearly state where data can be stored, and access control lists (ACLs) should be configured properly to ensure that only authorized personal can access data. The policies should also spell out consequences for storing organizational data in cloud locations that are not authorized.
Integration Within the Business
As with many other technologies, most organizations had very strict policies against the use of social media at its advent. But through the years, organizations have adopted more lenient policies when it comes to the use of social media at work.
When cloud implementations were first becoming popular, many organizations shied away from giving a vendor so much control over organizational data. However, as more cloud providers have been established and prices have continued to improve, more organizations are choosing to use some sort of cloud implementation for their enterprise.
If your organization decides to implement these new business tools or any new tool that comes in the future, it is important that a full risk assessment be done before the organization implements the new tool. Policies should be put into place to protect the organization and its assets, and user security awareness is essential. Users should be aware of exactly what is allowed with these new tools. For example, regular users should never announce new products on their own pages until an official organizational announcement is made, and then the users should only divulge the information that is given in the official announcement.
Integrating new tools within a business can often bring many advantages and make the organization work more effectively. However, security professionals must be given the time and resources to ensure that these tools do not adversely affect the organization’s security.
Global IA Industry/Community
The global information assurance (IA) industry and community comprise many official groups that provide guidance on information security. Three groups that are involved in this industry include the SysAdmin, Audit, Networking, and Security (SANS) Institute, the International Information Systems Security Certification Consortium [(ISC)2], and the International Council of Electronic Commerce Consultants (EC-Council). These groups provide guidance on establishing information technology security and also offer security certifications. The IT security community is also full of individuals and small groups who are often very willing to help security professionals in their day-to-day struggles.
The following sections discuss CERT, conventions/conferences, threat actors, and emerging threat sources and threat intelligence.
Computer Emergency Response Team (CERT)
CERT is an organization that studies security vulnerabilities and provides assistance to organizations that fall victim to attacks. It is part of the Software Engineering Institute at Carnegie Mellon University. It offers 24-hour emergency response service and shares information for improving web security.
A similar organization is the U.S. Computer Emergency Readiness Team (US-CERT), part of the National Cyber Security Division of the U.S. Department of Homeland Security. US-CERT works closely with CERT to coordinate responses to cyber security threats.
An organization should have an internal incident response team. When establishing its incident response team, an organization must consider the technical knowledge of each individual. The members of the team must understand the organization’s security policy and have strong communication skills. Members should also receive training in incident response and investigations.
When an incident has occurred, the primary goal of the team is to contain the attack and repair any damage caused by the incident. Security isolation of an incident scene should start immediately when the incident is discovered. Evidence must be preserved, and the appropriate authorities should be notified.
An incident response team should have access to the organization’s incident response plan. This plan should include the list of authorities to contact (including CERT), team roles and responsibilities, an internal contact list, procedures for securing and preserving evidence, and a list of investigation experts who can be contacted for help. The organization should create a step-by-step manual for the incident response team to follow to ensure that no steps are skipped. It may be necessary to involve CERT early in the process if help is needed. After the incident response process has been engaged, all incident response actions should be documented.
If the incident response team determines that a crime has been committed, senior management and the proper authorities should be contacted immediately.
Conventions/Conferences
Perhaps one of the best avenues for security professionals to get the latest on information security is to attend security conventions and conferences. Such conventions and conferences cover different facets of security, but the majority of them fit into one of three categories: security industry, academic security, and hacking.
Probably the most well-known conference is RSA Conference, which covers all facets of security and draws security professionals from across the employment spectrum, including educators, governmental personnel, and other security professionals. This conference has an agenda that includes several tracks, including cloud and data security, cybercrime and law enforcement, mobile security, and security infrastructure.
The Black Hat convention is an annual conference held in Las Vegas and other locations in Europe and Asia. It includes four days of training and two days of briefings, while providing attendees with the latest in information security research, development, and trends in a vendor-neutral environment.
DEFCON conferences are more centered around hacking and are considered more technical in nature than many of the other popular conferences.
It is important for security professionals to use security conventions and conferences as the learning tools they are intended to be. Often the training obtained at these events can help to prepare a security professional for what is coming, while also covering what has already occurred in the security field.
Threat Actors
A threat is carried out by a threat actor. An attacker who takes advantage of an inappropriate or absent ACL is a threat agent. Keep in mind, though, that threat actors can discover and/or exploit vulnerabilities. Not all threat actors will actually exploit an identified vulnerability.
The Federal Bureau of Investigation (FBI) has identified three categories of threat actors:
Organized crime groups primarily threatening the financial services sector and expanding the scope of their attacks
State sponsors, usually foreign governments, interested in pilfering data, including intellectual property and research and development data from major manufacturers, government agencies, and defense contractors
Terrorist groups that want to impact countries by using the Internet and other networks to disrupt or harm the viability of a society by damaging its critical infrastructure
While there are other less organized groups out there, law enforcement considers these three groups to be the primary threat actors. However, organizations should not totally disregard the threats of any threat actors that fall outside these three categories. Lone actors or smaller groups that use hacking as a means to discover and exploit any discovered vulnerability can cause damage just like the larger, more organized groups.
Hacker and cracker are two terms that are often used interchangeably in media but do not actually have the same meaning. Hackers are individuals who attempt to break into secure systems to obtain knowledge about the systems and possibly use that knowledge to carry out pranks or commit crimes. Crackers, on the other hand, are individuals who attempt to break into secure systems without using the knowledge gained for any nefarious purposes. Hackivists are the latest new group to crop up. They are activists for a cause, perhaps for animal rights, that use hacking as a means to get their message out and affect the businesses that they feel are detrimental to their cause.
In the security world, the terms white hat, gray hat, and black hat are more easily understood and less often confused than the terms hackers and crackers. A white hat does not have any malicious intent. A black hat has malicious intent. A gray hat is considered somewhere between the other two. A gray hat may, for example, break into a system, notify the administrator of the security hole, and offer to fix the security issues for a fee.
Emerging Threat Sources/Threat Intelligence
New threat sources and threat intelligence are emerging daily. Many organizations may find themselves victims of cybercrime. Organizations must constantly battle to stay ahead of the attackers to protect their data and other assets. Unfortunately, in today’s world, no organization is immune to attacks.
Security professionals can use emerging threat reports and intelligence as a means to convince management of the need to invest in new security devices and training. Emerging threat reports paired with company attack trends can be even more convincing. So make sure to use all the tools at your disposal to make your case!
Our society depends on computers and information technology so much today that it is very rare to find an organization that is not connected to the Internet. It is vital that security professionals from across the spectrum work together to battle the emerging threats and share information regarding these threats and their attack vectors with each other. Consider groups like Anonymous and Julian Assange’s WikiLeaks that are known for their attacks but were relatively unknown just a few years back. Even terrorist organizations are becoming more technologically savvy in their methods of attack. As in most other cases, education is key. A security professional never stops learning!
Research Security Requirements for Contracts
Contracts with third parties are a normal part of business. Recently, because security has become such a concern for most organizations and governmental entities, contracts are including sections that explicitly detail the security requirements for the vendor. Organizations should consult with legal counsel to ensure that the contracts they execute include the appropriate security requirements to satisfy not only the organizations’ needs, but also any governmental regulations and laws.
Some of the provisions that an organization may want to consider including as part of any contracts include:
Required policies, practices, and procedures related to handling organizational data
Training or certification requirements for any third-party personnel
Background investigation or security clearance requirements for any third-party personnel
Required security reviews of third-party devices
Physical security requirements for any third-party personnel
Laws and regulations that will affect the contract
Security professionals should research security requirements for contracts, including RFPs, RFQs, RFIs, and other agreements.
Request for Proposal (RFP)
An RFP is a bidding-process document issued by an organization that gives details of a commodity, a service, or an asset that the organization wants to purchase. Potential suppliers use the RFP as a guideline for submitting a formal proposal.
Suppose that two members of senior management can better understand what each vendor does and what solutions they can provide after three vendors submit their requested documentation. But now the managers want to see the intricacies of how these solutions can adequately match the requirements needed by the firm. The manager should submit an RFP to the three submitting firms to obtain this information.
Request for Quote (RFQ)
An RFQ (sometimes called an invitation for bid [IFB]) is a bidding-process document that invites suppliers to bid on specific products or services. RFQs often include item or service specifications. An RFQ is suitable for sourcing products that are standardized or produced in repetitive quantities, such as desktop computers, RAM modules, or other devices.
Suppose that a security administrator of a small private firm is researching and putting together a proposal to purchase an IPS. A specific brand and model has been selected, but the security administrator needs to gather cost information for that product. The security administrator should prepare an RFQ to perform a cost analysis report. The RFQ would include information such as payment terms.
Request for Information (RFI)
An RFI is a bidding-process document that collects written information about the capabilities of various suppliers. An RFI may be used prior to an RFP or RFQ, if needed, but can also be used after these if the RFP or RFQ does not obtain enough specification information.
Suppose that a security administrator of a large private firm is researching and putting together a proposal to purchase an IPS. The specific IPS type has not been selected, and the security administrator needs to gather information from several vendors to determine a specific product. An RFI would assist in choosing a specific brand and model.
Now let’s look at an example where the RFI comes after the RFP or RFQ. Say that three members of senior management have been working together to solicit bids for a series of firewall products for a major installation in the firm’s new office. After reviewing RFQs received from three vendors, the three managers have not gained any real data regarding the specifications about any of the solutions and want that data before the procurement continues. To get back on track in this procurement process, the managers should contact the three submitting vendor firms and have them submit supporting RFIs to provide more detailed information about their product solutions.
Agreements
Organizations use other types of agreements with third parties besides those already discussed. Even though many of these agreements are not as formal as RFPs, RFQs, or RFIs, it is still important for an organization to address any security requirements in an agreement to ensure that the third party is aware of the requirements. This includes any type of contracts that organizations use to perform business, including purchase orders, sales agreements, manufacturing agreements, and so on.
Exam Preparation Tasks
You have a couple of choices for exam preparation: the exercises here and the exam simulation questions on the CD-ROM.
Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 10-1 lists these key topics and the page number on which each is found.
Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary:
unified threat management (UTM)
vulnerability management system
advanced persistent threat (APT)
Computer Emergency Response Team (CERT)
Review Questions
1. Senior management at your organization has implemented a policy which states that best practice documentation must be created for all security personnel. Which of the following is a valid reason for this documentation?
a. Using this documentation will ensure that the organization will not have any legal issues due to security.
b. Using this documentation will ensure that the organization will not have any security breaches.
c. Using this documentation will allow security personnel to ensure that they know what to do according to industry standards.
d. Using this documentation will ensure that security personnel are properly trained.
2. Which organization issues RFCs?
a. IETF
b. IEEE
c. ISO
d. IEC
3. Situational awareness is being aware of the _________ in which a system operates at ________.
a. time; a certain performance level
b. environment; a certain point in time
c. environment; a certain performance level
d. time; its maximum level
4. Recently, your organization has been the victim of several client-side attacks. Management is very concerned and wants to implement some new policies that could negatively impact your business. You explain to management some of the measures that should be taken to protect against these attacks. Management asks why client-side attacks are increasing. What should be your reply? (Choose all that apply.)
a. Servers are more expensive than clients.
b. Client computers cannot be protected as well as servers.
c. Client computers are not usually as protected as servers.
d. There are more clients than servers.
5. The application development team of your organization has released a new version of an application today. Within hours, popular hacker forums have several posts regarding a security vulnerability in the application. Which type of attack does this indicate?
a. client-side attack
b. end-user attack
c. advanced persistent threat
d. zero-day attack
6. Over the past several months, your organization’s network has been under a password attack. The attack has been carried out from different computers throughout the United States. Which type of attack is being carried out?
a. client-side attack
b. end-user attack
c. advanced persistent threat
d. zero-day attack
7. Which of the following attacks can be carried out using social media? (Choose all that apply.)
a. malware
b. phishing
c. social engineering
d. wardriving
8. Your organization is trying to decide whether to implement a private cloud or use a public cloud. Which of the following is a valid reason for choosing a private cloud?
a. Attackers and disgruntled employees are unsure of where the data actually resides.
b. It will ensure that the data is owned by your organization.
c. The cloud vendor will provide security expertise and must maintain the level of service detailed in the contract.
d. Data is protected by enterprise-class firewalls and within a secured facility.
9. Which of the following is not one of the three listed threat actors as listed by the FBI?
a. organized crime groups
b. state sponsors
c. terrorists groups
d. natural disasters
10. Which document requires that a vendor reply with a formal bid proposal?
a. RFI
b. RFP
c. RFQ