m Security Management Concepts

Key Points


References


Key Concepts


Security Management Notes doc

https://drive.google.com/file/d/0BxqKQGV-b4WQYXVyOXphQ3NQT1E/view?usp=sharing


Cyber Security Program Framework

Raj Grover

https://www.linkedin.com/posts/rajkgrover_transformpartner-digitaltransformation-activity-6993139664693936128-y9h7?utm_source=share&utm_medium=member_desktop

Typically, a comprehensive assessment firstly aims to understand the business context, then the risk scenarios faced by the business are determined. Next, the desired maturity profile and relevant roadmaps should be considered. One outcome of such an assessment is an action-oriented plan containing prioritized initiatives to better equip the organization to evaluate and justify the value provided by cybersecurity. Naturally, it makes sense to enrich the assessment with additional enablers to inform the cybersecurity strategy and roadmap planning, e.g., through a dedicated cybersecurity value optimization, a review of the operating model and governance structure or through a cybersecurity transformation or co-sourcing engagement.
 
Our latest GISS study reveals that a large portion of respondents in Switzerland cannot quantify, in financial terms, the effectiveness of their cybersecurity spending in addressing the risks faced by the business. A thorough analysis is the basis for prioritizing investments and setting the scene for sustainable growth. An independent assessment often reveals more about the current state of security in an organization than internal reviews.
 
A comprehensive assessment, typically supported by state-of-the-art tools, enables you to rapidly assess your current state and to develop agile strategies and roadmaps to transform your organization. The value added is not only the identification of key business risks related to the maturity of specific cybersecurity domain areas, but also the alignment of the cybersecurity strategy with a focus on the organization's strategic priorities and business objectives. It enables a facilitation of a dialogue between the cybersecurity team and business leaders to articulate the benefits of cybersecurity program investments and helps to understand areas of improvement requiring additional investment. This industry-proven method helps in developing pragmatic recommendations to further improve cybersecurity programs, especially with the correct alignment of risk and cost with business needs.
 
 
Source: EY


Cybersecurity Program Accelerator Framework


Beyond Zero Trust - Trust Engineering


Zero Trust Principles


Zero Trust Concepts (see m Security Concepts#ZeroTrustConcepts&Architecture)


https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/



Market Guide for Zero Trust Network Access - Gartner

zero-trust-gartner.com-Market Guide for Zero Trust Network Access.pdf file

zero-trust-gartner.com-Market Guide for Zero Trust Network Access.pdf link

Several use cases lend themselves to ZTNA:
  • Opening applications and services to named collaborative ecosystem members — such as distribution channels, suppliers, contractors or retail outlets — without requiring a VPN or DMZ. Access is more tightly coupled to users, applications and services.
  • Deriving personas based on user behavior — for example, if a user’s phone is in one country, but their PC is in another country, and both are attempting to log on to the same application, legitimate access should be permitted, while compromised devices should be blocked.
  • Carrying encryption all the way from the endpoint to the ZTNA gateway (which may run on the same server as the application it protects) for scenarios where you don’t trust the local wireless hot spot, carrier or cloud provider.
  • Providing application-specific access for IT contractors and remote or mobile employees as an alternative to VPN-based access.
  • Controlling administrative access to applications, such as IaaS/PaaS applications as a lower-cost alternative to full privileged access management (PAM) tools.
  • Extending access to an acquired organization during M&A activities, without having to combine networks, combine directories or configure site-to-site VPN and firewall rules.
  • Isolating high-value enterprise applications in the network or cloud to reduce insider threats and effect separation of duties for administrative access.
  • Authenticating users on personal devices — ZTNA can improve security and simplify bring your own device (BYOD) programs by reducing full management requirements and enabling more-secure direct application access.
  • Creating secure enclaves of Internet of Things (IoT) devices or a virtual appliance-based connector on the IoT network segment for connection.
  • Protecting internal systems from hostile networks, such as the public internet, by removing inbound access (leveraging phone home), thus reducing attack surface.




Trust Engineering - Trusts, Decisions, Proofs


For a given use case and scenario context, what trusts does each party need in the process?

What decisions need to be made on those trusts, by whom, when, how, where and why?

What proofs are needed to validate each trust?
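The three questions above and the ZTNA use cases listed earlier (application-specific contractor access, administrative access to IaaS/PaaS, the persona check where a user's phone and PC sit in different countries) can be made concrete as a policy decision point. The block below is an added example, not code from Gartner, any ZTNA vendor, or the page author: each scenario names the trusts required, a proof is a claim set signed by an issuer (here with HMAC), and the decision allows only when every trust has a valid, unexpired proof behind it. The issuer keys, claim names and scenarios are constructed for the example; a real deployment would take identity claims from its IdP and posture claims from a device-attestation service, with keys held in an HSM or KMS.

```python
"""Trust engineering worked example: trusts needed per scenario, a decision
point that evaluates them, and signed proofs that validate each trust.
Added here; not code from Gartner, a ZTNA product or the page author.
Issuer keys, claim names and scenarios are constructed (assumption: a real
deployment uses IdP tokens and a device-attestation service instead)."""
import hashlib
import hmac
import json

# Constructed issuer secrets: one per party allowed to attest a trust.
ISSUER_KEYS = {
    "idp": b"example-idp-signing-key",
    "device-attestation": b"example-device-attestation-key",
}


def canonical(claims):
    """Canonical JSON so issuer and verifier MAC exactly the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_proof(issuer, claims):
    """An issuer signs a claim set; 'exp' is a Unix time after which it is void."""
    mac = hmac.new(ISSUER_KEYS[issuer], canonical(claims), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "claims": claims, "mac": mac}


def verify_proof(proof, now):
    """Claims if the issuer is known, the MAC matches and the proof is unexpired;
    otherwise None (an unverifiable proof carries no trust at all)."""
    key = ISSUER_KEYS.get(proof.get("issuer"))
    if key is None:
        return None
    expected = hmac.new(key, canonical(proof["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof.get("mac", "")):
        return None
    if proof["claims"].get("exp", 0) <= now:
        return None
    return proof["claims"]


def _by(verified, issuer):
    return verified.get(issuer, [])


# "What trusts are needed": per scenario, trust name -> predicate over the
# verified claims grouped by issuer.
SCENARIOS = {
    # Contractor reaching one application through a ZTNA gateway, no VPN.
    "contractor-app-access": {
        "user-identity": lambda v: any(c.get("mfa") for c in _by(v, "idp")),
        "device-posture": lambda v: any(
            c.get("edr_running") and c.get("disk_encrypted")
            for c in _by(v, "device-attestation")),
    },
    # Administrative access to an IaaS/PaaS console: stricter trusts plus the
    # persona check (phone in one country, PC in another -> not consistent).
    "admin-access": {
        "user-identity": lambda v: any(
            c.get("mfa") and c.get("role") == "admin" for c in _by(v, "idp")),
        "device-posture": lambda v: any(
            c.get("managed") and c.get("edr_running")
            for c in _by(v, "device-attestation")),
        "location-consistency": lambda v: len({
            c["country"] for c in _by(v, "idp") + _by(v, "device-attestation")
            if "country" in c}) == 1,
    },
}


def decide(scenario, proofs, now):
    """Policy decision point ("who decides, when, how"): returns
    (allow, satisfied_trusts, missing_trusts). Deny is the default."""
    verified = {}
    for proof in proofs:
        claims = verify_proof(proof, now)
        if claims is not None:
            verified.setdefault(proof["issuer"], []).append(claims)
    satisfied, missing = [], []
    for trust, predicate in SCENARIOS[scenario].items():
        (satisfied if predicate(verified) else missing).append(trust)
    return (not missing, satisfied, missing)


def demo(now=1_700_000_000):
    """Decisions on constructed proofs: valid, tampered, mismatch, expired."""
    idp = issue_proof("idp", {"sub": "alice", "mfa": True, "role": "admin",
                              "country": "CH", "exp": now + 300})
    laptop = issue_proof("device-attestation", {
        "device": "lt-1", "managed": True, "edr_running": True,
        "disk_encrypted": True, "country": "CH", "exp": now + 300})
    phone = issue_proof("device-attestation", {
        "device": "ph-1", "managed": True, "edr_running": True,
        "disk_encrypted": True, "country": "US", "exp": now + 300})
    byod = issue_proof("device-attestation", {
        "device": "byod-1", "managed": False, "edr_running": False,
        "disk_encrypted": False, "country": "CH", "exp": now + 300})
    # Attacker rewrites claims after signing: the MAC no longer matches.
    forged = dict(byod, claims=dict(byod["claims"], managed=True, edr_running=True))
    return {
        "valid": decide("admin-access", [idp, laptop], now),
        "tampered": decide("admin-access", [idp, forged], now),
        "mismatch": decide("admin-access", [idp, phone], now),
        "expired": decide("admin-access", [idp, laptop], now + 600),
    }
```

The design point is that a proof that fails verification is dropped rather than treated as a weaker proof: the forged posture claim leaves "device-posture" missing, the phone in another country leaves "location-consistency" missing, and once the proofs expire nothing is trusted, so the decision falls back to deny each time.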



Cybersecurity Futures Landscape - threats, focus - WEF

Cybersecurity Futures 2030 New Foundations-WEF-2023.pdf link

Cybersecurity Futures 2030 New Foundations-WEF-2023.pdf file


This report presents findings from Cybersecurity Futures 2030, a global research initiative focused on exploring how digital security could evolve over the next five to seven years. The goal of this project is to help shape a future-focused research and policy agenda that is widely applicable across countries and sectors. The findings are based on discussions held at a series of in-person workshops conducted throughout 2023 in Dubai (United Arab Emirates), Washington DC (USA), Kigali (Rwanda), New Delhi (India) and Singapore, as well as a virtual workshop with participants from multiple European countries and the United Kingdom. The workshops centred on discussion of four scenarios that portray diverse “cybersecurity futures” that are fictional (but plausible) depictions of the world roughly in the year 2030. UC Berkeley Center for Long-Term Cybersecurity (CLTC) independently designed the scenarios to explore trade-offs in goals and values that decision-makers will have to contend with in the near future.

Key findings

– Acceleration in technology and business model innovation (both licit and criminal) will underpin the new digital security landscape for 2030. Societies must fundamentally reorient their responses to perennial digital security challenges, including data privacy, talent development and sustainability.

– Shoring up trust will be a key goal of cybersecurity efforts over the next decade. The online spread of mis- and disinformation are now core cybersecurity concerns. Cybersecurity will become less about protecting the confidentiality and availability of information and more about protecting its integrity and provenance.

– Stable governments that follow through on long-term technology and cybersecurity strategies can become trusted “brands”, gaining advantages in attracting talent, seizing leadership opportunities in multilateral standards-setting processes and countering disinformation campaigns.

– Public-private partnerships will be imperative to move the needle on combating sovereign and criminal cyberattacks and information operations but new incentive structures will be needed to achieve such partnerships.

– There is a window of opportunity for emerging and developing countries to implement “secure by design” principles that the first waves of digitalization have largely failed to embed. Decision-makers should monitor the pace of digitalization and the ability of populations to integrate new technologies safely and securely.

– Transformative investment in cybersecurity talent and training will be a priority objective. Countries’ ability to project themselves as trusted global brands, attract global talent, retain homegrown talent and provide a productive environment to capitalize on that talent matters significantly. Promoting education and awareness of digital security will be critical.

– Decision-makers across regions are struggling to balance technology value-chain interdependencies and self-sufficiency. Even as national data regulations proliferate, trusted standards are needed that incentivize interoperability in cybersecurity and artificial intelligence (AI) security. In some regions, there is a sense of a global leadership void, a lack of trusted and expert regulatory bodies and insufficient capacity for enforcement of security and privacy laws and standards.

– The focus in the next three to five years will be on the practicalities of navigating a world in flux. This dynamic will vary across regions, will be influenced by their relationships with China and/or the US and will hold steady regardless of the strength or weakness of the US-China relationship over the next five years.

Takeaways for decision-makers

– Organizations will need to ensure they have a stable and secure supply chain of resources, including technology components, raw materials and skilled, affordable workers.

– Effective digital policies and regulations should demonstrate clear and stable priorities of companies, governments and other organizations.

– Resilience, humour and optimism about the future – and the opportunities that await those willing and able to seize them – are critical in the run-up to 2030.

– Having a digitally literate public and customer base that is media savvy and inoculated against mis-, dis- and mal-information (MDM) will be a source of strength for organizations that wish to succeed in an era of degrading trust.

– Leaders should actively look for ways to ensure that emerging technologies help the general population, for example by stabilizing national economies, addressing high costs of living, providing food security and advancing renewable energy.

– The public and private sectors should invest in education (e.g. media literacy and cybersecurity hygiene) for the general population to decrease the attack surface and in-job training to upskill a digital workforce.

– Leaders will need to strategically and tactically use regulation to guard against the downsides of AI products as they rise in prominence and must take meaningful measures to combat MDM before it further degrades trust and unity.

– Countries should form and strengthen trusted research institutions, particularly in less-developed economies, to support governments in addressing the most challenging social and technical cybersecurity problems of 2030.

The next phase of this project will include working with decision-makers to generate additional priorities and thinking more broadly about how findings from this report could reshape organizations’ futures. Grappling with these kinds of questions should be a defining focus in 2024 for C-suites, boards and government agencies internationally.




Risk categories to track on SDP delivery

business risk - the business goals or resources have changed, for better or worse

project risk - the project's delivery capabilities have changed, for better or worse

technology risk - the technologies in the solution, for delivery or for operation, have changed, for better or worse



Potential Value Opportunities



Potential Challenges



Security Vendor Lockin Risks

security-vendor-challenges-Is Microsoft Lock-In the Right Strategy for your Org.pdf link

security-vendor-challenges-Is Microsoft Lock-In the Right Strategy for your Org.pdf file


Microsoft server software always had higher security risks than other architectures (see the Fidelity issues of 2012 and the Microsoft Certification Environment)



Compare Microsoft Azure security tools to other vendor options on pros, cons, costs and support for open security standards



Security risks when relying on Microsoft Azure security services (many of these exist on other platforms as well)


Microsoft Azure has several security risks, including:
  • Unauthorised access: attackers holding stolen subscription credentials can run harmful scripts and deploy resources in the tenant.
  • Data breaches: caused by application vulnerabilities or storage container misconfigurations that allow unauthorized access or data leakage.
  • Misuse of platform access: administrators or service principals using broad subscription or tenant permissions beyond their intended purpose.
  • Insider threats: employees and contractors who already hold permissions.
Other security risks include:
  • Access token abuse and leakage
  • Lateral movement from compromised workloads
  • Compromised third-party partners with privileged permissions
  • Credential theft
  • Reconnaissance with search engines
  • Data collection by blob hunting (enumerating publicly readable storage containers)
  • Microsoft Entra ID (formerly Azure AD) complexity
  • Azure Container Registry and AKS vulnerabilities
Here are some best practices to help prevent these risks:
  • Encrypt sensitive data at rest and in transit
  • Implement secure coding practices
  • Regularly patch and update applications
  • Use Azure Key Vault for secure key management
  • Employ Microsoft Defender for Cloud (formerly Azure Security Center) for continuous monitoring and threat detection
  • Lock down management ports (RDP, SSH, WinRM) so they are not reachable from the internet
  • Scope permissions tightly using tools like Privileged Identity Management
  • Segment your network properly with private endpoints, service endpoints, and network security groups
  • Continuously monitor activity logs
  • Perform penetration testing
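Several of the best practices above (locked-down management ports, no anonymous blob access, HTTPS-only storage, a Deny default on storage network ACLs) can be checked offline against an exported configuration. The block below is an added example, not code from the page's source or from Microsoft: it audits a list of resource definitions and reports the weak settings, with a constructed "before" configuration beside its hardened counterpart. The resource documents are constructed for the example; their property names follow the ARM resource JSON, and it is an assumption that a resource-group template export produces the same shape.

```python
"""Added offline audit for the Azure best-practice items above (not from the
page's source or Microsoft). Resource documents are constructed; property
names follow the ARM resource JSON (assumption: your export matches)."""

MGMT_PORTS = {22, 3389, 5985, 5986}          # SSH, RDP, WinRM HTTP/HTTPS
INTERNET = {"*", "Internet", "0.0.0.0/0", "::/0", "Any"}


def _exposed_ports(props):
    """Management ports matched by destinationPortRange(s): '22', '20-25' or '*'."""
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    ports = set()
    for r in ranges:
        if r == "*":
            return set(MGMT_PORTS)
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports & MGMT_PORTS


def audit_nsg(nsg):
    """Flag inbound Allow rules that expose a management port to the internet."""
    findings = []
    for rule in nsg["properties"].get("securityRules", []):
        p = rule["properties"]
        if p.get("direction") != "Inbound" or p.get("access") != "Allow":
            continue
        sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]
        ports = _exposed_ports(p)
        if ports and any(s in INTERNET for s in sources):
            findings.append(f"{nsg['name']}/{rule['name']}: inbound {sorted(ports)} allowed "
                            "from the internet; restrict to a bastion/JIT source or remove")
    return findings


def audit_storage(sa):
    """Flag storage settings that enable blob hunting or weak transport."""
    p, name, findings = sa["properties"], sa["name"], []
    if p.get("allowBlobPublicAccess", True):          # unset is treated as enabled
        findings.append(f"{name}: allowBlobPublicAccess is not false (anonymous blob reads)")
    if not p.get("supportsHttpsTrafficOnly", False):
        findings.append(f"{name}: supportsHttpsTrafficOnly is not true")
    if p.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"{name}: minimumTlsVersion is not pinned to TLS1_2")
    if p.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        findings.append(f"{name}: networkAcls.defaultAction is not Deny; "
                        "use private/service endpoints behind a Deny default")
    return findings


AUDITORS = {
    "Microsoft.Network/networkSecurityGroups": audit_nsg,
    "Microsoft.Storage/storageAccounts": audit_storage,
}


def audit(resources):
    """Run every known auditor over a list of exported resources."""
    findings = []
    for res in resources:
        auditor = AUDITORS.get(res.get("type"))
        if auditor:
            findings.extend(auditor(res))
    return findings


def _nsg(name, rules):
    return {"type": "Microsoft.Network/networkSecurityGroups", "name": name,
            "properties": {"securityRules": rules}}


def _rule(name, src, ports, priority):
    return {"name": name, "properties": {
        "priority": priority, "direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "sourceAddressPrefix": src,
        "destinationAddressPrefix": "*", "destinationPortRange": ports}}


def _storage(name, **props):
    return {"type": "Microsoft.Storage/storageAccounts", "name": name, "properties": props}


# Constructed "before": RDP open to the world, anonymous blobs, HTTP allowed.
WEAK = [
    _nsg("vm-nsg", [_rule("allow-rdp-any", "*", "3389", 100),
                    _rule("allow-https", "Internet", "443", 110)]),
    _storage("stbackups", allowBlobPublicAccess=True, supportsHttpsTrafficOnly=False,
             minimumTlsVersion="TLS1_0", networkAcls={"defaultAction": "Allow"}),
]

# Constructed "after": same workloads, settings corrected (RDP only from a bastion subnet).
HARDENED = [
    _nsg("vm-nsg", [_rule("allow-rdp-bastion", "10.0.250.0/26", "3389", 100),
                    _rule("allow-https", "Internet", "443", 110)]),
    _storage("stbackups", allowBlobPublicAccess=False, supportsHttpsTrafficOnly=True,
             minimumTlsVersion="TLS1_2", networkAcls={"defaultAction": "Deny"}),
]
```

Running audit(WEAK) yields five findings (the RDP rule plus four storage settings) and audit(HARDENED) yields none; the HTTPS rule open to the internet is left alone because 443 is not a management port. Unset values are deliberately read as the weak value so that a resource that never had the setting written shows up rather than passing silently.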




VPN Security Challenges vs Zero Trust Network Access (ZTNA)

https://www.esecurityplanet.com/networks/vpn-security/

esecurityplanet.com-VPN Security Risks Best Practices for 2022.pdf link

esecurityplanet.com-VPN Security Risks Best Practices for 2022.pdf file

VPNs were developed to solve two challenges: the high cost of leased lines for branch offices, and the growing need to enable remote workers to access the corporate network securely.

While VPNs provide security by encrypting data and sending it through a “tunnel,” there are limitations to that security. Before examining those limitations, let’s take a look at how VPNs work.

How VPN works

A VPN involves the transfer of encrypted data wrapped with a header containing routing information. This process enables the data to travel securely over a shared or public network to reach its endpoint.

Data packets passed over the public network in this way are unreadable without the decryption keys, thus ensuring that data is not disclosed or changed during transmission.

From the user’s perspective, the VPN connection is a point-to-point connection between the user’s computer and a corporate server. The nature of the public network is irrelevant to the user because it appears as if the data is being sent over a dedicated private link.

VPNs improve wifi security

Many of these mobile workers use public Wi-Fi to access corporate data, and more than one-third never use a VPN to protect their data even though two-thirds are concerned about public Wi-Fi security, according to a survey by iPass. VPN remains a viable option for securing data transferred over public Wi-Fi.

VPN risks

Are VPNs safe? Admittedly, there are security risks associated with VPNs. These include VPN hijacking, in which an unauthorized user takes over a VPN connection from a remote client; man-in-the-middle attacks, in which the attacker is able to intercept data; weak user authentication; split tunneling, in which a user is accessing an insecure Internet connection while  also accessing the VPN connection to a private network; malware infection of a client machine; granting too many network access rights; and DNS leak, in which the computer uses its default DNS connection rather than the VPN’s secure DNS server.

Even with these added security measures, VPNs are not immune to breaches. They operate on a principle of trusting whoever enters the network rather than using the principle of least privilege.

VPN product security features needed

Consider these must-have security features when choosing a VPN product:

  • support for strong authentication
  • strong encryption algorithms
  • support for anti-virus software and intrusion detection and prevention tools
  • strong default security for administration and maintenance ports
  • digital certificate support
  • logging and auditing support
  • and the ability to assign addresses to clients on a private network while ensuring all addresses are kept private.

Also, having a kill switch is an important VPN security precaution
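Two of the risks listed above, split tunneling and DNS leaks, can be verified from the client side rather than assumed from the product's feature list. The block below is an added example, not code from the eSecurity Planet article: it parses the text of `ip route show` and `/etc/resolv.conf`, resolves each probe address and each configured resolver to the interface the kernel would use (longest-prefix match), and reports anything that bypasses the tunnel. The captures are constructed; the tunnel interface name (tun0) and the probe addresses are assumptions a deployment would replace with its own values.

```python
"""Added client-side check for split tunneling and DNS leaks (not from the
eSecurity Planet article). Captures are constructed; tun0 and the probe
addresses are assumptions."""
import ipaddress

# One address in each half of IPv4 space; a full tunnel must carry both via the VPN.
PROBES = ("1.1.1.1", "200.1.1.1")


def parse_routes(text):
    """Turn `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def route_device(ip, routes):
    """Longest-prefix match: the device the kernel would send `ip` through."""
    ip = ipaddress.ip_address(ip)
    best = max((r for r in routes if ip in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def parse_resolvers(text):
    """Nameserver addresses from resolv.conf text."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver")]


def check_vpn_posture(route_text, resolv_text, vpn_dev="tun0"):
    """Return findings; an empty list means a full tunnel whose DNS also goes
    through the VPN. Handles both a replaced default route and OpenVPN's
    0.0.0.0/1 + 128.0.0.0/1 override, which leaves the old default in place."""
    routes = parse_routes(route_text)
    findings = []
    for probe in PROBES:
        dev = route_device(probe, routes)
        if dev != vpn_dev:
            findings.append(f"split tunnel: {probe} routes via {dev}, not {vpn_dev}")
    for ns in parse_resolvers(resolv_text):
        dev = route_device(ns, routes)
        if dev != vpn_dev:
            findings.append(f"dns leak: resolver {ns} reached via {dev}, not {vpn_dev}")
    return findings


# Constructed capture 1: full tunnel (def1 style), resolver pushed by the VPN,
# plus the usual host route to the VPN server itself over the physical NIC.
FULL_TUNNEL_ROUTES = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev eth0
"""
FULL_TUNNEL_RESOLV = "nameserver 10.8.0.1\n"

# Constructed capture 2: split tunnel, only the corporate range via the VPN,
# and the client still asks the home router for DNS.
SPLIT_TUNNEL_ROUTES = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""
SPLIT_TUNNEL_RESOLV = "search home.lan\nnameserver 192.168.1.1\n"
```

The full-tunnel capture produces no findings even though its default route still points at eth0, because the two /1 routes win the longest-prefix match; the split-tunnel capture produces two split-tunnel findings and one DNS leak. The host route to the VPN server over eth0 is expected and is not flagged.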



Crowdstrike lessons 2024 - Impacts and lessons on Perfected Trust 

see gdoc details here on CrowdStrike

I've been part of a similar upgrade failure across a network. Briefly, there were clear operations failures in policy, procedure and performance by CrowdStrike and Delta. That said, PART of the problem was clearly the quality of the older Microsoft software that always had poor engineering quality. While that specific risk probably does not exist in current Microsoft software, as someone who managed a Microsoft production environment, I overcame Microsoft software quality problems with operations controls on testing and deployment. Thinking forward, there are architecture gaps in software stacks that can be addressed with a new quality standard and related automated audits to validate the quality. I have yet to see some key in-depth engineering strategies to improve software reliability that would make a dramatic impact on runtime quality management. A lot more to be done by all parties.


https://www.forbes.com/sites/ariannajohnson/2024/07/19/crowdstrike-update-heres-what-you-should-do/

https://www.yahoo.com/finance/news/crowdstrike-microsoft-outage-chinese-cybersecurity-093000754.html

https://www.nbcnews.com/tech/tech-news/microsoft-outage-crowdstrike-global-airlines-windows-fix-rcna162685

https://finance.yahoo.com/news/delta-ceo-lashes-crowdstrike-cost-135953941.html

Forbes >> crowdstrike-update-heres-what-you-should-do

Kurtz told NBC some users have been able to resolve the problem by rebooting their computers. But if problems persist, CrowdStrike has offered a manual workaround solution for the blue screen error. This fix involves booting the system into Safe Mode or the Windows Recovery Environment, and navigating to the C:\Windows\System32\drivers\CrowdStrike directory. Users must then delete the file titled “C-00000291*.sys.” The process puts the system into a mode where CrowdStrike and other third-party drivers aren’t able to operate, according to the Verge.

WILL RESTARTING YOUR COMPUTER 15 TIMES WORK?

Microsoft said some customers using its Azure cloud were able to fix their computers by rebooting the systems as many as 15 times. Amazon also suggested rebooting computers may also solve the issue for customers using its AWS cloud software.


6 sigma quality for SMPE - Service Management Policy Effectiveness for prevention, remediation of service quality problems 

6 sigma -  a process being 99.9997% defect-free

Six Sigma is a set of tools and methodologies that businesses use to improve processes by reducing defects and errors, minimizing variation, and increasing quality and efficiency. The goal is to achieve a level of quality that is nearly perfect, with only 3.4 defects per million opportunities (DPMO), which is considered a "six sigma" level. This level of performance equates to a process being 99.9997% defect-free

https://www.simplilearn.com/what-is-six-sigma-a-complete-overview-article


Aggregated service quality calculations 

Assume a primary service invokes up to 50 dependent services while processing all the APIs in its contract.

Every individual service is rated very high quality (e.g. 0.999 reliability).

The aggregated quality shows the consolidated impact of 50 services that all have that quality rating. With independent failures and every dependency required, aggregate quality = (service quality) ^ (service count).


aggregate quality   service quality   service count
0.7783125571        0.995             50
0.9512056282        0.999             50
0.952157786         0.999             49
0.94263620810.991   (fourth row as extracted; its column split is not recoverable)

The aggregated quality of the consolidated services is much lower than the quality of any single service.

key points

  • aggregated service quality is below each individual service quality
  • how do we measure the service quality of each individual service?
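The table above is the serial case only. The block below is an added worked calculation, not the page author's spreadsheet: it reproduces the page's rows from q^n, turns the question around (what per-service quality do 50 serial dependencies need to reach a given aggregate), and shows what redundant replicas buy back, since a dependency deployed as k independent replicas fails only when all k fail. The inputs follow the page (50 serial dependencies, 0.995 and 0.999 per service, the six-sigma 3.4 DPMO figure); the 0.999 target and the replica count are example choices.

```python
"""Added worked calculation for the aggregated-quality table above (not the
page author's spreadsheet). Inputs follow the page; the 0.999 target and the
replica count are example choices."""

SIX_SIGMA = 1 - 3.4e-6          # 3.4 defects per million opportunities


def serial_quality(q, n):
    """Success probability when all n independent dependencies must succeed."""
    return q ** n


def required_per_service(target, n):
    """Per-service quality each of n serial dependencies needs to hit `target`."""
    return target ** (1.0 / n)


def redundant_quality(q, k):
    """One dependency run as k independent replicas: fails only if all k fail."""
    return 1 - (1 - q) ** k


def serial_quality_with_replicas(q, n, k):
    """n serial dependencies, each backed by k independent replicas."""
    return serial_quality(redundant_quality(q, k), n)


def summary(n=50, target=0.999, replicas=2):
    """The page's rows plus the two questions they raise: how good must each
    service be, and how much does redundancy recover."""
    return {
        "serial": {q: serial_quality(q, n) for q in (0.995, 0.999, SIX_SIGMA)},
        "required_per_service": required_per_service(target, n),
        "with_replicas": {q: serial_quality_with_replicas(q, n, replicas)
                          for q in (0.995, 0.999)},
    }
```

The numbers answer the second key point in a useful way: to keep 50 serial dependencies at an aggregate 0.999, each one must individually exceed 0.99998, which is beyond what most teams measure, let alone guarantee; two independent replicas per 0.999 dependency, by contrast, lift the aggregate back above 0.9999. Measuring per-service quality therefore matters less than bounding the depth of serial dependency chains and adding redundancy where they cannot be shortened.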




Candidate Solutions



Open-source security Tools 



More Open Source Cyber Security Tools

https://www.spiceworks.com/it-security/vulnerability-management/articles/top-open-source-cybersecurity-tools/

Best Open Source Security Tools in 2022-spiceworks.com-.pdf link 

Best Open Source Security Tools in 2022-spiceworks.com-.pdf file

AlienVault is a commercial and open-source cybersecurity developer acquired by AT&T in 2018. The company’s Open Source Security Information and Event Management (OSSIM) offers free and powerful security information and event management (SIEM) capabilities.

OpenEDR - Comodo is a U.S.-based cybersecurity company. It open-sourced its EDR solution in November 2020, with the project’s complete source code available on GitHub.

John the Ripper - A free tool developed as part of the Openwall Project to help simulate password cracking and check for vulnerabilities. It is one of the best cybersecurity tools for password auditing in business environments.

Kali Linux was developed by Offensive Security, a U.S.-based cybersecurity company. It helps in penetration testing, ethical hacking, and network security assessments in Linux.

Nmap is a free network scanner first launched in 1997. It is now available in multiple languages like C, C++, Python, and Lua and has a simple graphical user interface (GUI) on top of the source code.

OpenIAM, launched in 2008, is an open-source identity and access management solution. It is widely used across enterprises and is available in both community and commercial editions.

OSSEC - an open-source tool for host-based intrusion detection. It was first launched in 2008 and is now owned by the cybersecurity company Trend Micro.

Tripwire - It offers an open-source tool for security monitoring and data integrity, which alerts security professionals to any critical file changes.

Wireshark is a free and open-source network packet analyzer first launched in 1998. It has a frontend GUI to help IT professionals efficiently manage network security.





Step-by-step guide for Example



sample code block

 



Recommended Next Steps