Day 16/100 of #cybertechdave100daysofcyberchallenge - Cybersecurity Basics and Compliance
Image from Gerd Altmann on Pixabay


Now, before diving into the technical part of Host & Network Penetration Testing, there was a short tour of compliance basics.

So today we zoom out a bit from pentesting and look at this area as a whole in an organization.

Let's start with some cybersecurity basics:

What are we trying to protect in the first place?

In most cases, it's about protecting information such as:

  • Personal data from customer data to employee information
  • Financial data
  • Intellectual property
  • Business secrets (e.g. R&D data)
  • Business strategies

From whom do we want to protect this information?

  • Criminals of course
  • But also competitors
  • Insider Threats
  • Malicious Actors

That's where the CIA Triad, which was presented yesterday, comes in. The art is to balance the triad against the business needs, as the two influence each other. One example is the concept of Defense in Depth. For instance, the following article describes how the local Windows firewall can be configured on the client in addition to a network firewall:

Windows-Firewall-Konfigurieren

The point is to implement several layers of security, one after the other, so to speak.
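As an added example (not code from the article or from the linked post), here is what the host layer of that Defense in Depth setup can look like in PowerShell: the built-in Windows firewall blocks inbound traffic by default on every profile, logs what it drops, and only opens RDP from a management subnet. The subnet 10.0.10.0/24 is a constructed placeholder.

```powershell
# Added example, not from the original article: the host-based Windows
# Firewall as an extra layer behind the network firewall.
# Run in an elevated PowerShell session on the client.
# The management subnet below is a constructed placeholder.
$MgmtSubnet = '10.0.10.0/24'

# 1. Enable the firewall on all profiles, block inbound by default and
#    log dropped packets so the SOC can see what the host layer catches.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 2. Explicit allow rules only for what the host really has to expose.
#    Remote administration (RDP) only from the management subnet and only
#    on the Domain profile; everything else stays under the default block.
New-NetFirewallRule -DisplayName 'Allow RDP from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Profile Domain -Action Allow

# 3. Verify the effective state: DefaultInboundAction must read "Block"
#    on every profile, otherwise the extra layer is not doing its job.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked

# Confirm the allow rule is really scoped to the management subnet.
Get-NetFirewallRule -DisplayName 'Allow RDP from management subnet' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Even if the network firewall already filters port 3389, this keeps a compromised neighbour on the same segment from reaching the host directly.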

If we then zoom out, we inevitably (and rightly so) encounter the subject of compliance and regulations. Governments, as well as industry groups, have developed standards, policies and specifications that organizations must comply with. These are, for example, administrative, physical or technical safeguards. If organizations do not comply with the regulations, penalties can be imposed and, under certain circumstances, the company can lose its ability to continue its business. In the foreground, this is about strengthening private rights and protecting customers; on the other hand, it provides a way to increase controls and, for example, to reduce fraud.

Some regulations mentioned in the Auditing Fundamentals course are the following. However, this list is far from comprehensive:

Payment Card Industry Data Security Standard (PCI DSS):

  • A regulation created by the major payment card providers to handle their sensitive data
  • Administered by the PCI Security Standards Council (PCI SSC)

Health Insurance Portability and Accountability Act (HIPAA):

  • US regulations for handling protected patient data

General Data Protection Regulation (GDPR):

  • A data protection and privacy law in the EU and EEA (European Economic Area)
  • Controls and processes for the handling of personal data must be implemented with technical and organizational measures to protect this data

Sarbanes-Oxley Act (SOX):

  • This is about the handling of financial data and its archiving, auditability and reporting
  • There are strong requirements for internal control processes in the IT infrastructure and applications

How can we implement such regulations?

Firstly, depending on the business sector, any organization can adopt the regulations of other governments or countries, regardless of whether it is required to do so or not. It helps the organization immensely to improve its structure and processes.

Several frameworks have been developed at this point to help implement the regulations under which the organizations fall. Below is a small list of frameworks. Again, it should be mentioned that this list is not comprehensive and I am only giving an overview. There are whole departments within various organizations with teams that are continuously working on these topics.

ISO 27000 (International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)):

  • Offers a wide scope of applicable areas and addresses more than just privacy, confidentiality and IT, technology or cybersecurity issues
  • Applicable to organizations of various sizes
  • For IT/cybersecurity, ISO 27001 is one of the most important standards, as it deals with information technology, security techniques, and information security management systems and their requirements

COBIT (Control Objectives for Information and Related Technologies):

  • Created by ISACA for IT management and IT governance
  • Focuses on defining a set of generic processes for IT management

NIST (National Institute of Standards and Technology)

  • A catalog of security and privacy processes for US government information systems
  • US government agencies are committed to being NIST compliant

CIS (Center for Internet Security) and CIS Benchmarks

  • Set of 18 prioritized protection measures to prevent or reduce the chance of the most common cyber attacks
  • Provides a Defense-in-Depth model

CMMC (Cybersecurity Maturity Model Certification)

  • A training, certification, and third-party assessment program for cybersecurity in the U.S. government defense industrial base
  • Requires a third-party assessor to determine the maturity level

As mentioned, this field is a science in itself and offers enough material to keep you busy for a very long time. :)

How does this fit into penetration testing?

With the results and the report of the pentest, our goal is to deliver value to the organization or the customer. This means that our recommendations must be useful in the sense that they can be used to develop solutions that fit into the customer's risk management, the framework in use and the maturity level.

For example, we can tier our recommendations into:

  • Must, should, could, recommendations and info
  • Determine severity levels
  • Apply targeted communication tailored to the audience

I hope today's article could give a little insight into this topic.

And with that: That's it for today. :)
