Infosec Strategies and Best Practices - Joseph MacMillan - E-Book

Description

Information security and risk management best practices enable professionals to plan, implement, measure, and test their organization's systems and ensure that they're adequately protected against threats.
The book starts by helping you to understand the core principles of information security, why risk management is important, and how you can drive information security governance. You'll then explore methods for implementing security controls to achieve the organization's information security goals. As you make progress, you'll get to grips with design principles that can be utilized along with methods to assess and mitigate architectural vulnerabilities. The book will also help you to discover best practices for designing secure network architectures and controlling and managing third-party identity services. Finally, you will learn about designing and managing security testing processes, along with ways in which you can improve software security.
By the end of this infosec book, you'll have learned how to make your organization less vulnerable to threats and reduce the likelihood and impact of exploitation. As a result, you will be able to make an impactful change in your organization toward a higher level of information security.

The e-book can be read in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 402

Year of publication: 2021




Infosec Strategies and Best Practices

Gain proficiency in information security using expert-level strategies and best practices

Joseph MacMillan

BIRMINGHAM—MUMBAI

Infosec Strategies and Best Practices

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson D'souza

Publishing Product Manager: Sankalp Khatri

Senior Editor: Shazeen Iqbal

Content Development Editor: Romy Dias

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Rekha Nair

Production Designer: Shankar Kalbhor

First published: April 2021

Production reference: 1240521

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80056-635-4

www.packt.com

To Helen, my best friend and the love of my life. Her support made all of the difference while I was trying to write this thing.

Contributors

About the author

Joseph MacMillan is a technological utopian and cybersecurity junkie, currently living in Amsterdam.

Employed by Microsoft as a Global Black Belt for Cybersecurity, Joseph uses his experience in senior information security roles to transform businesses into secure organizations rooted in risk management principles to drive decision making.

Much of Joseph's work has been focused on enabling businesses to achieve their goals by removing the ambiguity surrounding risk, which enables the CEO and C-Suite to plan and achieve their goals in a secure manner with confidence.

Joseph holds various certifications, including the CISSP, CCSP, CISA, CSSLP, AlienVault Certified Engineer, and ISO 27001 Certified ISMS Lead Auditor.

I would like to take this opportunity to thank my wife and best friend, Helen, for her support and care along the way. Furthermore, I would like to thank all of the members of the Packt team who have supported me in the creation of this book, from beginning to end.

About the reviewer

Kyle Reidell has world-class experience leading, developing, and architecting cybersecurity and engineering solutions for numerous government agencies, as well as Fortune 500 companies, and cutting-edge technology start-ups. His background is truly multi-disciplinary: from developing and defending global operations centers to securing communications for the highest levels of government and designing cloud-native architectures while continuing to serve as a Cyber Officer in the Air National Guard.

Kyle is a Marine Corps veteran who is actively engaged as a mentor for aspiring youth and cybersecurity professionals. He holds multiple degrees and industry certifications, including a master's degree in information security.

I would like to thank my family, especially my wife and son, for the continuous support they have provided throughout my career and endeavors; I could not have done any of this without them!

Table of Contents

Preface

Section 1: Information Security Risk Management and Governance

Chapter 1: InfoSec and Risk Management

Basic InfoSec terminology

Understanding why risk management is important

Understanding assets

Understanding vulnerabilities

Performing a basic risk assessment

Defining and calculating impact

Defining and calculating likelihood

Calculating risk

Risk appetite, risk treatment, and risk acceptance

Considering legal regulations, investigations, and compliance structures

Compliance structures

Understanding legal and regulatory requirements

Responding to and undertaking investigations

Further compliance optimization

Proven methodologies in creating a strategy

Creating InfoSec policies, procedures, and playbooks

Establishing and maintaining a security awareness, education, and training program

Managing third-party risk

Continual improvement and reporting

Summary

Chapter 2: Protecting the Security of Assets

Implementing an ISMS

Responsibilities of top management

Developing an ISMS

Educating members of your organization

Evaluating the effectiveness of the ISMS

Improving the policy

Identifying and classifying information assets

Structuring information asset classifications

Determining the roles for assets

Methods of identifying and protecting information assets

Retention policies

Securing information assets

Disposing of assets

Data remnants

Summary

Section 2: Closing the Gap: How to Protect the Organization

Chapter 3: Designing Secure Information Systems

Understanding the risks your organization faces

Threats, threat actors, and motivations

Vulnerabilities

System exploitation methods

Best practices in assessing and mitigating vulnerabilities

Hardware security

Software security

Network security

Physical security

Selecting appropriate controls/defense against the dark arts

Best practices in designing secure information systems

Secure design principles

Well-known controls and their mitigations

Considering alternative devices

Summary

Chapter 4: Designing and Protecting Network Security

Designing secure network architectures

Internet Protocol suite and the OSI model

Network components and protocols

Network devices and applications

Attacks, defense, and detection

Strategies for protecting network security

Creating a policy

Keep it simple

Business continuity and disaster recovery

Backup and restore procedures

Insider threat mitigations/third-party threats

Software and firmware updates

Ensuring secure communication

Cloud network security

Education and awareness

Security Operations Center

Chapter 5: Controlling Access and Managing Identity

Access control models and concepts

State machine model

Information flow model

Confidentiality models

Integrity models

Real-world access control models

Selecting and implementing authentication and authorization mechanisms

Authentication versus authorization

Authentication and security

Authorization

Identity and access management (IAM)

Leveraging identity services

Controlling physical access to assets

Physical access control

Electronic access control

Preventing exploitation

Summary

Section 3: Operationalizing Information Security

Chapter 6: Designing and Managing Security Testing Processes

Preparing for security assessments

Defining your requirements

Understanding the different types of security assessments

Automated assessments and scanning

Internal assessments

Third-party assessments

Best practices in performing security assessments

Interpreting results from security assessments

Summary

Chapter 7: Owning Security Operations

Effective strategies in provisioning resources and maintaining assets

Provisioning resources

Focusing on availability, disaster recovery, and business continuity

Defining, implementing, and testing disaster recovery processes

Managing business continuity design, planning, and testing

Implementing and managing physical security

Managing upgrades, patching, and applying security controls

Education

Change control

Security improvement program

Investigating events and responding to incidents

Defining your incident response plans

Performing security investigations

Implementing and utilizing detective controls

Using security monitoring to improve visibility

Security monitoring best practices

Establish requirements and define workflows

Define specific rules and ensure their effectiveness

Continuously improve your SIEM configuration and incident response policies

Summary

Chapter 8: Improving the Security of Software

Exploring software security paradigms

Buyer beware

Legal documentation

Understanding the secure development life cycle

Compatibility with various software development methodologies

Defining business and security requirements

Designing secure software

Testing plans for secure software

Securing software development

Testing the software

Utilizing the OWASP Top 10 Proactive Controls

Define security requirements

Leverage security frameworks and libraries

Secure database access

Encode and escape data

Validate all inputs

Implement digital identity

Enforce access controls

Protect data everywhere

Implement security logging and monitoring

Handle all errors and exceptions

Assessing software security

Reducing the risk from software developed by a third-party vendor

Improving the security of in-house software

Summary

Why subscribe?

Other Books You May Enjoy

Preface

In this book, we will cover various topics within the information security (InfoSec) domain, and help you to translate your organization's strategic requirements into actionable improvements in securing their most valuable assets.

You can expect to learn about a wide range of InfoSec paradigms, including the foundations of risk management, implementing processes and controls, designing information systems securely, and managing the day-to-day activities required to ensure security is maintained at your organization.

Upon completion, you should be well on your way toward converting the theory of your InfoSec certifications into actionable and practical changes you can make to ensure your organization is more secure. Beyond that, delving deeper into any and all of the topics covered in this book will help you to progress in your career as an InfoSec professional.

Who this book is for

This book is for those who are looking to begin (or have recently begun) working in an InfoSec role. Perhaps you've been taking courses and studying for an industry-standard certification such as the CISSP or CISM, but you're looking for a way to convert the concepts (and seemingly endless number of acronyms) from theory into practice and start making a difference in your day-to-day work at your organization.

What this book covers

Chapter 1, InfoSec and Risk Management, establishes the core principles of InfoSec and ensures the topics central to the discipline are well-understood.

Chapter 2, Protecting the Security of Assets, implements effective processes to ensure you can identify the assets of an organization and avoid common pitfalls that InfoSec professionals encounter.

Chapter 3, Designing Secure Information Systems, explores how to assess architectures and systems for vulnerabilities and mitigate those vulnerabilities with controls, including cryptography.

Chapter 4, Designing and Protecting Network Security, covers designing secure network systems, selecting the appropriate network components, and ensuring their effectiveness for your organization's requirements.

Chapter 5, Controlling Access and Managing Identity, examines both physical and digital access to your organization, and the various aspects of selecting and implementing the appropriate identity and access management controls.

Chapter 6, Designing and Managing Security Testing Processes, covers adopting a mindset of continuous improvement by testing existing implementations and utilizing any findings to optimize your InfoSec program.

Chapter 7, Owning Security Operations, covers aligning the day-to-day tasks involved with maintaining InfoSec to an organization's strategies.

Chapter 8, Improving the Security of Software, covers enforcing secure practices in procuring and developing software.

To get the most out of this book

Bring your inquisitive nature and interest in securing information systems. This book covers an extremely wide set of subjects, offering the opportunity to investigate further on your own. If a topic interests you, make sure you delve deeper into the content available online.

After completing this book, challenge the conclusions made, don't accept anything as a hard-and-fast rule, and cater all the solutions to suit you and your organization.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781800566354_ColorImages.pdf.

Conventions used

The following is how tip and information notes will be shown throughout this book:

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Section 1: Information Security Risk Management and Governance

In this section, we'll establish the core principles of information security, and ensure the topics central to the discipline are well understood.

This section contains the following chapters:

Chapter 1, InfoSec and Risk Management

Chapter 2, Protecting the Security of Assets