CompTIA Security+ 501 Summary Part 11
This is a summary of my notes on Chapter 11 of the CompTIA Security+ Get Certified Get Ahead by Darril Gibson, 5th Edition
Things to keep in mind:
- CompTIA is releasing an updated version of the Security+ Exam in November 2020 so this edition will soon be outdated. 90% of the book will remain the same in accordance with the updated exam. New threats and cloud-computing technology will probably make up the majority of that new 10% of content.
- Synthesizing paragraphs with a huge list of facts sometimes results in dreadful sentences. It also results in some streams of thought that end abruptly. Some notes cannot be digested any further and remain identical in this summary. In any case, these are just notes and not an essay.
- Some things are repeated, but this is simply to reinforce them.
- PII is Personally Identifiable Information
1. Standard Policies
Standard operating procedures, SOPs, are written security policies or administrative controls that identify a security plan. Personnel create plans and procedures to implement security controls and enforce the security policies. An acceptable use policy, AUP, defines proper system usage or the rules of behavior for employees when using information technology systems.
Mandatory vacation policies help detect when employees are involved in malicious activity, such as fraud or embezzlement. Separation of duties prevents any single person or entity from controlling all the functions of a critical or sensitive process by dividing the tasks between employees. This helps prevent fraud, such as the fraud that becomes possible when a single person both prints and signs checks. Data leakage occurs when users install P2P software and unintentionally share files. Organizations often block P2P software at the firewall.
Job rotation policies require employees to change roles on a regular basis. Employees might change roles temporarily, such as for three to four weeks, or permanently. This helps ensure that employees cannot continue with fraudulent activity indefinitely. A clean desk policy requires users to organize their areas to reduce the risk of possible data theft. It reminds users to secure sensitive data and may include a statement about not writing down passwords. A background check checks into a potential employee’s history with the intention of discovering anything about the person that might make them a less-than-ideal fit for a job.
A non-disclosure agreement, NDA, is used between two entities to ensure that proprietary data is not disclosed to unauthorized entities. Onboarding is the process of granting individuals access to an organization’s computing resources after being hired. Offboarding is the process of removing their access.
A memorandum of understanding or memorandum of agreement, MOU/MOA, defines responsibilities of each party, but it is not as strict as a service level agreement, SLA, or interconnection security agreement, ISA. If the parties will be handling sensitive data, they should include an ISA to ensure strict guidelines are in place to protect the data while in transit. An MOU/MOA often supports an ISA.
Public data is available to anyone. Confidential data is information kept secret among a certain group of people. Proprietary data is data related to ownership, such as patents or trade secrets. Private data is information about individuals that should remain private. Data classifications and data labeling help ensure personnel apply the proper security controls to protect information.
A data retention policy identifies how long data is retained, and sometimes specifies where it is stored. Personally Identifiable Information includes information such as a full name, birth date, biometric data, and identifying numbers such as an SSN. PHI, Personal Health Information, is PII that includes medical or health information. Organizations have an obligation to protect PII and PHI and often identify procedures for handling and retaining PII in data policies.
Laws and regulations that drive data protection requirements:
- Health Insurance Portability and Accountability Act of 1996, HIPAA. HIPAA mandates that organizations protect PHI.
- Gramm-Leach-Bliley Act, GLBA. This is also known as the Financial Services Modernization Act and includes a Financial Privacy Rule.
- Sarbanes-Oxley Act, SOX. SOX was passed after several accounting scandals by major corporations, such as Enron and WorldCom. Companies were engaging in accounting fraud to make their financial condition look better than it was and prop up their stock price.
- General Data Protection Regulation, GDPR. GDPR is a European Union directive that mandates the protection of privacy data for individuals within the EU.
Key data roles within an organization are responsible for protecting data. The owner has overall responsibility for the protection of the data. A steward or custodian handles routine tasks to protect data. A privacy officer is an executive responsible for ensuring the organization complies with relevant laws. An incident response policy defines a security incident and incident response procedures. Incident response procedures start with preparation, which helps prevent incidents such as malware infections. Personnel review the policy periodically and in response to lessons learned after incidents.
2. Response Plans
An incident response plan, IRP, provides more detail than the incident response policy. The first step in the incident response process is preparation. After identifying an incident, personnel attempt to contain or isolate the problem. This is often as simple as disconnecting a computer from a network. Eradication attempts to remove all malicious components from an attack, and recovery returns a system to normal operation. Reviewing lessons learned allows personnel to analyze the incident and the response with a goal of preventing a future occurrence.
When collecting data for a forensic analysis, you should collect it from the most volatile to the least volatile. The order of volatility is cache memory, regular RAM, swap or paging file, hard drive data, logs stored on remote systems, and archived media. A forensic image is a bit-by-bit copy of the data and does not modify the data during the capture. Experts capture an image of the data before analysis to preserve the original and maintain its usability as evidence. Hashing provides integrity for captured images, including images of both memory and disk drives. You can take a hash of a drive before and after capturing an image and compare the two to verify that the imaging process did not modify the drive contents.
A chain of custody provides assurances that evidence has been controlled and handled properly after collection. It documents who handled the evidence and when they handled it. A legal hold is a court order to preserve data as evidence. Role-based training ensures that employees receive appropriate training based on their roles in the organization. Common roles that require role-based training are data owners, system administrators, system owners, end users, privileged users, and executive users.
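As an added example (not from the book or these notes), the imaging check and chain-of-custody record described above, carried out in Python on a constructed in-memory "drive": hash the source before and after a bit-by-bit copy, hash the image, require all three digests to agree, and log the step with who did it and when. A constructed faulty imager that drops the last chunk shows the comparison catching a bad image. The function names, the examiner label and the sample bytes are assumptions made for the example.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for a block device: 16 KiB of sample bytes, not a real drive.
SAMPLE_DRIVE = bytes(range(256)) * 64
CHUNK = 4096

def sha256_of(stream, chunk_size=CHUNK):
    """Hash a drive or image in chunks so large media never has to fit in memory."""
    h = hashlib.sha256()
    stream.seek(0)
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()

def bit_copy(source, destination, chunk_size=CHUNK):
    """Bit-by-bit copy: every byte of the source is written unchanged to the image."""
    source.seek(0)
    destination.seek(0)
    for block in iter(lambda: source.read(chunk_size), b""):
        destination.write(block)
    return destination.tell()  # bytes written

def faulty_copy(source, destination, chunk_size=CHUNK):
    """Constructed failure mode: an imager that silently drops the final chunk."""
    return destination.truncate(bit_copy(source, destination, chunk_size) - chunk_size)

def acquire_image(source, destination, examiner, custody_log, copier=bit_copy):
    """Hash source before and after imaging, hash the image, record a custody entry."""
    before = sha256_of(source)
    size = copier(source, destination)
    after = sha256_of(source)
    image_hash = sha256_of(destination)
    # Source unchanged by the capture AND image identical to the source.
    verified = before == after == image_hash
    custody_log.append({"timestamp": datetime.now(timezone.utc).isoformat(),
                        "examiner": examiner, "action": "acquire forensic image",
                        "bytes": size, "source_hash_before": before,
                        "source_hash_after": after, "image_hash": image_hash,
                        "verified": verified})
    return verified

def demo(copier=bit_copy):
    """Image the constructed drive; return (verified, custody log)."""
    log = []
    ok = acquire_image(io.BytesIO(SAMPLE_DRIVE), io.BytesIO(), "examiner-1", log, copier)
    return ok, log
```

Running `demo()` returns True with a one-entry log whose three digests match, while `demo(faulty_copy)` returns False because the image hash no longer matches the unchanged source.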