Lecture 16 covers the technological controls specified in ISO/IEC 27002 (clause 8 of the 2022 edition). These controls are the technical measures through which an organization implements its cybersecurity programme. The set contains 34 controls and encompasses much of what people typically have in mind when they think of cybersecurity measures. This article provides a breakdown of the key points discussed, emphasizing the purpose of the main technological controls and how they are implemented in practice.
Key Concepts
Technological Controls
Definition: Measures that use technology (hardware, software, and their configuration) to safeguard information assets.
Importance: They address various cybersecurity threats and vulnerabilities, protecting the confidentiality, integrity, and availability of information.
ISO/IEC 27002 Technological Controls
Categories: The controls cover areas such as access management, malware protection, vulnerability management, network security, and secure software development.
Detailed Breakdown
Privileged Access Rights
Control Description: The allocation and use of privileged access rights should be restricted and managed.
Guidance:
- Authorization Process: Implement an authorization process for granting privileged access.
- User Awareness: Ensure users are aware of their privileged access rights and responsibilities.
- Stringent Authentication: Require stronger authentication for privileged access than for ordinary use, for example multi-factor authentication and separate administrative accounts.
- Regular Review: Regularly review and update the list of users with privileged access.
Protection Against Malware
Control Description: Protection against malware should be implemented and supported by appropriate user awareness.
Guidance:
- Combination of Measures: Use malware detection and repair software, information security awareness, and access controls.
- Detection of Unauthorized Software: Implement rules to prevent or detect unauthorized software.
- Malicious Websites: Prevent or detect the use of malicious websites.
- Technical Vulnerability Management: Reduce vulnerabilities that malware can exploit.
Management of Technical Vulnerabilities
Control Description: Information about technical vulnerabilities should be obtained, exposure evaluated, and appropriate measures taken.
Guidance:
- Inventory of Systems: Maintain a detailed inventory of systems, including third-party software.
- Supplier Notifications: Require suppliers to notify the organization of vulnerabilities discovered in the products and services they provide.
- Penetration Testing: Conduct routine vulnerability scanning and penetration testing to detect vulnerabilities before an attacker does.
- Update Procedures: Test updates before deployment and apply them promptly, prioritized by the exposure each vulnerability creates.
Web Filtering
Control Description: Access to external websites should be managed to reduce exposure to malicious content.
Guidance:
- Blocking Techniques: Block IP addresses or domains of malicious websites.
- Automatic Configurations: Configure browsers and anti-malware technologies to block harmful sites.
- Types of Websites: Identify and block access to websites containing illegal information or malicious content.
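The blocking techniques listed above are easy to get wrong on the edges: a block on phish.example should also catch cdn.phish.example, a literal IP in the URL should be matched against a network range rather than a domain list, and an unparseable URL should fail closed. The following is an added example written for this article, not code from the lecture or from ISO/IEC 27002; the block list and the URLs checked are constructed for illustration.

```python
"""Added example: a minimal URL filter implementing the blocking techniques
above (domain and subdomain blocking, IP/CIDR blocking, default deny).
Not from the lecture or ISO/IEC 27002; the block list is constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed block list (assumption): a domain entry blocks the domain itself
# and every subdomain; a network entry blocks any IP-literal host inside it.
BLOCKED_DOMAINS = {"malware-example.test", "phish.example"}
BLOCKED_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]


def _domain_blocked(host: str) -> bool:
    """True if host equals a blocked domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    # Check every suffix: cdn.phish.example -> phish.example -> example
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def _ip_blocked(host: str) -> bool:
    """True if host is an IP literal that falls inside a blocked network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal, so only the domain rules apply
    return any(addr in net for net in BLOCKED_NETWORKS)


def classify_url(url: str) -> str:
    """Return 'allow' or 'block'. Anything that cannot be parsed is blocked."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = parts.hostname  # lowercased, port removed, IPv6 brackets stripped
    except ValueError:
        return "block"
    if not host:
        return "block"
    if _ip_blocked(host) or _domain_blocked(host):
        return "block"
    return "allow"


if __name__ == "__main__":
    for u in ("https://cdn.phish.example:8443/login", "http://198.51.100.42/x",
              "https://notphish.example/", "https://www.example.org/"):
        print(f"{classify_url(u):5}  {u}")
```

Note that the suffix match deliberately does not block notphish.example (a different registered domain) and does not block a lookalike such as phish.example.evil.test, which is a subdomain of evil.test rather than of phish.example; those belong on the list in their own right if they are malicious.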
Secure System Architecture and Engineering Principles
Control Description: Principles for engineering secure systems should be established, documented, maintained, and applied to information system development activities.
Guidance:
- Security Architecture Principles: Use principles such as security by design, defense in depth, default deny, and least privilege.
- Design Reviews: Conduct security-oriented design reviews to identify vulnerabilities.
Least Privilege Principle
Definition: Systems and system components should have access only to the information and resources necessary for their tasks, and nothing more.
Example: A user should not have access to administrative functions unless required for their role.
Least Functionality Principle
Definition: Systems should provide only the necessary functionality to perform tasks.
Example: Disable non-essential services on servers to reduce the attack surface.
Practical Applications
Implementing Privileged Access Rights
Scenario: A company needs to manage privileged access to its critical systems.
Actions:
- Authorization Process: Establish a formal process for granting and revoking privileged access.
- User Training: Educate users about their responsibilities when granted privileged access.
- Regular Audits: Conduct regular audits to ensure that only authorized users have privileged access.
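The regular review called for under Privileged Access Rights above, and the regular audit in this scenario, come down to one reconciliation: every privilege actually held on the systems must trace to an approved, unexpired authorization, and approved grants that were never provisioned or never used should be questioned too. The following is an added example written for this article, not code from the lecture or from ISO/IEC 27002; the group memberships, the authorization register, and the review date are constructed sample data.

```python
"""Added example: reconciling observed privileged access against the
authorization register. Not from the lecture or ISO/IEC 27002; all data
below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorization:
    user: str
    privilege: str   # name of the privileged group or role
    approver: str
    expires: date    # every grant is time-limited and must be renewed


# Constructed: effective memberships exported from the systems themselves
# (the equivalent of `getent group sudo` or a directory group export).
OBSERVED = {
    "sudo": {"alice", "bob", "svc-backup", "mallory"},
    "domain-admins": {"alice", "carol"},
}

# Constructed: the register kept by the formal grant/revoke process.
REGISTER = [
    Authorization("alice", "sudo", "cto", date(2025, 12, 31)),
    Authorization("alice", "domain-admins", "cto", date(2025, 12, 31)),
    Authorization("bob", "sudo", "it-lead", date(2024, 6, 30)),        # lapsed
    Authorization("svc-backup", "sudo", "it-lead", date(2026, 1, 31)),
    Authorization("dave", "domain-admins", "cto", date(2025, 12, 31)), # never provisioned
]


def review(observed: dict, register: list, today: date) -> dict:
    """Return findings a reviewer must act on.

    unauthorized: privilege held with no authorization on record -> revoke now
    expired:      authorization exists but has lapsed -> revoke or renew
    unused_grant: authorization exists but nobody holds the privilege -> close it
    """
    findings = {"unauthorized": [], "expired": [], "unused_grant": []}
    approved = {(a.user, a.privilege): a for a in register}
    for priv, members in observed.items():
        for user in sorted(members):
            auth = approved.get((user, priv))
            if auth is None:
                findings["unauthorized"].append((user, priv))
            elif auth.expires < today:
                findings["expired"].append((user, priv, auth.expires.isoformat()))
    for (user, priv), auth in approved.items():
        if user not in observed.get(priv, set()):
            findings["unused_grant"].append((user, priv))
    return findings


if __name__ == "__main__":
    for category, items in review(OBSERVED, REGISTER, date(2025, 3, 1)).items():
        print(category)
        for item in items:
            print("  ", item)
```

The same reconciliation works for any source of truth (a ticketing system, an identity governance tool) as long as the register records who approved each grant and when it expires; an entry without an expiry date cannot be reviewed meaningfully.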
Managing Technical Vulnerabilities
Scenario: An organization wants to ensure its systems are secure against newly discovered vulnerabilities.
Actions:
- System Inventory: Maintain an updated inventory of all systems and software.
- Vulnerability Alerts: Subscribe to alerts from software vendors and security organizations.
- Penetration Testing: Schedule regular penetration tests to identify and address vulnerabilities.
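The management of technical vulnerabilities control above asks for three things in sequence: an inventory that records product and version per system, advisories obtained from suppliers and alert feeds, and an evaluation of exposure that decides what gets patched first. The following is an added example written for this article, not code from the lecture or from ISO/IEC 27002; the product names, advisory identifiers, inventory, and priority scoring are all constructed for illustration. It also handles one failure mode that bites real inventories: version strings must be compared numerically, otherwise "14.10" sorts before "14.3" and a patched host is reported as vulnerable.

```python
"""Added example: matching a software inventory against advisories and
ranking the exposed assets. Not from the lecture or ISO/IEC 27002; the
products, advisories, inventory and scoring are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    affected_below: str       # first fixed version; lower versions are affected
    affected_from: str = "0"  # inclusive lower bound of the affected range
    severity: str = "medium"


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(v: str) -> tuple:
    """'14.10' -> (14, 10) so comparison is numeric; trailing zeros are
    dropped so that '1.2' and '1.2.0' compare equal."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(asset: Asset, adv: Advisory) -> bool:
    if asset.product != adv.product:
        return False
    v = parse_version(asset.version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.affected_below)


def evaluate_exposure(inventory: list, advisories: list) -> list:
    """Return one finding per (asset, advisory) match, highest priority first.
    Scoring is a constructed assumption: severity rank, doubled if the
    asset is reachable from the internet."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if is_affected(asset, adv):
                score = SEVERITY_RANK[adv.severity] * (2 if asset.internet_facing else 1)
                findings.append({
                    "host": asset.host, "product": asset.product,
                    "version": asset.version, "advisory": adv.advisory_id,
                    "upgrade_to": adv.affected_below, "priority": score,
                })
    findings.sort(key=lambda f: (-f["priority"], f["host"]))
    return findings


# Constructed inventory and advisories (fictional products and identifiers).
INVENTORY = [
    Asset("web-01", "acme-httpd", "1.24.0", True),
    Asset("web-02", "acme-httpd", "1.25.1", True),    # already fixed
    Asset("db-01", "acme-db", "14.2.1", False),
    Asset("db-02", "acme-db", "14.10", False),        # fixed; lexical compare would flag it
    Asset("app-01", "acme-agent", "1.8.5", True),     # below the affected range
    Asset("app-02", "acme-agent", "1.9.2", False),
    Asset("legacy-01", "acme-httpd", "1.19.9", False),
]
ADVISORIES = [
    Advisory("ADV-2025-0001", "acme-httpd", "1.25.0", "1.20.0", "critical"),
    Advisory("ADV-2025-0002", "acme-db", "14.3", severity="high"),
    Advisory("ADV-2025-0003", "acme-agent", "2.0.0", "1.9.0", "low"),
]


def due_findings() -> list:
    return evaluate_exposure(INVENTORY, ADVISORIES)


if __name__ == "__main__":
    for f in due_findings():
        print(f"{f['priority']:2}  {f['host']:10} {f['product']} {f['version']}"
              f" -> {f['upgrade_to']} ({f['advisory']})")
```

Real advisories express affected ranges in several notations (CPE match strings, vendor-specific branch numbering); the range check here is the simplest form and would need a parser per feed, but the inventory-first structure is the part the control actually requires.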
Applying Secure System Architecture Principles
Scenario: A software development team is tasked with designing a new application.
Actions:
- Security by Design: Integrate security considerations into every stage of the development lifecycle.
- Defense in Depth: Implement multiple layers of security controls to protect against various threats.
- Design Reviews: Conduct regular security design reviews to identify and mitigate potential vulnerabilities.
Relevant Standards and Publications
ISO/IEC 27002
Standard: ISO/IEC 27002 provides guidelines for implementing security controls to protect information assets.
Clauses to Review:
- Technological Controls: Clause 8, in particular 8.2 (privileged access rights), 8.7 (protection against malware), 8.8 (management of technical vulnerabilities), 8.23 (web filtering), and 8.27 (secure system architecture and engineering principles).
NIST Special Publication 800-53
Document: National Institute of Standards and Technology. Security and Privacy Controls for Information Systems and Organizations, NIST Special Publication 800-53 (Rev 5), 2020.
Chapter to Review: Chapter 2 (pp. 7–15) for an overview of security controls, including those for protecting information processing resources.
Book References for Further Reading
- “Information Security Management Principles” by Andy Taylor, David Alexander, Amanda Finch, and David Sutton
- Provides a comprehensive overview of information security management, including technological controls.
- “Network Security Essentials: Applications and Standards” by William Stallings
- Covers key concepts in network security, including the implementation and management of technological controls.
- “Security Risk Management: Building an Information Security Risk Management Program from the Ground Up” by Evan Wheeler
- Discusses practical approaches to managing security risks, integrating broader principles that complement the implementation of technological controls.
Summary
Lecture 16 emphasizes the importance of implementing technological controls to ensure cybersecurity within an organization. These controls include managing privileged access, protecting against malware, managing technical vulnerabilities, web filtering, and applying secure system architecture principles. The ISO/IEC 27002 standard provides detailed guidance on these controls, which are essential for addressing various cybersecurity threats and vulnerabilities. The recommended books and standards offer further insights and practical guidance on implementing these controls within an organizational context.