Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
This step is closely tied to the next step, gap analysis, so you may wish to address both together. You have already identified your critical and non-critical assets, and performing a gap analysis on them is a useful start in finding and analyzing the logical entry points of a system. But what are some of the most common entry points that attackers use?<ref name="KumarDiscover16">{{cite web |url=https://resources.infosecinstitute.com/discovering-entry-points/ |title=Discovering Entry Points |author=Kumar, A.J. |publisher=InfoSec Institute |date=06 September 2016 |accessdate=23 July 2020}}</ref><ref name="AhmedIndustrial19">{{cite web |url=https://www.controleng.com/articles/industrial-control-system-ics-cybersecurity-advice-best-practices/ |title=Industrial control system (ICS) cybersecurity advice, best practices |author=Ahmed, O.; Rehman, A.; Habib, A. |work=Control Engineering |publisher=CFE Media LLC |date=12 May 2019 |accessdate=23 July 2020}}</ref><ref name="BonderudPodcast19">{{cite web |url=https://securityintelligence.com/media/podcast-lateral-movement-combating-high-risk-low-noise-threats/ |title=Podcast: Lateral Movement: Combating High-Risk, Low-Noise Threats |author=Bonderud, D. |work=SecurityIntelligence |publisher=IBM |date=11 June 2019 |accessdate=23 July 2020}}</ref><ref name="VerizonIncident19">{{cite web |url=https://enterprise.verizon.com/resources/reports/dbir/2019/incident-classification-patterns-subsets/ |title=Incident Classification Patterns and Subsets |work=2019 Data Breach Investigations Report |publisher=Verizon |date=2019 |accessdate=23 July 2020}}</ref>

* Inbound network-based attacks through software, network gateways, and online repositories
* Inbound network-based attacks through misconfigured firewalls and gateways
* Access to systems using stolen credentials (networked and physical)
* Lateral movement within the network from an initial foothold to peripheral systems, abusing communication protocols, insecure credentials, and similar weaknesses

From email and enterprise resource planning (ERP) applications and servers to networking devices and tools, a wide variety of attack vectors exist in the system, some more common than others. Analyzing these components and their configurations takes significant expertise; if that expertise is not available internally, a third-party security assessment may be needed to gain a clearer picture of the entry points into your system. Employees themselves, where they lack cybersecurity awareness, may also represent points of entry via phishing schemes.<ref name="DowningAHIMA17">{{cite web |url=https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |format=PDF |title=AHIMA Guidelines: The Cybersecurity Plan |author=Downing, K. |publisher=American Health Information Management Association |date=December 2017 |accessdate=23 July 2020}}</ref><ref name="VerizonIncident19" /> This is where training and internal random testing (addressed later) come into play.<ref name="DowningAHIMA17" />

Physical access to system components and data also represents a significant attack vector, more so in particular industries and network set-ups. For example, industrial control systems in manufacturing plants may require extra consideration; some control system vendors now offer an added layer of physical security in the form of physical locks that prevent code from being executed on the controller.<ref name="AhmedIndustrial19" /> Cloud-based data centers and field-based monitoring systems are other specialist situations requiring added physical controls.<ref name="DowningAHIMA17" /><ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=23 July 2020}}</ref><ref name="CopelandHowToDev18">{{cite web |url=https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/ |title=How to Develop A Cybersecurity Plan For Your Company (checklist included) |publisher=Copeland Technology Solutions |date=17 July 2018 |accessdate=23 July 2020}}</ref> That is not to say that small businesses need not worry about physical security: their workstations, laptops, USB drives, mobile devices, etc. can be compromised if offices and other work spaces are easy for the general public to access.<ref name="CopelandHowToDev18" /> In regulated environments, physical access controls and facility monitoring may even be mandated.


==References==
{{Reflist|colwidth=30em}}

Revision as of 16:01, 16 February 2022

A gap analysis differs from a risk analysis in that it is a high-level, narrowly focused comparison of the technical, physical, and administrative safeguards in place with how well they actually perform against a cyber attack. As such, the gap analysis can be thought of as an introduction to the potential vulnerabilities in a system, which in turn feeds an overall risk analysis.[1] The gap analysis asks what your cyber capabilities are, what the major threats are, and what the differences are between the two. Additionally, you may want to consider what the potential impact would be if a threat were realized.[2]

The gap analysis can also be viewed as a measure of the safeguards currently in place against what industry best-practice controls dictate. This may be done by choosing an industry-standard security framework (we're using the NIST SP 800-53, Rev. 4 framework for this guide) and evaluating key stakeholder policies, responsibilities, and processes against that framework.[3]
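As an added illustration, not part of the original page, the following Python sketch turns the comparison described above into data: a small subset of NIST SP 800-53 Rev. 4 controls, each mapped to the threats it helps counter, a snapshot of how far each control is in place today, and an impact rating for each threat if it were realized. The gap report lists every required control that is not fully implemented, scored by its deficit times the worst impact it leaves exposed, and a second check lists threats with no fully implemented control at all. The control IDs and names are real; the threat mapping, the status snapshot, and the impact ratings are constructed assumptions for the example, and a real catalogue is far larger.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """How far a safeguard is in place today; the value is the deficit (0 = none, 1 = full)."""
    IMPLEMENTED = 0.0
    PARTIAL = 0.5          # control exists but is incomplete
    NOT_IMPLEMENTED = 1.0


@dataclass(frozen=True)
class Control:
    """One safeguard from the chosen framework (NIST SP 800-53 Rev. 4 IDs)."""
    id: str
    name: str
    threats: tuple   # threat labels this control helps counter (constructed mapping)


@dataclass(frozen=True)
class Gap:
    control: Control
    status: Status
    score: float             # deficit x worst impact among the threats left exposed
    exposed_threats: tuple


# Constructed, illustrative subset of a baseline.
CATALOG = (
    Control("AC-2", "Account Management", ("stolen credentials", "lateral movement")),
    Control("IA-2", "Identification and Authentication (Organizational Users)", ("stolen credentials", "phishing")),
    Control("AU-6", "Audit Review, Analysis, and Reporting", ("lateral movement",)),
    Control("CM-6", "Configuration Settings", ("misconfigured gateway",)),
    Control("RA-5", "Vulnerability Scanning", ("inbound exploit", "misconfigured gateway")),
    Control("SI-4", "Information System Monitoring", ("inbound exploit", "lateral movement")),
    Control("PE-3", "Physical Access Control", ("physical access",)),
    Control("CP-9", "Information System Backup", ("inbound exploit",)),
)

# Threat -> impact if realized, 1 (negligible) to 5 (severe). Constructed ratings.
IMPACT = {
    "inbound exploit": 5,
    "misconfigured gateway": 4,
    "stolen credentials": 5,
    "lateral movement": 4,
    "phishing": 3,
    "physical access": 2,
}

# Constructed snapshot of what is actually in place today.
CURRENT_STATE = {
    "AC-2": Status.IMPLEMENTED,
    "IA-2": Status.PARTIAL,            # e.g. MFA enforced for admins only
    "AU-6": Status.NOT_IMPLEMENTED,
    "CM-6": Status.PARTIAL,
    "RA-5": Status.NOT_IMPLEMENTED,
    "SI-4": Status.NOT_IMPLEMENTED,
    "PE-3": Status.IMPLEMENTED,
    # CP-9 deliberately absent: a control nobody assessed counts as not implemented
}


def gap_analysis(catalog, state, impact):
    """Return the gaps (controls not fully in place), highest score first."""
    gaps = []
    for control in catalog:
        status = state.get(control.id, Status.NOT_IMPLEMENTED)
        if status is Status.IMPLEMENTED:
            continue
        exposed = tuple(t for t in control.threats if t in impact)
        worst = max((impact[t] for t in exposed), default=0)
        gaps.append(Gap(control, status, status.value * worst, exposed))
    # Ties broken by control ID so the report is deterministic.
    return sorted(gaps, key=lambda g: (-g.score, g.control.id))


def uncovered_threats(catalog, state, impact):
    """Threats for which no fully implemented control exists, worst impact first."""
    covered = set()
    for control in catalog:
        if state.get(control.id, Status.NOT_IMPLEMENTED) is Status.IMPLEMENTED:
            covered.update(control.threats)
    return sorted((t for t in impact if t not in covered), key=lambda t: -impact[t])


if __name__ == "__main__":
    for g in gap_analysis(CATALOG, CURRENT_STATE, IMPACT):
        print(f"{g.control.id:5} {g.status.name:16} score={g.score:.1f} "
              f"exposes: {', '.join(g.exposed_threats)}")
    print("threats with no implemented control:", uncovered_threats(CATALOG, CURRENT_STATE, IMPACT))
```

Treating an unassessed control as "not implemented" is the conservative choice: a gap analysis that silently skips controls nobody looked at understates the gap. The score is deliberately simple (deficit times worst exposed impact); it ranks what to close first, while the full likelihood-times-impact weighting belongs to the risk analysis that follows.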

References

  1. Norton, K. (21 June 2018). "Similar but Different: Gap Assessment vs Risk Analysis". HIPAA One. https://www.hipaaone.com/2018/06/21/gap-assessment-vs-risk-analysis/. Retrieved 23 July 2020. 
  2. Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 23 July 2020. 
  3. Sell, C. (28 January 2015). "How To Conduct An Information Security Gap Analysis". CIO. IDG Communications, Inc. https://www.cio.com/article/2876708/how-to-conduct-an-information-security-gap-analysis.html. Retrieved 23 July 2020.