Penetration Testing with Kali Linux OffSec


PEN-200

Personal Identifiable Information (PII) across the wire. Any required tracing and auditing data can be output from the applications rather than intercepted, and the secrets and PII can be excluded, encrypted, or scrubbed. PII can include names, addresses, phone numbers, email addresses, SSNs, and other information that can be used to track down or spy on an individual person.
Along with ensuring we can encrypt data, we should ensure that only the minimum required persons or systems can decrypt said data. We also probably want backups that are encrypted with different keys. In general, we don’t want to re-use encryption keys for different uses, as each key should only have one purpose. A file encryption key might encrypt millions of files, but that key should be used for only that purpose, and not, for example, signing or TLS.
Although encryption and backups are great practices, we should also implement protocols for routinely restoring from backups to ensure that we know how, and that the process works for every component. In some cases, we don’t need to back up detailed log data; however, most compliance and auditing standards require historic logs. Some specifications may even require that systems are in place to query for and delete specific historic log records.
3.4.9 Logging and Chaos Testing
Being able to access granular data quickly is of great benefit to an organization. Well-engineered logging is one of the most important security aspects of application design. With consistent, easy-to-process, and sufficiently detailed logging, an operations team can respond to problems more quickly, meaning incidents can be detected and resolved faster. Along with well-engineered security and application logging, it’s also important to be able to quickly access inventory.
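The two points above, emitting audit data from the application with secrets excluded and PII scrubbed, and keeping the output consistent and easy to process, as an added Python example that is not part of the PEN-200 material. The field names, the set of secret keys and the PII regexes are assumptions for the example; names and street addresses, which the text also counts as PII, need context rather than a regex.

```python
import json
import re
from datetime import datetime, timezone

# Regexes for the PII kinds the text lists (SSNs, phone numbers, email addresses).
# These patterns are assumptions for this example, not a complete PII detector:
# names and street addresses need context, not a regex.
PII_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[\s.-])?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}(?!\d)"),
}

# Field names treated as secrets: excluded from the record entirely (assumed list).
SECRET_FIELDS = {"password", "api_key", "session_token", "authorization"}

def scrub_text(value: str) -> str:
    """Replace each PII match with a typed placeholder so the line stays parseable."""
    for kind, pattern in PII_PATTERNS.items():
        value = pattern.sub(f"[{kind.upper()}-REDACTED]", value)
    return value

def scrub_value(value):
    """Drop secret keys and scrub strings, recursing through nested dicts and lists."""
    if isinstance(value, dict):
        return {k: scrub_value(v) for k, v in value.items() if k.lower() not in SECRET_FIELDS}
    if isinstance(value, list):
        return [scrub_value(v) for v in value]
    return scrub_text(value) if isinstance(value, str) else value

def build_audit_record(event: str, fields: dict) -> dict:
    """One audit record with fixed top-level keys, secrets removed and PII scrubbed."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event}
    record.update(scrub_value(fields))
    return record

def emit(event: str, fields: dict) -> str:
    """Serialise as a single JSON line, which log pipelines can parse consistently."""
    return json.dumps(build_audit_record(event, fields), sort_keys=True)

if __name__ == "__main__":
    # Constructed sample event; every value here is made up for the example.
    print(emit("login_failed", {
        "user": "jdoe", "password": "hunter2",
        "client": {"ip": "198.51.100.7", "session_token": "abc123"},
        "note": "SSN 123-45-6789, call 555-123-4567, mail j.doe@example.com"}))
```

The scrubbing runs before the record is serialised, so the PII never reaches the log transport, which is the point of emitting audit data from the application instead of intercepting it on the wire.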
The last control we’ll explore is Chaos Testing.[83]

Chaos testing is a type of BCP or disaster recovery (DR)[84] practice that is often handled via automation. For example, we might leverage a virtual machine that has valid administrative credentials in the production network to cause intentional disasters from within. Chaos engineering includes a variety of different approaches, such as having red teams create chaos in the organization to test how well the organization is able to handle it, scheduling programmed machine shutdowns at various intervals, or having authenticated malicious platform API commands sent in. The goal is to truly test our controls during messy and unpredictable situations. If a production system and organization can handle chaos with relative grace, then it is an indication that it will be robust and resilient to security threats.
3.5 Cybersecurity Laws, Regulations, Standards, and Frameworks

This Learning Unit covers the following Learning Objectives:
[82] (TLS, 2022), https://en.wikipedia.org/wiki/Transport_Layer_Security
[83] (IBM, 2022), https://www.ibm.com/garage/method/practices/manage/practice_chaotic_testing/
[84] (VMware, 2022), https://www.vmware.com/Modules/glossary/content/disaster-recovery.html
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 
- Gain a broad understanding of various legal and regulatory issues surrounding cybersecurity
- Understand different frameworks and standards that help organizations orient their cybersecurity activities
3.5.1 Laws and Regulations

Much can be written about cybersecurity laws and regulations, especially since different countries and jurisdictions all have their own. Most of the items we’ll discuss here are centered on the United States; however, some are applicable globally as well. As a security professional, it’s always important to understand exactly which laws and regulations one might be subject to.

HIPAA: The