Penetration Testing with Kali Linux OffSec
PEN-200

Payment Card Industry Data Security Standard (PCI DSS)[97] is an information security standard, first published in 2004, for organizations that handle customer payment card data on behalf of a number of major credit card companies. It is managed by the PCI Security Standards Council. Its purpose is to ensure that payment data is properly secured in order to reduce the risk of credit card fraud. As with other frameworks, PCI DSS consists of a number of requirements, compliance with which must be assessed annually. Most of these requirements resemble other industry best practices regarding network and system security, access control, vulnerability management, monitoring, and so on. For example, Requirement 2 prohibits the use of vendor-supplied defaults for system passwords and other security-related parameters. Other requirements are credit-card-specific formulations of other familiar best practices. For example, Requirement 3 specifies which types of cardholder data may be stored and how stored data must be protected.
CIS Top 18: The Center for Internet Security (CIS) Critical Security Controls, also known as CIS Controls,[98] are a set of 18 (previously 20) recommended controls intended to improve an organization's security posture. While not themselves laws or regulations, these controls pertain to a number of areas that regulations are concerned with, including data protection, access control management, continuous vulnerability management, malware defense, and more. Each control is divided into a number of safeguards (previously known as sub-controls), which, in turn, are grouped into three implementation groups[99] intended to help prioritize safeguard implementation. IG1 consists of the safeguards considered the minimum standard for information security; they protect against the most common attacks and should be implemented by every organization. They are typically the only group implemented by small businesses with limited IT expertise that manage data of low sensitivity. IG2 is composed of additional safeguards meant to apply to more complex organizations, typically those with multiple departments and staff dedicated to managing IT infrastructure, which hold more sensitive customer and proprietary data. IG3, which consists of all safeguards, is typically implemented by organizations with dedicated cybersecurity experts managing sensitive data that may be subject to regulatory oversight.
NIST Cybersecurity Framework: The National Institute of Standards and Technology (NIST) Cybersecurity Framework[100] is a collection of standards and practices designed to help organizations understand and reduce cybersecurity risk. It was originally developed to help protect critical infrastructure; however, it has since been adopted by a wide array of organizations.[101] The NIST framework consists of three components:[102] Core, Implementation Tiers, and Profiles.
The Framework Core is a set of cybersecurity activities and outcomes. It is divided into five high-level functions, each of which encompasses a number of categories (for example, Asset Management and Risk Assessment). These categories, in turn, include subcategories that consist of statements describing the outcome of improved security; each subcategory is aligned with Informative References, which go into deeper detail about possible technical implementations. For example, Subcategory ID.BE-1 (Function: Identify, Category: Business Environment) states "The organization's role in the supply chain is identified and communicated."

The Framework Implementation Tiers specify the degree to which an organization's cybersecurity practices satisfy the outcomes described by the subcategories of the Framework Core. There are four such Tiers: Partial (the lowest degree), Risk Informed, Repeatable, and Adaptive.

Framework Profiles describe the relationship between the present implementation of an organization's cybersecurity activities (the Current Profile) and its desired outcome (the Target Profile), which is determined by the organization's business objectives, requirements, controls, and risk appetite. Comparing the two profiles helps the organization perform a gap analysis, as well as understand and prioritize the work required to close the gap.

ATT&CK and D3FEND: The MITRE[103] organization has tabulated and organized a framework for cataloging how groups of attackers work together to infiltrate systems and achieve their goals. This framework, called the

[97] (PCI SSC, 2022), https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/PCI_DSS-QRG-v3_2_1.pdf
[98] (CIS, 2022), https://www.cisecurity.org/controls/cis-controls-list
[99] (CIS, 2022), https://www.cisecurity.org/controls/implementation-groups
[100] (NIST, 2022), https://www.nist.gov/industry-impacts/cybersecurity-framework
[101] (NIST, 2022), https://www.nist.gov/cyberframework/getting-started
[102] (NIST, 2022), https://www.nist.gov/cyberframework/online-learning/components-framework

PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.