CySA+ domain #3: Securing corporate environment
In an earlier CySA+ article, I mentioned that we would be delving into some of the subdomains of the four knowledge domains of the CySA+ certification exam. This article will detail one of the subdomains of Domain 1.0, Threat Management — Securing Corporate Environment.
Looking closer, this article will examine penetration testing, reverse-engineering, training exercises and risk evaluation. Most organizations run at least some semblance of a corporate environment as part of their information security environment, making this subdomain relevant to nearly everyone working in information security. And, of course, studying it will help you earn a passing score on this section of the CySA+ certification exam.
It is the responsibility of cybersecurity analysts to perform ongoing monitoring of the effectiveness of an organization’s security controls. This obligation is fulfilled by penetration testing, where the cybersecurity analyst uses the information, tools and techniques that real attackers would use against the organization’s information security environment.
Penetration testing can be either external or internal and often varies in scope. The scope of the testing is determined by the pentesting rules of engagement (ROEs), which cover:
- Timing: Establishes what the testing day will be, as well as what hours the testing will occur
- Scope: The devices, networks and systems that should be included in the test
- Authorization: The formal written permission to perform the test
- Exploitation: Which exploits are attempted if there are vulnerabilities found
- Communication: Communication between pentesters and organization stakeholders needs to be determined, including periodic reports and methods for urgent communication if needed
- Reporting: The reports that will be delivered and their set timelines need to be determined
Cybersecurity analysts need to reverse-engineer software on occasion in order to gain a better understanding of malware. Hardware can also be reverse-engineered to locate security vulnerabilities. There are different techniques for reverse-engineering:
Isolation, or sandboxing, is an approach to studying previously unknown malicious code by observing its behavior rather than matching it against known signatures. The possibly malicious code is executed in an environment where it cannot harm other computers and systems. An example of a common sandboxing tool is Cuckoo.
Another available approach is to create a “sheep dip” system: a computer that is purposely infected, kept away from other systems so they will not be harmed, and equipped with monitoring software. This allows the cybersecurity analyst to see what actually happens when a computer becomes infected.
An unfortunate fact of life is that security vulnerabilities can lurk within hardware, so validating the integrity of hardware is essential to the cybersecurity analyst. Approaches include:
- Source authenticity of hardware: This asks whether the hardware in question is genuine and not altered
- Trusted Foundry: This is a DoD program with the goal of a trusted hardware acquisition supply chain
- OEM verification: This is a vendor-driven approach where vendors keep documented records of different methods to validate whether the hardware is both genuine and unaltered
Not to be left out, software is also reverse-engineered by cybersecurity analysts, both to verify its integrity and to find security bugs. Techniques include:
- Fingerprints and hashing tools: Both are used to validate whether a copy of software is unaltered and identical to the software from the original source. An example of such a tool is sha256sum, which produces SHA-256 checksums
- Decomposition: Determines potential threat indicators (PTI) within software
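As an added example (not from the article, and not any vendor's own tooling), the following Python code checks a downloaded file against a published sha256sum-style manifest, the way an analyst validates that a software copy is identical to the original. The file name, payload and manifest are constructed for the demonstration; a missing entry is treated as "unverified" rather than "OK".

```python
import hashlib
import hmac
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(manifest_text):
    """Parse sha256sum output: '<64 hex chars>  <name>' (or ' *<name>' in binary mode)."""
    expected = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed digest in manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify_file(path, manifest_text):
    """True only if the file's SHA-256 equals the manifest entry for its basename."""
    expected = parse_sums(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False  # no published sum: unverified, which is not the same as OK
    # compare_digest keeps the comparison independent of where a mismatch occurs
    return hmac.compare_digest(sha256_of_file(path), expected[name])

def demo():
    """Constructed scenario: a genuine copy verifies, a tampered copy does not."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-1.0.tar.gz")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"pretend release payload\n")  # constructed payload
        manifest = f"{sha256_of_file(path)}  tool-1.0.tar.gz\n"  # as a vendor would publish
        genuine = verify_file(path, manifest)
        with open(path, "ab") as f:
            f.write(b"\x00")  # one appended byte models an altered download
        tampered = verify_file(path, manifest)
    return genuine, tampered
```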
Even good things can get better, and an organization’s ability to defend its network is no different. To this end, security teams conduct training exercises (basically war games) to further improve their defensive effectiveness in simulated test environments. These exercises normally involve three teams:
- Red Team: The Red Team is the offense/attack force of the exercise. This team uses pentesting techniques to exploit network weaknesses pursuant to established rules of engagement
- Blue Team: The Blue Team is the defending team that tries to detect, mitigate and stop the Red Team
- White Team: The White Team is the referee of the training exercise that enforces rules of engagement and documents both teams’ progress in the exercises
Training exercises of this nature also have the potential to train less up-to-speed members of security teams in contemporary information security attack and defense tactics.
Risk evaluation is an important consideration for cybersecurity analysts in the corporate environment. Cybersecurity analysts use different methods for determining their organization’s risk, including:
- Technical controls: Implemented with tools including firewalls, security appliances and permissions, technical controls need to be evaluated by cybersecurity analysts to ensure that they properly address threats without costing the organization more than the threat’s impact would
- Operational controls: Implemented through policies and procedures, operational controls reduce the likelihood of a threat occurring
- Technical impact and likelihood: To present information gathered about threats in an easily digestible and visible way, cybersecurity analysts build risk matrices that place likelihood on the Y-axis and technical impact on the X-axis, scoring each as “low,” “medium” or “high” to get a better grasp of their organization’s risk environment
Securing the corporate environment is one of the most common responsibilities of cybersecurity analysts, most clearly demonstrated by the fact that most cybersecurity analysts work for corporate organizations in some form. It should come as no surprise that this particular material will be more likely to be used on the job than be relegated to the land of unused trivia in your mind.
Whether you are preparing for the CySA+ certification exam or just seeking a refresher on this relevant and useful information, use this article as your guide and you will be in good shape to either earn a passing score or impress your colleagues at work.