by Inflectra on Monday, August 19, 2024

Continuous Improvement Model Evolving Threat Landscape CIA Triad Beyond the CIA Triad Attack Vectors and Solution Controls Table: ISO OSI Model - Attack Vectors & Solution Controls Implementing ISO 27001 as a Project ISO 27001:2022 Revisions Benefits of ISO 27001 in the Software Development Life Cycle Best Practices for Implementing ISO 27001 Conclusion Disclaimer References

Introduction

ISO 27001 is the international standard for Information Security Management Systems (ISMS). It provides a comprehensive framework to protect an organization’s sensitive information, whether it be physical infrastructure, digital assets, or stakeholder data. Central to this framework is risk management, supported by ISO 27002 controls.

ISO 27001 Information Security Overview

Continuous Improvement Model

ISO 27001, first published in 2005, follows the Plan-Do-Check-Act (PDCA) model, fostering a mindset of continuous improvement. This structure allows organizations to systematically implement, update, and manage controls that bolster their information security posture.

Evolving Threat Landscape

As technology rapidly advances, so do cyber threats like phishing, ransomware, and malware. ISO 27001 emphasizes proactive risk identification, control implementation, and continuous monitoring to stay ahead of these threats.

CIA Triad

Information security governance begins with the CIA Triad (Confidentiality, Integrity, Availability). This model secures both human and non-human resources, providing a top-down approach to safeguarding information.

ISO OSI Model and Information Security

Beyond the CIA Triad

While essential, the CIA Triad is not sufficient on its own. Information today flows through multiple layers, requiring comprehensive protection. The seven layers of the OSI Model—ranging from physical connections to application processes—must be secured.

Use the famous mnemonic: “Please do not take spinach pizza away,” where the first character of every word indicates the seven OSI layers - to remind yourself of the big picture in implementing security.

Dr. Sriram Rajagopalan, Global Head of Agile Strategy, Inflectra

Attack Vectors and Solution Controls

The table below summarizes common vulnerabilities in each OSI layer and the corresponding security controls necessary to address them:

Table: ISO OSI Model - Attack Vectors & Solution Controls

OSI Layer	Attack Vectors	Solution Controls
7. Application	PhishingCross-Site Request Forgery (CSRF)Brute force attacksAPI vulnerabilities	Multi-Factor AuthenticationCSRF tokensRate limitingScheduled security audits
6. Presentation	Buffer overflowSQL injectionCross-site scripting (XSS)MIME sniffing	Input validationOutput encodingContent Security Policy (CSP)Proper error handling
5. Session	Session hijackingReplay attacks	Session encryptionSession timeoutsToken based authorization
4. Transport	TCP SYN floodPort scanningSSL/TLS vulnerabilities	SYN cookiesTransport Layer SecurityPort randomization
3. Network	IP spoofingDistributed Denial of Service (DDoS) attacksPacket sniffingRouting table poisoning	FirewallsIntrusion Detection / Prevention (IDS/IPS)Virtual Private Network (VPN)Access Control Lists (ACL)
2. Data Link	MAC address spoofingARP poisoningMan-in-the-middle attacksFrame sniffing	MAC address filteringPort securityEncryptionVirtual LAN
1. Physical	WiretappingPhysical theftElectromagnetic interference (EMI)Cable cutting	Physical access controlsEncryption of data in transitEMI shieldingRedundant Communication Paths

Implementing ISO 27001 as a Project

Think of ISO 27001 implementation as a project, with attacks becoming hierarchical requirements and controls becoming tasks. Spira, an application lifecycle management tool, can help track your ISO 27001 implementation by organizing tasks, test cases, risks, and incidents.

“The global threat environment in the modern information age is constantly evolving, making it important for organizations to develop a comprehensive security strategy that protects all assets, resources, and functional components. The ISO 27001 standard promotes strategic thinking towards collaborative problem-solving," Ian Frazier, Head of Information Security, Inflectra.

ISO 27001:2022 Revisions

The 2022 revision of ISO 27001 reduced security controls from 114 to 93, grouping them under four categories: organizational, people, physical, and technological. Tools like RACI charts can help manage the roles and responsibilities involved in upholding these controls.

Upholding Security is everyone’s responsibility. While the technology group is accountable (A) for implementing the controls, multiple stakeholders from various groups are equally responsible (R) for upholding the controls grouped under the organizational, physical, and people levels by consulting (C) among themselves and informing (I) others on a need-only basis.– Dr. Sriram Rajagopalan

Leadership and Collaboration

Security is everyone's responsibility. While the technology group is accountable for implementing controls, all stakeholders must collaborate, consult, and inform each other about the controls in place.

Benefits of ISO 27001 in the Software Development Life Cycle

ISO 27001 offers several key benefits:

Protecting Sensitive Information: Safeguarding data from unauthorized access and misuse.

Compliance: Meeting legal and regulatory requirements (e.g., GDPR, CCPA).

Competitive Advantage: Building trust with customers through ISO 27001 certification.

Improved Risk Management: Systematically identifying and mitigating security risks.

Enhanced Incident Response: Swiftly responding to incidents to minimize operational impact.

Continuous Improvement: Regularly updating security practices to stay aligned with new threats.

ISO 27001 Implementation Guidelines

There are several key steps involved in implementing ISO 27001:

Establish an Information Security Policy: Develop a comprehensive information security policy that outlines the organization's commitment to protecting sensitive information and defines the roles and responsibilities of stakeholders.

Conduct a Risk Assessment: Identify and assess the organization's information security risks, taking into account threats, vulnerabilities, and potential impacts. Any ISO standard and most regulations are governed by risk-based thinking and evidence-based decision-making.

Select and Implement Controls: Choose appropriate security controls from ISO 27001 Annex A (Edwards, 2024) to mitigate the identified risks. These controls may include technical measures (e.g., encryption, firewalls), physical measures (e.g., access control, surveillance cameras), and organizational measures (e.g., security awareness training, incident response plans). Some of these controls are corrective actions, and some of these controls are protective actions, and these are collectively called CAPA.

Implement the ISMS: Establish and implement an information security management system (ISMS) based on the requirements of ISO 27001. This includes documenting information security processes, procedures, and responsibilities.

Monitor and Review the ISMS: Continuously monitor and review the effectiveness of the ISMS to ensure it remains aligned with changing threats and risks. This involves regular audits and management reviews.

Best Practices for Implementing ISO 27001

Leadership Commitment: Ensure active involvement from top management.

Risk-Based Approach: Tailor the ISMS to specific organizational risks.

Continuous Improvement: Regularly review and update the ISMS.

Employee Awareness and Training: Cultivate a security-conscious culture through training.

Incident Response: Prepare a robust response plan for security incidents.

Third-Party Risk Management: Evaluate the security risks posed by third-party vendors.

Compliance: Align with relevant laws and regulations.

ISO 27001 Annex A Controls: Implement appropriate controls to mitigate identified risks.

Communication: Regularly communicate the importance of security to all stakeholders.

Conclusion

Implementing ISO 27001 provides a systematic approach to managing information security risks, and ensuring confidentiality, integrity, and availability of assets. By following these guidelines and using tools like Spira to track progress, organizations can effectively maintain ISO 27001 compliance and foster a secure environment for their information assets.

Disclaimer

The information provided here is for informational purposes only and should not be relied upon as legal or compliance advice. Always consult with a professional for compliance-related decisions.

References

Day, J. D. and Zimmermann, H. (1983). The OSI reference model. Proceedings of the IEEE, 71(12), 1334-1340.

Edwards, M. (2024). ISO 27001:2022 Annex A Explained. ISMS.Online. Retrieved from https://www.isms.online/iso-27001/annex-a/

Fenrich, K. (2008). Securing your control system: The "CIA triad" is a widely used benchmark for evaluating information system security effectiveness. Power Engineering, 112(2), 44-51.

Glossary of Terms

Access Control Lists (ACLs): Rules that filter network traffic based on predefined criteria.

Application Layer: Provides network services directly to end-users or applications.

Application Lifecycle Management (ALM): A continuous process of managing the life of an application through governance, development, and maintenance.

API vulnerabilities: Weaknesses in application programming interfaces that can be exploited.

ARP poisoning: Technique to attack an Ethernet network by updating ARP tables with forged entries.

Auditability: The ability to conduct a systematic review of records, activities, and

Brute force attacks: Attempting to guess passwords or encryption keys by trying all possible combinations.

Buffer overflow: Occurs when a program writes more data to a buffer than it can hold.

Cable cutting: Physical sabotage of network infrastructure.

Content Security Policy (CSP): An added layer of security to detect and mitigate certain types of attacks.

Continuous Improvement: An ongoing effort to improve products, services, or processes.

Corrective Actions: Any set of actions taken as a reaction to an issue that has occurred.

Cross-site request forgery (CSRF): Tricking a user into performing unwanted actions on a web application.

CSRF tokens: Unique, secret tokens in web forms to prevent CSRF attacks.

Data Link Layer: Handles node-to-node data transfer and error detection/correction.

DDoS attacks: Overwhelming a system with traffic from multiple sources to make it unavailable.

Decryption: Converting encrypted data into its original data format

Deming’s PDCA Cycle: A four-step management method used for continuous improvement of processes and products (Plan-Do-Check-Act). Deming updated this later as PDSA Cycle (Plan-Do-Study-Act).

Electromagnetic interference: Disruption of electronic devices due to electromagnetic radiation.

Electromagnetic shielding: Blocking electromagnetic fields to prevent interference.

Encryption: Converting data into a code to prevent unauthorized access.

Evidence-Based Decision Making: Making decisions based on the analysis of data and information rather than assumptions or intuition.

Firewalls: Network security systems that monitor and control incoming and outgoing network traffic.

Frame sniffing: Capturing and analyzing data packets at the data link layer.

Governance: The act of authorizing, controlling, and overseeing an organization’s process approach for problem-solving and decision-making to ensure that it complies with its policies and procedures.

Input validation: Ensuring that input data meets certain criteria before processing.

Intrusion Detection/Prevention Systems (IDS/IPS): Monitoring network traffic for suspicious activity.

IP spoofing: Creating IP packets with a false source IP address.

MAC address filtering: Allowing or blocking network access based on MAC addresses. MAC stands for Media Access Control.

MAC address spoofing: Changing a device's MAC address to impersonate another device.

Man-in-the-middle attacks: Intercepting communication between two parties.

MIME sniffing: Inspecting the content of a file to determine its type, potentially bypassing security measures. MIME stands for Multipurpose Internet Mail Extensions.

Multi-factor authentication: Requiring two or more pieces of evidence to grant access.

Network Layer: Manages packet routing and logical addressing.

Output encoding: Converting special characters to their HTML entity equivalents.

Packet sniffing: Capturing and analyzing data packets on a network.

Physical access controls: Measures to limit physical access to network infrastructure.

Physical Layer: Deals with the physical connection between devices, including hardware specifications.

Phishing: Attempting to obtain sensitive information by disguising it as a trustworthy entity.

Port randomization: Assigning random port numbers to connections to prevent predictability.

Port scanning: Probing a server or network host for open ports.

Port security: Configuring a network switch port with specific security settings.

Presentation Layer: Translates data between the application layer and lower layers, handling data formatting and encryption.

Preventive Actions: Measures taken to eliminate the cause of a potential nonconformity or other undesirable situation.

Process Approach: Managing activities and related resources as a process to achieve desired outcomes more efficiently.

Redundant communication paths: Multiple routes for data to travel in case of failure.

Regulatory Compliance: Adherence to laws, regulations, guidelines, and specifications relevant to business operations.

Replay attacks: Valid data transmission is maliciously repeated or delayed.

Risk-Based Thinking: Incorporating risk management principles to anticipate and mitigate potential issues in processes and systems.

Routing table poisoning: Injecting false routing information to redirect network traffic.

Session encryption: Protecting session data from unauthorized access or tampering.

Session hijacking: Taking over a valid user session to gain unauthorized access.

Session Layer: Establishes, manages, and terminates sessions between applications.

Session timeouts: Automatically ending a session after a period of inactivity.

Software Development Lifecycle (SDLC): A process for planning, creating, testing, and deploying an information system.

SQL injection: Inserting malicious SQL statements into application queries.

SSL/TLS vulnerabilities: Weaknesses in secure communication protocols.

Stakeholder: Any individual, group, or organization that can affect or be affected by an organization's actions.

Strong session management: Implementing secure practices for handling user sessions.

Token-based authentication: Using tokens instead of passwords for authentication.

Traceability: The ability to trace the history, application, or location of an entity by means of recorded identification.

Transport Layer: Ensures end-to-end communication and data integrity.

Transport Layer Security (TLS): Cryptographic protocols for secure communication.

Virtual LANs (VLANs): Logical segmentation of a network independent of physical layout.

Virtual Private Networks (VPNs): Extending a private network across public networks securely.

Wiretapping: Intercepting communications by tapping physical lines.

Workflow: A sequence of processes through which a piece of work passes from initiation to completion.

XSS (Cross-Site Scripting): Injecting malicious scripts into web pages viewed by other users.