Again, not one of my favourite days. This week, we’re diving into security engineering, and the focus today was on governance, compliance, and threat modelling. Not the most thrilling material for me personally, but it’s important for the Security+ exam, and that’s keeping me motivated.


I learned to distinguish some terms like:

Governance: The overall management and direction of an organisation or system to meet objectives and ensure compliance with laws, regulations, and standards.

Regulation: A rule or law enforced by a governing body to ensure compliance and reduce harm.

Compliance: The state of adhering to applicable laws, regulations, and standards.

I also explored key regulatory frameworks:

  • GDPR
  • HIPAA
  • PCI-DSS
  • GLBA

The NIST SP 800-53 publication offers a catalogue of security and privacy controls to protect the CIA triad (Confidentiality, Integrity, Availability) of information systems.

Examples of control types include:

  • Administrative: Awareness training, risk assessments
  • Technical: Access control, identification, and authentication
  • Physical: Personnel security, media protection
  • Strategic: Planning

The ISO/IEC 27001 standard provides a structured approach to managing an Information Security Management System (ISMS). Key components include:

  • Scope: Defines the boundaries of the ISMS
  • Information Security Policy: Sets the strategic approach
  • Risk Assessment: Identifies and evaluates security risks
  • Risk Treatment: Applies controls to mitigate risks
  • Statement of Applicability (SoA): Specifies which controls are in use
  • Internal Audit: Verifies ISMS effectiveness
  • Management Review: Ongoing performance evaluations

I also learned about the DREAD framework (no pun intended). It's an acronym for:

Damage: How severe is the impact?

Reproducibility: Can it be easily repeated?

Exploitability: How easy is the attack to execute?

Affected Users: How many users would it affect?

Discoverability: How easy is it to find the vulnerability?

Each factor is rated 1–10 for a subjective risk score.


The STRIDE framework is another threat modelling methodology, also developed by Microsoft, which helps identify and categorise potential security threats in software development and system design. The acronym STRIDE stands for its six threat categories: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
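To make the DREAD ratings and STRIDE categories above concrete, here is a small threat-register scorer I added for illustration (it is not from the course or the post). It assumes the DREAD score is the mean of the five 1-10 ratings, since the post states only that each factor is rated 1-10, and the threat entries are constructed examples.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The six STRIDE categories named in the post, keyed by their acronym letter.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}
# The five DREAD factors, each rated 1-10.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

@dataclass
class Threat:
    name: str
    stride: str              # one of the STRIDE keys above
    ratings: Dict[str, int]  # DREAD factor -> rating 1..10

def dread_score(ratings: Dict[str, int]) -> float:
    """Assumed scoring rule: mean of the five 1-10 ratings (the post gives no formula)."""
    missing = set(DREAD_FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    for factor in DREAD_FACTORS:
        value = ratings[factor]
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{factor} must be an integer in 1..10, got {value!r}")
    return sum(ratings[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)

def rank_threats(threats: List[Threat]) -> List[Tuple[float, str, str]]:
    """Return (score, STRIDE category, threat name), highest DREAD score first."""
    for t in threats:
        if t.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {t.stride!r} for {t.name}")
    ranked = [(dread_score(t.ratings), STRIDE[t.stride], t.name) for t in threats]
    return sorted(ranked, key=lambda r: r[0], reverse=True)

# Constructed sample threat register (hypothetical entries, not from the post).
SAMPLE_THREATS = [
    Threat("Session token replay", "S",
           dict(damage=7, reproducibility=8, exploitability=6, affected_users=9, discoverability=5)),
    Threat("Audit log editable by application user", "R",
           dict(damage=4, reproducibility=9, exploitability=7, affected_users=3, discoverability=6)),
    Threat("Admin endpoint without authorisation check", "E",
           dict(damage=10, reproducibility=10, exploitability=8, affected_users=10, discoverability=4)),
]

if __name__ == "__main__":
    for score, category, name in rank_threats(SAMPLE_THREATS):
        print(f"{score:4.1f}  {category:24}  {name}")
```

Because the ratings are subjective, the value of the exercise is the ordering it produces for remediation, not the absolute numbers.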


Another framework, PASTA (Process for Attack Simulation and Threat Analysis), is a structured, risk-centric threat modelling framework designed to help organisations identify and evaluate security threats and vulnerabilities within their systems, applications, or infrastructure.


By the end of the day we had some revision on malware analysis, but since I was done with it yesterday, I went to do some CTF challenges with the CTF gang.
I had some time to study a bit for the Security+; I had a look at the materials and I saw that the material from today is actually very important, although not my favourite part.