InfoSec professionals - Please help me find / understand real life examples

Folks - I want to get into Security Governance, risk assessment, IT audits etc. but don't have any experience yet. I have tried very hard to gain some knowledge of real life examples so I can at least understand and talk about these during interviews but having one hell of a time trying to come up to speed on real life scenarios, examples etc. There is no shortage of theory in books but no detailed real life examples. Can somebody please help with some real life examples - Don't have to be very detailed but at least help me understand metrics and parameters involved in such scenarios.
For example - Infosec professional often interface with 3rd party suppliers, vendors and review 3rd party apps and solutions to ensure their security posture aligns with their organization's security policies and standards. Where can I find details and examples of working with business partners/ external security teams - what kind of parameters / profiles/ metrics etc are compared.
Similarly how can I gain knowledge of Financial services' Security Governance Framework (policies and standards). How do I find practical Info about banks Security standards, policies, practices - Understanding of security controls/ mechanisms and threat / risk assessment techniques pertaining to complex data/apps/networking components?
I understand each situation would be unique but how do I gain some understanding of what is involved so I can confidently talk about these in the interviews?
Please advise.

Find more posts tagged with

Comments

EANx

They apply specifically to the Federal government but trickle down to corporate. You'll want to start poking around the NIST 800 series documents. I'd start off with 800-37 and 800-53.

You can access the NIST directory of publications at https://csrc.nist.gov/publications/search?requestserieslist=1&requeststatuslist=1,3&requestdisplayoption=brief&itemsperpage=100&requestsortorder=5

kabooter

EANx wrote: »

They apply specifically to the Federal government but trickle down to corporate. You'll want to start poking around the NIST 800 series documents. I'd start off with 800-37 and 800-53.

You can access the NIST directory of publications at https://csrc.nist.gov/publications/search?requestserieslist=1&requeststatuslist=1,3&requestdisplayoption=brief&itemsperpage=100&requestsortorder=5

Thanks a lot. I was able to expand my search a bit more based on what you mentioned and google a few docs.
Somehow it is very difficult to find real life examples of cyber security work being done. I do understand that most orgs dont want to share the exact info but can't understand how can a wanna be security professional increase his knowledge without real life examples.

infosec123

I will give you a fun example. Lets say you are internal security for a company. This company wants to onboard a 3rd party vendor's work order management system, which is hosted by the vendor (cloud). Your company's security posture requires SSO, but the vendor is a small time vendor and has never heard of SAML or the like. You decide to go with LDAP queries, which traverse the public internet. You only allow LDAP questions from the vendor's IP, but LDAP queries are done in plain text by default. You tell the vendor you want to do secure LDAP queries (LDAPS), but the developer for the vendor insists LDAP queries are encrypted by default and refuses to enable secure LDAP. Your company is putting pressure on the IT department to get the new product in production, and leaders arent really concerned with the security aspects. What is the risk here and what do you do?

edit: please, no one reply with what you would do, let OP try.

kabooter

infosec123 wrote: »

What is the risk here and what do you do?
edit: please, no one reply with what you would do, let OP try.

Oh boy, I am already in interview room. So here we go:
Risk All Microsoft LDAP/AD servers will give up metadata about the server itself to all callers via an anonymous connection. AD LDAP traffic is unsecured by default, which makes it possible to use network-monitoring software to view the LDAP traffic between clients and DCs.
Possible Solutions:
Use a VPNRather than allow LDAP over the public internet, the remote systems can use a VPN solution to connect securely to the enterprise's internal network or DMZ. This can be accomplished with the built-in PPTP VPNs as part of Microsoft networking, or with a third-party VPN such as provided by Cisco or Sonicwall.These VPNs may be required for other reasons anyway, so this would be a natural way to provide access to the directory.Use Outlook Web AccessThough not as functional as a local email client, using Outlook Web Access via an SSL-protected webserver allows access to the Exchange server and the associated address books.Tunnel through SSHEnterprises with external Secure Shell instances available may be able to tunnel through an authenticated SSH connection to reach the LDAP server for access. This is easy to accomplish with Linux/UNIX-based systems running OpenSSH, or even with Windows-based SSH servers such as the excellent (but commercial) VShell.
So did I sort of stumble in the right direction?

Cyber_space

I like the question posed. I’ve experienced a number of those scenarios. Can I point out one thing I noticed. OP mentioned getting into GRC but the answered from an engineering standpoint. I would say to look at this from a GRC viewpoint as all risk aren’t solved by technical means.

Cyber_space

I think this also is an example of what goes wrong when job postings ask for 10 different roles in one posting.

--chris--

Cyber_space wrote: »

I like the question posed. I’ve experienced a number of those scenarios. Can I point out one thing I noticed. OP mentioned getting into GRC but the answered from an engineering standpoint. I would say to look at this from a GRC viewpoint as all risk aren’t solved by technical means.

This ^

GRC is (from my short experience working in/with/near it) is focused on applying organizational standards, identifying and minimizing risk and working with IT, dev, others towards compliance with a standard like PCI, GLBA, HIPPA, etc...less technical, which may be why OP is having a hard time finding examples.

I work in a smaller shop (6 IT total). I handle all of the "security" branded work, including policy creation, due dilligence & risk ID (and the steps associated with management of it).

The best way to learn what and how this stuff works would be to find a policy (like this: https://www.sans.org/security-resources/policies/general#clean-desk-policy) and think of somewhere you have worked and how it would apply (and how users would adapt to it, or fail to adapt to it, how mgmt would resist or adhere, etc...).

You can find many sample policies here:
https://www.sans.org/security-resources/policies/

kiki162

@kabooter

What's your background/experience? It's not that hard to translate some of these compliance controls into real life examples. If you are in an interview, the first thing you want to know is the product. So if Company A that you are interviewing for has a cloud product, you would need to understand the network architecture setup. Does it have a firewall, WAF, proxies, data encryption, etc. It's very possible that you don't have the knowledge / experience yet. The biggest thing is to understand the concepts.

One good place to start is NIST 800-53, and do a search by Family at the top. For Access Control, you'll see different stuff like Least Privilege, Separation of Duties, Remote Access, etc. One easy one would be Unsuccessful Logon Attempts. So if Company A has a Windows domain, and they want to ensure that Unsuccessful Logon Attempts are being logged and prevented. What would need to be done in order for Company A to be "in compliance" with that control. Start by looking at FEDRAMP, SOC2, and CSA STAR.

kabooter

Bravo Chris. This is exactly what I was looking for. Sort of real life examples of theory in action.
I will really appreciate if someone can guide me as to how can I enhance my experience or at least knowledge of real life applications of GRC concepts. I have not had a chance to get my feet wet in this arena yet but am sure can pick up lot of knowledge by looking at real life examples.

--chris-- wrote: »

This ^

GRC is (from my short experience working in/with/near it) is focused on applying organizational standards, identifying and minimizing risk and working with IT, dev, others towards compliance with a standard like PCI, GLBA, HIPPA, etc...less technical, which may be why OP is having a hard time finding examples.

I work in a smaller shop (6 IT total). I handle all of the "security" branded work, including policy creation, due dilligence & risk ID (and the steps associated with management of it).

The best way to learn what and how this stuff works would be to find a policy (like this: https://www.sans.org/security-resources/policies/general#clean-desk-policy) and think of somewhere you have worked and how it would apply (and how users would adapt to it, or fail to adapt to it, how mgmt would resist or adhere, etc...).

You can find many sample policies here:
https://www.sans.org/security-resources/policies/

Cyber_space

--chris-- wrote: »

This ^

GRC is (from my short experience working in/with/near it) is focused on applying organizational standards, identifying and minimizing risk and working with IT, dev, others towards compliance with a standard like PCI, GLBA, HIPPA, etc...less technical, which may be why OP is having a hard time finding examples

I would also add it’s tough because different companies have varying levels risk acceptance, regulatory requirements, other factors. When I did vulnerability scanning, many medical offices refused to upgrade from windows xp although I*t* was EoL. There are still some hospitals that use it* probably in 2017. Every company and every industry is different so in my opinion what helped me was networking and coworkers. Talk to GRC leads and risk people and understand their mindset. I had a tremendous teacher in a co-worker who handled all kinds of risk and helped me to see things beyond a technical means.

kabooter

Awesome, thanks a lot. I was oblivious to the products company may already have so it is a fantastic point. Can't beat real life expierince in life!

kiki162 wrote: »

@kabooter

What's your background/experience? It's not that hard to translate some of these compliance controls into real life examples. If you are in an interview, the first thing you want to know is the product. So if Company A that you are interviewing for has a cloud product, you would need to understand the network architecture setup. Does it have a firewall, WAF, proxies, data encryption, etc. It's very possible that you don't have the knowledge / experience yet. The biggest thing is to understand the concepts.

One good place to start is NIST 800-53, and do a search by Family at the top. For Access Control, you'll see different stuff like Least Privilege, Separation of Duties, Remote Access, etc. One easy one would be Unsuccessful Logon Attempts. So if Company A has a Windows domain, and they want to ensure that Unsuccessful Logon Attempts are being logged and prevented. What would need to be done in order for Company A to be "in compliance" with that control. Start by looking at FEDRAMP, SOC2, and CSA STAR.