
Concepts in methodology and certification

Reading time : 5 min


Let's start by recalling the main objective of cyber security, which can be summed up as: protecting the company's business and its data.

This objective has no end date, so the work must be iterative and agile.

Finally, today the advantage lies with the attackers (they choose which vulnerability to exploit and when, they have the element of surprise, and they often have the means), which is why we must also be reactive and monitor our security posture in real time.

So an essential mantra for someone working in cyber security is:
preparedness - agility - resilience.

Reaching these goals is impossible without methodology, and it is the basics of these methodologies that we will discover in this lesson.

Defense in depth

Defense in depth is a concept inherited from the military world (as is often the case in cyber security): several independent, overlapping defense mechanisms are combined so that the overall level of protection does not depend on any single one of them.

Think of a medieval fortress: the keep was itself fortified (reinforced door, traps, very high walls, very narrow stairs). The keep was surrounded by very high walls with a wall-walk and arrow slits. These walls were in turn surrounded by deep moats. Finally, the castle was built on ground that favoured the defender, for example on top of a hill.

(Figure: defense-in-depth cybersecurity scheme)

Defense in depth rests on a few important principles:

  • Defense systems must be independent: if one fails, it must not bring the others down with it.
  • Defense systems are not necessarily technical; governance and processes are just as important.
  • Defense systems must be as dynamic as possible, i.e. they must react to events affecting what they protect.
  • Defense systems are not only designed to prevent an attack. Some must also ensure that a successful attack has the least possible impact (detection, high availability, backups, incident response processes).

The "zero trust" concept

"Zero trust" is a cyber security concept that brings together many of the best practices already discussed in this course.

It aims to correct a weakness of past protection mechanisms: placing implicit trust in certain elements (a network location, a device, an application) without verifying them.

💡 For example: it was commonly accepted in the past that a workstation connected to the corporate network was necessarily a legitimate workstation.

The "zero trust" concept is based on three main pillars:

  • Explicit verification: authentication must not be limited to users, but must cover everything that accesses services and data (devices, applications, etc.), and must be re-evaluated on each access rather than granted once.
  • Principle of least privilege: grant only the minimum access needed to accomplish the task.
  • Assume breach: the "zero trust" concept considers that a security incident is inevitable, so we must prepare for it in order to reduce its impact as much as possible and react effectively.

To go further, please consult the ANSSI document: Scientific and technical advice: the Zero Trust model
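As an added illustration of the first two pillars (not code from the original lesson or from ANSSI), the following policy decision function denies by default and only grants access when the user is strongly authenticated, the device is enrolled, assigned to that user and attested, and the requested action is within the role's minimum permissions. The device inventory, role table and request fields are hypothetical; note that the network location is carried in the request but deliberately never consulted.

```python
"""Zero-trust style access decision: verify the user AND the device explicitly,
then allow only the narrowest action the role needs. Added example; the device
inventory, the role-to-permission table and the request format are hypothetical."""
from dataclasses import dataclass

# Hypothetical device inventory: only enrolled devices whose attestation and
# compliance checks passed are trusted, whatever network they are on.
ENROLLED_DEVICES = {
    "LAPTOP-4F2A": {"owner": "alice", "attested": True, "compliant": True},
    "LAPTOP-9C11": {"owner": "bob", "attested": True, "compliant": False},
}

# Least privilege: each role maps to the minimum set of actions per resource.
ROLE_PERMISSIONS = {
    "analyst": {"tickets": {"read"}, "logs": {"read"}},
    "admin": {"tickets": {"read", "write"}, "logs": {"read", "write"}},
}


@dataclass
class Request:
    user: str
    role: str
    mfa_passed: bool          # result of the user's strong authentication
    device_id: str            # identity presented by the terminal
    resource: str
    action: str
    on_corporate_network: bool = False  # carried, but never trusted


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Deny is the default; every grant is explicit.
    on_corporate_network is intentionally never read: being on the LAN is not
    evidence of legitimacy, which is exactly the implicit trust zero trust removes."""
    if not req.mfa_passed:
        return False, "user not strongly authenticated"
    device = ENROLLED_DEVICES.get(req.device_id)
    if device is None:
        return False, "device not enrolled"
    if device["owner"] != req.user:
        return False, "device not assigned to this user"
    if not (device["attested"] and device["compliant"]):
        return False, "device failed attestation or compliance"
    allowed_actions = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, "action not permitted for role"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed requests: one legitimate, one over-privileged, one from a
    # non-compliant device that happens to sit on the corporate network.
    for r in (
        Request("alice", "analyst", True, "LAPTOP-4F2A", "tickets", "read"),
        Request("alice", "analyst", True, "LAPTOP-4F2A", "tickets", "write"),
        Request("bob", "admin", True, "LAPTOP-9C11", "logs", "read", on_corporate_network=True),
    ):
        print(r.user, r.action, r.resource, "->", decide(r))
```

In a real deployment the inventory and role table would come from the MDM/attestation service and the identity provider, and `decide` would be called by the policy enforcement point on every request, not once at login.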

The concept of security through obscurity

Security through obscurity is the idea that it is harder to attack what you do not know.

💡 An example of security through obscurity is keeping a cryptographic algorithm secret, instead of relying on a public algorithm and a secret key.

Overall, security that relies entirely on obscurity does not hold up: the secret is usually recoverable (by reverse engineering, a leak, or a single observed example), and once it is known there is nothing left. It is regularly observed that publishing source code or cryptographic algorithms lets researchers find vulnerabilities and fix them for the benefit of all.

Instead, we should integrate obscurity into our security management as one extra layer, without making it an end in itself.

💡 For example, not disclosing architecture diagrams is good practice: they would greatly help attackers move laterally through our systems, even though the systems themselves must remain secure if the diagrams leak.
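To make the difference concrete, here is an added example (not part of the original lesson) contrasting a hypothetical home-made "secret" transformation for stored passwords with a public, standard algorithm (PBKDF2-HMAC-SHA256 from Python's standard library). The obscure scheme is inverted as soon as the transformation is known, and its hidden constant is even recovered from a single known plaintext; the public scheme loses nothing when its algorithm is known, because the protection comes from the salt and the cost of the derivation, not from secrecy of the method.

```python
"""Obscurity versus a public algorithm with a real secret. Added example, not
from the original lesson. Scheme A is a hypothetical in-house obfuscation that
relies only on nobody knowing the transformation; scheme B is the standard
PBKDF2-HMAC-SHA256 construction from hashlib."""
import base64
import hashlib
import hmac
import os

# ---- Scheme A: "secret" transformation (hypothetical) ----------------------
_MAGIC = b"s33la"  # constant hidden in the binary; anyone with the binary can read it


def obscure_store(password: str) -> str:
    """Reverse the bytes, XOR with a repeating constant, base64: looks random."""
    raw = password.encode()[::-1]
    mixed = bytes(b ^ _MAGIC[i % len(_MAGIC)] for i, b in enumerate(raw))
    return base64.b64encode(mixed).decode()


def obscure_recover(stored: str) -> str:
    """Once the transformation is known, every stored value is recovered
    directly; no secret is needed because none was ever involved."""
    mixed = base64.b64decode(stored)
    raw = bytes(b ^ _MAGIC[i % len(_MAGIC)] for i, b in enumerate(mixed))
    return raw[::-1].decode()


def recover_keystream(known_password: str, stored: str) -> bytes:
    """Known-plaintext attack: an attacker who sees ONE (password, stored value)
    pair obtains the repeating constant without ever reading the binary,
    because mixed[i] XOR reversed_plaintext[i] == _MAGIC[i % len(_MAGIC)]."""
    mixed = base64.b64decode(stored)
    raw = known_password.encode()[::-1]
    return bytes(m ^ p for m, p in zip(mixed, raw))


# ---- Scheme B: public algorithm, per-entry random salt, slow derivation ----
ITERATIONS = 200_000


def pbkdf2_store(password: str, salt: bytes = b"") -> str:
    """The algorithm, iteration count and salt are all stored in the clear;
    knowing them gives an attacker no shortcut to the password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


if __name__ == "__main__":
    secret = "Tr0ub4dor&3"  # constructed sample password
    a = obscure_store(secret)
    print("scheme A stored:", a)
    print("scheme A recovered:", obscure_recover(a))
    print("scheme A constant from one known pair:", recover_keystream(secret, a)[: len(_MAGIC)])
    b = pbkdf2_store(secret)
    print("scheme B stored:", b)
    print("scheme B verify good/bad:", pbkdf2_verify(secret, b), pbkdf2_verify("guess", b))
```

The lesson is Kerckhoffs's principle in practice: the only secret worth having is one that can be changed when it leaks (a key, a password), never the design itself.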

Standards and certifications

As we have just seen, our cyber security approach must be methodical and involves many essential concepts. To make our daily work easier, we can rely on standards and frameworks that collect best practices and methodologies. There are many of them, and most of the time we will combine several to reach our objectives and respect the principle of defense in depth.

Examples of standards and frameworks

Which standards apply depends on the type of activity, and several of them are widely recognized.

💡 For example, we can follow the ISO 27002 standard for our cyber security governance, use the EBIOS RM method for risk management, and apply technical baselines such as the CIS Benchmarks for the measures to be implemented on our systems.

Importance of certification

For some of the standards we have just discussed, it is possible to be audited so that a third party determines our level of compliance and issues a certificate attesting to it.

While certification should not be an end in itself, a certification process has benefits:

  • An impartial auditor determines our compliance, which helps us keep improving our posture (and avoid the anchoring bias of assessing our own work).
  • It helps involve the company's management, the first "sponsor" of cyber security, and gives them evidence that the company's posture is progressing (commitment/results).
  • Displaying certifications gives a positive image of the company to third parties (customers, insurers, the general public).

To summarize

In this lesson, we saw that knowing the essential principles of cyber security, and applying the right methodology to implement an effective, continuous security approach, is paramount.

To help us achieve this goal, we can count on standards and frameworks, which guide us in adopting a cyber security posture (governance, prevention).

Once that posture is in place, we can again rely on these frameworks to follow good operational practices (risk reduction, monitoring, resilience).
