CISSP - Domain 1. - Security & Risk Management
GLBA
"Gramm-Leach-Bliley Act" (Financial Services Modernization Act of 1999) - GLBA relates to the privacy of financial information. Companies must provide written notice to consumers of their privacy rights and explain the company's procedures for safeguarding data.
Governance Ecosystem
(Ref 2.1 Frameworks, Benchmarks and Guidelines)
Replay Attack
- A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network. - An attack that retransmits captured communication to attempt to gain access to a targeted system.
Business Continuity vs Disaster Recovery actions
- Business Continuity means keeping the business available in case of hardware outages (server, disk, network interface etc.). Network bonding, clustering and RAID are examples. - Disaster Recovery means failing over to an alternate site in case of a disaster. Relocating to a cold site or restoring from backup are examples of DR.
CyberSecurity Governance - Responsibility of leadership
- Determine and articulate the organization's desired state of security. - Provide strategic direction, resource funding and support to ensure desired state of security can be achieved and sustained. - Maintain responsibility and accountability (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Normal Clauses of SLAs
- RTO/Failover time - Uptime - Maximum consecutive downtime Normally the confidentiality of data is not part of an SLA; instead it is part of a non-disclosure agreement.
Executive Management Responsibilities
- Strategic Alignment - Risk Management - Value Delivery - Performance measurement - Resource Management - Process assurance (Ref 2.1 Frameworks, Benchmarks and Guidelines)
1. Factor analysis of information risk (FAIR) 2. Risk factor analysis 3. Probabilistic risk assessment (PRA)
1 - An approach to risk management that develops baselines of probabilities for the frequency and magnitude of loss events. It is considered an add-on to existing risk frameworks. 2 - Another approach to risk analysis that uses a six-step methodology to identify factors that drive the behavior of the project schedule, cost, and technical performance. 3 - Designed for use with large-scale complex projects where risk is defined as a feasible detrimental outcome of an activity or action. The results are expressed numerically.
NIST Risk Management Framework (RMF)
1. CATEGORIZE Information System 2. SELECT Security Control 3. IMPLEMENT Security Controls 4. ASSESS Security Control 5. AUTHORIZE Information Systems 6. MONITOR Security Controls
Emergency Response Guidebook
A Guidebook for First Responders During the Initial Phase of a Dangerous Goods/Hazardous Materials Transportation Incident. - Immediate Response Procedures - List of Individuals to be notified - Secondary Response Procedures for first responders.
Annualized Loss Expectancy. It is calculated by multiplying the SLE by the ARO. Say rebuilding and reconfiguring a datacenter would cost $10 Million and the loss expected when the threat materializes (SLE) is 5 Million, so the exposure factor would be 50%; if the ARO is .005, the ALE in this case would be 5 Million (SLE) X .005 (ARO) = 25K. ALE = SLE X ARO
ALE
AWS adoption criteria should be based on the Shared Responsibility Model of the services that are subscribed to, and also on our PTx process.
AWS adoption criteria
ARO
Annualized Rate of Occurrence. Calculated based on the number of occurrences per year. If a threat can happen once every 100 years, the ARO would be 0.01.
These two terms complement each other but mean different things. - Availability is generally depicted in SLAs that mandate how long your application/business process must be available to meet the business requirement during a specified period. It is represented as a percentage, e.g. 99.9% in a year. - Recovery is a target that mandates that a system must recover to its operational state in case of an outage within a specified time period to avoid intolerable business impact. It is represented in absolute hours, days etc.
Availability vs Recovery
Procedure to ensure continuity of critical processes and services throughout an emergency or disruption. This requires that you identify and implement workarounds to ensure continuity of the processes and services provided by the organization.
BCP (Business Continuity Plan)
BRP stands for Business Resumption Plan, which addresses the restoration of business processes after an emergency caused by deliberate attack, accident or natural disaster. DRP stands for Data Recovery Plan, or more generally Disaster Recovery Plan.
BRP and DRP
Business Resilience prepares organizations to withstand, adapt and effectively respond to changing conditions caused by deliberate attacks, accidents or naturally occurring threats or incidents. This is an extension of Business Continuity. For effective resilience: - Support from Sr Management with an appropriate Policy Statement - Defined Standards for the different disciplines - Well defined Control Objectives & Procedures - Good Governance - Effective Risk Management - Diverse skills and knowledge base
Business Resilience
It prepares organizations to withstand, adapt and recover rapidly from changing conditions caused by deliberate attacks, accidents, and disruptions caused by natural threats and incidents. It helps you to: - Identify services and conduct a BIA on each service - Identify essential services based on MTDs and DLT - Apply the BCM Framework recommended by FFIEC - Identify assets for services (Applications, TPP, People) - Apply Preventive Controls - Develop BCP, BRP (Business Resumption Plan) and DRP - Test, Train and Exercise - Maintain the Plan
Business Resiliency
- Identify critical business processes - Identify Recovery and Availability Objectives (MTD, DLT etc.) - Identify associated technology assets (Applications/Platforms etc.) - Identify threats - Identify vulnerabilities - Identify RTO/RPO/MTTR etc. - Based on business impact, categorize assets - Develop GRC based on business tolerance - Design for Failures (Design for Storms, not for Blue Skies) - Conduct testing to become proactive vs reactive - Engage with business owners to make them aware of evolving risks
Business vs Technology Resiliency
CFR (Code of Federal Regulations)
CFR - It contains the text of all the administrative laws promulgated by federal agencies. United States Code - It contains criminal and civil law.
CI/CD falls under DevOps (the joining of development and operations teams) and combines the practices of continuous integration and continuous delivery. CI/CD automates much or all of the manual human intervention traditionally needed to get new code from a commit into production, encompassing the build, test (including integration tests, unit tests, and regression tests), and deploy phases, as well as infrastructure provisioning. With a CI/CD pipeline, development teams can make changes to code that are then automatically tested and pushed out for delivery and deployment. Get CI/CD right and downtime is minimized and code releases happen faster. Some organizations use the jxt pipeline, comprised of Jules for CI and Spinnaker for CD, which enables you to apply organization-specific controls in the CI/CD (PTx process) pipeline. Courtesy - gitlab
CI/CD pipeline
Information Security Manager Responsibilities
CRO or CISO or IAO or ISO - SME - Managing the Information Security Program - Communicating with executive management - Coordinating the budget for information security activities - Ensuring development and upkeep of governance documents - Responsible for interpreting the strategic direction, and held accountable for the success or failure of their area - The ISM personnel should report as high as possible to maintain visibility, limit distortion and minimize conflict of interest. (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Chaos Testing is the deliberate injection of faults or failures into your infrastructure in a controlled manner, to test the system's ability to respond during a failure. This is an effective method to practice, prepare, and prevent or minimize downtime and outages before they occur.
Chaos Testing
Whenever any application is onboarded on a Cloud Platform, the application must be planned, designed and developed for 1) Design for Failure, 2) Resiliency by Design and 3) Secure by Design. The degree to which these approaches are applied defines the maturity level of your application deployment: Cloud Friendly, Cloud Resilient or Cloud Native. These approaches enhance HA & performance and help optimize cost by integrating agility, recovery and resiliency.
Cloud Maturity
Role generally tasked with identifying applicable statutory, regulatory, and contractual requirements
Compliance Officer (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Who has joint responsibility for identifying, and ensuring compliance with, the organization's applicable regulatory and contractual security and privacy requirements?
Compliance Officer, Information Security Officer, Privacy Officer (Ref 3.1 Contractual Compliance Requirement)
Vital Records Program
Concept whereby BCP documentation qualifies as a vital business record necessary to restart the business in the alternate location.
Copyright Law
Copyright Law - written works, such as website content, are normally protected under this law. Copyrighted material cannot be used without the owner's permission. Patent Law - protects inventions and discoveries. Trademark Law - protects words and symbols used to represent a brand.
The functional role responsible for implementing, managing, and monitoring protection mechanisms.
Custodians (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Cyber attacks can be realized through - Spoofing (Masquerading) (Authentication) - Tampering (Integrity) - Repudiation (claiming not to be responsible) (Non-repudiation) - Information disclosure (Confidentiality) - Denial of Service (Availability) - Elevation of privilege (Authorization)
Cyber Security: How are Cyber Threats realized and what are their effects?
Generally these threat actors are politically or criminally motivated individuals, who do it primarily for - Financial gain - Espionage, stealing intellectual property - Causing disruption of some sort There are some individuals who do it for fun to see what happens.
Cyber Security: What motivates these threat actors?
Generally, these are politically or criminally motivated individuals who find vulnerabilities in the system, either in information technology or in people (ignorant users), and exploit them. There are some individuals who do it for fun, or maybe some who want to cause disruption, like a disgruntled employee.
Cyber Security: Who are Threat Actors and what do they do?
Fraggle Attack - It uses the same method as the Smurf attack: a large amount of UDP echo traffic is sent to an IP broadcast address with the return IP address spoofed. Teardrop Attack - It is an attack where fragmented packets are sent to the target. Spoofing Attack - is an attempt by someone to masquerade as someone else and gain access.
DDOS Attack Fraggle Attack vs Teardrop attack vs Spoofing attack
LAND Attack (Local Area Network Denial Attack) - The attacker sends a spoofed TCP SYN packet where the source and destination IPs and ports are set to be identical. When the target receives the packet, it enters a loop that causes the target machine to crash. Smurf Attack - Uses a type of ping packet called an ICMP Echo Request, directed to a broadcast domain, and spoofs the return IP address of the victim.
DDOS Attack LAND Attack vs Smurf Attack
SYN Flood - It exploits the 3-way TCP handshake and consumes resources on the target server. Essentially, with a SYN Flood the offender sends TCP connection requests faster than the target server can process them, causing network saturation. Ping of Death - It floods the target service with oversized ICMP packets, causing the target service to either freeze or crash.
DDOS Attack SYN Flood vs Ping Of Death
Resilience is an ability to prepare for & adapt to and withstand & recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats.
Definition of Resilience in NIST Glossary
The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
Difference between Due Care vs Due Diligence
- LAND Attack (Local Area Network Denial Attack) - SYN Flood Attack - Ping of Death - Smurf Attack - Fraggle Attack - Teardrop Attack - Spoofing Attack - Zombies and Botnets
Different DDOS Attacks
Who is ultimately responsible for actions and inactions from a legal, regulatory and fiduciary perspective?
Directors and Executive Management (Ref 3.1 Regulatory & Contractual Obligations)
- Carry out BIA and identify MTD/RTO/RPO etc. - Apply controls based on criticality of applications. - Develop Plan and Procedures - Train Users - Exercise/Test the Plan - Review/Update and Maintain the Plan
Disaster Recovery Plan. (DRP)
Potential liability incurred by a company whose computer systems are compromised.
Downstream Liability (Ref 2.1 Frameworks, Benchmarks and Guidelines)
The legal term applied to the standard of care exercised by a prudent person.
Due Care - Action taken by an organization to protect its stakeholders, investors, employees and customers from harm on a continuous basis. (Ref 2.1 Frameworks, Benchmarks and Guidelines)
The term used to describe the investigation of a business or person generally before entering into a contract.
Due Diligence (Ref 2.1 Frameworks, Benchmarks and Guidelines)
A measure of the magnitude of loss of an asset. Used in the calculation of single loss expectancy (SLE). Say rebuilding and reconfiguring a datacenter would cost $10 Million and the loss expected when the threat materializes (SLE) is 5 Million, so the exposure factor would be 50%. Exposure Factor = SLE / Total Cost of Entity
Exposure Factor
Additional investments are required when you deploy your application On-Prem or On-Cloud to safeguard your business processes during unprecedented situations. When you deploy your application with a 3rd party service provider, it becomes essential to carry out due diligence to identify risks and invest appropriately to mitigate those risks and safeguard your business processes.
Extra investment in Cloud Resiliency
The focus of the Principles and Standards is to help financial institutions be less vulnerable and more resilient to Cyber Threats.
FFIEC Principles and Standards
The NIST Glossary says that Resilience is the ability to prepare for & adapt to changing conditions and withstand & recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
FFIEC has changed the definition of Resilience in the NIST Glossary. What is it?
FFIEC has expanded the BCP and DR model to encompass all possible resilience scenarios (Operational and Cyber) to ensure proactive defense, and to prepare for & adapt to changing conditions and withstand & recover rapidly from disruptions. Resilience prepares you to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
FFIEC has uplifted BCP to BCM. Why?
This institution is a formal Financial Examiner and Banking Regulator, which is empowered to prescribe uniform technology principles and standards across the financial sector to achieve a high degree of resilience and recoverability.
FFIEC (Federal Financial Institutions Examination Council)
- BCP - Business Continuity Plan - COOP - Continuity of Operations Plan - CCP - Crisis Communication Plan - DRP - Disaster Recovery Plan - OEP - Occupant Emergency Plan - CIRP - Cyber Incident Response Plan
FFIEC and NIST have spelled out requirements for Business Continuity Management. What are those?
Failure Mode and Effect Analysis FMEA is a step-by-step approach for identifying all possible failures in a design of a product or service. It is a common process analysis tool. "Failure modes" means the ways, or modes, in which something might fail. Failures are any errors or defects, especially ones that affect the customer, and can be potential or actual. "Effects analysis" refers to studying the consequences of those failures. Failures are prioritized according to how serious their consequences are, how frequently they occur, and how easily they can be detected. The purpose of the FMEA is to take actions to eliminate or reduce failures, starting with the highest-priority ones. Failure modes and effects analysis also documents current knowledge and actions about the risks of failures, for use in continuous improvement. FMEA is used during design to prevent failures. Later it's used for control, before and during ongoing operation of the process. Ideally, FMEA begins during the earliest conceptual stages of design and continues throughout the life of the product or service.
FMEA
GDPR
General Data Protection Regulation is for maintaining the privacy of customer data across borders. - The United States Department of Commerce is responsible for implementing the EU-US Privacy Shield Agreement.
Configuration Guidance Examples
Government - NIST 800 Publications. Private Sector - Microsoft - technet.microsoft.com; Cisco - www.cisco.com/support/doc (Ref 2.1 Frameworks, Benchmarks and Guidelines)
This is to standardize the PTx process within the firm and will help induct controls into the PTx process. As a result, there will be tollgates right before Pro that will make our applications HA, Secure by Design and Resilient.
Harmony
- Network Access Control (NAC) systems can be used to authenticate users and then validate their system's compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution.
How to reduce exposure to Zero-Day Attacks?
Internationally recognized Information Security Framework
ISO 27000 (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Business Continuity Plan Documentation
Includes: - Continuity Planning Goals - Statement of Importance - Statement of Priorities - Organizational Responsibility - Urgency - Risk Assessment - Risk Acceptance - Risk Mitigation Strategies
Installing a Firewall or taking preventive measures
Installing a device that will block attacks is an attempt to lower the risk by reducing the likelihood of a successful application attack.
ISMS (Information Security Management Systems)
It is a framework for designing, establishing, implementing, managing and monitoring an information security program in order to achieve the CIA triad. (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Framework
It is a logical structure to document and organize processes. (Ref 2.1 Frameworks, Benchmarks and Guidelines)
As per the Mandiant CEO: - Enhance the security of the internal infrastructure itself, e.g. Zero Trust solutions, endpoint detection solutions, encryption, access control - Enhance the security of build systems, e.g. give new software specific permissions and basic isolation - Improve the integrity of the supply chain, e.g. a secure software build process (it cannot be implemented by a single company regardless of its competencies; instead a community has been created to share research and innovations) - Continue to learn - Stay constantly vigilant
Key elements of Secure By Design
RTO & RPO are the recovery objectives for the technologies supporting a business process and are generally considered in case of traditional outages caused by natural causes like fire, flood, hurricanes etc., environmental issues like transportation, violence etc., or human error. MTD, DLT and TROL (Target Recovery Operating Level) are business recovery targets; if these thresholds are breached it can cause intolerable loss to the business or the organization.
MTD & DLT vs RTO & RPO
Metasploit is a tool used to exploit known vulnerabilities. Nikto is a web application and server vulnerability scanning tool, Ettercap is a man-in-the-middle attack tool, and THC Hydra is a password brute-force tool.
Metasploit Nikto Ettercap THC Hydra
This program is the US government repository of publicly available security guidance.
NCP - National Checklist Program (Ref 2.1 Frameworks, Benchmarks and Guidelines)
This US framework is voluntary guidance, based on existing standards, guidelines and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
NIST Cyber Security Framework (Ref 2.1 Frameworks, Benchmarks and Guidelines)
The US government repository of standards-based vulnerability management data
NVD - National Vulnerability Database (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Computer Security Act of 1987
One of the first attempts to protect federal computer systems by establishing minimum acceptable security practices. It gave NIST (National Institute Of Standards and Technology) responsibility for developing standards and guidelines for federal computer systems.
Members of management responsible for protecting subset of information and/or systems
Owner (Functional Role) (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Who is responsible for decisions related to classification, access control and protection of data or asset?
Owners (Ref 3.1 Contractual Compliance Requirement)
It is a contractual requirement that applies to - A bank issuing credit cards - A retailer accepting credit cards as payment - A business that processes credit card payments on behalf of a retailer
PCI DSS applies to
As part of P-Harmony, we are trying to standardize the PTx process across the firm to ensure consistent application of firm controls for each and every change. For example, resiliency and high availability controls are required to be integrated into the PTx process to ensure minimum tollgates are applied to each and every change going into production. Spinnaker is a CD tool that can be used for integrating the firm's controls.
PTX Process for minimum Tollgates
The outcome when operational synergies and efficiencies are achieved.
Process Integration (Ref 2.1 Frameworks, Benchmarks and Guidelines)
When you are deploying your application on a Public Cloud, you must be aware that some outages of core services can have a cascading effect and cause other managed services to go down. In such cases, client technology teams have no control and become silent listeners on the incident call until the CSP resolves the issue. That is why it is mandatory to engage business process owners so they are aware of these failure scenarios and have an alternate mechanism to conduct business in such unprecedented situations. Core services are EC2 API, CloudWatch, internal DNS, S3 etc.
Public Cloud Core Service Outage
- Identify the assets, their criticality and value - Identify threats - Identify vulnerabilities - Determine the likelihood - Identify the impact - Determine Risk as the combination of Likelihood and Impact
Risk Assessment Steps
- Categorize Systems - Select Controls - Implement Controls - Assess Controls - Authorize Information Systems - Monitor Controls
Risk Management Framework (NIST 800-53)
Risk Acceptance vs Risk Avoidance
Risk acceptance or risk retention means accepting the identified risk and not taking any other action to reduce it, because we can accept its impact and possible consequences. Risk avoidance can be achieved through proactive actions & practices; policy and procedure, training and education, and technology implementations are a few examples.
An SLA (service level agreement) is an agreement between provider and client about measurable metrics like uptime, responsiveness, and responsibilities. It is a kind of promise that you make to your client. An SLO (service level objective) is an agreement within an SLA about a specific metric like uptime or response time. So, SLOs are the individual promises you're making to that customer. SLOs are what set customer expectations and tell IT and DevOps teams what to aim for. An SLI (service level indicator) measures compliance with an SLO (service level objective). So, for example, if your SLA specifies that your systems will be available 99.95% of the time, your SLO is likely 99.95% uptime and your SLI is the actual measurement of your uptime.
SLA vs SLO vs SLI
- The SOC 1 report only provides information about the financial reporting mechanisms of the target and is of little interest to the IT security professional, so A is incorrect. - The SOC 2, Type 2 report provides details on the IT security controls used by the target, how well those controls function, and their effectiveness. - The SOC 2, Type 1 report only describes the IT security controls designed by the target, but not how effectively those controls function, so B is incorrect. - The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail.
SOC Reporting. The SSAE 16 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA)
SOX
Sarbanes-Oxley Act of 2002: enacted in response to financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices. This US law requires an internal controls assessment, including IT transaction flows, for publicly traded companies.
The term used to describe the responsibility of leadership to determine, articulate, authorize and fund the desired state of security
Security Governance (Ref 2.2 Leadership Roles and Responsibilities)
Electronic Vaulting
Service whereby data changes are automatically transmitted over the network on a continuous basis to an off-site server maintained by a third party. The term is used to describe the transfer of data by electronic means to a backup site, as opposed to the physical shipment of backup tapes or disks.
It was a major cyber attack that took place over 8-9 months in 2020. It was carried out by a group backed by the Russian Govt that penetrated thousands of organizations worldwide, including US Govt agencies, and caused a data breach. It was the worst cyber espionage incident ever suffered in the US; the hackers had access to the systems from March 2020 till Dec 2020. Organizations such as the Pentagon, NATO and Microsoft were affected by this hack.
SolarWinds Hack
STRIDE Model
Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege
Triage: The Incident Response team examines the incident to see what was affected. Investigation: Involves collection of relevant data points. Containment: To limit and mitigate the damage. Analysis: Identify the root cause of the incident. Tracking: The sources of the incident are determined. Post Mortem Review: Completed last as part of incident response. Recovery: Making adjustments and enhancements to the policies and procedures.
Steps for Cyber Incident Response
The outcome when security decision making is tied to organizational objectives.
Strategic Alignment (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Sometimes application owners suppress unwanted alerts to optimize monitoring cost. It is good practice as long as no critical alerts are suppressed. However, it is an application-specific issue, and each AO has the responsibility to enhance availability, safeguard the business process and respond quickly during its outages. That's why we recommend Chaos Testing to be proactive.
Suppressing Monitoring Alerts
What law provides intellectual property protection to the holders of trade secret?
The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from US Corporations. It gives true teeth to the intellectual property rights of trade secret owners.
1. Delphi technique 2. Facilitated Risk Assessment Process (FRAP)
The _________ is one approach to qualitative risk assessment. The Delphi technique uses a group approach designed to allow individuals to contribute anonymous opinions. The idea is to avoid being swayed by pushy people, to find synergy, and to allow participants to be honest. The ________ is another subjective process that obtains results by asking questions. It is designed to be completed in a matter of hours, making it a quick process to perform. Qualitative assessments can use many techniques such as brainstorming, surveys, questionnaires, checklists, one-on-one meetings with asset owners, and interviews.
Board of Directors Responsibilities
This is the decision-making body, such as owners, managing partners etc. - Determine the organization's Risk Tolerance - Approve policies and projects - Allocate funds - Review audit and examination results - Promote Effective Governance - Provide oversight and authorization - Fiduciary, legal and regulatory responsibilities - Standard of due care and due diligence (Ref 2.1 Frameworks, Benchmarks and Guidelines)
CIS Benchmark (Center for Internet Security)
These benchmarks are consensus-based best practices for the secure configuration of a target system, widely accepted by Govt, businesses, industry and academia. https://www.cisecurity.org (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Gramm-Leach-Bliley Act (GLBA)
This is another name for the Financial Services Modernization Act of 1999. - It contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions, which are obligated to provide written notice of privacy practices to customers.
Benchmark
This type of metric is intended to help an organization compare themselves to peers. (Ref 2.1 Frameworks, Benchmarks and Guidelines)
- LAND Attack: the attacker sends a spoofed TCP SYN packet where the source and destination IPs and ports are set to be identical. When the target machine tries to reply, it enters a loop, repeatedly sending replies to itself, which eventually causes the victim machine to crash. - SYN Flood: exploits the TCP three-way handshake and consumes resources on the targeted server. Essentially, the offender sends TCP connection requests faster than the target server can process them, causing network saturation. - Ping of Death: floods target computers with oversized ICMP packets, causing the target computer to either freeze or crash. - Smurf attack: uses a type of ping packet called an ICMP ECHO REQUEST sent to a directed broadcast address, but spoofs the return IP address. - Fraggle attack: uses the same method as the Smurf attack; the attacker sends a large amount of UDP echo traffic to an IP broadcast address. - Teardrop attack: involves sending fragmented packets to a target machine. - Spoofing attack: an attempt by someone or something to masquerade as someone else. Example: the MAC address of an unauthorized system is modified to a different address which is allowed in a network domain that uses MAC filtering. This non-security issue is called ________ and causes an address conflict. - Zombie: a computer on which an application is installed that will be used to attack another computer or network at a later date. - Botnet: a group of compromised computers that are used to carry out an attack using a bot.
Types of DDOS Attacks
Multi-factor authentication
Use of several authentication techniques together. The techniques are: - Something you know - username, password, PIN, security question etc. - Something you have - RSA key - Something you are - fingerprint. You should use a minimum of two techniques for multi-factor authentication.
The outcome when investments in support of business objectives are optimized.
Value Delivery (Ref 2.1 Frameworks, Benchmarks and Guidelines)
Critical step for Risk Acceptance
When you accept the risk, you must maintain a detailed documentation of risk acceptance to satisfy the auditors in the future.
Resilience is more important these days because of the changing risk landscape caused by 1. Global markets 2. Innovation - cut-throat competition 3. Interconnected businesses 4. Faster changing technology than ever before 5. Cloud adoption 6. Cyber threats.
Why does Resilience get more attention these days?
FISMA (Federal Information Security Management Act)
applies to federal government agencies and contractors like defense contractors or different government departments.
ITIL (Information Technology Infrastructure Library)
is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.
Evil Twin Attack
The attacker is in the vicinity with a Wi-Fi-enabled computer and a separate connection to the Internet. Using a hotspotter (a device that detects wireless networks and provides information on them), the attacker simulates a wireless access point with the same wireless network name, or SSID, as the one that authorized users expect. If the signal is strong enough, users will connect to the attacker's system instead of the real access point. - An attack that relies on an access point spoofing a legitimate access point's SSID and MAC address.