DOMAIN 1 SECURITY AND RISK MANAGEMENT
Personnel Security Policies and Procedures
1) Screening and hiring 2) Employment agreements and policies (NDAs, drug tests, references, interviews of associates, social media) 3) Onboarding and termination 4) Vendor, consultant and contractor agreements (supply chain risk) 5) Compliance policy requirements (statutory and regulatory obligations to validate things are done in a certain way) 6) Privacy policy requirements (management of PII and the expectations around that management, e.g., HIPAA). Policy is about due diligence and oversight; procedure is about due care
Control Types
1) technical or administrative measures in place to assist with resource management i.e., Directive, Deterrent, Preventive, Detective, Corrective, Recovery
Control Categories
1. Administrative Controls 2. Logical Controls 3. Physical Controls
Threat Modeling Process 5 Steps *****MUST KNOW*****
1. Identify Security Objectives 2. Survey the Application / System (we may be modeling an application or an entire system) 3. Decompose it (take it apart and put it back together to see all possible attack vectors) 4. Identify Threats 5. Identify Vulnerabilities; 4 and 5 are different: know what we are looking for in each step
Conduct assessment - Step 2 Qualitative
1) Get the org chart - decision makers, levels, responsibilities 2) Inquire what the assets are (intellectual property, real property, computer/office equipment, people and their rate of pay and value) 3) After identifying threats and vulnerabilities to those assets, determine what the risk is 4) Conduct the assessment: determine the likelihood (high, med or low rating) and impact (high, med or low rating) via walk-through or questionnaire (if the answer to a question is "no", there may be a vulnerability if there is a threat) 5) Overall risk rating 6) Handle the risk - SEE the 4 risk responses
Key Concepts of GDPR
1) Harmonization across and beyond the EU 2) Personal Data 3) no distinction between personal data about individuals in their private, public or work roles - the person is the person
Public Sector Control Classes (Gov't)
1) Management 2) Operational 3) Technical/Logical
Addresses the "WHY" of policy
1) Methods and techniques to present awareness and training - briefings, online or real time, live, pre-recorded, document; delivery modes: audio, visual, reading 2) Periodic content reviews 3) Program effectiveness evaluation
Planning Horizon - 3 Types of Goals
1) Operational 2) Tactical 3) Strategic
Conduct Assessment -Step 2 Quantitative
1) Org chart 2) Identify assets and their value 3) Identify threats and estimate potential loss: SLE = AV * EF 4) Perform threat assessment 5) Handle the risk (reduce/mitigate it, or accept/ignore it). Inputs: look at the firewall and IDS - how many attacks did your IDS/firewall see over the year and how many of those turned out to be real attacks - plus statistics, logs, etc., and what monetary loss you had; a purely quantitative risk assessment is almost impossible to do
NIST Overall Risk Assessment Process Steps 1 of 4
1) Prepare for assessment 2) Conduct assessment 3) Communicate Risks/Results 4) Maintain assessment
Skills or Things you need in BCDR/BIA
1) Project mgmt 2) Senior mgmt support* (extremely impt; if no support, no due care or due diligence = no mitigation of risk; decision makers are backing it because culture flows from them and support comes from them) 3) Project scope (what is our focus; limited resources; be mindful; a scope document helps to filter down to what is really needed; POC, SOW) 4) Resources (clearly identify resources, whether physical or people; WBS; document the info) 5) Timeline
4 canons of the Code of Ethics
1) Protect society, the common good, necessary public trust and confidence, and the infrastructure; life/people safety is more impt than info 2) Always act with honor, honestly, responsibly, and legally; be aligned with legal requirements 3) Provide diligent and competent service to principals; make sure we do our job, show up every day, trained and up to the task 4) Advance and protect the profession; never put CIA at odds with the mission and objectives of the organization; never put ourselves, our company, the profession or customers in a bad light (i.e., ethical hacking)
Two ways to measure risk
1) Qualitative risk assessment - subjective, relies on deeply knowledgeable people 2) Quantitative risk assessment - based on measurable values; the two can be mixed together into a hybrid assessment that uses people with different kinds of skills
Penetration Testing Methodologies - 5 Steps (whether hacking or white hat)
1) Reconnaissance - fact finding; prepare the assessment 2) Enumeration 3) Vulnerability analysis - analyze vulnerabilities, weakness identification 4) Execution / Exploitation - to gain access; still need to validate how far you can go (i.e., can get in, but have no username and password; worth noting, but not the same as no username at all) 5) Document findings - look for ways to create opportunity to remediate and give value; what other areas can we look to pen test; overview; executive report highlighting the most important findings; detailed report; appendix
There are 8 domains
1) Sec and Risk Mgmt 2) Asset Sec 3) Sec Architecture and Engineering 4) Comm and Network Sec 5) Sec Identity and Access Mgmt 6) Sec Assessment 7) Sec Operations 8) Software Dev Sec
5 aspects of the Standards of Good Practice for Information Security
1) Security mgmt 2) Critical business applications 3) Computer installations (our hardware and how we build it) 4) Networks - how we communicate and collaborate between two or more systems connected over a LAN or WAN via IPs, VPNs, DNS, DHCP, etc. 5) SDLC - the system or software and how we choose to identify, document and build it
5 ITIL Life cycle phases
1) Service Strategy 2) Service Design 3) Service Transition 4) Service Operation 5) Continual Service Improvement CSI
Types of Attacks
1) Social Engineering 2) Pretexting 3) Phishing 4) Baiting 5) tailgating
4 things help us in a BCP Program
1) Talk to senior mgmt to get buy-in; approval MUST BE in writing 2) Define the scope or coverage (what will be inside and outside of the scope) 3) Estimate project resources - cost ($), what do we have available, what can we do; knowledge - the capability to do these things is a resource (i.e., we may have a constraint on knowledge) 4) Define a timeline in which all of these things will take place
8 individual rights under GDPR
1) right to be informed 2) right of access, 3) Right to rectification, 4) Right to erasure, 5) Right to restrict processing, 6) Right to data portability, 7) Right to Object 8) Rights in relation to automated decision making and profiling
Predisposing event
An event that makes someone liable or inclined to a specified attitude, action, or condition; ask: are we patching, testing, doing vulnerability assessments, doing baseline assessments
5 categories of NIST CSF
Identify, Protect, Detect, Respond, Recover
Conduct Assessment -Step 2 Qualitative
Can be done qualitatively or quantitatively; qualitatively - interviews with key players and subject matter experts to tell what the assets are, the types of threats and vulnerabilities faced, what the likelihood is that a vulnerability can be exposed, and what the impact would be if it were exposed
ISO27006
Certification agency, A guide to the certification/registration process
CSRC
Computer Security Resource Center
SP800-61R2
Computer Security incident handling
NIST SP800-160 Vol1 | Vol2 Systems Security Engineering
Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
Downtime
Consists of two elements, the system recovery time and the work recovery time. Therefore, MTD = RTO (Recovery Time Objective) + RPO. The time available to recover disrupted systems and resources
Maintain assessment - Step 4
Continuously monitor; every six months review the assessment and update it (iterative process); keep the Risk Register up to date; see if vulnerabilities have changed; look for new threats
Trade Secret Law
Corporate resource that protects a specific resource and provides the organization with a value or advantage
Business Risk
Cost of doing business; The possibility of loss (failure) or gain (success) inherent in conducting business
Due care
Identifying what you need to do and ensuring you are complying with laws, rules, regs, etc. It is about knowing what to do; asking whether you are doing the things a reasonable person would do; the standard of care used. Is the care you are using documented and approved to minimize risk?
A good investment is
If it costs as much as or less than the cost of the loss it prevents, it is seen as a good investment; if it costs more, it may still be seen as a good investment, but we have to increase the recoup time to see the return - instead of 12 months, maybe 24 months
FIPS 199
Impact Assessment where you are just looking at the impact of different types of data; NOT a Risk Assessment because only looking at Impact and not Likelihood
Continuity of Operation Plan (COOP)
Implies there is a disaster and you have to recover to an alternate site
Public sector is more concerned with
Confidentiality
CVSS
Created by the US; Common Vulnerability Scoring System; open protocol for scoring new vulnerabilities; brings together major players in the technology, I.T. and security spaces. People in companies and entities like Cisco, Symantec, Microsoft, etc., contribute behind the scenes (research, vulnerability information, etc.) to come up with a common system that can expose, discuss and score vulnerabilities and make them available, so we can then interact with them
MTD Times
Critical = minutes to hours; Urgent = 24 hours; Important = 72 hours; Normal = 7 days
ISO27010
Critical infrastructure management
Personal data
Data about a living identifiable person, which is specific or uniquely identifiable to that person (physical, physiological, genetic, mental, economic, cultural or social identity - 23 and me)
Security awareness training ****IMPT TO KNOW****
Establishing an understanding of the importance of, and the need to, comply with security policies within the organization; should be broken up by audience (mgmt, mid-level, technical). Through good, clear communication and good documentation it standardizes behavior, and as a result of that it leads to risk mitigation.
EAL
Evaluation Assurance Level
Framework for specification of evaluation Protection Profile (PP)
Evaluation Assurance Level (EAL 1-7)
COBIT IT Governance framework associated with GRC (governance risk and compliancy)
Examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of high-level control objectives. Having controls; GRC-heavy auditing; metrics; regulated industries
Supply Chain Risks
Examples: Insertion of counterfeits, unauthorized production, tampering, threat, insertion of malicious software and hardware (GPS tracking, computer chips), poor manufacturing and development practices in the supply chain. These risks are realized when threats in the supply chain exploit existing vulnerabilities
Data controller Accountability
Exercises due diligence. The processor, under the guidance provided by the controller through due diligence, exercises due care. The data controller is the overseer and has accountability. They ensure that all the other seven things are happening and shape the discussion, the interaction, the collection, the management, storage, usage, etc., throughout the life cycle of the data. If we don't have the oversight function, or if we don't bring due diligence, we don't act through the other seven areas with due care, and we're not exercising the proper level of thought, protection, integrity and confidentiality around our data
prevent, detect, correct
First reaction is to PREVENT a security breach; since we can't prevent the unknown, second is to DETECT and then take CORRECTIVE action
Time limits for GDPR
Guidance only - data controllers must notify the appropriate supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it." If notification is not made within 72 hours, the controller must provide a "reasoned justification" for the delay; 30 days for request for personal information
NIST SP800-30R1 *****IMPT TO KNOW*****
Guide for conducting risk assessments
NIST SP800-30R1 p12 (IMPT)
Guide for conducting risk assessments; the SP800 series goes all the way back to the 1970's or so and is the foundation for much of the modern reference we have for guidelines. SEE IMAGE
NIST SP800-121R2
Guide to Bluetooth Security
NIST SP800-37R1
Guideline for applying the Risk Management Framework (RMF) to Federal Systems; originally SP800-37
NIST SP800-88R1
Guidelines for Media Sanitization
Integrity Controls applied
Hashing, separation of duties, dual control (two-man rule, e.g., launching a weapon, safety deposit box)
HIPAA
Health Information Portability and Accountability Act; "Act" means it's a law and regulation for the medical industry. HITECH is applicable to BAAs. If they don't say specifically that it's a law, then it applies to the industry
ARO (Annualized Rate of Occurrence)
How often over a single year we are going to see that event occur (i.e., 3 times)
Risk Assessment Process
How we figure out what a risk is; it is a process
Qualitative Risk Assessment
INTANGIBLE; determines the product of likelihood and impact to produce a level of risk; the higher the risk, the more immediate the need; an assessment based on human perception rather than data; NOT numerically or metrically based, but uses soft factors like brand and reputation, and how the impact to that company may be negatively perceived (Risk Matrix)
ISO27009
IS governance
ISO27003
ISMS implementation guide
ISO27004
ISMS metrics
COBIT 5
IT business framework for governance, compliance and risk mgmt created by ISACA.org and focused on GRC activities; COBIT allows us to frame the concepts and the conversations within the business around IT governance and what governance, risk and compliance mean
The GDPR provides exceptions to this additional requirement for the controller to notify data subjects in the following circumstances
1. The controller has "implemented appropriate technical and organisational protection measures" that "render the data unintelligible to any person who is not authorized to access it, such as encryption" 2. The controller takes actions subsequent to the personal data breach to "ensure that the high risk for the rights and freedoms of data subjects" is unlikely to materialize. 3. When notification to each data subject would "involve disproportionate effort," in which case alternative communication measures may be used
Additional Concepts for Integrity
1. accuracy 2. authenticity 3. validity 4. nonrepudiation - a user cannot deny having performed an action; when we have integrity with our email and have a digital signature and hashing creating a message digest, we get nonrepudiation
Three ways in which we can understand Integrity:
1. preventing unauthorized subjects from making modifications (users seeking to access data, or NPEs - non-person entities such as an application, account or computer account proxying on our behalf) 2. preventing authorized subjects from making unauthorized modifications 3. maintaining consistency of objects so that they are true and accurate (ensure the data or asset is kept in a consistent, true, known-good state; data can be modified by a system process or flags can be changed on that data; timestamp, metadata)
Confidentiality Concepts
1. sensitivity 2. discretion (may have more than one scenario, but choose the best correct answer; minimizes administrative overhead and cost) 3. criticality 4. concealment 5. isolation 6. integrity 7. principle of least privilege 8. need to know
Availability Concepts
1. usability 2. accessibility 3. timeliness
Security Safeguards
3 layers: technical safeguards, data safeguards, and human safeguards; vlanning, access control
BIA Process 4 Steps (KNOW IN ORDER) (SP800R1)****MUST KNOW***
4 steps: Step 1 - Gather info (interviews re services); Step 2 - Vulnerability assessment - weaknesses of systems (outage, attack - what takes them out of service?); Step 3 - Risk analysis - the outcome, qualitative (opinion, 1 to 10) and quantitative ($ based, ALE = SLE * ARO); threat analysis to determine what would happen if the service is not available; Step 4 - Communicate findings
Individual Participation
A fair information practices principle: ask the individual to opt in; we can't assume we can take your data without your knowledge and consent
Information Security Handbook
A guide for managers SP800-100
Risk Matrix
A matrix that lists an organization's vulnerabilities, with ratings that assess each one in terms of likelihood and impact on business operations, reputation, and other areas; typically high impact, high urgency would be in the uppermost right-hand quadrant, and low impact would be in the lower left.
Safe Harbor (PRIVACY)
A negotiated agreement between two parties that relaxes the regulatory requirements and burden by allowing the negotiating participant to adhere to the spirit of the law as opposed to the letter of the regulatory compliance. I.E., things like Directive 95/46 and rights around personally identifiable information and privacy, but it could deal with a variety of things
COE is made up of
A) COE Preamble B) COE Canons - 1) Protect society, commonwealth and infrastructure (DO NO HARM AND PROTECT LIFE ABOVE ALL ELSE) 2) Act honorably, justly, responsibly, and legally 3) Provide diligent and competent service to principals 4) Advance and protect the profession C) Organizational COE
Formula for quantitative risk assessment
ALE = SLE * ARO; ALE = annual loss expectancy; SLE = single loss expectancy; ARO = annualized rate of occurrence
The Computer Security Act 1987
Aimed to Improve the security and privacy of sensitive info in federal computer systems and to establish a minimum acceptable security practice for these systems
Supplementation
All about making additions or adding on (resources, things that overlap) in order to reinforce and give us more value in support of the mission objectives of the assessment; if we haven't scoped or tailored, we cannot measure properly to know whether we are doing well or not
Data Protection Officer (DPO) (GDPR)
All public authorities have one; expert knowledge of law and data; the independent voice that sits above the controller and data processor; they monitor compliance; advise with regard to impact assessments under Article 33; work with the controller or processor and the supervisory authority and are the key contact point for that authority; single voice of communication; single conduit for information flow between the organization and any outside exchange around issues supporting and/or in alignment with GDPR; all communication in and out
Memorandum of Understanding (MOU)
An agreement between two or more parties to enable them to work together that is not legally enforceable but is more formal than an unwritten agreement. (M&A)
Penetration Strategies
Microsoft Baseline Security Analyzer (MBSA) ⦁ Ext Testing (white box) - pay someone to test the system ⦁ Int Testing - do the test internally; red/blue teams and tiger teams are terms used in government, military and the private sector ⦁ Blind Testing (black box) - one of the two groups involved in testing knows something the other doesn't (similar to external or internal testing) ⦁ Double-blind Testing - both the internal and external teams are told nothing; they will get IPs that are off limits or life-safety constraints, which goes back to scoping and tailoring
Tactical management
Mid-term goals (the things we do monthly or weekly); goals that involve how the security systems are developed and implemented to meet policy requirements
Security Control Assessments (SCA)
Monitor the controls we use and assess how well they are performing; the different controls or countermeasures applied are assessed on an ongoing basis for how well they are doing; when things change, we may need to change
countermeasure control categories
Must be cost-effective and appropriate. They should also provide value - cost affects how we deal with quantitative risk assessment and the evaluation of risk. We ask how much we will have to spend to acquire and/or implement it against the actual problem; we are attempting to mitigate risk; if the countermeasure costs as much as the problem, we may still want to have it depending on how long the risk is around
Risk Assessment Methodologies***IMPT TO KNOW ***
NIST 800-66r1; FRAP; NIST 800-38; OCTAVE; NIST 800-30r1; SOMAP; CRAMM; VAR; FM & EA; Spanning Tree
Places to find updates
NIST, ISF, ISO, BSIMM
NIST
National Institute of Standards and Technology. NIST is part of the U.S. Department of Commerce, and it includes an Information Technology Laboratory (ITL); globally recognized; US gov't institution f/k/a the National Bureau of Standards; NIST is the United States National Measurement Institute and promotes and maintains measurement standards for government agencies, academia and industries. It also has active programs for encouraging and assisting industry and science to develop and use these standards.
Octave 2003 *******MUST KNOW**********
Operationally Critical Threat, Asset, and Vulnerability Evaluation (2003); risk management threat modeling framework
OECD (PRIVACY)
Organization of Economically Developed Countries - in 1985 originated trans-border data flow; privacy principles that help to focus on how we capture info, manage it, and what we do with it; the OECD developed the 8 core principles of privacy
AS/NZS 4360
Original 2004 and updated in 2009; tied to an ISO implementation; the world's first Australian and New Zealand risk mgmt standard, made up of 5 steps. A risk mgmt methodology that can be used to understand a company's financial, capital, human safety, and business decision risks. Although it can be used to analyze security risks, it was not created specifically for this purpose. This risk methodology is more focused on the health of a company from a business point of view, not security.
Private Sector Control Classes
Overarching above Control Types: 1) Physical (guards, guns and gates) 2) Administrative (policy based, rules) 3) Logical (technical) (things we implement through software, e.g., VPN or VLAN)
Contingency
PREDICT; a possible future event that must be prepared for or guarded against; a possibility
Safeguard
PROACTIVE security control put in place BEFORE vulnerabilities are exposed, to prevent exposure
Use Limitation
Personal data should not be disclosed or used for purposes other than stated in the Purpose Principle, except with the consent of the individual or by the authority of law (ex. if your doctor collects data to treat you, they cannot then sell that data to another without your knowledge and consent)
NIST SP800-193
Platform Firmware Resiliency Guidelines
PIA (GDPR)
Privacy Impact Assessment
NIST SP800-171R1
Protecting Controlled Unclassified Information in NON-FEDERAL Systems and Organizations
countermeasure (control measure) ********MUST KNOW************
REACTIVE security control we use to deal with a threat's adverse impact AFTER the fact
Guidance
Recommendations, suggestions or a set of steps, procedures, processes, a path, and how we measure whether we are successful or not at doing something
BIA or business impact Analysis (coop operation)
Risk mgmt mitigation tool used to understand and determine what impact a disruptive event would have on an organization, and how business-critical services, if disrupted, would rank by priority; it's about measuring the importance of services, because we have a limited amount of resources and time, so not everything warrants the same protection; the BIA helps us frame risks and rank services by their importance and why; should be done, examined, renewed and refreshed semi-annually or at least once a year
SP means
SP for special publication and R stands for Revision
The concept of Safe Harbor is
Safe harbor (2000) is the idea that we can negotiate an agreement, in this case between two or more countries (the EU and US), almost like a sideline agreement, that allows us to stipulate that while we may not follow the letter of the agreement, we will comply with the spirit of the law
NIST SP800-125AR1
Security Recommendations for Server-based Hypervisor Platforms
Availability
Security actions put into place for continuity and in the event of a disaster; they ensure that AUTHORIZED users can access data at the appropriate times
NIST SP800-53R5
Security and Privacy Controls for Information Systems and Organizations
NIST SP800-53R4
Security controls for federal gov't information systems; the most current one is currently 800-53R4
Operational risks
Short-term goals (things we do daily: vulnerability scanning, reviewing of logs) - concerned with performing the day-to-day business transactions of the organization; threats inherent in the technologies used to reach business success
Information Security Forum
Standards of Good Practice for Information Security; where we get the 5 aspects (standards of IS); broken into 30 areas and 135 sections
Goals, Missions and Objectives are made up of
Strategic view - goals; Tactical view - what you do and how you execute; Operational vision - stitches the goals and tactical views together; Strategy - managed through policy and procedures
NIST SP800-161 p7 ******IMPT TO KNOW*******
Supply chain risk mgmt practices for Federal Information Systems; even though it says it is for federal use, it is used worldwide to manage supply chain and third-party risk in an org
Quantitative
Tangible; when we quantify the measure of risk; a numerical assessment assigned when we drill down into our understanding and assessment of the potential impacts of risk.
Vulnerability Assessments/testing
Tell us what weaknesses exist in our network; we test to make sure what we think is happening is actually happening; trust but verify; can be a physical or software configuration or misconfiguration
Rights in relation to automated decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention (big data, AI, machine learning); we can't let a computer alone make a damaging decision that can impact you negatively. A human must be involved in that process. We could still have the computers produce all that output and recommend yes or no, but a human must go through it, look at it, and then ultimately make that decision
ITIL
The Information Technology Infrastructure Library (ITIL) is a service framework for how we provide Information Technology Services Management (ITSM) to the business. ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.
Integrity Controls give you
The ability to oversee, monitor and manage the current, present, well-documented, agreed-upon state of data so that if it were to be modified in any way, we would have a record or knowledge of it and the ability to go back through incident response; changing or removing data without prior consent is a violation of integrity
Privacy by Design
The concept that organizations need to build privacy directly into technology, systems and practices at the design phase, thereby ensuring the existence of privacy from the outset. Originating in the mid-1990s by the Information and Privacy Commissioner of Ontario, the principle has gained recognition around the globe, including from the U.S. Federal Trade Commission and the European Commission.
RTO (recovery time objective)
The max amount of time it will take to recover from an event; RTO and MTD can be the same, but then there is no margin for error - if things don't go well there is no buffer; better if RTO is less than MTD
Maximum tolerable outage (MTO)
The maximum time that the organization can support processing in the alternate site; O = outage at the alternate facility
Exposure Factor (EF)
The measure or percentage of loss experienced IF a specific asset were attacked
E-Privacy Regulation is lateral to the GDPR
This global legislation controls/regulates the flow of personal data and the management of data across all electronic communications, including telephony (i.e., non-verbal communication over the web, using a form or RDP); significant penalties for non-compliance. In the UK this regulation will replace the existing PECR laws
US-EU Safe Harbor framework
US maintained website
Right of access
Under the GDPR, individuals will have the right to obtain: • confirmation that their data is being processed; • access to their personal data; and • other supplementary information - this largely corresponds to the information that should be provided in a privacy notice (see Article 15)
Export Administration Regulations (EAR)
Under what conditions can we export (US) - dual use goods
Examples of assessments
Vulnerability assessment, penetration testing
Impact ********MUST KNOW************
What a threat will cost, qualitative and quantitative
loss potential
What the company would lose if a threat agent actually exploited a vulnerability
Examples of due care
When practitioners implement it through procedures - need to know, least privilege, job rotation, separation of duties
Right to restrict processing
When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future (backups)
Management framework
Zachman framework, the Calder-Moir framework, TOGAF, DODAF, MODAF
Categories of Penetration Testing
Zero knowledge a/k/a black box - NO knowledge; Partial knowledge a/k/a grey box - SOME knowledge; Full knowledge a/k/a white box - on the inside and know all
data breach or personal data breach (GDPR)
a breach of security leading to the accidental or intentional, unlawful, willful destruction, loss, alteration, unauthorized disclosure of, and/or access to personal data transmitted, stored or otherwise processed
Preventive
a camera and a sign or a lock
security frameworks allow us to have
a common vocabulary; they create context and give us a central, shared point of reference and commonality for our communication, discussion, and dialogue around how we approach management, and they structure and define a set of requirements and elements that help us to measure whether or not we're being effective in what we do
Risk Assessment
a component of risk management; 4 steps to completing risk assessment
Deterrent
a control - deters you from doing something (i.e., cameras)
Consent must be freely given
a controller cannot insist on data that's not required for the performance of a contract as a pre-requisite for that contract
code of ethics a/k/a code of professional ethics
a formal statement of ethical principles and rules of conduct; COEs help to standardize behavior, conduct and focus in and around the organization
The Economic Espionage Act of 1996
a law that makes the theft of trade secrets by foreign entities a federal crime in the United States; (Edward Snowden)
MTD (Maximum Tolerable Downtime)
a measure of time; The longest period of time a business can be inoperable without causing the business to fail irrecoverably. It encompasses the entire window of time from the beginning of RTO to resume production
Directive
a policy control - only allow this for this reason; we only allow remote access through VPN
Threat Modeling (risk mgmt)
a process defenders use to systematically identify, enumerate and prioritize potential threats, viewed from a hypothetical attacker's point of view; allows for use cases; uses attack vectors, attacking tools or approaches to view the world from a bad actor's point of view and ask "what if" this happened: what are our concerns, what are the targets or assets they want, what would we do; may involve tying into vulnerability and pen testing to have a complete package to assess and examine
Trademark
a recognizable sign, design, or unique expression that distinguishes the products or services of a particular source from those of others; for services, usually called service marks
COSO (Committee of Sponsoring Organizations)
a risk framework; it speaks about the control element of risks, how we setup controls, manage it and control it - 5 areas of internal control
Reputational Risk
a risk of loss resulting from damages to a firm's reputation, in lost revenue; increased operating, capital or regulatory costs; or destruction of shareholder value, consequent to an adverse or potentially criminal event even if the company is not found guilty.
Delayed Loss
a loss that is secondary in nature and takes place well after a vulnerability is exploited; may include damage to the company's reputation, loss of market share, accrued late penalties, civil suits, and the delayed collection of funds from customers
Patent
a set of exclusive rights of OWNERSHIP granted by a sovereign state or governmental organization to an inventor or assignee for SOMETHING NEW/NOVEL, USEFUL AND NON-OBVIOUS, for a limited period of time (typically 20 years), in exchange for detailed public disclosure of the invention
intellectual property (IP law)
the body of law we apply to intangible creative work embodied in physical form; includes copyrights, trademarks, patents and trade secrets. For an organization, protected information also covers sensitive data, PII, financial data and information about M&A that could be used to manipulate stock prices. To claim trade-secret protection the organization must be able to demonstrate that it took reasonable steps to secure the information.
Integrity controls or countermeasures
a. strict access controls / authentication b. IDS (a passive monitoring system that alerts when something goes wrong but does not take action) c. encryption (it doesn't matter if an attacker obtains the data as long as the encryption holds) d. hashing (not about keeping data secret; it is about detecting that no changes to the data have occurred, and that any changes that did occur were authorized) e. interface restrictions / controls (e.g., the data can only be accessed from a workstation under strict controls) f. input / function checks (validation when typing in data; e.g., when you ask to save a record you must insert your smartcard to prove you have permission to save it)
Availability controls or countermeasures
a. strict access controls / authentication b. continuous monitoring c. firewalls and routers to prevent DoS / DDoS attacks d. redundant system design to eliminate SPOFs (single points of failure) e. periodic testing of backup systems; redundancy, backups, remote site hosting (hot, warm, cold sites), high availability (active/passive cluster) and fault tolerance (zero downtime)
Right to erasure
a/k/a 'the right to be forgotten; this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing
Data Processors in GDPR
the entity that actually performs the data processing ON THE controller's behalf; must act with due care
contractual
agreed in a contract (written or verbal); standardized and adhering to the contract's requirements
Should the controller determine that the personal data breach "is likely to result in a high risk to the rights and freedoms of individuals," it must
also communicate information regarding the personal data breach to the affected data subjects. Under Article 34, this must be done "without undue delay" (the separate notification to the supervisory authority under Article 33 must be made within 72 hours where feasible)
GDPR also allows the data protection officer functions to be performed by
an employee of the controller or processor or by a third party service provider
The ITIL framework is
an IT service management framework that originated with the UK government (the CCTA) in the 1980s; it defines what customer service is in IT and how we measure it; it standardizes the selection, planning, delivery and support of IT services to a business
Breach
an occurrence or event that has compromised data and impacted one or more elements of the CIA triad, with the result that data was modified, disclosed or rendered unavailable, with a negative outcome; a countermeasure being bypassed or rendered ineffective
Threat Source a/k/a threat actor or BAD actors ********MUST KNOW************
any entity, event or situation that has negative consequences, or that, if it occurred, would prevent normal operation of the organization; can be internal or external, intentional or accidental (i.e., not just hackers; note that red teams simulate threat actors under rules of engagement negotiated and approved by the customer)
User
any person who has access to a secured system
Threat event
any potential adverse occurrence or unwanted event that could injure the organization or prevent normal operation; not all events are bad
Regulations
apply to governmental agencies and industries; the use of governmental authority to control or change some practice in the private sector; punishment includes fines or loss of license or designation
Risk Management
applying overlapping controls and countermeasures to mitigate risks and reduce them to a tolerable level, based on the business's risk appetite; change management and risk management go together - you have to have both
CMMI and UML
are not threat models. They may provide elements of frameworks associated with aspects you engage in during threat modeling, but they are not threat models
ISO 27002
are the security controls that help us frame ISO 27001; Organisations can achieve certification to ISO 27001 but not ISO 27002
E-Privacy Regulation is important for digital marketing activity
as it overrides the GDPR's allowance for legitimate interests and enforces consent on all digital communications for marketing purposes. There will still be an allowance for the "soft opt-in" where customers can be communicated to about similar goods and services with an opt-out only, but it should be noted that the wording here has been tightened restricting the use to customers only
willful destruction or alteration of data is
as much a breach as theft; it's about integrity, confidentiality and availability
ISO27007
guidelines for auditing an information security management system (ISMS)
Copyright covers
books, advertisements, articles, graphic designs, labels, letters (including emails), lyrics, maps, musical compositions, product designs, etc.
BS 7799 Part 1, ISO 17799, ISO 27002
code of practice; ISO 27002 descends from the British standard BS 7799 Part 1 by way of ISO 17799; the 2005 edition listed 133 controls with detailed implementation guidance; BS 7799 is the original British security standards document
Computer related crimes
computer-incidental crimes
"downstream" responsibility of DSAR's
controllers must take "reasonable steps" to notify processors and other downstream data recipients of such requests
Access Controls
controls that restrict unauthorized individuals from using information resources and are concerned with user identification; may be temporal (time-based) or discretionary (managed by the data owner)
STRIDE Methodology *******MUST KNOW**********
created by two security practitioners, Loren Kohnfelder and Praerit Garg, at Microsoft in 1999, to assess applications and their security; it characterizes known threats according to the kind of exploit used (or the attacker's goal). Stands for Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
A company with multiple subsidiaries may appoint a single
data protection officer so long as they are "easily accessible from each establishment
Avoidance
decide not to engage in the behavior that creates the risk; eliminate the risk by not doing what would lead to it (i.e., not deploying a product or feature, not running Windows where it is the source of the risk); contrast with mitigation, where you keep doing the activity but reduce the risk (patching, antivirus)
Scoping and Tailoring - In step 1
decide through scoping what will and will not be included in the assessment then tailor it to filter and/or modify our approach to fit our scope objectives (i.e., iterations when doing SDLC)
Exposure
degree to which you are susceptible to asset loss due to a threat
BCP Planning begins with
developing a BCP Program - wherein we sketch out the parameters of what the program means
Administrative Controls
primarily directive controls: policies and procedures, privilege management, personnel controls and monitoring
Logical (Technical) Controls
hardware and software mechanisms that enforce policy: authentication, access control lists, firewalls, encryption, IDS/IPS, logging
Deterrent Controls
discourage people from violating security directives and reinforce directive controls (i.e., warning banners, visible cameras)
The GDPR regulation expressly prevents
dismissal or censure of the data protection officer for performance of his/her tasks and places no limitation on the length of their tenure
Due Diligence
the ongoing, day-to-day effort of overseeing the standards that have been set and the security culture guided by the framework, so that everybody can be held accountable within that culture and is responsible for operating appropriately within it (due care is doing the right thing; due diligence is the ongoing investigation and oversight that verifies it is being done)
Asset valuation
dollar value assigned to an asset
E-Privacy Regulation
ePrivacy, ePrivacy2, PECR2, ePR
Cybercrime
engaging in criminal activity through use of a computer; impacts: a. loss of intellectual property and sensitive data b. damage to brand image/reputation c. penalties and compensatory payments d. cost of countermeasures e. regulatory and compliance consequences (jail time, censure, assets seized)
Integrity controls are not about
ensuring info is kept confidential/secret; integrity is important because if the info is changed, its meaning may also change
Job Rotation (personnel security/EMPLOYEE CONTROL)
ensuring people can move through different jobs in organization - enables cross training - ensure knowledge documentation
Third Party Assessment
ensuring we have visibility through some sort of audit, verification, validation and assurance process so that due diligence and due care are being applied. We have to have good, clean, understandable, signed-off-on and agreed-to SLAs (service level agreements) that are contractual vehicles binding both customers and suppliers/providers to a set of assumptions and a set of requirements
Reporting
the last step of every assessment is to communicate findings and summarize effectively what you have done; timeliness and understandability matter
privacy management (GDPR)
exercising personal control over confidential information in order to enhance autonomy or minimize vulnerability; The regulation mandates a "Risk Based Approach:" where the appropriate organizational controls must be developed according to the degree of risk associated with the processing activities.
Standards
external guidance that industries should align with to maintain a designation or certification
Detective
finds suspicious behavior and alerts you (IDS)
Standardization/Standards
formalized (written down) guidance that specifies the things we need to do and the way to do them; when the standard comes from a regulatory agency, non-compliance carries a penalty
ISMS is a
framework of policies and procedures that includes mgmt of all legal, physical and technical controls involved in an org's info risk mgmt processes. Tells you what you should have in place but doesn't tell you how to do it - strategic level
Acceptance
going to engage in risk behavior even though there may be a downside, the cost of doing business
Risk Framework
guideline or recipe for how risk is to be assessed, resolved and monitored, e.g., COSO, ITIL, ISO 27001 (ISMS) and ISO 27002 (controls), ISO 17799/BS 7799, ISO Guide 73:2009 (risk management vocabulary), ISO 31010:2009 (risk assessment techniques), ISO 31000:2018 (risk management guidelines)
ISO31000
guidelines on managing risks
Security Control Frameworks
help us structure management's identification of requirements, goals and objectives
Policy
high level strategy or statement of events, gives direction but not details or specific approach of how to get there; they should be broad in scope and coverage; details come in supporting documentation
BCP - business continuity planning
how we get back to normal; if something isn't working, we need to understand what isn't working and what it means, and what steps we take to get systems working again to restore continuity
OECD 8 core principles of privacy
i. Collection limitation ii. Data quality iii. Purpose specification - state what we capture data for and narrowly define that need iv. Use limitation - use the data only for the purposes specified, so we don't capture or use more than we need and don't expose data v. Security safeguards vi. Openness vii. Individual participation viii. Accountability (of the data controller)
incidents and breaches are important because of
i. Privacy ii. Governance iii. Risk iv. Compliance
Internal Penetration Testing
important because people who know the system know where to look for holes, but they may also ignore certain things or test only for compliance; even if you meet compliance, an external tester will look for all the ways to get in
High availability
involves brief downtime while we fail over to a standby system and bring it back up (i.e., an active/passive cluster); contrast with fault tolerance, which has zero downtime
International Wire Transfer
is governed by the laws of the countries that use it, so the data remains subject to the agreements of each country it travels through
Risk Value
is how we measure risk
Data Custodian
is responsible for implementing the protections called out by the security policy at the behest/direction of the data owner. Performs all activities necessary to provide CIA protection.
The ITL
Information Technology Laboratory; supported by NIST, it publishes special publications related to security that are freely available for download at http://csrc.nist.gov/publications/PubsSPs.html
ALE
Annualized Loss Expectancy: the expected $ loss from a given risk over one year; ALE = SLE (single loss expectancy) x ARO (annualized rate of occurrence)
organizational process role and responsibility
is this idea of well thought out, well defined, and communicated policies and procedures that everybody understands
Risk Assessment Goal
is to identify, catalog and mitigate risks
BCP Planning
is when individuals from different areas of the organization get together to jointly produce a plan as a set of written/documented requirements; a detailed, action-oriented capability that we develop in the business; a story or narrative about what we should do if something isn't working; a good plan encompasses what needs to happen and how
Right to data portability
it allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way; the controller must supply the data in a structured, commonly used, machine-readable format (for example CSV or JSON) so the individual is not locked in to one vendor's proprietary system
Recital 171 of GDPR
makes clear that existing consent is O.K. if it was in line with the purpose of GDPR; you're not supposed to go out and consistently seek a renewal of consent because certain activities can be seen as being problematic for other reasons
Disclosure
making secret information public; breaks confidentiality; disclosures can happen as a result of a breach
Adverse impact
the magnitude of harm if a vulnerability is exploited: what it would cost or mean if it happens
Security controls (general)
mechanisms, rules, policies and procedures put in place to manage risk; physical examples: guns, guards, gates, sign-in sheets, security cameras, card access, CCTV monitoring, continuous observation
The goal of the ISMS is to
minimize risk and ensure continuity by pro-actively limiting the impact of a sec breach and to ensure business is conducted within an acceptable level of risk (minimize risk and maximize CIA)
Mitigation
minimize the risk: continue the activity but execute countermeasures at every opportunity (keep patching up to date; access control; treat administrative accounts specially)
BS 7799
morphs into ISO17799 which ultimately becomes the bedrock and baseline for ISO 27001 and 27002
Defense-in-Depth Strategy
multiple layers or levels of controls providing layered security; a series of concentric rings in which controls overlap and mutually reinforce each other to minimize risk. Remember, if one control is good, two is better, and three is better than two, because they may be implemented differently in different systems, be managed and overseen by different areas of the business, and address different vulnerabilities in different areas of the architecture even though they are the same kind of control.
EU-U.S. Privacy Shield Framework
the framework that replaced Safe Harbor as the basis for transferring personal data from the EU to participating US companies; invalidated by the Court of Justice of the EU in the Schrems II decision (July 2020)
when a data processor experiences a personal data breach, it must
notify the controller but otherwise has no other notification or reporting obligation
COUNTER MEASURE SELECTION
offset risk; countermeasure selection is about choosing the things we will do to prevent unauthorized access to or compromise of the system, weighing each countermeasure's cost against the risk reduction it provides
Repudiation occurs when
one party in a transaction denies that the transaction took place
security frameworks are never
one size fits all; they are one size fits one. They should be used as guidance, a starting point or skeleton; they don't have to be taken verbatim but do have to be documented and implemented so we can audit, validate and verify against them; they help us translate those ideas into what we already do without ripping and replacing everything
Guidelines
optional things, a set of best practice recommendations not forced to follow, doesn't carry the force of a regulation
Consent should be demonstrable
organizations need to be able to show clearly how consent was gained and when.
Right to be informed
our right to have our information fairly and transparently processed; companies therefore provide a privacy notice (new or revised) telling you how they treat your data: what they do with it, that they don't sell it, and who they don't give it to
ISO 27000 series
addresses information security management across a broad swath of differently numbered standards in the series; organizations can achieve certification to ISO 27001 but not ISO 27002.
PCI DSS
Payment Card Industry Data Security Standard - protects cardholder data to prevent fraud and identity theft; applies to merchants and processors that handle payment cards; it is a contractual industry standard rather than a law (the card brands regulate themselves)
Violations of obligations related to legal justification for process (Consent)
consent is permission for something to happen or agreement to do something; under the GDPR it must be an explicit opt-in before the data is used
Data owner
person or entity who has ultimate control over data who has access, what permissions, etc. the person who is in charge of data classification
Physical Controls
preventive and deterrent controls - things we apply physically to stop something from happening (doors, locks, windows, guards, dogs, etc.)
Applicable types of control measures or countermeasures
preventive, detective and corrective
Strategy is not the same as
procedures
Integrity
provides assurance that data has not been modified, tampered with, or corrupted; change control for data: no unauthorized modification without the knowledge and consent of the data owner; closely related to confidentiality, since losing one often leads to losing the other
DREAD Methodology
a method for quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat. Each threat is rated (typically 1 to 10) on Damage potential, Reproducibility, Exploitability, Affected users and Discoverability; the risk value is the average of the five ratings: Risk = (D + R + E + A + D) / 5.
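As an added worked example (not part of the original notes), the following Python script scores a few constructed threats with the DREAD formula above and ranks them. The threat names and 1-10 ratings are hypothetical sample data, and the high/medium/low bands are an assumed convention, not something the notes specify.

```python
# Order of the five DREAD factors; each is rated 1 (lowest) to 10 (highest).
DREAD_FACTORS = (
    "damage",           # how bad is it if the threat is realized
    "reproducibility",  # how reliably can the attack be repeated
    "exploitability",   # how little skill/effort the attack needs
    "affected_users",   # how many users are hit
    "discoverability",  # how easy the weakness is to find
)

# Constructed sample threats with hypothetical ratings (assumption, not from the notes).
SAMPLE_THREATS = {
    "SQL injection in login form": dict(
        damage=9, reproducibility=9, exploitability=8, affected_users=10, discoverability=8),
    "Session token passed in URL": dict(
        damage=8, reproducibility=8, exploitability=6, affected_users=6, discoverability=5),
    "Stack trace shown on error page": dict(
        damage=3, reproducibility=10, exploitability=7, affected_users=2, discoverability=9),
}


def dread_score(ratings: dict) -> float:
    """Average of the five DREAD factors; rejects missing or out-of-range ratings."""
    missing = [f for f in DREAD_FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"missing DREAD factors: {missing}")
    for factor in DREAD_FACTORS:
        value = ratings[factor]
        if not (isinstance(value, int) and 1 <= value <= 10):
            raise ValueError(f"{factor} must be an integer from 1 to 10, got {value!r}")
    return sum(ratings[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def risk_band(score: float) -> str:
    """Assumed banding convention: >= 7 high, >= 4 medium, otherwise low."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_threats(threats: dict) -> list:
    """Return (name, score, band) tuples, highest score first (ties broken by name)."""
    ranked = []
    for name, ratings in threats.items():
        score = dread_score(ratings)
        ranked.append((name, score, risk_band(score)))
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    for name, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{score:4.1f}  {band:6s}  {name}")
```

The averaging hides which factor drove a score, so when two threats tie it is worth looking at the raw ratings (an exploitable, easily discovered low-damage issue and a hard-to-find high-damage one can score the same).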
Corrective Controls
remedy circumstance, mitigate damage, and/or restore controls (attempt to fix when something has gone wrong) (corrective would be power cycling something to clear an error; a blue screen so restarting)
Work factor
represents the time and effort required to break a protective measure and it has to be large
Gramm-Leach-Bliley Act (GLBA)
requires financial institutions to ensure the security and confidentiality of customer data
Recovery Controls
restore conditions to normal after a security incident (let's try to restore after problem has happened from backup take because of a failure)
Right to Object
right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); • direct marketing (including profiling); and • processing for purposes of scientific/historical research and statistics.
Financial Risk
risk associated with a monetary outlay; includes the initial cost of the purchase as well as the costs of using the item or service. Rule of thumb for whether prevention is worth paying for: if Probability of Harm (P) x Magnitude of Harm (M) exceeds the Cost of Prevention (C), the safeguard is justified
ISO 31000:2018 ******IMPT TO KNOW*****
risk management guidelines; linked to AS/NZS 4360, which underlies ISO 31000
ISO 31010:2009 ******IMPT TO KNOW*****
risk mgmt techniques
Cross border data transfers (GDPR)
safe movement of electronic, personal data around the world. ... The regulation addresses the transfer of personal data to locations outside the EU or EEA (European Economic Area)
War Dialing
searching for an idle modem by programming a computer to dial thousands of phone lines
Law Enforcement Directive (adopted alongside the GDPR)
Directive (EU) 2016/680, adopted together with the GDPR; it covers the processing of personal data for police and criminal justice purposes, ensuring that victims of crimes, witnesses and suspects are all duly protected, whatever those protections may be, in the context of a law enforcement investigation. (The older Data Protection Directive 95/46/EC is what the GDPR replaced.)
non-repudiation
security principle of providing proof that a transaction did or did not occur between identified parties (i.e., a digital signature); a username and password alone does not provide it, because with shared or stolen credentials the system only knows that your credentials were used, not that it was you; that GAP is why you need multifactor authentication (something you have, something you know, something you are) behind the signature
Security frameworks
sets of best practices and rules that drive the behavior and common language of an org; it is the over-arching thought process of how we structure and align with sec support strategy, goal, mission, and objectives of the org
Withdrawing consent should always be possible
should be as easy as giving it
Detective Controls
signal a warning when a security control has been breached (alert or warn us when something is wrong, flashing light, alarm)
ISC2 Code of Ethics*
simple code with a preamble and 4 canons; describes *what you should do*; the behavior accepted and expected from those who act on behalf of the organization and hold the certification
Incident
some occurrence or event that has the potential to do harm to elements of CIA; it may or may not turn out to be negative
Corrective
something done when we find suspicious activity and take action to stop it (an IPS blocking the traffic)
Recovery
something we implement to fix a problem (If we can run a script that will restore functionality)
NIST documents are
standard documents numbered in the SP 800 series; the SP 1800 series holds cybersecurity practice guides that show how to implement 800-series guidance; it complements the 800s, it does not replace them
Procedures
step-by-step instructions for completing a task
Compensating Controls
controls that substitute for a lost or unavailable primary control and mitigate the risk to an acceptable level (redundancy, UPS, backup power supplies)
Availability indicates
that data and services are available for authorized people when needed/on-demand
information security management system (ISMS) or ESA validate
that the appropriate policies, procedures, standards, and guidelines are implemented to ensure business operations are conducted within an acceptable level of risk
Fault tolerance
the ability of a system to survive unexpected failures or crashes because an identical component immediately and automatically takes over with no downtime (i.e., drive mirroring, or a generator with automatic transfer)
Half-Life
the idea that the protection an encryption scheme provides erodes over time: attackers and advances in computing chip away at it every day the encryption is in place, so choose algorithms and key lengths with the lifetime of the data in mind
We mitigate risks through
the application of controls
Cryptography
the art of protecting information by transforming it into an unreadable format, called cipher text
Likelihood ********MUST KNOW************
the chance that something might happen
Encryption only means
the data will be harder for the bad actor to read; it does not mean they can't get to the ciphertext; a control that transforms the data using a lock-and-key (key-based) mechanism
Culture
the enduring behaviors, ideas, attitudes, values, and traditions shared by a group of people; it allows us to share information and create relevancy
Attack
the exploitation of a vulnerability by a threat agent (bad actor)
Compliance
tools or processes put in place to validate and verify (trust but verify) that the organization is aligned with its contractual, legal, industry-standard or regulatory requirements (including jurisdictions such as maritime law in international waters, treaties, the Antarctic Treaty, etc.)
Availability control does not mean
uninterrupted service. Some availability controls are compensating controls that allow us to restore system access, but there will be a delay of some sort (i.e., a UPS buys time, it does not keep the service up indefinitely)
Notice is not required if "the personal data breach is
unlikely to result in a risk for the rights and freedoms of individuals
Preventive Controls
used to stop a security incident or information breach (anti-lock brakes; crash avoidance)
NIST is a
a very expansive organization that does all sorts of things; it is the research and standardization body of the US government for standards across all industries, not just information security and not just IT. For IT, look under Publications, SP (special publications); a table shows release dates, status (draft or final) and number, and you can click through to download the PDF
NIST Cybersecurity Framework
was published in February 2014 in response to Presidential Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," which called for a standardized security framework for critical infrastructure in the United States; https://www.nist.gov/cyberframework
Residual Risk ********MUST KNOW************
whatever risk is left over after countermeasures have been applied (e.g., zero-day exploits you may not know or be aware of; not knowing about a risk doesn't mean there is none). Total Risk = Threats * Vulnerabilities * Asset Value; Residual Risk = Total Risk - Controls (the portion of risk the controls remove, the "controls gap")
Dual Control
when two people perform a separate portion of a task at the same time as a control over the process
Acceptable levels of risk
when we can mitigate or minimize, quantify or qualify all known and documented risks; when we are willing to deal with what is left over knowing that certain risks are less impactful
Openness
transparency: we should be able to tell people what we're doing with their data and, through purpose specification, what the expectations for its use are; a general policy of openness about developments, practices and policies with respect to personal data
5 areas of internal control of COSO necessary for disclosure objectives
⦁ Control environments ⦁ Risk assessment ⦁ The control activities - how we're going to engage in controls ⦁ Information and communication mechanisms ⦁ Monitoring
ITIL's 5 thought process areas
⦁ Service strategy ⦁ Service design ⦁ Service transition ⦁ Service operation ⦁ CSI or Continual Service Improvement then iterate back through
STEPS FOR VULNERABILITY
⦁ Vulnerability scanning - Nmap, Zenmap, IP scanners, Metasploit ⦁ Analysis - of open ports and the services listening on them (web server: Apache, IIS) ⦁ Communicate results - deliver what we find so people understand what they need to do; weigh need vs. investment
Seven types/categories of access control
1) Directive 2) Deterrent (3) Preventive (4) Compensating (5) Detective (6) Corrective (7) Recovery
GRC
Governance, Risk and Compliance standards
Collection Limitation Principle
OECD privacy guideline principle that states there should be limits to the collection of personal data; data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject, and limited to the purpose specified
Encryption is the
#1 control for confidentiality; a process of encoding messages so that only authorized parties can read them (i.e., lock and key)
Hashing is the
#1 control for integrity; the process of using an algorithm to produce a fixed-length digest of a file in order to verify its integrity or authenticity. Integrity could be checked by comparing two copies bit-by-bit, but that requires two copies of the same file and may miss systematic corruption that affects both. The usual approach is to store checksums (hashes, message digests) of files for later comparison.
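As an added example (not part of the original notes), the following Python script does exactly the stored-checksum approach described above: it builds a SHA-256 manifest for a constructed set of files, then verifies a later copy against that manifest, reporting files that were modified, removed or added. The file names and contents are made-up sample data standing in for a directory on disk.

```python
import hashlib
import hmac

# Constructed sample "files" (name -> bytes); they stand in for a directory on disk.
ORIGINAL_FILES = {
    "app.cfg": b"listen=0.0.0.0:8443\nadmin=false\n",
    "run.sh": b"#!/bin/sh\nexec ./server --config app.cfg\n",
}

# Constructed tampered copy: app.cfg edited, run.sh deleted, an extra script dropped in.
TAMPERED_FILES = {
    "app.cfg": b"listen=0.0.0.0:8443\nadmin=true\n",
    "extra.sh": b"#!/bin/sh\necho not in the manifest\n",
}


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of `data`; SHA-256 by default (MD5/SHA-1 are collision-prone, avoid them)."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def build_manifest(files: dict) -> dict:
    """Map every file name to the digest of its content (the stored checksums)."""
    return {name: digest(content) for name, content in files.items()}


def verify(files: dict, manifest: dict) -> dict:
    """Compare a file set against a manifest.

    Returns {name: 'ok' | 'modified' | 'missing' | 'unexpected'}.
    """
    report = {}
    for name, expected in manifest.items():
        if name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(digest(files[name]), expected):
            # constant-time comparison so a wrong digest is not distinguishable by timing
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"
    return report


def demo() -> dict:
    """Build the manifest from the originals, then check the tampered copy against it."""
    manifest = build_manifest(ORIGINAL_FILES)
    return verify(TAMPERED_FILES, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

The manifest itself must be protected (signed, or kept read-only somewhere the attacker cannot write), otherwise whoever edits app.cfg simply recomputes its hash; an unprotected manifest only catches accidental corruption.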
Asset Value (AV)
$$$ amount asset is worth to the organization
5 rights are associated with a copyright
(1) Reproduction of the work in any form, language, or medium (you have the right to block that from somebody who is doing that illegally, without licensing, without your approval) (2) Adapt or derive more works from it. (3) Make and distribute its copies. (4) Perform it in public. (5) Display or exhibit it in public
Prepare for assessment - Step 1
(A) Determine methodology, qualitative or quantitative. Qualitative - 3 high, med and low ratings or 5 very high, high, moderate, low, very low. Quantitative - collect statistics about things that have happened (B) Determine Scope need to know what to focus on AND what we can ignore regarding the assessment (IT as a whole, HIPAA focused, PCI-DSS) (C) Rigor we will use (D) Degree of formality we will use?
Transference
(insurance or SLA) get someone else to take on the risk on our behalf; pay someone to manage the risk for you in exchange for money (i.e., move to the cloud under a SaaS, PaaS or IaaS model: renting infrastructure from somebody else for a fee and giving them responsibility for managing it); note that you transfer the operational burden and financial liability, but accountability for the data stays with you
M2M
(Machine to Machine) enables connected devices to communicate with each other
Declaration of Trans-border data flow
(PRIVACY) transfer of data between countries; with fast changes in technology the flow of data, including PII, is boundary- and border-less; there are physical ways to control what crosses a border, but not for data
Directive Controls
(administrative) do this don't do that; specify acceptable rules of behavior within an organization
ISO27001
(first published as ISO/IEC 27001:2005; the current edition is 2022) specification for an information security management system (ISMS); the standard an organization can be certified against
AS/NZS 4360 5 Step Process *****IMPT TO KNOW****
1) Establish Context: Establish the risk domain, i.e., which assets/systems are important? 2) Identify the Risks: Within the risk domain, what specific risks are apparent? 3) Analyze the Risks: Look at the risks and determine if there are any supporting controls in place. 4) Evaluate the Risks: Determine the residual risk. 5) Treat the Risks: Describe the method to treat the risks so that risks selected by the business will be mitigated.
Definition of ISO/IEC 15408-1:2009
ISO/IEC 15408 is the Common Criteria; "-1" means Part 1 of the multi-part standard and ":2009" is the year that edition was published; you can see the table of contents, the first couple of pages and the appendices for free, but have to buy the standard to see the body
Privacy Principles
1) Accurate 2) up-to-date info 3) can't be disclosed to a third party unless authorized consent is given by person or statute 4) people have a right to have info corrected
Process Steps for doing a Risk Assessment
1) Approval - get senior management buy-in 2) Form a risk assessment team 3) Analyze data 4) Calculate risk 5) Countermeasure recommendations
Ways to Assess Whether we are in line with policies, rules and regulations on an ongoing basis
1) Audits (informal or formal; annual or semi-annual) 2) continuous monitoring 3) use automation tools and techniques 4) logging 5) automation monitoring that alerts; must have well-defined processes and procedures that get implemented, monitored and standardized in a way that can be validated
4 RISK RESPONSE APPROACHES/WAYS TO DEAL WITH RISK - ATAM
1) Avoidance 2) Transference 3) Acceptance 4) Mitigation/Reduce; can apply to any pm project
6 legal grounds under the GDPR
1) Consent, 2) Contract, 3) Legal obligations, 4) Vital interests, 5) Public interests 6) Legitimate interests;
Quantitative Risk Assessment Formulas ***IMPT TO KNOW ***
1) Cost Benefit Analysis: value of a safeguard = ALE before safeguard - ALE after safeguard - annual cost of the safeguard 2) SLE = Asset Value * Exposure Factor; ALE = SLE * ARO (annualized rate of occurrence) 3) Total Risk = Threats * Vulnerabilities * Asset Value 4) Residual Risk = Total Risk - Controls (the risk the controls remove); note that Threats * Vulnerabilities * Asset Value is total risk, not residual risk
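As an added worked example (not part of the original notes) covering the quantitative formulas above and the residual-risk card earlier in the deck, the following Python script carries one constructed scenario through SLE, ALE, safeguard value and residual risk. The asset value, exposure factor, rates of occurrence and safeguard cost are hypothetical numbers chosen for the example; the formulas are the standard CISSP ones.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; EF is the fraction of the asset's value lost in a single event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is expected occurrences per year (may be < 1, e.g. 0.5 = every 2 years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Cost/benefit of a safeguard: ALE before - ALE after - its annual cost (positive = worth buying)."""
    return ale_before - ale_after - annual_safeguard_cost


def residual_risk(total_risk: float, control_effectiveness: float) -> float:
    """Residual = total risk minus the share the controls remove, i.e. total x (1 - effectiveness)."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return total_risk - total_risk * control_effectiveness


def worked_example() -> dict:
    """Constructed scenario: a $200k asset, 25% lost per incident, incident every 2 years."""
    asset_value = 200_000.0       # assumption
    exposure_factor = 0.25        # assumption
    aro_before = 0.5              # assumption: once every two years
    aro_after = 0.25              # assumption: safeguard halves the frequency
    annual_safeguard_cost = 5_000.0  # assumption

    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    value = safeguard_value(ale_before, ale_after, annual_safeguard_cost)
    # Treat the pre-safeguard ALE as total risk and the safeguard as removing half of it.
    residual = residual_risk(ale_before, control_effectiveness=0.5)
    return {
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "safeguard_value": value,
        "residual_risk": residual,
    }


if __name__ == "__main__":
    for label, amount in worked_example().items():
        print(f"{label:16s} ${amount:>12,.2f}")
```

A negative safeguard value means the control costs more per year than the loss it prevents; in that case accepting or transferring the risk is the rational choice, which is the point of doing the arithmetic before buying.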
Different Types of law
1) Criminal - offenses against society prosecuted by the state; punishable by fines and imprisonment 2) Civil - disputes between parties (businesses and individuals); remedies are usually monetary 3) Administrative - day-to-day oversight and regulation by agencies 4) Maritime 5) International
Threat Modeling Two ways to visually represent what we do with data
1) Data flow diagrams - look at how data moves through the system (PASTA and TRIKE) 2) Process flow diagram - visual representation of what we do (VAST)
Conduct Assessment - Step 2 Substeps
5 substeps: (a) Identify threat sources and events (these can be negative or not; negative events are incidents). We want to catalog them, and this is based on information from Step 1. (b) Identify vulnerabilities and predisposing conditions - things that occur that allow threats to occur or not occur; unless I check and verify I don't know, so ask whether there are countermeasures. (c) Determine the likelihood that the risks will occur (e.g., if you're not patching, the likelihood that those vulnerabilities will be exploited). (d) Determine the magnitude of impact - quantitative or qualitative risk impact (a number on a scale, a dollar value, or a hybrid). (e) Determine risk - the sum total of risk (the effect of threat sources, events, predisposing conditions and vulnerabilities, likelihood of occurrence and magnitude of impact).
Vulnerability ********MUST KNOW************
= weakness; an inherent weakness in an information system (i.e., policy, procedures, internal controls or implementation). NOT all vulnerabilities are equal.
Data Quality
A comprehensive approach to ensuring the accuracy, validity, and timeliness of data (eliminate data errors, minimize errors)
Compensating
A control designed to be in place so that if another control fails, this control picks up the slack and offsets the failure (anti-lock brakes/anti-collision, or firewall/IDS/IPS or IDPS). ⦁ IDS is passive, it detects ⦁ IPS is active, it alerts and can shut things down
Total Risk
A risk a company faces if it chooses not to implement a safeguard, control or countermeasure
Process for Attack Simulation and Threat Analysis (P.A.S.T.A)
A seven-step process for aligning business objectives and requirements, taking into account compliance issues and business analysis. Provides a dynamic threat identification, enumeration, and scoring process. Also associated with Microsoft; Once the threat model is completed security subject matter experts develop a detailed analysis of the identified threats. Finally, appropriate security controls can be enumerated. Provides an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.
Penetration Testing
A test by an authorized outsider to do agreed upon work to actually exploit any weaknesses in systems that are vulnerable.
External Penetration Testing
A test by an outsider to actually exploit any weaknesses in systems that are vulnerable; may not be needed if nothing uses cloud services or an AS400, but if you can't guarantee you don't use it, that will be the thing that someone exploits
Zero Day Exploit
An unknown risk; a vulnerability that is exploited before the software creator/vendor is even aware of its existence.
DREAD algorithm
An algorithm used to compute a risk value; Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5 gives a numerical value; it will always produce a number between 0 and 10; the higher the number, the more serious the risk; the lower the number, the less impactful
Cost-Benefit Analysis (CBA)
Analysis that compares (CBA = ALE before Safeguards - ALE after Safeguard) the costs of various possible decisions to each other, forecasts the net impact of each on the bottom line, and recommends the best alternative.
Quantitative or quantifiable Risk Formula
Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annual Rate of Occurrence (ARO); ALE = SLE * ARO
Asset
Anything of value that is owned
Other areas Penetration Testing
Application; DoS/DDoS (internet sites); war driving / war dialing; Wireless; Social Engineering; Telephony (VoIP phones that are not on their own VLAN are little computers: malware on them may gain access across the network because they are plugged into switches and routers)
Regulatory Risk
The risk that changes in regulations may negatively affect the operations of a company.
NIST SP800-53AR4
Assessing Security and Privacy Controls in FEDERAL Information Systems and Organizations: Building Effective Assessment Plans
ASSIGN RISK
Assign risk when you have the residual risk; senior management assigns it to the person who will manage risk on behalf of the organization; senior management owns and bears responsibility and accountability for the risk
VAST
Visual, Agile, and Simple Threat modeling; another threat modeling methodology, associated with Agile
Financial Frameworks
Basel II, Sarbanes-Oxley (financial AND publicly traded companies on NASDAQ or the New York Stock Exchange), COSO, GLBA
Threat modeling methodologies - History
Began in 1977 with Christopher Alexander; visualization
BSIMM
Building Security In Maturity Model (BSIMM) measures software security; a software security framework made of four domains (Governance, Intelligence, SSDL Touchpoints, Deployment)
ISO 15, 16,17, 18
Cloud standards
Eight Core Principles
Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, Data Controller Accountability
ISO15408
Common Criteria for IT Security Evaluation; a framework for the specification and evaluation of Protection Profiles (PP) and Evaluation Assurance Levels (EAL 1-7) - government and military standards; equipment is certified at a certain level of security
Confidentiality countermeasures or controls
Done through access controls (permissions): a. encryption b. traffic padding (adding random garbage to the traffic stream to make it harder for the hacker to pick out the good stuff) c. strict access controls / authentication mechanisms d. data classification e. awareness training
Need to Know (risk mitigation technique)
Defines the minimum level of access for subjects based on their job or business requirements;
DODAF
Department of Defense Architecture Framework
Separation of Duties (personnel security/EMPLOYEE CONTROL)
Dividing responsibilities between two or more people to give us more insight into and oversight of a control, limit fraud and promote accuracy of accounting records (ex. backups and restores; prevents one person from having all the power); similar to the TWO PERSON RULE
separation of duties
Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records (i.e., backing up data)
Copyright
Doesn't have to be registered like a patent; you can just claim it as copyrighted material. It protects published or unpublished UNIQUE/original work (for the duration of its author's life plus 50 years) from unauthorized duplication without due credit and compensation. Protects not only books but also ... according to the major international intellectual-property protection treaties (Berne Convention, Universal Copyright Convention, and the WIPO Copyright Treaty; the World Intellectual Property Organization is a United Nations entity that governs international IP globally)
The Wassenaar Arrangement
Dual Use Goods
Examples of due diligence (personnel security/EMPLOYEE CONTROLS)
From a senior management oversight perspective: need to know, least privilege, job rotation, separation of duties
Privacy Requirements
GDPR replaces Directive 95/46 EC, HIPAA, Personally Identifiable Information (PII)
Examples of governance organizations
GRC standards, US, EU Safe Harbor Framework
GDPR
General Data Protection Regulation (EU) 2016/679 of April 27, 2016 (GDPR) is a regulation that ALL member states must adhere to. The GDPR is EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. 173 recitals and 99 articles (the 99th is the go-live date, May 25, 2018; 98 articles we pay attention to)
Security Policy
Gives us direction, guidance and guidelines around what we are supposed to do; strategic in nature; high level
Collection Limitation and Purpose Specification
Go hand in hand, because data needs to be collected for the specified purpose and you must be told what that purpose is so that you have knowledge of it
Right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
BS 7799 Part 2 ISO 27001
Information Security Management System (ISMS)
ISACA stands for
Information Systems Audit and Control Association
ISSAP
Information Systems Security Architecture Professional
ISSEP
Information Systems Security Engineering Professional
enterprise security architecture (ESA)
Information security mgmt system (ISMS)
ISO27005
Infosec risk management; sec guides
Private Sector is more concerned with
Integrity and availability
IAPP
International Association of Privacy Professionals, internationally recognized for privacy and trans-border data flow
ISO
International Organization for Standards
Examples of Import/export controls
International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR) and The Wassenaar Arrangement - All three of these agreements classify technology as dual use goods, because we can use computers and encryption algorithms not only to create secure environments but also to hide nefarious activities
International Traffic in Arms Regulations (ITAR)
International Traffic in Arms Regulations - a group of agreements countries can sign on to that govern the use of dual use goods
NIST SP800-12R1
Introduction to information security; good for general knowledge, framework and reference; the lower the number, the older the document
ISACA
Issues standards, guidance, and procedures for conducting information system audits; behind various IT frameworks, the most famous being COBIT
Least Privilege (risk mitigation technique (personnel security/EMPLOYEE CONTROL))
The level of access required to execute full control of a function; providing only the minimum amount of privileges necessary to accomplish that function (i.e., access control)
Strategic management
Long-Term Goals - (Things we will do in the future) involves creating security policies, dealing with people issues, and evaluating threats and risks
A disaster is when we hit the
MTD barrier
"Privacy Shield" Framework
Managed by the FTC; sets forth data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. This replaced the previous "Safe Harbor" framework.
directive
One-size-fits-one concept; something that guides or directs and can be interpreted differently; no standardization; no one way of doing things; especially, a general instruction from a high-level body or official.
Controller
One who oversees, regulates, gives guidance and directs, from a management perspective, the why and the how of processing personal data; controllers are the ones who exercise due diligence
Communicate Risks/Results - Step 3
Regardless of the type of assessment completed (quantitative or qualitative), the results can be quantitative or qualitative; communicate them broadly and widely in the organization, and to senior decision makers to help them understand what is involved in dealing with the risk
Privacy Act of 1974
Restricts the way in which personal data can be used by federal agencies. Individuals must be permitted access to information stored about them and may correct any information that is incorrect. Agencies must ensure both the security and confidentiality of any sensitive information.
NIST SP800-37R2
Risk mgmt framework for information systems and organizations; a life cycle approach for security and privacy
Deming cycle
See Plan-Do-Check-Act Cycle (PDCA); runs clockwise; Do is execute, Check is validate, Act is continue or remediate; continuous improvement through iterations (i.e., patch management, vulnerability assessment, risk management)
Employee controls
Separation of duties, Job Rotation and Least Privilege; mandatory vacation, split knowledge, dual control, collusion
SLA
Service Level Agreement - a form of risk transfer; SLAs are contractual vehicles that bind both customers and providers to a set of documented statements, assumptions, and operational requirements that we both have to agree to in order to create the trust that allows us to coexist and manage within that system. Ultimately this all boils back down to due diligence and due care: providers exercise due diligence in their systems to oversee, to provide the governance, and to provide the oversight so that things work the right way. We as customers have to exercise due care; we have to consume according to those rules and operate according to those rules. And we have to ensure our vendors follow that same thought process when we're managing outsourced relationships.
SLR
Service Level Requirements - an enumeration of the requirements that help shape and structure the SLA; the details that both the provider and the customer stipulate to that go into making up the service level agreement.
Security Role
The part an individual plays in the overall scheme of security implementation and administration within an organization.
Vulnerability Management
The practice of finding and mitigating software vulnerabilities in computers and networks.
Risk ********MUST KNOW************
The probability or likelihood that a given threat will take advantage of a vulnerability, and the impact if that occurs; it is the sum total, the effect of threat sources, events, predisposing conditions and vulnerabilities, likelihood of occurrence and magnitude of impact; Risk = Threat * Vulnerability
Asset Valuation
The process of assigning financial value or worth to each information asset; need to know tangible and intangible worth (an asset is something that adds value to the organization); depreciate the asset over a three or five year life cycle; GAP
Risk Framing
The process of identifying risks and needs, answering the 5 W's and H (who, what, when, where, why and how)
ALE (Annual Loss Expectancy)
The total cost of a risk to an organization on an annual basis. (i.e., $3,000)
SLE (Single Loss Expectancy)
The value of the potential impact of an event when it occurs ONE time (i.e., a $ value $1,000)
Trike
Threat models are used to satisfy the security auditing process, to help value, profile and understand acceptable risk levels; a threat modeling process where threat models are based on a "requirements model." The requirements model establishes the stakeholder-defined "acceptable" level of risk assigned to each asset class. Analysis of the requirements model yields a threat model from which threats are enumerated and assigned risk values. The completed threat model is used to construct a risk model based on assets, roles, actions, and calculated risk exposure.
Total Risk Formula (Quantitative Risk Assessment)
Threats * Vulnerabilities * Asset Value
RPO (Recovery Point Objective)
The amount of time (and therefore data) we are willing to lose or walk away from when a system is recovered; i.e., if backups occur every 15 mins, the RPO is 15 mins, so if email fails the most we will lose is 15 mins.
Information Provided at Data Collection
• the identity and the contact details of the controller and DPO • the purposes of the processing for which the personal data are intended • the legal basis of the processing • where applicable, the legitimate interests pursued by the controller or by a third party • where applicable, the recipients or categories of recipients of the personal data • where applicable, that the controller intends to transfer personal data internationally • the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period • the existence of the right to access, rectify or erase the personal data • the right to data portability • the right to withdraw consent at any time • the right to lodge a complaint with a supervisory authority
Evaluation Assurance Level (EAL)
the level of certification sought in the Common Criteria
Risk (Organizational risk)
the likelihood that a threat source will, through threat events, exploit a vulnerability or weakness, and the resulting impact if that occurs
BIA Goals
The main goal is to look at all the services offered (i.e., phones, email, remote access, dm, w:\ drive, accounting, printing, directory services, internet). 1) Determine criticality (rank priorities on a scale of 1 to 10); 2) Estimate max downtime BEFORE we have a crisis (MAD, max allowable downtime, and MTD, max tolerable downtime); 3) Evaluate internal and external resource requirements (where we ask who needs what service, i.e., color printing, wifi) - internal (system dependencies) - external (ISP connection, cross-over cable to network, i.e., supply chain, vendors). If we don't know these things we cannot assess and validate in order to prioritize and recover.
Key space
the number of possible permutations of the key that could be used to decrypt the data (i.e., of a password); it has to be large
Moore's Law (Gordon Moore Intel)
the observation that computing power roughly doubles every two years while the price gets cheaper
Legitimate Interests & Direct Marketing
the processing of data for "direct marketing purposes" can be considered as a legitimate interest.
Data subject rights - data subject access request DSAR's (GDPR)
the right to timely processing of a request to remove their information, the right for their information to be forgotten from a system, or to have their personal information corrected; controllers must inform subjects at collection of the period of time data will be retained (or the reasons why)
Confidentiality, integrity, and availability***IMPT TO KNOW***
the security triad, CIA
Governance ***IMPT TO KNOW***
the system an organization uses to direct and control IT security (adapted from ISO 38500) to deliver IT decisions that bring value and impact to the business for stakeholders
Confidentiality helps prevent
the unauthorized disclosure of data; keep good data away from bad people. Confidentiality must be maintained and protected in ALL forms: at rest (in storage), in use and on the wire (transmitted). Confidentiality and Integrity depend on each other; one is not effective without the other.
Profiling (GDPR)
the use of computers to combine data from multiple sources, automated collection and processing of personal data, so that we can learn more about individuals (big data, data visualization, AI, machine learning, Alexa, etc.)
data subject equals
the user
Import
to bring a product into a country which may be governed by a series of laws
Purpose of threat modeling
to provide defenders with a systematic analysis of the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker.