1601 Chp 12
1. Specific warning bulletins issued when developing threats and specific attacks pose measurable risk to the organization 2. Periodic summaries of external information 3. Detailed intelligence on highest-risk warnings
Monitoring process has three primary deliverables
black box or white box
Penetration Testing - Can be conducted in one of two ways:
-Metrics should be used for monitoring the performance of information security controls -Six-phase iterative process
Performance measures
1. Prepare for data collection 2. Collect data and analyze results 3. Identify corrective actions 4. Develop business case 5. Obtain resources 6. Apply corrective actions
Performance measures Six-phase iterative process
Information security program planning and review
Periodic review of an ongoing information security program, coupled with planning for enhancements and extensions, is a recommended practice for any organization. --Should examine the future IT needs of the organization and their impact on information security
p.651
Review the maintenance model diagram
war driving
Searching for wireless signals from an automobile or on foot using a portable computing device.
1. External monitoring 2. Internal monitoring 3. Planning and risk assessment 4. Vulnerability assessment and remediation 5. Readiness and review
Security Maintenance Model five subject areas
should continuously monitor system performance to ensure that it is consistent with established user and security requirements and that needed system modifications are incorporated
System Development Life Cycle Monitoring activities
identifies risks and proposes controls
What 2 things does the RA (risk assessment) process do?
planning and risk assessment domain
The component of the maintenance model that focuses on identifying and planning ongoing information security activities and identifying and managing risks introduced through IT information security projects.
Internal Monitoring Domain
The component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization.
revision date
The date associated with a particular version or build.
Interconnecting Systems(Information Security Area)
The direct connection of two or more information systems for sharing data and other information resources. It can expose the participating organizations to risk, but when properly managed, the added benefits include greater efficiency, centralized access to data, and greater functionality.
providing indicators of current or imminent vulnerabilities
The most important value of raw intelligence provided by the intrusion detection system (IDS) is?
Vulnerability repair
The optimum solution in most cases is to repair the vulnerability. Applying patch software or implementing a workaround often accomplishes this.
white box pen test aka full disclosure testing
The organization provides information about the systems to be examined.
readiness and review domain
The primary goal is to keep the information security program functioning as designed and to keep it continuously improving over time.
Performance Measurement(Information Security Area)
The process in which an organization collects information to measure and report on how well it is doing, usually with the goal of managing to improve its performance.
Vulnerability Assessment and Remediation
The process of identifying and documenting specific and provable flaws in the organization's information asset environment.
version
The recorded state of a particular revision of a software or hardware configuration item.
1. senior management support 2. security policy and procedures 3. quantifiable performance measures 4. analyses
The typical information performance management program consists of 4 interdependent components which are?
Documenting Vulnerabilities
The vulnerability database, like the risk, threat, and attack database, both stores and tracks information. --Low cost and ease of use make relational databases a realistic choice --The vulnerability database is an essential part of effective remediation
Information technology contingency planning(Information Security Area)
This consists of a process for recovery and documentation of procedures.
1. Using vulnerability assessment procedures 2. Documenting background information and providing tested remediation procedures for vulnerabilities 3. Tracking vulnerabilities from the time they are identified 4. Communicating vulnerability information to owners of vulnerable systems 5. Reporting on the status of vulnerabilities 6. Ensuring that the proper level of management is involved
Vulnerability Assessment and Remediation is accomplished by? (6)
Security Risk Assessments
a method of identifying and documenting the risk that a project, process, or action introduces to the organization and may also involve offering suggestions for controls that can reduce that risk.
performance baseline
an expected level of performance against which all subsequent levels of performance are compared
1. Configuration management and configuration control processes for the information system 2. Security impact analyses on changes to the information system 3. Assessment of selected security controls in the information system and reporting of the system's security status to appropriate agency officials
At a minimum, an effective monitoring program requires? (3)
Platform security validation
designed to find and document the vulnerabilities that may be present because misconfigured systems are in use within the organization.
Internet vulnerability assessment
designed to find and document the vulnerabilities that may be present in the public-facing network of the organization.
Certification, accreditation, and security assessments (Information Security Area)
ensures that an information system operates with the appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically
Models
frameworks that structure the tasks of managing particular set of activities or business functions
Incident response (Information Security Area)
helps the organization detect incidents rapidly, minimize loss and destruction, identify weaknesses, and restore IT operations rapidly
Configuration and Change Management(Information Security Area)
manages the effects of changes in configurations; a five-step process
partner interconnections
network devices, communications channels, and applications that may not be owned by the organization but are essential to the continued operation of the organization's partnership with another company.
60% rule
offers a few guidelines that security personnel can use when exploring the issues of system and network performance
1. Planning needed for infosec programs 2. Evaluation of current risks using operational risk assessment
planning and risk assessment domain 2 pivotal processes
1. Establishing a formal information security program review process 2. Instituting formal project identification, selection, planning, and management processes 3. Coordinating with IT project teams to introduce risk assessment and review for all IT projects 4. Integrating a mindset of risk assessment throughout the organization
planning and risk assessment domain Primary objectives (4)
Awareness and Training(Information Security Area)
processes that are put into place to monitor compliance and effectiveness
The NIST SP 800-100 Information Security Handbook
provides technical guidance for the establishment and implementation of an information security program.
1. Policy review 2. Program review 3. Rehearsals
readiness and review domain primary goal is accomplished by: (3)
Threat Removal
In some circumstances, threats can be removed without requiring a repair of the vulnerability.
Acceptance or Transference of Risk
In some instances, risk must either simply be acknowledged as being part of an organization's business process, or else the organization should buy insurance to transfer the risk to another organization.
external monitoring domain
the component of the maintenance model that focuses on evaluating external threats to the organization's information assets
System Development Life Cycle(Information Security Area)
the overall process of developing, implementing, and retiring information systems through a multi-step process.
Vulnerability Assessment
the process of identifying and documenting specific and provable flaws in the organization's information asset environment.
auditing
the review of a system's use to determine if misuse or malfeasance has occurred
minor release
(update or patch) a minor revision of a version from its previous state
Security Services and Products Acquisition (Information Security Area)
-A cost-benefit analysis (CBA) should be conducted prior to purchasing -Vulnerabilities in IT products surface nearly every day -A checklist, aka lockdown or hardening guide, should be used with new products
Interconnection Security Agreement (ISA)
An agreement between parties intended to minimize security risks for data transmitted across a network.
Configuration and Change Management (CCM) aka Configuration Management (CM)
An approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems inventory and supporting documentation.
intranet vulnerability assessment
An assessment approach designed to find and document selected vulnerabilities that are likely to be present on the organization's internal network. --This assessment is usually performed against critical internal devices with a known, high value by using selective penetration testing
wireless vulnerability assessment
An assessment approach designed to find and document vulnerabilities that may be present in the organization's wireless local area networks.
identify weaknesses in various security efforts
Analyzing attack signatures from unsuccessful system attacks can
traffic analysis
Another IDS monitoring element is
1. The tracking system should capture key information on program activities. 2. Tracking compliance involves assessing the status of the program. 3. Security policies must continue to evolve.
Awareness and training monitoring activities(3)
1. Identify change 2. Evaluate change request 3. Implementation decision 4. Implement approved change request 5. Continuous monitoring
CM process: step-by-step procedure for identifying, processing, tracking, and documenting changes. (5)
1. Identify the baseline 2. Identify prioritization requirements 3. Conduct enterprise-level prioritization 4. Conduct system-level prioritization 5. Develop supporting materials 6. Implement an Investment Review Board (IRB) 7. Submit budget approval paperwork
Capital Planning and Investment Control 7 step process
1. Departments required to allocate funding toward highest-priority investments 2. Designed to facilitate the expenditure of agency funds
Capital Planning and Investment Control monitoring activities (2)
1. Acquisition of new assets 2. Emergence of new vulnerabilities 3. Shifting business priorities 4. Partnerships form or dissolve 5. Employee hire and turnover
Changes that may affect an organization's information security environment: (5)
Capital Planning and Investment Control(Information Security Area)
Designed to facilitate and control the expenditures of agency funds. -Departments required to allocate funding toward highest-priority investments
-collects raw intelligence, filters for relevance, assigns a relative risk impact, and communicates to decision makers in time to make a difference
External monitoring does the following
contingency planning
-Consists of a process for recovery and documentation of procedures
Security Planning (Information Security Area)
-One of the most crucial ongoing responsibilities in security management
Risk Management(Information Security Area)
-Ongoing effort -Tasks include performing risk identification, analysis, and management
Network characterization and inventory
-Organizations should have and maintain a carefully planned and fully populated inventory of network devices, communication channels, and computing devices
1. Information security governance 2. System Development Life Cycle 3. Awareness and training 4. Risk management 5. Certification, accreditation, and security assessments 6. Security services and products acquisition 7. Configuration or change management 8. Capital Planning and Investment Control 9. Interconnecting systems 10. Performance measurement 11. Security planning 12. Information technology contingency planning 13. Incident response
13 areas of information security management
1. vendors, 2. computer emergency response teams (CERTs), 3. public network sources, or 4. membership sites
4 classes of data sources for external monitoring
1. Internet 2. Intranet 3. Platform security 4. Wireless
4 vulnerability assessment processes
configuration
A collection of components that make up a configuration item.
software library
A collection of configuration items that is usually controlled and that developers use to construct revisions and issue new configuration items.
Black box penetration testing
A form of penetration testing in which the tester is not given any system credentials. Used to simulate an external cyberattack.
configuration item
A hardware or software item that will be modified and revised throughout its life cycle
build list
A list of the versions of components that make up a build.
Difference Analysis
A procedure that compares the current state of a network segment against a known previous state of the same network segment (the baseline of systems and services).
major release
A significant revision of a version from its previous state.
build
A snapshot of a particular version of software assembled or linked from its component modules.
Penetration Testing
A test by an outsider to actually exploit any weaknesses in systems that are vulnerable. --A level beyond vulnerability testing
war game
A type of rehearsal that seeks to realistically simulate the circumstances needed to thoroughly test a plan.
Characterization
In network characterization and inventory, the process of collecting this information is often referred to as?
1. Ongoing information security activities are providing appropriate support to the agency's mission 2. Policies and procedures are current 3. Controls are accomplishing their intended purpose
Information security governance(Information Security Area) - Agencies should monitor the status of their programs to ensure: (3)
Phase 1: Planning the interconnection Phase 2: Establishing the interconnection Phase 3: Maintaining the interconnection Phase 4: Disconnecting the interconnection
Interconnecting Systems: 4-phase life cycle management approach
1. Inventorying network devices and channels, IT infrastructure and applications, and information security infrastructure elements 2. Leading the IT governance process 3. Real-time monitoring of IT activity 4. Monitoring the internal state of the organization's networks and systems
Internal Monitoring accomplished by (4)
1. Planning, scheduling, and notification 2. Target selection 3. Test selection 4. Scanning 5. Analysis 6. Record keeping
Internet vulnerability assessment - Steps in the process include:
manage and operate the ongoing security program
A management model must be adopted to?
Security Maintenance Model
•Designed to focus the organizational effort on maintaining systems -The recommended maintenance model is based on five subject areas
1. Smaller projects tend to have more manageable impacts on networks and users 2. Most large projects can easily be broken down into smaller projects, giving more opportunities to change direction and gain flexibility 3. Shorter planning, development, and implementation schedules reduce uncertainty
•Large projects should be broken into smaller projects for several reasons (3)
-monitoring activity, reporting results, and escalating warnings
•Monitoring, escalation, and incident response consists of?
-carefully organized and stored using a mechanism (manual or automated) that allows timely retrieval and rapid integration of disparate facts
•Network characterization and inventory - Once characteristics are identified, they must be?