1601 Chp 12

1.Specific warning bulletins issued when developing threats and specific attacks pose measurable risk to the organization 2.Periodic summaries of external information 3.Detailed intelligence on highest risk warnings

Monitoring process has three primary deliverables

black box or white box

Penetration Testing-Can be conducted one of two ways:

-Metrics should be used for monitoring the performance of information security controls -Six-phase iterative process

Performance measures

1. Prepare for data collection 2. Collect data analyze results 3. ID corrective actions 4. Develop Business case 5. Obtain resources 6. Apply corrective actions

Performance measures Six-phase iterative process

Information security program planning and review

Periodic review of an ongoing information security program coupled with planning for enhancements and extensions is a recommended practice for any organization. --should examine future IT needs of organization and its impact on information security

p.651

Review the maintenance model diagram

war driving

Searching for wireless signals from an automobile or on foot using a portable computing device.

1.External monitoring 2.Internal monitoring 3.Planning and risk assessment 4.Vulnerability assessment and remediation 5.Readiness and review

Security Maintenance Model five subject areas

should continuously monitor system performance to ensure that it is consistent with established user and security requirements and that needed system modifications are incorporated

System Development Life Cycle Monitoring activities

identifies risks and proposes controls

The RA process does what 2 things ?

planning and risk assessment domain

The component of the maintenance model that focuses on identifying and planning ongoing information security activities and identifying and managing risks introduced through IT information security projects.

Internal Monitoring Domain

The component of the maintenance model that focuses on identifying, assessing, and managing the configuration and status of information assets in an organization.

revision date

The date associated with a particular version or build.

Interconnecting Systems(Information Security Area)

The direct connection of two or more information systems for sharing data and other information resources. It can expose the participating organizations to risk, but when properly managed, the added benefits include greater efficiency, centralized access to data, and greater functionality.

providing indicators of current or imminent vulnerabilities

The most important value of raw intelligence provided by the intrusion detection system (IDS) is?

Vulnerability repair

The optimum solution in most cases is to repair the vulnerability. Applying patch software or implementing a workaround often accomplishes this.

white box pen test aka full disclosure testing

The org provides info about the systems to be examined

readiness and review domain

The primary goal is to keep the information security program functioning as designed and to keep it continuously improving over time.

Performance Measurement(Information Security Area)

The process in which an organization collects information to measure and report on how well it is doing, usually with the goal of managing to improve its performance.

Vulnerability Assessment and Remediation

The process of identifying and documenting specific and provable flaws in the organization's information asset environment.

version

The recorded state of a particular revision of a software or hardware configuration item.

1. senior management support 2. security policy and procedures 3. quantifiable performance measures 4. analyses

The typical information performance management program consists of 4 interdependent components which are?

Documenting Vulnerabilities

The vulnerability database, like the risk, threat, and attack database, both stores and tracks information. --Low cost and ease of use make relational databases a realistic choice -Vulnerability database is an essential part of effective remediation

Information technology contingency planning(Information Security Area)

This consists of a process for recovery and documentation of procedures.

1.Using vulnerability assessment procedures 2.Documenting background information and providing tested remediation procedures for vulnerabilities 3.Tracking vulnerabilities from the time they are identified 4.Communicating vulnerability information to owners of vulnerable systems 5.Reporting on the status of vulnerabilities 6.Ensuring that the proper level of management is involved

Vulnerability Assessment and Remediation is accomplished by? (6)

Security Risk Assessments

a method of identifying and documenting the risk that a project, process, or action introduces to the organization and may also involve offering suggestions for controls that can reduce that risk.

performance baseline

an expected level of performance against which all subsequent levels of performance are compared

1. Configuration management and configuration control processes for the information system 2. Security impact analyses on changes to the information system 3. Assessment of selected security controls in the information system and reporting of the system's security status to appropriate agency officials

at a minimum, an effective monitoring program requires? (3)

Platform security validation

designed to find and document the vulnerabilities that may be present because there are misconfigured systems in use within the organization.

Internet vulnerability assessment

designed to find and document the vulnerabilities that may be present in the public-facing network of the organization.

Certification, accreditation, and security assessments (Information Security Area)

ensures that an information system operates with the appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically

Models

frameworks that structure the tasks of managing particular set of activities or business functions

Incident response (Information Security Area)

helps the organization detect incidents rapidly, minimize loss and destruction, identify weaknesses, and restore IT operations rapidly

Configuration and Change Management(Information Security Area)

manages the effects of changes in configurations, five-step process

partner interconnections

network devices, communications channels, and applications that may not be owned by the organization but are essential to the continued operation of the organization's partnership with another company.

60% rule

offers a few guidelines that security personnel can use when exploring the issues of system and network performance

1. Planning needed for infosec programs 2. evaluation of current risks using operational risk assessment

planning and risk assessment domain 2 pivotal processes

1.Establishing a formal information security program review process 2.Instituting formal project identification, selection, planning, and management processes 3.Coordinating with IT project teams to introduce risk assessment and review for all IT projects 4.Integrating a mindset of risk assessment throughout the organization

planning and risk assessment domain Primary objectives (4)

Awareness and Training(Information Security Area)

processes that are put into place to monitor compliance and effectiveness

The NIST SP 800-100 Information Security Handbook

provides technical guidance for the establishment and implementation of an information security program.

1.Policy review 2.Program review 3.Rehearsals

readiness and review domain primary goal is accomplished by: (3)

Threat Removal

some circumstances, threats can be removed without requiring a repair of the vulnerability.

Acceptance or Transference of Risk

some instances, risk must either simply be acknowledged as being part of an organization's business process, or else the organization should buy insurance to transfer the risk to another organization.

external monitoring domain

the component of the maintenance model that focuses on evaluating external threats to the organization's information assets

System Development Life Cycle(Information Security Area)

the overall process of developing, implementing, and retiring information systems through a multi-step process.

Vulnerability Assessment

the process of identifying and documenting specific and provable flaws in the organizations information asset environment.

auditing

the review of a systems use to determine if misuse or malfeasance has occurred

minor release

(update or patch) a minor revision of a version from its previous state

Security Services and Products Acquisition (Information Security Area)

-CBA should be conducted prior to purchasing -vulnerabilities in IT products surface nearly every day -checklist aka lockdown or hardening guide, should be used with new products

Interconnection Security Agreement (ISA)

An agreement between parties intended to minimize security risks for data transmitted across a network.

Configuration and Change Management (CCM) aka Configuration Management (CM)

An approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems inventory and supporting documentation.

configuration and change management (CCM)

An approach to implementing system change that uses policies, procedures, techniques, and tools to manage and evaluate proposed changes, track changes through completion, and maintain systems inventory and supporting documentation.

intranet vulnerability assessment

An assessment approach designed to find and document selected vulnerabilities that are likely to be present on the organization's internal network. --This assessment is usually performed against critical internal devices with a known, high value by using selective penetration testing

wireless vulnerability assessment

An assessment approach designed to find and document vulnerabilities that may be present in the organization's wireless local area networks.

identify weaknesses in various security efforts

Analyzing attack signatures from unsuccessful system attacks can

traffic analysis

Another IDS monitoring element is

1. Tracking system should capture key information on program activities. 2. Tracking compliance involves assessing the status of the program 3. Security policies must continue to evolve

Awareness and training monitoring activities(3)

1.Identify Change 2. Evaluate Change Request 3.Implementation Decision 4.Implement Approved Change Request 5. Continuous Monitoring

CM process step-by-step procedure for identifying, processing, tracking, and documenting changes. (5)

1.Identify the baseline 2.Identify prioritization requirements 3.Conduct enterprise-level prioritization 4.Conduct system-level prioritization 5.Develop supporting materials 6.Implement an Investment Review Board (IRB) 7.Submit budget approval paperwork

Capital Planning and Investment Control 7 step process

1.Departments required to allocate funding toward highest-priority investments 2.Designed to facilitate the expenditure of agency funds

Capital Planning and Investment Control monitoring activities (2)

1.Acquisition of new assets 2.Emergence of new vulnerabilities 3. Shifting business priorities 4. Partnerships form or dissolve 5. Employee hire and turnover

Changes that may affect an organization's information security environment: (5)

Capital Planning and Investment Control(Information Security Area)

Designed to facilitate and control the expenditures of agency funds. -Departments required to allocate funding toward highest-priority investments

-collects raw intelligence, filters for relevance, assigns a relative risk impact, and communicates to decision makers in time to make a difference

External monitoring does the following

contingency planning

-Consists of a process for recovery and documentation of procedures

Security Planning (Information Security Area)

-One of the most crucial ongoing responsibilities in security management

Risk Management(Information Security Area)

-Ongoing effort -Tasks include performing risk identification, analysis, and management

Network characterization and inventory

-Organizations should have/maintain carefully planned and fully populated inventory of network devices, communication channels, and computing devices

1. Information security governance 2. System Development Life Cycle 3.Awareness and training 4.Risk Management 5.Certification, accreditation, and security assessments 6.Security services and products acquisition 7.Configuration or change management 8.Capital Planning and Investment Control 9. Interconnecting Systems 10. Performance Measurement 11. Security Planning 12. Information Technology Contingency Planning 13. Incident Response

13 areas of information security management

1.vendors, 2.computer emergency response teams (CERTs), 3.public network sources, or 4.membership sites

4 classes of data sources for external monitoring

1.Internet 2. Intranet 3. platform security 4.wireless

4 vulnerability assessment processes

configuration

A collection of components that make up a configuration item.

software library

A collection of configuration items that is usually controlled and that developers use to construct revisions and issue new configuration items.

Black box penetration testing

A form of penetration testing where the tester is not given any system credentials. Used to simulate an external cyber attack

configuration item

A hardware or software item that will be modified and revised throughout its life cycle

build list

A list of the versions of components that make up a build.

Difference Analysis

A procedure that compares the current state of a network segment against a known previous state of the same network segment (the baseline of systems and services).

major release

A significant revision of a version from its previous state.

build

A snapshot of a particular version of software assembled or linked from its component modules.

Penetration Testing

A test by an outsider to actually exploit any weaknesses in systems that are vulnerable. --A level beyond vulnerability testing

war game

A type of rehearsal that seeks to realistically simulate the circumstances needed to thoroughly test a plan.

Characterization

In Network Characterization and Inventory The process of collecting this information is often referred to as?

1.Ongoing information security activities are providing appropriate support to the agency's mission 2.Policies and procedures are current 3.Controls are accomplishing their intended purpose

Information security governance(Information Security Area) - Agencies should monitor the status of their programs to ensure: (3)

Phase 1: Planning the interconnection Phase 2: Establishing the interconnection Phase 3: Maintaining the interconnection Phase 4: Disconnecting the interconnection

Interconnecting Systems 4 phase Life Cycle Management Approach

1.Inventorying network devices and channels, IT infrastructure and applications, and information security infrastructure elements 2.Leading the IT governance process 3.Real-time monitoring of IT activity 4.Monitoring the internal state of the organization's networks and systems

Internal Monitoring accomplished by (4)

1.Planning, scheduling, and notification 2.Target selection 3.Test selection 4.Scanning 5.Analysis 6.Record keeping

Internet vulnerability assessment-Steps in the process include:

manage and operate the ongoing security program

Management model must be adopted to?

Security Maintenance Model

•Designed to focus the organizational effort on maintaining systems -Recommended maintenance model based on five subject areas

1. Smaller projects tend to have more manageable impacts on networks and users 2. Most large projects can easily be broken down into smaller projects, giving more opportunities to change direction and gain flexibility 3. Shorter planning, development, and implementation schedules reduce uncertainty

•Large projects should be broken into smaller projects for several reasons (3)

-monitoring activity, reporting results, and escalating warnings

•Monitoring, escalation, and incident response consists of?

-carefully organized and stored using a mechanism (manual or automated) that allows timely retrieval and rapid integration of disparate facts

•Network characterization and inventory - Once characteristics are identified, they must be?