CH. 3 Policies, Procedures, and Awareness

Business Impact Analysis (BIA)

A Business Impact Analysis (BIA) focuses on the impact losses will have on the organization. A BIA: Identifies threats that can affect processes/assets. Identifies mission-essential functions. Identifies critical systems. Establishes the maximum down time (MDT) the corporation can survive without the process/asset. Establishes other recovery benchmark values. Recovery Point Objective (RPO) Recovery Time Objective (RTO) Mean time between failures (MTBF) Mean time to repair (MTTR) Estimates tangible (financial loss) and intangible (e.g., loss of customer trust) impact on the organization. Life, Property, Safety, Finance, Reputation

California Database Security Breach Act of 2003

A California state law that specifies that any agency, person, government entity, or company that does business in the state of California must inform California residents within 48 hours if a database breach or other security breach occurs in which personal information has been stolen or is believed to have been stolen.

Gramm-Leach-Bliley Act of 1999

A US federal law designed to protect private information held at financial institutions.

Patriot Act of 2001

A US federal law that gives law enforcement the authority to request information from organizations to detect and suppress terrorism.

Children's Online Privacy Protection Act of 1998 (COPPA)

A US federal law that requires organizations that provide online services designed for children below the age of 13 to obtain parental consent prior to collecting a child's personal information.

Sarbanes-Oxley Act of 2002

A US federal law that requires publicly traded companies to adhere to very stringent reporting requirements and implement strong controls on electronic financial reporting systems.

Health Insurance Portability and Accountability Act (HIPAA)

A US federal law that specifies that all organizations must protect the health information that they maintain.

Waterfall Planning

A development model sequential in its layout, with phases that contain a series of instructions that must be executed and documented before the next phase can begin.

Agile Development

A development model that breaks development into smaller time frames called sprints.

Extreme Programming

A development model that values simplicity, feedback, courage, and communication and brings the entire team of developers, managers, and customers together so that adequate feedback and evaluations can be provided.

Clean Room

A development model used for high-quality software where all levels of development are tested for bugs and defects with the goal of finding problems before they can mature.

Ad Hoc

A development model where qualified developers are given a project without a consistent team, funding, or schedule.

Code Escrow Agreement

A document that specifies the storage and conditions of release of source code.

Organizational Security Policy

A high-level overview of the corporate security program.

Organization Security

A high-level overview of the corporate security program. The organizational security policy: Is usually written by the security professionals, but must be wholly supported and endorsed by senior management Identifies roles and responsibilities to support and maintain the elements of the security program Identifies what is acceptable and unacceptable regarding security management Identifies the rules and responsibilities of the enforcement of the policy

Social Engineering

A malicious attempt to fraudulently acquire sensitive information that is usually accomplished using impersonations.

Countermeasure

A means of mitigating the potential risk.

Computer-Aided Software Engineering (CASE)

A method of using computers to help with the systematic analysis, development, design, and implementation of software.

Structured Programming

A method used by programmers that uses layering, modularity, and segmenting to allow for optimal control over coherence, security, accuracy, and comprehensibility.

Spiral Development

A mix of the waterfall model and the prototype model in which a prototype is developed and tested using the waterfall method.

Threat Vector

A path or means that an attacker can use to compromise the security of a system.

Business Continuity Plan

A plan for recovering and restoring critical functions after a catastrophic disaster or extended disruption.The Business Continuity Plan (BCP) identifies appropriate disaster responses that maintain business operations during reduced or restricted infrastructure and resource capabilities. In addition, a BCP identifies actions required to restore the business to normal operation. A business continuity plan is designed to ensure that critical business functions (CBF) can be performed when operations are disrupted. Development of a BCP manual to document and track progress of the BCP would include the following steps: Analysis Solution design Implementation Testing and organization acceptance Maintenance A BCP: Identifies and prioritizes critical functions. Calculates recovery timeframes. Identifies plans, including resource dependencies and response options, to bring critical functions online within an established timeframe. These plans spell out a clear order of restoration based on company needs and priorities, as well as legal responsibilities to customers and shareholders. Specifies procedures for security of unharmed assets. Identifies procedures for salvage of damaged assets. Identifies BCP team members who are responsible for plan implementation. Should be tested on a regular basis to verify that the plan still meets recovery objectives.

Acceptable Use Policy (AUP)

A policy that defines how users should use the information and network resources in an organization.

Password Policy

A policy that detail the requirements for passwords used in an organization.

User Management Policy

A policy that identify actions to follow when employee status changes to ensure the security of the system, including hiring new employees, promoting and transferring employees, and terminating employees.

Privacy Policy

A policy that outlines how the organization will secure private information for employees, clients, and customers.

Change Management and Configuration Management Policy

A policy that regulate changes to policies, practices, and equipment that could impact the security of your IT infrastructure.

Authorized Access Policy (AAP)

A policy that specifies access controls that are employed on a network.

Human Resources (HR) Policy

A policy used by HR that defines hiring and termination processes, job rotation requirements, and personal time off procedures.

User Education and Awareness Policy

A policy with provisions for user education and awareness training.

Remote Wipe

A procedure to remotely clear specific, sensitive data on a mobile device.

Manageable Network Plan

A process created by the National Security Agency (NSA) to assist in making a network manageable, defensible, and secure.

Succession Planning

A process for identifying and developing internal people with the potential to fill key positions within the organization at some point in the future.

Guideline

A recommendation that is used when a specific standard or procedure does not exist.

Regulation

A requirement published by a government or other licensing body that must be followed.

Asset

A resource that has value to an organization.

Code of Ethics

A set of rules or standards that help individuals to act ethically in various situations.

Collusion

A situation in which multiple employees conspire to commit fraud or theft.

Vishing

A social engineering attack that exploits voice-over-IP telephone services to gain access to an individual's personal and financial information, including their government ID number, bank account numbers, or credit card numbers.

Email Hoax

A social engineering attack that preys on email recipients who are fearful and will believe most information if it is presented in a professional manner.

Spear Phishing

A social engineering attack that targets specific individuals within a company to gain access to information that will allow the attacker to gain commercial advantage or commit fraud.

Phishing

A social engineering attack that usually involves sending emails that are purported to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Watering Hole

A social engineering attack where the victim is a group like an organization, an industry, or a region and where the attacker guesses or observes which websites the group uses and infects one or more of them with malware.

Whaling

A spear phishing attack targeted that targets senior executives and high-profile victims.

Baseline

A standard that dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards.

Procedure

A step by step process that outlines how to implement a specific action.

Cost-Benefit Analysis

A systematic approach to calculating and comparing the benefits and costs of a course of action in a given situation.

Software Development Life Cycle (SDLC)

A systematic, seven-phase method for design, development, and change management used for software development and the implementation of system and security projects.

Prototype Development

A type of iterative development that was made to combat the weaknesses of waterfall-based models.

Critical Business Functions (CBF)

Activities that are vital to your organization's survival and to the resumption of business operations.

Vulnerability Evaluation

After identifying possible sources of threats, the next step is to evaluate common vulnerabilities to identify weaknesses that can be exploited. Vulnerabilities include: Software, operating system, and hardware vulnerabilities Lax physical security Weak policies and procedures, such as a poor password policy

Risk Response

After you have identified the risks and their associated costs, you can determine how best to respond to the risk. Responses include: Taking measures to reduce (or mitigate) the likelihood of the threat by deploying security controls or other protections. When deploying countermeasures, the annual cost of the countermeasures should not exceed the ALE. If it does, you are paying more to protect the asset than it is worth. Security control types include: Management , Operational, Technical Consider the following factors when implementing security controls to reduce risk: Compatibility with the existing infrastructure Effectiveness Regulatory compliance Organizational policies Operational (performance) impact Feasibility (technical requirements or usability) Safety and reliability Transferring (or assigning) risk by purchasing insurance to protect the asset. When the incident occurs, the cost of replacing or repairing the asset is covered by insurance. When deciding to transfer the risk, be sure to compare the cost of insurance with the ALE. Purchase the insurance only if its cost is less than the ALE. Accepting the risk and choosing to do nothing. For example, you might decide that the cost associated with a threat is acceptable or that the cost of protecting the asset from the threat is unacceptable. In this case, you would plan for how to recover from the threat, but not implement any measures to avoid it. Risk rejection (or denial) is choosing not to respond to the risk even though the risk is not at an acceptable level. Risk rejection introduces the possibility of negligence and may lead to liability. Risk rejection is not an appropriate response. Risk deterrence is letting threat agents know of the consequences they face if they choose to attack the asset. This could include posting warnings on login pages to indicate prosecution policies. Distributive Allocation responds to the risk by spreading it through redundancy and high availability techniques such as clustering, load balancing, and redundant storage arrays.

Milestone

An action or event marking a significant change when implementing a manageable network plan.

Scarcity

An active social engineering technique that attempts to make people believe that if they don't act quickly, they will miss out on an item, opportunity, or experience.

Urgency

An active social engineering technique that attempts to make people believe they must act quickly to avoid imminent damage or suffering.

Consensus

An active social engineering technique that leverages peoples' willingness to perform an act if others have already performed the act.

Familiarity

An active social engineering technique that leverages peoples' willingness to perform an act requested by someone they are familiar with.

Intimidation

An active social engineering technique that usually involves an attacker impersonating a manager or director to frighten lower-level employees to gain information.

Service Level Agreement (SLA)

An agreement between a customer and provider that guarantees the quality of a network service provider's care to a subscriber.

Asset Classification

An asset prioritization method that identifies the appropriate value and protection levels by grouping similar assets and comparing the valuation of different classifications.

Sensitivity vs. Risk

An asset prioritization method that uses a chart to qualify the value of an asset based on sensitivity and risk.

Comparative

An asset prioritization method that uses a ranking based on an arbitrary scale that is compatible with the organization's industry.

Delphi

An asset prioritization method that uses an anonymous survey to determine the value of an asset.

Control Your Network (User Access)

Control Your Network (User Access) ensures network security, but restricts user access: Limit a user to the least privilege required for the user's job Limit local admins to an absolute minimum Use regular user accounts for day-to-day work Use role-based access controls Don't let users install software Set account expiration dates Disable or remove accounts when a user leaves the organization

Software Development and Coding

Development and coding involves three main actions, each of which should be performed by individual groups: Coding Testing Validation The product goes into major production and is developed by programmers. In this phase: The software should be tested in the same environment where it will be used. Sometimes backdoors (known as maintenance hooks) are unintentionally left by developers. These can later be exploited by attackers. It is important that developers test all aspects of their product for possible backdoors and eliminate any that are found. Using modular coding makes implementing changes easier. Making sure no vulnerable function calls are used. Use dynamic code analysis to detect dependencies. Take advantage of peer code review. Use design and architectural patterns to cover recurring software limitations or vulnerabilities. Two concepts associated with modular coding are high cohesion and low coupling: High cohesion in coding implies that the functions performed by a module are related and clearly defined. Low coupling indicates that a module is not dependent on another module and that changes in the module will not require changes in another module. Each task in this phase ( coding, testing and validation) should be performed by a different group.

Document Your Network

Document Your Network is the step in which you create the documentation for your network. Document all processes and procedures.

Virus Hoax

False reports about non-existent viruses that often claim to do impossible things that cause recipients to take drastic action, like shutting down their network.

Functional Design

Functional design involves the following actions: A project plan is developed. Security activities and checkpoints are identified. Design documentation is developed. Some limited resources are allocated to the project. The security framework is created. The evaluation criteria is identified. The framework of the application is designed, and a prototype of the most critical components is implemented.

Passive Social Engineering

Gathering information or gaining access to secure areas by taking advantage of peoples' unintentional actions.

Active Social Engineering

Gathering information or gaining access to secure areas through direct interaction with users.

User Management Policies

Identify actions that must take place when employee status changes. The administrator of a network for an organization needs to be aware of new employees, employee advancements and transfers, and terminated employees to ensure the security of the system. All of these activities could result in changes to: Network access Equipment configuration Software configuration

End of Life

Implementation of disposal. Disposal includes: Archiving Overwriting Destroying An accurate record should be kept of the product and any modifications that were made to it during its lifetime. Additionally, make sure that all applicable laws, regulations, and contractual obligations are met.

Software Installation and Implementation

Installation and implementation involves the following actions: Formal functional testing is performed by users. All bugs, vulnerabilities, and risks should be evaluated and documented. User guides and operational manuals are created. Certification, accreditation, and auditing are performed.

Tailgating or Piggybacking

Listening to a conversation between employees discussing sensitive topics.

Shoulder Surfing

Looking over the shoulder of someone working on a computer to view usernames, passwords, or account numbers.

Patch Management

Manage Your Network Part I (Patch Management) establishes an update management process for all software on your network. Patch all systems on a regular schedule Apply critical patches whenever they are released Include mobile devices that connect to the network infrequently Automate the patching process Consider using Windows Server Update Services (WSUS)

Baseline Management

Manage Your Network Part II (Baseline Management) provides rules for establishing a baseline for all systems. Create an approved application list for each class of device on the network Establish the criteria and process for getting an application on the approved list Verify apps before adding them to the allowed list Create device baselines Secure Web browsers Check baselines for security misconfigurations (consider using the Microsoft Baseline Security Analyzer [MBSA])

Map Your Network

Map Your Network ensures that you are aware of all the components of the network and that you know where the physical devices are. Steps are: Create a map of the network topology. Create a list of all devices. Don't forget to include wireless devices. Use a network scanner and then confirm manually with a room-by-room walkthrough. Identify who is responsible for each device and detail other information, such as IP address, service tag, and physical location. Consider using a database file to store the information. Create a list of all protocols being used on the network by using a network analyzer. Consider removing unauthorized devices and protocols from your network.

Operations and Maintenance

Operations and maintenance involve the following actions: As the software is operating in a live environment, operational testing and maintenance should be conducted. Different types of maintenance, such as patching and changes, might be necessary as the application evolves over time. Security functions should remain intact in order to efficiently respond to update requirements. Security-related patches and upgrades should be applied to a system as quickly as possible (with the standard caveat that all patches and upgrades should be tested on non-production systems first). When securing a workstation for use on a secured network, the application of any operating system updates and patches should be performed first. If your organization relies on high-end customized software developed by an external company, code escrow should be implemented. Code escrow is a storage facility hosted by a trusted third party that ensures access to the mission-critical code even if the development company goes out of business.

Resource Allocation Policy

Outlines how resources are allocated. Resources could include: Staffing Technology Budgets

Prepare to Document

Prepare to Document means establishing the process you will use to document your network. A useful document will: Be easy to use Include enough detail Document the important things Use timestamps Be protected with restricted access and possibly encryption Have a printed hard copy kept in a secure location

Object-Oriented Programming (OOP)

Programming based on the organization of objects rather than actions that uses pre-assembled programming code in a self-contained module that encapsulates a segment of data and its processing instructions.

Project Initiation

Project initiation involves the following actions: An original, profitable idea is recognized, and a cost justification is made. Initial security objectives are defined. Timelines for the project are identified. The potential users are contacted and involved in the concept development. Security objectives that the software needs to meet are created. Initial risk analysis is performed to see if an alternative approach might be beneficial.

Protect Your Network (Network Architecture)

Protect Your Network (Network Architecture) identifies the following steps to protect your network: Identify and document each user on the network and the information the user has access to Identify the high-value network assets Document the trust boundaries Identify the choke points on the network Segregate and isolate networks Isolate server functions Physically secure high-value systems

Reach Your Network (Device Accessibility)

Reach Your Network (Device Accessibility) helps to ensure that all of the devices on your network can be easily accessed while still maintaining the device's security. Accessibility includes physical access as well as remote access. Important considerations include: Do not use insecure protocols Use Windows Group Policies to administer Windows systems Make sure that remote access connections are secure Automate administration as much as possible

Employee Management

Reduces asset vulnerability from employees by implementing processes that include the following: Pre-employment processing Employee agreement documents Employee monitoring Termination procedures

Change Control

Regulates changes to policies and practices that could impact security. The primary purpose of change control is to prevent unchecked change that could introduce reductions in security. Change control must be a formal, fully documented process. The following are the change control process steps: Identify the need for a change and submit it for approval.Conduct a feasibility analysis, including technical and budgetary considerations. Design the method for implementing the change. Implement the change. Test the implementation to make sure it conforms to the plan and that the change does not adversely affect confidentiality, integrity, and accessibility. Document the change. Analyze feedback. In the event that a change unintentionally diminishes security, an effective change control process includes rollback. A rollback makes it possible to revert the system back to the state it was in before the change was put into effect.

User Education and Awareness Training

Security awareness and training is designed to: Familiarize employees with the security policy. Communicate standards, procedures, and baselines that apply to the employee's job. Facilitate employee ownership and recognition of security responsibilities. Establish reporting procedures for suspected security violations. Role-based security awareness training which should be tailored for the role of the employee (role-based awareness training) Data owner System Administrator System owner User Privileged user Executive user When an updated version of a security plan is produced, the most critical activity to prevent is public release of older versions of the document. Even an out of date plan can provide sufficient information to attackers to perform serious security intrusions. When the security plan is updated, users should be made aware of the changes, the document should be distributed internally to appropriate parties, and all old versions should be destroyed.

Release

Software should always be released to a librarian for disposition into production. Installations and routine operations of the application are performed. Security requirements should be included in proposals and contracts. The following list explains the application vulnerability life cycle, the chain of events that happen following the release of an application. The application is released. Any bugs that are released in the program are discovered by hackers. Hackers publish the bugs and make them known to the public. Venders develop and release patches. Application users install the patches to their system. Hackers continue to discover vulnerabilities, sometimes as a result of the patch itself. The cycle frequently repeats itself, starting at step two, until the application is no longer in production.

Mobile Device Management (MDM)

Software that allows IT administrators to control, secure, and enforce policies on smartphones, tablets, and other endpoints.

System Design

System design identifies the: Functional model Behavioral model Informational model Key output from the system design includes: Data design Procedural design Architectural design Key security decisions made are: Access controls Rights and permissions Encryption algorithms

Disaster Recovery Plan (DRP)

The Disaster Recovery Plan (DRP) identifies short-term actions necessary to stop the incident and restore critical functions so the organization can continue to operate. The DRP is a subset of the BCP, and is the plan for IT-related recovery and continuity. A disaster recovery plan (DRP) should include: Plans for resumption of applications, data, hardware, communications, and other IT infrastructure in case of disaster. Attempts to take into consideration every failure possible. Plans for converting operations to alternate processing sites in case of disaster. Plans for converting back to the original site after the disaster has concluded. Disaster recovery exercises (such as fire drills) that simulate a possible disaster.

Acceptable Use

The acceptable use agreement might set expectations for user privacy when using company resources. Privacy is the right of individuals to keep personal information from unauthorized exposure or disclosure. In a business environment, businesses might need to be able to monitor and record actions taken by employees.

Onboarding

The activities involved in setting up the work environment for new employees.

Offboarding

The activities involved when an employee resigns, retires, or is terminated.

Provisioning

The configuration, deployment, and management of IT system resources, including mobile devices.

Risk Management

The forecasting and evaluation of risks together with the identification of procedures to avoid or minimize their impact.

Risk

The likelihood of a vulnerability being exploited.

Threat Probability

The likelihood that a particular threat will occur that exploits a specific vulnerability.

Interoperability Agreement

The means through which organizations (public administrations or businesses) formalize cooperation with one another.

Residual Risk

The portion of risk that remains after the implementation of a countermeasure.

Authority

The process of looking in the trash for sensitive information that was not properly disposed of.

Physical Security

The protection of assets from physical threats

Loss

The real damage to an asset that reduces its confidentiality, integrity, or availability.

Fraud

The use of deception to divert company assets or profits to an employee.

Exposure

The vulnerability to losses from a threat agent.

Authorized Access

This documents access control to company resources and information. This policy specifies who is allowed to access the various systems of the organization.

Configuration Management

This provides a structured approach to securing company assets and making changes. ________ _______: Establishes hardware, software, and infrastructure configurations that are to be deployed universally throughout the corporation. Tracks and documents significant changes to the infrastructure. Assesses the risk of implementing new processes, hardware, or software. Ensures that proper testing and approval processes are followed before changes are allowed.

Delphi Method

This uses an anonymous survey to determine the value of an asset. Anonymity promotes honest responses.

Threat Identification

When identifying threats, consider the various sources of threats: External threats are those events originating outside of the organization that typically focus on compromising the organization's information assets. Examples are hackers, fraud perpetrators, and viruses. Internal threats are intentional or accidental acts by employees, including: Malicious acts such as theft, fraud, or sabotage Intentional or unintentional actions that destroy or alter data Disclosing sensitive information through snooping or espionage Natural events are those events that may reasonably be expected to occur over time. Examples are a fire or a broken water pipe. Disasters are major events that have significant impact on an organization. Disasters can disrupt production, damage assets, and compromise security. Examples of disasters are tornadoes, hurricanes, and floods.

Risk Assessment

______ _______ is the practice of determining which threats identified are relevant and pressing to the organization and then attaching a potential cost that can be expected if the identified threat occurs. There are two general risk assessment methods: Quantitative analysis assigns real numbers to the costs of damages and countermeasures. It also assigns concrete probability percentages to risk occurrence. Qualitative analysis uses scenarios to identify risks and responses. Qualitative risk analysis is more speculative (based on opinion) and results in relative costs or rankings.

Asset Identification

_______ _______ includes the following processes: Asset identification identifies the organization's resources. Asset valuation determines the worth of that resource to the organization. Asset valuation is important because it establishes the level of protection appropriate for each asset. When identifying assets and values, be sure to include both tangible and intangible assets.

Human Resource

documentation of the storage and conditions of release of source code. For example, a code escrow agreement could specify that you can obtain the source code from a vendor if the vendor went out of business.

Impersonation

refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. The attacker usually poses as a member of senior management.