CISSP-1-Security-And-Risk-Management
Risk Reduction
Implement a countermeasure to alter or reduce risk
BCP Documentation
1) Continuity Planning Goals 2) Statement of Importance 3) Statement of Priorities 4) Statement of Organizational Responsibility 5) Statement of Urgency and Timing 6) Risk Assessment 7) Risk Acceptance/Mitigation 8) Vital Records Program 9) Emergency-Response Guidelines 10) Maintenance 11) Testing and Exercises
Three Control Types One Should Always Have
1) Corrective 2) Detective 3) Preventative
NIST SP 800-34 7 Steps
1) Develop the continuity planning policy statement 2) Conduct the business impact analysis 3) Identify preventive controls 4) Create contingency strategies 5) Develop an information system contingency plan 6) Ensure plan testing, training and exercises 7) Ensure plan maintenance
Authorization Categories
1) Discretionary Access Control 2) Mandatory Access Control 3) Role-based Access Control
Qualitative Risk Reasons
1) Does not require a lot of numeric data 2) Results are more descriptive than measurable 3) Easier to perform if time is short 4) Recommended for less experienced assessors
Threat Modeling
1) Focused on assets 2) Focused on attackers 3) Focused on software
Chain of Evidence / Chain of Custody
1) General description of the evidence 2) Time and date the evidence was collected 3) Exact location the evidence was collected from 4) Name of the person collecting the evidence 5) Relevant circumstances surrounding the collection. The chain can never be broken
IAAAA
1) Identification 2) Authentication 3) Authorization 4) Auditing 5) Accounting
Risk Analysis Goals
1) Identify assets and their values 2) Identify vulnerabilities and threats 3) Quantify the probability and business impact of these potential threats 4) Provide an economic balance between the impact of the threat and the cost of the countermeasure
Object
A passive entity such as data on a system
Tangible Asset
A physical asset such as a computer
Office of Management and Budget Circular A-130 (OMD)
A program developed to meet information resource management requirements for the federal government. Requires that a review of security controls for each government application be performed at least every three years
Copyright
A type of intellectual property that protects the form of "expression" of some artistic resource, but not the manner in which it was created. Protects against unauthorized copying. Artist: lifetime + 70 years. Corporations: 95 to 120 years. Can include software programs. If there are multiple artists, then 70 years after the death of the last artist
Seclusion
"Storing" something in an out-of-way manner
Annual Cost of Safeguard (ACS)
(ALE1 - ALE2) - THIS
MTD - Urgent
1 day
MTD - Important
3 days
MTD - Nonessential
30 days
MTD - Normal
7 days
Statutory
A type of financial damage in civil/tort law. Prescribed by law; can be awarded to the victim even if the victim incurred no actual loss or injury
Compensatory
A type of financial damage in civil/tort law. Provides the victim with a financial award to compensate for the loss or injury incurred as a direct result of the wrongdoing
Maximum Tolerable Outage (MTO)
Another name for MTD
Security Professional
Assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management. The security professional has the functional responsibility for security, including writing the security policy and implementing it
BCP Review
At least once a year
BCP vs. DRP
BCP comes first, and if it fails then DRP steps in to fill the gaps
Security Controls Development Examples
COBIT 5, COSO Internal Control Integrated Framework, NIST SP 800-53
Shared Authority
Ensures that no single user can take illegal action on their own authority
Piracy
Focuses on infringement of a copyright
Patent Requirements
Invention must be new (patentable only if it is an original idea). Invention must be useful; it must actually work and accomplish some sort of task. Invention must not be obvious
Quantitative Decision Making
Involves the use of numbers and formulas to reach a decision. This type of data often expresses options in terms of the dollar value to the business. AV, MTD, RTO
Virtualized Browsers
Isolation of a web-browsing application from the operating system (OS) used to access it. Protects against malware
Privacy
Keeping information confidential that is personally identifiable or that might cause harm, embarrassment or disgrace to someone if revealed
Material Evidence
Must be related to the case at hand
Competent Evidence
Must have been obtained legally
Risk Management Frameworks
NIST 800-30, FRAP, OCTAVE are examples of these. Hint: Nist drinks fraps and listens to octaves on 800 AM KRIS
Prescreening
One of the best preventative controls against future insider attacks when hiring someone new. Limit the information gathered in background checks and interviews to what is needed for the job role
Council of Europe (CoE) Convention on Cybercrime
One of the first international treaties attempting to create a standard international response to cybercrime including creating a framework to determine jurisdiction and extradition
Least Privilege
Only authorized entities have access to information on a need-to-know basis
OECD - Accountability
Organizations should be accountable for complying with measures that support the previous principles
Financial Risk Calculation
P * M = C, where (P) is the probability of harm, (M) is the magnitude of harm, and (C) is the cost of prevention
Security Awareness Training
Performed to "modify" employees' behavior and attitude toward security
OECD - Data Quality
Personal data should be kept complete and current and be relevant to the purposes for which it is being used
Detection and Identification
Phase 1 of incident response. 1) Look for abnormal or suspicious behavior 2) Under-the-radar activity found in logs and detection systems
Response and Reporting
Phase 2 of incident response. 1) Isolation and containment - Always treat it as if legal will get involved - Don't power the system down or do anything else that may destroy the evidence 2) Gathering evidence - Collect the equipment and software for the investigation - voluntary surrender, subpoena or search warrant 3) Analysis and reporting - fact-based, not opinion - management-readable
Recovery and Remediation
Phase 3 of incident response 1) Restoration 2) Lessons learned (post mortem)
Warez
Pirated software
Data Hiding
Preventing data from being discovered or accessed by a subject. Often a key element in security controls as well as in programming
Color of Law
Private citizens carry out actions or investigations on behalf of law enforcement. They may be considered agents of law enforcement
Safeguards
Proactive controls. Should reduce ARO
ISC^2 Code of Ethics Canon 3
Provide diligent and competent service to principals (employers)
Corroborative Evidence
Provides additional support for a fact that might have been called into question
Countermeasures
Reactive controls
Security Administrator
Responsible for providing adequate physical and logical security for IS programs, data and equipment
Risk Identification
Step 2 of BIA. A qualitative approach to finding both natural and manmade risks
Uncertainty Level
The inverse of confidence level
BCP Initiation Phase
The phase to get management's support, develop the scope of the plan and secure funding and resources for the BCP
Continuity of Operations Plan (COOP)
The plan for continuing to do business until the IT infrastructure can be restored. Hint: Chickens in coops can still lay eggs without IT
Business Resumption Plan (BRP)
The plan to move from the disaster recovery site back to your business environment or back to normal operations
Recovery Point Objective (RPO)
The point in time to which data must be restored in order to successfully resume processing. This is the organization's definition of acceptable data loss
Risk Transfer
The practice of passing/sharing the risk in question to another entity such as an insurance company
Military and Intelligence Attack
To obtain secret and restricted information from military or law enforcement sources
NIST SP 800-30
U.S. standard for conducting risk assessments for IT systems. Hint: 3rd r0ck from the sun is a risky place to live
FIPS 199 and FIPS 200
U.S. standards that establish security categories of information systems as mandated by FISMA
Expert Opinion
Witness may offer an expert opinion based on the other facts presented and their personal knowledge of the field
Directive Access Control
Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures
Tactical Plan
A midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan, or crafted ad hoc based upon unpredicted events. Typically useful for about a year; often prescribes and schedules the tasks necessary to accomplish organizational goals. Examples are project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans
Job Responsibilities
The specific work tasks an employee is required to perform on a regular basis, including the access they need to perform a task
RFC 1087
IAB-created request that defines activities considered unethical or unacceptable on the Internet
One-on-One Meeting
A technique to perform a qualitative risk analysis
NIST SP 800-37 Steps
1) Categorize information system 2) Select security controls 3) Implement security controls 4) Assess security controls 5) Authorize information system 6) Monitor security controls
Investigation Types
1) Civil (preponderance of the evidence) 2) Criminal (beyond a reasonable doubt) 3) Operational (internal) 4) Regulatory (government)
Quantitative Risk Reasons
1) Require numerical data 2) Provide results that are measurable 3) More difficult to perform and require more time than qualitative risk assessment 4) Recommended for experienced assessors
Quantitative Attributes
1) Requires more complex calculations 2) Is easier to automate and evaluate 3) Used in risk management performance tracking 4) Allows for cost/benefit analysis 5) Uses independently verifiable and objective metrics
Qualitative Attributes
1) Requires no calculations 2) Involves high degree of guesswork 3) Provides general areas and indications of risks 4) Provides the opinions of the individuals who know the process best
IAB Bad Practices
1) Seeks to gain unauthorized access to the resources of the Internet 2) Disrupts the intended use of the Internet 3) Wastes resources (people, capacity, computer) through such actions 4) Destroys the integrity of computer-based information 5) Compromises the privacy of users
Information Security Management System (ISMS)
A coherent set of policies, processes and systems to manage risks to information assets as outlined in ISO/IEC 27001
Intellectual Property Types
1) Industrial (patents, trademarks, trade secrets) 2) Copyrighted (literary/artistic works)
Directive
A control type designed to specify acceptable rules of behavior within an organization
Nonrepudiation
A user cannot deny having performed a transaction; requires authentication and integrity to enforce it
Prudent Man Rule
Acting responsibly and cautiously as a prudent person would from a liability perspective
Threat Event
An accidental or intentional exploitation of a vulnerability
Authorization
Defining the allows and denials of resource and object access for a specific identity
DAD
Disclosure, Alteration, Destruction
Conclusive Evidence
Evidence that is incontrovertible like DNA
Payment Card Industry Data Security Standard (PCI DSS)
A standard created by credit card companies that applies to any entity that processes, transmits, stores or accepts credit card data. Varying levels of compliance and penalties exist, but this is NOT A LAW; it is voluntary (if entities want to be able to use the credit card company services). 12 control objectives broken down into 6 requirement categories
Risk Management Framework (RMF)
A structured process that allows one to identify and assess risk, reduce it to an acceptable level and ensure that it remains at that level. 1) Categorize 2) Select 3) Implement 4) Assess 5) Authorize 6) Monitor
Split Knowledge
A variation of separation of duties. In this case each person knows part of the information and not all of it (like half of a lock combination)
Dual Control
A variation of separation of duties. In this case two or more people are required to perform an action, like turning keys to launch a missile
Disaster Recovery Plan (DRP)
A plan for recovering from an IT disaster and getting the IT infrastructure back in operation. Usually very IT-focused, where everyone is scrambling to get all critical systems back online
Data Disclosure
A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party
Fair Use
A copyright limitation that allows one to make a copy of copyrighted material for personal use. Libraries and other non-profit entities may fall under this category too
First Sale
A copyright limitation that gives one the legal right to sell copyrighted material even though they are not the copyright holder
Control
A countermeasure or safeguard to mitigate risk
Computer-Targeted Crime
A crime where a computer is the victim, such as a DoS or malware victim. The computer is attacked by something
Computer-Assisted Crime
A crime where a computer is used as a tool to break the law, such as enabling the commission of a crime. The computer is attacking something
Uniform Computer Information Transactions Act (UCITA)
A federal law designed for adoption by each of the 50 states to provide a common framework for the conduct of computer-related business transactions. Provides a framework for the enforcement of shrink-wrap and click-wrap agreements by federal and state governments
Risk Rejection / Risk Deny
A final but unacceptable possible response to risk is to reject or ignore it. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk
Pretexting
A form of social engineering in which an individual lies to obtain privileged data
Authorization to Operate (ATO)
A formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to agency operations
Committee of Sponsoring Organization (COSO)
A framework created to deal with fraudulent financial activities - "a model for corporate governance". Covers non-IT items as well, such as company culture, financial accounting principles ... 17 internal control principles grouped into 5 internal control components that cover these major areas: 1) Control Environment 2) Risk Assessment 3) Control Activities 4) Information and Communication 5) Monitoring Activities Hint: COrporate SOciety
Control Objectives for Information and Related Technology (COBIT)
A framework for business governance and management that explicitly ties stakeholder drivers to stakeholder needs to organization goals to IT goals - "a model for IT governance" ... the above is described as "cascading" goals. Based on five principles with a checklist approach. Derived from COSO and used for security compliance during audits in the civilian world
Security Governance
A framework that allows the security goals of an organization to be set and expressed by senior management and communicated throughout the different levels of the organization. Think of it as adding several points of responsibility, accountability, compliance and oversight to the existing security program in place
Sarbanes-Oxley Act of 2002 (SOX)
A law enacted in response to financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices. Regulatory compliance that mandated standards for financial reporting of publicly traded companies. Based on the COSO model. e.g., Enron, Black "SOX" scandal
Religious Law System
A legal system based on religious beliefs where lawmakers/scholars attempt to discover the truth of law in religious text
Customary Legal System
A legal system based on traditions and customs where personal conduct and behavior are enforced
Mixed Law System
A legal system that combines two or more legal systems such as civil, common, religious and customary
End User License Agreement (EULA)
A licensing agreement that specifies conditions and restrictions for a software program
Fail-Safe
A mode that allows a system to continue to function in a degraded mode, e.g., a door is unlocked when power is removed
Fail-Secure
A mode where the system defaults to locked/protected state
Reciprocal Agreement
A mutual agreement in which two organizations agree to provide resources to each other in case of a disaster. The contract is non-binding and difficult to enforce
Computer Ethics Institute
A non-profit organization that works to help advance technology by ethical means
Closed Architecture
A not-so-preferred, black-box approach to design in which security is achieved through obscurity
Bottom-Up Approach
A not-so-preferred security practice in the organization that starts with IT and works its way up to top management
Nonpracticing Entity (NPE)
A patent troll who obtains a patent not to protect it or produce it, but to aggressively go after others who invent something similar
MTD - Critical
ASAP
Enterprise Architecture
An architecture that addresses the structure of an organization
System Architecture
An architecture that addresses the structure of software and computing components
Security Enterprise Architecture (SEA)
An architecture that describes how the security components from the ISMS will be integrated into the layers of the organization
Denial of Service (DoS)
An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading or traffic flooding
Elevation of Privilege
An attack where a limited user account is transformed into an account with greater privileges, powers and access
Financial Attack
Any type of computer attack that involves money
Safeguard / Countermeasure
Anything that removes or reduces a vulnerability or protects against one or more specific threats. Should reduce ARO
Dilution
Occurs when someone uses a famous trademark in a manner that blurs or tarnishes it. Diminishes the capacity of a famous trademark to identify and distinguish goods or services, regardless of the presence or absence
Regulatory Policy
Required whenever industry or legal standards are applicable to your organization. Discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance
Communications Assistance for Law Enforcement Act (CALEA) of 1994
Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use
European Union Privacy Law
Requires that all processing of personal data meet one of the following criteria: 1) Consent 2) Contract 3) Legal obligation 4) Vital interest of the data subject 5) Balance between the interests of the data holder and the interests of the data subject
Data Custodian / Data Steward
Responsible for storing and safeguarding the data. Includes IS personnel such as system analysts and computer operators
Data Custodian
Responsible for the day-to-day tasks of performing and testing backups, validating data integrity, deploying security solutions and managing data storage based on classification
Accounting / Accountability
Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
4th Amendment
Right of people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures
Secondary Risk
Risk event that comes as a result of another risk response. Fix one problem to cause another. Damned if you do and damned if you don't
Risk Monitoring
Risk is forever
Intellectual Property Organization (WIPO)
Run by the UN to protect intellectual property
Job Description
SOC 2 and ISO 27001 require that it be defined and kept up to date annually
Delayed Loss
Secondary in nature; takes place well after a threat agent has exploited a vulnerability
Risk Assessment
The method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. Here we gather the data
Return on Investment (ROI)
The money saved after safeguard implementation: ALE (before) - ALE (after). If positive then it's "worth" doing; otherwise consider risk avoidance
Risk Management (RM)
The process of identifying and assessing risk, reducing it to an acceptable level and ensuring it remains at that level
RMF - Implement
The security controls and describe how the controls are employed within the information system and its environment of operation
RMF - Assess
The security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system
Microsoft STRIDE
Used for threat modeling. Normally focused on application threats. 1) Spoofing 2) Tampering 3) Repudiation 4) Information Disclosure 5) Denial of Service (DoS) 6) Elevation of Privilege
Abstraction
Used to collect similar elements into groups, classes or roles that are assigned security controls, restrictions or permissions as a collective. Adds efficiency to carrying out a security plan
Nondisclosure Agreement (NDA)
Used to protect the confidential information within an organization from being disclosed by a former employee
Contractual License Agreement
Uses a written contract between the software vendor and the customer, outlining the responsibilities of each. These agreements are commonly found for high-priced and/or highly specialized software packages
Typosquatting
Very close spelling of a well-known product. Not illegal in itself; it's what you do with the site that matters
Security Effectiveness
Deals with metrics, meeting SLA requirements, achieving ROI, setting baselines, etc. to provide management with a balanced scorecard system
Deterrent Access Control
Deployed to discourage violation of security policies. THIS and preventive controls are similar, but THIS often depends on individuals deciding not to take an unwanted action on their own
Compensating Access Control
Deployed to provide various options to other existing controls to aid in enforcement and support of security policies. THIS can be any control used in addition to, or in place of, another control
Internet Architecture Board (IAB) Unacceptable Use
(a) seeks to gain unauthorized access to the resources of the Internet (b) disrupts the intended use of the Internet, (c) wastes resources (people, capacity, computer) through such actions, (d) destroys the integrity of computer-based information, and/or (e) compromises the privacy of users.
ISC^2 Code of Ethics Preamble
- The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior - Therefore, strict adherence to this Code is a condition of certification
Attack Tree
A conceptual diagram showing how an asset, or target, might be attacked; usually created while doing threat modeling
Corrective
A control type that attempts to get a system back to normal by fixing components after an incident has occurred
Control Categories
1) Administrative/Soft 2) Physical 3) Technical/Logical
Security Policy Categories
1) Advisory 2) Informative 3) Regulatory
Qualitative Risk Analysis Methods
1) Brainstorming 2) Delphi technique 3) Storyboarding 4) Focus groups 5) Surveys/Questionnaires 6) Checklists 7) One-on-one meetings 8) Interviews
PCI DSS Requirement Categories
1) Build and Maintain a Secure Network and Systems 2) Protect Cardholder Data 3) Maintain a Vulnerability Management Program 4) Implement Strong Access Control Measures 5) Regularly Monitor and Test Networks 6) Maintain an Information Security Policy
Risk Management Framework (RMF) Steps
1) Categorize 2) Select 3) Implement 4) Assess 5) Authorize 6) Monitor Hint: CSI A AM
OECD Principles
1) Collection Limitation 2) Data Quality 3) Purpose Specification 4) Use Limitation 5) Security Safeguards 6) Openness 7) Individual Participation 8) Accountability
Functional Control Types
1) Compensating 2) Corrective 3) Detective 4) Deterrent 5) Preventative 6) Recovery 7) Directive
Computer Crime Categories
1) Computer-Targeted 2) Computer-Assisted 3) Computer-Incidental Attacks: 1) Military and intelligence 2) Business 3) Financial (phone phreaking) 4) Financial 5) Grudge 6) Thrill
Integrity Types
1) Data 2) System
Safe Harbor Principles
1) Data Integrity 2) Enforcement 3) Access 4) Choice 5) Onward Transfer 6) Notice 7) Security Hint: DEACONS safely harbor sinners
Incident Response Process
1) Detection and Identification 2) Response and Reporting - Isolation and containment - Gathering evidence - Analysis and reporting 3) Recovery and Remediation - Restoration - Lessons learned Hint: A DI responds and reports about his recovery and remediation
Data Classification Program Steps
1) Identify the custodian, and define their responsibilities 2) Specify the evaluation criteria of how the information will be classified and labeled 3) Classify and label each resource. (The owner conducts this step, but a supervisor should review it) 4) Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria 5) Select the security controls that will be applied to each classification level to provide the necessary level of protection 6) Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity 7) Create an enterprise-wide awareness program to instruct all personnel about the classification system.
Employee Termination
1) Inform the person that they are relieved of their job 2) Request the return of all access badges, keys, and company equipment 3) Disable the person's electronic access to all aspects of the organization 4) Remind the person about the NDA obligations 5) Escort the person off the premises
Capability Maturity Model Integration (CMMI) Levels
1) Initial 2) Managed 3) Defined 4) Quantitatively Managed 5) Optimizing Hint: "I'm DQ Optimizing" my "cmminon" ice cream cone
BCP Activities
1) Initiate project 2) Assign responsibilities 3) Define continuity policy statement 4) Perform business impact analysis 5) Identify preventative controls 6) Create recovery strategies 7) Develop BCP and DRP documents 8) Test plans 9) Maintain plans
PCI DSS Requirements
1) Install and maintain a firewall configuration to protect cardholder data 2) Do not use vendor-supplied defaults for system passwords and other security parameters 3) Protect stored cardholder data 4) Encrypt transmission of cardholder data across open, public networks 5) Protect all systems against malware and regularly update antivirus software or programs 6) Develop and maintain secure systems and applications 7) Restrict access to cardholder data by business need-to-know 8) Identify and authenticate access to system components 9) Restrict physical access to cardholder data 10) Track and monitor all access to network resources and cardholder data 11) Regularly test security systems and processes 12) Maintain a policy that addresses information security for all personnel
Quantitative Risk Analysis Steps
1) Inventory assets, and assign an asset value 2) Research each asset and produce a list of all possible threats to each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE) 3) Perform a threat analysis to calculate the likelihood of each threat being realized within a single year, that is, the annualized rate of occurrence (ARO) 4) Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE) 5) Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure 6) Perform a cost/benefit analysis of each countermeasure for each threat for each asset and select the most appropriate response to each threat AV -> EF -> SLE -> ARO -> ALE -> Cost/benefit analysis of countermeasure
Security Policy Types
1) Issue-specific 2) Organizational-specific 3) System-specific
COBIT 5
1) Meeting Stakeholder Needs 2) Covering the Enterprise End-to-End 3) Applying a Single, Integrated Framework 4) Enabling a Holistic Approach 5) Separating Governance From Management
COBIT Principles
1) Meeting stakeholder needs 2) Covering the enterprise end-to-end 3) Applying a single integrated framework 4) Enabling a holistic approach 5) Separating governance from management Hint: MC-AES
Quantitative Risk Analysis Goals
1) Monetary values assigned to assets 2) Comprehensive list of all possible and significant threats 3) Probability of the occurrence rate of each threat 4) Loss potential the company can endure per threat in a 12-month time span 5) Recommended controls
Trademark Requirements
1) Must not be confusingly similar to another trademark 2) Should not be descriptive of the goods and services that you will offer. For example, "Mike's Software Company" would not be a good trademark candidate because it describes the product produced by the company
EU Data Protection Directive
1) Notify individuals how their personal data is collected and used 2) Allowing individuals to opt out of sharing their personal data with third parties 3) Granting individuals the right to choose to opt into sharing the most sensitive personal data as opposed to being opted in automatically 4) Providing reasonable protections for personal data Hint: NAG (P)rivacy
Recovery Planning Steps
1) Perform BIA 2) Develop recovery strategy 3) Develop recovery plan 4) Testing 5) Maintaining
The Life Cycle of Any Process
1) Plan and Organize 2) Implement 3) Operate and Maintain 4) Monitor and Evaluate
NIST SP 800-30 Steps
1) Prepare the assessment 2) Conduct the assessment a: Identify threat sources and events b: Identify vulnerabilities and pre-disposing conditions c: Determine likelihood of occurrence d: Determine magnitude of impact e: Determine risk 3) Communicate results 4) Maintain assessment
Integrity
1) Preventing unauthorized subjects from making modifications 2) Preventing authorized subjects from making unauthorized modifications, such as mistakes 3) Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent and verifiable
HIPAA Three Rules
1) Privacy 2) Security 3) Breach Notification
BCP Steps
1) Project scope and planning 2) Business impact assessment (BIA) 3) Continuity planning 4) Approval and implementation
ISC^2 Code of Ethics Canons
1) Protect society, the commonwealth (nation), and the infrastructure 2) Act honorably, honestly, justly, responsibly, and legally 3) Provide diligent and competent service to principals (employers) 4) Advance and protect the profession Hint: PAPA, protect actors to provide advancement Hint: This is the order of importance so always choose the highest (1 is highest, 4 is lowest)
Security Policy Contents
1) Purpose 2) Scope 3) Responsibilities 4) Compliance
Risk Response Types
1) Reduce 2) Assign 3) Accept 4) Reject
Admissible Evidence
1) Relevant (makes a fact more probable than it would be without it) 2) Material (related to the case) 3) Competent (obtained legally)
Change Management Process
1) Request 2) Review 3) Approve/Reject 4) Schedule/Implement 5) Document
European Union Privacy Law Rights
1) Right to access the data 2) Right to know the data's source 3) Right to correct inaccurate data 4) Right to withhold consent to process data in some situations 5) Right of legal action should these rights be violated
BIA Steps
1) Select individuals to interview for data gathering 2) Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative) 3) Identify the company's critical business functions 4) Identify the resources these functions depend upon 5) Calculate how long these functions can survive without these resources 6) Identify vulnerabilities and threats to these functions 7) Calculate the risk for each different business function 8) Document findings and report them to management
CIRT Team Members
1) Senior management 2) IT staff 3) Legal representatives 4) Public affairs/communications staff 5) System/network engineers
Ten Commandments of Computer Ethics (Computer Ethics Institute; often mislabeled "IAB 10 Commandments")
1) Thou shalt not use a computer to harm other people 2) Thou shalt not interfere with other people's computer work 3) Thou shalt not snoop around in other people's computer files 4) Thou shalt not use a computer to steal 5) Thou shalt not use a computer to bear false witness 6) Thou shalt not copy proprietary software for which you have not paid 7) Thou shalt not use other people's computer resources without authorization or proper compensation 8) Thou shalt not appropriate other people's intellectual output 9) Thou shalt think about the social consequences of the program you are writing or the system you are designing 10) Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans The IAB's own ethics statement is RFC 1087 ("Ethics and the Internet"), a shorter list of five unacceptable activities
Threat Model Components
1) Trust Boundaries 2) Data Flow Paths 3) Input Points 4) Privileged Operations 5) Details about Security Stance and Approach
Safeguard Value
Safeguard value = ALE before the safeguard - ALE after implementing the safeguard - annual cost of the safeguard (ACS), i.e., (ALE1 - ALE2) - ACS If the value is negative the safeguard is not a financially responsible choice
Detective
A control type that helps identify an incident's activities and potentially an intruder
Recovery
A control type aimed to get systems back to normal before/during an attack e.g., disaster recovery site, data backups, high availability
Ministry of Defense Architecture Framework (MoDAF)
A UK Ministry of Defence EAF based on DoDAF The crux of the framework is to get data in the right format to the right people as soon as possible
NIST SP 800-39
A U.S. standard that provides guidelines for "managing risk" to organizational operations and assets across three tiers: 1) Organization tier 2) Mission/Business Process tier 3) Information System tier
Preventative
A control type that is intended to avoid an incident from occurring
Deterrent
A control type that is intended to discourage a potential attacker
National Information Infrastructure Protection Act of 1996
A CFAA amendment 1) Broadens CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce 2) Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids and telecommunications circuits 3) Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony
Personal Information Protection and Electronic Documents Act (PIPEDA)
A Canadian law that sets the ground rules for how private-sector organizations collect, use and disclose personal data
Department of Defense Architecture Framework (DoDAF)
A U.S. DoD EAF Provides a foundational framework for developing and representing architecture descriptions that ensure a common denominator for understanding, comparing and integrating architectures across organizational, joint and multinational boundaries Focus is on command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) systems and processes Ensures that all systems and processes work in a concerted effort to accomplish the mission
The Open-Group Architecture Framework (TOGAF)
A DoD-derived EAF (descended from the DoD's TAFIM) Provides an approach to design, implement and govern the following enterprise information architecture types: 1) Business 2) Data 3) Application 4) Technology Uses an iterative and cyclic process that allows requirements to be continuously reviewed/updated Uses the Architecture Development Method (ADM) Hint: Airforce snake eats its own toe (circular)
Sherwood Applied Business Security Architecture (SABSA)
An EAF Similar to the Zachman Framework in using a matrix of interrogatives, but organized in layers Each layer decreases in abstraction and increases in detail, moving from policy to the practical implementation of technology Both a framework and a methodology that can be constantly monitored and improved over time Hint: Zachman likes SALSA
Safe Harbor - Data Integrity
A Safe Harbor Principle Data must be relevant and reliable for the purpose it was collected for
Safe Harbor - Access
A Safe Harbor Principle Individuals must be able to access information held about them and correct or delete it if it is inaccurate
Safe Harbor - Notice
A Safe Harbor Principle Individuals must be informed that their data is being collected and about how it will be used
Safe Harbor - Choice
A Safe Harbor Principle Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties
Safe Harbor - Security
A Safe Harbor Principle Reasonable efforts must be made to prevent loss of collected information
Safe Harbor - Enforcement
A Safe Harbor Principle There must be effective means of enforcing these rules
Safe Harbor - Onward Transfer
A Safe Harbor Principle Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles
NIST SP 800-34
A U.S. standard for continuity planning for federal information systems Hint: 3 + 4 + ... is continuity
NIST SP 800-55
A U.S. standard that provides guidance on how "metrics" can be used to measure the success of an ISMS ISO/IEC 27004 is the international counterpart Hint: Sum is 10 which is best performance
NIST SP 800-37
A U.S. standard that provides guidelines for applying the Risk Management Framework (RMF) to federal information systems, including the activities of security categorization, security control selection and implementation, security control assessment, information system authorization and security control monitoring
Emergency Change Advisory Board (ECAB)
An ITIL construct: a smaller subset of the change advisory board (CAB) convened to authorize emergency changes that cannot wait for the normal CAB cycle and full testing Emergency changes are still assessed, approved and documented, just on an accelerated path
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
A risk assessment methodology (Carnegie Mellon University SEI) intended for situations where people "internally" manage and direct the risk evaluation for IT security Insiders, if properly trained, can make the best decisions when it comes to understanding risks from "ALL" assets Hint: The 8 intervals "inside" two notes sing "risky" business
Reasonable Expectation of Privacy (REP)
A company should protect itself legally when monitoring employees through policy, constant reminders (logon banners) and regular training Employees can be asked to sign a waiver giving up their expectation of privacy in the workplace Fourth Amendment considerations
Zombie
A compromised computer used in a botnet IRC is often used as a communication tool
Computer Incidental Crime
A crime where a computer just happens to be present during the commission of a crime but is not the primary vehicle The computer is neither attacked nor attacking but may be used for storage of illegal material or play a secondary role in the act (like recording a video of the crime)
Employment Agreement
A document that outlines the rules and restrictions of the organization, the security policy, the acceptable use and activities policies, details of the job description, violations and consequences, and the length of time the position is to be filled by the employee
Memorandum of Understanding (MOU)
A document specifying an agreement between two entities in "broad terms" Often seen in government, since government agencies typically cannot enter into contracts with each other
Memorandum of Agreement (MOA)
A document specifying an agreement between two entities in "detail" Often seen in government, since government agencies typically cannot enter into contracts with each other
Control Objectives for Information and Related Technologies (COBIT)
A documented set of IT governance and security best practices crafted by the Information Systems Audit and Control Association (ISACA) It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives A security concept infrastructure used to organize the complex security solutions of companies COBIT 5 defines five key principles for the governance and management of enterprise IT
Asset Valuation
A dollar value assigned to an asset based on actual cost and nonmonetary expenses
The Economic Espionage Act of 1996
A law designed to curtail industrial espionage particularly when such activities benefits a foreign entity 1) Anyone found guilty of stealing trade secrets from a U.S. corporation with the intention of benefiting a foreign government or agent may be fined up to $ 500,000 and imprisoned for up to 15 years. 2) Anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years
Electronic Communications Privacy Act (ECPA)
A law enacted to provide protection of electronic communications against warrantless wiretapping Prohibits the interception or disclosure of electronic communication and defines those situations in which disclosure is legal
Health Insurance Portability and Accountability Act (HIPAA)
A law enacted to put strict privacy and security rules for PHI data used by health insurers, providers and clearinghouse (claims) agencies Requires risk analysis along with administrative, physical and technical safeguards Privacy, security and breach notification
Children's Online Privacy Protection Act of 1998 (COPPA)
A law focused on websites that cater to children or knowingly collect information from children 1) Websites must have a privacy notice that clearly states the types of information they collect and what it's used for, including whether any information is disclosed to third parties 2) Parents must be provided with the opportunity to review any information collected from their children and permanently delete it from the site's records 3) Parents must give verifiable consent to the collection of information about children younger than the age of 13 prior to any such collection
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
A law that addresses the privacy and security concerns associated with health records Enacted as part of the American Recovery and Reinvestment Act Requires reporting of data breaches within 60 days It added stricter penalties and fines to strengthen enforcement of HIPAA
The Computer Fraud and Abuse Act of 1986 (CFAA)
A law that covers crimes against "federal interest" computer systems, like unauthorized access and destroying or damaging equipment An amendment to the CCCA that goes beyond just federal computers by adding federal interest and financial computers as well: 1) Any computer used exclusively by the U.S. government 2) Any computer used exclusively by a financial institution 3) Any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use that system 4) Any combination of computers used to commit an offense when they are not all located in the same state
Federal Privacy Act of 1974
A law that establishes a code of fair information practices that governs the collection, maintenance, use and dissemination of information about individuals that is maintained in systems of records by federal agencies Social Security Administration, Census Bureau, IRS, Bureau of Labor Statistics
Digital Millennium Copyright Act (DMCA)
A law that makes it illegal to create products that circumvent copyright protection mechanisms Up to $ 1,000,000 and 10 years in prison for repeat offenders Non-profits/libraries are exempt
Electronic Communications Privacy Act of 1986 (ECPA)
A law that makes it illegal to monitor wire/electronic/oral communications without permission
U.S. Family Education Rights and Privacy Act (FERPA)
A law that protects the privacy of student education records It applies to all schools that receive funds under an applicable program of the U.S. Department of Education
Economic Espionage Act of 1996
A law that provides penalties for people who steal trade secrets and other intellectual property (IP) Harsher penalties for individuals who know the trade secret will benefit a foreign government
Federal Information Security Management Act of 2002 (FISMA)
A law that requires every federal agency to create, document and implement an agency-wide security program to protect the information and systems that support the operations and assets of the agency, including those contracted externally Requires annual audits with results sent to the Office of Management and Budget (OMB) for review Security awareness training Periodic testing Policies, procedures and reporting Uses the NIST SP 800-53 control catalog
Gramm-Leach Bliley Act of 1999 (GLBA)
A law that requires protection of the confidentiality and integrity of consumer financial information Requires financial institutions to develop privacy notices and give customers the option to prohibit financial institutions from sharing their information with non-affiliated third parties Requires security plans, criminalizes pretexting (obtaining customer financial information under false pretenses, a social-engineering technique) and requires notification of data misuse Basel II is a separate accord that pertains to international banking
The Computer Security Act of 1987
A law that requires federal government agencies to baseline computer security: 1) Gives NIST the responsibility for developing standards and guidelines for federal computer systems, with help from NSA (NSA handles classified systems, NIST unclassified) 2) Provides for the enactment of such standards and guidelines 3) Requires the establishment of security plans by all operators of federal computer systems that contain sensitive information 4) Requires mandatory periodic training for all people involved in management, use, or operation of federal computer systems
The Federal Privacy Act of 1974
A law that severely limits the ability of federal government agencies to disclose private information to other persons or agencies without the prior written consent of the affected individual Agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed for a legitimate function of government Written permission required
Due Diligence
A legal liability concept that requires an organization to continually investigate and review its practices to ensure that protection requirements are met, i.e., "knowing" what the risks are (researching threats and incorporating them into a risk management plan, setting appropriate policies, ensuring audits happen at the right times) Its counterpart, due care, is the "doing": acting on that knowledge by implementing and maintaining the controls An entity's liability is its legal responsibility for any action or inaction that puts the entity or any other entity at risk Practicing both creates a defense against negligence, which means an entity is held responsible for an action or inaction that resulted in harm to another entity or individual Hint: Think of the word "knowing" (due diligence) versus "doing" (due care)
Best Evidence Rule
A legal principle that holds an "original" copy of a document as superior evidence If not original then it is called "secondary" evidence
Common Law System
A legal system based on previous interpretations of laws, i.e., precedent Used in the U.S./U.K. Broken down into criminal, civil/tort and administrative/regulatory law Hint: The English Queen makes laws for her "commoners"
Strategic Plan
A long-term, stable plan that defines the organization's security purpose Useful for about five years and maintained and updated annually
Qualitative Risk Matrix
A matrix that consists of likelihood vs. consequences (impact) Multiple team members enter what they think the values should be
Annual Rate of Occurrence (ARO)
A measure of the estimated frequency of occurrence of a threat or event per year e.g., if it occurs once every 10 years the value is 1/10 = 0.1
Single Loss Expectancy (SLE)
A measure of the loss incurred from a single realized threat or event, expressed in dollars = AV * EF
Exposure Factor (EF)
A measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage
Failure Modes and Effect Analysis (FMEA)
A method for determining functions, identifying functional failures and assessing the causes of failures and the failure effects through a structured process Goal is to identify where something is most likely going to break then do something/nothing about it
Fault Tree Analysis
A method to identify failures that can take place within more complex environments and systems Similar to attack trees but for failure analysis
Key Performance Indicator (KPI)
A metric to verify an organization is following accepted best practices or guidelines
Baseline
A minimum level of security
Business Continuity Plan (BCP)
A plan that contains strategy documents providing detailed procedures to ensure critical business functions are maintained and to help minimize losses of life, operations and systems Much broader in scope than the DRP Needs senior management support, prioritization, annual review, etc. A CORRECTIVE control
Baselines
A point in time that is used as a comparison for future changes thus providing for a consistent reference point Could be technical or non-technical Tactical and Mandatory
Issue-specific Security Policy
A policy that covers things like security related to e-mail and should be "technology and solution independent" Acceptable Use Policy (AUP) Email Privacy Also called a functional policy
BCP Policy
A policy that supplies the framework for and governance of designing and building the BCP effort which includes scope, mission statement, principles, guidelines and standards
Clean Desk Policy
A policy that tells users to clean their workspace before they leave to ensure that sensitive material is not left unprotected
System-specific Security Policy
A policy type that is specific to actual computers, networks, databases and applications
Organizational-specific Security Policy
A policy type where management establishes how a security program will be set up, lays out the program's goals assigns responsibilities, shows the strategic and tactical value of security and outlines how enforcement should be carried out Must also address laws, regulations and liability issues Reviewed on a regular basis Also called a master security policy
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
A post 9/11 law that some argue eroded the constitutional rights of U.S. citizens particularly in rights of privacy and illegal search and seizure once protected by the fourth amendment in the effort to foil acts of terrorism
Top-Down Approach
A preferred security practice in the organization that starts with top management working its way down through the ranks
Open Design
A preferred transparent approach to design which allows for peer review
Awareness
A prerequisite to security training: bringing security to the forefront and making it a recognized concern for users
Department of Veterans Affairs Information Security Protection Act
A privacy law that applies to the VA after a breach of millions of veterans' records
Six Sigma
A process improvement methodology by using statistical methods of measuring operation efficiency, reducing variation, defects and waste
Capability Maturity Model Integration (CMMI)
A process used to determine the maturity of an organization's processes using 5 levels Each maturity level with this model represents an evolutionary stage More heavily used in the security world than Six Sigma and ITIL Carnegie Mellon University
Delphi Technique
A qualitative risk analysis method An anonymous feedback-and-response process used to enable a group to reach an anonymous consensus Its primary purpose is to elicit honest and uninfluenced responses from all participants The participants are usually gathered into a single meeting room To each request for feedback, each participant writes down their response on paper anonymously The results are compiled and presented to the group for evaluation. The process is repeated until a consensus is reached
Facilitated Risk Analysis Process (FRAP)
A qualitative risk assessment methodology that focuses only on the systems that really need assessing to reduce costs and time obligations Keeps assessments focused, tight on single assets Qualitative approach first then if risk is high enough follow it with a quantitative analysis Hint: Nautical meaning is to bind something tightly with a "simple" knot to reduce "risk"
Quantitative Risk Analysis
A risk analysis methodology that attempts to assign numeric/monetary values to components A purely quantitative analysis is usually not possible due to some degree of uncertainty, so it often depends on qualitative analysis as well AV/EF/SLE/ARO/ALE/TCO/ROI
Qualitative Risk Analysis
A risk analysis methodology that attempts to assign subjective values to components like low/medium/high Uses severity vs. likelihood matrices
Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM)
A risk assessment methodology from the U.K. that works in three stages using automated tools from Siemens: 1) Define objectives 2) Assess Risks 3) Identify Countermeasures Hint: "Cramming" too many sweets in your mouth "risks" cavities
DREAD
A risk assessment/threat model previously used by Microsoft Damage - how bad would an attack be? Reproducibility - how easy is it to reproduce the attack? Exploitability - how much work is it to launch the attack? Affected users - how many people will be impacted? Discoverability - how easy is it to discover the threat?
Civil Law System
A rule-based, codified legal system not based on precedent Used in most of the world outside common-law countries such as the U.S. and U.K. Lower courts are NOT compelled to follow the decisions made by higher courts
Information Technology Infrastructure Library (ITIL)
A set of detailed "best practices for IT service management (ITSM)" that focuses on aligning IT services with the needs of business A customizable framework that provides the goals and necessary activities to reach objectives via a continual process improvement paradigm Normally "internal" to the organization where SLAs are established between departments
Operational Plan
A short-term, highly detailed plan based on the strategic and tactical plans Valid or useful only for a short time and must be updated often (such as monthly or quarterly) to retain compliance with the tactical plans Examples are resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step or implementation procedures
Risk Management
A systematic process for identifying, analyzing, evaluating, remedying and monitoring risk
Business Impact Analysis (BIA)
A systematic process performed at the beginning of BCP to identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption It identifies the company's critical systems needed for survival and estimates the outage time that can be tolerated as a result of the event
BCP Committee
A team that comprises people familiar with the different departments within the company, such as business units, senior management, IT, security, communications and legal
Risk Analysis Team
A team that includes individuals from key departments to ensure that all of the threats are identified and addressed Includes management, technical and legal personnel
Reduction Analysis
A technique used to reduce the number of attacks and threats to consider, usually done to simplify the attack trees used when threat modeling: branches no realistic attacker could complete are pruned so analysis time goes to the ones that matter Also known as decomposing
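A worked attack tree with reduction analysis, added here as example code (it is not from any CISSP source or from the card set itself). The tree, the per-step attacker costs (arbitrary effort units) and the attacker budget are constructed for illustration; the point is how OR/AND nodes combine into a cheapest cost and how subtrees over the budget are dropped before paths are enumerated.

```python
"""Attack tree evaluation with reduction analysis.

Added example for this card set; not taken from any CISSP source.  The tree,
the per-step attacker costs (arbitrary effort units) and the attacker budget
are constructed for illustration.
"""

from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Leaf:
    name: str
    cost: float  # attacker effort to perform this single step


@dataclass
class OrNode:
    name: str
    children: list  # any one child achieves this node


@dataclass
class AndNode:
    name: str
    children: list  # every child is required to achieve this node


Node = Union[Leaf, OrNode, AndNode]
Path = Tuple[float, List[str]]  # (total cost, leaf steps taken)


def min_cost(node: Node) -> float:
    """Cheapest way to achieve a node: min over OR children, sum over AND children."""
    if isinstance(node, Leaf):
        return node.cost
    costs = [min_cost(c) for c in node.children]
    return sum(costs) if isinstance(node, AndNode) else min(costs)


def attack_paths(node: Node) -> List[Path]:
    """Enumerate every combination of leaf steps that achieves the node."""
    if isinstance(node, Leaf):
        return [(node.cost, [node.name])]
    if isinstance(node, OrNode):
        return [p for c in node.children for p in attack_paths(c)]
    # AND: one path from each child, combined in every possible way
    combined: List[Path] = [(0.0, [])]
    for child in node.children:
        combined = [(cost + c_cost, steps + c_steps)
                    for cost, steps in combined
                    for c_cost, c_steps in attack_paths(child)]
    return combined


def reduce_tree(node: Node, budget: float):
    """Reduction analysis: drop every subtree whose cheapest completion exceeds
    what the modeled attacker can spend, so later analysis only looks at
    branches that attacker could actually take.  Returns None if the whole
    subtree is pruned."""
    if min_cost(node) > budget:
        return None
    if isinstance(node, Leaf):
        return node
    kept = [r for r in (reduce_tree(c, budget) for c in node.children) if r is not None]
    return type(node)(node.name, kept)


def feasible_paths(node: Node, budget: float) -> List[Path]:
    """Attack paths the budgeted attacker can afford, cheapest first.
    OR alternatives under an AND can still add up to more than the budget
    after reduction, so the enumerated paths are filtered once more."""
    reduced = reduce_tree(node, budget)
    if reduced is None:
        return []
    return sorted((p for p in attack_paths(reduced) if p[0] <= budget), key=lambda p: p[0])


# Constructed tree: ways an attacker might read the customer database.
GOAL = OrNode("Read customer records", [
    Leaf("SQL injection in the search form", 2),
    AndNode("Log in as the DBA", [
        OrNode("Obtain DBA credentials", [
            Leaf("Phish the DBA", 3),
            Leaf("Buy leaked credentials", 6),
        ]),
        Leaf("Bypass VPN MFA", 8),
    ]),
    AndNode("Take the disk", [
        Leaf("Tailgate into the data center", 4),
        Leaf("Pull the drive", 1),
        Leaf("Break disk encryption", 50),
    ]),
])


if __name__ == "__main__":
    budget = 12
    print("cheapest attack costs:", min_cost(GOAL))
    for cost, steps in feasible_paths(GOAL, budget):
        print(f"  {cost:>5}  " + " -> ".join(steps))
```

With a budget of 12 the "Take the disk" branch is pruned outright (its AND sum is 55), and of the remaining enumerated paths only the SQL injection (2) and phish-plus-MFA-bypass (11) survive; buying credentials plus the MFA bypass (14) is cut by the final filter even though each step on its own was affordable, which is why the filter after reduction is not redundant.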
Mean Time Between Failures (MTBF)
A time determination for how long a piece of IT infrastructure will continue to work before it fails
Mean Time to Repair (MTTR)
A time determination for how long it will take to get a piece of hardware/software repaired and back on-line
Punitive
A type of financial damage in civil/tort law Punishes an individual or organization in an attempt to discourage a particularly egregious violation where compensatory or statutory damages alone would not act as a deterrent
Criminal Law
A type of law that addresses behavior that is considered harmful to society, like murder, and that society is the victim Punishment can lead to incarceration and/or monetary fines Must prove guilt "beyond a reasonable doubt" - innocent until proven guilty
Civil/Tort Law
A type of law that addresses wrongful acts committed against an individual or business, either willfully or negligently, resulting in damage, loss, injury, or death Punishment can be compensatory, punitive or statutory damages. NEVER incarceration Must prove "liability" with "a preponderance of evidence"
Administrative/Regulatory Law
A type of law that are regulatory in nature and usually enacted by government agencies Punishment can be incarceration and/or financial Must prove guilt as "more likely than not"
Vulnerability
A weakness in a system that allows a threat source to compromise its security
Scenario
A written description of a single major threat. The description focuses on how a threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets
Information Security Officer (ISO)
Accountable for ensuring the protection of all of the business information assets from intentional and unintentional loss, disclosure, alteration, destruction and unavailability
ISC^2 Code of Ethics Canon 2
Act honorably, honestly, justly, responsibly, and legally
Compliance
Actions that ensure behavior that complies with established rules
ISC^2 Code of Ethics Canon 4
Advance and protect the profession
Policy Types
By purpose: Advisory, Informative, Regulatory By scope: Organizational, Issue-specific, System-specific
Paperwork Reduction Act of 1995
Agencies obtain Office of Management and Budget (OMB) approval before requesting most types of information from the public
Risk Acceptance
Allow the risk to exist and accept the consequences Most often chosen when the cost of mitigation exceeds the asset value and avoidance is not an option
Government Information Security Reform Act (GISRA) of 2000
Amended the Paperwork Reduction Act to implement additional information security policies and procedures To provide a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations and assets Places the burden of maintaining the security and integrity of government information and information systems squarely on the shoulders of individual agency leaders and more ...
Total Risk
Amount of risk without implementing mitigation What will it cost me if I do nothing?
Zachman Framework
An EAF 2-dimensional matrix that uses 6 interrogatives across different viewpoints Cols - What/How/Where/When/Who/Why Rows - stakeholder perspectives from planner/executive down to builder and end user (the deck's "CEO / IT dude / security peep / janitor") Hint: Bachman-Turner Overdrive was not the "Who"
Intangible Assets
An abstract asset such as source code, data, etc.
Subject
An active entity such as a user/process on a data system
Mandatory Vacations
An administrative detective control that can be used to uncover fraudulent activities by forcing employees to take vacations
Rotation of Duties
An administrative detective control that can be used to uncover fraudulent activities by moving employees from one position to another within the company
Safe Harbor
An agreement between the United States Department of Commerce and the European Union that regulated the way U.S. companies could export and handle the personal data of European citizens Principles: Data Integrity, Enforcement, Access, Choice, Onward Transfer, Notice, Security Invalidated by the EU Court of Justice in 2015 and replaced by Privacy Shield Hint: DEACONS safely harbor sinners
Interconnection Security Agreement (ISA)
An agreement specifying technical requirements between organizations connecting systems and exchanging data designed to support the MOU/MOA
Cross-training
An alternative to job rotation In both cases, workers learn the responsibilities and tasks of multiple job positions Here the workers are just prepared to perform the other job positions; they are not rotated through them on a regular basis
Computer Abuse Amendments Act of 1994
An amendment to CFAA 1) Outlawed the creation of any type of malicious code that might cause damage to a computer system 2) Modified the CFAA to cover any computer used in interstate commerce rather than just "federal interest" computer systems 3) Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage 4) Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages
Strength, Weaknesses, Opportunities, Threats (SWOT)
An analysis tool to identify an organization's strengths and weaknesses as well as broader opportunities and threats
Cost/Benefit Analysis
An analysis used when choosing a security control for a given risk The benefit must outweigh the cost (ALE Before) - (ALE After) - (Annual Cost of Safeguard) = Net value of safeguard to the company
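The quantitative-risk arithmetic from the Safeguard Value, ARO, SLE, EF and Cost/Benefit Analysis cards carried through on a constructed scenario, added here as example code (not from any CISSP source or from the card set). The asset value, exposure factors, occurrence rates and control costs are made up for illustration; the functions compute SLE = AV * EF, ALE = SLE * ARO and (ALE1 - ALE2) - ACS for several candidate controls and pick the one that pays off most.

```python
"""Quantitative risk arithmetic: AV, EF, SLE, ARO, ALE and the safeguard
value (cost/benefit) test.

Added example for this card set; not from any CISSP source.  The asset value,
exposure factors, occurrence rates and control costs are constructed.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF, where EF is the fraction of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_rate_of_occurrence(incidents: float, years: float) -> float:
    """ARO = expected incidents per year; once every 10 years -> 1/10 = 0.1."""
    if years <= 0:
        raise ValueError("years must be positive")
    return incidents / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: the loss expected from this threat in an average year."""
    return sle * aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float            # ACS: purchase, deployment and upkeep per year
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE1 - ALE2) - ACS.  Negative: the control costs more than the loss it prevents."""
    return (ale_before - ale_after) - annual_cost


def evaluate_safeguards(asset_value: float, exposure_factor: float, aro: float,
                        candidates: List[Safeguard]) -> Dict[str, float]:
    """Value of each candidate control against the same asset and threat."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    values: Dict[str, float] = {}
    for sg in candidates:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, sg.exposure_factor_after), sg.aro_after)
        values[sg.name] = safeguard_value(ale_before, ale_after, sg.annual_cost)
    return values


def best_safeguard(values: Dict[str, float]) -> Optional[str]:
    """Highest positive value wins; None means accepting the risk is cheaper."""
    positive = {name: v for name, v in values.items() if v > 0}
    return max(positive, key=positive.get) if positive else None


# Constructed scenario: a customer database server hit by ransomware.
ASSET_VALUE = 200_000.0   # AV: replacement cost plus lost business
EXPOSURE_FACTOR = 0.5     # EF: half the asset's value is lost per incident
ARO = annual_rate_of_occurrence(incidents=1, years=4)   # once every 4 years -> 0.25

CANDIDATES = [
    # Offline backups: loss per incident drops sharply, frequency unchanged
    Safeguard("offline backups", annual_cost=8_000, exposure_factor_after=0.1, aro_after=ARO),
    # Endpoint detection: most attempts blocked, but a successful one still hurts as much
    Safeguard("endpoint detection", annual_cost=15_000, exposure_factor_after=0.5, aro_after=0.05),
    # Hot site: almost no loss per incident, but expensive to keep running
    Safeguard("hot site", annual_cost=40_000, exposure_factor_after=0.05, aro_after=ARO),
]


def worked_example() -> Dict[str, float]:
    """Safeguard values for the constructed scenario above."""
    return evaluate_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES)


if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    print(f"SLE = {sle:,.0f}  ARO = {ARO}  ALE = {annualized_loss_expectancy(sle, ARO):,.0f}")
    values = worked_example()
    for name, value in values.items():
        print(f"  {name:<20} value = {value:>10,.0f}")
    print("choose:", best_safeguard(values))
```

For these numbers SLE is 100,000, ALE is 25,000, and the three controls come out at +12,000 (offline backups), +5,000 (endpoint detection) and -17,500 (hot site): the hot site reduces loss the most yet fails the test because its annual cost exceeds the loss it avoids, which is exactly the case the negative-value rule on the Safeguard Value card is meant to catch.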
Threat Agent
An entity that takes advantage of a vulnerability
Incident
An event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization's data 1) Scanning 2) Compromises 3) Malicious code 4) Denial of service Report to legal folks if a violation of law including disclosure of sensitive data
Recovery Access Control
An extension of corrective controls, but with more advanced or complex abilities Examples include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing
Breach
An incident that results in the disclosure or potential exposure of data, i.e., the occurrence of a security mechanism being bypassed or thwarted by a threat agent When a breach is combined with an attack, a penetration (intrusion) can result
Opt-in Agreement
An information sharing agreement that prevents an entity from sharing a user's information by default The organization must get your approval Privacy advocates prefer THIS where the user would have to do something in order have their data used
Opt-out Agreement
An information sharing agreement that requires a user to act in order to prevent an entity from sharing that user's information User MUST act to opt out, usually by unchecking a checkbox Once the user has opted out the information may not be shared or resold
RMF - Select
An initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed
Exploit
An instance of compromise Occurs when a vulnerability is taken advantage of by an attacker
Statement of Auditing Standards 70 (SAS)
An internal controls audit carried out by a third-party auditing organization Superseded in 2011 by SSAE 16 (SOC 1 reports)
ISO/IEC 22301
An international standard for business continuity management (BCM)
Threat
Any potential danger that is associated with the exploitation of a vulnerability Someone or something will identify a specific vulnerability and use it against the company or individual
ISO/IEC 27000
An international standard on how to develop and maintain an ISMS within an organization Provides an overview and introduction of the entire ISMS standards and a glossary of words Adopted from the British Standard 7799
ISO/IEC 27003
An international standard providing "implementation guidance" for an ISMS. Hint: It takes "3" to "implement" an IT crowd
ISO/IEC 27031
An international standard that describes the concepts and principles of information and communication technology (ICT) readiness
ISO/IEC 27004
An international standard that provides guidance on how "metrics" can be used to measure the success of an ISMS. NIST SP 800-55 is the U.S. counterpart. Hint: four-eyes can read these things
ISO/IEC 27002
An international standard that provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS) to support CIA. Replaced ISO/IEC 17799, which replaced BS 7799
ISO 27799
An international standard that provides directives on protecting personal health information. Hint: Jerry had bad health in 77 and Prince after 1999
ISO/IEC 27001
An international standard that provides for the establishment, implementation, control and improvement of the information security management system (ISMS). Uses the Plan, Do, Check, Act (PDCA) methodology
ISO/IEC 27005
An international standard that provides guidance for a "risk management" framework. Hint: High 5'ing dirty hands is a bacteria risk
ISO/IEC 27006
An international standard that provides guidance for auditing and certifying an ISMS. Hint: Mark of the beast to pass audit
Uses the Plan, Do, Check, Act (PDCA)
An iterative four-step management method used in business for the control and continual improvement of processes and products
Security Policy
An overall general statement produced by senior management that dictates what role security plays within the organization. Reviewed annually and should be kept confidential from outsiders. Strategic and Mandatory. Should also be reviewed in case of a security breach
Threat Exposure
Another name for vulnerability
Event
Any occurrence that takes place during a certain period of time, but which may or may not qualify as a security incident
Single Points of Failure (SPOF)
Any single input to a process that, if missing, would cause the process or several processes to be unable to function
Business Continuity Planning (BCP)
Assessing the risks to organizational processes and creating policies, plans and procedures to minimize the impact those risks might have on the organization if they were to occur. Used to maintain the continuous operation of a business in the event of an emergency situation. If the continuity is broken, then business processes have stopped and the organization is in disaster mode; thus, disaster recovery planning (DRP) takes over. Four steps: 1) Project scope and planning 2) Business impact assessment (BIA) 3) Continuity planning 4) Approval and implementation
Data Owner
Assigned to the person who is responsible for classifying information for placement and protection within the security solution. Typically a high-level manager who is ultimately responsible for data protection
Collusion
At least two people are working together to cause some type of destruction or fraud
Noncompete Agreement (NCA)
Attempts to prevent an employee with special knowledge of secrets from one organization from working in a competing organization in order to prevent that second organization from benefiting from the worker's special knowledge of secrets
AAA
Authentication, authorization, accountability and identification
Arms Export Control Act of 1976
Authorizes the President to designate those items that shall be considered defense articles and defense services and to control their import and export
Employment Candidate Screening
Based on the sensitivity and classification defined by the job description. The sensitivity and classification of a specific position depend on the level of harm that could be caused by accidental or intentional violations of security by a person in the position
Strategic Alignment
Both business drivers and regulatory/legal requirements are being met by a security enterprise architecture
Thrill Attack
Bragging rights and pride of conquering a secure system
COBIT Principle 3
COBIT Principle #? Applying a single integrated framework
COBIT Principle 2
COBIT Principle #? Covering the enterprise end-to-end
COBIT Principle 4
COBIT Principle #? Enabling a holistic approach
COBIT Principle 1
COBIT Principle #? Meeting stakeholder needs
COBIT Principle 5
COBIT Principle #? Separating governance from management
Process Management Development Examples
Capability Maturity Model Integration (CMMI), ITIL, Six Sigma
Identification
Claiming an identity when attempting to access a secure area or system
OECD - Collection Limitation
Collection of personal data should be limited, obtained by lawful and fair means and with the knowledge of the subject
CIA
Confidentiality, Integrity and Availability
Secondary Evidence
Consists of copies of original documents, oral descriptions and computer-generated logs
Hearsay Evidence
Constitutes second-hand evidence. Computer logs of a crime would be considered this unless legally authenticated in some way
Click-through License Agreement
Contract terms are either written on the software box or included in the software documentation. During the installation process, you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them
Compensating
Controls that substitute for the loss of primary controls and mitigate risk down to an acceptable level. A control type that provides an alternate solution to one that is either impossible or too expensive to implement
Electronic Discovery (eDiscovery)
Describes a standard process for conducting eDiscovery with nine steps 1) Information Governance 2) Identification 3) Preservation 4) Collection 5) Processing 6) Review 7) Analysis 8) Production 9) Presentation
Personal Files
Not considered an asset at an organization
Terrorist Attack
Damaging the ability to communicate and respond to a physical attack
Service Organization Control (SOC)
Designed to help service organizations that provide services to other entities build trust and confidence in the service performed and the controls related to the services, through a report by an independent auditing firm. Should your organization trust this cloud service to do due diligence like you would? AICPA reports come in three formats: 1) SOC-1 2) SOC-2 (test results) 3) SOC-3 (public)
OECD - Openness
Developments, practices and policies regarding personal data should be openly communicated. In addition, subjects should be able to easily establish the existence and nature of personal data, its use, and the identity and usual residence of the organization in possession of that data
Grudge Attack
Disclosing embarrassing personal information; launching a virus on an organization's system; sending inappropriate email with a spoofed origination address of the victim organization
Advisory Policy
Discusses behaviors and activities that are acceptable and defines consequences of violations. Explains senior management's desires for security and compliance within an organization
Enterprise Architecture Development Examples
DoDAF, MoDAF, SABSA Model, TOGAF, Zachman Framework
DRM Responsibilities for ISPs
Does not hold the ISP liable for "transitory activities" if these conditions are met: 1) The transmission must be initiated by a person other than the provider 2) The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider 3) The service provider must not determine the recipients of the material 4) Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients, and must not be retained for longer than reasonably necessary 5) The material must be transmitted with no modification to its content. Caches and logs are also exempt, but they must be removed quickly upon notification
BCP Documentation (Justification)
Ensures that BCP personnel have a written continuity document to reference in the event of an emergency, even if senior BCP team members are not present to guide the effort. Provides a historical record of the BCP process that will be useful to future personnel seeking both to understand the reasoning behind various procedures and to implement necessary changes in the plan. Forces the team members to commit their thoughts to paper
Governance
Ensures the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes and addresses how expected performance will be evaluated
Testimonial Evidence
Evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition. Witnesses must take an oath agreeing to tell the truth, and they must have personal knowledge on which their testimony is based. Cannot be based on hearsay
Comprehensive Crime Control Act of 1984 (CCCA)
Exclusively covers computer crimes that cross state boundaries, to avoid infringing on states' rights and treading on thin constitutional ice. Covered offenses: 1) Access classified information or financial information in a federal system without authorization or in excess of authorized privileges 2) Access a computer used exclusively by the federal government without authorization 3) Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself) 4) Cause malicious damage to a federal computer system in excess of $1,000 5) Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual 6) Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system
Wassenaar Arrangement
Export controls for "Conventional Arms and Dual-Use Goods and Technologies", which include cryptography and computers. Established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Post-Cold War agreement with 41 countries
Economic and Protection of Proprietary Information Act of 1996
Extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage. This changed the legal definition of theft so that it was no longer restricted by physical constraints
Preventive Access Control
Fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access-control methods, encryption, auditing, presence of security cameras or CCTV, smartcards, callback procedures, security policies, security-awareness training, antivirus software, firewalls, and intrusion prevention systems (IPSs)
Pareto Principle (80:20 rule)
Fix the biggest risks first since 80% of the consequences stem from 20% of the causes
PII Examples
Full name (if not common), national ID number, IP address (in some cases), vehicle registration plate number, driver's license number, biometrics, credit card numbers, digital identity, birthday. Less enforced: first or last name, address, age, gender, race, school, workplace, criminal record, grades, salary, job title
Blueprints
Functional definitions for the integration of technology into business processes
Relevant Evidence
Has any tendency to make a fact more or less probable than it would be without the evidence
Criticality
How important something is to the organization's mission. The higher the level, the more likely the need to maintain the confidentiality of the information. High levels are essential to the operation or function of an organization
Recovery Time Objective (RTO)
How quickly you need to have that application's information available after downtime has occurred. The time period after a disaster that a system can remain offline before the business fails. This is the organization's definition of the acceptable amount of time an IT system can be offline. THIS value should always be less than the MTD
Risk Governance vs. Risk Management
In regards to "risk", __________ is what needs to be accomplished and __________ say how it will be done
Alternative System
In the event that it's not feasible to harden a facility against a risk, your BCP should identify alternate sites where business activities can resume immediately (or at least in a period of time that's shorter than the maximum tolerable downtime for all affected critical business functions)
Documentary Evidence
Includes any written items brought into court to prove a fact at hand, and must also be authenticated. Should follow the best evidence and parol evidence rules
RMF - Authorize
Information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable
Intellectual Property
Intangible property that is created as the result of a creative act
Isolation
Keeping something separate from others
Behavior Modification
Learning on behalf of the user usually through training and awareness
Advanced Persistent Threat (APT)
Long-term attack consisting of multiple vectors, usually carried out by organized crime or governments
FIPS 199 Security Classifications
Low, Medium, High
Identity Theft and Assumption Deterrence Act
Makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law
Hardening Provisions
Mechanisms and procedures that can be put in place to protect your "existing facilities" against the risks defined in the strategy development phase. This might include steps as simple as patching a leaky roof or as complex as installing reinforced hurricane shutters and fireproof walls
Corrective Access Control
Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident. Examples: rebooting, quarantining a virus, etc.
RMF - Monitor
Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials
Education
A more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Often associated with users pursuing certification or seeking job promotion
Hacktivist
Motivated by political beliefs and thrill seeking
NIST SP 800-34 Step 2
NIST SP 800-34 Step #? Conduct the business impact analysis (BIA). Identify critical functions and systems and allow the organization to prioritize them based on necessity. Identify vulnerabilities and threats and calculate risks
NIST SP 800-34 Step 4
NIST SP 800-34 Step #? Create contingency strategies. Formulate methods to ensure systems and critical functions can be brought online quickly
NIST SP 800-34 Step 5
NIST SP 800-34 Step #? Develop an information system contingency plan. Write procedures and guidelines for how the organization can still stay functional in a crippled state
NIST SP 800-34 Step 1
NIST SP 800-34 Step #? Develop the continuity planning policy statement. Write a policy that provides the guidance necessary to develop a BCP and that assigns the authority to the necessary roles to carry out these tasks
NIST SP 800-34 Step 7
NIST SP 800-34 Step #? Ensure plan maintenance. Put in place steps to ensure the BCP is a living document that is updated regularly
NIST SP 800-34 Step 6
NIST SP 800-34 Step #? Ensure plan testing, training and exercises. Test the plan to identify deficiencies in the BCP and conduct training to properly prepare individuals for their expected tasks
NIST SP 800-34 Step 3
NIST SP 800-34 Step #? Identify preventive controls. Once threats are recognized, identify and implement controls and countermeasures to reduce the organization's risk level in an economical manner
Risk Management Framework Examples
NIST SP 800-37, ISO 31000:2009, ISACA Risk IT, COSO
OECD - Use Limitation
Only with the consent of the subject or by the authority of law should personal data be disclosed, made available, or used for purposes other than those previously stated
Defense-in-Depth Security Controls
Physical -> Logical/Technical -> Admin -> ASSET
ISC^2 Code of Ethics Canon 1
Protect society, the commonwealth (nation), and the infrastructure
1991 US Federal Sentencing Guidelines
Provided punishment guidelines to help federal judges interpret computer crime laws. 1) Formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation 2) Allowed organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties 3) Three burdens of proof for negligence: a) The person accused of negligence must have a legally recognized obligation b) The person must have failed to comply with recognized standards c) There must be a causal relationship between the act of negligence and subsequent damages
Informative Policy
Provides support, research, or background information relevant to the specific elements of the overall policy
System Development Management
Provides technical support for the hardware and software environment by developing, installing and operating the requested system
Information Systems Risk Management (ISRM) Policy
Provides the foundation and direction for the organization's security risk management process and procedures and should address all issues of information security
Authentication
Proving that you are that identity
OECD - Security Safeguards
Reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification and disclosure
Auditing
Recording a log of events and activities related to the system and subjects
NIST SP 800-53
Security and Privacy Controls for Federal Information Systems and Organizations. Provides a catalog of security controls for all U.S. federal IT systems except those for national security, and a checklist for FISMA auditors. Technical, management and operational controls. Hint: # of rosary beads ... better run through them all to be compliant above
Process Enhancement
Security enablement should also be viewed as an opportunity to make things better with regard to the process that it is trying to protect
Detective Access Control
Security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation, mandatory vacations, audit trails, honeypots or honeynets, IDSs, violation reports, supervision and reviews of users, and incident investigations
Business Enablement
Security should not get in the way of business processes, but should be implemented to better enable them
System Integrity
Seeks to protect a system such as an OS from unauthorized modification
Data Integrity
Seeks to protect information from unauthorized modification
Circumstantial Evidence
Serves to establish the events related to particular points or other evidence
Discretion
Shown by a person when choosing to control disclosure of something. An act of decision where an operator can influence or control disclosure in order to minimize harm or damage
Freeware
Software that is publicly available free of charge and can be used, copied, studied, modified and redistributed without restriction
Shareware/Trialware
Software that vendors use to market their product based on a free, trial version in hopes that once the trial ends the users will buy it
Exposure
Something being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event. Doesn't mean that a realized threat (an event that results in loss) is actually occurring
Trade Secret
Something that is proprietary to a company and important for its survival and profitability. Protected through the use of NDAs and other protective measures
Real Evidence
A tangible or physical object, such as a knife or bloody glove
Asset
Something that provides value (usually in dollars) to an organization, whether tangible or intangible. Anything within an environment that should be protected
Project Scope and Planning
Step 1 of BCP: 1) Structured analysis of the business's organization from a crisis planning point of view 2) The creation of a BCP team with the approval of senior management 3) An assessment of the resources available to participate in business continuity activities 4) An analysis of the legal and regulatory landscape that governs an organization's response to a catastrophic event
Business Organization Analysis
Step 1 of BCP's Project Scope and Planning: 1) Operational departments that are responsible for the core services the business provides to its clients 2) Critical support services, such as the information technology (IT) department, plant maintenance department, and other groups responsible for the upkeep of systems that support the operational departments 3) Senior executives and other key individuals essential for the ongoing viability of the organization. First, it provides the groundwork necessary to help identify potential members of the BCP team. Second, it provides the foundation for the remainder of the BCP process
Identify Priorities
Step 1 of BIA. A great way to divide the workload of this process among the team members is to assign each participant responsibility for drawing up a prioritized list that covers the business functions for which their department is responsible. This helps to define the qualitative metrics first before moving on to quantitative ones
Strategy Development
Step 1 of Continuity Planning. Determines which risks require mitigation and the level of resources that will be committed to each mitigation task. Bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP
Spoofing
Step 1 of STRIDE. An attack that uses a falsified identity to gain access to a target system, with the goal of bypassing authorization
Business Impact Assessment (BIA)
Step 2 of BCP. Identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources. Assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. 1) Identify Priorities 2) Risk Identification 3) Likelihood Assessment 4) Impact Assessment 5) Resource Prioritization
BCP Team Selection
Step 2 of BCP's Project Scope and Planning. Picking the right members of a BCP team: 1) Representatives from each of the organization's departments responsible for the core services performed by the business 2) Representatives from the key support departments identified by the organizational analysis 3) IT representatives with technical expertise in areas covered by the BCP 4) Security representatives with knowledge of the BCP process 5) Legal representatives familiar with corporate legal, regulatory, and contractual responsibilities 6) Representatives from senior management
Provisions and processes
Step 2 of Continuity Planning. The BCP team designs the specific procedures and mechanisms that will mitigate the risks deemed unacceptable during the strategy development stage. Three categories of assets must be protected: 1) People 2) Buildings/Facilities 3) Infrastructure
Tampering
Step 2 of STRIDE. Any action resulting in unauthorized changes to or manipulation of data, whether in transit or in storage. Used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability
Continuity planning
Step 3 of BCP. Focuses on developing and implementing a continuity strategy to minimize the impact realized risks might have on protected assets. 1) Strategy development 2) Provisions and processes 3) Plan approval 4) Plan implementation 5) Training and education
Resource Requirements
Step 3 of BCP's Project Scope and Planning. What resources are needed to support the BCP? 1) BCP Development - The BCP team will require resources to perform the four steps of the BCP process 2) BCP Testing, Training and Maintenance - Hardware and software will be needed here 3) BCP Implementation - The actual stuff that will be needed to fight a disaster, from pencils to labor
Likelihood Assessment
Step 3 of BIA. Identifies the likelihood that each risk will occur. Usually expressed as ARO
Plan Approval
Step 3 of Continuity Planning. Attempt to have the plan endorsed by the top executive in your business: the chief executive officer, chairman, president or similar business leader
Repudiation
Step 3 of STRIDE. The ability for a user or attacker to deny having performed an action or activity. Often attackers engage in THIS in order to maintain plausible deniability so as not to be held accountable for their actions. Can also result in innocent third parties being blamed for security violations
Approval and Implementation
Step 4 of BCP. Critical to get top-level management endorsement of the plan
Impact Assessment
Step 4 of BIA. Analyze the data gathered during risk identification and likelihood assessment and attempt to determine what impact each one of the identified risks would have on the business if it were to occur. Uses SLE and ALE
Plan Implementation
Step 4 of Continuity Planning. The BCP team should get together and develop an implementation schedule that utilizes the resources dedicated to the program to achieve the stated process and provision goals in as prompt a manner as possible, given the scope of the modifications and the organizational climate
Information Disclosure
Step 4 of STRIDE. The revelation or distribution of private, confidential or controlled information to external or unauthorized entities. This could include customer identity information, financial information or proprietary business operation details
Resource Prioritization
Step 5 of BIA. Create a list of all the risks you analyzed during the BIA process and sort them in descending order according to the ALE computed during the impact assessment phase. Provides you with a prioritized list of the risks that you should address. Here both qualitative and quantitative lists will need to be merged
Training and Education
Step 5 of Continuity Planning. All personnel who will be involved in the plan (either directly or indirectly) should receive some sort of training on the overall plan and their individual responsibilities. Everyone in the organization should receive at least a plan overview briefing to provide them with the confidence that business leaders have considered the possible risks posed to continued operation of the business and have put a plan in place to mitigate the impact on the organization should business be disrupted
Procedures
Step-by-step instructions that should be performed to achieve a certain goal. Tactical and Mandatory
OECD - Individual Participation
Subjects should be able to find out whether an organization has their personal information and what that information is, to correct erroneous data and to challenge denied requests to do so
OECD - Purpose Specification
Subjects should be notified of the reason for the collection of their personal information at the time that it is collected, and organizations should only use it for that stated purpose
Guidelines
Suggestions/recommendations. Tactical and Not Mandatory
Confidentiality
Supports the principle of "least privilege" by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis
Cloud Service License Agreement
Takes click-through agreements to the extreme. Most cloud services do not require any form of written agreement and simply flash legal terms on the screen for review. In some cases, they may simply provide a link to legal terms and a check box for users to confirm that they read and agree to the terms
Qualitative Decision Making
Takes non-numerical factors, such as emotions, investor/customer confidence, workforce stability and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low)
Due Care
Taking the precautions that a reasonable and competent person would take. A legal liability concept that defines the minimum level of information protection that a business must achieve. The means by which an entity can ensure that its business practices are practices that any reasonable individual would consider prudent and appropriate. The process of measuring business practices against the judgement of any reasonable individual is also known as the Prudent Man Rule. An entity's liability is its legal responsibility for any "action or lack" of action that puts the entity or any other entity at risk. e.g., someone who ignores a security warning and clicks through a malicious website would not be practicing this but instead "culpable negligence". Hint: Caring for the kid
Business Attack
Targets proprietary information stored on a civilian organization's system
Training
Teaching employees to perform their work tasks and to comply with the security policy. Awareness is the prerequisite to THIS
Direct Evidence
Testimony provided by a witness regarding what they actually experienced through their five senses
Copyright Directive
The EU's version of the Digital Millennium Copyright Act (DMCA)
Chain of Custody
The PRIMARY goal is to ensure that the evidence will be admissible in court: 1) Who obtained the evidence 2) What was the evidence 3) Where and when the evidence was obtained 4) Who secured the evidence 5) Who had control or possession of the evidence
Risk Avoidance
The act of eliminating/terminating the process that creates the risk. Must be legal to do so
Concealment
The act of hiding or preventing disclosure. Often viewed as a means of cover, obfuscation or distraction
Outsourcing
The act of hiring/contracting an outside company to do something for the company. You are still ultimately responsible for the risk. SLAs, Audits (SAS 70), Onsite Inspections (due diligence)
Risk Mitigation
The act of implementing safeguards/controls to reduce risk to an acceptable level
Secrecy
The act of keeping something a secret or preventing the disclosure of information
Residual Risk
The amount of risk left over after a risk response; the risk that management has chosen to accept rather than mitigate. It is too expensive to eliminate all risk in many cases
Defense in Depth
The coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. "Castle Approach", usually done in a "serial" fashion
Internet Architecture Board (IAB)
The coordinating committee for Internet design, engineering and management, responsible for the architectural oversight of the Internet Engineering Task Force (IETF), Internet Standards Process oversight and appeal, and editor of Requests for Comments (RFCs). Access to and use of the Internet is a privilege and should be treated as such by all users of the systems. See RFC 1087
Annual Loss Expectancy (ALE)
The cost of a loss per year SLE * ARO
Control Gap
The difference between total risk and residual risk
Attack
The exploitation of a vulnerability by a threat agent In other words, an attack is any intentional attempt to exploit a vulnerability of an organization's security infrastructure to cause damage, loss, or disclosure of assets
Total Cost of Ownership (TCO)
The financial estimate of the direct and indirect costs of a product or system
California Senate Bill 1386
The first privacy breach notification law (2002); requires any organization that suffers a breach involving the unencrypted personal data of a California resident to notify the affected residents
American Institute of Certified Public Accountants (AICPA)
The group that standardized the Service Organization Control (SOC) audits
Business Continuity Management (BCM)
The holistic, overarching management process that covers all aspects of both BCP and DRP, thus allowing the organization to perform business operations under various conditions
RMF - Categorize
Categorize the information system and the information it processes, stores and transmits based on an impact analysis (FIPS 199 low/moderate/high for confidentiality, integrity and availability)
Business Continuity Coordinator
The leader for the BCP team who will oversee the development, implementation and testing of the business continuity and disaster recovery plans
Risk
The likelihood that a threat will exploit a vulnerability and the corresponding business impact = threat * vulnerability * asset value
Maximum Tolerable Downtime (MTD)
The maximum length of time a business function can be inoperable without causing irreparable harm to the business
Risk Analysis
The method of doing qualitative and quantitative analysis once the risk assessment has gathered its data, so management can prioritize and allocate resources to protect assets accordingly. The process by which the goals of risk management are achieved. Here we analyze the data
Annualized Rate of Occurrence (ARO)
The number of times a business expects to experience a given disaster each year. If an earthquake is predicted to occur once every 30 years then the ARO is 1/30 (about 0.033)
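A worked quantitative risk calculation tying the formulas on these cards together (ALE = SLE * ARO, ARO = 1/interval, asset value, and the residual risk that is accepted when a control costs more than it saves). This is an added example, not part of the original flashcards. The asset values, the exposure factor (EF, the fraction of the asset lost per event, which these cards do not list), the safeguard names and costs, and every function name here are constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit.

Added worked example; all figures and names are constructed, not from any
real assessment. Formulas used:
    SLE = AV * EF
    ALE = SLE * ARO
    value of safeguard = ALE(before) - ALE(after) - annual cost of safeguard
"""
from dataclasses import dataclass
from typing import Optional


def aro_from_interval(years_between_events: float) -> float:
    """ARO for an event expected once every N years (e.g. 30-year earthquake -> 1/30)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV: what the asset is worth in currency
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0 .. 1.0 (assumed input)
    aro: float              # ARO: expected events per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # yearly cost of operating the control
    residual: Scenario   # the scenario that remains once the control is in place


def safeguard_value(before: Scenario, sg: Safeguard) -> float:
    """Annual value of a control. Positive means it is cost-justified;
    negative means management should accept the residual risk instead."""
    return before.ale() - sg.residual.ale() - sg.annual_cost


def recommend(before: Scenario, options: list) -> Optional[Safeguard]:
    """Pick the cost-justified safeguard with the highest annual value,
    or None when every option costs more than the risk it removes."""
    best = None
    best_value = 0.0
    for sg in options:
        value = safeguard_value(before, sg)
        if value > best_value:
            best, best_value = sg, value
    return best


# Constructed scenario: a $2M data center, a 30-year earthquake that would
# destroy 40% of it, and two candidate controls.
EARTHQUAKE_ARO = aro_from_interval(30)
DATACENTER = Scenario(asset_value=2_000_000, exposure_factor=0.40, aro=EARTHQUAKE_ARO)
BRACING = Safeguard(                       # seismic bracing cuts EF to 10%
    "seismic bracing", annual_cost=10_000,
    residual=Scenario(2_000_000, 0.10, EARTHQUAKE_ARO))
RELOCATION = Safeguard(                    # relocating removes the risk entirely
    "relocate out of fault zone", annual_cost=30_000,
    residual=Scenario(2_000_000, 0.00, EARTHQUAKE_ARO))

if __name__ == "__main__":
    print(f"SLE = {DATACENTER.sle():,.2f}  ALE = {DATACENTER.ale():,.2f}")
    for sg in (BRACING, RELOCATION):
        print(f"{sg.name}: residual ALE {sg.residual.ale():,.2f}, "
              f"annual value {safeguard_value(DATACENTER, sg):,.2f}")
    choice = recommend(DATACENTER, [BRACING, RELOCATION])
    print("recommend:", choice.name if choice else "accept the risk")
```

With these constructed numbers the SLE is 800,000 and the ALE about 26,667 per year; bracing leaves a residual ALE of about 6,667 and is worth about 10,000 a year, while relocation removes the risk but costs more than the ALE it eliminates, so the residual risk after bracing is the risk management would accept.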
Gross Negligence
The opposite of due care; failing to exercise due care can result in legal liability
Enterprise Architecture Frameworks (EAF)
The practice of organizing and documenting a company's IT assets to enhance planning, management and security Zachman, TOGAF, DoDAF, MoDAF, SABSA
Documentation Review
The process of reading the exchanged materials and verifying them against standards and expectations Typically performed before any on-site inspection takes place
Enterprise Security Architecture (ESA) Framework
The processes used to plan, allocate and control information security resources
Patent
The protection (monopoly) of an invention. Valid for 20 years from the initial filing date, after which the invention enters the public domain. The STRONGEST form of intellectual property protection. The invention must be novel, useful and non-obvious
Trademark
The protection of a distinguishing name, logo or symbol that represents a product, brand or business. (TM) is unregistered and (R) is registered with the USPTO (but protected either way). An intent-to-use filing is an advantage for (R). Initial term is 10 years and it can be renewed indefinitely
Sensitivity
The quality of information, which could cause harm or damage if disclosed Maintaining confidentiality helps to prevent harm or damage
Third-party Governance
The system of oversight that may be mandated by law, regulation, industry standards, contractual obligation or licensing requirements Focuses on verifying compliance with stated security objectives, requirements, regulations, and contractual obligations
Alteration
The unauthorized modification of data and is the opposite of integrity
Disclosure
The unauthorized release of data and is the opposite of confidentiality
Standards
These define mandatory, uniform requirements (for hardware, software, technology and controls) that give policy its support and reinforcement in direction; the specific step-by-step instructions for meeting a requirement are procedures. Usually very technical. Tactical and Mandatory
Senior Management Role
These people are ultimately responsible for security within the organization through policy
SOC-2
This AICPA report covers controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy); it is a restricted-use report and a Type II version contains the auditor's testing and results
SOC-1
This AICPA report covers only internal controls over financial reporting Simplest of the three
SOC-3
This AICPA report is the general-use (public) summary of a SOC 2 engagement: it provides a system description and the auditor's opinion but omits the detailed testing and results, so it can be published freely (often as a seal on a website)
Confidence Level
This is the degree you have confidence in when estimating the value of something during risk analysis Expressed as a percentage
Organisation for Economic Co-operation and Development (OECD)
This organization created the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Primarily focused on global organizations moving data across country boundaries securely by following a set of principles
Separation of Duties
This preventative security practice ensures one individual cannot complete a critical task alone - others are required. Creates a system of checks and balances and avoids conflicts of interest; e.g., the two-person rule for nuclear launch codes and keys
Postmortem Review
This should be conducted within a week of a security incident by CIRTs
Cybersquatting
Registering a domain name that matches or closely resembles a trademark or name someone else has a legitimate claim to, typically to resell it to them at a profit
Asset Value (AV)
What something is worth in currency
Loss Potential
What the company would lose if a threat agent actually exploited a vulnerability Immediate damage
Parol Evidence
When an agreement between parties is put into written form, the written document is assumed to contain ALL of the terms of the agreement and no verbal agreements may modify the written agreement
Enticement
When law enforcement makes the conditions for commission of a crime favorable where someone had the intent to break the law in the first place
Entrapment
When law enforcement persuades someone to commit a crime when they had no intention to commit it in the first place
Psychological Acceptability
The design principle that a security control must be simple and unobtrusive enough that users will actually use it; if they find it too complicated or intrusive they will bypass or ignore it
CMMI Level 3
Which CMMI level #? Defined Processes characterized for the organization and is proactive
CMMI Level 1
Which CMMI level #? Initial Process unpredictable, poorly controlled and reactive
CMMI Level 2
Which CMMI level #? Managed Processes characterized for projects and is often reactive
CMMI Level 5
Which CMMI level #? Optimizing Focus on process improvement
CMMI Level 4
Which CMMI level #? Quantitatively Managed Processes measured and controlled
SWOT - Strengths
Which SWOT category? Characteristics of the project team that give it an advantage over others
SWOT - Weaknesses
Which SWOT category? Characteristics that place the team at a disadvantage relative to others
SWOT - Threats
Which SWOT category? Elements that could contribute to the project's failure
SWOT - Opportunities
Which SWOT category? Elements that could contribute to the project's success
Shrink-wrap License Agreement
Written on the outside of the software packaging Commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package
Confidential vs. Private Data
__________ and __________ data in a commercial business/private sector classification scheme both require roughly the same level of security protection The real difference between the two labels is that __________ data is company data whereas __________ data is data related to individuals, such as medical data
Interview vs. Interrogation
__________ involves open questions to gather information while __________ involves closed-ended questions with a specific and adversarial goal in mind -- when in doubt contact legal