CISSP Domain 1 - Security and Risk Management


Calculating Safeguard Cost Benefit

Value of safeguard to the company = (ALE before safeguard - ALE after implementing the safeguard) - annual cost of safeguard (ACS). If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, that value is the savings your organization will reap.

Implementation of Controls

From outside in: Physical > Logical Controls > Admin Controls > Assets. Security controls, countermeasures and safeguards can be implemented administratively, logically/technically, or physically. They should be implemented in a defense-in-depth manner.

Steps in Business Impact Analysis

1. Identify Business Priorities - assigning an Asset Value, developing the Maximum Tolerable Downtime (MTD), and the Recovery Time Objective (the amount of time in which you think you can feasibly recover functions)
2. Risk Identification - risks can be man-made or natural
3. Likelihood Assessment - the likelihood that each risk will occur, expressed in terms of annualized rate of occurrence (ARO)
4. Impact Assessment - analyze the data gathered during risk identification and likelihood assessment and determine what impact each of the risks would have. Exposure factor (EF), single loss expectancy (SLE) and annual loss expectancy (ALE) are used in this step.
5. Resource Prioritization - create a list of all the risks analyzed during the BIA process and sort them in descending order according to the ALE computed during the impact assessment phase. This provides a prioritized list of the risks that should be addressed first.

Seven Phases of Data Classification

1. Identify the custodian and define their responsibilities
2. Specify the evaluation criteria for how the information will be classified and labeled
3. Classify and label each resource (the owner conducts this step)
4. Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria
5. Select the security controls that will be applied to each classification level to provide the necessary level of protection
6. Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity
7. Create an enterprise-wide awareness program to instruct all personnel about the classification system

Steps for Termination

1. Inform the person that they are relieved of their job, with a witness in attendance
2. Request the return of all access badges, keys and company equipment
3. Disable the person's electronic access to all aspects of the organization
4. Remind the person about their NDA obligations
5. Escort the person off the premises

Risk

Risk = Threat x Vulnerability

Scenario

A written description of a single major threat. The description focuses on how a threat would be instigated and what effects its occurrence could have on the organization, IT infrastructure and specific assets. For each scenario, one or more safeguards are described that would completely or partially protect against the major threat discussed in the scenario. The analysis participants then assign to the scenario a threat level, loss potential and advantages of each safeguard. These can be rated high/medium/low or on a 1-10 scale.

Countermeasures for Integrity

Access controls, rigorous authentication procedures, IDS, data encryption, hash total verifications, personnel training. Without confidentiality, integrity cannot be maintained.

Threat Event

Accidental or intentional exploitations of vulnerabilities

Concealment

Act of hiding or preventing disclosure. Often is viewed as a means of cover, obfuscation or distraction.

Prudent Man Rule

Acting responsibly and cautiously as a prudent man would. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters.

Buildings and Facilities

Addressed during continuity planning. The continuity plan should address two areas for each critical facility:
- Hardening Provisions - the BCP should outline mechanisms and procedures that can be put in place to protect existing facilities against the risks defined in the strategy development phase
- Alternate Sites - in the event that it's not feasible to harden a facility against a risk, the BCP should identify alternate sites where business activities can resume

Infrastructure

Addressed during continuity planning. Two main methods of providing protection:
- Physically hardening systems - protecting systems against the risks by introducing protective measures such as computer-safe fire suppression systems and UPS
- Alternative systems - business systems can also be protected by introducing redundancy

BCP Team Selection

After the organizational analysis is conducted, the BCP team is selected. It should include:
- Representatives from each of the org's departments responsible for the core services performed by the business
- Reps from the key support departments identified by the organizational analysis
- IT reps with technical expertise in areas covered by the BCP
- Security reps with knowledge of the BCP
- A legal representative familiar with corporate legal, regulatory and contractual responsibilities
- Reps from senior management

Security Management

Aligns the security functions to the strategy, goals, mission and objectives of the organization. Responsibility of upper management and is considered a business operations issue rather than an IT administration issue. Without senior management's approval of and commitment to the security policy, the policy will not succeed.

ISC2 Code of Ethics

All information security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the "Code"). (ISC)² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. (ISC)² members are obligated to follow the ethics complaint procedure upon observing any action by an (ISC)² member that breaches the Code. Failure to do so may be considered a breach of the Code pursuant to Canon IV. There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional. The four canons:
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

Communications Assistance for Law Enforcement Act (CALEA) of 1994

Amended the Electronic Communications Privacy Act of 1986. Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order.

Computer Abuse Amendments Act of 1994

Amendment to the CFAA. It outlawed the creation of any type of malicious code that might cause damage to a computer system. Modified the CFAA to cover any computer used in interstate commerce rather than just federal interest computer systems. Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage. Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages.

Government Information Security Reform Act of 2000

Amendment to the Paperwork Reduction Act. Implements additional information security policies and procedures. Five basic purposes:
1. To provide a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations and assets.
2. To recognize the highly networked nature of the federal computing environment, including the need for federal government interoperability, and in the implementation of improved security management measures, to assure that opportunities for interoperability are not adversely affected.
3. To provide effective government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security and law enforcement communities.
4. To provide for development and maintenance of minimum controls required to protect federal information and information systems.
5. To provide a mechanism for improved oversight of federal agency information security programs.
Charges NIST with responsibilities for unclassified information processing and NSA for classified information processing. Also outlines a new category of computer system, the mission critical system. A system is mission critical if:
- It is defined as a national security system by other provisions of law.
- It is protected by procedures established for classified information.
- The loss, misuse, disclosure or unauthorized access to or modification of any information it processes would have a debilitating impact on the mission of an agency.

Return on Investment (ROI)

Amount of money saved by implementation of a safeguard. Sometimes referred to as the value of the safeguard/control.

Declaring a disaster

Anyone can declare an emergency; only Senior Management or the BCP Coordinator can declare a disaster (a disaster is when the entire facility is unusable for a day or longer).

HIPAA (Health Insurance Portability and Accountability Act)

Applies to:
- Health insurers
- Health providers
- Healthcare clearing houses

Financial Damages

Are broken into three categories, which cover subjective compensation and values set to deter offenses and create consequences for a violator. The three forms are statutory, compensatory and punitive.

Protection Mechanisms

Are common characteristics of security controls. Not all security controls must have them, but many controls offer their protection for confidentiality, integrity and availability through the use of these mechanisms. These mechanisms include using multiple layers or levels of access, employing abstraction, hiding data and using encryption.

Security Standards, Baselines and Guidelines

Are developed after the main security policies are set.
- Standards - define what the policy says: specific requirements for the homogeneous use of hardware, software, technology, and security controls. Tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies.
- Baselines - define the minimum level of security that every system in the org must meet. All systems not in compliance should be taken out of production until they meet the baseline.
- Guidelines - non-mandatory. Offer recommendations on how standards and baselines are implemented and serve as an operational guide for both security professionals and users. Flexible so they can be customized for each unique system or condition, and can be used in the creation of new procedures.

Training and Education on BCP

Are essential elements of the BCP implementation. All personnel who will be involved in the plan should receive some sort of training on the overall plan and their individual responsibilities to ensure that they are able to complete them efficiently when disaster strikes.

Data Owner

Assigned to the person who is responsible for classifying information for placement and protection within the security solution.

BCP vs. DRP

BCP comes first and if the BCP efforts fail, DRP steps in to fill the gap. DRP is more IT focused and goal is to minimize the effects of a disaster. BCP focuses on sustaining operations, long term focused.

DREAD

Based on the answers to 5 main questions about each threat:
1. Damage potential - How severe is the damage likely to be if the threat is realized?
2. Reproducibility - How complicated is it for attackers to reproduce the exploit?
3. Exploitability - How hard is it to perform the attack?
4. Affected users - How many users are likely to be affected (percentage)?
5. Discoverability - How hard is it for an attacker to discover the weakness?
By asking these and potentially additional questions, along with assigning high/med/low or 3/2/1 values, you can establish a detailed threat prioritization.

Authenticity Requirements

- Basic: user-supplied password
- Digest: challenge/response
- Certificate based: X.509 v4 certificates
- Token based
- Smart cards
- Biometrics
- Multifactor authentication

Exposure

Being susceptible to asset loss because of a threat

Electronic Communications Privacy Act of 1986

Broadened the federal wiretap act to apply to any illegal interception of electronic communications. It prohibits the interception or disclosure of electronic communication and defines those situations in which disclosure is legal. Protects the monitoring of email and voicemail communications.

Legal and Regulatory requirements

Business leaders must exercise due diligence to ensure that shareholders' interests are protected in the event disaster strikes. Some industries are also subject to federal, state and local regulations that mandate specific BCP procedures. Businesses also have contractual obligations to their clients that must be met before, during and after a disaster.

Computer Fraud and Abuse Act (CFAA)

The CCCA was passed in 1984 and then amended into the CFAA in 1986. Covers computer crimes that cross state boundaries, to avoid infringing on states' rights. It was the first to implement penalties for the creators of viruses, worms and other types of malicious code. Covered systems include:
- Any computer used exclusively by the US government
- Any computer used exclusively by a financial institution
- Any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use that system
- Any combination of computers used to commit an offense when they are not all located in the same state

Senior Management

CEO, CSO, CIO, etc. Responsible and liable for security within the org, development and support of policies, prioritization of business processes, allocation of resources, decisions based on risk, and setting the business continuity policy.

Types of BCP Testing

- Checklist test - copies of the plan distributed to different departments. Functional managers review. Paper based.
- Structured walk-through (tabletop) - representatives from each department go over the plan and talk through it. Paper based.
- Simulation test - going through a disaster scenario. Continues up to the point of actual relocation to an offsite facility.
- Parallel test - systems moved to the alternate site and processing takes place there.
- Full interruption test - original site shut down. All processing moved to the offsite facility.

BCP Steering Committee

- Conduct the BIA
- Coordinate with department reps
- Develop the analysis group

Business Classification Levels

- Confidential - highest level of classification. Extremely sensitive company data.
- Proprietary - used for trade secrets.
- Private - data that is personal, internal use only.
- Sensitive - data that is more classified than public data.
- Public - lowest level of classification. Disclosure does not have a negative impact.

AAA - Authentication, Authorization and Accountability

Contains five elements:
1. Identification
2. Authentication
3. Authorization
4. Auditing
5. Accountability

Criminal Law

Contains prohibitions against acts such as murder, assault, robbery and arson. Burden of proof is beyond a reasonable doubt.

Software licensing agreements and Uniform Computer Information Transactions Act

Contractual license agreements are written agreements between a software vendor and user. Shrink-wrap agreements are written on software packaging and take effect when a user opens the package. Click-wrap agreements are included in a package but require the user to accept the terms during the software installation process. The Uniform Computer Information Transactions Act provides a framework for enforcement of these licenses.

Copyright and the Digital Millennium Copyright Act (DMCA)

Copyright law guarantees the creators of original works of authorship protection against the unauthorized duplication of their work. This includes literary, musical, dramatic, pantomime and choreographic, pictorial, graphical and sculptural, motion picture and other audiovisual works, sound recordings, and architectural works. Computer software is protected under literary works; it only protects the source code. The Digital Millennium Copyright Act prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of ISPs for the activities of their users. The DMCA states that providers are not responsible for the transitory activities of their users; transmission of information over a network would qualify for this exemption.

SOC 2 and 3

Cover the security, privacy and availability of controls.

Risk Rejection/Ignore

Denying that a risk exists and hoping that it will never be realized. Not an acceptable response.

Directive Controls

Deployed to direct, confine or control the actions of subjects to force or encourage compliance with security policies. Includes security policy requirements or criteria, supervision and procedures.

Detective Controls

Deployed to discover or detect unwanted or unauthorized activity. Operate after the fact and can discover the activity only after it has occurred. Examples include audit trails, job rotation, honeypots, etc.

Compensating Controls

Deployed to provide various options to other existing controls to aid in enforcement and support of security policies. Can be any controls used in addition to, or in place of, another control.

Civil Law / Tort Law

Designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle disputes between individuals and organizations. Could include contract disputes, real estate transactions, employment matters and estate/probate procedures. Burden of proof is a majority (preponderance) of the evidence, a lower standard than beyond a reasonable doubt.

RAID Level 5

Disk striping with parity, requires a minimum of three physical hard disks to operate.

Security Policy (Organizational Security policy)

Document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. An overview or generalization of an organization's security needs. Defines the main security objectives and outlines the security framework of an organization. Should clearly define why security is important and what assets are valuable. It is a strategic plan for implementing security: high level and broad, not a detailed policy.

Risk Avoidance

Ending the process or activity that gives rise to the risk.

Governance

Ensures that stakeholder needs, conditions and options are evaluated to determine:
- Balanced, agreed-upon enterprise objectives to be achieved
- Setting direction through prioritization and decision making
- Monitoring performance and compliance against agreed-upon direction and objectives
Defines risk appetite.

Senior Management approval and buy-in

Essential to the success of the overall BCP effort.

Risk Assessment Portion of BCP

Essentially recaps the decision-making process undertaken during the BIA. It should include a discussion of all the risks considered during the BIA as well as the quantitative and qualitative analyses performed to assess these risks. For quantitative analysis, the actual AV, EF, ARO, SLE and ALE figures should be included. For qualitative analysis, the thought process behind the risk analysis should be provided.

Security Awareness

Establishes a common baseline or foundation of security understanding across the entire org and focuses on key or basic topics and issues related to security that all employees must understand. Issues to be covered include avoiding waste, fraud, and unauthorized activities. The awareness program should be tied to the security policy.

Economic and Protection of Proprietary Information Act of 1996

Extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage.

Recovery Controls

An extension of corrective controls, but with more complex abilities. Examples include backups and restores, system imaging, server clustering, VM shadowing, etc.

How much security is enough?

Finding the proper balance between cost and benefits. Cost/benefit analysis and risk analysis drive this.

California's SB1386

First statewide requirement to notify individuals of a breach of their personal information. All but 3 states followed suit. Federal law only requires the notification of individuals when a HIPAA covered entity breaches their PHI.

Types of Threat Modeling

- Focused on assets
- Focused on software
- Focused on attackers

Continuity Planning

Focuses on developing and implementing a continuity strategy to minimize the impact realized risks might have on protected assets. Subtasks include:
- Strategy development
- Provisions and processes
- Plan approval
- Plan implementation
- Training and education

Computer Security Act of 1987

Four main purposes:
1. To give NIST responsibility for developing standards and guidelines for federal computer systems.
2. To provide for the enactment of such standards and guidelines.
3. To require the establishment of security plans by all operators of federal computer systems that contain sensitive information.
4. To require mandatory periodic training for all people involved in management, use, or operation of federal computer systems that contain sensitive information.

Asset Valuation

The goal is to assign to an asset a specific dollar value that encompasses tangible costs as well as intangible ones. It provides values for insurance, provides the foundation for cost/benefit analysis, establishes net worth, helps senior management understand risk, prevents negligence of due care and encourages compliance with legal requirements and regulations.

Copyright

Guarantees the creators of original works of authorship protection against the unauthorized duplication of their work. Copyright protection lasts for the lifetime of the author plus 70 years, or 75 years for corporations. A work does not need to be registered or published to be protected. Protects the expression of ideas rather than the ideas themselves. Exceptions:
- First sale - can't make copies to sell, but can sell the original that was purchased
- Fair use - can make a copy for personal use, not for sale

Internet Architecture Board (IAB)

Has developed an ethics-related statement concerning the use of the Internet. As part of this statement, the IAB states that Internet use is a privilege, not a right. Unethical behavior includes: purposely seeking to gain unauthorized access, disrupting Internet use, purposely wasting resources, destroying the integrity of computer-based information, and compromising another person's privacy.

Data Classification

Helps to define access levels, types of authorized uses, and parameters for declassification and/or destruction of resources that are no longer valuable. It also helps with data life-cycle management, which in part covers the storage length (retention), usage and destruction of the data.

ISO 27000 Series

- ISO 27001 - direction on how to plan, set up, improve and manage an ISMS. Uses the Plan, Do, Check, Act model. Describes implementation and controls.
- ISO 27002 - absorbed BS 7799-1, BS 7799-2 and ISO 17799. Provides advice on how to implement security controls. Best practices, or "how to".
- ISO 27005 - a standards-based approach to risk management.

Risk Assessment

Identify Assets, Threats, Vulnerabilities

Risk Mitigation/Reduction

Implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. Lessens the probability and/or impact of a risk to a tolerable level.

SLAs

Important when using any type of third-party service provider. Commonly addressed issues:
- System uptime
- Maximum consecutive downtime
- Peak load
- Average load
- Responsibility for diagnostics
- Failover time

Provisions and processes

In this task, the BCP team designs the specific procedures and mechanisms that will mitigate the risks deemed unacceptable. People, buildings/facilities and infrastructure must be protected.

Integrity Requirements

- Input validation should be used in all forms to ensure that data control language is not entered, and that field size and data types are enforced.
- Published software should provide the user with a message digest so the user can validate the accuracy and completeness of the software.
- Subjects should be prevented from modifying data unless explicitly allowed.

Trade Secrets

Intellectual property that is absolutely critical to a business, where significant damage would result if it were disclosed to competitors or the public. Examples: the Coke and KFC recipes. Must be reasonably protected. The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a US corporation.

Business Continuity Planning (BCP)

Involves assessing the risks to organizational processes and creating policies, plans and procedures to minimize the impact those risks might have on the org if they were to occur. Used to maintain the continuous operation of a business in the event of an emergency situation. The top priority is always ensuring the safety of people. The overall goal is to provide a quick, calm and efficient response in the event of an emergency and to enhance a company's ability to recover from a disruptive event promptly. Has 4 main steps:
1. Project scope and planning
2. Business impact assessment
3. Continuity planning
4. Approval and implementation

BCP Documentation

Is a critical step in the BCP planning process. It ensures that BCP personnel have a written continuity document for reference in the event of an emergency. It provides a historical record of the BCP process. It forces the team to commit their thoughts to paper.

Security Analyst

A strategic role that helps to develop policies, standards, and guidelines and ensures the security elements are implemented properly.

Risk Management

It is the responsibility of upper management to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavor. All risk assessments, results, decisions and outcomes must be understood and approved by upper management. The primary goal is to reduce risk to an acceptable level.

Exigent Circumstance

Used when evidence might be destroyed. This allows officials to seize evidence before its destruction and without a warrant.

Physical Controls

Items you can physically touch. Include physical mechanisms deployed to prevent, monitor or detect direct contact with systems or areas within a facility. Include guards, fences, motion detectors, locks, lights, badges, cameras, mantraps, alarms, etc.

Strategic Plan

Long-term plan; should include a risk assessment.

Qualitative Concerns of BCP

Loss of goodwill, loss of employees to other jobs after prolonged downtime, social/ethical responsibilities, negative publicity. It may be difficult to put a dollar amount on these, but they are important.

Nonrepudiation

Made possible through identification, authentication, authorization, accountability and auditing. Can be established using digital certificates, session identifiers, transaction logs. A suspect cannot be held accountable if they can repudiate the claim against them.

BCP Threat Types

- Man-made - terrorism, hackers
- Natural - fire, flood, etc.
- Technical - power outages, device failures

EU Data Protection Law

Mandates protection of privacy data. A data controller can hire a third party to process data; in this context, the third party is the data processor. Third parties agree to abide by the seven Safe Harbor principles as a method of ensuring that they are complying with the EU Data Protection law. The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. According to the European Union's Data Protection Directive, third-party organizations that process personal data on behalf of a data controller are known as data processors. The organization that they are contracting with acts in the role of the business or mission owner.

Recovery Point Objective - RPO

Maximum amount of data that can be lost.

Recovery Time Objective - RTO

Maximum amount of time that systems can be down.

Tactical Plan

Midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. A tactical plan is typically useful for about a year and prescribes and schedules the tasks necessary to accomplish organizational goals. Examples include project plans, acquisition plans, budget plans and maintenance plans.

Corrective Controls

Modify the environment to return systems to normal after an unwanted or unauthorized activity has occurred. Can be antivirus solutions that quarantine a threat, or rebooting a system.

Qualitative Risk Analysis

More scenario based than calculator based. Threats are ranked on a scale to evaluate their risks, costs and effects. May use the Delphi Technique. Uses words like high, medium and low to describe the likelihood and severity of a threat exposing a vulnerability.

Privacy Act of 1974

Most significant piece of privacy legislation restricting the way the federal government may deal with private information about its citizens.

Three Phases following a Disruption/Disaster

- Notification/Activation - notifying recovery personnel, performing a damage assessment
- Recovery Phase (Failover) - actions taken by recovery teams and personnel to restore IT operations at an alternate site. Performed by the Recovery team.
- Reconstitution (Failback) - outlines actions taken to return the systems to normal operating conditions. Performed by the Salvage team.

Calculating Safeguard Costs

Numerous factors are involved, including:
- Cost of purchase, development
- Cost of implementation and customization
- Cost of annual operation, maintenance
- Cost of annual repairs and upgrades, etc.
If the cost of the countermeasure is greater than the value of the asset, you should accept the risk.

Post Incident Review

Occurs after BCP testing. Its purpose is to identify how to get better and improve.

Business Impact Analysis

Occurs after the 4 steps of BCP planning. It identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. Initiated by the BCP committee.

Determining and Diagramming Potential Attacks

Occurs in threat modeling, after an understanding has been gained of the threats facing the infrastructure or projects. First, a data flow diagram is created and all technologies involved are identified (OS, protocols, apps). Then, attacks are identified that could be targeted at each element of the data flow diagram.

Performing Reduction Analysis

Occurs in threat modeling, after determining potential attacks. Also known as decomposing the application, system or environment. The purpose is to gain a greater understanding of the logic of the product as well as its interactions with external elements. The system/app/environment needs to be divided into smaller containers or compartments. This makes it much easier to identify the essential components of each element as well as to take notice of vulnerabilities and points of attack.

Prioritization and Response

Occurs in threat modeling, after reduction analysis. The next step is to fully document the threats. After documentation, threats are ranked or rated.

STRIDE

Occurs in threat modeling; often used in relation to assessing threats against applications or operating systems.
- Spoofing - an attack with the goal of gaining access to a target system through the use of a falsified identity
- Tampering - any action resulting in unauthorized changes to or manipulation of data
- Repudiation - the ability of a user or attacker to deny having performed an action or activity
- Information Disclosure - the revelation or distribution of private, confidential or controlled information to external or unauthorized entities
- Denial of Service (DoS)
- Elevation of Privilege - an attack where a limited user account is transformed into an account with greater privileges

Authorization

Once a subject is authenticated, this must occur. Ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. In most cases, the system evaluates an access control matrix that compares the subject, the object and the intended activity. If the specific action is allowed, the subject is authorized. If the action is not allowed, the subject is not authorized. Subject only has least privilege access.

Responses to threats

Once threat priorities are set, this needs to be determined. Technologies and processes to remediate threats should be considered and weighted according to their cost and effectiveness.

SOC-1

Only covers the internal controls of financial reporting

Employment Agreement

Outlines the rules and restrictions of the organization, security policy, acceptable use and activities policies, details of the job description, violations and consequences and the length of time the position is to be filled by the employee. Should be signed by new employees when hired.

Federal Information Security Management Act (FISMA)

Passed in 2002. Requires that federal agencies implement an information security program that covers the agency's operations. Also requires that government agencies include the activities of contractors in their security management programs. NIST is responsible for developing the FISMA implementation guidelines. Federal agencies and government contractors must develop and maintain substantial documentation of their FISMA compliance activities.

Risk Analysis

Performed to provide upper management with the details necessary to decide which risks should be mitigated, transferred or accepted. It identifies risk, quantifies the impact of threats and aids in budgeting for security.

Management

Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. Defines risk tolerance inside risk appetite.

Administrative Law

Policies, procedures and regulations that govern the daily operations of an agency. Covers topics ranging from the procedures to be used within a federal agency to obtain a telephone to the immigration policies that will be used to enforce laws passed by Congress. Administrative Law is published in the Code of Federal Regulations (CFR). Burden of proof is "more likely than not". Ex. HIPAA, Basel II, SOX

Relationship of security policy components

Policies>Standards>Guidelines>Procedures

Annual Loss Expectancy (ALE)

Possible yearly cost of all instances of a specific realized threat against a specific asset. ALE = SLE * ARO

Due Diligence

Practicing the activities that maintain the due care effort. Continuously monitoring an organization's practices to ensure they are meeting or exceeding the security requirements. Ex. Due Care is developing a formalized security structure containing a policy, standards, baselines and guidelines. Due diligence is the continued application of this security structure onto the IT infrastructure.

COBIT - Control Objectives for Information and Related Technology

Prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. Documented set of best IT security practices crafted by ISACA. Based on 5 key principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

Data Hiding

Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. Forms of this include keeping a database from being accessed by unauthorized visitors and restricting a subject at a lower classification level from accessing data at a higher classification level. Preventing an application from accessing hardware directly is also a form of data hiding. Is often a key element in security controls as well as in programming.

Authentication

Process of verifying or testing that the claimed identity is valid. The most common form of authentication is using a password. Authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities. The authentication factor used to verify the identity is private information. Identification and Authorization are always used together as a single two-step process.

Exit Interviews

Process usually involves reviewing any nondisclosure agreements as well as any other binding contracts or agreements that will continue after employment has ceased.

Probability x Damage Potential

Produces a risk severity number on a scale of 1 to 100 with 100 being the most severe risk possible. Each of the 2 initial values (probability or damage) can be assigned numbers between 1 and 10 with 1 lowest. These rankings can be arbitrary and subjective.

Auditing

Programmatic means by which a subject's actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system. Recording the activities of a subject and its objects as well as recording the activities of core system functions. Log files provide an audit trail for re-creating the history of an event, intrusion or system failure.

Patents

Protect the intellectual property rights of inventors. Provides 20 years where the inventor is granted exclusive rights to use the invention. Invention must be novel and non-obvious.

Intellectual Property Law

Protecting products of the mind. A company must take steps to protect resources covered by these laws or these laws may not protect them. The main international organization, run by the UN, is the World Intellectual Property Organization (WIPO). Licensing is the most prevalent violation, followed by plagiarism, piracy and corporate espionage.

USA PATRIOT Act of 2001

Provisions of the PATRIOT Act allow authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under a single warrant. Also, ISPs may provide the government with a large range of information.

Risk Transfer/Assignment

Purchasing insurance and outsourcing are common forms of this. Shares the risk with another party.

Cybersquatting

Registering, trafficking in, or using an internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else

Overall Categories of Security Policies

Regulatory - required whenever industry or legal standards are applicable
Advisory - discusses behaviors and activities that are acceptable and defines consequences (most policies)
Informative - designed to provide information or knowledge about a specific subject

Federal Sentencing Guidelines

Released in 1991. Provided punishment guidelines to help federal judges interpret computer crime laws. Included:
The guidelines formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation.
Allowed organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties.
Outlined 3 burdens of proof for negligence. First, the person accused of negligence must have a legally recognized obligation. Second, the person must have failed to comply with recognized standards. Third, there must be a causal relationship between the act of negligence and the subsequent damages.

Typosquatting

Relies on mistakes such as typo errors made by internet users when inputting a website address into a web browser. ex. typing

Exposure Factor (EF)

Represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. Can also be called the loss potential.

Secondary Risk

Risk event that comes as a result of another risk response

Managing Risks

Risk must be reduced and managed. Risk can never be totally eliminated!!

Residual Risk

Risk that remains after countermeasures are implemented total risk - controls gap = residual risk

Threat Modeling

Security process where potential threats are identified, categorized and analyzed. Can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. In either case, the process identifies the potential harm, the probability of occurrence, the priority of concern and the means to eradicate or reduce the threat.
Proactive/defensive approach - takes place during the early stages of system development, specifically during initial design and spec establishment. Based on predicting threats and designing in specific defenses.
Reactive/adversarial approach - takes place after a product has been created and deployed. Core concept behind ethical hacking, penetration testing and source code review.

Operational Plan

Short term, highly detailed plan based on the strategic and tactical plans. Only valid or useful for a short time. Must be updated often (quarterly or monthly) to retain compliance with tactical plans. Include details on how the implementation processes are in compliance with the organization's security policy. Ex. are training plans, system deployment plans.

Emergency Response Guidelines

Should include:
Immediate response procedures (security and safety, fire suppression, notification of emergency response)
A list of individuals who should be notified of the incident (executives, BCP team)
Secondary response procedures that first responders should take

Delphi Technique

Simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Primary purpose is to elicit honest and uninfluenced responses from all participants.

Availability Requirements

Software shall meet availability requirements of x% uptime as specified in the SLA
Software should support x number of users simultaneously
Software must support replication and provide load balancing
Mission critical functionality of the software should be restored to normal operation within x minutes

Fuzz Testing

Specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specifically crafted to trigger known software vulns.

NIST RMF - Risk Management Framework

Steps include:
1. Categorize - the information system and the information processed, stored and transmitted by that system, based on an impact analysis
2. Select - an initial set of baseline security controls for the information system based on the security categorization
3. Implement - the security controls and describe how the controls are employed within the information system and its environment
4. Assess - the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome
5. Authorize - information system operation based on a determination of the risk to organizational operations and assets, individuals and other organizations resulting from the operation of the information system
6. Monitor - the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment and conducting security impact analysis

Technical/Logical Controls

Technical or logical access involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems. As the name implies, it uses technology. Methods include authentication methods, encryption, ACLs, protocols, firewalls, routers and IDS.

Testing of BCP

Testing is similar to that of the DRP. Should happen once per year, or after any major change.

Maintenance

The BCP documentation and the plan itself must be living documents. BCP team should not be disbanded after the plan is developed but should still meet periodically to discuss the plan and review results of plan tests. Any time a change is made, good version control must be practiced. BCP components should also be included in job descriptions.

Vital Records Program

The BCP should also outline this for the org. This document states where critical business records will be stored and the procedures for making and storing backup copies of those records. One of the biggest challenges is identifying the vital records in the first place.

Strategy development

The BCP team must take the prioritized list of concerns and determine which risks will be addressed by the BCP. BCP team should look to the MTD to determine which risks must be mitigated.

Single Loss Expectancy (SLE)

The EF is needed to calculate this. It is the cost associated with a single realized risk against a specific asset. It indicates the exact amount of loss an org would experience if an asset were harmed by a specific threat occurring. SLE = asset value (AV) * exposure factor (EF). SLE is expressed as a dollar value.

Bottom Up Approach

The IT department tries to implement security. Is not the proper method, should be using a top down approach!

Total Risk (Inherent Risk)

The amount of risk an organization would face if no safeguards were implemented. threats * vulns * asset value = total risk

Fourth Amendment

The basis for privacy rights. Sets the probable cause standard that law enforcement officers must follow when conducting searches or seizures. Also states officers must gain a warrant for search and seizure.

ARO after applied countermeasures

The best of all possible safeguards would reduce the ARO to zero. Many safeguards have an applied ARO that is smaller than the nonsafeguarded ARO.

Security Governance

The collection of practices related to supporting, defining, and directing the security efforts of an organization. Should be aligned with business goals and processes. COBIT and COSO focus on goals for security. ITIL - IT service management. OCTAVE - self-directed risk assessment. ISO 27000 series.

Annualized Rate of Occurrence (ARO)

The expected frequency with which a specific threat or risk will occur within a single year. Can range from a value of 0.0, indicating that the threat or risk will never be realized, to a very large number, indicating that the threat or risk occurs often. It can be derived from historical records, statistical analysis or guesswork. Also known as probability determination. For some threats or risks, it is calculated by multiplying the likelihood of a single occurrence by the number of users who could initiate the threat.

Security Procedures

The final element of the formalized security policy structure. A procedure is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control or solution. Ensure the integrity of a business process.

Business Organizational Analysis

One of the first responsibilities of the individuals responsible for business continuity planning is to perform an analysis of the business organization to identify all departments and individuals who have a stake in the BCP process. This step provides the groundwork to help identify potential members of the BCP team. Second, it provides the foundation for the remainder of the BCP process. Also, the first step of the BCP team is to review and validate the business organization analysis.

Attorney Assistance

The most important lesson to be learned is knowing when it's necessary to call in an attorney.

Collusion

The occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft or espionage

Fiduciary responsibility

The officers and directors of publicly traded firms have a fiduciary responsibility to exercise due diligence in the execution of their business continuity duties.

Administrative Controls

The policies and procedures defined by an org's security policy and other regulations or requirements. Sometimes referred to as management controls. Focus on personnel and business practices. Includes: admin access policies, procedures, hiring practices, background checks, data classifications, security awareness, work supervision, etc.

Identification

The process by which a subject professes an identity and accountability is initiated. Can involve typing in a username, swiping a smart card, speaking a phrase or positioning a face, hand or finger for scanning. Without an identity, a system has no way to correlate an authentication factor with the subject.

Safe Harbor Principles

The seven principles are notice, choice, onward transfer, security, data integrity, access and enforcement.

Layering AKA Defense in Depth

The use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Using layers in a series rather than in parallel is important. Only through a series configuration will each attack be scanned, evaluated or mitigated by every security control.

Risk Acceptance

The valuation by management of the cost/benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. Also means that management has agreed to accept the consequences and the loss if the risk is realized. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future.

Primary purpose of exit interview

To review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement and any other security related documentation

Levels of Government/Military Classification

Top Secret - highest level (classified)
Secret - data of a restricted nature (classified)
Confidential - private, sensitive data (classified)
Sensitive But Unclassified
Unclassified - lowest level
Mnemonic - US Can Stop Terrorism (read backwards: TSCSU)

Awareness, Training and Education

Ultimately trying to modify user behavior.
Awareness - before training can take place, this must occur
Training - trains employees to perform their work tasks and to comply with the security policy
Education - a more detailed endeavor where students/users learn much more than they actually need to know to perform their work tasks

Top Down Approach

Upper, or senior, management is responsible for initiating and defining policies for the organization. Security policies provide direction for all levels of the organization's hierarchy. It is the responsibility of middle management to flesh out the security policy into standards, baselines, guidelines and procedures. The operational managers or security professionals must then implement the configurations prescribed in the security management documentation. Finally, the end users must comply with all the security policies.

Job Descriptions

Used as a guide for selecting candidates and properly evaluating them for a position. The thoroughness of the screening process should reflect the security of the position to be filled. Maintaining security through job descriptions includes the use of separation of duties, job responsibilities and job rotation.

Abstraction

Used for efficiency. Similar elements are put into groups, classes or roles that are assigned security controls, restrictions or permissions as a collective. The concept is used when classifying objects or assigning roles to subjects. The concept also includes the definition of object and subject types or of objects themselves. It is used to define what types of data an object can contain, what types of functions can be performed on or by that object and what capabilities that object has.

Data Custodian

User who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. Performs all activities necessary to provide adequate protection for the CIA triad of data. Activities include performing and testing backups, validating data integrity, deploying security solutions and managing data storage based on classification.

Due Care

Using reasonable care to protect the interests of an organization. Ensuring that "best practices" are implemented and followed. Following up Due Diligence with action. Using due care and due diligence will not cause the business or senior management to be liable for loss.

Quantitative Risk Analysis

Value of potential risks. Results in concrete probability percentages. The end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures and value of safeguards. Places a dollar figure on each asset and threat, although some items are not tangible and cannot be quantified. Major Steps:
1. Inventory assets and assign a value
2. Research each asset and produce a list of all possible threats to each individual asset. For each threat, calculate the exposure factor (EF) and single loss expectancy (SLE)
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year - annualized rate of occurrence (ARO)
4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE)
5. Research countermeasures for each threat and then calculate the changes to ARO and ALE based on applied countermeasures
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.

OMB Circular A-130

Was developed to meet information resource management requirements for the federal government. According to this circular, independent audits should be performed every three years.

Trademarks

Words, slogans, and logos used to identify a company and its products or services. Protect a company's look and feel from being copied by someone else. Corporate brands and operating system logos are examples. The TM symbol is used until registration is granted. Once the application is approved, the ® (R in a circle) symbol can be used. The Trademark Law Treaty Implementation Act protects trademarks internationally.

Accountability

You can maintain security only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject's identity and track their activities. Established by linking a human to the activities of an online identity through the security services and mechanisms of auditing, authorization, authentication and identification. Human accountability is ultimately dependent on the strength of the authentication process. To have viable accountability, you must be able to support your security in a court of law.

Total Cost of Ownership (TCO)

The total cost of implementing a safeguard. In addition to the initial costs, there are often ongoing maintenance fees as well. Ex. when purchasing an AV product, the cost also includes annual fees.
