Cybersecurity Management I - Strategic - C727


Business Continuity plan

1. Develop the continuity planning policy statement
2. Conduct the BIA: identify vulnerabilities, threats, and risks (most important)
3. Identify preventive controls
4. Develop recovery strategies
5. Develop the contingency plan
6. Test the plan, and conduct training and exercises
7. Maintain the plan

Risk Management

A guideline or recipe for how risk is to be assessed, resolved, and monitored

user management policies

Defined policies that detail user management. Includes: Employee Termination, New Employees and Transferred employees.

quantitative risk analysis:

To analyze the prioritized risks in such a way as to give each a numerical rating. Attempts to quantify the prioritization, probability, and effect of security risks. Supports automation.
- Exposure factor (EF): the percentage of loss experienced by an organization when a particular asset is violated by a realized risk.
- Single loss expectancy (SLE): the cost related to a single realized risk against a particular asset. Formula: SLE = asset value (AV) * exposure factor (EF)
- Annualized rate of occurrence (ARO): the expected frequency of occurrence of a particular threat or risk in a single year.
- Annualized loss expectancy (ALE): the yearly cost of all instances of a particular threat against a particular asset. Formula: ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)

Qualitative risk analysis

Subjective report compiled by the risk analysis team that describes the threats, countermeasures, and likelihood that an event will occur. Delphi Technique: a type of qualitative risk analysis in which each member of the risk analysis team gives anonymous opinions.

Memory Cards

- Do not have processing power.
- Can supply user credentials for authentication.
- Can provide two-factor authentication (requires a PIN).
- EASY to counterfeit.

Capability Maturity Model Integration (CMMI) framework

5 LEVELS OF MATURITY:
- Level 1: processes are unpredictable
- Level 2: processes are repeatable
- Level 3: processes are defined
- Level 4: processes are managed
- Level 5: processes are optimized
Can improve an information security management system (ISMS). "The process is optimized, with a focus on continuous improvement" means the highest level of maturity has been reached.

Defense in Depth

A defense that uses multiple types of security devices to protect a network. Also called layered security. This security is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response. Defense in depth also seeks to offset the weaknesses of one security layer by the strengths of two or more layers.

security policy

A security policy defines the broad security objectives of an organization, establishes the authority and responsibilities of individuals, and is strategic in nature.
Implementation process: 1. Develop the policy. 2. Obtain management approval. 3. Implement standards, procedures, and guidelines. 4. Conduct security awareness training.
A security policy does not lay down the performance objectives of an organization. A security policy is not tactical in nature. Tactical security policy goals are short- to mid-term in nature, while strategic policy goals are long term. An entire security policy should always be strategic in nature to ensure long-term issues are addressed. A security policy should be developed before procedures and guidelines are developed; the security policy should be used to properly design the procedures and guidelines. A security policy enlists procedures to enforce the security policy and the ramifications of noncompliance. A security policy governs the background of the security program, the auditing requirements, and the rules for enforcement. The higher management of the organization is responsible for creating the security policy for the organization. Gaining management approval is the first step in the development of a security policy.
The three categories of security policies are organizational, issue-specific, and system-specific:
- Organizational security policy: formulated by management; defines the procedure used to set up the security program and its goals. It identifies the major functional areas of information and defines all relevant terms. Management assigns the roles and responsibilities and defines the procedure to enforce the security policy. A security policy is developed prior to the implementation of the standard operating procedures or guidelines. Organizational policies are strategically developed for long-term achievement of security objectives.
- Issue-specific policy: involves detailed evaluation of security problems and addresses specific security issues. An issue-specific security policy ensures that all employees understand these security issues and comply with the security policies defined to address them.
- System-specific policy: describes rules for the protection of information processing systems, such as databases, computers, and so on. A system-specific policy is strategic in nature and is designed with a long-term focus. It restricts the use of software to roles approved by management and further defines the policies and guidelines for system configuration, implementation of firewalls, intrusion detection systems, and network and virus

(ALE) Annualized loss expectancy

ALE = ARO (annualized rate of occurrence) * SLE (single loss expectancy). Example: ARO = 20%, SLE = 680; ALE = 0.2 * 680 = 136.

Access Controls

Access control techniques support the access control models.
- A technical (logical) control is put into place to restrict access to networks and systems. Examples: system auditing (accountability), software controls, and monitoring (smart cards).
- An administrative (managerial) control defines the security policy, standards, guidelines, supervisory structure, security awareness training, and SOPs. Examples: rotation of duties, separation of duties, and mandatory vacations. Policies and procedures developed by management to ensure the organization is secure (background checks).
- A physical control is implemented to secure physical access to an object, such as a building, a room, or a computer.
The three access control categories provide seven different functionalities or purposes:
- Preventative: prevents security breaches and avoids risks (fences, locks, separation-of-duties policies, job rotation policies, data classification, penetration testing, antivirus software, firewalls, intrusion prevention systems, routers, encryption); also edit-form controls and limit checks (limit pay to prevent fraud).
- Detective: detects security breaches as they occur (security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection systems, violation reports, supervision and reviews of users, and incident investigations).
- Corrective: restores control and attempts to correct any damage inflicted during a security breach. Can be simple, such as terminating malicious activity or rebooting a system; also includes antivirus solutions that can remove or quarantine a virus, backup and restore plans to ensure that lost data can be restored, and active intrusion detection systems that can modify the environment to stop an attack in progress. Business Continuity Planning is a corrective control.
- Deterrent: deters potential violations.
- Recovery: restores resources.
- Compensative (less expensive): provides an alternative control if another control would be too expensive (requiring two authorized signatures to release sensitive information, needing two keys to open a safety deposit box, signing in or out of a traffic log, and using a magnetic card to access an operations center).
- Directive: provides mandatory controls based on regulations or environmental requirements.

Business Continuity Planning

All business units must be represented. The business impact analysis (BIA) is the most vital document. Senior management must be represented.

Construction of processing facility

All walls should have a minimum two-hour fire rating.

procedure

An established or official way of doing something

(SLE) Single Loss Expectancy

Asset value × Exposure factor (EF)

Audit categories

- Audit Privilege: audits all instances of users exercising their rights (under local security policy).
- Audit Account Logon Events: tracks all attempts to log on with a domain user account when enabled on domain controllers. If enabled on a workstation or member server, it records any attempt to log on using a local account.
- Audit Account Management: monitors changes to user accounts and groups.
- Audit Object Access: tracks access to all objects outside Active Directory.

governance strategy responsibility

- Board of directors -> strategy definition
- Executive team -> strategy implementation
- Operations team -> strategy execution

Control Objectives for Information and Related Technology (COBIT)

COBIT is a security framework that acts as a model for IT governance and focuses more on operational goals. COBIT is an initiative from the Information Systems Audit and Control Association (ISACA) and is preferred among IT auditors. COBIT 5 is based on five key principles for governance and management of enterprise IT:
- Principle 1: Meeting Stakeholder Needs
- Principle 2: Covering the Enterprise End-to-End
- Principle 3: Applying a Single, Integrated Framework
- Principle 4: Enabling a Holistic Approach
- Principle 5: Separating Governance From Management
COBIT is used not only to plan the IT security of an organization but also as a guideline for auditors.

Matrix

Capability - corresponds to a row in the access control matrix. A capability lists all the access permissions that a subject has been granted.

mutual authentication

Checks the identity of both ends of the connection. AKA - Two-Way authentication.

Computer security acts

- Computer Security Act of 1987: federal agencies identify computers with sensitive information on them and develop a plan.
- Economic Espionage Act of 1996: guidelines as to who investigates a crime.
- US Communications Assistance for Law Enforcement Act of 1994: ability of law enforcement to preserve surveillance.

Computer crimes

- Computer-targeted crime: the crime targets a computer or its owner (DoS). The computer is the victim.
- Computer-assisted crime: the computer is used as a tool to commit the crime. Examples: attacking confidential servers that contain data, attacking a financial system to steal money, protesting a government by attacking government computers.
- Incidental computer crime: when a computer is involved (incidentally) without being the victim or the attacker. The computer is not the target of the crime and is not the main tool to carry out the crime.
- Computer-prevalence crime: software piracy.

CIA Triad

- Confidentiality: authorized users only. Ex. username/password (minimum level of secrecy) (uses encryption). Classify properly to protect confidentiality.
- Integrity: prevent changes. Ex. editing a database (reliability of info).
- Availability: equipment available for use. Ex. reboots, server failures (redundancy, fault tolerance).

data haven

Countries (or other sovereign entities) that have lax privacy rules to encourage companies to store data there.

access provisioning lifecycle

- Creation: AKA provisioning
- Maintenance: AKA review
- Deletion: AKA deprovisioning, termination, revocation

Owners

- Data owner: uses Discretionary Access Control (DAC); responsible for access using an Access Control List (ACL).
- Data custodian: maintains and protects data, maintains activity records, verifies data accuracy and reliability, backs up and restores data.

European privacy principles

Data cannot be used for purposes other than those specifically stated at collection. The European Privacy Principles are as follows:
- The reason for gathering data must be stated when the data is collected.
- Data cannot be used for purposes other than those specifically stated at collection.
- Data that is not needed should not be collected.
- Data should only be kept while it is needed to accomplish a stated task.
- Only individuals who are required to accomplish a stated task should be given access to the data.
- The individuals responsible for securely storing the data should not allow unintentional leaking of data.
- Individuals are entitled to receive a report on the information that is held about them.
- Transmission of personal information to locations where equivalent personal data protection cannot be assured is prohibited.
- Individuals have the right to correct errors contained in their personal data.
The principles of notice, choice, access, security, and enforcement refer to privacy.

Access controls

- Discretionary Access Control (DAC): the data owner is responsible for access using an Access Control List (ACL). Considered "need to know". DAC is the least secure because it is enforced by data owners only. Identity-based access is implemented in the DAC model.
- Mandatory Access Control (MAC): uses a "label" assigned to objects (such as secret, top secret). STRICTEST. Examples of objects under MAC: file, printer, or computer. Objects are resources that are accessed. Within MAC, if access is not expressly permitted, it is FORBIDDEN. MAC is usually associated with a multi-level security policy.
- Non-Discretionary Role-Based Access Control (RBAC): the security administrator is primarily responsible for the roles defined. Has a low security cost since it is configured on roles, and is easier to implement. RBAC is easy to enforce for general users and is popular for large commercial network applications. Non-discretionary is the EASIEST.

passwords

- Hardest to remember: dynamic/software-generated passwords. These are typically one-time passwords.
- Cognitive: things like mother's maiden name or favorite color.
- Static/user-generated: created by the user.
- Passphrase: easiest to remember.

Security management life cycle

Implement phase: asset identification and change control.

IDaaS (Identity as a Service)

Includes: Single Sign-On, Provisioning, Password Management, Access Governance.

System Security Policy

Lists the hardware and software to be used and the specific steps undertaken to protect the infrastructure and its equipment.

Privacy notice

Must be posted, printed at first service and available upon request.

Controls

- Operational controls: controls over hardware, software, and informational assets. Operational goals are daily goals.
- System controls: restrict the execution of certain types of instructions that can only be executed when an operating system is in supervisor mode.
- Physical controls: monitor the physical security aspect of a facility infrastructure, such as fences, guards, gates, etc.

Software Protection Association (SPA)

Private org of software publishers designed to legally pursue software piracy

Biometrics

- Retina scan: examines blood vessels at the back of the eye. Can be intrusive.
- Iris scan: examines the unique patterns, colors, rings, and coronas of the eye.
- Fingerprint systems: enroll the ENTIRE fingerprint (more time).
- Finger scan: extracts only specific characteristics (faster).
- The crossover error rate (CER) is determined from the False Acceptance Rate (FAR) and the False Reject Rate (FRR).
- Voice print is considered LEAST intrusive.
- Type 1 errors: authorized users denied access to resources. Represent the False Rejection Rate (FRR). FRR is the primary consideration for covenant authentication for users.
- Type 2 errors: erroneous authentication of unauthorized users. Represent the False Acceptance Rate (FAR).
- Behavioral system (signature dynamics): analyzes what a person does and how they do it.
- Physiological system: analyzes physical traits (retina, iris, fingerprint, and palm scans).
- Facial scan: "feature analysis" is the most widely used system.
- Hand geometry scan: will not evaluate ridge endings on fingers or skin tone.
- High productivity is not important to consider during deployment.

correct order of the steps in the risk assessment life cycle

1. Security categorization
2. Security control selection
3. Security control implementation
4. Security control assessment
5. Information system authorization
6. Security control monitoring

Critical Application

Serves as a CORE to an organization's business operations and should remain operational all the time.

National Institute of Standards and Technology (NIST)

The NIST has identified several accepted self-testing techniques: network mapping, vulnerability scanning, penetration testing, password cracking, log review, virus detection, and war dialing

The Patriot Act was established in 2001

The Patriot Act was established in 2001 to reduce restrictions on searching telephone and e-mail communications and medical, financial, and other records. Up until the Patriot Act was established, law enforcement officials were limited by the Fourth Amendment. The Patriot Act is usually only used in situations where the U.S. government is investigating agents of governments. The restrictions of the Patriot Act and the Fourth Amendment do not apply to private individuals not employed by the U.S. government. However, there are exceptions where the Fourth Amendment applies to private citizens if the citizen is acting on behalf of the government, including the following:
- The government is aware of the intent to search or is aware of a search conducted by the private individual and does not object to these actions.
- The private individual performs the search to aid the government.
- The private individual conducts a search that would require a search warrant if conducted by a government entity.

Standard

The uniform procedures used in the administration and scoring of a test.

Property law

- Trade secret: something a company owns, such as a formula, which is vital for survival.
- Copyright: protects resources and controls how they are distributed, reproduced, displayed, and adapted.
- Trademark: protects a word, symbol, or identification for sale or advertising.
- Patent: lasts for 20 years.

TEMPEST

US program that reduces electronic equipment emanations in order to reduce eavesdropping attacks.

Designing security program

Use a top-down approach to ensure all initiatives come from top management and work their way down. A bottom-up approach occurs when the IT department has to implement a security program without top management's initiation or support.

1991 US Federal Sentencing Guidelines

White-collar crimes. A fine of up to 290 million can be imposed on senior management.

Kerberos

A client is granted a TGT from an Authentication Server (AS). The client then sends the TGT to a Key Distribution Center (KDC), and the KDC sends a session key to the client. The client then uses the key to access resources. The KDC stores, distributes, and maintains cryptographic session keys. With Kerberos, a Ticket Granting Server (TGS) grants tickets. To ensure tickets expire correctly, clock synchronization is used with Kerberos. Secure European System for Applications in a Multi-vendor Environment (SESAME) improves upon weaknesses in Kerberos. SESAME uses both symmetric and asymmetric encryption.

policy

a course or principle of action adopted or proposed by a government, party, business, or individual.

guideline

also known as guide

Rainbow table

contains all possible passwords in hash format

The Internet Architecture Board (IAB)

coordinates Internet design, engineering, and management. It oversees the Internet Engineering Task Force (IETF). The IAB issues ethics-related Internet usage guidelines.

risk assessment life cycle

Correct order:
1. Security categorization
2. Security control selection
3. Security control implementation
4. Security control assessment
5. Information system authorization
6. Security control monitoring

The World Wide Web Consortium (W3C)

developed the Platform for Privacy Preferences Project (P3P) for user privacy on Web sites. Each site that adopts P3P will have its own privacy statement that users should read. W3C allows Web sites to express their privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents. It allows users to be informed of site practices in human-readable format. It automates decision-making based on the site's privacy practices when appropriate.

OMB Circular A-130

Developed to meet information resource management requirements for the federal government. According to this circular, an independent audit should be performed every three years.

The Institute of Electrical and Electronics Engineers (IEEE)

develops standards for new technologies, including wireless

Due diligence Due Care

- Due diligence: implies the company investigates and determines the possible vulnerabilities and risks. Occurs when evaluating information to identify vulnerabilities, threats, and issues related to risk.
- Due care: the organization has taken the necessary steps to protect the organization, its resources, and personnel.

Downstream Liability

ensures organizations working together under a contract are responsible for their information security management and security controls deployed.

The Sarbanes-Oxley Act

established accounting practices and methods that publicly traded companies must use when they report their financial status

The Kennedy-Kassebaum Act, also known as the Health Insurance Portability and Accountability Act (HIPAA)

Established national standards for the storage, usage, and transmission of medical data. Enforced by the Office for Civil Rights of the Department of Health and Human Services (HHS).

The Gramm-Leach-Bliley Act (GLBA)

established privacy policies for financial institutions.

Remote Access

For authentication, authorization, and accounting, you should use the RADIUS server for centralized setup.

The European Union (EU)

has developed its own EU Principles on Privacy, which lists six areas that address using and transmitting information that is sensitive in nature. AKA Safe Harbor requirements.

The Computer Security Act of 1987

Has the following requirements:
- The federal agency should identify the computer systems that contain sensitive information.
- A security plan should be developed and implemented for the systems' security.
- Periodic security awareness training should be conducted for employees.
- Acceptable computer usage practices should be defined in advance.
- The government agencies should ensure that employees maintain a certain level of awareness and protection.
The primary purpose of the Computer Security Act of 1987 is to safeguard sensitive information of the federal government and to ensure that all federal computer systems fulfill a certain desired level of security to ensure the confidentiality, integrity, and availability of information.

Database models

- Hierarchical: uses LDAP; uses a logical tree structure.
- Relational: uses rows and columns to arrange data and presents it in a data table. Most popular.
- Object-oriented: can store graphical, audio, and video data. A popular database is db4objects.
- Object-relational: relational with a software front end written in an object-oriented programming language, such as Oracle 11g.
- Network: expands on the hierarchical model; allows a child record to have more than one parent, since hierarchical only allows one parent.

five key functions:

Identify, protect, detect, respond, and recover.
1. The identify function is where you develop an understanding of what your risks are, what your assets are, and what your capabilities are.
2. Protect is your set of plans and actions that put in place the right controls (remember: controls do stuff) to protect the assets.
3. Detect is the set of plans and actions that you will use to identify, classify, etc., an attack against your assets.
4. Respond is the set of activities that you engage in in response to an attack.
5. Finally, recover refers to whatever plans or protocols you have in place to bring things back to normal after an attack.

The Internet Engineering Task Force (IETF)

is a committee that is overseen by IAB. The IETF's goal is to make the Internet better. It adheres to the same ethics as the IAB, but the IETF does not have its own ethics statement.

The Software Protection Association (SPA)

is primarily concerned with software piracy.

The Internet Corporation for Assigned Names and Numbers (ICANN)

is the organization responsible for the allocation of IP addresses and management of DNS

Exigent circumstance

is used when evidence might be destroyed. Exigent circumstance allows officials to seize evidence before its destruction and without a warrant. A judge will decide at a later time if the seizure was proper and if the evidence can be admitted in court.

Sarbanes-Oxley Act (SOX)

law that requires publicly traded companies to maintain adequate systems of internal control

vulnerability assessment

Method of determining vulnerabilities and their risks. Steps are then taken to reduce the risk.

Administrative Law

Often called regulatory law. Includes standards of performance or conduct expected by government agencies from companies, industries, and certain officials.

Virus and attacks

- Retrovirus: attacks or bypasses anti-virus software.
- Phage virus: modifies other programs and databases.
- Emanations capturing: involves using special tools to eavesdrop on wave frequencies (wireless) to capture traffic.
- Maintenance hooks: backdoors in applications that are designed by developers for maintenance.
- Asynchronous attack (AKA time-of-check/time-of-use (TOC/TOU) attack): happens when an attacker interrupts a task and changes something to direct the result.
- Buffer overflow: occurs when too much data is transmitted to an application or operating system.

information policy

specifies the organization's rules for sharing, disseminating, acquiring, standardizing, classifying, and inventorying information. Minimum of public and private classifications.

International Standards Organization (ISO) 17799

standard that provides recommendations on enterprise security.

fire procedures

True of an information processing facility: doors and walls should have the same fire rating. Steps in the event of fire: 1. Evacuate the facility and shut down computer systems if possible. 2. Inform the facility manager and contact the fire department.

Raking

Used by intruders to circumvent a lock (i.e., lock picking).

Cross certification

Used to establish trust between different PKIs and build an overall PKI hierarchy. Allows users to validate each other's certificates when certified under different PKIs.
