Cyber Security Chapter 5
issue-specific security policy
(1) addresses specific areas of technology (2) requires frequent updates, (3) contains a statement on the organization's position on a specific issue
The Defense Strategy includes 3 common methods
1) Application of policy (Managerial control) 2) Education and training (Operational control) 3) Application of technology (Technological control)
Things to consider when evaluating whether a published best practice fits your organization
1) Does your organization resemble the identified target organization? Is your organization in a similar industry as the target? 2) Can your organization expend resources similar to those identified with the best practice? 3) Is your organization in a similar threat environment as the target organization?
12. What are the strategies for controlling risk as described in this chapter?
1. Defend - The defend control strategy attempts to prevent the exploitation of the vulnerability. 2. Transfer - The transfer control strategy attempts to shift risk to other assets, other processes, or other organizations. 3. Mitigate - The mitigate control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. 4. Accept - The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. 5. Terminate - The terminate control strategy directs the organization to avoid those business activities that introduce uncontrollable risks.
Six steps in contingency planning process
1. Identifying the mission- or business-critical functions 2. Identifying the resources that support the critical functions 3. Anticipating potential contingencies or disasters 4. Selecting contingency planning strategies 5. Implementing the contingency strategies 6. Testing and revising the strategy
Three main concerns if fire occurs in OR
1. protect the patient 2. contain the fire 3. move the anesthesia equipment as far away as possible from the fire source
11. What is competitive disadvantage? Why has it emerged as a factor?
A competitive disadvantage occurs when a company falls behind the competition in its ability to maintain the highly responsive services required in today's marketplaces. It has emerged as a factor because almost all organizations now depend on an IT system; organizations therefore need to obtain or improve their IT systems simply to avoid falling behind everyone else.
Security clearance
A component of a data classification scheme that assigns a status level to employees to designate the maximum level of classified data they may access
Risk assessment
A determination of the extent to which an organization's information assets are exposed to risk
Threats-vulnerabilities-assets worksheet
A document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings
Threat-vulnerabilities-assets triples
A pairing of an asset with a threat and an identification of vulnerabilities that exist between the two. This pairing is often expressed in the format TVA, where there may be one or more vulnerabilities between the threat and asset.
Baseline
A performance value or metric used to compare changes in the object being measured
Acceptable Use Policy(AUP)
A policy used by organizations such as schools and businesses to regulate online use.
asset valuation
A process of assigning financial value or worth to each information asset
19. What is the definition of single loss expectancy? What is annual loss expectancy?
A single loss expectancy is the value associated with the most likely loss from an attack. It is a calculation based on the value of the asset and the expected percentage of loss that would occur from a single occurrence of a particular attack. Annual loss expectancy is the expected loss from exploitation of a vulnerability for a specific information asset over the course of a year. It is calculated by multiplying the single loss expectancy for a particular information asset by the annualized rate of occurrence.
Federal Agencies Security Practices (FASP)
A web site established by the U.S. government to share best practices in Information Security
Hot Sites
A ________ is a fully configured computer facility.
Warm Sites
A ________ typically does not include the actual applications the company needs.
Cold Sites
A ________ provides only rudimentary services and facilities.
Cost benefit analysis (CBA)
AKA an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control; contrasted with its projected value to the organization
Asset exposure
Also known as loss magnitude, the combination of an asset's value and the percentage of it that might be lost in an attack
Loss magnitude
Also known as event loss magnitude, the combination of an asset's value and the percentage of it that might be lost in an attack
NIST Special Publication SP 800-12
An Introduction to Computer Security: The NIST Handbook
organizational feasibility
An assessment of how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization
Operational feasibility
An assessment of user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders
behavioral feasibility
An assessment of user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders
technical feasibility
An assessment of whether the organization can acquire the technology necessary to implement and support the proposed control
Political feasibility
An assessment of which controls can and cannot occur based on the consensus and relationships among communities of interest
Qualitative assessment
An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures
Phishing
An attack that sends an email or displays a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
Field change order (FCO)
An authorization issued by an organization for the repair, modification, or update of a piece of equipment
DNS poisoning
An entry is embedded in the victim's local DNS cache that
Dumpster diving
An information attack that involves searching through an organization's trash and recycling bins for sensitive information
Clean desk policy
An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every workday
Threat assessment
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization
Annualized Loss Expectancy (ALE) Formula
ALE = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)
Quantitative Assessment
An asset valuation approach that attempts to assign absolute numerical measures
6. What value does an automated asset inventory system have for the risk identification process?
Automated tools can sometimes identify the system elements that make up hardware, software, and network components. The inventory listing is usually available in a database. Once stored, the inventory listing must be kept current. When you move to the later steps of risk management, which involve calculations of loss and projections of costs, the case for the use of automated risk management tools for tracking information assets becomes stronger.
EMI Shielding
A barrier placed around wires that blocks EMI from interfering with the electrical signals in the wires
The most common mitigation plans are:
Contingency plans (IR, DR, and BC plans)
18. What is a Cost Benefit Analysis?
Cost benefit analysis is the formal decision-making process used by an organization to evaluate whether or not the benefit gained from a given project is worth the expense its undertaking incurs.
Cost-Benefit Analysis (CBA) Formula
CBA = ALE (prior) - ALE (post) - ACS (Annualized Cost of Safeguard)
Turnstiles
Device with bars or other obstruction to alternately block an entry way
separation of duty
Different people do parts of the process, which is well documented; no single person has control end to end
Fire class
Different types of fire based on the fuel that feeds the fire
Electromagnetic radiation (EMR)
Electromagnetic signals given off by all electronic equipment
NIST SP 800-27, Rev. A
Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
Data Center
Facility specifically designed to store and manage vast quantities of data
FUD
Fear, uncertainty, and doubt; emotions of upper management officials
Data classification scheme
Formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it
4. In risk management strategies, why must periodic review be a part of the process?
Frequently, organizations implement control mechanisms, but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.
Hot and Cold Aisles
Fronts of servers face cold aisles; hot air is expelled into hot aisles
Policy Management
Good management practices for policy development and maintenance make for a more resilient organization.
NIST SP 800-37, Rev. 1
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach
Waterholes
Attackers discover which websites are often visited by specific individuals, a department, or all employees of a company, then compromise those sites to reach the visitors
Internet engineering task force
IETF
Single Loss Expectancy (SLE)
In a cost benefit analysis, the calculated value associated with the most likely loss from an attack. The SLE is the product of the asset's value and the exposure factor
Annualized rate of occurrence (ARO)
In a cost benefit analysis, the expected frequency of an attack, expressed on a per year basis
Exposure Factor (EF)
In a cost benefit analysis, the expected percentage of loss that would occur from a particular attack
Annualized Loss expectancy
In a cost benefit analysis, the product of the annualized rate of occurrence and single loss expectancy
Annualized cost of a safeguard
In a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use
3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
In an organization, it is the responsibility of each community of interest to manage the risks that organization encounters. Each community of interest has a role to play. Since the members of the information security community best understand the threats and attacks that introduce risk into the organization, they often take a leadership role in addressing risk.
Pharming
Involves setting up a website that looks legitimate and credible but is used to steal personal information entered by users
8. Which is more important to the systems components classification scheme, that the list be comprehensive or mutually exclusive?
It is more important that the list be comprehensive than mutually exclusive. It would be far better to have a component assessed in multiple categories rather than to have it go completely unrecognized during a risk assessment.
2. According to Sun Tzu, what two key understandings must you achieve to be successful?
Know yourself; know your enemy.
Loss Event Frequency (LEF) Formula
LEF = Likelihood of attack x attack success probability
Primary factors to consider when selecting a risk control strategy
Level of the threat and value of the asset
Reasons for back pain or injury
Lifting with the back bowed out, bending and reaching with the back bowed out, jerking or twisting at the hips, obesity, loss of strength and flexibility, poor nutrition
Two measures to compare benchmarking practices
Metrics-based and Process-based measures
Compartmented Information
Named projects requiring an extreme-need-to-know before access is allowed
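The clearance, data classification, and compartmented information cards above together describe a dominance check: a subject may read an asset only when its clearance level is at least the asset's classification level and it holds every compartment the asset is marked with (the need-to-know part). The following is an added example, not code from the course text; the four level names follow the public / for official use only / sensitive / classified scheme, and the inventory, employees, and compartment names are constructed for the demonstration.

```python
from dataclasses import dataclass

# Ordered classification levels, lowest to highest (scheme assumed for this example).
LEVELS = {"public": 0, "for official use only": 1, "sensitive": 2, "classified": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus zero or more named compartments."""
    level: str
    compartments: frozenset = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")


def dominates(subject: Label, obj: Label) -> bool:
    """Lattice dominance: the subject's level is at least the object's level AND
    every compartment the object is in is also held by the subject."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.compartments <= subject.compartments)


def may_read(clearance: Label, asset_label: Label) -> bool:
    """Read access requires the employee's clearance to dominate the asset's label."""
    return dominates(clearance, asset_label)


# Constructed inventory and clearances (hypothetical project names).
ASSETS = {
    "press release draft": Label("public"),
    "org chart": Label("for official use only"),
    "customer database": Label("sensitive"),
    "project ORCHID design": Label("classified", frozenset({"ORCHID"})),
    "project ORCHID vendor bids": Label("classified", frozenset({"ORCHID", "PROCUREMENT"})),
}

CLEARANCES = {
    "analyst": Label("sensitive"),
    "orchid engineer": Label("classified", frozenset({"ORCHID"})),
    "orchid contracts lead": Label("classified", frozenset({"ORCHID", "PROCUREMENT"})),
}


def readable_assets(employee: str) -> list:
    """Every inventory asset whose label the employee's clearance dominates."""
    clearance = CLEARANCES[employee]
    return sorted(name for name, label in ASSETS.items() if may_read(clearance, label))


if __name__ == "__main__":
    for who in CLEARANCES:
        print(f"{who}: {readable_assets(who)}")
```

The point the example makes is that a "classified" clearance alone does not open compartmented material: `Label("classified")` with no compartments is refused the ORCHID design, while the ORCHID engineer is refused the vendor bids because they lack PROCUREMENT.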
Security Framework
Outline of the overall information security strategy for the organization
Defense in Depth
One of the basic tenets of security architectures is the layered implementation of security.
The Reasoned Approach to Risk
One that balances the expense of controlling vulnerabilities against possible losses if the vulnerabilities are exposed
Process-based measures
Performance measures or metrics based on intangible activities
Metrics-based measures
Performance measures or metrics based on observed numerical data
Whale Phishing
Phishing attack targeting individuals with high net worth or high status
Vishing
Phishing attacks committed using telephone calls or VoIP systems.
Smishing
Phishing attacks committed using text messages (SMS).
Mantrap
Physical access control system that uses two sets of interlocking doors
Three goals of security measures
Preventing a problem
Risk management
Process of identifying risk, assessing its relative magnitude, taking steps to reduce it to an acceptable level
Offboarding
Process of managing the way employees leave the organization.
spear phishing
Recipients are deliberately chosen for attack
RACE
Remove/rescue anyone from fire or smoke danger to a safe area; Alert/sound the alarm; Contain the fire; Extinguish/evacuate
Central Sterile Supply and Processing (CSPD)
Responsible for wrapping instrument sets and sterilizing them; also used for storing and distributing supplies and equipment and processing supplies as they arrive from manufacturers
9. What's the difference between an asset's ability to generate revenue and its ability to generate profit?
Revenue is the recognition of income from an activity supported by the system. Profit is the amount of revenue that exceeds operating costs. Some systems may cost more to operate than they contribute to revenue.
Risk Formula
Risk = Loss frequency x Loss magnitude + uncertainty
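The risk formula card above, the loss event frequency formula (LEF = likelihood x attack success probability), and the TVA worksheet card describe how the rows of a risk identification worksheet get scored and ordered. The following is an added example that ties those cards together; it is not code from the course text. The worksheet rows are constructed, and one modelling choice is an assumption labelled in the code: the "+ uncertainty" term is applied as a percentage added on top of the point estimate, since the page does not say how the uncertainty is expressed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TVA:
    """One threat-vulnerability-asset triple from the worksheet, with the
    estimates needed to score it (all fractions are 0..1)."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: float
    exposure_factor: float       # share of the asset lost in one successful attack
    likelihood: float            # probability the vulnerability is targeted in the period
    success_probability: float   # probability an attempted attack succeeds
    uncertainty: float           # analyst's confidence gap, as a fraction of the estimate

    def __post_init__(self):
        for name in ("exposure_factor", "likelihood", "success_probability", "uncertainty"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {value}")


def loss_frequency(likelihood: float, success_probability: float) -> float:
    """Expected number of losses in the period: likelihood x attack success probability."""
    return likelihood * success_probability


def loss_magnitude(asset_value: float, exposure_factor: float) -> float:
    """Value lost per successful attack: asset value x exposure factor."""
    return asset_value * exposure_factor


def risk(t: TVA) -> float:
    """Risk = loss frequency x loss magnitude + uncertainty.
    Assumption for this example: the uncertainty term is a percentage of the
    point estimate added on top of it."""
    estimate = (loss_frequency(t.likelihood, t.success_probability)
                * loss_magnitude(t.asset_value, t.exposure_factor))
    return estimate + estimate * t.uncertainty


def ranked_worksheet(triples) -> list:
    """Rows of (asset, threat, risk) ordered highest risk first; this ordering is
    the input the control-selection step starts from."""
    return [(t.asset, t.threat, round(risk(t), 2))
            for t in sorted(triples, key=risk, reverse=True)]


# Constructed sample worksheet rows (values are illustrative, not measured).
SAMPLE = [
    TVA("customer database", "SQL injection via web app", "unparameterised queries",
        asset_value=500_000, exposure_factor=0.25,
        likelihood=0.6, success_probability=0.5, uncertainty=0.10),
    TVA("file server", "ransomware via phishing", "no offline backups",
        asset_value=200_000, exposure_factor=0.60,
        likelihood=0.8, success_probability=0.3, uncertainty=0.20),
    TVA("public web site", "DDoS", "no upstream rate limiting",
        asset_value=50_000, exposure_factor=0.80,
        likelihood=0.9, success_probability=0.4, uncertainty=0.05),
]

if __name__ == "__main__":
    for asset, threat, score in ranked_worksheet(SAMPLE):
        print(f"{score:>10,.2f}  {asset:<18} {threat}")
```

Note that the file server row has the highest loss frequency (0.24 expected losses) but the database row still ranks first because of its larger loss magnitude; the ranking only makes sense once both factors are multiplied together.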
17. What is risk appetite? Explain why risk appetite varies from organization to organization?
Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. Risk appetite varies from organization to organization because different organizations strike different balances between the expense of controlling vulnerabilities and the losses possible if those vulnerabilities were exploited. The key for each organization is to find that balance in its decision-making processes and in its feasibility analyses, thereby ensuring that its risk appetite is based on experience and facts.
1. What is risk management? Why is identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?
Risk management is the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level. Identification, by listing assets and their vulnerabilities, must come first because an organization cannot assess or control risk to an asset it has not enumerated; every later step (valuation, threat assessment, control selection) works from that list.
Server Room
Secured room in which servers and networking equipment are installed
NIST SP 800-26
Security Self-Assessment Guide for Information Technology Systems
Best business practices
Security efforts that seek to provide a superior level of performance in the protection of information. AKA best practices or recommended practices.
5. Why do networking components need more examination from an information security perspective than from a systems development perspective?
Since networking subsystems are often the focal point of attacks against the system, they should be considered as special cases rather than combined with general hardware and software components. Additionally, some networking components require examination from an information security perspective due to the fact that they must be reconfigured from their default settings to both serve their required purpose and maintain security requirements. From the systems development perspective, the networking component may function perfectly, as is, right out of the box. However, without information security oversight, potential vulnerabilities could go unnoticed.
Single Loss Expectancy Formula
SLE = Exposure Factor (EF) x Asset Value
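The SLE, ALE, ARO, exposure factor, annualized cost of a safeguard, and CBA cards on this page (questions 18 and 19 and the three formula cards) are the pieces of one calculation: work out what the asset costs you per year today, what it would cost with a candidate control in place, subtract the control's annual cost, and keep the control only if the result is positive. The following is an added worked example, not code from the course text; the asset, the three candidate safeguards, and all dollar figures are constructed to show how the formulas decide between the defend and accept strategies.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF is the fraction of the asset lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (attacks per year; may be below 1)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def annualized_cost_of_safeguard(total_cost: float, years_of_use: int) -> float:
    """ACS = all purchase, maintenance, subscription, personnel and support
    costs over the control's life, divided by its expected years of use."""
    if years_of_use <= 0:
        raise ValueError("years of use must be positive")
    return total_cost / years_of_use


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return ale_prior - ale_post - acs


@dataclass(frozen=True)
class Safeguard:
    name: str
    total_cost: float            # lifetime cost of the control
    years_of_use: int
    post_exposure_factor: float  # EF expected once the control is in place
    post_aro: float              # ARO expected once the control is in place


def evaluate_safeguards(asset_value, exposure_factor, aro, safeguards):
    """Return (ALE before any new control, [(safeguard name, CBA), ...] best first)."""
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    scored = []
    for s in safeguards:
        ale_post = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, s.post_exposure_factor), s.post_aro)
        acs = annualized_cost_of_safeguard(s.total_cost, s.years_of_use)
        scored.append((s.name, cost_benefit(ale_prior, ale_post, acs)))
    return ale_prior, sorted(scored, key=lambda r: r[1], reverse=True)


def recommend(asset_value, exposure_factor, aro, safeguards) -> str:
    """Pick the safeguard with the largest positive CBA; if none is positive,
    none of the candidates is cost-justified and accepting the risk is the
    economically defensible choice (or new candidates are needed)."""
    _, ranked = evaluate_safeguards(asset_value, exposure_factor, aro, safeguards)
    best_name, best_cba = ranked[0]
    return best_name if best_cba > 0 else "accept: no candidate control is cost-justified"


# Constructed scenario: a customer database valued at $500,000; a successful
# attack is expected to destroy a quarter of that value, about once every two years.
ASSET_VALUE, EXPOSURE_FACTOR, ARO = 500_000, 0.25, 0.5

CANDIDATES = [
    Safeguard("web application firewall", total_cost=60_000, years_of_use=3,
              post_exposure_factor=0.10, post_aro=0.2),
    Safeguard("tested offline backups", total_cost=12_000, years_of_use=3,
              post_exposure_factor=0.10, post_aro=0.5),
    Safeguard("full application rewrite", total_cost=450_000, years_of_use=5,
              post_exposure_factor=0.05, post_aro=0.1),
]

if __name__ == "__main__":
    ale, ranked = evaluate_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES)
    print(f"ALE with current controls: ${ale:,.0f}")
    for name, cba in ranked:
        print(f"  {cba:>12,.0f}  {name}")
    print("recommend:", recommend(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES))
```

With these numbers the current ALE is $62,500. The rewrite removes the most risk but its $90,000 annual cost exceeds the loss it prevents, so its CBA is negative; the backups (which lower the loss per incident without changing how often incidents happen) edge out the firewall (which lowers both) purely on cost.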
The Fire Triangle
Source of ignition (ignition), oxygen (oxygen-rich environment), flammable chemical gas, vapor, or liquid (fuel)
TEMPEST
Spe
FAIR Approach to Risk Assessment
Stage 1: Identify scenario components. Stage 2: Evaluate loss event frequency (LEF) from threat event frequency (TEF), threat capability (TCap), control strength (CS), and vulnerability (Vuln). Stage 3: Evaluate probable loss magnitude (PLM). Stage 4: Derive and articulate risk.
Closed-Circuit Television(CCTV)
System in which video cameras transmit signals to a centralized monitoring location, not publicly broadcast
16. How is an incident response plan different from a disaster recovery plan?
The DR plan focuses more on preparations completed before and actions taken for disasters - often escalated incidents; to reestablish operations at the primary site. The IR plan focuses on Incident Response: intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions taken while an incident is occurring.
NIST Special Publication 800-18 Rev. 1
The Guide for Developing Security Plans for Federal Information Systems can be used as the foundation for a comprehensive security blueprint and framework.
7. What information attribute is often of great value for networking equipment when DHCP is not used?
The IP address is a useful attribute for networking equipment. Note that many organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP addresses to devices as needed, making the use of IP addresses as part of the asset identification process problematic. As a result, IP address use in inventory is usually limited to those devices that use static IP addresses.
Crisis Management
The actions taken during and after a disaster
Avoidance of competitive disadvantage
The adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition and innovation, rather than falling behind
Competitive advantage
The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform the competition
Risk appetite
The amount of risk an organization is willing to accept
Residual risk
The amount of risk that remains to an information asset even after the organization has applied its desired level of controls
Risk control
The application of controls that reduce the risks to an organization's information assets to an acceptable level
Loss frequency
The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range
Baselining
The comparison of past security activities and events against the organization's current performance
13. Describe the "defend" strategy. List and describe the three common methods.
The defend control strategy attempts to prevent the exploitation of the vulnerability. This is the preferred approach, and it is accomplished by countering threats, removing vulnerabilities from assets, limiting access to assets, and adding protective safeguards. There are three common methods used to defend: - Application of policy - Education and training - Application of technology
Performance gap
The difference between an organization's observed and desired performance
Risk identification
The enumeration and documentation of risks to an organization's information assets
Business Impact Analysis
The first phase in the development of the contingency planning process is the ________. A ________ is an investigation and assessment of the impact that various attacks can have on the organization. The ________ takes up where the risk assessment process leaves off: it begins with the prioritized list of threats and vulnerabilities identified in the risk management process.
Strategic plan
The first priority of the CISO and the information security management team is the creation of a __________ to accomplish the organization's information security objectives.
15. Describe the "mitigate" strategy. What three planning approaches are discussed in the text as opportunities to mitigate risk?
The mitigate strategy is the control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. Mitigation begins with the early detection that an attack is in progress and the ability of the organization to respond quickly, efficiently, and effectively. This approach requires the creation of three types of plans: the incident response plan, the disaster recovery plan, and the business continuity plan. Each of these plans depends on the ability to detect and respond to an attack as quickly as possible and relies on the existence and quality of the other plans. Incident Response Plan (IRP) - Defines the actions an organization can and perhaps should take while an incident is in progress. Disaster recovery plan (DRP) - The most common mitigation procedure; preparations for the recovery process. Business Continuity Plan (BCP) - Encompasses the continuation of business activities if a catastrophic event occurs.
attack success probability
The number of successful attacks that are expected to occur within a specified time period.
policy administrator
The policy champion and manager
Incident Planning
The predefined responses enable the organization to react quickly and effectively to the detected incident.
Likelihood
The probability that a specific vulnerability within an organization will be the target of an attack
Benchmarking
The process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate
cost avoidance
The process of preventing the financial impact of an incident by implementing a control
Onboarding
The process through which new employees learn the attitudes, knowledge, skills, and behaviors required to function effectively within an organization.
Defense Control Strategy
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards
mitigation control strategy
The risk control strategy that attempts to reduce the impact of a successful attack through planning and preparation
transfer control strategy
The risk control strategy that attempts to shift residual risk to other assets, other processes, or other organizations
termination control strategy
The risk control strategy that eliminates all risk associated with an information asset by removing it from service
acceptance control strategy
The risk control strategy that indicates an organization is willing to accept the current level of residual risk
20. What is residual risk?
The risk to information assets that remains even after current controls have been applied.
Electronic vaulting
The transfer of large batches of data to an offsite facility is called ________. This transfer is usually conducted through leased lines or services provided for a fee.
Remote journaling
The transfer of live transactions to an offsite facility is called ________.
14. Describe the "transfer" strategy. Describe how outsourcing can be used for this purpose.
The transfer strategy is the control approach that attempts to shift risk to other assets, other processes, or other organizations. Outsourcing allows an organization to transfer the risk associated with the management of complex systems to another organization that has experience in dealing with those risks. One of the benefits of outsourcing is that the service provider is responsible for disaster recovery when recovery efforts are needed.
Three Safety Factors around ionizing radiation
Time, shielding , and distance
Tailgating
Unauthorized person walking into a facility with or right behind authorized people to appear as if with them
Bollards
Vertical cylinders permanently installed to prevent vehicles from passing
10. What are vulnerabilities and how do you identify them?
Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset. They are a flaw or weakness in an information asset, security procedure, design, or control that could be exploited accidentally or on purpose to breach security. Analyzing all components of an Information System and evaluating the risk to each component should identify any vulnerabilities.
Dissemination
________ demonstrates that the policy has been made readily available for review by the employee. Common ________ techniques include hard-copy and electronic distribution.
Systems-Specific Policy (SysSP)
________ often function as standards or procedures to be used when configuring or maintaining systems
Governance
________ is providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly
DMZs
a no-man's-land between the inside and outside networks; it is also where some organizations place Web servers. These servers provide access to organizational Web pages, without allowing Web requests to enter the interior networks.
Incident Response Plan
a set of documents that direct the actions of each involved individual who reacts to and recovers from the incident.
Proxy Servers
Servers that perform actions on behalf of another system.
Personally Identifiable Information (PII)
any data that can be used to identify, locate, or contact an individual
Operational controls
________ are management and lower-level planning functions that deal with the operational functionality of security in the organization, such as disaster recovery and incident response planning. ________ address personnel security, physical security, and the protection of production inputs and outputs.
Intrusion Detection and Prevention Systems (IDPSs)
detect unauthorized activity within the inner network or on individual machines
Business Unit Analysis
Determine which business units are most vital to continued operations.
Firewalls
A ________ discriminates against information flowing into or out of the organization. It is usually a computing device or a specially configured computer that allows or prevents access to a defined area based on a set of rules. ________ are usually placed on the security perimeter, just behind or as part of a gateway router.
Chemical hazards
disinfecting agents, waste anesthetic gases, and vapors and fumes from chemical agents
Sender policy framework(SPF)
E-mail authentication protocol in which a domain publishes, in a DNS TXT record, the mail servers allowed to send on its behalf, so that a receiving server can check whether the connecting server is authorized for the sender's domain
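The SPF card above says the receiving server validates the sender; what that check actually involves is fetching the sender domain's "v=spf1" TXT record and walking its mechanisms until one matches the connecting IP. The following is an added example of that evaluation, not code from the course text or from any SPF library. To run offline it replaces DNS with a constructed dictionary (FAKE_DNS); the domains and records in it are invented. It implements the ip4, ip6, a, mx, include and all mechanisms, the four qualifiers, and the 10-lookup limit from RFC 7208, and leaves out macros, ptr, exists and the redirect=/exp= modifiers.

```python
import ipaddress

# RFC 7208 caps DNS-querying mechanisms (include, a, mx, ...) at 10 per check so a
# mis-written or hostile record cannot loop forever or amplify resolver traffic.
MAX_DNS_LOOKUPS = 10

# Constructed stand-in for DNS; real code would query a resolver here.
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailer.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},  # deliberately circular
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> list:
    """Return the constructed records of one type for a name (empty if none)."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def check_spf(client_ip: str, domain: str, _budget=None) -> str:
    """Evaluate the domain's SPF record for a connecting mail server IP.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if _budget is None:
        _budget = [MAX_DNS_LOOKUPS]           # shared across nested include: evaluations
    records = [t for t in lookup(domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                    # RFC 7208 4.5: multiple SPF records are an error
    ip = ipaddress.ip_address(client_ip)

    for term in records[0].split()[1:]:
        qualifier = "+"                       # no qualifier means '+'
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        mechanism = mechanism.lower()

        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"            # malformed address or prefix
            matched = ip.version == network.version and ip in network
        elif mechanism in ("a", "mx", "include"):
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"            # lookup limit exceeded (loops end up here)
            target = value or domain
            if mechanism == "include":
                inner = check_spf(client_ip, target, _budget)
                if inner in ("none", "permerror"):
                    return "permerror"        # including a missing or broken record is fatal
                matched = inner == "pass"     # only an inner pass counts as a match
            elif mechanism == "a":
                matched = any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
            else:                             # mx: the A records of each MX host
                matched = any(ip == ipaddress.ip_address(a)
                              for host in lookup(target, "MX") for a in lookup(host, "A"))
        else:
            return "permerror"                # exists, ptr, macros, redirect=, a/24 syntax: not handled

        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]

    return "neutral"                          # nothing matched and no 'all' term (RFC 7208 4.7)


if __name__ == "__main__":
    for ip, dom in [("203.0.113.7", "example.com"), ("10.0.0.1", "example.com"),
                    ("10.0.0.1", "nospf.example"), ("10.0.0.1", "loop.example")]:
        print(f"{ip:>14} {dom:<22} {check_spf(ip, dom)}")
```

Two behaviours are worth noticing because real deployments get them wrong: an include: whose inner record ends in ~all never matches, so a third-party mailer's softfail does not leak through as a pass for your domain, and the shared lookup budget turns the circular loop.example record into a permerror instead of a hang.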
Potential Damage Assessment
estimate the cost of the best, worst, and most likely cases.
Occupational Safety and Health Administration (OSHA)
federal organization that is dedicated to protecting the health of workers by establishing standards that address issues related to safety in the work place
NIST Special Publication 800-14
Generally Accepted Principles and Practices for Securing Information Technology Systems; provides best practices and security principles that can direct the security team in the development of a security blueprint.
Standard Precautions
guidelines established by the Occupational Safety and Health Administration and the Centers for Disease Control and Prevention to reduce the risk of disease transmission from blood and body fluids
Damage assessment
immediate determination of the scope of the breach
Static electricity
is prevented by keeping the humidity above 50%; humidity below this is conducive to spark transmission
Disaster Recovery Planning
is the process of preparing an organization to handle and recover from a disaster, whether natural or man-made.
Biological hazards
laser and/or electrosurgical plume, pathogens found in body fluids, latex sensitivity, and injuries from sharps
Laser
light amplification by the stimulated emission of radiation
electrosurgical unit
mechanical device which produces an electric current that is converted into thermal energy(heat) for the purpose of cutting or coagulating tissue
firewall subnet
multiple firewalls creating a buffer between the outside and inside networks
ET tube for laser surgery
must be inflated with sterile water instead of air with wet sponges around the tube and cuff
Fiberoptic beam
must not be focused on the drapes
Physical hazards
noise, ionizing radiation, electricity, injury to the body, fire, and explosion
Ebonized instrumentation
nonreflective instrumentation that must be used in the vicinity of the laser site
Database shadowing
not only processes duplicate, real-time data storage, but also duplicates the databases at the remote site to multiple servers.
triboelectrification
one of two processes by which static electricity can build; occurs by friction between two surfaces
Business continuity planning
prepares an organization to reestablish critical business operations during a disaster that affects operations at the primary site.
Grounding
prevents the passage of the electrical current through the patient by directing the current to the ground, therefore bypassing the patient
Managerial controls
set the direction and scope of the security process and provide detailed instructions for its conduct
security education, training, and awareness
SETA
Plume
smoke produced by laser or electrocautery that has been shown to contain biological material
Subordinate Plan Classification
subordinate plans take into account the identification of, reaction to, and recovery from each attack scenario.
Jersey walls
tee-shaped walls usually made of concrete to prevent vehicles from passing
Environmental Services
the ancillary department charged with cleaning the surgery department
Incident response (IR)
the set of activities taken to plan for, detect, and correct the impact of an incident on information assets.
ISO 27000 Series
________ give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization.
Security Area Working Group
________ acts as an advisory board for the protocols and areas developed within the Internet Engineering Task Force (IETF) security architecture
Technical controls
________ are the tactical and technical components put in place to protect an organization's information assets, including the design and implementation of those components
Security Perimeter
________ defines the boundary between the outer limit of an organization's security and the beginning of the outside world.
Spheres of Security
________ illustrate how information is under attack from a variety of sources.