Exam 1 C.Security_Part 1


Vulnerability:

A flaw or weakness in an asset's design, implementation, or operation and management that could be exploited by some threat

Threat

A potential for a threat source to exploit a vulnerability in some asset, which if it occurs may compromise the security of the asset and cause harm to the asset's owner

IT SECURITY MANAGEMENT

A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability. IT security management functions include:
• Determining organizational IT security objectives, strategies, and policies
• Determining organizational IT security requirements
• Identifying and analyzing security threats to IT assets within the organization
• Identifying and analyzing risks
• Specifying appropriate safeguards
• Monitoring the implementation and operation of safeguards that are necessary in order to cost-effectively protect the information and services within the organization
• Developing and implementing a security awareness program
• Detecting and reacting to incidents

Computer Security Strategy comprises

Security Policy, Implementation, Evaluation and Assurance

Security Training - Benefits to Organizations

Security awareness, training, and education programs provide four major benefits to organizations:
• Improving employee behavior
• Increasing employee accountability
• Mitigating liability for employee behavior
• Complying with regulations and contractual obligations

Risk Assessment Steps

Step 1: Prepare for Assessment
Step 2: Conduct Risk Analysis
Step 3: Communicate Results
Step 4: Maintain Assessment
Formal risk analysis approaches, as documented by different standards organizations, agree on the overall process used. The illustration depicts a typical process used for risk assessment. The approach is also mandated by government organizations and their business associates.

Control Classes

• Supportive controls: Pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls
• Preventative controls: Focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability
• Detection and recovery controls: Focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability, and by providing means to restore the resulting lost computing resources

Termination of Employment (important)

Termination security objectives:
• Ensure employees, contractors, and third-party users exit the organization or change employment in an orderly manner.
• Ensure the return of all equipment and the removal of all access rights are completed.
Critical actions:
• Remove name from all authorized access lists.
• Inform guards that ex-employee general access is not allowed.
• Remove personal access codes, change physical locks and lock combinations, reprogram access card systems.
• Recover all assets, including employee ID, portable USB storage devices, documents, and equipment.
• Notify appropriate departments by memo or e-mail.

Documenting Incidents

- Should immediately follow a response to an incident:
- Identify what vulnerability led to its occurrence.
- How this might be addressed to prevent the incident in the future.
- Details of the incident and the response taken.
- Impact on the organization's systems and their risk profile.

Security Education

- Most in-depth program
- Targeted at security professionals whose jobs require expertise in security
- Fits into the employee career development category
- Often provided by outside sources (college courses and specialized training programs)

Challenges of computer security

1. Computer security is not as simple as it might first appear to the novice
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features
3. Procedures used to provide particular services are often counterintuitive
4. Physical and logical placement needs to be determined
5. Security mechanisms typically involve more than a particular algorithm or protocol and also require that participants be in possession of some secret information, which raises questions about the creation, distribution, and protection of that secret information
6. Attackers only need to find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security
7. Security is still too often an afterthought to be incorporated into a system after the design is complete, rather than being an integral part of the design process
8. Security requires regular and constant monitoring
9. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs
10. Many users and even security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information

Cost Benefit Analysis

1. Should be conducted by management to identify controls that provide the greatest benefit to the organization given the available resources
2. May be qualitative or quantitative
3. Must show cost justified by reduction in risk
4. Should contrast the impact of implementing a control or not, and an estimation of cost
5. Management chooses the selection of controls
6. Considers whether it reduces risk too much or not enough, is too costly or appropriate
7. Fundamentally a business decision

Security Incidents (arrows down increase in level)

1. "Any action that threatens one or more of the classic security services of confidentiality, integrity, availability, accountability, authenticity, and reliability in a system"
2. Unauthorized access to a system:
• Accessing information not authorized to see.
• Passing information on to a person not authorized to see it.
• Attempting to circumvent the access mechanisms.
• Using another person's password and user id.
3. Unauthorized modification of information on the system:
• Attempting to corrupt information that may be of value.
• Attempting to modify information without authority.
• Processing information in an unauthorized manner.

Asset:

A system resource or capability of value to its owner that requires protection

Security Control

An action, device, procedure, or other measure that reduces risk by eliminating or preventing a security violation, by minimizing the harm it can cause, or by discovering and reporting it to enable corrective action.

An Attack Tree

An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities. The security incident that is the goal of the attack is represented as the root node of the tree, and the ways that an attacker could reach that goal are iteratively and incrementally represented as branches and subnodes of the tree. Each subnode defines a subgoal, and each subgoal may have its own set of further subgoals, etc. The final nodes on the paths outward from the root, i.e., the leaf nodes, represent different ways to initiate an attack. The attack tree can guide both the design of systems and applications, and the choice and strength of countermeasures.

Asset Identification

An asset is "anything that needs to be protected because it has value to the organization and contributes to the successful attainment of the organization's objectives." Draw on the expertise of people in relevant areas of the organization to identify key assets. Identify and interview such personnel.

System integrity

Assures that a system performs its intended functions in an unimpaired manner

Privacy

Assures that individuals control or influence what information may be collected and stored, and by whom

The scope that a hacker can use to break into a system is also called

Attack Surface

Active Attack

Attempts to alter system resources or affect their operation. Involves some modification of the data stream or the creation of a false stream. Four categories:
• Replay
• Masquerade
• Modification of messages
• Denial of service

Security Compliance

Audit process to review security processes. Goal is to verify compliance with the security plan. Uses internal or external personnel. Usually based on the use of checklists which verify:
• Suitable policies and plans were created
• A suitable selection of controls was chosen
• They are maintained and used correctly
Often part of a wider general audit.

You are in the process of implementing a backup server for a critical application. Which of the following security requirements are you trying to fulfill?

Availability

Suggested Policies

• Business use only
• Policy scope
• Content ownership
• Privacy
• Standard of conduct
• Reasonable personal use
• Unlawful activity prohibited
• Company rights
• Disciplinary action

Center for Internet Security (CIS)

CIS plays an important role in forming security policies and decisions by maintaining the CIS Controls and CIS Benchmarks, and by hosting the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Computer Security Incident Response Team (CSIRT)

CSIRTs are responsible for:
• Rapidly detecting incidents
• Minimizing loss and destruction
• Mitigating the weaknesses that were exploited
• Restoring computing services

Awareness Program Models

Centralized, Partially Centralized, Decentralized (review slide 15, Lec3)

Attack Surfaces

Consist of the reachable and exploitable vulnerabilities in a system. Attack surface analysis is a useful technique for assessing the scale and severity of threats to a system. A systematic analysis of points of vulnerability makes developers and security analysts aware of where security mechanisms are required. Once an attack surface is defined, designers may be able to find ways to make the surface smaller, thus making the task of the adversary more difficult. The attack surface also provides guidance on setting priorities for testing, strengthening security measures, or modifying the service or application.

Security Training

Designed to teach people the skills to perform their IT-related tasks more securely: what people should do and how they should do it.
• General users: Focus is on good computer security practices.
• Programmers, developers, system maintainers: Develop a security mindset in the developer.
• Management level: How to make tradeoffs involving security risks, costs, benefits.
• Executive level: Risk management goals, measurement, leadership.

Human Factors

Employee behavior is a critical concern in ensuring the security of computer systems and information assets. Principal problems associated with employee behavior are:
• Errors and omissions
• Fraud
• Actions by disgruntled employees

Attempt to prevent people from being able to see information is

Encapsulation (data hiding)

Data confidentiality

Ensure that confidential information is not disclosed to unauthorized persons

Availability

Ensuring that the systems run reliably and that authorized users are not denied any service

Analyze Existing Controls

Existing controls used to attempt to minimize threats need to be identified. Security controls include:
• Management
• Operational
• Technical processes and procedures
Use checklists of existing controls and interview key organizational staff to solicit information.

Which is a type of biometric authentication for identifying a person who is to access confidential data?

Fingerprint. Think of "biometric" as having a biology root: something made up of a part of the body.

International Organization for Standardization (ISO)

ISO is a nongovernmental organization whose work results in international agreements that are published as International Standards

Security management model

The ISO model process for managing information security comprises the following steps:
• Plan: Establish security policy, objectives, processes and procedures; perform risk assessment; develop a risk treatment plan with appropriate selection of controls or acceptance of risk.
• Do: Implement the risk treatment plan.
• Check: Monitor and maintain the risk treatment plan.
• Act: Maintain and improve the information security risk management process in response to incidents, review, or identified changes.

Security Learning Evolution

Starts with Awareness > Training > Education; the higher the level, the more advanced the learning. Standards recognize that the learning objectives for an employee with respect to security depend on the employee's role. There is a need for a continuum of learning programs that starts with awareness, builds to training, and evolves into education. Beginning at the bottom of the model, all employees need an awareness of the importance of security and a general understanding of policies, procedures, and restrictions. Training, represented by the two middle layers, is required for individuals who will be using IT systems and data and therefore need more detailed knowledge of IT security threats, vulnerabilities, and safeguards. The top layer applies primarily to individuals who have a specific role centered on IT systems, such as programmers, those involved in maintaining and managing IS assets, and those involved in IT security.

Goals of Security Awareness Program

Goal 1: Raise staff awareness of information technology security issues in general.
Goal 2: Ensure that staff are aware of local, state, and federal laws and regulations governing confidentiality and security.
Goal 3: Explain organizational security policies and procedures.
Goal 4: Ensure that staff understand that security is a team effort and that each person has an important role to play in meeting security goals and objectives.
Goal 5: Train staff to meet the specific security responsibilities of their positions.
Goal 6: Inform staff that security activities will be monitored.
Goal 7: Remind staff that breaches in security carry consequences.
Goal 8: Assure staff that reporting of potential and realized security breakdowns and vulnerabilities is responsible and necessary behavior.
Goal 9: Communicate to staff that the goal of creating a trusted system is achievable.
(Simply put: reach out to everyone.)

Triage Function

Goal: Ensure that all information destined for the incident handling service is channeled through a single focal point. Commonly achieved by advertising the triage function as the single point of contact for the whole incident handling service. Responds to incoming information by:
• Requesting additional information in order to categorize the incident.
• Notifying the various parts of the enterprise or constituency about the vulnerability and sharing information about how to fix or mitigate the vulnerability.
• Identifying the incident as either new or part of an ongoing incident and passing this information on to the incident handling response function.

Integrity

Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity

Security Plan Implementation

IT security plan documents:
• What needs to be done for each selected control.
• Personnel responsible.
• Resources and time frame.
Identified personnel:
• Implement new or enhanced controls.
• May need system configuration changes, upgrades, or new system installation.
• May also involve development of new or extended procedures.
• Need to be encouraged and monitored by management.
When implementation is completed, management authorizes the system for operational use.

The primary objective of a risk management strategy is to

Identify credible risks and reduce them to an acceptable level.

Vulnerability Identification

• Identify exploitable flaws or weaknesses in the organization's IT systems or processes
• Determines applicability and significance of the threat to the organization
• Need a combination of threat and vulnerability to create a risk to an asset
• Outcome should be a list of threats and vulnerabilities with brief descriptions of how and why they might occur

NIST Cyber Security Framework Components

• Identify (ID): Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities, to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
• Protect (PR): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
• Detect (DE): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.
• Respond (RS): "" The Respond Function supports the ability to contain the impact of a potential cybersecurity event.
• Recover (RC): Maintain resilience and restore any capabilities or services that were impaired due to a cybersecurity event. The function supports timely recovery to normal operations to reduce the impact from a cybersecurity event.

Establishing the Context

Initial step: Determine the basic parameters of the risk assessment.
• Identify the assets to be examined
• Explore the political and social environment in which the organization operates: legal and regulatory constraints
• Provide a baseline for the organization's risk exposure
• Risk appetite: The level of risk the organization views as acceptable

makes sure that data is not changed when it is not supposed to be

Integrity

Economy of mechanism:

Keep the design of hardware and software security measures as simple and small as possible.
• Simple design is easier to test and verify thoroughly
• Complex design could lead to vulnerabilities.

Levels of security breach impact

• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

Comparative Framework

MUST REVIEW SLIDE 9, LECTURE 3. Will for sure be on the exam and high chance on the quiz. Pg. 554 in the book, Slide 9 in Lec3.

Organizational Context and Security Policy

• Maintained and updated regularly, using periodic security reviews
• Reflect changing technical/risk environments
• Examine the role and importance of IT systems in the organization
First examine the organization's IT security:
• Objectives: wanted IT security outcomes
• Strategies: how to meet objectives
• Policies: identify what needs to be done

Information Security Continuous Monitoring (ISCM) (slide 23)

Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Maintaining an up-to-date view of information security risks across an organization is a complex, multifaceted undertaking.
• Tier 1 (Top Layer): Risk management activities address high-level information security governance policy as it relates to risk to the organization as a whole, to its core missions, and to its business functions.
• Tier 2 (Middle Layer): Criteria for continuous monitoring of information security are defined by how core mission/business processes are prioritized. Controls in the Program Management (PM) family are an example of Tier 2 security controls.
• Tier 3 (Bottom Layer): Addresses risk management from an information system perspective. These activities include ensuring that all system-level security controls (technical, operational, and management controls) are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time. ISCM activities at Tier 3 also include assessing and monitoring hybrid and common controls implemented at the system level. Security status reporting at this tier often includes, but is not limited to, security alerts, security incidents, and identified threat activities.

Control Classifications

• Management controls: Focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization's mission. These controls refer to issues that management needs to address.
• Operational controls: Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies. These controls relate to mechanisms and procedures that are primarily implemented by people rather than systems. They are used to improve the security of a system or group of systems.
• Technical controls: Involve the correct use of hardware and software security capabilities in systems. These range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions.

Computer security:

Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.

Maintenance

Need continued maintenance and monitoring of implemented controls to ensure continued correct functioning and appropriateness. Goal is to ensure controls perform as intended.

Attack Surface Categories

• Network Attack Surface: Vulnerabilities over an enterprise network, wide area network, or the Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks.
• Software Attack Surface: Vulnerabilities in application, utility, or operating system code. Particular focus is Web server software.
• Human Attack Surface: Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.

During Employment

Objectives with respect to current employees:
• Ensure that employees, contractors, and third-party users are aware of information security threats and concerns and their responsibilities and liabilities with regard to information security.
• Ensure they are equipped to support the organizational security policy in their work.
• Reduce the risk of human error.
Two essential elements of personnel security during employment are:
• A comprehensive security policy document.
• An ongoing awareness and training program.
Security principles:
• Least privilege.
• Separation of duties.
• Limited reliance on key employees.

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

IT Security Plan

Provides details of: What will be done, What resources are needed, Who is responsible.
The goal is to detail the actions needed to improve the identified deficiencies in the risk profile. Should include:
• Risks, recommended controls, action priority
• Selected controls, resources needed
• Responsible personnel, implementation dates
• Maintenance requirements

Detailed Security Risk Analysis

Provides the most accurate evaluation of an organization's IT system's security risks. Highest cost. Initially focused on addressing defense security concerns. Often mandated by government organizations and associated businesses.

Requirements Discovery Process

Question 1: What assets need to be protected? (Knowing about your crown jewels to protect)
Question 2: How are those assets threatened? (Knowing about your weaknesses and about your enemy)
Question 3: What can be done to counter those threats? (Planning and implementing security)
• Ensures that critical assets are sufficiently protected in a cost-effective manner
• Security risk assessment is needed for each asset in the organization that requires protection
• Provides the information necessary to decide what management, operational, and technical controls are needed to reduce the risks identified

Describes the probability that a threat to an IT system can materialize

Risk

Risk Treatment Alternatives

• Risk acceptance: Choosing to accept a risk level greater than normal for business reasons
• Risk avoidance: Not proceeding with the activity or system that creates this risk
• Risk transfer: Sharing responsibility for the risk with a third party
• Reduce consequence: Modifying the structure or use of the assets at risk to reduce the impact on the organization should the risk occur
• Reduce likelihood: Implement suitable controls to lower the chance of the vulnerability being exploited

Considering a critical security risk, an organization decided to discontinue a new feature in its social media platform online. This is an example of

Risk avoidance

Implementation Follow Up

Security management is a cyclic process: constantly repeated to respond to changes in the IT systems and the risk environment. Need to monitor implemented controls. Evaluate changes for security implications (otherwise the chance of a security breach increases). Includes a number of aspects:
1. Maintenance of security controls.
2. Security compliance checking.
3. Change and configuration management.
4. Incident handling.

Awareness

Seeks to inform and focus an employee's attention on security issues within the organization:
• Aware of their responsibilities for maintaining security and the restrictions on their actions.
• Users understand the importance of security for the well-being of the organization.
• Promote enthusiasm and management buy-in.
• Program must be tailored to the needs of the organization and target audience.
• Must continually promote the security message to employees in a variety of ways.
• Should provide a security awareness policy document to all employees.

Analyze Risks

Specify likelihood of occurrence of each identified threat to asset given existing controls. Specify consequence should threat occur. Derive overall risk rating for each threat (Risk = probability threat occurs x cost to organization) Hard to determine accurate probabilities and realistic cost consequences. Hence, many organizations opt to perform qualitative risk assessments based on assessing the risk impact/risk factor of identified threats and vulnerabilities to an organization.

Security Standards Organizations

Standards have been developed to cover management practices and the overall architecture of security mechanisms and services. The standards are usually set by a professional organization, institution, government, etc., and are agreed upon by the knowledgeable representatives of that community.

Risk

The potential for loss computed as the combination of the likelihood that a given threat exploits some vulnerability to an asset, and the magnitude of harmful consequence that results to the asset's owner

Authenticity

The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.

Accountability

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.

Threat consequences

• Unauthorized disclosure: threat to confidentiality. Exposure (release data), interception, inference, intrusion
• Deception: threat to integrity. Masquerade, falsification (alter data), repudiation
• Disruption: threat to integrity and availability. Incapacitation (destruction), corruption (backdoor logic), obstruction (interfere with communication, overload a line)
• Usurpation: threat to integrity. Misappropriation (theft of service), misuse (hacker gaining unauthorized access)

Which of the following is Acceptable use as per the University Information Security and Acceptable Use Policy?

Using University provided email accounts for conducting University business

Events vs Incidents

VERY IMPORTANT:
• Event - Any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.
• Incident - A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents are:
• An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
• Users are tricked into opening a "quarterly report" sent via email that is malware; running the tool has infected their computers and established connections with an external host.
• An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.
• A user provides or exposes sensitive information to others through peer-to-peer file sharing services.

Fail-safe default:

access decisions should be based on permissions; i.e., the default situation is lack of access

Countermeasures

Any means taken to deal with a security attack. Ideally, a countermeasure can be devised to prevent a particular type of attack from succeeding. When prevention is not possible, or fails in some instance, the goal is to detect the attack and then recover from its effects. A countermeasure may itself introduce new vulnerabilities. In any case, residual vulnerabilities may remain after the imposition of countermeasures. Such vulnerabilities may be exploited by threat agents, representing a residual level of risk to the assets. It is imperative to seek to minimize the residual risk given other constraints.

Data integrity

assures that information and programs are changed only in a specified and authorized manner

An assault on system security that derives from an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system is a(n)

attack

Security Risk Assessment (Lec.2 Slide 13, Part 1 of Slide)

Critical component of the process. Ideally examine every organizational asset (not feasible in practice). Approaches to identifying and mitigating risks to an organization's IT infrastructure:
• Baseline
• Informal
• Detailed risk
• Combined

UTD Security Policy

https://policy.utdallas.edu/utdbp3096

Residual Risk

The risk that remains after the controls have been implemented towards mitigating the inherent risks. The reduction in level of risk can result from:
• The reduction in threat likelihood
• The reduction in magnitude of the impact

ISCM Process

review slide 24

A system admin reported that a critical server is missing a critical security-related operating system patch. What did the system admin report?

vulnerability

The Art of War

• "If you know the enemy and know yourself, you need not fear the result of a hundred battles.
• If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
• If you know neither the enemy nor yourself, you will succumb in every battle." ―Sun Tzu

Passive Attack

• Attempts to learn or make use of information from the system but does not affect system resources
• Eavesdropping on, or monitoring of, transmissions
• Goal of the attacker is to obtain information that is being transmitted
• Two types: Release of message contents; Traffic analysis

Vulnerabilities

• Corrupted (loss of integrity) • Leaky (loss of confidentiality) • Unavailable or very slow (loss of availability)

Evaluation of human threat sources should consider:

• Motivation • Capability • Resources • Probability of attack • Deterrence

Threat Sources

• Threats may be: natural ("acts of God") or man-made; accidental or deliberate • Any previous experience of attacks seen by the organization also needs to be considered

NIST Recommendations on Incident Response

• Create, support, and operate a formal incident response capability. • Reduce the frequency of incidents by effectively securing networks, systems, and applications. • Document organizational guidelines for interactions with other organizations regarding incidents. • Be generally prepared to handle any incident but focus on being prepared to handle incidents that use common attack vectors. • Emphasize the importance of incident detection and analysis throughout the organization. • Create written guidelines for prioritizing incidents. • Use the lessons learned from the incident response process to improve the handling of future incidents.

Information Systems Audit and Control Association (ISACA)

• Global organization for information governance, control, security and audit professionals. • Publishes IS auditing and IS control standards that are followed by practitioners worldwide.

Assets of a Computer System

• Hardware: Including computer systems and other data processing, data storage, and data communications devices. • Software: Including the operating system, system utilities, and applications. • Data: Including files and databases, as well as security-related data, such as password files. • Communication facilities and networks: Local and wide area network communication links, bridges, routers, and so on.

Detecting Incidents

• Incidents may be detected by users or administration staff (staff should be encouraged to report system malfunctions or anomalous behaviors) • Incidents may also be detected by automated tools: system integrity verification tools; log analysis tools; network and host intrusion detection systems (IDS); intrusion prevention systems.

Employment Practices and Policies

• Managing personnel with potential access is an essential part of information security • Employees may be involved in a violation by: unwittingly aiding in its commission by failing to follow proper procedures; forgetting security considerations; not realizing that they are creating a vulnerability; or knowingly violating controls or procedures.

Responding to Incidents (very important)

• Must have documented procedures to respond to incidents. Procedures should: 1. Detail how to identify the cause. 2. Describe the action taken to recover from the incident. 3. Identify typical categories of incidents and the approach taken to respond to them. 4. Identify the circumstances when security breaches should be reported to third parties such as the police or relevant CERT. 5. Identify management personnel responsible for making critical decisions and how to contact them.

National Institute of Standards and Technology (NIST)

• NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private sector innovation • Telecom networks and services

Security in the Hiring Process

• Objective: "To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities" • Need appropriate background checks and screening (investigate accuracy of details) • For highly sensitive positions: have an investigation agency do a background check (criminal record and credit check)

Email and Internet Use Policies

• Organizations are incorporating specific e-mail and Internet use policies into their security policy document • Concerns for employers: work time consumed in non-work-related activities; computer and communications resources may be consumed, compromising the mission that the IT resources are designed to support; risk of importing malware; possibility of harm, harassment, or inappropriate online conduct.

Incident Response Communications

• Organizations often need to communicate with outside parties regarding an incident, and they should do so whenever appropriate, such as contacting law enforcement, fielding media inquiries, and seeking external expertise. • Another example is discussing incidents with other involved parties, such as Internet service providers (ISPs), the vendor of vulnerable software, or other incident response teams. • Organizations may also proactively share relevant incident indicator information with peers to improve detection and analysis of incidents. • The incident response team should discuss information sharing with the organization's public affairs office, legal department, and management before an incident occurs to establish policies and procedures regarding information sharing.

Security Incident Response

• Response procedures to incidents are an essential control for most organizations: • Procedures need to reflect possible consequences of an incident on the organization and allow for a suitable response. • Developing procedures in advance can help avoid panic. • Benefits of having an incident response capability: systematic incident response; quicker recovery to minimize loss, theft, or disruption of service; use of information gained during incident handling to better prepare for future incidents; dealing properly with legal issues that may arise during incidents.

Incident Response Life Cycle

• The phases of the incident response process include preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. • Once an incident is opened, it transitions through a number of states, with all the information relating to the incident (its change of state and associated actions) recorded, until no further action is required from the team's perspective and the incident is finally closed.
