Risk management Flashcards
CIA triad
Security goals: confidentiality, integrity (permissions) and availability + Auditing & Accountability, Non-Repudiation (user cannot deny communication).
Risk
Threats x Vulnerabilities = Risk (NIST SP 800-30)
Threat Actors
(Internal/External):
Script kiddies - amateur
Hacktivist - intent & motivation
Organized crime
Nation states / advanced persistent threat (APT)
Insiders
Competitors
Risk Assessment
List of assets->value->vulnerabilities
cve.mitre.org - common vulnerabilities database
Nessus (vulnerability assessment tool), penetration testing
Threat Types
Adversarial
Accidental
Structural
Environmental
Risk Response
Mitigation
Risk transference
Risk acceptance
Risk avoidance
Frameworks
NIST Risk Management Framework 800-37
ISACA Risk IT Infrastructure
Guides for Risk Assessment
Benchmarks
Thresholds
Secure configurations
Network infrastructure devices - info by Cisco, etc.
General purpose guides
Security Controls
(Protect IT infrastructure and remediate problems)
Administrative Control
Technical Control
Physical Control
Security Control Functions
Deterrent, Preventative, Detective, Corrective, Compensating
Security Control Examples
Mandatory vacation, job rotation, multi-person control, separation of duties (administrative). Principle of least privilege.
Sources of Security Controls
- Laws and regulations - for ex. HIPAA
- Standards (government and industry, PCI-DSS - for credit cards)
- Best Practices
- Common Sense
Security Controls
- Policies
- Organizational Standards - higher level of detail than policies
- Procedures - how to
- Guidelines (optional)
Security Policies
Acceptable Use Policy - what a person can and cannot do on company assets
Data Sensitivity and Classification - confidential, etc.
Access Control Policies - who can access what data, and how
Password policy
Care and Use of Equipment
Privacy Policies - in house or customers
Personnel policy
Framework
regulatory, non-regulatory, national standards, international standards, industry-specific. (NIST SP800-37 - regulatory, ISACA IT Infrastructure - non-regulatory, ISO 27000 - international)
NIST: Categorize Systems -> Select Security Controls -> Implement Security Controls -> Assess Security Controls (Sandbox) -> Authorize Information Systems -> Monitor Security Controls
Quantitative Risk Calculations
Exposure factor - percentage of an asset that is lost as a result of an incident
Asset Value x Exposure Factor = Single Loss Expectancy (SLE)
ARO - annualized rate of occurrence
SLE x ARO = ALE - annualized loss expectancy
MTTR - mean time to repair
MTTF - mean time to failure
MTBF - mean time between failures = MTTR + MTTF
Business Impact Analysis
Determine mission process
Identify critical systems
Single point of failure - avoid with redundancy, backups
Identify resource requirements
Identify recovery priorities
Business Impact
Finance - credit, cash flows and accounts receivable
Property
People - safety and life
Reputation
Privacy Impact Assessment (PIA) - what would the impact be in case of a problem
Privacy Threshold Assessment (PTA) - how we store, consume and transmit the data
RTO - recovery time objective: minimal time to repair a system; the maximum time the system can be down without substantial impact
RPO - recovery point objective: the maximum amount of data that can be lost without substantial impact
Data Types
Public - no restrictions
Confidential - Limited to authorized party
Private - personally identifiable information (PII), etc.
Proprietary - private at corporate level - proprietary information
Protected Health Information - PHI
Data Roles
Owner - has legal responsibility
Steward/custodian - maintains the accuracy and integrity of data
Privacy Officer - ensures that data adheres to policies
Data Users:
Users - standard amount of permissions
Privileged Users - increased access and control for a user (most of the time cannot delete all of the data).
Executive Users - make strategic decisions; verify backups are being done, etc.
System Administrator - complete control of system and data. In charge of day-to-day manipulation.
Data owner/System owner - have legal ownership of dataset or system.
Security Training
Onboarding (background check, non-disclosure agreement NDA, Standard operating procedures, rules of behavior, general security policies).
Offboarding (disable accounts, return credentials, exit interview, knowledge transfer)
PII
PII - personally identifiable information - NIST 800-122
full name, home address, email address, NI number, passport, license plate, digital identity, date of birth, driver's license number, face, fingerprint, credit card
Role Based Controls
Personnel Management Controls - mandatory vacations, 2 weeks. Job rotation. Separation of Duties.
Role-based Data Controls:
System Owner
System Administrator
Data Owner - defines access
User - accesses and uses data, monitors and reports security breaches
Privileged user - has special access
Executive user - read-only access
Third Party Agreements
BPA - business partnership agreement (primary entities, time frame, financial issues, management)
SLA - service level agreement, service provided, minimum up-time, response time and contacts, start and end date
ISA - interconnection security agreement - statement of requirements, system security considerations, topological drawing, Signature authority (time frame for interconnection and scheduling for reviews). Technical document.
MOU/ MOA - Memorandum of Understanding/Agreement - purpose of interconnection, authorities, responsibilities of both organizations, terms of the agreement, termination/reauthorisation.