1. Sec and Risk Management / 2. Assets Flashcards
military classification
unclassified, confidential, secret, top secret
commercial classification
public, sensitive, confidential/private
policy components
procedures, guidelines, baselines, standards, policies
STRIDE
threat categorization scheme focused on application threats
spoofing, tampering, repudiation, information disclosure, DoS, elevation of privilege
DREAD
threat rating system used for threat prioritization
damage potential, reproducibility, exploitability, affected users, discoverability
security management planning
strategic: long-term goals, missions
tactical: midterm, how to accomplish goals?
operational: short-term, highly detailed
quantitative risk analysis
Assign Asset Value AV
Calculate Exposure Factor EF
Calculate Single Loss Expectancy SLE = AV × EF
Assess annualized rate of occurrence ARO
Derive annualized loss expectancy ALE = SLE × ARO
Perform cost/benefit analysis of countermeasures: ALE1 − ALE2 − ACS (ACS = annual cost of safeguard)
qualitative risk analysis
brainstorming, Delphi, surveys, checklists, interviews, meetings
delphi technique
anonymous feedback-and-response process to reach an anonymous consensus. Gives honest and uninfluenced responses. Repeated until consensus is reached.
risk assignment
assigning or transferring risk
insurance or outsourcing (SLA)
risk acceptance
management has agreed to accept the consequences because of negative cost/benefit analysis of possible safeguards
risk
threats × vulnerabilities × asset value = total risk (combination)
residual risk
total risk − controls gap = residual risk
types of controls I
technical: hardware, software
administrative: policies, procedures
physical
types of controls II
deterrent: appeals to human decision not to….
preventive: blocks the action
detective: discovers after occurrence
corrective: corrects problems (reboot, restore)
recovery: advanced correction: imaging, clustering…
directive: direct control of actions to force compliance (escape route signs, posted notifications)
Risk Management Framework
RMF
- categorize
- select
- implement
- assess
- authorize
- monitor
BCP steps
- project scope, planning
- business impact analysis
- continuity planning
- approval, implementation
BCP step 1
project scope and planning
- business organization analysis builds foundation for BCP team selection
- BCP team selection (representatives from each operational and support department)
- face legal and regulatory requirements (due diligence, regulations, obligations to clients)
- resource requirements (personnel, time)
BCP step 2
business impact analysis BIA
- identify priorities (threats and their relevance, MTD Maximum Tolerable Downtime, MTO Maximum Tolerable Outage, RTO Recovery Time Objective)
- risk identification
- likelihood assessment (ARO)
- impact assessment (EF, SLE, ALE)
- resource prioritization (to identified risks)
BCP step 3
continuity planning
- strategy development (which risks will be addressed? in accordance with the prioritization from step 2 and MTD)
- provisions and processes (people first!)
BCP step 4
approval and implementation
- approval by senior management
- training, education
- BCP documentation (written record for everyone affected)
What is included in BCP documentation?
goals, statement of importance, statement of priorities and responsibility, risk acceptance/mitigation, emergency response guidelines, maintenance, testing
law
common law:
criminal: murder, robbery
civil: business
administrative: government agencies
copyright
books, poems, songs
70 years after death
work for hire:
95 years after date of publication
120 years after date of creation
trademarks
names, slogans, logos
TM without registration
R after registration
patent
inventions
20 years from request
trade secret
protects operating secrets
no registration
adequate controls, NDA required
software licensing
UCITA
- contractual license: written contract
- shrink-wrap: on software package
- click-through
- cloud service license agreement: online click-through
Computer Fraud and Abuse Act 1987
protects computer used by government or in interstate commerce
Computer Security Act 1987
- NIST is responsible for securing government systems
- NSA is responsible for securing classified systems
- NIST is responsible for developing standards
- requires security plans by all operators of federal computer systems
- requires training for all people involved in management and use of federal computers
DMCA Digital Millennium Copyright Act
- limits the liability of ISPs for the activities of their users
- copyright protecting mechanisms placed in digital media
- up to $1 million fine or up to 10 years imprisonment for repeat offenders
- in compliance with WIPO
export restrictions
Wassenaar Arrangement
India, Pakistan, Afghanistan, Cuba, North Korea, Sudan, Syria
privacy in US constitutions
4th amendment
Health Information Technology for Economic and Clinical Health Act 2009
HITECH
- updates HIPAA
- protected health information (PHI) processed by other firms is covered by HIPAA
- data breaches must be notified to individuals, Secretary of Health and media
Safe Harbour
- directive to protect personal data processed by information systems
- organizations outside EU must apply these rules
- department of commerce certifies businesses and offers them “safe harbour”
notice: inform individuals about purpose of collecting data
choice: opt-out
onward transfer: transfer only to compliant organizations
data integrity: data may be used only for the purpose declared beforehand
access: individuals have the right to correct or delete data if inaccurate
enforcement: implement mechanisms to ensure compliance with the principles above
PCI-DSS
self regulated
compliant with Sarbanes-Oxley
PII
personally identifiable information
PHI
protected health information
managing sensitive data
- labeling (identifies classification)
- handling (secure transportation)
- storing (encryption, loss prevention, physical)
- destroying
destroying sensitive data
- erasing: delete operation; data remains on the drive
- clearing: overwriting
- purging: more intensive clearing
- declassification: reuse in an unclassified environment
- sanitization: remove all data; purge or destroy media
- degaussing: magnetic field
- destruction: crushing, shredding, acid
data owner
senior management
identifies classification, ensures labeling, ensures security controls based on classification, decides privileges and access rights
system owner
often same as data owner
responsible for system security and system labeling
business/mission owner
own processes managed by IT
cost/profit oriented
data processors
processes data on behalf of the owner
administrators
assign permissions based on need to know
custodians
day to day routines, backup, storing
Baselines
provide minimum security standard
listing of basic controls
imaging
Scoping/Tailoring Baselines
Scoping: select only the baselines that meet requirements
Tailoring: modify baselines so that they align with the mission of an organization
Policies, Standards, Guidelines, Procedures
PSGP
Policy: overview of an organization's security needs
Standard: tactical documents that define methods to accomplish the goals and overall direction defined by the security policy
Guideline: recommendations on how standards and baselines are implemented. operational guide
Procedures: step-by-step how-to document to implement a specific security mechanism
Baseline
Minimum level of security that every system must meet
Vulnerability
The weakness in an asset + the absence of a safeguard
Threat
Any potential occurrence that could cause damage, disclosure or loss
Breach
Security mechanism being bypassed by a threat agent
third party governance
mandated by law, regulation, industry standard, licensing requirements
exigent circumstance doctrine
exception to the search warrant requirement because destruction of evidence is imminent
Tort law
civil law
downstream liabilities
liability for intrusion and theft of data from customers or business partners
remanence
residual magnetization
due care
due diligence
negligence
due care is informal
due diligence follows a process
negligence is the opposite
attestation
the security practices of a service provider are reviewed by a third party and finally attested
compartmentalization
technical method for enforcing need to know
SSD erase
ATA Secure Erase or destruction
garbage collection by TRIM does not reliably destroy data
SRAM
DRAM
SRAM: fast, flipflop, expensive
DRAM: capacitors, slow, cheap