CISSP terminology Flashcards

1
Q

Availability terms:

MTD
RPO
RTO

A

Maximum Tolerable Downtime
Recovery Point Objective
Recovery Time Objective

2
Q

Disaster vs Catastrophe?

A

todo check handerhan video

3
Q

IAAAA

A

Identification: User should be uniquely identified
Authentication: Validation of an entity’s identity claim
Authorization: Confirms that an authenticated entity has the privileges and permissions necessary
Auditing: Any activity in the application/system should be audited (identify technical issues/breaches)
Accountability: Tracing an action to a subject

4
Q

Strategic vs Tactical?

A

Strategic - Longer (5 years)

Tactical - Mid/Short (6 months to 1 year)

Operational - Shortest (Days to weeks)

5
Q

US Government data classifications

A

Top Secret (Classified - grave damage to national security if disclosed)
Secret (Classified - critical/serious damage to national security if disclosed)
Confidential (Classified - serious/actual damage to national security if disclosed)
Sensitive But Unclassified
For Official Use Only
Unclassified

Note: for CISSP, sensitive typically means “neither public nor unclassified”

6
Q

Security Roles

A
  1. Senior Manager - Management (Ultimately responsible)
  2. Security Professional - Information Security team
  3. Data Owner - Classifies the data
  4. Data Custodian - Takes care of day to day activity (performing backups)
  5. User - End user
  6. Auditor - Responsible for reviewing the data
7
Q

STRIDE

A

S - Spoofing (authentication)
T - Tampering (integrity)
R - Repudiation (digital signatures)
I - Information Disclosure (encryption/confidentiality)
D - Denial of Service (availability, fault tolerance/redundancy)
E - Escalation of privilege (authorisation)

8
Q

DREAD

A

D - Damage potential (How severe the damage is likely to be if the threat is realized)
R - Reproducibility (How complicated it is for the attacker to reproduce the exploit)
E - Exploitability (How hard it is to perform the attack)
A - Affected users (How many users are likely to be affected)
D - Discoverability (How hard it is for an attacker to discover the weakness)

9
Q

Asset, Threat, Vulnerability, Exploit, Control

A

Asset Valuation - Value of an asset
Risk: Likelihood that a threat will exploit a vulnerability in an asset.
Threat: Has the potential to harm an asset.
Vulnerability: A weakness; a lack of safeguard
Exploit: Instance of compromise
Controls: Protective mechanisms to secure vulnerabilities
• Safeguards: Proactive
• Countermeasure: Reactive mechanism

10
Q

AV, EF, SLE, ARO, ALE?

A
AV = asset value
EF = exposure factor = proportion of asset value lost in single event

SLE = AV * EF = single loss expectancy (expected loss from single event)

ARO = annualised rate of occurrence

ALE = SLE * ARO = annualised loss expectancy (expected loss each year)

11
Q

Risk treatments

A
M - Mitigate (Reduce likelihood and/or impact)
A - Accept
A - Avoid
T - Transfer/Assign
D - Deter

R - Reject (not a real option)

12
Q

Categories of law

A
  1. Criminal law: Law enforcement is involved (murder) - reasonable doubt
  2. Civil law: Designed to provide an orderly society and govern matters which are not criminal {United States Code} (lawsuits, defamation cases) - preponderance of evidence
  3. Administrative law: Covers topics such as procedures to be used within a federal agency - balance of evidence ?
13
Q

Goals of cryptography

A

P - Privacy (Confidentiality)
A - Authentication
I - Integrity

N - Non-Repudiation - depends on Authentication and Integrity

Integrity depends on Authentication and vv? check Handerhan video

14
Q

Zero Knowledge proof (eg for authentication)

A

Proof of knowledge without sharing that knowledge, eg challenge-response

15
Q

Stream vs Block ciphers

A

Stream: RC-4 on exam; also Salsa/ChaCha (DJB)
Block: generally more secure than stream but typically slower?

AES, RC-2, RC-5/6, DES/3DES, Blowfish, IDEA (PGP) are all block based

16
Q

Hybrid cryptography

A

Encrypt the message with a symmetric algorithm (faster) and then encrypt the symmetric key using asymmetric crypto (public key).

Used in eg SSL/TLS and PGP

17
Q

Security by Design

A
  • Principle of Least Privilege: Access to the system should always be limited based on least privilege.
  • Separation of Duties: Ensuring no single person should be able to complete a critical task alone.
  • Trust but verify: It’s totally okay to trust your users but always ensure to verify just to avoid any unauthorized impact on CIA.
  • Principle of Defense in Depth: Never rely on one security control. Always implement layered security.
  • Fail Securely: There could be several reasons the system would fail. However, when it fails, do not let any user/process gain more privileges.
  • Secure defaults: Establishing secure defaults means there should be strong security rules for how user registrations are handled, how often passwords must be updated, how complex passwords should be and so on.
  • Privacy by design: It’s equally important to consider privacy at the design phase. Considering the system will be subject to processing PII data, it’s important to design the controls to protect it.
  • Keep it simple: The more complex the design of the system, the more difficult it will be to protect.
  • Minimize attack surface: Always perform the threat model to know your potential threats.
  • Asset classification: It’s important to know what to protect. Without classification, controls cannot be implemented.

18
Q

Security model composition theories

A

Composition Theories:

  1. Cascading: Output of System A is input of System B
  2. Feedback: Output of System A is input of System B and vice versa
  3. Hookup: Output of System A is input of System B and other System C
19
Q

Security models

A

Bell-LaPadula (prevent leak to lower level)
BIBA (prevent corruption from lower level)
Clark Wilson (untrusted accesses trusted through constrained interfaces)
Brewer Nash (Chinese wall?)

20
Q

Bell-LaPadula and Biba rules

A
Simple = read related
Star/* = write related

Bell-LaPadula:

Simple: no read up
Star/*: no write down

Biba:

Simple: no read down
Star/*: no write up

Strong star/*: ???

21
Q

Security Evaluation Models

A

TCSEC “Orange book” - Trusted Computer System Evaluation Criteria
(Rainbow series, US Federal)

A / B1/2/3 / C1/2 / D

ITSEC - Information Technology Security Evaluation Criteria
(European alternative to TCSEC)

levels todo!!

Common Criteria ISO-15408

assurance levels EAL1..7
EAL4 is most common target - tested and reviewed but no formal methods

22
Q

Security Evaluation - certification vs accreditation

A

Certification: Technical Evaluation. Internal verification trusted by your (ie the supplier’s) internal organization.

Accreditation: Formal Acceptance by the management. Performed by third party and accepted by everyone.
*Exam tip: When

23
Q

Cloud computing key elements

A

Virtualisation
Elasticity
Resource pooling

Service provided by third party

24
Q

SCADA

A

Supervisory Control And Data Acquisition

Control system for Industrial Control System (ICS).

Stuxnet was a rootkit for SCADA systems

25
OWASP top 10
Code injection - mitigate with input validation (or proper escaping/encapsulation!)
Broken authentication / Session management
Sensitive data exposure - mitigate with encryption
XML external entities
Broken access control
Security misconfiguration
XSS Cross-site Scripting - input validation or proper escaping/encapsulation
Insecure deserialisation
Using known vulnerable components
Insufficient logging and monitoring
CSRF dropped off in 2017?
Others include: buffer overflow, race conditions, side-channel attacks, file based attacks
26
Primary responsibility of OS
To keep the computing environment stable and to maintain process isolation
27
TEMPEST
Faraday cage around system, plus white noise injected to mask signals
28
First and last lines of defence
Physical security is the first line of defence
People are the last line of defence
29
Physical boundary security
Fence
* 3-4 foot - casual trespass
* 6-7 foot - most intruders
* 8+ foot - determined intruders
Gate
Turnstile - prevents tailgating
Man trap - prevents piggybacking
Security guards - expensive, unreliable, can use judgement
Dogs - expensive, liability
30
OSI and TCP/IP models
todo - picture/table
31
Ping based attacks
Loki (covert channel)
Ping of death (oversized packet)
Ping flood
Smurf
These are layer 3 attacks using ICMP, whereas SYN flood (TCP) and Fraggle (UDP echo/chargen) are layer 4
Smurf and Fraggle are both reflection/amplification attacks
32
RBAC, DAC, MAC, RuBAC etc
todo
33
Firewall types
Packet Filter - layer 3(/4), src/dest IP address, port, protocol (TCP vs UDP)
Application level Proxy/Firewall - layer 7, inspects content of data stream, performance overhead
Stateful firewall - layer 3+4, tracks connection state and blocks unsolicited replies
Deep Packet Inspection - looks inside packets for specific threats
34
AIPA
Private IP ranges defined in RFC1918
10.x.x.x (Class A)
172.16.x.x-172.31.x.x (Class B)
192.168.x.x (Class C)
35
Protocol Data Units for each layer
todo
36
wifi standards
802.11 Family
1. 802.11a: 54 Mbps / 5 GHz / 8 channels
2. 802.11b: 11 Mbps / 2.4 GHz (same as home network)
3. 802.11g: 54 Mbps / 2.4 GHz
4. 802.11n: 200+ Mbps / 2.4 GHz or 5 GHz
5. 802.11ac: 1 Gbps / 5 GHz
b/g/n all same freq and backwards compatible
37
Bluetooth attacks
Blue Jacking --> Sending SPAM
Blue Snarfing --> Copies information from the remote device
Blue Bugging --> More serious. Allows full use of phone, make calls and can eavesdrop on calls.
38
wireless security
1. Wired Equivalent Protocol (WEP)
   a. Shared Authentication Passwords
   b. Weak Initialization vector (24 bits)
   c. IV transmitted in clear text
   d. RC4 (Stream Cipher)
   e. Easily crackable
   f. Only option for 802.11b
2. Wi-Fi Protected Access (WPA)
   a. Stronger IV
   b. Introduced Temporal Key Integrity Protocol (TKIP)
   c. Still uses RC4 (to make upgrade from WEP easier)
3. WPA2
   a. AES (Block Cipher)
   b. CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol)
   c. Not backward compatible
Uses 802.1X/EAP authentication to have individual passwords for individual users.
39
Dial up/WAN link authentication
PAP - Password Authentication Protocol - password sent in clear
CHAP - Challenge Handshake Authentication Protocol (also MS-CHAP, MS-CHAPv2)
EAP - Extensible Authentication Protocol - to support non-password authentication e.g. biometrics
EAP variations eg PEAP, LEAP
Protected EAP: EAP itself doesn’t provide any security, so PEAP encapsulates EAP in a TLS tunnel.
Lightweight EAP: Cisco proprietary but it was broken with the ASLEAP attack.
40
VPN protocols
PPP - Point-to-Point Protocol (still in use eg PPPoE) - no encryption
PPTP - Point-to-Point Tunnelling Protocol - no encryption
L2TP - Layer 2 Tunnelling Protocol - no encryption so often run over IPSec
IPSec - limited to IP protocols - run L2TP over IPSec to tunnel non-IP protocols
41
Authentication factor types
Type 1: Something you know (password, PIN)
Type 2: Something you have (smart card, token)
Type 3: Something you are (biometric)
Type 4: Somewhere you are (location, IP address?)
(Type 5: Something you do e.g. typing cadence, walking gait)
42
(Biometric/Behavioural) Authentication failure modes/rates
Type 1 error: False Rejection Rate (FRR)
Type 2 error: False Acceptance Rate (FAR)
Crossover error rate (CER): the meeting point of FAR and FRR
43
Identity Assurance Level
IAL 1: If any attributes are self-asserted or should be treated as self-asserted.
IAL 2: Either remote or in person identity proofing is required. It requires identity proofing to have been verified in person or remotely.
IAL 3: In person identity proofing is required. Identifying attributes must be verified by the authorized Credential Service Provider (CSP) representative through examination of physical documentation.
44
Kerberos
Todo
45
SSO protocols
SAML: Based on XML and is used to exchange authentication & authorization between federated organizations.
SPML: Based on XML, specifically designed for exchanging user information for federated identity single sign on purposes.
XACML: Extensible Access Control Markup Language is used to define access control policies within an XML format and commonly implements RBAC.
Others:
SESAME: Secure European System for Application in a Multivendor Environment, implemented to overcome the weaknesses of Kerberos. Superseded by a newer version of Kerberos.
KryptoKnight: Time based authentication system by IBM
OpenID and OAuth: OpenID is used for authentication and OAuth is used for authorization (though OAuth2 is also used for identity and authentication)
Typically SAML for enterprise, OAuth/OpenID for commercial and B2C - though starting to change.
46
AAA protocols
RADIUS: IP only, uses UDP. Encrypts only the password while communicating between RADIUS client & server. User ID and sessions are sent in clear text and vulnerable to replay attack.
TACACS+: Uses TCP. Encrypts everything. Supports IP and non-IP (eg AppleTalk, IPX/SPX)
Diameter (“twice as good as RADIUS”): Uses TCP on port 3868 (Stream Control Transmission Protocol, SCTP). Supports IPSec and TLS. EAP (“Diameter-EAP”) authentication. Not backward compatible.
47
Authorisation
Need to know: Access granted only to the data resources needed to perform a task. (Permission)
Least Privilege: Access granted only to the privileges necessary to perform an assigned task. (Security clearance)
Separation of Duties: No single person is allowed to perform an end-to-end critical task alone. (Preventive control) SoD is said to “prevent collusion” but really it “forces attackers to collude” (making an attack harder to do and easier to detect)
Constrained Interface: Access control on the interface. E.g. access to modify would be visible, however it would be greyed out if not authorized.
Content Dependent: Database views. Depends on the content of the object
Context Dependent: Requires specific activity before granting access. E.g. payment needs to be made before downloading online media.
Job rotation and mandatory vacation act as detective controls (as well as having skills transfer benefits)
48
Access Control Models
1. Discretionary Access Control: Owner, creator or custodian defines access to the objects. Uses an access control list (known as identity based access control)
2. Non-Discretionary Access Control: Centrally managed by administrators. (Hint: any model which is not DAC can be called Non-DAC)
3. Role Based Access Control: Access is defined based on the role in an organization and subjects are granted access based on their roles. Normally implemented in organizations with high employee turnover.
4. Rule Based Access Control: There is a set of rules, e.g. firewall. Global rules are applied to all users equally.
5. Mandatory Access Control (Lattice Based): Implemented in high security organizations such as the military. It is compartment based.
   a. Hierarchical - clearance of Top Secret gives access to Top Secret as well as Secret
   b. Compartmentalized - each domain represents a separate isolated compartment
   c. Hybrid - combination of both
6. Attribute Based Access Control: Rules that can include multiple attributes, e.g. working hours, place of work, type of connection etc.
49
Types of Phishing attack
Spear Phishing: When a specific person or group of users is targeted.
Whaling: When the target is a CXO or someone who belongs to higher management.
Vishing: Tricking a user over a voice call.
Smishing: When a phishing attempt is done via SMS.
50
Common ports
```
FTP – 21
SSH – 22
Telnet – 23
SMTP – 25
DNS – 53
HTTP – 80
POP3 – 110
NTP – 123
HTTPS – 443
MS SQL – 1433
Oracle – 1521
H.323 – 1720
PPTP – 1723
RDP – 3389
```
51
Forensics Investigation Process steps
Identification (of evidence)
Preservation (start chain of custody, forensic hashes)
Collection (work within knowledge, minimise handling, keep logs, accurate image, ensure repeatable, work fast starting with most volatile eg registers/cache/RAM, take photos, label evidence)
Examination (attack signatures, logs, recover hidden data)
Analysis (on bit-level working copy of image, also hashed and write-protected)
Presentation (of findings, eg expert testimony)
Decision
IPCEAPD - order is testable
52
5 rules of digital evidence
```
Authentic
Accurate
Complete
Convincing
Admissible
```
53
Forensic Hashes
```
Hash the original drive (take a bit-level copy of the drive)
Hash the copy (analyse the copy)
Hash the copy again
```
All 3 hashes must match
54
Fourth amendment protections against search/seizure unless...
Done by private citizens (not law enforcement), or
Subpoena
Search warrant
Consent
Exigent circumstances (e.g. about to be destroyed if not seized)
55
Evidence lifecycle
```
Identification and Collection
Analysis
Storage/Preservation, Transportation
Presentation
Return to owner
```
Must maintain integrity through the lifecycle
56
Evidence types
Direct Evidence - proves a fact by itself - information provided based on the 5 senses of a reliable witness
Real/Physical Evidence - the objects used in the crime
Best Evidence - original copy of a document eg a signed contract. Copies need to be demonstrated to match the original - typically using hashes
Secondary Evidence - supports other evidence; includes expert opinion
Corroborative - additional support to back up a claim
Circumstantial - proves one fact which can then be used to reasonably suggest another. Not enough on its own.
Hearsay - usually not admissible. Includes unauthenticated copies of documents
57
Enticement vs Entrapment
Enticement - tempting a potential criminal. Legal and ethical. Example: honeypot
Entrapment - tricking a person into a crime. Illegal and unethical. Example: providing a link to a site and then saying it is trespass to click on the link
58
Redundant site models
DR site - active/standby or active/active
Hot site - todo
Warm site - kit in place; hours/days to recover
Cold site - no kit in place, may not have connectivity; takes weeks/more to recover
59
Backup types
Full - everything, archive bit reset
Incremental - new/changed, archive bit reset. Recover from full + N increments
Differential - new/changed, archive bit not reset. Recover from full + 1 differential
Unscheduled/copy backups - as full but don’t reset archive bit (to avoid affecting next full/incremental/differential)
60
Backup media rotation
Grandfather-Father-Son
Tower of Hanoi: tape 1 used every other day, tape 2 every 4th day, tape 3 every 8th day, etc. N tapes allows 2^(N-1) backups before the last is recycled
61
Secure Development Principles
Reduce attack surface
Good enough security
Economy of mechanism
Psychological acceptability
Least privilege
Need to know
Separation of duties
Defence in depth
Layered defence
Complete mediation of flaws
Fail safe (vs fail secure)
Weakest link
Single point of failure
Redundancy
Threat modelling (STRIDE, data flow diagrams, use/mis-use cases, DREAD)
Controls evaluation (efficacy, economy/simplicity/performance, cost/benefit, user impacts/psychology)
62
Security flaw vs bug
Flaw is an inherent fault in the design (eg bad choice of algorithm, not doing input validation at all)
Bug is an implementation defect
Secure design is intended to avoid flaws, but bugs are still possible
63
Software Development Lifecycles
Waterfall
Prototyping
Spiral
Agile
64
Cloud security responsibilities
todo
65
Organisational Normative Framework (for secure software development)
```
Business Context
Regulatory Context
Technical Context
Specifications
Roles
Processes
Application Security Control library
```
ONF is for the whole org. Application Normative Framework for each application. (ISO 27034 - not testable)
66
Validation vs Verification
Verification - does it meet the spec/requirements? (and Certification that it has been verified)
Validation - are the requirements right? Does it solve the real-world problem? (Acceptability) (and Accreditation by customer - acceptance by management of the product to go into production)
67
Object oriented
On test - “modular and reusable” usually means object oriented is part of the answer
68
Database design and security
Hierarchical (eg Active Directory, DNS)
Relational
Distributed (eg DNS)
Threats:
Aggregation & Inference: Polyinstantiation - give alternate description of same fact depending on security clearance (eg ship destination is “training exercise” for uncleared)
Code injection: Input validation
ACID is testable too
69
Malware
Adware
Virus - spreads via files on its own
Worm - spreads through network on its own
Trojan - masquerades as harmless program/file
Spyware
Rootkit
Back door
70
6 steps of developing ICS security program?
BTS PFT
BUSINESS case
Create cross functional TEAM
Define charter and SCOPE
Define specific ICS POLICIES and PROCEDURES
Implement an ICS Security Risk Management FRAMEWORK
Provide TRAINING and raise security awareness for ICS staff
71
GDPR privacy principles
todo
State reason for gathering data at point of collection
Cannot use for purposes other than those stated
Data that is not needed should not be collected
Data should only be retained while it is needed for a specific task
Only individuals who are required to perform a stated task should be given access to the data
Individuals responsible for securely storing data should not allow it to be leaked
72
Maximum Tolerable Downtime ratings
todo
Important - 72 hrs ?
73
Twisted pair category cables
todo
74
TCP UDP ICMP
Transmission Control Protocol
Unreliable Datagram Protocol ??
Internet Control Message Protocol
75
SW-CMM phases
todo
76
Security model compositions
todo
77
Business Impact Assessment steps
todo
78
Confidentiality terms
Sensitivity - extent to which disclosure may cause harm
Criticality - importance of the information to the mission
Discretion - act of decision by operator which may impact disclosure
Concealment - security through obscurity may have value sometimes
Secrecy - preventing disclosure
Privacy - secrecy of personal data
Seclusion - keep in an “out of the way” location
Isolation - keep separate from other information

Sensitivity refers to the quality of information, which could cause harm or damage if disclosed. Maintaining confidentiality of sensitive information helps to prevent harm or damage.

Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.

Criticality: The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. High levels of criticality are essential to the operation or function of an organization.

Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy. While security through obscurity is typically not considered a valid security measure, it may still have value in some cases.

Secrecy is the act of keeping something a secret or preventing the disclosure of information.

Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.

Seclusion involves storing something in an out-of-the-way location. This location can also provide strict access controls. Seclusion can help enforcement of confidentiality protections.

Isolation is the act of keeping something separated from others. Isolation can be used to prevent commingling of information or disclosure of information.
79
Integrity concepts
Accuracy: Being correct and precise
Truthfulness: Being a true reflection of reality
Authenticity: Being authentic or genuine
Validity: Being factually or logically sound
Nonrepudiation: Not being able to deny having performed an action or activity, or being able to verify the origin of a communication or event
Accountability: Being responsible or obligated for actions and results
Responsibility: Being in charge or having control over something or someone
Completeness: Having all needed and necessary components or parts
Comprehensiveness: Being complete in scope; the full inclusion of all needed elements
80
Availability includes
Accessibility
Usability
Timeliness / Performance
81
Data classification steps
1. Identify the CUSTODIAN, and define their responsibilities.
2. Specify the evaluation CRITERIA of how the information will be classified and labeled.
3. CLASSIFY and label each resource. (The owner conducts this step, but a supervisor should review it.)
4. Document any EXCEPTIONS to the classification policy that are discovered, and integrate them into the evaluation criteria.
5. Select the SECURITY CONTROLS that will be applied to each classification level to provide the necessary level of protection.
6. Specify the PROCEDURES for declassifying resources and the procedures for transferring custody of a resource to an external entity.
7. Create an enterprise-wide AWARENESS program to instruct all personnel about the classification system.
82
Private sector security classification
Confidential - significant negative impact for organisation if disclosed
Private - significant negative impact for organisation or individuals if disclosed
Sensitive - negative impact if disclosed
Public
83
COBIT 5 principles
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
84
Elements of security governance
```
Policies - regulatory, advisory, informational
Standards
Baselines
Guidelines
Procedures
```
85
Reactive threat modelling techniques
Pen test / ethical hacking
Source code review
Fuzz testing
86
PASTA stages
Process for Attack Simulation and Threat Analysis
Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM)
87
6 security roles
```
Senior Management
Security Professional (Information Security Officer)
Data Owner
Data Custodian
User
Auditor
```
88
Privacy Laws
HIPAA - Health Insurance Portability and Accountability Act
SOX - Sarbanes-Oxley
FERPA - Family Educational Rights and Privacy Act
GDPR
PCI-DSS
89
Qualitative risk analysis
```
Scenarios
NIST 800-30 1..10 ratings of threats, vulnerability, etc
Brainstorming
Delphi technique
Storyboarding
Focus groups
Surveys
Questionnaires
Checklists
One-on-one meetings
Interviews
```
90
6 Types of Security Control
```
Detective
Preventative
Deterrent
Corrective (incl Recovery)
Directive (policy etc)
Compensating (replacing/substitute for another control)
```
91
NIST RMF (Risk Management Framework) steps
```
Categorise the system
Select controls
Implement controls
Assess controls
Authorise system for use
Monitor controls in use
```
92
3 Classes of Security Control
Logical / Technical
Administrative
Physical
93
Awareness, Training, Education
Awareness aimed at changing behaviour and making people receptive to training
Training to do a specific job role
Education to learn more eg for promotion
94
Employee Termination process
Disable access
Notify employee
Witness
Collect company credentials and property
Exit interview - reinforce NDA obligations
95
Delphi estimation technique (for risk analysis)
Panel members each anonymously provide an estimate
Panel discusses each estimate
Repeat until consensus achieved
96
BCP Steps
Project Scoping and Planning
* Organisation Analysis
* Create BCP Team
* Identify Resource Requirements (incl for scope/plan and for invocation)
Business Impact Assessment
* Prioritise business processes
* AV, MTD/MTO, RTO
* Risk Identification (incl supplier risks)
* SOC2/3 from supplier
* Likelihood Assessment (ARO)
* Impact Assessment (EF, SLE, ALE)
* Resource Prioritisation
Continuity Planning
* Strategy development - determine risks to be mitigated
* Provisions and processes - design mitigations
Approval and Implementation
* Plan approval
* Plan implementation
* Training and education
97
BCP Team representation
Each core business department
Each functional area identified in org analysis
IT SMEs
Cybersecurity SMEs
Physical security and facilities management
Legal
HR
PR / media and communications
Senior management able to set vision, define priorities and allocate resources
98
SOC Reports
Type I SOC1 - financial controls - needed by customers if eg outsourcing includes payment processing
Type II SOC1 - also assesses effectiveness of controls over a particular period
Type I SOC2 - for management, customers, customers’ auditors. Must cover Security (aka Common Criteria). May also cover Processing Integrity, Availability, Confidentiality, Privacy
Type II SOC2 - also assesses effectiveness of controls over a particular period
SOC3 - for general consumption, less detail than SOC2. No Type II variant
99
BCP Training plan
Plan overview for everyone in org
Training on BCP responsibilities for all with direct involvement
Training for backup personnel too
100
USA relevant legislation
CFAA - Computer Fraud and Abuse Act (last amended 1986)
* covers any computer of “federal interest” including those used by US govt or any financial institution, or any used to commit an offence across state lines
Computer Abuse Amendments Act (1994)
* adds any computer used in interstate commerce
* outlaws creation of any type of malicious code
* includes prison sentences under strict liability
* provides for civil action for injunctive relief and damages
* often criticised as over-broad - eg may make breaching website ToS a crime
National Information Infrastructure Protection Act 1996
* more amendments to CFAA
* includes systems used in international commerce (not just inter-state)
* also includes railroads, power grids, telecoms etc
Federal Sentencing Guidelines:
* Prudent Man rule
* Due Diligence as a defence / reduce punishment
* Negligence finding based on failure to comply with recognised standards where there is a causal link to damages and the negligent person had a legal obligation of care
Federal Information Security Management Act 2002 (and Modernisation Act, 2014)
* made NIST responsible for developing implementation guidelines for federal agencies
Cybersecurity Enhancement Act 2014:
* charges NIST with coordination of nationwide work on voluntary cybersecurity standards
* NIST Special Publications eg SP800-53, -171
Privacy Act 1974: like 4th amendment, constrains government agencies only
Electronic Communications Privacy Act 1986: no interception of wired or mobile comms; constrains individuals and companies not just government
Communications Assistance for Law Enforcement Act 1994 (amends ECPA): wiretaps required when court ordered
Economic Espionage Act 1996: extends theft to include theft of economically valuable information
Health Insurance Portability and Accountability Act 1996 (HIPAA): includes security and privacy regulations relating to medical information about individuals
Health Information Technology for Economic and Clinical Health Act 2009 (HITECH Act): amends HIPAA, adds data breach notification requirements to inform affected individuals
California SB1386 (2002): data breach notification if individual’s name combined with SSN/driver’s license/state id/credit/debit card#/bank acct#/medical records/health insurance information. Similar laws passed in all other states except Alabama and South Dakota
Children’s Online Privacy Protection Act 1998: covers information held by online services regarding children
Family Educational Rights and Privacy Act: some privacy rights for students over 18
Gramm-Leach-Bliley Act 1999: enables data sharing by FS firms but requires privacy policies to be published
USA PATRIOT Act 2001: allows blanket wiretapping of contacts of a monitored suspect, allows ISPs to share data with govt voluntarily or under subpoena, plus more severe jail terms for CFAA crimes.
Identity Theft and Assumption Deterrence Act 1998: criminalised identity theft
CalOPPA - California Online Privacy Protection Act: requires a privacy notice for any commercial website/online service collecting personal information on California residents
101
Criminal vs Civil vs Administrative Law
todo
102
EU Privacy Shield requirements
Notice: An organization must inform individuals about the purposes for which it collects and uses information about them.
Choice: An organization must offer individuals the opportunity to opt out.
Accountability for Onward Transfer: Organizations can only transfer data to other organizations that comply with the Notice and Choice principles.
Security: Organizations must take reasonable precautions to protect personal data.
Data Integrity and Purpose Limitation: Organizations should only collect data that is needed for the processing purposes identified in the Notice principle. Organizations are also responsible for taking reasonable steps to ensure that personal data is accurate, complete, and current.
Access: Individuals must have access to the personal information an organization holds about them. Individuals must also have the ability to correct, amend, or delete information when it is inaccurate.
Recourse, Enforcement, and Liability: Organizations must implement mechanisms to ensure compliance with the principles and provide mechanisms to handle individual complaints:
* provide free and accessible dispute resolution
* cooperation with the Dept of Commerce
* ensure transparency with respect to enforcement actions
* ensure commitments are kept as long as the data is held
103
PII
Personally Identifiable Information
Defined in NIST SP 800-122 as: Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
104
Hash Algorithms
SHA-1 (believed weak, 512b blocks, 160b output)
SHA-2 (-256/-224 use 512b blocks, -512/-384 use 1024b blocks)
SHA-3 (same variants as SHA-2, mandated for FIPS digital signatures)
MD2 (broken - not one way, 16b blocks, 128b output)
MD4 (weak - collisions can be found easily, 512b blocks, 128b output)
MD5 (weak - collisions can be found, 512b blocks, 128b output)
HAVAL (1024b blocks, 128/160/192/224/256b output, MD5 variant)
HMAC (uses a shared secret key plus any hash algorithm)
Password hashing: bcrypt, scrypt, PBKDF2
105
Digital Signature algorithms
DSA - FIPS 186-4
RSA - ANSI X9.31
ECDSA (elliptic curve DSA) - ANSI X9.62
Schnorr
Nyberg-Rueppel
106
3 major public key crypto systems
RSA
ElGamal (extension of Diffie-Hellman key exchange, doubles the length of the message)
Elliptic Curve Cryptography (160b ECC equivalent to 1024b RSA)
107
IPsec features
Transport mode - only the payload is encrypted
Tunnel mode - the whole packet is encrypted
AH (Authentication Header) - provides authentication, access controls and replay protection
ESP (Encapsulating Security Payload) - provides confidentiality, limited authentication, plus replay protection
ISAKMP (Internet Security Association and Key Management Protocol) - RFC2408
108
Common Cryptographic Attacks
Birthday (collision)
Man in the Middle
Meet in the Middle
Replay
Known plaintext
Chosen ciphertext
Chosen plaintext
109
TOCTOU ("Tock To") vulnerability
Time of Check to Time of Use