Domain 1 Flashcards
ISC2 Code of Ethics (4 canons, in order of precedence)
- Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
4 Levels of Security Policy Development (top down)
- Security policy (incl. the acceptable use policy)
- Security standards and baselines
- Security guidelines
- Security procedures
3 types of security plans
- Strategic (long term, fairly stable, includes a risk assessment, about a 5-year horizon)
- Tactical (mid term, details how the goals of the strategic plan are reached, about 1 year)
- Operational (short term, highly detailed, derived from the strategic and tactical plans, monthly/quarterly)
Primary risk management framework for the exam
NIST SP 800-37 (Risk Management Framework, RMF)
Secondary risk management frameworks for the exam
- OCTAVE
- FAIR
- TARA
7 steps of the Risk Management Framework (RMF), NIST SP 800-37 Rev. 2
- PREPARE to execute the RMF
- CATEGORIZE information systems
- SELECT security controls
- IMPLEMENT security controls
- ASSESS security controls
- AUTHORIZE the system
- MONITOR the security controls
Mnemonic: People Can See I Am Always Monitoring
Fact on risk management
Not every risk can be mitigated
Who decides how risk is handled?
Management
What should I do in case of legal issues?
Call an attorney
Inherent Risk
level of risk before any controls are applied (e.g. a newly identified risk that no strategy yet addresses)
Total risk
amount of risk WITHOUT ANY safeguards + controls
Formula for total risk
total risk = threats x vulnerabilities x asset value
Formula for risk
risk = threat x vulnerability
6 major steps of Quantitative Risk Analysis
- INVENTORY assets and assign a value (AV) to each
- Identify THREATS per asset (and calculate EF and SLE)
- Perform a THREAT ANALYSIS (calculate the likelihood within a single year -> ARO)
- Estimate the POTENTIAL LOSS per year (calculate ALE)
- Research COUNTERMEASURES for each threat (and calculate the change to ARO and ALE)
- Perform a COST/BENEFIT analysis of each countermeasure
Quantitative Risk Analysis
Dollar value, objective
Qualitative Risk Analysis
Scoring system (rank threats and control effectiveness), subjective
Delphi Technique
qualitative; anonymous written feedback and response rounds until the group reaches consensus
What threat agents do
exploit vulnerabilities
Exposure Factor (EF)
percentage of an asset's value lost when a specific threat is realized
Single Loss Expectancy (SLE)
cost of a single realized risk against a specific asset
Formula for SLE
SLE = Asset Value (AV) x Exposure Factor (EF)
Annualized Rate of Occurrence (ARO)
expected frequency with which a specific threat is realized within a single year
Annualized Loss Expectancy (ALE)
yearly cost of all realizations of a specific threat against a specific asset
Formula for ALE
ALE = SLE x ARO
Safeguard evaluation considerations
should reduce risk, be transparent to users, be difficult to bypass, be cost-effective
Formula for the value of a safeguard
(ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard) = ALE1 - ALE2 - ACS
Controls Gap
amount of risk that is reduced by implementing safeguards
Formula Residual Risk
Residual risk = Total risk - controls gap
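Worked example of the six quantitative steps and of the SLE, ALE, safeguard-value and residual-risk formulas above, carried through for one asset and three candidate safeguards. This is an added example, not part of the flashcards; the asset value, threat figures and safeguard costs are constructed for illustration.

```python
"""Quantitative risk analysis carried through end to end (added example).

AV  = asset value                      SLE = AV x EF
EF  = exposure factor (fraction lost)  ALE = SLE x ARO
ARO = annualized rate of occurrence    value of safeguard = ALE1 - ALE2 - ACS
ACS = annual cost of the safeguard     residual risk = total risk - controls gap
All monetary results are rounded to cents.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float    # fraction of the asset's value lost per occurrence
    aro: float   # expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # ACS
    new_ef: float       # EF once the safeguard is in place
    new_aro: float      # ARO once the safeguard is in place


def sle(asset_value: float, ef: float) -> float:
    """Single loss expectancy: cost of one realized threat."""
    return round(asset_value * ef, 2)


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: yearly cost of the threat."""
    return round(sle(asset_value, ef) * aro, 2)


def safeguard_value(asset_value: float, threat: Threat, sg: Safeguard) -> float:
    """ALE1 - ALE2 - ACS. Positive: the safeguard saves more than it costs."""
    ale_before = ale(asset_value, threat.ef, threat.aro)
    ale_after = ale(asset_value, sg.new_ef, sg.new_aro)
    return round(ale_before - ale_after - sg.annual_cost, 2)


def rank_safeguards(asset_value: float, threat: Threat, safeguards: list[Safeguard]) -> list[tuple[str, float]]:
    """Step 6, cost/benefit: safeguards ordered from best to worst value.
    A negative value means the safeguard costs more per year than the loss it avoids."""
    scored = [(sg.name, safeguard_value(asset_value, threat, sg)) for sg in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def residual_risk(total_risk: float, controls_gap: float) -> float:
    """Risk left over after the chosen safeguards: total risk - controls gap."""
    return round(total_risk - controls_gap, 2)


# Constructed figures (assumptions of this example, not from the flashcards):
# a customer database worth $1,000,000 facing a ransomware threat that, when it
# hits, destroys half the asset's value and is expected once every five years.
CUSTOMER_DB_AV = 1_000_000.0
RANSOMWARE = Threat("ransomware", ef=0.5, aro=0.2)
CANDIDATES = [
    Safeguard("Offline, tested backups", annual_cost=15_000.0, new_ef=0.1, new_aro=0.2),
    Safeguard("EDR on all endpoints", annual_cost=40_000.0, new_ef=0.5, new_aro=0.05),
    Safeguard("Inline anti-ransomware appliance", annual_cost=120_000.0, new_ef=0.05, new_aro=0.05),
]

if __name__ == "__main__":
    ale1 = ale(CUSTOMER_DB_AV, RANSOMWARE.ef, RANSOMWARE.aro)
    print(f"SLE = {sle(CUSTOMER_DB_AV, RANSOMWARE.ef):,.2f}  ALE (no safeguard) = {ale1:,.2f}")
    for name, value in rank_safeguards(CUSTOMER_DB_AV, RANSOMWARE, CANDIDATES):
        verdict = "worth it" if value > 0 else "reject: costs more than it saves"
        print(f"{name:35s} value = {value:>12,.2f}  {verdict}")
    # Here total risk is expressed as the ALE with no safeguard, and the
    # controls gap as the ALE reduction the best safeguard delivers.
    best = CANDIDATES[0]
    gap = ale1 - ale(CUSTOMER_DB_AV, best.new_ef, best.new_aro)
    print(f"residual risk after '{best.name}': {residual_risk(ale1, gap):,.2f}")
```

The ranking is what management uses to decide how the risk is handled: the two safeguards with a positive value are candidates for mitigation, while the third costs more than the loss it prevents, so the remaining risk there is accepted or transferred rather than paid for.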
Threat Modeling
potential threats are identified, categorized and analyzed; goal = eradicate or reduce threats
proactive (during design) or reactive (after deployment)
Threat Model Focus
- Focused on assets (asset valuation)
- Focused on attackers (threats derived from attackers' goals)
- Focused on software (potential threats against the software itself)
STRIDE (threat categorization model, Microsoft)
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
PASTA = Process for Attack Simulation and Threat Analysis (risk-centric threat model, 7 stages)
- Definition of Objectives
- Definition of Technical Scope
- App Decomposition and Analysis
- Threat Analysis
- Weakness and Vulnerability Analysis
- Attack Modeling and Simulation
- Risk Analysis & Management
VAST (threat model)
Visual, Agile, and Simple Threat modeling
Trike (threat model)
risk-based approach; uses threat models as a risk-management tool
DREAD (threat rating/ranking scheme, not a modeling methodology)
Damage potential, Reproducibility, Exploitability, Affected users, Discoverability
2 Types of Security Controls
Safeguard = proactive
Countermeasure = reactive
Control Types
- Deterrent (discourage violations)
- Preventive (stop unwanted/unauthorized activity)
- Detective (discover/detect unwanted/unauthorized activity)
- Compensating (alternative to, or supplement of, other existing controls)
- Corrective (return systems to normal after an incident)
- Recovery (extension of corrective controls, e.g. backups, failover)
- Directive (direct, confine or control the actions of subjects)
Types of Law
Criminal Law
Civil Law
Administrative Law
Computer Fraud and Abuse Act (CFAA)
first major piece of US cyber-crime-specific legislation
Federal Sentencing Guidelines
punishment guidelines, help federal judges interpret computer crime laws
Federal Information Security Management Act (FISMA)
formal infosec operations, for government
Copyright and Digital Millennium Copyright Act (DMCA)
protects creative works such as literary, musical and dramatic works
Trademarks
words, slogan, logos (identification of company, products, services)
Patents
intellectual property rights of inventor (not secret)
Trade secrets
Secret, absolutely critical to business (like Coca Cola recipe), must not be disclosed
4 Licensing types
- contractual
- shrink wrap
- click through
- cloud services
Basis for privacy rights in the US
4th Amendment of the US Constitution
Healthcare specific laws
HIPAA, HITECH
Financial institution (FI) specific law
Gramm-Leach-Bliley Act (GLBA)
Law related to the online privacy of children
COPPA = Children's Online Privacy Protection Act
2 Laws related to electronic communication
ECPA = Electronic Communications Privacy Act
CALEA = Communications Assistance for Law Enforcement Act
5 Business Continuity Planning steps (continuity planning plus approval and implementation, after project scoping and the business impact analysis)
- Strategy DEVELOPMENT
- Provision and PROCESSES
- Plan APPROVAL
- Plan IMPLEMENTATION
- Training and EDUCATION
Governance
the process of how an organization is managed
Security Governance
the entirety of policies, roles, processes to make security decisions
Security Control Frameworks
- ISO 27001/27002
- COBIT = Control Objectives for Information and related Technology (maintained by ISACA)
- ITIL = Information Technology Infrastructure Library (best practices for IT service management)
- Risk Management Framework (especially NIST SP 800-37 + SP 800-53)
- CSA STAR = Cloud Security Alliance Security, Trust, Assurance and Risk registry (assurance levels for cloud service providers)
Due Care
acting as a reasonable, prudent person would; what the organization owes its customers
Due Diligence
the ongoing effort (planning, investigation, review) that demonstrates due care; evidence of providing due care
Risk Frameworks (NOT only RMF)
- ISO 31000 (Risk Management Principles and Guidelines)
- ISO 27005 (IT Security Risk Management)
- COSO (ERM framework; financial reporting irregularities and fraud)
- ISACA (Risk IT, connect strategic risk with IT risk management)
- NIST (RMF, SP 800-37)
3rd party assessment and monitoring
- ISO certified audits
- CSA STAR evaluation
- AICPA SSAE 16 SOC reports (SSAE 16 has since been superseded by SSAE 18)
Industry standards
- set by industry participants
- can eventually evolve into legal standard
- may be accepted by regulators
- examples: ISO, CSA STAR, Uptime Institute
PII data examples
- Name
- Home address
- Tax identification numbers / social security numbers
- mobile telephone numbers
- specific computer data (MAC address, IP address of the user's client)
data owner / data controller
entity that collects or controls PII data
data processor
creating, storing, sending, etc. on behalf of the data owner
data custodian
manages data day to day (system admin, database admin, etc.)
What kind of data storage does PCI DSS prohibit?
storing sensitive authentication data after authorization: full track data, the card verification code (CVV2/CVC2/CID), and the PIN/PIN block
Does the information security policy require signing by employees?
No
Opposite of CIA
DAD = Disclosure, Alteration, Destruction
IAAA - requirements for accountability
- Identification
- Authentication
- Authorization
- Accountability
Responsibility of the ISO
- Written products
- CIRT
- Security Awareness
- Communicate risk to higher management
- report as high a level as possible
- security is everyone’s responsibility
Wassenaar Arrangement (WA)
export controls on dual-use goods and conventional arms, including cryptography; aims to prevent destabilizing accumulations
SOX (Sarbanes-Oxley) Section 302
CEOs and CFOs personally certify financial reports and can go to jail if they knowingly sign false information
SOX Section 404
management assessment of internal controls over financial reporting; requires sound auditing and information security
Wire tapping
eavesdropping on communication, only legal with prior consent or warrant
Data Diddling
act of modifying information, programs, documents to commit fraud
tampers with INPUT data
Watering hole attack
attacker compromises websites the target group is known to visit and plants malware there to infect them
Work function / work factor
how much effort (cost/time) it takes to recover cleartext from ciphertext, i.e. to break the cipher
SLR (Service Level Requirements)
requirements from the client's perspective
Service level report
insight into service providers ability to deliver the agreed service quality