Domain 1 Flashcards
Due Diligence
Practicing the activities that maintain the due care effort
Think before you act
Due Care
Doing what a reasonable person would do in a given situation. “Prudent man” rule
Actions speak louder than words
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Access controls help ensure that only authorized subjects can access objects
Integrity
Ensures data or system config are not modified without authentication
Availability
Authorized requests for objects must be granted to subjects within a reasonable amount of time
ISC2 Code of Ethics
- Protect society, the common wealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
Security Policy Development
from the bottom up
Security Procedures
- Detailed step by step
Security Guidelines
- Offer recommendations
Security baselines
- Define “minimum levels”
Acceptable Use Policy
- Assign roles / responsibility
Risk Categories
Damage
Result in physical loss of an asset or inability to access that asset
Risk Categories
Disclosure
Disclosed critical info regardless of where or how it was disclosed
Risk Categories
Losses
Permanent or temp, including altered or inaccessible data
Risk Factors
Physical Damage
Natural disaster, power loss, vandalism
Risk Factors
Malfunctions
Failure of systems, networks, or peripherals
Risk Factors
Attacks
Purposeful acts
Risk Factors
Human Errors
Accidental incidents
Risk Factors
Application Errors
Failures of applications, including the OS
Security Planning
Strategic
Long term, includes risk assessment
5 year, annual updates
Security Planning
Tactical
Midterm, ~1 year
Security Planning
Operational
Short term, monthly / quarterly
Response to Risk
Acceptance
Do nothing, accept risk and potential loss
Response to Risk
Mitigation
Implement countermeasure and accept residual risk
Response to Risk
Assignment
Transfer to 3rd party (insurance)
Response to Risk
Avoidance
When cost to mitigate / accept are higher than the benefits of service
Response to Risk
Deterrence
Discourage would-be violators of policy
Response to Risk
Rejection
Unacceptable, to reject / ignore
Risk Management Framework
NIST 800-37
- Prepare
- Categorize info systems
- Select security controls
- Implement security controls
- Assess security controls
- Authorize the system
- Monitor security controls
People Can See I Am Always Monitoring
Types of Risk
Residual
remains, with all safeguards in place.
- Management chose to accept rather than mitigate
After
Types of Risk
Inherent
New risk, not yet identified by management
- exists in absence of controls
Before
Types of Risk
Total
risk if no safeguards in place
Without
Total Risk = Threats * Vulnerabilities * Asset Value
Formula
Risk
Risk = Threat * Vuln
Quantitative Risk Analysis
(6 Steps)
- Inventory assets and assign value (AV)
- Identify threats: research assets and make a list of all possible threats (EF, SLE)
- Perform threat analysis: calculate the chance that each threat is realized in a single year (ARO)
- Estimate potential loss: calculate the annual loss expectancy (ALE)
- Research countermeasures for each threat, then calculate the changes to ARO and ALE
- Perform a cost / benefit analysis for each safeguard –> threat –> asset
Qualitative Risk Analysis
Delphi Technique
Anonymous feedback / response process
Qualitative Risk Analysis
Loss Potential
What would be lost
Qualitative Risk Analysis
Delayed Loss
Amount of loss that can occur over time
Exposure Factor (EF)
% of loss that an org faces if a specific asset were violated by a related risk
Single Loss Expectancy (SLE)
the cost associated with a single related risk against a specific asset
SLE = Asset Value * Exposure Factor
SLE = AV * EF
Annualized Rate of Occurrence (ARO)
Expected frequency with which a specific threat or risk occurs in a year
Annualized Loss Expectancy (ALE)
possible yearly cost of all instances of a specific realized threat against a specific asset
ALE = Single Loss Expectancy * Annualized Rate of Occurrence
ALE = SLE * ARO
Formula
Safeguard Evaluation
ALE1 = ALE before safeguard
ALE2 = ALE after safeguard
ACS = Annualized Cost of Safeguard
Value of Safeguard = ALE1 - ALE2 - ACS
Formula
Controls Gap
Residual Risk = Total Risk - Controls Gap
Supply Chain Eval
- On site assessment
- Document exchange and review
- Process / policy Review
- 3rd Party Audit
Threat Modeling (General Approaches)
Proactive or Reactive
Focus on:
- Assets: use asset valuation (AV) to identify threats
- Attackers: identify attackers and threats based on the attackers' goals
- Software: potential threats against the software itself
Threat Modeling
STRIDE by Microsoft
Spoofing
Tampering
Repudiation
Info disclosure
Denial of Service
Elevation of privilege
Threat Modeling
PASTA
Countermeasures based on asset value (AV)
1. Define objectives
2. Define technical scope
3. Application decomposition and analysis
4. Threat analysis
5. Weakness & vulnerability analysis
6. Attack modeling & simulation
7. Risk analysis & management
Threat Modeling
VAST
based on Agile
Visual
Agile
Simple
Threat
Threat Modeling
DREAD
Based on 5 questions
Damage Potential
Reproducibility
Exploitability
Affected Users
Discoverability
Threat Modeling
TRIKE
Focus on acceptable risk
- Open source threat modeling that implements a requirements model
- Assigns a level of risk for each asset that is “acceptable” to stakeholders
Security Control Framework
COBIT
IT Management and Governance
1. Meeting stakeholder needs
2. Covering Enterprise end to end
3. Applying in single, integrated framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
Risk Reduction Analysis
(5 parts)
- Trust Boundaries: any location where the level of trust or security changes
- Data Flow Paths
- Input Points
- Privileged Operators
- Details about security stance and approach
Security Controls
(2 types)
Safeguards = Proactive
Countermeasure = Reactive
Security Controls
Categories (3 types)
- Technical: hardware / software
- Administrative: Policies, procedures, regulations
- Physical: Barriers, locked doors, moats
Security Controls
Control Types (7 types)
- Deterrent: discourages violations
- Preventative: stops unauthorized activity from happening
- Detective: discovers unauthorized acts
- Compensating: provides options to other controls to aid enforcement
- Corrective: returns system to normal
- Recovery: extension of corrective, with more abilities
- Directive: directs actions of subjects to force security compliance
Important Laws
Computer Fraud and Abuse Act (CFAA)
The first major US cybercrime specific legislation
Important Laws
Federal Sentencing Guidelines
Gave punishment guidelines for computer crimes
Important Laws
Federal Info Security Mgmt Act (FISMA)
Required formal information security operations for federal agencies
Important Laws
Copyright and the Digital Millennium Copyright Act
Covers literary, musical, and drama works
IP and Licensing
Trademarks
Words, slogans and logos
IP and Licensing
Patents
IP of inventors
IP and Licensing
Licensing (4 types)
- Contractual
- Shrink wrap: a permission given to someone to use a software or product that would otherwise be illegal
- Click through: End User License Agreement (EULA)
- Cloud servers: licenses sit in the virtual cloud
IP and Licensing
Trade Secrets
IP that is critical to business and cannot be disclosed
Encryption and Privacy Laws
Computer Export Controls
US companies cannot export to Cuba, Iran, North Korea, Sudan or Syria
Encryption and Privacy Laws
Encryption Export Controls
Department of Commerce controls this
Encryption and Privacy Laws
Privacy (US)
4th amendment rights against unwarranted searches and seizures
Encryption and Privacy Laws
Privacy (EU)
General Data Protection Regulation (GDPR)
Applies to any company with customers in EU!!
US Privacy Laws
HIPAA
Health Insurance Portability and Accountability Act
US Privacy Laws
HITECH
Health Information Technology for Economic and Clinical Health
US Privacy Laws
Gramm-Leach-Bliley Act
for Financial institutions
US Privacy Laws
COPPA
Children's Online Privacy Protection Act
US Privacy Laws
ECPA
Electronic Communications Privacy Act
US Privacy Laws
CALEA
Communications Assistance for Law Enforcement Act
Business Continuity Planning (BCP)
(5 steps)
- Strategy development
- Provisions and processes
- Plan approval
- Plan implementation
- Training and education
“Overall how-to plan”
BCP Definitions
Disaster Recovery Plan (DRP)
Recovery from a disaster impacting IT and returning IT to an operational state
BCP for whole business
DRP just for IT
BCP Definitions
Continuity of Operation Plan (COOP)
Continuing business until IT is restored
Consequences of Privacy and Data Breach
(4 types)
- Reputation Damage
- ID Theft
- IP Theft
- Fines from failing to report
  - GDPR can fine up to 4% of global revenue or 20 Million Euros
Data Breach Notifications
(Notes :/ )
- GDPR is 72 hours
- Escalations to external sources possible
- Countries have their own reporting timescale
- Delays can warrant a criminal investigation