Domain 1 Flashcards
ISC2 Code of Ethics
PAPA
Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession
Types of Security Planning
Strategic. Long term, stable plan that should include a risk assessment. (5-yr horizon, annual updates)
Tactical. Midterm plan developed to provide more details on goals of the strategic plan. (usually ~1 year)
Operational. Short term, highly detailed plan based on the strategic and tactical plans. (monthly, quarterly)
Primary Risk Management Framework
NIST 800-37 RMF
Other RMFs
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation
FAIR
Factor Analysis of Information Risk
TARA
Threat Agent Risk Assessment
6 Steps of NIST 800-37 RMF
P CSIAAM
Prepare to execute the RMF
1. Categorize information systems
2. Select security controls
3. Implement security controls
4. Assess the security controls
5. Authorize the system
6. Monitor security controls
Types of Risk
Residual (AFTER). The risk that remains even with all conceivable safeguards in place.
Inherent (BEFORE). Newly identified risk not yet addressed with risk management strategies.
Total (WITHOUT). The amount of risk an organization would face if no safeguards were implemented.
Risk Formula
Risk = Threat * Vulnerability
Types of Risk Analysis
Quantitative - Assigns a dollar value to evaluate effectiveness of countermeasures
Qualitative - Uses a scoring system to rank threats and effectiveness of countermeasures
Delphi Technique - An anonymous feedback-and-response process used to arrive at a consensus.
Risk Analysis Steps
The six major steps in quantitative risk analysis:
1. Inventory assets and assign a value (asset value, or AV).
2. Identify threats. Research each asset and produce a list of all possible threats to each asset (and calculate EF and SLE).
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year (the ARO).
4. Estimate the potential loss by calculating the annualized loss expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset.
Loss Potential
What would be lost if the threat agent is successful in exploiting a vulnerability.
Delayed loss
This is the amount of loss that can occur over time.
Quantitative Formula Terms
Exposure factor (EF)
Single loss expectancy (SLE)
Annualized rate of occurrence (ARO)
Annualized loss expectancy (ALE)
Safeguard evaluation
Controls Gap
The amount of risk reduced by implementing safeguards.
total risk - controls gap = residual risk
Supply Chain Evaluation
On Site Assessment. Visit organization, interview personnel, and observe their operating habits.
Document Exchange and Review. Investigate the means of dataset and documentation exchange and the associated review processes.
Process/Policy Review. Request copies of their security policies, processes, or procedures.
Third-Party Audit. Having an independent auditor provide an unbiased review of an entity’s security infrastructure.
Threat Modeling Focuses on 3 Approaches
Focused on Assets. Uses asset valuation results to identify threats to the valuable assets.
Focused on Attackers. Identify potential attackers and identify threats based on the attacker’s goals.
Focused on Software. Considers potential threats against the software the org develops.
Threat Modeling STRIDE
Microsoft
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
Threat Modeling PASTA
Risk-centric model that focuses on controls relative to asset value.
Stage I: Definition of Objectives
Stage II: Definition of Technical Scope
Stage III: App Decomposition and Analysis
Stage IV: Threat Analysis
Stage V: Weakness and Vulnerability Analysis
Stage VI: Attack Modeling & Simulation
Stage VII: Risk Analysis & Management
Threat Modeling VAST
Model based on Agile project management and programming principles.
Visual
Agile
Simple
Threat
GOAL: Scalable integration of threat management into an Agile programming environment
Threat Modeling Trike
An open source threat modeling process that implements a requirements model.
Ensures the assigned level of risk for each asset is “acceptable” to stakeholders.
Threat Modeling DREAD
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
Security Controls
Safeguards and Countermeasures
Safeguards are proactive
Countermeasures are reactive
Control Categories
Technical. Aka “logical”; involves the hardware or software mechanisms used to manage access.
Administrative. Policies and procedures defined by the org’s security policy and other regulations and requirements.
Physical. Items you can physically touch.
Control Types
Deterrent. Deployed to discourage violation of security policies.
Preventative. Deployed to thwart or stop unwanted or unauthorized activity from occurring.
Detective. Deployed to discover or detect unwanted or unauthorized activity.
Compensating. Provides options to other existing controls to aid in enforcement of security policies.
Corrective. Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.
Recovery. An extension of corrective controls, but with more advanced or complex abilities.
Directive. Directs, confines, or controls the actions of subjects to force or encourage compliance with security policies.
LAWS: CFAA
Computer Fraud and Abuse Act (CFAA). The first major piece of US cybercrime specific legislation
LAWS: Federal Sentencing Guidelines
Provided punishment guidelines to help federal judges interpret computer crime laws.
LAWS: FISMA
Federal Information Security Management Act (FISMA). Requires formal information security operations for the federal government.
LAWS: CDMCA
Copyright and the Digital Millennium Copyright Act (CDMCA). Covers literary, musical, and dramatic works.
Trademarks
Cover words, slogans, and logos used to identify a company and its products or services.
Patents
Patents protect the intellectual property rights of inventors.
Trade Secrets
Intellectual property that is absolutely critical to the business and must not be disclosed.
Licensing
The 4 types you should know are contractual, shrink wrap, click through, and cloud services.
(Legal & Regulatory) Encryption and Privacy
Computer Export Controls. US companies can’t export to Cuba, Iran, North Korea, Sudan, and Syria.
Encryption Export Controls. Regulations on the export of encryption products outside the US.
Privacy (US). The basis for privacy rights is in the Fourth Amendment to the U.S. Constitution.
Privacy (EU). The General Data Protection Regulation (GDPR) is the most likely to be mentioned.
HIPAA
Health Insurance Portability and Accountability Act
HITECH
Health Information Technology for Economic and Clinical Health
GLBA
Gramm-Leach-Bliley Act (financial institutions)
COPPA
Children’s Online Privacy Protection Act
ECPA
Electronic Communications Privacy Act
CALEA
Communications Assistance for Law Enforcement Act
Business Continuity Planning Steps
- Strategy development
- Provisions and processes
- Plan approval
- Plan implementation
- Training and education
COBIT
IT management and governance framework
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End to End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Management