Domain 1. Chapter 2 Flashcards
- Personnel Security
- Risk Management Concepts
- Social Engineering
- Establish and Maintain a Security Awareness, Education, and Training Program
- Personnel Security
1.1 Candidate Screening and Hiring
1) creating a job description or position description
2) setting a classification for the job
3) screening employment candidates
4) hiring
5) training
Job roles typically align to a rank or level of privilege, whereas job descriptions map to specifically assigned responsibilities and tasks.
Job responsibilities are the specific work tasks an employee is required to perform on a regular basis.
Employment candidate screening for a specific position is based on the sensitivity and classification defined by the job description.
Background checks include obtaining a candidate’s work and educational history; checking references; verifying education; interviewing colleagues; checking police and government records for arrests or illegal activities; verifying identity through fingerprints, driver’s license, and/or birth certificate; and holding a personal interview.
1.2 Onboarding: Employment Agreements and Policies
Onboarding is the process of adding new employees to the organization, having them review and sign employment agreements and policies, be introduced to managers and coworkers, and be trained in employee operations and logistics.
The principle of least privilege states that users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities.
When a new employee is hired, they should sign an employment agreement. Such a document outlines the rules and restrictions of the organization, the security policy, details of the job description, violations and consequences, and the minimum or probationary length of time the position is to be filled by the employee. These items might be separate documents, such as an acceptable use policy (AUP).
Nondisclosure agreement (NDA). An NDA is used to protect the confidential information within an organization from being disclosed by a current or former employee.
1.3 Employee Oversight
Managers should regularly review or audit the job descriptions, work tasks, privileges, and responsibilities for every staff member.
Reviewing and then adjusting user capabilities to realign with the principle of least privilege is a risk reduction strategy.
Mandatory vacations are used as a peer review process. A worker is required to be away from the office, without remote access, for one to two weeks per year. A different worker performs their duties during that time and may detect abuse, fraud, or negligence on the part of the original employee.
Other user and worker management and evaluation techniques include separation of duties, job rotation, and cross-training.
User behavior analytics (UBA) and user and entity behavior analytics (UEBA).
1.4 Offboarding, Transfers, and Termination Processes
Offboarding is the removal of an employee’s identity from the IAM system once that person has left the organization.
Employee transfers into a new job position.
1) Remove or disable the employee’s user account at the same time as or just before they are notified of being terminated.
2) Make sure the employee returns any organizational equipment or supplies from their vehicle or home.
3) Arrange for a member of the security department to accompany the released employee while they gather their personal belongings from the work area.
4) Inform all security personnel and anyone else who watches or monitors any entrance point to ensure that the ex-employee does not attempt to reenter the building without an escort.
5) Conduct an exit interview to review the restrictions placed on the former employee based on the employment agreement, NDAs, and any other security-related documentation.
1.5 Vendor, Consultant, and Contractor Agreements and Controls
- Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved.
- Using service-level agreements (SLAs) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by both the service provider, vendor, or contractor and the customer organization.
- Outsourcing is the term often used to describe the use of an external third party, such as a vendor, consultant, or contractor, rather than performing the task or operation in-house. Outsourcing can be used as a risk response option known as transference or assignment.
- Vendor management system (VMS). A VMS is a software solution that assists with the management and procurement of staffing services, hardware, software, and other needed products and services.
1.6 Compliance Policy Requirements
Compliance is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements. Compliance is an important concern of security governance.
Compliance is a form of administrative or managerial security control because it focuses on policies and people abiding by those policies (as well as whether the IT and physical elements of the organization comply with policies).
1.7 Privacy Policy Requirements
Definitions of privacy:
- Active prevention of unauthorized access to information that is personally identifiable (that is, data points that can be linked directly to a person or organization), known as personally identifiable information (PII)
- Freedom from unauthorized access to information deemed personal or confidential
- Freedom from being observed, monitored, or examined without consent or knowledge.
Examples of privacy-related laws and regulations:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Sarbanes–Oxley Act of 2002 (SOX)
- The Family Educational Rights and Privacy Act (FERPA)
- The Gramm–Leach–Bliley Act
- The European Union’s General Data Protection Regulation (GDPR) (Regulation [EU] 2016/679)
- Risk Management Concepts
2.1
Risk management is a detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.
The primary goal of risk management is to reduce risk to an acceptable level.
Risk management is composed of two primary elements: risk assessment and risk response.
- Risk assessment or risk analysis is the examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur, and assessing the cost of various countermeasures for each risk.
- Risk response involves evaluating countermeasures, safeguards, and security controls using a cost/benefit analysis; adjusting findings based on other conditions, concerns, priorities, and resources; and providing a proposal of response options in a report to senior management.
Risk awareness is the effort to increase the knowledge of risks within an organization.
2.2 Risk Terminology and Concepts
- An asset is anything used in a business process or task. If an organization relies on a person, place, or thing, whether tangible or intangible, then it is an asset.
- Asset valuation is the value assigned to an asset (the asset value, AV) based on a number of factors, including importance to the organization, use in critical processes, actual cost, and nonmonetary expenses/costs (such as time, attention, productivity, and research and development).
- A threat is any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset.
- Threat agents or threat actors intentionally exploit vulnerabilities. Threat agents are usually people, but they could also be programs, hardware, or systems.
- Threat events are accidental occurrences and intentional exploitations of vulnerabilities.
- A threat vector or attack vector is the path or means by which an attack or attacker can gain access to a target in order to cause harm.
- A vulnerability is a weakness in an asset, or the absence or weakness of a safeguard or countermeasure.
- Exposure is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event. (See also the exposure factor (EF) under quantitative risk analysis.)
- Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result. Conceptually: risk = threat * vulnerability, or risk = probability of harm * severity of harm.
- A safeguard, security control, protection mechanism, or countermeasure is anything that removes or reduces a vulnerability or protects against one or more specific threats. This concept is also known as a risk response.
- An attack is the intentional attempted exploitation of a vulnerability by a threat agent to cause damage, loss, or disclosure of assets.
- A breach, intrusion, or penetration is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. A breach is a successful attack.
2.3 Asset Valuation
An asset-based or asset-initiated risk analysis starts with inventorying all organizational assets.
The goal of asset valuation is to assign to an asset a specific dollar value that encompasses tangible costs as well as intangible ones.
Assigning or determining the value of assets to an organization can fulfill numerous requirements by
- Serving as the foundation for performing a cost/benefit analysis of asset protection when performing safeguard selection
- Serving as a means for evaluating the cost-effectiveness of safeguards and countermeasures
- Providing values for insurance purposes and establishing an overall net worth or net value for the organization
- Helping senior management understand exactly what is at risk within the organization
- Preventing negligence of due care/due diligence and encouraging compliance with legal requirements, industry regulations, and internal security policies
2.4 Identify Threats and Vulnerabilities
An essential part of risk management is identifying and examining threats. This involves creating an exhaustive list of all possible threats for the organization’s identified assets. The list should include threat agents as well as threat events.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30r1 Appendix D, “Threat sources,” and Appendix E, “Threat events.”
Even risk management consultants do not perform risk assessment and analysis on paper only; they typically employ risk assessment software. This software streamlines the overall task, provides more reliable results, and produces standardized reports that are acceptable to insurance companies, boards of directors, and so on.
2.5 Risk Assessment/Analysis
Risk management is primarily the responsibility of upper management. However, upper management typically assigns the actual task of risk analyses and risk response modeling to a team from the IT and security departments.
- Quantitative risk analysis assigns real dollar figures to the loss of an asset and is based on mathematical calculations.
- Qualitative risk analysis assigns subjective and intangible values to the loss of an asset and takes into account perspectives, feelings, intuition, preferences, ideas, and gut reactions.
- The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid analysis.
2.6 Qualitative Risk Analysis
Qualitative risk analysis is more scenario based than it is calculator based.
You can use many techniques to perform qualitative risk analysis:
- Brainstorming
- Storyboarding
- Focus groups
- Surveys
- Questionnaires
- Checklists
- One-on-one meetings
- Interviews
- Scenarios
- Delphi technique
2.6.1 Scenarios
The basic process for all these mechanisms involves the creation of scenarios. A scenario is a written description of a single major threat. The description focuses on how a threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets.
For each scenario, several safeguards are described that would completely or partially protect against the major threat discussed in the scenario. The analysis participants then assign to the scenario a threat level, a loss potential, and the advantages of each safeguard. These assignments can be simple—such as High, Medium, and Low, or a basic number scale of 1 to 10—or they can be detailed essay responses.
2.6.2 Delphi Technique
The Delphi technique is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus.
2.7 Quantitative Risk Analysis
The quantitative method results in concrete probability indications or a numeric indication of relative risk potential.
The process of quantitative risk analysis starts with asset valuation and threat identification (which can be performed in any order). This results in asset-threat pairings that need to have estimations of harm potential/severity and frequency/likelihood assigned or determined.
The major steps or phases in quantitative risk analysis are as follows:
1) Inventory assets, and assign a value (asset value [AV]).
2) Research each asset, and produce a list of all possible threats to each individual asset. This results in asset-threat pairings.
3) For each asset-threat pairing, calculate the exposure factor (EF).
4) Calculate the single loss expectancy (SLE) for each asset-threat pairing.
5) Perform a threat analysis to calculate the likelihood of each threat being realized within a single year—that is, the annualized rate of occurrence (ARO).
6) Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
7) Research countermeasures for each threat, and then calculate the changes to ARO, EF, and ALE based on an applied countermeasure.
8) Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
2.7 Quantitative Risk Analysis
The cost functions associated with quantitative risk analysis include the following:
- The exposure factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
- The single-loss expectancy (SLE) is the potential loss associated with a single realized threat against a specific asset. The SLE is calculated using the following formula:
SLE = asset value (AV) * exposure factor (EF)
or more simply:
SLE = AV * EF
- The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.
- The annualized loss expectancy (ALE) is the possible yearly loss of all instances of a specific realized threat against a specific asset.
ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)
or
ALE = asset value (AV) * exposure factor (EF) * annualized rate of occurrence (ARO)
or more simply:
ALE = SLE * ARO
or
ALE = AV * EF * ARO
The task of calculating EF, SLE, ARO, and ALE for every asset and every threat/risk is a daunting one.
2.8 Risk Responses
There are several possible responses to risk:
- Mitigation or reduction is the implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats.
- Assignment or transfer is the placement of the responsibility of loss due to a risk onto another entity or organization.
- Deterrence is the process of implementing deterrents to would-be violators of security and policy. The goal is to convince a threat agent not to attack.
- Avoidance is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option.
- Acceptance is the result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized.
- Reject or ignore. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due care/due diligence responses to risk.
2.8 Risk Responses
Risk appetite is the total amount of risk that an organization is willing to shoulder in aggregate across all assets.
Risk capacity is the level of risk an organization is able to shoulder.
An organization’s desired risk appetite may be greater than its actual capacity.
Risk tolerance is the amount or level of risk that an organization will accept per individual asset-threat pair.
This is often related to a risk target, which is the preferred level of risk for a specific asset-threat pairing.
A risk limit is the maximum level of risk above the risk target that will be tolerated before further risk management actions are taken.
2.8 Risk Responses
Inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed.
Once safeguards, security controls, and countermeasures are implemented, the risk that remains is known as residual risk.
Total risk is the amount of risk an organization would face if no safeguards were implemented. A conceptual formula for total risk is as follows:
threats * vulnerabilities * asset value = total risk
The controls gap is the amount of risk that is reduced by implementing safeguards. A conceptual formula for residual risk is as follows:
total risk – controls gap = residual risk
2.9 Cost vs. Benefit of Security Controls
Annual cost of the safeguard (ACS). Several common factors affect ACS:
- Cost of purchase, development, and licensing
- Cost of implementation and customization
- Cost of annual operation, maintenance, administration, and so on
- Cost of annual repairs and upgrades
- Productivity improvement or loss
- Changes to environment
- Cost of testing and evaluation
The final computation in this process is the cost/benefit calculation, or cost/benefit analysis.
[ALE pre-safeguard – ALE post-safeguard] – annual cost of safeguard (ACS) = value of the safeguard to the company
In review, to perform the cost/benefit analysis of a safeguard, you must calculate the following three elements:
- The pre-safeguard ALE for an asset-threat pairing
- The potential post-safeguard ALE for an asset-threat pairing
- The ACS (annual cost of the safeguard)
With those elements, you can finally obtain a value for the cost/benefit formula for this specific safeguard against a specific risk against a specific asset:
(pre-safeguard ALE – post-safeguard ALE) – ACS
or, even more simply:
(ALE1 – ALE2) – ACS
2.10 Countermeasure Selection and Implementation
Beyond the cost/benefit result, you should consider several other factors when assessing the value or pertinence of a security control:
- The cost of the countermeasure should be less than the value of the asset.
- The cost of the countermeasure should be less than the benefit of the countermeasure.
- The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from an attack.
- The countermeasure should provide a solution to a real and identified problem. (Don’t install countermeasures just because they are available, are advertised, or sound appealing.)
- The benefit of the countermeasure should not be dependent on its secrecy. Any viable countermeasure can withstand public disclosure and scrutiny and thus maintain protection even when known.
- The benefit of the countermeasure should be testable and verifiable.
- The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on.
- The countermeasure should have few or no dependencies to reduce cascade failures.
- The countermeasure should require minimal human intervention after initial deployment and configuration.
- The countermeasure should be tamperproof.
- The countermeasure should have overrides accessible to privileged operators only.
- The countermeasure should provide fail-safe and/or fail-secure options.
2.10 Countermeasure Selection and Implementation
Security controls, countermeasures, and safeguards can be implemented administratively, logically/technically, or physically.
The category of administrative controls consists of the policies and procedures defined by an organization’s security policy and other regulations or requirements. They are sometimes referred to as management controls, managerial controls, or procedural controls.
The category of technical controls or logical controls involves the hardware or software mechanisms used to manage access and provide protection for IT resources and systems.
Physical controls are security mechanisms focused on providing protection to the facility and real-world objects.