Domain 1 - Security and Risk Management Flashcards
Confidentiality
Access controls help ensure that only authorized subjects can access objects.
Integrity
Ensures that data or system configurations are not modified without authorization
Availability
Authorized requests for objects must be granted to subjects within a reasonable amount of time.
Code of Ethics
PAPA
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession
Security Policy development
Acceptable Use Policy
Assigns roles and responsibilities
Security Baselines
Define “minimum levels”
Security Guidelines
Offer recommendations
Security Procedures
Detailed step-by-step
Risk Categories
Group of potential causes of risk.
Damage - Results in the physical loss of an asset or the inability to access the asset.
Disclosure - Disclose critical information regardless of how or where it was disclosed.
Losses - Might be permanent or temporary including altered data or inaccessible data.
Risk Factors
Something that increases risk or susceptibility.
Physical damage - Natural disaster, power loss, or vandalism.
Malfunctions - Failure of systems, networks, or peripherals.
Attacks - Purposeful acts whether from the inside or outside, such as unauthorized disclosure.
Human errors - Usually considered accidental incidents, whereas attacks are purposeful incidents.
Application errors - Failures of the application including the operating system.
Security Planning
Strategic - long term ~5 year
Tactical - midterm plan ~1 year
Operations - shorter (highly detailed) month to month or quarterly.
Response to risk
Risk acceptance - Do nothing, accept the risk and potential loss if threat occurs.
Risk mitigation - You do this by implementing a countermeasure and accepting the residual risk.
Risk Assignment - Transfer risk to 3rd party.
Risk Avoidance - When costs of mitigating or accepting are higher than benefits of service
Risk Deterrence - Implementing deterrents to would-be violators of security behavior.
Risk rejection - UNACCEPTABLE possible response to risk: rejecting or ignoring the risk.
Risk management Frameworks
Primary risk management framework
NIST 800-37 rev 2
7 Steps of NIST 800-37 rev 2
PCSIAAM
People Can See I am Always Monitoring
- Prepare - to execute the RMF
- Categorize - information systems
- Select - security controls
- Implement - security controls
- Assess - the security controls
- Authorize - the system (ATO)
- Monitor - security controls
When legal issues are involved.
contact an attorney
Types of Risks
Residual - risk that remains after all safeguards - After
Inherent - risk that exists without controls (newly identified) - Before
Total - amount of risk an organization would face if no safeguards were implemented - Without
Total Risk Formula
threats * vulnerabilities * asset value = total risk
Risk formula
threat * vulnerability = risk
Risk analysis - Quantitative
Quantitative - dollar value to evaluate effectiveness of countermeasures. OBJECTIVE
- Assign asset value (AV)
- Calculate exposure factor (EF)
- Calculate single loss expectancy (SLE)
- Assess the annualized rate of occurrence (ARO)
- Derive the annualized loss expectancy (ALE)
- Perform cost/benefit analysis of countermeasures
- Inventory assets and assign a value (AV)
- Identify threats. Research each asset and produce a list of all possible threats to each asset. (EF and SLE)
- Perform a threat analysis to calculate the likelihood of each threat being realized within a single year. (ARO)
- Estimate the potential loss by calculating the annualized loss expectancy (ALE).
- Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
- Perform a cost/benefit analysis of each countermeasure for each threat for each asset.
Risk analysis - Qualitative
Uses a scoring system to rank threats and effectiveness of countermeasures. SUBJECTIVE
Delphi Technique
An anonymous feedback and response process used to arrive at a consensus.
Loss potential
What would be lost if the threat agent is successful in exploiting a vulnerability.
Delayed loss
This is the amount of loss that can occur over time.
Threat agent
The entity that causes the threat by exploiting vulnerabilities.
Formula terms
exposure factor (EF) - % of loss that an organization would experience if a specific asset were violated by a realized risk.
single loss expectancy (SLE)
Represents the cost associated with a single realized risk against a specific asset.
annualized rate of occurrence (ARO) - The expected frequency with which a specific threat or risk will occur within a single year.
annualized loss expectancy (ALE)
Safeguard evaluation -
SLE Formula
AV * EF = SLE
ALE
SLE * ARO = ALE
Safeguard Evaluation formula
ALE before safeguard - ALE after safeguard - annual cost of safeguard = value of safeguard
ALE1 - ALE2 - ACS = value of safeguard
Controls gap
the amount of risk reduced by implementing safeguards
total risk - controls gap = residual risk
Threat Modeling
Security process where potential threats are identified, categorized, and analyzed.
Threat Model
STRIDE
STRIDE (Microsoft): Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Threat Model
PASTA
Risk centric approach
Stage I: Definition of Objectives
Stage II: Definition of Technical Scope
Stage III: App Decomposition and Analysis
Stage IV: Threat Analysis
Stage V: Weakness and Vulnerability Analysis
Stage VI: Attack Modeling & Simulation
Stage VII: Risk Analysis & Management
Threat Model
VAST
Based on Agile project management
Visual
Agile
Simple
Threat
Threat Model
Trike
Risk-based approach
Threat Model
DREAD
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
Reduction Analysis - Threat Modeling
Trust boundary - any location where the level of trust or security changes
Data flow paths
Input points - locations where external inputs are received
Privileged operations - any activity that requires greater privileges than those of a standard user account
Details about security stance and approach
Security controls
measures for countering and minimizing loss or unavailability
Control categories
Technical (logical) - hardware/software mechanisms used to manage access
Administrative - policies and procedures defined by org’s security policy, and other regulations and requirements.
Physical - items which you can touch - guards, gates, laptop locks
Control types
Deterrent Controls - deployed to discourage violation of security policies
Preventative Controls - deployed to thwart or stop unwanted or unauthorized activity from occurring - (fences, locks, access control points, alarm systems, separation of duties, job rotation, antimalware software, firewalls, IPSs)
Detective Controls - deployed to discover or detect unwanted or unauthorized activity - (CCTV, honeynets/honeypots, IDSs, security cameras, guards, audit trails, incident investigators). Discover activity only AFTER it has occurred.
Compensating Controls - provide alternative options to existing controls to aid in enforcement of security policies.
Corrective Controls - modifies the environment to return system to normal after an unwanted or unauthorized activity has occurred
Recovery Controls - an extension of corrective controls but with more advanced or complex abilities. Attempt to repair or restore resources, functions, and capabilities after a security policy violation.
Directive Controls - direct, confine, or control the actions of subjects to force or encourage compliance with security policies
Laws
Computer Fraud and Abuse Act (CFAA) - The first major piece of US cybercrime-specific legislation.
Federal Sentencing Guidelines - Provided punishment guidelines to help federal judges interpret computer crime laws.
Federal Information Security Management Act (FISMA) - Required formal infosec operations for the federal gov’t.
Copyright and the Digital Millennium Copyright Act - Covers literary, musical, and dramatic works.
IP Licensing
Trademarks - Cover words, slogans, and logos used to identify a company and its products or services.
Patents - Protect the intellectual property rights of inventors.
Trade Secrets - Intellectual property that is absolutely critical to a business and must not be disclosed.
Licensing - 4 types you should know are contractual, shrink-wrap, click-through, and cloud services.
Encryption and Privacy
Computer Export Controls - US companies can’t export to Cuba, Iran, North Korea, Sudan, and Syria.
Encryption Export Controls - Regulations on the export of encryption products outside the US.
Privacy (US) - The basis for privacy rights is in the Fourth Amendment to the U.S.
Privacy (EU) - General Data Protection Regulation (GDPR) is the most likely to be mentioned.
U.S. Privacy Laws
HIPAA (Health Insurance Portability and Accountability Act)
HITECH (Health Information Technology for Economic and Clinical Health)
Gramm-Leach-Bliley Act (financial institutions)
Children’s Online Privacy Protection Act (COPPA)
Electronic Communications Privacy Act (ECPA)
Communications Assistance for Law Enforcement Act (CALEA)
Domain 1
Chapter 1 - 4
Integrity is dependent on
Confidentiality and access control
Availability is dependent on
integrity and confidentiality
Protection Mechanisms
Defense in depth
Abstraction - used for efficiency. Similar elements are put into groups, classes or roles that are assigned security controls, restrictions, or permissions as a collective.
Data Hiding
Encryption
NIST Risk Management Framework (RMF)
Six phases: CSIAAM
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
Elements of AAA
Identification
Authentication
Authorization
Auditing
Accountability
COBIT
Control Objectives for Information and Related Technology (COBIT) - security concept infrastructure used to organize the complex security solutions of companies.
UBA and UEBA
User behavior analytics
User and entity behavior analytics
- Concept of analyzing the behavior of users, subjects, visitors, customers, etc. for a specific goal or purpose.
RMM
Risk maturity model
is a means to assess the key indicators and activities of a mature, sustainable, and repeatable risk management process.
BCP
Business Continuity Plan - 4 steps
Project scope and planning
Business impact analysis
Continuity Planning
Approval and implementation
BIA
Business Impact Analysis
Identifies the business processes and tasks that are critical to an organization’s ongoing viability and the threats posed to those resources.
MTO | MTD
Maximum tolerable outage | Maximum tolerable downtime
The maximum length of time a business function can tolerate a disruption before suffering irreparable harm.
RTO
Recovery time objective (RTO) for each business function is the amount of time in which you think you can feasibly recover the function in the event of a disruption.
RPO
Recovery point objective
data loss equivalent to the time-focused
Business impact analysis process
Five stages:
- Identification of priorities
- Risk identification
- Likelihood assessment
- Impact analysis
- Resource prioritization
ITAR
International Traffic in Arms Regulations
- Controls the export of items that are specifically designated as military and defense items, including the technical information related to those items.
EAR
Export Administration Regulations
Cover a broader set of items that are designed for commercial use but may have military applications.
Canadian privacy law
PIPEDA
Personal Information Protection and Electronic Documents Act
Credit card payments - PCI DSS
12 main requirements