Domain 1 - Security and Risk Management Flashcards
Confidentiality
- We keep our data and secrets secret.
- We ensure no one unauthorized can access the data
Integrity
- Protection against modification of the data and the systems
- We ensure the data has not been altered
Availability
We ensure authorized people can access the data they need, when they need to
Threats on Confidentiality
- Attacks on encryption (cryptanalysis)
- Social Engineering
- Key Loggers
Countermeasures on threats on confidentiality
- Encrypt data at rest, e.g. AES-256 full disk encryption
- Secure transport protocols for data in motion: TLS (SSL is deprecated) or IPsec
- Secure practices for data in use, for example a clean desk, no shoulder surfing, locking the PC when unattended
- Strong passwords, multi-factor authentication, data masking, strict access control, Principle of Least Privilege (PoLP)
Threats on Integrity
- Alteration of data
- Code Injection
- Attacks on encryption
Countermeasures on threats on Integrity
- Cryptography
- Check sums/Hash verification
- Digital Signatures (also provide non-repudiation)
- Strict Access Control
Threats on Availability
- Malicious attacks (DDoS, physical attacks, system compromise, malicious staff)
- Application failures (errors in code)
- Component failures (Hardware)
Countermeasures on threats on availability
- IPS/IDS
- SLAs - how much uptime do we commit to (e.g. 99%, 99.9%)
- Patch Management
- Redundancy in Hardware power, Disks (RAID), Traffic Path, HVAC, staff, High Availability
The Opposite of CIA Triad
DAD (Disclosure, Alteration, and Destruction)
IAAA services
Identification, Authentication, Authorization, and Accountability
Identification
Claiming Identity for example, your name, username, id number
Authentication
Proving you are the identity you claimed.
3 types of Authentication
Type 1 - something you know (password, PIN, etc)
Type 2 - something you have (smart card, ID card, passport, hardware token, etc.)
Type 3 - something you are - biometrics; cannot be reissued if compromised (fingerprint, iris scan, facial geometry, etc.)
Authorization
Permission, What are you allowed to access.
Accountability
Trace action to subject identity, prove who/what a given action was performed by (non-repudiation)
What is mission IT Security in organization?
To support the organization and enable it to fulfill its mission statement and business goals. IT security is a support function, not the most important part of the organization.
What is PoLP?
Principle of Least Privilege - We give our users/systems exactly the access they need, no more, no less.
Need to Know - Even if you have access, if you do not need to know, then you should not access the data.
What is non-repudiation?
A user cannot deny having performed a certain action. This uses both Authentication and Integrity.
Subject and Object on Security Governance
Subject (Active) - Most often users, but can also be programs. The subject manipulates the object.
Object (Passive) - Any passive data. The object is manipulated by the subject.
Some entities can be both at different times: a running program is a subject; when closed, its data is an object.
Governance vs. Management
Governance - This is the C-level executives
> What are the stakeholder needs
> Setting direction through prioritization and decision making
> Monitoring performance and compliance against the agreed-upon direction and objectives
> Risk appetite - Aggressive, neutral, averse
Management - How do we get to the destination
> Plans, builds, runs and monitors activities in alignment with the direction set by governance to achieve the objectives.
> Risk tolerance - How are we going to practically work with our risk appetite in our environment.
Top-Down vs. Bottom-Up on Security Management
Bottom-Up : IT security is seen as an annoyance rather than a helper; this often changes once a breach happens.
Top-Down : IT leadership is on board with IT security; they lead and set direction.
What is PCI-DSS?
Payment Card Industry Data Security Standard
> An industry standard, not a law, but contractually required if we want to handle or issue debit and credit cards
What is OCTAVE?
Operationally Critical Threat, Asset, and Vulnerability Evaluation
> Flexible Risk Management
What is COBIT?
Control Objectives for Information and related Technology
> Goals for IT - Stakeholder needs are mapped down to IT related goals.
What is COSO?
Committee of Sponsoring Organizations (of the Treadway Commission)
> Goals for the entire organization (higher level than COBIT)
What is ITIL?
Information Technology Infrastructure Library
> IT Service Management (ITSM)
What is FRAP?
Facilitated Risk Analysis Process
> Analyzes one business unit, application, or system at a time in a roundtable brainstorm with internal employees. The impact is analyzed, and the threats and risks are prioritized.
List ISO 27000 series?
ISO 27001: Establishing, implementing, controlling, and improving the ISMS. Uses PDCA (Plan, Do, Check, Act). This is the standard an organization can be certified against.
ISO 27002: Provides practical advice on how to establish, implement, control, and improve security controls, organized into control domains (the number of domains varies by edition). Cannot be certified against.
ISO 27003: Information security management system implementation guidance
ISO 27004: Provides metrics for measuring the success of your ISMS
ISO 27005: Standards based approach to risk management
ISO 27799: Guidance on how to protect PHI (Protected Health Information) in healthcare organizations
What is Defense in Depth?
> Layered defense or onion defense: implement multiple overlapping security controls to protect an asset
This applies to physical, administrative, and logical (technical) controls
No single security control secures an asset
Improves the organization's CIA
List Legal and Regulatory issues
Criminal Law: Society is the victim; text of the law is included in the United States Code
Civil Law: Individuals, groups or organizations are the victim; mostly financial penalties; text of the law is included in the United States Code
Administrative Law: Regulations enacted by government agencies (FDA regulations, HIPAA, FAA); the CFR (Code of Federal Regulations) contains all administrative law
Private Regulations: Compliance is required by contract (PCI-DSS)
Customary Law: Based on the customs and personal conduct of an area/region
Religious Law: Based on the religious beliefs in that area or country; includes morality and a code of ethics
Supreme Court rulings contain interpretations of the law
If something happens, who is ultimately liable?
Senior leadership, but negligence must be proven.
> Due Diligence (Do Detect): researching and planning the IT security architecture before implementing it.
> Due Care (Do Correct): acting on that plan; the prudent person rule.
> Negligence: if a system under your control is compromised and you did NOT perform due care, you are most likely liable.
List type of evidence
Real Evidence: Tangible and physical object in IT Security: Hard disks, USB drives (not the data)
Direct Evidence: Testimony from a first hand witness, what they experienced
Circumstantial Evidence: Evidence to support circumstances for a point or other evidence.
Corroborative Evidence: Support facts or elements of the case; not facts on their own but they support other fact
Hearsay: not first-hand knowledge - normally inadmissible in a case
How do we ensure evidence integrity?
With hashes: the original is hashed at acquisition, a bit-for-bit copy is made and hashed, and the two digests must match. All forensic analysis is done on copies, never on the originals.
Why are logs and documents considered secondary evidence?
Because they are not real evidence: there is nothing tangible you can touch.
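The acquire-copy-verify-record workflow above, as an added example that is not part of the flashcards. The "disk image" is a few constructed bytes written to a temporary directory; in practice the original would be the acquired image and the working copy the file the analyst actually examines. MD5 is recorded only because older tooling still reports it; SHA-256 is the digest that matters.

```python
"""Verifying evidence integrity with cryptographic hashes (added example)."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

# Record both: SHA-256 for integrity, MD5 only for comparison with legacy tools.
ALGORITHMS = ("md5", "sha256")

# Constructed 16 KiB stand-in for an acquired disk image (not real evidence).
IMAGE_BYTES = bytes(range(256)) * 64


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file in chunks so multi-GB images never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original: Path, copy: Path) -> bool:
    """True only if every recorded digest of the copy matches the original."""
    return hash_file(original) == hash_file(copy)


def record_custody(path: Path, handler: str, action: str, log: List[dict]) -> dict:
    """Append a chain-of-custody entry that carries the digests at that moment."""
    entry = {
        "file": path.name,
        "handler": handler,
        "action": action,
        "time": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(path),
    }
    log.append(entry)
    return entry


def demo() -> dict:
    """Acquire -> copy -> verify -> detect a tampered copy, all in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "evidence.img"
        original.write_bytes(IMAGE_BYTES)
        custody: List[dict] = []
        record_custody(original, "examiner A", "acquired", custody)

        # The analyst works on a bit-for-bit copy; the original is never touched again.
        working = Path(tmp) / "working_copy.img"
        shutil.copyfile(original, working)
        record_custody(working, "examiner A", "copied for analysis", custody)
        copy_ok = verify_copy(original, working)

        # Simulate a modified copy: flip a single byte in the middle of the image.
        tampered = Path(tmp) / "tampered.img"
        data = bytearray(IMAGE_BYTES)
        data[len(data) // 2] ^= 0xFF
        tampered.write_bytes(bytes(data))
        tampered_ok = verify_copy(original, tampered)

        return {
            "original": custody[0]["hashes"],
            "copy_ok": copy_ok,
            "tampered_ok": tampered_ok,
            "custody_entries": len(custody),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A single flipped byte changes every digest, so the tampered copy fails verification while the faithful copy passes; re-hashing the working copy after analysis and comparing to the custody log shows the examination itself did not alter it.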
What need to bear in mind when searching for evidence?
> Evidence must be obtained legally; even the organization's own employees must be made aware that their actions are monitored
> No threat to human life
What is entrapment and enticement?
Entrapment: When someone is persuaded to commit a crime they had no intention of committing and is then charged with it
Enticement: Making committing a crime more attractive to a person who has already decided to break the law. Honeypots can be a good way to use enticement
What is Intellectual Property?
A category of property that includes intangible creations of the human intellect.
Copyright: Automatically granted when something is created; lasts 70 years after the creator's death, or 95 years for corporate works
Trademark: Brand names, logos, slogans - must be registered; valid for 10 years and can be renewed indefinitely. Registered with the USPTO (US Patent and Trademark Office)
Patents: Protect an invention for 20 years; the invention must be novel, useful and non-obvious
Trade secrets: Tell no one your formula. No registration; protection depends on the organization taking reasonable measures to keep the secret, and it lasts as long as the secret is kept
What type of Attacks on Intellectual Property?
Copyright > Piracy
Trademark > Counterfeiting
Patent > Use of the invention by someone else without permission
Cybersquatting > Buying a domain name you know someone else will need
Typosquatting > Buying a domain name very close to a real website's name (can be illegal if the purpose is to impersonate it)
What is GDPR?
General Data Protection Regulation: EU regulation on data protection and privacy for all individuals within the EU
Violators of the GDPR may be fined up to 20 million EUR or 4% of global annual turnover, whichever is higher
Personal data may be processed only if there is at least one lawful basis for doing so; the data subject's informed consent is one such basis
What is Privacy?
Protecting PII (personally identifiable information) from unauthorized disclosure
Example Rules/Regulation in US?
HIPAA - Health Insurance Portability and Accountability Act. Strict privacy rules on handling PHI (Protected Health Information)
Security Breach Notification Laws
ECPA - Electronic Communication Privacy Act. Protection of electronic communication against warrantless wiretapping, weakened by the Patriot Act.
Patriot Act of 2001:
> Expand law enforcement electronic monitoring capabilities
> Allow search and seizure without immediate disclosure
CFAA - Computer Fraud and Abuse Act, protects computers used by the government or in interstate commerce from a variety of abuses
GLBA - Gramm-Leach-Bliley Act
Applies to financial institutions
SOX - Sarbanes-Oxley Act
Directly related to accounting scandals
PCI-DSS - Payment Card Industry-Data Security Standard
created by payment card industry
FISMA - Federal Information Security Management Act of 2002 (replaced GISRA, which expired in 2002), updated by the Federal Information Security Modernization Act of 2014; applies to federal agencies and their contractors
FERPA - Family Educational Rights and Privacy Act, It grants certain privacy rights to students older than 18 and the parents of minor students
Identity Theft and Assumption Deterrence Act In 1998, This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.
What are example of GDPR regulation?
> Right to access: Data controllers must provide a free copy of an individual's data on request
> Right to erasure: All users have a "right to be forgotten"
> Data portability: All users can request their data "in electronic format"
> Data breach notification: The supervisory authority must be notified within 72 hours of the controller becoming aware of a breach; affected data subjects must be notified without undue delay when the breach is likely to put them at high risk
> Privacy by design: When designing data processes, care must be taken to ensure personal data is secure
> Data Protection Officers: Companies whose core activities involve large-scale data processing and monitoring must appoint a data protection officer
What is OECD Privacy Guidelines?
Organisation for Economic Co-operation and Development, an intergovernmental body of member nations from around the world (30 at the time these guidelines were widely adopted; 38 today).
8 driving principles, issued in 1980:
> Collection Limitation: collection must be lawful and with the knowledge of the subject
> Data Quality: data should be accurate, complete and relevant
> Purpose Specification: state why the data is being collected
> Use Limitation: use only with the subject's consent or as required by law
> Security Safeguards: reasonable safeguards protect the data's CIA
> Openness: practices and policies are communicated openly
> Individual Participation: subjects can find out which organizations hold their data and challenge it
> Accountability: the organization is accountable for complying with the other seven principles
What is wassenaar Arrangement?
Export control arrangement covering conventional arms and dual-use goods; cryptography is considered dual use (both harmful and beneficial)
How we ensure security on 3rd party services and applications?
- Set an SLA (Service Level Agreement)
- Put the right to penetration test and the right to audit into the agreement
- Require the vendor to be certified or attested against industry standards: ISO 27001, SOC 2, PCI-DSS
Security Governance Principles Pyramid
> Values (Ethics, Principles, Belief)
Vision (Hope and Ambition)
Mission (Motivation and Purpose)
Strategic Objectives (Plans, goals, and sequencing)
Action and KPIs (Actions, Resources, Outcomes, Owners, and Timeframes)
Policies, Standards, Guidelines, Procedures and Baselines on Security Governance
> Policy (Mandatory) : General Management Needs, High level, non-specific
Standards (Mandatory) : Specific Mandatory Control, specific
Guidelines (non-Mandatory) : Recommendation/Best Practice
Procedures (Mandatory) : Low level step-by-step guides
Baselines (Mandatory) : minimum requirement, implement stronger if needed
How to increase Personnel Security using Security Governance?
> Awareness: establishes a minimum standard common denominator or foundation of security understanding
Training: Set security training
Hiring Practices: Do background checks
Employee Termination Practices: Coordinate with HR to shut off access at the right time
List Access Control categories
> Administrative (Directive) Control: Organizational policies, Regulation
Technical Controls: Hardware/software/firmware - Firewalls, routers, encryption
Physical Controls: Locks, fences, guards, turnstile
List Access Control types
> Preventative: Prevents action from happening - Least privilege, IPS, firewalls
Detective: Controls that detect during or after attack, IDS, CCTV, alarms
Corrective: Controls that Correct an attack - Anti-virus, patches, IPS
Recovery: Controls that help us Recover after attack, DR Environment, backups, HA environments
Deterrent: Controls that Deter an attack - Fences, security guards, dogs
Compensating: Controls that Compensate, when other control are impossible or too costly to implement
4 Phases - Risk Management Lifecycle
> Risk Identification: Is there a risk? Identify the assets and determine which risk appetite we have
Tangible Assets: can be physically touched - buildings, hardware
Intangible Assets: cannot be physically touched - data, trade secrets
> Risk Assessment: How bad is the risk?
> Risk Mitigation: How do we want to respond to it?
> Risk and Control Monitoring: Iterative; monitor the controls using KRIs and KPIs
The Prudent Man Rule (applied to information security by the 1991 US Federal Sentencing Guidelines)
Requires senior executives to take personal responsibility for information security matters
Quantitative Risk Assessment vs Qualitative Risk Assessment
Qualitative Risk Assessment > more scenario based than it is calculator based. best tool for intangible assets
> Delphi technique : anonymous feedback-and-response process used to
enable a group to reach an anonymous consensus
> Risk Analysis Matrix : Consequences x Likelihood
Quantitative Risk Assessment > results in concrete probability indications or a numeric indication of relative risk potential
> Assign Asset Value
> Calculate Exposure Factor (EF) : percentage of loss that an organization
would experience if a specific asset were violated by a realized risk
> Calculate Single Loss Expectancy (SLE) : SLE = asset value (AV) * exposure
factor (EF), potential loss associated with a single realized threat against a
specific asset
> Assess Annual Rate of Occurrence (ARO) : the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year
> Get Annualized Loss Expectancy (ALE) : ALE = SLE * ARO
> Perform Cost/Benefit Analysis for countermeasures: value of a safeguard = ALE before - ALE after - annual cost of the safeguard
Total Risk = Threat * Vulnerability * Asset Value
Residual Risk = Total Risk - Countermeasures (the controls gap)
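The SLE/ALE chain and the cost/benefit step, carried through for several candidate countermeasures, as an added worked example that is not part of the flashcards. The asset value, exposure factors, rates of occurrence and safeguard costs are constructed illustrative numbers; it goes slightly beyond the cards by letting a control change either EF (how much is lost per incident) or ARO (how often it happens) and rejecting any control whose annual cost exceeds the risk it removes.

```python
"""Quantitative risk assessment: SLE, ALE and safeguard cost/benefit (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per realized threat (0..1)
    aro: float              # ARO, expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float               # purchase and upkeep, amortized per year
    new_ef: Optional[float] = None   # EF after the control (None = unchanged)
    new_aro: Optional[float] = None  # ARO after the control (None = unchanged)


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy = AV * EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction in [0, 1]")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE * ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef) * aro


def safeguard_value(asset: Asset, sg: Safeguard) -> float:
    """Cost/benefit of one control: ALE(before) - ALE(after) - annual cost.

    Positive means the control saves more than it costs per year; negative
    means accepting the risk is cheaper than buying the control.
    """
    before = ale(asset.value, asset.exposure_factor, asset.aro)
    ef_after = asset.exposure_factor if sg.new_ef is None else sg.new_ef
    aro_after = asset.aro if sg.new_aro is None else sg.new_aro
    after = ale(asset.value, ef_after, aro_after)
    return before - after - sg.annual_cost


def recommend(asset: Asset, options: List[Safeguard]) -> Tuple[str, float]:
    """Pick the safeguard with the highest positive value, else accept the risk."""
    best_name, best_value = "accept risk", 0.0
    for sg in options:
        value = safeguard_value(asset, sg)
        if value > best_value:
            best_name, best_value = sg.name, value
    return best_name, best_value


# Constructed scenario: a customer database server (illustrative numbers only).
DB_SERVER = Asset(name="customer DB", value=500_000, exposure_factor=0.4, aro=0.5)

OPTIONS = [
    # Backups cut the loss per incident (EF) but not how often it happens (ARO).
    Safeguard("offsite backups", annual_cost=20_000, new_ef=0.1),
    # A WAF mostly reduces how often the threat is realized.
    Safeguard("web application firewall", annual_cost=60_000, new_aro=0.1),
    # Gold-plated option: removes most of the risk but costs more than the risk itself.
    Safeguard("full DB rewrite", annual_cost=150_000, new_ef=0.05, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE = {sle(DB_SERVER.value, DB_SERVER.exposure_factor):,.0f}")
    print(f"ALE = {ale(DB_SERVER.value, DB_SERVER.exposure_factor, DB_SERVER.aro):,.0f}")
    for sg in OPTIONS:
        print(f"{sg.name:26s} value = {safeguard_value(DB_SERVER, sg):>10,.0f}")
    print("recommendation:", recommend(DB_SERVER, OPTIONS))
```

With these numbers SLE is 200,000 and ALE 100,000 per year; the backups are worth 55,000 a year, the WAF 20,000, and the rewrite is a net loss of 52,500, so the cost/benefit step picks the backups even though the rewrite removes the most risk.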
Example US Privacy Law
> Fourth Amendment : The basis for privacy rights
Privacy Act of 1974 : applies only to government agencies, agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed
Electronic Communications Privacy Act of 1986 : crime to invade the electronic privacy of an individual
Economic Espionage Act : protect trade secret
Communications Assistance for Law Enforcement Act (CALEA) of 1994 : requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use
Health Insurance Portability and Accountability Act of 1996 (HIPAA) : strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.
What is due diligence and due care?
Due diligence is establishing a plan, policy, and process to protect the interests of an organization.
Due care is practicing the individual activities that maintain the due diligence effort. Due diligence is knowing what should be done and planning for it; due care is doing the right action at the right time.
What is RAID and level of RAID?
Redundant Array of Independent (originally Inexpensive) Disks
RAID 0 - Striping, no fault tolerance (high performance)
RAID 1 - Mirroring, data duplicated on two drives (expensive, survives one disk failure)
RAID 5 - Striping with distributed parity, 3 or more disks, survives one disk failure
RAID 6 - Striping with double parity, 4 or more disks, survives two disk failures
RAID 10 - Most common; combines RAID 1 (mirroring) with RAID 0 (striping). Survives one failure per mirror pair, so up to 2 disks on a 4-disk array as long as they are not in the same pair
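How parity gives RAID 5 its one-disk fault tolerance, as an added example that is not part of the flashcards. The parity block is the XOR of the data blocks in the stripe, so any single missing block (data or parity) is the XOR of the survivors; with two blocks missing there is one equation and two unknowns, which is why RAID 6 adds a second, independent parity. For readability this example keeps parity on the last disk (the RAID 4 layout); real RAID 5 rotates the parity position across disks per stripe, but the arithmetic is identical. The disk blocks are constructed byte strings.

```python
"""XOR parity as used by RAID 5: write a stripe, lose a disk, rebuild it (added example)."""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bitwise XOR of equally sized blocks."""
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must be the same size")
    out = bytearray(size)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """Return the stripe as stored on N+1 disks: N data blocks plus one parity block."""
    if len(data_blocks) < 2:
        raise ValueError("RAID 5 needs at least 3 disks, i.e. at least 2 data blocks")
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Reconstruct a stripe in which at most one disk (None) has failed."""
    missing = [i for i, block in enumerate(stripe) if block is None]
    if len(missing) > 1:
        raise RuntimeError(
            f"{len(missing)} disks lost; single parity can recover only one"
        )
    recovered = list(stripe)
    if missing:
        survivors = [block for block in stripe if block is not None]
        # XOR of every surviving block (data and parity) is the lost block.
        recovered[missing[0]] = xor_blocks(survivors)
    return recovered  # type: ignore[return-value]


def data_of(stripe: List[bytes]) -> List[bytes]:
    """Strip the parity block to get the user data back."""
    return stripe[:-1]


def demo() -> dict:
    """Lose one disk and recover; lose two and show that recovery is impossible."""
    data = [b"AAAA", b"BBBB", b"CCCC"]          # constructed 3-disk stripe
    stripe = write_stripe(data)                  # 4 disks: 3 data + 1 parity
    one_lost = list(stripe)
    one_lost[1] = None                           # disk 1 fails
    rebuilt = rebuild(one_lost)
    two_lost = list(stripe)
    two_lost[0] = two_lost[2] = None             # two disks fail at once
    try:
        rebuild(two_lost)
        two_disk_recovery = True
    except RuntimeError:
        two_disk_recovery = False
    return {
        "parity": stripe[-1],
        "one_disk_recovered": data_of(rebuilt) == data,
        "two_disk_recovery_possible": two_disk_recovery,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that parity protects against a disk that stops responding, not against a disk that silently returns wrong data: XOR recovery assumes the survivors are correct, which is why availability controls like RAID are paired with the integrity controls (checksums) listed earlier.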
Data custodian
The assigned role responsible for implementing the security controls defined by policy and senior management (the data owner decides, the custodian carries it out)
Type of Risk Responses
> Risk Mitigation (Reducing risk) : the implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats
> Risk Assignment (Risk Transference) : the placement of the responsibility of loss due to a risk onto another entity or organization, Purchasing cybersecurity insurance
> Risk Deterrence : implementing deterrents to would-be violators of security and policy, the goal is to convince a threat agent not to attack. example, security cameras, and warning banners
> Risk Avoidance : process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. example, remove unused but vulnerable server.
> Risk Acceptance : is the result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk
> Risk Rejection : An unacceptable possible response to risk is to reject risk, ignoring risk may be considered negligence in court
List of Social Engineering Principle
- Authority : the attacker claims to be, or to act for, a higher authority
- Intimidation : threats or pressure to force compliance
- Consensus (social proof) : "everyone else has already done this"
- Scarcity : convincing someone that an object has a higher value because it is scarce
- Familiarity : the attacker appears to be someone the target already knows or likes
- Trust : building a relationship before making the request
- Urgency : demanding action now so the target has no time to verify
Why mandatory vacations is necessary?
Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This often results in easy detection of abuse, fraud, or negligence.
What is UBA/UEBA?
User behavior analytics (UBA) and user and entity behavior analytics (UEBA) are the concepts of analyzing the behavior of users, subjects, visitors, customers, and so forth for some specific goal or purpose. Information collected from UBA/UEBA monitoring can be used to improve personnel security policies, procedures, training, and related security oversight programs.
Risk management framework (RMF) from NIST
> Prepare, to execute the RMF from an organization- and system-level perspective by establishing a context and priorities for managing security and privacy risk.
> Categorize, the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss.
> Select, an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk.
> Implement, the controls and describe how the controls are employed within the system and its environment of operation.
> Assess, the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.
> Authorize, the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable.
> Monitor, the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
What is SCRM?
supply chain risk management (SCRM), means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners
What is the goal of Reduction Analysis?
to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements
5 key concepts:
> Trust Boundaries : Any location where the level of trust or security changes
> Dataflow Paths : The movement of data between locations
> Input Points : Locations where external input is received
> Privileged Operations : Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security
> Details about Security Stance and Approach : The declaration of the security policy, security foundations, and security assumptions
4 Steps of BCP process
- Project scope and planning
- Business impact analysis
- Continuity planning
- Approval and implementation
Differences between BCP vs DRP
BCP: Business Continuity Planning deals with keeping business operations running — perhaps in another location or by using different tools and processes — after a disaster has struck.
DRP: Disaster Recovery Planning deals with restoring normal business operations after the disaster takes place.
The BCP project concentrates on continuing business operations, whereas the DRP project focuses on recovering the original business functions
5 Stages on business impact analysis process
> identification of priorities > risk identification > likelihood assessment > impact analysis > resource prioritization
d/ element of data categorization management
d/ military data and private sector data classification
d/ licensing agreements
What is KGI, KPI, and KRI?
KGI (Key Goal Indicator) : measures whether an IT process has achieved its business need
KPI (Key Performance Indicator) : how well the process is performing in enabling the goal
KRI (Key Risk Indicator) : quantifies the risk the organization is facing