Domain 1 - Security and Risk Management Flashcards
ISC2 code of ethics
PROTECT - society, commonwealth, and infrastructure
ACT - honorably, honestly, justly, responsibly, and legally
PROVIDE - diligent and competent service to principals
ADVANCE - and protect the profession
Risk categories
○ Damage - physical loss or inability to access an asset
○ Disclosure - disclosing critical information regardless of where or how it was disclosed
○ Losses - might be permanent or temporary including altered or inaccessible data
Risk Factors
○ Increase risk or susceptibility
○ Physical damage - natural disaster, power loss, vandalism
○ Malfunctions - failure of systems, networks, peripherals
○ Attacks - purposeful acts from inside or outside such as unauthorized disclosure
○ Human errors - usually accidental
○ Application errors - failures of app or OS
Risk Response
○ Acceptance - do nothing, risk is accepted
○ Mitigation - implement a countermeasure and accept residual risk
○ Assignment - transfer risk to 3rd party, e.g. insurance against damage or outsourcing
○ Avoidance - when costs of mitigating or accepting are higher than benefits of service
○ Deterrence - implementing deterrents to would-be violators, e.g. audit policy, cameras, sec guards, warning signs
○ Rejection - unacceptable response, ignore risk, pretend it doesn’t exist
Risk Management Framework (RMF)
○ NIST 800-37 is the primary RMF referenced
§ 7 steps (know these well)
® Remember PCSIAAM - People can see I am always monitoring
□ Prepare - to execute
□ Categorize - information systems
□ Select - sec controls
□ Implement - sec controls
□ Assess - the sec controls
□ Authorize - the system to operate in a normal environment
□ Monitor - the sec controls, periodically assessing
Residual Risk
risk that remains with conceivable safeguards in place
total risk
amount of risk if no safeguards were implemented
Threats * vulnerabilities * asset value = total risk
inherent risk
newly identified risk not yet addressed with risk management strategies, amount of risk that exists in the absence of controls
Quantitative risk analysis
assigns dollar value to evaluate effectiveness of countermeasures, more labor intensive, requires a lot of data that results in specific dollar values, OBJECTIVE, 6 steps
§ Inventory assets - and assign value (asset value or AV)
§ Identify threats - research each asset and produce list of possible threats (calculate EF and SLE)
§ Threat analysis - calculate likelihood of each threat being realized within single year (ARO)
§ Estimate potential loss - calculate the annualized loss expectancy (ALE)
§ Research countermeasures for each threat - calculate the changes to ARO and ALE based on countermeasures
§ Perform a cost/benefit analysis - of each countermeasure
Qualitative risk analysis
§ Uses scoring system to rank threats and countermeasure effectiveness
§ Uses guesswork, opinions, and estimations - SUBJECTIVE
§ “low, medium, high”
Delphi technique
Anonymous feedback and response process used to arrive at a consensus
Loss potential
What would be lost if threat agent was successful in exploiting a vuln
Delayed loss
§ Amount of loss that can occur over time
§ e.g. website down, money lost over time
Threat agents
Cause threats by exploiting vulns
Exposure factor (EF)
% of loss that an organization would experience if asset were violated by realized risk
Single Loss Expectancy
§ Cost associated with single realized risk against specific asset
§ SLE = Asset value (AV) * Exposure factor (EF)
§ SLE = 100,000 * 30% = 30,000
Annualized rate of occurrence (ARO)
Expected frequency a specific risk/ threat will occur in a year
Annualized Loss Expectancy (ALE)
§ ALE = SLE * ARO
§ Example:
□ Office building = $200,000 (AV)
□ Hurricane damage estimate = 50% (EF)
□ Hurricane probability is every 10 years = 10% (ARO)
□ SLE = AV * EF
® SLE = 200,000 * 50%
® SLE = 100,000
□ ALE = SLE * ARO
® ALE = 100,000 * 10%
® ALE = 10,000
In this example, spending over 10,000/year on hurricane damage mitigation is a waste of money because it costs more than we expect to lose
Safeguard evaluation
§ Good security controls mitigate risk, are transparent to users, difficult to bypass, and are cost effective
§ ALE before safeguard - ALE after safeguard - annual cost of safeguard = value of safeguard
□ Value of safeguard = ALE1 - ALE2 - ACS
□ Is the safeguard cost effective?
Controls gap
Total Risk - controls gap = residual risk
Supply Chain
○ Most services are delivered through a chain of multiple entities
○ Secure supply chain includes vendors who are secure, reliable, trustworthy, reputable
○ On-site assessment - visit org, interview personnel, observe operations
○ Document exchange and review - investigate dataset and doc exchange, review processes
○ Process/ policy review - request copies of security policy
○ 3rd party audit - involve independent auditor for security review
Threat modeling
○ Proactive or Reactive
○ Focused on assets - uses asset valuation to identify threats to valuable assets
○ Focused on attackers - identify potential attackers and identify threats based on their goals
○ Focused on software - considers potential threats against software the org develops
STRIDE (threat model)
§ Spoofing
§ Tampering
□ Data manipulation
§ Repudiation
□ Ability of user/ attacker to deny having performed an activity
§ Information Disclosure
§ Denial of service
§ Elevation of privilege
PASTA (threat model)
develop countermeasures based on asset value
§ Stage 1 - definition of objectives
§ Stage 2 - definition of technical scope
§ Stage 3 - app decomposition and analysis
§ Stage 4 - threat analysis
§ Stage 5 - weakness and vulnerability analysis
§ Stage 6 - attack modeling and simulation
§ Stage 7 - risk analysis and management
VAST (threat model)
based on Agile PM principles - integrate threat management into an agile development cycle
§ Visual
§ Agile
§ Simple
§ Threat
DREAD (threat model)
§ Damage potential?
§ Reproducibility?
§ Exploitability?
§ Affected Users?
§ Discoverability?
□ How difficult to discover the weakness
TRIKE (threat model)
focuses on acceptable risk
§ Open source threat modeling that implements a requirements model
§ Ensures the assigned level of risk for each asset is acceptable to stakeholders
COBIT
security control framework
§ IT management and governance framework
§ Principle 1 - meeting stakeholder needs
§ Principle 2 - cover enterprise end to end
§ Principle 3 - applying single, integrated framework
§ Principle 4 - enabling a holistic approach
§ Principle 5 - separating governance from management
Trust boundaries
any location where the level of trust/ security changes
technical controls
logical, involves hardware/ software mechanisms to manage access
administrative controls
policies and procedures
physical controls
anything you can touch
deterrent controls
deployed to discourage violation of sec policies
preventative controls
stop unwanted/ unauthorized activity from occurring
detective controls
discover/ detect unwanted/ unauthorized activity
compensating controls
options to other existing controls to aid in enforcement of sec policies
corrective controls
modifies environment to return systems to normal after an unwanted or unauthorized activity has occurred
□ I.e. antivirus removing malware
□ Backup software restoring files
recovery controls
extension of corrective controls but more advanced
e.g. vm shadowing, hot sites, warm sites
directive controls
direct, confine, or control actions of subjects to force or encourage compliance with sec policies
e.g. sec policy requirement, posted notifications
criminal law
prohibitions against acts such as murder, assault, etc
civil law
contract disputes, real estate, employment, estate
administrative law
gov agencies have leeway to enact admin law
Computer fraud and abuse act (CFAA)
first piece of cybercrime legislation, provides specific protections for systems operated by fed agencies
Federal sentencing guidelines
provided punishment guidelines to help fed judges interpret computer crime laws
Federal Information Security Management Act (FISMA)
required formal infosec operations for the federal government, regulates infosec for all federal agencies
Copyright and Digital Millennium Copyright Act
covers literary, musical, and dramatic works. Includes written works like website content
Trademarks
words, slogans, logos to identify company
Patents
protect IP rights of inventors
Trade secrets
IP that is critical to business and must not be disclosed
Licensing
4 types - contractual, shrink-wrap, click-through, and cloud services
Computer export controls
US can't export to Cuba, Iran, North Korea, Sudan, and Syria
Encryption Export Controls
dept of commerce details limitations on export of encryption products outside the US
Privacy (US)
basis for privacy rights is the 4th amendment to US constitution
Privacy (EU)
General Data Protection Regulation (GDPR) applies to any company with customers in the EU, standard contractual clauses and binding corporate rules
GDPR outlines fines of up to 4% of companies annual global revenue or 20 million euros (any company with a customer in the EU is subject to GDPR)
HIPAA (Health Insurance Portability and Accountability Act)
health
HITECH
(Health Information Technology for Economic and Clinical Health)
Gramm-Leach-Bliley Act (GLBA)
Financial institutions
COPPA
Children’s Online Privacy Protection Act, 13yo and under
Electronic communications privacy act (ECPA)
crime to invade electronic privacy of an individual, prohibits unauthorized monitoring of email and voicemail
Communications assistance for law enforcement act (CALEA)
enables the government to intercept wire and electronic communications and call-identifying information under certain circumstances – in particular, when it is necessary in order to protect national security.
Business Continuity Plan (BCP)
overall organizational plan for “how-to” continue business
§ Focuses on whole business
§ Cover comms and process more broadly
Umbrella policy
Disaster Recovery Plan (DRP)
returning IT infrastructure to operation after disaster
§ Focuses on technical aspects of recovery
§ Falls under the BCP umbrella
Continuity of operations plan (COOP)
plan for continuing to do business until IT infrastructure can be restored
Consequences of privacy and data breaches
○ Reputational damage - result in loss of customer trust and loss of revenue
○ Identity theft - using someones private info to impersonate them
○ IP Theft - costs customer, credit ratings, brand reputation, forfeiture of first to market advantage, loss of profitability, lines of business to competition
○ Fines - failing to report a breach can cost millions. GDPR outlines fines of up to 4% of companies annual global revenue or 20 million euros (any company with a customer in the EU is subject to GDPR)
Breach notifications
○ Laws - failing to report a breach can result in fines that can reach into the millions
○ GDPR - breaches must be reported within 72 hours
○ Escalations - to external sources like law enforcement or outside experts to stop/ investigate breach
○ Other countries have their own reporting timescale
○ Delays - can sometimes allow for criminal investigation
FERPA
Family education rights and privacy act, ensures privacy of educational records
Homeland Security Act (HSA)
created DHS and the cyber enhancement act of 2002 and the critical in
Memorandum of understanding (MOU)
statement of intentions, NOT a legal contract
Service Organization Control (SOC)
review of existing security
Type 1 = point in time
Type 2 = over a period of time
SOC1=financial
SOC2=security and CIA
PCI DSS
Credit card compliance, BANK can pursue legal actions