Domain 1: Security and Risk Management 15% Flashcards
Due Diligence
The research done to build the IT security architecture of your organization: best practices, common protection mechanisms, and researching new systems before implementing them.
Due Care
Prudent person rule. Implementing the IT security architecture and keeping systems patched. If compromised: fix the issue and notify affected users.
Negligence
The opposite of Due Care. If a system under your control is compromised and you can prove you exercised Due Care, you are most likely not liable; if you did NOT perform Due Care, you are most likely liable.
Real Evidence
Tangible, physical objects. In IT security: hard disks, USB drives - NOT the data on them.
Direct Evidence
Testimony from a first-hand witness about what they experienced with their five senses.
Circumstantial Evidence
Indirect evidence that supports an inference about a fact rather than proving it directly, e.g., logs showing a user was logged in at the time the data was copied.
Corroborative Evidence
Supports facts or elements of the case: not a fact on its own, but it supports other facts.
Hearsay
Not first-hand knowledge; normally inadmissible. Business records are an exception: Federal Rule of Evidence 803(6) admits a record or report “made at or near the time by, or from information transmitted by, someone with knowledge” and kept in the course of a regularly conducted activity, which is how system logs get admitted. Must have a clear chain of custody, and hash the files/logs to show the data was not modified.
Best Evidence Rule
The courts prefer the best evidence available (the original over a copy). Evidence should be accurate, complete, relevant, authentic, and convincing.
Secondary Evidence
Common in cases involving IT. Logs, documents and copies taken from the systems are considered secondary evidence.
Evidence Integrity
It is vital that the integrity of the evidence cannot be questioned. We prove it with hashes: forensics is done on copies, never on originals, and the hashes of both the original and the copy are checked before and after the forensic work.
Chain of Custody
Documents the handling of the evidence to prove its integrity, i.e., that no tampering was done: Who handled it? When did they handle it? What did they do with it? Where did they handle it?
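The two cards above describe a procedure (hash the original, work only on a verified copy, re-hash before and after, log every handling step). The following is an added example, not part of the original flashcards, that carries that procedure through in Python. The disk image, exhibit label and examiner names are constructed sample data; the tampered run shows what the post-analysis hash check is there to catch.

```python
"""Evidence integrity check plus a chain-of-custody log (added example)."""
import hashlib
from datetime import datetime, timezone

# Constructed sample "disk image": a few bytes standing in for a dd image of a seized drive.
SAMPLE_IMAGE = b"NTFS\x00\x00" + b"user: alice\nexfil.zip -> 203.0.113.7\n" + b"\x00" * 64


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the evidence bytes; this is the value written on the custody form."""
    return hashlib.sha256(data).hexdigest()


class Evidence:
    """One exhibit and its chain-of-custody log (who / what / when / where, each with a hash)."""

    def __init__(self, label: str, original: bytes, examiner: str, location: str):
        self.label = label
        self._original = original                 # never handed out for analysis
        self.original_hash = sha256_hex(original)  # acquisition hash, the reference value
        self.log = []
        self._record(examiner, "acquired and hashed original", location, self.original_hash, True)

    def _record(self, who: str, action: str, where: str, digest: str, ok: bool) -> None:
        self.log.append({
            "who": who, "action": action, "where": where,
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": digest, "matches_original": ok,
        })

    def working_copy(self, examiner: str, location: str) -> bytes:
        """Forensics is done on a copy; its hash must equal the acquisition hash before work starts."""
        copy = bytes(self._original)
        digest = sha256_hex(copy)
        ok = digest == self.original_hash
        self._record(examiner, "created working copy", location, digest, ok)
        if not ok:
            raise RuntimeError("working copy hash mismatch; do not proceed")
        return copy

    def verify(self, data: bytes, examiner: str, location: str, stage: str) -> bool:
        """Re-hash a copy and log whether it still matches the acquisition hash."""
        digest = sha256_hex(data)
        ok = digest == self.original_hash
        self._record(examiner, f"verified copy hash ({stage})", location, digest, ok)
        return ok

    def verify_original(self, examiner: str, location: str) -> bool:
        """Re-hash the sealed original itself (done after the examination, back in the locker)."""
        return self.verify(self._original, examiner, location, "original re-check")


def search_copy(copy: bytes, needle: bytes) -> bool:
    """Stand-in for an examination step: a read-only search of the working copy."""
    return needle in copy


def run_examination(tamper: bool = False) -> dict:
    """Acquire, copy, verify, analyze, verify again, then re-check the original.

    With tamper=True the working copy is modified mid-examination (simulating an
    accidental write), which the post-analysis hash check must report.
    """
    ev = Evidence("EXH-001", SAMPLE_IMAGE, "examiner1", "lab bench 3")
    copy = ev.working_copy("examiner1", "lab bench 3")
    pre_ok = ev.verify(copy, "examiner1", "lab bench 3", "before analysis")
    found = search_copy(copy, b"exfil.zip")
    if tamper:
        copy = copy.replace(b"alice", b"mallory")  # simulated modification of the copy
    post_ok = ev.verify(copy, "examiner1", "lab bench 3", "after analysis")
    original_ok = ev.verify_original("examiner1", "evidence locker")
    return {"pre_ok": pre_ok, "found": found, "post_ok": post_ok,
            "original_ok": original_ok, "log_entries": len(ev.log)}


if __name__ == "__main__":
    for tamper in (False, True):
        print("tampered copy" if tamper else "clean copy", run_examination(tamper))
```

A failed post-analysis check does not by itself invalidate the exhibit, because the original was never touched and still hashes to the acquisition value; it invalidates the results obtained from that copy, and the log entry records who was handling it when the mismatch appeared.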
Entrapment
Illegal and unethical: someone is persuaded to commit a crime they had no intention of committing and is then charged with it.
Enticement
Legal and ethical: making a crime more enticing to commit when the person has already broken the law, or at least has already decided to do so. Honeypots can be a good way to use enticement.
Copyright
Automatically granted. Lasts for the creator’s life plus 70 years; for works made for hire (by or for a corporation) 95 years from publication or 120 years from creation, whichever expires first.
Attack: Software piracy and copyright infringement (songs and images)
Trademarks
Brand names, logos, slogans. Registered (with the USPTO in the US) for 10 years at a time; can be renewed indefinitely as long as the mark stays in use.
Attack: Counterfeiting - fake Rolexes
Patents
Protects inventions for 20 years from the filing date. Cryptographic algorithms can be patented. Inventions must be novel, useful and nonobvious.
Attack: Patent infringement - using someone else’s patented invention in your product without permission.
Trade Secrets
You tell no one about your formula, your secret sauce. Protection lasts only as long as the secret is kept and reasonable measures are taken to keep it; if it is legitimately discovered (reverse engineering, independent invention) anyone can use it. Theft (misappropriation) of the secret is still actionable.
HIPAA
Health Insurance Portability and Accountability Act (1996). Puts strict privacy and security rules on how Protected Health Information (PHI) is handled by health insurers, providers and clearinghouses (claims processors). Has three rules: the Privacy Rule, the Security Rule and the Breach Notification Rule. A risk analysis is required.
Electronic Communications Privacy Act (ECPA)
Protects electronic communications against warrantless wiretapping (1986). This Act was weakened by the Patriot Act.
Patriot Act of 2001
Expands law enforcement’s electronic monitoring capabilities. Allows search and seizure without immediate disclosure to the target (delayed-notice warrants).
Computer Fraud and Abuse Act. (CFAA)
The most commonly used law to prosecute computer crimes. Enacted in 1986 and amended many times, including 2001 (Patriot Act) and 2008 (Identity Theft Enforcement and Restitution Act).
Gramm-Leach-Bliley Act (GLBA)
Applies to financial institutions. Enacted in 1999; requires protection of the confidentiality and integrity of consumer financial information.
Sarbanes-Oxley Act of 2002 (SOX)
Directly related to the accounting scandals of the early 2000s (Enron, WorldCom). Mandates regulatory compliance standards for the financial reporting of publicly traded companies. Intentional violations can result in criminal penalties.
EU Data Protection Directive
Very aggressive pro-privacy law (Directive 95/46/EC, superseded by the GDPR in May 2018). Organizations must notify individuals of how their data is gathered and used and must allow opt-out for sharing with third parties; opt-in is required for sharing the most sensitive data. No transfer out of the EU unless the receiving country is deemed to have adequate (equivalent) privacy protections; the US does NOT meet this standard on its own, which is why the Safe Harbor and later Privacy Shield frameworks were negotiated (both were subsequently invalidated by the EU Court of Justice).
Organization for Economic Cooperation and Development (OECD) Privacy Guidelines
Eight driving principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability. Security Safeguards principle: reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification and disclosure.
Wassenaar Arrangement
Export/import controls for conventional arms and dual-use goods and technologies. 41 countries are part of the arrangement (42 since India joined in 2017). Cryptography is considered “dual-use”. Iran, Iraq, China, Russia and others have import restrictions on strong cryptography.
Procurement
When we buy products or services from a third party, security requirements are included in the purchase, not added as an afterthought.
Service Level Agreement (SLA)
A contract that specifies measurable service levels (e.g., 99.9% uptime, response times) and the penalties for missing them.
Acquisitions
Your company acquires another. How do you ensure their security standards are high enough? How do you ensure data availability in the transition?
Divestitures
Your org is being split up. How do you ensure no data crosses boundaries it shouldn’t? Who gets the IT infrastructure?
GDPR, General Data Protection Regulation
A regulation in EU law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It does not matter where we are based: if we have customers in the EU/EEA we have to adhere to the GDPR. Violators may be fined up to 20 million euros or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
(ISC)² Code of Ethics Preamble
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.
(ISC)² Code of Ethics Canons
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure. 2. Act honorably, honestly, justly, responsibly, and legally. 3. Provide diligent and competent service to principals. 4. Advance and protect the profession.
IAB’s Ethics and the Internet
Defined in RFC 1087. Considered unethical: any activity that 1. seeks to gain unauthorized access to the resources of the Internet; 2. disrupts the intended use of the Internet; 3. wastes resources (people, capacity, computer); 4. destroys the integrity of computer-based information; or 5. compromises the privacy of users.
Information Security Governance: Mandatory items
Policies, Standards, Procedures
Information Security Governance: Non-mandatory items
Guidelines, Baselines (Benchmarks)
Information Security Governance: Personnel Security
Users often pose the largest security risk:
Awareness, Training, Hiring Practices, Employee Termination Practices, Vendors, Consultants, and Contractor Security, Outsourcing and Offshoring
Administrative (Directive) Access Controls
Organizational policies and procedures, regulations, training and awareness.
Technical Access Control
Hardware, software and firmware: firewalls, routers, encryption.
Physical Access Controls
Locks, fences, guards, dogs, gates, bollards
Preventative
Prevents an action from happening: least privilege, drug tests, IPS, firewalls, encryption.
Detective
Controls that detect during or after an attack: IDS, CCTV, alarms, anti-virus.
Corrective
Controls that correct the damage of an attack: anti-virus, patches, IPS.
Recovery
Controls that help us recover after an attack: DR environment, backups, HA environments.
Deterrent
Controls that deter an attack: fences, security guards, dogs, lights, “Beware of the dog” signs.
Compensating
Alternative controls put in place when the primary control is impossible or too costly to implement.
Qualitative Risk Analysis
How likely is it to happen and how bad is it if it happens? Most often done first, to decide where to focus the Quantitative Risk Analysis; sometimes done with a risk analysis matrix (likelihood vs. impact). Think “quality”: the result is a relative ranking such as high/medium/low, not a dollar figure.
Quantitative Risk Analysis
What will it actually cost us in dollars? Fact-based analysis using the total dollar value of the asset; math is involved.
Threat
A potentially harmful event, or the actor that causes it.
Vulnerability
A weakness that can allow a Threat to do harm.
Risk
Threat x Vulnerability
Impact
Can at times be added to the formula to give a fuller picture (Risk = Threat x Vulnerability x Impact).
Total Risk
Threat x Vulnerability x Asset Value
Residual Risk
Total Risk - Countermeasures: the risk that remains after the controls are applied.
Single Loss Expectancy (SLE)
Asset Value (AV) x Exposure factor (EF)
Annual Rate of Occurrence (ARO)
How often will this happen each year? (e.g., once every 10 years = 0.1)
Annualized Loss Expectancy (ALE)
SLE x ARO. This is what it costs us per year if we do nothing.
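The SLE / ARO / ALE cards above are the pieces of a cost/benefit decision: the standard CISSP rule is that a safeguard is worth buying when ALE(before) - ALE(after) - annual cost of the safeguard is positive. The following is an added example, not part of the original flashcards, that carries those formulas through for one asset against several candidate safeguards in Python. The data-center figures and the three safeguards are constructed sample numbers.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair with the inputs of the quantitative formulas."""
    asset: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one incident (0.0 .. 1.0)
    aro: float              # ARO, expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO (what it costs per year if we do nothing)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure, its yearly cost, and the EF/ARO it leaves behind (residual risk inputs)."""
    name: str
    annual_cost: float
    new_exposure_factor: float
    new_aro: float


def residual(s: Scenario, g: Safeguard) -> Scenario:
    """The scenario as it looks after the safeguard is applied."""
    return Scenario(s.asset, s.asset_value, g.new_exposure_factor, g.new_aro)


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """Net annual value = ALE(before) - ALE(after) - annual cost. Negative means not cost-justified."""
    return s.ale() - residual(s, g).ale() - g.annual_cost


def rank_safeguards(s: Scenario, options: list) -> list:
    """All options as (name, net value), best first."""
    scored = [(g.name, safeguard_value(s, g)) for g in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def cost_justified(s: Scenario, options: list) -> list:
    """Names of the safeguards whose risk reduction exceeds their yearly cost, best first."""
    return [name for name, value in rank_safeguards(s, options) if value > 0]


# Constructed sample: a $2M data center, a flood destroys 25% of it, expected once every 10 years.
DATA_CENTER = Scenario("data center", asset_value=2_000_000, exposure_factor=0.25, aro=0.1)

# Constructed candidate safeguards (costs and residual EF/ARO are illustrative).
SAFEGUARDS = [
    Safeguard("flood barriers", annual_cost=20_000, new_exposure_factor=0.05, new_aro=0.1),
    Safeguard("relocate to upper floor", annual_cost=45_000, new_exposure_factor=0.02, new_aro=0.1),
    Safeguard("second site, active/active", annual_cost=60_000, new_exposure_factor=0.0, new_aro=0.0),
]


if __name__ == "__main__":
    s = DATA_CENTER
    print(f"{s.asset}: SLE = ${s.sle():,.0f}, ALE = ${s.ale():,.0f} per year if we do nothing")
    for name, value in rank_safeguards(s, SAFEGUARDS):
        print(f"  {name:<28} net value ${value:>10,.0f}")
    print("cost-justified:", cost_justified(s, SAFEGUARDS))
```

With these inputs the SLE is $500,000 and the ALE $50,000 a year. The flood barriers cut the ALE to $10,000 for $20,000 a year (net +$20,000), relocating is barely positive (+$1,000), and the second site eliminates the risk but costs more than the risk itself (-$10,000), so it is the risk you accept or transfer rather than mitigate this way.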
Transfer the Risk
Shift the consequences to a third party, e.g., by buying insurance or outsourcing the activity.
Risk Avoidance
Stop doing the risky activity: don’t issue laptops to employees, or build the data center where there are no floods.
Risk Rejection
Ignoring or denying a known risk. This is never acceptable.
Secondary Risk
Mitigating one risk may open up another risk.
Risk Analysis: NIST 800-30
9-step risk assessment process (in the original 2002 version; Revision 1 of 2012 restructures it into prepare, conduct, communicate and maintain).
White Hat hackers
Professional pen testers trying to find flaws so we can fix them. Ethical hackers.
Black Hat hackers
Malicious hackers, trying to find flaws to exploit them
Grey Hat hackers
Somewhere between white and black hats: they look for a vulnerability and may publish it if the company does nothing to fix it.
Hacktivist
Hacking for political or socially motivated purposes.
Bots
A compromised system running malware that takes commands from the botnet it belongs to.
Botnets
A network of bots controlled through Command and Control (C2) infrastructure by its operators (bot-herders).
Phishing
A social-engineering email attack sent to many recipients.
Spear Phishing
Targeted phishing: not random spam, but aimed at specific individuals.
Whale Phishing (Whaling)
Spear phishing targeted at senior leadership of an organization.