Domain 1: Security and Risk Management Flashcards
What is the CIA Triad?
Confidentiality, Integrity and Availability
What is the principle of ‘confidentiality’?
Protecting the secrecy of data, objects, or resources by preventing unauthorised access to data. Related concepts: preventing unauthorised disclosure, need to know, least privilege, and assurance that information is not disclosed to unauthorised programs, users, or processes. Mechanisms include encryption and logical and physical access control.
What is the principle of ‘integrity’?
Protecting the reliability and correctness of data. Examples include access controls, IDS/IPS, and hashing.
What is the principle of ‘availability’?
Providing authorised subjects timely and uninterrupted access to objects. This means access to data is reliable, timely, accessible, and fault tolerant, with recovery procedures in place. Examples include monitoring network traffic.
What is an ‘object’?
Passive element, such as files, computers, network connections, and applications
What is a ‘subject’?
Active element in a security relationship, such as users, programs and computers.
What is defense in depth?
Use of multiple controls in a series to protect an asset
What is abstraction?
Where the details of something are hidden. Security controls can be applied to the entire group (thus hiding the details).
What is ‘IAAA’?
Identification, Authentication, Authorisation, and Auditing
What is ‘Authentication’?
Proving one’s identity. Process of verifying or testing that the claimed identity is valid. Examples include providing a correct password, or other correct information.
What is ‘Authorisation’?
About defining the permissions (e.g. grant or deny) of a resource and object access for a specific identity. It involves evaluating an access control matrix that compares the subject, the object, and the intended activity.
What is ‘Auditing’?
Process of recording log files to check for compliance and violations in order to hold subjects accountable for their actions. Ensures non-repudiation of a subject’s actions.
What is ‘layering’?
Use of multiple controls in a series. Also known as Defense in Depth. Serial configurations (controls in a row) are very narrow but very deep, whereas parallel configurations are very broad but lack depth.
What is ‘data hiding’?
Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible to or seen by the subject, such as polyinstantiation.
What is the weakest element in any security solution?
Humans
What role do job descriptions play when hiring new staff?
Ensure job descriptions consider separation of duties, separating key functions to limit the ability of one employee to circumvent key security controls. Further, ensure a classification for the job.
What is ‘job rotation’?
Rotating employees among multiple job positions. This is the best way to investigate an employee’s daily business activity to uncover any potential fraud that may be taking place.
Strategic Plan
Long-term plan defining the organisation’s security purpose. Aligns the plan with the organisation’s goals, mission, and objectives. This is a 5 year plan with annual reviews.
Tactical Plan
Mid-term plan developed to provide more details on accomplishing the goals set forth in the strategic plan, or crafted ad hoc based upon unpredictable events. This lasts a year.
Operational Plan
Short-term (for a month or quarter) highly detailed plan. Its purpose is to retain compliance with tactical plans. The plans may include resource allotments and budgetary requirements.
Data Classification Process
Identify the custodian, specify evaluation criteria, document any exceptions, select security controls for each level, specify the procedures for declassifying, and create an enterprise-wide awareness program.
Levels of Government/military classification
Top Secret, Secret, Confidential, Sensitive but Unclassified, Unclassified
Levels of Corporate classifications
Confidential, Private, Sensitive, Public
Due care
Using responsible care to protect the interests of an organisation. The company must do all that it could have reasonably done to try and prevent a security breach/compromise/disaster, and take the necessary steps required as countermeasures/controls (safeguards).
Due diligence
Practicing activities that maintain the due care effort. The company has properly investigated all of its possible weaknesses and vulnerabilities, AKA understanding the threats.
Information security program
Designing and implementing security practices to protect critical business processes and assets.
Types of policies
Corporate policy, security policy, system specific policy and issue specific policy
Dual control
Where two people must simultaneously authorise an action, such as the use of two keys. This is similar to M of N control.
What is the order of security documents in an organisation?
Policies –> Standards/Baseline –> Guidelines –> Procedures
What is a security policy?
Document that defines the scope of security needed by the organisation at a high level. Discusses the assets that require protection, and assigns roles and responsibilities.
What is a ‘standard document’?
Mandatory document that provides compulsory requirements for systems to enable consistent use.
Guidelines
Not mandatory; suggested actions, advisory in nature, to guide users.
Procedure documents
Standard Operating Procedures, for example, which provide step-by-step instructions on a given topic.
Baselines
Mandatory minimum acceptable security configuration for a system or process, e.g. performing hardening or using a standard image.
Risk
Possibility or likelihood of a threat exploiting a vulnerability to cause harm. Calculated as Risk = Threat x Vulnerability
Threat
Potential cause of an unwanted incident, which may result in harm to a system or organisation. Threats exploit vulnerabilities.
Vulnerability
Weakness in a system that allows a threat source to compromise its security.
Exposure
Being susceptible to asset loss because of a threat
Safeguards
Security control that reduces or removes a vulnerability. Can be a technical, physical or administrative control.
Attack
Exploitation of a vulnerability by a threat agent
Breach
Intentional or unintentional release of private data to an untrusted environment.
Threat agent
Entity that takes advantage of a vulnerability
What is ‘DAD’?
The negative counterpart of CIA:
- Disclosure
- Alteration
- Destruction
Privacy
Maintaining the confidentiality of data
ISO 27005
Risk management framework
Risk management approach
It is not possible to get rid of all risk; therefore, the aim is to bring risk to an acceptable/tolerable level.
Responsibilities of the Information Security Officer
- Written products - ensure they are done
- Cyber Incident Response Team - implement and operate
- Security awareness - provide leadership
- Communicate - risk to higher management
- Report to as high a level as possible
- Security is everyone’s responsibility
Control Frameworks
Ensure control frameworks are:
- Consistent - approach and application
- Measurable - way to determine progress
- Standardised - all the same
- Comprehensive - examine everything
- Modular - to help in review and adaptation; layered, abstraction
Patent
Grants ownership of an invention and provides enforcement for the owner to exclude others from practicing the invention. After 20 years the idea is open for anyone to apply.
Copyright
Protects the expression of ideas but not necessarily the idea itself, for example a poem or song. Expires 70 years after the author dies.
Trade secret
Something that is proprietary to a company and important for its survival and profitability (like the formula of Coke or Pepsi). This is NOT registered.
Trademarks
Words, names, product shapes, symbols, colours, or a combination used to identify products and distinguish them from competitor products. For example, McDonald’s ‘M’. Expires in 10 years.
Wassenaar Agreement (WA) AKA International Traffic in Arms Regulations
Agreement which implemented controls on the export of cryptographic systems.
SOX
Sarbanes-Oxley. Protects shareholders and the general public from accounting errors and fraudulent practices in enterprises, and improves the accuracy of corporate disclosures.
Section 302 SOX
CEOs and CFOs can be sent to jail when the information they sign is incorrect. The CEO must sign.
Section 404 SOX
This is about internal controls assessment: describing logical controls over accounting files, good auditing and information security.
Legal Liability for Executives
Executives are now held liable if the organisation they represent is not compliant with the law.
Negligence
A breach of the duty of care. This occurs if there is a failure to implement recommended precautions, no contingency/disaster recovery plan, failure to conduct appropriate background checks, failure to institute appropriate information security measures, or failure to follow policy or local laws and regulations.
COSO
Internal control system/framework that works with Sarbanes-Oxley Section 404 compliance. Developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognised as the definitive standard against which organisations measure the effectiveness of their systems of internal control.
COBIT
IT governance and management framework created by ISACA.
Incident
An event that has the potential to do harm.
Data disclosure
Unauthorised acquisition of personal information.
Event
Threat events are accidental and intentional exploitations of vulnerabilities.
Fourth Amendment
Basis for privacy rights; the Fourth Amendment to the US Constitution.
1974 US Privacy Act
Protection of PII held in federal databases.
1980 OECD Privacy Guidelines
Established the first internationally agreed upon privacy principles.
1986 US Computer Fraud and Abuse Act
Protects computers used by the Government or in interstate commerce from a variety of abuses.
1986 Electronic Communications Privacy Act
Makes it a crime to invade the privacy of an individual.
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
Amended version of HIPAA. The HITECH Act encouraged healthcare providers to adopt electronic health records and improved privacy and security protections for healthcare data. Federal law requires notification of individuals when a HIPAA-covered entity breaches their protected health information.
Digital Millennium Copyright Act
Prohibits the circumvention of copy protection mechanisms placed in digital media and limits the liability of ISPs for the activities of their users. ISPs are no longer liable for the transitory activities of the user.
Economic Espionage Act 1996
Provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply when the individual knows that the information will benefit a foreign government.
GDPR
General Data Protection Regulation governs the use and exchange of personal information.
ISC2 Code of Ethics Canons
ISC2 has established four key canons/principles
ISC2 Canon 1
Protect society, the commonwealth, and the infrastructure
ISC2 Canon 2
Act honorably, honestly, justly, responsibly, and legally
ISC2 Canon 3
Provide diligent and competent service to principals
ISC2 Canon 4
Advance and protect the profession
Ethics and Internet RFC 1087
Don’t compromise the privacy of users. Access to and use of the Internet is a privilege and should be treated as such. It is defined as unacceptable and unethical if you, for example, gain unauthorised access to resources on the Internet, destroy integrity, waste resources, or compromise privacy.
BC Plan Development Process
Based on the ISC2 BCP Process:
- Project scope and planning
- BIA
- Continuity Planning
- Approval and Implementation
Business Impact Assessment
The goal is to create a document that helps the organisation understand what impact a disruptive event would have on the business.
BIA: 1. Project Scope and Planning
- Business organisation analysis: analyse organisation, including teams
- BCP Team Selection: make sure to include senior executives
- Resource Requirements: who do you need?
- Legal and Regulatory Requirements
BIA: 2. Business Impact Assessment
- Identify priorities: valuation of assets, including MTD and RTO for each business function
- Identify risks for those assets, such as natural and man-made, and perform a likelihood assessment
BIA: 3. Continuity Planning
Determine appropriate responses, such as risk reduction/mitigation, assignment/transfer, risk acceptance, and risk rejection.
BIA: 4. Approval and Implementation
- Get approval from CEO
- Plan Training
- Plan implementation
Separation of Duties
Assigns parts of tasks to different individuals so that no single person has total control of the system’s security mechanisms; forces collusion.
M of N Control
Requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. So, implementing three of eight controls would require three people out of the eight with the assigned work task of key escrow recovery agent to work together to pull a single key out of the key escrow database.
Least privilege
A system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest time. Three types exist: Read only, read/write, and access/change.
Two man control
Two persons review and approve each other’s work, for very sensitive operations.
Dual control
Two persons are needed to complete a task.
Rotation of duties
Limiting the amount of time a person is assigned to perform a security-related task before being moved to a different task, to prevent fraud; forces collusion.
Mandatory vacations
Prevents fraud and allows investigations; one week minimum; kill processes.
Need to know
The subject is given only the amount of information required to perform an assigned task; requires business justification.
Agreement Examples
NDA, non compete, and acceptable use
Explain risk of employees in managing security
Staff members pose a greater threat than external actors. Consequences include loss of money, stolen equipment, loss of work hours, loss of reputation, declining trust, loss of resources, bandwidth theft, and due diligence failures.
Controls during Voluntary and Involuntary Leave
Ensure you perform an exit interview.
Third Party Controls
Vendors, consultants, and contractors. Make sure they are properly supervised, with their rights based on policy.
Likelihood
The chance that it will happen.
Residual Risk
The amount of risk left over. Organisations own the risk, and risk is determined as a byproduct of likelihood and impact. Further, the cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L). Legally, the remaining residual risk is not counted when deciding whether a company is liable.
ITIL
Best practices for IT core operational processes, not for audit. This includes service, change, release, and configuration management, with a strong end-to-end customer focus/expertise. Focused on services and service strategy.
Goal of Risk Management
The goal is to determine the impact of a threat and the risk of the threat occurring, then reduce the risk to an acceptable level.
Step 1: Categorise
Categorise the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
Step 2: Risk Management
Conduct Assessment:
- ID threat sources and events
- ID vulnerabilities and predisposing conditions
- Determine likelihood of occurrence
- Determine magnitude of impact
- Determine risk
Step 3: Implement
Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Step 4: Assess
Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Inherent: Types of Risk
The chance of making an error with no controls in place.
Control: Types of Risk
The chance that the controls in place will not prevent, detect or control errors.
Detection: Types of Risk
The chance that auditors won’t find an error.
Business: Types of Risk
Concerns about the effects of unforeseen circumstances.
Overall: Types of Risk
Combination of all risks, aka Audit Risk.
Preliminary Security Assessment (PSE)
Helps to gather the elements that you will need when the actual Risk Analysis takes place.
Risk Assessment Steps
- Prepare
- Perform
- Communicate
- Maintain
Qualitative Risk Management Process
- Approval
- Form Team
- Analyse Data
- Calculate Risk
- Countermeasure Recommendations
Quantitative Risk Analysis
Uses quantitative values to calculate risk.
Single Loss Expectancy (SLE)
Asset Value * Exposure Factor (% loss of asset). It is the dollar value lost when an asset is successfully attacked.
Annual Loss Expectancy (ALE)
SLE * ARO
Annualised Rate of Occurrence (ARO)
Number of times an event occurs in a year.
How to address risk
- Accept: live with it and pay the cost
- Mitigate: reduce the risk by implementing controls, after calculating their costs
- Assign/Transfer: insure the risk to transfer it. Passing it to another entity.
- Avoid: stop business activity
Loss Formula
Loss = probability * cost
Controls Gap
The amount of risk that is reduced by implementing safeguards. The formula for residual risk is: Total Risk - Controls Gap = Residual Risk
RTO
Recovery Time Objective: How quickly you need to have that application’s information available after downtime has occurred.
RPO
Recovery Point Objective: the point in time to which application data must be recovered to resume business functions; the amount of data you are willing to lose. For example, you may be willing to lose one day of data.
MTD
Maximum Tolerable Downtime: the maximum delay a business can be down and still remain viable.
- MTD minutes to hours = critical
- MTD 24 hours = urgent
- MTD 72 hours = important
- MTD 7 days = normal
- MTD 30 days = non-essential
Exposure Factor
How much of an asset is exposed to loss, expressed as a percentage (0 to 100%).
Factors that affect impact
Human life, dollars, prestige, market share
Risk Framework Countermeasures
- Accountability
- Auditability
- Source trusted and known
- Cost effectiveness
- Security
- Protection for CIA of assets
- Other issues created?
Primary Controls (types)
Control costs should be less than the value of the asset being protected.
Administrative/Managerial/Policy
- Preventive: hiring policies, screening, security awareness (also called soft measures)
- Detective: screening behaviour, job rotation, review of audit records
Technical (aka Logical)
- Preventive: protocols, encryption, biometrics, smartcards, routers, firewalls
- Detective: IDS and automatically generated violation reports, audit logs, CCTV (never preventative)
Physical
- Preventive: fences, guards, locks
- Detective: motion detectors, thermal detectors, video detectors
Physical Controls
Things you can see and touch, such as fences, doors and locks, and windows.
Prime Objective
Reduce the effects of security threats and vulnerabilities to a tolerable level.
Risk analysis
Process that analyses threat scenarios and produces a representation of the estimated potential loss.
Main categories of access control
7 Types of controls
Directive control
Specify rules of behaviour
Deterrent
Discourage people; change their minds
Preventative
Prevent incident or breach
Compensating
Substitute for loss of primary controls
Detective control
Signal warning, investigate
Corrective
Mitigate damage, restore control. For example, correct a system by deleting its virus.
Recovery
Restore to normal after incident
Preventive Controls
- Accuracy: data checks, validity checks
- Security: labels, traffic padding, encryption
- Consistency: DBMS, data dictionary
Detective controls
- Accuracy: cyclic redundancy checks
- Security: IDS, audit trails
- Consistency: comparison tools
Corrective controls
- Accuracy: checkpoint backups
- Security: emergency response
- Consistency: database controls
Functional order in which controls should be used
- Deterrence
- Denial
- Detection
- Delay
Penetration Testing
Testing a network’s defenses by using the same techniques as external intruders.
Scanning and probing
Port scanners (such as nmap)
Sniffing
Capturing data packets
Demon Dialing
War dialing for modems
Dumpster diving
Searching paper disposal areas
Social engineering
The most common technique; get information by asking.
Types of Penetration Testing
Blue Team: has knowledge of the organisation; can be done frequently and is the least expensive
Red Team: is external and stealthy
White Box Testing
The ethical hacker knows what to look for and sees the code as a developer would.
Grey Box Testing
Partial knowledge of the system; sees the code but acts as a user.
Black Box
The hacker does not know what to find.
4 Stages of Pen Testing
- Planning
- Discovery: recon/discover, and enumeration
- Attack: Vulnerability analysis, and execution/exploitation
- Reporting: document findings/reporting
Vulnerabilities exploited
Kernel flaws, buffer overflows, symbolic links, file descriptor attacks
Other Model
Footprint the network (information gathering), port scans, vulnerability mapping, exploitation, and report; scanning tools are used in penetration tests.
Flaw hypotheses methodology
Operating system penetration testing
Penetration testing strategy
External, internal, blind, double blind.
Categories: zero, partial, full knowledge tests
Deming Cycle
- Plan: ID opportunity and plan for change
- Do: implement change on small scale
- Check: Use data to analyse results of change
- Act: if the change is successful, implement it on a wider scale; if it fails, begin the cycle again
Identification of threat
Individuals must be qualified with the appropriate level of training. This includes:
- Developing job descriptions
- Contact references
- Screen/investigate background
- Develop confidentiality agreements
- Determine policy on vendor, contractor, consultant and temporary staff access
Software Licenses
- Public Domain; available for anyone to use
- Open Source: source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone
- Freeware: proprietary software that is available for use at no monetary cost. May be used without payment but usually may not be modified, redistributed or reverse-engineered without the author’s permission.
Assurance
Degree of confidence that security requirements are satisfied. Another word for security.
Successful Requirements Gathering
Don’t assume what the client wants; involve users early; define and agree on scope.
Security awareness
Technical training on how to react to situations, and best practices for security and network personnel. Employees need to understand policies.
Formal security awareness training provides exact preparation on how to do things.
Wire Tapping
Eavesdropping on communication; only legal with prior consent or a warrant.
Data Diddling
The act of modifying information, programs, or documents to commit fraud; tampers with INPUT data.
Privacy Laws
Data collected must be collected fairly and lawfully and used only for the purpose for which it was collected.
Water holing
Create a number of websites with similar names.
Work function (factor)
The difficulty of obtaining the clear text from the cipher text, as measured by cost/time.
Fair Cryptosystems
In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.
SLA
Agreement between an IT service provider and a customer, documenting service levels and the "divorce" clause: how to dissolve the relationship.
SLR (requirement)
Requirements for a service from the client’s viewpoint.
Service Level Report
Insight into a service provider’s ability to deliver the agreed-upon service quality.
FISMA (federal agencies)
The Federal Information Security Management Act (FISMA), passed in 2002, requires that federal agencies implement an information security program that covers the agency’s operations. FISMA also requires that government agencies include the activities of contractors in their security management programs.
Two phases of FISMA
Phase 1: categorising, selecting minimum controls, assessment
Phase 2: create national network of secure services to assess
ISO/IEC 27799
Known as health informatics; its purpose is to provide guidance to health organisations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.
Process improvement models
- Six Sigma: Business management strategy that can be used to carry out process improvement
- CMMI: organisational development for process improvement developed by Carnegie Mellon
Emergency procedures (BCP)
Carried out to protect human life first; other procedures then need to be executed to reduce the damage from other threats.
Prudent Man Rule/Reasonable Person Test
The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.
Gramm-Leach-Bliley Act of 1999 (GLBA)
Requires financial institutions to provide written privacy policies to all their customers.
STRIDE
Threat modelling technique:
- S: Spoofing
- T: Tampering
- R: Repudiation
- I: Information disclosure
- D: Denial of access
- E: Elevation of privilege
Reduction Analysis
Threat modelling diagramming that provides a greater understanding of the logic of the product as well as its interactions with external elements.
Communications Assistance for Law Enforcement Act (CALEA) 1994
Requires all carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
Step 5: Authorise (risk management framework)
Authorise information system operation based on a determination of the risk to organisational operations and assets, individuals, other organisations, and the country resulting from the operation of the information system and the decision that this risk is acceptable.
Step 6: Monitor (risk management framework)
Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organisational officials.