Security and Risk Management Flashcards
5 Pillars of information security
- Confidentiality: Secure read access
- Integrity: Secure write access
- Availability: Systems are available for normal business use
- Authenticity: Proving an identity claim
- Nonrepudiation: The combination of integrity and authenticity
CIA Opposite
Disclosure, Alteration, Destruction
Confidentiality (opp Disclosure)
Aims to prevent the unauthorized disclosure of information
Integrity (Opp Alteration)
Focuses on the prevention of unauthorized modification of assets.
Applies to both data and systems
Malware installation would be a violation of a system’s integrity
Availability (Opp Destruction)
Ensures that required access to resources remains possible
Ransomware and denial of service (DoS) attacks represent breaches of availability
Privacy
defined as confidentiality and protection of PII
Identification
Provides a weak and unproven claim of identity
providing a username - an example of identification
Authenticity
serves as proof a user’s identity claim is legitimate
strong authentication implies higher integrity means of proof
Nonrepudiation
Combination of integrity and authenticity
Eg: proving a user signed a contract, while also proving that the contract was not subsequently altered
Authorization
proceeds after successful authentication and determines what the authenticated user can do
Accounting
details the interactions performed by individuals
Audit logs could be generated for accountability / documented actions
4 main categories of authentication
something you know
something you have
something you are
someplace you are (GPS) - SANS
Two-factor or multi-factor authentication
using 2 of the categories
PoLP
Principle of least privilege (PoLP), also known as minimum necessary access
fundamental principle of security
Any additional rights, permissions, privileges, or entitlements violate this principle
Separation of Duties (SoD)
Goal of SoD is to limit risk associated with critical functions/transactions
Risk is mitigated by requiring two parties to perform what one person could
Eg: Requiring multiple individuals to sign a check (financial transactions)
Rotation of duties
Another policy for fraud deterrence/detection
- force other people to be in charge of key tasks
eg: printing payroll checks
Due Care and Due Diligence
Due Care: acting as any reasonable person would (referred to as the prudent man rule)
Due diligence: practices and processes that ensure the decided-upon standard of care is maintained
types of controls
preventive: deny unauthorised access to resources
detective: tries to detect that there is a problem after an attack
corrective: reacts to an attack
deterrent: discourages security violations
recovery: restores after an attack/failure
compensating: used to shore up existing controls deficiencies
controls implemented across
Administrative: background checks, policies and procedures
Technical: encryption, smart cards
Physical: locks, securing laptops and magnetic media, protection of cables
detective control eg
eg: Auditing and IDS (Intrusion detection system)
CCTV, Motion sensors
preventive and deterrent control difference
eg: a preventive control will not allow a user to violate the security policy
a deterrent control will present a banner indicating that use is not legal, but will not prevent it; eg: a no trespassing sign
NIST SP 800-30
Risk management guide for information technology systems
Asset Identification and Evaluation
understanding assets is key to effective risk analysis
inventory assets and assess their role in the org
Evaluate the asset value
understand how uncertain the data obtained is
Risk
Risk = Threat * Vulnerability
Threat
Threat: anything that can cause harm to an information system
threat agents / threat sources are the who (the adversary)
eg: threat agent: organised crime
threat: system compromise through a server-side attack
Vulnerabilities
a weakness in a system that could potentially be exploited
zero-day vulnerabilities
are those not publicly known (targeted with zero-day exploits)
Exploits & the payload
Exploitation is the process of a threat taking advantage of a vulnerability
the actions triggered by the exploit are called the payload
Risk Analysis - Quantitative and Qualitative risk analysis
Quantitative formulas (SLE, ARO, ALE)
TCO, ROI, Cost/Benefit Analysis
SLE- Single loss expectancy
ARO - Annualised rate of occurrence
ALE - Annualised loss expectancy
SLE = EF (Exposure factor) * AV (Asset value)
ALE = SLE * ARO
TCO - Total cost of ownership
ROI - Return on investment
Risk Management Key Formulas
Quantitative
Asset Value (AV): The value of the asset
ARO: Frequency of threat occurrence per year
Exposure Factor (EF) : % of asset value at risk due to a threat
SLE = AV * EF
ALE = SLE * ARO
Qualitative risk analysis
Likelihood and impact
Excessive Risk
level of risk is unacceptable to the decision makers
eg: Injury or loss of life
Risk mitigation
taking actions that decrease the risk
mitigation can come in flavours:
1. threat oriented: focused on reducing the motivation of the threat agents
2. vulnerability oriented: reducing vulnerabilities
3. impact oriented: reducing the impact
4. likelihood oriented: reducing the likelihood
Risk avoidance
not moving forward with a new project that introduces risk
transferring risk
eg: purchase of insurance
outsource risky systems to a third party
Eg:data breach insurance
Accepting risk
accept residual risk
accept a certain level of risk
controls identification and assessment
after identification, assess
TCO
ROI
Security architecture: mergers and acquisitions
divestitures (demergers or deacquisitions)
acquisitions - challenge
deacquisitions - nightmare
RFI / RFP / RFQ
Request for information / proposal / quote
BPA (Business process agreement)
typically addresses things like ownership, profit/losses, partner contributions
MOU / MOA
Memorandum of understanding or agreement
goal is to establish the basic roles, responsibilities, and requirements for interconnection
NIST 800-47
Security guide for interconnecting information technology systems
SLA / OLA / ELA
OLA is an internal agreement that supports SLA
SLA: Expectations customer has for their service provider
ELA : Enterprise license agreement
FedRAMP
Federal risk and authorization management program
SCRM - Supply chain risk management
SBOM (Software bill of materials)
SBOM Minimums:
Supplier name
component name
version of the component
other unique identifiers
dependency relationship
author of SBOM data
timestamp
SOC Reports - System and organisation controls
created/validated by auditors; provide insight into third-party service providers
SOC Reports : SOC 1, SOC 2, SOC 3
SOC1: Internal control over financial reporting (ICFR)
Focus on financial statements
SOC2: Trust services criteria
emphasis on controls related to security
SOC3: Trust services criteria for general use report / public report
SOC Type 1 / SOC Type 2
Type 1: Description / suitability of controls design
Type 2: Description/suitability/effectiveness of controls design
Note: a SOC3 can be created as a type 2 report
SOC for cybersecurity
SOC for supply chain
Threat modelling
Microsoft STRIDE
Spoofing ID
Tampering with data
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
Threat Identification
Vulnerability identification
identify the various threats that could exercise vulnerabilities
- understand the various threats
Attack Surface
A system's attack surface represents all the ways in which an attacker could attempt to introduce data to exploit a vulnerability
reducing the attack surface: disable unneeded services
or: do not listen on unnecessary ports
Scoring vulnerabilities
CVSS
5 to 1
CVSS - Common vulnerability scoring system
Developed by a consortium of US government organisations and vendors
Threat Vectors
are methods attackers use to touch or exercise vulnerabilities
Laws
Laws, directives, and regulations do not normally provide detailed instructions for protecting computer-related assets
instead they specify requirements such as restricting the availability of PII
Types of laws
Statutes
Administrative
Civil
Common law
Religious
Constitution
Statutes
- criminal proceedings
- civil proceedings
Administrative:
Regulations: HIPAA
Common law: case law or judicial precedent
Legal systems:
Civil law:
- Statutory
- Most common
Common law (case law)
eg: UK, US, Canada
Religious law:
Sharia : Islamic law
Customary law
Criminal Law
society has been harmed
criminal law is the only type of law under which someone can get jail time
successful prosecution can warrant being removed from society
Civil Law
Deals with civil actions initiated by individual or orgs
Eg: torts, contracts, property and loss by business/individual
takes less time in the courtroom
person can be ordered to pay monetary damages
Computer crime challenges
difficult to keep pace with rapidly changing tech
Types of damages
Compensatory: monetary award related to the actual loss/harm
Statutory: Monetary damages designated by law
Punitive: award meant to punish the defendant, not tied to actual losses
Legal fees:
International difficulties, international cooperation
IP - Intellectual Property
Patent
Copyright
Trademark
Servicemark
Trade secret
Patent
protects inventions for 20 years from date of filing
invention must:
have utility
novelty
be non-obvious
must reduce the invention to practice and cover a single idea
Copyright
form of expression
provided to the authors of original works
recorded thought on paper, vinyl, plastic, magnetic media, or other media
Trademark
is a word, name, symbol, or device that is used in trade with goods
servicemark - a trademark for a service instead of a product
Trade secret
protects critical IP that is not publicly available
IP enforcement and attacks
Trademark attacks:
1. counterfeiting : products intended to be mistakenly associated with brand
2. Dilution: widespread use of brand names
Copyright attacks:
Piracy: unauthorised use or reproduction of material
Trade secrets:
economic/industrial espionage
Counterfeit products
eg: Cisco fiber transceiver
Product implants and tampering
hardware supply chain attack
1. seeding: modify the product in the factory itself
2. interdiction: intercept products that move between factories
Software licensing issues
licensing can serve as a form of IP Protection
site license
per-user/per-device license
concurrent users license
Workplace privacy
employee privacy
management responsibilities
European Union
Data protection directive
International privacy considerations
OECD : Org for economic co-operation and development
EU
GDPR
GDPR - General data protection regulation
Supersedes EU data protection directive
OECD Guidelines
key provisions
- limitations on collection
lawful collection
accuracy of data ensured
collected for legitimate purposes
no data disclosure
accountability of the data controller
GDPR principles
lawfulness, fairness, transparency
purpose limitation
data minimization
accuracy
storage limitation
integrity and confidentiality
accountability
Enforcement of GDPR began in May 2018
eg: Google LLC, Amazon Europe - 60,34 million euros for pushing advertising cookies without consent
GDPR: Data breach
breach notification to the supervisory authority within 72 hours of discovery
communication of data breach to those affected
eg: British Airways - 20 million euros - 400k customers
Marriott: 18.4m - 339 million customers
GDPR - DPIA - Data protection impact assessment
Designate a DPO Data protection officer
PIPL - Personal information protection law (China) - 2021
SPI - Sensitive personal info
PIPIA - personal information protection impact assessment
POPIA - enforced 2021 - South Africa
Protection of personal information act
CCPA - California consumer privacy act
2018 state-level law
US - FIPPs (Fair information practice principles )
Data breach - minimization
- insure against the loss with data breach insurance
- plan communications in advance of a breach
PCI DSS
developed by the major credit card companies to reduce credit card fraud
Ethics bodies
IAB (Internet activities board)
what not to do
- seek to gain unauthorized access on the internet
- disrupt the intended use of the internet
- waste resources
- destroy the integrity of computer-based info
Code of Ethics:
- Protect society
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
Security Policies
provide high level guidance regarding expected conditions
eg: passwords must be changed every 90 days
Policy components
Purpose
Related docs
Cancellation
background
scope/exceptions
policy statement
responsibility
ownership
effective date / expiration date
Scope : Levels of policy
Policies can exist on different levels, with a hierarchy that determines scope
- enterprise-wide / corporate policy
- division-wide policy
- local policy
- issue-specific policy
Security procedures
are more detailed than security policies
- focused on how to achieve what security policies mandate
eg: follow these step-by-step instructions to build the server
policies vs procedures
policies are high level, procedures are detailed guidance
Security standard
organizational, compulsory
eg: admins must use Windows Server 2019 as the base OS
Baseline: is a more specific implementation of a standard
Security Guideline
suggestions
not compulsory
Personnel Security
prior to hiring, during employment, during the separation
Background checks
pre-employment background checks and screenings are a common way of vetting candidates
Cross-training
Job rotation
Mandatory vacation
helps to force job rotation
AUP - Acceptable use policy
establishes expectations of employees
Personnel Monitoring
Non-Disclosure Agreement (NDA)
- Company data should not be shared with competitors
Non-compete agreement
purpose is to establish that an employee who leaves the org agrees not to work for a competitor
Hiring, training, grooming employees can be costly for an org
non-solicitation agreement
if an employee leaves the company, the agreement prohibits the employee from:
- soliciting other employees to also leave
- soliciting customers of the employer for business
Termination
Mishandling access revocation poses significant risk
ensuring all access has been removed on a timely basis can decrease the likelihood of compromise
important with disgruntled individuals
Controlling your environment: key principles
Policy : tells a user what to do
Training: provides the skillset
Awareness: changes user behaviour
Key threat: social engineering
- manipulation
- people need to be made aware of the dangers
Audit Standards: SSAE
Statement on Standards for Attestation Engagements (SSAE)
Audit Standards: AICPA
American institute of certified public accountants
Audit Standards: ISAE
International standard on assurance engagements
Audit Standards: IAASB
International Auditing and Assurance Standards Board
global digital forensics standards:
1. ISO/IEC 27037:2012: Guide for collecting, identifying, and preserving electronic evidence
2. ISO/IEC 27041:2015: Guide for incident investigations
3. ISO/IEC 27042:2015: Guide for digital evidence analysis
4. ISO/IEC 27043:2015: Incident investigation principles and processes
5. ISO/IEC 27050-1:2016: Overview and principles for eDiscovery
ISO 27001
ISO 27001 is the standard for international information security management.
ISMS - Information security management system
ISO 27002
ISO 27002 is a supporting standard that guides how the information security controls can be implemented.
ISO/IEC 27017:2015
A set of standards regarding the guidelines for information security controls applicable to the provision and use of cloud services and cloud service customers