Domain 1
- Principles of Security
- Security Governance
- Information Security Program
- Information Security Risk Management
- Legal Considerations
- Knowledge Transfer
- Confidentiality vs. Disclosure
- keep data secret
- no one unauthorized can access the data
- need to know and least privilege
- Tools to ensure this:
- encryption and access controls for data-at-rest, data-in-motion and data-in-use
- Integrity vs. Alteration
- protect data against unauthorized modification
- ensure data is not altered
- Tools to ensure this:
- checksums
- hashes
- signatures
- ACL
- encryption
- IDS
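The checksum, hash and signature bullets above differ in what they actually guarantee, and the difference matters when the threat is a deliberate change rather than a transmission error. The following added example (not from the original notes) makes that concrete: a record is protected with a CRC32 checksum, a plain SHA-256 hash and an HMAC-SHA256 tag, then altered by an attacker who can rewrite both the record and its tag. The record, the key and the attacker model (knows the algorithm, does not know the key) are constructed for the demonstration.

```python
"""Checksum vs. hash vs. keyed MAC as integrity controls.

Added example, not from the original notes. The record, the key and the
attacker model (can rewrite the record and its tag, but does not hold the
key) are constructed for the demonstration."""
import hashlib
import hmac
import zlib

# Constructed key. In practice it comes from a secret store, never from source.
KEY = b"constructed-demo-key-do-not-reuse"
ATTACKER_GUESS = b"wrong-key"  # the attacker does not have KEY

RECORD = b"transfer amount=100 to=alice"
TAMPERED = RECORD.replace(b"alice", b"mallory")


def make_tag(scheme: str, data: bytes, key: bytes = KEY) -> bytes:
    """Compute the integrity tag for `data` under the chosen scheme."""
    if scheme == "crc32":
        # Checksum: catches accidental corruption only; anyone can recompute it.
        return zlib.crc32(data).to_bytes(4, "big")
    if scheme == "sha256":
        # Unkeyed hash: collision resistant, but still recomputable by anyone.
        return hashlib.sha256(data).digest()
    if scheme == "hmac-sha256":
        # Keyed MAC: producing a valid tag requires the key.
        return hmac.new(key, data, hashlib.sha256).digest()
    raise ValueError(f"unknown scheme {scheme}")


def verify(scheme: str, data: bytes, tag: bytes, key: bytes = KEY) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(make_tag(scheme, data, key), tag)


def evaluate(scheme: str) -> dict:
    """Return what the scheme protects against.

    detects_corruption: the legitimate tag no longer matches altered data.
    resists_forgery: an attacker who alters the data cannot produce a tag
    that verifies, because they lack the key.
    """
    legitimate_tag = make_tag(scheme, RECORD)
    # The attacker rewrites the record and recomputes the tag with what they
    # have: the algorithm, but only a guessed key (ignored by crc32/sha256).
    forged_tag = make_tag(scheme, TAMPERED, key=ATTACKER_GUESS)
    return {
        "detects_corruption": not verify(scheme, TAMPERED, legitimate_tag),
        "resists_forgery": not verify(scheme, TAMPERED, forged_tag),
    }


if __name__ == "__main__":
    for s in ("crc32", "sha256", "hmac-sha256"):
        print(f"{s:12} {evaluate(s)}")
```

All three detect accidental corruption; only the keyed tag survives an attacker who controls the data. A digital signature is the same idea with a private key, which is why it also gives nonrepudiation (only the signer holds the key), whereas an HMAC key shared between two parties does not.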
- Nonrepudiation
- Not being able to deny having performed a certain activity or action
- made possible through IAAA (authentication of the subject plus integrity of the record)
- Availability vs. Destruction
- authorized people can access when needed
- Tools to ensure this:
- redundancy (power, hardware, network)
- IPS / IDS
- SLAs
- Patch Management
- RAID
- Backups
- User Access Control (IAAA)
- Identification: name, username, ID etc.
- Authentication: verifying the user's identity, e.g. through a password
- Authentication factors (multi-factor = two or more different types):
- Something you know (type 1)
- Something you have (type 2)
- Something you are (type 3)
- Authorization: what the identity is allowed to access
- access-control-matrix
- [DAC](Domain 5 - Identity and Asset Management.md#discretionary-access-control-dac) / [MAC](Domain 5 - Identity and Asset Management.md#mandatory-access-control-mac) / [RBAC](Domain 5 - Identity and Asset Management.md#role-based-access-control-rbac)
- Auditing: recording logs
- Monitoring is possible without auditing
- Accountability: track an action back to the subject's identity
- What has been done, where, when and by whom
- non-repudiation
- Privacy: level of confidentiality and privacy protection given to personal data
- Least Privilege / need to know
- least privilege: you only get the access rights you need to do your job (MAC)
- need to know: you only access the data you need, even if you have been granted access (DAC)
- non-repudiation
- a user cannot deny doing things (authentication and integrity)
- subject / object
- subject (active)
- users, programs, processes etc.
- object (passive)
- passive data: files, databases, devices
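The IAAA steps, least privilege and the subject/object model above fit together in one request path. The following added example (not from the original notes) runs a constructed request through identification, authentication, authorization from an access control matrix, and an audit log that answers who did what, where and when. The users, passwords, objects, rights and the matrix itself are all constructed.

```python
"""Identification, authentication, authorization and accountability in one
flow, with least privilege enforced by an access control matrix.

Added example, not from the original notes. The users, passwords, objects,
rights and the matrix are constructed."""
import hashlib
import hmac
from datetime import datetime, timezone


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-SHA256) for the credential store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Fixed salts keep the example reproducible; use os.urandom(16) per user in practice.
_SALTS = {"alice": b"\x01" * 16, "bob": b"\x02" * 16}
USERS = {
    "alice": (_SALTS["alice"], _pw_hash("correct horse battery", _SALTS["alice"])),
    "bob": (_SALTS["bob"], _pw_hash("hunter2", _SALTS["bob"])),
}

# Access control matrix: subject (active) -> object (passive) -> rights.
# Alice works in payroll, so she reads payroll.db but has no need to write it;
# Bob only needs the HR wiki. Anything not listed is denied (least privilege).
ACM = {
    "alice": {"payroll.db": {"read"}, "hr-wiki": {"read", "write"}},
    "bob": {"hr-wiki": {"read"}},
}

AUDIT_LOG: list[dict] = []  # who, what, where, when, outcome


def authenticate(username: str, password: str) -> bool:
    """Identification (username lookup) + authentication (password check)."""
    entry = USERS.get(username)
    if entry is None:
        # Hash anyway so unknown-user and wrong-password take the same time.
        _pw_hash(password, b"\x00" * 16)
        return False
    salt, stored = entry
    return hmac.compare_digest(_pw_hash(password, salt), stored)


def authorize(subject: str, obj: str, right: str) -> bool:
    """Authorization: default deny; only rights present in the matrix pass."""
    return right in ACM.get(subject, {}).get(obj, set())


def access(username: str, password: str, obj: str, right: str) -> bool:
    """Full IAAA chain; every attempt is logged so actions trace to an identity."""
    authenticated = authenticate(username, password)
    allowed = authenticated and authorize(username, obj, right)
    AUDIT_LOG.append({
        "who": username,
        "what": right,
        "where": obj,
        "when": datetime.now(timezone.utc).isoformat(),
        "authenticated": authenticated,
        "allowed": allowed,
    })
    return allowed


if __name__ == "__main__":
    print(access("alice", "correct horse battery", "payroll.db", "read"))   # True
    print(access("alice", "correct horse battery", "payroll.db", "write"))  # False: not needed for her job
    print(access("bob", "guess", "hr-wiki", "read"))                        # False: authentication failed
    for line in AUDIT_LOG:
        print(line)
```

Failed attempts are logged as well as successful ones; an audit trail that only records successes cannot support accountability for the attempts that matter most.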
- Governance: C-Level (CEO / CIO / CTO / CSO / CISO / CFO)
- sets priorities and makes decisions
- balances stakeholder needs against enterprise objectives
- sets the risk appetite
- monitors compliance and performance
- Management
- plans, builds, runs and monitors according to the direction set by governance
- works within the risk tolerance derived from the risk appetite
- PCI DSS
- required for organizations that store, process or transmit cardholder data
- OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
- self-directed risk management
- COBIT
- Goals for IT
- COSO
- Goals for the entire organization
- ITIL
- IT service management
- FRAP (Facilitated Risk Analysis Process)
- Risk analysis for a single business unit, application, system etc., done with internal employees
- ISO 27000 series (27001: ISMS requirements, 27002: controls)
Image via Infosec Institute
- Policies, Procedures, Awareness
- Physical Security
- Network
- Server
- Application
- Data
- Defense in depth, also called layered defense or onion defense
- Criminal Law
- “Society” is the victim
- Punishment: imprisonment / death / financial fines
- Civil Law
- Individuals, groups or organizations are victims
- Punishment: financial fines
- Administrative Law
- laws enacted by the government (for example HIPAA)
- Private Regulation
- Compliance is required by contract (for example PCI-DSS)
- CFAA
- FISMA
- COPPA
- GLBA
- PATRIOT Act
- FERPA
- Who is held accountable?
- Who is to blame?
- Who should pay?
- Due Diligence (DD): research, best practices, common protections (knowing what should be done)
- Due Care (DC): acting on that research, doing the implementation, bug fixing etc. (doing it)
- Negligence: the opposite of Due Care
- If you exercised DC, you are not liable
- If you did not exercise DC, you are most likely liable
- Real evidence: physical objects (not the data)
- Direct evidence: testimony of a witness
- Circumstantial evidence: evidence to support circumstances
- Corroborative evidence: supports other facts
- Hearsay: not first-hand knowledge
- log files are considered hearsay
- they are admissible (business records exception) when recorded near the event as part of normal operations
- Five rules of evidence: it should be accurate, complete, relevant, authentic and convincing
- Documentary evidence: logs and documents
- Evidence integrity: hashed files
- hash before and after forensics, both original and copy, and compare
- Chain of custody:
- Who handled it?
- When did they handle it?
- What did they do with it?
- Where did they handle it?
- 4th Amendment protects US citizens from unreasonable search and seizure
- the court will determine if evidence was obtained legally
- employees need to be aware that their actions will be monitored (logon banners, acceptable use policy)
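The "hash before and after" and chain-of-custody bullets above describe a procedure; the following added example (not from the original notes) carries it out on a constructed evidence file. It hashes the seized original and its forensic copy, records who handled what, where and when with the hash at that moment, confirms the copy is unchanged after a read-only analysis step, and shows that an undocumented write to the copy is caught at the next hash check. The evidence contents, custodians and locations are constructed.

```python
"""Evidence integrity through hashing, with a chain-of-custody record that
answers who handled the evidence, when, what they did and where.

Added example, not from the original notes; the evidence file, the custodians
and the locations are constructed."""
import hashlib
import pathlib
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: pathlib.Path) -> str:
    """Hash in 1 MiB chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class ChainOfCustody:
    """Append-only log; each entry carries the hash of the item at that moment."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, who: str, what: str, where: str, item: pathlib.Path) -> dict:
        entry = {
            "who": who,
            "when": datetime.now(timezone.utc).isoformat(),
            "what": what,
            "where": where,
            "item": item.name,
            "sha256": sha256_file(item),
        }
        self.entries.append(entry)
        return entry

    def unchanged_since(self, index: int, item: pathlib.Path) -> bool:
        """Re-hash now and compare with the hash recorded at entry `index`."""
        return self.entries[index]["sha256"] == sha256_file(item)


def run_case(workdir: pathlib.Path) -> dict:
    """Seize, copy, analyse, then catch an undocumented modification of the copy."""
    original = workdir / "evidence.img"
    original.write_bytes(b"constructed disk image contents " * 4096)
    coc = ChainOfCustody()
    coc.record("analyst A", "seized original drive", "site office", original)

    # Work on a copy; the original goes back into the evidence locker untouched.
    working = workdir / "evidence-copy.img"
    shutil.copyfile(original, working)
    coc.record("analyst A", "created forensic copy", "lab", working)
    copy_matches_original = coc.entries[0]["sha256"] == coc.entries[1]["sha256"]

    # Analysis reads the copy only, so its hash must still match afterwards.
    hits = working.read_bytes().count(b"image")
    coc.record("analyst B", f"keyword search, {hits} hits", "lab", working)
    copy_unchanged_after_analysis = coc.unchanged_since(1, working)

    # An undocumented write to the copy shows up at the next hash check.
    with working.open("r+b") as f:
        f.write(b"X")
    tamper_detected = not coc.unchanged_since(1, working)
    original_unchanged = coc.unchanged_since(0, original)

    return {
        "copy_matches_original": copy_matches_original,
        "copy_unchanged_after_analysis": copy_unchanged_after_analysis,
        "tamper_detected": tamper_detected,
        "original_unchanged": original_unchanged,
        "custody_entries": len(coc.entries),
    }


def run_case_in_tempdir() -> dict:
    """Run the case in a throwaway directory and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        return run_case(pathlib.Path(d))


if __name__ == "__main__":
    for k, v in run_case_in_tempdir().items():
        print(f"{k}: {v}")
```

The hash proves the bytes are unchanged; it does not by itself say who changed them or when, which is why each custody entry pairs the hash with the handler, action, place and time.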
- Entrapment: illegal / unethical
- when someone is persuaded to commit a crime they had no intention of committing and is then charged with it
- Enticement: legal / ethical
- making committing a crime more enticing, but the person had already decided to break the law
- honeypots
- copyright
- granted automatically
- lasts 70 years after the creator's death
- attack: piracy / infringement
- trademark
- must be registered
- lasts 10 years, renewable
- attack: counterfeiting
- patents
- must be new, useful, nonobvious
- last 20 years
- attack: infringement
- trade secrets
- last unlimited, as long as they are kept secret
- attack: espionage
- HIPAA - Health Insurance Portability and Accountability Act
- Strict privacy and security rules on handling PHI
- Security Breach Notification Laws
- individual by state!
- ECPA - Electronic Communications Privacy Act
- protects against warrantless wiretapping
- PATRIOT Act of 2001
- expands law enforcement electronic monitoring capabilities
- allows search and seizure without immediate disclosure
- CFAA - Computer Fraud and Abuse Act
- most used law to prosecute computer criminals
- GLBA - Gramm-Leach-Bliley Act
- applies to financial institutions
- SOX - Sarbanes-Oxley Act
- financial reporting controls for publicly traded companies
- PCI-DSS
- GDPR - General Data Protection Regulation
- If you have customers in the EU the GDPR applies to you
- fines up to €20 million or up to 4% of annual worldwide turnover, whichever is higher
- Restrictions
- lawful interception
- Right to access
- must provide a free copy of the data on request
- Right to erasure
- right to be forgotten
- Data portability
- data must be provided in a structured, commonly used, machine-readable format
- Data breach notification
- notify the supervisory authority within 72 hours
- privacy by design
- only data which is absolutely necessary (data minimization)
- data protection officers
- EU Data Protection Directive (replaced by the GDPR in 2018)
- EU-US Safe Harbor (invalidated in 2015)
- Privacy Shield (invalidated in 2020)
- 8 principles (OECD privacy guidelines)
- Collection limitation principle
- Data quality principle
- Purpose specification principle
- Use limitation principle
- Security safeguards principle
- Openness principle
- Individual participation principle
- Accountability principle
TOP
- Values
- (Ethics, Principles, Beliefs)
- Vision
- Hope and Ambition
- Mission
- Motivation and Purpose
- Strategic Objectives
- Plans/Work and sequencing
- Action & KPI
- Actions, Resources, Outcomes, Owners and Timeframe
BOTTOM
- Governance
- Strategic Plan (3-5 Yrs)
- Management
- Tactical Plan (1 Yr)
- Staff
- Operational Plan (High detail, updated frequently)
- Baselines
- Tactical
- Mandatory
- minimum security level a system must meet
- Procedures
- Tactical
- Mandatory
- low-level step-by-step
- Guidelines
- Tactical
- non-mandatory
- (recommendations)
- Standards
- Tactical
- Mandatory
- specific use
- (specific mandatory controls)
- Policies
- Strategic
- Mandatory
- High level, non-specific
- (general management statements)
- Awareness
- we want to change the behavior
- Training
- give users a specific skillset
- Hiring Practices
- background checks
- NDA
- Employee Termination Process
- Regulations
- Training
- Control types: Preventive, Detective, Corrective, Recovery, Deterrent, Compensating
- Technical controls: hardware, software
- Physical controls: locks, fences, guards
- Risk = Threat * Vulnerability (* Impact)
- Impact can be added to give the full picture
- Total Risk = Threat * Vulnerability * Asset Value
- Residual Risk = Total Risk - Countermeasures
- IT Risk Identification -> IT Risk Assessment -> Risk Response and Mitigation -> Risk and Control Monitoring and Reporting -> IT Risk Identification...
- Scope
- Methods
- Tools
- Acceptable Risk
- Risk Appetite
- Tangible: Physical, Buildings..
- Intangible: Data, trade secrets..
- Quantitative (cost-based) Risk Analysis
- Inventory assets and assign each an asset value (AV)
- Research each asset and list its threats. For each threat define an exposure factor (EF) and a single loss expectancy (SLE)
- Perform threat analysis and calculate an annualized rate of occurrence (ARO)
- Derive the overall loss potential by calculating the annualized loss expectancy (ALE)
- Research countermeasures (safeguards) for each threat, then recalculate the ARO and ALE
- Perform a cost/benefit analysis of each safeguard for each threat of every asset
- Qualitative (how bad?) Risk Analysis
- cost-benefit analysis
- Risk responses: mitigation / transference / acceptance / avoidance
- NEVER reject (ignore) a risk
- Assess countermeasures
- Good enough?
- Need for improvement?
- Do we need new?
Concept | Formula |
---|---|
Exposure factor (EF) | % of asset value lost per occurrence |
Single loss expectancy (SLE) | SLE = AV * EF |
Annualized rate of occurrence (ARO) | # of occurrences / year |
Annualized loss expectancy (ALE) | ALE = SLE * ARO = (AV * EF) * ARO |
Annual cost of the safeguard (ACS) | $ / year |
Value of a safeguard | (ALE before - ALE after) - ACS |
Risk Analysis (Quantitative) -> NIST SP 800-30r1
- Risk Analysis Matrix (likelihood in rows, consequence in columns)
Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophic |
---|---|---|---|---|---|
Almost Certain | High | High | Extreme | Extreme | Extreme |
Likely | Minor | High | High | Extreme | Extreme |
Possible | Low | Minor | High | High | Extreme |
Unlikely | Low | Low | Minor | High | Extreme |
Rare | Low | Low | Minor | High | High |
- Risk Register
Category | Name | Risk # | Probability | Impact | Mitigation | Cost | Risk Score after Mitigation | Action by | Action When |
---|---|---|---|---|---|---|---|---|---|
- Asset Value (AV) = what is the asset worth?
- Exposure Factor (EF) = percentage of the asset lost per occurrence
- Single Loss Expectancy (SLE) = AV * EF = what does it cost when it happens once?
- Annualized Rate of Occurrence (ARO) = how often will it happen each year?
- Annualized Loss Expectancy (ALE) = SLE * ARO = cost per year if we do nothing
- Total Cost of Ownership (TCO) = mitigation cost: upfront + ongoing
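The formula table and the AV / EF / SLE / ARO / ALE / TCO summary above are easiest to trust once carried through on numbers. The following added example (not from the original notes) does the quantitative steps end to end: asset value, per-threat SLE and ALE, the ALE after each safeguard, the annual cost of the safeguard derived from its TCO (upfront cost amortised plus ongoing cost), and the resulting safeguard value used for the cost/benefit ranking. The asset, threats, safeguards and every dollar figure are constructed.

```python
"""Quantitative risk analysis with the formulas from the notes:
SLE = AV * EF, ALE = SLE * ARO, safeguard value = (ALE before - ALE after) - ACS,
where ACS is the yearly share of the safeguard's TCO (upfront + ongoing).

Added example, not from the original notes; the asset, threats, safeguards
and all dollar figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor: fraction of asset value lost per occurrence
    aro: float  # annualized rate of occurrence (0.5 = once every two years)


@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str      # which threat it addresses
    upfront: float   # one-time cost
    years: int       # amortisation period for the upfront cost
    ongoing: float   # yearly operating cost
    new_ef: float    # exposure factor after the safeguard is in place
    new_aro: float   # rate of occurrence after the safeguard is in place

    @property
    def acs(self) -> float:
        """Annual cost of the safeguard: TCO spread over one year."""
        return self.upfront / self.years + self.ongoing


def sle(av: float, ef: float) -> float:
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    return sle(av, ef) * aro


def safeguard_value(av: float, threat: Threat, sg: Safeguard) -> float:
    """Positive value means the safeguard saves more per year than it costs."""
    before = ale(av, threat.ef, threat.aro)
    after = ale(av, sg.new_ef, sg.new_aro)
    return (before - after) - sg.acs


def cost_benefit(av: float, threats: list, safeguards: list) -> list:
    """Rank safeguards by value; only those with value > 0 are worth buying."""
    by_name = {t.name: t for t in threats}
    rows = []
    for sg in safeguards:
        t = by_name[sg.threat]
        rows.append({
            "safeguard": sg.name,
            "threat": t.name,
            "ale_before": ale(av, t.ef, t.aro),
            "ale_after": ale(av, sg.new_ef, sg.new_aro),
            "acs": sg.acs,
            "value": safeguard_value(av, t, sg),
        })
    return sorted(rows, key=lambda r: r["value"], reverse=True)


# Constructed scenario: a customer database valued at $500,000.
AV = 500_000.0
THREATS = [
    Threat("ransomware", ef=0.6, aro=0.5),          # SLE 300,000; ALE 150,000
    Threat("insider data theft", ef=0.3, aro=0.2),  # SLE 150,000; ALE 30,000
]
SAFEGUARDS = [
    # name, threat, upfront, years, ongoing, new_ef, new_aro
    Safeguard("offline backups + EDR", "ransomware", 60_000, 3, 20_000, 0.1, 0.5),
    Safeguard("air-gapped DR site", "ransomware", 450_000, 3, 0, 0.05, 0.5),
    Safeguard("DLP on endpoints", "insider data theft", 30_000, 3, 10_000, 0.3, 0.05),
]


if __name__ == "__main__":
    for row in cost_benefit(AV, THREATS, SAFEGUARDS):
        print(row)
```

With these figures the backups plus EDR safeguard is worth 85,000 per year, DLP just clears zero at 2,500, and the DR site loses 12,500 per year even though it reduces the ALE the most: the comparison is against the loss avoided, not the loss itself.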
- Key Goal Indicator
- tells management whether the IT process has achieved its business goals
- Key Performance Indicator
- How are we performing?
- Key Risk Indicators
- How risky is an activity and how much risk is the organization facing?
- Level 1(initial) -> Level 2 (Repeatable) -> Level 3 (Defined) -> Level 4 (Managed) -> Level 5 (optimizing)
- Sponsor and management
- Identify risk
- Analyze risk
- Plan risk response
- Integrate risk management and project management systems
- Trust in and a culture of risk management
- Script Kiddies & White / Gray / Black Hat Hackers
- Internal / External Threat
- Hacktivists / Governments
- Bots / Botnets
- Phishing (Social Engineering)
- NIST Cybersecurity Framework core functions: Identify -> Protect -> Detect -> Respond -> Recover
Business Continuity Plan NIST.SP.800-34r1
Cycle: Analysis -> Solution Design -> Implementation -> Test & Acceptance -> Maintenance
- Contains:
- COOP (Continuity of Operations Plan)
- Crisis Communication Plan
- Critical Infrastructure Contingency Plan
- Occupant Emergency Plan
Cycle: Project Initiation (w/ Senior Management) -> Scope the project -> Business Impact Analysis -> Identify Preventive Controls -> Recovery Strategy -> Plan, Design and Development -> Implementation / Training / Testing -> BCP / DRP Maintenance (w/ Senior Management)
- A function is critical where its disruption is unacceptable
- may also be defined by law
- For each critical system, function or activity these values are assigned:
- Recovery Point Objective (RPO)
- The maximum acceptable data loss, measured as an amount of time (e.g. since the last backup). Backup frequency must ensure the RPO is not exceeded
- Maximum Tolerable Downtime (MTD)
- MTD >= RTO + WRT
- System rebuild time must be less than or equal to our MTD
- Recovery Time Objective (RTO)
- The time to restore the system (hardware / infrastructure)
- Work Recovery Time (WRT)
- The time to configure the software, restore data and verify the system before returning it to production
- Mean Time Between Failures (MTBF)
- Mean Time To Repair (MTTR)
- Minimum Operating Requirements (MOR)
- Minimum requirements for critical systems to function