Notes

Domain: Information System (General Notes)
 
Roles and Responsibilities
Security Planning
Security Administration
Significant influences on the Information Security Environment

  • Regulations (external, not all businesses have these)
  • Competition (external, field dominated)
  • Organizational Objectives (Internal, direction of the organization)
  • Organization Goals (Internal, identified goals of organization)
  • Laws (external, local – state – federal / country – international)
  • Shareholders Interest (Profit)

Policy – High level written statement / direction on organizational goal or requirement

  • Mandate. Not a guideline.
  • Authorized document on internal required behavior.
  • Output of policy: Guidelines, Standards, baseline, procedures

Integrity

  • Data is what we expect
  • Processes are predictable

Availability

  • Ensuring data and process are protected from modification
  • Ensuring system is performing as expected every time (accomplished via audit, redundancy, integrity checks, testing, validating, reports, etc.)
  • Should be able to prove something is effective (to an auditor, tester, internal, media, etc)

Confidentiality

  • Protecting data from improper disclosure
  • Key words: Sensitivity and Criticality
    • Sensitivity: Limited access/Need-to-know
    • Critical: Vital to operation at hand

Controls are designed to avoid:

  • Destruction (Availability)
  • Modification (Integrity)
  • Disclosure (Confidentiality)

Authenticity – Integrity
Non-repudiation - Integrity
(Repudiate = deny, didn’t do it, avoid responsibility)
Non-repudiation = can’t deny
Governance
 
Roles and Responsibilities (III-4)

  • Policy should apply to everyone unless an exception exists
    (Note: many approved exceptions are a symptom that the policy isn’t a good fit: too stringent, not applicable, not enough scope, etc)
  • Security begins at day one of employment (or before, with background checks, etc.)
  • Security needs to be simple: short is best. Too complex will cause people to work around the system.
  • Training is mandatory. It is very often the best answer on the test.
    • Training trumps technology when the question asks for broad applicability
  • Internal Roles
    • Executive management
      • Board level – publish and endorse policies, set the security tone
      • C Level – CFO, CIO, CEO, etc.
      • Bottom up security does not work
    • Info systems security professionals
      • Responsible for overall information systems
    • Developers
      • Increased scrutiny of late, since application code is the newest vulnerability front
      • Emphasis: BSI – Build Security In (instead of bolting it on after the fact)
      • Current big challenge: Get developers to think about security (instead of InfoSec thinking about code)
    • Custodians & Operations Staff
      • Custodians: Control of the system / guardian
      • Custodians – Not the owner of the data

    • Auditors: Independent and objective analysis experts
  • External Roles
    • Contractors: Leave with knowledge, must comply with your rules
      • Over time they become treated as internal roles/employees
      • Transitory individuals
      • Risks: Access roles may not be properly cleaned, badges retrieved, etc.
  • Security in depth: Multiple layers of security
    • Physical is the first line of defense but eventually a lock will be broken…

  • Workflow
    • Board of directors provide direction to executives
    • Executives convert direction into policy
    • Management converts policy into baselines, guidelines and standards
    • Team/Project leads convert baselines, guidelines, and standards into procedure
    • Users implement day-to-day procedures
    • HR disseminates policy and procedure, enforces compliance

  • If you outsource any activity, you are STILL responsible for the behavior/output
  • Heartland: Credit card clearing house that was compromised a few years ago.
    • Heartland was breached internally despite 4 successful audits
    • Albert Gonzalez was arrested in 2010, convicted 2012
    • Takeaway: Vendor met audit requirements, but Visa, Amex, etc. were responsible
      • They incurred the cost and PR, card replacement, 2 yrs of credit checks, etc.
  • Human Resources
    • Tasked with ensuring potential employees are trustworthy
      • Drug checks, criminal backgrounds, convictions (not arrests), etc.
      • Felony level; misdemeanors are too minor for most businesses
      • Credit checks – to show fiscal vulnerability
      • Education checks – Confirm resume claims
      • Reference checks – resume accuracy, rehireability, etc.
      • Social presence
    • Signed Employment Agreements
      • Acceptable Use
      • Non-disclosures (NDA)
      • Non-compete (where legal)
      • Ethics
        • Ethics are situational
    • FSGO = Federal Sentencing Guidelines for Organizations
      • First time that formal ethics policy and training were required
      • All organizations must have an ethics policy and training
      • Takeaway: Organizations must train so employees cannot say they didn’t know better.
    • Personnel Good Practices
      • Least privilege: Have only the access you need to do your job (access to systems)
      • Need to know: You may not need to know certain things to do your job (access to data)
        • Least privilege is NOT need to know
      • Separation of duties
        • No one person may complete a task from start to finish
        • Mandates a check-and-balance system within a process
        • Forces collusion among 2 or more people for wrongdoing to occur
      • Job rotation
        • Shows redundancy of roles
        • Increases job skills of employees
        • Identifies any aberrant behavior
        • Fresh eyes may spot issues
      • Mandatory vacations
        • Shows redundancy of roles
        • Identifies any aberrant behavior
    • SATE – Security, Awareness, Training and Education
      • Awareness training
        • Delivery methods – must vary (posters, newsletters, brown bags, etc.)
        • Topics – Tailored to job function, known weaknesses, etc.
      • Job training – Different than security training
        • Focused on security topics required by jobs
        • Training should be relevant, properly scoped, and address the audience
      • Professional education
  • Security Planning
    • Focus on the mission
    • Organizations are different
    • Cost effective/risk based
      • Don’t spend $100K to protect $10 worth of data
      • Must also factor in other business costs: reputation, productivity, etc.
    • Levels of Security planning:
      • Strategic: Long-term high-level future goals/direction (3-5 yrs outlook)
      • Tactical: Mid-term implementation goals
      • Operational: Day-to-day issues
    • Security Program Management
      • Increasingly, security is reporting up through IT
    • Security Blueprints
      • A plan made before an activity; it provides the ability to measure progress and helps ensure the expected outcome; an architectural design suitable for review
      • Good SPs are holistic/broad overview of all items
      • Inspection along the way will help guarantee success
    • Terms:
      • Blueprints = frameworks, standards, models, architectural guidelines
      • COSO = Banks, ITIL = IT, ISO 27000 = Most popular
      • COBIT = Control Objectives for IT (by ISACA.org) currently at ver 5
      • Know ISO 27000 breakdown:
        • 27000: General vocabulary
        • 27001: Requirements and specifications – Main player
        • 27002: Guidance
        • 27003: ISMS guidance
        • 27004: How to measure
        • 27005: Risk management
        • 27006: Certification processes
        • 27799: Health systems that do not have HIPAA
    • ISO 27001 brings information security explicitly under management control
      • Requires management to systematically examine risk, taking into account threats, vulnerabilities and impacts – and design/implement a suite of controls
    • Functional Requirements vs. Assurance Requirements
      • Functional: What does it do? How does it work?
        • This is the DUE CARE function
      • Assurance: Does it do what we said it does? Does it really work?
        • This is the DUE DILIGENCE function
        • Validity and confidence in solution
        • Verbs: Test, audit, validate
    • Due care vs Due Diligence
      • C = Concept (What you should be doing? Ex: Define policy)
      • D = Doing (Are we doing what we said? Ex: Following/Enforcing policy)
      • Negligence can lead to liability
    • Single points of failure
      • Where in the fabric of the organization (processes, people, technology) do SPoFs exist?
        Our job is to identify where they exist
  • Security Administration
    • From policy come:
      • Baseline: Minimum acceptable level, clipping level, also called trigger level
      • Guideline: Best practice, recommendation (optional) – the only one that is optional
      • Standard: Hardware/Software applied universally
      • Procedure: Step by step consistent repeatable results
    • Security Policy
      • Management’s goals and objectives in writing and posted
        • Must be written otherwise it is not enforceable
        • Must be reviewed and posted annually
      • Documents compliance
      • Creates a security culture
      • Needs to give specific examples without excluding other cases: a balance between specifics and general guidance
      • Good traits: Simple, easy to understand, not in the weeds, enforceable
      • Good traits: applicability, accountability, terse (1-3 pages max)
      • General-use language (explain technical jargon/acronyms, etc.)
      • Should be under configuration management (revisioning, dates, version control, etc.)
      • Every policy should have an owner
      • The more detailed a policy is, the more updates are required (and loopholes may exist), so in general they are kept at a high level
      • Three types of policy:
        • Organization or Program-specific (issued by Senior Mgmt individual who creates scope and authority for program)
        • Functional/issue-specific policies (address specific security concerns requiring classification – e.g., access control policy, disaster recovery policy, etc.)
        • System-specific: System specific or greater control for a specific technical or operational area
      • Three reasons for policy:
        • Regulatory – Someone said so
        • Advisory – Someone said how to
        • Informational – Someone needs to know how
      • Policy terms
        • Standard: Hardware/Software applied universally
          • Ex: Desktop, Antivirus, Firewall
          • Sometimes a document (i.e., the ISO 27001 standard)
        • Baseline: Establish consistent minimum level (clipping level or trigger)
          • Ex: VPN Setup, IDS config, Password Rules (3x=lockout)
        • Guidelines: Recommendations (optional but a good idea)
          • Ex: Recommendation, Best Practice, ISO
  • Risk Management (Know def on III-21)
    • Risk analysis: Identify assets and threats
    • Risk assessment: Prioritize risk and choice of how to handle risk
    • Risk mitigation: Risk reduction efforts of identified risk
    • Evaluation and on-going monitoring: Maintaining and tracking risk
  • Risk Mgmt Purpose (NIST SP 800-30 documentation)
    • Risk is a function of the likelihood of a given threat-source’s exercising a particular vulnerability and the resulting impact of that adverse event on the organization.
    • That is: How likely is the event and how painful would it be?
    • Risk = Likelihood * Impact
  • Terms:
    • Vulnerability: Flaw, weakness, or lack of countermeasure
    • Controls
      • Safeguards: Safeguarding an asset, proactive steps to avoid event
      • Countermeasures: Reactive, counteraction to correct an event
    • Total Risk vs. Residual Risk
      • Total = Threats * Vulnerabilities * Asset Value
      • Residual = Total Risk – Controls/Countermeasures/Risk Mgmt Tasks
      • Note: You will always have residual risk (b/c you will never know all risks)
    • Know Risk Management Concept Flow chart on III-24
    • Know Risk Assessment Steps: SP 800-30 on III-24
  • Ways to value information/risk valuation
    • Modified Delphi – Small pieces of information that are gathered anonymously from known subject matter experts.
    • Facilitated sessions – Focus groups, general group discussion
    • Survey: Blanket queries
    • Interviews: 1-on-1 data collection
    • Checklist: Forms filled out by user population
  • Methods for Risk Analysis
    • Quantitative = All about the money; the only metric that counts is cost
    • Qualitative = NO MONEY; the only things that exist are scenarios
  • Quantitative Risk Analysis
    • Assign monetary values to everything
    • Labor and time intensive
    • Difficult to achieve
    • Bottom line: Risk = MONEY
    • Objective analysis
    • Term: Totally quantitative or fully quantitative: Assigning everything a value
    • Steps:
      • 1. Estimate potential loss (Single Loss Expectancy = SLE)
      • 2. Conduct threat analysis (Annualized Rate of Occurrence = ARO)
      • 3. Calculate annual loss expectancy (ALE = SLE * ARO)
    • Formulae
      • Single Loss Expectancy
        • SLE = AV ($) * EF (%) where AV = Asset Value, EF = Exposure Factor
        • EF = % of loss (did I lose all of the resource?)
      • ARO = # of exposures or incidents that can be expected in a year
        • 2 times in 100 yrs = 0.02, 1 in 10 years = 0.1, etc.
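The SLE/ARO/ALE steps above, worked through as an added example in Python (not code from the original notes). The risk register values are constructed, and the safeguard cost/benefit comparison at the end is an assumption added here to illustrate the "don’t spend $100K to protect $10" rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One row of a constructed risk register (values are illustrative)."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost per incident (0..1)
    aro: float              # ARO, expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def aro_from_frequency(incidents: float, years: float) -> float:
    """ARO from an estimated frequency, e.g. 2 times in 100 years -> 0.02."""
    if years <= 0:
        raise ValueError("years must be positive")
    return incidents / years


def rank_by_ale(threats):
    """Highest annualized loss first: this ordering drives control spending."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def safeguard_value(threat, residual_ef, residual_aro, annual_cost):
    """Net annual value of a control: (ALE before - ALE after) - annual cost.
    This cost/benefit step is an assumption added here, not from the notes;
    a negative result is the '$100K to protect $10' case."""
    after = Threat(threat.name, threat.asset_value, residual_ef, residual_aro)
    return (threat.ale() - after.ale()) - annual_cost


# Constructed sample register; none of these figures are real.
REGISTER = [
    Threat("Fire in the data center",   1_000_000, 0.25, aro_from_frequency(2, 100)),
    Threat("Laptop theft",                  5_000, 1.00, aro_from_frequency(3, 1)),
    Threat("Ransomware on file server",   200_000, 0.50, aro_from_frequency(1, 10)),
]

if __name__ == "__main__":
    for t in rank_by_ale(REGISTER):
        print(f"{t.name:26} SLE=${t.sle():>9,.0f} ARO={t.aro:<5} ALE=${t.ale():>8,.0f}")
    fire = REGISTER[0]
    # Suppression system halves EF for $3,000/yr (constructed): net value -500
    print("Fire suppression net value:", safeguard_value(fire, 0.125, fire.aro, 3_000))
```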
  • Qualitative Risk Analysis
    • Subjective
    • No dollar values involved
    • Sensitivity is low/medium/high
    • AS/NZS 4360 is a commonly used reference
    • Scenario oriented, performed for each dept in organization, input from all depts.
    • Cumulative weighted ranking of the unmitigated risks across all departments describes the severity of the total risk to the organization
    • Advantage: Better understanding of system processes and improved cross-dept communication
  • Hybrid Risk Analysis: Mix of Quan/Qual as well as FMEA and FTA
  • Covert channel – release of information in contradiction of your security policy
    • Overrides:
    • Failsafes: Making the system fail in a secure mode (ex: last rule of the FW is drop all)
    • Residuals / Reset: During recovery, must be secure at all points and protect data at all points.
    • Every control must be owned
  • Plan, Do, Check, Act – Framework for ISO/IEC 27001 (comes from Deming’s quality control)

Ethics

  • Ethical responsibilities should go from higher to lower:
    • Global responsibility
    • National
    • Organizational
    • Personal
  • Responsibilities as a CISSP
    • Set the example. No white-hat hacking.
    • Encourage ethical guidelines and standards
    • Inform users of ethical responsibilities
  • Ethical theories:
    • Teleology: Ethics in terms of goals (the end justifies the means; cf. the Spock quote)
      • The needs of the many outweigh the needs of the few
    • Deontology: Ethical behavior is a duty (deity-driven, we are required to do good inherently)
    • Informed consent: Conscious decision must be acquired before doing hazardous activities (volunteer for drug testing, for example)
  • Relevant Professional Code of Ethics
    • You will be asked this on the test
    • (ISC)^2
      • Know the preamble. Know the canons, in order.
      • Code of Ethics Preamble:
        • The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
        • Therefore, strict adherence to this Code is a condition of certification.
      • Code of Ethics Canons:
        • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
        • Act honorably, honestly, justly, responsibly, and legally.
        • Provide diligent and competent service to principals.
        • Advance and protect the profession.
    • RFC 1087
      • “Access and use of the Internet is a PRIVILEGE and should be treated as such”
      • RFC 1087 refers to “Negligence in the conduct of Internet-wide experiments” as “irresponsible and unacceptable” but does not specifically label such conduct “unethical”.
    • Internet Architecture Board (IAB), aka Internet Activities Board
      • Has been around for a long time
      • Know the canons on III-37
      • Generally held as a good idea but otherwise toothless
  • Additional points:
    • Steven Levy – talked about computers enriching our lives, adding beauty, etc.
    • Peter Tippett – Outlined 7 “ethical fallacies”
      • Computer game – WarGames. Hacking as a game that has no harm, just completing a challenge. Mitnick’s electronic joyriding.
      • Law abiding citizen (legal vs. ethical) – Do you have a right to write a virus? Are you responsible if it gets out? Just because you can doesn’t mean you should.
      • Shatterproof (little harm) – Did Mitnick steal the code even if he didn’t use it?
      • “Candy from a baby” – If you don’t protect it, not my fault I took it.
      • Hacker – Technical analysis and security checks.
      • Free information – Information should be free. Assumes all info is free and openly accessible. Doesn’t factor in malicious use of information. One person should not choose for others what is/is not available.
      • Hacktivism (Anonymous, Lulz, etc.) - Hacking for a “greater good” or otherwise political agendas.