Concepts (10) - Sunflower CISSP


Concepts (10)

CIA / DAD
- DAD is the NEGATIVE of CIA: disclosure, alteration and destruction.
- Confidentiality - prevent unauthorized disclosure; need to know and least privilege. Assurance that information is not disclosed to unauthorized programs, users or processes; encryption, logical and physical access control.
- Integrity - no unauthorized modifications, consistent data; protecting data or a resource from being altered in an unauthorized fashion.
- Availability - reliable and timely, accessible; fault tolerance and recovery procedures. WHEN NEEDED.

IAAA - requirements for accountability
- Identification - the user claims an identity; used for user access control.
- Authentication - testing of evidence of the user's identity.
- Accountability - attribute actions to an individual person.
- Authorization - rights and permissions granted.
- Privacy - level of confidentiality and privacy protections.

Intellectual property laws (24)
- Patent - grants ownership of an invention and provides enforcement for the owner to exclude others from practicing the invention. After 20 years from the application the idea is open for anyone to use.
- Copyright - protects the expression of ideas but not necessarily the idea itself, e.g. a poem or song; lasts 70 years after the author dies.
- Trade Secret - something that is proprietary to a company and important for its survival and profitability (like the formula of Coke or Pepsi). DON'T REGISTER - no application.
- Trademarks - words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald's M); 10 years.
- Wassenaar Arrangement (WA) - dual-use goods and trade; international cryptographic agreement; aims to prevent destabilizing.
- Computer Crimes - loss, image, penalties.

Data Breaches (27)
- Incident - an event that has the potential to do harm.
- Breach - an incident that results in disclosure or potential disclosure of data.
- Data Disclosure - unauthorized acquisition of personal information.
- Event - threat events are accidental and intentional exploitations of vulnerabilities.

Regulations / Risk (12)
- It is not possible to get rid of all risk; get risk to an acceptable/tolerable level.
- Baselines - minimum standards.
- ISO 27005 - risk management framework.
- Budget - if not constrained go for the ...

Corporate Officer Liability (SOX)
- SOX, Sarbanes-Oxley, 2002: passed after the ENRON and World Online debacle. Independent review by external accountants.
- Section 302: CEOs and CFOs can be sent to jail when information they sign is incorrect. CEO SIGNS.
- Section 404 is about internal controls assessment: describing logical controls over accounting files; good auditing and information security.

Responsibilities of the ISO (15)
- Written Products - ensure they are done.
- CIRT - implement and operate.
- Security Awareness - provide leadership.
- Communicate - risk to higher management; report to as high a level as possible.
- Security is everyone's responsibility.

Control Frameworks (17)
- Consistent - approach and application.
- Measurable - a way to determine progress.
- Standardized - all the same.
- Comprehensive - examine everything.
- Modular - to help in review and adaptation; layered, abstraction.

Due Care, Due Diligence, Negligence
- Due Care means the company did all that it could reasonably have done to try to prevent a security breach / compromise / disaster, and took the necessary steps required as countermeasures / controls (safeguards). The benefit of "due care" can be seen as the difference between the damage with or without "due care" safeguards in place. AKA doing something about the threats. Failing to perform periodic security audits can result in the perception that due care is not being maintained.
- Due Diligence means that the company properly investigated all of its possible weaknesses and vulnerabilities. AKA understanding the threats. Executives are now held liable if the organization they represent is not compliant with the law.
- Negligence occurs if there is a failure to implement recommended precautions, if there is no contingency/disaster recovery plan, failure to conduct appropriate background checks, failure to institute appropriate information security measures, or failure to follow policy or local laws and regulations.
- COSO - framework to work with Sarbanes-Oxley 404 compliance (TREADWAY COMMISSION).

European laws
- Need for information security to protect the individual. Privacy is the keyword here! Only use information of individuals for what it was gathered for.
- (Remember ITSEC, the European version of TCSEC that came from the USA/Orange Book; they came together in the Common Criteria, but there is still some overlap.)
- Strong in anti-spam and legitimate marketing.
- Directs public directories to be subjected to tight controls.
- Takes an OPT-IN approach to unsolicited commercial electronic communications.
- Users may refuse cookies to be stored, and users must be provided with information.
- Member states in the EU can make their own laws, e.g. retention of data.
- COBIT - examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of high-level control objectives. Having controls, GRC, heavy auditing, metrics, regulated industry.

Laws (28)
- ITAR, 1976 - defense goods; Arms Export Control Act.
- FERPA - education.
- GLBA, Gramm-Leach-Bliley - credit-related PII (21).
- ECS, Electronic Communication Service (Europe) - notice of breaches.
- Fourth Amendment - the basis for privacy rights is the Fourth Amendment to the Constitution.
- 1974 US Privacy Act - protection of PII in federal databases.
- 1980 Organization for Economic Cooperation and Development (OECD) - provides for data collection, specifications, safeguards.
- 1986 (amended in 1996) US Computer Fraud and Abuse Act - trafficking in computer passwords or information that causes a loss of 1,000 or more or could impair medical treatment.
- 1986 Electronic Communications Privacy Act - prohibits eavesdropping or interception without distinguishing private/public.
- Communications Assistance for Law Enforcement Act (CALEA) of 1994 - amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
- 1987 US Computer Security Act - security training, develop a security plan, and identify sensitive systems in government agencies.
- 1991 US Federal Sentencing Guidelines - responsibility on senior management with fines up to 290 million; invoke the prudent man rule; address both individuals and organizations.
- 1996 US Economic and Protection of Proprietary Information Act - industrial and corporate espionage.
- 1996 Health Insurance Portability and Accountability Act (HIPAA) - amended.
- 1996 US National Information Infrastructure Protection Act - encourage other countries to adopt a similar framework.
- Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) - Congress amended HIPAA by passing this Act. This law updated many of HIPAA's privacy and security requirements. One of the changes is a change in the way the law treats business associates (BAs), organizations who handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements.

Ethics (33)
- Just because something is legal doesn't make it right.
- Within the (ISC)² context: protecting information through CIA.
- (ISC)² Code of Ethics Canons: Protect society, the commonwealth, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.
- Internet Advisory Board (IAB), Ethics and the Internet (RFC 1087): don't compromise the privacy of users. Access to and use of the Internet is a privilege and should be treated as such. It is defined as unacceptable and unethical if you, for example, gain unauthorized access to resources on the Internet, destroy integrity, waste resources or compromise privacy.

Business Continuity plan development (38)
- Defining the continuity strategy:
  - Computing strategy to preserve the elements of HW/SW, communication lines, data and applications.
  - Facilities: use of main buildings or any remote facilities.
  - People: operators, management, technical support persons.
  - Supplies and equipment: paper, forms, HVAC.
- Documenting the continuity strategy.

BIA (39)
- Goal: to create a document to be used to help understand what impact a disruptive event would have on the business.
- Gathering assessment material: org charts to determine functional relationships; examine business success factors.
- Vulnerability assessment: identify critical IT resources out of critical processes; identify disruption impacts and Maximum Tolerable Downtime (MTD); loss is quantitative (revenue, expenses for repair) or qualitative (competitive edge, public embarrassment), presented as low, medium, high.
- Develop recovery procedures.
- Analyze the compiled information: document the process, identify interdependability, determine acceptable interruption periods.
- Documentation and recommendation: RTO, MTD.

Administrative Management Controls (47)
- Separation of duties - assigns parts of tasks to different individuals, thus no single person has total control of the system's security mechanisms; prevents collusion.
- M of N Control - requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. So, implementing three-of-eight control would require three people out of the eight with the assigned work task of key escrow recovery agent to work together to pull a single key out of the key escrow database.
- Least privilege - a system's user should have the lowest level of rights and privileges necessary to perform their work, and should only have them for the shortest time. Three types: read only, read/write and access/change.
- Two-man control - two persons review and approve the work of each other, for very sensitive operations.
- Dual control - two persons are needed to complete a task.
- Rotation of duties - limiting the amount of time a person is assigned to perform a security-related task before being moved to a different task, to prevent fraud; reduces collusion.
- Mandatory vacations - prevent fraud and allow investigations; one week minimum; kill processes.
- Need to know - the subject is given only the amount of information required to perform an assigned task; business justification.
- Agreements - NDA, non-compete, acceptable use.

Risk Management (52)
- GOAL - determine the impact of the threat and the risk of the threat occurring. The primary goal of risk management is to reduce risk to an acceptable level.
- Step 1 - Prepare for assessment (purpose, scope, etc.).
- Step 2 - Conduct assessment: ID threat sources and events; ID vulnerabilities and predisposing conditions; determine likelihood of occurrence; determine magnitude of impact; determine risk.
- Step 3 - Communicate risk/results.
- Step 4 - Maintain assessment regularly.
- Types of risk:
  - Inherent - chance of making an error with no controls in place.
  - Control - chance that controls in place will prevent, detect or control errors.
  - Detection - chance that auditors won't find an error.
  - Residual - risk remaining after controls are in place.
  - Business - concerns about effects of unforeseen circumstances.
  - Overall - combination of all risks, aka audit risk.
- Preliminary Security Examination (PSE): helps to gather the elements that you will need when the actual risk analysis takes place.
- ANALYSIS steps: identify assets, identify threats, and calculate risk.
- ISO 27005 - deals with risk.

Employment (48)
- Staff members pose more threat than external actors: loss of money, stolen equipment, loss of time/work hours, loss of reputation (declining trust) and loss of resources (bandwidth theft); due diligence.
- Voluntary and involuntary termination: exit interview!!!

Third Party Controls (49)
- Vendors, consultants, contractors: properly supervised, rights based on policy.

Risk Management Concepts (52)
- Threat - damage.
- Vulnerability - weakness to a threat vector (never does anything by itself).
- Likelihood - chance it will happen.
- Impact - overall effects.
- Residual Risk - amount left over.
- Organizations own the risk. Risk is determined as a byproduct of likelihood and impact.

ITIL (55)
- ITIL - best practices for IT core operational processes, not for audit: Service, Change, Release, Configuration.
- Strong end-to-end customer focus/expertise; about services and service strategy.

Risk Assessment Steps (60)
- Four major steps in risk assessment: Prepare, Perform, Communicate, Maintain.

Qualitative (57)
- Approval, form team, analyze data, calculate risk, countermeasure recommendations. REMEMBER HYBRID!
Quantitative Risk Analysis (58)
- Quantitative = VALUES!!
- SLE (Single Loss Expectancy) = Asset Value * Exposure Factor (% loss of asset).
- ALE (Annual Loss Expectancy) = SLE * ARO (Annualized Rate of Occurrence).
- Responses: Accept; Mitigate (reduce by implementing controls; calculate costs); Assign (insure the risk to transfer it); Avoid (stop the business activity).
- Loss probability * cost.
- Residual risk - where the cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C L). Legally the remaining residual risk is not counted when deciding whether a company is liable.
- Controls gap - the amount of risk that is reduced by implementing safeguards. A formula for residual risk is: total risk - controls gap = residual risk.
- RTO - how quickly you need to have that application's information available after downtime has occurred.
- RPO - Recovery Point Objective: the point in time that application data must be recovered to in order to resume business functions; THE AMOUNT OF DATA YOU'RE WILLING TO LOSE.
- MTD - Maximum Tolerable Downtime: the maximum delay a business can be down and still remain viable.
  - MTD minutes to hours: critical
  - MTD 24 hours: urgent
  - MTD 72 hours: important
  - MTD 7 days: normal
  - MTD 30 days: non-essential
- PLAN: Accept, Build Risk Team, Review.
- Once in 100 years = ARO of 0.01.
- SLE is the dollar value lost when an asset is successfully attacked.
- Exposure Factor ranges from 0 to 1.
- NO - ALE is NOT the annual % of the asset lost when attacked.

Determination of Impact (61)
- Life, dollars, prestige, market share.

Risk Response (61)
- Risk Avoidance - discontinue the activity because you don't want to accept the risk.
- Risk Transfer - passing the risk on to another entity.
- Risk Mitigation - elimination or decrease in the level of risk.
- Risk Acceptance - live with it and pay the cost.
- Background checks - mitigation, acceptance, avoidance.

Risk Framework Countermeasures (63)
- Accountability; auditability; source trusted and known; cost-effectiveness; security; protection for CIA of assets; other issues created? Does it leave residual data from its function?

Penetration Testing (77)
- Testing a network's defenses by using the same techniques as external intruders.
- Scanning and probing - port scanners. Demon dialing - war dialing for modems. Sniffing - capture data packets. Dumpster diving - searching paper disposal areas. Social engineering - most common; get information by asking.
- Blue team - has knowledge of the organization; can be done frequently and is least expensive.
- Red team - is external and stealthy.
- White box - the ethical hacker knows what to look for; sees code as a developer.
- Grey box - partial knowledge of the system; sees code, acts as a user.
- Black box - the ethical hacker does not know what to find.
- 4 stages: planning, discovery, attack, reporting.
- Vulnerabilities exploited: kernel flaws, buffer overflows, symbolic links, file descriptor attacks.
- Other model: footprint the network (information gathering), port scans, vulnerability mapping, exploitation, report. Scanning tools are used in penetration tests.
- Flaw hypothesis methodology - operating system penetration testing.
- Egregious hole - tell them now!
- Strategies - external, internal, blind, double-blind.
- Categories - zero, partial, full knowledge tests.

Pen Test Methodology (79)
- Recon/discovery, enumeration, vulnerability analysis, execution/exploitation, document findings/reporting. SPELL OUT AND DEFINE!!!!

Control Assessment (76)
- Look at your posture.

Controls (68)
Primary Controls (Types) - the control cost should be less than the value of the asset being protected.
- Administrative/Managerial (Policy):
  - Preventive: hiring policies, screening, security awareness (also called soft measures!)
  - Detective: screening behavior, job rotation, review of audit records
- Technical (aka Logical):
  - Preventive: protocols, encryption, biometrics, smartcards, routers, firewalls
  - Detective: IDS and automatically generated violation reports, audit logs, CCTV (never preventative)
- Physical (Domain 5) - see and touch; fences, doors, locks, windows etc.:
  - Preventive: fences, guards, locks
  - Detective: motion detectors, thermal detectors, video cameras
- Prime objective - to reduce the effects of security threats and vulnerabilities to a tolerable level.
- Risk analysis - a process that analyzes threat scenarios and produces a representation of the estimated potential loss.

Main Categories of Access Control (67)
- Directive: specify rules of behavior
- Deterrent: discourage people, change my mind
- Preventative: prevent incident or breach
- Compensating: substitute for loss of primary controls
- Detective: signal warning, investigate
- Corrective: mitigate damage, restore control
- Recovery: restore to normal after ...
- (The examples column of this table is garbled in the transcription; legible fragments: data checks, labels, traffic, DBMS, cyclic redundancy, IDS, backups, emergency response, database controls.)
- Functional order in which controls should be used: Deterrence, Denial, Detection, Delay.

Deming Cycle (83)
- Plan - identify the opportunity and plan for change.
- Do - implement the change on a small scale.
- Check - use data to analyze the results of the change.
- Act - if the change is successful, implement it on a wider scale; if it fails, begin the cycle again.
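The SLE, ALE and residual-risk formulas from the Quantitative Risk Analysis section above, worked through in code together with the MTD tiers. This is an added example, not part of the Sunflower sheet; the safeguard-value rule (ALE before minus ALE after minus the control's annual cost), the MTD thresholds and the dollar figures are assumptions made here.

```python
"""Worked quantitative risk analysis using the sheet's formulas:
SLE = AV * EF, ALE = SLE * ARO, residual risk = total risk - controls gap,
plus the MTD tiers. Added example; all figures below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost per event (0..1)
    aro: float              # ARO, expected events per year (once in 100 years = 0.01)


def sle(t: Threat) -> float:
    """Single Loss Expectancy: dollars lost per successful event."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annual Loss Expectancy: SLE scaled by how often the event happens per year."""
    return sle(t) * t.aro


def residual_risk(total_risk: float, controls_gap: float) -> float:
    """Sheet formula: total risk - controls gap = residual risk."""
    return total_risk - controls_gap


def safeguard_value(before: Threat, after: Threat, annual_cost: float) -> float:
    """Net yearly benefit of a control (assumed rule, not on the sheet):
    the ALE reduction the control buys minus what the control costs to run."""
    return ale(before) - ale(after) - annual_cost


def risk_response(before: Threat, after: Threat, annual_cost: float) -> str:
    """Mitigate when the control pays for itself, otherwise accept the risk."""
    return "mitigate" if safeguard_value(before, after, annual_cost) > 0 else "accept"


def mtd_category(mtd_hours: float) -> str:
    """Map an MTD to the sheet's tiers (the thresholds are an interpretation)."""
    if mtd_hours < 24:
        return "critical"        # minutes to hours
    if mtd_hours <= 24:
        return "urgent"
    if mtd_hours <= 72:
        return "important"
    if mtd_hours <= 7 * 24:
        return "normal"
    return "non-essential"       # 30 days and beyond


# Constructed scenario: a $1,000,000 data center; a fire is expected once in 100 years
FIRE = Threat("data center fire", 1_000_000, 0.40, 0.01)
# Constructed control: a suppression system that limits the damage to 10% of the asset
FIRE_WITH_SUPPRESSION = Threat("data center fire (with suppression)", 1_000_000, 0.10, 0.01)

if __name__ == "__main__":
    print(f"SLE = {sle(FIRE):,.0f}  ALE = {ale(FIRE):,.0f}")
    print("control at $2,000/yr:", risk_response(FIRE, FIRE_WITH_SUPPRESSION, 2_000))
    print("control at $3,500/yr:", risk_response(FIRE, FIRE_WITH_SUPPRESSION, 3_500))
    print("residual after a 3,000 controls gap:", residual_risk(ale(FIRE), 3_000))
    print("MTD 4h ->", mtd_category(4), "; MTD 5 days ->", mtd_category(5 * 24))
```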

Identification of Threat (86)
- Individuals must be qualified with the appropriate level of training.
- Develop job descriptions; contact references; screen/investigate background; develop confidentiality agreements; determine policy on vendor, contractor, consultant and temporary staff access. DUE DILIGENCE.

Terms
- Wire Tapping - eavesdropping on communication; only legal with prior consent or a warrant.
- Data Diddling - the act of modifying information, programs or documents to commit fraud; tampers with INPUT data.
- Privacy Laws - data collected must be collected fairly and lawfully and used only for the purpose for which it was collected.
- Water holing - create a bunch of websites with similar names.
- Work Function (factor) - the difficulty of obtaining the clear text from the cipher text as measured by cost/time.
- Fair Cryptosystems - in this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.
- SLA - agreement between an IT service provider and a customer; documents service levels; "divorce": how to dissolve the relationship.
- SLR (Service Level Requirements) - requirements for a service from the client's viewpoint.
- Service level report - insight into a service provider's ability to deliver the agreed-upon service quality.

Software Licenses (91)
- Public domain - available for anyone to use.
- Open source - source code made available with a license in which the copyright holder provides the rights to study, change and distribute the software to anyone.
- Freeware - proprietary software that is available for use at no monetary cost. May be used without payment but may usually not be modified, redistributed or reverse-engineered without the author's permission.

Assurance (92)
- Degree of confidence in satisfaction of security requirements. Assurance is another word for security. THINK OUTSIDE AUDIT.

Successful Requirements Gathering (92)
- Don't assume what the client wants; involve users early; define and agree on scope; MORE.

Security Awareness (96)
- Technical training to react to situations; best practices for security and network personnel. Employees need to understand policies; then use presentations, posters etc. to make them aware.
- Formal security awareness training - exact prep on how to do things.
- Legislative drivers? FISMA (federal agencies): Phase 1 - categorizing, selecting minimum controls, assessment. Phase 2: create n
