Domain 1 Security and Risk Management


Areas Covered
• Security governance principles such as the CIA Triad, prudent man, due care, due diligence, continuous monitoring
• Compliance
• Professional ethics
• Security documentation
• Risk management: treatments, qualitative, quantitative, formulas, frameworks
• Threat modeling and threat intelligence
• Business continuity plan fundamentals
• Acquisition strategy and practice
• Personnel security policies
• Security awareness and training
• Types, classes, and categories of security controls

CIA Triad
• Confidentiality: only authorized entities have access to the data
• Integrity: there are no unauthorized modifications of the data
• Availability: authorized entities can access the data when and how they are permitted to do so

A VPN, an ACL, and physical security provide confidentiality.
Hashes, digital signatures and version control provide integrity.
Backups, resistance to DoS, and UPSs provide availability.

CIA Triad and Its Opposite

Confidentiality
Confidentiality is keeping secrets such as the following:
• Military plans. Confidentiality is the main CIA concern of the military
• PII, PHI, PFI
• Trade secrets and intellectual property

Confidentiality is provided by the following:
• ACLs/limiting read access
• Physical security
• Encryption/VPNs
• Marking and labeling
• Need to know
• Least privilege
• Faraday cages
• Background investigations
• Security clearances
• Firewalls
• Security cages
• Screen lock/remote wipe

DRM Protects Confidentiality
• DRM provides an additional layer of protection that travels with documents.
• It can prevent printing, forwarding, and screen scrapes. Documents can be set to expire or self-destruct.
• The closely related DLP (data loss prevention) capability searches and classifies data and can block its movement to USB media or cloud storage such as Dropbox; DLP can be deployed on hosts, on the network, or in a CASB. DRM protects a document wherever it goes; DLP stops it from going where it should not.
• DRM solution traits include the following:
• Persistency
• Continuous audit trail
• Dynamic policy control
• Interoperability
• Automatic expiration

Integrity
Integrity means the information has not been altered by a malicious user or a malicious process, nor has it been corrupted. Integrity is the main CIA concern of banks.
• FIM (file integrity monitoring) checks the integrity of files by comparing their current hashes against a trusted baseline
• Hashes such as SHA-512 provide integrity against accidental change; an attacker who can rewrite the file can also rewrite an unkeyed hash, so the baseline itself must be protected
• Trusted (measured) boot and integrity measurement extend hashes of key boot components into TPM registers so the boot state can be verified or attested; UEFI Secure Boot checks the signatures on those components before running them
• HMAC provides integrity and authentication: it is a keyed hash, so only a holder of the key can produce a valid tag
• Digital signatures provide non-repudiation, authentication and integrity
• Limiting write permissions, particularly for standard users, provides integrity
• Snapshots, backups, and system restore provide integrity and availability: they provide the ability to get back to an unaltered state.
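The following is an added example, not code from the slides: a minimal file integrity monitor that shows the difference between a bare-hash baseline and an HMAC-sealed one. The files, the "attacker" edit and the HMAC key are all constructed for the demonstration; in practice the key (and ideally the baseline) would live off the monitored host, for example in the SIEM or a vault that runs the check.

```python
"""Minimal file-integrity monitor (FIM): SHA-512 per file, HMAC over the
whole baseline.  Added example, not from the slides.  Assumptions: files
live in a temporary directory created here; KEY is a hypothetical value
that in practice is kept off the monitored host."""
import hashlib
import hmac
import os
import tempfile
from typing import Dict

KEY = b"hypothetical-fim-key-stored-off-host"  # assumption, see docstring


def file_digest(path: str) -> str:
    """SHA-512 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map relative path -> SHA-512 for every regular file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def seal(baseline: Dict[str, str], key: bytes = KEY) -> str:
    """HMAC over the canonical baseline text, so an attacker who edits a
    file AND rewrites its hash in the baseline is still detected."""
    canon = "\n".join(f"{p}:{d}" for p, d in sorted(baseline.items())).encode()
    return hmac.new(key, canon, hashlib.sha512).hexdigest()


def check(root: str, baseline: Dict[str, str], tag: str, key: bytes = KEY) -> dict:
    """Report modified/added/removed files.  If the baseline does not
    verify against its HMAC tag, trust nothing in it and say so."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        return {"baseline_tampered": True, "modified": [], "added": [], "removed": []}
    current = build_baseline(root)
    return {
        "baseline_tampered": False,
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then let an 'attacker' edit
    a file and forge the stored hash without knowing the HMAC key."""
    root = tempfile.mkdtemp()
    files = {"sshd_config": b"PermitRootLogin no\n", "passwd": b"root:x:0:0\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    baseline = build_baseline(root)
    tag = seal(baseline)
    clean = check(root, baseline, tag)

    # 1) Plain modification: the per-file hash mismatch is caught.
    with open(os.path.join(root, "sshd_config"), "wb") as f:
        f.write(b"PermitRootLogin yes\n")
    plain = check(root, baseline, tag)

    # 2) Attacker also rewrites the baseline entry.  A bare-hash compare
    #    would now report "clean"; the HMAC tag no longer verifies.
    forged = dict(baseline)
    forged["sshd_config"] = file_digest(os.path.join(root, "sshd_config"))
    forged_result = check(root, forged, tag)
    return {"clean": clean, "plain": plain, "forged": forged_result}


if __name__ == "__main__":
    print(demo())
```

The design point is in `seal`: the baseline is only as trustworthy as the thing that protects it. A baseline of plain hashes on the same disk as the monitored files is exactly what an intruder with root will edit; the keyed tag moves the trust to wherever the key is kept.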

Availability
Availability means that systems and data are available to authorized users when needed. It is the main CIA concern of SCADA. It is provided in the following ways:
• Redundant components/systems
• Avoiding single points of failure
• RAID for hard drives
• Load-balanced or clustered servers
• UPSs, generators, and redundant circuits for power
• VRRP for routers
• Clustering (stacking) for switches
• NIC teaming
• Port bonding
• Replication, backups, and snapshots for data
• Redundant datacenters
• Resistance to attacks such as DoS, DDoS, and PDoS (permanent denial of service)

Terms Related to CIA
• Accuracy: being correct and precise
• Truthfulness: being a true reflection of reality
• Authenticity: being authentic or genuine
• Validity: being factually or logically sound
• Nonrepudiation: not being able to deny having performed an action or activity, or being able to verify the origin of a communication or event
• Accountability: being responsible or obligated for actions and results
• Responsibility: being in charge of or having control over something or someone
• Completeness: having all needed and necessary components or parts
• Comprehensiveness: being complete in scope; the full inclusion of all needed elements

AAA Supports CIA
AAA refers to Authentication, Authorization and Accounting. We will also look at identification, which precedes authentication, and auditing, which follows accounting.
• Identification: who a user claims to be, e.g. with a user ID
• Authentication: proving the identity claim of a user
• Authorization: what a user can do once authenticated
• Accounting: recording what a user did
• Auditing: reviewing the records and logs to make sure they contain no abnormalities and that all systems are compliant. With complete accounting records it is possible to accurately identify which person, IP address, or process performed a given action.

Governance Terms
• Governance: the process of how an organization is managed. This includes all aspects of how decisions are made for that organization and can (and usually does) include the policy, roles, and procedures the organization uses to make those decisions.
• Security governance: the entirety of the policies, roles, and processes the organization uses to make security decisions. Just as each organization has its own unique governance structure, it will also have security governance specific to its purposes and objectives.
• eGRC: Electronic Governance, Risk Management, and Compliance
• Due care: acting as a reasonable, prudent organization would; what the organization owes its customers (e.g. actually implementing and maintaining security controls)
• Due diligence: the research, assessment and ongoing monitoring that inform due care and demonstrate it (e.g. risk assessments, vendor reviews, audits)

Governance vs. Management
• The board of directors takes on the role of governance in making decisions about the direction of the company. Duties such as oversight, strategic planning, decision-making, the appropriate level of security, and financial planning fall under governance activities.
• While governance pertains to the vision of an organization and the translation of the vision into policy, management is all about making decisions on implementing the policies.
• Management answers to the governing body and must carry out its direction.
• To get everyone behind security governance and policies, a top-down approach with full management support should be used.

Plans Implement GovernanceThe three types of plans from long range to short range are strategic, tactical, and operational

• Strategic Plan - Long-term plan aligned to the goals, mission, and objectives of the organization. Five-year horizon. Annual updates.

• Tactical Plan - Mid-range plan that schedules the tasks necessary to accomplish organizational goals. One-year horizon.

• Operational Plan - Short-term, highly detailed plan based on the strategic and tactical plans. It is valid for a short time.

Organization Processes Affect Governance

• Mergers/partnerships/SLAs
• De-mergers/divestitures
• Doing business overseas
• Using the cloud
• BYOD
• New software

Change Control Makes Sure that Changes Do Not Negatively Affect the CIA Triad or Governance

• Changes are requested using a change management form
• Changes are evaluated for impact to CIA
• They must be vetted by the Change Management Board
• Proposed changes are tested
• Backout plans are made
• Users are educated on changes
• Changes are made during a maintenance window when feasible
• Documentation is updated after a change
• Systems are monitored for ill effects after changes are made

Managing Third Party Governance
• Acceptable governance should be verified for business partners including cloud providers, suppliers, and outsourcing/offshoring providers
• Risks of partnership include the following:
• Loss of control of confidential information
• Lack of accountability
• Lack of compliance
• Mitigations to partnership risk include the following:
• Document exchange and review
• Policy and process review
• On-site first-party assessment
• Third-party assessment and accreditation

Governance includes Auditing
Auditing validates compliance to the following:
• Security control frameworks
• Standards
• Published specifications

Examples:
• ISO 27001 - Information Security Management System (ISMS)
• PCI DSS
• SSAE 18
• FISMA
• NIST Cybersecurity Framework
• RMF

eGRC and Legal Compliance
• eGRC is Electronic Governance, Risk Management and Compliance. These three terms are interrelated. A major risk is non-compliance with laws and regulations.
• A company must show due diligence and due care in compliance with laws and regulations. A company must take prudent steps to reduce cyber-crime. If a company is hacked, it must comply with breach notification laws.
• Typical cyber crimes:
• Malware
• Unauthorized access
• Ransomware
• Theft
• Illegal use of resources
• Fraud

Types of Laws
• Criminal law: "society" is the victim and proof must be "beyond a reasonable doubt". Penalties (incarceration, death, financial fines) exist to "punish and deter".
• Civil law (tort law): individuals, groups or organizations are the victims and the standard of proof is the "preponderance of the evidence" (more likely than not). Financial damages "compensate the victim(s)".
• Administrative law (regulatory law): rules enacted by government agencies (FDA regulations, HIPAA, FAA regulations, etc.). Standard of proof is "more likely than not".
• Private regulations: compliance is required by contract (for instance PCI DSS).

Responsible Parties
The roles and responsibilities of all the participants in the information classification program must be clearly defined.
• Senior Manager: has the ultimate responsibility for security.
• Information Security Officer: has the functional responsibility for security.
• Data Owner: determines the data classification.
• Data Custodian: is responsible for preserving the information.
• System Owner: is responsible for the security of the system containing the data.
• Security Administrator: sets up the security configurations on a system.
• Security Analyst: defines and implements security program elements.
• User: the user or operator should follow the security procedures.
• Auditor: examines the security.

Risk Management
• Vulnerability: a weakness. In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to the system weakness.
• Threat: anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset
• Security controls: safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets
• Risk = Vulnerability x Threat x Control Failure Probability
• Risk = Likelihood x Impact
• Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
• Annual Loss Expectancy (ALE) = SLE x Annual Rate of Occurrence (ARO)

Qualitative vs. Quantitative Risk Assessment

• Qualitative: subjective, word-based, built on expert judgement. Risk is rated as Likelihood x Impact where the ratings are usually high, medium, or low.
• Quantitative: numbers-based, built on history or mathematics. Uses formulas such as ALE = SLE x ARO.

Quantitative Risk Assessment
• Single loss expectancy (SLE): the expected monetary loss from one occurrence of a particular risk; SLE = AV x EF, where the exposure factor is the fraction of the asset's value lost in that one event
• Annual rate of occurrence (ARO): the number of times per year a given loss is expected, expressed as a number (an ARO of 0.1 means once in ten years)
• Annual loss expectancy (ALE): the SLE multiplied by the ARO, which gives the estimated annual cost of a particular risk
• ALE = SLE x ARO
• A safeguard is cost-justified when (ALE before the safeguard) - (ALE after the safeguard) - (annual cost of the safeguard) is positive
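The formulas above carried through in code, as an added example (not from the slides): SLE and ALE for two risks, a ranking by ALE, and the safeguard cost/benefit test that tells you whether mitigating or accepting is the rational treatment. All asset values, exposure factors, rates and control costs are constructed for illustration.

```python
"""Quantitative risk assessment with the slides' formulas:
SLE = AV x EF, ALE = SLE x ARO, and
value of safeguard = ALE_before - ALE_after - annual cost of safeguard.
Added example; every figure below is constructed for illustration."""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # annual rate of occurrence (incidents per year)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float           # amortized purchase plus yearly operation
    new_exposure_factor: float   # EF once the control is in place
    new_aro: float               # ARO once the control is in place


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Positive: the control pays for itself (mitigate).  Negative: the
    control costs more than the loss it prevents (accept, or find a
    cheaper control)."""
    after = Risk(risk.name, risk.asset_value, sg.new_exposure_factor, sg.new_aro)
    return risk.ale() - after.ale() - sg.annual_cost


def rank_by_ale(risks: List[Risk]) -> List[str]:
    """Names of the risks, highest annual loss expectancy first."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


# Constructed scenario: a customer database valued at 500,000.
RANSOMWARE = Risk("ransomware on DB server", 500_000, 0.60, 0.25)  # once per 4 years, 60% loss
FLOOD = Risk("datacenter flood", 500_000, 1.00, 0.02)              # once per 50 years, total loss
RISKS = [RANSOMWARE, FLOOD]

# Two candidate treatments for the ransomware risk (constructed numbers).
OFFLINE_BACKUPS = Safeguard("immutable offline backups", 20_000, 0.10, 0.25)  # cuts the loss, not the frequency
EDR = Safeguard("EDR plus patching program", 65_000, 0.60, 0.05)            # cuts the frequency, not the loss


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: SLE={r.sle():,.0f} ALE={r.ale():,.0f}")
    print("ranked:", rank_by_ale(RISKS))
    for sg in (OFFLINE_BACKUPS, EDR):
        print(f"{sg.name}: value={safeguard_value(RANSOMWARE, sg):,.0f}")
```

Note what the numbers say: the flood has the larger SLE (total loss) but the ransomware has the larger ALE, so it is treated first; and a control that reduces exposure (backups) can beat a more expensive control that reduces frequency (EDR) even though both are "good" controls. That is the argument the quantitative method lets you make to management.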

Qualitative Risk Assessment
• Delphi technique: experts brainstorm and share opinions anonymously, in rounds, until consensus is reached
• SWIFT analysis (Structured What-If Technique): a team-based approach in a workshop environment, where the team investigates how changes from an approved design or plan may affect a project through a series of "what if" considerations
• Decision tree analysis helps determine the best course of action wherever there is uncertainty in the outcome of possible events or proposed plans
• Bow-tie analysis looks at a risk event and projects it in two directions: to the left, all the potential causes of the event are listed and, to the right, all the potential consequences
• Probability/consequence matrix provides a practical means of ranking the overall severity of a risk by multiplying the likelihood of occurrence against the impact of the risk, should it occur

Risk Treatments

• Avoid
• Accept
• Mitigate
• Transfer
• Deter
• Risk exemption
• Exploit an opportunity

Risk Types
• Inherent risk: raw or untreated risk, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap; the amount of risk before any risk reduction is applied
• Residual risk: risk that remains after risk treatments have been applied
• Acceptable risk: the level of residual risk that has been determined to be a reasonable level of potential loss/disruption for a specific IT system

A Major Risk is Business Interruption
• Business continuity (BC): actions, processes, and tools for ensuring an organization can continue critical operations during a contingency
• Disaster recovery (DR): tasks and activities required to bring an organization back from contingency operations and reinstate regular operations
• Often referred to jointly as "BCDR"
• Succession planning: identifying and developing new leaders who can replace old leaders when they leave, retire or die

Business Continuity vs. Disaster Recovery

A BIA is a Major Part of BCP
• BIA: business impact analysis is the component of business continuity planning that identifies critical and non-critical systems and their recovery requirements
• MTD: the maximum tolerable downtime is the time after which the unavailability of a process creates irreversible consequences; exceeding the MTD generally results in severe damage to the viability of the business
• RPO: how much data can be lost? Expressed as the time since the last good copy; it determines the backup schedule
• RTO: when do the systems have to be back online? It must be less than the MTD and determines whether your company has a hot site, warm site, or cold site
• MTTF: mean time to failure, a measure of system reliability
• MTTR: mean time to repair, the time to fix a product
• MTBF = MTTF + MTTR

Types of Controls
• Technical/logical: implemented with or by automated or electronic systems, i.e. controls implemented in hardware or software. Examples are encryption, ACLs, firewalls, IDS/IPS, and anti-virus.
• Physical: implemented through a tangible mechanism. Examples are mantraps, locks, doors, safes, locking cabinets, bollards.
• Administrative: implemented through policy and procedure. Examples are password policies, account lockout policies, background investigations, AUP, least privilege, need to know.

Background Investigations are Administrative Controls

• Detailed job descriptions
• Drug tests
• Checking references
• Employment history
• Background check
• Financial profile

Training is an Administrative Control

• Education: formal classes, usually in an accredited academic institution outside the organization of employment, often as part of a degree program or professional certification.
• Training: semi-formal, usually offered by the organization itself (or by vendors), presented by subject matter experts (typically security practitioners).
• Awareness: informal, often unscheduled and not mandatory; awareness elements typically are used to remind and encourage employees to operate in a secure manner.

Evaluating Training

Onboarding and Offboarding are Administrative Controls

Onboarding:
• Review job description, contract terms, and employee handbook
• Formal initial training to familiarize the new employee with the organization's security policies and procedures
• Signing NDA and AUP
• Secure process for issuing the employee any access information or tools

Offboarding:
• Disable account
• Recover credentials, badges and other property
• Exit interview
• Review NDA

Part of Onboarding and Training is Getting Buy-In to an Organization’s Code of Ethics

ISC2 Code of Ethics Preamble: The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.
• A member can lose certification for noncompliance.
• Non-compliance must be reported in writing.
• Adherence is a requirement for ISC2 certification.
• Conflicts are resolved by the order of the canons.

Four canons in order of precedence:
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

Vendors and Business Partners also Need to be Onboarded and Offboarded

• Partners need to have governance in line with your company's acceptable risk.
• Make sure that contracts and SLAs are enforceable and have comprehensive security provisions.
• Have partners sign NDAs.
• Show due diligence in investigating partner claims.
• Escort partners that come on site.
• Use an Interconnection Security Agreement (ISA) to delineate the information that will be shared and how it will be protected.
• Offboard partners that are either not performing or violating security requirements.

Controls for the Supply Chain
Risk management methodologies should be applied to vendors, suppliers, customers, and contractors, possibly including:
• Governance review
• Site security review
• Formal security audit
• Penetration testing

When direct review of external entities is not viable, third-party assessment and monitoring can be used:
• ISO-certified audits
• CSA STAR evaluation
• AICPA SSAE 18 SOC reports
• ISO 27001/27002

Combining Controls
Defense in depth/layered defense is multiple controls in series:
• No one control can protect against all possible threats.
• If one control fails, the next control should stop the attack.
Examples:
• Management, physical, and logical controls
• People, network, and host controls

Diversity in defense is using different vendors, operating systems or control types, so that a single flaw does not defeat every layer. Examples:
• The firewalls in a DMZ are from different vendors or models, so if one is compromised by a product-specific flaw, hopefully the other stands tall.
• The 13 root DNS server identities are run by different operators on a mix of operating systems and DNS software, so they can't all be hacked at once with the same exploit.
• A user uses a proximity badge to authenticate to the outer door of a mantrap. A biometric is used to authenticate to the inner door.

Security Control Frameworks
• PCI DSS: payment cards
• ISO 27001/27002: international
• COBIT: Control Objectives for Information and Related Technologies
• ITIL: better service delivery
• RMF: continuous risk reduction
• CSA STAR: cloud providers
• OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
• NERC CIP: North American bulk electric system (power grid) operators
• COPPA: Children's Online Privacy Protection Act
• NIST Cybersecurity Framework
• SABSA: enterprise business security architecture
• FERPA: education
• SSAE 18 SOC 1 and SOC 2 reports (Type 1 and Type 2), SOC 3

ISO 27001/27002

COBIT 5 Principles

IT Infrastructure Library - ITIL

CSA STAR
The Cloud Security Alliance (CSA) maintains the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry where cloud service providers can publish their CSA-related assessments. STAR consists of three levels of assurance aligned with the control objectives in the CSA Cloud Controls Matrix (CCM). (The CCM covers fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service.)
• Level 1: STAR Self-Assessment
• Level 2: STAR Certification, STAR Attestation, and C-STAR Assessment
• Level 3: STAR Continuous Monitoring (program requirements are still under development by CSA)

CSA Star

PCI-DSS

Risk Management Framework (RMF)


The RMF was developed by NIST to secure federal government information systems. Reference NIST SP 800-37 (Rev. 1; Rev. 2, published in 2018, adds a preliminary Prepare step ahead of the six below). The following are the steps in the RMF:

1. Categorize the system and the information processed, stored, and transmitted by that system based on an impact analysis.
2. Select security controls: select an initial set of baseline security controls for the system based on the security categorization, tailoring and supplementing the baseline as needed based on the organization's assessment of risk and local conditions.
3. Implement security controls and document how the controls are deployed within the system and environment of operation.
4. Assess security controls to determine that controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
5. Authorize system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the system, and the decision that this risk is acceptable.
6. Monitor security controls in the system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials.

Privacy Frameworks

• EU Data Protection Directive 95/46/EC (superseded by the GDPR in 2018)
• GDPR
• Privacy Shield (EU-U.S.; invalidated by the EU Court of Justice in 2020)
• The Privacy Act (Australia)
• HIPAA
• APPI (Japan)
• Personal Data Protection Law (Argentina)
• Personal Data Protection Act (Singapore)
• GLBA
• PIPEDA (Canada)
• SOX
• FISMA
• PCI DSS
• FERPA

Privacy: the right of a human being to control the manner and extent to which information about him or her is distributed

Common Privacy Law Provisions
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

General Data Protection Regulation (GDPR)

Ways to Comply with GDPR when transferring personal data out of the EU
• Adequacy decision: the European Commission has recognized the laws of countries such as Japan, Switzerland, South Korea, Argentina, Canada (commercial organizations), New Zealand, Israel, Uruguay and the United Kingdom as providing equivalent protection.
• Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs): a contract with the EU entity carrying provisions equivalent to GDPR.
• Privacy Shield: the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce with the European Commission and the Swiss Administration to give companies on both sides of the Atlantic a mechanism for transferring personal data from the EU and Switzerland to the United States in support of transatlantic commerce. Note that the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield in July 2020 (Schrems II); its successor is the EU-U.S. Data Privacy Framework adopted in 2023.

Threat Modeling

Threat modeling: looking at an environment, system, or application from an attacker's viewpoint and trying to determine the vulnerabilities the attacker would exploit.

• Popular model: STRIDE
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

Threat Modeling

• Another popular model is DREAD. The five DREAD categories are:
• Damage: how bad would an attack be?
• Reproducibility: how easy is it to reproduce the attack?
• Exploitability: how much work is it to launch the attack?
• Affected users: how many people will be impacted?
• Discoverability: how easy is it to discover the threat?
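An added example (not from the slides) that puts STRIDE and DREAD together the way they are used in practice: STRIDE-per-element enumerates which threat categories apply to each element of a data-flow diagram (the standard Microsoft mapping: external entities get S and R; processes get all six; data stores get T, I, D and R for audit logs; data flows get T, I, D), and DREAD then scores and ranks the threats that come out. The data-flow diagram and the DREAD ratings are constructed for illustration.

```python
"""STRIDE-per-element over a tiny data-flow diagram, then DREAD ranking.
Added example; the element-to-STRIDE mapping is the standard chart, the
DFD and the ratings below are constructed."""
from typing import Dict, List, Tuple

# Which STRIDE letters apply to each DFD element type.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",   # R applies when the store holds audit logs
    "data_flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

Ratings = Tuple[int, int, int, int, int]  # D, R, E, A, D each 1..10


def enumerate_threats(elements: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(element name, element type) -> [(element name, threat category)]."""
    threats = []
    for name, kind in elements:
        for letter in STRIDE_PER_ELEMENT[kind]:
            threats.append((name, STRIDE_NAMES[letter]))
    return threats


def dread_score(damage: int, reproducibility: int, exploitability: int,
                affected_users: int, discoverability: int) -> float:
    """Classic DREAD: five factors rated 1..10, score is the mean."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= f <= 10 for f in factors):
        raise ValueError("DREAD factors must be in 1..10")
    return sum(factors) / len(factors)


def rank(rated: Dict[Tuple[str, str], Ratings]) -> List[Tuple[str, str, float]]:
    """Highest DREAD score first."""
    scored = [(elem, cat, dread_score(*r)) for (elem, cat), r in rated.items()]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed DFD: customer browser -> web app -> orders database.
DFD = [
    ("customer browser", "external_entity"),
    ("web app", "process"),
    ("orders DB", "data_store"),
    ("browser->web app (HTTPS)", "data_flow"),
]

# Constructed DREAD ratings for three of the enumerated threats.
RATINGS: Dict[Tuple[str, str], Ratings] = {
    ("web app", "Elevation of privilege"): (9, 6, 5, 9, 4),
    ("orders DB", "Information disclosure"): (10, 8, 7, 10, 6),
    ("customer browser", "Spoofing"): (5, 9, 8, 3, 9),
}


if __name__ == "__main__":
    for elem, cat in enumerate_threats(DFD):
        print(f"{elem}: {cat}")
    for elem, cat, score in rank(RATINGS):
        print(f"{score:4.1f}  {elem}: {cat}")
```

The enumeration is deliberately exhaustive (fifteen candidate threats for four elements); the value of the exercise is that nothing is skipped by intuition, and DREAD is then used to decide which of them deserve a mitigation first.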

Scoring Vulnerabilities
• CVE (Common Vulnerabilities and Exposures): a list of publicly known cybersecurity vulnerabilities, each with a unique identifier
• NVD (National Vulnerability Database): U.S. government repository of standards-based vulnerability management data represented using SCAP (Security Content Automation Protocol)
• CVSS (Common Vulnerability Scoring System): captures the principal characteristics of a vulnerability in a vector string and produces a numerical score reflecting its severity
• CWE/SANS Top 25 (CWE is the Common Weakness Enumeration): the most dangerous software errors
• OWASP Top 10 (Open Web Application Security Project): the most critical security risks to web applications

Assets have Vulnerabilities
Classes of assets:
• Tangible (things)
• Intangible (intellectual property)
• People
• Liquid: cash or stock accounts that can be easily converted to cash

Putting a value on assets:
• How much money will it take to replace an asset?
• How much money does an asset produce?
• How valuable would an asset be to an adversary?
• The military might classify systems or data as Top Secret, Secret, or Confidential
• Business Impact Analysis (BIA): measures the value of an asset, the threats and risks posed to/by the asset, and the impact to the organization if the asset were affected

Information Security Management
• Information security policies
• Standards
• Procedures
• Guidelines
• Baselines
• Information classification
• Risk management
• Security organization
• Security education

Types of Security Policies
• Regulatory policy: ensures that the organization is following industry-specific regulations or standards. Example: HIPAA, PCI DSS, etc.
• Advisory policy: strongly advises the employees or users on the type of behaviors and activities to be followed within the organization. Example: policy for handling medical or personal information
• Informative policy: informs the employees of certain key topics. Example: policy explaining the goals and mission of an organization

Typical Security Policies

• AUP
• Password
• NDA
• Least privilege
• Need to know
• Incident response
• Communications
• Remote access
• DR/BCP
• Change management
• BYOD
• MDM
• Vendor access
• Media sanitization
• HR policies such as background investigations

Information Security Management
• Standards: mandatory activities, rules, actions, or regulations. Example: ISO 27001
• Guidelines: recommended operational guides or actions for users, operations staff, IT staff, and others. Example: a password guideline
• Procedures: step-by-step tasks to be performed to achieve a certain objective. Example: an incident response procedure
• Baselines: a stage or state that is used as a comparison (reference point) for future changes. Example: all Windows 10 systems must be built from a gold image to which STIGs and SCAP content have been applied

Goals, Mission, and Objectives

•Goals – The Overall context for what the organization wants to accomplish

•Mission - The organization’s purpose and reason for existence

•Objectives – Map to the goals of the organization

• Security - Supports the goals, mission, and objectives of the organization

Agreements
• Contracts: one-time requirements
• SLAs (service level agreements): ongoing requirements for a price. May be defined for security incident response, security alert delivery, security investigation, policy and procedure review
• BPA (business partnership agreement): reciprocal agreements
• ISA (interconnection security agreement): technical requirements for sharing, moving, and storing information
• OLA (operating level agreement): business unit support for an SLA
• NDA (non-disclosure agreement): protects information
• Acceptable use policy: protects assets

Contracting Documents
• RFI (request for information): why is a company qualified to bid?
• RFP (request for proposal): how will a company address the contract requirements?
• RFQ (request for quotation): prices and payment terms
• RFT (request for tender): prices for common consumables and products
• Contract: binding agreement
• MSA (master service agreement): framework for future deliveries
• SOW (statement of work): what will be done, at what time, at what location

Review Questions
1. When the cost of compliance outweighs additional revenue, what risk management strategy should be used?
a. Exploit
b. Accept
c. Mitigate
d. Avoid


2. Joe has some data that is extremely valuable. He backs it up from his computer to a flash stick, and then puts the flash stick in a safe deposit box. Which two principles of the CIA triad does this address?
a. Confidentiality and integrity
b. Confidentiality and availability
c. Integrity and availability
d. Availability and nonrepudiation


3. An organization's recovery time objective (RTO) must always be less than:
a. The maximum allowable downtime (MAD)
b. RPO
c. MTBF
d. The duration allowed by regulators


4. A security practitioner holding an (ISC)2 certification is expected to first serve:
a. The client
b. The industry
c. ISC2
d. Humanity


5. Joe is the security manager for an online retailer. To protect the customer data they are entrusted with, Joe requires all personnel to attend security training sessions regularly. Joe documents and tracks which personnel have attended training, and he suspends account access for those personnel who have missed training. Which of the following answers does this best typify?
a. Due care
b. Due diligence
c. Legal duty
d. Reasonable expectation


6. Whenever an organization chooses to perform risk mitigation to address a particular risk, what other form of risk management will also be included?
a. Risk transference
b. Risk avoidance
c. Risk capture
d. Risk acceptance


7. In order to comply with the Payment Card Industry Data Security Standard (PCI DSS), what data element must not be stored for any length of time beyond the transaction?
a. Credit card number
b. User ID
c. Card verification value (CVV)
d. Social Security number


8. Which of the following security tools would probably best help an organization protect its proprietary software?
a. DAM
b. IPS
c. WAF
d. DRM


9. Which of the following has the highest precedence for an organization?
a. Guidelines
b. Policy
c. Standards
d. Procedures


10. Which of the following is an employee not required to sign, but is still accountable for compliance with?
a. Security policy
b. AUP
c. NDA
d. Employment contract


11. Which of the following would be a poor way to deliver security instruction?
a. Rote memorization
b. Computer-based training
c. Live training
d. Rewards
