Mod 1
CIA – Confidentiality, Integrity, Availability
- Opposite of CIA is DAD – Destruction, Alteration, Disclosure
Security supports business objectives.
Senior Management makes all final decisions on Security / Risk
Security Management
- Identifies risks
- Establishes control framework with Policies
- Awareness training
- Monitoring
- Budget
- Monies need to be set aside for specific programs
- Divided between ‘maintaining’ current initiatives
- Promoting new initiatives to ‘keep up’ with intruders
- Changing regulatory requirements
Metrics
- If you can’t measure it, you can’t improve it. – Peter Drucker
- Must measure the known
- Need to determine protection for unknown
Organization Processes
- Acquisitions
- Divestitures
- Governance
Security Roles
CISO
- Security Policies/Procedures/Baselines/Standards/Guidelines are written
- Won’t necessarily write them all
- Policies approved at Senior Level
- Computer Incident Response
- InfoSec Security Awareness program
- Communicate risks to Sr. Management
- Emerging regulatory developments
- Who does CISO report to
Frameworks
- NIST – RMF – Risk Management Framework
- ISO 27001 – International
- Cobit
- COSO
- ITIL
- CSA STAR – Security, Trust, Assurance, Registry
- Tier 1 – Self Assessment, Tier 2 – External Auditor, Tier 3 – Continuous Monitoring
Due Care
- What would a reasonable person do
- culpable negligence
Due Diligence
- Associated with an Action
Policy – High Level, Complete, Enforceable, General, Static
Standard – Hardware / Software
Procedure – Step by Step
Baseline – Minimum Level of Security
Guideline – Recommendation
Regulatory Compliance
- Local
- National
- International
Risk Management – Systematic process – Identify, Evaluate, Remediate, Monitor
Transfer, Avoid, Assume, Mitigate
Compliance
Actions that ensure behavior complies with your policies
Laws and company policies
GRC should encompass Senior Management Guidance
Privacy
European – Data Protection Directive
- Transparency
- Proportional to Use
- Legitimate Purpose
US
- No privacy guaranteed in Constitution
- Some provisions at State Level
- Independent Legislation
- HIPAA
- GLB – Repealed Glass-Steagall Act
- PCI – Industry Regulation
Computer Crime
- Computer as the Target – Theft of data
- Computer enables the crime – Running code on a computer to steal money
- Computer is incidental to other crimes – computer is not essential to crime, but makes it easier
- Crimes associated with prevalence of computers – counterfeit software
Insider Crime
- typically young, well-regarded employees;
- held a wide variety of positions, although most commonly were caseworkers, clericals, or data-entry technicians;
- most were aided by co-conspirators;
- committed the criminal activity over a 6-month period, on the average;
- stole in response to a situational stress, such as personal indebtedness
- didn’t think about the consequences of their actions, or assessed the risks of getting caught as minimal
Licensing Intellectual Property
- Patent – Protection of Idea – 20 years
- Copyright – Protection of Expression – 70 years after death of inventor
- Trademark – Protection of item in Stream of Commerce – Never Expire
- Trade Secret – Kept Secret, Never Expires, Must be labeled Secret
The conspirators wrote: “I have information that’s all classified and extremely confidential, that only a handful of the top execs at my company have seen. I can even provide actual products and packaging of certain products, that no eye has seen, outside of maybe 5 top execs.”
Wassenaar Arrangement
- 40 countries have signed
- Intent is to control international security and transparency
- Buy 10 tanks from country 1, Buy 10 tanks from country 2, Buy 10 tanks from country 3
- Wassenaar prevents this
OECD – Organization for Economic Cooperation and Development
- Limits collection of personal data
- Data should be relevant
- Purposes of data should be specified
- Data should be used for purpose specified
- Data should be protected
- User should have access to their data
- User has right to be forgotten
Event – change of state
Incident – event that has potential to harm CIA
Breach – an incident that involves disclosure
Disclosure – unauthorized acquisition of personal information
Breach is an attack coming in
Disclosure is data going out
ISC2 Code of Ethics
- Protect Society
- Act Honorably
- Protect Principals
- Protect Profession
BCP – Business Continuity Program
DRP – Disaster Recovery Program, focused on restoring operability at an alternate site
Senior Leaders of each functional area need a BCP for their area
BIA – Business Impact Analysis
- Determine Criticality
- Every critical system should be evaluated
- Prioritized List of Time Critical Business Processes
- Estimate Maximum Downtime
- Determine MTD – Maximum Tolerable Downtime
- Estimates a Recovery Time Objective
- Evaluate Resource Requirements
- Determine resources required to resume operations
Vulnerability Assessments p.41
https://www.ready.gov/business-impact-analysis
Job Rotation – Moving employees from one job to the next. Could incur higher cost for training over multiple jobs, increases resilience as more people can do a specific job
Separation of Duties – No one individual should be able to execute all steps of a critical or sensitive process
Segregation of Duties – Process to protect a company against errors
Need to know / Least Privilege –
- Need to know – access to the training room
- Least Privilege – access to computer in room
Mandatory Vacation
Employee Policy
- Termination
- Retirement, layoff, quit, fired, death
- Voluntary termination – departure is agreeable to both parties
- Process needs to include return of company property, removal of access to company assets
- Exit interview
- Continued confidentiality
- Involuntary
- Either party is not agreeable, particularly the employee
Third Party Controls
- How was Target hacked
- Login credentials stolen from a third party HVAC vendor
- Critical component of control policy
- What are some ways your organization deals with third parties?
- Escorting, NDA, limited access to compute resources, vetting vendor associates
Privacy Policy
- Using computer to surf the web
- Camera in the restroom
- Policy should be stated in Information Policy or Employee Handbook
- Notify employees of any monitoring
- Ensure monitoring is lawful
- Do not target individuals
- Monitor work related activities
- Keystroke
- Camera
- Badges
- Telephone
RISK – Risk is probability of a threat causing harm by exploiting a vulnerability in the absence of a control which impacts negatively on assets
Threat Source | Motivation | Threat Actions |
Hacker | Challenge, Ego, Rebellion | Hacking, Social engineering, System intrusion, Unauthorized system access |
Computer Criminal | Destruction of information, Illegal information disclosure, Monetary gain, Unauthorized data alteration | Computer crime, Fraudulent act, Information bribery, Spoofing, Intrusion |
Terrorist | Blackmail, Destruction, Exploitation, Revenge | Bomb / Terrorism, Information warfare, System attack, System penetration, System tampering |
Risk Assessment
- 4 Steps – p52 – Prepare, Conduct, Communicate (to Sr Mgmt.), Maintain
- Includes likelihood and impact
Qualitative – committees, interviews, opinions and subjective input
Steps – Approval, Form Team, Analyze Data, Calculate Risk, Recommendations
- Requires less time, less costly
- Relative terms including high, medium, low
- Quicker process to complete
- Findings are simple in nature
- Focus is on specific vulnerabilities to the affected assets
- Values of loss are perceived and not quantified
- Vulnerabilities are rated subjectively
- Focus is on understanding the risk and often includes recommendations for mitigation based on the analyst's knowledge and expertise
- Brainstorming, storyboarding, checklists, one-on-one meetings and Delphi
- Loss of revenue – would not be considered in Qualitative?
When to use Qualitative Risk Analysis
Qualitative Risk Analysis is the entry step for risk analysis. It must be performed before quantitative risk analysis can be used. In addition it is the only way by which risks of all kinds of impact categories can be integrated into one register. So risks describing Environmental, Health and Safety, Operational, Business and Reputational Impacts can all be included in a single Project Risk Register even though they do not have a commonly quantifiable metric for impact.
Quantitative – Numeric – Loss of Revenue is Quantitative
Steps – Approval, Form Team, Review Information
- True risk assessment must include quantitative
- Each asset can have multiple risks associated with it
- Each risk must have an assessment
- Portions can be automated
- Involves complex calculations
- Requires High Volume of Information
- Requires Experience
- Include dollar ($) figures
Quantitative Pros | Qualitative Pros |
Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported. | Calculations are simple and readily understood and executed. |
The value of information is expressed in monetary terms with supporting rationale and is better understood. Thus, the basis for expected loss is better understood. | Not necessary to determine quantitative threat frequency & impact data. |
A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported. | Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit. |
– | A general indication of significant areas of risk that should be addressed is provided. |
Quantitative Cons | Qualitative Cons |
Calculations are complex. If they are not understood or effectively explained, management may mistrust the results. | Risk assessment & results are essentially subjective in both process & metrics. Use of independently objective metrics is eschewed. |
A substantial amount of information about the target information & its IT environment must be gathered. | No effort is made to develop an objective monetary basis for the value of targeted information assets. |
There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. | No basis is provided for cost/benefit analysis of risk mitigation measures. Only subjective indication of a problem. |
– | It is not possible to track risk management performance objectively when all measures are subjective. |
Terminology
- EF – Exposure Factor – Potential for Loss
- AV – Asset Value
- SLE – Single Loss Expectancy
- SLE = EF x AV
- ARO – Annualized Rate of Occurrence
- ALE – Annualized Loss Expectancy
- ALE = ARO x SLE
No countermeasure should cost more than the risk it addresses; never allow the annual cost of mitigation to exceed the ALE
- Yields results in terms of financial impact
- Emphasizes remediation based on cost of remediation vs. potential cost of loss
- All findings are expressed in monetary values, percentages, and probabilities
- Allows for more control and understanding regarding procurement and budgeting
- Requires larger organizational cooperation
- Better protection against litigation risk
- Very time intensive
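Worked example of the terminology above (SLE = EF x AV, ALE = ARO x SLE) and of the "never let mitigation cost exceed ALE" rule, plus a simple High/Medium/Low matrix for the qualitative method described earlier. This is an added illustration, not part of the original notes; the asset, dollar figures and control names are constructed.

```python
# Added worked example: quantitative (SLE/ALE) and qualitative risk rating
# with a countermeasure cost/benefit check. All figures below are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair in a risk register (quantitative inputs)."""
    asset: str
    av: float   # Asset Value in dollars
    ef: float   # Exposure Factor: fraction of AV lost per occurrence, 0.0-1.0
    aro: float  # Annualized Rate of Occurrence (0.5 = once every two years)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = EF x AV."""
        return self.ef * self.av

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle()


@dataclass(frozen=True)
class Countermeasure:
    """A control, its annual cost, and the EF/ARO it leaves behind."""
    name: str
    annual_cost: float
    ef_after: float
    aro_after: float


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """ALE that remains once the control is in place (residual risk)."""
    return Risk(risk.asset, risk.av, cm.ef_after, cm.aro_after).ale()


def control_value(risk: Risk, cm: Countermeasure) -> float:
    """Annual value of a control: (ALE before - ALE after) - annual cost.
    Negative means the mitigation costs more than the loss it prevents."""
    return risk.ale() - residual_ale(risk, cm) - cm.annual_cost


def best_countermeasure(risk: Risk, options: List[Countermeasure]) -> Optional[str]:
    """Name of the control with the highest positive value, or None when
    every option costs more than the risk (then accept or transfer instead)."""
    worthwhile = [(control_value(risk, cm), cm.name) for cm in options
                  if control_value(risk, cm) > 0]
    return max(worthwhile)[1] if worthwhile else None


# Qualitative method: relative terms only, no dollar figures.
_LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine a likelihood and an impact level into High/Medium/Low."""
    score = _LEVELS[likelihood.lower()] * _LEVELS[impact.lower()]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed scenario: a web server worth $100k, a breach wipes out 25%
    # of that value, and history suggests one breach every two years.
    web = Risk("public web server", av=100_000, ef=0.25, aro=0.5)
    options = [
        Countermeasure("WAF", annual_cost=4_000, ef_after=0.25, aro_after=0.10),
        Countermeasure("Full rebuild", annual_cost=15_000, ef_after=0.25, aro_after=0.05),
    ]
    print(f"SLE = ${web.sle():,.0f}, ALE = ${web.ale():,.0f}")
    for cm in options:
        print(f"{cm.name}: residual ALE ${residual_ale(web, cm):,.0f}, "
              f"annual value ${control_value(web, cm):,.0f}")
    print("Recommend:", best_countermeasure(web, options))
    print("Qualitative rating (high likelihood, medium impact):",
          qualitative_rating("high", "medium"))
```

With these constructed numbers the SLE is $25,000 and the ALE $12,500; the WAF option leaves $2,500 of residual ALE for $4,000 a year and is worth adopting, while the $15,000 rebuild costs more than the ALE it removes and would be rejected under the rule above.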
Risk Assignment –
- RAAT – Reduce, Accept, Avoid, Transfer
- Reduce (Mitigate) – eliminate, or significantly decrease, risk
- Avoid – disconnect the activity
- Accept – live with it
- Transfer – passing to another entity, such as buying insurance
- Cannot transfer ownership of risk, car insurance will cover financial damage, not criminal charges
- Residual Risk – Risks left after controls are implemented
Senior Management owns ALL risks
Data owners or custodians should assist in identifying risks
Frameworks
- COSO
- Relate these terms: Control, Risk, Information, Monitoring
- ITIL
- Service Catalog
- Total Quality Management
- COBIT
- ISO 27000
- Code of Practice
- Best Practices
- ISO 17799/BS7799 – Initially a British Specification
Threat and Vulnerabilities
- Threat – something that might happen
- Vulnerability – an inherent weakness, flaw that can be exploited
Threat Sources
- Human – attackers, malicious insiders, loss of personnel, unintentional errors
- Nature – Natural disasters, Fire is a natural issue
- Technical – hardware, software, unauthorized use, malicious code
- Physical –
- Environmental – hazardous waste, biological agent
- Operational – manual or automated process that affects CIA
Implementation
Security Architect
- What framework for reference
- Who are the stakeholders
- What are the Single Points of Failure (SPOF)
Security Practitioner
- Who are the end users
- How does this integrate into my existing network
- Why am I only being given ‘x’ amount to get this done
Security Operations
- What metrics can be used to manage
- Who do I need to partner with
- How will communications go out
Controls
- Directive – No Trespassing
- Security policies, procedures
- Deterrent – Beware of Dog, The “Club”
- Easier to obey rather than risk consequences
- Preventative – Locked Door
- System controls that force users to obey
- Compensating – Substitute for the loss of a primary control
- Layer SSL over an application that doesn’t support encryption
- Detective – Logs
- Warn when something has happened
- Earliest point in post-incident
- Corrective –
- Return the environment to a secured state
- Recovery –
Control Types
- Physical – Protect People and physical environment
- Operational, security zones (hills, ditches, retention walls, fences, concrete posts), cameras, locks
- Administrative – Human interaction, manage people, user credentials, privilege access, monitoring activity
- Technical – Also known as Logical / System / software related, VLANs, firewall, VPN, cryptography
Control Assessment
Vulnerability Assessment – Look for documented issues,
- Automated tools to scan for issues
- Remove false positives
- Rate vulnerability on scale (high, medium, low) or 1-5
- Discuss with system owners
Controls are not part of the RISK.
Penetration
- Simulate an attack on a system
- Exploit known issues
- External – Network perimeter, Internet
- Internal – Test for exploits once inside the perimeter
- Blind – test using publicly available information, defenders are aware of attack
- Double blind – blind test with defenders unaware
- Black Box – Zero Knowledge – Basic blind testing
- Partial Knowledge – Basic, usually public, information is provided.
- Would be available to attacker anyway, saves time and allows attacker to focus on vulnerabilities
- Allows boundaries to be defined
- Full Knowledge – Determines full extent of vulnerabilities once penetrated
Methodology
- Reconnaissance – Planning
- Enumeration – What can I find
- Vulnerability Analysis – What is running / open
- Execution – What is attackable
- Document Findings –
Other types of Tests
DDOS
War Dialing – Are Modems / Faxes still in Use
Wireless Networking – How far does the SSID extend
Social Engineering – Who remembers AOL – http://www.social-engineer.org/framework/general-discussion/categories-social-engineers/hackers/
It is notable to mention that social engineering is becoming a common element of malicious attackers. As this framework will outline, the malicious social engineer will have many tools in their arsenal and many attack vectors at their fingertips. Attackers know that most of the time an employee either doesn’t realize they are doing something wrong; or doesn’t understand the value of the information they are disclosing. It is this naivety that creates a perfect atmosphere for a breach. The only way to protect against these attacks, is to create a security-minded culture within your business or organization through continual education and training.
From the social-engineer.org framework (linked above)
Pretexting – Using an invented scenario
Phishing – e-mail
Baiting – Infected USB drive
Tailgating –
PBX, IP Telephony – Badir Brothers –
People are weakest link
Motivation – help community, verifying skills, recognition of skills, financial gain
Asset Valuation
Tangible Assets – Good to use Quantitative estimates
Intangible Assets – Quantitative or Qualitative
Exclusive Possession
Liability
Operational Impact
Security / Awareness Training
Training is the easy answer
Other
Management Team
Ultimately responsible for security of all systems in an organization
Primarily responsible for failures of a CSIRT
Weakest link in a security system
People
Terrorism Attacks
Military and intelligence attacks – perpetrated by criminals, traitors, seeking classified law enforcement or military information.
Financial attacks – Banks, large corporations, and e-commerce sites motivated by greed.
Business attacks – Competitive intelligence gathering, denial of service, and other computer- related attacks.
Lack of expertise: Despite heightened security awareness, a shortage of qualified security professionals still exists, particularly in private enterprise.
Lack of resources: Businesses often lack the resources to prevent, or even detect, attacks against their systems.
Lack of reporting or prosecution: Because of public relations concerns and the inability to prosecute computer criminals due to either a lack of evidence or a lack of properly handled evidence, the majority of business attacks still go unreported.
Grudge attacks – take revenge against a person or organization. A disgruntled employee, for example, may steal
“Fun” attacks – thrill seekers and script kiddies who are motivated by curiosity or excitement.
According to the Internet Advisory Board, the following are unethical:
- seek to gain unauthorized access to the resources of the Internet,
- disrupt the intended use of the Internet,
- waste resources (people, capacity, computer) through such actions,
- destroy the integrity of computer-based information
- compromise the privacy of users.