Things To Remember

Domain 1: Security & Risk Mgmt

Governments tend to prioritise confidentiality; private companies often favour availability.

DAD is the inverse of CIA:
Disclosure is the inverse of Confidentiality
Alteration is the inverse of Integrity
Destruction is the inverse of Availability

Operational Technology systems (PLCs, SCADA) tend to prefer availability, then integrity, then finally confidentiality – AIC triad.

Accountability (and security in general) must be legally defensible

Protection mechanisms include layering, abstraction, data hiding.

Strategic plan: ~5 yrs (update annually)
Tactical plan: 6-12 mths
Operational plan: short term, highly focused (update mthly/qtly)

Policies can be organisational, issue-specific or system specific.
Policies can be regulatory (req’d by industry or legal standards), advisory (define acceptable behaviours/activities & consequences of violations) or informative.
Most policies are advisory.
Advisory/informative does not mean optional – all policies are compulsory.

Due care & due diligence

Due care – doing the right thing; Prudent Man rule; senior mgmt ultimately responsible
Due diligence – practicing activities to maintain due care

Classification scheme implementation steps

  1. Identify custodian; define their responsibilities
  2. Specify evaluation criteria (how information will be classified & labelled)
  3. Classify & label each resource (owner conduct, supervisor reviews)
  4. Document any exceptions discovered to the classification policy; update evaluation criteria
  5. Select controls to be applied to each classification level
  6. Specify procedures for declassifying resource, as well as for transferring to an external party
  7. Enterprise-wide awareness of classification system

Note that marking of hardware assets (computers, backups) with classification labels is commonplace and good security practice.

Some DLP tools can automatically apply protection based on labels applied by users (e.g. to email messages).

Military classification scheme

U.S. Can Stop Terrorism
Unclassified
Sensitive (SBU)
Confidential [would cause damage]
Secret [would cause serious damage]
Top Secret [would cause exceptionally grave damage]

Classified = Confidential (lowest), Secret, Top Secret (highest)

A classification authority is the entity that applies the original classification to sensitive data. In the US, only the president, vice president, and agency heads can classify data (although they can delegate this permission to others).

Private sector classification scheme

Public
Sensitive
Private (personal info of employees)
Confidential

“Sensitive” label can mean different things in different organisations (no prescribed single classification scheme for private sector), but for the exam: sensitive refers to any information that isn’t public or unclassified.

Data classifications are typically defined within security policies or data policies.

Sensitivity vs criticality

  • Sensitivity describes the amount of damage that would be done should the information be disclosed – i.e. concerned with confidentiality.
  • Criticality describes the time sensitivity of the data – i.e. concerned with availability.

Security roles

Senior Manager (organisational owner) – responsible for due care & due diligence
Security Professional (infosec officer) – delegated tasks such as writing & implementing policy (not decision making)
Data Owner – responsible for classifying info (typically a manager)
Data Custodian – delegated task of implementing protection defined by policy
User – follows policy
Auditor – reviews & verifies policy

Threat modelling

Proactive (defensive) approach: predict threats and build defences into design – more cost effective, but not all threats can be foreseen
Reactive (adversarial) approach: respond to threats/vulnerabilities as discovered (e.g. by pen testing, source code review or fuzz testing)

SD3+C

“Secure by Design, Secure by Default, Secure in Deployment + Communication” (Microsoft)
Aims to reduce vulnerabilities and reduce impact of any that remain.

Identifying threats

Focused on assets, focused on attackers or focused on software.

STRIDE

Microsoft again!

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privileges

PASTA

  • DO: Define Objectives
  • DTS: Define Technical Scope
  • ADA: Application Decomposition & Analysis
  • TA: Threat Analysis
  • WVA: Weakness & Vulnerability Analysis
  • AMS: Attack Modelling & Simulation
  • RAM: Risk Analysis & Management

Objectives -> scope -> app analysis -> threats -> weaknesses -> attacks -> risks

Other threat modelling concepts

Trike: Risk-based approach.
VAST: Visual, Agile & Simple Threat.

Reduction analysis/decomposition

Key concepts:

  • Trust boundaries
  • Data flow paths
  • Input points
  • Privileged operations
  • Details about security stance & approach

Prioritisation & response

Probability * Damage Potential: Score both from 1-10, multiply for total score of 1-100
High, Medium, Low

DREAD:

  • Damage potential
  • Reproducibility
  • Exploitability
  • Affected users
  • Discoverability
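The two ranking schemes above (Probability × Damage Potential on a 1–100 scale, and DREAD) as a worked example. This is an added illustration, not code from the study guide; the conventions the notes leave open are assumptions here: every factor is scored 1–10, a threat's DREAD rating is the mean of its five factors, the High/Medium/Low cut-offs are constructed, and the sample threats come from a hypothetical web-application threat model.

```python
"""Threat ranking for the "Prioritisation & response" notes.

Added illustration, not code from the study guide. Conventions that the notes
leave open are assumptions here: each factor is scored 1-10, a threat's DREAD
rating is the mean of its five factors, and the High/Medium/Low cut-offs are
constructed for this example.
"""
from dataclasses import dataclass


def _check_score(name, value):
    """All factors are scored on a 1-10 scale."""
    if not 1 <= value <= 10:
        raise ValueError(f"{name} must be 1-10, got {value!r}")
    return value


def probability_damage_score(probability, damage_potential):
    """Probability * Damage Potential: two 1-10 scores, product in 1-100."""
    return (_check_score("probability", probability)
            * _check_score("damage_potential", damage_potential))


def bucket_1_to_100(score):
    """Assumed cut-offs: top third High, middle third Medium, rest Low."""
    if score >= 67:
        return "High"
    if score >= 34:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Dread:
    """One DREAD assessment; each field is a 1-10 score."""
    damage_potential: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        for name, value in vars(self).items():
            _check_score(name, value)

    def score(self):
        """Mean of the five factors (assumed convention), so also 1-10."""
        return sum(vars(self).values()) / 5


def bucket_dread(score):
    """Assumed cut-offs on the 1-10 DREAD mean."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Return (name, dread_score, bucket) tuples, highest rated first."""
    ordered = sorted(threats.items(), key=lambda item: item[1].score(), reverse=True)
    return [(name, d.score(), bucket_dread(d.score())) for name, d in ordered]


# Constructed sample threats from a hypothetical web-application threat model
SAMPLE_THREATS = {
    "SQL injection in login form": Dread(9, 10, 8, 10, 8),
    "Verbose stack trace on error page": Dread(3, 10, 6, 4, 7),
    "Timing side channel in password compare": Dread(5, 3, 2, 10, 1),
}

if __name__ == "__main__":
    print("P x D for (8, 9):", probability_damage_score(8, 9), bucket_1_to_100(72))
    for name, score, bucket in rank_threats(SAMPLE_THREATS):
        print(f"{bucket:<6} {score:4.1f}  {name}")
```

Whatever cut-offs an organisation picks, the point of both schemes is the same: make the ordering repeatable, so two analysts rating the same threat land in the same bucket and the response effort goes to the top of the list first.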

SSAE/SOC audits

  • SSAE 18 replaced SSAE 16 in 2017
  • SOC-1 audit: internal controls over financial reporting
  • SOC-2 audit: assesses CIA of security controls (shared under NDA)
  • SOC-3: same as SOC-2, but publicly available

(ISC)2 canons

To be applied in order (remember longest to shortest):

  • Protect society, the commonwealth & the infrastructure
  • Act honourably, honestly, justly, responsibly & legally
  • Provide diligent & competent service to principals
  • Advance & protect the profession

Privacy definitions

  • Active prevention of unauthorised access to PII
  • Freedom from unauthorised access to information deemed personal or confidential
  • Freedom from being observed, monitored or examined without consent or knowledge

Quantitative RA

SLE = AV * EF
ALE = SLE * ARO

Cost Benefit Analysis:
Value = ALE before safeguard – ALE after safeguard – annual cost of safeguard

Residual risk = the risk that remains once the cost of applying further countermeasures would exceed the estimated loss resulting from the threat/vulnerability
Controls gap = amount of risk reduced by implementing controls
TOTAL RISK – CONTROLS GAP = RESIDUAL RISK
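The SLE/ALE formulas, the cost-benefit value of a safeguard and the total/controls-gap/residual relationship above, carried through on one scenario. This is an added worked example, not code from the study guide; the asset value, exposure factors, ARO and safeguard figures are constructed, and EF is written as a fraction between 0 and 1.

```python
"""Quantitative risk analysis: SLE, ALE, safeguard cost/benefit, residual risk.

Added worked example for the "Quantitative RA" notes, not from the study
guide. The asset value, exposure factors, ARO and safeguard figures are
constructed; EF is expressed as a fraction between 0 and 1.
"""
from dataclasses import dataclass


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy = AV * EF."""
    if not 0 <= exposure_factor <= 1:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annualised Loss Expectancy = SLE * ARO."""
    return sle(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    ef_after: float   # exposure factor once the safeguard is in place
    aro_after: float  # annualised rate of occurrence once it is in place


def safeguard_value(asset_value, ef_before, aro_before, safeguard):
    """Cost/benefit: ALE before safeguard - ALE after safeguard - annual cost.

    A positive value means the safeguard saves more than it costs.
    """
    before = ale(asset_value, ef_before, aro_before)
    after = ale(asset_value, safeguard.ef_after, safeguard.aro_after)
    return before - after - safeguard.annual_cost


def controls_gap(asset_value, ef_before, aro_before, safeguard):
    """Amount of annualised risk removed by the safeguard."""
    return (ale(asset_value, ef_before, aro_before)
            - ale(asset_value, safeguard.ef_after, safeguard.aro_after))


def residual_risk(total_risk, gap):
    """TOTAL RISK - CONTROLS GAP = RESIDUAL RISK."""
    return total_risk - gap


def rank_safeguards(asset_value, ef_before, aro_before, safeguards):
    """(name, value) pairs, best value first; negative values are not cost-justified."""
    scored = [(s.name, safeguard_value(asset_value, ef_before, aro_before, s))
              for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: an order-processing server facing a ransomware threat
ASSET_VALUE = 500_000.0
EF_BEFORE = 0.6     # 60% of the asset's value lost in a single incident
ARO_BEFORE = 0.5    # expected once every two years
CANDIDATES = [
    Safeguard("Offline backups with tested restores", 20_000.0, ef_after=0.1, aro_after=0.5),
    Safeguard("Endpoint detection and response", 40_000.0, ef_after=0.6, aro_after=0.1),
    Safeguard("Fully mirrored hot site", 200_000.0, ef_after=0.05, aro_after=0.5),
]

if __name__ == "__main__":
    total = ale(ASSET_VALUE, EF_BEFORE, ARO_BEFORE)
    print(f"SLE {sle(ASSET_VALUE, EF_BEFORE):,.0f}  ALE {total:,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{value:>12,.0f}  {name} ({verdict})")
    gap = controls_gap(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES[0])
    print(f"Residual risk with backups: {residual_risk(total, gap):,.0f}")
```

Note which lever each safeguard pulls: backups lower EF (less is lost per incident), detection lowers ARO (fewer incidents), and the hot site is rejected not because it is ineffective but because its annual cost exceeds the loss it prevents, which is exactly the residual-risk definition above.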

Controls

Compensating: substitute for loss of primary controls
Corrective: mitigate damage (e.g. backups)
Recovery: restore to normal after incident

Functional order: Deter -> Deny -> Detect -> Delay

BCM/BCP

Business continuity planning processes [EXAM]

  1. Project scope & planning
    • Acquire BCP policy stmt from senior mgmt
    • Business Organisational Analysis (BOA) [EXAM]
      • helps identify potential BCP team members and provides the foundation for the remaining processes
      • evaluates depts responsible for core services, as well as critical support services such as IT, physical security, facilities & maintenance
      • identifies senior execs and other key individuals essential for the ongoing viability of the organisation
    • BCP team creation – include: [EXAM]
      • a project mgr
      • representation from senior mgmt, IT, InfoSec, HR, PR, legal & core services depts identified in BOA
      • a representative from each of the functional areas identified by the BOA
    • Assessment of resources (and commitment from snr mgmt to support the BCP process)
    • Analysis of legal & regulatory landscape [EXAM]
      • including due diligence to protect shareholder interests, contractual requirements with clients, and any industry-specific laws/regulations that mandate specific BCP procedures
  2. Business impact assessment
  3. Continuity planning
  4. Approval & implementation

Business Impact Assessment (BIA)

  • Identifies critical resources, and the threats posed to them
  • Assesses likelihood of each threat occurring, and the impact this would have
  • Provides measures to help prioritise the commitment of resources
  • Quantitative vs qualitative
  • Remember to include any cloud vendors on which the organisation relies
    • Contract is not sufficient due diligence
    • Need to verify sufficient controls are in place – often not possible to perform a site visit, so many cloud providers can provide a SOC-2 or SOC-3 report (SOC-1 reports don’t work as they are for internal financial controls only!)
  • Steps of BIA: [EXAM]
    1. Identify business priorities (criticality prioritisation)
      • Start with a qualitative list, ordered by priority
      • Assign quantitative AV (asset value) to each asset
      • Calculate MTD for each business function, and decide upon an achievable RTO (that is less than the MTD)
    2. Risk identification
      • Natural, e.g. earthquakes, hurricanes, tornadoes, storms
      • Man-made e.g. terrorism, theft/vandalism, arson, service provider outages
      • This stage is purely qualitative
    3. Likelihood assessment
      • Assign ARO to each risk
      • Expert advice is sometimes available for free, e.g. USGS earthquake hazard map
      • Your insurance company may be able to share some of the risk likelihood information they have compiled
    4. Impact assessment
      • Assign EF to each asset (e.g. percentage of the facility that will be lost if there is a fire)
      • Calculate the SLE (AV * EF) and ALE (SLE * ARO) for each risk
      • Difficult to put dollar values on qualitative aspects such as loss of goodwill among client base, employee attrition & negative publicity, but important to do so at this quantitative stage so they don’t get lost or forgotten, and can be included in the next (and final) stage
    5. Resource prioritisation
      • Sort the list of risks analysed during the BIA process in descending order by ALE
      • Select as many items as you’re willing and able to address simultaneously, and work your way down until you run out of risks (unlikely!) or resources (much more likely!)
      • Merge the list with the results of any qualitative concerns identified in the BIA (an art, not a science – relies on expertise of BCP team & input of senior mgmt)
      • Qualitative concerns may justify elevating or lowering the priority of risks that are already on the ALE-sorted quantitative list.
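The BIA steps above (AV per function, EF and ARO per risk, SLE/ALE, the ALE-sorted list, the qualitative merge, and the RTO-less-than-MTD rule) run end to end on a small constructed data set. This is an added example, not code from the study guide; all business functions, risks and figures are constructed, and the qualitative-merge convention (a +1/−1 tier that takes precedence over pure ALE order) is an assumption of this example.

```python
"""Business Impact Assessment: ALE per risk, ALE-ranked prioritisation,
qualitative adjustments and an RTO-vs-MTD check.

Added example for the BIA steps in the notes, not from the study guide.
All business functions, risks and figures are constructed, and the
qualitative-adjustment convention (a +1/-1 tier that overrides pure ALE
order) is an assumption of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    asset_value: float   # AV, in currency units
    mtd_hours: float     # Maximum Tolerable Downtime
    rto_hours: float     # Recovery Time Objective the team committed to


@dataclass(frozen=True)
class Risk:
    description: str
    function: BusinessFunction
    exposure_factor: float     # EF as a fraction 0-1
    aro: float                 # Annualised Rate of Occurrence
    qualitative_tier: int = 0  # +1 elevate / -1 lower after qualitative review

    @property
    def sle(self):
        return self.function.asset_value * self.exposure_factor

    @property
    def ale(self):
        return self.sle * self.aro


def rto_violations(functions):
    """Step 1: RTO must be less than MTD; return the functions that break this."""
    return [f.name for f in functions if not f.rto_hours < f.mtd_hours]


def rank_by_ale(risks):
    """Step 5, quantitative part: descending ALE."""
    return [r.description for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def merge_qualitative(risks):
    """Step 5, qualitative merge: tier first, then ALE within a tier."""
    ordered = sorted(risks, key=lambda r: (r.qualitative_tier, r.ale), reverse=True)
    return [r.description for r in ordered]


def select_for_treatment(risks, capacity):
    """Work down the merged list until the team runs out of capacity."""
    return merge_qualitative(risks)[:capacity]


# Constructed sample data
ORDERS = BusinessFunction("Order processing", 2_000_000.0, mtd_hours=24, rto_hours=8)
PAYROLL = BusinessFunction("Payroll", 400_000.0, mtd_hours=168, rto_hours=48)
WEBSITE = BusinessFunction("Marketing website", 150_000.0, mtd_hours=72, rto_hours=96)
FUNCTIONS = [ORDERS, PAYROLL, WEBSITE]

RISKS = [
    Risk("Flood at primary data centre", ORDERS, exposure_factor=0.8, aro=0.02),
    Risk("Ransomware on order database", ORDERS, exposure_factor=0.5, aro=0.3),
    Risk("Payroll SaaS provider outage", PAYROLL, exposure_factor=0.25, aro=1.0),
    # Low ALE, but negative publicity makes the team elevate it
    Risk("Website defacement", WEBSITE, exposure_factor=0.2, aro=0.5, qualitative_tier=1),
]

if __name__ == "__main__":
    print("RTO >= MTD:", rto_violations(FUNCTIONS))
    for r in sorted(RISKS, key=lambda r: r.ale, reverse=True):
        print(f"{r.ale:>12,.0f}  {r.description}")
    print("Merged order:", merge_qualitative(RISKS))
    print("Address now:", select_for_treatment(RISKS, capacity=2))
```

The website function fails the RTO check on purpose: a 96-hour recovery target against a 72-hour MTD is the kind of inconsistency step 1 is meant to surface before any money is spent on strategy development.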

Continuity planning steps [EXAM]

  • Strategy development
    • Bridges gap between BIA and continuity planning phases
    • Take the output of the BIA resource prioritisation process and decide which risks will be addressed by the BCP
    • Look at MTD estimates created earlier, and determine which risks are deemed acceptable
    • Determine which risks require mitigation, and the level of resources that will be committed to each mitigation task
  • Provisions & processes
    • The meat of the entire BCP
    • BCP team designs the specific procedures and mechanisms to mitigate risks that were deemed unacceptable during the previous phase
    • Covers three categories of assets:
      • People
        • Human safety is always the first priority, including before, during and after an emergency
        • Next you must make provisions to allow your employees to conduct their BCP & operational tasks in as normal a manner as possible
        • Think about arrangements for shelter and food, if your BCP requires people to be present in the workplace for extended periods – maintain stockpiles & rotate to prevent spoilage
      • Buildings & facilities
        • Many businesses require specialised facilities such as offices, manufacturing plants, warehouses etc
        • BCP should outline hardening provisions: mechanisms & procedures that can be put in place to protect your facilities against the risks identified in the strategy development phase. Examples range from patching a leaky roof to installing hurricane shutters & fireproof walls.
        • In the event that it’s not feasible to harden a facility against a risk, your BCP should identify alternate sites where business activities can resume (immediately, or at least within a period shorter than the MTD for all critical functions)
      • Infrastructure
        • Every business depends on some sort of infrastructure for its critical processes – often IT in the form of systems that process orders, manage the supply chain and perform other business functions, as well as the communications backbone
        • The BCP must address how these systems will be protected against risks identified during the strategy development phase
        • As with buildings, there are two main methods of providing this protection:
          • Physically hardening systems by introducing protective measures such as fire suppression and UPS
          • Introducing alternative systems to provide redundancy (either redundant components or completely redundant systems/comms links)
        • Applies to whatever infrastructure components serve your critical processes – transportation, utilities, banking systems etc. – not just IT
  • Plan approval
    • Plan should be approved by highest level executive possible – ideally the CEO
    • Demonstrates the importance of the plan to the entire organisation, and gives it greater credibility with other senior managers
  • Plan implementation
  • Training & education
    • should include a plan overview for all staff, and specific training for individuals with direct or indirect involvement in the BCP

BCP documentation

Committing your BCP methodology to paper is critical, and provides several important benefits:

  • Ensures that BCP personnel have a written document to reference in the event of an emergency, regardless of the availability of senior BCP members
  • Provides a historical record of the BCP process that will be useful to future personnel seeking to understand the reasoning behind various procedures, and implement necessary changes in the plan
  • Forces the team members to commit their thoughts to paper in a clear form, which often reveals flaws in the plan – it also allows draft documents to be distributed outside of the BCP team for a “sanity check”

Some important elements of a written BC plan include:

  • Continuity planning goals
    • To be decided at (or before) the first BCP team meeting
    • Likely to remain unchanged throughout the life of the BCP
    • Most common goal is simply to ensure the continuous operation of the business in the face of an emergency situation
    • Other goals may be included to meet organisational needs
  • Statement of importance
    • Commonly takes the form of a letter to the organisation’s employees stating the reason that the organisation devoted significant resources to the BCP development process, and requesting the cooperation of all personnel in the BCP implementation phase
    • This is where senior exec buy-in comes into play: ideally this letter should be signed by the CEO
  • Statement of priorities
    • Flows directly from the “identify priorities” element of the BIA
    • Simply involves listing critical functions, ordered by priority
  • Statement of organisational responsibility
    • Also comes from a senior-level exec and can be incorporated in the same letter as the statement of importance
    • Basically echoes the statement that “BC is everyone’s responsibility!”
  • Statement of urgency & timing
    • Expresses the criticality of implementing the BCP
    • Outlines the implementation timetable decided upon by the BCP team and agreed by upper mgmt
    • Can be included in the same letter as the statement of importance & statement of organisational responsibility, in which case the timetable should be included as a separate document
  • Risk assessment
    • Summarises the decision-making process undertaken during the BIA
    • Should include a discussion of all the risks considered, as well as the quantitative & qualitative analyses performed against them
      • including actual AV, EF, ARO, SLE & ALE figures, for the quantitative analysis
      • the thought process behind the quantitative analysis should also be provided
    • This section must be updated on a regular basis because it reflects a point-in-time assessment
  • Vital records program
    • Document outlining where critical business records will be stored, and the procedures for making & storing backups
    • One of the biggest challenges in implementing a VRP is identifying the vital records in the first place!
    • Ask functional leaders what they would need if they were to rebuild the organisation from scratch, forcing them to visualise the actual process and walk through the steps in their mind
  • Emergency response guidelines
    • Outline the organisation & individual responsibilities for immediate response to an emergency situation, including:
      • Immediate response procedures (security & safety procedures, fire suppression procedures, notification of emergency response agencies etc)
      • List of individuals to be notified of the incident (execs, BCP team members etc)
      • Secondary response procedures that first responders should take while waiting for BCP team to assemble
    • Should be easily accessible to everyone in the organisation who may be first responders in a crisis incident – when disaster strikes, time is of the essence, and any delay in activating your BC procedures may lead to undesirable downtime for your business operations
  • Maintenance
    • BCP documentation and the plan itself must be living documents
    • BCP team should not be disbanded after plan is developed; they should meet periodically to discuss, review & update the plan
    • Minor changes can be made by unanimous consent, but drastic changes to an organisation may require starting the full BCP development process from scratch
    • Practice good version control and ensure all older versions of the BCP in existence are physically destroyed & replaced
  • Testing & exercises
    • A formalised exercise program should be outlined in the BCP documentation.

Note on overall BCP resource requirements

  • BCP Development: The major resource consumed by this phase will be effort expended by members of the BCP team and supporting staff.
  • BCP Testing, Training & Maintenance: Will require some hardware & software commitments, but again the major commitment in this phase will be effort on the part of the employees involved in these activities.
  • BCP Implementation: A full implementation of the BCP (i.e. when disaster strikes) will require significant resources, including a large amount of effort and the utilisation of hard resources (primarily funding but possibly also hardware/software, other goods and even buildings)

Types of BC/DR test

  • Checklist: Copies of plans distributed to different departments; functional managers review.
  • Structured walkthrough: Representatives of each dept go over the plan; think “read–through”; also known as table-top test
  • Simulation test: Going through an imaginary disaster scenario, stop short of actual relocation to alternate site.
  • Parallel test: Systems moved to an alternate site; a portion of processing takes place there
  • Full-interruption test: Original site is shut down and all processing is moved to the alternate facility.

Laws

Criminal vs civil

  • In the US, both types of law are enacted in the same way (House of Representatives & the Senate) and must comply with the Constitution
  • At the federal level, both types of law are embodied in the United States Code (USC)
  • Major difference is in how they are enforced – in civil matters, law enforcement authorities are normally not involved (beyond taking action necessary to restore order)
  • In civil law, the plaintiff must file a lawsuit against the defendant
  • Administrative law, published in the Code of Federal Regulations (CFR), is a third type of law dictating the day-to-day operations of government agencies – from procurement procedures to immigration policies
  • Info sec professionals must have a basic working knowledge of laws & regulations, but if in doubt, call an attorney!

Specific laws

  • Comprehensive Crime Control Act (CCCA, 1984) – first law against computer crime
    • Unauthorised access of classified info
    • Cause malicious damage to a federal system >$1000
    • Modify medical resources
  • Computer Fraud & Abuse Act (CFAA, 1986)
    • Amendment to CCCA
    • Increased damage threshold to $5000
    • Scope increased widely from “federal systems” to “federal interest computers”
    • Often criticised as over-broad – can be interpreted to criminalise violation of a website’s ToS
    • 1994 additions (Computer Abuse Amendments Act): outlawed creation of malicious code, and extended the scope of the law to cover all systems used in interstate commerce
    • 1996 additions (National Information Infrastructure Protection Act): now covers international as well as interstate commerce, extends protections to national infrastructure such as railways, gas pipelines, electrical grids and telecoms circuits, and treats any acts that deliberately or recklessly damage these as a felony
    • Further amendments in 1996, 2001, 2002 & 2008
  • Federal Information Security Management Act (FISMA, 2002):
    • Requires federal agencies to implement an InfoSec program, including:
      • Risk assessments
      • Policies & procedures
      • Awareness training
      • Testing, evaluation & remediation
      • Procedures for managing security incidents
      • Continuity of operations plans & procedures
      • IS program must include activities of contractors
    • Repealed & replaced Computer Security Act (1987) and Government Information Security Reform Act (2000)
    • Developed by NIST
  • Federal Cybersecurity Laws of 2014
    • Confusingly-named Federal Information Security Modernization Act – centralised cybersec responsibility within the Department of Homeland Security [DHS] (except defence-related which remains with the Secretary of Defense, and intelligence-related with the Director of National Intelligence)
    • Cybersecurity Enhancement Act – gives NIST responsibility for coordinating nationwide work on voluntary cybersecurity standards (800 series of Special Publications, and the NIST CPF: Cybersecurity Policy Framework)
    • National Cybersecurity Protection Act: required the DHS to establish a national cybersecurity & comms integration centre to serve as the interface between federal agencies & civilian organisations for sharing cybersec risks, incidents, analysis & warnings
  • Paperwork Reduction Act (1995)
    • Requires approval before requesting info from public
    • Enacted by Office of Management and Budget (OMB)
  • Uniform Computer Information Transaction Act (UCITA)
    • Law against breach of licence agreements (e.g. EULAs)
  • Federal Sentencing Guidelines (1991)
    • Formalised prudent man rule (senior execs take personal responsibility)
    • Organisations can minimise punishment if they can prove they exercised due diligence
    • Outlines burdens of proof for negligence

Import/export

  • International Traffic in Arms Regulations (ITAR)
    • Controls export of items specifically designated as military & defence items
    • Includes technical information relating to those items
    • Items covered appear on the US Munitions List (USML)
  • Export Administration Regulations (EAR)
    • Cover a broader set of items that are designed for commercial use but may have military applications (including an entire category of infosec products)
    • Items covered appear on the Commerce Control List (CCL) maintained by US Dept of Commerce
  • Export of high-performance computing systems from the US is currently allowed to virtually any country without prior government approval (exceptions include Cuba, Iran, North Korea, Sudan & Syria)
  • Export of even relatively low-grade encryption was virtually impossible under previous regulations, but retail and mass-market security software may now be freely exported after a review by the Commerce Dept

Privacy-focused laws & regulations

Laws & regulations differ but typically a primary requirement is that the collection of data must be limited to only what is needed. Also, data should be obtained by lawful & fair methods, and with the knowledge and/or consent of the individual.

  • HIPAA + HITECH (health)
    • Not just for healthcare providers such as doctors/hospitals; any employer that provides (or supplements) healthcare policies handles PHI, and since US employers commonly provide/subsidise healthcare, HIPAA applies to a large percentage of organisations in the US
    • HITECH requires a written contract agreement known as a BAA (business associate agreement) for organisations who handle PHI on behalf of a HIPAA-covered entity, and also introduces new data breach notifications (notify affected individuals, and if affecting >500 individuals, also the Secretary of Health & Human Services + the media)
  • All states (apart from Alabama & North Dakota) have data breach notification laws modelled on those first introduced in California in 2002
  • GLBA (financial)
    • GLBA relaxed governmental barriers between financial institutions, but includes limitations on the types of information that could be exchanged (even between subsidiaries), and also requires institutions to provide written privacy policies to all their customers
  • FERPA (education)
    • applies to any educational institution accepting federal govt funding
    • parents/students have right to inspect/correct educational records
    • schools may not release personal information without written consent (with certain exceptions)
  • COPPA (children’s online privacy)
    • websites must have a privacy notice
    • parents must be able to review any information on their children, and have the right to permanently delete it
    • parents must give consent to collection of info about children <13
  • CalOPPA (California Online Privacy Protection Act 2003, amended 2014)
    • First US state law requiring commercial websites/online services to include a privacy policy on their website
    • Applies to any service that collects personal information on California residents – in effect, potentially applies to any website in the world that collects personal information (since if it’s available on the Internet, California residents can access it)
    • Most states now have a similar state law deriving from CalOPPA
  • PIPEDA (Personal Information Protection & Electronic Documents Act, Canada)
  • EU DPD
    • Processing of data must meet one of the following criteria:
      • Consent
      • Contract
      • Legal obligation
      • Vital interest of the data subject
      • Balance between interests of data holder & data subject
    • Outlines key rights of individuals (data subjects):
      • Right to access the data
      • Right to know the data’s source
      • Right to correct inaccurate data
      • Right to withhold consent to process data in some situations
      • Right of legal action should these rights be violated
    • Even organisations outside Europe must consider these rules due to trans-border data flow requirements
    • US businesses doing business in Europe can obtain protection under the Privacy Shield agreement between the EU and the US that allows the Department of Commerce & the Federal Trade Commission (FTC) to certify businesses that comply with regulations
      • Replaces the invalidated “safe harbor” agreement between the US and the EU
      • Privacy Shield requirements [EXAM]
        • Notice: Inform individuals about the purpose for which data is collected & used.
        • Choice: Offer an opportunity to opt out.
        • Security: Take reasonable precautions to protect data.
        • Data Integrity & Purpose Limitation: Only collect data that is needed for processing purposes identified in the Notice. Take reasonable steps to ensure that personal data is accurate, complete & current.
        • Access: Individuals must have access to their data, and the ability to correct, amend or delete when inaccurate.
        • Recourse, Enforcement & Liability: Implement mechanisms to ensure compliance with the principles and provide means to handle individual complaints.
      • There is also a Swiss-US Privacy Shield
      • Both programs are administered by the US Department of Commerce and organisations can self-certify by means of a lengthy questionnaire.
  • GDPR
    • Replaces EU DPD
    • Now applies to all organisations who collect data from residents in the EU (or process information on their behalf)
    • Some key provisions include:
      • Breaches to be notified within 24 hours
      • Centralised data protection authorities
      • Individuals have the right to access their own data
      • Data portability between service providers
      • Right to be forgotten
    • Companies that violate GDPR privacy rules are liable for fines of up to 4% of global revenue
    • Encryption, pseudonymisation & anonymisation can reduce or remove the requirements of GDPR
      • Pseudonymisation is similar to tokenisation, and involves replacing personal data (such as names) with artificial identifiers. These identifiers point to the real data held in a different location, so the process is reversible.
      • Anonymisation, if done effectively, means that GDPR no longer applies, however data is difficult to truly anonymise and protect from data inference techniques.
        • Consider a database containing a table of actors, a table of films, and a table of payments for each actor. These are linked, so you can see which actors appeared in which films, and how much each actor was paid.
        • You could anonymise the actors table to remove the actor’s names, but it’s still relatively easy to identify the actors by the set of films they have appeared in, which is generally unique.
      • Masking can be an effective way of anonymising data by swapping data in individual data columns, so that aggregated calculations can still be performed (e.g. average age) and the data still looks like real data, but doesn’t match reality.
        • A very simple example of a table containing three fields – first name, last name and age, containing Joe Smith (25), Sally Jones (28), Bob Johnson (37) and Maria Doe (26) could become Sally Doe (37), Maria Johnson (25), Bob Smith (28) and Joe Jones (26).
      • Unlike pseudonymisation/tokenisation, masking is irreversible.
  • Wassenaar Arrangement – import/export controls for strong encryption
  • Fourth Amendment (searching private property without warrant)
  • Privacy Act (1974) – severely limits the way federal govt may deal with private information about individuals; agencies must maintain only the records necessary for conducting their business and destroy them when no longer needed; provides formal procedure for citizens to view their records and request that they be amended if incorrect; applies only to govt agencies
  • Electronic Communication Privacy Act (ECPA, 1986)
    • crime to invade electronic privacy of an individual
    • broadened Federal Wiretap Act to apply to any illegal interception of electronic communications or intentional unauthorised access to data
    • monitoring mobile phone conversations is illegal and punishable by a fine up to $500 and imprisonment of up to 5 years
  • Communications Assistance for Law Enforcement (1994, CALEA)
    • requires all comms carriers to make wiretaps possible for law enforcement, with an appropriate court order, and regardless of the technology in use
  • Economic Espionage Act (1996)
    • extends definition of property to include proprietary economic info so the theft of such information can be considered industrial or corporate espionage
  • Economic & Protection of Proprietary Information Act (EPPIA, 1996) – theft of economic information considered espionage
  • US PATRIOT Act (2001) – provides blanket approval for surveillance (brought in after 9/11, aimed at terrorist activity)
    • allows ISPs to provide information voluntarily, as well as under subpoena
    • amends CFAA to provide more severe penalties for criminal acts, with jail terms up to 20 yrs
  • Identity Theft & Assumption Deterrence Act (1998)
    • Makes identity theft a crime against the victim and provides severe criminal penalties of up to a 15-yr prison term and/or $250K fine

“Reasonable expectation of privacy”

  • The US courts have maintained that the right to privacy (as an extension of the basic constitutional rights) should only be guaranteed where there is a reasonable expectation of privacy; for example, if you mail a letter in a sealed envelope, you may reasonably expect that it will be delivered without being read on the way – if you send a message on a postcard instead, you do so with the awareness that one or more people might read the message before it arrives at the other end
  • Recent court rulings have found that employees do not have a reasonable expectation of privacy when using employer-owned equipment in the workplace, however if you’re planning to monitor employee communications, you should take reasonable precautions such as:
    • Clauses in employment contracts that state that the employee should have no expectation of privacy while using corporate equipment
    • Similar written statements in corporate acceptable use & privacy policies
    • Logon banners warning that all communications are subject to monitoring
    • Labels on computers & telephones warning of monitoring

Intellectual Property

  • Copyright: Lasts until 70 years after author’s death (95 years from date of publication for anonymous works, or works for hire; or 120 years from date of creation, whichever is shorter)
    • Can be officially registered, but not necessary as protection is automatic
    • DMCA protects copy-protection mechanisms and brings US in line with WIPO treaties; limits liability of ISPs but they must promptly remove stored content when notified of infringement
  • Trademarks: 10 years, then renewed for 10 years at a time
    • Should not be purely descriptive, or confusingly similar to another trademark
  • Patents: 20 years from application date (Patent Application: TEN times Two) then expires and anyone can use the idea
    • Inventions should be new, useful and non-obvious
  • Trade secret: Indefinite (organisation must implement own controls)
    • Can be formally protected by copyright or patents, but this will reveal the secret!
    • NDAs etc
    • One of the best ways to protect computer software
    • Economic Espionage Act (1996) made it illegal to steal trade secrets from a US corporation with the intent of benefitting a foreign government or agent (up to $500K fine and up to 15 years imprisonment); theft of trade secrets under other circumstances is up to $200K and 10 years – companies must be able to prove that their trade secrets are well protected.

Compliance

  • PCI DSS is an example of a compliance requirement that is not dictated by law, but by contractual obligation (via a merchant agreement between a business accepting credit cards and the bank that processes the transactions)
    • It has 12 main requirements:
      • Install & maintain firewall to protect cardholder data
      • Do not use default values for passwords & other security parameters
      • Protect stored cardholder data
      • Encrypt transmission of cardholder data across open networks
      • Protect all systems against malware; regularly update AV software
      • Develop & maintain secure systems & applications
      • Restrict access to cardholder data by need-to-know
      • Identify & authenticate access to system components
      • Restrict physical access to cardholder data
      • Track & monitor all access to network resources & cardholder data
      • Regularly test security systems & processes
      • Maintain a policy that addresses info sec for all personnel
    • Also applies to organisations that are not merchants, but store, process or transmit credit card information on behalf of merchants, such as shared hosting providers
  • SOX (Sarbanes-Oxley Act) is an example of a regulation which requires security controls around financial systems
  • Organisations may be subject to compliance audits, either by their existing internal & external auditors or by regulators

Third-party governance

  • Mandated on you by law, regulation, industry standard, contractual obligation etc; generally involves outside investigator/auditor
  • Another aspect is the application of security oversight on third-parties on which you rely
  • Documentation review – reading exchanged materials (e.g. third party policy & reports) and verifying them against standards & expectations (typically before any on-site inspection)
    • If documentation is not in compliance, chances are the location is not either
    • In many situations (commonly government/military) failure to provide sufficient documentation can result in loss of authorisation to operate (ATO), requiring a complete document review & on-site review to re-establish
    • If documentation is complete & sufficient, existing ATO can be maintained, or temporary ATO (TATO) can be granted
  • Questions to cover during vendor governance reviews:
    • What types of sensitive info are stored, processed or transmitted?
    • What controls are in place to protect information?
    • How is our organisation’s information segregated from that of other clients?
    • If applicable, what encryption algorithms & key lengths are used, and how is key management handled?
    • What type of audits does the vendor perform, and does the client have access to the reports?
    • Does the vendor rely on any third-parties to store, process or transmit data? How do the security provisions of the contract extend to these parties?
    • Where will data storage, processing & transmission take place? If outside the home country of the client/vendor, what are the implications?
    • What is the vendor’s incident response process, and when will clients be notified of a potential breach?
    • What provisions are in place to ensure the ongoing integrity & availability of client data?

Personnel security

  • Job rotation provides knowledge redundancy as well as reducing risk of fraud etc. Cross-training involves preparing workers to perform other job positions, but not actually rotating jobs unless needed to fill a work gap, e.g. as part of an emergency response
  • Training is considered an administrative control.
  • Mandatory vacations are primarily a detective control.
  • Non-compete agreements are difficult to enforce legally but may still provide a deterrent for workers
  • Primary purpose of the exit interview is to review any liabilities/restrictions placed on the former employee (most commonly an NDA)

Risk terminology

  • Asset
  • Asset Valuation
    • $ value
  • Threat
    • any potential occurrence that may cause an undesirable outcome
    • can result from action or inaction
    • threat agents (usually people) intentionally exploit vulnerabilities
    • threat events are accidental or intentional exploitations of vulnerabilities (natural or man-made)
    • a realised threat is a threat that results in loss
  • Vulnerability
    • weakness in an asset, or the absence of a safeguard
  • Exposure
    • the potential of asset loss because of a threat
    • experienced exposure means that a realised threat is actually occurring
    • exposure factor (EF) is derived from this concept
  • Risk
    • the likelihood that a threat will exploit a vulnerability to cause harm to an asset
    • as a formula: risk = threat * vulnerability
  • Safeguards
    • the only means by which a risk is mitigated
    • reconfiguring existing security and even removing elements from the infrastructure are valid safeguards – not just purchasing new tools
  • Attack
    • deliberate exploitation of a vulnerability by a threat agent
    • can also be viewed as any violation of an organisation’s security policy
  • Breach
    • the occurrence of a security mechanism being bypassed by a threat agent

Remember:
Threats exploit vulnerabilities which results in exposure.
Exposure causes risk.
Risk is mitigated by safeguards which protect assets (which are endangered by threats).

Risk analysis

  • Quantitative or qualitative – usually both (i.e. hybrid)
  • Major elements of a quantitative RA:
    • Assign asset value (AV)
    • Calculate exposure factor (EF)
    • Calculate single loss expectancy (SLE)
    • Assess the annualised rate of occurrence (ARO)
    • Derive the annualised loss expectancy (ALE)
    • Perform cost/benefit analysis of countermeasures
  • EF represents the percentage loss of an asset from a realised risk (loss potential)
  • SLE = AV * EF
  • ALE = SLE * ARO (or ALE = AV * EF * ARO)
  • Cost/benefit analysis: (ALE1 – ALE2) – ACS
    • ALE1: ALE before safeguard
    • ALE2: ALE after safeguard
    • ACS: annual cost of safeguard
  • Delphi technique (used in qualitative RA): anonymous feedback-and-response process used to enable a group to reach a consensus.
  • Countermeasure selection is not part of risk analysis – it’s a later activity of the wider risk management piece
  • Total risk is the amount of risk an organisation would face if no safeguards were implemented:
    threats * vulnerabilities * asset value = total risk
    (In this case, * implies a combination function, not multiplication – it’s not a true mathematical formula)
  • Controls gap: difference between total & residual risk (i.e. the amount of risk that is reduced by implementing controls):
    total risk – controls gap = residual risk
  • Recovery controls are a more advanced extension of corrective controls; examples include backups, fault-tolerant RAID, AV software, DB shadowing etc.
  • Specialist software is a good way to reduce the burden on risk analysis staff, particularly on quantitative analysis.
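Added example (my own code, not from these notes): the SLE, ALE and cost/benefit formulas above applied to a constructed scenario in which several candidate safeguards for one asset are ranked by annual net value. All asset values, exposure factors, rates and safeguard costs are made-up figures.

```python
"""Quantitative risk analysis worked through with the formulas from the notes:
SLE = AV * EF, ALE = SLE * ARO, safeguard value = (ALE1 - ALE2) - ACS.
Every figure below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # ACS: annual cost of the safeguard
    ef_after: float      # exposure factor once the safeguard is in place
    aro_after: float     # annualised rate of occurrence once it is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction (0..1) of the asset lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """ALE = SLE * ARO (equivalently AV * EF * ARO)."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(asset_value: float, ef_before: float, aro_before: float,
                    sg: Safeguard) -> float:
    """(ALE1 - ALE2) - ACS. Positive means the safeguard removes more annual
    loss than it costs; negative means it costs more than the risk it removes."""
    ale1 = annualised_loss_expectancy(asset_value, ef_before, aro_before)
    ale2 = annualised_loss_expectancy(asset_value, sg.ef_after, sg.aro_after)
    return (ale1 - ale2) - sg.annual_cost


def rank_safeguards(asset_value: float, ef_before: float, aro_before: float,
                    candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Return (name, annual value) pairs, best value first."""
    scored = [(sg.name, safeguard_value(asset_value, ef_before, aro_before, sg))
              for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a $1M asset, 40% lost per event, one event every 2 years.
SCENARIO = dict(asset_value=1_000_000, ef_before=0.4, aro_before=0.5)
CANDIDATES = [
    Safeguard("Offsite backups", annual_cost=20_000, ef_after=0.1, aro_after=0.5),
    Safeguard("Patch management", annual_cost=30_000, ef_after=0.4, aro_after=0.2),
    Safeguard("Hot DR site", annual_cost=250_000, ef_after=0.02, aro_after=0.5),
]

if __name__ == "__main__":
    print("ALE before any safeguard:",
          annualised_loss_expectancy(1_000_000, 0.4, 0.5))
    for name, value in rank_safeguards(candidates=CANDIDATES, **SCENARIO):
        print(f"{name:20s} {value:>12,.0f} per year")
```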

Risk management frameworks

  • NIST Risk Management Framework (RMF)
    • Defined in SP 800-37
    • Lists 6 steps (CSIAAM):
      • Categorise the information system
      • Select baseline controls
      • Implement controls
      • Assess controls
      • Authorise information system operation
      • Monitor the controls in the information system (ongoing)
  • Other RM frameworks include:
    • OCTAVE (Operationally Critical Threat, Asset & Vulnerability Evaluation)
    • FAIR (Factor Analysis of Information Risk)
    • TARA (Threat Agent Risk Assessment)

Domain 2: Asset Security

Assets include sensitive data, the hardware used to process it, and the media used to hold it.

Two areas where organisations typically trip up:

  • Backup media should be protected with the same level of protection as the data that is backed up!
  • Properly sanitising media and/or equipment when it is at the end of its lifecycle

Record retention: A good reason to define a record retention policy is to prevent unnecessary legal issues, such as having to trawl through old emails which could/should have been deleted. A company cannot legally delete potential evidence after a lawsuit is filed, however if a record retention policy is in place, it is legal to delete data older than the maximum retention period before any lawsuit is filed.
Hardware retention: Keeping hold of hardware until it has been properly sanitised
Personnel retention: In this context, refers to knowledge that staff gain while being employed by an organisation. NDAs are widely used to prevent current or former employees from sharing proprietary data.

Methods of removing data

  • Erasing: Simple logical deletion of file – data is still there
  • Clearing: Overwriting. Can be recovered in some labs using specialist tools. Suitable only for unclassified data
  • Purging: Intense form of clearing. Prepares media for use in a less sensitive environment. Data is non-recoverable using known methods. Not suitable for highly classified data (e.g. Top Secret).
  • Declassification: Process of using media in an unclassified environment.
  • Sanitisation: Combination of processes to remove data, ensuring data cannot be recovered at any cost. Usually stops short of physical destruction.
  • Destruction: Final stage in media lifecycle. Most secure option. Can include shredding, incineration, dissolving with chemicals etc. Often cheaper to destroy & purchase new media than have assured sanitisation, and no risk of a new method of data recovery being discovered. Only truly secure method for SSD sanitisation.
  • Good idea to encrypt all data on SSDs, so any data that manages to escape the sanitisation process cannot be read.
  • Note on degaussing: Good for magnetic tapes, not recommended for hard drives; the strong magnetic field usually destroys the sensitive electronics used to read the data, leaving you with no way of verifying whether the data has been destroyed. Someone could open the drive in a cleanroom and transplant the platters to another drive in order to read the data.

Data roles

  • Business/Mission Owner: Has responsibility for a department, e.g. sales dept. Owns the process and is responsible for ensuring it provides value to the organisation. IT governance models such as COBIT are sometimes used to help business owners balance security control requirements with business or system need, and justify the cost of security to the business.
  • System Owner: Person responsible for actual computers that house data, including their hardware/software config. Develops system security plan and ensures it is deployed. Delegates technical responsibilities to custodians.
  • Data Owner: Ultimately responsible for data. Classifies the data and specifies controls. Management duties rather than hands-on. Typically CEO, president or dept head. Business, System and/or Data Owner roles can be combined
  • Data Administrator: Grants access to personnel as directed by data owner, typically using RBAC (assigning/deassigning users to roles).
  • Custodian: Performs hands-on tasks to protect assets as directed by data owner/system owner (e.g. making backups). Process followers, not decision makers.
  • Data Controller: Person who controls processing of data (e.g. HR/payroll dept)
  • Data Processor: Entity who processes personal data on behalf of a data controller (e.g. third-party payroll company). Must protect the privacy of the data and not use it for any purpose other than directed by the data controller.

“Rules of behaviour” are established by the Data Owner and are effectively the same as an acceptable use policy (AUP). These outline the responsibilities & expected behaviour of individuals, and state the consequences of non-compliance.

Certification & accreditation

  • Certification means a system has been certified to meet the security requirements of the data owner. You can be CERTain that it meets its requirements!
  • Certification considers the system, the security measures taken to protect it, and the residual risk represented by it.
  • Accreditation is the data owner’s formal acceptance of the certification and of the residual risk, which is required before the system is put into production. The data owner believes the system is CREDible!

Standards & control frameworks

PCI DSS

  • Industry specific: applies to vendors who store, process and/or transmit payment card data
  • Created by the Payment Card Industry Security Standards Council, comprised of AmEx, Discover, MasterCard, Visa and others.
  • Seeks to protect credit card data by requiring vendors to take specific precautions
  • Based on a set of core principles:
    • Build & maintain a secure network, and systems
    • Protect cardholder data
    • Maintain a vulnerability management program
    • Implement strong access control measures
    • Regularly monitor and test networks
    • Maintain an information security policy
  • Vendors must either carry out regular web vulnerability scans, or place their applications behind a web application firewall

OCTAVE

  • Stands for Operationally Critical Threat, Asset & Vulnerability Evaluation
  • A risk management framework from Carnegie Mellon University
  • Describes a three-phase process for managing risk:
    • Phase 1 identifies staff knowledge, assets & threats
    • Phase 2 identifies vulnerabilities and evaluates safeguards
    • Phase 3 conducts the risk analysis & develops the risk mitigation strategy

Common Criteria

  • International standard for describing and testing the security of IT products
  • Presents a hierarchy of requirements for a range of classifications & systems
  • Key terms:
    • Target of evaluation (ToE): The system or product that is being evaluated
    • Security target (ST): The documentation describing the ToE, including the security requirements and operation environment
    • Protection profile (PP): An independent set of security requirements & objectives for a specific category of products/systems, such as firewalls or IDSs
    • Evaluation assurance level (EAL): The evaluation score of the tested product or system. There are seven EALs, each building upon the previous level (for example, EAL3 products can be expected to meet or exceed the requirements of products rated EAL1 or EAL2):
      • EAL1: Functionally tested
      • EAL2: Structurally tested
      • EAL3: Methodically tested & checked
      • EAL4: Methodically designed, tested & reviewed
      • EAL5: Semi-formally designed & tested
      • EAL6: Semi-formally verified, designed & tested
      • EAL7: Formally verified, designed & tested

The ISO 27000 series

  • ISO 27002 is a set of optional guidelines for an information security code of practice. It was based on BS 7799 Part 1 and was renumbered from ISO 17799 in 2005 for consistency with other ISO security standards. It has 11 areas, each focusing on specific info sec controls:
    1. Policy
    2. Organisation of info sec
    3. Asset management
    4. HR security
    5. Physical & environmental security
    6. Comms & operations management
    7. Access control
    8. Information systems acquisition, development & maintenance
    9. Info sec incident management
    10. Business continuity management
    11. Compliance
  • ISO 27001 is a related standard and comprises mandatory requirements for organisations wishing to be certified against it

COBIT

  • A control framework for employing info sec governance best practices within an organisation
  • Developed by ISACA (Information Systems Audit & Control Association)
  • Made up of four domains:
    • Plan & Organise
    • Acquire & Implement
    • Deliver & Support
    • Monitor & Evaluate
  • Key principles include:
    • Meeting stakeholder needs
    • Covering the enterprise end-to-end
    • Applying a single, integrated framework
    • Enabling a holistic approach
    • Separating governance from management

ITIL

  • Information Technology Infrastructure Library
  • A framework for providing best practice in IT Service Management
  • Contains five core publications providing guidance on various service management practices:
    • Service Strategy: helps IT provide services
    • Service Design: details the infrastructure & architecture required to deliver IT services
    • Service Transition: describes taking new projects and making them operational
    • Service Operation: covers IT operations controls
    • Continual Service Improvement: describes ways to improve existing IT services

Scoping & tailoring

  • Scoping is the process of determining which parts of a standard/baseline should apply to an organisation. For example, an organisation that does not employ wireless equipment may declare the wireless provisions of a particular standard are out of scope and therefore do not apply.
  • Tailoring is the process of customising a standard for an organisation to align with its mission. It begins with controls selection, continues with scoping & finishes with the application of compensating controls.

US government organisations are required to comply with many of the standards published in NIST SP-800 documents. These same documents are used by many private sector organisations to develop & implement their own security standards.

Cryptography, cryptanalysis & cryptology

  • Cryptography is the art of creating & implementing secret codes & ciphers.
  • Cryptanalysis is the study of methods to defeat codes & ciphers.
  • Together, cryptography & cryptanalysis are referred to as cryptology

Symmetric vs asymmetric encryption

  • Symmetric = secret key or private key cryptosystems using a single shared key (shared secret)
  • Asymmetric = public key cryptosystems, using pairs of public and private keys

Other terms

  • Initialisation vector (IV or nonce) used to create unique ciphertext each time the same message is encrypted using the same key
  • Split knowledge and M of N control can be used for key escrow
  • Work function or work factor (time/cost effort to perform a brute-force attack) need only be slightly greater than the time value of the asset (e.g. if data only useful for 10 years, an 11-year work factor is sufficient) – principle that all security, including crypto, should be cost effective & cost efficient; provide sufficient protection without unnecessary effort.
  • Codes do not always provide secrecy; e.g. the “10-system” used by law enforcement is commonly known by the public, but it does provide for ease of communication.
  • All ciphers provide secrecy, and are always meant to hide the true meaning of a message.
  • Remember that codes work on words & phrases, whereas ciphers work on individual characters & bits

Substitution cipher

  • Caesar cipher (ROT3) is an example of a shift cipher, which shifts each letter three places to the right to encrypt (and three places to the left to decrypt) – vulnerable to frequency analysis
  • Polyalphabetic ciphers like Vigenère are not vulnerable to direct frequency analysis, but to a second-order form of frequency analysis called period analysis
  • One-time pads are a powerful form of polyalphabetic cipher which are considered unbreakable as long as the one-time pad (which must be as long as the message to be encrypted) is truly random, physically protected from disclosure, and only used once.
  • Caesar shift cipher, Vigenère and one-time pads are very similar – the only difference is the key length. Caesar cipher uses a key of length one, Vigenère uses a longer key (usually a word or sentence) and one-time pad uses a key as long as the message.
  • Running key cipher uses a passage from a book or newspaper as the key. It assigns a numeric value to the plaintext and the key and performs modulo 26 addition to determine the ciphertext.
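Added example (my own code, not from these notes): the Caesar shift, Vigenère and one-time pad implemented as a single mod-26 keyed shift that differs only in key length, plus a letter-frequency count showing why a length-one key falls to frequency analysis. The running key cipher is the same function with a book passage as the key; all messages and keys here are constructed.

```python
"""One keyed shift cipher, three key lengths: Caesar (1 letter), Vigenère
(a word), one-time pad (key as long as the message). Constructed inputs only."""
from collections import Counter
import secrets
import string

ALPHABET = string.ascii_uppercase


def _clean(text: str) -> str:
    """Keep only A-Z so every character maps to a value 0..25."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def shift_encrypt(plaintext: str, key: str) -> str:
    """Add key letters to plaintext letters mod 26, cycling the key.

    len(key) == 1              -> Caesar shift (key 'D' is ROT3)
    len(key) == a word/phrase  -> Vigenère, or running key with a book passage
    len(key) >= message length -> one-time pad (if the key is random, used once)
    """
    pt, k = _clean(plaintext), _clean(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return "".join(
        ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k[i % len(k)])) % 26]
        for i, p in enumerate(pt)
    )


def shift_decrypt(ciphertext: str, key: str) -> str:
    """Subtract key letters mod 26: the inverse of shift_encrypt."""
    ct, k = _clean(ciphertext), _clean(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k[i % len(k)])) % 26]
        for i, c in enumerate(ct)
    )


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """ROT-n as the special case of a one-letter key; the default 3 is ROT3."""
    return shift_encrypt(plaintext, ALPHABET[shift % 26])


def one_time_pad_key(message: str) -> str:
    """Random key exactly as long as the cleaned message (use it once only)."""
    return "".join(secrets.choice(ALPHABET) for _ in _clean(message))


def letter_frequencies(text: str) -> list[tuple[str, int]]:
    """Most common letters first. A Caesar ciphertext keeps the plaintext's
    frequency profile, merely shifted, which is what frequency analysis uses."""
    return Counter(_clean(text)).most_common()


def caesar_shift_from_frequency(ciphertext: str) -> int:
    """Estimate a Caesar shift by assuming the most frequent ciphertext letter
    stands for E, the most common letter in English text."""
    top_letter = letter_frequencies(ciphertext)[0][0]
    return (ALPHABET.index(top_letter) - ALPHABET.index("E")) % 26


if __name__ == "__main__":
    msg = "ATTACK AT DAWN"                       # constructed message
    print("Caesar  :", caesar_encrypt(msg))       # one-letter key
    print("Vigenere:", shift_encrypt(msg, "LEMON"))
    pad = one_time_pad_key(msg)                   # key as long as the message
    print("OTP     :", shift_encrypt(msg, pad), "->", shift_decrypt(shift_encrypt(msg, pad), pad))
    ct = caesar_encrypt("DEFEND THE EAST WALL OF THE CASTLE", 3)
    print("Recovered Caesar shift:", caesar_shift_from_frequency(ct))
```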

Transposition cipher

  • Provides transposition, or permutation, by rearranging the characters of the plaintext (like an anagram)
  • Columnar transposition numbers the letters in a keyword in alphabetical order and arranges the message underneath in columns. The columns are then read vertically in order of the numbers to encipher the message


Unsorted

Biba vs Bell-LaPadula

  • Imagine the “i” in Biba means “integrity” – leaving Bell-LaPadula for confidentiality
  • Bell-LaPadula is hard to write down! So this has the “no write down” rule
  • “Written in the stars” applies to the write rules in both models
    • *-Property in BLP (no write down)
    • * Integrity Property in Biba (no write up)

Fire classes

(A)sh – Common combustibles: wood, paper
(B)oil – Liquid fires
(C)urrent – Electrical fires
(D)ent – Metal fires
(K)itchen

Fire extinguishing agents

Soda acid – reduces fuel intake
Halon (or equivalent) – reduces chemical reaction
CO2 – removes O2
Water – reduces heat

Database terminology

Relation = table
Attribute = column
Tuple = row
Cardinality = number of rows
Degree = number of columns
Domain = all possible values of a column

SW-CMM

IRDMO:
Initial – disorganised, no process
Repeatable – life cycle mgmt process introduced, project planning, QA etc
Defined – developers operate with formal procedure; more organised
Managed – detailed understanding of development; quantitative development metrics & quality mgmt
Optimised – sophisticated dev process; feedback oriented; change mgmt

Composition theories

  1. Cascading
  2. Feedback
  3. Hookup

Waterfall is a SW dev methodology, not a comp theory.
Iterative is not a comp theory.

Misc stuff

MAC addresses must be locally unique (in theory, they are globally unique, but this is not guaranteed)

Ring model only has 4 rings (0-3), rings 1 & 2 (device drivers) not normally implemented in practice; 0 = kernel, 3 = user.

TCP handshake: SYN > SYN/ACK > ACK

Turnstile is best way to restrict access into or out of a facility (one person at a time, often directional), not mantrap

Secondary verification mechanisms establish the correctness of detection systems

MOM – Means, Opportunity & Motive: the three things an attacker/adversary needs

CIDR

WAF = reverse proxy

TOTP = Time-Based OTP (One-Time Passwords)

Rules of behaviour: Rules identified for the protection of data. RoB apply to the user, not the system.

Static RAM (SRAM) uses “flip-flops” (latches) – faster.
Dynamic RAM (DRAM) uses small capacitors – slower/cheaper.
Both types are volatile (lose data upon power loss) but DRAM requires constant refreshing while SRAM does not.

Quality Control (QC) – assessment of quality based on internal standards
Quality Assurance (QA) – assessment of quality based on external standards; involves reviewing of QC processes & activities

DAM = Database Activity Monitoring

Data dispersion replicates data in multiple physical locations
Data fragmentation splits data into shards and distributes them across a large number of machines

Tokenisation replaces sensitive data (e.g. credit card numbers) with a reference to that data (that may reside elsewhere, e.g. in a more secure environment)

Some implementations of EMV payment cards use 3DES encryption.

Blowfish uses 32-448 bit key sizes and is used by bcrypt (Linux) to encrypt passwords. Bcrypt adds a 128-bit salt to protect against rainbow table attacks.

SSL is susceptible to POODLE (Padding Oracle On Downgraded Legacy Encryption) and should ideally be disabled in favour of a TLS-only approach.

IPSec is often combined with L2TP (Layer 2 Tunnelling Protocol) for VPNs. L2TP itself transmits data in cleartext, but is used with IPSec in tunnel mode to protect data in transit.

NOT: ~ or ! symbol
XOR: ⊕ (X within an O, Rotated) or ⊻ (OR with a line under it)
Modulus: mod or %
