Risk Theory

Risk Analysis

Attack by email

Attack by Deception

Hoaxes

Hackers

Web Page Attacks

Attack of the Worms

IRC and P2P

Subject - WHO?
Viruses
Object - WHAT?
Asset and Data Valuation Attack Vectors Write Permission Problem -
Rights (Subject -> the right to create user) - HOW?
give permissions to write
Context and Data Value
Permissions (Subject R/W/X) - HOW? anything, i.e. virus
Corporate vs Departmental Access Control Concepts Access Control List - RWX
Business Legal and Regulatory
Access Control on OSI model
Requirements Read Permission Problem -
TOE
Domain 4 - ACL List subject reads file and create a
Requirements ACL Repository copy of this file with its
EAL Product Assurance Evaluation Criteria Analysis and ownership
CC Assurance Security Standards Mandatory Access control (Labels)
ISO 27000 series 20/02 : 28/02 Limit access to essential objects
Cap ab ility Maturity Mod el 7 workday(s)
Label data
(SEI-CMM)
DAC Implementation Strategie s Filter information
Concept of Layered Architecture
Policy
PCI DSS
Monitoring
Architectural Solutio n

Architecture Frameworks Configuration files

Discretionary Access Control - DAC Windows registry
Department of Defence DoDAF
(Object Owner decides) | evaluates ACL
The Zachman Framework Services
ISO 7 498 series Data
System Security Engineering
Methodology CACLS tool (execute problem) Set all to READ ONLY
Design Validation Block removable media
Certification Access Control Mechanisms Solutions HIDS
Peer Reviews Software integrity inventories
Documentation Monitor execution

RBAC (roles)
Natural
ORCON (contest of the originator is required)
Industry
Risk Analysis DRM (Digital - cryptographic)
Neighbours Non-Discretionary Access Control (more DAC than MAC)
UCON (usage controlled / frequency of access)
Business Impact Analysis
Rule-based (Firewalls / VPNs) |
Data stored in electronic Form
evaluates activity
Remote Replication and Off-site journaling
Least Functionality
Selecting Recovery Strategy
ISSAP
Domain 5 - BCP and DR
Backup Strateg ies Least Privilege (no limitations)
01/03 : 11/03
Implementing Recovery Strateg y 7 workday(s) Separation of Duties

Documenting the Plan

AAA
The Human Factor
Cost-Benefit Analysis Single Sign-On
Logistics

Plan Maintenance
Proxy Access Control

Gatekeeper

Access Control Server

TACACS

Voice Communication Domain 6 - Centralized Access Control RADIUS

Network Architectu r e Telecommunications and
Protocols EAP
Network Design Considerations Network Security
12/03 : 19/03 KERBEROS
6 workday(s)
SESAME

Design Considerations
Domain 1 - Access Architecture
Control Systems
and Methodology
23/01 : 31/01 Distributed | Shared database | Robust | Scalable
7 workday(s) De-centralized Access Control
Design Considerations

Trusted Computing Base

Federated Access Control Design Considerations

Directories and Access Control Design Considerations

Identity Management

Who?What?Where?When?Effec t ?
Accounting

Authorized | Monitored | Validated

Access Control Administration
P2P
Access Control Ad ministration
and Management Concepts Views | Triggers | Stored Procedures
Database Access

Inherent Rights

Change of Privilege Levels

Role based
Groups
Task based

Dual Control

Location

Topology

Subnet

Geo consideration

Physical and Logical

Device types Network based

Third Party Software

Strength and Weaknesses of

Authentication Tools

Badges

Magnetic Strips
Granted Rig hts Token based Authentication Tools
Proximity Cards

Common Issues

Performance

Biometric Authenticatio n Implementation

Common Issues
Authentication Design Validation
Architecture Effectiveness Assurance

Testing Strategies

Testing Objectives

Testing Paradigms

Repeatability

Methodology

Developing Test Procedures

Risk-Based Consideration s

Applications of Cryptography

Message Encryption

Secure IP Communication (IPSEC)

Remote Access

Wireless Communication

Other types of Secure Communication

Identification and Authenticatio n

Storage Encryption

Code Signing
Principles

Symmetric

Block Cipher

Stream Cipher
Methods of Cryptography
Asymmetric

Hash and MAC

Digital Signatures

Key Types

Strength and Key Size

Key Life Cycle

Key Creation

Key Distribution
Key Management Key Storage

Key Update
Domain 2 - Cryptography
Key Revocation
01/02 : 11/02
7 workday(s)
Key Escrow

Backup and Recovery

Key Distribution

Certificates and Key Storage

PKI Registration

Certificate Issuance
Public Key Infrastructure Trust Models

Certificate Chains

Certificate Revocation

Cross Certification

Review of Cryptanalytic Attacks

Design Validation
Risk-Based Cryp tog rap h ic
Architecture
NSA-FIPS-19 7

NSA-FIPS-14 0
Standards
NIST CAVP

NIST CMVP
Cryp tog rap h ic Comp lian ce
PCI DSS

Industry- specific Standards HIPAA

EU Data Protection Act

Roadway Design

Parking
Traffic Monitoring
Open Area Parking

Loading Docks

Infrared Sensors
Microwave

Coaxial Strain-Sensitive Ca b l e

Taut-Wire Systems

Unauthorized access Surveillance Devices Time Domain Reflectometry Systems

CCTV

DVR

Video Content Analysis

Physical Security Risks Guard Force

Card Types
Domain 3 - Physical Security Badge Equipment
11/02 : 19/02 Access Control Systems
7 workday(s) Biometrics
Access control Head-End

Low Profile

Location Hazard
Threat Assessment

Facility Risk Site Planning

Restricted Work Areas

Entrances and Exits

Mobile Devices

Evacuation Drills
Protection Plan Incident Response

Penetration Tests
Design Validation Access Control Violation Monitorin g

ISSAP_map_0113.mmap - 29/01/2013 - Mindjet