Eric Conrad
econrad@gmail.com
Twitter: @eric_conrad
CISSP-CAT: COMPUTERIZED ADAPTIVE TESTING
INFOSEC
• Confidentiality ≠ disclosure
• Integrity ≠ alteration
• Availability ≠ destruction
• Identification
• Authentication
• Authorization
• Accountability
Confidentiality
• Confidentiality aims to prevent the unauthorized disclosure of
information
• Secrets remain secret while confidentiality is maintained
Integrity
• Integrity focuses on prevention of unauthorized modification of
assets
• Applies to both data and systems
• Malware installation would be a violation of a system's integrity
MGT414 | SANS Training Program for CISSP® Certification 9
CONFIDENTIALITY, INTEGRITY, AVAILABILITY, AND PRIVACY (2)
Availability
• Availability ensures required access to resources remains
possible
• Ransomware and denial of service (DoS) attacks represent
obvious breaches of availability
Privacy
• Confidentiality and protection of personally identifiable
information
Identification
• Identification provides a weak and unproven claim of identity
• Providing a username would be an example of identification
• Requires proof (authentication) prior to being granted access
(authorization) to controlled data.
Authentication
• Authentication serves as proof a user's identity claim is legitimate
• Strong authentication implies a higher-integrity means of proof
and/or multiple methods of proof
Authorization
• Authorization proceeds after successful authentication and
determines what the authenticated user can do
Accounting
• Accounting (also known as Accountability) details the
interactions performed by individuals
• Audit logs can be generated, allowing users to be held
accountable for their documented actions
• Annualized Loss Expectancy (ALE): Single Loss Expectancy (SLE) x
Annualized Rate of Occurrence (ARO)
• Annualized Rate of Occurrence (ARO): Frequency of threat
occurrence per year
• You are an information security manager for mgt414.com. Your network has
suffered repeated Denial of Service attacks against your internet web
servers, using malformed web requests from thousands of IP addresses,
resulting in extended outages that resulted in lost online sales.
• Your company makes $1,000,000 profit in online sales per year, and each
DoS attack costs you 2% of those profits annually. You see an average of six
such attacks per year.
• Your staff have identified a cloud-based Web Application Firewall (WAF)
service that will completely mitigate this issue. The service costs $40,000
per year, and will require an additional $10,000 per year in staff costs to
maintain
• Is this a wise purchase?
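The scenario above worked through with the slide's ALE formula, as an added example (not from the MGT414 slides): it computes SLE, ALE before and after the control, and the net annual value of the WAF; the zero residual ARO after the WAF is an assumption taken from the slide's "completely mitigate" wording.

```python
# Added example: quantitative risk analysis for the mgt414.com DoS scenario.
# Dollar figures are the ones stated in the scenario; residual ARO of zero
# after the WAF is assumed from "completely mitigate".

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float        # annual online sales profit exposed to the threat
    exposure_factor: float    # fraction of asset value lost per incident
    aro: float                # annualized rate of occurrence (incidents / year)


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x exposure factor (loss from one incident)."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO (expected loss per year)."""
    return single_loss_expectancy(s) * s.aro


def control_net_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Risk reduction the control buys, minus its yearly cost.
    Positive means the control is worth more than it costs."""
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_cost)


# $1,000,000 annual profit, each DoS costs 2%, six attacks per year.
DOS_BEFORE_WAF = Scenario(asset_value=1_000_000, exposure_factor=0.02, aro=6)
DOS_AFTER_WAF = Scenario(asset_value=1_000_000, exposure_factor=0.02, aro=0)
WAF_ANNUAL_COST = 40_000 + 10_000   # service fee plus added staff cost


def waf_decision() -> dict:
    """Return every intermediate value of the cost/benefit calculation."""
    return {
        "sle": single_loss_expectancy(DOS_BEFORE_WAF),
        "ale_before": annualized_loss_expectancy(DOS_BEFORE_WAF),
        "ale_after": annualized_loss_expectancy(DOS_AFTER_WAF),
        "control_cost": WAF_ANNUAL_COST,
        "net_value": control_net_value(DOS_BEFORE_WAF, DOS_AFTER_WAF, WAF_ANNUAL_COST),
    }


if __name__ == "__main__":
    for name, value in waf_decision().items():
        print(f"{name:>13}: ${value:,.0f}")
```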
• Qualitative Analysis
o Not as overtly tied to dollar amounts associated with potential losses
o Considerably easier to calculate for most environments
o Businesses might not consider it as valuable because of the lack of
explicit dollar amounts
• Very useful for prioritization of risks to be addressed
[Figure: qualitative risk matrix, likelihood (rows) versus impact (columns); visible rows: Medium = 2, 3, 4; Low = 1, 2, 3]
[Figure: PGP signature block (encrypt with private key), labelled as providing Authentication and Non-Repudiation]
[Figure: lifecycle diagram with four phases: Planning, Provisioning, Operating, Decommissioning]