CBK DOMAIN #1 INFORMATION

SECURITY AND RISK MANAGEMENT

HARSHAD SHAH
CISO(CHIEF INFORMATION SECURITY OFFICER)
GLOBAL CYBER SECURITY RESPONSE TEAM
CHAPTER 1 – WE WILL TALK ABOUT

• THE CIA TRIAD (OUT OF ORDER)
• SECURITY MANAGEMENT RESPONSIBILITIES
• ADMINISTRATIVE, TECHNICAL AND PHYSICAL CONTROLS
• RISK MANAGEMENT AND RISK ANALYSIS
• SECURITY POLICIES
• INFORMATION CLASSIFICATION
• POSITIONS AND RESPONSIBILITIES
CIA, IT’S NOT JUST A
GOVERNMENT AGENCY (59)

• THE CIA TRIAD PROVIDES FOR THE SECURITY OBJECTIVES. THIS IS ALSO CALLED
THE AIC TRIAD.
CONFIDENTIALITY (60)

• PROTECTS THE DATA FROM UNAUTHORIZED DISCLOSURE
• ENSURES THE NECESSARY LEVEL OF SECRECY IS
ENFORCED AT EACH JUNCTION OF DATA PROCESSING
• CAN BE PROVIDED VIA TECHNICAL CONTROLS SUCH AS
AUTHENTICATION METHODS AND ENCRYPTION METHODS
• ATTACKS INCLUDE SHOULDER SURFING AND SOCIAL
ENGINEERING, MAN IN THE MIDDLE, ATTEMPTS AT
DECRYPTION, ETC.
INTEGRITY (60)

• ENSURING THAT THE DATA IS NOT MODIFIED.
• MUST ENSURE ACCURACY AND RELIABILITY OF THE INFORMATION AND
INFORMATION SYSTEMS. MUST NOT ALLOW UNAUTHORIZED MODIFICATION.
(EITHER INTENTIONAL OR ACCIDENTAL*)
INTEGRITY EXAMPLE

• THE TRADER WAS SUPPOSED TO SELL ONE SHARE FOR
610,000 YEN ($5,065). INSTEAD, 610,000 SHARES
VALUED AT $3.1 BILLION WERE OFFERED FOR 1 YEN
EACH.
• SOMEBODY MADE A TYPING MISTAKE, SAID THE
BROKERAGE UNIT OF MIZUHO FINANCIAL GROUP,
JAPAN'S SECOND-LARGEST BANK. THE ERROR SET OFF
A FRENZY OF TRADES, AND COST THE UNIT AT LEAST 27
BILLION YEN ($224 MILLION) AS IT TRIED TO BUY BACK
THE SHARES, THE BANK SAID.
INTEGRITY

• HASHES AND SIGNED MESSAGES ARE EXAMPLES OF HOW TO ENSURE INTEGRITY
• CAN BE ATTACKED WITH BIRTHDAY ATTACKS / HASH COLLISIONS AND MAN IN THE
MIDDLE ATTACKS
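The slide says hashes and signed messages protect integrity but that a man in the middle can still attack them. The following Python example, added here and not part of the original deck, shows why the distinction matters: an unkeyed hash catches an accidental change (the Mizuho typo above), but an intermediary who can alter the message can also recompute the hash, so only a keyed tag (here HMAC-SHA256 standing in for a signature) holds up. The message text and the shared key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample messages, modelled on the trading example above.
ORIGINAL = b"SELL 1 share @ 610000 JPY"
TAMPERED = b"SELL 610000 shares @ 1 JPY"

# Assumed shared secret between sender and receiver (placeholder, not a real key).
SHARED_KEY = b"example-shared-secret"


def digest(message: bytes) -> str:
    """Unkeyed SHA-256 hash: detects accidental modification only."""
    return hashlib.sha256(message).hexdigest()


def mac(message: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256: a 'signed' message that nobody without the key can forge."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hash(message: bytes, expected_hash: str) -> bool:
    # compare_digest avoids leaking timing information about where the mismatch is
    return hmac.compare_digest(digest(message), expected_hash)


def verify_mac(message: bytes, expected_mac: str, key: bytes) -> bool:
    return hmac.compare_digest(mac(message, key), expected_mac)


def accidental_change_detected() -> bool:
    """Sender publishes the hash of ORIGINAL; a changed message no longer matches."""
    published = digest(ORIGINAL)
    return not verify_hash(TAMPERED, published)


def mitm_defeats_plain_hash() -> bool:
    """An intermediary who rewrites the message can also rewrite the unkeyed hash,
    so the receiver's check passes and the tampering goes unnoticed."""
    forged_hash = digest(TAMPERED)
    return verify_hash(TAMPERED, forged_hash)


def mitm_fails_against_mac() -> bool:
    """Without SHARED_KEY the intermediary cannot produce a valid tag; the best
    they can attach is an unkeyed hash, which the receiver rejects."""
    forged_tag = digest(TAMPERED)  # no key available, so this is all they can compute
    return not verify_mac(TAMPERED, forged_tag, SHARED_KEY)


def genuine_mac_accepted() -> bool:
    """A legitimate sender holding the key produces a tag the receiver accepts."""
    tag = mac(ORIGINAL, SHARED_KEY)
    return verify_mac(ORIGINAL, tag, SHARED_KEY)


if __name__ == "__main__":
    print("accidental change detected by hash:", accidental_change_detected())
    print("MITM defeats plain hash:", mitm_defeats_plain_hash())
    print("MITM fails against keyed MAC:", mitm_fails_against_mac())
    print("genuine MAC accepted:", genuine_mac_accepted())
```

A digital signature (public-key) gives the same protection with the added property that the receiver needs no shared secret; the HMAC is used here only because it needs no key generation.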
AVAILABILITY

• THE ABILITY TO ACCESS DATA AND SYSTEMS BY AUTHORIZED PARTIES
• THIS IS VERY EASY TO ATTACK AND HARD TO DEFEND AGAINST.
• ATTACKS ARE OFTEN DOS-TYPE ATTACKS.
• EXAMPLE OF AVAILABILITY ATTACK:
• TAKING DOWN A POWER GRID
• STOPPING STOCK MARKET TRADES
SECURITY MANAGEMENT

NOW THAT WE KNOW THE 3 PRINCIPLES OF SECURITY, LET’S TALK ABOUT HOW WE
CAN MANAGE SECURITY
SECURITY MANAGEMENT
(BACK TO PG 53)
ATTEMPTS TO MANAGE SECURITY.
• INCLUDES RISK MANAGEMENT, IS POLICIES, PROCEDURES,
STANDARDS, GUIDELINES, BASELINES, INFORMATION
CLASSIFICATION, SECURITY ORGANIZATION. *
• THESE BUILD A SECURITY PROGRAM – PURPOSE… PROTECT
THE COMPANY’S ASSETS
• A SECURITY PROGRAM REQUIRES BALANCED APPLICATION
OF TECHNICAL AND NON-TECHNICAL METHODS!*
• PROCESS IS CIRCULAR: ASSESS RISKS, DETERMINE NEEDS,
MONITOR, EVALUATE… START ALL OVER.
SECURITY MANAGEMENT

• MANAGEMENT IS ULTIMATELY RESPONSIBLE FOR SECURITY… NOT ADMINS,
NOT SECURITY WORKERS… MANAGEMENT… LET ME REPEAT…
MANAGEMENT.
• MANAGEMENT MUST LEAD AND DIRECT ALL SECURITY PROGRAMS. THEY MUST
PROVIDE THE VISION AND SUPPORT*
SECURITY MANAGEMENT
• ANY GOOD SECURITY PROGRAM SHOULD BE “TOP
DOWN” WITH AN ULTIMATE GOAL. IN THIS APPROACH
MANAGEMENT CREATES THE VISION AND LAYS OUT
THE FRAMEWORK. IT DOES NOT MAKE SENSE JUST TO
RUN ABOUT LOCKING DOWN MACHINES WITHOUT A
VISION, THOUGH THIS IS OFTEN HOW THINGS ARE
ACTUALLY DONE.*
• WHY WOULD A BOTTOM UP APPROACH FAIL? (CAN
YOU BUILD A HOUSE BY JUST STARTING TO BUILD?)
IMPORTANT REMINDER

• REMINDER: MANAGEMENT SHOULD DIRECT SECURITY. A SECURITY OFFICER
OR GROUP IS THERE TO ENSURE MANAGEMENT’S DIRECTIVES ARE FULFILLED! THEY
DO NOT CREATE SECURITY POLICY*
SECURITY CONTROLS

THE FOLLOWING “CONTROLS” SHOULD BE UTILIZED TO
ACHIEVE SECURITY MANAGEMENT DIRECTIVES
• ADMINISTRATIVE – POLICIES, STANDARDS,
PROCEDURES, GUIDELINES, PERSONNEL SCREENING,
TRAINING
• TECHNICAL CONTROLS (LOGICAL CONTROLS)* -
AUTHENTICATION, FIREWALLS, BIOMETRICS ETC.
• PHYSICAL CONTROLS – LOCKS, MONITORING,
MANTRAPS, ENVIRONMENTAL CONTROLS.
• SEE DIAGRAM ON PAGE 57
FUNCTIONAL VS. ASSURANCE

• ALL SOLUTIONS MUST BE EVALUATED BY THEIR FUNCTIONAL AND ASSURANCE
REQUIREMENTS
• FUNCTIONAL: “DOES THE SOLUTION CARRY OUT THE REQUIRED TASKS”*
• ASSURANCE: “HOW SURE ARE WE OF THE LEVEL OF PROTECTION THIS
SOLUTION PROVIDES”*
SECURITY DEFINITIONS*

• YOU NEED TO KNOW THESE!
• THESE TERMS ARE ON PAGES 61-63. YOU SHOULD ALL MEMORIZE AND
INTERNALIZE THESE TERMS! READ THEM AGAIN AND AGAIN UNTIL YOU
UNDERSTAND THEM. WE’LL COVER THEM IN THE NEXT COUPLE OF SLIDES
VULNERABILITY* (61)

• A SOFTWARE, HARDWARE OR PROCEDURAL WEAKNESS THAT MAY PROVIDE AN
ATTACKER THE OPPORTUNITY TO OBTAIN UNAUTHORIZED ACCESS.
• COULD BE AN UNPATCHED APPLICATION
• OPEN MODEMS
• LAX PHYSICAL SECURITY
• WEAK PROTOCOL* (LET’S DEFINE PROTOCOL)
THREAT *

A NATURAL OR MAN-MADE EVENT THAT COULD HAVE SOME TYPE OF NEGATIVE
IMPACT ON THE ORGANIZATION.
• A THREAT USUALLY REQUIRES A VULNERABILITY
• A THREAT MIGHT ALSO BE NATURAL, SUCH AS A HURRICANE
THREAT AGENT

• AN ACTUAL PERSON THAT TAKES ADVANTAGE OF A VULNERABILITY
RISK

THE LIKELIHOOD OF A THREAT AGENT TAKING ADVANTAGE OF A VULNERABILITY
AND THE CORRESPONDING BUSINESS IMPACT
• RISK TIES THE VULNERABILITY, THREAT AND LIKELIHOOD OF EXPLOITATION
TOGETHER.
EXPOSURE

AN INSTANCE OF BEING EXPOSED TO LOSSES FROM A THREAT AGENT.
• EXAMPLE: A PUBLIC WEB SERVER THAT HAS A KNOWN VULNERABILITY THAT IS
NOT PATCHED IS AN EXPOSURE.
COUNTERMEASURE OR SAFEGUARD

SOME CONTROL OR COUNTERMEASURE PUT INTO PLACE TO MITIGATE THE
POTENTIAL RISK. A COUNTERMEASURE REDUCES THE POSSIBILITY THAT A THREAT
AGENT WILL BE ABLE TO EXPLOIT A VULNERABILITY. (YOU CAN NEVER 100%
SAFEGUARD SOMETHING)*
END OF RISK TERMS
ORGANIZATIONAL SECURITY MODELS
• EACH ORGANIZATION WILL CREATE ITS OWN
SECURITY MODEL, WHICH WILL HAVE MANY ENTITIES,
PROTECTION MECHANISMS, LOGICAL, ADMINISTRATIVE
AND PHYSICAL COMPONENTS, PROCEDURES, BUSINESS
PROCESSES AND CONFIGURATIONS THAT ALL SUPPORT
THE END GOAL.
• A MODEL IS A FRAMEWORK MADE UP OF MANY
ENTITIES, PROTECTION MECHANISMS, PROCESSES AND
PROCEDURES THAT ALL WORK TOGETHER AND RELY
ON EACH OTHER TO PROTECT THE COMPANY (SEE
DIAGRAM PG 65)
(MORE)
ORGANIZATION SECURITY MODELS

• EACH COMPANY WILL HAVE ITS OWN METHODS FOR THE ABOVE TO
ACCOMPLISH ITS OWN SECURITY MODEL.
• HAS MULTIPLE LAYERS AND MULTIPLE GOALS (TALK ABOUT NEXT)
GOALS*

• OPERATIONAL GOALS – THESE ARE DAILY GOALS,
VERY SHORT TERM GOALS.
• EXAMPLE: INSTALL THE SECURITY PATCH RELEASED TODAY.
• TACTICAL GOALS – MID TERM GOALS THAT HELP TO
ACHIEVE A FINAL GOAL.
• EXAMPLE: CREATE A MANAGED DOMAIN AND MOVE ALL
WORKSTATIONS INTO THE DOMAIN
• STRATEGIC GOALS – LONG TERM OBJECTIVES.
• EXAMPLE: HAVE ALL WORKSTATIONS IN A DOMAIN WITH
CENTRALIZED SECURITY MANAGEMENT, AUDITING,
ENCRYPTED DATA ACCESS AND PKI.
SECURITY PROGRAM
DEVELOPMENT (PG 76 IN BOOK)

• A PROGRAM IS MORE THAN JUST A POLICY! IT’S EVERYTHING THAT PROTECTS
DATA.
• SECURITY PROGRAM DEVELOPMENT IS A LIFECYCLE!!!
• PLAN AND ORGANIZE
• IMPLEMENT
• OPERATE AND MAINTAIN
• MONITOR AND EVALUATE
• THEN START ALL OVER AGAIN!
BUSINESS REQUIREMENTS
PRIVATE VS. MILITARY

• WHICH SECURITY MODEL AN ORGANIZATION USES DEPENDS ON ITS GOALS
AND OBJECTIVES.
• MILITARY IS GENERALLY CONCERNED WITH CONFIDENTIALITY
• PRIVATE BUSINESS IS GENERALLY CONCERNED WITH EITHER AVAILABILITY (EX.
NETFLIX, EBAY ETC) OR INTEGRITY (EX. BANKS). SOME PRIVATE SECTOR
COMPANIES ARE CONCERNED WITH CONFIDENTIALITY (EX. DRUG COMPANIES)
BREAK?

• THIS IS PROBABLY TIME FOR A BREAK… YOU PROBABLY ARE ASLEEP NOW…
DON’T WORRY IT WILL GET MORE INTERESTING IN A BIT.
INFORMATION RISK
MANAGEMENT

• IRM IS THE PROCESS OF IDENTIFYING AND ASSESSING RISK AND REDUCING IT
TO AN ACCEPTABLE LEVEL*
• THERE IS NO SUCH THING AS 100% SECURITY!*
• YOU MUST IDENTIFY RISKS AND MITIGATE THEM WITH EITHER COUNTERMEASURES
(EX. FIREWALLS) OR BY TRANSFERRING RISK (EX. INSURANCE)*
WHAT ARE RISKS*

• PHYSICAL DAMAGE – BUILDING BURNS DOWN
• HUMAN INTERACTION – ACCIDENTAL OR INTENTIONAL ACTION
• EQUIPMENT MALFUNCTION – FAILURE OF SYSTEMS (HARD DRIVE
FAILURE)
• INSIDE AND OUTSIDE ATTACKS – CRACKERS! (NOT HACKERS)
• MISUSE OF DATA – SHARING TRADE SECRETS, FRAUD
• LOSS OF DATA – INTENTIONAL OR UNINTENTIONAL LOSS OF
DATA
• APPLICATION ERROR – (INTEGRITY) COMPUTATION ERRORS,
INPUT ERRORS, POOR CODE/BUGS. (SUPERMAN/OFFICE SPACE
EXAMPLE)
RISKS

• RISKS MUST BE IDENTIFIED, CLASSIFIED AND ANALYZED TO ASSESS POTENTIAL
DAMAGE (LOSS) TO THE COMPANY. RISK IS IMPOSSIBLE TO TOTALLY MEASURE, BUT
WE MUST PRIORITIZE THE RISKS AND ATTEMPT TO ADDRESS THEM!
RISK MANAGEMENT

• DID I MENTION THAT IRM IS ULTIMATELY THE RESPONSIBILITY OF
MANAGEMENT* (I REALLY CANNOT STRESS THIS ENOUGH)
• SHOULD SUPPORT THE ORGANIZATION’S MISSION.
• SHOULD HAVE AN IRM POLICY.
• SHOULD HAVE AN IRM TEAM.
• IRM SHOULD BE A SUBSET OF THE COMPANY’S TOTAL RISK MANAGEMENT
POLICY.
IRM POLICY

SHOULD INCLUDE THE FOLLOWING ITEMS
• (SEE TOP OF PAGE 82)
• GOAL OF IRM IS TO ENSURE THE COMPANY IS PROTECTED IN THE MOST COST
EFFECTIVE MANNER!* (DOESN’T MAKE SENSE TO SPEND MORE TO PROTECT
SOMETHING THAN THE “SOMETHING” IS WORTH)
IRM TEAM (83)

• REMEMBER THE GOAL IS TO KEEP THINGS COST EFFECTIVE.
MANY COMPANIES WILL NOT HAVE A LARGE IRM
TEAM. GOVERNMENT MIGHT HAVE SMALL ARMIES
DEDICATED SIMPLY TO IRM GOALS.
• IRM TEAM MEMBERS USUALLY HAVE OTHER FULL TIME
JOBS!
• NOT JUST IT STAFF! (EX. IT STAFF MAY NOT
UNDERSTAND LEGAL OR PHYSICAL CONCERNS)
• SENIOR MANAGEMENT SUPPORT IS NECESSARY
FOR SUCCESS*
RISK ANALYSIS (83)

IRM TEAM WILL NEED TO ANALYZE RISK. WHAT IS RISK ANALYSIS?
• A TOOL FOR RISK MANAGEMENT, WHICH IDENTIFIES ASSETS, VULNERABILITIES AND
THREATS (WHAT ARE THESE AGAIN?)
• ASSESS POSSIBLE DAMAGE AND DETERMINE WHERE TO IMPLEMENT SAFEGUARDS
WE WILL TALK ABOUT RA GOALS NEXT.
RISK ANALYSIS GOALS (83)

• IDENTIFY ASSETS AND THEIR VALUES
• IDENTIFY VULNERABILITIES AND THREATS
• QUANTIFY THE PROBABILITY OF DAMAGE AND COST
OF DAMAGE
• IMPLEMENT COST EFFECTIVE COUNTERMEASURES!
• ULTIMATE GOAL IS TO BE COST EFFECTIVE. THAT IS:
ENSURE THAT YOUR ASSETS ARE SAFE, AT THE SAME
TIME DON’T SPEND MORE TO PROTECT SOMETHING
THAN IT’S WORTH*
WHO IS ULTIMATELY
RESPONSIBLE FOR RISK?

• MANAGEMENT!
• MANAGEMENT MAY DELEGATE TO DATA CUSTODIANS OR BUSINESS UNITS THAT
SHOULDER SOME OF THE RISK. HOWEVER, ULTIMATELY IT IS SENIOR
MANAGEMENT THAT IS RESPONSIBLE FOR THE COMPANY’S HEALTH, AND AS
SUCH THEY ARE ULTIMATELY RESPONSIBLE FOR THE RISK. (YOU REALLY NEED TO
UNDERSTAND THIS FOR THE EXAM)
VALUE OF INFORMATION AND
ASSETS? (85)

IT IS IMPORTANT TO UNDERSTAND AN ASSET’S VALUE IF YOU PLAN ON DOING RISK
ANALYSIS. SO WHAT IS SOMETHING WORTH?
• SEE PG 86 BULLET ITEMS
NOTE: VALUE CAN BE MEASURED BOTH QUANTITATIVELY AND QUALITATIVELY*
2 TYPES OF ANALYSIS

• QUANTITATIVE ANALYSIS
• QUALITATIVE ANALYSIS

LET’S TALK IN DETAIL ABOUT QUALITATIVE VS. QUANTITATIVE SPECIFICALLY IN THE
NEXT COUPLE OF SLIDES
QUANTITATIVE (92)

QUANTITATIVE ANALYSIS ATTEMPTS TO ASSIGN REAL VALUES TO ALL ELEMENTS OF
THE RISK ANALYSIS PROCESS, INCLUDING
• ASSET VALUE
• SAFEGUARDS’ COSTS
• THREAT FREQUENCY
• PROBABILITY OF INCIDENT
(MORE)
QUANTITATIVE ANALYSIS (93)

• PURELY QUANTITATIVE RISK ANALYSIS IS IMPOSSIBLE AS THERE ARE ALWAYS
UNKNOWN VALUES, AND THERE ARE ALWAYS “QUALITATIVE” VALUES. (WHAT IS
THE VALUE OF A REPUTATION?)
• YOU CAN AUTOMATE QUANTITATIVE ANALYSIS WITH SOFTWARE AND TOOLS.
THESE REQUIRE TONS OF DATA TO BE COLLECTED THOUGH, AND AS SUCH REQUIRE
A LONG TIME AND EFFORT TO COMPLETE, BUT THE TOOLS HELP SPEED THAT UP.
OVERVIEW OF STEPS IN A
QUANTITATIVE ANALYSIS (94)

1. ASSIGN VALUE TO AN ASSET
2. ESTIMATE ACTUAL COST FOR EACH ASSET AND THREAT COMBINATION. (SEE
SLE LATER)
3. PERFORM A THREAT ANALYSIS – DETERMINE THE PROBABILITY OF EACH
THREAT OCCURRING.
4. DERIVE THE OVERALL LOSS POTENTIAL PER THREAT PER YEAR.
5. REDUCE, TRANSFER, AVOID OR ACCEPT THE RISK.
STEPS IN QUANTITATIVE
ANALYSIS (94)

NOW LET’S BREAK EACH STEP OUT MORE

STEP 1: ASSIGN VALUE TO
ASSETS (94)

WHAT IS SOMETHING WORTH?
• COST TO OBTAIN
• MONEY AN ASSET BRINGS IN
• VALUE TO COMPETITORS
• COST TO RE-CREATE
• LEGAL LIABILITIES
STEP 2: ESTIMATE LOSS
POTENTIAL* (94)
FOR EACH THREAT WE NEED TO DETERMINE HOW MUCH
A THREAT COULD DAMAGE/COST US
• PHYSICAL DAMAGE
• LOSS OF PRODUCTIVITY
• COST OF REPAIRING
• AMOUNT OF DAMAGE (EF – NEXT SLIDE)*
WE NEED TO DETERMINE “SINGLE LOSS EXPECTANCY”
PER ASSET AND THREAT*
• EXAMPLE: IF YOU HAVE A VIRUS OUTBREAK AND EACH
OUTBREAK COSTS $50K IN LOST REVENUE AND REPAIR
COSTS, YOUR SLE = $50K
STEP 2: ESTIMATE OF LOSS
POTENTIAL
WHEN DETERMINING SLE, YOU MAY HEAR THE TERM EF
(EXPOSURE FACTOR)
FOR SOME ITEMS LOSS IS A PERCENTAGE OF A VALUE;
THIS IS WHERE EF COMES IN
IF YOU HAVE A WAREHOUSE WITH $1,000,000 OF
VALUE, AND THE THREAT IS A FIRE, YOUR FIRE
SUPPRESSION SYSTEMS MIGHT STOP A FIRE AT 25%
LOSS. THIS IS YOUR EF, AND IT MUST BE FACTORED INTO THE SLE
SLE = TOTAL VALUE/COST * EF
IN THIS CASE THE FIRE SLE = $1,000,000 * .25 =
$250,000
STEP 3: PERFORM A THREAT
ANALYSIS (95)
FIGURE OUT THE LIKELIHOOD OF AN INCIDENT.
• ANALYZE VULNERABILITIES AND RATE OF EXPLOITS.
• ANALYZE PROBABILITIES OF NATURAL DISASTERS AT
YOUR LOCATION
• REVIEW OLD RECORDS OF INCIDENTS.
IN THIS STEP WE NEED TO CALCULATE THE ANNUALIZED
RATE OF OCCURRENCE (ARO)*
EXAMPLE: IF THE CHANCE OF A VIRUS OUTBREAK IN ANY
MONTH = 75%, THEN THE ARO = .75 * 12 (1 YEAR),
SO WE CAN EXPECT AN ARO = 9
STEP 4: DERIVE THE ALE (95)

DERIVE THE ANNUAL LOSS EXPECTANCY
• SLE * ARO = ALE
• EXAMPLE: $50K COST OF VIRUS OUTBREAK (SLE) * 9 OCCURRENCES PER YEAR
(ARO) = $450K COST FOR THIS THREAT
• BE ABLE TO DO THESE CALCULATIONS FOR THE EXAM
STEP 5: REDUCE, TRANSFER,
AVOID OR ACCEPT THE RISK (95)

FOR EACH RISK YOU CAN DO THE FOLLOWING
• REDUCE RISK* (INSTALL COUNTERMEASURES TO LESSEN THE RISK, OR MITIGATE
THE EF (EXPOSURE FACTOR); WE’LL GO IN DEPTH ON THE NEXT SLIDE)
• TRANSFER RISK* (BUY INSURANCE)
• ACCEPT RISK* (DO NOTHING TO MINIMIZE THE RISK)
• AVOID RISK (STOP DOING THE ACTIVITY THAT CAUSES THE RISK)*
DETAILS OF REDUCING RISK (102)

WHEN DETERMINING WHETHER TO IMPLEMENT A COUNTERMEASURE, YOU MUST
BE CONCERNED ABOUT BEING COST EFFECTIVE.* IT MAKES NO SENSE TO SPEND
MORE TO PROTECT AN ASSET THAN IT’S WORTH! UNDERSTAND THIS!*

HOW DO WE DETERMINE WHETHER IT’S WORTH IT… MATH! (NEXT SLIDE)


DETAILS OF REDUCING RISK (102)

IF THE COST PER YEAR OF THE COUNTERMEASURE IS MORE THAN THE ALE, DON’T
IMPLEMENT IT. (OR DO SOMETHING ELSE LIKE BUY INSURANCE)

LET’S EACH DO THE HANDOUT WORD PROBLEM BY OURSELVES AND DISCUSS IN 5
MINUTES.
WORD PROBLEM

• THE PROBABILITY OF A VIRUS INFECTION PER MONTH IS 50%.
• IF AN OUTBREAK OCCURRED, YOUR SALES STAFF OF 5 WOULD
NOT BE ABLE TO WORK FOR THE 4 HOURS WHILE THE SYSTEMS
WERE REBUILT. EACH SALES PERSON MAKES $40/HOUR.
• IT WOULD REQUIRE 1 PERSON 4 HOURS TO REPAIR AT A COST
OF $50/HOUR.
• A CERTAIN ANTIVIRUS SYSTEM COULD STOP ALL VIRUSES (OK,
THAT’S JUST TO MAKE THE MATH EASIER) BUT THE COST IS $20K
PER YEAR FOR THIS SYSTEM.
• SHOULD YOU IMPLEMENT THE ANTI-VIRUS SYSTEM?
• IF SO, HOW MUCH ARE YOU SAVING?
• IF NOT, HOW MUCH ARE YOU WASTING BY BUYING IT?
WORD PROBLEM ANSWER

DETERMINE SLE
(5 SALES * 4 HOURS EACH * $40) + (1 IT * 4 HOURS *
$50) = $1000 COST PER INCIDENT
ARO = 12 MONTHS * .50 LIKELIHOOD PER MONTH = 6
ALE = SLE ($1000) * ARO (6) = $6000.00
COST TO PROTECT = $20,000.00 A YEAR
NO, IT COSTS MORE TO PROTECT THAN IT’S WORTH.
IF YOU BOUGHT THE AV SYSTEM, YOU’D WASTE
$14,000 A YEAR.
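Steps 2 through 5 of the quantitative analysis (SLE from asset value and EF, ARO from a monthly probability, ALE = SLE × ARO, then the countermeasure cost test) are small enough to carry in a few functions. The Python below is an added worked example, not part of the slides or the textbook; it reproduces the fire, virus-outbreak and word-problem figures from the slides, and goes one step beyond them with a `residual_aro` field so that a safeguard that only reduces the rate of incidents (rather than stopping all of them, as the word problem assumes) can be evaluated the same way. All numbers other than the slides' own are constructed.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One asset/threat pair, as the slides define the inputs."""
    name: str
    sle: float                  # single loss expectancy, $ per incident
    aro: float                  # annualized rate of occurrence (incidents per year)
    safeguard_cost: float       # annual cost of the proposed countermeasure
    residual_aro: float = 0.0   # ARO left after the safeguard; 0 = it stops every incident


def sle_from_exposure(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * EF (the warehouse fire slide)."""
    return asset_value * exposure_factor


def aro_from_monthly_probability(p_month: float) -> float:
    """ARO = monthly probability * 12, exactly as the slides compute it."""
    return p_month * 12


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    return sle * aro


def safeguard_net_value(s: Scenario) -> float:
    """(ALE before) - (ALE after) - annual safeguard cost.
    Positive: the safeguard pays for itself. Negative: it costs more than it's worth."""
    before = annual_loss_expectancy(s.sle, s.aro)
    after = annual_loss_expectancy(s.sle, s.residual_aro)
    return before - after - s.safeguard_cost


def should_implement(s: Scenario) -> bool:
    """The slide's rule: implement only if the safeguard saves more than it costs."""
    return safeguard_net_value(s) > 0


# --- Worked numbers taken from the slides --------------------------------

def fire_sle() -> float:
    # $1,000,000 warehouse; suppression limits the loss to 25% (EF = 0.25)
    return sle_from_exposure(1_000_000, 0.25)


def virus_ale() -> float:
    # $50K per outbreak, 75% chance per month -> ARO 9 -> ALE $450K
    return annual_loss_expectancy(50_000, aro_from_monthly_probability(0.75))


def word_problem() -> Scenario:
    # SLE: 5 sales staff * 4 h * $40 + 1 IT person * 4 h * $50 = $1000 per incident
    sle = 5 * 4 * 40 + 1 * 4 * 50
    aro = aro_from_monthly_probability(0.50)   # 50% per month -> 6 per year
    return Scenario("virus infection (word problem)", sle, aro, safeguard_cost=20_000)


if __name__ == "__main__":
    s = word_problem()
    ale = annual_loss_expectancy(s.sle, s.aro)
    print(f"{s.name}: SLE=${s.sle:,.0f} ARO={s.aro:g} ALE=${ale:,.0f}")
    print(f"implement the $20K AV system? {should_implement(s)} "
          f"(net value ${safeguard_net_value(s):,.0f} per year)")
```

Running it prints the word problem answer: ALE of $6,000 against a $20,000 safeguard, so the net value is negative $14,000 and the answer is no.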
TOTAL RISK VS. RESIDUAL RISK
(106)

• NO MATTER WHAT CONTROLS YOU PLACE TO PROTECT AN ASSET, IT WILL
NEVER BE 100% SECURE. THE LEFTOVER RISK AFTER APPLYING
COUNTERMEASURES IS CALLED THE RESIDUAL RISK.*
• TOTAL RISK IS THE RISK A COMPANY FACES IF THEY CHOOSE NOT TO
IMPLEMENT A SAFEGUARD (IF THEY ACCEPT THE RISK)

(MORE)
TOTAL RISK VS. RESIDUAL RISK
(106)
A CONTROL GAP* IS THE PROTECTION A COUNTERMEASURE
CANNOT PROVIDE

CONCEPTUAL (NOT ACTUAL) FORMULAS*
• THREATS X VULNERABILITIES X ASSET VALUE = TOTAL RISK
OR
• (THREATS, VULNERABILITIES, ASSET VALUE) = TOTAL RISK

• (THREATS X VULNERABILITIES X ASSET VALUE) X CONTROL GAP = RESIDUAL RISK
OR
• TOTAL RISK – COUNTERMEASURES = RESIDUAL RISK
REVIEW OF QUANTITATIVE
(BACK TO 95)

• ASSIGN VALUE TO ASSETS
• ESTIMATE POTENTIAL LOSS PER THREAT (SLE)
• ESTIMATE LIKELIHOOD OF THREAT
• ESTIMATE ANNUAL LOSS PER YEAR (ALE)
• REDUCE, TRANSFER, AVOID OR ACCEPT RISK
QUALITATIVE RISK ANALYSIS

RATHER THAN ASSIGN VALUES TO EVERYTHING, WALK
THROUGH DIFFERENT SCENARIOS AND RANK THE
SERIOUSNESS (PRIORITIZE) BASED ON THREATS AND
COUNTERMEASURES
TECHNIQUES INCLUDE
• JUDGMENT
• BEST PRACTICES
• INTUITION
• EXPERIENCE
(MORE)
QUALITATIVE (98)

SPECIFIC TECHNIQUES INCLUDE
• DELPHI (LATER)
• BRAINSTORMING
• STORYBOARDING
• FOCUS GROUPS
• SURVEYS
• QUESTIONNAIRES
• INTERVIEWS AND ONE-ON-ONE MEETINGS
DELPHI* (100)

TECHNIQUE WHERE A GROUP COMES TOGETHER AND EACH
MEMBER GIVES AN HONEST OPINION OF WHAT HE OR
SHE BELIEVES THE RESULT OF A THREAT WILL BE. THE IDEA IS
TO HAVE EVERYONE EXPRESS THEIR TRUE IDEAS AND
NOT JUST GO ALONG WITH WHAT ONE PERSON DICTATES.
THE RESULTS ARE THEN COMPILED AND GIVEN TO GROUP
MEMBERS, WHO ANONYMOUSLY WRITE DOWN
THEIR COMMENTS AND RETURN THEM TO THE ANALYSIS
GROUP.
THESE COMMENTS ARE COMPILED AND REDISTRIBUTED
FOR COMMENTS UNTIL A CONSENSUS IS REACHED
MODIFIED DELPHI

A SILENT FORM OF BRAINSTORMING: PARTICIPANTS DEVELOP IDEAS INDIVIDUALLY,
WITHOUT A GROUP, AND SUBMIT THEIR IDEAS TO DECISION MAKERS.
REVIEW OF QUANTITATIVE
AND QUALITATIVE (101)

READ OVER CHART ON 101 – INTERNALIZE FOR EXAM

QUALITATIVE CONS –
• SUBJECTIVE
• NO DOLLAR VALUES
• NO STANDARDS
(MORE)
REVIEW OF Q VS. Q

QUANTITATIVE CONS
• COMPLEX CALCULATIONS
• EXTREMELY DIFFICULT WITHOUT TOOLS
• LOTS OF PRELIMINARY WORK REQUIRED
POLICIES STANDARDS, BASELINES,
GUIDELINES AND PROCEDURES
(109)
A SECURITY PROGRAM MUST HAVE ALL THE PIECES
NECESSARY TO PROVIDE OVERALL PROTECTION TO A
COMPANY AND LAY OUT A LONG TERM STRATEGY.
POLICIES, STANDARDS, BASELINES, GUIDELINES AND
PROCEDURES ARE PART OF THE SECURITY PROGRAM.
YOU NEED TO UNDERSTAND THE TERMS IN THE
FOLLOWING SLIDES FOR THE EXAM. (POLICIES,
STANDARDS, BASELINES, GUIDELINES AND
PROCEDURES)
SECURITY POLICY* (110)

AN OVERALL GENERAL STATEMENT PROVIDED BY
SENIOR MANAGEMENT.
• VERY GENERIC
• PROVIDES A “MISSION STATEMENT FOR SECURITY”
• SHOULD REPRESENT BUSINESS OBJECTIVES
• SHOULD BE EASILY UNDERSTOOD
• IT SHOULD BE DEVELOPED TO INTEGRATE SECURITY
INTO ALL BUSINESS FUNCTIONS AND PROCESSES*
(MORE)
SECURITY POLICY (110)

• IT SHOULD BE REVIEWED AND MODIFIED AS A COMPANY CHANGES.
• POLICY SHOULD BE DATED AND VERSION CONTROLLED.
• IT SHOULD BE FORWARD THINKING
• IT SHOULD USE STRONG LANGUAGE (MUST, NOT SHOULD)
• SHOULD BE NON-TECHNICAL
(MORE)
SECURITY POLICY

CAN BE ONE OF THREE TYPES
• REGULATORY – ENSURES AN ORGANIZATION IS
FOLLOWING REQUIRED REGULATIONS (FINANCE,
HEALTH)
• ADVISORY – STRONGLY ADVISES EMPLOYEES AS TO
WHICH TYPES OF BEHAVIORS SHOULD/SHOULD NOT
TAKE PLACE
• INFORMATIVE – INFORMS EMPLOYEES OF GOALS AND
MISSIONS RELEVANT TO A COMPANY, NOT SPECIFIC
OR ENFORCEABLE
STANDARDS* (112)

STANDARDS ARE MANDATORY* ACTIONS OR RULES. A STANDARD DEFINES COMPULSORY*
RULES. STANDARDS GIVE A POLICY ITS SUPPORT AND START ADDING
SPECIFICS.
• EXAMPLE: A STANDARD IS “ALL EMPLOYEES MUST WEAR THEIR COMPANY ID
BADGE AT ALL TIMES”
BASELINE* (113)

BASELINES (IN REGARDS TO POLICY) ARE MINIMUM LEVELS OF PROTECTION
REQUIRED.

FOR EXAMPLE: A BASELINE MAY REQUIRE THAT A SYSTEM BE COMPLIANT WITH SOME
EXTERNAL MEASUREMENT. ALL SYSTEMS MUST MEET THESE REQUIREMENTS, AND
CHANGES TO A SYSTEM MUST BE ASSESSED TO ENSURE THE BASELINE IS STILL
BEING MET.

(MORE)
BASELINE

A BASELINE MAY ALSO BE A TECHNICAL DEFINITION OR CONFIGURATION OF A
SYSTEM.
• EXAMPLE: A BASELINE MAY SPECIFY THAT ALL WINDOWS XP SYSTEMS MUST
HAVE SP2 INSTALLED, AND IIS TURNED OFF.
• EXAMPLE: A BASELINE MAY ALSO SPECIFY THAT ALL LINUX SYSTEMS RUN SELINUX IN
ENFORCING MODE.
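A technical baseline is only useful if something checks systems against it, both at scan time and before a change is approved. The Python below is an added example (not from the slides or the textbook) of that check: the baseline settings mirror the two slide examples, the host inventory is constructed, and a setting a host does not report at all is treated as a deviation rather than as "unknown, so probably fine".

```python
# Assumed baseline, modelled on the two slide examples (values are constructed).
BASELINE = {
    "windows_xp": {"service_pack": "SP2", "iis_enabled": False},
    "linux": {"selinux_mode": "enforcing"},
}

# Constructed inventory, as a configuration scan might report it.
INVENTORY = [
    {"host": "ws-01", "platform": "windows_xp", "service_pack": "SP2", "iis_enabled": False},
    {"host": "ws-02", "platform": "windows_xp", "service_pack": "SP1", "iis_enabled": True},
    {"host": "srv-01", "platform": "linux", "selinux_mode": "permissive"},
    {"host": "srv-02", "platform": "linux", "selinux_mode": "enforcing"},
    {"host": "srv-03", "platform": "linux"},   # selinux_mode not reported at all
]

MISSING = "MISSING"


def check_host(record: dict, baseline: dict) -> list:
    """Return (setting, expected, actual) for every baseline setting the host fails.
    An unreported setting counts as a deviation: 'unknown' is not compliant."""
    required = baseline.get(record["platform"])
    if required is None:
        # a platform the baseline does not cover is itself a finding
        return [("platform", "covered by baseline", record["platform"])]
    return [
        (setting, expected, record.get(setting, MISSING))
        for setting, expected in required.items()
        if record.get(setting, MISSING) != expected
    ]


def assess(inventory: list, baseline: dict) -> dict:
    """Map each host name to its list of deviations (empty list = compliant)."""
    return {r["host"]: check_host(r, baseline) for r in inventory}


def noncompliant_hosts(inventory: list, baseline: dict) -> list:
    return sorted(host for host, devs in assess(inventory, baseline).items() if devs)


def is_change_allowed(record: dict, proposed: dict, baseline: dict) -> bool:
    """Change-control hook: evaluate the host as it would look after the change
    and allow it only if the baseline is still met."""
    return not check_host({**record, **proposed}, baseline)


if __name__ == "__main__":
    for host, devs in assess(INVENTORY, BASELINE).items():
        status = "OK" if not devs else ", ".join(f"{s}: want {e!r}, got {a!r}" for s, e, a in devs)
        print(f"{host:7} {status}")
```

The change-control hook is the piece that enforces the sentence "changes to a system must be assessed": a request to turn IIS on for a compliant XP workstation is rejected before it is applied, not discovered on the next scan.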
GUIDELINES* (114)

GUIDELINES ARE RECOMMENDED ACTIONS. THESE COVER THE GRAY AREAS
AND ARE APPROACHES TO PROVIDE FLEXIBILITY FOR UNFORESEEN THINGS.
(NOT EVERY SITUATION CAN BE PRE-KNOWN)

• CAN ANYONE GIVE ME AN EXAMPLE OF A GUIDELINE?


PROCEDURES* (114)

DETAILED STEP-BY-STEP TASKS THAT SHOULD BE
PERFORMED IN SOME SITUATION.
• EXAMPLE: WRITTEN PROCEDURES ON OS
INSTALLATION AND CONFIGURATION.
• LOWEST LEVEL IN THE POLICY AS THEY ARE CLOSEST
TO USERS AND RESOURCES.
• PROCEDURES SPELL OUT HOW POLICY, STANDARDS
AND GUIDELINES WILL BE IMPLEMENTED FOR A
SPECIFIC RESOURCE (EX. OS)
RANDOM TERMINOLOGY*

• YOU NEED TO UNDERSTAND THESE 2 TERMS FOR THE
EXAM
• DUE DILIGENCE*: THE ACT OF INVESTIGATING AND
UNDERSTANDING THE RISKS A COMPANY FACES.
• DUE CARE*: DEMONSTRATES THAT A COMPANY HAS
TAKEN RESPONSIBILITY FOR ITS ACTIVITIES AND HAS
TAKEN THE NECESSARY STEPS TO PROTECT ITS ASSETS AND
EMPLOYEES FROM THREATS.
NOT PRACTICING THESE CAN LEAD TO CHARGES OF
NEGLIGENCE.
REVIEW OF POLICIES, STANDARDS…

WE JUST TALKED ABOUT POLICIES, STANDARDS, BASELINES, GUIDELINES AND
PROCEDURES
• EVERYONE REMEMBER WHAT THEY ALL ARE?
• INTERNALIZE THESE TERMS FOR THE EXAM
INFORMATION CLASSIFICATION (117)

WE NEED TO BE ABLE TO ASSIGN VALUE TO INFORMATION, ESPECIALLY WHERE
SECRECY IS CONCERNED. (BOTH MILITARY AND PRIVATE SECTOR)

DATA IS CLASSIFIED TO ENSURE DATA IS PROTECTED IN A COST-EFFECTIVE*
MANNER.

EACH CLASSIFICATION SHOULD HAVE SEPARATE HANDLING REQUIREMENTS.
(MORE)
INFORMATION CLASSIFICATION

MILITARY VS. PRIVATE SECTOR CONCERNS
• MILITARY IS USUALLY MORE CONCERNED WITH CONFIDENTIALITY
• PRIVATE SECTOR IS USUALLY MORE CONCERNED WITH INTEGRITY AND
AVAILABILITY
WHAT ARE SOME COMMON
CLASSIFICATIONS?

LET’S LOOK IN THE BOOK AT PAGE 118.
YOU SHOULD KNOW THESE LEVELS AND WHAT ARE EXAMPLES OF EACH LEVEL FOR
THE EXAM!
CLASSIFICATION CONTROLS

ONCE DATA IS CLASSIFIED WE HAVE SOME ACTIONS WE
SHOULD TAKE TO PROTECT AND MANAGE THE DATA
• ACCESS CONTROLS
• ENCRYPTION OF DATA IN TRANSIT* AND AT REST*
(WHAT ARE THESE TERMS?)
• DATA ACCESS SHOULD BE LOGGED AND AUDITED
• PERIODICALLY REVIEW CLASSIFICATIONS
(MORE)
CLASSIFICATION CONTROLS

• BACKUP AND RESTORATION PROCEDURES
• CHANGE CONTROL PROCEDURES
• PROPER DATA DISPOSAL
POSITIONS AND RESPONSIBILITIES

SENIOR MANAGEMENT IS OBVIOUSLY ULTIMATELY RESPONSIBLE FOR DATA
SECURITY, RISK MANAGEMENT AND PRETTY MUCH EVERYTHING ELSE. HOWEVER,
LET’S LOOK AT SOME OF THE OTHER POSITIONS COMMONLY FOUND AND SEE
WHAT THEIR RESPONSIBILITIES ARE.
• FOR THE EXAM, YOU SHOULD KNOW ALL THE POSITIONS WE ARE ABOUT TO
TALK ABOUT*
DATA OWNER* (130)

DATA OWNER IS USUALLY A MEMBER OF MANAGEMENT WHO IS IN CHARGE OF A
SPECIFIC BUSINESS UNIT AND RESPONSIBLE FOR THE INFORMATION THAT THE
UNIT POSSESSES.
• RESPONSIBLE FOR SPECIFYING THE CLASSIFICATION OF DATA
• RESPONSIBLE FOR DETERMINING THAT THE NECESSARY CONTROLS ARE IN PLACE TO
PROTECT DATA

(MORE)
DATA OWNER*

• DEFINING BACKUP REQUIREMENTS (NOT IMPLEMENTING)
• DETERMINES WHO GETS ACCESS TO DATA (IN A DAC MODEL)
• DELEGATES DAY-TO-DAY MAINTENANCE TO THE “DATA CUSTODIAN”
• THIS IS A “BUSINESS” ROLE
DATA CUSTODIAN* (131)

THE DATA CUSTODIAN MAINTAINS THE DATA DAY TO DAY.
• PERFORMS BACKUPS
• VALIDATES DATA INTEGRITY
• RESTORES DATA
SYSTEM OWNER (131)

SYSTEM OWNER IS RESPONSIBLE FOR ONE OR MORE
SYSTEMS THAT HOLD AND PROCESS DATA.
• RESPONSIBLE FOR INTEGRATING SECURITY
CONSIDERATIONS INTO APPLICATION AND SYSTEM
PURCHASING.
• RESPONSIBLE FOR ENSURING ADEQUATE SECURITY IS BEING
PROVIDED BY THE NECESSARY CONTROLS
(PASSWORDS, REMOTE ACCESS, OS
CONFIGURATIONS)
• MUST ENSURE SYSTEMS ARE ASSESSED FOR
VULNERABILITIES AND MUST REPORT ANY TO THE
INCIDENT RESPONSE TEAM AND DATA OWNER.
SECURITY ADMINISTRATOR* (132)

SETS UP SECURITY CONFIGURATIONS ON A SYSTEM AS
DEFINED BY THE DATA OWNER*
• DOES NOT AUTHORIZE PERMISSIONS FOR A USER;
THAT’S THE DATA OWNER’S RESPONSIBILITY*. JUST
CONFIGURES SECURITY SETTINGS BASED ON WHAT IS
SET DOWN BY THE DATA OWNER*
• CREATES ACCOUNTS
• SETS ACCESS RIGHTS IN SUPPORT OF THE POLICIES
DEFINED.
• TECHNICAL POSITION.
SECURITY ANALYST* (132)

HELPS DEFINE A SECURITY PROGRAM’S ELEMENTS AND ENSURES THE ELEMENTS ARE
BEING IMPLEMENTED PROPERLY BY THE TECHNICAL PEOPLE AND PROCEDURES.
• THIS IS NOT AN IMPLEMENTATION ROLE
• HIGHER, MORE STRATEGIC LEVEL.
APPLICATION OWNER* (132)

THIS IS LIKE A DATA OWNER, BUT IN REGARDS TO
APPLICATIONS.
• USUALLY BUSINESS UNIT MANAGERS.
• RESPONSIBLE FOR DETERMINING WHO MAY HAVE
ACCESS TO THEIR APPLICATIONS. (IN LINE WITH
COMPANY POLICY)
• RESPONSIBLE FOR THE SECURITY OF A UNIT’S
APPLICATIONS, ENSURING TESTING, PATCHING AND
PROPER CHANGE CONTROL ARE IMPLEMENTED.
(THOUGH THEY DO NOT THEMSELVES DO THIS WORK)
SUPERVISOR (132)

MORE OF AN HR ROLE; YOU ALL KNOW WHAT A SUPERVISOR DOES.
• MANAGING EMPLOYEES
• ENSURING EMPLOYEES LIVE UP TO THEIR RESPONSIBILITIES
• HANDLING HR TASKS SUCH AS HIRING, FIRING AND INITIATING CORRECTIVE
ACTION.
• INFORMING THE SECURITY ADMIN OF CHANGES TO AN EMPLOYEE’S POSITION.
DATA ANALYST (133)

ENSURES THAT DATA IS STORED IN A WAY THAT MAKES THE MOST SENSE FOR ITS
APPLICATION.
• SPECIFICALLY CONCERNED WITH INFORMATION “ARCHITECTURE”: HOW DATA
IS STORED IN REFERENCE TO OTHER DATA, DATA STRUCTURES
• WORKS WITH DATA OWNERS TO ENSURE THE STRUCTURES SUPPORT THE BUSINESS
OBJECTIVES.
PROCESS OWNER (133)

ARE RESPONSIBLE FOR CERTAIN BUSINESS PROCESSES (NOT COMPUTER PROCESSES ;)
• AN EXAMPLE OF A PROCESS IS PROCUREMENT
• ANOTHER EXAMPLE IS HIRING
• ANOTHER EXAMPLE IS ORDER FULFILLMENT
SOLUTION PROVIDER

THESE ARE VENDORS… ENOUGH SAID
USER * (134)

SOMEONE WHO USES THE DATA DAY TO DAY TO ACCOMPLISH WORK TASKS AND
BUSINESS OBJECTIVES
• RESPONSIBLE FOR FOLLOWING DATA AND SECURITY PROCEDURES THAT HAVE
BEEN LAID OUT BY MANAGEMENT.
AUDITOR* (134)

PROVIDES A METHOD FOR INDEPENDENTLY ENSURING
THAT MANAGEMENT AND SHAREHOLDERS CAN RELY
UPON THE APPROPRIATENESS OF SECURITY
OBJECTIVES.
• DETERMINES IF CONTROLS/METHODS HAVE BEEN
REACHED
• DETERMINES IF PRACTICES ARE IN COMPLIANCE WITH
COMPANY OR LEGAL REQUIREMENTS
• SHOULD BE A 3RD PARTY
(MORE)
AUDITOR (NOT IN BOOK)

THE EXAM MIGHT ALSO REFER TO AN AUDITOR IN THE ROLE OF SOMEONE IN THE
COMPANY THAT GOES THROUGH SECURITY OR USAGE LOGS TO DETERMINE IF
DATA AND TECHNICAL SYSTEMS ARE BEING USED/ABUSED/ATTACKED ETC.
• THIS IS THE FORM/USAGE I REMEMBER FROM THE EXAM.
ENOUGH OF THE POSITIONS

LET’S TALK ABOUT EMPLOYEE-TYPE CONCERNS AND TECHNIQUES.
SEPARATION OF DUTIES*

THE IDEA OF ENSURING ONE INDIVIDUAL CANNOT COMPLETE A CRITICAL TASK BY
THEMSELVES.
• REDUCES THE POSSIBILITY FOR FRAUD, SABOTAGE, THEFT OR GENERAL ABUSE.
• SEPARATION OF DUTIES REQUIRES COLLUSION* (NEXT PAGE) FOR THE ABOVE
PROBLEMS TO OCCUR
COLLUSION* (136)

MEANS THAT AT LEAST TWO PEOPLE MUST WORK TOGETHER TO PULL OFF
SOME TYPE OF NEGATIVE ACTION.
• FOR THE EXAM, READ PG 136 (LET’S DO THIS TOGETHER) REGARDING
SOFTWARE DEVELOPMENT. YOU WILL PROBABLY SEE THIS OR SIMILAR
CONCEPTS; WE WILL ALSO TALK ABOUT THIS LATER
HIRING PRACTICES* (136)

• ALL EMPLOYEES SHOULD HAVE BACKGROUND CHECKS AND BE SCREENED*
(EVEN JANITORS ETC. IN HIGH SECURITY ENVIRONMENTS)
• EVERYONE MUST SIGN AN NDA, WHICH SHOULD PROTECT SECRETS AND
ADDRESS CONFLICTS OF INTEREST.
• DRUG TESTS
• EDUCATION CHECKS
• REFERENCE CHECKS
ROTATION OF DUTIES* (138)

EMPLOYEES SHOULD ROTATE IN THEIR DUTIES
WHY?
• FOR REDUNDANCY
• TO ENSURE NO-ONE HAS TOO MUCH CONTROL OVER A SEGMENT OF BUSINESS
MANDATORY VACATIONS* (139)

EMPLOYEES MUST TAKE VACATIONS
WHY?
• GIVES OPPORTUNITY FOR OTHERS TO DISCOVER
FRAUD. IF EMPLOYEES DON’T WANT TO TAKE A
VACATION, THEY MIGHT BE DOING SOMETHING
UNDERHANDED AND DON’T WANT TO BE FOUND OUT
• ALSO ENFORCES THAT OTHER PEOPLE CAN STEP IN
AND THAT THE PROCESS CANNOT BE DISRUPTED BY
THAT EMPLOYEE BEING ABSENT FOR WHATEVER
REASON.
SPLIT KNOWLEDGE* (138)

A SEPARATION OF DUTIES CONCEPT WHERE SOMEONE ONLY HAS ENOUGH
KNOWLEDGE TO PERFORM PART OF A TASK. AGAIN, HELPS FIGHT FRAUD.
• EXAMPLE: TWO MANAGERS EACH KNOW ONLY HALF OF A BANK VAULT COMBINATION.
DUAL CONTROL

LIKE SPLIT KNOWLEDGE, BUT IN THIS CASE TWO OR MORE PEOPLE MUST BE
AVAILABLE AND ACTIVE TO PERFORM AN ACTION.
• EXAMPLE: TWO PHYSICALLY SEPARATED LOCKS TO A VAULT THAT MUST BE
TURNED AT THE SAME TIME.
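The vault example on the split knowledge and dual control slides can be modelled directly. The Python below is an added example, not from the slides or the textbook: the combination is split into two XOR shares so that neither manager's half reveals anything about it (split knowledge), and the vault opens only when two distinct custodians present their shares in the same session (dual control). The custodian names, the combination and the vault class are all constructed for the illustration.

```python
import hmac
import os


def split_secret(secret: bytes) -> tuple:
    """Split knowledge: two shares, each individually meaningless.
    share_a is uniformly random; share_b = secret XOR share_a, so either half
    alone is indistinguishable from random bytes."""
    share_a = os.urandom(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret only when both halves are present."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))


class DualControlVault:
    """Opens only when two *different* named custodians are both present."""

    def __init__(self, combination: bytes, custodians: tuple):
        if len(set(custodians)) != 2:
            raise ValueError("dual control needs exactly two distinct custodians")
        self._combination = combination
        self._custodians = set(custodians)
        self._presented = {}      # custodian -> share presented this session

    def present(self, custodian: str, share: bytes) -> None:
        if custodian not in self._custodians:
            raise PermissionError(f"{custodian} is not a custodian of this vault")
        self._presented[custodian] = share

    def open(self) -> bool:
        # Both custodians must be active in the same session; one person alone
        # (even one who somehow obtained both halves) cannot satisfy this.
        if set(self._presented) != self._custodians:
            return False
        attempt = combine_shares(*self._presented.values())
        ok = hmac.compare_digest(attempt, self._combination)
        self._presented.clear()   # shares must be re-presented for every opening
        return ok


def demo() -> dict:
    """Walk through the cases the slides describe; returns each outcome by name."""
    combination = b"constructed-vault-combination"       # constructed sample secret
    share_alice, share_bob = split_secret(combination)
    vault = DualControlVault(combination, ("alice", "bob"))
    results = {}

    vault.present("alice", share_alice)
    results["one_custodian_alone"] = vault.open()         # False: Bob is absent

    vault.present("alice", share_alice)
    vault.present("bob", share_bob)
    results["both_custodians"] = vault.open()             # True

    vault.present("alice", share_alice)
    vault.present("bob", share_alice)                     # Bob presents the wrong half
    results["wrong_share"] = vault.open()                 # False: combination mismatch

    # Neither half on its own equals the combination.
    results["share_alone_is_not_secret"] = (share_alice != combination
                                            and share_bob != combination)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Separation of duties is the policy; split knowledge (nobody holds the whole secret) and dual control (nobody can act alone) are two mechanisms that make collusion necessary, which is exactly what the collusion slide says the control is for.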
EMPLOYEE TERMINATION*

COMPANIES SHOULD HAVE A STRICT PROCEDURE FOR
EMPLOYEE TERMINATION. IT CAN BE DIFFERENT FOR
EACH COMPANY, BUT MUST BE STRICTLY ENFORCED.
EXAMPLE POLICIES ARE:
• EMPLOYEE MUST LEAVE THE FACILITY IMMEDIATELY
UNDER SUPERVISION OF A SECURITY GUARD
• EMPLOYEE MUST SURRENDER ID BADGES AND KEYS
• EMPLOYEE MUST COMPLETE AN EXIT INTERVIEW
• EMPLOYEE ACCOUNTS MUST BE LOCKED OUT.
OK CHAPTER REVIEW

WE COVERED A LOT.
LET’S LOOK OVER THE QUICK TIPS AND QUESTIONS.