- Risk-management
- 5.0 Risk Management
- 5.1 Explain the importance of policies, plans and procedures related to organizational security.
- 5.2 Summarize business impact analysis concepts.
- 5.3 Explain risk management processes and concepts.
- 5.4 Given a scenario, follow incident response procedures.
- 5.5 Summarize basic concepts of forensics.
- 5.6 Explain disaster recovery and continuity of operation concepts.
- 5.7 Compare and contrast various types of controls.
- 5.8 Given a scenario, carry out data security and privacy practices.
(Mike Meyers 1, Mike Meyers 2)
- "Standard operating procedures are... mandatory step-by-step instructions set by the organization so that in the performance of their duties, employees will meet the stated security objectives of the firm." (Conklin)
- Important processes to maintain data and system security
- Day to day processes such as new user creation, backup data storage requirements
(James Messer, Mike Meyers, Mike Chapple)
- Organizations often use different types of agreements to identify their respective responsibilities. Many are used when working with other organizations, but they can also be used between departments within the same organization.
- 3rd parties and outsourced services such as web hosting, payroll, firewall management
- Who do they hire, what type of access controls are in place, etc.
- The legal side of IT is usually handled by a legal team
- 5.1.2.1 BPA: business partnership agreement
- "A business partnership agreement (BPA) is a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between the partners." (Conklin)
- “It typically identifies the shares of profits or losses each partner will take, their responsibilities to each other, and what to do if a partner chooses to leave the partnership.”
- Common between manufacturers and resellers
- 5.1.2.2 SLA: service level agreement
- "A service level agreement (SLA) is a negotiated agreement between parties detailing the expectations between a customer and a service provider. SLAs essentially set the requisite level of performance of a given contractual service." (Conklin)
- An SLA is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
- Shorter than BPA
- 5.1.2.3 ISA: Interconnection Security Agreement
- Used by the US federal government to define security controls
- An ISA specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities.
- Provide details about security parameters such as encryption standards and transfer protocols
- 5.1.2.4 MOU/MOA: memorandum of understanding / memorandum of agreement
- Relatively less formal, MOA is one step above MOU
- "A memorandum of understanding (MOU) and memorandum of agreement (MOA) are legal documents used to describe a bilateral agreement between parties. It is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal." (Conklin)
- “A MOU/MOA defines responsibilities of each party, but it is not as strict as a SLA or ISA. If the parties will be handling sensitive data, they should include an ISA to ensure strict guidelines are in place to protect the data while in transit. An MOU/MOA often supports an ISA.”
- Mandatory vacations
- "Requiring employees to use their vacation time through a policy of mandatory vacations can be a security protection mechanism. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation." (Conklin)
- Job rotation
- "Rotating through jobs provides individuals with a better perspective of how the various parts of the organization can enhance (or hinder) the business... If all security tasks are the domain of one employee, security will suffer if that individual is lost from the organization." (Conklin)
- Separation of duties
- "Separation of duties is when more than one person is required to complete a task." (uCertify)
- "Ensure[s] that no single individual has the ability to conduct transactions alone. This means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened." (Conklin)
- Clean desk
- "Policy specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian." (Conklin)
- Background checks
- "Background checks can validate previous employment, criminal backgrounds, and financial background." (Conklin)
- Exit interviews
- Role-based awareness training (James Messer, Mike Meyers)
- "Needed to ensure that the individual understands the responsibilities as they relate to information security." (Conklin)
- Roles
- Data owner
- Executive level manager; responsible for the security of the data
- Ultimately responsible for compliance
- System administrator
- "System administrators are administrative users with the responsibility of maintaining a system within its defined requirements." (Conklin)
- Enables use of application or data
- Not necessarily a user
- System owner
- Usually separate from the system administrator
- Makes decisions about the overall operation of the application and data
- Defines security policies and backup policies
- Manages changes and updates
- User roles
- User
- Normal user
- Has least privileged access
- Privileged user
- Area manager; report creation; user and password changes
- Executive user
- Responsible for the overall use of the application
- Evaluates the operation of the application
- Evaluates goals and makes decisions about future directions
- "Limiting the access of executives is not meant to limit their work, but rather limit the range of damage should an account become compromised." (Conklin)
- NDA
- "Non-disclosure agreements (NDAs) are standard corporate documents used to explain the boundaries of company secret material, information which control over should be exercised to prevent disclosure to unauthorized parties." (Conklin)
- Onboarding
- "Ensure[s] that the personnel are aware of and understand their responsibilities with respect to securing company information and assets." (Conklin)
- Continuing education
- "Maintaining a skilled workforce in security necessitates ongoing training and education." (Conklin)
- AUP: Acceptable use policy/rules of behavior
- "Outlines what the organization considers to be the appropriate use of its resources... The goal of the policy is to ensure employee productivity while limiting potential organizational liability resulting from inappropriate use of the organization’s assets." (Conklin)
- Adverse actions
- "Punishing employees when they violate policies..." (Conklin)
- Two schools of thought:
- Zero-tolerance
- "One strike and you are out is the norm. The defense of this view is that by setting the bar high, you get better performers and stricter adherence to policies." (Conklin)
- Discretionary action
- "Makes handling cases more challenging because management must determine the correct level of adverse action, but it also gives the flexibility to salvage good employees who have made an uncharacteristic mistake." (Conklin)
- Social media networks/applications
- Balance company reputation with employee participation
- Extension of your code of conduct
- Define requirements and expectations
- Identification as an employee
- Personal responsibility
- No confidential information
- Personal email
- Some organizations prohibit personal use of company email
- Recovery
- Mean time to repair (MTTR): the average time required to repair a failed system, device or component and return it to operational status
- MTTF: Mean time to failure (expected lifetime), the average time to failure for a non-repairable system
- Predict the time between failures
- Plan for failures or prevent them
- Recovery time objective (RTO): determines at what point the service is available again
- "Get up and running quickly.
- Get back to a particular service level." (Messer)
- Recovery point objectives
- "How much data loss is acceptable? Bring back system online;
- how far back does data go?" (Messer)
- Uptime
- Yearly
- 99.9999% - 32s
- 99.999% - 5m15s (five 9s)
- 99.99% - 52m34s
- 99.9% - 8h45m36s
- 99% - 87h36m
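The uptime table above converts directly into a yearly downtime budget, and that budget is what MTTR and RTO have to fit inside. The following is an added example written for these notes (not code from the original page or from any of the cited authors); it assumes a 365-day year and models downtime as number of outages × MTTR, and the incident rate and repair time in the demo are constructed sample values.

```python
"""Availability targets ("nines") as a yearly downtime budget, checked
against how often a system fails and how long repair (MTTR) takes.

Added example written for these notes, not code from the original page
or from any of the cited authors. It assumes a 365-day year and that
downtime is simply number of outages x MTTR; the incident rate and repair
time used below are constructed sample values.
"""

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000 s; leap years ignored (assumption)


def yearly_downtime_seconds(availability_percent: float) -> float:
    """Maximum unavailability per year permitted by an availability target."""
    if not 0 < availability_percent <= 100:
        raise ValueError("availability must be in the range (0, 100]")
    return SECONDS_PER_YEAR * (1 - availability_percent / 100)


def format_downtime(seconds: float) -> str:
    """Render seconds the way the notes do, e.g. 8h45m36s (rounded to whole seconds)."""
    total = int(round(seconds))
    hours, rem = divmod(total, 3600)
    minutes, secs = divmod(rem, 60)
    parts = []
    if hours:
        parts.append(f"{hours}h")
    if hours or minutes:
        parts.append(f"{minutes}m")
    parts.append(f"{secs}s")
    return "".join(parts)


def expected_yearly_downtime(incidents_per_year: float, mttr_seconds: float) -> float:
    """Expected downtime per year: number of outages x mean time to repair (MTTR)."""
    return incidents_per_year * mttr_seconds


def meets_availability(availability_percent: float, incidents_per_year: float, mttr_seconds: float) -> bool:
    """True when the expected downtime fits inside the availability budget."""
    budget = yearly_downtime_seconds(availability_percent)
    return expected_yearly_downtime(incidents_per_year, mttr_seconds) <= budget


def rto_achievable(rto_seconds: float, mttr_seconds: float) -> bool:
    """An RTO is only realistic if the typical repair finishes before it expires."""
    return mttr_seconds <= rto_seconds


if __name__ == "__main__":
    for nines in (99.9999, 99.999, 99.99, 99.9, 99.0):
        print(f"{nines:>8}% -> {format_downtime(yearly_downtime_seconds(nines))}")
    # Constructed scenario: 4 outages a year, each repaired in about an hour
    print("4 x 1h outages meet 99.9%?", meets_availability(99.9, 4, 3600))
    print("4 x 1h outages meet 99.99%?", meets_availability(99.99, 4, 3600))
```

Running it reproduces the table (99.999% gives 5m15s, 99.9% gives 8h45m36s) and shows the practical point: four one-hour outages a year fit comfortably inside "three nines" but blow through "four nines" many times over, so the availability a vendor promises in an SLA is only credible if the MTTR and outage frequency behind it are known.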
- If a hurricane blew through, what functions would be essential to the organization?
- That's where you start your analysis
- These are broad business requirements
- A single event can ruin your day
- Multiple devices (the "Noah's Ark" of networking)
- Backup power, multiple cooling devices
- Life
- Make sure everyone is safe.
- Property
- Risk to buildings and assets.
- Safety
- Some environments are too dangerous to work.
- Finance
- The resulting financial cost.
- Reputation
- Event can cause status or character problems
- Identify business processes that are privacy-sensitive
- "A privacy threshold assessment is an analysis of whether PII is collected and maintained by a system. If PII is stored, then the next step in determining privacy risk is a privacy impact assessment, PIA, covered in the preceding section." (Conklin)
- "Determine if privacy impact assessment is required." (Messer)
- Ensures compliance with regulations
- "A privacy impact assessment (PIA) is a structured approach to determining the gap between desired privacy performance and actual privacy performance. A PIA is an analysis of how personally identifiable information (PII) is handled through business processes and an assessment of risks to the PII during storage, use, and communication." (Conklin)
- "Ensures compliance with privacy laws and regulations." (Messer)
- Understanding Risk Management
- Risk is the likelihood that a threat will exploit a vulnerability.
- A threat is an external force jeopardizing security (potential danger)
- A vulnerability is a weakness in security controls that a threat might exploit to undermine CIA (e.g. missing patches, promiscuous firewall rules and security misconfigurations)
- Threat vectors are the specific methods that threats use to exploit a vulnerability (e.g. hacker toolkit, physical intrusion, social engineering)
- Environmental
- Hurricanes, tornadoes
- Man-made
- Internal vs. external
- Internal
- e.g. employees
- Likelihood of occurrence (probability that risk will occur)
- Impact (amount of expected damage)
- Two techniques for risk assessment
- Qualitative (Mike Chapple)
- Use subjective ratings to evaluate likelihood and impact
- Typically categorized as Low, Medium or High, or on a traffic light grid
- Quantitative
- Use objective numeric ratings to evaluate risk likelihood and impact
- Usually in Dollars $
- Perform quantitative RA for a single risk and asset pair (e.g. risk of flooding a data center)
- Determine asset value in $ (original cost / depreciated cost / replacement cost)
- Exposure Factor (EF): expected % damage to an asset
- SLE: Single Loss Expectancy (only gives an idea of impact)
- Asset value × exposure factor
- What is the monetary loss if a single event occurs?
- e.g. laptop stolen (asset value) $1000
- ARO: Annualized Rate of Occurrence (likelihood, or the number of times a risk is expected to occur each year)
- ALE: Annual Loss Expectancy (expected $ loss from a risk in any given year)
- ARO × SLE
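The SLE/ARO/ALE chain above is what lets a risk register compare unlike risks in one unit and decide whether a control is a good investment. The following is an added example written for these notes, not code from the original page or from Mike Chapple's material. The laptop and data-center figures are constructed sample values; the cost-benefit rule (net benefit = ALE before the control − ALE after it − annual control cost) and the dollar thresholds for the Low/Medium/High bands are assumptions for the example, not numbers from the notes.

```python
"""Quantitative risk assessment: SLE = AV x EF, ALE = ARO x SLE, and whether
a proposed mitigation is worth its price.

Added example written for these notes, not code from the original page or
from Mike Chapple's material. The laptop and data-center figures are
constructed sample values. The cost-benefit rule used here
(benefit = ALE before the control - ALE after it - annual control cost) and
the dollar thresholds for the Low/Medium/High bands are assumptions for the
example, not numbers from the notes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV in dollars (replacement cost is assumed here)
    exposure_factor: float  # EF: fraction of the asset lost in one event, 0..1
    aro: float              # ARO: expected number of events per year

    def __post_init__(self):
        if not 0 <= self.exposure_factor <= 1:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: impact of one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: likelihood (ARO) x impact (SLE)."""
        return self.aro * self.sle


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual benefit of a mitigation; positive means the control pays for itself."""
    return before.ale - after.ale - annual_control_cost


def qualitative_band(ale: float, low: float = 5_000.0, high: float = 25_000.0) -> str:
    """Map a dollar ALE onto the Low / Medium / High scale used in qualitative grids."""
    if ale < low:
        return "Low"
    if ale < high:
        return "Medium"
    return "High"


# Constructed risk register entries (not from the notes)
LAPTOP_THEFT = Risk("stolen laptop", asset_value=1_000, exposure_factor=1.0, aro=2)
FLOOD = Risk("data-center flood", asset_value=2_000_000, exposure_factor=0.25, aro=0.1)
# Same flood risk after a (constructed) flood-proofing control that cuts EF to 5%
FLOOD_PROOFED = Risk("data-center flood (flood-proofed)", 2_000_000, 0.05, 0.1)


def risk_register(risks=(LAPTOP_THEFT, FLOOD)) -> list:
    """Rows of (name, SLE, ALE, band) sorted by ALE, highest first."""
    rows = [(r.name, r.sle, r.ale, qualitative_band(r.ale)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for name, sle, ale, band in risk_register():
        print(f"{name:<24} SLE=${sle:>10,.0f} ALE=${ale:>10,.0f} {band}")
    # Constructed: flood-proofing costs $15,000 per year to maintain
    print("flood-proofing net benefit per year:", control_value(FLOOD, FLOOD_PROOFED, 15_000))
```

The register ranks the flood (ALE $50,000) above the laptop thefts (ALE $2,000) even though laptops are lost far more often, which is exactly what the ARO × SLE product is for. The control check shows mitigation rather than elimination: flood-proofing leaves $10,000 of residual ALE, but at $15,000 a year it still returns $25,000 net, so it is worth buying; a control costing more than the ALE it removes is not.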
- Risk register (Mike Chapple)
- Tracks risk information
- Every project has a plan, but also has risk.
- Identify and document the risk associated with each step.
- Apply possible solutions to the identified risks.
- Monitor the results
- Supply chain assessment (Mike Chapple)
- A supply chain assessment evaluates everything needed to produce and sell a product. It includes all the raw materials and processes required to create and distribute a finished product
- Get a product or service from supplier to customer.
- Evaluate coordination between groups.
- Identify areas of improvement.
- Assess the IT systems supporting the operations
- Document the business process changes
- Identify significant risk factors
- Display visually with traffic light grid or similar method
- Business impact analysis BIA
- Critical business functions?
- What is impacted? loss of revenue, legal requirements, customer service
- For how long?
- Impact to bottom line? Is disaster recovery a good investment ?
- Testing
- Penetration testing authorization
- Vulnerability testing authorization
- Running vulnerability and penetration tests can cause outages
- Get formal authorization
- Risk response techniques (Mike Chapple)
- Avoid
- Stop participating in the activity (e.g. relocate a datacenter due to a flood risk)
- Transfer
- Insurance (e.g. flood insurance)
- Accept
- Accept the risk without taking further action
- Mitigate
- Decrease risk likelihood and impact (e.g. flood-proofing the datacenter)
- Risk cannot be eliminated
- Deterrence
- Takes actions that dissuade a threat from exploiting a vulnerability (e.g. fences and guard dogs)
- Formal process to minimize risk
- Upgrade software, change firewall configuration, modify switch ports
- Occurs very frequently
- “A security incident is an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of data or systems within the organization, or that has the potential to do”
- “An incident response policy defines a security incident and incident response procedures. Incident response procedures start with preparation to prepare for and prevent incidents. Preparation helps prevent incidents such as malware infections. Personnel review the policy periodically and in response to lessons learned after incidents.”
- Documented incident types/category definitions (Attack vector categorization)
- External/removable media
- Attrition
- Brute force attack
- Web
- Improper usage
- Loss or theft of equipment
- Roles and responsibilities
- Incident response team: specialized group, trained and tested
- IT security management: corporate support
- Compliance officers: intricate knowledge of company rules
- Technical staff
- User community
- Reporting requirements/escalation
- CIO
- Human resources
- Public affairs
- Legal department
- External
- System owner, law enforcement
- US-CERT (for US Gov agencies)
- CIRT: Cyber-incident response teams
- Receives, reviews, responds - a predefined group of professionals
- "Determine what type of events require a CIRT response." (Messer)
- Incident handling
- Incident response
- Incident analysis
- Incident reporting
- Exercise / Testing BC/DR plans (Mike Chapple)
- "Test yourselves before actual event." (Messer)
- Well-defined rules of engagement
- Don't touch production systems
- Specific scenario
- Tabletop exercise
- After Action reports AAR (Mike Chapple)
- After action reports create a formal record of a disaster recovery or BC event
- NIST SP800-61
- NIST Special Publication 800-61
- Computer Security Incident Handling Guide
- Response lifecycle
- Preparation
- Communication methods: phones and contact info
- Incident handling hardware and software
- Incident analysis resources
- Diagrams, documentation, baselines, critical file hash values
- Give a picture of normal operations
- Incident mitigation software: clean OS and application images
- Identification
- Detection
- Almost always complex
- Incident precursors (signals to monitor that give a heads-up)
- Web server log
- Exploit announcement, vulnerability patch releases
- Direct threats
- Incident Indicators
- Buffer overflows seen by IDS/IPS
- Anti-virus identifies malware
- Host-based monitor detects
- Monitors system files
- Containment
- Isolate, an incident can spread quickly
- Sandbox
- "The attacker thinks they're on a real system, but they're not." (Messer)
- Eradication
- Remove the vulnerability
- Restore from backups
- Rebuild from scratch
- Recovery
- Phased. May take months.
- Get things back to normal
- Eradicate the bug - remove malware , disable breached accounts, fix vulnerabilities
- Recover the system - restore from backup, rebuild from scratch, replace compromised files
- Lessons learned
- Post-incident meeting.
- Invite everyone affected.
- Don't wait too long
- Details, timestamps
- Evaluate incident plans, did they work as expected?
- What would you do next time?
- What indicators to watch next time? different precursors ?
(James Messer, Jason Dion, Mike Meyers, Mike Chapple)
See also "RFC 3227 - Guidelines for Evidence Collection and Archiving"
- Order of volatility
- As ordered by Conklin:
- CPU, cache, and register contents (collect first)
- Routing tables, ARP cache, process tables, kernel statistics
- Live network connections and data flows
- Memory (RAM)
- Temporary file system/swap space
- Data on hard disk
- Remotely logged data
- Data stored on archival media/backups (collect last)
- Chain of custody (Mike Chapple)
- As listed by Conklin:
- Record each item collected as evidence.
- Record who collected the evidence along with the date and time it was collected or recorded.
- Write a description of the evidence in the documentation.
- Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected or put in the container.
- Record all message digest (hash) values in the documentation.
- Securely transport the evidence to a protected storage facility.
- Obtain a signature from the person who accepts the evidence at this storage facility.
- Provide controls to prevent access to and compromise of the evidence while it is being stored.
- Securely transport the evidence to court for proceedings.
- As listed by uCertify:
- collection of evidence from the site
- analysis of the evidence by a team of experts
- storage of the evidence in a secure place to ensure that the evidence is not tampered with
- presentation of the evidence by legal experts in a court of law
- returning the evidence to the owner after the proceedings are over
- Legal hold
- A "litigation hold, the process by which you properly preserve any and all digital evidence related to a potential case. This event is usually triggered by one organization issuing a litigation hold request to another. Once an organization receives this notice, it is required to maintain a complete set of unaltered data including metadata, of any and all information related to the issue causing the litigation hold." (Conklin)
- Prepare for impending litigation
- Initiated by legal counsel
- Data acquisition
- Capture system image: bit-for-bit / byte-for-byte
- Network traffic and logs
- Capture video
- Record time offset
- Take hashes MD5/CRC
- Screenshots
- Witness interviews
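The hashes taken at acquisition are what make the chain-of-custody record above verifiable: every later party can re-hash the image and prove it is the same bytes that were collected. The following is an added example written for these notes, not code from the original page or from the cited authors. The notes list MD5/CRC; this records MD5 alongside SHA-256 (an assumption: a second, collision-resistant digest is recorded as well, because MD5 collisions are practical and a second digest costs nothing extra in a single streaming pass). The case number, item names, timestamps and image bytes are constructed sample values.

```python
"""Acquisition integrity and chain of custody: hash an acquired image in one
streaming pass, record the digests with who/what/when, log each hand-off,
and re-verify before analysis or court.

Added example written for these notes, not code from the original page or
the cited authors. The notes list MD5/CRC; this records MD5 alongside
SHA-256 (assumption: a second, collision-resistant digest is also kept).
The case number, item names, timestamps and image bytes are constructed.
"""
import hashlib
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so a disk image never has to fit in RAM


def hash_chunks(chunks) -> dict:
    """Compute MD5 and SHA-256 over an iterable of byte chunks in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path: str) -> dict:
    """Stream a file (e.g. a bit-for-bit image) through hash_chunks."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(CHUNK_SIZE), b""))


def new_custody_record(case_number, item_id, description, collector, digests, collected_at=None) -> dict:
    """First chain-of-custody entry: what was collected, by whom, when, and its digests."""
    when = collected_at or datetime.now(timezone.utc).isoformat()
    return {
        "case": case_number, "item": item_id, "description": description,
        "digests": digests,
        "custody": [{"event": "collected", "by": collector, "at": when}],
    }


def transfer(record: dict, from_person, to_person, at=None) -> dict:
    """Log a hand-off; the receiver's acknowledgement is the signature the notes call for."""
    record["custody"].append({
        "event": "transferred", "from": from_person, "to": to_person,
        "at": at or datetime.now(timezone.utc).isoformat(),
    })
    return record


def verify(record: dict, current_digests: dict) -> bool:
    """Re-hash the evidence and compare every recorded digest; any mismatch fails."""
    return all(record["digests"][alg] == current_digests.get(alg) for alg in record["digests"])


# Constructed sample evidence: a tiny stand-in for a disk image
SAMPLE_IMAGE = b"constructed sample image bytes\x00\x01\x02" * 1024


def demo() -> tuple:
    """Collect, hand off, verify intact, then show that a single flipped bit is caught."""
    record = new_custody_record("CASE-0000 (placeholder)", "item-01", "laptop SSD image",
                                "examiner A", hash_chunks([SAMPLE_IMAGE]),
                                "2024-01-01T00:00:00+00:00")
    transfer(record, "examiner A", "evidence locker", "2024-01-01T01:00:00+00:00")
    intact = verify(record, hash_chunks([SAMPLE_IMAGE]))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # one bit changed anywhere in the image
    altered = verify(record, hash_chunks([bytes(tampered)]))
    return intact, altered, len(record["custody"])


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

Two design points worth noting: the digests are computed once over the stream and every later check re-reads the whole image, so `verify` is only as good as the discipline of re-hashing before each use; and the custody list is append-only, so the record itself shows every hand-off in order, which is what the "who, when, signature" items in the Conklin list are meant to produce.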
- Preservation (James Messer)
- Keep all data
- Data may need to be revisited
- Recovery
- Learn after incidents
- Strategic intelligence / counterintelligence gathering
- Learn more about attacker
- Active logging
- Log everything, everywhere
- Track man-hours and expenses
- May be required for restitution
- Business Impact Analysis Concepts
- "A business impact analysis (BIA) is an important part of a BCP."
- “The BIA identifies mission-essential functions and critical systems that are essential to the organization’s success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident.”
- “The recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. The recovery point objective (RPO) refers to the amount of data you can afford to lose.”
(James Messer, Jason Dion, Mike Chapple)
- Cold site
- Empty building, no hardware, no people
- Warm site
- Either: Bring hardware, or already has hardware
- Hot site
- Exact duplicate of everything
- Implication: You buy two of everything
- Automated replication
- Flip a switch and everything moves
- Also
- Redundant site
- "Contain all of the alternate computer and telecommunication equipment needed in a disaster" (uCertify)
- Organization sets priority
- Not all applications have the same priority
(James Messer, Jason Dion, Mike Meyers)
- Strategies
- Tape, disk, optical
- Database: replication, online backups
- Email backups
- OS volume, hypervisor snapshots
- Images
- Archive bit on files
- Reset upon backup
- Full
- Every file on every backup
- Incremental
- All files changed since last incremental backup
- To recover you need last full backup and all the incremental backups after that
- Differential
- All files changed since last full backup
- To recover you only need the last full backup and last differential backup
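The archive-bit rule above decides what each backup type captures and therefore what a restore has to read back. The following is an added example written for these notes, not code from the original page or from the cited authors; the seven-file system, the one-week schedule and the daily changes are constructed sample data. It models the archive bit directly: a full or incremental backup clears it, a differential backup does not, and the restore routine then works out which sets are actually needed.

```python
"""Full / incremental / differential backups driven by the archive bit, and
which backup sets a restore actually needs under each scheme.

Added example written for these notes, not code from the original page or
the cited authors. The seven-file system, the one-week schedule and the
daily changes are constructed sample data.
"""
from dataclasses import dataclass

ALL_FILES = frozenset("abcdefg")  # constructed file system


@dataclass(frozen=True)
class Backup:
    day: int
    kind: str        # "full", "incremental" or "differential"
    captured: dict   # file -> day of the version stored in this backup set


def run_schedule(schedule, changes):
    """Simulate a schedule. `changes[day]` is the set of files modified that day.
    The archive bit is modelled as the set of files whose bit is set: a full or
    incremental backup clears it, a differential backup leaves it set."""
    version = {f: 0 for f in ALL_FILES}  # day each file was last modified (0 = original)
    archive_set = set()
    backups = []
    for day, kind in schedule:
        for f in changes.get(day, ()):
            version[f] = day
            archive_set.add(f)
        if kind == "full":
            captured = dict(version)        # everything, regardless of the bit
            archive_set.clear()
        elif kind == "incremental":
            captured = {f: version[f] for f in archive_set}  # changed since last full/incremental
            archive_set.clear()
        elif kind == "differential":
            captured = {f: version[f] for f in archive_set}  # changed since last full
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        backups.append(Backup(day, kind, captured))
    return backups, version


def restore_set(backups):
    """Walk from the newest set backwards, keeping a set only if it holds a file
    version not already covered by a newer kept set, and stop at the last full.
    Returns the kept sets in restore order (oldest first) and the rebuilt state."""
    needed, covered = [], {}
    for b in reversed(backups):
        if b.kind == "full" or any(f not in covered for f in b.captured):
            needed.append(b)
            for f, v in b.captured.items():
                covered.setdefault(f, v)  # the newer version, seen first, wins
        if b.kind == "full":
            break
    return list(reversed(needed)), covered


# Constructed week: full on day 0, one distinct file changed on each of days 1-6
CHANGES = {day: {"abcdef"[day - 1]} for day in range(1, 7)}
INCREMENTAL_WEEK = [(0, "full")] + [(d, "incremental") for d in range(1, 7)]
DIFFERENTIAL_WEEK = [(0, "full")] + [(d, "differential") for d in range(1, 7)]


def sets_needed(schedule) -> list:
    """(kind, day) of every set a restore needs after the week's last backup."""
    backups, final_state = run_schedule(schedule, CHANGES)
    needed, rebuilt = restore_set(backups)
    assert rebuilt == final_state, "restore did not reproduce the latest state"
    return [(b.kind, b.day) for b in needed]


if __name__ == "__main__":
    print("incremental:", sets_needed(INCREMENTAL_WEEK))    # full + all six incrementals
    print("differential:", sets_needed(DIFFERENTIAL_WEEK))  # full + the last differential only
```

The two schedules back up the same changes, but the incremental week needs seven sets to restore (the full plus every incremental after it) while the differential week needs two (the full plus the latest differential), because each differential keeps re-capturing everything since the full. That is the trade-off the notes describe: incrementals are small and fast to take but slow and fragile to restore, differentials grow through the week but restore from two pieces.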
- Snapshots
- Off-site backups
- "Vaulting"
- Send backup media to outside storage facility
- E-vaulting
- Organization-owned or 3rd-party
- Requires extensive protection
- Compliance mandates on backups
- SOX: Sarbanes-Oxley
- FISMA: Federal Information Security Management Act
- HIPAA: Health Insurance Portability and Accountability Act
- Distance
- Recovery vs accessibility
- Should be outside scope of disaster
- Consider travel for support staff
- Consider unique business requirements
- Location selection
- Legal implications
- Business regulations across states, countries
- Data sovereignty
- Data subject to laws of country where it resides
- Law may require staying within borders
- Exercises/tabletop
- Simulated disaster
- Step through process
- Decide on complexity, scope
- Involve everyone
- May be surprise
- Don't assume all info will be available
- Find the gaps
- AAR: After-action reports
- What worked? What didn't?
- Update procedures, tools
- Failover
- Recovery site is prepped
- Business processes failover
- Alternate business practices
- Norms disrupted
- Alternatives
- Manual transactions
- Paper receipts
- Phone calls for transaction approvals
- Document before problem occurs
- Alternate processing sites
- Defense in depth (also known as layered security) refers to the security practice of implementing several layers of protection.
- "A technical control is the use of some form of technology to address a physical security issue." (Conklin)
- "Another term for technical controls is logical controls." (uCertify)
- Firewalls, IPS, encryption, DLP, anti-malware
- "An administrative control is a policy or procedure used to limit security risk." (Conklin)
- Management processes that improve the enterprise security
- User access reviews , log monitoring, background checks and security awareness training
- "A physical control is one that prevents specific physical actions from occurring, such as a mantrap prevents tailgating." (Conklin)
- Includes fences, cameras and security guards
- "A deterrent control acts to discourage the attacker by reducing the likelihood of success from the perspective of the attacker." (Conklin)
- "A preventative control is one that prevents specific actions from occurring, such as a mantrap prevents tailgating." (Conklin)
- Security guard / Firewall (technical and preventive)
- "A detective control is one that facilitates the detection of a physical security breach." (Conklin)
- Motion detector/ IDS/IPS
- "A corrective control is used post event, in an effort to minimize the extent of damage." (Conklin)
- "A compensating control is one that is used to meet a requirement when there is no control available to directly address the threat." (Conklin)
- Measures taken above and beyond other controls to fill the gap when you can't meet a standard
- Doesn't prevent the attack; restore using other means
- Hot site backup
(James Messer, Jason Dion, Mike Meyers)
- Burning
- Shredding
- Pulping
- Large tank washing to remove ink
- Paper broken down to pulp
- Pulverizing
- Heavy machinery destroys platters
- Degaussing
- Remove the magnetic field
- Destroys drive data and the electronics
- Purging
- Remove from existing data store
- Delete some of data from a database
- Wiping
- Overwrite storage locations
- Make drive reusable
- SDelete (Windows Sysinternals)
- DBAN (Darik's Boot and Nuke)
- Public
- Anyone can access
- Private
- Restricted access
- May require NDA
- Confidential
- Very sensitive
- Must be approved to view
- Proprietary
- Property of organization
- May include trade secrets
- Unique to organization
- PII: Personally identifiable information
- Used to identify individual
- Name, DOB, biometric
- PHI: Personal health information
- Health care records
- Insurance information
- Owner
- e.g. CEO or senior officer
- Steward
- Managing accuracy, privacy, security
- Assigns security labels
- Associates sensitivity levels
- Custodian
- Manages access rights
- Implements security controls
- Sometimes same person as steward
- Privacy officer
- Responsible for overall data privacy
- Sets policies, implements processes and procedures
- How often? How much data?
- Common: Keep multiple versions for week
- Ability to recover damaged data
- Email storage required for years sometimes
- Industry-specific
- Depends on data type