Skip to content

Latest commit

 

History

History
482 lines (465 loc) · 23.9 KB

5.md

File metadata and controls

482 lines (465 loc) · 23.9 KB

5.0 Risk Management

5.1 Explain the importance of policies, plans and procedures related to organizational security. (Mike Meyers 1, Mike Meyers 2)

  • Standard operating procedure
    • "Standard operating procedures are... mandatory step-by-step instructions set by the organization so that in the performance of their duties, employees will meet the stated security objectives of the firm." (Conklin)
  • Agreement types (James Messer, Mike Meyers)
    • BPA
      • "A business partnership agreement (BPA) is a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between the partners." (Conklin)
    • SLA
      • "A service level agreement (SLA) is a negotiated agreement between parties detailing the expectations between a customer and a service provider. SLAs essentially set the requisite level of performance of a given contractual service." (Conklin)
    • ISA
      • "An interconnection security agreement (ISA) is a specialized agreement between organiza- tions that have interconnected IT systems, the purpose of which is to document the secu- rity requirements associated with the interconnection." (Conklin)
    • MOU/MOA
      • "A memorandum of understanding (MOU) and memorandum of agreement (MOA) are legal documents used to describe a bilateral agreement between parties. It is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal." (Conklin)
  • Personnel management (James Messer)
    • Mandatory vacations
      • "Requiring employees to use their vacation time through a policy of mandatory vacations can be a security protection mechanism. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation." (Conklin)
    • Job rotation
      • "Rotating through jobs provides individuals with a better perspective of how the various parts of the organization can enhance (or hinder) the business... If all security tasks are the domain of one employee, security will suffer if that individual is lost from the organization." (Conklin)
    • Separation of duties
      • "Separation of duties is when more than one person is required to complete a task." (uCertify)
      • "Ensure[s] that no single individual has the ability to conduct transactions alone. This means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened." (Conklin)
    • Clean desk
      • "Policy specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian." (Conklin)
    • Background checks
      • "Background checks can validate previous employment, criminal backgrounds, and financial background." (Conklin)
    • Exit interviews
  • Role-based awareness training (James Messer, Mike Meyers)
    • "Needed to ensure that the individual understands the responsibilities as they relate to information security." (Conklin)
    • Roles
      • Data owner
        • Executive level manager; responsible for the security of the data
        • Ultimately responsible for compliance
      • System administrator
        • "System administrators are administrative users with the responsibility of maintaining a system within its defined requirements." (Conklin)
        • Enables use of application or data
        • Not necessarily a user
      • System owner
        • Usually separate from the system administrator
        • Makes decisions about the overall operation of the application and data
        • Defines security policies and backup policies
        • Manages changes and updates
    • User roles
      • User
        • Normal user
        • Has least privileged access
      • Privileged user
        • Area manager; report creation; user and password changes
      • Executive user
        • Responsible for the overall use of the application
        • Evaluates the operation fo the application
        • Evaluates goals and makes decisions about future directions
        • "Limiting the access of executives is not meant to limit their work, but rather limit the range of damage should an account become compromised." (Conklin)
    • NDA
      • "Non-disclosure agreements (NDAs) are standard corporate documents used to explain the boundaries of company secret material, information which control over should be exer- cised to prevent disclosure to unauthorized parties." (Conklin)
    • Onboarding
      • "Ensure[s] that the personnel are aware of and understand their responsibilities with respect to securing company information and assets." (Conklin)
    • Continuing education
      • "Maintaining a skilled workforce in security necessitates ongoing training and education." (Conklin)
    • AUP: Acceptable use policy/rules of behavior
      • "Outlines what the organization considers to be the appropri- ate use of its resources... The goal of the policy is to ensure employee productivity while limiting potential organizational liability resulting from inappropriate use of the organization’s assets." (Conklin)
    • Adverse actions
      • "Punishing employees when they violate policies..." (Conklin)
      • Two schools of thought:
        • Zero-tolerance
          • "One strike and you are out is the norm. The defense of this view is that by setting the bar high, you get better performers and stricter adherence to policies." (Conklin)
        • Discretionary action
          • "Makes handling cases more challenging because management must determine the correct level of adverse action, but it also gives the flexibility to salvage good employees who have made an uncharacteristic mistake." (Conklin)
  • General security policies (James Messer)
    • Social media networks/applications
      • Balance company reputation with employee participation
      • Extension of your code of conduct
        • Define requirements and expectations
        • Identification as an employee
        • Personal responsibility
      • No conidential information
    • Personal email
      • Some organizations prohibit personal use of company email

5.2 Summarize business impact analysis concepts. (James Messer)

  • Recovery
    • MTTR: Mean time to restore (or repair)
      • Mean time to repair
    • MTTF: Mean time to failure
    • MTBF: Mean time between failures
      • Predict the time between failures
    • RTO/RPO
      • Recovery time objectives
        • "Get up and running quickly. Get back to a particular level." (Messer)
      • Recovery point objectives
        • "How much data loss is acceptable? Bring back system online; how far back does data go?" (Messer)
  • Uptime
    • Yearly
      • 99.9999% - 32s
      • 99.999% - 5m15s
      • 99.99% - 52m34s
      • 99.9% - 8h45m36s
      • 99% - 87h36mk
  • Mission-essential functions
    • If a hurricane blew through, what functions would be essential to the organization?
      • That's where you start your analysis
    • Identification of critical systems
  • Single point of failure
    • A single event can ruin your day
    • Multiple devices (the "Noah's Ark" of networking)
    • Backup power, multiple cooling devices
  • Impact
    • Life
      • Maku sure everyone is safe.
    • Property
      • Risk to buildings and assets.
    • Safety
      • Some environments are too dangerous to work.
    • Finance
      • The resulting financial cost.
    • Reputation
      • Event can cause status or character problems
  • Privacy threshold assessment
    • Identify business processes that are privacy-sensitive
    • "A privacy threshold assessment is an analysis of whether PII is collected and maintained by a system. If PII is stored, then the next step in determining privacy risk is a privacy impact assessment, PIA, covered in the preceding section." (Conklin)
    • "Determine if privacy impact assessment is required." (Messer)
  • Privacy impact assessment (PIA)
    • Ensures compliance with regulations
    • "A privacy impact assessment (PIA) is a structured approach to determining the gap between desired privacy performance and actual privacy performance. A PIA is an analysis of how personally identifiable information (PII) is handled through business processes and an assessment of risks to the PII during storage, use, and communication." (Conklin)
    • "Ensures compliance with privacy laws and regulations." (Messer)

5.3 Explain risk management processes and concepts. (James Messer, Mike Meyers)

  • Threat assessment
    • Environmental
      • Hurricanes, tornados
    • Manmade
      • Internal vs. external
        • Internal
          • e.g. employees
  • Risk assessment
    • Likelihood of occurrence
    • ARO: Annualized Rate of Occurance
    • SLE: Single Loss Expectancy
      • asset value × exposure factor
      • What is the monetary loss if a single event occurs?
    • ALE: Annual Loss Expectancy
      • ARO x SLE
    • Impact
      • Quantitative
      • Qualitative
    • Asset value
  • Risk register
    • Every project has a plan, but also has risk.
    • Identify and document the risk associated with each step.
    • Apply possible solutions to the identified risks.
    • Monitor the results
  • Supply chain assessment
    • Get a product or service from supplier to customer.
    • Evaluate coordination between groups.
    • Identify areas of improvement.
    • Assess the IT systems supporting the operations
    • Document the business process changes
  • Identify significant risk ractors
    • Display visually with traffic light grid or similar method
  • Business impact analysis
    • Critical business functions?
    • What is impacted?
    • For how long?
    • Impact to bottom line?
  • Testing
    • Penetration testing authorization
    • Vulnerability testing authorization
    • Running vulnerability and penetration tests can cause outages
    • Get formal authorization
  • Risk response techniques
    • Avoid
      • Stop participating in activity
    • Transfer
      • Insurance
    • Accept
      • "We'll take the risk"
    • Mitigate
      • Decrease risk level
      • Risk cannot be eliminated
  • Change management
    • Formal process
    • Upgrade software, change firewall configuration, modify switch ports

5.4 Given a scenario, follow incident response procedures. (Jason Dion, Mike Meyers)

  • Incident response plan (James Messer)
    • Documented incident types/category definitions
      • External/removable media
      • Attrition
        • Bruce force attack
      • Web
      • Email
      • Improper usage
      • Loss or theft of equipment
    • Roles and responsibilities
      • Incident response team
      • IT security management
      • Compliance officers
      • Technical staff
      • User community
    • Reporting requirements/escalation
      • CIO
      • Human resources
      • Public affairs
      • Legal department
      • External
        • System owner, law enforcement
        • US-CERT (for US Gov agencies)
    • CIRT: Cyber-incident response teams
      • Receives, reviews, responds
      • "Determine what type of events require a CIRT repsonse." (Messer)
      • Incident handling
        • Incident response
        • Incident analysis
        • Incident reporting
    • Exercise
      • "Test yourselves before actual event." (Messer)
      • Well-defined rules of engagement
        • Don't touch prooduction systems
      • Specific scenario
      • Table top exercise
  • Incident response process (James Messer)
    • NIST SP800-61
      • NIST Special Publication 800-61
      • Computer Security Incident Handling Guide
      • Response lifecycle
    • Preparation
      • Communication methods
      • Incident handling hardware and software
      • Incident analysis resources
        • Diagrams, baselines, critical file hash values
      • Incident migration software
    • Identification
      • Detection
      • Almost always complex
      • Precursors
        • Web server log
        • Exploit announcement
        • Direct threats
      • Indicators
        • Buffer overflows seen by IDS/IPS
        • Anti-virus identifies malware
        • Host-based monitor detects
          • Monitors system files
    • Containment
      • Isolate
      • Sandbox
        • "The attacker thinks they're on a real system, but they're not." (Messer)
    • Eradication
      • Remove the vulnerability
      • Restore from backups
      • Rebuild from scratch
    • Recovery
      • Phased. May take months.
    • Lessons learned
      • Post-incident meeting.
        • Invite everyone affected.
      • Details timestamps
      • Evaluate incident plans.
      • What would you do next timie?
      • What indicators to watch next time?

5.5 Summarize basic concepts of forensics. (James Messer, Jason Dion, Mike Meyers)

See also "RFC 3227 - Guidelines for Evidence Collectiion and Archiving"

  • Order of volatility
    • As ordered by Conklin:
      1. CPU, cache, and register contents (collect first)
      2. Routing tables, ARP cache, process tables, kernel statistics
      3. Live network connections and data flows
      4. Memory (RAM)
      5. Temporary file system/swap space
      6. Data on hard disk
      7. Remotely logged data
      8. Data stored on archival media/backups (collect last)
  • Chain of custody
    • As listed by Conklin:
      1. Record each item collected as evidence.
      2. Record who collected the evidence along with the date and time it was collected or recorded.
      3. Write a description of the evidence in the documentation.
      4. Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected or put in the container.
      5. Record all message digest (hash) values in the documentation.
      6. Securely transport the evidence to a protected storage facility.
      7. Obtain a signature from the person who accepts the evidence at this storage facility.
      8. Provide controls to prevent access to and compromise of the evidence while it is being stored.
      9. Securely transport the evidence to court for proceedings.
    • As listed by uCertify:
      • collection of evidence from the site
      • analysis of the evidence by a team of experts
      • storage of the evidence in a secure place to ensure that the - evidence is not tampered with
      • presentation of the evidence by legal experts in a court of law
      • returning the evidence to the owner after the proceedings are over
  • Legal hold
    • A "litigation hold, the process by which you properly preserve any and all digital evidence related to a potential case. This event is usually triggered by one organization issuing a litigation hold request to another. Once an organization receives this notice, it is required to maintain a complete set of unaltered data including metadata, of any and all information related to the issue causing the litigation hold." (Conklin)
  • Data acquisition
    • Capture system image
    • Network traffic and logs
    • Capture video
    • Record time offset
    • Take hashes
    • Screenshots
    • Witness interviews
  • Preservation (James Messer)
    • Keep all data
    • Data may need to be revisited
  • Recovery
    • Learn after incidents
  • Strategic intelligence/ counterintelligence gathering
    • Learn more about attacker
    • Active logging
      • Log everything, everywhere
  • Track man-hours and expenses
    • May be required for restitution

5.6 Explain disaster recovery and continuity of operation concepts. (Mike Meyers)

  • Recovery sites (James Messer, Jason Dion)
    • Cold site
      • Empty building, no hardware, no people
    • Warm site
      • Either: Bring hardware, or already has hardware
    • Hot site
      • Exact duplicate of everything
      • Implication: You buy two of everything
      • Automated reduplication
      • Flip a switch and everything moves
    • Also
      • Redundant site
        • "Contain all of the alternate computer and telecommunication equipment needed in a disaster" (uCertify)
  • Order of restoration (James Messer)
    • Organization sets priority
  • Backup concepts (James Messer, Jason Dion, Mike Meyers)
    • Strategies
      • Take, disk, optical
      • Database: replication, online backups
      • Email backups
      • OS volume, hypervisor snapshots
      • Images
      • Archive bit on files
        • Reset upon backup
    • Full
      • Every file on every backup
    • Incremental
      • All files changed since last incremental backup
    • Differential
      • All files changed since last full backup
    • Snapshots
  • Geographic considerations (James Messer)
    • Off-site backups
      • "Vaulting"
        • Send backup media to outside storage facility
        • E-vaulting
      • Org-owned or 3rd-party
      • Requires extensive protection
      • Compliance mandates on backups
        • SOX: Sarbanes-Oxley
        • FISMA: Federal Information Systems Management Act
        • HIPAA: Health Insurance Portability and Accountability Act
    • Distance
      • Recovery vs accessibility
      • Should be outside scope of disaster
      • Consider travel for support staff
      • Consider unique business requirements
    • Location selection
      • Legal implications
        • Business regulations across states, countries
    • Data sovereignty
      • Data subject to laws of country where it resides
      • Law may require staying within borders
  • Continuity of operation planning (James Messer)
    • Exercises/tabletop
      • Simulated disaster
      • Step through process
      • Decide on complexity, scope
      • Involve everyone
      • May be surprise
      • Don't assume all info will be available
        • Find the gaps
    • AAR: After-action reports
      • What worked? What didn't?
      • Update procedures, tools
    • Failover
      • Recovery site is prepped
      • Business processes failover
    • Alternate business practices
      • Norms disrupted
      • Alternatives
        • Manual transactions
        • Paper receipts
        • Phone calls for transaction approvals
      • Document before problem occurs
    • Alternate processing sites

5.7 Compare and contrast various types of controls. (James Messer)

  • Three basic types
    • Technical
      • "A technical control is the use of some form of technology to address a physical security issue." (Conklin)
      • "Another term for technical controls is logical controls." (uCertify)
    • Administrative
      • "An administrative control is a policy or procedure used to limit security risk." (Conklin)
    • Physical
      • "A physical control is one that prevents specific physical actions from occurring, such as a mantrap prevents tailgating." (Conklin)
  • Functions
    • Deterrent
      • "A deterrent control acts to discourage the attacker by reducing the likelihood of success from the perspective of the attacker." (Conklin)
    • Preventive
      • "A preventative control is one that prevents specific actions from occurring, such as a mantrap prevents tailgating." (Conklin)
    • Detective
      • "A detective control is one that facilitates the detection of a physical security breach." (Conklin)
    • Corrective
      • "A corrective control is used post event, in an effort to minimize the extent of damage." (Conklin)
    • Compensating
      • "A compensating control is one that is used to meet a requirement when there is no control available to directly address the threat." (Conklin)

5.8 Given a scenario, carry out data security and privacy practices. (Mike Meyers)

  • Data destruction and media sanitization (James Messer, Jason Dion, Mike Myers)
    • Burning
    • Shredding
    • Pulping
      • Large tank washing to remove ink
      • Paper broken down to pulp
    • Pulverizing
      • Heavy machinery destroys platters
    • Degaussing
      • Remove the magnetic field
      • Destroys drive data and the electronics
    • Purging
      • Remove from existing data store
      • Delete some of data from a database
    • Wiping
      • Overwrite storage locations
      • Make drive reusable
      • Sdelete - Windows Sysinternals
      • DBAN - Darik's Boot and Nuke
  • Data sensitivity labeling and handling (James Messer)
    • Public
      • Anyone can access
    • Private
      • Restricted access
      • May require DNA
    • Confidential
      • Very sensistive
      • Must be approved to view
    • Proprietary
      • Property of organization
      • May include trade secrets
      • Unique to organization
    • PII: Personally identifiable information
      • Used to identify individual
      • Name, DOB, biometric
    • PHI: Personal health information
      • Health care records
      • Insurance information
  • Data roles (James Messer)
    • Owner
      • e.g. CEO or senior officer
    • Steward
      • Managing accuracy, privacy, security
      • Assigns security labels
      • Associates sensitivity levels
    • Custodian
      • Manages access rights
      • Implements security controols
      • Sometimes same person as steward
    • Privacy officer
      • Responsible for overall data privacy
      • Sets policies, implements processes and procedures
  • Data retention
    • How often? How much data?
    • Common: Keep multiple versions for week
    • Ability to recover damanged data
  • Legal and compliance
    • Email storage required for years sometimes
    • Industry-specific
    • Depends on data type