Domain 1: Security and Risk Management
1.1 Understand and apply concepts of confidentiality, integrity and availability
1.2 Evaluate and apply security governance principles
Security Governance Principles – goal is to maintain business processes. IT security goals support the business goals (compliance, guidelines, etc). You shouldn’t be looking for the best technical answer, but the answer that best supports the business.
Understand the difference between subjects and objects
Subjects – active entity on a system. Normally people. Programs can be subjects as well, such as a script updating files
Object – passive data on a system
Frameworks help avoid building IT security in a vacuum or without considering important concepts
Can be regulations, non-regulation, industry-specific, national, international
COBIT is an example. Set of best practices from ISACA. Five key principles. Focuses on WHAT you’re trying to achieve. Also serves as a guideline for auditors:
Principle 1 – Meeting Stakeholder needs
Principle 2 – Covering the enterprise end-to-end
Principle 3 – Applying a single, integrated framework
Principle 4 – Enabling a holistic approach
Principle 5 – Separating governance from management
ITIL is the de facto standard for IT service management. How you’re trying to achieve something
ISO 27000 series. Started as a British standard.
OCTAVE – self directed risk assessments
Due Diligence vs Due Care
Due Diligence – the thought, planning or research put into the security architecture of your organization. This would also include developing best practices and common protection mechanisms, and researching new systems before implementing them
Due Care – is an action. It follows the Prudent Person Rule which begs the question “what would a prudent person do in this situation?” This includes patching systems, fixing issues, reporting, etc in a timely fashion.
1.3 Determine compliance requirements
1.4 Understand legal and regulatory issues that pertain to information security in a global context
EU Data Protection Directive – very pro privacy. Organizations must notify individuals regarding how their data is gathered and used. Must allow an opt-out option for sharing with 3rd parties. Opt-In is required for “most sensitive” data. Transmission of data outside of EU is not allowed unless recipients have equal privacy protections. US does NOT meet this standard. Safe Harbor is an optional agreement between the organization and the EU, where the organization must voluntarily consent to data privacy principles that are consistent with this.
General Data Protection Regulation – went into effect in 2018, replacing the Directive above.
Applies to all organizations worldwide that offer services to EU customers
Extends concept of PII to photos/videos/social media posts, financial transactions, location data, browsing history, login credentials, and device identifiers
Data collection, retention and sharing must be minimized exclusively for the intended purpose.
Data breach requires notification within 72 hours of discovery
Organizations that deal with personal data on a large scale must appoint a Data Protection Officer to their boards
The focus of controls is on encryption and pseudonymization, which is the process of replacing some data elements with pseudonyms so that it is more difficult to identify individuals.
Wassenaar Arrangement – export/import controls for conventional arms and dual-use goods and technologies. Cryptography is considered “dual use”. This includes countries like Iran, Iraq, China and Russia who want to spy on their citizens, and so they don’t import overly strong cryptography technologies. US is not included in this. Companies like Google have to make country-specific technology because of this.
Digital Millennium Copyright Act of 1998 - prohibits the circumvention of copy protection mechanisms placed in digital media, and relieves ISPs of liability for the activities of their users
Intellectual Property Protections:
Trademark – names, slogans and logos that identify a company/product. Cannot be confusingly similar to any trademarks. They are good for 10 years, but can be renewed indefinitely.
Patent – Has to be registered with the US Patent office, which is public information. Many companies avoid this, such as 3M. A patent is good for 20 years, and is considered the shortest of all intellectual property protections.
Copyright – Creative content such as songs, books and software code. It requires disclosure of the product and expires 70 years after the death of the author.
Licenses – End-User License Agreement (EULA) is a good example
Trade Secrets – KFC’s special seasoning, Coca-Cola’s formula, etc. Protected by NDAs (non-disclosure agreements) and NCAs (non-compete agreements). These are the best options for organizations that do not want to disclose any information about their products. Trade Secrets have no expiration.
Intellectual Property Attacks:
Digital Rights Management is any solution that allows content owners to enforce any of the above restrictions on music, movies, etc
1.5 Understand, adhere to, and promote professional ethics
Be familiar with the order of the canons; they are applied in that order. If there is any ethical dilemma, you must follow the order. Protecting society is more important than protecting the profession, for example.
1.6 Develop, document, and implement security policy, standards, procedures and guidelines
Security Policies - These are the highest level and are mandatory; they must be followed. Everything about an organization’s security posture is based around them. Specifies auditing/compliance requirements and acceptable risk levels. Used as proof that senior management has exercised due care.
Wouldn’t use terms like Linux or Windows. That’s too low level. It would refer to these things as “systems”
Should be reviewed yearly or after major business changes, and dated with version number
Standards – mandatory actions and rules. Describes specific technologies.
Baselines – represents a minimum level of security. Often refer to industry standards like TCSEC and NIST
Guidelines – Simply guide the implementation of the security policy and standard. These are not mandatory.
Procedures – very detailed step-by-step instructions. These are mandatory. Specific to system and software. Must be updated as hardware and software evolves.
1.7 Identify, analyze and prioritize Business Continuity requirements
Strategic Plan – Long term (5 years). Goals and visions for the future. Risk assessments fall under this
Tactical Plan – useful for about a year. Projects, hiring, budget etc
Operational Plan – short term (month or quarter). Highly detailed, more step-by step.
1.8 Contribute to and enforce personnel security policies and procedures
1.9 Understand and apply risk management concepts
NIST Risk Management Framework
Businesses don’t care about information security, they care about business. Security is concerned with managing the risks to a business
Risk Management Concepts:
Risk = Threat x Vulnerability
Assets – valuable resources to protect. People are always the most important assets
Vulnerability – a weakness
Threat - potentially harmful occurrence
Impact takes into account the damage in terms of dollar amounts. Human life is considered infinite impact.
Risk Analysis Types:
Steps in Qualitative Analysis
Determine worth of an asset, including how much money it generates, value to competitors, legal liabilities, etc. Assign a dollar amount value
Evaluate loss potential caused by an instance of damage. You will determine your Exposure Factor and then calculate your SLE by multiplying the AV by EF (SLE = AV x EF)
Loss of productivity
Determine the likelihood of an incident occurring. Here we will be calculating the ARO.
Determine the ALE by multiplying SLE by ARO (ALE = SLE x ARO), OR (ALE = AV x EF x ARO)
Determine course of action:
Reduce risk – use controls to mitigate risk and reduce ARO or EF
Transfer/Assign risk – often done by purchasing insurance. You’d have to calculate if it makes sense financially. Could also mean outsourcing to a third party.
Avoid risk – very simply avoiding whatever would be introducing the risk
Accept risk – Usually done if an asset costs less than any controls required to protect it (See Safeguard Evaluation). Should be documented reasoning for accepting risk. All other options should be considered beforehand.
Risk left over after applying countermeasures is Residual Risk. Total Risk is the risk a company faces if they accept risk. The difference between the two is Control Gap.
Total risk – controls gap = residual risk
Uses more approximate values or measurements, such as HIGH/MED/LOW
Based more on softer metrics such as opinions, rather than numbers and historical data
Qualitative techniques and methods include brainstorming, focus groups, checklists, Delphi Technique, etc.
ALE (before safeguard) – ALE (after implementing safeguard) – annual cost of safeguard = value to the company
The value should not be negative. If it is, the cost of protecting an asset is more than the asset itself.
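The quantitative steps above (AV, EF, SLE, ARO, ALE) and the safeguard evaluation formula, carried through as a small calculator. This is an added worked example, not part of the original notes; the asset value, exposure factors, rates of occurrence, safeguard names and costs are constructed sample figures, and the Safeguard record with its new_ef/new_aro fields is an assumption of this example.

```python
"""Quantitative risk analysis worked example (added illustration; all figures constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Safeguard:
    """A candidate control and the risk values it is expected to leave behind."""
    name: str
    annual_cost: float
    new_ef: float   # exposure factor after the control is in place
    new_aro: float  # annualized rate of occurrence after the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO = AV x EF x ARO."""
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """ALE(before safeguard) - ALE(after safeguard) - annual cost of safeguard."""
    before = ale(asset_value, ef, aro)
    after = ale(asset_value, sg.new_ef, sg.new_aro)  # this is the residual ALE
    return before - after - sg.annual_cost


def choose_safeguard(asset_value: float, ef: float, aro: float,
                     candidates: List[Safeguard]) -> Optional[Tuple[Safeguard, float]]:
    """Return the candidate with the highest non-negative value, or None when
    no control pays for itself (then accepting the risk, with documented
    reasoning, is the option the notes point to)."""
    scored = [(sg, safeguard_value(asset_value, ef, aro, sg)) for sg in candidates]
    worthwhile = [(sg, v) for sg, v in scored if v >= 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda pair: pair[1])


# Constructed sample: a 200,000 asset, half of it lost per incident, one incident every two years.
ASSET_VALUE = 200_000
EF = 0.25
ARO = 0.5
CANDIDATES = [
    Safeguard("offsite backups", annual_cost=4_000, new_ef=0.25, new_aro=0.125),
    Safeguard("full redundancy", annual_cost=22_000, new_ef=0.0625, new_aro=0.5),
]

if __name__ == "__main__":
    print("SLE:", sle(ASSET_VALUE, EF))            # 50000.0
    print("ALE:", ale(ASSET_VALUE, EF, ARO))       # 25000.0
    for sg in CANDIDATES:
        print(sg.name, "value:", safeguard_value(ASSET_VALUE, EF, ARO, sg))
    print("chosen:", choose_safeguard(ASSET_VALUE, EF, ARO, CANDIDATES))
```

With these figures the backup control is worth 14,750 a year and the redundancy control comes out negative (it costs more than the loss it prevents), which is exactly the "value should not be negative" check from the notes applied in code.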
1.10 Understand and apply threat modeling concepts and methodologies
Malware propagates through four main techniques:
Boot sector infection
LOKI – ICMP traffic with commands hidden in it. Not so effective in 2019
Smurf Attack – Type of DDoS attack. ICMP packets with spoofed IP. The responses are all redirected to the victim
Fraggle Attack – Similar to Smurf attack, but uses UDP.
SYN Flood - succession of TCP SYN requests without ever completing the 3-way handshake. Goal is to consume all of a server’s available memory.
LAND Attack – packet with the same source and destination address
Teardrop – overlapping fragments, causing the OS to get confused and crash.
Replay Attack – traffic is intercepted in a MITM attack, and resubmitted at a later time. Time stamping messages is a simple countermeasure.
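The traffic signatures described above (LAND, Smurf, Fraggle, SYN flood, Teardrop) turned into simple detection checks run over a constructed list of packet summaries. This is an added example, not code from the original notes; the packet field names (src, dst, proto, flags, dport, icmp_type, dst_is_broadcast, ip_id, frag_offset, frag_len), the SYN threshold and the sample traffic are all assumptions of this example rather than any capture tool's real schema. Replay detection is not included, since it needs per-message timestamps or nonces rather than per-packet fields.

```python
"""Toy detectors for the DoS/protocol attacks listed above (added illustration)."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample traffic; each dict summarises one packet.
SAMPLE_PACKETS: List[dict] = [
    # LAND: identical source and destination address (and port)
    {"src": "10.0.0.5", "dst": "10.0.0.5", "proto": "tcp", "flags": "S", "sport": 80, "dport": 80},
    # Smurf: ICMP echo request (type 8) sent to a broadcast address
    {"src": "10.0.0.9", "dst": "10.0.0.255", "proto": "icmp", "icmp_type": 8, "dst_is_broadcast": True},
    # Fraggle: same idea over UDP echo (port 7) to a broadcast address
    {"src": "10.0.0.9", "dst": "10.0.0.255", "proto": "udp", "dport": 7, "dst_is_broadcast": True},
    # Teardrop: two fragments of datagram 42 whose byte ranges overlap (0-999 and 800-1399)
    {"src": "10.0.0.7", "dst": "10.0.0.1", "proto": "ip", "ip_id": 42, "frag_offset": 0, "frag_len": 1000},
    {"src": "10.0.0.7", "dst": "10.0.0.1", "proto": "ip", "ip_id": 42, "frag_offset": 800, "frag_len": 600},
    # Benign fragments of datagram 77: contiguous, no overlap
    {"src": "10.0.0.8", "dst": "10.0.0.1", "proto": "ip", "ip_id": 77, "frag_offset": 0, "frag_len": 1000},
    {"src": "10.0.0.8", "dst": "10.0.0.1", "proto": "ip", "ip_id": 77, "frag_offset": 1000, "frag_len": 400},
    # Benign SSH connection: SYN followed by the client's completing ACK
    {"src": "10.0.0.3", "dst": "10.0.0.1", "proto": "tcp", "flags": "S", "sport": 50000, "dport": 22},
    {"src": "10.0.0.3", "dst": "10.0.0.1", "proto": "tcp", "flags": "A", "sport": 50000, "dport": 22},
] + [
    # SYN flood: 30 SYNs to port 443 from distinct sources, none completed
    {"src": f"192.0.2.{i}", "dst": "10.0.0.1", "proto": "tcp", "flags": "S", "sport": 40000 + i, "dport": 443}
    for i in range(1, 31)
]


def detect(packets: List[dict], syn_threshold: int = 20) -> Dict[str, list]:
    """Return a mapping of attack name -> list of offending keys found in packets."""
    findings: Dict[str, list] = defaultdict(list)
    fragments: Dict[tuple, list] = defaultdict(list)  # (src, dst, ip_id) -> [(offset, len)]
    half_open: Dict[tuple, int] = defaultdict(int)    # (dst, dport) -> SYNs minus completing ACKs

    for p in packets:
        if p["src"] == p["dst"]:
            findings["LAND"].append(p["src"])
        if p["proto"] == "icmp" and p.get("icmp_type") == 8 and p.get("dst_is_broadcast"):
            findings["Smurf"].append((p["src"], p["dst"]))
        if p["proto"] == "udp" and p.get("dst_is_broadcast") and p.get("dport") in (7, 19):
            findings["Fraggle"].append((p["src"], p["dst"]))
        if "frag_offset" in p:
            fragments[(p["src"], p["dst"], p["ip_id"])].append((p["frag_offset"], p["frag_len"]))
        if p["proto"] == "tcp":
            key = (p["dst"], p["dport"])
            if p.get("flags") == "S":
                half_open[key] += 1
            elif p.get("flags") == "A":
                half_open[key] -= 1

    # Teardrop: a fragment that starts before the previous fragment ends.
    for key, frags in fragments.items():
        frags.sort()
        for (off_a, len_a), (off_b, _) in zip(frags, frags[1:]):
            if off_b < off_a + len_a:
                findings["Teardrop"].append(key)
                break

    # SYN flood: too many handshakes left incomplete against one service.
    for key, count in half_open.items():
        if count >= syn_threshold:
            findings["SYN flood"].append(key)

    return dict(findings)


if __name__ == "__main__":
    for attack, hits in detect(SAMPLE_PACKETS).items():
        print(f"{attack}: {hits}")
```

The half-open counter is deliberately crude (it does not track sequence numbers or time windows), which is enough to show why the SYN flood countermeasure is about bounding incomplete handshakes rather than inspecting any single packet.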
1.11 Apply risk-based management concepts to the supply chain