Domain 1: Security and Risk Management

CIA Triad:

  1. Confidentiality (C): Resources must be protected from unauthorized access or disclosure
  2. Integrity (I): Resources must be protected from unauthorized modification
  3. Availability (A): Resources must be accessible to authorized parties when they need them

IAAA:

  1. Identification: Action owner identifies themselves
  2. Authentication: Action owner proves their identity
  3. Authorization: The action owner is granted or denied permission to perform an action
  4. Auditing: The action owner’s actions are logged

Accounting:

Logs of the action owner's activity are reviewed for violations.

Non-repudiation:

The action owner cannot later deny having performed their actions.

Governance (not us):

  • Decided by C-level executives (CISO, CFO, etc.)
  • Sets direction for the organization through prioritization and decision-making
  • Monitors performance and compliance
  • Decides the risk appetite

Management (us):

  • Plans how to implement the direction set by governance
  • Minimizes risk to the tolerance level set by governance

Approach:

There are 2 approaches to security management:

  1. Top Down:
    • Works on the direction given by upper management.
    • Everything is done with the support (and funding) of upper management
    • Good for security implementation
  2. Bottom Up:
    • Works on the demands and requests raised by staff, without management direction
    • Bad for security: it lacks the authority, budget and organization-wide consistency that management support provides.

Standards and Frameworks

There are many security frameworks and standards available for security implementation and guidance for any organization. A few examples are:

  1. PCI DSS: Applies to any organization that stores, processes or transmits payment card data, not only financial institutions.
  2. COBIT: IT governance and management framework from ISACA.
  3. ITIL: IT service management framework.
  4. ISO 27001
    • Published by the International Organization for Standardization (ISO); specifies the requirements for an Information Security Management System (ISMS).
    • Follows a risk-based approach.
    • Continual improvement is driven by the PDCA cycle:
      • Plan
      • Do
      • Check
      • Act
  5. ISO 27002: Code of practice giving implementation guidance for the controls listed in ISO 27001 Annex A.
  6. ISO 27005: Risk management
  7. ISO 27799: Protection of Personal Health Information (PHI)

Protection Methods

  1. Defense in Depth
    • Multiple layers of security
    • Includes physical, administrative, and logical controls
      • Physical: Guards, fence, CCTV
      • Administrative: Policies and Procedures
      • Logical: Firewall, IDPS
    • Improves CIA
  2. Encryption: Makes data unreadable to unauthorized subjects
  3. Data Hiding: Keeps data out of sight of unauthorized subjects (e.g. placing it in a separate security domain, or not exposing that it exists)

Security Governance Principles

Types of Plan:

  1. Strategic Plan
    • 3 to 5 years
    • Decided by governance
    • Plans mission, vision, and goals
  2. Tactical Plan
    • 1 year
    • Project Management, Hiring, etc.
  3. Operational Plan
    • Few months
    • Comprises the methods used to achieve the tactical plan

Laws

There are various types of laws:

  1. Criminal Law
    • Prosecuted by the government for acts against society (e.g. computer intrusion, fraud)
    • Standard of proof: “Beyond a reasonable doubt”
    • Punishment may be in the form of fines, jail or both.
  2. Civil Law
    • Disputes between entities (contracts, torts, intellectual property)
    • Lower standard of proof (“preponderance of the evidence”); the remedy is usually damages, not jail
  3. Administrative Law
    • Regulations issued and enforced by government agencies

Regulations

  1. Computer Fraud and Abuse Act 1986 (CFAA)

Due Care

Acting as a reasonable, prudent organization would: for example, having a plan to comply with all applicable regulations, implementing the controls it requires, and checking for any failure to comply.

Due Diligence

The ongoing effort to verify that due care is being maintained. It can include VAPT, security reviews and audits, etc. (Due care is doing the right thing; due diligence is checking that it is done.)

Intellectual Property

Copyright

Protects original works of authorship such as art, literature and software (source code is treated as a literary work). It prevents unauthorized copying of the original work and is indicated by the © symbol.

Trademark

Protects logos, names, slogans, etc. that identify a brand. Indicated by the ™ symbol when unregistered and by the ® symbol once registered.

Patent

Protects inventions (e.g. medicines, devices, processes) for a limited term in exchange for public disclosure of how the invention works.

Trade Secrets

Confidential business information that gives the organization a competitive edge, e.g. a special recipe. It is not registered and is protected only as long as it is kept secret (NDAs, access controls).

Import/Export Restrictions

Third Party Security

  1. Service Level Agreement (SLA): Agreement to provide a certain level of service (e.g. uptime, response times), usually with penalties for missing it
  2. Right to penetration test and audit

Vendor, Consultants, Contractors, Outsourcing and Offshoring

They must follow at least the organization's own security policies and standards; this should be written into the contract.

Acquisitions

One organization acquires another. The acquired organization's assets, systems and risks must be assessed before they are integrated.

Divestiture

The organization is split up or a part of it is sold off. Data and access must be separated so that neither party retains access to the other's systems.

Security Documents

  1. Policy
    • Mandatory
    • High level – Not specific to technology
    • A policy may be regulatory, advisory or informative
  2. Standards
    • Mandatory
    • Specific use of technology
  3. Guidelines
    • Non mandatory
    • Usually contains recommendation on how to implement
  4. Procedures
    • Mandatory
    • Low level
    • Step by step methods to implement
  5. Baseline
    • Mandatory
    • Minimum acceptable requirement

User Security

Personnel/user security is the set of controls applied to the people in the organization. This can be achieved by:

  1. Awareness
  2. Training
  3. Hiring
    • Background checks
    • Non Disclosure Agreement
  4. Termination
    • Disable the account and keep it (for audit trails and access to the user's data); never delete it immediately.

Access Control

Categories:

  1. Administrative
    • Policies and procedures
    • Regulations
    • Training
  2. Technical
    • Hardware, software and firmware
    • Encryption
  3. Physical
    • Locks, fences, etc.
    • Guard, Dogs, etc.

Types:

  1. Preventive: Least Privilege, IPS, firewall
  2. Detective: IDS, CCTV
  3. Corrective: Antivirus, Patching
  4. Recovery: DR, Backup
  5. Deterrent: Fence, Guards
  6. Compensating: An alternative control used when the primary control cannot be implemented (e.g. extra monitoring where a system cannot be patched)

Risk Management

Risk = Threat × Vulnerability (a risk exists only where a threat can exploit a vulnerability)

Steps:

  1. Identification
    • Asset
      • Tangible: Physical Hardware, Anything you can touch
      • Intangible: Data, trade secrets, etc.
    • Team
    • Scoping
    • Tools
    • Methods
    • Risk Appetite
  2. Assessment
    • Quantitative
    • Qualitative
    • Cost Benefit Analysis
    • Mitigation/Transfer/Acceptance/Avoidance
    • Risk rejection (ignoring a known risk) is not an acceptable response

Total Risk = Threat × Vulnerability × Asset Value

Qualitative Risk Assessment

Risk Matrix: likelihood and impact are rated on scales (e.g. Low/Medium/High) and plotted against each other; no monetary values are assigned.

Quantitative Risk Assessment

Assigns monetary values and probabilities to each risk (SLE, ARO and ALE below). Risk registers can be used to record and monitor the risks identified by either method.

Risk Analysis

Single Loss Expectancy(SLE) = Asset Value(AV) * Exposure Factor(EF)

Annual Loss Expectancy(ALE) = Annual Rate of Occurrence (ARO) * Single Loss Expectancy(SLE)
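The following is an added example, not code from the original notes: a small risk register that computes SLE and ALE for each risk, scores the same risks on a qualitative 5×5 matrix, and evaluates a candidate safeguard with the standard cost-benefit formula (ALE before − ALE after − annual cost of the safeguard), which is implied by "Cost Benefit Analysis" above but not written out on the page. All asset values, likelihood/impact scales, rating thresholds and the safeguard figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Qualitative scales for a 5x5 risk matrix. These are constructed for the
# example; an organization defines its own scales in its risk methodology.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def qualitative_score(likelihood: str, impact: str) -> int:
    """Risk matrix cell: likelihood rating x impact rating (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rating(score: int) -> str:
    """Band a matrix score into Low/Medium/High/Critical (constructed thresholds)."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # ARO, expected incidents per year
    likelihood: str         # qualitative inputs for the matrix
    impact: str

    def sle(self) -> float:
        """SLE = AV * EF"""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """ALE = ARO * SLE"""
        return self.aro * self.sle()


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # EF after the control, if it changes
    new_aro: Optional[float] = None              # ARO after the control, if it changes


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Net annual value of a control = ALE(before) - ALE(after) - annual cost.
    Standard cost-benefit formula (not spelled out on the page); a positive
    result means the control saves more than it costs."""
    ef = sg.new_exposure_factor if sg.new_exposure_factor is not None else risk.exposure_factor
    aro = sg.new_aro if sg.new_aro is not None else risk.aro
    after = Risk(risk.name, risk.asset_value, ef, aro, risk.likelihood, risk.impact)
    return risk.ale() - after.ale() - sg.annual_cost


def build_register(risks):
    """Risk register rows with both quantitative (SLE/ALE) and qualitative
    (matrix score) results, sorted so the largest ALE comes first."""
    rows = []
    for r in risks:
        score = qualitative_score(r.likelihood, r.impact)
        rows.append({"risk": r.name, "SLE": r.sle(), "ALE": r.ale(),
                     "score": score, "rating": rating(score)})
    return sorted(rows, key=lambda row: row["ALE"], reverse=True)


# Constructed sample risks (illustrative figures, not real data).
RISKS = [
    Risk("Ransomware on file server", 500_000, 0.6, 0.5, "likely", "major"),
    Risk("Laptop theft (disk encrypted)", 2_000, 1.0, 4.0, "almost certain", "negligible"),
    Risk("Data centre flood", 2_000_000, 0.8, 0.02, "rare", "severe"),
]
BACKUPS_AND_EDR = Safeguard("Offline backups + EDR", annual_cost=40_000,
                            new_exposure_factor=0.2, new_aro=0.25)

if __name__ == "__main__":
    for row in build_register(RISKS):
        print(f"{row['risk']:<32} SLE={row['SLE']:>12,.0f} ALE={row['ALE']:>10,.0f} "
              f"matrix={row['score']:>2} ({row['rating']})")
    print("Net value of", BACKUPS_AND_EDR.name, "=", safeguard_value(RISKS[0], BACKUPS_AND_EDR))
```

Note how the two methods can disagree: the flood has by far the largest SLE but a modest ALE and only a "Medium" matrix score because it is rare, whereas ransomware tops both lists. The safeguard's net value is positive (150,000 − 25,000 − 40,000 = 85,000 per year), which is the argument to put in front of management.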

Key Goal Indicators (KGI)

Defines a measure that tells management whether a goal has been achieved.

Key Performance Indicators (KPI)

Define actions that determine how well the processes are performing to reach the goal.

Key Risk Indicators (KRI)

Metrics that indicate how much risk the organization is currently facing (e.g. number of unpatched critical systems, overdue audit findings).

Risk response and mitigation

  1. Mitigation
  2. Transfer
  3. Acceptance
  4. Avoidance

Update risk registers with mitigations to get the risk to an acceptable level.

Business Continuity Planning

Comprises:

  • Continuity of operations plan
  • Crisis communication plan
  • Critical infrastructure protection plan
  • Cyber incident response
  • Disaster Recovery Plan
  • Information system contingency plan
  • Occupant emergency plan

NIST SP 800-34 (Contingency Planning Guide for Federal Information Systems) can be followed as the standard.

Benefits of BCP (arguments to present to management):

  • Cost of disaster
  • Regulatory requirements
  • Legal consequences
  • Loss of customer trust

Business Impact Analysis

Identify critical and non-critical assets and business processes, and prioritize them by the impact of losing them.

Recovery Point Objective (RPO) – Maximum amount of data the organization can tolerate losing.

Maximum Tolerable Downtime (MTD) – Amount of time mission/business process can be disrupted without causing significant harm.

Recovery Time Objective (RTO) – Maximum length of time it should take to restore systems following an outage or data loss; must be shorter than the MTD.

Work Recovery Time (WRT) – Time after the systems are back to restore data, test, and return the business process to normal operation.

MTD >= RTO + WRT

Mean Time Between Failures (MTBF) – Average time a new/repaired asset is expected to function before it fails.

Mean Time To Repair (MTTR) – Average time it takes to repair a failed system.

Minimum Operating Requirement (MOR) – Minimum resources (systems, staff, facilities) a critical process needs in order to function.
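As an added example (not from the original notes), the checks below apply the BIA metrics above to a constructed list of business processes: they flag any process whose RTO + WRT exceeds its MTD, and any process whose actual backup interval is longer than its RPO (the worst-case data loss would then breach the RPO). The availability function uses the standard MTBF / (MTBF + MTTR) formula, which is not on the page and is included only to show how MTBF and MTTR are used together. All figures are illustrative.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Process:
    name: str
    mtd_hours: float              # Maximum Tolerable Downtime
    rto_hours: float              # Recovery Time Objective (systems restored)
    wrt_hours: float              # Work Recovery Time (data verified, business work resumed)
    rpo_hours: float              # Recovery Point Objective (tolerable data loss)
    backup_interval_hours: float  # how often backups actually run (assumed input from the DR plan)


def check_process(p: Process) -> List[str]:
    """Return the BIA constraint violations for one business process."""
    findings = []
    recovery = p.rto_hours + p.wrt_hours
    if recovery > p.mtd_hours:  # MTD >= RTO + WRT must hold
        findings.append(f"RTO + WRT = {recovery:g}h exceeds MTD of {p.mtd_hours:g}h")
    if p.backup_interval_hours > p.rpo_hours:
        findings.append(f"backup interval {p.backup_interval_hours:g}h exceeds RPO of "
                        f"{p.rpo_hours:g}h (worst-case data loss is too large)")
    return findings


def bia_report(processes: List[Process]) -> Dict[str, List[str]]:
    """Map each process name to its list of findings (empty list = plan is consistent)."""
    return {p.name: check_process(p) for p in processes}


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability = MTBF / (MTBF + MTTR). Standard reliability
    formula, added here; it is not stated on the page."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


# Constructed sample BIA data (illustrative, not from any real plan).
PROCESSES = [
    Process("Online ordering", mtd_hours=8, rto_hours=4, wrt_hours=2, rpo_hours=1, backup_interval_hours=1),
    Process("Payroll", mtd_hours=72, rto_hours=48, wrt_hours=36, rpo_hours=24, backup_interval_hours=24),
    Process("Support portal", mtd_hours=24, rto_hours=12, wrt_hours=4, rpo_hours=4, backup_interval_hours=24),
]

if __name__ == "__main__":
    for name, findings in bia_report(PROCESSES).items():
        print(name, "->", "OK" if not findings else "; ".join(findings))
    print(f"Availability at MTBF=1000h, MTTR=10h: {availability(1000, 10):.4%}")
```

Payroll fails on the MTD rule (48 + 36 = 84 h against an MTD of 72 h), and the support portal's daily backup cannot satisfy a 4-hour RPO; both are the kind of inconsistency a BIA review should catch before a DR plan is signed off.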

Threat Intelligence

Set of activities that an organization undertakes to educate itself about changes in the cyber security threat landscape, and adapt security controls based upon threat information.

Much of it is available from open sources (OSINT feeds, vendor reports, sharing communities).

Approaches to threat modelling, which threat intelligence feeds into:

  • Focused on Assets – Start from the valuable assets and work out who threatens them
  • Focused on Attackers – Start from the attackers' goals and capabilities and protect what they would target
  • Focused on Software – Start from the software's design and find where it can be attacked

Threat Hunting

Proactively searching the network and hosts for Indicators of Compromise (IOC), rather than waiting for alerts.

IOC can be of various types:

  • Unexpected files or processes
  • Log entries (e.g. connections to known-bad addresses or domains)
  • Unapproved actions (e.g. privilege changes without a change ticket)
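The following is an added example, not part of the original notes: a minimal IOC matcher run over a few constructed key=value log lines. It covers the three IOC kinds listed above: unexpected files/processes (matched by SHA-256 hash so a renamed binary is still caught, and by process name), log entries (DNS queries and outbound connections checked against indicator lists), and unapproved actions (a privileged-group change without an approved change ticket). The IOC values, the change-ticket list and the log lines are all constructed; none are real indicators.

```python
import re
from typing import Dict, List, Tuple

# Constructed IOC set. In practice these come from threat-intelligence feeds
# (STIX/TAXII, MISP, vendor reports); none of these values are real indicators.
IOCS = {
    "ips": {"198.51.100.23"},                       # RFC 5737 documentation range
    "domains": {"update-cdn.example"},              # reserved .example TLD
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},  # sha256("test")
    "process_names": {"mimikatz.exe"},
}

# Change tickets that authorize privileged-group changes (constructed).
APPROVED_ADMIN_CHANGES = {"CHG-1042"}

# Constructed sample telemetry in a simple key=value line format.
LOGS = """\
ts=2024-05-01T10:00:01Z host=ws17 event=process_start user=alice name=winword.exe sha256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
ts=2024-05-01T10:02:13Z host=ws17 event=process_start user=alice name=svchost.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
ts=2024-05-01T10:02:14Z host=ws17 event=dns_query qname=update-cdn.example
ts=2024-05-01T10:02:15Z host=ws17 event=net_conn proto=tcp dst=198.51.100.23:443
ts=2024-05-01T10:05:40Z host=ws17 event=process_start user=alice name=mimikatz.exe sha256=1111111111111111111111111111111111111111111111111111111111111111
ts=2024-05-01T10:06:02Z host=dc01 event=group_member_added user=bob group=Administrators change=none
ts=2024-05-01T11:30:00Z host=dc01 event=group_member_added user=svc_backup group=Administrators change=CHG-1042
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict."""
    return dict(KV.findall(line))


def match_iocs(lines: List[str], iocs=IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, value) for every IOC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse(line)
        if f.get("sha256") in iocs["sha256"]:
            hits.append((n, "file_hash", f["sha256"]))  # known-bad binary, even when renamed
        if f.get("name", "").lower() in iocs["process_names"]:
            hits.append((n, "process_name", f["name"]))
        if f.get("qname") in iocs["domains"]:
            hits.append((n, "domain", f["qname"]))
        ip = f.get("dst", "").rsplit(":", 1)[0]  # strip the port
        if ip in iocs["ips"]:
            hits.append((n, "ip", ip))
        if (f.get("event") == "group_member_added" and f.get("group") == "Administrators"
                and f.get("change") not in APPROVED_ADMIN_CHANGES):
            hits.append((n, "unapproved_action", f"{f.get('user')} added to {f['group']}"))
    return hits


if __name__ == "__main__":
    for n, kind, value in match_iocs(LOGS):
        print(f"line {n}: {kind} -> {value}")
```

Line 2 is the interesting one: the binary is named svchost.exe, so a name-based rule misses it, but its hash matches the indicator. Line 7 is a legitimate admin change with an approved ticket and is not reported.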

STRIDE 

  • Spoofing – Falsifying information to gain access 
  • Tampering – Making unauthorized changes 
  • Repudiation – Denying having done an action 
  • Information Disclosure – Revelation of controlled information 
  • Denial-of-Service – Prevents the use of an asset 
  • Elevation of Privilege – Gaining capabilities beyond those the account is authorized to have

Supply Chain Risk Management (SCRM)

Vendors should apply security practices at least equivalent to those the organization follows in its own environment.

Phases:

  1. Vendor Selection – Request for Proposal (RFP)
  2. Onboarding – Verification of contracts
  3. Monitoring – Ensure security is followed.
  4. Offboarding – Data disposal

Agreements

  • Non Disclosure Agreement (NDA)
  • Service Level Requirements (SLR)
  • Service Level Agreements (SLA) – Penalties
  • Memorandum of Understanding (MOU)
  • Business Partnership Agreement (BPA)
  • Statement of Work (SOW)

Audits and Assessments

  • Scope
  • Internal Auditors – Employees of the organization; report to senior management or the audit committee rather than to the teams they audit
  • External Auditors – Independent third party; more credible to regulators and customers
  • Gap Analysis

Cloud Audits

SOC Reports: independent audits of a service provider's controls. SOC 1 covers controls relevant to financial reporting, SOC 2 covers security and related criteria (availability, processing integrity, confidentiality, privacy), SOC 3 is a public summary; Type I assesses control design at a point in time, Type II assesses operating effectiveness over a period.

