CISSP (8 Domain) Certified Information Systems Security Professional
Kelly Handerhan, Instructor (CASP, CISSP, PMP)

WELCOME TO CISSP BOOTCAMP

THE 8 DOMAINS OF CISSP
CISSP Course Syllabus:
Chapter 1: Security and Risk Management
Chapter 2: Asset Security
Chapter 3: Security Engineering
Chapter 4: Communications and Network Security
Chapter 5: Identity and Access Management
Chapter 6: Security Assessment and Testing
Chapter 7: Security Operations
Chapter 8: Software Development Security

EXAM SPECIFICS
• 250 questions (25 are unscored "beta" questions)
• 6 hours to complete the exam
• You can mark questions for review
• You will be provided with one 8x11 "wipe" board and a pen. No outside materials are permitted. You will also have access to an on-screen calculator.
• Many test centers provide earplugs or noise-cancelling headphones. Call your center ahead of time to verify.
• Questions are weighted (remember: security transcends technology)
Note: these figures describe the linear exam the deck was written for. Since December 2017 the English-language CISSP has been a computerized adaptive test with fewer questions and a shorter time limit, so confirm the current format with (ISC)² before sitting it.

THE CISSP MINDSET
• Your role is a risk advisor
• Do NOT fix problems: you identify and communicate risk; management decides
• Who is responsible for security? (Senior management)
• How much security is enough? (Enough to reduce risk to the level the organization is willing to accept)
• All decisions start with risk management. Risk management starts with identifying and valuating your assets.
• "Security transcends technology"
• Physical safety is always the first choice: human life comes before any asset
• Technical questions are for managers; management questions are for technicians
• Incorporate security into the design rather than adding it on later
• Layered defense!

CHAPTER 1: Security and Risk Management

AGENDA
• Confidentiality, integrity and availability concepts
• IAAA (identification, authentication, authorization, accountability)
• Security governance vs. management
• Compliance
• Legal and regulatory issues
• Professional ethics
• Security policies, standards, procedures and guidelines
• Business continuity and disaster recovery

WELL KNOWN EXPLOITS

THE ROLE OF INFORMATION SECURITY WITHIN AN ORGANIZATION
• First priority is to support the mission of the organization
• Requires judgment based on the risk tolerance of the organization, cost and benefit
• The role of the security professional is that of a risk advisor, not a decision maker

PLANNING HORIZON
• Strategic goals: over-arching; supported by tactical and operational goals
• Tactical goals: mid-term; lay the necessary foundation to accomplish the strategic goals
• Operational goals: day-to-day; focus on productivity and task-oriented activities

SECURITY FUNDAMENTALS: THE C-I-A TRIAD
• Confidentiality
• Integrity
• Availability

CONFIDENTIALITY
• Prevent unauthorized disclosure
• Threats against confidentiality, with the controls that address them:
  • Social engineering: training, separation of duties, enforced policies, vulnerability assessments
  • Media reuse: proper sanitization strategies
  • Eavesdropping: encrypt; keep sensitive information off the network

INTEGRITY
• Detect modification of information, whether accidental corruption or intentional/malicious modification
• Controls: message digest (hash), MAC, digital signatures
• These are not interchangeable: a bare hash only catches accidental corruption, because anyone who can alter the data can recompute the hash; a keyed MAC also catches tampering by anyone without the key; a digital signature additionally provides non-repudiation, since only the private-key holder can produce it

AVAILABILITY
• Provide timely and reliable access to resources
• Redundancy, redundancy, redundancy
• Prevent single points of failure
• Comprehensive fault tolerance (data, hard drives, servers, network links, etc.)
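The integrity slide lists hash, MAC and digital signature without showing what each buys you. The following is an added illustration, not code from the slide deck: it runs the two integrity threats the slide names (accidental corruption and intentional modification) against a receiver that trusts a bare SHA-256 digest and a receiver that verifies an HMAC. The record, the shared key and the attacker's behaviour are all constructed for the example; the digital-signature case is not shown because Python's standard library has no asymmetric primitives, but it behaves like the MAC case with the added property that only the private-key holder can sign.

```python
"""Integrity controls from the C-I-A slides: why a hash alone is not enough.

Added example, not from the slide deck. Compares an unkeyed message
digest with a keyed MAC (HMAC-SHA256) against the two integrity threats
the slide names: accidental corruption and intentional modification.
The record, key and attacker below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed record that a sender stores or transmits with an integrity tag.
ORIGINAL = b"transfer 100.00 from 1111 to 4242"
# Constructed key shared only by sender and receiver (never by the attacker).
SHARED_KEY = b"example-integrity-key-replace-in-practice"


def digest(message: bytes) -> str:
    """Unkeyed message digest. Anyone can compute it, including an attacker."""
    return hashlib.sha256(message).hexdigest()


def mac(message: bytes, key: bytes) -> str:
    """Keyed MAC. Only holders of `key` can produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_hash(message: bytes, tag: str) -> bool:
    """Receiver that trusts a bare hash stored alongside the record."""
    return hmac.compare_digest(digest(message), tag)


def receiver_accepts_mac(message: bytes, tag: str) -> bool:
    """Receiver that verifies an HMAC with the shared key. compare_digest
    runs in constant time so the check itself does not leak the tag."""
    return hmac.compare_digest(mac(message, SHARED_KEY), tag)


def corrupt(message: bytes) -> bytes:
    """Accidental corruption: flip one bit in the last byte (disk/link error)."""
    return message[:-1] + bytes([message[-1] ^ 0x01])


def tamper(message: bytes) -> bytes:
    """Intentional modification: redirect the payment to the attacker's account."""
    return message.replace(b"4242", b"6666")


def attacker_rewrites_hash_protected(message: bytes, tag: str) -> tuple:
    """Attacker with write access replaces the record AND recomputes the hash."""
    forged = tamper(message)
    return forged, digest(forged)


def attacker_rewrites_mac_protected(message: bytes, tag: str) -> tuple:
    """Same attacker against a MAC-protected record. Without SHARED_KEY the
    best they can do is guess a key (reusing the old tag fails the same way)."""
    forged = tamper(message)
    guessed_key = secrets.token_bytes(32)
    return forged, mac(forged, guessed_key)


def scenario() -> dict:
    """Run both threats against both receivers. True means 'detected'."""
    h_tag = digest(ORIGINAL)
    m_tag = mac(ORIGINAL, SHARED_KEY)
    return {
        "hash_detects_corruption": not receiver_accepts_hash(corrupt(ORIGINAL), h_tag),
        "hash_detects_tampering": not receiver_accepts_hash(
            *attacker_rewrites_hash_protected(ORIGINAL, h_tag)),
        "mac_detects_corruption": not receiver_accepts_mac(corrupt(ORIGINAL), m_tag),
        "mac_detects_tampering": not receiver_accepts_mac(
            *attacker_rewrites_mac_protected(ORIGINAL, m_tag)),
        "mac_accepts_genuine": receiver_accepts_mac(ORIGINAL, m_tag),
    }


if __name__ == "__main__":
    for check, detected in scenario().items():
        print(f"{check}: {detected}")
```

The one result worth remembering from the run is `hash_detects_tampering: False`: the attacker simply recomputed the digest over the altered record, so a hash stored next to the data it protects is a checksum, not an integrity control against an adversary.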
BEST PRACTICES (TO PROTECT C-I-A)
• Separation of duties (SoD)
• Mandatory vacations
• Job rotation
• Least privilege
• Need to know
• Dual control

DEFENSE IN DEPTH
• Also known as layered defense
• No one device will PREVENT an attacker
• Three main types of controls: technical (logical), administrative, physical

RISK
• Every decision starts with looking at risk
• Determine the value of your assets
• Identify the potential for loss
• Find a cost-effective solution that reduces risk to an acceptable level (rarely can we eliminate risk)
• Safeguards are proactive; countermeasures are reactive

RISK DEFINITIONS
• Asset: anything of value to the company
• Vulnerability: a weakness; the absence of a safeguard
• Threat: something that could cause loss to all or part of an asset
• Threat agent: what carries out the attack
• Exploit: an instance of compromise (a threat agent making use of a vulnerability)
• Risk: the probability of a threat materializing, weighed against the impact if it does
• Controls: physical, administrative and technical protections; safeguards (proactive) and countermeasures (reactive)

SOURCES OF RISK
• Weak or non-existent anti-virus software
• Disgruntled employees
• Poor physical security
• Weak access control
• No change management
• No formal process for hardening systems
• Lack of redundancy
• Poorly trained users

RISK MANAGEMENT
The process of identifying, analyzing, assessing, mitigating or transferring risk. Its main goal is the reduction of the probability or impact of a risk. It is the summary topic that includes all risk-related actions: assessment, analysis, mitigation and ongoing risk monitoring.

RISK MANAGEMENT (OVERVIEW)
Risk Management
  • Risk Assessment
    • Identify and valuate assets
    • Identify threats and vulnerabilities
  • Risk Analysis
    • Qualitative
    • Quantitative
  • Risk Mitigation/Response
    • Reduce/Avoid
    • Transfer
    • Accept/Reject
  • Ongoing Risk Monitoring

RISK ASSESSMENT
• Identification and valuation of assets is the first step in risk assessment
• What are we protecting and what is it worth?
  • Is it valuable to me? To my competitors?
  • What damage will be caused if it is compromised?
  • How much time was spent in development?
  • Are there compliance/legal issues?

RISK ANALYSIS
• Determining a value for a risk
• Qualitative vs. quantitative
• Risk value is probability × impact
• Probability: how likely is the threat to materialize?
• Impact: how much damage will there be if it does?
• Also referred to as likelihood and severity

RISK ANALYSIS (APPROACHES)
• Qualitative analysis (subjective, judgment-based): probability and impact matrix
• Quantitative analysis (objective, numbers-driven)

QUALITATIVE ANALYSIS
• Subjective in nature
• Uses words like "high", "medium" and "low" to describe the likelihood and severity (or probability and impact) of a threat exposing a vulnerability
• The Delphi technique is often used: experts are polled anonymously over several rounds so the group converges on a rating without the loudest voice in the room dominating

QUANTITATIVE ANALYSIS
• Requires more experience than qualitative analysis
• Involves calculations to determine a dollar value for each risk event
• Business decisions are made on this type of analysis
• Goal is to put a dollar value on a risk and use that amount to determine the best control for a particular asset
• Necessary for a cost/benefit analysis

QUANTITATIVE ANALYSIS (FORMULAS)
• AV (Asset Value)
• EF (Exposure Factor): the fraction of the asset's value lost in a single incident
• ARO (Annualized Rate of Occurrence): how many times per year the incident is expected
• SLE (Single Loss Expectancy) = AV × EF
• ALE (Annualized Loss Expectancy) = SLE × ARO
• The annual cost of a control should be the same as or less than the loss it prevents, i.e. the ALE before the control minus the ALE after it

MITIGATING RISK
• Three acceptable risk responses: reduce (which includes avoiding the risky activity altogether), transfer, accept. Rejecting or ignoring a known risk is not an acceptable response.
• Secondary risks: new risks introduced by a response
• Residual risks: the risk that remains after the response
• Continue to monitor for risks
• How we decide to mitigate business risks becomes the basis for security governance and policy

SECURITY GOVERNANCE
The IT Governance Institute, in its Board Briefing on IT Governance, 2nd Edition, defines security governance as follows:
"Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."

SECURITY BLUEPRINTS
Frameworks for achieving security governance:
• BS 7799, ISO 17799 and the ISO 27000 series
• COBIT and COSO
• OCTAVE
• ITIL

COBIT AND COSO
• COBIT (Control Objectives for Information and related Technology)
• COSO (Committee of Sponsoring Organizations)
• Both focus on goals (control objectives) for security

ITIL
• The Information Technology Infrastructure Library is the de facto standard of best practices for IT service management
• Five service management publications: Strategy, Design, Transition, Operation, Continual Improvement
• While the individual ITIL publications are not testable, its purpose and comprehensive approach are. It provides best practices for the organization and the means by which to implement those practices.

OCTAVE
• Operationally Critical Threat, Asset and Vulnerability Evaluation
• Self-directed risk evaluation developed by Carnegie Mellon: people within the organization direct the risk analysis
• A suite of tools, techniques and methods for risk-based information security strategic assessment and planning
• Phases: 1. Identify assets; 2. Identify vulnerabilities; 3. Risk analysis and mitigation

BS 7799, ISO 17799, ISO 27000 SERIES
• BS 7799-1 (the code of practice) was absorbed into ISO 17799, which was renumbered ISO 27002 to fit the ISO numbering scheme
• BS 7799-2 (the management-system specification) became ISO 27001

ISO 27000 SERIES
• ISO 27001: establishment, implementation, control and improvement of the ISMS; follows the PDCA (Plan, Do, Check, Act) cycle
• ISO 27002: replaced ISO 17799; provides practical advice on how to implement security controls, organized into control domains (10 in ISO 17799, 11 in ISO 27002:2005, 14 in the 2013 revision)
• ISO 27004: provides metrics for measuring the success of the ISMS
• ISO 27005: a standards-based approach to risk management
• ISO 27799: directives on protecting personal health information

THE PLAN-DO-CHECK-ACT (PDCA) MODEL
Input: the information security requirements and expectations of interested parties. Output: managed information security delivered back to those interested parties.
• Plan: establish the ISMS
• Do: implement and operate the ISMS
• Check: monitor and review the ISMS
• Act: maintain and improve the ISMS
Notes: Deming's cycle from TQM (the basis for Six Sigma); also used by ISO 9001:2008; best practice for ISM governance.

MANAGEMENT
• Top-down approach: security practices are directed and supported at the senior management level and flow down through middle management to staff
• Bottom-up approach: the IT department tries to implement security from the staff level up, without direction or support from senior and middle management

SENIOR MANAGEMENT ROLE
• CEO, CSO, CIO, etc.
• Ultimately responsible for security within the organization
• Development and support of policies
• Allocation of resources
• Decisions based on risk
• Prioritization of business processes

LIABILITIES
• Legal liability is an important consideration for risk assessment and analysis. It addresses whether or not a company is responsible for specific actions or inaction.
• Who is responsible for security within an organization? Senior management.
• Are we liable in the instance of a loss?
• Due diligence: continuously monitoring the organization's practices to ensure they are meeting or exceeding the security requirements
• Due care: ensuring that best practices are implemented and followed; following up due diligence with action
• Prudent man rule: acting responsibly and cautiously, as a prudent man would
• Best practices: the organization is aligned with the favored practices within its industry

ORGANIZATIONAL SECURITY POLICY
• Also known as a program policy
• Mandatory
• High-level statement from management
• Should support the strategic goals of the organization
• Explains any legislation or industry-specific drivers
• Assigns responsibility
• Should be integrated into all business functions
• Enforcement and accountability

ISSUE- AND SYSTEM-SPECIFIC POLICY
• Issue-specific policy, sometimes called functional implementation policy, states the company's stance on various employee issues; AUP, email and privacy policies are all issue-specific
• System-specific policy is geared toward the use of network and system resources: approved software lists, use of firewalls, IDS, scanners, etc.

SECURITY POLICY DOCUMENT RELATIONSHIPS
Laws, regulations and best practices
  → Program (organizational) policy
    → Functional (issue- and system-specific) policies: management's security directives
      → Standards, baselines and procedures (mandatory) and guidelines (recommended)

STANDARDS
• Mandatory
• Created to support policy while providing more specifics
• Reinforce policy and provide direction
• Can be internal or external

PROCEDURES
• Mandatory
• Step-by-step directives on how to accomplish an end result
• Detail the "how-to" of meeting the policy, standards and guidelines

GUIDELINES
• Not mandatory
• Suggestive in nature
• Recommended actions and guides for users ("best practices")

BASELINES
• Mandatory
• Minimum acceptable security configuration for a system or process
• The purpose of security classification is to determine and assign the baseline configuration necessary to protect the data

PERSONNEL SECURITY POLICIES (EXAMPLES)
• Hiring practices and procedures
• Background checks/screening
• NDAs
• Employee handbooks
• Formal job descriptions
• Accountability
• Termination

ROLES AND RESPONSIBILITIES
• Senior/executive management
  • CEO: chief decision-maker
  • CFO: responsible for budgeting and finances
  • CIO: ensures technology supports the company's objectives
  • ISO: risk analysis and mitigation
• Steering committee: defines risks, objectives and approaches
• Auditors: evaluate business processes
• Data owner: classifies data
• Data custodian: day-to-day maintenance of data
• Network administrator: ensures availability of network resources
• Security administrator: responsible for all security-related tasks, focusing on confidentiality and integrity

RESPONSIBILITIES OF THE ISO
• Responsible for providing C-I-A for all information assets
• Communication of risks to senior management
• Recommend best practices to influence policies, standards, procedures and guidelines
• Establish security measurements
• Ensure compliance with government and industry regulations
• Maintain awareness of emerging threats

LIABILITIES: WHO IS AT FAULT?
• Failure of management to exercise due care and/or due diligence can be termed negligence
• Culpable negligence is often used to prove liability
• Prudent man rule: perform the duties that prudent people would exercise in similar circumstances
• Example: due care is setting a policy; due diligence is enforcing that policy
• Downstream liabilities: integrating technology with other companies can extend one's responsibility outside the normal bounds

LEGAL LIABILITY
• Legally recognized obligation: a standard exists that outlines the conduct expected of a company to protect others from unreasonable risks
• Proximate causation: fault can actually be proven to be a direct result of one's action or inaction
• Violation of law: regulatory, criminal or intellectual property
• Violation of due care: stockholder suits
• Violation of privacy: employee suits

TYPES OF LAWS
• Criminal law
• Civil law
• Regulatory (administrative) law
• Intellectual property law

CRIMINAL LAW
• Burden of proof is "beyond a reasonable doubt", which can be difficult to meet in computer-related crimes
• Penalties: financial, jail time, death
• Felonies: the more serious of the two; the penalty often results in incarceration of at least a year
• Misdemeanors: normally the less serious of the two, with fines or jail time of less than one year
• The goal of criminal penalties is punishment and deterrence

CIVIL (TORT) LAW
• Burden of proof is a preponderance of the evidence
• Damages:
  • Compensatory: paid for the actual damage suffered by a victim, including attorney fees, loss of profits, medical costs, investigative costs, etc.
  • Punitive: designed as a punishment for the offender
  • Statutory: an amount stipulated within the law rather than calculated from the degree of harm to the plaintiff; often awarded for acts in which it is difficult to determine the value of the harm to the victim
• Liability, due care, due diligence and the prudent person rule are all pertinent to civil law, as well as to administrative law

ADMINISTRATIVE (REGULATORY) LAW
• Defines standards of performance and regulates conduct for specific industries
  • Banking (Basel II)
  • Energy (Energy Policy Act, EPAct, of 2005)
  • Health care (HIPAA)
• Burden of proof is "more likely than not"
• Penalties consist of financial sanctions or imprisonment

INTELLECTUAL PROPERTY
• Intellectual property law protects products of the mind
• A company must take steps to protect resources covered by these laws, or the laws may not protect them
• The main international body is the World Intellectual Property Organization (WIPO), a UN agency
• Licensing violations are the most prevalent, followed by plagiarism, piracy and corporate espionage

INTELLECTUAL PROPERTY PROTECTION: TRADE SECRET
• The resource must provide competitive value
• Must be reasonably protected from unauthorized use or disclosure
• Proprietary to a company and important for its survival
• Must be genuine and not obvious

COPYRIGHT
• Copyright protection lasts for the lifetime of the author plus 70 years; for works made for hire (e.g. by a corporation) it is 95 years from publication or 120 years from creation, whichever expires first (US terms; the deck's "75 years" figure predates the 1998 term extension)
• The work does not need to be registered or published to be protected
• Protects the expression of ideas rather than the ideas themselves
• Gives the author control over how the work is distributed, reproduced and used
• Two limitations on copyright: first sale and fair use

INTELLECTUAL PROPERTY PROTECTION: TRADEMARK
• Protects a word, name, symbol, sound, shape, color or combination used to identify a product and distinguish it from others
• Protects against someone stealing another company's "look and feel"
• Examples: corporate brands and operating system logos
• The Trademark Law Treaty Implementation Act extends trademark protection internationally

INTELLECTUAL PROPERTY PROTECTION: PATENT
• Originally valid for 17 years; now valid for 20 years from filing
• Protection for those who have legal ownership of an invention
• The invention must be novel and non-obvious
• The owner has exclusive control of the invention for 20 years (e.g. a patented cryptographic algorithm)
• The strongest form of protection
• Published to stimulate other inventions
• The PCT (Patent Cooperation Treaty) has been adopted by over 130 countries to provide international protection of patents
• No organization enforces patents; it is up to the owner to pursue patent rights through the legal system

ATTACKS ON INTELLECTUAL PROPERTY
• Piracy
• Copyright infringement
• Counterfeiting
• Cybersquatting
• Typosquatting

EXPORT/IMPORT RESTRICTIONS
• Export restrictions
  • The Wassenaar Arrangement is a multilateral export-control regime covering conventional arms and dual-use goods and technologies, cryptography included; it is not itself a law, and participating states implement its control lists through national export regulations
  • Export of cryptographic software to non-government end users in most countries is permitted (US controls were relaxed in 2000)
  • No export of strong encryption software to state sponsors of terrorism or otherwise embargoed countries
• Import restrictions
  • Some countries restrict the import or use of strong cryptography, or require key escrow: a copy of the private keys must be provided to law enforcement
  • US Safe Harbor (the EU-US personal-data transfer framework, not a cryptography control; it was invalidated by the Court of Justice of the EU in 2015)

INTERNATIONAL ISSUES
• Trans-border issues
• Each country treats computer crimes differently
• Evidence rules differ between legal systems
• Governments may not assist each other in international cases
• Jurisdiction issues

PRIVACY ISSUES: EMPLOYEE MONITORING
• Local labor laws related to privacy cannot be violated
• Be mindful of the reasonable expectation of privacy (REP)
• Gain an employee waiver by signature on policies, etc.
• Notify employees of monitoring that may be used, or do not monitor them at all
• Login banners and security awareness
• Ensure that monitoring is lawful
• Do not target individuals in monitoring
• Monitor work-related events only: keystrokes, cameras, badges, telephone, e-mail

HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT)
• Applies to
  • Health insurers
  • Health care providers
  • Health care clearinghouses (claim-processing agencies)
• As of 2009 (HITECH Act), covered entities must disclose security breaches involving protected health information

GRAMM-LEACH-BLILEY FINANCIAL SERVICES MODERNIZATION ACT (GLBA)
• Requires financial institutions to better protect customers' PII (personally identifiable information)
• Three rules:
  • Financial Privacy Rule: requires financial institutions to provide information to customers regarding how their PII is protected
  • Safeguards Rule: requires each financial institution to have a formal written security plan detailing how customer PII will be safeguarded
  • Pretexting protection: addresses social engineering and requires methods to limit the information that can be obtained by this type of attack

PCI DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD)
• Not a legal mandate: the payment card industry self-regulates its own security standards
• Applies to any business worldwide that transmits, processes or stores payment card transactions to conduct business with customers
• Compliance is enforced by the payment card brands (Visa, MasterCard, American Express, etc.)
• Compliance ...
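The risk-analysis slides earlier in this chapter give the quantitative formulas (SLE = AV × EF, ALE = SLE × ARO), the rule that a control should cost no more than the loss it prevents, and the high/medium/low matrix for qualitative analysis. The following is an added worked example, not material from the slide deck: it turns those formulas into a small calculator and applies them to a constructed scenario with three candidate controls, so the cost/benefit rule yields an actual choice. Every asset value, exposure factor, rate and control cost is invented for the illustration.

```python
"""Risk analysis worked example for the Chapter 1 slides.

Added illustration, not part of the slide deck. Implements the deck's
formulas (risk = probability x impact; SLE = AV x EF; ALE = SLE x ARO)
and the cost/benefit rule for controls. All asset values, exposure
factors, rates and control costs below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# ---- Qualitative analysis: words in, rating out --------------------------
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(probability: str, impact: str) -> str:
    """Probability x impact matrix using the slide's high/medium/low words."""
    score = LEVELS[probability.lower()] * LEVELS[impact.lower()]
    if score >= 6:        # high*medium or high*high
        return "high"
    if score >= 3:        # high*low or medium*medium
        return "medium"
    return "low"


# ---- Quantitative analysis: SLE and ALE ----------------------------------
def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor (EF in 0..1)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor is a fraction of asset value")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x Annualized Rate of Occurrence."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef) * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # yearly cost to buy, run and maintain the control
    ef_after: float      # exposure factor once the control is in place
    aro_after: float     # occurrence rate once the control is in place


def control_value(av: float, ef: float, aro: float, control: Control) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost.

    This is the slide's rule 'cost of control should be the same or less
    than the potential for loss' as a number: a negative value means the
    control costs more per year than the loss it prevents.
    """
    before = ale(av, ef, aro)
    after = ale(av, control.ef_after, control.aro_after)
    return before - after - control.annual_cost


def best_control(av, ef, aro, controls) -> Optional[Control]:
    """Return the cost-justified control with the highest annual value,
    or None when none pays for itself (accept the risk as it stands)."""
    scored = [(control_value(av, ef, aro, c), c) for c in controls]
    justified = [(v, c) for v, c in scored if v > 0]
    if not justified:
        return None
    return max(justified, key=lambda pair: pair[0])[1]


# ---- Constructed scenario: a customer-facing web server ------------------
WEB_AV = 200_000.0   # constructed asset value
WEB_EF = 0.25        # constructed: one defacement/outage costs 25% of AV
WEB_ARO = 0.5        # constructed: expected once every two years

CANDIDATES = (
    Control("web application firewall", annual_cost=8_000.0, ef_after=0.25, aro_after=0.1),
    Control("hot standby site", annual_cost=15_000.0, ef_after=0.05, aro_after=0.5),
    Control("gold-plated rebuild", annual_cost=30_000.0, ef_after=0.0, aro_after=0.0),
)


def worked_example() -> dict:
    """Run the numbers for the constructed scenario."""
    return {
        "sle": sle(WEB_AV, WEB_EF),                                   # 50,000
        "ale": ale(WEB_AV, WEB_EF, WEB_ARO),                          # 25,000
        "values": {c.name: control_value(WEB_AV, WEB_EF, WEB_ARO, c)
                   for c in CANDIDATES},
        "choice": best_control(WEB_AV, WEB_EF, WEB_ARO, CANDIDATES),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The point the deck makes in words shows up in the numbers: the "gold-plated rebuild" eliminates the risk entirely and is still the wrong answer, because its annual cost exceeds the annualized loss it prevents; the firewall, which only lowers the occurrence rate, has the best return. Reduction to an acceptable level, not elimination, is what quantitative analysis buys.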