2019 FRSecure CISSP Mentor Program: Session Two
1. 2019 CISSP MENTOR PROGRAM
April 10, 2019
Class 2 – April 10, 2019
Instructors:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
• Evan Francen, FRSecure & SecurityStudio CEO
• Maybe some others later…
2. CISSP® MENTOR PROGRAM – SESSION TWO
1
INTRODUCTION
You ready?! Let the journey begin…
Only 90 slides tonight. This is small font on purpose.
3. INTRODUCTION – Agenda – Domain 1: Security and Risk Management
• Cornerstone Information Security Concepts
• Legal and Regulatory Issues
• Security and 3rd Parties
• Ethics
• Information Security Governance
• Access Control Defensive Categories and Types
• Risk Analysis
• Types of Attackers
4. INTRODUCTION – Terms and Definitions to Memorize
• CIA Triad
  • Confidentiality – prevent the unauthorized disclosure of information: keep data secret.
  • Integrity – prevent unauthorized modification of information: keep data accurate.
  • Availability – ensure that information is available when needed.
• Identity
  • Subject – an active entity on an information system
  • Object – a passive data file
5. INTRODUCTION – Terms and Definitions to Memorize
• Risk – the likelihood of something bad happening and the impact if it did; threats (bad event) and vulnerabilities (weakness)
• Annualized Loss Expectancy (or ALE) – the cost of loss due to a risk over a year
• Safeguard (or “control”) – a measure taken to reduce risk
• Total Cost of Ownership (or TCO) – total cost of a safeguard/control
• Return on Investment (or ROI) – money saved by deploying a safeguard
6. INTRODUCTION – Cornerstone Information Security Concepts
Definition of “information security” (don’t forget):
Information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical and technical controls.
“Most organizations overemphasize technical controls to protect confidentiality and do so at the expense of other critical controls and purposes.”
8. INTRODUCTION – Cornerstone Information Security Concepts
Balance is critical.
The opposite of C I A is D A D (Disclosure, Alteration, and Destruction).
9. INTRODUCTION – Cornerstone Information Security Concepts
Confidentiality:
• Prevent unauthorized access, disclosure, or read access.
• Keeping data secret.
• Data accessible to subjects with clearance, formal approval, and a need to know.
10. INTRODUCTION – Cornerstone Information Security Concepts
Integrity:
• Prevent unauthorized modification, or write access.
• Two types: data integrity and system integrity.
11. INTRODUCTION – Cornerstone Information Security Concepts
Availability:
• Ensure that data is available when needed.
• Confidentiality and integrity compete with availability; locking down data makes it less accessible/available.
12. INTRODUCTION – Cornerstone Information Security Concepts
Information security is about risk management, not risk elimination.
In order to determine risk, we must first determine what our most important (or critical) assets are.
We use safeguards (or controls) to protect our assets and mitigate (not eliminate) risk. Risk tolerance is the amount of risk that the business is willing to tolerate (or accept).
13. INTRODUCTION – Cornerstone Information Security Concepts
Definition of “privacy” (don’t forget):
Privacy is managing risks to the confidentiality, integrity, and availability of personally identifiable information (or PII) using administrative, physical and technical controls.
Privacy is part of information security, but it is often treated as a separate issue.
14. INTRODUCTION – Cornerstone Information Security Concepts
Definition of “privacy” (don’t forget):
“According to our definitions, privacy and information security cannot be separated. The two disciplines are unified. The unified approach can create simplicity, improve effectiveness and ensure compliance. The letter of the law is one thing, but the intent in many cases is to manage risk well. There are always a few nuances here and there, but the theory is if we manage risk well according to our definitions, we will be compliant -- or very close to compliant.”
https://www.forbes.com/sites/forbestechcouncil/2019/03/11/simplify-your-information-security-and-privacy-frameworks/#2382afba697e
15. INTRODUCTION – Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
First, identity…
• Nothing more than a claim.
• Like “I am Brad” or “my username is bnigh”.
• Name, username, ID number, employee number, etc.
• Identifiers should be non-descriptive, but often are descriptive.
• Without proof (next slide), you’ll have to just take my word for it.
16. INTRODUCTION – Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
Then authentication…
• Proof that I am who I say I am. A subject proves identity to another subject or object.
• Password, PIN code, picture, biometric, etc.
• Identification and authentication must be separate and ideally different (SSN – OOPS!)
• An identity is stolen when the authenticator is also stolen. A stolen password leads to a stolen identity…
17. INTRODUCTION – Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
Authentication comes in three types (or factors):
• Something you know; password, PIN number, etc.
• Something you have; tokens, phone, debit card, etc.
• Something you are; biometrics (fingerprint, retina scan, etc.)
• Using two (or more) factors is called “strong” authentication, multi-factor authentication, 2FA, MFA, etc.
19. INTRODUCTION – Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
Once a subject has been identified and authenticated, they must be authorized to do something. Authorization…
• What actions is a subject permitted to perform?
• Read, write, execute.
• Privileges, rights, permissions, etc.
22. INTRODUCTION – Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
“At a functional level; IAM includes access, meaning what an identity is permitted to do; authorization. Identity and access management then includes identity, authentication, and authorization. Both IM and IAM benefit from accountability, so this function is added to both. This results in:
• IM = Identity + Authentication + Accountability
• IAM = Identity + Authentication + Authorization + Accountability
IA and IAM are in fact two functions that are integrated, not one single synonymous function.”
https://www.cybersecurityintelligence.com/blog/identity-management-fundamentals-4208.html
23. INTRODUCTION – Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
Just because a subject has been authorized (or permitted) by a system to do something doesn’t mean that the subject should do it. The principle of need to know still applies.
24. INTRODUCTION – Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
Very similar, but slightly different:
• Least Privilege is tied to rights; basically what I can do with and in the system.
• Need to Know is tied to information; basically what I can do with information.
A violation of least privilege can easily violate the need to know principle.
"Over 30 percent of respondents admit to having no policy in place for managing administrator access”
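The IAAA flow covered on the last several slides, worked through as an added Python example (this is not code from the slides, from FRSecure or from any product they mention). It models identity as a bare claim, authentication as proof with two factors (something you know, something you have), authorization as a right on an object, need to know as a separate check on the information, and accountability as a log of every decision. The account, documents, password, token secret and classification levels are constructed for the example; the "token code" is a simple HMAC stand-in for what a real hardware token or phone app would display.

```python
"""Added example (not from the slides): a small model of IAAA plus the
least-privilege / need-to-know distinction. Every value here is constructed."""
import hashlib
import hmac
from dataclasses import dataclass

AUDIT_LOG: list = []  # accountability: every decision, allowed or denied, is recorded


def hash_password(password: str, salt: bytes) -> bytes:
    # "Something you know": store a salted, slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def token_code(token_secret: str, window: str = "window-1") -> str:
    # "Something you have": constructed stand-in for the code a token would show
    # (a real OTP derives it from the current time window).
    return hmac.new(token_secret.encode(), window.encode(), "sha256").hexdigest()[:6]


@dataclass
class Account:
    username: str        # identity: nothing more than a claim
    salt: bytes
    pw_hash: bytes
    token_secret: str
    clearance: int       # constructed levels: 1 internal, 2 confidential, 3 secret
    rights: dict         # least privilege: object name -> actions the subject may perform
    need_to_know: set    # need to know: information (projects) the subject is approved for


@dataclass
class Document:
    name: str            # object: a passive entity
    classification: int
    project: str


def authenticate(acct: Account, username: str, password: str, code: str) -> bool:
    """Identification plus authentication: the claim must match the account and
    both factors must check out. Comparisons are constant-time."""
    claim_ok = hmac.compare_digest(username, acct.username)
    know_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    have_ok = hmac.compare_digest(code, token_code(acct.token_secret))
    ok = claim_ok and know_ok and have_ok
    AUDIT_LOG.append(("authn", username, ok))
    return ok


def authorize(acct: Account, doc: Document, action: str) -> bool:
    """Authorization is three separate questions and all must be yes:
    the right (least privilege), the clearance, and the need to know."""
    has_right = action in acct.rights.get(doc.name, set())
    cleared = acct.clearance >= doc.classification
    ntk = doc.project in acct.need_to_know
    ok = has_right and cleared and ntk
    AUDIT_LOG.append(("authz", acct.username, doc.name, action, ok,
                      {"right": has_right, "cleared": cleared, "need_to_know": ntk}))
    return ok


def demo_account() -> Account:
    salt = b"constructed-salt"  # fixed so the example is reproducible; use os.urandom() in practice
    return Account(
        username="bnigh", salt=salt,
        pw_hash=hash_password("correct horse battery", salt),
        token_secret="constructed-token-secret", clearance=2,
        rights={"payroll.xlsx": {"read"}, "merger-plan.docx": {"read", "write"},
                "board-minutes.docx": {"read"}},
        need_to_know={"payroll"},
    )


# Constructed objects; each one fails (or passes) on a different question.
DOCS = {
    "payroll.xlsx": Document("payroll.xlsx", 2, "payroll"),             # right, cleared, need to know
    "merger-plan.docx": Document("merger-plan.docx", 2, "merger"),      # right, cleared, NO need to know
    "board-minutes.docx": Document("board-minutes.docx", 3, "payroll"), # right, NOT cleared
    "hr-roster.csv": Document("hr-roster.csv", 1, "payroll"),           # NO right (least privilege)
}


def run_scenario() -> dict:
    """Authenticate, then return the read decision for each document."""
    acct = demo_account()
    if not authenticate(acct, "bnigh", "correct horse battery", token_code(acct.token_secret)):
        raise PermissionError("authentication failed")
    return {name: authorize(acct, doc, "read") for name, doc in DOCS.items()}


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    for entry in AUDIT_LOG:
        print(entry)
```

Only payroll.xlsx is readable: merger-plan.docx is denied even though the system granted read and write rights on it, which is the slide-23 point that being permitted by the system is not the same as having a need to know.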
25. INTRODUCTION – Cornerstone Information Security Concepts
Subjects and Objects
• A subject is an active entity; users, services, applications, etc.
• An object is a passive entity; paper, database tables, etc.
• An entity can be a subject in one instance and an object in another. It really depends on context.
Expect the exam to use these definitions and test you on them – very testable.
26. INTRODUCTION – Cornerstone Information Security Concepts
Due Care and Due Diligence
Reasonable?
• Conduct an information security risk assessment?
• Make logical risk-based information security decisions?
• Not knowing what your most significant risk is?
• Ignorance?
27. INTRODUCTION – Cornerstone Information Security Concepts
Those are our “cornerstone” information security concepts.
They are foundational, so master them.
Easy, right?
29. INTRODUCTION – Cornerstone Information Security Concepts
Another “Dad” Joke…
What’s the difference between bird flu and swine flu?
One requires tweetment, and the other requires oinkment.
30. LEGAL AND REGULATORY ISSUES – Major Legal Systems
• There are four major legal systems that are covered in the exam:
  • Civil Law
  • Common Law
  • Religious Law
  • Customary Law
• There are different legal systems in different parts of the world. Be aware of what legal system is used in whatever country you’re operating in!
31. LEGAL AND REGULATORY ISSUES – Major Legal Systems – Civil Law (Legal System)
• Most common legal system throughout the world.
• Codified laws (or statutes)
• A legislative body (or branch) is usually tasked with creating the laws/statutes.
• A judicial body (or branch) interprets the law.
• No (or very little) weight is given to judicial precedent or outcomes from previous cases.
32. LEGAL AND REGULATORY ISSUES – Major Legal Systems – Common Law (Legal System)
• The legal system in the United States, Canada, U.K. and others
• Codified laws (or statutes)
• A legislative body (or branch) is usually tasked with creating the laws/statutes.
• Much weight is given to judicial precedent and outcomes from previous cases. Judicial interpretations of the laws can change over time.
This is the most likely legal system to be referred to on the exam.
33. LEGAL AND REGULATORY ISSUES – Within the Common Law (legal system)
34. LEGAL AND REGULATORY ISSUES – Major Legal Systems – Common Law (Legal System) – Criminal Law
• Victim is society – promote and maintain an orderly and law-abiding citizenry
• Requires proof beyond a reasonable doubt
• Deter crime and punish offenders
  • Incarceration
  • Financial penalties
  • Even execution…
35. LEGAL AND REGULATORY ISSUES – Major Legal Systems – Common Law (Legal System) – Civil Law
• Victim is an individual, group, or organization
• Most commonly between private parties
• One act can be prosecuted under both criminal and civil procedures
• Damages are (often) financial:
  • Statutory Damages – prescribed by the law (even if no loss or injury to the victim)
  • Compensatory Damages – awarded to compensate a victim for loss or injury
  • Punitive Damages – to punish and discourage really bad behavior
• Burden of proof is the preponderance of the evidence (think tipping the scale)
37. LEGAL AND REGULATORY ISSUES – Major Legal Systems – Common Law (Legal System) – Administrative Law
• Laws enacted by governmental agencies
• Typically the legislature or President issues an administrative law
• The agency interprets the law and enforces it
• Government-mandated compliance
• Examples include FCC regulations, HIPAA, FDA regulations, FTC regulations, etc.
• Very little, if any, recourse.
39. LEGAL AND REGULATORY ISSUES – Liability
• Who should be held accountable?
• Who should we blame?
• Who should pay?!
• Apply the Prudent Man Rule
  • Due Care
  • Due Diligence
40. LEGAL AND REGULATORY ISSUES – Legal Aspects of Investigations
• Collecting and handling evidence is a critical legal issue; some evidence is more important than other evidence, or carries more weight.
• Evidence should be relevant, authentic, accurate, complete, and convincing.
• You need to understand the five types of evidence.
41. LEGAL AND REGULATORY ISSUES – Types of Evidence
• Real Evidence – consists of tangible or physical objects; a computer or hard drive is real evidence, but the data is NOT.
• Direct Evidence – testimony from a first-hand witness using one or more of his/her five senses; non-first-hand evidence is called “hearsay”.
• Circumstantial Evidence – establishes the circumstances related to points in the case or other evidence; not good to use alone to prove a case.
• Corroborative Evidence – evidence to strengthen a fact or element of a case; provides additional support, but cannot establish a fact on its own.
• Hearsay Evidence – second-hand evidence normally considered inadmissible in court (Rule 802), but there are exceptions (Rule 803)…
42. LEGAL AND REGULATORY ISSUES – Hearsay Evidence
• The general inadmissibility of hearsay evidence is defined in Rule 802 of the Federal Rules of Evidence of the United States
• Numerous rules (namely 803 and 804 here) provide exceptions to Rule 802
• Business and computer-generated records (logs) are generally considered to be hearsay evidence.
• Rule 803 provides for the admissibility of a record or report that was “made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation.”
43. LEGAL AND REGULATORY ISSUES – Hearsay Evidence
• We always preserve the original, create a binary copy, and conduct an investigation using the copy, not the original.
• Rule 1001 allows for the admissibility of binary disk and physical memory images; “if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’.”
• Opposing counsel will question the validity of the data used in an investigation.
44. LEGAL AND REGULATORY ISSUES – Legal Aspects of Investigations
• Best Evidence Rule – courts prefer the best evidence possible; evidence should be relevant, authentic, accurate, complete, and convincing – direct evidence is always best.
• Secondary Evidence – common in cases involving computers; consists of copies vs. originals – logs and documents from computers are considered secondary
• Chain of Custody – chain of custody form
• Prosecuting computer crimes (criminal) is hard…
46. LEGAL AND REGULATORY ISSUES – Legal Aspects of Investigations – Evidence Integrity
• The quality of the evidence will be challenged in court (or at least assume it will be).
• The integrity of the evidence is a critical forensic function.
• Checksums can ensure that no data changes occurred as a result of the acquisition and analysis.
• One-way hash functions such as MD5 or SHA-1 are commonly used for this purpose. (Pro tip: MD5 in practice is weak and not preferred)
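The checksum practice from this slide and slide 43 (preserve the original, work from a binary copy, and use a one-way hash to show nothing changed during acquisition and analysis), as an added Python example that is not code from the slides or from FRSecure. The "disk image" is a constructed byte string; the examiner name and the custody record layout are assumptions. MD5 and SHA-1 are the algorithms the slide names; SHA-256 is added alongside them because, as the slide's pro tip says, MD5 is weak in practice.

```python
"""Added example (not from the slides): proving evidence integrity with checksums.
Hash the original at acquisition, hash the binary copy, record both, and re-hash
the copy after analysis. The image and examiner below are constructed."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image: 16 KiB of patterned bytes.
ORIGINAL_IMAGE = bytes(range(256)) * 64

# MD5 and SHA-1 are what the slide mentions; SHA-256 is added as the stronger choice.
ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes, chunk_size: int = 4096) -> dict:
    """Hash the data with every algorithm, feeding it in chunks the way you
    would for an image far too large to hold in memory at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(original: bytes, examiner: str) -> tuple:
    """Preserve the original, make a bit-for-bit copy, and start the custody record."""
    working_copy = bytes(original)  # the original is not touched again after this
    record = {
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "original": digests(original),
        "copy": digests(working_copy),
    }
    # Acquisition is only valid if the copy hashes identically to the original.
    record["copy_matches_original"] = record["original"] == record["copy"]
    return working_copy, record


def verify(working_copy: bytes, record: dict) -> bool:
    """Run after analysis (and before presenting): every digest must still match
    what was recorded at acquisition, otherwise the copy has been altered."""
    return digests(working_copy) == record["copy"]


if __name__ == "__main__":
    copy, rec = acquire(ORIGINAL_IMAGE, "examiner-01 (constructed)")
    print("copy matches original at acquisition:", rec["copy_matches_original"])
    print("copy unchanged after analysis:", verify(copy, rec))
    tampered = copy[:100] + b"\x00" + copy[101:]  # a single altered byte
    print("tampered copy still verifies:", verify(tampered, rec))
```

Recording more than one digest costs little and means a challenge to one algorithm (MD5, say) does not leave the record unsupported; a single changed byte anywhere in the copy fails verification.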
48. LEGAL AND REGULATORY ISSUES – Legal Aspects of Investigations – Reasonable Searches
• The Fourth Amendment to the United States Constitution protects citizens from unreasonable search and seizure
• In ALL cases, the court will determine if evidence was obtained legally
• Law enforcement needs a search warrant issued by a judge (in most cases); exceptions:
  • Plain sight
  • Public checkpoints
  • Exigent circumstances – immediate threat to human life or of evidence destruction
• Only applies to law enforcement and those operating under the “color of law” – Title 18 U.S.C. Section 242 – Deprivation of Rights Under the Color of Law
CAUTION: If law enforcement tells you to do something during an investigation, you may be operating under the color of law, which means you must comply with the 4th Amendment. If law enforcement is not involved, a search warrant is not required.
49. LEGAL AND REGULATORY ISSUES – Legal Aspects of Investigations – Entrapment & Enticement
• Entrapment – persuades someone to commit a crime who otherwise had no intent to commit a crime – valid legal defense
• Enticement – persuades someone to commit a crime who already had the intent to commit a crime – not a valid defense.
Honeypots
50. LEGAL AND REGULATORY ISSUES – Intellectual Property – Trademarks and Servicemarks
Trademarks – ® and ™
• Creation of a distinguishing brand
• Applies to name, logo, symbol, or image (usually)
• ™ can be used freely by anyone; unregistered trademark
• ® is a registered trademark with the U.S. Patent and Trademark Office
• A superscript “SM” can be used to brand a service
Examples: SecurityStudio® and VENDEFENSE®
52. LEGAL AND REGULATORY ISSUES – Intellectual Property – Patents
• Provide a (legal) monopoly to the patent holder in exchange for the patent holder making their invention public
• Invention must be “novel” and “unique”
• Generally patents provide exclusivity for 20 years
• After patent expiration, the invention can be produced and sold by anyone
53. LEGAL AND REGULATORY ISSUES – Intellectual Property – Copyrights
• Software is typically covered under copyright law
• Limitations:
  • Fair sale – allows a legitimate purchaser to sell the software (or video, music, etc.) to someone else
  • Fair use – allows for duplication without the consent of the copyright holder, subject to the Copyright Act of 1976
• Licenses – contract between the consumer and provider; provides explicit limitations on the use and distribution of software; EULAs
54. LEGAL AND REGULATORY ISSUES – Intellectual Property – Copyrights
• Implied copyright on all artistic works.
• People can file for a registered copyright with the Copyright Office.
• Enforceable term for copyright is 70 years after the death of the author.
• Corporate copyright term is 95 years after the first publication or 120 years after creation, whichever comes first.
55. LEGAL AND REGULATORY ISSUES – Intellectual Property – Trade Secrets
• Business-proprietary information that is essential for the organization to compete in the marketplace.
• “Secret sauce”
• Must be “actively protected” to be enforceable; using due care and due diligence
• If an organization does not take reasonable steps to protect a trade secret, it is assumed that the organization doesn’t enjoy a competitive advantage from the trade secret, leading to a conclusion that it’s not actually a trade secret at all.
56. LEGAL AND REGULATORY ISSUES – Intellectual Property – Intellectual Property Attacks
• Piracy and copyright infringement – Pirate Bay, BitTorrent, etc.
• Cybersquatting & Typosquatting
• Counterfeiting
• Dilution (not really an attack)
  • Band-aid
  • Kleenex
61. LEGAL AND REGULATORY ISSUES – Privacy
• Confidentiality of personally-identifiable information (subset of security)
• Examples of PII: names/email addresses (maybe), Social Security Numbers (SSN), Protected Health Information (“PHI”), bank account information (sort of), etc.
• There are numerous privacy laws throughout the world
  • EU General Data Protection Regulation (GDPR) – https://eugdpr.org/
  • California Consumer Privacy Act (CCPA) – https://www.caprivacy.org/
“The value has encouraged many leaders to create a whole slew of laws and regulations, including medical and data-based regulations (paywall). GDPR is only one such regulation, but in the United States, we have many state and federal ones to deal with (Compilation of State & Federal Privacy Laws by Robert Ellis Smith cites over 800).”
62. LEGAL AND REGULATORY ISSUES – Privacy – European Union Privacy (EU Data Protection Directive)
• Aggressive pro-privacy law
• Notifying individuals of how their data is gathered and used
• Allow for opt-out for sharing with 3rd parties
• Opt-in required for sharing “most” sensitive data
• Reasonable protections
• No transmission out of the EU unless the receiving country is perceived to have adequate (equal) privacy protections; the U.S. does NOT meet this standard. EU-US Safe Harbor, optional between organization and EU.
64. LEGAL AND REGULATORY ISSUES – Privacy – EU General Data Protection Regulation (GDPR)
• Designed to "harmonise" data privacy laws across Europe and give greater protection and rights to individuals
• Published in the EU Official Journal in May 2016, effective on May 25, 2018
• Applies to individuals, organisations, and companies that are either 'controllers' or 'processors' of personal data
• 99 articles containing rights of individuals and obligations placed on organisations
• An excellent summary can be found on Advisera’s website: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
I don’t think GDPR is testable, but it should be. It’s very applicable in the real world. If I were you, I would just get familiar with the basics of it. Don’t spend a ton of time on it, but skim some.
65. LEGAL AND REGULATORY ISSUES – Privacy – Organization for Economic Cooperation and Development (OECD) Privacy Guidelines
• Not mandatory – eight driving principles:
  • Collection Limitation Principle
  • Data Quality Principle
  • Purpose Specification Principle
  • Use Limitation Principle
  • Security Safeguards Principle
  • Openness Principle
  • Individual Participation Principle
  • Accountability Principle
67. LEGAL AND REGULATORY ISSUES – Privacy – EU-US Safe Harbor
• For use where U.S. companies don’t have EU-compliant privacy practices.
• Gives US-based organizations the benefit of authorized data sharing
• Voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive
69. LEGAL AND REGULATORY ISSUES – Other Important Rules and Laws – HIPAA
• Health Insurance Portability and Accountability Act (HIPAA, not HIPPA)
• Overseen by the Department of Health and Human Services (DHS), enforced by the Office for Civil Rights (OCR)
• Three rules: Privacy Rule, Security Rule, and Breach (notification) Rule
• Applies to “covered entities” and also (now) “business associates”
• Originally passed in 1996, Security Rule finalized in 2003, modified in 2009 (HITECH), and Omnibus Rule in 2013
• Security Rule mandates certain administrative, physical, and technical safeguards
• Risk analysis is required
70. • Electronic Communications Privacy Act (ECPA)
• Protection of electronic communications against
warrantless wiretapping
• Amended/weakened by the PATRIOT Act
• Computer Fraud and Abuse Act (CFAA) – Title 18
Section 1030
• Most commonly used law to prosecute computer
crimes
• Enacted in 1986
• Amended in 1989, 1994, 1996, 2001, 2002 (PATRIOT
Act), and 2008 (Identity Theft Enforcement and
Restitution Act)
LEGAL AND REGULATORY ISSUES
Other Important Rules and Laws
71. • PATRIOT Act of 2001
• Expands law enforcement electronic monitoring
capabilities
• Allows search and seizure without immediate
disclosure
• Gramm-Leach-Bliley Act (GLBA)
• Applies to financial institutions; driven by the Federal
Financial Institutions Examination Council (FFIEC);
enforced by member agencies, OCC, FDIC, FRB,
NCUA, and CFPB
• Enacted in 1999, requires protection of the
confidentiality and integrity of consumer financial
information
LEGAL AND REGULATORY ISSUES
Other Important Rules and Laws
72. • California Senate Bill 1386 (SB1386)
• Regulates the privacy of personal information
• One of the first data breach notification laws
• Sarbanes-Oxley Act of 2002 (SOX)
• Directly related to the financial scandals in the late
90s
• Regulatory compliance standards for financial
reporting
• Intentional violations can result in criminal penalties
LEGAL AND REGULATORY ISSUES
Other Important Rules and Laws
73. LEGAL AND REGULATORY ISSUES
Breach Notification Laws
74. LEGAL AND REGULATORY ISSUES
Breach Notification Laws
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
75. • 47 48 50 states have enacted breach notification laws
• There is no Federal breach notification law
• Conflicts arise in interpretations, jurisdictions, and
definitions
• Safe harbors may (or may not) be provided if the data
was encrypted, depending on the state
There are also two data protection laws and numerous data destruction
laws. To make matters worse, there are data openness laws and
Freedom of Information Act considerations!
LEGAL AND REGULATORY ISSUES
Breach Notification Laws
76. • More accurately “third-party information security risk
management”
• Attestation – How can you attest to the fact that vendors
are protecting assets adequately? Risk assessments
(FISASCORE®), SOC 2 (Type 1 and 2), ISO Certification,
HITRUST, Shared Assessments, PCI-DSS ROC, etc.
• Right to Penetration Test & Right to Audit
• Procurement
• Acquisitions
• Divestitures
LEGAL AND REGULATORY ISSUES
Vendor Risk Management Considerations
SecurityStudio’s VENDEFENSE –
https://vendefense.com
77. • Must be agreed to in order to become CISSP
• Preamble, canons (mandatory), and guidance (advisory)
• Canons (in order):
• Protect society, the commonwealth, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession
• Canons are applied in order; if there are conflicts, go with
the higher one.
ISC2® CODE OF ETHICS
VERY TESTABLE
78. 1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer
work.
3. Thou shalt not snoop around in other people’s computer
files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness
COMPUTER ETHICS INSTITUTE
Ten Commandments of Computer Ethics
79. 6. Thou shalt not copy or use proprietary software for
which you have not paid.
7. Thou shalt not use other people’s computer resources
without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual
output.
9. Thou shalt think about the social consequences of the
program you are writing or the system you are
designing.
10. Thou shalt always use a computer in ways that ensure
consideration and respect for your fellow humans.
COMPUTER ETHICS INSTITUTE
Ten Commandments of Computer Ethics
80. • “Ethics and the Internet”
• Defined as a Request for Comment (RFC), #1087
• Published in 1987
• Considered unethical behavior:
• Seeks to gain unauthorized access to the resources of
the Internet
• Disrupts the intended use of the Internet
• Wastes resources (people, capacity, computer)
through such actions
• Destroys the integrity of computer-based information
• Compromises the privacy of users
INTERNET ACTIVITIES BOARD (IAB) ETHICS
Ethics and the Internet (RFC 1087)
81. • Policy (Mandatory)
• Purpose
• Scope
• Responsibilities
• Compliance
• Policy types
• Program policy
• Issue-specific policy
• System-specific policy
INFORMATION SECURITY GOVERNANCE
Security Policy and Related Documents
82. • Procedures
• Mandatory
• Step-by-step guidance
• Standards
• Mandatory
• Specific use of a technology
• Guidelines
• Recommendations; discretionary
• Advice/advisory
• Baselines (or benchmarks)
• Usually discretionary
• Uniform methods of implementing a standard
INFORMATION SECURITY GOVERNANCE
Security Policy and Related Documents
83. Switching gears now…
INFORMATION SECURITY GOVERNANCE
Security Policy and Related Documents
84. • Security Awareness and Training
• Actually two different things
• Training teaches specific skills
• Awareness activities are reminders
• Background Checks
• Criminal history, driving records, credit checks, employment verification,
references, professional claims, etc.
• More sensitive roles require more thorough checks; one-time and
ongoing
• Employee Termination
• Formalized disciplinary process (progressive)
• Exit interviews, rights revocation, account reviews, etc.
• Dealing with Vendors, Contractors, 3rd Parties
• Outsourcing and Offshoring
ACCESS CONTROL DEFENSIVE CATEGORIES AND TYPES
Personnel Security Considerations
85. • Categories
• Administrative Controls
• Technical Controls
• Physical Controls
• Types
• Preventive
• Detective
• Corrective
• Recovery
• Deterrent
• Compensating
ACCESS CONTROL DEFENSIVE CATEGORIES AND TYPES
Access Control Defensive Categories and Types
VERY TESTABLE: you may be given a
scenario or control description and
need to provide the category and
type.
In order to be sure of the control type,
you need to clearly understand
context.
86. • All decisions should be driven by risk.
• Most people don’t assess risk well (formally or informally)
• Assets
• Threats
• Vulnerabilities
• Risk = Threat x Vulnerability
• Risk = Threat x Vulnerability x Impact (better)
ACCESS CONTROL DEFENSIVE CATEGORIES AND TYPES
Risk Analysis
Risk is arguably the most overused and
misunderstood concept in security.
NOTE: I disagree with the book. Risk is the
likelihood of something bad happening and
the impact if it did.
87. • Risk calculations (also VERY TESTABLE)
• Risk analysis matrix
• Annualized Loss Expectancy (ALE = SLE x ARO)
• Asset Value (AV)
• Market Approach
• Income Approach
• Cost Approach
• Exposure Factor (EF) – expressed as a percent of asset
exposed (given a threat and vulnerability)
• Single Loss Expectancy (SLE = AV x EF)
• Annual Rate of Occurrence (ARO)
ACCESS CONTROL DEFENSIVE CATEGORIES AND TYPES
Risk Analysis
89. • Qualitative Risk Analysis
• Quantitative Risk Analysis
• There are thousands of different risk assessment/analysis
methodologies. One is NIST SP 800-30 which outlines a
9-step process:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis (vulnerabilities)
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
ACCESS CONTROL DEFENSIVE CATEGORIES AND TYPES
Risk Analysis
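The risk formulas on the last three slides (Risk = Threat x Vulnerability x Impact, SLE = AV x EF, ALE = SLE x ARO, and the qualitative risk analysis matrix) worked through in code, as an added example for study; this is not material from the mentor program or the book. The asset value, exposure factor, ARO, safeguard cost and the risk-register entries are all constructed numbers, and the 3x3 likelihood/impact scale is one common choice of ordinal matrix, not a standard the deck prescribes. The "ROI" calculation follows the session's own definition (money saved by deploying a safeguard) by subtracting the safeguard's annual cost from the ALE reduction it buys.

```python
# Added example: quantitative (ALE) and qualitative (matrix) risk analysis
# helpers written around this session's formulas. Not code from the mentor
# program; every dollar figure, factor and rating below is constructed.
from dataclasses import dataclass


@dataclass
class QuantitativeRisk:
    """One asset/threat pair, using the deck's variables: AV, EF, ARO."""
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0.0-1.0)
    aro: float               # Annual Rate of Occurrence (expected events per year)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def safeguard_roi(before: QuantitativeRisk, after: QuantitativeRisk,
                  annual_safeguard_cost: float) -> float:
    """Money saved per year by a safeguard, per the session's ROI definition:
    the ALE reduction it delivers minus its annual cost (TCO).
    A negative result means the control costs more than the risk it removes."""
    return before.ale() - after.ale() - annual_safeguard_cost


# Qualitative analysis: a 3x3 risk matrix on ordinal scales. "Likelihood"
# stands in for the deck's Threat x Vulnerability term; Impact is the third factor.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(likelihood: str, impact: str) -> int:
    """Matrix cell value = Likelihood x Impact, ranging from 1 to 9."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rank_register(register: list[dict]) -> list[str]:
    """Return risk names ordered from the highest matrix score to the lowest."""
    ordered = sorted(register,
                     key=lambda r: qualitative_score(r["likelihood"], r["impact"]),
                     reverse=True)
    return [r["name"] for r in ordered]


def worked_example() -> dict:
    """Constructed scenario (hypothetical numbers): a $100,000 web server
    losing 25% of its value per ransomware event, one event every two years.
    A backup/recovery control costing $5,000 a year is estimated to cut the
    ARO to once per ten years."""
    before = QuantitativeRisk("web server / ransomware", 100_000, 0.25, 0.5)
    after = QuantitativeRisk("web server / ransomware (with backups)", 100_000, 0.25, 0.1)
    return {
        "sle": before.sle(),                         # 25,000
        "ale_before": before.ale(),                  # 12,500
        "ale_after": after.ale(),                    # 2,500
        "roi": safeguard_roi(before, after, 5_000),  # 5,000: the control pays for itself
    }


if __name__ == "__main__":
    for label, value in worked_example().items():
        print(f"{label:>10}: ${value:,.2f}")
    register = [  # constructed entries for the qualitative matrix
        {"name": "lost laptop", "likelihood": "high", "impact": "medium"},
        {"name": "data center fire", "likelihood": "low", "impact": "high"},
        {"name": "phishing of finance staff", "likelihood": "high", "impact": "high"},
    ]
    print(rank_register(register))  # phishing (9), lost laptop (6), fire (3)
```

Exam questions on this material typically give AV, EF and ARO and ask for SLE or ALE, or give two ALE figures plus a control cost and ask whether the control is justified; `worked_example()` runs exactly that comparison, and `rank_register()` shows the qualitative alternative when dollar figures are not available.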
90. • Hackers
• Black hat (or “Cracker” or “malicious hacker”)
• White hat (or “ethical hacker”)
• Gray hat (confused/identity crisis)
• Script Kiddies – low skill, can click and type, use
tools/scripts made by others
• Outsiders vs. Insiders
• Hacktivist
• Bots and Botnets
• Phishers and Spear Phishers (also vishers and whalers
or whaling)
TYPES OF ATTACKERS
The book says…
Two truths about attackers:
1. If you think you know their motivation, you’re probably wrong.
2. Attribution is hard, and in most cases it’s not worth it.
91. CONGRATS! That was a lot of information, but now you
get a whole four days to digest it.
• Please spend time reading Chapter 1 & 2, if you haven’t
already.
• Please come with questions on Monday (4/15). We will
recap some of today’s material and cover questions in the
next class.
• Brad leads on Monday!
THAT’S IT. NEXT?
Yay us!
Evan Francen
@evanfrancen
Brad Nigh
@BradNigh
See you Monday!