This document summarizes session 3 of a 2019 CISSP mentor program. It discusses risk analysis, including qualitative and quantitative approaches. Key terms like asset value, exposure factor, single loss expectancy, and annualized loss expectancy are defined. Examples of risk analysis calculations are provided. The session also covered risk management processes, risk choice options, and included a quiz to test understanding.
2019 FRSecure CISSP Mentor Program: Class Three
1. 2019 CISSP MENTOR PROGRAM
April 15, 2019
-----------
Class 3 – April 15, 2019
Instructors:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
• Evan Francen, FRSecure & SecurityStudio CEO
2. GETTING GOING…
Great job last week! We’re through the introduction and the 1st Domain (Security and Risk Management). Let’s get going!
• Every week goes so fast, it’s easy to forget what happened. Same for you guys?
• Virginia won the NCAA Men’s BB Championship (Class #1 night)
• Snowpocalypse (Class #2 night)
• Check-in.
• How many have read Chapter 1 & 2?
• Questions?
CISSP® MENTOR PROGRAM – SESSION THREE
3. GETTING GOING… – Other Updates:
• We’ve had a couple of people who told us that they are interested in hosting/facilitating a study group.
• Email mentorprogram@frsecure.com if you’re interested in hosting/facilitating/participating in a study group. We’ll put the right people in touch.
• We’ve got a request to set up a Slack channel for the class.
4. GETTING GOING… – Let’s spend a little more time on risk analysis…
• Assets – hardware, software, and information
• Vulnerability (or weakness)
• Threat
• Risk = Threat x Vulnerability (likelihood and impact)
• Risk = Threat × Vulnerability × Impact (another way to put it)
Human life trumps everything!
5. GETTING GOING… – Qualitative & Quantitative Risk Analysis
• Qualitative – based upon professional opinion; High, Medium, Low…
• Quantitative – based on real values; dollars. Pure quantitative analysis is nearly impossible (lack of data).
• Risk Analysis Matrix – Qualitative risk analysis table; likelihood on one side, impact on the other.
6. GETTING GOING… – Qualitative & Quantitative Risk Analysis
• Quantitative – based on real values; dollars. Pure quantitative analysis is nearly impossible (lack of data).
• Asset Value (AV) – Fair market value for an asset
• Exposure Factor (EF) – % of asset lost during an incident (threat occurrence)
• Single Loss Expectancy (SLE) – AV x EF
• Annual Rate of Occurrence (ARO) – How many times a bad thing is expected/year.
• Annualized Loss Expectancy (ALE) – SLE x ARO
If ALE exceeds Total Cost of Ownership (TCO), there is a positive Return on Investment (ROI), or Return on Security Investment (ROSI).
7. GETTING GOING… – Risk Choices
There are only four; risk acceptance criteria should be documented. Risk decisions should ALWAYS be made by management, NOT information security.
• Accept – the risk is acceptable without additional control or change.
• Mitigate – the risk is unacceptable (too high) and requires remediation.
• Transfer – the risk can be transferred to someone else; 3rd-party provider, insurance.
• Avoid – the risk will be avoided by discontinuing the action(s) that led to the risk.
8. GETTING GOING… – Risk Management Process(es)
There are dozens of risk management processes or methodologies.
• United States National Institute of Standards and Technology (NIST) Special Publication 800-30, Risk Management Guide for Information Technology Systems (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf); nine-step process:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
9. QUIZ!
1. Which of the following would be an example of a policy statement?
A. Protect PII by hardening servers
B. Harden Windows 7 by first installing the pre-hardened OS image
C. You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols
D. Download the CISecurity Windows benchmark and apply it
11. QUIZ!
2. Which of the following steps would be taken while conducting a Qualitative Risk Analysis?
A. Calculate the Asset Value
B. Calculate the Return on Investment
C. Complete the Risk Analysis Matrix
D. Complete the Annualized Loss Expectancy
13. QUIZ!
Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000/month. You have tested this service, and believe it will mitigate the attacks.
3. What is the Annual Rate of Occurrence in the above scenario?
A. $20,000
B. 40%
C. 7
D. $10,000
15. QUIZ!
4. What is the annualized loss expectancy (ALE) of lost iPod sales due to the DoS attacks?
A. $20,000
B. $8,000
C. $84,000
D. $56,000
17. QUIZ!
5. Is the DoS mitigation service a good investment?
A. Yes, it will pay for itself
B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy
C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy
D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy
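As an added worked example that is not part of the original slides, the quantitative formulas from the Qualitative & Quantitative Risk Analysis slide (SLE = AV x EF, ALE = SLE x ARO, ROSI positive when ALE exceeds TCO) carried through on the numbers of the DoS scenario above, in Python. The assumptions are this example's own: one attack hits one week of sales, so AV is one week's profit and EF is the 40% sales reduction; the service's annual TCO is its monthly fee times twelve; and, because the scenario says the service "will mitigate the attacks", the default models it removing the whole ALE. The class and function names (QuantitativeRisk, annual_tco, rosi) are not from the slides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantitativeRisk:
    """Inputs for the quantitative risk formulas on the slide.

    asset_value:     AV, fair market value of the asset (dollars)
    exposure_factor: EF, fraction of the asset lost per incident (0.0 to 1.0)
    annual_rate:     ARO, expected number of incidents per year
    """
    asset_value: float
    exposure_factor: float
    annual_rate: float

    def __post_init__(self) -> None:
        # Reject inputs the formulas cannot sensibly take (e.g. an EF of 40 instead of 0.40).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.annual_rate


def annual_tco(monthly_cost: float, one_time_cost: float = 0.0) -> float:
    """Annual Total Cost of Ownership of a control: recurring fee plus any one-time spend."""
    return monthly_cost * 12 + one_time_cost


def rosi(risk: QuantitativeRisk, control_tco: float, mitigation_fraction: float = 1.0) -> dict:
    """Compare the loss a control avoids with its annual TCO.

    mitigation_fraction is the share of the ALE the control is believed to remove;
    1.0 is the slide's simple rule (the control fully mitigates the risk).
    'worth_it' is True only when the avoided loss exceeds the control's cost.
    """
    loss_avoided = risk.ale() * mitigation_fraction
    return {
        "sle": risk.sle(),
        "ale": risk.ale(),
        "loss_avoided": loss_avoided,
        "tco": control_tco,
        "net_benefit": loss_avoided - control_tco,
        "worth_it": loss_avoided > control_tco,
    }


# Constructed from the quiz scenario (assumption: one attack affects one week of sales):
# AV = $20,000 weekly profit, EF = 40%, ARO = 7 attacks/year, service = $10,000/month.
DOS_RISK = QuantitativeRisk(asset_value=20_000, exposure_factor=0.40, annual_rate=7)
DOS_SERVICE_TCO = annual_tco(monthly_cost=10_000)

if __name__ == "__main__":
    for key, value in rosi(DOS_RISK, DOS_SERVICE_TCO).items():
        print(f"{key:>13}: {value}")
    # A cheaper control on the same risk, to show the comparison flipping:
    print("cheaper control worth it:", rosi(DOS_RISK, annual_tco(monthly_cost=2_000))["worth_it"])
```

The mitigation_fraction parameter is the one knob the slide does not mention: in practice a control rarely removes all of the ALE, and a partial figure (say 0.8) is what a vendor test or historical data would justify, so the comparison should be rerun with that figure before the ROSI claim is made.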
19. QUIZ!
6. An attacker sees a building is protected by security guards, and attacks a building next door with no guards. What control combination are the security guards?
A. Physical/Compensating
B. Physical/Detective
C. Physical/Deterrent
D. Physical/Preventive
21. QUIZ!
7. Which of the following proves an identity claim?
A. Authentication
B. Authorization
C. Accountability
D. Auditing
Piece of cake!
23. DOMAIN 2: ASSET SECURITY – Protecting Security of Assets
Easy chapter in theory, difficult in practice
24. DOMAIN 2: ASSET SECURITY – Agenda – Domain 2: Asset Security
Short chapter; starting on page 81
• Classifying Data
• Ownership
• Memory and Remanence
• Data Destruction
• Determining Data Security Controls
25. DOMAIN 2: ASSET SECURITY – Terms and Definitions to Memorize
• RAM – Random Access Memory, volatile hardware memory that loses integrity after loss of power
• Remanence – Data that persists beyond noninvasive means to delete it.
• Reference Monitor – Mediates all access between subjects and objects
• ROM – Read Only Memory, nonvolatile memory that maintains integrity after loss of power
• Scoping – The process of determining which portions of a standard will be employed by an organization
• SSD – Solid State Drive, a combination of flash memory (EEPROM) and DRAM
• Tailoring – The process of customizing a standard for an organization
26. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) – Labels
Objects have labels – Subjects have clearances
• Data classification scheme
• Executive Order 12356 (http://www.archives.gov/federal-register/codification/executive-order/12356.html) – Top Secret, Secret, and Confidential
• Company/Private Sector – Confidential, Internal Use Only, Public
• Security Compartments; documented need to know and clearance
27. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) – Clearance
Objects have labels – Subjects have clearances
• Formal approval/authorization to specific levels of information
• Not really used as much in the private sector
• “All About Security Clearances” from the US Department of State: http://www.state.gov/m/ds/clearances/c10978.htm
• Standard Form 86 is a 127-page questionnaire!
28. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification)
Formal Access Approval
• Documented
• Access requests should be approved by the owner, not the manager and certainly not the custodian (more to follow)
• Approves subject access to certain objects
• Subject must understand all rules and requirements for access
• Best practice is that all access requests and access approvals are auditable
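The three Classifying Data slides above (labels on objects and clearances on subjects, security compartments with documented need to know, and formal access approval granted by the owner and kept auditable) combined into a small reference monitor in Python, as an added example that is not from the slides or from FRSecure. The ordering Public < Internal Use Only < Confidential, the rule that a read is granted only when the subject's clearance is at or above the object's label and the subject holds every compartment the object carries, and the names Subject, DataObject and ReferenceMonitor are this example's own assumptions; every decision is appended to an audit log so that both approvals and access checks can be reviewed later.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Private-sector label scheme from the slide; the numeric ordering is this example's assumption.
LEVELS: Dict[str, int] = {"Public": 0, "Internal Use Only": 1, "Confidential": 2}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                                # highest label the subject is cleared for
    compartments: FrozenSet[str] = frozenset()   # documented need-to-know areas

    def __post_init__(self) -> None:
        if self.clearance not in LEVELS:
            raise ValueError(f"unknown clearance {self.clearance!r}")


@dataclass(frozen=True)
class DataObject:
    name: str
    label: str                                    # classification label on the object
    owner: str                                    # the data owner, who alone may approve access
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.label not in LEVELS:
            raise ValueError(f"unknown label {self.label!r}")


@dataclass
class ReferenceMonitor:
    """Mediates every access between subjects and objects and records each decision."""
    approvals: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (subject, object) -> approver
    audit_log: List[str] = field(default_factory=list)

    def approve(self, approver: str, subject: Subject, obj: DataObject) -> None:
        """Record a formal access approval; only the object's owner may grant one."""
        if approver != obj.owner:
            self.audit_log.append(
                f"DENIED approval {subject.name}->{obj.name} by {approver}: not the data owner")
            raise PermissionError("only the data owner may approve access")
        self.approvals[(subject.name, obj.name)] = approver
        self.audit_log.append(f"APPROVED {subject.name}->{obj.name} by owner {approver}")

    def can_read(self, subject: Subject, obj: DataObject) -> bool:
        """Grant a read only if clearance, compartments and formal approval all check out."""
        reasons: List[str] = []
        if LEVELS[subject.clearance] < LEVELS[obj.label]:
            reasons.append("clearance below label")
        missing = obj.compartments - subject.compartments
        if missing:
            reasons.append("missing compartment(s): " + ", ".join(sorted(missing)))
        if (subject.name, obj.name) not in self.approvals:
            reasons.append("no formal access approval")
        decision = "GRANT" if not reasons else "DENY"
        detail = f": {'; '.join(reasons)}" if reasons else ""
        self.audit_log.append(f"{decision} read {subject.name}->{obj.name}{detail}")
        return not reasons


if __name__ == "__main__":
    # Constructed sample: an HR director owns a Confidential payroll file in the "payroll" compartment.
    monitor = ReferenceMonitor()
    payroll = DataObject("payroll-2019.xlsx", "Confidential", owner="hr-director",
                         compartments=frozenset({"payroll"}))
    alice = Subject("alice", "Confidential", frozenset({"payroll"}))
    bob = Subject("bob", "Internal Use Only")
    print("alice before approval:", monitor.can_read(alice, payroll))
    monitor.approve("hr-director", alice, payroll)
    print("alice after approval: ", monitor.can_read(alice, payroll))
    print("bob:                  ", monitor.can_read(bob, payroll))
    print("\n".join(monitor.audit_log))
```

The point the slides make and the code enforces is that clearance alone is not enough: alice is cleared to Confidential and holds the right compartment, yet her first read is denied until the owner (not a manager, not the IT custodian) records the approval, and the denial itself lands in the log.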
29. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification)
• Three roles; data owner, data custodian, and data user
• Three classifications; Confidential, Internal Use, and Public
• In real life; easy to document and hard to implement
• Data Classification defines sensitive information data handling requirements, data storage requirements and, in some cases, data retention requirements
30. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Data Owner:
• Typically, the person responsible for, or dependent upon the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.
• Determines the appropriate value and classification of information generated by the owner or department;
• Must communicate the information classification when the information is released outside of the department and/or organization;
• Controls access to his/her information and must be consulted when access is extended or modified; and
• Must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.
31. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Data Custodian:
• The Data Custodian maintains the protection of data according to the information classification associated with it by the Data Owner.
• The Data Custodian role is delegated by the Data Owner and is usually Information Technology personnel.
32. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Data User:
• The person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.
33. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Confidential Data:
• Information protected by statutes, regulations, company policies or contractual language. Data Owners may also designate data as Confidential.
• Sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.
• Disclosure to parties outside of the company must be authorized by Executive Management, approved by the Information Security Committee, or be covered by a binding non-disclosure or confidentiality agreement.
• Examples of Confidential Data include Protected Health Information (“PHI”)/Medical records, Financial information, including credit card and account numbers, Social Security Numbers, Personnel and/or payroll records, Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction, and any data belonging to a customer that may contain personally identifiable information.
34. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Minimum Protection Requirements for Confidential Data
• When stored in an electronic format must be protected with a minimum level of authentication to include strong passwords, wherever possible.
• When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by organization IT Management must be employed.
• Must be stored in a locked drawer, room, or area where access is controlled by a guard, cipher lock, and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.
• Must be encrypted with strong encryption when transferred electronically to any entity outside of the organization (See Encryption Policy).
35. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Minimum Protection Requirements for Confidential Data
• When sent via fax, must be sent only to a previously established and used address or one that has been verified as using a secured location
• Must not be posted on any public website
• Must be destroyed when no longer needed subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by:
  • “Hard Copy” materials must be destroyed by shredding or another approved process that destroys the data beyond either recognition or reconstruction as per the FRSecure Sample Data Destruction and Re-Use Standard.
  • Electronic storage media that will be re-used must be overwritten according to the FRSecure Sample Data Destruction and Re-Use Standard.
  • Electronic storage media that will not be re-used must be physically destroyed according to the FRSecure Sample Data Destruction and Re-Use Standard.
• Deleting files or formatting the media is NOT an acceptable method of destroying Confidential Data.
36. DOMAIN 2: ASSET SECURITY – Classifying Data (or Data Classification) – Data Classification Policy (Sample)
Minimum Protection Requirements for Confidential Data
The FRSecure Sample Information Security Committee must be notified in a timely manner if data classified as Confidential is lost, disclosed to unauthorized parties or is suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of FRSecure Sample information systems has taken place or is suspected of taking place.
37. Minimum Labeling Requirements for Confidential Data
If possible, all Confidential Data must be marked, regardless of the
form it takes. Confidential Data will be marked using the word
“Confidential” in bold, italicized, red font (i.e. Confidential). The
marking should be placed in the right corner of the document header or
footer.
38. Internal Data:
Internal Data is information that must be guarded due to proprietary,
ethical, or privacy considerations and must be protected from
unauthorized access, modification, transmission, storage or other use.
This classification applies even though there may not be a civil statute
requiring this protection. Internal Data is information that is restricted to
personnel designated by the company, who have a legitimate business
purpose for accessing such data.
Examples of Internal Data include Employment data, Business partner
information where no more restrictive non-disclosure or confidentiality
agreement exists, Internal directories and organization charts, Planning
documents, and Contracts
39. Minimum Protection Requirements for Internal Data
• Must be protected to prevent loss, theft, unauthorized access and/or unauthorized
disclosure
• Must be protected by a non-disclosure or confidentiality agreement before access is
allowed
• Must be stored in a closed container (i.e. file cabinet, closed office, or department
where physical controls are in place to prevent disclosure) when not in use
• Must be destroyed when no longer needed subject to the FRSecure Sample Data
Retention Policy. Destruction may be accomplished by:
• “Hard Copy” materials must be destroyed by shredding or another approved
process which destroys the data beyond either recognition or reconstruction as
per the FRSecure Sample Data Destruction and Re-Use Standard.
• Electronic storage media shall be sanitized appropriately by overwriting or
degaussing prior to disposal as per the FRSecure Sample Data Destruction and
Re-Use Standard.
• Is the “default” classification level if one has not been explicitly defined.
40. Minimum Labeling Requirements for Internal Data
If possible, all Internal Data should be marked, regardless of the form it
takes. Internal Data will be marked using the word “Internal” in bold,
italicized, blue font (i.e. Internal). The marking should be placed in the
right corner of the document header or footer.
41. Public Data:
Public data is information that may or must be open to the general
public. It is defined as information with no existing local, national, or
international legal restrictions on access or usage. Public data, while
subject to FRSecure Sample disclosure rules, is available to all
FRSecure Sample employees and all individuals or entities external to
the corporation.
Examples of Public Data include publicly posted press releases, publicly
available marketing materials, and publicly posted job announcements.
Disclosure of public data must not violate any pre-existing, signed
non-disclosure or confidentiality agreements.
42. Minimum Protection Requirements for Public Data
There are no specific protection requirements for Public
Data.
Minimum Labeling Requirements for Public Data
If possible, all Public Data should be marked, regardless of
the form it takes. Public Data will be marked using the
word “Public” in bold, italicized, black font (i.e. Public).
The marking should be placed in the right corner of the
document header or footer.
43. Ownership
• Business Owners
• Data Owners
• System Owners
• Owner responsibilities must be documented and owners
must be trained
• Segregation of duties
Classifying Data (or Data Classification)
44. Data Controllers and Data Processors
• Data controllers create and manage sensitive data
within an organization.
• Data processors manage data on behalf of data
controllers.
• Data Collection Limitation – organizations should
collect the minimum amount of sensitive information
necessary; OECD, Collection Limitation Principle –
GDPR Individual Rights
45.
Shifting gears a little…
Questions?
How about a joke?
46. • Data Remanence
• Memory
• Cache Memory; fast and close to CPU
• Register file (contains multiple registers); registers
are small storage locations used by the CPU to
store instructions and small amounts of data
• Level 1 cache; located on the CPU
• Level 2 cache; connected to (but not on) the CPU
• SRAM (Static Random Access Memory)
Memory and Remanence
47. Memory
• RAM (Random Access Memory)
• Volatile
• Modules installed in slots on motherboard (traditionally)
• DRAM (Dynamic Random Access Memory)
• Slower and cheaper
• Small capacitors to store bits (data)
• Capacitors leak charge and must be continually refreshed
• SRAM (Static Random Access Memory)
• Fast and expensive
• Latches called “flip-flops” to store bits (data)
• Does not require refreshing
48. Memory
• ROM (Read Only Memory)
• Can be used to store firmware; small programs that don’t change
much and configurations
• PROM (Programmable Read Only Memory) – written to once;
usually by the manufacturer
• EPROM (Erasable Programmable Read Only Memory) – can be
“flashed”; usually with ultraviolet light
• EEPROM (Electrically Erasable Programmable Read Only
Memory) – can be “flashed”; electrically
• PLD (Programmable Logic Device) – field-programmable device;
EPROMs, EEPROMs, and Flash Memory are all PLDs
49. Memory
• Flash Memory
• Can be a security nightmare
• Specific type of EEPROM
• Written in larger sectors (or chunks) than other EEPROMs
• Faster than other EEPROMs, but slower than magnetic drives
50. • Deleting data and/or formatting a hard drive is not a
viable/secure method for destroying sensitive information.
• Deleting a file only removes the entry from the File
Allocation Table (FAT) and marks the block as
“unallocated”. The data is still there and is often
retrievable.
• Reformatting only replaces the old FAT with a new FAT.
The data is still there and is often retrievable.
• Data that is left over is called remnant data, or “data
remanence”.
Data Destruction
51. • Data that is left over is called
remnant data, or “data
remanence”.
• Hundreds of data recovery tools are
available; one good resource to
check out is ForensicsWiki.org
(http://www.forensicswiki.org/wiki/Tools:Data_Recovery)
52. Overwriting
• Also called shredding or wiping
• Overwrites the data and removes the FAT entry
• Secure overwriting/wiping overwrites each sector of a hard drive (or
media).
53. Overwriting
• One pass is enough (as long as each sector is overwritten).
• Tools include Darik's Boot And Nuke (DBAN), CBL Data Shredder,
HDDErase, KillDisk and others.
• Windows built-in cipher command.
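To make the delete / reformat / overwrite distinction on slides 50 to 53 concrete, here is an added Python example; it is not from the slides or from FRSecure. It simulates a tiny FAT-style volume: a file table that points at fixed-size sectors on a byte-array "disk". Deleting only drops the table entry, a quick format only replaces the table, and only a sector-by-sector overwrite removes the bytes. The sector size, file name and file contents are constructed for the demonstration, and `carve()` plays the role of a recovery tool that ignores the table and scans raw sectors.

```python
import os

SECTOR_SIZE = 16      # constructed: tiny sectors so the demo fits in a few lines
NUM_SECTORS = 8


class TinyVolume:
    """Toy FAT-style volume: a file table plus raw sectors on a byte array.

    Constructed solely to illustrate data remanence; it is not a real filesystem.
    """

    def __init__(self) -> None:
        self.disk = bytearray(SECTOR_SIZE * NUM_SECTORS)  # the "media"
        self.table = {}                                   # name -> [sector numbers] (the FAT)
        self.free = list(range(NUM_SECTORS))              # unallocated sectors

    def write_file(self, name: str, data: bytes) -> None:
        sectors = []
        for off in range(0, len(data), SECTOR_SIZE):
            chunk = data[off:off + SECTOR_SIZE].ljust(SECTOR_SIZE, b"\x00")
            s = self.free.pop(0)
            self.disk[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE] = chunk
            sectors.append(s)
        self.table[name] = sectors

    def delete_file(self, name: str) -> None:
        """Ordinary delete: drop the table entry, mark sectors unallocated, touch no data."""
        self.free.extend(self.table.pop(name))

    def quick_format(self) -> None:
        """Reformat: replace the table with an empty one; the sectors are untouched."""
        self.table = {}
        self.free = list(range(NUM_SECTORS))

    def secure_wipe(self, passes: int = 1) -> None:
        """Overwrite every sector (allocated or not), then start with a fresh table."""
        for _ in range(passes):
            self.disk[:] = os.urandom(len(self.disk))
        self.quick_format()

    def carve(self, needle: bytes) -> bool:
        """What a recovery tool does: ignore the table and scan the raw sectors."""
        return self.disk.find(needle) != -1


def remanence_demo() -> dict:
    """Same secret written three times; only the wipe makes it unrecoverable."""
    secret = b"CONFIDENTIAL: payroll Q3 totals"   # constructed sample content
    results = {}

    v = TinyVolume()
    v.write_file("payroll.txt", secret)
    v.delete_file("payroll.txt")
    results["after_delete"] = v.carve(b"payroll Q3")   # True: bytes still on disk

    v = TinyVolume()
    v.write_file("payroll.txt", secret)
    v.quick_format()
    results["after_format"] = v.carve(b"payroll Q3")   # True: only the FAT changed

    v = TinyVolume()
    v.write_file("payroll.txt", secret)
    v.secure_wipe()
    results["after_wipe"] = v.carve(b"payroll Q3")     # False: every sector overwritten
    return results


if __name__ == "__main__":
    print(remanence_demo())
```

The one-pass wipe matches the slide's point that a single pass is enough provided every sector is covered; `secure_wipe` deliberately overwrites the whole disk rather than only the sectors the table currently lists, because the table is exactly the thing a delete or format has already thrown away.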
54. Degaussing
• Destroys the integrity of magnetic media using a strong
magnetic field
• Most often destroys the media itself, not just the data
55. Destruction (Physical)
• The most secure method of destroying data.
• Physical destruction of the media.
• Incineration, pulverization, shredding, and acid.
• A hammer to the spindle works, and so does a rifle.
• Pretty cheap nowadays. Look for a National Association of
Information Destruction (NAID) certified vendor and get a certificate
of destruction.
• Onsite vs. offsite
56. Shredding
• Most people think of paper.
• Strip-cut vs. Cross-cut
• A determined attacker can defeat (maybe)
• Easy to audit
• Many breaches attributed to poor document disposal
• Dumpster diving
57. • Two related but entirely different terms.
• Certification is the validation that certain (owner-specified) security
requirements have been met.
• Accreditation is a formal acceptance of the certification by
the owner.
• In an ideal world, certification and accreditation would be
required before production deployment.
Certification and Accreditation
58. PCI-DSS
• PCI-DSS only applies to the Cardholder Data Environment (CDE), so scope
is really important
• Core principles of the PCI-DSS include:
• Build and Maintain a Secure Network and Systems
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
• Version 3.2 released (April, 2016), see
https://www.pcisecuritystandards.org/security_standards/index.php
• Major breaches include Target, Home Depot, Heartland Systems, Dairy
Queen, etc.
Determining Data Security Controls - Standards and Control Frameworks
59. OCTAVE®
• Operationally Critical Threat, Asset, and Vulnerability Evaluation(sm)
• Risk management framework developed by Carnegie Mellon
University (see: http://www.cert.org/resilience/products-services/octave/)
• Three phase process for managing risk (latest version actually has
four, but for the test three is good):
• Phase 1 – staff knowledge, assets and threats
• Phase 2 – identify vulnerabilities and evaluate safeguards (or
controls)
• Phase 3 – risk analysis and risk mitigation strategy
60. ISO 17799 and 27000 Series
• Broad and flexible information security standards maintained by the
International Organization for Standardization (ISO) – based in
Geneva
• Derived from the British Standard (BS) 7799 Part 1, renamed to
ISO/IEC 27001 to align with the 27000 series of standards.
• There are more than 30 ISO/IEC 27000 standards, the main ones
being:
• ISO 27001 (Information technology - Security Techniques)
• ISO 27002 (Code of practice for information security
management)
• ISO 27005 (Information security risk management)
• ISO 27799 (Information security management in health using
ISO/IEC 27002)
61. ISO 17799 and 27000 Series
• ISO 27002:2005 is mentioned in the book
as the latest; however, ISO 27002:2013 is
actually the latest
• Copyrighted and licensed standard
• See:
http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
62. COBIT
• Control Objectives for Information and related Technology, current
version is v5
• Developed and maintained by the Information Systems Audit and
Control Association (ISACA; www.isaca.org)
• 34 Information Technology Processes across four domains
• Four domains:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
63. ITIL
• Information Technology Infrastructure Library
• Best practices in IT Service Management (ITSM)
• See: www.itil-officialsite.com
• Five “Service Management Practices – Core Guidance” publications:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
64. NIST CSF
• National Institute of Standards and Technology (NIST) Cybersecurity
Framework (CSF)
• Probably not testable, but certainly applicable
• Result of Executive Order (EO) 13686, Improving Critical
Infrastructure Cybersecurity
• Gaining in popularity. See: http://www.nist.gov/cyberframework/
• Core, Implementation Tiers, and Framework Profile
• Core is comprised of five Functions (Identify, Protect, Detect,
Respond, and Recover), Categories, and Subcategories
• Major frameworks and standards are represented
• Voluntary
65. NIST SP 800-53
• Not mentioned in the book yet, but this is a big deal for
FISMA and government systems.
• Usually goes hand-in-hand with FIPS 199, FIPS 200, and
NIST SP 800-60
• Just mentioning now, more later
66. • Rule of thumb… If I cannot be assured of physical
security, I should consider encryption.
• Data in transit – if I cannot be assured of physical security
(routers, switches, firewalls, transmission media, etc.), I
should consider encryption
• Data at rest – if I cannot be assured of physical security
(flash drives, laptops, poorly secured datacenters,
insecure office spaces, backup tapes, etc.), I should
consider encryption
• Encryption is your friend!
Determining Data Security Controls - Protecting Data in Motion & Data at Rest; Encryption and Physical Security
67. Questions?
That does it for Chapter 3 – Domain 2: Asset Security
Ready for Chapter 4 – Domain 3: Security
Engineering?
68.
DOMAIN 3 SECURITY ENGINEERING
Engineering and Management of Security
Easy chapter…
69. • Security Models
• Evaluation Methods, Certification and Accreditation
• Secure System Design Concepts
• Secure Hardware Architecture
• Secure Operating System and Software Architecture
• Virtualization and Distributed Computing
• System Vulnerabilities, Threats and Countermeasures
Formerly separate domains: Security Architecture, Cryptography, and Physical Security
Agenda – Domain 3: Security Engineering
We will take three classes to get through this domain…
LONG chapter; starting on page 103
70. • Asymmetric Encryption - encryption that uses two keys: if you
encrypt with one you may decrypt with the other
• Hash Function - one-way encryption using an algorithm and no
key
• Hypervisor - Allows multiple virtual operating system guests to
run on one host
• Mantrap - A preventive physical control with two doors. Each
door requires a separate form of authentication to open
• Tailgating - Following an authorized person into a building
without providing credentials
• TCSEC - Trusted Computer System Evaluation Criteria, also
known as the Orange Book
• Symmetric Encryption - encryption that uses one key to encrypt
and decrypt
Terms and Definitions to Memorize
71. • What subjects and objects are
permitted to do (within a model or
framework)
• Subject (often a user)
• Object (a resource)
• Managing relationship between
subject and object is access control
• Understand concepts of read up, read
down, write up, write down
Security Models
72. • Discretionary access control (DAC)
• Defined in the Trusted Computer System Evaluation Criteria
(TCSEC); Orange Book
• Means of restricting access to objects based on the identity of
subjects and/or groups to which they belong
• A subject with a certain access permission is capable of passing
that permission (perhaps indirectly) on to any other subject
• Mandatory access control (MAC)
• Type of access control where the operating system constrains
the ability of a subject to access or perform some sort of
operation on an object
• Authorization rule enforced by the operating system kernel
• Security policy is centrally controlled by a security policy
administrator
73. • Rule-based access control (RBAC)
• Access is allowed or denied to objects based on a set of rules
defined by a system administrator
• Access properties are stored in Access Control Lists (ACL)
associated with each object
• Role-based access control (also RBAC)
• Also known as Non-discretionary Access Control
• Assigns permissions to particular roles in an organization
74. Understand the Fundamental Concepts of Security
Models
• State Machine Model
• Bell-LaPadula Model
• Lattice-Based Access Controls
• Biba Model
• Clark-Wilson Model
• Information Flow Model
• Brewer and Nash Model (aka Chinese Wall)
• Take-Grant Model
• Access Control Matrix
• Zachman Framework for Enterprise Architecture
• Graham-Denning Model
• Harrison-Ruzzo-Ullman Model
75. State Machine Model
• State of a machine is captured in order to verify the security of a
system
• State consists of all current permissions and all current instances of
subjects accessing the objects. If the subject can access objects only
by means that are consistent with the security policy, the system is
secure
• Always secure no matter what state it is in
• Finite state machine (FSM)
• State transition
• Secure state machine
• The basis for most other security models
76. Bell-LaPadula Model
• Originally developed for the U.S. Department of Defense
• Focused on maintaining the confidentiality of objects
• Two Access Rules:
• Simple Security Property – no read up
• * Security Property (“Star” Security Property) – no write down
• Two Object Label Rules:
• Strong Tranquility Property - security labels will not change while
the system is operating
• Weak Tranquility Property - security labels will not change in a way
that conflicts with defined security properties
77. Lattice-Based Access Controls
• Security controls for complex environments
• For every relationship between a subject and an object, there are
defined upper and lower access limits implemented by the
system
• Subjects have a Least Upper Bound (LUB) and Greatest Lower
Bound (GLB) of access to the objects based on their lattice
position
• A security lattice model combines multilevel and multilateral
security
78. Biba Model
• Developed after Bell-LaPadula model
• Focused on maintaining the integrity of objects
• Uses a lattice of integrity levels unlike Bell-LaPadula
which uses a lattice of security levels
• Two primary rules
• Simple Integrity Axiom – no read down
• * Integrity Axiom (“Star” Integrity Axiom) – no write up
• Essentially the reverse of Bell-LaPadula
79. Clark-Wilson Model
• Real-world integrity model
• Requires subjects to access objects via programs
• Programs have specific limitations to what they can and cannot
do to objects
• Two primary concepts
• Well-Formed Transactions - ability to enforce control over
applications; comprised of the “access control triple:” user,
transformation procedure (TP/well-formed transaction), and
constrained data item (CDI/data that requires integrity) - integrity
verification procedures (IVPs) ensure that data are kept in a valid
state
• Separation of Duties - ensures that authorized users do not change
data in an inappropriate way
Separation of duties and transformation procedures.
1) Authorized access and
2) Modification only in an authorized manner
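An added Python example of the Clark-Wilson pieces named on the slide (not from the slides or the book): constrained data items that can only be changed through certified transformation procedures, access-control triples of (user, TP, CDI) that enforce separation of duties, and an integrity verification procedure that is re-run after every TP with rollback on failure. The bank ledger, the `transfer` TP, the user names and the balances are constructed for the demonstration.

```python
import copy
from typing import Callable, Dict, Set, Tuple


class ClarkWilsonSystem:
    """Clark-Wilson style integrity enforcement (constructed example).

    - CDIs: constrained data items, modifiable only through certified TPs.
    - TPs: transformation procedures, i.e. well-formed transactions.
    - IVP: integrity verification procedure that must hold after every TP.
    - triples: (user, tp, cdi) access-control triples; who may run what on which data.
    """

    def __init__(self, ivp: Callable[[Dict[str, int]], bool]) -> None:
        self._cdis: Dict[str, int] = {}
        self._tps: Dict[str, Callable] = {}
        self._triples: Set[Tuple[str, str, str]] = set()
        self._ivp = ivp

    # Certification duties: a security officer sets these up, never the users who run TPs.
    def add_cdi(self, name: str, value: int) -> None:
        self._cdis[name] = value

    def certify_tp(self, name: str, fn: Callable) -> None:
        self._tps[name] = fn

    def authorize(self, user: str, tp: str, cdi: str) -> None:
        self._triples.add((user, tp, cdi))

    # Execution duty: the only way a user can touch a CDI.
    def run(self, user: str, tp: str, *cdis: str, **args) -> str:
        if tp not in self._tps:
            return "denied: uncertified TP"
        for cdi in cdis:
            if (user, tp, cdi) not in self._triples:
                return f"denied: {user} may not run {tp} on {cdi}"
        snapshot = copy.deepcopy(self._cdis)        # keep a valid state to fall back to
        self._tps[tp](self._cdis, *cdis, **args)
        if not self._ivp(self._cdis):                # TP left the data in an invalid state
            self._cdis = snapshot
            return "rolled back: IVP failed"
        return "ok"

    def value(self, cdi: str) -> int:
        return self._cdis[cdi]


def transfer(cdis: Dict[str, int], src: str, dst: str, amount: int) -> None:
    """A well-formed transaction: moves funds and preserves the ledger total."""
    cdis[src] -= amount
    cdis[dst] += amount


def clark_wilson_demo() -> dict:
    ledger_total = 1500   # constructed: the invariant the IVP checks
    ivp = lambda cdis: sum(cdis.values()) == ledger_total and all(v >= 0 for v in cdis.values())
    bank = ClarkWilsonSystem(ivp)
    bank.add_cdi("acct_a", 1000)
    bank.add_cdi("acct_b", 500)
    bank.certify_tp("transfer", transfer)
    bank.authorize("teller", "transfer", "acct_a")
    bank.authorize("teller", "transfer", "acct_b")
    return {
        "teller_ok": bank.run("teller", "transfer", "acct_a", "acct_b", amount=200),
        "auditor_denied": bank.run("auditor", "transfer", "acct_a", "acct_b", amount=1),
        "overdraft": bank.run("teller", "transfer", "acct_a", "acct_b", amount=5000),
        "uncertified": bank.run("teller", "bulk_edit", "acct_a"),
        "balances": (bank.value("acct_a"), bank.value("acct_b")),
    }


if __name__ == "__main__":
    print(clark_wilson_demo())
```

Note that there is no method for a user to set a CDI directly: every change goes through `run`, which is the "subjects access objects via programs" requirement, and the overdraft case shows why the IVP is re-checked after the TP rather than trusted on certification alone.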
80. Information Flow Model
• In this model, data is thought of as being held in
individual discrete compartments
• Information is compartmentalized based on two
factors; classification and need to know
• Subject clearance has to dominate the object
classification, and the subject security profile must
contain one of the categories listed in the object
label, which enforces need to know
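The lattice, Bell-LaPadula, Biba and information-flow slides above all rest on one relation: label dominance (higher-or-equal level and a superset of categories). Here is an added Python example, not from the slides or the book, that implements that relation once and derives the four access rules from it. The level names, category names (NUCLEAR, CRYPTO) and the analyst scenario are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Orderings for the two lattices (constructed for the example).
SECRECY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Label:
    """A lattice element: an ordered level plus a set of categories (compartments)."""
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Partial order of the lattice: level >= AND categories are a superset.
        # Labels with different categories can be incomparable (neither dominates).
        return self.level >= other.level and self.categories >= other.categories


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both."""
    return Label(max(a.level, b.level), a.categories | b.categories)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both dominate."""
    return Label(min(a.level, b.level), a.categories & b.categories)


def secrecy(level: str, *cats: str) -> Label:
    return Label(SECRECY[level], frozenset(cats))


def integrity(level: str, *cats: str) -> Label:
    return Label(INTEGRITY[level], frozenset(cats))


def blp_permits(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)      # simple security property
    if op == "write":
        return obj.dominates(subject)      # * (star) security property
    raise ValueError(f"unknown operation {op!r}")


def biba_permits(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up; the mirror image of BLP."""
    if op == "read":
        return obj.dominates(subject)      # simple integrity axiom
    if op == "write":
        return subject.dominates(obj)      # * (star) integrity axiom
    raise ValueError(f"unknown operation {op!r}")


def label_demo() -> dict:
    """Constructed scenario: a SECRET analyst cleared for NUCLEAR but not CRYPTO."""
    analyst = secrecy("SECRET", "NUCLEAR")
    ts_nuclear = secrecy("TOP SECRET", "NUCLEAR")
    conf_plain = secrecy("CONFIDENTIAL")
    secret_crypto = secrecy("SECRET", "CRYPTO")

    tool = integrity("MEDIUM")
    untrusted_input = integrity("LOW")
    signed_config = integrity("HIGH")

    return {
        "blp_read_up": blp_permits(analyst, ts_nuclear, "read"),          # False
        "blp_read_down": blp_permits(analyst, conf_plain, "read"),        # True
        "blp_write_down": blp_permits(analyst, conf_plain, "write"),      # False
        "blp_write_up": blp_permits(analyst, ts_nuclear, "write"),        # True
        "blp_need_to_know": blp_permits(analyst, secret_crypto, "read"),  # False: CRYPTO not held
        "biba_read_down": biba_permits(tool, untrusted_input, "read"),    # False
        "biba_read_up": biba_permits(tool, signed_config, "read"),        # True
        "biba_write_up": biba_permits(tool, signed_config, "write"),      # False
        "biba_write_down": biba_permits(tool, untrusted_input, "write"),  # True
    }


if __name__ == "__main__":
    print(label_demo())
```

The `blp_need_to_know` case is the information-flow point: the analyst's level is high enough, but the object's category set is not contained in the clearance, so the labels are incomparable and the read is refused. Swapping which side must dominate is the whole difference between the Bell-LaPadula and Biba rules.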
81. Brewer and Nash Model (aka Chinese Wall)
• Designed to avoid conflicts of interest by prohibiting one
person, such as a consultant, from accessing multiple conflict of
interest categories (CoIs)
• Provides access controls that can change dynamically depending
upon a user’s previous actions
• Model states that a subject can write to an object if, and only if,
the subject cannot read another object that is in a different data
set
• Initially designed to address the risks inherent with employing
consultants working within banking and financial institutions
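An added Python example of the Brewer-Nash rules described above (not from the slides or the book). Access depends on the subject's history: the first read of a dataset in a conflict-of-interest class shuts the door on every other dataset in that class, and the write rule stops information read from one dataset from being copied into another. The company datasets, the two CoI classes and the consultants are constructed for the demonstration; sanitized public data is modelled as a dataset with no CoI class.

```python
from typing import Dict, Optional, Set


class ChineseWall:
    """Brewer-Nash reference monitor (constructed example).

    datasets maps each company dataset to its conflict-of-interest (CoI) class.
    A CoI class of None marks sanitized data that conflicts with nothing.
    """

    def __init__(self, datasets: Dict[str, Optional[str]]) -> None:
        self.coi = dict(datasets)
        self.accessed: Dict[str, Set[str]] = {}   # subject -> datasets already read

    def _seen(self, subject: str) -> Set[str]:
        return self.accessed.setdefault(subject, set())

    def can_read(self, subject: str, dataset: str) -> bool:
        """Simple security rule: readable if sanitized, already accessed, or no
        dataset in the same CoI class has been accessed by this subject."""
        cls = self.coi[dataset]
        if cls is None or dataset in self._seen(subject):
            return True
        return all(self.coi[d] != cls for d in self._seen(subject))

    def read(self, subject: str, dataset: str) -> bool:
        """Mediated read: on success the wall moves, because history grows."""
        if not self.can_read(subject, dataset):
            return False
        self._seen(subject).add(dataset)
        return True

    def can_write(self, subject: str, dataset: str) -> bool:
        """*-property: a subject may write to a dataset only if everything it has
        read is that same dataset or sanitized data. Otherwise facts read from
        company X could be written into company Y's dataset, where a subject who
        is walled off from X could later read them."""
        if not self.can_read(subject, dataset):
            return False
        return all(d == dataset or self.coi[d] is None for d in self._seen(subject))


def wall_demo() -> dict:
    wall = ChineseWall({"BankA": "banks", "BankB": "banks", "OilX": "oil", "Public": None})
    r = {}
    r["alice_reads_bankA"] = wall.read("alice", "BankA")                  # True: first touch
    r["alice_reads_bankB"] = wall.read("alice", "BankB")                  # False: conflicts with BankA
    r["alice_reads_public"] = wall.read("alice", "Public")                # True: sanitized
    r["alice_writes_bankA"] = wall.can_write("alice", "BankA")            # True: only BankA + public read
    r["alice_reads_oilX"] = wall.read("alice", "OilX")                    # True: different CoI class
    r["alice_writes_bankA_after_oil"] = wall.can_write("alice", "BankA")  # False: OilX could leak into BankA
    r["bob_reads_bankB"] = wall.read("bob", "BankB")                      # True: Bob's history is empty
    r["bob_reads_bankA"] = wall.read("bob", "BankA")                      # False: conflicts with BankB
    return r


if __name__ == "__main__":
    print(wall_demo())
```

Two things worth noticing when running it: the same request (read BankB) gets different answers for Alice and Bob purely because of what each has read before, which is the "dynamic" property the slide mentions, and Alice loses the ability to write anywhere once she has read two non-sanitized datasets, which is why the model is known to be restrictive in practice.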
82. Noninterference Models
• Model ensures that any actions that take place at a
higher security level do not affect, or interfere with,
actions that take place at a lower level
• Not concerned with the flow of data, but rather with
what a subject knows about the state of the system
• Addresses the inference attack that occurs when
someone has access to some type of information and
can infer (guess) something that he does not have the
clearance level or authority to know.
• Covert Channel – policy violation hidden from the
system owner
83. Take-Grant Model
• Contains rules that govern the interactions between subjects and
objects, and permissions subjects can grant to other subjects
• Two rights occur in every instance of the model: take and grant
• Rules include take, grant, create, and remove
• take rule allows a subject to take rights of another object (add an
edge originating at the subject)
• grant rule allows a subject to grant own rights to another object (add
an edge terminating at the subject)
• create rule allows a subject to create new objects (add a vertex and
an edge from the subject to the new vertex)
• remove rule allows a subject to remove rights it has over another
object (remove an edge originating at the subject)
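An added Python example of the four Take-Grant rules listed above, implemented on a protection graph exactly as the slide describes them (edges carry rights, `t` and `g` are the take and grant rights). It is not from the slides or the book; the vertex names and the initial rights are constructed for the demonstration. Each rule checks its precondition and refuses to fire otherwise, which is what makes the model useful for asking whether a right can ever reach a subject.

```python
from typing import Dict, Iterable, Set


class TakeGrantGraph:
    """Take-Grant protection graph (constructed example).

    rights[x][y] is the set of rights vertex x holds over vertex y.
    Vertices may be subjects or objects; only subjects invoke the rules.
    """

    def __init__(self) -> None:
        self.rights: Dict[str, Dict[str, Set[str]]] = {}

    def add_vertex(self, v: str) -> None:
        self.rights.setdefault(v, {})

    def add_right(self, x: str, y: str, rs: Iterable[str]) -> None:
        """Set up initial state (outside the rules): x holds rights rs over y."""
        self.add_vertex(x)
        self.add_vertex(y)
        self.rights[x].setdefault(y, set()).update(rs)

    def has(self, x: str, y: str, r: str) -> bool:
        return r in self.rights.get(x, {}).get(y, set())

    def take(self, x: str, y: str, z: str, r: str) -> None:
        """x holds t over y, and y holds r over z  =>  x gains r over z."""
        if not (self.has(x, y, "t") and self.has(y, z, r)):
            raise PermissionError(f"{x} cannot take {r!r} on {z} via {y}")
        self.add_right(x, z, {r})

    def grant(self, x: str, y: str, z: str, r: str) -> None:
        """x holds g over y, and x holds r over z  =>  y gains r over z."""
        if not (self.has(x, y, "g") and self.has(x, z, r)):
            raise PermissionError(f"{x} cannot grant {r!r} on {z} to {y}")
        self.add_right(y, z, {r})

    def create(self, x: str, z: str, rs: Iterable[str]) -> None:
        """x creates a new vertex z and holds rights rs over it."""
        if z in self.rights:
            raise ValueError(f"{z} already exists")
        self.add_right(x, z, set(rs))

    def remove(self, x: str, z: str, r: str) -> None:
        """x gives up right r it holds over z."""
        if not self.has(x, z, r):
            raise PermissionError(f"{x} does not hold {r!r} on {z}")
        self.rights[x][z].discard(r)


def take_grant_demo() -> dict:
    g = TakeGrantGraph()
    g.add_right("alice", "bob", {"t"})         # alice may take from bob
    g.add_right("alice", "carol", {"g"})       # alice may grant to carol
    g.add_right("bob", "payroll.db", {"r"})    # bob reads payroll.db

    g.take("alice", "bob", "payroll.db", "r")     # alice now reads payroll.db
    g.grant("alice", "carol", "payroll.db", "r")  # ...and passes that on to carol
    g.create("carol", "notes.txt", {"r", "w"})
    g.remove("alice", "payroll.db", "r")          # alice drops her own copy of the right

    denied = False
    try:
        g.take("carol", "bob", "payroll.db", "r")  # carol holds no t over bob
    except PermissionError:
        denied = True

    return {
        "alice_reads_payroll": g.has("alice", "payroll.db", "r"),  # False: removed
        "carol_reads_payroll": g.has("carol", "payroll.db", "r"),  # True: grant outlives the remove
        "carol_owns_notes": g.has("carol", "notes.txt", "w"),      # True: created by carol
        "carol_take_denied": denied,                               # True: precondition failed
    }


if __name__ == "__main__":
    print(take_grant_demo())
```

The `carol_reads_payroll` result is the point to take away: once a right has been propagated through take and grant, removing it from the intermediate subject does not claw it back, so the reachability question ("can Carol ever obtain r on payroll.db?") is what an analyst of such a graph actually needs to answer.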
84. Access Control Matrix
• Commonly used in OS and applications
• Table that defines access permissions between
specific subjects and objects
85. Zachman Framework for Enterprise Architecture
• Six frameworks for providing information security, asking what,
how, where, who, when, and why
86. Graham-Denning Model
• Defines a set of basic rights in terms of commands that a specific
subject can execute on an object
• Three parts; objects, subjects, and rules; focus on the eight (8)
rules:
• R1: Transfer Access
• R2: Grant Access
• R3: Delete Access
• R4: Read Object
• R5: Create Object
• R6: Destroy Object
• R7: Create Subject
• R8: Destroy Subject
87. Modes of Operation
• There are four (4) modes of system/access control
operation:
1. Dedicated:
• Only one classification (label) for all objects in the system
• Subject must possess a clearance equal to or greater than the
system label
• Subjects must have 1) appropriate clearance, 2) formal
access approval, and 3) a need to know for all the objects in
the system
88. Modes of Operation
• There are four (4) modes of system/access control
operation:
2. System High:
• System contains objects of mixed labels
• Subjects must possess a clearance equal to (or greater than)
the highest object label
89. Modes of Operation
• There are four (4) modes of system/access control
operation:
3. Compartmented:
• Objects are placed into “compartments”
• Subjects must have a formal (system-enforced) need to know
to access data in compartment
• All subjects must have:
• 1) Signed NDA for ALL information on the system
• 2) clearance for ALL information on the system
• 3) formal access approval for SOME objects on the
system, and
• 4) valid need to know for SOME objects on the system
90. Modes of Operation
• There are four (4) modes of system/access control
operation:
4. Multilevel:
• System contains objects of varying labels
• Subjects with varying clearances can access the system
• Reference Monitor mediates access between subjects
and objects
• All subjects must have 1) Signed NDA for ALL information on
the system, 2) clearance for SOME information on the
system, 3) formal access approval for SOME objects on the
system, and 4) valid need to know for SOME objects on the
system
91. Trusted Computer System Evaluation Criteria
(TCSEC or Orange Book)
• Developed by the federal government; National
Computer Security Center (NCSC), part of the
National Institute of Standards and Technology
(NIST), and the National Security Agency (NSA)
• Developed in 1983 as part of the Rainbow Series
• One of the 1st evaluation frameworks
• Now used as part of U.S. Government Protection
Profiles within the International Common Criteria
framework
Evaluation Methods, Certification and Accreditation
93. Trusted Computer System Evaluation Criteria
(TCSEC or Orange Book)
• Download here http://csrc.nist.gov/publications/history/dod85.pdf
• Division D is the lowest form of security, and A is the highest:
• D: Minimal Protection
• C: Discretionary Protection
• C1: Discretionary Security Protection
• C2: Controlled Access Protection
• B: Mandatory Protection
• B1: Labeled Security Protection
• B2: Structured Protection
• B3: Security Domains
• A: Verified Protection
• A1: Verified Design
94. Trusted Network Interpretation (TNI)/Red Book
• Sort of like the Orange Book for network systems
• Can download it here
http://ftp.fas.org/irp/nsa/rainbow/tg011.htm
• All of the Rainbow Books can be accessed here
http://ftp.fas.org/irp/nsa/rainbow.htm
95. Information Technology Security Evaluation
Criteria (ITSEC)
• Used extensively in Europe (where it was developed)
• 1st successful international evaluation criteria
• References to the Orange Book, but added:
• F – Functionality
• Q – Effectiveness (part of assurance)
• E – Correctness (also part of assurance)
96. Information Technology Security Evaluation
Criteria (ITSEC)
• Assurance correctness ratings range from E0 (inadequate) to E6
(formal model of security policy)
• Functionality ratings include TCSEC-equivalent ratings (F-C1, F-C2,
etc.)
• The equivalent ITSEC/TCSEC ratings are:
• 0: D
• F-C1,E1: C1
• F-C2,E2: C2
• F-B1,E3: B1
• F-B2,E4: B2
• F-B3,E5: B3
• F-B3,E6: A1
Additional functionality ratings include:
• F-IN: High integrity requirements
• AV: High availability requirements
• DI: High integrity requirements for networks
• DC: High confidentiality requirements for networks
• DX: High integrity and confidentiality requirements for networks
97. International Common Criteria (“Common
Criteria”)
• Internationally agreed upon standard for describing and testing
the security of IT products
• Primary objective of the Common Criteria is to eliminate known
vulnerabilities of the target for testing
• Terms:
• Target of Evaluation (TOE): the system or product that is being
evaluated
• Security Target (ST): the documentation describing the TOE
• Protection Profile (PP): an independent set of security requirements
and objectives for a specific category of products or systems
• Evaluation Assurance Level (EAL): the evaluation score of the
tested product or system
98. International Common Criteria (“Common
Criteria”)
• There are seven (7) Levels of Evaluation (EALs):
• EAL1: Functionally tested
• EAL2: Structurally tested
• EAL3: Methodically tested and checked
• EAL4: Methodically designed, tested, and reviewed
• EAL5: Semi-formally designed, and tested
• EAL6: Semi-formally verified, designed, and tested
• EAL7: Formally verified, designed, and tested
• Latest version of Common Criteria (July 2009, Version 3.1,
Rev. 3); http://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R3.pdf
STOP!!! THAT’S ENOUGH ALREADY!
100. • Yes it is…
• We’ll continue from here on Wednesday.
• Please spend time reading Chapters 1 - 3, if you haven’t
already.
• If you have time to delve into Chapter 4, please do so.
• Please come with questions on Wednesday (4/17). We
will recap some of today’s material and cover questions in
the next class.
Looking ahead, we won’t have class next
Monday (4/22). It’s our first break