This document summarizes the third session of the 2020 FRSecure CISSP Mentor Program. It opens with housekeeping reminders for the online chat and a check-in with participants, then spends more time on risk analysis from Domain 1: qualitative vs. quantitative analysis (AV, EF, SLE, ARO, ALE), the four risk choices, and the NIST SP 800-30 risk management process. A short quiz follows, and the session then begins Domain 2 (Asset Security): data classification and labels, ownership roles, a sample data classification policy, memory types and data remanence, data destruction methods, certification and accreditation, and standards such as PCI DSS and OCTAVE.
2020 CISSP MENTOR PROGRAM
Class 3 – April 20, 2020
Instructor:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
CISSP® MENTOR PROGRAM – SESSION THREE
FRSECURE CISSP MENTOR PROGRAM LIVE STREAM
#MissionBeforeMoney

Quick housekeeping reminder.
• The online/live chat that’s provided while live streaming on YouTube is for constructive, respectful, and relevant (about course content) discussion ONLY.
• At NO TIME is the online chat permitted to be used for disrespectful, offensive, obscene, indecent, or profane remarks or content.
• Please do not comment about controversial subjects, and please NO DISCUSSION OF POLITICS OR RELIGION.
• Failure to abide by the rules may result in disabling chat for you.
THANK YOU!
FRSECURE.COM/CISSP-MENTOR-PROGRAM
GETTING GOING…
Great job last week! We’re through the introduction and the 1st Domain (Security and Risk Management). Let’s get going!
• Every week goes so fast, it’s easy to forget what happened. Same for you guys?
• Virginia won the NCAA Men’s BB Championship (Class #1 night)
• Snowpocalypse (Class #2 night)
• Everyone is still being safe and physically distancing, right?
• Check-in.
• How many have read Chapter 1 & 2?
• Questions?
Other Updates:
• If you haven’t already signed up, we have a study group; you can register at https://groups.io/g/FRSecure2020CISSPMentorProgram
Let’s spend a little more time on risk analysis…
• Assets – hardware, software, and information
• Vulnerability (or weakness)
• Threat
• Risk = Threat × Vulnerability (likelihood and impact)
• Risk = Threat × Vulnerability × Impact (another way to put it)
Human life trumps everything!
Qualitative & Quantitative Risk Analysis
• Qualitative – based upon professional opinion; High, Medium, Low…
• Quantitative – based on real values; dollars. Pure quantitative analysis is nearly impossible (lack of data).
• Risk Analysis Matrix – a qualitative risk analysis table; likelihood on one axis, impact on the other.
Qualitative & Quantitative Risk Analysis (continued)
• Asset Value (AV) – fair market value of the asset
• Exposure Factor (EF) – the percentage of the asset’s value lost in one incident (threat occurrence)
• Single Loss Expectancy (SLE) – AV × EF
• Annual Rate of Occurrence (ARO) – how many times the bad thing is expected to happen per year
• Annualized Loss Expectancy (ALE) – SLE × ARO
If the ALE a control eliminates exceeds that control’s annual Total Cost of Ownership (TCO), there is a positive Return on Investment (ROI), or Return on Security Investment (ROSI). Compare like with like: an annual loss against an annual cost, never a monthly fee against an annual ALE.
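As an added worked example (not from the slides or from FRSecure’s materials), the formulas above implemented in Python and run against the DoS scenario used in the quiz later in this session. `Risk`, `Control`, `rosi` and the other names are my own; the scenario’s treatment of one week’s profit as the asset value exposed to a single attack, and the assumption that the service fully mitigates the attacks, are carried over from the question. The `effectiveness` parameter goes a little beyond the slide by allowing partial mitigation, which is the usual real-world case.

```python
"""Quantitative risk analysis: SLE, ALE and return on security investment."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat/asset pair, in the terms used on the slides."""
    name: str
    asset_value: float      # AV: value exposed per occurrence, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0 .. 1.0)
    aro: float              # ARO: expected occurrences per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and what it costs to run for one year."""
    name: str
    annual_tco: float     # subscription, licences, staff time ... per year
    effectiveness: float  # fraction of the ALE it removes; 1.0 = fully mitigates

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")


def residual_ale(risk: Risk, control: Control) -> float:
    """Loss still expected each year with the control in place."""
    return risk.ale * (1.0 - control.effectiveness)


def annual_benefit(risk: Risk, control: Control) -> float:
    """ALE avoided by the control: the figure the slide weighs against TCO."""
    return risk.ale - residual_ale(risk, control)


def rosi(risk: Risk, control: Control) -> float:
    """Return on Security Investment = (ALE avoided - TCO) / TCO.

    Positive means the control saves more per year than it costs."""
    return (annual_benefit(risk, control) - control.annual_tco) / control.annual_tco


def is_worth_it(risk: Risk, control: Control) -> bool:
    """The slide's decision rule: the ALE removed must exceed the annual TCO."""
    return annual_benefit(risk, control) > control.annual_tco


def break_even_monthly_fee(risk: Risk, effectiveness: float = 1.0) -> float:
    """Highest monthly price at which a control of this effectiveness still pays."""
    return risk.ale * effectiveness / 12.0


# The DoS scenario from the quiz. Treating weekly profit as the asset value
# exposed to one attack, and 20% as the EF, is the question's own assumption.
DOS_RISK = Risk("DoS against the web store", asset_value=40_000,
                exposure_factor=0.20, aro=14)
DOS_SERVICE = Control("DoS mitigation subscription", annual_tco=12_000 * 12,
                      effectiveness=1.0)


def quiz_scenario() -> dict:
    """Run the numbers from quiz questions 3 to 5 and return them by name."""
    return {
        "SLE": DOS_RISK.sle,                      # 8,000 per attack
        "ARO": DOS_RISK.aro,                      # 14 attacks per year
        "ALE": DOS_RISK.ale,                      # 112,000 per year
        "TCO": DOS_SERVICE.annual_tco,            # 144,000 per year
        "ROSI": rosi(DOS_RISK, DOS_SERVICE),      # negative: costs more than it saves
        "worth_it": is_worth_it(DOS_RISK, DOS_SERVICE),
        "break_even_monthly_fee": break_even_monthly_fee(DOS_RISK),
    }


if __name__ == "__main__":
    for key, value in quiz_scenario().items():
        print(f"{key:>22}: {value:,.2f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

The break-even figure is the number a practitioner actually negotiates with: any fee above ALE/12 (about $9,333 a month here, with full mitigation) makes the service a net loss, and a service that only stops, say, 80% of attacks has to be correspondingly cheaper.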
Risk Choices
There are only four; risk acceptance criteria should be documented. Risk decisions should ALWAYS be made by management, NOT information security.
• Accept – the risk is acceptable without additional control or change.
• Mitigate – the risk is unacceptable (too high) and requires remediation.
• Transfer – the risk can be transferred to someone else; a 3rd-party provider or insurance. Note that only the financial impact moves; accountability for the outcome (a breach of your customers’ data, for example) stays with the organization.
• Avoid – the risk will be avoided by discontinuing the action(s) that led to the risk.
Risk Management Process(es)
There are dozens of risk management processes or methodologies.
• United States National Institute of Standards and Technology (NIST) Special Publication 800-30, Risk Management Guide for Information Technology Systems (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf); nine-step process:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
(The nine steps are from the original 2002 edition of SP 800-30, which is what the study guide cites. Revision 1, published in 2012 as Guide for Conducting Risk Assessments, regroups the same work into prepare, conduct, communicate and maintain phases; know the nine steps for the exam.)
QUIZ!
1. Which of the following would be an example of a policy statement?
A. Changes with a significant potential impact and/or significant complexity must have usability, security, and impact testing and back-out plans included in the change documentation.
B. Wireless devices must use Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES) protocols with a minimum key length of 128 bits.
C. You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols.
D. The standard cryptoperiod (lifespan) of an encryption key is one (1) year.
Answer: A. B and D name specific technologies and values, which makes them standards; C is advice, which makes it a guideline; A is a mandatory, technology-neutral statement of management intent, which is what a policy contains. (As a real-world aside, TKIP is deprecated and should not appear in a current wireless standard.)
2. Evidence must be?
A. Relevant, Real, Accurate, Complete, Direct
B. Authentic, Accurate, Direct, Relevant, Real
C. Relevant, Authentic, Accurate, Complete, Convincing
D. Real, Direct, Circumstantial, Corroborative, Hearsay
Answer: C. Those are the five requirements for evidence to be admissible and useful. D lists types of evidence (real, direct, circumstantial, corroborative, hearsay), not properties it must have.
Scenario for questions 3 to 5: Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $40,000 profit per week, and a typical DoS attack lowers sales by 20%. You suffer fourteen DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $12,000/month. You have tested this service, and believe it will mitigate the attacks.
3. What is the Annual Rate of Occurrence in the above scenario?
A. $120,000
B. 14
C. 20%
D. $40,000
Answer: B. ARO is the expected number of occurrences per year; the scenario gives fourteen attacks per year. $40,000 is the AV and 20% is the EF.
4. What is the annualized loss expectancy (ALE) of lost iPod sales due to the DoS attacks?
A. $144,000
B. $112,000
C. $8,000
D. $40,000
Answer: B. SLE = AV × EF = $40,000 × 20% = $8,000 per attack; ALE = SLE × ARO = $8,000 × 14 = $112,000 per year. $8,000 (C) is the SLE and $144,000 (A) is the annual cost of the service, not a loss figure.
5. Is the DoS mitigation service a good investment?
A. Yes, it will pay for itself
B. Yes, $12,000 is less than the $112,000 Annualized Loss Expectancy
C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy
D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy
Answer: C. The annual TCO is $12,000 × 12 = $144,000, which is higher than the $112,000 ALE, so the service costs more each year than the losses it would prevent. B is the classic trap of comparing a monthly fee with an annual loss.
6. An attacker sees a building is protected by video cameras, and attacks a building next door with no video cameras. What control combination are the video cameras?
A. Physical/Compensating
B. Physical/Detective
C. Physical/Deterrent
D. Physical/Preventive
Answer: C. The cameras changed the attacker’s decision before any attack took place; nothing was detected or prevented, so they acted as a deterrent.
7. The security team uses the recording from the video cameras to investigate theft of computer supplies. What control combination are the video cameras?
A. Physical/Compensating
B. Physical/Detective
C. Physical/Deterrent
D. Physical/Preventive
Answer: B. Reviewing the recordings after the fact to establish what happened is a detective use. The same control can fall into different categories depending on how it is used, which is the point of asking questions 6 and 7 together.
8. Which of the following is not a canon of ISC2?
A. Protect society, the commonwealth, and the infrastructure
B. Act in a way that does not destroy the integrity of computer systems
C. Provide diligent and competent service to principals
D. Advance and protect the profession
Answer: B. The four canons of the (ISC)² Code of Ethics are: protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
Piece of cake!
DOMAIN 2: ASSET SECURITY
Protecting Security of Assets
Easy chapter in theory, difficult in practice
Agenda – Domain 2: Asset Security
• Classifying Data
• Ownership
• Memory and Remanence
• Data Destruction
• Determining Data Security Controls
Short chapter; starting on page 81
Terms and Definitions to Memorize
• RAM – Random Access Memory, volatile hardware memory that loses integrity after loss of power
• Remanence – data that persists beyond noninvasive means to delete it
• Reference Monitor – mediates all access between subjects and objects
• ROM – Read Only Memory, nonvolatile memory that maintains integrity after loss of power
• Scoping – the process of determining which portions of a standard will be employed by an organization
• SSD – Solid State Drive, a combination of flash memory (EEPROM) and DRAM
• Tailoring – the process of customizing a standard for an organization
Classifying Data (or Data Classification) – Labels
Objects have labels – Subjects have clearances
• Data classification scheme
• Executive Order 12356 (http://www.archives.gov/federal-register/codification/executive-order/12356.html) – Top Secret, Secret, and Confidential. EO 12356 has since been superseded; Executive Order 13526 currently governs classified national security information and keeps the same three levels.
• Company/Private Sector – Confidential, Internal Use Only, Public
• Security Compartments; documented need to know and clearance
Classifying Data (or Data Classification) – Clearance
Objects have labels – Subjects have clearances
• Formal approval/authorization to specific levels of information
• Not really used as much in the private sector
• “All About Security Clearances” from the US Department of State: http://www.state.gov/m/ds/clearances/c10978.htm
• Standard Form 86 is a 127 page questionnaire!
Classifying Data (or Data Classification) – Formal Access Approval
• Documented
• Access requests should be approved by the owner, not the manager and certainly not the custodian (more to follow)
• Approves subject access to certain objects
• Subject must understand all rules and requirements for access
• Best practice is that all access requests and access approvals are auditable
Classifying Data (or Data Classification)
• Three roles: data owner, data custodian, and data user
• Three classifications: Confidential, Internal Use, and Public
• In real life: easy to document and hard to implement
• Data Classification defines sensitive information, which drives data handling requirements, which drive data storage requirements and in some cases data retention requirements
Data Classification Policy (Sample): Data Owner
• Typically, the person responsible for, or dependent upon, the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.
• Determines the appropriate value and classification of information generated by the owner or department;
• Must communicate the information classification when the information is released outside of the department and/or organization;
• Controls access to his/her information and must be consulted when access is extended or modified; and
• Must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.
Data Classification Policy (Sample): Data Custodian
• The Data Custodian maintains the protection of data according to the information classification associated to it by the Data Owner.
• The Data Custodian role is delegated by the Data Owner and is usually Information Technology personnel.
Data Classification Policy (Sample): Data User
• The person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.
Data Classification Policy (Sample): Confidential Data
• Information protected by statutes, regulations, company policies or contractual language. Data Owners may also designate data as Confidential.
• Sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.
• Disclosure to parties outside of the company must be authorized by Executive Management, approved by the Information Security Committee, or be covered by a binding non-disclosure or confidentiality agreement.
• Examples of Confidential Data include: Protected Health Information (“PHI”)/medical records; financial information, including credit card and account numbers; Social Security Numbers; personnel and/or payroll records; any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction; and any data belonging to a customer that may contain personally identifiable information.
Data Classification Policy (Sample): Minimum Protection Requirements for Confidential Data
• When stored in an electronic format, must be protected with a minimum level of authentication to include strong passwords, wherever possible.
• When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by organization IT Management must be employed.
• Must be stored in a locked drawer, room, or area where access is controlled by a guard, cipher lock, and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know.
• Must be encrypted with strong encryption when transferred electronically to any entity outside of the organization (see Encryption Policy).
Data Classification Policy (Sample): Minimum Protection Requirements for Confidential Data (continued)
• When sent via fax, must be sent only to a previously established and used address or one that has been verified as using a secured location.
• Must not be posted on any public website.
• Must be destroyed when no longer needed, subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by:
  • “Hard copy” materials must be destroyed by shredding or another approved process that destroys the data beyond either recognition or reconstruction, as per the FRSecure Sample Data Destruction and Re-Use Standard.
  • Electronic storage media that will be re-used must be overwritten according to the FRSecure Sample Data Destruction and Re-Use Standard.
  • Electronic storage media that will not be re-used must be physically destroyed according to the FRSecure Sample Data Destruction and Re-Use Standard.
• Deleting files or formatting the media is NOT an acceptable method of destroying Confidential Data.
Data Classification Policy (Sample): Minimum Protection Requirements for Confidential Data (continued)
The FRSecure Sample Information Security Committee must be notified in a timely manner if data classified as Confidential is lost, disclosed to unauthorized parties or is suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of FRSecure Sample information systems has taken place or is suspected of taking place.
Data Classification Policy (Sample): Minimum Labeling Requirements for Confidential Data
If possible, all Confidential Data must be marked, regardless of the form it takes. Confidential Data will be marked using the word “Confidential” in bold, italicized, red font. The marking should be placed in the right corner of the document header or footer.
Data Classification Policy (Sample): Internal Data
Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by the company, who have a legitimate business purpose for accessing such data.
Examples of Internal Data include: employment data; business partner information where no more restrictive non-disclosure or confidentiality agreement exists; internal directories and organization charts; planning documents; and contracts.
Data Classification Policy (Sample): Minimum Protection Requirements for Internal Data
• Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure.
• Must be protected by a non-disclosure or confidentiality agreement before access is allowed.
• Must be stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use.
• Must be destroyed when no longer needed, subject to the FRSecure Sample Data Retention Policy. Destruction may be accomplished by:
  • “Hard copy” materials must be destroyed by shredding or another approved process which destroys the data beyond either recognition or reconstruction, as per the FRSecure Sample Data Destruction and Re-Use Standard.
  • Electronic storage media shall be sanitized appropriately by overwriting or degaussing prior to disposal, as per the FRSecure Sample Data Destruction and Re-Use Standard.
• Internal is the “default” classification level if one has not been explicitly defined.
Data Classification Policy (Sample): Minimum Labeling Requirements for Internal Data
If possible, all Internal Data should be marked, regardless of the form it takes. Internal Data will be marked using the word “Internal” in bold, italicized, blue font. The marking should be placed in the right corner of the document header or footer.
Data Classification Policy (Sample): Public Data
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to FRSecure Sample disclosure rules, is available to all FRSecure Sample employees and all individuals or entities external to the corporation.
Examples of Public Data include publicly posted press releases, publicly available marketing materials, and publicly posted job announcements. Disclosure of public data must not violate any pre-existing, signed non-disclosure or confidentiality agreements.
Data Classification Policy (Sample): Minimum Protection Requirements for Public Data
There are no specific protection requirements for Public Data.
Minimum Labeling Requirements for Public Data
If possible, all Public Data should be marked, regardless of the form it takes. Public Data will be marked using the word “Public” in bold, italicized, black font. The marking should be placed in the right corner of the document header or footer.
Classifying Data (or Data Classification) – Ownership
• Business Owners
• Data Owners
• System Owners
• Owner responsibilities must be documented and owners must be trained
• Segregation of duties
Classifying Data (or Data Classification) – Data Controllers and Data Processors
• Data controllers determine the purposes and means of processing personal data; they create and manage sensitive data within an organization and are accountable for it.
• Data processors process data on behalf of, and on the instructions of, data controllers (an outsourced payroll provider or cloud service, for example).
• Data Collection Limitation – organizations should collect the minimum amount of sensitive information necessary; see the OECD Collection Limitation Principle and the individual rights under GDPR.
Shifting gears a little…
Questions?
How about a joke?
Memory and Remanence
• Data Remanence
• Memory
  • Cache Memory; fast and close to the CPU
    • Register file (contains multiple registers); registers are small storage locations used by the CPU to store instructions and small amounts of data
    • Level 1 cache; located on the CPU
    • Level 2 cache; connected to (but not on) the CPU in older designs; modern CPUs put L2, and usually L3, on the die as well
  • Caches are built from SRAM (Static Random Access Memory)
Memory and Remanence – Memory
• RAM (Random Access Memory)
  • Volatile
  • Modules installed in slots on the motherboard (traditionally)
• DRAM (Dynamic Random Access Memory)
  • Slower and cheaper
  • Small capacitors store the bits (data)
  • Capacitors leak charge and must be continually refreshed
• SRAM (Static Random Access Memory)
  • Fast and expensive
  • Latches called “flip-flops” store the bits (data)
  • Does not require refreshing
Memory and Remanence – Memory (continued)
• ROM (Read Only Memory)
  • Can be used to store firmware: small programs that don’t change much, and configurations
  • PROM (Programmable Read Only Memory) – written to once, usually by the manufacturer
  • EPROM (Erasable Programmable Read Only Memory) – erased with ultraviolet light through a window in the chip, then reprogrammed electrically
  • EEPROM (Electrically Erasable Programmable Read Only Memory) – erased and reprogrammed (“flashed”) electrically, in place
  • PLD (Programmable Logic Device) – a field-programmable logic device (PALs, CPLDs and FPGAs are PLDs); the study guide groups EPROMs, EEPROMs and flash memory with PLDs, since the same cell technologies hold a PLD’s configuration
Memory and Remanence – Memory (continued)
• Flash Memory
  • Can be a security nightmare: small flash devices (USB sticks, SD cards) are easily lost, and the controller’s wear levelling remaps logical sectors to changing physical cells, so overwriting a “sector” through the file system may not touch the cells that hold the old data
  • Specific type of EEPROM
  • Written (and erased) in larger sectors or blocks than other EEPROMs
  • Faster than other EEPROMs; its limitations are block-erase latency and cell wear, not raw read speed, and modern SSDs outperform magnetic drives
Data Destruction
• Deleting data and/or formatting a hard drive is not a viable/secure method for destroying sensitive information.
• Deleting a file only marks its directory entry as deleted and frees its clusters in the File Allocation Table (FAT); NTFS does the equivalent in the MFT and the cluster bitmap. The data blocks themselves are untouched, and often retrievable, until something else is written over them.
• Reformatting (a quick format) only replaces the old FAT with a new FAT. The data is still there and often retrievable.
• Data that is left over is called remnant data, or “data remanence”.
Data Destruction (continued)
• Hundreds of data recovery tools are available; one good resource to check out is ForensicsWiki.org (http://www.forensicswiki.org/wiki/Tools:Data_Recovery). These tools ignore the file system’s allocation tables and carve files straight out of the raw sectors.
Data Destruction – Overwriting
• Also called shredding or wiping
• Overwrites the data and removes the FAT entry
• Secure overwriting/wiping overwrites each sector of a hard drive (or media)
Data Destruction – Overwriting (continued)
• One pass is enough on magnetic media, as long as each sector is overwritten. On SSDs and other flash media, overwriting through the file system is not reliable (wear levelling and spare blocks); use the drive’s built-in ATA Secure Erase/sanitize command or cryptographic erase, as NIST SP 800-88 Rev. 1 recommends, or destroy the device.
• Tools include Darik's Boot And Nuke (DBAN), CBL Data Shredder, HDDErase, KillDisk and others.
• Windows built-in cipher command: cipher /w:<folder> overwrites the free (unallocated) space on that volume with zeros, ones and then random data. It does not touch live files, so it cleans up after deletions rather than wiping a disk.
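As an added example (not from the slides or from any of the tools named above), a small Python simulation of a block device with a FAT-style allocation table. It carves the raw sectors the way a recovery tool does and shows that delete and quick format leave the data in place, that a free-space wipe (what cipher /w does) removes only unallocated data while live files survive, and that a single full pass removes everything. `TinyDisk` and its methods are illustrative names, the sector size is deliberately tiny, and the SSN in the sample record is a constructed value. The one thing the model cannot show is flash wear levelling: on an SSD the "sector" the code overwrites may be mapped to different physical cells than the ones that held the old data, which is why the slide above points to the drive’s own sanitize or crypto-erase there.

```python
"""Toy block device with a FAT-style allocation table, to show what delete,
quick format, free-space wipe and full wipe each leave behind on the media."""

SECTOR_SIZE = 16   # bytes per sector; tiny so the demo stays readable
SECTOR_COUNT = 32
WIPE_PATTERN = bytes(SECTOR_SIZE)   # one pass of zeros is enough on magnetic media


class TinyDisk:
    def __init__(self):
        self.sectors = [bytes(SECTOR_SIZE)] * SECTOR_COUNT   # the raw media
        self.allocated = [False] * SECTOR_COUNT              # the "FAT"
        self.directory = {}                                  # name -> list of sectors

    def write_file(self, name: str, data: bytes) -> None:
        """Allocate free sectors, copy the data in, record the chain."""
        needed = -(-len(data) // SECTOR_SIZE)   # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used]
        if len(free) < needed:
            raise OSError("disk full")
        chain = free[:needed]
        for n, sector in enumerate(chain):
            chunk = data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
            self.sectors[sector] = chunk.ljust(SECTOR_SIZE, b"\x00")
            self.allocated[sector] = True
        self.directory[name] = chain

    def delete(self, name: str) -> None:
        """What rm / the Recycle Bin really do: free the chain, touch no data."""
        for sector in self.directory.pop(name):
            self.allocated[sector] = False

    def quick_format(self) -> None:
        """Replace the FAT and directory; every sector keeps its old bytes."""
        self.allocated = [False] * SECTOR_COUNT
        self.directory = {}

    def wipe_free_space(self) -> None:
        """Overwrite only unallocated sectors (the cipher /w approach)."""
        for i, used in enumerate(self.allocated):
            if not used:
                self.sectors[i] = WIPE_PATTERN

    def wipe_all(self) -> None:
        """One full pass over every sector, then a fresh FAT (DBAN-style)."""
        self.sectors = [WIPE_PATTERN] * SECTOR_COUNT
        self.quick_format()

    def carve(self, marker: bytes) -> list:
        """What a recovery tool does: ignore the FAT and scan the raw sectors."""
        return [i for i, s in enumerate(self.sectors) if marker in s]

    def read_file(self, name: str) -> bytes:
        """Normal read through the directory, padding stripped."""
        return b"".join(self.sectors[s] for s in self.directory[name]).rstrip(b"\x00")


def remanence_demo() -> dict:
    """For each disposal method, report whether the secret is still carvable."""
    secret = b"SSN 123-45-6789"   # constructed sample record, not real data
    marker = b"123-45-6789"
    results = {}
    disk = TinyDisk()

    disk.write_file("payroll.txt", secret)
    results["after_write"] = bool(disk.carve(marker))

    disk.delete("payroll.txt")                        # file gone from the directory ...
    results["after_delete"] = bool(disk.carve(marker))   # ... but the bytes are still there

    disk.write_file("payroll.txt", secret)
    disk.quick_format()                               # new FAT, same old sectors
    results["after_format"] = bool(disk.carve(marker))

    disk.write_file("payroll.txt", secret)
    disk.write_file("keep.txt", b"public data")
    disk.delete("payroll.txt")
    disk.wipe_free_space()                            # scrubs the freed sector only
    results["after_free_space_wipe"] = bool(disk.carve(marker))
    results["keep_txt_survived"] = disk.read_file("keep.txt") == b"public data"

    disk.write_file("payroll.txt", secret)
    disk.wipe_all()                                   # every sector overwritten once
    results["after_full_wipe"] = bool(disk.carve(marker))
    return results


if __name__ == "__main__":
    for step, still_recoverable in remanence_demo().items():
        print(f"{step:>22}: {still_recoverable}")
```

The pattern to take from the demo is that a recovery tool never asks the file system’s permission: `carve` reads the sectors directly, so only an operation that actually rewrites those sectors (`wipe_free_space`, `wipe_all`) changes its answer. Deleting and formatting only change the bookkeeping.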
Data Destruction – Degaussing
• Destroys the integrity of magnetic media using a strong magnetic field
• Most often destroys the media itself, not just the data (a degaussed hard drive loses its servo tracks and cannot be reused)
• Has no effect on SSDs, flash or optical media; those need overwriting via the device’s sanitize command, cryptographic erase, or physical destruction
59. Destruction (Physical)
• The most secure method of destroying data.
• Physical destruction of the media.
• Incineration, pulverization, shredding, and acid.
• A hammer to the spindle works, and so does a rifle.
• Pretty cheap nowadays. Look for a National Association of
Information Destruction (NAID) certified vendor and get a certificate
of destruction that lists the serial numbers of the drives destroyed.
• Onsite vs. offsite: if the media leaves your site intact, keep
chain of custody until the vendor confirms destruction.
DOMAIN 2: ASSET SECURITY
Data Destruction
60. Shredding
• Most people think of paper.
• Strip-cut vs. Cross-cut: strip-cut output can be reassembled,
cross-cut (or micro-cut) output is much harder to reconstruct
• A determined attacker can defeat it (maybe)
• Easy to audit
• Many breaches attributed to poor document disposal
• Dumpster diving
DOMAIN 2: ASSET SECURITY
Data Destruction
61. • Two related but entirely different terms.
• Certification is the technical evaluation and validation that the
(owner-specified) security requirements have been met.
• Accreditation is the formal acceptance, by the owner or authorizing
official, of the certification and of the residual risk that comes
with operating the system.
• In an ideal world, certification and accreditation would be
required before production deployment. (The NIST Risk Management
Framework calls the same pair assessment and authorization, A&A.)
DOMAIN 2: ASSET SECURITY
Certification and Accreditation
62. PCI-DSS
• PCI-DSS only applies to the Cardholder Data Environment (CDE), so scope is
really important: any system that stores, processes or transmits cardholder
data, or is connected to one without segmentation, is in scope
• The six core principles (control objectives) of the PCI-DSS, which group
its twelve requirements, are:
• Build and Maintain a Secure Network and Systems
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
• Version 3.2 released (April, 2016), revised as 3.2.1 (May, 2018); see
https://www.pcisecuritystandards.org/security_standards/index.php
• Major breaches include Target, Home Depot, Heartland Payment Systems,
Dairy Queen, etc.
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
63. OCTAVE®
• Operationally Critical Threat, Asset, and Vulnerability Evaluation(sm)
• Risk management framework developed by Carnegie Mellon
University's Software Engineering Institute / CERT (see:
http://www.cert.org/resilience/products-services/octave/)
• Three phase process for managing risk (latest version actually has
four, but for the test three is good):
• Phase 1 – build asset-based threat profiles from staff knowledge of
assets and threats (the organizational view)
• Phase 2 – identify infrastructure vulnerabilities and evaluate
existing safeguards (or controls) (the technological view)
• Phase 3 – risk analysis and risk mitigation strategy
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
64. ISO 17799 and 27000 Series
• Broad and flexible information security standards maintained by the
International Organization for Standardization (ISO) – based in
Geneva
• Derived from the British Standard (BS) 7799: Part 1 (the code of
practice) became ISO/IEC 17799 and was renumbered ISO/IEC 27002 in
2007; Part 2 (the management system requirements) became ISO/IEC
27001 in 2005, the anchor of the 27000 series.
• There are more than 30 ISO/IEC 27000 standards, the main ones
being:
• ISO 27001 (Information security management systems – Requirements;
the one an organization can be certified against)
• ISO 27002 (Code of practice for information security controls)
• ISO 27005 (Information security risk management)
• ISO 27799 (Information security management in health using
ISO/IEC 27002)
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
65. ISO 17799 and 27000 Series
• ISO 27002:2005 is mentioned in the book
as the latest; however, ISO 27002:2013 is
actually the latest
• Copyrighted and licensed standard
• See:
http://www.iso.org/iso/home/standards/
management-standards/iso27001.htm
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
66. COBIT
• Control Objectives for Information and related Technology,
developed and maintained by the Information Systems Audit and
Control Association (ISACA; www.isaca.org); COBIT 2019 is the
current version, COBIT 5 (2012) the one before it
• The structure the book describes is COBIT 4.1: 34 Information
Technology Processes across four domains:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
• COBIT 5 and COBIT 2019 reorganise this into five domains (adding
Evaluate, Direct and Monitor for governance) with 37 and 40
processes/objectives respectively
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
67. ITIL
• Information Technology Infrastructure Library
• Best-practice framework for IT Service Management (ITSM)
• See: www.itil-officialsite.com
• ITIL v3/2011 has five "Service Management Practices – Core Guidance"
publications, one per lifecycle stage (ITIL 4, released 2019,
reframes these as a service value system, but the five stages are
what the book covers):
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
68. NIST CSF
• National Institute of Standards and Technology (NIST) Cybersecurity
Framework (CSF)
• Probably not testable, but certainly applicable
• Result of Executive Order (EO) 13636, Improving Critical
Infrastructure Cybersecurity (February 2013); version 1.0 was
published in 2014 and version 1.1 in April 2018
• Gaining in popularity. See: http://www.nist.gov/cyberframework/
• Three parts: Core, Implementation Tiers, and Framework Profiles
• Core is comprised of five Functions (Identify, Protect, Detect,
Respond, and Recover), Categories, and Subcategories, each with
informative references into other standards
• Major frameworks and standards (ISO 27001, NIST SP 800-53, COBIT,
CIS Controls) are represented through those references
• Voluntary
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
69. NIST SP 800-53
• Security and Privacy Controls for Information Systems and
Organizations. Not mentioned in the book yet, but this is a big deal
for FISMA and government systems.
• Usually goes hand-in-hand with FIPS 199 (categorize the system),
FIPS 200 (minimum security requirements), NIST SP 800-60 (mapping
information types to impact levels) and SP 800-37 (the Risk
Management Framework that ties them together)
• Just mentioning now, more later
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Standards and Control Frameworks
70. • Rule of thumb… If I cannot be assured of physical
security, I should consider encryption.
• Data in transit – if I cannot be assured of physical
security (routers, switches, firewalls, transmission media,
etc.), I should consider encryption (TLS, IPsec, SSH)
• Data at rest – if I cannot be assured of physical security
(flash drives, laptops, poorly secured datacenters,
insecure office spaces, backup tapes, etc.), I should
consider encryption (full-disk, file or database encryption)
• Encryption is your friend! It is only as strong as its key
management, though: a key stored next to the data, or a TLS
client that does not verify the server's certificate, protects
nothing.
DOMAIN 2: ASSET SECURITY
Determining Data Security Controls - Protecting Data in Motion & Data at
Rest Encryption and Physical Security
71. Questions?
DOMAIN 2: ASSET SECURITY
That does it for Chapter 3 – Domain 2: Asset Security
Ready for Chapter 4 – Domain 3: Security
Engineering?
72.
DOMAIN 3 SECURITY ENGINEERING
Engineering and Management of Security
Easy chapter…
73. • Security Models
• Evaluation Methods, Certification and Accreditation
• Secure System Design Concepts
• Secure Hardware Architecture
• Secure Operating System and Software Architecture
• Virtualization and Distributed Computing
• System Vulnerabilities, Threats and Countermeasures
Formerly separate domains: Security Architecture, Cryptography, and Physical Security
DOMAIN 3 SECURITY ENGINEERING
Agenda – Domain 3: Security Engineering
We will take three classes to get through this domain…
LONG chapter; starting on page 103
74. • Asymmetric Encryption - encryption that uses two keys: if you
encrypt with one you may decrypt with the other
• Hash Function - a one-way function that maps input of any length
to a fixed-size digest using an algorithm and no key; it is not
encryption, because nothing can turn the digest back into the input
• Hypervisor - Allows multiple virtual operating system guests to
run on one host
• Mantrap - A preventive physical control with two doors. Each
door requires a separate form of authentication to open
• Tailgating - Following an authorized person into a building
without providing credentials
• TCSEC - Trusted Computer System Evaluation Criteria, also
known as the Orange Book
• Symmetric Encryption - encryption that uses one key to encrypt
and decrypt
DOMAIN 3 SECURITY ENGINEERING
Terms and Definitions to Memorize
75. • What subjects and objects are
permitted to do (within a model or
framework)
• Subject (often a user)
• Object (a resource)
• Managing relationship between
subject and object is access control
• Understand concepts of read up, read
down, write up, write down
DOMAIN 3 SECURITY ENGINEERING
Security Models
76. • Discretionary access control (DAC)
• Defined in the Trusted Computer System Evaluation Criteria
(TCSEC); Orange Book
• Means of restricting access to objects based on the identity of
subjects and/or groups to which they belong
• A subject with a certain access permission is capable of passing
that permission (perhaps indirectly) on to any other subject
• Mandatory access control (MAC)
• Type of access control where the operating system constrains
the ability of a subject to access or perform some sort of
operation on an object
• Authorization rule enforced by the operating system kernel
• Security policy is centrally controlled by a security policy
administrator
DOMAIN 3 SECURITY ENGINEERING
Security Models
77. • Rule-based access control (RBAC, sometimes written RuBAC to
avoid the clash with role-based)
• Access is allowed or denied to objects based on a set of rules
defined by a system administrator (a firewall rule base is the
classic example)
• Access properties are stored in Access Control Lists (ACL)
associated with each object
• Role-based access control (also RBAC; this is what the acronym
usually means)
• Also known as Non-discretionary Access Control
• Assigns permissions to particular roles in an organization; users
get permissions by being placed in roles, never directly
DOMAIN 3 SECURITY ENGINEERING
Security Models
78. Understand the Fundamental Concepts of Security Models
• State Machine Model
• Bell-LaPadula Model
• Lattice-Based Access Controls
• Biba Model
• Clark-Wilson Model
• Information Flow Model
• Brewer and Nash Model (aka Chinese Wall)
• Take-Grant Model
• Access Control Matrix
• Zachman Framework for Enterprise Architecture
• Graham-Denning Model
• Harrison-Ruzzo-Ullman Model
DOMAIN 3 SECURITY ENGINEERING
Security Models
79. State Machine Model
• The state of a machine is captured in order to verify the security of a
system
• State consists of all current permissions and all current instances of
subjects accessing the objects. If subjects can access objects
only by means that are consistent with the security policy, the
state is secure
• A secure state machine starts in a secure state and every allowed
state transition leads to another secure state, so the system is
secure no matter what state it is in
• Finite state machine (FSM)
• State transition
• Secure state machine
• The basis for most other security models
DOMAIN 3 SECURITY ENGINEERING
Security Models
80. Bell-LaPadula Model
• Originally developed for the U.S. Department of Defense
• Focused on maintaining the confidentiality of objects
• Two Access Rules:
• Simple Security Property – no read up (a subject may read an
object only if the subject's clearance dominates the object's label)
• * Security Property ("Star" Security Property) – no write down (a
subject may write to an object only if the object's label dominates
the subject's clearance; writing up is allowed)
• Two Object Label Rules:
• Strong Tranquility Property - security labels will not change while
the system is operating
• Weak Tranquility Property - security labels will not change in a way
that conflicts with defined security properties
DOMAIN 3 SECURITY ENGINEERING
Security Models
81. Lattice-Based Access Controls
• Security controls for complex environments
• For every relationship between a subject and an object, there are
defined upper and lower access limits implemented by the
system
• Labels form a lattice: any two labels have a Least Upper Bound (LUB)
and a Greatest Lower Bound (GLB), so a subject's position in the
lattice fixes the range of objects it can reach
• A security lattice model combines multilevel (levels such as
Secret and Top Secret) and multilateral (compartments or categories,
i.e. need to know) security
DOMAIN 3 SECURITY ENGINEERING
Security Models
82. Biba Model
• Developed after Bell-LaPadula model
• Focused on maintaining the integrity of objects
• Uses a lattice of integrity levels unlike Bell-LaPadula
which uses a lattice of security levels
• Two primary rules
• Simple Integrity Axiom – no read down
• * Integrity Axiom (“Star” Integrity Axiom) – no write up
• Essentially the reverse of Bell-LaPadula
DOMAIN 3 SECURITY ENGINEERING
Security Models
83. Clark-Wilson Model
• Real-world integrity model (commercial systems, e.g. banking)
• Requires subjects to access objects only via programs
• Programs have specific limitations to what they can and cannot
do to objects
• Two primary concepts
• Well-Formed Transactions - ability to enforce control over
applications; comprised of the "access control triple:" user,
transformation procedure (TP/well-formed transaction), and
constrained data item (CDI/data that requires integrity). Integrity
verification procedures (IVPs) confirm that the CDIs are in a valid
state before and after a TP runs; unconstrained data items (UDIs)
are inputs that have not been validated yet
• Separation of Duties - ensures that authorized users do not change
data in an inappropriate way (the person who certifies a TP is not
the person who runs it)
DOMAIN 3 SECURITY ENGINEERING
Security Models
Separation of duties and transformation procedures.
1) Authorized access and
2) Modification only in an authorized manner
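The Clark-Wilson slide above, as an added example that is not part of the original deck: a small integrity monitor in which the constrained data items (a constructed two-account ledger) can only be changed through certified transformation procedures, every (user, TP, CDI) triple has to be authorized explicitly, and an integrity verification procedure checks the invariant (total money is conserved, no balance goes negative) before and after each transaction and rolls back when it fails. The account names, users, the `transfer` TP and the deliberately bad `deposit_unbacked` TP are all assumptions made for the illustration.

```python
# Added example, not from the slides: Clark-Wilson access triples, IVP and
# well-formed (all-or-nothing) transactions over a constructed ledger.
class IntegrityViolation(Exception):
    pass


class Ledger:
    """The CDIs are account balances. IVP invariant: the total never changes
    (money only moves) and no account is overdrawn."""

    def __init__(self, balances):
        self._cdi = dict(balances)         # never handed to users directly
        self._expected_total = sum(balances.values())
        self._triples = set()              # authorized (user, tp, cdi)
        self._tps = {}                     # tp name -> certified function

    # --- certification: done by a security officer, not by the users ---
    def certify_tp(self, name, func):
        self._tps[name] = func

    def authorize(self, user, tp_name, cdi):
        self._triples.add((user, tp_name, cdi))

    # --- IVP: state must be valid before and after every TP ---
    def ivp(self):
        ok = (sum(self._cdi.values()) == self._expected_total
              and all(v >= 0 for v in self._cdi.values()))
        if not ok:
            raise IntegrityViolation(f"invalid state: {self._cdi}")
        return True

    # --- the only path by which a CDI can change ---
    def run(self, user, tp_name, *cdis, **args):
        if tp_name not in self._tps:
            raise PermissionError(f"{tp_name} is not a certified TP")
        for cdi in cdis:                    # every triple must be authorized
            if (user, tp_name, cdi) not in self._triples:
                raise PermissionError(f"no triple ({user}, {tp_name}, {cdi})")
        self.ivp()
        snapshot = dict(self._cdi)
        try:
            self._tps[tp_name](self._cdi, *cdis, **args)
            self.ivp()
        except IntegrityViolation:
            self._cdi = snapshot            # well-formed: all or nothing
            raise
        return dict(self._cdi)

    def balance(self, cdi):
        return self._cdi[cdi]


def transfer(cdi, src, dst, amount):
    """A well-formed transaction: debit and credit happen together."""
    cdi[src] -= amount
    cdi[dst] += amount


def deposit_unbacked(cdi, dst, amount):
    """A TP that should never have been certified: it creates money.
    The IVP is the second line of defence that catches it."""
    cdi[dst] += amount


def demo():
    ledger = Ledger({"ops": 100, "payroll": 50})      # constructed CDIs
    ledger.certify_tp("transfer", transfer)
    ledger.certify_tp("deposit", deposit_unbacked)
    # separation of duties: the clerk may move money but certifies nothing
    ledger.authorize("clerk", "transfer", "ops")
    ledger.authorize("clerk", "transfer", "payroll")
    ledger.authorize("clerk", "deposit", "payroll")
    results = {}
    results["transfer"] = ledger.run("clerk", "transfer", "ops", "payroll", amount=30)
    try:
        ledger.run("clerk", "transfer", "payroll", "ops", amount=500)   # overdraft
    except IntegrityViolation:
        results["overdraft_blocked"] = ledger.balance("ops") == 70
    try:
        ledger.run("intern", "transfer", "ops", "payroll", amount=1)    # no triple
    except PermissionError:
        results["no_triple_blocked"] = True
    try:
        ledger.run("clerk", "deposit", "payroll", amount=10)            # bad TP
    except IntegrityViolation:
        results["bad_tp_blocked"] = ledger.balance("payroll") == 80
    return results


if __name__ == "__main__":
    print(demo())
```

Note that nothing outside `Ledger.run` can reach `_cdi`: that is the "subjects access objects only via programs" rule, and the IVP-before-and-after plus rollback is what makes a transaction well-formed.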
84. Information Flow Model
• In this model, data is thought of as being held in
individual discrete compartments
• Information is compartmentalized based on two
factors; classification and need to know
• Subject clearance has to dominate the object
classification and the subject security profile must
contain all of the categories listed in the object
label, which enforces need to know
• The model reasons about where information may flow (between
compartments, only from lower to higher labels) rather than only
about who may open which object
DOMAIN 3 SECURITY ENGINEERING
Security Models
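The Bell-LaPadula, lattice, Biba and information-flow slides above all rest on one ordering, "dominates", over labels that combine a level with a set of categories. The following is an added example, not part of the original deck: a minimal reference monitor that encodes that lattice (with least upper bound and greatest lower bound), then expresses the BLP rules and the Biba rules as two different uses of the same ordering. The level names and the NUCLEAR/CRYPTO compartments are constructed for the illustration.

```python
# Added example, not from the slides: a lattice of labels and the BLP and
# Biba access rules written over it. Levels and categories are constructed.
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()     # compartments, e.g. {"NUCLEAR"}

    def dominates(self, other):
        """self >= other in the lattice: at least as high a level AND a
        superset of the categories. The category test is need to know."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def lub(a, b):
    """Least upper bound: the lowest label that dominates both."""
    return Label(max(a.level, b.level, key=LEVELS.get), a.categories | b.categories)


def glb(a, b):
    """Greatest lower bound: the highest label that both dominate."""
    return Label(min(a.level, b.level, key=LEVELS.get), a.categories & b.categories)


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality). Write-up is permitted: BLP stops
    leaks downward, it does nothing about a low subject corrupting a high
    object, which is Biba's job."""
    if op == "read":
        return subject.dominates(obj)        # simple security: no read up
    if op == "write":
        return obj.dominates(subject)        # *-property: no write down
    raise ValueError(op)


def biba_allows(subject, obj, op):
    """Biba (integrity): same lattice, rules reversed."""
    if op == "read":
        return obj.dominates(subject)        # simple integrity: no read down
    if op == "write":
        return subject.dominates(obj)        # *-integrity: no write up
    raise ValueError(op)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    objects = {
        "UNCLASSIFIED memo": Label("UNCLASSIFIED"),
        "SECRET/NUCLEAR report": Label("SECRET", frozenset({"NUCLEAR"})),
        "SECRET/CRYPTO report": Label("SECRET", frozenset({"CRYPTO"})),
        "TOP SECRET/NUCLEAR plan": Label("TOP SECRET", frozenset({"NUCLEAR"})),
    }
    for name, obj in objects.items():
        print(f"{name:26} BLP read={blp_allows(analyst, obj, 'read')!s:5} "
              f"write={blp_allows(analyst, obj, 'write')!s:5} "
              f"Biba read={biba_allows(analyst, obj, 'read')!s:5} "
              f"write={biba_allows(analyst, obj, 'write')}")
```

The SECRET/CRYPTO line is the one to look at: the analyst's level is high enough, but the missing category denies the read, which is exactly the need-to-know enforcement the information-flow slide describes.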
85. Brewer and Nash Model (aka Chinese Wall)
• Designed to avoid conflicts of interest by prohibiting one person,
such as a consultant, from accessing data sets of competing
companies in the same conflict of interest class (CoI)
• Provides access controls that can change dynamically
depending upon a user's previous actions: the first data set a
subject reads in a CoI class walls off every other data set in
that class
• Model states that a subject can write to an object if, and only if,
every object the subject can read is either in that same data set
or is sanitized (public) data; otherwise the subject could copy
one client's data into another client's files
• Initially designed to address the risks inherent with employing
consultants working within banking and financial institutions
DOMAIN 3 SECURITY ENGINEERING
Security Models
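The Brewer and Nash slide above, as an added example that is not part of the original deck: a monitor whose decisions depend on each subject's read history. Company names, the conflict-of-interest classes and the sanitized public data set are constructed for the illustration.

```python
# Added example, not from the slides: Brewer-Nash (Chinese Wall) read and
# write rules driven by per-subject history. Data sets are constructed.
class ChineseWall:
    def __init__(self, datasets, sanitized=()):
        self.coi = dict(datasets)        # data set -> conflict-of-interest class
        self.sanitized = set(sanitized)  # public data, outside every conflict
        self.history = {}                # subject -> data sets it has read

    def can_read(self, subject, dataset):
        """Simple security rule: allowed if the data set is sanitized, if the
        subject has read it before, or if the subject has read nothing else
        in the same conflict class."""
        seen = self.history.get(subject, set())
        if dataset in self.sanitized or dataset in seen:
            return True
        cls = self.coi[dataset]
        return not any(self.coi[d] == cls for d in seen if d not in self.sanitized)

    def read(self, subject, dataset):
        if not self.can_read(subject, dataset):
            raise PermissionError(f"{subject} is walled off from {dataset}")
        self.history.setdefault(subject, set()).add(dataset)

    def can_write(self, subject, dataset):
        """*-property: writing is allowed only if everything the subject can
        read is either this same data set or sanitized. Otherwise the write
        could carry one client's data into another client's files."""
        if not self.can_read(subject, dataset):
            return False
        return all(d == dataset or d in self.sanitized
                   for d in self.history.get(subject, set()))


def demo():
    wall = ChineseWall({"BankA": "banks", "BankB": "banks", "OilX": "oil",
                        "MarketStats": "public"}, sanitized={"MarketStats"})
    r = {}
    wall.read("alice", "BankA")                 # first choice in "banks"
    r["bankb_after_banka"] = wall.can_read("alice", "BankB")         # False
    r["oilx_after_banka"] = wall.can_read("alice", "OilX")           # True
    r["write_banka_before_oilx"] = wall.can_write("alice", "BankA")  # True
    wall.read("alice", "MarketStats")           # sanitized: changes nothing
    wall.read("alice", "OilX")
    r["write_banka_after_oilx"] = wall.can_write("alice", "BankA")   # False
    r["bob_bankb"] = wall.can_read("bob", "BankB")                   # True
    return r


if __name__ == "__main__":
    print(demo())
```

The write rule is deliberately harsh: once a consultant can read two different clients' data sets, she can write to neither, which is why real deployments keep the sanitized set generous and the per-engagement data sets narrow.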
86. Noninterference Models
• Model ensures that any actions that take place at a
higher security level do not affect, or interfere with,
actions that take place at a lower level
• Not concerned with the flow of data, but rather with
what a subject knows about the state of the system
• Addresses the inference attack that occurs when
someone has access to some type of information
and can infer (guess) something that he does not have
the clearance level or authority to know.
• Covert Channel – a communication path not intended for data
transfer (a shared timing or storage resource) that lets
information cross levels in violation of policy, hidden from the
system owner
DOMAIN 3 SECURITY ENGINEERING
Security Models
87. Take-Grant Model
• Contains rules that govern the interactions between subjects and
objects, and permissions subjects can grant to other subjects
• Two rights occur in every instance of the model: take and grant
• Rules include take, grant, create, and remove
• take rule allows a subject holding the take right over another
vertex to take that vertex's rights over a third (add an edge
originating at the subject)
• grant rule allows a subject holding the grant right over another
vertex to pass its own rights to that vertex (add an edge
originating at the receiving vertex)
• create rule allows a subject to create new objects (add a vertex and
an edge from the subject to the new vertex)
• remove rule allows a subject to remove rights it has over another
object (remove an edge originating at the subject)
DOMAIN 3 SECURITY ENGINEERING
Security Models
88. Access Control Matrix
• Commonly used in OS and applications
• Table that defines access permissions between
specific subjects and objects
DOMAIN 3 SECURITY ENGINEERING
Security Models
89. Zachman Framework
for Enterprise
Architecture
• Not an access control model: a 6x6 enterprise
architecture grid whose columns ask what, how,
where, who, when, and why, and whose rows are
six perspectives (planner, owner, designer,
builder, subcontractor, functioning enterprise);
a security architecture is mapped onto that grid
DOMAIN 3 SECURITY ENGINEERING
Security Models
90. Graham-Denning Model
• Defines a set of basic rights in terms of commands that a
specific subject can execute on an object
• Three parts; objects, subjects, and rules; focus on the eight (8)
rules:
• R1: Transfer Access
• R2: Grant Access
• R3: Delete Access
• R4: Read Object
• R5: Create Object
• R6: Destroy Object
• R7: Create Subject
• R8: Destroy Subject
DOMAIN 3 SECURITY ENGINEERING
Security Models
91. Modes of Operation
• There are four (4) modes of system/access control
operation:
1. Dedicated:
• Only one classification (label) for all objects in the system
• Subject must possess a clearance equal or greater than the
system label
• Subjects must have 1) appropriate clearance, 2) formal
access approval, and 3) a need to know for all the objects in
the system
DOMAIN 3 SECURITY ENGINEERING
Security Models
92. Modes of Operation
• There are four (4) modes of system/access control
operation:
2. System High:
• System contains objects of mixed labels
• Subjects must possess a clearance equal to (or greater than)
the highest object label
• All subjects must have 1) clearance for ALL information on the
system, 2) formal access approval for ALL information on the
system, and 3) a valid need to know for only SOME of the objects
on the system
DOMAIN 3 SECURITY ENGINEERING
Security Models
93. Modes of Operation
• There are four (4) modes of system/access control
operation:
3. Compartmented:
• Objects are placed into “compartments”
• Subjects must have a formal (system-enforced) need to
know to access data in compartment
• All subjects must have:
• 1) Signed NDA for ALL information on the system
• 2) clearance for ALL information on the system
• 3) formal access approval for SOME objects on the
system, and
• 4) valid need to know for SOME objects on the system
DOMAIN 3 SECURITY ENGINEERING
Security Models
94. Modes of Operation
• There are four (4) modes of system/access control
operation:
4. Multilevel:
• System contains objects of varying labels
• Subjects with varying clearances can access the system
• Reference Monitor mediates access between subjects and
objects
• All subjects must have 1) Signed NDA for ALL information on
the system, 2) clearance for SOME information on the
system, 3) formal access approval for SOME objects on the
system, and 4) valid need to know for SOME objects on the
system
DOMAIN 3 SECURITY ENGINEERING
Security Models
95. Trusted Computer System Evaluation Criteria
(TCSEC or Orange Book)
Download here http://csrc.nist.gov/publications/history/dod85.pdf
• Developed by the federal government: the National
Computer Security Center (NCSC), which was part of the
National Security Agency (NSA), not of NIST
• First published in 1983 and reissued as DoD standard
5200.28-STD in 1985; the first book of the Rainbow Series
• One of the 1st evaluation frameworks
• Superseded by the Common Criteria; its classes live on in
U.S. Government Protection Profiles within the International
Common Criteria framework
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
97. Trusted Computer System Evaluation Criteria (TCSEC or Orange
Book)
• Division D is the lowest form of security, and A is the highest:
• D: Minimal Protection
• C: Discretionary Protection
• C1: Discretionary Security Protection
• C2: Controlled Access Protection
• B: Mandatory Protection
• B1: Labeled Security Protection
• B2: Structured Protection
• B3: Security Domains
• A: Verified Protection
• A1: Verified Design
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
98. Trusted Network Interpretation (TNI)/Red Book (NCSC-TG-005)
• Sort of like the Orange Book for network systems: it interprets
the TCSEC classes for networked components
• Can download it here (note that this link is the companion TNI
Environments Guideline, NCSC-TG-011; the Red Book itself is TG-005
in the same collection)
http://ftp.fas.org/irp/nsa/rainbow/tg011.htm
• All of the Rainbow Books can be accessed here
http://ftp.fas.org/irp/nsa/rainbow.htm
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
99. Information Technology Security Evaluation
Criteria (ITSEC)
• Used extensively in Europe (where it was developed)
• 1st successful international evaluation criteria
• Builds on the Orange Book, but separates what a product does from
how well it was built, rating:
• F – Functionality (which security features are present)
• Q – Effectiveness (part of assurance: are the features suitable
and do they hold together)
• E – Correctness (also part of assurance: was it built and tested
properly)
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
100. Information Technology Security Evaluation
Criteria (ITSEC)
• Assurance correctness ratings range from E0 (inadequate) to E6
(formal model of security policy)
• Functionality ratings include TCSEC-equivalent classes (F-C1,
F-C2, etc.)
• The equivalent ITSEC/TCSEC ratings are:
• E0: D
• F-C1,E1: C1
• F-C2,E2: C2
• F-B1,E3: B1
• F-B2,E4: B2
• F-B3,E5: B3
• F-B3,E6: A1
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
Additional functionality classes include:
• F-IN: High integrity requirements
• F-AV: High availability requirements
• F-DI: High data integrity requirements for networks
• F-DC: High confidentiality requirements for networks
• F-DX: High integrity and confidentiality requirements for networks
101. International Common Criteria ("Common
Criteria", ISO/IEC 15408)
• Internationally agreed upon standard for describing and testing
the security of IT products; the successor to TCSEC and ITSEC
• Primary objective of the Common Criteria is to give assurance that
a product's security functions were specified, implemented and
evaluated rigorously, so a buyer can trust the claims made for it
(an evaluation rates that rigour; it is not a promise that the
product has no vulnerabilities)
• Terms:
• Target of Evaluation (ToE): the system or product that is being
evaluated
• Security Target (ST): the documentation describing the security
claims and requirements of that specific TOE
• Protection Profile (PP): an implementation-independent set of security
requirements and objectives for a specific category of products or
systems (a vendor's ST may claim conformance to one)
• Evaluation Assurance Level (EAL): the evaluation score of the tested
product or system (how thoroughly it was evaluated, not how secure
it is)
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
102. International Common Criteria ("Common
Criteria")
• There are seven (7) Levels of Evaluation (EALs):
• EAL1: Functionally tested
• EAL2: Structurally tested
• EAL3: Methodically tested and checked
• EAL4: Methodically designed, tested, and reviewed
• EAL5: Semi-formally designed, and tested
• EAL6: Semi-formally verified, designed, and tested
• EAL7: Formally verified, designed, and tested
• Latest version of Common Criteria as of this session is Version 3.1,
Release 5 (April 2017); the book's reference is the July 2009
Release 3:
http://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R3.pdf
DOMAIN 3 SECURITY ENGINEERING
Evaluation Methods, Certification and Accreditation
104. • Yes it is…
• We’ll continue from here on Wednesday.
• Please spend time reading Chapters 1 - 3, if you haven’t
already.
• If you have time to delve into Chapter 4, please do so.
• Please come with questions on Wednesday (4/22). We
will recap some of today’s material and cover questions
in the next class.
DOMAIN 3 SECURITY ENGINEERING
STOP!!! THAT'S ENOUGH ALREADY!
Looking ahead, we won't have class next
Monday (4/27). It's our first break