Tien Nguyen Duc, profile picture
Uploaded byTien Nguyen Duc
58 views

Chapter 1

The document discusses key concepts in information security including the CIA triad of confidentiality, integrity and availability. It defines each component of the CIA triad and provides examples of related threats, attacks and countermeasures. The document also outlines other important security concepts such as AAA services, legally defensible security, protection mechanisms, layering and abstraction. Maintaining the CIA triad and applying these additional concepts are important for developing a robust security infrastructure.

Embed presentation

Download to read offline
Contents I. Understand and Apply Concepts of Confidentiality, Integrity, and Availability .....................................................2 1 CIA Triad..............................................................................................................................................................2 1.1 Confidentiality.............................................................................................................................................2 1.2 Integrity.......................................................................................................................................................2 1.3 Availability...................................................................................................................................................3 2 Other Security Concepts .....................................................................................................................................4 2.1 AAA Services................................................................................................................................................4 2.2 Legally Defensible Security..........................................................................................................................4 2.3 Protection Mechanisms ..............................................................................................................................4 2.4 Layering.......................................................................................................................................................4 2.5 Abstraction..................................................................................................................................................4 2.6 Data Hiding..................................................................................................................................................4 2.7 Encryption ...................................................................................................................................................4 II. Evaluate and Apply Security Governance Principles...............................................................................................4 1 Alignment of Security Function to Business Strategy, Goals, Mission, and Objectives......................................5 1.1 A security management planning team should develop three types of plans ...........................................5 1.2 Organizational Processes ............................................................................................................................5 - Senior Manager...............................................................................................................................................6 III. Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines .........................7 IV. Understand and Apply Threat Modeling Concepts and Methodologies ............................................................8 1 Threat modeling..................................................................................................................................................8 1.1 Identifying Threats ......................................................................................................................................8 1.2 Determining and Diagramming Potential Attacks ......................................................................................9 1.3 Performing Reduction Analysis...................................................................................................................9 1.4 Prioritization and Response ........................................................................................................................9 V. Apply Risk-Based Management Concepts to the Supply Chain ............................................................................10
I. Understand and Apply Concepts of Confidentiality, Integrity, and Availability 1 CIA Triad - Primary goals and objectives of a security infrastructure. - Security controls are typically evaluated on how well they address these three core information security tenets. - Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles. 1.1 Confidentiality - Goal: is to prevent or minimize unauthorized access to data. - It offers a high level of assurance that data, objects, or resources are restricted from unauthorized subjects. - Attacks: capturing network traffic and stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges ... Not limited to directed intentional attacks. Also result of human error, oversight, or ineptitude. Countermeasures: encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training. - Without object integrity, confidentiality cannot be maintained. - Other concepts, conditions, and aspects of confidentiality include the following: o Sensitivity quality of information. Maintaining confidentiality of sensitive information helps to prevent harm or damage. o Discretion operator can influence or control disclosure in order to minimize harm or damage. o Criticality The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. High levels of criticality are essential to the operation or function of an organization. o Concealment hiding or preventing disclosure. is security through obscurity, hiding, silence, or secrecy. not considered a valid security measure, it may still have value in some cases. o Secrecy keeping something a secret or preventing the disclosure of information. o Privacy keeping information confidential that is personally identifiable or that might cause harm, embarrassment (lúng túng), or disgrace (ghét bỏ) to someone if revealed. o Seclusion storing something in an out-of-the-way location. This location can also provide strict access controls. o Isolation keeping something separated from others. Isolation can be used to prevent commingling (trộn lẫn) of information or disclosure of information. 1.2 Integrity - Goal: prevents unauthorized alterations of data. - it offers a high level of assurance that the data, objects, and resources are unaltered from their original protected state. - Attacks: viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors.
- Countermeasures: strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive personnel training. - Other concepts, conditions, and aspects of confidentiality include the following: o Accuracy: Being correct and precise o Truthfulness: Being a true reflection of reality o Authenticity: Being authentic or genuine o Validity: Being factually or logically sound o Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event Accountability: Being responsible or obligated for actions and results o Responsibility: Being in charge or having control over something or someone o Completeness: Having all needed and necessary components or parts o Comprehensiveness: Being complete in scope; the full inclusion of all needed elements - Nonrepudiation: ensures that the subject of an activity or who caused an event cannot deny that the event occurred, a part of accountability, - Integrity can be examined from three perspectives: o Preventing unauthorized subjects from making modifications o Preventing authorized subjects from making unauthorized modifications, such as mistakes o Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent, and verifiable 1.3 Availability - Goal: authorized subjects are granted timely and uninterrupted access to objects - it offers a high level of assurance that the data, objects, and resources are accessible to authorized subjects - Threats: device failure, software errors, and environmental issues (heat, static, flooding, power loss, and so on). Attacks: DoS attacks, object destruction, and communication interruptions. - Countermeasures: designing intermediary delivery systems properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems. Most security policies, as well as business continuity planning (BCP), focus on the use of fault tolerance features at the various levels of access/storage/security (that is, disk, server, or site) with the goal of eliminating single points of failure to maintain availability of critical system - Other concepts, conditions, and aspects of confidentiality include the following: o Usability: The state of being easy to use or learn or being able to be understood and controlled by a subject o Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations o Timeliness: Being prompt, on time, within a reasonable time frame, or providing low-latency response
2 Other Security Concepts 2.1 AAA Services - Identification - Authentication - Authorization - Auditing - Accountability 2.2 Legally Defensible Security 2.3 Protection Mechanisms - Some common examples of these mechanisms include using multiple layers or levels of access, employing abstraction, hiding data, and using encryption. 2.4 Layering - defense in depth - is simply the use of multiple controls in a series - Using layers in a series rather than in parallel is important - In a series configuration, failure of a single security control does not render the entire solution ineffective. If security controls were implemented in parallel, a threat could pass through a single checkpoint that did not address its particular malicious activity. 2.5 Abstraction - Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective - Abstraction simplifies security by enabling you to assign security controls to a group of objects collected by type or function 2.6 Data Hiding - Data hiding vs security through obscurity 2.7 Encryption II. Evaluate and Apply Security Governance Principles - Security Governance: is the collection of practices related to supporting, defining, and directing the security efforts of an organization. - Security governance is the implementation of a security solution and a management method that are tightly interconnected. Security governance directly oversees and gets involved in all levels of security - Security governance is commonly managed by a governance committee or at least a board of directors - Security frameworks and governance guidelines, including NIST 800-53 or 800-100
1 Alignment of Security Function to Business Strategy, Goals, Mission, and Objectives - Security management planning ensures proper creation, implementation, and enforcement of a security policy. - Security management planning aligns the security functions to the strategy, goals, mission, and objectives of the organization - Security management planning: top-down vs bottom-up - Security management is a responsibility of upper management, not of the IT staff, and is considered an issue of business operations rather than IT administration 1.1 A security management planning team should develop three types of plans - Strategic Plan: long-term plan that is fairly stable, 5 year, include risk assessment, - Tactical Plan: midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events. Example: project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans - Operational Plan: short-term, highly detailed plan based on the strategic and tactical plans. Example: training plans, system deployment plans, and product design plans 1.2 Organizational Processes - Acquisitions (sáp nhập), : increased level of risk, Such risks include inappropriate information disclosure, data loss, downtime, or failure to achieve sufficient return on investment (ROI), - Divestitures (thoái vốn), : another time period of increased risk and thus increased need for focused security governance - Governance committees (ủy ban quản trị) 1.2.1 Change Control/Management - Goal: to ensure that any change does not lead to reduced or compromised security, prevent unwanted reductions in security - Primary purpose: to make all changes subject to detailed documentation and auditing and thus able to be reviewed and scrutinized by management. - The change control process of configuration or change management has several goals or requirements: o Implement changes in a monitored and orderly manner. Changes are always controlled. o A formalized testing process is included to verify that a change produces expected results. o All changes can be reversed (also known as backout or rollback plans/procedures). o Users are informed of changes before they occur to prevent loss of productivity. o The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected. o The negative impact of changes on capabilities, functionality, and performance is minimized. o Changes are reviewed and approved by a Change Advisory Board (CAB). 1.2.2 Data classification - To implement a classification scheme, you must perform seven major steps, or phases: o 1. Identify the custodian, and define their responsibilities
o 2. Specify the evaluation criteria of how the information will be classified and labeled. o 3. Classify and label each resource. (The owner conducts this step, but a supervisor should review it.) o 4. Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria. o 5. Select the security controls that will be applied to each classification level to provide the necessary level of protection. o 6. Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity. o 7. Create an enterprise-wide awareness program to instruct all personnel about the classification system. - Government/military classification vs Commercial business/private sector classification - Ownership 1.2.3 Organizational Roles and Responsibilities - Senior Manager - Security Professional - Data Owner - Data Custodian - User - Auditor 1.2.4 Security Control Frameworks - Control Objective Information and related Technology COBIT (ISACA) - COBIT 5 is based on five key principles for governance and management of enterprise IT: Principle 1: Meeting Stakeholder Needs Principle 2: Covering the Enterprise End-to-End Principle 3: Applying a Single, Integrated Framework Principle 4: Enabling a Holistic Approach Principle 5: Separating Governance From Management -
1.2.5 Due Care and Due Diligence III. Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines - Security Policies o A security policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. o defines the main security objectives and outlines the security framework of an organization o issue-specific security policy focuses on a specific network service, department, function, or other aspect that is distinct from the organization as a whole o A system-specific security policy focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates firewall or other specific security controls. o The security policy is used to assign responsibilities, define roles, specify audit requirements, outline enforcement processes, indicate compliance requirements, and define acceptable risk levels. o there are three overall categories of security policies: regulatory, advisory, and informative  regulatory policy: required whenever industry or legal standards are applicable to your organization  Advisory policy: An advisory policy discusses behaviors and activities that are acceptable and defines consequences of violations  An informative policy is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers.  Security Policy -> Standard -> Baseline -> Guideline ->Procedures o Security Policies and Individuals o Acceptable Use Policy - Security Standards, Baselines, and Guidelines o Security Standards: Standards define compulsory requirements for the homogenous use of hardware, software, technology, and security controls o A baseline defines a minimum level of security that every system throughout the organization must meet. Baselines are usually system specific and often refer to an industry or government standard, like the Trusted Computer System Evaluation Criteria (TCSEC) or Information Technology Security Evaluation and Criteria (ITSEC) or NIST (National Institute of Standards and Technology) standards. o A guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. - Security Procedures o A procedure or standard operating procedure (SOP) is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
IV. Understand and Apply Threat Modeling Concepts and Methodologies 1 Threat modeling - Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Proactive Approach (defensive approach) vs Reactive Approach (adversarial Approach) - Goal: o To reduce the number of security-related design and coding defects o To reduce the severity of any remaining defects 1.1 Identifying Threats o Focused on Assets o Focused on Attackers o Focused on Software - STRIDE threat model o Spoofing o Tampering o Repudiation o Information disclosure o Denial of service (DoS) o Elevation of privilege - Process for Attack Simulation and Threat Analysis (PASTA) o Stage I: Definition of the Objectives (DO) for the Analysis of Risks o Stage II: Definition of the Technical Scope (DTS) o Stage III: Application Decomposition and Analysis (ADA) o Stage IV: Threat Analysis (TA) o Stage V: Weakness and Vulnerability Analysis (WVA) o Stage VI: Attack Modeling & Simulation (AMS)
o Stage VII: Risk Analysis & Management (RAM) o Trike threat modeling- risk based approach o DREAD threat modeling: Disaster, Reproducibility, Exploitability, Affected Users, and Discoverability 1.2 Determining and Diagramming Potential Attacks 1.3 Performing Reduction Analysis - Reduction Analysis as known decomposing the application, system, environment - In the decomposition process, you must identify five key concepts: o Trust Boundaries Any location where the level of trust or security changes o Data Flow Paths The movement of data between locations o Input Points Locations where external input is received o Privileged Operations Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security o Details about Security Stance and Approach The declaration of the security policy, security foundations, and security assumptions 1.4 Prioritization and Response - To define the means, target, and consequences of a threat - Do rank or rate the threats o Probability × Damage Potential ranking o high/medium/low rating o the DREAD system  Damage potential  Reproducibility  Exploitability
 Affected users  Discoverability V. Apply Risk-Based Management Concepts to the Supply Chain - evaluating a third party for your security integration, consider the following processes: o On-Site Assessment o Document Exchange and Review o Process/Policy Review o Third-Party Audit:  American Institute of Certified Public Accountants (AICPA)  Statement on Standards for Attestation Engagements (SSAE)  SOC 1: SOC1 audit focuses on a description of security mechanisms to assess their suitability  SOC 2: audit focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality - Here are some excellent resources related to security integrated with acquisition: o Improving Cybersecurity and Resilience through Acquisition o NIST Special Publication 800-64 Revision 2: Security Considerations in the System Development Life Cycle

More Related Content

PPT
Network Security
byVipul Mosaic
 
PPT
Intro
byJustineJohn3
 
PPT
Iss lecture 1
byAli Habeeb
 
PPTX
Information System Security
bySyed Asif Sherazi
 
PPT
Information security
byYogeshwari M Yogi
 
PPT
Protocols and Practices in Using Encryption Chapter 4
byAfiqEfendy Zaen
 
PPTX
Information security
byRohit Gir
 
PDF
Psychological Security: Introducing the PsySec Field
byZach(ary) Eikenberry
 
Network Security
byVipul Mosaic
 
Intro
byJustineJohn3
 
Iss lecture 1
byAli Habeeb
 
Information System Security
bySyed Asif Sherazi
 
Information security
byYogeshwari M Yogi
 
Protocols and Practices in Using Encryption Chapter 4
byAfiqEfendy Zaen
 
Information security
byRohit Gir
 
Psychological Security: Introducing the PsySec Field
byZach(ary) Eikenberry
 

What's hot

PDF
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
byvkarthi314
 
PPT
Ch1 cse
bybhaskard8
 
PPTX
Introduction to Information Security
byShreedevi Tharanidharan
 
PPT
Information Security
byDhilsath Fathima
 
PPT
Information security introduction
byPrachi Gulihar
 
PPTX
Concept of physical protection and its principals
byRasheed Abbasi
 
PPT
Introduction to information security
byKumawat Dharmpal
 
PPTX
Cybersecurity Fundamentals for Legal Professionals
byShawn Tuma
 
PPT
Isl awareness training
byshibichery
 
PDF
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
byShah Sheikh
 
PPTX
USG_Security_Awareness_Primer.pptx
byBilmyRikas
 
PPT
Ch01 overview nemo
byMrNitinJainSETAssist
 
PDF
Security Audits & Cyber
byPaul Andrews
 
PDF
2018 CISSP Mentor Program Session 2
byFRSecure
 
PDF
Global Ransomware Attacks
byEmily Brown
 
PPTX
Cause 11 im final
bycavapyta
 
PPTX
Trustifier tux™ makes effective security simple
byG.F. Windsor, Barrister & Solicitor
 
PPT
Isys20261 lecture 03
byWiliam Ferraciolli
 
PDF
DefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
byShah Sheikh
 
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
byvkarthi314
 
Ch1 cse
bybhaskard8
 
Introduction to Information Security
byShreedevi Tharanidharan
 
Information Security
byDhilsath Fathima
 
Information security introduction
byPrachi Gulihar
 
Concept of physical protection and its principals
byRasheed Abbasi
 
Introduction to information security
byKumawat Dharmpal
 
Cybersecurity Fundamentals for Legal Professionals
byShawn Tuma
 
Isl awareness training
byshibichery
 
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
byShah Sheikh
 
USG_Security_Awareness_Primer.pptx
byBilmyRikas
 
Ch01 overview nemo
byMrNitinJainSETAssist
 
Security Audits & Cyber
byPaul Andrews
 
2018 CISSP Mentor Program Session 2
byFRSecure
 
Global Ransomware Attacks
byEmily Brown
 
Cause 11 im final
bycavapyta
 
Trustifier tux™ makes effective security simple
byG.F. Windsor, Barrister & Solicitor
 
Isys20261 lecture 03
byWiliam Ferraciolli
 
DefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
byShah Sheikh
 

Similar to Chapter 1

PDF
CIA = Confidentiality of information, Integrity of information, Avai.pdf
byannaielectronicsvill
 
PPTX
Security and Risk Management Practices.pptx
byharshadrai2
 
PDF
Concepts of Cyber Security lecture notes.pdf
byPriyank974941
 
PDF
1. Security and Risk Management
bySam Bowne
 
PDF
1. Security and Risk Management
bySam Bowne
 
PPTX
informations_security_presentations.pptx
byFAKHARZAMANPROUD
 
PPTX
Security Ch-1.pptx
byKeenboonAsaffaa
 
PPTX
Information security principles
byDan Morrill
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
bySam Bowne
 
PPT
CIA Triad in Cybersecurity By Dr.Purushottam Petare.ppt
byDr.Purushottam Petare
 
PPTX
ISM-CS5750-01.pptx
byRashidSahito1
 
PPTX
1. Introduction to Information Security.pptx
bynoura53269
 
PPT
Chapter 3: Information Security Framework
byNada G.Youssef
 
PPTX
Security & Risk Mgmt_WK1.pptx
bydotco
 
PPTX
Security & Risk Mgmt_WK1.pptx
byTechnocracy2
 
PPTX
IT.pptx
byRaaviKapoor
 
PPTX
security in is.pptx
byselvapriyabiher
 
PPT
InfoSecConcepts.ppt
byMobileAntitheft
 
PPTX
crisc_wk_5.pptx
bydotco
 
CIA = Confidentiality of information, Integrity of information, Avai.pdf
byannaielectronicsvill
 
Security and Risk Management Practices.pptx
byharshadrai2
 
Concepts of Cyber Security lecture notes.pdf
byPriyank974941
 
1. Security and Risk Management
bySam Bowne
 
1. Security and Risk Management
bySam Bowne
 
informations_security_presentations.pptx
byFAKHARZAMANPROUD
 
Security Ch-1.pptx
byKeenboonAsaffaa
 
Information security principles
byDan Morrill
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
bySam Bowne
 
CIA Triad in Cybersecurity By Dr.Purushottam Petare.ppt
byDr.Purushottam Petare
 
ISM-CS5750-01.pptx
byRashidSahito1
 
1. Introduction to Information Security.pptx
bynoura53269
 
Chapter 3: Information Security Framework
byNada G.Youssef
 
Security & Risk Mgmt_WK1.pptx
bydotco
 
Security & Risk Mgmt_WK1.pptx
byTechnocracy2
 
IT.pptx
byRaaviKapoor
 
security in is.pptx
byselvapriyabiher
 
InfoSecConcepts.ppt
byMobileAntitheft
 
crisc_wk_5.pptx
bydotco
 

Recently uploaded

PDF
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
PDF
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PPTX
Corporate AI Training to AI Enable a Company Workforce
byStélio Inácio
 
PDF
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
PPTX
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
PDF
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
PPTX
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PDF
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
PDF
Ai In Courts Ai in courts AI in court AI in court
byZainKarim7
 
PPTX
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
PPT
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PDF
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
PPTX
Cesium formate brine - A brief history - prepared by John Downs in May 2011
byJohn Downs
 
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
Corporate AI Training to AI Enable a Company Workforce
byStélio Inácio
 
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
Ai In Courts Ai in courts AI in court AI in court
byZainKarim7
 
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
Cesium formate brine - A brief history - prepared by John Downs in May 2011
byJohn Downs
 

Chapter 1

  • 1.
    Contents I. Understand andApply Concepts of Confidentiality, Integrity, and Availability .....................................................2 1 CIA Triad..............................................................................................................................................................2 1.1 Confidentiality.............................................................................................................................................2 1.2 Integrity.......................................................................................................................................................2 1.3 Availability...................................................................................................................................................3 2 Other Security Concepts .....................................................................................................................................4 2.1 AAA Services................................................................................................................................................4 2.2 Legally Defensible Security..........................................................................................................................4 2.3 Protection Mechanisms ..............................................................................................................................4 2.4 Layering.......................................................................................................................................................4 2.5 Abstraction..................................................................................................................................................4 2.6 Data Hiding..................................................................................................................................................4 2.7 Encryption ...................................................................................................................................................4 II. Evaluate and Apply Security Governance Principles...............................................................................................4 1 Alignment of Security Function to Business Strategy, Goals, Mission, and Objectives......................................5 1.1 A security management planning team should develop three types of plans ...........................................5 1.2 Organizational Processes ............................................................................................................................5 - Senior Manager...............................................................................................................................................6 III. Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines .........................7 IV. Understand and Apply Threat Modeling Concepts and Methodologies ............................................................8 1 Threat modeling..................................................................................................................................................8 1.1 Identifying Threats ......................................................................................................................................8 1.2 Determining and Diagramming Potential Attacks ......................................................................................9 1.3 Performing Reduction Analysis...................................................................................................................9 1.4 Prioritization and Response ........................................................................................................................9 V. Apply Risk-Based Management Concepts to the Supply Chain ............................................................................10
  • 2.
    I. Understand andApply Concepts of Confidentiality, Integrity, and Availability 1 CIA Triad - Primary goals and objectives of a security infrastructure. - Security controls are typically evaluated on how well they address these three core information security tenets. - Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles. 1.1 Confidentiality - Goal: is to prevent or minimize unauthorized access to data. - It offers a high level of assurance that data, objects, or resources are restricted from unauthorized subjects. - Attacks: capturing network traffic and stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges ... Not limited to directed intentional attacks. Also result of human error, oversight, or ineptitude. Countermeasures: encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training. - Without object integrity, confidentiality cannot be maintained. - Other concepts, conditions, and aspects of confidentiality include the following: o Sensitivity quality of information. Maintaining confidentiality of sensitive information helps to prevent harm or damage. o Discretion operator can influence or control disclosure in order to minimize harm or damage. o Criticality The higher the level of criticality, the more likely the need to maintain the confidentiality of the information. High levels of criticality are essential to the operation or function of an organization. o Concealment hiding or preventing disclosure. is security through obscurity, hiding, silence, or secrecy. not considered a valid security measure, it may still have value in some cases. o Secrecy keeping something a secret or preventing the disclosure of information. o Privacy keeping information confidential that is personally identifiable or that might cause harm, embarrassment (lúng túng), or disgrace (ghét bỏ) to someone if revealed. o Seclusion storing something in an out-of-the-way location. This location can also provide strict access controls. o Isolation keeping something separated from others. Isolation can be used to prevent commingling (trộn lẫn) of information or disclosure of information. 1.2 Integrity - Goal: prevents unauthorized alterations of data. - it offers a high level of assurance that the data, objects, and resources are unaltered from their original protected state. - Attacks: viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors.
  • 3.
    - Countermeasures: strictaccess control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive personnel training. - Other concepts, conditions, and aspects of confidentiality include the following: o Accuracy: Being correct and precise o Truthfulness: Being a true reflection of reality o Authenticity: Being authentic or genuine o Validity: Being factually or logically sound o Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event Accountability: Being responsible or obligated for actions and results o Responsibility: Being in charge or having control over something or someone o Completeness: Having all needed and necessary components or parts o Comprehensiveness: Being complete in scope; the full inclusion of all needed elements - Nonrepudiation: ensures that the subject of an activity or who caused an event cannot deny that the event occurred, a part of accountability, - Integrity can be examined from three perspectives: o Preventing unauthorized subjects from making modifications o Preventing authorized subjects from making unauthorized modifications, such as mistakes o Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent, and verifiable 1.3 Availability - Goal: authorized subjects are granted timely and uninterrupted access to objects - it offers a high level of assurance that the data, objects, and resources are accessible to authorized subjects - Threats: device failure, software errors, and environmental issues (heat, static, flooding, power loss, and so on). Attacks: DoS attacks, object destruction, and communication interruptions. - Countermeasures: designing intermediary delivery systems properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems. Most security policies, as well as business continuity planning (BCP), focus on the use of fault tolerance features at the various levels of access/storage/security (that is, disk, server, or site) with the goal of eliminating single points of failure to maintain availability of critical system - Other concepts, conditions, and aspects of confidentiality include the following: o Usability: The state of being easy to use or learn or being able to be understood and controlled by a subject o Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations o Timeliness: Being prompt, on time, within a reasonable time frame, or providing low-latency response
  • 4.
    2 Other SecurityConcepts 2.1 AAA Services - Identification - Authentication - Authorization - Auditing - Accountability 2.2 Legally Defensible Security 2.3 Protection Mechanisms - Some common examples of these mechanisms include using multiple layers or levels of access, employing abstraction, hiding data, and using encryption. 2.4 Layering - defense in depth - is simply the use of multiple controls in a series - Using layers in a series rather than in parallel is important - In a series configuration, failure of a single security control does not render the entire solution ineffective. If security controls were implemented in parallel, a threat could pass through a single checkpoint that did not address its particular malicious activity. 2.5 Abstraction - Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective - Abstraction simplifies security by enabling you to assign security controls to a group of objects collected by type or function 2.6 Data Hiding - Data hiding vs security through obscurity 2.7 Encryption II. Evaluate and Apply Security Governance Principles - Security Governance: is the collection of practices related to supporting, defining, and directing the security efforts of an organization. - Security governance is the implementation of a security solution and a management method that are tightly interconnected. Security governance directly oversees and gets involved in all levels of security - Security governance is commonly managed by a governance committee or at least a board of directors - Security frameworks and governance guidelines, including NIST 800-53 or 800-100
  • 5.
    1 Alignment ofSecurity Function to Business Strategy, Goals, Mission, and Objectives - Security management planning ensures proper creation, implementation, and enforcement of a security policy. - Security management planning aligns the security functions to the strategy, goals, mission, and objectives of the organization - Security management planning: top-down vs bottom-up - Security management is a responsibility of upper management, not of the IT staff, and is considered an issue of business operations rather than IT administration 1.1 A security management planning team should develop three types of plans - Strategic Plan: long-term plan that is fairly stable, 5 year, include risk assessment, - Tactical Plan: midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events. Example: project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans - Operational Plan: short-term, highly detailed plan based on the strategic and tactical plans. Example: training plans, system deployment plans, and product design plans 1.2 Organizational Processes - Acquisitions (sáp nhập), : increased level of risk, Such risks include inappropriate information disclosure, data loss, downtime, or failure to achieve sufficient return on investment (ROI), - Divestitures (thoái vốn), : another time period of increased risk and thus increased need for focused security governance - Governance committees (ủy ban quản trị) 1.2.1 Change Control/Management - Goal: to ensure that any change does not lead to reduced or compromised security, prevent unwanted reductions in security - Primary purpose: to make all changes subject to detailed documentation and auditing and thus able to be reviewed and scrutinized by management. - The change control process of configuration or change management has several goals or requirements: o Implement changes in a monitored and orderly manner. Changes are always controlled. o A formalized testing process is included to verify that a change produces expected results. o All changes can be reversed (also known as backout or rollback plans/procedures). o Users are informed of changes before they occur to prevent loss of productivity. o The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected. o The negative impact of changes on capabilities, functionality, and performance is minimized. o Changes are reviewed and approved by a Change Advisory Board (CAB). 1.2.2 Data classification - To implement a classification scheme, you must perform seven major steps, or phases: o 1. Identify the custodian, and define their responsibilities
  • 6.
    o 2. Specifythe evaluation criteria of how the information will be classified and labeled. o 3. Classify and label each resource. (The owner conducts this step, but a supervisor should review it.) o 4. Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria. o 5. Select the security controls that will be applied to each classification level to provide the necessary level of protection. o 6. Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity. o 7. Create an enterprise-wide awareness program to instruct all personnel about the classification system. - Government/military classification vs Commercial business/private sector classification - Ownership 1.2.3 Organizational Roles and Responsibilities - Senior Manager - Security Professional - Data Owner - Data Custodian - User - Auditor 1.2.4 Security Control Frameworks - Control Objective Information and related Technology COBIT (ISACA) - COBIT 5 is based on five key principles for governance and management of enterprise IT: Principle 1: Meeting Stakeholder Needs Principle 2: Covering the Enterprise End-to-End Principle 3: Applying a Single, Integrated Framework Principle 4: Enabling a Holistic Approach Principle 5: Separating Governance From Management -
  • 7.
    1.2.5 Due Careand Due Diligence III. Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines - Security Policies o A security policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. o defines the main security objectives and outlines the security framework of an organization o issue-specific security policy focuses on a specific network service, department, function, or other aspect that is distinct from the organization as a whole o A system-specific security policy focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates firewall or other specific security controls. o The security policy is used to assign responsibilities, define roles, specify audit requirements, outline enforcement processes, indicate compliance requirements, and define acceptable risk levels. o there are three overall categories of security policies: regulatory, advisory, and informative  regulatory policy: required whenever industry or legal standards are applicable to your organization  Advisory policy: An advisory policy discusses behaviors and activities that are acceptable and defines consequences of violations  An informative policy is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers.  Security Policy -> Standard -> Baseline -> Guideline ->Procedures o Security Policies and Individuals o Acceptable Use Policy - Security Standards, Baselines, and Guidelines o Security Standards: Standards define compulsory requirements for the homogenous use of hardware, software, technology, and security controls o A baseline defines a minimum level of security that every system throughout the organization must meet. Baselines are usually system specific and often refer to an industry or government standard, like the Trusted Computer System Evaluation Criteria (TCSEC) or Information Technology Security Evaluation and Criteria (ITSEC) or NIST (National Institute of Standards and Technology) standards. o A guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. - Security Procedures o A procedure or standard operating procedure (SOP) is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
  • 8.
    IV. Understand andApply Threat Modeling Concepts and Methodologies 1 Threat modeling - Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Proactive Approach (defensive approach) vs Reactive Approach (adversarial Approach) - Goal: o To reduce the number of security-related design and coding defects o To reduce the severity of any remaining defects 1.1 Identifying Threats o Focused on Assets o Focused on Attackers o Focused on Software - STRIDE threat model o Spoofing o Tampering o Repudiation o Information disclosure o Denial of service (DoS) o Elevation of privilege - Process for Attack Simulation and Threat Analysis (PASTA) o Stage I: Definition of the Objectives (DO) for the Analysis of Risks o Stage II: Definition of the Technical Scope (DTS) o Stage III: Application Decomposition and Analysis (ADA) o Stage IV: Threat Analysis (TA) o Stage V: Weakness and Vulnerability Analysis (WVA) o Stage VI: Attack Modeling & Simulation (AMS)
  • 9.
    o Stage VII:Risk Analysis & Management (RAM) o Trike threat modeling- risk based approach o DREAD threat modeling: Disaster, Reproducibility, Exploitability, Affected Users, and Discoverability 1.2 Determining and Diagramming Potential Attacks 1.3 Performing Reduction Analysis - Reduction Analysis as known decomposing the application, system, environment - In the decomposition process, you must identify five key concepts: o Trust Boundaries Any location where the level of trust or security changes o Data Flow Paths The movement of data between locations o Input Points Locations where external input is received o Privileged Operations Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security o Details about Security Stance and Approach The declaration of the security policy, security foundations, and security assumptions 1.4 Prioritization and Response - To define the means, target, and consequences of a threat - Do rank or rate the threats o Probability × Damage Potential ranking o high/medium/low rating o the DREAD system  Damage potential  Reproducibility  Exploitability
  • 10.
     Affected users Discoverability V. Apply Risk-Based Management Concepts to the Supply Chain - evaluating a third party for your security integration, consider the following processes: o On-Site Assessment o Document Exchange and Review o Process/Policy Review o Third-Party Audit:  American Institute of Certified Public Accountants (AICPA)  Statement on Standards for Attestation Engagements (SSAE)  SOC 1: SOC1 audit focuses on a description of security mechanisms to assess their suitability  SOC 2: audit focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality - Here are some excellent resources related to security integrated with acquisition: o Improving Cybersecurity and Resilience through Acquisition o NIST Special Publication 800-64 Revision 2: Security Considerations in the System Development Life Cycle