
Mind map: CISSP_Domain_01

  • Risk Categories

    • Damage

      • Results in physical loss of an asset or
        the inability to access the asset.
    • Disclosure

      • Disclosing critical information
        regardless of where or how it was disclosed.
    • Losses

      • These might be permanent or temporary,
        including altered data or inaccessible data
  • Response to Risk

    • Risk Mitigation / Reduction

    • Risk Acceptance

    • Risk Avoidance

    • Risk Transfer / Assignment

  • Risk factors

    • Physical Damage

      • Natural disaster, power loss or
        vandalism.
    • Malfunctions

      • Failure of systems, networks, or
        peripherals.
    • Attacks

      • Purposeful acts whether from the inside or
        outside, such as unauthorized disclosure.
    • Human Errors

      • Usually considered accidental
        incidents, whereas attacks are purposeful incidents.
    • Application errors

      • Failures of the application,
        including the operating system.
  • Types / State of Risk

    • Inherent Risk

      • The amount of risk that exists
        in the absence of controls.
    • Residual Risk

      • The risk that management has chosen
        to accept rather than mitigate.
    • Total Risk

      • The amount of risk an organization would
        face if no safeguards were implemented.
  • CIA Triad

    • Confidentiality

    • Integrity

    • Availability

  • Security Planning

    • Strategic Plan

      • Long-term, stable plan that should include a
        risk assessment (5-year horizon, annual updates).

    • Tactical Plan

      • Mid-term plan, developed under the guidance of the strategic plan

        • Hiring Plans

        • Project Plans

        • Acquisition Plans

    • Operational Plan

      • Short term, highly detailed plan based
        on the strategic and tactical plans.

        • System deployment plans

        • Resource Allocation Plans

  • Risk Management Framework - PCSIAAM

    • 7 steps of NIST 800-37

      • Prepare to execute the RMF

      • Categorize information systems

      • Select Security Controls

      • Implement Security controls

      • Assess the security controls

      • Authorize the system

      • Monitor security controls

    • Mnemonic: People Can See I Am Always Monitoring (PCSIAAM)

    • Exam Tips

      • When legal issues are involved, "Call an attorney" is a valid choice

      • Remember not every risk can be mitigated

      • It is management's job to decide how that risk is handled

      • When multiple priorities are present, human safety is the most important

  • Due Care & Due Diligence

    • Due Diligence

      • Practicing the activities that maintain
        the due care effort.

        • Think BEFORE you act!

        • Do Detect

    • Due Care

      • doing what a reasonable person would
        do in a given situation. It is sometimes
        called the “prudent man” rule.

        • Actions speak louder than words

        • Do Correct

  • (ISC)² Code of Ethics

    • Protect society, the common good, and the infrastructure

    • Act honorably, honestly, justly, responsibly, and legally

    • Provide diligent and competent service to principals

    • Advance and protect the profession

  • Legal & Regulatory

    • ISACA code of Ethics

    • Types of Law

      • Criminal Law

      • Civil Law

      • Administrative Law

    • Laws

      • Computer Fraud and Abuse Act (CFAA)
        . The first major

      • Federal Sentencing Guidelines

      • Federal Information Security Management Act (FISMA)

      • Copyright and the Digital Millennium Copyright Act

      • Wassenaar Arrangement

      • International Traffic in Arms Regulations (ITAR)

      • Export Administration Regulations (EAR)

    • IP & Licensing

      • Trade Secrets

        • Trade secrets Disclosure

          • Economic and industrial espionage frequently targets trade secrets, in order to gain an unfair advantage over competitors or to reap the benefits of another company's hard work without putting in any effort of its own.
      • Copyright

        • Copyright attacks

          • Piracy – unauthorized use or reproduction of material
      • Trademarks

        • Trademark attacks

          • Counterfeiting – products intended to be mistakenly associated with brand

          • Dilution – widespread use of brand name as stand-in for product (e.g. Kleenex, Xerox, etc.)

      • Patents

        • Patent attacks

          • primarily involve infringement upon the reserved rights of the patent holder (knowingly or unknowingly)
      • Licensing

        • Contractual license agreements

        • Shrink-wrap license agreements

        • Click-through license agreements

        • Cloud services license agreements

    • Encryption and Privacy

      • Computer Export Controls

      • Encryption Export Controls

      • Privacy (US)

        • HIPAA
          (Health Insurance Portability and Accountability Act)

        • HITECH
          (Health Information Technology for Economic and
          Clinical Health)

        • Gramm-Leach-Bliley Act (financial institutions)

        • Children’s Online Privacy Protection Act (COPPA)

        • Electronic Communications Privacy Act (ECPA)

        • Communications Assistance for Law Enforcement Act
          (CALEA)

      • Privacy (EU)

        • GDPR
  • Security Controls

    • Control Categories

      • Administrative

        • Developing & publishing policies, standards, procedures (Ex. Risk Mgmt, Chg. Ctrl)
      • Technical

        • Implementing access control mechanisms, password mgmt, Ident & Auth, etc.
      • Physical

        • Controlling individual physical access (Ex. locks, environmental controls, disable USB)
    • Control Types

      • Preventive

        • Prevents harmful occurrences by restricting what a potential user can do
           Physical: Lock, Mantrap | Technical: Firewall | Admin: Pre-employment drug screen
      • Deterrent

        • Discouraging unwanted actions (ex. Beware of Dog sign, documented punishment)
           Physical: Beware of Dog sign | Administrative: Sanction policy
      • Detective

        • Controls that alert during or after a successful attack (ex. IDS/IPS, CCTV, Alarm)
           Physical: CCTV, Light | Technical: IDS | Admin: Post-employment random drug screen
      • Compensating

        • Compensate for weaknesses in other controls (ex. reviewing users web usage)
      • Corrective

        • Restores systems that are victims of harmful attacks (often bundled with Detective)
      • Recovery

        • Restore functionality of the system and organization (ex. re-image a PC, Restore, etc.)
      • Directive

    • Security Control Framework

      • COBIT

        • Operational framework & best-practices model for IT governance

        • Defines goals for controls that should be used to manage IT and ensure IT maps to business needs

        • 4 Domains (34 Processes):

          • Plan & Organize

          • Acquire & Implement

          • Deliver & Support

          • Monitor & Evaluate

      • COSO

        • Strategic model for corporate governance

        • 5 Components:

          • Control Environment

          • Risk Assessment

          • Control Activities

          • Communication of Information

          • Monitoring

      • ISO

      • ITIL (Information Technology Infrastructure Library) - IT Best Practices

        • Customizable framework for providing best services in IT Service Management (ITSM)

        • 5 Service Management Practices - core guidance publications

          • Service Strategy (helps IT provide services)

          • Service Design (designing infrastructure & architecture)

          • Service Transition (making projects operational)

          • Service Operation (operations controls)

          • Continual Service Improvement (ways to improve existing services)

  • Information Security Governance

    • Policy (Mandatory)

      • High-level management directives
    • Standards (Mandatory)

      • Describe the specific use of a technology (ex. laptop make/model/specs)
    • Procedure (Mandatory)

      • Step-by-step guide for accomplishing a task
    • Security Guidelines

      • (Discretionary) Recommendations
    • Security Baselines

      • (Discretionary) Uniform way of doing something. Defines the lowest acceptable security level
  • Supply Chain

    • Supply Chain Evaluation

      • On-site Assessment

      • Document Exchange and Review 

      • Process/Policy Review

      • Third party Audit

  • Threat Modeling

    • Threat Reduction Analysis

      • Identify Trust Boundaries

        • Any location where the level of trust
          or security changes
      • Data Flow Paths

        • The movement of data between
          locations
      • Input Points

        • Locations where external input is received
      • Privileged Operations

        • Any activity that requires
          greater privileges than those of a standard user account
      • Security Stance and approaches

        • declaration of security policy, security foundations, and
          security assumptions.
    • Prioritization & Response

      • Option 1: Probability x Damage

        • For every threat, identify its probability
          and the damage it can cause

          • Assign each a number from 1 to 10;
            the product (probability x damage) is the threat's priority score
      • Option 2: Assign Values

        • High

          • Immediate attention
        • Medium

          • Attention, but later
        • Low

          • May receive attention if the budget allows
      • Option 3: Follow the DREAD Method

        • Damage

          • How much damage is possible with this threat
        • Reproducibility

          • How feasible it is for an attacker to reproduce this threat
        • Exploitability

          • Chance that this threat can be exploited
        • Affected Users

          • How many users can be affected if it is exploited
        • Discoverability

          • How hard it is for an attacker to discover this vulnerability
    • Threat Identification Approaches

      • Focused on Assets

        • Uses Asset Valuation results
          to identify threats to the valuable assets.
      • Focused on Attacker

        • Identify potential attackers
          and identify threats based on the
          Attacker's Goal
      • Focused on Software

        • Considers Potential Threats 
          against the software the org develops.
    • Threat Categorization

      • Microsoft's model is STRIDE

        • Spoofing

        • Tampering

        • Repudiation

        • Information disclosure

        • Denial of service

        • Elevation of privilege

      • Process for Attack Simulation and Threat Analysis (PASTA)

        • Stage I : Definition of Objectives

        • Stage II : Definition of Technical Scope

        • Stage III : App Decomposition & Analysis

        • Stage IV: Threat Analysis

        • Stage V: Weakness & Vulnerability

        • Stage VI: Attack Modeling & Simulation Analysis

        • Stage VII : Risk Analysis & Management

      • TRIKE

        • An open source threat modeling process
          that implements a requirements model.

        • Ensures the assigned level of risk for each
          asset is “acceptable” to stakeholders.

      • VAST

        • Visual

        • Agile

        • Simple

        • Threat

  • Risk Analysis

    • Quantitative

      • Risk Analysis Steps

        • Inventory Assets

        • Identify Threats

        • Perform a Threat Analysis

        • Estimate the potential loss

        • Research countermeasures for each threat

        • Perform cost / benefit Analysis

      • Calculating Risk

        • Exposure Factor (EF)

        • Single Loss Expectancy (SLE)

          • SLE = asset value (AV) * exposure factor (EF)
        • Annualized Rate of Occurrence (ARO)

        • Annualized loss expectancy (ALE)

          • ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO),
            or equivalently ALE = asset value (AV) * exposure factor (EF) * annualized rate of occurrence (ARO);
            more simply:
            ALE = SLE * ARO
            or
            ALE = AV * EF * ARO
        • Safeguard Evaluation

          • ALE before safeguard - ALE after safeguard
            - annual cost of safeguard = value of safeguard
        • Control Gap

          • total risk - controls gap = residual risk
    • Qualitative 

      • Delphi technique 
    • Threat Agent

  • Business Continuity Planning

    • Strategy development

    • Provisions and processes

    • Plan approval

    • Plan implementation

    • Training and education

  • User Education

  • Certification & Accreditation

    • Certification: Detailed inspection verifying whether system meets documented security requirements

      • Inspects: Management, Operational, and Technical security controls
    • Accreditation: The Data Owner's acceptance of the risk associated with the system & authorizing its implementation based on the discussed risks and security controls (may be performed by an auditor)

      • Risk Owner: Usually senior management. The person performing accreditation