Security+ Risk Management Notes

Controls and Risks

Security Controls - Procedures and mechanisms to manage risks

Defense in Depth - Multiple controls for one objective

Categorization
- Attack mitigation
  - Deterent - discourage attempted attack
  - Detective - identify attack (breach)
  - Preventive - Keeping the attack damage from happening
  - Corrective Control - Mechanism to minimize the damage and take action to keep a similar attack from happening again
  - Administrative - Activities that minimize security risks through established business processes (e.g. background checks or drug tests on potential employees)
  - Physical - Tangible security measures (e.g. door locks, fences, Security Guards & etcetera)
  - Compensating Control - To account for the following conditions:
    1. False Positive - A security alert for an event that poses no threat
    2. False Negative - An event that gives a false sense of security by not identifying an event as a threat

Security Policy Framework - used as a basis for the implementation and management of security controls - Subject to many factors.

Policies - Mandatory Rules that everyone must follow which are rigorously written to stand the test of times
Standards - Authority from policies - how things need to be done - Mandatory
Guidelines - Best practices - Optional
Procedures - Step-by-Step process for an activity

Security Policies
Factors (International standards are often more strict than national or local standards)
Culture - Customs and traditions established by society - Industries tend to have their own cultures and terms.
Industry - Common practices among organizations
Regulatory - Laws and standards established by government that everyone must adhere to - Federal regulations supercede state and local regulations.
Nonregulatory - Recommendations established by organizations that provide technical metrics and standards for improved science and technology

Common Policies
Information Security
Responsible Individual Role Designation
Security Roles and Responsibilities
Authority to create standards
Authority for incident response
Process for Policy Exceptions and Violations
General Security Policies

Privacy (see Linked-in's Privacy Policy for an example)
Acceptable Use Policy (AUP) - Defines a contractual agreement which states the rules that apply to the use of technology and describes responsible use in terms of respecting the rights of other users, the integrity of the physical facilities and all pertinent information. This should include clear specific language for:
Policies on Social Media
Policies on Personal Email
Standards of Behavior
Acceptable and unacceptable uses
Consent forms
Privacy statement
Disclaimer of liability
Non-Disclosure Agreement
Standard Operating Procedure (SOP) - a prescriptive set of written instructions that document a routine or repetitive activity followed by an organization.

Risk Assessment

Identify and triage

Threat - external force - Threat vectors are specific methods that threats use to exploit a vulnerability
- Vulnerability - Weakness in security
- Risk - combination of a vulnerability and a corresponding threat

Quantitative Risk Assessment

Asset Value (AV)
- Original Cost - Found on invoices or receipts
- Depriciated Cost - Reduced from original cost
- Replacement Cost - How much it would cost to replace
Exposure Factor (EF) - Estimated % of loss in a damaging event
- Single-Loss Expectance (SLE) - Estimated damage per incident
  SLE = AV * EF
- Annualized Rate of Occurrence (ARO) - Estimated number of times a risk is expected to occur each year
- Annualized Loss Expectancy (ALE) - Estimated $ lost from risk
  ALE = SLE * ARO
- Mean Time To Failure (MTTF) - Average time for nonrepairable assets to fail
- Mean Time Between Failures (MTBF) - Average time for repairable assets to fail
- Mean Time To Repair (MTTR) - Average time to repair
Risk Management - Systematically analyzing risk
- Avoidance - Prevention
- Transfer - Insurance
- Mitigation - Provisions to minimize the risk
- Acceptance - Taking the risk
- Deterence - Dissuade a threat
Risk Visibility and Reporting
- Risk Register - Tracks risks
- Threat Inelligence - Shares risk information

Supply Chain Risk

Vendors should have security policies that are at least as strict as your organization's security policies.

Managing Vendor Relationships
Vendor Agreements
- Service-Level Requirement (SLR) - a contract that establishes a set of deliverables that one party has agreed to provide another. This agreement can exist between a business and its customers, or one department that delivers a recurring service to another department within that business.
- Service-Level Agreement (SLA) - a contract that establishes a set of deliverables that one party has agreed to provide another.
- Memorandum of Understanding (MoU) - an agreement between two or more parties outlined in a formal document. It is not legally binding but signals the willingness of the parties to move forward with a contract.
- Memorandum of Agreement (MoA) - a formal business document used to outline an agreement made between two separate entities, groups or individuals
- Business Partnership Agreement (BPA) - a contract between partners that contains terms like the business’s purpose, partner contributions and voting rights.
- Interconnection Security Agreement (ISA) - A document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high- level roles and responsibilities in management of a cross-domain connection.
- Security and Compliance Terms - a systematic approach to governance designed to ensure that an institution meets its obligations under applicable laws, regulations, best practices and standards, contractual obligations, and institutional policies.
Vendor Information Management - Data Ownership Provisions

Personnel Management

Onboarding to start implementing the employment agreement
Mandatory Vacations - Requiring employees to take certain days off with the following ideas:
- Denying the employees who are on mandatory leave access to what they normally would have access to while they are on mandatory leave
- Verifying that the employees are being honest and then investigating those who are being dishonest... perhaps leading up to termination of employment and prosecution for criminal activities.
Job Rotation - The systematic movement of employees from one job to another within the organization to achieve various human resources objectives.
Need to Know and Least Privilege - Limits access for people to information to what they need to do their job
- Need to Know - A process should only have access to those objects it needs to accomplish its task, and furthermore only in the modes for which it needs access and only during the time frame when it needs access.
- Least Privilege - Minimum access to do job - Only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary (remember to relinquish privileges when they become obsolete). Failure to adhere to this principle may result in Privilege Aggregation or Privelege Creep which is the escalation of privileges that occurs when obsolete privileges are still assigned to the user(s).

Clean Desk Policy
A policy which states that clutter and sensitive documents are not allowed to remain on desks.

The purpose for this policy is to establish a culture of security and trust for all employees. An effective clean desk effort involving the participation and support of all employees can greatly protect paper documents that contain sensitive information about our clients, customers and vendors. All employees should familiarize themselves with the guidelines of this policy.

Back Ground Checks - Includes personal history of each employee and procpective employee, such as:
- Work History
- Criminal Record
- Medical History
- Driving Record
- Drug Screening
- and etcetera...
Separation of Duties and Responsibilities
- Enforced requirements for duties involving access to PII or other high stakes resources (e.g. accounts payable and payroll) to be done by multiple staff members. For example, the users of de-identified PII data would not also be in roles that permit them to access the information needed to re-identify the records.
- Two-Person Control - Requires two people to perform a task
Security in the Hiring Process
- Insider Threat -
- PreEmployment Screening -
- Non-Disclosure Agreement (NDA) - a legally enforceable contract that establishes confidentiality between two parties
- Orientation Sessions - Welcoming activities that establish new hires as legitimate employees and trains them on organizational policies and procedures.
Employee Termination Process
- Exit Interviews - Interviews conducted at the end of employment which often includes a reminder of a Non-Disclosure Agreement.
- Terminating access - Revoking all access to computer and network resources as well as any other organizational resources that are beyond what the common people (i.e. non-employees) already have access to.
- Offboarding to finalize the termination of employment

Awareness and Training

Role-based Awareness Training - Training that you provide for users in their job roles.
Security Education
- Training - Introduces new material
- Awareness - Reviews old material
- Testing - Verifies who understands the concepts
- Customization - Training that is adapted for business needs and individual capabilities
- Role-Based Training - Provides specific Information Systems Security professionals with education targeted to their roles
- Training Frequency -
- Relevance -
- Continuing Education -
Information Classification
- Data Classification Policies -
- Classification Levels -
- Labeling Requirements -
- Secure Information Disposal -
Compliance Training
- Compliance Programs -
- Security training should include compliance
- Laws - Government rules made by law makers that everyone must follow
- Regulations - Rules made by Government agencies
- Standards - Technical requirements
User Habits
- Password practices
- Tailgating
- Bring Your Own Device (BYOD)
- Social media and Peer-to-Peer (P2P) resources
User-based Threats
- Phishing & other attacks
- Patching
Measuring Security Education
- Simulated Phishing
- Surveys
Continuing Education
- New Employees and Contractors should be educated on security requirements
- Remind users about the security requirements
- The Security requirements should be documented and then distributed to employees and contractors
- Regular focus group sessions and on-the-job training should be provided
- General online security-related resources should be available in its simplest and concise form.
- Regular updates to the security requirements should be gone over distributed to the employees and contractors.

Business Continuity and Disaster Recovery

Business Continuity Plan (BCP)
- Ways to keep a business running despite disasters
  1. Confidentiality -
  2. Integrity -
  3. Availability -
Defining a Business Continuity Plan (BCP Scope) by conducting a Business Impact Assessment (BIA) which Identifies and prioritizes risks and Information Technology (IT) contingencies, namely:
Business Continuity Controls
- Risk Assessment Factors - Artificial and Environmental, which includes:
- Critical Functions - Activities that ensure continued operations
- Single Point of Failure (SPoF) - A situation where continued operations depends on one thing.
High Availability and Fault Tolerance (FT), which includes:
1. High Availablility (HA) - Multiple systems to protect against failures
2. Fault Tolerance (FT) - Making systems resilient (e.g. two power supplies for a server)
3. Load Balancing (LB) - Spread the burden of providing a service across multiple systems
4. Redundant Array of Independent Disks (RAID) - data distributed among multiple disks for fault tolerance
  - RAID 0 - Disk Striping without parity - NOT Fault Tolerant
  - RAID 1 - Disk Mirroring/Duplexing - Need 2 disks
  - RAID 5 - Disk Striping with Parity - Need 3+ disks total with 1+ disk(s) for parity
  - RAID 6 - Disk Striping with double-parity - Requires 4+ drives with 2+ disks for parity
  - RAID 10 - Combines RAID 1 with RAID 0 = Disk Mirroring + Disk Striping - Requires 4+ drives
  - RAID 50 - Combines RAID 5 with RAID 0 = Disk Striping with parity + Disk Striping - Reuires 6+ drives
  - RAID 60 - Combines RAID 6 with RAID 0 = Disk Striping with double parity + Disk Striping - Requires 8+ drives
  - Other RAID configurations exist, but are not commonly used.
5. Quality of Service (QoS) - Maintaining consistent performance
6. Mean Time To Failure (MTTF) - The average amount of time a non-repairable component can last before it needs to be replaced.
7. Mean Time Between Failures (MTBF) - The average amount of time a repairable component can last before it needs fixing.
Disaster Recovery - Restore business data and operations
- Initial Response - Mitigation from the effects of the damage which causes normal operations to cease, namely:
  - Contain the damage
  - Recover capabilities that can be immediately be restored
  - Include a variety of activities depending upon the nature of the disaster
- Disaster Communications - Collaboration on restoring normal operations, including:
  - Initial activation of the disaster recovery team
  - Regular status updates and
  - Tactical communications
- Assessment Mode - Triage the damage to the organization
- Order of Restoration - Taking steps to return to normal operations, namely:
  1. Recovery Time Objective (RTO) - The targeted amount of time that an application can be down without resulting in significant damage.
  2. Recovery Point Objective (RPO) - The amount of data lost due to disaster since the last viable backup prior to the disaster.
- Disaster Recovery efforts end only when the business is operating normally in its primary facility. Team members should receive regular training on their DR responsibilities.
Geographic Disaster Recovery Considerations
- Backups -
  1. Full - Complete copy of all data
  2. Snapshots - Special case of full backups
  3. Differential - Copy of all data since last full backup
  4. Incremental - Copy of all data since last full or incremental backup
- Backup Media -
  - Tape
  - Disk-to_Disk
  - Cloud
- Media Rotation Strategies - Allow reuse of backup media
  - Grandfather-Father-Son (GFS) - Uses the following method to rotate back up media:
    - Uses Original (1^st) media once during an extended period of time (e.g. quarterly) and then put back into circulation once a new full back up is made for the next period of time
    - Uses subsequent media once during an intermediate period of time (e.g. weekly) and then put back into circulation after each intermediate period of time during the longer period of time
    - Uses subsequent media often for back ups during each short period of time (e.g. daily) through out the intermediate period of time.
  - First In First Out (FIFO) - Once all of the media gets used, the oldest media used (the earliest archive available) gets reused first.
  - Tower of Hanoi - Uses a mathematical puzzle with the largest media on the bottom with smaller media stacked on top.
  - Other strategies - use some variation of systematic media rotation that involves redundancy in case a media set fails.
- Disaster Recovery Sites - Alternately Processing Sites
  - Hot Sites - Live data center
  - Warm Sites - Compromise between a hot site and a cold site
  - Cold Sites - No equipment running, but on standby in case of disaster
- Geographic Disaster Recovery Considerations
  - Cloud Computing
  - Legal
  - Data Sovereignty
Testing BC/DR Plans
- Read Throughs - Checklists
- Walk Through - Table Top - Discussions on Plans
- Simulation - simulates a disaster
- Parallel - test the plan
- Full Interruption - Fully implements the DR plans
After Action Reports
- Executive summary
- Background for incident
- details of the incident
- Lessons Learned (include the positives as well as negatives)
- Next Steps

Incident Response

Security Incidents

Security Event - any observable action on a computer system that impacts security.
Advserse Security Event - Any security event with negative consequences
Security Incident - Any adverse event that violates security policies
Attack Vector Categorization

Documented Incident Types and Categories include:
Web and cloud - Attacks perpectuated through websites and cloud-based applications and infrastructure
Email - Attacks via email (e.g. phishing and malicious attachments)
Improper Usage - Incidents that violate Acceptable Use Policies
Equipment damage, loss or theft - Incidents involving equipment that is no longer available due to damage, loss or theft
Security Incident Roles and Responsibilities
Upper management should establish formal policies which may include the authority for the Information Technology staff to take any of the following actions:
- Confiscate computers and other information systems
- Disconnect data networks and other information systems
- Monitor systems for further analysis
- Communicate with the press
Preparing for Incident Response - NIST Special Publication 800-61 - Includes:
1. Policy and plan documentation
2. Procedures for incident handling
3. Guidelines for response teams communicating with each other and externally
4. Structure and staffing model for the team
5. Description of relationships with other groups
6. Mission, strategies, and goals of incident response
7. Senior management approval
8. Approach to incident response
9. Metrics for measuring response capabilities
10. How the incident response program fits into the organization
Incident Identification and Containment
- Monitoring
- Security Incident and Event Management (SIEM)
- Threat Intelligence - important strategic and tactical information
- First responders must act quickly to isolate affected systems to contain damage
Escalation and Notification
- Evaluate severity
- Escalate to appropraite
- Notify management and other stakeholders
Incident Mitigation - Control damage - Mitigation ends with stability
- Common Strategies
  1. Damage Potential
  2. Evidence Preservation
  3. Service Availablility
  4. Resource Requirements
  5. Expected Effectiveness
  6. Solution Timeframe
- Low-Impact - First responders may try to resolve immediately and then report on what happened after the issues are resolved
- Moderate-Impact - First responders should consult with management and stakeholders before attempting to resolve the issues and then report on what happened.
- High-Impact - First responders must consult with managment and stakeholders before attempting to resolve the issues and then report on what happened
Eradication and Recovery - Remove effects of incident and getting back to normal
- Technical Recovery Efforts
  - Rebuild compromised systems
  - Remove malware
  - Disable breached accounts
  - Restore corrupted or deleted data
- Remediation - Make it harder for another similar incident to occur
  - Applying security patches
  - Updating firewall rules
  - Implementing intrusion prevention
  - Strengthening access controls
- Removing Vulnerabilities- Get rid of any exploited vulnerabilities and other potential weaknesses that could result in a similar incident
- Recovery - Returning to normal
- Reconstitution - Corrects vulnerabilities
Lessons Learned and reporting - Create a report that includes lessons learned and recommendations.
- Opportunity to reflect and discuss what happened and what should be done to prevent the incident from reoccuring.
- Use an independent trained facilitor (removed from original incident)
- Conduct meetings to discuss lessons learned from the incident and then quickly compile a report about these discussions.
- Use the NIST Lessons Learned Questions to come up with conclusions, namely:
  - How well did staff and management perform?
  - Were documented procedures followed?
  - Were those procedures adequate?
  - Did any actions inhibit the recovery effort?
  - What would responders do differently next time?
  - How could information sharing improve?
  - What could prevent similar incidents?
  - What should the organization watch for?
  - What tools or resources are needed?

Forensics

Conducting Investigations
- Investigation Types
  - Operational - Look into technical issues
  - Criminal - Look into possible crimes (usually by government officials)
  - Civil - Look into disputes between parties (preponderance)
  - Regulatory - Look into violations of administrative procedures (usually by government officials)
- Interviews - Voluntary conversations with individuals that investigators can use to find out what happened
- Interrogations - Mandatory conversations that law enforcement use to find out what happened. Cybersecurity investigators should never conduct interrogations.
Evidence Types
- Real - Tangible
- Documentary - written
  1. Authenticated - Documents must be authenticated by testimony
  2. Best Evidence Rule - Original documents are superior to copies
  3. Parol Evidence Rule - Written contracts are assumed to be the entire agreement
- Testimonial - Verbal (witness statements) - You must avoid hearsay (unverified conversations)
  1. Direct Evidence - Based on observations
  2. Expert Opinion - Conclusions drawn by credentialed professionals based on other evidence
Introduction to Forensics
- Rules
  - Never alter evidence!
  - Forensics should only be done by trained professionals
- Digital Foresics - Evidence consisting of digital information
- Volatility - How quickly evidence goes away - order of volatility
  1. Network traffic
  2. Memory contents
  3. System and process data
  4. Files
  5. Logs
  6. Archived Records
- Time Offset (T_o) - Time difference between the actual time (T_a) and the time that a system reports (T_r)
  T_o = |T_a - T_r|
- Recovery and Preservation
System and File Forensics - Digital evidence located on local systems used in litigation
- Images (copies) of digital media (not original media) should be used to ensure that contents of original media remain unchanged - Use write blockers (forensic disk controllers) to prevent accidental modifications to data on original media.
- Hashing Evidence - Demonstrates that evidence remains unaltered.
- Screenshots, memory contents, process table, operating system configuration and other evidence can be used in litigation.
Network Forensics - Digital evidence located on the network used in litigation
- Network communications can be captured (e.g. Wireshark)
- Full packet capture requires a lot of storage.
- NetFlow Summarizes Network Traffic
Software Forensics - Digital evidence based on software - Requires advanced software engineering skills
1. Intellectual Property
2. Malware Origins
Embedded Device Forensics - Digital evidence from embedded devices used in litigation
Chain of Custody - Documentation on who had possession of evidence over time
- Evidence Log - Shows how evidence changed hands
- Failures in the Chain of Custody may render the evidence as invalid (not admissable)
Electronic Discovery (eDiscovery) - Most often performed by attorneys with the help of IT staff
- Preservation - Suspending automated deletions of relevant logs as well as preventing people from altering these logs
- Collection - Activities related to gathering relevant information
- Production - Attorneys decide which evidence and information to present in court

Data Security and Privacy

Understanding Data Security
- Data States
  1. Data at Rest - Data on media that is not being actively used.
  2. Data in Motion - Data that is being actively used or is in transit over network
- Big Data - Large data sets that are on servers, but not part of a database
Data Security Policies
- Criteria for good data security policies
  - Foundation authority for data security
  - Clear expectations for data security responsibilities
  - Guidance for requesting access to information
  - Process for granting policy expectations
- Data Classification Policies - Describe security levels (classification Levels)
- Data Storage Policies
  - Appropriate storage locations
  - Access Control Requirements
  - Encryption Requirements
- Data Transmission Policies
  - Appropriate Data Transmission Policies
  - Encryption Requirements
  - Acceptable Transmission Mechanisms
- Data Lifecycle Policies - Describe end-of-life for data
  1. Data retention
  2. Data disposal (e.g. DBAN or Blancco)
Data Security Roles
1. Data Owner - Top authority for data - Business Leaders
2. Data Steward - Data governance - Day-to-Day governance which data owner delegates to them (typically supervisors and middle management)
3. Data Custodian - Actually store and process information (most often IT staff)
4. System Administrator - Responsible for enforcing data policies and setting up access to data resources
5. System Owner - Owns the system that the data is stored or processed on
6. User - The person working with the data
7. Privileged User - A user with extra permissions and access to more resources than a normal user
8. Executive User - A user with elevated access to personnel files and accounting records as outlined in the Personnel section of this document (above)
Data Privacy
- Types of data Privacy
  - Personally Identifiable Information (PII) - Can be associated with a specific individuals
  - Protected Health Information (PHI) - most often regulated by Health Insurance Portability Accountability Act (HIPAA)
- Generally Accepted Privacy Principles (GAPP) - outline ten components of data privacy, namely:
  1. Management - Governance structures to proctect information
  2. Notice - People should receive notice of information management policies
  3. Choice and Consent - The organization should inform data subjects of all of their options regarding the data that they own. And obtain consent from those individuals for the collection storage, use, and sharing of their personal information.
  4. Collection - The organization should only collect personal information for purposes disclosed in their privacy notices.
  5. Use, Retention, and Disposal - When the organization collects personal information it should only use that information for the disclosed purposes, and not use it for other reasons because they already have the data.
  6. Access - When the organization collects personal information it should only use that information for the disclosed purposes, and not use it for other reasons because they already have the data.
  7. Discolure to 3rd parties - The organization should only share information with third parties if that sharing is consistent with the purposes disclosed in privacy notices and the organization has the consent of the individual to share that information.
  8. Security - The organization must secure private information against any unauthorized access.
  9. Quality - The organization should take reasonable steps to ensure that the personal information they maintain is accurate, complete, and relevant.
  10. Monitoring and Enforcement - The organization should have a program in place to monitor compliance with its privacy policies and provide a dispute resolution mechanism.
- Developers of GAPP are:
  - American Institute of Certified Public Accountants (AICPA)
  - Canadian Institute of Chartered Accountants (CICA)
  - Information Systems Audit and Control Association (ISACA)
  - Institute of Internal Auditors (IIA)
Privacy Assessments - Anyone who works with the United States Federal Government are required to submit to privacy assessments and render an account for how they handled PII.
Federal Privacy Assessment Processes involve:
- Privacty Threshold Analysis (PTA) - Evaluates the use of PII to determine whether privacy controls are necessary.
- Privacy Impact Assessment (PIA) - Evaluates the privacy controls used by an IT system to determine whether they are sufficient. Here are the the following goals of privacy that a PIA accomplishes:
  1. Ensures that PII handling meets all applicable requirements
  2. Identifies risks associated with handling PII wihtin an IT system
  3. Examines privacy controls and recommends mitigations
- Privacy Impact Assessments are governed by the E-Government Act of 2002 and must answer seven questions, namely:
  1. What information is being collected?
  2. Why is the information being collected?
  3. What is the intended use of the information?
  4. With whom will the information be shared?
  5. What notice will be provided to individuals?
  6. How will the information be secured?
  7. Is the system subject to the Privacy Act?
Limiting Data Collection - need to get consent before collecting data and disclose what you do with the data
- Minimize Information Collected - Only get what data you need and only keep it for as long as you need it.
- Make sure that the data collected is done in a fair and lawful manner.
- Monitor 3rd parties - Verify their privacy practices

The navigation options for this page are:

Go back to Domain #4 → Identity and Access Management Notes,
Proceed to Domain #6 → Cryptography Notes,
Return to the main Security+ resources page,
Return to the main Nine Star training website, or
Go to the main Nine Star website.