
CBK Domain #1 Information

Security and Risk Management

Chapter 1 we will talk about


The CIA triad (out of order)
Security Management Responsibilities
Administrative, Technical and Physical
Controls
Risk Management and Risk Analysis
Security Policies
Information Classification
Positions and Responsibilities

CIA, it's not just a government agency (59)
The CIA triad provides for the security
objectives. This is also called the AIC
triad.

Confidentiality (60)
Protects the data from unauthorized disclosure
Ensures the necessary level of secrecy is
enforced at each junction of data processing
Can be provided via technical controls such as
authentication methods and encryption methods
Attacks include shoulder surfing, social
engineering, man in the middle, attempts at
decryption, etc.

Integrity (60)
Ensuring that the data is not modified.
Must ensure accuracy and reliability of the
information and Information Systems.
Must not allow unauthorized modification.
(either intentional or accidental*)

Integrity Example
The trader was supposed to sell one share for
610,000 yen ($5,065). Instead, 610,000 shares
valued at $3.1 billion were offered for 1 yen
each.
Somebody made a typing mistake, said the
brokerage unit of Mizuho Financial Group,
Japan's second-largest bank. The error set off a
frenzy of trades, and cost the unit at least 27
billion yen ($224 million) as it tried to buy back
the shares, the bank said.

Integrity
Hashes and signed messages are
examples of how to ensure integrity
Can be attacked with birthday attacks / hash
collisions, and with man in the middle attacks

Availability
The ability to access data and systems by
authorized parties
This is very easy to attack and hard to
defend against.
Attacks are often DoS type attacks.
Example of Availability attack:
Taking down a power grid
Stopping stock market trades

Security Management
Now that we know the 3 principles of
security, let's talk about how we can
manage security

Security Management (back to pg 53)
Attempts to manage security.


Includes Risk Management, IS Policies, Procedures,
Standards, Guidelines, Baselines, Information
Classification, Security Organization. *
These build a security program. Purpose: protect the
company's assets
A security program requires balanced application of
technical and non-technical methods!*
Process is circular: assess risks, determine needs,
monitor, evaluate, start all over.

Security Management
Management is ULTIMATELY responsible
for security, NOT admins, not security
workers. MANAGEMENT, let me
repeat, MANAGEMENT.
Management must lead and direct all
security programs. They must provide the
vision AND support*

Security Management
Any good security program should be top down
with an ultimate goal. In this approach
management creates the vision and lays out the
framework. It does not make sense just to run
about locking down machines without a vision.
Though this is often how things are actually
done.*
Why would a bottom up approach fail? (can you
build a house by just starting to build?)

IMPORTANT REMINDER
Reminder: MANAGEMENT should direct
security. A security officer or group is to
ensure that management's directives are
fulfilled! They do NOT create security
policy*

Security Controls
The following controls should be utilized to
achieve security management directives
Administrative: policies, standards, procedures,
guidelines, personnel screening, training
Technical controls (logical controls)*: authentication, firewalls, biometrics etc.
Physical controls: locks, monitoring, mantraps,
environmental controls.
See diagram on page 57

Functional vs. Assurance
All solutions must be evaluated by their
functional and assurance requirements
Functional: Does the solution carry out
the required tasks?*
Assurance: How sure are we of the level
of protection this solution provides?*

Security Definitions*
You need to know these!
These terms are on pages 61-63. You
should all memorize and internalize these
terms! Read them again and again till you
understand them. We'll cover them in the
next couple of slides

Vulnerability* (61)
A software, hardware or procedural
weakness that may provide an attacker
the opportunity to obtain unauthorized
access.
Could be an unpatched application
Open modems
Lax physical security
Weak protocol* (let's define protocol)

Threat *
A natural or man-made event that could
have some type of negative impact on the
organization.
A threat usually requires a vulnerability
A threat might also be natural such as a
hurricane

Threat Agent
An actual person that takes advantage of
a vulnerability

Risk
The likelihood of a threat agent taking
advantage of a vulnerability and the
corresponding business impact
Risk ties the vulnerability, threat and
likelihood of exploitation together.

Exposure
An instance of being exposed to losses from
a threat agent.
Example: A public web server that has a
known vulnerability that is not patched, is
an exposure.

Countermeasure or Safeguard
Some control or countermeasure put into
place to mitigate the potential risk. A
countermeasure reduces the possibility
that a threat agent will be able to exploit a
vulnerability. (You can NEVER 100%
safeguard something)*

End of risk terms

Organizational Security Models
Each organization will create its own security
model which will have many entities, protection
mechanisms, logical, administrative and physical
components, procedures, business processes
and configurations that all support the end goal.
A model is a framework made up of many
entities, protection mechanisms, processes and
procedures that all work together and rely on
each other to protect the company (see diagram
pg 65)
(more)

Organization Security Models
Each company will have its own methods
for the above to accomplish its own
security model.
Has multiple layers and multiple GOALS
(talk about next)

Goals*
Operational goals: these are DAILY goals, very
short term goals.
Example: install the security patch released today.
Tactical goals: mid term goals that help to
achieve a final goal.
Example: create a managed domain and move all
workstations into the domain
Strategic goals: long term objectives.
Example: Have all workstations in a domain with
centralized security management, auditing, encrypted
data access and PKI.

Security Program Development (pg 76 in book)
A program is more than just a policy! It's
everything that protects data.
Security Program development is a
LIFECYCLE!!!
Plan and Organize
Implement
Operate and Maintain
Monitor and Evaluate
Then start all over again!

Business Requirements: Private vs. Military
Which security model an organization
uses depends on its goals and objectives.
Military is generally concerned with
CONFIDENTIALITY
Private business is generally concerned with
either availability (ex. Netflix, eBay etc) OR
integrity (ex. Banks). Some private sector
companies are concerned with confidentiality
(ex. Drug companies)

Break?
This is probably time for a break. You're
probably asleep by now; don't worry, it
will get more interesting in a bit.

Information Risk Management
IRM is the process of identifying and
assessing risk and reducing it to an
acceptable level*
There is no such thing as 100% security!*
You must identify risks and mitigate them
either with countermeasures (ex. firewalls)
or by transferring risk (ex. insurance)*

What are risks*
Physical damage: building burns down
Human interaction: accidental or intentional action
Equipment malfunction: failure of systems (hard drive
failure)
Inside and outside attacks: CRACKERS! (not
hackers)
Misuse of data: sharing trade secrets, fraud
Loss of data: intentional or unintentional loss of data
Application error (integrity): computation errors, input
errors, poor code/bugs. (superman/office space
example)

Risks
Risks MUST be identified, classified and
analyzed to assess potential damage (loss)
to the company. Risk is impossible to totally
measure, but we must prioritize the risks
and attempt to address them!

Risk management
Did I mention that IRM is ULTIMATELY the
responsibility of MANAGEMENT* (I really
cannot stress this enough)
Should support the organization's mission.
Should have an IRM policy.
Should have an IRM team.
IRM should be a subset of the company's
total Risk Management Policy.

IRM policy
Should include the following items
(see top of page 82)
Goal of IRM is to ensure the company is
protected in the most COST EFFECTIVE
manner!* (doesn't make sense to spend
more to protect something than the
something is worth)

IRM team (83)
Remember the goal is to keep things cost effective.
Many companies will not have a large IRM team.
Government might have small armies dedicated
simply to IRM goals.
IRM team members usually have other full time
jobs!
Not just IT staff! (ex. IT staff may not understand
legal or physical concerns)
Senior management support is NECESSARY for
success*

Risk Analysis (83)
IRM team will need to analyze risk, but what is
risk analysis?
A tool for risk management, which identifies
assets, vulnerabilities and threats (What are
these again?)
Assess possible damage and determine
where to implement safeguards

We will talk about RA goals next.

Risk Analysis Goals (83)
Identify assets and their values
Identify vulnerabilities and threats
Quantify the probability of damage and cost of
damage
Implement cost effective countermeasures!
ULTIMATE GOAL is to be cost effective. That is:
ensure that your assets are safe, and at the same
time don't spend more to protect something than
it's worth*

Who is ultimately responsible for risk?
MANAGEMENT!
Management may delegate to data
custodians or business units that shoulder
some of the risk. However, ultimately it is
senior management that is responsible for
the company's health and as such they
are ultimately responsible for the risk. (you
really need to understand this for the
exam)

Value of information and assets? (85)
It is important to understand an asset's value
if you plan on doing risk analysis. So
what is something worth?
See pg 86 bullet items

Note: value can be measured both
quantitatively and qualitatively*

2 types of analysis
Quantitative analysis
Qualitative analysis

Let's talk in detail about Qualitative vs.
Quantitative specifically in the next couple of
slides

Quantitative (92)
Quantitative analysis attempts to assign real
values to all elements of the risk analysis
process, including:
Asset value
Safeguards' costs
Threat frequency
Probability of incident
(more)

Quantitative Analysis (93)
Purely quantitative risk analysis is
impossible as there are always unknown
values, and there are always qualitative
values. (what is the value of a reputation?)
You can automate quantitative analysis
with software and tools. These require
tons of data to be collected though, and as
such require a long time and effort to
complete, but the tools help speed that up.

Overview of steps in a quantitative analysis (94)
1. Assign value to an asset
2. Estimate actual cost for each asset and
threat combination. (see SLE later)
3. Perform a threat analysis: determine
the probability of each threat occurring.
4. Derive the overall loss potential per
threat per year.
5. Reduce, Transfer, Avoid or Accept the
Risk.

Steps in Quantitative Analysis (94)
Now let's break each step out more

Step 1: Assign value to assets (94)
What is something worth?
Cost to obtain
Money an asset brings in
Value to competitors
Cost to re-create
Legal liabilities

Step 2: Estimate Loss Potential* (94)
For each threat we need to determine how much
the threat could damage/cost us
Physical damage
Loss of productivity
Cost of repairing
Amount of damage (EF, next slide)*
We need to determine Single Loss Expectancy
per asset and threat*
Example: if you have a virus outbreak and each
outbreak costs $50K in lost revenue and repair
costs, your SLE = 50K

Step 2: Estimate of Loss potential


When determining SLE, you may hear the term EF
(exposure factor)
For some items loss is a percentage of a value;
this is where EF comes in
If you have a warehouse with $1,000,000 of value,
and the threat is fire, your fire suppression
systems might limit a fire to 25% of that value. This is your EF,
and it must be included in the SLE calculation
SLE = total value/cost * EF
In this case the fire SLE = $1,000,000 * .25 =
$250,000

Step 3: Perform a Threat Analysis (95)
Figure out the likelihood of an incident.
Analyze vulnerabilities and rate of exploits.
Analyze probabilities of natural disasters at your
location
Review old records of incidents.
In this step we need to calculate the Annualized
Rate of Occurrence (ARO)*
Example: chance of a virus outbreak in any
month = 75%, then the ARO = .75 * 12 (1 year), so
we can expect an ARO = 9

Step 4: Derive the ALE (95)
Derive the Annual Loss Expectancy
SLE * ARO = ALE
Example: 50K cost of virus outbreak (SLE)
* 9 occurrences per year (ARO) = $450K
cost for this threat
Be able to do these calculations for the
exam

Step 5: Reduce, Transfer, Avoid or Accept the Risk (95)
For each risk you can do the following
Reduce risk* (install countermeasures to
lessen the risk, or mitigate the EF (exposure
factor); we'll go in depth on the next slide)
Transfer risk* (buy insurance)
Accept risk* (do nothing to minimize the
risk)
Avoid risk (stop doing the activity that causes
the risk)*

Details of Reducing Risk (102)
When determining whether to implement a
countermeasure, you MUST be concerned
about being cost effective.* It makes no
sense to spend more to protect an asset
than it's worth! Understand this!*
How do we determine whether it's worth it?
MATH! (next slide)

Details of Reducing Risk (102)
If the cost per year of the countermeasure is
more than the ALE, don't implement it. (or
do something else like buy insurance)
Let's each do the handout word problem by
ourselves and discuss in 5 minutes.

Word Problem
The probability of a virus infection per month is 50%.
If an outbreak occurred, your sales staff of 5 would not
be able to work for the 4 hours while the systems were
rebuilt. Each sales person makes $40/hour.
IT would require 1 person for 4 hours to repair at a cost of
$50/hour.
A certain antivirus system could stop ALL viruses (ok,
that's just to make the math easier) but the cost is 20K
per year for this system.
Should you implement the anti-virus system?
If so, how much are you saving?
If not, how much are you wasting by buying it?

Word Problem Answer
Determine SLE
(5 sales * 4 hours each * $40) + (1 IT * 4 hours *
$50) = $1000 cost per incident
ARO = 12 months * .50 likelihood per month = 6
ALE = SLE ($1000) * ARO (6) = $6000.00
Cost to protect = $20,000.00 a year
No, it costs more to protect than it's worth.
If you bought the AV system, you'd waste $14,000
a year.
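The SLE/EF, ARO and ALE arithmetic from steps 2 to 4 and the countermeasure cost/benefit test behind the word problem, worked in code. This is an added example, not from the slides or the book; the function names are my own, and it also handles a control that only removes part of the risk (the slides' AV system removes all of it).

```python
"""Quantitative risk analysis helpers: SLE, ARO, ALE and the
countermeasure cost/benefit test. Added example; the function
names are assumptions, the figures are the ones the slides use."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float = 1.0) -> float:
    """SLE = asset value * EF, where EF is the fraction of the asset
    lost in one incident (1.0 when the whole value is lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(prob_per_period: float, periods_per_year: int) -> float:
    """ARO as the slides compute it: per-period probability * periods per year
    (e.g. 75% per month * 12 months = 9)."""
    if not 0.0 <= prob_per_period <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return prob_per_period * periods_per_year


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected loss from this threat per year."""
    return sle * aro


@dataclass(frozen=True)
class CountermeasureDecision:
    """Result of comparing a safeguard's annual cost with the risk it removes."""
    ale_before: float   # ALE with no safeguard (total risk for this threat)
    ale_after: float    # ALE left once the safeguard is in place (residual risk)
    annual_cost: float  # yearly cost of the safeguard

    @property
    def value(self) -> float:
        """Yearly savings: risk removed minus the safeguard's cost.
        Negative means the safeguard costs more than the loss it prevents."""
        return (self.ale_before - self.ale_after) - self.annual_cost

    @property
    def worth_it(self) -> bool:
        return self.value > 0


def evaluate_countermeasure(ale_before: float, annual_cost: float,
                            residual_fraction: float = 0.0) -> CountermeasureDecision:
    """residual_fraction is the share of the ALE the control does NOT remove
    (0.0 = stops everything, as in the word problem; real controls leave some)."""
    if not 0.0 <= residual_fraction <= 1.0:
        raise ValueError("residual fraction must be between 0 and 1")
    return CountermeasureDecision(ale_before, ale_before * residual_fraction, annual_cost)


def virus_word_problem() -> tuple[float, float, float, CountermeasureDecision]:
    """The slides' word problem, step by step."""
    # SLE: 5 sales staff idle for 4 h at $40/h plus 1 IT person for 4 h at $50/h
    sle = single_loss_expectancy(5 * 4 * 40 + 1 * 4 * 50)         # $1000 per incident
    aro = annualized_rate_of_occurrence(0.50, 12)                # 6 outbreaks per year
    ale = annual_loss_expectancy(sle, aro)                       # $6000 per year
    decision = evaluate_countermeasure(ale, annual_cost=20_000)  # AV stops ALL viruses
    return sle, aro, ale, decision


if __name__ == "__main__":
    # Warehouse fire from step 2: $1,000,000 at EF 25% gives SLE $250,000
    print("fire SLE:", single_loss_expectancy(1_000_000, 0.25))
    sle, aro, ale, d = virus_word_problem()
    print(f"SLE ${sle:,.0f}  ARO {aro:g}  ALE ${ale:,.0f}")
    print("buy the AV system?", d.worth_it, f"(value per year ${d.value:,.0f})")
```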

Total Risk vs. Residual Risk (106)
No matter what controls you place to
protect an asset, it will never be 100%
secure. The leftover risk after applying
countermeasures is called the residual
risk.*
Total risk is the risk a company faces if
they choose not to implement a safeguard
(if they accept the risk)
(more)

Total Risk vs. Residual Risk (106)
A control gap* is the protection a countermeasure cannot
provide
Conceptual (not actual) formulas*
Threats x vulnerabilities x asset value = total risk
Or
(threats, vulnerabilities, asset value) = total risk
(threats x vulnerabilities x asset value) x control gap = residual
risk
Or
Total risk - countermeasures = residual risk

Review of Quantitative (back to 95)
Assign value to assets
Estimate potential loss per threat (SLE)
Estimate likelihood of threat (ARO)
Estimate annual loss per year (ALE)
Reduce, Transfer, Avoid or Accept Risk

Qualitative Risk Analysis
Rather than assign values to everything, walk
through different scenarios and rank the
seriousness (prioritize) based on threats and
countermeasures
Techniques include
Judgment
Best practices
Intuition
Experience
(more)

Qualitative (98)
Specific techniques include
Delphi (later)
Brainstorming
Storyboarding
Focus groups
Surveys
Questionnaires
Interviews and one-on-one meetings

Delphi* (100)
Technique where a group comes together and each
member gives an honest opinion of what he or
she believes the result of a threat will be. The idea is
to have everyone express their true ideas and
not just go along with what one person dictates
The results are then compiled and given to group
members who ANONYMOUSLY write down their
comments and return them to the analysis group.
These comments are compiled and redistributed
for comments until a consensus is reached

Modified Delphi
A silent form of brainstorming: participants
develop ideas individually, without a group,
and submit their ideas to decision makers.

Review of Quantitative and Qualitative (101)
Read over the chart on 101 and internalize it for the
exam
Qualitative Cons
Subjective
No dollar values
No standards
(more)

Review of Q vs. Q
Quantitative cons
Complex calculations
Extremely difficult without tools
Lots of preliminary work required

Policies, Standards, Baselines, Guidelines and Procedures (109)
A security program must have all the pieces
necessary to provide overall protection to a
company and lay out a long term strategy.
Policies, standards, baselines, guidelines and
procedures are part of the security program
You NEED to understand the terms in the following
slides for the exam. (policies, standards,
baselines, guidelines and procedures)

Security Policy* (110)
An overall GENERAL statement provided by senior
management.
Very generic
Provides the mission statement for security
Should represent business objectives
Should be easily understood
It should be developed to integrate security into
ALL business functions and processes*
(more)

Security Policy (110)
It should be reviewed and modified as a
company changes.
Policy should be dated and version
controlled.
It should be forward thinking
It should use strong language (MUST, not
should)
Should be non-technical
(more)

Security Policy
Can be one of three types
Regulatory: ensures an organization is
following required regulations (finance, health)
Advisory: strongly advises employees as to
which types of behaviors should/should not take
place
Informative: informs employees of goals and
missions relevant to a company; not specific or
enforceable

Standards* (112)
Standards are MANDATORY* actions or
rules. They define compulsory* rules.
Standards give a policy its support and
start adding specifics.
Example: a standard is that all employees
MUST wear their company ID badge at all
times

Baseline* (113)
Baselines (in regards to policy) are minimum
levels of protection required.
For example: a baseline may require that a
system be compliant with some external
measurement. All systems must meet
these requirements, and changes to a
system must be assessed to ensure the
baseline is still being met.
(more)

Baseline
A baseline may also be a technical definition
or configuration of a system.
Example: a baseline may specify that all
Windows XP systems must have SP2
installed and IIS turned off.
Example: a baseline may also specify that all
Linux systems run SELinux in enforcing
mode.

Guidelines* (114)
Guidelines are RECOMMENDED actions.
These cover the gray areas and are
approaches that provide flexibility for
unforeseen things. (not every situation can
be known in advance)
Can anyone give me an example of a
guideline?

Procedures* (114)
Detailed step-by-step tasks that should be
performed in some situation.
Example: written procedures on OS installation
and configuration.
Lowest level in the policy hierarchy, as they are closest to
users and resources.
Procedures spell out how policy, standards and
guidelines will be implemented for a specific
resource (ex. OS)

Random Terminology*
You need to understand these 2 terms for the
exam
Due Diligence*: act of investigating and
understanding a risk a company faces.
Due Care*: demonstrates that a company has
taken responsibility for its activities and has
taken necessary steps to protect its assets and
employees from threats.
Not practicing these can lead to charges of
negligence.

Review of Policies, Standards
We just talked about policies, standards,
baselines, guidelines and procedures
Everyone remember what they all are?
Internalize these terms for the exam

Information Classification (117)
We need to be able to assign value to
information, especially where secrecy is
concerned. (both military and private
sector)
Data is classified to ensure data is protected
in a COST-EFFECTIVE* manner.
Each classification should have separate
handling requirements.
(more)

Information Classification
Military vs. private sector concerns
Military is usually more concerned with
confidentiality
Private Sector is usually more concerned
with integrity and availability

What are some common classifications?
Let's look in the book at page 118.
You should know these levels and examples
of each level for the exam!

Classification Controls
Once data is classified there are some actions we
should take to protect and manage the data
Access controls
Encryption of data in transit* and at rest* (what
are these terms?)
Data access should be logged and audited
Periodically review classifications
(more)

Classification Controls
Backup and restoration procedures
Change Control procedures
Proper data disposal

Positions and Responsibilities
Senior management is obviously
ULTIMATELY responsible for data security,
risk management and pretty much
everything else. However, let's look at
some of the other positions commonly
found and see what their responsibilities
are.
For the exam, you should know all the
positions we are about to talk about*

Data Owner* (130)
Data owner is usually a member of
management who is in charge of a specific
business unit and responsible for the
information that such a unit possesses.
Responsible for specifying the
classification of data
Responsible for ensuring necessary
controls are in place to protect data
(more)

Data Owner*
Defining backup requirements (not
implementing)
Determines who gets access to data (in a
DAC model)
Delegates day-to-day maintenance to the
data custodian
This is a Business role

Data Custodian* (131)
The Data Custodian MAINTAINS the data
day to day.
Performs backups
Validates data integrity
Restores data

System Owner (131)
System owner is responsible for one or more
systems that hold and process data.
Responsible for integrating security
considerations into application and system
purchasing.
Responsible for ensuring adequate security is
being provided by the necessary controls
(passwords, remote access, OS configurations)
Must ensure systems are assessed for
vulnerabilities and must report any to the
incident response team and DATA OWNER.

Security Administrator* (132)
Sets up security configurations on a system as
defined by the DATA OWNER*
Does not authorize permissions for a user; that's
the data owner's responsibility*. Just configures
security settings based on what is set down by
the data owner*
Creates accounts
Sets access rights in support of the policies
defined.
Technical position.

Security Analyst* (132)
Helps define a security program's elements
and ensures the elements are being
implemented properly by the technical
people and procedures.
This is NOT an implementation role
Higher, more strategic level.

Application Owner* (132)
This is like a data owner, but in regards to
applications.
Usually business unit managers.
Responsible for determining who may have
access to their applications. (in line with company
policy)
Responsible for the security of a unit's
applications: ensuring testing, patching and
proper change control are implemented. (though
they do not themselves do this work)

Supervisor (132)
More of an HR role, you all know what a
supervisor does.
Managing employees
Ensuring employees live up to their
responsibilities
Handle HR tasks such as hiring, firing and
initiating corrective action.
Informing security admin of changes to an
employee's position.

Data Analyst (133)
Ensures that data is stored in a way that
makes the most sense for its application.
Specifically concerned with information
architecture: how data is stored in
reference to other data, data structures
Works with data owners to ensure the
structures support the business objectives.

Process Owner (133)
Are responsible for certain business
processes (not computer processes ;)
An example of a process is procurement
Another example is Hiring
Another example is order fulfillment

Solution Provider
These are vendors, enough said

User * (134)
Someone who uses the data, day to day to
accomplish work tasks and business
objectives
Responsible for following data and
security procedures that have been laid
out by management.

Auditor* (134)
Provides a method for independently ensuring that
management and shareholders can rely upon
the appropriateness of security objectives.
Determines if controls/methods have been
reached
Determines if practices are in compliance with
company or legal requirements
Should be 3rd party
(more)

Auditor (not in book)
The exam might also refer to an auditor in
the role of someone in the company that
goes through security or usage logs to
determine if data and technical systems
are being used/abused/attacked etc.
This is the form/usage I remember from
the exam.

Enough of the positions
Let's talk about employee type concerns and
techniques.

Separation of Duties*
The idea of ensuring one individual cannot
complete a critical task by themselves.
Reduces the possibility for fraud,
sabotage, theft or general abuse.
Separation of duties requires collusion*
(next page) for the above problems to
occur

Collusion* (136)
Means that at least two people must WORK
TOGETHER to pull off some type of
negative action.
For the exam, read pg 136 (let's do this
together) regarding software
development. You will probably see this or
similar concepts; we will also talk about this
later

Hiring Practices* (136)
All employees should have background
checks and be screened* (even janitors
etc. in high security environments)
Everyone MUST sign an NDA, which
should protect secrets and cover conflicts of
interest.
Drug tests
Education checks
Reference checks

Rotation of Duties* (138)
Employees should rotate in their duties
Why?
For redundancy
To ensure no-one has too much control
over a segment of business

Mandatory Vacations* (139)
Employees MUST take vacations
Why?
Gives opportunity for others to discover fraud. If
employees don't want to take a vacation, they
might be doing something underhanded and
don't want to be found out
Also enforces that other people can step in and
that the process cannot be disrupted by that
employee being absent for whatever reason.

Split Knowledge* (138)
Separation of duties concept where
someone only has enough knowledge to
perform part of a task. Again helps fight
fraud.
Example: two managers each only know half a
bank vault combination.

Dual Control
Like split knowledge, but in this case two or
more people must be available and active
to perform an action.
Example: two physically separated locks on
a vault that must be turned at the same
time.

Employee Termination*
Companies should have a strict procedure for
employee termination, can be different for each
company, but must be strictly enforced.
Example policy:
Employee must leave the facility immediately
under supervision of a security guard
Employee must surrender ID badges and keys
Employee must complete an exit interview
Employee accounts must be locked out.

OK chapter review
We covered a lot.
Let's look over the quick tips and questions.
