
12/08/07

CISSP Terms and Definitions



Some Risk Management and Security Management definitions you need to know for the CISSP exam:

Value of information
Cost to acquire + value to owners + what others are willing to pay

Asset
Something of value (resource, product, data)

Probability or Exposure
The chance or likelihood that an event (threat) will occur

Risk
The potential for harm or loss.
Total risk = asset value * vulnerabilities * threats

Safeguard (Control or Countermeasure)
Risk-reducing measure (reducing both impact and likelihood); it must allow for auditability and accountability.

Safeguard Effectiveness (%)
The degree to which a safeguard mitigates a vulnerability.

Threat
An unfortunate event with an undesirable impact on the well-being of an asset.

Uncertainty (%)
Typically measured inversely with respect to confidence.

Exposure
An instance of being exposed to losses from a specific threat.

Vulnerability
Absence or weakness of a safeguard (the potential to allow a threat).

10/03/07

Awareness


A company can spend a lot of money on technology to raise security, but to ensure it, people need to be trained and committed.
People need to be aware of what the company expects of them under the security policy, which is what Security Awareness Training is for. It helps achieve several benefits: a measurable reduction in unauthorized access attempts, increased effectiveness of controls, and help in avoiding fraud and abuse.

Proverb: a chain is only as strong as its weakest link; remember that people are the weakest link in security.

It is important to hold periodic awareness sessions for new employees and refreshers for those who have already attended. Methods of awareness improvement: live interactive presentations, Computer Based Training (CBT), publishing of posters and newsletters, incentives and awards, and reminders such as login banners.

I found some comic material for a Password Campaign: Office of Policy and Education, University of Michigan


Passwords are like Underwear. . . Change Yours Often!
You should change your passwords often (every 90 days).
Password Awareness
Passwords are like Underwear . . . Don’t Share Them with Friends!
Never share your password with ANYONE. Your password is the only thing that ensures the privacy of your account. You are responsible for how your account is used, so do not let other people have access to it.

Passwords are like Underwear . . . Be Mysterious!
When creating your password don’t use anything that would be easy for someone to guess. For example, never use any part of your username or legal name. Don’t use your phone number, birth date, or license plate number.

Passwords are like Underwear . . . The Longer the Better!
A longer password equals better security. The longer your password is the harder it is for someone to figure out. Your password should be at least 8 characters long and contain a mix of numbers and letters.

Passwords are like Underwear . . . Don’t Leave Yours Lying Around!
Keep your password hidden. Do not write your password down on a piece of paper. Instead commit it to memory!
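The campaign's rules as an added checker (not part of the original post or of the University of Michigan material): it flags passwords that are too short, lack a mix of letters and numbers, contain personal data (username, name, phone, birth date, plate), or are older than 90 days. The sample user and dates are constructed.

```python
from datetime import date

MIN_LENGTH = 8       # "at least 8 characters"
MAX_AGE_DAYS = 90    # "change yours often (every 90 days)"


def personal_tokens(username: str, legal_name: str, phone: str, birth_date: str, plate: str) -> set:
    """Fragments of personal data the campaign says must not appear in a password:
    username, parts of the legal name, the phone number (digits only, and its last four),
    the birth date in a few common spellings, and the license plate. Dates are ISO strings."""
    born = date.fromisoformat(birth_date)
    tokens = {username.lower()}
    tokens.update(part.lower() for part in legal_name.split() if len(part) >= 3)
    digits = "".join(ch for ch in phone if ch.isdigit())
    tokens.update({digits, digits[-4:]})
    tokens.update({born.strftime(fmt) for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%y", "%Y")})
    tokens.add(plate.replace(" ", "").replace("-", "").lower())
    return {t for t in tokens if t}


def check_password(password: str, tokens: set, last_changed: str, today: str) -> list:
    """Return the campaign rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short: use at least 8 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain a mix of letters and numbers")
    lowered = password.lower()
    if any(tok in lowered for tok in tokens):
        problems.append("contains part of your username, name, phone, birth date or plate")
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    if age.days > MAX_AGE_DAYS:
        problems.append("older than 90 days: change it")
    return problems


if __name__ == "__main__":
    # Constructed sample user; no real person is described.
    tokens = personal_tokens("jsmith", "John Smith", "+1 (555) 123-4567", "1985-04-12", "ABC-1234")
    for pw in ("Smith2024", "Tr0ubadour99", "abc"):
        print(pw, check_password(pw, tokens, "2024-01-01", "2024-03-01"))
```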

01/03/07

Information Classification


Information Classification gives organizations a way to address their most significant risks by affording information the appropriate level of security.

It prevents unauthorized disclosure and loss of confidentiality, and helps identify sensitive and vital information (supports CIA).
Criteria: value, age and useful life (after which data is de-classified), personal association (if data contains personal information it should remain classified).
Distribution events: court order, government contracts, senior-level approval. Classification demonstrates due diligence, identifies the most sensitive information, and supports regulatory or compliance reasons (high-level benefit: a visible commitment to security).
Lattice model: every resource and user is associated with one of an ordered set of classes. Resources may only be accessed by those whose associated class is as high as or higher than that of the resource.
Bell-LaPadula Model (Orange Book): the most common model. Subjects are assigned a level of access or privilege (security clearance); objects have a level of sensitivity (security classification). Write access: same or higher level; read access: same or lower level; read/write: same level only. Enforced as MAC.
In addition, a subject must have a Need-to-Know: just because you have "secret" clearance doesn't mean you can access all "secret" data, only the data you have a Need-to-Know for.
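The lattice, the Bell-LaPadula read/write rules and the Need-to-Know requirement above, as an added example (not from the original post or any of the cited books): clearance levels form the ordered lattice, and Need-to-Know is modelled as a set of categories that the subject's label must include. Level and category names are constructed.

```python
from dataclasses import dataclass, field

# Ordered lattice of classes: a higher index means more sensitive.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    """Security label: a clearance/classification level plus Need-to-Know categories."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def rank(self) -> int:
        return LEVELS.index(self.level)

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: level as high or higher AND a superset of the categories.
        return self.rank() >= other.rank() and self.categories >= other.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Read access: same or lower level ("no read up"), and the subject's categories
    must cover the object's, which is the Need-to-Know check."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write access: same or higher level ("no write down"), so data never flows to a
    lower level or into a narrower compartment than the subject's own."""
    return obj.dominates(subject)


def can_read_write(subject: Label, obj: Label) -> bool:
    """Read and write together are only possible when both labels are equal."""
    return can_read(subject, obj) and can_write(subject, obj)


if __name__ == "__main__":
    payroll = Label("secret", frozenset({"finance"}))                 # constructed object
    clerk = Label("secret", frozenset({"finance"}))                   # same level, has Need-to-Know
    analyst = Label("secret", frozenset({"research"}))                # secret, but no Need-to-Know
    auditor = Label("top secret", frozenset({"finance", "research"})) # cleared higher
    print("clerk read:", can_read(clerk, payroll), "analyst read:", can_read(analyst, payroll))
    print("auditor read:", can_read(auditor, payroll), "auditor write:", can_write(auditor, payroll))
```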

Information Protection Requirements - Not all information has the same value or use, data classification is intended to lower cost of overprotecting all data, and improve the overall quality of corporate decision making by helping to ensure a higher level of trust in critical data upon which the decision makers depend.

Benefits at the corporate level:

  • CIA are improved, because appropriate controls are used
  • Protection mechanisms are implemented where they are needed most (less costly controls)
  • Quality of decisions on trusted data
  • Process to review on a periodic basis to determine data classifications
  • Low costs (mainly front-end start-up costs)

Methodology for developing and implementing a data classification program:
  • Executive sponsor (success factor), Risk analysis matrix
  • Policy
  • Business impact analysis
  • Establishing classification
  • Defining roles and responsibilities
  • Identifying owners
  • Classifying information and applications
  • Ongoing monitoring

Policy - essential tool, defines that data is an asset of the corporation and must be protected, classified based on data value, sensitivity, risk of loss or compromise, and legal and retention requirements. Information must first be recognized and treated as an asset of the company before efforts can be expended protecting it.
Data Management Policy: definitions for each classification; security criteria for each classification (software and data); roles and responsibilities for each group of individuals.

Access control security - how much is it going to cost not to protect the valuable information?

Roles:
Owner - may be an executive or manager; has final corporate responsibility for data protection, classifies the level, reviews the classification level, and delegates responsibility for data protection to the custodian.
Custodian - day-to-day responsibility, generally IT: regular backups and testing of recovery, performs restoration when required, maintains records in accordance with the classification policy.
End User - anyone who routinely uses the data as part of their job; must follow operating procedures, exercise due care to protect the data, and use company computing resources for company purposes only.

Procedures:
Identify administrator/custodian
Specify classification criteria
Classify by owner
Specify exceptions to classification policy
Specify controls for each classification level
Specify procedures for declassifying or transferring custody
Enterprise awareness program

Classification: Shon Harris, CISSP All-in-One Exam Guide, Third Edition (All in One), McGraw-Hill Osborne Media, September 15, 2005, p. 48.

References:
Official (ISC)2 Guide to the CISSP Exam

CISSP All-in-One Exam Guide, Third Edition (All in One)
CISSP ® : Certified Information Systems Security Professional Study Guide, Third Edition


28/02/07

Defense in depth


The circle of Security

Networks need to be protected in layers (Defense in depth), so the attacker must pass through all of them before reaching an asset. Do not rely on just one countermeasure: a problem in one layer has a "backup" in the next layer to compensate.

The three phases:

  1. Protection - taking all necessary safeguards to protect an asset
    • Security Policies, Risk Management, Security Awareness, Access Controls
  2. Detection - the constant monitoring of network activity and enforcement of security policies
    • Intrusion Detection (host and network), Auditing, Penetration Testing
  3. Response - triggered by any anomaly found during the detection phase
    • Forensics, Incident Response, Disaster Recovery


References:

Official (ISC)2 Guide to the CISSP Exam
CISSP All-in-One Exam Guide, Third Edition (All in One)
CISSP ® : Certified Information Systems Security Professional Study Guide, Third Edition
Microsoft - Security Risk Management Guide, Chapter 4: Assessing Risk

18/02/07

Risk Management


Risk Management is the process of identifying, analyzing and assessing, and mitigating or transferring risk.

1st phase, Risk Analysis - the process of analyzing a target environment and the relationships of its risk-related attributes. The analysis should identify threats and vulnerabilities, associate these vulnerabilities with the affected assets, identify the potential for and nature of an undesirable result, and identify and evaluate risk-reducing countermeasures.
This phase includes identifying risks, risk-reducing measures, and the budgetary impact of implementing decisions related to the acceptance, avoidance, or transfer of risk (more comprehensive than a Business Impact Analysis).

2nd phase, Risk Assessment - the assignment of value to assets, threat frequency (annualized), consequence (i.e., exposure factors), and other elements of chance. The reported results of risk analysis can be said to provide an assessment or measurement of risk, regardless of the degree to which quantitative techniques are applied. For consistency, the term "risk assessment" is used hereafter to characterize both the process and the result of analyzing and assessing risk.
This phase includes the process of assigning priority to, budgeting, implementing, and maintaining appropriate risk-reducing measures.

Concept:
Vulnerabilities allow threats to occur with greater frequency or greater impact. Intuitively, the more vulnerabilities there are, the greater the risk of loss.

Terms and Definitions:
Value of information = cost to acquire + value to owners + what others are willing to pay
Asset - something of value (resource, product, data)
Probability or Exposure - the chance or likelihood that an event (threat) will occur
Risk - the potential for harm or loss. Total risk = asset value * vulnerabilities * threats
Safeguard (Control or Countermeasure) - risk-reducing measure (reducing both impact and likelihood); it must allow for auditability and accountability.
Safeguard Effectiveness - (%) the degree to which a safeguard mitigates a vulnerability.
Threat - an unfortunate event with an undesirable impact on the well-being of an asset.
Uncertainty - (%) typically measured inversely with respect to confidence.
Exposure - an instance of being exposed to losses from a specific threat.
Vulnerability - absence or weakness of a safeguard (the potential to allow a threat).

Calculation:
(ALE) Annualized Loss Expectancy - ALE = SLE x ARO (the annualized risk)
(ARO) Annualized Rate of Occurrence - the expected frequency of the threat per year (0.0 = never occurs)
(EF) Exposure Factor - magnitude of loss or impact, expressed as the % of the asset value lost in one occurrence
(SLE) Single Loss Expectancy - SLE = Asset Value x EF
ALE = (Asset Value x EF) x ARO

Categories of Threats
• Data Classification - malicious code or logic
• Information Warfare - technically oriented terrorism
• Personnel - Unauthorized system access
• Application / Operational - ineffective security results in data entry errors
• Criminal - Physical destruction, or vandalism
• Environmental - utility outage, natural disaster
• Computer Infrastructure - Hardware failure, program errors
• Delayed Processing - reduced productivity, delayed collections processing

Central tasks of Information Risk Management - provide concerned management with the identification and assessment of risk as well as cost-justified recommendations for risk reduction, thus allowing the decision (avoid, accept or transfer).
• Establish an IRM policy, fund an IRM team, IRM methodology and tools; identify and measure risk; project sizing.

Information Protection Environment (reports)
• Threat analysis - identification of threats that may impact the target environment;
• Asset identification and valuation - identify the assets (tangible and intangible), their replacement costs, further valuing of information asset (CIA);
• Vulnerability analysis - identify vulnerabilities that could increase the frequency or impact of threats.
• Risk evaluation - evaluation of all collected information regarding threats, vulnerabilities, assets and asset values in order to measure the associated chance and magnitude of loss (ALE).

Establish Risk Acceptance Criteria (Resistance - Ignorance, Arrogance and Fear)
• Mitigate Risk
• Safeguard Selection and Risk Mitigation Analysis
• Cost Benefit analysis
• Final Report
• Monitor Information Risk Management Performance

Elements of Risk Metrics
• Asset Value
• Threat Frequency and Exposure Factor (EF)
• Safeguard Effectiveness and Cost
• Uncertainty

Remedies
• Risk Reduction - implementation of safeguards to mitigate risk
• Risk Transference - insurance, transfer cost of loss to insurance company
• Risk Acceptance - accept the risk and face the chance of loss

Value Assessment - Asset valuation necessary to perform cost/benefit analysis, necessary for insurance or supports safeguard choices

Safeguard Selection
• Asset valuation necessary to perform cost/benefit analysis
• Perform cost/benefit analysis
o ALE(pre-control) - ALE(post-control) = annualized value of the control
• Costs of safeguards need to be considered including
o Purchase, development and licensing costs
o Installation costs
o Disruption to production
o Normal operating costs
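The Calculation formulas (SLE = Asset Value x EF, ALE = SLE x ARO) and the Safeguard Selection cost/benefit step above, carried through in code as an added example (not from the original post or any of the cited books). It extends the page's formula by subtracting the safeguard's annual cost, so the result is the net annual value of a control; all asset values, factors and costs are constructed sample figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, using the post's quantitative inputs."""
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF: fraction of the asset lost per occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year (0.0 = never occurs)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")


def sle(s: Scenario) -> float:
    """Single Loss Expectancy = Asset Value x EF."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(s) * s.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: what it costs per year and the residual EF/ARO it leaves."""
    name: str
    annual_cost: float   # amortized purchase/licensing + installation + operating + disruption
    residual_ef: float
    residual_aro: float


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """ALE(pre-control) - ALE(post-control) - annual cost of the safeguard.
    Positive: the control is cost-justified; negative: it costs more than the loss it avoids."""
    post = Scenario(s.asset_value, g.residual_ef, g.residual_aro)
    return ale(s) - ale(post) - g.annual_cost


def select_safeguards(s: Scenario, options: list) -> list:
    """Cost/benefit ranking: keep only controls with positive net value, best first."""
    ranked = sorted(options, key=lambda g: safeguard_value(s, g), reverse=True)
    return [g for g in ranked if safeguard_value(s, g) > 0]


if __name__ == "__main__":
    # Constructed figures: a file server worth 500,000; a malicious-code incident destroys
    # 40% of its value and is expected about once every four years (ARO = 0.25).
    server = Scenario(asset_value=500_000, exposure_factor=0.40, aro=0.25)
    options = [
        Safeguard("tested backups", annual_cost=12_000, residual_ef=0.05, residual_aro=0.25),
        Safeguard("host IDS", annual_cost=20_000, residual_ef=0.40, residual_aro=0.05),
        Safeguard("content filter", annual_cost=60_000, residual_ef=0.30, residual_aro=0.20),
    ]
    print(f"SLE={sle(server):,.0f} ALE={ale(server):,.0f}")
    print([g.name for g in select_safeguards(server, options)])
```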

Methods of Risk Analysis
Quantitative - assigns objective numerical values ($ money) to the value to be protected, the threat and its corresponding risk, loss potential, frequency and controls, and predicts monetary loss. (A major project that requires a detailed process plan.)
Preliminary Security Examination (PSE) - often conducted before the quantitative analysis; the PSE helps gather the elements that will be needed for the actual risk analysis.
Pros: assessment and results are based on metrics (supported by statistical analysis); the CIA value expressed in monetary terms gives a credible basis for cost/benefit assessment of risk mitigation; RM performance can be tracked and evaluated; speaks management's language.
Cons: complex calculations; not practical; a substantial amount of information must be gathered; no standard knowledge base.

Qualitative - addresses the intangible values of data loss and other issues that aren't pure hard costs; ranks threats across different scenarios or by asset sensitivity.
Based on judgment, intuition and experience (highly subjective).
Methods - Delphi, brainstorming, storyboards
• List the threat and the frequency
• Create exposure rating scale for each scenario
• Scenario written that address each major threat
• Scenario reviewed by business users for reality check
• Risk Analysis team evaluates and recommends safeguards
• Work through each finalized scenario
• Submit findings to management
Pros: simple calculations; not necessary to determine the monetary value of information; not necessary to determine quantitative threat frequency and impact data; not necessary to estimate the cost of recommended risk mitigation (and cost/benefit); general indication of significant areas of risk.
Cons: risk assessment and results are subjective; values may not reflect the actual value of the risk; no cost/benefit analysis of risk mitigation; no way to track risk management performance.

Tasks of Risk Assessment
• Project sizing (background, purpose, scope, constraints, objectives, responsibilities, approach)
• Threat Analysis (automated tools)
• Asset Identification and Valuation
• Replacement Costs

Risk Management (RM) - security controls to reduce the effects of threats and vulnerabilities to a tolerable level (mitigate risk); its elements are asset, threat and vulnerability.

References:
Official (ISC)2 Guide to the CISSP Exam
CISSP All-in-One Exam Guide, Third Edition (All in One)
CISSP ® : Certified Information Systems Security Professional Study Guide, Third Edition

15/02/07

Security Management Concepts: Availability, Integrity, Confidentiality


Concepts and Principles

Protecting important assets, security rules and procedures should support the organizational mission.
Objective of Security: reduce effects of threats and vulnerabilities to a tolerable level.

The Big Three or CIA triad

Availability
System accessible by authorized users whenever needed.
Controls: backup, fault tolerance.
Prevent: Unavailable information
Denial-of-service, Loss of data processing capabilities (natural disaster or human action)


Integrity
Protection from intentional or accidental unauthorized changes
Controls: Enforced by Access Control
Granting access on need-to-know basis, separation and rotation of duties
Prevent: alteration and modification of data
Modifications made by unauthorized personnel or processes, unauthorized modifications by authorized personnel or processes, internal and external consistency of data


Confidentiality

Protect information from unauthorized people so they cannot access it.
Controls: user identification, authentication and authorization
Prevent: unauthorized disclosure of data
Hackers, masqueraders, networks, unauthorized user activity, unprotected downloaded files, Trojan horses and social engineering.



References:
Official (ISC)2 Guide to the CISSP Exam
CISSP All-in-One Exam Guide, Third Edition (All in One)
CISSP ® : Certified Information Systems Security Professional Study Guide, Third Edition
CISSP by Mandy Andress (Exam Cram) - Coriolis
Certified Information Systems Security Professional, CramSession (BrainBuzz)