Security Management (domain 9)

Security Policy Implementation

Security Policies are the basis for a sound security implementation. Often organizations will implement technical security solutions without first creating a foundation of policies, standards, guidelines, and procedures, which results in unfocused and ineffective security controls.

The following questions are discussed in this section:

·         What are policies, standards, guidelines, and procedures?

·         Why do we use policies, standards, guidelines, and procedures?

·         What are the common policy types?

Policies, Standards, Guidelines, and Procedures

Policies

A policy is one of those terms that can mean several things in InfoSec. For example, there are security policies on firewalls, which refer to the access control and routing list information. Standards, procedures, and guidelines are also referred to as policies in the larger sense of a global Information Security Policy.

A good, well-written policy is more than an exercise created on paper; it is an essential and fundamental element of sound security practice. A policy, for example, can literally be a life saver during a disaster, or it may be a requirement of a governmental or regulatory function. A policy can also provide protection from liability due to an employee’s actions, or can form a basis for the control of trade secrets.

Policy Types

When we refer to specific policies, rather than a group “policy,” we are generally referring to those policies that are distinct from the standards, procedures, and guidelines. As you can see from the Policy Hierarchy chart shown in Figure 1.3, policies are considered the first and highest level of documentation, from which the lower-level elements of standards, procedures, and guidelines flow. This order, however, does not mean that policies are more important than the lower elements. These higher-level policies, which are the more general policies and statements, should be created first in the process for strategic reasons, and then the more tactical elements can follow.

Figure 1.3: Policy hierarchy.

Senior Management Statement of Policy. The first policy of any policy creation process is the Senior Management Statement of Policy. This is a general, high-level statement of a policy that contains the following elements:

·         An acknowledgment of the importance of the computing resources to the business model

·         A statement of support for information security throughout the enterprise

·         A commitment to authorize and manage the definition of the lower level standards, procedures, and guidelines


Senior Management Commitment

Fundamentally important to any security program’s success is senior management’s high-level statement of commitment to the information security policy process, and senior management’s understanding of how important security controls and protections are to the enterprise’s continuity. Senior management must be aware of the importance of security implementation to preserve the organization’s viability (and for their own “Due Care” protection), and must publicly support that process throughout the enterprise.


Regulatory. Regulatory policies are security policies that an organization is required to implement, due to compliance, regulation, or other legal requirements. These companies may be financial institutions, public utilities, or some other type of organization that operates in the public interest. These policies are usually very detailed and are specific to the industry in which the organization operates.

Regulatory policies commonly have two main purposes:

1.      To ensure that an organization is following the standard procedures or base practices of operation in its specific industry.

2.      To give an organization the confidence that they are following the standard and accepted industry policy.

Advisory. Advisory policies are security policies that are not mandated to be followed, but are strongly suggested, perhaps with serious consequences defined for failure to follow them (such as termination, a job action warning, and so forth). A company with such policies wants most employees to consider these policies mandatory. Most policies fall under this broad category.

These policies can have many exclusions or application levels. Thus, some employees can be more controlled by these policies than others, according to their roles and responsibilities within that organization. For example, a policy that requires a certain procedure for transaction processing may allow for an alternative procedure under certain, specified conditions.

Informative. Informative policies are policies that exist simply to inform the reader. There are no implied or specified requirements, and the audience for this information could be certain internal (within the organization) or external parties. This does not mean that the policies are authorized for public consumption, but that they are general enough to be distributed to external parties (vendors accessing an extranet, for example) without a loss of confidentiality.

However, an informative policy may still state that penalties apply for failing to follow a policy (the failure to follow a defined authorization procedure, for example) without stating what that policy is, and then refer the reader to another, more detailed and confidential policy.

Standards, Guidelines, and Procedures

The next level down from policies is the three elements of policy implementation — standards, guidelines, and procedures. These three elements contain the actual details of the policy, such as how they should be implemented, and what standards and procedures should be used. They are published throughout the organization via manuals, the intranet, handbooks, or awareness classes.

It is important to know that standards, guidelines, and procedures are separate, yet linked, documents from the general policies (especially the senior-level statement). Unfortunately, companies will often create one document that satisfies the needs of all of these elements; this is not good. There are a few good reasons why they should be kept separate:

·         Each one of these elements serves a different function, and focuses on a different audience. Also, physical distribution of the policies is easier.

·         Security controls for confidentiality are different for each policy type. For example, a high-level security statement may need to be available to investors, but the procedures for changing passwords should not be available to anyone that is not authorized to perform the task.

·         Updating and maintaining the policy is much more difficult when all the policies are combined into one voluminous document. Mergers, routine maintenance, and infrastructure changes all require that the policies be routinely updated. A modular approach to a policy document will keep the revision time and costs down.

Standards. Standards specify the use of specific technologies in a uniform way. This standardization of operating procedures can be a benefit to an organization by specifying the uniform methodologies to be used for the security controls. Standards are usually compulsory and are implemented throughout an organization for uniformity.

Guidelines. Guidelines are similar to standards — they refer to the methodologies of securing systems, but they are recommended actions only, and are not compulsory. Guidelines are more flexible than standards, and take into consideration the varying nature of the information systems. Guidelines may be used to specify the way standards should be developed, for example, or to guarantee the adherence to general security principles. The Rainbow series, described in Appendix B, and the Common Criteria, discussed in Appendix G, are considered guidelines.

Procedures. Procedures embody the detailed steps that are followed to perform a specific task. Procedures are the detailed actions that personnel are required to follow. They are considered the lowest level in the policy chain. Their purpose is to provide the detailed steps for implementing the policies, standards, and guidelines, which were previously created. “Practices” is another term that is frequently used in reference to procedures.

Baselines. We mention baselines here because they are similar to standards, yet are a little different. Once a consistent set of baselines has been created, the security architecture of an organization can be designed, and standards can then be developed. Baselines take into consideration the difference between various operating systems, for example, to assure that the security is being uniformly implemented throughout the enterprise. If adopted by the organization, baselines are compulsory.

Roles and Responsibilities

The phrase “roles and responsibilities” pops up quite frequently in InfoSec. InfoSec controls are often defined by the job or role an employee plays in an organization. Each of these roles has data security rights and responsibilities. Roles and responsibilities are central to the “separation of duties” concept — the concept that security is enhanced through the division of responsibilities in the production cycle. It is important that individual roles and responsibilities are clearly communicated and understood (see Table 1.2).

Table 1.2: Roles and Responsibilities

Role               Description
Senior Manager     Has the ultimate responsibility for security.
InfoSec Officer    Has the functional responsibility for security.
Owner              Determines the data classification.
Custodian          Preserves the information’s C.I.A.
User/Operator      Performs in accordance with (IAW) the stated policies.
Auditor            Examines security.

All of the following concepts are fully defined in Chapter 6, “Operations Security,” but we discuss them briefly here:

Senior Management. Executive or senior-level management is assigned the overall responsibility for the security of information. Senior management may delegate the function of security, but they are viewed as the end of the food chain when liability is concerned.

Information Systems Security Professionals. Information systems security professionals are delegated the responsibility for implementing and maintaining security by the senior-level management. Their duties include the design, implementation, management, and review of the organization’s security policy, standards, guidelines, and procedures.

Data Owners. Previously discussed in the section titled “Information Classification Roles,” data owners are primarily responsible for determining the data’s sensitivity or classification levels. They can also be responsible for maintaining the information’s accuracy and integrity.

Users. Previously discussed in the section titled “Information Classification Roles,” users are responsible for following the procedures, which are set out in the organization’s security policy, during the course of their normal daily tasks.

Information Systems Auditors. Information systems auditors are responsible for providing reports to the senior management on the effectiveness of the security controls by conducting regular, independent audits. They also examine whether the security policies, standards, guidelines, and procedures are effectively complying with the company’s stated security objectives.

Risk Management

A major component of InfoSec is Risk Management (RM). Risk Management’s main function is to mitigate risk. Mitigating risk means to reduce the risk until it reaches a level that is acceptable to an organization. Risk Management can be defined as the identification, analysis, control, and minimization of loss that is associated with events.

The identification of risk to an organization entails defining the four following basic elements:

·         The actual threat

·         The possible consequences of the realized threat

·         The probable frequency of the occurrence of a threat

·         The extent of how confident we are that the threat will happen

Many formulas and processes are designed to help provide some certainty when answering these questions. It should be pointed out, however, that because life and nature are constantly evolving and changing, not every possibility can be considered. Risk Management tries as much as possible to see the future and to lower the possibility of threats impacting a company.

Note 

Mitigating Risk

It’s important to remember that the risk to an enterprise can never be totally eliminated — that would entail ceasing operations. Risk Mitigation means finding out what level of risk the enterprise can safely tolerate and still continue to function effectively.

Principles of Risk Management

The Risk Management task process has several elements, primarily including the following:

·         Performing a Risk Analysis, including the cost benefit analysis of protections

·         Implementing, reviewing, and maintaining protections

To enable this process, some properties of the various elements will need to be determined, such as the value of assets, threats, and vulnerabilities, and the likelihood of events. A primary part of the RM process is assigning values to threats, and estimating how often, or how likely, that threat is to occur. To do this, several formulas and terms have been developed, and the CISSP candidate must fully understand them. The terms and definitions listed in the following section are ranked in the order that they are defined during the Risk Analysis (RA).

The Purpose of Risk Analysis

The main purpose of performing a Risk Analysis is to quantify the impact of potential threats — to put a price or value on the cost of a lost business functionality. The two main results of a Risk Analysis — the identification of risks and the cost/benefit justification of the countermeasures — are vitally important to the creation of a risk mitigation strategy.

There are several benefits to performing a Risk Analysis. It creates a clear cost-to-value ratio for security protections. It also influences the decision-making process dealing with hardware configuration and software systems design. In addition, it also helps a company to focus its security resources where they are needed most. Furthermore, it can influence planning and construction decisions, such as site selection and building design.

Terms and Definitions

The following are RA terms that the CISSP candidate will need to know.

Asset

An asset is a resource, process, product, computing infrastructure, and so forth that an organization has determined must be protected. The loss of the asset could affect confidentiality, integrity, or availability (C.I.A.) overall, or it could have a discrete dollar value; the asset could be tangible or intangible. It could also affect the full ability of an organization to continue in business. The value of an asset is composed of all of the elements that are related to that asset — its creation, development, support, replacement, public credibility, considered costs, and ownership values.

Threat

Simply put, the presence of any potential event that causes an undesirable impact on the organization is called a threat. As we will discuss in the Operations Domain, a threat could be man-made or natural, and have a small or large effect on a company’s security or viability.

Vulnerability

The absence or weakness of a safeguard constitutes a vulnerability. A minor threat has the potential to become a greater threat, or a more frequent threat, because of a vulnerability. Think of a vulnerability as the threat that gets through a safeguard into the system.

Combined with the terms asset and threat, vulnerability is the third part of an element that is called a triple in risk management.

Safeguard

A safeguard is the control or countermeasure employed to reduce the risk associated with a specific threat, or group of threats.

Exposure Factor (EF)

The EF represents the percentage of loss a realized threat event would have on a specific asset. This value is necessary to compute the Single Loss Expectancy (SLE), which in turn is necessary to compute the Annualized Loss Expectancy (ALE). The EF can be a small percentage, such as the effect of a loss of some hardware, or a very large percentage, such as the catastrophic loss of all computing resources.

Single Loss Expectancy (SLE)

An SLE is the dollar figure that is assigned to a single event. It represents an organization’s loss from a single threat. It is derived from the following formula:

Asset Value ($) x Exposure Factor (EF) = SLE

For example, an asset valued at $100,000 that is subjected to an exposure factor of 30 percent would yield an SLE of $30,000. While this figure is primarily defined in order to create the Annualized Loss Expectancy (ALE), it is occasionally used by itself to describe a disastrous event for a Business Impact Assessment (BIA).

Annualized Rate of Occurrence (ARO)

The ARO is a number that represents the estimated frequency with which a threat is expected to occur. The range for this value can be from 0.0 (never) to a large number (for minor threats, such as misspellings of names in data entry). How this number is derived can be very complicated. It is usually created based upon the likelihood of the event and the number of employees that could make that error occur. The loss incurred by this event is not a concern here, only how often it does occur.

For example, a meteorite damaging the data center could be estimated to occur only once every 100,000 years, and will have an ARO of .00001. Whereas 100 data entry operators, each estimated to attempt unauthorized access six times a year, will together have an ARO of 600.

Annualized Loss Expectancy (ALE)

The ALE, a dollar value, is derived from the following formula:

Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = ALE

In other words, an ALE is the annually expected financial loss to an organization from a threat. For example, a threat with a dollar value of $100,000 (SLE) that is expected to happen only once in 1,000 years (ARO of .001) will result in an ALE of $100. This helps to provide a more reliable cost versus benefit analysis. Remember that the SLE is derived from the asset value and the Exposure Factor (EF). Table 1.3 shows these formulas.

Table 1.3: Risk Analysis Formulas

Concept                               Derivation Formula
Exposure Factor (EF)                  Percentage of asset loss caused by the threat.
Single Loss Expectancy (SLE)          Asset Value x Exposure Factor (EF).
Annualized Rate of Occurrence (ARO)   Frequency of threat occurrence per year.
Annualized Loss Expectancy (ALE)      Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO).
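The EF, SLE, ARO, and ALE formulas above, worked through in code. This is an added example, not code from the original text: the functions implement the Table 1.3 formulas, and the sample threats are constructed from the figures quoted above (the $100,000 asset with a 30 percent exposure factor, the once-in-1,000-years event, the meteorite with an ARO of .00001, and the 600-attempts-per-year data entry case). Where the text gives only an ARO, the exposure factor and asset value assigned here are this example’s assumptions, chosen so the ranking makes the SLE-versus-ALE point.

```python
"""Quantitative risk analysis: EF -> SLE -> ARO -> ALE.

Added example, not from the original text. The functions implement the
Table 1.3 formulas; the sample threats are constructed from the figures
quoted in the text, with exposure factors assumed where the text gives
only an ARO.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # asset value in dollars
    exposure_factor: float   # EF as a fraction of the asset lost, 0.0 .. 1.0
    aro: float               # Annualized Rate of Occurrence, events per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x EF. EF must be a fraction between 0 and 1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be in [0, 1], got {exposure_factor}")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO ranges from 0.0 (never) upward; it is a
    frequency, not a probability, so values above 1 are legitimate."""
    if aro < 0:
        raise ValueError(f"ARO cannot be negative, got {aro}")
    return sle * aro


def ale_for(threat: Threat) -> float:
    """Convenience wrapper: ALE for one threat record."""
    sle = single_loss_expectancy(threat.asset_value, threat.exposure_factor)
    return annualized_loss_expectancy(sle, threat.aro)


def rank_threats(threats: list[Threat]) -> list[tuple[str, float, float]]:
    """Return (name, SLE, ALE) tuples ordered by ALE, highest first.

    Ranking by ALE rather than SLE is the point: a catastrophic but rare
    event can matter less, in expected annual dollars, than a cheap but
    frequent one, which is where safeguard budget is usually better spent.
    """
    rows = []
    for t in threats:
        sle = single_loss_expectancy(t.asset_value, t.exposure_factor)
        rows.append((t.name, sle, annualized_loss_expectancy(sle, t.aro)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample threats against a single $100,000 asset. The AROs for the
# meteorite, the 1,000-year event and the data-entry case are the text's
# figures; the exposure factors for those three, and the ARO of 1.0 for the
# hardware loss, are assumed for illustration.
SAMPLE_THREATS = [
    Threat("meteorite damages data center", 100_000, exposure_factor=1.0, aro=0.00001),
    Threat("once-in-1,000-years event", 100_000, exposure_factor=1.0, aro=0.001),
    Threat("loss of some hardware", 100_000, exposure_factor=0.30, aro=1.0),
    Threat("unauthorized access attempt by data entry operator", 100_000,
           exposure_factor=0.001, aro=600.0),
]

if __name__ == "__main__":
    for name, sle, ale in rank_threats(SAMPLE_THREATS):
        print(f"{name:52s} SLE=${sle:>12,.2f}  ALE=${ale:>12,.2f}")
```

Run as a script, the table shows the two $100,000-SLE events at the bottom of the ranking and the $100-SLE data entry threat at the top, because the ALE, not the SLE, is what the annual safeguard budget should be compared against.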

Overview of Risk Analysis

We will now discuss the four basic elements of the Risk Analysis process:

1.      Quantitative Risk Analysis

2.      Qualitative Risk Analysis

3.      Asset Valuation Process

4.      Safeguard Selection

Quantitative Risk Analysis

The difference between quantitative and qualitative RA is fairly simple: Quantitative RA attempts to assign independently objective numeric values (hard dollars, for example) to the components of the risk assessment and to the assessment of potential losses. Qualitative RA addresses more intangible values of a data loss, and focuses on the other issues, rather than the pure hard costs.

When all elements (asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability) are measured, rated, and assigned values, the process is considered to be fully quantitative. However, fully quantitative risk analysis is not possible because qualitative measures must be applied. Thus, the reader should be aware that just because the figures look hard on paper does not mean it is possible to foretell the future with any certainty.

A quantitative risk analysis process is a major project, and as such it requires a project or program manager to manage the main elements of the analysis. A major part of the initial planning for the quantitative RA is the estimation of the time required to perform the analysis. In addition, a detailed process plan must also be created, and roles must be assigned to the RA team.

Preliminary Security Examination (PSE). A PSE is often conducted before the actual quantitative RA. The PSE helps to gather the elements that will be needed when the actual RA takes place. A PSE also helps to focus an RA. Elements that are defined during this phase include asset costs and values, a listing of various threats to an organization (in terms of threats to both the personnel and the environment), and documentation of the existing security measures. The PSE is normally then subject to a review by an organization’s management before the RA begins.


Automated Risk Analysis Products

There are several good automated risk analysis products on the market. The main objectives of these products are to minimize the manual effort that must be expended to create the risk analysis and to provide a company with the ability to forecast its expected losses quickly with different input variations. The creation of a database during an initial automated process enables the operator to rerun the analysis using different parameters — to create a “what-if” scenario. These products enable the users to perform calculations quickly in order to estimate future expected losses, thereby determining the benefit of their implemented safeguards.


Risk Analysis Steps

The three primary steps in performing a risk analysis are similar to the steps in performing a Business Impact Assessment (see Chapter 6, “Operations Security”). However, a risk analysis is commonly much more comprehensive and is designed to be used to quantify complicated, multiple-risk scenarios.

The three primary steps are as follows:

1.      Estimate the potential losses to assets by determining their value.

2.      Analyze potential threats to the assets.

3.      Define the Annualized Loss Expectancy (ALE).

Estimate Potential Losses

To estimate the potential losses incurred during the realization of a threat, the assets must be valued, commonly by using some sort of standard asset valuation process (this is described in more detail later). This results in the assignment of a financial value to each asset, from which the EF and SLE calculations are performed.

Analyze Potential Threats

Here we determine what the threats are, and how likely and often they are to occur. To define the threats, we must also understand the asset’s vulnerabilities and perform an ARO calculation for the threat and vulnerabilities.

All types of threats should be considered in this section, no matter whether they seem likely or not. It may be helpful to organize the threat listing into types of threats by source, or by their expected magnitude. In fact, some organizations can provide statistics on the frequency of various threats that occur in your area. In addition, the other domains of InfoSec discussed in this book have several varied listings of the categories of threats.

Some of the following categories of threats could be included in this section.

Data Classification.  Data aggregation or concentration that results in data inference, covert channel manipulation, a malicious code/virus/Trojan horse/worm/logic bomb, or a concentration of responsibilities (lack of separation of duties)

Information Warfare.  Technology-oriented terrorism, malicious code or logic, or emanation interception for military or economic espionage

Personnel.  Unauthorized or uncontrolled system access, the misuse of technology by authorized users, tampering by disgruntled employees, or falsified data input

Application/Operational.  Ineffective security application that results in procedural errors or incorrect data entry

Criminal.  Physical destruction or vandalism, the theft of assets or information, organized insider theft, armed robbery, or physical harm to personnel

Environmental.  Utility failure, service outage, natural disasters, or neighboring hazards

Computer Infrastructure.  Hardware/equipment failure, program errors, operating system flaws, or a communications system failure

Delayed Processing.  Reduced productivity or a delayed funds collection that results in reduced income, increased expenses, or late charges

Define the Annualized Loss Expectancy (ALE)

Once the SLE and ARO have been determined, we can estimate the ALE using the formula we previously described.

Results

After performing the Risk Analysis, the final results should contain the following:

·         Valuations of the critical assets in hard costs

·         A detailed listing of significant threats

·         Each threat’s likelihood and its possible occurrence rate

·         Loss potential by a threat — the dollar impact the threat will have on an asset

·         Recommended remedial measures and safeguards or countermeasures

Remedies

There are three generic remedies to risk, which may take the form of either one or a combination of the following three:

·         Risk Reduction. Taking measures to alter or improve the risk position of an asset throughout the company

·         Risk Transference. Assigning or transferring the potential cost of a loss to another party (like an insurance company)

·         Risk Acceptance. Accepting the level of loss that will occur, and absorbing that loss

The remedy chosen will usually be the one that results in the greatest risk reduction, while retaining the lowest annual cost necessary to maintain a company.

Qualitative Risk Analysis

As we mentioned previously, a qualitative RA does not attempt to assign hard and fast costs to the elements of the loss. It is more scenario-oriented, and, as opposed to a quantitative RA, a purely qualitative risk analysis is possible. Threat frequency and impact data is required to do a qualitative RA, however.

In a qualitative risk assessment, the seriousness of threats and the relative sensitivity of the assets are given a ranking, or qualitative grading, by using a scenario approach, and creating an exposure rating scale for each scenario.

During a scenario description, we match various threats to identified assets. A scenario describes the type of threat, the potential loss, and the assets affected, and selects the safeguards to mitigate the risk.

Qualitative Scenario Procedure

After the threat listing has been created, the assets for protection have been defined, and an exposure level rating is assigned, the qualitative risk assessment scenario begins. See Table 1.4 for a simple exposure rating scale.

Table 1.4: Simple Exposure Rating Level Scale

Rating Level   Exposure Percentage
Blank or 0     No measurable loss
1              20% loss
2              40% loss
3              60% loss
4              80% loss
5              100% loss

The procedures in performing the scenario are as follows:

·         A scenario is written that addresses each major threat.

·         The scenario is reviewed by business unit managers for a reality check.

·         The RA team recommends and evaluates the various safeguards for each threat.

·         The RA team works through each finalized scenario using a threat, asset, and safeguard.

·         The team prepares their findings and submits them to management.

After the scenarios have all been played out and the findings are published, management must implement the safeguards that were selected as being acceptable, and begin to seek alternatives for the safeguards that did not work.

Asset Valuation Process

There are several elements of a process that determine the value of an asset. Both quantitative and qualitative RA (and Business Impact Assessment) procedures require a valuation of the asset’s worth to the organization. This valuation is a fundamental step in all security auditing methodologies. A common mistake made by organizations is not accurately identifying the information’s value before implementing the security controls. This often results in a control that is ill-suited for asset protection, is not financially effective, or protects the wrong asset. Table 1.5 compares quantitative and qualitative RA.

Table 1.5: Quantitative vs. Qualitative RA

Property                         Quantitative   Qualitative
Cost/benefit analysis            Yes            No
Financial hard costs             Yes            No
Can be automated                 Yes            No
Guesswork involved               Low            High
Complex calculations             Yes            No
Volume of information required   High           Low
Time/work involved               High           Low
Ease of communication            High           Low

Reasons for Determining the Value of an Asset

Here are some additional reasons, beyond those described previously, to define an asset’s cost or value:

·         The asset valuation is necessary to perform the cost/benefit analysis.

·         The asset’s value may be necessary for insurance reasons.

·         The asset’s value supports safeguard selection decisions.

·         The asset valuation may be necessary to satisfy “due care” and prevent negligence and legal liability.

Elements that Determine the Value of an Asset

There are three basic elements that are used to determine an information asset’s value:

1.      The initial and on-going cost (to an organization) of purchasing, licensing, developing, and supporting the information asset

2.      The asset’s value to the organization’s production operations, research and development, and business model viability

3.      The asset’s value established in the external marketplace, and the estimated value of the intellectual property (trade secrets, patents, copyrights, and so forth)

Safeguard Selection Criteria

Once the risk analysis has been completed, safeguards and countermeasures must be researched and recommended. There are several standard principles that are used in the selection of safeguards to ensure that a safeguard is properly matched to a threat, and to ensure that a safeguard most efficiently implements the necessary controls. Several important criteria must be examined before selecting an effective countermeasure.

Cost/Benefit Analysis

The number one safeguard selection criterion is the cost effectiveness of the control that is to be implemented, which is derived through the process of the cost versus benefit analysis. To determine the total cost of the safeguard, many elements need to be considered, which include the following:

·         The purchase, development, and/or licensing costs of the safeguard

·         The physical installation costs and the disruption to normal production during the installation and testing of the safeguard

·         Normal operating costs, resource allocation, and maintenance/repair costs

The simplest calculation to compute a cost/benefit for a given safeguard is as follows:

(ALE before safeguard implementation) – (ALE after safeguard implementation) – (annual safeguard cost) = value of safeguard to the organization

For example, if an ALE of a threat has been determined to be $10,000, the ALE after the safeguard implementation is $1,000, and the annual cost to operate the safeguard totals $500, then the value of a given safeguard is thought to be $8,500 annually. This amount is then compared against the startup costs, and the benefit or lack of benefit is determined.

This value may be derived for a single safeguard, or can be derived for a collection of safeguards through a series of complex calculations. In addition to the financial cost-to-benefit ratio, other factors can influence the decision of whether to implement a specific security safeguard. For example, an organization is exposed to legal liability if the cost to implement a safeguard is less than the cost resulting from the realized threat and the organization does not implement the safeguard.
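The cost/benefit formula above, carried one step further. This is an added example, not code from the original text: it implements (ALE before) – (ALE after) – (annual safeguard cost), reproduces the $10,000 / $1,000 / $500 case from the text, and then uses the same formula to rank several candidate safeguards against the same threat, rejecting any whose net value is negative. Spreading a one-time startup cost over an assumed service life is this example’s own addition (the text only says the annual value is compared against startup costs), and the two candidates other than the text’s own case are constructed.

```python
"""Safeguard cost/benefit comparison.

Added example, not from the original text. Implements the text's formula
    value = (ALE before) - (ALE after) - (annual safeguard cost)
and extends it to rank candidate safeguards, spreading any one-time startup
cost over an assumed service life (that amortization is this example's
assumption, not something the text prescribes).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    ale_after: float             # ALE that remains once the safeguard is in place
    annual_cost: float           # operating, maintenance, licensing cost per year
    startup_cost: float = 0.0    # one-time purchase/installation cost
    service_life_years: int = 1  # assumed years over which startup cost is spread


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """The text's formula: annual value of a safeguard to the organization."""
    if ale_after > ale_before:
        raise ValueError("a control that raises the ALE is not a safeguard")
    if annual_cost < 0:
        raise ValueError("annual cost cannot be negative")
    return ale_before - ale_after - annual_cost


def net_annual_value(ale_before: float, sg: Safeguard) -> float:
    """Annual value after charging an amortized share of the startup cost."""
    if sg.service_life_years < 1:
        raise ValueError("service life must be at least one year")
    amortized_startup = sg.startup_cost / sg.service_life_years
    return safeguard_value(ale_before, sg.ale_after, sg.annual_cost) - amortized_startup


def rank_safeguards(ale_before: float, candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """(name, net annual value) pairs, best first. A negative value means the
    safeguard costs more per year than the loss it avoids."""
    rows = [(sg.name, net_annual_value(ale_before, sg)) for sg in candidates]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def cost_justified(ale_before: float, candidates: list[Safeguard]) -> list[str]:
    """Names of candidates with positive net value. Cost/benefit is the first
    selection criterion, not the only one: legal liability, auditability and
    recovery behaviour can still override this list."""
    return [name for name, value in rank_safeguards(ale_before, candidates) if value > 0]


# Constructed scenario around the text's $10,000 ALE threat. The first
# candidate uses the text's own figures; the other two are invented here.
ALE_BEFORE = 10_000.0
CANDIDATES = [
    Safeguard("text's example safeguard", ale_after=1_000.0, annual_cost=500.0),
    Safeguard("procedural control (training and checklist)", ale_after=4_000.0, annual_cost=100.0),
    Safeguard("high-end appliance", ale_after=0.0, annual_cost=2_000.0,
              startup_cost=40_000.0, service_life_years=4),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(ALE_BEFORE, CANDIDATES):
        verdict = "worth it" if value > 0 else "rejected: costs more than it saves"
        print(f"{name:45s} net ${value:>10,.2f}  {verdict}")
```

The appliance eliminates the loss entirely yet lands at the bottom with a negative net value: once its startup cost is spread over its service life it costs $12,000 a year to avoid a $10,000 expected loss, which is exactly the case the cost/benefit step exists to catch.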

Level of Manual Operations

The amount of manual intervention required to operate the safeguard is also a factor in the choice of a safeguard. In case after case, vulnerabilities are created due to human error or an inconsistency in application. In fact, automated systems require fail-safe defaults to allow for manual shutdown capability in case a vulnerability occurs. The more automated a process is, the more sustainable and reliable that process will be.

In addition, a safeguard should not be too difficult to operate, and it should not unreasonably interfere with the normal operations of production. These characteristics are vital for the acceptance of the control by operating personnel, and for acquiring the all-important management support that is required for the safeguard to succeed.

Auditability and Accountability Features

The safeguard must allow for the inclusion of auditing and accounting functions. The safeguard must have the ability to be audited and tested by the auditors, and its accountability must be implemented to effectively track each individual who accesses the countermeasure or its features.

Recovery Ability

The safeguard should be evaluated with regard to its functioning state after activation or reset. During and after a reset condition, the safeguard must provide the following:

·         No asset destruction during activation or reset

·         No covert channel access to or through the control during reset

·         No security loss or increase in exposure after activation or reset

·         Defaults to a state that does not enable any operator access or rights until the controls are fully operational

Vendor Relations

The credibility, reliability, and past performance of the safeguard vendor must be examined. The openness of the application's code (for example, whether it is open source) should also be known, in order to avoid design secrecy that prevents later modification or hides undocumented back doors into the system. Vendor support and documentation should also be considered.


Back Doors

A back door, maintenance hook, or trap door is a programming element that gives application maintenance programmers access to the internals of the application, bypassing its normal security controls. While this is a valuable function for the support and maintenance of a program, the security practitioner must be aware of these doors and provide a means of control and accountability for their use.
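An added example of the point above, not code from the original text: a login routine with a hard-coded maintenance hook, beside a controlled alternative that keeps maintenance access possible but subject to authorization, time limits and an audit trail. The user names, the secrets, the ticket format and the use of an HMAC-signed ticket are all assumptions made for this illustration; the password hashing uses a fixed salt purely to keep the example short.

```python
"""Added example: a maintenance hook that silently bypasses authentication,
beside a controlled alternative that keeps maintenance access possible but
authorized, time-limited and audited. Not code from the original text; the
user names, secrets and ticket format are assumptions for the illustration."""

import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_SALT = b"demo-salt"  # assumption: a real system uses a random per-user salt


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, bytes] = {"alice": _hash_pw("correct horse")}


# --- Vulnerable: an undocumented maintenance hook ---------------------------
def login_with_hook(username: str, password: str) -> Optional[dict]:
    # The back door: a fixed credential that skips the real check and grants
    # admin rights, absent from the user database and invisible to audit.
    if username == "maint" and password == "letmein":
        return {"user": "maint", "role": "admin"}
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored, _hash_pw(password)):
        return {"user": username, "role": "user"}
    return None


# --- Controlled: explicit, accountable maintenance access -------------------
@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, **event) -> None:
        self.entries.append(event)


class MaintenanceAccess:
    """No permanent bypass. An approver who is not the engineer issues a
    signed, short-lived ticket; every issue and every use is logged."""

    def __init__(self, approval_key: bytes, audit: AuditLog, ttl_s: int = 900):
        self._key = approval_key
        self._audit = audit
        self._ttl = ttl_s

    def _tag(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue_ticket(self, engineer: str, approver: str, now: Optional[float] = None) -> str:
        if approver == engineer:
            raise PermissionError("approver must not be the requesting engineer")
        now = time.time() if now is None else now
        body = f"{engineer}|{approver}|{int(now + self._ttl)}"
        self._audit.record(event="maint_ticket_issued", engineer=engineer,
                           approver=approver, at=now)
        return body + "|" + self._tag(body)

    def open_session(self, ticket: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        parts = ticket.split("|")
        if len(parts) != 4:
            self._audit.record(event="maint_session", ticket=ticket, granted=False, at=now)
            raise PermissionError("malformed maintenance ticket")
        engineer, approver, expires, tag = parts
        body = f"{engineer}|{approver}|{expires}"
        valid = hmac.compare_digest(self._tag(body), tag) and now < int(expires)
        self._audit.record(event="maint_session", engineer=engineer,
                           approver=approver, granted=valid, at=now)
        if not valid:
            raise PermissionError("invalid or expired maintenance ticket")
        return {"user": engineer, "role": "maintenance", "approved_by": approver}
```

The difference the text asks for is not that maintenance access is gone, but that every use is tied to a named engineer and a named approver, expires on its own, and leaves a record an auditor can review.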


Security Awareness

Although this is our last section for this chapter, it is not the least important. Security awareness is often an overlooked element of security management, because most of a security practitioner’s time is spent on controls, intrusion detection, risk assessment, and proactively or reactively administering security.

However, it should not be that way. People are often the weakest link in the security chain, usually because they have not been trained and are not generally aware of what security is about. Employees must understand how their actions, even seemingly insignificant ones, can greatly affect the overall security position of an organization.

Employees must be aware of the need to secure information and to protect the information assets of an enterprise. Operators need training in the skills that are required to fulfill their job functions securely, and security practitioners need training to implement and maintain the necessary security controls.

All employees need education in the basic concepts of security and its benefits to an organization. The benefits of the three pillars of security awareness training — awareness, training, and education — will manifest themselves through an improvement in the behavior and attitudes of personnel, and through a significant improvement in an enterprise’s security.

Awareness

As opposed to training, security awareness refers to the general, collective awareness of an organization’s personnel of the importance of security and security controls. In addition to the benefits and objectives we have previously mentioned, security awareness programs also have the following benefits:

·         Make a measurable reduction in the unauthorized actions attempted by personnel

·         Significantly increase the effectiveness of the protection controls

·         Help to avoid the fraud, waste, and abuse of computing resources

Personnel are considered to be “security aware” when they clearly understand the need for security, how security affects the organization’s viability and bottom line, and the daily risks to computing resources.

It is important to have periodic awareness sessions to orient new employees and refresh senior employees. The material should always be direct, simple, and clear. It should be reasonably motivational, should avoid techno-jargon, and should be conveyed in a style easily understood by the audience. The material should show how the security interests of the organization parallel the interests of the audience, and why each person’s actions matter to the organization’s security protections.

Let’s list a few ways that security awareness can be improved within an organization without a lot of expense or resource drain.

·         Live/Interactive Presentations. Lectures, video, and Computer Based Training (CBT)

·         Publishing/Distribution. Posters, company newsletters, bulletins, and the intranet

·         Incentives. Awards and recognition for security-related achievement

·         Reminders. Login-banner messages, marketing paraphernalia such as mugs, pens, sticky notes, and mouse pads

One caveat here: It is possible to oversell security awareness and to inundate the personnel with a constant barrage of reminders. This will most likely have the effect of turning off their attention. It is important to find the right balance of selling security awareness. An awareness program should be creative and frequently altered to stay fresh.

Training and Education

Training is different from awareness in that it uses specific classroom or one-on-one instruction. The following types of training are related to InfoSec:

·         Security-related job training for operators and specific users

·         Awareness training for specific departments or personnel groups with security-sensitive positions

·         Technical security training for IT support personnel and system administrators

·         Advanced InfoSec training for security practitioners and information systems auditors

·         Security training for senior managers, functional managers, and business unit managers

In-depth training and education for systems personnel, auditors, and security professionals is very important, and is considered necessary for career development. In addition, specific product training for security software and hardware is also vital to the protection of the enterprise.

A good starting point for defining a security training program could be the policies, standards, guidelines, and procedures in use at the organization. A discussion of possible environmental or natural hazards, or of recent common security errors or incidents (without blaming anyone publicly), could also work. Motivating the students is always the prime directive of any training, and their understanding of how security affects the bottom line is also vital. A common training technique is to present hypothetical security vulnerability scenarios and ask the students for possible solutions or outcomes.


The Need for User Security Training

All personnel using a system should have some kind of security training, either specific to the controls employed or covering general security concepts. Training is especially important for those users who handle sensitive or critical data. The advent of the microcomputer and distributed computing has created opportunities for serious failures of confidentiality, integrity, and availability.


 

Chapter 4: Security Management Practices

Terms you’ll need to understand:

·         Confidentiality

·         Integrity

·         Availability

·         Authorization

·         Authentication

·         Nonrepudiation

·         Layering

·         Data hiding

Techniques you’ll need to master:

·         Understanding security management concepts and principles

·         Managing change control

·         Understanding employment policies and practices

The Security Management Practices domain covers the identification of an organization’s information assets and the development, documentation, and implementation of policies, standards, and procedures that ensure confidentiality, integrity, and availability.

For the CISSP exam, you need to fully understand the planning, organization, and roles of individuals in identifying and securing an organization’s information assets. Your understanding should include developing policies and procedures, awareness training, and employee hiring and termination practices.

Security Management Concepts and Principles

In security, specific concepts must be addressed by any solution. The main concepts are availability, integrity, and confidentiality, which are discussed next in detail. Without addressing these three concepts, security solutions do not provide the complete package.

Availability

Protecting the availability of data means ensuring that it is accessible to those who use the data when they need to use it. This area was not emphasized until the denial of service (DoS) attacks hit the Internet in February 2000. Prior to these attacks, problems with availability were caused mainly by technology issues or maintenance problems. The DoS attacks of 2000 showed that the Internet could be brought to its knees by a few determined individuals. For an e-commerce site, where revenue is obtained from online orders or ad impressions displayed, any downtime (when the site is not accessible to customers) can cost the company millions of dollars.

Integrity

Protecting the integrity of data means ensuring that the data has not been modified in any way, whether in transit or in storage. If a company sends payroll data to a processing center over the Internet, how would the payroll department like a zero added to the amount paid to the HR Director while the data is in transit, changing the amount to be paid from $5,000 to $50,000? Or what if a zero is appended to each salary field in the HR database, increasing everyone’s salary by a factor of 10? Integrity protection detects such modifications so that they cannot pass unnoticed.

Confidentiality

Protecting the confidentiality of data means ensuring that only the authorized people have the ability to see the data. Access controls and authorization models help define who can see what, whereas cryptography helps prevent data being seen by tools (such as sniffers) as it travels over public networks.

When most people think about security, they focus on confidentiality. Secrecy is important, but the availability and integrity of data is just as critical. A software company might lose millions of dollars if the source code to its applications is found and leaked to the public. But the company might also lose millions of dollars if it is the victim of a DoS attack, and customers cannot access the Web site to order products. Additionally, if the source code is modified slightly when being transferred from one machine to another, causing the application to crash the system instead of functioning properly, customers will not continue to buy the software, and word will spread quickly about the poor quality of the product.

Security Services and Mechanisms

The ISO developed Document 7498-2, “Information Processing Systems – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture,” to explain security architecture concepts such as security services and security mechanisms.

Security Services

The ISO standard defines several key security services, defined here in Table 4.1, that you will learn more about in later chapters.

Table 4.1: Definitions of security services.

Identification and authentication: Identification is the act of claiming an identity, for example by presenting a user name. Authentication is the process of proving that you are who you say you are, establishing proof of that identity. This can be achieved through passwords, smart cards, biometrics, or a combination thereof.

Access control or authorization: Access controls provide a means of determining who can access which system resources. After a user is authenticated to a system, the defined access controls tell the system where the user can go. For example, ordinary system users should not have access to areas where account passwords are stored; access control services prevent this from occurring.

Data confidentiality: Data confidentiality protects data from being viewed by unauthorized individuals.

Data integrity: Data integrity protects data from being modified, retaining the consistency and original meaning of the information.

Nonrepudiation: Repudiation is the ability of an individual to deny participation in a transaction. If a customer places an order and no nonrepudiation service is built into the system, the customer could deny ever making that purchase. Nonrepudiation services provide a means of proving that a transaction occurred, whether it was an order placed at an online store or an email message sent and received. Digital signatures are one means of providing nonrepudiation.

Confidentiality, integrity, and availability are often combined and referred to as the CIA triad.

Security Mechanisms

ISO 7498-2 also defines security mechanisms. Security mechanisms are technologies, whether software or procedures, that implement one or more security services. The main security mechanisms are defined in Table 4.2.

Table 4.2: Definitions of security mechanisms.

Encryption: Encryption is the process of converting data to a form that is unreadable without the key. This supports security services such as authentication, confidentiality, integrity, and nonrepudiation. Encryption technologies are described in further detail later in this chapter.

Digital signatures: Digital signatures help guarantee the authenticity of data, much as a written signature verifies the authenticity of a paper document. This supports security services such as authentication and nonrepudiation.

Access control: Access control is a process that ensures a person or system has permission to use a requested resource. These controls can be built directly into the operating system, incorporated into applications, or implemented as add-on packages. One example of an access control mechanism is a firewall.

Data integrity checks: Data integrity checks include mechanisms such as parity checks, checksum comparisons, and cryptographic message authentication codes. These checks support the data integrity service and require the sender and receiver to compare check sequences to ensure the data has not been modified. Parity bits and plain checksums detect only accidental corruption: an attacker who changes the data can simply recompute them, so detecting deliberate modification needs a check sequence the attacker cannot reproduce, such as a keyed message authentication code or a digital signature.

Authentication exchange: Authentication exchange is a communication mechanism between a requester and a verifier that assures the verifier of the requester’s identity. This communication can occur between the sender and the receiver in the case of mutual authentication, or between the sender, receiver, and a third party in the case of third-party authentication.

Traffic padding: Traffic padding is a mechanism that disguises data characteristics to provide protection against traffic analysis. This can include padding the data (adding irrelevant and unnecessary data to a message) or sending dummy messages to disguise traffic.
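An added example, not code from the original text, that takes the payroll scenario from the Integrity section above and runs it against two of the integrity-check mechanisms in Table 4.2: an unkeyed checksum (CRC-32) and a keyed message authentication code (HMAC-SHA256). The record format, the shared key and the amounts are constructed for the illustration.

```python
"""Added example: why a plain checksum is not an integrity control against a
deliberate attacker, using the payroll scenario from the text. Not code from
the original; the record format, key and amounts are constructed."""

import hashlib
import hmac
import zlib
from typing import Dict


def payroll_record(employee: str, amount: int) -> bytes:
    return f"employee={employee};amount={amount}".encode()


def checksum(data: bytes) -> int:
    """Unkeyed check sequence (CRC-32): anyone can compute it."""
    return zlib.crc32(data)


def verify_checksum(data: bytes, expected: int) -> bool:
    return checksum(data) == expected


def mac(key: bytes, data: bytes) -> str:
    """Keyed check sequence (HMAC-SHA256): requires the shared secret."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def append_zero(record: bytes) -> bytes:
    """The attack from the text: a zero appended to the amount in transit."""
    head, sep, amount = record.rpartition(b"=")
    return head + sep + amount + b"0"


def flip_bit(record: bytes, index: int = 0) -> bytes:
    """Accidental corruption: one bit flipped by a bad link or disk."""
    corrupted = bytearray(record)
    corrupted[index] ^= 0x01
    return bytes(corrupted)


def run_checks(key: bytes) -> Dict[str, bool]:
    """True means the modification was detected, False means it slipped through."""
    original = payroll_record("hr_director", 5000)
    sum_tag, mac_tag = checksum(original), mac(key, original)

    corrupted = flip_bit(original)
    tampered = append_zero(original)               # amount=50000
    forged_sum = checksum(tampered)                # attacker recomputes the CRC
    forged_mac = mac(b"attacker-guess", tampered)  # attacker lacks the real key

    return {
        "checksum_catches_bit_flip": not verify_checksum(corrupted, sum_tag),
        "mac_catches_bit_flip": not verify_mac(key, corrupted, mac_tag),
        "checksum_catches_tamper_without_forgery": not verify_checksum(tampered, sum_tag),
        "checksum_catches_tamper_with_forgery": not verify_checksum(tampered, forged_sum),
        "mac_catches_tamper_with_forgery": not verify_mac(key, tampered, forged_mac),
    }


if __name__ == "__main__":
    for name, detected in run_checks(b"payroll-shared-secret").items():
        print(f"{name:42s} {'DETECTED' if detected else 'MISSED'}")
```

Both mechanisms catch the accidental bit flip; only the keyed MAC catches the attacker who changes the amount and recomputes the check sequence. Note that a MAC still does not give nonrepudiation: sender and receiver share the same key, so either could have produced the tag. Proving which party produced the record is the job of a digital signature, which uses a key only the signer holds.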

Specific vs. Pervasive Mechanisms

As defined by ISO, a security mechanism can be specific or pervasive. A specific security mechanism is incorporated to provide one particular security service. One example is encryption: although encryption can underpin the confidentiality, integrity, and nonrepudiation services, each of those services requires its own specific mechanism built on it (for example, a data integrity check or a digital signature).

A pervasive security mechanism is not specific to any single service and supports several at once. Pervasive mechanisms are often procedural rather than technical. Examples include event (incident) detection, response and recovery procedures, and security audit trails.

Protection Mechanisms

Protection mechanisms are used in coding or database development to further protect data and resources. These mechanisms are required for higher-level government certification.

Layering

The concept of layering is required at TCSEC class B3 and above and requires that:

·         Layers know about the interfaces and depend on the services of layers below, but know nothing about—and do not depend on—the correct functioning of the layers above.

·         Each layer is protected from tampering by the layers above.

·         Layers cannot violate the portions of the security policy enforced by the layers below.

Layering not only facilitates the verification of the correctness of the application by allowing examination of one layer at a time, but it also simplifies future changes by allowing the higher layers to be modified (or perhaps even “chopped off” and replaced) for new releases without the need to redesign the lower layers.

Data Abstraction

Data abstraction is a fundamental premise of object-oriented programming. It is the process of defining user types and using those types only through a set of interface operations instead of directly manipulating their representations. Data abstraction is also required at TCSEC class B3 and above. For example, a design might make use of a stack object with the operations PUSH and POP, so that the use of the stack is easier to understand than if the design described an array of words, a pointer, and the algorithms used to temporarily store words in the array.

Change Control and Management

Change control and management deals with the processes and procedures to properly approve, migrate, and deploy changes to applications, servers, network infrastructure, or any other critical function. Without change control, developers and programmers could create small programs that delete data, transfer funds, cause computation errors, and so forth. Proper change control procedures help minimize this risk by ensuring that only agreed-upon and approved changes are migrated to the production environment.

Best practice change control procedures should include the following:

1.      Request for change should be documented on a standard change request form.

2.      The form should then be submitted to the information systems department, where further information on the request, such as estimated completion time and cost, is added.

3.      Change specifications should then be approved in advance by a supervisor.

4.      Source or object code changes should be reviewed by a supervisor or quality assurance group in a testing area before being migrated to production.

Information/Data

For the exam, information/data focuses on information valuation. In general, when valuing information, you focus on how much it would cost to replace the lost data, often referred to as cost-of-loss modeling.

In cost-of-loss modeling, assets may have one or more of the following properties: substance, confidentiality, integrity, and service potential. The value of these properties can be determined by looking at the effect of adverse impacts such as deprivation, disclosure, modification, and unavailability.

There are at least six cost-of-loss models. The first four address consequences of adverse events. The other two models focus on transferring responsibility to another party or claiming that any amount of risk is unacceptable, so the cost-of-loss model is useless. The models are:

·         Replacement model—Addresses deprivation.

·         Repair model—Addresses restoration of system integrity eroded by unwanted modification.

·         Compromise model—Addresses unauthorized disclosure of sensitive information and is highly speculative.

·         Service model—Addresses the unavailability of system resources. Assigns a cost-per-unit time to the various services delivered by or to the system.

·         Transference model—Deals with risk as transferred to another party, usually an insurance company.

·         Catastrophe model—Any risk of catastrophic loss is unacceptable and cost-benefit analysis has no real role. If you cannot tolerate any loss, then you will take all necessary measures, regardless of cost.

Employment Policies and Practices

The employees (and people in general) are the weakest link in the security chain. After hiring strong, dependable people, security awareness training is the next step. The three components of a good employee security awareness program are:

·         Framework—Appropriate organization structure, the requisite job descriptions, and lines of authority that provide for clear definitions of responsibilities and authority.

·         Hiring practices—Performing background checks and completely understanding the person being hired.

·         Education operations—Keeping employees informed and aware of security issues and their role in the security process.

Employee policies and practices help protect the organization from the following threats:

·         Theft (outright removal of an asset of the company by an employee)

·         Fraud (an employee obtaining assets of the organization through intentional misrepresentation or misapplication of information)

·         Misuse of information (an employee releasing sensitive data to the public)

·         Sabotage (an employee intentionally deleting or modifying data)

·         Rule disobedience (an employee ignoring security policies)

·         Physical accidents (an employee spilling a drink on a system, for example)

·         Emergencies (an employee having an accident, causing a fire, finding a break-in, and so on)

Although it is virtually impossible for an organization to be completely immune to fraud, the only way it should be susceptible to fraud is through the collusion of two or more individuals. If two or more individuals are working together, fraud is much harder to detect. By defining the organizational structure along functional lines, it is possible to prevent employees from entering areas where they do not belong; this is the standard separation of duties concept. Note, however, that organizational structure helps only against deliberate breaches such as theft, fraud, sabotage, and misuse of information; it does nothing against accidents or emergencies.

A few organizational/functional structures that should be in place include:

·         Segregating systems analysis and programming functions

·         Segregating the systems development function from the systems maintenance

·         Segregating the software maintenance organization from the operations functions

·         Segregating the operations control functions from development activities

·         Rotating software maintenance and computer operations personnel within their own areas

·         Ensuring that family relationships do not exist between employees in sensitive components of the organization
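An added example of how the segregations listed above can be enforced in software rather than left to organization charts; it is not code from the original text. It models a change-control workflow in which a change must be written, reviewed, and migrated to production by three different people, and refuses any role assignment that puts conflicting duties on one person. The duty names, role assignments and change identifiers are assumptions made for the illustration.

```python
"""Added example: enforcing the segregations listed above in a change-control
workflow, so that no single person can write, approve and deploy a change.
Not code from the original text; role names and duty names are assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class SeparationOfDutiesError(Exception):
    pass


# Pairs of duties one person must never hold at the same time (from the list above).
CONFLICTING_DUTIES: List[Set[str]] = [
    {"systems_analysis", "programming"},
    {"development", "maintenance"},
    {"maintenance", "operations"},
    {"operations", "development"},
]


@dataclass
class Change:
    change_id: str
    author: str
    reviewer: Optional[str] = None
    deployer: Optional[str] = None


class ChangeControl:
    def __init__(self, roles: Dict[str, Set[str]]):
        # Reject any assignment that puts conflicting duties on one person.
        for user, duties in roles.items():
            for pair in CONFLICTING_DUTIES:
                if pair <= duties:
                    raise SeparationOfDutiesError(
                        f"{user} holds conflicting duties {sorted(pair)}")
        self.roles = roles

    def _require(self, user: str, duty: str) -> None:
        if duty not in self.roles.get(user, set()):
            raise SeparationOfDutiesError(f"{user} is not assigned the duty {duty!r}")

    def submit(self, change_id: str, author: str) -> Change:
        """Only development staff may originate a change."""
        self._require(author, "development")
        return Change(change_id, author)

    def review(self, change: Change, reviewer: str) -> Change:
        """Review by quality assurance, never by the author (two-person rule)."""
        self._require(reviewer, "quality_assurance")
        if reviewer == change.author:
            raise SeparationOfDutiesError("author may not review their own change")
        change.reviewer = reviewer
        return change

    def deploy(self, change: Change, deployer: str) -> Change:
        """Migration to production by operations only, after review, and by a
        third person, so that fraud needs the collusion of several people."""
        self._require(deployer, "operations")
        if change.reviewer is None:
            raise SeparationOfDutiesError("change has not been reviewed")
        if deployer in (change.author, change.reviewer):
            raise SeparationOfDutiesError("deployer must not be the author or reviewer")
        change.deployer = deployer
        return change


if __name__ == "__main__":
    cc = ChangeControl({"dev1": {"development"}, "qa1": {"quality_assurance"},
                        "ops1": {"operations"}})
    change = cc.deploy(cc.review(cc.submit("CR-1", "dev1"), "qa1"), "ops1")
    print(change)
```

The checks in `review` and `deploy` are what turn the organizational principle into something testable: a program that deletes data or transfers funds cannot reach production unless at least three separately assigned people have each signed off on it.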

The optimum corporate security structure to achieve maximum security levels would involve three independent groups:

·         Corporate security chief

·         Internal auditor

·         EDP security officer

Hiring Practices

Hiring practices are an important part of the employment process. At a minimum, employers should perform reference checks and security background checks. For reference checks, the information to review with the references, beyond work competence, includes the candidate’s habits, honesty, and educational record.

Background checks should look into the following areas:

·         Special checks (check all available public records to determine whether the employee has any negative elements on his or her record)

·         Military records

·         Law enforcement records

·         Drug testing

·         Lie detector tests (seldom used except for highly sensitive security positions); illegal in some states

·         Educational records

When an employee is terminated, all access should be revoked immediately (ideally at the moment of notification), and the employee should not be allowed to return to the work area unless accompanied by a manager or security guard. The organization should have a termination checklist to follow.

Employee Relationships

Care should be taken by an organization to make sure that its relationship with its employees is maintained at a reasonable level. The entire work force is generally loyal to the employing organization, and employee morale is a significant factor in the organization’s security. Compensatory time, bonuses, and recognition of accomplishments are some of the tools available to management to maintain morale.

Operations

Company operations also have specific security policies and procedures that should be in place to ensure maximum security. One of the main processes that should be in place is job rotation, which helps prevent one employee from being in total control of a specific area. If job rotation is not possible, employees in sensitive areas should be required to take extended vacations on contiguous days, so that someone else performs their duties long enough for any irregularities to surface.

Access control is also an important area for operations. Each employee should have an ID card, and access to sensitive areas should be strictly controlled.

As always, continuous observation of the employees and their behavior is necessary.

Policies, Standards, Guidelines, and Procedures

A policy is a broad statement of management’s views and position regarding a particular topic. Policies designate the computer security function as management’s representation for ensuring that the appropriate protective steps are taken. The policy statement might conclude with a caveat that those who fail to comply may face sanctions. Policies must be both enforced and reinforced by standards, guidelines, and procedures.

Standards (or corporate standards) are mandatory activities, actions, rules, or regulations designed to give policies the support, structure, and specific direction they require to be meaningful and effective. For example, a standard may state that only authorized personnel can access a given class of data, or that the data must be backed up and stored off-site.

Guidelines are more general statements that are also designed to achieve the policy’s objectives by providing a framework within which to implement procedures. Standards connote specific, mandatory activities, actions, and rules, while guidelines contain more general approaches and flexible parameters within which to operate.

Procedures spell out the specifics of how the policy and the supportive standards and guidelines will actually be implemented in an operating environment. Active management support is critical to successfully implement computer security programs.

Risk Management

Risk management is the process of establishing and maintaining information technology security within an organization. Risk analysis is the means by which threats to systems are identified and assessed to justify security safeguards. Risk is the probability that a threat agent (cause) will exploit a system vulnerability (weaknesses) and thereby create an effect detrimental to the system.

Several types of risk exist. Inherent risk exists in all situations and does not take into account existing safeguards. Present risk currently exists and does take existing safeguards into account. Residual risk is what is left after all mitigating factors are implemented. It takes both existing and recommended safeguards into account.

Cost-Benefit Analysis

Although mitigating risk is important, the solution to mitigating the risk should not cost more than it would to replace the data or resource. The annualized cost of safeguards to defend against threats or to shield assets, or both, is compared with the expected cost of loss.

To perform the cost-benefit analysis, you need to understand the properties of threats that you can encounter, which include the likelihood of the threat, the number of times a year a particular threat can occur, the severity of the threat, and its consequences.

The value of an asset is either its cost (quantitative value) or its importance (qualitative value) to an organization. Irrespective of their value to an organization, some assets are more prone to loss than others. Exposure of an asset may justify spending more for safeguards than the cost of the asset would indicate in a cost- benefit analysis.

Risk Safeguards

There are several ways to reduce risk. Risk avoidance is the safest; it simply requires you to avoid any scenario that would introduce the risk. Even though this is the safest way, it is certainly not the most practical. Risk transference transfers the risk to other parties, such as insurance companies. Most commonly, you mitigate the risk by implementing security controls, policies, and procedures.

When selecting safeguards, you need to be aware of any constraints that may affect the selection of a safeguard. Time constraints can occur that specify the time in which a solution can be selected or specify how a safeguard can affect processing time once implemented. Financial constraints are often encountered. Return on Investment (ROI) calculations are one of the standard measurements for information security controls selection. You can also encounter technical constraints, sociological constraints, environmental constraints, and legal constraints.

Roles and Responsibilities

Each employee, regardless of position or title, should have specific roles and responsibilities that are clearly defined and documented. As part of this documentation, security roles should be included.

Security awareness should also be included in the roles and responsibilities discussion. For senior management, security awareness is brief, but focused. For line management, more detailed coverage of standards, guidelines, and procedures should be discussed. Departmental security representatives and coordinators should be selected and made aware of specific policies, standards, guidelines, and procedures for their group.

Practice Questions

Question 1

Which of the following concepts ensures that data and resources are accessible when they need to be?

a.       Confidentiality

b.      Integrity

c.       Availability

d.      Authorization

Answer c is correct. Availability ensures data and resources are accessible when they need to be. Answer a is incorrect because confidentiality protects data from being viewed by unauthorized individuals. Answer b is incorrect because integrity protects data from being modified, retaining the consistency and original meaning of the information. Answer d is incorrect because authorization provides a means of determining who can access which system resources.

Question 2

Providing a means of determining who can access which system resources describes which of the following concepts?

a.       Confidentiality

b.      Integrity

c.       Availability

d.      Authorization

Answer d is correct. Authorization provides a means of determining who can access which system resources. Answer a is incorrect because confidentiality protects data from being viewed by unauthorized individuals. Answer b is incorrect because integrity protects data from being modified, retaining the consistency and original meaning of the information. Answer c is incorrect because availability ensures data and resources are accessible when they need to be.

Question 3

Protecting data from being viewed by unauthorized individuals describes which of the following concepts?

a.       Confidentiality

b.      Integrity

c.       Availability

d.      Authorization

Answer a is correct. Confidentiality protects data from being viewed by unauthorized individuals. Answer b is incorrect because integrity protects data from being modified, retaining the consistency and original meaning of the information. Answer c is incorrect because availability ensures data and resources are accessible when they need to be. Answer d is incorrect because authorization provides a means of determining who can access which system resources.

Question 4

Confidentiality, integrity, and availability constitute which of the following?

a.       Accountability

b.      Nonrepudiation

c.       Audit

d.      CIA triad

Answer d is correct. Confidentiality, integrity, and availability constitute what is known as the CIA triad. Accountability, nonrepudiation, and audit are not part of the CIA triad. Answer a is incorrect because accountability binds an action to a specific individual. Answer b is incorrect because nonrepudiation keeps an individual from denying that a transaction took place. Answer c is incorrect because audit is the process of analyzing and reviewing configurations, policies, procedures, and so on.

Question 5

Which of the following concepts describes binding an action to a specific individual?

a.       Accountability

b.      Nonrepudiation

c.       Audit

d.      CIA triad

Answer a is correct. Accountability binds an action to a specific individual. Answer b is incorrect because nonrepudiation keeps an individual from denying that a transaction took place. Answer c is incorrect because audit is the process of analyzing and reviewing configurations, policies, procedures, and so on. Answer d is incorrect because the CIA triad is a combination of confidentiality, integrity, and availability.

Question 6

Keeping an individual from denying that a transaction took place describes which of the following concepts?

a.       Accountability

b.      Nonrepudiation

c.       Audit

d.      CIA triad

Answer b is correct. Nonrepudiation keeps an individual from denying that a transaction took place. Answer a is incorrect because accountability binds an action to a specific individual. Answer c is incorrect because audit is the process of analyzing and reviewing configurations, policies, procedures, and so on. Answer d is incorrect because the CIA triad is the combination of confidentiality, integrity, and availability.

Question 7

Which of the following is not ideal in an effective change control program?

a.       Change requests must be formally documented.

b.      All changes must be approved.

c.       Programmer moves code directly to production.

d.      Code is approved before being migrated to production.

Answer c is correct. A programmer moving code directly to production has no place in an effective change control program. Answers a, b, and d are incorrect because they are all effective change control procedures.

Question 8

What should you not do after dismissing an employee?

a.       Escort him out the door

b.      Let him return to his desk unsupervised

c.       Disable all accounts and logons

d.      Follow the termination checklist

Answer b is correct. After dismissing an employee, you should not let him return to his desk unsupervised. Answers a, c, and d are all steps of an effective termination policy.

Question 9

A(n) _________ can assist only in the prevention of deliberate breaches of security such as theft, fraud, sabotage, and misuse.

a.       Organization structure

b.      Encapsulation

c.       Training program

d.      Change control

Answer a is correct. An organization’s structure can assist only in the prevention of deliberate breaches of security such as theft, fraud, sabotage, and misuse. Answers b, c, and d are incorrect because encapsulation, training programs, and change control all help prevent other security breaches in addition to theft, fraud, sabotage, and misuse.

Question 10

Security awareness programs cannot:

a.       Make employees aware of issues

b.      Show them the proper procedures to follow

c.       Enforce security policy

d.      Make them aware of risks

Answer c is correct. Awareness programs help educate, but they cannot enforce security policy. Answers a, b, and d are thus incorrect.


Chapter 1: Security Management

Overview

This chapter is supplemental to and coordinated with the Security Management chapter in the CISSP Prep Guide. The fundamentals of security management are covered in Chapter 1 of the CISSP Prep Guide at a level on par with that of the CISSP Examination.

It is assumed that the reader has a basic knowledge of the material contained in Chapter 1 and has the CISSP Prep Guide available to provide background information for the advanced questions pertaining to the Security Management chapter.

In the Security Management question areas, we will discuss data classification, security awareness, risk analysis, information system policies, and roles in information protection.

Advanced Sample Questions

1. 

Which choice below most accurately reflects the goals of risk mitigation?

a.       Defining the acceptable level of risk the organization can tolerate, and reducing risk to that level

b.      Analyzing and removing all vulnerabilities and threats to security within the organization

c.       Defining the acceptable level of risk the organization can tolerate, and assigning any costs associated with loss or disruption to a third party, such as an insurance carrier

d.      Analyzing the effects of a business disruption and preparing the company's response

Answer: a. The goal of risk mitigation is to reduce risk to a level acceptable to the organization. Therefore, risk needs to be defined for the organization through risk analysis, business impact assessment, and/or vulnerability assessment. Answer b is not possible. Answer c is called risk transference. Answer d is a distracter.

2. 

Which answer below is the BEST description of a Single Loss Expectancy (SLE)?

a.       An algorithm that represents the magnitude of a loss to an asset from a threat

b.      An algorithm that expresses the annual frequency with which a threat is expected to occur

c.       An algorithm used to determine the monetary impact of each occurrence of a threat

d.      An algorithm that determines the expected annual loss to an organization from a threat

Answer: c. The Single Loss Expectancy (or Exposure) figure may be created as a result of a Business Impact Assessment (BIA). The SLE represents only the estimated monetary loss of a single occurrence of a specified threat event. The SLE is determined by multiplying the value of the asset by its exposure factor. This gives the expected loss the threat will cause for one occurrence. Answer a describes the Exposure Factor (EF). The EF is expressed as a percentile of the expected value or functionality of the asset to be lost due to the realized threat event. This figure is used to calculate the SLE, above. Answer b describes the Annualized Rate of Occurrence (ARO). This is an estimate of how often a given threat event may occur annually. For example, a threat expected to occur weekly would have an ARO of 52. A threat expected to occur once every five years has an ARO of 1/5 or 0.2. This figure is used to determine the ALE. Answer d describes the Annualized Loss Expectancy (ALE). The ALE is derived by multiplying the SLE by its ARO. This value represents the expected risk factor of an annual threat event. This figure is then integrated into the risk management process.

3. 

Which choice below is the BEST description of an Annualized Loss Expectancy (ALE)?

a.       The expected risk factor of an annual threat event, derived by multiplying the SLE by its ARO

b.      An estimate of how often a given threat event may occur annually

c.       The percentile of the value of the asset expected to be lost, used to calculate the SLE

d.      A value determined by multiplying the value of the asset by its exposure factor

Answer: a. Answer b describes the Annualized Rate of Occurrence (ARO). Answer c describes the Exposure Factor (EF). Answer d describes the algorithm to determine the Single Loss Expectancy (SLE) of a threat.
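The SLE, EF, ARO and ALE relationships from questions 2 and 3, carried through in code as an added example. This is not code from the CISSP Prep Guide or from NIST: the threat names and money figures are constructed, and the safeguard cost/benefit function at the end goes beyond the page's own formulas. It is the standard extension that compares the ALE reduction a control buys against the control's annual cost, and is included here as an assumption.

```python
# Added example (not from the CISSP Prep Guide): worked risk-analysis arithmetic
# for SLE, EF, ARO and ALE as defined in the answers above, plus a safeguard
# cost/benefit comparison (assumed standard extension, not stated on the page).

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat event against one asset, with the inputs risk analysis needs."""
    name: str
    asset_value: float       # AV: monetary value of the asset (constructed figures below)
    exposure_factor: float   # EF: fraction of AV lost per occurrence, 0.0..1.0
    aro: float               # ARO: expected occurrences per year


def exposure_factor_from_percent(percent: float) -> float:
    """EF is usually stated as a percentile; convert 30 (%) to the fraction 0.30."""
    if not 0.0 <= percent <= 100.0:
        raise ValueError("exposure factor must be between 0% and 100%")
    return percent / 100.0


def aro_from_interval_years(years_between_occurrences: float) -> float:
    """ARO for a threat expected once every N years, e.g. every 5 years -> 0.2."""
    if years_between_occurrences <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_occurrences


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: monetary loss from a single occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected loss per year from the threat."""
    return sle * aro


def threat_ale(threat: Threat) -> float:
    """ALE for one Threat record, chaining the two formulas above."""
    sle = single_loss_expectancy(threat.asset_value, threat.exposure_factor)
    return annualized_loss_expectancy(sle, threat.aro)


def rank_by_ale(threats):
    """Order threats by ALE, highest first: the list a risk manager treats first."""
    return sorted(threats, key=threat_ale, reverse=True)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual value of a safeguard = ALE reduction minus its annualised cost.
    Assumption: standard risk-management extension, not a formula on the page."""
    return (ale_before - ale_after) - annual_cost


# Constructed sample figures, not data from the page.
SAMPLE_THREATS = [
    Threat("laptop theft", asset_value=4_000, exposure_factor=1.0, aro=2.0),
    Threat("ransomware on file server", asset_value=500_000,
           exposure_factor=exposure_factor_from_percent(30),
           aro=aro_from_interval_years(5)),          # once every five years -> 0.2
    Threat("phishing credential loss", asset_value=20_000,
           exposure_factor=0.05, aro=52.0),          # expected weekly -> 52
]

if __name__ == "__main__":
    for t in rank_by_ale(SAMPLE_THREATS):
        sle = single_loss_expectancy(t.asset_value, t.exposure_factor)
        print(f"{t.name:<28} SLE={sle:>10,.2f} ARO={t.aro:>6.2f} ALE={threat_ale(t):>10,.2f}")
    # Does a mail filter that cuts the phishing ARO from 52 to 4 per year
    # justify a (constructed) annual cost of 10,000?
    before = threat_ale(SAMPLE_THREATS[2])
    after = annualized_loss_expectancy(single_loss_expectancy(20_000, 0.05), 4.0)
    print("phishing filter annual value:", safeguard_value(before, after, 10_000))
```

The ranking is the point: the weekly, low-impact phishing loss outranks the rare, high-impact ransomware event once both are annualised, which is exactly why ALE rather than SLE is the figure fed into the risk management process.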

4. 

Which choice below is NOT an example of appropriate security management practice?

a.       Reviewing access logs for unauthorized behavior

b.      Monitoring employee performance in the workplace

c.       Researching information on new intrusion exploits

d.      Promoting and implementing security awareness programs

Answer: b. Monitoring employee performance is not an example of security management, nor a job function of the Information Security Officer. Employee performance issues are the domain of human resources and the employee's manager. The other three choices are appropriate practice for the information security area.

5. 

Which choice below is an accurate statement about standards?

a.       Standards are the high-level statements made by senior management in support of information systems security.

b.      Standards are the first element created in an effective security policy program.

c.       Standards are used to describe how policies will be implemented within an organization.

d.      Standards are senior management's directives to create a computer security program.

Answer: c. Answers a, b, and d describe policies. Guidelines, standards, and procedures often accompany policy, but always follow senior-level management's statement of policy. Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization. Simply put, the three break down as follows:

* Standards specify the use of specific technologies in a uniform way (for example, the standardization of operating procedures).
* Guidelines are similar to standards but are recommended actions.
* Procedures are the detailed steps that must be performed for any task.

6. 

Which choice below is a role of the Information Systems Security Officer?

a.       The ISO establishes the overall goals of the organization's computer security program.

b.      The ISO is responsible for day-to-day security administration.

c.       The ISO is responsible for examining systems to see whether they are meeting stated security requirements.

d.      The ISO is responsible for following security procedures and reporting security problems.

Answer: b. Answer a is a responsibility of senior management. Answer c is a description of the role of auditing. Answer d is the role of the user, or consumer, of security in an organization.

7. 

Which statement below is NOT true about security awareness, training, and educational programs?

a.       Awareness and training help users become more accountable for their actions.

b.      Security education assists management in determining who should be promoted.

c.       Security improves the users' awareness of the need to protect information resources.

d.      Security education assists management in developing the in-house expertise to manage security programs.

Answer: b. The purpose of computer security awareness, training, and education is to enhance security by:

* Improving awareness of the need to protect system resources
* Developing skills and knowledge so computer users can perform their jobs more securely
* Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability, because without knowledge of the necessary security measures and how to use them, users cannot be truly accountable for their actions. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.

8. 

Which choice below is NOT an accurate description of an information policy?

a.       Information policy is senior management's directive to create a computer security program.

b.      An information policy could be a decision pertaining to use of the organization's fax.

c.       Information policy is a documentation of computer security decisions.

d.      Information policies are created after the system's infrastructure has been designed and built.

Answer: d. Computer security policy is often defined as the "documentation of computer security decisions." The term "policy" has more than one meaning. Policy is senior management's directive to create a computer security program, establish its goals, and assign responsibilities. The term "policy" is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy. A security policy is an important document to develop while designing an information system, early in the System Development Life Cycle (SDLC). The security policy begins with the organization's basic commitment to information security formulated as a general policy statement. The policy is then applied to all aspects of the system design or security solution. Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security).

9. 

Which choice below MOST accurately describes the organization's responsibilities during an unfriendly termination?

a.       System access should be removed as quickly as possible after termination.

b.      The employee should be given time to remove whatever files he needs from the network.

c.       Cryptographic keys can remain the employee's property.

d.      Physical removal from the offices would never be necessary.

Answer: a. Friendly terminations should be accomplished by implementing a standard set of procedures for outgoing or transferring employees. This normally includes:

* Removal of access privileges, computer accounts, and authentication tokens.
* The control of keys.
* The briefing on the continuing responsibilities for confidentiality and privacy.
* Return of property.
* Continued availability of data. In both the manual and the electronic worlds this may involve documenting procedures or filing schemes, such as how documents are stored on the hard disk and how they are backed up. Employees should be instructed whether or not to "clean up" their PC before leaving.
* If cryptography is used to protect data, the availability of cryptographic keys to management personnel must be ensured.

Given the potential for adverse consequences during an unfriendly termination, organizations should do the following:

* System access should be terminated as quickly as possible when an employee is leaving a position under less-than-friendly terms. If employees are to be fired, system access should be removed at the same time (or just before) the employees are notified of their dismissal.
* When an employee notifies an organization of the resignation and it can be reasonably expected that it is on unfriendly terms, system access should be immediately terminated.
* During the "notice of termination" period, it may be necessary to assign the individual to a restricted area and function. This may be particularly true for employees capable of changing programs or modifying the system or applications.
* In some cases, physical removal from the offices may be necessary.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

10. 

Which choice below is NOT an example of an issue-specific policy?

a.       E-mail privacy policy

b.      Virus-checking disk policy

c.       Defined router ACLs

d.      Unfriendly employee termination policy

Answer: c. Answer c is an example of a system-specific policy, in this case the router's access control lists. The other three answers are examples of issue-specific policy, as defined by NIST. Issue-specific policies are similar to program policies, in that they are not technically focused. While program policy is traditionally more general and strategic (the organization's computer security program, for example), issue-specific policy is a nontechnical policy addressing a single or specific issue of concern to the organization, such as the procedural guidelines for checking disks brought to work or e-mail privacy concerns. System-specific policy is technically focused and addresses only one computer system or device type. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.

11. 

Who has the final responsibility for the preservation of the organization's information?

a.       Technology providers

b.      Senior management

c.       Users

d.      Application owners

Answer: b. Various officials and organizational offices are typically involved with computer security. They include the following groups:

* Senior management
* Program/functional managers/application owners
* Computer security management
* Technology providers
* Supporting organizations
* Users

Senior management has the final responsibility, through due care and due diligence, to preserve the capital of the organization and further its business model through the implementation of a security program. While senior management does not have the functional role of managing security procedures, it has the ultimate responsibility to see that business continuity is preserved.

12. 

Which choice below is NOT a generally accepted benefit of security awareness, training, and education?

a.       A security awareness program can help operators understand the value of the information.

b.      A security education program can help system administrators recognize unauthorized intrusion attempts.

c.       A security awareness and training program will help prevent natural disasters from occurring.

d.      A security awareness and training program can help an organization reduce the number and severity of errors and omissions.

Answer: c. An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation. In general, a computer security awareness and training program should encompass the following seven steps:

1. Identify program scope, goals, and objectives.
2. Identify training staff.
3. Identify target audiences.
4. Motivate management and employees.
5. Administer the program.
6. Maintain the program.
7. Evaluate the program.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

13. 

Which choice below is NOT a common information-gathering technique when performing a risk analysis?

a.       Distributing a questionnaire

b.      Employing automated risk assessment tools

c.       Reviewing existing policy documents

d.      Interviewing terminated employees

Answer: d. Any combination of the following techniques can be used in gathering information relevant to the IT system within its operational boundary:

* Questionnaire. The questionnaire should be distributed to the applicable technical and nontechnical management personnel who are designing or supporting the IT system.
* On-site interviews. On-site visits also allow risk assessment personnel to observe and gather information about the physical, environmental, and operational security of the IT system.
* Document review. Policy documents, system documentation, and security-related documentation can provide good information about the security controls used by and planned for the IT system.
* Use of automated scanning tools. Proactive technical methods can be used to collect system information efficiently.

Source: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.

14. 

Which choice below is an incorrect description of a control?

a.       Detective controls discover attacks and trigger preventative or corrective controls.

b.      Corrective controls reduce the likelihood of a deliberate attack.

c.       Corrective controls reduce the effect of an attack.

d.      Controls are the countermeasures for vulnerabilities.

Answer: b. Controls are the countermeasures for vulnerabilities. There are many kinds, but generally they are categorized into four types:

* Deterrent controls reduce the likelihood of a deliberate attack.
* Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact. Preventative controls inhibit attempts to violate security policy.
* Corrective controls reduce the effect of an attack.
* Detective controls discover attacks and trigger preventative or corrective controls. Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums.

Source: Introduction to Risk Analysis, C & A Security Risk Analysis Group, and NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.

15. 

Which statement below is accurate about the reasons to implement a layered security architecture?

a.       A layered security approach is not necessary when using COTS products.

b.      A good packet-filtering router will eliminate the need to implement a layered security architecture.

c.       A layered security approach is intended to increase the work-factor for an attacker.

d.      A layered approach doesn't really improve the security posture of the organization.

Answer: c. Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combines to increase the work-factor an attacker must expend to successfully attack the system. The need for layered protections is important when commercial-off-the-shelf (COTS) products are used. The current state of the art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in levels, requiring additional work by attackers to accomplish their goals. Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security).

16. 

Which choice below represents an application or system demonstrating a need for a high level of confidentiality protection and controls?

a.       Unavailability of the system could result in inability to meet payroll obligations and could cause work stoppage and failure of user organizations to meet critical mission requirements. The system requires 24-hour access.

b.      The application contains proprietary business information and other financial information, which if disclosed to unauthorized sources, could cause an unfair advantage for vendors, contractors, or individuals and could result in financial loss or adverse legal action to user organizations.

c.       Destruction of the information would require significant expenditures of time and effort to replace. Although corrupted information would present an inconvenience to the staff, most information, and all vital information, is either backed up by paper documentation or on disk.

d.      The mission of this system is to produce local weather forecast information that is made available to the news media forecasters and the general public at all times. None of the information requires protection against disclosure.

Answer: b. Although elements of all of the systems described could require specific controls for confidentiality, given the descriptions above, system b fits the definition of a system requiring a very high level of confidentiality most closely. Answer a is an example of a system requiring high availability. Answer c is an example of a system that requires medium integrity controls. Answer d is a system that requires only a low level of confidentiality. A system may need protection for one or more of the following reasons:

* Confidentiality. The system contains information that requires protection from unauthorized disclosure.
* Integrity. The system contains information that must be protected from unauthorized, unanticipated, or unintentional modification.
* Availability. The system contains information or provides services which must be available on a timely basis to meet mission requirements or to avoid substantial losses.

Source: NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.

17. 

Which choice below is an accurate statement about the difference between monitoring and auditing?

a.       Monitoring is a one-time event to evaluate security.

b.      A system audit is an ongoing "real-time" activity that examines a system.

c.       A system audit cannot be automated.

d.      Monitoring is an ongoing activity that examines either the system or the users.

Answer: d. System audits and monitoring are the two methods organizations use to maintain operational assurance. Although the terms are used loosely within the computer security community, a system audit is a one-time or periodic event to evaluate security, whereas monitoring refers to an ongoing activity that examines either the system or the users. In general, the more "real-time" an activity is, the more it falls into the category of monitoring. Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

18. 

Which statement below is accurate about the difference between issue-specific and system-specific policies?

a.       Issue-specific policy is much more technically focused.

b.      System-specific policy is much more technically focused.

c.       System-specific policy is similar to program policy.

d.      Issue-specific policy commonly addresses only one system.

Answer: b. Often, managerial computer system security policies are categorized into three basic types:

* Program policy: used to create an organization's computer security program
* Issue-specific policies: used to address specific issues of concern to the organization
* System-specific policies: technical directives taken by management to protect a particular system

Program policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organization. However, they do not provide sufficient information or direction, for example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policy fills this need. System-specific policy is much more focused, since it addresses only one system. Table A.1 helps illustrate the difference between these three types of policies.

Table A.1: Security Policy Types

POLICY TYPE              DESCRIPTION                  EXAMPLE
Program policy           High-level program policy    Senior-level management statement
Issue-specific policy    Addresses a single issue     E-mail privacy policy
System-specific policy   Single-system directives     Router access control lists

Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.

19. 

Which statement below MOST accurately describes the difference between security awareness, security training, and security education?

a.       Security training teaches the skills that will help employees to perform their jobs more securely.

b.      Security education is required for all system operators.

c.       Security awareness is not necessary for high-level senior executives.

d.      Security training is more in depth than security education.

Answer: a. Awareness is used to reinforce the fact that security supports the mission of the organization by protecting valuable resources. The purpose of training is to teach people the skills that will enable them to perform their jobs more securely. Security education is more in depth than security training and is targeted at security professionals and those whose jobs require expertise in security. Management commitment is necessary because of the resources used in developing and implementing the program and also because the program affects their staff. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.

20. 

Which choice below BEST describes the difference between the System Owner and the Information Owner?

a.       There is a one-to-one relationship between system owners and information owners.

b.      One system could have multiple information owners.

c.       The Information Owner is responsible for defining the system's operating parameters.

d.      The System Owner is responsible for establishing the rules for appropriate use of the information.

Answer: b. The System Owner is responsible for ensuring that the security plan is prepared and for implementing the plan and monitoring its effectiveness. The System Owner is responsible for defining the system's operating parameters, authorized functions, and security requirements. The Information Owner for information stored within, processed by, or transmitted by a system may or may not be the same as the System Owner. Also, a single system may utilize information from multiple Information Owners. The Information Owner is responsible for establishing the rules for appropriate use and protection of the subject data/information (rules of behavior). The Information Owner retains that responsibility even when the data/information are shared with other organizations. Source: NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.

21. 

Which choice below is NOT an accurate statement about an organization's incident-handling capability?

a.       The organization's incident-handling capability should be used to detect and punish senior-level executive wrong-doing.

b.      It should be used to prevent future damage from incidents.

c.       It should be used to provide the ability to respond quickly and effectively to an incident.

d.      The organization's incident-handling capability should be used to contain and repair damage done from incidents.

Answer: a. An organization should address computer security incidents by developing an incident-handling capability. The incident-handling capability should be used to:

* Provide the ability to respond quickly and effectively.
* Contain and repair the damage from incidents. When left unchecked, malicious software can significantly harm an organization's computing, depending on the technology and its connectivity. Containing the incident should include an assessment of whether the incident is part of a targeted attack on the organization or an isolated incident.
* Prevent future damage. An incident-handling capability should assist an organization in preventing (or at least minimizing) damage from future incidents. Incidents can be studied internally to gain a better understanding of the organization's threats and vulnerabilities.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

22. 

Place the data classification scheme in order, from the least secure to the most:

a.       Sensitive

b.      Public

c.       Private

d.      Confidential

Answer: b, c, a, and d. Various formats for categorizing the sensitivity of data exist. Although originally implemented in government systems, data classification is very useful in determining the sensitivity of business information to threats to confidentiality, integrity, or availability. Often an organization will use the high, medium, or low categories. This simple classification scheme rates each system by its need for protection based upon its C.I.A. needs, and whether it requires high, medium, or low protective controls. For example, a system and its information may require a high degree of integrity and availability, yet have no need for confidentiality. Table A.2 shows a sample H/M/L data classification for sensitive information.

Table A.2: A Sample H/M/L Data Classification

CATEGORY   DESCRIPTION
High       Could cause loss of life, imprisonment, major financial loss, or require legal action for correction if the information is compromised.
Medium     Could cause significant financial loss or require legal action for correction if the information is compromised.
Low        Would cause only minor financial loss or require only administrative action for correction if the information is compromised.

Alternatively, organizations may categorize data into four sensitivity classifications with separate handling requirements, such as Sensitive, Confidential, Private, and Public. This system would define the categories as follows:

* Sensitive. This classification applies to information that requires special precautions to assure the integrity of the information, by protecting it from unauthorized modification or deletion. It is information that requires a higher-than-normal assurance of accuracy and completeness.
* Confidential. This classification applies to the most sensitive business information that is intended strictly for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization, its stockholders, its business partners, and/or its customers. This information is exempt from disclosure under the provisions of the Freedom of Information Act or other applicable federal laws or regulations.
* Private. This classification applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and/or its employees.
* Public. This classification applies to all other information that does not clearly fit into any of the preceding three classifications. While its unauthorized disclosure is against policy, it is not expected to impact seriously or adversely the organization, its employees, and/or its customers.

The designated owners of information are responsible for determining data classification levels, subject to executive management review. Source: NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems.

23. 

Place the five system security life-cycle phases in order:

a.       Implementation phase

b.      Development/acquisition phase

c.       Disposal phase

d.      Operation/maintenance phase

e.       Initiation phase

e, b, a, d, c

Security, like other aspects of an IT system, is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle, but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal.

The order of these phases is:

a.       Initiation phase: During the initiation phase, the need for a system is expressed and the purpose of the system is documented.

b.      Development/acquisition phase: During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed.

c.       Implementation phase: During implementation, the system is tested and installed or fielded.

d.      Operation/maintenance phase: During this phase, the system performs its work. The system is almost always being continuously modified by the addition of hardware and software and by numerous other events.

e.       Disposal phase: The disposal phase of the IT system life cycle involves the disposition of information, hardware, and software.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

24. 

How often should an independent review of the security controls be performed, according to OMB Circular A-130?

a.       Every year

b.      Every three years

c.       Every five years

d.      Never

b The correct answer is b. OMB Circular A-130 requires that a review of the security controls for each major government application be performed at least every three years. For general support systems, OMB Circular A-130 requires that the security controls be reviewed either by an independent audit or self review. Audits can be self-administered or independent (either internal or external). The essential difference between a self-audit and an independent audit is objectivity; however, some systems may require a fully independent review. Source: Office of Management and Budget Circular A-130, revised November 30, 2000.

25. 

Which choice below is NOT one of NIST's 33 IT security principles?

a.       Implement least privilege.

b.      Assume that external systems are insecure.

c.       Totally eliminate any level of risk.

d.      Minimize the system elements to be trusted.

c

Risk can never be totally eliminated. NIST IT security principle #4 states: "Reduce risk to an acceptable level." The National Institute of Standards and Technology's (NIST) Information Technology Laboratory (ITL) released NIST Special Publication (SP) 800-27, "Engineering Principles for Information Technology Security (EP-ITS)" in June 2001 to assist in the secure design, development, deployment, and life-cycle of information systems. It presents 33 security principles which start at the design phase of the information system or application and continue until the system's retirement and secure disposal. Some of the other 33 principles are:

·         Principle 1. Establish a sound security policy as the "foundation" for design.

·         Principle 2. Treat security as an integral part of the overall system design.

·         Principle 5. Assume that external systems are insecure.

·         Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.

·         Principle 7. Implement layered security (ensure no single point of vulnerability).

·         Principle 11. Minimize the system elements to be trusted.

·         Principle 16. Isolate public access systems from mission critical resources (e.g., data, processes, etc.).

·         Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures.

·         Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains.

·         Principle 23. Use unique identities to ensure accountability.

·         Principle 24. Implement least privilege.

Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), and "Federal Systems Level Guidance for Securing Information Systems," James Corrie, August 16, 2001.

26. 

Which choice below would NOT be considered an element of proper user account management?

a.       Users should never be rotated out of their current duties.

b.      The users' accounts should be reviewed periodically.

c.       A process for tracking access authorizations should be implemented.

d.      Periodically re-screen personnel in sensitive positions.

a

Organizations should ensure effective administration of users' computer access to maintain system security, including user account management, auditing, and the timely modification or removal of access. This includes:

·         User Account Management. Organizations should have a process for requesting, establishing, issuing, and closing user accounts, tracking users and their respective access authorizations, and managing these functions.

·         Management Reviews. It is necessary to periodically review user accounts. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, and whether required training has been completed.

·         Detecting Unauthorized/Illegal Activities. Mechanisms besides auditing and analysis of audit trails should be used to detect unauthorized and illegal acts, such as rotating employees in sensitive positions, which could expose a scam that required an employee's presence, or periodic re-screening of personnel.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
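The periodic management review described in the answer to question 26, run over a constructed account snapshot, as an added example (not code from the study guide or from NIST 800-14); the role-to-entitlement baseline, the user records, and the 90-day/365-day thresholds are all assumptions chosen to exercise each check:

```python
"""Periodic user-account review as described in the answer to question 26.

Added worked example; it is not code from the study guide or from NIST. The
role-to-entitlement baseline, the account records and the 90-day / 365-day
review thresholds are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Hypothetical least-privilege baseline: the entitlements each role is supposed to hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accountant": {"ledger-read", "ledger-write"},
    "helpdesk": {"ticket-read", "ticket-write", "password-reset"},
    "dba": {"db-admin", "ledger-read"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    entitlements: Set[str]
    last_login: date
    authorized_on: date        # when management last approved this access
    training_completed: bool
    employed: bool = True      # False once HR records the person as gone


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def review_accounts(accounts: List[Account], today: date,
                    inactive_days: int = 90, reauth_days: int = 365) -> List[Finding]:
    """Run the review checks the guide lists: least privilege, still active,
    authorization current, training complete, plus accounts that should be gone."""
    findings: List[Finding] = []
    for acct in accounts:
        idle = (today - acct.last_login).days
        since_auth = (today - acct.authorized_on).days

        # An account whose owner has left is the timely-removal case: flag it first.
        if not acct.employed:
            findings.append(Finding(acct.user, "orphaned-account", "owner no longer employed"))

        # Least privilege: anything beyond the role baseline needs a justification or removal.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set())
        if excess:
            findings.append(Finding(acct.user, "excess-privilege", ", ".join(sorted(excess))))

        # Still active? Dormant accounts are candidates for disablement.
        if idle > inactive_days:
            findings.append(Finding(acct.user, "inactive", f"no login for {idle} days"))

        # Management authorization up to date?
        if since_auth > reauth_days:
            findings.append(Finding(acct.user, "stale-authorization",
                                    f"last approved {since_auth} days ago"))

        # Required training completed?
        if not acct.training_completed:
            findings.append(Finding(acct.user, "training-missing",
                                    "required security training not completed"))
    return findings


def findings_by_user(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group issue codes per user so each manager gets one list to act on."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.user, []).append(f.issue)
    return grouped


# Constructed review snapshot (hypothetical users and dates).
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", "accountant", {"ledger-read", "ledger-write"},
            last_login=date(2024, 6, 28), authorized_on=date(2024, 1, 15), training_completed=True),
    Account("bob", "helpdesk", {"ticket-read", "ticket-write", "password-reset", "db-admin"},
            last_login=date(2024, 6, 1), authorized_on=date(2023, 3, 1), training_completed=True),
    Account("carol", "dba", {"db-admin", "ledger-read"},
            last_login=date(2024, 2, 1), authorized_on=date(2024, 5, 1), training_completed=False),
    Account("dave", "accountant", {"ledger-read"},
            last_login=date(2024, 6, 29), authorized_on=date(2024, 6, 1), training_completed=True,
            employed=False),
]


if __name__ == "__main__":
    for user, issues in findings_by_user(review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)).items():
        print(f"{user:8s} {', '.join(issues)}")
```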

27. 

Which question below is NOT accurate regarding the process of Risk Assessment?

a.       The likelihood of a threat must be determined as an element of the risk assessment.

b.      The level of impact of a threat must be determined as an element of the risk assessment.

c.       Risk assessment is the first process in the risk management methodology.

d.      Risk assessment is the final result of the risk management methodology.

d Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk assessment is the first process in the risk management methodology. The risk assessment process helps organizations identify appropriate controls for reducing or eliminating risk during the risk mitigation process. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. The likelihood that a potential vulnerability could be exercised by a given threat-source can be described as high, medium, or low. Impact refers to the magnitude of harm that could be caused by a threat's exploitation of a vulnerability. The determination of the level of impact produces a relative value for the IT assets and resources affected. Source: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems .

28. 

Which choice below is NOT an accurate statement about the visibility of IT security policy?

a.       The IT security policy should not be afforded high visibility.

b.      The IT security policy could be visible through panel discussions with guest speakers.

c.       The IT security policy should be afforded high visibility.

d.      Include the IT security policy as a regular topic at staff meetings at all levels of the organization.

a Especially high visibility should be afforded the formal issuance of IT security policy. This is because nearly all employees at all levels will in some way be affected, major organizational resources are being addressed, and many new terms, procedures, and activities will be introduced. Including IT security as a regular topic at staff meetings at all levels of the organization can be helpful. Also, providing visibility through such avenues as management presentations, panel discussions, guest speakers, question/answer forums, and newsletters can be beneficial.

29. 

According to NIST, which choice below is not an accepted security self-testing technique?

a.       War Dialing

b.      Virus Distribution

c.       Password Cracking

d.      Virus Detection

b

Common types of self-testing techniques include:

·         Network Mapping

·         Vulnerability Scanning

·         Penetration Testing

·         Password Cracking

·         Log Review

·         Virus Detection

·         War Dialing

Some testing techniques are predominantly human-initiated and conducted, while other tests are highly automated and require less human involvement. The staff that initiates and implements in-house security testing should have significant security and networking knowledge. These testing techniques are often combined to gain a more comprehensive assessment of the overall network security posture. For example, penetration testing almost always includes network mapping and vulnerability scanning to identify vulnerable hosts and services that may be targeted for later penetration. None of these tests by themselves will provide a complete picture of the network or its security posture. Source: NIST Special Publication 800-42, DRAFT Guideline on Network Security Testing.

30. 

Which choice below is NOT a concern of policy development at the high level?

a.       Identifying the key business resources

b.      Identifying the types of firewalls to be used for perimeter security

c.       Defining roles in the organization

d.      Determining the capability and functionality of each role.

b Answers a, c, and d are elements of policy development at the highest level. Key business resources would have been identified during the risk assessment process. The various roles are then defined to determine the various levels of access to those resources. Answer d is the final step in the policy creation process and combines steps a and c. It determines which group gets access to each resource and what access privileges its members are assigned. Access to resources should be based on roles, not on individual identity. Source: Surviving Security: How to Integrate People, Process, and Technology by Mandy Andress (Sams Publishing, 2001).

Answers

1. 

a

The correct answer is a. The goal of risk mitigation is to reduce risk to a level acceptable to the organization. Therefore risk needs to be defined for the organization through risk analysis, business impact assessment, and/or vulnerability assessment.

Answer b is not possible. Answer c is called risk transference. Answer d is a distracter.

2. 

c

The correct answer is c. The Single Loss Expectancy (or Exposure) figure may be created as a result of a Business Impact Assessment (BIA). The SLE represents only the estimated monetary loss of a single occurrence of a specified threat event. The SLE is determined by multiplying the value of the asset by its exposure factor. This gives the expected loss the threat will cause for one occurrence.

Answer a describes the Exposure Factor (EF). The EF is expressed as a percentile of the expected value or functionality of the asset to be lost due to the realized threat event. This figure is used to calculate the SLE, above.

Answer b describes the Annualized Rate of Occurrence (ARO). This is an estimate of how often a given threat event may occur annually. For example, a threat expected to occur weekly would have an ARO of 52. A threat expected to occur once every five years has an ARO of 1/5 or .2. This figure is used to determine the ALE.

Answer d describes the Annualized Loss Expectancy (ALE). The ALE is derived by multiplying the SLE by its ARO. This value represents the expected risk factor of an annual threat event. This figure is then integrated into the risk management process.
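The EF, SLE, ARO and ALE figures from the answer to question 2 carried through a small constructed risk register, as an added example (not code from the study guide); the asset values, exposure factors and occurrence intervals are invented, and the closing safeguard cost/benefit step is a standard use of ALE that the answer only alludes to:

```python
"""Quantitative risk figures (EF, SLE, ARO, ALE) from the answer to question 2.

Added worked example; it is not code from the study guide. The safeguard
cost/benefit step at the end is a standard extension of the ALE figure and is
not stated on the page. Every asset value, exposure factor and occurrence
interval below is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ThreatEvent:
    """One threat/asset pairing in a constructed risk register."""
    name: str
    asset_value: float      # monetary value of the affected asset
    exposure_factor: float  # EF: fraction of that value lost in one occurrence (0.0 to 1.0)
    occurrences: float      # expected number of occurrences ...
    per_years: float        # ... over this many years (weekly = 52 per 1, rare = 1 per 5)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF: the monetary loss from a single occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        # EF is a percentile of the asset's value, so anything outside 0..1 is a data-entry error
        raise ValueError(f"exposure factor must lie between 0 and 1, got {exposure_factor}")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(occurrences: float, per_years: float) -> float:
    """ARO: expected occurrences per year (52 for weekly, 0.2 for once every five years)."""
    if per_years <= 0:
        raise ValueError("per_years must be positive")
    return occurrences / per_years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from this threat."""
    return sle * aro


def ale_for(event: ThreatEvent) -> float:
    """Carry one register entry through EF -> SLE -> ARO -> ALE."""
    sle = single_loss_expectancy(event.asset_value, event.exposure_factor)
    aro = annualized_rate_of_occurrence(event.occurrences, event.per_years)
    return annualized_loss_expectancy(sle, aro)


def rank_by_ale(events: List[ThreatEvent]) -> List[Tuple[str, float]]:
    """Order the register by ALE, largest first, rounded to whole cents.

    The ranking is what feeds the risk management process: the threats at the
    top are where mitigation spend pays back fastest.
    """
    scored = [(e.name, round(ale_for(e), 2)) for e in events]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a control: reduction in ALE minus what the control costs per year.

    Positive means the safeguard is worth more than it costs; this step is the
    standard use of ALE in cost/benefit decisions, not something the guide states.
    """
    return (ale_before - ale_after) - annual_cost


# Constructed register: hypothetical values chosen only to exercise the formulas.
SAMPLE_EVENTS: List[ThreatEvent] = [
    ThreatEvent("web server defacement", asset_value=200_000, exposure_factor=0.10,
                occurrences=1, per_years=1),      # ARO 1.0  -> ALE 20,000
    ThreatEvent("data center fire", asset_value=2_000_000, exposure_factor=0.75,
                occurrences=1, per_years=25),     # ARO 0.04 -> ALE 60,000
    ThreatEvent("laptop theft", asset_value=5_000, exposure_factor=1.0,
                occurrences=6, per_years=1),      # ARO 6.0  -> ALE 30,000
]


if __name__ == "__main__":
    for name, ale in rank_by_ale(SAMPLE_EVENTS):
        print(f"{name:22s} ALE = {ale:>10,.2f}")
    # Constructed control decision: a fire-suppression upgrade cutting the fire ALE to 6,000
    # at 20,000 per year is worth 60,000 - 6,000 - 20,000 = 34,000 per year.
    print(f"fire suppression net value = {safeguard_value(60_000, 6_000, 20_000):,.2f}")
```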

3. 

a

Answer b describes the Annualized Rate of Occurrence (ARO).

Answer c describes the Exposure Factor (EF).

Answer d describes the algorithm to determine the Single Loss Expectancy (SLE) of a threat.

4. 

b

Monitoring employee performance is not an example of security management, or a job function of the Information Security Officer. Employee performance issues are the domain of human resources and the employee's manager. The other three choices are appropriate practice for the information security area.

5. 

c

Answers a, b, and d describe policies. Guidelines, standards, and procedures often accompany policy, but always follow the senior level management's statement of policy. Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization. Simply put, the three break down as follows:

·         Standards specify the use of specific technologies in a uniform way (for example, the standardization of operating procedures).

·         Guidelines are similar to standards but are recommended actions.

·         Procedures are the detailed steps that must be performed for any task.

6. 

b

Answer a is a responsibility of senior management. Answer c is a description of the role of auditing. Answer d is the role of the user, or consumer, of security in an organization.

7. 

b

The purpose of computer security awareness, training, and education is to enhance security by:

·         Improving awareness of the need to protect system resources

·         Developing skills and knowledge so computer users can perform their jobs more securely

·         Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability because, without knowledge of the necessary security measures and how to use them, users cannot be truly accountable for their actions. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook Special Publication 800-12.

8. 

d

Computer security policy is often defined as the "documentation of computer security decisions." The term "policy" has more than one meaning. Policy is senior management's directives to create a computer security program, establish its goals, and assign responsibilities. The term "policy" is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy.

A security policy is an important document to develop while designing an information system, early in the System Development Life Cycle (SDLC). The security policy begins with the organization's basic commitment to information security formulated as a general policy statement. The policy is then applied to all aspects of the system design or security solution. Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security).

9. 

a

Friendly terminations should be accomplished by implementing a standard set of procedures for outgoing or transferring employees. This normally includes:

·         Removal of access privileges, computer accounts, authentication tokens.

·         The control of keys.

·         The briefing on the continuing responsibilities for confidentiality and privacy.

·         Return of property.

·         Continued availability of data. In both the manual and the electronic worlds this may involve documenting procedures or filing schemes, such as how documents are stored on the hard disk, and how they are backed up. Employees should be instructed whether or not to "clean up" their PC before leaving.

·         If cryptography is used to protect data, the availability of cryptographic keys to management personnel must be ensured.

Given the potential for adverse consequences during an unfriendly termination, organizations should do the following:

·         System access should be terminated as quickly as possible when an employee is leaving a position under less-than-friendly terms. If employees are to be fired, system access should be removed at the same time (or just before) the employees are notified of their dismissal.

·         When an employee notifies an organization of the resignation and it can be reasonably expected that it is on unfriendly terms, system access should be immediately terminated.

·         During the "notice of termination" period, it may be necessary to assign the individual to a restricted area and function. This may be particularly true for employees capable of changing programs or modifying the system or applications.

·         In some cases, physical removal from the offices may be necessary.

Source: NIST Special Publication 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems.

10. 

c

Answer c is an example of a system-specific policy, in this case the router's access control lists. The other three answers are examples of issue-specific policy, as defined by NIST. Issue-specific policies are similar to program policies, in that they are not technically focused. While program policy is traditionally more general and strategic (the organization's computer security program, for example), issue-specific policy is a nontechnical policy addressing a single or specific issue of concern to the organization, such as the procedural guidelines for checking disks brought to work or e-mail privacy concerns. System-specific policy is technically focused and addresses only one computer system or device type. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook Special Publication 800-12.

11. 

b

Various officials and organizational offices are typically involved with computer security. They include the following groups:

·         Senior management

·         Program/functional managers/application owners

·         Computer security management

·         Technology providers

·         Supporting organizations

·         Users

Senior management has the final responsibility through due care and due diligence to preserve the capital of the organization and further its business model through the implementation of a security program. While senior management does not have the functional role of managing security procedures, it has the ultimate responsibility to see that business continuity is preserved.

12. 

c

An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation.

In general, a computer security awareness and training program should encompass the following seven steps:

1.      Identify program scope, goals, and objectives.

2.      Identify training staff.

3.      Identify target audiences.

4.      Motivate management and employees.

5.      Administer the program.

6.      Maintain the program.

7.      Evaluate the program.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

13. 

d

Any combination of the following techniques can be used in gathering information relevant to the IT system within its operational boundary:

·         Questionnaire. The questionnaire should be distributed to the applicable technical and nontechnical management personnel who are designing or supporting the IT system.

·         On-site Interviews. On-site visits also allow risk assessment personnel to observe and gather information about the physical, environmental, and operational security of the IT system.

·         Document Review. Policy documents, system documentation, and security-related documentation can provide good information about the security controls used by and planned for the IT system.

·         Use of Automated Scanning Tools. Proactive technical methods can be used to collect system information efficiently.

Source: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.

14. 

b

Controls are the countermeasures for vulnerabilities. There are many kinds, but generally they are categorized into four types:

·         Deterrent controls reduce the likelihood of a deliberate attack.

·         Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact. Preventative controls inhibit attempts to violate security policy.

·         Corrective controls reduce the effect of an attack.

·         Detective controls discover attacks and trigger preventative or corrective controls. Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums.

Source: Introduction to Risk Analysis, C & A Security Risk Analysis Group and NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.

15. 

c

Security designs should consider a layered approach to address or protect against a specific threat or to reduce a vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combines to increase the work-factor an attacker must expend to successfully attack the system. The need for layered protections is important when commercial-off-the-shelf (COTS) products are used. The current state-of-the-art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in levels, requiring additional work by attackers to accomplish their goals.

Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security).

16. 

b

Although elements of all of the systems described could require specific controls for confidentiality, given the descriptions above, system b most closely fits the definition of a system requiring a very high level of confidentiality. Answer a is an example of a system requiring high availability. Answer c is an example of a system that requires medium integrity controls. Answer d is a system that requires only a low level of confidentiality.

A system may need protection for one or more of the following reasons:

·         Confidentiality. The system contains information that requires protection from unauthorized disclosure.

·         Integrity. The system contains information that must be protected from unauthorized, unanticipated, or unintentional modification.

·         Availability. The system contains information or provides services which must be available on a timely basis to meet mission requirements or to avoid substantial losses.

Source: NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.

17. 

d

System audits and monitoring are the two methods organizations use to maintain operational assurance. Although the terms are used loosely within the computer security community, a system audit is a one-time or periodic event to evaluate security, whereas monitoring refers to an ongoing activity that examines either the system or the users. In general, the more "real-time" an activity is, the more it falls into the category of monitoring. Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

18. 

b

Often, managerial computer system security policies are categorized into three basic types:

·         Program policy—used to create an organization's computer security program

·         Issue-specific policies—used to address specific issues of concern to the organization

·         System-specific policies—technical directives taken by management to protect a particular system

Program policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organization. However, they do not provide sufficient information or direction, for example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policy fills this need. System-specific policy is much more focused, since it addresses only one system.

Table A.1 helps illustrate the difference between these three types of policies. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook Special Publication 800-12.

Table A.1: Security Policy Types

POLICY TYPE              DESCRIPTION                  EXAMPLE
Program policy           High-level program policy    Senior-level Management Statement
Issue-specific policy    Addresses single issue       Email privacy policy
System-specific policy   Single-system directives     Router Access Control Lists

19. 

a

Awareness is used to reinforce the fact that security supports the mission of the organization by protecting valuable resources. The purpose of training is to teach people the skills that will enable them to perform their jobs more securely. Security education is more in depth than security training and is targeted for security professionals and those whose jobs require expertise in security. Management commitment is necessary because of the resources used in developing and implementing the program and also because the program affects their staff. Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook Special Publication 800-12.

20. 

b

The System Owner is responsible for ensuring that the security plan is prepared and for implementing the plan and monitoring its effectiveness. The System Owner is responsible for defining the system's operating parameters, authorized functions, and security requirements. The information owner for information stored within, processed by, or transmitted by a system may or may not be the same as the System Owner. Also, a single system may utilize information from multiple Information Owners.

The Information Owner is responsible for establishing the rules for appropriate use and protection of the subject data/information (rules of behavior). The Information Owner retains that responsibility even when the data/information are shared with other organizations. Source: NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.

21. 

a

An organization should address computer security incidents by developing an incident-handling capability. The incident-handling capability should be used to:

·         Provide the ability to respond quickly and effectively.

·         Contain and repair the damage from incidents. When left unchecked, malicious software can significantly harm an organization's computing, depending on the technology and its connectivity. Containing the incident should include an assessment of whether the incident is part of a targeted attack on the organization or an isolated incident.

·         Prevent future damage. An incident-handling capability should assist an organization in preventing (or at least minimizing) damage from future incidents. Incidents can be studied internally to gain a better understanding of the organization's threats and vulnerabilities.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

22. 

b, c, a, and d

Various formats for categorizing the sensitivity of data exist. Although originally implemented in government systems, data classification is very useful in determining the sensitivity of business information to threats to confidentiality, integrity, or availability. Often an organization would use the high, medium, or low categories. This simple classification scheme rates each system by its need for protection based upon its C.I.A. needs, and whether it requires high, medium, or low protective controls. For example, a system and its information may require a high degree of integrity and availability, yet have no need for confidentiality.

Table A.2: A Sample H/M/L Data Classification

CATEGORY   DESCRIPTION
High       Could cause loss of life, imprisonment, major financial loss, or require legal action for correction if the information is compromised.
Medium     Could cause significant financial loss or require legal action for correction if the information is compromised.
Low        Would cause only minor financial loss or require only administrative action for correction if the information is compromised.

Or organizations may categorize data into four sensitivity classifications with separate handling requirements, such as Sensitive, Confidential, Private, and Public.

This system would define the categories as follows:

·         Sensitive. This classification applies to information that requires special precautions to assure the integrity of the information, by protecting it from unauthorized modification or deletion. It is information that requires a higher-than-normal assurance of accuracy and completeness.

·         Confidential. This classification applies to the most sensitive business information that is intended strictly for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization, its stockholders, its business partners, and/or its customers. This information is exempt from disclosure under the provisions of the Freedom of Information Act or other applicable federal laws or regulations.

·         Private. This classification applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and/or its employees.

·         Public. This classification applies to all other information that does not clearly fit into any of the preceding three classifications. While its unauthorized disclosure is against policy, it is not expected to impact seriously or adversely the organization, its employees, and/or its customers.

The designated owners of information are responsible for determining data classification levels, subject to executive management review. Table A.2 shows a sample H/M/L data classification for sensitive information. Source: NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems.

23. 

e, b, a, d, c

Security, like other aspects of an IT system, is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle, but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal.

The order of these phases is:

a.       Initiation phase—During the initiation phase, the need for a system is expressed and the purpose of the system is documented.

b.      Development/acquisition phase—During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed.

c.       Implementation phase—During implementation, the system is tested and installed or fielded.

d.      Operation/maintenance phase—During this phase, the system performs its work. The system is almost always being continuously modified by the addition of hardware and software and by numerous other events.

e.       Disposal phase—The disposal phase of the IT system life cycle involves the disposition of information, hardware, and software.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

24. 

b

The correct answer is b. OMB Circular A-130 requires that a review of the security controls for each major government application be performed at least every three years. For general support systems, OMB Circular A-130 requires that the security controls be reviewed either by an independent audit or self-review. Audits can be self-administered or independent (either internal or external). The essential difference between a self-audit and an independent audit is objectivity; however, some systems may require a fully independent review. Source: Office of Management and Budget Circular A-130, revised November 30, 2000.

25. 

c

Risk can never be totally eliminated. NIST IT security principle #4 states: "Reduce risk to an acceptable level." The National Institute of Standards and Technology's (NIST) Information Technology Laboratory (ITL) released NIST Special Publication (SP) 800-27, "Engineering Principles for Information Technology Security (EP-ITS)" in June 2001 to assist in the secure design, development, deployment, and life-cycle of information systems. It presents 33 security principles which start at the design phase of the information system or application and continue until the system's retirement and secure disposal. Some of the other 33 principles are:

·         Principle 1. Establish a sound security policy as the "foundation" for design.

·         Principle 2. Treat security as an integral part of the overall system design.

·         Principle 5. Assume that external systems are insecure.

·         Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.

·         Principle 7. Implement layered security (ensure no single point of vulnerability).

·         Principle 11. Minimize the system elements to be trusted.

·         Principle 16. Isolate public access systems from mission critical resources (e.g., data, processes, etc.).

·         Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures.

·         Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains.

·         Principle 23. Use unique identities to ensure accountability.

·         Principle 24. Implement least privilege.

Source: NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), and "Federal Systems Level Guidance for Securing Information Systems," James Corrie, August 16, 2001.

26. 

a

Organizations should ensure effective administration of users' computer access to maintain system security, including user account management, auditing, and the timely modification or removal of access. This includes:

·         User Account Management. Organizations should have a process for requesting, establishing, issuing, and closing user accounts, tracking users and their respective access authorizations, and managing these functions.

·         Management Reviews. It is necessary to periodically review user accounts. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, and whether required training has been completed.

·         Detecting Unauthorized/Illegal Activities. Mechanisms besides auditing and analysis of audit trails should be used to detect unauthorized and illegal acts, such as rotating employees in sensitive positions, which could expose a scam that required an employee's presence, or periodic re-screening of personnel.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

27. 

d

Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk assessment is the first process in the risk management methodology. The risk assessment process helps organizations identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. The likelihood that a potential vulnerability could be exercised by a given threat-source can be described as high, medium, or low. Impact refers to the magnitude of harm that could be caused by a threat's exploitation of a vulnerability. The determination of the level of impact produces a relative value for the IT assets and resources affected. Source: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.

28. 

a

Especially high visibility should be afforded the formal issuance of IT security policy. This is because nearly all employees at all levels will in some way be affected, major organizational resources are being addressed, and many new terms, procedures, and activities will be introduced.

Including IT security as a regular topic at staff meetings at all levels of the organization can be helpful. Also, providing visibility through such avenues as management presentations, panel discussions, guest speakers, question/answer forums, and newsletters can be beneficial.

29. 

b

Common types of self-testing techniques include:

·         Network Mapping

·         Vulnerability Scanning

·         Penetration Testing

·         Password Cracking

·         Log Review

·         Virus Detection

·         War Dialing

Some testing techniques are predominantly human-initiated and conducted, while other tests are highly automated and require less human involvement. The staff that initiates and implements in-house security testing should have significant security and networking knowledge. These testing techniques are often combined to gain a more comprehensive assessment of the overall network security posture. For example, penetration testing almost always includes network mapping and vulnerability scanning to identify vulnerable hosts and services that may be targeted for later penetration. None of these tests by themselves will provide a complete picture of the network or its security posture. Source: NIST Special Publication 800-42, DRAFT Guideline on Network Security Testing.

30. 

b

Answers a, c, and d are elements of policy development at the highest level. Key business resources would have been identified during the risk assessment process. The various roles are then defined to determine the various levels of access to those resources. Answer d is the final step in the policy creation process and combines steps a and c. It determines which group gets access to each resource and what access privileges its members are assigned. Access to resources should be based on roles, not on individual identity. Source: Surviving Security: How to Integrate People, Process, and Technology by Mandy Andress (Sams Publishing, 2001).


Chapter 5: Security Management Concepts and Principles

The CISSP Exam Topics Covered in this Chapter Include:

·         Security Management Concepts and Principles

·         Protection Mechanisms

·         Change Control/Management

·         Data Classification

The Security Management Practices domain of the Common Body of Knowledge (CBK) for the CISSP certification exam deals with the common elements of security solutions. These include elements essential to the design, implementation, and administration of security mechanisms.

This domain is discussed in this chapter and in Chapter 6, "Asset Value, Policies, and Roles." Be sure to read and study the materials from both chapters to ensure complete coverage of the essential material for the CISSP certification exam.

Security Management Concepts and Principles

Security management concepts and principles are inherent elements in a security policy and solution deployment. They define the basic parameters needed for a secure environment. They also define the goals and objectives that both policy designers and system implementers must achieve to create a secure solution. It is important for real-world security professionals, as well as CISSP exam students, to understand these items thoroughly.

The primary goals and objectives of security are contained within the CIA Triad. The CIA Triad is the name given to the three primary security principles: confidentiality, integrity, and availability. Security controls must address one or more of these three principles. Security controls are typically evaluated on whether or not they address all three of these core InfoSec tenets. Vulnerabilities and risks are also evaluated based on their threats against one or more of the CIA Triad principles. Thus, it is a good idea to be familiar with these principles and use them as guidelines and measuring sticks against which to judge all things related to security.

These three principles are considered the most important within the realm of security. However, how important each is to a specific organization depends upon the organization's security goals and requirements and on the extent to which its security might be threatened.

Confidentiality

The first principle from the CIA Triad is confidentiality. If a security mechanism offers confidentiality, it offers a high level of confidence that data, objects, or resources are not exposed to unauthorized subjects. If a threat exists against confidentiality, there is the possibility that unauthorized disclosure could take place.

In general, for confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit. Each of these states of data, resources, and objects requires unique and specific security controls to maintain confidentiality.

There are numerous attacks that focus on the violation of confidentiality. These include capturing network traffic and stealing password files as well as social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, and so on.

Violations of confidentiality are not limited to directed intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude. Events that lead to confidentiality breaches include failing to properly encrypt a transmission, failing to fully authenticate a remote system before transferring data, leaving open otherwise secured access points, accessing malicious code that opens a back door, or even walking away from an access terminal while data is displayed on the monitor. Confidentiality violations can occur because of the actions of an end user or a system administrator. They can also occur due to an oversight in a security policy or a misconfigured security control.

There are numerous countermeasures to ensure confidentiality against possible threats. These include the use of encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training.

Confidentiality and integrity are dependent upon each other. Without object integrity, confidentiality cannot be maintained. Other concepts, conditions, and aspects of confidentiality include sensitivity, discretion, criticality, concealment, secrecy, privacy, seclusion, and isolation.

Integrity

The second principle from the CIA Triad is integrity. Integrity is the principle that objects retain their veracity and are only intentionally modified by authorized subjects. If a security mechanism offers integrity, it offers a high level of confidence that the data, objects, and resources are unaltered from their original protected state. This includes alterations occurring while the object is in storage, in transit, or in process. Thus, maintaining integrity means the object itself is not altered and the operating system and programming entities that manage and manipulate the object are not compromised.

Integrity can be examined from three perspectives:

·         Unauthorized subjects should be prevented from making modifications.

·         Authorized subjects should be prevented from making unauthorized modifications.

·         Objects should be internally and externally consistent so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent, and verifiable.

For integrity to be maintained on a system, controls must be in place to restrict access to data, objects, and resources. Additionally, activity logging should be employed to ensure that only authorized users are able to access their respective resources. Maintaining integrity across storage, transport, and processing requires numerous variations of controls and oversight to maintain and validate object integrity.

There are numerous attacks that focus on the violation of integrity. These include viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors.

Integrity violations are not limited to intentional attacks. Many instances of unauthorized alteration of sensitive information are due to human error, oversight, or ineptitude. Events that lead to integrity breaches include accidentally deleting files; entering invalid data; altering configurations; including errors in commands, codes, and scripts; introducing a virus; and executing malicious code (such as a Trojan horse). Integrity violations can occur because of the actions of any user, including administrators. They can also occur due to an oversight in a security policy or a misconfigured security control.

There are numerous countermeasures to ensure integrity against possible threats. These include strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive personnel training.

Integrity is dependent upon confidentiality. Without confidentiality, integrity cannot be maintained. Other concepts, conditions, and aspects of integrity include accuracy, truthfulness, authenticity, validity, nonrepudiation, accountability, responsibility, completeness, and comprehensiveness.

Availability

The third principle from the CIA Triad is availability. Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects. If a security mechanism offers availability, it offers a high level of confidence that the data, objects, and resources are accessible to authorized subjects. Availability includes efficient uninterrupted access to objects and prevention of denial of service (DoS) attacks. Availability also implies that the supporting infrastructure—including network services, communications, and access control mechanisms—is functional and allows authorized users to gain authorized access.

For availability to be maintained on a system, controls must be in place to ensure authorized access and an acceptable level of performance, quickly handle interruptions, provide for redundancy, maintain reliable backups, and prevent data loss or destruction.

There are numerous threats to availability. These include device failure, software errors, and environmental issues (heat, static, etc.). There are also some forms of attacks that focus on the violation of availability, including denial of service attacks, object destruction, and communications interruptions.

Violations of availability are not limited to intentional attacks. Many instances of unauthorized alteration of sensitive information are due to human error, oversight, or ineptitude. Some events that lead to availability breaches include accidentally deleting files, overutilizing a hardware or software component, under-allocating resources, and mislabeling or incorrectly classifying objects. Availability violations can occur because of the actions of any user, including administrators. They can also occur due to an oversight in a security policy or a misconfigured security control.

There are numerous countermeasures to ensure availability against possible threats. These include designing intermediary delivery systems properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems.

Availability is dependent upon both integrity and confidentiality. Without integrity and confidentiality, availability cannot be maintained. Other concepts, conditions, and aspects of availability include usability, accessibility, and timeliness.

Other Security Concepts

In addition to the CIA Triad, there are a plethora of other security related concepts, principles, and tenets that should be considered and addressed when designing a security policy and deploying a security solution. This section discusses privacy, identification, authentication, authorization, accountability, nonrepudiation, and auditing.

Privacy

Privacy can be a difficult entity to define or even quantify. The term is used frequently in numerous contexts without much quantification or qualification. Here are some possible partial definitions of privacy:

·         Prevention of unauthorized access

·         Freedom from unauthorized access to information deemed personal or confidential

·         Freedom from being observed, monitored, or examined without consent or knowledge

When addressing privacy in the realm of IT, it usually becomes a balancing act between individual rights and the rights or activities of an organization. Some claim that individuals have the right to control whether or not information can be collected about them and what can be done with it. Others claim that any activity performed in public view, such as most activities performed over the Internet, can be monitored without the knowledge of or permission from the individuals being watched and that the information gathered from such monitoring can be used for whatever purposes an organization deems appropriate or desirable.

On one hand, protecting individuals from unwanted observation, direct marketing, and disclosure of private, personal, or confidential details is considered a worthy effort. On the other hand, organizations profess that demographic studies, information gleaning, and focused marketing improve business models, reduce advertising waste, and save money for all parties.

Whatever your personal or organizational stance is on the issue of online privacy, it must be addressed in an organizational security policy. Privacy is an issue not just for external visitors to your online offerings, but also for your customers, employees, suppliers, and contractors. If you gather any type of information about any person or company, you must address privacy.

In most cases, especially when privacy is being violated or restricted, the individuals and companies must be informed; otherwise, you may face legal ramifications. Privacy issues must also be addressed when allowing or restricting personal use of e-mail, retaining e-mail, recording phone conversations, gathering information about surfing or spending habits, and so on.

Identification

Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization, and accountability. Providing an identity can be typing in a username, swiping a smart card, waving a token device, speaking a phrase, or positioning your face, hand, or finger for a camera or scanning device. A process providing a process ID number also represents the identification process. Without an identity, a system has no way to correlate an authentication factor with the subject.

Once a subject has been identified, the identity is accountable for any further actions by that subject. IT systems track activity by identities, not by the subjects themselves. A computer doesn't know one human from another, but it does know that your user account is different from all other user accounts. A subject's identity is typically labeled as or considered to be public information.

Authentication

The process of verifying or testing that the claimed identity is valid is authentication. Authentication requires from the subject additional information that must exactly correspond to the identity indicated. The most common form of authentication is using a password. Authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities (i.e., user accounts). The authentication factor used to verify identity is typically labeled as or considered to be private information. The capability of the subject and system to maintain the secrecy of the authentication factors for identities directly reflects the level of security of that system.

Identification and authentication are always used together as a single two-step process. Providing an identity is step one and providing the authentication factor(s) is step two. Without both, a subject cannot gain access to a system— neither element alone is useful.

There are several types of authentication information a subject can provide (e.g., something you know, something you have, etc.). Each authentication technique or factor has its unique benefits and drawbacks. Thus it is important to evaluate each mechanism in light of the environment in which it will be deployed to determine viability. Authentication was discussed at length in Chapter 1, "Accountability and Access Control."

Authorization

Once a subject is authenticated, access must be authorized. The process of authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. In most cases, the system evaluates an access control matrix that compares the subject, the object, and the intended activity. If the specific action is allowed, the subject is authorized. If the specific action is not allowed, the subject is not authorized.

Keep in mind that just because a subject has been identified and authenticated does not automatically mean they have been authorized. It is possible for a subject to be logged onto a network (i.e., identified and authenticated) but be blocked from accessing a file or printing to a printer (i.e., by not being authorized to perform that activity). Most network users are authorized to perform only a limited number of activities on a specific collection of resources. Identification and authentication are all-or-nothing aspects of access control. Authorization has a wide range of variations between all or nothing for each individual object within the environment. A user may be able to read a file but not delete it, print a document but not alter the print queue, or log onto a system but not access any resources.

Auditing

Monitoring, or auditing, is the programmatic means by which subjects are held accountable for their actions while authenticated on a system. Monitoring is also the process by which unauthorized or abnormal activities are detected on a system. Monitoring is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis. Auditing and logging are usually native features of an operating system and most applications and services. Thus, configuring the system to record information about specific types of events is fairly straightforward.

For more information on configuring and administrating auditing and logging, see Chapter 14, "Auditing and Monitoring."

Accountability

An organization's security policy can be properly enforced only if accountability is maintained. In other words, security can be maintained only if subjects are held accountable for their actions. Effective accountability relies upon the capability to prove a subject's identity and track their activities. Thus, accountability builds on the concepts of identification, authentication, authorization, access control, and auditing.

Accountability is maintained by recording the activities of a subject and objects as well as core system functions that maintain the operating environment and the security mechanisms. The audit trails created by recording system events to logs can be used to evaluate the health and performance of a system. System crashes may indicate faulty programs, corrupt drivers, or intrusion attempts. The event logs leading up to a crash can often be used to discover the reason a system failed. Log files provide an audit trail for re-creating the history of an event, intrusion, or system failure.
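The chain described in the preceding sections (identification, authentication, authorization, auditing, accountability) can be modeled in a few dozen lines. The following is an added example, not code from the book: a username serves as the public identity, a salted password hash is the private authentication factor, an access control matrix keyed by (subject, object) is consulted at authorization time, and every decision is written to an audit log. All user names, object names and passwords are constructed for illustration.

```python
"""Identification -> authentication -> authorization -> auditing, in one place.

Added example (not from the book). Users, objects and passwords are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored authentication factor is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str      # the public identity
    salt: bytes
    pw_hash: bytes     # the private authentication factor (never stored in clear)


class AccessControlSystem:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Access control matrix: (subject, object) -> set of permitted actions.
        self.matrix: Dict[Tuple[str, str], Set[str]] = {}
        self.audit_log: List[dict] = []        # the accountability record
        self.sessions: Dict[str, str] = {}     # session id -> authenticated identity

    def add_account(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def grant(self, subject: str, obj: str, *actions: str) -> None:
        self.matrix.setdefault((subject, obj), set()).update(actions)

    def _log(self, event: str, subject: str, **details) -> None:
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "event": event, "subject": subject, **details})

    def login(self, username: str, password: str) -> Optional[str]:
        """Step 1: identification (username). Step 2: authentication (password)."""
        account = self.accounts.get(username)
        if account is None:
            self._log("auth_failure", username, reason="unknown identity")
            return None
        candidate = _hash_password(password, account.salt)
        if not hmac.compare_digest(candidate, account.pw_hash):
            self._log("auth_failure", username, reason="bad factor")
            return None
        session = os.urandom(8).hex()
        self.sessions[session] = username
        self._log("auth_success", username, session=session)
        return session

    def request(self, session: Optional[str], action: str, obj: str) -> bool:
        """Authorization: consult the matrix for (identity, object, action), then audit."""
        subject = self.sessions.get(session or "")
        if subject is None:
            self._log("authz_denied", "<unauthenticated>", action=action, object=obj)
            return False
        allowed = action in self.matrix.get((subject, obj), set())
        self._log("authz_allowed" if allowed else "authz_denied", subject,
                  action=action, object=obj)
        return allowed


def demo() -> dict:
    """Constructed walk-through: alice may read report.txt but not delete it."""
    acs = AccessControlSystem()
    acs.add_account("alice", "correct horse")
    acs.grant("alice", "report.txt", "read")
    session = acs.login("alice", "correct horse")
    return {
        "login_ok": session is not None,
        "read": acs.request(session, "read", "report.txt"),
        "delete": acs.request(session, "delete", "report.txt"),
        "bad_login_rejected": acs.login("alice", "wrong") is None,
        "no_session": acs.request("not-a-session", "read", "report.txt"),
        "audit_events": [e["event"] for e in acs.audit_log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```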

Nonrepudiation

Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred. Nonrepudiation prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event. It is made possible through identity, authentication, authorization, accountability, and auditing. Nonrepudiation can be established using digital certificates, session identifiers, transaction logs, and numerous other transactional and access control mechanisms.

Protection Mechanisms

Another aspect of security solution concepts and principles is the element of protection mechanisms. These are common characteristics of security controls. Not all security controls must have these, but many controls offer their protection for confidentiality, integrity, and availability through the use of these mechanisms.

Layering, also known as defense in depth, is simply the use of multiple controls in a series. No one specific control can protect against all possible threats. The use of a multilayered solution allows for numerous different and specific controls to be brought to bear against whatever threats come to pass. When security solutions are designed in layers, most threats are eliminated, mitigated, or thwarted.

Using layers in a series rather than in parallel is an important concept. Performing security restrictions in a series means to perform one after the other in a linear fashion. Only through a series configuration will each attack be scanned, evaluated, or mitigated by every security control. A single failure of a security control does not render the entire solution ineffective. If security controls were implemented in parallel, a threat could pass through a single checkpoint that did not address its particular malicious activity. Serial configurations are very narrow but very deep, whereas parallel configurations are very wide but very shallow. Parallel systems are useful in distributed computing applications, but parallelism is not a useful concept in the realm of security.

Think of physical entrances to buildings. A parallel configuration is used for shopping malls. There are many doors in many locations around the entire perimeter of the mall. A series configuration would most likely be used in a bank or an airport. A single entrance is provided and that entrance is actually several gateways or checkpoints that must be passed in sequential order to gain entry into active areas of the building.

Layering also includes the concept that networks comprise numerous separate entities, each with its own unique security controls and vulnerabilities. In an effective security solution, there is a synergy between all networked systems that creates a single security front. The use of separate security systems creates a layered security solution.
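The series-versus-parallel distinction can be made concrete. The following is an added example, not code from the book: three constructed controls (a network filter, an authentication check and an input filter) inspect constructed requests once in series, where every control sees every request and all must agree, and once in parallel, where one satisfied checkpoint is enough to be admitted.

```python
"""Series vs parallel layering of security controls.

Added example (not from the book). Controls, policy values and traffic are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    source_ip: str
    action: str
    payload: str
    authenticated: bool


# Each control answers True when it is satisfied with the request.
def network_filter(r: Request) -> bool:
    """Only the internal 10.0.0.0/8 range is allowed in (constructed policy)."""
    return r.source_ip.startswith("10.")


def auth_check(r: Request) -> bool:
    """The subject must already have been authenticated."""
    return r.authenticated


def input_filter(r: Request) -> bool:
    """Reject oversized or non-printable payloads."""
    return len(r.payload) <= 64 and r.payload.isprintable()


CONTROLS: List[Callable[[Request], bool]] = [network_filter, auth_check, input_filter]


def series(r: Request) -> Tuple[bool, Dict[str, bool]]:
    """Controls in series: every control inspects the request and all must agree.
    Verdicts are collected rather than short-circuited so that each control
    really does see each request."""
    verdicts = {c.__name__: c(r) for c in CONTROLS}
    return all(verdicts.values()), verdicts


def parallel(r: Request) -> Tuple[bool, Dict[str, bool]]:
    """Controls in parallel: any one accepting checkpoint admits the request, so a
    control that does not address the request's particular problem lets it through."""
    verdicts = {c.__name__: c(r) for c in CONTROLS}
    return any(verdicts.values()), verdicts


def compare(requests: List[Request]) -> List[Tuple[str, bool, bool]]:
    """Return (action, admitted_in_series, admitted_in_parallel) for each request."""
    return [(r.action, series(r)[0], parallel(r)[0]) for r in requests]


SAMPLE_REQUESTS = [  # constructed traffic
    Request("10.0.0.5", "read-report", "quarterly figures", True),
    Request("203.0.113.9", "read-report", "quarterly figures", True),  # outside network
    Request("10.0.0.7", "upload", "x" * 500, True),                    # oversized payload
    Request("203.0.113.9", "read-report", "\x00binary", False),        # fails every control
]


if __name__ == "__main__":
    for action, s, p in compare(SAMPLE_REQUESTS):
        print(f"{action:12} series={s!s:5} parallel={p!s:5}")
```

Only the first request is admitted when the controls are in series; the second and third slip through the parallel configuration because one checkpoint that was not designed for their problem accepted them.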

Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. Thus, the concept of abstraction is used when classifying objects or assigning roles to subjects. The concept of abstraction also includes the definition of object and subject types or of objects themselves (i.e., a data structure used to define a template for a class of entities). Abstraction is used to define what types of data an object can contain, what types of functions can be performed on or by that object, and what capabilities that object has. Abstraction simplifies security by enabling you to assign security controls to a group of objects collected by type or function.

Data hiding is exactly what it sounds like: preventing data from being known by a subject. Keeping a database from being accessed by unauthorized visitors is a form of data hiding, as is restricting a subject at a lower classification level from accessing data at a higher classification level. Preventing an application from accessing hardware directly is also a form of data hiding. Data hiding is often a key element in security controls as well as in programming.

Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients. Encryption can take many forms and be applied to every type of electronic communication, including text, audio, and video files, as well as applications themselves. Encryption is a very important element in security controls, especially in regard to the transmission of data between systems. There are various strengths of encryption, each of which is designed and/or appropriate for a specific use or purpose. Encryption is discussed at length in Chapter 9, "Cryptography and Public Keys," and 10, "PKI and Crypto Attacks."

Change Control/Management

Another important aspect of security management is the control or management of change. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. This usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms. This data is then used to identify agents of change, whether objects, subjects, programs, communication pathways, or even the network itself.

The goal of change management is to ensure that any change does not lead to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state. Change management is only a requirement for systems complying with the Information Technology Security Evaluation and Certification (ITSEC) classifications of E1, E2, or E3. However, change management can be implemented on any system despite the level of security. Ultimately, change management improves the security of an environment by protecting implemented security from unintentional, tangential, or effected diminishments.

Change management should oversee alterations to every aspect of a system, including hardware configuration and OS and application software. Change management should be included in design, development, testing, evaluation, implementation, distribution, evolution, growth, ongoing operation, and modification. Change management requires a detailed inventory of every component and configuration. It also requires the collection and maintenance of complete documentation for every system component, from hardware to software and from configuration settings to security features.

The change control process of configuration or change management has several goals or requirements:

·         Implement changes in a monitored and orderly manner. Changes are always controlled.

·         A formalized testing process is included to verify that a change produces expected results.

·         All changes can be reversed.

·         Users are informed of changes before they occur to prevent loss of productivity.

·         The effects of changes are systematically analyzed.

·         Negative impact of changes on capabilities, functionality, and performance is minimized.
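The following Python model, an added example that is not from the study guide, shows how those requirements translate into a controlled change path for a configuration store: every change is announced before it is applied, run through a formal test, applied only if the test passes, recorded in an append-only audit trail, and reversible from that trail. The baseline checks, setting names and sample values are constructed assumptions for illustration.

```python
import copy
from dataclasses import dataclass
from typing import Callable


@dataclass
class ChangeRecord:
    """One entry in the append-only audit trail."""
    change_id: int
    description: str
    before: dict
    after: dict
    status: str          # "applied", "rejected", or "rolled_back"
    test_result: list    # names of baseline checks that failed (empty = passed)


# Constructed baseline: settings a change may never weaken (assumed names).
BASELINE_CHECKS = {
    "password_auth": lambda v: v is False,
    "tls_min_version": lambda v: v >= 1.2,
    "audit_logging": lambda v: v is True,
}


def security_regression_test(cfg: dict) -> list:
    """Formal test step: return the baseline checks the candidate config fails."""
    return [name for name, ok in BASELINE_CHECKS.items()
            if name not in cfg or not ok(cfg[name])]


class ChangeController:
    """Routes every configuration change through announce, test, apply or reject."""

    def __init__(self, config: dict, notify: Callable[[str], None]):
        self.config = copy.deepcopy(config)
        self.notify = notify                       # how users are informed
        self.history: list[ChangeRecord] = []      # audit trail, never edited in place

    def _log(self, description, before, after, status, failures):
        rec = ChangeRecord(len(self.history) + 1, description,
                           copy.deepcopy(before), copy.deepcopy(after), status, failures)
        self.history.append(rec)
        return rec

    def propose(self, description: str, changes: dict) -> ChangeRecord:
        candidate = copy.deepcopy(self.config)
        candidate.update(changes)
        self.notify(f"scheduled: {description}")        # users informed before the change
        failures = security_regression_test(candidate)   # verify the expected results
        if failures:                                     # change would reduce security
            return self._log(description, self.config, self.config, "rejected", failures)
        before, self.config = self.config, candidate
        return self._log(description, before, candidate, "applied", [])

    def rollback(self, change_id: int) -> ChangeRecord:
        """Restore the pre-change state captured in the audit trail."""
        rec = self.history[change_id - 1]
        if rec.status != "applied":
            raise ValueError(f"change {change_id} is not in an applied state")
        rec.status = "rolled_back"
        self.notify(f"rolling back: {rec.description}")
        before, self.config = self.config, copy.deepcopy(rec.before)
        return self._log(f"rollback of #{change_id}", before, self.config, "applied", [])


def demo():
    """Apply a harmless change, reject a weakening one, then roll the first back."""
    notices = []
    ctl = ChangeController({"password_auth": False, "tls_min_version": 1.2,
                            "audit_logging": True, "banner": "v1"}, notices.append)
    r1 = ctl.propose("update login banner", {"banner": "v2"})
    r2 = ctl.propose("allow password logins", {"password_auth": True})
    r3 = ctl.rollback(r1.change_id)
    return ctl, r1, r2, r3, notices
```

The rejected change still produces an audit record, so the trail shows not only what was changed but what was attempted and why it was refused; that is the data the text says is used to identify agents of change.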

Data Classification

Data classification is the primary means by which data is protected based on its secrecy, sensitivity, or confidentiality. It is inefficient to treat all data the same when designing and implementing a security system. Some data items need more security than others. Securing everything at a low security level means sensitive data is easily accessible. Securing everything at a high security level is too expensive and restricts access to unclassified, noncritical data. Data classification is used to determine how much effort, money, and resources are allocated to protect the data and control access to it.

The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity. Data classification is used to provide security mechanisms for the storage, processing, and transfer of data. It also addresses how data is removed from a system and destroyed.

The criteria by which data is classified vary based on the organization performing the classification. However, there are numerous generalities that can be gleaned from common or standardized classification systems:

·         Usefulness of the data

·         Timeliness of the data

·         Value or cost of the data

·         Maturity or age of the data

·         Lifetime of the data (or when it expires)

·         Association with personnel

·         Data disclosure damage assessment (i.e., how disclosure would affect the organization)

·         Data modification damage assessment (i.e., how modification would affect the organization)

·         National security implications of the data

·         Authorized access to the data (i.e., who has access to the data)

·         Restriction from the data (i.e., who is restricted from the data)

·         Maintenance and monitoring of the data (i.e., who should maintain and monitor the data)

·         Storage of the data

Using whatever criteria is appropriate for the organization, data is evaluated and an appropriate data classification label is assigned to it. In some cases, the label is added to the data object. In other cases, labeling is simply assigned by the placement of the data into a storage mechanism or behind a security protection mechanism.

The two common classification schemes are government/military classification and commercial business/private sector classification. The government/military classification has five levels of classification (listed highest to lowest):

·         Top Secret The highest level of classification. Unauthorized disclosure of Top Secret data will have drastic effects and cause grave damage to national security.

·         Secret Used for data of a secret nature. Unauthorized disclosure of Secret data will have significant effects and cause critical damage to national security.

·         Confidential Used for data of a confidential nature. Unauthorized disclosure of Confidential data will have noticeable effects and cause serious damage to national security. This classification is used for all data between Secret and Sensitive but Unclassified classifications.

·         Sensitive but Unclassified Used for data of a sensitive or private nature, but this data would not cause significant damage if disclosed.

·         Unclassified The lowest level of classification. Used for data that is neither Sensitive nor Classified. Disclosure of Unclassified data does not compromise confidentiality nor cause any noticeable damage.

The classifications of Confidential, Secret, and Top Secret are collectively known or labeled as classified. Often, revealing the actual classification of data to unauthorized individuals is a violation of that data in and of itself. Thus, the term classified is used to generally refer to any data that is ranked above Sensitive but Unclassified. All classified data is exempt from the Freedom of Information Act as well as other laws and regulations.

The commercial business/private sector classification has four levels of classification (listed highest to lowest):

·         Confidential The highest level of classification. Used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for the company if confidential data is disclosed.

·         Private Used for data of a private or personal nature that is intended for internal use only. A significant negative impact could occur for the company or individuals if private data is disclosed.

·         Sensitive Used for data that is classified as greater than public data. A negative impact could occur for the company if sensitive data is disclosed.

·         Public The lowest level of classification. Used for all data that does not fit in one of the higher classifications. Its disclosure does not have a serious negative impact on the organization.

Another classification often used in the commercial business/private sector is proprietary. Proprietary data is a form of confidential information. If proprietary data is disclosed, it can have drastic effects on the competitive edge of an organization.
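As an added example that is not from the study guide, the Python below encodes both schemes exactly as listed above (highest to lowest), derives which government labels count as classified, assigns a label from some of the criteria in the earlier list (disclosure damage assessment, association with personnel, intended audience), and enforces the data-hiding rule that a subject at a lower level may not read data at a higher level. The classify_* rubrics and the sample inventory are constructed assumptions; a real organization writes its own.

```python
GOVERNMENT = ["Top Secret", "Secret", "Confidential",
              "Sensitive but Unclassified", "Unclassified"]
COMMERCIAL = ["Confidential", "Private", "Sensitive", "Public"]
SCHEMES = {"government": GOVERNMENT, "commercial": COMMERCIAL}


def rank(scheme: str, label: str) -> int:
    """Numeric sensitivity: the lowest level of a scheme is 0, the highest is len-1."""
    levels = SCHEMES[scheme]
    return len(levels) - 1 - levels.index(label)   # ValueError on an unknown label


def is_classified(label: str) -> bool:
    """Government scheme: everything ranked above Sensitive but Unclassified."""
    return rank("government", label) > rank("government", "Sensitive but Unclassified")


def lowest_classified() -> str:
    """The least sensitive label that still counts as classified."""
    return min((lbl for lbl in GOVERNMENT if is_classified(lbl)),
               key=lambda lbl: rank("government", lbl))


def can_read(scheme: str, clearance: str, label: str) -> bool:
    """Data hiding rule: a subject may read objects at or below its own level."""
    return rank(scheme, clearance) >= rank(scheme, label)


def classify_government(disclosure_damage: str, sensitive: bool = False) -> str:
    """Constructed rubric keyed on the disclosure damage assessment criterion."""
    by_damage = {"grave": "Top Secret", "critical": "Secret", "serious": "Confidential"}
    if disclosure_damage in by_damage:
        return by_damage[disclosure_damage]
    return "Sensitive but Unclassified" if sensitive else "Unclassified"


def classify_commercial(disclosure_impact: str, about_individuals: bool = False,
                        internal_only: bool = False) -> str:
    """Constructed rubric: personnel association and disclosure impact pick the label."""
    if about_individuals and internal_only:
        return "Private"
    if disclosure_impact == "significant":
        return "Confidential"
    if disclosure_impact == "negative":
        return "Sensitive"
    return "Public"


def readable(scheme: str, clearance: str, records: list) -> list:
    """Names of the (name, label) records a subject with this clearance may read."""
    return [name for name, label in records if can_read(scheme, clearance, label)]


# Constructed sample inventory for a commercial organization.
SAMPLE_RECORDS = [
    ("merger-plan.docx", classify_commercial("significant", internal_only=True)),
    ("payroll.xlsx", classify_commercial("significant", about_individuals=True,
                                         internal_only=True)),
    ("price-list.pdf", classify_commercial("negative")),
    ("brochure.pdf", classify_commercial("none")),
]
```

Because the rank is derived from the list order, adding a level to a scheme (proprietary, for instance) only requires inserting it in the right position; every comparison follows from that ordering rather than from hard-coded numbers.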

Summary

Security management concepts and principles are inherent elements in a security policy and in solution deployment. They define the basic parameters needed for a secure environment. They also define the goals and objectives that both policy designers and system implementers must achieve in order to create a secure solution. It is important for real-world security professionals as well as CISSP exam students to understand these items thoroughly.

The primary goals and objectives of security are contained within the CIA Triad: confidentiality, integrity, and availability. These three principles are considered the most important within the realm of security. Their importance to an organization depends on the organization's security goals and requirements and on how much of a threat to security exists in its environment.

The first principle from the CIA Triad is confidentiality, the principle that objects are not disclosed to unauthorized subjects. Security mechanisms that offer confidentiality offer a high level of confidence that data, objects, or resources are not exposed to unauthorized subjects. If a threat exists against confidentiality, there is the possibility that unauthorized disclosure could take place.

The second principle from the CIA Triad is integrity, the principle that objects retain their veracity and are only intentionally modified by authorized subjects. Security mechanisms that offer integrity offer a high level of confidence that the data, objects, and resources are unaltered from their original protected state. This includes alterations occurring while the object is in storage, in transit, or in process. Maintaining integrity means the object itself is not altered, nor are the operating system and programming entities that manage and manipulate the object compromised.

The third principle from the CIA Triad is availability, the principle that authorized subjects are granted timely and uninterrupted access to objects. Security mechanisms that offer availability offer a high level of confidence that the data, objects, and resources are accessible by authorized subjects. Availability includes efficient uninterrupted access to objects and prevention of denial of service attacks. It also implies that the supporting infrastructure is functional and allows authorized users to gain authorized access.

Other security-related concepts, principles, and tenets that should be considered and addressed when designing a security policy and deploying a security solution are privacy, identification, authentication, authorization, accountability, nonrepudiation, and auditing.

Yet another aspect of security solution concepts and principles is the elements of protection mechanisms: layering, abstraction, data hiding, and the use of encryption. These are common characteristics of security controls, and although not all security controls must have them, many controls use these mechanisms to protect confidentiality, integrity, and availability.

The control or management of change is an important aspect of security management practices. When a secure environment is changed, loopholes, overlaps, missing objects, and oversights can lead to new vulnerabilities. You can, however, maintain security by systematically managing change. This typically involves extensive logging, auditing, and monitoring of activities related to security controls and security mechanisms. This data is then used to identify agents of change, whether objects, subjects, programs, communication pathways, or even the network itself.

Data classification is the primary means by which data is protected based on its secrecy, sensitivity, or confidentiality. Because some data items need more security than others, it is inefficient to treat all data the same when designing and implementing a security system. If everything is secured at a low security level, sensitive data is easily accessible, but securing everything at a high security level is too expensive and restricts access to unclassified, noncritical data. Data classification is used to determine how much effort, money, and resources are allocated to protect the data and control access to it.

Exam Essentials

·         Understand CIA Triad element confidentiality. Confidentiality is the principle that objects are not disclosed to unauthorized subjects. Know why it is important, mechanisms that support it, attacks that focus on it, and effective countermeasures.

·         Understand CIA Triad element integrity. Integrity is the principle that objects retain their veracity and are only intentionally modified by authorized subjects. Know why it is important, mechanisms that support it, attacks that focus on it, and effective countermeasures.

·         Understand CIA Triad element availability. Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects. Know why it is important, mechanisms that support it, attacks that focus on it, and effective countermeasures.

·         Know how privacy fits into the realm of IT security. Know its multiple meanings/definitions, why it is important to protect, and the issues surrounding privacy, especially in a work environment.

·         Be able to explain how identification works. Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization, and accountability.

·         Understand the process of authentication. The process of verifying or testing that a claimed identity is valid is authentication. Authentication requires additional information from the subject that must exactly correspond to the identity indicated.

·         Know how authorization fits into a security plan. Once a subject is authenticated, its access must be authorized. The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity.

·         Be able to explain the auditing process. Monitoring, or auditing, is the programmatic means by which subjects are held accountable for their actions while authenticated on a system. Monitoring is also the process by which unauthorized or abnormal activities are detected on a system. Monitoring is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis.

·         Understand the importance of accountability. An organization's security policy can be properly enforced only if accountability is maintained. In other words, security can be maintained only if subjects are held accountable for their actions. Effective accountability relies upon the capability to prove a subject's identity and track their activities.

·         Be able to explain nonrepudiation. Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

·         Know how layering simplifies security. Layering is simply the use of multiple controls in series. Using a multilayered solution allows for numerous different and specific controls to be brought to bear against whatever threats come to pass.

·         Be able to explain the concept of abstraction. Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.

·         Understand data hiding. Data hiding is exactly what it sounds like: preventing data from being known by a subject. It is often a key element in security controls as well as in programming.

·         Understand the need for encryption. Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients. It can take many forms and be applied to every type of electronic communication, including text, audio, and video files, as well as programs themselves. Encryption is a very important element in security controls, especially in regard to the transmission of data between systems.

·         Be able to explain the concepts of change control and change management. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change.

·         Know why and how data is classified. Data is classified to simplify the process of assigning security controls to groups of objects rather than to individual objects. The two common classification schemes are government/military and commercial business/private sector. Know the five levels of government/military classification and the four levels of commercial business/private sector classification.

Key Terms

Before you take the exam, be certain you are familiar with the following terms:

·         abstraction

·         accountability

·         auditing

·         authentication

·         authorization

·         availability

·         change control

·         change management

·         CIA Triad

·         commercial business/private sector classification

·         confidentiality

·         data classification

·         data hiding

·         encryption

·         government/military classification

·         identification

·         integrity

·         layering

·         nonrepudiation

·         privacy

·         proprietary

·         Top Secret

Review Questions and Answers

1. 

Which of the following contains the primary goals and objectives of security?

A.     A network's border perimeter

B.     The CIA Triad

C.     A stand-alone system

D.     The Internet

B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.

2. 

Vulnerabilities and risks are evaluated based on their threats against which of the following?

A.     One or more of the CIA Triad principles

B.     Data usefulness

C.     Due care

D.     Extent of liability

A. Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.

3. 

Which of the following is the principle that authorized subjects are granted timely and uninterrupted access to objects?

A.     Identification

B.     Availability

C.     Encryption

D.     Layering

B. Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects.

4. 

Which of the following is not considered a violation of confidentiality?

A.     Stealing passwords

B.     Eavesdropping

C.     Hardware destruction

D.     Social engineering

C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.

5. 

Which of the following is not true?

A.     Violations of confidentiality include human error.

B.     Violations of confidentiality include management oversight.

C.     Violations of confidentiality are limited to direct intentional attacks.

D.     Violations of confidentiality can occur when a transmission is not properly encrypted.

C. Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.

6. 

Confidentiality is dependent upon which of the following?

A.     Accountability

B.     Availability

C.     Nonrepudiation

D.     Integrity

D. Without integrity, confidentiality cannot be maintained.

7. 

If a security mechanism offers availability, then it offers a high level of confidence that the data, objects, and resources are _______________ by authorized subjects.

A.     Controlled

B.     Audited

C.     Accessible

D.     Repudiated

C. Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it offers a high level of confidence that the data, objects, and resources are accessible by authorized subjects.

8. 

Which of the following is considered to be the freedom from being observed, monitored, or examined without consent or knowledge?

A.     Integrity

B.     Privacy

C.     Authentication

D.     Accountability

B. Privacy is freedom from being observed, monitored, or examined without consent or knowledge.

9. 

All but which of the following items require awareness for all individuals affected?

A.     The restriction of personal e-mail

B.     Recording phone conversations

C.     Gathering information about surfing habits

D.     The backup mechanism used to retain e-mail messages

D. Users should be aware that e-mail messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.

10. 

Which of the following is typically not used as an identification factor?

A.     Username

B.     Smart card swipe

C.     Fingerprint scan

D.     A challenge/response token device

D. A challenge/response token device is almost exclusively used as an authentication factor, not an identification factor.

11. 

What ensures that the subject of an activity or event cannot deny that the event occurred?

A.     CIA Triad

B.     Abstraction

C.     Nonrepudiation

D.     Hash totals

C. Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.

12. 

Which of the following is the most important and distinctive concept in relation to layered security?

A.     Multiple

B.     Series

C.     Parallel

D.     Filter

B. Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective.

13. 

Which of the following is not considered an example of data hiding?

A.     Preventing an authorized reader of an object from deleting that object

B.     Keeping a database from being accessed by unauthorized visitors

C.     Restricting a subject at a lower classification level from accessing data at a higher classification level

D.     Preventing an application from accessing hardware directly

A. Preventing an authorized reader of an object from deleting that object is just an access control, not data hiding. If you can read an object, it is not hidden from you.

14. 

What is the primary goal of change management?

A.     Maintaining documentation

B.     Keeping users informed of changes

C.     Allowing rollback of failed changes

D.     Preventing security compromises

D. The prevention of security compromises is the primary goal of change management.

15. 

What is the primary objective of data classification schemes?

A.     To control access to objects for authorized subjects

B.     To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity

C.     To establish a transaction trail for auditing accountability

D.     To manipulate access controls to provide for the most efficient means to grant or restrict functionality

B. The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.

16. 

Which of the following is typically not a characteristic considered when classifying data?

A.     Value

B.     Size of object

C.     Useful lifetime

D.     National security implications

B. Size is not a criterion for establishing data classification. When classifying an object, you should take value, lifetime, and security implications into consideration.

17. 

What are the two common data classification schemes?

A.     Military and private sector

B.     Personal and government

C.     Private sector and unrestricted sector

D.     Classified and unclassified

A. Military (or government) and private sector (or commercial business) are the two common data classification schemes.

18. 

Which of the following is the lowest military data classification for classified data?

A.     Sensitive

B.     Secret

C.     Sensitive but Unclassified

D.     Private

B. Of the options listed, Secret is the lowest classified military data classification.

19. 

Which commercial business/private sector data classification is used to control information about individuals within an organization?

A.     Confidential

B.     Private

C.     Sensitive

D.     Proprietary

B. The private commercial business/private sector data classification is used to protect information about individuals.

20. 

Data classifications are used to focus security controls over all but which of the following?

A.     Storage

B.     Processing

C.     Layering

D.     Transfer

C. Layering is a core aspect of security mechanisms, but it is not a focus of data classifications.


Chapter 1: Security Management Practices

Overview

In our first chapter, we enter the domain of Security Management. Throughout this book, you will see that many Information Systems Security domains have several elements and concepts that overlap. Although all other security domains are clearly focused, this domain introduces concepts that we extensively touch upon in both the Operations Security (Chapter 6) and Physical Security (Chapter 10) domains. A CISSP professional will be expected to know the following:

·         Basic security management concepts

·         The difference between policies, standards, guidelines, and procedures

·         Security awareness concepts

·         Risk management (RM) practices

·         Data classification levels

We will examine the InfoSec domain of Security Management by using the following elements:

·         Concepts of Information Security Management

·         The Information Classification process

·         Security Policy implementation

·         The roles and responsibilities of Security Administration

·         Risk Management Assessment tools

·         Security Awareness training

Note 

Throughout the book we have footnotes that will help direct the reader to additional study sources.

Domain Definition

The InfoSec domain of Security Management incorporates the identification of information data assets with the development and implementation of policies, standards, guidelines, and procedures. It defines the management practices of data classification and risk management. It also addresses confidentiality, integrity, and availability by identifying threats, classifying the organization's assets, and rating their vulnerabilities so that effective security controls can be implemented.

Management Concepts

Under the heading of Information Security Management concepts, we will discuss the following:

·         The big three: Confidentiality, Integrity, and Availability

·         The concepts of identification, authentication, accountability, authorization, and privacy

·         The objective of security controls (to reduce the impact of threats and the likelihood of their occurrence)

System Security Life Cycle

Security, like other aspects of an IT system, is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle, but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal.

Chapter 11 in the ISSEP study section describes systems security engineering in more detail, but let's get to know the basic steps of the system security life cycle. The order of these phases is[*]:

1.      Initiation phase.  During the initiation phase, the need for a system is expressed and the purpose of the system is documented.

2.      Development/acquisition phase.  During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed.

3.      Implementation phase.  During implementation, the system is tested and installed or fielded.

4.      Operation/maintenance phase.  During this phase, the system performs its work. The system is almost always being continuously modified by the addition of hardware and software and by numerous other events.

5.      Disposal phase.  The disposal phase of the IT system life cycle involves the disposition of information, hardware, and software.

The Big Three

Throughout this book, you will read about the three tenets of InfoSec: Confidentiality, Integrity, and Availability (C.I.A.), as shown in Figure 1-1. These concepts represent the three fundamental principles of information security. All of the information security controls and safeguards and all of the threats, vulnerabilities, and security processes are subject to the C.I.A. yardstick.

Figure 1-1: The C.I.A. triad.

Confidentiality.  The concept of confidentiality attempts to prevent the intentional or unintentional unauthorized disclosure of a message's contents. Loss of confidentiality can occur in many ways, such as through the intentional release of private company information or through a misapplication of network rights.

Integrity.  The concept of integrity ensures that:

·         Modifications are not made to data by unauthorized personnel or processes

·         Unauthorized modifications are not made to data by authorized personnel or processes

·         The data is internally and externally consistent; in other words, that the internal information is consistent among all subentities and that the internal information is consistent with the real-world, external situation

Availability.  The concept of availability ensures the reliable and timely access to data or computing resources by the appropriate personnel. In other words, availability guarantees that the systems are up and running when needed. In addition, this concept guarantees that the security services that the security practitioner needs are in working order.

Note 

The reverse of confidentiality, integrity, and availability is disclosure, alteration, and destruction (D.A.D.).

Other Important Concepts

There are also several other important concepts and terms that a CISSP candidate must fully understand. These concepts include identification, authentication, accountability, authorization, and privacy, and are found frequently throughout the book:

Identification.  The means by which users claim their identities to a system. Most commonly used for access control, identification is necessary for authentication and authorization.

Authentication.  The testing or reconciliation of evidence of a user's identity. It establishes the user's identity and ensures that the users are who they say they are.

Accountability.  A system's capability to determine the actions and behaviors of a single individual within a system and to identify that particular individual. Audit trails and logs support accountability.

Authorization.  The rights and permissions granted to an individual or process that enable access to a computer resource. Once a user's identity and authentication are established, authorization levels determine the extent of system rights that a user can hold.

Privacy.  The level of confidentiality and privacy protection given to a user in a system. This is often an important component of security controls. Privacy not only upholds the fundamental tenet of confidentiality for a company's data, but also covers the level of privacy afforded to the data that the operator is using.

NIST 33 Security Principles

In June 2001, the National Institute of Standards and Technology's (NIST) Information Technology Laboratory (ITL) published NIST Special Publication (SP) 800-27, "Engineering Principles for Information Technology Security (EP-ITS)" to assist in the secure design, development, deployment, and life cycle of information systems. It presents 33 security principles that start at the design phase of the information system or application and continue until the system's retirement and secure disposal. Some of the 33 principles that are most applicable to security management are[*]:

Principle 1.  Establish a sound security policy as the foundation for design.

Principle 2.  Treat security as an integral part of the overall system design.

Principle 5.  Assume that external systems are insecure.

Principle 6.  Identify potential trade-offs between reducing risk and increased costs and decreases in other aspects of operational effectiveness.

Principle 7.  Implement layered security; ensure there is no single point of vulnerability (see sidebar).

Principle 11.  Minimize the system elements to be trusted.

Principle 16.  Isolate public access systems from mission critical resources (e.g., data, processes, etc.).

Principle 17.  Use boundary mechanisms to separate computing systems and network infrastructures.

Principle 22.  Authenticate users and processes to ensure appropriate access control decisions both within and across domains.

Principle 23.  Use unique identities to ensure accountability.

Principle 24.  Implement least privilege.

Trade-Off Analysis (TOA)

ISSEP: The simplest examples of a trade-off analysis are the choices we make every minute of every day, often subconsciously, weighing the pros and cons of any action and the benefit versus the cost of each decision. In security management, this cost versus benefit analysis is a very important process. The need for, or value of, a particular security control must be weighed against its impact or resource allocation drain and its usefulness. Any company can have exemplary security with an infinite budget, but there is always a point of diminishing returns, when the security demands interfere with the primary business. Making the financial case to upper management for various security controls is a very important part of a security manager's function.


Layered Security Architecture

Security designs should consider a layered approach to address or protect against a specific threat or to reduce vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system. The need for layered protections is important when commercial-off-the-shelf (COTS) products are used. The current state-of-the-art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in levels, requiring additional work by attackers to accomplish their goals.

(Source: NIST SP 800-27, "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)")


 

A trade-off analysis can be formal or informal, depending upon the audience and the intent of the analysis. If the audience of the TOA is higher management or a client, often a formalized TOA, supported by objective evidence, documentation, and reports will be necessary. If the TOA is intended to be examined by internal staff or department, often it can be less formal. But the fundamental concepts and principles still apply in either case.

TOA Elements

The steps in a TOA are similar to the steps in the systems engineering methodology (see Chapter 11). The general steps in the TOA (formal or informal) are:

1.      Define the Objective.  The TOA is started by identifying the requirements that the solution must fulfill. These requirements can be expressed in terms of measures of effectiveness (MOEs).

2.      Identify Alternatives.  An effort must be made to identify the possible potential courses of action and include all promising candidate alternatives. Any course of action or possible candidate solution that fails to comply with any essential requirement should be rejected.

3.      Compare Alternatives.  The candidate solutions should be compared with one another with respect to each of the MOEs. The relative order of merit is judged by the cumulative rating of all the MOEs.

The detailed steps in a formal trade-off analysis process include:

1.      Define the objectives.

2.      Identify viable alternatives.

3.      Define the selection criteria.

4.      Assign weighting factors to the selection criteria.

5.      Assign value ratings for alternatives.

6.      Calculate competitive scores.

7.      Analyze the results.

8.      Create the TOA report.
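The formal steps above carried through in code, as an added example that is not from the book or NIST: criteria carry weighting factors (step 4), alternatives carry value ratings (step 5), candidates that miss an essential requirement are rejected before scoring (step 2), and the competitive score is the weighted sum of ratings (step 6). The criteria, weights, candidate controls and ratings are constructed for illustration.

```python
"""Formal trade-off analysis (TOA) by weighted competitive score.

Added example, not from the book. The criteria, weighting factors, candidate
controls and value ratings below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Criterion:
    """Steps 3 and 4: a selection criterion (an MOE) with its weighting factor."""
    name: str
    weight: int              # relative importance on a constructed 1..5 scale
    essential: bool = False  # a rating of 0 here means a hard requirement is unmet


@dataclass
class Alternative:
    """Steps 2 and 5: a candidate solution with a 0..5 value rating per criterion."""
    name: str
    ratings: dict
    score: float = 0.0
    rejected: str = ""       # non-empty when the candidate fails an essential criterion


def competitive_scores(criteria, alternatives):
    """Steps 2 and 6: drop candidates that miss an essential requirement, then
    score the rest as the weighted sum of their ratings. Returns the list
    ordered best first, with rejected candidates last."""
    names = {c.name for c in criteria}
    for alt in alternatives:
        missing = names - alt.ratings.keys()
        if missing:
            raise ValueError(f"{alt.name} has no rating for {sorted(missing)}")
        failed = [c.name for c in criteria if c.essential and alt.ratings[c.name] == 0]
        if failed:
            alt.rejected = "fails essential requirement: " + ", ".join(failed)
            alt.score = 0.0
            continue
        alt.rejected = ""
        alt.score = float(sum(c.weight * alt.ratings[c.name] for c in criteria))
    return sorted(alternatives, key=lambda a: (not a.rejected, a.score), reverse=True)


def toa_report(criteria, ranked):
    """Steps 7 and 8: a plain-text report showing how each score was built."""
    lines = [f"{'Alternative':<36} {'Score':>6}  Rejected?"]
    for alt in ranked:
        lines.append(f"{alt.name:<36} {alt.score:>6.1f}  {alt.rejected or '-'}")
        if not alt.rejected:
            detail = " + ".join(f"{c.weight}x{alt.ratings[c.name]}" for c in criteria)
            lines.append(f"    = {detail}")
    return "\n".join(lines)


# Constructed scenario: choosing how to protect a public-facing application.
CRITERIA = [
    Criterion("risk reduction", weight=5, essential=True),
    Criterion("regulatory compliance", weight=4, essential=True),
    Criterion("acquisition cost", weight=3),      # higher rating = cheaper
    Criterion("operational impact", weight=2),    # higher rating = less disruption
]

ALTERNATIVES = [
    Alternative("Layered: router + gateway + IDS",
                {"risk reduction": 5, "regulatory compliance": 5,
                 "acquisition cost": 2, "operational impact": 3}),
    Alternative("Managed detection service",
                {"risk reduction": 4, "regulatory compliance": 4,
                 "acquisition cost": 3, "operational impact": 4}),
    Alternative("Keep the single COTS firewall",
                {"risk reduction": 0, "regulatory compliance": 2,
                 "acquisition cost": 5, "operational impact": 5}),
]


def sample_toa():
    """Run the constructed scenario; the 'do nothing' option is rejected
    because its risk-reduction rating of 0 fails an essential criterion."""
    return competitive_scores(CRITERIA, ALTERNATIVES)


if __name__ == "__main__":
    print(toa_report(CRITERIA, sample_toa()))
```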

Objectives of Security Controls

The objective of security controls is to reduce vulnerabilities to a tolerable level and minimize the effect of an attack. To achieve this, the organization must determine the impact that an attack might have on an organization and the likelihood that the loss could occur. The process that analyzes various threat scenarios and produces a representative value for the estimated potential loss is the Risk Analysis (RA).

Controls function as countermeasures for vulnerabilities. There are many kinds, but generally they are categorized into four types[*]:

·         Deterrent controls reduce the likelihood of a deliberate attack.

·         Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact. Preventative controls inhibit attempts to violate security policy.

·         Corrective controls reduce the effect of an attack.

·         Detective controls discover attacks and trigger preventative or corrective controls. Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums.

To visualize the effect of security controls, it might help to create a matrix, wherein the y-axis represents the level of impact of a realized threat and the x-axis represents the likelihood of the threat being realized. When the matrix is created, it produces the graph shown in Figure 1-2. A properly implemented control should move the plotted point from the upper right — the threat value defined before the control was implemented — to the lower left (that is, toward 0,0) after the control is implemented. This concept is also useful when determining a control's cost/benefit ratio.

Figure 1-2: Simple threat matrix.

Therefore, an improperly designed or implemented control will show very little to no movement in the point before and after the control's implementation. The point's movement toward the 0,0 range could be so small (or in the case of badly designed controls, in the opposite direction) that it does not warrant the expense of implementation.


OMB Circular A-130

The Office of Management and Budget Circular A-130, revised November 30, 2000, requires that a review of the security controls for each major government application be performed at least every three years. For general support systems, OMB Circular A-130 requires that the security controls either be reviewed by an independent audit or self review. Audits can be self-administered or independent (either internal or external). The essential difference between a self-audit and an independent audit is objectivity; however, some systems may require a fully independent review. More information on auditing can be found in Chapter 6.


 

The goal, the 0,0 point (no threat with no likelihood), is obviously impossible to achieve because a very unlikely threat could still exist and have some measurable impact. For example, the possibility that a flaming pizza delivery van will crash into the operations center is extremely unlikely; however, this situation would likely have a fairly serious impact on the availability of computing resources.

[*] Source: NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems."

[*] Source: NIST SP 800-27, "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)," and "Federal Systems Level Guidance for Securing Information Systems," James Corrie, August 16, 2001.

[*] Source: Introduction to Risk Analysis, C & A Security Risk Analysis Group and NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems."

Information Classification Process

The first major process that we examine in this chapter is the concept of Information Classification. The Information Classification process is related to the domain of Business Continuity Planning and Disaster Recovery Planning because both focus on business risk and data valuation, yet it is still a fundamental concept in its own right — one that a CISSP candidate must understand.

Information Classification Objectives

There are several good reasons to classify information. Not all data has the same value to an organization. Some data is more valuable to the people who are making strategic decisions because it aids them in making long-range or short-range business direction decisions. Some data, such as trade secrets, formulas, and new product information, is so valuable that its loss could create a significant problem for the enterprise in the marketplace by creating public embarrassment or by causing a lack of credibility.

For these reasons, it is obvious that information classification has a higher, enterprise-level benefit. Information can have an impact on a business globally, not just on the business unit or line operation levels. Its primary purpose is to enhance confidentiality, integrity, and availability and to minimize the risks to the information. In addition, by focusing the protection mechanisms and controls on the information areas that need it the most, you achieve a more efficient cost-to-benefit ratio.

Information classification has the longest history in the government sector. Its value has long been established, and it is a required component when securing trusted systems. In this sector, information classification is used primarily to prevent the unauthorized disclosure of information and the resultant failure of confidentiality.

You can also use information classification to comply with privacy laws or to enable regulatory compliance. A company might wish to employ classification to maintain a competitive edge in a tough marketplace. There might also be sound legal reasons for a company to employ information classification, such as to minimize liability or to protect valuable business information.

Information Classification Benefits

In addition to the reasons mentioned previously, employing information classification has several clear benefits to an organization. Some of these benefits are as follows:

·         Demonstrates an organization's commitment to security protections

·         Helps identify which information is the most sensitive or vital to an organization

·         Supports the tenets of confidentiality, integrity, and availability as it pertains to data

·         Helps identify which protections apply to which information

·         Might be required for regulatory, compliance, or legal reasons

Information Classification Concepts

The information that an organization produces or processes must be classified according to the organization's sensitivity to its loss or disclosure. The data owners are responsible for defining the sensitivity level of the data. This approach enables the security controls to be properly implemented according to the classification scheme.

Classification Terms

The following definitions describe several governmental data classification levels ranging from the lowest level of sensitivity to the highest:

1.      Unclassified.  Information designated as neither sensitive nor classified. The public release of this information does not violate confidentiality.

2.      Sensitive but Unclassified (SBU).  Information designated as a minor secret that might not create serious damage if disclosed. Answers to tests are an example of this kind of information. Health care information is another example of SBU data.

3.      Confidential.  Information designated to be of a confidential nature. The unauthorized disclosure of this information could cause some damage to the country's national security. This level applies to documents labeled between SBU and Secret in sensitivity.

4.      Secret.  Information designated of a secret nature. The unauthorized disclosure of this information could cause serious damage to the country's national security.

5.      Top Secret.  The highest level of information classification. The unauthorized disclosure of Top Secret information will cause exceptionally grave damage to the country's national security.

In all of these categories, in addition to having the appropriate clearance to access the information, an individual or process must have a "need to know" the information. Thus, an individual cleared for Secret or below is not authorized to access Secret material that is not needed for him or her to perform assigned job functions.
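The two-part rule described above (clearance must dominate the classification, and the subject must have a need to know), plus the age-based declassification discussed later under Classification Criteria, as an added example that is not from the book. The subjects, documents and need-to-know categories (project code names) are constructed for illustration.

```python
"""Access decision combining clearance level with need-to-know.

Added example, not from the book. Subjects, documents and need-to-know
categories are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """The five government levels, ordered so a higher value is more sensitive."""
    UNCLASSIFIED = 0
    SBU = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Document:
    title: str
    level: Level
    need_to_know: frozenset = frozenset()      # categories a reader must be read into
    declassify_on: Optional[date] = None       # automatic declassification date, if any


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    need_to_know: frozenset = frozenset()      # categories the assigned job requires


def effective_level(document, today):
    """Age criterion: a document past its declassification date is Unclassified."""
    if document.declassify_on is not None and today >= document.declassify_on:
        return Level.UNCLASSIFIED
    return document.level


def can_access(subject, document, today):
    """Two independent conditions, both required: the clearance must dominate the
    (effective) classification, and the subject must have a need to know every
    category the document is marked with. The reason is returned so it can be
    written to the audit trail that supports accountability."""
    level = effective_level(document, today)
    if level == Level.UNCLASSIFIED:
        return True, "unclassified: public release does not violate confidentiality"
    if subject.clearance < level:
        return False, f"clearance {subject.clearance.name} is below {level.name}"
    missing = document.need_to_know - subject.need_to_know
    if missing:
        return False, "no need-to-know for " + ", ".join(sorted(missing))
    return True, f"cleared for {level.name} with need-to-know"


# Constructed sample data.
ALICE = Subject("alice", Level.SECRET, frozenset({"PROJECT_A"}))
BOB = Subject("bob", Level.UNCLASSIFIED)
DOCS = [
    Document("Project A test plan", Level.SECRET, frozenset({"PROJECT_A"})),
    Document("Project B budget", Level.SECRET, frozenset({"PROJECT_B"})),
    Document("Threat assessment", Level.TOP_SECRET, frozenset({"PROJECT_A"})),
    Document("1990 site survey", Level.SECRET, frozenset({"PROJECT_A"}),
             declassify_on=date(2015, 1, 1)),
]


def decisions(subject, today=date(2024, 6, 1)):
    """Decide every sample document for one subject: title -> (allowed, reason)."""
    return {d.title: can_access(subject, d, today) for d in DOCS}


if __name__ == "__main__":
    for who in (ALICE, BOB):
        for title, (ok, why) in decisions(who).items():
            print(f"{who.name:6} {title:22} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Alice is cleared for Secret yet is denied the Project B budget: same level, but no need to know, which is exactly the case the paragraph above describes.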

In addition, the following classification terms are also used in the private sector (see Table 1-1):

1.      Public.  Information that is similar to unclassified information; all of a company's information that does not fit into any of the next categories can be considered public. While its unauthorized disclosure may be against policy, it is not expected to impact seriously or adversely the organization, its employees, and/or its customers.

2.      Sensitive.  Information that requires a higher level of classification than normal data. This information is protected from a loss of confidentiality as well as from a loss of integrity due to an unauthorized alteration. This classification applies to information that requires special precautions to assure the integrity of the information by protecting it from unauthorized modification or deletion. It is information that requires a higher-than-normal assurance of accuracy and completeness.

3.      Private.  This classification applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and/or its employees. For example, salary levels and medical information are considered private.

4.      Confidential.  This classification applies to the most sensitive business information that is intended strictly for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization, its stockholders, its business partners, and/or its customers. This information is exempt from disclosure under the provisions of the Freedom of Information Act or other applicable federal laws or regulations. For example, information about new product development, trade secrets, and merger negotiations is considered confidential.

Table 1-1: Private/Commercial Sector Information Classification Scheme

Definition            Description
Public Use            Information that is safe to disclose publicly
Internal Use Only     Information that is safe to disclose internally but not externally
Company Confidential  The most sensitive need-to-know information

An organization may use the high, medium, or low classification scheme based upon its C.I.A. needs and whether it requires high, medium, or low protective controls. For example, a system and its information may require a high degree of integrity and availability, yet have no need for confidentiality.

The designated owners of information are responsible for determining data classification levels, subject to executive management review. Table 1-2 shows a simple H/M/L data classification for sensitive information.

Table 1-2: H/M/L Data Classification

Category   Description
High       Could cause loss of life, imprisonment, major financial loss, or require legal remediation if the information is compromised.
Medium     Could cause noticeable financial loss if the information is compromised.
Low        Would cause only minor financial loss or require minor administrative action for correction if the information is compromised.

(Source: NIST Special Publication 800-26, "Security Self-Assessment Guide for Information Technology Systems.")

Classification Criteria

Several criteria may be used to determine the classification of an information object:

Value.  Value is the most commonly used criterion for classifying data in the private sector. If the information is valuable to an organization or its competitors, it needs to be classified.

Age.  The classification of information might be lowered if the information's value decreases over time. In the Department of Defense, some classified documents are automatically declassified after a predetermined time period has passed.

Useful Life.  If the information has been made obsolete due to new information, substantial changes in the company, or other reasons, the information can often be declassified.

Personal Association.  If information is personally associated with specific individuals or is addressed by a privacy law, it might need to be classified. For example, investigative information that reveals informant names might need to remain classified.

Information Classification Procedures

There are several steps in establishing a classification system. These are the steps in priority order:

1.      Identify the administrator and data custodian.

2.      Specify the criteria for classifying and labeling the information.

3.      Classify the data by its owner, who is subject to review by a supervisor.

4.      Specify and document any exceptions to the classification policy.

5.      Specify the controls that will be applied to each classification level.

6.      Specify the termination procedures for declassifying the information or for transferring custody of the information to another entity.

7.      Create an enterprise awareness program about the classification controls.

Distribution of Classified Information

External distribution of classified information is often necessary, and the inherent security vulnerabilities will need to be addressed. Some of the instances when this distribution is necessary are as follows:

Court order.  Classified information might need to be disclosed to comply with a court order.

Government contracts.  Government contractors might need to disclose classified information in accordance with (IAW) the procurement agreements that are related to a government project.

Senior-level approval.  A senior-level executive might authorize the release of classified information to external entities or organizations. This release might require the signing of a confidentiality agreement by the external party.

Information Classification Roles

The roles and responsibilities of all participants in the information classification program must be clearly defined. A key element of the classification scheme is the role that the users, owners, or custodians of the data play in regard to the data. These roles are important to remember.

Various officials and organizational offices are typically involved with computer security. They include the following groups:

·         Senior management

·         Program managers

·         Application owners

·         Computer security management

·         Technology providers

·         Supporting organizations

·         Users

Senior management has the final responsibility through due care and due diligence to preserve the capital of the organization and further its business model through the implementation of a security program. While senior management does not have the functional role of managing security procedures, it has the ultimate responsibility to see that business continuity is preserved.

Owner

An information owner might be an executive or manager of an organization. This person is responsible for the information assets that must be protected. An owner is different from a custodian. The owner has the final corporate responsibility of data protection, and under the concept of due care the owner might be liable for negligence because of the failure to protect this data. The actual day-to-day function of protecting the data, however, belongs to a custodian.

The responsibilities of an information owner could include the following:

·         Making the original decision about what level of classification the information requires, which is based upon the business needs for the protection of the data

·         Reviewing the classification assignments periodically and making alterations as the business needs change

·         Delegating the responsibility of the data protection duties to the custodian

The information owner for information stored within, processed by, or transmitted by a system may or may not be the same as the System Owner. Also, a single system may utilize information from multiple Information Owners. The Information Owner is responsible for establishing the rules for appropriate use and protection of the subject data/information (rules of behavior). The Information Owner retains that responsibility even when the data/information are shared with other organizations.[*]

The System Owner is responsible for ensuring that the security plan is prepared and for implementing the plan and monitoring its effectiveness. The System Owner is responsible for defining the system's operating parameters, authorized functions, and security requirements.

Custodian

The owner of information delegates the responsibility of protecting that information to the information custodian. IT systems personnel commonly execute this role. The duties of a custodian might include the following:

·         Running regular backups and routinely testing the validity of the backup data

·         Performing data restoration from the backups when necessary

·         Maintaining those retained records IAW the established information classification policy

The custodian might also have additional duties, such as being the administrator of the classification scheme.

User

In the information classification scheme, an end user is considered to be anyone (such as an operator, employee, or external party) who routinely uses the information as part of his or her job. This person can also be considered a consumer of the data — someone who needs daily access to the information to execute tasks. The following are a few important points to note about end users:

·         Users must follow the operating procedures defined in an organization's security policy, and they must adhere to the published guidelines for its use.

·         Users must take "due care" to preserve the information's security during their work (as outlined in the corporate information use policies). They must prevent "open view" from occurring (see sidebar).

·         Users must use company computing resources only for company purposes and not for personal use.

Organizations should ensure an effective administration of users' computer access to maintain system security, including user account management, auditing, and the timely modification or removal of system access.[*] This includes:

User Account Management.  Organizations should have a process for requesting, establishing, issuing, and closing user accounts, tracking users and their respective access authorizations, and managing these functions.

Management Reviews.  It is necessary to periodically review user accounts. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, and whether required training has been completed.

Detecting Unauthorized/Illegal Activities.  Mechanisms besides auditing and analysis of audit trails should be used to detect unauthorized and illegal acts, such as rotating employees in sensitive positions, which could expose a scam that required an employee's presence, or periodic re-screening of personnel.
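The management review described above run over a handful of account records, as an added example that is not from the book or NIST: each account is checked against a least-privilege baseline for its role, for inactivity, for an out-of-date management authorization, for incomplete training, and for an account that outlived its employee. The records, the role baseline and the review thresholds are constructed for illustration.

```python
"""Periodic user account management review.

Added example, not from the book. The account records, role-to-privilege
baseline and thresholds below are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed least-privilege baseline: the privileges each role legitimately needs.
ROLE_BASELINE = {
    "analyst": {"read_reports"},
    "dba": {"read_reports", "db_admin"},
    "sysadmin": {"read_reports", "server_admin"},
}

INACTIVITY_LIMIT = timedelta(days=90)        # constructed review threshold
AUTHORIZATION_VALIDITY = timedelta(days=365) # constructed: re-authorize yearly

# Constructed sample records, as a reviewer might export them from an IAM system.
ACCOUNTS = [
    {"user": "adams", "role": "analyst", "privileges": {"read_reports"},
     "last_login": date(2024, 5, 20), "authorized_on": date(2023, 9, 1),
     "training_done": True, "employment": "active"},
    {"user": "baker", "role": "analyst", "privileges": {"read_reports", "db_admin"},
     "last_login": date(2024, 5, 29), "authorized_on": date(2024, 1, 15),
     "training_done": True, "employment": "active"},
    {"user": "clark", "role": "dba", "privileges": {"read_reports", "db_admin"},
     "last_login": date(2024, 1, 3), "authorized_on": date(2022, 4, 1),
     "training_done": False, "employment": "active"},
    {"user": "davis", "role": "sysadmin", "privileges": {"read_reports", "server_admin"},
     "last_login": date(2024, 5, 28), "authorized_on": date(2024, 3, 10),
     "training_done": True, "employment": "terminated"},
]


def review_account(acct, today):
    """Return the list of review findings for one account (empty if clean)."""
    findings = []
    baseline = ROLE_BASELINE.get(acct["role"], set())
    excess = acct["privileges"] - baseline
    if excess:
        findings.append(f"exceeds least privilege for role {acct['role']}: {sorted(excess)}")
    if acct["employment"] != "active":
        findings.append("account still enabled for a terminated employee")
    idle = today - acct["last_login"]
    if idle > INACTIVITY_LIMIT:
        findings.append(f"inactive for {idle.days} days")
    if today - acct["authorized_on"] > AUTHORIZATION_VALIDITY:
        findings.append("management authorization out of date")
    if not acct["training_done"]:
        findings.append("required training not completed")
    return findings


def management_review(accounts, today):
    """Review every account; returns only those with findings, user -> findings."""
    results = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            results[acct["user"]] = findings
    return results


if __name__ == "__main__":
    for user, findings in management_review(ACCOUNTS, date(2024, 6, 1)).items():
        print(user)
        for f in findings:
            print("  -", f)
```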

Employee Termination

Although actually under the purview of Human Resources, it's important that the ISO understand the impact of employee terminations on the integrity of the computer systems. Normally there are two types of terminations, friendly and unfriendly, and both require specific actions.

Friendly terminations should be accomplished by implementing a standard set of procedures for outgoing or transferring employees.[*] This normally includes:

·         The removal of access privileges, computer accounts, authentication tokens.

·         The briefing on the continuing responsibilities for confidentiality and privacy.

·         The return of company computing property, such as laptops.

·         The continued availability of data. In both the manual and the electronic worlds this may involve documenting procedures or filing schemes, such as how documents are stored on the hard disk and how they are backed up. Employees should be instructed whether or not to "clean up" their PC before leaving.

·         If cryptography is used to protect data, the availability of cryptographic keys to management personnel must be ensured.

Given the potential for adverse consequences during an unfriendly termination, organizations should do the following:

·         System access should be terminated as quickly as possible when an employee is leaving a position under less-than-friendly terms. If employees are to be fired, system access should be removed at the same time (or just before) the employees are notified of their dismissal.

·         When an employee notifies an organization of the resignation and it can be reasonably expected that it is on unfriendly terms, system access should be immediately terminated, or as soon as is feasible.


Open View

The term open view refers to the act of leaving classified documents in the open where an unauthorized person can see them, thus violating the information's confidentiality. Procedures to prevent open view should specify that information is to be stored in locked areas or transported in properly sealed containers, for example.


 

·         During the notice of termination period, it may be necessary to assign the individual to a restricted area and function. This may be particularly true for employees capable of changing programs or modifying the system or applications.

·         In some cases, physical removal from the offices may be necessary.

In either scenario, network access and system rights must be strictly controlled.

[*] Source: NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems."

[*] Source: NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems."

[*] Source: NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems."

Security Policy Implementation

Security policies are the foundation of a sound security implementation. Often organizations will implement technical security solutions without first creating this foundation of policies, standards, guidelines, and procedures, unintentionally creating unfocused and ineffective security controls.

We discuss the following questions in this section:

·         What are policies, standards, guidelines, and procedures?

·         Why do we use policies, standards, guidelines, and procedures?

·         What are the common policy types?

Policies, Standards, Guidelines, and Procedures

A policy is one of those terms that can mean several things. For example, there are security policies on firewalls, which refer to the access control and routing list information. Standards, procedures, and guidelines are also referred to as policies in the larger sense of a global information security policy.

A good, well-written policy is more than an exercise created on white paper — it is an essential and fundamental element of sound security practice. A policy, for example, can literally be a lifesaver during a disaster, or it might be a requirement of a governmental or regulatory function. A policy can also provide protection from liability due to an employee's actions, or it can control access to trade secrets.

NIST categorizes computer system security policies into three basic types:

·         Program policy — used to create an organization's computer security program

·         Issue-specific policies — used to address specific issues of concern to the organization

·         System-specific policies — technical directives taken by management to protect a particular system

Program policies and issue-specific policies both address policy from a broad level, usually encompassing the entire organization. Program policy is traditionally more general and strategic; for example, the organization's overall computer security program may be defined in a program policy. An issue-specific policy is a nontechnical policy addressing a single or specific issue of concern to the organization, such as the procedural guidelines for checking disks brought to work or email privacy concerns. Issue-specific policies are similar to program policies, in that they are not technically focused.

However, program policy and issue-specific policies do not provide sufficient information or direction, for example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policies fill this need. A system-specific policy is technically focused and addresses only one computer system or device type.

Table 1-3 helps illustrate the difference between these three types of NIST policies.

Table 1-3: NIST Security Policy Types

Policy Type             Description                Example
Program policy          High-level program policy  Senior-level management statement
Issue-specific policy   Addresses single issue     Email privacy policy
System-specific policy  Single-system directives   Router access control lists

(Source: National Institute of Standards and Technology, "An Introduction to Computer Security: The NIST Handbook Special Publication 800-12.")

Policy Types

In the corporate world, when we refer to specific policies rather than a group policy, we generally refer to those policies that are distinct from the standards, procedures, and guidelines. As you can see from the policy hierarchy chart in Figure 1-3, policies are considered the first and highest level of documentation, from which the lower-level elements of standards, procedures, and guidelines flow. This order, however, does not mean that policies are more important than the lower elements. These higher-level policies, which are the more general policies and statements, should be created first in the process for strategic reasons, and then the more tactical elements can follow.

Figure 1-3: Security Policy Hierarchy.

Senior Management Statement of Policy.  The first policy of any policy creation process is the Senior Management Statement of Policy. This is a general, high-level statement of a policy that contains the following elements:

·         An acknowledgment of the importance of the computing resources to the business model

·         A statement of support for information security throughout the enterprise

·         A commitment to authorize and manage the definition of the lower-level standards, procedures, and guidelines

Regulatory.  Regulatory policies are security policies that an organization must implement due to compliance, regulation, or other legal requirements. These companies might be financial institutions, public utilities, or some other type of organization that operates in the public interest. These policies are usually very detailed and are specific to the industry in which the organization operates.

Regulatory policies commonly have two main purposes:

1.      To ensure that an organization is following the standard procedures or base practices of operation in its specific industry

2.      To give an organization the confidence that it is following the standard and accepted industry policy

Advisory.  Advisory policies are security policies that are not mandated to be followed but are strongly suggested, perhaps with serious consequences defined for failure to follow them (such as termination, a job action warning, and so forth). A company with such policies wants most employees to consider these policies mandatory. Most policies fall under this broad category.

Advisory policies can have many exclusions or application levels. Thus, these policies can control some employees more than others, according to their roles and responsibilities within that organization. For example, a policy that requires a certain procedure for transaction processing might allow for an alternative procedure under certain, specified conditions.

Informative.  Informative policies are policies that exist simply to inform the reader. There are no implied or specified requirements, and the audience for this information could be certain internal (within the organization) or external parties. This does not mean that the policies are authorized for public consumption but that they are general enough to be distributed to external parties (vendors accessing an extranet, for example) without a loss of confidentiality.

Especially high visibility should be afforded the formal issuance of security policy. This is because nearly all employees at all levels will in some way be affected, major organizational resources will be addressed, and many new terms, procedures, and activities will be introduced.

Including security as a regular topic at staff meetings at all levels of the organization can be helpful. Also, providing visibility through such avenues as management presentations, panel discussions, guest speakers, question/answer forums, and newsletters can be beneficial.


Senior Management Commitment

Fundamentally important to any security program's success is the senior management's high-level statement of commitment to the information security policy process and the senior management's understanding of how important security controls and protections are to the enterprise's continuity. Senior management must be aware of the importance of security implementation to preserve the organization's viability (and for their own "due care" protection) and must publicly support that process throughout the enterprise.


Standards, Guidelines, and Procedures

The next level down from policies is the three elements of policy implementation: standards, guidelines, and procedures. These three elements contain the actual details of the policy, such as how it should be implemented and what standards and procedures should be used. They are published throughout the organization via manuals, the intranet, handbooks, or awareness classes.

It is important to know that standards, guidelines, and procedures are documents that are separate from, yet linked to, the general policies (especially the senior-level statement). Unfortunately, companies will often create one document that satisfies the needs of all of these elements. This situation is not good. There are a few good reasons why they should be kept separate:

·         Each of these elements serves a different function and focuses on a different audience. Also, physical distribution of the policies is easier.

·         Security controls for confidentiality are different for each policy type. For example, a high-level security statement might need to be available to investors, but the procedures for changing passwords should not be available to anyone who is not authorized to perform the task.

·         Updating and maintaining the policy is much more difficult when all the policies are combined into one voluminous document. Mergers, routine maintenance, and infrastructure changes all require that the policies be routinely updated. A modular approach to a policy document will keep the revision time and costs down.

Standards.  Standards specify the use of specific technologies in a uniform way. This standardization of operating procedures can be a benefit to an organization by specifying the uniform methodologies to be used for the security controls. Standards are usually compulsory and are implemented throughout an organization for uniformity.

Guidelines.  Guidelines are similar to standards; they refer to the methodologies of securing systems, but they are only recommended actions and are not compulsory. Guidelines are more flexible than standards and take into consideration the varying nature of the information systems. Guidelines can be used to specify the way standards should be developed, for example, or to guarantee the adherence to general security principles.

Procedures.  Procedures embody the detailed steps that are followed to perform a specific task. Procedures are the detailed actions that personnel must follow. They are considered the lowest level in the policy chain. Their purpose is to provide detailed steps for implementing the policies, standards, and guidelines previously created. Practices is also a term that is frequently used in reference to procedures.

Baselines.  Once a consistent set of baselines has been created, we can design the security architecture of an organization and develop standards. Baselines take into consideration the difference between various operating systems, for example, to ensure that the security is being uniformly implemented throughout the enterprise.

Roles and Responsibilities

Although members of an organization frequently wear multiple hats, defined roles and responsibilities are important in the security administration process. Also, roles and responsibilities are central to the separation of duties concept — the concept that security is enhanced through the division of responsibilities in the production cycle. Therefore, it is important that individual roles and responsibilities are clearly communicated and understood (see Table 1-4).

Table 1-4: Roles and Responsibilities

Role             Description
---------------  ------------------------------------------------------------------------
Senior Manager   Has the ultimate responsibility for security
InfoSec Officer  Has the functional responsibility for security
Owner            Determines the data classification
Custodian        Preserves the information's confidentiality, integrity, and availability (CIA)
User/Operator    Performs in accordance with (IAW) the stated policies
Auditor          Examines security

Some of these roles are:

Senior Management.  Executive or senior-level management is assigned the overall responsibility for the security of information. Senior management might delegate the function of security, but they are viewed as the end of the food chain when liability is concerned.

Information Systems Security Professionals.  Information systems security professionals are delegated the responsibility for implementing and maintaining security by the senior-level management. Their duties include the design, implementation, management, and review of the organization's security policy, standards, guidelines, and procedures.

Data Owners.  As we previously discussed in the section titled "Information Classification Roles," data owners are primarily responsible for determining the data's sensitivity or classification levels. They can also be responsible for maintaining the information's accuracy and integrity.

Users.  As we previously discussed in the section titled "Information Classification Roles," users are responsible for following the procedures set out in the organization's security policy during the course of their normal daily tasks.

Information Systems Auditors.  Information systems auditors are responsible for providing reports to the senior management on the effectiveness of the security controls by conducting regular, independent audits. They also examine whether the security policies, standards, guidelines, and procedures effectively comply with the company's stated security objectives.

Risk Management

A major component of InfoSec is Risk Management (RM). RM's main function is to mitigate risk. Mitigating risk means to reduce risk until it reaches a level that is acceptable to an organization. We can define RM as the identification, analysis, control, and minimization of loss that is associated with events.

The identification of risk to an organization entails defining the following basic elements:

·         The actual threat

·         The possible consequences of the realized threat

·         The probable frequency of the occurrence of a threat

·         How confident we are that the threat will happen

Many formulas and processes are designed to help provide some certainty when answering these questions. We should point out, however, that because life and nature are constantly evolving and changing, we cannot consider every possibility. RM tries as much as possible to see the future and to lower the possibility of threats impacting a company.

 

Note 

It's important to remember that the risk to an enterprise can never be totally eliminated; that would entail ceasing operations. Risk management means finding out what level of risk the enterprise can safely tolerate and still continue to function effectively.

Principles of Risk Management

The RM task process has several elements, primarily including the following:

·         Performing a Risk Analysis, including the cost-benefit analysis of protections

·         Implementing, reviewing, and maintaining protections

To enable this process, you will need to determine some properties of the various elements, such as the value of assets, threats, and vulnerabilities and the likelihood of events. A primary part of the RM process is assigning values to threats and estimating how often (or how likely) that threat will occur. To perform this task, several formulas and terms have been developed, and the CISSP candidate must fully understand them. The terms and definitions listed in the following section are ranked in the order that they are defined during the Risk Analysis (RA).

The Purpose of Risk Analysis

The main purpose of performing a Risk Analysis is to quantify the impact of potential threats — to put a price or value on the cost of a lost business functionality. The two main results of an RA — the identification of risks and the cost/benefit justification of the countermeasures — are vitally important to the creation of a risk mitigation strategy.

There are several benefits to performing an RA. It creates a clear cost-to-value ratio for security protections. It also influences the decision-making process dealing with hardware configuration and software systems design. In addition, it helps a company focus its security resources where they are needed most. Furthermore, it can influence planning and construction decisions, such as site selection and building design.

Terms and Definitions

The following are RA terms that the CISSP candidate will need to know:

Asset.  An asset is a resource, process, product, computing infrastructure, and so forth that an organization has determined must be protected. The loss of the asset could intangibly affect confidentiality, integrity, or availability, or it could have a tangible dollar value. It could also affect the ability of an organization to continue in business. The value of an asset is composed of all of the elements that are related to that asset — its creation, development, support, replacement, public credibility, considered costs, and ownership values.

Threat.  Simply put, the presence of any potential event that causes an undesirable impact on the organization is called a threat. As we will discuss in the Operations Domain, a threat could be man-made or natural and could have a small or large effect on a company's security or viability.

Vulnerability.  The absence or weakness of a safeguard constitutes a vulnerability. A minor threat has the potential to become a greater or more frequent threat because of a vulnerability. Think of a vulnerability as the opening through which a threat gets past a safeguard and into the system. Combined with the terms asset and threat, vulnerability is the third part of an element that is called a triple in risk management.

Safeguard.  A safeguard is the control or countermeasure employed to reduce the risk associated with a specific threat or group of threats.

Exposure Factor (EF).  The EF represents the percentage of loss that a realized threat event would have on a specific asset. This value is necessary to compute the Single Loss Expectancy (SLE), which in turn is necessary to compute the Annualized Loss Expectancy (ALE). The EF can be a small percentage, such as the effect of a loss of some hardware, or a very large percentage, such as the catastrophic loss of all computing resources.

Single Loss Expectancy (SLE).  An SLE is the dollar figure that is assigned to a single event. It represents an organization's loss from a single threat and is derived from the following formula:

Asset Value ($) × Exposure Factor (EF) = SLE

For example, an asset valued at $100,000 that is subjected to an exposure factor of 30 percent would yield an SLE of $30,000. While this figure is defined primarily in order to create the Annualized Loss Expectancy (ALE), it is occasionally used by itself to describe a disastrous event for a Business Impact Assessment (BIA).

Annualized Rate of Occurrence (ARO).  The ARO is a number that represents the estimated frequency with which a threat is expected to occur. The range for this value can be from 0.0 (never) to a large number (for minor errors, such as misspellings of names in data entry). How this number is derived can be very complicated. It is usually created based upon the likelihood of the event and the number of employees that could make that error occur. The loss incurred by this event is not a concern here, only how often it occurs.

For example, a meteorite damaging the data center could be estimated to occur only once every 100,000 years and will therefore have an ARO of .00001. In contrast, if each of 100 data entry operators is estimated to make an unauthorized access attempt six times a year, the threat will have an ARO of 600.

Annualized Loss Expectancy (ALE).  The ALE, a dollar value, is derived from the following formula:

Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO) = ALE

In other words, an ALE is the annually expected financial loss to an organization from a threat. For example, a threat with a dollar value of $100,000 (SLE) that is expected to happen only once in 1,000 years (ARO of .001) will result in an ALE of $100. This example helps to provide a more reliable cost-benefit analysis. Remember that the SLE is derived from the asset value and the Exposure Factor (EF). Table 1-5 shows these formulas.

Table 1-5: Risk Analysis Formulas

Concept                               Derivation Formula
------------------------------------  ------------------------------------------------------------------
Exposure Factor (EF)                  Percentage of asset loss caused by threat
Single Loss Expectancy (SLE)          Asset Value × Exposure Factor (EF)
Annualized Rate of Occurrence (ARO)   Frequency of threat occurrence per year
Annualized Loss Expectancy (ALE)      Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
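The SLE, ARO, and ALE formulas above, applied to a small risk register, as an added Python example that is not part of the book. The register, its threat names, asset values, and exposure factors are constructed assumptions; the meteorite and data-entry occurrence rates reproduce the two ARO examples in the text, and the $100,000 asset with a 30 percent exposure factor reproduces the SLE example.

```python
"""Quantitative risk analysis helpers: SLE = AV x EF, ALE = SLE x ARO.

Added example (not from the book). The asset values, exposure factors and
occurrence rates in REGISTER are constructed to match the worked figures in
the text; they are not measured data.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value ($) x Exposure Factor, with EF given as a fraction 0.0..1.0."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(events_per_period: float, period_years: float,
                                  population: int = 1) -> float:
    """ARO = expected events per year, summed over every actor or source
    (the 'population') that can trigger the event independently."""
    if period_years <= 0:
        raise ValueError("period must be positive")
    return events_per_period / period_years * population


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected annual loss from one threat."""
    return sle * aro


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # dollars
    exposure_factor: float  # fraction of the asset lost per event
    aro: float              # expected occurrences per year

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)


def rank_by_ale(threats):
    """Order threats by annual expected loss, highest first. This ordering,
    not the per-event SLE, is what directs safeguard spending."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


# Constructed register (assumed figures). The meteorite ARO is 1 in 100,000
# years; the operator ARO is 100 operators x 6 attempts per year each.
REGISTER = [
    Threat("Meteorite strikes data center", 5_000_000, 1.0,
           annualized_rate_of_occurrence(1, 100_000)),
    Threat("Unauthorized access attempt by operator", 2_000, 0.05,
           annualized_rate_of_occurrence(6, 1, population=100)),
    Threat("Fire in server room", 100_000, 0.30, 0.001),
]

if __name__ == "__main__":
    for t in rank_by_ale(REGISTER):
        print(f"{t.name:42s} SLE=${t.sle:>12,.2f}  ARO={t.aro:>10.5f}  ALE=${t.ale:>10,.2f}")
```

Ranking by ALE is the point of the exercise: the meteorite has a catastrophic SLE but a negligible ALE, while the routine, low-impact access attempts dominate the annual expected loss and are therefore where the first safeguard dollars should go.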

Overview of Risk Analysis

We now discuss the four basic elements of the Risk Analysis process:

1.      Quantitative Risk Analysis

2.      Qualitative Risk Analysis

3.      Asset Valuation Process

4.      Safeguard Selection

Quantitative Risk Analysis

The difference between quantitative and qualitative RA is fairly simple: Quantitative RA attempts to assign independently objective numeric values (hard dollars, for example) to the components of the risk assessment and to the assessment of potential losses. Qualitative RA addresses more intangible values of a data loss and focuses on other issues, rather than on the pure, hard costs.

When all elements (asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability) are measured, rated, and assigned values, the process is considered to be fully quantitative. Fully quantitative risk analysis is not possible, however, because qualitative measures must always be applied. Thus, you should be aware that just because the figures look hard on paper does not mean it is possible to foretell the future with any certainty.

A quantitative risk analysis process is a major project, and as such it requires a project or program manager to manage the main elements of the analysis. A major part of the initial planning for the quantitative RA is the estimation of the time required to perform the analysis. In addition, you must also create a detailed process plan and assign roles to the RA team.

A Preliminary Security Examination (PSE) is often conducted before the actual quantitative RA. The PSE helps to gather the elements that you will need when the actual RA takes place. A PSE also helps to focus an RA. Elements that are defined during this phase include asset costs and values, a listing of various threats to an organization (in terms of threats to both the personnel and the environment), and documentation of the existing security measures. The PSE is normally then subject to a review by an organization's management before the RA begins.

Any combination of the following techniques can be used in gathering information relevant to the IT system within its operational boundary[*]:

Questionnaire.  The questionnaire should be distributed to the applicable technical and nontechnical management personnel who are designing or supporting the IT system.

On-Site Interviews.  On-site visits also allow risk assessment personnel to observe and gather information about the physical, environmental, and operational security of the IT system.

Document Review.  Policy documents, system documentation, and security-related documentation can provide good information about the security controls used by and planned for the IT system.

Automated Scanning Tools.  Proactive technical methods can be used to collect system information efficiently.

Risk Analysis Steps

The three primary steps in performing a risk analysis are similar to the steps in performing a Business Impact Assessment (see Chapter 8). A risk analysis is commonly much more comprehensive, however, and is designed to be used to quantify complicated, multiple-risk scenarios.

The three primary steps are as follows:

1.      Estimate the potential losses to assets by determining their value.

2.      Analyze potential threats to the assets.

3.      Define the Annualized Loss Expectancy (ALE).

Estimate Potential Losses

To estimate the potential losses incurred when a threat is realized, the assets must be valued, commonly by using some sort of standard asset valuation process (we describe this task in more detail later). This process assigns a financial value to the asset and then applies the EF and SLE calculations to it.

Analyze Potential Threats

Here, we determine what the threats are, how likely they are to occur, and how often. To define the threats, we must also understand the asset's vulnerabilities and perform an ARO calculation for the threat and vulnerabilities.


Automated Risk Analysis Products

There are several good automated risk analysis products on the market. The main objective of these products is to minimize the manual effort expended to create the risk analysis and to provide the capability to forecast expected losses quickly and with differing input variations. The creation of a database during an initial automated process enables the operator to rerun the analysis by using different parameters to create a what-if scenario. These products enable the users to perform calculations quickly in order to estimate future expected losses, thereby determining the benefit of their implemented safeguards.


All types of threats should be considered in this section, no matter whether they seem likely or not. It might be helpful to organize the threat listing into the types of threats by source or by their expected magnitude. In fact, some organizations can provide statistics on the frequency of various threats that occur in your area. In addition, the other domains of InfoSec discussed in this book have several varied listings of the categories of threats.

Some of the following categories of threats could be included in this section:

Data Classification.  Data aggregation or concentration that results in data inference, covert channel manipulation, a malicious code/virus/Trojan horse/worm/logic bomb, or a concentration of responsibilities (lack of separation of duties).

Information Warfare.  Technology-oriented terrorism, malicious code or logic, or emanation interception for military or economic espionage.

Personnel.  Unauthorized or uncontrolled system access, misuse of technology by authorized users, tampering by disgruntled employees, or falsified data input.

Application/Operational.  An ineffective security application that results in procedural errors or incorrect data entry.

Criminal.  Physical destruction or vandalism, the theft of assets or information, organized insider theft, armed robbery, or physical harm to personnel.

Environmental.  Utility failure, service outage, natural disasters, or neighboring hazards.

Computer Infrastructure.  Hardware/equipment failure, program errors, operating system flaws, or a communications system failure.

Delayed Processing.  Reduced productivity or a delayed funds collection that results in reduced income, increased expenses, or late charges.

Define the Annualized Loss Expectancy (ALE)

Once we have determined the SLE and ARO, we can estimate the ALE by using the formula that we previously described.

Results

After performing the Risk Analysis, the final results should contain the following:

·         Valuations of the critical assets in hard costs

·         A detailed listing of significant threats

·         Each threat's likelihood and possible occurrence rate

·         Loss potential by a threat — the dollar impact that the threat will have on an asset

·         Recommended remedial measures and safeguards or countermeasures

Remedies

There are three generic remedies to risk; the remedy chosen might take the form of one, or a combination, of the following three:

Risk Reduction.  Taking measures to alter or improve the risk position of an asset throughout the company

Risk Transference.  Assigning or transferring the potential cost of a loss to another party (like an insurance company)

Risk Acceptance.  Accepting the level of loss that will occur and absorbing that loss

The remedy chosen will usually be the one that results in the greatest risk reduction while retaining the lowest annual cost necessary to maintain a company.

Qualitative Risk Analysis

As we mentioned previously, a qualitative RA does not attempt to assign hard and fast costs to the elements of the loss. It is more scenario-oriented, and as opposed to a quantitative RA, a purely qualitative risk analysis is possible. Threat frequency and impact data are required to do a qualitative RA, however.

In a qualitative risk assessment, the seriousness of threats and the relative sensitivity of the assets are given a ranking, or qualitative grading, by using a scenario approach and creating an exposure rating scale for each scenario.

During a scenario description, we match various threats to identified assets. A scenario describes the type of threat and the assets facing potential loss and selects safeguards to mitigate the risk.

Qualitative Scenario Procedure

After the threat listing has been created, the assets for protection have been defined, and an exposure level rating is assigned, the qualitative risk assessment scenario begins. See Table 1-6 for a simple exposure rating scale.

Table 1-6: Simple Exposure Rating Level Scale

Rating Level   Exposure Percentage
-------------  -------------------
Blank or 0     No measurable loss
1              20% loss
2              40% loss
3              60% loss
4              80% loss
5              100% loss

The procedures in performing the scenario are as follows:

·         A scenario is written that addresses each major threat.

·         The business unit managers review the scenario for a reality check.

·         The RA team recommends and evaluates the various safeguards for each threat.

·         The RA team works through each finalized scenario by using a threat, asset, and safeguard.

·         The team prepares their findings and submits them to management.

After the scenarios have all been played out and the findings are published, management must implement the safeguards that were selected as being acceptable and begin to seek alternatives for the safeguards that did not work.

Asset Valuation Process

There are several elements of a process that determine the value of an asset. Both quantitative and qualitative RA (and Business Impact Assessment) procedures require a valuation to be made of the asset's worth to the organization. This valuation is a fundamental step in all security auditing methodologies. A common mistake made by organizations is not accurately identifying the information's value before implementing the security controls. This situation often results in a control that is ill suited for asset protection, is not financially effective, or is protective of the wrong asset. Table 1-7 demonstrates quantitative versus qualitative RA.

Table 1-7: Quantitative versus Qualitative RA

Property                         Quantitative   Qualitative
-------------------------------  -------------  -----------
Cost/benefit analysis            Yes            No
Financial hard costs             Yes            No
Can be automated                 Yes            No
Guesswork involved               Low            High
Complex calculations             Yes            No
Volume of information required   High           Low
Time/work involved               High           Low
Ease of communication            High           Low

Reasons for Determining the Value of an Asset

Here are some additional reasons to define the cost or value that we previously described:

·         The asset valuation is necessary to perform the cost-benefit analysis.

·         The asset's value might be necessary for insurance reasons.

·         The asset's value supports safeguard selection decisions.

·         The asset valuation might be necessary to satisfy due care and prevent negligence and legal liability.

Elements that Determine the Value of an Asset

Three basic elements determine an information asset's value:

1.      The initial and ongoing cost (to an organization) of purchasing, licensing, developing, and supporting the information asset

2.      The asset's value to the organization's production operations, research and development, and business model viability

3.      The asset's value established in the external marketplace and the estimated value of the intellectual property (trade secrets, patents, copyrights, and so forth)

Safeguard Selection Criteria

Once the risk analysis has been completed, safeguards and countermeasures must be researched and recommended. There are several standard principles that are used in the selection of safeguards to ensure that a safeguard is properly matched to a threat and to ensure that a given safeguard most efficiently implements the necessary controls. Important criteria must be examined before selecting an effective countermeasure.

Cost-Benefit Analysis

The number one safeguard selection criterion is the cost effectiveness of the control to be implemented, which is derived through the process of the cost-benefit analysis. To determine the total cost of the safeguard, many elements need to be considered, including the following:

·         The purchase, development, and/or licensing costs of the safeguard

·         The physical installation costs and the disruption to normal production during the installation and testing of the safeguard

·         Normal operating costs, resource allocation, and maintenance/repair costs

The simplest calculation to compute a cost-benefit for a given safeguard is as follows:

(ALE before safeguard implementation) – (ALE after safeguard implementation) – (annual safeguard cost) = value of safeguard to the organization

For example, if an ALE of a threat has been determined to be $10,000, the ALE after the safeguard implementation is $1,000, and the annual cost to operate the safeguard totals $500, then the value of a given safeguard is thought to be $8,500 annually. This amount is then compared against the startup costs, and the benefit or lack of benefit is determined.

This value can be derived for a single safeguard or for a collection of safeguards through a series of more complex calculations. In addition to the financial cost-benefit ratio, other factors can influence the decision of whether to implement a specific security safeguard. For example, an organization is exposed to legal liability if the cost to implement a safeguard is less than the cost resulting from the realized threat and the organization does not implement the safeguard.
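The safeguard cost-benefit formula above, worked as an added Python example that is not the book's own material. The candidate safeguards, their residual ALEs, and their startup costs are constructed assumptions; the first candidate uses the text's $10,000 / $1,000 / $500 figures. The example goes one step beyond the text by comparing the annual value against the startup cost over a planning horizon, which is the comparison the paragraph says must follow the annual calculation.

```python
"""Safeguard selection by cost-benefit analysis.

Added example (not from the book). CANDIDATES holds constructed figures;
only the first candidate's ALE and operating cost come from the text's
worked example.
"""
from dataclasses import dataclass
from typing import Optional


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before safeguard) - (ALE after safeguard) - (annual safeguard cost)."""
    return ale_before - ale_after - annual_cost


@dataclass(frozen=True)
class Safeguard:
    name: str
    ale_before: float    # ALE of the threat with no safeguard in place
    ale_after: float     # residual ALE once this safeguard is operating
    annual_cost: float   # operating, maintenance, repair and staffing cost per year
    startup_cost: float  # purchase, licensing, installation and production disruption

    @property
    def annual_value(self) -> float:
        """The book's formula: value of the safeguard to the organization per year."""
        return safeguard_value(self.ale_before, self.ale_after, self.annual_cost)

    @property
    def payback_years(self) -> Optional[float]:
        """Years of annual value needed to recover the startup cost; None when
        the safeguard costs more each year than the loss it prevents."""
        if self.annual_value <= 0:
            return None
        return self.startup_cost / self.annual_value


def select_safeguard(candidates, horizon_years: float):
    """Choose the candidate with the greatest net benefit over the planning
    horizon (annual value x years, minus startup cost). A candidate that does
    not pay for itself within the horizon is never chosen; returns None if no
    candidate does (accepting the risk is then the cheaper remedy)."""
    best = None
    best_net = 0.0
    for c in candidates:
        net = c.annual_value * horizon_years - c.startup_cost
        if net > best_net:
            best, best_net = c, net
    return best


# Constructed candidates for a single threat with an unmitigated ALE of $10,000.
CANDIDATES = [
    Safeguard("Hardened backup appliance", 10_000, 1_000, 500, 12_000),   # text's figures: $8,500/yr
    Safeguard("Managed monitoring service", 10_000, 2_000, 4_000, 0),     # $4,000/yr, no startup cost
    Safeguard("Full hot site", 10_000, 100, 9_500, 50_000),                # $400/yr, never pays back
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:28s} value/yr=${c.annual_value:>8,.0f}  payback={c.payback_years}")
    for years in (1, 3):
        pick = select_safeguard(CANDIDATES, years)
        print(f"{years}-year horizon: {pick.name if pick else 'accept the risk'}")
```

The horizon changes the answer: over one year the appliance has not yet recovered its $12,000 startup cost, so the no-startup monitoring service wins, while over three years the appliance's larger annual value prevails. That is why the text insists the annual figure be compared against startup costs rather than used on its own.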

Level of Manual Operations

The amount of manual intervention required to operate the safeguard is also a factor in the choice of a safeguard. In case after case, vulnerabilities are created due to human error or an inconsistency in application. In contrast, automated systems require fail-safe defaults to allow for manual shutdown capability in case a vulnerability occurs. The more automated a process, the more sustainable and reliable that process will be.

In addition, a safeguard should not be too difficult to operate, and it should not unreasonably interfere with the normal operations of production. These characteristics are vital for the acceptance of the control by operating personnel and for acquiring the all-important management support required for the safeguard to succeed.

Auditability and Accountability Features

The safeguard must allow for the inclusion of auditing and accounting functions. The safeguard must also have the capability for auditors to audit and test it, and its accountability must be implemented to effectively track each individual who accesses the countermeasure or its features.

Recovery Ability

The safeguard's countermeasure should be evaluated with regard to its functioning state after activation or reset. During and after a reset condition, the safeguard must provide the following:

·         No asset destruction during activation or reset

·         No covert channel access to or through the control during reset

·         No security loss or increase in exposure after activation or reset

·         No operator access or rights in the default state until the controls are fully operational


Back Doors

A back door, maintenance hook, or trap door is a programming element that gives application maintenance programmers access to the internals of the application, thereby bypassing the normal security controls of the application. While this function is valuable for the support and maintenance of a program, the security practitioner must be aware of these doors and provide a means of control and accountability during their use.

Vendor Relations

The credibility, reliability, and past performance of the safeguard vendor must be examined. In addition, the openness (open source) of the application's programming should be known, to avoid design secrecy that prevents later modifications or allows unknown applications to have a back door into the system. Vendor support and documentation should also be considered.

[*] Source: NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems."

Security Awareness

Although this section is our last for this chapter, it is not the least important. Security awareness is often an overlooked element of security management because most of a security practitioner's time is spent on controls, intrusion detection, risk assessment, and proactively or reactively administering security.

It should not be that way, however. People are often the weakest link in a security chain because they are not trained or generally aware of what security is all about. Employees must understand how their actions, even seemingly insignificant actions, can greatly impact the overall security position of an organization.

Employees must be aware of the need to secure information and to protect the information assets of an enterprise. Operators need training in the skills that are required to fulfill their job functions securely, and security practitioners need training to implement and maintain the necessary security controls.

All employees need education in the basic concepts of security and its benefits to an organization. The benefits of the three pillars of security awareness training — awareness, training, and education — will manifest themselves through an improvement in the behavior and attitudes of personnel and through a significant improvement in an enterprise's security.

The purpose of computer security awareness, training, and education is to enhance security by:

·         Improving awareness of the need to protect system resources

·         Developing skills and knowledge so computer users can perform their jobs more securely

·         Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation. In general, a computer security awareness and training program should encompass the following seven steps[*]:

1.      Identify program scope, goals, and objectives.

2.      Identify training staff.

3.      Identify target audiences.

4.      Motivate management and employees.

5.      Administer the program.

6.      Maintain the program.

7.      Evaluate the program.

Making computer system users aware of their security responsibilities and teaching them correct practices helps users change their behavior. It also supports individual accountability because without knowledge of the necessary security measures and how to use them, users cannot be truly accountable for their actions.

Awareness

As opposed to training, security awareness refers to an organization's personnel being generally, collectively aware of the importance of security and security controls. In addition to the benefits and objectives we previously mentioned, security awareness programs also have the following benefits:

·         Make a measurable reduction in the unauthorized actions attempted by personnel.

·         Significantly increase the effectiveness of the protection controls.

·         Help to avoid the fraud, waste, and abuse of computing resources.

The Need for User Security Training

All personnel using a system should have some kind of security training that is specific either to the controls employed or to general security concepts. Training is especially important for those users who are handling sensitive or critical data. The advent of the microcomputer and distributed computing has created an opportunity for the serious failures of confidentiality, integrity, and availability.

Personnel are considered "security aware" when they clearly understand the need for security, how security impacts viability and the bottom line, and the daily risks to computing resources.

It is important to have periodic awareness sessions to orient new employees and refresh senior employees. The material should always be direct, simple, and clear. It should be fairly motivational and should not contain a lot of techno-jargon, and you should convey it in a style that the audience easily understands. The material should show how the security interests of the organization parallel the interest of the audience and how they are important to the security protections.

Let's list a few ways that security awareness can be improved within an organization without a lot of expense or resource drain:

Live/interactive presentations.  Lectures, videos, and computer-based training (CBT).

Publishing/distribution.  Posters, company newsletters, bulletins, and the intranet.

Incentives.  Awards and recognition for security-related achievement.

Reminders.  Login banner messages and marketing paraphernalia such as mugs, pens, sticky notes, and mouse pads.

One caveat here: It is possible to oversell security awareness and to inundate personnel with a constant barrage of reminders. This will most likely have the effect of turning off their attention. It is important to find the right balance of selling security awareness. An awareness program should be creative and frequently altered to stay fresh.

Training and Education

Training is different from awareness in that it utilizes specific classroom or one-on-one instruction. The following types of training are related to InfoSec:

·         Security-related job training for operators and specific users

·         Awareness training for specific departments or personnel groups with security-sensitive positions

·         Technical security training for IT support personnel and system administrators

·         Advanced InfoSec training for security practitioners and information systems auditors

·         Security training for senior managers, functional managers, and business unit managers

In-depth training and education for systems personnel, auditors, and security professionals is very important and is considered necessary for career development. In addition, specific product training for security software and hardware is vital to the protection of the enterprise.

A good starting point for defining a security training program could be the topics of policies, standards, guidelines, and procedures that are in use at an organization. A discussion of the possible environmental or natural hazards or a discussion of recent common security errors or incidents — without blaming anyone publicly — could work. Motivating the students is always the prime directive of any training, and their understanding of the value of security's impact to the bottom line is also vital. A common training technique is to create hypothetical security vulnerability scenarios and then to get the students' input on the possible solutions or outcomes.

[*] Source: NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems."

Assessment Questions

You can find the answers to the following questions in Appendix A.

1. 

Which choice below is an incorrect description of a control?

a.       Detective controls discover attacks and trigger preventative or corrective controls.

b.      Corrective controls reduce the likelihood of a deliberate attack.

c.       Corrective controls reduce the effect of an attack.

d.      Controls are the countermeasures for vulnerabilities.

2. 

Which statement below is accurate about the reasons to implement a layered security architecture?

a.       A layered security approach is not necessary when using COTS products.

b.      A good packet-filtering router will eliminate the need to implement a layered security architecture.

c.       A layered security approach is intended to increase the work-factor for an attacker.

d.      A layered approach doesn't really improve the security posture of the organization.

3. 

Which choice below represents an application or system demonstrating a need for a high level of confidentiality protection and controls?

a.       Unavailability of the system could result in inability to meet payroll obligations and could cause work stoppage and failure of user organizations to meet critical mission requirements. The system requires 24-hour access.

b.      The application contains proprietary business information and other financial information, which if disclosed to unauthorized sources, could cause an unfair advantage for vendors, contractors, or individuals and could result in financial loss or adverse legal action to user organizations.

c.       Destruction of the information would require significant expenditures of time and effort to replace. Although corrupted information would present an inconvenience to the staff, most information, and all vital information, is backed up by either paper documentation or on disk.

d.      The mission of this system is to produce local weather forecast information that is made available to the news media forecasters and the general public at all times. None of the information requires protection against disclosure.

4. 

Which choice below is NOT a concern of policy development at the high level?

a.       Identifying the key business resources

b.      Identifying the type of firewalls to be used for perimeter security

c.       Defining roles in the organization

d.      Determining the capability and functionality of each role

5. 

Which choice below is NOT an accurate statement about the visibility of IT security policy?

a.       The IT security policy should not be afforded high visibility.

b.      The IT security policy could be visible through panel discussions with guest speakers.

c.       The IT security policy should be afforded high visibility.

d.      The IT security policy should be included as a regular topic at staff meetings at all levels of the organization.

6. 

Which question below is NOT accurate regarding the process of risk assessment?

a.       The likelihood of a threat must be determined as an element of the risk assessment.

b.      The level of impact of a threat must be determined as an element of the risk assessment.

c.       Risk assessment is the first process in the risk management methodology.

d.      Risk assessment is the final result of the risk management methodology.

7. 

Which choice below would NOT be considered an element of proper user account management?

a.       Users should never be rotated out of their current duties.

b.      The users' accounts should be reviewed periodically.

c.       A process for tracking access authorizations should be implemented.

d.      Periodically re-screen personnel in sensitive positions.

8. 

Which choice below is NOT one of NIST's 33 IT security principles?

a.       Implement least privilege.

b.      Assume that external systems are insecure.

c.       Totally eliminate any level of risk.

d.      Minimize the system elements to be trusted.

9. 

How often should an independent review of the security controls be performed, according to OMB Circular A-130?

a.       Every year

b.      Every three years

c.       Every five years

d.      Never

10. 

Which choice below BEST describes the difference between the System Owner and the Information Owner?

a.       There is a one-to-one relationship between system owners and information owners.

b.      One system could have multiple information owners.

c.       The Information Owner is responsible for defining the system's operating parameters.

d.      The System Owner is responsible for establishing the rules for appropriate use of the information.

11. 

Which choice below is NOT a generally accepted benefit of security awareness, training, and education?

a.       A security awareness program can help operators understand the value of the information.

b.      A security education program can help system administrators recognize unauthorized intrusion attempts.

c.       A security awareness and training program will help prevent natural disasters from occurring.

d.      A security awareness and training program can help an organization reduce the number and severity of errors and omissions.

12. 

Who has the final responsibility for the preservation of the organization's information?

a.       Technology providers

b.      Senior management

c.       Users

d.      Application owners

13. 

Which choice below is NOT an example of an issue-specific policy?

a.       Email privacy policy

b.      Virus-checking disk policy

c.       Defined router ACLs

d.      Unfriendly employee termination policy

14. 

Which statement below is NOT true about security awareness, training, and educational programs?

a.       Awareness and training help users become more accountable for their actions.

b.      Security education assists management in determining who should be promoted.

c.       Security improves the users' awareness of the need to protect information resources.

d.      Security education assists management in developing the in-house expertise to manage security programs.

15. 

Which choice below is an accurate statement about standards?

a.       Standards are the high-level statements made by senior management in support of information systems security.

b.      Standards are the first element created in an effective security policy program.

c.       Standards are used to describe how policies will be implemented within an organization.

d.      Standards are senior management's directives to create a computer security program.

16. 

Which choice below is a role of the Information Systems Security Officer?

a.       The ISO establishes the overall goals of the organization's computer security program.

b.      The ISO is responsible for day-to-day security administration.

c.       The ISO is responsible for examining systems to see whether they are meeting stated security requirements.

d.      The ISO is responsible for following security procedures and reporting security problems.

17. 

Which statement below is NOT correct about safeguard selection in the risk analysis process?

a.       Maintenance costs need to be included in determining the total cost of the safeguard.

b.      The best possible safeguard should always be implemented, regardless of cost.

c.       The most commonly considered criterion is the cost effectiveness of the safeguard.

d.      Many elements need to be considered in determining the total cost of the safeguard.

18. 

Which choice below is usually the number-one-used criterion to determine the classification of an information object?

a.       Value

b.      Useful life

c.       Age

d.      Personal association

19. 

What are high-level policies?

a.       They are recommendations for procedural controls.

b.      They are the instructions on how to perform a Quantitative Risk Analysis.

c.       They are statements that indicate a senior management's intention to support InfoSec.

d.      They are step-by-step procedures to implement a safeguard.

20. 

Which policy type is MOST likely to contain mandatory or compulsory standards?

a.       Guidelines

b.      Advisory

c.       Regulatory

d.      Informative

21. 

What does an Exposure Factor (EF) describe?

a.       A dollar figure that is assigned to a single event

b.      A number that represents the estimated frequency of the occurrence of an expected threat

c.       The percentage of loss that a realized threat event would have on a specific asset

d.      The annual expected financial loss to an organization from a threat

22. 

What is the MOST accurate definition of a safeguard?

a.       A guideline for policy recommendations

b.      A step-by-step instructional procedure

c.       A control designed to counteract a threat

d.      A control designed to counteract an asset

23. 

Which choice MOST accurately describes the differences between standards, guidelines, and procedures?

a.       Standards are recommended policies, whereas guidelines are mandatory policies.

b.      Procedures are step-by-step recommendations for complying with mandatory guidelines.

c.       Procedures are the general recommendations for compliance with mandatory guidelines.

d.      Procedures are step-by-step instructions for compliance with mandatory standards.

24. 

What are the detailed instructions on how to perform or implement a control called?

a.       Procedures

b.      Policies

c.       Guidelines

d.      Standards

25. 

How is an SLE derived?

a.       (Cost – benefit) × (% of Asset Value)

b.      AV × EF

c.       ARO × EF

d.      % of AV – implementation cost

26. 

What is a noncompulsory recommendation on how to achieve compliance with published standards called?

a.       Procedures

b.      Policies

c.       Guidelines

d.      Standards

27. 

Which group represents the MOST likely source of an asset loss through inappropriate computer use?

a.       Crackers

b.      Hackers

c.       Employees

d.      Saboteurs

28. 

Which choice MOST accurately describes the difference between the role of a data owner versus the role of a data custodian?

a.       The custodian implements the information classification scheme after the initial assignment by the owner.

b.      The data owner implements the information classification scheme after the initial assignment by the custodian.

c.       The custodian makes the initial information classification assignments, whereas the operations manager implements the scheme.

d.      The custodian implements the information classification scheme after the initial assignment by the operations manager.

29. 

What is an ARO?

a.       A dollar figure assigned to a single event

b.      The annual expected financial loss to an organization from a threat

c.       A number that represents the estimated frequency of an occurrence of an expected threat

d.      The percentage of loss that a realized threat event would have on a specific asset

30. 

Which formula accurately represents an Annualized Loss Expectancy (ALE) calculation?

a.       SLE × ARO

b.      Asset Value (AV) × EF

c.       ARO × EF – SLE

d.      % of ARO × AV

Answers

1. 

b

The other three answers are correct descriptions of controls.

2. 

c

Security designs should consider a layered approach to increase the work-factor an attacker must expend to successfully attack the system.

3. 

b

Although elements of all of the systems described could require specific controls for confidentiality, given the descriptions above, system b fits the definition most closely of a system requiring a very high level of confidentiality. Answer a is an example of a system requiring high availability. Answer c is an example of a system that requires medium integrity controls. Answer d is a system that requires only a low level of confidentiality.

4. 

b

Answers a, c, and d are elements of policy development at the highest level. Key business resources would have been identified during the risk assessment process. The various roles are then defined to determine the various levels of access to those resources. Answer d is the final step in the policy creation process and combines steps a and c. It determines which group gets access to each resource and what access privileges its members are assigned. Access to resources should be based on roles, not on individual identity.

5. 

a

The other three answers are correct statements about the visibility of IT security policy.

6. 

d

Risk assessment is the first process in the risk management methodology.

7. 

a

The other answers are elements of proper user account management.

8. 

c

Risk can never be totally eliminated. NIST IT security principle #4 states: "Reduce risk to an acceptable level."

9. 

b

OMB Circular A-130 requires that a review of the security controls for each major government application be performed at least every three years.

10. 

b

A single system may utilize information from multiple Information Owners.

11. 

c

The other answers are generally accepted benefits of security awareness, training, and education.

12. 

b

Senior management has the final responsibility through due care and due diligence to preserve the capital of the organization and further its business model through the implementation of a security program. Although senior management does not have the functional role of managing security procedures, it has the ultimate responsibility to see that business continuity is preserved.

13. 

c

Answer c is an example of a system-specific policy — in this case the router's access control lists. The other three answers are examples of issue-specific policy, as defined by NIST.

14. 

b

The other answers are correct statements about security awareness, training, and educational programs.

15. 

c

Answers a, b, and d describe policies. Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization.

16. 

b

Answer a is a responsibility of senior management. Answer c is a description of the role of auditing. Answer d is the role of the user, or consumer, of security in an organization.

17. 

b

Performing a cost-benefit analysis of the proposed safeguard before implementation is vital. The level of security afforded could easily outweigh the value of a proposed safeguard. Other factors need to be considered in the safeguard selection process, such as accountability, auditability, and the level of manual operations needed to maintain or operate the safeguard.

18. 

a

Value of the information asset to the organization is usually the first and foremost criterion used in determining its classification.

19. 

c

High-level policies are senior management statements of recognition of the importance of security controls to the mission of the organization.

20. 

c

Answer b, advisory policies, might specify penalties for noncompliance, but regulatory policies are required to be followed by the organization. Answers a and d are informational or recommended policies only.

21. 

c

Answer a is an SLE, b is an ARO, and d is an ALE.

22. 

c

Answer a is a guideline, b is a procedure, and d is a distracter.

23. 

d

The other answers are incorrect.

24. 

a

25. 

b

A Single Loss Expectancy is derived by multiplying the Asset Value with its Exposure Factor. The other answers do not exist.

26. 

c

27. 

c

Internal personnel far and away constitute the largest amount of dollar loss due to unauthorized or inappropriate computer use.

28. 

a

29. 

c

Answer a is the definition of SLE, b is an ALE, and d is an EF.

30. 

a

Answer b is the formula for an SLE, and answers c and d are nonsense.
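The quantitative formulas tested in questions 21, 25, 29, and 30 (SLE = AV × EF and ALE = SLE × ARO), together with the cost-benefit point behind question 17, worked through as an added Python example. This is not code from the book: the asset and safeguard figures are constructed, and the net-value formula it applies (ALE before the safeguard, minus ALE after it, minus the safeguard's annual cost) is the standard extension of the chapter's equations rather than one the chapter states.

```python
"""Quantitative risk analysis for safeguard selection.

Added worked example; all dollar figures below are constructed.
Formulas from the chapter:
    SLE = AV x EF      single loss expectancy, in dollars
    ALE = SLE x ARO    annualized loss expectancy, in dollars per year
Net-value formula (standard extension, an assumption beyond the chapter):
    value = ALE_before - ALE_after - annual_safeguard_cost
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Asset:
    """One asset under analysis."""
    name: str
    asset_value: float       # AV: value of the asset to the organization, in dollars
    exposure_factor: float   # EF: fraction (0..1) of AV lost when the threat is realized
    aro: float               # ARO: estimated occurrences of the threat per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a percentage of asset value, so it must lie in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")


def single_loss_expectancy(asset: Asset) -> float:
    """SLE = AV x EF: dollar loss from one realized threat event (question 25)."""
    return asset.asset_value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE x ARO: expected dollar loss per year (question 30)."""
    return single_loss_expectancy(asset) * asset.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and its effect on the asset's EF or ARO."""
    name: str
    purchase_cost: float          # one-time cost, spread over the useful life
    annual_maintenance: float     # recurring cost; question 17 puts it in the total cost
    lifetime_years: int
    new_exposure_factor: Optional[float] = None  # EF after the safeguard (limits damage)
    new_aro: Optional[float] = None              # ARO after the safeguard (prevents events)


def annual_safeguard_cost(safeguard: Safeguard) -> float:
    """Total yearly cost: amortized purchase price plus maintenance."""
    if safeguard.lifetime_years <= 0:
        raise ValueError("lifetime must be at least one year")
    return safeguard.purchase_cost / safeguard.lifetime_years + safeguard.annual_maintenance


def residual_asset(asset: Asset, safeguard: Safeguard) -> Asset:
    """The asset as it would look with the safeguard in place; untouched fields stay."""
    changes = {}
    if safeguard.new_exposure_factor is not None:
        changes["exposure_factor"] = safeguard.new_exposure_factor
    if safeguard.new_aro is not None:
        changes["aro"] = safeguard.new_aro
    return replace(asset, **changes)


def safeguard_value(asset: Asset, safeguard: Safeguard) -> float:
    """Net annual value: (ALE before) - (ALE after) - (annual cost of safeguard).
    A negative result means the safeguard costs more each year than the risk it removes,
    which is why 'the best possible safeguard regardless of cost' (question 17) is wrong."""
    before = annualized_loss_expectancy(asset)
    after = annualized_loss_expectancy(residual_asset(asset, safeguard))
    return before - after - annual_safeguard_cost(safeguard)


def rank_safeguards(asset: Asset, candidates: list) -> list:
    """(name, net value) pairs ordered best first, to pick the cost-effective option."""
    scored = [(s.name, safeguard_value(asset, s)) for s in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a file server and two ways of protecting its data.
FILE_SERVER = Asset(name="file server", asset_value=100_000, exposure_factor=0.25, aro=0.5)
BACKUP_APPLIANCE = Safeguard(name="backup appliance", purchase_cost=10_000,
                             annual_maintenance=1_500, lifetime_years=5,
                             new_exposure_factor=0.05)
REPLICATED_CLUSTER = Safeguard(name="fully replicated cluster", purchase_cost=40_000,
                               annual_maintenance=5_000, lifetime_years=5,
                               new_exposure_factor=0.0)

if __name__ == "__main__":
    print(f"SLE = {single_loss_expectancy(FILE_SERVER):,.2f}")
    print(f"ALE = {annualized_loss_expectancy(FILE_SERVER):,.2f}")
    for name, value in rank_safeguards(FILE_SERVER, [BACKUP_APPLIANCE, REPLICATED_CLUSTER]):
        print(f"{name}: net annual value {value:,.2f}")
```

With the constructed figures the server's SLE is 25,000 and its ALE 12,500 per year. The backup appliance costs 3,500 a year (2,000 amortized plus 1,500 maintenance) and cuts the ALE to 2,500, a net value of 6,500; the replicated cluster removes the loss entirely but costs 13,000 a year, so its net value is negative and the cheaper safeguard ranks first.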

Chapter 3: Security Management Practices

Overview

This chapter presents the following:

·         Security management responsibilities

·         Difference between administrative, technical, and physical controls

·         Three main security principles

·         Risk management and risk analysis

·         Security policies

·         Information classification

·         Security-awareness training

We hear about viruses causing millions of dollars in damages, hackers from other countries capturing credit card information from financial institutions, web sites of large corporations and governments being defaced for political reasons, and hackers being caught and sent to jail. These are the more exciting aspects of computer security, but realistically these activities are not what the average corporation or security professional usually has to deal with when it comes to daily or monthly security tasks. Although viruses and hacking get all the headlines, security management is the core of a company’s business and information security structure.

Security Management

Security management includes risk management, information security policies, procedures, standards, guidelines, baselines, information classification, security organization, and security education. These core components serve as the foundation of a corporation’s security program. The objective of security, and a security program, is to protect the company and its assets. A risk analysis identifies these assets, discovers the threats that put them at risk, and estimates the possible damage and potential loss a company could endure if any of these threats become real. The results of the risk analysis help management construct a budget with the necessary funds to protect the recognized assets from their identified threats and develop applicable security policies that provide direction for security activities. Security education takes this information to each and every employee within the company so that everyone is properly informed and can more easily work toward the same security goals.

Security management has changed over the years because networked environments, computers, and the applications that hold information have changed. Information used to be held in a mainframe, which is a more centralized network structure. The mainframe and management consoles that were used to access and configure the mainframe were placed in a centralized area instead of the distributed networks we see today. Only certain people were allowed access and only a small set of people knew how the mainframe worked, which drastically reduced security risks. Users were able to access information on the mainframe through dumb terminals (they were called this because they had little or no logic built into them). This also drastically reduced the need for strict security controls to be put into place. However, the computing society did not stay in this type of architecture. Now, most networks are filled with personal computers that have advanced logic and processing power, users know enough about the systems to be dangerous, and the information is not centralized within one “glass house.” Instead, the information lives on servers, workstations, and other networks. Information passes over wires and airways at a rate that was not even conceived of 10 to 15 years ago.

The Internet, extranets (business partner networks), and intranets not only make security much more complex, they make security even more critical. The core network architecture has changed from being a localized, stand-alone computing environment to a distributed computing environment that has increased exponentially with complexity. Although connecting a network to the Internet adds more functionality and services for the users and expands the company’s visibility to the Internet world, it opens the floodgates to potential security risks.

Today, a majority of organizations could not function if they were to lose their computers and computing capabilities. Computers have been integrated into the business and individual daily fabric, and their sudden unavailability would cause great pain and disruption. Many of the larger corporations already realize that their data is as much an asset to be protected as their physical buildings, factory equipment, and other physical assets. As networks and environments have changed, so has the need for security. Security is more than just a firewall and a router with an access list; these systems have to be managed, and a big part of security is managing the actions of users and the procedures they follow. This brings us to security management practices, which focus on the continuous protection of company assets.

Security Management Responsibilities

Okay, who is in charge and why?

In the world of security, management’s functions involve determining objectives, scope, policies, priorities, standards, and strategies. Management needs to define a clear scope and, before 100 people run off in different directions trying to secure the environment, determine actual goals that are expected to be accomplished from a security program. Management also needs to evaluate business objectives, security risks, user productivity, and functionality requirements and objectives. Finally, management must define steps to ensure that all of these issues are accounted for and properly addressed.

Many companies look at the business and productivity elements of the equation only and figure that information and computer security fall within the IT administrator’s responsibilities. In these situations, management is not taking computer and information security seriously, the consequence of which is that security will most likely remain underdeveloped, unsupported, underfunded, and unsuccessful. Security needs to be addressed at the highest levels of management. The IT administrator can consult with management on the subject, but the security of a company should not be delegated entirely to the IT administrator.

Security management relies on properly identifying and valuing a company’s assets, and then implementing security policies, procedures, standards, and guidelines to provide integrity, confidentiality, and availability for those assets. Various management tools are used to classify data and perform risk analysis and assessments. These tools identify vulnerabilities and exposure rates and rank the severity of identified vulnerabilities so that effective countermeasures can be implemented to mitigate risk in a cost-effective manner. Management’s responsibility is to provide protection for the resources it is responsible for and the company overall. These resources come in human, capital, hardware, and informational forms. Management must concern itself with ensuring that a security program is set up that recognizes the threats that can affect these resources and be assured that the necessary protective measures are put into effect.

The necessary resources and funding need to be available and strategic representatives need to be ready to participate in the security program. Management must assign responsibility and identify the roles necessary to get the security program off the ground and keep it thriving and evolving as the environment changes. Management must also integrate the program into the current business environment and monitor its accomplishments. Management’s support is one of the most important pieces of a security program. A simple nod and a wink will not provide the amount of support required.

The Top-Down Approach to Security

I will be making the rules around here. Response: You are nowhere near the top—thank goodness!

When a house is built, the workers start with a blueprint of the structure, then pour the foundation, and then erect the frame. As the building of the house continues, the workers know what the end result is supposed to be, so they add the right materials, insert doors and windows as specified in the blueprints, erect support beams, provide sturdy ceilings and floors, and add the plaster and carpet and smaller details until the house is complete. Then inspectors come in to ensure that the structure of the house and the components that were used to make it are acceptable. If this process did not start with a blueprint and a realized goal, the house could end up with an unstable foundation and doors and windows that don’t shut properly. This house would not pass inspection; thus, a lot of time and money would have been wasted.

Building a security program is analogous to building a house. When designing and implementing a security program, the project managers need to determine the functionality and realize the end result expected. Many times, companies just start locking down computers and installing firewalls without taking the time to understand the overall security requirements, goals, and assurance levels they expect from security as a whole within their environment. The team involved in the process should start from the top with very broad ideas and terms and work its way down to detailed configuration settings and system parameters. At each step, the team needs to keep in mind the overall security goals so that each piece that it adds is sure to provide more granularity to the intended goal; this helps the team to avoid splintering the main objectives by running in 15 different directions at once.

The security policy works as a blueprint for a company’s security program and provides the necessary foundation to build upon. This policy needs to be taken seriously from the beginning and developed with the idea that it will continually be reviewed to ensure that all security components stay in step and work to accomplish the same objectives and business goals.

The next step is to develop and implement procedures, standards, and guidelines that support the security policy and identify the security countermeasures and methods that need to be put into place. Once these items are developed, the security program increases in granularity by developing baselines and configurations for the chosen security controls and methods.

If security starts with a solid foundation and develops over time with understood goals and objectives, a company does not need to make drastic changes midstream. The process can be methodical, requiring less time, funds, and resources, and provide a proper balance between functionality and protection. This is not the norm, but with your insight, maybe you can help your company approach security in a more controlled manner. You could provide the necessary vision and understanding of how security should be properly planned, implemented, and evolved in an organized manner, thereby helping the company to avoid a result that is a giant heap of security products that are disjointed and full of flaws.

A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management and work their way through middle management and then to staff members. In contrast, a bottom-up approach refers to a situation in which the IT department tries to develop a security program without getting proper management support and direction. A bottom-up approach is usually less effective, not broad enough, and doomed to fail. A top-down approach makes sure that the people actually responsible for protecting the company’s assets (senior management) are driving the program.

Security Administration and Supporting Controls

If there is not a current security administration role, one should be established by management. The security administration role is directly responsible for monitoring a majority of the facets of a security program. Depending on the organization, security needs, and size of the environment, the security administration may consist of one person or a group of individuals who work in a central or decentralized manner. Whatever its size, the security administration requires a clear reporting structure, understanding of responsibilities, and testing and monitoring capabilities, to make sure that compromises do not slip in because of a lack of communication or comprehension.

Information owners should dictate which users can access their resources and what those users can do with those resources after they access them. The security administration’s job is to make sure that these objectives are implemented. The following controls should be utilized to achieve the management’s security directives:

·         Administrative controls   Include the developing and publishing of policies, standards, procedures, and guidelines; the screening of personnel; conducting security-awareness training; and implementing change control procedures.

·         Technical controls (also called logical controls)   Consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and configuration of the infrastructure.

·         Physical controls   Entail controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls.

Figure 3–1 illustrates how the administrative, technical, and physical controls work together to provide the necessary level of protection.

Figure 3–1: Administrative, technical, and physical controls should work in a synergistic manner to protect a company’s assets.

The information owner is usually a senior executive within the management group of the company, or head of a specific department. The information owner has the corporate responsibility for data protection and would be the one held liable for any negligence when it comes to protecting the company’s information assets. The person who holds this role is responsible for assigning classifications to information and dictating how the data should be protected. If the information owner does not lay out the foundation of data protection and ensure that the directives are being enforced, she would be violating the due care concept.


Note 

Due care is a legal term and concept used to help determine liability in a court of law. If someone is practicing due care, then they are acting responsibly and will have a lower probability of being found negligent and liable if something bad takes place.

By having a security administration group, a company ensures that it does not lose focus on security and that it has a hierarchical structure of responsibility in place. The security officer’s job is to ensure that management’s security directives are fulfilled, not to construct those directives in the first place. There should be a clear communication path between the security administration group and senior management to ensure that the security program receives the proper support and that management makes the decisions. Too often, senior management is extremely disconnected from security issues, despite the fact that when a serious security breach takes place, senior management has to explain the reasons to business partners, shareholders, and the public. After this humbling experience, the opposite problem tends to arise—senior management becomes too involved. A healthy relationship between the security administration group and senior management should be developed from the beginning and communication should easily flow in both directions.


Example of Security Management

Anyone who has been involved with a security initiative understands that it involves a balancing act between securing an environment and still allowing the necessary level of functionality so that productivity is not affected. A common scenario that occurs at the start of many security projects is that the individuals in charge of the project know the end result they want to achieve and have lofty ideas of how quick and efficient their security rollout will be, but they fail to consult the users regarding what restrictions will be placed upon them. The users, upon finding out about the restrictions, then inform the project managers that they will not be able to fulfill certain parts of their job if the security rollout actually takes place as planned. This usually causes the project to screech to a halt. The project managers then have to initialize the proper assessments, evaluations, and planning to see how the environment can be slowly secured and how to ease users and tasks delicately into new restrictions or ways of doing business. Failing to consult users during the planning phase causes a lot of headaches and wastes time and money. Individuals who are responsible for security management activities must realize that they need to understand the environment and plan properly before they try to kick off the implementation phase of a security program.


Inadequate management can undermine the entire security effort in a company. Among the possible reasons for inadequate management are that management does not fully understand the necessity of security; security is in competition with other management goals; management views security as expensive and unnecessary; or management applies lip service instead of real support to security. Powerful and useful technologies, devices, software packages, procedures, and methodologies are available to provide the exact level of security required, but without proper security management and management support, none of this really matters.

Fundamental Principles of Security

Now, what are we trying to accomplish again?

There are several small and large objectives of a security program, but the main three principles in all programs are availability, integrity, and confidentiality. These are referred to as the AIC triad. The level of security required to accomplish these principles differs per company, because each has its own unique combination of business and security goals and requirements. All security controls, mechanisms, and safeguards are implemented to provide one or more of these principles, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles. Figure 3–2 illustrates the AIC triad. Some documentation on this topic may reverse the acronym order, and call it the CIA triad. It still refers to the same concepts shown in Figure 3–2.

Figure 3–2: The AIC triad

Availability

Emergency! I can’t get to my data! Response: Turn the computer on!

The systems and networks should provide adequate capacity in order to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick manner so that productivity is not negatively affected. Single points of failure should be avoided, backup measures should be taken, redundancy mechanisms should be in place when necessary, and the negative effects from environmental components should be prevented. Necessary protection mechanisms need to be in place to protect against inside and outside threats that could affect the availability and productivity of the network, systems, and information. Availability ensures reliability and timely access to data and resources to authorized individuals.

System availability can be affected by device or software failure. Backup devices should be used and available to quickly replace critical systems, and employees should be skilled and available to make the necessary adjustments to bring the system back online. Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability. These issues are addressed in detail in Chapter 6. Systems should be protected from these elements, properly grounded electrically, and closely monitored.

Denial-of-service (DoS) attacks are popular methods for hackers to disrupt a company’s system availability and productivity. These attacks are mounted to reduce the ability of users to access system resources and information. To protect against these attacks, only the necessary services and ports should be available on systems, and intrusion detection systems (IDS) should monitor the network traffic and host activities. Certain firewall and router configurations can also reduce the threat of DoS attacks and possibly stop them from occurring.

Integrity

Integrity is upheld when the assurance of accuracy and reliability of information and systems is provided, and unauthorized modification is prevented. Hardware, software, and communication mechanisms must work in a concerted manner to maintain and process data correctly and move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination.

Environments that enforce and provide this attribute of security ensure that attackers, or mistakes by users, do not compromise the integrity of systems or data. When an attacker inserts a virus, logic bomb, or back door into a system, the system’s integrity is compromised. This can, in turn, negatively affect the integrity of information held on the system by corruption, malicious modification, or replacement of data with incorrect data. Strict access controls, intrusion detection, and hashing can combat these threats.

Users usually affect a system or its data’s integrity by mistake (although internal users may also commit malicious deeds). For example, a user with a full hard drive may unwittingly delete configuration files under the mistaken assumption that deleting a boot.ini file must be okay because they don’t remember ever using it. Or, for example, a user may insert incorrect values into a data processing application that ends up charging a customer $3,000,000 instead of $300. Incorrectly modifying data kept in databases is another common way that users accidentally corrupt data, a mistake that can have lasting effects.

Security should streamline the users’ capabilities and give them only certain choices and functionality so that errors become less common and less devastating. System-critical files should be restricted from the users’ view and access. Applications should provide mechanisms that check for valid and reasonable input values. Databases should let only authorized individuals modify data, and data in transit should be protected by encryption or other mechanisms.

Confidentiality

Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.

Attackers can thwart confidentiality mechanisms by network monitoring, shoulder surfing, stealing password files, and social engineering. These topics will be addressed in more depth in later chapters, but briefly, shoulder surfing is when a person looks over another person’s shoulder and watches their keystrokes or views data as it appears on a computer screen. Social engineering is when one person tricks another person into sharing confidential information by posing as someone authorized to have access to that information.

Users can intentionally or accidentally disclose sensitive information by not encrypting it before sending it to another person, by falling prey to a social engineering attack, by sharing a company’s trade secrets, or by not using extra care to protect confidential information when processing it.

Confidentiality can be provided by encrypting data as it is stored and transmitted, by using network traffic padding, strict access control, and data classification, and by training personnel on the proper procedures.

Availability, integrity, and confidentiality are critical principles of security. You should understand their meaning, how they are provided by different mechanisms, and how their absence can negatively affect an environment, all of which help you to best identify problems and provide proper solutions.

Security Definitions

I am vulnerable and see you as a threat. Response: Good.

The words “vulnerability,” “threat,” “risk,” and “exposure” often are used to represent the same thing even though they have different meanings and relationships to each other. It is important to understand each word’s definition, but more important to understand its relationship to the other concepts.

A vulnerability is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited. This vulnerability may be a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lax physical security that allows anyone to enter a server room, or nonenforced password management on servers and workstations.

A threat is any potential danger to information or systems. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file’s integrity.

A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an intentional or unintentional mistake that may destroy data. If an IDS is not implemented on a network, there is a higher likelihood that an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

An exposure is an instance of being exposed to losses from a threat agent. A vulnerability exposes an organization to possible damages. If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users’ passwords captured and used in an unauthorized manner. If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires.

A countermeasure, or safeguard, is put into place to mitigate the potential risk. A countermeasure may be a software configuration, a hardware device, or procedure that eliminates a vulnerability or reduces the likelihood that a threat agent will be able to exploit a vulnerability. Examples of countermeasures include strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.

If a company has antivirus software but does not keep the virus signatures up-to-date, this is a vulnerability. The company is vulnerable to virus attacks. The threat is that a virus will show up in the environment and disrupt productivity. The likelihood of a virus showing up in the environment and causing damage is the risk. If a virus infiltrates the company’s environment, then a vulnerability has been exploited and the company is exposed to loss. The countermeasures in this situation are to update the signatures and install the antivirus software on all computers. The relationships among risks, vulnerabilities, threats, and countermeasures are shown in Figure 3–3.

Figure 3–3: The relationships among the different security components

Applying the right countermeasure can eliminate the vulnerability and exposure and reduce the risk. The company cannot eliminate the threat agent, but it can protect itself and prevent this threat agent from exploiting vulnerabilities within the environment.



Order of Concepts

The proper order in which to evaluate these concepts as they apply to your own network is threat, exposure, vulnerability, countermeasures, and finally risk. This is because a threat can exist (a new SQL attack, for example), but unless your company has the corresponding vulnerability (a SQL server with the necessary configuration), the company is not exposed and the threat does not translate into a vulnerability for it. If the vulnerability does reside in the environment, then a countermeasure is applied to reduce the risk.
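The relationships among threat, vulnerability, exposure, countermeasure, and risk, evaluated in the order described above and using the antivirus and "new SQL attack" cases from this chapter, as an added Python illustration that is not code from the book. The numeric scoring of risk as likelihood multiplied by impact, the likelihood and impact values, and the names used are assumptions chosen to make the relationships concrete; the text itself gives no formula.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    """Potential danger; it needs a specific vulnerability to be present."""
    name: str
    exploits: str            # vulnerability the threat agent would take advantage of
    likelihood: float        # assumed scale: 0..1, chance of exploitation while exposed
    impact: int              # assumed scale: business impact 1 (minor) .. 10 (severe)


@dataclass(frozen=True)
class Countermeasure:
    """Safeguard that removes a vulnerability or reduces exploit likelihood."""
    name: str
    addresses: str                  # vulnerability it targets
    eliminates: bool = False        # True: vulnerability (and exposure) are removed
    likelihood_factor: float = 1.0  # otherwise scales likelihood (0.5 = halved)


@dataclass
class Environment:
    vulnerabilities: set[str]
    countermeasures: list[Countermeasure] = field(default_factory=list)


@dataclass(frozen=True)
class Assessment:
    threat: str
    vulnerable: bool              # was the corresponding vulnerability present at all?
    applied: tuple[str, ...]      # countermeasures that matched that vulnerability
    exposed: bool                 # exposure remaining after countermeasures
    residual_risk: float          # assumed scoring: likelihood x impact, 0 if not exposed


def evaluate(threat: Threat, env: Environment) -> Assessment:
    """Walk the concepts in the order the text gives: threat, then exposure
    (is the vulnerability present?), then countermeasures, and only then risk."""
    if threat.exploits not in env.vulnerabilities:
        # No corresponding vulnerability: the threat exists, but this
        # environment is not exposed to it and there is no risk to score.
        return Assessment(threat.name, False, (), False, 0.0)

    likelihood = threat.likelihood
    applied: list[str] = []
    for cm in env.countermeasures:
        if cm.addresses != threat.exploits:
            continue              # unrelated safeguard, changes nothing here
        applied.append(cm.name)
        if cm.eliminates:
            # The vulnerability is gone, so the exposure goes with it.
            return Assessment(threat.name, True, tuple(applied), False, 0.0)
        likelihood *= cm.likelihood_factor

    return Assessment(threat.name, True, tuple(applied), True,
                      round(likelihood * threat.impact, 2))


def antivirus_scenario() -> tuple[Assessment, Assessment]:
    """The text's antivirus example with constructed numbers: stale signatures
    are the vulnerability, a virus arriving is the threat, and updating the
    signatures everywhere is the countermeasure that eliminates it."""
    vuln = "antivirus signatures not kept up to date"
    virus = Threat("virus disrupts productivity", vuln, likelihood=0.5, impact=8)
    before = Environment({vuln})
    after = Environment({vuln}, [Countermeasure("update signatures on all computers",
                                                vuln, eliminates=True)])
    return evaluate(virus, before), evaluate(virus, after)


def sql_scenario() -> Assessment:
    """The text's 'new SQL attack' case: a real threat, but no SQL server with
    the necessary configuration here, so no exposure and nothing to mitigate."""
    attack = Threat("new SQL attack", "SQL server with the necessary configuration",
                    likelihood=0.7, impact=9)
    workgroup = Environment({"antivirus signatures not kept up to date"})
    return evaluate(attack, workgroup)


def password_scenario() -> Assessment:
    """Lax password management with a countermeasure that reduces, but does
    not eliminate, the likelihood of captured passwords being reused."""
    vuln = "nonenforced password management"
    capture = Threat("captured passwords used by an intruder", vuln, likelihood=0.5, impact=4)
    env = Environment({vuln}, [Countermeasure("enforce password rules", vuln,
                                              likelihood_factor=0.5)])
    return evaluate(capture, env)


if __name__ == "__main__":
    for result in (*antivirus_scenario(), sql_scenario(), password_scenario()):
        print(result)
```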


Organizational Security Model

My security model is shaped like a pile of oatmeal. Response: Lovely.

An organizational security model is a framework made up of many entities, protection mechanisms, logical, administrative, and physical components, procedures, business processes, and configurations that all work together in a synergistic way to provide a security level for an environment. Each model is different, but all models work in layers: one layer provides support for the layer above it and protection for the layer below it. Because a security model is a framework, companies are free to plug in different types of technologies, methods, and procedures to accomplish the necessary protection level for their environment. Figure 3–4 illustrates the pieces that can make up a security model.

Figure 3–4: A comprehensive and effective security model has many integrated pieces.

Effective security requires a balanced approach and application of all security components and procedures. Some security components are technical (access control lists and encryption) and some are nontechnical (physical and administrative, such as developing a security policy and enforcing compliance), but each has an important place within the framework, and if one is missing or incomplete, the whole framework may be affected.

A security model has various layers, but it also has different types of goals to accomplish in different timeframes. You might have a goal for yourself today to brush your teeth, run three miles, finish the project you have been working on, and spend time with your kids. These are daily goals, or operational goals. You might have midterm goals to complete your master’s degree, write a book, and get promoted. These take more time and effort and are referred to as tactical goals. Your long-term goals may be to retire at age 55, save enough money to live comfortably, and live on a houseboat. These goals are strategic goals because they look farther into the future.

The same thing happens in security planning. Daily goals, or operational goals, focus on productivity and task-oriented activities to ensure that the company functions in a smooth and predictable manner. A midterm goal, or tactical goal, could be to integrate all workstations and resources into one domain so that more central control can be achieved. Long-term goals, or strategic goals, could be to move all the branches from dedicated communication lines to frame relay, implement IPSec virtual private networks (VPNs) for all remote users, and integrate wireless technology with the necessary security measures into the environment.

This approach to planning is called the planning horizon. A company usually cannot implement all changes at once, and some changes are larger than others. Many times, certain changes cannot happen until other changes take place. If a company wants to implement its own certificate authority and implement a full public key infrastructure (PKI) enterprise-wide, this cannot happen in a week if the company currently works in decentralized workgroups with no domain structure. So, its operational goals would be to keep production running smoothly and make small steps toward readying the environment for a domain structure. Its tactical goal would be to put all workstations and resources into a domain structure, and centralize access control and authentication. Its strategic goal would be to have all workstations, servers, and devices within the enterprise use the PKI to provide authentication, encryption, and more secure communication channels.

Security works best if the company’s operational, tactical, and strategic goals are defined and work to support each other, which can be much harder than it sounds.

Security Program Components

I have a security policy, so I must have a security program. Response: You have just begun, my friend.

Today, organizations, corporations, government agencies, and individuals are more involved in information security than ever before. With more regulations being promulgated by governments, continuing increases in both the number of attacks and the cost of fighting hackers and malware, and increasing dependence upon computing technology, concerns about information security are expanding from IT departments to the board rooms.

Most security professionals welcome this shift because it means that the decision makers are finally involved and more progress can be made enterprise-wide. Experienced security professionals have always known that technology is just a small portion of overall organizational security. Business people, who are now becoming more responsible and liable for security, are not so thrilled about this shift.

The common scenario in businesses and organizations is as follows: A CEO and board members eventually are forced to look at information security because of new regulations, because the costs of viruses and attacks have reached a threshold, or because a civil suit has been filed regarding a security breach. The company typically hires a consultant, who tells the CEO and board that they need a security policy and a network assessment. The company usually pays for both to be done and, with that accomplished, believes that the company is secure. However, this is a false sense of security, because the company still has no security program.

The company then hires a security officer (typically called either Corporate Security Officer [CSO] or Corporate Information Security Officer [CISO]). Senior management hires this person so that it can delegate all security activities and responsibilities, and get security off of their desk, but fails to give this person any real authority or budget. Then, when security compromises take place, the CSO becomes the sacrificial lamb—because we always need someone to blame.

Now, as security professionals, we have three choices for dealing with this common scenario:

·         Stick our heads in the sand and hope all of this just goes away.

·         Continue to be frustrated and confused, develop ulcers, and shake our fists at the unfriendly security gods in the sky.

·         Understand that we, as a society, are in the first basic steps of our evolution in information security and therefore must be committed to learn and practice the industry’s already developed best practices.


Confusion and Security

Today, many business-oriented people who are not security professionals are responsible for rolling out security programs and solutions. Without proper education and training on these matters, companies end up wasting a lot of time and money.


Developing and rolling out a security program is not as difficult as many organizations make it, but it is new to them and new things are usually scary and confusing. This is why they should turn to standards and industry best practices, which provide the guidance and recipe for how to set up and implement a full security program.

The most commonly used standard is ISO 17799, which was derived from the de facto standard British Standard 7799 (BS 7799). It is an internationally recognized Information Security Management Standard that provides high-level, conceptual recommendations on enterprise security. It consists of two parts. Part 1 is an implementation guide with guidelines on how to build a comprehensive information security infrastructure. Part 2 is an auditing guide based on requirements that must be met for an organization to be deemed compliant with ISO 17799.

While there has been plenty of controversy regarding the benefits and drawbacks of ISO 17799, it is the agreed-upon mechanism to describe security processes and is the benchmark we use to indicate a “correct infrastructure.” It is made up of ten domains, which are very close to the CISSP Common Body of Knowledge (CBK).

The ISO 17799 domains are as follows:

·         Information security policy for the organization   Map of business objectives to security, management’s support, security goals, and responsibilities.

·         Creation of information security infrastructure   Create and maintain an organizational security structure through the use of security forum, security officer, defining security responsibilities, authorization process, outsourcing, and independent review.

·         Asset classification and control   Develop a security infrastructure to protect organizational assets through accountability and inventory, classification, and handling procedures.

·         Personnel security   Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.

·         Physical and environmental security   Protect the organization’s assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control, and protecting equipment.

·         Communications and operations management   Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management, and media handling.

·         Access control   Control access to assets based on business requirements, user management, authentication methods, and monitoring.

·         System development and maintenance   Implement security in all phases of a system’s lifetime through development of security requirements, cryptography, integrity, and software development procedures.

·         Business continuity management   Counter disruptions of normal operations by using continuity planning and testing.

·         Compliance   Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.

ISO 17799 outlines the components that should make up each and every security program implemented today. Since companies and organizations differ, the emphasis on specific components may vary from one security program to the next, but each security program should be made up of these core elements.

Business Requirements: Private Industry vs. Military Organizations

Which security model an organization should choose depends on its critical missions and business requirements. Private industry usually has much different missions and requirements than those of the military. Private industry thrives by beating the competition, which is done through marketing and sales, solid management decisions, understanding the target audience, and understanding the ebb and flow of the market. A private-sector business has a better chance of being successful if its data is readily available, so processing order requests and fulfilling service orders can happen quickly and painlessly for the customer. The data also needs to be accurate to satisfy the customers’ needs. Out of the three security services (availability, integrity, and confidentiality), data integrity and availability usually rank higher than confidentiality for most private-sector businesses, whereas military requirements rank them differently.

The military also thrives by beating its competition (other countries or its enemies), which requires proper training, readiness, intelligence, and deployment. Although private industry does need a degree of secrecy and ensured confidentiality, confidentiality does not play as important a role as it does in a military organization. The military has more critical information that must not fall into the wrong hands; therefore, out of the three main security services, confidentiality is the most important to the military sector. Thus, a military installation must implement a security model that emphasizes confidentiality and is stricter than a private-sector organization’s security model.

Information Risk Management

Life is full of risk.

Risk is the possibility of damage happening and the ramifications of such damage should it occur. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100 percent secure environment. Every environment has vulnerabilities and threats to a certain degree. The skill is in identifying these threats, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization identifies as acceptable.

Risks to a company come in different forms, and they are not all computer related. When a company purchases another company, it takes on a lot of risk in the hope that this move will increase its market base, productivity, and profitability. If a company increases its product line, this can add overhead, increase the need for personnel and storage facilities, require more funding for different materials, and maybe increase insurance premiums and the expense of marketing campaigns. The risk is that this added overhead might not be matched in sales; thus, profitability will be reduced or not accomplished.

When we look at information security, there are several types of risk a corporation needs to be aware of and address properly. The following items touch on the major categories:

·         Physical damage   Fire, water, vandalism, power loss, and natural disasters

·         Human interaction   Accidental or intentional action or inaction that can disrupt productivity

·         Equipment malfunction   Failure of systems and peripheral devices

·         Inside and outside attacks   Hacking, cracking, and attacking

·         Misuse of data   Sharing trade secrets, fraud, espionage, and theft

·         Loss of data   Intentional or unintentional loss of information through destructive means

·         Application error   Computation errors, input errors, and buffer overflows

The threats need to be identified, classified by category, and evaluated to calculate their actual magnitude of potential loss. Real risk is hard to measure, but prioritizing the potential risks in order of which risk needs to be addressed first is attainable.

Who Really Understands Risk Management?

Unfortunately, the answer to this question is that not enough people inside or outside of the security profession really understand risk management. Even though information security is “big business” today, the focus is more on applications, devices, protocols, viruses, and hacking. Although these items all need to be considered and weighed in risk management processes, they should be considered small pieces of the overall security puzzle, not the main focus of risk management.

Security is now a business issue, but businesses operate to make money, not to just be secure. A business is concerned with security only if it threatens its bottom line, which it can in many ways: loss of reputation and customer base after a database of credit card numbers is compromised; loss of thousands of dollars in operational expenses from a new computer worm; loss of proprietary information as a result of successful company espionage attempts; loss of confidential information from a successful social engineering attack; and so on. It is critical that security professionals understand these individual threats, but it is more important that they understand how to calculate the risk of these threats and map them to business drivers.

Knowing the difference between the definitions of “vulnerability,” “threat” and “risk” may seem trivial to you, but it is more critical than most people truly understand. A vulnerability scanner can identify dangerous services that are running, unnecessary accounts, and unpatched systems. That is the easy part. But if you have a security budget of only $120,000 and you have a long list of vulnerabilities that need attention, do you have the proper skill to know which ones should be dealt with first? Since you have a finite amount of money and an almost infinite number of vulnerabilities, how do you properly rank the most critical vulnerabilities to ensure that your company is addressing the most critical issues and providing the most return on investment of funds?

This is what risk management is all about, and to organizations, corporations, and businesses across the world, it is more important than IDS, ethical hacking, malware, and firewalls. But risk management is not as “sexy” and therefore does not get its necessary attention or implementation.

Information Risk Management Policy

How do I put all of these risk management pieces together? Response: Let’s check out the policy.

Proper risk management requires a strong commitment from senior management, a documented process that supports the organization’s mission, an IRM policy, and a delegated IRM team.

The IRM policy should be a subset of the organization’s overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies. The IRM policy should address the following items:

·         Objectives of IRM team

·         Level of risk the company will accept and what is considered an acceptable risk

·         Formal processes of risk identification

·         Connection between the IRM policy and the organization’s strategic planning processes

·         Responsibilities that fall under IRM and the roles that are to fulfill them

·         Mapping of risk to internal controls

·         Approach for changing staff behaviors and resource allocation in response to risk analysis

·         Mapping of risks to performance targets and budgets

·         Key indicators to monitor the effectiveness of controls

The IRM policy provides the infrastructure for the organization’s risk management processes and procedures and should address all issues of information security, from personnel screening and the insider threat to physical security and firewalls. It should provide direction on how the IRM team relates information on company risks to senior management and how to properly execute management’s decisions on risk mitigation tasks.

Risk Management Team

Each organization is different in its size, security posture requirements, and security budget. One organization may have one individual responsible for IRM (poor soul) or a team that works in a coordinated manner. The overall goal of the team is to ensure that the company is protected in the most cost-effective manner. This goal can be accomplished only if the following components are in place:

·         An established risk acceptance level provided by senior management

·         Documented risk assessment processes and procedures

·         Procedures for identifying and mitigating risks

·         Appropriate resource and fund allocation from senior management

·         Contingency plans where assessments indicate that they are necessary

·         Security-awareness training for all staff members associated with information assets

·         Ability to establish improvement (or risk mitigation) teams in specific areas when necessary

·         Mapping of legal and regulatory compliance requirements to control and implementation requirements

·         Development of metrics and performance indicators to be able to measure and manage various types of risks

·         Ability to identify and assess new risks as the environment and company changes

·         Integration of IRM and the organization’s change control process to ensure that changes do not introduce new vulnerabilities

Obviously, this list is a lot more than just buying a new shiny firewall and calling the company safe.

The IRM team, in most cases, is not made up of employees with the dedicated task of risk management. It consists of people who already have a full-time job in the company and are now tasked with something else. Thus, senior management support is necessary, so that proper resource allocation can take place.

Of course, all teams need a leader, and IRM is no different. One individual should be singled out to run this rodeo and, in larger organizations, this person should be spending 50 to 70 percent of their time in this role. Management needs to dedicate funds for this person to have the necessary training and risk analysis tools to ensure that it is a successful endeavor.

Risk Analysis

I have determined that our greatest risk is this paperclip. Response: Nice work.

Risk analysis, which is really a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible damage to determine where to implement security safeguards. Risk analysis is used to ensure that security is cost effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security components, and spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of money that should be applied to protecting against those risks in a sensible manner.

A risk analysis has four main goals:

·         Identify assets and their values

·         Identify vulnerabilities and threats

·         Quantify the probability and business impact of these potential threats

·         Provide an economic balance between the impact of the threat and the cost of the countermeasure

Risk analysis provides a cost/benefit comparison, which compares the annualized cost of safeguards to the potential cost of loss. A safeguard, in most cases, should not be implemented unless the annualized cost of loss exceeds the annualized cost of the safeguard itself. This means that if a facility is worth $100,000, it does not make sense to spend $150,000 trying to protect it.

It is important to figure out what you are supposed to be doing before you dig right in and start working. Anyone who has worked on a project without a properly defined scope can attest to this statement. Before an assessment and analysis is started, the team needs to carry out project sizing to understand what assets and threats are to be evaluated. Most assessments are focused on physical security, technology security, or personnel security. Trying to assess all of them at the same time can be quite an undertaking.

One of the team’s tasks is to create a report that details the asset valuations. Senior management needs to review and accept the lists, and make them the scope of the IRM project. If management determines at this early stage that some assets are not important, the risk assessment team will not spend further time or resources to evaluate those assets. During discussions with management, everyone involved needs to have a firm understanding of the value of the security ACI triad—availability, confidentiality, and integrity—and how it directly relates to business needs.

Management should outline the scope, which most likely will be dictated by regulations and funds. Many projects have run out of funds, and consequently stopped, because proper project sizing was not conducted at the onset of the project. Don’t let it happen to you.

A risk analysis helps integrate the security program objectives with the company’s business objectives and requirements. The more the business and security objectives are in alignment, the more successful the two will be. The analysis also helps the company draft a proper budget for a security program and its constituent security components. Once a company knows how much its assets are worth and the possible threats they are exposed to, it can make intelligent decisions on how much money to spend on protecting those assets.

A risk analysis needs to be supported and directed by senior management if it is going to be successful. Management needs to define the purpose and scope of the analysis, appoint a team to carry out the assessment, and allocate the necessary time and funds to conduct the analysis. It is essential for senior management to review the outcome of the risk assessment and analysis and act on its findings. What good is it to go through all the trouble of a risk assessment and not react to its findings? Surprisingly, this does happen.

Risk Analysis Team

Each organization has different departments. Each department has its own functionality, resources, tasks, and quirks. For the most effective risk analysis, an organization needs to build a risk analysis team that includes individuals from many or all departments, to ensure that all of the threats are identified and addressed. The team members may be part of management, application programmers, IT staff, systems integrators, and operational managers—indeed, any key personnel from key areas of the organization. This mix is necessary because if the risk analysis team comprises only individuals from the IT department, it may not understand, for example, the types of threats the accounting department faces with data integrity issues, or how the company as a whole would be affected if the accounting department’s data files were wiped out by an accidental or intentional act. Or, as another example, the IT staff may not understand all the risks the employees in the warehouse would face if a natural disaster were to hit, or what it would mean to their productivity and how it would affect the organization overall. If the risk analysis team is unable to include members from various departments, it should, at the very least, make sure to interview people in each department so that it fully understands and can quantify all threats.

The risk analysis team also needs to include people who understand the processes that are part of their individual departments, meaning individuals who are at the right levels of each department. This is a difficult task, since managers tend to delegate any sort of risk analysis task to lower levels within the department. However, these lower levels may not have adequate knowledge and understanding of the processes that the risk analysis team may need to deal with.

When looking at risk, there are several questions that are helpful to keep in mind. Raising these questions helps to ensure that the risk analysis team and senior management know what is important. Team members need to ask the following: What event could occur (threat event)? What could be the potential impact (risk)? How often could it happen (frequency)? What level of confidence do we have in the answers to the first three questions (certainty)?

Viewing threats with these questions in mind helps the team to focus on the tasks at hand and assists in making the decisions more accurate and relevant.

Value of Information and Assets

If information does not have any value, then who cares about protecting it?

The value placed on information is relative to the parties involved, what work was required to develop it, how much it costs to maintain, what damage would result if it were lost or destroyed, and what benefit another party would gain if it were to obtain the data. If a company does not know the value of the information and the other assets it is trying to protect, it does not know how much money and time it should spend on protecting them. If you were in charge of making sure that Russia does not know the encryption algorithms used when transmitting information to and from U.S. spy satellites, you would use more extreme (and expensive) security measures than you would use to protect your peanut butter and banana sandwich recipe from your next-door neighbor. The value of the information supports security measure decisions.

The previous examples refer to assessing the value of information and protecting it, but this logic applies toward an organization’s facilities, systems, and resources. The value of the company’s facilities needs to be assessed, along with all printers, workstations, servers, peripheral devices, supplies, and employees. You do not know how much is in danger of being lost if you don’t know what you have and what it is worth in the first place.

Costs That Make Up the Value

An asset can have both quantitative and qualitative measurements assigned to it, but these measurements need to be derived. The actual value of an asset is determined by the cost it takes to acquire, develop, and maintain it. The value is determined by the importance it has to the owners, authorized users, and unauthorized users. Some information is important enough to a company to go through the steps of making it a trade secret.

The value of an asset should reflect all identifiable costs that would arise if there were an actual impairment of the asset. If a server cost $4000 to purchase, this value should not be input as the value of the asset in a risk assessment. Rather, the cost of replacing or repairing it, the loss of productivity, and the value of any data that may be corrupted or lost need to be accounted for to properly capture the amount the company would lose if the server were to fail for one reason or another.

The following issues should be considered when assigning values to assets:

·         Cost to acquire or develop the asset

·         Cost to maintain and protect the asset

·         Value of the asset to owners and users

·         Value of the asset to adversaries

·         Value of intellectual property that went into developing the information

·         Price others are willing to pay for the asset

·         Cost to replace the asset if lost

·         Operational and production activities that are affected if the asset is unavailable

·         Liability issues if the asset is compromised

·         Usefulness and role of the asset in the organization

Understanding the value of an asset is the first step to understanding what security mechanisms should be put in place and what funds should go toward protecting it. A very important question is how much it could cost the company to not protect the asset.

Determining the value of assets may be useful to a company for a variety of reasons, including the following:

·         To perform effective cost/benefit analyses

·         To select specific countermeasures and safeguards

·         To determine the level of insurance coverage to purchase

·         To understand what exactly is at risk

·         To conform to due care and comply with legal and regulatory requirements

Assets may be tangible (computers, facilities, supplies) or intangible (reputation, data, intellectual property). It is usually harder to quantify the values of intangible assets, which may change over time. How do you put a monetary value on a company’s reputation? That’s harder to solve than the Rubik’s Cube.

Identifying Threats

Okay, what should we be afraid of?

Earlier it was stated that the definition of a risk is the probability of a threat agent exploiting a vulnerability to cause harm to a computer, network, or company and the resulting business impact. There are many types of threat agents that can take advantage of several types of vulnerabilities, resulting in a variety of specific threats, as outlined in Table 3-1, which represents only a sampling of the risks that many organizations would have to address in their risk management programs.

Table 3–1: Relationship of Threats and Vulnerabilities

Threat Agent   Can Exploit This Vulnerability              Resulting in This Threat
Virus          Lack of antivirus software                  Virus infection
Hacker         Powerful services running on a server       Unauthorized access to confidential information
Users          Misconfigured parameter in the operating    System malfunction
               system
Fire           Lack of fire extinguishers                  Facility and computer damage, and possibly loss of life
Employee       Lack of training or standards enforcement   Sharing mission-critical information
               Lack of auditing                            Altering data inputs and outputs from data processing applications
Contractor     Lax access control mechanisms               Stealing trade secrets
Attacker       Poorly written application                  Conducting a buffer overflow
               Lack of stringent firewall settings         Conducting a denial-of-service attack
Intruder       Lack of security guard                      Breaking windows and stealing computers and devices

There are other types of threats that can happen within a computerized environment that are much harder to identify than those listed in Table 3-1. These other threats have to do with application and user errors. If an application uses several complex equations to produce results, the threat can be difficult to discover and isolate if these equations are incorrect or if the application is using inputted data incorrectly. This can result in illogical processing and cascading errors as invalid results are passed on to another process. These types of problems can lie within applications’ code and are very hard to identify.

User errors, intentional or accidental, are easier to identify, by monitoring and auditing user activities. Audits and reviews need to be conducted to discover if employees are inputting values incorrectly into programs, misusing technology, or modifying data in an inappropriate manner.

Once the vulnerabilities and associated threats are identified, the ramifications of these vulnerabilities being exploited need to be investigated. Risks have loss potential, meaning what the company would lose if a threat agent were actually to exploit a vulnerability. The loss may be corrupted data, destruction of systems and/or the facility, unauthorized disclosure of confidential information, a reduction in employee productivity, and so on. When performing a risk analysis, the team also needs to look at delayed loss when assessing the damages that can occur. Delayed loss has negative effects on a company after a vulnerability is initially exploited. The time period can be anywhere from 15 minutes to years after the exploitation. Delayed loss may include reduced productivity over a period of time, reduced income to the company, accrued late penalties, extra expense to get the environment back to proper working conditions, delayed collection of funds from customers, and so forth.

For example, if a company’s web servers are attacked and taken offline, the immediate damage could be data corruption, the man-hours necessary to place the servers back online, and the replacement of any code or components that may be required. The company could lose productivity if it usually accepts orders and payments via its web site. If it takes a full day to get the web servers fixed and back online, the company could lose a lot more sales and profits. If it takes a full week to get the web servers fixed and back online, the company could lose enough sales and profits to not be able to pay other bills and expenses. This would be a delayed loss. If the company’s customers lose confidence in it because of this activity, it could lose business for months or years. This is a more extreme case of delayed loss.

These types of issues complicate the process of properly quantifying the losses that specific threats could cause, but they need to be taken into consideration to ensure that reality is represented in this type of analysis.

So, up to now, we have secured management’s support of the risk analysis, constructed our team so that it represents different departments in the company, placed a value on each of the company’s assets, and identified all the possible threats that could affect the assets. We have also taken into consideration all potential and delayed losses the company may endure per asset per threat. The next step is to use qualitative or quantitative methods to calculate the actual risk the company faces.

Quantitative Risk Analysis

As previously mentioned, there are two types of approaches to risk analysis: quantitative and qualitative. Quantitative risk analysis attempts to assign real and meaningful numbers to all elements of the risk analysis process. These elements may include safeguard costs, asset value, business impact, threat frequency, safeguard effectiveness, exploit probabilities, and so on. When all of these are quantified, the process is said to be quantitative. Quantitative risk analysis also provides concrete probability percentages when determining the likelihood of threats. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks.

Purely quantitative risk analysis is not possible, because the method attempts to quantify qualitative items, and there are always uncertainties in quantitative values. If a severity level is high and a threat frequency is low, it is hard to assign corresponding numbers to these ratings and come up with a useful outcome.

Quantitative and qualitative approaches have their own pros and cons, and each applies more appropriately to some situations than others. Company management and the risk analysis team, and the tools they decide to use, will determine which approach is best.
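As an added worked example (not from the original text), the following Python shows how the quantified elements just listed combine: the single loss expectancy (SLE) is asset value multiplied by an exposure factor (EF, the fraction of the asset’s value one occurrence destroys), the annualized loss expectancy (ALE) is SLE multiplied by the annualized rate of occurrence (ARO), and a safeguard is justified only when the ALE it removes exceeds its own annualized cost, which is the cost/benefit rule given earlier in the Risk Analysis section. The server value, threats, exposure factors, rates, and safeguard costs are all constructed figures.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example; all figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of the asset value lost in one occurrence (0.0 to 1.0)
    aro: float              # annualized rate of occurrence: expected occurrences per 12 months


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # annualized cost: amortized purchase plus yearly operation and upkeep
    residual_ef: float      # exposure factor once the safeguard is in place
    residual_aro: float     # ARO once the safeguard is in place


def sle(asset_value: float, ef: float) -> float:
    """Single loss expectancy: what one occurrence of the threat costs."""
    return round(asset_value * ef, 2)


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: SLE x ARO, the expected loss per year."""
    return round(sle(asset_value, ef) * aro, 2)


def rank_threats(asset_value: float, threats: list[Threat]) -> list[tuple[str, float]]:
    """Order threats by ALE, highest first: the priority order a finite budget needs."""
    scored = [(t.name, ale(asset_value, t.exposure_factor, t.aro)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def safeguard_value(asset_value: float, threat: Threat, sg: Safeguard) -> float:
    """Net annual value of a safeguard against one threat:
    (ALE before) - (ALE after) - annual cost of the safeguard.
    A negative result means the safeguard costs more than the loss it prevents."""
    before = ale(asset_value, threat.exposure_factor, threat.aro)
    after = ale(asset_value, sg.residual_ef, sg.residual_aro)
    return round(before - after - sg.annual_cost, 2)


def choose_safeguard(asset_value: float, threat: Threat,
                     options: list[Safeguard]) -> Optional[Safeguard]:
    """Pick the option with the greatest positive net value, or None if none pays for itself."""
    best, best_value = None, 0.0
    for sg in options:
        value = safeguard_value(asset_value, threat, sg)
        if value > best_value:
            best, best_value = sg, value
    return best


# Constructed sample data: an order-processing web server whose value already folds in
# replacement cost, lost productivity and the data it holds, as the text recommends.
WEB_SERVER_VALUE = 250_000.0

THREATS = [
    Threat("Worm or attack takes the web site offline", exposure_factor=0.30, aro=2.0),
    Threat("Fire in the server room", exposure_factor=0.80, aro=0.05),
    Threat("Theft of hardware", exposure_factor=0.10, aro=0.50),
]

OUTAGE = THREATS[0]
OUTAGE_OPTIONS = [
    # Cuts the outage rate to twice a year but not the damage per outage.
    Safeguard("Patch management plus web application firewall", annual_cost=40_000.0,
              residual_ef=0.30, residual_aro=0.50),
    # Removes almost all risk, but costs more per year than the loss it prevents.
    Safeguard("Hot standby site plus DDoS scrubbing service", annual_cost=160_000.0,
              residual_ef=0.10, residual_aro=0.10),
]


if __name__ == "__main__":
    print("Threats ranked by annualized loss expectancy:")
    for name, yearly_loss in rank_threats(WEB_SERVER_VALUE, THREATS):
        print(f"  {name:<47} ALE ${yearly_loss:>12,.2f}")
    print("Safeguards for the top threat:")
    for sg in OUTAGE_OPTIONS:
        net = safeguard_value(WEB_SERVER_VALUE, OUTAGE, sg)
        print(f"  {sg.name:<47} net ${net:>12,.2f}")
    chosen = choose_safeguard(WEB_SERVER_VALUE, OUTAGE, OUTAGE_OPTIONS)
    print("Recommended:", chosen.name if chosen else "none pays for itself")
```

Rerunning with a different ARO or exposure factor is the same call with new figures, which is what the automated tools described later do across many scenarios.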

Note

Quantitative analysis uses risk calculations that attempt to predict the level of monetary losses and the percentage of chance for each type of threat. Qualitative analysis does not use calculations, but is more situation and scenario based.

Automated Risk Analysis Methods

Collecting all the necessary data that needs to be plugged into risk analysis equations and properly interpreting the results can be overwhelming if done manually. There are several automated risk analysis tools on the market that can make this task much less painful and, hopefully, more accurate. The gathered data can be reused, greatly reducing the time required to perform subsequent analyses. The risk analysis team can also print out reports and comprehensive graphs to be presented to the management.

Note

Vulnerability assessment and risk analysis tools are available in freeware and commercial versions. Obtaining serious results often requires taking a serious approach to finding the tools that best serve the accuracy of the project.

The objective of these tools is to reduce the manual effort of these tasks, perform calculations quickly, estimate future expected losses, and determine the effectiveness and benefits of the security countermeasures chosen. Most automated risk analysis products port information into a database and run several types of scenarios with different parameters to give a panoramic view of what the outcome will be if different threats come to bear. For example, after such a tool has all the necessary information entered, it can be rerun several times with different parameters to compute the potential outcome if a large fire were to take place; the potential losses if a virus were to damage 40 percent of the data on the main file server; how much the company would lose if an attacker were to steal all the customer credit card information held in three databases; and so on. Running through the different risk possibilities gives a company a more detailed understanding of which risks are more critical than others, and thus which ones to address first. Figure 3–5 shows a simple example of this process.

Figure 3–5: A simplistic example showing the severity of current threats versus the probability of them occurring

Steps of a Risk Analysis

There are many methods and equations that could be used when performing a quantitative risk analysis, and many different variables that can be inserted into the process. This section covers some of the main steps that should take place in every risk analysis.

Step 1: Assign Value to Assets   For each asset, answer the following questions to determine its value:

·         What is the value of this asset to the company?

·         How much does it cost to maintain?

·         How much does it make in profits for the company?

·         How much would it be worth to the competition?

·         How much would it cost to re-create or recover?

·         How much did it cost to acquire or develop?

·         How much liability are you under pertaining to the protection of this asset?

Step 2: Estimate Potential Loss per Threat   To estimate potential losses posed by threats, answer the following questions:

·         What physical damage could the threat cause and how much would that cost?

·         How much loss of productivity could the threat cause and how much would that cost?

·         What is the value lost if confidential information is disclosed?

·         What is the cost of recovering from this threat?

·         What is the value lost if critical devices were to fail?

·         What is the single loss expectancy (SLE) for each asset, and each threat?

This is just a small sample of questions that should be answered. The specific questions will depend upon the types of threats the team uncovers.

Step 3: Perform a Threat Analysis   Take the following steps to perform a threat analysis:

·         Gather information about the likelihood of each threat taking place from people in each department, past records, and official security resources that provide this type of data.

·         Calculate the annualized rate of occurrence (ARO), which is how many times the threat can take place in a 12-month period.

Step 4: Derive the Overall Loss Potential per Threat   To derive the overall loss potential per threat, do the following:

·         Combine potential loss and probability.

·         Calculate the annualized loss expectancy (ALE) per threat by using the information calculated in the first three steps.

·         Choose remedial measures to counteract each threat.

·         Carry out cost/benefit analysis on the identified countermeasures.

Step 5: Reduce, Transfer, or Accept the Risk   For each risk, you can choose whether to reduce, transfer, or accept the risk:

·         Risk reduction methods

o        Install security controls and components.

o        Improve procedures.

o        Alter environment.

o        Provide early detection methods to catch the threat as it’s happening and reduce the possible damage it can cause.

o        Produce a contingency plan of how business can continue if a specific threat takes place, reducing further damages of the threat.

o        Erect barriers to the threat.

o        Carry out security-awareness training.

·         Risk transfer   Buy insurance to transfer some of the risk, for example.

·         Risk acceptance   Live with the risks and spend no more money toward protection.

Because we are stepping through a quantitative risk analysis, real numbers are used and calculations are necessary. Single loss expectancy (SLE) and annualized loss expectancy (ALE) were mentioned in the previous analysis steps. The SLE is a dollar amount that is assigned to a single event that represents the company’s potential loss amount if a specific threat were to take place:

·         asset value × exposure factor (EF) = SLE

The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset. So, for example, if a data warehouse has the asset value of $150,000, it might be estimated that if a fire were to occur, 25 percent of the warehouse would be damaged (and not more, because of a sprinkler system and other fire controls, proximity of a firehouse, etc.), in which case the SLE would be $37,500. This figure is derived to be inserted into the ALE equation:

·         SLE × annualized rate of occurrence (ARO) = ALE


Accepting Risk

When a company decides to accept a risk, the decision should be based on cost (countermeasure costs more than potential loss) and an acceptable level of pain (company can live with the vulnerability and threat). But the company must also understand that this is a visibility decision, insofar as accepting a specific risk may impact its industry reputation.

The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a one-year timeframe. The range can be from 0.0 (never) to 1.0 (at least once a year) to greater than one (several times a year) and anywhere in between. For example, if the probability of a flood taking place in Mesa, Arizona is once in 1000 years, the ARO value is 0.001.

So, if a fire in a company’s data warehouse facility can cause $37,500 in damages and the ARO of such a fire is 0.1 (indicating once in ten years), then the ALE value is $3750 ($37,500 × 0.1 = $3750).

The ALE value tells the company that if it wants to put in controls or safeguards to protect the asset from this threat, it can sensibly spend $3750 or less per year to provide the necessary level of protection. Knowing the real possibility of a threat and how much damage, in monetary terms, that the threat can cause is important to determining how much should be spent to try to protect against that threat in the first place. It would not make good business sense for the company to spend more than $3750 per year to protect itself from this threat.

Now that we have all these numbers, what do we do with them? Let’s look at the example in Table 3-2, which shows the outcome of a risk analysis. With this data, the company can make intelligent decisions on what threats need to be addressed first because of the severity of the threat, the likelihood of it happening, and how much could be lost if the threat were realized. The company now also knows how much money it should spend to protect against each threat. This will result in good business decisions, instead of just buying protection here and there without a clear understanding of the big picture. Because the company has a risk of losing up to $6500 if data is corrupted by virus infiltration, up to this amount of funds can be earmarked toward providing antivirus software and methods to ensure that a virus attack will not happen.

Table 3–2: Breaking Down How SLE and ALE Values Are Used

Asset                      Threat  Single Loss Expectancy (SLE)  Annualized Rate of Occurrence (ARO)  Annual Loss Expectancy (ALE)
Facility                   Fire    $230,000                      .1                                   $23,000
Trade secret               Stolen  $40,000                       .01                                  $400
File server                Failed  $11,500                       .1                                   $1150
Data                       Virus   $6500                         1.0                                  $6500
Customer credit card info  Stolen  $300,000                      3.0                                  $900,000

We have just explored the ways of performing risk analysis through quantitative means. This method tries to measure the loss in monetary value and assign numeric sums to each component within the analysis. As stated previously, however, a pure quantitative analysis is not achievable because it is impossible to assign the exact figures to each component and loss values. Although we can look at past events, do our best to assess the value of the assets, and contact agencies that provide frequency estimates of disasters happening in our area, we still cannot say for a fact that we have a 10 percent chance of a fire happening in a year and that it will cause exactly $230,000 in damage. In quantitative risk analysis, we can do our best to provide all the correct information, and by doing so we will come close to the risk values, but we cannot predict the future and how much the future will cost us or the company.
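The two equations above, SLE = asset value × EF and ALE = SLE × ARO, carried through in code as an added example (not from the book): it checks the data-warehouse fire figures and ranks the threats of Table 3-2 by ALE, the order in which they should be addressed. The ThreatEntry class, rank_by_ale and control_budget are names chosen here, not from the text.

```python
"""Quantitative risk analysis: SLE, ARO and ALE (added example, not from the book)."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF), rounded to whole cents.

    EF is the fraction of the asset's value lost in one occurrence, so it
    must lie between 0.0 (no loss) and 1.0 (total loss).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (ARO), rounded to cents.

    ARO may be a fraction (0.001 = once in 1000 years) or greater than
    1.0 (several times a year); it can never be negative.
    """
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class ThreatEntry:
    """One row of a quantitative risk table: an asset/threat pair with its SLE and ARO."""
    asset: str
    threat: str
    sle: float
    aro: float

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)


# Constructed from the figures in Table 3-2 of the text.
TABLE_3_2 = [
    ThreatEntry("Facility", "Fire", 230_000, 0.1),
    ThreatEntry("Trade secret", "Stolen", 40_000, 0.01),
    ThreatEntry("File server", "Failed", 11_500, 0.1),
    ThreatEntry("Data", "Virus", 6_500, 1.0),
    ThreatEntry("Customer credit card info", "Stolen", 300_000, 3.0),
]


def rank_by_ale(entries):
    """Order threats by ALE, largest first.

    The ALE is both the expected yearly loss and the most the company can
    sensibly spend per year on controls for that threat, so this order is
    the order in which threats should be addressed.
    """
    return sorted(entries, key=lambda e: e.ale, reverse=True)


def control_budget(entries):
    """Map each (asset, threat) pair to the yearly control spend its ALE justifies."""
    return {(e.asset, e.threat): e.ale for e in entries}


if __name__ == "__main__":
    # Data-warehouse fire example from the text: $150,000 asset, 25% EF, ARO 0.1.
    fire_sle = single_loss_expectancy(150_000, 0.25)
    fire_ale = annualized_loss_expectancy(fire_sle, 0.1)
    print(f"warehouse fire: SLE ${fire_sle:,.0f}, ALE ${fire_ale:,.0f}")
    for e in rank_by_ale(TABLE_3_2):
        print(f"{e.asset:<26} {e.threat:<7} ALE ${e.ale:>10,.0f}")
```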

Results of a Risk Analysis

The risk analysis team should have clearly defined goals that it is seeking. The following is a short list of what generally is expected from the results of a risk analysis:

·         Monetary values assigned to assets

·         Comprehensive list of all possible and significant threats

·         Probability of the occurrence rate of each threat

·         Loss potential the company can endure per threat in a 12-month time span

·         Recommended safeguards, countermeasures, and actions

Although this list looks short, there is usually an incredible amount of detail under each bullet item. This report will be presented to senior management, which will be concerned with possible monetary losses and the necessary costs to mitigate these risks. Although the reports should be as detailed as possible, there should be executive abstracts so that senior management may quickly understand the overall findings of the analysis.

Qualitative Risk Analysis

I think we are secure. Response: Great! Let’s all go home.

Another method of risk analysis is qualitative, which does not assign numbers and monetary values to components and losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures. Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of qualitative techniques are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The risk analysis team will determine the best technique for the threats that need to be assessed and the culture of the company and individuals involved with the analysis.


Uncertainty

In risk analysis, uncertainty refers to the degree to which you lack confidence in an estimate. This is expressed as a percentage, from 0 percent to 100 percent. If you have a 30 percent confidence level in something, then it could be said that you have a 70 percent uncertainty level. Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.

The team that is performing the risk analysis gathers personnel who have experience and education on the threats being evaluated. When this group is presented with a scenario that describes threats and loss potential, each member responds with their gut feeling and experience on the likelihood of the threat and the extent of damage that may result.

A scenario approximately one page in length is written for each major threat. The “expert,” who is most familiar with this type of threat, should review the scenario to ensure that it reflects how an actual threat would be carried out. Safeguards that would diminish the damage of this threat are then evaluated, and the scenario is played out for each safeguard. The exposure possibility and loss possibility can be ranked as high, medium, or low on a scale of 1 to 5 or 1 to 10. Once the selected personnel rank the possibility of a threat happening, the loss potential, and the advantages of each safeguard, this information is compiled into a report and presented to management to help it make better decisions on how best to implement safeguards into the environment. The benefits of this type of analysis are that communication has to happen among the team members to rank the risks, safeguard strengths and weaknesses are identified, and the people who know these subjects the best provide their opinions to management.

Let’s look at a simple example of a qualitative risk analysis.

The risk analysis team writes a one-page scenario explaining the threat of a hacker accessing confidential information held on the five file servers within the company. The risk analysis team then distributes the one-page scenario to a team of five people (the IT manager, database administrator, application programmer, system operator, and operational manager), who are also given a sheet to rank the threat’s severity, loss potential, and each safeguard’s effectiveness, with a rating of 1 to 5, 1 being the least severe, effective, or probable. Table 3-3 shows the results.

Table 3–3: Example of a Qualitative Analysis

Threat = Hacker Accessing Confidential Information

Rater                   Severity   Probability of       Potential Loss  Effectiveness  Effectiveness of            Effectiveness
                        of Threat  Threat Taking Place  to the Company  of Firewall    Intrusion Detection System  of Honeypot
IT manager              4          2                    4               4              3                           2
Database administrator  4          4                    4               3              4                           1
Application programmer  2          3                    3               4              2                           1
System operator         3          4                    3               4              2                           1
Operational manager     5          4                    4               4              4                           2
Results (average)       3.6        3.4                  3.6             3.8            3                           1.4

This data is compiled and inserted into a report and presented to management. When management is presented with this information, it will see that its staff (or a chosen set of security professionals) feels that purchasing a firewall will protect the company from this threat more than purchasing an intrusion detection system, or setting up a honeypot system.
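Compiling a scoring sheet like Table 3-3 in code, as an added example (not from the book): each rater's 1-to-5 scores are validated against the scale, averaged per column as the Results row does, and the safeguards are ordered by rated effectiveness. The column names, compile_results and rank_safeguards are names chosen here.

```python
"""Compiling a qualitative risk analysis scoring sheet (added example, not from the book)."""

SCALE_MIN, SCALE_MAX = 1, 5  # 1 = least severe, effective or probable

COLUMNS = (
    "severity of threat",
    "probability of threat",
    "potential loss",
    "firewall effectiveness",
    "IDS effectiveness",
    "honeypot effectiveness",
)
SAFEGUARD_COLUMNS = COLUMNS[3:]

# Constructed from Table 3-3: one tuple of six scores per rater, in COLUMNS order.
TABLE_3_3 = {
    "IT manager": (4, 2, 4, 4, 3, 2),
    "Database administrator": (4, 4, 4, 3, 4, 1),
    "Application programmer": (2, 3, 3, 4, 2, 1),
    "System operator": (3, 4, 3, 4, 2, 1),
    "Operational manager": (5, 4, 4, 4, 4, 2),
}


def validate_sheet(sheet):
    """Reject a sheet with a missing column or a score outside the 1-to-5 scale."""
    if not sheet:
        raise ValueError("no raters on the sheet")
    for rater, scores in sheet.items():
        if len(scores) != len(COLUMNS):
            raise ValueError(f"{rater}: expected {len(COLUMNS)} scores, got {len(scores)}")
        for column, score in zip(COLUMNS, scores):
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"{rater}: {column} score {score} is off the scale")


def compile_results(sheet):
    """Average every column across raters (the Results row of Table 3-3)."""
    validate_sheet(sheet)
    raters = len(sheet)
    return {
        column: round(sum(scores[i] for scores in sheet.values()) / raters, 1)
        for i, column in enumerate(COLUMNS)
    }


def rank_safeguards(results):
    """Safeguards from most to least effective as rated by the team."""
    return sorted(SAFEGUARD_COLUMNS, key=lambda c: results[c], reverse=True)


def threat_rating(results):
    """The three threat columns management compares across different threats."""
    return tuple(results[c] for c in COLUMNS[:3])


if __name__ == "__main__":
    results = compile_results(TABLE_3_3)
    for column, value in results.items():
        print(f"{column:<24} {value}")
    print("safeguards by effectiveness:", ", ".join(rank_safeguards(results)))
```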


Delphi Methods

In this text we are describing the consensus Delphi method, in which experts help to identify the highest-priority security issues and corresponding countermeasures. Another Delphi method, the Modified Delphi technique, is a silent form of brainstorming: participants develop ideas individually and silently with no group interaction, and the ideas are then submitted to a group of decision makers for consideration and action.

This is the result of looking at only one threat; management will view the severity, probability, and loss potential of each threat so that it knows which threats cause the greatest risk and should be addressed first.

Delphi Technique

The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This avoids a group of individuals feeling pressured to go along with others’ thought processes and enables them to participate in an independent and anonymous way. Each member of the group writes down his or her opinion of a certain threat on a piece of paper and turns it in to the team that is performing the analysis. The results are compiled and distributed to the group members, who then write down their comments anonymously and return them to the analysis group. The comments are compiled and redistributed for more comments until a consensus is formed. This method is used to obtain an agreement on cost, loss values, and probabilities of occurrence without individuals having to agree verbally.

Quantitative vs. Qualitative

So which method should we use?

Each method has its advantages and disadvantages, some of which are outlined in Table 3-4 for purposes of comparison.

Table 3–4: Quantitative vs. Qualitative Characteristics

Attribute                                                             Quantitative  Qualitative
Requires simple calculations                                                        X
Requires more complex calculations                                    X
Involves high degree of guesswork                                                   X
Provides general areas and indications of risk                                      X
Is easier to automate and evaluate                                    X
Used in risk management performance tracking                          X
Provides credible cost/benefit analysis                               X
Uses independently verifiable and objective metrics                   X
Provides the opinions of the individuals who know the processes best                X
Shows clear-cut losses that can be accrued within one year’s time     X

The risk analysis team, management, risk analysis tools, and culture of the company will dictate which approach, quantitative or qualitative, will be used. The goal of either method is to estimate a company’s real risk and rank the severity of the threats so that the correct countermeasures can be put into place within a practical budget.

Table 3-4 refers to some of the positive aspects of the qualitative and quantitative approaches. But, not everything is always easy. In deciding to use either a qualitative or quantitative approach, the following points might need to be considered:

Qualitative Cons:

·         The assessments and results are basically subjective.

·         Usually eliminates the opportunity to create a dollar value for cost/benefit discussions.

·         Difficult to track risk management objectives with subjective measures.

·         Standards are not available. Each vendor has its own way of interpreting the processes and their results.

Quantitative Cons:

·         Calculations are more complex. Can management understand how these values were derived?

·         Without automated tools, this process is extremely laborious.

·         Requires gathering a great deal of detailed information about the environment.

·         Standards are not available. Each vendor has its own way of interpreting the processes and their results.

Protection Mechanisms

Okay, so we know we are at risk, we know the probability of it happening, now what do we do?

The next step is to identify the current security mechanisms and evaluate their effectiveness.

Because a company has such a wide range of threats, not just computer viruses and attackers, each threat type needs to be addressed and planned for individually. Access control mechanisms used as security safeguards are discussed in Chapter 4. Software applications and data malfunction considerations are covered in Chapter 5. Site location, fire protection, site construction, power loss, and equipment malfunctions are examined in detail in Chapter 6. Telecommunication and networking issues are analyzed and presented in Chapter 7. Business continuity and disaster recovery concepts are addressed in Chapter 9. All of these subjects have their own associated risks and planning requirements.

This section addresses identifying and choosing the right countermeasures for computer systems. It gives the best attributes to look for and the different cost scenarios to investigate when comparing different types of countermeasures. The end product of the analysis of choices should demonstrate why the selected control is the most advantageous to the company.

Countermeasure Selection

A security countermeasure, sometimes called a safeguard, must make good business sense, meaning that it is cost-effective and that its benefit outweighs its cost. This requires another type of analysis: a cost/benefit analysis. A commonly used cost/benefit calculation for a given safeguard is

(ALE before implementing safeguard) − (ALE after implementing safeguard) − (annual cost of safeguard) = value of safeguard to the company

For example, if the ALE of the threat of a hacker bringing down a web server is $12,000 prior to implementing the suggested safeguard, and the ALE is $3000 after implementing the safeguard, and the annual cost of maintenance and operation of the safeguard is $650, then the value of this safeguard to the company is $8350 each year.

The cost of a countermeasure is more than just the amount that is filled out on the purchase order. The following items need to be considered and evaluated when deriving the full cost of a countermeasure:

·         Product costs

·         Design/planning costs

·         Implementation costs

·         Environment modifications

·         Compatibility with other countermeasures

·         Maintenance requirements

·         Testing requirements

·         Repair, replacement, or update costs

·         Operating and support costs

·         Effects on productivity

Consider an example. Company A decides that to protect many of its resources, purchasing an IDS is warranted. So, the company pays $5500 for an IDS. Is that the total cost? Nope. This software should be tested in an environment that is segmented from the production environment to uncover any unexpected activity. After this testing is complete and the IT group feels that it is safe to insert the IDS into its production environment, the IT group must install the monitoring management software, install the sensors, and properly direct the communication paths from the sensors to the management console. The IT group may also need to reconfigure the routers to redirect traffic flow, and definitely needs to ensure that users cannot access the IDS management console. Finally, the IT group needs to configure a database to hold all attack signatures, and then run simulations.

Anyone who has worked in an IT group knows that some adverse reaction almost always takes place in this type of scenario. Network performance can take an unacceptable hit after installing this product, if it is an inline or proactive product. Users may no longer be able to access the Unix server for some mysterious reason. The IDS vendor may not have explained that two more service patches are necessary for the whole thing to work correctly. Staff time will need to be allocated for training, and to respond to all of the correct and incorrect alerts the new IDS sends out.

So, for example, the cost of this countermeasure could be $5500 for the product, $2500 for training, $3400 for the lab and testing time, $2600 for the loss in user productivity once the product was introduced into production, and $4000 in labor for router reconfiguration, product installation, troubleshooting, and installation of the two service patches. The real cost of this countermeasure is $18,000. If our total potential loss was calculated at $9000, we went over budget by 100 percent when applying this countermeasure for the identified risk. Some of these costs may be hard or impossible to identify before they are incurred, but an experienced risk analyst would account for many of these possibilities.
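The safeguard-value equation and the IDS cost tally above, worked through as an added example (not from the book): safeguard_value implements the equation with the web-server figures, full_cost sums the IDS cost components, and recommend applies the rule that a safeguard with no positive value to the company is not worth buying, so the risk is accepted instead. The function names and the IDS_COSTS categories are chosen here; the dollar figures are the text's.

```python
"""Cost/benefit analysis of a countermeasure (added example, not from the book)."""


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before safeguard) - (ALE after safeguard) - (annual cost) = value to the company.

    A negative result means the safeguard costs more each year than the
    loss it prevents, so on these numbers it does not make business sense.
    """
    if ale_after > ale_before:
        raise ValueError("a safeguard should not raise the ALE")
    if annual_cost < 0:
        raise ValueError("annual cost cannot be negative")
    return ale_before - ale_after - annual_cost


# Cost components of the text's IDS example, keyed by the category each falls under.
IDS_COSTS = {
    "product": 5_500,
    "training": 2_500,
    "lab and testing time": 3_400,
    "lost user productivity": 2_600,
    "labor: router reconfiguration, installation, troubleshooting, patches": 4_000,
}


def full_cost(cost_components: dict) -> float:
    """The real cost is the sum of every component, not the purchase-order amount alone."""
    if any(amount < 0 for amount in cost_components.values()):
        raise ValueError("cost components cannot be negative")
    return sum(cost_components.values())


def budget_overrun_percent(total_cost: float, potential_loss: float) -> float:
    """Percentage by which the full cost exceeds the potential loss it addresses (0.0 if within budget)."""
    if potential_loss <= 0:
        raise ValueError("potential loss must be positive")
    return max(0.0, (total_cost - potential_loss) / potential_loss * 100)


def recommend(ale_before: float, ale_after: float, annual_cost: float) -> str:
    """'reduce' when the safeguard has positive value to the company, otherwise 'accept' the risk."""
    return "reduce" if safeguard_value(ale_before, ale_after, annual_cost) > 0 else "accept"


if __name__ == "__main__":
    # Web server example from the text: ALE $12,000 before, $3000 after, $650 per year to run.
    print("web server safeguard value per year:", safeguard_value(12_000, 3_000, 650))
    total = full_cost(IDS_COSTS)
    print(f"IDS full cost: ${total:,} (purchase order alone: ${IDS_COSTS['product']:,})")
    print(f"over budget by {budget_overrun_percent(total, 9_000):.0f}% against a $9,000 potential loss")
```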

Functionality and Effectiveness of Countermeasures

The countermeasure doesn’t work, but it’s pretty. Response: Good enough.

The risk analysis team will need to evaluate the safeguard’s functionality and effectiveness. When selecting a safeguard, some attributes are more favorable than others. Table 3-5 lists and describes attributes that should be considered before purchasing and committing to a security protection mechanism.

Table 3–5: Characteristics to Seek When Obtaining Safeguards

Characteristic: Description

Modular in nature: It can be installed or removed from an environment without adversely affecting other mechanisms.
Provides uniform protection: A security level is applied to all mechanisms it is designed to protect in a standardized method.
Provides override functionality: An administrator can override the restriction if necessary.
Defaults to least privilege: When installed, it defaults to a lack of permissions and rights instead of installing with everyone having full control.
Independence of safeguard and the asset it is protecting: The safeguard can be used to protect different assets, and different assets can be protected by different safeguards.
Flexibility and security: The more security the safeguard provides, the better. This functionality should come with flexibility, which enables you to choose different functions instead of all or none.
Clear distinction between user and administrator: A user should have fewer permissions when it comes to configuring or disabling the protection mechanism.
Minimum human intervention: When humans have to configure or modify controls, this opens the door to errors. The safeguard should require as little human input as possible.
Easily upgraded: Software continues to evolve, and updates should be able to happen painlessly.
Auditing functionality: There should be a mechanism that is part of the safeguard that provides minimum and/or verbose auditing.
Minimizes dependence on other components: The safeguard should be flexible and not have strict requirements about the environment into which it will be installed.
Easily usable, acceptable, and tolerated by personnel: If a safeguard puts up barriers to productivity or adds extra steps to simple tasks, users will not tolerate it.
Must produce output in usable and understandable format: Important information should be presented in a format easy for humans to understand and use for trend analysis.
Must be able to reset safeguard: The mechanism should be able to be reset and returned to original configurations and settings without affecting the system or asset it is protecting.
Testable: The safeguard should be able to be tested in different environments under different situations.
Does not introduce other compromises: The safeguard should not provide any covert channels or back doors.
System and user performance: System and user performance should not be greatly affected.
Proper alerting: It should be possible to set the thresholds at which personnel are alerted to a security breach, and the form of the alert should be acceptable to them.
Does not affect assets: The assets in the environment should not be adversely affected by the safeguard.

Safeguards can provide deterrence if they are highly visible. This tells potential evildoers that adequate protection is in place and that they should move on to an easier target. Although the safeguard may be highly visible, evildoers should not be able to learn how it works, which would let them attempt to modify the safeguard or find a way around the reach of the protection mechanism. If users know how to disable the antivirus program that is taking up CPU cycles or know how to bypass a proxy server to get to the Internet without restrictions, they will do it.

Putting It Together

To perform a risk analysis, a company first decides what assets need to be protected and to what extent. It also indicates the amount of money that can go toward protecting specific assets. Next, it needs to evaluate the functionality of the available safeguards and determine which ones would be most beneficial for the environment. Finally, the company needs to appraise and compare the costs of the safeguards. These steps and the resulting information enable management to make the most intelligent and informed decisions about selecting and purchasing countermeasures. Figure 3–6 illustrates these steps.

Figure 3–6: The main three steps in risk analysis


We Are Never Done

Only by reassessing the risks, on a periodic basis, can a statement of safeguard performance be trusted. If the risk has not changed, and the safeguards implemented are functioning in good order, then it can be said that the risk is being properly mitigated. Regular IRM monitoring will support the information security risk ratings.

Vulnerability analysis and continued asset identification and valuation are also important tasks of risk management monitoring and performance. The cycle of continued risk analysis is a very important part of determining whether the safeguard controls that have been put in place are appropriate and necessary to safeguard the assets and environment.

Total Risk vs. Residual Risk

The reason that a company implements countermeasures is to reduce its overall risk to an acceptable level. As stated earlier, no system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk.

Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard. A company may choose to take on total risk if the cost/benefit analysis results indicate that this is the best course of action. For example, if there is a small likelihood that a company’s web servers can be compromised and the necessary safeguards to provide a higher level of protection cost more than the potential loss in the first place, the company will choose not to implement the safeguard, choosing to deal with the total risk.

There is an important difference between total risk and residual risk and which type of risk a company is willing to accept. The following are conceptual formulas:

·         threats × vulnerability × asset value = total risk

·         (threats × vulnerability × asset value) × controls gap = residual risk

During a risk assessment, the threats and vulnerabilities are identified. The possibility of a vulnerability being exploited is multiplied by the value of the assets that are being assessed, which results in the total risk. Once the controls gap (protection the control cannot provide) is factored in, the result is the residual risk. Implementing countermeasures is a way of mitigating risks. Because no company can remove all threats, there will always be some residual risk. The question is what level of risk the company is willing to accept.

Handling Risk

Now that we know about the risk, what do we do with it?

Once a company knows the amount of total and residual risk it is faced with, it must decide how to handle it. There are four basic ways of dealing with risk: transfer it, reject it, reduce it, or accept it.

Many types of insurance are available to companies to protect their assets. If a company decides that the total or residual risk is too high to gamble with, it can purchase insurance, which would transfer the risk to the insurance company.

If the company implements countermeasures, this reduces the risk. If a company is in denial about its risk or ignores it, it is rejecting the risk, which can be very dangerous and is unadvisable. The last approach is to accept the risk, which means the company understands the level of risk it is faced with and the potential cost of damage and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.

Policies, Standards, Baselines, Guidelines, and Procedures

The risk assessment is done. Let’s call it a day. Response: Nope, there’s more.

Computers and the information that is processed on them usually have a direct relationship with a company’s critical missions and objectives. Because of this level of importance, senior management should make protecting these items a high priority and provide the necessary support, funds, time, and resources to ensure that systems, networks, and information are protected in the most logical and cost-effective manner possible. A comprehensive management approach needs to be developed to accomplish these goals successfully.

For a company’s security plan to be successful, it needs to start at the top level and be useful and functional at every single level within the organization. Senior management needs to define the scope of security and identify and decide what needs to be protected and to what extent. Management must understand the regulations, laws, and liability issues that it is responsible for complying with regarding security and ensure that the company as a whole fulfills its obligations. Senior management also needs to determine what is to be expected from employees and what the consequences of noncompliance will be. These decisions should be made by the individuals who will be held ultimately responsible if something goes wrong.

A security program contains all the pieces necessary to provide overall protection to a corporation and sets forth a long-term security strategy. A security program should have security policies, procedures, standards, guidelines, baselines, security-awareness training, an incident response plan, and a compliance program. The human resources and legal departments need to be involved in the development and enforcement of some of these elements.

The language, level of detail, formality of the policy, and supporting mechanisms should be examined by the policy developers. Security policies, standards, guidelines, and procedures must be developed with a realistic view to be most effective. Highly structured organizations usually follow guidelines in a more uniform way. Less structured organizations may need more explanation and emphasis to promote compliance. The more detailed the rules are, the easier it is to know when one has been violated. However, overly detailed documentation and rules can prove to be more burdensome than helpful. On the other hand, many times, the more formal the rules, the easier they are to enforce. The business type, its culture, and its goals need to be evaluated to make sure the proper language is used when writing security documentation.

Security Policy

Oh look, this paper tells us what we need to do. I am going to put smiley face stickers all over it.

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, issue-specific policy, or system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relative laws, regulations, and liability issues and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.

The organizational security policy has several important characteristics that need to be understood and implemented:

·         Business objectives should drive the policy’s creation, implementation, and enforcement. The policy should not dictate business objectives.

·         It should be an easily understood document that is used as a reference point for all employees and management.

·         It should be developed and used to integrate security into all business functions and processes.

·         It should be derived from and support all legislation and regulation applicable to the company.

·         It should be reviewed and modified as a company changes, such as through adoption of a new business model, merger with another company, or change of ownership.

·         Each iteration of the policy should be dated and under version control.

·         The units and individuals who are governed by the policy must have access to the applicable portions and not be expected to have to read all policy material to find direction and answers.

An issue-specific policy, also called a functional implementing policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. For example, an organization may choose to have an e-mail security policy that outlines what management can and cannot do with employees’ e-mail messages for monitoring purposes, specifies which e-mail functionality employees can or cannot use, and addresses specific privacy issues.

As a more specific example, an e-mail policy might state that management can read any employee’s e-mail messages that reside on the mail server, but not when they reside on the user’s workstation. The e-mail policy might also state that employees cannot use e-mail to share confidential information or to pass inappropriate material, and may be subject to monitoring of these actions. Before they use their e-mail clients, employees should be asked to confirm that they have read and understand the e-mail policy, either by signing a confirmation document or clicking Yes in a confirmation dialog box. The policy provides direction and structure for the staff by indicating what they can and cannot do. It informs the users of the expectations of their actions, and it provides liability protection in case an employee cries “foul” for any reason dealing with e-mail use.

 

Note

A policy needs to be technology- and solution-independent. It needs to outline the goals and missions, but not tie the organization to specific ways of accomplishing them.

A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, applications, and data. This type of policy may provide an approved software list, which contains a list of applications that may be installed on individual workstations. This policy may describe how databases are to be used and protected, how computers are to be locked down, and how firewalls, IDSs, and scanners are to be employed.

Policies are written in broad terms to cover many subjects in a general fashion. Much more granularity is needed to actually support the policy, and this happens with the use of procedures, standards, and guidelines. The policy provides the foundation. The procedures, standards, and guidelines provide the security framework. And the necessary security components, implementations, and mechanisms are used to fill in the framework to provide a full security program and secure infrastructure.


Types of Policies

Policies generally fall into one of the following categories:

·         Regulatory   This type of policy ensures that the organization is following standards set by specific industry regulations. This policy type is very detailed and specific to a type of industry. This is used in financial institutions, health care facilities, public utilities, and other government-regulated industries.

·         Advisory   This type of policy strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, handle financial transactions, or process confidential information.

·         Informative   This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one to teach individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations.


Standards

Some things you just gotta do.

Standards refer to mandatory activities, actions, rules, or regulations. Standards can give a policy its support and reinforcement in direction. Standards could be internal, or externally mandated (government laws and regulations).

Organizational security standards may specify how hardware and software products are to be used. They can also be used to indicate expected user behavior. They provide a means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform manner across the organization. An organizational standard may require all employees to have their company identification badges on their person at all times, to challenge unknown individuals about their identity and purpose for being in a specific area, or to encrypt confidential information. These rules are usually compulsory within a company, and if they are going to be effective, they need to be enforced.

As stated in an earlier section, there is a difference between tactical and strategic goals. A strategic goal can be viewed as the ultimate endpoint; the tactical goals are the steps to achieve it. As shown in Figure 3–7, standards, guidelines, and procedures are the tactical tools used to achieve and support the directives in the security policy, which is considered the strategic goal.

Figure 3–7: Policy establishes the strategic plans, and the lower elements provide the tactical support.

Baselines

There are a couple of definitions for baseline. A baseline can refer to a point in time that is used as a comparison for future changes. Once risks have been mitigated, and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

Let’s say that your doctor has told you that you are 400 pounds because of your diet of donuts, pizza, and soda. (This is very frustrating to you because the TV commercial said you could eat whatever you wanted and just take their very expensive pills each day and lose weight.) The doctor tells you that you need to exercise each day and get your heart rate double its normal rate for 30 minutes twice a day. How do you know when you are at double your heart rate? You find out your baseline (regular heart rate) by using one of those arm thingies with a little ball attached. So you start at your baseline and continue to exercise until you have doubled it or die, whichever comes first.

Baselines are also used to define the minimum level of protection that is required. In security, specific baselines can be defined per system type, which indicates the necessary settings and the level of protection that is being provided. For example, a company may stipulate that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline. This means that only systems that have gone through the Common Criteria evaluation process and achieved this rating can be used in this department. Once the systems are properly configured, this is the necessary baseline. When new software is installed, when patches or upgrades are applied to existing software, or when other changes take place to the system, there is a good chance that the system may no longer be providing its necessary minimum level of protection (its baseline). Security personnel must assess the systems as changes take place and ensure that the baseline level of security is always being met. If a technician installs a patch on a system and does not assess its new baseline, there could be new vulnerabilities introduced into the system that will allow evildoers easy access into the network.
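Both meanings of baseline above (a minimum required level of protection, and a point-in-time reference that later states are compared against) can be checked automatically after a patch. The following is an added example, not code from the book: the setting names, the required values and the two snapshots are constructed for illustration, and a real baseline would be populated from the organization's own standard for that system type.

```python
"""Security baseline check: compare a host's current settings against an agreed
minimum-protection baseline and against an earlier reference snapshot.
Added example, not from the book; every setting name, value and snapshot below
is constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Requirement:
    key: str                      # setting name as it appears in the snapshot
    check: Callable[[Any], bool]  # predicate the value must satisfy
    expected: str                 # human-readable statement of the requirement


# Constructed minimum-protection baseline for one system type (a workstation).
BASELINE = [
    Requirement("password_min_length", lambda v: v >= 12, ">= 12"),
    Requirement("screen_lock_timeout_s", lambda v: 0 < v <= 600, "between 1 and 600 seconds"),
    Requirement("host_firewall", lambda v: v == "enabled", "enabled"),
    Requirement("disk_encryption", lambda v: v == "full", "full"),
    Requirement("telnet_service", lambda v: v == "disabled", "disabled"),
]


def fingerprint(snapshot: dict) -> str:
    """Hash of the canonical snapshot: the formally agreed reference point."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_baseline(snapshot: dict, baseline=BASELINE) -> list:
    """Return one finding per unmet requirement; an empty list means the baseline is met."""
    findings = []
    for req in baseline:
        if req.key not in snapshot:
            findings.append(f"{req.key}: not set (required: {req.expected})")
            continue
        value = snapshot[req.key]
        try:
            ok = req.check(value)
        except TypeError:  # wrong value type, e.g. a string where a number is expected
            ok = False
        if not ok:
            findings.append(f"{req.key}: {value!r} (required: {req.expected})")
    return findings


def drift(reference: dict, current: dict) -> dict:
    """Point-in-time comparison: what changed, appeared or disappeared since the reference."""
    return {
        "changed": {k: (reference[k], current[k]) for k in reference
                    if k in current and reference[k] != current[k]},
        "added": {k: current[k] for k in current if k not in reference},
        "removed": {k: reference[k] for k in reference if k not in current},
    }


# Constructed snapshots: the approved build, then the same host after a patch
# that re-enabled telnet, reset the screen lock and installed a vendor agent.
APPROVED = {
    "password_min_length": 14,
    "screen_lock_timeout_s": 300,
    "host_firewall": "enabled",
    "disk_encryption": "full",
    "telnet_service": "disabled",
}
AFTER_PATCH = dict(APPROVED, telnet_service="enabled", screen_lock_timeout_s=0,
                   vendor_agent="installed")


if __name__ == "__main__":
    print("approved build meets baseline:", check_baseline(APPROVED) == [])
    for finding in check_baseline(AFTER_PATCH):
        print("FINDING", finding)
    print("drift since approved build:", drift(APPROVED, AFTER_PATCH))
```

The two functions answer different questions: `check_baseline` says whether the host still provides the minimum protection, and `drift` says what changed since the agreed reference, including settings that the baseline does not mention (here the new vendor agent), which is what a reviewer needs in order to decide whether the reference snapshot itself should be re-approved.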

 

Note

Baselines that are not technology-oriented should be created and enforced within organizations as well. For example, a company can mandate that all employees must have a badge with a picture ID in view while in the facility at all times. It can also state that visitors must sign in at a front desk and be escorted while in the facility. If these are followed, then this creates a baseline of protection.

Guidelines

Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel, or physical security. There are always gray areas in life, and guidelines can be used as a reference during those times. Whereas standards are specific mandatory rules, guidelines are general approaches that provide the necessary flexibility for unforeseen circumstances.

A policy might state that access to confidential data must be audited. A supporting guideline could further explain that audits should contain sufficient information to allow for reconciliation with prior reviews. Supporting procedures would outline the necessary steps to configure, implement, and maintain this type of auditing.

Procedures

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organizations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.

Procedures are considered the lowest level in the policy chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues.

Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment. If a policy states that all individuals who access confidential information must be properly authenticated, the supporting procedures will explain the steps for this to happen by defining the access criteria for authorization, how access control mechanisms are implemented and configured, and how access activities are audited. If a standard states that backups should be performed, then the procedures will define the detailed steps necessary to perform the backup, the timelines of backups, the storage of backup media, and so on. Procedures should be detailed enough to be both understandable and useful to a diverse group of individuals.


Modular Elements

Standards, guidelines, and baselines should not be in one large document. Each has a specific purpose and a different audience. A document describing how to be in compliance with a specific regulation may go to the management staff, whereas a detailed procedure on how to properly secure a specific operating system would be directed toward an IT member. Keeping standards, guidelines, and baselines separate and modular in nature helps for proper distribution and updating when necessary.


To tie these items together, let’s walk through an example. A corporation’s security policy indicates that confidential information should be properly protected. It states the issue in very broad and general terms. A supporting standard mandates that all customer information held in databases must be encrypted with the Advanced Encryption Standard (AES) algorithm while it is stored and that it cannot be transmitted over the Internet unless IPSec encryption technology is used. The standard indicates what type of protection is required and provides another level of granularity and explanation. The supporting procedures explain exactly how to implement the AES and IPSec technologies, and the guidelines cover how to handle cases when data is accidentally corrupted or compromised during transmission. All of these work together to provide a company with a security structure.

Implementation

Where are the policies that we spent $100,000 to develop? Response: What is a policy again?

Unfortunately, security policies, standards, procedures, baselines, and guidelines often are written because an auditor instructed a company to document these items, but then they live on a file server and are not shared, explained, or used. To be useful, they need to be put into action. No one is going to follow the rules if people don’t know that the rules exist. Security policies and the items that support them not only have to be developed, but also have to be implemented and enforced.

To be effective, employees need to know about security issues within these documents; therefore, the policies and their supporting counterparts need visibility. Awareness training, manuals, presentations, newsletters, and legal banners can achieve this visibility. It needs to be clear that the directives came from senior management and that the full management staff supports these policies. Employees need to understand what is expected of them in their actions, behaviors, accountability, and performance.

Implementing security policies and the items that support them shows due care by the company and its management staff. Informing employees of what is expected of them and the consequences of noncompliance can come down to a liability issue. If a company fires an employee because he was downloading pornographic material to the company’s computer, the employee may take the company to court and win if the employee can prove that he was not properly informed of what was considered acceptable and unacceptable use of company property and what the consequences were. Security-awareness training is covered in later sections, but understand that companies that do not supply this to their employees are not practicing due care and can be held negligent and liable in the eyes of the law.


Due Care and Due Diligence

Due care and due diligence are terms that are used throughout this book. Due diligence is the act of investigating and understanding the risks the company faces. A company practices due care by developing and implementing security policies, procedures, and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible threats. So, due diligence is understanding the current threats and risks and due care is implementing countermeasures to provide protection from those threats. If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence.


References

·         NCSA Security Policies and Procedures www.ncsa.uiuc.edu/UserInfo/Security/policy/

·         SANS Institute Security Policy Project www.sans.org/resources/policies

·         Information Security Policy World www.information-security-policies-and-standards.com

Information Classification

My love letter to my dog is top secret. Response: As it should be.

Earlier, this chapter touched upon the importance of recognizing what information is critical to a company and assigning a value to it. The rationale behind assigning values to different types of data is that it enables a company to gauge the amount of funds and resources that should go toward protecting each type of data, because not all data has the same value to a company. After the exercise of identifying important information, it should then be properly classified. A company has a lot of information that is created and maintained. The reason to classify data is to organize it according to its sensitivity to loss, disclosure, or unavailability. Once data is segmented according to its sensitivity level, the company can decide what security controls are necessary to protect different types of data. This ensures that information assets receive the appropriate level of protection, and classifications indicate the priority of that security protection. The primary purpose of data classification is to indicate the level of confidentiality, integrity, and availability protection that is required for each type of data set.

Data classification helps ensure that the data is protected in the most cost-effective manner. Protecting and maintaining data costs money, but it is important to spend this money for the information that actually requires protection. Going back to our very sophisticated example of U.S. spy satellites and the peanut butter and banana sandwich recipe, a company in charge of encryption algorithms used to transmit data to and from U.S. spy satellites would classify this data as top secret and apply complex and highly technical security controls and procedures to ensure that it is not accessed in an unauthorized method and disclosed. On the other hand, the sandwich recipe would have a lower classification, and your only means of protecting it might be to not talk about it.

Each classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed. For example, in a corporation, confidential information may be accessed only by senior management and a select few others throughout the company. Accessing the information may require two or more people to enter their access codes. Auditing could be very detailed and monitored daily, and paper copies of the information may be kept in a vault. To properly erase this data from the media, degaussing or zeroization procedures may be required. Other information in this company may be classified as sensitive, allowing a slightly larger group of people to view it. Access control on the information classified as sensitive may require only one set of credentials. Auditing happens but is only reviewed weekly, paper copies are kept in locked file cabinets, and the data can be deleted using regular measures when it is time to do so. Then, the rest of the information is marked public. All employees can access it, and no special auditing or destruction methods are required.

Private Business vs. Military Classifications

Earlier we touched on how organizations choose different security models, depending upon the type of organization, its goals, and its objectives. Military organizations are more concerned than most private-sector businesses about not disclosing confidential information. Private-sector businesses are usually more concerned with the integrity and availability of data. These different perspectives affect data classification also.

To properly implement data classifications, a company must first decide upon the sensitivity scheme it is going to use. One company may choose to use only two layers of classifications, while another company may choose to use more. Table 3–6 explains the types of classifications available. Note that some classifications are used for commercial businesses, whereas others are military classifications.

The following shows the levels of sensitivity from the highest to the lowest for commercial business:

·         Confidential

·         Private

·         Sensitive

·         Public

The following shows the levels of sensitivity from the highest to the lowest for the military:

·         Top secret

·         Secret

·         Confidential

·         Sensitive but unclassified

·         Unclassified

Table 3–6: Commercial Business and Military Data Classification (each entry gives the classification, its definition, examples, and the organization that would use it)

Public (used by: commercial business)
    Definition: Disclosure is not welcome, but it would not cause an adverse impact to company or personnel.
    Examples: how many people are working on a specific project; upcoming projects

Sensitive (used by: commercial business)
    Definition: Requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. Requires higher than normal assurance of accuracy and completeness.
    Examples: financial information; details of projects; profit earnings and forecasts

Private (used by: commercial business)
    Definition: Personal information for use within a company. Unauthorized disclosure could adversely affect personnel or the company.
    Examples: work history; human resources information; medical information

Confidential (used by: commercial business and military)
    Definition: For use within the company only. Data that is exempt from disclosure under the Freedom of Information Act or other laws and regulations. Unauthorized disclosure could seriously affect a company.
    Examples: trade secrets; health care information; programming code; information that keeps a company competitive

Unclassified (used by: military)
    Definition: Data is not sensitive or classified.
    Examples: computer manual and warranty information; recruiting information

Sensitive but unclassified (SBU) (used by: military)
    Definition: Minor secret. If disclosed, it could cause serious damage.
    Examples: medical data; answers to test scores

Secret (used by: military)
    Definition: If disclosed, it could cause serious damage to national security.
    Examples: deployment plans for troops; nuclear bomb placement

Top secret (used by: military)
    Definition: If disclosed, it could cause grave damage to national security.
    Examples: blueprints of new wartime weapons; spy satellite information; espionage data

It is important to not go overboard and come up with a long list of classifications, which will only cause confusion and frustration for the individuals who are going to use the system. The classifications should not be too restrictive and detail-oriented, either, because many types of data may need to be classified.

Each classification should be unique and separate from the others and not have any overlapping effects. The classification process should also outline how information and applications are controlled and handled through their life cycles (from creation to termination).

Once the scheme is decided upon, the company or government agency needs to develop the criteria it is going to use to decide what information goes into which classification. The following list shows some criteria parameters that an organization may use to determine the sensitivity of data:

·         Usefulness of data

·         Value of data

·         Age of data

·         The level of damage that could be caused if the data were disclosed

·         The level of damage that could be caused if the data were modified or corrupted

·         Legal, regulatory, or contractual responsibility to protect the data

·         Effects the data has on national security

·         Who should be able to access the data

·         Who should maintain the data

·         Where the data should be kept

·         Who should be able to reproduce the data

·         What data requires labels and special marking

·         Whether encryption is required for the data

·         Whether separation of duties is required

Data is not the only thing that needs to be classified. Applications and sometimes whole systems need to be classified. The applications that hold and process classified information need to be evaluated for the level of protection that they provide. You do not want a program filled with security vulnerabilities to process and “protect” your most sensitive information. The application classifications should be based on the assurance (confidence level) the company has in the software and the type of information it can store and process.

 

Note

An organization needs to make sure that whoever is backing up classified data—and whoever has access to backed-up data—has the necessary clearance level. A large security risk can be introduced if low-end technicians with no security clearance can have access to this information during their tasks.

 


Data Classification Procedures

The following outlines the necessary steps for a proper classification program:

1.      Define classification levels.

2.      Specify the criteria that will determine how data is classified.

3.      Have the data owner indicate the classification of the data she is responsible for.

4.      Identify the data custodian who will be responsible for maintaining data and its security level.

5.      Indicate the security controls, or protection mechanisms, that are required for each classification level.

6.      Document any exceptions to the previous classification issues.

7.      Indicate the methods that can be used to transfer custody of the information to a different data owner.

8.      Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian.

9.      Indicate termination procedures for declassifying the data.

10.  Integrate these issues into the security-awareness program so that all employees understand how to handle data at different classification levels.


Now that we have chosen a sensitivity scheme, the next step is to specify how each classification should be dealt with. We need to specify provisions for access control, identification, and labeling along with how data in specific classifications is stored, maintained, transmitted, and destroyed. We also need to iron out auditing, monitoring, and compliance issues. Each classification requires a different degree of security and, therefore, different requirements from each of the mentioned items.

Classification Controls

As mentioned earlier, which types of controls are implemented per classification depends upon the level of protection that management and the security team have determined is needed. The numerous types of controls available are discussed throughout this whole book. But some considerations pertaining to sensitive data and applications are common across most organizations:

·         Strict and granular access control for all levels of sensitive data and programs (see Chapter 4 for coverage of access controls, along with file system permissions that should be understood)

·         Encryption of data while stored and while in transmission (see Chapter 8 for coverage of all types of encryption technologies)

·         Auditing and monitoring (determine what level of auditing is required and how long logs are to be retained)

·         Separation of duties (determine whether two or more people need to be involved in accessing sensitive information to protect against fraudulent activities; if so, define and document procedures)

·         Periodic reviews (review classification levels, and the data and programs that adhere to them, to ensure that they are still in alignment with business needs; data or applications may also need to be reclassified or declassified, depending upon the situation)

·         Backup and recovery procedures (define and document)

·         Change control procedures (define and document)

·         File and file system access permissions (define and document)
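The controls listed above, and the earlier walkthrough in which a standard requires AES for stored customer data and IPSec for transfer over the Internet, can be expressed as a table of minimum controls per classification and checked mechanically. The following is an added example, not code from the book: it uses the chapter's commercial scheme (Public, Sensitive, Private, Confidential), but the approved ciphers, retention periods and dual-control requirement assigned to each level are constructed values that a real standard would set.

```python
"""Classification-driven handling controls: the commercial sensitivity scheme
from this chapter mapped to minimum controls, plus a check of a proposed data
store or flow against them. Added example, not from the book; the required
controls per level are constructed, not the book's values."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List, Optional


class Level(IntEnum):
    """Commercial business sensitivity levels, lowest to highest (from the chapter)."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class Requirement:
    at_rest_ciphers: frozenset      # approved ciphers for stored data; empty = not required
    transit_protocols: frozenset    # approved protections for Internet transfer; empty = not required
    audit_retention_days: int       # minimum retention of access logs
    dual_control: bool              # two people required to access (separation of duties)


# Constructed minimum controls per level. The Confidential row mirrors the
# chapter's walkthrough: AES at rest, IPsec for any transfer over the Internet.
REQUIRED = {
    Level.PUBLIC:       Requirement(frozenset(), frozenset(), 0, False),
    Level.SENSITIVE:    Requirement(frozenset(), frozenset({"TLS", "IPsec"}), 90, False),
    Level.PRIVATE:      Requirement(frozenset({"AES-128", "AES-256"}), frozenset({"TLS", "IPsec"}), 365, False),
    Level.CONFIDENTIAL: Requirement(frozenset({"AES-256"}), frozenset({"IPsec"}), 730, True),
}


@dataclass(frozen=True)
class Handling:
    """How a proposed store or flow is actually protected."""
    at_rest: Optional[str]          # cipher used for stored data, or None
    in_transit: Optional[str]       # channel protection, or None
    audit_retention_days: int
    dual_control: bool
    crosses_internet: bool = True   # transit rule only applies to Internet transfers


def evaluate(level: Level, h: Handling) -> List[str]:
    """Return one finding per control that falls short of the level's requirement."""
    req = REQUIRED[level]
    findings = []
    if req.at_rest_ciphers and h.at_rest not in req.at_rest_ciphers:
        findings.append(f"at rest: {h.at_rest!r} not in approved {sorted(req.at_rest_ciphers)}")
    if req.transit_protocols and h.crosses_internet and h.in_transit not in req.transit_protocols:
        findings.append(f"in transit: {h.in_transit!r} not in approved {sorted(req.transit_protocols)}")
    if h.audit_retention_days < req.audit_retention_days:
        findings.append(f"audit retention: {h.audit_retention_days} days < {req.audit_retention_days} required")
    if req.dual_control and not h.dual_control:
        findings.append("separation of duties: dual control required but not configured")
    return findings


def system_can_hold(system_level: Level, data_level: Level) -> bool:
    """A system approved for a level may hold data at that level or below, never above."""
    return data_level <= system_level


def highest_level(levels: Iterable[Level]) -> Level:
    """A data set takes the classification of its most sensitive element."""
    return max(levels)


def label(level: Level, asset: str) -> str:
    """Marking applied to a file or record so handlers can see its classification."""
    return f"[{level.name}] {asset}"


# Constructed plans for a customer database classified Confidential.
CUSTOMER_DB = Handling("AES-256", "IPsec", 730, True)
WEAK_PLAN = Handling("AES-256", "TLS", 90, False)

if __name__ == "__main__":
    print(label(Level.CONFIDENTIAL, "customer-db"), "findings:", evaluate(Level.CONFIDENTIAL, CUSTOMER_DB))
    for f in evaluate(Level.CONFIDENTIAL, WEAK_PLAN):
        print("FINDING", f)
```

Because `Level` is ordered, `system_can_hold` and `highest_level` give the two comparisons that recur in the classification procedures above: whether a system's own classification is high enough for the data placed on it, and what classification an aggregate inherits from its parts. The transit check applies only when `crosses_internet` is set, matching the standard in the walkthrough, which restricts Internet transfer rather than all transfer.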

References

·         Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1 http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V1-final.pdf

·         Handbook of Information Security Management, Domain 4, Chapter 4–1–1, “Information Classification: A Corporate Implementation Guide,” by Jim Appleyard (CRC Press LLC) www.cccure.org/Documents/HISM/303-308.html

Layers of Responsibility

Senior management and other levels of management understand the vision of the company, the business goals, and the objectives. The next layer down is the functional management, whose members understand how their individual departments work, what roles individuals play within the company, and how security affects their department directly. The next layers are operational managers and staff. These layers are closer to the actual operations of the company. They know detailed information about the technical and procedural requirements, the systems, and how the systems are used. The employees at these layers understand how security mechanisms integrate into systems, how to configure them, and how they affect daily productivity. Each layer has a different insight into what type of role security plays within an organization. Each layer should have input into the best security practices, procedures, and chosen controls to ensure that the agreed upon security level provides the necessary level of protection without negatively affecting the company’s productivity.

Although each layer is important to the overall security of an organization, there are specific roles that must be clearly defined. Individuals who work in smaller environments (where everyone has to wear several hats) may get overwhelmed with the number of roles that are presented next. Many commercial businesses do not have this level of structure in their security teams, but many government agencies and military units do. What you need to understand are the responsibilities that need to be assigned, and whether they are assigned to just a few people or to a large security team. These roles are the data owner, data custodian, system owner, security administrator, security analyst, application owner, supervisor (user manager), change control analyst, data analyst, process owner, solution provider, user, product line manager, and the guy who gets everyone coffee.

Data Owner

The data owner (information owner) is usually a member of management, in charge of a specific business unit, and is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data that he is responsible for and alters that classification if the business needs arise. This person is also responsible for ensuring that the necessary security controls are in place, ensuring that proper access rights are being used, defining security requirements per classification and backup requirements, approving any disclosure activities, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. And it is the data owner who will deal with security violations pertaining to the data he is responsible for protecting. The data owner, who obviously has enough on his plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.

Data Custodian

Hey you, custodian, clean up my mess! Response: Wrong type of custodian.

The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT department, and the duties include performing regular backups of the data, periodically validating the integrity of the data, restoring data from backup media, retaining records of activity, and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.