Slide Deck – Session 2 – FRSecure CISSP Mentor Program 2017

Transcript of Slide Deck – Session 2 – FRSecure CISSP Mentor Program 2017

Page 1: Slide Deck – Session 2 – FRSecure CISSP Mentor Program 2017

FRSecure 2016 CISSP Mentor Program

EVAN FRANCEN, PRESIDENT & CEO – FRSECURE
BRAD NIGH, SENIOR INFORMATION SECURITY ANALYST – FRSECURE

CLASS SESSION #2

Page 2

CISSP Mentor Program Session #2

Domain 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity)
• Cornerstone Information Security Concepts
• Legal and Regulatory Issues
• Security and 3rd Parties
• Ethics
• Information Security Governance
• Access Control Defensive Categories and Types
• Risk Analysis
• Types of Attackers

Page 3

Cornerstone Information Security Concepts

Information security is the application of administrative, physical, and technical controls to protect the confidentiality, integrity, and availability of information.

“Most organizations overemphasize technical controls to protect confidentiality and do so at the expense of other critical controls and purposes.”

Page 4

Cornerstone Information Security Concepts

Information security is the application of administrative, physical, and technical controls to protect the confidentiality, integrity, and availability of information.

Balance is critical.

The opposite of CIA is DAD (Disclosure, Alteration, and Destruction).

Page 5

Cornerstone Information Security Concepts

Privacy is the application of administrative, physical, and technical controls to protect the confidentiality of personally identifiable information (“PII”).

Page 6

Cornerstone Information Security Concepts

Identity, Authentication, Authorization, and Accountability (“AAA”)
• Identity is who I am.
• Often a name, username, ID number, employee number, etc.
• You’d have to take my word for it if I don’t prove it.
• Social engineers often profess an identity without proving it.

Page 7

Cornerstone Information Security Concepts

Identity, Authentication, Authorization, and Accountability (“AAA”)
• Authentication is proving who I am.
• Often a password, PIN code, picture, etc.
• Identity without authentication is pretty much useless.
• If I steal your authentication, I get to be you!
• Identity and authentication should be different (SSN).

Page 8

Cornerstone Information Security Concepts

Identity, Authentication, Authorization, and Accountability (“AAA”)
• Three types (or factors) of authentication:
◦ Something only you know; password, PIN number, etc.
◦ Something only you have; tokens, phone, debit card, etc.
◦ Something only you are; biometrics
• Using two (or more) factors is called “strong” authentication or multi-factor authentication.

Page 9

Cornerstone Information Security Concepts

Identity, Authentication, Authorization, and Accountability (“AAA”)
• Authorization is what the system will allow me to do.
• Comes after I identify and authenticate.
• Authorization is tied to identity.
• Sometimes referred to as privileges or rights.

Page 10

Cornerstone Information Security Concepts

Identity, Authentication, Authorization, and Accountability (“AAA”)
• Accountability is a record of what I did.
• Before and after authentication.
• Accountability is also tied to identity. If my identity (and authentication) is stolen or shared, there is no accountability.
• Shared accounts are bad.
• Non-repudiation; the ability to prove that someone (or something) performed an action.

Page 11

Cornerstone Information Security Concepts

Very similar, but slightly different:
• Least Privilege is tied to rights; basically what I can do with and in the system.
• Need to Know is tied to information; basically what I can do with information.

A violation of least privilege can easily violate the Need to Know principle.

"Over 30 percent of respondents admit to having no policy in place for managing administrator access” http://www.businessnewsdaily.com/4614-managing-administrator-access-security.html#sthash.o753cCcv.dpuf

Page 12

Cornerstone Information Security Concepts

Subjects and Objects
• A subject is an active entity; users, services, applications, etc.
• An object is a passive entity; paper, database tables, etc.
• An entity can be a subject in one instance and an object in another. It really depends on context.

Expect the exam to use these definitions and test you on them.

Page 13

Cornerstone Information Security Concepts

Defense-in-depth
• The concept stresses the importance of not relying upon a single control (or a single layer of controls).
• Multiple controls (or safeguards) to protect (or reduce risk to) information assets.
• Bypassing one control means running into another.

Page 14

Cornerstone Information Security Concepts

Due Care and Due Diligence
• Be careful to not provide legal guidance. Lawyers do that.
• Both concepts rely on the “prudent man” rule. What would a prudent man do in a similar situation?
• Due care is doing what the prudent man would do.
• Due diligence is the formal management of due care.
• Negligence (and gross negligence) is not practicing due care. Some people go as far as calling this reckless.

Page 15

Legal and Regulatory Issues

Compliance is critical! Although “compliance” and “security” are two different things.
• More detailed instruction about compliance is provided when we get to Domain 9: Legal, Regulations, Investigations, and Compliance.
• Compliance is doing what you’ve been told to do or what you’ve been commanded to do.
• Security is using administrative, physical, and technical controls to protect (or manage risks related to) the confidentiality, integrity, and availability of information.

Page 16

Legal and Regulatory Issues

Major Legal Systems
• There are four major legal systems that are covered in the exam:
◦ Civil Law
◦ Common Law
◦ Religious Law
◦ Customary Law
• There are different legal systems in different parts of the world. Be aware of what legal system is used in whatever country you’re operating in!

Page 17

Legal and Regulatory Issues

Major Legal Systems – Civil Law
• The most common legal system throughout the world.
• Codified laws (or statutes).
• A legislative body (or branch) is usually tasked with creating the laws/statutes.
• A judicial body (or branch) interprets the law.
• No (or very little) weight is given to judicial precedent or outcomes from previous cases.

Page 18

Legal and Regulatory Issues

Major Legal Systems – Common Law
• The legal system in the United States, Canada, U.K., and others.
• Codified laws (or statutes).
• A legislative body (or branch) is usually tasked with creating the laws/statutes.
• Much weight is given to judicial precedent and outcomes from previous cases.

Judicial interpretations of the laws can change over time.

This is the most likely legal system to be referred to on the exam.

Page 19

Legal and Regulatory Issues

Major Legal Systems – Religious Law
• Religious doctrine and/or interpretation is the source of laws/statutes.
• Extent and degree of interpretation and enforcement varies greatly from jurisdiction to jurisdiction.
• Islam is the most common source for religious legal systems.
◦ Sharia Law
◦ Qur’an and Hadith are used.

Page 20

Legal and Regulatory Issues

Major Legal Systems – Customary Law
• Refers to the customs or practices within a jurisdiction.
• The laws/statutes are often undocumented, but generally well-understood.
• Best practices – negligence

Page 21

Legal and Regulatory Issues

Within the Common Law (legal system)

Page 22

Legal and Regulatory Issues

Within the Common Law (legal system) – Criminal Law
• Victim is society – promote and maintain an orderly and law-abiding citizenry.
• Requires proof beyond a reasonable doubt.
• Deters crime and punishes offenders.

Page 23

Legal and Regulatory Issues

Within the Common Law (legal system) – Civil Law
• Victim is an individual, group, or organization.
• Most commonly between private parties.
• One act can be prosecuted under both criminal and civil procedures.
• Damages are (often) financial:
◦ Statutory Damages – prescribed by the law (even if no loss or injury to the victim)
◦ Compensatory Damages – awarded to compensate a victim for loss or injury
◦ Punitive Damages – to punish and discourage really bad behavior
• Burden of proof is the preponderance of the evidence (think tipping the scale).

Page 24

Legal and Regulatory Issues

Within the Common Law (legal system) – Civil Law

Page 25

Legal and Regulatory Issues

Within the Common Law (legal system) – Administrative Law
• Laws enacted by governmental agencies.
• Typically the legislature or President issues an administrative law.
• The agency interprets the law and enforces it.
• Government-mandated compliance.
• Examples include FCC regulations, HIPAA, FDA regulations, FTC regulations, etc.

Page 26

Legal and Regulatory Issues

Within the Common Law (legal system) – Administrative Law

Page 27

Legal and Regulatory Issues

Liability
• Who should be held accountable?
• Who should we blame?
• Who should pay!
• Apply the Prudent Man Rule:
◦ Due Care
◦ Due Diligence

Page 28

Legal and Regulatory Issues

Legal Aspects of Investigations
• Collecting and handling evidence is a critical legal issue – some evidence carries more weight than other evidence.
• Types of evidence:
◦ Real Evidence – consists of tangible or physical objects; a computer or hard drive is real evidence, but the data is NOT.
◦ Direct Evidence – testimony from a first-hand witness using one or more of his/her five senses; non-first-hand evidence is called “hearsay”.
◦ Circumstantial Evidence – establishes the circumstances related to points in the case or other evidence; not good to use alone to prove a case.
◦ Corroborative Evidence – evidence to strengthen a fact or element of a case; provides additional support, but cannot establish a fact on its own.
◦ Hearsay Evidence – second-hand evidence normally considered inadmissible in court (Rule 802), but there are exceptions (Rule 803)…

Page 29

Legal and Regulatory Issues

Legal Aspects of Investigations – Hearsay Evidence
• There are rules (namely Rule 803 and Rule 804) within the Federal Rules of Evidence of the United States that permit exclusions to Rule 802.
• Business and computer-generated records (logs) are generally considered to be hearsay evidence.
• Rule 803 allows for records or reports that were “made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation”.
• Rule 1001 allows for the admissibility of binary disk and physical memory images; “if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’.”

Page 30

Legal and Regulatory Issues

Legal Aspects of Investigations
• Best Evidence Rule – courts prefer the best evidence possible; evidence should be relevant, authentic, accurate, complete, and convincing – direct evidence is always best.
• Secondary Evidence – common in cases involving computers; consists of copies vs. originals – logs and documents from computers are considered secondary.
• Evidence Integrity – evidence must be reliable; hashes, copies vs. originals, etc.
• Chain of Custody – chain of custody form.
• Prosecuting computer crimes (criminal) is hard…
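The two bullets on evidence integrity and chain of custody describe what a forensic examiner actually does with a copy of a disk image: hash the original at acquisition, hash the copy at every hand-off, and keep a record of who held it and when. The following is an added example (not code from the FRSecure deck) that shows the mechanism with SHA-256 and a small chain-of-custody record; the "disk image" bytes, examiner names, item IDs and timestamps are constructed sample values.

```python
# Added example, not part of the FRSecure slide deck. Demonstrates the
# "hashes, copies vs. originals" and "chain of custody" bullets: a copy is only
# usable as evidence if it hashes identically to the original, and every
# hand-off is logged with the hash observed at that moment.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Fixed-length fingerprint of the evidence bytes; any single-byte change flips it."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, copy: bytes) -> bool:
    """True when the forensic copy is bit-for-bit identical to the original."""
    return sha256_hex(original) == sha256_hex(copy)


@dataclass
class CustodyEntry:
    timestamp: str   # ISO-8601, UTC
    handler: str     # who took possession
    action: str      # what they did (acquired, transferred, analyzed, ...)
    digest: str      # SHA-256 observed at this hand-off


@dataclass
class EvidenceItem:
    item_id: str
    original_digest: str                      # hash taken at acquisition
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, handler: str, action: str, data: bytes,
               timestamp: Optional[str] = None) -> bool:
        """Log a hand-off, hashing the bytes as they are *now*, and report
        whether they still match the acquisition hash."""
        digest = sha256_hex(data)
        when = timestamp or datetime.now(timezone.utc).isoformat()
        self.entries.append(CustodyEntry(when, handler, action, digest))
        return digest == self.original_digest

    def intact(self) -> bool:
        """Every logged hash matches the acquisition hash."""
        return all(e.digest == self.original_digest for e in self.entries)

    def first_break(self) -> Optional[CustodyEntry]:
        """The earliest hand-off at which the evidence no longer matched."""
        for e in self.entries:
            if e.digest != self.original_digest:
                return e
        return None


# Constructed sample: a tiny stand-in for an acquired disk image.
ORIGINAL_IMAGE = b"EVIDENCE-IMAGE-v1:" + bytes(range(256)) * 4
# Same image with its final byte altered (0xFF -> 0x00): one bit flip is enough.
TAMPERED_IMAGE = ORIGINAL_IMAGE[:-1] + b"\x00"


def demo_clean_chain() -> EvidenceItem:
    """Acquisition followed by a hand-off of a faithful copy (constructed names/times)."""
    item = EvidenceItem("HDD-001", sha256_hex(ORIGINAL_IMAGE))
    item.record("examiner A", "acquired image", ORIGINAL_IMAGE, "2017-03-30T14:00:00+00:00")
    item.record("examiner B", "received for analysis", bytes(ORIGINAL_IMAGE), "2017-03-31T09:15:00+00:00")
    return item


def demo_broken_chain() -> EvidenceItem:
    """Same flow, but the copy handed to the second examiner was altered."""
    item = EvidenceItem("HDD-002", sha256_hex(ORIGINAL_IMAGE))
    item.record("examiner A", "acquired image", ORIGINAL_IMAGE, "2017-03-30T14:00:00+00:00")
    item.record("examiner C", "received for analysis", TAMPERED_IMAGE, "2017-03-31T09:15:00+00:00")
    return item


if __name__ == "__main__":
    for item in (demo_clean_chain(), demo_broken_chain()):
        status = "intact" if item.intact() else f"BROKEN at {item.first_break().handler}"
        print(item.item_id, status)
        for e in item.entries:
            print(f"  {e.timestamp} {e.handler:<11} {e.action:<22} {e.digest[:16]}...")
```

The point for the Best Evidence and Secondary Evidence bullets is that the copy can stand in for the original only while its hash chain is unbroken; the `first_break` lookup tells you which hand-off the defense will challenge.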

Page 31

Legal and Regulatory Issues

Legal Aspects of Investigations – Reasonable Searches
• The Fourth Amendment to the United States Constitution protects citizens from unreasonable search and seizure.
• In ALL cases, the court will determine if evidence was obtained legally.
• Law enforcement needs a search warrant issued by a judge (in most cases). Exceptions include:
◦ Plain sight
◦ Public checkpoints
◦ Exigent circumstances – immediate threat to human life or of evidence destruction
• These protections only apply to law enforcement and those operating under the “color of law” – Title 18 U.S.C. Section 242 – Deprivation of Rights Under the Color of Law.

Page 32

Legal and Regulatory Issues

Legal Aspects of Investigations – Entrapment & Enticement
• Entrapment – persuades someone to commit a crime who otherwise had no intent to commit a crime – a valid legal defense.
• Enticement – persuades someone to commit a crime who already had the intent to commit a crime – not a valid defense.

Honeypots

Page 33

Legal and Regulatory Issues

Intellectual Property – Trademarks and Servicemarks
• Trademarks – ® and ™
• Creation of a distinguishing brand.
• Applies to name, logo, symbol, or image (usually).
• ™ can be used freely by anyone; unregistered trademark.
• ® is a registered trademark with the U.S. Patent and Trademark Office.
• A superscript “SM” can be used to brand a service.

Page 34

Legal and Regulatory Issues

Intellectual Property – Trademarks and Servicemarks

Page 35

Legal and Regulatory Issues

Intellectual Property – Patents
• Provide a monopoly to the patent holder in exchange for the patent holder making their invention public.
• Invention must be “novel” and “unique”.
• Generally patents provide exclusivity for 20 years.
• After patent expiration, the invention can be produced and sold by anyone.

Page 36

Legal and Regulatory Issues

Intellectual Property – Copyright
• Software is typically covered under copyright law.
• Limitations:
◦ Fair sale – allows a legitimate purchaser to sell the software (or video, music, etc.) to someone else.
◦ Fair use – allows for duplication without the consent of the copyright holder, subject to the Copyright Act of 1976.
• Licenses – contract between the consumer and provider; provides explicit limitations on the use and distribution of software; EULAs.

Page 37

Legal and Regulatory Issues

Intellectual Property – Trade Secrets
• Business-proprietary information that is essential for the organization to compete in the marketplace.
• “Secret sauce”
• Must be “actively protected” to be enforceable; using due care and due diligence.
• If an organization does not take reasonable steps to protect a trade secret, it is assumed that the organization doesn’t enjoy a competitive advantage from the trade secret, leading to a conclusion that it’s not actually a trade secret at all.

Page 38

Legal and Regulatory Issues

Intellectual Property – Intellectual Property Attacks
• Constant problem
• Piracy and copyright infringement – Pirate Bay, BitTorrent, etc.
• Cybersquatting & Typosquatting
• Counterfeiting
• Dilution (not really an attack)

Page 39

Legal and Regulatory Issues

Intellectual Property – Intellectual Property Attacks

Page 40

Legal and Regulatory Issues

Privacy
• Confidentiality of personally-identifiable information (a subset of security).
• Examples of PII: names/email addresses (maybe), Social Security Numbers (SSN), Protected Health Information (“PHI”), bank account information (sort of), etc.
• There are numerous privacy laws throughout the world.

Page 41

Legal and Regulatory Issues

Privacy – European Union Privacy (EU Data Protection Directive)
• Aggressive pro-privacy law.
• Notifying individuals of how their data is gathered and used.
• Allows for opt-out for sharing with 3rd parties.
• Opt-in required for sharing “most” sensitive data.
• Reasonable protections.
• No transmission out of the EU unless the receiving country is perceived to have adequate (equal) privacy protections; the U.S. does NOT meet this standard. EU-US Safe Harbor is optional, between the organization and the EU.

Page 42

Legal and Regulatory Issues

Privacy – European Union Privacy (EU Data Protection Directive)

Page 43

Legal and Regulatory Issues

Privacy – Organization for Economic Cooperation and Development (OECD) Privacy Guidelines
• 30 member nations from around the world (including the U.S.).
• Focus on issues that impact the global economy.
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; issued in 1980.
• Eight principles…

Page 44

Legal and Regulatory Issues

Privacy – Organization for Economic Cooperation and Development (OECD) Privacy Guidelines
• Eight driving principles:
◦ Collection Limitation Principle
◦ Data Quality Principle
◦ Purpose Specification Principle
◦ Use Limitation Principle
◦ Security Safeguards Principle
◦ Openness Principle
◦ Individual Participation Principle
◦ Accountability Principle
• Not mandatory

Page 45

Legal and Regulatory Issues

Other Rules and Laws
• Health Insurance Portability and Accountability Act (HIPAA, not HIPPA)
◦ Overseen by the Department of Health and Human Services (DHS), enforced by the Office for Civil Rights (OCR).
◦ Three rules: Privacy Rule, Security Rule, and Breach (notification) Rule.
◦ Applies to “covered entities” and also (now) “business associates”.
◦ Originally passed in 1996, Security Rule finalized in 2003, modified in 2009 (HITECH), and Omnibus Rule in 2013.
◦ Security Rule mandates certain administrative, physical, and technical safeguards.
◦ Risk analysis is required.

Page 46

Legal and Regulatory Issues

Other Rules and Laws
• Electronic Communications Privacy Act (ECPA)
◦ Protection of electronic communications against warrantless wiretapping.
◦ Amended/weakened by the PATRIOT Act.
• Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030
◦ Most commonly used law to prosecute computer crimes.
◦ Enacted in 1986.
◦ Amended in 1989, 1994, 1996, 2001, 2002 (PATRIOT Act), and 2008 (Identity Theft Enforcement and Restitution Act).

Page 47

Legal and Regulatory Issues

Other Rules and Laws
• PATRIOT Act of 2001
◦ Expands law enforcement electronic monitoring capabilities.
◦ Allows search and seizure without immediate disclosure.
• Gramm-Leach-Bliley Act (GLBA)
◦ Applies to financial institutions; driven by the Federal Financial Institutions Examination Council (FFIEC); enforced by member agencies: OCC, FDIC, FRB, NCUA, and CFPB.
◦ Enacted in 1999; requires protection of the confidentiality and integrity of consumer financial information.

Page 48

Legal and Regulatory Issues

Other Rules and Laws
• California Senate Bill 1386 (SB1386)
◦ Regulates the privacy of personal information.
◦ One of the first data breach notification laws.
• Sarbanes-Oxley Act of 2002 (SOX)
◦ Directly related to the financial scandals in the late 90s.
◦ Regulatory compliance standards for financial reporting.
◦ Intentional violations can result in criminal penalties.

Page 49

Legal and Regulatory Issues

Other Rules and Laws
• Payment Card Industry Data Security Standard (PCI-DSS)
◦ Applies to cardholder (credit and debit) data.
◦ Created by the major card brands: VISA, MasterCard, Discover, etc.
◦ NOT governmental and NOT a law (yet).
◦ Requires merchants (and others) to meet a minimum set of security requirements.
◦ Mandates security policy, devices, control techniques, and monitoring.

Page 50

Legal and Regulatory Issues

Breach Notification Laws
• 47 (now 48, with New Mexico) states have enacted breach notification laws.
• There is no Federal breach notification law.
• Conflicts arise in interpretations, jurisdictions, and definitions.
• Safe harbors may (or may not) be provided if the data was encrypted, depending on the state.

There are also two data protection laws and numerous data destruction laws. To make matters worse, there are data openness laws and Freedom of Information Act considerations!

Page 51

Security and 3rd Parties

Vendor Risk Management Considerations
• Attestation – How can you attest to the fact that vendors are protecting assets adequately? Risk assessments (FISA™), SOC 2 (Type 1 and 2), ISO Certification, HITRUST, Shared Assessments, PCI-DSS ROC, etc.
• Right to Penetration Test & Right to Audit
• Procurement
• Acquisitions
• Divestitures

Page 52

Ethics

ISC2® Code of Ethics
• Very testable.
• Must be agreed to in order to become a CISSP.
• Preamble, canons (mandatory), and guidance (advisory).
• Canons:
◦ Protect society, the commonwealth, and the infrastructure.
◦ Act honorably, honestly, justly, responsibly, and legally.
◦ Provide diligent and competent service to principals.
◦ Advance and protect the profession.
• Canons are applied in order; if there are conflicts, go with the higher one.

Page 53

Ethics

Computer Ethics Institute
• Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Page 54

Ethics

Internet Activities Board (IAB) Ethics
• “Ethics and the Internet”
• Defined as a Request for Comment (RFC), #1087.
• Published in 1987.
• Considered unethical behavior:
◦ Seeks to gain unauthorized access to the resources of the Internet
◦ Disrupts the intended use of the Internet
◦ Wastes resources (people, capacity, computer) through such actions
◦ Destroys the integrity of computer-based information
◦ Compromises the privacy of users

Page 55

Information Security Governance

Security Policy and Related Documents
• Policy (Mandatory)
◦ Purpose
◦ Scope
◦ Responsibilities
◦ Compliance
• Policy types:
◦ Program policy
◦ Issue-specific policy
◦ System-specific policy

Page 56

Information Security Governance

Security Policy and Related Documents
• Procedures
◦ Mandatory
◦ Step-by-step guidance
• Standards
◦ Mandatory
◦ Specific use of a technology
• Guidelines
◦ Recommendations; discretionary
◦ Advice/advisory
• Baselines (or benchmarks)
◦ Usually discretionary
◦ Uniform methods of implementing a standard

Page 57

Information Security Governance

Personnel Security Considerations
• Security Awareness and Training
◦ Actually two different things
◦ Training teaches specific skills
◦ Awareness activities are reminders
• Background Checks
◦ Criminal history, driving records, credit checks, employment verification, references, professional claims, etc.
◦ More sensitive roles require more thorough checks; one-time and ongoing
• Employee Termination
◦ Formalized disciplinary process (progressive)
◦ Exit interviews, rights revocation, account reviews, etc.
• Dealing with Vendors, Contractors, 3rd Parties
◦ Outsourcing and Offshoring

Page 58

Access Control Defensive Categories and Types
• Categories
◦ Administrative Controls
◦ Technical Controls
◦ Physical Controls
• Types
◦ Preventive
◦ Detective
◦ Corrective
◦ Recovery
◦ Deterrent
◦ Compensating
• Very testable; you may be given a scenario or control description and need to provide the category and type.
• In order to be sure of the control type, you need to clearly understand the context.

Page 59

Risk Analysis
• All decisions should be driven by risk.
• Most people don’t assess risk well (formally or informally).
• Assets
• Threats
• Vulnerabilities
• Risk = Threat x Vulnerability
• Risk = Threat x Vulnerability x Impact (better)
• Risk is arguably the most overused and misunderstood concept in security.
• I disagree with the book. Risk is the likelihood of something bad happening and the impact if it did.

Page 60

Risk Analysis
• Risk calculations
◦ Risk analysis matrix
◦ Annualized Loss Expectancy (ALE = SLE x ARO)
◦ Asset Value (AV); valuation approaches: Market Approach, Income Approach, Cost Approach
◦ Exposure Factor (EF) – expressed as a percent of the asset exposed (given a threat and vulnerability)
◦ Single Loss Expectancy (SLE = AV x EF)
◦ Annual Rate of Occurrence (ARO)

Page 61

Risk Analysis
• Total Cost of Ownership (TCO) – Return on Security Investment (ROSI)
• Budget and Metrics – I can’t manage what I can’t measure.
• Risk Choices
◦ Accept the risk; document risk acceptance criteria
◦ Mitigate the risk
◦ Transfer the risk; insurance?
◦ Risk Avoidance
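The Risk Analysis slides above give the quantitative formulas (SLE = AV x EF, ALE = SLE x ARO) and then the TCO/ROSI and accept-mitigate-transfer choices without carrying a number through them. The following is an added example (not code from the FRSecure deck) that works one constructed scenario end to end; the asset value, exposure factor, occurrence rates, control cost and the acceptance threshold are all made-up sample inputs, and the decision rule in `risk_choice` is an assumption of this example, not something the deck prescribes.

```python
# Added example, not part of the FRSecure slide deck. Carries the deck's
# quantitative risk formulas (SLE = AV x EF, ALE = SLE x ARO) through one
# constructed scenario and uses ROSI to choose between the risk choices.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction (0.0 to 1.0) of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is incidents per year; 0.1 means roughly once a decade."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def return_on_security_investment(ale_before: float, ale_after: float,
                                  annual_control_cost: float) -> float:
    """ROSI = (ALE reduction - annual control cost) / annual control cost.

    Positive means the control removes more expected annual loss than it costs.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    reduction = ale_before - ale_after
    return (reduction - annual_control_cost) / annual_control_cost


def risk_choice(ale_before: float, ale_after: float, annual_control_cost: float,
                acceptance_threshold: float) -> str:
    """Constructed decision rule (an assumption of this example, not the deck's):
    accept when expected annual loss is already within the documented acceptance
    criteria; mitigate when the proposed control pays for itself; otherwise the
    remaining choices are transfer (insurance) or avoidance."""
    if ale_before <= acceptance_threshold:
        return "accept"
    if return_on_security_investment(ale_before, ale_after, annual_control_cost) > 0:
        return "mitigate"
    return "transfer or avoid"


def worked_example() -> dict:
    """Constructed scenario: a customer database valued at $500,000; a breach
    exposes 25% of that value and is expected once every five years. A proposed
    control costs $10,000 per year and cuts the rate to once every twenty years.
    The documented acceptance threshold is $5,000 of expected annual loss."""
    av, ef = 500_000.0, 0.25
    aro_before, aro_after = 0.2, 0.05
    control_cost = 10_000.0
    sle = single_loss_expectancy(av, ef)
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    return {
        "sle": sle,                 # 125,000
        "ale_before": ale_before,   # 25,000 per year without the control
        "ale_after": ale_after,     # 6,250 per year with the control
        "rosi": return_on_security_investment(ale_before, ale_after, control_cost),
        "choice": risk_choice(ale_before, ale_after, control_cost,
                              acceptance_threshold=5_000.0),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

Note that the EF check matters in practice: an exposure factor entered as "25" instead of 0.25 silently inflates every downstream figure by a hundredfold, which is exactly the kind of arithmetic slip that makes quantitative analysis look more precise than it is.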

Page 62

Risk Analysis
• Qualitative Risk Analysis
• Quantitative Risk Analysis
• Risk Management Process (NIST SP 800-30 outlines a 9-step process)
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis (vulnerabilities)
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Page 63

Types of Attackers
• Hackers
◦ Black hat (or “Cracker” or “malicious hacker”)
◦ White hat (or “ethical hacker”)
◦ Gray hat (confused/identity crisis)
• Script Kiddies – low skill, can click and type, use tools/scripts made by others
• Outsiders vs. Insiders
• Hacktivists
• Bots and Botnets
• Phishers and Spear Phishers (also vishers and whalers or whaling)

Page 64

Questions?

PHEW!!! We made it.

Homework for Tuesday (4/4)
◦ Read Chapter 3/Domain 2: Asset Security (Protecting Security of Assets) – Pages 81 through 98 (short!); I will probably cover more on Tuesday though. Feel free to read into Chapter 4/Domain 3: Security Engineering (Engineering and Management of Security)
◦ Complete the quiz (or we’ll cover it on Tuesday)
◦ Come with questions!

Have a great weekend!

Page 65

Questions? Hopefully about security.

Thank you!

Evan Francen
◦ FRSecure
◦ [email protected]
◦ 952-467-6384