CISSP Training
Pages 566-631
Tim JensenStaridLabs
Security Awareness Training
Designed to tell why a policy exists
Show practical examples and ways to identify threats
Turn employees into human security sensors
Topics
Corporate security policies
Organization's security program
Regulatory compliance requirements for the organization
Social Engineering
Business continuity
Disaster Recovery
Topics Cont'd
Emergency Management (hazmat, biohaz, etc)
Security incident response
Data classification
Information labeling and handling
Personnel security, safety, and soundness
Physical Security
Topics Still Cont'd
Appropriate computing resource use
Proper care and handling of security credentials (usernames, passwords)
Risk assessment
Accidents, errors, or omissions
Teaching why policy is necessary
Show real world examples of security failures that could have been fixed with policy
Security teams identify risks to the company and create policies to mitigate just the risks present. Without policy every risk would have mitigation even if the risk didn't apply to the company/department
Why are security policies important
The end goal of security policies is to protect:The organization
The employees
The Assets of the company
(It's customers when possible)
Questions to answer in training
How does all this security stuff affect my job at the company?
Do I have to do it?
If I don't do it, what are you going to do?
All this security crap is just going to waste time and make my job harder!
What should I be looking for?
Awareness Activities
Formal training courses
Posters
Business unit walk throughs
Security articles/reminders on intranet
Appointment of a 'security awareness mentor'
Security Awareness Day activies, prizes, recognition for winners
Sponsor event with security organization (ISSA, ISACA, SANS, ISC2, Infragard, etc)
Provide trinkets for the users within the organization that support security management principles
Promote Security Awareness Week/month
Provide security reference materials to employees (books, videos, websites)
Job Training
Employees should be professionally trained on the systems/processes they manage.
Lack of training leads to misconfigurations or process gaps which can lead to compromise
It's the sign of a good employee to self learn. It's the sign of bad management to blindly trust that the employee is doing so.
Vendor neutral vs vendor certifications
Performance Metrics
Consistent metrics allow for the identification of security gaps, identify is process improvements helped or hurt, and identify non-compliance
Can be walkthroughs, quizes, or etc
Managing the Security Function
IS Security Officers
The Information Security Officer is accountable for ensuring the protection of all of the business information assets from intentional and unintentional loss, disclosure, alteration, destruction, and unavailability.
The security officer typically doesn't have the resources available to perform all of these functions and must depend on involvement from other departments/individuals
Must keep up with emerging technologies and risks
Security officers often operate CIRT teams
Provides the leadership for the information security awareness program by ensuring that the program is delivered in a meaningful, understandable way to the intended audience.
Bridging IT with Executives
IS Security Officers translate threats based on configuration/technoligies into:What is the real perceived threat?
What is the risk (impact/probability)
What is the cost of the safeguard?
What will be the residual risk?
How long will the project take (time, money, people, systems)
Reporting
Security officer should report as high in the organization as possible to:Maintain visibility of the importance of security
Limit the distortion or inaccurate translation of the message
Budget
Security maintains it's own budget as well as ensures each applicable department's budget contains funds for security training/remediation
Work Metrics
Automated metric systems should be implimented to rate the day to day security and long term trends.Helpdesk tickets/hour/day
Inbound email/hour/day
Outbound email/hour/day
Inbound connections at border firewallPackets dropped at border firewall
Packets dropped at internal firewall
Employee hours spent on compliance reporting
Report metrics how effective is each report? Has it ever caught anything?
Interdepartmental resources
Buy doughnuts for:System Admins
Database Admins
Network Admins
Privacy Officers
Compliance Officers
Legal
Law Enforcement
QA testers
Helpdesk
Budget Officers
Procurement Specialists
Business Analysts
Administrative Professionals
Enterprise Architects
Software Developers
Strategic Planning
Make 3-5 year plans
Review annually or before
Tactical Plans
6-18 month plans for specific purposes: reducing vulnerabilities, etc
Review Security Program
Anaully review security program for completeness and to identify gaps
Domain 4
Software Development Security
Jem JensenStaridLabs
Overview
Planning, programming, and management of software systems
Includes both operating systems and applications
Software is layered, kind of like networkingHardware, drivers, OS, utilities and applications
Software Development Life Cycle
SDLC is is project management process used to plan, execute, and control a software development project
Can differ from project to project
Specific model should best fit the project
Basic SDLC Phases
Project initiation and planning
Functional requirements definition
System design specifications
Development and implementation
Documentation and common program controls
Acceptance
Testing and evaluation control
Transition to production
Project initiation and planning
Vision, goal
Proposed technical solution
Documentation: charter, scopeInclude objectives, strategy, costs, time estimates, milestones
Usually ends with management signoff on charter and/or scope
Project initiation and planning
Security professional mental checklist:Is particular info sensitive? (alone or together)
Has info owner determined the info value?
Classifications/Categories?
Is there a risk of sensitive info exposure?
Will data be transmitted or stored in public?
Are controlled areas required?
What systems interconnect with this?
How will this affect the org culture?
Could the company become dependent upon it?
Functional requirements definition
Define end-user needs
Formalize security requirements
Often rolled-into project initiation phase for small projects
System design specifications
Design:System architecture
System outputs
System interface
Security features
Generally based on over-all architecture for the company
Development and implementation
Generate:Source code
Test cases
Perform unit tests and functional tests
Perform vulnerability analysis on code
Documentation and common program controls
Controls for editing data within the program
What types of logging the program does
How program versions should be stored
Tests and integrity checks
Acceptance
Ideally, an independent group develops test data and tests the code
Should simulate live environment for good tests
Ensure the application meets security requirements and specifications
Testing and Evaluation Controls
Test data should include:Data at the ends of acceptable ranges
Data beyond acceptable bounds
Various data points between acceptable range
Random data
Data validations review data before and after each test to ensure data has not been changed inadvertently
Bounds checking
Testing and Evaluation Controls
Never use production dataSanitize test data
Test all changes
Management should be informed and sign off on testing results
Transition to Production
Train new users
Implement the systemInstallation
Data conversions (if needed)
Parallel operations (to reduce disruption)
Revisions
Regular evaluation and audits
Should incorporate security planning to avoid future problems
Document failuresHelps to justify future enhancements
Maturity Models
CMMCapability Maturity Model
Framework to product higher quality software products
Continual optimization of processes
ISO 9000?
Operation and Maintenance
Monitor performance of the system
Detect defects and weaknesses
Verify changes don't impact existing functionality or circumvent security measures
Change Management
Track changes in software and systems to prevent unintended or unauthorized changes
Should be a formal cycle with planning, approval, testing, and documentation
Patch management
Should include testing and rollback features
Top Related