1. Security Principles

Triad:

Confidentiality

Permitting authorized access to info/protecting it

A security professional’s obligation is to:

• Regulate access: Protect data, but allow to authorized individuals

PII: Personally Ident. Info: Any data about someone that could ID them PHI: Protected Health Info: Data regarding one's health Sensitivity: Importance of info; need to protect it because of this

Integrity

Info used in a way that is complete, accurate, consistent, useful

1. Info/Data: Data Integrity: Hasn't been altered in an unauthorized way

   • Storage protection: Processing/transit: No: errors, info loss, mods

   • Recorded, used, maintained to ensure completeness

2. Systems/Processes: Integrity: Maintenance of good configs/function

   • Awareness of current states/condition

   • Documenting/understanding states at certain points

   Baseline: Current state of info/if protected

   • Comparing baselines with states validates integrity

3. Org: Reliability dictated by laws/regulations

4. People & Actions

Availability

Access to systems and data when users need it

1. Timely, reliable access; Not 100% of the time; Downtimes exist

2. Meets requirements of business

Criticality: Degree orgs depend on info NIST SP 800-60 Vol. 1, Rev. 1

Authentication

Authentication

Process of verifying and proving people are who they say they are

Three common methods:

1. Something you know: Passwords/passphrases

2. Something you have: Tokens, memory or smart cards

Token: An object possessed to authenticate identity NISTIR 7711

3. Something you are: Biometrics, measurable characteristics

Biometrics: Bio characteristics: Fingerprints, hand geometry, voice, eyes

Methods of Authentication

Two types:

1. SFA: Single-Factor Authentication: One method of authentication

2. MFA: Multi-Factor Authentication: Two or more methods

   • Knowledge-based: Secret differentiates auth/unauth users

   • PIN: Personal ID Number: Created passwd/secret only you know

   • Vuln to SE, brute-force attacks

Non-Repudiation

Legal: A user can't falsely deny having done an action

• Example: Paying for an item/signing a receipt

• Capability to determine whether an action was done

• Example: Denial: Making purchases online/denying it

• Important all participants trust online transactions

Privacy

Right of individuals to control the distribution of their info

• Legislation/compliance with existing policy

• Laws define protection

  • GDPR

  • HIPAA

---

Risk Management

Risk

Risk: Measuring the extent an entity is threatened by a potential event:

1. Adverse impacts, likelihood of occurrence 

Infosec risk: Unauthorized access, use, disclosure, disruption, modification, destruction

Threat actors include:

• Insiders: deliberate, human error, gross incompetence

• Outsiders: Planned, opportunistic, discovering vulnerability

• Formal entities, nonpolitical: Business competitors, cybercriminals

• Formal entities, political: Terrorists, nation-states, hacktivists

• Intel & info gatherers: Any of above

Vocabulary

Threat Vector: The way a threat actor carries out objectives Vulnerability: Inherent weakness and flaws in systems Likelihood: Considers the probability of a vulnerability being exploited Impact: Measured harm expected from consequences of exposure

Risk Identification: Categorizing, estimating potential for disruption Risk Assessment: Estimating and prioritizing assets

Risk Treatment

Making decisions about the best actions regarding identified, prioritized risk

Avoidance

Attempting to eliminate risk entirely

1. Stopping operation for some; all activities exposed to a risk

2. May choose when potential impact is too high; great

Acceptance

Taking no action to reduce risk

1. Conducting business with the risk without action

2. Impact or likelihood is negligible, or benefit offsets it

Mitigation

Taking actions to prevent; reduce possibility of risk

1. Remediation, controls, policies, procedures, standards to minimize

2. Can't always mitigate, can implement safety measures

Transference

Passing risk to another party who will accept the impact

1. Analyze risk through qualitative/quantitative measure for cause

2. Risk matrixes help ID priority: Intersection of likelihood, impact

Tolerance

What risks are companies willing to take in respect of rewards?

• Low tolerance means more investment

Security Controls: Safeguards to CIA  

Physical

Hardware: Badge readers, building structures

1. Controlling, directing, people movement through equipment

2. Protection, control over entry, parking lots

3. Supported by technical controls in an overall system

Technical

Logical: Controls computers/networks directly implement

1. Can provide automated protection from misuse

2. Facilitates detection of violations; supports security requirements

3. Configuration settings/parameters stored as data, hardware

Administrative

Managerial: Guidelines aimed at people: Frameworks, constraints, standards for human behavior

Governance Elements/Processes

Procedures

Detailed steps to complete a task that supports dept/org policies

• Explicit, repeatable activities needed to accomplish specific task(s) 

Policies

Provides guidance to ensure org supports industry standards & regulations. Informed by law(s) and specify what to follow

• Broad range of issues/ideas: Not detailed: Establishes context

• Sets strategic direction/priorities

• Operating with policies/procedures that support regulations/widely accepted best practices

• Governance policy: Moderate/control decision-making for compliance

Standards

Frameworks that introduce policies/procedures in support of regulation

• ISO: Develops/publishes standards on tech

• NIST: National Institute of Standards/Tech: US

  • Publishes variety of standards in addition to infosec ones

    • Many requirements for gov agencies

• IETF: Internet Engineering Task Force: Standards in comm protocols

• IEEE: Institute of Electrical/Electronics Engineers:

  • Standards for telecom, engineers & similar

Regulations

Commonly laws. Typically carry financial penalties for noncompliance

• Can be imposed by gov at national/regional/local level

• HIPAA: Health Insurance Portability/Accountability Act: 1996:

  • Governs use of PHI in US

  • Violation carries fines/imprisonment for individuals/companies

  • GDPR: General Data Protection Regulation: EU: Control use of PII

ISC2 Code of Conduct

Certification is a privilege. Every ISC2 member is required to commit to fully support the ISC2 Code of Ethics

Code of Ethics Preamble

The safety/welfare of society/the common good, duty to principals, and each other, requires we adhere, to the highest ethical standards of behavior

Code of Ethics Canons

Members have a duty to the following four entities:

1. Protect society, common good, public trust/confidence, infrastructure

2. Act honorably, honestly, justly, responsibly, legally

3. Provide diligent/competent service

4. Advance and protect the profession