CISSP Module 01 Summary
It is All About Risk and What You Do About it.
The tiles that protect from the rain were laid on a sunny day — Chinese Proverb.
Let’s start week one of our CISSP prep journey and learn the information security principles and the importance of risk management.
The CIA (Confidentiality, Integrity, Availability) triad summarizes the goals of information security.
- Confidentiality: only authorized users can access the data.
- Integrity: only authorized modification is allowed.
- Availability: data and systems are accessible to authorized users when they need them.
Besides the CIA triad, other important principles come into play, such as:
- Non-repudiation: users cannot deny having performed an action.
- Authentication: verifying a claimed identity.
Be able to differentiate between confidentiality, integrity, and availability.
How about DDD?
The opposites of the CIA triad principles are Disclosure, Destruction, and Denial.
- Disclosure: data is revealed to unauthorized entities.
- Destruction: data is tampered with or deleted.
- Denial: data is made unavailable to authorized users.
Governing a company means defining how it should be managed; security governance is no different. It is the set of roles, responsibilities, policies, and procedures that frame how security decisions are made.
Security as a corporate function needs to support the business and help the organization meet its goals. It also takes part in decision-making and governance processes, for example to address the information-asset challenges raised by mergers, acquisitions, and divestitures.
Security roles and responsibilities
They are defined by the organization’s goals and environment. They vary from one company to another, but it is most common to have:
- Senior Management to drive the organization toward its goals and dictate the policies.
- Security Managers, Officers, or Directors (leaders) report to senior management, advise on security, draft the policies, and manage operations.
- Security Personnel perform security processes and activities. They report to the security managers.
- Security Administrators execute the procedures, implement, manage, and maintain security solutions. They report to security or IT managers.
- Users do not have security duties but are required to comply with the corporate policies and procedures and use systems and assets in a secure way.
Security control frameworks
They are implemented to put corporate security governance into practice. A framework is the blueprint that dictates the structure, design, and management of policies, procedures, and controls. Here are some of the best-known and most widely recognized security frameworks:
ISO (the International Organization for Standardization) publishes frameworks that are recognized worldwide; the best-known security standards from ISO are the ISO 27000 series:
- ISO 27001 for ISMS aka Information Security Management System, a policy-based framework to help you implement solid security governance. Organizations can be certified against ISO 27001, and individuals can be certified as ISO 27001 implementers or auditors.
- ISO 27002 for best practices and control selection.
RMF — Risk Management Framework or NIST SP 800–37 by NIST — National Institute of Standards and Technology. It defines the process for managing risk effectively, including the selection and implementation of the NIST SP 800–53 security and privacy controls.
ITIL — Information Technology Infrastructure Library by Axelos, is a set of best practices for ITSM — Information Technology Service Management, aimed at aligning IT with the business.
COBIT — Control Objectives for Information and Related Technologies by ISACA — Information Systems Audit and Control Association defines how IT and security functions should be managed and documented, and offers maturity levels to track each function.
CSA STAR — Security Trust and Assurance Registry by CSA — Cloud Security Alliance is a public registry of cloud service providers that have demonstrated compliance with the STAR requirements and standards, either through self-assessment or third-party certification.
SABSA — Sherwood Applied Business Security Architecture is a risk-based framework for developing security architecture and service management.
Due care and due diligence
Due Care is the reasonable level of care an organization owes to its customers and stakeholders: doing what a prudent organization would do, such as implementing and operating security controls.
Due Diligence is the research, planning, and ongoing verification (risk assessments, audits, reviews) that demonstrates due care is actually being exercised.
Risk Management Concepts
Risk is the likelihood that a threat exploits a vulnerability, combined with the resulting impact on the organization. It is evaluated against the value (monetary or relative) of the assets (tangible or not) identified during a Business Impact Analysis.
Threats are potential events or actors that could cause harm to the organization. Vulnerabilities are weaknesses that a threat could exploit to turn a risk into an actual loss.
Risk Assessment is the identification of the potential risks the organization faces (Exposure), their probability of occurrence (Likelihood), and the harm they could cause to the organization (Impact).
The risk assessment can be done subjectively (Qualitative) through brainstorming sessions and SWOT analysis, or objectively (Quantitative) using numerical methods that produce monetary figures (ALE = SLE x ARO).
- ALE — Annual Loss Expectancy: the estimated yearly loss attributable to a particular risk (ALE = SLE x ARO).
- SLE — Single Loss Expectancy: the expected loss from a single occurrence of the risk. SLE = Asset Value (AV) x Exposure Factor (EF), where EF is the fraction of the asset’s value lost in one occurrence.
- ARO — Annualized Rate of Occurrence: how many times the risk is expected to occur within a calendar year.
If a risk is expected to occur once every 5 years (ARO = 1/5 = 0.2) and a single occurrence causes a loss of SLE = $70,000, the annual loss expectancy for this risk is ALE = SLE x ARO = $70,000 x 0.2 = $14,000.
The response to a risk depends on the context, scenario, and organization. A risk can be accepted if the impact is tolerable, transferred (for example by buying insurance), avoided by stopping the risky activity where possible, or mitigated through security controls and response and recovery capabilities.
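As an added example (not part of the original notes), the following Python snippet implements the SLE and ALE formulas above, ranks a constructed set of risks by ALE, and extends the formulas with the cost/benefit check that usually justifies choosing "mitigate" over "accept" or "transfer": a control is worth deploying only when the ALE it removes exceeds its annual cost. The risk register and the control cost are constructed sample figures, and the function and class names are hypothetical ones chosen for this example.

```python
"""Quantitative risk assessment helpers (added example, not from the original notes).

Implements the formulas from the text:
    SLE = AV x EF
    ALE = SLE x ARO
and extends them with a safeguard cost/benefit check: a control is worth
buying only if (ALE before) - (ALE after) - (annual cost of the control) > 0.
All figures in SAMPLE_RISKS are constructed sample data, not real numbers.
"""
from dataclasses import dataclass


def aro_from_interval(years_between_events: float) -> float:
    """ARO for a risk expected once every N years (once in 5 years -> 0.2)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; EF is the fraction (0..1) of the asset's value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


@dataclass
class Risk:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)


def rank_by_ale(risks):
    """Highest ALE first: the order in which treatment budget should be argued for."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a control.

    Positive -> mitigating with this control pays for itself.
    Negative -> the control costs more than the loss it prevents, so
    accepting or transferring (insurance) the risk is the better response.
    """
    return ale_before - ale_after - annual_cost


# Constructed sample register; the first entry reproduces the $14,000 example in the text.
SAMPLE_RISKS = [
    Risk("Warehouse flood", asset_value=350_000, exposure_factor=0.2, aro=aro_from_interval(5)),
    Risk("Ransomware on file server", asset_value=120_000, exposure_factor=0.5, aro=0.5),
    Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:28s} SLE=${r.sle:>10,.0f} ARO={r.aro:<5} ALE=${r.ale:>10,.0f}")
    # Hypothetical control: offline backups that cut the ransomware ARO from 0.5
    # to 0.1 for an assumed $10,000 per year.
    ransomware = SAMPLE_RISKS[1]
    ale_after = annualized_loss_expectancy(ransomware.sle, 0.1)
    print("backup control net annual value:", safeguard_value(ransomware.ale, ale_after, 10_000))
```

Running the block prints the register sorted by ALE, with the ransomware entry ($30,000) ahead of the flood ($14,000) and laptop theft ($12,000); the flood line reproduces the text’s own calculation. The safeguard_value check is the quantitative form of the mitigate/accept/transfer decision: a control that removes $24,000 of ALE for $10,000 a year nets $14,000, while one costing $30,000 a year would be rejected.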
To help manage and respond to risks, companies use risk frameworks such as ISO 31000 and COSO (Committee of Sponsoring Organizations) for enterprise risk management, and ISO 27005, ISACA’s Risk IT, and NIST RMF for IT risk.
The same principles also apply to the supply chain: suppliers, vendors, contractors, and customers can be assessed through ISO-certified auditors, the CSA STAR registry, or SOC audit reports.
Threat modeling is an analysis process that identifies how a threat could be realized against a system or asset, and what the consequences would be.
It requires looking at assets from a threat actor’s (attacker’s) point of view.
The goal of threat modeling is to address the discovered weaknesses and make sure they are not exploitable.
Performing threat modeling at the early stages of software development helps create secure-by-design products and reduces development cost, since a design flaw is far cheaper to fix before code is written. An example of a threat modeling methodology is Microsoft’s threat classification system STRIDE, whose letters stand for:
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
Security Controls are the countermeasures that mitigate risks. They can take the form of a tool, a mechanism, or a process, and belong to one or more of the following types according to how they are implemented:
- Physical Security Control: implemented using a tangible component (locks, fences, guards).
- Technical/Logical Security Control: controls are implemented using electronic systems.
- Administrative Security Control: controls are implemented using policies and procedures.
The security controls can also be classified by how they operate, their role, and function:
- Directive Security Control: it imposes a requirement or mandates a behavior (policies, signage).
- Deterrent Security Control: it discourages a would-be attacker, reducing the likelihood of an event (warning banners, visible cameras).
- Preventive Security Control: it blocks an event from occurring (firewalls, access controls).
- Compensating Security Control: it takes effect when the primary control fails or is not sufficient to mitigate the risk.
- Detective Security Control: it reveals and reports when an event occurs (logging, intrusion detection, audits).
- Corrective Security Control: it remedies an event after it has occurred and limits its damage (patching, restoring a file from backup).
- Recovery Security Control: it restores operations to their normal state after a major disruption (backups, disaster recovery sites).
The best way to protect an organization’s assets is a layered approach, or defense in depth: with multiple independent layers of controls, the failure of any single control does not lead directly to a compromise.
After implementing the security layers, it is crucial to monitor them to make sure all the controls are operating effectively, and to perform periodic security control assessments, vulnerability assessments, and penetration tests.
Security, Legal, and Compliance Requirements
Minimum requirements should be defined as security objectives to mitigate the risks related to each asset.
When a company uses 3rd party services, a service level agreement SLA must be established between both parties to guarantee an acceptable level of quality, performance, and security.
Compliance is adherence (important, and sometimes mandatory) to a directive that addresses a specific subject, such as risk, information security, or privacy.
One of the key business tools is the contract, or contractual mandate: an agreement that both parties enter into voluntarily. Laws and regulations ensure that both parties can be held to the contract’s requirements.
PCI DSS (Payment Card Industry Data Security Standard) is an example of a contractual requirement, imposed by the card brands through the issuing and acquiring banks on entities that store, process, or transmit cardholder data; it requires those entities to protect card and cardholder data.
Standards are publications grouping sets of techniques to achieve a specific goal. In the case of cybersecurity, it states how to achieve an acceptable security state in general, or how to secure specific systems or industries.
Standards can be set by courts (legal Standards), by organizations (Industry standards), or government bodies (Regulatory Standards).
Examples of standards are the NIST publications, ISO 27001, and ISO 27005; GDPR, SOX, HIPAA, APPI, GLBA, PIPEDA, and FISMA are laws and regulations that impose security and privacy obligations rather than standards in the strict sense.
Legal and Regulatory Issues
Let’s first talk about computer crimes before getting into legal restrictions. Cybercrimes include distributing malicious software (malware), gaining unauthorized access to a system or a network, extorting money in exchange for restoring access to data (ransomware), exfiltrating data, and so on.
Intangible assets, or IP (Intellectual Property), are also targets of cybercrime and require extra attention and protection. DRM (Digital Rights Management) systems help protect proprietary content by adding a layer of protection that restricts access and copying.
International trade restrictions limit the use or export of some technologies, such as encryption algorithms and mechanisms, for defense purposes, and restrict the flow of data across international borders (e.g. GDPR in the EU, and the EU-US Privacy Shield, which the Court of Justice of the EU invalidated in 2020).
The most common privacy terms are PII (Personally Identifiable Information such as name, tax ID, phone number, address), Data Subject (the person the PII identifies), Data Owner or Controller (the entity that collects PII and decides why and how it is processed), Data Processor (an entity that processes PII on behalf of the controller), and Data Custodian (the role that manages PII day to day).
Policies, Procedures, Standards, and Guidelines
- Policies are the written form of governance.
- Standards are specific instructions to follow in order to meet a defined goal.
- Procedures are detailed recurrent steps to perform a task.
- Guidelines are like standards but not mandatory.
A good example of policies and procedures is personnel security. It is critical to ensure that employees are trustworthy. This can be done through:
- Candidate screening and hiring (Job description, references, employment history, background check, and financial profile)
- Employment agreements and policies (handbooks, contracts, and NDAs.)
- Onboarding process (contract terms, job description, training, NDA)
- Termination process (lock accounts, recover assets, interview, NDA)
- Vendor, Consultant and Contractors Agreements (escort, distinct accounts, and identification, NDA)
Training and Awareness
Humans are often the weakest security layer and one of the highest risks organizations face, which is why phishing remains one of the most common initial attack vectors used by threat actors.
The most effective human-centric measure to mitigate this risk is a solid, ongoing, and automated training and awareness program that targets the most at-risk users more often, based on their observed behavior (for example, who clicked on a simulated phishing email).
It can be delivered through education (formal classes by accredited institutions), training (semi-formal, by vendors or subject matter experts), or awareness (informal and unscheduled).
Business continuity and disaster recovery are crucial for an organization’s longevity. Business Continuity (BC) is the process of building systems and plans that keep business-critical functions operational during an incident; Disaster Recovery (DR) is the set of policies, tools, and procedures used to restore regular operations afterwards.
BC and DR rely on the value of the assets determined by the BIA (Business Impact Analysis) process, and on the scope defined by how long the organization can survive if a critical system goes down (MAD, Maximum Allowable Downtime), the target time to recover a system (RTO, Recovery Time Objective), and how much data can be lost, expressed as a time window (RPO, Recovery Point Objective). A system’s RTO must be shorter than its MAD, otherwise the plan cannot meet the business requirement.
Adherence to the ISC2 code of ethics is a condition of certification.