
CISSP Summary.pdf

Concepts (10)
CIA triad; its negative counterpart is DAD (disclosure, alteration, destruction).
- Confidentiality: prevent unauthorized disclosure; need to know and least privilege. Assurance that information is not disclosed to unauthorized programs, users or processes. Controls: encryption, logical and physical access control.
- Integrity: no unauthorized modifications; consistent data; protecting data or a resource from being altered in an unauthorized fashion.
- Availability: reliable and timely access WHEN NEEDED; fault tolerance and recovery procedures.
IAAA (the requirements for accountability)
- Identification: the user claims an identity; used for user access control.
- Authentication: testing the evidence of the user's identity.
- Authorization: rights and permissions granted.
- Accountability: tracing actions back to an individual person.
- Privacy: the level of confidentiality and privacy protection provided.
Risk (12)
- It is not possible to get rid of all risk; get risk down to an acceptable/tolerable level.
- Baselines: minimum standards.
- ISO 27005: risk management framework.
- Budget: if not constrained, go for the $$$ (the most complete safeguard).
Responsibilities of the ISO (15)
- Written products: ensure they are done.
- CIRT: implement and operate.
- Security awareness: provide leadership.
- Communicate risk to higher management; report to as high a level as possible.
- Security is everyone's responsibility.
Control Frameworks (17)
- Consistent: in approach and application.
- Measurable: a way to determine progress.
- Standardized: all the same.
- Comprehensive: examine everything.
- Modular: to help in review and adaptation; layered, abstraction.
Due Care
Means the company did all that it could reasonably have done to try to prevent a security breach/compromise/disaster, and took the necessary steps required as countermeasures/controls (safeguards). The benefit of due care can be seen as the difference between the damage with and without the due care safeguards in place.
AKA doing something about the threats. Failing to perform periodic security audits can result in the perception that due care is not being maintained.
Due Diligence
Means the company properly investigated all of its possible weaknesses and vulnerabilities. AKA understanding the threats.
Intellectual property laws (24)
- Patent: grants ownership of an invention and lets the owner exclude others from practicing the invention. After 20 years the invention enters the public domain and anyone may use it.
- Copyright: protects the expression of ideas, but not necessarily the idea itself (e.g. a poem or a song). Lasts for the life of the author plus 70 years.
- Trade secret: something proprietary to a company and important for its survival and profitability (like the formula for Coke or Pepsi). DON'T REGISTER; there is no application.
- Trademarks: words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald's M). Registered in 10-year terms.
Wassenaar Arrangement (WA): dual-use goods and trade; international agreement covering cryptography exports; aims to prevent destabilizing accumulations of arms and technology.
Computer Crimes: loss, image, penalties.
Regulations
SOX (Sarbanes-Oxley Act, 2002), passed after the Enron and WorldCom debacles. Requires independent review by external accountants.
- Section 302: the CEO and CFO must certify (sign) financial reports and can be sent to jail when the information they sign is incorrect. CEO SIGNS.
- Section 404: internal controls assessment; describes logical controls over accounting files; requires good auditing and information security.
Corporate Officer Liability (SOX): executives are now held liable if the organization they represent is not compliant with the law.
Negligence occurs if there is a failure to implement recommended precautions, no contingency/disaster recovery plan, a failure to conduct appropriate background checks, a failure to institute appropriate information security measures, or a failure to follow policy or local laws and regulations.
COSO: Committee of Sponsoring Organizations of the Treadway Commission; the internal-control framework used for Sarbanes-Oxley Section 404 compliance.
European laws
The need for information security here is to protect the individual. Privacy is the keyword! Only use information about individuals for the purpose it was gathered for. (Remember ITSEC, the European counterpart of the US TCSEC/Orange Book; both came together in the Common Criteria, though some overlap remains.)
European privacy directive highlights:
- Strong on anti-spam and legitimate marketing.
- Directs that public directories be subjected to tight controls.
- Takes an OPT-IN approach to unsolicited commercial electronic communications.
- Users may refuse to have cookies stored and must be provided with information about them.
- Member states in the EU can make their own laws, e.g. on retention of data.
COBIT: examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of high-level control objectives. Think: having controls, GRC, heavy auditing, metrics, regulated industries.
Data Breaches (27)
- Event: threat events are accidental and intentional exploitations of vulnerabilities.
- Incident: an event that has the potential to do harm.
- Breach: an incident that results in disclosure or potential disclosure of data.
- Data disclosure: unauthorized acquisition of personal information.
Laws (28)
- ITAR (1976): defense goods; Arms Export Control Act.
- FERPA: education records.
- GLBA (Gramm-Leach-Bliley): credit-related PII (21).
- ECS, Electronic Communication Service (Europe): notice of breaches.
- Fourth Amendment: the basis for privacy rights in the US Constitution.
- 1974 US Privacy Act: protection of PII held in federal databases.
- 1980 OECD (Organization for Economic Cooperation and Development) guidelines: provide for data collection, specifications and safeguards.
- 1986 (amended 1996) US Computer Fraud and Abuse Act: trafficking in computer passwords, or information that causes a loss of $1,000 or more or could impair medical treatment.
- 1986 Electronic Communications Privacy Act (ECPA): prohibits eavesdropping or interception without distinguishing private from public communications.
- 1994 Communications Assistance for Law Enforcement Act (CALEA): amended the ECPA. Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
- 1987 US Computer Security Act: security training, development of a security plan, and identification of sensitive systems in government agencies.
- 1991 US Federal Sentencing Guidelines: place responsibility on senior management, with fines up to $290 million; invoke the prudent man rule; address both individuals and organizations.
- 1996 US Economic and Protection of Proprietary Information Act (the Economic Espionage Act): industrial and corporate espionage.
- 1996 Health Insurance Portability and Accountability Act (HIPAA), since amended.
- 1996 US National Information Infrastructure Protection Act: encourages other countries to adopt a similar framework.
- 2009 Health Information Technology for Economic and Clinical Health Act (HITECH): Congress amended HIPAA by passing this Act, which updated many of HIPAA's privacy and security requirements. One change is the way the law treats business associates (BAs), organizations that handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements.
Risk Management (52)
GOAL: determine the impact of the threat and the risk of the threat occurring. The primary goal of risk management is to reduce risk to an acceptable level.
- Step 1: Prepare for the assessment (purpose, scope, etc.)
- Step 2: Conduct the assessment: identify threat sources and events; identify vulnerabilities and predisposing conditions; determine likelihood of occurrence; determine magnitude of impact; determine risk.
- Step 3: Communicate the risk/results.
- Step 4: Maintain the assessment (regularly).
Types of risk (audit terminology):
- Inherent: the chance of an error occurring with no controls in place.
- Control: the chance that the controls in place fail to prevent, detect or correct an error.
- Detection: the chance that the auditors won't find an error.
- Residual: the risk remaining after controls are in place.
- Business: concerns about the effects of unforeseen circumstances.
- Overall (aka audit risk): the combination of all of the above.
Preliminary Security Examination (PSE): helps gather the elements you will need when the actual risk analysis takes place.
ANALYSIS steps: identify assets, identify threats, calculate risk. ISO 27005 deals with risk.
Risk Assessment Steps (60): the four major steps are Prepare, Perform, Communicate, Maintain.
Qualitative (57): Approval, form team, analyze data, calculate risk, countermeasure recommendations. REMEMBER HYBRID (combining qualitative and quantitative)!
Ethics (33)
Just because something is legal doesn't make it right. Within the (ISC)² context: protecting information through CIA.
(ISC)² Code of Ethics Canons:
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Internet Architecture Board (IAB), "Ethics and the Internet" (RFC 1087): don't compromise the privacy of users.
Access to and use of the Internet is a privilege and should be treated as such. It is defined as unacceptable and unethical to, for example, gain unauthorized access to resources on the Internet, destroy integrity, waste resources or compromise privacy.
Business Continuity plan development (38)
- Defining the continuity strategy:
  - Computing strategy: preserve the elements of hardware, software, communication lines, data and applications.
  - Facilities: use of main buildings or any remote facilities.
  - People: operators, management, technical support persons.
  - Supplies and equipment: paper, forms, HVAC.
- Documenting the continuity strategy.
BIA (39)
Goal: create a document used to help understand what impact a disruptive event would have on the business.
- Gathering assessment material: org charts to determine functional relationships; examine business success factors.
- Vulnerability assessment: identify critical IT resources from the critical processes; identify disruption impacts and the Maximum Tolerable Downtime (MTD); loss is quantitative (revenue, expenses for repair) or qualitative (competitive edge, public embarrassment), presented as low, medium or high; develop recovery procedures.
- Analyze the compiled information: document the process; identify interdependencies; determine acceptable interruption periods.
- Documentation and recommendation.
Key output metrics: RTO, RPO and MTD (defined under Quantitative Risk Analysis below).
Quantitative Risk Analysis (58): quantitative VALUES!
- SLE (Single Loss Expectancy) = Asset Value (AV) × Exposure Factor (EF, the % of the asset lost in one event).
- ALE (Annual Loss Expectancy) = SLE × ARO (Annualized Rate of Occurrence).
- Loss = probability × cost.
- Once in 100 years = ARO of 0.01.
- SLE is the dollar value lost when an asset is successfully attacked.
- Exposure Factor ranges from 0 to 1 (0% to 100%).
- ALE is a dollar amount per year; it is NOT the annual percentage of the asset lost.
Risk handling options: Accept; Mitigate (reduce by implementing controls; calculate the costs); Assign (insure the risk to transfer it); Avoid (stop the business activity).
Residual risk: the risk that remains where the cost of applying extra countermeasures exceeds the estimated loss resulting from a threat or vulnerability (C > L). Legally, the remaining residual risk is not counted when deciding whether a company is liable.
Controls gap: the amount of risk that is reduced by implementing safeguards. Formula: total risk − controls gap = residual risk.
Recovery metrics:
- RTO (Recovery Time Objective): how quickly you need to have that application's information available after downtime has occurred.
- RPO (Recovery Point Objective): the point in time that application data must be recovered to in order to resume business functions; THE AMOUNT OF DATA YOU ARE WILLING TO LOSE.
- MTD (Maximum Tolerable Downtime): the maximum delay a business can be down and still remain viable. MTD minutes to hours: critical; 24 hours: urgent; 72 hours: important; 7 days: normal; 30 days: non-essential.
PLAN: Accept, build the risk team, review.
Determination of Impact (61): life, dollars, prestige, market share.
Risk Response (61)
- Risk avoidance: discontinue the activity because you don't want to accept the risk.
- Risk transfer: pass the risk on to another entity.
- Risk mitigation: eliminate or decrease the level of risk.
- Risk acceptance: live with it and pay the cost.
Background checks can be mitigation, acceptance or avoidance depending on how they are used.
Countermeasure selection criteria (63):
- Accountability
- Auditability
- Source trusted and known
- Cost-effectiveness
- Security: protection for the CIA of assets
- Other issues created?
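A worked cost/benefit calculation using the formulas above (SLE = AV × EF, ALE = SLE × ARO), written in Python as an added example; it is not part of the original summary. The ransomware scenario, the asset value, exposure factors, ARO figures and safeguard costs are constructed for illustration, and the safeguard value formula ALE(before) - ALE(after) - annual cost of the safeguard is the standard cost/benefit test used to decide between mitigating a risk and accepting or transferring it.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example, not from the original CISSP summary. All dollar figures,
exposure factors and ARO values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat scenario against one asset, in the summary's terms."""
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0..1.0
    aro: float              # ARO: expected events per year (once in 100 years = 0.01)

    def __post_init__(self) -> None:
        # EF is a proportion: anything outside 0..1 is an input error, not a bigger loss.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must lie between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in one successful event."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: a dollar figure per year, not a percentage."""
        return self.sle * self.aro


def safeguard_value(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """Cost/benefit of a safeguard: ALE(before) - ALE(after) - annual cost.

    Positive: the control saves more per year than it costs (mitigate).
    Negative: it is cheaper to accept or transfer (insure) the residual risk.
    """
    return before.ale - after.ale - annual_cost


def recommend(before: Exposure, after: Exposure, annual_cost: float) -> str:
    """Map the cost/benefit result onto the summary's risk responses."""
    return "mitigate" if safeguard_value(before, after, annual_cost) > 0 else "accept or transfer"


# Constructed scenario: ransomware against an order-processing server.
# Without controls: 40% of the asset lost per event, roughly one event every two years.
BASELINE = Exposure(asset_value=500_000, exposure_factor=0.40, aro=0.5)
# With offline backups plus endpoint detection: smaller loss per event, fewer successful events.
WITH_BACKUPS_EDR = Exposure(asset_value=500_000, exposure_factor=0.10, aro=0.25)

if __name__ == "__main__":
    print(f"SLE before: ${BASELINE.sle:,.0f}   ALE before: ${BASELINE.ale:,.0f}")
    print(f"SLE after:  ${WITH_BACKUPS_EDR.sle:,.0f}   ALE after:  ${WITH_BACKUPS_EDR.ale:,.0f}")
    for cost in (30_000, 95_000):  # two vendor quotes for the same safeguard
        value = safeguard_value(BASELINE, WITH_BACKUPS_EDR, cost)
        print(f"safeguard at ${cost:,}/yr: value ${value:,.0f} -> {recommend(BASELINE, WITH_BACKUPS_EDR, cost)}")
```

The same safeguard is worth implementing at $30,000 a year (it leaves $57,500 of annual benefit) and not at $95,000 a year, where the remaining $12,500 ALE is cheaper to accept or insure; the ARO of 0.5 and EF of 0.40 are the inputs an assessor has to defend, and the `__post_init__` checks catch the common mistake of entering EF as a percentage such as 40 instead of 0.40.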
Countermeasures (63), continued: also consider whether the countermeasure leaves residual data behind from its function.
Controls (68)
Primary control types (the cost of a control should be less than the value of the asset being protected):
- Administrative/Managerial (policy; also called soft measures)
  - Preventive: hiring policies, screening, security awareness.
  - Detective: screening behavior, job rotation, review of audit records.
- Technical (aka Logical)
  - Preventive: protocols, encryption, biometrics, smart cards, routers, firewalls.
  - Detective: IDS and automatically generated violation reports, audit logs, CCTV (CCTV is never preventive).
- Physical (Domain 5; things you can see and touch: fences, doors, locks, windows)
  - Preventive: fences, guards, locks.
  - Detective: motion detectors, thermal detectors, video cameras.
Prime objective: reduce the effects of security threats and vulnerabilities to a tolerable level.
Risk analysis: the process that analyses threat scenarios and produces a representation of the estimated potential loss.
Main Categories of Access Control (67)
- Directive: specify rules of behavior.
- Deterrent: discourage people; change my mind.
- Preventive: prevent an incident or breach.
- Compensating: substitute for the loss of primary controls.
- Detective: signal a warning; investigate.
- Corrective: mitigate damage; restore control.
- Recovery: restore to normal after an incident.
Control objectives by control type:
              Accuracy                      Security                             Consistency
Preventive    data checks, validity checks  labels, traffic padding, encryption  DBMS, data dictionary
Detective     cyclic redundancy checks      IDS, audit trails                    comparison tools
Corrective    checkpoints, backups          emergency response                   database controls
Functional order in which controls should be used:
Deterrence, Denial, Detection, Delay.
Penetration Testing (77)
Testing a network's defenses by using the same techniques as external intruders.
- Scanning and probing: port scanners.
- Demon dialing: war dialing for modems.
- Sniffing: capturing data packets.
- Dumpster diving: searching paper disposal areas.
- Social engineering: the most common; get information simply by asking.
Teams and knowledge levels:
- Blue team: has knowledge of the organization; can be done frequently and is the least expensive.
- Red team: external and stealthy.
- White box: the ethical hacker knows what to look for and sees the code as a developer would.
- Grey box: partial knowledge of the system; sees the code, acts as a user.
- Black box: the ethical hacker does not know what to find.
Four stages: planning, discovery, attack, reporting.
Vulnerabilities exploited: kernel flaws, buffer overflows, symbolic links, file descriptor attacks.
Other model: footprint the network (information gathering), port scans, vulnerability mapping, exploitation, report. Scanning tools are used in penetration tests.
Flaw hypothesis methodology = operating system penetration testing.
Egregious hole: tell them now!
Strategies: external, internal, blind, double-blind. Categories: zero-, partial- and full-knowledge tests.
Pen Test Methodology (79): Recon/discovery, Enumeration, Vulnerability analysis, Execution/exploitation, Document findings/reporting. SPELL OUT AND DEFINE each step!
Control Assessment (76): look at your posture.
Deming Cycle (83)
- Plan: identify the opportunity and plan for change.
- Do: implement the change on a small scale.
- Check: use data to analyze the results of the change.
- Act: if the change was successful, implement it on a wider scale; if it failed, begin the cycle again.
Terms
- Wire tapping: eavesdropping on communication; only legal with prior consent or a warrant.
- Data diddling: modifying information, programs or documents to commit fraud; tampers with INPUT data.
- Privacy laws: data must be collected fairly and lawfully and used only for the purpose for which it was collected.
- Watering hole: compromise a website the target group is known to visit so that its visitors are attacked. (Registering many look-alike domain names is typosquatting, a different technique.)
- Work function (factor): the difficulty of obtaining the cleartext from the ciphertext, measured in cost/time.
- Fair cryptosystems: in this escrow approach, the secret keys used in a communication are divided into two or more pieces, each given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.
- SLA: agreement between an IT service provider and a customer documenting service levels, including the "divorce" clause: how to dissolve the relationship.
- SLR (Service Level Requirements): the requirements for a service from the client's viewpoint.
- Service level report: insight into a service provider's ability to deliver the agreed-upon service quality.
Legislative drivers: FISMA (federal agencies). Phase 1: categorizing, selecting minimum controls, assessment. Phase 2: create a national network of secure services to assess.
Identification of Threat (86): personnel security. Individuals must be qualified with the appropriate level of training.
- Develop job descriptions.
- Contact references.
- Screen/investigate background.
- Develop confidentiality agreements.
- Determine the policy on vendor, contractor, consultant and temporary staff access.
This is DUE DILIGENCE.
Software Licenses (91)
- Public domain: available for anyone to use.
- Open source: the source code is made available under a license in which the copyright holder provides the rights to study, change and distribute the software to anyone.
- Freeware: proprietary software that is available for use at no monetary cost.
  It may be used without payment but usually may not be modified, redistributed or reverse-engineered without the author's permission.
Assurance (92): the degree of confidence that the security requirements are satisfied. Assurance is another word for security confidence; THINK OUTSIDE AUDIT.
Successful Requirements Gathering (92)
- Don't assume what the client wants.
- Involve users early.
- Define and agree on scope.
- MORE.
Security Awareness (96)
Technical training teaches security and network personnel how to react to situations and apply best practices. Employees need to understand the policies; then use presentations, posters etc. to make them aware. Formal security awareness training gives exact preparation on how to do things.
Information classification (110)
Categorization: the process of determining the impact that loss of CIA of information would have on an organization; it identifies the value of the data to the organization. Not all data has the same value; classification demonstrates the business's commitment to security and identifies which information is most sensitive and vital.
Criteria: value, age, useful life, personal association.
Levels, government/military (lowest to highest):
- Unclassified (also FOUO, For Official Use Only)
- Sensitive but unclassified
- Confidential (disclosure causes some damage)
- Secret (serious damage)
- Top Secret (grave damage)
Country-specific restrictions can be added, e.g. NZAUS SECRET for New Zealand, Australia and the US.
Private sector (113):
- Public: may be used by the public or employees.
- Company Confidential: may be viewed by all employees but not for general use.
- Company Restricted: restricted to a subset of employees.
- Private: e.g. SSN, credit card information; disclosure could cause damage.
- Proprietary: trade secrets.
- Confidential: disclosure would cause exceptionally grave damage.
- Sensitive: internal business information.
Rough mapping to government levels: Top Secret ≈ Confidential/Proprietary; Secret ≈ Private; Confidential ≈ Sensitive.
Security policies, standards & guidelines (119)
Policies are the first and highest level of documentation. The very first is the Senior Management Statement of Policy, stating importance, support and commitment.
Policy types:
- Regulatory: required due to laws, regulations, compliance and specific industry standards!
- Advisory: not mandatory but strongly suggested.
- Informative: written to inform the reader.
Policy types by subject:
- Information policy: defines classifications, the level of access, and the methods used to store and transmit information.
- Security policy: authenticates and defines the technology used to control information access and distribution.
- System security policy: lists the hardware/software to be used and the steps to undertake to protect the infrastructure.
Standards specify the use of specific technologies in a uniform way. Guidelines are like standards but are not mandatory. Procedures are the detailed steps to perform a task. A baseline is the minimum level of security.
Security planning involves defining the security scope, assigning security management responsibilities and testing security measures for effectiveness. Strategic: 5 years. Tactical: shorter than strategic. Operational: day to day, short term.
Data Classification Policy (111) should answer:
- Does the data need to be encrypted?
- Who will have access to the data?
- How is the data to be secured?
- How long is the data to be retained?
- What method(s) should be used to dispose of the data?
- What is the appropriate use of the data?
Proper asset management REQUIRES (113): 1. Inventory management (all things). 2. Configuration management (including patching).
IT Asset Management (ITAM) (114): full life-cycle management of IT assets. The CMDB holds the relationships between system components: incidents, problems, known errors, changes and releases. Single repository; organizationally aligned; scalable.
US-EU (and Swiss) Safe Harbor (124)
Built on the EU Data Protection Directive (to be replaced in 2018 by the General Data Protection Regulation, GDPR). Bridges the differences in approach and provides a streamlined means for U.S. organizations to comply with the European Commission's data protection requirements.
Strengthening individuals' rights; the Directive on Data Protection requires that data is:
- Obtained fairly and lawfully.
- Used only for the original purpose.
- Adequate, relevant, and not excessive to the purpose.
- Accurate and up to date.
- Accessible to the subject.
- Kept secure.
- Destroyed after the purpose is complete.
Safe Harbor's seven tenets:
- Notice: data subjects should be given notice when their data is being collected.
- Choice: data should not be disclosed without the data subject's consent.
- Onward Transfer: data may only be passed on to third parties that themselves follow the notice and choice principles.
- Security: collected data should be kept secure from any potential abuse.
- Data Integrity: data should be reliable and used only for the stated purpose.
- Access: data subjects should be allowed to access their data and correct any inaccurate data.
- Enforcement: accountability; data subjects should have a method available to hold data collectors accountable for not following the above principles.
NOT REASON and NOT RETENTION TIME: those are not among the seven tenets.
Roles under Safe Harbor: the US organization is the Data Processor when it classifies and handles the data; the EU company is the Business/Mission Owner; the US organization would also be the Data Administrator. Data processors have the responsibility to protect the privacy of the data.
- The Department of Commerce holds the list of participants.
- Data can be transferred to non-Safe Harbor entities with permission.
- The FTC oversees the compliance framework for organizations wishing to use the personal data of EU citizens.
- Participants self-certify, but the Department of Transportation or the FTC can enforce.
- The Gramm-Leach-Bliley Act delayed its application to the financial markets.
Roles and responsibilities
- Senior Manager: ultimate responsibility.
- Information Security Officer: functional responsibility; ensures that policies etc. are written by the appropriate
  unit; implements and operates CIRTs; provides leadership for security awareness; communicates risk to senior management; stays abreast of current threats and technology.
- Security Analyst: strategic; develops policies and guidelines.
Data Ownership (128)
Data life cycle: creation, use, destruction (subservient to the security policy).
Data/Information Owner:
- Ultimate organizational responsibility for the data.
- Categorizes systems and data; determines the level of classification.
- Ensures the required controls are selected for each classification.
- Selects baseline security standards.
- Determines the impact the information has on the organization.
- Understands the replacement cost (if replaceable).
- Determines who needs the information and the circumstances for release.
- Determines when the information should be destroyed.
- Responsible for the asset; reviews and changes the classification.
- Can delegate responsibility to the data custodian.
- Authorizes user privileges.
Data Custodian Responsibilities (129):
- Day-to-day tasks; grants permissions to users in DAC.
- Adheres to the data policy and data ownership guidelines.
- Ensures accessibility; maintains and monitors security.
- Dataset maintenance and archiving.
- Documentation, including updates.
- QA, validation and audits.
- Runs regular backups/restores and validates them.
- Ensures data integrity and security (CIA).
- Maintains records in accordance with classification.
- Applies user authorizations; implements security controls.
System Owners: select security controls.
Administrators: assign permissions to access and handle data.
End-user: uses the information as part of their job; follows the instructions in policies and guidelines; exercises due care (e.g. a clean desk to prevent open viewing); uses corporate resources for corporate use.
Auditor: examines the security controls.
QC & QA (131)
- QC: assessment of quality based on internal standards.
- QA: assessment of quality based on standards external to the process; involves reviewing the activities and the quality control processes.
Benefits of Data Standards (134): increased data sharing.
Considerations (134): borders; encryption.
Data Modeling (135): granularity is the smallest unit of information the DB will hold. When do we replace? Then think about the next one. CRITICAL = AVAILABILITY.
Data Remanence (140)
The residual physical representation of data that has in some way been erased. In the cloud, PaaS deals with it best.
- Remanence: residual data left on media after erase attempts.
- Removing unwanted remnant data from magnetic tapes: physical destruction, degaussing, overwriting. NOT reformatting.
- Sanitizing: a series of processes that removes data and ensures it is unrecoverable by any means. Used when a computer is removed from service and disposed of; all storage media is removed or destroyed.
- Degaussing: AC erasure (alternating magnetic fields) or DC erasure (unidirectional magnetic field or permanent magnet); can erase tapes.
- Erasing: deletion of files or media; only removes the link to the file, so it is the least effective.
- Overwriting/wiping/shredding: overwrites with a pattern; may miss areas.
- Zero fill: wipe a drive and fill it with zeros.
- Clearing: preparing media for reuse at the same level. Removal of sensitive data from storage devices in such a way that the data may not be reconstructed using normal system functions or utilities; it may still be recoverable with special lab equipment. The data is just overwritten.
- Purging: more intense than clearing; the media can then be reused in lower-classified systems. Removal of sensitive data with the intent that the data cannot be reconstructed by any known technique.
- Destruction: incineration, crushing, shredding and disintegration are forms of this.
Encrypting data is a good way to secure files sent over the internet.
SSD Data Destruction (142)
- NIST says to "disintegrate".
- SSDs cannot be degaussed; spare sectors, bad sectors and wear-leveling space may hide non-addressable data, so encryption is the solution.
- Crypto-erase: erase the encryption key so the data becomes unreadable. Options: crypto-erase, sanitization, targeted overwrite (best).
- Buy high-quality media: the value of the data exceeds the cost of the media.
- Sanitization is business as usual; destruction is not, for cost reasons.
- Reuse: downgrading equipment for reuse will probably be more expensive than buying new.
Metadata helps label data and prevent loss before it leaves the organization. Data mart: metadata is stored in a more secure container.
Baselines (154)
Select a baseline based on the classification of the data stored/handled:
- Which parts of the enterprise can be protected by the same baseline?
- Should the baseline be applied throughout the whole enterprise?
- At what security level should the baseline aim?
- How will the controls be determined?
A baseline is a starting point that can be tailored to an organization as a minimum security standard: common security configurations. Use Group Policies to check and enforce compliance.
Scoping and Tailoring (157)
Narrows the focus of the architecture to ensure that the appropriate risks are identified and addressed.
- Scoping: reviewing the baseline security controls and selecting only those controls that apply to the IT system you're trying to protect.
- Tailoring: modifying the list of security controls within a baseline so that they align with the mission of the organization.
- Supplementation: adding assessment procedures or assessment details to adequately meet the risk management needs of the organization.
Link vs. End-to-End Encryption (174)
- Link encryption: usually point to point; EVERYTHING is encrypted, headers included ("black pipe, black oil, black ping-pong balls"); normally done by service providers, and the traffic is decrypted at each hop.
- End-to-end encryption: you can see ALL BUT THE PAYLOAD (headers stay visible for routing); normally done by users.
- YOU CAN LAYER THESE ENCRYPTION TYPES.
Email is not secured unless encrypted. Netscape invented SSL; SSLv3 is still seen but is deprecated; for the exam, use TLS 1.2. PGP (open-source implementation: GnuPG/GPG) does not rely on a central CA; S/MIME is the other standard for secure email.
Nice to Know
- Classifying costs: costs are not a factor in classifying data, but they are in choosing controls.
- FTP and Telnet are unencrypted! SFTP and SSH encrypt the data and the credentials used to log in.
- Record retention policies: how long data is retained and maintained.
- Removable media: use strong encryption, like AES-256, to ensure that loss of the media does not result in a data breach.
- Personnel retention: deals with the knowledge employees gain while employed.
- Record retention: retaining and maintaining information for as long as it is needed.
- Label data to make sure it is identifiable by its classification level. Some organizations label all media that contains data to prevent reuse of Public media for sensitive data.
- Data in RAM is data in use.
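The difference between erasing (removing the link), clearing (overwriting) and crypto-erase from the Data Remanence and SSD Data Destruction notes above, as an added Python simulation that is not part of the original summary. The in-memory block device (`SimDisk`, `EncryptedDisk`), the HR record and the "lab recovery" scan are constructed for illustration; the per-block keystream derived with HMAC-SHA256 stands in for a real full-disk cipher such as AES-XTS and is there only to show why destroying the key makes the media unreadable while the ciphertext stays on it.

```python
"""Erase vs. clear vs. crypto-erase on a simulated block device.

Added example, not from the original CISSP summary. SimDisk is a hypothetical
in-memory disk; block_keystream() is an HMAC-SHA256 counter keystream used only to
illustrate crypto-erase (real drives use AES-XTS or similar).
"""
import hashlib
import hmac
import os

BLOCK = 32      # bytes per disk block (constructed, small for illustration)
NBLOCKS = 32    # 1 KiB of "media"


class SimDisk:
    """Raw media plus a directory of name -> (first block, length in bytes)."""

    def __init__(self) -> None:
        self.media = bytearray(BLOCK * NBLOCKS)
        self.dir = {}
        self.next_free = 0

    def write(self, name: str, data: bytes) -> None:
        nblk = -(-len(data) // BLOCK)            # ceiling division
        if self.next_free + nblk > NBLOCKS:
            raise OSError("disk full")
        off = self.next_free * BLOCK
        self.media[off:off + len(data)] = data
        self.dir[name] = (self.next_free, len(data))
        self.next_free += nblk

    def read(self, name: str) -> bytes:
        start, n = self.dir[name]
        return bytes(self.media[start * BLOCK:start * BLOCK + n])

    def erase(self, name: str) -> None:
        """'Erasing': only the directory link goes; the blocks keep their content."""
        del self.dir[name]

    def clear(self, name: str, pattern: bytes = b"\x00") -> None:
        """'Clearing': overwrite every block of the file with a pattern, then unlink."""
        start, n = self.dir[name]
        nbytes = -(-n // BLOCK) * BLOCK
        off = start * BLOCK
        self.media[off:off + nbytes] = (pattern * nbytes)[:nbytes]
        del self.dir[name]

    def raw_scan(self, needle: bytes) -> bool:
        """Lab-style recovery: search the raw media and ignore the directory."""
        return needle in self.media


def block_keystream(key: bytes, block_no: int) -> bytes:
    """One 32-byte keystream block per disk block, keyed by block number (a sector tweak)."""
    return hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()


class EncryptedDisk(SimDisk):
    """Same media, but every block is XORed with keystream from a data-encryption key."""

    def __init__(self) -> None:
        super().__init__()
        self.key = os.urandom(32)   # data-encryption key; crypto-erase destroys it

    def _xform(self, first_block: int, data: bytes) -> bytes:
        out = bytearray()
        for i in range(0, len(data), BLOCK):
            ks = block_keystream(self.key, first_block + i // BLOCK)
            out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
        return bytes(out)

    def write(self, name: str, data: bytes) -> None:
        super().write(name, self._xform(self.next_free, data))   # encrypt before it hits media

    def read(self, name: str) -> bytes:
        if self.key is None:
            raise PermissionError("data-encryption key destroyed: media is crypto-erased")
        start, _ = self.dir[name]
        return self._xform(start, super().read(name))

    def crypto_erase(self) -> None:
        """Destroy the key; the ciphertext stays on the media but can no longer be decrypted."""
        self.key = None


SECRET = b"employee=jdoe ssn=123-45-6789 card=4111111111111111"   # constructed sample record
MARKER = b"4111111111111111"                                      # what a recovery scan looks for


def demo() -> dict:
    """Apply each method and report whether a raw-media scan still finds the plaintext."""
    results = {}
    d = SimDisk()
    d.write("hr.txt", SECRET)
    d.erase("hr.txt")
    results["erase_recoverable"] = d.raw_scan(MARKER)          # True: data still on media
    d = SimDisk()
    d.write("hr.txt", SECRET)
    d.clear("hr.txt")
    results["clear_recoverable"] = d.raw_scan(MARKER)          # False: blocks overwritten
    e = EncryptedDisk()
    e.write("hr.txt", SECRET)
    results["encrypted_plaintext_on_media"] = e.raw_scan(MARKER)   # False: only ciphertext
    results["readable_with_key"] = e.read("hr.txt") == SECRET      # True
    e.crypto_erase()
    try:
        e.read("hr.txt")
        results["readable_after_crypto_erase"] = True
    except PermissionError:
        results["readable_after_crypto_erase"] = False             # False: key is gone
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The scan after `erase()` is the point of the notes: the directory entry is gone but the record is still on the media, which is what "removes the link to the file" means. `clear()` defeats the scan but, on a real SSD, would not reach spare or remapped sectors, which is why the notes say encryption is the solution there: with `EncryptedDisk` the plaintext never reaches the media, and `crypto_erase()` sanitizes every block at once, including any the controller hid.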
CIS (Center for Internet Security): publishes benchmarks listing security controls for operating systems, mobile devices, servers and network devices.
Standards Selection (158-185)
NIST (National Institute of Standards and Technology) SP 800 series: addresses computer security in a variety of areas.
- SP 800-14: Generally Accepted Principles and Practices for securing information technology systems.
- SP 800-18: how to develop security plans.
- SP 800-27: Engineering Principles for IT Security; a baseline for achieving security; 33 IT security principles across the five life-cycle planning phases (defined in 800-14): Initiation, Development/Acquisition, Implementation, Operation/Maintenance, Disposal.
- SP 800-88: guidelines for media sanitization and disposition; prevents data remanence.
- SP 800-122: defines PII as any information that can be used to trace a person's identity, such as SSN, name, date of birth, place of birth, mother's maiden name.
- SP 800-137: how to build/implement an information security continuous monitoring program: define, establish, implement, analyze and report.
- SP 800-145: definition of cloud computing.
FIPS (Federal Information Processing Standards): the official series of publications relating to standards and guidelines adopted under FISMA, the Federal Information Security Management Act of 2002.
- FIPS 199: standards for categorizing information and information systems.
- FIPS 200: minimum security requirements for federal information and information systems.
DoD 8510.01: establishes DIACAP.
ISO 15288: the international systems engineering standard covering processes and life-cycle stages. Process groups: Agreement, Organizational project-enabling, Technical management, Technical.
Nice to Know
- CalOPPA, the California Online Privacy Protection Act: operators of commercial websites must post a privacy policy if they collect personal information on California residents. (Not to be confused with COPPA, the federal Children's Online Privacy Protection Act.)
- Curie temperature: the critical point where a material's intrinsic magnetic alignment changes direction; relevant to degaussing.
- DAR, data at rest: inactive data that is physically stored (not in RAM). The biggest threat is a data breach; full-disk encryption protects it (Microsoft BitLocker and Microsoft EFS, which use AES, are examples).
- DLP (Data Loss/Leakage Prevention): uses labels to determine the appropriate control to apply to data. It won't modify labels in real time.
- ECM (Enterprise Content Management): centrally managed and controlled content.
- Non-disclosure agreement: a legal agreement that prevents employees from sharing proprietary information.
- PCI DSS (Payment Card Industry Data Security Standard), maintained by the PCI Security Standards Council: provides a set of security controls/standards for credit card data.
- Watermark: embedded data that helps identify the owner of a file; digitally labels data and can be used to indicate ownership.
Systems Engineering & Modeling (194)
Common Criteria ISO 15408 – structured methodology for documenting security requirements, documenting and validating. A SECURITY PRODUCT MAY BE CERTIFIED. Defines a protection profile that specifies the security requirements and protections of a product that is to be evaluated. Organized around TCB entities.
Evaluation Assurance Levels (EAL)
- EAL0 – Inadequate assurance
- EAL1 – Functionally tested
- EAL2 – Structurally tested
- EAL3 – Methodically tested and checked
- EAL4 – Methodically designed, tested and reviewed
- EAL5 – Semi-formally designed and tested
- EAL6 – Semi-formally verified design and tested
- EAL7 – Formally verified design and tested
Common Criteria terms:
- Target of Evaluation (TOE): the product
- Protection Profile (PP): set of security requirements for a category of products that meet specific consumer security needs
- Security Target (ST): identifies the security properties of the TOE
- Security Functional Requirements (SFRs): specific individual security functions

Engineering Principles for IT Security (194) – NIST SP 800-27
- Initiation; need expressed, purpose documented, impact assessment
- Development/Acquisition; system designed, purchased, programmed, developed or constructed
- Implementation; system tested and installed, certification and accreditation
- Operation/Maintenance; performs function, security operations, audits
- Disposal; disposition of information, HW and SW
Physical controls are your first line of defense, and people are your last.

ISO/IEC 21827:2008 SSE-CMM (Maturity Model) (196)
BIGGEST JUMP IN MATURITY MODEL? 2 – 3, FROM REACTIVE TO PROACTIVE.

OS Kernel – loads & runs binary programs, schedules task swapping, allocates memory & tracks the physical location of files on the computer's hard disk, manages I/O requests from software, & translates them into instructions for the CPU.

Common System Components (198)
Primary Storage – a temporary storage area for data entering and leaving the CPU.
Random Access Memory (RAM) – a temporary holding place for data used by the operating system. It is volatile, meaning if it is turned off the data will be lost. Two types of RAM are dynamic and static. Dynamic RAM needs to be refreshed from time to time or the data will be lost. Static RAM does not need to be refreshed.
Read-Only Memory (ROM) – non-volatile, which means when a computer is turned off the data is not lost; for the most part ROM cannot be altered. ROM is sometimes referred to as firmware. Erasable and Programmable Read-Only Memory (EPROM) is non-volatile like ROM; however, EPROM can be altered.
Process states:
- Stopped; process finishes or must be terminated
- Waiting; the process is ready for continued execution but is waiting for a device or access request
- Running; executes on the CPU and keeps going until it finishes, its time slice expires, or it is blocked
- Ready; process prepared to execute when the CPU is ready
Multitasking – execute more than one task at the same time
Multiprocessing – more than one CPU is involved
Multi-threading – execute different parts of a program simultaneously
Single state machine – operates in the security environment at the highest level of classification of the information within the computer. In other words, all users on that system must have clearance to access the info on that system.
Multi-state machine – can offer several security levels without risk of compromising the system's integrity.
CISC – complex instructions. Many operations per instruction. Fewer fetches.
RISC – reduced instructions. Simpler operations per instruction. More fetches.

Software
- 1GL: machine language (used directly by a computer)
- 2GL: assembler
- 3GL: FORTRAN, BASIC, PL/1 and C++
- 4GL: Natural, FOCUS and SQL
- 5GL: Prolog, LISP; artificial intelligence languages based on logic

Memory Protection (200)
Segmentation – dividing a computer's memory into segments.
Protection Keying – numerical values; divides physical memory up into particular sized blocks, each of which has an associated numerical value called a protection key.
Paging – divides the memory address space into even-size blocks called pages, to emulate having more RAM than we have. SYSTEM KERNEL KNOWS THE LOCATION OF THE PAGE FILE.
DEP, Data Execution Prevention – a system-level memory protection feature that is built into the OS. DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools.

ITIL (208)
The ITIL Core includes five publications addressing the overall life cycle of systems. ITIL as a whole identifies best practices that an organization can adopt to increase overall availability, and the Service Transition publication addresses configuration management and change management processes.
- Service Strategy
- Service Design
- Service Transition
- Service Operations
- Continuous Service Improvement

Types of Security Models (210)
Defining allowed interactions between subjects (active parties) and objects (passive parties) at a particular moment in time.
State Machine Model – describes a system that is always secure no matter what state it is in. If all aspects of a state meet the requirements of the security policy, that state is considered secure. A transition occurs when accepting input or producing output. A transition always results in a new state (also called a state transition). A secure state machine model system always boots into a secure state, maintains a secure state across all transitions, and allows subjects to access resources only in a secure manner compliant with the security policy.
Information Flow Model – focuses on the flow of information. Information flow models are based on a state machine model. The Bell-LaPadula and Biba models are both information flow models. Information flow models don't necessarily deal with only the direction of information flow; they can also address the type of flow. Information flow models are designed to prevent unauthorized, insecure, or restricted information flow, often between different levels of security (these are often referred to as multilevel models). The information flow model also addresses covert channels by specifically excluding all non-defined flow pathways.
Noninterference Model – loosely based on the information flow model. However, instead of being concerned about the flow of information, the noninterference model is concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level. Basically, the actions of subject A (high) should not affect the actions of subject B (low) or even be noticed by subject B. The noninterference model can be imposed to provide a form of protection against damage caused by malicious programs such as Trojan horses.
Sutherland Model

Techniques for Ensuring CIA
Confinement – restricts the actions of a program. Simply put, process confinement allows a process to read from and write to only certain memory locations and resources. This is also known as sandboxing.
Bounds – the bounds of a process consist of limits set on the memory addresses and resources it can access. The bounds state the area within which a process is confined or contained.
Isolation – when a process is confined through enforcing access bounds, that process runs in isolation. Process isolation ensures that any behavior will affect only the memory and resources associated with the isolated process.
Models (211)
MATRIX
- Provides access rights to subjects for objects
- Access rights are read, write and execute
- Columns are ACLs
- Rows are capability lists
- Supports discretionary access control
BELL-LAPADULA = MAC; SUBJECTS/OBJECTS/CLEARANCES
- Confidentiality model developed by DOD, thus classification
- Cannot read up (simple security rule: read)
- Cannot write down (* property rule, AKA CONFINEMENT PROPERTY). Exception is a trusted subject.
- Uses an access matrix to specify discretionary access control
- Uses the need to know principle
- Strong star rule: read and write capabilities at the same level
- First mathematical model
- The tranquility principle in Bell-LaPadula prevents the security level of subjects from being changed once they are created
- Bell-LaPadula is concerned with preventing information flow from a high security level to a low security level.
BIBA – MAC ("if I is in it, INTEGRITY MODEL")
- Integrity model
- Cannot read down (simple integrity rule: read)
- Cannot write up (* integrity property)
- Lattice based (least upper bound, greatest lower bound, flow policy)
- A subject at one level of integrity can't invoke a subject at a higher level of integrity
- Biba is concerned with preventing information flow from a low security level to a high security level.

Models (211) (cont)
Graham-Denning – focused on the relationship between subjects and objects
TAKE-GRANT
- Uses a directed graph to specify the rights that subjects can transfer to objects or that subjects can take from other subjects
- Uses STATES and STATE TRANSITIONS
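Added example, not from this summary: the Bell-LaPadula and Biba rules above written as a small Python reference monitor on one shared lattice. Level names, subject and object names are constructed; BLP treats the order as clearance/classification, Biba treats the same order as integrity.

```python
# Added example, not from the CISSP summary: reference monitor enforcing the
# Bell-LaPadula (BLP) and Biba rules on a single linear lattice.
from dataclasses import dataclass

LATTICE = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "TOP": 3}   # constructed order


@dataclass(frozen=True)
class Subject:
    name: str
    level: str              # clearance (BLP) or integrity level (Biba)
    trusted: bool = False   # trusted subjects are exempt from the BLP * property


@dataclass(frozen=True)
class Obj:
    name: str
    level: str              # classification (BLP) or integrity level (Biba)


def _check_op(op: str) -> None:
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")


def blp_allows(s: Subject, o: Obj, op: str, strong_star: bool = False) -> bool:
    """BLP: no read up (simple security rule), no write down (* property).
    The strong * rule limits both read and write to the subject's own level.
    A trusted subject may write down (the exception noted in the summary)."""
    _check_op(op)
    sl, ol = LATTICE[s.level], LATTICE[o.level]
    if strong_star:
        return sl == ol
    return sl >= ol if op == "read" else (s.trusted or sl <= ol)


def biba_allows(s: Subject, o: Obj, op: str) -> bool:
    """Biba: no read down (simple integrity), no write up (* integrity)."""
    _check_op(op)
    sl, ol = LATTICE[s.level], LATTICE[o.level]
    return sl <= ol if op == "read" else sl >= ol


def biba_invoke_allows(caller: Subject, callee: Subject) -> bool:
    """Biba invocation property: no invoking a subject of higher integrity."""
    return LATTICE[caller.level] >= LATTICE[callee.level]


def both_allow(s: Subject, o: Obj, op: str) -> bool:
    """BLP and Biba on the SAME lattice: for an untrusted subject this collapses
    to same-level access only, so a combined model needs separate lattices."""
    return blp_allows(s, o, op) and biba_allows(s, o, op)
```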
Focus on protecting objects from external threat.
CLARK-WILSON integrity model
- Tamper-proof, logged, and consistent
- Enforces segregation of duty
- Requires auditing
- Commercial use
- Works with CDIs (Constrained Data Items), data items whose integrity is to be preserved
- Access to objects only through programs
- An integrity verification procedure (IVP) is a procedure that scans data items and confirms their integrity.
Information flow model – each object is assigned a security class and value, and information is constrained to flow in the directions that are permitted by the security policy; thus flow of information from one security level to another (Bell & Biba).
Brewer and Nash – the Chinese Wall model provides dynamic access control depending on the user's previous actions. This model prevents conflicts of interest by stopping members of the same organization from looking at information that creates a conflict for another member of that organization.
Lipner Model – confidentiality and integrity, BLP + Biba; 1st commercial model.
Composition Theories
Some other models that fall into the information flow category build on the notion of how inputs and outputs between multiple systems relate to one another, which follows how information flows between systems rather than within an individual system. These are called composition theories because they explain how outputs from one system relate to inputs to another system. There are three recognized types of composition theories:
- Cascading: input for one system comes from the output of another system.
- Feedback: one system provides input to another system, which reciprocates by reversing those roles (so that system A first provides input for system B and then system B provides input to system A).
- Hookup: one system sends input to another system but also sends input to external entities.
MAC – subjects are labelled as to their level of clearance. Objects are labelled as to their level of classification or sensitivity.
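Added example, not from this summary: the Brewer and Nash (Chinese Wall) rule above in Python, showing why the decision depends on the user's history rather than on a static label. The company names, conflict-of-interest classes and the simplified write rule are constructed for illustration.

```python
# Added example, not from the CISSP summary: a simplified Brewer-Nash
# (Chinese Wall) monitor. Access depends on what the user has read before.
from collections import defaultdict

# Constructed sample data: company datasets grouped into conflict-of-interest
# (COI) classes. Two banks conflict with each other, as do two oil companies.
COI_CLASS = {"BankA": "banks", "BankB": "banks", "OilX": "oil", "OilY": "oil"}


class ChineseWall:
    def __init__(self) -> None:
        # user -> set of companies whose data the user has already read
        self.history: dict[str, set[str]] = defaultdict(set)

    def can_read(self, user: str, company: str) -> bool:
        """Simple security rule: reading is allowed only if the user has never
        read data of a DIFFERENT company in the same COI class."""
        same_class = {c for c in self.history[user]
                      if COI_CLASS[c] == COI_CLASS[company]}
        return not same_class or same_class == {company}

    def read(self, user: str, company: str) -> bool:
        """Perform a read; a permitted read builds the wall for later requests."""
        if not self.can_read(user, company):
            return False
        self.history[user].add(company)
        return True

    def can_write(self, user: str, company: str) -> bool:
        """* property (simplified here): a write is allowed only if the user can
        read the target and has read no OTHER company's data, otherwise data
        read behind one wall could be copied into a dataset read by others."""
        return self.can_read(user, company) and self.history[user] <= {company}
```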
Subjects – Users (perform work tasks), Data Owners (protect data), and Data Custodians (classify and protect data)

ITSEC (216)
- refers to any system being evaluated as a target of evaluation (TOE).
- does not rely on the notion of a TCB, and it doesn't require that a system's security components be isolated within a TCB.
- includes coverage for maintaining targets of evaluation after changes occur without requiring a new formal evaluation.

Certification and Accreditation (216)
Certification – evaluation of security features and safeguards to determine whether they meet requirements. Certification is the comprehensive evaluation of the technical and nontechnical security features of an IT system and other safeguards made in support of the accreditation process to establish the extent to which a particular design and implementation meets a set of specified security requirements.
Accreditation – the formal declaration by the designated approving authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. Once accreditation is performed, management can formally accept the adequacy of the overall security performance of an evaluated system.
System accreditation – a major application or general support system is evaluated.
Site accreditation – the applications and systems at a specific, self-contained location are evaluated.
Type accreditation – an application or system that is distributed to a number of different locations is evaluated.

Product Evaluation Models (216)
Trusted Computer System Evaluation Criteria TCSEC (Orange Book): from the U.S. DoD, it evaluates operating systems, applications and systems. It doesn't touch the network part. It only addresses confidentiality!

ITSEC  TCSEC  Explanation
1      D      Minimal protection; any system that fails the higher levels
2      C1     DAC; (identification, authentication, resource protection)
3      C2     DAC; controlled access protection (object reuse, protected audit trail)
4      B1     MAC; (security labels) based on the Bell-LaPadula security model. Labeled security (process isolation, devices)
5      B2     MAC; structured protection (trusted path, covert channel analysis). Separate operator/admin roles. Configuration management
6      B3     MAC; security domain (trusted recovery, event monitoring and notification)
7      A      MAC; formal, verified protection

Operational assurance requirements for TCSEC are:
- System Architecture
- System Integrity
- Covert Channel analysis
- Trusted Facility Management
- Trusted recovery
Rainbow series: Red = trusted network, Orange = TCSEC evaluation, Brown = trusted facilities management, Tan = audit, Aqua = glossary, Green = password management.
Information Technology Security Evaluation Criteria ITSEC: used in Europe only, not the USA. Addresses CIA. Unlike TCSEC it evaluates functionality and assurance separately. Assurance from E0 to E6 (highest) and functionality from F1 to F10 (highest). Therefore a system can provide low assurance and high functionality or vice versa.