discussion 1 – Emerging threats and countermeasures
After this week's readings and your own research, describe and discuss ways, if any, we can safely share security data. Are there precautions we can take, technical solutions we can use, e.g., like using the CIA triad, or should we just not share these kinds of data? Feel free to argue for and against, just make sure to back up your statements with scholarly support.
Please make your initial post at least 500 to 600 words. Please use APA 7 format with in-text citations, and list all the references used in the paper in hanging indent format.
At least one scholarly source should be used in the initial discussion thread. Be sure to use information from your readings and other sources from the UC Library. Use proper citations and references in your post.
Chapter 1
Security Governance Through Principles and Policies
Understand and Apply Concepts of Confidentiality, Integrity, and Availability
CIA Triad
AAA Services
Protection Mechanisms
overview
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Sensitivity
Discretion
Criticality
Concealment
Secrecy
Privacy
Seclusion
Isolation
Integrity 1/3
Preventing unauthorized subjects from making modifications
Preventing authorized subjects from making unauthorized modifications
Maintaining the internal and external consistency of objects
Integrity 2/3
Accuracy: Being correct and precise
Truthfulness: Being a true reflection of reality
Authenticity: Being authentic or genuine
Validity: Being factually or logically sound
Nonrepudiation: Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
Integrity 3/3
Accountability: Being responsible or obligated for actions and results
Responsibility: Being in charge or having control over something or someone
Completeness: Having all needed and necessary components or parts
Comprehensiveness: Being complete in scope; the full inclusion of all needed elements
Availability
Usability: The state of being easy to use or learn or being able to be understood and controlled by a subject
Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
Timeliness: Being prompt, on time, within a reasonable time frame, or providing low latency response
AAA Services
Identification
Authentication
Authorization
Auditing
Accounting/Accountability
Protection Mechanisms
Layering/Defense in Depth
Abstraction
Data Hiding
Security through obscurity
Encryption
Evaluate and Apply Security Governance Principles
Alignment of Security Function
Security Management Plans
Organizational Processes
Change Control/Management
Data Classification
Organizational Roles and Responsibilities
Security Control Frameworks
Due Care and Due Diligence
overview
Alignment of Security Function
Alignment to Strategy, Goals, Mission, and Objectives
Security Policy
Based on business case
Top-Down Approach
Senior Management Approval
Security Management:
InfoSec team, CISO, CSP, ISO
Security Management Plans
Strategic
Tactical
Operational
Organizational Processes
Security governance
Acquisitions and divestitures risks:
Inappropriate information disclosure
Data loss
Downtime
Failure to achieve sufficient return on investment (ROI)
Change Control/Management 1/2
Implement changes in a monitored and orderly manner. Changes are always controlled.
A formalized testing process is included to verify that a change produces expected results.
All changes can be reversed (also known as backout or rollback plans/procedures).
Users are informed of changes before they occur to prevent loss of productivity.
Change Control/Management 2/2
The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.
The negative impact of changes on capabilities, functionality, and performance is minimized.
Changes are reviewed and approved by a change approval board (CAB).
Data Classification 1/2
Determines: effort, money, and resources
Government/military vs. commercial/private sector
Declassification
Data Classification 2/2
1. Identify the custodian, define responsibilities.
2. Specify the evaluation criteria.
3. Classify and label each resource.
4. Document any exceptions.
5. Select the security controls for each level.
6. Specify declassification and external transfer.
7. Create an enterprise-wide awareness program.
Organizational Roles and Responsibilities
Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
Security Control Frameworks
COBIT (see next slide)
Used to plan the IT security of an organization and as a guideline for auditors
Information Systems Audit and Control Association (ISACA)
Open Source Security Testing Methodology Manual (OSSTMM)
ISO/IEC 27001 and 27002
Information Technology Infrastructure Library (ITIL)
Control Objectives for Information and Related Technologies (COBIT)
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
Due Care and Due Diligence
Due care is using reasonable care to protect the interests of an organization.
Due diligence is practicing the activities that maintain the due care effort.
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
Security Policies
Security Standards, Baselines, and Guidelines
Security Procedures
overview
Security Policies
Defines the scope of security needed by the organization
Organizational, issue-specific, system-specific
Regulatory, advisory, informative
Security Standards, Baselines, and Guidelines
Standards define compulsory requirements
Baselines define a minimum level of security
Guidelines offer recommendations on how standards and baselines are implemented
Security Procedures
Standard operating procedure (SOP)
A detailed, step-by-step how-to
To ensure the integrity of business processes
Understand and Apply Threat Modeling Concepts and Methodologies
Threat Modeling
Identifying Threats
Threat Categorization Schemes
Determining and Diagramming Potential Attacks
Performing Reduction Analysis
Prioritization and Response
overview
Threat Modeling
Microsoft’s Security Development Lifecycle (SDL)
“Secure by Design, Secure by Default, Secure in Deployment and Communication”
(also known as SD3+C)
Proactive vs. reactive approach
Identifying Threats
Focused on Assets
Focused on Attackers
Focused on Software
Threat Categorization Schemes
STRIDE
Process for Attack Simulation and Threat Analysis (PASTA)
Trike
Visual, Agile, and Simple Threat (VAST)
STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
PASTA 1/2
Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling and Simulation (AMS)
Stage VII: Risk Analysis and Management (RAM)
PASTA 2/2
Determining and Diagramming Potential Attacks
Diagram the infrastructure
Identify data flow
Identify privilege boundaries
Identify attacks for each diagrammed element
Diagramming to Reveal Threat Concerns
Performing Reduction Analysis
Decomposing
Trust boundaries
Data flow paths
Input points
Privileged operations
Details about security stance and approach
Prioritization and Response
Probability × Damage Potential ranking
High/medium/low rating
DREAD system
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
Apply Risk-Based Management Concepts to the Supply Chain
Resilient integrated security
Cost of ownership
Outsourcing
Integrated security assessments
Monitoring and management
On-site assessment
Document exchange and review
Process/policy review
Third-party audit (AICPA SOC1 and SOC2)
Conclusion
Read the Exam Essentials
Review the Chapter
Perform the Written Labs
Answer the Review Questions
CISSP
Certified Information Systems Security Professional
Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana.
Used with permission.
CISSP Focus
CISSP focuses on security:
Design
Architecture
Theory
Concept
Planning
Managing
Topical Domains
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
Exam Topic Outline
www.isc2.org/Certifications/CISSP
Download the CISSP Exam Outline
Previously known as the Candidate Information Bulletin
Prequalifications
For taking the CISSP exam:
5 years full-time paid work experience
Or, 4 years experience with a recent college degree
Or, 4 years experience with an approved security certification, such as CAP, CISM, CISA, Security+, CCNA Security, MCSA, MCSE, and GIAC
Or, Associate of (ISC)² if you don’t yet have experience
Agree to (ISC)² Code of Ethics
CISSP Exam Overview
CISSP-CAT (Computerized Adaptive Testing)
Minimum 100 questions
Maximum 150 questions
25 unscored items mixed in
3 hours to take the exam
No score issues, just pass or fail
Must achieve “passing standard” for each domain within the last 75 questions seen
Exam Retakes
Take the exam a maximum of 3 times per 12-month period
Wait 30 days after your first attempt
Wait an additional 90 days after your second attempt
Wait an additional 180 days after your third attempt
You will need to pay full price for each additional exam attempt.
Question Types
Most questions are standard multiple choice with four answer options with a single correct answer
Some questions require you to select two, select three, or select all that apply
Some questions may be based on a provided scenario or situation
Advanced innovative questions may require drag-and-drop, hot-spot, or re-order tasks
Exam Advice
Work promptly, don’t waste time, keep an eye on your remaining time
It is not possible to return to a question.
Try to reduce/eliminate answer options before guessing
Pay attention to question format and how many answers are needed
Use the provided dry-erase board for notes
Updates and Changes
As updates, changes, and errata are needed for the book, they are posted online at:
www.wiley.com/go/cissp8e
Visit and write in the corrections to your book!
Exam Prep Recommendations
Read each chapter thoroughly
Research each practice question you get wrong
Complete the written labs
View the online flashcards
Use the 6 online bonus exams to test your knowledge across all of the domains
Consider using: (ISC)² CISSP Official Practice Tests, 2nd Edition (ISBN: 978-1-119-47592-7)
Completing Certification
Endorsement
A CISSP certified individual in good standing
Within 90 days of passing the exam
After CISSP, consider the post-CISSP Concentrations:
Information Systems Security Architecture Professional (ISSAP)
Information Systems Security Management Professional (ISSMP)
Information Systems Security Engineering Professional (ISSEP)
Book Organization 1/2
Security and Risk Management
Chapters 1-4
Asset Security
Chapter 5
Security Architecture and Engineering
Chapters 6-10
Communication and Network Security
Chapters 11-12
Book Organization 2/2
Identity and Access Management (IAM)
Chapters 13-14
Security Assessment and Testing
Chapter 15
Security Operations
Chapters 16-19
Software Development Security
Chapters 20-21
Study Guide Elements
Exam Essentials
Chapter Review Questions
Written Labs
Real-World Scenarios
Summaries
Additional Study Tools
www.wiley.com/go/cissptestprep
Electronic flashcards
Glossary in PDF
Bonus Practice Exams:
6x 150 question practice exams covering the full range of domain topics