Untitled

The document discusses information security concepts including confidentiality, integrity and availability (CIA triad). It defines security, security objectives to ensure CIA and best practices like least privilege and separation of duties. Relationship between threats, risks and countermeasures are explained. The document also discusses security controls like management, operational and technical controls. Critical characteristics of information like availability, accuracy and authenticity are defined. Security professionals roles like CIO and CISO and how information security project teams are structured are summarized. Risk identification, assessment and control strategies like defense, transference and mitigation are outlined.

Uploaded by

LEE PEI YI YUKI

Chapter 0 (3-6) (14-16)

Information Security - (Confidentiality, Integrity, Availability)

- Protection of the confidentiality, integrity and availability (CIA) of information
assets, whether in storage, processing or transmission
- Achieved via the application of policy, education, training and awareness, and
technology

Security
- Quality or state of being secure and free from danger or harm
- Actions taken to make someone or something secure

Sequence followed when designing a security policy and deploying a security solution

Identification - Claiming an identity when accessing a secured system

Authentication - Proving that the claimed identity is valid

Authorization - Allows or denies access to specific resources for a given identity

Auditing - Records a log of the events and activities on the system

Accounting - Reviews the log files to hold subjects accountable for their actions

Nonrepudiation (undeniable) - Ensures that the subject of an activity or event cannot deny
that the event occurred
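
The sequence above, as an added worked example in Python (not code from the original notes or from any textbook): identification is the claimed username, authentication checks a salted PBKDF2 hash, authorization consults a per-identity permission set and refuses subjects that never authenticated, auditing records every decision, and accounting reads the log back per subject. The accounts alice, bob and mallory, their passwords and the permission names are constructed sample data.

```python
"""Added walk-through of identification -> authentication -> authorization ->
auditing -> accounting.  All accounts, passwords and permissions are constructed
sample data (assumption), not taken from any real system."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the store keeps salt + hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    permissions: frozenset  # the actions this identity is allowed to perform


@dataclass
class SecuredSystem:
    accounts: dict
    sessions: set = field(default_factory=set)     # identities that have proved who they are
    audit_log: list = field(default_factory=list)  # auditing: (subject, event, outcome)

    def authenticate(self, identity: str, password: str) -> bool:
        """Identification is the claimed `identity`; authentication proves it."""
        acct = self.accounts.get(identity)
        if acct is None:
            # Burn the same KDF cost for unknown users so timing does not reveal usernames.
            hash_password(password, b"\x00" * 16)
            self.audit_log.append((identity, "login", "FAIL"))
            return False
        ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        self.audit_log.append((identity, "login", "OK" if ok else "FAIL"))
        if ok:
            self.sessions.add(identity)
        return ok

    def authorize(self, identity: str, action: str) -> bool:
        """Authorization: allow or deny one action, and only for an authenticated subject."""
        if identity not in self.sessions:
            allowed = False  # sequence not followed (no proof of identity): deny
        else:
            allowed = action in self.accounts[identity].permissions
        self.audit_log.append((identity, action, "ALLOW" if allowed else "DENY"))
        return allowed

    def accounting(self, identity: str) -> list:
        """Accounting: review the audit log to hold one subject accountable."""
        return [(event, outcome) for who, event, outcome in self.audit_log if who == identity]


def build_system() -> SecuredSystem:
    """Two constructed accounts with different job functions (assumption)."""
    def make(password: str, perms) -> Account:
        salt = os.urandom(16)
        return Account(salt, hash_password(password, salt), frozenset(perms))
    return SecuredSystem({
        "alice": make("correct horse battery staple", {"read:payroll"}),
        "bob": make("hunter2", {"read:payroll", "approve:payroll"}),
    })


def demo() -> dict:
    """Run the sequence once; return each decision plus alice's accountability trail."""
    system = build_system()
    results = {
        "alice_login": system.authenticate("alice", "correct horse battery staple"),
        "bob_wrong_password": system.authenticate("bob", "hunter3"),
        "mallory_login": system.authenticate("mallory", "anything"),    # unknown identity
        "alice_read": system.authorize("alice", "read:payroll"),
        "alice_approve": system.authorize("alice", "approve:payroll"),  # beyond her permissions
        "mallory_read": system.authorize("mallory", "read:payroll"),    # never authenticated
    }
    results["alice_trail"] = system.accounting("alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Nonrepudiation is the one step not shown: an audit log the subject can dispute is not enough on its own, so the log entries (or the requests themselves) would have to be signed with a key that only that subject holds.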

8 Domains of CISSP CBK

Security and Risk Management
- General information security and risk management topics
- Coverage of the fundamental security principles of the CIA triad
- Coverage of all aspects of business continuity planning
→ information and requirements gathering
→ business impact analysis
→ recovery point objectives
- Risk management concepts, with the introduction of threat modeling and the
integration of risk management into the acquisition and management of hardware,
software, and service contracts

Key areas of knowledge


- Understand and apply concepts of the CIA
- Apply security governance principles
- Compliance
- Understand legal and regulatory issues in a global context
- Understand professional ethics
- Develop and implement documented security policies, standards,
procedures, and guidelines
- Understand business continuity requirements
- Contribute to personnel security policies
- Understand and apply risk management concepts
- Understand and apply threat modeling
- Establish and manage information security education, training, and
awareness

Chapter 1 (4-9) (15-17) (25) (58-61)


Security
- Quality or state of being secure and free from danger or harm
- Actions taken to make someone or something secure
- An organization should have multiple layers of security to protect:
- Operations
- Physical infrastructure
- People
- Functions
- Communications
- Information
- Protection of information and its critical elements, including
- The systems and hardware that use, store, and transmit that information
- Includes information security management, data security, and network security
- CIA triad: the core list of critical characteristics of information

Security Objectives
Confidentiality - Preserving authorized restrictions on information access and disclosure
- Protecting personal privacy and proprietary information

Integrity - Guarding against improper information modification or destruction
- Ensuring information non-repudiation and authenticity

Availability - Ensuring timely and reliable access to and use of information

Security Best Practices


Need-to-know - Users should only have access to the information or systems that
enable them to perform their assigned job functions

Least privilege - Users should only have the minimum access privileges that allow them
to perform their assigned work

Separation of duties - Separate the duties involving sensitive, valuable or critical
information among multiple people
- No single person should be able to complete the task alone
- No single person should approve his or her own work (double
confirmation by someone else)

Job rotation - To reduce the risk of collusion
- To ensure no single point of failure (no one person is the only one who can do a job)

Mandatory vacation - To allow auditors to review records while the person is away from the role
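
An added example (not from the notes) of three of these practices enforced in a two-person payment approval workflow in Python. Least privilege is the role-to-action table, need-to-know is the per-user project set, and separation of duties is the rule that neither the submitter nor an earlier approver may sign. The roles clerk, manager and auditor, the users carol, dave, erin, frank and gina, and the projects apollo and zeus are constructed sample data.

```python
"""Added example of least privilege, need-to-know and separation of duties in a
two-person approval workflow.  Roles, users, projects and amounts are constructed
sample data (assumption), not from any real organization."""
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an action would breach one of the best practices."""


# Least privilege: each role carries only the actions that job function needs.
ROLE_ACTIONS = {
    "clerk": frozenset({"submit"}),
    "manager": frozenset({"approve"}),
    "auditor": frozenset({"review"}),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    need_to_know: frozenset  # projects this person's job actually requires access to

    def actions(self) -> frozenset:
        return frozenset().union(*(ROLE_ACTIONS[r] for r in self.roles))


@dataclass
class PaymentRequest:
    submitter: str
    project: str
    amount: int
    approvals: list = field(default_factory=list)


def submit(user: User, project: str, amount: int) -> PaymentRequest:
    if "submit" not in user.actions():
        raise PolicyViolation(f"least privilege: {user.name} may not submit")
    if project not in user.need_to_know:
        raise PolicyViolation(f"need-to-know: {user.name} has no business with {project}")
    return PaymentRequest(user.name, project, amount)


def approve(req: PaymentRequest, approver: User, required: int = 2) -> bool:
    """Record one approval; True once `required` distinct approvers have signed."""
    if "approve" not in approver.actions():
        raise PolicyViolation(f"least privilege: {approver.name} may not approve")
    if approver.name == req.submitter:
        raise PolicyViolation("separation of duties: nobody approves their own work")
    if approver.name in req.approvals:
        raise PolicyViolation("separation of duties: second confirmation must be someone else")
    if req.project not in approver.need_to_know:
        raise PolicyViolation(f"need-to-know: {approver.name} has no business with {req.project}")
    req.approvals.append(approver.name)
    return len(req.approvals) >= required


def attempt(fn, *args):
    """Return the call's result, or the name of the policy rule that blocked it."""
    try:
        return fn(*args)
    except PolicyViolation as exc:
        return str(exc).split(":")[0]


def run_scenario() -> dict:
    carol = User("carol", frozenset({"clerk"}), frozenset({"apollo"}))
    dave = User("dave", frozenset({"manager"}), frozenset({"apollo"}))
    erin = User("erin", frozenset({"manager"}), frozenset({"zeus"}))
    frank = User("frank", frozenset({"manager"}), frozenset({"apollo"}))
    gina = User("gina", frozenset({"clerk", "manager"}), frozenset({"apollo"}))

    req = submit(carol, "apollo", 5000)
    out = {
        "carol_approves_own": attempt(approve, req, carol),       # clerk has no approve action
        "carol_submits_zeus": attempt(submit, carol, "zeus", 10),  # outside her need-to-know
        "dave_first": attempt(approve, req, dave),                 # 1 of 2, not yet complete
        "dave_again": attempt(approve, req, dave),                 # same person twice
        "erin_other_project": attempt(approve, req, erin),         # manager, wrong project
        "frank_second": attempt(approve, req, frank),              # 2 of 2, complete
    }
    own = submit(gina, "apollo", 900)
    out["gina_approves_own"] = attempt(approve, own, gina)         # holds both roles, still blocked
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Gina's case is the one worth noting: holding both the clerk and manager roles is itself a least-privilege finding, but even then the separation-of-duties check keeps her from approving her own request.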

Relationship between Threat, Risk, and Countermeasure


Threat Agent - An entity that may act on a vulnerability

Threat - Any potential danger to the information life cycle

Vulnerability - A weakness or flaw that may provide an opportunity for a threat agent

Risk - The likelihood that a threat agent exploits a discovered vulnerability

Exposure - An instance of being compromised by a threat agent

Countermeasure / safeguard - An administrative, operational, or logical mitigation
against potential risks

Security Controls
- The management, operational and technical safeguards or countermeasures employed within
an organization's information system
→ To protect the C.I.A of the system and its information

Categories of Security Controls

Management (Administrative) Controls
- Policies, Standards, Processes, Procedures, & Guidelines
→ Administrative Entities: Executive-Level

Operational (Physical) Controls
- Operations Security (Execution of Policies, Standards & Processes, Education & Awareness)
→ Service Providers: IA, Program Security, Personnel Security
- Physical Security (Facility or Infrastructure Protection)
→ Locks, Doors, Walls, Fences
→ Service Providers: Guards, Dogs

Technical (Logical) Controls
- Access Controls, Identification & Authorization, Confidentiality, Integrity,
Availability, Non-Repudiation
→ Service Providers: Security Engineer, Helpdesk

Critical Characteristics of Information


Availability - Describes how data is accessible and correctly formatted for use
without interference or obstruction

Accuracy - Describes how data is free of errors and has the value that the user
expects

Authenticity - Describes how data is original rather than reproduced

Confidentiality - Describes how data is protected from disclosure or exposure to
unauthorized individuals or systems

Integrity - Describes how data is whole, complete, and uncorrupted

Utility - Describes how data has value or usefulness for an end purpose

Possession - Describes how the data's ownership or control is legitimate or authorized

Security Professionals and the Organization


- Required to support a diverse information security program
- Senior management is the key component
→ Chief Information Officer (CIO)
- Senior technology officer
- Responsible for advising the senior executives on strategic planning
→ Chief Information Security Officer (CISO)
- Responsible for the assessment, management, and implementation of information security (IS)
- Usually reports directly to the CIO
- Additional administrative support and technical expertise are required
→ To implement the details of the IS program

Information Security Project Team


- A small functional team of people
→ Experienced in one or multiple facets of the required technical and nontechnical areas:
- Champion (a senior executive who promotes the project)
- Team leader (a project manager)
- Security policy developers (people who understand the organizational culture and existing policies)
- Risk assessment specialists (people who understand financial risk assessment techniques)
- Security professionals (well-educated in all aspects of information security)
- Systems administrators (people with the primary responsibility for administering the
systems that house the organization's information)
- End users (a selection of users from various departments)

Chapter 2 (50-71) (1 Diagram)


Risk Identification
- Know how to identify, classify and prioritize an organization's information assets
Risk Assessment
- Evaluate the relative risk for each vulnerability
- Assign a risk rating or score to each information asset

Risk Control
- Once the ranked vulnerability risk worksheet is complete
- The organization must choose one of five strategies to control each risk
→ Defense (protect against the risk)
→ Transference (shift the risk to someone else)
→ Mitigation (reduce the impact)
→ Acceptance (take the risk, apply no control)
→ Termination (stop the activity, so there is no risk to bear)

Defense - Attempts to prevent exploitation of the vulnerability
- The preferred approach
- Can be done by countering threats, removing asset vulnerabilities,
limiting asset access and adding protective safeguards
- Three common methods of defense:
→ Application of policy
→ Education and training
→ Applying technology

Transference - Attempts to shift the risk to other assets, processes or organizations
- Organizations without in-house expertise should hire individuals or firms that provide
security management
- Transfers the risk to another organization experienced in dealing with those risks

Mitigation - Attempts to reduce the impact of an attack
- Includes three types of plans:
→ Incident response (IR) - Defines the actions to take while an incident is in progress
→ Disaster recovery (DR) - The most common mitigation procedure; preparations for the
recovery process
→ Business continuity (BC) - Encompasses the continuation of business activities

Acceptance - Do nothing to protect the asset and accept the outcome of the exploitation
- Valid only when the service or information does not justify the cost of
protection

Termination - Directly avoids business activities that introduce uncontrollable risks
- May seek an alternate mechanism to meet the customer's needs
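
An added worked example of the ranked vulnerability risk worksheet and the strategy decision that follows it, written for these notes rather than taken from them. The scoring rule (likelihood times asset value, less the share that existing controls already cover, plus an allowance for uncertainty), the acceptance threshold of 10, the decision order among the five strategies, and all five assets with their numbers are assumptions made for illustration.

```python
"""Added example: score each vulnerability, rank the worksheet, pick a control strategy.
Scoring weights, thresholds, decision order and every asset row are constructed
assumptions, not figures from the notes or from any real assessment."""
from dataclasses import dataclass

ACCEPT_THRESHOLD = 10.0  # assumption: residual scores below this are not worth a control


@dataclass(frozen=True)
class WorksheetRow:
    asset: str
    asset_value: float        # relative importance of the asset, 0-100 (assumption)
    vulnerability: str
    likelihood: float         # chance the vulnerability is exploited in the period, 0-1
    mitigated: float          # share of the risk that current controls already remove, 0-1
    uncertainty: float        # how unsure the analyst is about the estimates, 0-1
    control_cost: float       # cost of the protective safeguard, same 0-100 scale
    business_essential: bool  # False if the activity could simply be dropped
    preventable: bool         # True if a safeguard can stop the exploit, not just soften it


def risk_score(row: WorksheetRow) -> float:
    """Assumed scoring rule: likelihood x value, minus what existing controls cover,
    plus an allowance for uncertainty in the estimates."""
    base = row.likelihood * row.asset_value
    return base - base * row.mitigated + base * row.uncertainty


def choose_strategy(row: WorksheetRow, score: float) -> str:
    """Assumed decision order over the five control strategies."""
    if score < ACCEPT_THRESHOLD:
        return "Acceptance"    # the risk does not justify the cost of protection
    if not row.business_essential:
        return "Termination"   # stop the activity; nothing left to protect
    if not row.preventable:
        return "Mitigation"    # IR / DR / BC plans reduce the impact instead
    if row.control_cost > score:
        return "Transference"  # cheaper to insure or outsource than to defend in-house
    return "Defense"           # the preferred approach whenever it is affordable


def ranked_worksheet(rows) -> list:
    """Score every row, rank highest risk first, attach the chosen strategy."""
    scored = [(risk_score(r), r) for r in rows]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [
        {"asset": r.asset, "vulnerability": r.vulnerability,
         "score": s, "strategy": choose_strategy(r, s)}
        for s, r in scored
    ]


SAMPLE_ROWS = [  # constructed sample data (assumption)
    WorksheetRow("Customer DB", 100, "unpatched SQL server", 0.5, 0.2, 0.1, 20, True, True),
    WorksheetRow("Public web server", 55, "no DDoS protection", 0.8, 0.0, 0.2, 40, True, False),
    WorksheetRow("Legacy FTP service", 30, "clear-text credentials", 0.6, 0.0, 0.0, 15, False, True),
    WorksheetRow("Lobby printer", 5, "default admin password", 0.9, 0.0, 0.1, 2, True, True),
    WorksheetRow("Backup tapes in transit", 80, "tapes lost by courier", 0.2, 0.0, 0.25, 60, True, True),
]


if __name__ == "__main__":
    for line in ranked_worksheet(SAMPLE_ROWS):
        print(f"{line['score']:6.2f}  {line['strategy']:<12}  {line['asset']}: {line['vulnerability']}")
```

Two rows show why the order of the decision matters: the DDoS row scores highest but no safeguard prevents it, so it gets Mitigation (IR/DR/BC planning) rather than Defense; the tape row is preventable but the safeguard costs three times the residual score, so Transference (insurance or a bonded courier contract) wins.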

Chapter 3 (14-16) (21-23) (29-39) (1 attack with scenario)


Espionage (spying) and Trespass
- Access to protected information by unauthorized individuals
- Competitive intelligence (legal) vs industrial espionage (illegal)
- Shoulder surfing can occur anywhere a person accesses confidential information
- Controls let trespassers know they are encroaching on the organization's cyberspace
- Hackers use skill, guile or fraud to bypass the controls protecting others' information

Expert hackers
- Develop software scripts and program exploits
- Usually a master of many skills
- Will often create attack software and share with others

Unskilled hackers
- More unskilled hackers than expert hackers
- Use expert hacker’s written software to exploit a system
- Usually do not fully understand the systems they hack

Terms for system rule breakers:
- Cracker → cracks or removes software protection designed to prevent unauthorized
duplication
- Phreaker → hacks the public telephone system to make free calls or disrupt services

Password attacks
- Cracking
- Brute force
- Dictionary
- Rainbow tables
- Social engineering
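
An added example (not code from the notes) running the three cracking techniques listed above against stored password hashes in Python: a precomputed hash-to-password table stands in for a rainbow table (same idea, without the chain compression), a dictionary attack walks a word list, and brute force enumerates every four-digit PIN. It also shows what salting and a slow KDF change: the table becomes useless and every guess has to be recomputed per user. The word list, the passwords hunter2 and 0417, and the salts are constructed sample data; the PBKDF2 iteration count is kept low so the example runs quickly.

```python
"""Added example of table lookup, dictionary and brute-force password attacks
against unsalted and salted hashes.  Word list, passwords and salts are constructed
sample data (assumption)."""
import hashlib
import itertools
import os

WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty", "Summer2023"]
KDF_ITERATIONS = 10_000  # kept low so the example runs quickly; production uses far more


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: identical passwords give identical hashes for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def build_lookup_table(words) -> dict:
    """Precompute hash -> password once; any unsalted hash is then reversed by lookup."""
    return {unsalted_hash(w): w for w in words}


def table_attack(table: dict, stored):
    """Rainbow-table style attack: one dictionary lookup, no hashing at attack time."""
    return table.get(stored)


def dictionary_attack(words, stored: bytes, salt: bytes):
    """Salted target: every guess is re-hashed with the victim's salt, so nothing can be
    precomputed and the cost is one KDF call per guess per user.  Returns (password, guesses)."""
    for count, word in enumerate(words, start=1):
        if salted_hash(word, salt) == stored:
            return word, count
    return None, len(words)


def brute_force_pin(stored: str, length: int = 4):
    """Exhaustive search over every numeric PIN of the given length (unsalted target)."""
    for count, digits in enumerate(itertools.product("0123456789", repeat=length), start=1):
        candidate = "".join(digits)
        if unsalted_hash(candidate) == stored:
            return candidate, count
    return None, 10 ** length


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    salt_bob, salt_alice = os.urandom(16), os.urandom(16)
    bob_unsalted = unsalted_hash("hunter2")
    bob_salted = salted_hash("hunter2", salt_bob)
    alice_salted = salted_hash("hunter2", salt_alice)  # same password, different user
    strong_salted = salted_hash("correct horse battery staple", salt_bob)
    return {
        "table_vs_unsalted": table_attack(table, bob_unsalted),
        "table_vs_salted": table_attack(table, bob_salted.hex()),
        "same_password_same_hash": bob_salted == alice_salted,
        "dictionary_vs_salted": dictionary_attack(WORDLIST, bob_salted, salt_bob),
        "dictionary_vs_strong": dictionary_attack(WORDLIST, strong_salted, salt_bob),
        "brute_force_pin": brute_force_pin(unsalted_hash("0417")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not stop a dictionary attack on a weak password (hunter2 still falls on the fourth guess); it only removes the attacker's ability to precompute, and the slow KDF makes each of those per-user guesses expensive. A password outside the word list survives the dictionary entirely, which is the argument for length over complexity rules.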

Human Error or Failure


- Performed without malicious intent or in ignorance
- Causes include inexperience, improper training, and incorrect assumptions
- Employees are among the greatest threats to an organization's data
- Employee mistakes can easily lead to:
→ Data revelation
→ Entry of erroneous data
→ Accidental deletion or modification of data
→ Data storage in unprotected areas
→ Failure to protect information
- Many of these threats can be prevented with training
- Social engineering convinces people to reveal access credentials or other valuable
information to an attacker

Social Engineering
- People are the weakest link
- Even if you have the best technology → firewalls, intrusion-detection systems
- Advance-fee fraud → the victim is asked for a small advance fee or personal banking
information in return for a promised sum of money
- Phishing → attempt to gain personal or confidential information; often redirects the user
to a third-party site via a link or embedded code within the mail

Software Attacks
- Malware is used to gain access to protected systems via hidden means
- Occurs when an individual designs and deploys software to attack a system
- Types of attacks include:
→ Back door
→ Denial-of-service (DoS)

Malware - Intended to destroy or steal information

Virus - Consists of code that attaches to a program to take control of the target

Worms - Replicate until they completely fill available resources such as memory

Trojan - Malware disguised as something useful or benign

Back door - Gaining access to a system using a known or newly discovered access
mechanism

Denial-of-service (DoS) - An attack that sends a large number of connection requests to a
target to make the system overloaded so it cannot respond to legitimate requests for
service
- E.g. the website can no longer be served

Distributed denial-of-service (DDoS) - Requests launched against a target from many
locations simultaneously to make the system overload

Mail bombing (also a DoS) - Routes a large amount of email to the target to overwhelm
the receiver

Spam - Unsolicited commercial email
- More of an annoyance than an attack

Packet sniffer - Monitors data traveling over a network
- Can be used both for legitimate management purposes and for
stealing information from a network

Spoofing - Technique used to gain unauthorized access by forging the source address of
packets so they appear to come from a trusted host

Pharming - An attack that redirects users to a fake site for the purpose of
obtaining private information

Man-in-the-middle - Attacker monitors the network packets, modifies them, and inserts
them back into the network
- An attack performed from a position between the target user and the server
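
An added Python example (not from the notes) of the man-in-the-middle entry above: the attacker reads a payment message passing between a user and a server (the packet-sniffer case), rewrites the payee, and re-injects it. Without an integrity check the server accepts the rewrite; with an HMAC over the body it rejects it, and an attacker who does not hold the key cannot produce a valid tag for a forged message. The shared key, the payee names and the amount are constructed sample data.

```python
"""Added example: a man-in-the-middle rewriting a packet, and the integrity check that
catches it.  Key, parties and messages are constructed sample data (assumption); a real
deployment would run this exchange inside TLS."""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-example-key-do-not-reuse"  # assumption: agreed out of band


def client_send_plain(payload: dict) -> bytes:
    """Unprotected wire format: just the JSON body."""
    return json.dumps(payload, sort_keys=True).encode()


def server_receive_plain(wire: bytes) -> dict:
    """Unprotected server: trusts whatever arrives."""
    return json.loads(wire)


def client_send_authenticated(payload: dict, key: bytes = SHARED_KEY) -> bytes:
    """Body followed by '|' and an HMAC-SHA256 tag computed over the body."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def server_receive_authenticated(wire: bytes, key: bytes = SHARED_KEY):
    """Recompute the tag; return the payload only if it matches, otherwise None."""
    body, sep, tag = wire.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def mitm_rewrite(wire: bytes, new_payee: str) -> bytes:
    """The attacker in the middle: read the packet, change the payee, re-inject it.
    Any trailing tag is copied unchanged because the attacker lacks the key to redo it."""
    body, sep, tag = wire.rpartition(b"|")
    if not sep:  # plain format carries no tag
        body, tag = wire, b""
    payload = json.loads(body)
    payload["payee"] = new_payee
    forged = json.dumps(payload, sort_keys=True).encode()
    return forged + (b"|" + tag if sep else b"")


def demo() -> dict:
    order = {"payee": "alice", "amount": 250}
    tampered_plain = mitm_rewrite(client_send_plain(order), "mallory")
    authed = client_send_authenticated(order)
    guessed_key_message = client_send_authenticated({"payee": "mallory", "amount": 250}, key=b"guess")
    return {
        "plain_server_sees": server_receive_plain(tampered_plain)["payee"],
        "authed_untouched": server_receive_authenticated(authed),
        "authed_tampered": server_receive_authenticated(mitm_rewrite(authed, "mallory")),
        "forged_with_guessed_key": server_receive_authenticated(guessed_key_message),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The HMAC gives integrity and origin authentication only: the sniffer still reads every field, and an attacker can replay a captured message unchanged, so a real protocol adds encryption and a sequence number or nonce, which is what TLS provides between the user and the server.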
