14. Exam Essentials for Incident Management

Incident response steps are specifically listed in the CIB as:

  1. Detection
  2. Response
  3. Reporting
  4. Recovery
  5. Remediation and Review

Once an incident is detected, the first response sohould be to limit or contain the scope fo the incident while protecting evidence. Based on governing laws, the incident may need to be reported to official authorities, and if PII is affected, individuals need to be informed. The remediation and review stage includes root cause analysis to determine the cause and recommend a solution to prevent reoccurrence.

Basic preventive measures can prevent many incidents from occurring and they are repeated often. Like keeping systems up-to-date, removing or disabling unneeded protocols and services, using antivirus software, enabling firewalls and using IDSs.

Malicious code is thwarted with a combination of tools. Updated antivirus is the primary tool on each system, at the boundary of the network and on email servers.

Don’t foget about policies enforcing basic security principles such as least privilege to prevent regular users from installing software that may be malicious. Additionally, educating users from installing software that may be malicious. Additionally educating users about the risks and the methods attackers commonly use to spread viruses, helps users understand and avoid dangerous behaviors.

A zero-day exploit is an attack that uses a vulnerability that is either unknown to anyone bu the attacker or known only to a limited group of people. On the surface, it sounds like you can’t protect against an unknown vulnerability, but basic security practices go a long way to preventing zero-day exploits. Removing or disabling unneeded protocols and services reduces the attack surface, enabling firewalls blocks many access points, and using intrusion detection systems helps detect potential attacks. Additionally, using tools such as honeypots and padded cells helps protect live networks.

DoS attacks prevent a system from responding to legitimate requests for service. A common DoS attack still used is the SYN flood attack, which disrupts the TCP three-way handshake. Even though older attacks are not as common today because basic precautions block them, you may still be tested on them because many newer attacks are often variations on older methods. Smurf attacks employ an amplification network to send numerous response packets to a victim. Ping-of-death attacks send numerous oversized ping packets to the victim, causing the victim to freeze, crash, or reboot.

Botnets represent significant threats due to the massive number of computers that can launch attacks, so it’s important to know what they are.

A botnet is a collection of compromised PCs organized in a network controlled by a criminal known as a bot herder. Bot herders use a command and control server to remotely control the zombies and often use the botnet to launch attacks on other systems or send spam or phishing emails. Bot herders also rent botnet access out to other criminals.

A man in the middle attack occurs when a malicious user is able to gain a position between the two endpoints of a communications link. While it takes a significant amount of sophistication on the part of an attacker to complete a man in the middle attack, the amount of data obtained from the attack can be significant.

Malicious insiders can perform sabotage against an organization if they become disgruntled for some reason. Espionage is when a competitor tries to steal information, and they may use an internal employee. Basic security principles and immediately disabling accounts for terminated employees limit the damage from these employees.

IDSs and IPSs are important detective and preventive measures against attacks.

Knowledge based using a database. Behavior based using a baseline to create a normal.

An IDS can respond passively by logging and sending notifications, or actively by changing the environment. Some people refer to an active IDS as an IPS, but its important to recognize that an IPS is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target.

HIDS can monitor activity on a single system only and can be discovered by attackers and disabled. NIDS can monitor activity on a network and aren’t as visible to attackers.

A honeypot is a system that often uses pseudo flaws and fake data to lure intruders. Administrators can observe the activity of attackers while they are in the honeypot, as long as attackers are in the honeypot, they are not in the live network. Some IDSs have the ability to transfer attackers into a padded cell after detection. While a honeypot and padded cell are similar, note that a honeypot lures the attacker but the attacker is transferred into the padded cell.

Penetration tests start by discovering vulnerabilities and then mimic an attack to identify what vulnerabilities can be exploited. It’s important to remember pen tests should not be done without express consent and knowledge from management.

Additionally, since pen tests can result in damage, they should be done on isolated systems whenver possible. Remember black box vs white box, vs gray box testing.

Fault tolerance is a common method used to eliminate single points of failure and increase availability. RAID protects against disk failures, failover clusters protect against server failuers, and UPS and generators protect against power failures. It’s important to remember that fault tolerance does not negate the need for backups.

13. Exam Essentials for Security Operations

Need to Know & The principle of least privilege are two standard IT security principles implemented in secure networks. They limit access to data and system so that users and other subjects have access only to what they require.
When these principles are not followed, security incidents result in far greater damage to an organization.

Separation of duties is a basic security principle that ensures that no single person can control all the elements of a critical function or system.

Job rotation, employees are rotated into different jobs or tasks are assigned to different employees.

Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions.

Privileged entities are trusted, but they can abuse their privileges, Because of this, it’s important to monitor all assignment of privileges and the use of privileged operations.

Sensitive information is any type of classified information, and proper management helps prevent unauthorized disclousr resulting in a loss of confidentiality.

Proper management includes marking, handling, storing and destroying sensitive information. The two areas where organization often miss the mark are adequately protecting backup media holding sensitive information and sanitizing media or equipment when it is at the end of its life cycle.

record retention policies ensure that data is kept in a usable state while it is needed and destroyed when it is no longer needed. many laws and regulations mandate keeping data for a specific amount of time, but in the absence of formal regulations, organizations specify the retention period within a policy. Audit trail data needs to be kept long enough to reconstruct past incidents, but the organization must identify how far back they want to investigate. A current trend with many organization sis to reduce legal liabilities by implementing short retention policies with email.

Patch management ensures that systems are kept up-to-date with current patches. you should know that an effective patch management program will evaluate, test, approve, and deploy patches. additionally, be aware that system audits verify the deployment of approved patches to systems. Patch management is often intertwined with change and configuration management to ensure that documentation reflects the changes. when an organization does not have a patch management program it will often experience outages and incidents from known issues that could have been prevented.

Vulnerability management includes routine vulnerability scans and periodic vulnerability assessments. Vulnerability scanners are used to detect known security vulnerabilities and weaknesses such as the absence of patches or weak passwords. They are used to generate reports that indicate the technical vulnerabilities of a system and are an effective check for a patch management program. Vulnerability assessments extend beyond just technical scans and can include reviews and audits to detect vulnerabilities.

Many outages and incidents can be prevented with effective configuration and change management programs. Configuration management ensures that systems are configured similarly and the configuration of systems are known and documented. Baselining ensures that systems are deployed with a common baseline or starting point, and imaging is a common baselining method. Change management helps reduce outages or weakened security from unauthorized changes. A change management process requires changes to be requested, approved, and documented. Versioning uses a labeling or numbering system to track changes in updated versions of software.

Security audits and reviews help ensure that management programs are effective and being followed. They are commonly associated with account management practices and prevent violations with least privilege or need to know principles. However, they can also be performed to oversee patch management, vulnerability management, change management, and configuration management programs.

12. Exam Essentials for Security Architecture, Vulnerabilities, Threats, and Countermeasures

What is multitasking? It is the simultaneous execution of more than one application on a computer and is managed by the operating system.
What is multithreading? Multithreading permits multiple concurrent tasks to be performed within a single process.
Multiprocessing? It is the use of more than one processor to increase computing power.
Multiprogramming? It is similar to programming but takes place on mainframe systems and requires specific programming.

Single State Processors are capable of operating at only one security level at a time. Multistate processors can simultaneously operate at multiple security levels.

Four security modes approved by the federal government for processing information are:
Dedicated systems require that all users have appropriate clearance, access permissions, and need to know for all information stored on a system.
System high mode removes the need-to-know requirement and the access permission requirement. Multilevel mode removes all three requirements.

Two layered operating modes used by most modern processors:
User applications operate in a limited instruction set environment known as user mode. the operating system performs controlled operations in privilged mode, also known as system mode, kernel mode, and supervisory mode.

Types of memory in a computer:
ROM, nonvolatile and can’t be written to by the user
PROM, can be written to by the user
EPROM may be erased using ultraviolet light and then can have new data written.
EEPROM can be erased with electrical current and then have new data written on them.
RAM are volatile and lose their contents when the computer is off.

Security issues surrounding memory components:
3 main security issues:
Data may remain on the chip after power is removed.
Memory chips is highly pilferable
Control of access to memory in a multiuser system.

Describe the different characteristics of storage devices used by computers.
Primary storage is the same as memory
Secondary storage consists of magnetic and optical media that must be first read into primary memory before the CPU can use the data.
Random access storage devices can be read at any point, whereas sequential access devices require scanning through all the data physically stored before the desired location.

There are three main security issues surrounding secondary storage devices: removable media can be used to steal data, access controls must be applied to protect data, and data can remain in media after file deletion or media formatting.

Understand security risks that input and output devices can pose.
They are subject to eavesdropping and tapping, used to smuggle data out of an organization or used to create unauthorized, insecure points of entry into an organization’s system and networks. be prepared to recognize and mitigate such vulnerabilities.

Working with legacy PC devices requires some understanding or IRQs, DMA, and memory-mapped I/O. Be prepared to recognize and work around potential address conflicts and misconfigurations and to integrate legacy devices with Plug and Play counterparts.

Firmware is the software stored on a ROM chip. At the computer level, it contains the basic instructions to start a computer. Firmware is used to provide operating instructions in peripheral devices such as printers.

Process isolation ensures that individual processes can access only their own data.
Layering creates different realms of security within a process and limits communication between them.
Abstraction creates “black-box” interfaces for programmers to use without requiring knowledge of an algorithm’s or device’s inner workings.
Data hiding prevents information from being read from a different security level
Hardware segmentation enforces process isolation and physical controls.

The role of a security policy is to inform and guide the design, development, implementation, testing, and maintenance of some particular system.

Cloud computing is a popular term referring to a concept of computing where processing and storage are performed elsewhere over a network connection rather than locally.
AKA Internet-based computing.

Least privilege ensures that only a minimum number of processes are authorized to run in supervisory mode.
Separation of privilege increases the granularity of secure operations. Accountability ensures that an audit trail exists to trace operations back to their source.

Avoiding single points of failure includes incorporating fault-tolerant systems and solutions into an environment’s design. Fault tolerant systems include redundant or mirrored systems, TFTP servers, and RAID. You should also address power issues and maintain a backup solution.

A covert channel is any method that is used to pass information but that is not normally used for information.

A buffer overflow occurs when the programmer fails to check the size of input data prior to writing the data into a specific memory location. In fact, any failure to validate input data could result in a security violation.

In addition to buffer overflows, programmers can leave back doors and privileged programs on a system after it is deployed. Even well-written systems can be susceptible to time-of-check-to-time-of-use (TOCTTOU) attacks. Any state change could be a potential window of opportunity for an attacker to compromise a system.

11. Exam Essentials for Principles of Security Models, Design, and Capabilities

know the details about each of the access control models and their functions:
The state machine model ensures that all instances of subjects accessing objects are secure.
The information flow model is designed to prevent unauthorized, insecure, or restricted information flow.
The noninterference model prevents the actions of one subject from affecting the system state or actions of another subject.
The Take-Grant model dictates how rights can be passed from subject to another or from a subject to an object.
An access control matrix is a table of subjects and objects that indicates the actions or functions that each subject can perform on each object.
Bell-LaPadula subjects have a clearance level that allows them to access only those objects with corresponding classification levels and below, plus its based on need to know at the current level.
Biba prevents subjects w2ith lower security levels from writing to objects at higher security levels.
Clark-Wilson is an integrity model that relies on auditing to ensure that unauthorized subjects cannot access objects and that authorized users access objects properly.
Biba and Clark-Wilson enforce integrity.
Goguen-Meseguer and Sutherland focus on integrity.
Graham-Denning focuses on the secure creation and deletion of both subjects and objects.

Know the definitions of certification and accreditation.
Certification is the technical evaluation of each part of a computer system to assess its concordance with security standards.
Accreditation is the process of formal acceptance of a certified configuration from a designated authority.

Describe open and closed systems
Open systems are designed using industry standards and are usually easy to integrate with other open systems.
Closed systems are generally proprietary hardware and/or software. Their specifications are not nromally published, and they are usually harder to integrate with other systems.

Confinement, Bounds, and Isolation
Confinement restricts a process to reading from and writing to certain memory locations.
Bounds are the limits of memory a process cannot exceed when reading or writing.
Isolation is the mode a process runs in when it is confined through the use of memory bounds.

Objects and Subjects
Subjects are users or processes that make requests for access to a resource
Objects are the resource.
Security controls use access rules to limit access by a subject to an object.

Here is a list of classes of the TCSEC, ITSEC, and Common Criteria.
D F-D+E0 EAL0, EAL1 Minimal/no protection
C1 F-C1+E1 EAL2 Discretionary security mechanisms
C2 F-C2+E2 EAL3 Controlled access protection
B1 F-B1+E3 EAL4 Labeled security protection
B2 F-B2+E4 EAL5 Structured security protection
B3 F-B3+E5 EAL6 Security domains
A1 F-B3+E6 EAL7 Verified security design

A TCB or Trusted Computing Base is the combination of hardware, software, and controls that form a trusted base that enforces the security policy.

A security perimeter is the imaginary boundary that separates the TCB from the rest of the system. TCB components communicate with non-TCB components using trusted paths.

The reference monitor is a logical part of the TCB that confirms whether a subject has the right to sue a resource prior to granting access. The security kernel is the collection of the TCB components that implement the functionality of the reference monitor.

Common security capabilities include memory protection, virtualization, and trusted platform module (TPM).

10. Exam Essentials for PKI and Cryptographic Applications

Asymmetric key cryptography is another way of saying public key encryption.

Understand the key types used in asymmetric cryptography: public keys are freely shared whereas private keys are kept secret. to encrypt a message, the use the recipient’s public key. To decrypt a message, use your own private key.
To sign a message, use your own private key. to validate a signature, use the sender’s public key.

Be familiar with the three major public key cryptosystems: RSA (which depends upon the difficulty of factoring the product of prime numbers), El Gamal (an extension of the Diffie-Hellman key exchange algorithm that depends upon modular arithmetic), the Elliptic Curve Algorithm (depends on the elliptic curve discrete logarithm problem and provides more security than other algorithms when both are used with keys of the same length).

A good hash function has the following fundamentals:
They must allow input of any length
Provide a fixed-length output
Make it relatively easy to compute the hash function for any input
Provide one-way functionality
Be collision free

Major hashing algorithms:
SHA-1 (160-bit message digest)
SHA-2 (variable lengths up to 512 bits)

Digital signatures are generated and verified, first using a hashing function to generate a message digest, then encrypt the digest with your private key. to verify the digital signature on a message, decrypt the signature with the sender’s public key and then compare the message digest to the one you generate yourself, if they match, its authentic.

know the components of the Digital Signature Standard (DSS).
DSS uses the SHA-1 message digest function along with one of three encryption algorithms: DSA, RSA or ECDSA
(Digital Signature Algorithm, Rivest, Shamir Adleman, Elliptic Curve DSA)

Understand the PKI.
In the pki, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Users then distribute these certificates to people with whom they want to communicate. Certificate recipients certify a certificate using the CA’s public key.

Common applications of cryptography to secure email are: s/mime protocol, another popular security tool is Phil Zimmerman’s PGP.

Common applications of cryptography to secure web activity: The de facto standard for secure web traffic is the HTTP over TLS or the older SSL.

Common applications of cryptography to secure networking: IPSec protocol standard provides a common framework for encrypting network traffic and is built in to a number of common operating systems. In IPSec transport mode, packet contents are encrypted for peer-to-peer communication, in tunnel mode, the entire packet, including header information, is encrypted for gateway-to-gateway communications.

IPSec is a security architecture framework that supports secure communication over IP. IPSec establishes a secure channel in either transport mode of tunnel mode, for direct communication between computers or to setup a VPN between networks. IPSec uses two protocols: AH (authentication header) and ESP (encapsulating security payload).

Common cryptographic attacks:
Brute-Force: or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.

Known plain-text: the attacker has samples of both the plaintext (called a crib), and its encrypted version (ciphertext). These can be used to reveal further secret information such as secret keys and code books. The term “crib” originated at Bletchley Park, the British World War II decryption operation.[1][2]

Chosen ciphertext: the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.

Chosen plain-text: the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which reduces the security of the encryption scheme. In the worst case, a chosen-plaintext attack could reveal the scheme’s secret key.

Meet-in-the-middle: a generic attack, applicable on several cryptographic systems. The internal structure of a specific system is therefore negligible to this attack. It is possible though to combine it with other kinds of attack as has been done.
Naturally it requires the ability to encrypt and decrypt, and the possession of pairs of plaintexts and corresponding ciphertexts.
When trying to improve the security of a block cipher, a tempting idea is to simply use several independent keys to encrypt the data several times using a sequence of functions (encryptions). Then one might think that this doubles or even n-tuples the security of the multiple-encryption scheme, depending on the number of encryptions the data must go through.
The Meet-in-the-Middle attack attempts to find a value using both of the range (ciphertext) and domain (plaintext) of the composition of several functions (or block ciphers) such that the forward mapping through the first functions is the same as the backward mapping (inverse image) through the last functions, quite literally meeting in the middle of the composed function.

Man-in-the-middle: a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances.

Birthday: Exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties. The attack depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations (pigeonholes), as described in the birthday problem/paradox.

Replay: network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).

9. Exam Essentials for Cryptography and Symmetric Key Algorithms

Understand the role that confidentiality, integrity, and nonrepudiation play in cryptosystems.

Know how cryptosystems can be used to achieve authentication goals by providing assurances as to the identity of the user. one possible scheme that uses authentication is the challenge-response protocol, in which the remote user is asked to encrypted a message using a key known only to the both of them communicating parties. using either symmetric or asymmetric cryptosystems.

The basic terminology of cryptography.

Understand the difference between a code and a cipher and explain the basic types of ciphers. Codes are cryptographic systems of symbols that operate on word or phrases and are sometimes secret but don’t always provide confidentiality. ciphers, however are always meant to hide the true meaning of a message. know how the following types of ciphers work;
transposition ciphers, substitution ciphers (include 1 time pads), stream ciphers and block ciphers.

Know the requirements for successful use of a one-time pad.
The key must be randomly generated, at least be as long as the message to be encrypted, must be protected against physical disclosure and must be only one time used then discarded.

The concept of zero knowledge proof.

Understand split knowledge: It ensures that no single person has sufficient privileges to compromise the security of the environment.

Understand work function. (or work factor). It’s a way to measure the strength of a cryptography system by measuring the effort in terms of cost and/or time to decrypt messages. usually the time and effort required to perform a complete brute-force attack against an encryption system is what a work function rating represents.

The importance of key security: The cryptographic keys provide the necessary elements of secrecy to a cryptosystem. modern cryptosystems utilize keys that are at least 128 bits long to provide adequate security.It’s generally agreed that the 56-bit key of the des is no longer sufficiently long enough to provide security.

Know the difference between symmetric and asymmetric cryptosystems.
Symmetric key cryptosystems are fast, rely on a shared secret key but lack support for scalability, easy key distribution, and nonrepudiation. Asymmetric cryptosystems use public-private key pairs for communication between parties but operate much more slowly than symmetric algorithms.

Be able to explain basic operational modes of DES and 3DES.
ECB: Electronic Code Book
CBC: Cipher Block Chaining
CFB: Cipher Feedback Mode,
OFB: Output Feedback Mode (least secure)

3DES uses three iterations of DES with two or three different keys to increase the effective key strength to 112 or 168 bits, respectively.

AES is the Advanced Encryption Standard and is the US government standard for the secure exchange of sensitive but unclassified data. AES uses key lengths of 128, 192, and 256 bits and a fixed block size of 128 bits to achieve a much higher level of security than that provided by the older DES algorithm.

8. Exam Essentials for Malicious Code and Application Attacks

Understand the propagation techniques used by viruses. File Inflection, service injection, boot sector infection, macro infection.

Most antivirus programs use signature-based detection algorithms to look for telltale patterns of known viruses. It’s essential to update virus definition files in order to maintain protection against newly authored viruses as they emerge.

Passwords are the most common access control mechanism in use today and it is essential that you understand how to protect against attackers who seek to undermine their security. Understand password crackers, dictionary attacks and social engineering and how they are used to defeat password security.

Application attacks are one of the greatest threats to modern computing. Attackers exploit buffer overflows, trap doors, time of check to time of use vulnerabilities and rootkits to gain illegitimate access to a system.

As applications move to the web, developers and security professionals must understand the new types of attacks that exist in this environment and how to protect against them. The most common are xss and sql injection attacks.

Before launching an attack, attackers use IP sweeps to search out active hosts on a network, then port scan, then vulnerability probe which they attack weaknesses found. Understand these attacks to limit the amount of information an attacker can get.

7. Exam Essentials for Software Development Security

Describe the functioning of viruses, worms, trojan horses and logic bombs.
Viruses: oldest form of malicious code objects.
Trojan Horses: Cover application with secret, usually malicious, payload.
Logic bombs: Dormant malicious code that awaits for an event to trigger.
Worms:A viruses designed to spread itself.

Understand the impact each type of threat may have on a system and the methods they use to propagate. Know the basic functioning of agents (aka bots) and the impact they may have on computer/network security.

Understand the functionality behind Java applets and ActiveX controls and be able to determine the appropriate security controls for a given computing environment.

Applets are code objects sent from a server to a client to perform some action (opposite of an agent/bot), like an online mortgage calculator. ActiveX is the Microsoft version of Java Applets.

Explain RDBMSs. Functions of tables/relations, rows/records/tuples, columns/degrees/fields/attributes. Know how relationships are defined between tables and roles of various types of keys. Describe database security threats posed by aggregation and inference.


Know storage:differences between primary memory and virtual memory, secondary storage and virtual storage, random access storage, sequential access storage, and volatile storage and nonvolatile storage.

Expert and neural networks function.
Expert has a knowledge base with if/then rules and an inference engine to draw conclusions based on it (like twenty questions)

Neural simulate the functioning of a human mind to a limited extent by arranging a series of layered calculations to solve problems. Neural networks require extensive training on a particular problem before they are able to offer solutions.

The different models of systems development:
Waterfall model describes a sequential development process that results in the development of a finished product.

The spiral model uses several iterations of the waterfall model to produce a number of fully specified and tested prototypes.

Agile development models place an emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion.

Software maturity models help software organizations improve the maturity and quality of their software processes by implementing an evolutionary path from ad hoc, to mature software processes.

SW CMM: Software Capability Maturity Model
1: Initial
2: Repeatable
3: Defined
4: Managed
5: Optimizing

I: Initiating
D: Diagnosing
E: Establishing
A: Acting
L: Learning

To memorize, remember this “I, I Dr. Ed, AM LO”
then write it out in two columns

Acting Managed
Learning Optimizing

Know the 3 basic components of change control:
1: Request Control
2: Change Control
3: Release Control

The 4 rings of the ring protection scheme:
0: operating system itself resides here, processes running in this level are often said to be running in supervisory mode or privileged mode. Level 0 processes have full control of all system resources so its essential to ensure that they are fully verified and validated.
The kernel implements the reference monitor, an operating system component that validates all user requests for access to resources against an access control scheme.
1 & 2: device drivers and other operating system services. Most operating systems do not employ these rings.
3: user applications and processes reside here, usually called user mode or protected mode.

The security kernel is the core set of operating system services that handles user requests for access to system resources. the reference monitor is a portion of the security kernel that validates user requests against the system’s access control mechanisms.

Software testing should be designed as part of the development process. Testing should be used as a management tool to improve the design, development, and production process.

4 security modes approved by the DoD: compartmented security mode (all system users must have an appropriate clearance to access all information processed by the system but do not necessarily have a need to know of all information in the system), dedicated security mode (are authorized to process only a specific classification level at a time, all users must have clearance and a need to know that information), multilevel security mode (authorized to process information at more than one level of security even when all system users do not have appropriate clearances), and system-high security mode (authorized to process only information that all system users are cleared to read and have a valid need to know. not trusted to maintain separation between security levels and all information processed by these systems must be handled as if it were classified at the same level as the most highly classified information processed.).

6. Exam Essentials for Risk and Personnel Management

3rd party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements.

Overall risk management is the process of identifying factors that could damage or disclose data, evaluating those factors in light or data value and countermeasure cost, and implementing a cost-effective solution for mitigating or reducing risk is knows as risk management. Risk management lays the foundation for reducing risk overall.

Risk analysis is the process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred, and which should be accepted. To do so, the following must be analyzed:
assets, asset valuation, threats, vulnerability, exposure, risk, realized risk, safeguards, countermeasures, attacks, and breaches.

Threats come from numerous sources, including IT, humans and nature. Threat assessment should be performed as a team effort to provide the widest range of perspectives.

Quantitative risk analysis focuses on hard values and percentages. A complete quantitative analysis is not possible because of the intangible aspects of risk. The process involves asset valuation and threat identification and then determining a threat’s potential frequency and the resulting damage; the result is a cost/benefit analysis of safeguards.

Exposure Factor (EF) is an element of quantitative risk analysis that represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

(SLE) Single Loss Expectancy is an element of quantitative risk analysis that represents the cost associated with a single realized risk against a specific asset. SLE=AV*EF

(ARO) Annualized Rate of Occurrence is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur within a single year.

(ALE) Annualized Loss Expectancy is an element of quantitative risk analysis that represents the possibly yearly cost of all instances of a specific realized threat against a specific asset. ALE=SLE*ARO

Use the ALE formula before and after a safeguard is implemented, (ALE before – ALE after) – cost of safeguard = value of safeguard to company.

Qualitative risk analysis is based on scenarios than calculations. exact dollar amounts are not assigned in possible losses; instead, threats are ranked on a scale to evaluate their risks, costs, and effects.

The Delphi technique is simply an anonymous feedback-and-response process used to arrive at a consensus to properly evaluate risks and implement solutions.

Reducing risk, risk mitigation, implementing safeguards and countermeasures. Assigning risk or transferring a risk places the cost of loss a risk represents onto another entity or organization. Accepting risk means the management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.

Total risk is the amount of risk an organization would face is no safeguards were implemented. To calculate total risk, use this formula: threats * vulnerabilities * asset value = total risk. residual risk is the risk that management has chosen to accept rather than mitigate. the difference between total risk and residual risk is the controls gap. to calculate residual risk: total risk = controls gap = residual risk.

To properly plan for security, you must have standards in place for job descriptions, job classification, work tasks, job responsibilities, preventing collusion, candidate screening, background checks, security clearances, employment agreements, and nondisclosure agreements. be developing these mechanisms, you ensure that new hires are aware of the required security standards.

Separation of duties is the security concept of dividing critical, significant, and sensitive work tasks among several individuals, ensuring no one person can compromise system security.

Least privilege, users are granted the minimum amount of access necessary to do their tasks/jobs. Limiting user access limits vulnerability of sensitive information.

Job rotation serves: knowledge redundancy, reduces risk of fraud, data modification, theft sabotage and misuse of information.

Mandatory vacations are used to audit and verify the work tasks and privileges of employees to detect abuse, fraud or negligence.

Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. These are usually called SLAs.

Termination policy defines the procedures for terminating employees. Right? It should include items such as always having a witness, disabling the employee’s network access, and performing an exit interview. A termination policy should also include escorting the terminated employee off the premises and requiring the return of security tokens and badges and company property.

Before training and education can take place, awareness of security as a recognized entity must be created, then can come training, teaching employees to perform their work tasks and to comply with the security policy. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy.

In order to manage the security function, an organization must implement proper and sufficient security governance. the act of performing a risk assessment to drive the security policy is the clearest and most direct example of management of the security functio. this also relates to budget, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.

5. Exam Essentials for Security Governance Concepts, Principles and Policies

Primary goals are contained in the CIA. The three principles are considered the most important within the realm of security.

Confidentiality is the principle that objects are not disclosed to unauthorized subjects.

Integrity is the principle that objects retain their veracity and are intentionally modified by only authorized subjects.

Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects.

There are multiple meanings and definitions of privacy, why is it important to protect it and what are the issues surrounding it in the work environment and elsewhere?

Active prevention of unauthorized access to information that is personally identifiable.

Freedom from unauthorized access to information deemed personal or confidential

Freedom from being observed, monitored, or examined without consent or knowledge.

It can be hard to balance individual rights to privacy and the rights or activities of an organization.

Identification is the process by which a subject professes an identity and accountability is initiated. AAA.

The process of verifying or testing that a claimed identity is valid is authentication.

Once a subject is authenticated, its access must be authorized.

Security governance is the collection of practices related to supporting, defining and directing the security efforts of an organization.

Auditing, or monitoring is the programmatic means by which subjects are held accountable for their actions while authenticated on a system. It’s also the process by which unauthorized or abnormal activities are detected. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution and produce problem reports and analysis.

An organization’s security policy can be properly enforced only if accountability is maintained. Security can only be maintained if subjects are held accountable for their actions.

Nonrepudiation ensures that the subject of an event or activity cannot deny said event or activity.

Security management planning is based on 3 basic plans. Strategic, Tactical and Operational.

Strategic plans are long-term plans that are fairly stable and they define the organization’s goals, mission and objectives.

Tactical plans are midterm plans developed to provide more details on accomplishing the goals set forth in the strategic plan.

Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.

The elements of a formalized security policy structure are security policy, standards, baselines, guidelines and procedures.

Key security roles are: the Senior Manager, organizational owner, upper management, security professional, user, data owner, data custodian, and auditor.

Know how to implement security awareness training. All new employees require some level of training so they will be able to comply with standards, guidelines, and procedures mandated by the security policy.

Layering simplifies security. Using a multilayered solution allows for numerous controls to guard against threats.

Abstraction is used to collect similar elements into groups, classes or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.

Data hiding is preventing data from being discovered or accessed by a subject.

Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients. It is an important element in security controls, especially in regards to transmissions between systems.

Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities.

Data is classified to simplify the process of assigning security controls to groups of objects rather than individual objects. There are two common classification schemes: government/military and commercial business/private sector.

Military/Government: Private:
Top Secret Restricted
Secret Confidential
Confidential Internal Use Only
Restricted Public

It’s important to have a declassification policy.

Cobit stands for control objectives for information and related technology. It’s a security concept infrastructure used to organize the complex security solutions of companies.