CISSP® MENTOR
PROGRAM SESSION #2
BRAD NIGH, DIRECTOR OF CONSULTING SERVICES, FRSECURE
EVAN FRANCEN, CEO & CO-FOUNDER, FRSECURE
2018 – CLASS #2
You ready?! Let the journey begin…
Agenda – Domain 1: Security and Risk Management
• Cornerstone Information Security Concepts
• Legal and Regulatory Issues
• Security and 3rd Parties
• Ethics
• Information Security Governance
• Access Control Defensive Categories and Types
• Risk Analysis
• Types of Attackers
DOMAIN 1: SECURITY AND RISK MANAGEMENT
Terms and Definitions to Memorize
• CIA Triad
• Confidentiality - prevent the unauthorized disclosure of information: keep data
secret.
• Integrity - prevent unauthorized modification of information: keep data
accurate.
• Availability - ensures that information is available when needed
• Identity
• Subject - An active entity on an information system
• Object - A passive data file
Terms and Definitions to Memorize
• Risk – The likelihood of something bad happening and the impact if it did;
threats (bad event) and vulnerabilities (weakness)
• Annualized Loss Expectancy (or ALE) - the cost of loss due to a risk over a
year
• Safeguard (or “control”) - a measure taken to reduce risk
• Total Cost of Ownership (or TCO) – total cost of a safeguard/control
• Return on Investment (or ROI) - money saved by deploying a safeguard
Cornerstone Information Security Concepts
Definition of “information security” (don’t forget):
Information security is managing risks to the confidentiality, integrity, and
availability of information using administrative, physical and technical controls.
“Most organizations overemphasize technical controls to protect confidentiality and do so at the
expense of other critical controls and purposes.”
Cornerstone Information Security Concepts
Balance is critical.
The opposite of CIA is DAD (Disclosure, Alteration, and Destruction).
Cornerstone Information Security Concepts
Confidentiality:
• Prevent unauthorized access, disclosure, or read access.
• Keeping data secret.
• Data accessible only to subjects with clearance, formal approval, and a need to know.
Cornerstone Information Security Concepts
Integrity:
• Prevent unauthorized modification, or write access.
• Two types: data integrity and system integrity.
Cornerstone Information Security Concepts
Availability:
• Ensure that data is available when needed.
• Confidentiality and integrity compete with availability; locking down data makes
it less accessible/available.
Cornerstone Information Security Concepts
Information security is about risk management, not risk elimination.
In order to determine risk, we must first determine what our most important (or
critical) assets are.
We use safeguards (or controls) to protect our assets and mitigate (not eliminate)
risk. Risk tolerance is the amount of risk that the business is willing to tolerate (or
accept).
Cornerstone Information Security Concepts
Definition of “privacy” (don’t forget):
Privacy is managing risks to the confidentiality, integrity, and availability of
personally identifiable information (or PII) using administrative, physical and
technical controls.
Privacy is part of information security, but often treated as separate issues.
Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
First identity…
• Nothing more than a claim.
• Like, “I am Brad” or “my username is bnigh”.
• Name, username, ID number, employee number, etc.
• Should be non-descriptive, but often are descriptive.
• Without proof (next slide), you’ll have to just take my word for it.
Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
Then authentication…
• Proof that I am who I say I am. A subject proves identity to another subject or object.
• Password, PIN code, picture, biometric, etc.
• Identification and authentication must be separate and ideally different (SSN –
OOPS!)
• An identity is stolen when the authenticator is also stolen. A stolen password leads to
a stolen identity…
Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
Authentication comes in three types (or factors):
• Something you know; password, PIN number, etc.
• Something you have; tokens, phone, debit card, etc.
• Something you are; biometrics (fingerprint, retina scan, etc.)
• Using two (or more) factors is called “strong” authentication, multi-factor
authentication, 2FA, MFA, etc.
Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
Once a subject has been identified and authenticated, they must be
authorized to do something. Authorization…
• What actions is a subject permitted to perform?
• Read, write, execute.
• Privileges, rights, permissions, etc.
Cornerstone Information Security Concepts
Identity and Authentication, Authorization and Accountability (IAAA or AAA)
Just because a subject has been authorized (or permitted) by a system to do
something doesn’t mean that the subject should do it. The principle of need to
know still applies.
Cornerstone Information Security Concepts
Very similar, but slightly different:
• Least Privilege is tied to rights; basically what I can do with and in the system.
• Need to Know is tied to information; basically what I can do with information.
A violation of least privilege can easily violate the need to know principle.
"Over 30 percent of respondents admit to having no policy in place for managing administrator access”
Cornerstone Information Security Concepts
Subjects and Objects
• A subject is an active entity; users, services, applications, etc.
• An object is a passive entity; paper, database tables, etc.
• An entity can be a subject in one instance and an object in another. It really
depends on context.
Expect the exam to use these definitions and test you on them (very testable).
Cornerstone Information Security Concepts
Due Care and Due Diligence
Is what you are doing reasonable?
• Conduct an information security risk assessment?
• Make logical risk-based information security decisions?
• Not knowing what your most significant risk is?
• Ignorance?
Cornerstone Information Security Concepts
Those are our “cornerstone” information security concepts. They
are foundational, so master them. ☺
Legal and Regulatory Issues
Major Legal Systems
• There are four major legal systems that are covered in the exam:
• Civil Law
• Common Law
• Religious Law
• Customary Law
• There are different legal systems in different parts of the world. Be aware of
what legal system is used in whatever country you’re operating in!
Legal and Regulatory Issues
Major Legal Systems – Civil Law (Legal System)
• Most common legal system throughout the world.
• Codified laws (or statutes)
• A legislative body (or branch) is usually tasked with creating the laws/statutes.
• Judicial body (or branch) interprets the law.
• No (or very little) weight is given to judicial precedent or outcomes from
previous cases.
Legal and Regulatory Issues
Major Legal Systems – Common Law (Legal System)
• The legal system in the United States, Canada, U.K. and others
• Codified laws (or statutes)
• A legislative body (or branch) is usually tasked with creating the laws/statutes.
• Much weight is given to judicial precedent and outcomes from previous cases.
Judicial interpretations of the laws can change over time.
This is the most likely legal system to be referred to on the exam.
Legal and Regulatory Issues
Within the Common Law (legal system)
Legal and Regulatory Issues
Major Legal Systems – Common Law (Legal System) – Criminal Law
• Victim is society – promote and maintain an orderly and law-abiding citizenry
• Require proof beyond a reasonable doubt
• Deter crime and punish offenders
• Incarceration
• Financial penalties
• Even execution…
Legal and Regulatory Issues
Major Legal Systems – Common Law (Legal System) – Civil Law
• Victim is an individual, group, or organization
• Most commonly between private parties
• One act can be prosecuted under both criminal and civil procedures
• Damages are financial (often):
• Statutory Damages – prescribed by the law (even if no loss or injury to the victim)
• Compensatory Damages – awarded to compensate a victim for loss or injury
• Punitive Damages – to punish and discourage really bad behavior
• Burden of proof is the preponderance of the evidence (think tipping the scale)
Legal and Regulatory Issues
Major Legal Systems – Common Law (Legal System) – Administrative Law
• Laws enacted by governmental agencies
• Typically the legislature or President issues an administrative law
• The agency interprets the law and enforces it
• Government-mandated compliance
• Examples include FCC regulations, HIPAA, FDA regulations, FTC regulations,
etc.
• Very little, if any, recourse.
Legal and Regulatory Issues
Liability
• Who should be held accountable?
• Who should we blame?
• Who should pay?!
• Apply the Prudent Man Rule
• Due Care
• Due Diligence
Legal and Regulatory Issues
Legal Aspects of Investigations
• Collecting and handling evidence is a critical legal issue.
• Some evidence is more important than other evidence; it carries more weight.
• Evidence should be relevant, authentic, accurate, complete, and convincing.
• You need to understand the five types of evidence.
Legal and Regulatory Issues
Types of evidence
• Real Evidence – consists of tangible or physical objects; a computer or hard drive is real
evidence, but the data is NOT.
• Direct Evidence – testimony from a first-hand witness using one or more of his/her five senses;
non-first-hand evidence is called “hearsay”.
• Circumstantial Evidence – establishes the circumstances related to points in the case or other
evidence; not good to use alone to prove a case.
• Corroborative Evidence – evidence to strengthen a fact or element of a case; provides
additional support, but cannot establish a fact on its own.
• Hearsay Evidence – second-hand evidence normally considered inadmissible in court (Rule
802), but there are exceptions (Rule 803)…
Legal and Regulatory Issues
Hearsay Evidence
• The general inadmissibility of hearsay evidence is defined in Rule 802 of the United
States Federal Rules of Evidence
• Numerous rules (namely 803 and 804 here) provide exceptions to Rule 802
• Business and computer-generated records (logs) are generally considered to be
hearsay evidence.
• Rule 803 provides for the admissibility of a record or report that was “made at or near
the time by, or from information transmitted by, a person with knowledge, if kept in the
course of a regularly conducted business activity, and if it was the regular practice of
that business activity to make the memorandum, report, record or data compilation.”
Legal and Regulatory Issues
Hearsay Evidence
• We always preserve the original, create a binary copy, and conduct the
investigation using the copy, not the original.
• Rule 1001 allows for the admissibility of binary disk and physical memory
images: “if data are stored in a computer or similar device, any printout or other
output readable by sight, shown to reflect the data accurately, is an ‘original’.”
• Opposing counsel will question the validity of the data used in an investigation.
Legal and Regulatory Issues
Legal Aspects of Investigations
• Best Evidence Rule – courts prefer the best evidence possible; evidence should be
relevant, authentic, accurate, complete, and convincing – direct evidence is always
best.
• Secondary Evidence – common in cases involving computers; consists of copies vs.
originals – logs and documents from computers are considered secondary
• Chain of Custody – documented on a chain of custody form
• Prosecuting computer crimes (criminal) is hard…
Legal and Regulatory Issues
Legal Aspects of Investigations – Evidence Integrity
• The quality of the evidence will be challenged in court (or at least assume it will
be).
• The integrity of the evidence is a critical forensic function
• Checksums can ensure that no data changes occurred as a result of the
acquisition and analysis.
• One-way hash functions such as MD5 or SHA-1 are commonly used for this
purpose. (Pro tip: MD5 in practice is weak and not preferred)
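The checksum workflow from the slide above, as an added Python example that is not part of the deck: hash the acquired image at acquisition time under SHA-256 plus the legacy MD5 and SHA-1 the slide names, record the digests in a manifest, and re-hash the working copy against that manifest before any analysis starts. The image bytes and the manifest layout are constructed for this example; a real acquisition would stream the image file through the same code.

```python
import hashlib

# Constructed sample "evidence": a few bytes standing in for a disk or memory image.
ORIGINAL_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"end-of-constructed-image"

# MD5 and SHA-1 appear because the slide names them; SHA-256 is what a current
# acquisition should record (the slide's own "pro tip" is that MD5 is weak).
LEGACY_ALGORITHMS = ("md5", "sha1")
PREFERRED_ALGORITHM = "sha256"


def hash_bytes(data: bytes, algorithm: str = PREFERRED_ALGORITHM) -> str:
    """Return the hex digest of `data` under `algorithm` (any name hashlib knows)."""
    h = hashlib.new(algorithm)
    # Feed the data in chunks, the way a multi-GB image is streamed from disk.
    for offset in range(0, len(data), 4096):
        h.update(data[offset:offset + 4096])
    return h.hexdigest()


def make_manifest(data: bytes) -> dict:
    """Acquisition-time record: digests under the preferred and legacy algorithms.

    Recording several digests is cheap and lets the copy be checked with whatever
    tool a second examiner (or opposing counsel's expert) happens to trust.
    """
    return {algo: hash_bytes(data, algo)
            for algo in (PREFERRED_ALGORITHM, *LEGACY_ALGORITHMS)}


def verify_copy(manifest: dict, working_copy: bytes) -> tuple[bool, list[str]]:
    """Re-hash the working copy and compare it against the acquisition manifest.

    Returns (all_match, mismatched_algorithms). Any mismatch means the copy cannot
    be shown to "reflect the data accurately" and must not be used for analysis.
    """
    mismatched = [algo for algo, expected in manifest.items()
                  if hash_bytes(working_copy, algo) != expected]
    return (not mismatched, mismatched)


if __name__ == "__main__":
    manifest = make_manifest(ORIGINAL_IMAGE)
    for algo, digest in manifest.items():
        print(f"{algo:>6}: {digest}")

    # Analysis is done on a copy; a faithful copy verifies...
    ok, _ = verify_copy(manifest, bytes(ORIGINAL_IMAGE))
    print("faithful copy verifies:", ok)

    # ...and a copy with a single flipped byte does not, under every algorithm.
    tampered = bytearray(ORIGINAL_IMAGE)
    tampered[100] ^= 0x01
    ok, bad = verify_copy(manifest, bytes(tampered))
    print("tampered copy verifies:", ok, "- mismatches:", bad)
```

The manifest is what goes on the chain of custody paperwork; the verification step is what you run, and log, every time the copy is mounted for analysis.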
Legal and Regulatory Issues
Legal Aspects of Investigations – Reasonable Searches
• Fourth Amendment to the United States Constitution protects citizens from
unreasonable search and seizure
• In ALL cases, the court will determine if evidence was obtained legally
• Law enforcement needs a search warrant issued by a judge (in most cases)
• Plain sight
• Public checkpoints
• Exigent circumstances – immediate threat to human life or of evidence destruction
• Only applies to law enforcement and those operating under the “color of law” – Title 18 U.S.C.
Section 242 – Deprivation of Rights Under the Color of Law
CAUTION: If law enforcement tells you to do something during an investigation, you may be operating
under the color of law, which means you must comply with the 4th Amendment. If law enforcement is not
involved, a search warrant is not required.
Legal and Regulatory Issues
Legal Aspects of Investigations – Entrapment & Enticement
• Entrapment – persuades someone to commit a crime who
otherwise had no intent to commit a crime – valid legal defense
• Enticement – persuades someone to commit a crime who already
had the intent to commit a crime – not a valid defense.
Honeypots
Legal and Regulatory Issues
Intellectual Property – Trademarks and Servicemarks
• Trademarks – ® and ™
• Creation of a distinguishing brand
• Applies to name, logo, symbol, or image (usually)
• ™ can be used freely by anyone; unregistered trademark
• ® is a registered trademark with the U.S. Patent and Trademark
Office
• A superscript “SM” can be used to brand a service
FISA™ and FISASCORE®
DOMAIN 1: SECURITY AND RISK MANAGEMENT
Legal and Regulatory Issues
Intellectual Property – Patents
• Provide a (legal) monopoly to the patent holder in exchange
for the patent holder making their invention public
• Invention must be “novel” and “unique”
• Generally patents provide exclusivity for 20 years
• After patent expiration, the invention can be produced and
sold by anyone
Legal and Regulatory Issues
Intellectual Property – Copyrights
• Software is typically covered under copyright law
• Limitations:
• First sale – allow a legitimate purchaser to sell the software (or
video, music, etc.) to someone else
• Fair use – allows for duplication without the consent of the copyright
holder, subject to the Copyright Act of 1976
• Licenses – contract between the consumer and provider; provides
explicit limitations on the use and distribution of software; EULAs
Legal and Regulatory Issues
Intellectual Property – Copyrights
• Implied copyright on all artistic works.
• People can file for a registered copyright with the Copyright
Office.
• Enforceable term for copyright is 70 years after the death of the
author.
• Corporate copyright term is 95 years after the first publication or
120 years after creation, whichever comes first.
Legal and Regulatory Issues
Intellectual Property – Trade Secrets
• Business-proprietary information that is essential for the organization to
compete in the marketplace.
• “Secret sauce”
• Must be “actively protected” to be enforceable; using due care and due
diligence
• If an organization does not take reasonable steps to protect a trade
secret, it is assumed that the organization doesn’t enjoy a competitive
advantage from the trade secret, leading to a conclusion that it’s not
actually a trade secret at all.
Legal and Regulatory Issues
Intellectual Property – Intellectual Property Attacks
• Piracy and copyright infringement – Pirate Bay, Bit Torrent, etc.
• Cybersquatting & Typosquatting
• Counterfeiting
• Dilution (not really an attack)
• Band-aid
• Kleenex
Legal and Regulatory Issues
Privacy
• Confidentiality of personally-identifiable information
(subset of security)
• Examples of PII; names/email addresses (maybe), Social
Security Numbers (SSN), Protected Health Information
(“PHI”), bank account information (sort of), etc.
• There are numerous privacy laws throughout the world
Legal and Regulatory Issues
Privacy – European Union Privacy (EU Data Protection Directive)
• Aggressive pro-privacy law
• Notifying individuals of how their data is gathered and used
• Allow for opt-out for sharing with 3rd parties
• Opt-in required for sharing “most” sensitive data
• Reasonable protections
• No transmission out of EU unless the receiving country is perceived to
have adequate (equal) privacy protections; the U.S. does NOT meet this
standard. EU-US Safe Harbor, optional between organization and EU.
Legal and Regulatory Issues
Privacy – Organization for Economic Cooperation and Development (OECD) Privacy
Guidelines
• Not Mandatory - Eight driving principles:
• Collection Limitation Principle
• Data Quality Principle
• Purpose Specification Principle
• Use Limitation Principle
• Security Safeguards Principle
• Openness Principle
• Individual Participation Principle
• Accountability Principle
Legal and Regulatory Issues
Privacy – EU-US Safe Harbor
• For use where U.S. companies don’t have EU-compliant
privacy practices.
• Give US based organizations the benefit of authorized data
sharing
• Voluntarily consent to data privacy principles that are consistent
with the EU Data Protection Directive
Legal and Regulatory Issues
Other Important Rules and Laws - HIPAA
• Health Insurance Portability and Accountability Act (HIPAA not HIPPA)
• Overseen by the Department of Health and Human Services (HHS), enforced by
the Office for Civil Rights (OCR)
• Three rules; Privacy Rule, Security Rule, and Breach (notification) Rule
• Applies to “covered entities” and also (now) “business associates”
• Originally passed in 1996, Security Rule finalized in 2003, modified in 2009
(HITECH), and Omnibus Rule in 2013
• Security Rule mandates certain administrative, physical, and technical
safeguards
• Risk analysis is required
Legal and Regulatory Issues
Other Important Rules and Laws
• Electronic Communications Privacy Act (ECPA)
• Protection of electronic communications against warrantless wiretapping
• Amended/weakened by the PATRIOT Act
• Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030
• Most commonly used law to prosecute computer crimes
• Enacted in 1986
• Amended in 1989, 1994, 1996, 2001, 2002 (PATRIOT Act), and 2008 (Identity Theft
Enforcement and Restitution Act)
Legal and Regulatory Issues
Other Important Rules and Laws
• PATRIOT Act of 2001
• Expands law enforcement electronic monitoring capabilities
• Allows search and seizure without immediate disclosure
• Gramm-Leach-Bliley Act (GLBA)
• Applies to financial institutions; driven by the Federal Financial
Institutions Examination Council (FFIEC); enforced by member
agencies, OCC, FDIC, FRB, NCUA, and CFPB
• Enacted in 1999, requires protection of the confidentiality and integrity
of consumer financial information
Legal and Regulatory Issues
Other Important Rules and Laws
• California Senate Bill 1386 (SB1386)
• Regulates the privacy of personal information
• One of the first data breach notification laws
• Sarbanes-Oxley Act of 2002 (SOX)
• Directly related to the financial scandals in the late 90s
• Regulatory compliance standards for financial reporting
• Intentional violations can result in criminal penalties
Legal and Regulatory Issues
Other Important Rules and Laws
• Payment Card Industry Data Security Standard (PCI-DSS)
• Applies to cardholder (credit and debit) data
• Created by the major card brands; VISA, MasterCard, Discover, etc.
• NOT governmental and NOT a law (yet)
• Requires merchants (and others) to meet a minimum set of security
requirements
• Mandates security policy, devices, control techniques, and monitoring
Legal and Regulatory Issues
Breach Notification Laws
• 48 states (47 until New Mexico passed its law) have enacted breach notification laws
• There is no Federal breach notification law
• Conflicts arise in interpretations, jurisdictions, and definitions
• Safe harbors may (or may not) be provided if the data was encrypted,
depending on the state
There are also two data protection laws and numerous data destruction laws.
To make matters worse, there are data openness laws and Freedom of
Information Act considerations!
Legal and Regulatory Issues
Vendor Risk Management Considerations
• Attestation – How can you attest to the fact that vendors are
protecting assets adequately? Risk assessments (FISA™), SOC 2
(Type 1 and 2), ISO Certification, HITRUST, Shared Assessments,
PCI-DSS ROC, etc.
• Right to Penetration Test & Right to Audit
• Procurement
• Acquisitions
• Divestitures
ISC2® Code of Ethics
• Very testable
• Must be agreed to in order to become a CISSP
• Preamble, canons (mandatory), and guidance (advisory)
• Canons:
• Protect society, the commonwealth, and the infrastructure
• Act honorably, honestly, justly, responsibly, and legally
• Provide diligent and competent service to principals
• Advance and protect the profession
• Canons are applied in order; if there are conflicts, go with the higher
one.
Computer Ethics Institute
Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer
files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
Computer Ethics Institute
Ten Commandments of Computer Ethics
6. Thou shalt not copy or use proprietary software for which you have not
paid.
7. Thou shalt not use other people’s computer resources without
authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are
writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and
respect for your fellow humans.
Internet Activities Board (IAB) Ethics
• “Ethics and the Internet”
• Defined as a Request for Comment (RFC), #1087
• Published in 1987
• Considered unethical behavior:
• Seeks to gain unauthorized access to the resources of the Internet
• Disrupts the intended use of the Internet
• Wastes resources (people, capacity, computer) through such actions
• Destroys the integrity of computer-based information
• Compromises the privacy of users
Information Security Governance
Security Policy and Related Documents
• Policy (Mandatory)
• Purpose
• Scope
• Responsibilities
• Compliance
• Policy types
• Program policy
• Issue-specific policy
• System-specific policy
Information Security Governance
Security Policy and Related Documents
• Procedures
• Mandatory
• Step-by-step guidance
• Standards
• Mandatory
• Specific use of a technology
• Guidelines
• Recommendations; discretionary
• Advice/advisory
• Baselines (or benchmarks)
• Usually discretionary
• Uniform methods of implementing a standard
Access Control Defensive Categories and Types
Personnel Security Considerations
• Security Awareness and Training
• Actually two different things
• Training teaches specific skills
• Awareness activities are reminders
• Background Checks
• Criminal history, driving records, credit checks, employment verification, references, professional claims, etc.
• More sensitive roles require more thorough checks; one-time and ongoing
• Employee Termination
• Formalized disciplinary process (progressive)
• Exit interviews, rights revocation, account reviews, etc.
• Dealing with Vendors, Contractors, 3rd Parties
• Outsourcing and Offshoring
Access Control Defensive Categories and Types
• Categories
  • Administrative Controls
  • Technical Controls
  • Physical Controls
• Types
  • Preventive
  • Detective
  • Corrective
  • Recovery
  • Deterrent
  • Compensating
Very testable; you may be given a scenario or control description and need to provide the category and type. In order to be sure of the control type, you need to clearly understand context.
DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk Analysis
• All decisions should be driven by risk.
• Most people don’t assess risk well (formally or informally)
• Assets
• Threats
• Vulnerabilities
• Risk = Threat x Vulnerability
• Risk = Threat x Vulnerability x Impact (better)
Risk is arguably the most overused and misunderstood concept in security.
I disagree with the book. Risk is the likelihood of something bad happening and the impact if it did.
DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk Analysis
• Risk calculations
  • Risk analysis matrix
  • Annualized Loss Expectancy (ALE = SLE x ARO)
    • Asset Value (AV)
      • Market Approach
      • Income Approach
      • Cost Approach
    • Exposure Factor (EF) – expressed as a percent of the asset exposed (given a threat and vulnerability)
    • Single Loss Expectancy (SLE = AV x EF)
    • Annual Rate of Occurrence (ARO)
DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk Analysis
• Total Cost of Ownership (TCO) vs. Return on Security Investment (ROSI)
• Budget and Metrics – I can’t manage what I can’t measure
• Risk Choices
  • Accept the risk; document risk acceptance criteria
  • Mitigate the risk
  • Transfer the risk; insurance?
  • Avoid the risk
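The quantitative risk formulas on the last two slides (SLE = AV x EF, ALE = SLE x ARO, TCO against the loss a safeguard prevents, and the accept/mitigate/transfer/avoid choice) are easier to internalize when carried through on real numbers. The following is an added worked example written for this page, not code from the FRSecure slides or the CISSP curriculum. Every dollar figure, the ransomware scenario, the two candidate safeguards and the risk acceptance threshold are constructed for illustration; the ROSI formula used is (ALE reduction - TCO) / TCO, and the decision rule in `risk_choice` is an assumption about how an organization might apply its documented acceptance criteria.

```python
"""Quantitative risk analysis worked through in code: SLE, ALE, TCO versus
ALE reduction, ROSI, and the resulting risk treatment choice.

All figures are constructed for illustration (added example, not from the
slide deck or from any real assessment).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float  # AV in dollars; here valued by the cost approach (constructed)


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0-1.0)
    aro: float              # ARO: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_tco: float   # TCO normalized to one year so it compares with ALE
    residual_ef: float  # EF once the safeguard is in place
    residual_aro: float # ARO once the safeguard is in place


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: dollars lost in a single occurrence."""
    return round(av * ef, 2)


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO: expected dollars lost per year."""
    return round(single_loss_expectancy(av, ef) * aro, 2)


def ale_reduction(asset: Asset, threat: Threat, sg: Safeguard) -> float:
    """Annual loss the safeguard removes: ALE before minus ALE after."""
    before = annualized_loss_expectancy(asset.asset_value, threat.exposure_factor, threat.aro)
    after = annualized_loss_expectancy(asset.asset_value, sg.residual_ef, sg.residual_aro)
    return round(before - after, 2)


def rosi(asset: Asset, threat: Threat, sg: Safeguard) -> float:
    """ROSI = (ALE reduction - TCO) / TCO (assumed formula).
    Negative means the control costs more per year than the loss it prevents."""
    return round((ale_reduction(asset, threat, sg) - sg.annual_tco) / sg.annual_tco, 2)


def risk_choice(asset: Asset, threat: Threat, safeguards: list, acceptance_threshold: float) -> tuple:
    """Map the numbers onto the slide's risk choices (assumed decision rule).

    acceptance_threshold is the documented risk acceptance criterion: the
    largest ALE the organization is willing to carry for one risk (constructed).
    Mitigate with the safeguard that has the best positive ROSI; if none pays
    for itself, accept when the ALE is within tolerance, otherwise flag the
    risk for transfer (insurance) or avoidance.
    """
    current_ale = annualized_loss_expectancy(asset.asset_value, threat.exposure_factor, threat.aro)
    worthwhile = [sg for sg in safeguards if rosi(asset, threat, sg) > 0]
    if worthwhile:
        best = max(worthwhile, key=lambda sg: rosi(asset, threat, sg))
        return ("mitigate", best.name)
    if current_ale <= acceptance_threshold:
        return ("accept", None)
    return ("transfer-or-avoid", None)


# Constructed scenario: a $100k file server, ransomware expected once every
# five years destroying half the asset's value, and two candidate safeguards.
FILE_SERVER = Asset("file server", asset_value=100_000.0)
RANSOMWARE = Threat("ransomware", exposure_factor=0.5, aro=0.2)
OFFLINE_BACKUPS = Safeguard("offline backups", annual_tco=3_000.0, residual_ef=0.1, residual_aro=0.2)
PREMIUM_SUITE = Safeguard("premium suite", annual_tco=12_000.0, residual_ef=0.02, residual_aro=0.2)
ACCEPTANCE_THRESHOLD = 2_500.0  # constructed risk acceptance criterion


if __name__ == "__main__":
    av, ef, aro = FILE_SERVER.asset_value, RANSOMWARE.exposure_factor, RANSOMWARE.aro
    print(f"SLE = ${single_loss_expectancy(av, ef):,.2f}")
    print(f"ALE = ${annualized_loss_expectancy(av, ef, aro):,.2f}")
    for sg in (OFFLINE_BACKUPS, PREMIUM_SUITE):
        print(f"{sg.name}: ALE reduction ${ale_reduction(FILE_SERVER, RANSOMWARE, sg):,.2f}, "
              f"TCO ${sg.annual_tco:,.2f}, ROSI {rosi(FILE_SERVER, RANSOMWARE, sg):.2f}")
    print(risk_choice(FILE_SERVER, RANSOMWARE, [OFFLINE_BACKUPS, PREMIUM_SUITE], ACCEPTANCE_THRESHOLD))
```

With these numbers the SLE is $50,000 and the ALE $10,000 a year. Offline backups remove $8,000 of that for $3,000 of TCO (ROSI 1.67), while the premium suite removes $9,600 but costs $12,000 (ROSI -0.20), so the cheaper control is the one to recommend. The point for the exam is that TCO is compared against the ALE reduction, not against the SLE, and that a control whose annual cost exceeds the annual loss it prevents is not a rational mitigation no matter how much residual risk it leaves.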
DOMAIN 1: SECURITY AND RISK MANAGEMENT
Risk Analysis
1) Qualitative Risk Analysis
2) Quantitative Risk Analysis
Risk Management Process (NIST SP 800-30 outlines a 9-step process)
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis (vulnerabilities)
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
DOMAIN 1: SECURITY AND RISK MANAGEMENT
Types of Attackers
• Hackers
  • Black hat (or “Cracker” or “malicious hacker”)
  • White hat (or “ethical hacker”)
  • Gray hat (confused/identity crisis)
• Script Kiddies – low skill, can click and type, use tools/scripts made by others
• Outsiders vs. Insiders
• Hacktivist
• Bots and Botnets
• Phishers and Spear Phishers (also vishers and whalers or whaling)
THAT’S IT. NEXT?
CONGRATS! That was a lot of information, but now you get a whole four days to digest it.
• Please spend time reading Chapters 1 & 2, if you haven’t already.
• Please come with questions on Tuesday (4/17). We will recap some of today’s material and cover questions in the next class.
• Evan will be here in person on Tuesday.
• No class next Thursday, so we have time to catch up and master this!
See you Tuesday!

More Related Content

PDF
2018 CISSP Mentor Program Session 1
PDF
2019 FRecure CISSP Mentor Program: Session Two
PDF
2019 FRSecure CISSP Mentor Program: Class One
PPTX
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
PDF
2020 FRSecure CISSP Mentor Program - Class 2
PPTX
Purple Teaming - The Collaborative Future of Penetration Testing
PPTX
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
PDF
2020 FRsecure CISSP Mentor Program - Class 1
2018 CISSP Mentor Program Session 1
2019 FRecure CISSP Mentor Program: Session Two
2019 FRSecure CISSP Mentor Program: Class One
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
2020 FRSecure CISSP Mentor Program - Class 2
Purple Teaming - The Collaborative Future of Penetration Testing
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
2020 FRsecure CISSP Mentor Program - Class 1

What's hot (20)

PDF
Slide Deck - CISSP Mentor Program Class Session 1
PPTX
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
PDF
2019 FRSecure CISSP Mentor Program: Class Ten
PPTX
How to Prepare for the CISSP Exam
PPTX
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
PPTX
Slide Deck – Session 3 – FRSecure CISSP Mentor Program 2017
PDF
Slide Deck CISSP Class Session 4
PPTX
Slide Deck – Session 2 – FRSecure CISSP Mentor Program 2017
PDF
2019 FRSecure CISSP Mentor Program: Class Nine
PDF
Science of Security: Cyber Ecosystem Attack Analysis Methodology
PDF
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
PDF
2018 CISSP Mentor Program Session 3
PDF
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
PDF
FRSecure 2018 CISSP Mentor Program Session 10
PDF
The Library of Sparta
PDF
2018 FRSecure CISSP Mentor Program Session 8
PDF
2019 FRSecure CISSP Mentor Program: Class Three
PDF
2020 FRSecure CISSP Mentor Program - Class 10
PDF
Slide Deck CISSP Class Session 3
PPTX
Slide Deck CISSP Class Session 5
Slide Deck - CISSP Mentor Program Class Session 1
Slide Deck – Session 4 – FRSecure CISSP Mentor Program 2017
2019 FRSecure CISSP Mentor Program: Class Ten
How to Prepare for the CISSP Exam
Slide Deck – Session 5 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 3 – FRSecure CISSP Mentor Program 2017
Slide Deck CISSP Class Session 4
Slide Deck – Session 2 – FRSecure CISSP Mentor Program 2017
2019 FRSecure CISSP Mentor Program: Class Nine
Science of Security: Cyber Ecosystem Attack Analysis Methodology
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
2018 CISSP Mentor Program Session 3
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
FRSecure 2018 CISSP Mentor Program Session 10
The Library of Sparta
2018 FRSecure CISSP Mentor Program Session 8
2019 FRSecure CISSP Mentor Program: Class Three
2020 FRSecure CISSP Mentor Program - Class 10
Slide Deck CISSP Class Session 3
Slide Deck CISSP Class Session 5
Ad

Similar to 2018 CISSP Mentor Program Session 2 (20)

PDF
1 info sec+risk-mgmt
PDF
Slide Deck CISSP Class Session 2
PPTX
Information Security Lecture One for Basic
PPSX
1 Info Sec+Risk Mgmt
PPTX
Module 2 - Information Assurance Concepts.pptx
PDF
Fdic ffiec cyber_security_assessments
PPT
InfoSecConcepts.ppt
PPTX
IT Security & Risk
PPTX
Security Foundation and Incident Mgmt and BCMS.pptx
PPTX
INFS2701 T2 2025 Lecture 1 Data Warehousing.pptx
PDF
Cissp combined notes
PPTX
Information Security and Indian IT Act 2000
PDF
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
PPTX
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
DOCX
Security architecture principles isys 0575general att
PPTX
Week 1&2 intro_ v2-upload
PDF
ISC2_Cyber_Security_Notes.pdf
PPT
information security management
PPTX
Cyber-Security-Unit-1.pptx
PDF
information security introduction for campus students.pdf
1 info sec+risk-mgmt
Slide Deck CISSP Class Session 2
Information Security Lecture One for Basic
1 Info Sec+Risk Mgmt
Module 2 - Information Assurance Concepts.pptx
Fdic ffiec cyber_security_assessments
InfoSecConcepts.ppt
IT Security & Risk
Security Foundation and Incident Mgmt and BCMS.pptx
INFS2701 T2 2025 Lecture 1 Data Warehousing.pptx
Cissp combined notes
Information Security and Indian IT Act 2000
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017
Security architecture principles isys 0575general att
Week 1&2 intro_ v2-upload
ISC2_Cyber_Security_Notes.pdf
information security management
Cyber-Security-Unit-1.pptx
information security introduction for campus students.pdf
Ad

More from FRSecure (19)

PDF
2020 FRSecure CISSP Mentor Program - Class 11
PDF
2020 FRSecure CISSP Mentor Program - Class 9
PDF
2020 FRSecure CISSP Mentor Program - Class 8
PDF
2020 FRSecure CISSP Mentor Program - Class 7
PDF
2020 FRSecure CISSP Mentor Program - Class 6
PDF
2020 FRSecure CISSP Mentor Program - Class 5
PDF
2020 FRSecure CISSP Mentor Program - Class 4
PDF
2020 FRSecure CISSP Mentor Program - Class 3
PDF
2019 FRSecure CISSP Mentor Program: Class Eleven
PDF
2019 FRSecure CISSP Mentor Program: Class Eight
PDF
2019 FRSecure CISSP Mentor Program: Class Seven
PDF
2019 FRSecure CISSP Mentor Program: Class Six
PDF
2019 FRSecure CISSP Mentor Program: Class Four
PDF
2018 FRSecure CISSP Mentor Program Session 11
PDF
2018 FRSecure CISSP Mentor Program Session 9
PDF
2018 FRSecure CISSP Mentor Program- Session 7
PDF
2018 CISSP Mentor Program- Session 6
PDF
2018 FRSecure CISSP Mentor Program- Session 5
PDF
2018 FRecure CISSP Mentor Program- Session 4
2020 FRSecure CISSP Mentor Program - Class 11
2020 FRSecure CISSP Mentor Program - Class 9
2020 FRSecure CISSP Mentor Program - Class 8
2020 FRSecure CISSP Mentor Program - Class 7
2020 FRSecure CISSP Mentor Program - Class 6
2020 FRSecure CISSP Mentor Program - Class 5
2020 FRSecure CISSP Mentor Program - Class 4
2020 FRSecure CISSP Mentor Program - Class 3
2019 FRSecure CISSP Mentor Program: Class Eleven
2019 FRSecure CISSP Mentor Program: Class Eight
2019 FRSecure CISSP Mentor Program: Class Seven
2019 FRSecure CISSP Mentor Program: Class Six
2019 FRSecure CISSP Mentor Program: Class Four
2018 FRSecure CISSP Mentor Program Session 11
2018 FRSecure CISSP Mentor Program Session 9
2018 FRSecure CISSP Mentor Program- Session 7
2018 CISSP Mentor Program- Session 6
2018 FRSecure CISSP Mentor Program- Session 5
2018 FRecure CISSP Mentor Program- Session 4

Recently uploaded (20)

PPTX
IB Computer Science - Internal Assessment.pptx
PPTX
05. PRACTICAL GUIDE TO MICROSOFT EXCEL.pptx
PPT
Chapter 2 METAL FORMINGhhhhhhhjjjjmmmmmmmmm
PDF
BF and FI - Blockchain, fintech and Financial Innovation Lesson 2.pdf
PPTX
Database Infoormation System (DBIS).pptx
PDF
Lecture1 pattern recognition............
PDF
Recruitment and Placement PPT.pdfbjfibjdfbjfobj
PDF
Foundation of Data Science unit number two notes
PPTX
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
PPT
Miokarditis (Inflamasi pada Otot Jantung)
PPTX
Data_Analytics_and_PowerBI_Presentation.pptx
PPT
Chapter 3 METAL JOINING.pptnnnnnnnnnnnnn
PPTX
Introduction to Knowledge Engineering Part 1
PPTX
Moving the Public Sector (Government) to a Digital Adoption
PDF
Mega Projects Data Mega Projects Data
PDF
Launch Your Data Science Career in Kochi – 2025
PDF
“Getting Started with Data Analytics Using R – Concepts, Tools & Case Studies”
PPTX
climate analysis of Dhaka ,Banglades.pptx
PPTX
Computer network topology notes for revision
PPTX
STUDY DESIGN details- Lt Col Maksud (21).pptx
IB Computer Science - Internal Assessment.pptx
05. PRACTICAL GUIDE TO MICROSOFT EXCEL.pptx
Chapter 2 METAL FORMINGhhhhhhhjjjjmmmmmmmmm
BF and FI - Blockchain, fintech and Financial Innovation Lesson 2.pdf
Database Infoormation System (DBIS).pptx
Lecture1 pattern recognition............
Recruitment and Placement PPT.pdfbjfibjdfbjfobj
Foundation of Data Science unit number two notes
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
Miokarditis (Inflamasi pada Otot Jantung)
Data_Analytics_and_PowerBI_Presentation.pptx
Chapter 3 METAL JOINING.pptnnnnnnnnnnnnn
Introduction to Knowledge Engineering Part 1
Moving the Public Sector (Government) to a Digital Adoption
Mega Projects Data Mega Projects Data
Launch Your Data Science Career in Kochi – 2025
“Getting Started with Data Analytics Using R – Concepts, Tools & Case Studies”
climate analysis of Dhaka ,Banglades.pptx
Computer network topology notes for revision
STUDY DESIGN details- Lt Col Maksud (21).pptx

2018 CISSP Mentor Program Session 2

  • 1. CISSP® MENTOR PROGRAM SESSION #2 BRAD NIGH, DIRECTOR OF CONSULTING SERVICES, FRSECURE EVAN FRANCEN, CEO & CO-FOUNDER,FRSECURE 2018 – CLASS #2
  • 2. CISSP® MENTOR PROGRAM – SESSION #2 You ready?! Let the journey begin… CISSP® MENTOR PROGRAM
  • 3. CISSP® MENTOR PROGRAM Agenda – Domain 1: Security and Risk Management • Cornerstone Information Security Concepts • Legal and Regulatory Issues • Security and 3rd Parties • Ethics • Information Security Governance • Access Control Defensive Categories and Types • Risk Analysis • Types of Attackers CISSP® MENTOR PROGRAM
  • 4. DOMAIN 1: SECURITY AND RISK MANAGEMENT Terms and Definitions to Memorize • CIA Triad • Confidentiality - prevent the unauthorized disclosure of information: keep data secret. • Integrity - prevent unauthorized modification of information: keep data accurate. • Availability - ensures that information is available when needed • Identity • Subject - An active entity on an information system • Object - A passive data file CISSP® MENTOR PROGRAM
  • 5. DOMAIN 1: SECURITY AND RISK MANAGEMENT Terms and Definitions to Memorize • Risk – The likelihood of something bad happening and the impact if it did; threats (bad event) and vulnerabilities (weakness) • Annualized Loss Expectancy (or ALE) - the cost of loss due to a risk over a year • Safeguard (or “control”) - a measure taken to reduce risk • Total Cost of Ownership (or TCO) – total cost of a safeguard/control • Return on Investment (or ROI) - money saved by deploying a safeguard CISSP® MENTOR PROGRAM
  • 6. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Definition of “information security” (don’t forget): Information security is managing risks to the confidentiality,integrity,and availability of information using administrative,physical and technical controls. “Most organizations overemphasize technical controls to protect confidentiality and do so at the expense of other critical controls and purposes.” CISSP® MENTOR PROGRAM
  • 7. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Definition of “information security” (don’t forget): Information security is managing risks to the confidentiality,integrity,and availability of information using administrative,physical and technical controls. “Most organizations overemphasize technical controls to protect confidentiality and do so at the expense of other critical controls and purposes.” CISSP® MENTOR PROGRAM
  • 8. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Definition of “information security” (don’t forget): Information security is managing risks to the confidentiality,integrity,and availability of information using administrative,physical and technical controls. Balance is critical Opposite of C I A is D A D (Disclosure, Alteration, and Destruction) CISSP® MENTOR PROGRAM
  • 9. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Definition of “information security” (don’t forget): Information security is managing risks to the confidentiality,integrity,and availability of information using administrative,physical and technical controls. • Prevent unauthorized access; disclosure, or read access. • Keeping data secret. • Data accessible to subjects with clearance, formal approval, and a need to know. CISSP® MENTOR PROGRAM
  • 10. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Definition of “information security” (don’t forget): Information security is managing risks to the confidentiality,integrity,and availability of information using administrative,physical and technical controls. • Prevent unauthorized modification, or write access. • Two types; data integrity and system integrity. CISSP® MENTOR PROGRAM
  • 11. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Definition of “information security” (don’t forget): Information security is managing risks to the confidentiality,integrity,and availability of information using administrative,physical and technical controls. • Ensure that data is available when needed. • Confidentiality and integrity compete with availability;locking down data make it less accessible/available. CISSP® MENTOR PROGRAM
  • 12. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Information security is about risk management, not risk elimination. In order to determine risk, we must first determine what our most important (or critical assets) are. We use safeguards (or controls) to protect our assets and mitigate (not eliminate) risk. Risk tolerance is the amount of risk that the business is willing to tolerate (or accept). CISSP® MENTOR PROGRAM
  • 13. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Definition of “privacy” (don’t forget): Privacy is managing risks to the confidentiality,integrity,and availability of personally identifiable information (or PII) using administrative,physical and technical controls. Privacy is part of information security, but often treated as separate issues. CISSP® MENTOR PROGRAM
  • 14. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Identity and Authentication, Authorization and Accountability (IAAA or AAA) First identity… • Nothing more than a claim. • Like,“I am Brad” or my username is “bnigh”. • Name, username, ID number, employee number, etc. • Should be non-descriptive, but often are descriptive. • Without proof (next slide), you’ll have to just take my word for it. CISSP® MENTOR PROGRAM
  • 15. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Identity and Authentication, Authorization and Accountability (IAAA or AAA) Then authentication… • Proof that I am who I say I am. A subject proves identity to another subject or object. • Password, PIN code, picture, biometric, etc. • Identification and authentication must be separate and ideally different (SSN – OOPS!) • An identity is stolen when the authenticator is also stolen. A stolen password leads to a stolen identity… CISSP® MENTOR PROGRAM
  • 16. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Identity and Authentication, Authorization and Accountability (IAAA or AAA) Then authentication, there are three types (or factors): • Something you know; password, PIN number, etc. • Something you have; tokens, phone, debit card, etc. • Something you are; biometrics (fingerprint, retina scan, etc.) • Using two (or more) factors is called “strong” authentication, multi-factor authentication, 2FA, MFA, etc. CISSP® MENTOR PROGRAM
  • 17. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Identity and Authentication, Authorization and Accountability (IAAA or AAA) Then authentication, there are three types (or factors): • Something you know; password, PIN number, etc. • Something you have; tokens, phone, debit card, etc. • Something you are; biometrics (fingerprint, retina scan, etc.) • Using two (or more) factors is called “strong” authentication, multi-factor authentication, 2FA, MFA, etc. CISSP® MENTOR PROGRAM
  • 18. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Identity and Authentication, Authorization and Accountability (IAAA or AAA) Once a subject has been identified and authenticated, they must be authorized to do something. Authorization… • What actions is a subject permitted to perform? • Read, write, execute. • Privileges, rights, permissions, etc. CISSP® MENTOR PROGRAM
  • 19. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Identity and Authentication, Authorization and Accountability (IAAA or AAA) Just because a subject has been authorized (or permitted) by a system to do something, doesn’t mean that the subject should do something.The principle of need to know still applies. CISSP® MENTOR PROGRAM
  • 20. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Very similar, but slightly different: • Least Privilege is tied to rights; basically what I can do with and in the system. • Need to Know is tied to information; basically what I can with information. A violation of least privilege can easily violate the need to know principle. "Over 30 percent of respondents admit to having no policy in place for managing administrator access” CISSP® MENTOR PROGRAM
  • 21. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Subjects and Objects • A subject is an active entity; users, services, applications, etc. • An object is a passive entity; paper, database tables, etc. • An entity can be a subject in one instance and an object in another. It really depends on context. Expect the exam to use these definitions and test you on them. – very testable CISSP® MENTOR PROGRAM
  • 22. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Due Care and Due Diligence Is what you are doing reasonable? • Conduct an information security risk assessment? • Make logical risk-based information security decisions? • Not knowing what your most significant risk is? • Ignorance? CISSP® MENTOR PROGRAM
  • 23. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Subjects and Objects • A subject is an active entity; users, services, applications, etc. • An object is a passive entity; paper, database tables, etc. • An entity can be a subject in one instance and an object in another. It really depends on context. Expect the exam to use these definitions and test you on them. – very testable CISSP® MENTOR PROGRAM
  • 24. DOMAIN 1: SECURITY AND RISK MANAGEMENT Cornerstone Information Security Concepts Those are our “cornerstone” information security concepts.They are foundational, so master them. ☺ CISSP® MENTOR PROGRAM
  • 25. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Major Legal Systems • There are four major legal systems that are covered in the exam: • Civil Law • Common Law • Religious Law • Customary Law • There are different legal systems in different parts of the world. Be aware of what legal system is used in whatever country you’re operating in! CISSP® MENTOR PROGRAM
  • 26. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Major Legal Systems – Civil Law (Legal System) • Most common legal system throughout the world. • Codified laws (or statutes) • A legislative body (or branch) is usually tasked with creating the laws/statutes. • Judicial body (or branch) interprets the law. • No (or very little) weight is given to judicial precedent or outcomes from previous cases. CISSP® MENTOR PROGRAM
  • 27. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Major Legal Systems – Common Law (Legal System) • The legal system in the United States, Canada, U.K. and others • Codified laws (or statutes) • A legislative body (or branch) is usually tasked with creating the laws/statutes. • Much weight is given to judicial precedent and outcomes from previous cases. Judicial interpretations of the laws can change over time. This is the most likely legal system to be referred to on the exam. CISSP® MENTOR PROGRAM
  • 28. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Within the Common Law (legal system) CISSP® MENTOR PROGRAM
  • 29. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Major Legal Systems – Common Law (Legal System)  Criminal Law • Victim is society – promote and maintain an orderly and law-abiding citizenry • Require proof beyond a reasonable doubt • Deter crime and punish offenders • Incarceration • Financial penalties • Even execution… CISSP® MENTOR PROGRAM
  • 30. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Major Legal Systems – Common Law (Legal System)  Criminal Law CISSP® MENTOR PROGRAM
  • 31. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Major Legal Systems – Common Law (Legal System)  Civil Law • Victim is an individual, group, or organization • Most commonly between private parties • One act can be prosecuted under both criminal and civil procedures • Damages are financial (often): • Statutory Damages – prescribed by the law (even if no loss or injury to the victim) • Compensatory Damages – awarded to compensate a victim for loss or injury • Punitive Damages – to punish and discourage really bad behavior • Burden of proof is the preponderance of the evidence (think tipping the scale) CISSP® MENTOR PROGRAM
  • 32. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Major Legal Systems – Common Law (Legal System)  Civil Law CISSP® MENTOR PROGRAM
  • 33. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Major Legal Systems – Common Law (Legal System)  Administrative Law • Laws enacted by governmental agencies • Typically the legislature or President issues an administrative law • The agency interprets the law and enforces it • Government-mandated compliance • Examples include FCC regulations, HIPAA, FDA regulations, FTC regulations, etc. • Very little, if any, recourse. CISSP® MENTOR PROGRAM
  • 34. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Major Legal Systems – Common Law (Legal System)  Administrative Law CISSP® MENTOR PROGRAM
  • 35. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Liability • Who should be held accountable? • Who should we blame? • Who should pay?! • Apply the Prudent Man Rule • Due Care • Due Diligence CISSP® MENTOR PROGRAM
  • 36. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Legal Aspects of Investigations • Collecting and handling evidence is a critical legal issue – some evidence carries more weight than others • Some evidence is more important than others, or carry more weight • Evidence should be relevant, authentic, accurate, complete, and convincing. • Need to understand the five types of evidence. CISSP® MENTOR PROGRAM
  • 37. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Types of evidence • Real Evidence – consists of tangible or physical objects; a computer or hard drive is real evidence, but the data is NOT. • Direct Evidence – testimony from a first hand witness using one or more of his/her five senses; non-first hand evidence is called “hearsay”. • Circumstantial Evidence – establishes the circumstances related to points in the case or other evidence; not good to use alone to prove a case. • Corroborative Evidence – evidence to strengthen a fact or element of a case; provides additional support, but cannot establish a fact on its own. • Hearsay Evidence – second hand evidence normally considered inadmissible in court (Rule 802), but there are exceptions (Rule 803)… CISSP® MENTOR PROGRAM
  • 38. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Hearsay Evidence • The general inadmissibility of hearsay evidence is defined in Rule 802 Federal Rules of Evidence of the United States • Numerous rules (namely 803 and 804 here) provide exceptions to Rule 802 • Business and computer generated records (logs) are generally considered to be hearsay evidence. • Rule 803 provides for the admissibility of a record or report that was “made at or near the time by,or from information transmitted by,a person with knowledge,if kept in the course of a regularly conducted business activity,and if it was the regular practice of that business activity to make the memorandum,report, record or data compilation.” CISSP® MENTOR PROGRAM
  • 39. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Hearsay Evidence • We always preserve the original, create a binary copy, and conduct an investigation using the copy, not the original. • Rule 1001 allows for the admissibility of binary disk and physical memory images;“if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’. • Opposing counsel will question the validity of the data used in an investigation. CISSP® MENTOR PROGRAM
  • 40. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Legal Aspects of Investigations • Best Evidence Rule – courts prefer the best evidence possible; evidence should be relevant, authentic, accurate, complete, and convincing – direct evidence is always best. • Secondary Evidence – common in cases involving computers; consists of copies vs. originals – logs and documents from computers are considered secondary • Chain of Custody – chain of custody form • Prosecuting computer crimes (criminal) is hard… CISSP® MENTOR PROGRAM
  • 41. CISSP® MENTOR PROGRAM Legal and Regulatory Issues Legal Aspects of Investigations • Best Evidence Rule – courts prefer the best evidence possible; evidence should be relevant, authentic, accurate, complete, and convincing – direct evidence is always best. • Secondary Evidence – common in cases involving computers; consists of copies vs. originals – logs and documents from computers are considered secondary • Chain of Custody – chain of custody form • Prosecuting computer crimes (criminal) is hard… CISSP® MENTOR PROGRAM
  • 42. DOMAIN 1: SECURITY AND RISK MANAGEMENT Legal and Regulatory Issues Legal Aspects of Investigations – Evidence Integrity • The quality of the evidence will be challenged in court (or at least assume it will be). • The integrity of the evidence is a critical forensic function • Checksums can ensure that no data changes occurred as a result of the acquisition and analysis. • One-way hash functions such as MD5 or SHA-1 are commonly used for this purpose. (Pro tip: MD5 in practice is weak and not preferred) CISSP® MENTOR PROGRAM
  • 43. Legal and Regulatory Issues – Legal Aspects of Investigations – Reasonable Searches
    • Fourth Amendment to the United States Constitution protects citizens from unreasonable search and seizure
    • In ALL cases, the court will determine if evidence was obtained legally
    • Law enforcement needs a search warrant issued by a judge (in most cases); exceptions:
      • Plain sight
      • Public checkpoints
      • Exigent circumstances – immediate threat to human life or of evidence destruction
    • Only applies to law enforcement and those operating under the “color of law” – Title 18 U.S.C. Section 242 – Deprivation of Rights Under the Color of Law
    CAUTION: If law enforcement tells you to do something during an investigation, you may be operating under the color of law, which means you must comply with the 4th Amendment. If law enforcement is not involved, a search warrant is not required.
  • 44. Legal and Regulatory Issues – Legal Aspects of Investigations – Entrapment & Enticement
    • Entrapment – persuades someone to commit a crime who otherwise had no intent to commit a crime – valid legal defense
    • Enticement – persuades someone to commit a crime who already had the intent to commit a crime – not a valid defense
    • Honeypots
  • 45. Legal and Regulatory Issues – Intellectual Property – Trademarks and Servicemarks
    • Trademarks – ® and ™
    • Creation of a distinguishing brand
    • Applies to a name, logo, symbol, or image (usually)
    • ™ can be used freely by anyone; unregistered trademark
    • ® is a registered trademark with the U.S. Patent and Trademark Office
    • A superscript “SM” can be used to brand a service
    Example: FISA™ and FISASCORE®
  • 46. Legal and Regulatory Issues – Intellectual Property – Trademarks and Servicemarks (image-only slide)
  • 47. Legal and Regulatory Issues – Intellectual Property – Patents
    • Provide a (legal) monopoly to the patent holder in exchange for the patent holder making their invention public
    • Invention must be “novel” and “unique”
    • Generally, patents provide exclusivity for 20 years
    • After patent expiration, the invention can be produced and sold by anyone
  • 48. Legal and Regulatory Issues – Intellectual Property – Copyrights
    • Software is typically covered under copyright law
    • Limitations:
      • First sale – allows a legitimate purchaser to sell the software (or video, music, etc.) to someone else
      • Fair use – allows for duplication without the consent of the copyright holder, subject to the Copyright Act of 1976
      • Licenses – contract between the consumer and provider; provides explicit limitations on the use and distribution of software; EULAs
  • 49. Legal and Regulatory Issues – Intellectual Property – Copyrights
    • Implied copyright on all artistic works
    • People can file for a registered copyright with the Copyright Office
    • Enforceable term for copyright is 70 years after the death of the author
    • Corporate copyright term is 95 years after the first publication or 120 years after creation, whichever comes first
  • 50. Legal and Regulatory Issues – Intellectual Property – Trade Secrets
    • Business-proprietary information that is essential for the organization to compete in the marketplace
    • “Secret sauce”
    • Must be “actively protected” to be enforceable, using due care and due diligence
    • If an organization does not take reasonable steps to protect a trade secret, it is assumed that the organization doesn’t enjoy a competitive advantage from the trade secret, leading to the conclusion that it’s not actually a trade secret at all
  • 51. Legal and Regulatory Issues – Intellectual Property – Intellectual Property Attacks
    • Piracy and copyright infringement – Pirate Bay, BitTorrent, etc.
    • Cybersquatting & Typosquatting
    • Counterfeiting
    • Dilution (not really an attack)
      • Band-aid
      • Kleenex
  • 53. Legal and Regulatory Issues – Privacy
    • Confidentiality of personally identifiable information (a subset of security)
    • Examples of PII: names/email addresses (maybe), Social Security Numbers (SSN), Protected Health Information (“PHI”), bank account information (sort of), etc.
    • There are numerous privacy laws throughout the world
  • 54. Legal and Regulatory Issues – Privacy – European Union Privacy (EU Data Protection Directive)
    • Aggressive pro-privacy law
    • Notifying individuals of how their data is gathered and used
    • Allow for opt-out for sharing with 3rd parties
    • Opt-in required for sharing “most” sensitive data
    • Reasonable protections
    • No transmission out of the EU unless the receiving country is perceived to have adequate (equal) privacy protections; the U.S. does NOT meet this standard. EU-US Safe Harbor is optional, between an organization and the EU.
  • 56. Legal and Regulatory Issues – Privacy – Organization for Economic Cooperation and Development (OECD) Privacy Guidelines
    • Not mandatory – eight driving principles:
      • Collection Limitation Principle
      • Data Quality Principle
      • Purpose Specification Principle
      • Use Limitation Principle
      • Security Safeguards Principle
      • Openness Principle
      • Individual Participation Principle
      • Accountability Principle
  • 57. Legal and Regulatory Issues – Privacy – EU-US Safe Harbor
    • For use where U.S. companies don’t have EU-compliant privacy practices
    • Gives US-based organizations the benefit of authorized data sharing
    • Voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive
  • 59. Legal and Regulatory Issues – Other Important Rules and Laws – HIPAA
    • Health Insurance Portability and Accountability Act (HIPAA, not HIPPA)
    • Overseen by the Department of Health and Human Services (HHS), enforced by the Office for Civil Rights (OCR)
    • Three rules: Privacy Rule, Security Rule, and Breach (notification) Rule
    • Applies to “covered entities” and also (now) “business associates”
    • Originally passed in 1996; Security Rule finalized in 2003, modified in 2009 (HITECH), and Omnibus Rule in 2013
    • Security Rule mandates certain administrative, physical, and technical safeguards
    • Risk analysis is required
  • 60. Legal and Regulatory Issues – Other Important Rules and Laws
    • Electronic Communications Privacy Act (ECPA)
      • Protection of electronic communications against warrantless wiretapping
      • Amended/weakened by the PATRIOT Act
    • Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030
      • Most commonly used law to prosecute computer crimes
      • Enacted in 1986
      • Amended in 1989, 1994, 1996, 2001, 2002 (PATRIOT Act), and 2008 (Identity Theft Enforcement and Restitution Act)
  • 61. Legal and Regulatory Issues – Other Important Rules and Laws
    • PATRIOT Act of 2001
      • Expands law enforcement electronic monitoring capabilities
      • Allows search and seizure without immediate disclosure
    • Gramm-Leach-Bliley Act (GLBA)
      • Applies to financial institutions; driven by the Federal Financial Institutions Examination Council (FFIEC); enforced by member agencies: OCC, FDIC, FRB, NCUA, and CFPB
      • Enacted in 1999; requires protection of the confidentiality and integrity of consumer financial information
  • 62. Legal and Regulatory Issues – Other Important Rules and Laws
    • California Senate Bill 1386 (SB1386)
      • Regulates the privacy of personal information
      • One of the first data breach notification laws
    • Sarbanes-Oxley Act of 2002 (SOX)
      • Directly related to the financial scandals in the late 90s
      • Regulatory compliance standards for financial reporting
      • Intentional violations can result in criminal penalties
  • 63. Legal and Regulatory Issues – Other Important Rules and Laws
    • Payment Card Industry Data Security Standard (PCI-DSS)
      • Applies to cardholder (credit and debit) data
      • Created by the major card brands: VISA, MasterCard, Discover, etc.
      • NOT governmental and NOT a law (yet)
      • Requires merchants (and others) to meet a minimum set of security requirements
      • Mandates security policy, devices, control techniques, and monitoring
  • 64. Legal and Regulatory Issues – Breach Notification Laws
    • 48 states (47, plus New Mexico) have enacted breach notification laws
    • There is no Federal breach notification law
    • Conflicts arise in interpretations, jurisdictions, and definitions
    • Safe harbors may (or may not) be provided if the data was encrypted, depending on the state
    There are also two data protection laws and numerous data destruction laws. To make matters worse, there are data openness laws and Freedom of Information Act considerations!
  • 65. Legal and Regulatory Issues – Vendor Risk Management Considerations
    • Attestation – how can you attest to the fact that vendors are protecting assets adequately? Risk assessments (FISA™), SOC 2 (Type 1 and 2), ISO certification, HITRUST, Shared Assessments, PCI-DSS ROC, etc.
    • Right to Penetration Test & Right to Audit
    • Procurement
    • Acquisitions
    • Divestitures
  • 66. ISC2® Code of Ethics
    • Very testable
    • Must be agreed to in order to become a CISSP
    • Preamble, canons (mandatory), and guidance (advisory)
    • Canons:
      • Protect society, the commonwealth, and the infrastructure
      • Act honorably, honestly, justly, responsibly, and legally
      • Provide diligent and competent service to principals
      • Advance and protect the profession
    • Canons are applied in order; if two conflict, the one listed higher takes precedence.
  • 67. Computer Ethics Institute – Ten Commandments of Computer Ethics
    1. Thou shalt not use a computer to harm other people.
    2. Thou shalt not interfere with other people’s computer work.
    3. Thou shalt not snoop around in other people’s computer files.
    4. Thou shalt not use a computer to steal.
    5. Thou shalt not use a computer to bear false witness.
  • 68. Computer Ethics Institute – Ten Commandments of Computer Ethics
    6. Thou shalt not copy or use proprietary software for which you have not paid.
    7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
    8. Thou shalt not appropriate other people’s intellectual output.
    9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
    10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
  • 69. Internet Activities Board (IAB) Ethics
    • “Ethics and the Internet”
    • Defined as a Request for Comments (RFC), #1087
    • Published in 1987
    • Considered unethical behavior:
      • Seeks to gain unauthorized access to the resources of the Internet
      • Disrupts the intended use of the Internet
      • Wastes resources (people, capacity, computer) through such actions
      • Destroys the integrity of computer-based information
      • Compromises the privacy of users
  • 70. Information Security Governance – Security Policy and Related Documents
    • Policy (mandatory)
      • Purpose
      • Scope
      • Responsibilities
      • Compliance
    • Policy types
      • Program policy
      • Issue-specific policy
      • System-specific policy
  • 71. Information Security Governance – Security Policy and Related Documents
    • Procedures
      • Mandatory
      • Step-by-step guidance
    • Standards
      • Mandatory
      • Specific use of a technology
    • Guidelines
      • Recommendations; discretionary
      • Advice/advisory
    • Baselines (or benchmarks)
      • Usually discretionary
      • Uniform methods of implementing a standard
  • 72. Access Control Defensive Categories and Types – Personnel Security Considerations
    • Security Awareness and Training
      • Actually two different things
      • Training teaches specific skills
      • Awareness activities are reminders
    • Background Checks
      • Criminal history, driving records, credit checks, employment verification, references, professional claims, etc.
      • More sensitive roles require more thorough checks; one-time and ongoing
    • Employee Termination
      • Formalized disciplinary process (progressive)
      • Exit interviews, rights revocation, account reviews, etc.
    • Dealing with Vendors, Contractors, 3rd Parties
    • Outsourcing and Offshoring
  • 73. Access Control Defensive Categories and Types
    • Categories
      • Administrative Controls
      • Technical Controls
      • Physical Controls
    • Types
      • Preventive
      • Detective
      • Corrective
      • Recovery
      • Deterrent
      • Compensating
    Very testable; you may be given a scenario or control description and need to provide the category and type. To be sure of the control type, you need to clearly understand the context.
  • 74. Risk Analysis
    • All decisions should be driven by risk.
    • Most people don’t assess risk well (formally or informally)
    • Assets
    • Threats
    • Vulnerabilities
    • Risk = Threat x Vulnerability
    • Risk = Threat x Vulnerability x Impact (better)
    Risk is arguably the most overused and misunderstood concept in security. I disagree with the book. Risk is the likelihood of something bad happening and the impact if it did.
  • 75. Risk Analysis
    • Risk calculations
      • Risk analysis matrix
      • Annualized Loss Expectancy (ALE = SLE x ARO)
      • Asset Value (AV)
        • Market Approach
        • Income Approach
        • Cost Approach
      • Exposure Factor (EF) – expressed as a percent of the asset exposed (given a threat and vulnerability)
      • Single Loss Expectancy (SLE = AV x EF)
      • Annual Rate of Occurrence (ARO)
  • 76. Risk Analysis
    • Total Cost of Ownership (TCO) – ROSI
    • Budget and Metrics – I can’t manage what I can’t measure
    • Risk Choices
      • Accept the risk; document risk acceptance criteria
      • Mitigate the risk
      • Transfer the risk; insurance?
      • Risk Avoidance
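A worked quantitative risk calculation for slides 75 and 76, added here as an example (not part of the FRSecure deck): it applies SLE = AV x EF and ALE = SLE x ARO, then compares the ALE reduction against a safeguard's annualized cost (its TCO) to choose among accept, mitigate and transfer. The ROSI formula, the decision rule, the acceptance threshold and the dollar figures are assumptions for illustration, not values from the slides.

```python
"""Quantitative risk analysis (added example, not from the slides).
SLE = AV x EF, ALE = SLE x ARO, then a safeguard decision. The ROSI form,
the decision rule and all figures below are assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF as a fraction of the asset lost per incident (0.0-1.0)
    annual_rate: float      # ARO: expected incidents per year (0.1 = once per decade)

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence of the threat."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1, not a percent")
        if self.annual_rate < 0 or self.asset_value < 0:
            raise ValueError("AV and ARO cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.annual_rate


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on Security Investment as a ratio of the control's annual cost.
    Assumed form: (risk reduction - control cost) / control cost; a negative
    result means the safeguard costs more per year than the loss it prevents."""
    if annual_control_cost <= 0:
        raise ValueError("annual control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def risk_choice(before: Risk, after: Risk, annual_control_cost: float,
                acceptance_threshold: float) -> str:
    """Map the numbers onto the slide-76 risk choices (assumed decision rule)."""
    if before.ale() <= acceptance_threshold:
        return "accept"      # within the documented risk acceptance criteria
    if rosi(before.ale(), after.ale(), annual_control_cost) > 0:
        return "mitigate"    # the safeguard pays for itself
    return "transfer"        # e.g. insurance; the safeguard is not cost-effective


if __name__ == "__main__":
    # Constructed scenario: a $200,000 file server, ransomware destroys 50% of its
    # value about once every 5 years; offline backups (TCO $5,000/year) cut EF to 10%.
    before = Risk(200_000, 0.50, 0.2)
    after = Risk(200_000, 0.10, 0.2)
    print(f"SLE before: {before.sle():,.0f}  ALE before: {before.ale():,.0f}")
    print(f"ALE after:  {after.ale():,.0f}  ROSI: {rosi(before.ale(), after.ale(), 5_000):.1f}")
    print("Decision:", risk_choice(before, after, 5_000, 1_000))  # mitigate
```

Change the safeguard cost to $20,000 per year and the ROSI goes negative, so the same rule returns "transfer" instead.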
  • 77. Risk Analysis
    1) Qualitative Risk Analysis
    2) Quantitative Risk Analysis
    Risk Management Process (NIST SP 800-30 outlines a 9-step process):
    1. System Characterization
    2. Threat Identification
    3. Vulnerability Identification
    4. Control Analysis (vulnerabilities)
    5. Likelihood Determination
    6. Impact Analysis
    7. Risk Determination
    8. Control Recommendations
    9. Results Documentation
  • 79. Types of Attackers
    • Hackers
      • Black hat (or “cracker” or “malicious hacker”)
      • White hat (or “ethical hacker”)
      • Gray hat (confused/identity crisis)
    • Script Kiddies – low skill, can click and type, use tools/scripts made by others
    • Outsiders vs. Insiders
    • Hacktivists
    • Bots and Botnets
    • Phishers and Spear Phishers (also vishers and whalers, or whaling)
  • 80. THAT’S IT. NEXT? CONGRATS! That was a lot of information, but now you get a whole four days to digest it.
    • Please spend time reading Chapters 1 & 2, if you haven’t already.
    • Please come with questions on Tuesday (4/17). We will recap some of today’s material and cover questions in the next class.
    • Evan will be here in person on Tuesday.
    • No class next Thursday, so we have time to catch up and master this!
    See you Tuesday!