Slide Deck CISSP Class Session 3

FRSecure 2016 CISSP
Mentor Program
EVAN FRANCEN, PRESIDENT & CO-FOUNDER - FRSECURE
CLASS SESSION #3

CISSP Mentor Program Session #3
Domain 1: Security and Risk Management - Review
• Information Security Governance
• Administrative Controls
• Risk Analysis
• ALE, TCO, ROI (or ROSI)
• Legal Systems
• Ethics

Domain 1: Security and Risk Management – Quiz Review

Domain 1: Security and Risk Management –
Current Events
Privacy; Apple vs. FBI (http://www.apple.com/privacy/government-
information-requests/)
http://www.scmagazine.com/federal-court-bucks-trend-rules-
general-liability-insurance-covers-data-breach/article/489320/
http://www.zdnet.com/article/singapore-penalises-firms-for-data-
breaches/

Domain 2: Asset Security (Protecting Security of Assets)
• Classifying Data
• Ownership
• Memory and Remanence
• Data Destruction
• Determining Data Security Controls

Classifying Data (or Data Classification)
Labels
Objects have labels – Subjects have clearances
• Data classification scheme
• Executive Order 12356 (http://www.archives.gov/federal-register/codification/executive-
order/12356.html) - Top Secret, Secret, and Confidential
• Company/Private Sector – Confidential, Internal Use Only, Public
• Security Compartments; documented need to know and clearance

Clearance
Objects have labels – Subjects have clearances
• Formal approval/authorization to specific levels of information
• Not really used as much in the private sector
• “All About Security Clearances” from the US Department of State;
http://www.state.gov/m/ds/clearances/c10978.htm
• Standard Form 86 is a 127 page questionnaire!

Formal Access Approval
• Documented
• Access requests should be approved by the owner, not the manager and
certainly not the custodian (more to follow)
• Approves subject access to certain objects
• Subject must understand all rules and requirements for access
• Best practice is that all access requests and access approvals are auditable

Data Classification Policy (Sample)
• Three roles; data owner, data custodian, and data user
• Three classifications; Confidential, Internal Use, and Public
• In real life; easy to document and hard to implement
• Data Classification defines sensitive information  data handling
requirements  data storage requirements and in some cases data retention
requirements

Data Owner:
The Data Owner is normally the person responsible for, or dependent upon the business process associated with
an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted,
stored, deleted, and otherwise processed.
The Data Owner determines the appropriate value and classification of information generated by the owner or
department;
The Data Owner must communicate the information classification when the information is released outside of the
department and/or FRSecure Sample;
The Data Owner controls access to his/her information and must be consulted when access is extended or
modified; and
The Data Owner must communicate the information classification to the Data Custodian so that the Data
Custodian may provide the appropriate levels of protection.

Data Custodian:
The Data Custodian maintains the protection of data according to the
information classification associated to it by the Data Owner.
The Data Custodian role is delegated by the Data Owner and is usually
Information Technology personnel.

Data User:
The Data User is a person, organization or entity that interacts with data for the
purpose of performing an authorized task. A Data User is responsible for using
data in a manner that is consistent with the purpose intended and in compliance
with policy.

Confidential Data:
Confidential data is information protected by statutes, regulations, company policies or contractual language.
Data Owners may also designate data as Confidential.
Confidential Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-
know” basis only.
Disclosure to parties outside of the company must be authorized by Executive Management, approved by the
Information Security Committee, or be covered by a binding non-disclosure or confidentiality agreement.
Examples of Confidential Data include Protected Health Information (“PHI”)/Medical records, Financial
information, including credit card and account numbers, Social Security Numbers, Personnel and/or payroll
records, Any data identified by government regulation to be treated as confidential, or sealed by order of a court
of competent jurisdiction, and any data belonging to a customer that may contain personally identifiable
information

Minimum Protection Requirements for Confidential Data
When stored in an electronic format must be protected with a minimum level of authentication to
include strong passwords, wherever possible.
When stored on mobile devices and media, protections and encryption measures provided through
mechanisms approved by FRSecure Sample IT Management must be employed.
Must be stored in a locked drawer, room, or area where access is controlled by a guard, cipher lock,
and/or card reader, or that otherwise has sufficient physical access control measures to afford
adequate protection and prevent unauthorized access by members of the public, visitors, or other
persons without a need-to-know.
Must be encrypted with strong encryption when transferred electronically to any entity outside of
FRSecure Sample (See FRSecure Sample Encryption Policy).

When sent via fax, must be sent only to a previously established and used address or one that has been verified as using a
secured location
Must not be posted on any public website
Must be destroyed when no longer needed subject to the FRSecure Sample Data Retention Policy. Destruction may be
accomplished by:
“Hard Copy” materials must be destroyed by shredding or another approved process that destroys the data beyond either
recognition or reconstruction as per the FRSecure Sample Data Destruction and Re-Use Standard.
◦ Electronic storage media that will be re-used must be overwritten according to the FRSecure Sample Data Destruction and Re-Use
Standard.
◦ Electronic storage media that will not be re-used must be physically destroyed according to the FRSecure Sample Data
Destruction and Re-Use Standard.
◦ Deleting files or formatting the media is NOT an acceptable method of destroying Confidential Data.

The FRSecure Sample Information Security Committee must be
notified in a timely manner if data classified as Confidential is lost,
disclosed to unauthorized parties or is suspected of being lost or
disclosed to unauthorized parties, or if any unauthorized use of
FRSecure Sample information systems has taken place or is
suspected of taking place.

Minimum Labeling Requirements for Confidential Data
If possible, all Confidential Data must be marked, regardless of the
form it takes. Confidential Data will be marked using the word
“Confidential” in bold, italicized, red font (i.e. Confidential). The
marking should be placed in the right corner of the document
header or footer.

Internal Data:
Internal Data is information that must be guarded due to proprietary, ethical, or privacy
considerations and must be protected from unauthorized access, modification,
transmission, storage or other use. This classification applies even though there may
not be a civil statute requiring this protection. Internal Data is information that is
restricted to personnel designated by the company, who have a legitimate business
purpose for accessing such data.
Examples of Internal Data include Employment data, Business partner information
where no more restrictive non-disclosure or confidentiality agreement exists, Internal
directories and organization charts, Planning documents, and Contracts

Minimum Protection Requirements for Internal Data
Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure
Must be protected by a non-disclosure or confidentiality agreement before access is allowed
Must be stored in a closed container (i.e. file cabinet, closed office, or department where physical controls are in place
to prevent disclosure) when not in use
Must be destroyed when no longer needed subject to the FRSecure Sample Data Retention Policy. Destruction may be
accomplished by:
◦ “Hard Copy” materials must be destroyed by shredding or another approved process which destroys the data beyond either
recognition or reconstruction as per the FRSecure Sample Data Destruction and Re-Use Standard.
◦ Electronic storage media shall be sanitized appropriately by overwriting or degaussing prior to disposal as per the FRSecure Sample
Data Destruction and Re-Use Standard.
Is the “default” classification level if one has not been explicitly defined.

Minimum Labeling Requirements for Internal Data
If possible, all Internal Data should be marked, regardless of the form it takes.
Internal Data will be marked using the word “Internal” in bold, italicized, blue
font (i.e. Internal). The marking should be placed in the right corner of the
document header or footer.

Public Data:
Public data is information that may or must be open to the general public. It is defined
as information with no existing local, national, or international legal restrictions on
access or usage. Public data, while subject to FRSecure Sample disclosure rules, is
available to all FRSecure Sample employees and all individuals or entities external to the
corporation.
Examples of Public Data include Publicly posted press releases, Publicly available
marketing materials, Publicly posted job announcements, Disclosure of public data must
not violate any pre-existing, signed non-disclosure or confidentiality agreements.

Minimum Protection Requirements for Public Data
There are no specific protection requirements for Public Data.
Minimum Labeling Requirements for Internal Data
If possible, all Public Data should be marked, regardless of the form it takes.
Public Data will be marked using the word “Public” in bold, italicized, black font
(i.e. Public). The marking should be placed in the right corner of the document
header or footer.

Ownership
• Business Owners
• Data Owners
• System Owners
• Owner responsibilities must be documented and owners must be trained
• Segregation of duties

Memory and Remanence
• Data Remanence
• Memory
• Cache Memory; fast and close to CPU
• register file (contains multiple registers); registers
are small storage locations used by the CPU to
store instructions and small amounts of data
• Level 1 cache; located on the CPU
• Level 2 cache; connected to (but not on) the CPU
• SRAM (Static Random Access Memory)

Memory
• RAM (Random Access Memory)
• Volatile
• Modules installed in slots on motherboard (traditionally)
• DRAM (Dynamic Random Access Memory)
• Slower and cheaper
• Small capacitors to store bits (data)
• Capacitors leak charge and must be continually refreshed
• SRAM (Static Random Access Memory)
• Fast and expensive
• Latches called “flip-flops” to store bits (data)
• Does not require refreshing

Memory
• ROM (Read Only Memory)
• Can be used to store firmware; small programs that don’t change much and configurations
• PROM (Programmable Read Only Memory) – written to once; usually by the manufacturer
• EPROM (Erasable Programmable Read Only Memory) – can be “flashed”; usually with ultraviolet light
• EEPROM (Electrically Erasable Programmable Read Only Memory) – can be “flashed”; electrically
• PLD (Programmable Logic Device) – field-programmable device; EPROMs, EEPROMs, and Flash Memory are
all PLDs
• Flash Memory
• Can be a security nightmare
• Specific type of EEPROM
• Written in larger sectors (or chunks) than other EEPROMs
• Faster than other EEPROMS, but slower that magnetic drives

Memory
• Solid State Drives (SSDs)
• Combination of EEPROM and DRAM
• Sanitization can be a challenge
• Garbage collection - working in the background, garbage collection systematically identifies
which memory cells contain unneeded data and clears the blocks of unneeded data during
off-peak times to maintain optimal write speeds during normal operations.
• TRIM command - (known as TRIM in the ATA command set, and UNMAP in the SCSI
command set) allows the operating system to inform a solid-state drive (SSD) which blocks
of data are no longer considered in use and can be wiped internally.
• ATA Secure Erase can be used to remove data securely

Data Destruction
◦ Deleting data and/or formatting a hard drive is not a viable/secure
method for destroying sensitive information.
◦ Deleting a file only removes the entry from the File Allocation Table
(FAT) and marks the block as “unallocated”. The data is still there and
often times it’s retrievable.
◦ Reformatting only replaces the old FAT with a new FAT. The data is still
there and often times it’s retrievable.
◦ Data that is left over is called remnant data, or “data remanence”.

Data Destruction
◦ Data that is left over is called
remnant data, or “data
remanence”.
◦ Hundreds of data recovery tools
available, one good resource to
check out is ForsensicsWiki.org
(http://www.forensicswiki.org/w
iki/Tools:Data_Recovery)

Data Destruction
Overwriting
◦ Also called shredding or wiping
◦ Overwrites the data and removes the FAT entry
◦ Secure overwriting/wiping overwrites each sector of a hard drive (or media).

Data Destruction
Overwriting
◦ One pass is enough (as long as each sector is
overwritten).
◦ Tools include Darik's Boot And Nuke (DBAN),
CBL Data Shredder, HDDErase, KillDisk and
others.
◦ Windows built-in cipher command.

Data Destruction
Deguassing
◦ Destroys the integrity of magnetic media using a
strong magnetic field
◦ Most often destroys the media itself, not just the
data

Data Destruction
Destruction (Physical)
◦ The most secure method of destroying data.
◦ Physical destruction of the media.
◦ Incineration, pulverization, shredding, and acid.
◦ A hammer to the spindle works, and so does a
rifle.
◦ Pretty cheap nowadays. Look for a National
Association of Information Destruction (NAID)
certified vendor and get a certificate of
destruction.
◦ Onsite vs. offsite

Data Destruction
Shredding
◦ Most people think of paper.
◦ Strip-cut vs. Cross-cut
◦ A determined attacker can defeat (maybe)
◦ Easy to audit
◦ Many breaches attributed to poor document
disposal
◦ Dumpster diving

Determining Data Security Controls
Certification and Accreditation
• Two related but entirely different terms.
• Certification is the validation that certain (owner-specified) security
requirements have been met.
• Accreditation is a formal acceptance of the certification by the owner.
• In an ideal world, certification and accreditation would be required before
production deployment.

Standards and Control Frameworks
PCI-DSS
• Payment Card Industry Data Security Standard
• Maintained by Payment Card Industry Security Standards Council (PCI-SSC)
• Comprehensive security standard originally sanctioned/developed by the
major card brands (VISA, MasterCard, Discover, etc.)
• Applies to payment card (credit and debit) security
• QSAs, ASVs, CDE, etc.

PCI-DSS
• PCI-DSS only applies to the Cardholder Data Environment (CDE), so scope is really important
• Core principles of the PCI-DSS include:
• Build and Maintain a Secure Network and Systems
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
• Version 3.2 just released, see
https://www.pcisecuritystandards.org/security_standards/index.php
• Major breaches include Target, Home Depot, Heartland Systems, Dairy Queen, etc.

OCTAVE®
• Operationally Critical Threat, Asset, and Vulnerability Evaluation(sm)
• Risk management framework developed by Carnegie Mellon University (see:
http://www.cert.org/resilience/products-services/octave/)
• Three phase process for managing risk (latest version actually has four, but for the
test three is good):
• Phase 1 – staff knowledge, assets and threats
• Phase 2 – identify vulnerabilities and evaluate safeguards (or controls)
• Phase 3 – risk analysis and risk mitigation strategy

ISO 17799 and 27000 Series
• Broad and flexible information security standards maintained by the International
Organization for Standardization (ISO) – based in Geneva
• Derived from the British Standard (BS) 7799 Part 1, renamed to ISO/IEC 27001 to
align with the 27000 series of standards.
• There are more than 30 ISO/IEC 27000 standards, the main ones being:
• ISO 27001 (Information technology - Security Techniques)
• ISO 27002 (Code of practice for information security management)
• ISO 27005 (Information security risk management)
• ISO 27799 (Information security management in health using ISO/IEC 27002)

ISO 17799 and 27000 Series
• ISO 27002:2005 is mentioned in the book as
the latest; however, ISO 27002:2013 is actually
the latest
• Copyrighted and licensed standard
• See:
http://www.iso.org/iso/home/standards/mana
gement-standards/iso27001.htm

COBIT
• Control Objectives for Information and related Technology, current version is v5
• Developed and maintained by the Information Systems Audit and Control
Association (ISACA; www.isaca.org)
• 34 Information Technology Processes across four domains
• Four domains:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

ITIL
• Information Technology Infrastructure Library
• Best services in IT Service Management (ITSM)
• See: www.itil-officialsite.com
• Five “Service Management Practices – Core Guidance” publications:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement

NIST CSF
• National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
• Probably not testable, but certainly applicable
• Result of Executive Order (EO) 13686, Improving Critical Infrastructure Cybersecurity
• Gaining in popularity. See: http://www.nist.gov/cyberframework/
• Core, Implementation Tiers, and Framework Profile
• Core is comprised of five Functions (Identify, Protect, Detect, Respond, and Recover),
Categories, and Subcategories
• Major frameworks and standards are represented
• Voluntary

NIST SP 800-53
• Not mentioned in the book yet, but this is a big deal for FISMA and
government systems.
• Usually goes hand-in-hand with FIPS 199, FIPS 200, and NIST SP 800-60
• Just mentioning now, more later

Scoping and Tailoring
• Not really standard terminology
• Scoping – which portions of the standard will be employed
• Tailoring – customization of the standard to fit the organization

Protecting Data in Motion & Data at Rest
Encryption and Physical Security
• Rule of thumb… If I cannot be assured of physical security, I should consider
encryption.
• Data in transit – if I cannot be assured of physical security (routers, switches, firewalls,
transmission media, etc.), I should consider encryption
• Data at rest – if I cannot be assured of physical security (flash drives, laptops, poorly
secured datacenters, insecure office spaces, backup tapes, etc.), I should consider
encryption
• Encryption is your friend!

Introduction to Domain 3: Security Engineering (Engineering and
Management of Security)
Theoretical & Conceptual
• Security Models
• Evaluation Methods, Certification and Accreditation
• Secure System Design Concepts
• Secure Hardware Architecture
• Secure Operating System and Software Architecture
• Virtualization and Distributed Computing
• System Vulnerabilities, Threats, and Countermeasures

Introduction to Domain 3: Security Engineering (Engineering and Management of
Security)(cont.)
Encryption
• Cornerstone Cryptographic Concepts
• History of Cryptography
• Types of Cryptography
• Cryptographic Attacks
• Implementing Cryptography
Physical Security
• Perimeter Defenses
• Site Selection, Design, and Configuration
• System Defenses
• Environmental Controls

Questions?
We made it through Class #3!
Quiz Forthcoming
Homework for Thursday (5/5)
◦ Start reading Chapter 4/Domain 3: Security Engineering (Engineering and
Management of Security) – We will cover everything up to encryption
(Cornerstone Cryptographic Concepts on page 147)
◦ Complete the quiz, starting on page 98 for now. I will try to create another
supplemental quiz too. Can I trust you to not look at the answers on page 100
yet?
◦ Come with questions!
Have a great evening, talk to you Thursday!

Questions?
Hopefully about security.
Thank you!
Evan Francen
◦ FRSecure
◦ efrancen@frsecure.com
◦ 952-467-6384

Slide Deck CISSP Class Session 3

More Related Content

What's hot (20)

Viewers also liked (14)

Similar to Slide Deck CISSP Class Session 3 (20)

More from FRSecure (20)

Recently uploaded (20)

Slide Deck CISSP Class Session 3