Friday, September 26, 2014

Chapter 5: Natural Territorial Reinforcement

  • Third CPTED strategy that creates physical designs that emphasize or extend the company's physical sphere of influence so legitimate users feel a sense of ownership of that space. 
  • Implemented through use of walls, fences, landscaping, light fixtures, flags, clearly marked addresses, and decorative sidewalks.
  • The goal is to create a sense of dedicated community.
  • Companies implement territorial reinforcement so employees feel proud of their environment and have a sense of belonging.
  • The territorial reinforcement strategy is implemented to give potential offenders the impression that they do not belong and that their activities are at risk of being observed.
Chapter 5: Natural Surveillance
  • Natural surveillance is the use and placement of physical environment features, personnel walkways, and activity areas in ways that maximize visibility (Harris, 440).
  • The goal of natural surveillance is to make criminals feel uncomfortable by providing many ways observers could potentially see them and to make all other people feel safe and comfortable with an open well-designed environment. 
  • Surveillance can also take place through organized means (security guards), mechanical means (CCTV), and natural strategies (straight lines of sight, low landscaping, raised entrances).
  • Examples:
    • walkways and bicycle paths in a park so there is a steady flow of pedestrians who could identify malicious activity. 
    • Buildings with large windows that overlook sidewalks and parking lots.
    • Shorter fences so people can see what is taking place on both sides of the fence.
    • More light in high-risk areas (stairs, parking areas, bus stops, laundry rooms, children's play areas, dumpsters, and recycling stations).
Chapter 5: Natural Access Control

  • What is Natural Access Control?
    • One of the three main strategies that bring together the physical environment and social behavior to increase overall protection.
    • Natural Access Control is the guidance of people entering and leaving a space by the placement of doors, fences, lighting, and even landscaping.
    • Examples:
      • External bollards with light in them for an office building
        • The bollards themselves protect the facility from physical destruction because they prevent people from driving a car into the building.
        • The light emitted helps ensure criminals do not have a dark place to hide. 
        • The way the light and bollards are placed guide people along the sidewalk to the entrance. 
    • The landscape, sidewalks, lighted bollards, and clear sight lines are used as natural access controls that work together to make individuals feel they are in a safe environment and help dissuade criminals by working as deterrents. 
    • An environment's space should be divided into zones with different security levels. 
    • Each zone should have a specific protection level required of it which helps to dictate the types of controls that should be put into place. 
    • Access controls should be in place to control and restrict individuals from going from one security zone to the next and it should be in place for all facility entrances and exits. 
  • Controls that are commonly used for access controls within different organizations:
    • Limit the number of entry points.
    • Force all guests to go to a front desk and sign in before entering the environment.
    • Reduce the number of entry points even further after hours or during weekends, when not as many employees are around.
    • Implement sidewalks and landscaping to guide the public to a main entrance.
    • Implement a back driveway for suppliers and deliveries, which is not easily accessible to the public.
    • Provide lighting for the pathways the public should follow to enter a building, to encourage the use of a single entry point.
    • Implement sidewalks and grassy areas to guide vehicle traffic to only enter and exit through specific locations.
    • Provide parking in the front of the building (not the back or side) so people will be directed to enter the intended entrance. 

Wednesday, September 24, 2014

Chapter 5: Crime Prevention Through Environmental Design
  • Crime Prevention Through Environmental Design (CPTED):
    • Is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior (Harris, 435).
    • Concept developed in 1960s.
    • The concept of CPTED is that our physical environment can be manipulated to create behavioral effects that reduce crime and the fear of crime for individuals.
    • Examples:
      • Hedges and planters around a facility should not be taller than 2.5 feet; this prevents anyone from using them to gain access to windows.
      • A data center should be located at the center of a facility so that, if external forces damage the facility, the facility's walls absorb the damage instead of the data center.
      • Street furnishing, such as benches and tables, can encourage people to sit and watch what is going on around them and discourage criminal activity. 
      • A corporation's landscape should not include wooded areas or other places where intruders can hide. 
  • CPTED vs. Target Hardening:
    • What is target hardening?
      • Target hardening focuses on denying access through physical and artificial barriers such as alarms, locks, fences etc. 
    • Negative aspect of target hardening:
      • Traditional target hardening can lead to restrictions on the use, enjoyment, and aesthetics of an environment.
    • Example:
      • A company wants to protect a side door. If they are using the traditional target hardening approach they would put locks, alarms, and cameras on the door or even hire a security guard to watch the door. But, if the company goes with the more subtle approach of CPTED they would ensure there is no sidewalk leading to the door from the front of the building. They would also ensure no tall trees or bushes are blocking the ability to view someone using the door. 
  • The best approach is to build an environment from a CPTED approach and also apply target-hardening components on top of the design where needed. 
  • CPTED provides three main strategies to bring together the physical environment and social behavior to increase overall protection: natural access control, natural surveillance, and natural territorial reinforcement.

Tuesday, September 23, 2014

Chapter 5: Steps to take before a physical security program can be rolled out

  1. Identify a team of internal employees and/or external consultants who will build the physical security program through the following steps.
  2. Carry out a risk analysis to identify the vulnerabilities and threats and to calculate the business impact of each threat.
  3. Identify regulatory and legal requirements that the organization must meet and maintain.
  4. Work with management to define an acceptable risk level for the physical security program.
  5. Derive the required performance baseline from the acceptable risk level.
  6. Create countermeasure performance baseline from the acceptable risk level.
  7. Create countermeasure performance metrics.
  8. Develop criteria from the results of the analysis, outlining the level of protection and performance required for the following categories of the security program:
    1. Deterrence
    2. Delaying
    3. Detection
    4. Assessment
    5. Response
  9. Identify and implement countermeasures for each program category.
  10. Continuously evaluate countermeasures against the set baselines to ensure the acceptable risk level is not exceeded. 
Chapter 5: The Planning Process

  • An organization's physical security program should address the following goals:
    • Crime and disruption prevention through deterrence: fences, security guards, warning signs etc.
    • Reduction of damage through the use of delaying mechanisms: layers of defenses that slow down adversary (e.g. locks, security personnel, and barriers).
    • Crime or disruption detection: smoke detectors, motion detectors, CCTV etc.
    • Incident assessment: response of security guards to detected incidents and determination of the damage level.
    • Response procedures: fire suppression mechanisms, emergency response processes, law enforcement notification, and consultation with outside security professionals.
  • To understand how effective the physical security program is, or how beneficial it is to the organization, the program should be monitored through a performance-based approach. This means that you should devise measurements and metrics to gauge the effectiveness of your countermeasures. 
  • The physical security team needs to carry out a risk analysis. The analysis will identify the organization's vulnerabilities, threats, and business impacts. The team presents its findings to management and works with them to define an acceptable risk level for the physical security program. The team then develops baselines (the minimum level of security) and metrics to evaluate whether the baselines are being met by the countermeasures. The performance of the countermeasures should be continuously evaluated. 
Chapter 5: Physical and Environmental Security

  • Physical security has a different set of vulnerabilities, threats, and countermeasures from computer and information security. Physical security deals with physical destruction, intruders, environmental issues, theft, and vandalism. Therefore, when security professionals look at physical security, they are concerned with how people can physically enter an environment and cause damage. 
  • The threats that an organization faces fall into these broad categories:
    • Natural environment threats: flood, earthquakes, storms, tornadoes etc.
    • Supply system threats: power distribution outages, communications interruptions and interruption of other resources (water, gas, air filtration etc.).
    • Manmade threats: unauthorized access (both internal and external), explosions, damage by disgruntled employees, employee errors and accidents, vandalism, fraud, theft etc. 
    • Politically motivated threats: strikes, riots, civil disobedience, terrorist attacks, bombings etc.
  • The primary consideration above all is that nothing should impede life safety goals, so protecting human life is the first priority.
  • A physical security program should comprise both safety and security mechanisms.
    • Safety deals with the protection of life and assets against fire, natural disasters, and devastating accidents. Security addresses vandalism, theft, and attacks by individuals.
    • Physical security must be implemented based on a layered defense model; the physical controls should work together in a tiered architecture.
Chapter 4: Operating System Components

  • Process Management:
    • Processes:
      • Applications that work as individual units; the operating system itself also has several different processes carrying out various types of functionality. 
      • Set of instructions that is actually running.
      • Programs are not processes until they load into memory and are activated by the operating system.
      • After the process is created, the operating system assigns resources to it such as memory segments, CPU time slot (interrupt), access to system application programming interfaces (APIs), and files to interact with. 
      • A process is a collection of the instructions and the assigned resources. 
      • Examples of individual process functionality: displaying data onscreen, spooling print jobs, and saving data to temporary files.
    • Multitasking:
      • Operating systems started out with cooperative multitasking and then evolved to preemptive multitasking.
      • Cooperative multitasking:
        • Used in Windows 3.x and early Macintosh systems.
        • Required processes to voluntarily release the resources they were using.
        • Not a stable environment: if a programmer did not write the code properly to release a resource when the application was done using it, the resource would be committed indefinitely to that application, making it unavailable to other processes. 
      • Preemptive multitasking:
        • Used in Windows 9x and later versions, and in Unix systems.
        • The operating system controls how long a process can use a resource. 
        • The operating system can suspend a process that is using the CPU to allow another process to have access to it; this is called time sharing.
    • A process can be in a running state, where the CPU is executing its instructions and data, or in a ready state, where the process is waiting to send instructions to the CPU. The process can also be in a blocked state, where the process is waiting for input data, such as keystrokes, from a user. 
    • When a process is blocked, it is waiting for some type of data to be sent to it. 
    • The operating system is responsible for creating new processes, assigning them resources, synchronizing their communication, and making sure nothing insecure is taking place. 
    • Two Categories of Interrupts:
      • Maskable Interrupt:
        • Assigned to an event that may not be overly important, and the programmer can indicate that if that interrupt is raised, the program does not stop what it is doing (Harris, 316).
      • Nonmaskable interrupts:
        • Can never be overridden by an application because the event that has this type of interrupt assigned to it is critical (Harris, 316).
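The cooperative-versus-preemptive difference and the running/ready/blocked states above are easier to see in a small simulation. The following is an added example, not code from the notes or from Harris's book; the process names, work sizes, the two-tick quantum and the misbehaving "hog" process are all constructed for the demonstration.

```python
from collections import deque

RUNNING, READY, BLOCKED, DONE = "running", "ready", "blocked", "done"


class Process:
    """A constructed process: a fixed amount of CPU work plus scheduling traits."""

    def __init__(self, name, work, yields=True, blocks_at=None):
        self.name = name
        self.work = work              # CPU ticks still needed to finish
        self.yields = yields          # cooperative mode: will it ever release the CPU?
        self.blocks_at = blocks_at    # remaining-work value at which it waits for input
        self.state = READY
        self.cpu_ticks = 0

    def run_one_tick(self):
        """Execute one unit of work on the CPU and return the resulting state."""
        self.state = RUNNING
        self.work -= 1
        self.cpu_ticks += 1
        if self.work == 0:
            self.state = DONE
        elif self.blocks_at is not None and self.work == self.blocks_at:
            # Waiting for data (e.g. a keystroke): the process cannot continue
            # until the input arrives, so it leaves the CPU.
            self.state = BLOCKED
            self.blocks_at = None     # it waits for input only once in this model
        else:
            self.state = READY
        return self.state


def simulate(processes, preemptive, quantum=2, max_ticks=50):
    """Toy scheduler. Returns {name: tick at which the process finished} for the
    processes that completed within max_ticks; a starved process is absent."""
    ready = deque(processes)
    blocked = []
    finished = {}
    tick = 0
    while ready and tick < max_ticks:
        proc = ready.popleft()
        used = 0                      # ticks consumed in this turn on the CPU
        while tick < max_ticks:
            state = proc.run_one_tick()
            tick += 1
            used += 1
            if state == DONE:
                finished[proc.name] = tick
                break
            if state == BLOCKED:
                blocked.append(proc)
                break
            if preemptive and used == quantum:
                # Time sharing: the OS suspends the process when its slice ends.
                ready.append(proc)
                break
            if not preemptive and proc.yields and used == quantum:
                # Cooperative: a well-behaved process gives the CPU back itself;
                # a badly written one (yields=False) never reaches this branch.
                ready.append(proc)
                break
        # Model the awaited input arriving right after the context switch, which
        # moves the blocked process back to the ready state.
        while blocked:
            waiter = blocked.pop(0)
            waiter.state = READY
            ready.append(waiter)
    return finished


def make_workload():
    """Constructed workload: 'hog' has a bug and never releases the CPU."""
    return [
        Process("editor", work=4, blocks_at=2),   # waits once for a keystroke
        Process("hog", work=1000, yields=False),
        Process("spooler", work=3),
    ]


if __name__ == "__main__":
    # Cooperative: nothing but the hog ever runs again -> {}
    print("cooperative:", simulate(make_workload(), preemptive=False))
    # Preemptive: the OS enforces the slice -> editor finishes at tick 8, spooler at 11
    print("preemptive: ", simulate(make_workload(), preemptive=True))
```

Under cooperative scheduling the editor and spooler starve once the hog gets the CPU, which is exactly the "resource committed indefinitely" failure the notes describe; under preemptive scheduling both finish while the hog is still running.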

Thursday, September 18, 2014

Chapter 4: Multiprocessing

  • When a specialized computer has more than one CPU for increased performance, an operating system must be developed specifically for it. This ensures the computer can understand and work with more than one processor. 
  • Symmetric mode is when the processors are handed work as needed. In Figure 4-5 of the CISSP All-in-One Exam Guide, CPU 1 and CPU 2 are an example of symmetric mode. 
  • When a process needs instructions to be executed, a scheduler determines which processor is ready for more work and sends it on. 
  • Asymmetric mode is when a processor is dedicated to a specific task or application and all other software would run on a different processor. In Figure 4-5, you can see an example of this in CPU 3 and 4. CPU 4 is dedicated to one application and its threads while CPU 3 is used by the operating system. 
  • Asymmetric mode usually indicates that the computer has some type of time-sensitive application that needs its own dedicated processor. Therefore, the system scheduler sends instructions from the time-sensitive application to CPU 4 and sends all the other instructions from the operating system and other applications to CPU 3. 
Chapter 4: Security Architecture and Design Continued

  • The Importance of Control Unit:
    • Basically, the control unit controls when instructions are executed and enables applications to process data, but the control unit does not actually process the data.
    • While different applications' code and operating system instructions are being executed, the control unit manages and synchronizes the system.
    • The control unit gets the code, interprets the code, and oversees execution of the different instruction sets. 
    • The control unit is responsible for determining what application instructions get processed and in what priority and what time. 
    • The CPU's time is sliced into individual units, which are assigned to processes. 
    • The operating system can carry out several different functions at one time (this is called multitasking), but the CPU actually has to execute instructions in a serial fashion (one at a time). 
  • Types of registers:
    1. General register: 
      1. Hold variables and temporary results as the ALU (arithmetic logic unit) works through its execution steps.
      2. Like a scratch pad which you use while working.
    2. Special registers:
      1. Dedicated registers
      2. Hold information such as program counter, stack pointer, and program status word (PSW).
        1. PSW:
          1. Holds different condition bits; one bit indicates whether the CPU should be working in user mode.
    3. Program counter:
      1. Contains memory address of the next instruction to be fetched.
  • How do operating systems protect themselves?
    • Operating systems need to protect themselves from applications, software utilities, and user activities if they are going to provide a stable and safe environment. 
    • One protection mechanism is implemented through the use of different execution modes. 
    • When the CPU carries out an application's instructions, it works in user mode, a lower privilege level. Many of the CPU's instructions and functions are not available to the requesting application. This is because the developers of the operating system and CPU do not know who developed the application or how it is going to behave.
  • How do processes communicate with other processes and the CPU?
    • Processes communicate with other processes and the CPU through stacks, and the CPU needs to keep track of where it is in each stack. The register that does this is called the stack pointer. 
    • Stack is a data structure in memory that the process can read from and write to in a last in, first out (LIFO) fashion (Harris, 309).
    • Each entry on the stack is a piece of information that tells the process something, whether it is an instruction, how to respond, data, etc. Once the first item on the stack is executed, the stack pointer moves down to tell the CPU where the next piece of data is located.

Wednesday, September 17, 2014

Chapter 4: Computer Architecture

What is a computer architecture?
A computer architecture is made up of all the parts of a computer system that are necessary for it to function. This includes the operating system, memory chip, logic circuits, storage devices, input and output devices, security components, buses, and networking interface.

The Central Processing Unit (CPU):

  • The brains of a computer.
  • It fetches instructions from memory and executes them.
  • It's a piece of hardware with its own instruction set that is used to carry out tasks.
  • Each CPU has a specific architecture and set of instructions.
  • Operating systems have to be designed to work within the CPU architecture, because the operating system has to be able to "speak the language" of the processor (the processor's instruction set).
How does the CPU work?
  • There is a chip within the CPU that is only a couple of square inches.
  • The chip contains millions of transistors.
  • All operations within the CPU are performed by electrical signals that work at different voltages in different combinations. 
  • The different voltages are held in transistors and represent 0's and 1's to the operating system. 
  • Registers contained in the CPU point to the memory location which houses the next executable instruction. 
  • A register is a temporary storage location that holds the information that tells the CPU what its next job is. 
  • Actual execution of the instructions is done by the arithmetic logic unit (ALU), which is considered the brain of the CPU.
    • ALU performs mathematical functions and logical operations on data. 

Tuesday, September 16, 2014

Chapter 4: Roles of an Architect

Architects need to capture the goals that the system is supposed to accomplish for each stakeholder. There are many stakeholders in a project, and they can be concerned about different aspects of the system. For example, one stakeholder can be concerned with the functionality of the system, while another is concerned about performance, interoperability, or security. It is the role of the architect to create documentation that formally describes the architecture of the system for each stakeholder and their concerns and viewpoints. It is the responsibility of the stakeholders to review the documentation created by the architect to make sure everything is accounted for. Once the architecture is approved, the developers can start building the system.

Examples of stakeholders for a system are: users, operations, maintainers, developers, and suppliers. Previously, system architectures were developed to meet the identified stakeholders' concerns of functionality, interoperability, and performance, but recently a new concern, security, has arisen.

Security goals have to be defined before the architecture of a system is created. Specific security views of the system need to be created to help guide the design and development phases.

Figure 4-1 is an example of a "Formal architecture terms and relationship" from Harris's CISSP Exam Guide book.

Chapter 4: Security Architecture and Design

Computer Security:

  • Computer security means different things to different people.
  • Information security should consist of the three main attributes: 
    • Availability: prevention of loss of access to data and resources
    • Integrity: prevention of unauthorized modification of data and resources
    • Confidentiality: prevention of unauthorized disclosure of data and resources
System Architecture:
  • What is an architecture?
    • An architecture is a tool used to conceptually understand structure and behavior of a complex entity through different views (Harris, 300). 
  • What is an architecture description?
    • It is a formal description and representation of a system, components that make it up, interactions and interdependencies between those components, and relationships to the environment (Harris, 300).
  • An architecture is a high-level overview of the overall process of system development. The architecture is what needs to be understood before we can design and develop. At the architecture level we ask the following questions:
    • Why are we building this system?
    • Who is going to use it and why?
    • How is it going to be used?
    • What environment will it work within?
    • What type of security and protection is required?
    • What does it need to be able to communicate with?
  • The answers to the questions above will outline the main goals the system must achieve and they help to construct the system at an abstract level. 
  • What is involved in the system phase?
    • Gathering system requirement specifications.
    • Use modeling languages to establish how system will accomplish design goals (e.g. required functionality, compatibility, fault tolerance, extensibility, security, usability, and maintainability).
    • Modeling language is commonly graphical to help visualize the system from a static structural view and dynamic behavioral view. 
  • What is involved in the development phase?
    • Individual programmers are assigned a part of the system they are responsible for.
    • The coding of the software begins and the creation of the hardware starts. 
  • What is a system?
    • A system can be an individual computer, application, set of subsystems, set of computers, or a network made up of computers and applications. 
    • It can be simplistic such as a single-user operating system for a specific task or it can be complex such as a distributed environment or very focused subsystems.

Sunday, September 14, 2014

Chapter 3: Other Technologies for the CISSP Exam

Legacy Single Sign-On (SSO):
  • How are SSO products used as an identity management solution or as part of a larger IdM enterprise-wide solution?
    • SSO technology allows users to authenticate one time and then access resources in the environment without needing to re-authenticate. 
    • The difference between SSO technology and password synchronization is that password synchronization takes the user's password and updates each user account on each system and application with that password. With SSO, when a user requests access to a network application, the application sends a request for credentials, but the request is intercepted by the SSO software, which fills in the necessary identification and authentication information for the user at the login prompt.  
    • Vulnerability:
      • If an attacker is able to get hold of the user's credentials, the attacker has access to all of that user's resources. 
    • Negative Aspect:
      • SSO solutions may create a bottleneck (single point of failure): if the SSO server goes down, users are unable to access their network resources. 
      • Costly
      • All of a user's credentials for the company's resources are stored in one location 
Account Management:
  • What is account management?
    • Deals with creating user accounts on all systems, modifying the account privileges when necessary, and decommissioning the accounts when they are no longer needed (Harris, 177).
  • Issue with account management:
    • Accounts are often created manually by the IT department on different systems, and users are given excessive rights and permissions. Often, when an employee leaves the company, many or all of the accounts stay active.
    • Conclusion: 
      • Allowing administrators to manage user accounts across multiple systems
  • How are accounts set up?
    • When a new user needs an account, a network administrator will set up the account(s) and provide the user with certain privileges and permissions. Administrators often don't know what resources to allow the user to have access to, and they have to "wing it." This is how users get access to too much stuff. 
    • Solution:
      • Implementing a workflow process that allows for a request for a new user account. The request has to be approved, usually by the employee's manager; then the accounts are automatically set up on the systems, or a ticket is generated for technical staff to set them up. The same process applies when an account needs to be updated or deleted. 
    • Pros of a workflow process:
      • Reduces potential errors common in account management practice
      • Each step is logged and tracked which provides accountability and documentation for backtracking if something goes wrong
      • Only necessary access is provided for each account
      • "Orphan" accounts that are still active when employees leave are removed
      • Makes auditors happy
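The workflow process above (request, manager approval, automatic provisioning with only the requested rights, logged deprovisioning, and detection of "orphan" accounts) can be modelled in a few dozen lines. This is an added example, not code from the notes or from Harris's book; the employees, managers, systems and privileges are constructed sample data, and the manager map stands in for whatever HR source a real deployment would use.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    privileges: frozenset


class AccountWorkflow:
    """Request -> approval by the employee's own manager -> automatic provisioning,
    with every step written to an audit log, plus offboarding and an orphan check."""

    def __init__(self, managers):
        self.managers = dict(managers)        # employee -> manager (constructed HR data)
        self.active_employees = set(managers)
        self.requests = {}                    # request id -> request record
        self.accounts = {}                    # (user, system) -> Account
        self.audit_log = []                   # accountability: one entry per step
        self._next_id = 1

    def _log(self, event, **details):
        self.audit_log.append({"event": event, **details})

    def request(self, requester, user, system, privileges):
        """Open a request for 'user' to receive 'privileges' on 'system'."""
        rid = self._next_id
        self._next_id += 1
        self.requests[rid] = {"user": user, "system": system,
                              "privileges": frozenset(privileges), "status": "pending"}
        self._log("requested", id=rid, by=requester, user=user, system=system,
                  privileges=sorted(privileges))
        return rid

    def approve(self, rid, approver):
        """Only the employee's own manager may approve a pending request; approval
        provisions the account with exactly the requested privileges, no more."""
        req = self.requests[rid]
        if req["status"] != "pending" or self.managers.get(req["user"]) != approver:
            self._log("approval_refused", id=rid, by=approver)
            return False
        req["status"] = "approved"
        self._log("approved", id=rid, by=approver)
        acct = Account(req["user"], req["system"], req["privileges"])
        self.accounts[(acct.user, acct.system)] = acct
        self._log("provisioned", id=rid, user=acct.user, system=acct.system,
                  privileges=sorted(acct.privileges))
        return True

    def import_legacy_account(self, user, system, privileges):
        """An account created by hand outside the workflow (the manual practice
        the notes describe); recorded so the orphan check can see it."""
        self.accounts[(user, system)] = Account(user, system, frozenset(privileges))
        self._log("legacy_import", user=user, system=system)

    def offboard(self, user, by):
        """Employee leaves: remove every account so none stays active.
        Returns the number of accounts removed."""
        self.active_employees.discard(user)
        removed = [key for key in self.accounts if key[0] == user]
        for key in removed:
            del self.accounts[key]
            self._log("deprovisioned", user=user, system=key[1], by=by)
        return len(removed)

    def orphans(self):
        """Accounts whose owner is not an active employee."""
        return sorted(key for key in self.accounts
                      if key[0] not in self.active_employees)

    def has_access(self, user, system, privilege):
        acct = self.accounts.get((user, system))
        return acct is not None and privilege in acct.privileges


def demo():
    """Constructed scenario; returns the workflow so the audit trail can be read."""
    wf = AccountWorkflow({"alice": "bob", "carol": "bob"})
    rid = wf.request("bob", "alice", "payroll", ["read"])
    wf.approve(rid, "carol")        # refused: carol is not alice's manager
    wf.approve(rid, "bob")          # approved and provisioned with read only
    wf.import_legacy_account("dave", "crm", ["admin"])  # dave is not an employee
    wf.offboard("alice", by="bob")  # alice's payroll account is removed and logged
    return wf


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```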



Wednesday, September 10, 2014

Chapter 3: Identity Management

A. What is Identity Management?
  • Identity management is just a broad term to describe the different products that identify, authenticate, and authorize users through automated means.
  • Many people view IdM as user account management, access control, password management etc.
  • It is so large and contains so many components that people don't understand the entire picture; they only understand the component they work with.
  • The goal of IdM is to simplify administrative tasks and bring order to the chaos: because there are so many different types of employees with different access rights, it's difficult to manage them all. 
B. Describe the change from traditional IdM and the present IdM
  • Traditionally, IdM was managed through a manual process using directory services with permissions, access control lists (ACLs), and profiles. Presently, the traditional methods have been replaced with automated applications whose functionality works together to create an identity management infrastructure. 
  • Identity Management Technologies covered in the CISSP exam are the following:
    • Directories
    • Web access management
    • Password management
    • Legacy single sign-on
    • Account management
    • Profile update
C.  Directories:
  • A directory has information pertaining to the company's network resources and users.
  • Most follow a hierarchical database form which is based on the X.500 standard, and a protocol, such as Lightweight Directory Access Protocol (LDAP), allows subjects and applications to interact with the directory.
    • What this means is that applications can request information about a user by making an LDAP request to the directory, and users can also request information about a resource by using a similar request. 
  • How does the directory work?
    • The directory is composed of objects that are managed by a directory service.
    • A directory service allows administrators to configure and manage how identification, authentication, authorization, and access control take place within the network and on individual systems. 
    • The objects in the directory are labeled/identified with namespaces.
  • The problem with using a directory product for identity management is that legacy devices and applications cannot be managed by the directory service because they were not built with the necessary client software. 
D. Web Access Management:
  • Web Access Management (WAM) software helps control what users can access when using a web browser to interact with web-based enterprise assets. 
  • The infrastructure is usually made up of a web server farm (many servers), a directory that contains users' accounts and attributes, a database, a couple of firewalls, and some routers, all laid out in a tiered architecture. 
  • WAM can be thought of as a gateway between users and the corporate web-based resources; it acts as a plug-in for the web server and works as a front-end process.
  • WAM console allows administrators to configure access levels, authentication requirements, and account setup workflow steps, and perform overall maintenance. 
E. Password Management:
  • It takes a lot of time and resources to manage passwords for an entire organization, especially if there are many employees who have to constantly update their passwords for different platforms. 
  • The following are common password management approaches:
    • Password Synchronization:
      • reduces complexity of keeping up with different passwords for different systems
    • Self-Service Password Reset
      • reduces help-desk call volumes by allowing users to reset their own password
    • Assisted Password Reset
      • reduces resolution process for password issues for the help desk

Tuesday, September 9, 2014

Chapter 3: Access Control Overview:

A. What is Access control?
  • Access controls are security features that help control how users and systems communicate and interact with other systems and resources.
  • Access control protects the system and resources from unauthorized access.
  • Broad term that covers different mechanisms which enforce access control features on computer systems, networks, and information.
  • It is the first line of defense in guarding against unauthorized access to systems and network resources.
  • Access control allows organizations to control, restrict, monitor, and protect resource availability, integrity, and confidentiality.
B. What is an Access?
  • Access is the flow of information between a subject and an object (Harris, 157).
C. What is a Subject?
  • A subject is an active entity that requests access to an object or the data within an object (Harris, 157).
  • Examples of a subject: 
    • user
    • program
    • process that accesses an object to accomplish a task
D. What is an Object?

  • An object is a passive entity that contains information or needed functionality (Harris, 158).
  • Therefore, when a program accesses a file, think of the program as the subject and the file as the object.
  • Examples of Object:
    • Computer
    • Database
    • File
    • Computer program
    • Directory
    • Field contained in a table within a database
E. Security Principles:
  • What are the three main security principles?
    • Availability:
      • Information, systems, and resources must be available to users in a timely manner where productivity will not be affected.
    • Integrity:
      • Integrity entails information being accurate, complete, and protected from unauthorized modification.
      • Integrity protects data or resource from being altered by an unauthorized user.
    • Confidentiality
      • Confidentiality assures information is not disclosed to unauthorized individuals, programs, or processes.
F. Identification, Authentication, Authorization, and Accountability:
  • What is Identification?
    • Identification describes the method of ensuring a subject (user, program, or process) is the entity it claims to be.
    • Username or account numbers are a common way of identification. 
    • To be fully authenticated, the subject is usually required to provide a second piece of information such as a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token. 
  • Logical Access Controls:
    • Technical tools used for identification, authentication, authorization, and accountability (Harris, 161).
  • Steps for authentication:
    • Authentication is a two-step process:
      1. Entering public information (username, employee number, account number, department ID).
      2. Entering private information (static password, smart token, cognitive password, one-time password, PIN).
G. Identification and Authentication:
  • Three general factors for authentication:
    1. Authentication by knowledge 
      • Something a person knows
      • Pros: least expensive to implement
      • Cons: another person can acquire the knowledge and gain unauthorized access to resources
      • Examples:
        • Password
        • PIN
        • Mother's maiden name
        • Combination to a lock
    2. Authentication by ownership
      • Something a person has
      • Pros: common for accessing facilities and sensitive areas, or for authenticating to systems
      • Cons: can be lost or stolen, resulting in unauthorized access
      • Examples:
        • Key
        • Swipe card
        • Access card
        • Badge
    3. Authentication by characteristic
      • Something a person is
      • Based on a unique physical attribute
      • Biometrics
  • Strong authentication is defined as having two out of the three methods.
  • Creating or issuing secure identities:
    • Include three key aspects:
      • Uniqueness:
        • Identifiers that are specific to an individual (unique ID)
        • Examples:
          • Fingerprints
          • Retina scans
      • Nondescriptive:
        • The credentials should not indicate the purpose of the account
        • Examples:
          • User ID should not be "Administrator," "Backup_operator," or "CEO"
      • Issuance:
        • Provided by another authority as a means of presenting identity
        • Examples:
          • ID cards
  • Summary of Identification Component Requirement:
    • When issuing identification values to users, the following should be in place:
      • Each value should be unique, for user accountability.
      • A standard naming scheme should be followed.
      • The value should be nondescriptive of the user's position or tasks.
      • The value should not be shared between users. 
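The identification requirements above and the "two out of three factors" rule for strong authentication, as an added example (not from the Harris text or these notes). The naming scheme (three to sixteen lowercase letters) and the extra descriptive words beyond "Administrator", "Backup_operator" and "CEO" are constructed assumptions.

```python
"""Small model of the identification and authentication rules in these notes."""
import re

# Constructed naming scheme: 3-16 lowercase letters, e.g. "jsmith".
NAMING_SCHEME = re.compile(r"^[a-z]{3,16}$")

# Words that reveal an account's position or tasks. The notes name
# "Administrator", "Backup_operator" and "CEO"; the others are constructed.
DESCRIPTIVE_WORDS = {"administrator", "admin", "backup_operator", "backup",
                     "operator", "ceo", "root"}


def check_identifier(candidate, issued_ids):
    """Return the identification requirements a proposed user ID violates.

    issued_ids holds every value already handed out; because each value is
    bound to exactly one user, the uniqueness check also enforces the
    "not shared between users" requirement. Empty list means acceptable.
    """
    problems = []
    if candidate in issued_ids:                      # uniqueness -> accountability
        problems.append("not unique")
    if not NAMING_SCHEME.match(candidate):           # standard naming scheme
        problems.append("violates naming scheme")
    if any(word in candidate.lower() for word in DESCRIPTIVE_WORDS):
        problems.append("descriptive of position or tasks")
    return problems


# Factor category of each credential type listed in the notes.
FACTOR_OF = {
    "password": "knowledge", "pin": "knowledge", "cognitive_password": "knowledge",
    "smart_token": "ownership", "swipe_card": "ownership", "badge": "ownership",
    "fingerprint": "characteristic", "retina_scan": "characteristic",
}


def is_strong_authentication(presented):
    """Strong authentication needs two *distinct* factor types, not two credentials.

    presented is a list of credential types; unknown types are ignored.
    """
    factors = {FACTOR_OF[p] for p in presented if p in FACTOR_OF}
    return len(factors) >= 2
```

A password plus a PIN is still single-factor (both are knowledge), which is the case the function is written to reject.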


Monday, September 8, 2014

Chapter 2: Security Controls Development

The Control Objectives for Information and related Technology (Cobit):
Cobit is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI) (Harris, 55). So, basically, Cobit defines goals for the controls that need to be used to properly manage IT, and it helps to ensure IT aligns with the business goals.

Cobit can be broken down into four domains:

  1. Acquire and Maintain Application Software
  2. Acquire and Maintain Technology Infrastructure
  3. Install and Accredit Systems
  4. Manage Changes
The positive aspect of Cobit is that it provides goals and guidance for companies to follow when they purchase, install, test, and accredit IT products. Cobit operates like a "checklist": it provides a list of things companies can think through and accomplish when they carry out different IT functions. It is like a roadmap that companies can follow. A majority of the security compliance auditing practices used in industries today are based on Cobit.

COSO:
Cobit was actually derived from the Committee of Sponsoring Organizations (COSO) framework. The framework is made up of the following components:

  • Control Environment:
    • The control environment is basically management's philosophy and operating style and the company's culture pertaining to ethics and fraud.
  • Risk Assessment :
    • Risk assessment establishes risk objectives and the ability to manage internal and external change.
  • Control Activities:
    • Control activities are policies, procedures, and practices put in place to reduce risk.
  • Information and Communication:
    • The structure that ensures the right people get the right information at the right time.
  • Monitoring:
    • Monitoring detects and responds to control deficiencies. 
ITIL:
The Information Technology Infrastructure Library (ITIL) is a set of best practices for IT service management. Companies have a hard time communicating between business and IT; as a result, they blend their business objectives and IT functions inefficiently. This creates confusion, misunderstandings, and missed deadlines and opportunities, but most importantly it increases costs in time and labor. All this confusion can be frustrating, and that is why ITIL was created. ITIL is a customizable framework that provides goals, the general activities necessary to achieve the goals, and the input and output values for each process required to meet the goals. But ITIL is more focused on internal service level agreements between IT and the "customers" it serves. 

Six Sigma:
Six Sigma is a process improvement methodology that grew out of Total Quality Management (TQM). Six Sigma is used to improve process quality; it uses statistics to measure operational efficiency and to reduce variation, defects, and waste. 

Security Program Life Cycle:
A security program has a life cycle that is ALWAYS continuing. This is due to the fact that security should be constantly evaluated and improved upon. Harris describes the life cycle of a process as:
  1. Plan and organize
  2. Implement
  3. Operate and maintain
  4. Monitor and evaluate

Thursday, September 4, 2014

Chapter 2 Continued: A Brief History of the "Security Program"

The roots of our "security program" come from the United Kingdom in 1995. The British Standard 7799 (BS7799) is the outline we use for our information security management system (ISMS). There was a strong need for centralization because so many different security controls had been developed by different organizations. BS7799 actually has two parts: part one outlines control objectives and how to achieve those objectives, and part two outlines how a security program is set up and maintained. BS7799 covers a wide range of topics, including:

1. Information security policy for the organization
2. Creation of information security infrastructure
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communication and operations management
7. Access control
8. System development and maintenance
9. Business continuity management
10. Compliance

When organizations around the world needed to develop an internal security program, all they had to go by was BS7799. Therefore, there was a strong need to globally standardize BS7799.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) took on the role of globally standardizing BS7799. ISO is the world's largest developer and publisher of international standards. ISO and IEC went through and modularized the different components of the ISMS and came up with the ISO/IEC 27000 series. ISO follows the Plan-Do-Check-Act (PDCA) cycle, an iterative process that is used in business process quality control programs. Plan establishes objectives and makes plans, Do deals with the implementation of the plan, Check measures results to understand whether objectives are met, and Act guides you on how to improve the plans to better achieve success.

Enterprise Architecture Development:
An enterprise security architecture is the guide used when implementing solutions to ensure business needs are met. An enterprise security architecture also provides standard protection across the environment and reduces unknown risks. The advantage of having an enterprise architecture is that it allows you not only to understand the company from different views, but also to understand how a change that takes place at one level will affect items at other levels as well.

To develop an architecture, the first step is to identify stakeholders. Stakeholders are the individuals who will be looking at and using the architecture. The next step is to develop the views: how the information important to different stakeholders will be illustrated in the most useful manner.

Zachman Architecture Framework:
The Zachman framework is a two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer, and Worker) to give an understanding of the enterprise. This framework was developed in the 1980s on the basis of the principles of classical business architecture, and the goal was to be able to look at the same organization from different views.

You can find more information about the Zachman Architecture Framework at: https://www.zachman.com/.

The Open Group Architecture Framework (TOGAF):
TOGAF has its origins in the U.S. Department of Defense and is used to develop architecture types such as Business, Data, Applications, and Technology Architecture.

This method is an iterative and cyclic process that allows requirements to be continuously reviewed and the individual architectures to be updated as needed. Several other architectures discussed in the book include:

  • Department of Defense Architecture Framework (DoDAF)
  • British Ministry of Defense Architecture Framework (MODAF)
  • Enterprise security architecture
  • Sherwood Applied Business Security Architecture (SABSA)
Tuesday, September 2, 2014

Chapter 2: Information Security Governance and Risk Management

Like every topic, it's important to learn about the fundamentals before we dive into the details. At the beginning of chapter two, our primary focus is learning the fundamental principles of security. The core goal of security is to provide availability, integrity, and confidentiality protection for the critical assets of a company. This core goal is usually referred to as the AIC triad.

The goal of Availability protection is to make sure the individuals who need access to certain data and resources have that ability in a timely and reliable manner. Integrity can be compromised when the system is attacked or users make mistakes, but if strict access controls, intrusion detection, and hashing are put in place, then the integrity of the system can be upheld. Finally, Confidentiality ensures the necessary levels of security are enforced so that unauthorized disclosure can be prevented.

I wanted to point out an interesting discovery: until I read it in the book, I never knew that when information security is dealt with, the common viewpoint is only keeping secrets secret, or confidentiality. We really don't realize that there is more to it; integrity and availability threats are overlooked.

We all talk about security, but what exactly does it mean? To understand security, I have to use the definition given in the book. Security is defined by the terms vulnerability, threat, risk, and exposure. Although these terms are used interchangeably, they actually have different meanings. If there are security vulnerabilities, then the system lacks countermeasures or there is a weakness in a countermeasure that is currently in place. Threats are viewed as potential dangers that can occur if there are vulnerabilities in the system. Risk is the likelihood of a threat actually occurring and the corresponding business impact. Exposure is the instance of being exposed to losses due to the risk. A control is the countermeasure used to reduce the potential risk.

Now that we know what security is, we want to know the different control mechanisms that are used to stop threats from occurring. There are three different control types:

  a. Administrative controls: management-oriented, "soft controls"
  b. Technical controls: software and hardware components, "logical controls"
  c. Physical controls: protect the facility, personnel, and resources

These controls are implemented using defense-in-depth, which is the use of multiple security controls in a layered approach.


As you can see, Figure 2-2 from the book "All In One CISSP Exam Guide, Sixth Edition" is an example of a defense-in-depth control method. It is important to know the control types, but more importantly you should understand the different functionalities of security controls. The different functionalities are preventive, detective, corrective, deterrent, recovery, and compensating.