- Risk Management: The identification, and assessment of risk.
- Assets: Any part of our infrastructure that we are worried about getting harmed. Servers, network, services, applications, storage, people, intangible (such as reputation)
- Vulnerability: Weakness to an asset that leaves it open to bad things happening to it. eg) unlocked server room door, not changing default passwords
- Threats: The bad action or event, that could occur if a vulnerability were exploited. A threat is an abstract concept describing the scenario in which a vulnerability is leveraged.
- Threat Agent: The actor which carries out the threat (eg: hackers, criminals and bad storms that cause floods)
- Impact: The actual harm which may be caused by a threat. It can be things like costs, labor, downtime, etc. It can be viewed through both a quantitative or qualitative lens.
- Mitigation: Action taken to reduce the impact of a risk
- Pentesting: An outside party looks for vulnerabilities and will then provide a report on them
- Vulnerability Assessment:
- Threat Assessment: Finds threats applicable to your infrastructure.
Risk Identification / Risk Assessment
Looking at and cataloging all assets. This is part of a vulnerability assessment.
Security Control Types
- Administrative Control: Policies, awareness, training
- Technical Control: Computers, firewalls, passwords, encryption, authentication
- Physical Control: Gates, guards, keys, mantraps
Security Control Functions
- Deterrent: deters the actor from attempting the threat
- Preventative: does not allow the actor to attempt the threat
- Detective: recognizes an actor’s threat (eg: Background Check)
- Corrective: mitigates the impact of a manifested threat
- Compensating: provides alternative fixes to anything above which we can’t perform how we want
Interesting Security Controls
- Mandatory Vacation: may help with fraud detection, determining noticeably different patterns of activity when someone is away
- Job Rotation: rapid replacement if someone mission-critical gets sick. Allows for cross-training
- Multi-person Control: requires more than one person to perform a specific action. Accessing sensitive documents, entering a secure area, etc
- Separation of Duties: single individuals should all critical or privileged duties across the board. At least two people should be required to perform sensitive functions
- Principle of Least Privilege: minimum permission or knowledge required to effectively perform the job
Defense in Depth
- Diversity: Different controls applied (eg: one door, a guard, camera, then an airlock, etc).
- Redundancy: The same type of security control, more than once. (eg: Several doors to reach a room)
Diversity is important for effective defense in depth. For example, it’s better to have two internet connections from different providers compared to two internet connections from the same provider. This is an example of vendor diversity
It’s important to use a diverse set of controls, physical, technical, and administrative.
Case Study: Block Facebook - could be a technical control to block Facebook via a firewall, or an administrative control such as an acceptable use policy.
IT Security Governance
Governance is the set of overarching rules that define how an organization and its personnel conduct themselves. IT security governance defines how an organization and its personnel conduct IT Security.
Sources of IT Security Governance:
- Laws and Regulations (eg: HIPAA)
- Standards (Government standards, such as ISO) and (Industry standards, such as PCI-DSS)
- Best Practices (eg: vendor best practices)
- Common Sense
Two types of governance documents:
- Policies: A document which defines how we will do something. Example: Acceptable use policy. Very broad, used as directives (we will do X). Defines roles and responsibilities. You may have a policy that indicates strong passwords must be used.
- Organization Standard: Much more detailed than a policy. Defines the level of performance of a policy. You may have an organizational standard that passwords of at least 12 characters, with uppercase, lowercase, number and symbols must be used. Some organizations incorporate standards into policies
Security controls come from policies and standards. Policies and standards don’t define how we implement the policy or standard.
- Procedure: A step by step process to perform a specific task.
Start with sources of governance, and begin building policies and standards. Once policies and standards are defined, procedures may be defined.
- Guidelines: Guidelines are optional, don’t have to be clearly defined but gives an idea for how to implement something. Everything else is required, but guidelines are optional information.
Types of Security Policies
- Acceptable Use Policy: A well-known policy, defines what a person can or cannot do with the organization’s IT assets. Covers things like personal use of computers, no pron, no buying/selling things on eBay during company hours, where to store documents, etc. Usually uses very broad strokes.
- Data sensitivity and Classification Policy: A policy that defines how important or sensitive data is. Often used for mandating labels that must be applied to documents, such as “SECRET” or “TOP SECRET”.
- Access Control Policy: Defines how people get access to data or other resources. Could cover many different things, for example how to use smart cards, passwords, or other authentication methods. Could be what roles have access to specific data. May be incorporated into AUP or data classification policies.
- Password Policy: Defines how we deal with passwords, not just length and complexity. May also be part of another policy instead of standalone. May also define password recovery, account lockouts, password changes, and password history, etc.
- Care and Use of Equipment: Might be contained within AUP, however, we are specifically talking about the physical assets, how equipment is borrowed, how to maintain the equipment, what to do if the equipment is broken, etc
- Personnel Policy: Deals with the people who have access to our data. Examples could include background checks, security clearance, job rotations, mandatory vacations, etc.
Quantitative Risk Calculation
Asset value goes beyond just the cost of buying a replacement asset, it’s more complicated than that. Labour, downtime, and other factors must be considered. The value of an asset should take all of these costs into consideration. You also need not assign asset values to only individual system components, but an entire facility could be considered an asset on its own.
- Exposure Factor: Percentage of an asset that’s lost due to an incident. A number from 0 to 1.
- Single Loss Expectancy (SLE): The cost required to resolve a specific incident. Asset Value * Exposure Factor = Single Loss Expectancy
- Annualized Rate of Occurrence (ARO): eg: Chance of flood is once every 20 years. 1/20 = 0.05.
- Annualized Loss Expectancy (ALE): Allows us to take SLE * ARO = Annualized Loss Expectancy. This allows us to generalize the cost of operating due to known risks.
- Mean Time to Repair (MTTR): Mean time required to repair a system component and bring the component back online
- Mean Time to Failure (MTTF): Mean time a system component will remain operational until it fails
- Mean Time Between Failure (MTBF): MTBF = MTTR + MTTF
Business Impact Analysis
- Determine mission processes (eg: company websites, revenue streams, etc. A water cooler in the kitchen is not a mission process)
- Identify critical systems (eg: servers, )
- Single point of failure
- Identify resource requirements
- Identify recovery priorities
- PIA: Privacy Impact Assessment. When you want to introduce system changes, such as collecting a user’s birthday in your app, you should perform a privacy impact assessment. It’s a tool that can help anticipate the risk related to the project before it starts. Sometimes it’s required due to legislation, for instance when dealing with PHI. Reviews the collection, use, disclosure, and retention of data being collected.
- PTA: Privacy Threshold Assessment is a process that a company uses to analyze how personal information is protected within an IT system. It’s a questionnaire to determine whether the system contains PII and whether a PIA is required. The PTA determines whether or not there are privacy implications.
- RTO: Recovery Time Objective is the minimum time necessary to restore a critical system to operation. Another way to think is the maximum time a critical system can be down without substantial impact.
- RPO: Recovery Point Objective is the maximum amount of data that can be lost without substantial impact. (How recent was your latest backup?)
Types of Data
Data sensitivity/data labeling. All data is of different importance to us. Labeling data allows the recipients of the data to know how the data should be handled or shared.
- Public Data: No restriction of any form, within the public domain. GIS information, postal code of an address, etc.
- Confidential Data: One party offers to a second party, but only to that party. I will give you some information, but I don’t want you to share it. Nondisclosure agreements are common.
- Private Data: Information that is private to an individual. Social insurance number, PII (personally identifiable information).
- Proprietary Data: Like private information but instead of a person, it’s for an organization. eg: The formula for Coke-Cola.
- Private Health Information (PHI): Anything related to the health of an individual. Similar to Private data, but regulated in different ways as its often shared with specific industry partners.
- Owner: The person which has the legal responsibility for the data. In most corporate situations, the owner is the corporation, not a person. Not all data is owned by the company though, for instance, vendor data or personal data could be stored and processed but not owned by a data
- Steward/custodian: The group or person who’s job is to maintain the accuracy and integrity of data
- Privacy Officer: The person who is in charge of ensuring data adheres to privacy policies and procedures
We characterize users of data into roles.
- Users: Standard permissions needed to complete their tasks. They understand functions and may be able to notice irregularities in data. The most common person, they can access data. They are responsible for reporting irregularities in the data which could constitute a data breach.
- Privileged Users: Increased access and control over the data or system relative to the user
- Executive User: User who makes the strategic decisions about data, for example, policies are set, backups are validated, etc. Typically has read-only access to all data.
- System Administrators: Complete control over the data, in charge of the day to day manipulation and administration of the dataset. They set permissions for all other users, etc. Assigned by the system owner, these people implement security controls
- Data Owner / System Owner: Legal ownership of this particular data set or system. This is a management level role. Responsible to maintain the security of the system. The system owner defines a system administrator.
Training & Onboarding / Offboarding
- Onboarding: The process of bringing on new users. The process is often large and ensures that the person is fit for the task and should include a review of all policies and procedures. It includes things such as background checks, NDA’s, accepting policies, reviewing SOP’s, specialized issues (eg: clean desk policy), rules of behavior, general security policies (eg: social media usage). Training doesn’t end with the onboarding process - it must go on indefinitely and following any changes. It’s often good to give refreshers from time to time.
- Offboarding: Disable accounts, return credentials, exit interview (knowledge transfer is important!)
- PII: Ongoing training should be provided to help people identify PII. Examples include full name, home address, email address, passport number, vehicle registration, date of birth, etc.
Third Party Agreements
- Business Partners Agreement (BPA): Generic document used when two entities which to do business together. Includes the primary entities, time frame (maybe ongoing), dissolution conditions, financial issues, management. BPA’s are very common in the private sector.
- Service Level Agreement (SLA): An agreement between a customer and service provider. Contains the service which is provided, minimum up-time of service (including penalties or discounts if not achieved), the response time (as well as contacts), start and end date, or conditions of dissolution.
- Interconnection Security Agreement (ISA): Mostly used in government (comes from NIST 800-47). Defines how two government entities make data interconnections safely and securely. Contains a statement of requirements (also provides justification), what specific systems are interconnecting (and facilities), system security considerations (what information is being connected, what services are being used?, what encryption is used?), topological drawing (showing connection locations, IP addresses, etc), signature authority (time frame for the interconnection, technical reviews and security reviews). This is not a legal document but is a technical document. Often reinforced with a memorandum of understanding
- Memorandum of Understanding/Agreement (MoU): Often accompanies ISA. Describes the purpose of the interconnection, relevant authorities (who is in charge on either end), specify the responsibilities (things like downtime, billing, legal issues), as well as defines terms of the agreement (costs, who pays), termination/reauthorization conditions.