CISSP Certification Prep: Security and Risk Management
Larry Greenblatt, NetCom Learning
www.netcomlearning.com | info@netcomlearning.com | (888) 563 8266
©1998-2018 NetCom Learning
Agenda
• How to align security with business
• Understand how to use control frameworks
• How to manage business risks
• How to identify security threats
• How to manage different vendors
• How to build security awareness
• Q&A session with the speaker
Process Management
W. Edwards Deming
The Triple Constraints
• Scope (customer needs)
• Time (Schedule)
• Cost (Budget)
• Quality
CMMI - Capability Maturity Model Integration®
• Carnegie-Mellon Software Engineering Institute
• A process improvement maturity model
• Maturity Levels
  – 0 - Incomplete
  – 1 - Initial
  – 2 - Repeatable
  – 3 - Defined
  – 4 - Quantitatively Managed
  – 5 - Optimized
Process Immaturity | Capability Immaturity Model (CIMM)
• Parody by Capt. Tom Schorsch, USAF
• Immaturity Levels:
  – 0) Negligent – Lip Service
  – 1) Obstructive – Adherence to Ineffective Process
  – 2) Contemptuous – Fudged Metrics
  – 3) Undermining – Sabotaging Competitors
https://en.wikipedia.org/wiki/Capability_Immaturity_Model
Cyber Risk* Management
Preventing, Detecting & Responding to unforeseen dangers
*From the Greek "Rhiza" = cliffs under water.
• Due Diligence: Risk Identification/Analysis
  – Think before you act
  – Identifying, assessing & analyzing risks, as well as understanding appropriate controls to prevent, detect and respond to negative events
• Due Care: Risk Mitigation/Handling/Treatment
  – Take actions
  – Selection, implementation and maintenance of cost-effective security controls
Quantitative Analysis
"You can only speak matter-of-factly about what you can measure"*
Objective numeric metrics:
• Real numbers
• Concrete percentages
• Monetary values
• Certification
"Insufficient data"
*Robert Anton Wilson
Qualitative Analysis
• Subjective rankings
  – Experience
  – Intuition
  – Feelings
• Accreditation
• Brainstorming
• The Delphi technique
Risk Identification
Terminologies
• Assets – Anything of Value
  – Ownership, valuation, classification, entitlements
• Threats – Things that can cause Loss of Value
  – Threat Agent – Source of a threat
• Vulnerability – Weakness/limitation of the asset
• Exposure – Vulnerability is accessible to threat source
Value versus Cost
• Value – Assets
  – Subjective
  – Qualitative
• Cost – Controls
  – Objective
  – Quantitative (TCO)
• Cost Benefit Analysis
Threats
“Anything that can cause a loss of Value”
• Malicious attacks
• Accidents
• Natural Disasters
• Fatigue
• Legal liabilities
• Cost to quality
Threat Analysis
• Threat Taxonomy:
  – Man made
    • Accidental (most common!!!)
    • Intentional
  – Natural
  – (Technical)
Threat Modeling
STRIDE
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure
• Denial of service (DoS)
• Elevation of privilege
Application Threat Modeling
OWASP
• Four Questions:
  1. What are we building?
  2. What can go wrong?
  3. What are we going to do about that?
  4. Did we do a good enough job?
Common ICT Threats: Malware
• Viruses, Worms & Trojans
  – Rootkits
  – Logic bombs
  – Bots and botnets
  – Spyware
  – Ransomware
Rogue Infrastructure
• Access Points
• DHCP servers
• DNS servers
• Routers
• Certificate Authorities
• Embedded hardware & device drivers
• P2P and other illicit servers
Loss Criteria
• Life
• Branding / Reputation
• Initial loss versus delayed loss
• Aggregate Losses:
  – Asset
  – Productivity
  – Opportunity
  – (how to quantify?)
Vulnerabilities
• ISO/IEC 27005
  – Hardware
  – Software
  – Network
  – Personnel
  – Physical Site
  – Organizational
Image source: blog.trendmicro.com
Risk Analysis
Terminologies
• Impact – Amount of loss
• Likelihood – Frequency of threat
• Exploit – An incident of an actual loss event
• Controls – Safeguards/Measures/Countermeasures
  – Control Failure Policies
Impact & Likelihood
• Impact – How much loss?
• Likelihood – How frequent?
Control Analysis
• Development / Acquisition costs
• Design / Planning costs
• Implementation & Environment modifications
• Maintenance / Testing
• Operating support costs
• Effects on productivity
Control types: Preventive, Detective, Responsive
Control Frameworks
Standards, Guidelines & Best Practices
• Internal (Tailored to the Organization)
• External
  – NIST
  – ISO
  – CoBiT
Outsourcing Control Administration
Service Management – Limitations:
• Scheduled Outages
• Force Majeure Events
• Service Agreement Changes
• Security
• Service API Changes
Service Assurances:
• 3rd Party Audits
• Service Monitoring
Control Gap
• A "gap" in coverage
• Percentage of asset not protected by control. For example, if insurance covers 80% of loss, then the Control Gap = 20%
Cost Benefit Analysis
• Single Loss Expectancy (SLE) – Asset Value (AV) x Exposure Factor (EF)
• Annualized Loss Expectancy (ALE) – SLE x Annualized Rate of Occurrence (ARO)
• Risk x Control Gap = Residual Risk
– Addressed in BCP
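A worked calculation of the formulas on this slide and on the Control Gap slide (SLE = AV x EF, ALE = SLE x ARO, Residual Risk = Risk x Control Gap), added here as an example that is not part of the NetCom Learning deck. The asset value, exposure factor, ARO, insurance coverage and premium are constructed sample figures, and the net-benefit function is an assumption about how the cost-benefit test is applied.

```python
"""Worked cost-benefit calculation using the deck's risk formulas.

Added example, not from the slides: every dollar figure, exposure factor,
occurrence rate and coverage percentage below is a constructed sample.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of the asset's value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of loss events per year."""
    return sle * aro


def control_gap(coverage: float) -> float:
    """Fraction of the loss a control does NOT cover (80% insurance -> 0.20 gap)."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be between 0 and 1")
    return 1.0 - coverage


def residual_risk(ale: float, coverage: float) -> float:
    """Residual Risk = Risk x Control Gap, using ALE as the risk figure."""
    return ale * control_gap(coverage)


def net_control_benefit(ale: float, coverage: float, annual_control_cost: float) -> float:
    """Yearly loss avoided by the control minus what the control costs.
    Negative means the control costs more than the risk it removes."""
    avoided_loss = ale - residual_risk(ale, coverage)
    return avoided_loss - annual_control_cost


if __name__ == "__main__":
    # Constructed scenario: a $500,000 asset; one event destroys 40% of its
    # value and is expected once every two years (ARO = 0.5).
    sle = single_loss_expectancy(500_000, 0.40)   # 200,000
    ale = annualized_loss_expectancy(sle, 0.5)     # 100,000
    # Insurance covering 80% of the loss for a $30,000 annual premium.
    print(f"SLE={sle:,.0f} ALE={ale:,.0f} residual={residual_risk(ale, 0.80):,.0f}")
    print(f"net benefit of insurance: {net_control_benefit(ale, 0.80, 30_000):,.0f}")
```

The residual $20,000 is the part of the ALE the insurance leaves uncovered, which is what the next line of the slide hands to BCP.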
SP800-100 Risk Assessment
Plan Do Check Act
(SP800-50)
• Select Risk Treatment Measures
• Implement & Maintain Controls
• Awareness – Everyone
• Training – Administrators
• Education – Management
Risk Handling / Treatment
• Avoid / Termination
• Reduce
  – Planning
  – Technologies
  – Training
• Transfer
• Accept – "risk appetite"
• Reject – Negligence!
SDLC Management
• Feasibility – N/A in security projects
• Initiation – Basic description, schedule, budget
• Requirements Analysis (What) – User needs; functions and assurance
• System Design (How) – Checklist of specific components (specs)
• Develop / Acquire – Build or buy according to specs (Verification)
• Installation / Testing – User accepts functions & assurance (Validation)
• Operation / Maintain – Continuous upkeep
• Retirement / Dispose – Data access issues
Recorded Webinar Video
To watch the recorded webinar video for live demos, please access the link: https://goo.gl/mc1cVd
About NetCom Learning
Recommended Courses
» Certified Information Systems Security Professional (CISSP) Certification Prep - Class scheduled on Nov 12
» CompTIA Advanced Security Practitioner (CASP) Certification - Class scheduled on Nov 12
» CISM Certification - Class scheduled on Nov 13
» EC-Council CEH: Certified Ethical Hacker v10 & CNDA: Certified Network Defense Architect - Class scheduled on Nov 05
» The New Role-Based Microsoft Azure Certification Paths
» Cross Team Collaboration: Increasing Productivity with Office 365 Groups
» SharePoint 2019 "Wow" | First Look at new SharePoint 2019
» Adobe InDesign CC: Down and Dirty Tips and Tricks
» Architecting for Security on AWS
» Big Data for Enterprise: Managing Data and Values
» Top Reasons to Master Agile Scrum and its Benefits
» Clean Architecture: Patterns, Practices, and Principles
» CEH: Understanding Ethical Hacking
» SQL Server 2017: Application Development Best Practices
Promotions
From Cloud to Security, to Data and AI, to Networking, to Application Development, to Design, to Business Process & Application; all classes delivered by top-notch instructors in in-person Instructor-led Classroom or Live Online. And after you train, treat yourself with Gift Card rewards.
THANK YOU !!!