Principles of information security 4th edition Chapter 12

NIST SP 800-100
Information Security Handbook: A Guide for Managers provides managerial
guidance for the establishment and implementation of an information security program in particular regarding the ongoing tasks expected of an information security manager once the program is operational and day-to-day operations are established.
Information Security Governance
An effective information security governance program requires constant review. Agencies should monitor the status of their programs to ensure that: (3 parts)
1. Ongoing information security activities are providing appropriate support to the agency mission
2. Policies and procedures are current and aligned with evolving technologies, if appropriate
3. Controls are accomplishing their intended purpose
System Development Life Cycle
The system development life cycle (SDLC) is the overall process of developing, implementing, and retiring information systems through a multistep process: initiation, analysis, design, implementation, and maintenance to disposal.
What are the thirteen information security areas within SP 800-100?
1. Information Security Governance
2. System Development Life Cycle
3. Awareness and Training
4. Capital Planning and Investment Control
5. Interconnecting Systems
6. Performance Measures
7. Security Planning
8. Information Technology Contingency Planning
9. Risk Management
10. Certification, Accreditation, and Security Assessments
11. Security Services and Products Acquisition
12. Incident Response
13. Configuration (or Change) Management
What are the 5 steps of Configuration (or Change) Management?
Step 1: Identify Change
Step 2: Evaluate Change Request
Step 3: Implementation Decision
Step 4: Implement Approved Change Request
Step 5: Continuous Monitoring
Identify Change
The first step of the CM process begins with a person or process associated with the information system identifying a need for a change.
Evaluate Change Request
After initiating a change request, the effects that the change may have on the system or other interrelated systems must be evaluated.
Implementation Decision
Once the change has been evaluated and tested, one of the following actions should be taken:
1. Approve: Implementation is authorized and may occur at any time after the appropriate authorization signature has been documented.
2. Deny: The request is immediately denied regardless of circumstances and information.
3. Defer: Immediate decision is postponed until further notice. In this situation, additional testing or analysis may be needed before a final decision can be made.
Implement Approved Change Request
Once the decision to implement the change has been made, it should be moved from the test environment into production.
Continuous Monitoring
The CM process calls for continuous system monitoring to ensure that it is operating as intended and that implemented changes do not adversely impact either the performance or security posture of the system.
The five subject areas or domains of the maintenance model
External monitoring
Internal monitoring
Planning and risk assessment
Vulnerability assessment and remediation
Readiness and review
External monitoring
Within the maintenance model, the objective of external monitoring is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that the organization needs in order to mount an effective and timely defense.
Three classes of data Sources
1. Vendors
2. CERT organizations
3. Public network sources
Monitoring, Escalation, and Incident Response
The basic function of the external monitoring process is to monitor activity, report results, and escalate warnings.
Data Collection and Management
Over time, the external monitoring processes should capture information about the external environment in a format that can be referenced both across the organization as threats emerge and for historical use.
Monitoring the Internal Environment
The primary goal of the internal monitoring domain is to maintain an informed awareness of the state of all of the organization’s networks, information systems, and information security defenses.
Internal monitoring is accomplished by?
1. Building and maintaining an inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements.
2. Leading the IT governance process within the organization to integrate the inevitable changes found in all network, IT, and information security programs.
3. Monitoring IT activity in real-time using IDPSs to detect and initiate responses to specific actions or trends of events that introduce risk to the organization’s information assets.
4. Monitoring the internal state of the organization’s networks and systems. This recursive review of the network and system devices that are online at any given moment and of any changes to the services offered on the network is needed to maintain awareness of new and emerging threats. This can be accomplished through automated difference-detection methods that identify variances introduced to the network or system hardware and software.
Network Characterization and Inventory
Organizations should have a carefully planned and fully populated inventory of all their network devices, communication channels, and computing devices. This inventory should certainly include servers, as well as desktop applications and partner interconnections, that is, network devices, communications channels, and applications that may not be owned by the organization but are essential to the continued operation of the organization’s partnership with another company. The process of collecting this information is often referred to as characterization.
Difference analysis
A procedure that compares the current state of a network segment (the systems and services it offers) against a known previous state of that same network segment (the baseline of systems and services).
Planning and risk assessment domain
The primary objective of the planning and risk assessment domain is to keep a lookout over the entire information security program, in part by identifying and planning ongoing information security activities that further reduce risk.
Information Security Program Planning and Review
Periodic review of an ongoing information security program coupled with planning for enhancements and extensions is a recommended practice for any organization.
Security Risk Assessments
A method of identifying and documenting the risk that a project, process, or action introduces to the organization; it may also involve offering suggestions for controls that can reduce that risk. The RA process identifies risks and proposes controls.
Network connectivity RA:
Used to respond to network change requests and network architectural design proposals. May be part of or support a business partner’s RA.
Dialed modem RA:
Used when a dial-up connection is requested for a system.
Business partner RA:
Used when a proposal for connectivity with business partners is being evaluated.
Application RA:
Used at various stages in the life cycle of a business application. Content depends on the project’s position in the life cycle when the RA is prepared. Usually, multiple RA documents are prepared at different stages. The definitive version is prepared as the application is readied for conversion to production.
Vulnerability RA:
Used to assist in communicating the background, details, and proposed remediation as vulnerabilities emerge or change over time.
Privacy RA:
Used to document applications or systems that contain protected personal information that needs to be evaluated for compliance with privacy policies of the organization and relevant laws.
Acquisition or divestiture RA:
Used when planning for reorganization as units of the organization are acquired, divested, or moved.
Other RA:
Used when a statement about risk is needed for any project, proposal, or fault that is not contained in the preceding list.
Vulnerability assessment and remediation domain
The primary goal of the vulnerability assessment and remediation domain is to identify specific, documented vulnerabilities and remediate them in a timely fashion.
How is vulnerability assessment and remediation achieved?
1. Using documented vulnerability assessment procedures to safely collect intelligence about networks (internal and public-facing), platforms (servers, desktops, and process control), dial-in modems, and wireless network systems.
2. Documenting background information and providing tested remediation procedures for the reported vulnerabilities.
3. Tracking vulnerabilities from when they are identified until they are remediated or the risk of loss has been accepted by an authorized member of management.
4. Communicating vulnerability information, including an estimate of the risk and detailed remediation plans, to the owners of the vulnerable systems.
5. Reporting on the status of vulnerabilities that have been identified.
6. Ensuring that the proper level of management is involved in the decision to accept the risk of loss associated with unrepaired vulnerabilities.
Penetration testing
A level beyond vulnerability testing, penetration testing is a set of security tests and evaluations that simulate attacks by a malicious external source (hacker).
When is a penetration test, or pen test, usually performed?
A penetration test, or pen test, is usually performed periodically as part of a full security
Internet Vulnerability Assessment
The Internet vulnerability assessment process is designed to find and document the vulnerabilities that may be present in the public-facing network of the organization.
Intranet Vulnerability Assessment
The intranet vulnerability assessment process is designed to find and document selected vulnerabilities that are likely to be present on the internal network of the organization.
Platform Security Validation
The platform security validation (PSV) process is designed to find and document the vulnerabilities that may be present because there are misconfigured systems in use within the organization.
Wireless Vulnerability Assessment
The wireless vulnerability assessment process is designed to find and document the vulnerabilities that may be present in the wireless local area networks of the organization.
Modem Vulnerability Assessment
The modem vulnerability assessment process is designed to find and document any vulnerability that is present on dial-up modems connected to the organization’s networks.
Documenting Vulnerabilities
The vulnerability database, like the risk, threat, and attack database, both stores and tracks information.
Remediating Vulnerabilities
The final process in the vulnerability assessment and remediation domain is the remediation phase.
Acceptance or Transference of Risk
In some instances, risk must either simply be acknowledged as being part of an organization’s business process, or else the organization should buy insurance to transfer the risk to another organization.
Threat Removal
In some circumstances, threats can be removed without requiring a repair of the vulnerability.
Vulnerability Repair
The optimum solution in most cases is to repair the vulnerability. Applying patch software or implementing a workaround often accomplishes this.
Readiness and review domain
The primary goal of the readiness and review domain is to keep the information security program functioning as designed and to keep it continuously improving over time.
Policy needs to be reviewed periodically
Three ways to improve readiness and review
1. Policy review: Policy needs to be reviewed and refreshed from time to time to ensure that it’s sound, in other words, that it provides a current foundation for the information security program.
2. Program review: Major planning components should be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate.
3. Rehearsals: When possible, major plan elements should be rehearsed.
Program Review
As policy needs shift, a thorough and independent review of the entire information security program should be undertaken.
Rehearsals and War Games
Where possible, major planning elements should be rehearsed. Rehearsal adds value by exercising the procedures, identifying shortcomings, and providing security personnel the opportunity to improve the security plan before it is
Digital Forensics
In order to protect the organization, and possibly to assist law enforcement in the conduct of an investigation, the organization must act to document what happened and how.
What are the two key purposes of digital forensics?
1. To investigate allegations of digital malfeasance. A crime against or using digital media, computer technology, or related components (computer as source or object of crime) is referred to as digital malfeasance. To investigate digital malfeasance, you must use digital forensics to gather, analyze, and report the findings of an investigation. This is the primary mission of law enforcement in investigating crimes involving computer technologies or online information.
2. To perform root cause analysis. If an incident occurs and the organization suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorized access, as well as to determine how pervasive and successful the attack was. This is used primarily by IR teams to examine their equipment after an incident.
The organization must choose one of two approaches when employing digital forensics:
1. Protect and forget.
2. Apprehend and prosecute.
Protect and forget.
This approach, also known as patch and proceed, focuses on the defense of the data and the systems that house, use, and transmit it. An investigation that takes this approach focuses on the detection and analysis of events to determine how they happened, and to prevent reoccurrence. Once the current event is over, who caused it or why is almost immaterial.
Apprehend and prosecute
This approach, also known as pursue and prosecute, focuses on the identification and apprehension of responsible individuals, with additional attention on the collection and preservation of potential EM that might support administrative or criminal prosecution. This approach requires much more attention to detail to prevent contamination of evidence that might hinder prosecution.
Digital Forensics Methodology
1. Identify relevant items of evidentiary value (EM)
2. Acquire (seize) the evidence without alteration or damage
3. Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
4. Analyze the data without risking modification or unauthorized access
5. Report the findings to the proper authority
Identify Relevant Items
The affidavit or warrant authorizing a search action must specifically identify what items of evidence can be seized.
Response team
The principal responsibility of the response team is to acquire the information without altering it.
There are generally two methods of acquiring evidence from a system.
Offline Data Acquisition