Carter Codell – Module 1

Docs: Lecture 1

Tue, 07 Jan 2020 09:53:42 -0500

Overview of Cybersecurity and Information Assurance

Some of the key issues in cybersecurity and information assurance are identify access management, real-time activity monitoring, auditing, and vulnerability management. Cybersecurity security should support the mission on the organization, have explicit responsibilies, require a comprehensive and integrated approach, be periodically reassessed, and be constrained by societal factors.

Common threats:

Errors and omissions
Fraud and theft
Employee sabotage
Loss of physical and infrastructure support
Malicious hackers
Industrial espionage
Malicious code
Foreign government espionage
Threats to personal privacy

Some controls for these threats:

Management	Operational	Technical
policies	personnel / user issues	identification and authentication
program management	preparing for contingencies and disaster	logical access control
risk management	incident reporting and handling	audit trails
life cycle planning	security awareness training	cryptography
assurance	security considerations in support and operations
	physical and environmental security

Management Controls

Policies - program policies, issue-specific and system-specific policies, cost considerations, interdependencies
Program Management - structure of a computer security program, system-level computer security programs, interdependencies, cost considerations
Risk Management - risk assessment, risk mitigation, uncertainty analysis, interdependcies, cost considerations
Life Cycle Planning - benefetis of integrating security in the system life cycle planning, overview of the information security life cycle, computer security act issues for Federal systems
Assurance - accreditation, planning, design and implementation, operational assurance

Operational Controls

Personnel / User Issues - staffing, user administration
Preparing for Contingencies and Disasters - Buiness Plan, BCP, DRP
Incident Reporting and Handling - benefits of an incident handling capability, technical support for incident handling, incident response plans and procedures
Security Awareness Training - behavior, accountability, awareness, training, education, implementation
Security Considerations: Support and Operations - user support, software support, configuration management, backups, media controls, documentation, maintenance
Physical and Environmental Security - physical access controls, fire safety factors, interception of data, mobile and portable systems, failure of supporting utilities, structural collapse, plumbing leaks

Technical Controls

Identification and Authenication - identification, authenication, passwords, dual factor
Logical Access Control - access criteria, access control policies
Audit Trails - benefits, audit trails and logs, audit trail reviews
Cryptography - basic cryptographic technologies, interdependencies

Docs: Risk Assessment Handbook - Chapter 1

Tue, 07 Jan 2020 09:39:28 -0500

Introduction

The Need for an Information Security Program

As more critical and personal information is stored, transmitted, and processed on information systems, more information security regulations are being developed and applied. Since 1995 there has been a surge of new legislation including the Gramm Leach Bliley Act (GLBA) and the Sarbanes-Oxley Act. All of these regulations call for the implementation of an adequate set of information security practices.

The U.S. Federal Government has decided to step in and police agencies and corporations in certain industries. To avoid fines and jail, affected agencies and corporations have to implement minimum security practices.

While these regulations have different requirements, one similarity is that each require the organization to perform an information security risk assessment.

Elements of an Information Security Program

There are a multitude of threats and safeguards, but the answer to threats is not to enact every countermeasure available. An organization should take a risk-based approach to determining the security controls that reduce their threat to a reasonable level. Reasonable is set by guidelines and regulations as well as how much risk an organization is will to accept. Controls can be identified as administrative, physical, and technical. An information security program is a set of controls and its objective is to protect organizational assets from security threats.

Common Core Information Security Practices

A high-level analysis of the core information security practices described above shows a considerable amount of overlap. This overlap defines “information security core practices”.

Unanimous Core Security Practices

Security Responsibility – Security responsibility should be assigned to an individual or entity with the proper authority, visibility, and expertise to perform the job adequately.
Risk Management – The organization's management needs to have an understanding of the risk to its assets and have an approach for addressing those risks.
Risk Assessment – An organization needs a periodic and objective analysis of the effectiveness of the current security controls that protect an organization's assets.
Network Security – An organization must ensure the confidentiality, integrity, and availability of information assets and resources while in transit, processing, or storage.
Security Awareness Training – An effective security awareness training program should be developed and administered to all those who will be given access to the organization's facilities or information systems.
Incident Management – The organization should have a process in place that identifies security incidents in progress or evidence of such incidents in the past. Incident management includes identification, investigation, and reporting.

Majority Core Security Practices

Information Security Policies – The basis of any information security program is the definition of security.
Access Control – Mechanisms must be in place to ensure that only authorized individuals will have access to sensitive information and resources.
Physical Security – Mechanisms must be in place to physically protect organizational equipment, locations, and employees.
BCP and DRP – Business continuity planning and disaster recovery planning ensures that the organization has identified its critical processes and assets, developed a plan for minimizing the loss in the event of a disaster, and periodically tests the plan.
Secure Development Life Cycle – The best way to ensure that an information system or information system component enforces its security policy is to design it securely from the start.
Accountability – The security-relevant actions of users must be recorded and reviewed by security personnel.
Secure Media Handling – Sensitive information stored on media must be handled appropriately to ensure that unauthorized users do not gain access to the data stored on the media.
Oversight of Third Parties – Many organizations allow other service organizations to access or process their sensitive information.

Security Risk Assessment

The security risk assessment measures the strength of the overall security program and provides the information necessary to make planned improvements based on information security risks.

The Role of the Security Risk Assessment

There are four stages of the security risk management process:

Security Risk Assessment – This is an objective analysis of the effectiveness of the current security controls that protect an organization's assets and a determination of the probability of losses to those assets.
Test and Review – Security testing is the examination of the security controls against the security requirements.
Risk Mitigations – Risks to an organziation's assets are reduced through the implementation of new security controls or the improvement of existing controls.
Operational Security – The implementation and operation of most security controls are performed by operational personnel.

Definition of a Security Risk Assessment

An objective analysis of the effectiveness of the current security controls that protect an organization's assets and a determination of the probability of losses to those assets.

The Need for a Security Risk Assessment

Checks and Balances
Periodic Review
Risk-Based Spending
Requirement

A security risk assessment can provide some additional, secondary benefits:

the transfer of knowledge from the security assessment team to the organziation's staff,
increased communications regarding security among buiness units,
increased security awareness within the organization, and
the results of the security risk assessment may be used as a measure of the security posture.

Gap Assessment - a review of what exists against an interpretation of what the regulation or guideline requires. Performed at the beginning of the organization's compliance pursuit with a standard or regulation.
Compliance Audit - an objective review of the organization's compliance with a security standard.
Security Audit - a verification that the security controls that have been specified are properly implemented.
Vulnerability Scanning - the testing of the external or internal interfaces of a system in order to identify obvious vulnerabilities.
Penetration Testing - a service provided by an objective team who attempt to penetrate the defenses of an organization in order to demonstrate the effectiveness of the current controls.
Ad Hoc Testing - a search for less obvois vulnerabilities.
Social Engineering - an assessment of the security training, policies, and procedures of the organization by attempting to gain unauthorized access through the human element.
Wardialing - attempting to gain access to information systems through unprotecting modems.

Docs: Risk Management Tools

Tue, 07 Jan 2020 09:38:56 -0500

Strong Security Needs the Right Tools

Inventorying is keeping track of what devices, services, applications, and other assests exist.
Risk Tracking is tracking risks and mitigrations, visualizing risks by severity, and creating reports.
Threat Analysis is assessing the risks to your organization that might arise as a result of threats.
Vulnerability Information is details on what technical vulnerabilities exist and scanning for them.
Monitoring is monitoring the environment for events and incidents.

Docs: Promoting Private Sector Cybersecurity Information Sharing

Tue, 07 Jan 2020 09:38:39 -0500

Organizations must be able to share information related to cybersecurity risks and incidents and collaborate. Sharing must be conducted in a manner that protects the privacy and civil rights of individuals and perserves business confidentiality.

The Department of Homeland Security shall encourage the formation of Information Sharing and Analysis Organizations (ISAOs). ISAOs may be organzied on the basis of sector, sub-sector, region, in response to specific threats or vulnerabilities, etc. Membership to ISAOs may be drawn from public or private sector.

ISAO Standards Organization

The Department of Homeland Security will pick a Standards Organization to identify guidelines for the creating and functioning of ISAOs.

Critical Infrastructure Protection Program

The National Cybersecurity and Communications Integration Center is a critical infrastructure protection program and can entering into voluntary agreements with ISAOs.

Privacy and Civil Liberties Protections

Agencies will ensure that appropriate protections for privacy and civil liberties are incorporated into information sharing.

Docs: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Tue, 07 Jan 2020 09:38:17 -0500

This executive order outlines how the executive branch is like an enterprise which houses citizens’ data. Risk management should work in the executive branch as it does in an organization. Plans with be submitted to the President outlining action items, budget conerns, and recommendations.

Effective risk management requires planning so that maintenance, improvements, and modernization occur in a coordinated way with appropriate regularity.

Docs: National Cyber Strategy of the USA

Tue, 07 Jan 2020 09:37:44 -0500

The National Cyber Strategy outlines how the U.S. will

defend the homeland by protecting networks, systems, functions, and data
promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation
preserve peace and security by stengthening the United States’ ability to deter and punish those who use cyber tools for malicious purposes
expand American influence aborad to extend the key tenets of an open, interoperable, reliable, and secure Internet.

Protect the American People, the Homeland, and the American Way of Life

Objective: Mange cybersecurity risks to increase the security and resilience of the Nation's information and information systems.

Actions:

Further centralize management and oversight of Federal civilian cybersecurity
Align risk management and information technology Activities
Improve Federal supply chain risk mangement
Strengthen Federal contractor cybersecurity
Ensure the Government leads in best and innovative practices
Refine roles and responsibilities
Prioritize actions according to identified national risks
Leverage information and communications technology providers as cybersecurity enablers
Protect our democracy
Incentivize cybersecurity investments
Prioritize national research and development investments
Improve transportation and maritime cybersecurity
Improve space cybersecurity
Improve incident reporting and response
Modernize electronic surveillance and computer crime laws
Reduce threats from transnational criminal organizations in cyberspace
Improve apprehension of criminals located abroad
Strengthen partner nations’ law enforcement capacity to combat criminal cyber activity

Promote American Prosperity

Objective: Preserve U.S. influence in the technological ecosystem and the development of cyberspace as an open engine of economic growth, innovation, and efficiency.

Actions:

Incentivize an adaptable and secure technology marketplace
Prioritize innovation
Invest in next generation infrastructure
Promote the free flow of data across borders
Maintain U.S. leadership in emerging technologies
Promote full-lifecycle cybersecurity
Updata Mechanisms to review foreign investment and operation in the U.S.
Maintain a strong and balanced intellectual property protection system
Protect the confidentiality and integrity of American ideas
Build and sustain the talent pipline
Expand re-skilling and educational opportunities for America's workers
Enhance the Federal cybersecurity workforce
Use executive authority to highlight and reward talent

Preserve Peace through Strength

Objective: Identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving U.S. overmatch in and through cyberspace.

Actions:

Encourage universal adherence to cyber norms
Lead with objective, collaborative intelligence
Impose consequences
Build a cyber deterrence initiative
Counter malign cyber influence and information operations

Advance American Influence

Objective: Preserve the long-term openness, interoperability, security, and reliability of the Internet which supports and is reinforced by U.S. interests.

Actions:

Protect and promote Internet freedom
Work with like-minded countries, industry, academia, and civil society
Promote a multi-stakeholder model of Internet governance
Promote interoperable and reliable communications infrastructure and Internet connectivity
Promote and maintain markets for U.S. ingenuity worldwide
Enhance cyber capacity building efforts

Carter Codell – Module 1

Docs: Lecture 1

Overview of Cybersecurity and Information Assurance

Management Controls

Operational Controls

Technical Controls

Docs: Risk Assessment Handbook - Chapter 1

Introduction

The Need for an Information Security Program

Elements of an Information Security Program

Common Core Information Security Practices

Unanimous Core Security Practices

Majority Core Security Practices

Security Risk Assessment

The Role of the Security Risk Assessment

Definition of a Security Risk Assessment

The Need for a Security Risk Assessment

Related Activities

Docs: Risk Management Tools

Strong Security Needs the Right Tools

Docs: Promoting Private Sector Cybersecurity Information Sharing

Information Sharing and Analysis Organizations

ISAO Standards Organization

Critical Infrastructure Protection Program

Privacy and Civil Liberties Protections

Docs: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Docs: National Cyber Strategy of the USA

Protect the American People, the Homeland, and the American Way of Life

Actions:

Promote American Prosperity

Actions:

Preserve Peace through Strength

Actions:

Advance American Influence

Actions: