CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management Part 4
- Categorizing Data
Let’s start with what should be a review for most of you at this point. Most don’t come directly into the CASP exam. So you’ve probably heard of the three fundamentals or triad of security, and that is CIA: confidentiality, integrity, and availability. So what is confidentiality? Well, that’s keeping something secure, preventing the disclosure of data or information to those that aren’t authorized to see it. As a part of this, the sensitivity level needs to be determined before we can put any access controls in place, because data with a higher sensitivity level is going to have more access controls than data with a lower sensitivity level.
The opposite of confidentiality is disclosure. We’re making this known. And so technologies that deal with confidentiality are things like encryption, steganography, data classifications, and access control lists. Integrity is the second part of the triad. Integrity is all about ensuring that data is protected from being modified by unauthorized personnel or being corrupted. So we’re trying to preserve the consistency of the data. So the opposite of integrity would be corruption of the data. And unfortunately, this is something that’s often missed and not even considered.
But it is as important as data confidentiality. I have to know that the data I’m looking at has maintained its integrity, it hasn’t been corrupted. How do we do that? Well, it’s technologies like digital signatures, checksums and hashes that will provide that capability. And then finally, availability. The data has to be accessible. It has to be accessible when it’s needed, it has to be accessible where it’s needed and to whom it’s needed.
Only individuals who need access to the data should be allowed it. But if they can’t access it, then our security mechanisms have fallen through. The opposite of this would be destruction or isolation. Sometimes we consider this, or some people, I should say, consider this to be the least important of the three. But there are many attacks that target the availability of data. For instance, denial of service attacks. It’s a security-related incident, but it’s not targeting the data itself and not trying to corrupt it; it’s just trying to prevent the system from being accessed.
So when you think availability, you think high availability, which is often not thought to be related to security, but it certainly is. Load balancing, hot sites, RAID arrays for disk drives, those kinds of things would be technologies that would help us to ensure the availability of our data. Every single security control that’s put in place by an organization is going to fulfill at least one of these security principles. We need to understand how to circumvent these security principles. That’s just as important as understanding how to provide them.
So we definitely need a balanced security approach because that’s going to ensure that all three facets are considered when security controls are implemented. Impact levels are categorized based on the CIA triad as well, or these different facets. So the impact is low if the loss of any tenet of the CIA triad could be expected to have a limited adverse effect on organizational operations, on its assets, or on individuals. The potential impact would be moderate if the loss could be expected to have serious adverse effects, and then it’s high if it’s expected to have severe or catastrophic effects on operations, assets or individuals. So we do need to classify the impact levels based on those fundamentals of security.
- Incorporating Stakeholder Input
Often security professionals aren’t going to be able to best determine the CIA levels for enterprise information assets, which means we need to talk to somebody who has more knowledge. And so we need to consult with the different asset stakeholders to try to get their input on which level should be assigned for each tenet. For a particular asset, all stakeholders really need to be consulted, not just a few. So, for example, department heads should be consulted, and they have the biggest influence on CIA decisions about a particular departmental asset, but other stakeholders within the department should be consulted as well.
And that rule really holds true for any security project that an enterprise undertakes. This input is a critical part of the process, especially at the start of the project, because we need to make sure that all their needs are documented and that we gain buy-in for the project. If later a problem arises with the project and changes need to be made, well, then we can go back to that information, and we should also communicate back to the stakeholders before any changes are approved or implemented. And so it’s very helpful in determining the CIA levels.
- Aggregate CIA Scores
Another concept you need to be familiar with is the aggregate CIA score. This is defined by FIPS 199. It defines the three impact levels for the three security tenets. But organizations have to define their own levels that are going to be unique to that particular business, because really only an organization can determine whether a particular loss is limited, serious or severe. But the acronym that we need to know is SC, security category.
This is the expression of the three tenets with their values for a particular organizational entity. So the values are going to then be used to determine which security controls should be implemented. If a particular asset is made up of multiple entities, then you need to calculate the SC for that asset based on the entities that make it up.
And so there’s a particular nomenclature here that’s used to express those values, and we can see some examples of that. So for instance, SC public website: low confidentiality, moderate integrity, high availability. And it’s pretty easy to understand SC partner site: confidentiality is moderate, so it has a little bit higher confidentiality. Integrity is high. We’ve got to know that what’s there is not corrupted, and then it needs to be moderately available. Okay, so this is going to be important because security controls are implemented based on that aggregate CIA score. And that’s actually the term for the FIPS 199 nomenclature that you need to know for the exam.
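To make the SC nomenclature concrete, here is an added Python example (not part of the course material) that builds the security category for the two information types named above and then combines them into one system-level SC. The SC notation and the high-water-mark rule (each tenet of the system takes the highest level of any information type it holds) come from FIPS 199; the information type names, the combined "web platform" system, and the function names are constructed for this example.

```python
"""FIPS 199 security category (SC) and aggregate CIA score.

Added example; not from the course transcript. The SC notation and the
high-water-mark rule for combining information types follow FIPS 199.
The information types and the combined system below are constructed.
"""
from typing import Dict, Iterable

# Ordered impact levels; a higher index means a greater adverse effect.
LEVELS = ("low", "moderate", "high")
TENETS = ("confidentiality", "integrity", "availability")


def security_category(name: str, c: str, i: str, a: str) -> Dict[str, str]:
    """Build the SC for one information type, rejecting unknown levels."""
    sc = {"confidentiality": c, "integrity": i, "availability": a}
    for tenet, level in sc.items():
        if level not in LEVELS:
            raise ValueError(f"{name}: {tenet} level {level!r} not in {LEVELS}")
    return sc


def format_sc(name: str, sc: Dict[str, str]) -> str:
    """Render the FIPS 199 nomenclature, e.g. SC x = {(confidentiality, LOW), ...}."""
    body = ", ".join(f"({t}, {sc[t].upper()})" for t in TENETS)
    return f"SC {name} = {{{body}}}"


def aggregate_sc(categories: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Combine several information types into one system SC.

    FIPS 199 uses the high-water mark: for each tenet, the system takes the
    highest impact level of any information type it processes.
    """
    result = {t: "low" for t in TENETS}
    for sc in categories:
        for t in TENETS:
            if LEVELS.index(sc[t]) > LEVELS.index(result[t]):
                result[t] = sc[t]
    return result


def overall_impact(sc: Dict[str, str]) -> str:
    """Overall impact level of an entity: the highest of its three tenets."""
    return max((sc[t] for t in TENETS), key=LEVELS.index)


# Constructed inputs, following the two examples given in the lesson.
PUBLIC_WEBSITE = security_category("public website", "low", "moderate", "high")
PARTNER_SITE = security_category("partner site", "moderate", "high", "moderate")

if __name__ == "__main__":
    print(format_sc("public website", PUBLIC_WEBSITE))
    print(format_sc("partner site", PARTNER_SITE))
    # A hypothetical system that hosts both information types.
    system = aggregate_sc([PUBLIC_WEBSITE, PARTNER_SITE])
    print(format_sc("web platform", system), "-> overall", overall_impact(system))
```

The point of the aggregate step is that a system hosting both sites inherits moderate confidentiality from the partner site, high integrity from the partner site and high availability from the public site, so its controls are selected against that combined category rather than against either site alone.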
- Selecting and Implementing Controls
Security professionals also need to ensure that the appropriate controls are selected and implemented in order for organizational assets to be protected. The controls that we select and implement are always going to be based on the CIA requirements in conjunction with the policies implemented by the organization. Now, after you’ve implemented, generally speaking, we’re going to do a gap analysis just to see whether any security gaps still exist and whether there are other controls that can be implemented to fill those gaps. When you implement access controls as countermeasures to identified vulnerabilities, you’re dividing things into seven main categories, and these are important for us to understand. The first is compensative. Compensative controls are in place to substitute for a primary access control, and they mainly just help to mitigate risk.
They reduce risk to a more manageable level. An example of this type of control would be requiring two authorized signatures to release sensitive or confidential information, or two keys owned by two different people to open a safety deposit box or a safe. Corrective controls are in place to reduce the effect of an attack or any sort of undesirable event.
So we use these to fix or restore the entity that is actually being attacked. So think fire extinguishers, network access or intrusion prevention, which could isolate or terminate a connection. Automatic new firewall rules, server images that would restore a system to its previous state. These are corrective controls and so they’re useful after the event has occurred. Then you have detective controls. These are in place to detect an attack when it’s occurring and to alert the appropriate people. So intrusion detection systems, motion detectors, auditing, job rotation, et cetera. Deterrent controls deter or discourage an attacker.
If we’re using these types of controls, we can usually identify attacks very early in the process because they often trigger preventative or corrective controls. So user identification, fences, lighting, NDAs, security policies, these would all be deterrents. Directive controls specify the acceptable practice within an organization. So they are there to formalize the security directive of an organization, primarily to its employees. The most popular one of these would be the acceptable use policy, which lists out all the proper procedures and behaviors that personnel need to follow. Preventative controls prevent an attack from occurring. So locks, biometric systems, encryption, intrusion prevention, antivirus, these are all preventative controls.
Recovery controls recover a system or a device after an attack has occurred. The primary goal there is just to restore service. And then we have three types of access controls. We have administrative or management, logical or technical, and physical. The administrative or management controls are implemented to administer the organization’s assets and personnel.
That’s going to include security policies, procedures, standards, baselines, guidelines. Security awareness training is a very important administrative control because we’re just trying to improve the organization’s attitude about safeguarding data. Then you have logical or technical controls, which are software and hardware components that are used to restrict access. Firewalls, intrusion detection and prevention, authentication systems, passwords, biometrics, et cetera. Those are all logical or technical controls. And then physical controls are implemented to protect the facility. So security guards, perimeter security, mantraps, biometrics, security badges, et cetera. Those would all be examples of physical access controls.
- Security Control Frameworks
A lot of organizations have developed security management frameworks as well as methodologies, and these help guide security professionals. These include a number of different things: security program development standards, enterprise and security architecture development frameworks, security controls, corporate governance methods, process management methods, et cetera.
Standards, frameworks and methodologies are often discussed together just because they’re related to one another. Standards are accepted as best practices, whereas frameworks are not. Standards are very specific, frameworks are more of a general type of thing, and then methodologies are a system of practices, techniques, procedures and rules.
- Options for Frameworks
As you can see here, there’s a very large number of frameworks, and we’re certainly not going to go into the details of every one of these. But you do need to be at least somewhat familiar with what they are. And organizations need to select the framework, the standard, the methodology that represents that organization in the most useful manner, and that’s going to be based on the needs of the stakeholders. So the first is the ISO/IEC 27000 series.
This technically isn’t a framework, but ISO 27000 is a security program development standard on how to develop and maintain information security management systems. It’s a list of standards, each of which addresses a particular aspect of the security management system. And there are three pages’ worth of these different security standards that are developed by the ISO/IEC body. You have the Zachman Framework, which is an enterprise architecture framework. It’s essentially a two-dimensional classification system. It’s based on the communication questions what, where, when, why, who and how, and how those intersect with different perspectives.
You have The Open Group Architecture Framework, TOGAF, which is another framework that helps organizations to design, to plan, to implement and govern information architectures in the enterprise. The Department of Defense Architecture Framework organizes a set of products in various views and is primarily used for governmental systems.
MODAF is an architecture framework that divides information into seven different viewpoints. That’s the British Ministry of Defence Architecture Framework. The name MODAF doesn’t really say that, but that’s what it is. You have the Sherwood Applied Business Security Architecture, SABSA, and that’s another enterprise security architecture framework, similar to Zachman. It uses communication questions that intersect with different layers. It’s a risk-driven type of architecture. Then you have COBIT, Control Objectives for Information and Related Technology. This is a security controls development framework that documents a few different principles like meeting stakeholder needs, covering the enterprise from end to end, having a single integrated framework with a holistic approach, and then separating governance from management. The National Institute of Standards and Technology, NIST, specifically the 800 series, is a set of documents that describes federal government security policies, procedures and guidelines. There’s a huge number of those based on the particular resource as well.
Then you have the HITRUST CSF. HITRUST is a privately held US company that works in healthcare technology, and they established the Common Security Framework, or CSF, which is used by all organizations that utilize any sort of regulated data. CIS Critical Security Controls is the next one. Then you have COSO, the Committee of Sponsoring Organizations, a corporate governance framework that has a number of different interrelated components. OCTAVE is Operationally Critical Threat, Asset and Vulnerability Evaluation. ITIL, which is one that many of us are familiar with, is a process management standard covering development life cycles and such. Six Sigma, which is something that most have heard of, is a process improvement standard that has two different process methodologies associated with it. And then CMMI, Capability Maturity Model Integration, is a process improvement approach that addresses three different areas of interest: product and service development, service establishment and management, and then product and service acquisition. And finally, you have CRAMM, the CCTA Risk Analysis and Management Method. That’s a qualitative risk analysis and management tool. Now, will you be utilizing all of these as a security professional? No, you’ll be picking, or the organization will pick, the one framework that works the best for their specific scenario. So, as I said, you don’t need to know the details on all of these, but at least to have heard of them and understand the function that they provide.
- Extreme Scenario Planning
As a part of security planning, an organization really needs to perform extreme scenario planning. This is also known as worst case scenario planning. It’s very important that we do this because it helps us to anticipate catastrophic events before they occur. And then, of course, we can put in place the appropriate plans.
Now, the first step to this is identifying the threats and analyzing them, as well as the threat actors, anybody who can pose a significant threat to the organization. Actors can be internal actors like a reckless employee or just somebody who doesn’t know any better. Could be a disgruntled employee, could be somebody who’s internal and a spy, could be a vendor. These are all people inside the network. Then you have external actors. External actors are more like competitors, data miners, activists, anarchists, irrational individuals.
They are people outside the organization, and could include terrorists as well. These two categories are then divided into subcategories of non-hostile and hostile. All right? The non-hostile, for instance on the internal side, would be the reckless employee, the untrained employee, and a partner. Everybody else that I mentioned would be considered hostile. It has to do with their intent. Step two, then, is analyzing each threat actor. And we analyze the threat actors according to a set of criteria. They’re then given a ranking which helps us to determine which ones to analyze.
So skill level: do they have no skill, minimal skill, operational skill, or are they very expert? Resources: is it an individual? Is it a team of people? An organization? A government? The limits, the code of conduct. For instance, visibility: overt versus covert versus apathetic. The objective: what are they trying to do? Are they trying to copy? Are they trying to destroy, to injure? Do they not care what they’re trying to do, with no real objective? The outcome: acquisition of data, so theft; gaining a business advantage; damaging the company systems; causing embarrassment; gaining a technical advantage. All of those are potential outcomes. And so it’s with these criteria that the organization can then determine which type of actor it wants to analyze. Following that, they would determine what they really care about protecting, and most of the time that’s done using that FIPS 199 method or some sort of business impact analysis.
- System-Specific Risk Analysis
A risk assessment is a tool that’s used in risk management, and it’s used to identify vulnerabilities and threats, to assess the impact of those vulnerabilities and threats, and then to determine exactly what types of controls we want to implement. Risk assessment or analysis as a whole has four main goals: identify assets and their value, identify vulnerabilities and threats, calculate the threat probability and the impact to the business, and then balance threat impact with countermeasure cost.
There are several keys to a system-specific type of risk analysis. The first is that it should be carried out prior to any mergers and acquisitions that may be occurring, or before any new technology and/or applications are deployed. Secondly, it should be supported and/or directed by senior management. If it’s not, it’s not going to be successful. So management should be defining the purpose and the scope of the risk assessment, because they are going to be responsible for allocating personnel, time and budget resources to that project.
- Qualitative Risk Analysis
In order to make a risk determination, an organization is going to have to perform a formal risk analysis. And a formal risk analysis is going to ask questions like: what corporate assets need to be protected? What are the business needs of the organization? What outside threats are most likely to compromise network security? And there are different types of risk analysis.
The primary two would be qualitative risk analysis and quantitative. And so we want to certainly know the difference between those. Let’s talk about qualitative first. Qualitative risk analysis does not assign monetary and numeric values to all facets of the process. These techniques for qualitative risk analysis are going to include intuition, experience, and best practice techniques.
Best practice techniques like brainstorming, focus groups, surveys, questionnaires, meetings, et cetera. And so essentially each member of the group that’s been chosen to participate in this type of analysis is going to use their experience to rank the likelihood of every threat and then the potential damage that could result. There are some advantages to qualitative over quantitative risk analysis, and it’s primarily that it prioritizes the risk and identifies areas for immediate improvement in addressing threats. But it has disadvantages as well. All the results are subjective.
It’s based on each individual and the dollar value is not provided. And so that doesn’t really give us a cost benefit analysis or any sort of budget help.
- Quantitative Risk Analysis
The other type is quantitative risk analysis. This, as you might have imagined just by the name, does assign a monetary and/or numeric value to all facets of the risk analysis process. This is going to include the asset value, the threat frequency, the vulnerability severity, and then the impact and safeguard cost. And so with quantitative we’re using equations to determine total and residual risk. The advantage of this is that it uses less guesswork. It’s all based on formulas.
The disadvantage is it’s more difficult. The equations themselves are going to be difficult. It’s going to take increased time and effort to complete the analysis and it’s also going to increase the amount of data that needs to be gathered. In reality, most risk analysis is going to be some hybrid of the two, both qualitative and quantitative. A lot of times organizations favor using quantitative for assets that are tangible and then qualitative for intangible assets.
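The lesson says quantitative analysis relies on equations for total and residual risk but doesn’t write them out. The following Python example is added here and is not part of the course material; it uses the standard quantitative formulas (single loss expectancy SLE = asset value x exposure factor, annualized loss expectancy ALE = SLE x annualized rate of occurrence) and shows how residual risk and countermeasure cost are compared, which is the fourth risk-analysis goal named earlier in this chapter. The asset, the two candidate controls and every dollar figure are constructed, and the class and function names are my own.

```python
"""Quantitative risk analysis: SLE, ALE, residual risk and countermeasure value.

Added example; not from the course transcript. The formulas are the standard
quantitative ones (SLE = AV x EF, ALE = SLE x ARO). The asset values,
exposure factors, rates and costs below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost in one event (0..1)
    aro: float               # annualized rate of occurrence (events per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float          # yearly cost of running the control
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def residual_risk(risk: Risk, cm: Countermeasure) -> Risk:
    """The risk that remains after the countermeasure is applied."""
    return Risk(risk.asset, risk.asset_value, cm.new_exposure_factor, cm.new_aro)


def countermeasure_value(risk: Risk, cm: Countermeasure) -> float:
    """Annual net benefit: ALE before minus ALE after minus annual control cost.

    Positive means the control saves more per year than it costs; negative
    means it is more expensive than the loss it prevents.
    """
    return risk.ale() - residual_risk(risk, cm).ale() - cm.annual_cost


# Constructed scenario: a customer database worth 500,000 that a ransomware
# event would degrade by 60%, expected about once every two years.
DB_RISK = Risk("customer database", 500_000, 0.60, 0.5)
OFFLINE_BACKUPS = Countermeasure("offline backups", 20_000, 0.10, 0.5)
MANAGED_SOC = Countermeasure("24x7 managed SOC", 200_000, 0.05, 0.1)

if __name__ == "__main__":
    print(f"SLE = {DB_RISK.sle():,.0f}  ALE = {DB_RISK.ale():,.0f}")
    for cm in (OFFLINE_BACKUPS, MANAGED_SOC):
        print(f"{cm.name}: residual ALE {residual_risk(DB_RISK, cm).ale():,.0f}, "
              f"net annual value {countermeasure_value(DB_RISK, cm):,.0f}")
```

With these constructed numbers the cheaper control wins: backups reduce the loss per event but not its frequency, yet still come out well ahead once their cost is subtracted, whereas the expensive SOC drives the residual ALE lower but costs more per year than the loss it avoids. That comparison of residual risk against safeguard cost is what the quantitative formulas buy you and what a purely qualitative ranking cannot give.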