CISSP – Liability, due diligence and negligence.

  • Liability:
    • If the question is who is ULTIMATELY liable, the answer is Senior Leadership. This does not mean you are not liable; you may be, that depends on Due Care. Who is held accountable, who is to blame, who should pay?
  • Due Diligence and Due Care:
    • Due Diligence – The research to build the IT Security architecture of your organization. Best practices and common protection mechanisms. Research of new systems before implementing.
    • Due Care – Prudent Person Rule – What would a Prudent Person do in this situation?
    • Implementing the IT Security architecture, keeping systems patched. If compromised: fix the issue, notify affected users (Follow the Security Policies to the letter).
  • Negligence (and Gross Negligence) is the opposite of Due Care.
    • If a system under your control is compromised and you can prove you did your Due Care you are most likely not liable.
    • If a system under your control is compromised and you did NOT perform Due Care you are most likely liable.

CISSP – Need to know, least privilege and objects/subjects.

  • Least Privilege and Need to know.
    • Least Privilege – (Minimum Necessary Access) Give users/systems exactly the access they need, no more, no less.
    • Need to know – Even if you have access, if you do not need to know, then you should not access the data.
  • Non-repudiation.
    • A user cannot deny having performed a certain action. This uses both Authentication and Integrity.
  • Subject and Object.
    • Subject – (Active) Most often users, but can also be programs – Subject manipulates Object.
    • Object – (Passive) Any passive data (both physical paper and data) – Object is manipulated by Subject.
    • Some can be both at different times: an active program is a subject; when closed, the data in the program can be an object.

CISSP – IAAA (Identification and Authentication, Authorization and Accountability)

  • Identification:
    • Your name, username, ID number, employee number, SSN etc.
    • “I am Thor”.
  • Authentication:
    • “Prove you are Thor”. – Should always be done with Multifactor Authentication!
    • Something you know – Type 1 Authentication (passwords, pass phrase, PIN etc.).
    • Something you have – Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC etc.).
    • Something you are – Type 3 Authentication (and Biometrics) (Fingerprint, Iris Scan, Facial geometry etc.).
    • Somewhere you are – Type 4 Authentication (IP/MAC Address).
    • Something you do – Type 5 Authentication (Signature, Pattern unlock).
  • Authorization
    • What are you allowed to access – We use Access Control models, what and how we implement depends on the organization and what our security goals are.
    • More on this in Domain 5 – Identity and Access Management (DAC, MAC, RBAC, RUBAC)
  • Accountability (also often referred to as Auditing)
    • Trace an Action to a Subject's Identity:
    • Prove who/what a given action was performed by (non-repudiation).


CISSP – the CIA Triad and its opposites.

Confidentiality, Integrity and Availability

  • Finding the right mix of Confidentiality, Integrity and Availability is a balancing act.
  • This is really the cornerstone of IT Security – finding the RIGHT mix for your organization.
    • Too much Confidentiality and the Availability can suffer.
    • Too much Integrity and the Availability can suffer.
    • Too much Availability and both the Confidentiality and Integrity can suffer.
  • The opposite of the CIA Triad is DAD (Disclosure, Alteration and Destruction).
    • Disclosure – Someone not authorized gets access to your information.
    • Alteration – Your data has been changed.
    • Destruction – Your Data or Systems have been Destroyed or rendered inaccessible.

CISSP – the CIA Triad – Availability!

We want to keep our System and Data available.

  • We use:
    • IPS/IDS.
    • Patch Management.
    • Redundancy on Hardware Power (Multiple Power Supplies/UPSs/Generators), Disks (RAID), Traffic paths (Network Design), HVAC, Staff, HA (high availability) and much more.
    • SLAs – How high an uptime do we want (99,9%?) – (ROI)
  • Threats:
    • Malicious attacks (DDOS, Physical, System compromise, Staff).
    • Application failures (errors in the code).
    • Component failure (Hardware).


CISSP – the CIA Triad – Confidentiality!

We want to keep our information confidential. 

  • We use:
    • Encryption for data at rest (for instance AES256), full disk encryption.
    • Secure transport protocols for data in motion. (SSL, TLS or IPSEC).
    • Good best practices for data in use – clean desk, no shoulder surfing, screen view angle protector, PC locking (automatic and when leaving).
    • Strong passwords, multi factor authentication, masking, Access Control, Need-to-Know, Least Privilege.
  • Threats:
    • Attacks on your encryption (cryptanalysis).
    • Social engineering.
    • Key loggers (software/hardware), cameras, Steganography.
    • IOT (Internet Of Things) – The growing number of connected devices we have poses a new threat; they can be a backdoor to other systems.

CISSP – the CIA Triad!

  • The CIA Triad (AIC)
    • Confidentiality
      • This is what most people think IT Security is.
      • We keep our data secure and our secrets secret.
      • We ensure no one unauthorized can access the data.
    • Integrity
      • How do we protect against modifications of the data and the systems?
      • We ensure the data has not been altered.
    • Availability
      • How do we ensure the data is available when users need to access it?
      • We ensure authorized people can access the data they need, when they need to.

CISSP – Upcoming in-person classes at Honolulu Community College.

Upcoming in-person classes at Honolulu Community College 8/22-9/21:
