0x00 Exam tips
Risk assessment is used to collect data; risk analysis studies the collected data to determine what actions should be taken.
0x01 Risk management
In a security context, risk refers to the possibility that damage occurs, together with the consequences that follow from it.
Risk Management
Risk management is the process of identifying and evaluating risks, reducing them to an acceptable level, and ensuring that this level is maintained.
The main risks to information security:
- Physical damage: fires, floods, deliberate destruction, power outages and natural disasters.
- Human interaction: accidental or intentional behaviour, or careless work habits, that can reduce productivity.
- Equipment malfunction: failure of the system or of peripheral equipment.
- Inside and outside attacks: hackers, crackers and other attacks.
- Misuse of data: sharing trade secrets, fraud, espionage and theft.
- Loss of data: intentional or unintentional loss of information through destructive means.
- Application error: calculation errors, input errors and buffer overflows.
NIST SP 800-39
Three tiers of risk management are defined:
- At the organizational tier, the focus is on the risks of the business as a whole; this tier frames everything that follows and sets key parameters such as risk tolerance.
- At the business process tier, risk is addressed for the organization's major functions, for example by defining the criticality of the information flows between the organization and its partners or customers. This is the bottom layer.
- At the information system tier, risks are addressed from the perspective of the information systems.
Information System Risk Management Strategy
Proper risk management requires a firm commitment from senior management, a documented process that supports the organization's mission, an information security risk management (ISRM) strategy, and an appointed ISRM team. In a large organization the company should select one person to lead the team; that person should spend 50-70% of their time on risk management. Management must fund the necessary training for this person and provide risk analysis tools so that risk management can proceed smoothly.
Risk management process
- Frame risk: defines the context in which all other risk activities take place.
- Assess risk: before any action is taken to reduce a risk, the risk must be assessed.
- Respond to risk: to deal with risks, match limited resources to controls in order of priority.
- Monitor risk: to stay ahead of adversaries, continuously monitor the effectiveness of the controls designed for each risk.
0x02 Threat modeling
Threat modeling: a process that describes the adverse effects a threat source can have on an asset.
Vulnerabilities
1. Information
Information is the core of an information system and potentially the most valuable asset on a computer. In a computer information system (CIS), information is represented as data.
Classification of data:
- Data at rest: an insider copies the data to a USB drive and hands it to unauthorized personnel, compromising its confidentiality.
- Data in transit: an outsider intercepts the data on the network, modifies it and forwards it (a man-in-the-middle attack), compromising its integrity.
- Data in use: a malicious process exploits a TOC/TOU (time-of-check/time-of-use) or race-condition vulnerability to delete the data, compromising its availability.
2. Processes
Process vulnerabilities can be regarded as a specific kind of software vulnerability.
3. Personnel
People are treated as the weakest link in the security chain.
- Social engineering
- Social networks
- Passwords
Threats
A threat is a potential cause of an adverse event that may result in damage to a system or organization.
Threat source classification:
- Malicious attacker
- Insider
- Natural event
Attacks
Three important components form the core of the threat model:
- An existing vulnerability
- A viable attack
- A capable threat
The terms attack chain and kill chain refer to a specific type of attack tree without branches: it proceeds from one stage or action straight to the next.
The attack tree is more expressive because it shows the many ways an attacker can accomplish each goal.
Reduction Analysis
The attack tree also gives rise to a technique called reduction analysis, which has two aims:
- Reduce the number of attacks we must consider, by finding the conditions that attacks have in common so that fewer conditions need to be mitigated.
- Reduce the threat posed by the attacks. When you implement mitigation techniques, the closer you place a control to the root node, the more leaf-node attacks that one control mitigates.
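As an added example (not part of the original notes), the reduction analysis described above can be carried out mechanically on a small attack tree. The tree below is constructed for illustration and its node names are assumptions: the root is the attacker's goal, OR nodes list alternative ways of reaching a node, AND nodes require every child, and leaves are individual conditions. `rank_controls` scores each node by how many complete attack paths a control placed there would cut off, which is why a control near the root outranks one on a single leaf.

```python
"""Reduction analysis on a constructed attack tree (added example, not from the notes)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "or" (any child suffices) or "and" (all children needed)
    children: List["Node"] = field(default_factory=list)


def attack_paths(node: Node) -> List[FrozenSet[str]]:
    """Every distinct set of leaf conditions that lets an attacker reach this node."""
    if not node.children:
        return [frozenset([node.name])]
    if node.kind == "or":
        return [p for child in node.children for p in attack_paths(child)]
    # AND node: combine one path from each child
    paths: List[FrozenSet[str]] = [frozenset()]
    for child in node.children:
        paths = [p | q for p in paths for q in attack_paths(child)]
    return paths


def prune(node: Node, mitigated: str) -> Optional[Node]:
    """Copy of the tree with the mitigated node removed, or None when the node
    itself becomes unreachable (an AND node loses a child, an OR node loses all)."""
    if node.name == mitigated:
        return None
    kept = [c for c in (prune(ch, mitigated) for ch in node.children) if c is not None]
    if node.children and not kept:
        return None
    if node.kind == "and" and len(kept) < len(node.children):
        return None
    return Node(node.name, node.kind, kept)


def paths_blocked_by(tree: Node, mitigated: str) -> int:
    """Number of complete attack paths that a control at `mitigated` removes."""
    before = len(attack_paths(tree))
    pruned = prune(tree, mitigated)
    after = 0 if pruned is None else len(attack_paths(pruned))
    return before - after


def all_nodes(node: Node) -> List[Node]:
    return [node] + [n for c in node.children for n in all_nodes(c)]


def rank_controls(tree: Node):
    """Candidate control placements ordered by how many attack paths they cut."""
    scored = [(n.name, paths_blocked_by(tree, n.name)) for n in all_nodes(tree)]
    return sorted(scored, key=lambda s: (-s[1], s[0]))


# Constructed tree; the names are illustrative and not taken from the notes.
TREE = Node("Read customer database", "or", [
    Node("Obtain database credentials", "or", [
        Node("Phish an administrator"),
        Node("Find credentials in a source repository"),
    ]),
    Node("Exploit the database-facing application", "and", [
        Node("Reach the application over the network"),
        Node("Exploit an injection flaw"),
    ]),
    Node("Take backup media", "and", [
        Node("Enter the data center"),
        Node("Remove a backup tape"),
    ]),
])

if __name__ == "__main__":
    print(f"{len(attack_paths(TREE))} attack paths")
    for name, blocked in rank_controls(TREE):
        print(f"{blocked} path(s) blocked by a control at: {name}")
```

The pruning rule is what makes the AND/OR distinction matter: one control on "Enter the data center" closes the whole backup-media branch, while a control on "Phish an administrator" leaves the source-repository path open. Reading the same ranking the other way round shows which conditions several attacks share, which is the "fewer conditions to mitigate" half of reduction analysis.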
0x03 Risk assessment and analysis
A risk assessment (actually a risk management tool) method can identify vulnerabilities and threats and assess the possible losses, thereby determining how to implement security protection measures. After evaluating the risk, the results can be analyzed.
The risk analysis has the following 4 main objectives:
- Identify assets and their value to the organization.
- Identify vulnerabilities and threats.
- Quantify the likelihood of potential threats and their impact on the business.
- Achieve budget balance between the impact of threats and the cost of countermeasures.
Risk analysis provides a cost/benefit comparison: the ratio between the cost of the protective measures used to protect the company from the threats and the cost of the expected loss.
The right questions for a risk assessor to ask:
- What events (threat events) may occur?
- What is the potential impact (risk)?
- How often do they occur (frequency)?
Examples of common dangers: a risk carries a potential loss (direct loss) and a delayed loss (secondary consequences).
Risk assessment methods
NIST
- (1) Prepare for the assessment
- (2) Conduct the assessment
a. Identify threat sources and events
b. Identify vulnerabilities and predisposing conditions
c. Determine the likelihood of occurrence
d. Determine the magnitude of impact
e. Determine the risk
- (3) Communicate the results
- (4) Maintain the assessment
The NIST risk management method focuses on computer systems and IT security issues. It addresses only the operational level of the enterprise rather than the higher strategic level.
FRAP
Facilitated Risk Analysis Process: the core of this qualitative approach is to focus only on the systems that really need to be evaluated, in order to reduce cost and time.
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation: designed specifically for those who manage and direct information security risk assessments within the company. It places the organization's own staff in a position of authority so that they can decide the best way to carry out the assessment.
AS/NZS 4360
Takes a broader approach to risk management, focusing on the health of the company from a business perspective rather than a security perspective.
ISO/IEC 27005
An international standard that specifies how to manage risk within the framework of an ISMS.
FMEA
Failure Modes and Effect Analysis: a method for determining functions, identifying functional failures, and evaluating the causes and effects of failures through a structured process.
CRAMM
Central Computing and Telecommunications Agency Risk Analysis and Management Method: divided into three stages, defining objectives, assessing risks, and identifying countermeasures.
Risk analysis methods
Risk analysis has two methods: quantitative and qualitative.
- Quantitative risk analysis attempts to assign specific and meaningful numbers to all elements of the risk analysis process.
The most commonly used formulas are the single loss expectancy (SLE) and the annualized loss expectancy (ALE):
Asset value * Exposure factor = SLE
SLE * Annualized rate of occurrence = ALE
- Qualitative risk analysis does not produce specific measurements; it only ranks risks, for example as red, yellow or green.
Qualitative analysis techniques draw on judgment, best practices, intuition and experience. Examples of qualitative data collection are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings and interviews.
Qualitative and quantitative comparison
Disadvantages of quantitative methods
- The calculation is more complicated. Can management understand how these values are calculated?
- No automated tools are available, so the process must be completed entirely by hand.
- A lot of basic work needs to be done to gather detailed information related to the environment.
- There is no corresponding standard. Each supplier interprets its evaluation process and results differently.
Disadvantages of qualitative methods
- Evaluation methods and results are relatively subjective.
- Unable to establish monetary value for cost / benefit analysis.
- It is difficult to track risk management using subjective measures.
- There is no corresponding standard. Each supplier interprets its evaluation process and results differently.
Protection mechanisms
Identify the current security mechanisms and evaluate their effectiveness. The risk analysis team must evaluate the function and effectiveness of the protective measures.
A security countermeasure must make good business sense, meaning that it is cost-effective (its benefits outweigh its costs). This requires another analysis: the cost/benefit analysis.
(ALE before implementing the safeguard) - (ALE after implementing the safeguard) - (annual cost of the safeguard) = value of the safeguard to the company
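As an added example (not part of the original notes), the SLE/ALE formulas from the quantitative section and the safeguard-value formula above can be combined to compare several candidate safeguards for one risk. The scenario, asset value, exposure factors, rates of occurrence and safeguard costs below are all constructed for illustration and are not figures from the notes.

```python
"""Quantitative risk analysis and safeguard cost/benefit (added example, not from the notes)."""
from typing import Dict, List


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (share of the asset lost in one event)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before) - (ALE after) - (annual cost of the safeguard) = value to the company."""
    return ale_before - ale_after - annual_cost


def evaluate_safeguards(asset_value: float, exposure_factor: float, aro: float,
                        safeguards: List[Dict]) -> List[Dict]:
    """Score each candidate safeguard and sort by net value, best first.

    Each safeguard states the exposure factor and ARO that remain once it is in
    place plus its annual cost. A negative value means the safeguard costs more
    per year than the loss it prevents; ale_after is the residual annual loss."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    rows = []
    for s in safeguards:
        sle_after = single_loss_expectancy(asset_value, s["ef_after"])
        ale_after = annualized_loss_expectancy(sle_after, s["aro_after"])
        value = safeguard_value(ale_before, ale_after, s["annual_cost"])
        rows.append({"name": s["name"], "ale_before": ale_before, "ale_after": ale_after,
                     "annual_cost": s["annual_cost"], "value": value,
                     "cost_effective": value > 0})
    return sorted(rows, key=lambda r: r["value"], reverse=True)


# Constructed scenario: a data center worth 1,000,000 facing a fire that would destroy
# 25% of it (EF = 0.25) about once every ten years (ARO = 0.1). Figures are illustrative.
ASSET_VALUE = 1_000_000
EXPOSURE_FACTOR = 0.25
ARO = 0.1
SAFEGUARDS = [
    {"name": "Smoke detection and suppression", "ef_after": 0.05, "aro_after": 0.1, "annual_cost": 12_000},
    {"name": "Annual fire-safety audit", "ef_after": 0.25, "aro_after": 0.05, "annual_cost": 3_000},
    {"name": "Fully equipped hot site", "ef_after": 0.02, "aro_after": 0.1, "annual_cost": 40_000},
]

if __name__ == "__main__":
    for r in evaluate_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, SAFEGUARDS):
        verdict = "worth it" if r["cost_effective"] else "not cost-effective"
        print(f"{r['name']:<34} residual ALE {r['ale_after']:>9,.0f}  net value {r['value']:>10,.0f}  {verdict}")
```

Two things the table makes visible that the formulas alone do not: a cheap control that only lowers the rate of occurrence can outrank a more thorough one that lowers the exposure factor, and a control that drives residual risk almost to zero can still have negative value, which is the reason the notes ask whether the benefits outweigh the costs before a countermeasure is adopted.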
Total risk and residual risk
Security work is never finished.
Dealing with risk
There are four basic ways to deal with risk:
- Transfer
- Avoid
- Mitigate
- Accept
Outsourcing
Functions can be outsourced, but risk cannot be outsourced.
0x04 Risk management frameworks
A Risk Management Framework (RMF) is defined as a structured process that allows an organization to identify and assess risks, reduce them to an acceptable level, and ensure that they stay at that level. In essence, an RMF is a structured approach to risk management.
Common frameworks:
- NIST RMF (SP 800-37r1)
- ISO 31000:2009
- ISACA Risk IT
- COSO Enterprise Risk Management - Integrated Framework
Six steps of the RMF
- (1) Categorize the information system
- (2) Select security controls
- (3) Implement security controls
- (4) Assess security controls
- (5) Authorize the information system
- (6) Monitor security controls
0x05 Business continuity and disaster recovery
As a security professional, you need to develop various plans for unexpected situations.
- The goal of disaster recovery is to minimize the impact of a disaster or interruption.
- The goal of a disaster recovery plan is to deal with the disaster and its consequences once it has occurred.
- Disaster recovery plans are usually centered on information technology (IT).
Disaster Recovery Plan (DRP)
A plan that is carried out while everything is still in emergency mode and everyone is scrambling to bring all critical systems back online.
Business Continuity Plan (BCP)
Takes a broader approach to the problem. It can include restoring key systems in another environment while the original facility is repaired, getting the right people to the right locations during that time, and running the business in a different mode until normal conditions are restored. It also involves dealing with customers, partners and shareholders through different channels until everything returns to normal.
Business Continuity Management (BCM)
BCM is the overall management process, which should include the DRP and the BCP.
Standards and best practices
NIST SP 800-34
ISO/IEC 27031:2011
Good Practice Guidelines (GPG): the Business Continuity Institute's best practices for BCM
Management practices:
- Policy and programme management
- Embedding BCM in the organization's culture
Technical practices:
- Understanding the organization
- Determining the BCM strategy
- Developing and implementing the BCM response
- Exercising, maintenance and review
DRI International: Professional Practices for business continuity planners (best practices and framework)
BCP project management
SWOT
SWOT analysis stands for Strengths / Weaknesses / Opportunities / Threats:
- Strengths are characteristics of the project team that give it an advantage over other teams.
- Weaknesses are characteristics that put the team at a disadvantage relative to other teams.
- Opportunities are elements that can contribute to the project's success.
- Threats are elements that could cause the project to fail.
Business Impact Analysis (BIA)
A BIA is considered a functional analysis. In a BIA, the BCP team collects data through interviews and documentary sources to record the business functions, activities and transactions of the enterprise, ranks the business functions by level, and finally draws up a classification scheme that expresses the importance of each individual function.
The outage time the company can tolerate is the Maximum Tolerable Downtime (MTD), also called the Maximum Period Time of Disruption (MPTD).
The shorter the MTD, the higher the restoration priority of the function in question.
- Non-essential: 30 days
- Normal: 7 days
- Important: 72 hours
- Urgent: 24 hours
- Critical: minutes to hours
The BCP policy mainly includes the scope, mission statement, principles, guidelines and standards.
0x06 Personnel security
- Separation of duties
Ensures that an important task cannot be completed by one person alone. Separation is a preventive administrative control put in place to reduce potential fraud.
- Split knowledge
- Dual control
- Rotation of duties
A detective administrative control; if it is in place, fraudulent activity can be uncovered.
- Mandatory vacation
Employees working in sensitive areas are required to take vacation, which can reveal fraudulent errors or activities.
- Hiring practices
Signing a non-disclosure agreement; background checks.
- Termination
- The dismissed employee must leave the company immediately under the supervision of a manager or security guard.
- The dismissed employee must hand in all identification badges and keys, complete an exit interview, and return the company's property.
- The company must immediately disable or change the dismissed employee's accounts and passwords.
- Security awareness training
- The organization should use a variety of methods to reinforce security awareness.
- Screen banners, employee handbooks and even posters can be used to remind employees of their responsibilities and of the need for good security practices.
- Degree or certification
0x07 Security governance
What is governance?
Governance is the management of management.
Security governance is a framework that allows an organization's security goals to be set and expressed by senior management, communicated at the different levels of the organization, grants entities the authority to implement and enforce security measures, and provides a way to verify that these necessary security activities are carried out.
0x08 Ethics
- Protect society and the public interest, and the necessary public trust and confidence.
- Act honorably, honestly, justly, responsibly and legally.
- Provide diligent and competent service to clients.
- Advance and protect the profession.