CISSP AIO7 Study Notes-Chapter 1 Security and Risk Management 1.11-1.18

0x00 exam tips

Risk assessment is used to collect data, and risk analysis studies the collected data to determine what actions should be taken.


0x01 Risk management

In a security context, risk refers to the likelihood of damage and the consequences that follow once that damage has occurred.

Risk management is the process of identifying and evaluating risks, reducing them to an acceptable level and ensuring that this level is maintained.

The main risks to information security:

  • Physical damage: fires, floods, deliberate destruction, power outages and natural disasters.
  • Human interaction: accidental or intentional behavior, or a careless work attitude, that can reduce productivity.
  • Equipment malfunction: failure of systems or peripheral equipment.
  • Inside and outside attacks: hackers, crackers and other attacks.
  • Misuse of data: sharing of trade secrets, fraud, espionage and theft.
  • Loss of data: intentional or unintentional loss of information through destructive means.
  • Application error: calculation errors, input errors and buffer overflows.

NIST SP 800-39 defines three tiers of risk management:

  • At the organizational tier, the focus is on risk to the business as a whole; this tier frames the rest of the process and sets important parameters such as risk tolerance.
  • At the business process tier, risk to the organization's main functions is handled, for example by defining the criticality of the information flows between the organization and its partners or customers.
  • At the information system tier, the bottom tier, risk is addressed from the perspective of the information systems themselves.

Information system risk management policy

Proper risk management requires a firm commitment from senior management, a documented process that supports the organization's mission, an information system risk management (ISRM) policy, and an appointed ISRM team. In a large organization, one member should be chosen to lead the team, and that member should spend 50-70% of their time on risk management. Management must invest in the necessary training for this person and provide risk analysis tools so that risk management can proceed smoothly.

Risk management process

  • Frame risk: defines the context in which all other risk activities take place.
  • Assess risk: before any action is taken to reduce a risk, the risk must be assessed.
  • Respond to risk: to deal with the assessed risks, match limited resources to controls in priority order.
  • Monitor risk: to stay ahead of adversaries, continuously monitor how effective the controls designed for each risk actually are.

0x02 threat modeling

Threat modeling: a process that describes the adverse effects a threat source can have on an asset.

Vulnerabilities

1. Information
Information is the core of an information system and potentially the most valuable asset held on a computer. Within a computer information system (CIS) it takes the form of data.

Classification of data:

  • Data at rest: an insider copies the data to a USB drive and hands it to unauthorized people, compromising its confidentiality.
  • Data in transit: an outsider intercepts and modifies the data on the network and then lets it continue on its way (a man-in-the-middle attack), compromising its integrity.
  • Data in use: a malicious process exploits a TOC/TOU (time-of-check/time-of-use) or race-condition vulnerability to delete the data, compromising its availability.

2. Processes
Process vulnerabilities can be regarded as a specific kind of software vulnerability.

3. Personnel
People are regarded as the weakest link in the security chain.

  • Social engineering
  • Social networks
  • Passwords

Threats

A threat is a potential cause of an adverse event that may damage a system or organization.
Threat source classification:

  • Malicious attacker
  • Insider
  • Natural event

Attacks

Three important components form the core of a threat model:

  • An existing vulnerability
  • A viable attack
  • A capable threat

The terms attack chain and kill chain refer to a specific type of attack tree with no branches, one that proceeds from one stage or action to the next.

An attack tree is more expressive because it shows the many ways an attacker can accomplish each goal.

Reduction analysis

Attack trees also give rise to a technique called reduction analysis, which serves two purposes:

  • Reduce the number of attacks we must consider: find the conditions that several attacks share, so that fewer conditions need to be addressed.
  • Reduce the threat posed by the attacks: when placing mitigations, the closer a control is to the root node, the more leaf-node attacks that single control mitigates.
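The following is an added example, not part of the study notes, that models a small attack tree with AND/OR gates and shows the reduction-analysis point above: a control placed near the root covers more leaf attacks than one placed at a leaf. The tree, its node names and the `achievable`/`coverage` helpers are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Node:
    """Attack-tree node: leaves are attacker steps; OR needs one child, AND needs all."""
    name: str
    gate: str = "OR"
    children: List["Node"] = field(default_factory=list)

def leaves(node: Node) -> List[str]:
    """All leaf attack steps beneath a node (depth-first, left to right)."""
    if not node.children:
        return [node.name]
    return [leaf for child in node.children for leaf in leaves(child)]

def find(node: Node, name: str) -> Optional[Node]:
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None

def achievable(node: Node, mitigated: Set[str]) -> bool:
    """Is the goal still reachable when every node named in `mitigated` is blocked by a control?"""
    if node.name in mitigated:
        return False
    if not node.children:
        return True
    results = [achievable(child, mitigated) for child in node.children]
    return all(results) if node.gate == "AND" else any(results)

def coverage(root: Node, mitigated: Set[str]) -> int:
    """Leaf steps made irrelevant by the chosen controls: a control near the
    root covers every leaf beneath it, which is what reduction analysis exploits."""
    found = [find(root, name) for name in mitigated]
    return sum(len(leaves(node)) for node in found if node is not None)

# Constructed example tree (hypothetical scenario, not taken from the notes).
TREE = Node("Read customer records", "OR", [
    Node("Steal a backup tape"),
    Node("Compromise the database server", "AND", [
        Node("Obtain valid credentials", "OR", [
            Node("Phish an administrator"), Node("Guess a weak password")]),
        Node("Reach the database network", "OR", [
            Node("Pivot from an infected workstation"), Node("Abuse a VPN misconfiguration")]),
    ]),
])
```

Blocking "Obtain valid credentials" (one control, e.g. strong authentication) covers two leaves and, because of the AND gate, the whole server-compromise branch; the root goal only becomes unreachable once the backup-tape path is addressed as well.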

0x03 Risk assessment and analysis

A risk assessment (actually a risk management tool) identifies vulnerabilities and threats and assesses the possible losses, in order to determine how security safeguards should be implemented. Once the risk has been assessed, the results can be analyzed.

The risk analysis has the following 4 main objectives:

  • Identify assets and their value to the organization.
  • Identify vulnerabilities and threats.
  • Quantify the likelihood of potential threats and their impact on the business.
  • Balance the economic impact of the threats against the cost of countermeasures.

Risk analysis provides a cost/benefit comparison: the cost of the safeguards that protect the company from a threat set against the expected cost of the loss.

The right questions for a risk assessor to ask:

  • What events (threat events) may occur?
  • What is the potential impact (risk)?
  • How often do they occur (frequency)?

Examples of common hazards: [figure]
Risk includes potential loss (direct loss) and delayed loss (secondary damage).

Risk assessment method

NIST

  • (1) Prepare for the assessment
  • (2) Conduct the assessment
    a. Identify threat sources and events
    b. Identify vulnerabilities and predisposing conditions
    c. Determine the likelihood of occurrence
    d. Determine the magnitude of impact
    e. Determine the risk
  • (3) Communicate the results
  • (4) Maintain the assessment

The NIST risk management method focuses on computer systems and IT security issues. It addresses only the operational level of the enterprise, not the higher strategic level.

FRAP
Facilitated Risk Analysis Process: the core of this qualitative approach is to focus only on the systems that really need to be assessed, in order to save cost and time.

OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation is designed for people who manage and direct information security risk assessments within the company. It places the organization's own staff in a position of authority so that they can decide the best way to carry out the assessment.

AS/NZS 4360
Takes a broader approach to risk management, focusing on the health of the company from a business perspective rather than a security perspective.

ISO/IEC 27005 is an international standard that specifies how to manage risk within the framework of an ISMS.

FMEA
Failure Modes and Effect Analysis is a method that determines functions, identifies functional failures, and evaluates the causes and effects of those failures through a structured process.

CRAMM
CCTA (Central Computing and Telecommunications Agency) Risk Analysis and Management Method. The method is divided into three stages: defining objectives, assessing risks, and identifying countermeasures.

Risk analysis methods

Risk analysis can be quantitative or qualitative.

  • Quantitative risk analysis attempts to assign concrete, meaningful numbers to every element of the risk analysis process.
    The most commonly used formulas are single loss expectancy (SLE) and annualized loss expectancy (ALE):

    • asset value * exposure factor = SLE
    • SLE * annualized rate of occurrence = ALE
  • Qualitative risk analysis does not produce specific measurements; it only ranks risks, for example as red, yellow and green.
    Qualitative analysis techniques rely on judgment, best practices, intuition and experience.
    Examples of qualitative data-gathering techniques are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings and interviews.

Comparison of qualitative and quantitative methods

Disadvantages of quantitative methods

  • The calculations are more complex. Can management understand how these values are calculated?
  • There are no automated tools available, and this process completely requires manual completion.
  • A lot of basic work needs to be done to gather detailed information related to the environment.
  • There is no corresponding standard. Each supplier interprets its evaluation process and results differently.

Disadvantages of qualitative methods

  • Evaluation methods and results are relatively subjective.
  • Unable to establish monetary value for cost / benefit analysis.
  • It is difficult to track risk management using subjective measures.
  • There is no corresponding standard. Each supplier interprets its evaluation process and results differently.


Protection mechanisms

Identify the current security mechanisms and evaluate their effectiveness. The risk analysis team must evaluate the function and effectiveness of the existing safeguards.

A security countermeasure must make good business sense, which means it must be cost-effective (its benefits outweigh its costs). This requires another analysis: cost/benefit analysis.
(ALE before implementing the safeguard) - (ALE after implementing the safeguard) - (annual cost of the safeguard) = value of the safeguard to the company
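As an added example (not from the study notes), the code below carries the quantitative formulas from the risk analysis section (SLE = AV * EF, ALE = SLE * ARO) through to the safeguard-value formula above, and ranks several candidate safeguards, discarding any whose annual cost exceeds the loss it prevents. All asset values, exposure factors, rates of occurrence and safeguard names are constructed for a hypothetical data-centre fire scenario.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, in the terms the notes use."""
    asset_value: float      # AV: value of the asset to the company
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    aro: float              # ARO: annualized rate of occurrence (0.1 = once in 10 years)

def sle(s: Scenario) -> float:
    """Single loss expectancy: asset value * exposure factor."""
    return s.asset_value * s.exposure_factor

def ale(s: Scenario) -> float:
    """Annualized loss expectancy: SLE * annualized rate of occurrence."""
    return sle(s) * s.aro

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    after: Scenario  # the same threat once the safeguard is in place (lower EF and/or ARO)

def safeguard_value(before: Scenario, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost); positive means the benefits outweigh the cost."""
    return ale(before) - ale(sg.after) - sg.annual_cost

def rank_safeguards(before: Scenario, options: List[Safeguard]) -> List[Tuple[str, float]]:
    """Candidate safeguards ordered by value to the company; those that cost
    more than the loss they prevent (value <= 0) are dropped."""
    scored = [(sg.name, round(safeguard_value(before, sg), 2)) for sg in options]
    return sorted([t for t in scored if t[1] > 0], key=lambda t: t[1], reverse=True)

# Constructed figures for a data-centre fire scenario (hypothetical, not from the notes).
FIRE = Scenario(asset_value=2_000_000, exposure_factor=0.25, aro=0.1)   # SLE 500,000; ALE 50,000
OPTIONS = [
    Safeguard("Fire suppression", 15_000, Scenario(2_000_000, 0.05, 0.1)),      # ALE after 10,000
    Safeguard("Off-site replication", 25_000, Scenario(2_000_000, 0.10, 0.1)),  # ALE after 20,000
    Safeguard("Full facility rebuild", 60_000, Scenario(2_000_000, 0.02, 0.1)), # ALE after 4,000
]

if __name__ == "__main__":
    for name, value in rank_safeguards(FIRE, OPTIONS):
        print(f"{name}: worth {value:,.0f} per year to the company")
```

The rebuild option lowers the ALE the most but is dropped because its annual cost exceeds the loss it prevents, which is exactly what the cost/benefit formula is meant to expose.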

Total risk and residual risk

Security work is never finished.

Dealing with risk

There are four basic ways to deal with risk:

  • Transfer
  • Avoid
  • Mitigate
  • Accept

Outsourcing

Functions can be outsourced, but risk cannot be.


0x04 risk management framework

A risk management framework (RMF) is defined as a structured process that allows an organization to identify and assess risks, reduce them to an acceptable level, and ensure that they stay at that level. In essence, an RMF is a structured approach to risk management.
Common frameworks:

  • NIST RMF (SP 800-37r1)
  • ISO 31000:2009
  • ISACA Risk IT
  • COSO Enterprise Risk Management - Integrated Framework

Six steps of the RMF process

  • (1) Categorize the information system
  • (2) Select security controls
  • (3) Implement the security controls
  • (4) Assess the security controls
  • (5) Authorize the information system
  • (6) Monitor the security controls

0x05 business continuity and disaster recovery

As a security professional, you need to develop plans for various unexpected situations.

  • The goal of disaster recovery is to minimize the impact of a disaster or interruption.
  • The goal of a disaster recovery plan is to deal with the disaster and its consequences after it has happened.
  • Disaster recovery plans are usually centered on information technology (IT).

A disaster recovery plan (DRP) is carried out while everything is still in emergency mode and everyone is scrambling to bring the critical systems back online.

Business continuity planning (BCP) takes a broader approach to the problem. It can include restoring key systems in another environment while the original facility is being repaired, getting the right people to the right places during that time, and running the business in a different mode until normal conditions are restored. It also covers dealing with customers, partners and shareholders through different channels until everything is back to normal.
Business continuity management (BCM) is the overall management process, and it should include both the DRP and the BCP.

Standards and best practices

NIST SP 800-34

ISO/IEC 27031 :2011

Good Practice Guidelines (GPG) of the Business Continuity Institute (BCI): BCM best practices.
Management practices:
- Policy and programme management
- Embedding BCM in the organization's culture
Technical practices:
- Understanding the organization
- Determining BCM strategy
- Developing and implementing a BCM response
- Exercising, maintenance and review

DRI International (DRII): Professional Practices best practices and framework for business continuity planners.

BCP project management

SWOT analysis stands for Strengths / Weaknesses / Opportunities / Threats:

  • Strengths are characteristics of the project team that give it an advantage over other teams.
  • Weaknesses are characteristics that put the team at a disadvantage relative to other teams.
  • Opportunities are elements that can contribute to the success of the project.
  • Threats are elements that could cause the project to fail.

Business Impact Analysis (BIA) is regarded as a functional analysis. In a BIA, the BCP team gathers data through interviews and documentary sources to record the business functions, activities and transactions of the enterprise, ranks the business functions by level, and finally draws up a classification scheme that expresses the importance of each individual function.
The interruption time a company can tolerate is expressed as the Maximum Tolerable Downtime (MTD) or the Maximum Period Time of Disruption (MPTD).

The shorter the MTD, the higher the restoration priority of the function in question.

  • Nonessential: 30 days
  • Normal: 7 days
  • Important: 72 hours
  • Urgent: 24 hours
  • Critical: minutes to hours

The BCP policy mainly includes the scope, mission statement, principles, guidelines and standards.


0x06 Personnel security

  • Separation of duties ensures that an important task is not completed by one person alone. Separation is a preventive administrative control put in place to reduce the potential for fraud.

    • Split knowledge
    • Dual control
  • Rotation of duties is a detective administrative control. When it is in place, fraudulent activity can be discovered.

  • Mandatory vacation: employees who work in sensitive areas are required to take vacation, which makes it possible to detect errors or fraudulent activity.

  • Hiring practices: signing a nondisclosure agreement, background checks.

  • Termination

    • A dismissed employee must leave the company premises immediately, escorted by a manager or security guard.
    • The dismissed employee must hand in all identification badges and keys, complete an exit interview and return company property.
    • The company must immediately disable or change the dismissed employee's accounts and passwords.
  • Security awareness training

    • The organization should use a variety of methods to reinforce security awareness.
    • Screen banners, employee handbooks and even posters can be used to remind employees of their responsibilities and of the need for good security practices.
  • Degrees or certifications


0x07 Security governance

What is governance?

Governance is the management of management!

Security governance is a framework that allows the organization's security goals to be set and communicated by senior management, communicated to the different levels of the organization, grants entities the authority to implement and enforce security measures, and provides a way to verify that these necessary security activities are actually carried out.


0x08 Ethics

  • Protect society, the common good, and the necessary public trust and confidence.
  • Act honorably, honestly, justly, responsibly and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.