Domain 1 - Security and Risk Management
• Confidentiality, integrity, and availability concepts – CIA
• Security Governance principles
• Compliance, Legal, and Regulatory issues – SOX and Regulatory Guidelines – There will be memorization questions on the test
• Professional ethics – Know the ISC2 code by heart
• Security policies, standards, procedures, and guidelines – what is suggested vs what is mandatory
Confidentiality, Integrity and Availability
• Security Triad
• Confidentiality: Has everything to do with encryption
• Integrity: Keeping the data from being altered (hashing)
• Availability: Keeping the systems up and available
Confidentiality - Fundamentals
• Categories: Symmetric, Asymmetric, Hash
• Systems
  • Algorithmic
    • Older
    • Secret Algorithm
  • Keyed Systems
    • Newer
    • Secrecy is provided by the key
    • Known algorithm
• Encryption Strength: Strength of the algorithm, Secrecy of the keys, Length of the keys
Confidentiality – Encryption Definitions
• Link Encryption – encrypting data on the network
  • IPSec
  • L2TP
• End-to-end Encryption – Encryption from the source system/client to the server
  • SSL
• Repudiation – denial of sending a message
• Traffic Analysis – Inference of information from analysis of traffic
• Traffic Padding – Generation of spurious data units
• Work Factor – Effort/time needed to overcome a protective measure
Confidentiality – Symmetric/Private Key
• Uses the same key to encrypt/decrypt
• DES
  • 56 bit key, industry standard
  • Block cipher
  • Diffusion and confusion
  • NIST
  • Fast and simple
  • Problems – single key distribution, can be cracked
  • Modes: Cipher block chaining, electronic code book, cipher feedback, output feedback
• Confusion – spread the influence of a plain text character
• Diffusion – Conceals the statistical connection between cipher and plain text
Confidentiality – Symmetric/Private Key, cont.
• 3DES
  • 112 or 168 bit
  • DES but with 2 or 3 keys
• IDEA
  • 128 bit
• RC4
  • Variable length
• Blowfish
  • 1-448 bit
• Twofish
  • Up to 256 bit
Confidentiality – Symmetric/Private Key, cont.
• AES (Rijndael)
  • 128, 192, or 256 bit
  • Supports smart cards and 32/64 bit processors
  • NIST Competition winner
Confidentiality – Asymmetric/Public Key
• An answer to the symmetric key distribution problem
• Based on public key and private key pairs
• Algorithms
  • SHA – 160 bit hash
  • MD5 – 128 bit hash
  • RSA – factoring two large prime numbers
  • ECC – Elliptic curve discrete logarithms, faster than RSA
Confidentiality – Asymmetric/Public Key, cont.
• Confidentiality
  • Plain text is encrypted with the receiver's public key; only the receiver can decrypt
• DSS – SHA 160 bits
• Integrity – provided by hashing
• Combats MITM attacks
Confidentiality – PKI
• Two key (asymmetric) encryption system for communication
• Framework, not a specific technology
• Provides authentication and confidentiality
• Digital Certificates
  • Associate a public key with an individual/company
  • Issued by a Certificate Authority (CA)
    • Responsible for issuing, revoking, and distributing certificates
    • Often a trusted 3rd party such as DigiCert, Verisign
Availability
• Site and Servers are always up
• Hot site: Complete duplicate, near complete backups, full computer systems, mirror the data environment. Lowest RTO (Recovery Time Objective)
• Warm site: Smaller scale, higher RTO, several days to weeks old backups
• Cold site: Least expensive to operate, highest RTO. No hardware setup, but may be available.
Availability - RAID
• RAID 0 – no redundancy, stripes data evenly. N drives, N times performance.
• RAID 1 – mirroring
• RAID 2 – Stripes data at the bit level – Error correction – no longer used in practice
• RAID 3 – byte level striping with dedicated parity disk, I/O requires all disks to read/write
• RAID 4 – block level striping with dedicated parity disk
• RAID 5 – block level striping, distributed parity, continues to operate with all but one disk. Requires at least 3 disks
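As an added illustration (not part of the slides), this Python toy model shows what "distributed parity, all but one to operate" means for RAID 5: each stripe's parity block is the XOR of its data blocks and rotates across disks, so the blocks of any single failed disk can be rebuilt from the survivors. The sample data, disk count and block size are constructed values.

```python
# Added illustration of RAID 5 striping with rotating XOR parity (toy model,
# constructed data; not a real RAID implementation).

def xor_blocks(blocks):
    """XOR a list of equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def parity_position(stripe_index, n_disks):
    """Parity rotates one disk per stripe so no single disk becomes a write hotspot."""
    return (n_disks - 1 - stripe_index) % n_disks

def raid5_write(data, n_disks, block_size):
    """Stripe data across n_disks; each stripe holds n_disks-1 data blocks plus one parity block."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    per_stripe = (n_disks - 1) * block_size
    data += b"\x00" * ((-len(data)) % per_stripe)  # pad to a whole number of stripes
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_disks - 1)]
        parity = xor_blocks(blocks)
        p = parity_position(s, n_disks)
        it = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(it))
    return disks

def raid5_read(disks, failed=None):
    """Reassemble the data; if one disk index is marked failed, rebuild each of its
    blocks by XORing the surviving blocks of that stripe (works for data or parity)."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        stripe = [None if d == failed else disks[d][s] for d in range(n_disks)]
        if failed is not None:
            stripe[failed] = xor_blocks([b for b in stripe if b is not None])
        p = parity_position(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += stripe[d]
    return bytes(out)

if __name__ == "__main__":
    sample = b"CISSP Domain 1: availability via redundancy!"  # constructed input
    array = raid5_write(sample, n_disks=4, block_size=4)
    for lost in range(4):
        assert raid5_read(array, failed=lost).rstrip(b"\x00") == sample
    print("data rebuilt after loss of any single disk")
```

Losing a second disk in the same stripe leaves two unknowns in one XOR equation, which is why RAID 5 tolerates exactly one failure.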
Governance, Legal and Ethics – ISC2 ethics
• Conduct themselves with the highest standards of ethical, moral, and legal behavior
• Not commit any unlawful or unethical act
• Appropriately report unlawful behavior
• Support efforts to promote prudent information security measures
• Provide competent service to their employees and clients
• Execute responsibilities with the highest standards
• Not misuse information they come into contact with during their duties
Governance, Legal and Ethics – Evidence
• Best evidence – original
• Secondary evidence – Copy
• Direct evidence – proves or disproves an act based upon the five senses, witnesses
• Conclusive evidence – Incontrovertible, overrides all other evidence
• Circumstantial – inference from other information
• Hearsay – Not based on first hand knowledge
  • Exceptions: Made during the regular conduct of the business or witness
  • Made at or near the time of occurrence of the act being investigated
Governance, Legal and Ethics – Policies
• Policy
  • General management statements
• Standards
  • Specific mandatory controls
• Guidelines
  • Recommendations or best practices
• Procedures
  • Step by step instructions