
Domain 1 - Security and Risk Management


tjensen




Presentation Transcript


  1. Domain 1 - Security and Risk Management
     • Confidentiality, integrity, and availability concepts – CIA
     • Security Governance principles
     • Compliance, Legal, and Regulatory issues
       – SOX and Regulatory Guidelines
       – There will be memorization questions on the test
     • Professional ethics
       – Know the ISC2 code by heart
     • Security policies, standards, procedures, and guidelines
       – what is suggested vs what is mandatory

  2. Confidentiality, Integrity and Availability
     • Security Triad
     • Confidentiality: Has everything to do with encryption
     • Integrity: Keeping the data from being altered (hashing)
     • Availability: Keeping the systems up and available

  3. Confidentiality - Fundamentals
     • Categories: Symmetric, Asymmetric, Hash
     • Systems
       – Algorithmic: Older; secrecy depends on a secret algorithm
       – Keyed Systems: Newer; known algorithm, secrecy is provided by the key
     • Encryption Strength: Strength of the algorithm, secrecy of the keys, length of the keys

  4. Confidentiality – Encryption Definitions
     • Link Encryption – encrypting data on the network
       – IPSec
       – L2TP
     • End-to-end Encryption – encryption from the source system/client all the way to the server
       – SSL
     • Repudiation – denial of having sent a message
     • Traffic Analysis – inference of information from analysis of traffic patterns
     • Traffic Padding – generation of spurious data units to frustrate traffic analysis
     • Work Factor – effort/time needed to overcome a protective measure

  5. Confidentiality – Symmetric/Private Key
     • Uses the same key to encrypt/decrypt
     • DES
       – 56 bit key, industry standard
       – Block cipher
       – Diffusion and confusion
       – NIST
       – Fast and simple
       – Problems – single key distribution, can be cracked
       – Modes: cipher block chaining, electronic code book, cipher feedback, output feedback
     • Confusion – spread the influence of a plain text character
     • Diffusion – conceals the statistical connection between cipher and plain text
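Added example, not part of the slide deck: why the mode of operation matters for the DES modes listed above. A constructed toy block cipher (a key-dependent byte substitution, deliberately not a real cipher and with no diffusion) drives electronic code book and cipher block chaining over the same 64-byte message, so the leak ECB produces on repeated plaintext blocks can be counted. The key, IV and message are constructed sample values.

```python
import random

BLOCK = 8  # 64-bit blocks, the same block size DES uses

def _sbox(key: bytes):
    # Constructed toy cipher: key-dependent byte substitution table and its
    # inverse. Insecure by design; it only gives the modes something invertible.
    rng = random.Random(key)
    table = list(range(256))
    rng.shuffle(table)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return bytes(table), bytes(inverse)

def encrypt_block(key: bytes, block: bytes) -> bytes:
    table, _ = _sbox(key)
    return bytes(table[b ^ k] for b, k in zip(block, key))

def decrypt_block(key: bytes, block: bytes) -> bytes:
    _, inverse = _sbox(key)
    return bytes(inverse[c] ^ k for c, k in zip(block, key))

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: each block encrypted independently, so equal plaintext blocks give
    # equal ciphertext blocks (data length must be a multiple of BLOCK).
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: XOR each plaintext block with the previous ciphertext block (IV for
    # the first) before encrypting, which hides repeated plaintext blocks.
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, cur), prev))
        prev = cur
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    # Ciphertext blocks that duplicate an earlier one: the pattern traffic analysis sees.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

# Constructed sample: two 8-byte plaintext blocks repeated four times each.
KEY, IV = b"k3y-8byt", b"iv-8byte"
MESSAGE = b"ATTACK AT DAWN!!" * 4
```

Under ECB six of the eight ciphertext blocks are duplicates of an earlier block; under CBC none are, and the message still decrypts.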

  6. Confidentiality – Symmetric/Private Key, cont.
     • 3DES
       – 112 or 168 bit
       – DES but with 2 or 3 keys
     • IDEA
       – 128 bit
     • RC4
       – Variable length
     • Blowfish
       – 1-448 bit
     • Twofish
       – Up to 256 bit

  7. Confidentiality – Symmetric/Private Key, cont.
     • AES (Rijndael)
       – 128, 192, or 256 bit
       – Supports smart cards and 32/64 bit processors
       – NIST competition winner

  8. Confidentiality – Asymmetric/Public Key
     • An answer to the symmetric key distribution problem
     • Based on public key and private key pairs
     • Algorithms
       – SHA – 160 bit hash
       – MD5 – 128 bit hash
       – RSA – factoring two large prime numbers
       – ECC – elliptic curve discrete logarithms, faster than RSA

  9. Confidentiality – Asymmetric/Public Key, cont.
     • Confidentiality
       – Plain text is encrypted with the receiver's public key; only the receiver can decrypt
     • DSS – SHA 160 bits
     • Integrity – provided by hashing
     • Combats MITM attacks

  10. Confidentiality – PKI
     • Two key (asymmetric) encryption system for communication
     • Framework, not a specific technology
     • Provides authentication and confidentiality
     • Digital Certificates
       – Associate a public key with an individual/company
       – Issued by a Certificate Authority (CA)
         – Responsible for issuing, revoking, and distributing certificates
         – Often a trusted 3rd party such as DigiCert, Verisign

  11. Availability
     • Site and servers are always up
     • Hot site: complete duplicate, near-complete backups, full computer systems, mirrors the data environment. Lowest RTO (Recovery Time Objective)
     • Warm site: smaller scale, higher RTO, backups several days to weeks old
     • Cold site: least expensive to operate, highest RTO. No hardware set up, but space may be available.

  12. Availability - RAID
     • RAID 0 – no redundancy, stripes data evenly. N drives, N times performance.
     • RAID 1 – mirroring
     • RAID 2 – stripes data at the bit level with error correction; no longer used in practice
     • RAID 3 – byte level striping with dedicated parity disk; every I/O requires all disks to read/write
     • RAID 4 – block level striping with dedicated parity disk
     • RAID 5 – block level striping with distributed parity; keeps operating with all but one disk. Requires at least 3 disks
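Added example, not from the slides: a small RAID 5 simulation in Python showing block level striping with rotating (distributed) parity, and how a stripe is rebuilt from the surviving chunks when one disk is lost. Disk count, chunk size and the data are constructed sample values; the parity placement (parity disk = stripe number mod disk count) is one common rotation, not a claim about any particular controller.

```python
from functools import reduce

def xor_blocks(blocks):
    # Bytewise XOR of equal-length chunks: RAID 5 parity is P = D1 ^ D2 ^ ... ^ Dn
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def raid5_write(data: bytes, disks: int, chunk: int):
    # Stripe data across `disks` drives: each stripe holds disks-1 data chunks
    # plus one parity chunk, and the parity position rotates per stripe so no
    # single drive becomes the write bottleneck (the RAID 4 dedicated-parity problem).
    if disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    per_stripe = chunk * (disks - 1)
    arrays = [[] for _ in range(disks)]
    for n, start in enumerate(range(0, len(data), per_stripe)):
        stripe = data[start:start + per_stripe].ljust(per_stripe, b"\0")
        chunks = [stripe[i:i + chunk] for i in range(0, per_stripe, chunk)]
        chunks.insert(n % disks, xor_blocks(chunks))  # parity chunk for this stripe
        for d in range(disks):
            arrays[d].append(chunks[d])
    return arrays

def fail_disk(arrays, failed: int):
    # Simulate a drive failure: its contents are gone (None), not merely ignored.
    return [None if d == failed else list(a) for d, a in enumerate(arrays)]

def raid5_read(arrays, failed=None) -> bytes:
    # Reassemble the data. With one failed drive, each missing chunk is the XOR
    # of every surviving chunk in its stripe (parity included). This is why the
    # array runs with all but one disk, and why a second failure before the
    # rebuild finishes is unrecoverable.
    disks = len(arrays)
    stripes = max(len(a) for a in arrays if a is not None)
    out = []
    for n in range(stripes):
        parity = n % disks
        for d in range(disks):
            if d == parity:
                continue
            if d == failed:
                survivors = [arrays[x][n] for x in range(disks) if x != failed]
                out.append(xor_blocks(survivors))
            else:
                out.append(arrays[d][n])
    return b"".join(out)

# Constructed sample: 129 bytes over 4 disks with 8-byte chunks -> 6 stripes, last one padded
DATA = b"The quick brown fox jumps over the lazy dog" * 3
```

The returned bytes include the zero padding of the last stripe, so callers slice to the original length.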

  13. Governance, Legal and Ethics – ISC2 ethics
     • Conduct themselves with the highest standards of ethical, moral, and legal behavior
     • Not commit any unlawful or unethical act
     • Appropriately report unlawful behavior
     • Support efforts to promote prudent information security measures
     • Provide competent service to their employees and clients
     • Execute responsibilities with the highest standards
     • Not misuse information with which they come into contact during their duties

  14. Governance, Legal and Ethics – Evidence
     • Best evidence – the original
     • Secondary evidence – a copy
     • Direct evidence – proves or disproves an act based upon the five senses; witnesses
     • Conclusive evidence – incontrovertible, overrides all other evidence
     • Circumstantial – inference from other information
     • Hearsay – not based on first-hand knowledge
       – Exceptions: made during the regular conduct of the business or by a witness
       – Made at or near the time of occurrence of the act being investigated

  15. Governance, Legal and Ethics – Policies
     • Policy – general management statements
     • Standards – specific mandatory controls
     • Guidelines – recommendations or best practices
     • Procedures – step by step instructions
