Security Framework
Set of policies, guidelines, and best practices designed to manage an organization's information security risks
Confidentiality
-Protects against unauthorized disclosure of information;
-Access controls are the primary mechanism for restricting users from reading sensitive information without permission;
-Human error (e.g., emailing data to the wrong recipient, misconfigured permissions) is a common cause of disclosure, not just deliberate attack
Integrity
-Protects against unauthorized alteration or modification of data;
-Preserves the reliability and correctness of data, and the accountability of those who change it;
-Clark-Wilson Model;
-Digital Signatures
Clark-Wilson Model
Integrity model built on well-formed transactions and separation of duties: subjects may modify constrained data only through certified transformation procedures, and no one person can both perform and approve a step, so no single individual can compromise the integrity of a business process
Digital Signatures
Provide authentication of the signer (only the holder of the private key could have produced the signature), integrity of the signed data (any change invalidates the signature), and non-repudiation; binding the signature to a date and time requires a trusted timestamp, since the signer could otherwise set the clock arbitrarily
Availability
-Protects against denial-of-service (DoS) attacks and accidental outages;
-Authorized subjects are granted timely and uninterrupted access to objects;
-Supported by redundant components, high availability, and fault tolerance
Redundant Components
Duplicate components (power supplies, disks, network links) so that the system has no single point of failure
High Availability
Clustering or load balancing so that a service survives the failure of a single server
Fault Tolerance
Ability of a system to continue operating correctly despite the failure of one or more of its components
Criminal Law
Body of law under which the government prosecutes acts that harm society (computer intrusion, fraud, theft); penalties include fines and imprisonment
Civil Law
-Forms the bulk of the US body of laws; governs disputes between individuals and organizations (contracts, torts, intellectual property such as trademarks);
-Enforced through lawsuits rather than prosecution, with a lower standard of proof (preponderance of the evidence) and remedies that are typically monetary damages
Administrative Law
-Regulations issued by executive-branch agencies to carry out the laws passed by Congress;
-Published in the Code of Federal Regulations (CFR) and carry the force of law
Search Warrant (4th Amendment)
Issued by a court on a showing of probable cause; gives a detailed description of the place to be searched and the items to be seized, which defines the legal bounds of the search and seizure
Administrative Investigations
Internal investigations that are not operational in nature (e.g., those that could lead to termination or a criminal referral) require a stronger standard of evidence collection than routine operational troubleshooting
Criminal Investigations
Standard of evidence: proof beyond a reasonable doubt (the highest standard; civil cases use preponderance of the evidence), so evidence handling and chain of custody must be rigorous
Computer Crime
The first computer security issue addressed by legislators; early statutes predate the Internet and have been amended repeatedly to keep up with technology
Privacy Act of 1974
-Set the standards for all information privacy and security laws that followed;
-Limits the ability of federal agencies to disclose private information of individuals to other people/agencies without prior written consent of those individuals;
-Mandates that agencies maintain only the records necessary for conducting their business and that those records are destroyed when they are no longer needed for a legitimate function of government
Electronic Communications Privacy Act (ECPA) of 1986
Extended wiretap protections to electronic communications such as email; makes it a crime to intercept or otherwise invade the electronic privacy of an individual, with exceptions for service providers and court-ordered surveillance
Computer Fraud & Abuse Act (CFAA) of 1984
-First major piece of cybercrime-specific legislation in the US (enacted in 1984 as the Counterfeit Access Device and Computer Fraud and Abuse Act and substantially amended in 1986);
-Written to cover only computer crimes that crossed state boundaries, to avoid infringing on states' rights;
-Criminalized unauthorized access to classified or financial information in a "federal interest system"
Computer Abuse Amendments Act of 1994
-Outlawed the creation of any type of malicious code that might cause damage to a computer system;
-Extended coverage to any computer used in interstate commerce rather than just "federal interest" systems
Federal Information Security Management Act (FISMA) of 2002
-Required federal agencies and their contractors to implement information security management programs and report on them annually;
-National Institute of Standards and Technology (NIST) responsible for developing implementation guidelines (the SP 800 series)
Children's Online Privacy Protection Act (COPPA) of 1998
-Makes a series of demands on websites that cater to children or knowingly collect information from children;
-Websites must obtain verifiable parental consent before collecting information about children younger than 13, and must post a privacy notice describing what is collected and how it is used
Gramm-Leach-Bliley Act (GLBA) of 1999
-Relaxed regulations on the services banks, insurers, and securities firms could provide and the information they could share with each other;
-Required financial institutions to provide written privacy notices to all customers and to safeguard customer financial information
USA PATRIOT Act of 2001
-Greatly broadened the powers of law enforcement organizations and intelligence agencies, including the monitoring of digital communications;
-Allows law enforcement to obtain a blanket (roving) authorization to monitor all of a person's communications rather than a single device or line;
-Internet Service Providers (ISPs) may voluntarily provide the government with a wide range of subscriber information
Family Educational Rights and Privacy Act (FERPA)
-Specialized privacy law covering any educational institution that accepts any form of federal funding;
-Grants privacy rights to students who are 18 or older and to the parents of minor students;
-Parents/students have the right to inspect any educational records the institution maintains on the student and to request correction of errors
Health Insurance Portability and Accountability Act (HIPAA) of 1996
Privacy and security regulations requiring strict safeguards for health information held by hospitals, physicians, insurance companies, and other covered entities
Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
-Amended HIPAA, updating many of its privacy and security requirements;
-Changed how the law treats business associates that handle Protected Health Information (PHI) on behalf of a HIPAA-covered entity: they are now directly subject to HIPAA's requirements and must sign a business associate agreement;
-Introduced data breach notification requirements
General Data Protection Regulation (GDPR)
-Comprehensive European Union law covering the protection of personal information (PI) of EU residents, passed in 2016 and enforced from May 2018;
-Replaced the Data Protection Directive (DPD);
-Applies to organizations based both inside and outside the EU that collect or process information on EU residents;
-Rights include the right to be forgotten (erasure), alongside lawful-basis, data-minimization, and 72-hour breach-notification requirements
EU-US Privacy Shield
Framework (2016) for transferring EU personal data to self-certified US organizations; it replaced the earlier Safe Harbor agreement and was itself invalidated by the EU Court of Justice in 2020 (Schrems II), which is why the DPF below exists.
EU-US Data Privacy Framework (DPF)
-Adopted in 2023 to provide US organizations with a reliable legal basis for transfers of PI from the EU, UK, and Switzerland to the US, with data protection consistent with EU, UK, and Swiss law;
-Requires US organizations to self-certify their compliance to the US Department of Commerce and to honor the framework's principles.
California Consumer Privacy Act (CCPA)
-Sweeping privacy law passed in 2018 and in effect since January 2020, modeled after GDPR;
-Right to know what's being collected;
-Right to be forgotten;
-Right to opt out of the sale of their personal information;
-Right to exercise their privacy rights without fear of discrimination or retaliation for their use.
Federal Information Security Modernization Act (FISMA) of 2014
-Centralized federal civilian cybersecurity responsibility within the Department of Homeland Security (DHS);
-Exception 1: Department of Defense (DoD) cyber issues remain Secretary of Defense's responsibility;
-Exception 2: Office of the Director of National Intelligence (ODNI) is responsible for intelligence-related issues.
Cybersecurity Enhancement Act of 2014
National Institute of Standards and Technology (NIST) charged with coordinating nationwide work on voluntary cybersecurity standards, codifying NIST's role behind the Cybersecurity Framework.
International Organization for Standardization (ISO)
Publishes the ISO/IEC 27000 family of information security standards (27001 for an information security management system, 27002 for the control catalog), a flexible collection that can be applied to all types and sizes of organizations.
National Cybersecurity Protection Act of 2014
Charged the Department of Homeland Security (DHS) with establishing the National Cybersecurity and Communications Integration Center (NCCIC), a hub for sharing cyber threat information between government and the private sector.
Defense in Depth
Layered security: multiple independent protections (network, host, application, data) so that the failure of any single control does not expose the asset, with the strongest protections closest to the most valuable assets.
Zero Trust
Security model in which nothing inside the network is automatically trusted; every access request is authenticated, authorized, and verified regardless of where it originates.
Intellectual Property (IP)
-Intangible creations of the mind that have value and can be owned;
-Examples: brand names, logos, secret recipes, software, inventions
Copyright
-Guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work;
-Protected until 70 years after the death of the last surviving author (95 years from publication or 120 years from creation for works made for hire)
Copyright-Software
-Protects the expression of the software, i.e., the source and object code;
-Does not protect the ideas, algorithms, or processes behind the software
Patents
Grant the inventor exclusive rights for 20 years from the filing date; the invention must be new, useful, and non-obvious, and its details are published in exchange for the protection
Trade Secrets
-IP that is critical to an organization's business; disclosure to competitors and/or the public would result in significant damage;
-Examples: Coca-Cola & KFC secret recipes;
-Not registered or published (unlike patents), so protection lasts as long as the secret is kept; any authorized personnel with a need-to-know who are given access are bound by a Non-Disclosure Agreement (NDA)
Risk
Possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result
Asset
Anything used in a business process or task that has value to the organization (data, systems, people, facilities, reputation)
Asset Valuation
Dollar or relative value assigned to an asset based on its cost, replacement cost, and importance to the organization; drives how much protection is worth buying
Threats
Any potential occurrence that may cause an undesirable outcome
Threat Agent/Actor
The entity that carries out a threat: people (hackers, disgruntled insiders), programs (malware, bots), hardware faults, or natural events
Threat Events
Accidental occurrences and intentional exploitations of vulnerabilities - natural or person-made
Threat Vector
Path or means by which an attack or attacker can gain access to a target in order to cause harm
Vulnerability
Weakness in an asset, or the absence or weakness of a safeguard, that a threat could exploit
Exposure
Being susceptible to asset loss because a vulnerability exists that a threat could exploit; the potential for harm, not the harm itself
Safeguards
Protection mechanism: anything that removes or reduces a vulnerability or protects against one or more threats (also called a countermeasure or control)
Attack
An attempt to exploit a vulnerability, whether intentional or accidental
Breach
A successful attack: a threat agent bypasses or thwarts a security mechanism and exploits a vulnerability to reach the asset
Risk Management
-Identifying factors that could damage or disclose assets;
-Evaluating those factors in light of asset value and countermeasure cost;
-Implementing cost-effective solutions for mitigating or reducing risk
Qualitative Risk Analysis
Assigns subjective and intangible values to the loss of an asset
Quantitative Risk Analysis
Assigns real dollar figures to the loss of an asset
Risk Mitigation
Implementation of safeguards, security controls, countermeasures to eliminate vulnerabilities or block threats
Risk Assignment
Transferring the cost of a risk to another entity, e.g., by purchasing insurance or outsourcing the function
Risk Deterrence
Process of implementing deterrents to would be violators of security and policy
Risk Avoidance
Process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option
Risk Acceptance
The result after a cost/benefit analysis shows countermeasure costs outweigh the possible cost of loss due to risk
Risk Rejection
Denying that a risk exists or ignoring it; not a valid or acceptable response
Risk Appetite
The total amount of risk an organization is willing to carry across all assets
Risk Capacity
The level of risk an organization is able to carry
Risk Tolerance
The amount of risk an organization will accept per individual asset-threat pair
Risk Limit
Maximum level of risk above the risk target that will be tolerated before further risk management actions are taken
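The cards on quantitative analysis, mitigation, and acceptance above describe a cost/benefit decision; the following is an added worked example of that arithmetic, not part of the original study set. Single Loss Expectancy (SLE = asset value x exposure factor), Annualized Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE = SLE x ARO) are the standard quantitative-risk terms and are not defined on the cards; the asset, threat, and dollar figures are constructed sample data.

```python
"""Added example (not part of the original study set): quantitative risk
analysis and the accept-or-mitigate decision it drives. All figures below are
constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of the asset lost per occurrence (0.0 to 1.0)
    aro: float              # ARO: expected number of occurrences per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # ACS: annual cost of the safeguard (purchase, upkeep, staff)
    residual: RiskScenario  # the same threat after the safeguard is in place


def safeguard_value(before: RiskScenario, sg: Safeguard) -> float:
    """Cost/benefit of a safeguard: (ALE before) - (ALE after) - ACS.
    Positive means the safeguard saves more than it costs each year."""
    return before.ale - sg.residual.ale - sg.annual_cost


def decide(before: RiskScenario, options: list) -> tuple:
    """Risk mitigation picks the safeguard with the highest positive value.
    If no option has positive value, the cost/benefit analysis says the
    countermeasures cost more than the expected loss: accept the risk."""
    best = None
    for sg in options:
        if best is None or safeguard_value(before, sg) > safeguard_value(before, best):
            best = sg
    if best is None or safeguard_value(before, best) <= 0:
        return ("accept", 0.0)
    return ("mitigate: " + best.name, safeguard_value(before, best))


# Constructed sample: a $200,000 order-processing server exposed to ransomware,
# expected once every five years, losing half the asset's value per incident.
RANSOMWARE = RiskScenario(asset_value=200_000, exposure_factor=0.5, aro=0.2)

OPTIONS = [
    # Offline backups cut the damage per incident but not its frequency.
    Safeguard("offline backups", annual_cost=5_000,
              residual=RiskScenario(200_000, exposure_factor=0.1, aro=0.2)),
    # A hot DR site nearly eliminates the loss but costs more than the risk itself.
    Safeguard("hot DR site", annual_cost=30_000,
              residual=RiskScenario(200_000, exposure_factor=0.02, aro=0.2)),
]

if __name__ == "__main__":
    print(f"SLE=${RANSOMWARE.sle:,.0f}  ALE=${RANSOMWARE.ale:,.0f}")
    for sg in OPTIONS:
        print(f"{sg.name}: annual value ${safeguard_value(RANSOMWARE, sg):,.0f}")
    print(decide(RANSOMWARE, OPTIONS))
```

With these numbers the server's ALE is $20,000; offline backups are worth $11,000 a year, while the DR site has negative value, so the decision is to mitigate with backups. Run `decide` with only the DR site in the list and the result flips to accepting the risk, which is exactly the Risk Acceptance card above.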
NIST Risk Management Framework
Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
Technical/Logical Controls
Hardware or software mechanisms used to manage access and protect resources (authentication, encryption, firewalls, access control lists)
Physical Controls
Tangible mechanisms that protect facilities and equipment (locks on doors, fences, guards, lighting, cameras)
Administrative Controls
Policies, Standards, Procedures, Baselines, Guidelines
Policies
High-level, mandatory statement of what the organization is trying to accomplish and who is responsible for it
Standards
Mandatory requirements that provide consistency in the use of hardware, software, technology, and security controls
Procedures
Highly detailed, step-by-step instructions for performing a task, ensuring integrity through consistency
Baselines
Minimum level of security that every system must meet; typically derived by tailoring a standard to a specific platform (e.g., a server hardening baseline)
Guidelines
Recommended best practices that offer flexibility and are not mandatory
Security Control
Refers to a broad range of controls that perform such tasks as ensuring only authorized users can log on and preventing unauthorized users from gaining access to resources
Preventive Controls
-Stop unwanted or unauthorized activity from occurring
-Examples: fences, locks, encryption, antivirus software
Deterrent Controls
-Deployed to discourage security policy violations
-Example: security guards
Detective Controls
-Deployed to discover or detect unwanted or unauthorized activity
-Examples: motion detectors, audit logs, intrusion detection systems
Compensating Controls
Provide alternative protection when a primary control cannot be implemented or fails, so that the security policy is still enforced
Corrective Controls
-Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred
-Example: terminating malicious activity
Recovery Controls
-Extension of corrective controls but have more advanced or complex abilities
-Example: backups and restores
Directive Controls
-Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies
-Example: security policy requirements
Security Control Assessment (SCA)
Formal evaluation of a security infrastructure's mechanisms against a baseline or reliability expectation
Sensitive Data
Any information that isn't public or unclassified
Personally Identifiable Information (PII)
Any information that can be used to identify, contact, or locate an individual (name, Social Security number, biometric records, and similar)
Protected Health Information (PHI)
Any health-related information that can be related to a specific person
Proprietary
Relating to ownership: something owned and controlled by an organization (think property)
Proprietary Data
Any data that helps an organization maintain a competitive edge
Government Data Classification
Top Secret, Secret, Confidential, Unclassified (from most to least sensitive; unauthorized disclosure of Top Secret data would cause exceptionally grave damage)
Data at Rest
Any data stored on media such as system hard drives, solid-state drives (SSDs), external USB drives, storage area networks (SANs), and backup tapes
Data in Transit
Any data transmitted over a network
Data in Use
Data in memory or temporary storage buffers while an application is using it
Privacy by Design (PbD)
A guideline to integrate privacy protections into products during the early design phase rather than attempting to tack it on at the end of development
Bell-LaPadula Model (BLP)
-Prevents the leaking or transfer of classified information to subjects with lower clearance levels;
-Deals with confidentiality only;
-Simple Security Property: no read up (a subject may read only at or below its clearance); *-Property (star property): no write down (a subject may write only at or above its clearance)
Biba Model
-Designed after the Bell-LaPadula model as its integrity counterpart;
-Deals with integrity only;
-Simple Integrity Property: no read down (a subject may read only at or above its integrity level); * Integrity Property: no write up (a subject may write only at or below its integrity level)
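The Bell-LaPadula and Biba cards above state four rules that are easy to confuse; the following is an added example, not part of the original study set, that enforces them as a small reference monitor over the four-level government classification listed earlier (Unclassified < Confidential < Secret < Top Secret). For Biba the same ordinal scale is reused as an integrity scale purely for illustration; the subjects and objects are constructed sample data.

```python
"""Added example (not part of the original study set): Bell-LaPadula and Biba
access decisions over a four-level lattice. Sample subjects are constructed."""

from enum import IntEnum


class Level(IntEnum):
    """Ordered so that >= and <= express lattice dominance."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Bell-LaPadula (confidentiality)
def blp_can_read(subject: Level, obj: Level) -> bool:
    """Simple Security Property, 'no read up': the subject's clearance must
    dominate the object's classification."""
    return subject >= obj


def blp_can_write(subject: Level, obj: Level) -> bool:
    """*-Property, 'no write down': the object's classification must dominate
    the subject's clearance, so Secret data cannot be copied into an
    Unclassified file. Writing up is allowed, which is why Biba exists."""
    return subject <= obj


# Biba (integrity)
def biba_can_read(subject: Level, obj: Level) -> bool:
    """Simple Integrity Property, 'no read down': a subject may not consume
    data from a source of lower integrity than its own."""
    return subject <= obj


def biba_can_write(subject: Level, obj: Level) -> bool:
    """* Integrity Property, 'no write up': a subject may not modify data of
    higher integrity than its own."""
    return subject >= obj


RULES = {
    ("blp", "read"): blp_can_read,
    ("blp", "write"): blp_can_write,
    ("biba", "read"): biba_can_read,
    ("biba", "write"): biba_can_write,
}


def check_access(model: str, op: str, subject: Level, obj: Level) -> bool:
    """Reference-monitor style decision: default deny for any (model, op)
    pair that has no rule."""
    rule = RULES.get((model, op))
    return bool(rule and rule(subject, obj))


def access_matrix(model: str, subject: Level) -> dict:
    """Names of the object levels a subject may read and write under `model`."""
    return {
        op: [lvl.name for lvl in Level if check_access(model, op, subject, lvl)]
        for op in ("read", "write")
    }


if __name__ == "__main__":
    # Constructed sample: a Secret-cleared analyst under each model.
    analyst = Level.SECRET
    for model in ("blp", "biba"):
        print(model, access_matrix(model, analyst))
```

Under Bell-LaPadula the Secret analyst reads Unclassified through Secret and writes Secret and Top Secret; under Biba the same subject reads only Secret and Top Secret and writes Unclassified through Secret. The two matrices are mirror images, which is the quickest way to remember that Biba inverts the Bell-LaPadula rules.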
Business Continuity Planning (BCP)
Provides a quick, calm, and efficient response in the event of an emergency and enhances a company's ability to recover from a disruptive event promptly; focuses on keeping critical business functions running
Disaster Recovery Plan (DRP)
Detailed, pre-scripted procedures for restoring IT operations after a disaster, written so they can almost run on autopilot: everyone knows what they need to do and whom to communicate with
Cold Sites
Standby facilities large enough to handle the processing load of an organization and equipped with appropriate electrical and environmental support systems, but with no computing hardware or data installed; the cheapest option and the slowest to activate (days to weeks)