Course 2 (Manage Security Risks) Module 1 (Security Domains)
Security posture
An organization’s ability to manage its defense of critical assets and data, and react to change.
Security and Risk Management
1st CISSP Domain
Asset Security
2nd CISSP Domain
Security Architecture and Engineering
3rd CISSP Domain
Communication and Network Security
4th CISSP Domain
Security and Risk Management
Focused on defining security goals and objectives, risk mitigation, compliance, business continuity, and legal regulations.
Risk mitigation
The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach.
Business continuity
An organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans.
Asset Security
Focused on securing digital and physical assets. It’s also related to the storage, maintenance, retention, and destruction of data.
Security Architecture and Engineering
Focused on optimizing data security by ensuring effective tools, systems, and processes are in place to protect an organization’s assets and data.
Shared responsibility
All individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security.
Communication and Network Security
Focused on managing and securing physical networks and wireless communications.
Identity and Access Management
Focused on access and authorization to keep data secure, by making sure users follow established policies to control and manage assets.
Components of IAM
Identification, Authentication, Authorization, Accountability
Identification
When a user verifies who they are by providing a user name, an access card, or biometric data such as a fingerprint.
Authentication
The verification process to prove a person’s identity, such as entering a password or PIN.
Authorization
Takes place after a user’s identity has been confirmed and relates to their level of access, which depends on the role in the organization.
Accountability
Refers to monitoring and recording user actions, like login attempts, to prove systems and data are used properly.
Security Assessment and Testing
Focused on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities.
Security Operations
Focused on conducting investigations and implementing preventative measures.
Software Development Security
Focused on using secure coding practices.
Elements of security and risk management
Security goals and objectives, risk mitigation processes, compliance, business continuity plans, legal regulations, professional and organizational ethics.
Information Security
Aka InfoSec
InfoSec design processes
Incident response, vulnerability management, application security, cloud security, infrastructure security.
Asset security processes
Conducting a security impact analysis, establishing a recovery plan, and managing data exposure.
Security architecture and engineering design principles
Threat modeling, least privilege, defense in depth, fail securely, separation of duties, keep it simple, zero trust, trust but verify.
Principle of least privilege
The concept of granting only the minimal access and authorization required to complete a task. As an example, a cybersecurity analyst might be asked to ensure that customer service representatives can only view the private data of a customer, such as their phone number, while working to resolve the customer’s issue; then remove access when the customer’s issue is resolved.
Penetration testers
Aka pen testers
Security operation processes
Training and awareness, reporting and documentation, intrusion detection and prevention, SIEM tools, log management, incident management, playbooks, post-breach forensics, reflecting on lessons learned.
Social engineering
A manipulation technique that exploits human error to gain private information, access, or valuables.
Social engineering
An example of a threat.
Threat
Any circumstance or event that can negatively impact assets.
Risk
Anything that can impact the confidentiality, integrity, or availability of an asset. It’s the likelihood of a threat occurring.
Lack of backup protocols
An example of a risk to an organization
Low-risk asset
Information that would not harm the organization’s reputation or ongoing operations, and would not cause financial damage if compromised.
Medium-risk asset
Information that’s not available to the public and may cause some damage to the organization’s finances, reputation, or ongoing operations.
High-risk asset
Information protected by regulations or laws, which if compromised would have a severe impact on an organization’s finances, ongoing operations, or reputation.
Vulnerability
A weakness that can be exploited by a threat.
Risk
Both a vulnerability and threat must be present in order for there to be a _______.
Ransomware
A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access.
Layers of the web
Surface web, deep web, dark web.
Surface web
The layer that most people use. It contains content that can be accessed using a web browser.
Deep web
This layer generally requires authorization, e.g. an organization’s intranet, since it can only be accessed by employees or others who have been granted access.
Dark web
This layer can only be accessed by using special software. It carries negative connotations because it is the layer preferred by criminals, due to the secrecy it provides.
Key impacts of threats, risks, and vulnerabilities
Financial, identity theft, reputation
Financial impact
Includes interrupted production and services, the cost to correct the issue, and fines if assets are compromised because of non-compliance with laws and regulations.
Identity theft impact
Organizations must decide whether to store private customer, employee, and outside vendor data, and for how long. Storing any type of sensitive data presents a risk to the organization. Sensitive data can include personally identifiable information, or PII, which can be sold or leaked through the dark web. That’s because the dark web provides a sense of secrecy, and threat actors may have the ability to sell data there without facing legal consequences.
Reputation impact
A solid customer base supports an organization’s mission, vision, and financial goals. An exploited vulnerability can lead customers to seek new business relationships with competitors or create bad press that causes permanent damage to an organization’s reputation.
National Institute of Standards and Technology
Aka NIST
NIST Risk Management Framework
Aka NIST RMF
Risk Management Framework
Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.
RMF Step 1: Prepare
Activities that are necessary to manage security and privacy risks before a breach occurs.
RMF Step 2: Categorize
Used to develop risk management processes and tasks.
RMF Step 3: Select
Choose, customize, and capture documentation of the controls that protect an organization.
RMF Step 4: Implement
Implement security and privacy plans for the organization.
RMF Step 5: Assess
Determine if established controls are implemented correctly.
RMF Step 6: Authorize
Being accountable for the security and privacy risks that may exist in an organization.
RMF Step 7: Monitor
Be aware of how systems are operating.
Examples of digital assets
Social Security Numbers, unique national identification numbers, dates of birth, bank account numbers, mailing addresses.
Examples of physical assets
Payment kiosks, servers, desktop computers, office spaces.
Common risk management strategies
Acceptance, Avoidance, Transference, Mitigation
Acceptance
Accepting a risk to avoid disrupting business continuity.
Avoidance
Creating a plan to avoid the risk altogether.
Transference
Transferring risk to a third party to manage.
Mitigation
Lessening the impact of a known risk.
Health Information Trust Alliance
Aka HITRUST
Insider threats
Staff members or vendors abuse their authorized access to obtain data that may harm an organization.
Advanced persistent threats
Aka APTs
Advanced persistent threats
A threat actor maintains unauthorized access to a system for an extended period of time.
External risk
Anything outside the organization that has the potential to harm organizational assets, such as threat actors attempting to gain access to private information.
Internal risk
A current or former employee, vendor, or trusted partner who poses a security risk.
Legacy systems
Old systems that might not be accounted for or updated, but can still impact assets, such as workstations or old mainframe systems. For example, an organization might have an old vending machine that takes credit card payments or a workstation that is still connected to the legacy accounting system.
Multiparty risk
Outsourcing work to third-party vendors can give them access to intellectual property, such as trade secrets, software designs, and inventions.
Software compliance/licensing
Software that is not updated or in compliance, or patches that are not installed in a timely manner.
Open Web Application Security Project
Aka OWASP
OWASP
They publish a standard awareness document about the top 10 most critical security risks.
Examples of vulnerabilities
ProxyLogon, ZeroLogon, Log4Shell, PetitPotam, security logging and monitoring failures, server-side request forgery.
ProxyLogon
A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means that a threat actor can complete a user authentication process to deploy malicious code from a remote location.
ZeroLogon
A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person’s identity. Netlogon is a service that ensures a user’s identity before allowing access to a website’s location.
Log4Shell
Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code.
PetitPotam
Affects Windows NTLM. It is a theft technique that allows a LAN-based attacker to initiate an authentication request.
Local Area Network
Aka LAN
New Technology LAN Manager
Aka NTLM
Security logging and monitoring failures
Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it.
Server-side request forgery
Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data.