CISSP Certification Prep: Security and Risk Management

About This Presentation
Title:

CISSP Certification Prep: Security and Risk Management

Description:

Managing organizational and business security is one of the biggest challenges companies face today. Identifying potential threats, assessing business risks and managing effective security controls are essential to safeguarding business information. The Certified Information Systems Security Professional (CISSP) is an all-inclusive certification exam covering eight domains that validates the technical skills of security professionals. This recorded webinar session will help you acquire an understanding of vital information security aspects and risk management practices. Our experts cover the key topics of the exam, including security governance, threat modeling and vendor management. Watch the webinar here:


Transcript and Presenter's Notes

1
CISSP Certification Prep: Security and Risk Management
Larry Greenblatt NetCom Learning
www.netcomlearning.com info_at_netcomlearning.com
(888) 563 8266
2
Agenda
  • How to align security with the business
  • How to use control frameworks
  • How to manage business risks
  • How to identify security threats
  • How to manage different vendors
  • How to build security awareness
  • Q&A session with the speaker

3
Process Management
W. Edwards Deming
4
The Triple Constraints
  • Scope (customer needs)
  • Cost (budget)
  • Time (schedule)
  • Quality sits in the middle of the triangle: it is what the other three constraints trade off against
5
CMMI - Capability Maturity Model Integration
  • Carnegie Mellon Software Engineering Institute
  • A process improvement maturity model
  • Maturity Levels
  • 0 - Incomplete (a capability level in CMMI; maturity levels proper run 1-5)
  • 1 - Initial
  • 2 - Managed ("Repeatable" in the original SW-CMM)
  • 3 - Defined
  • 4 - Quantitatively Managed
  • 5 - Optimizing

6
  • Process Immaturity: the Capability Immaturity Model (CIMM)
  • Parody by Capt. Tom Schorsch, USAF (1996)
  • Immaturity Levels (negative counterparts to the CMMI levels)
  • 0) Negligent: lip service
  • -1) Obstructive: adherence to an ineffective process
  • -2) Contemptuous: fudged metrics
  • -3) Undermining: sabotaging competitors

https://en.wikipedia.org/wiki/Capability_Immaturity_Model
7
  • Cyber Risk Management
  • Preventing, detecting and responding to unforeseen dangers
  • "Risk" is traced to the Greek rhiza: cliffs under water, a hazard to ships
  • Due Diligence = Risk Identification / Analysis
  • Think before you act
  • Identifying, assessing and analyzing risks, as well as understanding the appropriate controls to prevent, detect and respond to negative events
  • Due Care = Risk Mitigation / Handling / Treatment
  • Take action
  • Selection, implementation and maintenance of cost-effective security controls

8
  • Quantitative Analysis
  • "You can only speak matter-of-factly about what you can measure" (attributed to Robert Anton Wilson)
  • Objective numeric metrics
  • Real numbers
  • Concrete percentages
  • Monetary values
  • Basis for certification (technical evaluation of controls against a standard)
  • Limitation: there is often insufficient data
9
  • Qualitative Analysis
  • Subjective rankings (e.g. high / medium / low)
  • Experience
  • Intuition
  • Feelings
  • Basis for accreditation (management's formal acceptance of the residual risk)
  • Brainstorming
  • The Delphi technique (anonymous, iterative expert consensus)

10
Terminologies
Risk Identification
  • Assets: anything of value
  • Ownership, valuation, classification, entitlements
  • Threats: things that can cause a loss of value
  • Threat Agent: the source of a threat
  • Vulnerability: a weakness or limitation of the asset
  • Exposure: a vulnerability that is accessible to a threat source

11
  • Value versus Cost
  • Value applies to Assets
  • Subjective
  • Qualitative
  • Cost applies to Controls
  • Objective
  • Quantitative (Total Cost of Ownership, TCO)
  • Cost-Benefit Analysis weighs the one against the other

12
  • Threats
  • Anything that can cause a loss of value
  • Malicious attacks
  • Accidents
  • Natural disasters
  • Fatigue
  • Legal liabilities
  • Cost to quality

1998-2018 NetCom Learning
13
Threat Analysis
  • Threat Taxonomy
  • Man-made
  • Accidental (the most common!)
  • Intentional
  • Natural
  • (Technical)

14
STRIDE
Threat Modeling
  • Spoofing of user identity
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service (DoS)
  • Elevation of privilege

15
OWASP
Application Threat Modeling
  • Four Questions
  • 1. What are we building?
  • 2. What can go wrong?
  • 3. What are we going to do about that?
  • 4. Did we do a good enough job?

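As an added example, not code from the NetCom slides, the script below ties the two threat-modeling slides together: it answers question 2, "what can go wrong?", by applying STRIDE per element to a small data-flow model. The element-type to STRIDE-category table is the standard Microsoft STRIDE-per-element mapping; the three-tier web application model, its element names and the helper functions are assumptions constructed for illustration.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example, not code from the NetCom slides. The element-type to STRIDE
mapping is the standard Microsoft STRIDE-per-element table; the web-application
model in SAMPLE_MODEL is constructed for illustration.
"""
from dataclasses import dataclass

# STRIDE categories that apply to each DFD element type.
# A data store is subject to Repudiation only when it holds audit/log records.
STRIDE_PER_ELEMENT = {
    "external": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "datastore": {"T", "R", "I", "D"},
    "dataflow": {"T", "I", "D"},
}

# Each STRIDE category is the violation of one security property; the property
# names the class of control that mitigates it (question 3 of the four).
STRIDE_PROPERTY = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation (logging, signing)"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # external | process | datastore | dataflow
    crosses_trust_boundary: bool = False
    is_log_store: bool = False


def threats_for(element):
    """Sorted STRIDE letters applicable to one element."""
    cats = set(STRIDE_PER_ELEMENT[element.kind])
    if element.kind == "datastore" and not element.is_log_store:
        cats.discard("R")           # nothing to repudiate if the store is not a log
    return sorted(cats)


def enumerate_threats(model):
    """Answer 'what can go wrong?' for every element of the model.

    Returns rows of (element, letter, threat, property-to-enforce). Elements
    that cross a trust boundary are listed first, since that is where the
    attacker's reach changes and where review effort pays off most.
    """
    rows = []
    ordered = sorted(model, key=lambda e: (not e.crosses_trust_boundary, e.name))
    for e in ordered:
        for letter in threats_for(e):
            threat, prop = STRIDE_PROPERTY[letter]
            rows.append((e.name, letter, threat, prop))
    return rows


# Constructed model of a three-tier web application (hypothetical names).
SAMPLE_MODEL = [
    Element("Browser", "external"),
    Element("Browser -> WebApp (HTTPS)", "dataflow", crosses_trust_boundary=True),
    Element("WebApp", "process"),
    Element("WebApp -> DB (SQL)", "dataflow"),
    Element("CustomerDB", "datastore"),
    Element("AuditLog", "datastore", is_log_store=True),
]

if __name__ == "__main__":
    for name, letter, threat, prop in enumerate_threats(SAMPLE_MODEL):
        print(f"{name:28} {letter}  {threat:24} -> enforce {prop}")
```

Running the script lists 21 candidate threats for the six elements; the point of the per-element table is that it is exhaustive by construction, so the remaining work (questions 3 and 4) is deciding which rows are already mitigated and which need a control.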
16
  • Common ICT Threats: Malware
  • Viruses, Worms & Trojans
  • Rootkits
  • Logic bombs
  • Bots and botnets
  • Spyware
  • Ransomware

17
  • Rogue Infrastructure
  • Access points
  • DHCP servers
  • DNS servers
  • Routers
  • Certificate Authorities
  • Embedded hardware device drivers
  • P2P and other illicit servers

18
  • Loss Criteria
  • Life
  • Branding / Reputation
  • Initial loss versus delayed loss
  • Aggregate Losses
  • Asset
  • Productivity
  • Opportunity
  • (how to quantify?)

19
ISO/IEC 27005
Vulnerabilities (the Annex D categories)
  • Hardware
  • Software
  • Network
  • Personnel
  • Physical Site
  • Organizational
  (image source: blog.trendmicro.com)

20
Terminologies
Risk Analysis
  • Impact: the amount of loss
  • Likelihood: the frequency of the threat
  • Exploit: an incident, i.e. an actual loss event in which a threat acts on a vulnerability
  • Controls: safeguards / measures / countermeasures
  • Control failure policies

21
  • Impact & Likelihood
  • Impact: how much loss?
  • Likelihood: how frequent?

22
  • Control Analysis
  • Development / acquisition costs
  • Design / planning costs
  • Implementation: environment modifications
  • Maintenance / testing
  • Operating support costs
  • Effects on productivity

Control types (figure): Preventive, Detective, Responsive
23
  • Control Frameworks
  • Standards, Guidelines & Best Practices
  • Internal (tailored to the organization)
  • External
  • NIST (e.g. SP 800-53)
  • ISO (e.g. ISO/IEC 27001 / 27002)
  • COBIT (ISACA)

24
  • Outsourcing Control Administration
  • Service management limitations
  • Scheduled outages
  • Force majeure events
  • Service agreement changes
  • Security
  • Service API changes
  • Service assurances
  • Third-party audits
  • Service monitoring

25
Control Gap
  • A gap in coverage
  • The percentage of the asset not protected by the control. For example, if insurance covers 80% of a loss, then the control gap is 20%.

26
  • Cost-Benefit Analysis
  • Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
  • Annualized Loss Expectancy (ALE) = SLE x Annualized Rate of Occurrence (ARO)
  • Residual Risk = Risk x Control Gap
  • Value of a control = ALE before the control - ALE after the control - annual cost of the control
  • Addressed again in BCP (Business Continuity Planning)

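As an added example, not code from the NetCom slides, the script below carries the cost-benefit arithmetic from the Control Gap and Cost-Benefit Analysis slides through for one constructed scenario and ranks several candidate controls by their net annual value. The asset value, exposure factor, ARO, control names and costs are made-up figures for illustration; a control is modelled as reducing either the exposure (coverage, the complement of the control gap) or the likelihood (a lower ARO), which is how insurance and a preventive technical control differ.

```python
"""Quantitative risk arithmetic: SLE, ALE, control gap, residual risk and the
annual value of a safeguard.

Added example, not code from the NetCom slides. All asset values, exposure
factors, rates of occurrence and control costs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost per incident (0..1)
    aro: float                # Annualized Rate of Occurrence (incidents/year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # yearly TCO: amortised acquisition + operation
    coverage: float           # fraction of each loss the control absorbs (0..1)
    aro_after: Optional[float] = None  # new ARO if the control lowers likelihood


def sle(s):
    """Single Loss Expectancy = AV x EF."""
    return s.asset_value * s.exposure_factor


def ale(s):
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(s) * s.aro


def control_gap(c):
    """Share of the loss NOT covered: 80% insurance -> 20% gap."""
    return 1.0 - c.coverage


def residual_ale(s, c):
    """Risk x Control Gap: expected annual loss remaining with the control in place.

    A control that lowers likelihood is modelled by substituting its ARO; one
    that absorbs part of each loss (insurance, backups) by its coverage.
    """
    aro = s.aro if c.aro_after is None else c.aro_after
    after = Scenario(s.asset_value, s.exposure_factor, aro)
    return ale(after) * control_gap(c)


def control_value(s, c):
    """Annual value = ALE before - ALE after - annual cost of the control.

    Positive means the safeguard pays for itself; negative means it costs more
    than the risk it removes and accepting the risk is the rational choice.
    """
    return ale(s) - residual_ale(s, c) - c.annual_cost


def rank_controls(s, controls):
    """Controls ordered by net annual value, best first."""
    return sorted(controls, key=lambda c: control_value(s, c), reverse=True)


# Constructed scenario: a 1,000,000 asset losing a quarter of its value per
# incident, expected once every two years.
SAMPLE = Scenario(asset_value=1_000_000.0, exposure_factor=0.25, aro=0.5)

# Hypothetical candidate treatments; "Accept the risk" is the zero-cost baseline.
CONTROLS = [
    Control("Cyber insurance", annual_cost=20_000.0, coverage=0.8),
    Control("Offsite backups", annual_cost=15_000.0, coverage=0.9),
    Control("EDR agent", annual_cost=40_000.0, coverage=0.0, aro_after=0.1),
    Control("Accept the risk", annual_cost=0.0, coverage=0.0),
]

if __name__ == "__main__":
    print(f"SLE = {sle(SAMPLE):,.0f}   ALE = {ale(SAMPLE):,.0f}")
    for c in rank_controls(SAMPLE, CONTROLS):
        print(f"{c.name:16} residual ALE {residual_ale(SAMPLE, c):>10,.0f}"
              f"   net value {control_value(SAMPLE, c):>10,.0f}")
```

With these figures SLE is 250,000 and ALE 125,000; the 80%-coverage insurance leaves a 20% gap and a residual ALE of 25,000, for a net value of 80,000 a year. The ranking puts the cheaper, higher-coverage backups first, which is the slide's point: the control is chosen on cost against benefit, not on how much risk it removes in isolation.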
27
NIST SP 800-100 Risk Assessment (process figure)
28
  • Plan - Do - Check - Act
  • (SP 800-50: building an awareness and training program)
  • Select risk treatment measures
  • Implement & maintain controls
  • Awareness: everyone
  • Training: administrators
  • Education: management

29
Risk Handling / Treatment
  • Avoid / Terminate
  • Reduce (mitigate)
  • Planning
  • Technologies
  • Training
  • Transfer (e.g. insurance, outsourcing)
  • Accept (within the risk appetite)
  • Reject = Negligence!

30
SDLC Management
Phase                    Description
Feasibility              N/A in security projects
Initiation               Basic description, schedule, budget
Requirements Analysis    (What) User needs: functions and assurance
System Design            (How) Checklist of specific components (specs)
Develop / Acquire        Build or buy according to the specs (verification)
Installation / Testing   User accepts functions & assurance (validation)
Operation / Maintain     Continuous upkeep
Retirement / Dispose     Data access issues
31
Recorded Webinar Video
To watch the recorded webinar video with the live demos, please access the link https://goo.gl/mc1cVd
32
About NetCom Learning
33
Recommended Courses
  • Certified Information Systems Security Professional (CISSP) Certification Prep - class scheduled on Nov 12
  • CompTIA Advanced Security Practitioner (CASP) Certification - class scheduled on Nov 12
  • CISM Certification - class scheduled on Nov 13
  • EC-Council CEH Certified Ethical Hacker v10 & CNDA Certified Network Defense Architect - class scheduled on Nov 05
34
  • The New Role-Based Microsoft Azure Certification Paths
  • Cross Team Collaboration: Increasing Productivity with Office 365 Groups
  • SharePoint 2019 "Wow": First Look at new SharePoint 2019
  • Adobe InDesign CC: Down and Dirty Tips and Tricks
  • Architecting for Security on AWS
  • Big Data for Enterprise: Managing Data and Values
  • Top Reasons to Master Agile Scrum and its Benefits
  • Clean Architecture: Patterns, Practices, and Principles
  • CEH: Understanding Ethical Hacking
  • SQL Server 2017 Application Development Best Practices
35
Promotions
From Cloud to Security, to Data and AI, to Networking, to Application Development, to Design, to Business Process Applications: all classes are delivered by top-notch instructors, in-person in an instructor-led classroom or live online. And after you train, treat yourself with Gift Card rewards. Learn More
36
Follow Us On
38
THANK YOU !!!