How much of your time, if done properly, should Planning and Protection take up, compared to Response?
If all is done well with planning and protection, the two should take up about 90% of your time.
What is the hardest, and most important, part of information security planning?
Management is the hardest and most important part of information security. Security is a process, not a product.
What is comprehensive security?
Comprehensive security is the state of having closed off all possible avenues of attack. This is pretty damn tricky, but very important.
What is weakest link failure?
Weakest link failure is the concept that it only takes one failure in any component or part of a security process to invalidate security efforts.
How is it best to manage security?
Security management must, MUST be formalized and continuous.
When should security be factored into a new system?
Security should be considered at the very beginning of the design of a system, within the SDLC.
What’s the difference between police and security?
Security prevents “crime”. Police punish it more often than not, but rarely prevent.
How can IT security be planned?
IT security can be planned by identifying current security gaps; identifying the threat environment, laws and standards that impact security; and then identifying the corporate resources that need to be protected, calculating the worth of each resource compared to the cost of protecting it. The ones that provide the most return get protected first, and the rest get coverage as cycles move forward.
What are the benefits and downsides of having IT security located within IT?
With IT security located within IT, there will be a lot of technical compatibility, but it makes it rather hard for “whistle-blowing” on IT. It’s recommended that security be placed outside of IT for that reason, although there are downsides (siloed knowledge).
Why is it important to have “top management support”?
Top management support brings with it a significant increase in budget, but just as important, it also brings a good example to follow; if top management isn’t following ITSec, then no one else will. The inverse is also true.
What is the best way to treat users? Or rather, how not to treat them?
THE USER IS NOT STUPID, JUST UNDER-EDUCATED.
What is Single Loss Expectancy? How is it calculated?
Single Loss Expectancy (SLE) is the expected loss to an organization in the event of a compromise of a specific asset. This is calculated by taking the Asset Value (AV) and multiplying it by the Exposure Value (EV), which is the percentage of loss in value an asset suffers from being compromised.
What is Annualized Loss Expectancy? How is it calculated?
Annualized Loss Expectancy (ALE) is the expected loss per year that an asset is projected to have, based on the probability of a compromise. This is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO, the odds of a compromise happening in a year).
What is classic risk analysis, and what are some problems with it?
Classic risk analysis takes a look at the Annualized Loss Expectancy and compares it to the annualized cost of the countermeasures, and determines the total value of the countermeasure (whether or not it’s cost-effective to prevent the loss).
This is good, but there are problems. Attack and defense costs will need to be calculated with discounted values (net present value), depreciation, that sort of thing. Also, not all compromises involve actual “loss” of data. Finally, the actual ARO is all but impossible to predict accurately.
For what reasons is security management hard?
Security management is hard because it is abstract. That’s a lot of it. Also, the idea that all avenues of attack must be covered, and that if even one fails, they’re all basically gone, doesn’t make it any easier. Finally, companies usually have a lot to protect.
List the three stages in the plan-protect-respond cycle. Is there a sequential flow between the stages?
Plan, protect, respond. Simple enough. There actually is not a sequential flow; all three stages are occurring at once and feed into one another.
Of the plan-protect-respond cycle, which phase consumes the most time?
The wide majority of time is spent on the protection phase.
What is the definition of protection?
Protection is the plan-based creation and operation of countermeasures.
What is the definition of response?
Response is recovery according to plan.
What is the key factor to making security an enabler rather than a frustration?
To make security an enabler over a frustration, it is important to make security an early part of any given project.
In developing an IT security plan, what would a company do first?
The first step of developing an IT security plan is to identify the existing security, its weaknesses and its strengths.
What are the major categories that drive IT security?
The major categories that drive IT security are the threat environment, laws and regulations, corporate structure, mergers, etc.
When can the Federal Trade Commission (FTC) act on companies?
The FTC can act on companies when they fail to take reasonable precautions to protect private information.
What is the usual title of the manager of the security department?
The manager of the security department is generally called the Chief Security Officer (CSO), or Chief Information Security Officer (CISO).
Why is the HR department important to security?
HR is important to security because it is responsible for training, including security training. It also handles hiring and firing employees, and needs to work alongside security throughout these processes.
What are the three main types of corporate auditing units?
The three types of corporate auditing units are:
Internal Auditing - Examines organizational units for efficiency, effectiveness, and adequate controls.
Financial Auditing - Examines financial processes for efficiency, effectiveness, and adequate controls.
IT Auditing - Examines processes involving IT for efficiency, effectiveness, and adequate controls.
What is a Managed Security Service Provider?
An MSSP, or Managed Security Service Provider, is a service that takes the event logs from a company’s network and monitors them for suspicious events, notifying the company only of major incidents that require action.
What are the two main advantages of using a Managed Security Service Provider?
The two main benefits of using a managed security service provider are, first, that an MSSP is experienced in dealing with threats and attacks, compared to an internal department, which might deal with only one or two a year.
The other main benefit is independence. An MSSP can hold accountable everyone in a company, including IT and security staff.
What security concerns are not usually outsourced?
Security planning and policy are generally not outsourced, as they are too vital and company-specific.
Why is information assurance a poor name for IT security?
Information assurance leads to the idea that a company can guarantee the confidentiality of information, and that is not true.
Why is reasonable risk the goal of IT security?
Reasonable risk is preferable because absolute security isn’t possible, and getting close to it can impact performance and be unpleasant.
What are some negative consequences of IT security?
Some negative consequences of IT security would be psychological and productivity costs, and extensive expense.
What is exposure factor?
Exposure factor is the percentage of an asset’s value that is lost in a breach.
What is single loss expectancy?
Single loss expectancy is the amount of damage that would be sustained to a specific asset in a breach.
What is the annualized probability/rate of occurrence?
The annualized probability/rate of occurrence is the expected number of times an attack will succeed in a year. Notoriously inaccurate.
What is the annualized loss expectancy?
The annualized loss expectancy is how much a company stands to lose from an asset due to attacks in a given year.
What are some flaws with classic risk analysis?
Some flaws in classic risk analysis are:
Uneven Multi-Year Cash Flows - Security countermeasures tend to get cheaper after their first year, and their benefits tend to increase. Over time, this inverts.
Total Cost of Incident - It’s damn hard to properly calculate loss of “value” in a breach.
Many-to-Many Relationships - Classic risk analysis assumes there’ll be one countermeasure to one asset; shit no, firewall protects everyone, baby. Basically, one countermeasure can work on multiple assets at once.
What are four ways of responding to risk?
The four methods of responding to risk are:
Risk Reduction - Adopting active countermeasures to risks.
Risk Acceptance - Understanding risks and doing nothing, generally when the cost of a countermeasure is greater than the damage that the risk could inflict.
Risk Transference (Insurance) - As long as reasonable countermeasures are in place, insurance will cover damages of risks.
Risk Avoidance - Flat-out not taking an action that seems too risky. "Kills" innovation, though.
What is technical security architecture?
Technical security architecture is all of a company’s technical countermeasures and how those countermeasures are organized into a complete system of protection.
Why is technical security architecture needed?
Technical security architecture allows a company to have a good understanding of the structure of their security, and allows them to see areas of weakness when compared to the security needs of the company.
Why do firms not immediately replace their legacy security technology?
There are many reasons that a company might not replace its legacy security technology immediately; expense, technical complexity, difficulty of planning and implementation, and so on.
What is the difference between the “Defense In Depth” philosophy and “Weakest Link”?
Defense in Depth refers to the idea of having multiple different, independent and overlapping countermeasures in place, so that if one fails, the others remain up. Weakest link refers to one countermeasure that is itself composed of multiple interdependent components.
Why are central security management consoles dangerous?
A central security management console would give an illicit user the ability to do massive damage.
Why are central security management consoles desirable?
Having a centralized location to manage security makes management and coordination considerably easier. This prevents things like inconsistent policies from being implemented.
Why is border management important?
Border management is important because it keeps networks properly secured against the rest of the world.
Why isn’t border management a complete security solution?
Border management (firewalls ‘n such) isn’t a complete solution because it doesn’t adhere to defense-in-depth.
Why is remote connection from home a dangerous thing?
Often, connecting remotely from home involves using the users’ home computers, which can have god-only-knows-what on them, and lets that stuff onto the secured network.
Why are interorganizational systems dangerous?
Interorganizational systems are dangerous because neither of the two companies can enforce their security standards on the other, or shit, even learn about the other’s security in general, leaving weaknesses.
What’s so great about centralized security management?
Centralized security management is important because it allows for policies to be deployed easily from one or a few secure points, consistently, across all devices, immediately.
What is a policy?
A policy is a statement of what should be done under certain circumstances. Note, what should be done, not how it should be done.
What is implementation?
Implementation is how a policy is performed.
What’s the difference between policy and implementation?
A policy sets the general goal and vision of what should occur under circumstances, and is generally static. Implementation can change as the required work to enact that policy may change.
What are the categories of security policy?
These are the categories of security policy:
Corporate Policy - This is the topmost level of security policy, defining a firm’s stance on security. It should be brief and to the point.
Major Policy - More detailed than the corporate policy, major policies are broad but detailed. Things like email policies, hiring and termination policies, etc.
Acceptable Use Policy - An AUP details important points of a major policy as it applies specifically to users, in a legally binding way.
Policies for Specific Resources/Countermeasures - The most detailed, these are necessary to fill in the ambiguity still left by Major Policies when it comes to individual needs.
What is the difference between standards and guidelines?
Standards are mandatory implementation guidance, and they must be met. Guidelines are discretionary. The only requirement of a guideline is that it must be considered, not followed.
When are guidelines appropriate?
Guidelines are appropriate in complex or uncertain situations where rigid standards might get snarled up. Think of situations where exceptions to the hard-and-fast rule might pop up from time to time.
What is implementation guidance?
Implementation guidance is a way of limiting the “discretion” of implementers, trying to avoid bad implementation decisions when implementing policies, and trying to keep some consistency in implementation.
What are some types of implementation guidance?
Some forms of implementation guidance are as follows:
Procedures - Procedures are highly detailed instructions as to the actions that must be taken by specific employees.
Processes - For more managerial positions, processes are necessary. Processes are high-level descriptions of what needs to be done, as it is often difficult to reduce everything to a series of low-level instructions.
Baselines - Baselines are meant to describe the necessary accomplishments, without actually describing the actions themselves required to produce them. Baselines must usually be tailored to specific situations.
Best Practices - Best practices are examples of what the top firms in an industry are doing about security.
How does segregation of duties impact procedures?
Segregation of duties, if it’s being honored, would require that a procedure not be undertaken entirely by one person, to prevent them from being unchecked and causing possible harm. Mind you, collusion between people can still make this happen, but this helps.
How are best practices different from recommended practices?
Best practices are examples distilled from top companies, generally applied. Recommended practices are prescriptive statements about what companies should do.