25 nov 2014

Consultas WMI



Genérica
Set objWMIService = GetObject("winmgmts:\\" & host & "\root\cimv2")
Registro
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & host & "\root\default:StdRegProv")
Políticas
Set objRsop=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & host & "\root\rsop\computer")

Usuarios locales: "Select * from Win32_UserAccount Where LocalAccount = True"
Grupos locales: "Select * from Win32_Group  Where LocalAccount = True"
Usuarios dentro de un grupo: SELECT * FROM Win32_GroupUser WHERE (groupcomponent = 'win32_group.name="Administrators",domain="MyHostName"')
Informacion de un User Profile: "Select * From Win32_UserProfile"
Servicios: "Select * from Win32_Service"
Shares: "Select * from Win32_Share"

Politicas

"select * from RSOP_SecuritySettingNumeric where precedence=1"
"Select * from RSOP_UserPrivilegeRight where precedence=1"
"Select * from RSOP_PolicySetting where precedence=1"
"Select * from RSOP_AuditPolicy where precedence=1"

26 ago 2014

MOOC de Seguridad de la Informacion y Gestion de Riesgos en Coursera

Hoy empiezan en Coursera (https://www.coursera.org/) estos 3 cursos en formatos MOOC (http://es.wikipedia.org/wiki/MOOC) que son impartidos por la Universidad de Washington:
El temario de los cursos se ve interesante, así que si tienen tiempo es una buena manera de mantenerse actualizado (y gratis).

Y para los que no podemos estar todo el día en la PC o laptop también se cuenta con la App de coursera en las tiendas de android y apple.


2 ago 2014

Obteniendo informacion desde un HTML con python


Un poco de código para extraer información mediante un script en python , algo básico, para empezar a familiarizarme con las librerías disponibles en Kali.

Las librerías usadas:

  • urllib2 para descargar el código html de una pagina web
  • beutifulsoup para extraer los enlaces que contiene
  • urlparse para validar que los enlaces sean validos y extraer el hostname
  • finalmente, la libreria dns para extraer la IP de los nombres de dominios obtenidos

url_extractor.py
# pylint: disable-msg=C0301
'''
apt-get install html5lib
apt-get install python-beautifulsoup
apt-get install python-lxml 
apt-get install python-pyquery 

http://yuji.wordpress.com/2008/05/14/python-basics-of-python-dictionary-and-looping-through-them/
http://stackoverflow.com/questions/493819/python-join-why-is-it-string-joinlist-instead-of-list-joinstring
'''

from utils import utils

def main():
    '''
    para que pylint no muestre tantos mensajes =)
    http://stackoverflow.com/questions/709490/python-code-convention-using-pylint
    '''
    url = "www.google.com"
    html = utils.HtmlExtractor(url)
    #aseguramos que url siempre comienze por http:// o https://
    url = html.get_url()
    #print html.get_body()
    data_extractor = utils.DataExtractor(html.get_body(), url, only_href = True)
    urls = data_extractor.get_urls()
    print "URLS: "
    for temp in urls:
        print temp
    domains = data_extractor.get_domains(urls)
    print "Dominios: "
    for temp in domains:
        print temp
    ips = data_extractor.get_ips_for_domains(domains)
    for key in ips.iterkeys():
        print key, ": ", " ".join(ips[key])

if __name__ == "__main__":
    main()

utils/utils.py
'''

http://docs.python.org/library/urlparse.html
http://docs.python.org/tutorial/errors.html
http://docs.python.org/library/urllib2.html
http://docs.python.org/library/urllib2.html#urllib2.Request
http://www.crummy.com/software/BeautifulSoup/documentation.html
http://blog.elcodiguero.com/python/23-eliminar-duplicados-lista.html
http://www.mail-archive.com/dnspython-users@dnspython.org/msg00006.html
http://www.dnspython.org/examples.html
http://docs.python.org/release/2.5.2/lib/typesmapping.html
'''
from urlparse import urlparse
import urllib2
import BeautifulSoup
import dns.resolver

def valida_url(url):
    '''
    
    @param url:
    @type url:
    '''
    #si la url no empieza por http temp https lo anexa al inicio
    if url[:7].lower() != "http://" or url[:8].lower() != "https://":
        url = "http://" + url
    #verificamos que es una url completa, es decir, contiene al hostname
    temp = urlparse(url)
    if temp.hostname is None:
        url = None
    return url

# pylint: disable-msg=W0232
class _MyRedirects(urllib2.HTTPRedirectHandler):
    '''
    Clase de redireccion
    '''
# pylint: disable-msg=C0301,R0913,C0111
    def http_error_301(self, req, fpc, code, msg, headers):
        print code, " http_error_301 ", headers['Location']
        return urllib2.HTTPRedirectHandler.http_error_301(self, req, fpc, code, msg, headers)
# pylint: disable-msg=C0301,R0913,C0111
    def http_error_302(self, req, fpc, code, msg, headers):
        print code, " http_error_302 ", headers['Location']
        return urllib2.HTTPRedirectHandler.http_error_302(self, req, fpc, code, msg, headers)
# pylint: disable-msg=C0301,R0913,C0111
    def http_error_303(self, req, fpc, code, msg, headers):
        print code, " http_error_303 ", headers['Location']
        return urllib2.HTTPRedirectHandler.http_error_303(self, req, fpc, code, msg, headers)
# pylint: disable-msg=C0301,R0913,C0111
    def http_error_307(self, req, fpc, code, msg, headers):
        print code, " http_error_304 ", headers['Location']
        return urllib2.HTTPRedirectHandler.http_error_307(self, req, fpc, code, msg, headers)

class HtmlExtractor(object):
    '''
    Clase que extrae el codigo HTML de un origen.
    '''
    def __init__(self, url):
        '''
        
        @param url: URL completa, no acepta rutas relativas o absolutas
        @type url: string
        '''
        self.follow_redirects = False
        self.html_body = None
        self.url = valida_url(url)
        if self.url is None:
            raise ValueError("URL No valida")


    def get_url(self):
        '''
        retorna la url parseada, por ejemplo:
        para www.google.com.pe retorna http://www.google.com.pe
        '''
        return self.url


    def get_body(self, follow_redirects = False):
        '''
        Retorna el html resultante de la peticion.
        
        @param follow_redirects: En caso de estar seteado a verdadero, interpreta los mensajes HTTP 301, 302
        @type follow_redirects: boolean
        '''
        self.follow_redirects = follow_redirects
        request = urllib2.Request(self.url)
        opener = urllib2.build_opener(_MyRedirects())
        content = opener.open(request)
        self.html_body = content.read()
        return self.html_body





class DataExtractor(object):
    '''
    Clase para extraer Datos de un html.
    
    url -- direccion desde la cual se extrajo el html, opcional si se desea que se 
    interpreten las rutas relativas o absolutas que se puedan encontrar en el html
    
    only_href -- Solamente devuelve el contenido de los href, el texto entre las etiquetas  no necesariamente puede coincidir con el valor
    '''
    def __init__(self, html_body, url = None, only_href = False):
        self.html_body = html_body
        self.url = url
        self.only_href = only_href
        self.urls = []
        self.domains = []
        self.domain_ips = {}


    def get_urls(self):
        '''
        devuelve todas las URL encontradas en el html analizado
        '''
        result = BeautifulSoup.BeautifulSoup(self.html_body)
        lst_tag = result.findAll("a")
        for c_url in lst_tag:
            self.urls.append(c_url["href"])
        return self.urls


    def get_domains(self, urls = None):
        '''
        
        @param urls: Listado de urls a extraer los dominios, es la informacion devuelta por
        get_urls()
        @type urls: list
        '''
        if urls is None:
            self.urls = self.get_urls()
        for url in urls:
            temp = urlparse(url)
            if temp.hostname is None:
                continue
            self.domains.append(temp.hostname)
        return dict.fromkeys(self.domains).keys()


    def get_ips_for_domains(self, domains = None):
        '''
        
        @param domains: Listado de dominios a extraer los IP, es la informacion devuelta por
        get_domains()
        @type domains: list
        '''
        if domains is None:
            self.domains = self.get_domains()
        for domain in domains:
            answer = dns.resolver.query(domain, 'A')
            temp = []
            for rdata in answer:
                temp.append(rdata.address)
            self.domain_ips[domain] = temp
        return self.domain_ips

29 jul 2014

Mi entorno python en windows

Para mis pruebas de Hy (http://hy.readthedocs.org/en/latest/) y diversos scripts que normalmente ejecuto en Linux.

Usaré python 2.7, teniendo en cuenta hacer código migrable a python3, el porqué no usar python3 es debido a que algunas librerías no están migradas aún a python3.

Sistema base: windows 8.1 64 bits

Python (Seleccionar agregar python al PATH durante la instalación)
https://www.python.org/downloads/

Setup tools
Ejecutar PowerShell como administrador y ejecutar lo siguiente
(Invoke-WebRequest https://bootstrap.pypa.io/ez_setup.py).Content | python -

Pip
Ejecutar PowerShell como administrador y ejecutar lo siguiente
(Invoke-WebRequest https://raw.githubusercontent.com/pypa/pip/master/contrib/get-pip.py).Content | python -

PyWin32
Descargar la ultima versión disponible desde http://sourceforge.net/projects/pywin32/
PD: Instalarla como usuario estándar, cuando lo intente como administrador por algún motivo fallaba en windows 8.1

Agregar rutas al PATH en PowerShell
setx PATH "%PATH%;C:\Python27\Scripts"

Pylint
python code static checker
pip install pylint

Ipython
pip install ipython

BeautifulSoup4
Para automatizar el analisis de código HTML
pip install beautifulsoup4

Hy
"Hy is a lisp dialect, but one that converts its structure into Python" =)
pip install hy

libdnet
No existe un instalador oficial para python 2.7 pero desde https://twitter.com/dloss/status/18457222544
http://dirk-loss.de/scapy/dnet-1.12.win32-py2.7.exe

dpkt
"fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols"
El texto menciona python 2.6 pero tambien sirve para 2.7
https://code.google.com/p/dpkt/downloads/detail?name=dpkt-1.7.win32.exe&can=2&q=

pypcap
"simplified object-oriented Python extension module for libpcap"
Tampoco tiene instalador oficial pero lo obtuve de aqui https://code.google.com/p/pypcap/issues/detail?id=36
https://pypcap.googlecode.com/issues/attachment?aid=360000000&name=pcap-1.1.win32-py2.7.exe&token=ABZ6GAdluPCo_hMK4vnsnR7oKqP_Gjomow%3A1406650615796

scapy
http://www.secdev.org/projects/scapy/doc/installation.html
http://bb.secdev.org/scapy/downloads/scapy-2.2.0.zip

wireshark
instalar la version de 32 bits
www.wireshark.org

Pycrypto
http://www.voidspace.org.uk/python/modules.shtml#pycrypto
http://www.voidspace.org.uk/downloads/pycrypto26/pycrypto-2.6.win32-py2.7.exe

dnspython
"dnspython is a DNS toolkit for Python. It supports almost all record types"
pip install dnspython

IDE:
Aptana Studio (Pydev)
http://www.aptana.com/products/studio3/download

20 jul 2014

Mi experiencia para el examen de Certificación CISSP

A estas alturas ya no es necesario una presentación del CISSP y los dominios que cubre, si estás buscando información sobre cómo dar el examen es natural que previamente hayas pasado por la página principal de (ISC)2; sino, ésta es la URL: https://www.isc2.org/CISSP/Default.aspx 

Un curso de preparacion para el examen CISSP cuesta alrededor de $4500, lo que no lo hace viable a menos que dispongas de esa cantidad o que la empresa esté dispuesta a pagarla. En mi caso preferí ir por la ruta de la auto preparación e invertir en adquirir una Tablet así como los libros y/o ebooks referentes a la certificación. 

No pretendo aconsejar una estrategia de estudio o sobre cual dominio iniciar porque es dependiente de la experiencia personal, por mis otras certificaciones de seguridad algunos dominios fueron muy fáciles para mí, mientras que otros los tuve que estudiar más detenidamente (por ejemplo, seguridad física). Mi recomendación es leer los objetivos de cada dominio, crear una lista de cuales son aquellos en los que se tiene experiencia, cuales no y en base a ello elaborar un plan de preparación propio.

El uso de flashcard o apuntes por dominios también es recomendable. Igualmente, es mejor preparar uno propio que usar de otra persona o uno pre-elaborado (los míos están en los otros links pero no creo que les sean de utilidad, son solamente conceptos y palabras claves que me ayudaron, los publique para tenerlos accesibles desde cualquier PC).

Este es el listado de recursos que utilicé para mi certificación, espero que les sea de utilidad.

Libros adquiridos: 
Eric Conrad CISSP Study Guide (Principal)
CISSP AIO 6th (Referencia)
Eric Conrad Eleventh Hour CISSP: Study Guide (Repaso durante la última semana)

Recursos Free:
CISSP - Open security training info (the slides) : http://opensecuritytraining.info/CISSP-Main.html

Preguntas de preparación: Felizmente aquí no existe algo parecido a los braindump (personalmente tengo una pésima opinión sobre ese modo de aprobar una certificación, que no hace más que devaluar una certificación). Si quieres aprobar el examen vas a tener que esforzarte :)

CCCure.org Practice exam (version de pago)
McGrawHill Questions
Preguntas en los libros

Foros:
http://www.techexams.net/forums (En ingles, una comunidad muy activa y comparten sus experiencias, muy recomendable)
Grupos varios de linkedin, Google+  (basta poner CISSP en el campo de búsqueda y apareceran los principales)

Como curiosidad, si estas interesado en saber cuantos CISSP hay en tu país lo puedes consultar desde aquí:
https://www.isc2.org/member-counts.aspx 

22 jun 2014

CISSP: Physical Security

Perimeter defenses
Fences
Gates
Bollards
Lights
CCTV
Locks
- Key locks
- Master and core keys
Combination locks
Smart cards
Magnetic Stripe cards
Mantraps
Turnstiles
Motion detectors
Doors
Windows
Walls, floors, ceilings
Guards
Dogs
Restricted areas and escorts

Site Selection
Topography
Utility reliability
Crime

Site Design and configuration issues
Site marking
Shared tenancy
Adjacent buildings
Shared demarc

System defenses
Asset tracking
Port control
Drive and tape encryption
Media storage and transportation

Media cleaning and destruction
Paper shredders
Overwriting
Degaussing
Destruction

Environmental Control

Electrical faults
- Blackout
- Brownout
- Fault
- Surge
- Spkie
- Sag

Surge protectors
Uninterruptible Power Supplies (UPS)
Electromagnetic interference
HVAC
Heat/ Humidity
Static
Corrosion
Airbone contaminants

Detectors:
Heat detectors
Smoke detectors
Flame detectors

Personal safety
Evacuation routes
- Roles:
- Procedures
Duress warning systems
Travel safety

Fire:
Class A
Class B
Class C
Class D
Class K

Suppression agents:
Water
Soda acid
Dry powder
Wet chemical
CO2
Halon
Halon subtitutes: Argon, FE-13, FM200, Inergen


Sprinkler systems
Wet pipe
Dry pipe
Deluge
Preaction
Portable fire extinguisher

CISSP: Legal, Regulations, Investigations and Compliance

Legal Systems:
Civil Law (legal system): judicial precedents do not carry the weight they do under common law
Common Law
Religious law
Customary law

Common law
criminal law
Civil law
Administrative law

Computer Crime
Computer system as a target
Computer as a tool

Intellectual property:
Trademark
Patents
Copyright
- First sale
- Fair use
Licenses
Trade secrets

Intellectual property attacks:
Counterfeiting
Dilution
Cybersquatting
Typosquatting

Privacy
Opt-out
Opt-in
EU Dataprotection Directive
EU-US safe harbor


Forensics

Forensic Media Analysis
Allocated space
Unallocated space
Slack space
Bad blocks/clusters/sectors

Live forensics
Network forensics

Concepts:
Evidence
Real evidence
Direct evidence
Circumstantial evidence
Corroborative evidence
Hearsay
Best evidence
Secondary evidence
Chain of custody
Entrapment
Enticement


Ethics
ISC Code of ethic
Computer Ethics Institute
IAB Ethics and the Internet

CISSP: Operations Security

Administrative Security

Personnesl Controls:

Leats Privilege
Need to know
Separation Of duties
Rotation of duties?Job rotation
Mandatory leave/forced vacation
Non-disclosure agreement (NDA)
Backgroud checks
Privilege monitoring

CISSP: Cryptography

Cryptography can provide confidentiality and integrity.
Diffusion: Plaintext should be diffused (disperser)
Confusion: relation between plaintext and ciphertext should be confused (or random)

Substitution: Replace one character for another
Permutation (transposition): Anagram style

Monoalphabetic cipher: susceptible to frequency analysis
Polyalphabetic cipher.


Crypto History
Egyptian hieroglyphics
Spartan scytale
Rotation Cipher: Caesar cipher, ROT-13
Vigenere cipher
Cipher disk
Jefferson disk
Book cipher and running-key cipher
Codebook
One-time pad
Vernam cipher
Purple
Enigma
SIGABA

Crypto Laws
COCOM
Wassenaar Arrangement



Symmetric Cryptography

DES: Standard name that describes DEA (Data Encryption Algorithm)
ECB
CBC
CFB
OFB
CTR

TDES: Standar name that describe TDEA

1TDES EDE
2TDES EDE
3TDES EDE

AES: Standar name that describe Rijndael
ShiftRows
MixColumns
SubBytes
AddRoundKey

Blowfish and Twofish
RC5 and RC6

Asymmetric Cryptography

Asymetric methods:
Factoring prime numbers
Discrete logarithm
Elliptic curve cryptography

Hash Functions
MD5
SHA1
SHA2
HAVAL

Cryptographic Attacks
Bruteforce
Social engineering
Known plaintext
Chosen plaintext and adaptive chosen plaintext
Chosen ciphertext and adaptive chosen plantext
Meet-in-the-middle attack
Know Key
Differential cryptanalysis
Linear cryptanalysis
Side-channel attacks
Implementation attacks
Birthday attack
Key clustering


Digital Signature: Provide authentication and integrity, non-repudiation
Message Authenticate Code (MAC)
HMAC
PKI

21 jun 2014

CISSP: BCP and DRP

Business Continuity Plan (BCP):
Business oriented. Long term, strategic.

List of plans
Disaster Recovery Plan
Continuity of Operations Plan
Business Recovery Plan
Continuity of Support Plan
Cyberincident Response Plan
Occupant Emergency Plan
Crisis Management Plan

Threats:
Natural:
Human:
Environmental:


Concepts:
RTO: the amount of time allowed for the recovery of a business function
RPO
WRT

Process:
Respond
Activate team
Communicate
Assess
Reconstitution

Developing:
Project Initiation
Scope the project
Business Impact Analysis
Identify Preventive Controls
Recovery Strategy
Plan Design and Development
Implementation, Training and Testing
BCP/DRP Maintenance

Disaster Recovery Plan (DRP):
IT Focus. Short term, tactical.

Recovery Options:
Redundant Site
Hot Site
Warm Site
Cold Site
Reciprocal Agreement
Mobile Site
Subscription Service

The site should be in a geographic area that is unlikely to be negatively affected by the same disaster event
The site should have the same amount of physical access restrictions as the primary site


Test types:
Checklist
Structured Walk-Througth/Tabletop
Simulation test/walkthrough drill
Parallel test/Parallel processing
Partial and complete (Full-Interrupt) test

CISSP: Software Development Security

Application Development Methods
Waterfall Model: Linear application development. Rigid phases
Sashimi model:
Agile Software Development:
Scrum
Extreme Programming

Spiral Model: Designed to control Risk
Rapid Application Development: Protypes.

SDLC 
Prepare Security Plan
Initiation
Development/Adquisition
Implementation
Operation/Maintenance
Disposal

Software Vulnerabilities:
Buffer Overflow
Cross Site Scripting
Privilege escalation

Software Testing Methods
Static Testing
Dynamic Testing
WhiteBox
BlackBox

Testing Levels:
Unit Testing
Installation Testing
Integration Testing
Regression Testing
Acceptance Testing



Software Capability Maturity Model (CCM)
Initial
Repeatable
Defined
Managed
Optimizing

Database Systems
Relational:
-DDL
-DML
Hierarchical
Object Oriented

IA
Expert Systems: Knowledge base, Inference Engine
Neural Networks: Training



Issues:
Aggregation
Inference

Mobile Code
Java
ActiveX



20 jun 2014

CISSP: Security Architecture and Design

Computer Architecture:
Certification
Accreditation
Assurance
Protection Mechanisms
Trusted Computer Base
Security Modes (MAC)

Reference Monitor: Kernel mediates all access between subjects and objects
Layering: Modular tiers
Abstraction: Hidden details from the user
Domain:
Security Domain: Group of subjects and objects with similar security requirements

Covert Channel: Any communication that violates security policy.
Covert Storage Channel
Covert Timing channel
Race COnditions (TOCTOU)


Models:
MATRIX:
Take Grant: Direct graphs. State transitions.
Bell-LaPadula: Confidentiality. First Mathematical model.
BIBA: Integrity. Lattice based.
Clark Wilson: Integrity. Access to object throught programs.
Information Flow Model:
Brewer and Nash: Chinese Wall model.


Evaluation Criteria
TCSEC (Orange Book): Trusted Computer System Evaluation Criteria

TCSEC Requirements:
D: Minimal protection
C: Discretionary Protection
C1: Discretionary Security Protection
C2: Controlled Access Protection
B: Mandatory Protection
B1: Labeled Security Protection
B2: Structured protection
B3: Security Domains
A: Verified Protection
A1: Verified Design



ITSEC: Information Technology Security Evaluation Criteria

Common Criteria (ISO 15408):

EAL1: Functionally Tested
EAL2: Structurally tested
EAL3: Methodically tested
EAL4: Methodically designed, tested and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed and tested
EAL7: Formally verified, designed and tested

ST: Security Target
TOE: Target Of Evaluation
PP: Protection Profile

19 jun 2014

CISSP: Telecommunications and Network Security

Circuit-switched: Dedicated
Packet-switched:
Layered design
Private IP range:

OSI Model

Application Layer
Presentation Layer
Session Layer: (SOCKS)
Transport Layer
Network Layer: Packets
Data Link layer: Frames
Physical Layer: Electrical signals

TCP/IP Model
Application: data
Transport: segment
Internet: Packet
Network Access:

Encapsulation vs demultiplexing(de-encapsulation)
48bits MAC address vs EUI64 MAC address
IPv4 (32 bits address)
IPv6 (128 bits address)

ATM: Uses fixed length cells
HDLC vs SDLC
Frame Relay: No error recovery


Firewalls:
Packet filter:
Stateful
Proxy
Application-layer
Circuit-level

Firewall Design:
Bastion Host
Dual Homed host
Screened host
DMZ Network:
Classic DMZ: screened subnet dual firewall. Two firewalls
Three-legged DMZ: One firewall

Network Attacks:

TCP SYN Flood
LAND Attack
Smurf Attack
Fragle Attack
Teardrop Attack

Secure Communications:

Authentication Protocols:
PAP / CHAP:
801.1X / EAP

VPN:
PPTP / L2TP
IPSec
SSL / TLS

Wireless
WPA2: Robust Security Network
WPA2: AES + CCMP
WPA: RC4 + TKIP

CISSP: Access Control

Flow of information between subject (active entity) and object (passive entity)
Subjects: Clearance, capability
Object: Clasiffication, ACL

Principles:
Least privilege:
Separation of duties:


Identification:
Authentication
Authorization:
Accountability:

Controls types:
Administrative
Technical (logical)
Physical

Controls categories:
Directive:
Preventive:
Detective:
Corrective:
Recovery:
Deterrent:

Types:

Mandatory Access Control (MAC): Use labels
Discretionary Access Control (DAC)
Non-discretionary Access Control

Type I: Something you Know
Type II: Something you Have
Type III: Something you Are

Biometric:
Retina: Change over time, Invasion privacy
Iris: Remains (comparatively), not invasive
Minutiae:
Type I Error: FRR (False Reject Rate)
Type II Error: FAR (False Acceptance Rate)
CER (Crossover Error Rate) or Equal Error rate

Single Sign On (SSO)
Pro:
Cons:

Kerberos:
Symetric crypto
KDC
AS
TGT
TGS

SESAME:

KRYPTONIGHT

Directory Services:

Access Control Methodologies:

Centralized:
RADIUS:
DIAMETER:
CALLBACK:
CHAP
TACACS+

Smart Cards:
Contact
Contactless
Combi card

Identity Management:
Directory based
Web access management
Password management
Account management

Provisioning
Profile update

Threats:
Computing: DDOS, Unauthorized software, Software defects
Physical: Unauthorized access, electronic emanations
Personal: Social engineering

17 jun 2014

CISSP: Information Security Governance and Risk Management

Information Security Governance

(human) safety is always the priority

Confidentiality: Keeping secrets secret. Protect from unauthorized access.
Integrity: Complete, consistent and accurate. Integrity protection (Disallowing unauthorized alteration). Integrity Verification (Verifying accurate, complete and consistent)
  • Data Integrity: Protect information (data)
  • System Integrity: Protect a system
Availability: Access to information when is needed
CIA vs DAD (Disclosure, Alteration, Destruction)
Balance CIA with organization security needs.

Information classification:
Criteria: Bussiness value, retention policy
Level: depends (goverment, private sector)

Security awareness: Change user behavior
Security training: Provide skill

Policies: High-level. Mandatory (compulsory)
Procedures: Step-by-step
Standars: Specific use of technology
Guidelines: Recommendations
Baselines:

Security Planning:
Operational Goals: Daily goals and objectives.
Tactical Goals: Mid-term goals
Strategic Goals: Long term goals

Roles and Responsibilities:
Senior management: Responsible
Information Security Officer:
Security Analyst
Owner:
Custodian:
User:
Auditor:

Due Care:
Due diligence:
"Prudent man rule"

Certification: Detailed inspection
Accreditation: Data owner acceptance

Risk Management:
Assets: Valuable resources. People are the most valuable asset.
Threat agent:
Threat: Potentially harmfull ocurrence
Vulnerability: A weakness that allows a threat to cause harm
Impact (Consequences): Severity of the damage (in $).
Risk: Threat x Vulnerability
Control (countermeasure):

  • Qualitative Analysis: Values
  • Quantitative Analysis: Expert Opinion (subjective)
AV: Asset Value

EF: Exposure Factor
SLE: Single Loss Expectancy (AV x EF)
ARO: Annual Rate of Occurrence
ALE: Annualized Loss Expectancy (SLE x ARO)
ROI: Amount of money saved by implementing a safeguard

Risk Choices:
Accept
Mitigate
Transfer
Avoid