Title: CISSP Certification Prep: Security and Risk Management
Slide 1: CISSP Certification Prep: Security and Risk Management
Larry Greenblatt, NetCom Learning
www.netcomlearning.com info_at_netcomlearning.com (888) 563 8266
Slide 2: Agenda
- How to align security with business
- How to use control frameworks
- How to manage business risks
- How to identify security threats
- How to manage different vendors
- How to build security awareness
- Q&A session with the speaker
Slide 3: Process Management
W. Edwards Deming
Slide 4: The Triple Constraints
- Scope (customer needs)
- Quality
- Cost (budget)
- Time (schedule)
Slide 5: CMMI - Capability Maturity Model Integration
- Carnegie Mellon Software Engineering Institute
- A process improvement maturity model
- Maturity Levels
  - 0 - Incomplete
  - 1 - Initial
  - 2 - Repeatable
  - 3 - Defined
  - 4 - Quantitatively Managed
  - 5 - Optimized
Slide 6: Process Immaturity - Capability Immaturity Model (CIMM)
- Parody by Capt. Tom Schorsch, USAF
- Immaturity Levels
  - 0) Negligent: Lip Service
  - 1) Obstructive: Adherence to Ineffective Process
  - 2) Contemptuous: Fudged Metrics
  - 3) Undermining: Sabotaging Competitors
https://en.wikipedia.org/wiki/Capability_Immaturity_Model
Slide 7: Cyber Risk Management
- Preventing, Detecting & Responding to unforeseen dangers - from the Greek "rhiza", cliffs under water.
- Due Diligence: Risk Identification/Analysis
  - Think before you act
  - Identifying, assessing & analyzing risks, as well as understanding appropriate controls to prevent, detect and respond to negative events
- Due Care: Risk Mitigation/Handling/Treatment
  - Take actions
  - Selection, implementation and maintenance of cost-effective security controls
Slide 8: Quantitative Analysis
- You can only speak matter-of-factly about what you can measure
- Objective numeric metrics
  - Real numbers
  - Concrete percentages
  - Monetary values
- Certification
- "Insufficient data" - Robert Anton Wilson
Slide 9: Qualitative Analysis
- Subjective rankings
  - Experience
  - Intuition
  - Feelings
- Accreditation
- Brainstorming
- The Delphi technique
Slide 10: Terminologies - Risk Identification
- Assets: anything of value
  - Ownership, valuation, classification, entitlements
- Threats: things that can cause loss of value
- Threat Agent: source of a threat
- Vulnerability: weakness/limitation of the asset
- Exposure: the vulnerability is accessible to a threat source
Slide 11: Value versus Cost
- Value: Assets
  - Subjective
  - Qualitative
- Cost: Controls
  - Objective
  - Quantitative (TCO)
- Cost Benefit Analysis
Slide 12: Threats
- Anything that can cause a loss of value
  - Malicious attacks
  - Accidents
  - Natural disasters
  - Fatigue
  - Legal liabilities
  - Cost to quality
1998-2018 NetCom Learning
Slide 13: Threat Analysis
- Threat Taxonomy
  - Man-made
    - Accidental (most common!!!)
    - Intentional
  - Natural
  - (Technical)
Slide 14: STRIDE - Threat Modeling
- Spoofing of user identity
- Tampering
- Repudiation
- Information disclosure
- Denial of service (DoS)
- Elevation of privilege
Slide 15: OWASP - Application Threat Modeling
- Four Questions
  1. What are we building?
  2. What can go wrong?
  3. What are we going to do about that?
  4. Did we do a good enough job?
Slide 16: Common ICT Threats - Malware
- Viruses, Worms & Trojans
- Rootkits
- Logic bombs
- Bots and botnets
- Spyware
- Ransomware
Slide 17: Rogue Infrastructure
- Access points
- DHCP servers
- DNS servers
- Routers
- Certificate Authorities
- Embedded hardware device drivers
- P2P and other illicit servers
Slide 18: Loss Criteria
- Life
- Branding / Reputation
- Initial loss versus delayed loss
- Aggregate losses
  - Asset
  - Productivity
  - Opportunity
  - (how to quantify?)
Slide 19: ISO/IEC 27005 - Vulnerabilities
- Hardware
- Software
- Network
- Personnel
- Physical site
- Organizational
Slide 20: Terminologies - Risk Analysis
- Impact: amount of loss
- Likelihood: frequency of threat
- Exploit: an incident of an actual loss event
- Controls: safeguards/measures/countermeasures
- Control Failure: policies
Slide 21: Impact & Likelihood
- Impact: How much loss?
- Likelihood: How frequent?
Slide 22: Control Analysis
- Development / acquisition costs
- Design / planning costs
- Implementation: environment modifications
- Maintenance / testing
- Operating support costs
- Effects on productivity
(Diagram labels: Detective, Responsive, Preventive)
Slide 23: Control Frameworks
- Standards, Guidelines & Best Practices
- Internal (tailored to the organization)
- External
  - NIST
  - ISO
  - COBIT
Slide 24: Outsourcing Control Administration
- Service Management Limitations
  - Scheduled outages
  - Force majeure events
  - Service agreement changes
  - Security
  - Service API changes
- Service Assurances
  - 3rd-party audits
  - Service monitoring
Slide 25: Control Gap
- A gap in coverage
- Percentage of the asset not protected by a control. For example, if insurance covers 80% of the loss, then the Control Gap = 20%.
Slide 26: Cost Benefit Analysis
- Single Loss Expectancy (SLE)
  - = Asset Value (AV) x Exposure Factor (EF)
- Annualized Loss Expectancy (ALE)
  - = SLE x Annualized Rate of Occurrence (ARO)
- Risk x Control Gap = Residual Risk
  - Addressed in BCP
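A worked computation of the Control Gap, SLE, ALE and Residual Risk formulas from the two slides above, extended with the standard CISSP cost-benefit test for a safeguard (value of control = ALE before - ALE after - annual cost of the control). This is an added Python example, not material from the webinar deck: the asset value, exposure factor, rate of occurrence, and the candidate controls with their costs and coverage fractions are constructed sample figures, and the cost-benefit formula is the usual CISSP one rather than something the slide itself states.

```python
"""Quantitative risk figures and control cost-benefit, following the slide
formulas:  SLE = AV x EF,  ALE = SLE x ARO,  Control Gap = 1 - coverage,
Residual Risk = Risk x Control Gap.  All numbers below are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pairing expressed in the slide's quantitative terms."""
    asset_value: float      # AV: value of the asset (e.g. dollars)
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def control_gap(coverage: float) -> float:
    """Control Gap: the share of the loss a control does NOT cover.
    Slide example: insurance covering 80% of the loss leaves a 20% gap."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be a fraction between 0 and 1")
    return 1.0 - coverage


def residual_risk(risk: float, coverage: float) -> float:
    """Residual Risk = Risk x Control Gap (risk is an ALE figure here)."""
    return risk * control_gap(coverage)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # yearly TCO of the control (objective, quantitative)
    coverage: float     # fraction of the loss the control prevents or transfers


def control_value(scenario: RiskScenario, ctl: Control) -> float:
    """Standard CISSP cost-benefit test (assumed, not stated on the slide):
    value = ALE(before) - ALE(after) - annual cost of the control.
    A negative value means the control costs more than the loss it avoids."""
    ale_before = scenario.ale()
    ale_after = residual_risk(ale_before, ctl.coverage)
    return ale_before - ale_after - ctl.annual_cost


def choose_control(scenario: RiskScenario,
                   controls: Iterable[Control]) -> Optional[Control]:
    """Return the control with the largest positive value, or None when no
    candidate pays for itself (leaving accept, transfer or avoid as options)."""
    best: Optional[Control] = None
    best_value = 0.0
    for ctl in controls:
        value = control_value(scenario, ctl)
        if value > best_value:
            best, best_value = ctl, value
    return best


# Constructed sample figures: a $500k customer database; a ransomware incident
# is assumed to destroy 40% of its value about once every two years.
RANSOMWARE = RiskScenario(asset_value=500_000, exposure_factor=0.40, aro=0.5)

CANDIDATES = [
    Control("cyber insurance (covers 80% of loss)", annual_cost=30_000, coverage=0.80),
    Control("offline backups (covers 60% of loss)", annual_cost=15_000, coverage=0.60),
    Control("hot DR site (covers 95% of loss)", annual_cost=120_000, coverage=0.95),
]

if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}   ALE = {RANSOMWARE.ale():,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:36s} gap={control_gap(c.coverage):.0%} "
              f"residual ALE={residual_risk(RANSOMWARE.ale(), c.coverage):,.0f} "
              f"value={control_value(RANSOMWARE, c):,.0f}")
    best = choose_control(RANSOMWARE, CANDIDATES)
    print("choose:", best.name if best else "no control pays off; accept, transfer or avoid")
```

With the constructed figures the SLE is 200,000 and the ALE 100,000; insurance leaves a 20% gap (residual ALE 20,000) and nets 50,000 a year, backups net 45,000, and the hot DR site has a negative value because its 120,000 annual cost exceeds the 95,000 of loss it avoids, so the selection step rejects it even though it has the best coverage.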
Slide 27: SP800-100 Risk Assessment
Slide 28: Plan, Do, Check, Act
- (SP800-50)
- Select risk treatment measures
- Implement & maintain controls
- Awareness
  - Everyone
- Training
  - Administrators
- Education
  - Management
Slide 29: Risk Handling / Treatment
- Avoid / Termination
- Reduce
  - Planning
  - Technologies
  - Training
- Transfer
- Accept: risk appetite
- Reject: negligence!
Slide 30: SDLC Management
- Feasibility: N/A in security projects
- Initiation: basic description, schedule, budget
- Requirements Analysis (What): user needs, functions and assurance
- System Design (How): checklist of specific components (specs)
- Develop / Acquire: build or buy according to specs (verification)
- Installation / Testing: user accepts functions & assurance (validation)
- Operation / Maintain: continuous upkeep
- Retirement / Dispose: data access issues
Slide 31: Recorded Webinar Video
To watch the recorded webinar video for live demos, please access the link https://goo.gl/mc1cVd
Slide 32: About NetCom Learning
Slide 33: Recommended Courses
- Certified Information Systems Security Professional (CISSP) Certification Prep - class scheduled on Nov 12
- CompTIA Advanced Security Practitioner (CASP) Certification - class scheduled on Nov 12
- CISM Certification - class scheduled on Nov 13
- EC-Council CEH Certified Ethical Hacker v10 & CNDA Certified Network Defense Architect - class scheduled on Nov 05
Slide 34
- The New Role-Based Microsoft Azure Certification Paths
- Cross Team Collaboration: Increasing Productivity with Office 365 Groups
- SharePoint 2019 "Wow": First Look at new SharePoint 2019
- Adobe InDesign CC: Down and Dirty Tips and Tricks
- Architecting for Security on AWS
- Big Data for Enterprise: Managing Data and Values
- Top Reasons to Master Agile Scrum and its Benefits
- Clean Architecture: Patterns, Practices, and Principles
- CEH: Understanding Ethical Hacking
- SQL Server 2017: Application Development Best Practices
Slide 35: Promotions
From Cloud to Security, to Data and AI, to Networking, to Application Development, to Design, to Business Process Application: all classes delivered by top-notch instructors, in-person in an instructor-led classroom or Live Online. And after you train, treat yourself with Gift Card rewards.
Slide 36: Follow Us On
Slide 38: THANK YOU !!!