Confidentiality

Confidentiality seeks to prevent the unauthorized disclosure of information; it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data. An example of a confidentiality attack would be the theft of personally identifiable information (PII), such as credit card information.

Integrity

Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data.

Availability

Availability ensures that information is available when needed. Systems need to be usable (available) for normal business use. An example of attack on availability would be a denial of service (DoS) attack, which seeks to deny service (or availability) of a system.

Disclosure, alteration, and destruction

The CIA triad may also be described by its opposite: disclosure, alteration, and destruction (DAD). Disclosure is the unauthorized release of information, alteration is the unauthorized modification of data, and destruction is making systems or data unavailable. While the order of the individual components of the CIA acronym sometimes changes, the DAD acronym is shown in that order.

Identity and authentication

Identity is a claim: If your name is “Person X,” you identify yourself by saying, “I am Person X.” Identity alone is weak because there is no proof. You can also identify yourself by saying, “I am Person Y.” Proving an identity claim is called authentication. You authenticate the identity claim, usually by supplying a piece of information or an object that only you possess, such as a password or your passport.

Authorization

Authorization describes the actions you can perform on a system once you have been identified and authenticated. Actions may include reading, writing, or executing files or programs.

Accountability

Accountability holds users accountable for their actions. This is typically done by logging and analyzing audit data. Enforcing accountability helps keep honest people honest. For some users, knowing that data is logged is not enough to provide accountability; they must know that the data is logged and audited, and that sanctions may result from violation of policy.

Civil law (legal system)

The most common of the major legal systems is that of civil law, which is employed by many countries throughout the world. The system of civil law leverages codified laws or statutes to determine what is considered to be within the bounds of law. Though a legislative branch typically wields the power to create laws, there will still exist a judicial branch that is tasked with interpretation of the existing laws. The most significant difference between civil and common law is that under civil law judicial precedents and particular case rulings do not carry the weight they would have under common law.

Common law

Common law is the legal system used in the United States, Canada, the United Kingdom, and most former British colonies, amongst others. As we can see by the short list above, English influence has historically been the main indicator of common law being used in a country. The primary distinguishing feature of common law is the significant emphasis on particular cases and judicial precedents as determinants of laws. Though there is typically also a legislative body tasked with the creation of new statutes and laws, judicial rulings can at times supersede those laws. Because of the emphasis on judges’ interpretations, there is significant possibility that as society changes over time, so can judicial interpretations.

Religious and customary law

Religious law serves as the third of the major legal systems. Religious doctrine or interpretation serves as the primary source of legal understanding and statutes. While Christianity, Judaism, and Hinduism have all had significant influence on national legal systems, Islam serves as the most common source for religious legal systems. Sharia is an example of Islamic law that uses the Qur’an and Hadith as its foundation.

Customary law refers to those customs or practices that are so commonly accepted by a group that the custom is treated as a law. These practices can be later codified as laws in the more traditional sense, but the emphasis on the prevailing acceptance of a group is quite important.

Criminal law

Criminal law pertains to those laws where the victim can be seen as society itself. While it might seem odd to consider society the victim when an individual is murdered, the goal of criminal law is to promote and maintain an orderly and law-abiding citizenry. Criminal law can include penalties that remove an individual from society by incarceration or, in some extreme cases in some regions, death. The goals of criminal law are to deter crime and to punish offenders.

Due to the severity of depriving criminals of either freedom or their lives, the burden of proof in criminal cases is beyond any reasonable doubt.

Civil law

In addition to civil law being a major legal system in the world, it also serves as a type of law within the common law legal system. Another term associated with civil law is tort law, which deals with injury (loosely defined), resulting from someone violating their responsibility to provide a duty of care. Tort law is the primary component of civil law, and it is the most significant source of lawsuits that seek damages.

In the United States, the burden of proof in a criminal court is beyond a reasonable doubt, while the burden of proof in civil proceedings is the preponderance of the evidence. “Preponderance” means more likely than not. Satisfying the burden of proof requirement regarding the preponderance of the evidence in a civil matter is much easier than meeting the burden of proof requirement in criminal proceedings. The most common types of financial damages are presented in Table 1.1.

Administrative law

Administrative law or regulatory law is law enacted by government agencies. The executive branch (deriving from the Office of the President) enacts administrative law in the United States. Government-mandated compliance measures are administrative laws. Some examples of administrative law are FCC regulations, Health Insurance Portability and Accountability Act (HIPAA) security mandates, FDA regulations, and FAA regulations.

Gross negligence

Gross negligence is the opposite of due care. It is a legally important concept. For example, if you suffer loss of PII, but can demonstrate due care in protecting the PII, you are on stronger ground in a legal proceeding. If you cannot demonstrate due care (ie, you acted with gross negligence), you are in a much worse legal position.

Evidence

Evidence is one of the most important legal concepts for information security professionals to understand. Information security professionals are commonly involved in investigations, and they often have to obtain or handle evidence during the investigation.

Evidence integrity

Evidence must be reliable. It is common during forensic and incident response investigations to analyze digital media. It is critical to maintain the integrity of the data during the course of its acquisition and analysis. Checksums can ensure that no data changes occurred as a result of the acquisition and analysis. One-way hash functions such as MD5 or SHA-1 are commonly used for this purpose. Chain of custody requires that once evidence is acquired, full documentation must be maintained regarding who or what handled the evidence and when and where it was handled.

Entrapment and enticement

Entrapment is when law enforcement, or an agent of law enforcement, persuades someone to commit a crime when the person otherwise had no intention to commit a crime. Enticement could still involve agents of law enforcement making the conditions for commission of a crime favorable, but the difference is that the person is determined to have already broken a law or is intent on doing so.

Trademark

Trademarks are associated with marketing. A trademark allows for the creation of a brand in order to distinguish the source of products or services. A name, logo, symbol, or image represents the most commonly trademarked items. In the United States, there are two different symbols that are used by an individual or organization in order to protect distinctive marks. The superscript TM symbol, as seen in Fig. 1.2, can be used freely to indicate an unregistered mark. The circle R symbol, as seen in Fig. 1.3, is used with marks that have been formally registered as a trademark with the US Patent and Trademark Office.

Patent

Patents provide a monopoly to the patent holder regarding the right to use, make, or sell an invention for a period of time in exchange for the patent holder’s promise to make the invention public. During the life of the patent, the patent holder can, through the use of civil litigation, exclude others from leveraging the patented invention. Obviously, in order for an invention to be patented, it should be novel and unique. The patent term, which is the length that a patent is valid, varies by region and also by the type of invention being patented. Generally, in both Europe and the United States, the patent term is 20 years from the initial filing date.

Copyright

Copyright represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works and is typically denoted by the circled c symbol, as shown in Fig. 1.4. The purpose of a copyright is to preclude unauthorized duplication, distribution, or modification of a creative work. Note that it is the form of expression that is protected, not the subject matter or ideas represented.

Licenses

Software licenses are a contract between a provider of software and the consumer. Though there are licenses that provide explicit permission for the consumer to do virtually anything with the software, including modifying it for use in another commercial product, most commercial software licensing provides explicit limits on the use and distribution of the software. Software licenses, such as end-user license agreements (EULAs), are an unusual form of contract because using the software typically constitutes contractual agreement, even though a small minority of users read the lengthy EULA.

Trade secrets

Trade secrets are business-proprietary information that is important to an organization’s ability to compete. The organization must exercise due care and due diligence in the protection of their trade secrets. Noncompete and nondisclosure agreements are two of the most common protection methods used.

European union privacy

The European Union has taken an aggressive proprivacy stance while balancing the needs of business. Commerce would be impacted if member nations had different regulations regarding the collection and use of PII. The EU Data Protection Directive allows for the free flow of information while still maintaining consistent protection of citizen data in each member nation.

OECD privacy guidelines

The Organisation for Economic Co-operation and Development (OECD), though often considered exclusively European, consists of 30 member nations from around the world. The members include such countries as the United States, Mexico, Australia, Japan, and the Czech Republic, as well as prominent European countries. The OECD provides a forum in which countries can focus on issues that impact the global economy. The OECD will routinely issue consensus recommendations that can serve as an impetus to change current policies and legislation in the OECD member countries and beyond.

EU-US safe harbor

An interesting aspect of the EU Data Protection Directive is that the personal data of EU citizens may not be transmitted, even when permitted by the individual, to countries outside of the EU unless the receiving country is perceived by the EU to adequately protect their data. This presents a challenge regarding the sharing of the data with the United States, which is perceived to have less stringent privacy protections. To help resolve this issue, the United States and the European Union created the Safe Harbor framework that will give US-based organizations the benefit of authorized data sharing. In order to participate, US organizations must voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive.

Service level agreements

Service level agreements (SLA) identify key expectations that the vendor is contractually required to meet. SLAs are widely used for general performance expectations, but are increasingly leveraged for security purposes as well. SLAs primarily address availability.

Attestation

Information security attestation involves having a third-party organization review the practices of the service provider and make a statement about the security posture of the organization. The goal of the service provider is to provide evidence that they can and should be trusted. Typically, a third party provides attestation after performing an audit of the service provider against a known baseline.

Right to penetration test/right to audit

The right to penetration test and right to audit documents provide the originating organization with written approval to perform their own testing or have a trusted provider perform the assessment on their behalf.

An alternative to the right to penetration test/right to audit documents is for the service provider to present the originating organization with a third-party audit or penetration test that the service provider had performed.

The (ISC)²® code of ethics canons in detail

The first and therefore most important canon of the (ISC)²® Code of Ethics requires the information security professional to “protect society, the commonwealth, and the infrastructure.”¹ The focus of the first canon is on the public and their understanding and faith in information systems. Security professionals are charged with the promotion of safe security practices and the improvement of the security of systems and infrastructure for the public good.

The second canon in the (ISC)²® Code of Ethics charges information security professionals to “act honorably, honestly, justly, responsibly, and legally.”¹ This canon is fairly straightforward, but there are a few points worth emphasizing here. One point that is detailed within this canon is related to laws from different jurisdictions found to be in conflict. The (ISC)²® Code of Ethics suggests that priority be given to the jurisdiction in which services are being provided. Another point made by this canon is in regard to providing prudent advice and cautioning the security professional against unnecessarily promoting fear, uncertainty, and doubt.

The (ISC)²® Code of Ethics’ third canon requires that security professionals “provide diligent and competent service to principals.”¹ The primary focus of this canon is ensuring that the security professional provides competent service for which he or she is qualified and which maintains the value and confidentiality of information and the associated systems. An additional important consideration is to ensure that the professional does not have a conflict of interest in providing quality services.

The fourth and final canon in the (ISC)²® Code of Ethics mandates that information security professionals “advance and protect the profession.”¹ This canon requires that the security professionals maintain their skills and advance the skills and knowledge of others. Additionally, this canon requires that individuals protect the integrity of the security profession by avoiding any association with those who might harm the profession.

Policy

Policies are high-level management directives. Policy is mandatory; for example, even if you do not agree with your company’s sexual harassment policy, you still must follow it.

Policy is high level, and it does not delve into specifics. A server security policy would discuss protecting the confidentiality, integrity, and availability of the system, usually in those terms. It may discuss software updates and patching. The policy would not use low-level terms like “Linux” or “Windows.” In fact, if you converted your servers from Windows to Linux, your server policy would not change. However, other documents, like procedures, would change.

Procedures

A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like policies, procedures are mandatory.

Here is a simple example procedure for creating a new user:

1. Receive a new-user request form and verify its completeness.

2. Verify that the user’s manager has signed the form.

3. Verify that the user has read and agreed to the user account security policy.

4. Classify the user’s role by following role-assignment procedure NX-103.

5. Verify that the user has selected a secret word, such as his or her mother’s maiden name, and enter it into the help desk account profile.

6. Create the account and assign the proper role.

7. Assign the secret word as the initial password, and set “Force user to change password on next login to ‘True.’”

8. Email the new account document to the user and their manager.

The steps of this procedure are mandatory. Security administrators do not have the option of skipping Step 1, for example, and create an account without a form.

Other safeguards depend on this procedure. For example, when a user calls the help desk as a result of a forgotten password, the help desk will follow their “forgotten password” procedure, which includes asking for the user’s secret word. The help desk cannot do that unless Step 5 was completed; without that word, the help desk cannot securely reset the password. This mitigates the risks of social engineering attacks, during which an imposter tries to trick the help desk into resetting a password for an account he or she is not authorized to access.

Standards

A standard describes the specific use of technology, often applied to hardware and software. “All employees will receive an ACME Nexus-6 laptop with 8 GB of memory, a 3.3 GHZ quad core central processing unit (CPU), and 500-gigabyte disk” is an example of a hardware standard. “The laptops will run Windows 10 Enterprise, 64-bit version” is an example of a software (operating system) standard.

Standards are mandatory. Not only do they lower the TCO of a safeguard, but they also support disaster recovery.

Guidelines

Guidelines are discretionary recommendations. A guideline can be a useful piece of advice, such as “To create a strong password, take the first letter of every word in a sentence, and mix in some numbers and symbols. ‘I will pass the CISSP® exam in six months!’ becomes ‘Iwptcei6m!’”

Baselines

Baselines are uniform ways of implementing a standard. “Harden the system by applying the Center for Internet Security Linux benchmarks” is an example of a baseline (see https://benchmarks.cisecurity.org for the Security Benchmarks division of the Center for Internet Security, a great resource). The system must meet the baseline described by those benchmarks.

Baselines are discretionary. It is acceptable to harden the system without following the aforementioned benchmarks, as long as it is at least as secure as a system hardened using the benchmarks. Formal exceptions to baselines will require senior management sign-off.

Table 1.2 summarizes the types of security documentation.

Security awareness and training

Security awareness and training are often confused. Awareness changes user behavior, while training provides a skill set.

Reminding users to never share accounts or write their passwords down is an example of awareness. It is assumed that some users are doing the wrong thing, and awareness is designed to change that behavior.

Security training teaches a user how to do something. Examples include training new help desk personnel to open, modify, and close service tickets; training network engineers to configure a router, or training a security administrator to create a new account.

Background checks

Organizations should conduct a thorough background check before hiring an individual. This includes a check of criminal records and verification of all experience, education, and certifications. Lying or exaggerating about education, certifications, and related credentials is one of the most common examples of dishonesty in regards to the hiring process.

Employee termination

Termination should result in immediate revocation of all employee access. Beyond account revocation, termination should be a fair process. There are ethical and legal reasons for employing fair termination, but there is also an additional information security advantage. An organization’s worst enemy can be a disgruntled former employee, who, even without legitimate account access, knows where the weak spots are. This is especially true for IT personnel.

Vendor, consultant, and contractor security

Vendors, consultants, and contractors can introduce risks to an organization. They are not direct employees, and sometimes have access to systems at multiple organizations. If allowed to, they may place an organization’s sensitive data on devices not controlled (or secured) by the organization.

Third-party personnel with access to sensitive data must be trained and made aware of risks, just as employees are. Background checks may also be required, depending on the level of access required. Information security policies, procedures, and other guidance should apply as well. Additional policies regarding ownership of data and intellectual property should be developed. Clear rules dictating where and when a third party may access or store data must be developed.

Outsourcing and offshoring

Outsourcing is the use of a third party to provide information technology (IT) support services that were previously performed in-house. Offshoring is outsourcing to another country.

Both can lower TCO by providing IT services at a reduced cost. They may also enhance the IT resources available to a company (especially a small company), which can improve confidentiality, integrity, and availability of data.

Offshoring can raise privacy and regulatory issues. For example, for a US company that offshores data to Australia, there is no HIPAA, the primary regulation covering health care data in the United States in Australia. There is no SOX (Sarbanes-Oxley, protecting publicly traded data in the United States), no Gramm-Leach-Bliley Act (GLBA, which protects financial information in the United States), etc. Always consult with legal staff before offshoring data. Contracts must ensure that data is protected, regardless of where it is located.

Asset value

The asset value (AV) is the value of the asset you are trying to protect. In this example, each laptop costs $2500, but the real value is the PII. Theft of unencrypted PII has occurred previously and has cost the company many times the value of the laptop in regulatory fines, bad publicity, legal fees, staff hours spent investigating, etc. The true average AV of a laptop with PII for this example is $25,000 ($2500 for the hardware, and $22,500 for the exposed PII).

Tangible assets, such as computers or buildings, are straightforward to calculate. Intangible assets are more challenging. For example, what is the value of brand loyalty? According to Deloitte, there are three methods for calculating the value of intangible assets: market approach, income approach, and cost approach:

• Market approach: This approach assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances.

• Income approach: This approach is based on the premise that the value of an … asset is the present value of the future earning capacity that an asset will generate over its remaining useful life.

• Cost approach: This approach estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset.⁵

Exposure factor

The exposure factor (EF) is the percentage of value an asset loses due to an incident. In the case of a stolen laptop with unencrypted PII, the EF is 100%, because the laptop and all of the data are gone.

Single-loss expectancy

The single-loss expectancy (SLE) is the cost of a single loss. SLE is the AV multiplied by the EF. In our case, SLE is $25,000 (AV) times 100% (EF), or $25,000.

Annual rate of occurrence

The annual rate of occurrence (ARO) is the number of losses suffered per year. For example, when looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average. Your ARO is 11.

Annualized loss expectancy

The ALE is the yearly cost due to a risk. It is calculated by multiplying SLE by the ARO. In our case, it is $25,000 (SLE) multiplied by 11 (ARO), or $275,000.

Table 1.4 summarizes the equations used to determine the ALE.

Accept the risk

Some risks may be accepted. In some cases, it is cheaper to leave an asset unprotected due to a specific risk, rather than make the effort and spend the money required to protect it. This cannot be an ignorant decision; all options must be considered before accepting the risk.

Mitigating risk

Mitigating risk means lowering the risk to an acceptable level. Lowering risk is also called risk reduction, and the process of lowering risk is also called reduction analysis. The laptop encryption example given in the previous ALE section is an example of mitigating the risk. The risk of lost PII due to stolen laptops was mitigated by encrypting the data on the laptops. The risk has not been eliminated entirely; a weak or exposed encryption password could expose the PII, but the risk has been reduced to an acceptable level.

In some cases, it is possible to remove specific risks entirely; this is called eliminating the risk.

Transferring risk

The insurance model depicts transferring risk. Most homeowners do not assume the risk of fire for their houses; they pay an insurance company to assume that risk for them. The insurance companies are experts in risk analysis; buying risk is their business.

Risk avoidance

A thorough risk analysis should be completed before taking on a new project. If the risk analysis discovers high or extreme risks that cannot be easily mitigated, avoiding the risk (and the project) may be the best option.