Protection of Information Assets



Time: 8 hours 35 minutes
Difficulty: Intermediate
CEU/CPE: 9
Video Description

This lesson covers Domain 5: Protection of Information Assets, which provides assurance that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets. The lesson also walks through the domain's task and knowledge statements. Participants learn about computer crimes such as fraud and theft; methods of attacking a system such as phishing and spear phishing; electronic attack methods such as Internet worms and Trojan horses; and persistent electronic attack techniques such as the salami technique and source routing. The lesson concludes with methods of implementing administrative protection, and with data classification.

Transcript

Okay, welcome to domain five of the CISA prep course. In this domain we're talking about protecting our information assets. This constitutes roughly 30% of the exam. So in this case we'll be dealing with our policies and procedures and different standards that the organization uses to protect their valuable assets, trying to provide that level of assurance that's required to know that everything is being done correctly within the available resources.

So starting with our task statements. We'll be looking at policies and procedures, making sure that they align correctly with the business objectives. Then we'll think about the different controls that are in use in the environment, that are used for monitoring and other access, and making sure that those are done correctly. Then we'll evaluate the classification of our data to make sure that process or those processes are being followed correctly and that we have the required controls in place to provide the protection objectives of the organization. Then we'll think about our physical access controls, making sure that those are adequate and providing the level of protection that's needed. Then we'll think about and talk about our backups: how do we deal with off-site storage? How do we make sure that all of our assets are properly safeguarded?

Moving on to our knowledge statements for domain five; we start with our security controls and our security awareness programs. Moving on to responding to incidents and the escalation procedures involved in that kind of activity. Looking at our logical access controls, otherwise known as our technical access controls. How do we deal with the security controls for our hardware, software and licenses, in addition to our database systems? Virtualization of our systems is an important consideration, because nowadays more and more organizations are virtualizing their servers. Then we have our network security controls to consider. We'll talk about our Internet access controls: the different protocols that might be allowed and different techniques for dealing with allowing those controls or customizing them as needed. Different attacks that hackers or other adversaries might launch. Our different testing techniques: doing social engineering testing, vulnerability scanning, data leakage considerations. Then we'll talk a little bit about encryption techniques and how those apply to what the organization does. PKI is also important. We'll talk about mobile and wireless devices a little bit more. How social networking and message boards and blogs are relevant to what the organization does. A little bit of a discussion on our voice communications and the security related to this. We'll talk about our data classification standards and our physical security controls as they relate to identification and authentication of those people who require access. Then we'll follow up at the end of the chapter with talking about how we deal with confidential information. How is it transported? How do we dispose of it?

Okay, so starting with protecting our information assets, we've got some objectives here to think about. We want to start thinking about the threats to those assets. How do we quantify those? How do we qualify those to know which ones are worth protecting against, which ones are worth mitigating to some extent and so on. We'll look at the challenges of dealing with wireless communication: some of the security considerations there. We'll talk a little bit about confidentiality as it relates to encryption. Some of the controls that we use for our portable devices, and then some of the security testing that might need to be done in order to ensure that our thoughtful deployment and implementation of controls is actually being effective.

So let's start with talking about some of our threats. We know what theft is. This is taking information or taking some kind of asset or resource that doesn't belong to you; it belongs to the organization, typically. That's what we're talking about. Fraud is a misrepresentation to gain some kind of an advantage. Sabotage is also self-explanatory; you're trying to destroy someone else's property, maybe in a very devious or clever way. There's also the concept of blackmail, where someone is being forced to pay money in order to avoid getting prosecuted for something that they've done. Industrial espionage is a hardcore reality of competitive organizations, or even competitive governments, trying to understand what their competition is doing and then using that obtained information to try and gain some kind of an edge. We have threats of unauthorized disclosure, or data leakage. Loss of credibility. Legal repercussions from engaging in some of this activity are also something that needs to be understood.

Who are the perpetrators when it comes to these different types of scenarios? We know that hackers are a big threat. Also crackers, in the sense of someone that's maybe trying to break into physical security devices like safes. The terms 'hacker' and 'cracker' are sort of synonymous, if we go back far enough in history, although hacker used to be a complimentary term. In more recent times it's considered a derogatory term, or an insult; someone that's doing their activity for illegal purposes. We know that we have script kiddies. These are people that are just using tools that have already been created that are simple enough to use; you just click a few buttons and you're causing problems, or doing some level of hacking. We might have ethical hackers that go bad, or go rogue. They gain skills to stay on the legal side of the fence, but then decide to switch over to the illegal side of activity, maybe because it's more profitable or exciting. Who knows what their motives might be.

Then we have different attack methods. Passive attacks are mostly involved with observation or research. The target doesn't necessarily even know that they're being observed. Versus someone doing some network analysis, where this is detectable activity because you're doing some reconnaissance, some scanning, investigating different configurations of network topologies, and so on. Eavesdropping used to be something that you had to do in person within earshot, but obviously there are many ways to do this electronically: sniffing data on the wire, sniffing wireless information.

Alright, so let's talk a little bit about some of the active attacks that we have to be aware of. Social engineering: this is a very broad topic, but it's basically the idea that someone's tricking you into doing something that you didn't want to do or didn't know that you didn't want to do. Trying to get information like passwords, or the names of individuals that you work with. Phishing is going after a group of people, trying to lure them into clicking a link or opening an attachment. Sometimes it's done for identity theft reasons, or to try to gather credentials; tricking someone into going to a website so you can get their login and password. Spear phishing, on the other hand, is going after a single person with phishing-type techniques. We know that dumpster diving is literally crawling through the trash looking for sensitive information that was discarded without being shredded or destroyed.

Then we have to think about various types of persistent electronic threats. Malware, in a general sense, is malicious software: software that could take advantage of an existing vulnerability, or that creates the conditions that cause a vulnerability or a weakness. Trojan horses: these are programs that are hidden inside of legitimate programs that the unsuspecting user will execute and then infect their system with some form of malware. Viruses and worms we talked about a little bit earlier, so we should have a pretty good understanding of what those constitute, and some of the preventative and detective controls that might be needed in order to keep the organization's assets resilient. Then we have logic bombs. Logic bombs rely on certain conditions being met before they execute their activities. Maybe it's a certain time of the day or a certain day of the month that the logic bomb does its work. Time bombs are similar, wherein a software function or the software application itself will stop working after a certain amount of time has passed. This could be a legitimate thing that happens when you install a trial version of software, for instance. Trap doors, otherwise known as back doors, are ways to get into an application without authentication. Maybe they were used during testing of the software but then they were mistakenly left in. They weren't removed, and then hackers find those back doors or trap doors and gain access to an application or to a system. Rootkits are another dangerous thing to consider. This is software that gets on your system through the same mechanisms that viruses and Trojans do, typically. The rootkit replaces trusted components within your operating system with malicious versions that try to hide the presence of their activities. This gives the attacker various tools to infect the system with viruses or install back doors, escalate privileges and so on.

We also have brute force attacks. These can take on many forms. Typically they're discussed in relation to logins and passwords. A brute force attack in relation to a login would mean that every single possible password of a certain length will be tried until the correct one is found. Then we have denial of service and distributed denial of service attacks. In a general sense, denial of service means that you're preventing legitimate users from accessing some resource. If you do a distributed denial of service attack, now the attacker is using many computers, dozens, maybe even hundreds or thousands of computers, to all attack at the same time. That's a much more large-scale attack, and that's usually done in order to bring web servers down and to cause problems for governments and large organizations. We have to think about botnets, where computers are controlled by the attacker, usually for performing denial of service or distributed denial of service attacks. The computer gets infected, it joins the botnet, and now the attacker sends it instructions and tells it what to do in a coordinated fashion.

We have to think about SQL injection. This goes back to the input validation concept I discussed in the last module. If we don't check the input to make sure it's correct, hackers can inject commands to interact with a database, or to run scripts or do other operations which are not expected and are basically considered unsafe for the security and integrity of those systems. Cross-site scripting also falls under this category, where you're able to instruct the application server to do something it wasn't intended to do. We might also deal with wardriving. That's driving around looking for unsecured wireless access points. There's also war walking, where you walk around with a wireless device looking for unsecured networks. What about the salami technique? This is stealing very small amounts of financial resources, maybe rounding every transaction off to the nearest dollar and pocketing the difference. People that do this are typically on the inside, committing fraud as a privileged insider, and those small amounts, a nickel here, 20 cents there, a penny here and there, can add up to large amounts of money under the right circumstances. Replaying packets, or picking the route that a packet takes through the network, are also traditional hacker techniques.

So what kind of administrative protections can we put into place for these types of attacks? We need to have the right policies in place first of all; then those controls would flow from the policies. So we classify our data, we use the correct physical security considerations, and we make sure we have adequate and appropriate access controls. We want to know that our risk assessment policies are being followed correctly and that we're identifying problems before they become larger. We also want to know that our communications are being protected, whether that's electronic communications or voice communication. Acceptable use policies need to be defined. Any policies regarding telecommuting need to be carefully designed so that we can ensure remote access for legitimate reasons, but also be able to detect fraudulent remote access. We know that incident response policies are important for detecting problems in the organization and then dealing with them in a timely fashion.

What about data classification? If something's classified, that means that the data's protected. There should be policies and procedures in place to control access and dissemination of classified information. If it's unclassified, you still need some policies and procedures to deal with that, but basically the information might be treated as public. We just want to make sure that it's correct information and that it can't be tampered with by some outside forces.
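The SQL injection point in the transcript (unchecked input reaching a database) is easier to audit for when you have seen the two forms side by side. The following is an added example written for this page, not code from the Cybrary course: a login check that splices user input into the SQL text, next to the parameterized form that removes the problem, plus an allowlist check as the input-validation layer the transcript refers to. The table, the single user record, the password and the attacker's payload are all constructed here.

```python
"""Added example, not part of the Cybrary page or course material: the
input-validation failure behind SQL injection, shown as a vulnerable login
check next to the parameterized form that fixes it.  The table, the single
user record and the attacker's payload are all constructed here."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one hypothetical user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Unchecked input is spliced into the SQL text, so a quote character in
    the input changes the structure of the statement, not just its data."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders fix the statement structure before any input is seen;
    the driver passes the strings as values, so a quote is only a quote."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def is_valid_username(username: str) -> bool:
    """Allowlist validation (defence in depth, not a substitute for
    parameterization): usernames are short and alphanumeric by policy."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None


# Classic tautology payload for the password field.  In the vulnerable query
# it yields ... AND password = '' OR '1'='1', which is true for every row.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both checks with the real password and with the payload."""
    conn = make_db()
    return {
        "vulnerable_real": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_payload": login_vulnerable(conn, "alice", PAYLOAD),
        "parameterized_real": login_parameterized(conn, "alice", "s3cret"),
        "parameterized_payload": login_parameterized(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'login accepted' if result else 'login rejected'}")
```

The payload never has to be a valid password: in the vulnerable version it rewrites the WHERE clause so every row matches, while the parameterized version compares it as a literal string and rejects it. When reviewing an application, the test is whether every query that touches user input uses placeholders, not whether the developers "check" the input somewhere upstream.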
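The salami technique described in the transcript is hard to see precisely because no single victim is short by more than a rounding error. The following is an added example written for this page, not code from the Cybrary course: an interest-posting batch in its honest form and in an insider's truncating form, followed by the two reconciliation checks an auditor can run against the source data. Every figure (the balances, the rate, the account names and the insider's account) is constructed for the demonstration.

```python
"""Added example, not part of the Cybrary page: a salami-slicing fraud in an
interest-posting batch and the reconciliation an auditor can run to find it.
All figures (balances, rate, account names, the insider's account) are
constructed for the demonstration."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("0.0375")   # constructed interest rate for the batch
INSIDER = "ACC-0007"       # constructed: the account the shaved fractions flow to


def constructed_balances(n: int = 1000) -> dict:
    """Constructed ledger: n accounts whose balances step by 12.34."""
    return {f"ACC-{i:04d}": Decimal(500) + Decimal("12.34") * i for i in range(n)}


def expected_interest(balance: Decimal) -> Decimal:
    """The bank's documented rule: interest rounded half-up to the cent."""
    return (balance * RATE).quantize(CENT, rounding=ROUND_HALF_UP)


def post_interest_honest(balances: dict) -> dict:
    return {acct: expected_interest(bal) for acct, bal in balances.items()}


def post_interest_salami(balances: dict, insider: str = INSIDER) -> dict:
    """The insider's batch: truncate every credit instead of rounding it and
    sweep the shaved fractions of a cent into one account.  No victim is ever
    short by more than one cent, which is what makes the scheme hard to see."""
    posted, skimmed = {}, Decimal(0)
    for acct, bal in balances.items():
        raw = bal * RATE
        truncated = raw.quantize(CENT, rounding=ROUND_DOWN)
        skimmed += raw - truncated
        posted[acct] = truncated
    posted[insider] = posted.get(insider, Decimal(0)) + skimmed.quantize(CENT, rounding=ROUND_DOWN)
    return posted


def reconcile(balances: dict, posted: dict, tolerance: Decimal = CENT):
    """Audit check 1: recompute every credit from the source data and report
    the control-total gap plus any account off by more than the tolerance."""
    expected = {acct: expected_interest(bal) for acct, bal in balances.items()}
    gap = sum(posted.values()) - sum(expected.values())
    outliers = [acct for acct, amt in posted.items()
                if abs(amt - expected.get(acct, Decimal(0))) > tolerance]
    return gap, outliers


def count_shortchanged(balances: dict, posted: dict) -> int:
    """Audit check 2: how many credits came in below the documented rounding.
    Honest rounding never does this; systematic truncation does it for every
    account whose fraction would have rounded up, so a non-zero count across
    a whole batch is a strong signal even when each shortfall is one cent."""
    return sum(1 for acct, bal in balances.items()
               if posted[acct] < expected_interest(bal))


if __name__ == "__main__":
    ledger = constructed_balances()
    for label, batch in (("honest", post_interest_honest(ledger)),
                         ("salami", post_interest_salami(ledger))):
        gap, outliers = reconcile(ledger, batch)
        print(f"{label}: control gap {gap}, outliers {outliers}, "
              f"shortchanged {count_shortchanged(ledger, batch)}")
```

With these constructed balances the 1,000 victims together lose a little under five dollars, each by at most one cent, so a per-account tolerance check clears every one of them. What the checks do expose is the insider's own account (the only credit that exceeds its recomputed value by more than a cent), the control-total gap against the recomputed batch, and the fact that hundreds of credits fell below the documented rounding rule when an honest run would produce none. The practical lesson for the auditor is to recompute from source data and to look at the direction of rounding across the batch, not only at the size of individual differences.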
