This lesson covers Domain 5: Protection of Information Assets. This domain provides assurance that the organization's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets. This lesson also discusses the task and knowledge statements. Participants also learn about theft and computer crimes such as fraud, as well as methods of attacking a system such as phishing and spear phishing. Internet worms and Trojan horses, which are methods of electronic attack, are also covered in this lesson, as well as persistent electronic attack techniques such as the salami technique and source routing. The lesson concludes with methods of implementing administrative protection as well as data classification.

[toggle_content title="Transcript"]

Okay, welcome to domain five of the CISA prep course. In this domain we're talking about protecting our information assets. This constitutes roughly 30% of the exam. So in this case we'll be dealing with our policies and procedures and different standards that the organization uses to protect their valuable assets, trying to provide that level of assurance that's required to know that everything is being done correctly within the available resources.

So, starting with our task statements. We'll be looking at policies and procedures, making sure that they align correctly with the business objectives. Then we'll think about the different controls that are in use in the environment, that are used for monitoring and other access, and making sure that those are done correctly. Then we'll evaluate the classification of our data to make sure that process, or those processes, are being followed correctly and that we have the required controls in place to provide the protection objectives of the organization. Then we'll think about our physical access controls, making sure that those are adequate and providing the level of protection that's needed. Then we'll think about and talk about our backups: how do we deal with off-site storage? How do we make sure that all of our assets are properly safeguarded?

Moving on to our knowledge statements for domain five; we start with our security controls and our security awareness programs. Moving on to responding to incidents and the escalation procedures involved in that kind of activity. Looking at our logical access controls, otherwise known as our technical access controls. How do we deal with the security controls for our hardware, software and licenses, in addition to our database systems? Virtualization of our systems is an important consideration, because nowadays more and more organizations are virtualizing their servers. Then we have our network security controls to consider. We'll talk about our Internet access controls: the different protocols that might be allowed and different techniques for dealing with allowing those controls or customizing them as needed. Different attacks that hackers or other adversaries might launch. Our different testing techniques: doing social engineering testing, vulnerability scanning, data leakage considerations. Then we'll talk a little bit about encryption techniques and how those apply to what the organization does. PKI is also important. We'll talk about mobile and wireless devices a little bit more. How social networking and message boards and blogs are relevant to what the organization does. A little bit of a discussion on our voice communications and the security related to this. We'll talk about our data classification standards and our physical security controls as they relate to identification and authentication of those people who require access. Then we'll follow up at the end of the chapter with talking about how we deal with confidential information. How is it transported? How do we dispose of it?

Okay, so starting with protecting our information assets, we've got some objectives here to think about. We want to start thinking about the threats to those assets. How do we quantify those? How do we qualify those to know which ones are worth protecting against, which ones are worth mitigating to some extent, and so on? We'll look at the challenges of dealing with wireless communication: some of the security considerations there. We'll talk a little bit about confidentiality as it relates to encryption. Some of the controls that we use for our portable devices, and then some of the security testing that might need to be done in order to ensure that our thoughtful deployment and implementation of controls is actually being effective.

So let's start with talking about some of our threats. We know what theft is. This is taking information or taking some kind of asset or resource that doesn't belong to you; it belongs to the organization, typically. That's what we're talking about. Fraud is a misrepresentation to gain some kind of an advantage. Sabotage is also self-explanatory: you're trying to destroy someone else's property, maybe in a very devious or clever way. There's also the concept of blackmail, where someone is being forced to pay money in order to avoid getting prosecuted for something that they've done. Industrial espionage is a hardcore reality of competitive organizations, or even competitive governments, trying to understand what their competition is doing and then using that obtained information to try and gain some kind of an edge. We have threats of unauthorized disclosure, or data leakage. Loss of credibility. Legal repercussions from engaging in some of this activity is also something that needs to be understood.

Who are the perpetrators when it comes to these different types of scenarios? We know that hackers are a big threat. Also crackers, in the sense of someone that's maybe trying to break into physical security devices like safes. The terms 'hacker' and 'cracker' are sort of synonymous, if we go back far enough in history, although hacker used to be a complimentary term. In more recent times it's considered a derogatory term, or an insult: someone that's doing their activity for illegal purposes. We know that we have script kiddies. These are people that are just using tools that have already been created that are simple enough to use; you just click a few buttons and you're causing problems, or doing some level of hacking. We might have ethical hackers that go bad, or go rogue. They gain skills to stay on the legal side of the fence, but then decide to switch over to the illegal side of activity, maybe because it's more profitable or exciting. Who knows what their motives might be.

Then we have different attack methods. Passive attacks are mostly involved with observation or research. The target doesn't necessarily even know that they're being observed. Versus someone doing some network analysis, where this is detectable activity because you're doing some reconnaissance, some scanning, investigating different configurations of network topologies, and so on. Eavesdropping used to be something that you had to do in person within earshot, but obviously there are many ways to do this electronically: sniffing data on the wire, sniffing wireless information.

All right, so let's talk a little bit about some of the active attacks that we have to be aware of. Social engineering: this is a very broad topic, but it's basically the idea that someone's tricking you into doing something that you didn't want to do, or didn't know that you didn't want to do. Trying to get information like passwords, or the names of individuals that you work with. Phishing is going after a group of people, trying to lure them into clicking a link or opening an attachment. Sometimes it's done for identity theft reasons, or to try to gather credentials; tricking someone into going to a website so you can get their login and password. Spear phishing, on the other hand, is going after a single person with phishing-type techniques. We know that dumpster diving is literally crawling through the trash looking for sensitive information that was discarded without being shredded or destroyed.

Then we have to think about various types of persistent electronic threats. Malware, in a general sense, is malicious software: software that could take advantage of an existing vulnerability, or that creates the conditions that cause a vulnerability or a weakness. Trojan horses: these are programs that are hidden inside of legitimate programs that the unsuspecting user will execute and then infect their system with some form of malware. Viruses and worms we talked about a little bit earlier, so we should have a pretty good understanding of what those constitute, and some of the preventative and detective controls that might be needed in order to keep the organization's assets resilient. Then we have logic bombs. Logic bombs rely on certain conditions being met before they execute their activities. Maybe it's a certain time of the day or a certain day of the month that the logic bomb does its work. Time bombs are similar, wherein a software function or the software application itself will stop working after a certain amount of time has passed. This could be a legitimate thing that happens when you install a trial version of software, for instance. Trap doors, otherwise known as backdoors, are ways to get into an application without authentication. Maybe they were used during testing of the software but then they were mistakenly left in. They weren't removed, and then hackers find those backdoors or trap doors and gain access to an application or to a system. Rootkits are another dangerous thing to consider. This is software that gets on your system through the same mechanisms that viruses and Trojans typically do. The rootkit replaces trusted components within your operating system with malicious versions that try to hide the presence of their activities. This gives the attacker various tools to infect the system with viruses or install backdoors, escalate privileges and so on.

We also have brute force attacks. These can take on many forms. Typically they're discussed in relation to logins and passwords. A brute force attack in relation to a login would mean that every single possible password of a certain length will be tried until the correct one is found. Then we have denial of service and distributed denial of service attacks. In a general sense, denial of service means that you're preventing legitimate users from accessing some resource. If you do a distributed denial of service attack, now the attacker is using many computers, dozens, maybe even hundreds or thousands of computers, to all attack at the same time. That's a much more large-scale attack, and that's usually done in order to bring web servers down and to cause problems for governments and large organizations. We have to think about botnets, where computers are controlled by the attacker, usually for performing denial of service or distributed denial of service attacks. The computer gets infected, it joins the botnet, and now the attacker sends it instructions and tells it what to do in a coordinated fashion.

We have to think about SQL injection. This goes back to the input validation concept I discussed in the last module. If we don't check the input to make sure it's correct, hackers can inject commands to interact with a database, or to run scripts or do other operations which are not expected and basically considered unsafe for the security and integrity of those systems. Cross-site scripting also falls under this category, where you're able to instruct the application server to do something it wasn't intended to do. We might also deal with wardriving. That's driving around looking for unsecured wireless access points. There's also war walking, where you walk around with a wireless device looking for unsecured networks. What about the salami technique? This is stealing very small amounts of financial resources, maybe rounding every transaction off to the nearest dollar and pocketing the difference. People that do this are typically on the inside, committing fraud as a privileged insider, and those small amounts, a nickel here, 20 cents there, a penny here and there, can add up to large amounts of money under the right circumstances. Replaying packets, or picking the route that a packet takes through the network, are also traditional hacker techniques.

So what kind of administrative protections can we put into place for these types of attacks? We need to have the right policies in place first of all; then those controls would flow from the policies. So we classify our data, we use the correct physical security considerations. Make sure we have adequate and appropriate access controls. We want to know that our risk assessment policies are being followed correctly and that we're identifying problems before they become larger. We also want to know that our communications are being protected, whether that's electronic communications or voice communication. Acceptable use policies need to be defined. Any policies regarding telecommuting need to be carefully designed so that we can ensure remote access for legitimate reasons, but also be able to detect fraudulent remote access. We know that incident response policies are important for detecting problems in the organization and then dealing with them in a timely fashion.

What about data classification? If something's classified, that means that the data's protected. There should be policies and procedures in place to control access and dissemination of classified information. If it's unclassified, you still need some policies and procedures to deal with that, but basically the information might be treated as public. We just want to make sure that it's correct information and that it can't be tampered with by some outside forces.

[/toggle_content]
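As an added illustration of the SQL injection and input validation point made in the transcript (example code, not from the lesson or from Cybrary): the same login lookup written two ways against a constructed in-memory SQLite table, with a username validation check placed in front of the safe version.

```python
import sqlite3


def make_db():
    """In-memory user table with constructed sample rows (not from the lesson).
    Passwords are stored in clear only to keep the sample short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct-horse", "admin"),
                      ("bob", "battery-staple", "user")])
    return conn


def is_valid_username(name):
    """The input validation layer the lesson refers to: accept only the
    shape a username is expected to have before it reaches the database."""
    return name.isascii() and name.isalnum() and 1 <= len(name) <= 32


def login_unsafe(conn, name, password):
    """Builds the statement by string concatenation, so whatever the user
    typed is parsed as SQL. This is the defect, kept here for comparison."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Parameterised statement: the driver binds the input as data, so it
    can never change the query's structure. Validation is applied first."""
    if not is_valid_username(name):
        return []
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed malformed input for the demo
    print("unsafe:", login_unsafe(db, "alice", crafted))  # returns both rows
    print("safe:  ", login_safe(db, "alice", crafted))    # returns []
    print("safe, real credentials:", login_safe(db, "alice", "correct-horse"))
```

The unsafe form returns every user because the quoted input turns the WHERE clause into `... AND password = '' OR '1'='1'`; the safe form compares the whole string as a password value and matches nothing.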
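An auditor's reconciliation check for the salami technique described in the transcript, written as an added example (not from the lesson or from Cybrary) over a constructed interest-posting ledger: every posting is recomputed under the stated rounding policy and any sub-cent shortfall is tallied by the account that collected it, so a pattern of tiny diversions surfaces even though no single transaction looks wrong.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample ledger (not from the lesson). Each row is one interest
# posting: the interest the system computed to four decimals, the amount
# actually credited to the customer, and the account that received any
# leftover fraction. Under the assumed policy the customer gets the half-up
# rounded value and nothing is diverted anywhere.
LEDGER = [
    {"txn": "T1", "computed": "12.3487", "posted": "12.34", "remainder_to": "ACC-999"},
    {"txn": "T2", "computed": "40.1012", "posted": "40.10", "remainder_to": None},
    {"txn": "T3", "computed": "7.9950",  "posted": "7.99",  "remainder_to": "ACC-999"},
    {"txn": "T4", "computed": "3.2201",  "posted": "3.22",  "remainder_to": None},
    {"txn": "T5", "computed": "19.4571", "posted": "19.45", "remainder_to": "ACC-999"},
    {"txn": "T6", "computed": "55.5555", "posted": "55.55", "remainder_to": "ACC-999"},
    {"txn": "T7", "computed": "2.0049",  "posted": "2.00",  "remainder_to": None},
    {"txn": "T8", "computed": "9.8765",  "posted": "9.87",  "remainder_to": "ACC-777"},
]


def expected_posting(computed):
    """Amount the customer should receive under the half-up rounding policy."""
    return Decimal(computed).quantize(CENT, rounding=ROUND_HALF_UP)


def reconcile(ledger, min_hits=3):
    """Recompute every posting and tally sub-cent shortfalls by the account
    that collected them. Only accounts hit at least min_hits times are
    returned, so a single rounding slip is not flagged but a pattern is."""
    hits = defaultdict(int)
    diverted = defaultdict(lambda: Decimal("0"))
    for row in ledger:
        shortfall = expected_posting(row["computed"]) - Decimal(row["posted"])
        if shortfall > 0:
            dest = row["remainder_to"] or "<unrecorded>"
            hits[dest] += 1
            diverted[dest] += shortfall
    return {acct: {"hits": n, "diverted": diverted[acct]}
            for acct, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for acct, info in reconcile(LEDGER).items():
        print(f"{acct}: {info['hits']} postings short, {info['diverted']} diverted")
```

On the sample ledger only ACC-999 is reported (four postings, 0.04 diverted); ACC-777 appears once and stays below the threshold unless min_hits is lowered.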