Week 1
- General Overview of the CISO Arena
  - Technical Security (Technology Problem)
    - Firewalls
    - Intrusion Detection
    - Network Security
    - Viruses/Worms/Crimeware
    - System Hardening
    - Encryption
    - Engineering
  - Information Security (Business Problem)
    - Risk Management
    - Business Continuity/Disaster Planning
    - Intellectual Property
    - Business/Financial Integrity
    - Regulatory Compliance
    - Industrial Espionage
    - Privacy
    - Forensics & Investigation
  - Strategic Security (Critical Security Problem)
    - Terrorism & Cybercrime
    - Regional Interests
    - Nation-state Interests
    - Intelligence
    - Professional Alliances
    - Politics
    - Strategies & Tactics
- People stats on the Internet: about one in 25 people is a sociopath; with about 1.3 billion people on the Internet, that means about 41 million of them out there
- Objectives
  - Confidentiality
  - Availability
  - Integrity
- CISO: the most important role in the company
- CISO key elements of the talent set
  - Intelligence
  - Trusted Alliances
  - Innovative Thinking
  - Risk Management
  - Compliance Challenges
  - Talking with lawyers and insurance underwriters, not with technologists
- Key Functions
  - Information & Computer Security
  - Business Continuity (Business Continuity Plan - BCP) / Continuity of Operations (COOP) / Disaster Recovery Planning
  - Privacy
  - Critical Infrastructure Protection
  - Emergency Communications
- Every day is unique
- Must read books, news, blogs (RSS feeds), regulations, presentations, ...
- Strategic Security Plan Elements
  - Different from environment to environment
  - Prioritize tasks / response list
    - Electronic harassment of an employee is more important than spam in mailboxes, ...
    - Employees and their safety are number one
- Security professionals need to be business savvy
  - Business (enterprise) security, not technical (technology) security
- Krutz & Vines - recommended book for CISSP
- Typical roles in security jobs
  - Practitioner - Operator/Analyst, Forensic Investigator, Engineer, Architect, Incident Responder
  - Auditor
  - Security Project Manager
  - App Security Specialist
  - Consultant - a special topic is Penetration Testing
  - Vendor/Entrepreneur
  - Executive
- Getting Experience
  - Internships
  - Apprenticeships
  - Entry-level jobs
  - Public Service - e.g. PRISEM analyst
Week 2
- GRC - Governance, Risk Management and Compliance
- Organizational Information Assurance: Governance (Goal of System -> Policy -> Procedures & Practices; Mechanisms -> Security Awareness Training -> Secure System -> Audit Feedback -> back to the beginning, Goal of System -> ...)
- NIST document on developing an information assurance plan for an organization: Guide for Developing Security Plans for Federal Information Systems
- McCumber Cube - helps to think through all of the places in a system where security may be a problem (https://en.wikipedia.org/wiki/McCumber_cube)
- Question: What does a CISO need to implement within an organization?
- Question: Understand how information assurance fits into the compliance and regulatory regime of an organization
- Evolution: Agricultural Age -> Industrial Age -> Information Age
- Information Age
  - Linear thinking - cause and effect
  - Knowledge through intellectual property (good or bad?)
  - Work across time zones, online, in collaborations
- Internet users in the world, by distribution - Asia, Europe, North America, Latin America, Africa, Middle East, Oceania/Australia
- Internet penetration rates - North America, Oceania/Australia, Europe, Latin America, Middle East, Asia, Africa
- Symantec Threat Report
- Security & Privacy - two faces of the same coin
  - Security - outward facing
  - Privacy - inward facing
- Castle Approach - (does it work or doesn't it???)
  - perimeter defense is the firewall
  - layered defenses are AV, IDS, IPS
- You will never own a perfectly secure system!!!
- There are some basic rules for protecting yourself on the Internet
- McCumber Cube
  - Security - 3 core + 2 additional security services
    - Confidentiality - who can see the information?
    - Integrity - how do you verify change?
    - Availability - can the information be accessed when needed?
    - Non-repudiation - you are who you say you are
    - Authentication - identity verification
  - States
    - Transmission
    - Storage
    - Processing
  - Controls
    - Human factors
    - Policy and Practices
    - Technology
- McCumber Cube -> Organizational Information Assurance
- Every wire (connection) is a potential place for intrusion or bad behaviour
- Castle Approach - a security paradigm which doesn't work any more
Week 3
- GRC - Governance, Risk Management, Compliance
  - Governance
    - Corporate Governance - processes, customs, policies, laws, ...
    - Information Technology Governance - subset of Corporate Governance focused on IT and risk management
    - Governance Framework
      - not a revolution but an evolution
      - flexible
      - accommodates functional disciplines across business units
  - Risk Management
    - Risk Identification
      - Identify events and factors - advice: keep an eye on the ball, listen and look throughout the organization, categorize risks, look from all angles
    - Risk Analysis
    - Risk Management
    - COBIT, ITIL
  - Control & Compliance
    - Incident Response
- Policy
  - Common Law, Code Law, Religious Law
  - Multicultural complexity
  - What is a policy
    - Established form of business communication
    - Designed to achieve some purpose
    - Guiding principle for influencing decisions/actions
    - Baseline for compliance
    - Foundation for information security management
  - Good Policy
    - Arises from a business goal
    - Based on a clear statement
    - Describes what is wanted of individuals/groups
    - Readily understood by all
  - Writing policy
    - Don't use acronyms
    - Clear, concise, simple language
    - Words: must, should
    - Policy fades over time
    - Must be well communicated
    - Test the policy
- Digital Forensics
  - Part of Incident Response
- 3R's of Accountable Systems - defensive
  - Resistance
  - Recognition
  - Recovery
- 4R's of Accountable Systems - active defense
- Malware
- The business changes a policy
  - The system doesn't change a policy
  - Policy must sit at an abstraction layer where you don't care about the technology
- Analyzing policy
  - There isn't one best policy
  - Gap analysis = current state -> required state
  - Risk assessment
  - Policy links
  - No arbitrary standards for good policy - policy depends on the business
  - Policy frameworks: ITIL, COBIT, ISO 27000, NIST, ISO 17799
Week 4
- IA - Information Assurance
- IA Planning
- GRC - Governance, Risk Management and Compliance
  - Baked in or bolted on - baked in is right
  - Employees say about GRC: the department of NO
  - Restrictions, Commands, Constraints
- The Rule of Law - comply with the law
  - A poor legal system hurts economies
- Using ISO certification - 9000, 9001, 14000
- NIST - Introduction to Computer Security
- Strategic planning
  - SWOT analysis
  - Mission statement - write it!
  - IA Strategy
    - One page
    - Continuous process
    - Build personal connections throughout the company
- Data sensitivity
  - Rainbow Series
  - Protection Mechanism Concepts - rings (like the Castle Approach)
  - Security Labeling
    - Label (mark) data - confidential, secret, top secret, ...
  - Assurance Level - TCSEC/ITSEC/CC
    - TCSEC - D -> C1 -> C2 -> B1 -> B2 -> B3 -> A1
    - Common Criteria - EAL[1-7]
      - International standard
  - FIPS
- Deming Cycle - PDCA - Plan -> Do -> Check -> Adjust
Week 5
- Technologies in Information Assurance Planning
  - A simple start for planning is using the NIST documents
- Grey book - Escalation Archetype
- Problem challenge
  - The target must protect their system all of the time
  - The intruder has time, costs, ...
- Threats
  - Malware is big business
  - Targeted attacks
- Vulnerabilities
- Controls
  - Implementing systems to be safe
  - NIST 800-53: Controls
  - Control mechanisms - firewall, IDS, antivirus, access control system, authentication system, encryption
- Access Control
  - Authentication - something you have / know / are
  - Authorization
- Cryptography
  - Elliptic Curve Cryptography (ECC) - Certicom
  - Public Key Cryptography
    - Knapsack - used for crypto but broken
    - Factorization
      - Hendrik Lenstra
      - Elliptic curve - a curve of a form like y^2 = x^3 - x
      - Number field sieve
- Trusted Computing Base (TCB)
  - OS protection
  - Access control
  - Reference monitor
  - Kernel???
Week 6
- Human factors - managing people
  - Vetting, training, monitoring
  - Weakest link
- People Controls - hiring, managing, firing
  - NIST 800-50
- Identity Theft
  - Google Hacking - mining sensitive data from the Google search engine
- Insider threat
  - Psychosocial risk - a lot of indicators
  - Employee privacy - ethical considerations
  - Termination process - revoke access / change passwords / ...
- Social Engineering
- Economic Behaviour
- Organizational Behaviour
- Managing the Human Factor
Week 7
- Business Continuity, Disaster Recovery, Incident Response, Digital Forensics
- People factor -> weakest link
- You will never own a perfectly secure system!!!
- Business Continuity Plan (BCP)
  - How to preserve critical business functions
  - Preparation, testing and maintenance of the processes needed to recover
  - Active part of continuity planning
  - Disasters
    - Natural - fire, flood, tornado, earthquake, ...
    - Man-made - plane crash, vandalism, loss of personnel, ...
  - CIA - Confidentiality, Integrity, Availability
  - BCP objectives - create, document, test, update
  - BCP scope
    - Data center
    - Distributed operations
    - Personnel, networks, power
    - All aspects of the IT environment
  - Creating a BCP requires senior management support, in 5 phases
    - Project management & initiation - build the team, get support from management, risk analysis, initial report to management, approval from management
    - Business Impact Analysis (BIA) - Maximum Tolerable Downtime (MTD) agreed with management, Maximum Tolerable Outage (MTO)
    - Recovery strategies - based on the MTDs
    - Plan design & development - detailed information
    - Testing, maintenance, awareness training - "Until it's tested, you don't have a plan!"
  - The BCP team likely becomes the DR team
- Incident Response (IR)
- Digital Forensics (DF)
  - There are no standards for DF
- Why have a PLAN?
  - It is the responsible thing to do
  - How much does it cost per day?
  - Audit requirements
  - It makes good business sense
  - Do your business recovery initiatives satisfy - auditors, investors, regulators, clients, employees?
- Parties involved in a security breach
  - The hacker
  - The computer owner
  - Person(s) impacted by the breach
  - Person who facilitates use of the data obtained in the hack