May 25, 2013

1.6.9 TKIP

TKIP

Temporal Key Integrity Protocol (TKIP) is a security protocol defined by the IEEE 802.11 wireless networking specification. TKIP was designed to replace WEP without requiring the replacement of legacy hardware. Customers could take advantage of it by updating firmware instead of having to replace hardware.1

TKIP is a "wrapper" that goes around the existing WEP encryption.  TKIP comprises the same encryption engine and RC4 algorithm defined for WEP.  However, the key used for encryption in TKIP is 128 bits long.  This solves the first problem of WEP: a too-short key length.2

It is the encryption method used in Wi-Fi Protected Access (WPA).

References:

1.6.6 LEAP

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a proprietary EAP protocol, also known as Lightweight EAP. It was created by the company Cisco Systems for its line of Wireless LAN Access Points as a way to address the security weaknesses in WEP.

Security of LEAP relies on the strength of the organization’s password policy. With LEAP the organization should use complex passwords that make it computationally infeasible to attempt an offline dictionary or brute force attack.1

References:

1.6.3 WEP

WEP

Wired Equivalent Privacy (WEP) is the original security standard used in wireless networks to encrypt wireless network traffic.1 It adds security to 802.11 Wi-Fi networks at the data link layer (OSI model Layer 2) using keys made up of hexadecimal digits.

Hexadecimal digits include ten numbers (0 – 9) and six letters (A – F). WEP uses a combination of these hexadecimal digits to create WEP keys. For example:

8734CDEA08432FACDE65748ACC

There are three key sizes in use with WEP: 10, 26 and 58 digit key lengths.

A 10-digit hexadecimal key size results in a 40- or 64-bit WEP key. Note: each hexadecimal character represents four bits, resulting in a 40-bit key. 40-bit keys can be concatenated with a 24-bit initialization vector (IV) to generate a 64-bit WEP key.

A 26-digit hexadecimal key size results in a 104- or 128-bit WEP key. Note: as each hexadecimal character represents four bits, this yields a 104-bit key. If this is concatenated with a 24-bit initialization vector (IV) it generates a (104 + 24) or 128-bit WEP key.

A 58-digit hexadecimal key size results in a 256-bit WEP key, which includes the 24-bit IV.

WEP Encryption Process

A WEP key is concatenated with an initialization vector (IV), and this combined key is used as the seed for an RC4 keystream that is XORed (exclusive OR) with the wireless LAN data. A different IV is used for each frame, and therefore a different combined key is used to create a new RC4 keystream for each frame.

Vulnerabilities have been exposed where repeated IVs, along with the adaptation of a stream cipher (RC4) to create the block cipher, have resulted in an insecure encryption mechanism that can be cracked with what are now commonly available tools.2

Note: XOR is a logical operation which yields true if exactly one (but not both) of two conditions is true.3

Note: WEP is no longer considered to be secure.4
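As an added illustration (not code from the page or its sources), here is the encryption process described above in Python: the 24-bit IV is prepended to the WEP key to seed RC4 and the keystream is XORed onto the frame body, and it shows why a repeated IV destroys confidentiality, since two frames sent under the same IV XOR to the XOR of their plaintexts. The key is the page's sample key; the IVs and frame contents are constructed, the CRC-32 ICV is omitted, and the birthday-bound helper is an addition that quantifies how small the 24-bit IV space is.

```python
# Added example: RC4-based WEP frame encryption and the keystream-reuse weakness.
# Illustrative code, not from the page's sources. The IVs and frame contents are
# constructed sample values; the WEP ICV (CRC-32) is omitted for brevity.

WEP_IV_BITS = 24
WEP_IV_SPACE = 1 << WEP_IV_BITS      # 16,777,216 possible IVs for one key


def parse_wep_key(hex_key: str) -> bytes:
    """Validate a hexadecimal WEP key (10 or 26 digits) and return its bytes."""
    hex_key = hex_key.strip().upper()
    if len(hex_key) not in (10, 26):
        raise ValueError("WEP keys are 10 (40-bit) or 26 (104-bit) hex digits")
    return bytes.fromhex(hex_key)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: seed RC4 with IV || key and XOR the keystream onto the frame body.
    The 3-byte IV travels in the clear in front of the ciphertext."""
    if len(iv) != WEP_IV_BITS // 8:
        raise ValueError("WEP IV must be 24 bits")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Rebuild the same keystream from the cleartext IV and the shared key."""
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + key, len(body)))


def leaks_plaintext_xor(key: bytes, iv1: bytes, iv2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when the two frames were sent under the same keystream: the keystream
    cancels in C1 xor C2, leaving P1 xor P2 exposed without the key."""
    c1 = wep_encrypt(key, iv1, p1)[3:]
    c2 = wep_encrypt(key, iv2, p2)[3:]
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def expected_frames_until_iv_repeat(iv_space: int = WEP_IV_SPACE) -> int:
    """Birthday bound: with randomly chosen IVs a repeat is expected after
    roughly sqrt(pi/2 * N) frames, i.e. only a few thousand for N = 2^24."""
    return int((3.14159265 / 2 * iv_space) ** 0.5)
```

A busy access point sends thousands of frames a minute, so the IV space is exhausted or repeated within hours regardless of key length, which is why key size alone did not save WEP.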

References:

1.6.2 WPA2

WPA2

Wi-Fi Protected Access II (WPA2) is a security protocol developed to protect wireless network communications. WPA2 is also known as the IEEE 802.11i standard. The Wi-Fi Alliance began certifying it in 2004:

Table 1: Wi-Fi Security Timeline1

  • September 1997 – IEEE 802.11 standard ratified, including WEP
  • April 2000 – Wi-Fi CERTIFIED program launched, with support for WEP
  • May 2001 – IEEE 802.11i task group created
  • April 2003 – WPA introduced with:
    • IEEE 802.1X authentication
    • Temporal Key Integrity Protocol (TKIP) encryption
    • Support for EAP-Transport Layer Security (EAP-TLS)
  • September 2003 – WPA mandatory for all Wi-Fi CERTIFIED equipment
  • June 2004 – IEEE 802.11i amendment ratified
  • September 2004 – WPA2 introduced with:
    • IEEE 802.1X authentication
    • AES encryption
    • Support for EAP-TLS
  • April 2005 – Support for four additional EAP types added:
    • EAP-Tunneled TLS Microsoft Challenge Handshake Authentication Protocol Version 2 (EAP-TTLS/MSCHAPv2)
    • Protected EAP Version 0 (PEAPv0)/EAP-MSCHAPv2
    • Protected EAP Version 1 (PEAPv1)/EAP Generic Token Card (EAP-GTC)
    • EAP-Subscriber Identity Module (EAP-SIM)
  • March 2006 – WPA2 mandatory for all Wi-Fi CERTIFIED equipment
  • January 2007 – Wi-Fi Protected Setup program launched
  • November 2007 – IEEE 802.11w task group created
  • May 2009 – Support for EAP-AKA and EAP-FAST added
  • January 2012 – Support for Protected Management Frames added to WPA2

WPA2 includes an encryption and an authentication protocol:
  1. The encryption protocol is the Advanced Encryption Standard (AES); it is used to secure wireless networks and protect data.
  2. IEEE 802.1X is the authentication protocol. It provides authentication and network access control features.
It also provides mutual authentication with a Pre-Shared Key (PSK; in Personal mode) and with IEEE 802.1X / EAP (in Enterprise mode).

WPA2 operates in two modes, Enterprise and Personal:
  1. In Enterprise mode, WPA2 takes advantage of IEEE 802.1X Authentication, Authorization, Accounting (AAA) servers to monitor and manage traffic, define user-specific authentication levels, and offer guest access services.
  2. Home and small-office networks typically run WPA2 in Personal mode (WPA2-Personal). In Personal mode the network Service Set Identifier (SSID) and a passphrase entered by the user are used to derive the security key.
WPA2 uses the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an Advanced Encryption Standard (AES) based encryption protocol, which uses the same key for both encryption and integrity protection.
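As an added example (not code from the page or from any vendor), this is how WPA2-Personal derives the security key from the SSID and passphrase mentioned above: IEEE 802.11i specifies PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations and a 256-bit output, which becomes the Pairwise Master Key. Only Python's standard library is used; the "password"/"IEEE" pair is the 802.11i reference test vector and the other inputs are constructed.

```python
# Added example: WPA2-Personal PSK derivation (IEEE 802.11i: PBKDF2-HMAC-SHA1,
# SSID as salt, 4096 iterations, 256-bit output). Illustrative code, not from
# the page; sample SSIDs and passphrases below are constructed.
import hashlib

PSK_ITERATIONS = 4096
PSK_BYTES = 32          # 256-bit PSK, used directly as the PMK


def validate_passphrase(passphrase: str) -> None:
    """802.11i allows 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def validate_ssid(ssid: bytes) -> None:
    """An SSID is 1 to 32 octets."""
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits)."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode()
    validate_ssid(ssid_bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes,
                               PSK_ITERATIONS, PSK_BYTES)


def psk_is_ssid_specific(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The SSID acts as the salt, so the same passphrase yields a different PSK
    on a differently named network. A unique (non-default) SSID therefore
    prevents one precomputed table from serving many networks."""
    return derive_psk(passphrase, ssid_a) != derive_psk(passphrase, ssid_b)
```

Every station and the access point run this same computation, so the strength of WPA2-Personal rests entirely on the passphrase's entropy, not on the derivation.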

References

May 22, 2013

2.1.6 Risk-avoidance, transference, acceptance, mitigation, deterrence


Risk-avoidance, transference, acceptance, mitigation, deterrence


Risk Avoidance

Risk Avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.

Risk avoidance should be based on an informed decision that the best course of action is to deviate from what would/could lead to being exposed to the risk. One of the problems with risk avoidance is that it may require you to also avoid activities that may be otherwise beneficial.

Risk avoidance is the most effective countermeasure to risk; however, it is often not possible due to organizational requirements and business drivers.

Risk Transference

With risk transference, you share some of the burden of the risk with another entity, such as an insurance company. You do not completely offload the risk; you mitigate it through partnerships. An example policy might pay out if you could prove that all necessary measures to reduce the risk were taken and you still were harmed.

Another example of risk transference is outsourcing to a managed service provider, with service level agreements (SLAs) that state which party is responsible for managing which risks.

Risk Mitigation

Risk mitigation is accomplished anytime you take steps to reduce the risk. Steps include installing antivirus software, educating users about possible threats, monitoring the network traffic, and adding a firewall. Microsoft's Security Intelligence Report, Volume 9, lists the following suggestions for mitigating risk:
  • Keep security messages fresh and in circulation.
  • Target new employees and current staff members.
  • Set goals to ensure a high percentage of the staff is trained on security best practices.
  • Repeat the information to raise awareness.

In risk mitigation (occasionally referred to as risk reduction), the harm can still occur, but you've reduced the impact it will have.

Risk Deterrence

Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they persist. The easiest way to think of risk deterrence is as a “you hit me and I'll hit you back harder” mentality. This can be as simple as posting prosecution policies on your login pages and convincing potential attackers that you are taking steps to identify intrusion and prosecute it.

Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated.

Risk Acceptance

Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, all the internal parties must know that it exists and how it can affect the organization. It has to be an identified risk for which those involved understand the potential cost/damage and agree to accept it.

Risk acceptance is essentially being fully aware that the risk exists (and that you could be affected by it), then choosing to do nothing about it.

In risk acceptance, the risk must be identified, accepted and then a decision made that no action will be taken. Risk acceptance must be a conscious choice, documented, approved by senior administration, and regularly reviewed.

Related Terms:

  • Risk Appetite – the level of risk tolerance.
  • Exploit – An exploit is a mechanism of taking advantage of an identified vulnerability.
  • Threat – A threat is the potential that a vulnerability will be identified and exploited.
  • Control – Controls act to close vulnerabilities, prevent exploitation, reduce threat potential, and/or reduce the likelihood of a risk or its impact.

Research References:

  1. http://certcities.com/editorial/columns/story.asp?EditorialsID=447
  2. http://www.informit.com/articles/article.aspx?p=1809117&seqNum=2
  3. http://studydroid.com/index.php?page=viewPack&packId=220486
  4. CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  5. CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

2.1.5 Qualitative vs. Quantitative Risks


Qualitative Vs. Quantitative Risks

Risk is the potential that a specific action (or lack of action) will lead to a loss, where “loss” is an undesirable outcome.

In information security, risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization".1

In the book, Security Risk Management Body of Knowledge, Julian Talbot posits that, “A security risk is any event that could result in the compromise of organizational assets, the unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities constitutes a compromise of the asset, and includes the risk of harm to people.”

Risk = Threat × Vulnerability

Risk management is the process of identifying and reducing risk to a level that is comfortable and then implementing controls to maintain that level.

Risk analysis identifies risks, estimates the effect of potential threats, and identifies ways to reduce the risk without the cost of the prevention outweighing the risk.2

Risk is present in any system; however risk management should be commensurate with the risk. The two general approaches for risk assessment are quantitative and qualitative risk assessment.

Qualitative Risk Assessment

In a qualitative risk assessment, the probability of a risk and the impact the risk can have on the system are identified and assigned values. Qualitative risk assessment assigns ranges and probabilities, as it is difficult to place an exact value on many types of risk. The goal of qualitative risk assessment is to get a general picture rather than exact figures. Qualitative risk assessment uses both tangible and intangible factors in determining risks.

Intangible factors include harm to the company brand.

Users increasingly demand data-driven results. More precisely, where the penalties of risk are significant, particularly where safety, lawsuits or reputation is at stake, organizations are increasingly demanding data-driven results.

Qualitative risks generally depend on the perspective of the person who is making the evaluation; as such, they are more difficult to measure. Risk is assigned through a variety of quasi-quantitative methods such as surveys, probabilities and focus groups. Since the values are subjectively assigned, the result is a qualitative measure.

Quantitative Risk Assessment

Quantitative risk assessment measures risk, taking into account the probability of an incident occurring and the likely loss or cost of that event, using exact monetary values as much as possible.

The resulting value is called the Annual Loss Expectancy (ALE).

Qualitative risks are opinion-based and subjective. Quantitative risks are cost-based and objective.

Plans need to be made in order to test and to audit existing procedures with quantitative means as much as possible. In this scenario it is necessary to be able to think like a hacker. Imagine the structure of your network and try to find out the locations where a hacker might enter.
  1. What are the most common entrance points with current hacking innovation? Check out hacker blogs and gatherings. Determine which locations are vulnerable based on your research. Consider additional tools available on the market to help with these vulnerabilities; for example, add additional switches, hubs and routers to help with data control and management.
  2. Create an audit form and audit your network periodically, e.g. twice a year. Monitor current parameters on firewalls, including your password policy. Do you require strong passwords, particularly on critical or highly connected subsystems? It is good practice to keep your users informed and educated. Educated users are more likely to buy into your security policies.
  3. Present the adverse effects of successful attacks and the benefits of good risk management to your users. The benefits could be cost savings, availability, and community appeal. Find out what will motivate the users and use that to drive home the point. What happens if an IT security control fails? What happens if the company exposes customer financial data to hackers, or the company is hit with a crippling malware attack? Deploy common-sense remediation methodologies. Do all this in an effort to get user buy-in.

References:

  1. ISO/IEC 27005:2008
  2. CompTIA® Security+™ SY0-301 Exam Cram, Third Edition
  3. Talbot, Julian, and Miles Jakeman. Security Risk Management Body of Knowledge. Hoboken: John Wiley & Sons, 2009. Print.

2.1.4 Risk Calculation in Projects

Risk Calculation in Projects

Few systems are free of risks. The job of the risk/security professional is to identify the risk, estimate the potential cost and recommend appropriate action.

Risk management is a field that has seen major growth and development in the past few years. This growth has risen to meet the growth of risk in the field. The expectation for any project is that it be successful, meaning it meets deadlines, stays on budget and fulfills the statement of work.

In IT, for example, you should continually try to uncover the risks in your systems. Are your employees streaming Netflix videos on company time? Are they visiting suspected compromised sites? These actions are each potentially very harmful to the organization. How does the cost of preventing or avoiding the risk compare to the cost of allowing or ignoring it?

There is a range of methods for calculating risks and minimizing the danger they pose to the success of your project. They all make use of risk assessment and measurement procedures. As the information generated continues to grow and our rate of information consumption continues to increase, more often than not we consume or act on information without a proper risk assessment of that information.

At one point the Internet (known then as ARPAnet) was a set of 50 kbps lines connecting four computers. The risks then were very different.1 The network today has increased in both size and complexity and the risk has increased alongside it.

McAfee defines risk as a “function of threat and asset, plus a risk multiplier”.2 This is saying that risk is outcome-based. The outcome or effect of a successful intrusion at a bank is more critical than an intrusion at a site with less valuable data. Before a threat is identified as a risk, a determination of the cost of the risk and the risk management is made against value of the asset. Once the threat is identified as a risk, risk mitigation programs must be deployed to mitigate or minimize the risk and its cost.

What factors are available to help you to determine the highest risks for an event?
  1. Calculate the probability of the event, if possible based on real data.
  2. Conduct research on your client, their background, business drivers and key roles.  For every calculated risk, generate an agile project plan to manage it.
  3. Control the risk.  Hire a certified ethical hacker (CEH)3 for instance to try and break into the network, apply stress on the network and measure the outcome.
The likelihood and outcome of a risk have a strong impact on your cost analysis for budgeting funds for risk countermeasures and mitigation. A calculation used to determine this factor is Annual Loss Expectancy (ALE). You must calculate the chance of a risk occurring, sometimes called the Annual Rate of Occurrence (ARO), and the potential loss of revenue based on a specific period of downtime, which is called the Single Loss Expectancy (SLE). By multiplying these factors together, you arrive at the ALE.

Chance of a risk occurring × potential loss of revenue over a period of downtime = likelihood and impact of a risk, or in formula terms:

Annual Rate of Occurrence (ARO) × Single Loss Expectancy (SLE) = Annual Loss Expectancy (ALE)

ALE is how much money you expect to lose on an annual basis because of the impact from an occurrence of a specific risk.

When conducting a risk assessment, it is important to prioritize. Consider the likelihood of an event occurring and its impact to your organization. Focus on the events that have a significant impact. Not every risk should be weighted equally.

Three categories are commonly used to rate the likelihood of a risk for comparison: High (1.0), Medium (0.5), or Low (0.1).

Annualized Rate of Occurrence (ARO) is the likelihood, often drawn from historical data, of an event occurring within a year. This measure can be used in conjunction with a monetary value assigned to data to compute Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE) values.

When computing risk, remember the following:

Annual Rate of Occurrence (ARO) × Single Loss Expectancy (SLE) = Annual Loss Expectancy (ALE)

Asset Value (AV) × Exposure Factor (EF) = Single Loss Expectancy (SLE)

Thus, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be equivalent to $1,000 and that there will be seven occurrences a year (ARO), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of an event occurring in a year (ARO = .1), then the ALE drops to $100.

  ARO   ×   SLE     =   ALE
  7     ×   $1,000  =   $7,000
  0.1   ×   $1,000  =   $100

The Annualized Loss Expectancy (ALE) is the expected monetary loss for an asset due to a risk over a one-year period; it is used to identify risks and calculate the expected loss each year. An important feature of the ALE is that it can be used directly in a cost-benefit analysis: if a threat or risk has an ALE of $5,000, then it may not be worth spending more than $5,000 per year on a security measure that eliminates it.

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending upon whether you are focusing on dollar amounts or not. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO) are all based on doing assessments that lead to dollar amounts and are thus quantitative.

Quantitative calculations assign dollar amounts.
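The formulas of this section carried into code, as an added example (not from the page or the cited study guides): SLE = AV × EF, ALE = SLE × ARO, the High/Medium/Low likelihood values, and the cost-benefit test that compares a control's annual cost against the ALE it removes. The asset values, exposure factors and control costs used are constructed sample numbers.

```python
# Added example: quantitative risk calculation (SLE, ARO, ALE) with a
# cost-benefit check for a countermeasure. Illustrative code; the sample
# assets, exposure factors and control costs are constructed, not from the page.

# Likelihood categories the section gives for comparing risks when no
# historical rate is available.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def aro_from_history(incidents: int, years: float) -> float:
    """ARO drawn from historical data, e.g. 3 incidents in 10 years -> 0.3."""
    if years <= 0:
        raise ValueError("years must be positive")
    return incidents / years


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost-benefit of a countermeasure: annual loss avoided minus annual cost.
    A negative result means the control costs more than the loss it prevents."""
    return (ale_before - ale_after) - annual_control_cost


def rank_risks(risks):
    """Take (name, AV, EF, ARO) tuples and return (name, ALE) sorted highest first,
    so the assessment focuses on the events with the greatest expected loss."""
    scored = [
        (name, annual_loss_expectancy(single_loss_expectancy(av, ef), aro))
        for name, av, ef, aro in risks
    ]
    return sorted(scored, key=lambda r: r[1], reverse=True)


# Constructed sample register used by the self-check below.
SAMPLE_RISKS = [
    ("Web server defacement", 20_000, 0.25, 2.0),      # SLE 5,000  -> ALE 10,000
    ("Laptop theft",           3_000, 1.00, 0.5),      # SLE 3,000  -> ALE 1,500
    ("Data center flood",    500_000, 0.60, 0.01),     # SLE 300,000 -> ALE 3,000
]
```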

Study Guides & References:

  • http://www.riskythinking.com/glossary/annualized_loss_expectancy.php
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart

Resources:

  1. Unless you consider the system crashing on the first attempt to send the “login” prompt.
  2. https://kc.mcafee.com/corporate/index?page=content&id=KB73862&actp=LIST
  3. http://www.eccouncil.org/

Additional Resources:

  • History of Computing Project: www.thocp.net/index.html
  • Risk Mitigation: http://www.alea.org/public/airbeat/back_issues/jan_feb_2008/Mitigating%20Risk.pdf
  • Petrocelli, T. D. (2006). Data protection and information lifecycle management. Upper Saddle River, NJ: Prentice Hall Professional Technical Reference.

2.1.3 Importance of Policies in Reducing Risk

Importance of Policies in Reducing Risk

Policies are used by organizations to define and govern behavior. Information is the core resource of IT organizations. As a result several types of policies are created to preserve and protect it in a consistent and reliable manner. Policies are created to fulfill legal, regulatory and security requirements. Let’s focus on the security-related policies.

Privacy Policy

In a (business) transaction there is an exchange of resources. In a business-to-consumer transaction, the consumer usually exchanges money for a product or service. Often, to facilitate the transaction, personally identifiable information (PII) is generated. The value of this information is becoming more apparent. The Privacy Act of 19741 established guidelines and restrictions on how the US federal government can collect, use and share PII. Other federal laws establish rules for corporations and other organizations to manage their users’ private information in specific circumstances, e.g.
  • HIPAA2
    • HIPAA is the acronym for the Health Insurance Portability and Accountability Act passed by Congress in 1996. With respect to IT, HIPAA mandates industry-wide standards for health care information on electronic billing and other processes; and requires the protection and confidential handling of protected health information.
  • Gramm-Leach-Bliley Act (GLBA)3
    • The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of your private financial information.
  • Children’s Online Privacy Protection Act (COPPA)4
    • COPPA protects the privacy of children. It states that it is unlawful for an online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child under the age of 13, to collect personal information from a child in a manner that violates the regulations.
In addition to these government sponsored protections, organizations create and publish their own policies aimed at bolstering transparency of how its users’ “private” information is secured and consumed.

Typical of a lot of privacy policies are these section headings from PayPal’s Privacy Policy:
  • Binding Corporate Rules
  • How we collect information about you
  • How we use Cookies
  • How we protect and store personal information
  • How we use the personal information we collect
  • Marketing
  • How we share personal information with other PayPal users
  • How we share personal information with other parties
  • Using PayPal Access
  • How you can restrict PayPal from sharing your personal information
  • How you can access or change your personal information
  • How you can contact us about privacy questions
Other names for privacy policies include data use policy and terms of service.

Acceptable Use Policy

An acceptable use policy (AUP) is a set of rules created by the owner of an online resource (network, website, system, etc.) that states the rules of conduct a user must agree to in order to be given access to the online resource. An AUP defines the intended uses of the resource, unacceptable behavior and the consequences for non-compliance.

A good AUP will cover provisions for network etiquette, mention limits on the use of network resources, and clearly indicate the level of privacy a member on the network should expect.5 A good AUP will maximize the common use of the resource and reduce the potential for legal action.

An acceptable use policy is also known as an acceptable usage policy or fair use policy.

Security Policy

A policy is a living document that outlines specific requirements or rules that must be met and outlines why those rules are needed.6 It is updated continuously to adapt to evolving business and technology requirements.

A security policy defines what it means to be secure for a system, organization or other entity.7 It states in writing the rules and procedures that entities accessing IT assets must comply with in order to preserve the confidentiality, integrity and availability of the IT assets. These assets face threats from a wide array of predictable and unpredictable sources and the threats include malicious software, hacking and denial of service attacks. Security policies provide policies and procedures that support and bolster the technical steps taken to secure the system and organization.

The International Organization for Standardization (ISO) and the US National Institute of Standards and Technology (NIST) are two governing bodies that have published standards for creating security policies. ISO 17799 provides a comprehensive set of guidelines and controls comprising best practices in information security, and can be used as a basis to develop a security policy.8

Mandatory Vacations

A mandatory vacations policy is a type of Human Resource (HR) policy which states that active employees should be absent from the office and their duties for an uninterrupted period of time. HR policies cover issues that directly affect anyone doing business for the organization (employees or non-employees). If you ask an HR professional, the justifications will include that this policy avoids burnout and improves productivity.9

To the Security professional, the mandatory vacations policy is an effective internal security control. It essentially ensures that periodically someone else is looking over the activities of an employee and will possibly uncover any fraudulent activities by that individual.

In the Risk Management Manual of Examination Policies, the Federal Deposit Insurance Corporation (FDIC) endorsed the concept of mandatory vacations by saying, “Such a policy is considered an important internal safeguard largely because of the fact that perpetration of an embezzlement of any substantial size usually requires the constant presence of the embezzler in order to manipulate records, respond to inquiries from customers or other employees, and otherwise prevent detection.”10


It is logical that mandatory vacation (along with job rotation and separation of duties) should be a part of an overall HR and security policy. The organization should avoid a situation where an individual has complete control of important business processes without adequate supervision and oversight. These policies help protect against loss of critical skillsets and act as a check against fraudulent activities.

These practices also protect against the loss of a critical skill set due to injury, death, or another form of personnel separation.

Job Rotation

Job rotation creates a mechanism where two or more employees can periodically switch roles. Job rotation is promoted by Human Resources (HR) as a valuable tool in the overall training program. The Security department will endorse it as an effective security control because it exposes each employee's work to other employees, possibly uncovering fraudulent or otherwise inappropriate behavior.

Job rotation promotes cross-training and knowledge sharing and helps to expose fraudulent activities.

Separation of Duties

Separation of duties (SoD) dictates that important functions should be broken into multiple tasks, with each task performed by a separate individual. The goal is to ensure that no single individual can dominate a process from beginning to end and so be able to skirt security policies and take advantage of the system for personal gain.

SoD helps prevent conflict of interest and provides a mechanism to detect failures in security controls.
The idea of separation of duties hinges on the concept that multiple people conspiring to corrupt a system is less likely than a single person corrupting it.11


Section 404 of the Sarbanes-Oxley Act requires management to report on the adequacy of the company’s internal control on financial reporting. One of the tools companies and auditors have to meet this requirement is to implement separation of duties policies in the organization.

Least Privilege

In their paper “The Protection of Information in Computer Systems”, Saltzer and Schroeder write, “Every program and every user of the system should operate using the least set of privileges necessary to complete the job”. This policy “limits the damage that can result from an accident or error.”

The least privilege policy gives individuals (or applications) only the minimum amount of privileges they need to perform a task. This is similar to the military concept of “need to know” which states that access to information must be necessary for the conduct of one’s official duty.

People or process should have the least authority necessary to perform a task. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.12
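An added example (not from the page or its references) of how the separation-of-duties and least-privilege policies described above are enforced in an access model: roles carry only the permissions their job needs, a list of toxic permission pairs drives an SoD audit of users' combined roles, approval is checked at enforcement time against the person who entered the request, and unused permissions are surfaced for a least-privilege review. The roles, permissions, users and conflict pairs are constructed samples.

```python
# Added example: separation-of-duties (SoD) audit and least-privilege checks
# over a role-based access model. Illustrative code, not from the page; the
# roles, permissions, users and toxic pairs are constructed samples.

# Role -> permissions it grants. Each role holds only what its job requires.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve"},
    "treasury":   {"payment.release"},
    "auditor":    {"ledger.read"},
}

# Permission pairs that one person must never hold together: each pair lets a
# single individual run a payment process end to end.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "invoice.approve"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.release"}),
}


def effective_permissions(roles) -> set:
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(user_roles: dict) -> dict:
    """Audit: {user: [conflicting pairs]} for users whose combined roles hold a toxic pair.
    Catches conflicts that arise from role accumulation, not just from a single role."""
    report = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms]
        if hits:
            report[user] = sorted(hits)
    return report


def can_approve(invoice: dict, approver: str, user_roles: dict) -> bool:
    """Enforcement-time two-person rule: the approver must hold the permission
    and must not be the person who entered the invoice."""
    perms = effective_permissions(user_roles.get(approver, ()))
    if "invoice.approve" not in perms:
        return False
    return invoice["entered_by"] != approver


def excess_permissions(user: str, used_permissions, user_roles: dict) -> set:
    """Least-privilege review: permissions granted to a user but never exercised
    during the review window are candidates for removal."""
    return effective_permissions(user_roles[user]) - set(used_permissions)


# Constructed sample assignments; carol has accumulated two conflicting roles.
SAMPLE_USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_manager"],
    "carol": ["ap_clerk", "ap_manager"],
    "dave":  ["auditor"],
}
```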

Reference:

  1. The Privacy Act of 1974: http://www.justice.gov/opcl/privstat.htm
  2. HIPAA: http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00%20WhatisHIPAA.aspx
  3. GLBA: http://epic.org/privacy/glba/
  4. COPPA: http://www.ftc.gov/ogc/coppa1.htm
  5. AUP: http://compnetworking.about.com/od/filetransferprotocol/a/aup_use_policy.htm
  6. Security Policy: http://www.sans.org/security-resources/policies/
  7. Security Policy: http://en.wikipedia.org/wiki/Security_policy
  8. Security Policy: http://www.sans.org/reading_room/whitepapers/policyissues/security-policy-roadmap-process-creating-security-policies_494
  9. Mandatory Vacations: http://hr.blr.com/HR-news/Benefits-Leave/Vacations/Make-Vacation-Mandatory-to-Avoid-Employee-Burnout-
  10. Mandatory Vacation: http://www.fdic.gov/regulations/safety/manual/section4-2.html#basicElements
  11. http://www.pearsonitcertification.com/articles/article.aspx?p=1809117&seqNum=2
  12. http://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP

Additional References:

2.1.2 False Positives

False positives

“A legitimate file inadvertently detected as 'infected', 'malicious' or 'suspicious' (also known as a False Positive or a False Alarm).” (f-secure)

From mathematics to medicine, from internet security to robotics, the term false positive is used as jargon for the paradoxical condition where a value is reported as TRUE although it is FALSE in reality. A false positive is also known as a false alarm or false detection.

The security definition of a false positive goes like this “The erroneous identification of a threat or dangerous condition that turns out to be harmless. E.g., false positives often occur in intrusion detection systems.” (PC MAG encyclopedia)

A false negative occurs when a security system fails to detect an actual threat. Any time a virus gets through an anti-virus scan, the result is termed a false negative. Possible reasons for a false negative include a check that has not yet been written (perhaps the vulnerability is new) and user error (perhaps the wrong policy was selected, or the configuration needs tweaking).

Although the term false positive is used for many subsystems (e.g. scanners, application firewalls, intrusion detection and prevention systems), it always means the same thing: a false detection or a false alarm. In the security realm, anti-virus software and intrusion detection systems are the usual sources of this condition. When a harmless file is flagged as a virus only because it contains a string of characters that matches a string from an actual virus, a false positive has occurred. In 2008, AVG erroneously identified the user32.dll file as a potential Trojan; this led to several BSOD (Blue Screen of Death) crashes among AVG users. In 2010, corporate editions of the McAfee security suite falsely flagged "svchost.exe", a necessary Windows XP process, as a virus.

False positives in an intrusion detection system (IDS) degrade the performance of the system and can also have worse consequences. When an alarm is raised on the activity of a legitimate user, an IDS false positive has occurred. An IDS false negative may introduce a security risk by allowing unauthorized users access to the system.

Reducing false positives

Several algorithms are used to reduce false positive errors in cyber security and in intrusion detection systems. One well-known example is the Bloodhound heuristic technology used in Symantec's antivirus products. This technology uses heuristic algorithms to distinguish a virus program from a harmless file.

Categories of false positives in a network-based IDS:
  1. Reactionary traffic alarms: Traffic from local or other networks is misinterpreted as a malicious attack when it is in fact benign.
  2. Equipment-related alarms: Unrecognized packets generated by some network devices may cause this type of false positive in an intrusion detection system. Load balancers may be the culprit here.
  3. Protocol violations: Software errors and bugs cause this type of false positive. Regular software updates and debugging will address this type of error.
  4. True false positives: Random false positives caused by IDS software errors constitute true false positives.
  5. Non-malicious alarms: Some non-malicious occurrences are wrongly identified as threats. These are classified as non-malicious false positives.

Understanding false positives and their implications in the security arena helps a learner differentiate a bad security algorithm from a good one, and appreciate the importance of false positive heuristics in intrusion detection systems and anti-virus software.
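The following is an added example, not code from the original notes or from any vendor mentioned above. It builds a toy signature scanner of the kind the text describes (a file is flagged because it contains a string that matches a real sample), runs it over a constructed corpus, and counts true and false positives and negatives. A second, heuristic scanner that requires several indicators together shows how the false positives disappear while a false negative (a sample for which no check exists yet) remains. The file contents, the signature, the "MZ" header check and the API list are all constructed for illustration.

```python
"""Added example (not from the original notes): a toy signature scanner with
confusion-matrix bookkeeping, to show what false positives and false negatives
look like in practice. All signatures, file contents and the heuristic rule
below are constructed for illustration."""

from typing import Callable, Dict, List, Tuple

Corpus = List[Tuple[str, bytes, bool]]  # (file name, contents, truly malicious?)

# Constructed corpus: two real infections, two benign files that merely
# mention an API name, and one benign file with nothing suspicious.
CORPUS: Corpus = [
    ("dropper.exe",
     b"MZ\x90\x00...CreateRemoteThread...WriteProcessMemory...VirtualAllocEx...", True),
    ("debugger.exe",
     b"MZ\x90\x00...CreateRemoteThread...attach to process for debugging...", False),
    ("notes.txt",
     b"meeting notes: discuss CreateRemoteThread usage in the debugger", False),
    ("packed.exe",
     b"MZ\x90\x00...UPX0...opaque packed section, no plaintext API names...", True),
    ("readme.txt", b"installation instructions", False),
]

# Constructed signature: a byte string taken from the (fictional) dropper.
NAIVE_SIGNATURE = b"CreateRemoteThread"

# Constructed set of APIs that, seen together in one executable, make the
# heuristic fire.
INJECTION_APIS = (b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx")

Scanner = Callable[[bytes], bool]


def naive_scan(content: bytes) -> bool:
    """Flag any file containing the signature string, wherever it appears.
    This is the behaviour the notes describe: a harmless file is flagged
    because it happens to contain a string that matches a real sample."""
    return NAIVE_SIGNATURE in content


def heuristic_scan(content: bytes) -> bool:
    """Flag only executables (constructed 'MZ' header check) that reference at
    least two of the listed APIs together. A text file, or a legitimate
    debugger that uses one of them, no longer trips the alarm."""
    if not content.startswith(b"MZ"):
        return False
    hits = sum(1 for api in INJECTION_APIS if api in content)
    return hits >= 2


def evaluate(scanner: Scanner, corpus: Corpus) -> Dict[str, int]:
    """Count true/false positives and negatives for a scanner over a corpus."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _name, content, malicious in corpus:
        flagged = scanner(content)
        if flagged and malicious:
            counts["tp"] += 1
        elif flagged and not malicious:
            counts["fp"] += 1
        elif not flagged and malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def false_positives(scanner: Scanner, corpus: Corpus) -> List[str]:
    """Names of benign files the scanner wrongly flagged."""
    return [name for name, content, malicious in corpus
            if scanner(content) and not malicious]


def false_negatives(scanner: Scanner, corpus: Corpus) -> List[str]:
    """Names of malicious files the scanner missed."""
    return [name for name, content, malicious in corpus
            if not scanner(content) and malicious]


def rates(counts: Dict[str, int]) -> Dict[str, float]:
    """False positive rate, false negative rate and precision from the counts."""
    def ratio(num: int, den: int) -> float:
        return num / den if den else 0.0
    return {
        "false_positive_rate": ratio(counts["fp"], counts["fp"] + counts["tn"]),
        "false_negative_rate": ratio(counts["fn"], counts["fn"] + counts["tp"]),
        "precision": ratio(counts["tp"], counts["tp"] + counts["fp"]),
    }


if __name__ == "__main__":
    for label, scanner in (("naive signature", naive_scan),
                           ("heuristic", heuristic_scan)):
        counts = evaluate(scanner, CORPUS)
        print(f"{label}: {counts} {rates(counts)}")
        print("  false positives:", false_positives(scanner, CORPUS))
        print("  false negatives:", false_negatives(scanner, CORPUS))
```

Running it shows the naive scanner flagging both `debugger.exe` and `notes.txt` (two false positives, a false positive rate of 2/3) while the heuristic flags neither; both scanners miss `packed.exe`, which is the "check not yet written" false negative from the text, and no amount of tuning the existing rule fixes that.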

Reference:


2.1.1 Control Type

Control Type

The very essence of computer security is the assessment and management of security risks in an organization. Evaluating these risks and taking the necessary actions to tackle them is what is meant by control.

A security risk could be anything from malicious code to social engineering. Risk management includes risk acceptance, avoidance, mitigation, deterrence, and transference. Control type is a risk mitigation strategy employed at various levels for effective risk management.

Control types are mitigation strategies followed in order to limit the impact of risks by protecting against vulnerabilities and preventing exploits, thereby reducing the likely impact of a security risk. This is achieved through a strategy called multi-layered defense, or "defense in depth".

Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. (Rouse)

This strategy was first developed by the military to defend strategic military assets with layers of defense that force the attacker to expend more energy, resources and supplies (Small, 2011). As a military strategy, the primary goal of each layer is to delay an attack, giving up space to gain time to mount effective countermeasures. This strategy has been adapted by the cyber world to protect the confidentiality, integrity and availability of data and information in a computer network.

In order to mitigate risks, three general types of controls are used: management controls, technical controls and operational controls.
  1. Management control: Management controls are security controls for an information system that focus on the management of risk and the management of information system security. They are concerned with administrative and management-level mitigation of security risks through methods such as effective security policies, business continuity management, regulatory compliance and vulnerability assessments. As an example, some companies follow a policy that prevents employees from bringing laptops, other gadgets and storage devices into the workplace. This reduces the risk of data theft by employees and the like. An example of this type of control policy is ISO/IEC 27001:2005. This Information Security Management Systems (ISMS) standard recommends a set of criteria and policies for an organization to defend itself from security threats.

  2. Technical control: Technical controls are security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. (NIST) They involve control measures such as access control, authentication methods, encryption services, and data classification services. They include the devices, processes, protocols, and measures used to protect the confidentiality, integrity and availability (CIA) of sensitive information (James E. Purcell, 2007).

  3. Operational control: Operational Controls section addresses security controls that focus on controls that are, broadly speaking, implemented and executed by people (as opposed to systems). (NIST)

     They include incident handling, contingency planning, computer support, physical and environmental security, and user awareness training. A critical part of this control type is physical security. Security measures such as CCTV, controlled access, safety gear, etc. come under this type.

Most controls apply across the boundaries between management, operational, and technical. Several security controls are employed to tackle different security-related issues. Understanding the purpose behind each of them helps a learner see why one method scores over another in a particular scenario. This knowledge is vital when formulating a strategy to mitigate threats and secure vulnerabilities.
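The following is an added example, not part of the original notes or of any NIST or ISO document. It models the "defense in depth" arrangement of technical controls described above: a request passes through a network control, an authentication control and an authorization control in turn, each deciding independently, so a request that gets past one layer is still stopped by the next. The subnet, user accounts, passwords, permissions and resource names are all constructed; the fixed salt is a simplification noted in the code.

```python
"""Added example (not from the original notes): a request evaluated against
three independent technical controls in sequence, to show the layered
('defense in depth') arrangement the notes describe. The network range,
user accounts, permissions and resource names are all constructed."""

import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: str
    password: str
    action: str     # e.g. "read" or "write"
    resource: str   # e.g. "reports"


# Layer 1, network control: only the constructed management subnet may reach the service.
ALLOWED_NETWORKS = [ip_network("10.0.0.0/24")]

# Layer 2, authentication: passwords stored as PBKDF2 hashes (constructed users).
# A real system uses a random per-user salt; a fixed one keeps the example short.
SALT = b"constructed-example-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


CREDENTIALS: Dict[str, bytes] = {
    "alice": hash_password("alice-pass"),
    "bob": hash_password("bob-pass"),
}

# Layer 3, authorization: least-privilege permissions per user (constructed).
PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"read:reports"},
    "bob": {"read:reports", "write:reports"},
}

# Each control returns None when it passes, or a reason string when it denies.
Control = Callable[[Request], Optional[str]]


def check_network(req: Request) -> Optional[str]:
    addr = ip_address(req.source_ip)
    if any(addr in net for net in ALLOWED_NETWORKS):
        return None
    return f"{req.source_ip} is outside the allowed networks"


def check_authentication(req: Request) -> Optional[str]:
    stored = CREDENTIALS.get(req.user)
    # Hash the supplied password even for unknown users so the response time
    # does not reveal which accounts exist; compare in constant time.
    supplied = hash_password(req.password)
    if stored is None or not hmac.compare_digest(stored, supplied):
        return "invalid credentials"
    return None


def check_authorization(req: Request) -> Optional[str]:
    needed = f"{req.action}:{req.resource}"
    if needed in PERMISSIONS.get(req.user, set()):
        return None
    return f"{req.user} lacks permission {needed}"


LAYERS: List[Tuple[str, Control]] = [
    ("network", check_network),
    ("authentication", check_authentication),
    ("authorization", check_authorization),
]


def enforce(req: Request, layers: List[Tuple[str, Control]] = LAYERS) -> Tuple[bool, str]:
    """Run the controls in order; the first one that denies stops the request.
    Because every layer decides on its own, removing or bypassing one layer
    (pass a shorter `layers` list) leaves the remaining ones in force."""
    for name, check in layers:
        reason = check(req)
        if reason is not None:
            return False, f"denied at {name}: {reason}"
    return True, "allowed"


if __name__ == "__main__":
    for r in (Request("10.0.0.5", "bob", "bob-pass", "write", "reports"),
              Request("203.0.113.9", "bob", "bob-pass", "write", "reports"),
              Request("10.0.0.5", "alice", "wrong", "read", "reports"),
              Request("10.0.0.5", "alice", "alice-pass", "write", "reports")):
        print(r.user, r.action, r.resource, "->", enforce(r))
    # Simulate the network layer being misconfigured away: the outside request
    # is still refused, now by the authentication layer.
    print(enforce(Request("203.0.113.9", "mallory", "guess", "write", "reports"), LAYERS[1:]))
```

The point to take from the run is the last line: dropping the network control (as a firewall misconfiguration would) does not open the service, because authentication and authorization each still reject the request on their own. That independence between layers is what makes the arrangement defense in depth rather than a single long check.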

Reference: