Information Security Essentials: Resilience, Cryptography, and Physical Safeguards
Business Resilience & Recovery Planning
Contingency Planning: The overall planning for unexpected adverse events.
Core Concepts in Contingency Planning
Business Impact Analysis (BIA)
Business Impact Analysis (BIA): An investigation and assessment of the impact that adverse events may have on an organization. It assumes the worst has already happened; its results inform Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) decisions.
Recovery Metrics
- Maximum Tolerable Downtime (MTD): The total amount of disruption time the organization is willing to accept; the maximum length of time a business function can be inoperable without harm to the business.
- Recovery Time Objective (RTO): The maximum acceptable system downtime; the length of time it will take to recover a system.
- Recovery Point Objective (RPO): The point in time before the disruption to which data can be restored; the maximum amount of data, expressed as a span of time, that the organization is willing to lose.
- Work Recovery Time (WRT): The time and effort necessary to resume business functions after disruption.
Incident, Disaster, and Business Continuity
Incident Response (IR)
Incident Response (IR): A reactive measure.
Incident: An adverse event against information assets with a realistic chance of success, posing a threat to the CIA (Confidentiality, Integrity, Availability) of information resources.
Disaster Recovery Plan (DR Plan)
Disaster Recovery Plan (DR Plan): A plan to reinstate operations.
An incident is considered a disaster when:
- The organization is unable to control the impact of an incident.
- The level of damage is so severe that quick recovery is impossible.
The key role of DR is to reestablish operations at the organization’s primary site. The DR team uses the DR plan to complete this action.
Business Continuity Plan (BC Plan)
Business Continuity Plan (BC Plan): In cases where the disaster also affects operations, the BC plan is activated and executed concurrently with the DR plan. The BC plan establishes critical functions at an alternate site, allowing the DR team to focus on reestablishment at the primary site.
Recovery Site Strategies
- Hot Sites: High cost ($$$). Active utilities and communication, equipment active, data ready. Time until operations are resumed: seconds to hours.
- Warm Sites: Moderate cost ($$). Utilities and equipment are ready, but no data. Time until operations are resumed: hours to days.
- Cold Sites: Low cost ($). No utilities, equipment, or data. Time until operations are resumed: days to weeks.
Data Backup and Restoration
Classic Backup and Recovery
Classic Backup and Recovery: Involves finding a new location, installing the server, connecting networks, installing the system, and so on, which takes significantly longer than resuming operations at a prepared recovery site.
Testing Contingency Plans
Testing Contingency Plans:
- Desk check
- Structured walk-through (an alternative form is the talk-through)
- Simulation
- Full interruption
Redundant Power Sources
Redundant Power Sources:
- Emergency Generator
- Uninterruptible Power Supply (UPS)
- Redundant routers in a network
- Redundant Array of Independent Disks (RAID)
Data Recovery Methods
Data Recovery Plans:
- Traditional data backups
- Electronic vaulting
- Remote journaling
- Database shadowing
Backup Rule and Types
3-2-1 Backup Rule: Three copies of important data on at least two different media, with at least one copy stored off-site (e.g., daily on-site backups, weekly off-site backups).
Incremental vs. Differential Backups:
- Incremental: Includes only data that has changed since the previous backup of any type (full or incremental).
- Differential: Contains all data that has changed since the last full backup.
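The two strategies differ in what each nightly backup captures and in how many backup sets a restore must replay. The following Python simulation is an added example, not part of the original notes; the file names, modification times and backup schedule are constructed for illustration. It plays one week of nightly backups after a Sunday full backup under each strategy and reports the restore chain needed to recover the state at a given point in time.

```python
from datetime import datetime

# Constructed sample data (not from the original page): the Sunday-night full
# backup and the last-modified time of each file on the protected server.
FULL_BACKUP_TIME = datetime(2024, 6, 2, 22, 0)
FILES = {
    "payroll.db":  datetime(2024, 6, 1, 9, 0),    # unchanged since the full backup
    "report.docx": datetime(2024, 6, 3, 14, 0),   # edited Monday
    "config.yml":  datetime(2024, 6, 4, 10, 30),  # edited Tuesday
    "notes.txt":   datetime(2024, 6, 5, 8, 15),   # edited Wednesday
}
# Nightly backup windows: Monday, Tuesday and Wednesday at 22:00.
NIGHTLY = [datetime(2024, 6, day, 22, 0) for day in (3, 4, 5)]


def changed_between(files, after, until):
    """Names of files modified after `after` and no later than `until`."""
    return {name for name, mtime in files.items() if after < mtime <= until}


def nightly_backup_sets(strategy, files=FILES, full_time=FULL_BACKUP_TIME, nightly=NIGHTLY):
    """Which files each nightly backup captures under the given strategy.

    incremental  -> changes since the previous backup of any type
    differential -> changes since the last full backup
    Returns a dict mapping backup time to the set of file names written.
    """
    if strategy not in ("incremental", "differential"):
        raise ValueError(f"unknown strategy: {strategy}")
    captured = {}
    previous = full_time
    for when in sorted(nightly):
        reference = previous if strategy == "incremental" else full_time
        captured[when] = changed_between(files, reference, when)
        previous = when
    return captured


def restore_chain(strategy, restore_point, full_time=FULL_BACKUP_TIME, nightly=NIGHTLY):
    """Backups that must be applied, in order, to recover the state at `restore_point`."""
    if strategy not in ("incremental", "differential"):
        raise ValueError(f"unknown strategy: {strategy}")
    applicable = [t for t in sorted(nightly) if t <= restore_point]
    if not applicable:
        return [full_time]
    if strategy == "incremental":
        return [full_time] + applicable      # full plus every incremental since it
    return [full_time, applicable[-1]]       # full plus only the newest differential


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(f"== {strategy} ==")
        for when, names in nightly_backup_sets(strategy).items():
            print(f"  {when:%a %H:%M}: {sorted(names)}")
        chain = restore_chain(strategy, datetime(2024, 6, 6, 9, 0))
        print("  restore needs:", [f"{t:%a}" for t in chain])
```

Running it shows the trade-off directly: incremental backups stay small (one changed file per night here) but a Thursday restore must replay the full backup plus all three incrementals, and losing any one of them breaks the chain; differential backups grow each night but a restore needs only the full backup and the latest differential.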
Digital Forensics Fundamentals
Digital Forensics: A method used by investigators to examine the results of an incident to determine what happened and how it occurred. It is used to investigate allegations of digital malfeasance and perform root cause analysis.
Key Forensic Terms
- Digital Malfeasance: A crime involving digital media.
- Evidentiary Material: Any information that could potentially support an organization’s legal case.
- Affidavit: Sworn testimony where an investigating agent requests permission to search and take evidentiary material (EM).
Cryptography and Secure Communications
Cryptographic Foundations
Cryptography: The process of making and using codes to secure information.
Hash Algorithms
Hash Algorithms: Hashing creates a unique digital fingerprint of its input; no key is needed. A hash value is fixed in length, effectively unique to its input, and cannot be reversed to recover the original. Hashes are used to store passwords securely, verify message integrity, and confirm identity.
Hash Function: A mathematical algorithm that generates a digest used to confirm a message’s identity and integrity.
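The properties just listed (no key, fixed output length, any change to the input changes the digest) can be checked with the standard library. The Python below is an added example, not code from the original notes; the message it hashes is constructed. It publishes a digest, verifies an unmodified copy, detects a tampered copy, and measures how many digest bits a small edit flips.

```python
import hashlib
import hmac

# Constructed sample message (not from the original page).
MESSAGE = b"Transfer 100.00 to account 4471"


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data`: no key involved, the same input always gives the same output."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(data: bytes, expected_digest: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest of the received data and compare it with the published one.

    hmac.compare_digest compares in constant time, so the comparison itself does not
    leak how many leading characters of the expected digest matched.
    """
    return hmac.compare_digest(fingerprint(data, algorithm), expected_digest)


def digest_bits(algorithm: str) -> int:
    """Output length in bits: fixed for an algorithm regardless of input size."""
    return hashlib.new(algorithm, b"").digest_size * 8


def differing_bits(a: bytes, b: bytes, algorithm: str = "sha256") -> int:
    """Number of bits that differ between the digests of two inputs (the avalanche effect)."""
    x = int.from_bytes(hashlib.new(algorithm, a).digest(), "big")
    y = int.from_bytes(hashlib.new(algorithm, b).digest(), "big")
    return bin(x ^ y).count("1")


if __name__ == "__main__":
    published = fingerprint(MESSAGE)
    print("digest:", published)
    print("unmodified copy verifies:", verify_integrity(MESSAGE, published))
    tampered = MESSAGE.replace(b"100.00", b"900.00")
    print("tampered copy verifies:  ", verify_integrity(tampered, published))
    print("bits changed by the edit:", differing_bits(MESSAGE, tampered), "of", digest_bits("sha256"))
    for alg in ("sha1", "sha256", "sha512"):
        print(f"{alg}: {digest_bits(alg)}-bit digest, whether the input is 1 byte or 1 GiB")
```

A plain digest proves integrity only when the published digest itself is obtained over a trusted channel; if an attacker can replace both the data and its digest, a keyed construction (an HMAC) or a digital signature is needed instead.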
Encryption and Decryption
Encryption: The process of changing original text into a secret message using a cryptographic key.
- Symmetric Encryption: Fast, using one key shared for both encryption and decryption (e.g., AES – Advanced Encryption Standard).
- Asymmetric Encryption: Uses two keys: one to encrypt and the other to decrypt. A public key can be shared freely, but the private key must never be shared. This method is slower than symmetric encryption. The RSA algorithm was the first public-key encryption algorithm released for public use.
- Support Confidentiality: Plaintext is encrypted with the public key and decrypted with the private key.
- Support Authentication: Plaintext is encrypted with the private key; because the sender is the only one with the private key, anyone who decrypts it with the matching public key knows who sent it.
Decryption: The process of using the key to change the secret message back to its original form.
Plaintext: Unencrypted data that is to be encrypted, or the output of decryption.
Ciphertext: The scrambled and unreadable output of encryption.
Public-Key Infrastructure (PKI)
Public-Key Infrastructure (PKI): Integrates a system of software, encryption methodologies, protocols, and legal agreements. Based on public-key cryptosystems, it protects the transmission and reception of information. Protections enabled include: Confidentiality, Integrity, Authentication, Non-repudiation, and Obfuscation.
Digital Identity and Non-Repudiation
Digital Signatures
Digital Signatures: Created in response to the rising need to verify transferred information, digital signatures use asymmetric encryption processes to support non-repudiation. The Digital Signature Standard (DSS) is the NIST standard for digital signature algorithm usage by federal information systems.
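The two uses of an asymmetric key pair listed under Encryption (public key for confidentiality, private key for authentication) and the signature mechanism described here can be shown with textbook RSA. The Python below is an added example, not code from the original notes or from any standard; it uses tiny constructed primes so that every number is visible, and such a key is far too small for real use. Encryption with the public key is reversed only by the private key; signing reduces a SHA-256 digest of the message into the RSA group and applies the private key, and anyone holding the public key can verify it.

```python
import hashlib

# Toy textbook RSA built from tiny constructed primes so every step is visible.
# The key size is far too small for real use; this only illustrates the mechanism.
P, Q = 61, 53
N = P * Q                   # 3233: the modulus, part of both keys
PHI = (P - 1) * (Q - 1)     # 3120
E = 17                      # public exponent (coprime with PHI)
D = pow(E, -1, PHI)         # private exponent: E * D == 1 (mod PHI), here 2753

PUBLIC_KEY = (E, N)         # may be shared freely
PRIVATE_KEY = (D, N)        # must never be shared


def encrypt(block: int, public_key) -> int:
    """Confidentiality: anyone holding the public key can encrypt."""
    e, n = public_key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, e, n)


def decrypt(block: int, private_key) -> int:
    """Only the private-key holder can reverse the encryption."""
    d, n = private_key
    return pow(block, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    """Reduce a SHA-256 digest into the RSA group so it can be signed as one block."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Authentication: the digest is transformed with the private key, which only the signer holds."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone with the public key can check that the signature matches the message digest."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    secret = 65                                  # a plaintext block (constructed)
    c = encrypt(secret, PUBLIC_KEY)
    print(f"encrypt({secret}) -> {c}; decrypt -> {decrypt(c, PRIVATE_KEY)}")
    msg = b"approve payment 4471"               # constructed message
    sig = sign(msg, PRIVATE_KEY)
    print("signature verifies:", verify(msg, sig, PUBLIC_KEY))
    print("altered signature verifies:", verify(msg, (sig + 1) % N, PUBLIC_KEY))
    print("altered message verifies:", verify(msg + b"!", sig, PUBLIC_KEY))
```

With a 3233-element group the reduced digests of two different messages collide with probability about 1 in 3233, which is why real signature schemes use moduli of thousands of bits and a padding scheme rather than a bare digest; the structure of the exchange, private key to sign and public key to verify, is the same.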
Digital Certificates
Digital Certificates: An electronic document issued by a Certificate Authority (CA) that contains an entity’s public key and certifies the identity of the owner of that particular public key.
Data Hiding and Secure Protocols
Steganography
Steganography: The process of hiding messages within digital encoding so they are undetectable.
Secure Communication Protocols
Secure Communication Protocols:
- SSL (Secure Sockets Layer): Enables secure network communications.
- HTTPS (Hypertext Transfer Protocol Secure): Enables secure browser communications.
- S/MIME (Secure/Multipurpose Internet Mail Extensions) / PEM (Privacy-Enhanced Mail): Enable secure transmission of email.
- Pretty Good Privacy (PGP): Enables secure transmission of email and TCP/IP communications.
- Secure Electronic Transactions (SET): Enables secure web transactions.
- WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access): Enable secure network communications over wireless connections. WPA overcomes all WEP shortcomings.
- IPsec (Internet Protocol Security): Secures communications across IP-based networks (LANs, WANs, and the Internet).
Security Assessments & Physical Safeguards
Vulnerability Assessment and Remediation
Vulnerability Assessment and Remediation: The identification and remediation of vulnerabilities without disrupting normal business operations.
Vulnerability Assessment Processes
Five Vulnerability Assessment Processes:
- Internet VA: Identifies vulnerabilities present in an organization’s public network.
- Intranet VA: Identifies vulnerabilities likely to be present on the internal network.
- Platform Security Validation (PSV): Identifies vulnerabilities that may be present due to misconfigured systems within the organization.
- Wireless VA: Identifies vulnerabilities that may be present in wireless local area networks within the organization.
- Penetration Testing: Performed by an outside entity to simulate a real attack.
Penetration Testing Methodologies
Penetration Testing (Pen Testing):
Pen Testing Targets
- Web applications
- Network services
- Wireless security
- Humans (Social Engineering)
Engagement Types
- Passive: Observe and document (e.g., Protocol analyzer).
- Active: Interact and document (e.g., Network scanner, Web app scanner, Honeypots, Social Engineering).
Knowledge Levels
- Overt: Performed with the permission of management and the full knowledge and awareness of IT and security personnel.
- Covert: Done with permission but without the knowledge and awareness of IT and security personnel.
- White Box: An overt test, faster, more focused on a specific aspect.
- Grey Box: A mix of white and black box approaches.
- Black Box: A covert test, most realistic.
Pen Test Steps
Steps of a Pen Test: Reconnaissance > Exploitation > Reporting and Documentation.
Essential Physical Security Controls
Physical Security: Equally as important as cybersecurity.
Secure Facility Design
Secure Facility: A physical location engineered with controls, where security is enhanced by its location, and control choices depend on the organization’s needs.
Perimeter and Access Controls
Physical Security Controls:
- Perimeter Control: Walls, Fencing, Gates.
- Guards: Possess human judgment and reasoning.
- Dogs: Possess keen sense of smell and hearing.
Locks and Keys
Locks & Keys:
- Locking Mechanisms: Mechanical, Electromechanical.
- Lock Categories: Manual, Programmable, Electronic, Biometric.
- Fail-Safe Lock: Unlocked position at failure.
- Fail-Secure Lock: Locked position at failure.
Electronic Monitoring
Electronic Monitoring: Cameras with video recorders, including Closed-Circuit Television (CCTV) systems.
Power Management and Environmental Controls
Power Quality Issues
- Noise: Electrical interference that can result in inaccurate time clocks or unreliable logic blocks inside the CPU.
Grounding and Protection
- Grounding: Protects against equipment damage and human injury.
- Ground Fault Circuit Interruption (GFCI) equipment: Provides added protection in areas where water accumulates.
Power Sources
- Power Sources: Uninterruptible Power Supply (UPS) for temporary coverage; gas-powered generators for more permanent solutions.
Physical Access Control Measures
- Tailgating: Gaining unauthorized entry by closely following another person.
- Mantraps: A small room with separate entry and exit points designed to restrain a person who fails an access authorization attempt.