Tuesday, January 10, 2017

CyberSecurity: Regulatory Compliance, Law and Ethics

Most security organizations within larger organizations are asked to perform or lead the effort to meet external compliance requirements. These efforts take place within the larger framework of professional ethics and with an understanding of the legal requirements within which the organization operates.

Those employed in the area of cybersecurity are expected to conform to a higher level of ethical and legal performance than other professional fields. Cybersecurity professionals are trusted with the secrets of the organization, specifically information that the organization uses to do its work. This requires a level of trust that far exceeds that of an average employee. As a cybersecurity professional, if the organization can't trust you, then who can they trust? This requires a firm understanding of the ethical, legal, and regulatory environment.



Ethics, Laws and Regulations
Ethics are the generally accepted behaviors of a society. Laws are those ethics that have been formalized so that the state may act on behalf of the people in enforcing desired behavior. Regulations, from our perspective, are those practices that are enforced by agencies of government or other entities that have the ability to force compliance.
There are several key laws that directly affect cybersecurity. The following is a brief overview of the most critical.
  • The Computer Fraud and Abuse (CFA) Act of 1986 is one of the first federal computer laws, and established definitions and penalties for the misuse of computers. 
  • The Computer Security Act (CSA) of 1987 protects federal computer systems by establishing minimum acceptable security practices for federal agencies. 
  • The Federal Privacy Act (FPA) of 1974 protects personal information, and restricts its use by the federal government. 
  • The Electronic Communications Privacy Act (ECPA) prohibits the interception and recording of communications except in certain circumstances. 
  • The Health Insurance Portability & Accountability Act of 1996, also known as HIPAA, requires that personal medical information be protected and not disclosed without that person's explicit permission. 
  • HITECH, the Health Information Technology for Economic and Clinical Health Act, increased the scope of HIPAA to include all businesses related to the process of health care.
  • The Financial Services Modernization Act of 1999, also known as Gramm-Leach-Bliley or GLB, established clear requirements for the financial industry to protect your information and privacy. 
  • US Copyright Law protects intellectual property, restricting use by others to approved use and fair use as specifically defined. 
  • Sarbanes-Oxley (SOX) Act of 2002 requires executives of financial services companies to assume direct and personal accountability for the completeness and accuracy of financial reporting and record keeping. 
  • The Digital Millennium Copyright Act, also known as DMCA, is a US law passed in response to European Union laws restricting the use of intellectual property and combating copyright infringement. 
  • The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations that accept payment cards or process the data used in payment card transactions. It specifies the practices required of those firms to secure the data from those transactions. 
Deterring unethical behavior uses three tools to protect information: policy, education and training, and technology. Three categories of unethical behavior are usually targeted:
  • ignorance, 
  • accident, and 
  • intent. 
Studies have also found that we can deter undesirable behavior through the use of policies and laws but only if three conditions are present.
  • One, policy violators must fear the penalty. 
  • Two, they must expect that they have a higher probability of being caught. 
  • And three, they must expect there's a high probability that the penalty will be applied. 

Monday, January 9, 2017

CyberSecurity: Risk Management



  1. The identification and assessment of levels of risk in an organization describes: Risk analysis.
  2. Two of the activities involved in risk management include identifying risks and assessing risks. Creating an inventory of information assets is part of the risk assessment process.
  3. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of risk assessment estimate factors.
  4. Mitigation describes an organization's efforts to reduce damage caused by a realized incident or disaster through planning and preparation.
  5. Risk appetite can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.


Cryptography: Problems and Solutions

1. You have found an old ciphertext, where you know that the plaintext discusses cryptographic methods. You suspect that a Vigenere cipher has been used and therefore look for repeated strings in the ciphertext.

You find that the string TICRMQUIRTJR occurs twice in the ciphertext. The first occurrence starts at character position 10 in the text and the second at character position 241 (we start counting from 1).

You make the inspired guess that this ciphertext sequence is the encryption of the plaintext word cryptography. If this guess is correct, what is the key?

Hint: Analyze the possible periods.

Solution:
To estimate the period we use the Kasiski test. The distance between the two occurrences given is
241 − 10 = 231 = 3 · 7 · 11
positions.

Possible periods are thus 3, 7 and 11. If the guess is correct, we can immediately find the corresponding shifts (key letter = ciphertext letter − plaintext letter, mod 26): at position 10 the shift is
T − c = 19 − 2 = 17 = r

Similar computations for the other eleven positions give the shift keys
rrectcorrect

We now see that this sequence is not periodic with period 3 or 11, while period 7 is possible (each letter equals the letter seven positions later). The keyword of length 7 starts at position 15 (15 ≡ 1 mod 7); hence the keyword is
correct.
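The Kasiski test and crib alignment above, worked in code as an added example (my code, not part of the original problem set). It generalizes slightly: it tests every divisor of the repeat distance that the crib is long enough to check, rebuilds the keyword from the aligned shifts, and confirms that the recovered keyword decrypts the crib.

```python
from string import ascii_lowercase as ALPHA


def shifts_from_crib(cipher_segment, plain_guess):
    """Key letters implied by aligning a crib with ciphertext: (c - p) mod 26."""
    if len(cipher_segment) != len(plain_guess):
        raise ValueError("crib and ciphertext segment must have equal length")
    return "".join(
        ALPHA[(ALPHA.index(c.lower()) - ALPHA.index(p.lower())) % 26]
        for c, p in zip(cipher_segment, plain_guess)
    )


def candidate_periods(distance, crib_len):
    """Kasiski: divisors of the repeat distance short enough to test with the crib."""
    return [d for d in range(2, crib_len) if distance % d == 0]


def consistent_periods(shifts, periods):
    """Keep each period p for which every shift equals the shift p positions later."""
    return [p for p in periods
            if all(shifts[i] == shifts[i + p] for i in range(len(shifts) - p))]


def recover_keyword(shifts, start_pos, period):
    """Place shifts into keyword slots; 1-based text position n uses slot (n-1) % period."""
    slots = [None] * period
    for i, s in enumerate(shifts):
        slot = (start_pos - 1 + i) % period
        if slots[slot] not in (None, s):
            raise ValueError("shifts are not periodic with this period")
        slots[slot] = s
    if None in slots:
        raise ValueError("crib too short to fill every keyword slot")
    return "".join(slots)


def vigenere_decrypt(cipher_segment, keyword, start_pos):
    """Decrypt a segment that begins at 1-based position start_pos of the full text."""
    out = []
    for i, c in enumerate(cipher_segment):
        k = ALPHA.index(keyword[(start_pos - 1 + i) % len(keyword)])
        out.append(ALPHA[(ALPHA.index(c.lower()) - k) % 26])
    return "".join(out)


def solve(cipher_segment, plain_guess, first_pos, second_pos):
    """Returns (shifts, candidate periods, surviving periods, keyword per survivor)."""
    shifts = shifts_from_crib(cipher_segment, plain_guess)
    periods = candidate_periods(second_pos - first_pos, len(shifts))
    survivors = consistent_periods(shifts, periods)
    keywords = {p: recover_keyword(shifts, first_pos, p) for p in survivors}
    return shifts, periods, survivors, keywords


if __name__ == "__main__":
    print(solve("TICRMQUIRTJR", "cryptography", 10, 241))
```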

CyberSecurity: Risk Management Quiz



1. The identification and assessment of levels of risk in an organization describes which of the following?
  • Risk identification
  • Risk management
  • Risk reduction
  • Risk analysis

2. Two of the activities involved in risk management include identifying risks and assessing risks. Which of the following activities is part of the risk assessment process?
  • Assigning a value to each information asset
  • Creating an inventory of information assets
  • Classifying and organizing information assets into meaningful groups
  • Calculating the severity of risks to which assets are exposed in their current setting


3. The likelihood of the occurrence of a vulnerability multiplied by the value of the information asset minus the percentage of risk mitigated by current controls plus the uncertainty of current knowledge of the vulnerability are each examples of _____.
  • Risk assessment estimate factors
  • Vulnerability mitigation controls
  • Attack analysis calculation
  • Exploit likelihood equation


4. Which of the following describes an organization’s efforts to reduce damage caused by a realized incident or disaster through planning and preparation?
  • Mitigation
  • Transference
  • Avoidance
  • Acceptance
5. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
  • Risk appetite
  • Risk termination
  • Residual risk
  • Risk assurance

CyberSecurity: Risk Management Practice Quiz

1. Having an established risk management program means that an organization's assets are completely protected.

  • True
  • False

2. The InfoSec community often takes on the leadership role in addressing risk.

  • True
  • False

3. Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair.

  • True
  • False

4. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization is known as exploit assessment.

  • True
  • False

5. A prioritized list of assets and threats can be combined with exploit information into a specialized report known as a TVA worksheet.

  • True
  • False


Answers:
1. False
Reason: Risk management programs do not assure complete protection; rather, they demonstrate a diligent effort to assure protection.
2. True
Reason: Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk.
3. True
Reason: Since assets operate in a common defended environment, threats that can attack one asset can often attack other assets as well. Likewise, many threats are capable of multiple modes of operation, allowing them to bypass many common defenses.
4. False
Reason: Vulnerability assessment is the process of finding weaknesses. Exploits are a means of using the weakness to cause the loss.
5. False
Reason: Vulnerabilities are the weaknesses, exploits are the means by which vulnerabilities are used against the defender.

CyberSecurity: Risk Management - The Risk Assessment Process

In order to begin the risk assessment phase, the organization takes the list of information assets it has identified, prioritizes those assets and the threats facing them, and compares each information asset against each threat. The resulting list of vulnerabilities is the set of risks that remain for the organization. This list should be created for each information asset to document its vulnerability to each possible or likely attack. The best way found to do this documentation is the threat-vulnerability-asset, or TVA, table.



As shown, the table lists assets along the x-axis from most to least valuable and threats along the y-axis from most to least dangerous. At the intersection of each asset and threat pair, list the vulnerabilities that the threat might use to cause a loss to the asset. Next, we move on to assessing the risk that exists in each cell of the TVA table. Risk is commonly calculated as the likelihood that a threat to an asset will result in an adverse impact, multiplied by the consequences or impact of that attack.



That value is then increased by an estimate of how reliable our values of both likelihood and impact are, known as a confidence interval. Many approaches to assessing likelihood exist. One example of some likelihood ratings on a scale of 0 to 5 is shown here. Likewise, there are many ways to assess impact. Here is an example of some impact ratings on a scale of zero to five.


Before the organization can proceed with the final phase of risk management activities, which is risk control, it needs to understand how much risk is acceptable to management. Some organizations, such as banking and other financial services firms, have a very low tolerance for risk. Other types of organization may tolerate more risk. The amount of risk that remains after all current controls are implemented is known as residual risk. An organization may reach a point in the risk management process where it finds that the documented residual risk is low enough to accept, being within the bounds of its risk appetite. It would then end the current risk management cycle and document everything for the next cycle.



Once the organization has assessed the current level of risk facing its information assets and defined its risk appetite, it can move to the final phase of risk management, called risk control. In the risk control phase, organizations employ one or more of the five strategies of risk control.
  1. Defense: applying safeguards that eliminate or reduce the remaining uncontrolled risk. 
  2. Transference: shifting risk to other areas or outside entities. 
  3. Mitigation: reducing the impact to information assets should an attacker successfully exploit a vulnerability. 
  4. Acceptance: understanding the consequences of choosing to leave a risk uncontrolled and then formally accepting the risk that remains without an attempt at control. 
  5. Termination: removing or discontinuing the information asset from the organization's operating environment altogether. 



Risk management is an essential process for every organization. There are many formalized models for risk management in the marketplace, and many organizations are using consulting resources to assist them in finding the optimum means to reduce operational risk.

CyberSecurity: Risk Management - The Risk Identification Process

At its heart, information security is all about managing risk.

What is risk? 
Risk is the probability of a loss. It's the chance of something adverse happening to our interests.

What is risk management?
Risk management is understanding how bad the loss from an adverse event can be, and how we can get the risk down to a level we can absorb. A loss is an event that can negatively affect our information assets, such as
  • unauthorized or unwanted access,
  • destruction,
  • modification,
  • theft, or
  • denial of access.

Risk management involves a preparation and planning phase followed by a risk identification phase, a risk assessment phase, a risk appetite determination phase, and then a risk control phase.

  • Risk identification is where we seek to determine whether risk exists from known vulnerabilities, as well as from threats we can identify that may attempt to exploit those vulnerabilities or find new ways to cause us loss. 
  • Risk assessment is the determination of the extent to which our assets are at risk. 
  • In determining our risk appetite, we determine and document how much risk we can tolerate. 
  • Risk control is where we plan additional appropriate controls to reduce excessive risk to the defined acceptable level. 
Risk management also means that we continue to monitor our risk environment until we need to begin the process again.


Risk identification is the first phase of the process, and the first step in risk identification involves identifying, classifying, and prioritizing our assets. Information assets are found across the organization, not just in databases or on servers. Information exists in filing cabinets, on personal computers, and in numerous other locations. Once identified, assets must be evaluated and placed in classes or categories to determine who can access them. Many approaches to classifying data exist. One common approach assigns each asset to one of public, official use only, or confidential. After classification, each asset must be assessed for the value it has to the organization. Using this information, we will be able to determine each asset's needed level of protection.

When assessing the value of an information asset, there are a number of questions we could use.
Like: Which information asset...
  • is the most critical to the success of the organization?
  • generates the most revenue?
  • generates the highest profitability?
  • is the most expensive to replace?
  • is the most expensive to protect?
  • whose loss or compromise would be the most embarrassing or cause the greatest liability? 
Placing an exact dollar value on most assets is very difficult. However, we can place relative values to help us prioritize them. One method uses a weighted factor table to assess and compare the worth of our assets.



This is done by first listing the criteria we care about and then rating each asset against those criteria. This allows the creation of a weighted score, which helps us to compare the value of dissimilar assets within our organization. The second step in risk identification is to identify and prioritize the threats to our information assets. We can identify threats by looking for studies and surveys published in trade and academic journals. A study published in Communications of the ACM identified 12 categories of threats to information security.



Other such lists have been published as well. Just as we assessed our assets, we must assess the threats facing them. The questions shown here could be used as criteria in a weighted table to prioritize threats.


Threat assessment questions: Which threat...
  • presents a danger to this organization's information assets in its current environment?
  • represents the gravest danger to the organization's information assets?
  • has the highest probability of success?
  • could result in the greatest loss if successful?
  • is the organization least prepared to handle?
  • costs the most to protect against?
  • costs the most to recover from?
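The weighted factor table for assets, the prioritization of threats by the questions above, and the TVA worksheet and risk rating described in the risk assessment post, combined in one added Python example (my code, not the course's). The asset and threat ratings are constructed sample data, and treating the "percentage mitigated" and "uncertainty" factors as percentages of the likelihood × value product is an assumption about how the page's factors combine.

```python
# Constructed sample ratings (0-5 scale) and criterion weights; not from the page.
ASSET_CRITERIA = {"critical_to_mission": 0.4, "revenue": 0.3, "replacement_cost": 0.3}
THREAT_CRITERIA = {"probability_of_success": 0.5, "loss_if_successful": 0.5}

ASSETS = {
    "customer_db": {"critical_to_mission": 5, "revenue": 5, "replacement_cost": 4},
    "web_server": {"critical_to_mission": 4, "revenue": 4, "replacement_cost": 2},
    "hr_file_cabinet": {"critical_to_mission": 2, "revenue": 0, "replacement_cost": 1},
}
THREATS = {
    "software_attack": {"probability_of_success": 4, "loss_if_successful": 5},
    "hardware_failure": {"probability_of_success": 3, "loss_if_successful": 3},
}
# Vulnerabilities recorded at each (asset, threat) intersection of the worksheet.
VULNS = {
    ("customer_db", "software_attack"): ["unpatched database engine", "shared admin account"],
    ("web_server", "software_attack"): ["outdated TLS library"],
    ("web_server", "hardware_failure"): ["single disk, no redundancy"],
}


def weighted_score(ratings, criteria):
    """Weighted factor score: each 0-5 rating times its criterion weight, summed."""
    missing = set(criteria) - set(ratings)
    if missing:
        raise ValueError(f"unrated criteria: {sorted(missing)}")
    return sum(ratings[name] * weight for name, weight in criteria.items())


def rank(items, criteria):
    """Names ordered from highest to lowest weighted score."""
    return sorted(items, key=lambda name: weighted_score(items[name], criteria), reverse=True)


def tva_worksheet(assets, threats, vulns):
    """Threats (most dangerous first) as rows, assets (most valuable first) as columns;
    each cell lists the vulnerabilities that threat could use against that asset."""
    columns = rank(assets, ASSET_CRITERIA)
    rows = rank(threats, THREAT_CRITERIA)
    return {t: {a: vulns.get((a, t), []) for a in columns} for t in rows}


def risk_rating(likelihood, asset_value, mitigated, uncertainty):
    """Risk = likelihood x value, minus the share mitigated by current controls,
    plus an allowance for uncertainty (both applied to the product; an assumption)."""
    for fraction in (likelihood, mitigated, uncertainty):
        if not 0.0 <= fraction <= 1.0:
            raise ValueError("likelihood, mitigated and uncertainty must lie in [0, 1]")
    base = likelihood * asset_value
    return base - base * mitigated + base * uncertainty


if __name__ == "__main__":
    for threat, row in tva_worksheet(ASSETS, THREATS, VULNS).items():
        print(threat, row)
    print(risk_rating(1.0, 50, 0.0, 0.1))
```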
Summary:
There are four ways of managing risk:
  1. avoiding the risk – avoidance would mean stopping the activity that is causing the risk. For example, deleting all banking information and unsubscribing from internet banking would avoid the risks associated with the information assets related to banking.
  2. modifying the risk (likelihood and/or impact) – this involves choosing and implementing a security mechanism that reduces the likelihood of a successful attack, or the impact that would result from such an attack. For example, installing an up to date antivirus application can prevent the attacker from using malware to gain access to the computer holding the internet banking information.
  3. transferring the risk to others – typically involves taking out insurance to cover any losses in the event the threat materialises.
  4. accepting the risk – would mean choosing not to implement any of these countermeasures, choosing instead to monitor the information asset for any attacks.