As a CISSP you need to know the following security capabilities of information systems:

  • Compliance
  • Security and risk management (business continuity, compliance, law, regulations, risks, and security) and principles of security governance
  • Concepts of integrity, confidentiality, and availability
  • Regulatory and legal issues and professional ethics
  • Guidelines for standards, security policies, and procedures
  • Memory protection

Compliance

Compliance in information security is the demonstration of, and the reporting function on, whether the security program an organization runs meets the standards prescribed by laws, regulations, and industry frameworks such as the Sarbanes-Oxley Act, HIPAA, or PCI.

As governing bodies impose more rules and regulations to keep pace with the rise in cybersecurity threats, regulatory compliance is becoming increasingly prominent across organizations of every kind. Organizations have responded by creating posts such as regulatory, chief, or corporate compliance officer and by hiring staff whose sole focus is making sure that the organization meets the complex and stringent legal mandates around information security.

The Difference Between Security and Compliance

Confusing compliance with security is one of the most common misconceptions: people often treat the two as identical, but they are very different. Security is the set of measures taken to protect an organization's sensitive information; compliance is the reporting function that shows whether those security measures meet the standard laid out by the governing bodies (Sarbanes-Oxley Act, HIPAA, or PCI).

Security Risk Management and Information Security Governance

Information security governance is the means of controlling, managing, influencing and directing the decisions of an organization regarding information security. The objective of an organization’s information security governance is to build a management framework that will help initiate as well as control proper implementation and functioning of the information security policies within an organization.

It decides who is accountable for security management in the organization, the extent of their authority, and when or how to engage the expertise of a third party. Information security cannot be treated as an isolated discipline and calls for designing and maintaining a protected setting to support the security of the sensitive data of an organization. It requires organization-wide commitment, decision-making, and input. Effective information security is only possible with the cooperation, active involvement, and collaboration of all the decision-makers, stakeholders, and the entire community of users. Organizations have to give information security the same level of respect as the other fundamental areas of business receive.

Risk management, on the other hand, is the identification, assessment, and prioritization of the associated information security risks, followed by the economical and coordinated application of available resources to deal with them (i.e., to monitor, minimize, and control the likelihood or impact of a security breach).

The two main aspects of information security management are risk assessment and risk management, both generally accepted as parts of the overall risk management procedure. Risk management is a recurring process covering the planning, implementation, monitoring, control, and analysis of the measures taken, and the ongoing enforcement of the security policies. Risk assessment, by contrast, gives a point-in-time view of the risks and defines the parameters of the whole risk management process. Typically, a risk assessment is carried out at a fixed interval, such as once a year, or on demand.

Confidentiality, Integrity, and Availability

These three attributes (confidentiality, integrity, and availability) are well known as the CIA triad, the three most critical components of information security. This widely accepted model is intended to guide information security policies within an organization. To avoid confusion with the Central Intelligence Agency, it is also called the AIC triad (availability, integrity, and confidentiality).

Here confidentiality is the set of rules that limits unauthorized access to information, integrity is the assurance that the available information is accurate and trustworthy, and availability is the guarantee that authorized persons have consistent access to the information.

Law and Ethics in Information Security

Information security professionals are expected to have a detailed understanding of, and respect for, the ethical considerations and the laws and regulations that govern the use of sensitive information, whether personal or organizational. Laws are mandates or rules that forbid certain behavior and carry the authority of a governing body; ethics are driven by cultural morals, and laws are in turn derived from the ethics that define communally acceptable behavior. The major difference between the two is therefore enforcement: laws have the governing body's authority behind them, while ethics do not. Either way, protecting sensitive personal and organizational information from unauthorized access is both the ethical and the lawful duty of an information security professional.

Data Security

Data security is an important part of the modern world, where most sensitive information is kept in electronic form. The core of data security is that data, both at rest and in transit, are protected and that data leak protection is implemented. It also involves further operational, administrative, and architectural controls. All of these measures should be reflected explicitly in the design and coding of software features.

The Cyber Security Framework Includes:

  • Cryptographic protection
  • Denial of service protection
  • Information on shared resources
  • Protection of information at rest
  • Transmission confidentiality and integrity
  • Transmission of security attributes

The above controls have to be implemented by different means, such as labels applied to information during processing, a software security architecture, appropriate use of cryptography, and careful error handling.

Data at Rest

Data at rest, in general, refers to data held in persistent storage, such as information stored on tape or disk. Data in use, by contrast, refers to information being processed by the CPU or held in RAM, i.e., the central processing unit and the random access memory of a computer.

Data in Transit

Data in transit can be divided into two distinct categories: data flowing over an untrusted or public network, and data flowing through a private network (an enterprise or corporate local area network, or LAN). Data in transit are also often referred to as data in motion.

Memory Protection

Memory protection is essential to prevent malware or a bug within one process from affecting other processes, or even the operating system itself. An attempt to access unauthorized or un-owned memory results in a hardware fault, such as a storage violation exception or a segmentation fault, which usually causes the offending process to terminate abnormally.

Memory protection for the purpose of computer security relies on several additional techniques, including executable space protection and address space layout randomization (ASLR).

Memory protection can be done by:

Segmentation: Segmentation is the process of dividing the memory of a computer into several segments. A memory location is then referenced by a pair of values: one that identifies the segment and one that gives an offset within that segment.

Using paged virtual memory: Paging divides the memory address space into equal-sized blocks known as pages. Using the virtual memory hardware, each page can be placed at any location in the computer's physical memory, or it can be flagged as protected. Virtual memory thus provides a linear virtual address space that can be used to access blocks which are scattered across the physical address space. Most computer architectures that support paging also use pages as the foundation of memory protection.

Protection keys: A memory protection key (MPK) mechanism divides physical memory into blocks of a particular size (as small as 4 KiB). Each block has an associated numerical value known as a protection key, and every process also carries an associated protection key. When memory is accessed, the hardware checks whether the protection key of the current process matches the value associated with the memory block being accessed. If the keys do not match, an exception is raised.
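The paging and protection-key checks described above, as an added software model that is not part of the original article or any real hardware: a constructed page table maps consecutive virtual pages to scattered physical frames, each page-table entry carries read/write/execute rights and a protection key, and translate() applies the presence, rights, and key checks in that order. Page size, table contents, key values, and all names here are assumptions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example: a software model of paged virtual memory with per-page
 * access rights and a memory protection key (MPK) check. The page size,
 * table and keys are constructed for illustration, not a real encoding. */
#define PAGE_SHIFT 12                    /* 4 KiB pages */
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NUM_PAGES  8                     /* a tiny virtual address space */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
typedef enum { ACC_OK, ACC_NOT_PRESENT, ACC_PERM_FAULT, ACC_KEY_FAULT } access_t;

typedef struct {
    bool     present;   /* mapped to a physical frame? */
    uint32_t frame;     /* physical frame number; frames need not be contiguous */
    uint8_t  perms;     /* any of PERM_R | PERM_W | PERM_X */
    uint8_t  key;       /* protection key tagging this page */
} pte_t;

/* Translate vaddr for a process holding proc_key that wants access 'want'.
 * Mirrors the hardware order: presence, then page rights, then key match. */
access_t translate(const pte_t table[NUM_PAGES], uint32_t vaddr, uint8_t want,
                   uint8_t proc_key, uint32_t *paddr)
{
    uint32_t vpn = vaddr >> PAGE_SHIFT;          /* virtual page number */
    uint32_t off = vaddr & (PAGE_SIZE - 1);      /* offset inside the page */
    if (vpn >= NUM_PAGES || !table[vpn].present) return ACC_NOT_PRESENT;
    if ((table[vpn].perms & want) != want)       return ACC_PERM_FAULT; /* e.g. X on data */
    if (table[vpn].key != proc_key)              return ACC_KEY_FAULT;  /* MPK mismatch */
    *paddr = (table[vpn].frame << PAGE_SHIFT) | off;
    return ACC_OK;
}

/* Constructed table: consecutive virtual pages land in scattered frames. */
static const pte_t demo_table[NUM_PAGES] = {
    { true, 7, PERM_R | PERM_X, 1 },   /* page 0: code, never writable */
    { true, 2, PERM_R | PERM_W, 1 },   /* page 1: data, never executable */
    { true, 5, PERM_R | PERM_W, 3 },   /* page 2: data tagged with another key */
};                                      /* pages 3..7 stay unmapped */

/* Convenience wrapper: an access by a process with the given key. */
access_t demo(uint32_t vaddr, uint8_t want, uint8_t key, uint32_t *paddr)
{
    return translate(demo_table, vaddr, want, key, paddr);
}
```

A write to page 0 or an execute on page 1 fails the rights check, while a write to page 2 by a process holding key 1 passes the rights check but fails the key check.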

Simulated segmentation: On several computer architectures, a simulator is used to monitor a program by interpreting its machine code instructions. This offers memory protection through a segmentation scheme: the length and target address of each instruction are validated in real time before the instruction is actually executed. The simulator computes the target address and length and compares them against a list of address ranges that are valid for the thread's environment. Examples of such ranges are dynamic memory blocks (obtained since the thread's inception) and static memory slots that are valid and shared (their validity may change over the life of the thread, depending on context).

Capability-based addressing: Another method of memory protection is capability-based addressing, which is, however, not used in modern commercial computers. It replaces pointers with capabilities, protected objects that can be created only through privileged instructions, which only the kernel or another authorized process may execute. This effectively lets the kernel control which processes may access which objects in memory without needing separate address spaces or context switches.

Dynamic Tainting: This technique protects programs from accessing memory illegally. When memory is allocated at runtime, dynamic tainting marks both the memory and the corresponding pointer with the same taint mark. The taint marks are then propagated appropriately as the program executes. Each time a memory address (m) is accessed through a pointer (p), the marks are checked: whenever the taint marks of (m) and (p) differ, an illegal access is reported and execution is stopped.
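The dynamic tainting scheme just described, as an added software model that is not from the original article and is not a real allocator: a simulated heap keeps one taint mark per byte, every allocation assigns a fresh mark to its bytes and to the returned pointer, pointer arithmetic propagates the mark, and each store checks that the pointer's mark matches the byte's mark. The heap size, the marks, and all names are assumptions; the scenario catches a buffer overrun at the first byte that belongs to the neighbouring block.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example: a software model of dynamic tainting, not a real allocator.
 * The simulated heap keeps one taint mark per byte; each allocation gets a
 * fresh mark, pointers derived from it inherit the mark, and a dereference is
 * legal only if pointer mark and byte mark agree. Sizes are constructed. */
#define HEAP_SIZE 64
typedef struct {
    uint8_t  bytes[HEAP_SIZE];
    uint16_t taint[HEAP_SIZE];   /* 0 = never allocated */
    size_t   next_free;
    uint16_t next_mark;
} theap_t;
typedef struct { size_t addr; uint16_t taint; } tptr_t;  /* pointer + its mark */

void theap_init(theap_t *h) { memset(h, 0, sizeof *h); h->next_mark = 1; }

/* Allocate n bytes: the block and the returned pointer share a new mark. */
tptr_t t_alloc(theap_t *h, size_t n)
{
    tptr_t p = { h->next_free, h->next_mark++ };
    for (size_t i = 0; i < n; i++) h->taint[p.addr + i] = p.taint;
    h->next_free += n;
    return p;
}

/* Pointer arithmetic propagates the mark unchanged. */
tptr_t t_add(tptr_t p, size_t k) { tptr_t q = { p.addr + k, p.taint }; return q; }

/* Checked store: false means the access was illegal and refused. */
bool t_write(theap_t *h, tptr_t p, uint8_t v)
{
    if (p.addr >= HEAP_SIZE || h->taint[p.addr] != p.taint) return false;
    h->bytes[p.addr] = v;
    return true;
}

/* Scenario: a loop overruns an 8-byte buffer into the block allocated right
 * after it. Returns how many writes were allowed before the overrun was caught. */
int overrun_demo(void)
{
    theap_t h; theap_init(&h);
    tptr_t a = t_alloc(&h, 8);
    tptr_t b = t_alloc(&h, 8);        /* b directly follows a, different mark */
    int allowed = 0;
    for (size_t i = 0; i < 12 && t_write(&h, t_add(a, i), 0x41); i++) allowed++;
    return b.taint != a.taint ? allowed : -1;   /* 8: the 9th write hits b's mark */
}
```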

Virtualization: Existing security mechanisms and processes cannot, on their own, protect a virtual environment and its components. Virtualization produces a different kind of network, a hybrid of the new logical or virtual environment and the well-established, physically centered network. It has had a massive impact on IT and networking in a short time, and has already delivered major cost savings and returns on investment for enterprises, cloud computing, and data centers. However, the understanding of virtualization and virtualized environments from a security viewpoint still lags behind.

Security Benefits of Virtualization

Some of the security benefits of virtualization are:

  • In virtualization, centralized storage is used to prevent important data loss in instances of the device being lost, compromised, or stolen.
  • With proper isolation of VMs and applications, an attack affects only one application on one operating system.
  • Upon proper configuration, a virtual environment is capable of providing the flexibility that allows system sharing without the need to share vital data across the systems.
  • A VM can be taken back to the previous uninfected state, even after it gets infected.
  • Hardware reductions occurring because of virtualization improve the physical security because fewer devices are required, eventually resulting in fewer data centers.
  • Incident handling is better with server virtualization because servers can be reverted to any prior state to examine what happened before and during an attack.


Be Safe

Section Guide

Aroosa
Ashraf