Shared Flashcard Set

Details

2. SSCP (Security, Operations and Administration)
59
Computer Networking
Intermediate
05/03/2017


Cards

Term
Security Operations and Administration
Definition
Security Operations and Administration
Term
Code of ethics - Preamble
Definition

The safety and welfare of society and the common good, duty to our principals and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behaviour

 

Therefore, strict adherence to this code is a condition of certification

Term
Code of ethics - Canons
Definition

Protect society, the common good, necessary public trust and confidence, and the infrastructure

Act honorably, honestly, justly, responsibly, and legally

Provide diligent and competent service to principals

Advance and protect the profession

Term
Computer ethics Institute 10 commandments
Definition

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with other people's computer work.

3. Thou shalt not snoop around in other people's computer files.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness.

Term
Computer ethics Institute 10 commandments
Definition

6. Thou shalt not copy or use proprietary software for which you have not paid.

7. Thou shalt not use other people's computer resources without authorisation or proper compensation.

8. Thou shalt not appropriate other people's intellectual output.

9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.

10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Term
Ethics Working Group
Definition

Integrity

Perform duties in accordance with existing laws, exercising the highest moral principles

Objectivity

Perform all duties in a fair manner and without prejudice

Professional Competence and Due Care

Perform services diligently and with professionalism

Confidentiality

Respect and safeguard confidential information and exercise due care to prevent improper disclosure.

Term

The Hats of Hacking

Definition

White Hat

Ethical hacking


Grey Hat

Often illegal, but with good intentions

Black Hat

Almost always illegal and for personal gain

Term
Confidentiality
Definition

Ensure that data is not disclosed to unauthorised users

Identification, Authentication and authorisation

Access Controls

Data Encryption

If it falls into the wrong hands

Requires Training

Example: Printers

Term
Integrity
Definition

Maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle

Ensure data cannot be altered by unauthorised users

A hashing algorithm can verify that the data has not changed

Audit logging tracks changes

Term
Availability
Definition

Ensure that IT systems and data are available when needed to authorised users

Not everyone needs data 24/7

Affects cost

Fault tolerance and redundancy

Networks, disks, servers, services

Ongoing maintenance

Backups, updates, DR plans

Term

Privacy

Confidentiality and Privacy are different. Remember Personally Identifiable Information (PII)

Definition

Isn't the same as confidentiality

Privacy relates to personally identifiable information (PII)

Not all personal information is confidential or private

Organisations will have specific legal definitions

Term
Non-repudiation
Definition

Ensures a person cannot believably deny taking an action

Enforced with audit logging and digital signatures

Example: File management

Example: Email

Example: Rogue administrator

Term

Least privilege

Definition

Grant subjects (users) access to objects (files) with only the permissions they need to accomplish their tasks

Example: Discretionary Access Control List (DACL)

Term
Segregation of duties
Definition

No single person has complete access to the entire transaction

Helps to prevent fraud

Example: Clark-Wilson model

Example: Chinese Wall

Term
Controls
Definition

Controls - think safeguard and countermeasures

The techniques, processes, procedures, means and methods that will reduce vulnerabilities in a system

Controls - Reduce threats and vulnerabilities - reduces losses

Controls can be technical or non-technical

Documentation - baselines, policies, standards, procedures, guidelines

Term
Three Primary Goals of Controls
Definition
[image]
Term
Prevention Controls
Definition

Prevent loss due to risk

Implemented through written security policies and procedures

Examples:

SOD, Least Privilege, Password policies

Background checks, encryption of data

Security Cameras, security guards

Term
Detection Controls
Definition

Identify that an event is occurring or has occurred

Provide evidence on prevention controls - working or not

Examples:

Home security, Intrusion Detection Systems (IDS)

Antivirus software that identifies malware

Audit logs, physical inventories, forensic analysis

Term
Corrective controls
Definition

Takes action to correct or reverse the effects of an event

May work in conjunction with detective controls

Examples

Anti-virus software that can remove or isolate malware

Disaster Recovery Plans

Procedures for Backup/Recovery

Beware of the Dog - the Dog

Term

Compensating and deterrent controls

Definition

Could be classified as preventative, detective or corrective

Often identified separately in security documentation

Compensating controls

These are backups to the primary control, in case a primary fails

Example: SOD - someone gets sick

Deterrent controls

Controls that attempt to deter an attack

Example: Beware of the Dog - the sign

Term

Participate in Asset Management

Lifecycle

Keeping Track

Definition

Evaluate your assets

Inventory and Prioritize

Quantitative Approach

Which assets have lost $ value

Qualitative Approach

Irreplaceable or mission critical; subjective

Term
Asset Management Lifecycle
Definition

Design

Construction

Commissioning

Operating

Maintaining

Reporting

Upgrading

Disposing

Term
Lifecycle (additional)
Definition

Asset management works in conjunction with other lifecycle and evaluation processes

Certification and accreditation

Evaluation criteria and policies

System Development Life Cycle (SDLC)

Term
Hardware
Definition

Adding, inventorying and removing

Includes: Desktops, laptops, mobile devices, routers, switches, servers

Not all hardware should be added to an inventory

A computer mouse is cheap and not worth the cost of inventory management

Driven by internal policy decisions, usually cost

How to Manage:

Simple: Serial numbers, asset tags written to a spreadsheet, barcode tags and scanners

Software based: Microsoft System Center Configuration Manager

Term
Software
Definition

What software is in the organisation

Example: Operating systems and applications

Helps to validate software licensing agreements

Discovers unknown or unwanted software

Can be discovered and managed using management software:

Microsoft System Center Configuration Manager

Term
Data
Definition

Not easy to inventory because it's easy to copy

Data classification - determines security restrictions and backup policies

US Government: Top Secret, Secret, Confidential, Sensitive, Public

With classification, decisions based on criteria can be made

Location of sensitive data

How often certain data is backed up

What data is restored first

What data is encrypted and by which algorithm

Determine how to dispose of data assets

Term
Data Management Policies
Definition

Help Employees know what data is valuable and ensure its protection

Storage

Where is data stored

What concerns about portable media

Storage should be labelled with classification and encrypted important

Archive and retention

Where is data archived and how long for

Data Loss Prevention (DLP)

Preventing leakage of important data

Destruction

How and when to deploy data

Term
NIST
Definition

Contains information about Security controls

Term
Three Primary Classes of Controls
Definition
[image]
Term
Technical Controls
Definition

Sometimes known as logical controls

Implemented through technical means

Hardware, software, firmware

Includes identification and authentication controls

Includes auditing and accountability controls

Term

Operational Controls

Definition

Sometimes known as physical controls

Implemented by people

Includes user awareness training

Includes configuration and change management

Includes availability practices and contingency planning

Term
Managerial Controls
Definition

Sometimes known as administrative or management controls

Focuses on the management of risk

Implemented through managerial practices and written documents

Policies, procedures and guidelines

Provides direction to employees including IT

Term
Example: System Hardening
Definition

Remove or disable unused protocols

Remove or disable unused services

Remove unused software

Change defaults - passwords

Keep system updated

Enable firewalls

Include anti-malware software

Term

Control Implementation

Definition

NIST Guide for Conducting Risk Assessments

NIST SP 800-53 R4

NIST SP 800-30 R1

Term

Security Documentation: Policy

Definition
[image]
Term

Participate in change management

Change management

Definition

Change Management

Process that allows IT and others to examine changes before implemented

Ensure changes are made only with authorization

Configuration Management

Establish a configuration and prevent unauthorised changes from occurring

Prevent changes that could affect security controls

Term

Implementation of Configuration Management Plan

Definition
[image]
Term
The Plan
Definition

Must be actionable

Achievable in specified time frame

Account for sufficient resources to complete tasks

Must include security impact assessment

Include formalized testing and reporting

Include enforcement and monitoring

Include chain of approvals

Term
The plan goals
Definition

Maintain CIA

Prevent new vulnerabilities due to change

Communicate downtime in advance

Changes should be reversible

Require SOD

Uncover and document changes to system due to change

Term
Security Impact Assessment
Definition

How does this impact the system?

Does the change alter security controls?

Check against CIA Triad

To fully understand how change impacts a system, you need a baseline

Term

System Architecture/Interoperability of Systems

Definition

Create and document baselines

What does the system look like

Perform utilization

State of configuration


If I need to rebuild this, do I have all the information?


Does the change/configuration affect other systems

After change, update baseline

Term

Testing/Implementing Patching, Fixes and updates

Definition

Without patches, fixes and updates - failure occurs

Don't test in production

Create a testing environment

Accuracy counts

Understand the impact to the entire system

Term

System Development Lifecycle

(SDLC)

Definition
[image]
Term

Participate in Security Awareness and Training

Why Training

Definition

Increases organizational security successes

Increase overall security posture

Gives employees the ability to participate

If you see something unusual - report it

Educates on organizational expectations and regulations

Educates on vulnerabilities and threats

Improves the safety and welfare of humanity

Term

Security Policies and Compliance

Security Policies

Definition

Make users aware of the importance of and rationale for the organizational security policies

Gain user acceptance

The need to follow best practices

Provided through on the job, mandatory meetings, online training, etc.

Term

Security Policies and Compliance

Compliance

Definition

Mandated regulatory compliance training

Explain Accounting and Auditing controls

HIPAA - Health Insurance Portability and Accountability Act

PCI DSS - Payment Card Industry Data Security Standard

SOX

Term

Behaviours

Physical Security

Definition

Use only authorised computers/devices

Don't set up your own Wi-Fi

Lock your office and computer

Report unusual activity

Wear your security badges

Never hold the door for unknown people

Challenge tailgaters

Habits

Password behaviours

Clean desk policy

Data Handling

Use of personally owned devices

Safe computing practices

Term
Threat awareness
Definition

Training and re-training about latest threats

Keep yourself and others informed about zero day exploits

Use a variety of ways to communicate

Meetings, bulletin boards, monthly newsletters

Topics should include

Phishing attacks, social engineering, new viruses

Remind them about home

Term

Personally Identifiable information

Definition

What is PII

SSN, birthdate, biometrics


Information that is linked to them

Medical records, financial info, employee files, background checks


Educate Employees

Regulations, breach examples, latest scans

Term

Social Networking

Definition

Do not post sensitive company information

Careful with your own info

Malware, cross-site scripting, phishing and other attacks are common

Remember, shortened URLs can go anywhere

Term
Peer to Peer
Definition

File sharing directly between computers, often for music and movies

Often banned in many orgs

Files often contain malware

A conduit for data leakage

Pirated software is illegal in the office and at home

Term

Participate in Physical Security Operations

Environmental Design

Definition

What controls prevent unauthorised access

Fences

Controlled gates

Electronic gate, security guard

Barriers

Metal and cement

Location

Hills, mountains

Term
Doors and locks
Definition

Mechanical and electronic access controls

Standards

UL - Underwriters Laboratories

BHMA - Builders Hardware Manufacturers Association

ANSI - American National Standards Institute

CEN - European Committee for Standardization

Locks and keys

Codes and Cards

Combinations

Including biometric devices

Term

Physical Security Behaviour

Definition

Use only authorized computer/devices

Lock your office and computer

Report unusual activity

Check security badges

Walk people out without ID to security

Never hold the door for unknown people

Challenge tailgaters

Cover your hand when entering a PIN

Term
Security Cameras
Definition

CCTV - closed-circuit television

PTZ - Pan-tilt-zoom

IR - Infrared

IP Camera

IP## rating protective

TVL - TV lines of resolution

Codec - H.264, MPEG

Term

Security Cameras

International Protection Standards

Definition

IEC 60529

IP Ratings - IP## protective

solids and liquids

IP54 - Dust resistant, water resistant

IP66 - Dustproof, water resistant

IP67 - Dustproof, waterproof

Immersion to 1 meter in depth

IP68 - Dustproof, waterproof

Immersion long term to specified pressure

IP69k - dustproof, waterproof

Protected from steam jet cleaning

Term
Portable Devices
Definition

Laptops

Phones and Tablets

Smart Watches and future devices

USB/CD/DVD
