CNSS Model

Slide deck introducing the CNSS security model, the framework the US Committee on National Security Systems uses for classifying and protecting information systems according to their importance to national security. It covers the national security classification levels (Unclassified, Confidential, Secret, Top Secret), an operational model of security with its key principles and activities, the types of security attacks, security mechanisms and services, and a step-by-step outline for implementing an information security program.

CNSS Security Model

Introduction: what is CNSS?
• CNSS is the Committee on National Security Systems, the US government body that issues security policy and training standards for national security systems. The "CNSS security model" is the framework its training standard (NSTISSI No. 4011) uses for classifying and protecting information systems and data according to their sensitivity and importance to national security.
• The model is a three-dimensional cube: the security goals (confidentiality, integrity, availability) against the states information can be in (storage, processing, transmission) against the classes of countermeasure (policy, education, technology). Each of the 27 cells is a question to answer for the system being protected, for example "how does policy protect the confidentiality of data in transmission?".
• In simple words: it is a standard checklist that, keeping the sensitivity and importance of the data in mind, helps an organization make sure no combination of goal, state and countermeasure has been overlooked.
Classification Levels
The levels the deck applies are the US national security classification levels (defined in Executive Order 13526); the model uses them as its sensitivity input, it does not define them.
• Unclassified: information and systems that hold no classified data. Normal security practice still applies (and some unclassified data is controlled for other reasons), but none of the classified-handling rules are triggered.
• Confidential: unauthorized disclosure could reasonably be expected to cause damage to national security.
• Secret: unauthorized disclosure could reasonably be expected to cause serious damage to national security.
• Top Secret: unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.
The levels are strictly ordered, which is what makes them enforceable: a subject cleared to one level may be granted information at that level or below (still subject to need-to-know), never above, and a system must stop higher-level data flowing into lower-level containers.
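The ordering above is what a system actually enforces. The following is an added example, not code from the original deck, showing a mandatory access control check over these four levels: "no read up" for confidentiality and "no write down" so that Secret content cannot be copied into an Unclassified file. The level names, the clearance/label strings and the sample requests are assumptions made for the example.

```python
# Added example (not from the original deck): a mandatory access control check
# over the four classification levels above. Assumption: the levels are a strict
# total order and clearances/labels arrive as plain strings such as "Top Secret".
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def parse_level(name: str) -> Level:
    """Map 'Top Secret', 'secret', 'top-secret' ... to a Level.
    Unknown labels raise instead of defaulting, so a typo can never turn into a grant."""
    key = name.strip().upper().replace(" ", "_").replace("-", "_")
    try:
        return Level[key]
    except KeyError as exc:
        raise ValueError(f"unknown classification level: {name!r}") from exc


def is_known_level(name: str) -> bool:
    try:
        parse_level(name)
        return True
    except ValueError:
        return False


def can_read(clearance: str, label: str) -> bool:
    """Simple security property ('no read up'): read only if clearance dominates the label."""
    return parse_level(clearance) >= parse_level(label)


def can_write(clearance: str, label: str) -> bool:
    """Star property ('no write down'): write only at or above your own level,
    so Secret content cannot be copied into an Unclassified file."""
    return parse_level(clearance) <= parse_level(label)


def check_access(clearance: str, label: str, mode: str) -> bool:
    """Deny-by-default dispatcher: anything that is not a recognised read/write is refused."""
    if mode == "read":
        return can_read(clearance, label)
    if mode == "write":
        return can_write(clearance, label)
    return False


if __name__ == "__main__":
    # Constructed sample requests: (subject clearance, object label, mode)
    requests = [
        ("Secret", "Confidential", "read"),    # read down  -> ALLOW
        ("Secret", "Top Secret", "read"),      # read up    -> DENY
        ("Secret", "Unclassified", "write"),   # write down -> DENY (would leak)
        ("Confidential", "Secret", "write"),   # write up   -> ALLOW
        ("Top Secret", "Top Secret", "read"),  # same level -> ALLOW
    ]
    for clearance, label, mode in requests:
        verdict = "ALLOW" if check_access(clearance, label, mode) else "DENY"
        print(f"{clearance:>12} {mode:<5} {label:<12} -> {verdict}")
```

Two design points carry over to real systems: an unrecognised label or access mode is an error or a denial, never a default grant, and the write rule is as important as the read rule, because most leaks are a high-level subject writing into a low-level place.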
Operational model of security
• An operational model of security is the framework and set of practices an organization implements to manage and maintain security across its IT systems and assets day to day. In simple words: the rules and routine practices the organization uses to keep its security working, as opposed to the one-time design of it.
Key Principles and activities
• Risk Management: Identifying and managing potential security
risks.
• Security Policies & Procedures: Establishing clear rules and
steps for security.
• Access Control: Ensuring that only authorized individuals can
access sensitive information.
• Security Awareness and Training: Educating employees about the threats they
will meet and their part in defending against them.
• Security Monitoring: Continuously monitoring systems to detect
and address issues.
• Security Patch Management: Regularly updating and fixing
security vulnerabilities.
• Security Audits and Compliance: Assessing adherence to
security rules and regulations.
• Physical Security: Protecting physical access to computers and
data.
• Business Continuity and Disaster Recovery: Planning for
emergencies and maintaining operations.
• Security Documentation: Maintaining records of security
actions and plans.
• Vendor Risk Management: Ensuring third-party companies
protect your data.
• Change Management: Safely implementing updates and
changes to systems.
• Security Testing and Evaluation: Testing to identify and
address security weaknesses.
Security Attacks
• A security attack is a deliberate action that attempts to compromise the confidentiality, integrity, or availability of information or of the systems that hold it. In simple words: a hostile act aimed at getting into, altering, or taking down our systems.
• Attacks are classed by whether they change anything:
• Passive attacks: observe or copy information without affecting the system
• Active attacks: alter data or system resources, or disrupt their operation
Threat vs Attack
• A threat is a danger you know could happen, such as an unauthorized person being able to get at your private data. Think of threats as the what-ifs.
• An attack is the done deal: an actual action that harms the confidentiality, integrity, or availability of information. A threat is realized by an attack.
Active vs Passive Attack
• Passive attacks: the attacker reads or records what passes through the target (traffic, messages, stored data) without altering anything or disrupting it. Because nothing changes, the victim normally cannot tell it happened, so the defence is prevention (chiefly encryption) rather than detection.
• Active attacks: the attacker takes deliberate action against the target, modifying data, impersonating a party, replaying captured messages, or disrupting service. These leave traces and can usually be detected, but they are hard to prevent outright, so defences aim to detect and recover.
Types of Active Attack
• Masquerade Attack: Pretending to be someone you’re not. Attackers
impersonate legitimate users or systems to gain unauthorized access.
• Replay Attack: Imagine someone copying and playing back your
recorded voice to trick a security system. Attackers reuse intercepted
data or commands to deceive systems.
• Denial of Service (DoS) Attack: It’s like jamming a door so nobody
can get in. Attackers overwhelm a system, making it slow or
unavailable to users.
• Distributed Denial of Service (DDoS) Attack: Picture a huge crowd
blocking an entrance. Multiple computers flood a target, making it
inaccessible due to an overwhelming number of requests.
• Man-in-the-Middle (MitM) Attack: Imagine someone intercepting
your messages in a game of telephone. Attackers secretly intercept and
alter communication between two parties.
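The replay attack above is the one of these that a naive "just add a MAC" design fails against, because the captured message is genuine. The following is an added example, not code from the original deck, that shows a MAC-only server accepting a captured command again an hour later, and a server that binds a fresh nonce and a timestamp under the MAC and refuses anything stale or already seen. The shared key, the command names and the 30-second window are assumptions made for the demo.

```python
# Added example (not from the original deck): a replay attack against a MAC-only
# command protocol, and the nonce + timestamp defence. The shared key, command
# names and 30-second window are constructed for the demo.
import hashlib
import hmac
import json
import secrets

KEY = b"shared-secret-for-demo-only"   # constructed; provision real keys per client
WINDOW_SECONDS = 30                    # how much clock drift the server tolerates


def _canonical(fields: dict) -> bytes:
    # Fixed field order so client and server MAC exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_message(command: str, now: int) -> dict:
    """Client side: bind the command to a fresh nonce and the current time, then MAC all three."""
    fields = {"cmd": command, "nonce": secrets.token_hex(16), "ts": int(now)}
    fields["mac"] = hmac.new(KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return fields


def mac_valid(msg: dict) -> bool:
    unsigned = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(KEY, _canonical(unsigned), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(msg.get("mac", "")))


class NaiveServer:
    """Checks only the MAC. A message captured once verifies forever: replay succeeds."""

    def accept(self, msg: dict, now: int) -> bool:
        return mac_valid(msg)


class ReplaySafeServer:
    """Checks the MAC, rejects stale timestamps, and refuses any nonce seen inside the window."""

    def __init__(self) -> None:
        self._seen = {}   # nonce -> timestamp it was accepted with

    def accept(self, msg: dict, now: int) -> bool:
        if not mac_valid(msg):                        # tampered or forged
            return False
        if abs(now - msg["ts"]) > WINDOW_SECONDS:     # too old (or from the future)
            return False
        # Drop nonces that have aged out; older replays are already caught by the ts check.
        self._seen = {n: t for n, t in self._seen.items() if abs(now - t) <= WINDOW_SECONDS}
        if msg["nonce"] in self._seen:                # the replay
            return False
        self._seen[msg["nonce"]] = msg["ts"]
        return True


def run_demo(now: int = 1_700_000_000) -> dict:
    captured = make_message("unlock_door", now)   # legitimate message the attacker sniffed
    naive, safe = NaiveServer(), ReplaySafeServer()
    return {
        "naive_first": naive.accept(captured, now),
        "naive_replay": naive.accept(captured, now + 3600),    # an hour later: still accepted
        "safe_first": safe.accept(captured, now),
        "safe_replay": safe.accept(captured, now + 5),         # same nonce inside the window
        "safe_stale": safe.accept(make_message("unlock_door", now - 120), now),
        "tampered": safe.accept({**captured, "cmd": "open_vault"}, now),  # MAC no longer matches
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:<13} {'ACCEPT' if ok else 'REJECT'}")
```

The timestamp bounds how long the server must remember nonces; the nonce catches replays inside that bound. Both must be covered by the MAC, otherwise the attacker simply rewrites them on the captured message.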
Types of Passive Attack
• Eavesdropping: like secretly listening to someone's private conversation. The attacker intercepts and reads your data as it passes, without you knowing; anything sent in the clear (unencrypted HTTP, plain e-mail, open Wi-Fi) is exposed this way.
• Traffic Analysis: think of it as watching a busy highway. Even when the content is encrypted, the attacker watches who talks to whom, how often and how much, and infers information from those patterns without ever reading the content.
Security Mechanisms
• Encryption: like putting your data in a secret code. Converts information into a form that is unreadable without the key, so interception alone does not disclose it.
• Decryption: the inverse operation, recovering the original data with the key. It is part of the same mechanism rather than a separate control; the security of both rests on keeping the key secret, which is why key management matters more than the choice of cipher.
• Firewalls: Think of them as digital bouncers. They filter network traffic,
allowing only authorized data to pass through and blocking potential
threats.
• IDS (Intrusion Detection System): This is like a security alarm. It
monitors network or system activity for suspicious behavior or signs of
attacks.
• ACLs (Access Control Lists): Imagine setting up a guest list for a party.
ACLs dictate who is allowed or denied access to specific resources or data.
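An IDS "security alarm" is, underneath, a rule evaluated over a stream of events. The following is an added example, not code from the original deck, of one such rule run over constructed sshd-style log lines: it flags a source address that fails authentication five times inside sixty seconds, and raises a higher-severity alert if that source then logs in successfully. The host name, user names, addresses and the thresholds are assumptions made for the example.

```python
# Added example (not from the original deck): the core of a host-based intrusion
# detection rule, run over constructed sshd-style log lines. It flags a source
# that fails authentication five times inside 60 seconds, and escalates if that
# source then logs in successfully. Hostnames, users and addresses are made up.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one brute-force burst that succeeds, one benign user.
SAMPLE_LOG = """\
Jan 12 10:00:01 bastion sshd[4321]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:03 bastion sshd[4322]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 12 10:00:04 bastion sshd[4323]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 10:00:06 bastion sshd[4324]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan 12 10:00:07 bastion sshd[4325]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 12 10:00:09 bastion sshd[4326]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Jan 12 10:03:00 bastion sshd[4330]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 12 10:03:30 bastion sshd[4331]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Jan 12 10:04:00 bastion sshd[4332]: Connection closed by 198.51.100.7 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line: str, year: int = 2024):
    """Return a dict for auth events, None for lines the rule does not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; assume one (a real collector would know it).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold: int = 5, window_s: int = 60):
    """Sliding-window rule: keep only failures newer than window_s per source IP."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures still in window
    already_flagged = set()                # one brute_force alert per source per run
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                    # expire old failures
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], len(q)))
        elif len(q) >= threshold:
            # A success right after a burst of failures is the high-severity case:
            # the guessing probably worked.
            alerts.append(("brute_force_success", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The one legitimate user who mistypes a password once is never flagged, which is the point of the threshold and window: a detection rule is judged as much by its false positives as by what it catches.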
• Antivirus: It’s your digital immune system. Scans and removes
malicious software to keep your devices healthy.
• MFA (Multi-Factor Authentication): Like using both a key and
a fingerprint to open a safe. Requires multiple methods to verify
your identity, making it harder for unauthorized access.
• Patch Management: Think of it as keeping your software up to
date. It fixes vulnerabilities in your systems to prevent potential
attacks.
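The second factor in most MFA deployments is a time-based one-time password. The following is an added example, not code from the original deck, of the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) as authenticator apps implement it, together with a verifier that tolerates one step of clock skew and returns the matched counter so the same code cannot be accepted twice. The demo key and times are the published RFC test vectors; the `last_counter` bookkeeping is an assumption about how the caller stores state.

```python
# Added example (not from the original deck): the TOTP algorithm (RFC 6238 over
# HOTP, RFC 4226) that most authenticator apps implement, with a verifier that
# tolerates one step of clock skew and returns the matched counter so a code
# cannot be accepted twice. Key and times in the demo are the RFC test vectors.
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC the 8-byte big-endian counter, dynamically truncate, keep `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key: bytes, submitted: str, unix_time: int, *, step: int = 30,
                digits: int = 6, skew: int = 1, last_counter: int = -1):
    """Return the time-step counter the code matched, or None.

    `skew` allows the client clock to be up to `skew` steps off. `last_counter`
    is the highest counter already accepted for this user (stored by the caller):
    a code matching a counter at or below it is rejected, which closes the replay
    window that skew would otherwise open.
    """
    base = unix_time // step
    for drift in range(-skew, skew + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 appendix B seed and time, 8-digit SHA-1 mode: expected code 94287082.
    seed = b"12345678901234567890"
    print(totp(seed, 59, digits=8))
    print(verify_totp(seed, "94287082", 59, digits=8))
```

The two details that separate a correct verifier from a textbook one are the constant-time comparison (a plain `==` leaks timing) and remembering the last accepted counter: with a skew window, the same six digits are valid for up to ninety seconds, and the RFC requires that a code is never honoured twice.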
Security Services
• Authentication: It’s like verifying your identity at a secret club entrance.
Proves that you are who you claim to be before granting access.
• Authorization: Think of it as determining what you’re allowed to do
inside that secret club once you’re in. Defines the actions and resources
users are permitted to access.
• Data Integrity: Imagine ensuring that your message wasn’t tampered
with during delivery. It guarantees that data remains accurate and
unaltered.
• Confidentiality: It’s like whispering a secret to a trusted friend. Keep
your sensitive information hidden from unauthorized eyes.
• Non-Repudiation: Picture signing a contract with a unique fingerprint.
Prevents someone from denying their actions or transactions.
• Availability: Think of it as ensuring the club is open when you
want to go. Ensures that systems and data are accessible when
needed and not disrupted by attacks.
• Audit and Logging: like keeping a record of everyone who enters the club.
Keeps a detailed, time-stamped history of activities for security monitoring and
investigation. The log itself has to be protected, since an attacker who can edit
it can erase their own tracks.
These security services are like the essential building blocks that,
when combined with security mechanisms, create a strong
defense against cyber threats.
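Data integrity and audit logging meet in the question of whether the log can be trusted after an intrusion. The following is an added example, not code from the original deck, of a hash-chained audit log: each entry commits to the hash of the one before it, so an edited or deleted entry breaks the chain, and a separately stored head hash catches entries silently dropped from the end. The actors, actions and targets are constructed.

```python
# Added example (not from the original deck): a hash-chained audit log that makes
# editing or deleting an entry detectable. Actors, actions and targets are constructed.
import hashlib
import json

GENESIS = "0" * 64   # previous-hash of the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + canon).encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries = []

    def append(self, actor: str, action: str, target: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "actor": actor, "action": action, "target": target}
        h = entry_hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, index of first bad entry or None)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["record"]["seq"] != i or e["prev"] != prev
                    or entry_hash(prev, e["record"]) != e["hash"]):
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)   # entries were removed from the tail
        return True, None


def demo() -> dict:
    def fresh() -> AuditLog:
        log = AuditLog()
        log.append("alice", "login", "vpn")
        log.append("alice", "read", "payroll.xlsx")
        log.append("alice", "logout", "vpn")
        return log

    intact = fresh()
    anchor = intact.head()   # head hash published out-of-band, e.g. to a WORM store

    edited = fresh()
    edited.entries[1]["record"]["target"] = "lunch-menu.txt"   # hide the payroll read

    deleted = fresh()
    del deleted.entries[1]                                       # remove the entry outright

    truncated = fresh()
    truncated.entries.pop()                                      # drop the last entry

    return {
        "intact": intact.verify(anchor),
        "edited": edited.verify(anchor),
        "deleted": deleted.verify(anchor),
        "truncated_no_anchor": truncated.verify(),
        "truncated_with_anchor": truncated.verify(anchor),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:<22} {result}")
```

The truncation case is the caveat worth remembering: a chain verifies cleanly with its tail cut off, and an attacker with write access to the file can recompute the whole chain. What turns the chain into evidence is the anchor, a head hash (or a signature over it, made with a key the log writer does not hold) kept somewhere the attacker cannot reach.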
How to implement?
Step 1: Build an Information Security Team
• The first step in information security is to decide who needs a seat at the table.
• One side of the table holds the executive team, made up of senior-level
associates responsible for crafting the mission and goals of the security
program, setting security policies, risk limitations, and more.
• On the other side of the table sits the group of individuals responsible for
daily security operations.
• As a whole, this group designs and builds the framework of the security
program.
Step 2: Inventory and Manage Assets
• The security team’s first job is to understand which assets exist, where those
assets are located, ensure the assets are tracked, and secure them properly.
• In other words, it’s time to conduct an inventory of everything that could
contain sensitive data, from hardware and devices to applications (both
internally and third party developed) to databases, shared folders, and more.
• Once you have your list, assign each asset an owner, then categorize them by
importance and value to your organization should a breach occur.
Step 3: Assess Risk
• To assess risk, you need to think about both threats (what could go wrong) and vulnerabilities (the weaknesses a threat would exploit). Start by listing the potential threats to your organization's assets, then score each by its likelihood and its impact.
• Vulnerabilities can lie in people (employees, clients, third parties), in processes (or the lack of them), and in the technologies in place.
Step 4: Manage Risk
• Now that you have your risks ranked, decide how to treat each one: reduce, transfer, accept, or avoid.
• Reduce the risk: identify and apply controls that counter it (e.g., setting up a firewall, establishing local and off-site backup locations, installing water leak detection in a data center).
• Transfer the risk: purchase insurance for the assets, or contract a third party to carry the risk.
• Accept the risk: if the cost of a countermeasure outweighs the expected loss, you can knowingly choose not to mitigate it. Acceptance is a documented decision by someone with the authority to make it, not a default.
• Avoid the risk: stop doing the activity that creates it (e.g., not collecting data you do not need, or decommissioning a system). Simply ignoring a risk, or denying it exists, is not a treatment option and can lead to irreversible consequences.
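Steps 3 and 4 together are a ranking followed by a cost decision, and the "cost of the countermeasure outweighs the value of the loss" rule can be made quantitative with annual loss expectancy (ALE = single loss expectancy x annual rate of occurrence). The following is an added example, not code from the original deck, that scores a small register by likelihood x impact, ranks it, and recommends reduce, transfer or accept for each risk. The risks, dollar figures and control names are constructed; avoidance is left as a business decision taken outside the function.

```python
# Added example (not from the original deck): a small risk register that ranks
# risks by likelihood x impact (Step 3) and applies the Step 4 treatment rule
# quantitatively: a control is worth deploying only if the annual loss it
# prevents exceeds its annual cost. All figures are constructed.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    sle: float                 # single loss expectancy: cost of one incident
    aro: float                 # annual rate of occurrence: incidents per year
    control: str = ""          # candidate control, empty if none identified
    control_cost: float = 0.0  # annualised cost of that control
    ale_after: float = 0.0     # expected annual loss if the control is in place

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def ale(self) -> float:
        return self.sle * self.aro   # annual loss expectancy


def treatment(r: Risk, insurable: bool = False) -> str:
    """Apply the deck's rule: reduce when the control pays for itself, otherwise
    transfer (if someone will insure it) or formally accept. Avoidance is a
    business decision to stop the activity, so it is chosen outside this function."""
    if r.control and (r.ale - r.ale_after) > r.control_cost:
        return "reduce"
    return "transfer" if insurable else "accept"


def register(risks, insurable=frozenset()):
    """Rank by score, then by ALE, and attach a recommended treatment to each."""
    ranked = sorted(risks, key=lambda r: (r.score, r.ale), reverse=True)
    return [(r.name, r.score, r.ale, treatment(r, r.name in insurable)) for r in ranked]


# Constructed register.
SAMPLE_RISKS = [
    Risk("Ransomware on file server", "file server", 4, 5, sle=250_000.0, aro=0.5,
         control="offline backups + EDR", control_cost=40_000.0, ale_after=25_000.0),
    Risk("Laptop theft", "staff laptops", 3, 2, sle=5_000.0, aro=2.0,
         control="full-disk encryption", control_cost=2_000.0, ale_after=1_000.0),
    Risk("Water leak in data center", "server room", 1, 4, sle=16_000.0, aro=0.25,
         control="leak sensors", control_cost=6_000.0, ale_after=1_000.0),
]

if __name__ == "__main__":
    for name, score, ale, action in register(SAMPLE_RISKS, insurable={"Water leak in data center"}):
        print(f"{score:>3}  ${ale:>10,.0f}/yr  {action:<8}  {name}")
```

The leak sensors are the deck's own example of a reduction, and the numbers show why the decision is not automatic: at a $4,000 expected annual loss, a $6,000 control saving $3,000 a year does not pay, so the recommendation falls back to insurance or a documented acceptance.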
Step 6: Inventory and Manage Third Parties
• Make a list of vendors, suppliers, and other third parties who have access to your
organization’s data or systems, then prioritize your list based on the sensitivity of the
data.
• Once identified, find out what security measures high-risk third parties have in place
or mandate necessary controls.
• Be sure to consistently monitor and maintain an updated list of all third-party
vendors.
Step 7: Apply Security Controls
• You’ve been busy identifying risks and deciding on how you’ll handle each one.
• For the risks you want to act on, it’s time to implement controls. These controls will
mitigate or eliminate risks.
• They can be technical (e.g., encryption, intrusion detection software, antivirus,
firewalls), or non-technical (e.g., policies, procedures, physical security, and
personnel).
• One non-technical control you’ll implement is a Security Policy, which serves as the
umbrella over a number of other policies such as a Backup Policy, Password Policy,
Access Control Policy, and more
Step 8: Establish Security Awareness Training
• Conduct frequent security awareness trainings to share your information
security plan and how each employee plays a role in it.
• After all, new security measures and policies do nothing if employees
working with the data are not educated on how to minimize risk.
Step 9: Audit, audit, audit
• The best way to determine the effectiveness of your information security
program is to hire a third-party auditor to offer an unbiased assessment on
security gaps.
• In some cases, this is mandatory to confirm compliance. Third-party
assessors can also perform vulnerability assessments and penetration tests to
identify weaknesses in your organization's networks, systems, and applications,
along with audits against criteria such as ISO 27001, PCI DSS, FedRAMP, and
HITRUST, and SOC 2® reports based on the AICPA Trust Services Criteria.
• Your company can also conduct internal audits to assess controls, policies,
procedures, risk management, and more.
