Information security

Information security means protecting information (data) and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information Security management is a process of defining the security controls in order to protect the information assets.
Security Objectives
Protect the company and its assets.
Manage Risks by Identifying assets, discovering threats and estimating the risk
Provide direction for security activities by framing of information security policies, procedures, standards, guidelines and baselines
Information Classification
Security Organization
Security Education
Security Management Responsibilities
Determining the objectives, scope, and policies of the security program and what it is expected to accomplish
Evaluate business objectives, security risks, user productivity, and functionality requirements.
Define steps to ensure that all the above are accounted for and properly addressed
Approaches to Build a Security Program
Top-Down Approach
The initiation, support, and direction come from top management and work their way through middle management and then to staff members.
Treated as the best approach, but it seems to be based on the "I get paid more, therefore I must know more about everything" type of mentality.
Ensures that the senior management who are ultimately responsible for protecting the company assets is driving the program.
Bottom-Up Approach
The lower-end team comes up with a security control or a program without proper management support and direction.
It is often considered less effective and doomed to fail for the same flaw in thinking as above: "I get paid more, therefore I must know more about everything."
Since advancement is directly tied to how well you can convince others, who often fall outside of your job duties and department, of your higher value to the company, as stated by your own effective written communication, this leads to amazing resume writers and take-no-blame style email responses that seem to lead to the eventual failure of the company's standards and actual knowledge. It is often covered up by the relationships which form at the power levels within any group of people, and by those who are considered so-called experts having no real idea what is really involved under the hood of the reports/applications they use, with no proof presented in the emails written when self-declared claims of their expertise are made or blame is to be put on another.
Security Controls
Security Controls can be classified into three categories
Administrative Controls which include

Developing and publishing of policies, standards, procedures, and guidelines.
Screening of personnel.
Conducting security-awareness training.
Implementing change control procedures.
Technical or Logical Controls which include
Implementing and maintaining access control mechanisms.
Password and resource management.
Identification and authentication methods
Security devices and Configuration of the infrastructure.
Physical Controls which include
Controlling individual access into the facility and different departments
Locking systems and removing unnecessary floppy or CD-ROM drives
Protecting the perimeter of the facility
Monitoring for intrusion.
Environmental controls.
Security Note: It is the responsibility of the information owner (usually a senior executive within the management group or the head of a specific department) to protect the data, and it is the owner who is held to due care (liable in a court of law) for any kind of negligence.
The Elements of Security
Vulnerability
It is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.
Vulnerability characterizes the absence or weakness of a safeguard that could be exploited.  E.g.: a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, lack of physical security etc.
Threat
Any potential danger to information or systems.  A threat is a possibility that someone (person, s/w) would identify and exploit the vulnerability.  The entity that takes advantage of vulnerability is referred to as a threat agent. E.g.: A threat agent could be an intruder accessing the network through a port on the firewall
Risk
Risk is the likelihood of a threat agent taking advantage of vulnerability and the corresponding business impact.
Reducing vulnerability and/or threat reduces the risk. E.g.: If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner.
Exposure
An exposure is an instance of being exposed to losses from a threat agent.
Vulnerability exposes an organization to possible damages.
E.g.: If password management is weak and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.
Countermeasure or Safeguard
It is an application, a software configuration, a piece of hardware, or a procedure that mitigates the risk.
E.g.: strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security-awareness training.
The Relation Between the Security Elements
Example: If a company has antivirus software but does not keep the virus signatures up-to-date, this is a vulnerability. The company is vulnerable to virus attacks.
The threat is that a virus will show up in the environment and disrupt productivity.
The likelihood of a virus showing up in the environment and causing damage is the risk.
If a virus infiltrates the company’s environment, then vulnerability has been exploited and the company is exposed to loss.
The countermeasures in this situation are to update the signatures and install the antivirus software on all computers.
Threat Agent -> gives rise to -> Threat -> exploits -> Vulnerability -> leads to -> Risk -> can damage -> Assets -> and causes -> Exposure -> can be countermeasured by -> Safeguard -> directly affects -> Threat Agent
Alternative Description:
A threat agent causes the realization of a threat by exploiting a vulnerability. The measurement of the extent that this exploitation causes damage is the exposure. The organizational loss created within the exposure is the impact. Risk is the probability that a threat event will generate loss and be realized within the organization.
Example:
Target: A bank contains money.
Threat: There are individuals who want, or need, additional money.
Vulnerability: The bank uses software that has a security flaw.
Exposure: 20% of the bank’s assets are affected by this flaw.
Exploit: By running a small snippet of code (malware), the software can be accessed illegally.
Threat Agent: There are hackers who have learned how to use this malware to control the bank’s software.
Exploitation: The hackers access the software using the malware and steal money.
Impact: The bank loses monetary assets, reputation, and future business.
Risk: The likelihood that a hacker will exploit the bank’s software vulnerability and impact the bank’s reputation and monetary resources.
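The bank example above gives the elements in words; the following is an added example (not part of the original notes) that puts numbers on them so the relationship "reducing vulnerability and/or threat reduces the risk" can be seen directly. It assumes a common quantitative model that the notes do not state: impact = asset value x exposure factor (the fraction of the asset one exploitation affects, like the 20% in the bank example), and risk = likelihood x impact. All figures and scenario names are constructed for illustration.

```python
"""Quantifying risk from the security elements (added example, not from the page).

Assumed model (not stated in the notes): impact = asset value x exposure factor,
risk = likelihood x impact. Figures below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # monetary value of the asset at stake
    exposure_factor: float  # fraction of the asset a single exploitation affects (0..1)
    likelihood: float       # probability that the threat agent exploits the vulnerability (0..1)

    def impact(self) -> float:
        """Loss if the vulnerability is exploited once (asset value x exposure)."""
        return self.asset_value * self.exposure_factor

    def risk(self) -> float:
        """Expected loss: likelihood x impact."""
        return self.likelihood * self.impact()


def apply_safeguard(s: Scenario, likelihood_reduction: float = 0.0,
                    exposure_reduction: float = 0.0) -> Scenario:
    """Model a countermeasure: it may lower the likelihood (e.g. patching the
    flaw closes the door for the threat agent) and/or the exposure (e.g. limiting
    how much of the asset one exploitation can reach). Arguments are the fraction
    of the original figure removed; risk falls when either factor falls."""
    return replace(
        s,
        likelihood=s.likelihood * (1 - likelihood_reduction),
        exposure_factor=s.exposure_factor * (1 - exposure_reduction),
    )


def rank(scenarios):
    """Order scenarios by expected loss, highest first, to prioritise safeguards."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


# Constructed scenarios; the 20% exposure mirrors the bank example, the rest is invented.
BANK = Scenario("bank software flaw", asset_value=10_000_000, exposure_factor=0.20, likelihood=0.05)
PASSWORDS = Scenario("weak password rules", asset_value=2_000_000, exposure_factor=0.50, likelihood=0.30)
AV_SIGNATURES = Scenario("stale antivirus signatures", asset_value=500_000, exposure_factor=0.10, likelihood=0.60)

if __name__ == "__main__":
    for s in rank([BANK, PASSWORDS, AV_SIGNATURES]):
        print(f"{s.name:28s} impact={s.impact():>12,.0f} risk={s.risk():>10,.0f}")
    patched = apply_safeguard(BANK, likelihood_reduction=0.9)
    print(f"after patching the bank flaw: risk {BANK.risk():,.0f} -> {patched.risk():,.0f}")
```

Ranking by expected loss rather than by impact alone is the point: the bank flaw has the largest single-loss figure, but the weak password rules carry more expected loss because the threat is far more likely to be realized.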
Confidentiality
Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted and once it reaches its destination.
Threat sources
Network Monitoring
Shoulder Surfing: monitoring keystrokes or the screen
Stealing password files
Social Engineering: one person posing as the actual
Countermeasures
Encrypting data as it is stored and transmitted.
Using network padding.
Implementing strict access control mechanisms and data classification
Training personnel on proper procedures.
Integrity
Integrity of data is protected when the assurance of accuracy and reliability of information and system is provided, and unauthorized modification is prevented.
Threat sources
Viruses
Logic Bombs
Backdoors
Countermeasures
Strict Access Control
Intrusion Detection
Hashing
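Hashing is listed above as an integrity countermeasure; the following added example (not from the original notes) shows how it detects unauthorized modification of a stored record, and the caveat that goes with it: a plain hash can be recomputed by anyone who can rewrite the record, so the stored hash itself needs protecting by access control, or a keyed hash (HMAC) whose key the writer does not hold should be used instead. The record contents, the key and the tamper function are constructed for illustration.

```python
"""Integrity checking with hashing (added example, not from the page).

A plain SHA-256 digest detects that a stored record changed; an HMAC additionally
prevents someone with write access from recomputing a matching check value,
because producing a valid tag requires the key. Record and key are constructed.
"""
import hashlib
import hmac

# Constructed record and key (placeholders; a real key comes from a secret store).
RECORD = b"account=12345;balance=100.00;status=active"
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def digest(data: bytes) -> str:
    """Unkeyed SHA-256; detects changes but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256); a matching tag cannot be produced without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing through timing."""
    return hmac.compare_digest(digest(data), expected)


def verify_mac(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(mac(key, data), expected)


def tamper(data: bytes) -> bytes:
    """Simulate an unauthorized modification of the stored record (constructed)."""
    return data.replace(b"balance=100.00", b"balance=999999.00")


def demonstrate():
    """Return three booleans: plain hash catches the change; a writer who can
    also overwrite the plain hash defeats it; HMAC still catches the change
    when the writer lacks the key."""
    stored_hash = digest(RECORD)
    stored_tag = mac(INTEGRITY_KEY, RECORD)
    modified = tamper(RECORD)

    plain_catches = not verify_digest(modified, stored_hash)
    # Someone able to rewrite the record can rewrite an unkeyed hash beside it.
    overwritten_hash = digest(modified)
    plain_defeated = verify_digest(modified, overwritten_hash)
    # Without INTEGRITY_KEY no matching tag can be produced for the modified record.
    hmac_catches = not verify_mac(INTEGRITY_KEY, modified, stored_tag)
    return plain_catches, plain_defeated, hmac_catches


if __name__ == "__main__":
    print("plain hash catches change, plain hash defeated by writer, HMAC catches change:",
          demonstrate())
```

Hashing answers "has it changed?", not "who is allowed to change it?", so it pairs with the strict access control listed beside it: the key (for HMAC) or the stored digest (for a plain hash) must sit where the writers of the data cannot reach it.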
Availability
Availability ensures reliable and timely access to data and resources for authorized individuals.
Threat sources
Device or software failure.
Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability.
Denial-of-service (DoS) attacks
Countermeasures
Maintaining backups to replace the failed system
IDS to monitor the network traffic and host system activities
Use of certain firewall and router configurations
