Introduction
Security Threats
External and Internal Threats
- Weak Security Policies, including:
  - Unclassified or improperly classified information, leading to the divulgence or unintended sharing of confidential information with others, particularly outsiders.
  - Inappropriately defined or implemented authentication or authorization, leading to unauthorized or inappropriate access.
  - Undefined or inappropriate access to customer resources or contractors/suppliers, leading to fraud, misuse of information, or theft.
  - Unclearly defined roles and responsibilities, leading to lack of ownership and misuse of such situations.
  - Inadequate segregation of duties, leading to fraud or misuse.
  - Unclearly delineated hierarchy of “gatekeepers” who are related to information security, leading to assumed identities.
- Weak Security Administration, including:
  - Weak administrative passwords being misused to steal data or compromise the systems.
  - Weak user passwords allowed in the system and applications, leading to unauthorized access and information misuse.
  - Inappropriately configured systems and applications, leading to errors, wrong processing, or corruption of data.
  - Non-restricted administrative access on the local machines and/or network, leading to misuse of the system or infection of the systems.
  - Non-restricted access to external media such as USB or personal devices, leading to theft of data or infection of the systems.
  - Non-restricted access to employees through personal devices or from unauthenticated networks and the like, leading to data theft.
  - Unrestricted access to contractors and suppliers, leading to theft or misuse of information, including through dumpster diving or shoulder surfing.
  - Unrestricted website surfing, leading to infections by viruses, phishing, or other malware.
  - Unrestricted software downloads, leading to infection, copyright violations, or software piracy.
  - Unrestricted remote access, leading to unauthorized access or information theft.
  - Accidentally deleting data permanently.
- Lack of user security awareness, including:
  - Identity theft and unauthorized access due to weak password complexity.
  - Not following company policies, such as appropriate use of assets, clean desk policy, or clear screen policy, leading to virus attacks or confidential information leakage.
  - Divulging user IDs and/or passwords to others, leading to confidential information leakage.
  - Falling prey to social engineering attacks.
  - Falling prey to phishing and similar attacks.
  - Downloading unwanted software, applications, images, or utilities/tools, leading to malware, viruses, worms, or Trojan attacks.
  - Improper e-mail handling/forwarding, leading to loss of reputation or legal violations.
  - Improper use of utilities like messengers or Skype and unauthorized divulgence of information to others.
  - Inappropriate configuration or relaxation of security configurations, leading to exploitation of the systems.
  - Entering incorrect information by oversight and not checking it again, or processing the wrong information.
  - Ignoring security errors and still continuing with transactions, leading to the organization being defrauded.
External Threats | Internal Threats |
---|---|
Physical Threats | Human Threats |
Natural disasters like cyclones, hurricanes, floods, earthquakes, etc. | Frauds, misuse of assets or information |
Fire | Errors or mistakes by the employees |
Terrorist threats like bombs, hostage situation | Espionage, shoulder surfing |
Hardware destruction | Social engineering by the employees |
Physical intrusion | Exploitation of lack of knowledge or ignorance of fellow employees |
Sabotage | Use of weak administrator passwords or passwords of others and gaining unauthorized access |
Theft of assets, intellectual property, and other sensitive assets/information | Theft |
Network Threats | Policies not executed or followed |
Sniffing or eavesdropping | Improper segregation of duties leading to fraud or misuse |
TCP/IP issues like snooping, authentication attacks, connection hijacking | Malware infection threats due to infected media usage or unauthorized software downloads |
Spoofing | Internal Application Issues |
Man in the middle attack | Unvalidated inputs |
Denial of service attacks | Misconfigured application leading to errors or wrong processing |
SQL injection | Inappropriate error or exception handling leading to issues |
Exploitation of default passwords on network equipment being unchanged | Parameter manipulations; manipulation of buffer overflows |
Exploitation of weak encryption | Unauthorized access |
Software Issues | Other Issues |
Defects leading to errors | Unrestricted access to USB leading to pilferage of information |
Defects being exploited | System or data corruption due to power surges, temperature control failure, or other reasons |
Malware like viruses, worms, Trojans, back doors | Hardware failure due to malfunctioning |
Bots or botnets | Infrastructure like UPS failure due to improper maintenance |
Unvalidated inputs | |
Authentication attacks | |
Exploitation of misconfigurations | |
Session management related issues | |
Inappropriate error handling or exception handling by the applications | |
Buffer overflow issues | |
Cryptography wrongly handled by applications | |
Parameter manipulations | |
Operating system related issues: security flaws in the operating system | |
Human Threats | |
Social engineering | |
Attack by hackers/man in the middle | |
Blackmail, extortion | |
Espionage | |
Compliance Threats | |
Information Security Frameworks and Information Security Architecture
- An Information Security Management Systems Framework provided by Information Technology – security techniques – information security management systems – requirements (ISO/IEC 27001:2013), supported by Information Technology – security techniques – code of practice for information security controls (ISO/IEC 27002:2013) and related standards.
- NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View, complemented by 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.
- SABSA® (SABSA® is a registered trademark of The SABSA Institute, which governs and co-ordinates the worldwide development of the SABSA Method.)
Information Security Management Systems Framework Provided by ISO/IEC 27001:2013
NIST Special Publication 800-39 complemented by 800-53
- The components of risk management
- The multi-tiered risk management approach
- Risk management at the organization level (Tier 1)
- Risk management at the mission/business process level (Tier 2)
- Risk management at the information system level (Tier 3)
- Risk related to trust and trustworthiness
- The effects of organizational culture on risk
- Relationships among key risk management concepts
- A general overview of the risk management process
- How organizations establish the context for risk-based decisions
- How organizations assess risk
- How organizations respond to risk
- How organizations monitor risk over time
- Multi-tiered risk management
- The structure of security controls and how the controls are organized into families
- Security control baselines as starting points for the tailoring process
- The use of common controls and inheritance of security capabilities
- External environments and service providers
- Assurance and trustworthiness
- Revisions and extensions to security controls and control baselines
- Selecting the appropriate security control baselines
- Tailoring the baseline controls, including developing specialized overlays
- Documenting the security control selection process
- Applying the selection process to new and legacy systems
SABSA®
Security Layer | Description |
---|---|
Business View or Contextual Security Architecture | The goals the business wants to achieve; the functional description of the same; the users, their requirements, their numbers, etc.; locational requirements and dependencies; usage patterns over time, etc. Primary considerations are: the business and its assets which need to be protected and the business needs for information security; business risks expressed in terms of business opportunities and the threats to business assets; business processes that require security; structural aspects of business security including external support structures; business geography and location-related aspects of business security; the time-related aspects of business security. |
Architect’s View or Conceptual Security Architecture | What needs to be protected expressed in terms of SABSA Business Attributes; the importance of protection in terms of controls and enablement objectives; how to achieve this protection through high-level technical and management security strategies, business process mapping framework; who is involved in the security management in terms of roles and responsibilities; where the architect wants the protection to be conceptualized in terms of security domains; when the protection is relevant in terms of a business time-management framework. |
Designer’s View or Logical Security Architecture | The business information that needs to be secured; security and risk management requirements for securing the business related information; specifying the logical security services and how they fit with each other; specifying the entities, their inter-relationships, their attributes, authorized roles and privilege profiles, etc.; specifying the security domains and inter-domain relationships; specifying the security related calendar and time-frames, etc. |
Builder’s View or Physical Security Architecture | Specifying the business data model and the security related data structures; specifying the rules that drive the logical decision making within the system; specifying the security mechanisms including the physical applications, middleware, servers, etc.; specifying people dependency in terms of human interface and access control systems; specifying the physical layout of the security technology infrastructure, etc. |
Tradesman’s View or Component Security Architecture | ICT components including data repositories and processors; risk management related tools; process tools and standards; personnel management tools and products; locator tools and standards; step timings and sequencing tools, etc. |
Service Manager’s View or Service Security Management Architecture | Service delivery management; operational risk management; process delivery management; personnel management; environment management; schedule management. |
Framework | SABSA® | NIST SP 800-39 & 800-53 | ISO/IEC 27001:2013 |
---|---|---|---|
Advantages | 1. Business focused. 2. Consideration zone is the enterprise. 3. Multi-layered approach covering essential aspects. 4. Steps provided to clearly guide the implementation of infrastructure security architecture. 5. Compulsorily involves different views. 6. Various stakeholders, including business users, are involved in arriving at the information security architecture. | 1. Business focused. 2. Consideration zone is the organization. 3. Well-focused risk identification, management and control framework built in: multi-tiered risk assessment. | 1. Consideration zone is normally the organization. 2. Well-focused risk identification, management and control framework. 3. Several controls which can be useful are suggested. 4. Each control has been explained in detail in ISO/IEC 27002:2013. 5. There are many guidelines by ISO which support the above, like ISO/IEC 31000:2009, etc. |
Disadvantages | 1. Some risks may not be considered if the risk assessment methodology used is not robust, as the focus is more on business enablement and business considerations may overshadow the risks. | 1. Success depends upon the involvement of relevant stakeholders with appropriate knowledge, experience and expertise, and on identifying the risks appropriately. | 1. No layered focus specified directly, but only indirectly through the control clauses. Success depends upon the involvement of all relevant stakeholders and the expertise in proper risk assessment and risk treatment. |
Pillars of Security
People
Organization of Information Security
The Need for Independence
Specific Roles and Responsibilities
Audit Committee or Information Security Committee at the Board Level
Information Security Sponsor or Champion
- Promote the culture of information security in the organization
- Communicate strongly and sincerely the need for information security
- Appoint/assign other such roles so as to effectively implement information security within the organization
- Support the funding of information security projects
- Demonstrate a high commitment to information security
Chief Information Security Officer or Information Security Officer
- Understand the information security risks to the entire organization, including to the business, information processing facilities, IT environment, and physical environment, both from the external and internal perspective
- Ensure that the risk assessment is carried out and the risk mitigation plans are put into effect when necessary
- Guide the entire organization on the need for information security
- Determine appropriate policies in the context of various areas of relevance to information security
- Determine and publish various procedures or work instructions to implement the policies of relevance to information security
- Educate and motivate internal and external stakeholders, including the suppliers and contractors, to effectively implement information security requirements
- Analyze information security incidents and take the corrective actions as appropriate to information security related incidents
- Ensure that personnel of the organization, suppliers, contractors, and customers, as necessary, are educated or made aware of the means of ensuring information security
- Coordinate with external agencies/forums to understand the prevailing or possible information security issues
- Report the status of information security in the organization to the CEO, the president, or the Board, as required
Information Security Forum
Information Security Specialists
Project Managers
Data Owners
Data Custodians
Users of the data
Role | Responsibility |
---|---|
Audit Committee of the Board | • Act as an advocate of information security at the board level and convince other board members of the importance of information security • Bring sufficient focus on information security aspects in various decision making processes |
Information Security Champion or Sponsor | • Promote the culture of information security within the organization • Assign/appoint appropriate roles to effectively support information security • Promote strongly and sincerely the need for information security |
CISO | • Ensure proper risk assessment and determination of appropriate controls • Ensure the definition of appropriate policies, procedures, and processes • Coordinate with other agencies and forums to understand threats to information security • Report the status of information security to the management • Motivate and train employees, contractors, and suppliers on information security do’s and don’ts |
Information Security Forum | • Ensure collaboration across all functions/departments, including business • Ensure a focus on the execution of information security across the organization |
Information Security Specialists | • Provide an unbiased and frank opinion on current or potential risks related to information security • Assist the CISO in an effective understanding and implementation of information security requirements, risks, architecture, products, and technology |
Project Managers | • Consider information security related risks and mitigate them throughout the project life cycle |
Data Owner | • Understand the characteristics and sensitivity of the data and provide the appropriate access/restrict access • On a periodical basis, review the access granted to ensure its continued appropriateness |
Data Custodian | • Ensure the safety of the data and act as per the directions of the data owners |
Users of the Data | • Ensure that data is used only for the purposes for which it is intended • Follow all the policies, procedures, and processes diligently to ensure the security of information assets |
Authority for Information Security
Policies, Procedures, and Processes
- Information Security Management Systems Policy
- Access Control Policy
- Information Classification and Handling Policy
- Physical and Environmental Security Policy
- Acceptable Use of Assets Policy
- Clear Desk and Clear Screen Policy
- Privacy and Protection of Personally Identifiable Information Policy
- Mobile Devices and Teleworking Policy
- Backup Policy
- Restrictions on Software Installations and Use Policy
- Protection from Malware Policy
- Management of Technical Vulnerabilities Policy
- Information Transfer Policy
- Communications Security Policy
- Cryptographic Controls Policy
- Policy on Supplier Relationships
Technology
Information Security Concepts
CIA Triad
Confidentiality
- You have decided on a business strategy to counter a competitor and it is leaked to others accidentally or by an aggrieved senior management person who just left the organization.
- You have innovated a new technological idea and want to patent it. But, before you patent it, the same idea is copied by someone, further passed on to someone else, and patented by them instead.
- The patient information and medical records of the patients you have stored have been stolen and made public.
- You find that one of the administrative passwords is compromised and significant data of a confidential nature has been stolen.
Integrity
- You have received a letter purported to be from a customer company in which they ask for some important information to be divulged to one of their suppliers. You find something fishy in the letter and, upon investigation, you find that the letter was fake and originated from a supplier company, not from the customer company.
- You were given critical, confidential information about the strategy of your competitor company, purported to be leaked by one of their employees, but you find that it was conveyed to you in a misleading way in order for you to make the wrong decision.
- You were given the correct information, but only a portion of it; the other portion, which was crucial, would have given you an entirely different perspective on the matter had you been told.
Availability
- You are required to send an important note to your customer and you find that your e-mail system or Internet is not responding.
- You are required to carry out certain work, your reference documents are in a particular database, and that database is down for technical reasons.
- You are required to initiate an important request through one of your applications and you find that the application is not responding.
Parkerian Hexad
- “Confidentiality” is defined as the “quality or state of being private or secret; known only to a limited few.”
- “Possession or Control” is defined as “a state of having in or taking into one’s control or holding at one’s disposal; actual physical control of property by one who holds for himself, as distinguished from custody; something owned or controlled.”
- “Integrity” is defined as “unimpaired or unmarred condition; soundness; entire correspondence with an original condition; the quality or state of being complete or undivided; material wholeness.”
- “Authenticity” is defined as “authoritative, valid, true, real, genuine, or worthy of acceptance or belief by reason of conformity to fact and reality.”
- “Availability” is defined as “capable of use for the accomplishment of a purpose, immediately usable, accessible, may be obtained.”
- “Utility” is defined as “useful, fitness for some purpose.”
Implementation of Information Security
Risk Assessment
Planning and Architecture
Gap Analysis
Integration and Deployment
Operations
Monitoring
Legal Compliance and Audit
Crisis Management
Principles of Information Security
- Principle 1: Computer Security Supports the Mission of the Organization
  As we have seen, every organization has objectives to achieve, whether they are business goals or social goals. Any other system, whether an information technology system, a set of procedures, or otherwise, is rendered useless if it does not enable the achievement of these primary objectives of the organization alongside its own goals.
- Principle 2: Computer Security is an Integral Element of Sound Management
  This principle is straightforward, and it cannot be more relevant than in today’s world. In today’s well-connected world, where attacks can be launched against any system from any other part of the world and nobody can be absolutely sure of the protection put in place, information security can be ignored only at the peril of the organization.
- Principle 3: Computer Security Should Be Cost-Effective
  At the end of the day, every organization has to sustain and grow its business and profitability. Even organizations with social objectives have limited funding available to them, and the expectation is that they use it judiciously. Hence, just because an excellent security system is available in the market, one should not go ahead with it unless the benefits accrued by its usage are far greater than the costs of its purchase and implementation. This is one of the fundamental requirements for any organization of any size in any business.
- Principle 4: Systems Owners Have Security Responsibilities Outside Their Own Organization
  Today, in the era of the Internet and web applications, many systems are used by users, whether employees or customers, from outside the organization’s physical boundaries. Every individual has the right to be assured that the system or applications that she/he is using are secure. It is the organization’s responsibility to ensure that safety is built into these applications and that their users are duly assured of the security in them. No organization can shirk its responsibility in this regard, as the growth of business, in recent times, depends on new tools of doing business.
- Principle 5: Computer Security Responsibilities and Accountability Should Be Made Explicit
  Having clarity is what makes the difference when it comes to achievement. As we have seen, decisions are not made by the people who normally work with the data because the authorities are not clearly defined and assigned. Such a state of confusion can lead to disasters in organizations today, as computer security incidents or breaches, and the disasters on account of them, have to be dealt with using speed, precision, and clarity. Earlier in this chapter, we elaborated on the whys and hows of clear demarcation of information security roles, responsibilities, and authorities, which will ensure successful compliance towards information security. Negligence cannot be excused in the field of information security, as organizations can be severely affected by reputation loss, business loss, penalties, etc. Accountability is brought in clearly and effectively through clarity on roles, responsibilities, and authorities.
- Principle 6: Computer Security Requires a Comprehensive and Integrated Approach
  Most organizations operate in a highly competitive environment. For their efficiency and effectiveness, all aspects of business, business enablers, and business protection systems have to work in perfect harmony and need to complement and supplement each other seamlessly in a comprehensive and integrated approach. This is what we emphasized throughout our discussions in this chapter, including in the context of information security frameworks/architecture.
- Principle 7: Computer Security Should Be Periodically Reassessed
  As we discussed earlier, change is the only constant in this world. In the changing context, we need to navigate in the right direction. In order to check our direction and make course corrections, we need to carry out periodical reassessment of the organization’s computer security. We have already discussed the benefits of periodical gap analysis through periodical risk assessment as a means of course correction.
- Principle 8: Computer Security is Constrained by Societal Factors
  It is true that there is a possibility of conflict between information security requirements and societal factors, e.g. logging activities and privacy requirements. While each of them has significance of its own, we need to ensure a balance between them. The balancing depends upon the context and expectations. It is possible that under certain circumstances, one can complement and support the other.
Chapter Summary
- In this chapter, we attempted to lay a strong foundation for the next few chapters. We explored four important layers of information security, namely Physical Security (which includes Hardware Security), Network Security (which includes Communications Security), Software Security (which includes Operating System Security, Applications Security, and Security of Utilities/Tools), and Human Security (which is people related). We saw how each of these layers contributes to overall information security at any organization. We also saw how the policies, procedures, and processes contribute to the overall scheme of information security. Through a context diagram, we also depicted various important controls of each of these layers.
- We explored various security threats and categorized them into external threats and internal threats based on the origin of these threats. Then we identified some of the important external and internal threats under each of the layers, including Physical Security, Network Security, Software Security, and Human Security.
- We also explored the generic multi-layered approach to information security architecture which can be used by any organization, and we looked at important components of each of these layers. We also looked at additional aspects covered by “defense-in-depth” and how it can help an organization respond to information security breaches or incidents. We touched upon some of the important frameworks/architectural models of information security, like ISO/IEC 27001:2013 complemented by ISO/IEC 27002:2013, NIST SP 800-39 and SP 800-53, and SABSA. We then explored the above frameworks/architectural models in detail and how these lead to a secure information security architecture for any organization. We also looked at the advantages and disadvantages of each of these.
- We examined the three important pillars of security: People; Policies, Procedures, and Processes; and Technology. We explored how the organization has to equip itself for effective implementation of information security, the importance of independence of information security personnel, and what the typical information security roles and responsibilities are. We also stressed the need for clearly specifying the authorities related to information security. We then detailed how policies, processes, and technology effectively contribute to and support people in implementing information security.
- We discussed the CIA triad (which was the traditionally accepted model of information security) and the Parkerian Hexad, which extended upon the CIA triad. We explored some of the important definitions of confidentiality, integrity, and availability from the U.S. Code/NIST and other standards/forums. We noted that the various definitions are at variance with each other. We also looked at the variances between the definitions from NIST and those from the Parkerian Hexad. We also looked at some examples of each property of information security as per the CIA triad and as per the Parkerian Hexad.
- We suggested one approach for effectively implementing information security in any organization, whether a new organization or an existing one. We elaborated upon the need for risk assessment and the various frameworks for risk assessment, the importance of appropriate planning, the need for a robust information security architecture, periodical gap analysis, the need for execution discipline in operations, the importance of regular monitoring, the importance of legal compliance and periodic audits, and crisis management.