In Mainframe days, risk was lesser as not many people know the technology. Today’s infrastructure is complex and has many people and devices interacting with each other. Software is also becoming complex. The more complex the software is, the more difficult it is secure it. Now, security is important as it protects our data and privacy.
FUNDAMENTAL PRINCIPLES OF SECURITY: Availability, Integrity and Confidentiality are three fundamental principles of security on which most the security controls are built and risk of vulnerabilities are assessed
Availability means being able to provide resources and data in time.
Mechanisms to provide availability: Redundant disks, clustering, Database backup
Mechanisms to provide availability: Redundant disks, clustering, Database backup
Integrity means being able to protect the resources and data from unreliable and unauthorized modifications.
Mechanisms to provide Integrity: Access Control, Hashing, Change control
Shoulder surfing is when a person looks over the shoulder to observe keystrokes or data entered. Social engineering is when a person poses as an authorized person and tries to retrieve the data.
Mechanisms to provide Integrity: Access Control, Hashing, Change control
Shoulder surfing is when a person looks over the shoulder to observe keystrokes or data entered. Social engineering is when a person poses as an authorized person and tries to retrieve the data.
Confidentiality means keeping the secrecy of resources and data away from unauthorized access.
Mechanisms to provide confidentiality: whole disk or database encryption, encrypted transmission (IPSec, SSL, SSH), Access Control
Mechanisms to provide confidentiality: whole disk or database encryption, encrypted transmission (IPSec, SSL, SSH), Access Control
SECURITY DEFINITIONS:
Vulnerability: A flaw in the system or a lack of countermeasure that allows an attacker to intrude into the system. Eg: Unpatched Software
Threat: A potential danger caused by exploiting a vulnerability. Eg: A virus may disrupt the system. Threat agent is one who causes the threat.
Risk: The likelihood of exploiting a vulnerability and the corresponding business impact.
Exposure: An instance of being exposed to losses. Eg: A virus has disrupted the system and exposed the company to loses.
Control or countermeasure is out in place to mitigate the risk of a vulnerability. Eg: Patching or updating the signatures of antivirus software.
Threat: A potential danger caused by exploiting a vulnerability. Eg: A virus may disrupt the system. Threat agent is one who causes the threat.
Risk: The likelihood of exploiting a vulnerability and the corresponding business impact.
Exposure: An instance of being exposed to losses. Eg: A virus has disrupted the system and exposed the company to loses.
Control or countermeasure is out in place to mitigate the risk of a vulnerability. Eg: Patching or updating the signatures of antivirus software.
CONTROL TYPES
- Administrative or Soft Control: Management Oriented. Eg: Security Documentation, Risk Management, Trainings
- Technical or Logical Control: Software or hardware security controls. Eg: Firewalls, Intrusion Detection Systems, Antivirus, Encryption
- Physical Control: To protect facility, personnel and resources. Eg: Security guards, swipe cards, fences
Defence-in-Depth: Employing a combination of different controls at various layers to make an intrusion difficult. Type of control implemented depends on the threats a company faces and number of layers of controls depends on the sensitivity of data to be protected.
Control categories:
- Deterrent Control: Intend to discourage a potential attacker
- Preventive Control: Intend to avoid on incident from happening
- Corrective Control: Intend to rectify software or hardware component after an attack
- Recovery Control: Helps to recover a system to its normal operation after an attack
- Detective Control: Helps to identify an attack
- Compensating Control: An alternative control with the same functionality
SECURITY FRAMEWORKS
Security through obscurity is assuming your enemies are unaware of your internal implementation, hence cannot attack your system. Eg: building a custom encryption standard is insecure compared to implementing a proven encryption algorithm.
Some standard bodies who established the frameworks
- ISO: International Organization for Standardization
- IEC: International Electrotechnical Commission
- ISACA: Information Systems Audit and Control Association
- ITGI: IT Governance Institute
- NIST: National Institute of Standards and Technology
- COSO: Committee of Sponsoring Organizations
US congress passed Clinger-Cohen act which requires federal agencies to improve their IT expenditures.
British Standard 7799 (BS 7799): 1995 by British Standards Institution. Covers information required to plan, design and implement an organization’s Information Security Management System (ISMS).
It covers security policies, processes and mechanisms like
- Security Policies Preparation
- Asset Classification
- Access Controls
- Physical Security
- Security Infrastructure
- Change Controls
- Business Continuity and Disaster recovery
- Secure Software implementation policies
BS 7799 was improved by ISO and IEC as ISO/IEC 27000 series of standards. ISO standards are based on Plan, Do, Check, Act (PDCA) cycle.
- ISO/IEC 27000 – Overview and Vocabulary
- ISO/IEC 27001 – ISMS Requirements
- ISO/IEC 27002 – Code of practice for information security management
- ISO/IEC 27003 – Guideline for ISMS implementation
- ISO/IEC 27004 – Guideline for information security management measurement and metrics framework
- ISO/IEC 27005 – Guideline for information security RISK management
- ISO/IEC 27006 – Guidelines for bodies providing certification and audit for ISMS
- ISO/IEC 27007 – Guideline for ISMS auditing
- ISO/IEC 27011 – Information Security Management guidelines for telecommunication organizations
- ISO/IEC 27031 – Guideline for Information and communications technology readiness for business continuity
- ISO/IEC 27033-1 – Guideline for Network Security
- ISO 27799 – Guideline for Information Security Management in health organizations
Enterprise Architectures:
Stakeholders are people who use the data or application. Views is the state or format of data required for each stakeholder.
Zachman Architecture: It was developed by John Zachman. Looks at the application in two dimensional view with basic questions What, Where, When, Why, Who, How on one side and different roles Planner, Designer, Implementer, Owner, Builder, Worker on the other side. It helps to identify enterprise functionality and data from the perspective of various users.
No comments:
Post a Comment