In this chapter, we will review the goals of an information security program, and you will be introduced to the information security model, a three-dimensional model, which will be the foundation for learning the concepts of confidentiality, integrity, and availability.
- 1. Identify the concepts of confidentiality, integrity, and availability.
- 2. Perform packet-level analysis.
Information Security Model
In 1991, John McCumber created a framework for establishing and evaluating information security (information assurance) programs, now known as the McCumber Cube. The model is depicted as a three-dimensional grid whose axes are the information security properties (desired goals), the information states, and the safeguards.
- 1. Desired Goals: The first dimension of the information security model is made up of the three information security properties: confidentiality, integrity, and availability. Use the acronym CIA to remember these three principles.
Confidentiality prevents the disclosure of information to unauthorized people, resources, and processes.
Integrity ensures that information or processes have not been modified in an unauthorized or undetected way.
Availability ensures that information is accessible to authorized users when it is needed.
- 2. Information States: Data can be stored on a hard drive, transmitted across a network or the Internet, or processed through manipulation by software. The second dimension of the information security model therefore consists of processing, storage, and transmission.
- 3. Safeguards: The third dimension consists of three kinds of safeguards: technology, policies and procedures, and education (training and awareness). Technology is usually what most information technology (IT) professionals think of first when contemplating solutions to the information security puzzle, but policies and procedures provide the foundation for an organization. How would you know how to configure your firewall, a technology-based safeguard, without the proper policies and procedures to guide you? Educating employees through a security awareness training program is essential if the security measures implemented within an organization are to be effective.
Everything that you learn about information security can be related back to one of the cells of this three-dimensional model.
Operational Model of Computer Security
The operational model of computer security recognizes that prevention alone is never complete. Protection is the sum of prevention (access controls, firewalls, encryption) plus the measures used for detection (intrusion detection systems, audit logs, honeypots) and response (backups, incident response, computer forensics): Protection = Prevention + (Detection + Response).
Prevention: Access controls, firewalls, and encryption
Detection: Audit logs, intrusion detection, and honeypots
Response: Backups, incident response, and computer forensics
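The detection and response legs of the model are easiest to see on real data. The following added example (not part of the original chapter) runs a simple detector over a constructed sample of sshd-style audit log lines: it parses the failed-password events, applies a sliding-window threshold per source address, and turns the alerts into a deny list as the response step. The log lines, the threshold of five failures in five minutes, and the IP addresses are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in an sshd-like format (not taken from a real system).
# 203.0.113.7 hammers two accounts within seconds; 198.51.100.9 fails twice, 15 minutes apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-03-01T10:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:06 sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-03-01T10:00:07 sshd[1201]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-01T10:00:09 sshd[1201]: Accepted publickey for alice from 198.51.100.5 port 40112 ssh2
2024-03-01T10:15:00 sshd[1201]: Failed password for bob from 198.51.100.9 port 40200 ssh2
2024-03-01T10:30:00 sshd[1201]: Failed password for bob from 198.51.100.9 port 40201 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional in sshd output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Detection: return {source_ip: time_of_first_alert} for every source that
    produced at least `threshold` failures inside a sliding `window`."""
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    alerts = {}
    for ts, _user, ip in sorted(parse_failures(log_text)):
        events = recent[ip]
        events.append(ts)
        # Slide the window: forget events older than `window` relative to this one.
        while events and ts - events[0] > window:
            events.pop(0)
        if len(events) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def response_blocklist(alerts):
    """Response: the alerted sources become a deny list that a firewall or
    host-based control can consume (rule syntax depends on the product)."""
    return sorted(alerts)


if __name__ == "__main__":
    found = detect_brute_force(SAMPLE_LOG)
    for ip, when in found.items():
        print(f"ALERT {ip} reached threshold at {when.isoformat()}")
    print("deny list:", response_blocklist(found))
```

The two slow failures from 198.51.100.9 never trip the detector because the window slides; the burst from 203.0.113.7 does, at the fifth failure. Tuning the threshold and window is where the prevention, detection and response pieces meet: too tight and legitimate typos lock users out, too loose and a patient attacker stays under the radar.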
Diversity of Defense
- 1. Layered security (defense in depth) provides the most comprehensive protection. Limit access to reduce exposure; if attackers penetrate one layer, diversity ensures that they cannot reuse the same method to penetrate the next.
- 2. Obscuring information can add some protection. If an attacker does not know which operating system or software version a device is running, he cannot determine its weaknesses as easily. Obscurity should only supplement other controls, never replace them, because it stops helping the moment the attacker learns the hidden detail.
- 3. Using different kinds of security mechanisms, for example keeping a system simple to operate from the inside while presenting a complex, varied surface to an outsider, can be beneficial: a single flaw in one product or technique does not then defeat every layer.
Communications Security
Cryptosecurity: Cryptosecurity is the component that ensures that cryptosystems are sound and being used properly.
Transmission Security: Transmission security measures protect transmissions from interception.
Physical Security: Provides the physical measures that safeguard classified equipment, data, and documents.
Emission Security: Includes measures taken to prevent an unauthorized person from intercepting or analyzing emanations, or the electronic signals that a device may produce.
Access Control
Access control defines the protection schemes that prevent unauthorized access to a computer system or network. Many devices can be configured with an access control list (ACL) that specifies which subjects hold which access privileges on a resource. Being able to log on to the corporate network does not mean that you have permission to use the high-speed color printer: logging on establishes who you are, and the ACL decides what that identity may do.
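The printer example above reduces to an ACL evaluation. The following added example (not from the original chapter) implements the two rules practitioners expect of such a check: access is denied unless an entry grants it, and an explicit deny entry wins over any allow. The user names, groups, resources and entries are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    subject: str      # user name, or a group name prefixed with "group:"
    obj: str          # resource the entry applies to
    permission: str   # action on the resource, e.g. "read", "print"
    allow: bool       # True = explicit allow, False = explicit deny


# Constructed example directory and ACL (assumptions, not data from the page).
GROUPS = {
    "alice": {"group:staff", "group:marketing"},
    "bob": {"group:staff"},
}

ACL = [
    AclEntry("group:staff", "file-server", "read", True),
    AclEntry("group:marketing", "color-printer", "print", True),
    AclEntry("bob", "color-printer", "print", False),  # explicit deny for bob
]


def principals(subject):
    """The identities an entry can match for this subject: the user plus its groups.
    An unknown user has no groups and therefore matches only entries naming it."""
    return {subject} | GROUPS.get(subject, set())


def is_allowed(subject, obj, permission, acl=ACL):
    """Default deny. Walk every matching entry: any explicit deny short-circuits
    to False; otherwise the result is True only if some entry allowed it."""
    allowed = False
    for entry in acl:
        if entry.obj != obj or entry.permission != permission:
            continue
        if entry.subject not in principals(subject):
            continue
        if not entry.allow:
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, "may print:", is_allowed(who, "color-printer", "print"))
```

Note that bob is a member of staff and can read the file server, yet the deny entry keeps him off the printer even if a broader allow were added later; and carol, who can presumably log on, has no entry at all and is denied by default.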
Authentication
Authentication verifies the identity of a user. The subject proves that identity with one or more factors: (1) something you know, such as a password; (2) something you have, such as a token or card (for example, a badge); or (3) something you are, a biometric such as a fingerprint.
Authentication is the first step of access control, which governs the ability of a subject (an individual or a process running on a computer system) to interact with an object (a file or a hardware device). When you go to an ATM for cash, you need your bank card, something you have, and its PIN, something you know. Requiring factors of more than one type in this way is multifactor authentication. The most popular form of authentication is still the password alone, which is also the factor most easily guessed, reused, or phished.
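The ATM case combines a "something you know" factor with a "something you have" factor. The following added example (not part of the original chapter) does the same for a computer login: the password is checked against a salted PBKDF2 hash, and the possession factor is a time-based one-time password as produced by an authenticator app (TOTP, RFC 6238, built on HOTP, RFC 4226). The shared secret is the RFC 6238 reference secret so the codes can be checked against the published test vectors; the user record layout and the constant-time comparison of both factors are design choices of this example.

```python
import hashlib
import hmac
import os
import struct


# --- Factor 1: something you know. Store only a salted, slow hash of the password. ---
def hash_password(password, salt=None, iterations=600_000):
    """Return (salt, iterations, digest) for storage; never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# --- Factor 2: something you have. TOTP per RFC 6238 on top of HOTP per RFC 4226. ---
def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret, code, unix_time, step=30, skew=1):
    """Accept the current 30-second step plus/minus `skew` steps to tolerate clock drift."""
    counter = int(unix_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew, skew + 1)
        if counter + d >= 0
    )


def authenticate(record, password, code, unix_time):
    """Both factors must pass. Both are always evaluated, so a failure does not
    tell the caller which factor was wrong."""
    pw_ok = verify_password(password, record["salt"], record["iterations"], record["digest"])
    otp_ok = verify_totp(record["totp_secret"], code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed user record; the TOTP secret is the RFC 6238 reference secret.
    salt, its, digest = hash_password("correct horse battery staple")
    record = {"salt": salt, "iterations": its, "digest": digest,
              "totp_secret": b"12345678901234567890"}
    print("code at t=59:", totp(record["totp_secret"], 59))          # 287082
    print("login ok:", authenticate(record, "correct horse battery staple", "287082", 59))
```

With the RFC secret, the code for Unix time 59 is 287082 (the 8-digit vector 94287082 truncated to six digits). Note what the second factor does and does not buy: a stolen password alone no longer logs in, but a phished one-time code is valid for the current step and its neighbours, so the skew window should stay small.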
Social Engineering
Social engineering is the art of convincing an individual to provide you with confidential information. No technology is required, just the gift of gab. Its success relies on the fact that most individuals in the business community are customer service-oriented and do their best to be of assistance. Remember, the weakest link in the security chain of a company is its people.
Beyond information, it is also used to obtain physical or system access for an unauthorized individual.
It is one of the most successful methods that attackers use to gain access to computer systems and networks.
It exploits the fact that most people have an inherent desire to be helpful or avoid confrontation.
It gathers seemingly useless bits of information that, when put together, divulge other sensitive information.
Security Trends
The level of sophistication of attacks has increased, while the level of knowledge necessary to exploit vulnerabilities has decreased. The sheer volume of attacks is increasing, and for most organizations it is not a question of if, but when. As the popularity of mobile devices increases, so does mobile malware. Think about the recent popularity of social networks: it does not take long for a technology to become popular, followed closely by ways to exploit its vulnerabilities. Current trends include:
Unauthorized access
Phishing
Bots (compromised machines under an attacker's remote control) on the network
Due Care and Due Diligence
- 1. Due care refers to the steps an organization takes to protect the company, its resources, and its employees by having policies and procedures in place.
- 2. Due diligence requires that management carry out continual activities to ensure that protective measures are maintained and operational. The standard here is that of a "prudent person": would a prudent person find the activities appropriate and sincere?
Summary
The goals of an information security program rest on the foundational concepts of confidentiality, integrity, and availability. These three principles form one dimension of the information security model. In this lesson you learned about different layers of defense and the importance of access control and authentication. Stay informed regarding the latest security trends to help prevent exploitation of the vulnerabilities that accompany new technology.
Resources
Information Assurance: https://searchcompliance.techtarget.com/definition/information-assurance
CIA Triad: www.techrepublic.com/blog/it-security/the-cia-triad/488/
McCumber Cube: www.captechu.edu/blog/learning-language-of-cybersecurity