Basic Information Security Concepts

Several different concepts are helpful in understanding information security and the laws that affect it. Laws that regulate information security are often justified by risk management, the process of understanding the risks that an organization faces and then taking steps to address or mitigate them. You will briefly learn about basic risk management concepts and terms here.

Vulnerabilities

A vulnerability is a weakness or flaw in an information system. They may be construction or design mistakes, as well as flaws in how an internal safeguard is used or not used. Not using antivirus software on a computer, for instance, is a vulnerability. Vulnerabilities can be exploited (used in an unjust way) to harm information security.

There are many different types of vulnerabilities. You can classify them into the following broad categories:

  • People
  • Process
  • Facility
  • Technology

People can cause several vulnerabilities. For example, one employee could know too much about a critical function in an organization. This is a violation of the separation of duties principle. This rule requires that two or more employees must split critical task functions so that no one employee knows all of the steps of the critical task. When only one employee knows all of the steps of a critical task, that employee can use the information to harm the organization. The harm may go unnoticed if other employees cannot access the same information or perform the same function.

NOTE

A common example of the separation of duties principle is a rule requiring two people to sign organization checks. This is so one person cannot steal from the organization by writing and signing checks made out to himself or herself. Requiring two signatures thus protects the organization.

Process-based vulnerabilities are flaws or weaknesses in an organization’s procedures that an attacker can exploit to harm security. Process-based vulnerabilities include missing steps in a checklist, as well as not having a checklist in the first place. Another process vulnerability is the failure to apply hardware and software vendor patches in a timely manner. A patch is a piece of software or code that updates a program to address security or other operational problems. Patches are available for many types of software, including operating systems. Software and information systems may be open to attack if patches are not properly applied.

Facility-based vulnerabilities are weaknesses in physical security. Buildings, equipment, and other property are resources an organization must protect. An example of poor physical security is an organization that does not have a fence around its property. Another is an open server room that any employee can access.

Vulnerabilities also can be technology based. Improperly designed information systems fall into this category. Some design flaws allow people to access information systems without permission. After gaining entry, the person may enter unauthorized code or commands that disrupt the system. Unpatched and outdated applications are technology vulnerabilities. So are improperly configured equipment, such as firewalls or routers.

Customers do not like flaws in the products that they buy. Therefore, they expect vendors to inform them quickly about product flaws. Vulnerability management programs make sure that vendors find any flaws in their products and quickly correct them. They also ensure that customers are made aware of problems so they can take protective action. The Microsoft Corporation, for example, issues a monthly security bulletin for customers that lists known vulnerabilities in the company’s products. The bulletin also explains how to address them. This bulletin is part of Microsoft’s vulnerability management program.

Exploits are successful attacks against a vulnerability. They take place in a period known as the window of vulnerability, as shown in FIGURE 1-2. This window opens when someone discovers a vulnerability and closes when a vendor reduces or eliminates it. Exploits take place while the window is open.

FIGURE 1-2
The window of vulnerability. (Diagram not reproduced.)

The window of vulnerability is a notable concept. In some ways, this window is shrinking fast because more people are interested in information security. Many people have developed the skills to find new vulnerabilities. Often they report them to the company that provides the product or service so the company can fix the vulnerability. Not all people act with good intentions, however: there are also people with the skills needed to find and exploit vulnerabilities who do so for financial gain.

The number of vulnerabilities appears to be growing. The National Vulnerability Database (NVD) recorded almost 52 new vulnerabilities per day in December 2019.[1] One reason for this could be that information systems are becoming larger and more complex. Another possibility is that as more people work together to create new systems, the likelihood of introducing flaws increases. Poor programming practices may be another reason. Vulnerabilities also may be increasing because of a lack of quality controls to make sure that systems are secure and work as intended.

The number of known vulnerabilities also may be increasing because some developers use well-known programming codes and components to design systems. They also use well-known software in the systems they design. Using familiar components makes it easier for many people to work together on the same project. There are dangers, however. The better known the code, hardware, or software, the greater the chance that an attacker also has the necessary skills to find vulnerabilities in the final product.

NOTE

Some vulnerabilities are exploited almost as soon as they are discovered. The term for this is a zero-day vulnerability. It is unique because the vulnerability is exploited before a vendor provides a patch or some other fix.

Threats

Threats are anything that can harm an information system. They are successful exploits against vulnerabilities. A threat source—which is a person or a circumstance—carries out a threat or causes it to take place.

It is worth taking some time to understand how vulnerabilities and threats are related. For example, an organization may have few controls to prevent an employee from deleting critical computer files. This lack of controls is the vulnerability. A well-meaning employee could delete files by mistake. In this case, the employee is the threat source. The threat is the action of deleting the critical files. If the employee deletes the files, a successful exploit of the vulnerability has taken place. If the files are not recoverable, or recoverable only at great expense, the incident harms the organization and its security. In this example, availability and integrity are compromised.

Threats fall into broad categories:

  • Human—Threats carried out by people. Common examples are internal and external attackers. Even the loss of key personnel in some instances is a type of human threat. People threats include both good actors and bad actors. Good actors include well-meaning employees; bad actors are attackers who intend to harm an organization.
  • Natural—Uncontrollable events such as earthquakes, tornadoes, fires, and floods. These types of threats are not predictable, and organizations cannot control these types of threats.
  • Technological and operational—Threats that operate inside information systems to harm information security goals. Malicious code is an example of these threats. Hardware and software failures are technology threats. Improperly running processes are also threats.
  • Physical and environmental—Facility-based threats. These types of threats can include a facility breach caused by lax physical security. Loss of heating or cooling within a facility is an example of an environmental threat.

Threats are either deliberate or accidental. Accidental threats are the results of either unintentional actions or inactions. You can think of accidental threats as mistakes or “acts of God.” Unintended equipment failure also is an accidental threat.

Mistakes most often are the result of well-meaning employees. The file deletion example at the beginning of this section is an accidental threat. The TSA employee improperly posting the manual to a website, as mentioned earlier, is also an accidental threat. Organizational policy and security training and awareness can help mitigate such mistakes.

An act of God that disrupts services or compromises information security is an accidental threat. Earthquakes, tornadoes, floods, and wildfires caused by lightning or other natural events are all examples of acts of God. It is hard for organizations to plan for these types of threats, although they can take basic precautions against some types of natural disasters by building redundant systems. An organization also may choose not to build facilities in areas prone to environmental instability.

NOTE

The U.S. government maintains the NVD, a searchable database of known security flaws and weaknesses. It also includes listings of known system problems. The National Cyber Security Division of the U.S. Department of Homeland Security sponsors the NVD. You can find it at http://nvd.nist.gov/home.cfm.

All organizations must plan for equipment failure. Sometimes equipment breaks through no fault of its operators. Sometimes it reaches the end of its life and simply stops working. Unfortunately, it is hard for organizations to plan for such failures. This is especially true if the equipment that fails is particularly specialized or expensive. Organizations can mitigate this type of threat by building redundant systems and keeping spare parts on hand.

Deliberate threats are intentional actions taken by attackers. Both internal and external attackers are deliberate threats. Internal attackers have current relationships with the organization that they are targeting. They can cause a lot of damage in computer systems because they have special knowledge about those systems. Internal attackers are often called malicious insider threats because they use their legitimate access to knowingly harm an organization. Upset employees are often the cause of internal attacks. They might wish to harm the organization by causing a loss of productivity. They also may wish to embarrass the organization or hurt its reputation. These attackers may purposefully delete files or disclose information without permission. They also may intentionally disrupt the availability of information systems.

Internal attackers also can take advantage of lax physical security. They might do this to steal resources such as confidential information. Theft of resources is a problem for many organizations.

In 2007, a former Coca-Cola employee was sentenced to 8 years in prison for stealing Coca-Cola trade secrets. She also was ordered to pay $40,000 in restitution.[2] This employee stole Coca-Cola secrets and tried to sell them to rival Pepsi. Surveillance video showed the employee putting company documents into bags and leaving the building. She did the same thing with a container of a Coca-Cola product sample. All of these actions were violations of Coca-Cola company policies. The theft was discovered when Pepsi informed Coca-Cola.

NOTE

Act of God is a legal term that describes a natural event or disaster for which no person is responsible.

NOTE

It is not possible to identify every security vulnerability, to plan for every threat, or to identify all risks. Even when you identify risks, you cannot limit all risk of harm.

External attackers are another concern. They usually have no current relationship with the organization they are targeting. Some are former employees with special knowledge about the organization. External hackers include spies, saboteurs, and terrorists. Many seek financial gain. Others want to embarrass an organization, make a political statement, or exploit systems for a challenge.

Organizations must take steps to avoid threats. When an employee leaves an organization, the organization should promptly remove his or her access to information systems and to physical property. Good information security practices also help reduce threats posed by external attackers. These include patching known vulnerabilities in hardware and software. They also include monitoring access to systems and engaging in logging and audit review.

Risks

A risk is the likelihood that a threat will exploit a vulnerability and cause harm to the organization. These impacts from threats vary but can generally be sorted into six categories:

  • Financial—Risks that affect financial resources or financial operations
  • System/Service—Risks that impact how an organization provides information technology (IT) systems and services
  • Operational—Risks that affect the normal operation of information systems and services
  • Reputational—Risks that negatively affect an organization’s reputation or brand
  • Compliance—Risks that relate to a possible violation of a law, regulation, or organizational policy
  • Strategic—Risks that may have a lasting impact on an organization’s long-term viability

You can measure impact in terms of money costs or by perceived harm to the organization.

Not all risks receive or require the same level of attention from an organization. Organizations engage in complex risk analysis and risk management programs to classify and respond to risks. A brief overview of some risk analysis and management terms is included here.

Risk analysis is the process of reviewing known vulnerabilities and threats. Organizations generally classify the probability that a threat will exploit a vulnerability as low, medium, or high. They then attempt to assess the impact of a successful exploit. An organization should address risks that have large impacts on the organization and its information security.

All organizations must assess risk, as well as respond to it. Organizations have several options for responding to risk. Common responses include:

  • Risk avoidance
  • Risk mitigation
  • Risk transfer
  • Risk acceptance

Organizations apply safeguards to respond to vulnerabilities, threats, and, ultimately, risk. A safeguard is any protective action that reduces exposure to vulnerabilities or threats. A risk response strategy determines how safeguards should be applied.

Organizations can try to get rid of risk by applying safeguards to fix vulnerabilities and control threats. Risk avoidance is the process of applying safeguards to avoid a negative impact. A risk avoidance strategy seeks to eliminate all risk. This is often very difficult or expensive.

Organizations also can mitigate risk to reduce, but not eliminate, a negative impact. This response strategy is called risk mitigation. Using this strategy, organizations apply safeguards to vulnerabilities and threats to lower risk to an acceptable level. The amount of risk left over after applying safeguards is called residual risk.

Organizations also transfer risk. In a strategy of risk transfer, an organization passes its risk to another entity, at which point the risk impact is borne by the other entity. An organization might choose this type of strategy when the cost of mitigating risk is more expensive than transferring it. For example, organizations could purchase cyber liability insurance in response to a potential risk. By purchasing these policies, which have grown popular in the last several years, the organization transfers its risk to the insurance company, which bears the cost of any risk impact. While the terms of these insurance policies vary, they can cover losses caused by unauthorized access to information systems, system interruption, and crime.

An organization also can decide to deliberately take no action against an identified risk, which is called risk acceptance. This type of strategy means that avoiding, mitigating, or transferring risk is not part of the organization’s risk response plan. Organizations do not take decisions to accept risk lightly, but may choose to accept the risk if the cost of the risk itself is less than the cost to avoid, mitigate, or transfer the risk.
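The following is an added worked example, not code from the textbook, that puts the risk analysis and response ideas above into a small risk register: likelihood and impact are rated low, medium or high, the product gives a risk level, safeguards reduce it to a residual risk, and a response (avoid, mitigate, transfer, accept) is chosen by comparing the expected loss with the cost of each treatment. The level scales, the number of levels a safeguard removes, and the sample costs are constructed assumptions.

```python
from dataclasses import dataclass, field

# Qualitative scales used in the text: low / medium / high (assumed 1..3 weights).
LEVELS = {"low": 1, "medium": 2, "high": 3}
# The six impact categories listed above.
IMPACT_CATEGORIES = {"financial", "system/service", "operational",
                     "reputational", "compliance", "strategic"}


@dataclass
class Safeguard:
    """A control that lowers likelihood and/or impact by some number of levels."""
    name: str
    likelihood_cut: int = 0
    impact_cut: int = 0


@dataclass
class Risk:
    name: str
    category: str      # one of IMPACT_CATEGORIES
    likelihood: str    # probability that a threat exploits the vulnerability
    impact: str        # harm if the exploit succeeds
    safeguards: list = field(default_factory=list)

    def __post_init__(self):
        if self.category not in IMPACT_CATEGORIES:
            raise ValueError(f"unknown impact category: {self.category}")
        for level in (self.likelihood, self.impact):
            if level not in LEVELS:
                raise ValueError(f"unknown level: {level}")


def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 1..9 scale."""
    return LEVELS[likelihood] * LEVELS[impact]


def rating(points: int) -> str:
    """Collapse a 1..9 score back onto the three-level scale."""
    if points >= 6:
        return "high"
    if points >= 3:
        return "medium"
    return "low"


def inherent_risk(risk: Risk) -> str:
    """Risk level before any safeguard is applied."""
    return rating(score(risk.likelihood, risk.impact))


def residual_risk(risk: Risk) -> str:
    """Risk left over after every listed safeguard has been applied."""
    lik = LEVELS[risk.likelihood] - sum(s.likelihood_cut for s in risk.safeguards)
    imp = LEVELS[risk.impact] - sum(s.impact_cut for s in risk.safeguards)
    # A safeguard can lower a level to "low" but never below it.
    return rating(max(lik, 1) * max(imp, 1))


def choose_response(expected_loss: float, avoid_cost: float,
                    mitigate_cost: float, transfer_cost: float) -> str:
    """Accept the risk when it costs less than any treatment; otherwise take
    the cheapest of avoid / mitigate / transfer."""
    treatments = {"avoid": avoid_cost, "mitigate": mitigate_cost,
                  "transfer": transfer_cost}
    cheapest = min(treatments, key=treatments.get)
    if expected_loss <= treatments[cheapest]:
        return "accept"
    return cheapest


# Constructed sample: the file-deletion scenario from the Threats section.
deletion = Risk("employee deletes critical files", "operational", "medium", "high",
                [Safeguard("nightly backups", impact_cut=1),
                 Safeguard("restrict delete rights", likelihood_cut=1)])
```

Inherent risk for the sample is high (medium likelihood, high impact); the two safeguards bring the residual risk down to low.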

Safeguards

A safeguard reduces the harm posed by information security vulnerabilities or threats and may eliminate or reduce the risk of harm. They are controls or countermeasures, terms that can be used interchangeably.

FYI

A passphrase is a long password that is made of a sequence of words or text. Unlike passwords, which are usually shorter, passphrases are usually 20 characters or more. The best passphrases are easy to remember. However, they should be hard to guess—for example, they should not be famous quotes from popular books.

Safeguards belong to different classifications according to how they work. These classification levels are:

  • Administrative
  • Technical
  • Physical

Administrative safeguards are rules implemented to protect information and information systems. These safeguards usually take the form of organizational policies, which state the rules of the workplace. Laws and regulations may influence these safeguards. One common administrative safeguard is the workplace rule of need to know.

By applying need to know, an employer gives employees access only to the data they need to do their jobs. An employee does not receive access to any other data even if he or she has appropriate clearance. Using need-to-know principles makes it harder for unauthorized access to occur and protects confidentiality. There eventually should be technical enforcement of these principles. However, the first step is specifying that a workplace will follow them.

Technical safeguards, also called logical safeguards, are the rules that state how systems will operate and are applied in the hardware and software of information systems. Technical safeguards include automated logging and access-control mechanisms, firewalls, and antivirus programs. Using automated methods to enforce password strength is a technical control.

One technical safeguard that companies use to protect information security is the access control rule of least privilege. This rule, which is very similar to the need-to-know rule, means that systems should always run with the least amount of permissions needed to complete tasks. For example, some operating systems allow administrators to set up different privilege levels for system users. This helps enforce least privilege concepts. Users with administrative privileges can access all system functions, and therefore can fully manipulate and modify the system and its resources.

Local users, in contrast, have fewer privileges. They are able to use only some programs or applications. They cannot add, modify, delete, or manipulate the computer system. Power users have more privileges than local users but fewer privileges than administrators do. Power users may use and access many functions of the computer system. However, they may not modify critical functions of the operating system.

Physical safeguards are actions that an organization takes to protect its actual, tangible resources. These safeguards keep unauthorized individuals out of controlled areas and people away from sensitive equipment. Common physical safeguards are:

  • Key-card access to buildings
  • Fences
  • Doors
  • Locks
  • Security lighting
  • Video surveillance systems
  • Security guards
  • Guard dogs

A more sophisticated example of a physical security control is a mantrap, as shown in FIGURE 1-3. A mantrap is a method of controlled entry into a facility that provides access to secure areas such as a research lab or data center. This method of entry has two sets of doors on either end of a small room. When a person enters a mantrap through one set of doors, the first set must close before the second set can open. This process effectively “traps” a person in the small room.

A diagram depicts a mantrap.

FIGURE 1-3
An example of a mantrap.

Description

Often a person must provide different credentials at each set of mantrap doors. For example, the first set of doors might allow access to the mantrap via a card reader, in which an employee scans an identification badge to gain entry. The second set of doors then may require a different method to open, such as entering a PIN on a keypad. Technicians often configure mantraps so that both sets of doors lock if a person cannot provide the appropriate credentials at the second set of doors. When locked in a mantrap, the person must await “rescue” by a security guard or another official.

Mantraps are not just for highly sensitive data centers or labs. Some apartment buildings apply a modified mantrap concept to building entry. In these buildings, any individual can access the lobby area of the apartment building. However, only people with keys or access cards may pass through a locked security door and enter the building’s interior. Usually, only residents have the proper credentials to enter the interior. Guests to the building need to use an intercom or telephone system to contact the resident they want to visit. The apartment resident can then “buzz” guests through the locked door to allow access to the building’s interior.
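As an added example (not from the textbook), the mantrap entry sequence described above can be modelled as a small state machine: the outer door opens on a valid badge, it must close before the inner door will accept a PIN, a wrong PIN locks both doors until a guard releases the occupant, and every transition is logged so the physical control also feeds a detective control. The badge and PIN values are constructed placeholders.

```python
import hmac
from enum import Enum, auto


class State(Enum):
    IDLE = auto()        # both doors closed, nobody inside
    DOOR1_OPEN = auto()  # badge accepted, outer door open
    INSIDE = auto()      # outer door closed, person waiting at inner door
    DOOR2_OPEN = auto()  # PIN accepted, inner door open
    LOCKED = auto()      # both doors locked, waiting for a guard


class Mantrap:
    def __init__(self, badges: dict, pins: dict):
        self.badges = badges      # badge id -> employee name
        self.pins = pins          # employee name -> PIN
        self.state = State.IDLE
        self.occupant = None
        self.events = []          # audit trail for later log review

    def _log(self, msg: str) -> None:
        self.events.append(f"{self.state.name}: {msg}")

    def present_badge(self, badge_id: str) -> bool:
        """First set of doors: card reader."""
        if self.state is not State.IDLE:
            self._log(f"badge {badge_id} ignored, trap busy")
            return False
        who = self.badges.get(badge_id)
        if who is None:
            self._log(f"unknown badge {badge_id} rejected at door 1")
            return False
        self.occupant = who
        self.state = State.DOOR1_OPEN
        self._log(f"door 1 opened for {who}")
        return True

    def close_door1(self) -> None:
        if self.state is State.DOOR1_OPEN:
            self.state = State.INSIDE
            self._log("door 1 closed")

    def enter_pin(self, pin: str) -> bool:
        """Second set of doors: keypad. Only valid once door 1 has closed."""
        if self.state is not State.INSIDE:
            self._log("PIN ignored: door 1 not yet closed")
            return False
        expected = self.pins.get(self.occupant, "")
        if hmac.compare_digest(expected, pin):
            self.state = State.DOOR2_OPEN
            self._log(f"door 2 opened for {self.occupant}")
            return True
        self.state = State.LOCKED   # both doors lock; occupant awaits a guard
        self._log(f"bad PIN for {self.occupant}; both doors locked")
        return False

    def close_door2(self) -> None:
        if self.state is State.DOOR2_OPEN:
            self._log("door 2 closed; mantrap reset")
            self.state = State.IDLE
            self.occupant = None

    def guard_release(self) -> None:
        if self.state is State.LOCKED:
            self._log(f"guard released {self.occupant}")
            self.state = State.IDLE
            self.occupant = None
```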

You also can classify safeguards based on how they act. These classification levels are:

  • Preventive
  • Detective
  • Corrective

Preventive controls are safeguards used to prevent security incidents. These controls keep an incident from happening. For example, door locks are a preventive safeguard, because they help keep intruders out of the locked area. Fencing around a building is a similar preventive control. Teaching employees how to avoid information security threats is another preventive control.

Detective controls are safeguards put in place in order to detect, and sometimes report, a security incident while it is in progress. Examples of detective controls include logging system activity and reviewing the logs. Log review can look for unauthorized access or other security anomalies that require attention. An anomaly is something strange or unusual—activity that is not normal.
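As an added example (not from the textbook) of the log review described above, the script below runs three simple anomaly checks over a few constructed authentication log lines: successful logins by accounts that should have been removed when the employee left, logins outside business hours, and bursts of failed logins from one source. The line format, account names, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed line format: "<date> <time> OK|FAIL user=<name> src=<address>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2024-03-04 09:12:01 OK user=alice src=10.0.0.5
2024-03-04 09:14:22 FAIL user=bob src=10.0.0.9
2024-03-04 09:14:30 FAIL user=bob src=10.0.0.9
2024-03-04 09:14:41 FAIL user=bob src=10.0.0.9
2024-03-04 13:02:10 OK user=carol src=10.0.0.7
garbage line that does not match the format
2024-03-04 23:47:55 OK user=alice src=10.0.0.5
"""


def parse(text: str) -> list:
    """Turn log text into event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def review(text: str, departed: set, fail_threshold: int = 3,
           business_hours: tuple = (8, 18)) -> list:
    """Return a list of findings; each is a tuple starting with its kind."""
    findings = []
    start, end = business_hours
    failures = Counter()
    for e in parse(text):
        # Access that should have been revoked when the employee left.
        if e["ok"] and e["user"] in departed:
            findings.append(("departed_account", e["user"], e["src"]))
        # Successful login outside normal working hours.
        if e["ok"] and not (start <= e["ts"].hour < end):
            findings.append(("after_hours", e["user"], e["ts"].strftime("%H:%M:%S")))
        if not e["ok"]:
            failures[(e["user"], e["src"])] += 1
    # Repeated failures from one source against one account.
    for (user, src), n in failures.items():
        if n >= fail_threshold:
            findings.append(("failed_burst", user, src, n))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, departed={"carol"}):
        print(finding)
```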

Corrective safeguards are automated or manual controls put in place in order to limit the damage caused by a security incident. Some types of databases allow an administrator to “roll back” to the last known good copy of the database in the event of an incident. Corrective controls also can be quite simple: locking doors inadvertently left unlocked, for example.

TABLE 1-1 summarizes the safeguards described in this section.

TABLE 1-1 A Safeguards Matrix

(Table not reproduced.)

Choosing Safeguards

Organizations may have difficulty choosing safeguards, so they use reference guides to help with this task. Two of the most common guides are the “ISO/IEC 27002:2013, Information Technology—Security Techniques—Code of Practice for Information Security Controls” (2013) and “NIST Special Publication 800-53 (Rev. 4), Security and Privacy Controls for Federal Information Systems and Organizations” (2013).

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) first published ISO/IEC 27002 in December 2000. These two groups work together to create standards for electronic technologies. ISO/IEC 27002 has 14 major sections. Each discusses a different category of information security safeguards or controls. They explain why organizations should use the listed controls and how to use them. Security practitioners often use ISO/IEC 27002 as a practical guide for developing security standards and best practices.

“NIST Special Publication 800-53 (Rev. 4), Security and Privacy Controls for Federal Information Systems and Organizations” was published in 2013 (and updated in 2015) by the National Institute of Standards and Technology (NIST). This document states the minimum safeguards required in order to create an effective information security program. NIST developed this guidance specifically for federal agency use on federal information systems. Many nongovernmental organizations also use the document to help guide their own information security programs. Revision 5 of this guidance, currently titled “Security and Privacy Controls for Information Systems and Organizations,” was published in 2017. This draft was still undergoing the review process at the time this chapter was written.
