Identify or Explain Examples of Risk Management Fundamentals and the Basic Tenets of Security

An important key to establishing any kind of security policy or regime is to assess and manage potential risks, and associated responses. Here, risk management fundamentals include

  • Understanding the true monetary value of information (and hence, associated risks).

  • Understanding how information security relates to potential business problems (an important aspect of risk management).

  • Understanding that the ramifications of an attack on computer systems or networks can include destruction or alteration of data, financial loss, misuse of resources, and damage to public confidence.

  • Understanding how to perform a risk assessment, as described in Step by Step FF.1 (which appears later in this section).

  • Understanding the four options involved in handling risks, as shown in Table 2 (which appears later in this section).

    Summary table 2. Four Options for Handling Risk (Option: Explanation)
    Eliminate the risk: Getting rid of the root cause of the risk.
    Minimize the risk: Reducing the risk to an acceptable level of loss, damage, or harm.
    Accept the risk: Recognizing the potential impact of a risk, and deliberately choosing to make no amelioration.
    Transfer the risk: Taking out an insurance policy to transfer the potential impact of a risk in exchange for a fixed cost or premium.

  • Understanding risk analysis, which is the process of reviewing all aspects of a resource you seek to protect, to determine possible risks to which that resource is subject. Develop appropriate countermeasures to eliminate or reduce the risk as needed. It depends either on quantitative analysis (measuring risk or loss in specific numerical terms) or qualitative analysis (measuring risk or loss in subjective terms before assessing cost or value).

  • Understanding data classification, which consists of classifying data according to its value as part of risk assessment, is also essential. Table 3 (which appears later in this section) covers numerous important potential classification criteria.

    Summary table 3. Data Classification Criteria (Criterion: Explanation)
    Sensitivity: Although it may not do irreparable harm to an organization if everyone learned its payroll details, most organizations restrict that information on a need-to-know basis. It's a good idea to consider the implications of making data or some related resource public knowledge when assessing its sensitivity. The more sensitive a resource, the tighter its access controls should be.
    Proprietariness: Some data related to practices, procedures, processes, or trade secrets that could blunt an organization's competitive edge if disclosed to outsiders can rightfully be viewed as valuable and private property. Here, the more private and/or valuable this property, the tighter its access controls should be.
    Confidentiality: Some information is meant to be kept secret, restricted to only a small circle of authorized individuals. This includes financial plans or reports, upcoming sales or advertising campaigns, or other information that could adversely affect an organization if made public prematurely (or at all). Again, the more confidential and/or valuable such information, the tighter its access controls must be.
    Privacy: Certain information may be obtained during interviews, research, investigation, or through privileged relationships that should never be made public. This could relate to doctor-patient or attorney-client privilege, or to reasonable or legal expectations of privacy. This helps explain why privacy policies are becoming so prevalent on Web sites and in customer-vendor interactions of all kinds. The more private such information, the tighter its access controls must be.
    Potential liability: Beyond privacy concerns, legal agreements, such as nondisclosure, employee, copyrights, or other contracts, may require an individual or organization to preserve information provided by or through a third party. Given that unauthorized disclosure can lead to legal and financial penalties in many cases, information held in trust for or on behalf of others must also be subject to tight access controls.
    Intelligence value: Seemingly innocuous documents such as telephone lists, discarded paperwork, purchase orders, and the like can often reveal valuable information to competitors or malefactors. When tempted to assume that a document or resource has no value and therefore needs no access controls, ask “What's the worst that could happen if our competitors got this?” or “How could this information be used to subvert or bypass security measures?” Very few documents require no access controls at all, unless specifically designed for public use.

Likewise, basic tenets of security involve

  • Identifying and classifying sensitive data.

  • Understanding the need for access controls, and how they may be applied.

  • Ways to protect data and systems, including passwords, encryption, access controls, and backups.

  • Avoiding common security errors, such as top vulnerabilities identified by SANS (these are covered in Chapter 1, “Information Security Essentials”).

  • Assigning trained people to maintain security.

  • Dealing directly and adequately with operational aspects of security.

  • Ensuring that the overall security infrastructure is appropriate, so that it is not necessary to rely on firewalls or other boundary devices to provide security.

  • Developing a proactive and aggressive stance toward dealing with security problems (rather than avoiding them).

  • Understanding that computer information security is an ongoing process, not something easily satisfied by installing antivirus software or applying a few patches to a computer operating system.

  • The three cornerstones of information security are data availability, data integrity, and data confidentiality.

  • Data availability means that information is available whenever it's needed. This requires planning to avoid or mitigate denial-of-service attacks.

  • Data integrity means that once stored, data remains pristine and unaltered. Achieving data integrity requires establishing correct access controls, installing active checks on integrity to detect potential compromise (such as one-way hash functions or checksum databases), and maintaining backups to restore possibly compromised data.

  • Data confidentiality means that information is available only to those with a valid need to know. Here, correct access controls and active means to protect data in storage or in transit, including encryption, help ensure proper confidentiality.

  • Understanding what kinds of attackers perpetrate attacks, as described in Table 4 (included later in this section).

    Summary table 4. Types of Attackers (Type of Attacker: Explanation)
    Accidental hacker: Those who break into systems inadvertently, either from inside or outside an organization. Accidental hackers usually stop when they realize they've accessed a system without authorization.
    New hacker: Newcomers to the hacking world are also known as “script kiddies” because they often use scripts that originate with other, more experienced hackers to penetrate systems. Often, they do not intend to do damage, but simply to see how far they can get.
    Expert hacker: Individuals who possess intimate, detailed knowledge of operating systems, networks, protocols, and so forth, who exploit vulnerabilities methodically and systematically. Often, they are the sources for scripts, exploit reports, and hacker tools.
    Insider: Employees, consultants, contractors, or other trusted members of a company; their privileged knowledge and insight gives them maximum ability to do damage. Insiders account for over 80% of security incidents, according to a 2000 FBI study.

  • Understanding what motivates hackers is essential to protecting your information assets. Possible motives include money, personal grievance, curiosity, mischief, peer and public attention, and competitive advantage.

  • Recognizing and understanding the categories into which security attacks may fall, as described in Table 5 (included later in this section).

    Summary table 5. Types of Attacks (Type of Attack: Explanation)
    Intrusion: An active attack in which a hacker actually breaks into a computer system, and then performs one or more acts to steal, delete, or modify information, implant malicious code, establish bogus controls or security configurations, or shut down systems altogether.
    Passive attack: When a hacker or insider scans or monitors system behavior and activity to gain more information about a system or network.
    Denial-of-service attack: Usually abbreviated DoS, these attacks inundate systems or networks with bogus traffic, or create sessions or communications that never complete, and deny legitimate users access by consuming all (or most) available resources.
    Distributed DoS attack: A special form of DoS attack in which hackers involve numerous systems in generating the traffic or behavior that mounts a DoS attack against a system or network. Unwitting secondary systems may run malicious code to implement the attack, and are sometimes called zombies.

  • Understanding how and why to develop a security policy, which is a set of rules and guidelines that dictate how an organization should protect, manage, and enforce controls over its assets. See Table 6 later in this section for categories of coverage in a security policy.

    Summary table 6. Minimum Categories to Cover in a Security Policy (Policy Category: Explanation)
    Data access: Defines the appropriate use of corporate resources.
    Applications access: Defines who has access to the applications within the organization.
    Network access: Defines how users are allowed to access corporate network resources.
    Software: Defines the policy on downloading and/or installing third-party software on corporate machines.
    Privacy: Defines the established corporate privacy rules. Many companies state that corporate email is not private, and that all email communications are owned by the company.
    Business continuity plan: Defines the steps to take to continue business operations in the event of a disaster.
    Remote access: Defines the acceptable methods that allow remote users to access corporate resources.

  • A clear definition and understanding of user authentication, the method whereby users prove their identities to a system, and the various methods by which authentication may be performed.

  • An understanding of security administration, which defines the practices and procedures whereby a security policy is implemented, audited, maintained, and enforced.

  • An appreciation for the importance of and methods for establishing physical security arrangements is another cornerstone of best security practices. This topic is covered in its own section under this general heading.
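The integrity tenet above mentions one-way hash functions and checksum databases as active integrity checks. The following is an added example (not code from the guide) of such a database: a baseline of SHA-256 digests is recorded for a file tree and later re-verified to report altered, missing and added files. The file names and contents are constructed for the demonstration.

```python
# Added example (not from the study guide): a minimal checksum database of the kind
# the integrity tenet mentions. A baseline of SHA-256 digests is recorded for a set
# of files and later re-verified to detect altered, missing and added files.
# File names and contents are constructed for the demo.
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """One-way hash of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Checksum database: relative path -> digest for every file under root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = sha256_file(full)
    return db

def verify(root, baseline):
    """Re-hash the tree and report every deviation from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline three files, then alter one, delete one, add one."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "hosts", b"127.0.0.1 localhost\n")
        write(root, "passwd", b"root:x:0:0\n")
        write(root, "app.cfg", b"debug=false\n")
        baseline = build_baseline(root)         # keep this copy off the monitored host
        clean = verify(root, baseline)          # nothing changed yet: all lists empty
        write(root, "app.cfg", b"debug=true\n") # altered file
        os.remove(os.path.join(root, "passwd")) # deleted file
        write(root, "unexpected.sh", b"#!/bin/sh\n")  # file that was not in the baseline
        return clean, verify(root, baseline)
```

Call `demo()` to see the clean report followed by the report that flags the three deviations.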

STEP BY STEP

FF.1 Performing a Risk Assessment

1. Identify all the assets, including computer hardware, data, backup tapes, and network resources, that require protection.

2. Determine the value of each asset and resource. These values help determine the level of security required to protect your assets.

3. List the possible threats to your assets. If your Web server is a critical system, threats include performance degradation and complete system failure. Another threat is the loss of critical data, either accidental or deliberate.

4. Determine what vulnerabilities could cause these threats. For example, the Web server could fail because of a DoS attack. A hacker could penetrate the network and delete a database file full of credit card information. An earthquake could cause irreparable damage. You must also determine the likelihood of such occurrences. An earthquake is more likely to occur in Los Angeles than it is in Chicago.
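The four steps above, carried through as a small quantitative risk register (an added example, not the guide's own material): each entry pairs an asset's value (step 2) with a threat (step 3) and its estimated yearly likelihood (step 4), expected annual loss ranks the risks, and one of the four handling options from Table 2 is suggested. The expected-loss formula, the decision thresholds, the exposure and countermeasure fields, and every asset, value and likelihood in the register are constructed assumptions.

```python
# Added example (not from the study guide): a quantitative risk register following
# Step by Step FF.1. Expected annual loss = asset value x exposure x yearly likelihood
# is an assumed formula; the thresholds and all register entries are constructed.
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    value: float           # monetary value of the asset (step 2)
    threat: str            # what could go wrong (step 3)
    likelihood: float      # expected occurrences per year (step 4)
    exposure: float        # fraction of the asset's value lost per occurrence
    countermeasure_cost: float = 0.0    # yearly cost of the best available control
    countermeasure_effect: float = 0.0  # fraction of expected loss the control removes

    def expected_loss(self):
        """Quantitative analysis: loss expressed in money per year."""
        return self.value * self.exposure * self.likelihood

def suggest_option(r, accept_below, insure_above):
    """Map a risk to one of the four handling options in Table 2 (thresholds assumed)."""
    loss = r.expected_loss()
    if loss < accept_below:
        return "accept"        # small enough to absorb deliberately
    saved = loss * r.countermeasure_effect
    if r.countermeasure_effect >= 0.99 and r.countermeasure_cost < saved:
        return "eliminate"     # a control removes the root cause and pays for itself
    if r.countermeasure_cost < saved:
        return "minimize"      # a control pays for itself but residual risk remains
    if loss > insure_above:
        return "transfer"      # too costly to control, large enough to insure
    return "accept"

def rank(register, accept_below=1_000, insure_above=50_000):
    """Sort risks by expected annual loss, highest first, with a suggested option."""
    rows = [(r.asset, r.threat, round(r.expected_loss()),
             suggest_option(r, accept_below, insure_above)) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed register mirroring the threats named in FF.1 steps 3 and 4.
REGISTER = [
    Risk("web server", 200_000, "DoS attack", 2.0, 0.05, 8_000, 0.8),
    Risk("customer database", 500_000, "intrusion deletes card data", 0.1, 1.0, 20_000, 0.9),
    Risk("data center (Los Angeles)", 2_000_000, "earthquake", 0.03, 1.0, 300_000, 0.5),
    Risk("legacy FTP server", 50_000, "clear-text logins captured", 0.5, 0.2, 1_000, 1.0),
    Risk("backup tapes", 30_000, "misplaced tape", 0.5, 0.05, 0, 0.0),
]
```

`rank(REGISTER)` returns the register ordered by expected annual loss, which is the order in which the countermeasures (or insurance) deserve attention.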


Maintaining Physical Security

The extent of your physical security arrangements depends upon the sensitivity of your data and the level of perceived threat. A physical security plan may include some or all of the following measures:

  • Access Control Devices. Range from a simple lock on the door to sophisticated biometric devices that use fingerprints, retinal scans, or voiceprint patterns to identify personnel before granting access to sensitive facilities.

  • Surveillance Devices. Permit active monitoring of sensitive areas 24 hours a day. Where 24-hour security is maintained, you may have your devices monitored by a security guard. If a building is unmanned during evening hours, you may attach motion detectors to a system that pages responsible personnel if an alarm is triggered. Be sure to comply with local laws if using surveillance devices.

  • Environmental Monitors. Provide relatively inexpensive early warnings of physical threats and may even provide insurance discounts. Don't neglect the devastating effects that fire, flood, or other disasters (natural or man-made) might inflict on your systems.
