In the text below you will find notes on Network Security Management. These notes cover topics such as information security, advice on entering InfoSec, InfoSec career opportunities, solving security problems, and more. All of these notes are consistent with Network Security Management college courses offered today.
Cryptography and firewalls – two of the tools security specialists use to protect information systems.
Increased services to both vendors and employees create worlds of possibilities for satisfying customer needs, but they also create risks where none existed before: risks to the confidentiality, integrity, and availability of confidential or sensitive data. Although concern for the well-being of society can be a powerful motivator for information security managers, increasing governmental regulation such as privacy legislation and the fear of unwanted publicity over a hacked site are often what drive these managers to action. The security of computer networks will continue to increase in importance as more business is conducted over the internet.
A degree in information security prepares students to:
- Identify the information security risks that an organization faces.
- Associate these risks with problems related to technology and human beings.
- Identify and evaluate the technology tools available to minimize risk, reduce system vulnerabilities, and maintain computer services.
- Oversee the development of a secure information security (IS) infrastructure.
- Keep abreast of IS policies, laws, and market forces and perform impact analysis for an organization.
- Maintain professional growth in IS disciplines.
Important steps for professionals wishing to enter the InfoSec world:
- Get the right certifications
  - Certified Information Systems Security Professional (CISSP)
  - Global Information Assurance Certification (GIAC)
- Consider earning a graduate degree in information security
  - One that connects technical with business training
- Increase your disaster recovery and risk management skills
  - Understand how to keep an organization running after disaster strikes.
- Build a home laboratory
  - Use available freeware and shareware to learn on your own.
- Give something back to the information security community
  - Work with professional organizations and certification groups to develop best practices and enhance the Common Body of Knowledge.
- Get on a project working with strategic partners
  - Something that will give you experience with different members of the industry and broad exposure to the far-reaching issues of information security.
- Consider an internship in IS if you’re still in school
- Take a second look at government jobs
A wide range of educational experiences, melding hard-core computer courses with liberal arts studies, is a good foundation for an InfoSec career.
[Figure: an umbrella of information security]
InfoSec Careers:
Security Administrators – Work alongside system administrators and database administrators to assure that an appropriate separation of duties exists to prevent abuse of privilege when new computer systems are implemented and users begin to access these systems.
- Help to establish new user accounts
- Assure auditing mechanisms are present and operational
- Assure that communication between systems is securely implemented
- Assist in troubleshooting problems and responding to incidents that could compromise the confidentiality, integrity, or availability of the systems.
Access Coordinators – Delegated the authority on behalf of the system owner to establish and maintain the user base that is permitted to access and use the system in the normal course of their job duties.
Security Architects and Network Engineers – Design and implement network infrastructures that are built with security in mind.
- Firewall designs
- Intrusion detection systems
- How to configure servers and desktop computers to comply with these policies.
Security Consultants – Work with project-development teams to perform risk analysis of new systems by balancing the needs of business with the threats that stem from opening up access to data or managing new information that could compromise the business if it fell into the wrong hands.
Security Testers – White-hat hackers paid to test the security of newly acquired and newly developed or redeveloped systems.
Policy Makers and Standards Developers – Look to outside regulators and executive management to set the tone and establish the specific rules of the road when interacting or managing information systems.
Compliance Officers – Check to see that employees remain in compliance with security policies and standards as they use information systems in their daily work.
Incident Response Team Members – Alerted when an intrusion or security incident occurs; decide how to stop the attack or limit the damage while collecting and analyzing forensic data for law enforcement personnel and executive management.
Governance and Vendor Managers – Assure that outsourced functions are operating within security policies and standards.
Many of the topics information technology students study in school can be carried directly from the classroom to the workplace. Security is a little different. Although their technical skills are certainly important, the best security specialists combine their practical knowledge of computers and networks with general theories about security, technology, and human nature.
Principle-based analysis to solve security problems:
1. There is no such thing as security
The first principle of information security (IS): Given enough time, tools, skill, and inclination, a hacker can break through any security measure.
2. The three security goals are confidentiality, integrity, and availability
All information security measures try to address at least one of three goals:
- Protect the confidentiality of data
- Preserve the integrity of data
- Promote the availability of data for authorized use
These goals form the confidentiality, integrity, availability (CIA) triad. The CIA triad is the basis of all security programs.
Confidentiality is sometimes referred to as the “principle of least privilege,” meaning that users should only be given enough privilege to perform their duties, and no more.
Common confidentiality controls are user IDs and passwords
[Figure: the CIA triad]
Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes. Integrity models have three goals:
- Prevent unauthorized users from making modifications to data or programs.
- Prevent authorized users from making improper or unauthorized modifications.
- Maintain internal and external consistency of data and programs.
Availability models keep data and resources available for authorized use, especially during emergencies or disasters.
Three common challenges of availability:
- Denial of Service (DoS) due to intentional attacks or because of undiscovered flaws in implementation.
- Loss of information system capabilities because of natural disasters or human actions.
- Equipment failures during normal use.
Some of the activities that preserve confidentiality, integrity, and/or availability are:
- Granting of access only to authorized personnel
- Applying encryption to information that will be sent out over the internet
- Periodic testing of operating system security to uncover new vulnerabilities
- Developing a disaster recovery plan to assure that the business can continue to exist in the event of a disaster or loss of access by personnel
3. Defense in depth as a strategy
Layered security is called defense in depth
Defense in depth is security implemented in overlapping layers to provide the three elements needed to secure assets: prevention, detection, and response. Defense in depth also means that the weaknesses of one security layer are offset by the strengths of two or more layers.
The security of each of these mechanisms must be thoroughly tested before deployment to ensure that the integrated system is suitable for normal operations.
4. When left on their own, people tend to make the worst security decisions. Study after study shows how little it takes to convince someone to give up their credentials in exchange for trivial or worthless goods.
5. Computer security depends on two types of requirements: functional and assurance
- Functional requirements describe what a system should do
- Assurance requirements describe how functional requirements should be implemented and tested
Both sets of requirements need to answer:
- Does the system do the right things?
- Does the system do the right things in the right way?
Verification: the process of confirming that one or more predetermined requirements or specifications are met
Validation: a determination of the correctness or quality of the mechanisms used in meeting the needs
Most of today’s commercial off-the-shelf (COTS) software and systems stop at the first step, verification, without bothering to test for obvious security vulnerabilities in the final product.
6. Security through obscurity is not an answer
Many in the information security industry believe that if hackers don’t know how software is secured, security is better. Although this may seem logical, it’s actually untrue. Security through obscurity is the belief that hiding the details of the security mechanisms is, by itself, sufficient to secure the system.
Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all.
If the security of a system is maintained by keeping the implementation of the system a secret, once the first person discovers how the security mechanism works, the entire system collapses – and someone is always determined to discover these secrets. The better bet is to make sure that no one mechanism is responsible for the security of the entire system.
7. Security = risk management
It’s critical to understand that spending more on securing an asset than the intrinsic value of the asset is a waste of resources.
All security work is a careful balance between the level of risk and the expected reward of expending a given amount of resources. Security is not concerned with eliminating all threats within a system or facility but with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability.
Risk analysis and risk management are central themes in securing information systems. Once risks are well understood, there are three possible outcomes:
- The risks are mitigated (countered)
- Insurance against the losses that would occur should a system be compromised is acquired
- The risks are accepted and the consequences are managed
Risk assessment and risk analysis are concerned with placing an economic value on assets to best determine appropriate countermeasures that protect them from losses.
Two factors for determining the degree of risk:
- What is the consequence of a loss?
- What is the likelihood that this loss will occur?
[Figure: consequences/likelihood matrix for risk analysis]
Once a risk rating has been determined, one of the following actions may be required:
- Extreme risk: immediate action required
- High risk: senior management attention needed
- Moderate risk: management responsibility must be specified
- Low risk: manage by routine procedures
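The rating-to-action table above, worked through in Python as an added example (it is not part of these notes). The notes' own matrix is an image that is not reproduced here, so the five-point likelihood and consequence scales and every cell value in `MATRIX` are assumptions; the four required actions are the ones listed above, and the register entries in `SAMPLE_RISKS` are constructed.

```python
from dataclasses import dataclass

# Assumed five-point scales (the notes' own matrix is not reproduced here).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed matrix: MATRIX[likelihood - 1][consequence - 1] gives the rating.
MATRIX = [
    ["Low", "Low", "Moderate", "High", "High"],          # rare
    ["Low", "Low", "Moderate", "High", "Extreme"],       # unlikely
    ["Low", "Moderate", "High", "Extreme", "Extreme"],   # possible
    ["Moderate", "High", "High", "Extreme", "Extreme"],  # likely
    ["High", "High", "Extreme", "Extreme", "Extreme"],   # almost certain
]

# Required action per rating, as listed in the notes.
ACTIONS = {
    "Extreme": "immediate action required",
    "High": "senior management attention needed",
    "Moderate": "management responsibility must be specified",
    "Low": "manage by routine procedures",
}
SEVERITY = {"Extreme": 0, "High": 1, "Moderate": 2, "Low": 3}


def rate_risk(likelihood: str, consequence: str) -> str:
    """Look up the rating for a (likelihood, consequence) pair; reject unknown scale values."""
    try:
        row = LIKELIHOOD[likelihood.strip().lower()]
        col = CONSEQUENCE[consequence.strip().lower()]
    except KeyError as missing:
        raise ValueError(f"unknown scale value: {missing}") from None
    return MATRIX[row - 1][col - 1]


def required_action(rating: str) -> str:
    """Map a rating to the management action the notes prescribe."""
    return ACTIONS[rating]


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    consequence: str


def risk_register(risks):
    """Rate every risk and return (asset, threat, rating, action) rows, worst first."""
    rows = []
    for r in risks:
        rating = rate_risk(r.likelihood, r.consequence)
        rows.append((r.asset, r.threat, rating, required_action(rating)))
    rows.sort(key=lambda row: SEVERITY[row[2]])
    return rows


# Constructed sample entries for a small register.
SAMPLE_RISKS = [
    Risk("customer database", "theft of records by an outside attacker", "possible", "major"),
    Risk("office workstations", "hardware failure", "likely", "minor"),
    Risk("public website", "defacement", "unlikely", "moderate"),
    Risk("archived backups", "media degradation", "rare", "insignificant"),
]

if __name__ == "__main__":
    for asset, threat, rating, action in risk_register(SAMPLE_RISKS):
        print(f"{rating:8} {asset:20} {threat:42} -> {action}")
```

Sorting the register by severity is what turns the matrix into a work queue: the two factors from the notes (consequence and likelihood) decide the cell, and the cell decides who has to act.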
Terms and concepts:
Vulnerability – refers to a known problem within a system or program
Exploit – is a program or “cookbook” on how to take advantage of a specific vulnerability
Attacker – is the link between a vulnerability and an exploit
8. The three types of security controls are preventative, detective, and responsive
Controls and countermeasures must be implemented as one or more of these types; otherwise they do not serve a security purpose. The principle of defense in depth dictates that a security mechanism serves a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it’s happening or after it has been discovered. These controls are the basic toolkit for the security practitioner, who mixes and matches them to carry out the objectives of confidentiality, integrity, and/or availability by using people, processes, or technology to bring them to life.
9. Complexity is the enemy of security. The more complex a system gets, the harder it is to secure.
10. Fear, uncertainty, and doubt do not work in selling security. Information security managers must justify all investments in security using techniques of the trade. When spending resources can be justified with good, solid business rationale, security requests are rarely denied.
11. People, process, and technology are all needed to adequately secure a system or facility
Dual control – one person acts as a countermeasure to the other. It is less likely that both people will make an error in judgment or act maliciously.
Separation of duties – no one person in an organization should have the ability to control or close down a security activity.
Process controls are implemented to assure that different people can perform the same operations exactly in the same way each time. Processes are documented as procedures on how to carry out an activity related to security.
Never put all faith in technology. Technology can fail, and without people to notice and fix technical problems, computer systems would stall permanently.
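Dual control and separation of duties, the two people controls defined above (and the separation of duties that the Security Administrators entry in the careers list is responsible for), as an added example in Python that is not part of these notes. The action names, the role table and the user names are constructed for illustration; the rule set is the one the notes state: two independent people must concur, and the person who requests a sensitive action cannot be one of those who approve it.

```python
from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when an approval would break dual control or separation of duties."""


@dataclass
class Request:
    action: str
    requester: str
    approvals: list = field(default_factory=list)


# Constructed tables: which roles may approve each sensitive action, and who holds which role.
APPROVER_ROLES = {
    "disable_audit_logging": {"security_admin"},
    "grant_privileged_access": {"security_admin", "access_coordinator"},
}
USER_ROLES = {
    "alice": {"security_admin"},
    "bob": {"security_admin"},
    "carol": {"access_coordinator"},
    "dave": {"sysadmin"},
}
REQUIRED_APPROVALS = 2  # dual control: two independent people must concur


def approve(request: Request, approver: str) -> None:
    """Record one approval, enforcing separation of duties before it counts."""
    if approver == request.requester:
        raise ControlViolation("requester may not approve their own request")
    if approver in request.approvals:
        raise ControlViolation("the same person cannot approve twice")
    allowed = APPROVER_ROLES.get(request.action, set())
    if not USER_ROLES.get(approver, set()) & allowed:
        raise ControlViolation(f"{approver} holds no approver role for {request.action}")
    request.approvals.append(approver)


def is_authorized(request: Request) -> bool:
    """True only once the required number of distinct, eligible approvers have signed off."""
    return len(request.approvals) >= REQUIRED_APPROVALS


def process(request: Request, approvers):
    """Apply approvals in order; return (authorized, decisions) so every rejection is explained."""
    decisions = []
    for who in approvers:
        try:
            approve(request, who)
            decisions.append((who, "accepted"))
        except ControlViolation as exc:
            decisions.append((who, f"rejected: {exc}"))
    return is_authorized(request), decisions


if __name__ == "__main__":
    # Constructed walk-through: dave asks to disable audit logging and tries to approve it himself.
    req = Request("disable_audit_logging", requester="dave")
    ok, log = process(req, ["dave", "alice", "carol", "alice", "bob"])
    for who, outcome in log:
        print(f"{who:6} {outcome}")
    print("authorized" if ok else "blocked")
```

The point of returning the decision log rather than a bare yes/no is the auditing mechanism the notes ask security administrators to keep operational: a rejected self-approval is itself evidence worth recording.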
People, process, and technology controls are essential elements of several areas of practice in information technology (IT) security including:
- Operations security
- Applications development security
- Physical security
- Cryptography
[Figure: the people, process, and technology triad]
12. Open disclosure of vulnerabilities is good for security!
Keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security.
The need to know trumps the need to keep secrets in order to give users the right to protect themselves.