Computers have been instrumental to human progress for more than half a century. As these devices have become more sophisticated, they have come under increasing attack from those looking to disrupt the organizations that use them. From the first boot sector virus to advanced, highly complex, nation-state threats, the ability of an adversary to negatively impact an organization has never been greater. While the attacker has become more sophisticated, our ability to prepare for and defend against the attacker has also become very sophisticated. Throughout this book, I will discuss what it takes to establish an information security program that helps to ensure an organization is properly defended.
The first chapter will provide the reader with an overview of key concepts that will be examined throughout this book. The reader will learn the history, key concepts, and components of information and data security. Additionally, the reader will understand how these concepts should balance with business needs.
The topics covered in this chapter include the following:
The threats faced by today's organizations are highly complex and represent a real danger. The ability to mount an attack has become very simple due to many factors including the following:
An attacker can take these tools, string them together with tutorials found online (as well as their own knowledge and resources), and build a sophisticated attack that could affect millions of computers worldwide.
Modern computer systems were never really developed to be secure. From the very beginning, computers have had an inherent trust factor built into them. Designers did not take into account the fact that adversaries might exploit their systems to harvest the valuable assets they contained. Security, therefore, came in the form of bolt-ons or bandages for an inherent problem. This continues to this day. If you look at a modern computer science program, cybersecurity is often not included. This leads us to the modern internet, overflowing with vulnerable software and operating systems that require constant patches because security has always been an afterthought. Instead of security being built into an information system from the beginning, we are faced with an epidemic of vulnerable systems around the world.
The computer power of the average individual has greatly increased over the past few decades. This has resulted in an increase of sanctioned, and unsanctioned, personally-owned devices processing organizational data and being connected to corporate networks. All of these unmanaged devices are often set up to accommodate speed and convenience for a personal user and do not take into account the requirements of corporate information security.
Many organizations see information security as a hindrance to productivity. It is common to see business leaders, as well as IT personnel, avoid the discussion surrounding security out of fear that security will prevent the corporation from achieving its mission. Implementing security within a project's Systems Development Life Cycle (SDLC) may be resisted, as team members may believe security will prevent a project from being completed on time, or may view it as an impediment to the business's financial gain. Tools such as multi-factor authentication (MFA) or Virtual Private Networks (VPN) may be resisted because the business does not want to invest the capital for such solutions, not understanding the technology or how it would reduce the organization's cyber risk.
Overcoming these challenges requires that the information security leader has a strong understanding of the organizations that they work for and that communication is effectively maintained. The information security professional must integrate with all functional/business owners within their organization. This will allow the security professional to help determine the risk posture of each business area, and help the business owner make sound risk-based decisions. Information security must offer solutions to the business leader's challenges versus adding new challenges for the business leader to solve. Additionally, the information security professional must work and collaborate effectively with their counterparts in information technology. Many information security professionals focus on dictating policy without discussing what is actually needed. Work to foster a relationship where the information security group is sought out for answers rather than avoided.
As computer systems have now become integral to the daily functioning of businesses, organizations, governments, and individuals, we have learned to put a tremendous amount of trust in these systems. As a result, we have placed incredibly important and valuable information on them. History has shown that things of value will always be a target for a criminal. Cybercrime is no different. As people flood their personal computers, phones, and so on with valuable data, they put a target on that information for the criminal to aim for, in order to gain some form of profit from the activity. In the past, in order for a criminal to gain access to an individual's valuables, they would have to conduct a robbery in some shape or form. In the case of data theft, the criminal would need to break into a building and sift through files looking for the information of greatest value and profit. In our modern world, the criminal can attack their victims from a distance, and due to the nature of the internet, these acts would most likely never meet retribution.
In the 70s, we saw criminals taking advantage of the tone system used on phone networks. The attack was called phreaking, where the attacker reverse-engineered the tones used by the telephone companies to make long distance calls.
In 1988, the first computer worm made its debut on the internet and caused a great deal of destruction to organizations. This first worm was called the Morris worm, after its creator Robert Morris. While this worm was not originally intended to be malicious, it still caused a great deal of damage. The U.S. Government Accountability Office in 1980 estimated that the damage could have been as high as $10,000,000.00.
1989 brought us the first known ransomware attack, which targeted the healthcare industry. Ransomware is a type of malicious software that locks a user's data until a small ransom is paid, which will result in the issuance of a cryptographic unlock key. In this attack, an evolutionary biologist named Joseph Popp distributed 20,000 floppy disks across 90 countries, and claimed the disk contained software that could be used to analyze an individual's risk factors for contracting the AIDS virus. The disk, however, contained a malware program that, when executed, displayed a message requiring the user to pay for a software license. Ransomware attacks have evolved greatly over the years, with the healthcare field still being a very large target.
The 90s brought the web browser and email to the masses, which meant new tools for cybercriminals to exploit. This allowed the cybercriminal to greatly expand their reach. Up till this time, the cybercriminal needed to initiate a physical transaction, such as providing a floppy disk. Now cybercriminals could transmit virus code over the internet in these new, highly vulnerable web browsers. Cybercriminals took what they had learned previously and modified it to operate over the internet, with devastating results. Cybercriminals were also able to reach out and con people from a distance with phishing attacks. No longer was it necessary to engage with individuals directly. You could attempt to trick millions of users simultaneously. Even if only a small percentage of people took the bait you stood to make a lot of money as a cybercriminal.
The 2000s brought us social media and saw the rise of identity theft. A bullseye was painted for cybercriminals with the creation of databases containing millions of users' personally identifiable information (PII), making identity theft the new financial piggy bank for criminal organizations around the world.
This information coupled with a lack of cybersecurity awareness from the general public allowed cybercriminals to commit all types of financial fraud such as opening bank accounts and credit cards in the name of others.
Today we see that cybercriminal activity has only gotten worse. As computer systems have gotten faster and more complex, the cybercriminal has become more sophisticated and harder to catch. Today we have botnets, which are networks of private computers that are infected with malicious software and allow the criminal element to control millions of infected computer systems across the globe. These botnets allow the criminal element to overload organizational networks and hide the origin of the criminals.
The role that information security plays has changed over the years and today, with information security professionals being brought in at the executive level of organizations, they have become critical members that contribute to the overall success of business operations. When information security first became a discipline, its focus was all about securing IT configurations and putting security tools in place. As time has progressed, it became apparent that you cannot properly secure an IT environment without first understanding the needs of an organization's business leaders. Now, information security leaders work to ensure that the business maintains its ability to serve its customers by tying cybersecurity to the business' functions.
IT security engineering is the application of security principles to information technology. In our modern world, this really can mean just about anything, from a server to a refrigerator, once you start to consider the Internet of Things (IoT). There are so many new devices being built daily that are IP addressable, essentially making them mini-servers, which introduces potential vulnerabilities. Additionally, it is important to consider the security needs of devices that are non-networked or may be air-gapped. Non-networked, or air-gapped, environments still have the capability to communicate through out-of-band means, such as a USB thumb drive, allowing an attacker to communicate with them. A mature organization should have staff specifically dedicated to information technology security concerns, working with business and information technology leadership to secure IT systems and protect the environment from attackers.
Information assurance is the act of working with business and IT leadership to ensure that the confidentiality, integrity, and availability requirements for a given asset are fully understood. Those requirements should be fully tested in a test environment prior to being integrated into the production environment, in order to ensure that they are secure and do not cause interoperability issues.
The activities associated with information assurance inform the activities associated with IT security regarding the specific technical controls needed to properly protect a given asset. Requirements are driven by the business/mission owner.
For example, a medical device might be deemed by a business/mission owner to be confidentiality-high, integrity-high, and availability-moderate (because they can revert to old school medical techniques):
Relationship between Information Assurance and IT Security
The CIA triad is a key tenet at the core of information security. This tool is used to help the information security professional think about how to best protect organizational data:
We must remember that information security is meant to complement the business/mission process, and that each process owner will have to determine what risk is acceptable for their organization. We, as information security experts, can only offer recommendations (fixes, mitigations, and so on), but the business/mission owner is ultimately the individual who makes such decisions.
It is important to understand that in most cases, organizations must share information in today's digital economy in order to be successful. The key to a successful information security program is to properly categorize data and ensure that only those that are authorized to access the data have the rights to do so. This means that you need to look at data and your organization's staff members, business partners, vendors, and customers, and determine who should have access to the various types of data within your organization.
There are two main ways to conduct an assessment of your organization's IT and business process as they relate to information security:
Recommendation
In my experience, the best way to start your information security program is to take a hybrid approach to conducting your initial assessment.
The following is an abbreviated example to begin the process of performing an internal assessment:
After conducting a security assessment of the organization, you will need to take your security assessment data and conduct a risk assessment. In conducting a risk assessment, you can begin to prioritize the activities that you want to implement first, second, and so on, as you build your security program. During the risk assessment, you will want to take what you learned from the organization's leaders and ensure your prioritization serves the organization's goals so that you effectively describe your assessment and plan in business terms. Ultimately, the introduction of an information security program is one of organizational change. You want to ensure that you are presenting the changes you wish to make in organizational terms rather than IT terms. This will help you to win the approval of leadership, which will provide you with the needed authority and funding to make changes to the organization.
Managing an information security program is really about risk management. Ultimately, how an organization deals with specific vulnerabilities in its IT systems, business processes, and staff has to do with its ability to manage risk. Organizational leaders are going to want to understand how vulnerabilities found in the assessment are going to impact the organization's ability to conduct business or serve their customers. Leadership will also want to understand the likelihood of a risk occurring and what the potential impact could be if this occurred.
It is important to identify the possible business impact of the risk. Each business owner will have its own risk concerns, and each business risk will be tied to a business function/dollar amount. Recommendations for fixes, mitigations, and so on, should tie into the return on investment (ROI). For example:
Armed with this information, you can build out a plan that describes the specific IT implementations that need to be carried out in an organization based on the assessments that were previously conducted and the risk assessment that followed. The plan contains the priorities identified in the risk assessment process.
Based on the risk assessment, you will know the following:
With this information, you have everything necessary to build a well-supported evidence-based plan to move your organization forward as it changes to implement modern information security practices.
Information security standards are published works by various professional organizations which attempt to encapsulate the guidance necessary to properly secure an IT system. Different standards have applicability to different industries, such as payment card versus healthcare, but tend to cover the full breadth of applicable system-related components, such as network devices, workstations, servers, software, user interaction with systems, system process interactions, data transmission, and storage. It is very important to understand that information security standards are not checklists.
When implementing a security standard for your organization, you must look at the standard and decide how you will implement it for your organization. In most cases, the standard is not prescriptive, in that it does not tell you what tools to implement and how to implement them. You need to work with your IT and business teams to determine the best tools for the job and how they should be implemented within your infrastructure. It is also important to note that implementing a standard does not mean that you have effectively secured your organization. This is the trap of thinking of a standard as a checklist. You must look at an information security standard as a place to start. It is up to the information security professional to implement a standard in an effective way that properly secures the organization and mitigates risk to acceptable levels.
The following are some popular standards that are used around the globe:
A policy is a foundational aspect to the development of a strong information security program. When developing a policy, you should ensure that you follow a few key principles:
In our modern era, human interaction is a key vector used to exploit an information system. Whether you are looking at attacks such as ransomware, or exploits against critical infrastructure, the easiest avenue into a system is by tricking the user to run a piece of software. The key way that we can make sure that our users are prepared for these attacks is by implementing an effective training and awareness program.
An effective training and awareness program is necessary to ensure successful implementation of your information security program. A training and awareness program will be the primary mechanism used to communicate organizational user roles and responsibilities from an information security perspective:
For example, payroll and benefit processors may have questions on PII handling and protections.
In this chapter, we covered introductory topics on implementing an effective information security program. We discussed the following:
In the next chapter, we will define the threat landscape. We will be discussing the people, processes, and technologies that need to be defended against to ensure your organization's continued security.