Information Security Handbook

4.8 (5 reviews total)
By Darren Death
    Advance your knowledge in tech with a Packt subscription

  • Instant online access to over 7,500+ books and videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Information and Data Security Fundamentals

About this book

Having an information security mechanism is one of the most crucial factors for any organization. Important assets of organization demand a proper risk management and threat model for security, and so information security concepts are gaining a lot of traction. This book starts with the concept of information security and shows you why it’s important.

It then moves on to modules such as threat modeling, risk management, and mitigation. It also covers the concepts of incident response systems, information rights management, and more. Moving on, it guides you to build your own information security framework as the best fit for your organization. Toward the end, you’ll discover some best practices that can be implemented to make your security framework strong.

By the end of this book, you will be well-versed with all the factors involved in information security, which will help you build a security framework that is a perfect fit your organization’s requirements.

Publication date:
December 2017
Publisher
Packt
Pages
330
ISBN
9781788478830

 

Chapter 1. Information and Data Security Fundamentals

Computers have been instrumental to human progress for more than half a century. As these devices have become more sophisticated they have come under increasing attack from those looking to disrupt organizations using these systems. From the first boot sector virus to advanced, highly-complex, nation-state threats, the ability for an adversary to negatively impact an organization has never been greater. While the attacker has become more sophisticated, our ability to prepare for and defend against the attacker has also become very sophisticated. Throughout this book, I will discuss what it takes to establish an information security program that helps to ensure an organization is properly defended.

The first chapter will provide the reader with an overview of key concepts that will be examined throughout this book. The reader will learn the history, key concepts, components of information, and data security. Additionally, the reader will understand how these concepts should balance with business needs.

The topics covered in this chapter include the following:

  • Information security challenges
  • The evolution of cybercrime
  • The modern role of information security:
    • IT security engineering
    • Information assurance
    • The CIA triad
  • Organizational information security assessments
  • Risk management
  • Information security standards
  • Policies
  • Training
 

Information security challenges


The threats faced by today's organizations are highly complex and represent a real danger. The ability to mount an attack has become very simple due to many factors including the following:

  • End user: End users that use our information systems are prone to clicking on website URLs and launching attachments in emails
  • Malware kits: Paying hackers for DIY kits to easily develop your own malware
  • Cloud computing: Cheap and easy access to computing resources helps to ensure easy access to processing power
  • Exploit subscription services: Underground services that an attacker can subscribe to, to get the latest exploits

An attacker can take these tools, string them together with tutorials found online (as well as their own knowledge and resources), and build a sophisticated attack that could affect millions of computers worldwide.

Modern computer systems were never really developed to be secure. From the very beginning, computers have had an inherent trust factor built into them. Designers did not take into account the fact that adversaries might exploit their systems to harvest the valuable assets they contained. Security therefore, came in the form of bolt-ons or bandages, for solving an inherent problem. This still continues to this day. If you look at a modern computer science program, cybersecurity is often not included. This leads us to the modern internet, overflowing with vulnerable software and operating systems that require constant patches because security has always been an afterthought. Instead of security being built into an information system from the beginning, we are faced with an epidemic of vulnerable systems around the world.

The computer power of the average individual has greatly increased over the past few decades. This has resulted in an increase of sanctioned, and unsanctioned, personally-owned devices processing organizational data and being connected to corporate networks. All of these unmanaged devices are often set up to accommodate speed and convenience for a personal user and do not take into account the requirements of corporate information security.

Many organizations see information security as a hindrance to productivity. It is common to see business leaders, as well as IT personnel, avoid the discussion surrounding security with the fear that security will prevent the corporation from achieving its mission. Implementing security within a project Systems Development Life Cycle (SDLC) may be fought against, as team members may believe security will prevent a project from being completed on time or viewed as an impediment to a business' financial gain. Tools such as multi-factor authentication (MFA) or Virtual Private Networks (VPN) may be resisted as the business might not want to invest the capital for such solutions, due to not understanding the technology and how it would minimize the cyber risk posture of the organization.

Overcoming these challenges requires that the information security leader has a strong understanding of the organizations that they work for and that communication is effectively maintained. The information security professional must integrate with all functional/business owners within their organization. This will allow the security professional to help determine the risk posture of each business area, and help the business owner make sound risk-based decisions. Information security must offer solutions to the business leader's challenges versus adding new challenges for the business leader to solve. Additionally, the information security professional must work and collaborate effectively with their counterparts in information technology. Many information security professionals focus on dictating policy without discussing what is actually needed. Work to foster a relationship where the information security group is sought out for answers rather than avoided.

 

Evolution of cybercrime


As computer systems have now become integral to the daily functioning of businesses, organizations, governments, and individuals we have learned to put a tremendous amount of trust in these systems. As a result, we have placed incredibly important and valuable information on them. History has shown, that things of value will always be a target for a criminal. Cybercrime is no different. As people flood their personal computers, phones, and so on with valuable data, they put a target on that information for the criminal to aim for, in order to gain some form of profit from the activity. In the past, in order for a criminal to gain access to an individual's valuables, they would have to conduct a robbery in some shape or form. In the case of data theft, the criminal would need to break into a building, sifting through files looking for the information of greatest value and profit. In our modern world, the criminal can attack their victims from a distance, and due to the nature of the internet, these acts would most likely never meet retribution.

In the 70s, we saw criminals taking advantage of the tone system used on phone networks. The attack was called phreaking, where the attacker reverse-engineered the tones used by the telephone companies to make long distance calls.

In 1988, the first computer worm made its debut on the internet and caused a great deal of destruction to organizations. This first worm was called the Morris worm, after its creator Robert Morris. While this worm was not originally intended to be malicious it still caused a great deal of damage. The U.S. Government Accountability Office in 1980 estimated that the damage could have been as high as $10,000,000.00.

1989 brought us the first known ransomware attack, which targeted the healthcare industry. Ransomware is a type of malicious software that locks a user's data, until a small ransom is paid, which will result in the issuance of a cryptographic unlock key. In this attack, an evolutionary biologist named Joseph Popp distributed 20,000 floppy disks across 90 countries, and claimed the disk contained software that could be used to analyze an individual's risk factors for contracting the AIDS virus. The disk however contained a malware program that when executed, displayed a message requiring the user to pay for a software license. Ransomware attacks have evolved greatly over the years with the healthcare field still being a very large target.

The 90s brought the web browser and email to the masses, which meant new tools for cybercriminals to exploit. This allowed the cybercriminal to greatly expand their reach. Up till this time, the cybercriminal needed to initiate a physical transaction, such as providing a floppy disk. Now cybercriminals could transmit virus code over the internet in these new, highly vulnerable web browsers. Cybercriminals took what they had learned previously and modified it to operate over the internet, with devastating results. Cybercriminals were also able to reach out and con people from a distance with phishing attacks. No longer was it necessary to engage with individuals directly. You could attempt to trick millions of users simultaneously. Even if only a small percentage of people took the bait you stood to make a lot of money as a cybercriminal.

The 2000s brought us social media and saw the rise of identity theft. A bullseye was painted for cybercriminals with the creation of databases containing millions of users' personal identifiable information (PII), making identity theft the new financial piggy bank for criminal organizations around the world.

This information coupled with a lack of cybersecurity awareness from the general public allowed cybercriminals to commit all types of financial fraud such as opening bank accounts and credit cards in the name of others.

Today we see that cybercriminal activity has only gotten worse. As computer systems have gotten faster and more complex we see that the cybercriminal has become more sophisticated and harder to catch. Today we have botnets, which are a network of private computers that are infected with malicious software and allow the criminal element to control millions of infected computer systems across the globe. These botnets allow the criminal element to overload organizational networks and hide the origin of the criminals:

  • We see constant ransomware attacks across all sectors of the economy
  • People are constantly on the lookout for identity theft and financial fraud
  • Continuous news reports regarding the latest point of sale attack against major retailers and hospitality organizations
 

The modern role of information security


The role that information security plays has changed over the years and today, with information security professionals being brought in at the executive level of organizations, they have become critical members that contribute to the overall success of business operations. When information security first became a discipline, its focus was all about securing IT configurations and putting security tools in place. As time has progressed, it became apparent that you cannot properly secure an IT environment without first understanding the needs of an organization's business leaders. Now, information security leaders work to ensure that the business maintains its ability to serve its customers by tying cybersecurity to the business' functions.

IT security engineering

IT security engineering is the application of security principles to information technology. In our modern world, this really can mean just about anything, from a server to a refrigerator, once you start to consider the Internet of Things (IoT). There are so many new devices being built daily that are IP addressable, essentially making them mini-servers, which introduces potential vulnerabilities. Additionally, it is important to consider the security needs for devices that are non-networked or may be air gapped. Nonnetworked, or air-gapped, environments still have the capability to communicate through out-of-band means, such as a USB thumb drive, allowing an attacker to communicate with them. A mature organization should have staff specifically targeted at looking at information technology security concerns, working with business and information technology leadership to secure IT systems and protect the environment from attackers.

Information assurance

Information assurance is the act of working with business and IT leadership to ensure that the confidentiality, integrity, and availability requirements for a given asset are fully understood. Those requirements should be fully tested in a test environment prior to being integrated into the production environment, in order to ensure that they are secure and do not cause interoperability issues.

The activities associated with information assurance inform the activities associated with IT security regarding the specific technical controls needed to properly protect a given asset. Requirements are driven by the business/mission owner.

For example, a medical device might be deemed by a business/mission owner to be confidentiality-high, integrity-high, and availability-moderate (because they can revert to old school medical techniques):

Relationship between Information Assurance and IT Security

The CIA triad

The CIA triad is a key tenet at the core of information security. This tool is used to help the information security professional think about how to best protect organizational data:

  • Confidentiality: It has to do with whether or not information is kept secret or private. Mechanisms should be employed, such as encryption, which will render the data useless if it was accessed in an unauthorized manner.
  • Integrity: It has to do with whether the information is kept accurate. Information should not be modified in an unauthorized manner and safeguards should be put in place that allows for detectable and timely unauthorized changes.
  • Availability: It has to do with ensuring that information is available when it is needed. This control can be accomplished by implementing tools ranging from battery backup at the data center, to a content distribution network in the cloud:
 

Organizational information security assessment


We must remember that information security is meant to compliment the business/mission process, and that each process owner will have to determine what risk is acceptable for their organization. We, as information security experts, can only offer recommendations (fixes, mitigations, and so on), but the business/mission owner is ultimately the individual who makes such decisions.

It is important to understand that in most cases, organizations must share information in today's digital economy in order to be successful. The key to a successful information security program is to properly categorize data and ensure that only those that are authorized to access the data have the rights to do so. This means that you need to look at data and your organization's staff members, business partners, vendors, and customers, and determine who should have access to the various types of data within your organization.

There are two main ways to conduct an assessment of your organization's IT and business process as they relate to information security:

  • Internal assessment: An internal assessment can be viewed in two ways:
    • An initial assessment could be used to provide the context for the inclusion of a third-party assessment. This would be an appropriate course of action if your information security program lacked the skills to conduct a thorough information security assessment, or your organization prefers third-party assessments over internal assessments.
    • If your organization does not require a third-party assessment, and if you have the resources and skills to complete an information security assessment, the internal information security program can conduct its own assessment.
  • Third-party assessment: The third-party assessment can be viewed in two ways:
    • A third-party assessment provides an objective view and can often be used to arbitrate between the information security group and IT operations. The third party brings in an unbiased observer to develop the organization's assessment, alleviating internal infighting.
    • While this has benefits over an initial assessment, this is usually the only mechanism for an assessment that is tied to compliance.

Note

Recommendation In my experience, the best way to start your information security program is to take a hybrid approach to conducting your initial assessment.

The following is an abbreviated example to begin the process of performing an internal assessment:

  1. Conduct an initial internal assessment:
    1. As an information security leader you need to understand the organization you work in:
      1. Meet with business and IT leaders:
        1. Depending on the business function of your organization, acquire all past audit (PCI, HIPPA, and so on) reports, to determine what was found, addressed, not addressed, and so on.
      2. Meet with subject matter experts.
      3. Document areas for improvement and places where you can celebrate current successes.
      4. Brief leadership on your findings.
    2. Based on your findings recommend to leadership that a third party be brought in to dig deeper:
      1. No matter the results of the internal review, a third-party validator should be brought in, at least on a biannual basis to test your security program. This includes:
        1. Information security program reviews.
        2. Red team penetration test capability.
  2. Conduct a third-party assessment:
    1. Work with IT leadership and subject matter experts to discuss the purpose of the assessment:
      1. Make sure that the assessment is non-punitive:
        1. Ensure that everyone understands that you are conducting an assessment to build a plan and roadmap. The purpose is not to fire individuals or to point out mistakes.
    2. Ensure that the third-party assessment has management buy-in and support:
      1. Without top-level support (Board, CEO), it might be easy for individuals to ignore your assessors.
    3. Ensure that the third party has access to the internal resources required:
      1. Make sure that there is a clear plan and that this plan is communicated to everyone that will be involved in the assessment.
    4. Conduct the assessment and produce the findings.
    5. A plan of action and milestones should then be developed with each business owner, to allow those owners to build their strategies of risk management, risk acceptance, or risk transfer.
 

Risk management


After having conducted a security assessment of the organization it will then become necessary to take your security assessment data and conduct a risk assessment. In conducting a risk assessment you can begin to prioritize the activities that you want to implement first, second, and so on, as you build your security program. During the risk assessment, you will want to take what you learned from the organization's leaders and ensure your prioritization serves the organization's goals so that you effectively describe your assessment and plan in business terms. Ultimately, the introduction of an information security program is one of organizational change. You want to ensure that you are presenting the changes you wish to make in organizational terms versus IT terms. This will help you to win the approval of leadership, which will provide you with the needed authority and funding to make changes to the organization.

Managing an information security program is really about risk management. Ultimately, how an organization deals with specific vulnerabilities in its IT systems, business processes, and staff has to do with its ability to manage risk. Organizational leaders are going to want to understand how vulnerabilities found in the assessment are going to impact the organization's ability to conduct business or serve their customers. Leadership will also want to understand the likelihood of a risk occurring and what the potential impact could be if this occurred.

It is important to identify the possible business impact of the risk. Each business owner will have its own risk concerns, and each business risk will be tied to a business function/dollar amount. Recommendations for fixes, mitigations, and so on, should tie into the return on investment (ROI). For example:

  • A HIPPA violation could cost an organization millions, however, a solution to the risk might only cost $38,000 annually, which will mitigate the risk and lower the overall risk posture.
  • If you break that $38,000 down by the number of users who have access to the data, say 11,000, you come down to $3.45 per user for minimizing the risk posture. Your return on investment is easy to argue, and gain leadership support for.

Armed with this information, you can build out a plan that describes the specific IT implementations that need to be carried out in an organization based on the assessments that were previously conducted and the risk assessment that followed. The plan contains the priorities identified in the risk assessment process.

Based on the risk assessment, you will know the following:

  • What the top risks are in the organization
  • What the most valuable assets are for your organization
  • What risks are most likely to occur
  • What the impacts will be when a risk occurs

With this information, you have everything necessary to build a well-supported evidence-based plan to move your organization forward as it changes to implement modern information security practices.

 

Information security standards


Information security standards are published works by various professional organizations which attempt to encapsulate the guidance necessary to properly secure an IT system. Different standards have applicability to different industries, such as payment card versus healthcare, but tend to cover the full breadth of applicable system-related components, such as network devices, workstations, servers, software, user interaction with systems, system process interactions, data transmission, and storage. It is very important to understand that information security standards are not checklists.

When implementing a security standard for your organization you must look at the standard and decide how you will implement it for you organization. In most cases, the standard information is not prescriptive in that it does not tell you what tools to implement and how to implement them. You need to work with your IT and business teams to determine the best tools for the job and how they should be implemented within your infrastructure. It is also important to note that implementing a standard does not mean that you have effectively secured your organization. This is the trap of thinking of a standard as a checklist. You must look at an information security standard as a place to start. It is up to the information security professional to implement a standard in an effective way that properly secures the organization and mitigates risk to acceptable levels.

The following are some popular standards that are used around the globe:

  • ISO 27001 and 27002 (https://www.iso.org/isoiec-27001-information-security.html):
    • A set of requirements which provide a framework for an organization to plan, and assess their security.
    • It has a very specific mechanism. An organization can contract a third party to verify their security controls and so be deemed compliant with 27001.
  • Voluntary NIST Cybersecurity Framework (https://www.nist.gov/cyberframework):
    • Guidance developed to help private sector entities and critical infrastructure develop an effective risk-based approach to implementing cybersecurity.
    • Provides information security activities, outcomes, references, and detailed guidance necessary for planning a well-functioning information security program.
    • Voluntary.
  • HIPPA (https://www.hhs.gov/hipaa/):
    • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the secretary of the U.S. department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.
    • To fulfill this requirement, HHS published what is commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or standards for privacy of individually identifiable health information, establishes national standards for the protection of certain health information. The security standards for the protection of electronic protected health information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.
    • Mandatory requirement for any organization processing HIPPA-related data (Personal Health Information (PHI)).
  • PCI DSS (https://www.pcisecuritystandards.org/):
    • The PCI Data Security Standard (DSS) provides a framework for developing a payment card data security process, which includes prevention, detection, and incident response to security incidents.
    • Mandatory requirement for any organization processing payment card data.
 

Policies


A policy is a foundational aspect to the development of a strong information security program. When developing a policy, you should ensure that you follow a few key principles:

  • Receive board-level / CEO approval and support:
    • Without CEO or board-level backing, a security program is doomed to fail
  • You should only create a policy that you intend to follow:
    • This means do not create a policy for the sake of the documentation. A policy that sits on the shelf and is never used does not help anyone.
    • Policies that you don't follow will be used by an auditor to show that you are deficient:
      • If you have policies follow them.
  • Ensure your policies are implementable:
    • There are many ways that a security standard can be met, and your policies should reflect the way that your organization wants to implement a standard
    • Do not describe four points in a policy if you intend to only implement two of them if those two provide adequate risk mitigation
  • A policy needs to take into account the organization's appetite for accepting risk:
    • Consider the value of the information that your organization owns.
    • Consider what would happen to the organization if you lost control over the confidentiality, integrity, and/or availability of the information:
      • Are you trying to safeguard trade secrets or sensitive proprietary information (confidentiality)?
      • Does information need to be accurate at all times (integrity)?
      • Could the organization effectively operate without its information (availability)?
    • Answers to questions like these, combined with an understanding of you organizations risk appetite, will inform your policy development.
 

Training


In our modern era, human interaction is a key vector used to exploit an information system. Whether you are looking at attacks such as ransomware, or exploits against critical infrastructure, the easiest avenue into a system is by tricking the user to run a piece of software. The key way that we can make sure that our users are prepared for these attacks is by implementing an effective training and awareness program.

Key components of an effective training and awareness program

An effective training and awareness program is necessary to ensure successful implementation of your information security program. A training and awareness program will be the primary mechanism used to communicate organizational user roles and responsibilities from an information security perspective:

  • Secondary media products:
    • This includes things like giveaways (squeezy balls), alert notifications, posters, or social media.
    • These serve to remind users about information security principles that you are communicating through other mechanisms.
    • The key here is to keep information brief and manageable. If you need to read for more than ten seconds, it is too long.
  • Primary media products:
    • This includes things such as email newsletters, websites, and inclusions in corporate magazines.
    • These have more contact and are distributed on a periodic basis.
    • The key here is to not overwhelm the user. If you send out an email newsletter every week, you may find your newsletter in the spam folder.
  • Yearly information security awareness training:
    • This is training provided every year, where you communicate all of your information security requirements for the user into a single presentation
    • The preferred method for implementing this training is computer-based, through a learning management system:
      • This helps you to easily record users that have completed training and their scores
    • This training should include a mechanism to test the users' understanding:
      • The test should not be an information security vocabulary test:
        • The user should know not to click on URLs and attachments they do not trust
        • The user does not need to be test on the difference between phishing or spear phishing
    • Use the yearly training as an opportunity to have your users validate or revalidate their acceptance of your organization's acceptable use policy:
      • The training should cover every aspect of the Acceptable Use Policy
  • Events:
    • This includes lunch time presentations, webinars, and presenting at corporate, divisional, or team meetings
    • It is very important to deliver the information security message to your organization in person where possible:
      • Webinars are useful in geographically-distributed organizations
    • Getting 15 minutes to speak at the finance or HR teams quarterly meeting is a great way to answer questions that an entire group may have

For example, payroll and benefit processors may have questions on PII handling and protections.

References:

 

Summary


In this chapter, we covered introductory topics on implementing an effective information security program. We discussed the following:

  • Information security challenges faced by the organization and the information security program
  • The evolution of cybercrime over time and its impact
  • The role of information security in the organization
  • The concept of confidentiality, integrity, and availability
  • An introduction to information security assessments
  • An introduction to risk management
  • The roles of information security standards and training
  • How awareness and training benefit the organization

In the next chapter, we will define the threat landscape. We will be discussing the people, processes, and technologies that need to be defended against to ensure your organization's continued security.

About the Author

  • Darren Death

    Darren Death is an information security professional living in the DC Metropolitan Area. During his 17-year technology career, he has supported the private and public sector at the local, state, and national levels. Darren has worked for organizations such as the Department of Justice, Library of Congress, and the Federal Emergency Management Agency. Darren currently works for Artic Slope Regional Corporation as its chief information security officer. In this role, Darren is responsible for the ASRC Enterprise Information Security program, where he manages the Information Security program across the 3 billion dollar ASRC portfolio crossing many business sectors to include energy, financial services, hospitality, retail, construction, and federal government contracting.

    Darren is very active in the information security community and can be heard at many conferences throughout the year speaking on many of the topics covered in this book. Infragard is an organization that is dedicated to sharing information and intelligence working to prevent hostile acts against the United States. In this role, he teaches students the building blocks that go into establishing a successful information security program.

    Browse publications by this author

Latest Reviews

(5 reviews total)
Entrega fácil e super rápida!
All you need for a great and easy overview for any ongoing security analyst....
no problems downloading files.

Recommended For You

Book Title
Unlock this book and the full library for FREE
Start free trial