A Multilayered Approach to Information Security

<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBP76UXazG1serNFQ9zPjacpGef7OpR1iowRHpje-FG-Gh9zqEWa2PToaky_xECm0fLjx4Li_nUc56vJq_foPPOgUtOo0E1PQzr_kT6KoNeFLutNLLJDKAg7r3WhLucZrCYywvKTXWuMRB/s1600/confidentiality.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBP76UXazG1serNFQ9zPjacpGef7OpR1iowRHpje-FG-Gh9zqEWa2PToaky_xECm0fLjx4Li_nUc56vJq_foPPOgUtOo0E1PQzr_kT6KoNeFLutNLLJDKAg7r3WhLucZrCYywvKTXWuMRB/s1600/confidentiality.png" /></a></div><span style="font-family: Arial, Helvetica, sans-serif;">Establishing multiple layers of defense is critical to protecting valuable information assets. An effective multilayered defense involves not only defining and defending the system perimeter, but also preempting and deterring attacks, implementing tools that can deflect attacks, and then constantly monitoring for intruders and learning from their methods. Together, these various defense mechanisms provide for an information security strategy which supports the confidentiality, integrity, and availability of the system, while simultaneously mitigating many of the risks inherent in a world that relies so heavily on information and communication technologies. Remember: a layered defense strategy is best!</span><br /><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: Arial,Helvetica,sans-serif;">Many organizational information systems are subjected to a constant barrage of attacks. Fortunately there are also many tools and techniques available that can be used to limit the number of attacks that will be successful. Beginning outside of the boundaries of a system, preemption and external deterrence methods can be used in order to prevent attacks. For those intrusion attempts that make it through the system perimeter, we can use internal deterrence mechanisms and deflection mechanisms. If all else fails and the attack is successful, it is critical to be able to detect the attack and respond to and learn from it as quickly as possible. In so doing, we can contain the damage and limit the likelihood that a similar attack will succeed in the future. A multilayered security strategy thus represents the best chance possible of providing a solid defense against attacks in light of the competing objectives of confidentiality, integrity, and system availability.</span></div>

A Multilayered Approach to Information Security

Establishing multiple layers of defense is critical to protecting valuable information assets. An effective multilayered defense involves not only defining and defending the system perimeter, but also preempting and deterring attacks, implementing tools that can deflect attacks, and then constantly …

Read more »

Physical, Procedural, and Technical Controls in Information Security

<div class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTJUCtkIeCrUz2fpKTxBkfH4Kl5eA3GLI3a_RowX3y4H-gc9k82YcSpxSkL_oDOy7UaYzt5C9fiO6soTYme7hV6iVTpygUjYv-231XDM3Y31XouwcTv8r_9aBwjMMKhdEb11m4UnbgfBzT/s1600/controls.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTJUCtkIeCrUz2fpKTxBkfH4Kl5eA3GLI3a_RowX3y4H-gc9k82YcSpxSkL_oDOy7UaYzt5C9fiO6soTYme7hV6iVTpygUjYv-231XDM3Y31XouwcTv8r_9aBwjMMKhdEb11m4UnbgfBzT/s1600/controls.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">In this post, I will briefly discuss the three major types or categories of controls that can be used to defend information systems – namely (1) physical controls, (2) procedural controls, and (3) technical controls. First, physical controls are those controls which seek to prevent an attack through the use of something tangible. Examples of physical controls include mechanisms such as walls, locks, security guards, security cameras, backup copies or real-time replication of data, and the use of natural or man-made disaster-protection devices such as smoke alarms or fire extinguishers.</span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">In addition to physical controls, information security personnel can also rely upon procedural and administrative controls to protect information systems. Procedural and administrative controls are guidelines or agreements that require or advise people to act in certain ways with the goal of protecting information assets. Procedural and administrative controls include mechanisms such as laws and local regulations, organizational policies, procedures, or guidelines, methods of protecting intellectual property such as copyrights, patents, or trade secrets, and contracts or other documents that govern the relationship between two or more parties.</span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Finally, we have technical controls. Technical controls are controls or countermeasures that use technology-based contrivances in order to protect information systems from harm. These can include mechanisms such as passwords, access controls for operating systems or application software programs, network protocols, firewalls and intrusion detection systems, encryption technology, network traffic flow regulators, and so forth. When used together, the adoption of these different types of controls allows for the establishment of a layered defense, and provides the best chance possible of preventing information systems from suffering harm.</span></div><div class="MsoNormal"><o:p></o:p></div>

Physical, Procedural, and Technical Controls in Information Security

In this post, I will briefly discuss the three major types or categories of controls that can be used to defend information systems – namely (1) physical controls, (2) procedural controls, and (3) technical controls. First, physical controls are those controls which seek to prevent an attack through…

Read more »

Using Multiple Controls or Countermeasures for Information Security

<div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">In this post I would like to talk about using multiple controls or countermeasures for information security purposes. To begin, consider a castle in the Middle Ages. You may have noticed that many castles were built in locations that leveraged natural obstacles in order to protect the castle during an attack. A castle, for example, might be built on the edge of a cliff such that there are fewer points of attack. Further, castles often had a surrounding moat -- that is, a man-made band of water surrounding the castle -- which would help to further protect it from attackers. Additional controls might have included a drawbridge, heavy crenellated walls, strong gates, towers, or guards who use passwords. When considered together, it quickly becomes obvious that the defensive strategy used for castles in the Middle Ages was to rely on a multilayered defense, and a similar strategy should be used to defend information assets today. <o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEI1OpBJedSvfrUHIMO9obvd6qTRT1atOzXEkWAri0XFIcEv5R4cFh6XkPerc-jY-pLJT6ZSHrKQ06YRbzicAiDSo6F8q_VBQxWLSiAuyuEQN_O6MySpYc07Ywd1fiC28hlphpRlXimXU3/s1600/castle.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEI1OpBJedSvfrUHIMO9obvd6qTRT1atOzXEkWAri0XFIcEv5R4cFh6XkPerc-jY-pLJT6ZSHrKQ06YRbzicAiDSo6F8q_VBQxWLSiAuyuEQN_O6MySpYc07Ywd1fiC28hlphpRlXimXU3/s1600/castle.png" /></a></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Whereas castles used controls such as walls, moats, guards, and so forth, information security personnel can use controls such as encryption, software controls, hardware controls, societal and organizational policies and procedures, physical controls, and so forth in order to protect information assets. Just as with the castle, using a single control or countermeasure would almost certainly be insufficient to establish an adequate defense for information assets. Instead, information security personnel should adopt a multilayered approach.</span></div><div class="MsoNormal"><o:p></o:p></div>

Using Multiple Controls or Countermeasures for Information Security

In this post I would like to talk about using multiple controls or countermeasures for information security purposes. To begin, consider a castle in the Middle Ages. You may have noticed that many castles were built in locations that leveraged natural obstacles in order to protect the castle during …

Read more »

Defending against Attacks on Information Systems

<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1N2sJWndyYwv4sT-IHQPFI8GOHjCiHIhjL5iv-6LxZXAkAejsRGpHWdbBxz6SUTo3nbaPbx95jOS3HvaLrlqFGmkXZ8rx_tsmSK-CHsZ55qX2y9XEvKqZ6eDfWL_zSrU4pFx6qAtkY_i5/s1600/methods+of+defense.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1N2sJWndyYwv4sT-IHQPFI8GOHjCiHIhjL5iv-6LxZXAkAejsRGpHWdbBxz6SUTo3nbaPbx95jOS3HvaLrlqFGmkXZ8rx_tsmSK-CHsZ55qX2y9XEvKqZ6eDfWL_zSrU4pFx6qAtkY_i5/s1600/methods+of+defense.png" /></a></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">In broad terms, there are six different approaches that can be used to defend information systems against attacks by malicious parties. The first of these approaches is prevention, and preventing an attack can be accomplished by either blocking the attack, or by entirely closing or eliminating a vulnerability. Remember that an attack occurs when someone intentionally exploits a vulnerability. If we are therefore able to close or entirely eliminate the vulnerability, then the attack cannot occur. The second method of defense is deterrence, and deterring an attack can be accomplished by finding ways to make the attack more difficult to carry out. The third method of defense is deflection, and in order to deflect an attack, another target must be provided for the attacker which seems to be more attractive than the original target. In this way, it may be possible to artfully encourage the attacker to pursue a target that is of little real value.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">After prevention, deterrence, and deflection, the fourth approach to defending information systems is through mitigation. An attack can be mitigated by taking steps to make the impact of the attack less severe. If despite our best efforts we are unable to prevent, deter, or deflect an attack, then the best strategy is to have mechanisms in place which will contain the damage.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">The fifth method of defense is detection, and detection can take place either while an attack is in progress, or after the attack has been completed. If an attack can be detected while it is still underway, then it may be possible to stop the attack immediately, thus preventing further harm. It is, however, important to realize that detecting an attack after it has taken place can also be of great value. If an attack can be detected after it has taken place, then it may be possible to repair the damage and learn from the attack by determining exactly how the system was compromised. Such information can be useful in identifying and closing vulnerabilities, thus preventing similar attacks from being successful in the future.</span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Finally, the sixth method of defense is to recover from an attack. It is necessary to have mechanisms in place such as organizational protocols, backup copies of data, and so forth that allow us to quickly recover from a successful attack. Recovery is a legitimate method of defense because if an attacker finds that the effects of her attack are short-lived and quickly fixed, then she may be less likely to attack us in the future.</span></div><div class="MsoNormal"><o:p></o:p></div>

Defending against Attacks on Information Systems

In broad terms, there are six different approaches that can be used to defend information systems against attacks by malicious parties. The first of these approaches is prevention, and preventing an attack can be accomplished by either blocking the attack, or by entirely closing or eliminating a vul…

Read more »

Prerequisites for Attacking an Information System

<div class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxzCXm-qsDzwAJDf3UxSSMJsUYIlXktYXzzn9B5ieW1XIZJpm3uTIxL2k2NAbod2UQITgEqdS-955782RpPdF5kBNiWisBRVopd4xx7hZuupTR-DLTi21WWzFvvk54CWQOEvu7FMZtqp_g/s1600/attack+prerequisites.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxzCXm-qsDzwAJDf3UxSSMJsUYIlXktYXzzn9B5ieW1XIZJpm3uTIxL2k2NAbod2UQITgEqdS-955782RpPdF5kBNiWisBRVopd4xx7hZuupTR-DLTi21WWzFvvk54CWQOEvu7FMZtqp_g/s1600/attack+prerequisites.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">In order for an attack on an information system to succeed, an attacker must possess three specific things: (1) <i>method</i>, (2) <i>opportunity</i>, and (3) <i>motive</i>. One useful way of remembering these prerequisites is through the acronym MOM (<u>M</u>ethod, <u>O</u>pportunity, and <u>M</u>otive). In the context of conducting attacks on information systems, method refers to the skills, knowledge, tools, experience, and so forth that an attacker must have in order for an attack to be realistically attempted. Opportunity, by contrast, refers to the time and the necessary access that are required in order for an attacker to attempt an attack on an information system. Finally, motive simply refers to the purpose for conducting an attack or the reason for which an attacker desires to carry out an attack.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><span style="font-family: Arial, Helvetica, sans-serif;">From an information security perspective, it is critical that security personnel understand these three prerequisites for conducting attacks on information systems. If any of these three prerequisites can be eliminated -- that is, if we are able to effectively remove or disrupt an attacker’s method, opportunity, or motive -- then the attack will not succeed. If efforts aimed at defending against attacks on information infrastructure or protecting information assets are to have the best chance possible of succeeding, those efforts should therefore target one or more of these three prerequisites.</span><br /><div class="MsoNormal"><o:p></o:p></div>

Prerequisites for Attacking an Information System

In order for an attack on an information system to succeed, an attacker must possess three specific things: (1) method, (2) opportunity, and (3) motive. One useful way of remembering these prerequisites is through the acronym MOM (Method, Opportunity, and Motive). In the context of conducting attack…

Read more »

Harm and the Value of Information Assets

<br /><div class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhujEMTmSP6ZVtjsmsYfS90AWK8q_TSPT2ogtFyv3a8oMQRPyCZU7w8lahvMMcjzaEHUAmZUNJfd2QSIgjgUOFAYbvCmT-8UyiZd8unEVtPuHwcZhg1k8AzyAZ_jAf5BDiLoMo2lQgiIeRU/s1600/harm.png" imageanchor="1" style="clear: left; display: inline !important; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhujEMTmSP6ZVtjsmsYfS90AWK8q_TSPT2ogtFyv3a8oMQRPyCZU7w8lahvMMcjzaEHUAmZUNJfd2QSIgjgUOFAYbvCmT-8UyiZd8unEVtPuHwcZhg1k8AzyAZ_jAf5BDiLoMo2lQgiIeRU/s1600/harm.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">Although in an <a href="http://computersecurityconcepts.blogspot.com/2013/09/harm-and-information-assets.html">earlier post</a> I discussed the four types of acts that can cause harm to an information system, here I would like to briefly discuss harm itself. Harm refers to the negative consequences that can arise from an actualized threat. That is, if a vulnerability in an information system is exploited such that a threat becomes a reality, then harm refers to the implications of the actualized threat. Note that the quantity or amount of harm that is sustained from a successful attack is often a subjective matter. Different people in different organizations will naturally assign different values to their information assets, and with different values assigned to assets, an identical attack would be perceived to cause different amounts of harm to two different organizations.<o:p></o:p></span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjRH6STDubjYiUheeWktC35vMeNFO0YdlhWHp7stm7dr3vsjn-9wLGhRH-wxTU6ayhxkRo6IlyyIj3jTn1Ru6R8ZR2IzSFavUMMd0ahFKRrijsKTnGcs-mUxcC2KDT3dT3XedoSDJllZkY/s1600/value+of+information.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjRH6STDubjYiUheeWktC35vMeNFO0YdlhWHp7stm7dr3vsjn-9wLGhRH-wxTU6ayhxkRo6IlyyIj3jTn1Ru6R8ZR2IzSFavUMMd0ahFKRrijsKTnGcs-mUxcC2KDT3dT3XedoSDJllZkY/s1600/value+of+information.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">Quantifying harm is further complicated by the fact that the value of information assets commonly changes over time. Consider, for example, the value of the transaction records that your bank maintains for your checking account. If a malicious attacker were able to successfully delete or modify some of the records associated with your checking account, and if those records were associated with recent transactions that took place within the past few days, then your bank would almost certainly consider the attacker to have caused more harm than if the compromised records were associated with transactions from 10 years ago. This example speaks to the relationship between the value of information and time -- most modern information scientists believe that on average, the value of information assets degrades over time according to an exponential decay function. Put another way, new data are usually more valuable than older data.</span><o:p></o:p></div>

Harm and the Value of Information Assets

Although in an earlier post I discussed the four types of acts that can cause harm to an information system, here I would like to briefly discuss harm itself. Harm refers to the negative consequences that can arise from an actualized threat. That is, if a vulnerability in an information system is ex…

Read more »

Types of Information System Attackers

<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYa0CEoSg0u-inIpFbrGsTt1kAnpcFGNljB5Wq5GGV0bX0rifdHFxFcWkPjPOSOcPRYe0cxI94nZYt0X8dMBDE_Fh_4WGDmMBC4dnZt_SlhciI7Kzz4twQKGQj0COMjqrbxHqpokzuN44O/s1600/hacker.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYa0CEoSg0u-inIpFbrGsTt1kAnpcFGNljB5Wq5GGV0bX0rifdHFxFcWkPjPOSOcPRYe0cxI94nZYt0X8dMBDE_Fh_4WGDmMBC4dnZt_SlhciI7Kzz4twQKGQj0COMjqrbxHqpokzuN44O/s1600/hacker.png" /></a></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Who are these people who seek to compromise the confidentiality, integrity, or availability of our information assets? Surprisingly, many attackers are simply amateurs who act opportunistically. As an example, such an amateur might find someone’s lost mobile device or laptop computer and decide to sift through the files, or perhaps might be a script kiddie or wannabe hacker who finds pre-packaged hacking tools on some underground website, and attempts to apply those tools to the computers at her school or place of work. <o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Amateurs notwithstanding, there are also hackers (or <i>white-hats</i>) and crackers (or <i>black-hats</i>), with the difference between the two depending upon the attacker’s intent. Specifically, hackers are attackers whose intent in attacking a system is non-malicious, while crackers are attackers who attack a system with the intent of causing harm. A computer security expert, for example, might be hired by a company to try to break into an information system for the purpose of evaluating the robustness of the system’s defenses. Such an attacker would be properly classified as a hacker (or as a white-hat). By contrast, an attacker who attacks a system with a malicious goal -- such as stealing data or disrupting the availability of the system -- would be properly classified as a cracker (or as a black-hat). <o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><br /><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Some common types of crackers include both career criminals and organized crime syndicates who seek to engage in malicious breaches of information security for the purpose of financial or other gain. More recently, the information security world has also witnessed the rise of cyber terrorists, who are not necessarily affiliated with a particular state or government, but nevertheless are conducting attacks on information systems in support of some ideological or political agenda. Finally, and importantly, there are state-supported information warriors and spies. Most modern countries -- including powerful countries such as the United States and China -- employ vast armies of information warriors whose job it is to surveil government offices, military organizations, and even corporations in other countries for the purpose of collecting intelligence through digital means. Further, such officially sanctioned digital espionage is no longer just a minor consideration. In the United States, for example, the Department of Defense now considers cyberspace to be the fifth battlefield (with the first four battlefields being land, sea, air, and space). With cyberspace being acknowledged as a legitimate battlefield, substantial portions of many nations’ defense assets are now being directed toward efforts aimed at establishing superiority in cyberspace.</span><o:p></o:p></div>

Types of Information System Attackers

Who are these people who seek to compromise the confidentiality, integrity, or availability of our information assets? Surprisingly, many attackers are simply amateurs who act opportunistically. As an example, such an amateur might find someone’s lost mobile device or laptop computer and decide to s…

Read more »