A Multilayered Approach to Information Security

<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBP76UXazG1serNFQ9zPjacpGef7OpR1iowRHpje-FG-Gh9zqEWa2PToaky_xECm0fLjx4Li_nUc56vJq_foPPOgUtOo0E1PQzr_kT6KoNeFLutNLLJDKAg7r3WhLucZrCYywvKTXWuMRB/s1600/confidentiality.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBP76UXazG1serNFQ9zPjacpGef7OpR1iowRHpje-FG-Gh9zqEWa2PToaky_xECm0fLjx4Li_nUc56vJq_foPPOgUtOo0E1PQzr_kT6KoNeFLutNLLJDKAg7r3WhLucZrCYywvKTXWuMRB/s1600/confidentiality.png" /></a></div><span style="font-family: Arial, Helvetica, sans-serif;">Establishing multiple layers of defense is critical to protecting valuable information assets. An effective multilayered defense involves not only defining and defending the system perimeter, but also preempting and deterring attacks, implementing tools that can deflect attacks, and then constantly monitoring for intruders and learning from their methods. Together, these various defense mechanisms provide for an information security strategy which supports the confidentiality, integrity, and availability of the system, while simultaneously mitigating many of the risks inherent in a world that relies so heavily on information and communication technologies. Remember: a layered defense strategy is best!</span><br /><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: Arial,Helvetica,sans-serif;">Many organizational information systems are subjected to a constant barrage of attacks. Fortunately there are also many tools and techniques available that can be used to limit the number of attacks that will be successful. Beginning outside of the boundaries of a system, preemption and external deterrence methods can be used in order to prevent attacks. For those intrusion attempts that make it through the system perimeter, we can use internal deterrence mechanisms and deflection mechanisms. If all else fails and the attack is successful, it is critical to be able to detect the attack and respond to and learn from it as quickly as possible. In so doing, we can contain the damage and limit the likelihood that a similar attack will succeed in the future. A multilayered security strategy thus represents the best chance possible of providing a solid defense against attacks in light of the competing objectives of confidentiality, integrity, and system availability.</span></div>

A Multilayered Approach to Information Security

Establishing multiple layers of defense is critical to protecting valuable information assets. An effective multilayered defense involves not only defining and defending the system perimeter, but also preempting and deterring attacks, implementing tools that can deflect attacks, and then constantly …

Read more »

Physical, Procedural, and Technical Controls in Information Security

<div class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTJUCtkIeCrUz2fpKTxBkfH4Kl5eA3GLI3a_RowX3y4H-gc9k82YcSpxSkL_oDOy7UaYzt5C9fiO6soTYme7hV6iVTpygUjYv-231XDM3Y31XouwcTv8r_9aBwjMMKhdEb11m4UnbgfBzT/s1600/controls.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTJUCtkIeCrUz2fpKTxBkfH4Kl5eA3GLI3a_RowX3y4H-gc9k82YcSpxSkL_oDOy7UaYzt5C9fiO6soTYme7hV6iVTpygUjYv-231XDM3Y31XouwcTv8r_9aBwjMMKhdEb11m4UnbgfBzT/s1600/controls.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">In this post, I will briefly discuss the three major types or categories of controls that can be used to defend information systems – namely (1) physical controls, (2) procedural controls, and (3) technical controls. First, physical controls are those controls which seek to prevent an attack through the use of something tangible. Examples of physical controls include mechanisms such as walls, locks, security guards, security cameras, backup copies or real-time replication of data, and the use of natural or man-made disaster-protection devices such as smoke alarms or fire extinguishers.</span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">In addition to physical controls, information security personnel can also rely upon procedural and administrative controls to protect information systems. Procedural and administrative controls are guidelines or agreements that require or advise people to act in certain ways with the goal of protecting information assets. Procedural and administrative controls include mechanisms such as laws and local regulations, organizational policies, procedures, or guidelines, methods of protecting intellectual property such as copyrights, patents, or trade secrets, and contracts or other documents that govern the relationship between two or more parties.</span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Finally, we have technical controls. Technical controls are controls or countermeasures that use technology-based contrivances in order to protect information systems from harm. These can include mechanisms such as passwords, access controls for operating systems or application software programs, network protocols, firewalls and intrusion detection systems, encryption technology, network traffic flow regulators, and so forth. When used together, the adoption of these different types of controls allows for the establishment of a layered defense, and provides the best chance possible of preventing information systems from suffering harm.</span></div><div class="MsoNormal"><o:p></o:p></div>

Physical, Procedural, and Technical Controls in Information Security

In this post, I will briefly discuss the three major types or categories of controls that can be used to defend information systems – namely (1) physical controls, (2) procedural controls, and (3) technical controls. First, physical controls are those controls which seek to prevent an attack through…

Read more »

Using Multiple Controls or Countermeasures for Information Security

<div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">In this post I would like to talk about using multiple controls or countermeasures for information security purposes. To begin, consider a castle in the Middle Ages. You may have noticed that many castles were built in locations that leveraged natural obstacles in order to protect the castle during an attack. A castle, for example, might be built on the edge of a cliff such that there are fewer points of attack. Further, castles often had a surrounding moat -- that is, a man-made band of water surrounding the castle -- which would help to further protect it from attackers. Additional controls might have included a drawbridge, heavy crenellated walls, strong gates, towers, or guards who use passwords. When considered together, it quickly becomes obvious that the defensive strategy used for castles in the Middle Ages was to rely on a multilayered defense, and a similar strategy should be used to defend information assets today. <o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEI1OpBJedSvfrUHIMO9obvd6qTRT1atOzXEkWAri0XFIcEv5R4cFh6XkPerc-jY-pLJT6ZSHrKQ06YRbzicAiDSo6F8q_VBQxWLSiAuyuEQN_O6MySpYc07Ywd1fiC28hlphpRlXimXU3/s1600/castle.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEI1OpBJedSvfrUHIMO9obvd6qTRT1atOzXEkWAri0XFIcEv5R4cFh6XkPerc-jY-pLJT6ZSHrKQ06YRbzicAiDSo6F8q_VBQxWLSiAuyuEQN_O6MySpYc07Ywd1fiC28hlphpRlXimXU3/s1600/castle.png" /></a></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Whereas castles used controls such as walls, moats, guards, and so forth, information security personnel can use controls such as encryption, software controls, hardware controls, societal and organizational policies and procedures, physical controls, and so forth in order to protect information assets. Just as with the castle, using a single control or countermeasure would almost certainly be insufficient to establish an adequate defense for information assets. Instead, information security personnel should adopt a multilayered approach.</span></div><div class="MsoNormal"><o:p></o:p></div>

Using Multiple Controls or Countermeasures for Information Security

In this post I would like to talk about using multiple controls or countermeasures for information security purposes. To begin, consider a castle in the Middle Ages. You may have noticed that many castles were built in locations that leveraged natural obstacles in order to protect the castle during …

Read more »

Defending against Attacks on Information Systems

<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1N2sJWndyYwv4sT-IHQPFI8GOHjCiHIhjL5iv-6LxZXAkAejsRGpHWdbBxz6SUTo3nbaPbx95jOS3HvaLrlqFGmkXZ8rx_tsmSK-CHsZ55qX2y9XEvKqZ6eDfWL_zSrU4pFx6qAtkY_i5/s1600/methods+of+defense.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1N2sJWndyYwv4sT-IHQPFI8GOHjCiHIhjL5iv-6LxZXAkAejsRGpHWdbBxz6SUTo3nbaPbx95jOS3HvaLrlqFGmkXZ8rx_tsmSK-CHsZ55qX2y9XEvKqZ6eDfWL_zSrU4pFx6qAtkY_i5/s1600/methods+of+defense.png" /></a></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">In broad terms, there are six different approaches that can be used to defend information systems against attacks by malicious parties. The first of these approaches is prevention, and preventing an attack can be accomplished by either blocking the attack, or by entirely closing or eliminating a vulnerability. Remember that an attack occurs when someone intentionally exploits a vulnerability. If we are therefore able to close or entirely eliminate the vulnerability, then the attack cannot occur. The second method of defense is deterrence, and deterring an attack can be accomplished by finding ways to make the attack more difficult to carry out. The third method of defense is deflection, and in order to deflect an attack, another target must be provided for the attacker which seems to be more attractive than the original target. In this way, it may be possible to artfully encourage the attacker to pursue a target that is of little real value.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">After prevention, deterrence, and deflection, the fourth approach to defending information systems is through mitigation. An attack can be mitigated by taking steps to make the impact of the attack less severe. If despite our best efforts we are unable to prevent, deter, or deflect an attack, then the best strategy is to have mechanisms in place which will contain the damage.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">The fifth method of defense is detection, and detection can take place either while an attack is in progress, or after the attack has been completed. If an attack can be detected while it is still underway, then it may be possible to stop the attack immediately, thus preventing further harm. It is, however, important to realize that detecting an attack after it has taken place can also be of great value. If an attack can be detected after it has taken place, then it may be possible to repair the damage and learn from the attack by determining exactly how the system was compromised. Such information can be useful in identifying and closing vulnerabilities, thus preventing similar attacks from being successful in the future.</span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Finally, the sixth method of defense is to recover from an attack. It is necessary to have mechanisms in place such as organizational protocols, backup copies of data, and so forth that allow us to quickly recover from a successful attack. Recovery is a legitimate method of defense because if an attacker finds that the effects of her attack are short-lived and quickly fixed, then she may be less likely to attack us in the future.</span></div><div class="MsoNormal"><o:p></o:p></div>

Defending against Attacks on Information Systems

In broad terms, there are six different approaches that can be used to defend information systems against attacks by malicious parties. The first of these approaches is prevention, and preventing an attack can be accomplished by either blocking the attack, or by entirely closing or eliminating a vul…

Read more »

Prerequisites for Attacking an Information System

<div class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxzCXm-qsDzwAJDf3UxSSMJsUYIlXktYXzzn9B5ieW1XIZJpm3uTIxL2k2NAbod2UQITgEqdS-955782RpPdF5kBNiWisBRVopd4xx7hZuupTR-DLTi21WWzFvvk54CWQOEvu7FMZtqp_g/s1600/attack+prerequisites.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxzCXm-qsDzwAJDf3UxSSMJsUYIlXktYXzzn9B5ieW1XIZJpm3uTIxL2k2NAbod2UQITgEqdS-955782RpPdF5kBNiWisBRVopd4xx7hZuupTR-DLTi21WWzFvvk54CWQOEvu7FMZtqp_g/s1600/attack+prerequisites.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">In order for an attack on an information system to succeed, an attacker must possess three specific things: (1) <i>method</i>, (2) <i>opportunity</i>, and (3) <i>motive</i>. One useful way of remembering these prerequisites is through the acronym MOM (<u>M</u>ethod, <u>O</u>pportunity, and <u>M</u>otive). In the context of conducting attacks on information systems, method refers to the skills, knowledge, tools, experience, and so forth that an attacker must have in order for an attack to be realistically attempted. Opportunity, by contrast, refers to the time and the necessary access that are required in order for an attacker to attempt an attack on an information system. Finally, motive simply refers to the purpose for conducting an attack or the reason for which an attacker desires to carry out an attack.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><span style="font-family: Arial, Helvetica, sans-serif;">From an information security perspective, it is critical that security personnel understand these three prerequisites for conducting attacks on information systems. If any of these three prerequisites can be eliminated -- that is, if we are able to effectively remove or disrupt an attacker’s method, opportunity, or motive -- then the attack will not succeed. If efforts aimed at defending against attacks on information infrastructure or protecting information assets are to have the best chance possible of succeeding, those efforts should therefore target one or more of these three prerequisites.</span><br /><div class="MsoNormal"><o:p></o:p></div>

Prerequisites for Attacking an Information System

In order for an attack on an information system to succeed, an attacker must possess three specific things: (1) method, (2) opportunity, and (3) motive. One useful way of remembering these prerequisites is through the acronym MOM (Method, Opportunity, and Motive). In the context of conducting attack…

Read more »

Harm and the Value of Information Assets

<br /><div class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhujEMTmSP6ZVtjsmsYfS90AWK8q_TSPT2ogtFyv3a8oMQRPyCZU7w8lahvMMcjzaEHUAmZUNJfd2QSIgjgUOFAYbvCmT-8UyiZd8unEVtPuHwcZhg1k8AzyAZ_jAf5BDiLoMo2lQgiIeRU/s1600/harm.png" imageanchor="1" style="clear: left; display: inline !important; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhujEMTmSP6ZVtjsmsYfS90AWK8q_TSPT2ogtFyv3a8oMQRPyCZU7w8lahvMMcjzaEHUAmZUNJfd2QSIgjgUOFAYbvCmT-8UyiZd8unEVtPuHwcZhg1k8AzyAZ_jAf5BDiLoMo2lQgiIeRU/s1600/harm.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">Although in an <a href="http://computersecurityconcepts.blogspot.com/2013/09/harm-and-information-assets.html">earlier post</a> I discussed the four types of acts that can cause harm to an information system, here I would like to briefly discuss harm itself. Harm refers to the negative consequences that can arise from an actualized threat. That is, if a vulnerability in an information system is exploited such that a threat becomes a reality, then harm refers to the implications of the actualized threat. Note that the quantity or amount of harm that is sustained from a successful attack is often a subjective matter. Different people in different organizations will naturally assign different values to their information assets, and with different values assigned to assets, an identical attack would be perceived to cause different amounts of harm to two different organizations.<o:p></o:p></span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjRH6STDubjYiUheeWktC35vMeNFO0YdlhWHp7stm7dr3vsjn-9wLGhRH-wxTU6ayhxkRo6IlyyIj3jTn1Ru6R8ZR2IzSFavUMMd0ahFKRrijsKTnGcs-mUxcC2KDT3dT3XedoSDJllZkY/s1600/value+of+information.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjRH6STDubjYiUheeWktC35vMeNFO0YdlhWHp7stm7dr3vsjn-9wLGhRH-wxTU6ayhxkRo6IlyyIj3jTn1Ru6R8ZR2IzSFavUMMd0ahFKRrijsKTnGcs-mUxcC2KDT3dT3XedoSDJllZkY/s1600/value+of+information.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">Quantifying harm is further complicated by the fact that the value of information assets commonly changes over time. Consider, for example, the value of the transaction records that your bank maintains for your checking account. If a malicious attacker were able to successfully delete or modify some of the records associated with your checking account, and if those records were associated with recent transactions that took place within the past few days, then your bank would almost certainly consider the attacker to have caused more harm than if the compromised records were associated with transactions from 10 years ago. This example speaks to the relationship between the value of information and time -- most modern information scientists believe that on average, the value of information assets degrades over time according to an exponential decay function. Put another way, new data are usually more valuable than older data.</span><o:p></o:p></div>

Harm and the Value of Information Assets

Although in an earlier post I discussed the four types of acts that can cause harm to an information system, here I would like to briefly discuss harm itself. Harm refers to the negative consequences that can arise from an actualized threat. That is, if a vulnerability in an information system is ex…

Read more »

Types of Information System Attackers

<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYa0CEoSg0u-inIpFbrGsTt1kAnpcFGNljB5Wq5GGV0bX0rifdHFxFcWkPjPOSOcPRYe0cxI94nZYt0X8dMBDE_Fh_4WGDmMBC4dnZt_SlhciI7Kzz4twQKGQj0COMjqrbxHqpokzuN44O/s1600/hacker.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYa0CEoSg0u-inIpFbrGsTt1kAnpcFGNljB5Wq5GGV0bX0rifdHFxFcWkPjPOSOcPRYe0cxI94nZYt0X8dMBDE_Fh_4WGDmMBC4dnZt_SlhciI7Kzz4twQKGQj0COMjqrbxHqpokzuN44O/s1600/hacker.png" /></a></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Who are these people who seek to compromise the confidentiality, integrity, or availability of our information assets? Surprisingly, many attackers are simply amateurs who act opportunistically. As an example, such an amateur might find someone’s lost mobile device or laptop computer and decide to sift through the files, or perhaps might be a script kiddie or wannabe hacker who finds pre-packaged hacking tools on some underground website, and attempts to apply those tools to the computers at her school or place of work. <o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Amateurs notwithstanding, there are also hackers (or <i>white-hats</i>) and crackers (or <i>black-hats</i>), with the difference between the two depending upon the attacker’s intent. Specifically, hackers are attackers whose intent in attacking a system is non-malicious, while crackers are attackers who attack a system with the intent of causing harm. A computer security expert, for example, might be hired by a company to try to break into an information system for the purpose of evaluating the robustness of the system’s defenses. Such an attacker would be properly classified as a hacker (or as a white-hat). By contrast, an attacker who attacks a system with a malicious goal -- such as stealing data or disrupting the availability of the system -- would be properly classified as a cracker (or as a black-hat). <o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><br /><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Some common types of crackers include both career criminals and organized crime syndicates who seek to engage in malicious breaches of information security for the purpose of financial or other gain. More recently, the information security world has also witnessed the rise of cyber terrorists, who are not necessarily affiliated with a particular state or government, but nevertheless are conducting attacks on information systems in support of some ideological or political agenda. Finally, and importantly, there are state-supported information warriors and spies. Most modern countries -- including powerful countries such as the United States and China -- employ vast armies of information warriors whose job it is to surveil government offices, military organizations, and even corporations in other countries for the purpose of collecting intelligence through digital means. Further, such officially sanctioned digital espionage is no longer just a minor consideration. In the United States, for example, the Department of Defense now considers cyberspace to be the fifth battlefield (with the first four battlefields being land, sea, air, and space). With cyberspace being acknowledged as a legitimate battlefield, substantial portions of many nations’ defense assets are now being directed toward efforts aimed at establishing superiority in cyberspace.</span><o:p></o:p></div>

Types of Information System Attackers

Who are these people who seek to compromise the confidentiality, integrity, or availability of our information assets? Surprisingly, many attackers are simply amateurs who act opportunistically. As an example, such an amateur might find someone’s lost mobile device or laptop computer and decide to s…

Read more »

Understanding Threats to Information Systems

<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheomyyZrQDxbKlHFBtwQrjl1IzysuRRLoAw5lY7Zx6lEzzYLpXvOLxxvRUfRZTeUyBoRlbv7_sSrvOojv9H6nhsWepOfKmeD1CRpvergNffKKm0iy_yxFRg7dT64y92knbAOW9oQilO9dk/s1600/threats+to+IS.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheomyyZrQDxbKlHFBtwQrjl1IzysuRRLoAw5lY7Zx6lEzzYLpXvOLxxvRUfRZTeUyBoRlbv7_sSrvOojv9H6nhsWepOfKmeD1CRpvergNffKKm0iy_yxFRg7dT64y92knbAOW9oQilO9dk/s1600/threats+to+IS.png" /></a></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">To better understand the various ways in which the confidentiality, integrity, or availability of information assets can be threatened, consider first that threats to information systems can be subdivided into two major groups: (1) threats that originate from nature, and (2) threats that originate from human beings. With respect to the former, there are myriad natural threats which might prove injurious to information systems, including disasters such as floods, fires, earthquakes, mudslides, tornadoes, sinkholes, hurricanes, and so forth. With respect to the latter, it is important to consider the intention of the human being who poses the threat when classifying threats that originate from humans. <o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">Among threats that originate from human beings, the intention of the human who poses the threat might be benign or it might be malicious. As examples of benign or non-malicious intent, consider situations in which harm is caused by accident or through a simple human error, such as when someone trips over a power cord or accidentally deletes an important file. These examples are illustrative of harm that is actualized through benign or non-malicious intent. When there is malicious intent -- that is, when a human being seeks to deliberately cause harm to an information system -- that malicious intent can be classified as either random or targeted. The difference between random and targeted malicious attacks depends simply upon whether the attacker is targeting a specific organization, individual, or entity. If a specific target is under intentional attack, then we can classify the attack as a directed, targeted malicious attack. If, however, an attacker engages in a malicious attack and does so without the intention of harming a specific organization, individual, or entity, then we can classify the attack as a random malicious attack.<o:p></o:p></span></div><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div><br /><div class="MsoNormal"><span style="font-family: Arial, Helvetica, sans-serif;">By using this topology to understand and classify threats to information systems, organizations can design and prepare proper policies and defensive countermeasures to mitigate those threats.</span><o:p></o:p></div>

Understanding Threats to Information Systems

To better understand the various ways in which the confidentiality, integrity, or availability of information assets can be threatened, consider first that threats to information systems can be subdivided into two major groups: (1) threats that originate from nature, and (2) threats that originate f…

Read more »

Integrity, Availability, and Information Security

<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBSJKJHs7xR3Fl86JjSPdKxSV2eADlMtVyfL2CIHbwBMnAfdsJYBAmta8tl-UWb8VKnB5FUOtmiIDl96uZdnV0nNLk1a7z1yuZ2Ks9p6tHFUhQYxiZ62CyC_TqXZDi9IE4qxgJKLvclrOR/s1600/integrity+and+availability.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBSJKJHs7xR3Fl86JjSPdKxSV2eADlMtVyfL2CIHbwBMnAfdsJYBAmta8tl-UWb8VKnB5FUOtmiIDl96uZdnV0nNLk1a7z1yuZ2Ks9p6tHFUhQYxiZ62CyC_TqXZDi9IE4qxgJKLvclrOR/s1600/integrity+and+availability.png" /></a></div><span style="font-family: Arial, Helvetica, sans-serif;">In an </span><a href="http://computersecurityconcepts.blogspot.com/2013/09/confidentiality-and-information-security.html" style="font-family: Arial, Helvetica, sans-serif;">earlier post</a><span style="font-family: Arial, Helvetica, sans-serif;">, I discussed confidentiality in the context of information security. In this post, I would like to elaborate on the remaining two components of the C-I-A security triad -- namely, integrity and availability. In order to understand the difference between confidentiality and integrity, remember that confidentiality is concerned with <i>access </i>to information assets, whereas integrity is concerned with <i>preventing unauthorized modification</i> of assets. Integrity, of course, is more difficult to measure than confidentiality because it is context dependent; that is, integrity has different meanings in different situations. Further, integrity of information assets is not a simple binary, true/false proposition. Instead, there are degrees of data integrity. For these reasons it is necessary for each organization to establish its own criteria by which to measure and evaluate the integrity of its information assets.</span><br /><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: Arial,Helvetica,sans-serif;">Broadly speaking, availability refers to the capacity of an information system to make information assets readily accessible to authorized parties in a timely and reliable manner. As with integrity, availability is also context dependent, and is thus a very complex issue. Put another way, availability means different things to different people. A CEO, for example, might measure availability by whether she can access her corporate dashboard while traveling. To a data analyst, by contrast, availability might be measured by whether she can carry out her statistical analyses in a timely manner without having to wait for the system to execute her requests. As a general set of guidelines, then, we might consider information assets to be available when organizational information systems (1) respond in a timely manner to user requests, (2) allocate resources among users fairly and equitably, (3) incorporate hardware and software that are fault-tolerant, and (4) employ a solid concurrency control strategy in order to accommodate situations in which multiple users are attempting to use the same information assets at the same time.</span></div>

Integrity, Availability, and Information Security

In an earlier post, I discussed confidentiality in the context of information security. In this post, I would like to elaborate on the remaining two components of the C-I-A security triad -- namely, integrity and availability. In order to understand the difference between confidentiality and integri…

Read more »

Confidentiality and Information Security

<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia5bxwFDl2OkpqKBRBMYh1jP05qoy-jYK6IxjDKn-RVmMNz4_dTHmwkOem3Kw2ggDzgQk8G5M4Wc-KCSkBQfp9EPW8_u_MED_fHq_K1rFwPa_NSSxxaxyBepo7CrsUUMPqjlQ22tyfk4IP/s1600/confidentiality.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia5bxwFDl2OkpqKBRBMYh1jP05qoy-jYK6IxjDKn-RVmMNz4_dTHmwkOem3Kw2ggDzgQk8G5M4Wc-KCSkBQfp9EPW8_u_MED_fHq_K1rFwPa_NSSxxaxyBepo7CrsUUMPqjlQ22tyfk4IP/s1600/confidentiality.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">When it comes to confidentiality, a good information security strategy is to adopt the need-to-know basis for determining who has access to which data and when they have access to those data. Essentially, this paradigm states that a user should, by default, have access to no system capabilities or information assets. The assets or capabilities that are ultimately granted to the user, then, are done so only on a need-to-know basis. Similar to the need-to-know policy for data access, access to physical assets such as a server room or a network closet should also be granted only on a need-to-know basis. Put another way, system users and information technology workers should be provided with all of the information assets and access that they need to do their jobs effectively, </span><i style="font-family: Arial, Helvetica, sans-serif;">and nothing more</i><span style="font-family: Arial, Helvetica, sans-serif;">.</span><br /><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><div class="MsoNormal"></div><div class="MsoNormal"><span style="font-family: Arial,Helvetica,sans-serif;">Another interesting consideration with respect to confidentiality is the question of how we know if a user truly is the person or system that they claim to be. This question speaks directly to the difference between identification and authentication. In generic terms, identification can be thought of as the process of proving that someone is who they say they are. By contrast, authentication is the process of proving that something is genuine, true, or authentic. In the world of information security, it is often very difficult or infeasible to truly identify a real human being or a specific system. Instead, we commonly use methods of authentication, and in so doing we assume that the credentials being used for purposes of authentication are being used only by the real-world system or human being to whom those credentials apply. This is, of course, a risky assumption, since through malicious or non-malicious means it might be very possible for another person to obtain your login credentials. If that person were then to use those credentials to login to, say, your social networking account, as far as the social networking site is concerned, that person <i>is </i>you. After having received appropriate credentials, the system will assume that the malicious party is, in fact, the real-world human being to whom those credentials actually belong. Confidentiality is thus difficult to ensure with 100% certainty, but it is nevertheless often the easiest security goal to assess in terms of whether or not efforts aimed at ensuring confidentiality have been successful.</span></div>

Confidentiality and Information Security

When it comes to confidentiality, a good information security strategy is to adopt the need-to-know basis for determining who has access to which data and when they have access to those data. Essentially, this paradigm states that a user should, by default, have access to no system capabilities or i…

Read more »

Harm and Information Assets

<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj47jnJHA25GxSKb-evVH7fLbBelrTlqCkVYxS0EOP5uvstcSwlQlNiEsHQcLOWEYaDhhiqdy5_zlux-zfX5ITnCUANAOYIL5hUVZn5AHigJoSs3I_g4LB2067CwVxaGh1Ofdv3OFkUNfzR/s1600/harmful+acts.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj47jnJHA25GxSKb-evVH7fLbBelrTlqCkVYxS0EOP5uvstcSwlQlNiEsHQcLOWEYaDhhiqdy5_zlux-zfX5ITnCUANAOYIL5hUVZn5AHigJoSs3I_g4LB2067CwVxaGh1Ofdv3OFkUNfzR/s1600/harmful+acts.png" /></a><span style="font-family: Arial, Helvetica, sans-serif;">In this post, I’d like to discuss harmful acts in the context of information assets. To begin, <a href="http://computersecurityconcepts.blogspot.com/2013/09/the-pillars-of-information-security.html">recall</a> that information security seeks to protect the confidentiality, integrity, and availability of information assets. With this in mind, consider that there are four distinct ways in which harm can be caused to an information asset. The first way in which an information asset can be harmed is through <i>interception</i>. As an example, a malicious party may intercept valuable information assets while they are in transit over a network, thereby harming the confidentiality of those assets, and potentially degrading their value. The second way in which information assets can be harmed is through <i>interruption</i>. A malicious party might, for example, disrupt an information system’s ability to perform its tasks, or might interrupt the transmission of information assets, thus harming the availability of those assets. The third way in which information assets can be harmed is through <i>modification</i>. A malicious party who modifies an information asset without proper authorization is causing harm by degrading the integrity of that asset. Finally, the fourth way in which information assets can be harmed is through <i>fabrication</i>. As an example, a malicious party might fabricate an identity or might fabricate phony information assets for the purpose of causing harm.</span><br /><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><span style="font-family: Arial, Helvetica, sans-serif;">In summary, then, we can consider each of these four acts -- interception, interruption, modification, and fabrication -- to be a harmful act because it can erode the confidentiality, integrity, or availability of an information asset.</span>

Harm and Information Assets

In this post, I’d like to discuss harmful acts in the context of information assets. To begin, recall that information security seeks to protect the confidentiality, integrity, and availability of information assets. With this in mind, consider that there are four distinct ways in which harm can be …

Read more »

The Pillars of Information Security

<div class="MsoNormal"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO-HiRWyJ2UHygtlopLZdfm5T-GpmH2CSOIihTsQIq3CHBEsNrawlIlkxhhFToWyMRtEee8hgJDicEw8DCAqPll5JuTY0Edxk_9aK31uHPKNZYJhBma-ITvVF-dEG1v5cI6yxC0XZSO22k/s1600/security+pillars.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><br /><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO-HiRWyJ2UHygtlopLZdfm5T-GpmH2CSOIihTsQIq3CHBEsNrawlIlkxhhFToWyMRtEee8hgJDicEw8DCAqPll5JuTY0Edxk_9aK31uHPKNZYJhBma-ITvVF-dEG1v5cI6yxC0XZSO22k/s1600/security+pillars.png" /></a></div><span style="font-family: Arial,Helvetica,sans-serif;"><span id="goog_1946619458"></span><span id="goog_1946619459"></span>I’d like to begin this post by discussing information security threats in the context of what has come to be known as CIA -- confidentiality, integrity, and availability. The acronym CIA and the concepts for which it stands are commonly referred to as the <i>security triad</i>. One useful way of thinking about information security threats is that they are circumstances which have the potential to interfere with the confidentiality, integrity, or availability of an information system. Confidentiality, then, is simply the ability of the system to ensure that information assets are viewable or accessible only by authorized parties. Integrity, by contrast, is the ability of a system to ensure that information assets are modifiable or changeable only by authorized parties. Finally, availability refers to the ability of a system to ensure that information assets are usable by and accessible to all authorized parties. Confidentiality, integrity, and availability can also be seen as goals or objectives of information security, since together they represent three very desirable properties of an information system.</span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: Arial,Helvetica,sans-serif;">While the CIA security triad has been around for many decades, more recently other desirable system properties have also been identified; namely, authentication, non-repudiation, and auditability. With respect to the first two of these properties -- that is, authentication and non-repudiation -- we are referring here to information systems that support communication or messaging with other systems or other users. In this regard, authentication refers to the ability of a system to confirm the identity of the sender. For example, imagine that you receive a message from your boss which instructs you to immediately discontinue working on a critical organizational project, and instead direct your attention to another task. As the receiver of such a message, you would like to be able to confirm the identity of the sender; that is, you would like to be certain that it truly was your boss who sent the message to you. On the other side of technology-supported messaging is the concept of non-repudiation, which is a property of an information system in which a sender cannot convincingly deny having sent a message. Returning to our previous example, if you received a message from your boss instructing you to immediately discontinue working on a critical project, and if we assume that your boss genuinely did send that message, a desirable property of the system from your perspective would be to ensure that your boss could not deny having sent the message. Finally, we have auditability as a desirable system property. Auditability is simply the ability of a system to trace all actions related to a given information asset. If something goes awry in the future, auditability allows us to trace backward through time and determine who performed which actions at which times in order to ensure that responsible parties are held to account.</span></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><span style="font-family: Arial,Helvetica,sans-serif;">Together, these six concepts -- confidentiality, integrity, availability, authentication, non-repudiation, and auditability -- represent the pillars of information security.</span></div>

The Pillars of Information Security

I’d like to begin this post by discussing information security threats in the context of what has come to be known as CIA -- confidentiality, integrity, and availability. The acronym CIA and the concepts for which it stands are commonly referred to as the security triad. One useful way of thinking a…

Read more »

Vulnerabilities, Threats, and Controls in Information Security

<span style="font-family: Arial,Helvetica,sans-serif;">In <a href="http://computersecurityconcepts.blogspot.com/2013/09/information-security-and-human.html">an earlier post</a>, I noted that one of the major goals of information security is to mitigate security risks. Another major goal of information security as a discipline and as a profession is to try to protect valuable information assets. In order to approach the study of methods of protecting these assets, we can adopt what is known as a <i>vulnerability/threat/control</i> framework. To begin, consider a vulnerability, which is a weakness in some aspect of an information system. If a vulnerability is exploited, then that exploitation has the potential to cause loss or harm. A human being who intentionally exploits a vulnerability is perpetrating an attack on the system. An attack, then, can be defined as an intentional exploitation of a system vulnerability. Next, we can consider a threat, which is simply a set of circumstances that has the potential to cause loss or harm. As we will see shortly, threats and vulnerabilities are very closely related. Finally, we have controls, which are things that we do or things that we have which help to eliminate or reduce a vulnerability. Note that another name for a control is a <i>countermeasure</i>.</span><br /><div style="text-align: center;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div><span style="font-family: Arial,Helvetica,sans-serif;">When first learning about information security, many people become confused regarding the difference between a threat, a vulnerability, and a control. I will therefore provide a simple example that I hope will help you to remember the difference between these three security concepts. Imagine that you are walking over a bridge. Whenever you walk over a bridge there is always a certain threat to your safety; namely, that the bridge might collapse underneath you.</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0ytd7wnla8sEVsNBTHYjrJJyutGpXipgVKRWajUZmqFue0a1SD8vLLQExKIxl8cnsVmcISmpt4UnEWaLE2rlTE79LOrHi-yd9REGafIqFK3iS5IUaIUJ40g_UnEXun3oyvLePj_CAqxcI/s1600/bridge+01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0ytd7wnla8sEVsNBTHYjrJJyutGpXipgVKRWajUZmqFue0a1SD8vLLQExKIxl8cnsVmcISmpt4UnEWaLE2rlTE79LOrHi-yd9REGafIqFK3iS5IUaIUJ40g_UnEXun3oyvLePj_CAqxcI/s1600/bridge+01.png" /></a></div><div style="text-align: center;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div><span style="font-family: Arial,Helvetica,sans-serif;">Here, the possibility of the bridge collapsing is a threat to your safety. Now imagine that there is a weakness in the bridge. For this example, let’s say that the mortar between the blocks of stone from which the bridge is constructed has begun to crumble or deteriorate.</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy5Bwz12VxQif0qTr3IOjkEXECjfG_YawT06-dIAywXv27-TC984NSubURfxFhBYqfht6vXjAJnLp1edaBWdYXYg3i5NR8tvJhyphenhyphentlZTzczeDfzkqouxSVxNO2E0LngOKypTdMc7EvQs6fI/s1600/bridge+02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy5Bwz12VxQif0qTr3IOjkEXECjfG_YawT06-dIAywXv27-TC984NSubURfxFhBYqfht6vXjAJnLp1edaBWdYXYg3i5NR8tvJhyphenhyphentlZTzczeDfzkqouxSVxNO2E0LngOKypTdMc7EvQs6fI/s1600/bridge+02.png" /></a></div><div style="text-align: center;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div><span style="font-family: Arial,Helvetica,sans-serif;">The weaknesses in the mortar are vulnerabilities, and if those vulnerabilities were to be exploited, the threat of the bridge collapsing would be actualized, and might cause you physical harm.</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJFOM5pXsxFlx8zmAw4Zg7PXZPtYmgCG_K3h8uksuLQ_vR1wHRo1FYRYLqO9gNI3ntJtJy0BG-mmYQc1K_t2_2rMf8yQFE5s5IY_AIod5F0bOJ9_59OGv7NTJyGunzrJRhZh9YtAzIn9BL/s1600/bridge+03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJFOM5pXsxFlx8zmAw4Zg7PXZPtYmgCG_K3h8uksuLQ_vR1wHRo1FYRYLqO9gNI3ntJtJy0BG-mmYQc1K_t2_2rMf8yQFE5s5IY_AIod5F0bOJ9_59OGv7NTJyGunzrJRhZh9YtAzIn9BL/s1600/bridge+03.png" /></a></div><div style="text-align: center;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div><span style="font-family: Arial,Helvetica,sans-serif;">A control, then, is something that we do or something that we have which helps us to eliminate or reduce a vulnerability. In this example, we might apply bracing to reinforce the bridge or we might try to repair the cracks in the concrete, thus reducing the possibility that the vulnerability will be exploited.</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhisy2E_f5jzEmj_Ziw0pBXqTNpTCkYkhwmrdWlcHhXz-IuVdfQeMbBkftUestKSQMuf7z2bowKRo7FBopVOuKYWcRPuqij4pI5NlhDhvPu8w_fmHSOziNrI9aNneDUGvgct_6dbOSIa5xB/s1600/bridge+04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhisy2E_f5jzEmj_Ziw0pBXqTNpTCkYkhwmrdWlcHhXz-IuVdfQeMbBkftUestKSQMuf7z2bowKRo7FBopVOuKYWcRPuqij4pI5NlhDhvPu8w_fmHSOziNrI9aNneDUGvgct_6dbOSIa5xB/s1600/bridge+04.png" /></a></div><div style="text-align: center;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div><span style="font-family: Arial,Helvetica,sans-serif;"></span><span style="font-family: Arial,Helvetica,sans-serif;">Broadly, then, threats are blocked or prevented from being actualized by controlling vulnerabilities.</span>

Vulnerabilities, Threats, and Controls in Information Security

In an earlier post, I noted that one of the major goals of information security is to mitigate security risks. Another major goal of information security as a discipline and as a profession is to try to protect valuable information assets. In order to approach the study of methods of protecting thes…

Read more »

On the Valuation of Information Assets

<span style="font-family: Arial,Helvetica,sans-serif;">When considering the diagram below, remember that the perceived value of an information asset depends in part upon the ease with which that asset can be replaced. Certain components of an information system such as hardware, mobile devices, operating systems, and off-the-shelf software can be easily replaced. By contrast, custom applications, custom mobile apps, files, and data are often unique and essentially irreplaceable.</span><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjydKt3BBe6i3GA83efg0hgSZJurve6sOstx2Hd3ajSAmLXlsP2glfTC6Rief11En43GwJJtIGVA1dYYOOCZBaX9LHAlE8o4m-5AmMk_ODnH99xIKKTf2wJ8uqxT-wDEYyc022CnaiYzoQQ/s1600/asset+valuation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjydKt3BBe6i3GA83efg0hgSZJurve6sOstx2Hd3ajSAmLXlsP2glfTC6Rief11En43GwJJtIGVA1dYYOOCZBaX9LHAlE8o4m-5AmMk_ODnH99xIKKTf2wJ8uqxT-wDEYyc022CnaiYzoQQ/s1600/asset+valuation.png" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"></div><span style="font-family: Arial,Helvetica,sans-serif;"></span> <div class="separator" style="clear: both; text-align: center;"></div><span style="font-family: Arial,Helvetica,sans-serif;">Perhaps you can think of an example in your own life where you or someone you know has lost a laptop computer or a mobile device. Many times people who lose such devices are not upset primarily about the loss of the physical device or the physical hardware itself, but rather are upset about the loss of their photos, documents, or other valuable data. It is such files and data items that represent much of the value of an information system to its users, and we can understand intuitively through examples such as this why the value of an information asset commonly depends upon the ease with which that asset can be replaced.</span>

On the Valuation of Information Assets

When considering the diagram below, remember that the perceived value of an information asset depends in part upon the ease with which that asset can be replaced. Certain components of an information system such as hardware, mobile devices, operating systems, and off-the-shelf software can be easily…

Read more »

Information Assets and the Scope of Information Security

<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicWdtpOu_FFplsX_9ufNmVsJe-QllgkFm1tbVtfczhAmLQpysnH6krEH9vnKrwAVXqCdfLuTG29kIyPdIjFHSwcrHC9qe3VgQ-mMCZSOzXwtIVf5JE7ShD6PySbUv50tIcsdzPWJEU4iU9/s1600/information+assets.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicWdtpOu_FFplsX_9ufNmVsJe-QllgkFm1tbVtfczhAmLQpysnH6krEH9vnKrwAVXqCdfLuTG29kIyPdIjFHSwcrHC9qe3VgQ-mMCZSOzXwtIVf5JE7ShD6PySbUv50tIcsdzPWJEU4iU9/s1600/information+assets.png" /></a></div><span style="font-family: Arial,Helvetica,sans-serif;">When thinking about information security, it’s important to remember that as a discipline and as a profession, information security has a vast scope. Information security involves protecting components as small as tiny integrated circuits all the way up to massive clusters of servers that may involve thousands of unique machines. Information security involves protecting local private networks that people may have in their homes or apartments all the way up to massive wide-area networks or even the entire Internet. Information security involves protecting hardware, software, operating systems, databases, networks, and so forth.<br /><br />Clearly, the scope of inquiry in information security is vast, continuously changing, and ever-growing. Broadly speaking, however, we can think about information security as being concerned with the protection of information assets. When we say “information assets”, we are referring to the elements of an information system that have <i>value</i>. Since value lies at the core of determining where we should focus our information security efforts, a critical first step is to identify precisely which information assets within our organization have the greatest value, and to whom those items have value.<br /><br />One good way of thinking about information technology assets is to subdivide those assets into three categories. First, we have hardware assets, which can include computing systems, mobile devices, networks, and communications channels. Second, we have software assets, which can include operating systems, off-the-shelf application programs, mobile apps, as well as custom or customized application programs. Third, we have data assets, which include our files or databases -- that is, the information that we generate in our daily lives or in the process of carrying out our business. As we will see in our discussion of <a href="http://computersecurityconcepts.blogspot.com/2013/09/on-valuation-of-information-assets.html">asset valuation</a>, it is often these data assets that have the greatest value of all.</span>

Information Assets and the Scope of Information Security

When thinking about information security, it’s important to remember that as a discipline and as a profession, information security has a vast scope. Information security involves protecting components as small as tiny integrated circuits all the way up to massive clusters of servers that may involv…

Read more »

Computer Security and Information Technology Failure

<div class="separator" style="clear: both; text-align: center;"></div><span style="font-family: Arial,Helvetica,sans-serif;">Although many people think of the world of information privacy and security as one characterized by hackers, cyber terrorists, or government-sponsored information espionage, in reality the scope of information privacy and security is much broader. One way of understanding this scope is to consider computer security from the perspective of IT failures. Modern information technologies can fail for many different reasons. First, consider physical failures. These are, after all, hardware devices, and hardware can and does fail. Even in the modern era many of our computational technologies still rely on moving parts, and the failure of any of these moving parts can cascade to cause a wider failure of the information technology as a whole. Further, electronic components can fail, and when such components fail intermittently, the cause of the problem can be more difficult to diagnose than when they fail permanently. It is therefore important for managers and system administrators not only to expect that their physical IT devices will fail, but also to develop plans for how to address those failures when they inevitably occur.</span><br /><span style="font-family: Arial,Helvetica,sans-serif;"></span><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfIOZuHWxHS1h0Nv0oy7F41nEZJkVW0IjCbwx2S2noV67r37gbeXgEFNjeqd8ygGYNZFJWluZHdNx_E6lFLkCaGV1Hagwqxo5bZ4lUPkLkmgss07LUztkGixb9R1w5YT0iiTAEC73d2shJ/s1600/failures.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfIOZuHWxHS1h0Nv0oy7F41nEZJkVW0IjCbwx2S2noV67r37gbeXgEFNjeqd8ygGYNZFJWluZHdNx_E6lFLkCaGV1Hagwqxo5bZ4lUPkLkmgss07LUztkGixb9R1w5YT0iiTAEC73d2shJ/s1600/failures.png" /></a></div><div style="text-align: left;"></div><div style="text-align: left;"><span style="font-family: Arial,Helvetica,sans-serif;">Beyond physical failures, there are also other types of information technology failures, and these can best be understood by considering the intersection of two different dimensions, as shown in the diagram above. Along one dimension, we have a spectrum which ranges from malicious to non-malicious. That is, the source of the failure is caused by someone either intentionally or unintentionally. Along the other dimension, we have a spectrum which ranges from harmless to catastrophic. Plotting these two dimensions against each other provides us with a geometric space in which we can easily classify our non-physical information technology failures. Failure, then, might be non-malicious and harmless, it might be non-malicious but catastrophic, it might be malicious but cause no harm, or in the worst scenario, it may be a malicious attack that causes catastrophic damage to our information assets. Again remember that information security has a broad scope, and information security addresses each of these different types of failures. What’s more, information security addresses failures that have never before been seen, or which do not currently exist. That sentiment, I believe, speaks to the dynamism and constant change that characterize the world of information security.</span></div>

Computer Security and Information Technology Failure

Although many people think of the world of information privacy and security as one characterized by hackers, cyber terrorists, or government-sponsored information espionage, in reality the scope of information privacy and security is much broader. One way of understanding this scope is to consider c…

Read more »

Information Security and Human Dependence on Computers

<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr15JjdbFbgV9KuQJWs042toE5HecwnycxYnQIvut0qcChm2rxzWqUH1grx4vpSuhrX3JQvEB93D_K4a1_-dcVjIanZ2hpgXbrCH3Sitb5sXFSrdqPuv1NjNBoyc3WSzwQMbkfmf5Jnz8U/s1600/dependence+on+computers.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="1" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr15JjdbFbgV9KuQJWs042toE5HecwnycxYnQIvut0qcChm2rxzWqUH1grx4vpSuhrX3JQvEB93D_K4a1_-dcVjIanZ2hpgXbrCH3Sitb5sXFSrdqPuv1NjNBoyc3WSzwQMbkfmf5Jnz8U/s1600/dependence+on+computers.png" /></a><span style="font-family: Arial,Helvetica,sans-serif;">How dependent are you upon information and communication technologies? If you’re like most people in the developed world, your day-to-day activities are increasingly characterized by interactions with technology. Computational capabilities are being embedded in a rapidly increasing number and variety of products ranging from athletic shoes to kitchen appliances to implantable medical devices, and with every passing day, computers are hence controlling, administering, and making decisions about more and more aspects of our daily lives.<br /><br />What we can conclude from this is that we are becoming more and more dependent on these information and communication technologies every single day, and this situation has very important implications with respect to our privacy and security. To better understand why, consider the relationship between our dependence on technology and risk: Because we live in a world where we are increasingly entrusting our lives and our livelihoods to computer technologies, and because those technologies are not entirely dependable, safe, or secure, our increasing reliance upon information and communication technologies carries with it many new risks that were not present prior to the rise of the Information Age. As a discipline and as a profession, then, one of the major goals of information security is to find ways of mitigating these risks -- that is, to allow us to have our information technology cake and eat it too.</span>

Information Security and Human Dependence on Computers

How dependent are you upon information and communication technologies? If you’re like most people in the developed world, your day-to-day activities are increasingly characterized by interactions with technology. Computational capabilities are being embedded in a rapidly increasing number and variet…

Read more »

Philosophical Thoughts on Information Security

<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0eCzjBXCmrMUdmjZNLBt1fS5VnXxZRmUw7xR0iU6IPWk0QzxlF9D-cNVMkgkpsEa6OzIO19FwLNgUaBn52odnez05tqEhyphenhyphen1GUjUI42_ZZf-F_z6Cx02W0dLXHMjaTQYXBbeSDdlg8N3UO/s1600/philosophy+and+security.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" border="1" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0eCzjBXCmrMUdmjZNLBt1fS5VnXxZRmUw7xR0iU6IPWk0QzxlF9D-cNVMkgkpsEa6OzIO19FwLNgUaBn52odnez05tqEhyphenhyphen1GUjUI42_ZZf-F_z6Cx02W0dLXHMjaTQYXBbeSDdlg8N3UO/s1600/philosophy+and+security.png" style="display: inline; margin-top: 5px;" title="" /></a><span style="font-family: Arial,Helvetica,sans-serif;">To begin this <a href="http://computersecurityconcepts.blogspot.com/">series of posts</a> on computer and information security, I wanted to pose an interesting philosophical question: namely, why is information security necessary? Although many of the investments that are made into information privacy and security are not related to malicious attacks, there is nevertheless an extraordinarily large amount of investment in information privacy and security mechanisms that is targeted toward protecting systems against attacks by malicious parties. From a philosophical perspective, it’s important to consider what this says about humanity. On the one hand it shows that we are certainly curious creatures, but on the other hand it shows that we as a species are not particularly trustworthy or scrupulous, and we also seem to be quite greedy.<br /><br />There are many people, organizations, and even governments in the world that would be very happy to steal personal, private information from you or your organization for their own gain. In light of the widespread proliferation of these would-be attackers, such behavior appears to be a natural trait of human beings in virtually all cultures. It is, I believe, important to note that if humans did not behave in this way, then the quantity of time, money, and other resources that individuals, organizations, and governments must invest into protecting their information assets would be much less than it is today.</span>

Philosophical Thoughts on Information Security

To begin this series of posts on computer and information security, I wanted to pose an interesting philosophical question: namely, why is information security necessary? Although many of the investments that are made into information privacy and security are not related to malicious attacks, there …

Read more »