The Basics of Information Security
eBook - ePub

The Basics of Information Security

Understanding the Fundamentals of InfoSec in Theory and Practice

  1. 240 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

As part of the Syngress Basics series, The Basics of Information Security provides you with fundamental knowledge of information security in both theoretical and practical aspects. Author Jason Andress gives you the basic knowledge needed to understand the key concepts of confidentiality, integrity, and availability, and then dives into practical applications of these ideas in the areas of operational, physical, network, application, and operating system security.

The Basics of Information Security gives you clear, non-technical explanations of how infosec works and how to apply these principles whether you're in the IT field or want to understand how it affects your career and business. The new Second Edition has been updated for the latest trends and threats, including new material on many infosec subjects.

  • Learn about information security without wading through a huge textbook
  • Covers both theoretical and practical aspects of information security
  • Provides a broad view of the information security field in a concise manner
  • All-new Second Edition updated for the latest information security trends and threats, including material on incident response, social engineering, security awareness, risk management, and legal/regulatory issues


Information

Publisher: Syngress
Year: 2014
ISBN: 9780128008126
Edition: 2

Chapter 1

What is Information Security?

In this chapter, we cover some of the most basic concepts of information security. Information security is vital in an era in which data regarding countless individuals and organizations is stored in a variety of computer systems, often not under our direct control. We talk about the diametrically opposing concepts of security and productivity, models that are helpful in discussing security concepts, such as the confidentiality, integrity, and availability (CIA) triad and the Parkerian hexad, as well as the basic concepts of risk and controls to mitigate it. Lastly, we cover defense in depth and its place in the information security world.

Keywords

Administrative; availability; CIA triad; confidentiality; controls; defense in depth; information security; integrity; logical; Parkerian hexad; physical; risks; threats; vulnerabilities

Information in This Chapter

• What is security?
• Models for discussing security issues
• Attacks
• Defense in depth

Introduction

Information security is a concept that becomes ever more enmeshed in many aspects of our society, largely as a result of our nearly ubiquitous adoption of computing technology. In our everyday lives, many of us work with computers for our employers, play on computers at home, go to school online, buy goods from merchants on the Internet, take our laptops to the coffee shop and check our e-mail, carry our smartphones on our hips and use them to check our bank balances, track our exercise with sensors in our shoes, and so on, ad infinitum.
Although this technology enables us to be more productive and allows us to access a host of information with only a click of the mouse, it also carries with it a host of security issues. If the information on the systems used by our employers or our banks becomes exposed to an attacker, the consequences can be dire indeed. We could suddenly find ourselves bereft of funds, as the contents of our bank account are transferred to a bank in another country in the middle of the night. Our company could lose millions of dollars, face legal prosecution, and suffer damage to its reputation because of a system configuration issue allowing an attacker to gain access to a database containing personally identifiable information (PII) or proprietary information. We see such examples appear in the media with disturbing regularity.
If we look back 30 years, such issues related to computer systems were nearly nonexistent, largely due to the low level of technology implementation and the few people who were using what was in place. Although technology changes at an increasingly rapid rate, and specific implementations arise on a seemingly daily basis, much of the theory that discusses how we go about keeping ourselves secure changes at a much slower pace and does not always keep up with the changes to our technology. If we can gain a good understanding of the basics of information security, we are on a strong footing to cope with changes as they come along.

What is security?

Information security is defined as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction,” according to US law [1]. In essence, it means we want to protect our data (wherever it is) and system assets from those who would seek to misuse them.
In a general sense, security means protecting our assets. This may mean protecting them from attackers invading our networks, virus/worms, natural disasters, adverse environmental conditions, power failures, theft or vandalism, or other undesirable states. Ultimately, we will attempt to secure ourselves against the most likely forms of attack, to the best extent we reasonably can, given our environment.
When we look at what exactly it is that we secure, we may have a broad range of potential assets. We can consider physical items that we might want to secure, such as those of inherent value (e.g., gold bullion) or those that have value to our business (e.g., computing hardware). We may also have items of a more ethereal nature, such as software, source code, or data. In today’s computing environment, we are likely to find that our logical assets are at least as valuable as, if not more than, our physical assets. Additionally, we must also protect the people who are involved in our operations. People are our single most valuable asset, as we cannot generally conduct business without them. We duplicate our physical and logical assets and keep backup copies of them elsewhere against catastrophe occurring, but without the skilled people to operate and maintain our environments, we will swiftly fail.
In our efforts to secure our assets, we must also consider the consequences of the security we choose to implement. There is a well-known quote that says, “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards, and even then I have my doubts” [2]. Although we could certainly say that a system in such a state could be considered reasonably secure, it is surely not usable or productive. As we increase the level of security, we usually decrease the level of productivity. With the system mentioned in our quote, the level of security would be very high, but the level of productivity would be very near zero. The goal of a security plan is to find the balance between protection, usability, and cost.
Additionally, when securing an asset, system, or environment, we must also consider how the level of security relates to the value of the item being secured. We can, if we are willing to accommodate the decrease in performance, apply very high levels of security to every asset for which we are responsible. We can build a billion-dollar facility surrounded by razor wire fences and patrolled by armed guards and vicious attack dogs, and carefully place our asset in a hermetically sealed vault inside … so that mom’s chocolate chip cookie recipe will never come to harm, but that would not make much sense. In some environments, however, such security measures might not be enough. In any environment where we plan to put heightened levels of security in place, we also need to take into account the cost of replacing our assets if we do happen to lose them and make sure we establish reasonable levels of protection for their value. The cost of the security we put in place should never outstrip the value of what it is protecting.

When are we secure?

Defining the exact point at which we can be considered secure presents a bit of a challenge. Are we secure if our systems are properly patched? Are we secure if we use strong passwords? Are we secure if we are disconnected from the Internet entirely? From a certain point of view, all of these questions can be answered with a “no,” so the real question is whether we are reasonably secure.
Even if our systems are properly patched, there will always be new attacks to which we are vulnerable. When strong passwords are in use, there will be other avenues that an attacker can exploit. When we are disconnected from the Internet, our systems can be physically accessed or stolen. In short, it is very difficult to define when we are truly secure. We can, however, turn the question around.
Defining when we are insecure is a much easier task, and we can quickly list a number of items that would put us in this state:
• Not patching our systems or not patching quickly enough
• Using weak passwords such as “password” or “12345678”
• Downloading infected programs from the Internet
• Opening dangerous e-mail attachments from unknown senders
• Using wireless networks without encryption that can be monitored by anyone
We could go on for some time creating such a list. The good thing is that once we are able to point out the areas in an environment that can cause it to be insecure, we can take steps to mitigate these issues. This problem is akin to cutting something in half over and over; there will always be some small portion left to cut again. Although we may never get to a state that we can definitively call “secure,” we can take steps in the right direction.

Alert!

Compliance is a key aspect of any security program and should be coordinated across the organization. The bodies of law that define stan...

Table of contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Author Biography
  7. Introduction
  8. Chapter 1. What is Information Security?
  9. Chapter 2. Identification and Authentication
  10. Chapter 3. Authorization and Access Control
  11. Chapter 4. Auditing and Accountability
  12. Chapter 5. Cryptography
  13. Chapter 6. Laws and Regulations
  14. Chapter 7. Operations Security
  15. Chapter 8. Human Element Security
  16. Chapter 9. Physical Security
  17. Chapter 10. Network Security
  18. Chapter 11. Operating System Security
  19. Chapter 12. Application Security
  20. Index