Information Technology Security Fundamentals
eBook - ePub

Information Technology Security Fundamentals

Glen Sagers, Bryan Hosack

  1. 174 pages
  2. English
  3. ePUB (available in the app)
  4. Available on iOS and Android

About the book

Information security is at the forefront of timely IT topics, due to the spectacular and well-publicized breaches of personal information stored by companies. To create a secure IT environment, many steps must be taken, but not all steps are created equal. There are technological measures that increase security and some that do not, but overall, the best defense is to create a culture of security in the organization. The same principles that guide IT security in the enterprise guide smaller organizations and individuals. The individual techniques and tools may vary by size, but everyone with a computer needs to turn on a firewall and have antivirus software. Personal information should be safeguarded by individuals and by the firms entrusted with it. As organizations and people develop security plans and put the technical pieces in place, a system can emerge that is greater than the sum of its parts.


Details

Year
2015
ISBN
9781606499177
CHAPTER 1
Security and Information Assurance
People are concerned about data and information security threats. Both internal and external data breaches are a concern.1 What is security? What is information assurance? How are they the same and how are they different? And perhaps, most importantly, why does it matter whether we call it information assurance or security? The last question is the easiest to answer: put simply, it does not matter much. Information assurance is an overarching construct that includes information security, network security, data security, and a few other “securities” thrown in. In other words, information assurance is the enterprise view of security, highlighting the fact that the reason for all security measures a firm takes is to ensure that vital company information remains secure.
A commonly used model in information assurance is known as the CIA model. CIA stands for confidentiality, integrity, and availability.2 These three tenets cover (almost) all the needs of managers to assure the control of company information. Confidentiality entails making sure that only authorized users have access to information. Integrity, or more properly, data integrity, requires that data be accurate and trustworthy, and moreover, that any unauthorized alteration of the data, whether malicious or accidental, can be detected. Availability simply means that authorized users can access information at any time. There are many ways to accomplish the goals of CIA, which will be outlined in this book.
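As an added illustration of the integrity tenet (example code written for this page, not taken from the book): the requirement that unauthorized alteration be detectable is usually met with a keyed tag over the stored data. An unkeyed hash is not enough, because anyone who can alter the record can recompute it; a secret key is what prevents that. The key value and the sample record below are assumptions made up for the example.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret for the example; a real system loads it from a key store.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so equal content always gives equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed integrity tag (HMAC-SHA256) over the canonical form of the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, expected_tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record is unchanged; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(tag(record, key), expected_tag)


def demo() -> dict:
    """Show detection of an unauthorized change and of a tag forged without the key."""
    # Constructed sample record, not real customer data.
    stored = {"customer_id": 1042, "balance_cents": 250000, "tier": "gold"}
    stored_tag = tag(stored)
    tampered = dict(stored, balance_cents=2500000)  # an unauthorized alteration
    return {
        "unchanged_verifies": verify(stored, stored_tag),
        "tampered_detected": not verify(tampered, stored_tag),
        # An attacker who edits the data but lacks the key cannot produce a valid tag.
        "forged_tag_rejected": not verify(tampered, tag(tampered, b"attacker-guess")),
    }


if __name__ == "__main__":
    print(demo())
```

Note that this only detects alteration; it does not prevent it, and it says nothing about confidentiality or availability, which need separate controls.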
A concept related to information assurance is risk. Risks, and risk management, are part and parcel of information assurance. The goal of all information assurance is the management of risk associated with generating and storing information, whether on a computer, on paper, or in any other format. Bruce Schneier, a security guru, stated that “Security is both a feeling and a reality. And they are not the same.”3 Schneier notes that true security is mathematical, calculated based on the probability of risk versus the effectiveness of countermeasures. But there is also a psychological component to security, whether our personal security or information security. For example, you may feel very much at risk of identity theft, but feel that your home is relatively invulnerable to burglary. However, these perceptions may not match your real risk of either event. If we misestimate the true risk we face, we will not take adequate precautions or implement proper countermeasures.
Security management focuses on managing and mitigating risk. The goal of information assurance is to correctly estimate the risk in order to get adequate security for a reasonable price. There is no such thing as perfect security, and the strength of a countermeasure should be chosen appropriately for the sensitivity of the asset. An e-commerce firm’s database of product descriptions may not be especially confidential and may be protected by only long, complex passwords. Their customer information database, containing credit card information, is much more sensitive and may require both a long, complex password and a fingerprint to allow access.
Deciding how much risk your organization faces is a very difficult process, and classical risk analysis is of little help. Several factors contribute to the fact that classical risk analysis does not work. First, there is usually a many-to-many relationship between protection measures and the resources protected. For example, one firewall might protect your server and multiple desktops. That same server is likely protected not only by the firewall but also by antivirus software, an intrusion detection system, and other security measures. Thus, determining how much of the cost of protection can be attributed to one asset is difficult if not impossible. The other, and perhaps more daunting, challenge is that the likelihood of a certain type of event occurring is largely unknowable. Even knowing what types of attacks the organization faced last year does not predict what will happen in the next year. These and other factors make it nearly impossible to even pin down whether a given investment is “paying for itself” in terms of return on investment.
All is not lost, however. Instead of trying for hard numbers, a firm can be well served by prioritizing assets based on their criticality and the sensitivity of the information contained on the systems. Security improvements can then be prioritized, and in a given year, the most critical remaining assets can be protected, within the allowances of that year’s budget. For example, as operating systems reach end-of-life, as recently occurred with Windows XP, and soon with Windows Server 2003,4 the threat of attacks against software that no longer receives fixes increases greatly, to say nothing of simple failures of old equipment.5 Therefore, priority should be given to replacing these resources, then turning attention to the next-most critical assets.
Information assurance and security in the enterprise
All companies face variations on the same threats, regardless of their size or industry. Every firm faces both internal and external risks, as well as risks created by connections to other firms, whether suppliers, consultants, or partners. Firms also face physical security risks that impact their information technology (IT) systems.
Internal security has many components; however, one that cannot be overlooked is the concept of insider threat. Insider threat is simple enough conceptually; those on the inside of the organization can represent the biggest threat to its security. The problem is that these same individuals are also the biggest asset to the firm. This dichotomy makes it very difficult to police those who have the most knowledge and therefore could do the most harm. Perhaps the most dangerous are those individuals who manage IT and security; they know the most about the systems and ways around them. Recent events, including Edward Snowden and others delivering classified documents to various “leak” websites and media outlets, only serve to underscore the magnitude of the threat.6
What can be done to manage the insider threat? There are various small measures that can be taken. Discussing all of them is outside the scope of this chapter, or indeed, this book, but a list of a few is appropriate.7
1. Monitor logs. Log monitoring software looks for patterns indicating improper actions. Monitor logs of critical assets and actions of critical employees more closely.
2. Rotate job roles. Rotation makes it harder to carry out complex attacks.
3. Use separation of duties. Those who can make changes should not be able to approve those changes.
4. Organize data according to sensitivity. Grant access to sensitive data to only those who “need to know.”
5. Enforce least access. Give only the bare minimum access for employees to do their job, no more.
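The following is an added example, not code from the book, showing how items 1, 3, 4 and 5 above turn into concrete checks run over an audit log: a need-to-know rule that compares a role’s clearance with the data classification of the resource, a separation-of-duties rule that flags anyone who approves their own change, and closer scrutiny of after-hours bulk actions on critical assets. The log format, the role and classification tables, and the log lines themselves are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit log (not from any real system). Assumed format:
# <ISO timestamp> user=<id> role=<role> action=<verb> resource=<name> [class=<label>] [change=<id>]
LOG_LINES = """
2015-03-02T09:15:00 user=alice role=dba action=read resource=products_db class=internal
2015-03-02T09:20:00 user=bob role=clerk action=read resource=cardholder_db class=restricted
2015-03-02T10:05:00 user=carol role=dev action=submit resource=payroll_app change=CHG-17
2015-03-02T10:07:00 user=carol role=dev action=approve resource=payroll_app change=CHG-17
2015-03-02T23:40:00 user=alice role=dba action=export resource=cardholder_db class=restricted
2015-03-02T11:00:00 user=dave role=sec_analyst action=read resource=cardholder_db class=restricted
""".strip().splitlines()

# Item 4: data organized by sensitivity. Item 5: the highest label each role needs (assumed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ROLE_CLEARANCE = {"clerk": "internal", "dev": "internal", "dba": "restricted", "sec_analyst": "restricted"}

# Item 1: critical assets whose logs get closer scrutiny; business hours are assumed 07:00-18:59.
CRITICAL = {"cardholder_db", "payroll_app"}
BUSINESS_HOURS = range(7, 19)

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.*)")


def parse(line: str) -> dict:
    """Turn one 'key=value' log line into a dict with a parsed timestamp."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def audit(lines) -> list:
    """Return (rule, user, object) findings for the insider-threat rules above."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    submitted = defaultdict(set)  # change id -> users who submitted it
    for e in events:
        # Need-to-know / least access: role clearance below the resource's classification.
        role_level = LEVELS[ROLE_CLEARANCE.get(e["role"], "public")]  # unknown role: public only
        if "class" in e and LEVELS[e["class"]] > role_level:
            findings.append(("need_to_know", e["user"], e["resource"]))
        # Separation of duties: the person who submits a change must not approve it.
        if e["action"] == "submit":
            submitted[e["change"]].add(e["user"])
        elif e["action"] == "approve" and e["user"] in submitted.get(e["change"], ()):
            findings.append(("separation_of_duties", e["user"], e["change"]))
        # Critical assets: bulk export outside business hours is worth a closer look.
        if e["resource"] in CRITICAL and e["action"] == "export" and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours_export", e["user"], e["resource"]))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG_LINES):
        print(finding)
```

Note that the after-hours rule is a prompt for review, not proof of wrongdoing; a DBA running a scheduled export at night may be entirely legitimate, which is why the text pairs monitoring with role rotation and separation of duties rather than relying on any single rule.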
External threats to the organization may be myriad, but the majority are common to all organizations. The classical, or perhaps more accurately stereotypical, “hacker” is mostly a Hollywood construct. There are certainly antisocial introverts bent on wreaking havoc, defacing websites, and gaining “cred” with their peers, but they are likely not the most dangerous. While there may be a thrill in placing electronic graffiti, the real money is in money. Increasingly, criminals are the main enemy. Blackmail, theft, extortion, and similar crimes may be easier to accomplish in the virtual world than the physical, but the crimes themselves have not changed in thousands of years. Criminals and organized crime represent a real threat to today’s firms. Other threats include competitors, who may engage in industrial espionage, and even national espionage. Finally, malware such as viruses may not be directly aimed at your company, but there are many automated attacks looking for easy targets. In fact, 92 percent of breaches can be attributed to nine basic patterns, according to Verizon’s annual report8:
1. Point-of-sale intrusions
2. Web application attacks
3. Insider privilege misuse
4. Physical theft or loss of computing assets
5. Miscellaneous human errors such as e-mailing confidential information
6. Crimeware (such tools as bank information theft malware and so-called ransomware, which locks files unless a ransom is paid)
7. Card skimmers (which steal credit/debit card numbers as the card is swiped at a point-of-sale device)
8. Denial-of-service attacks
9. Cyberespionage
These threats run the gamut of ways that attackers get to confidential information. As can be seen, at least three of the nine are directly related to obtaining money, and several more likely lead to information that can be used to extort money from the victim.
Interorganizational security
Today’s organizations engage in partnerships and supplier/client relationships with many other organizations. While this practice is nothing new, the last decade has changed those relationships in a very real way. Electronic data interchange (EDI), also known as business-to-business (B2B) or electronic order systems, and the related concepts of “just-in-time” ordering and delivery mean that automated machine-to-machine (M2M) transactions flow at an unprecedented rate. A large company in the 1990s might place thousands of orders a week with suppliers, and some automation was in place, but most orders were handled by a human at some point in the process. Whether a human faxed the order, or entered it into a computer system, a sanity check was in place. Today, many orders are simply placed and fulfilled automatically. If a factory’s automated inventory system is tampered with, too few or too many key components for the company’s flagship “Widget Y” will be delivered, stopping production or causing logistical errors when there is no place for the excess parts.
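The missing “sanity check” described above can be put back as an automated control in front of the order pipeline. The example below is added for this page and is not from the book: it compares each machine-generated order against the part’s recent order history and holds anything outside the expected band, zero quantities, or parts with no history for a human to review. The part numbers, history and incoming orders are constructed.

```python
from statistics import mean, pstdev

# Constructed weekly order history per part (not real data); assumed to come from the ERP.
HISTORY = {
    "WY-BEARING": [1000, 980, 1020, 1010, 990, 1000],
    "WY-HOUSING": [500, 510, 495, 505, 500, 490],
}

# Orders generated this week by the automated inventory system (constructed).
INCOMING = [
    {"order_id": "PO-7781", "part": "WY-BEARING", "qty": 1005},
    {"order_id": "PO-7782", "part": "WY-HOUSING", "qty": 50000},  # tampered or runaway value
    {"order_id": "PO-7783", "part": "WY-BEARING", "qty": 0},      # would starve the line
    {"order_id": "PO-7784", "part": "WY-GASKET", "qty": 200},     # part with no history
]


def expected_range(samples, k=3.0, floor_ratio=0.5, ceil_ratio=2.0):
    """Bounds from recent history: mean +/- k standard deviations, but never wider
    than a fixed ratio band so a noisy history cannot open the gate completely."""
    m = mean(samples)
    s = pstdev(samples)
    low = max(m - k * s, m * floor_ratio)
    high = min(m + k * s, m * ceil_ratio)
    return low, high


def triage(orders, history=HISTORY):
    """Split automated orders into those safe to auto-fulfil and those held for review."""
    approved, held = [], []
    for o in orders:
        samples = history.get(o["part"])
        if not samples:
            held.append((o["order_id"], "no_history"))
            continue
        low, high = expected_range(samples)
        if o["qty"] <= 0:
            held.append((o["order_id"], "zero_quantity"))
        elif o["qty"] < low:
            held.append((o["order_id"], "below_expected"))
        elif o["qty"] > high:
            held.append((o["order_id"], "above_expected"))
        else:
            approved.append(o["order_id"])
    return approved, held


if __name__ == "__main__":
    ok, review = triage(INCOMING)
    print("auto-fulfil:", ok)
    print("hold for human review:", review)
```

The thresholds are a policy choice; the point is that a tampered inventory system can no longer silently order fifty thousand housings or nothing at all.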
The dangers related to EDI and M2M communication do not stop with ordering systems. Many B2B systems share private data with partners, and firms must be able to trust that only the correct information flows between partners and that it is only seen by authorized parties in the other firm. Consider the healthcare industry. A doctor’s office, a lab, a pharmacy, a hospital, and an insurance company may all have information about patient James S. His doctor has a comprehensive history of all visits, his own diagnoses, records of tests, and a list of prescriptions that he takes. The lab needs only certain information to positively identify James when he comes in for a test, along with data indicating which tests to perform, but not information on previous diagnoses. The pharmacy needs to know what medications are prescribed, but does not need lab results or a history of all the drugs James has taken in the past. The hospital needs much the same information as the doctor, but many of the doctor’s previous diagnoses are immaterial to the current illness; last year’s flu does not impact a gallbladder problem this year. Last, the insurance must know what has been diagnosed, and what tests were performed and medications dispensed in order to pay the providers. The Health Insurance Portability and Accountability Act (HIPAA) mandates that only relevant information be shared among parties; even if a lab wanted historical data about a patient, they likely could not obtain it without the patient’s written consent. If the information of James S. is disclosed to an unauthorized party, HIPAA provides for financial penalties against the discloser.9
Besides ensuring that only the right partner firm gets access to information, businesses need to be sure that within the partner organization, only authorized individuals have access to data. In our healthcare scenario, the doctor needs to be sure that the orders sent to the lab can be read by only lab techs in order to perform the tests, but that a receptionist, for example, would not be able to access a full history of all tests performed on a patient. This would avoid the scenario of a receptionist giving away James’ medical history to a reporter when he decides to run for public office, or an insurer trying to deny claims based on a preexisting condition. Before entering into B2B relationships with other companies, a firm should exercise due diligence in ensuring that the partner’s information assurance practices, policies, standards, and procedures are in line with their own and any regulatory requirements.
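The two preceding paragraphs amount to one rule: each partner receives only the fields it needs, and within the partner, a role can only narrow that set further. As an added example (not from the book, and the field lists are an assumed policy rather than HIPAA’s own wording), the function below projects a patient record into the view a given partner, or a given role inside that partner, is entitled to, and fails closed for any partner or role it does not know. The patient record is fictional.

```python
import copy

# Constructed, fictional patient record (no real PHI).
PATIENT = {
    "patient_id": "P-2031",
    "name": "James S.",
    "dob": "1970-05-14",
    "current_diagnosis": "cholecystitis",
    "diagnosis_history": ["influenza (2014)", "sprained ankle (2011)"],
    "tests_ordered": ["abdominal ultrasound", "liver panel"],
    "prescriptions_current": ["amoxicillin 500mg"],
    "prescriptions_history": ["oseltamivir 75mg (2014)"],
}

IDENTITY = {"patient_id", "name", "dob"}

# Assumed minimum-necessary policy: fields each partner organization may receive.
PARTNER_FIELDS = {
    "lab": IDENTITY | {"tests_ordered"},
    "pharmacy": IDENTITY | {"prescriptions_current"},
    "hospital": IDENTITY | {"current_diagnosis", "tests_ordered", "prescriptions_current"},
    "insurer": IDENTITY | {"current_diagnosis", "tests_ordered", "prescriptions_current"},
}

# Within a partner, a role can only narrow what the partner as a whole receives.
ROLE_FIELDS = {
    ("lab", "lab_tech"): IDENTITY | {"tests_ordered"},
    ("lab", "receptionist"): {"patient_id", "name"},
}


def minimum_necessary(record: dict, partner: str, role: str = None) -> dict:
    """Return only the fields the partner (and, if given, the role) is entitled to.
    Unknown partners or roles get nothing: the safe default is to disclose less."""
    allowed = PARTNER_FIELDS.get(partner, set())
    if role is not None:
        allowed = allowed & ROLE_FIELDS.get((partner, role), set())
    # Deep-copy so the recipient's view cannot alias the master record.
    return {k: copy.deepcopy(v) for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    print("lab tech sees:", minimum_necessary(PATIENT, "lab", role="lab_tech"))
    print("receptionist sees:", minimum_necessary(PATIENT, "lab", role="receptionist"))
```

The role table uses an intersection rather than its own independent list, so a misconfigured role inside a partner can never widen access beyond what the partner was granted in the first place.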
As with any confidential data, a firm must ensure that B2B data is passed securely between partners. Two basic modes of securing documents can be used; a firm could encrypt the documents before transmission, and the partner would decrypt them, or the communications pipeline could be secured from end-to-end. Both approaches have advantages and disadvantages, discussed in Chapters 4 and 6.
One other avenue of attack that is sometimes overlooked in security is making sure that outsiders employed by your firm are vetted. Whether hiring a consulting firm or a janitorial service, an organization must be sure that adequate background checks are being performed on employees by the other organization.10 The depth of the background check required will vary; a janitorial service cleaning only public areas of the firm’s buildings may be less of a security risk than one hired to clean private offices. Similarly, vendors should be vetted before being allowed into private areas; and unexpected visits from vendors (or worse, someone unknown wearing a vendor’s shirt!), should be viewed with suspicion. Receptionists and others should be trained to make a phone call to confirm identity and purpose of unscheduled visits or unknown people. After all, it is quite easy for a visitor to take pictures of confidential documents with a camera phone.
Physical asset protection
IT assets take many forms. The information stored on a machine is often much more valuable than the computer itself, but that does not make the s...

Table of contents

  1. Cover
  2. Half Title Page
  3. Title Page
  4. Copyright Page
  5. Dedication
  6. Contents
  7. Preface
  8. Chapter 1: Security and Information Assurance
  9. Chapter 2: Operating System Security
  10. Chapter 3: Data Security: Protecting Your Information
  11. Chapter 4: Keeping the Electronic Highways Safe
  12. Chapter 5: We Released What?!? (Application Security)
  13. Chapter 6: Cracking the Code (Cryptography)
  14. Chapter 7: Danger! Danger! Danger! (Penetration Testing)
  15. Chapter 8: Disaster Recovery
  16. Chapter 9: Integrating Your Security Plan across the Enterprise
  17. Chapter 10: Conclusion
  18. Glossary
  19. Appendix A
  20. Endnotes
  21. Index
Citation styles for Information Technology Security Fundamentals

APA 6 Citation

Sagers, G., & Hosack, B. (2015). Information Technology Security Fundamentals ([edition unavailable]). Business Expert Press. Retrieved from https://www.perlego.com/book/402543/information-technology-security-fundamentals-pdf (Original work published 2015)

Chicago Citation

Sagers, Glen, and Bryan Hosack. (2015) 2015. Information Technology Security Fundamentals. [Edition unavailable]. Business Expert Press. https://www.perlego.com/book/402543/information-technology-security-fundamentals-pdf.

Harvard Citation

Sagers, G. and Hosack, B. (2015) Information Technology Security Fundamentals. [edition unavailable]. Business Expert Press. Available at: https://www.perlego.com/book/402543/information-technology-security-fundamentals-pdf (Accessed: 14 October 2022).

MLA 7 Citation

Sagers, Glen, and Bryan Hosack. Information Technology Security Fundamentals. [edition unavailable]. Business Expert Press, 2015. Web. 14 Oct. 2022.