Managing Information Security
Syngress. Copyright © 2010 Elsevier Inc. All rights reserved.
Chapter One: Information Security Essentials for IT Managers: Protecting Mission-Critical Systems
Albert Caballero, Terremark Worldwide, Inc.
Information security involves the protection of organizational assets from the disruption of business operations, modification of sensitive data, or disclosure of proprietary information. The protection of this data is usually described as maintaining the confidentiality, integrity, and availability (CIA) of the organization's assets, operations, and information.
1. Information Security Essentials for IT Managers, Overview
Information security management as a field is ever increasing in demand and responsibility because most organizations spend increasingly larger percentages of their IT budgets in attempting to manage risk and mitigate intrusions, not to mention the trend in many enterprises of moving all IT operations to an Internet-connected infrastructure, known as enterprise cloud computing. For information security managers, it is crucial to maintain a clear perspective of all the areas of business that require protection. Through collaboration with all business units, security managers must work security into the processes of all aspects of the organization, from employee training to research and development. Security is not an IT problem; it is a business problem.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Scope of Information Security Management
Information security is a business problem in the sense that the entire organization must frame and solve security problems based on its own strategic drivers, not solely on technical controls aimed to mitigate one type of attack. As identified throughout this chapter, security goes beyond technical controls and encompasses people, technology, policy, and operations in a way that few other business objectives do. The evolution of a risk-based paradigm, as opposed to a technical solution paradigm for security, has made it clear that a secure organization does not result from securing technical infrastructure alone. Furthermore, securing the organization's technical infrastructure cannot provide the appropriate protection for these assets, nor will it protect many other information assets that are in no way dependent on technology for their existence or protection. Thus, the organization would be lulled into a false sense of security if it relied on protecting its technical infrastructure alone.
CISSP 10 Domains of Information Security
In the information security industry there have been several initiatives to attempt to define security management and how and when to apply it. The leader in certifying information security professionals is the Internet Security Consortium, with its CISSP (see sidebar, "CISSP 10 Domains: Common Body of Knowledge") certification. In defining required skills for information security managers, the ISC has arrived at an agreement on 10 domains of information security that is known as the Common Body of Knowledge (CBK). Every security manager must understand and be well versed in all areas of the CBK.
In addition to individual certification there must be guidelines to turn these skills into actionable items that can be measured and verified according to some international standard or framework. The most widely used standard for maintaining and improving information security is ISO/IEC 17799:2005. ISO 17799 (see Figure 1.1) establishes guidelines and principles for initiating, implementing, maintaining, and improving information security management in an organization.
A new and popular framework to use in conjunction with the CISSP CBK and the ISO 17799 guidelines is ISMM. ISMM is a framework (see Figure 1.2) that describes a five-level evolutionary path of increasingly organized and systematically more mature security layers. It is proposed for the maturity assessment of information security management and the evaluation of the level of security awareness and practice at any organization, whether public or private. Furthermore, it helps us better understand where, and to what extent, the three main processes of security (prevention, detection, and recovery) are implemented and integrated.
ISMM helps us better understand the application of information security controls outlined in ISO 17799. Figure 1.3 shows a content matrix that defines the scope of applicability between various security controls mentioned in ISO 17799's 10 domains and the corresponding scope of applicability on the ISMM Framework.
What Is a Threat?
Threats to information systems come in many flavors, some with malicious intent, others with supernatural powers or unexpected surprises. Threats can be deliberate acts of espionage, information extortion, or sabotage, as in many targeted attacks between foreign nations; however, more often than not the biggest threats are forces of nature (hurricane, flood) or acts of human error or failure. It is easy to become consumed in attempting to anticipate and mitigate every threat, but this is simply not possible. Threat agents are threats only when they are provided the opportunity to take advantage of a vulnerability, and ultimately there is no guarantee that the vulnerability will be exploited. Therefore, determining which threats are important can only be done in the context of your organization. The process by which a threat can actually cause damage to your information assets is as follows: A threat agent gives rise to a threat that exploits a vulnerability and can lead to a security risk that can damage your assets and cause an exposure. This can be countered by a safeguard that directly affects the threat agent. Figure 1.4 shows the building blocks of the threat process.
Threats are exploited with a variety of attacks, some technical, others not so much. Organizations that focus on the technical attacks and neglect items such as policies and procedures or employee training and awareness are setting up information security for failure. The mantra that the IT department or even the security department, by themselves, can secure an organization is as antiquated as black-and-white television. Most threats today are a mixed blend of automated information gathering, social engineering, and combined exploits, giving the perpetrator endless vectors through which to gain access. Examples of attacks range from a highly technical remote exploit over the Internet, to social-engineering an administrative assistant into resetting his password, to simply walking right through an unprotected door in the back of your building. All scenarios have the potential to be equally devastating to the integrity of the organization. Some of the most common attacks are briefly described in the sidebar titled "Common Attacks."
Impact of Security Breaches
The impact of security breaches on most organizations can be devastating; however, it's not just dollars and cents that are at stake. Aside from the financial burden of having to deal with a security incident, especially if it leads to litigation, other factors could severely damage an organization's ability to operate, or damage the reputation of an organization beyond recovery. Some of the preliminary key findings from the 2008 CSI/FBI Security Report (see Figure 1.8) include
Financial fraud cost organizations the most, with an average reported loss of close to $500,000.
The second most expensive activity was dealing with bots within the network, reported to cost organizations an average of nearly $350,000.
Virus incidents occurred most frequently, respondents said—at almost half (49%) of respondent organizations.
Some things to consider:
How much would it cost your organization if your ecommerce Web server farm went down for 12 hours?
What if your mainframe database that houses your reservation system was not accessible for an entire afternoon?
What if your Web site was defaced and rerouted all your customers to a site infected with malicious JavaScript?
Would any of these scenarios significantly impact your organization's bottom line?
2. Protecting Mission-Critical Systems
The IT core of any organization is its mission-critical systems. These are systems without which the mission of the organization, whether building aircraft carriers for the U.S. military or packaging Twinkies to deliver to food markets, could not operate. The major components to protecting these systems are detailed throughout this chapter; however, keeping in mind the big picture an information security manager must maintain, there are some key components that are crucial for the success and continuity of any organization. These are information assurance, information risk management, defense in depth, and contingency planning.
Information assurance is achieved when information and information systems are protected against attacks through the application of security services such as availability, integrity, authentication, confidentiality, and nonrepudiation. The application of these services should be based on the protect, detect, and react paradigm. This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these unexpected attacks.
Information Risk Management
Risk is, in essence, the likelihood of something going wrong and damaging your organization or information assets. Due to the ramifications of such risk, an organization should try to reduce the risk to an acceptable level. This process is known as information risk management. Risk to an organization and its information assets, similar to threats, comes in many different forms. Some of the most common risks and/or threats are
Physical damage. Fire, water, vandalism, power loss, and natural disasters.
Human interaction. Accidental or intentional action or inaction that can disrupt productivity.
Equipment malfunctions. Failure of systems and peripheral devices.
Internal or external attacks. Hacking, cracking, and attacking.
Misuse of data. Sharing trade secrets; fraud, espionage, and theft.
Loss of data. Intentional or unintentional loss of information through destructive means.
Application error. Computation errors, input errors, and buffer overflows.
The idea of risk management is that threats of any kind must be identified, classified, and evaluated to calculate their damage potential. This is easier said than done.
Administrative, Technical, and Physical Controls
Risk is managed through three classes of controls: administrative, technical, and physical. They are as follows:
Administrative controls consist of organizational policies and guidelines that help minimize the exposure of an organization. They provide a framework by which a business can manage and inform its people how they should conduct themselves while at the workplace and provide clear steps employees can take when they're confronted with a potentially risky situation. Some examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies that form the basis for the selection and implementation of logical and physical controls. Administrative controls are of paramount importance because technical and physical controls are manifestations of the administrative control policies that are in place.
Technical controls use software and hardware resources to control access to information and computing systems, to help mitigate the potential for errors and blatant security policy violations. Examples of technical controls include passwords, network- and host-based firewalls, network intrusion detection systems, access control lists, and data encryption. Associated with technical controls is the Principle of Least Privilege, which requires that an individual, program, or system process is not granted any more access privileges than are necessary to perform the task.
Physical controls monitor and protect the physical environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. Separating the network and workplace into functional areas is also a physical control. Another important physical control is separation of duties, which ensures that an individual cannot complete a critical task by herself.
During risk analysis there are several units that can help measure risk. Before risk can be measured, though, the organization must identify the vulnerabilities and threats against its mission-critical systems in terms of business continuity. During risk analysis, an organization tries to evaluate the cost for each security control that helps mitigate the risk. If the control is cost effective relative to the exposure of the organization, then the control is put in place. The measure of risk can be determined as a product of threat, vulnerability, and asset values—in other words:
Risk = Asset x Threat x Vulnerability
There are two primary types of risk analysis: quantitative and qualitative. Quantitative risk analysis attempts to assign meaningful numbers to all elements of the risk analysis process. It is recommended for large, costly projects that require exact calculations. It is typically performed to examine the viability of a project's cost or time objectives. Quantitative risk analysis provides answers to three questions that cannot be addressed with deterministic risk and project management methodologies such as traditional cost estimating or project scheduling:
What is the probability of meeting the project objective, given all known risks?
How much could the overrun or delay be, and therefore how much contingency is needed for the organization's desired level of certainty?
Where in the project is the most risk, given the model of the project and the totality of all identified and quantified risks?
Qualitative risk analysis does not assign numerical values but instead opts for general categorization by severity levels. Where little or no numerical data is available for a risk assessment, the qualitative approach is the most appropriate. The qualitative approach does not require heavy mathematics; instead, it thrives more on the people participating and their backgrounds. Qualitative analysis enables classification of risk that is determined by people's wide experience and knowledge captured within the process. Ultimately, it is not an exact science, so the process will count on expert opinions for its base assumptions. The assessment process uses a structured and documented approach and agreed likelihood and consequence evaluation tables. It is also quite common to calculate risk as a single loss expectancy (SLE) or annual loss expectancy (ALE) by project or business function.
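As an added worked example (not from the book), here is the quantitative approach applied to the 12-hour web-farm outage asked about earlier. It uses the standard definitions SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence (assumed here, since the chapter names SLE and ALE without defining them), and all dollar figures and control names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample scenario: the e-commerce web farm outage asked about above.
# Every figure below is an illustration value, not data from the book.

@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float       # value of the asset at risk
    exposure_factor: float   # fraction of that value lost in one incident (0..1)
    aro: float               # annualized rate of occurrence (incidents per year)

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_aro_factor: float  # multiplier on ARO once the control is in place

def sle(s: Scenario) -> float:
    """Single loss expectancy: loss from one occurrence (standard definition, assumed)."""
    return s.asset_value * s.exposure_factor

def ale(s: Scenario, aro: Optional[float] = None) -> float:
    """Annual loss expectancy: SLE times how often it happens per year.
    Reading Threat as ARO and Vulnerability as exposure factor, this is the
    chapter's Risk = Asset x Threat x Vulnerability product."""
    return sle(s) * (s.aro if aro is None else aro)

def net_benefit(s: Scenario, c: Control) -> float:
    """ALE removed by the control minus what the control costs per year."""
    reduction = ale(s) - ale(s, s.aro * c.residual_aro_factor)
    return reduction - c.annual_cost

def select_controls(s: Scenario, candidates: List[Control]) -> List[str]:
    """Controls that are cost effective for this scenario, best first."""
    worth_it = [(net_benefit(s, c), c.name) for c in candidates if net_benefit(s, c) > 0]
    return [name for _, name in sorted(worth_it, reverse=True)]

WEB_FARM = Scenario("ecommerce web farm down 12 hours", 1_000_000, 0.05, 4.0)
CANDIDATES = [
    Control("hot standby site", 250_000, 0.10),           # removes most loss, but too dear
    Control("redundant load-balanced farm", 60_000, 0.25),
    Control("extended hosting SLA", 20_000, 0.50),
]

if __name__ == "__main__":
    print(f"SLE: {sle(WEB_FARM):,.0f}  ALE: {ale(WEB_FARM):,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:30s} net benefit per year: {net_benefit(WEB_FARM, c):,.0f}")
    print("Put in place:", select_controls(WEB_FARM, CANDIDATES))
```

The hot standby site removes the most expected loss yet is rejected, which is the chapter's point that a control is adopted only when it is cost effective relative to the exposure.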
Defense in Depth
The principle of defense in depth is that layered security mechanisms increase the security of a system as a whole. If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system. This is a process that involves people, technology, and operations as key components to its success; however, those are only part of the picture. These organizational layers are difficult to translate into specific technological layers of defenses, and they leave out areas such as security monitoring and metrics. Figure 1.9 shows a mind map that organizes the major categories from both the organizational and technical aspects of defense in depth and takes into account people, policies, monitoring, and security metrics.
Excerpted from Managing Information Security. Copyright © 2010 by Elsevier Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.