Information security is a process that moves through phases, building and strengthening itself along the way. Security is a journey, not a destination. Although the information security process has many strategies and activities, we can group them all into three distinct phases: prevention, detection, and response.
The ultimate goal of the information security process is to protect three unique attributes of information. They are:
• Confidentiality – Information should only be seen by those persons authorized to see it. Information could be confidential because it is proprietary information that is created and owned by the organization, or it may be customers’ personal information that must be kept confidential due to legal responsibilities.
• Integrity – Information must not be corrupted, degraded, or modified. Measures must be taken to insulate information from accidental and deliberate change.
• Availability – Information must be kept available to authorized persons when they need it.
Attacks compromise systems in a number of ways that affect one, if not all, of these attributes. An attack on confidentiality would be unauthorized disclosure of information. An attack on integrity would be the destruction or corruption of information, and an attack on availability would be a disruption or denial of services. Information security protects these attributes by:
There is an age-old advisory that says, “It’s too late to sharpen your sword when the drum beats for battle”. Make no mistake, we are in a war and we must prepare for the cyber battles by sharpening our skills. Information security professionals must continuously mature their capabilities by working smarter, not harder. It is always better to prevent than to pursue and prosecute. Preventing an incident requires careful analysis and planning. Information is an asset that requires protection commensurate with its value. Security measures must be taken to protect information from unauthorized modification, destruction, or disclosure, whether accidental or intentional. During the prevention phase, security policies, controls and processes should be designed and implemented. Security policies, security awareness programs and access control procedures are all interrelated and should be developed early on. The information security policy is the cornerstone from which all else is built.
1. Security Policy:
The first objective in developing a prevention strategy is to determine “what” must be protected and document these “whats” in a formal policy. The policy must define the responsibilities of the organization, the employees and management. It should also fix responsibility for implementation, enforcement, audit and review. Additionally, the policy must be clear, concise, coherent and consistent in order to be understood. Without clear understanding, the policy will be poorly implemented and subsequent enforcement, audit and review will be ineffective. Once management endorses a completed policy, the organization needs to be made aware of its requirements.
2. Security Awareness:
Security awareness is a process that educates employees on the importance of security, the use of security measures, reporting procedures for security violations, and their responsibilities as outlined in the information security policy. Security awareness programs should be utilized for this purpose. The program should be a continuous process that maintains the awareness level of all employees. The program should be designed to address organization-wide issues as well as more focused, specialized training needs. The program should stress teamwork and the importance of active participation. To motivate individuals, a recognition process should be adopted to give out awards or rewards to employees who perform good security practices.
3. Access Controls:
Access is the manner by which the user utilizes the information systems to get information. Naturally, not all users should have the ability to access all systems and their information. Access should be restricted and granted on a need-to-know basis. To manage this access we establish user accounts by issuing identifiers, authentication methods to verify these identifiers, and authorization rules that limit access to resources.
• Identification – Identification is a unique identifier. It is what a user (person, client, software application, hardware, or network) uses to differentiate itself from other objects. A user presents identification to show who he/she is. Identifiers that are created for users should not be shared with any other users or groups. Once a user has an identifier, the next step taken to access a resource is authentication.
• Authentication – Authentication is the process of validating the identity of a user. When a user presents its identifier, prior to gaining access, the identifier (identification) must be authenticated. Authentication verifies identities, thereby providing a level of trust. There are three basic factors used to authenticate an identity. They are:
1. Something you know – The password is the most common form used. However, secret phrases and PINs are also utilized. This is known as one-factor or single-factor authentication. This form is weakened due to poor password selection and storage.
2. Something you have – This authentication factor is something you have, such as an identification card, smartcard or token, each of which requires the user to possess “something” for authentication. A more reliable authentication process would require two factors, such as something you know combined with something you have. This form is known as two-factor or multilevel authentication.
3. Something you are – The strongest authentication factor is something you are. This is a unique physical characteristic such as a fingerprint, retina pattern or DNA. The measuring of these factors is called biometrics. The strongest authentication process would require all three factors. Facilities or applications that are highly secret or sensitive will utilize all three factors to authenticate a user. However, although biometrics on the surface appears to be a panacea, it is not. There are weaknesses, and for biometrics to work the verifier needs to verify two things. These requirements are outlined in a Counterpane.com article by Bruce Schneier, titled “Biometrics: Uses and Abuses”. The author indicates that the verifier must establish, first, that the biometric came from the person at the time of verification and, second, that the biometric matches the master biometric on file. Without these two biometric authentication requirements, this factor won’t work.
• Authorization – Authorization is the process of allowing users who have been identified and authenticated to use certain resources. Limiting access to resources by establishing permission rules provides better control over users’ actions. Authorization should be granted on the principle of least privilege. Least privilege is granting no more privilege than is required to perform a task/job, and the privilege should not extend beyond the minimum time required to complete the task. This restrictive process limits access, creates a separation of duties and increases accountability.
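The identification, authentication and authorization chain above, including the two-factor case (something you know plus something you have) and a time-limited least-privilege grant, can be seen end to end in a small model. The code below is an added example, not code from the original article; the in-memory user store, the user names, the permission strings and the sample password are all constructed for illustration. Passwords are stored only as salted PBKDF2 hashes, the second factor is a TOTP-style code (HMAC-SHA1 over a 30-second step, as in RFC 6238), and each grant names one permission and carries an expiry so the privilege lapses when the task should be finished.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000   # work factor for stored password hashes
TIME_STEP = 30                # seconds per one-time-code window (RFC 6238 default)


@dataclass
class User:
    identifier: str                     # identification: unique, never shared
    salt: bytes
    password_hash: bytes                # something you know, kept only as a salted hash
    otp_secret: Optional[bytes] = None  # something you have: seed of a TOTP token, if enrolled
    grants: Dict[str, int] = field(default_factory=dict)  # permission -> expiry (epoch seconds)


_USERS: Dict[str, User] = {}  # constructed in-memory user store (illustration only)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(identifier: str, password: str, otp_secret: Optional[bytes] = None) -> None:
    """Identification: issue a unique identifier and record the user's credentials."""
    if identifier in _USERS:
        raise ValueError("identifier must be unique")
    salt = os.urandom(16)
    _USERS[identifier] = User(identifier, salt, _hash_password(password, salt), otp_secret)


def totp_code(secret: bytes, now: int, digits: int = 6) -> str:
    """Time-based one-time code: HMAC-SHA1 over the current 30 s step, truncated per RFC 6238."""
    counter = struct.pack(">Q", now // TIME_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def authenticate(identifier: str, password: str, otp: Optional[str] = None,
                 now: Optional[int] = None) -> bool:
    """Authentication: check the password and, if the user is enrolled, the second factor too."""
    user = _USERS.get(identifier)
    if user is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users (no timing tell)
        return False
    if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
        return False
    if user.otp_secret is not None:
        now = int(time.time()) if now is None else now
        if otp is None or not hmac.compare_digest(totp_code(user.otp_secret, now), otp):
            return False
    return True


def grant(identifier: str, permission: str, seconds: int, now: Optional[int] = None) -> None:
    """Least privilege: a grant names one permission and expires when the task should be done."""
    now = int(time.time()) if now is None else now
    _USERS[identifier].grants[permission] = now + seconds


def authorize(identifier: str, permission: str, now: Optional[int] = None) -> bool:
    """Authorization: allow the action only while an unexpired grant for it exists."""
    user = _USERS.get(identifier)
    if user is None:
        return False
    now = int(time.time()) if now is None else now
    expiry = user.grants.get(permission)
    return expiry is not None and now < expiry


if __name__ == "__main__":
    # Demo with constructed values; the OTP seed is the RFC 6238 test secret.
    register("alice", "correct horse battery staple", otp_secret=b"12345678901234567890")
    code = totp_code(b"12345678901234567890", int(time.time()))
    print("login ok:", authenticate("alice", "correct horse battery staple", otp=code))
    grant("alice", "read:reports", seconds=600)
    print("may read reports:", authorize("alice", "read:reports"))
    print("may delete reports:", authorize("alice", "delete:reports"))
```

Two design points carry the article's argument: a wrong password and an unknown identifier cost the same hashing work and both return the same plain `False`, so a caller learns nothing about which identifiers exist; and `authorize` never asks "is this user trusted?" but only "does an unexpired grant for exactly this permission exist?", which is the least-privilege rule stated above made mechanical.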
Here are some tips to help prevent your digital life from being stolen, whether it be a password breach or an internet-wide vulnerability.
Make sure you’ve got a superstrong, unique password. In other words, ensure that your password is difficult to guess. One way to come up with a creative password is to brainstorm a random sentence. Take the first letter of each word in that sentence and use that acronym as the base for your password.
Don’t use the same password for multiple services. Using the same term for all of your passwords leaves your entire digital life vulnerable to attack. This means that if a hacker has one password, he or she has all of your passwords.
Enable two-factor authentication. Many services, including Google, offer two-factor authentication for logging into your account. Instead of simply entering a username and password to log in, the website will prompt you to enter a code sent to your smartphone to verify your identity.
Apply software updates when necessary. Apple, Google, and Microsoft typically include security bug fixes and patches in their most recent software updates. So don’t ignore those annoying prompts and keep your software up-to-date.
Carefully read the permissions before installing apps. This is one of the most prominent ways in which malicious apps can gain access to your personal information. These types of issues have been especially present in the Google Play store. A lot of apps ask for a lengthy list of permissions, and that doesn’t mean they’re all ill-intentioned. But it’s important to be aware of the types of information your apps are accessing, which can include your contacts, location, and even your phone’s camera.
Check the app publisher before installing. There have been numerous instances in which scammers have published apps in the Google Play store posing as another popular app. For example, in late 2012 an illegitimate developer posted an imposter app in Google Play pretending to be “Temple Run.” A quick look at the publisher shows that the app comes from a developer named “apkdeveloper,” not the game’s true publisher Imangi Studios.
Avoid inserting hard drives and thumb drives you don’t trust into your computer. If you find a random USB stick, don’t let your curiosity tempt you to plug it in. Someone could have loaded malware onto it hoping that an interested person was careless enough to insert it into their device. If you don’t trust the source, you’re better off not putting your computer at risk.
Make sure a website is secure before you enter personal information. Look for the little padlock symbol in front of the web address in the URL bar. Also, make sure the web address starts with the prefix https://. If these things aren’t there, then the connection isn’t secure and you shouldn’t enter any data you wouldn’t want made public.
Don’t send personal data via email. Sending critical information such as credit card numbers or bank account numbers puts it at risk of being intercepted by hackers or cyber attacks.
Keep an eye out for phishing scams. A phishing scam is an email or website that’s designed to steal from you. Often, a hacker will use this email or website to install malicious software onto your computer. These web entities are designed to look like a normal email or website, which is how hackers convince their victims to hand over personal information. Phishing scams are typically easy to spot, but you should know what to look out for. Many of these emails contain spelling errors and are written in poor grammar.
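The traits the tip above describes (a message that imitates a legitimate sender, pressures the reader, and hides where its links really go) can be checked mechanically. The code below is an added example, not code from the original article; it scans a single-part HTML e-mail for a few indicators a mail filter or a cautious reader would look for. The two sample messages, the sender domains and the IP address in them are constructed for this example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader into acting before thinking (constructed list).
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "verify your account")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class _BodyScanner(HTMLParser):
    """Collects anchor (href, visible text) pairs and the plain text of the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Hostname of a URL or bare domain, lower-cased, without a leading 'www.'."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _address_domain(header: str) -> str:
    """Domain part of an address header such as 'Name <user@domain>'."""
    if not header or "@" not in header:
        return ""
    return header.rsplit("@", 1)[1].strip("> ").lower()


def phishing_indicators(raw_message: str) -> list:
    """Return the indicator codes found in a single-part HTML e-mail (empty list if none)."""
    msg = message_from_string(raw_message)
    scanner = _BodyScanner()
    scanner.feed(msg.get_payload())
    found = []

    # Replies routed to a different domain than the one the mail claims to come from.
    from_domain = _address_domain(msg.get("From", ""))
    reply_domain = _address_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to-domain-mismatch")

    for href, text in scanner.links:
        href_host = _host(href)
        if _IPV4.match(href_host):
            found.append("link-to-raw-ip")
        # Visible text that itself looks like a URL or domain must point where it claims to.
        if "." in text and " " not in text and _host(text) != href_host:
            found.append("link-text-domain-mismatch")

    visible = (msg.get("Subject", "") + " " + "".join(scanner.text)).lower()
    if any(phrase in visible for phrase in URGENCY_PHRASES):
        found.append("urgency-language")
    return found


# Constructed sample messages; domains and the IP address are placeholders.
SAMPLE_PHISH = (
    'From: "Example Bank" <alerts@example-bank.com>\n'
    "Reply-To: support@mail-verify.example.net\n"
    "Subject: Urgent: your account will be suspended\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>Dear customer, verify your account immediately.</p>\n"
    '<p><a href="http://203.0.113.5/login">https://www.example-bank.com/login</a></p>\n'
    "</body></html>\n"
)

SAMPLE_LEGIT = (
    'From: "Example Bank" <alerts@example-bank.com>\n'
    "Subject: Your monthly statement is ready\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>Your statement is available in online banking.</p>\n"
    '<p><a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a></p>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("legit:", phishing_indicators(SAMPLE_LEGIT))
```

The link check is the one most worth remembering: the text of a link is just text, and the `href` is where the browser actually goes, so a message whose visible address and real destination disagree is claiming one thing and doing another. None of these indicators is proof on its own; a real filter scores them together and still leaves the final call to the reader.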
Avoid logging into your important accounts on public computers. Sometimes you’ve got no choice but to use a computer at the coffee shop, library, or local FedEx. But try not to do it frequently, and make sure you completely wipe the browser’s history when you’re finished.
Back up your personal files to avoid losing them. You should keep a copy of all important files in the cloud and on some sort of hard drive. If one of them gets hacked or damaged, you’ll still have a backup copy.
© 2017 – 2018, Techrunnr. All rights reserved.