In the security field, best practices always fall within what is referred to as the AIC (or CIA) Triad. AIC stands for availability, integrity, and confidentiality; the idea being that every security action taken is in response to at least one of these three areas. Availability refers to the reliability and timely access of information. It is generally ensured through the use of backup devices. Once the availability of the information has been established, it is necessary to focus on its integrity. This deals with the assurance of accuracy and the reliability of the information the user is receiving. This is done by preventing unauthorized modifications through strict access controls, intrusion detection, and hashing methods. The third piece of the triad is the confidentiality of information. In other words, important data needs to be unavailable to unauthorized individuals. This can be achieved through encrypting data, network traffic padding, strict access controls, data classification, and proper personnel training.
When assessing whether or not to implement a solution to the issues in these areas, there are two important questions that need to be asked: "Does this solution carry out the required tasks?" and "How sure are we of the level of protection this solution provides?" These are generally referred to as functional requirements and assurance requirements, respectively. One practice to be avoided as a result of these requirements is that of security through obscurity. This is a practice often utilized by uninformed and untrained individuals who believe that having a strange approach to their security method will prevent hackers from being able to crack their system. This is never an appropriate substitute for a properly implemented security program.
Wednesday, February 23, 2011
Monday, February 21, 2011
Ch. 3 Information Security and Risk Management
The third chapter, as the title implies, deals with managing the risk a company may face and how information security is used to do so. This is not the most technical area in itself, but it is the starting point for the rest of the security domains. Without a valid security plan, the other security measures become nothing more than very expensive squirt guns. You may be able to use them to handle small problems, but one large issue or security exploitation can cause major problems, as opposed to a well-developed security program, which provides greater protection against more dangerous issues.
As hinted at in the previous post, the key to a successful security program is the involvement of management in a top-down approach. In a well-formed company, the information owners, generally senior executives, are responsible for establishing resource access guidelines, and the security administration is responsible for making sure these guidelines are implemented correctly. Basically, the guys at the top need to lay out who gets what access, and the security administration should just be responsible for the technical part of it. One important reason for this approach is the validation of due care. This legal term implies that management made an effort to protect their assets, and it protects them from claims of negligence. Having a top-down security structure is one way of helping to prove due care was taken if a situation ever arises.
In order to implement a program, three levels of controls are utilized: administrative, technical, and physical. The first layer protecting sensitive information is made up of the administrative controls. These include personnel screening, policy development, general risk-management, etc. The second layer is formed by the technical or logical controls. This is what is traditionally thought of when one talks about security work; access control mechanisms, password management, infrastructure configuration, authentication methods, etc. The final layer consists of the physical controls. These would include anything from security guards to fences to intrusion monitoring.
Wednesday, February 16, 2011
Ch. 2 Security Trends
Ch. 2 is a very broad chapter in the sense that it just tries to convey the idea of how important security has become in the last 50 years. In the beginning of the computer age, security wasn't really a factor, as only a handful of people knew how to operate computers and the tasks being accomplished were low-risk computations. Shon Harris described it as working in a "glass house". Eventually computer usage became more commonplace, and it quickly became evident that it was necessary to protect the users from themselves. If "the common man" was allowed uncontrolled access to data, information was corrupted and systems compromised. Finally, the need for more security measures arose as more people began to push the envelope of what they could do with the new technology.
Since this time, "information warfare" has erupted around the world, encompassing everything from DoS (denial of service) attacks on a company's web site to direct hack attacks on a country's infrastructure (water, power, etc.). It's becoming easier and easier for individuals to become "hackers" in today's environment, as hacking tools are more prevalent and easier to use than ever. To get an idea of some of the more publicized crimes committed by hackers, you can check out www.cybercrime.gov.
People are finally starting to understand the importance of security in maintaining public confidence in one's image (whether it be a company or a government), and the damage an information leak can cause. Military personnel and law enforcement officers are being trained in IT crime prevention and detection. The U.S. government has even developed organizations to help identify crucial areas and work with the private sector to establish the most secure environment possible. This started with the PCCIP (President's Commission on Critical Infrastructure Protection) under President Clinton. Most recently, a large portion of the responsibility for cyber security has fallen on the DHS (Department of Homeland Security) under President Bush.
This chapter briefly identifies the OECD (Organization for Economic Co-operation and Development) as being required knowledge for the exam and specifies that it will be covered again later. Essentially though, it is a group of about 100 countries (only 30 of which are actually members) working together to promote trade and economic growth. It outlines a set of guidelines, called the OECD Principles, which provide recommended corporate governance rules for countries to consider implementing.
How this all applies to the average security enthusiast, i.e. yours truly, is that along with the increasing reliance on technology and computers in today's environment comes a need for better security practices. This is essentially achieved by following two principles: security must be management driven, and security must be a layered endeavor.
As far as management goes, I'm going to quote Mr. Harris, as I don't think I could say it any better:
Good security does not begin and end with erecting a firewall and installing antivirus software. Good security is planned, designed, implemented, and maintained, and is capable of evolving. For security to be a good fit for a company, it must be in line with the company's business goals and objectives. Management needs to understand security issues and how security affects the company and its customers so that proper resources, time, and funding can be provided. In other words, information security should be applied in a top-down approach. If management doesn't specify what needs to be protected and from whom, it becomes very difficult for the IT staff to improve the situation and they essentially become firefighters as opposed to a developmental asset.
As far as layering is concerned, it is a very easy concept to understand. Any given system can have multiple weaknesses and possible points of penetration. The only way to protect this system is to not only have security measures which protect each possible area, but measures that all protect the system at the same time while working together. A single weak point or inconsistency in the security can provide an entrance for a skilled hacker.
Now we start moving into the real meat of the text with Chapter 3...
Wednesday, February 9, 2011
Delays & Chapter 1
Hello friends. Sorry for the delay since my last post, but there were some issues between amazon.com and UPS, which resulted in a delay in getting my book. All is well now, as the situation has been resolved and the book has arrived. Unfortunately this delay has already put me behind in the schedule. To compensate, I will try to push through the material a little faster than normal for the next couple of weeks.
With that here is an overview of Chapter 1: Becoming a CISSP.
First of all, CISSP stands for Certified Information Systems Security Professional. It is a certification given by the International Information Systems Security Certification Consortium (ISC)2, and it is used as a means of asserting an individual's competency in the 10 domains of the CISSP Common Body of Knowledge (CBK).
The test is made up of 250 multiple choice questions, each of which contains 4 possible answers. Only 225 of the 250 questions are actually graded, and these 225 are graded on a 1000 point scale. Not all questions are weighted the same in value, and a score of 700 is needed to pass. The remaining 25 questions are referred to as research questions. Research questions are added to each exam to test their integrity before being added to the bank of actual test questions. Each person is given a full 6 hours to complete all of the questions and you are permitted to move through the test however you see fit. The exam contains both concept based questions, as well as scenario based ones. There is no limit to the number of times you can take the test, nor is there any required wait time between tests if you fail.
In order to gain the certification, the candidate is required not only to pass the test, but to meet certain professional work requirements as well, such as working full time in at least two of the ten domains. They are also required to obtain an endorsement from a currently certified (ISC)2 professional. Finally, the individual must read and sign the Code of Ethics, which can be found here. The certification is respected on an international level, adding to its value in this era of globalization.