A lexicon is a dictionary of the words and phrases pertaining to a particular subject. A lexicon ensures that all stakeholders with an interest in a project interpret and use the same language consistently. For example, "risk" means different things to different people, and may mean different things to the same person in different situations.
Information security as a discipline covers everything from how high to build the fence outside your business, all the way to how to harden a Windows server. Each best practice is tied directly to a higher, more philosophical security concept, and those concepts are what I intend to discuss here.
These four concepts should constantly be on the minds of all security professionals.
Know Thy System
Perhaps the most important thing when trying to defend a system is knowing that system.
A good example of this in the information security world is knowing exactly what software is running on your systems. What daemons are you running? What sort of exposure do they create? A good self-test for someone in a small to medium-sized environment is to randomly select an IP from a list of your systems and see if you know the exact list of ports that are open on that machine.
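The self-test above can be turned into a repeatable check. The following is an added example (not code from the original article): it assumes you keep a per-host baseline of the ports that are supposed to be open and can collect the current listeners, for instance from `ss -ltn` output. The socket lines and the baseline below are constructed sample data; the names `check_host`, `PortDrift` and `BASELINE` are this example's own.

```python
"""Listening-port inventory check.

Added example, not code from the original article. It assumes the defender
keeps a per-host baseline of the ports that are supposed to be open and can
collect the currently listening sockets, e.g. from `ss -ltn` output. All data
below (the ss output and the baseline) is constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `ss -ltn`-style output collected from host "web01".
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       511            0.0.0.0:80          0.0.0.0:*
LISTEN  0       128          127.0.0.1:3306        0.0.0.0:*
LISTEN  0       100            0.0.0.0:25          0.0.0.0:*
LISTEN  0       128               [::]:22             [::]:*
"""

# Constructed baseline: what the administrator believes is listening on each host.
BASELINE = {"web01": {22, 80, 443}}

# Matches the state, the two queue counters and the local address:port of a LISTEN line.
_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def _is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("::1", "[::1]")


@dataclass
class PortDrift:
    host: str
    unexpected: set = field(default_factory=set)     # open but not in the baseline
    missing: set = field(default_factory=set)        # in the baseline but not open
    loopback_only: set = field(default_factory=set)  # unexpected, but bound to loopback only

    @property
    def clean(self) -> bool:
        """True when the observed ports exactly match what was expected."""
        return not self.unexpected and not self.missing


def parse_listening(ss_output: str) -> dict:
    """Map each listening port to the set of local addresses bound to it."""
    ports = {}
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            addr, port = m.group(1), int(m.group(2))
            ports.setdefault(port, set()).add(addr)
    return ports


def check_host(host: str, ss_output: str, baseline: dict = BASELINE) -> PortDrift:
    """Compare observed listeners against the baseline for one host."""
    observed = parse_listening(ss_output)
    expected = baseline.get(host, set())
    drift = PortDrift(host)
    drift.unexpected = set(observed) - expected
    drift.missing = expected - set(observed)
    # A service bound only to loopback is not network-exposed, but it is still
    # software you did not know was running, so it stays in `unexpected`.
    drift.loopback_only = {p for p in drift.unexpected
                           if all(_is_loopback(a) for a in observed[p])}
    return drift


def report(drift: PortDrift) -> list:
    """Render the drift as human-readable lines (returned, not printed)."""
    lines = [f"{drift.host}: {'OK' if drift.clean else 'DRIFT'}"]
    for p in sorted(drift.unexpected):
        scope = "loopback only" if p in drift.loopback_only else "network exposed"
        lines.append(f"  unexpected listener on port {p} ({scope})")
    for p in sorted(drift.missing):
        lines.append(f"  expected port {p} is not listening")
    return lines


if __name__ == "__main__":
    print("\n".join(report(check_host("web01", SAMPLE_SS_OUTPUT))))
```

Run against the constructed sample, the check flags an SMTP listener on port 25 and a loopback-only database on 3306 that the baseline did not know about, and notes that the expected 443 listener is absent. Either direction of drift is worth a question: an unexpected listener is exposure you have not assessed, and a missing one may mean a service silently failed.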
Least privilege simply says that people and things should only be able to do what they need to do their jobs, and nothing else. Well, what often happens is the admin will just put the user doing the backup into the domain admins group — even if they could get it to work another way.
Ultimately this is a principle that is designed to conflict directly with human nature. This rule of least privilege simply reminds us not to give in to the temptation to do that.
Take the time to make all access granular, and at the lowest level possible.
The true idea is that of stacking multiple types of protection between an attacker and an asset. Reaching that asset could be relatively easy given a major vulnerability, but with an infrastructure built using Defense In Depth, it can be significantly more difficult.
The idea is that we should think in reverse — rather than thinking about what needs to be put in place to stop an attack, think instead about everything that has to happen for it to be successful. Maybe an attack had to make it through the external router, the firewall, the switch, get to the host, execute, make a connection outbound to a host outside, download content, run that, and so on.
What if any of those steps were unsuccessful? Lock down network ACLs. Lock down file permissions. Use network intrusion prevention, use intrusion detection, make it more difficult for hostile code to run on your systems, make sure your daemons are running as the least privileged user, and so on.
The benefit is quite simple — you get more chances to stop an attack from becoming successful. The idea is to lock down everything you can at every level. Not just one thing, everything — file permissions, stack protection, ACLs, host IPS, limiting admin access, running as limited users — the list goes on and on.
Treat each element of your defense as if it were the only layer.
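The "think in reverse" exercise above is easy to do on paper once. The following is an added example (not code from the original article) that models the chain as data so it can be re-run whenever controls change: it lists the steps the text sketches, records which control can break which step, finds the steps guarded by a single layer or none, and answers "what if these controls failed?" by walking the chain. The mapping in `CONTROLS` is a constructed assumption for illustration, not a statement about any real product; the function names are this example's own.

```python
"""Defense-in-depth coverage check.

Added example, not code from the original article. The attack chain is the one
sketched in the text (router, firewall, host, execution, outbound connection,
download, run); which control can break which step is a constructed assumption
for illustration, not a statement about any real product.
"""

# Steps an attack has to complete, outermost first.
ATTACK_CHAIN = [
    "pass external router",
    "pass firewall",
    "reach host",
    "execute code on host",
    "connect outbound",
    "download payload",
    "run payload",
]

# Constructed assumption: each control and the chain steps it can stop.
CONTROLS = {
    "router ACLs":              {"pass external router"},
    "firewall rules":           {"pass firewall"},
    "network IPS":              {"pass firewall", "download payload"},
    "host IPS":                 {"execute code on host", "run payload"},
    "file permissions":         {"execute code on host", "run payload"},
    "least-privileged daemons": {"execute code on host"},
    "stack protection":         {"execute code on host"},
    "egress ACLs":              {"connect outbound"},
}


def coverage(controls: dict = CONTROLS) -> dict:
    """Map each chain step to the controls that can stop it (chain order preserved)."""
    cov = {step: set() for step in ATTACK_CHAIN}
    for name, steps in controls.items():
        for step in steps:
            if step in cov:
                cov[step].add(name)
    return cov


def thin_steps(max_layers: int = 1, controls: dict = CONTROLS) -> list:
    """Steps protected by at most `max_layers` controls: where one failure
    (or no control at all) leaves the attacker a free pass."""
    cov = coverage(controls)
    return [step for step in ATTACK_CHAIN if len(cov[step]) <= max_layers]


def blocked_at(failed: set, controls: dict = CONTROLS):
    """Walk the chain with the given controls assumed broken or misconfigured.
    Returns the first step where a surviving control still stops the attack,
    or None if the attacker gets all the way through."""
    cov = coverage(controls)
    for step in ATTACK_CHAIN:
        if cov[step] - failed:
            return step
    return None


def surviving_layers(failed: set, controls: dict = CONTROLS) -> int:
    """How many chain steps still have at least one working control."""
    cov = coverage(controls)
    return sum(1 for step in ATTACK_CHAIN if cov[step] - failed)


if __name__ == "__main__":
    for step, ctrls in coverage().items():
        print(f"{step:24s} {len(ctrls)} layer(s): {', '.join(sorted(ctrls)) or '-'}")
    print("thin steps:", thin_steps())
    perimeter_down = {"router ACLs", "firewall rules", "network IPS"}
    print("perimeter controls failed -> blocked at:", blocked_at(perimeter_down))
```

With the constructed mapping, "reach host" has no control at all and three other steps rely on a single one, which is exactly the list to work through first. Knocking out the whole perimeter still leaves the host-level layers to stop the chain at "execute code on host", which is the point of the text's "treat each element as if it were the only layer": the defense should hold even when the layers you trusted most are gone.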
The difference between knowing about a successful attack within 5 or 10 minutes vs. Oftentimes, having the knowledge early enough can result in the attack not being successful at all.
These are the three elements that everyone in the industry is trying to protect. Protecting confidentiality deals with keeping things secret. Integrity deals with making sure things are not changed from their true form.
Availability is a highly critical piece of the CIA puzzle.
As one may expect, attacks against availability are those that make it so that the victim cannot use the resource in question. That could be a particular server or even a whole network, in the case of bandwidth-based DoS attacks. The most famous example of this sort of attack is the Denial of Service attack. The idea here is that nothing is being stolen and nothing is being modified; the victim simply cannot use the resource.
Consider some common techniques used by attackers — sniffing traffic, reformatting hard drives, and modifying system files. Sniffing traffic is an attack on confidentiality, since information is read by someone who should not see it. Reformatting a hard drive is an attack on availability, since the data and the system are no longer usable. Finally, someone writing modified system files has compromised the integrity of that system. Thinking in these terms can go a long way toward helping you understand various offensive and defensive techniques.
Vulnerability
A vulnerability is a weakness in a system.
This one is pretty straightforward, because vulnerabilities are commonly labeled as such in advisories and even in the media.
Threat
A threat is an event, natural or man-made, that can cause damage to your system. Threats include people trying to break into your network to steal information, fires, tornados, floods, social engineering, malicious employees, etc.
Information security means protecting information (data) and information systems from unauthorized access.
Key concepts of the COSO framework
Internal control is a process. It is a means to an end, not an end in itself.
The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for managing information.
Information assurance architecture is itself a complex practice of abstraction, requiring a melding of architectural concepts, information assurance concepts, and the development of new terms to describe the nuances of IA2 practice.
The terms "information technology" and "IT" are widely used in business and the field of computing. People use the terms generically when referring to various kinds of computer-related work, which sometimes confuses their meaning.
The framework within which an organization strives to meet its needs for information security is codified as security policy. A security policy is a concise statement, by those responsible for a system (e.g., senior management), of information values, protection responsibilities, and organizational commitment. One can implement that policy by taking specific actions guided by management.
The Concept of Security, David A. Baldwin: Redefining 'security' has recently become something of a cottage industry. Most such efforts, however, are more concerned with redefining the policy agendas of