Practical Information Security Management A Complete

A. Chapter 1: Evolution of a Profession

If you were to liken the IT industry to a three-ring circus, computer security was a sideshow; the unicycling monkey of the IT world. It was staffed by the geekiest, socially awkward technical geniuses who no one really wanted to see, but they were still there in the shadows doing their thing, because they had to be. The focus of security was to configure the technical measures in hardware and software to keep out script kiddies and make sure that systems kept running without the phreakers and hackers stealing precious bandwidth.

Over the next four decades, the world shifted. The adoption of ubiquitous home and enterprise computing saw security professionals dedicate more focus to the information they were protecting. From a metaphorical perspective, security refocused its lens from technology to information, allowing the security experts to consider management systems and processes that they’d never considered before.

This shift away from technology to a more holistic viewpoint of business saw computer security rebranded to information security.

“Cyber has become a ubiquitous prefix in today’s media that means anything concerned with Internet privacy or security. It’s rare that a day goes by without hearing or reading about cyberwar, cyberattacks, cybersecurity, cyberbullying, and cybersafety. But where did this peculiar prefix come from? The first evidence of usage (aside from the Greek root meaning governing) dates back to the 1940s, when mathematician Norbert Wiener wrote about cybernetics as computer systems that could one day run on feedback and be self-governing. During the 1980s, the term was prepended to any word to make it sound futuristic or cutting-edge, replacing the less cool term, digital. In the 1990s, cyber developed an entirely new meaning as cybersex arrived on the scene, referring to virtually making out (among other things) with your partner in dial-up IRCs and online forums. As the years trundled by and the concept of cybersex was largely replaced with online pornography and dating sites, the term was taken back by the government, and the military started referring to the next shift in warfare paradigms as being into the battleground of cyber. And with cyberwarfare came cybersecurity, cyberattacks, and cyberintelligence. Today, cyber can pretty much be appended to anything you like, but the media has focused its use primarily on the security industry, hence we have all become cybersecurity professionals, whether we like it or not.”

The Language of Security:

a.     CIA

There are three special security properties (sometimes referred to as the three tenets of security) that are fundamentally at the heart of everything we do. Every risk you mitigate and every control you implement is from the perspective of one or more of these properties. Figure 1-2 shows the relationship between confidentiality, integrity, and availability and how they apply to every asset we protect.

1.     Confidentiality

A loss of confidentiality can occur in many ways, such as through the intentional release of information by someone who has legitimate access, such as a trusted (but not trustworthy) employee or systems administrator. This could have a negative effect on the company’s share price and damage any competitive edge it might have in the market, with a knock-on effect on profits for years to come.

2.     Integrity

Maintaining integrity ensures the following:

• Unauthorized personnel or processes do not make modifications to data.

• Authorized personnel or processes do not make unauthorized modifications to information.

• Information is internally and externally consistent.

3.     Availability

Here are a few examples that show just how important availability can be:

• A maintenance company cuts through the main power supply to your datacenter, but you have no backup generator. Your systems are no longer available to your staff or customers.

• A hacker launches a denial of service (DoS) attack against your website, and your users are no longer able to browse your inventory or check out their purchases.

b.     Non-Repudiation

There is one additional property, called non-repudiation, that exists alongside the CIA triad and is equally important to consider in a variety of special circumstances. ISO/IEC 27000:2012 defines non-repudiation as the “ability to prove the occurrence of a claimed event or action and its originating entities.”

c.      Threats and Vulnerabilities

ISO/IEC 27000:2012 defines a threat as “the potential cause of an unwanted incident, which may result in harm to a system or organization.” A threat is any action or actor that may cause an unwanted consequence, such as a breach of confidentiality or loss of service.

To be considered a threat, an incident or violation doesn’t have to occur. Your job is to identify that this threat might occur and use this knowledge in a process called risk assessment (more on this later).

d.     Risk and Consequence

The management of information risk is at the heart of everything we do in information security management. Risk is defined in ISO/IEC 31000 as “the effect of uncertainty on objectives.” It might not have occurred to you before that risk can have both positive and negative effects on business objectives: a deviation from what is expected could well be a positive shift. This means that some risks result in good outcomes, even if it is somewhat unexpected, such as when the stock market unexpectedly moves in your favor.

 

B. Chapter 2: Threats and Vulnerabilities

I. Threats

Threats come from a variety of sources. Some are physical, such as floods and volcanoes, while others are digital, such as from hackers, criminals, disgruntled employees, or competitors. This section looks at the overall threat landscape (this term denotes the plethora of threats that potentially affect our information’s confidentiality, integrity, and availability), the threat actors (the people that enact those threats) and the kinds of malware and weaponized code being used to perpetrate such attacks.

1.     The Deep Web

The hidden network that exists within the Tor service is often referred to as the deep web. However, there are myriad other names it’s been dubbed with over the years, such as the dark web, darknet, and the dark market. No matter what it’s called, it operates much like the rest of the Internet in terms of websites, file services, and web services, with one main difference: it’s completely anonymous and unindexed (i.e., you can’t find links to these services in Google, Yahoo!, or any other traditional search engine).

It contains a plethora of services, such as criminal hacking and malware-peddling sites, and is the first port of call for researchers and counter-intelligence officers trying to keep ahead of what the cyber criminals are up to.

In effect, the deep web is a collection of connected systems that are protected using the encrypted overlay provided by Tor. At first glance it appears to work much like the standard Internet; the one main difference (from a user perspective) is that sites are not indexed by standard search engines such as Google. You’ll not be able to find links to sites such as the Silk Road from a Google search; instead, you’ll need to know how to get into the Tor network, and then you’ll need to know the special .onion URL to find your way to that target site.

2.     Malware as a Service

This productizing of malware has led to a restructuring of the exploit marketplace, where hacking-as-a-service (HaaS) is now the preferred delivery model. HaaS allows anyone who wants to dabble in cybercrime to get started, even if they have no technical skills at all. Hackers can simply license the malware they need from a developer, or hire a hacking group (by the hour) to launch attacks on their behalf. Obtaining the tools is also very easy. There are websites dedicated to selling malware developers’ wares, where sellers offer tailored services specifically for the purpose of hacking the chosen target. This means the hacker can inflict any combination of negative outcomes on their target with little to no technical knowledge, for a very reasonable service fee.

3.     Criminal Motivations and Capabilities

Some of the most devastating cyberattacks we’ve seen over the past few years demonstrate well how aligned the modern cybercriminal landscape has become with traditional crime:

• Anthem: This health insurance provider was hacked by an organized crime group in order to steal customer health records. Health records are extremely useful on the black market, fetching a much higher price than credit card records, since they can be used to create false identities, leading to much more significant profits; unlike credit card information, your name, address, and social security number cannot be changed.

• OPM: We looked previously at the attack on the US government’s Office of Personnel Management; however, to classify it against standard criminal activity, it really falls into the category of espionage.

• Ashley Madison: This dating site was hacked by a group of activists who believe the organization was furthering immorality in society by encouraging people to cheat on their spouses. Activism in cyberspace is known as hacktivism, but it remains activism nonetheless. Ashley Madison is one of the first hacks that resulted in the deaths of at least two affected victims.

• Sony Pictures: The massive and sustained attack on Sony Pictures saw copyrighted material leaked onto the Internet, along with emails, celebrity contracts, and a plethora of other potentially damaging material. This hack was attributed to North Korea by US law enforcement; however, it can’t really be considered espionage because it wasn’t politically motivated. Rather, it was posited as revenge for the portrayal of North Korea’s leader, Kim Jong-un, as a psychotic idiot in the movie skit The Interview.

II. Vulnerabilities

1.     Technical Vulnerabilities

There are many kinds of technical vulnerability you need to consider when performing a risk assessment for your business. Operating systems and applications have been developed from millions of lines of complex code and often contain a variety of errors and oversights that remain in the system once compiled. These errors do not necessarily affect normal operations, and therefore are not found until someone specifically tries to find ways to exploit your systems.

2.     Non-Technical Vulnerabilities

As a security manager you need to properly understand how physical and process vulnerabilities affect your business and security and how they should be addressed within a holistic approach to your security architecture. In this section, we’ll look at:

a.      Physical Vulnerabilities

In the previous section in this chapter we looked at some of the physical threats our business systems and information might be affected by, such as fires, floods, and earthquakes.

b.     Process Vulnerabilities

The technical vulnerabilities in systems are just one perspective on where you’ll find weaknesses that can cause a loss of confidentiality, integrity, or availability. Security managers need to be aware of the underlying processes that keep the business safe and ensure that those processes contain as few vulnerabilities as possible, since weaknesses there can also lead to a compromise.

c.      People Vulnerabilities

Finally, one of the biggest considerations the information security manager must make is that of how to deal with the vulnerabilities introduced into the organization by staff. People can introduce risk into the systems they manage, through complacency, carelessness, simply not understanding how to do something or why something should be done the way it’s specified, or through malicious intent. We also use people as the developers of our systems, which is where many of these issues come from in the first place, and for any one of myriad reasons, bugs can be introduced into the systems you are developing (both from a software and a hardware point of view).

Source: Campbell, Tony. 2016. Practical Information Security Management. XXVII, 237. Apress.