Monday, July 25, 2016

Information Security and Risk Management

Security Definitions

Vulnerability:
·        Weakness in a mechanism that can threaten the confidentiality, integrity, or availability of an asset
·        Lack of a countermeasure
Risk: Probability of a threat becoming real, and the corresponding potential damage
Threat: Someone uncovering a vulnerability and exploiting it
Exposure: When a vulnerability exists in an environment
Countermeasure: A control put into place to mitigate potential loss

Some examples of vulnerabilities that are not always obvious
·        Lack of security understanding
o   Real security requires real knowledge
o   Technical to C-level in companies
·        Misuse of access by authorized users
o   Authorization creep
o   Can now be a criminal offense under specific laws
·        Concentration of responsibilities
o   Separation of duties
·        Not being able to react quickly
o   No response team or procedure
·        Lack of communication structure
·        Lack of ways to detect fraud
o   Rotation of duties
o   Technologies and processes

Risk – What does it really mean?

·        Probability of a vulnerability being exploited by a threat, and the resulting business impact
·        Vulnerability or risk management?
·        Goal of risk management
o   Optimal security at minimal cost

Examples:

Information gathering – customer information/sensitive information – High Risk
Attack – password guessing, phishing, war dialing, escalation of privileges, exploitation of a vulnerability
Information gathering – OS, version, service detection, port scanning, vulnerability scanning
Foot-printing – IP, email, phone number discovery, newsgroups, DNS and website info – Low Risk


AIC Triad

·        Availability
o   Usability, timeliness
o   Prevents disruption of service
o   Protects production and productivity
·        Integrity
o   Accuracy, completeness
o   Prevents unauthorized modification
o   Protects data and production environment
·        Confidentiality
o   Secrecy, sensitivity, privacy
o   Prevents unauthorized disclosure of data
o   Protects sensitive data and processes

Social Engineering

To effectively collect information from human subjects, you may need to gather background first:
·        Organization Website
·        Company directory
·        Other Employees
·        Address and phone numbers
·        Background on the organization
·        News articles/press releases
Foot-printing!
