Thursday, July 24, 2014

Risk Mitigation

    The heart of information security is the concept of RISK. Every organization encounters different types of risks. The range of risks runs from those with the smallest impact, which can be easily managed, to those that threaten the very existence of the organization. The importance of safeguarding against information security risks posed by attackers, who see these avenues as opportunities to cripple businesses, has risen from obscurity to the forefront of most organizations' business plans.

     The multifaceted approach to information security is essential for a solid foundation of risk mitigation. It encompasses 3 basic strategies:

     - Control risks through several different management techniques
   
     - Develop a security policy

     - Promote awareness and training with employees

Controlling Risks

There are several different terms used in context of information security and controlling risk:

     * Threat- A type of action that has potential to cause harm

     * Threat agent- A person or element that has the power to carry out the threat

     * Vulnerability- A flaw or weakness that allows a threat to bypass security

     * Risk- The likelihood the threat agent will exploit the vulnerability

As with the different terms, there are also different strategies for controlling risk. Three of the most common are privilege management, change management, and incident management.

     Privilege management is a person's access level over an object, such as a user's ability to open a payroll file. It covers the procedures for managing object authorizations. One element of privilege management is the periodic review of a subject's privileges over an object, known as privilege auditing. Audits serve to verify that the security protections implemented by an organization are being followed. The correct privileges should follow the principle of least privilege: the minimal set of privileges an employee needs to perform their job. Most organizations have a written policy that mandates regular reviews.
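A privilege audit of the kind described above, as an added example that is not part of the original post: each subject's granted privileges are compared with what their role actually needs, and idle accounts are flagged for review. The role table, the subjects and the 90-day dormancy threshold are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: the privileges each job role legitimately needs (least privilege).
ROLE_PRIVILEGES = {
    "payroll_clerk": {"payroll:read"},
    "payroll_manager": {"payroll:read", "payroll:write"},
    "helpdesk": {"accounts:reset_password"},
}

@dataclass
class Subject:
    name: str
    role: str
    granted: set          # privileges actually assigned to this subject over objects
    days_since_login: int

def audit(subjects, role_privileges, dormant_after=90):
    """Return findings as (subject, finding type, details) tuples:
    privileges beyond what the role needs, and accounts idle long enough
    that their access should be reviewed. Unknown roles get no privileges."""
    findings = []
    for s in subjects:
        allowed = role_privileges.get(s.role, set())
        excess = sorted(s.granted - allowed)
        if excess:
            findings.append((s.name, "excess privilege", excess))
        if s.days_since_login >= dormant_after:
            findings.append((s.name, "dormant account", [f"{s.days_since_login} days idle"]))
    return findings

# Constructed subjects: bob can write the payroll file although his role only reads it;
# carol's account has not been used in four months.
SAMPLE = [
    Subject("alice", "payroll_clerk", {"payroll:read"}, 3),
    Subject("bob", "payroll_clerk", {"payroll:read", "payroll:write"}, 12),
    Subject("carol", "helpdesk", {"accounts:reset_password"}, 120),
]

if __name__ == "__main__":
    for name, kind, detail in audit(SAMPLE, ROLE_PRIVILEGES):
        print(f"{name}: {kind} -> {', '.join(detail)}")
```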

     Change management refers to the method of making modifications to network or system configurations and keeping track of those modifications. It prevents changes from being made in a haphazard way that could impact future changes and possibly expose a vulnerability an attacker could exploit.
Two types of change regarding security need proper documentation: architecture and classification. Architecture deals with devices such as routers, switches, or other devices being introduced into the network; a detailed list of their attributes also needs to be compiled. The second type of change is classification, which primarily refers to files or documents. Classification levels are typically standard documents and confidential documents. Uncoordinated changes can result in security vulnerabilities. Many organizations create a change management team to oversee the changes.

     Incident management refers to the response required when an unauthorized incident occurs, such as an employee copying sensitive material. Incident response is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future recurrence. Within a structured organization these incidents are normally dealt with by either an Incident Response Team (IRT) or an Incident Management Team (IMT). These teams are often designated beforehand, or during the event, and are placed in control of the part of the organization where the incident is dealt with, to restore normal functions.

List the types of security policies

   Security policies are a set of requirements or rules that set a path to a specific objective. Security policies attempt to carefully balance two key elements, trust and control. An effective security policy should minimize risk while not imposing undue access restrictions on those who need access to resources. A security policy attempts to provide the right amount of trust by balancing no trust and too much trust. Control is the second element that must be balanced. Designing a security policy involves defining what the policy is, understanding the security policy cycle, and knowing the steps in policy development. The different types of policies are:

Acceptable Use Policy
Access Control Policy
Application Control Policy
Antivirus Policy
Asset Management Policy
Electronic Messaging Policy
IT User Accounts Policy
Monitoring and Logging Policy
Passwords Policy
Remote Access Policy

Describe how awareness and training can provide increased security.

     Security awareness training is a formal process for educating employees about computer security.
A good security awareness program should educate employees about corporate policies and procedures for working with information technology (IT).  Employees should receive information about who to contact if they discover a security threat and be taught that data is a valuable corporate asset. Regular training is particularly necessary in organizations with high turnover rates and those that rely heavily on contract or temporary staff.  Confirming how well the awareness program is working can be difficult. The most common metric looks for a downward trend in the number of incidents over time.


http://www.comptechdoc.org/independent/security/policies/
http://www.slideshare.net/R_Yanus/Employee-Security-Training1
http://searchconsumerization.techtarget.com/definition/security-awareness-training

Thursday, July 17, 2014

Business Continuity

Business continuity is defined as "the ability of an organization to maintain its operations and services in the face of a disruptive event." The event could be as basic as an electrical outage or as catastrophic as a category 5 hurricane. When business is disrupted, it costs money: lost revenues plus extra expenses mean reduced profits. Insurance does not cover all costs and cannot replace customers who defect to the competition. A business continuity plan is therefore essential. Development of a business continuity plan includes four steps:

 - Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
 - Identify, document, and implement strategies to recover critical business functions and processes.
 - Organize a business continuity team and compile a business continuity plan to manage a business disruption.
 - Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.

Define environmental controls-

As the saying goes, "An ounce of prevention is worth a pound of cure!" It's better to take steps that avoid disruptions than to try to recover from them. Preventing disruptions through environmental controls involves using fire suppression, proper shielding, and correct configuration of HVAC systems.

Describe the components of redundancy planning-

 - Redundancy planning is a crucial part of business continuity. It involves building excess capacity (or redundancy) into your network and computer systems to protect them against failure. Redundancy planning ultimately ensures the availability of your network infrastructure, including servers, storage, networks, power, and even sites.

List disaster recovery procedures-


The disaster recovery procedures every enterprise should incorporate include the guidelines and procedures to be followed to effectively respond to and recover from different disaster scenarios. Plan steps that minimize the effects of the disaster and resume mission-critical functions quickly.

 - Implement a Disaster Recovery Plan and test its efficiency.
 - Identify a Recovery Team and their specific responsibilities.
 - Identify what steps to take in advance of an event, and during the event. 
 - Identify Recovery procedures  

Describe incident response procedures-

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs.

 - Secure the crime scene
 - Preserve the evidence
 - Establish a chain of custody
 - Examine the evidence

http://www.ready.gov/business/implementation/continuity
http://dtechghana.com/security/business-continuity/redundancy-planning/
http://searchsecurity.techtarget.com/definition/incident-response

Wednesday, July 16, 2014

Importance of Passwords

Why length and complexity are important -
As we know, passwords are used to identify yourself, or to authenticate your ability to enter a network, your computer, your banking information, and a host of other internet sites we visit daily. "For years we've been hearing that a random jumble of letters, numbers and symbols is the recipe for a strong password. But is there more to password security than a few dollar signs and ampersands?" (1) Many sites only require a 6-character password. But as time has progressed and attackers have refined their craft, more sites are requiring a minimum of 8 characters with at least one number and one capital letter. As we have come to learn, the longer the password is, the harder it is for attackers to crack.
Attacks on passwords-
Passwords are a secret combination of letters, numbers, and/or symbols that only the user should know, but one weakness is that they usually have to be committed to memory. There are a variety of attacks that can be used on passwords:
Brute force- Tries every possible combination of letters, numbers, and symbols.
Dictionary- Tries common dictionary words.
Hybrid attacks- Combine dictionary and brute force techniques.
Rainbow tables- Use a large pre-generated data set.
Social engineering- Phishing, shoulder surfing, dumpster diving!
Capturing- Use of a key logger or a man-in-the-middle attack.

Limitations on password supplements-
Many people find creating strong passwords for each account cumbersome. One solution is to rely on technology rather than human memory. Modern web browsers such as Firefox, Internet Explorer, and Google Chrome allow a user to save a password that has been entered into the web browser (called AutoComplete Password in IE) through a separate dialog box that pops up over the browser. AutoComplete passwords are stored in the Microsoft Windows registry.

There are several disadvantages to using the auto complete feature:
   
    - The user is restricted to the computer where the passwords are stored.
    - If other people are allowed to use that computer, the passwords are accessible to them.

Other types of authentication-

A token is typically a small device that shares a unique algorithm with the corresponding authentication server. The use of tokens provides a significant increase in the level of security of authentication credentials. The token generates a code from the algorithm once every 30 to 60 seconds, and the code is valid for only a brief period of time.

Smart cards can also be used as authentication credentials. They contain an integrated circuit chip that holds the information.

1. security.com/2013/07/09/which-is-more-important-password-complexity-or-length/