Veritas News – Information Assurance and Security

Veritas News Service Report

By Samly P. Hall

14May12

Information Assurance and Security

Times have changed dramatically over the last few decades, especially with today’s rapidly changing technologies and the increased risk of attacks, spying, and identity intrusions.  I have gathered this working data on some of the newest forms of Information Access in the security world being discussed.  Information security, known as InfoSec, is defined as the protection of information and the systems and hardware that use, store, and transmit the information.  The need for information security knowledge gets more pressing every year.  The FBI teams up with the Computer Security Institute every year to do a survey about computer crimes.  A recent survey indicated that quantified losses due to computer crime were up 42% over the year before.

Information assurance (IA) and information security (IS) are often incorrectly used interchangeably, but the two terms are not synonymous.  The U.S. government defines IA as “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” This definition can be simplified to “the complete preservation of information confidentiality, integrity and availability in all of the information’s various states,” otherwise known as the C.I.A. Model.

Information security is a large subset of IA, which deals primarily with the more glorious tools and tactics for protecting information from threats such as con artists (phishing), hackers (exploits) and malicious code (viruses). IA covers a much broader spectrum of information management and protection such as certification and accreditation (C&A), business continuity planning (BCP), compliance and disaster recovery planning (DRP).

To better understand the management of information assurance and security, one must become familiar with the key characteristics of information that make it valuable.  The C.I.A. triangle has been the industry standard for computer security since the development of the mainframe.  The C.I.A. triangle is founded on three desirable characteristics of information – Confidentiality, Integrity, and Availability – that are as important today as they were when first put forth.  However, present-day needs have made these three concepts alone inadequate because they are limited in scope and cannot encompass the constantly changing environment of Information Technology and Information Security needs.  The C.I.A. triangle, therefore, has expanded into a more comprehensive list of critical characteristics of information.  This list contains confidentiality, integrity, availability, privacy, identification, authentication, authorization, and accountability.

It is critical that computer users of all types, whether at their job or at home, understand how to protect themselves and their organizations from attacks.  Four distinct areas that a user should be knowledgeable about are Access Controls, Policy, Cryptography, and Forensics.  Access Controls, Policy, and Cryptography can be checked against the expanded C.I.A. triangle to ensure user security, assurance, and safety.  Digital forensics is also an important topic that a computer user should be made aware of.  When an unauthorized incident occurs, such as an attacker penetrating network defenses, a response is required.  These incident response procedures include forensic science and properly responding to a computer forensics event.  Below is a manual I have put together regarding Access Controls, Policy, Cryptography, and Forensics.

—–Access Controls Part 1—–

What is Access Control?

- The process by which resources or services are granted or denied on a computer system or network.

- “Access controls are security features that control how users and systems communicate and interact with other systems and resources.”

- “Access controls give organizations the ability to control, restrict, monitor, and protect resource availability, integrity, and confidentiality.”

Best Practices for Access Control

- Separation of duties – the system is not vulnerable to actions performed by a single person.

- Job rotation – limits the amount of time that individuals are in a position to manipulate security configurations.

- Also cross training and mandatory vacations.

- Least privilege

- Implicit deny – if a condition is not explicitly met, then it is to be rejected.
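To show how two of the practices above look in code, here is an added example (not part of the Veritas report) of a small policy evaluator that fails closed under implicit deny and refuses a toxic role combination under separation of duties; the role names, resources and the invoice workflow are constructed for illustration.

```python
# Added example: an access-control evaluator applying "implicit deny" and a
# separation-of-duties (SoD) check. Roles, rules and requests are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One explicit grant: role may perform action on resource."""
    role: str
    resource: str
    action: str


@dataclass
class Policy:
    rules: set[Rule] = field(default_factory=set)
    # Pairs of roles a single person may never hold together (SoD).
    conflicting_roles: set[frozenset[str]] = field(default_factory=set)

    def sod_violations(self, roles: set[str]) -> set[frozenset[str]]:
        """Return every conflicting pair fully contained in this role set."""
        return {pair for pair in self.conflicting_roles if pair <= roles}

    def is_allowed(self, roles: set[str], resource: str, action: str) -> bool:
        """Implicit deny: access is granted only by an explicit matching rule.
        A role set that violates SoD is rejected outright (fail closed)."""
        if self.sod_violations(roles):
            return False
        return any(Rule(r, resource, action) in self.rules for r in roles)


# Constructed policy: clerks create invoices, approvers approve them, auditors
# read them, and nobody may be both clerk and approver (one person could
# otherwise create and approve their own payment).
POLICY = Policy(
    rules={
        Rule("clerk", "invoice", "create"),
        Rule("approver", "invoice", "approve"),
        Rule("auditor", "invoice", "read"),
    },
    conflicting_roles={frozenset({"clerk", "approver"})},
)


def evaluate(roles, resource: str, action: str) -> bool:
    """Decide one request against POLICY; anything unmatched is denied."""
    return POLICY.is_allowed(set(roles), resource, action)
```

Note that a request for an action no rule mentions at all (for example "delete") is denied without any special case, which is the whole point of implicit deny.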

Access Control Methods

- Administrative Controls

- Technical Controls

- Physical Controls

Administrative Controls

- Policies and procedures

- Personnel controls – incorporate access into HR: what happens when we hire or fire people, or when someone resigns? Do they retain privileges?

- Supervisory structure – a supervisor should be responsible for employees’ actions.

- Security awareness training

- Testing

Technical Controls

- Enable policy enforcement where human behavior is difficult to regulate

- User name/password

- Encryption

- System Access Control – use access control technologies and security technologies to enforce rules. There are many different models of this.

- Biometrics

- Remote Access Authentication Protocol

- Network Monitoring and Intrusion Detection

Physical Controls

- Computer security

  - USB ports, DVD drives

  - Locking up server racks

- Perimeter security

  - Badges, closed-circuit TV, fences, lighting, motion detectors, sensors, alarms, location of building, signs.

  - Single point of entry, emergency exits

- Man trap

- Guards and dogs

- Control zones – areas that require a higher level of security

  - Located away from public access

  - Unobtrusive

  - Extra rules – no cameras, recording devices, searches

- Logged entry

  - Visitors


Original article:
http://www.hourofthetime.com/wordpresstest/?p=8644
