Information Security
The Importance of Information Protection
• Information is an important asset. In business,
information is often one of the most important assets a
company possesses.
• Organizations classify information in different ways in
order to manage each aspect of its handling differently, such
as labeling, distribution (who gets to see it), duplication
(how copies are made and handled), release (how it is
provided to outsiders), storage (where it is kept),
encryption (if required), disposal (whether it is
shredded or securely wiped), and methods of
transmission (such as e-mail, fax, print, and mail).
The Importance of Information Protection
• Companies may have confidential information,
such as research and development plans,
manufacturing processes, strategic corporate
information, product roadmaps, process
descriptions etc.
• This type of information is available to external
audiences only for business-related purposes and
only after entering a nondisclosure agreement
(NDA) or equivalent obligation of confidentiality.
The Importance of Information Protection
• Specialized information or secret information may
include trade secrets, such as formulas, production
details, and other intellectual property, proprietary
methodologies and practices that describe how services
are provided, research plans, electronic codes,
passwords, and encryption keys.
• If disclosed, this type of information may severely
damage the company’s competitive advantage.
• It is usually restricted to only a few people or
departments within a company and is rarely disclosed
outside the company.
The Importance of Information Protection
• In some business sectors, the protection of
information is not just desirable, it’s
mandatory. For example, health care
organizations are heavily regulated and must
comply with the security requirements of the
Health Insurance Portability and
Accountability Act of 1996 (HIPAA).
The Evolution of Information Security
• Figure 1-2 shows the original security model for academic institutions. Compare this model
with the government model shown in Figure 1-1. Note that these two models are
diametrically opposite—the government model blocks everything, while the academic
model allows everything. There is plenty of room in between these two extremes.
The Evolution of Information Security
• A closed-door approach doesn’t work when you
need to allow thousands or millions of people to
have access to the services on your network.
• Likewise, an open-door approach doesn’t work
when you need to protect the privacy of each
individual who interacts with the services on your
network.
• E-commerce and business required a more blended
approach of providing limited access to data in a
controlled fashion.
The Evolution of Information Security
• Virtual private networks (VPNs) were
developed to provide a secure channel (or
tunnel) from one network to another.
Justifying Security Investment
• How do you justify spending money on security?
• First there was FUD—fear, uncertainty, and
doubt. Without really measuring anything or
delivering specific results, executives were simply
frightened into spending money.
• Return on investment (ROI) is a metric used to
understand the profitability of an investment. ROI
compares how much you paid for an investment
to how much you earned, to evaluate its efficiency.
Justifying Security Investment
• The Annualized Loss Expectancy (ALE) is the
monetary loss expected for an asset, due to a
given risk, over a one-year period.
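The two slides above describe ROI and ALE in words only. The following is an added worked example, not from the original slides, showing how the two are combined in practice to justify a control: ALE is computed as single loss expectancy (asset value times exposure factor) times the annualized rate of occurrence, and a control's ROI is its reduction of ALE minus its annual cost, divided by that cost. All asset values, exposure factors, rates and control costs below are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One asset/threat pair, with the inputs ALE needs (values are constructed)."""
    asset: str
    asset_value: float      # value of the asset in currency units
    exposure_factor: float  # fraction of the asset value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence: expected incidents per year

@dataclass
class Control:
    """A proposed safeguard and its expected effect on the risk (constructed)."""
    name: str
    annual_cost: float      # yearly cost of running the control
    aro_after: float        # ARO once the control is in place
    ef_after: float         # exposure factor once the control is in place

def single_loss_expectancy(r: Risk) -> float:
    """SLE: loss from one occurrence of the incident."""
    return r.asset_value * r.exposure_factor

def annualized_loss_expectancy(r: Risk) -> float:
    """ALE: expected yearly loss = SLE x ARO."""
    return single_loss_expectancy(r) * r.aro

def ale_with_control(r: Risk, c: Control) -> float:
    """ALE of the same risk after the control changes EF and/or ARO."""
    return r.asset_value * c.ef_after * c.aro_after

def net_annual_benefit(r: Risk, c: Control) -> float:
    """ALE reduction minus the control's own yearly cost; negative means the
    control costs more than the loss it prevents."""
    return annualized_loss_expectancy(r) - ale_with_control(r, c) - c.annual_cost

def control_roi(r: Risk, c: Control) -> float:
    """ROI as a ratio: net benefit per unit of money spent on the control."""
    return net_annual_benefit(r, c) / c.annual_cost

def rank_controls(r: Risk, controls):
    """Controls sorted by net annual benefit, best first."""
    return sorted(controls, key=lambda c: net_annual_benefit(r, c), reverse=True)

# Constructed scenario: a customer database that a breach would partly expose.
CUSTOMER_DB = Risk(asset="customer database", asset_value=500_000.0,
                   exposure_factor=0.3, aro=0.5)

# Two constructed candidate controls for the same risk.
MONITORING = Control(name="encryption plus log monitoring", annual_cost=20_000.0,
                     aro_after=0.1, ef_after=0.3)
REBUILD = Control(name="full platform rebuild", annual_cost=70_000.0,
                  aro_after=0.05, ef_after=0.3)

if __name__ == "__main__":
    print(f"ALE without controls: {annualized_loss_expectancy(CUSTOMER_DB):,.0f}")
    for c in rank_controls(CUSTOMER_DB, [MONITORING, REBUILD]):
        print(f"{c.name}: net benefit {net_annual_benefit(CUSTOMER_DB, c):,.0f}, "
              f"ROI {control_roi(CUSTOMER_DB, c):.0%}")
```

With these constructed numbers the monitoring control turns a 75,000 ALE into 15,000 for 20,000 a year (net benefit 40,000, ROI 200%), while the rebuild prevents slightly more loss but costs more than it saves, so the ranking puts it last. The point for a practitioner is that the comparison is only as good as the ARO and exposure-factor estimates, which is exactly what the FUD approach on the previous slide never bothered to produce.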
• The Egghead Software case study presented
earlier in this chapter is a good example of
how failure to focus on security can cause a
major business loss that greatly exceeds the
value of the assets themselves.
Benefits of good security
• The business benefits of security are hard to express in terms
of a simple monetary value.
• Good security practices enable business to prosper.
• They help provide a solid foundation upon which the business
can expand and grow.
• Robust information security practices not only reduce risks
and costs, but also provide new opportunities for revenue.
• Today that view has evolved to focus on enabling business on
a global scale, using new methods of communication.
• By improving access to the information that drives its
business, every company can expand its business influence on
a global scale, regardless of the company’s size or location.
Information, one of the important assets a company
possesses, is even more valuable when shared with those
authorized to have it.
Benefits of good security
• Good security practices allow companies to perform their
operations in a more integrated manner, especially with their
customers.
• By carefully controlling the level of access provided to each
individual customer, a company can expand its customer base
and the level of service it can provide to each individual
customer, without compromising the safety and integrity of its
business interests, its reputation, and its customers’ assets.
• Specific benefits of a strong security program are business
agility, cost reduction, and portability.
SaaS
• Software as a service (or SaaS) is a way of
delivering applications over the Internet—as a
service. Instead of installing and maintaining
software, you simply access it via the Internet,
freeing yourself from complex software and
hardware management.
Business Agility
• Business Agility is the ability to compete and thrive in the digital age by
quickly responding to market changes and emerging opportunities
with innovative, digitally-enabled business solutions.
• Manufacturers want to reach individual customers and increase sales
through e-commerce web sites.
• Web sites require connections to back-end resources like inventory
systems, customer databases, and material and resource planning
(MRP) applications.
• Extranets need to allow partners and contractors to connect to
development systems, source code, and product development
resources.
• And SaaS applications deliver business process tools over the Internet
to customers.
Business Agility
• Knowledge is power—in business, the more you know, the better
you can adapt.
• Strong security provides insight into what is happening on the
network and, consequently, in the enterprise. Weak security leaves
many companies blind to the daily flow of information to and from
their infrastructure.
• If a company’s competitors have better control of their information,
they have an advantage.
• The protection of a company’s information facilitates new business
opportunities, and business processes require fewer resources
when managed efficiently and securely.
• Contemporary security technologies and practices make life easier,
not harder.
Cost Reduction
• Data loss due to mishandling, misuse, or mistakes can be
expensive.
• An increasing number of attacks are categorized as advanced
persistent threats (APTs).
• These attacks are designed to deploy malware into a network
and remain undetected until triggered for some malicious
purpose.
• Often, the goal of the attacks is theft of financial information or
intellectual property.
• Loss of service or leakage of sensitive data can result in fines,
increased fees, and an overall decrease in corporate reputation
and stock price.
• Strong security reduces loss of information and increases
service availability and confidentiality.
Portability
• Portability means that software and data can
be used on multiple platforms or can be
transferred/transmitted within an
organization, to a customer, or to a business
partner.
• To meet the demands of today’s businesses
and consumers, architectures and networks
need to be designed with security controls
baked in as part of the development process.
Portability
• Portability also enables business and creates
value. For example, Apple’s ability to both host
music and allow personal music libraries to be
synchronized to a tablet, mobile phone, and
MP3 player has greatly increased Apple’s
bottom line.
Security Methodology
Information security is concerned with
protecting information in all its forms, whether
written, spoken, electronic, graphical, or using
other methods of communication.
Network security is concerned with protecting
data, hardware, and software on a computer
network.
Security Methodology
A defender who overlooks a vulnerability risks
the exploitation of that vulnerability.
The best approach to security is to consider
every asset in the context of its associated risk
and its value, and also to consider the
relationships among all assets and risks.
Security Methodology
The basic assumptions of security are as follows:
• We want to protect our assets.
• There are threats to our assets.
• We want to mitigate those threats.
These hold true for any branch of security.
Three aspects of security can be applied to any
situation—defense, detection, and
deterrence. These are considered the three Ds of
security.
Defense
Defensive measures reduce the likelihood of
a successful compromise of valuable assets,
thereby lowering risk and potentially avoiding the
cost of incidents that would otherwise occur.
Conversely, the lack of defensive
measures leaves valuable assets exposed, inviting
higher costs due to damage and loss.
Detection
Another aspect of security is detection.
In order to react to a security incident, you first
need to know about it.
Examples of detective controls include video
surveillance cameras in local stores (or even on your
house), motion sensors, and house or car alarm systems
that alert passers-by of an attempted violation of a
security perimeter.
Detection
A security operations center (SOC) can be used
to monitor these controls.
Without adequate detection, a security breach
may go unnoticed for hours, days, or even
forever.
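The two Detection slides describe detective controls and SOC monitoring only in physical terms (cameras, alarms). As an added example that is not part of the original slides, the following shows the same idea as a SOC analyst would implement it for a network service: a detective control that reads authentication log lines and raises an alert when one source address produces a burst of failed logins, so that the incident is known about while it is happening rather than "hours, days, or even forever" later. The log format, the sample lines, the addresses (RFC 5737 documentation ranges) and the threshold are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not any real product's format):
#   <ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match,
    so that malformed or unrelated lines never break the detector."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def detect_failed_login_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Detective control: alert when a single source IP produces `threshold`
    failed logins within `window`.

    Failures are tracked per source in a sliding window; an alert is raised the
    moment the threshold is first reached, and only once per source, so a SOC
    console is not flooded with one alert per additional failure.
    """
    recent = defaultdict(deque)  # src -> timestamps of FAIL events still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # Drop failures that fell out of the window relative to this event.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append({
                "src": rec["src"],
                "count": len(q),
                "first": q[0],
                "last": q[-1],
            })
    return alerts

# Constructed sample log: one burst from 203.0.113.7, two isolated failures
# from 198.51.100.4 that are far apart, one success, and one unrelated line.
SAMPLE_LOG = [
    "2024-01-15T08:00:00 auth FAIL user=alice src=203.0.113.7",
    "2024-01-15T08:00:10 auth FAIL user=alice src=203.0.113.7",
    "2024-01-15T08:00:20 auth FAIL user=bob src=203.0.113.7",
    "2024-01-15T08:00:30 auth OK user=carol src=198.51.100.4",
    "kernel: unrelated message that does not match the format",
    "2024-01-15T08:00:40 auth FAIL user=alice src=203.0.113.7",
    "2024-01-15T08:00:50 auth FAIL user=dave src=203.0.113.7",
    "2024-01-15T08:01:00 auth FAIL user=alice src=203.0.113.7",
    "2024-01-15T08:05:00 auth FAIL user=erin src=198.51.100.4",
    "2024-01-15T08:30:00 auth FAIL user=erin src=198.51.100.4",
]

if __name__ == "__main__":
    for a in detect_failed_login_bursts(SAMPLE_LOG):
        print(f"ALERT: {a['count']} failed logins from {a['src']} "
              f"between {a['first'].isoformat()} and {a['last'].isoformat()}")
```

Running it on the sample log raises exactly one alert, for 203.0.113.7, at the fifth failure (08:00:50); the two failures from 198.51.100.4 are 25 minutes apart and stay below the threshold. The window and threshold are tuning knobs the SOC owns: too tight and ordinary typo-prone users trigger alerts, too loose and a slow, patient attempt goes unnoticed, which is the trade-off every detective control carries.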
Deterrence
Deterrence is another aspect of security.
It is considered to be an effective method of
reducing the frequency of security compromises,
and thereby the total loss due to security incidents.
Many companies implement deterrent controls for
their own employees, using threats of discipline
and termination for violations of policy.
Authority
A security program charter defines the purpose, scope, and
responsibilities of the security
organization and gives formal authority for the program.
The security organization is responsible for information
protection, risk management, monitoring, and response.
It might also be responsible for enforcement, such as
reprimanding or even terminating employees or contract
workers, but more commonly that authority is vested in the
Human Resources department.
Authority
A resourcing plan is an ongoing strategy for
providing the headcount needed to operate
the security function.
Framework
The security policy provides a framework for the
security effort.