Information Security
By: David Cieslak, CPA.CITP, GSEC

Key Concepts

Basic Security Goals

Defense-in-Depth

Tools to Improve Security

Additional Security Measures

Don't Neglect Your Security Program

 

Given the publicity surrounding the increasing numbers of high-profile security failures, information security awareness is at an all-time high. In fact, for the last four years, information security was identified as the most important technology issue for the accounting profession.

 

Despite relatively high levels of awareness, many organizations still fail to regularly assess their security position, or even take the minimum steps needed to protect their mission-critical data and infrastructure. While this may occur for a number of reasons – limited technical/financial resources, other priorities, or simple avoidance and ignorance – the net result is the same. Organizations and individuals are left vulnerable.

 

To combat this trend, it’s a good idea to revisit the basics. This article covers the fundamentals of information security, including an overview of basic terms, goals, and examples of tools anyone can use to improve their security readiness.

 


Key Concepts

 

While specific topics within this issue can vary greatly, discussion about information security is always framed by the relationship among three core concepts: threat, vulnerability, and risk.

 

1. A threat refers to something beyond an end-user’s control and represents a potential danger to the user’s data or infrastructure. Threats are almost endless in number and come from a wide variety of sources. Some of the more familiar threats include computer viruses, worms, hackers and malicious e-mails. Just as dangerous, but perhaps not as obvious, is the human element, which consists of threats posed by employees, friends or family members and manual override of internal controls.

 

2. Vulnerability is something within an end-user’s control and usually refers to security readiness in light of a general or specific threat. It can also refer to a security exposure within a particular application or operating system. Common examples of vulnerabilities include known security flaws in Web browsers and operating systems, along with “plug & play” wireless implementations within a home or business.

 

3. Risk is a function of the first two terms: Risk = Threat x Vulnerability. The greater the threat – applied against a given vulnerability – the higher the risk of compromise.

 

To illustrate what these terms mean and how they interact, consider the best way to secure and protect your house. The risk that a burglar or other intruder might break into the house and steal your valuables depends on whether the house is in a high-crime (high threat) or low-crime (low threat) area, weighed against various vulnerabilities, including whether gates, doors and windows are left unlocked (actions within your control).


Basic Security Goals

 

Reduction of overall risk is a primary objective of any Information Technology (IT) security measure. Vulnerabilities lie within one’s control. Therefore, an effective information security approach addresses vulnerabilities to reduce overall risk.

 

While the details of information security can get complex, at a basic level any security strategy or initiative must meet three primary goals:

 

1. Confidentiality – information is only available to authorized individuals.

2. Integrity – only authorized individuals can modify information.

3. Availability – information is accessible to those authorized individuals when they need it.


Defense-in-Depth

 

In order to address these goals and begin to lower overall risk, organizations and end-users should always adopt a multi-layered defense strategy. This concept is often referred to as “defense-in-depth” (DID).

 

DID is important because no single defense is sufficient in itself to provide adequate security for an organization. Individually, anti-virus software, system patches, backups, routers, firewalls, Spam-blockers, and passwords are essential components of a security strategy. Each plays a key role in protecting an organization’s crucial information and infrastructure. Collectively, they form a resilient DID strategy.

 

The concept is similar to staying warm in a brutally cold climate. In order to withstand the cold, it’s better to wear a number of clothing layers, rather than just one bulky coat, to remain warm and protected.

 

Tools to Improve Security 

What does a DID strategy look like? Well, that depends on the organization and the types of information being protected. Basically, DID is an array of specific tools and measures that provide maximum protection when used together. Tools individuals or businesses should understand and implement to improve their security posture include the following:

· Anti-virus software – Constantly monitors your machines for worms, viruses and Trojans (also known as malware), and then blocks, eliminates or quarantines those threats.

· Patch management – Ensures that product patches addressing known software vulnerabilities are downloaded and installed on a timely (real-time) basis. New vulnerabilities are discovered almost daily. Critical updates should be installed as soon as they are made available by a vendor.

· Software firewall – Protects against unauthorized external access attempts, as well as monitors for installed software attempting to make unauthorized outbound connections.

· Anti-Spam filter – Monitors all inbound messages and filters out obviously undesirable e-mail based on content, sender and possibly malicious payload.

· Anti-spyware software – Detects adware or spyware looking to log machine usage and transmit information to unauthorized individuals. This software also prevents annoying, potentially malicious pop-ups from hijacking Internet browsing software. Tip: Microsoft’s excellent anti-spyware program, Windows Defender, is available for a free download.

· “Non-public” IP addresses and router – Prevents direct machine visibility to the outside world. Just like every house has a street address, each machine must have an address in order to communicate with others, but not everyone needs to connect with every other machine directly. Instead, a network router can act as an intermediary, communicating with local machines using non-public IP addresses and forwarding all external traffic to/from the Internet as needed on a user’s behalf. When network workstations communicate with the outside world in this manner, they are not visible to other users on the Internet.
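The following Python model is an added example, not code from the article or from any router vendor, intended to make the "non-public addresses plus router" item above concrete. It assumes the three private IPv4 blocks defined by RFC 1918 (the article does not name the standard) and a deliberately simplified, hypothetical NAT table; the public and remote addresses are constructed documentation values (RFC 5737 ranges). The point it demonstrates is the one the article makes: a local machine's outbound traffic leaves under the router's address, replies are mapped back only because a matching outbound entry exists, and an unsolicited inbound packet finds no entry and is dropped, so the workstation is never directly reachable from the Internet.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# The three "non-public" (private) IPv4 blocks defined by RFC 1918.
# The article does not name the RFC; the ranges themselves are standard.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr lies in an RFC 1918 block, i.e. it is not routable on the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETWORKS)


class ToyRouter:
    """Hypothetical, deliberately simplified model of a NAT router (not any
    vendor's implementation). Local machines use private addresses; outbound
    traffic is rewritten to the router's single public address, and a table
    entry is kept so the reply can be forwarded back to the right host."""

    def __init__(self, public_ip: str) -> None:
        if is_private(public_ip):
            raise ValueError("router's outside address must be a public address")
        self.public_ip = public_ip
        self.next_port = 40000
        # public source port -> (private host, private port, remote host, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int, str, int]:
        """Translate a packet leaving the LAN; returns the header as seen on the Internet."""
        if not is_private(src_ip):
            raise ValueError("only local (private-address) hosts are translated")
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Tuple[str, int]]:
        """Handle a packet arriving at the public address. It is forwarded only
        if it answers an existing outbound mapping from the same remote host and
        port; anything unsolicited is dropped, which is why the local machines
        are not directly visible from the Internet. Returns the private
        (host, port) to deliver to, or None when the packet is dropped."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None
        private_ip, private_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None
        return (private_ip, private_port)


def demo():
    """Constructed scenario using RFC 5737 documentation addresses."""
    router = ToyRouter("203.0.113.7")
    # A workstation on the LAN opens an HTTPS connection to a web server.
    on_the_wire = router.outbound("192.168.1.20", 51000, "198.51.100.10", 443)
    # The server's reply is addressed to the router's public address and mapped back.
    reply_target = router.inbound("198.51.100.10", 443, on_the_wire[1])
    # An unsolicited probe from some other host finds no mapping and is dropped.
    probe_target = router.inbound("198.51.100.99", 12345, 8080)
    return on_the_wire, reply_target, probe_target


if __name__ == "__main__":
    print(demo())
```

Running the block prints the translated outbound header, the private destination the reply is delivered to, and None for the unsolicited probe. Real routers also age out table entries and handle protocols beyond this simple port mapping; the model keeps only the behaviour the article describes.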


Additional Security Measures

 

The following tools can also reinforce your information security strategy:

 

· Strong passwords – Create the first line of defense against hackers and others seeking unauthorized access to systems and on-line accounts.

· Hardware firewall – Prevents unauthorized external connection attempts and makes systems “invisible” to port scans by outsiders.

· Wireless security – The rapid introduction of wireless functionality in virtually all new computing devices is convenient, but it is also a significant security threat. As a result, it is especially critical to keep the following in mind when configuring wireless devices:

o DON’T do a plug-n-play install! Most devices out of the box have all security functionality turned off.

o Password protect the administrative setup of each device and change the password to something other than the vendor-provided default.

o Enable WEP (Wired Equivalent Privacy) and change the keys regularly.

o Enable MAC (Media Access Control) address filtering on Wireless Access Points (WAPs) so that only authorized addresses can connect.

o Walk the perimeter of work areas to determine if rogue WAPs are active.

· Backup – Creating a layered defense to guard against attacks is important, but the ability to recover, if and when systems are compromised, is no less essential.
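As an added example for the "Strong passwords" item in the list above (this is not code from the article), the following Python check turns the phrase "strong password" into concrete, testable rules. The policy values (12-character minimum, at least three character classes, passphrases of 20 or more characters exempt from the class rule) and the short list of common passwords are constructed assumptions for illustration; a real deployment would use a much larger list drawn from published breach data and whatever policy the organization has adopted.

```python
import re
import string

MIN_LENGTH = 12          # hypothetical policy values, not taken from the article
PASSPHRASE_LENGTH = 20   # at or above this length, the character-class rule is relaxed
MIN_CLASSES = 3

# Constructed illustration of a "common password" list; a real check would use
# a far larger list drawn from published breach data.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def password_problems(password: str, username: str = "") -> list:
    """Return the list of reasons a password is weak; an empty list means it passes."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Which of the four character classes are present.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    present = sum(classes.values())
    if present < MIN_CLASSES and len(password) < PASSPHRASE_LENGTH:
        missing = ", ".join(name for name, ok in classes.items() if not ok)
        problems.append(f"uses fewer than {MIN_CLASSES} character classes (missing: {missing})")

    # Compare case-insensitively, and also with digits/symbols stripped, so that
    # "Password123!" is still recognised as the common word "password".
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("matches a common password")

    if username and username.lower() in lowered:
        problems.append("contains the user name")

    # Three or more identical characters in a row (e.g. "aaa").
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats a character three or more times in a row")

    return problems


def is_strong(password: str, username: str = "") -> bool:
    """True when no problems are found under the policy above."""
    return not password_problems(password, username)


if __name__ == "__main__":
    for candidate in ["Password123!", "correct horse battery staple", "aaa"]:
        print(repr(candidate), password_problems(candidate))
```

The passphrase exemption is the design choice worth noting: a long string of ordinary words is harder to guess than a short string that merely satisfies class rules, so the check rewards length rather than punishing it.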


Don't Neglect Your Security Program

 

Information security is absolutely vital for any business, even the smallest ones. It’s too important an issue to neglect. As many companies have painfully discovered, it is unwise to underestimate the negative consequences of a security breach or successful cyberattack.

 

By combining the common sense measures described above with a little education and resolve, you can take important steps to improve your security position. This will reduce your risk and increase your chances of maintaining the confidentiality, integrity, and availability of key information. 


AICPA’s Top Technologies 2006 is a project of the AICPA’s Information Technology (IT) Membership Section, and led by the IT Executive Committee and CITP Credential Committee. For more information on the AICPA’s technology initiatives, including Top Technologies, the CITP Credential and the IT Membership Section, visit http://www.aicpa.org/infotech. Any hardware or software products mentioned do not in any way represent an endorsement by the Institute or Section.

About the Author: David Cieslak, CPA.CITP, GSEC, is a principal with Information Technology Group, Inc. (ITG) in Simi Valley, Calif. A recognized speaker and writer in the CPA community, he specializes in microcomputer accounting systems, the Windows operating environment, eCommerce, PDAs, network security, systems development and project management. Contact David at dcieslak@itgusa.com.

Copyright © 2006 by the American Institute of Certified Public Accountants, Inc., New York, New York.