Here’s my revision notes for Information Security…
- Information security
- Information
- Information system
- Committee on National Security Systems [CNSS] Security Model
Information security
“Information security is a well-informed sense of assurance that the information risks and controls are in the balance.”
- James Anderson
Applications
- Crytographic techniques
- Antivirus mechanisms
- Secure Socket Layer -> application level security
- Digital signatures -> authentication
- Biometric and retina scanning
Concepts
Attack
An attack is an act causing damage to the physical or logical resources of a company. They’re classified into :
- Intentional : Hacker trying to break into info. system
- Unintentional : Damage due to natural disasters
- Passive : Reading sensitive data from system
- Active : Doing harm to the system
- Direct : Using one’s own PC for attacking
- Indirect : Attacking by other means
Damage
Harm or loss caused to a system by attackers. Its severity is measured by how much trouble is caused by the attacker.
Exploit
A technique used to compromise a security system.
It starts as a security violation over time followed by an attack focused on any vulnerability in the software or networking components.
A vulnerability is a fault in system, process or security mechanism.
An exploit can also mean gaining resources which one shouldn’t possess either at all or in such a short time. Game exploits such as cheats are an example.
A zero-day exploit is a malware that attackers use to target newly-launched software. It’s called ‘zero-day’ exploit as the developer has zero days to fix it as the attackers can already use it to access systems.
Threat
Threats are objects presenting danger to an asset or resource. They’re either intentional or un-intentional.
Whereas an asset is something the organisation values and wishes to protect.
Threat agent
The specific instance or person who causes a threat.
Access
It’s the ability of a person or object to modify and affect something in the system.
Legal objects consist of authorised users from the organisation. While illegal objects are hackers who try to break into a system.
Subjects and objects
Someone who performs an attack is called a subject.
Someone who is a victim to an attack is called an object.
A computer may be both a subject and an object.
Security posture
Set of all security measures and counter-measures followed by an organisation. It includes policies, training, etc.
Countermeasures
Counter-attack performed over an attack. This can be a policy or security mechanism reducing risk.
Risk
It is the probability of damage or compromise happening to the system. Every action contains a certain level of risk, so organisations try to minimise it.
Policy
It is a set of high-level rules dictating what to do and what not to do.
Cryptography
It’s the art of hiding the original message using a certain cipher.
Information
Information is a piece of data that has a perceived value. Its characteristics[or features] help us decide its value.
This works like a dating website where you’d look for the person with certain features you’ll find desirable.
The features that are desirable are shown by this diagram called the CIA triangle [no, not that CIA association].
CIA stands for :
Confidentiality
It means information is accessible only by authorised members of an organisation. If this is violated by a third party, it’s termed as a security breach.
In other words, confidentiality = privacy.
This information’s classified into 2 types :
- Critical : Requires more security to be enforced; usually includes important documents and transactions.
- Non-critical : Has leeway on security enforcement; may be mitigated using backups and such.
A salami theft is when a hacker uses social engineering for their own benefit.
This hacker acquires small bits of data from employees of an organisation every now and then [usually dropped accidentally] and reconstruct the entire data using this information.
Integrity
Integrity is when information is true in the sense it is accurate, complete, secure and real.
We can check a file’s integrity by monitoring the file’s attributes and hash value using a hashing algorithm.
Hash value is a numeric value of certain length that represents the data in the file. Every file has an unique hash value.
This is because integrity can be compromised [that is, file can be corrupted and such] if the hash value is changed.
Worms and viruses may threaten a file’s integrity.
Worms are malicious programs that can replicate itself independently [and often very quickly] using the victim’s internet or LAN connection.
A virus, on the other hand, is attached to an executable file. It is only activated if the victim triggers it. So, it can’t exist independently.
Availability
This confirms that a suitable authority has the access to the information in the required format.
Information system
We’ve learned about information. Now let’s take a look at the system that will be responsible for protecting it.
Information system is a set of components that collect, modify, store and distribute information. This is done to aid decision-making and feedback.
Software
Software is a set of instructions used to operate computers and execute specific tasks. It includes the applications, OS, etc.
An organisation’s crucial information is stored in the software.
Hardware
Database
Databases store data in them. Security measures are implemented at every level there.
People
People inside the organisation are powerful [or maybe weak] as they provide security to organisation information assets.
Procedures
Procedures are a set of designed instructions to perform a specific action for organisational activities.
They fall apart if the organisation doesn’t provide knowledge on importance of these procedures to employees.
Networks
Committee on National Security Systems [CNSS] Security Model
“Information security is the protection of information and its critical elements, including the systems and hardware that use, store and transmit that information.”
- CNSS
CNSS model provides a way to evaluate information systems security.
Since it was designed by John McCumber in 1991, it’s also known as McCumber Cube. This cube has 27 criteria which the security solution of an organisation must be able to address.