Red It

Uploaded by Dawit Sebhat

15 Information Assurance and Security

• Students will be able to identify threats, risks and vulnerabilities in information systems
• Students will be able to analyze data security policies / administrative security and design secure systems
• Students will be able to describe information systems security concepts

What does Information Assurance mean?

• Information assurance is a field that safeguards the integrity of data used by individuals or organizations.
• It is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information.
• Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data.
► To be secured, information needs to be hidden from unauthorized access (confidentiality), protected from unauthorized change (integrity), and available to an authorized entity when it is needed (availability).
► The major change that affected security is the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer.
► With computers we now have new concerns, namely automated attacks, privacy breaches, ease of theft, etc.
► Automated attacks: the speed of computers makes several attacks worthwhile.
► Privacy concerns: collecting information about people and later misusing it is turning out to be a huge problem.
► Ease of theft / distance does not matter: it is far easier and cheaper to attempt an attack on the computer system of the bank sitting at home! It may be far

• Information security: the protection of information and its critical elements.
• Information security: the protection of information and information systems from unauthorized access.

The three key goals/objectives that are at the heart of information security:
i. Confidentiality: This term covers two related concepts:

- Confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized
individuals

- Privacy: Assures that individuals control or influence what information related to them may be collected and stored and
by whom and to whom that information may be disclosed.
Example: Grade information should only be available to students, their parents, and employees that require the information to
do their job.

ii. Integrity: This term covers two related concepts:


- Data integrity: Assures that information and programs are changed only in a specified and authorized manner.

- System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system.
Example: Several aspects of integrity are illustrated by the example of a hospital patient’s allergy information stored in a
database. The doctor should be able to trust that the information is correct and current. Now suppose that an employee
(e.g., a nurse) who is authorized to view and update this information deliberately falsifies the data to cause harm to the hospital.

iii. Availability: Assures that systems work promptly and service is not denied to authorized users.
E.g. a request for a website that results in the site being unavailable.
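The hospital allergy record above illustrates that integrity needs more than an access check: an authorized nurse can still falsify data, so every change must also be attributable and any edit made outside the authorized path detectable. The following is an added example (not from the lecture notes) that keeps the record with a hash-chained, append-only change history; the role table, user names and patient ids are constructed for the illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy: roles that are permitted to update allergy data (an assumption).
AUTHORIZED_UPDATE_ROLES = {"nurse", "doctor"}
GENESIS = "0" * 64


class AllergyRecord:
    """A patient's allergy list plus a hash-chained history of every change.

    Each history entry records who changed the data and when, and its hash covers
    the previous entry, so rewriting or deleting an entry, or changing the data
    without going through update(), breaks the chain that verify() checks.
    (In production the chain head would additionally be signed or anchored
    elsewhere, so that someone with write access to the store cannot rebuild it.)
    """

    def __init__(self, patient_id: str, allergies: list[str]) -> None:
        self.patient_id = patient_id
        self.allergies = list(allergies)
        self.history: list[dict] = []
        self._append("system", "create", list(allergies))

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, user: str, action: str, allergies: list[str]) -> None:
        prev = self.history[-1]["hash"] if self.history else GENESIS
        entry = {
            "user": user,
            "action": action,
            "allergies": allergies,
            "time": datetime.now(timezone.utc).isoformat(),
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.history.append(entry)

    def update(self, user: str, role: str, allergies: list[str]) -> None:
        # Data integrity: changes happen only in the specified, authorized manner.
        if role not in AUTHORIZED_UPDATE_ROLES:
            raise PermissionError(f"{user} ({role}) may not update allergy data")
        self.allergies = list(allergies)
        self._append(user, "update", list(allergies))

    def verify(self) -> bool:
        """True if the history is unbroken and the current data matches its last entry."""
        prev = GENESIS
        for entry in self.history:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            if self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return self.history[-1]["allergies"] == self.allergies

    def who_changed_last(self) -> str:
        """The doctor can see who is accountable for the current state."""
        return self.history[-1]["user"]


if __name__ == "__main__":
    record = AllergyRecord("P-001", ["penicillin"])          # constructed patient id
    record.update("n.smith", "nurse", ["penicillin", "latex"])
    print("chain valid:", record.verify(), "last editor:", record.who_changed_last())
    record.allergies = []                                     # edit that bypasses update()
    print("chain valid after out-of-band edit:", record.verify())
```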

• Digital privacy
• Information privacy: the notion that individuals should have the freedom, or right, to determine how their digital information, mainly that pertaining to personally identifiable information, is collected and used.
• Communication privacy: the notion that individuals should have the freedom, or right, to communicate information digitally with the expectation that their communications are secure, meaning that messages and communications will only be accessible to the sender's original intended recipient.
• Individual privacy: the notion that individuals have a right to exist freely on the internet, in that they can choose what types of information they are exposed to, and more importantly that unwanted information should not interrupt them.
• The OSI security architecture focuses on:
  – Security attack: any action that compromises the security of information owned by an organization.
  – Security mechanism: a process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
  – Security service: a processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.
• What is security?
  Security is the mechanism of protecting our assets from unauthorized access, harm and related activities.

• A successful organization should have multiple layers of security in place:


– Physical security
– Personal security
– Operations security
– Communications security
– Network security
Students will be able to identify Threats, Risks and Vulnerabilities in Information Systems

Security is about:

• Threats (bad things that may happen, e.g. your money getting stolen)
• Vulnerabilities (weaknesses in your defenses, e.g. your front door being made of thin wood and glass)
• Attacks (ways in which the threats may be actualized, e.g. a thief breaking through your weak front door while you and the neighbors are on holiday)

Vulnerability vs threat vs risk

These terms are frequently used together, but they do explain three separate components of cybersecurity. In short, we can see them as a spectrum:

• First, a vulnerability exposes your organization to threats.
• A threat is a malicious or negative event that takes advantage of a vulnerability.
• Finally, the risk is the potential for loss and damage when the threat does occur.

What is a vulnerability?
Let’s start with vulnerabilities. A vulnerability is a weakness, flaw or other shortcoming
in a system (infrastructure, database or software), but it can also exist in a process, a set
of controls, or simply just the way that something has been implemented or deployed.
There are different types of vulnerabilities, we can sum them up generally as:

• Technical vulnerabilities, like bugs in code or an error in some hardware or software.
• Human vulnerabilities, such as employees falling for phishing, smishing or other common attacks.

Some vulnerabilities are routine: you release something and quickly follow up with a
patch for it. The issue with the weakness is when it is unknown or undiscovered to your
team. If it’s left as-is, this weakness could be vulnerable to some attack or threat. For
example, a vulnerability is leaving your door unlocked overnight. It alone isn’t a
problem, but if a certain person comes along and enters that door, some bad, bad things
might happen.
Here, the more vulnerabilities you have, the greater the potential for threats and the higher
your risk. That makes sense, of course, but the sheer scale is enormous: according to UK
server and domain provider Fasthosts, organizations can have thousands — even
millions! — of potential vulnerabilities. Recent examples of vulnerabilities include
the Microsoft Exchange vulnerabilities and the Log4j vulnerabilities, both from
2021. CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly disclosed vulnerabilities and exposures, a
primary source of knowledge in the security field.

What is a threat?
In cybersecurity, the most common understanding of a threat is anything that
could exploit a vulnerability, which could affect the confidentiality, integrity or
availability of your systems, data, people and more. (Confidentiality, integrity and
availability, sometimes known as the CIA triad, is another fundamental concept of
cybersecurity.)

A more advanced definition of threat is when an adversary or attacker has the
opportunity, capability and intent to bring a negative impact upon your operations,
assets, workforce and/or customers. Examples of this can
include malware, ransomware, phishing attacks and more — and the types of threats out
there will continue to evolve.
Importantly, not all threats are the same, according to Bob Rudis, Vice President Data
Science at GreyNoise Intelligence. And that’s where threat intelligence comes in. Rudis
says:
“An attacker may have the intent and capability to do harm, but no opportunity.”
For example, your organization may have no vulnerabilities to exploit due to a solid
patch management program or strong network segmentation policies that prevent access
to critical systems. Chances are likely, however, that you do have vulnerabilities, so let’s
consider the risk factor.

What is a risk?
Risk is the probability of a negative (harmful) event occurring as well as the potential
scale of that harm. Your organizational risk fluctuates over time, sometimes even on a
daily basis, due to both internal and external factors.
From a slightly more technical angle, the Open FAIR body of knowledge defines cyber risk
as the probable frequency and probable magnitude of loss. Sounds complicated, until we
break it down: “For starters,” Rudis says, "there is no ethereal risk. Something is at risk,
be it a system, device, business process, bank account, your firm’s reputation or human
life.”
This is where cybersecurity teams can begin to measure that risk:

1. Estimate how often an adversary or attacker is likely to attempt to exploit a
vulnerability to cause the desired harm.
2. Gauge how well your existing systems, controls and processes can stand up to
those attempts.
3. Determine the value of the impact or harm the adversary may cause if the
adversary is indeed successful.

One way of describing risk was consequence x likelihood, but as security teams have
advanced their processes and intelligence, we see that you have to also account for the
safeguards you’ve already put in place.

Risk = threat x vulnerability

This is another way of looking at risk, albeit a bit simplified:
Vulnerability x Threat = Risk
We can sum up this calculation with the concepts from above: that a single vulnerability
multiplied by the potential threat (frequency, existing safeguards, and potential value
loss) can give you an estimate of the risk involved. In order for organizations to begin
risk mitigation and risk management, you first need to understand your vulnerabilities
and the threats to those vulnerabilities. This is no small task.

Real-world example
Your organization might be looking to protect all its data, likely through data encryption
methods and other approaches. It’s incredibly expensive, so you must pare down which
ones to protect the best.
You could think about the risk involved in this way: if the mechanism for protecting
certain data fails in some way, you’ll have one or more vulnerabilities. And if there is a
threat actor who finds and exploits this vulnerability, the threat is realized.
Here, your risk is how valuable it would be to lose that data to the threat actor.
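The three measurement steps above (attempt frequency, strength of existing safeguards, value of the impact) and the real-world question of which data to protect best can be carried through as a small risk register. This is an added example, not part of the original text or of Open FAIR; the register values, asset names and safeguard options are constructed for the illustration, and "control strength" (the fraction of attempts the existing safeguards stop) is the assumption used to fold step 2 into the calculation.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskItem:
    """One line of a risk register, following the three estimation steps."""
    asset: str                # what is at risk: a system, dataset, process, ...
    attempt_frequency: float  # step 1: expected exploit attempts per year
    control_strength: float   # step 2: fraction of attempts existing safeguards stop (0..1)
    loss_magnitude: float     # step 3: loss if one attempt succeeds, in currency units

    def __post_init__(self) -> None:
        if not 0.0 <= self.control_strength <= 1.0:
            raise ValueError("control_strength must be between 0 and 1")
        if self.attempt_frequency < 0 or self.loss_magnitude < 0:
            raise ValueError("frequency and magnitude cannot be negative")

    @property
    def vulnerability(self) -> float:
        """Probability that a single attempt gets past the existing controls."""
        return 1.0 - self.control_strength

    @property
    def loss_event_frequency(self) -> float:
        """Probable frequency of loss: attempts per year that actually succeed."""
        return self.attempt_frequency * self.vulnerability

    @property
    def annual_risk(self) -> float:
        """Probable frequency x probable magnitude of loss (expected annual loss)."""
        return self.loss_event_frequency * self.loss_magnitude


def rank_by_risk(items: list[RiskItem]) -> list[RiskItem]:
    """Highest expected annual loss first: the assets to protect best."""
    return sorted(items, key=lambda item: item.annual_risk, reverse=True)


def risk_reduction(item: RiskItem, new_control_strength: float) -> float:
    """Expected annual loss removed by raising the safeguards to the new strength."""
    improved = replace(item, control_strength=new_control_strength)
    return item.annual_risk - improved.annual_risk


def best_safeguard(item: RiskItem, options: list[tuple[str, float, float]]):
    """options: (name, cost, resulting control strength). Pick the largest reduction per unit cost."""
    scored = [(risk_reduction(item, strength) / cost, name)
              for name, cost, strength in options if cost > 0]
    return max(scored)[1] if scored else None


# Constructed sample register; the numbers are illustrative, not measurements.
SAMPLE_REGISTER = [
    RiskItem("customer-db", attempt_frequency=50, control_strength=0.98, loss_magnitude=2_000_000),
    RiskItem("marketing-site", attempt_frequency=500, control_strength=0.90, loss_magnitude=20_000),
    RiskItem("hr-records", attempt_frequency=10, control_strength=0.50, loss_magnitude=500_000),
]

if __name__ == "__main__":
    for item in rank_by_risk(SAMPLE_REGISTER):
        print(f"{item.asset:15s} expected annual loss = {item.annual_risk:,.0f}")
    top = rank_by_risk(SAMPLE_REGISTER)[0]
    # Constructed safeguard options for the top-ranked asset.
    print("best spend for", top.asset, "->",
          best_safeguard(top, [("mfa", 10_000, 0.90), ("new-firewall", 100_000, 0.95)]))
```

Note that the asset with the most attempts (marketing-site) ranks last: the weak safeguards on hr-records matter more than raw threat frequency.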

Risk management best practices


Part of the problem with risk is this universal truth: you cannot eliminate or entirely
protect against all threats, no matter how advanced your systems. This is where the
practice of risk management comes in: a routine, ongoing practice where the right
personnel are regularly reviewing risks in order to minimize the potential for certain
threats to occur.

Difference Between Threat, Vulnerability and Risk in Computer Networks
The Threat, Vulnerability, and Risk these terms are interrelated but not the same. In
this article, we are going to discuss the difference between them and how they are
related to each other.

Threat
A cyber threat is a malicious act that seeks to steal or damage data or disrupt the
digital network or system. Threats can also be defined as the possibility of a successful
cyber attack to get access to the sensitive data of a system unethically. Examples of
threats include computer viruses, Denial of Service (DoS) attacks, data breaches,
and even sometimes dishonest employees.
Types of Threat
Threats could be of three types, which are as follows:
1. Intentional- Malware, phishing, and accessing someone’s account illegally, etc.
are examples of intentional threats.
2. Unintentional- Unintentional threats are considered human errors, for example,
forgetting to update the firewall or the anti-virus could make the system more
vulnerable.
3. Natural- Natural disasters can also damage the data, they are known as natural
threats.
Vulnerability:
In cybersecurity, a vulnerability is a flaw in a system’s design, security procedures,
internal controls, etc., that can be exploited by cybercriminals. In some very rare cases,
cyber vulnerabilities are created as a result of cyberattacks, not because of network
misconfigurations. A vulnerability can also be introduced when an employee downloads a virus or
falls for a social engineering attack.

Types of Vulnerability
Vulnerabilities could be of many types, based on different criteria, some of them are:
1. Network- Network vulnerability is caused when there are some flaws in the
network’s hardware or software.
2. Operating system- When an operating system designer designs an operating
system with a policy that grants every program/user to have full access to the
computer, it allows viruses and malware to make changes on behalf of the
administrator.
3. Human- Users’ negligence can cause vulnerabilities in the system.
4. Process- Specific process control can also cause vulnerabilities in the system.
Risk:
Cyber risk is a potential consequence of the loss or damage of assets or data caused by a
cyber threat. Risk can never be completely removed, but it can be managed to a level
that satisfies an organization’s tolerance for risk. So, our target is not to have a risk-free
system, but to keep the risk as low as possible.
Cyber risks can be defined with this simple formula- Risk = Threat + Vulnerability.
Cyber risks are generally determined by examining the threat actor and type of
vulnerabilities that the system has.
Types of Risks
There are two types of cyber risks, which are as follows:
1. External- External cyber risks are those which come from outside an organization,
such as cyberattacks, phishing, ransomware, DDoS attacks, etc.
2. Internal- Internal cyber risks come from insiders. These insiders could have
malicious intent or may simply not be properly trained.

Difference Between Threat, Vulnerability, and Risk

1.
   Threat: Takes advantage of vulnerabilities in the system and has the potential to steal and damage data.
   Vulnerability: Known as the weakness in hardware, software, or designs, which might allow cyber threats to happen.
   Risk: The potential for loss or destruction of data caused by cyber threats.

2.
   Threat: Generally, can’t be controlled.
   Vulnerability: Can be controlled.
   Risk: Can be controlled.

3.
   Threat: It may or may not be intentional.
   Vulnerability: Generally, unintentional.
   Risk: Always intentional.

4.
   Threat: Can be blocked by managing the vulnerabilities.
   Vulnerability: Vulnerability management is a process of identifying the problems, then categorizing them, prioritizing them, and resolving the vulnerabilities in that order.
   Risk: Reducing data transfers, downloading files from reliable sources, updating the software regularly, hiring a professional cybersecurity team to monitor data, developing an incident management plan, etc. help to lower the possibility of cyber risks.

5.
   Threat: Can be detected by anti-virus software and threat detection logs.
   Vulnerability: Can be detected by penetration testing hardware and many vulnerability scanners.
   Risk: Can be detected by identifying mysterious emails, suspicious pop-ups, observing unusual password activities, a slower than normal network, etc.

Students will be able to analyze Data Security Policies/Administration Security and Design secure systems

What is a security policy?


A security policy (also called an information security policy or IT security policy) is a document
that spells out the rules, expectations, and overall approach that an organization uses to maintain
the confidentiality, integrity, and availability of its data. Security policies exist at many different
levels, from high-level constructs that describe an enterprise’s general security goals and principles
to documents addressing specific issues, such as remote access or Wi-Fi use.

A security policy is frequently used in conjunction with other types of documentation such as
standard operating procedures. These documents work together to help the company achieve its
security goals. The policy defines the overall strategy and security stance, with the other documents
helping build structure around that practice. You can think of a security policy as answering the
“what” and “why,” while procedures, standards, and guidelines answer the “how.”

Four reasons a security policy is important


Security policies may seem like just another layer of bureaucracy, but in truth, they are a vitally
important component in any information security program. Some of the benefits of a well-designed
and implemented security policy include:

1. Guides the implementation of technical controls

A security policy doesn’t provide specific low-level technical guidance, but it does spell out the
intentions and expectations of senior management in regard to security. It’s then up to the security or
IT teams to translate these intentions into specific technical actions.

For example, a policy might state that only authorized users should be granted access to proprietary
company information. The specific authentication systems and access control rules used to
implement this policy can change over time, but the general intent remains the same. Without a place
to start from, the security or IT teams can only guess senior management’s desires. This can lead to
inconsistent application of security controls across different groups and business entities.

2. Sets clear expectations

Without a security policy, each employee or user will be left to his or her own judgment in deciding
what’s appropriate and what’s not. This can lead to disaster when different employees apply different
standards.

Is it appropriate to use a company device for personal use? Can a manager share passwords with their
direct reports for the sake of convenience? What about installing unapproved software? Without
clear policies, different employees might answer these questions in different ways. A security policy
should also clearly spell out how compliance is monitored and enforced.

3. Helps meet regulatory and compliance requirements

Documented security policies are a requirement of legislation like HIPAA and Sarbanes-Oxley, as
well as regulations and standards like PCI-DSS, ISO 27001, and SOC2. Even when not explicitly
required, a security policy is often a practical necessity in crafting a strategy to meet increasingly
stringent security and data privacy requirements.

4. Improves organizational efficiency and helps meet business objectives

A good security policy can enhance an organization’s efficiency. Its policies get everyone on the
same page, avoid duplication of effort, and provide consistency in monitoring and enforcing
compliance. Security policies should also provide clear guidance for when policy exceptions are
granted, and by whom.

To achieve these benefits, in addition to being implemented and followed, the policy will also need
to be aligned with the business goals and culture of the organization.
Three types of security policies
Security policies can vary in scope, applicability, and complexity, according to the needs of different organizations.
While there’s no universal model for security policies, the National Institute of Standards and Technology (NIST)
spells out three distinct types in Special Publication (SP) 800-12:

1. Program policy

Program policies are strategic, high-level blueprints that guide an organization’s information security program. They
spell out the purpose and scope of the program, as well as define roles and responsibilities and compliance
mechanisms. Also known as master or organizational policies, these documents are crafted with high levels of input
from senior management and are typically technology agnostic. They are the least frequently updated type of policy,
as they should be written at a high enough level to remain relevant even through technical and organizational changes.

2. Issue-specific policy

Issue-specific policies build upon the generic security policy and provide more concrete guidance on certain issues
relevant to an organization’s workforce. Common examples could include a network security policy, bring-your-own-
device (BYOD) policy, social media policy, or remote work policy. These may address specific technology areas but
are usually more generic. A remote access policy might state that offsite access is only possible through a company-
approved and supported VPN, but that policy probably won’t name a specific VPN client. This way, the company can
change vendors without major updates.

3. System-specific policy

A system-specific policy is the most granular type of IT security policy, focusing on a particular type of system, such
as a firewall or web server, or even an individual computer. In contrast to the issue-specific policies, system-specific
policies may be most relevant to the technical personnel that maintains them. NIST states that system-specific policies
should consist of both a security objective and operational rules. IT and security teams are heavily involved in the
creation, implementation, and enforcement of system-specific policies but the key decisions and rules are still made
by senior management.

Seven elements of an effective security policy

Security policies are an essential component of an information security program, and need to be properly crafted,
implemented, and enforced. An effective security policy should contain the following elements:

1. Clear purpose and objectives

This is especially important for program policies. Remember that many employees have little knowledge of security
threats, and may view any type of security control as a burden. A clear mission statement or purpose spelled out at the
top level of a security policy should help the entire organization understand the importance of information security.

2. Scope and applicability

Every security policy, regardless of type, should include a scope or statement of applicability that clearly states to
whom the policy applies. This can be based around the geographic region, business unit, job role, or any other
organizational concept so long as it's properly defined.

3. Commitment from senior management


Security policies are meant to communicate intent from senior management, ideally at the C-suite or board level.
Without buy-in from this level of leadership, any security program is likely to fail. To succeed, your policies need to
be communicated to employees, updated regularly, and enforced consistently. A lack of management support makes
all of this difficult if not impossible.

4. Realistic and enforceable policies

While it might be tempting to base your security policy on a model of perfection, you must remember that your
employees live in the real world. An overly burdensome policy isn’t likely to be widely adopted. Likewise, a policy
with no mechanism for enforcement could easily be ignored by a significant number of employees.

5. Clear definitions of important terms

Remember that the audience for a security policy is often non-technical. Concise and jargon-free language is
important, and any technical terms in the document should be clearly defined.

6. Tailored to the organization’s risk appetite

Risk can never be completely eliminated, but it’s up to each organization’s management to decide what level of risk is
acceptable. A security policy must take this risk appetite into account, as it will affect the types of topics covered.

7. Up-to-date information

Security policy updates are crucial to maintaining effectiveness. While the program or master policy may not need to
change frequently, it should still be reviewed on a regular basis. Issue-specific policies will need to be updated more
often as technology, workforce trends, and other factors change. You may find new policies are also needed over
time: BYOD and remote access policies are great examples of policies that have become ubiquitous only over the last
decade or so.

Ten questions to ask when building your security policy

For a security policy to succeed in helping build a true culture of security, it needs to be relevant and realistic, with
language that’s both comprehensive and concise. If that sounds like a difficult balancing act, that’s because it is.
While there are plenty of templates and real-world examples to help you get started, each security policy must be
finely tuned to the specific needs of the organization.

Whether you’re starting from scratch or building from an existing template, the following questions can help you get
in the right mindset:

1. How will you align your security policy to the business objectives of the organization?

2. Who will I need buy-in from? Is senior management committed?

3. Who is the audience for this policy?

4. What is the policy scope?

5. How will compliance with the policy be monitored and enforced?

6. What regulations apply to your industry? For instance, GLBA, HIPAA, Sarbanes-Oxley, etc.

7. What is the organization’s risk appetite?


8. What kind of existing rules, norms, or protocols (both formal and informal) are already present in the
organization?

9. How often should the policy be reviewed and updated?

10. How will policy exceptions be handled?

Security policy examples

A large and complex enterprise might have dozens of different IT security policies covering different areas. The
policies you choose to implement will depend on the technologies in use, as well as the company culture and risk
appetite. That said, the following represent some of the most common policies:

1. Program or organizational policy: This high-level security blueprint is a must for all organizations, and
spells out the goals and objectives of an information security program. The program policy also specifies roles
and responsibilities, compliance monitoring and enforcement, and alignment with other organizational policies
and principles.

2. Acceptable use policy: This is an issue-specific policy that defines the acceptable conditions under which an
employee can access and use the company’s information resources.

3. Remote access policy: This issue-specific policy spells out how and when employees can remotely access
company resources.

4. Data security policy: Data security can be addressed in the program policy, but it may also be helpful to have
a dedicated policy describing data classification, ownership, and encryption principles for the organization.

5. Firewall policy: One of the most common system-specific policies, a firewall policy describes the types of
traffic that an organization’s firewall(s) should allow or deny. Note that even at this level, the policy still
describes only the “what”; a document describing how to configure a firewall to block certain types of traffic
is a procedure, not a policy.

Security policy templates and more

As we’ve discussed, an effective security policy needs to be tailored to your organization, but that doesn’t mean you
have to start from scratch. Security policy templates are a great place to start from, whether drafting a program policy
or an issue-specific policy. Here’s a quick list of completely free templates you can draw from:

1. SANS Institute security policy templates: The highly respected SANS Institute has a collection of mostly
issue-specific security policies that have been created through a consensus between some of the most
experienced subject matter experts out there. These templated policies are completely free to use, but
remember to customize them to your organization.

2. PurpleSec security policy templates: Security consulting firm PurpleSec also provides free to use security
templates as a community resource. You’ll find password policies, email security policies, network security
policies and more on their website.
3. HealthIT.gov security policy template: This template from the National Learning Consortium and The Office
of the National Coordinator for Health Information Technology focuses on topics relevant to the healthcare
industry, particularly electronic medical records.

Several online vendors also sell security policy templates that are more suitable for meeting regulatory or compliance
requirements like those spelled out in ISO 27001. Keep in mind though that using a template marketed in this fashion
does not guarantee compliance.

You can also draw inspiration from many real-world security policies that are publicly available. However, simply
copying and pasting someone else’s policy is neither ethical nor secure.

1. UC Berkeley security policy: The published security policies from this well-known university are both
comprehensive and easy to read, proving that an impressive security policy can be both.

2. City of Chicago security policy: America’s third-largest city also maintains an easily digestible index of
security policies for its staff, contractors, and vendors.

3. Oracle security policy: This lengthy security policy from technology giant Oracle provides an unusual look at
a major corporate security policy, which is often not distributed externally.

Security policy FAQs

Q: What is the main purpose of a security policy?

A: A security policy serves to communicate the intent of senior management with regards to information security and
security awareness. It contains high-level principles, goals, and objectives that guide security strategy.

Q: What are major security policies?

A: Three types of security policies in common use are program policies, issue-specific policies, and system-specific
policies. Program policies are the highest-level and generally set the tone of the entire information security program.
Issue-specific policies deal with specific issues like email privacy. System-specific policies cover specific or
individual computer systems like firewalls and web servers.

Q: Do I need to have a security policy?

A: Many pieces of legislation, along with regulatory and security standards, require security policies either explicitly
or as a matter of practicality. Having at least an organizational security policy is considered a best practice for
organizations of all sizes and types.

Q: How do I create a security policy?

A: There are many resources available to help you start. NIST’s An Introduction to Information Security (SP 800-12)
provides a great deal of background and practical tips on policies and program management. The SANS Institute
maintains a large number of security policy templates developed by subject matter experts.

Final thoughts

A security policy is an indispensable tool for any information security program, but it can’t live in a vacuum. To
provide comprehensive threat protection and remove vulnerabilities, pass security audits with ease, and ensure a quick
bounceback from security incidents that do occur, it’s important to use both administrative and technical controls
together. The Varonis Data Security Platform can be a perfect complement as you craft, implement, and fine-tune
your security policies. Contact us for a one-on-one demo today.
Administrative Security Controls: Policies, Training, & More
Administrative security controls include any security measures focused on managing people. They
encompass a wide range of approaches, including formal policies, procedural guidelines, risk mitigation
strategies, and training activities. In contrast to technical controls, which focus on technology, and
physical controls, which pertain to physical objects and spaces, administrative controls are all about
human behavior.

Below, we’ll dig into the broad categories of administrative security controls, including policies,
procedures, guidelines, testing, and training. Read on.

Security Policies
Company policies are written requirements that employees must follow. Typically, every company
policy addresses a single key point of concern. That keeps the information within a policy cohesive,
ensuring that necessary details are well-covered and limiting misunderstandings relating to the topic.

Security policies aim to ensure right-action among employees, keeping systems safe by promoting
desired behavior or preventing undesirable actions. Below are a few examples of some of the
administrative security policies in place at many companies.

Password Policies
A password policy sets requirements for the use of passwords, including complexity standards, change
frequencies, and re-use timelines. It may also outline additional requirements, such as best practices
about storing password information.

Access Control Policies


An access control policy outlines rules regarding who can access various resources within an
organization. Usually, it begins with a document that defines access levels within the organization. Once
the guidelines are in place, the policy is implemented, aligning employee access with the agreed-upon
levels.

In most cases, a policy of least privilege is the best approach. It ensures that employees only have access
to resources that are genuinely necessary for their role. Anything that isn’t directly relevant is
subsequently restricted.

Data Collection Policies


Data collection policies outline where and how various kinds of information can reside within company
systems. This can include rules about saving sensitive data on specific servers, computers, or mobile
devices, as well as when encryption is mandatory.

Additionally, data collection policies usually describe what’s considered sensitive data by the
organization. Some companies are bound by regulations that others aren’t. As a result, outlining
industry-related requirements within data collection policies is common, ensuring employees are fully
aware of what’s necessary based on their field.
Device Usage Policies
With many companies going fully or partially remote, devices can pose a substantial risk to an
organization. Through policies concerning laptops and other mobile devices, companies can outline what
kind of devices are allowed, and the activities that can occur through them.

Security Awareness and Training


Security education is another key element to maintaining administrative security controls. Through
formal training programs, workers learn about risks present in the environment, making them more
aware of potential attack vectors.

Additionally, sharing details about company policies and security-oriented best practices is typically part
of the process. That ensures that employees know what’s expected of them, as well as what they should
do when they encounter various situations.

Often, training activities need to occur regularly. Along with including formal security instruction during
employee onboarding, it’s wise to require annual refresher courses. That way, you can make employees
aware of new threats, policy adjustments, procedure changes, or anything else that may impact how they
should act in various scenarios.

Security Assessments and Tests


Administrative security controls can involve a variety of detection-oriented activities. Often, these help
determine whether various policies and procedures are being used correctly, as well as to identify
potential holes that could be exploited.

Risk assessments and vulnerabilities assessments can both fall in this category. They involve active steps
to examine policies and procedures to determine if shortcomings are present, creating opportunities to
address them. Additionally, they help define the likelihood of a system becoming compromised, as well
as the level of damage that would happen if an incident occurred.

Penetration testing can also qualify as an administrative security control. Again, it’s designed to explore
the capabilities of existing policies, procedures, and practices, with the goal of determining if there is an
issue that could be exploited.

Often, the use of assessments and tests is ongoing. Policies and procedures aren’t guaranteed to reflect
best practices forever. New threats emerge consistently. As a result, continuous evaluation is essential,
creating opportunities to update policies and processes when the need arises.

Contingency Planning
Contingency planning involves creating strategic approaches to various incidents. While the creation of
the plan is proactive, the steps outlined are mainly reactive in nature. It gives the organization a
framework for action after an issue arises, functioning as a roadmap that moves the company towards
recovery.

In many cases, a contingency plan is closer to a collection of procedures instead of a single one. It can
include business continuity and disaster recovery planning, cyberattack response procedures, and crisis
management processes. When taken together, the various plans cover a broad range of incidents,
ensuring that the organization is prepared to take right action regardless of the event that’s taking place.

Change Management
When it comes to security, changes to a system, process, or resource can introduce unanticipated risk.
Change management is a common defense against the unexpected, increasing the odds that assets will
remain secure.

Change management qualifies as an administrative security control since its main focus is to ensure
right-action among personnel. Like policies, it defines desirable behavior within a particular context.

With change management, the company sets policies and guidelines that dictate how changes to internal
and external procedures and systems can or can’t move forward. The goal is to ensure that unapproved,
unexamined alterations aren’t put into place. Instead, a thorough vetting becomes mandatory, reducing
the chances of unintended consequences.

Are Administrative Security Controls Enough on Their Own?


Since administrative security controls are often incredibly robust, some may wonder if they can support
security in a broad sense on their own. While they can be quite effective, administrative security controls
are only one part of the comprehensive security equation.

Ideally, companies should couple administrative controls with technical and physical controls. A
combined approach adds more layers. As a result, attackers have more to navigate in order to breach a
system.

Are Administrative Security Controls Necessary?


To put it simply, yes, administrative security controls are necessary.

Without critical policies in place, employees may not know how to do their part to keep systems, assets,
and data secure. Without well-defined procedures, there may be confusion about how to support
prevention or address incidents. Finally, if you don’t provide critical training, you can’t guarantee
exposure to vital information.

When it comes to security, taking advantage of every tool is essential. Otherwise, the risk of an incident
is significantly greater, putting your company, employees, and customers at risk.

Students will be able to describe Information Systems Security concepts
The Information Security Triad: Confidentiality, Integrity, Availability (CIA)

Confidentiality

The security triad

Protecting information means you want to be able to restrict access to those who are allowed to
see it. This is sometimes referred to as NTK, Need to Know. Everyone else should be disallowed from
learning anything about its contents. This is the essence of confidentiality. For example, federal law
requires that universities restrict access to private student information. Access to grade records should be
limited to those who have authorized access.

Integrity
Integrity is the assurance that the information being accessed has not been altered and truly represents
what is intended. Just as a person with integrity means what he or she says and can be trusted to
consistently represent the truth, information integrity means information truly represents its intended
meaning. Information can lose its integrity through malicious intent, such as when someone who is not
authorized makes a change to intentionally misrepresent something. An example of this would be when a
hacker is hired to go into the university’s system and change a student’s grade.

Integrity can also be lost unintentionally, such as when a computer power surge corrupts a file or
someone authorized to make a change accidentally deletes a file or enters incorrect information.

Availability
Information availability is the third part of the CIA triad. Availability means information can be accessed
and modified by anyone authorized to do so in an appropriate timeframe. Depending on the type of
information, appropriate timeframe can mean different things. For example, a stock trader needs
information to be available immediately, while a sales person may be happy to get sales numbers for the
day in a report the next morning. Online retailers require their servers to be available twenty-four hours a
day, seven days a week. Other companies may not suffer if their web servers are down for a few minutes
once in a while.

Tools for Information Security


In order to ensure the confidentiality, integrity, and availability of information, organizations can choose
from a variety of tools. Each of these tools can be utilized as part of an overall information-security
policy.

Authentication
The most common way to identify someone is through their physical appearance, but how do we identify
someone sitting behind a computer screen or at the ATM? Tools for authentication are used to ensure
that the person accessing the information is, indeed, who they present themselves to be.

Authentication can be accomplished by identifying someone through one or more of three factors:

1. Something they know,

2. Something they have, or

3. Something they are.

For example, the most common form of authentication today is the user ID and password. In this case,
the authentication is done by confirming something that the user knows (their ID and password). But this
form of authentication is easy to compromise (see sidebar) and stronger forms of authentication are
sometimes needed. Identifying someone only by something they have, such as a key or a card, can also
be problematic. When that identifying token is lost or stolen, the identity can be easily stolen. The final
factor, something you are, is much harder to compromise. This factor identifies a user through the use of
a physical characteristic, such as a retinal scan, fingerprint, or facial geometry. Identifying someone
through their physical characteristics is called biometrics.

RSA SecurID token


A more secure way to authenticate a user is through multi-factor authentication. By combining two or
more of the factors listed above, it becomes much more difficult for someone to misrepresent
themselves. An example of this would be the use of an RSA SecurID token. The RSA device is
something you have, and it generates a new access code every sixty seconds. To log in to an information
resource using the RSA device, you combine something you know, such as a four-digit PIN, with the
code generated by the device. The only way to properly authenticate is by both knowing the PIN and
holding the RSA device.

Access Control
Once a user has been authenticated, the next step is to ensure that they can only access the information
resources that are appropriate. This is done through the use of access control. Access control determines
which users are authorized to read, modify, add, and/or delete information. Several different access
control models exist. Two of the more common are: the Access Control List (ACL) and Role-Based
Access Control (RBAC).

An information security employee can produce an ACL which identifies a list of users who have the
capability to take specific actions with an information resource such as data files. Specific permissions
are assigned to each user such as read, write, delete, or add. Only users with those permissions are
allowed to perform those functions.

ACLs are simple to understand and maintain, but there are several drawbacks. The primary drawback is
that each information resource is managed separately, so if a security administrator wanted to add or
remove a user to a large set of information resources, it would be quite difficult. And as the number of
users and resources increase, ACLs become harder to maintain. This has led to an improved method of
access control, called role-based access control, or RBAC. With RBAC, instead of giving specific users
access rights to an information resource, users are assigned to roles and then those roles are assigned the
access. This allows the administrators to manage users and roles separately, simplifying administration
and, by extension, improving security.

The following image shows an ACL with permissions granted to individual users. RBAC allows
permissions to be assigned to roles, as shown in the middle grid, and then in the third grid each user is
assigned a role. Although not modeled in the image, each user can have multiple roles such as Reader
and Editor.

Comparison of ACL and RBAC
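The administration difference described above, as an added example that is not code from the original text: a small Python model of both schemes with constructed users, resources and role names, showing that removing a user under an ACL touches every resource's list while under RBAC it is a single change, and that one user can hold several roles (Reader and Editor style).

```python
# Constructed sample resources for the example (not from the original text).
RESOURCES = ["grades.db", "syllabus.doc", "budget.xlsx"]


class ACL:
    """Per-resource permission lists: every resource is managed separately."""

    def __init__(self) -> None:
        # resource -> user -> set of permissions ("read", "write", "delete", "add")
        self.entries: dict[str, dict[str, set[str]]] = {}

    def grant(self, resource: str, user: str, *perms: str) -> None:
        self.entries.setdefault(resource, {}).setdefault(user, set()).update(perms)

    def revoke_user(self, user: str) -> int:
        # Removing a user means editing every resource's list; returns how many lists changed.
        touched = 0
        for users in self.entries.values():
            if users.pop(user, None) is not None:
                touched += 1
        return touched

    def allowed(self, user: str, resource: str, perm: str) -> bool:
        return perm in self.entries.get(resource, {}).get(user, set())


class RBAC:
    """Permissions are attached to roles; users are assigned roles (possibly several)."""

    def __init__(self) -> None:
        self.role_perms: dict[str, dict[str, set[str]]] = {}  # role -> resource -> perms
        self.user_roles: dict[str, set[str]] = {}             # user -> roles

    def grant_role(self, role: str, resource: str, *perms: str) -> None:
        self.role_perms.setdefault(role, {}).setdefault(resource, set()).update(perms)

    def assign(self, user: str, *roles: str) -> None:
        self.user_roles.setdefault(user, set()).update(roles)

    def revoke_user(self, user: str) -> int:
        # One change: the user loses their roles; no per-resource list is edited.
        return 1 if self.user_roles.pop(user, None) is not None else 0

    def allowed(self, user: str, resource: str, perm: str) -> bool:
        # A user holding several roles gets the union of those roles' permissions.
        return any(perm in self.role_perms.get(role, {}).get(resource, set())
                   for role in self.user_roles.get(user, set()))


def build_acl() -> ACL:
    """Constructed ACL: alice reads everything, bob edits everything, carol manages grades."""
    acl = ACL()
    for res in RESOURCES:
        acl.grant(res, "alice", "read")
        acl.grant(res, "bob", "read", "write", "add")
    acl.grant("grades.db", "carol", "read", "write", "delete", "add")
    return acl


def build_rbac() -> RBAC:
    """The same entitlements expressed as Reader / Editor / Registrar roles."""
    rbac = RBAC()
    for res in RESOURCES:
        rbac.grant_role("Reader", res, "read")
        rbac.grant_role("Editor", res, "read", "write", "add")
    rbac.grant_role("Registrar", "grades.db", "read", "write", "delete", "add")
    rbac.assign("alice", "Reader")
    rbac.assign("bob", "Editor")
    rbac.assign("carol", "Reader", "Registrar")  # multiple roles for one user
    return rbac


if __name__ == "__main__":
    acl, rbac = build_acl(), build_rbac()
    print("ACL lists edited to remove bob:", acl.revoke_user("bob"))    # 3
    print("RBAC changes to remove bob:", rbac.revoke_user("bob"))       # 1
```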

Sidebar: Password Security


So why is using just a simple user ID and password not considered a secure method of authentication? It
turns out that this single-factor authentication is extremely easy to compromise. Good password policies
must be put in place in order to ensure that passwords cannot be compromised. Below are some of the
more common policies that organizations should use.
 Require complex passwords. One reason passwords are compromised is that they can be easily
guessed. A recent study found that the top three passwords people used
were password, 123456 and 12345678.[1] A password should not be simple, or a word that can be
found in a dictionary. Hackers first attempt to crack a password by testing every term in the
dictionary. Instead, a good password policy should require the use of a minimum of eight
characters, at least one upper-case letter, one special character, and one digit.
 Change passwords regularly. It is essential that users change their passwords on a regular basis.
Also, passwords may not be reused. Users should change their passwords every sixty to ninety
days, ensuring that any passwords that might have been stolen or guessed will not be able to be
used against the company.
 Train employees not to give away passwords. One of the primary methods used to steal
passwords is to simply figure them out by asking the users for their password. Pretexting occurs
when an attacker calls a helpdesk or security administrator and pretends to be a particular
authorized user having trouble logging in. Then, by providing some personal information about
the authorized user, the attacker convinces the security person to reset the password and tell him
what it is. Another way that employees may be tricked into giving away passwords is through
e-mail phishing. Phishing occurs when a user receives an e-mail that looks as if it is from a trusted
source, such as their bank or employer. In the e-mail the user is asked to click a link and log in to
a website that mimics the genuine website, then enter their ID and password. The user ID and
password are then captured by the attacker.
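The policy rules listed above turned into a checker, as an added example that is not part of the original text. The word list is a constructed stand-in for a real dictionary (its first three entries are the top passwords cited above), and the 90-day maximum age is one value taken from the sixty-to-ninety-day range.

```python
import string
from datetime import date

# Constructed stand-in for a dictionary / common-password list; a real deployment loads a full word list.
COMMON_WORDS = {"password", "123456", "12345678", "welcome", "science", "letmein"}

MIN_LENGTH = 8        # "a minimum of eight characters"
MAX_AGE_DAYS = 90     # upper end of the "sixty to ninety days" rotation window


def check_password(candidate: str, previous=()) -> list[str]:
    """Return the list of policy rules the candidate violates (an empty list means compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    # Dictionary check on the letters alone, so "Password1!" is still caught as "password".
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if candidate.lower() in COMMON_WORDS or core in COMMON_WORDS:
        problems.append("dictionary word or common password")
    # "passwords may not be reused": compare against the user's stored history.
    if candidate in previous:
        problems.append("reuse of a previous password")
    return problems


def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the policy's maximum age and must be changed."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    for pw in ("password", "Password1!", "Ab1!", "Tr0ub4dor&3"):
        print(f"{pw!r}: {check_password(pw) or 'compliant'}")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 15)))  # True
```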

Encryption
Many times an organization needs to transmit information over the Internet or transfer it on external
media such as a flash drive. In these cases, even with proper authentication and access control, it is
possible for an unauthorized person to gain access to the data. Encryption is a process of encoding data
upon its transmission or storage so that only authorized individuals can read it. This encoding is
accomplished by software which encodes the plain text that needs to be transmitted (encryption). Then
the recipient receives the cipher text and decodes it (decryption). In order for this to work, the sender and
receiver need to agree on the method of encoding so that both parties have the same message. Known
as symmetric key encryption, both parties share the encryption key, enabling them to encode and decode
each other’s messages.

An alternative to symmetric key encryption is public key encryption. In public key encryption, two keys
are used: a public key and a private key. To send an encrypted message, you obtain the public key,
encode the message, and send it. The recipient then uses their private key to decode it. The public key
can be given to anyone who wishes to send the recipient a message. Each user simply needs one private
key and one public key in order to secure messages. The private key is necessary in order to decrypt a
message sent with the public key.

Notice in the image how the sender on the left creates a plaintext message which is then encrypted with a
public key. The ciphered text is transmitted through the communication channel and the recipient uses
their private key to decrypt the message and then read the plain text.
Public Key Encryption

Sidebar: Blockchain and Bitcoin

Blockchain
Introduced in 2008 as part of a proposal for Bitcoin, Blockchain is a peer-to-peer network which
provides an open, distributed record of transactions between two parties. A “peer-to-peer” network is
one where there is no server between the two nodes trying to communicate. Essentially, this means that
each node acts as a server and a client.

Supporters see blockchain as a tool to simplify all types of transactions: payments, contracts, etc.
Motivation comes from the desire to remove the middleman (lawyer, banker, broker) from transactions,
making them more efficient and readily available across the Internet. Blockchain is already being used to
track products through supply chains.
Blockchain is considered a foundational technology, potentially creating new foundations in economics
and social systems. There are numerous concerns about Blockchain and its adoption. Consider the
following:

 Speed of adoption. Initially there is a great deal of enthusiasm by a small group. However,
adoption on a larger scale can take a great number of years even decades for a worldwide
acceptance of a new method of doing business.
 Governance. The banking sector, both in individual countries (U. S. Federal Reserve System) and
the world at large (the International Monetary Fund), controls financial transactions. One purpose
of these organizations is an attempt to avoid banking and financial systems collapse. Blockchain
will result in the governance of financial transactions shifting away from these government-
controlled institutions.
 Smart contracts. The smart contract will re-shape how businesses interact. It is possible for
blockchain to automatically send payment to a vendor the instant the product is delivered to the
customer. Such “self-executing” contracts are already taking place in banking and venture capital
funding. [9]

Many are forecasting some universal form of payment or value transfer for business transactions.
Blockchain and Bitcoin are being used to transform banking in various locations around the world. The
following Bitcoin section includes a look at a new banking venture in Tanzania, East Africa.

Bitcoin

Bitcoin logo

Bitcoin is a world wide payment system using cryptocurrency. It functions without a central bank,
operating as a peer-to-peer network with transactions happening directly between vendors and buyers.
Records for transactions are recorded in the blockchain. Bitcoin technology was released in 2009. The
University of Cambridge estimated there were between 2.9 and 5.8 million unique users of bitcoin in
2017.[10] This web site provides more information about bitcoin.

A major bitcoin project is underway in Tanzania. Business transactions in this East African country are
fraught with many challenges such as counterfeit currency and a 28% transaction fee on individuals who
do not have a bank account. Seventy percent of the country’s population fall into this category. Benjamin
Fernandes, a Tanzanian and 2017 graduate of Stanford Graduate School of Business, is co-founder of
NALA, a Tanzanian firm working to bring cryptocurrency to a country where 96% of the population
have access to mobile devices. NALA’s goal is to provide low cost transactions to all of the country’s
citizens through cryptocurrency.[11] You can read more of this cryptocurrency venture here.

Backups
Another essential tool for information security is a comprehensive backup plan for the entire
organization. Not only should the data on the corporate servers be backed up, but individual computers
used throughout the organization should also be backed up. A good backup plan should consist of
several components.

 Full understanding of the organization’s information resources. What information does the
organization actually have? Where is it stored? Some data may be stored on the organization’s
servers, other data on users’ hard drives, some in the cloud, and some on third-party sites. An
organization should make a full inventory of all of the information that needs to be backed up and
determine the best way to back it up.
 Regular backups of all data. The frequency of backups should be based on how important the
data is to the company, combined with the ability of the company to replace any data that is lost.
Critical data should be backed up daily, while less critical data could be backed up weekly. Most
large organizations today use data redundancy so their records are always backed up.
 Offsite storage of backup data sets. If all backup data is being stored in the same facility as the
original copies of the data, then a single event such as an earthquake, fire, or tornado would
destroy both the original data and the backup. It is essential the backup plan includes storing the
data in an offsite location.
 Test of data restoration. Backups should be tested on a regular basis by having test data deleted
then restored from backup. This will ensure that the process is working and will give the
organization confidence in the backup plan.

Besides these considerations, organizations should also examine their operations to determine what
effect downtime would have on their business. If their information technology were to be unavailable for
any sustained period of time, how would it impact the business?

Additional concepts related to backup include the following:

 Uninterruptible Power Supply (UPS). A UPS provides battery backup to critical components of
the system, allowing them to stay online longer and/or allowing the IT staff to shut them down
using proper procedures in order to prevent data loss that might occur from a power failure.

 Alternate, or “hot” sites. Some organizations choose to have an alternate site where an exact
replica of their critical data is always kept up to date. When the primary site goes down, the
alternate site is immediately brought online so that little or no downtime is experienced.
As information has become a strategic asset, a whole industry has sprung up around the technologies
necessary for implementing a proper backup strategy. A company can contract with a service provider to
back up all of their data or they can purchase large amounts of online storage space and do it themselves.
Technologies such as Storage Area Networks (SAN) and archival systems are now used by most large
businesses for data backup.

Firewalls

Diagram of a network configuration with firewalls, a router, and a DMZ.

Firewalls are another method that an organization can use for increasing security on its network. A
firewall can exist as hardware or software, or both. A hardware firewall is a device that is connected to
the network and filters the packets based on a set of rules. One example of these rules would be
preventing packets entering the local network that come from unauthorized users. A software firewall
runs on the operating system and intercepts packets as they arrive to a computer.

A firewall protects all company servers and computers by stopping packets from outside the
organization’s network that do not meet a strict set of criteria. A firewall may also be configured to
restrict the flow of packets leaving the organization. This may be done to eliminate the possibility of
employees watching YouTube videos or using Facebook from a company computer.

A demilitarized zone (DMZ) uses multiple firewalls as part of the network security configuration,
creating one or more sections of the network that are partially secured. The DMZ typically contains
resources that need broader access but still need to be secured.

Intrusion Detection Systems


Intrusion Detection Systems (IDS) can be placed on the network for security purposes. An IDS does not
by itself block or prevent attacks. Instead, it provides the capability to identify if the network is being attacked.
An IDS can be configured to watch for specific types of activities and then alert security personnel if that
activity occurs. An IDS also can log various types of traffic on the network for analysis later. It is an
essential part of any good security system.

Sidebar: Virtual Private Networks


Using firewalls and other security technologies, organizations can effectively protect many of their
information resources by making them invisible to the outside world. But what if an employee working
from home requires access to some of these resources? What if a consultant is hired who needs to do
work on the internal corporate network from a remote location? In these cases, a Virtual Private
Network (VPN) is needed.

Diagram of VPN. Attribution to Ludovic.ferre.

A VPN allows a user who is outside of the corporate network to pass through the firewall over an
authenticated, encrypted connection and reach the internal network from the outside. Through a combination
of software and security measures, a VPN provides off-site access to the organization’s network while ensuring overall security.

The Internet cloud is essentially an insecure channel through which people communicate to various web
sites/servers. Implementing a VPN results in a secure pathway, usually referred to as a tunnel, through
the insecure cloud, virtually guaranteeing secure access to the organization’s resources. The diagram
represents security by way of the functionality of a VPN as it “tunnels” through the insecure Internet
Cloud. Notice that the remote user is given access to the organization’s intranet, as if the user was
physically located within the intranet.
Physical Security
An organization can implement the best authentication scheme in the world, develop superior access
control, and install firewalls and intrusion detection, but its security cannot be complete without
implementation of physical security. Physical security is the protection of the actual hardware and
networking components that store and transmit information resources. To implement physical security,
an organization must identify all of the vulnerable resources and take measures to ensure that these
resources cannot be physically tampered with or stolen. These measures include the following.

 Locked doors. It may seem obvious, but all the security in the world is useless if an intruder can
simply walk in and physically remove a computing device. High value information assets should
be secured in a location with limited access.
 Physical intrusion detection. High value information assets should be monitored through the use
of security cameras and other means to detect unauthorized access to the physical locations where
they exist.
 Secured equipment. Devices should be locked down to prevent them from being stolen. One
employee’s hard drive could contain all of your customer information, so it is essential that it be
secured.
 Environmental monitoring. An organization’s servers and other high value equipment should
always be kept in a room that is monitored for temperature, humidity, and airflow. The risk of a
server failure rises when these factors exceed acceptable ranges.
 Employee training. One of the most common ways thieves steal corporate information is the
theft of employee laptops while employees are traveling. Employees should be trained to secure
their equipment whenever they are away from the office.

Security Policies
Besides the technical controls listed above, organizations also need to implement security policies as a
form of administrative control. In fact, these policies should really be a starting point in developing an
overall security plan. A good information security policy lays out the guidelines for employee use of the
information resources of the company and provides the company recourse in the event that an employee
violates a policy.

According to the SANS Institute, a good policy is “a formal, brief, and high-level statement or plan that
embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for a specified
subject area.” Policies require compliance. Failure to comply with a policy will result in disciplinary
action. A policy does not list the specific technical details, instead it focuses on the desired results. A
security policy should be based on the guiding principles of confidentiality, integrity, and availability.[2]

Web use is a familiar example of a security policy. A web use policy lays out the responsibilities of
company employees as they use company resources to access the Internet. A good example of a web use
policy is included in Harvard University’s “Computer Rules and Responsibilities” policy, which can be
found here.

A security policy should also address any governmental or industry regulations that apply to the
organization. For example, if the organization is a university, it must be aware of the Family Educational
Rights and Privacy Act (FERPA), which restricts access to student information. Health care
organizations are obligated to follow several regulations, such as the Health Insurance Portability and
Accountability Act (HIPAA).

A good resource for learning more about security policies is the SANS Institute’s Information Security
Policy Page.

 Authentication : It means that the correct identity is known to the communicating parties. This property ensures that the parties
are genuine and not impersonators.
 Authorization : This property gives access rights to different types of users.
◦ For example, network management can be performed by the network administrator only.
Attacks threatening confidentiality
In general, two types of attack threaten the confidentiality of information: snooping and traffic analysis.

Snooping : refers to unauthorized access to or interception of data.

Traffic analysis : refers to other types of information collected by an intruder by monitoring online traffic.

Attacks threatening integrity


The integrity of data can be threatened by several kinds of attack:

 Modification
A modification attack is an attempt to modify information that the attacker is not authorized to modify.

 Masquerading (impersonation)
A masquerade takes place when one entity pretends to be a different entity.

 Replaying
A replay attack involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

 Repudiation
In a repudiation attack, false information may be given or a real event or transaction may be denied.

Types of attacks
→ A passive attack attempts to learn or make use of information from the system without changing the content of
the messages or disrupting the operation of the communication.
- Passive attacks do not affect system resources (eavesdropping, monitoring).
- The goal of the opponent is to obtain information that is being transmitted.
- Two types of passive attack:
◦ Release of message contents: the opponent reads the contents of transmitted messages.
◦ Traffic analysis: the opponent observes the pattern of messages (who is talking to whom, when, and how
much) even when the contents are enciphered.
- Passive attacks are very difficult to detect: message transmission appears normal and no data is altered, so the
emphasis is on prevention (for example encipherment) rather than detection.
• Examples of passive attacks are eavesdropping, traffic analysis, and traffic monitoring.
→ An active attack attempts to interrupt, modify, delete, or fabricate messages or information, thereby disrupting
the normal operation of the network.
- Active attacks try to alter system resources or affect their operation, through modification of data or creation
of false data.
- Four categories:
◦ Masquerade of one entity as some other
◦ Replay of a previously captured message
◦ Modification of messages
◦ Denial of service (DoS): preventing normal use, against a specific target or an entire network
- Some examples of active attacks include jamming, modification, denial of service (DoS), and message replay.
- Active attacks are difficult to prevent absolutely, because that would require physical protection of every
communication path; the goal is to detect them and recover from any disruption they cause.
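The following is an added example, not part of the original notes, that models three of the integrity attacks described above (modification, masquerade and replay) against a receiver that verifies an HMAC tag and tracks a per-message nonce. The shared key, sender names, message bodies and nonce values are all constructed for the demonstration; the framing format is hypothetical, not a real protocol.

```python
"""Added example: message authentication with replay detection.

Models the integrity attacks above (modification, masquerade, replay)
against a receiver that checks an HMAC tag and a per-message nonce.
The shared key, sender names and message bodies are all constructed
for this demonstration; nothing here is a real protocol.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed shared secret; in practice it is provisioned out of band.
DEMO_KEY = b"demo-shared-secret-do-not-reuse"


def make_frame(key: bytes, sender: str, body: str, nonce: Optional[str] = None) -> dict:
    """Build an authenticated frame: canonical JSON payload + HMAC-SHA256 tag.

    The nonce is what lets the receiver tell a fresh message from a
    replayed copy; the tag alone cannot, because a replay is bit-identical.
    The payload is NOT encrypted, so a snooper can still read it: this
    protects integrity and authenticity, not confidentiality.
    """
    msg = {"from": sender, "body": body, "nonce": nonce or os.urandom(8).hex()}
    payload = json.dumps(msg, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def tamper(frame: dict, new_body: str) -> dict:
    """Active attack (modification): change the body but keep the captured tag."""
    msg = json.loads(frame["payload"])
    msg["body"] = new_body
    return {"payload": json.dumps(msg, sort_keys=True).encode(), "tag": frame["tag"]}


class Receiver:
    """Verifies the tag first, then rejects any nonce it has already accepted."""

    def __init__(self, key: bytes):
        self.key = key
        # Unbounded for the demo; real systems use a window of sequence
        # numbers or timestamps so this set cannot grow forever.
        self.seen_nonces = set()

    def accept(self, frame: dict) -> str:
        expected = hmac.new(self.key, frame["payload"], hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself does not leak the tag.
        if not hmac.compare_digest(expected, frame["tag"]):
            return "REJECT: bad MAC (modified in transit or forged by a masquerader)"
        msg = json.loads(frame["payload"])
        if msg["nonce"] in self.seen_nonces:
            return "REJECT: replay of a previously accepted message"
        self.seen_nonces.add(msg["nonce"])
        return f"ACCEPT from {msg['from']}: {msg['body']}"


def run_scenarios() -> dict:
    """Play the genuine case and the three attacks against one receiver."""
    rx = Receiver(DEMO_KEY)
    genuine = make_frame(DEMO_KEY, "alice", "pay bob 100", nonce="n-0001")
    return {
        "genuine": rx.accept(genuine),
        # Replay: the passively captured frame is resent unchanged.
        "replay": rx.accept(genuine),
        # Modification: body altered in transit, tag left as captured.
        "modification": rx.accept(tamper(genuine, "pay bob 1000")),
        # Masquerade: attacker forges a frame "from alice" without the key.
        "masquerade": rx.accept(
            make_frame(b"attacker-guess", "alice", "pay eve 100", nonce="n-0002")
        ),
    }


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:13s} -> {verdict}")
```

The order of the two checks matters: the MAC is verified before the nonce is parsed or recorded, so an attacker cannot pollute the seen-nonce set with forged frames. Note also that an eavesdropper (a passive attack) still reads every payload; adding confidentiality would require enciphering the payload as well.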

 Network Security and Cryptography

- Security through obscurity: the system is considered secure simply because nobody knows about its
existence or its internal details. This cannot hold for long; once the details leak or are discovered, nothing
else protects the system.

- Host security: security is enforced on each host individually. Every host must be configured and
maintained separately, so this does not scale well.

- NETWORK SECURITY: controls network access to the various hosts and their services, rather than
relying on the security of each individual host.
□ This is a much more efficient and scalable model.

 INTRODUCTION TO NUMBER THEORY

- Mathematics plays a crucial role in cryptography!
- 2000 years ago Julius Caesar used a simple substitution cipher: replace each letter of the message by the
letter a fixed distance k further along the alphabet, wrapping around from Z back to A.
- For example, with k = 3, "SCIENCE" transforms into: VFLHQFH

 The Internet Organizations and RFC Publication

 Internet Architecture Board (IAB): responsible for defining the overall architecture of the Internet
 Internet Engineering Task Force (IETF): responsible for protocol engineering and development
 Internet Engineering Steering Group (IESG): responsible for technical management of IETF
activities
 Security-related incidents reported include
- A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network,
making it inaccessible to its intended users
