Prevention, Detection, and Response
There is an age-old saying: “It’s too late to sharpen your sword when the drum beats for battle”. Make no mistake, we are in a war, and we must prepare for the cyber battles by sharpening our skills. Information security professionals must continuously mature their capabilities by working smarter, not harder. It is always better to prevent than to pursue and prosecute. Preventing an incident requires careful analysis and planning.
Information is an asset that requires protection commensurate with its value.
Security measures must be taken to protect information from unauthorized
modification, destruction, or disclosure whether accidental or intentional. During the
prevention phase, security policies, controls and processes should be designed and
implemented. Security policies, security awareness programs and access control procedures are all interrelated and should be developed early on. The information security policy is the cornerstone from which all else is built.
- Security Policy:
The first objective in developing a prevention strategy is to determine “what”
must be protected and document these “whats” in a formal policy. The policy must
define the responsibilities of the organization, the employees and management. It
should also fix responsibility for implementation, enforcement, audit and review.
Additionally, the policy must be clear, concise, coherent and consistent in order to be
understood. Without clear understanding, the policy will be poorly implemented and
subsequent enforcement, audit and review will be ineffective. Once management
endorses a completed policy, the organization needs to be made aware of its
requirements.
- Security Awareness:
Security awareness is a process that educates employees on the importance of
security, the use of security measures, reporting procedures for security violations, and
their responsibilities as outlined in the information security policy. Security awareness
programs should be utilized for this purpose. The program should be a continuous
process that maintains an awareness level for all employees. The program should be
designed to address organization wide issues as well as more focused specialized
training needs. The program should stress teamwork and the importance of active
participation. To motivate individuals, a recognition process should be adopted that gives awards or rewards to employees who follow good security practices.
- Access Controls:
Access is the means by which a user makes use of information systems to obtain information. Naturally, not all users should be able to access all systems and all of their information. Access should be restricted and granted on a need-to-know basis. To manage this access we establish user accounts by issuing identifiers, authentication methods to verify those identifiers, and authorization rules that limit access to resources.
- Identification – An identifier is a unique label that a user (person, client, software application, hardware device, or network) presents to distinguish itself from other objects. Presenting an identifier only claims who the user is; on its own it proves nothing. Identifiers created for users should not be shared with any other users or groups, otherwise actions cannot be attributed to an individual. Once a user has an identifier, the next step taken to access a resource is authentication.
- Authentication – Authentication is the process of validating the identity of a user. When a user presents its identifier, prior to gaining access, the identifier must be authenticated. Authentication verifies identities, thereby providing a level of trust. There are three basic factors used to authenticate an identity. They are:
1. Something you know – The password is the most common form used; passphrases and PINs are also used. Relying on this factor alone is known as single-factor authentication. This form is weakened by poor password selection and poor password storage.
2. Something you have – This factor is something the user possesses, such as an identification card, smartcard or token, each of which requires the user to hold “something” in order to authenticate. A more reliable authentication process requires two factors, such as something you know combined with something you have. This is known as two-factor or multifactor authentication.
3. Something you are – The strongest authentication factor is something you are: a unique physical characteristic such as a fingerprint, retina pattern or DNA. Measuring these characteristics is called biometrics. The strongest authentication process requires all three factors, and facilities or applications that are highly secret or sensitive will use all three to authenticate a user. However, although biometrics may appear on the surface to be a panacea, it is not. There are weaknesses, and for biometrics to work the verifier must verify two things, as outlined in a Counterpane.com article by Bruce Schneier titled “Biometrics: Uses and Abuses”: first, that the biometric came from the person at the time of verification (rather than being replayed from a copy), and second, that the biometric matches the master biometric on file. Without both of these requirements this factor will not work.
- Authorization – Authorization is the process of allowing users who have been identified and authenticated to use certain resources. Limiting access to resources by establishing permission rules provides better control over users' actions. Authorization should be granted on the principle of least privilege: granting no more privilege than is required to perform a task or job, and for no longer than the minimum time required to complete the task. This restrictive process limits access, creates a separation of duties and increases accountability.
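The identification, authentication and authorization steps above, as an added worked example that is not part of the original paper: a user record carries a unique identifier, a salted and iterated password hash for “something you know”, and a shared secret for a time-based one-time password token for “something you have”; authorization then permits only an explicitly granted action whose grant has not expired, which is least privilege with a time bound. The choice of PBKDF2 for password storage and TOTP (RFC 6238) for the possession factor, the user “jdoe”, the “payroll-db” resource and the one-hour grant are all assumptions made for the example; the TOTP secret is the RFC 6238 test-vector secret so the generated codes can be checked against the RFC.

```python
"""Added example (not from the paper): identification, two-factor
authentication and least-privilege authorization, standard library only.
All names, passwords, secrets and resources are constructed for illustration."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 200_000   # assumed work factor for password hashing


# Something you know: store only a salted, iterated hash, never the password.
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, int, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Something you have: a TOTP token (RFC 6238, HMAC-SHA1, 30-second step).
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    # Accept one 30-second step of clock skew either side of the verifier's clock.
    return any(hmac.compare_digest(totp(secret, now + i * 30).encode(), code.encode())
               for i in range(-window, window + 1))


@dataclass
class User:
    user_id: str                # unique identifier, never shared between users
    salt: bytes
    iterations: int
    pw_hash: bytes
    totp_secret: bytes
    # resource -> (permitted actions, expiry as Unix time): an explicit,
    # unexpired grant is the only way to get access (least privilege).
    grants: Dict[str, Tuple[Set[str], int]] = field(default_factory=dict)


def authenticate(users: Dict[str, User], user_id: str, password: str,
                 code: str, now: int) -> Optional[User]:
    """Two-factor check: something you know (password) AND something you have (TOTP)."""
    user = users.get(user_id)
    if user is None:
        # Same amount of work for unknown identifiers, so response time
        # does not reveal which identifiers exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
        return None
    if not verify_password(password, user.salt, user.iterations, user.pw_hash):
        return None
    if not verify_totp(user.totp_secret, code, now):
        return None
    return user


def authorize(user: User, resource: str, action: str, now: int) -> bool:
    """Least privilege: permit only an explicitly granted action that has not expired."""
    grant = user.grants.get(resource)
    if grant is None:
        return False
    actions, expires_at = grant
    return action in actions and now < expires_at


def build_demo_user(now: int) -> User:
    # Constructed sample record: read-only access to one resource for one hour.
    salt, iterations, digest = hash_password("correct horse battery staple")
    return User("jdoe", salt, iterations, digest,
                totp_secret=b"12345678901234567890",      # RFC 6238 test-vector secret
                grants={"payroll-db": ({"read"}, now + 3600)})


def demo(now: int = 59) -> Dict[str, bool]:
    users = {"jdoe": build_demo_user(now)}
    good_pw = "correct horse battery staple"
    code = totp(users["jdoe"].totp_secret, now)        # what the user's token shows
    user = authenticate(users, "jdoe", good_pw, code, now)
    return {
        "login_ok": user is not None,
        "wrong_password_rejected": authenticate(users, "jdoe", "wrong", code, now) is None,
        "stale_code_rejected": authenticate(users, "jdoe", good_pw, code, now + 300) is None,
        "can_read": authorize(user, "payroll-db", "read", now),
        "can_write": authorize(user, "payroll-db", "write", now),
        "read_after_expiry": authorize(user, "payroll-db", "read", now + 7200),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two design points are worth noticing. The password check and the token check both use a constant-time comparison, and an unknown identifier still costs a full PBKDF2 computation, so an attacker probing the login cannot use timing to learn which identifiers exist or how close a guess was. The grant carries its own expiry, so the time bound the paper asks for in the definition of least privilege is enforced by the authorization check itself rather than by someone remembering to revoke the access later.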