Information Security, also commonly known as ‘infosec’, is mostly about protecting information, data and communications from whatever threats they face. Nothing can be totally secure in practice for a number of reasons, some of them unavoidable, but we can always minimise the chances of a security compromise. Infosec is quite a broad field, which I’ve broken down into the following subject areas:
As the name suggests, this involves critically analysing a system and the technologies deployed, looking for vulnerabilities, areas where the confidentiality, integrity and availability of information assets may be compromised, and areas where certain measures should be deployed. This is part of risk assessment. People who break into networks typically choose the easy targets, so the fewer opportunities available to them, the better.
Good coding practices, like adding input validation, memory protections and measures against code injection, are essential when developing business-critical software and web applications. Sometimes this involves monitoring sources such as BugTraq and the CVE list for disclosed vulnerabilities.
Cryptography can protect data against most threats while it is being communicated and stored, provided it’s done properly. We must assess whether a given cryptographic system is considered strong or weak, how it’s implemented and used, and whether it’s resistant to indirect attacks. A good key management system is also essential, especially where multiple users are concerned.
Network Design and Security
Good network design and layered security is important. Measures include firewalls, VPNs, proper router and switch configuration, VLANs, etc. Networks should also be designed for reliability and resilience.
This can be a tricky area, since we must mimic what the media calls ‘black hat hackers’, and attempt to break into systems (usually networks). This is done to simulate real attacks before they happen, and assess where security is needed. This should be done without disrupting the business operations of the client, and within the limits agreed beforehand. Testing could also cover social engineering and insider attacks.
Malware Analysis and Security
Some anti-malware vendors provide better protection than others, but it’s generally true that basic protection is better than none. The vendors usually reverse-engineer whatever malware they find and send updates to the systems installed by their customers. But it’s not always about installing ready-made solutions, as Trojans and rootkits sometimes remain undetected, and they wouldn’t be found without a deliberate search.
It’s worth reading blogs maintained by vendors such as Sophos and F-Secure to learn about the latest threats and perhaps the common attack vectors. At the moment, almost all malware attacks rely on some element of social engineering, and there appears to be a slight increase in the number of Trojans being reported.
Good account and file administration practices are important. This covers basic things like access control, user privileges, file permissions, etc.
Intelligence and Threat Assessment
Every organisation or network will face its own specific threats and security risks. For example, the client could be a data centre, the military, a small business or home user. Security must be tailored to the specific network to be effective, both in terms of cost and actual protection. What does the client need to protect? How many people have both the capability and intention to compromise the client? Are there current trends we can determine from a range of information sources?
The situation’s always evolving, so assessments should either be ongoing or done regularly.
Some kind of methodology should also be used, whether it’s a check list, ISO 27002 or an object-oriented model of the system.
This depends on how clients are certified, their responsibilities and which countries they operate in. Generally there’s a list of requirements the client must somehow meet. This area also includes developing and implementing effective user policies that people actually pay attention to.
A digital forensics investigation could form part of incident response, to gauge the extent and method of a compromise, and perhaps to gather evidence for any criminal case resulting from the incident.
This area’s becoming more important, as people are carrying mobile devices around with them and into the workplace. These are devices that connect to public networks and have the potential to get infected, mislaid or stolen. Some organisations also have measures that prevent the copying of sensitive data to portable devices, or the connection of untrusted client devices to a remote service.
Part of information security involves measures that minimise the effects of incidents on the client’s operations. These can include backup and restoration procedures, disaster management and building some kind of redundancy into the system.
Commercial and Industry Awareness
Finally, commercial and industry awareness is essential, as it’s how we can determine current trends, contemporary threats and the best sources of information. Personally, I’ve also found there are certain professionals definitely worth following.