Microsoft Azure Security

Information security fundamentals


Let's start with a brief recap of high school concepts, such as the difference between data and information. In many cases, both should be treated as important assets, though there is an important difference.

Data is a raw fact that describes something; information is the output of a process that elaborates raw data.

Tip

Think about a sensitive digital document containing strategic company plans. If someone sees only the raw bits of this document, they could probably not gain any advantage from it. Instead, if these bits (the data) are properly translated by some software into a human-readable document, information is generated.

I mentioned that both of these are important, since raw data can produce a lot of information. However, it is generally accepted that information has much more value, as it represents the output of a high-value transformation process.

CIA triangle

It is probably well known that the most widely accepted principles of IT security are confidentiality, integrity, and availability. Although many security experts define further indicators/principles related to IT security, most security controls are focused on these three, since vulnerabilities are often expressed as a breach of one (or more) of them. These three principles are also known as the CIA triangle:

  • Confidentiality: This is about disclosure.

    A breach of confidentiality means that somewhere, some critical and confidential information has been disclosed unexpectedly.

  • Integrity: This is about the state of information.

    A breach of integrity means that information has been corrupted or, alternatively, the meaning of the information has been altered unexpectedly.

  • Availability: This is about interruption.

    A breach of availability means that information access is denied unexpectedly.

Ensuring confidentiality, integrity, and availability means that information flows are always monitored and the necessary controls are enforced.

We say that a breach is an exposure, caused by an event in which a vulnerability located at some point of the involved process is exploited.

Tip

Those events are often called incidents, since they expose a system to loss or damage. Later, you will learn how to identify the threats to a system, which is one of the main purposes of Information Security Management (ISM).

As you can see from the three principles discussed, for each security principle we need to ensure that information flows are always monitored and that the necessary controls are enforced. The first requirement is a basic milestone of information security, since all the information flows have to be known and documented by an officer in order to plan which controls should be enforced. The second requirement, instead, depends on the specific principle; security measures vary from one principle to another, as follows:

  • Examples of measures for confidentiality are:

    • Applying classification signs on a company's documents could help people understand which grade of secrecy is applied.

    • Applying a deny-all policy and allowing only a minimal set of permissions to users will reduce the risk of a loss of confidentiality.

  • Examples of measures for integrity are:

    • A data validation policy for users involved in data entry or data manipulation helps to reduce the probability of errors and, consequently, a loss of integrity.

    • Continuous backups could mitigate the damage of data corruption, by restoring the most recent and consistent version of data.

  • Examples of measures for availability are:

    • Having at least two power sources for critical IT infrastructure increases the availability of a system if one of them fails. This is an example of redundancy.

    • Again, backups can also be viewed as measures to increase availability since, in the case of a hardware failure, a good backup procedure could reduce the downtime dramatically.

Sometimes we encounter other principles related to security, such as non-repudiation, authenticity, utility, possession, and more. I prefer to reduce all the principles to the CIA triangle, since I think the other ones are specializations of this base model.

Security management

In this book, we will try to teach you that security should not be delegated to fancy tools or to all-in-one salvation software; it is primarily related to the awareness of the people involved in business processes. Companies should (and must) implement internal procedures to assess themselves from a security perspective, documenting the risks they are subject to and the measures to mitigate (if necessary) these risks.

This is, in summary, the purpose of a Security Management System which, when talking about IT, becomes an Information Security Management System (ISMS).

In the previous sections, we talked about risks, vulnerabilities, threats, and incidents; now let us try to give an example.

A company hires sales representatives, giving them a PC with the essential tools of the trade, Customer Relationship Management (CRM) access, and a database of clients with their details (for example, past revenues). The person in charge of security decides to force mobile users to use a Virtual Private Network (VPN) to connect to the company network and to choose a strong password for desktop access. However, if the PC's hard drive is not fully encrypted, the company is vulnerable to a loss of confidentiality in the case of theft or loss; the threat is that someone could attach the hard drive to another PC and read all the data in plain form. The risk associated with this event is the likelihood of a sales representative losing the PC or a thief stealing it, regardless of whether the information contained in it is then used. There are at least two possible measures in this case: avoid saving sensitive data on the PC, making it a stateless device (or thin client), or perform full disk encryption. In both cases, someone who gains physical possession of the device cannot take advantage of the information contained in it.

In this example, we used the appropriate terminology to describe a typical real-world scenario. Please note that security controls (or measures) could themselves lead to new risks. Imagine a company policy that forces each PC to be encrypted with a key. If the user loses this key, the PC becomes useless even for the people who have the right to access it. Again, if the disk key is a number, writing it down on the back cover of the PC completely negates the benefit introduced by the encryption policy (a thief could steal both the PC and the key, gaining access to the device's sensitive information). These are two cases where measures to ensure confidentiality introduce new risks related to availability and confidentiality, respectively.

This is one of the reasons why a planned, documented, and formal ISMS is really needed by most companies that deal with information.

Tip

The process of understanding, assessing, and documenting current threats and risks is often known as due diligence, while the actual implementation of these measures to protect the company from threats is known as due care.

Medium-sized or large companies approach ISM by appointing a dedicated staff member as the Information Security Officer (ISO), who is usually in charge of a division (or a small portion of the company), and a Chief Information Security Officer (CISO), who is usually in charge of implementing the security strategy for the entire company.

Tip

Why are dedicated staff needed to implement security?

Although the implementation of an ISMS seems like a one-time task, it is, in fact, a continuous process of iterative improvement, based on monitoring the procedures that were put in place as a result of the previous iteration. As in software development, it is hard to say "it's finished" for a particular piece of software; rather, once software has been released, new functionality or fixes must be made according to new business requirements. In ISM, it is the same.

Risk analysis

A threat should not always be countered; regarding the previous example, if the possible loss from the sales representative's PC (in terms of the information lost) is less than the cost of the measure to counter this threat (by implementing proper controls), the company could accept the risk. Today, it is often very cheap to protect a PC (through encryption, for instance), but there are other cases where it would be convenient to avoid an expensive implementation. This conclusion can be made only after a documented process of analysis.

As per the book Foundations of Information Security (Van Haren) by Jule Hintzbergen, Kees Hintzbergen, Andre Smulders, and Hans Baars, a risk could be accepted or mitigated by five kinds of countermeasures: preventive, reductive, detective, repressive, and corrective measures.

Coming back to the previous example, we may face this situation:

  • A PC with sensitive data is given to an employee

  • A thief could steal it (or the employee could lose it)

A preventive measure would eliminate the risk entirely; for example, by not giving PCs to the employees at all. A reductive measure would reduce the likelihood of the risk, by forcing employees to always keep their devices physically with them. A detective measure helps to promptly realize that an incident has occurred, for example, by placing a localization device on the PC that is connected to a real-time tracking system. A repressive measure would limit the consequences of an incident, for example, by remotely wiping the stolen (or lost) PC. Finally, a corrective measure would restore the consistent state that existed before the incident, by providing a new PC to the employee. As previously said, a risk could also be accepted. In such cases, no countermeasures are taken, but the risk should be documented as well.