
Information Security Frameworks and Information Security Architecture

An information security framework provides guidance for implementing information security effectively across the organization and for developing an effective information security architecture, which in turn provides assurance that information security has actually been employed. One word of caution: whatever the level of implementation, you cannot be 100% assured of information security. If security measures are implemented effectively, however, they let you control many of the threats and prepare you to respond quickly to the ones that get through. Organizations can only be defensive in their approach, since attacking back is illegal. Such a framework or architecture enables you to prevent attacks, to detect and react to them, or to recover from them.

In order to protect information and data from the threats described above, organizations typically have "layers of protection." Layering defenses improves an organization's overall security posture. Successful organizations have layers of security, as shown in Figure 3-3.

Figure 3-3. A layered approach to security

As Figure 3-3 shows, these five layers of security support and complement each other. The Access or User layer ensures clear authentication and authorization, that is, security clearance through appropriate controls. The Application security layer ensures effective control over web servers, databases, and applications through controls such as encryption and identity management. The Network security layer provides protection through controls such as firewalls and IDS/IPS; the Platform/Host security layer provides controls such as host IDS/IPS and anti-virus software; and the Physical security layer provides controls such as secured access, asset control, and fire protection.

Platform/Host security is ensured primarily through hardening of the servers. Root and administrator passwords are changed from the defaults to strong passwords and are tightly controlled, since weak administrator passwords put the servers directly at risk. Reputable anti-virus solutions installed on the servers give them significant protection against malware and spyware infections. Most operating system vendors release security patches periodically; applying them to the relevant servers in a timely manner, after testing their impact on the applications running on those platforms/hosts, keeps the servers well protected. Drivers likewise need to be maintained and updated as needed. Periodic preventive maintenance of these hosts, to free up space, remove unwanted files, archive unwanted data, defragment disks, and confirm that patches and software or driver upgrades are current, ensures continued performance; otherwise performance degrades, which affects availability and increases exposure to security threats. Similarly, maintaining facilities and utilities, such as temperature and humidity controls in the server room/data center and preventive maintenance of the UPS, helps keep the systems secure.

As we saw earlier in this chapter, network security is the next protective layer, the one that connects the hosts/platforms to each other and to the outside. Here it needs to be ensured that the network equipment is hardened, that default passwords are invariably replaced with stronger ones, that all network equipment such as routers is configured correctly, and that protocols are used appropriately for the infrastructure and the organization's needs. Firewalls and IDS/IPS need to be set up with relevant configurations and policies so that they can detect, alert on, or prevent some of the attacks. Weak administrator passwords, weak or unprotected encryption keys, or misconfigurations can be exploited and place the organization and its business at risk. Networks are exposed to attacks such as spoofing, man-in-the-middle attacks, sniffing, and eavesdropping, leading to impersonation or to loss or misuse of data, and to session hijacking and denial of service attacks.

Application security is a major issue worldwide. Web servers and databases need to be secured through appropriate installation and configuration. In this fast-paced world, completing and delivering software has come to matter more than its security, and surprisingly, most applications are not tested for security at all. Such applications can be prone to attacks like SQL injection, buffer overflows, and unvalidated input, which can eventually compromise the hosts on which they run. Similarly, inadequately tested or misconfigured applications may mishandle processing errors, or fail to check for them, leading to loss of data integrity. Weak authentication and authorization mechanisms built into these applications, or misconfiguration of the applications, may lead to unauthorized access or to corruption of data. Defects in applications lead not only to errors in data; security-related defects lead to breaches. Applications not patched in a timely manner remain exposed to malware and to exploitation of known flaws. The interface between two applications may also be weak, leading to insecure transfer of data between them and subsequent exposure of that data to others.
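The SQL injection case above, as an added example that is not code from the book: a login query built by string formatting beside the same query with bound parameters, run against an in-memory SQLite database. The user table, credentials, and attack strings are constructed for the demonstration; passwords are stored in clear text only to keep the example short, which real code must never do.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (not real data).
    Passwords are in clear text for brevity; real systems store salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so quotes in the input become SQL.
    Returns the authenticated username, or None."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately from
    the statement text, so they can match data but never change the query structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def crashes_on_quote(conn):
    """A legitimate apostrophe in a name breaks the concatenated statement, an
    availability and integrity problem even with no attacker present. The
    parameterized form simply finds no such user."""
    try:
        login_vulnerable(conn, "o'brien", "pw")
        return False
    except sqlite3.Error:
        return login_parameterized(conn, "o'brien", "pw") is None


def demo():
    """What each login returns for a legitimate login and two classic injections."""
    conn = make_db()
    cases = [("alice", "correct horse"),   # legitimate credentials
             ("alice", "x' OR '1'='1"),    # comparison becomes true for every row
             ("bob'--", "whatever")]       # closes the string, comments out the password check
    return [(u, p, login_vulnerable(conn, u, p), login_parameterized(conn, u, p))
            for u, p in cases]


if __name__ == "__main__":
    for user, pw, vuln, safe in demo():
        print(f"{user!r:12} {pw!r:18} vulnerable={vuln!r:8} parameterized={safe!r}")
```

The vulnerable function accepts both injected inputs (the second one logs in as bob without any password), while the parameterized one rejects them; the check for a quoted name shows that concatenation also fails on honest input.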

Access to systems is regulated by the access control layer, which has to be set up as per the organization's access control policy. Access control models of interest include mandatory access control, discretionary access control, and non-discretionary access control; access control administration models include the centralized, decentralized, and hybrid administration models. Both internal and external access controls need to be handled appropriately, and authentication and authorization have to be set up correctly. The primary threats from an improperly configured access layer are unauthorized or incorrect access, and denial of legitimate access. Over time it has been observed that a single authentication mechanism is broken relatively easily, so combining several mechanisms (multi-factor authentication) is preferable where maximum security is required.
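To make the three access control models concrete, an added example in Python (not the book's code) implements a minimal version of each: mandatory access control as a Bell-LaPadula style lattice check on labels, discretionary access control as owner-managed access control lists, and non-discretionary access control taken here as role-based access control, its usual form. The sensitivity levels, users, objects, and roles are constructed for the demonstration, and the combined `authorize` check is an assumption about how a system would apply two models together.

```python
from enum import IntEnum


class Level(IntEnum):
    """Constructed sensitivity lattice for the example: a higher value dominates a lower one."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


def mac_allows(clearance, label, action):
    """Mandatory access control, Bell-LaPadula style. Neither the subject nor the
    object's owner can change these rules; the labels decide.
    read : the subject's clearance must dominate the object's label (no read up).
    write: the object's label must dominate the clearance (no write down, so a
           SECRET-cleared user cannot copy secret content into a PUBLIC file)."""
    if action == "read":
        return clearance >= label
    if action == "write":
        return label >= clearance
    raise ValueError(f"unknown action {action!r}")


class DacStore:
    """Discretionary access control: every object has an owner, and only the owner
    may grant rights on it to other users."""

    def __init__(self):
        self.owner = {}
        self.acl = {}          # object -> {user: set of permitted actions}

    def create(self, user, obj):
        self.owner[obj] = user
        self.acl[obj] = {user: {"read", "write"}}

    def grant(self, granter, obj, grantee, action):
        if self.owner.get(obj) != granter:
            raise PermissionError(f"{granter} does not own {obj}")
        self.acl[obj].setdefault(grantee, set()).add(action)

    def allows(self, user, obj, action):
        return action in self.acl.get(obj, {}).get(user, set())


class Rbac:
    """Non-discretionary access control, here role-based: rights attach to roles, and a
    central administrator, not the data owner, decides which roles a user holds."""

    def __init__(self):
        self.role_perms = {}
        self.user_roles = {}

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def allows(self, user, perm):
        return any(perm in self.role_perms.get(r, ()) for r in self.user_roles.get(user, ()))


def authorize(dac, user, clearance, obj, label, action):
    """Assumed combined policy: a request passes only if the mandatory check and the
    discretionary check both allow it. Owning a file does not let a SECRET-cleared
    user write into it while it carries a PUBLIC label."""
    return mac_allows(clearance, label, action) and dac.allows(user, obj, action)


if __name__ == "__main__":
    store = DacStore()
    store.create("alice", "brief.txt")                  # alice owns a PUBLIC-labelled file
    store.grant("alice", "brief.txt", "bob", "read")
    print(authorize(store, "alice", Level.SECRET, "brief.txt", Level.PUBLIC, "read"))   # True
    print(authorize(store, "alice", Level.SECRET, "brief.txt", Level.PUBLIC, "write"))  # False: no write down
    print(authorize(store, "bob", Level.PUBLIC, "brief.txt", Level.PUBLIC, "write"))    # False: no DAC grant
```

The point of the combined check is that the models answer different questions: DAC asks whether the owner chose to share, MAC asks whether the labels permit the flow at all, and RBAC asks whether the user's job function carries the right. A layer that enforces only one of them leaves the other questions unasked.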

The other important layer is the physical security layer. Traditionally, security guards and locks were the primary means of physical security. Because of the human element involved, where negligence or ignorance leads to security threats, complementary controls such as biometric access (fingerprints, iris scans, etc.) and access through smart cards coupled with passcodes are implemented. Selecting an appropriate location for the organization's premises protects it from potential natural hazards such as floods. Secured electrical wiring with appropriate safety mechanisms, such as well-maintained earth pits, a UPS for regulated power, trip switches (circuit breakers), and fuses, provides substantial protection against electrical fires. Good practices such as not storing flammables like diesel, petrol, or other chemicals on the premises, and not storing easily flammable materials like empty cartons or large quantities of old paper, reduce the threat of fire. Proper visitor control and control over entry and exit points reduce the likelihood of physical intrusion or unauthorized physical access, sabotage, vandalism, espionage, theft, and destruction of systems. Employees who do not follow policy can let such threats through, tailgating being a very common issue at most organizations. Ignorance and incompetence, and a lack of awareness and training, lead to mistakes.

Layers of security provide complementary controls, which means that a threat not controlled by one layer is controlled by another, and vice versa. Some threats are controlled by several layers at once. Thus a layered approach, which is an integrated approach, provides better protection to the organization than a single layer. The controls built through the layered approach normally defend the organization against most threats.

This effectively means that a threat has to penetrate multiple layers before it takes effect.

"Defense-in-depth" builds on a layered security approach and complements it with additional mechanisms, especially for monitoring, alerting, and emergency response, including disaster recovery where applicable. This normally includes forensic analysis and the reporting of criminal activity, and where required it is complemented by auditing the activity of authorized personnel.¹ Normally, the defense-in-depth strategy monitors current activities and alerts you to imminent threats, enabling you to counter them through an emergency response or a quick recovery, whereas the multi-layered security control strategy delays the threat and provides time to react. For defense-in-depth to be effective, the speed at which traffic and data are monitored and analyzed, and at which alerts are communicated to the relevant tools or experts for further action, must be very high; otherwise the emergency response comes too late.¹ Furthermore, such tools should produce very few false alerts. A team of experts, such as a Computer Emergency Response Team (CERT), should be formed and trained to handle these alerts and to carry out the emergency response. Sometimes it is impossible to avoid or counter an attack, but alerts still need to be investigated immediately, which requires a forensic analysis capability in the organization. Since organizations cannot carry out a counter-offensive in response to an attack because of legal restrictions, particularly for attacks where the solution is not immediately known, it is advisable to involve agencies such as internet service providers or government security agencies (as appropriate to the gravity of the situation), so that the appropriate responses or corrective mechanisms can be identified and implemented at the earliest possible time.
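The monitoring and alerting that defense-in-depth adds to the layers, as an added example that is not from the book: a small Python detector reads SSH authentication log lines, raises one brute-force alert when a source address reaches five failures inside a sixty-second window, and raises a higher-priority alert when a successful login follows failures from the same source. The log lines, the format, the threshold, and the window are all constructed for the demonstration. The sliding window and the suppression of repeat alerts are there to keep the false-alert rate down, the property the text asks of such tools.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real capture): ISO timestamp, host, process, message.
SAMPLE_LOG = """\
2024-01-12T10:00:01 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
2024-01-12T10:00:02 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
2024-01-12T10:00:03 web1 cron[77]: pam_unix(cron:session): session opened for user root
2024-01-12T10:00:03 web1 sshd[815]: Failed password for root from 203.0.113.5 port 40124 ssh2
2024-01-12T10:00:04 web1 sshd[815]: Failed password for root from 203.0.113.5 port 40125 ssh2
2024-01-12T10:00:05 web1 sshd[819]: Failed password for root from 203.0.113.5 port 40126 ssh2
2024-01-12T10:00:06 web1 sshd[819]: Failed password for root from 203.0.113.5 port 40127 ssh2
2024-01-12T10:00:07 web1 sshd[823]: Accepted password for root from 203.0.113.5 port 40128 ssh2
2024-01-12T10:01:00 web1 sshd[830]: Failed password for dev from 198.51.100.7 port 51000 ssh2
2024-01-12T10:02:00 web1 sshd[831]: Failed password for dev from 198.51.100.7 port 51001 ssh2
2024-01-12T10:03:00 web1 sshd[832]: Failed password for dev from 198.51.100.7 port 51002 ssh2
2024-01-12T10:04:00 web1 sshd[833]: Failed password for dev from 198.51.100.7 port 51003 ssh2
2024-01-12T10:05:00 web1 sshd[834]: Failed password for dev from 198.51.100.7 port 51004 ssh2
2024-01-12T10:06:00 web1 sshd[840]: Accepted publickey for ops from 192.0.2.9 port 60000 ssh2
""".splitlines()

# Only sshd authentication outcomes are of interest; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")


def parse(line):
    """Return (timestamp, result, user, source_ip) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window_seconds=60):
    """Sliding-window detector. Returns a list of (alert_kind, source_ip, timestamp).
    brute_force            : `threshold` failures from one source inside the window,
                             raised once when the threshold is reached, not on every
                             further failure (keeps the alert stream readable).
    success_after_failures : a success from a source with recent failures, the
                             signal that most needs an immediate response."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)      # source ip -> timestamps inside the window
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, _user, ip = rec
        q = recent_failures[ip]
        while q and ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:
                alerts.append(("brute_force", ip, ts))
        else:
            if q:                             # success following failures: escalate
                alerts.append(("success_after_failures", ip, ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:24} {ip}")
```

On the sample log the detector raises exactly two alerts, both for 203.0.113.5: the brute-force alert at the fifth failure and the escalation when the sixth attempt succeeds. The five slow failures from 198.51.100.7, one per minute, never accumulate inside the window and produce nothing, and the ordinary key-based login from 192.0.2.9 is left alone.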

Various security frameworks are provided by standards, models, or methodologies.

Some of these are:

• An Information Security Management Systems Framework provided by Information Technology – security techniques – information security management systems – requirements (ISO/IEC 27001:2013) supported by Information Technology – security techniques – code of practice for information security controls (ISO/IEC 27002:2013) and related standards.

• NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View, complemented by NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.

• SABSA® ( SABSA® is a registered trademark of The SABSA Institute which governs and co-ordinates the worldwide development of the SABSA Method.)

None of them use the same layers, but all share the core layering concepts, depicted either directly or indirectly through means such as their control objectives.
