Friday, July 1, 2022

Principle of Information Security: Module 2 The Need for Information Security (Part 3)

Today’s organizations are under immense pressure to acquire and operate integrated, efficient, and capable applications. A modern organization needs to create an environment that safeguards these applications, particularly those that are important elements of the organization’s infrastructure—operating system platforms, certain operational applications, electronic mail (e-mail), and instant messaging (IM) applications, like text messaging (short message service, or SMS). Organizations acquire these elements from a service provider, or they implement their own. Once an organization’s infrastructure is in place, management must continue to oversee it and not relegate its management to the IT department.

To perform effectively, organizations must employ secure infrastructure hardware appropriate to the size and scope of the enterprise. For instance, a small business may get by in its start-up phase using a small-scale firewall, such as a small office/home office (SOHO) device.

In general, as an organization grows to accommodate changing needs, more robust technology solutions should replace security technologies the organization has outgrown. An example of a robust solution is a commercial-grade, unified security architecture device, complete with intrusion detection and prevention systems, public key infrastructure (PKI), and virtual private network (VPN) capabilities. Modules 8, 9 and 10 describe these technologies in more detail.

Information technology continues to add new capabilities and methods that allow organizations to solve business information management challenges. In recent years, we have seen the emergence of the Internet and the Web as new markets. Cloud-based services, which have created new ways to deliver IT services, have also brought new risks to organizational information, additional concerns about the ways these assets can be threatened, and concern for how they must be defended.

Around 500 B.C., the Chinese general Sun Tzu Wu wrote The Art of War, a military treatise that emphasizes the importance of knowing yourself as well as the threats you face. To protect your organization’s information, you must

  1. know yourself—that is, be familiar with the information to be protected and the systems that store, transport, and process it—and

  2. know your enemy; in other words, the threats you face.

To make sound decisions about information security, management must be informed about the various threats to an organization’s people, applications, data, and information systems. As discussed in Module 1, a threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss. Threat agents damage or steal an organization’s information or physical assets by using exploits to take advantage of vulnerabilities where controls are not present or no longer effective. Unlike threats, which are always present, attacks exist only when a specific act may cause a loss. For example, the threat of damage from a thunderstorm is present throughout the summer in many places, but an attack and its associated risk of loss exist only for the duration of an actual thunderstorm. The following sections discuss each of the major types of threats and corresponding attacks facing modern information assets.

To investigate the wide range of threats that pervade the interconnected world, many researchers have collected information on threats and attacks from practicing information security personnel and their organizations. While the categorizations may vary, threats are relatively well researched and understood.

