Information Security can often seem difficult and confusing. There are new threats almost every day. That means we all struggle to stay aware within both our online and physical environments. New threats and vulnerabilities call for vigilant updating of anti-virus/malware detection software, as well as patching applications and operating systems.
At the office, depending upon policy, much of this regular security maintenance is handled by the IT staff, and the changes are ‘pushed’ to your desktop, laptop or mobile device. The more invisible the better, for both our users and our IT staff:
• Most of us wouldn’t have the time to implement the many updates required and this can be fairly technical, too!
• The IT staff wants and needs to maintain version control for stability and security, while also managing software licenses across the enterprise.
• It’s best to have it all centrally controlled.
However, at the heart of most security efforts, whether at work, at home or on the road, there are a few fundamental principles which can be applied over and over again, boosting your awareness each time. (And yes, we know you may have heard or read this ‘over and over again’.)
Since the 1970s, classic wisdom holds that security is based upon the C-I-A triad:
1. Confidentiality: Keeping secrets secret and protecting information from those not authorized to access or see it.
2. Integrity: Ensuring that information is not altered without proper authorization.
3. Availability: Making systems and information available to authorized users when they need them.
This Classic Security Triad has valiantly stood the test of time, and despite many attempts to the contrary, is widely accepted as the foundation of all information security principles.
In many organizations, information security includes more than just the technology alone. Consider these two statements:
• Computers don’t attack computers. People attack computers.
• Cyberspace, the internet and organizational networks are not actually virtual. They are made up of physical objects we can touch and feel.
Thus, to achieve effective computer/information security, we need to overlap or integrate several security disciplines. The Integrated InfoSec Triad consists of:
• Physical Security
• Cyber Security
• People Security
The easiest way to think of this triad is P-C-P.
When organizations integrate the P-C-P domains into their strategy, effectiveness of all security levels is significantly increased. Mobile and home/personal environments benefit just as much as at work.
This approach is called synergy, a term popularized by Buckminster Fuller and meaning that the “whole is greater than the sum of the parts.” Synergistic results occur in information security when we combine seemingly dissimilar security disciplines.
[Figure: example security concerns mapped to the C-I-A properties they affect and the P-C-P domains they fall under. Items shown: Data Leaks, Accuracy, Email / SMS / IM, Power Outage, Phishing, User ID & Passwords, Infected Files or Websites, Messy Desk, Hard Copies, Patches & Updates, DDoS, Database Accuracy, Identity Theft, Network Congestion, Public Area Printers/Copiers, Trade Secrets.]
Physical Domain
In the physical domain, we can also apply the C-I-A triad. For example, confidentiality might relate to keeping the locations of power and communications lines secret. Availability might be about protecting power, cooling and network closets or data centers from disruption, including controlling who may enter them. Integrity could mean making sure that intruders do not breach the physical perimeter of your organization, where they could tamper with equipment or attach devices of their own.
Physical Security is absolutely critical to information security.
The following types of questions help partner Physical and Cyber security.
1. Who has physical access to computers in the offices, mission critical data centers, operations units and the floors where they reside, backup systems, and disaster recovery facilities?
2. Who has physical access to the power feeds, the voice, and network communications rooms?
3. Where is the backup and/or hot site facility? If the primary systems are destroyed, how fast can redundant sites be brought online?
4. How are generators and backup power supplies protected? Are mission critical systems all physically located at the same place or dispersed for maximum survivability?
A failure in any one of the above areas can cause tremendous trouble in day-to-day operations. These things are most likely kept totally transparent to you and your co-workers, handled by IT and your Physical Security departments, but the issues apply to any organization with information and data that must be managed and protected. Understanding the way it all fits into the big picture of security can certainly be helpful in creating your own individual awareness posture.
Cyber Domain
Enhanced physical security improves cyber security, and in many ways the two work together to yield stronger overall security. Examples include:
1. Using biometric identification for building and/or mission critical physical access. ID badges are not “Proof Positive” of anyone’s identity; they prove only that someone is holding the badge.
2. Matching the physical access control databases to a centralized network identification point. If an account is logged on at an office workstation but its owner has never entered the building that day, there is a potential security violation. Remote (VPN) sessions have to be accounted for separately, or the check produces false alarms.
3. Using location-dependent ‘Proximity Tags’ as a factor for network log-on. They work best combined with a PIN or password: a tag by itself can be lost, lent or cloned, so it should strengthen the password rather than replace it.
4. Never leaving power company, telephone company or other non-secure third-party personnel alone. If they arrive unexpectedly or without an appointment, keep them at the front desk, call their offices, and verify their identity and the reason they are there.
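One way to implement the badge-to-logon check in item 2, added here as an example and not part of the original article: it reads a badge-reader export and a network logon export (both formats and every record are constructed for illustration) and flags office logons whose user has no badge entry earlier that day, while skipping VPN sessions so that legitimate remote work does not trip the alarm.

```python
"""Correlate door-badge events with network logons.

Added example (not from the original article). It implements the check
described in the text: an account logged on at an office workstation while
its owner never badged into the building is a potential violation. The log
formats and all records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed badge-reader export: timestamp,user,reader,event
BADGE_LOG = """\
2024-03-04T07:52:10,alice,lobby-turnstile,ENTRY
2024-03-04T08:03:44,bob,lobby-turnstile,ENTRY
2024-03-04T08:35:12,erin,lobby-turnstile,ENTRY
2024-03-04T12:15:02,alice,lobby-turnstile,EXIT
"""

# Constructed network logon export: timestamp,user,host,location
# location is 'office' for a wired desk and 'remote' for a VPN session.
LOGON_LOG = """\
2024-03-04T08:01:30,alice,WS-ALICE-01,office
2024-03-04T08:10:05,bob,WS-BOB-02,office
2024-03-04T08:12:40,carol,WS-FLOOR3-07,office
2024-03-04T08:20:00,erin,WS-ERIN-04,office
2024-03-04T09:30:00,dave,VPN-GW-1,remote
"""


@dataclass
class Logon:
    when: datetime
    user: str
    host: str
    location: str


def parse_badge_entries(text):
    """Return {user: [datetime, ...]} of ENTRY events only; EXIT is ignored."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _reader, event = line.split(",")
        if event == "ENTRY":
            entries.setdefault(user, []).append(datetime.fromisoformat(ts))
    return entries


def parse_logons(text):
    """Return a list of Logon records in file order."""
    logons = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, location = line.split(",")
        logons.append(Logon(datetime.fromisoformat(ts), user, host, location))
    return logons


def find_ghost_logons(badge_text, logon_text):
    """Flag office logons with no badge ENTRY by the same user earlier that day.

    Remote (VPN) logons are skipped because they legitimately occur off-site.
    A logon that precedes the user's first badge-in of the day is flagged too,
    since it suggests tailgating or a shared credential.
    Returns (user, host, logon time) tuples in log order.
    """
    entries = parse_badge_entries(badge_text)
    flagged = []
    for lo in parse_logons(logon_text):
        if lo.location != "office":
            continue
        badged_before = [
            e for e in entries.get(lo.user, [])
            if e.date() == lo.when.date() and e <= lo.when
        ]
        if not badged_before:
            flagged.append((lo.user, lo.host, lo.when.isoformat()))
    return flagged


if __name__ == "__main__":
    for user, host, when in find_ghost_logons(BADGE_LOG, LOGON_LOG):
        print(f"ALERT: {user} logged on at {host} at {when} without a badge entry")
```

In the constructed data, carol is flagged because she never badged in, and erin is flagged because her logon at 08:20 precedes her badge entry at 08:35; alice and bob badged in before logging on, and dave's VPN session is ignored. In a real deployment the same logic runs against the badge system's export and the domain controller's logon events, joined on a common user identifier.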
People Domain
People security is the third, and may be the most important leg of the P-C-P Security Triad.
Ideally, all employees will make themselves active participants in corporate security and recognize that they are one of the most important ingredients in protecting data and networks.
The same C-I-A principles apply to the domain of people.
Confidentiality could mean keeping the identity, location, travel plans and job function of certain individuals private.
Integrity covers accuracy in your work as well as personal and operational integrity in your daily life. Social engineers can be seen as attempting to violate many aspects of security in the people domain.
Lastly, you need to be available to get to work, take care of your family or be reachable when required.
People can have the most profound impact on an organization’s security posture. Security awareness is really about behavior, because any kind of error can compound itself quickly in a networked environment. Common examples include:
1. Responding to potentially hostile emails.
2. Inappropriate social media behavior.
3. Careless handling of PII (Personally Identifiable Information).
4. Not recognizing all types of social engineering.
5. Poor password choices.
There is a long-running, late-night comedy TV show that is often referred to as “SNL”. Most of us have heard of it, know of it and may still watch it. Now take that acronym and it becomes the easy-to-remember triad for password security: S-N-L. Symbols, Numbers, Letters.
Passwords are supposed to provide secure access to networks and resources, and we must handle them with the greatest care. Passwords also protect your banking, shopping, and dozens of other personal online activities. Learning one good set of habits for creating passwords is highly recommended, and that’s where the S-N-L triad comes in. Symbols, numbers, and letters widen the character set an attacker has to search; combined with length (every additional character multiplies that search space), they are the ingredients of a strong password.
Accessing hardware and software resources usually consists of two steps.
• First you have to tell the system or web site “who” you are by entering your name, User_ID, email address, or other personal identification code.
• Secondly, a well-designed access control will then “challenge” you to authenticate your identity. Generally you do that by entering a strong, well-chosen password and, where the system offers it, a second factor such as a one-time code or hardware token.
Since many user identification methods are well known, such as a company email format, we must almost always assume that our User_ID is an open secret, found in an employee directory or on professional social media websites. Thus, passwords become even more important and must be protected at all times, in all places, at all costs.
One of the best tricks for making a password easy to remember and hard to guess is using the S-N-L triad method, a combination of:
• Symbols (%!*~>? etc.)
• Numbers (0-9)
• Letters (UPPER & lower case)
A favorite technique that security experts like to use is song titles, lyrics, book/movie titles, phrases, and other “easy to remember, hard to guess” character sequences. Then, you can apply a personal algorithm (a simple process and set of rules) to generate a fairly large number of access codes that are much easier to remember and harder to crack (or guess). Keep the rules to yourself and avoid obvious patterns: if one derived password leaks and the pattern is visible, an attacker can guess the others.
See how this might work below, where we’ve outlined a step-by-step approach to creating your own personal algorithm.
(At home, you can gauge the strength of your new S-N-L password at https://www.grc.com/haystack.htm. Never type a password you actually use into any web site, this one included; test a look-alike with the same length and mix of characters instead.)
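To make the search-space argument concrete, here is an added example (not from the original article or from the haystack page) that checks a candidate password for S-N-L coverage and computes the exhaustive-search space in bits, using the usual character-class sizes (26 lower, 26 upper, 10 digits, 32 symbols). The sample passwords are constructed. Running it shows that a 25-letter phrase with no symbols or numbers sits far above a five-character password that satisfies all three S-N-L classes, which is why length belongs alongside S-N-L.

```python
"""Measure S-N-L coverage and exhaustive-search space of a password.

Added example (not from the original article). It checks the S-N-L rule
(Symbols, Numbers, Letters) from the text and computes the size of the
search space an attacker must cover, the same model the 'haystack' page
uses. The sample passwords are constructed for illustration.
"""
import math
import string

SYMBOLS = set(string.punctuation)        # the 32 printable ASCII symbols
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)


def snl_classes(password):
    """Return the subset of {'S', 'N', 'L'} present in the password."""
    present = set()
    for ch in password:
        if ch in SYMBOLS:
            present.add("S")
        elif ch in DIGITS:
            present.add("N")
        elif ch in UPPER or ch in LOWER:
            present.add("L")
    return present


def missing_classes(password):
    """Which of the S-N-L classes the password still lacks."""
    return {"S", "N", "L"} - snl_classes(password)


def alphabet_size(password):
    """Characters an exhaustive search must try per position, given the
    classes the password uses (lower 26, upper 26, digits 10, symbols 32)."""
    size = 0
    if any(c in LOWER for c in password):
        size += 26
    if any(c in UPPER for c in password):
        size += 26
    if any(c in DIGITS for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += 32
    return size


def search_space_bits(password):
    """log2 of alphabet_size ** len(password).

    This is an upper bound on guessing work: it assumes the attacker tries
    every string of that length and alphabet. Dictionary words, song lyrics
    and reused personal patterns are far cheaper to guess than this suggests,
    so treat the number as a floor the password must clear, not a guarantee.
    """
    n = alphabet_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)


def report(password):
    """Summarise coverage and search space for one candidate password."""
    return {
        "length": len(password),
        "missing": sorted(missing_classes(password)),
        "alphabet": alphabet_size(password),
        "bits": round(search_space_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed candidates: a short S-N-L-compliant one versus long phrases.
    for pw in ["P@ss1", "correcthorsebatterystaple",
               "Correct-horse-battery-staple-42!"]:
        print(pw, report(pw))
```

"P@ss1" covers all three S-N-L classes yet reaches only about 33 bits of search space, while the 25-letter phrase with no symbols or numbers reaches about 118 bits; adding symbols and numbers to the long phrase pushes it past 200 bits. Use the S-N-L mix to widen the alphabet, but let length do most of the work, and remember that the estimate says nothing about how guessable a well-known lyric is.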
NOTE: This information is presented as an aid for creating and managing strong passwords. Please make