Information Security: A Coherent Approach
Information security is one thing every IT department has to deal with. But how can system administrators be certain that they’re tackling it in the most effective way? This article will go over the most common threats presented to system administrators and discuss the measures they need to take in order to protect themselves against attack.
In late 2007 a loose collaboration of infosec professionals from the security website noticebored.com and the iso27001security newsgroup decided to attempt to find a definitive answer to that question by pooling their extensive knowledge and experience. Their conclusion: a coherent and worthwhile approach requires those responsible for security to understand the key threats that exist for their systems, as well as the potential impact of falling victim to any of these. They also need a clear grasp of the particular vulnerabilities that expose their systems to these threats. Finally, they need to implement effective and prioritized measures to address the vulnerabilities and combat the threats.
Threat, impact and risk
Virtually all of the major threats identified by the group were malicious individuals or organizations with a direct interest in launching attacks against IT systems. These included members of criminal and terrorist organizations, individual cyber-criminals, malware authors, fraudsters, hackers and unethical business competitors. The group even went so far as to include nation-states as potential threats. However, there were exceptions to the "malicious outsider" profile of the typical threat.
Topping the overall threat list, significantly, is the threat posed by obligations under the prevailing legal and regulatory framework. Security professionals are clearly concerned at the prospect of being required by law to release sensitive data. There are few effective measures against such compulsion. The only other exceptions were natural disasters, such as storms and floods, and the threat posed by advances in technology itself, which will force obsolescence on all current encryption algorithms in the near future.
For the most part, however, it is necessary to understand the motivations of those who pose a threat to a system in order to counter them. These motivations must also be considered within the context of the variety of activities in which an organization is engaged. For example, a criminal or business competitor intent on seeking out specific information in order to commit fraud or blackmail poses a very different level of potential impact than the malware author or curious hacker whose sole intention may be to cause disruption or anxiety.
This is not to underestimate the potential impact of such disruption, but to help prioritize countermeasures according to the level of the most serious potential impact. At the other extreme, a nation-state may be in search of information that could pose a genuine threat to national security. If you are responsible for such information, this will clearly inform the extent and nature of your security controls.
A first step towards improving the suitability of a security strategy is often the gathering and analysis of this kind of information. This can assist an organization in identifying not just the threats to which it is most vulnerable, but those that carry the risk of greatest impact given the unique characteristics of the individual organization and its systems.
More By Bruce Coker