Information Security Handbook - Darren Death - E-Book

Description

Having an information security mechanism is one of the most crucial factors for any organization. An organization's important assets demand proper risk management and a threat model for their security, and so information security concepts are gaining a lot of traction. This book starts with the concept of information security and shows you why it is important.
It then moves on to modules such as threat modeling, risk management, and mitigation. It also covers the concepts of incident response systems, information rights management, and more. Moving on, it guides you in building your own information security framework as the best fit for your organization. Toward the end, you'll discover some best practices that can be implemented to make your security framework strong.
By the end of this book, you will be well versed in all the factors involved in information security, which will help you build a security framework that is a perfect fit for your organization's requirements.

You can read the e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 355

Year of publication: 2017




Information Security Handbook

Develop a threat model and incident response strategy to build a strong information security framework

Darren Death

BIRMINGHAM - MUMBAI

Information Security Handbook

Copyright © 2017 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: December 2017

Production reference: 1071217

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-78847-883-0

www.packtpub.com

Credits

Author: Darren Death
Copy Editor: Safis Editing
Reviewers: Abhinav Rai, Heath Renfrow
Project Coordinator: Judie Jose
Commissioning Editor: Gebin George
Proofreader: Safis Editing
Acquisition Editor: Heramb Bhavsar
Indexer: Pratik Shirodkar
Content Development Editor: Abhishek Jadhav
Graphics: Tania Dutta
Technical Editor: Mohd Riyan Khan
Production Coordinator: Aparna Bhagat

About the Author

Darren Death is an information security professional living in the DC metropolitan area. During his 17-year technology career, he has supported the private and public sectors at the local, state, and national levels. Darren has worked for organizations such as the Department of Justice, the Library of Congress, and the Federal Emergency Management Agency. Darren currently works for Arctic Slope Regional Corporation (ASRC) as its chief information security officer. In this role, Darren is responsible for the ASRC Enterprise Information Security program, managing information security across the 3 billion dollar ASRC portfolio, which spans many business sectors, including energy, financial services, hospitality, retail, construction, and federal government contracting.

Darren is very active in the information security community and can be heard at many conferences throughout the year speaking on many of the topics covered in this book. InfraGard is an organization dedicated to sharing information and intelligence in order to prevent hostile acts against the United States; in his role there, he teaches students the building blocks that go into establishing a successful information security program.

I would like to thank my amazing wife and children for putting up with me and sacrificing the time that it took to write this book. I would also like to thank the many executives that have walked alongside me throughout my career. These executives include: Leif Henecke, CIO at ASRC Federal; Ann-Marie Massenberg, Chief of Staff at the Office of Financial Management at the US Department of Transportation; Jonathan Alboum, CIO at USDA; Steve Elky, Director of IT Strategic Planning at the Library of Congress; Douglas Ament, CIO at the US Copyright Office; Kyle Holtzman, Deputy Assistant Director of Service Portfolio Management at the U.S. Department of Justice; and Oscar Jordan, Master Sergeant, United States Air Force. Without learning the valuable lessons that I learned from these professionals, I would not be where I am today. It is also because of these individuals that I strongly support and participate in mentoring opportunities for others who are starting in their IT careers and work to teach and spread what I have learned to others regarding IT and Information Security best practices.

About the Reviewers

Abhinav Rai has been associated with the information security profession and has experience in web application security, network security, mobile application security, web services security, source code review, and configuration audit. He is currently working as an information security professional.

He has completed his degree in computer science and his postgraduate diploma in IT infrastructure, systems and security. He also holds a certificate in communication protocol design and testing. He can be reached at [email protected].

Mr. Heath Renfrow has served as the Chief Information Security Officer for multiple global organizations, most recently as the CISO for United States Army Medicine, where he was awarded the 2017 Global CISO of the Year by EC-Council, the largest cyber training body in the world. Mr. Renfrow has 20 years of global cybersecurity experience and is considered one of the leading cyber experts today. He holds a Bachelor of Science in Information Technology and a Master of Science in Cyber Studies. Mr. Renfrow also holds numerous industry-leading certifications, including Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (C|EH).

All praise to my Lord and Savior, and as always a thank you to my loving and supportive wife, Kathy, as I would be nothing without both!

www.PacktPub.com

For support files and downloads related to your book, please visit www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www.packtpub.com/mapt

Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

Why subscribe?

Fully searchable across every book published by Packt

Copy and paste, print, and bookmark content

On demand and accessible via a web browser

Customer Feedback

Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1788478835/.

If you'd like to join our team of regular reviewers, you can e-mail us at [email protected]. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!

Table of Contents

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the color images of this book

Errata

Piracy

Questions

Information and Data Security Fundamentals

Information security challenges

Evolution of cybercrime

The modern role of information security

IT security engineering

Information assurance

The CIA triad

Organizational information security assessment

Risk management

Information security standards

Policies

Training

Key components of an effective training and awareness program

Summary

Defining the Threat Landscape

What is important to your organization and who wants it?

Compliance

Hackers and hacking

Black hat hacker

White hat or ethical hacker

Blue hat hacker

Grey hat hacker

Penetration testing

Hacktivist

Script kiddie

Nation state

Cybercrime

Methods used by the attacker

Exploits

Hacker techniques

Methods of conducting training and awareness

Closing information system vulnerabilities

Vulnerability management

The case for vulnerability management

Summary

Preparing for Information and Data Security

Establishing an information security program

Don't start from scratch, use a framework

Security program success factors

Executive or board support

Supporting the organization's mission

Rightsizing information security for the organization

Security awareness and training program

Information security built into SDLC

Information security program maturity

Information security policies

Information security program policy

Operational policy

System-specific policy

Standards

Procedures

Guidelines

Recommended operational policies

Planning policy

Access control policy

Awareness and training policy

Auditing and accountability policy

Configuration management policy

Contingency planning policy

Identification and authentication policy

Incident response policy

Maintenance policy

Media protection policy

Personnel security policy

Physical and environmental protection policy

Risk assessment policy

Security assessment policy

System and communications protection policy

System and information integrity policy

Systems and services acquisitions policy

Summary

Information Security Risk Management

What is risk?

Who owns organizational risk?

Risk ownership

What is risk management?

Where is your valuable data?

What does my organization have that is worth protecting?

Intellectual property trade secrets

Personally Identifiable Information – PII

Personal Health Information – PHI

General questions

Performing a quick risk assessment

Risk management is an organization-wide activity

Business operations

IT operations

Personnel

External organization

Risk management life cycle

Information categorization

Data classification looks to understand

Data classification steps

Determining information assets

Finding information in the environment

Disaster recovery considerations

Backup storage considerations

Types of storage options

Questions you should ask your business users regarding their information's location

Questions you should ask your IT organization regarding the information's location

Organizing information into categories

Examples of information type categories

Publicly available information

Credit card information

Trade secrets

Valuing the information and establishing impact

Valuing information

Establishing impact

Security control selection

Information security frameworks

Security control implementation

Assessing implemented security controls

Authorizing information systems to operate

Monitoring information system security controls

Calculating risk

Qualitative risk analysis

Identifying your organization's threats

Identifying your organization's vulnerabilities

Pairing threats with vulnerabilities

Estimating likelihood

Estimating impact

Conducting the risk assessment

Management choices when it comes to risk

Quantitative analysis

Qualitative risk assessment example

Summary

Developing Your Information and Data Security Plan

Determine your information security program objectives

Example information security program activities

Elements for a successful information security program

Analysis to rightsizing your information security program

Compliance requirements

Is your organization centralized or decentralized?

Centralized

Decentralized

What is your organization's business risk appetite?

How mature is your organization?

Helping to guarantee success

Business alignment

Information security is a business project not an IT project

Organizational change management

Key information security program plan elements

Develop your information security program strategy

Establish key initiatives

Define roles and responsibilities

Defining enforcement authority

Pulling it all together

Summary

Continuous Testing and Monitoring

Types of technical testing

SDLC considerations for testing

Project initiation

Requirements analysis

System design

System implementation

System testing

Operations and maintenance

Disposition

SDLC summary

Continuous monitoring

Information security assessment automation

Effective reporting of information security status

Alerting of information security weakness

Vulnerability assessment

Business relationship with vulnerability assessment

Vulnerability scanning

Vulnerability scanning process

Vulnerability resolution

Penetration testing

Phases of a penetration test

Difference between vulnerability assessment and penetration testing

Examples of successful attacks in the news

Point of sale system attacks

Cloud-based misconfigurations

Summary

Business Continuity/Disaster Recovery Planning

Scope of BCDR plan

Business continuity planning

Disaster recovery planning

Focus areas for BCDR planning

Management

Operational

Technical

Designing the BCDR plan

Requirements and context gathering – business impact assessment

Inputs to the BIA

Outputs from the BIA

Sample BIA form

Define technical disaster recovery mechanisms

Identify and document required resources

Conduct a gap analysis

Develop disaster recovery mechanisms

Develop your plan

Develop recovery teams

Establish relocation plans

Develop detailed recovery procedures

Test the BCDR plan

Summary

Incident Response Planning

Do I need an incident response plan?

Components of an incident response plan

Preparing the incident response plan

Understanding what is important

Prioritizing the incident response plan

Determining what normal looks like

Observe, orient, decide, and act – OODA

Incident response procedure development

Identification – detection and analysis

Identification – incident response tools

Observational (OODA) technical tools

Orientation (OODA) tools

Decision (OODA) tools

Remediation – containment/recovery/mitigation

Remediation – incident response tools

Act (Response) (OODA) tools

Post incident activity

Lessons-learned sessions

Incident response plan testing

Summary

Developing a Security Operations Center

Responsibilities of the SOC

Management of security operations center tools

Security operation center toolset design

Using already implemented toolsets

Security operations center roles

Log or information aggregation

Log or information analysis

Processes and procedures

Identification – detection and analysis

Events versus alerts versus incidents

False positive versus false negative/true positive versus true negative

Remediation – containment/eradication/recovery

Security operations center tools

Security operations center advantages

MSSP advantages

Summary

Developing an Information Security Architecture Program

Information security architecture and SDLC/SELC

Conducting an initial information security analysis

Purpose and description of the information system

Determining compliance requirements

Compliance standards

Documenting key information system and project roles

Project roles

Information system roles

Defining the expected user types

Documenting interface requirements

Documenting external information systems access

Conducting a business impact assessment

Inputs to the BIA

Conducting an information categorization

Developing a security architecture advisement program

Partnering with your business stakeholders

Information security architecture process

Example information security architecture process

Summary

Cloud Security Consideration

Cloud computing characteristics

Cloud computing service models

Infrastructure as a Service – IaaS

Platform as a Service – PaaS

Software as a Service – SaaS

Cloud computing deployment models

Public cloud

Private cloud

Community cloud

Hybrid cloud

Cloud computing management models

Managed service provider

Cloud service provider

Cloud computing special consideration

Cloud computing data security

Data location

Data access

Storage considerations

Storage types

Storage threats

Storage threat mitigations

Managing identification, authentication, and authorization in the cloud computing environment

Identification considerations

Authentication considerations

Authorization considerations

Integrating cloud services with the security operations center

Cloud access security brokers

Special business considerations

Summary

Information and Data Security Best Practices

Information security best practices

User accounts

Limit administrator accounts

Using a normal user account where possible

Least privilege/role separation

Password security

Least functionality

Updates and patches

Secure configurations

Step 1: Developing a policy that enforces secure configuration baselines

Step 2: Developing secure configuration baselines

Step 3: Integrating secure configuration baselines into the SDLC

Step 4: Enforcing secure configuration baselines through automated testing and remediation

Application security

Conducting a web application inventory

Least privileges

Cookie security

Web application firewalls

Implementing a secure coding awareness program

Network security

Remote access

Wireless

Mobile devices

Summary

Preface

Information security has become a global challenge that is impacting organizations across every industry sector. C-Suite and board level executives are beginning to take their obligations seriously and as a result require competent business-focused advice and guidance from the organization's information security professionals. Being able to establish a fully developed, risk-based, and business-focused information security program to support your organization is critical to ensuring your organization's success moving into the future.

In this book, we will explore what it takes to establish an information security program that covers the following aspects:

Focusing on business alignment, engagement, and support

Utilizing risk-based methodologies

Establishing effective organizational communication

Implementing foundational information security hygiene practices

Implementing information security program best practices

What this book covers

Chapter 1, Information and Data Security Fundamentals, provides the reader with an overview of key concepts that will be examined throughout this book. The reader will understand the history, key concepts, and components of information and data security. Additionally, the reader will understand how these concepts should balance with business needs.

Chapter 2, Defining the Threat Landscape, explains how understanding the modern threat landscape helps you, as the information security professional, develop a highly effective information security program that can mount a secure defense against modern adversaries in support of your organization's business/mission goals and objectives. In this chapter, you will learn how to determine what is important to your organization, the potential threats to your organization, the types of hackers/adversaries, the methods used by the hacker/adversary, and methods of conducting training and awareness as they relate to threats.

Chapter 3, Preparing for Information and Data Security, helps you learn the important activities required to establish an enterprise-wide information security program, with a focus on executive buy-in, policies, procedures, standards, and guidelines. Additionally, you will learn planning concepts associated with information security program establishment; information security program success factors; SDLC integration of the information security program; information security program maturity concepts; and best practices related to policies, procedures, standards, and guidelines.

Chapter 4, Information Security Risk Management, explains the fundamentals of information security risk management, which provides the main interface for prioritization and communication between the information security program and the business. Additionally, you will learn key information security risk management concepts; how to determine where valuable data is in your organization; quick risk assessment techniques; how risk management affects different parts of the organization; how to perform information categorization; security control selection, implementation, and testing; and authorizing information systems for production operations.

Chapter 5, Developing Your Information and Data Security Plan, covers the concepts necessary to develop your information security program plan. Your program plan will be a foundational document that establishes how your information security program will function and interact with the rest of the business. Additionally, you will learn how to develop the objectives for your information security program, the elements of a successful information security program, information security program business/mission alignment, information security program plan elements, and establishing information security program enforcement.

Chapter 6, Continuous Testing and Monitoring, explains that it is important for the information security professional to understand that vulnerabilities in information systems are a fact of life that is not going away anytime soon. The key to protecting the modern information system is continued vigilance through continuous technical testing. In this chapter, you will learn the technical testing capabilities at your disposal, testing integration into the SDLC, continuous monitoring considerations, vulnerability assessment considerations, and penetration testing considerations.

Chapter 7, Business Continuity/Disaster Recovery Planning, encompasses two separate but related disciplines that work together. Business continuity planning serves to ensure that an organization can effectively understand which business processes and information are important to the continued operations and success of the organization. Disaster recovery planning serves to develop a technical solution that supports the business needs of the organization in the event of a system outage. In this chapter, you will learn the scope and focus areas of the BCDR plan, and how to design, implement, test, and maintain the BCDR plan.

Chapter 8, Incident Response Planning, covers the incident response plan and procedures that your information security program implements to ensure that you have adequate and repeatable processes in place to respond to an information security incident that occurs against your organizational network or information systems. In this chapter, you will learn why you need an incident response plan, what components make up the incident response plan, tools and techniques related to incident response, the incident response process, and the OODA loop and how it can be applied to incident response.

Chapter 9, Developing a Security Operations Center, describes the security operations center, which serves as your centralized view into your enterprise information systems. The security operations center's goal is to ensure that this view is real-time, so that your organization can identify and respond to internal and external threats as quickly as possible. In this chapter, you will learn what comprises the responsibilities of the security operations center; security operations center tool management and design; security operations center roles, processes, and procedures; and internal versus outsourced security operations center implementation considerations.

Chapter 10, Developing an Information Security Architecture Program, explains that security architecture establishes rigorous and comprehensive policies, procedures, and guidelines around the development and operationalization of an information security architecture across the enterprise information technology deployed within an organization. Additionally, you will learn about incorporating security architecture into the system development life cycle process, conducting an initial information security analysis, and developing a security architecture advisement program.

Chapter 11, Cloud Security Consideration, covers cloud computing, which enables on-demand and ubiquitous access to a shared pool of configurable outsourced computing resources such as networks, servers, storage, and applications. In this chapter, you will learn cloud computing characteristics; cloud computing service, deployment, and management models; and special information security considerations as they relate to cloud computing.

Chapter 12, Information and Data Security Best Practices, presents a selection of best practices to help ensure the overall information security health of your organization's information systems. The topics covered in this chapter include information security best practices related to user account security, least functionality, updates and patching, secure configurations, application security, and network security.

What you need for this book

This book will guide you through the installation of all the tools that you need to follow the examples. You will need to install Webstorm version 10 to effectively run the code samples present in this book.

Who this book is for

This book is targeted at the information security professional looking to understand the key success factors needed to build a successful business-aligned information security program. Additionally, this book is well suited for anyone looking to understand the key aspects of an information security program and how they should be implemented within an organizational culture.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning. Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "The next lines of code read the link and assign it to the".

New terms and important words are shown in bold. 

Warnings or important notes appear like this.
Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of. To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message. If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/InformationSecurityHandbook_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books (maybe a mistake in the text or the code), we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title. To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the internet, please provide us with the location address or website name immediately so that we can pursue a remedy. Please contact us at [email protected] with a link to the suspected pirated material. We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.

Information and Data Security Fundamentals

Computers have been instrumental to human progress for more than half a century. As these devices have become more sophisticated, they have come under increasing attack from those looking to disrupt the organizations using them. From the first boot sector virus to advanced, highly complex, nation-state threats, the ability of an adversary to negatively impact an organization has never been greater. While the attacker has become more sophisticated, our ability to prepare for and defend against the attacker has also become very sophisticated. Throughout this book, I will discuss what it takes to establish an information security program that helps to ensure an organization is properly defended.

The first chapter will provide the reader with an overview of key concepts that will be examined throughout this book. The reader will learn the history, key concepts, and components of information and data security. Additionally, the reader will understand how these concepts should balance with business needs.

The topics covered in this chapter include the following:

Information security challenges

The evolution of cybercrime

The modern role of information security:

IT security engineering

Information assurance

The CIA triad

Organizational information security assessments

Risk management

Information security standards

Policies

Training

Information security challenges

The threats faced by today's organizations are highly complex and represent a real danger. Mounting an attack has become very simple due to many factors, including the following:

End users: End users of our information systems are prone to clicking on website URLs and launching attachments in emails.

Malware kits: DIY kits, sold by hackers, that let a buyer easily develop their own malware.

Cloud computing: Cheap and easy access to computing resources gives an attacker ready access to processing power.

Exploit subscription services: Underground services that an attacker can subscribe to in order to get the latest exploits.

An attacker can take these tools, string them together with tutorials found online (as well as their own knowledge and resources), and build a sophisticated attack that could affect millions of computers worldwide.

Modern computer systems were never really developed to be secure. From the very beginning, computers have had an inherent trust factor built into them. Designers did not take into account the fact that adversaries might exploit their systems to harvest the valuable assets they contained. Security, therefore, came in the form of bolt-ons or bandages for an inherent problem, and this continues to this day. If you look at a modern computer science program, cybersecurity is often not included. This leads us to the modern internet, overflowing with vulnerable software and operating systems that require constant patches because security has always been an afterthought. Instead of security being built into an information system from the beginning, we are faced with an epidemic of vulnerable systems around the world.

The computing power available to the average individual has greatly increased over the past few decades. This has resulted in an increase in sanctioned and unsanctioned personally owned devices processing organizational data and connecting to corporate networks. These unmanaged devices are often set up for the speed and convenience of a personal user and do not take into account the requirements of corporate information security.

Many organizations see information security as a hindrance to productivity. It is common to see business leaders, as well as IT personnel, avoid the discussion surrounding security for fear that security will prevent the corporation from achieving its mission. Implementing security within a project's Systems Development Life Cycle (SDLC) may be fought against, as team members may believe security will prevent a project from being completed on time, or view it as an impediment to the business's financial gain. Tools such as multi-factor authentication (MFA) or Virtual Private Networks (VPN) may be resisted because the business does not want to invest the capital for such solutions, not understanding the technology and how it would reduce the organization's cyber risk.

Overcoming these challenges requires that the information security leader has a strong understanding of the organization they work for and that communication is effectively maintained. The information security professional must integrate with all functional/business owners within their organization. This will allow the security professional to help determine the risk posture of each business area and help the business owner make sound risk-based decisions. Information security must offer solutions to the business leader's challenges rather than adding new challenges for the business leader to solve. Additionally, the information security professional must work and collaborate effectively with their counterparts in information technology. Many information security professionals focus on dictating policy without discussing what is actually needed. Work to foster a relationship where the information security group is sought out for answers rather than avoided.

Evolution of cybercrime

As computer systems have become integral to the daily functioning of businesses, organizations, governments, and individuals, we have learned to put a tremendous amount of trust in these systems. As a result, we have placed incredibly important and valuable information on them. History has shown that things of value will always be a target for a criminal. Cybercrime is no different. As people flood their personal computers, phones, and so on with valuable data, they put a target on that information for the criminal to aim for, in order to gain some form of profit from the activity. In the past, in order for a criminal to gain access to an individual's valuables, they would have to conduct a robbery in some shape or form. In the case of data theft, the criminal would need to break into a building and sift through files looking for the information of greatest value and profit. In our modern world, the criminal can attack their victims from a distance, and due to the nature of the internet, these acts most likely never meet retribution.

In the 1970s, we saw criminals taking advantage of the tone system used on phone networks. The attack was called phreaking: the attacker reverse-engineered the tones used by the telephone companies to make long distance calls.

In 1988, the first computer worm made its debut on the internet and caused a great deal of destruction to organizations. This first worm was called the Morris worm, after its creator Robert Morris. While this worm was not originally intended to be malicious, it still caused a great deal of damage. The U.S. Government Accountability Office in 1980 estimated that the damage could have been as high as $10,000,000.00.

1989 brought us the first known ransomware attack, which targeted the healthcare industry. Ransomware is a type of malicious software that locks a user's data until a small ransom is paid, after which a cryptographic unlock key is issued. In this attack, an evolutionary biologist named Joseph Popp distributed 20,000 floppy disks across 90 countries and claimed the disk contained software that could be used to analyze an individual's risk factors for contracting the AIDS virus. The disk, however, contained a malware program that, when executed, displayed a message requiring the user to pay for a software license. Ransomware attacks have evolved greatly over the years, with the healthcare field still being a very large target.

The 1990s brought the web browser and email to the masses, which meant new tools for cybercriminals to exploit. This allowed the cybercriminal to greatly expand their reach. Up until this time, the cybercriminal needed to initiate a physical transaction, such as providing a floppy disk. Now cybercriminals could transmit virus code over the internet to these new, highly vulnerable web browsers. Cybercriminals took what they had learned previously and modified it to operate over the internet, with devastating results. Cybercriminals were also able to reach out and con people from a distance with phishing attacks. No longer was it necessary to engage with individuals directly. You could attempt to trick millions of users simultaneously. Even if only a small percentage of people took the bait, you stood to make a lot of money as a cybercriminal.

The 2000s brought us social media and saw the rise of identity theft. A bullseye was painted for cybercriminals with the creation of databases containing millions of users' personally identifiable information (PII), making identity theft the new financial piggy bank for criminal organizations around the world.

This information coupled with a lack of cybersecurity awareness from the general public allowed cybercriminals to commit all types of financial fraud such as opening bank accounts and credit cards in the name of others.

Today we see that cybercriminal activity has only gotten worse. As computer systems have become faster and more complex, the cybercriminal has become more sophisticated and harder to catch. Today we have botnets, networks of private computers infected with malicious software that allow the criminal element to control millions of infected computer systems across the globe. These botnets allow the criminal element to overload organizational networks and hide the origin of the criminals:

We see constant ransomware attacks across all sectors of the economy

People are constantly on the lookout for identity theft and financial fraud

Continuous news reports regarding the latest point of sale attack against major retailers and hospitality organizations

The modern role of information security

The role that information security plays has changed over the years and today, with information security professionals being brought in at the executive level of organizations, they have become critical members that contribute to the overall success of business operations. When information security first became a discipline, its focus was all about securing IT configurations and putting security tools in place. As time has progressed, it became apparent that you cannot properly secure an IT environment without first understanding the needs of an organization's business leaders. Now, information security leaders work to ensure that the business maintains its ability to serve its customers by tying cybersecurity to the business' functions.

IT security engineering

IT security engineering is the application of security principles to information technology. In our modern world, this can mean just about anything, from a server to a refrigerator, once you start to consider the Internet of Things (IoT). So many new IP-addressable devices are being built daily, essentially making them mini-servers, which introduces potential vulnerabilities. Additionally, it is important to consider the security needs of devices that are non-networked or air-gapped. Non-networked, or air-gapped, environments still have the capability to communicate through out-of-band means, such as a USB thumb drive, allowing an attacker to communicate with them. A mature organization should have staff specifically tasked with information technology security concerns, working with business and information technology leadership to secure IT systems and protect the environment from attackers.

Information assurance

Information assurance is the act of working with business and IT leadership to ensure that the confidentiality, integrity, and availability requirements for a given asset are fully understood. Those requirements should be fully tested in a test environment prior to being integrated into the production environment, in order to ensure that they are secure and do not cause interoperability issues.

The activities associated with information assurance inform the activities associated with IT security regarding the specific technical controls needed to properly protect a given asset. Requirements are driven by the business/mission owner.

For example, a medical device might be deemed by a business/mission owner to be confidentiality-high, integrity-high, and availability-moderate (because staff can revert to old school medical techniques).

Relationship between Information Assurance and IT Security

The CIA triad

The CIA triad is a key tenet at the core of information security. This tool is used to help the information security professional think about how to best protect organizational data:

Confidentiality: Whether or not information is kept secret or private. Mechanisms such as encryption should be employed that render the data useless if it is accessed in an unauthorized manner.

Integrity: Whether the information is kept accurate. Information should not be modified in an unauthorized manner, and safeguards should be put in place that allow unauthorized changes to be detected in a timely manner.

Availability: Ensuring that information is available when it is needed. This control can be accomplished by implementing tools ranging from battery backup at the data center to a content distribution network in the cloud.
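The integrity safeguard described above, as an added example that is not from the book: a keyed baseline is taken over a constructed set of device records, and a later check reports any record that was modified, added, or removed. The records, the key, and the function names are assumptions made for this example; a keyed MAC (HMAC) is used instead of a plain hash so that someone able to alter the data cannot also recompute a valid tag.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the book): a small store of device
# records whose integrity the monitoring system wants to guarantee.
RECORDS = {
    "device-001": {"firmware": "4.2.1", "admin_users": ["alice"]},
    "device-002": {"firmware": "4.2.0", "admin_users": ["bob"]},
}

# Held only by the monitoring system. A plain hash could be recomputed by
# whoever changed the record; an HMAC tag cannot be forged without the key.
MONITOR_KEY = b"example-key-for-illustration-only"


def canonical(record):
    """Serialise deterministically so equal records yield equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_for(record, key=MONITOR_KEY):
    """HMAC-SHA256 tag over the canonical form of one record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def baseline(records, key=MONITOR_KEY):
    """Compute the integrity baseline: one tag per record name."""
    return {name: tag_for(rec, key) for name, rec in records.items()}


def check(records, tags, key=MONITOR_KEY):
    """Compare the current records against the baseline.

    Returns a sorted list of (name, finding) tuples, where finding is
    "modified", "added", or "removed". An empty list means no change.
    """
    findings = []
    for name, rec in records.items():
        if name not in tags:
            findings.append((name, "added"))
        elif not hmac.compare_digest(tags[name], tag_for(rec, key)):
            findings.append((name, "modified"))
    for name in tags:
        if name not in records:
            findings.append((name, "removed"))
    return sorted(findings)
```

Run the check on a schedule (or on every write) so that an unauthorized change is surfaced promptly rather than discovered after the fact.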

Organizational information security assessment

We must remember that information security is meant to complement the business/mission process, and that each process owner will have to determine what risk is acceptable for their organization. We, as information security experts, can only offer recommendations (fixes, mitigations, and so on); the business/mission owner is ultimately the individual who makes such decisions.

It is important to understand that in most cases, organizations must share information in today's digital economy in order to be successful. The key to a successful information security program is to properly categorize data and ensure that only those that are authorized to access the data have the rights to do so. This means that you need to look at data and your organization's staff members, business partners, vendors, and customers, and determine who should have access to the various types of data within your organization.

There are two main ways to conduct an assessment of your organization's IT and business processes as they relate to information security:

Internal assessment: An internal assessment can be viewed in two ways:

An initial assessment could be used to provide the context for the inclusion of a third-party assessment. This would be an appropriate course of action if your information security program lacked the skills to conduct a thorough information security assessment, or if your organization prefers third-party assessments over internal assessments.

If your organization does not require a third-party assessment, and if you have the resources and skills to complete an information security assessment, the internal information security program can conduct its own assessment.

Third-party assessment: A third-party assessment can be viewed in two ways:

A third-party assessment provides an objective view and can often be used to arbitrate between the information security group and IT operations. The third party brings in an unbiased observer to develop the organization's assessment, alleviating internal infighting.

While this has benefits over an initial assessment, it is usually the only mechanism for an assessment that is tied to compliance.

Recommendation: In my experience, the best way to start your information security program is to take a hybrid approach to conducting your initial assessment.

The following is an abbreviated example to begin the process of performing an internal assessment:

Conduct an initial internal assessment:

As an information security leader you need to understand the organization you work in:

Meet with business and IT leaders:

Depending on the business function of your organization, acquire all past audit reports (PCI, HIPAA, and so on) to determine what was found, what was addressed, what was not addressed, and so on.

Meet with subject matter experts.

Document areas for improvement and places where you can celebrate current successes.

Brief leadership on your findings.

Based on your findings recommend to leadership that a third party be brought in to dig deeper:

No matter the results of the internal review, a third-party validator should be brought in, at least on a biannual basis, to test your security program. This includes:

Information security program reviews.

Red team penetration test capability.

Conduct a third-party assessment:

Work with IT leadership and subject matter experts to discuss the purpose of the assessment:

Make sure that the assessment is non-punitive:

Ensure that everyone understands that you are conducting an assessment to build a plan and roadmap. The purpose is not to fire individuals or to point out mistakes.

Ensure that the third-party assessment has management buy-in and support:

Without top-level support (Board, CEO), it might be easy for individuals to ignore your assessors.

Ensure that the third party has access to the internal resources required:

Make sure that there is a clear plan and that this plan is communicated to everyone that will be involved in the assessment.

Conduct the assessment and produce the findings.

A plan of action and milestones should then be developed with each business owner, to allow those owners to build their strategies of risk management, risk acceptance, or risk transfer.