

Showing posts from 2014

2.2.6 Implement policies and procedures to prevent data loss or theft

Implement policies and procedures to prevent data loss or theft There is no “one size fits all” solution to information security. Security controls should be designed to fit the risk and backed by a robust set of policies and procedures and a well-trained user and staff base. The threat of data loss or theft is a risk to the organization, which typically responds by conducting a risk analysis and then applying appropriate risk management strategies. A risk analysis identifies the risk and plans a mitigation technique to manage it. Risk identification involves a systematic inventory of all assets and a cataloging of the vulnerabilities and threats against each asset. For example, the company’s Internet-facing web site is vulnerable if it is not properly isolated in a DMZ and if the backend database is not stored on redundant storage. The associated threats include hackers modifying the web pages and dat

2.2.5 Perform routine audits

Perform routine audits An audit is a formal and systematic assessment of how closely the organization’s assets and practices conform to its policies and procedures. There are various types of audits, including information security and financial audits. With respect to information security, routine audits must be performed periodically in order to maintain a secure environment. An information security audit is a formal review of how the confidentiality, integrity and availability of the organization’s information is protected. Formal security audits are typically conducted by outside agents with the full permission and cooperation of the organization. The scope of the audit should be defined in advance and should include all assets related to the organization’s information security, including: personnel databases email servers cloud passwords storage access control lists security policy network

2.2.4 User rights and permissions reviews

User rights and permissions reviews A privilege is a property of an agent, such as a user, while a permission is a property of an object, such as a file. A privilege lets the agent do things that are not ordinarily allowed, while a permission says which agents are permitted to use the object and what they are permitted to do (e.g. read it, modify it). ‡ Put another way, a privilege (or right) is an ability or activity that an account is allowed to perform based on who it is. One or more privileges are bundled together to form a role: a predefined set of privileges that aggregates everything required to perform a higher-level task. Permissions then grant users the right to perform the activities specified by the role on the object to which the role is assigned. Users are assigned privileges based on their roles or work activ
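A user rights and permissions review expressed as code, added here as an example and not taken from the original post. It uses the post's vocabulary: roles bundle privileges, accounts are assigned roles, and the review compares the permissions actually configured on each object (as you would export them from an ACL or a database grant listing) against what the account's roles say it should have, flagging privilege creep, missing rights, roles that no longer exist, and inactive accounts that still hold rights. The role catalogue, the accounts and the objects are constructed sample data.

```python
"""Added example (not from the original post): a user rights and permissions
review. Effective permissions are compared against the permissions the
account's roles grant. All roles, accounts and objects are constructed."""
from dataclasses import dataclass, field

# Assumed role catalogue: role -> object -> privileges the role grants on it.
ROLES = {
    "payroll_clerk": {"payroll_db": {"read"}},
    "payroll_admin": {"payroll_db": {"read", "write"}},
    "web_editor": {"public_site": {"read", "write"}},
}


@dataclass
class Account:
    name: str
    roles: frozenset
    # object -> privileges actually granted, as exported from the ACL/grant tables
    effective: dict = field(default_factory=dict)
    active: bool = True


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str
    detail: str


def expected_permissions(roles):
    """Union of everything the account's roles grant, object by object."""
    exp = {}
    for r in roles:
        for obj, privs in ROLES.get(r, {}).items():
            exp.setdefault(obj, set()).update(privs)
    return exp


def review_account(a):
    """Findings for one account; an empty list means the account is clean."""
    findings = []
    for r in sorted(a.roles - set(ROLES)):
        findings.append(Finding(a.name, "unknown_role", r))
    if not a.active and any(a.effective.values()):
        findings.append(Finding(a.name, "inactive_with_rights", ", ".join(sorted(a.effective))))
    exp = expected_permissions(a.roles)
    for obj in sorted(a.effective.keys() | exp.keys()):
        have = a.effective.get(obj, set())
        want = exp.get(obj, set())
        if have - want:   # rights no current role justifies: privilege creep
            findings.append(Finding(a.name, "excess", f"{obj}: {', '.join(sorted(have - want))}"))
        if want - have:   # rights the role promises but the object does not grant
            findings.append(Finding(a.name, "missing", f"{obj}: {', '.join(sorted(want - have))}"))
    return findings


def review(accounts):
    return [f for a in accounts for f in review_account(a)]


# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"payroll_clerk"}), {"payroll_db": {"read"}}),
    Account("bob", frozenset({"payroll_clerk"}), {"payroll_db": {"read", "write"}}),       # creep
    Account("carol", frozenset({"web_editor"}),
            {"public_site": {"read", "write"}, "payroll_db": {"read"}}),                   # creep
    Account("dave", frozenset({"payroll_admin"}), {"payroll_db": {"read", "write"}}, active=False),
    Account("erin", frozenset({"ex_contractor"}), {}),                                     # stale role
    Account("frank", frozenset({"payroll_admin"}), {"payroll_db": {"read"}}),              # missing write
]

if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS):
        print(f"{f.account:6} {f.kind:22} {f.detail}")
```

In practice the `effective` dictionaries come from whatever the objects actually enforce (filesystem ACLs, database grants, application role tables), not from the identity system's view of itself; the review is only meaningful when it compares two independent sources.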

2.2.1 Implement security controls based on risk

Implement security controls based on risk Assets like data have intrinsic value and therefore carry an associated risk of misuse. Misuse here is shorthand for the data falling into the wrong hands, being lost, being fraudulently modified, and so on. Security controls are the measures taken to protect assets from misuse. Risk is the potential that a specific action (or lack of action) will lead to a loss, where “loss” is an undesirable outcome. Where the risk is low, the controls protecting the asset can be minimal; where the risk is high, they should be elevated accordingly. The organization decides which controls to implement based on the likelihood and impact of the risk, and the controls it undertakes can range from minimal to elevated. Depending on the cost of mitigating the risk, the organization can follow one of the following risk management approaches: Risk Acceptance – is being fully aware of the risk and

3.2.18 Client-Side Attacks

Client-side attacks Because that’s where the money is. – Quote apocryphally attributed to bank robber Willie Sutton when asked why he robbed banks. People create structures to protect their persons and property from attack. As with most security mechanisms, it becomes an “arms race”: the attacker devises increasingly sophisticated measures to penetrate the defense, and the defenders improve their security posture to repel the penetration attempts. Nomadic humans first formed camps as a way to pool resources and protect each other from attacks by marauders and other hostile forces. As the attacks against the camps became more sophisticated, the protections evolved to repel the threat. Camps evolved into forts, forts became castles, castles grew into fortified towns, and so on. At each stage, the strength of the fortification becomes a deterrent to the attacker, who then casts about for more effective penetration techniques or an easier target. In computing

3.2.15 Malicious Insider Threat

Malicious insider threat We have met the enemy and he is us. – Walter Crawford Kelly, Jr. IT security professionals and laypeople alike are aware of the IT security threats posed by external forces such as hackers, malware, denial of service attacks, etc. Systems and policies to mitigate these “outsider” threats, such as firewalls, intrusion detection and prevention systems, antivirus software, etc., are well defined. However, these mitigations are largely ineffective against what several studies have recognized as a significant threat to an organization’s security: the malicious insider. † [Figure: Electronic Crimes most costly or damaging to an organization] Bob Bragdon, VP and publisher of CSO, puts it this way: “Cyber threats can come from outside and inside the organization. Public awareness has been largely focused on the more sensational successful cyber espionage attacks from nation-states, but the fact is insiders with malicious intent also p

3.2.14 Privilege Escalation

Privilege escalation In the context of computer security, privilege escalation is the unauthorized acquisition or exercise of elevated access to resources that are normally reserved for administrative or other authorized users or applications. Privilege escalation is a security violation enabled by a flaw in the configuration, services, installed software or operating system; it results in a regular user obtaining more access than the developer or the administrator intended. In November 2013, Microsoft issued a security advisory on a vulnerability that allowed privilege escalation on computers running Windows XP and Windows Server 2003. Security Advisory 2914486 reads in part, “The vulnerability is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or
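The advisory quoted above concerns a kernel flaw, which only a vendor patch fixes. The other class the post names, a flaw in the configuration, is something an administrator can find and fix directly. The following is an added example, not code from the original post: an audit of the filesystem misconfigurations that most commonly let an ordinary user on a Unix-like host gain root, namely unexpected setuid-root binaries, setuid binaries that others can overwrite, writable directories on root's PATH, and writable cron jobs. The setuid allowlist, root's PATH and the sample inventory are constructed assumptions; `inventory()` builds the same records from a live filesystem.

```python
"""Added example (not from the original post): audit for filesystem
misconfigurations that commonly enable local privilege escalation.
The allowlist, PATH and sample inventory below are constructed."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int   # st_mode as returned by os.lstat (type bits + permission bits)
    uid: int    # numeric owner


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str


# Assumption: setuid-root binaries this host is expected to carry.
SETUID_ROOT_ALLOWLIST = frozenset({"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd"})
# Assumption: directories on root's PATH. A writable one lets a user plant a
# binary that root later runs by name.
ROOT_PATH_DIRS = frozenset({"/usr/local/sbin", "/usr/local/bin", "/usr/sbin",
                            "/usr/bin", "/sbin", "/bin"})
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def check_entry(e):
    """Findings for one inventory record; empty list means nothing suspicious."""
    findings = []
    m = e.mode
    if stat.S_ISREG(m):
        if m & stat.S_ISUID and e.uid == 0 and e.path not in SETUID_ROOT_ALLOWLIST:
            findings.append(Finding("setuid_root_unexpected", e.path))
        if m & (stat.S_ISUID | stat.S_ISGID) and m & WRITABLE_BY_OTHERS:
            # whoever can write the file can replace the code that runs with elevated privilege
            findings.append(Finding("setuid_writable_by_others", e.path))
        if e.path.startswith("/etc/cron") and m & WRITABLE_BY_OTHERS:
            # cron runs these as root; a writable one is arbitrary code as root on a timer
            findings.append(Finding("cron_script_writable", e.path))
    elif stat.S_ISDIR(m):
        if e.path in ROOT_PATH_DIRS and m & WRITABLE_BY_OTHERS:
            findings.append(Finding("root_path_dir_writable", e.path))
    return findings


def audit(entries):
    return [f for e in entries for f in check_entry(e)]


def inventory(roots):
    """Build Entry records from a live filesystem (not used by the sample below)."""
    out = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for p in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                out.append(Entry(p, st.st_mode, st.st_uid))
    return out


# Constructed sample inventory, with one of each misconfiguration.
R, D = stat.S_IFREG, stat.S_IFDIR
SAMPLE = [
    Entry("/usr/bin/sudo", R | stat.S_ISUID | 0o755, 0),            # expected setuid root
    Entry("/opt/backup/bkp", R | stat.S_ISUID | 0o755, 0),          # unexpected setuid root
    Entry("/usr/local/bin/helper", R | stat.S_ISUID | 0o777, 0),    # setuid root and world-writable
    Entry("/usr/local/bin", D | 0o777, 0),                          # writable dir on root's PATH
    Entry("/etc/cron.daily/cleanup", R | 0o666, 0),                 # world-writable cron job
    Entry("/tmp", D | stat.S_ISVTX | 0o777, 0),                     # sticky and not on PATH: fine
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.kind:28} {f.path}")
```

On a real host run `audit(inventory(["/usr", "/etc", "/opt"]))` as root so that every file is readable; the checks are intentionally conservative (they ignore group membership and ACLs) and are meant to produce a short list worth inspecting by hand, not a verdict.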