Choose two technical controls and discuss how they are used to protect the CIA of information systems: Confidentiality, integrity and availability (CIA)
Information security is the practice of defending and protecting the CIA properties of information. This is done by preventing the attacks that can be mounted against information, whether it is in transit or at rest. These include unauthorized access and other active attacks that aim at manipulating the original text, thereby compromising its integrity. A compromise of the availability of information is made possible by denial of service attacks.
As far as information security is concerned, confidentiality is about setting policies that effectively prevent people not entitled to information from using it. This can be achieved through security mechanisms such as encryption of passwords and data, especially when their use and transmission involves the internet. If people for whom the information was not meant gain access to it, then confidentiality is compromised.
Integrity refers to the need to uphold and successfully maintain accuracy and
In information security, data integrity means maintaining and assuring the accuracy and consistency of information throughout its life cycle, from creation to disposal. For information to have integrity, it should have withstood any attempts at manipulation and kept its original state to the very end of its life cycle. If the information contained in packets in transit is manipulated, then the information loses its integrity.
Then there is availability as a value of information. This is about information being accessible to the right people, in the right state and at the right time. Information systems should withstand disruptions and denial of service scenarios so that information is available for use at all times. Availability of information is normally compromised by denial of service attacks.
In order to protect and uphold the CIA properties of information, some controls need to be put in place by the organizations concerned. These security controls are commonly categorized, and the first category is administrative controls, also called procedural controls. These are the policies, standards and procedures defined and used to protect the security of information in an organization. They serve as the basis on which other controls operate, since implementing a security mechanism means it must conform to the standards and policies already set. These can be in-house frameworks or universal frameworks that call for certification of an organization; ISO certification is a good example.
Another set of security controls are the logical controls, commonly referred to as technical security controls. These are entirely software based and make use of various applications to ensure effective monitoring, maintenance and access control for information. Some of the most often used technical controls are passwords for authentication, firewalls, encryption of data, intrusion detection mechanisms and access control lists.
Encryption is the transformation of text from plain text to cipher text. This is made possible by a process known as cryptography. In this process, keys are used to turn the data into a form that cannot be understood without being decoded back into plain text. The sender uses a key to encrypt the data before transmission and, on receipt, the receiver uses the corresponding key to decrypt it. There are two forms of encryption, asymmetric and symmetric. One form makes use of two keys, one private and one public, while the other uses a single key for both encryption and decryption.
Discuss the policies, procedures, plans, and processes involved in security governance.
There are many dimensions of administrative controls that can be implemented in an organization. These can be security policies, password related policies, recruitment policies and also policies meant to uphold the standards of discipline in an organization.
Information security policies and procedures apply in diverse areas that affect the security of information and of systems. These include security, operational, technical, networking, management, administrative and communication matters. Because IT standards are universal, frameworks with international standards have been built to oversee this sensitive sector (Wessel, 2010).
The existence of various frameworks in charge of IT has been both good and bad. It is good since it protects end users from compromised policies, yet it is bad since many users want to choose the framework that suits their interests and apply its policies, which are not consistent across the various frameworks.
The common frameworks whose policies and procedures are commonly referenced in the event of decision making include ISO 27002, NIST, ITIL and COBIT.
ISO 27002, produced by the International Standards Organization, focuses on the security of information: how it can be achieved, its importance and the rules governing it. Its main areas of focus are risk assessment, security policies, governance issues, human resources security and the environment, among others.
It has an upper hand over other frameworks and has been widely accepted by most organizations that have put it into practice. It is also advantaged in that it provides for security controls that are necessary in risk assessment.
ISO 27002 however has some weaknesses. These mainly concern the policies that it gives. Among the major weaknesses is its failure to be liable: the framework does not take responsibility for, and is not answerable to, its in-built shortcomings that may affect the organizations adopting it.
Preserving confidentiality, integrity, and availability of data is a restatement of the concerns over interruption, interception, modification and fabrication. Discuss how these groups of concepts relate to one another and to risks to the organization.
Ensuring the security of information calls for more than protecting the systems and laying down standards. Security experts should be aware of the different possible attacks whose success can greatly compromise the CIA properties of information. The following concepts are common in discussions concerning the security of information systems.
Interruption describes various attacks whose aim is to compromise the availability of information. A good example of an interruption attack is denial of service, which renders both the system and its services unavailable to its users. A recent interruption scenario was experienced at wordpress.com, where the site was not available to its users for a period of time.
Interception is another concept in information security. It is about unauthorized users successfully maneuvering their way into systems and consequently gaining access to information. This can be made possible through hacking and cracking of passwords, eavesdropping and sniffing of packets on a network.
Just as the name suggests, modification is a type of attack whose major aim is to manipulate information, thereby compromising its integrity. This can be made possible by a man in the middle attack, where the attacker modifies the original message. The attacker then stays in the middle of the conversation and modifies the responses and the entire communication to suit the original modification, so that the parties concerned will not be suspicious. Intentional delivery of information to an unauthorized user is also an aspect of modification.
Fabrication is an attack that manifests itself as a counterfeit. It is made possible by successfully bypassing authentication stages, such as the input of passwords, to gain access. Fabrication can also be carried out through impersonation or even through social engineering.
Discuss the effects of connectivity to the internet and new technology on an organization in terms of risks, threats, vulnerabilities, crime, etc.
Advancement in technology and the shift towards globalization made possible by the internet have served as a loophole for more attacks, threats and vulnerabilities. This is because security experts have not been keen enough to raise security standards in line with the advanced technologies. Cyber crime has been on the rise in the recent past, greatly compromising the confidentiality and privacy of internet and system users. Digital privacy is gradually becoming extinct with the increased use of the internet and of advanced technologies. Through the simple facts of GPS location and access to private information stored on a network, technology users are rendered vulnerable. Locating individuals at any given time is no longer a hurdle, as long as they are internet users.
Most attacks are also made possible over the internet. A good example is virus attacks that are developed as an imitation of good and attractive programs. These are then presented to internet users as nice programs or documents whose use compromises the security of a system. Social threats have also emerged with the rise of the internet. This is common among young people on social media, where one could investigate them without their knowledge. Research also indicates that many young people are prone to stress over social media.