That being said, the nature of my profession makes me a little bit more attuned to information security issues than perhaps the next guy (maybe not guys sitting right next to me as I write this considering that they do the same work as I do, but perhaps the next guy in the mall or something) and whether I like it or not it becomes part of my nature. To me, thinking about threat, vulnerabilities and risks is about as natural as breathing. This fact, however, is not true to majority of digital innovators and users out there.

Security often takes a back seat behind functionality and ease of use. Often times the key decision points on the marketability of the product relies upon the functionality and the ease of use of that particular product. How secure that product is (unless it is of course a security product) is often an afterthought. Market forces demands this and the bad guys knows this. Facebook for example did not become famous because it assured its users their privacy or that their account are secure, it became the leading social network engine in the Internet because of all the functionalities that it offers and how easy it is to use.

You can imagine these three key facets of security, functionality and ease of use in the form of a triangle wherein each facet represents a corner of the triangle. Now imagine placing an imaginary ball inside that triangle and as you move the ball closer to one corner the farther it gets from the other two corners. What this essentially means that the more you focus on security for example, you will often sacrifice functionality and ease of use and likewise you sacrifice security if you focus on either of the other two.

In essence security is inversely proportional to functionality and ease of use. More of than not there is always the tendency to sacrificing security in favor of either of the two facets even though in the back of our head there could be potential trouble. What that potential trouble could be is often pretty hard to easily see or decipher and hence we assume that it is worth the risk.

So after that long intro, let’s get back into the meet of this topic. So really, “Why Information Security?” (The security guy in me just yelled out “D-uh!”, but I’ll ignore him).

There are obviously a multitude of answers to this question. I can imagine that even your everyday non-infosec person can probably list out a good number of reasons, so I won’t dwell on each of them with specificity, but rather I’ll try present it abstractly in the context of what security professionals call the Information Security Triad or 3 Key Elements of Information Security: Confidentiality, Integrity and Availability also known as the CIA of Security.

Not that you can just simply Google the definition for these three, but I’ll be the good blogger and define them for you and besides it helps build this blog’s keyword ranking, or so I hope:

• Confidentiality
  • According the International Organization of Standardization (ISO) in ISO-17799, which can technically say as the InfoSec bible, confidentiality is defined as “ensuring that information is accessible only to those authorized to have access.” In other words, keeping your secret a secret and not ending up in Wikileaks or something to that effect.
• Integrity
  • According to the Virginia Tech website, integrity is concerned with the protection against unauthorized modification or destruction of information. A state in which information has remained unaltered from the point it was produced by a source, during transmission, storage, and eventual receipt by the destination. In the simplest of terms, imagine a poster of a famous politician and a vandal came in drew a Pancho Villa mustache on the image. Now imagine a hacker having the ability to change a message. Julian Assange sends an e-mail to the President, “I would like to surrender.” Instead, the President receives, “I think you look good in suspenders.” Not cool.
• Availability
  • In simplest of terms, it is primarily concerned with ensuring that information is available to those who need access to the information and are allowed to access the information. Imagine wanting to check your credit card balance or wanting to pay your credit card debt online before you get dinged by the interest and late fees, only to realize that the site is down because it was targeted by Wikileaks supporters for denial-of-service.

I have mentioned Wikileaks several times in the previous paragraph because the recent news about this organization presents a really good case study on answering the question of “Why Information Security”.

• Confidentiality – no disclosure of data
• Integrity – no alteration of data
• Availability – no destruction of data

Common Remote Connections

• xDSL – Digital Subscriber Line
• Cable Modem
• Wireless
• ISDN – Integrated Services Digital Network

Common Tools in Securing External Remote Connections

• VPN – Virtual Private Network
• SSL – Secure Socket Layer
• SSH – Secure Shell

Technologies for Remote Access Authentication

• RADIUS –  Remote Authentication Dial In User Service – is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect and use a network service. RADIUS was developed by Livingston Enterprises, Inc., in 1991 as an access server authentication and accounting protocol and later brought into the IETF standards. (Source: http://en.wikipedia.org/wiki/RADIUS)
• TACACS – Terminal Access Controller Access-Control System - is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. (Source: http://en.wikipedia.org/wiki/TACACS)

Planning to take the CISSP Exam? Get a copy of my personal notes (300plus pages worth) that I used to pass the exam for only $25.00. Click the Add To Cart Button to Purchase Plus you will also get copies of notes from other CISSPs. Learn more about this package by visiting this blog entry: CISSP REVIEW NOTES I USED TO PASS THE EXAM. CLICK BELOW TO MAKE YOUR PURCHASE NOW. All Purchases are securely processed through Paypal. Once you click the button please check your shopping cart at the upper right hand side of the page to complete your order. IMPORTANT NOTICE: I MANUALLY REVIEW ALL ORDERS. SO ONCE YOU PURCHASE THE PRODUCT, THERE WILL BE SOME DELAY ON YOU RECIEVING AN E-MAIL FROM ME WITH THE LINK TO THE DOWNLOAD AREA OF THE PRODUCT. YOU WILL GET A RESPONSE FROM ME WITHIN 24-48 HOURS.

Types Remote Node Authentication

• PAP – Password Authentication Protocol – clear text
• CHAP – Challenge Handshake Authentication Protocol – protects password

Remote User Management

• Justification of remote access
• Support issues
• Hardware & software distribution

Intrusion Detection Process

• Notification
• Remediation

Remote Access Security Management focuses in the creation of:

• Host and networked based monitoring
• Event notification
• CIRT – Computer Incident Response Team
  • CIRT Performs
    • Analysis of event
    • Response to incident
    • Escalation path procedures
    • Resolution – post implementation follow-up

Confidentiality – ensure that information is not disclosed to unauthorized person

Integrity

• Prevention of modification by unauthorized users
• Prevention of unauthorized changes by otherwise authorized users
• Internal and external consistency
  • Internal consistency within the system (i.e. within a database the sum of subtotals is equal to the sum of all units)
  • External consistency – database with the real world (i.e. database total is equal to the actual inventory in the warehouse)

Availability – ability of authorized personnel to access information on time and as necessary

Planning to take the CISSP Exam? Get a copy of my personal notes (300plus pages worth) that I used to pass the exam for only $25.00. Click the Add To Cart Button to Purchase Plus you will also get copies of notes from other CISSPs. Learn more about this package by visiting this blog entry: CISSP REVIEW NOTES I USED TO PASS THE EXAM. CLICK BELOW TO MAKE YOUR PURCHASE NOW. All Purchases are securely processed through Paypal. IMPORTANT NOTICE: I MANUALLY REVIEW ALL ORDERS. SO ONCE YOU PURCHASE THE PRODUCT, THERE WILL BE SOME DELAY ON YOU RECIEVING AN E-MAIL FROM ME WITH THE LINK TO THE DOWNLOAD AREA OF THE PRODUCT. YOU WILL GET A RESPONSE FROM ME WITHIN 24-48 HOURS.