An Overview of Corporate Information Security

Combining Organisational, Physical & IT Security.

By Seán Boran

December 13, 1999.  This article presents an overview of corporate information security, not just in a computer/network context, but also considering social and physical aspects.

Checklists are provided to help you draw analogies to your own corporate environment.

We welcome your feedback on this article.


Security involves prevention, detection, response, monitoring and review measures to reduce perceived risks to acceptable levels. These measures need to be uniform and continuous in domains such as Social/Personal, Computer/Network and Physical.

This article divides up explanation of corporate information security into:

  1. Information Domains
  2. Domain Interfaces
  3. Threats
  4. Sources of threats
  5. Countermeasures
  6. Effects of applied countermeasures

Glossary
Further reading


1. Information domains

Understanding corporate security is about understanding what the key assets in the company are. Today, the key asset is often information. But information alone is not enough: knowledge of how to use valuable information is needed to provide a competitive edge. The value of information may depend on it being secret and accurate.

Information can take many forms, hence methods of securing information are various. Instead of dividing information into categories based on content, consider analysing threats to information (and hence its protection) on categories based on methods of processing / storing.
Three "information domains" are defined:

[Figure security_space1.gif: the three information domains]

  1. Physical: Traditionally information is "written down" and stored somewhere (e.g. a box, safe, diskette, or computer). Classical security concentrates on physical protection: buildings, server rooms, access controls etc.
  2. Social/Personal: Successful organisations realise the value of their personnel, the knowledge they hold in their heads and the capability to use that knowledge to corporate advantage.
  3. Logical or Network: Information is also stored on computers and accessed via networks. Documents can be stored "somewhere on the net" and referenced by users through URLs, UNCs or other abstract notions. The actual location of the data is often unknown to the user, who assumes it is on a server "somewhere". The difference between Internet and Intranet may not be obvious to end users. With this abstraction comes a certain loss of accountability and responsibility.

Domain Interfaces

Each of these domains contains interfaces to the outside world.

[Figure security_space2.gif: the three domains and their numbered interfaces to the outside world]

This may look overwhelming at first, so let's look at the domains one by one. The buzzwords are explained in the glossary at the end of the article if they are new to you; they're just networking technologies.
The numbers in brackets below refer to numbered interfaces above.

Threats

The domain interfaces can be subject to various types of threats, for example:

These threats can result in critical information being lost, copied, deleted, accessed or modified, or services no longer functioning (loss of confidentiality, integrity or availability).

Sources of threats

Before deciding on safeguards to counter the threats listed above, consider:

The nature of the threat. The attacker's resources (financial, technical, time), degree of motivation and ease of access should all be considered. For example, most would expect frequent attacks from the Internet, so firewalls between the Internet and Intranet are common. The media often remind us of the exploits of crackers, but what of the disgruntled employee who has access to critical systems for his daily work? What of the manager with a gambling habit who is tempted to embezzle to pay debts? Attacks by Internet crackers may be frequent and technically interesting, but they are rarely as financially damaging as deliberate misuse of systems by employees.

Information lifetime. How is information generated, stored, processed, copied, printed and destroyed?

Information aging. How does time affect the information? For example, a new price list is sensitive before publication but is then published to the world; it also replaces the old price list, which becomes useless.

Nature: The likelihood of natural disasters.

Countermeasures

Security measures are needed to reduce risks to an acceptable level. If we assume that a possible attacker is external to the organisation, possible measures that could be taken at each of the interfaces (listed in green in the diagram above) are:

Measures for Logical or Network Interfaces:

Technical mechanisms:

The following is a list of mechanisms relevant to specific interfaces. Note that hardening, resource isolation, reliability measures and monitoring/auditing are useful on all interfaces.

(0) Authentication

(1) Strong authentication of users, possibly encryption

(2) All mechanisms

(3) Authentication of users or computers, access control, possibly encryption.

(4) Encryption

Measures for Social / Personal Interfaces:

Measures for Physical Interfaces:

Assurance / constant vigilance:

Countermeasures against internal attack

On the other hand, if the primary source of attack is expected to be internal (whether malicious or accidental), the focus changes, since attackers might be authorised to bypass access control mechanisms:

  1. Social / Personal:
  2. Logical or Network measures:

Effects of applied countermeasures: Improved Security Properties

Security measures will improve security properties, such as

Assurance: Confidence that security measures are correctly implemented and that a system will behave as expected.

Identification / Authentication: When users or programs communicate with each other, the two parties verify each other's identity, so that they know who they are communicating with.

Accountability/Audit Trail: The ability to know who did what, when and where. Users are responsible and accountable for their actions. Automatic audit trail monitoring and analysis can detect security breaches.

Access Control: Access to specified resources can be restricted to certain entities.

Object Reuse: Objects used by one process may not be reused or manipulated by another process such that security may be violated.

Accuracy / Integrity: Objects (information and processes)  are accurate and complete.

Secure information exchange: Information transmitted adheres to expected levels of authenticity, confidentiality, and non-repudiation.

Reliability / Availability: Information and services are available when needed.
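As an added example (not from the original article) of the accountability / audit trail property above, the following Python script parses a set of constructed audit records, builds a who-did-what summary, and runs two simple analyses over the trail: a login success preceded by a burst of failures from the same user and host, and sensitive actions performed outside working hours. The log format, field names, thresholds and sample lines are all assumptions made for the illustration; malformed lines are counted rather than silently dropped, since a gap in the trail is itself something the reviewer should know about.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed audit records (not real data) in an assumed format:
# "<ISO-8601 timestamp> <host> <user> <action> <object> <success|failure>"
SAMPLE_LOG = """\
1999-12-13T08:55:10 fs01 alice read /finance/pricelist.xls success
1999-12-13T09:01:42 fs01 bob login - failure
1999-12-13T09:01:51 fs01 bob login - failure
1999-12-13T09:02:03 fs01 bob login - failure
1999-12-13T09:02:20 fs01 bob login - success
1999-12-13T09:05:00 fs01 bob read /finance/pricelist.xls success
1999-12-13T23:40:12 fs02 carol modify /hr/salaries.xls success
1999-12-13T23:41:05 fs02 carol copy /hr/salaries.xls success
1999-12-13T10:15:00 db01 dave delete customers.tbl success
this line is garbage and must not crash the analyser
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (success|failure)$")


def parse(log_text):
    """Turn raw lines into records answering who / what / when / where.
    Malformed lines are counted, not ignored: a hole in the trail matters."""
    records, malformed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        ts, host, user, action, obj, outcome = m.groups()
        records.append({
            "when": datetime.fromisoformat(ts), "where": host, "who": user,
            "what": action, "object": obj, "outcome": outcome,
        })
    records.sort(key=lambda r: r["when"])  # analyses below assume time order
    return records, malformed


def summarise_by_user(records):
    """Who did what: a count of actions per user (the basic accountability view)."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["who"]][r["what"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def detect_brute_force(records, max_failures=3, window_seconds=120):
    """Flag a login success preceded by >= max_failures failures from the same
    user on the same host within window_seconds (guessing that eventually worked).
    Thresholds are assumptions; tune them to the environment."""
    failures = defaultdict(list)   # (user, host) -> timestamps of recent failures
    findings = []
    for r in records:
        if r["what"] != "login":
            continue
        key = (r["who"], r["where"])
        if r["outcome"] == "failure":
            failures[key].append(r["when"])
            continue
        recent = [t for t in failures[key]
                  if (r["when"] - t).total_seconds() <= window_seconds]
        if len(recent) >= max_failures:
            findings.append({"who": r["who"], "where": r["where"],
                             "failures": len(recent), "when": r["when"].isoformat()})
        failures[key] = []         # a success closes the sequence
    return findings


def detect_after_hours(records, start=time(7, 0), end=time(19, 0),
                       sensitive=("modify", "copy", "delete")):
    """Flag sensitive actions outside the assumed working day [start, end)."""
    return [
        {"who": r["who"], "what": r["what"], "object": r["object"],
         "when": r["when"].isoformat()}
        for r in records
        if r["what"] in sensitive and not (start <= r["when"].time() < end)
    ]


def analyse(log_text):
    """Run the whole pipeline and return one report dictionary."""
    records, malformed = parse(log_text)
    return {
        "records": len(records),
        "malformed": malformed,
        "by_user": summarise_by_user(records),
        "brute_force": detect_brute_force(records),
        "after_hours": detect_after_hours(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the sample trail the report shows bob's three failed logins followed by a success within two minutes, and carol's modify and copy of a salary file late at night; dave's delete is inside working hours and is left to the per-user summary. The point of the example is that a trail only provides accountability if someone (or something) actually reads it and asks questions of it; the thresholds and the definition of "sensitive" are policy decisions, not properties of the log.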

Summary

Knowledge and information are the most important assets of many companies, and they need protection. Information can take many forms, hence methods of securing information are various.

Consider analysing threats to information based on:

Coordinated countermeasures should help provide a continuous, uniform level of security that reduces risks to an acceptable level:


Glossary

URL  What you type in a Web browser to get to a site (Uniform Resource Locator).
UNC  The way Microsoft names network file shares (Universal Naming Convention).
Security  Protection of assets (information, systems and services) against disasters, mistakes and manipulation, so that the likelihood and impact of security incidents is minimised.
Confidentiality  Sensitive business objects (information and processes) are disclosed only to authorised persons.
Integrity  The business need to control modification of objects.
Availability  The need to have business objects (information and services) available when needed.
Threat  A danger which could affect the security (confidentiality, integrity, availability) of assets, leading to potential loss or damage.
Risk  A measure of the likelihood that a threat is realised and of the damage it would cause.
Access control  The prevention of unauthorised use of a resource, including the prevention of use of a resource in an unauthorised manner.
Security policy  The set of laws, rules and practices that regulate how assets, including sensitive information, are managed, protected and distributed within an organisation or specific IT system(s).

Networks and protocols:

ATM  Asynchronous Transfer Mode.
PSTN  Normal analogue phone lines (Public Switched Telephone Network).
ISDN  Digital phone lines (Integrated Services Digital Network).
GSM  Digital mobile radio (Global System for Mobile communications; the name comes from the French "Groupe Spécial Mobile").
X.25  Digital data lines (ITU-T/CCITT packet-switching standard).
SNA  IBM networking protocols (Systems Network Architecture).
WAN  Wide Area Network.
Frame relay  A WAN technology used mostly by telecoms carriers.

Other glossaries:

SANS Glossary of Terms Used in Security and Intrusion Detection http://www.sans.org/resources/glossary.php


Further reading

A Code of Practice for Information Security Management (BS7799, ISBN 0-580-22536-4). British Standards Institution (BSI), 1993.
  www.privacyexchange.org/buscodes/standard/bsi.html
  dtiinfo1.dti.gov.uk/security/approach.htm
  www.dti.gov.uk/CII/bs7799/

IT Baseline Protection Manual. German BSI (Bundesamt für Sicherheit in der Informationstechnik).
  www.bsi.bund.de/gshb/english/menue.htm

ITSEC, Information Technology Security Evaluation Criteria (the "European Orange Book"). EC: F/GB/D/NL, June 1991.
  www.itsec.gov.uk/docs/introgds.htm
  www.itsec.gov.uk/docs/formal.htm#ITSEC

TCSEC ("Orange Book") and Common Criteria. US DoD.
  www.radium.ncsc.mil/tpep

Computer Assurance Guidelines. DTI.
  www.lowpay.gov.uk/cag/contents.htm

EPHOS Security Services. EPHOS.
  www.nethotel.dk/ephos/en/booku/i3utoc.htm?

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.