When teaching “InfoSec 101,” I reflect back on my early career as a reporter, and focus on answering the standard questions: who, what, why, where, when, and how. Since this is a Scrappy Book, let’s throw caution to the wind and take them out of order:
Why Do We Need InfoSec?
Because our stuff is valuable. Sure, it’s mostly invisible stuff, but so are integrity, justice, and love. Back when we made valuable stuff we could see, we locked the stuff up. Information? That simply supported the business. Today, information often is the business. In some sense, the challenge we face today is in the lack of “stuff.” My paycheck isn’t “real” money. It is information transferred from my employer’s bank account to mine. My 401K is just numbers in a book. The virtual world is becoming more “real” every day. But how do I know if something “un-real” has been stolen? An even more unsettling question: how do I know if something un-real has been altered, or just copied without being taken?
A chain is only as strong as its weakest link. So everybody has to be a pillar of infosec strength! Executive management must enthusiastically support and adequately fund a security program. The tech guys must do their propeller-head things, such as implementing so-called foolproof technical controls wherever possible so that the majority of us simply cannot screw up. And last, but really really certainly not least, every single one of those gosh-darned end users must understand the threats, stop their running-with-scissors behavior, and implement good security practices that they maintain day after day. Just as Willie Sutton said that he robbed banks because “that’s where the money is,” attackers will go after end users because that’s where the valuable information is.
We’ve all heard of the “elevator speech:” explaining something in the time it takes an elevator to travel from the ground floor to the top of a reasonably tall building. For an information security professional, the elevator speech can be distilled down to three letters: the “CIA triad.” The components are:
– Confidentiality: The assurance that information remains “secret,” or not accessible to those who should not see it, which usually includes most of the 1.5 billion people with Internet access.
– Integrity: The assurance that information has not been tampered with by any of those multi-billion peeps.
– Availability: The assurance that information and/or systems can be accessed at all times, a criterion that pretty much guarantees that the first two are almost impossible to meet with absolute certainty.
Everywhere we possibly can, which often is referred to as “defense in depth,” or DiD. The analogy used for years by information security professionals was that of a castle, surrounded by a deep moat and protected by thick stone walls. A less powerful, but tastier, metaphor is “The crunchy shell around the soft, chewy center.” This logic is easily understood since it applies outside of the infoworld. In the real world we build fences around the compound, hire guards, and put locks on the doors. In the infoworld, we use logical access controls: PC login credentials, network login credentials, file access controls, and role-based access.
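The layered logical controls listed above (login credentials, file access controls, role-based access) can be shown as one fail-closed check in which every layer must agree before access is granted. This is an added example written for this page, not code from the book; the users, passwords, file paths, ACL entries and role permissions are all constructed for illustration.

```python
"""Defense-in-depth access check: credentials, then role policy, then the
per-file ACL. Any layer saying "no" denies; unknown files, actions and users
are denied by default. All data below is constructed for this example."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked user store does not leak passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset


def make_user(name: str, password: str, roles) -> User:
    salt = os.urandom(16)
    return User(name, salt, _hash_password(password, salt), frozenset(roles))


# Layer 1: login credentials (hypothetical user store, constructed inline).
USERS = {
    "alice": make_user("alice", "correct horse battery staple", {"finance"}),
    "bob": make_user("bob", "hunter2", {"engineering"}),
    "carol": make_user("carol", "quiet-ledger-17", {"auditor"}),
}

# Layer 2: role-based policy, which actions a role may ever perform.
ROLE_PERMISSIONS = {
    "finance": {"read", "write"},
    "engineering": {"read", "write"},
    "auditor": {"read"},
}

# Layer 3: per-file ACL naming the users or roles allowed each action.
FILE_ACL = {
    "/finance/payroll.csv": {
        "read": {"role:finance", "role:auditor"},
        "write": {"user:alice"},
    },
    "/eng/design.md": {
        "read": {"role:engineering", "role:finance"},
        "write": {"role:engineering"},
    },
}


def authenticate(username: str, password: str):
    """Return the User on a correct password, else None."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work so timing does not reveal valid usernames.
        _hash_password(password, b"\x00" * 16)
        return None
    if hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        return user
    return None


def authorize(user: User, path: str, action: str) -> bool:
    """Both the role policy and the file ACL must permit the action."""
    acl = FILE_ACL.get(path)
    if acl is None or action not in acl:
        return False  # default deny for unknown files or actions
    if not any(action in ROLE_PERMISSIONS.get(r, set()) for r in user.roles):
        return False  # role policy forbids this action outright
    principals = {f"user:{user.name}"} | {f"role:{r}" for r in user.roles}
    return bool(principals & acl[action])


def access(username: str, password: str, path: str, action: str) -> bool:
    """Full chain: a failed login never reaches the authorization layers."""
    user = authenticate(username, password)
    if user is None:
        return False
    return authorize(user, path, action)


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "/finance/payroll.csv", "read"))
    print(access("carol", "quiet-ledger-17", "/finance/payroll.csv", "write"))
```

Note that carol can read the payroll file (her role is on the ACL and auditors may read) but cannot write it even though she authenticates correctly: the role policy stops her before the ACL is consulted. That is the point of the layering, each control covers gaps the others leave.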
The simple answer is always: 24 hours a day, 7 days a week, 365 days a year. The threats never sleep, and neither can the protection.
“Impossible” problems call for creative and innovative solutions. A winning combination consists of physical, technical, and administrative (PTA – easy to remember if you’ve ever had a kid in school) mechanisms:
– Physical: locks, guards, doors, badges, alarms.
– Technical: hardware, software, network architecture, host hardening.
– Administrative: policies, passwords, file access control.
We’ll address common technical, physical, and administrative security techniques in the next three entries.