xdxdxd123

Untitled

Jan 13th, 2018
1.1.2 Security Roles and Concepts

In order to be an effective Security Administrator you've got to be familiar with the concepts and the roles surrounding information security. We're going to talk about those here.

Assets

The first concept in information security that you need to be familiar with is that of an asset. An asset is simply something that has value to an individual or an organization. In the context of information security we're talking about information of some sort. For example, let's suppose we have a server in our organization and on this server there is a database that contains customer and order information. This database has a lot of value to the organization; therefore, it is an asset.

Threats

The next security concept that you need to be aware of is that of a threat. Now, as you might guess, a threat is simply an entity that can cause the loss of an asset. Now it's important that you differentiate between the actual loss of an asset and simply the threat of the loss of an asset. At this point we're simply talking about the threat, the risk, what could potentially happen. In our example here, how could that database be compromised? An example of a threat is some type of data breach or exploit that results in the loss of this database, in this database being stolen in some way.

Threat Agents

Next we have the threat agent. The threat agent is a person or entity that can actually carry out a threat. Now in this example we're looking at the loss of information in this database. So what could possibly be a threat agent? It could be an attacker on the outside, or it could be an internal attacker. An example of an external threat agent might be an organized crime association that wants this information to steal credit card numbers. An internal threat agent might be a disgruntled employee who's mad at the organization because he got a bad performance review and wants revenge.

Vulnerability

Next we have the concept of a vulnerability. A vulnerability is simply a weakness that allows the threat to be carried out. In this example, a weakness could be the fact that this disgruntled internal employee is an information security professional who has a degree of access to this physical server system. That's a weakness.

Exploit

And then finally we have the concept of an exploit, which is simply a procedure or a piece of software or whatever that takes advantage of this vulnerability to actually carry out the threat. So in this example let's say that our server that's hosting our customer database has a USB port on the front that is enabled. So it works. And that's one of the things folks have to weigh when they're dealing with information security, with servers in particular, and that is: do you allow the USB ports on the system to actually be active? You find many times that the security policy for an organization says no USB ports. They may even go so far as to say no USB ports on individual users' desktop systems because it's just such a vulnerability. In this case all you have to do is stick a thumb drive into that USB port and all of a sudden, with the right level of access, that customer database could go onto that thumb drive. And to make matters worse we have a disgruntled employee here who has physical access to this server system and he has a thumb drive, and he is upset because of the bad performance review that he got, so he's going to copy this database file onto that thumb drive and sell it to the highest bidder, whoever or whatever he thinks he can make a little money from or damage the company with in some way. That is an exploit.

Risk Management

So as a Security Administrator what do you do? Well, it's actually all a matter of risk management. Because if we wanted to we could make the system totally secure. We could take that server, lock it in a room, take away the key cards from everybody so nobody has any physical access whatsoever. We could unplug it from the network, we could disable all the USB ports, we could throw away the keyboard and the mouse and the monitor so that nobody can access the data on that system. And is it secure at that point? Probably, it's fairly secure. Is it useful? No, it's not even useful anymore, at which point it ceases being an asset; it now doesn't have any value because it can no longer perform its function, which is to store the database that manages our customer information.

So what you have to do is weigh the risks and the benefits. You have to weigh the risk of the threat agent carrying out the exploit against the benefit of actually having the vulnerability in place. You might be saying, what do you mean, having the vulnerability in place? Benefits to having a vulnerability? There actually are benefits to having a vulnerability. In other words, allowing physical access to the server. How much is that worth? Is it better to force everybody to have remote access into the server system, or is it more cost effective to have somebody have physical access to the server to manage it? Is it worth having an enabled USB port on the s
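The weighing the lecture describes can be made explicit in numbers. The following is an added example, not part of the lecture or its course material: it scores each option for the customer-database scenario as residual risk (single-loss impact times yearly likelihood, the standard annualised-loss model, which the lecture does not name) plus the cost of the control plus the benefit lost by removing the "vulnerability"; every dollar figure and probability is an assumption chosen for illustration.

```python
from dataclasses import dataclass

# Constructed figures for the lecture's scenario: a customer database on a
# server, and a disgruntled insider with physical access and a thumb drive.
# All amounts and likelihoods below are assumptions for illustration only.

@dataclass
class Option:
    name: str
    control_cost: float        # yearly cost of operating the control itself
    lost_benefit: float        # yearly value given up (e.g. convenience of local admin access)
    exploit_likelihood: float  # expected successful exploits per year with this control

SINGLE_LOSS = 500_000.0  # assumed impact of one theft of the customer database


def annual_loss(opt: Option, single_loss: float = SINGLE_LOSS) -> float:
    """Residual risk: impact of one loss times how often it is expected per year."""
    return single_loss * opt.exploit_likelihood


def total_yearly_cost(opt: Option, single_loss: float = SINGLE_LOSS) -> float:
    """What the administrator actually weighs: residual risk, plus the price of the
    control, plus the benefit lost by closing the hole (the 'benefit of the
    vulnerability' the lecture talks about)."""
    return annual_loss(opt, single_loss) + opt.control_cost + opt.lost_benefit


OPTIONS = [
    # Leave the USB port enabled and physical access in place: no control cost,
    # nothing given up, but the insider exploit is reasonably likely.
    Option("USB enabled, physical access allowed", 0.0, 0.0, 0.10),
    # Disable USB by policy: small cost, some lost convenience, far lower likelihood.
    Option("USB ports disabled by policy", 2_000.0, 5_000.0, 0.02),
    # Lock the server away and unplug it: perfectly secure, but the asset is no
    # longer useful, so nearly its whole value is given up.
    Option("Server locked away, unplugged", 0.0, 400_000.0, 0.0),
]


def cheapest(options=OPTIONS, single_loss: float = SINGLE_LOSS) -> Option:
    """Pick the option with the lowest combined risk and cost."""
    return min(options, key=lambda o: total_yearly_cost(o, single_loss))


if __name__ == "__main__":
    for o in OPTIONS:
        print(f"{o.name:40s} {total_yearly_cost(o):>12,.0f}")
    print("choose:", cheapest().name)
```

Rerunning `cheapest` with a much smaller `single_loss` shows the other side of the trade-off: when the database is worth little, leaving the port enabled becomes the cheapest choice, which is exactly the judgement the lecture says the administrator has to make.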