- 1.1.2 Security Roles and Concepts
- Security Roles and Concepts
- In order to be an effective Security Administrator you've got to be familiar with the concepts and the roles surrounding information security.
- We're going to talk about those here.
- Assets
- The first concept in information security that you need to be familiar with is that of an asset. An asset is simply something that has value to an
- individual or an organization. In the context of information security we're talking about information of some sort.
- For example, let's suppose we have a server in our organization and on this server there is a database that contains customer and order
- information. This database has a lot of value to the organization, therefore, it is an asset.
- Threats
- The next security concept that you need to be aware of is that of a threat. Now as you might guess a threat is simply an entity that can cause the
- loss of an asset. Now it's important that you differentiate between the actual loss of an asset and simply the threat of the loss of an asset. At this
- point we're simply talking about the threat, the risk, what could potentially happen.
- In our example here, how could that database be compromised? An example here of a threat is some type of data breach or exploit that results
- in the loss of this database, of this database being stolen in some way.
- Threat Agents
- Next we have the threat agent. The threat agent is a person or entity that can actually carry out a threat. Now in this example we're looking at the
- loss of information in this database. So what could possibly be a threat agent? It could be an attacker on the outside, or it could be an internal
- attacker. An example of an external threat agent might be an organized crime association who wants this information to steal credit card
- numbers. An internal threat might be a disgruntled employee who's mad at the organization because he got a bad performance review and wants
- revenge.
- Vulnerability
- Next we have the concept of a vulnerability. A vulnerability is simply a weakness that allows the threat to be carried out. In this example, a
- weakness could be the fact that this disgruntled internal employee is an information security professional who has a degree of access to this
- physical server system. That's a weakness.
- Exploit
- And then finally we have the concept of an exploit, which is simply a procedure or a piece of software or whatever that takes advantage of this
- vulnerability to actually carry out the threat. So in this example let's say that our server that's hosting our customer database has a USB port on
- the front here that is enabled. So it works. And that's one of the things folks have to weigh out when they're dealing with information security
- with servers in particular, and that is do you allow the USB ports on the system to actually be active. You find many times that security policies
- for an organization say no USB ports. They may even go so far as to say no USB ports on individual users' desktop systems because it's just
- such a vulnerability. In this case all you have to do is stick a thumb drive into that USB port and all of a sudden, with the right level of access, that
- customer database could go onto that thumb drive. And to make matters worse we have a disgruntled employee here who has physical access
- to this server system and he has a thumb drive, and he is upset because of the bad performance review that he got, so he's going to copy this
- database file onto that thumb drive and sell it to the highest bidder, whatever he thinks will make him a little money or damage the
- company in some way. That is an exploit.
- Risk Management
- So as a Security Administrator what do you do? Well it's actually all a matter of risk management. Because if we wanted to we could make the
- system totally secure. We could take that server, lock it in a room, take away the key cards from everybody so nobody has any physical access
- whatsoever. We can unplug it from the network, we could disable all the USB ports, we could throw away the keyboard and the mouse and the
- monitor so that nobody can access the data on that system. And is it secure at that point? Probably, it's fairly secure. Is it useful? No, it's not even
- useful anymore, at which point it ceases being an asset. It now doesn't have any value because it can no longer perform its function, which is to
- store the database that manages our customer information.
- So what you have to do is weigh the risks and the benefits. You have to weigh the risk of the threat agent carrying out the exploit against the
- benefit of actually having the vulnerability in place. You might be saying, what do you mean, having the vulnerability in place? Benefits to having
- a vulnerability? There actually are benefits to having a vulnerability. In other words, allowing physical access to the server. How much is that worth?
- Is it better to force everybody to have remote access into the server system or is it more cost effective to have somebody with physical access
- to the server to manage it? Is it worth having an enabled USB port on the s