FAQ on General
Information Security Basics
Information is an asset to all individuals and businesses. Information Security, in general, refers to the protection of these assets in order to achieve Confidentiality, Integrity and Availability (C-I-A)
There is no exact definition, but the term is generally used to refer to protection of any IT infrastructure, information systems and related resources with respect to confidentiality, integrity and availability.
It is always a good idea to use a systematic approach to IT security.
Physical security refers to the protection of hardware, computer equipment, and other IT assets from external physical threats, such as unauthorised access, theft, or loss of backup media during transportation to external sites.
Application security refers to the security measures built into a software application itself in order to provide a secure computing environment. Common application security measures include authentication of the application, an access matrix for different levels of users, input validation to avoid the possibility of application flaws such as a buffer overflow, and application logging features, etc. Application owners should determine with the development team application security requirements according to the criticality of the application in the design phase, as well as the sensitivity of the data to be processed.
The following network protection guidelines will help:
Information security management involves a combination of prevention, detection and reaction processes. It is a cycle of iterative activities and processes that require ongoing monitoring and control. The cycle includes the following:
As a business owner, you should consider the value of your information systems and other IT assets in terms of the daily business of the organisation in order to determine the appropriate level of security. The impact of any security incident to your reputation, as well as the proper continuity of your business, should be considered. A process called risk analysis is normally used to identify what assets to protect, their relative importance to the proper operation and business of the organisation, and the priority ranking or level of security protection. The result should be a well-defined list of security requirements for your organisation.
A security policy sets the standards for a set of security specifications. It states what aspects of Information Security are of paramount importance to the organisation, and thus a security policy can be treated as a basic set of mandatory rules that must be observed. The policy should be observed throughout the organisation and should be in accordance with your security requirements, and your organisation's business objectives and goals.
Security standards, guidelines and procedures are tools that can be used to implement and enforce a security policy. More detailed managerial, operational and technical issues can be addressed. These documents provide detailed steps and advice to assist users and system administrators in complying with the requirements in security policy. Standards, guidelines and procedures may require more frequent reviews than the security policy itself.
A security policy should be practical, and work for your organisation. The following should be considered:
Developing a security policy requires the active support and ongoing participation of individuals from multiple ranks and functional units within the organisation. A working group or task force can be formed to develop the policy. In general, this group can include empowered representatives from senior management, technical personnel, operational personnel, and business users. Senior management represents the interests of the organisation's goals and objectives, and can provide the overall guidance, assessment and decision-making. Technical personnel can provide technical input and feasibility assessments for various security mechanisms or aspects of technology. Business users represent the users of related systems who may be directly affected by the policy. Sometimes, a third party consultant may need to be involved, to review the draft security policy.
First, identify a group of personnel who should be involved in developing the security policy. Second, make all necessary plans for activities, resources required and schedules. Third, determine the core security requirements, and establish the organisation's security policy accordingly. A draft security policy should then be reviewed and agreed by various stakeholders. The process of drafting might require several iterations before a security policy can be established.
As technologies, business environments and security requirements change over time, the security policy should be reviewed periodically (e.g. once every two years) in order to keep abreast of changes.
An IT security policy must address procedures and behaviours that can be changed. It is also important to recognise that there are always exceptions to every security rule. Keep the policy as flexible as possible in order that it remains viable for a longer time.
The CONTENTS of an IT security policy should address the following questions:
With a security policy in place, all staff will be able to clearly understand what is and is not permitted in the organisation relating to the protection of information assets and resources. This helps raise the level of security consciousness of all staff. In addition, a security policy provides a baseline from which detailed guidelines and procedures can be established. It may also help to support any decision to prosecute in the event of serious security violations.
Even if a security policy has obtained formal approval, putting a good security policy in place is another story. This requires a series of steps:
Security Awareness & Training
Security Awareness is crucial to ensuring that all related parties understand the risks, and accept and adopt good security practices. Training and education can provide users, developers, system administrators, security administrators and related parties with the necessary skills and knowledge needed to implement appropriate security measures.
Commitment and communication
No policy can be fully implemented unless all users and related parties are fully committed to complying with it. Good communication is ensured if users and third parties:
Enforcement And Redress
This refers to the task of enforcement of rights arising from implementation of the policy, and redress for any violations of those rights. Organisations should set up procedures to provide prompt assistance in investigative matters relating to breaches of security.
On-going Involvement of All Parties
An effective security policy also relies on a continuous exchange of information, consultation, co-ordination and co-operation among users and business units. Injection of knowledge on standards, methods, codes of practice and other expertise on security from external organisations will also help keep the security policy up-to-date and relevant.
Security Risk Assessment and Audit
A security assessment is the process of evaluating the security of an IT environment, including the network and the information systems. Security administrators or third party consultants usually use software tool called a vulnerability scanner specially designed to search out the security risks and vulnerabilities on internal hosts and workstations. In addition, adequacies in operation procedures would also be evaluated as part of the security assessment.
In general, a security risk assessment is conducted at the very beginning of a system deployment project to identify what security measures are required; or when there is a major change to the information assets or their environment. As new security vulnerabilities emerge from time to time, security risk assessments should be conducted regularly, for example once every two years.
A security Audit is a process or event where the IT security policy or standards are used as a basis to determine the overall state of existing protection, and to verify whether existing protection is being performed properly. It aims to determine whether the current environment is securely protected in accordance with the defined IT security policy.
Before performing a security assessment or audit, the organisation should define the scope of the security audit, and the budget and duration allowed for the assessment / audit.
A security audit only provides a snapshot of the vulnerabilities in a system at a particular point in time. As technology and the business environment changes, periodic and ongoing reviews will inevitably be required. Depending on the criticality of the business, a security audit might be conducted yearly, or every two years.
A security audit is a complex task requiring skilled and experienced personnel; it must be planned carefully. To perform the audit an independent and trusted third party is recommended. This third party can be another group of in-house staff or an external audit team, dependent on the skills of the internal staff and the criticality / sensitivity of the information being audited.
Security Incident Handling
An IT security incident is an adverse event in an information system and/or network that poses a threat to computer or network security with respect to availability, integrity and confidentiality. Such incidents can result in the destruction of data and disclosure of information.
However, adverse events such as natural disasters, hardware/software breakdowns, data line failures, power disruptions, etc. are generally excluded.
Security incident handling is a set of continuous processes governing the activities before, during and after a security incident occurs.
Security incident handling begins with planning and preparing the right resources, then developing proper procedures to be followed, such as escalation and security incident response procedures.
When a security incident is detected, a security incident response is initiated by responsible parties using predefined procedures. A security incident response represents the activities or actions carried out to tackle the security incident and to restore the system to normal operation. Specific incident response teams are usually established to perform certain tasks within the security incident.
When the incident is over, follow up action is taken to evaluate the incident and to strengthen security protection against a recurrence. Planning and preparation tasks will be reviewed and revised accordingly to ensure that there are sufficient resources available (including manpower, equipment and technical knowledge) along with properly defined procedures to deal with similar incidents in future.
Do not share your personal information online. This includes your name, home address, email address, HKID number, telephone number, etc. when filling on-line forms, or chatting with people you don't know using instant messaging tools, unless there is a specific reason for them to know. Proper security measures, such as SSL should be in place when entering your personal information.
Think carefully before giving out your personal information online, as it could end up being used for other purposes you didn't intend. Secure your email by digitally signing and encrypting messages before transmission and storage. Safeguard your personal computer because it is physically open to attack or theft. Change your password regularly and keep it secret. Try not to use insecure, easy to guess passwords such those derived from a word in the dictionary.
You should select a password that is difficult to guess and keep that password as secret as possible. Passwords should also be changed immediately if a password has to be reset, or upon receipt of a new password. Administrators should ensure that each new user is given a strong initial password instead of using a default one known to all staff in the organisation. Procedures should be set up to ensure that only the real person requesting the password can get that password. No passwords should be displayed in plain language on screen at any time. User passwords should also be encrypted using secure algorithms when stored.
Passwords should be well protected at all times. When stored in databases or servers, security controls such as access control and encryption should be applied to protect passwords. Passwords are often a key component to any system login, so they must be encrypted when transmitted over any un-trusted or insecure communication network. If password encryption is not possible, other controls such as changing the password more frequently should be implemented.
Follow these DOs:
Follow these DON'Ts:
In addition, be mindful of the safety of your data when using public wireless networks and/or public computer facilities.
You'll be a smart Internet user if you protect yourself in the following areas:
An intrusion is a set of actions that attempt to compromise the availability, confidentiality and integrity of an information system.
Intrusion detection is the methodology by which intrusions are uncovered. This includes the detection of external intruders breaking into a system as well as internal users misusing system resources.
Firewalls are only part of a total integrated security system, and they have limitations. Firewalls can neither alert you to ALL intrusions, nor stop ALL security breaches. Unless you are constantly monitoring for intrusions, you cannot know for sure if your firewall is blocking all intrusions. IDS / IPS can be installed and used at strategic locations to continuously collect and examine information for suspicious activity 7 days a week, 24 hours per day. IPS also provides an active response system to stop the source of attacks or to minimise the impact of any attacks.
An intrusion detection system cannot help you to solve or fix all security incidents. It cannot tell you exactly who and how the attack occurred, nor can it tell you the intention of the attacker. It can only provide information about the origin of the attack and the IP address of the originating attack. You will need to analyse all relevant logs in order to identify the real attacker.
A firewall is a system that enforces an access control policy between two networks. In general, a firewall is used to block network traffic coming from outside the network to the inside, and permit traffic from the inside to communicate to the outside world. A firewall can also provide logging and auditing functions to record all traffic passing through. In other words, a firewall can protect the internal network against attacks from outside by defining an access control policy to permit or deny traffic. However, a firewall cannot protect against attacks that do not go through the firewall itself, and cannot protect against attacks like viruses or data driven attacks that ride inside network traffic permitted by the firewall (such as web traffic). Proper configuration of a firewall plays a very important role in ensuring its effectiveness in terms of security protection.
The Internet is a world-wide "network of networks" that uses the TCP/IP protocol suite for communication. Internet connectivity offers enormous benefits in terms of increased access to information. However, the Internet suffers from significant and widespread security problems.
The fundamental problem is that the Internet was not designed to be secure. A number of TCP/IP services are vulnerable to security threats such as eavesdropping and spoofing. Email, passwords, and file transfers can be monitored and captured using readily available software.
Internet services need stronger authentication and cryptography mechanisms, and these mechanisms must be interoperable. Internet information enquiry or transaction processing requires user authentication. Audit and backup of authentication information may also be required. Sensitive and personal data should be properly encrypted.
In general, Internet security covers a wide range of issues such as identification and authentication, computer virus protection, software licensing, remote access, dial-up access, physical security, firewall implementation and other aspects relating to the use of the Internet.
You can check by using the following statements to determine if the information of your organisation is safe:
If the answer to some of these statements is no, your organisation may still posses a number of security holes that are exposed to threats.
When evaluating whether to apply a security patch or not, the risks associated with installing the patch should be assessed. Carefully compare the risk posed by the vulnerability with the risk of installing the patch. Other compensating controls should be on standby, and these may include:
In addition to matching the specific user and business requirements, including product functionality and budget constraints, organisations should also take the following factors into consideration when considering a robust and secure patch management solution:
Some patch management products have more vulnerabilities than others. Organisations should choose an appropriate solution that looks less likely to be vulnerable itself, which in turn will reduce the need to patch the software regularly. Research should be conducted first to independently verify the product concerned. A complex product may mean more code and services that in turn might introduce more vulnerabilities. It may be wise to select a less complicated and more mature product.
Some patch management solutions are agent-based while others are agent-less. Organisations should evaluate any impact to their systems (such as performance, stability and compatibility), if agents are to be deployed across a large number of machines.
Vendor Responsiveness to New Vulnerabilities
Organisations should also take note of the speed with which the solution vendor responds to new vulnerabilities with patches and updates.
Ease of Deployment and Maintenance
The easier the patch management solution is to deploy and maintain, the lower the implementation and ongoing maintenance costs to the organisation.
A good patch management solution should provide comprehensive logging facilities that help system administrators easily keep track of the status of software fixes and patches on individual systems.