
Information Security: Context and Introduction

WEEK 1
Not all data is information. Data can be called information when it is interpreted
in a context and given meaning. For example, "14041989" is data; if we know that
it is the date of birth of a person, then it is information. So, information means
data which has some meaning. Information security is all about protecting
information, and generally focuses on confidentiality, integrity and availability
(CIA).

• Information can be considered as some meaning conveyed by a sequence of
symbols.
• Security is a state of being free from danger or threats.
• Information security is defined as the practice of defending information from
unauthorised access, use, disclosure, disruption, modification, inspection,
recording or destruction.
• Cybersecurity: The ability to protect or defend the use of cyberspace from
cyber attacks.

Going by these definitions, cyber security is all about the security of anything in
the cyber realm, while information security is all about the security of information
regardless of the realm. So, from these definitions, one can think of information
security as a superset of cyber security.

The CIA Triad (Confidentiality, Integrity and Availability) is a well-established
model in information security, which focuses on three key aspects:

• Confidentiality: a system should ensure that only authorised users access
information; that information is stored or transmitted to ensure that
unauthorised users cannot access it.
• Integrity: a system should ensure completeness, accuracy and an absence of
unauthorised modifications in all its components.
• Availability: a system and all of its components are available and
operational when required by any authorised user.
The RMIAS has a wider scope than the CIA Triad.
Information Assurance has a different emphasis than Information Security – it is
multi-disciplinary and its focus is to reduce risks to information and information
systems including physical security, people aspects such as awareness and training as
well as processes and governance within an organisation.
So combining Information Security and Information Assurance we can address the
risks to information systems and all manner of the controls we can put in place:
technical, physical, procedural and personnel.

Let's look briefly at the four dimensions of RMIAS:


• Information Systems Security Lifecycle illustrates a temporal aspect and the
application of some development methodology that will create, deploy,
measure, refine and finally retire an information systems / solution in the
context of the business / organisation.
• Information taxonomy through which we can describe the information being
protected and its lifecycle from creation to destruction. Here we consider every
category of information by form, state, sensitivity and location.
• Security Goals define the set of goals that can be applied in the context of an
organization, business or system. The model here is an expansion of the CIA
Triad to become the “IAS octet”.
• Security countermeasures can be defined as techniques or processes used to
achieve the required security goals. From an IAS perspective the selection of
security measures is carried out from the perspective of cost-effectiveness and
business efficiency. This set of countermeasures covers technical, business,
legal and human factors.
WEEK 2

Security services are specific security goals that we may wish to achieve.
• Confidentiality is the assurance that data cannot be viewed by an unauthorised
user.
• Data integrity is the assurance that data has not been altered in an
unauthorised (which includes accidental) manner. This assurance applies from
the time that the data was last created, transmitted or stored by an authorised
user. Data integrity is not concerned with the prevention of alteration of data,
but provides a means for detecting whether data has been manipulated in an
unauthorised way.
• Data origin authentication is the assurance that a given entity was the
original source of received data, regardless of any intermediaries that forwarded it.
• Non-repudiation is the assurance that an entity cannot deny a previous
commitment or action.
• Entity authentication is the assurance that a given entity is involved and
currently active in a communication session. In other words, if a technique
provides entity authentication of Alice then this means that by applying the
technique we can be sure that Alice is really engaging with us now, in ‘real
time’.

Relationships between security services

• Data origin authentication is a stronger notion than data integrity.
• Non-repudiation of a source is a stronger notion than data origin authentication.
• Data origin authentication and entity authentication are different.
• Data origin authentication plus a freshness check can provide entity
authentication.
• Confidentiality does not imply data origin authentication.
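An added example (not code from the page or the course) that makes the relationships above concrete with Go's standard library: an HMAC-SHA256 tag gives data integrity and data origin authentication, a replayed message shows that this alone is not entity authentication, and a challenge nonce supplies the freshness check. The shared key, the "alice:" payload prefix and the challenge format are constructed for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample key shared by Alice and Bob. In practice it comes from a
// secure key establishment mechanism, never from a literal in the source.
var sharedKey = []byte("constructed-demo-key-do-not-reuse")

// AuthMessage is a payload plus the MAC tag computed over it.
type AuthMessage struct {
	Payload []byte
	Tag     []byte
}

// macTag binds the payload to the shared key with HMAC-SHA256.
func macTag(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

// Send produces an authenticated message from a holder of the key.
func Send(key, payload []byte) AuthMessage {
	return AuthMessage{Payload: payload, Tag: macTag(key, payload)}
}

// VerifyOrigin gives data integrity and data origin authentication: a valid
// tag means the payload is unmodified and was produced by a key holder. It
// says nothing about WHEN it was produced, so a replayed old message passes.
func VerifyOrigin(key []byte, m AuthMessage) bool {
	return hmac.Equal(macTag(key, m.Payload), m.Tag)
}

// NewChallenge issues a fresh random nonce that the verifier remembers for
// exactly one session.
func NewChallenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Respond is the claimant's reply: the challenge is bound into the
// authenticated payload, so the tag covers both identity and freshness.
func Respond(key []byte, challenge string) AuthMessage {
	return Send(key, []byte("alice:"+challenge))
}

// VerifyEntity is data origin authentication plus a freshness check. Both
// must hold: the tag is valid AND the payload carries this session's challenge.
func VerifyEntity(key []byte, challenge string, m AuthMessage) bool {
	if !VerifyOrigin(key, m) {
		return false
	}
	return hmac.Equal(m.Payload, []byte("alice:"+challenge))
}

func main() {
	// Alice sends an authenticated message; Bob checks integrity and origin.
	m := Send(sharedKey, []byte("transfer 100 to Bob"))
	fmt.Println("origin ok:", VerifyOrigin(sharedKey, m))

	// A modified payload fails the tag check (integrity).
	tampered := AuthMessage{Payload: []byte("transfer 999 to Bob"), Tag: m.Tag}
	fmt.Println("tampered ok:", VerifyOrigin(sharedKey, tampered))

	// Entity authentication: Bob issues a challenge, Alice answers it.
	c1, _ := NewChallenge()
	r1 := Respond(sharedKey, c1)
	fmt.Println("session 1 entity ok:", VerifyEntity(sharedKey, c1, r1))

	// A later session: r1 replayed still has a valid origin but is not fresh.
	c2, _ := NewChallenge()
	fmt.Println("replayed origin ok:", VerifyOrigin(sharedKey, r1))
	fmt.Println("replayed entity ok:", VerifyEntity(sharedKey, c2, r1))
}
```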
Symmetric encryption is a type of encryption where only one key (a secret key) is
used to both encrypt and decrypt electronic information. Examples: AES (Advanced
Encryption Standard) and DES (Data Encryption Standard).

Public-key cryptography, or asymmetric cryptography, is a cryptographic system
that uses pairs of keys: public keys which may be disseminated widely, and private
keys which are known only to the owner. Effective security only requires keeping the
private key private; the public key can be openly distributed without compromising
security. In such a system, any person can encrypt a message using the receiver's
public key, but that encrypted message can only be decrypted with the receiver's
private key.
The opposite direction is digital signatures, in which a message is signed with the
sender's private key and can be verified by anyone who has access to the sender's
public key. This verification proves that the sender had access to the private key, and
therefore is likely to be the person associated with the public key. It also ensures
that the message has not been tampered with, as a signature is mathematically bound
to the message it was originally made with, and verification will fail for practically
any other message, no matter how similar to the original. Digital signatures thus
provide integrity and non-repudiation.
USES OF EACH ONE
Knowledge of the encryption algorithm
There tend to be two different approaches to designing encryption algorithms, which
result in most encryption algorithms being classified as either:
• Publicly known algorithms: the full details of the algorithm are in the public
domain and can be studied by anyone.
• Proprietary algorithms: the details of the algorithm are only known by the
designers and perhaps a few selected parties.
In the case of publicly known encryption algorithms, an attacker knows the
encryption algorithm. In the case of proprietary encryption algorithms, an attacker
may well know the name of the encryption algorithm and certain basic properties, but
it is not intended that they know any of the details of how it performs the encryption
and decryption processes.
THE IMPACT OF KERCKHOFFS’ SECOND PRINCIPLE
THE CASE FOR PUBLICLY KNOWN ALGORITHMS
There are many reasons why it might be preferable to use a publicly known
algorithm:
• Scrutiny: A cryptographic algorithm that is in the public domain has the
chance to be studied by a wide range of experts. If they all agree that the
algorithm seems to be a good one then there are strong reasons to believe that
the algorithm is secure. Such an algorithm could then be adopted by public
standardisation bodies. In contrast, a proprietary algorithm may only have been
assessed by a handful of experts.
• Interoperability: It is much easier to adopt and implement publicly known
algorithms in open networks. If an organisation wishes to regularly secure
communications with external clients then use of a proprietary algorithm
means that all the clients will either have to be given the algorithm
specification, or the software or hardware necessary to run it.
• Transparency: Businesses may find it easier to convince a trading partner that
their systems are secure if the security techniques that they employ, which
includes the cryptographic algorithms, are open to assessment by their partners.
If an algorithm is proprietary then partners may want to perform independent
evaluations of its strength.

A cryptographic algorithm is only one part of the wider system in which it is
implemented, so a cryptosystem consists of more than the algorithm. The critical
parts of a cryptosystem include:
• Implementation
• The management of the keys
• End points

Encryption algorithms are crucial components of cryptosystems, but in many ways
they are the least likely part of a cryptosystem to be vulnerable. The most common
places we might expect to see weaknesses are the implementation, the management of
the keys, and the management of data when it is not encrypted, that is, the plaintext
as it exists at the end points of the system.
PROBLEMS WITH SYMMETRIC CRYPTOGRAPHY

Symmetric trust. Since the sender and receiver have to share the same symmetric
key, there is an implication that, to an extent, the sender and receiver ‘trust’ one
another. This ‘trust’ arises since anything cryptographic that the sender can do (by
deploying the symmetric key), the receiver can also do (by deploying the same key).

Key establishment. The sender and the receiver need to agree on a symmetric key in
advance of use of a symmetric cryptosystem. Thus the sender and receiver need to
have access to a secure key establishment mechanism.

We will see shortly that public-key cryptography can be used in an attempt to
overcome these problems.

THE BRIEFCASE PROTOCOL

However, nothing ever comes for free. There are two major problems with the
briefcase protocol:
• Authentication. The very freedom we gain through being able to securely
communicate with an entity we had no prior trust relationship with, comes with
a significant vulnerability. This is a lack of assurance we have indeed securely
communicated with the entity we think we are communicating with. Alice has
no guarantees (other than the word of the courier) that it is Bob who applies the
second padlock. There is no authentication of any type in the briefcase
protocol. While it is true we did not specify authentication in our requirements,
the briefcase protocol illustrates the dangers of omitting authentication as a
requirement in such a scenario.
• Efficiency. The briefcase protocol involves three journeys (or passes) between
Alice and Bob. This is clearly inefficient since we normally require a message
to be passed securely using just one communication. We must do better than
this because in many applications communication bandwidth is expensive.

A BLUEPRINT FOR A PUBLIC-KEY CRYPTOSYSTEM

• The keys used to encrypt and decrypt should be different.
• Anyone who wants to be a receiver needs a unique decryption key.
• Anyone who wants to be a receiver needs to publish an encryption key.
• Some guarantee of the authenticity of a public key needs to be provided.
• It should not be feasible to deduce the plaintext from knowledge of the
ciphertext and the public key.
• It should not be feasible to deduce the private key from the public key.

In this analogy, Alice faces two challenges. Firstly she has to acquire Bob’s padlock.
Secondly, and more significantly, Alice has to be sure it really is Bob’s padlock she is
using.
Symmetric cryptography is generally very, very fast. Public-key cryptography
introduces delays: it requires hard computational work for a computer to do, so it
is slow. In fact, despite the key management advantages of public-key cryptography,
in general we do not want to use it unless we have to.
So in this example of buying something from an online store, we are forced to use
public-key cryptography somehow. But we also know that public-key cryptography is
rather slow. So can we get away with using it surgically, just for what we need and
no more than that? This is what SSL/TLS does: it combines symmetric and public-key
cryptography to get the best of both worlds. The idea is really very straightforward.
Your web browser generates a symmetric key and encrypts it using the public key of
the online store, then passes it across to the online store. The store decrypts it to
recover the symmetric key, and that symmetric key is then used to encrypt the bulk
data traffic. In this way we have harnessed the best of both worlds.
WEEK 3
In information security and other computer science related fields, we consider three
different states for information or data: data at rest, data in use, and data in
motion. The first two are the concern of computer security and the third is the
concern of network security.

From a business perspective this information is classified in different categories
according to its sensitivity. Depending on this classification, different controls will
apply when storing, using or transmitting the information through a network.

Computer networks can be grouped in two categories depending on whether the
connection is established through a physical cable or not.
• Wired networks refer to those networks where nodes are connected using a
physical link (cable). This kind of network is also called a Local Area Network
(LAN). In order to eavesdrop on an Ethernet connection, the attacker requires
physical access to the Ethernet cable or to the devices it is connected to
(routers and Ethernet switches).
• In a wireless (or non-wired) network, the nodes connect to each other by
transmitting radio waves through the air. An attacker will only require specific
hardware to receive transmissions over a certain frequency to be able to read
the information being sent through that network to/from a mobile device.
◦ Bluetooth: Personal Area Networks (PAN) or Personal Wireless Area
Networks (PWAN).
◦ WiFi: Wireless LAN (WLAN) networks.
◦ Cellular networks are a kind of Wide Area Network (WAN).

Depending on the nature of the network connection and/or security requirements, we
can use different security protocols to protect our connection.

However, information is not the only thing put at risk when connecting information
systems to a network; devices are at risk too. For example, a denial of service
attack (DoS) overloads the computer system.

Examples of threats: denial of service, malware, phishing, or intrusions.

Security systems are used to detect and mitigate these threats. For example: firewalls,
intrusion detection systems (IDS) and honeypots.

Authentication refers to the process followed to verify that a certain attribute
provided by an entity is true. In information security we use authentication to
verify the identity of persons or systems involved in interactions. Once the user or
system has been authenticated, we use authorization to decide whether it has the
right to perform the action it is trying to execute.

Generally speaking, access control works in the following way. A user wants to
perform an operation on a certain resource. Access to the resource is governed by
what we call an access control policy. This policy defines a set of rules that allows
the access control system to determine whether the identity is allowed to execute the
operation on the resource. If the policy determines that the user has the right to
perform that operation on the resource, the system proceeds with the operation.

There are many access control models, like discretionary, mandatory and role-based
access control.
• In discretionary access control, each resource has an owner who decides the
access rights to the resource. The owner can grant or revoke access, or even
transfer ownership of the resource to other users.
• In mandatory access control, access rights are assigned centrally. Users can
access resources as stated in the policy. However, they don't own resources, so
they cannot transfer access rights or modify the ownership of the resource.
• Finally, in role-based access control, users are assigned to different roles based
on their functions. Each role is then assigned specific permissions. In this way,
managing access rights is just a matter of assigning appropriate roles to each
user in the system. This kind of access control makes it very easy to add or
modify user access rights when their requirements change within the same
organization.
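An added example (not code from the page or the course) of the role-based model described above, in Go: users hold roles, roles hold permissions, access is denied by default, and a user's rights change only by changing role assignments, never by a resource owner. The ledger resource, the role names and the users are constructed for this illustration.

```go
package main

import "fmt"

// Permission is one operation on one resource.
type Permission struct {
	Resource  string
	Operation string
}

// RBACPolicy: roles carry permissions and users are assigned roles. Unlike
// DAC there is no resource owner; only the policy administrator changes
// rights, and only by editing role definitions or role assignments.
type RBACPolicy struct {
	rolePerms map[string]map[Permission]bool
	userRoles map[string]map[string]bool
}

func NewRBACPolicy() *RBACPolicy {
	return &RBACPolicy{
		rolePerms: map[string]map[Permission]bool{},
		userRoles: map[string]map[string]bool{},
	}
}

// Grant adds a (resource, operation) permission to a role.
func (p *RBACPolicy) Grant(role, resource, operation string) {
	if p.rolePerms[role] == nil {
		p.rolePerms[role] = map[Permission]bool{}
	}
	p.rolePerms[role][Permission{resource, operation}] = true
}

// Assign gives a user a role; Revoke removes it. Changing a user's rights is
// only ever a matter of changing which roles they hold.
func (p *RBACPolicy) Assign(user, role string) {
	if p.userRoles[user] == nil {
		p.userRoles[user] = map[string]bool{}
	}
	p.userRoles[user][role] = true
}

func (p *RBACPolicy) Revoke(user, role string) {
	delete(p.userRoles[user], role) // no-op if the user holds no roles
}

// Allowed is the access decision: deny by default, allow only if one of the
// user's roles carries exactly the requested (resource, operation).
func (p *RBACPolicy) Allowed(user, resource, operation string) bool {
	for role := range p.userRoles[user] {
		if p.rolePerms[role][Permission{resource, operation}] {
			return true
		}
	}
	return false
}

// SamplePolicy builds a constructed policy: two roles over a ledger resource.
func SamplePolicy() *RBACPolicy {
	p := NewRBACPolicy()
	p.Grant("accountant", "ledger", "read")
	p.Grant("accountant", "ledger", "write")
	p.Grant("auditor", "ledger", "read")
	p.Assign("alice", "accountant")
	p.Assign("bob", "auditor")
	return p
}

func main() {
	p := SamplePolicy()
	fmt.Println("alice write ledger:", p.Allowed("alice", "ledger", "write")) // true
	fmt.Println("bob write ledger:  ", p.Allowed("bob", "ledger", "write"))   // false
	fmt.Println("carol read ledger: ", p.Allowed("carol", "ledger", "read")) // false, unknown user

	// Alice moves to the audit team: one role change updates all her rights.
	p.Revoke("alice", "accountant")
	p.Assign("alice", "auditor")
	fmt.Println("alice write after move:", p.Allowed("alice", "ledger", "write")) // false
	fmt.Println("alice read after move: ", p.Allowed("alice", "ledger", "read"))  // true
}
```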

Having an appropriate access control model and access control policy is a key point
in enforcing the security of a system or organization.

Vulnerabilities are weaknesses in a system that can negatively affect the security
properties of the system. Vulnerabilities appear because developing computer systems
is a very complex task.

Vulnerabilities can be introduced into a system in many phases of the development
life cycle, independently of the model adopted (analysis, design, implementation,
deployment, maintenance). It is important to solve vulnerability problems from the
first phase so that they do not multiply in the following phases. The effects of
exploiting a vulnerability will depend on the vulnerability exploited and the system
that was breached, but they can range from a data breach to malware spreading
through the organization. In order to avoid them, several processes must be carried
out during the whole development lifecycle. These constitute what is known as the
secure software development lifecycle.

Examples of system security tools (security features of operating systems and
security products):
• Security features of operating systems.
• Host intrusion detection systems.
• Anti-virus software.

Modern operating systems were designed with security in mind, and include many
features that help information systems and networks remain safe from threats.
Examples of such features:
• Disk encryption.
• Application signing: first, it identifies the developer of the application. Second,
the authority can verify the security of the application before issuing a signing
certificate. And third, it provides an easy method to block applications from
unknown sources.
• Memory protection techniques, such as address space layout randomization
and data execution prevention, protect systems from executing arbitrary code
when a software vulnerability is being exploited. ASLR randomizes the location
of code in system memory, which makes it more difficult to locate the parts of
memory holding the program code an exploit wants to take advantage of.

Security products include host intrusion detection systems and anti-virus software.
Host intrusion detection systems analyze the operations executed on the host, and
sometimes the network traffic going to that host, to identify malicious activities.
Like network intrusion detection systems, host intrusion detection systems can
identify malicious behaviour by matching previously known malicious patterns or by
identifying abnormal behaviour.

WEEK 4

Unfortunately, security is not only about the technical means to achieve it, but also
about the processes and people involved in those processes. Security management is
concerned with how to use the security technologies in the real world to protect
organizational assets. This means putting together the technical aspects of security,
processes, and people so organizations can achieve their business goals.

Security management is not only deciding which security technology to use. Security
controls need to be configured, integrated into the organization, monitored, updated,
and replaced as necessary. Security management covers all aspects that help an
organization to preserve the three famous security goals. These are, as you probably
already know, confidentiality, integrity, and availability. In the context of security
management, confidentiality means that information assets should only be read by
those users that are entitled to do so. Integrity is about preventing users modifying
organizational assets when they do not have the necessary authorization. Finally,
availability means that organization assets can be accessed by authorized users when
needed. Security management also provides accountability and auditability, and
supports compliance with standards and regulations.

Security management activities related to staff include initial vetting of new
employees, security training, and awareness, among others. At some point, these
controls may fail as security incidents will happen. Security management processes
also include incident management procedures to ensure that the organization can keep
doing business and the incident impact is kept to a minimum.

Security management allows us to use security technologies effectively. It provides us
with the tools to optimize the way people interact with technology so the risks that
arise from these interactions are mitigated. Security management processes help us
ensure that confidentiality, integrity, and availability of organizational assets are met.
It also serves to ensure regulatory compliance, and recovery from security incidents.
Implementing security management processes won't save us, unfortunately, from
security incidents. But it will, for sure, reduce them and help organizations achieve
their security goals.

• What was the security management process in place at the company when the
breach occurred?
• What went wrong?
• What do you think would prevent such a breach from happening again?

The ISO/IEC 27000 series of standards is a series of information security
management standards.

The series provides definitions of basic terminology, descriptions of how to establish
and operate an information security management system (ISMS), guidance on
security controls, and guidance on risk assessment and security audit. The ISO 27000
series also includes a range of sector-specific supplements that can be used to adapt
security processes to specific sectors like cloud services or telecoms. The series is
structured in five categories.

The first category contains the 27000 standard itself, which is basically
terminology and definitions.

The second category covers requirement standards and includes 27001, 27006 and
27009. ISO 27001 sets down the requirements for implementing an information
security management system. These requirements allow organizations to claim
compliance against ISO 27001; as a result, it is the key standard in the whole 27000
series.

The ISO 27006 establishes the requirements for bodies providing audit and
certification of information security management systems. These requirements must
be fulfilled by any organization willing to provide ISMS certification.

ISO 27009 explains how to include additional requirements for specific sectors.

The third category of standards in the 27000 series is the guideline standards.
These include 27002, 27003, 27004, 27005, 27007, 27013 and 27014. 27002 provides
a catalogue of security controls and guidance on their use; it is the oldest member
of the series and a direct descendant of BS 7799. 27003 provides ISMS
implementation guidance. 27004 provides guidance on how to measure the
effectiveness of an ISMS and its controls. 27005 deals with risk management. And
finally, 27007 is related to auditing.

The fourth category is the sector-specific standards, which include 27010, 27011,
27015, 27017, 27018 and 27019. These standards are applicable to specific sectors,
like telecommunications, financial services, cloud services, and personally
identifiable information processors.

Finally, the last category contains the control-specific guideline standards. These
provide a more detailed set of guidelines for the security controls mentioned across
the rest of the documents in the series. They include, among others, 27031, which
describes guidelines to ensure business continuity, 27032, which provides guidelines
for cybersecurity, and 27033, which describes network security concepts.

The 27000 series of standards is developed by the ISO/IEC joint technical
committee 1, subcommittee 27, hence the name of the series. As you may imagine,
the information included in these standards must be updated frequently to reflect
new developments and threats in business sectors. The members of subcommittee 27
meet twice a year in person to update documents and propose new ones to be added
to the 27000 series.

In summary, the 27000 series is a set of information security standards that
establishes requirements, recommendations and guidelines to implement information
security. ISO 27001 is the most important standard of the series. Organizations can
request to be certified against this standard. When an organization obtains a 27001
certification, it means that a third party has verified that the organization
implements an information security management system that fulfils all the
requirements of the 27001 standard.

Plan-Do-Check-Act model (P-D-C-A)
• Plan what you need to do to achieve the objective.
• Do what you planned.
• Check that what you have done achieves what you had planned for it to
achieve and identify any gaps or shortfalls.
• Act on the findings of the check phase to address the gaps and/or improve the
efficiency and effectiveness of what you have in place.
Requirements applicable to an ISMS or other management system:
• Document control
• Internal audit
• Management review

A security policy describes the specific rules that must be followed to keep the
organization secure. Policies are different from standards. A standard is a collection
of requirements that must be met by everyone conforming to that standard. Standards
like the 27000 series go beyond the organization's boundaries, while security
policies apply within the organization's scope.

In most cases, an organization will have several security policies depending on the
level of the organization and the area they want to cover. At the higher level of the
organization, the security policy should set out the organization's approach to
managing its information security objectives. At a lower level, the information
security policy should be supported by topic-specific policies. These detail the
implementation of information security controls and are typically structured to
address the needs of certain target groups within the same organization.
Information security policies should address requirements created by business
strategy, regulation, legislation and contracts, and of course the information
security threat landscape. Security policies are only useful if the affected employees
and departments within the organization are aware of their existence and contents.
One common method of informing employees about security policies is the
information security awareness program. When designing a security policy, there are
several factors to take into consideration, like the size, the culture and the business
goals of the organization.

A security control is any kind of measure we put in place to reduce the risk of a
breach and achieve the security goals of an organization. ISO/IEC 27002 provides a
list of commonly used security controls and best practices on their implementation.
Security controls are organized by categories, depending on the topic or security
goal they allow you to achieve. Some of these categories may seem straightforward
because of their close relation to technical aspects of information security. These
include access control, cryptography, communication security, asset and media
management and incident management, among others.

The secure development lifecycle is another kind of security control. This control
introduces a series of tasks throughout the software development process to avoid
the appearance of software vulnerabilities. The tasks include establishing a secure
development environment, performing source code review and security testing, and
verifying third-party and outsourced software components. Other, not so obvious,
categories of security controls include human resources, physical security, system
acquisition, and supplier relations, among others. Security controls can be technical,
like cryptography or access control, or organizational, like human resources and
supplier relations. Not all security controls need to be implemented; that will depend
on the needs of the organization, the regulations and the business processes it
executes. However, it is very important that you are aware of all of them and can
justify when a specific security control is not required.

Risk management is the process of identifying, analyzing, evaluating and treating
risks. As you can see, this definition does not include any aspect of information
security; in fact, risk management is much broader than information security. It
covers all the risks that may stop an organization from achieving its business goals.
But what is risk? In general terms, risk is defined as the probability of something
harmful happening. In the information security field, we use risk to measure the
likelihood of something harmful affecting an organization asset, but we also
measure the impact of that event on the organization.

The iterative process of risk management consists of the following sub-processes:
context establishment, risk assessment, risk treatment, risk acceptance, risk
communication and consultation, and finally risk monitoring and review. First, we
need to establish the context of the risk assessment process. This includes
establishing which assets will be taken into account, the risks that will be looked at,
and how they will be evaluated. Risk assessment is the main process of risk
management. In this phase, risks are identified, measured and prioritized. Risks can
be quantified or qualitatively described. During risk assessment, we determine the
value of information assets, identify the potential threats and vulnerabilities that
exist, identify the existing controls and their effect, and determine the potential
consequences of the risk. Finally, we prioritize the risks according to a quantified
measure or a qualitative description of the risk. The risk treatment phase involves
implementing the necessary measures to treat the risk. There are many different
ways of treating a risk: it can be reduced by implementing corrective or preventive
controls, it can be eliminated by eliminating the source of the risk, it can be shared
with an insurance company, for example, or it can just be accepted. The risk
acceptance phase serves to gather all the accepted risks, so they are explicitly
acknowledged by the managers of the organization. This step is important when
some risks are accepted for financial reasons. Risk communication is used to
communicate the existing risks and the treatment controls to managers and other
staff. This can help avoid security breaches while the treatment controls are being
implemented.

Finally, identified risks are monitored and reviewed. This is required to ensure that
the risk management process is kept up to date and the treatment controls are
implemented. Risk management is an iterative process whose goal is to identify,
analyze, evaluate and treat risks. Risk management is not only about reducing risks:
it is about identifying them and finding the best possible treatment within the
organization for those that go beyond the acceptable level.
Risk assessment involves risk identification, risk analysis, and risk evaluation.
• Risk identification: Risk identification determines how, where and why a
potential loss may happen. Risk identification first requires identifying all the
assets within the scope of the risk assessment. Then we must identify the
threats that may harm the previously identified assets. A threat can come from
a natural or a human source. It can be accidental or deliberate, and can come
from the inside or the outside of the organization. Risk identification also
identifies the possible vulnerabilities that may be exploited by the threats and
the existing controls that prevent those vulnerabilities from being exploited. Finally
we must identify the consequences that could be caused by the realization of
the identified threats.
• Risk analysis: we provide a qualitative or quantitative measure of the risks
that affect our assets. This generally involves measuring the likelihood of an
event happening, and the impact of that event. When measuring likelihood, we
generally consider the skills and motivation of the attacker, and the difficulty of
exploiting the system vulnerability. When measuring impact, we look at the cost
of the effect the threat has on the confidentiality, integrity and availability
of the asset. Cost must be measured in terms of its effect on the business
processes of the organization.

Once we have estimated the likelihood and impact of a threat scenario, we can
estimate the level of risk this scenario generates. Risk estimation combines the
likelihood of an event happening with its impact. If both are determined using
quantitative measures, risk is generally the result of multiplying them. If both are
determined using qualitative measures, risk is generally read from a risk
rating table.

The results of the risk assessment are used to decide whether the risk should be
treated and prioritize the implementation of treatment controls.
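The three assessment steps above (identification, analysis, evaluation) and the two ways of estimating risk can be put into a small risk register. The following is an added example, not code from the course notes; the 3x3 rating table, the level names, the sample assets and the "acceptable level" thresholds are all constructed for illustration, and a real organization would define its own scales.

```python
from dataclasses import dataclass
from typing import List, Union

# Added example (not from the course notes): a small risk register that
# carries out identification, analysis and evaluation as described above.
# Level names, rating table and sample risks are constructed.

LEVELS = ("low", "medium", "high")
LEVEL_RANK = {name: rank for rank, name in enumerate(LEVELS, start=1)}

# Qualitative risk rating table: (likelihood, impact) -> risk level.
# Constructed 3x3 table; an organization defines its own.
RISK_TABLE = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass
class Risk:
    """One row of the register: the outputs of risk identification."""
    asset: str                     # asset within the scope of the assessment
    threat: str                    # threat that may harm the asset
    vulnerability: str             # weakness the threat would exploit
    existing_control: str          # control already in place
    consequence: str               # effect of the threat being realized
    likelihood: Union[float, str]  # annual probability, or a level name
    impact: Union[float, str]      # cost in currency units, or a level name

    def quantitative(self) -> bool:
        return not isinstance(self.likelihood, str) and not isinstance(self.impact, str)

    def estimate(self) -> Union[float, str]:
        """Risk estimation: likelihood combined with impact.

        Quantitative inputs are multiplied (expected annual loss);
        qualitative inputs are looked up in the rating table.
        """
        if self.quantitative():
            return self.likelihood * self.impact
        if self.likelihood in LEVEL_RANK and self.impact in LEVEL_RANK:
            return RISK_TABLE[(self.likelihood, self.impact)]
        raise ValueError(
            f"{self.asset}: likelihood and impact must both be numbers or both be levels")

    def score(self) -> float:
        """A comparable number used only to order the register."""
        value = self.estimate()
        return float(LEVEL_RANK[value]) if isinstance(value, str) else float(value)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Risk evaluation: highest estimated risk first (one scale per ranking)."""
    if len({r.quantitative() for r in risks}) > 1:
        raise ValueError("do not mix quantitative and qualitative risks in one ranking")
    return sorted(risks, key=Risk.score, reverse=True)


def needs_treatment(risk: Risk, acceptable: Union[float, str]) -> bool:
    """True when the estimated risk exceeds the organization's acceptable level."""
    if risk.quantitative():
        if isinstance(acceptable, str):
            raise ValueError("acceptable level must be numeric for a quantitative risk")
        return risk.estimate() > acceptable
    return LEVEL_RANK[risk.estimate()] > LEVEL_RANK[acceptable]


# Constructed sample register using the qualitative scale.
QUALITATIVE = [
    Risk("customer database", "external attacker abusing web input", "unvalidated form fields",
         "web application firewall", "disclosure of customer records", "medium", "high"),
    Risk("office file server", "ransomware", "unpatched file-sharing service",
         "nightly backups", "loss of availability for a day", "high", "medium"),
    Risk("lobby display", "vandalism", "unattended public area",
         "CCTV", "replacement cost of one screen", "low", "low"),
]

# Constructed sample register using the quantitative scale (probability per year x cost).
QUANTITATIVE = [
    Risk("payment gateway", "denial of service", "single upstream link",
         "none", "lost sales during outage", 0.5, 40_000.0),
    Risk("laptop fleet", "theft", "no disk encryption",
         "asset tags", "data breach fines", 0.25, 250_000.0),
]

if __name__ == "__main__":
    for r in prioritize(QUALITATIVE):
        print(f"{r.estimate():>6}  {r.asset:<18} treat={needs_treatment(r, 'low')}")
    for r in prioritize(QUANTITATIVE):
        print(f"{r.estimate():>6.0f}  {r.asset:<18} treat={needs_treatment(r, 10_000.0)}")
```

The register refuses to rank a mixed list, because a number produced by multiplication and a cell read from a rating table are not comparable; the two scales are evaluated separately, and the acceptable level used in `needs_treatment` must be expressed on the same scale as the risk it is compared with.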

Today, you cannot worry only about yourself; you also need to worry about the
people and the organizations you interact with, and about the laws that regulate those
interactions. Depending on the country you are in, you will probably have laws
about privacy and data protection, national security, anti-terrorism and financial
governance. As business methods and technologies are constantly evolving, these
laws have to be frequently updated. This has a lot of impact on how business works,
and in some cases you may find yourself breaking a regulation you were not
aware ever existed. Security management processes should identify which business
processes are subject to particular legislation and provide the necessary
controls to ensure that the restrictions and requirements imposed by those laws are
met. This process can be really complex and challenging for big corporations, as they
might be subject to regulations from different countries that contradict each other.
Unfortunately, regardless of our efforts, security incidents will eventually happen.
These incidents can affect the confidentiality, integrity, and availability of assets. If
we prepare for these incidents before they happen, we will be better prepared to act
when the moment arrives. There are five phases in the management of a security
incident: reporting, investigation, assessment, correction, and review.
• Reporting consists of capturing all the possible information about the security
event. This includes the first time the event was noticed. The identity of the
first responder. The location or asset that was affected by the event. A
description of the event. The impact of the event. And of course, all the actions
taken after it.
• Investigation: responders analyze the assets affected by the event. The analysis
of these assets may require the use of forensic procedures. Incidents that
involve law enforcement will, of course, require proper handling of the
evidence.
• Assessment: reviewing the information gathered about the event and deciding
whether the event should be classified as a security incident. Security incidents are
security events that have a relevant impact on the security properties of the
organization's assets. When a security event is escalated to a security incident, the set
of planned responses is triggered. All the decisions made during the incident
assessment should be logged in the incident report.
• Correction: implementation of any corrective actions necessary to respond to
the incident. Enabling backup servers is an example of a correction action.
Corrective actions should also be logged in the incident report.
• Review: the handling of the incident and the correction controls applied to mitigate
the security incident are reviewed. Additionally, this phase reviews all the
other processes that were affected by the assets involved in the event. For
instance, a risk management process may need to be updated after a security
incident to reflect the new controls imposed and the new likelihood of such
events happening again.

In some cases, security events may put at risk the immediate continuity of the
business processes. In these cases, the corrections phase is prioritized over the other
phases. Some organizations may develop a specific plan for these extreme scenarios.
These are called business continuity plans. Whether we like it or not, security
incidents will happen within our organization. Preparing for such incidents is a key
factor in successfully responding and recovering from them. Some security incidents
can put at risk the continuity of a business. To prepare for such events, the
information security team should develop a business continuity plan that outlines
the main measures to implement to continue operations after a major incident or
disaster happens.
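The five phases and the rules attached to them (capture the listed reporting fields, log every assessment decision and corrective action in the report, trigger the planned responses on escalation, and bring correction forward when business continuity is at risk) can be enforced by a simple incident record. The following is an added example, not code from the course notes; the playbook entries, field names and sample event are constructed, and the "planned responses" are placeholders for whatever an organization's own incident response plan defines.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example (not from the course notes): an incident record that walks
# through reporting, investigation, assessment, correction and review in
# order, logging every decision, and that only allows correction to be
# brought forward when business continuity is at risk. Playbook entries
# and sample data are constructed.

PHASES = ["reporting", "investigation", "assessment", "correction", "review"]

# Constructed planned responses, keyed by the security property affected.
PLAYBOOK: Dict[str, List[str]] = {
    "confidentiality": ["revoke exposed credentials", "notify the data protection officer"],
    "integrity": ["restore affected data from the last verified backup"],
    "availability": ["enable backup servers"],
}


@dataclass
class IncidentReport:
    first_noticed: str        # when the event was first noticed (ISO 8601 text)
    first_responder: str      # identity of the first responder
    affected_asset: str       # location or asset affected
    description: str          # description of the event
    impact: str               # observed impact of the event
    continuity_at_risk: bool = False
    actions: List[str] = field(default_factory=list)   # actions taken after the event
    log: List[str] = field(default_factory=list)       # every decision, in order
    phase: str = "reporting"
    is_incident: Optional[bool] = None

    def enter(self, phase: str) -> None:
        """Move to the next phase only; phases are never skipped."""
        position = PHASES.index(self.phase)
        if position + 1 >= len(PHASES) or PHASES[position + 1] != phase:
            raise ValueError(f"cannot move from {self.phase} to {phase}")
        self.log.append(f"phase -> {phase}")
        self.phase = phase


def report_event(first_noticed: str, first_responder: str, affected_asset: str,
                 description: str, impact: str, continuity_at_risk: bool = False) -> IncidentReport:
    """Reporting phase: every listed field must be captured before going further."""
    fields = {"first_noticed": first_noticed, "first_responder": first_responder,
              "affected_asset": affected_asset, "description": description, "impact": impact}
    missing = [name for name, value in fields.items() if not value.strip()]
    if missing:
        raise ValueError(f"incomplete report, missing: {', '.join(missing)}")
    report = IncidentReport(**fields, continuity_at_risk=continuity_at_risk)
    report.log.append("report opened")
    return report


def investigate(report: IncidentReport, findings: List[str], law_enforcement: bool = False) -> None:
    """Investigation phase: record findings; note evidence handling when law enforcement is involved."""
    report.enter("investigation")
    for finding in findings:
        report.log.append(f"finding: {finding}")
    if law_enforcement:
        report.log.append("evidence preserved under the evidence-handling procedure")


def assess(report: IncidentReport, affected_properties: List[str]) -> List[str]:
    """Assessment phase: classify the event and trigger the planned responses."""
    report.enter("assessment")
    unknown = set(affected_properties) - set(PLAYBOOK)
    if unknown:
        raise ValueError(f"unknown security properties: {sorted(unknown)}")
    report.is_incident = bool(affected_properties)
    report.log.append("assessment: classified as "
                      + ("security incident" if report.is_incident else "event only"))
    responses = [step for prop in affected_properties for step in PLAYBOOK[prop]]
    for step in responses:
        report.log.append(f"planned response triggered: {step}")
    return responses


def correct(report: IncidentReport, action: str) -> None:
    """Correction phase; allowed early only when continuity is at risk. Always logged."""
    if report.phase != "correction" and not report.continuity_at_risk:
        raise ValueError("corrective action outside the correction phase")
    tag = "correction" if report.phase == "correction" else "correction (prioritized, continuity at risk)"
    report.log.append(f"{tag}: {action}")
    report.actions.append(action)


def review(report: IncidentReport) -> Dict[str, object]:
    """Review phase: summarize what was done and flag follow-up for other processes."""
    report.enter("review")
    return {"corrections": list(report.actions),
            "update_risk_assessment": report.is_incident is True,
            "log_entries": len(report.log)}
```

Used in sequence (for example `report_event(...)`, then `investigate`, `assess`, `report.enter("correction")`, `correct`, `review`), the record yields a complete audit trail in `report.log`; a call to `correct` before the correction phase succeeds only for a report opened with `continuity_at_risk=True`, which is the case the notes describe as justifying prioritizing correction over the other phases.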
WEEK 5

Producers - any company/business that creates, manufactures, sells, installs,
maintains or runs security products or services. The next video in this lesson expands
on the producer.

Consumer - a company that consumes (purchases, installs, uses) products to secure
their business. The set of products will depend on the business requirements and on
external factors such as laws, regulations, directives, standards, best practices, etc.
with which they need to comply or choose to implement.

Vertical is used to denote a set of similar types of business; for example, it might refer
to retail, or banking, or government.

Verticals can also be used to denote sets of producers, such as anti-virus vendors,
network security vendors and so on.

The Enforcer community helps to regulate and support the overall network of
producers and consumers.

"Interactions" take place at a variety of points: between enforcers and consumers and
producers, consumers and producers, producers and producers, and consumers and
consumers...

The presentation identifies a wide variety of producer types - covering products
through to services.
• Vendors create products and services to meet security needs
• Value added reseller – provide products plus associated services such as
installation, training, maintenance
• System Integrators – produce solutions that mix and match vendor products to
meet the needs of a customer. Often include all of a VAR's functionality plus
system engineering and consultancy. For example, Accenture provides system
integration.
• Consultants – offer a wide variety of services from management to deep
technical. There are a wide range of companies from large multi-nationals
through to small bespoke companies offering consultancy in the security sector.
• Service Provider (outsource) – companies that provide various operational
services to customers e.g. providing security solutions for BYOD (Bring Your
Own Devices), providing SOC (Security Operation Centres), DR (Disaster
Recovery), BC (Business Continuity), etc.
• Service Providers (services) – telecoms, ISPs, cellular/mobile etc. Of course
many of these service providers may offer the outsourced products in the bullet
point above.
Categorising by products.

Critical Infrastructure is identified by governments. Through a process where
they characterize the value and criticality of different services within the
environment, they can determine what is critical to a country and what isn't.

Consumers can cooperate, and not only among themselves, but with the whole
community. Banks, for example.

Critical infrastructure here has been categorised by value and criticality. The
criticality scale uses the impact on essential services, economic impact, and impact
on life as a basis to determine what is critical. In the UK we have:

• Communications
• Emergency Services
• Energy/Power
• Financial services
• Food
• Government
• Health
• Transport
• Water
• Defence/Military
• Civil nuclear
• Space
• Chemicals

Verticals. Market analysts such as Gartner, Forrester, IDC etc. create verticals as a
basis for classifying or categorising markets. As mentioned in the video there are a
wide number of these, such as:

• Banking and securities
• Communications, media and services
• Manufacturing and natural resources
• Government
• Insurance
• Retail
• Healthcare
• Education
• Military

From my perspective, the one thing that we've missed critically from this is the
adversary.
We need adversaries in this model because a lot of what we do is actually driven by
adversaries.
And these adversaries can be individuals, gangs, businesses. They can be national and
international.
They can even be a nation state, as we've seen from some news reports. And the
drivers for adversaries are much the same as they are for any business.
