Nayak Umesha - The infosec handbook: an introduction to information security


Nayak Umesha The infosec handbook: an introduction to information security
  • Book:
    The infosec handbook: an introduction to information security
  • Author:
  • Publisher:
    Apress
  • Genre:
  • Year:
    2014
  • City:
    Berkeley;CA;New York

Part I
Introduction
Planning and Analyzing Your Information Life Cycle
This section introduces the concept of security in general and information security in particular. It is also intended to provide a historical perspective on information security.
Chapter 1, Introduction to Security, highlights three examples of information security breaches recently published on the internet. The first example explains how encrypted messages can be read by injecting plaintext into an HTTPS request and measuring compression changes. The second example explains how the NSA was provided direct access to the networks of some of the big corporations like Google, Yahoo, and Microsoft and how the tapping of information from undersea cables, where the information moves unencrypted, was carried out. The third example explains the breach of 40 million credit and debit cards, which happened during the busy Christmas season at Target. We then generally describe what security is and describe it as protecting what one has. We also look into the fact that security applies not only to physical assets, but also to non-physical assets like confidential information, research information with high value realization potential, intellectual property rights, and security of customers. We also highlight the role of terrorists and disgruntled employees in the breach of security. We then explore why security is important. In this context we look into how every individual and organization wants to preserve its societal status and how the compromise of information security can lead to misuse of the information in the wrong hands. We then look into the importance of protecting business information of value and customer data, and note that information security should not be implemented for the sake of implementing it, but with all the serious consideration it requires. We also highlight how new technologies, new products, and new applications can also bring new security threats to the fore. We then discuss what happens if we do not care about security, with examples from the current world. We then discuss the history of computers and information security. We then explore the information security scenario today.
We also discuss how prevention is better than cure and explain the need to build in appropriate controls through risk assessment of what can go wrong. We conclude with information about some of the applicable standards and certifications like ISO27001:2013, PCI DSS by PCI Security Standards Council, and COBIT from ISACA.
Chapter 2, History of Computer Security, starts with how the history of exploiting security began with the tapping of telephone lines and how the telephone operators intentionally misdirected the calls and eavesdropped on the conversations. We also look into the role of phreakers like John Draper. Next we look into how bulletin boards became the target of hackers as people started sharing passwords and credit card numbers on them. Then we look into Ian Murphy's breaking into AT&T's computers and Kevin Mitnick's stealing of computer manuals of Pacific Bell's switching center. Then we look into how the Computer Emergency Response Team (CERT) was formed by government agencies in charge of ARPANET to counter increasing threats to security. We then look into how the 1990s saw more hacking activities such as the Michelangelo virus, the arrest of notorious hacker Kevin Mitnick for stealing credit card data, and the 1998 Solar Sunrise attack targeting Pentagon computers by Ehud Tenenbaum. We look into the growth of the Internet and how business-related information became available on the Internet and how, with the increasing threats, technologies like firewalls and antivirus programs came into existence while, on the other hand, viruses, Trojans, and worms were proliferating. We then explore the history of communications and, in that context, discuss the Caesar cipher. We also highlight how the need for secure communications in the context of military information exchange led to cryptography.
We then discuss the role of world wars in the development of coding to exchange information secretly. In this context we discuss the Enigma machine and how Alan Turing succeeded at Bletchley Park in decoding the messages coded through the Enigma machine and how this led to the shortening of World War II. We then discuss some of the greatest phreakers and hackers like John Draper and Kevin Mitnick and discuss, in today's context of the Internet, the role of people like Julian Assange of WikiLeaks and whistleblowers like Edward Snowden in the context of the role of the NSA in the breach of information security.
© Umesh Hodeghatta Rao 2014
Umesh Hodeghatta Rao and Umesha Nayak, The InfoSec Handbook, DOI 10.1007/978-1-4302-6383-8_1
1. Introduction to Security
Umesh Hodeghatta Rao (1) and Umesha Nayak (1)
(1) Bhubaneshwar Area, India
Scenario 1: A post on http://threatpost.com, Threatpost, the Kaspersky Lab Security News Service, dated August 5th, 2013, with the title "BREACH Compression Attack Steals HTTPS Secrets in Under 30 Seconds" by Michael Mimoso, states¹:
A serious attack against ciphertext secrets, buried inside HTTPS responses, has prompted an advisory from Homeland Security.
The BREACH attack is an offshoot of CRIME, which was thought dead and buried after it was disclosed in September. Released at last week's Black Hat USA 2013, BREACH enables an attacker to read encrypted messages over the Web by injecting plaintext into an HTTPS request, and measuring compression changes.
Researchers Angelo Prado, Neal Harris, and Yoel Gluck demonstrated the attack against Outlook Web Access (OWA) at Black Hat. Once the Web application was opened and the Breach attack was launched, within 30 seconds, the attackers had extracted the secret.
Scenario 2: A post on http://threatpost.com, Threatpost, the Kaspersky Lab Security News Service, dated December 30th, 2013, with the title "Most Surprising NSA Capability: Defeating the Collective Security Prowess of the Silicon Valley" by Dennis Fisher, states as follows²:
Some of the earliest leaks to emerge from the Edward Snowden cache described a program called PRISM that granted the NSA direct access to networks run by Google, Yahoo, Microsoft, and many other companies. That direct access was quickly interpreted to mean that those companies were giving the agency data links to their servers through which the NSA could collect traffic information on targets. The affected companies quickly denied this; only later was it revealed that direct access came in the form of tapping undersea cables that carry unencrypted traffic between data centers around the world. The revelation triggered an immediate response from Google, Microsoft, and Yahoo, who said that they would be encrypting that traffic in the near future. In addition, some Google engineers had some choice words for the NSA's in-house hackers. In the words of Google's Mike Hearn, "The traffic shown in the slides below is now all encrypted and the work the NSA/GCHQ staff did on understanding it is ruined."
What is Security?
The events above are a few of the security breaches that were reported during 2013. There are many security breaches reported every year from different quarters of the world. Some of these may be accidental and some intentional. Some may not be with the intention of making money, while others are done purely with the intention of making money. Some events may be done for one-upmanship or merely for the thrill of breaking the system. With more computers and people interconnected and, in turn, connected by the internet, the role of computer security in general and information security in particular, with special emphasis on cybersecurity, is gaining momentum. With technological advances and the spread of technological know-how, information security is certainly a humongous task for everyone, that is, for all computer users, including the non-technical ones!