8.1.1: Information Security

    Information Security

    Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or at least reducing the probability of unauthorized/inappropriate access to data, or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g. electronic or physical, tangible (e.g. paperwork) or intangible (e.g. knowledge). Information security's primary focus is the balanced protection of the confidentiality, integrity and availability of data (also known as the CIA triad) while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process that involves:

    • Identifying information and related assets, plus potential threats, vulnerabilities and impacts;
    • Evaluating the risks;
    • Deciding how to address or treat the risks i.e. to avoid, mitigate, share or accept them;
    • Where risk mitigation is required, selecting or designing appropriate security controls and implementing them;
    • Monitoring the activities, making adjustments as necessary to address any issues, changes and improvement opportunities.

    To standardize this discipline, academics and professionals collaborate to offer guidance, policies, and industry standards on passwords, antivirus software, firewalls, encryption software, legal liability, security awareness and training, and so forth. This standardization may be further driven by a wide variety of laws and regulations that affect how data is accessed, processed, stored, transferred and destroyed. However, the implementation of any standards and guidance within an entity may have limited effect if a culture of continual improvement isn't adopted.

    Definition

    Various definitions of information security are suggested below, summarized from different sources:

    1. "Preservation of confidentiality, integrity and availability of information. Note: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability can also be involved." (ISO/IEC 27000:2009)[3]
    2. "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability." (CNSS, 2010)[4]
    3. "Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)." (ISACA, 2008)[5]
    4. "Information Security is the process of protecting the intellectual property of an organisation." (Pipkin, 2000)[6]
    5. "...information security is a risk management discipline, whose job is to manage the cost of information risk to the business." (McDermott and Geer, 2001)[7]
    6. "A well-informed sense of assurance that information risks and controls are in balance." (Anderson, J., 2003)[8]
    7. "Information security is the protection of information and minimizes the risk of exposing information to unauthorized parties." (Venter and Eloff, 2003)[9]
    8. "Information Security is a multidisciplinary area of study and professional activity which is concerned with the development and implementation of security mechanisms of all available types (technical, organizational, human-oriented and legal) in order to keep information in all its locations (within and outside the organization's perimeter) and, consequently, information systems, where information is created, processed, stored, transmitted and destroyed, free from threats. Threats to information and information systems may be categorized and a corresponding security goal may be defined for each category of threats. A set of security goals, identified as a result of a threat analysis, should be revised periodically to ensure its adequacy and conformance with the evolving environment. The currently relevant set of security goals may include: confidentiality, integrity, availability, privacy, authenticity & trustworthiness, non-repudiation, accountability and auditability." (Cherdantseva and Hilton, 2013)[2]
    9. Information and information resource security using telecommunication system or devices means protecting information, information systems or books from unauthorized access, damage, theft, or destruction (Kurose and Ross, 2010).

    Overview

    At the core of information security is information assurance, the act of maintaining the confidentiality, integrity and availability (CIA) of information, ensuring that information is not compromised in any way when critical issues arise. These issues include but are not limited to natural disasters, computer/server malfunction, and physical theft. While paper-based business operations are still prevalent, requiring their own set of information security practices, enterprise digital initiatives are increasingly being emphasized, with information assurance now typically being dealt with by information technology (IT) security specialists. These specialists apply information security to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory. Such devices can range from non-networked standalone devices as simple as calculators, to networked mobile computing devices such as smartphones and tablet computers. IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber attacks that often attempt to acquire critical private information or gain control of the internal systems.

    The field of information security has grown and evolved significantly in recent years. It offers many areas for specialization, including securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning, electronic record discovery, and digital forensics. Information security professionals are very stable in their employment. As of 2013 more than 80 percent of professionals had no change in employer or employment over a period of a year, and the number of professionals is projected to continuously grow more than 11 percent annually from 2014 to 2019.

    Difference Between Information Security and Cybersecurity

    The terms cybersecurity and information security are often used interchangeably. Both are concerned with securing computer systems against threats and information breaches, and they are so closely linked that they can seem synonymous; unfortunately, they are often used as if they were.

    Data security is about securing data from malicious users and threats. A related question is the difference between data and information. One important point is that data is unformatted, or unorganized, information. For example, "100798" is data; if we know that it is a person's date of birth, then it is information, because it has a context.

    Difference between Cyber Security and Information Security:

    • Cyber security: It is the practice of protecting data from outside resources on the internet.
      Information security: It is about protecting information from unauthorized users, unauthorized access, and data modification or removal, in order to provide confidentiality, integrity, and availability.
    • Cyber security: It is about the ability to protect the use of cyberspace from cyber attacks.
      Information security: It deals with the protection of data from any form of threat.
    • Cyber security: It protects anything in the cyber realm.
      Information security: It protects information irrespective of the realm.
    • Cyber security: It deals with dangers against cyberspace.
      Information security: It deals with the protection of data from any form of threat.
    • Cyber security: It strikes against cyber crimes, cyber frauds and law enforcement.
      Information security: It strives against unauthorized access, disclosure, modification and disruption.
    • Cyber security: Cyber security professionals deal with advanced persistent threats.
      Information security: Information security is the foundation of data security, and the security professionals associated with it prioritize resources first before dealing with threats.
    • Cyber security: It deals with threats that may or may not exist in the cyber realm, such as protecting your social media account, personal information, etc.
      Information security: It deals with information assets and their integrity, confidentiality and availability.

    Information vs Network Security

    Network Security

    Network Security is the set of measures taken by an enterprise or organization to secure its computer network and data using both hardware and software systems. It aims at securing the confidentiality and accessibility of the data and the network. Every company or organization that handles large amounts of data has some degree of protection against many cyber threats.

    Cyber Security

    Cyber Security is the set of measures taken to protect our systems from cyber attacks and other malicious attacks. It is basically about advancing the security of the system so that we can prevent unauthorized access to our system by an attacker. It protects cyberspace from attacks and damage. Cyberspace can be hampered by inherent vulnerabilities that sometimes cannot be removed.

    Figure \(\PageIndex{1}\): Information vs Cyber vs Network Security. ("3 Security" by pp_pankaj, Geeks for Geeks is licensed under CC BY-SA 4.0)

    Difference between Network Security and Cyber Security:

    • Network security: It protects the data flowing over the network.
      Cyber security: It protects the data residing in the devices and servers.
    • Network security: It is a subset of cyber security.
      Cyber security: It is a subset of information security.
    • Network security: It protects anything in the network realm.
      Cyber security: It protects anything in the cyber realm.
    • Network security: It deals with protection from DoS attacks.
      Cyber security: It deals with protection from cyber attacks.
    • Network security: It strikes against trojans.
      Cyber security: It strikes against cyber crimes and cyber frauds.
    • Network security: It includes viruses and worms.
      Cyber security: It includes phishing and pre-texting.
    • Network security: It protects data in transit only.
      Cyber security: It protects the entire body of digital data.
    • Network security: It secures the data travelling across the network between terminals.
      Cyber security: It deals with the protection of data at rest.

    Threats

    In information security, threats can come in many forms: software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion. This page contains a great deal of important information. There is a similar article by Cisco that covers these same topics; it may be a bit more up to date. Find it at: "What Is the Difference: Viruses, Worms, Trojans, and Bots?"

    A threat is anything that can take advantage of a vulnerability to breach security and negatively alter, erase or harm an object or objects of interest.

    Software attacks mean attacks by viruses, worms, Trojan horses, etc. Many users believe that malware, viruses, worms and bots are all the same thing. They are not; the only similarity is that they are all malicious software.

    Malware is a combination of two terms, malicious and software. So malware basically means malicious software: intrusive program code, or anything else that is designed to perform malicious operations on a system.

    The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any specific types of behavior.

    1. Virus – A computer virus is software usually hidden within another seemingly innocuous program that can produce copies of itself and insert them into other programs or files, and that usually performs a harmful action (such as destroying data).[21] An example of this is a PE infection, a technique, usually used to spread malware, that inserts extra data or executable code into PE files.[22]
    2. Worm - a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behavior will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on the law of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
    3. Trojan horses are generally spread by some form of social engineering, for example, where a user is duped into executing an e-mail attachment disguised to be unsuspicious, (e.g., a routine form to be filled in), or by drive-by download. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller (phoning home) which can then have unauthorized access to the affected computer, potentially installing additional software such as a keylogger to steal confidential information, cryptomining software or adware to generate revenue to the operator of the trojan.[30] While Trojan horses and backdoors are not easily detectable by themselves, computers may appear to run slower, emit more heat or fan noise due to heavy processor or network usage, as may occur when cryptomining software is installed. Cryptominers may limit resource usage and/or only run during idle times in an attempt to evade detection.

      Unlike computer viruses and worms, Trojan horses generally do not attempt to inject themselves into other files or otherwise propagate themselves.[31]

      In spring 2017 Mac users were hit by the new version of Proton Remote Access Trojan (RAT)[32] trained to extract password data from various sources, such as browser auto-fill data, the Mac-OS keychain, and password vaults.[33]

    4. Bots – can be seen as an advanced form of worms. They are automated processes designed to interact over the internet without the need for human interaction. They can be good or bad. A malicious bot infects one host and, after infecting it, creates a connection to a central server, which provides commands to all infected hosts attached to that network, called a botnet.

    Malware is referenced by several terms, depending on how it operates within the larger categories specified above. Below is a short description of many of the most well known types of malware.

    1. Adware – is not exactly malicious, but it can breach the privacy of a user. Adware displays ads on the computer's desktop or inside individual programs. It often comes attached to free software downloaded from a variety of web sites. It monitors the sites the user visits, determines the topics of interest to the user, and then displays relevant ads. An attacker can embed malicious code inside the software, and the adware can then monitor your system activities and even compromise your machine.
    2. Spyware – is software that monitors the user's activity on a computer and provides the collected information to a pre-determined adversary. Spyware is generally dropped by Trojans, viruses or worms. Once dropped, it installs itself and sits silently to avoid detection.
      One of the most common examples of spyware is the keylogger. The basic job of a keylogger is to record user keystrokes with timestamps, thus capturing interesting information like usernames, passwords, credit card details, etc.
    3. Ransomware – is a type of malware that will either encrypt your files or lock your computer, making it inaccessible either partially or wholly. A message is displayed asking for money as ransom in exchange for the key that enables the user to unlock the computer.
    4. Scareware – masquerades as a tool to help fix your system, but when the software is executed it will infect your system or completely destroy it. The software displays a message to frighten you and force you to take some action, like paying them to fix your system.
    5. Rootkits – are designed to gain administrative privileges on the user's system. Once administrative access is gained, the adversary has access to all data and files, allowing them to view, download or destroy whatever they want.
    6. Zombies – work similarly to spyware. The infection mechanism is the same, but zombies can sit dormant waiting for the adversary to issue commands, or perhaps waiting for a specific task to be completed by the user themselves.

    No matter what they look like, or how they accomplish their work, malware is intent on disrupting or destroying data. The adversary is interested in one or more of the following:

    • Theft of intellectual property means violation of intellectual property rights such as copyrights, patents, etc.
    • Identity theft means impersonating someone else to obtain that person's personal information, or to access vital information they have, for example accessing a person's computer or social media account by logging in with their login credentials.
    • Theft of equipment and information is increasing these days due to the mobile nature of devices and their increasing information capacity.
    • Sabotage means destroying a company's website to cause a loss of confidence on the part of its customers.
    • Information extortion means theft of a company's property or information in order to receive payment in exchange. For example, ransomware may lock a victim's files, making them inaccessible and thus forcing the victim to make a payment; only after payment are the victim's files unlocked.

    With each day that passes there are new and more malicious threats. Below is a brief description of these new-generation threats.

    • Technology with weak security – With the advancement of technology, new gadgets are being released in the market, and most of them provide some sort of networking or remote access capability. Very few have any security built in or show any thought about following information security principles.
    • Social media attacks – the adversary identifies and infects a cluster of websites that persons of a particular organization visit, allowing the adversary to steal information.
    • Mobile malware – the reality is that malware is not limited to desktop/laptop systems. With the plethora of apps available from the mobile device app stores, there is a huge opportunity for users to inadvertently download malware onto their mobile devices.
    • Outdated security software – with new threats emerging every day, updating a system with the latest patches, especially security patches, should be a high priority in order to maintain a fully secured environment.
    • Corporate data on personal devices – many organizations allow employees to "bring your own device" (BYOD). Devices like laptops and tablets, and even the use of USB drives and cloud storage in the workplace, can create serious security breaches.
    • Social engineering – is the art of manipulating people so that they give up confidential information like bank account details, passwords, etc. These criminals can trick you into giving up your private and confidential information, or they will gain your trust to get access to your computer and install malicious software that gives them control of it. For example, an email or message from your friend may not actually have been sent by your friend: a criminal who has gained access to your friend's device can use the contact list to send an infected email or message to all contacts. Since the message or email comes from a known person, the recipient will very likely open the link or attachment in the message, thus unintentionally infecting the computer. There is an AWESOME video example of social engineering - it is only about 3:00 minutes long. (I apologize for the single curse word that is used right at the end of the video.)

    CIA Triad

    Information security is not only about securing information from unauthorized access. Information security is basically the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Information can be anything: your profile on social media, the data on your mobile phone, your biometrics, etc. Thus information security spans many areas, such as cryptography, mobile computing, forensics, online social media, etc.

    Information Security programs are built around 3 objectives, commonly known as CIA – Confidentiality, Integrity, Availability.

    Figure \(\PageIndex{1}\): CIA Triad. ("CIA Triad" by Patrick McClanahan is licensed under CC BY-SA 4.0)

    These are the objectives which should be kept in mind while working in the information security realm.

    Confidentiality

    Confidentiality means that only authorized individuals/systems can view sensitive or classified information. Data being sent over the network should not be accessible to unauthorized individuals. An attacker may try to capture the data using different tools available on the Internet and gain access to your information. A primary way to avoid this is to use encryption techniques to safeguard your data, so that even if the attacker gains access to your data, he/she will not be able to decrypt it. Encryption standards include AES (Advanced Encryption Standard) and DES (Data Encryption Standard). Another way to protect your data is through a VPN tunnel. VPN stands for Virtual Private Network and helps the data to move securely over the network.

    Integrity

    The next thing to talk about is integrity. Well, the idea here is making sure that data has not been modified. Corruption of data is a failure to maintain data integrity. To check if our data has been modified or not, we make use of a hash function.

    We have two common families: SHA (Secure Hash Algorithm) and MD5 (Message Digest 5). MD5 is a 128-bit hash, and SHA is a 160-bit hash if we're using SHA-1. There are also other SHA methods that we could use, like SHA-0, SHA-2 and SHA-3.

    Let's assume Host 'A' wants to send data to Host 'B' while maintaining integrity. A hash function is run over the data and produces a hash value H1, which is then attached to the data. When Host 'B' receives the packet, it runs the same hash function over the data, which gives a hash value H2. If H1 = H2, the data's integrity has been maintained and the contents were not modified.
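    As an added example (not from the original page), the Go program below runs the Host A / Host B exchange just described with SHA-256 (chosen over MD5 and SHA-1, which have known collision attacks and are no longer recommended). It also goes one step beyond the text: it shows that a bare hash detects accidental corruption but not a deliberate attacker who replaces the data and recomputes H1, and that keying the hash (HMAC-SHA256 with a secret shared by A and B) closes that gap. The messages, the shared key and the function names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Packet is what Host A puts on the wire: the data plus the tag (H1 in the
// text) computed over it.
type Packet struct {
	Data []byte
	Tag  []byte
}

// SendPlainHash is Host A's side of the exchange in the text: H1 = SHA-256(data).
func SendPlainHash(data []byte) Packet {
	sum := sha256.Sum256(data)
	return Packet{Data: data, Tag: sum[:]}
}

// CheckPlainHash is Host B's side: recompute H2 over the received data and
// compare it with the received H1. hmac.Equal compares in constant time.
func CheckPlainHash(p Packet) bool {
	sum := sha256.Sum256(p.Data)
	return hmac.Equal(sum[:], p.Tag)
}

// SendHMAC and CheckHMAC run the same exchange, but the tag is HMAC-SHA256
// keyed with a secret that only A and B know.
func SendHMAC(key, data []byte) Packet {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return Packet{Data: data, Tag: mac.Sum(nil)}
}

func CheckHMAC(key []byte, p Packet) bool {
	mac := hmac.New(sha256.New, key)
	mac.Write(p.Data)
	return hmac.Equal(mac.Sum(nil), p.Tag)
}

// Tamper models something on the path between A and B that replaces the data.
// With recompute=false it behaves like accidental corruption (tag untouched);
// with recompute=true it is a deliberate attacker who also recomputes the
// plain hash, which is exactly what a keyless hash cannot stop.
func Tamper(p Packet, newData []byte, recompute bool) Packet {
	out := Packet{Data: newData, Tag: p.Tag}
	if recompute {
		sum := sha256.Sum256(newData)
		out.Tag = sum[:]
	}
	return out
}

func main() {
	// Constructed sample data and shared secret for the demonstration.
	original := []byte("constructed sample: transfer 100 to account 42")
	altered := []byte("constructed sample: transfer 900 to account 42")
	key := []byte("constructed-shared-secret") // would be agreed out of band

	p := SendPlainHash(original)
	fmt.Println("plain hash, untouched:         ", CheckPlainHash(p))                        // true
	fmt.Println("plain hash, corrupted:         ", CheckPlainHash(Tamper(p, altered, false))) // false
	fmt.Println("plain hash, forged+recomputed: ", CheckPlainHash(Tamper(p, altered, true)))  // true, undetected

	q := SendHMAC(key, original)
	fmt.Println("HMAC, untouched:               ", CheckHMAC(key, q))                       // true
	fmt.Println("HMAC, forged+recomputed:       ", CheckHMAC(key, Tamper(q, altered, true))) // false, detected
}
```

    The practical reading: H1 = H2 proves the bytes did not change by accident, but only a keyed tag (or a digital signature, covered under authenticity below) proves that nobody changed them on purpose.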

    Availability

    This means that the data should be readily available to its users. This applies to systems and to networks: not simply the data, but the technology necessary to obtain and view the data needs to be available. To ensure availability, the network/system administrator should maintain hardware, make regular upgrades, have a plan for fail-over and prevent bottlenecks in the network. Attacks such as DoS or DDoS may render a network unavailable as the resources of the network get exhausted. The impact may be significant for the companies and users who rely on the network as a business tool. Thus, proper measures should be taken to prevent such attacks.

    Along with the 3 objectives that make up the CIA triad, there are 3 additional concepts that are often mentioned in regard to information security. In fact ISO/IEC 27001, an international standard on how to manage information security, mentions the following concepts as part of an organization's information security management plan. These 3 additional concepts are:

    • Non-repudiation – means one party cannot deny having received a message or a transaction, nor can the other party deny having sent it. For example, in cryptography it is sufficient to show that the message matches the digital signature made with the sender's private key, so that the sender could have sent the message and nobody else could have altered it in transit. Data integrity and authenticity are prerequisites for non-repudiation.
    • Authenticity – means verifying that users are who they say they are and that each input arriving at the destination is from a trusted source. This principle, if followed, guarantees that a valid and genuine message is received from a trusted source through a valid transmission. For example, taking the example above, the sender sends the message along with a digital signature that was generated using the hash value of the message and the private key. At the receiver side this digital signature is decrypted using the public key, giving a hash value, and the message is hashed again to generate a second hash value. If the two values match, it is a valid transmission with an authentic, or genuine, message received at the recipient side.
    • Accountability – means that it should be possible to trace the actions of an entity uniquely to that entity. For example, as we discussed in the Integrity section, not every employee should be allowed to make changes to other employees' data. For this there is a separate department in an organization that is responsible for making such changes; when they receive a request for a change, the letter must be signed by a higher authority, for example the Director of the college, and the person allotted the change can make it only after verifying their biometrics, so that a timestamp together with the details of the user making the change is recorded. If a change goes like this, it is possible to trace the actions uniquely to an entity.
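    The following Go program is an added example, not code from the original page, of the sign-and-verify procedure the Authenticity item describes: the sender hashes the message and signs the hash with its private key; the receiver hashes the received message again and checks the signature with the sender's public key. It uses Ed25519 from Go's standard library (the page does not name a signature algorithm; this is an assumption for the example). The same check is the "Use Digital Signatures" mitigation listed under Fabrication later on this page. Messages and function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what travels from sender to receiver.
type SignedMessage struct {
	Message   []byte
	Signature []byte
}

// GenerateKeys makes a sender's key pair. The private key stays with the
// sender; the public key is handed to every receiver.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign follows the text: hash the message, then sign the hash with the
// private key. (Ed25519 also hashes internally, so the explicit SHA-256
// step is here to mirror the description in the text.)
func Sign(priv ed25519.PrivateKey, msg []byte) SignedMessage {
	h := sha256.Sum256(msg)
	return SignedMessage{Message: msg, Signature: ed25519.Sign(priv, h[:])}
}

// Verify is the receiver's check: hash the received message again and test
// the signature against the sender's public key. true means the message is
// authentic (made by the private-key holder) and unaltered. Because the
// receiver holds only the public key, it could not have produced the
// signature itself, which is what gives non-repudiation.
func Verify(pub ed25519.PublicKey, sm SignedMessage) bool {
	h := sha256.Sum256(sm.Message)
	return ed25519.Verify(pub, h[:], sm.Signature)
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample message for the demonstration.
	sm := Sign(priv, []byte("constructed sample: approve change request 17"))
	fmt.Println("genuine message verifies:     ", Verify(pub, sm)) // true

	// Someone alters the message in transit but cannot re-sign it.
	altered := SignedMessage{Message: []byte("constructed sample: approve change request 18"), Signature: sm.Signature}
	fmt.Println("altered message verifies:     ", Verify(pub, altered)) // false

	// Someone with their own key pair tries to pass as the sender.
	_, otherPriv, _ := GenerateKeys()
	impostor := Sign(otherPriv, sm.Message)
	fmt.Println("impostor's message verifies:  ", Verify(pub, impostor)) // false
}
```

    Note the contrast with the HMAC used for integrity: an HMAC proves the message came from someone holding the shared key, which could be either party, whereas a signature ties it to the one holder of the private key.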

    At the core of information security is information assurance, which means the act of maintaining the CIA of information, ensuring that information is not compromised in any way when critical issues arise. These issues include, but are not limited to, natural disasters, computer/server malfunctions, etc.

    Thus, the field of information security has grown and evolved significantly in recent years. It offers many areas for specialization, including securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning etc.

    Parkerian Hexad

    The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker in 1998. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).

    Figure \(\PageIndex{1}\): Parkerian Hexad. ("Advice: Security vs. Utility " by L. Marzigliano is in the Public Domain)

    The Parkerian Hexad added the following three additional elements:

    Authenticity

    Authenticity refers to the veracity of the claim of origin or authorship of the information. For example, one method for verifying the authorship of a handwritten document is to compare the handwriting characteristics of the document to a sampling of others which have already been verified. For electronic information, a digital signature could be used to verify the authorship of a digital document using public-key cryptography (it could also be used to verify the integrity of the document).

    Possession

    Possession or control: Suppose a thief were to steal a sealed envelope containing a bank debit card and its personal identification number. Even if the thief did not open that envelope, it's reasonable for the victim to be concerned that the thief could do so at any time. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.

    Utility

    Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn't be useful in that form. Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.

    These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.

    Types of Attacks

    In an Information Security context there are 4 broad based categories of attacks:

    1. Fabrication
    2. Interception
    3. Interruption
    4. Modification

    Fabrication

    As stated above, fabrication is one of the four broad-based categories used to classify attacks and threats. A fabrication attack creates illegitimate information, processes, communications or other data within a system.

    Often, fabricated data is inserted right alongside authentic data. When a known system is compromised, attackers may use fabrication techniques to gain trust, create a false trail, collect data for illicit use, or spawn malicious or extraneous processes. In addition, fabricated data may reduce confidence in genuine data within the affected system.

    Figure \(\PageIndex{1}\): Fabrication Attack. ("Security Attacks: Fabrication" by Unknown, CS Dept - Texas Tech University is licensed under CC BY-SA 4.0)

    Examples of Fabrication attacks include:

    • SQL Injection
    • Route Injection
    • User / Credential Counterfeiting
    • Log / Audit Trail Falsification
    • Email Spoofing

    Mitigate the attack:

    • Use authentication and authorization mechanisms
    • Use firewalls
    • Use digital signatures - a digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document.

    Interception

    An interception is where an unauthorized individual gains access to confidential or private information. Interception attacks are attacks against the confidentiality objective of the CIA triad.

    Figure \(\PageIndex{1}\): Interception Attacks. ("Security Attacks: Interception" by Unknown, CS Dept - Texas Tech University is licensed under CC BY-SA 4.0)

    Examples of Interception attacks:

    • Eavesdropping on communication.
    • Wiretapping telecommunications networks.
    • Illicit copying of files or programs.
    • Obtaining copies of messages for later replay.
    • Packet sniffing and key logging to capture data from a computer system or network.

    Mitigate the attack:

    • Using encryption - SSL, VPN, 3DES and BPI+ are deployed to encrypt the flow of information from source to destination, so that if someone is able to snoop on the flow of traffic, all that person will see is ciphertext.
    • Traffic padding - a function that produces ciphertext output continuously, even in the absence of plaintext. A continuous random data stream is generated. When plaintext is available, it is encrypted and transmitted. When input plaintext is not present, the random data are encrypted and transmitted. This makes it impossible for an attacker to distinguish between true data flow and noise, and therefore impossible to deduce the amount of traffic.

    Interruption

    In an interruption attack, a network service is degraded or made unavailable for legitimate use. These are attacks against the availability of the network.

    Figure \(\PageIndex{1}\): Interruption Attack. ("Security Attacks: Interruption" by Unknown, CS Dept - Texas Tech University is licensed under CC BY-SA 4.0)

    Examples of Interruption attacks :

    • Overloading a server host so that it cannot respond.
    • Cutting a communication line.
    • Blocking access to a service by overloading an intermediate network or network device.
    • Redirecting requests to invalid destinations.
    • Theft or destruction of software or hardware involved.

    Mitigate the attack:

    • Use Firewalls - Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Modern stateful firewalls like Check Point FW1 NGX and Cisco PIX have a built-in capability to differentiate good traffic from DoS attack traffic.
    • Keeping proper backups of system configuration data.
    • Replication.

    Modification

    Modification is an attack against the integrity of the information. There are three types of modification:

    • Change: Change existing information. The information already exists but is made incorrect. Change attacks can be targeted at sensitive information or public information.
    • Insertion: When an insertion attack is made, information that did not previously exist is added. This attack may be mounted against historical information or information that is yet to be acted upon.
    • Deletion: Removal of existing information.

    Figure \(\PageIndex{1}\): Modification Attack. ("Security Attacks: Modification" by Unknown, CS Dept - Texas Tech University is licensed under CC BY-SA 4.0)

    Examples of Modification attacks include:

    • Modifying the contents of messages in the network.
    • Changing information stored in data files.
    • Altering programs so they perform differently.
    • Reconfiguring system hardware or network topologies.

    Mitigate the attack:

    • Introduction of intrusion detection systems (IDS) which could look for different signatures which represent an attack.
    • Using Encryption mechanisms
    • Traffic padding
    • Keeping backups
    • Use messaging techniques such as checksums, sequence numbers, digests, authentication codes
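    The following added example (not code from the page or from the Texas Tech material it cites) shows how an authentication code combined with sequence numbers lets a receiver detect the fabricated, modified and replayed messages discussed under Fabrication and Modification above. The page names digital signatures as the fabrication control; this example uses a shared-key HMAC, the symmetric "authentication code" from the mitigation list, because it needs only Python's standard library. The key, the messages and the receiver logic are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared key for the demo; a real deployment distributes it out of band.
SHARED_KEY = secrets.token_bytes(32)


def _canonical(seq: int, payload: dict) -> bytes:
    """Fixed serialisation so sender and receiver authenticate identical bytes."""
    return json.dumps({"seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, seq: int, payload: dict) -> dict:
    """Sender side: attach an HMAC-SHA256 tag over the sequence number and payload."""
    tag = hmac.new(key, _canonical(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


class Receiver:
    """Receiver side: reject messages whose tag does not verify (fabricated or
    modified) and messages whose sequence number does not advance (replayed)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.accepted = []

    def receive(self, msg: dict) -> str:
        expected = hmac.new(self.key, _canonical(msg["seq"], msg["payload"]),
                            hashlib.sha256).hexdigest()
        # compare_digest runs in constant time, so the comparison itself leaks nothing.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return "rejected: bad authentication code (fabricated or modified)"
        if msg["seq"] <= self.last_seq:
            return "rejected: stale sequence number (replay)"
        self.last_seq = msg["seq"]
        self.accepted.append(msg["payload"])
        return "accepted"


def demo() -> list:
    """Constructed scenario: one genuine message, three attacks, then the next genuine one."""
    rx = Receiver(SHARED_KEY)
    results = []
    genuine = seal(SHARED_KEY, 1, {"action": "transfer", "amount": 100})
    results.append(rx.receive(genuine))
    # Modification in transit: the payload changes but the tag was computed over the original.
    tampered = dict(genuine, payload={"action": "transfer", "amount": 100000})
    results.append(rx.receive(tampered))
    # Fabrication: a message invented without the key cannot carry a valid tag.
    forged = {"seq": 2, "payload": {"action": "transfer", "amount": 5}, "tag": "00" * 32}
    results.append(rx.receive(forged))
    # Replay: the genuine first message is resent unchanged; the tag verifies, the sequence does not.
    results.append(rx.receive(genuine))
    results.append(rx.receive(seal(SHARED_KEY, 2, {"action": "transfer", "amount": 42})))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

    The tag alone catches fabrication and modification; the sequence number is what catches replay of an authentic message, which is why the page lists sequence numbers beside digests and authentication codes. A digital signature would replace the shared key with a public/private pair, so that the receiver need not hold a secret that could itself be used to fabricate messages.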

    Vulnerability

    A vulnerability is a weakness in a system that provides adversaries the opportunity to compromise assets. All systems have vulnerabilities. Even though technologies and tools are improving, the number of vulnerabilities is increasing. Vulnerabilities come from 4 main sources: hardware, software, network and procedural vulnerabilities.

    1. Hardware Vulnerability:
    A hardware vulnerability is a weakness that can be used to attack the system hardware, either physically or remotely.
    For example:

    1. Old version of systems or devices
    2. Unprotected storage
    3. Unencrypted devices, etc.

    2. Software Vulnerability:
    A software vulnerability is an error introduced during development or configuration whose execution can violate the security policy.
    For examples:

    1. Lack of input validation
    2. Unverified uploads
    3. Cross-site scripting
    4. Unencrypted data, etc.

    3. Network Vulnerability:
    A weakness in the network, which can be in hardware or software.
    For examples:

    1. Unprotected communication
    2. Malware or malicious software (e.g. viruses, keyloggers, worms, etc.)
    3. Social engineering attacks
    4. Misconfigured firewalls

    4. Procedural Vulnerability:
    A weakness in an organization's operational methods.
    For examples:

    1. Password procedure – Passwords should follow the standard password policy.
    2. Training procedure – Employees must know which actions to take and how to handle security. Employees must never be asked for user credentials online. Make employees aware of social engineering and phishing threats.

    Risk in Cybersecurity

    There are many threat actors in the world, including nation states, criminal syndicates and various enterprises, hacktivists and insiders. These adversaries have a variety of motivations, which often include financial gain, corporate or government espionage, and military advantage. The concern is the launch of cyber attacks through the exploitation of vulnerabilities. There are a number of vulnerabilities in both hardware and software that can be exploited from outside or inside; the vulnerability could be unpatched software, unsecured access points, or poorly configured systems. The consequence is the harm caused to an exploited organization by a cyberattack: the organization will have to face many things, including a loss of sensitive data. It will affect the company's customer base, reputation and financial standing, and the company may lose a great many customers. The consequence can be very costly to the organization. Cyber risk is commonly defined as exposure to harm or loss resulting from breaches of or attacks on information systems.

    Risk Management

    A risk is the intersection of assets, threats and vulnerabilities.

    A+T+V = R

    NIST SP 800-30 Risk Management Guide for Information Technology Practitioners defines risk as a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

    So the main components of Risk Assessment are:

    • Threats
    • Vulnerability
    • Impact (i.e. potential loss)
    • Likelihood of occurrence (i.e. the probability that an event – a threat successfully exploiting a vulnerability – will occur)

    Threats are anything that can exploit a vulnerability accidentally or intentionally and destroy or damage an asset. An asset can be anything: people, property or information. An asset is what we are trying to protect and a threat is what we are trying to protect against. Vulnerability means a gap or weakness in our protection efforts.

    Threat Source is the exploitation of a vulnerability or a situation either intentionally or unintentionally.

    The complete process of Risk Management can be divided into following stages:

    1. Context Establishment
    2. Risk Assessment
    3. Risk Management/ Mitigation
    4. Risk Communication
    5. Risk Monitoring and Review
    6. IT Evaluation and Assessment

    1. Context Establishment –
    In this step information about the organization and the basic criteria, purpose, scope and boundaries of risk management activities are obtained. In addition to this data, it is important to gather details about the organization in charge of risk management activities.

    The organization's mission, values, structure, strategy, locations and cultural environment are studied to gain a deep understanding of its scope and boundaries.
    The constraints (budgetary, cultural, political, technical) of the organization are to be collected and documented as a guide for the next steps.

    The main role inside organization in charge of risk management activities can be seen as:

    • Senior Management
    • Chief information officer (CIO)
    • System and Information owners
    • the business and functional managers
    • the Information System Security Officer (ISSO) or Chief information security officer (CISO)
    • IT Security Practitioners
    • Security Awareness Trainers

    2. Risk Assessment –
    Risk Management is a recurrent activity; Risk Assessment, on the other hand, is executed at discrete points, each assessment standing until the next one is performed. Risk Assessment is the process of evaluating known and postulated threats and vulnerabilities to determine expected loss. It also includes establishing the degree of acceptability to system operations.

    Risk Assessment receives its input from the Context Establishment phase, and its output is the list of assessed risks, where risks are given priorities as per the risk evaluation criteria.

    1. Risk Identification –
      In this step we identify the following:

      • assets
      • threats
      • existing and planned security measures
      • vulnerabilities
      • consequences
      • related business processes

      Thus the output includes the following:

      • list of assets and related business processes with the associated list of threats and existing and planned security measures
      • list of vulnerabilities unrelated to any identified threats
      • list of incident scenarios with their consequences
    2. Risk Estimation –
      There are 2 methods for Risk Assessment:

      1. Quantitative Risk Assessment – This methodology is not widely used by organizations, except for financial institutions and insurance companies. Quantitative risk is mathematically expressed as Annualised Loss Expectancy (ALE). ALE is the monetary loss that can be expected for an asset due to a risk being realised over a one-year period.

      2. Qualitative Risk Assessment – Qualitative Risk Assessment defines likelihood, impact values and risk in subjective terms, keeping in mind that likelihood and impact values are highly uncertain. Qualitative risk assessments typically give risk results of "High", "Moderate" and "Low". Following are the steps in Qualitative Risk Assessment:

      • Identifying Threats: Threats and threat-sources must be identified. Threats should include the threat-source to ensure accurate estimation. It is important to compile a list of all possible threats that are present across the organization and use this list as the basis for all risk management activities. Some examples of threats and threat-sources are:
        • Natural Threats - floods, earthquakes etc.
        • Human Threats - viruses, worms etc.
        • Environmental Threats - power failure, pollution etc.
      • Identifying Vulnerabilities: Vulnerabilities are identified by numerous means. Some of the tools are:
        • Vulnerability Scanners – Software that compares the operating system or code against a database of flaw signatures.
        • Penetration Testing – A human security analyst exercises threats against the system, including operational vulnerabilities such as social engineering.
        • Audit of Operational and Management Controls – Operational and management controls are reviewed by comparing the current documentation to best practices, for example ISO 17799, and by comparing actual practices against the currently documented processes.
      • Relating Threats to Vulnerabilities: This is the most difficult, but mandatory, activity in Risk Assessment. The T-V pair list is established by reviewing the vulnerability list and pairing each vulnerability with every threat that applies, then by reviewing the threat list and ensuring that all the vulnerabilities that the threat-action/threat can act against have been identified.
      • Defining Likelihood: Likelihood is the probability that a threat caused by a threat-source will occur against a vulnerability. Sample likelihood definitions can be:
        • Low – 0-30% chance of successful exercise of the threat during a one-year period
        • Moderate – 31-70% chance of successful exercise of the threat during a one-year period
        • High – 71-100% chance of successful exercise of the threat during a one-year period

        These are just sample definitions. An organization can use its own definitions, such as Very Low, Low, Moderate, High, Very High.

      • Defining Impact: Impact is best defined in terms of impact upon confidentiality, integrity and availability. Sample definitions for impact are as follows:

        | Impact | Confidentiality | Integrity | Availability |
        | Low | Loss of confidentiality leads to a limited effect on the organization | Loss of integrity leads to a limited effect on the organization | Loss of availability leads to a limited effect on the organization |
        | Medium | Loss of confidentiality leads to a serious effect on the organization | Loss of integrity leads to a serious effect on the organization | Loss of availability leads to a serious effect on the organization |
        | High | Loss of confidentiality leads to a severe effect on the organization | Loss of integrity leads to a severe effect on the organization | Loss of availability leads to a severe effect on the organization |
      • Assessing Risk: Assessing risk is the process to determine the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise. A sample Risk Determination Matrix (rows: likelihood; columns: impact) is as follows:

        | Likelihood \ Impact | High | Moderate | Low |
        | High | High | High | Moderate |
        | Moderate | High | Moderate | Low |
        | Low | Moderate | Low | Low |
      • Risk Evaluation: The risk evaluation process receives as input the output of the risk analysis process. It first compares each risk level against the risk acceptance criteria and then prioritizes the risk list with risk treatment indications.
    3. Risk Mitigation/ Management
      Risk Mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process. Since eliminating all risk in an organization is close to impossible, it is the responsibility of senior management and of functional and business managers to use the least-cost approach and implement the most appropriate controls to decrease risk to an acceptable level.
      As per the NIST SP 800-30 framework there are 6 steps in Risk Mitigation:
      • Risk Assumption: This means to accept the risk and continue operating the system but at the same time try to implement the controls to
      • Risk Avoidance: This means to eliminate the risk cause or consequence in order to avoid the risk, for example shutting down the system if the risk is identified.
      • Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
      • Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
      • Research and Acknowledgement: This step involves acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
      • Risk Transference: This means to transfer the risk to compensate for the loss, for example by purchasing insurance; this guarantees not 100% recovery in all cases but at least some recovery from the loss.
    4. Risk Communication
      The main purpose of this step is to communicate and give an understanding of all aspects of risk to all the stakeholders of an organization. Establishing a common understanding is important, since it influences the decisions to be taken.
    5. Risk Monitoring and Review
      Security measures are regularly reviewed to ensure they work as planned and that changes in the environment don't make them ineffective. With major changes in the work environment, security measures should also be updated. Business requirements, vulnerabilities and threats can change over time. Regular audits should be scheduled and should be conducted by an independent party.
    6. IT Evaluation and Assessment
      Security controls should be validated. Technical controls are systems that need to be tested and verified. Vulnerability assessments and penetration tests are used to verify the status of security controls. Monitoring system events according to a security monitoring strategy, an incident response plan, and security validation and metrics are fundamental activities to assure that an optimal level of security is obtained. It is important to keep a check on new vulnerabilities and apply procedural and technical controls, for example regularly updating software.

    Risks and Vulnerabilities

    As an Officer, a leader and manager, one of your jobs will be to assess and manage risk; fortunately you have been managing risk your entire life and continue to do so each day. All we are doing here is honing your risk management skills with a more formalized process and applying that process to the Cyber Domain.

    Learning Outcomes

    After completing this discussion and the activities you should be able to:

    • Explain what a formalized risk assessment process supports/allows
    • Describe the general steps of a risk assessment process
    • Explain the factors of assessing risks
    • Apply the risk assessment process to cyber domain scenarios

    Introduction

    You assess and manage risk on a daily basis, and you have been doing so your entire life. Why do we look both ways before we walk across a road? Because there is a risk of being hit by a car. The impact of a pedestrian being hit by a car is high (serious injury or death), so we mitigate (reduce) the risk of being hit by looking both ways before we cross the road. Just as in the physical world, there are threats in cyberspace.

    Terminology

    risk
    A measure of the extent to which an entity is threatened by a potential circumstance or event.
    impact
    An adverse effect that results from an event occurring.
    vulnerability
    A weakness in a system that can be exploited by a threat and that adversely affects the system, resulting in an adverse impact. [general context]
    A weakness in an information system that can be exploited to compromise a pillar of cyber security. [cyber domain context]
    threat
    An actor or event with the potential to adversely impact an information system.
    capability
    The knowledge and skill set required by a threat to carry out an event.
    opportunity
    The resources and positioning required by a threat to carry out an action.
    intent
    The motivation of a threat to carry out an action.

    The Risk Management Tradeoff

    Figure \(\PageIndex{1}\): Functionality, Risk, Cost. ("Functionality, Risk, Cost" by Unknown, U.S. Naval Academy - Cyber Science Dept is in the Public Domain, CC0)

    There is a fundamental tension between the services an information system provides (functionality), and security. A building with no doors or windows is quite secure, but pretty limited in its utility. Similarly, an information system with no way for data to flow in or out is very secure, but it is unable to provide a service. The more services you provide/allow, the more ways in and out of your system that need securing. Thus, for each service one needs to weigh the value of the service against the security implications of providing/allowing it. We weigh the risk against the functionality (benefits) and cost to make a decision on how to proceed.

    Oftentimes there is no one right answer as to whether a service should be provided/allowed, and the answer is highly situational. The amount of risk that is acceptable for your grandmother's computer is likely different from that for the computer used by the Chief of Naval Operations (CNO).

    What process do we need to go through to assess risk? What are the factors we need to consider? You already have an intuition of what many of the important factors are. What are the benefits of providing or using the service? What are the impacts if the service is compromised? What vulnerabilities are there in providing or using the service? What threats are working to compromise the service? What are the risks inherent in providing/allowing that service? This requires a better understanding of the factors that comprise risk, and leads to developing a repeatable process to assess risk.

    Risk Factors

    Figure \(\PageIndex{1}\): DoD Risk Model. ("DoD Risk Model" by Unknown, U.S. Naval Academy - Cyber Science Dept is in the Public Domain, CC0)

    In the cyber domain, just as in all domains, there are various factors that go into assessing risk. Risk Assessment can be viewed as a function with inputs, a process, and outputs. In general risk is viewed as a function of likelihood of occurrence of an event and impact of an event, risk( likelihood, impact ).

    Intuitively, if we increase the likelihood of a negative event occurring, the risk severity increases, and vice versa. This is also the case with impact: if the impact of a negative event occurring increases, the risk severity increases.

    Likelihood of Occurrence

    Likelihood of occurrence can be decomposed into two main components: threat and vulnerability. Threat is any circumstance or event that has the potential to adversely impact our system. Threat can be adversarial (purposely caused by a person) or non-adversarial (caused by an accident or natural event such as a hurricane). Vulnerability represents a weakness in an information system that can be exploited, often by an adversarial threat actor.

    Not all vulnerabilities are equal; there are factors with which we can assess a vulnerability. The risk assessment team will ask and answer questions such as (OWASP):

    • (Discoverable) How easy is it for an adversary to discover the vulnerability?
    • (Exploitable) How easy is it for an adversary to exploit the vulnerability?
    • (Awareness) How well known is the vulnerability?
    • (Detectable) How likely is an exploit to be detected?

    Just like vulnerabilities, threats are assessed using various factors. The risk assessment team will ask and answer questions such as (OWASP):

    • (Capability) How technically skilled is an adversary?
    • (Capability) How much does the adversary know about the target system?
    • (Opportunity) Does the adversary have the resources (technology) to exploit a vulnerability?
    • (Opportunity) Is the adversary in a position to exploit a vulnerability?
    • (Intent) How motivated is an adversary to find and exploit a vulnerability?
    • (Intent) Does the actor performing the exploit intend harm?

    Impact

    Impact assessments focus on the resulting damage if a vulnerability is exploited. A single vulnerability may have multiple impacts within the cyber domain, both technological and non-technological. We can apply concepts from conventional operations such as: deceive, deny, disrupt, degrade, and destroy.

    Technical impacts are associated with the Pillars of Cyber Security. For example, if the password file for a web-based service is compromised, the Authentication pillar is impacted.

    Non-technical impacts are associated with the operations and relationships of an organization:

    • (Personnel) To what extent are personnel put in physical danger if the vulnerability is exploited?
    • (Equipment) To what extent is equipment put in physical danger if the vulnerability is exploited?
    • (Operations) To what extent will the success of operations be endangered?
    • (Capabilities) To what extent will the capabilities of the organization be damaged?
    • (Reputation) To what extent will the organization's reputation be damaged?
    • (Financial) What will the financial damage to the organization be?

    The "to what extent" part of assessing impact is not always simple to quantify or qualify.

    Common Vulnerability Scoring System

    The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD). One of the tools provided with the NVD is the Common Vulnerability Scoring System (CVSS). The CVSS supports cyber domain risk assessment efforts.
    Example: CVSS – ShellShock

    The Risk Management Process

    Figure \(\PageIndex{1}\): Risk Management Process. ("Risk Management Process" by Unknown, U.S. Naval Academy - Cyber Science Dept is in the Public Domain, CC0)

    A common first question when presented with a formalized process is: Why is this process necessary? Following a formalized method allows a given process to be repeated; the repeatability allows us to assess process changes and determine whether improvement efforts actually achieved the desired results or not. In other words, formalized processes allow us to compare and contrast.

    There are a number of different methods for assessing risk; most of the methods include a feedback (process improvement) step at the end, making risk assessment a continual, cyclic process. The following are the general steps to assessing and managing risk:

    1. Identify the Risk

    Risk assessment begins with identifying risks associated with a task or system. We will use crossing a road as an example. Here are some of the risks associated with crossing a road:

    • Trip and fall
    • Hit by bike
    • Hit by car
    • Fined for jaywalking

    We can look at risk from the viewpoint of the pedestrian or from the driver. In the cyber domain we look at risk from the offensive or defensive viewpoint. In fact, being proficient at assessing and managing risks in the cyber domain requires looking at risks from both an offensive and defensive perspective; a yin and yang.

    2. Analyze the Risk

    Risks are assessed to determine severity based on the event's likelihood and impact. Risks can be assessed using a quantitative (assigned a numeric value) or a qualitative scale (assigned to a category such as low or high). The tables below are extracted from NIST SP800-30 and provide general guidance on how to define likelihood and impact both qualitatively and quantitatively.

    [Table: NIST SP800-30 Likelihood Assessment Scale]
    [Table: NIST SP800-30 Impact Assessment Scale]

    Going back to the crossing the road example, we can now assign a qualitative value to each of the risks that were identified in the first step.

    | Risk | Likelihood of Occurrence | Impact |
    | Trip and fall | Low (2) | Very Low (0) |
    | Hit by bike | Moderate (5) | Moderate (5) |
    | Hit by car | High (8) | High (8) |
    | Fined for jaywalking | Low (2) | Very Low (0) |

    3. Prioritize the Risk

    Organizations do not have infinite resources and therefore cannot eliminate or even address all possible risks. Risks must be prioritized by severity so that an appropriate strategy can be developed in line with resource constraints. Generally this just consists of ordering the identified risks from most severe to least severe by assigning quantitative values based on the qualitative values above.

    | Priority | Risk | Likelihood of Occurrence | Impact |
    | 1 | Hit by car | High (8) | High (8) |
    | 2 | Hit by bike | Moderate (5) | Moderate (5) |
    | 3 | Fined for jaywalking | Low (2) | Very Low (0) |
    | 4 | Trip and fall | Low (2) | Very Low (0) |

    4. Address the Risk

    Once a risk has been identified, assigned a severity, and prioritized we can determine how the risk will be addressed. There are four strategies for addressing risk:

    Note that ignoring risk is not a legitimate strategy. The table below shows our road crossing example with risk strategies applied.

    | Priority | Risk | Likelihood of Occurrence | Impact | Strategy |
    | 1 | Hit by car | High | High | Control - Look both ways before crossing |
    | 2 | Hit by bike | Moderate | Moderate | Control - Look both ways before crossing |
    | 3 | Fined for jaywalking | Low | Very Low | Avoid - Only cross at designated crosswalks |
    | 4 | Trip and fall | Low | Very Low | Accept |

    It is impossible to nullify risk; there is risk in any action. Any risk that remains after a strategy has been applied is known as residual risk. For example, we choose to control our risk of being hit by a car by looking both ways before crossing. While this greatly reduces our risk it does not eliminate it. There is residual risk that a car may suddenly accelerate or take some other unexpected action.
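    The road-crossing walkthrough above, carried through the identify, analyze, prioritize and address steps in code, as an added example that is not part of the page. The qualitative levels and the numbers attached to them (Very Low 0, Low 2, Moderate 5, High 8, Very High 10) follow the NIST SP 800-30 semi-quantitative scale the page's tables use; taking severity as the product of the two numbers, the residual likelihoods after each treatment, and the inclusion of Transfer (the page's "Risk Transference") as the fourth strategy are this example's own choices and are labelled as such in the code.

```python
from dataclasses import dataclass
from typing import Optional

# NIST SP 800-30 semi-quantitative values for the qualitative levels.
SCALE = {"Very Low": 0, "Low": 2, "Moderate": 5, "High": 8, "Very High": 10}
# Control, Avoid, Accept from the page's table; Transfer from its NIST mitigation list.
STRATEGIES = {"Control", "Avoid", "Accept", "Transfer"}


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    strategy: Optional[str] = None
    treatment: str = ""
    residual_likelihood: Optional[str] = None   # likelihood that remains after treatment


def severity(likelihood: str, impact: str) -> int:
    """Example's choice: severity as the product of the two scale values."""
    return SCALE[likelihood] * SCALE[impact]


def prioritize(risks: list) -> list:
    """Most severe first; the sort is stable, so ties keep identification order."""
    return sorted(risks, key=lambda r: severity(r.likelihood, r.impact), reverse=True)


def address(risk: Risk, strategy: str, treatment: str = "",
            residual_likelihood: Optional[str] = None) -> Risk:
    """Record the chosen strategy. Ignoring a risk is not a strategy, so it is rejected."""
    if strategy not in STRATEGIES:
        raise ValueError(f"{strategy!r} is not a risk strategy; ignoring risk is not one")
    risk.strategy = strategy
    risk.treatment = treatment
    if strategy == "Avoid":
        # Avoidance removes the activity that carries the risk (assumed: nothing remains).
        risk.residual_likelihood = "Very Low"
    else:
        # Control/Transfer take the analyst's residual estimate; Accept leaves it unchanged.
        risk.residual_likelihood = residual_likelihood or risk.likelihood
    return risk


def residual_severity(risk: Risk) -> int:
    """Severity that remains after the strategy is applied (the residual risk)."""
    return severity(risk.residual_likelihood, risk.impact)


def road_crossing() -> list:
    """The page's example: identify, analyze, prioritize, address."""
    identified = [                                   # step 1: identify
        Risk("Trip and fall", "Low", "Very Low"),    # step 2: analyze (page's ratings)
        Risk("Hit by bike", "Moderate", "Moderate"),
        Risk("Hit by car", "High", "High"),
        Risk("Fined for jaywalking", "Low", "Very Low"),
    ]
    ranked = prioritize(identified)                  # step 3: prioritize
    by_name = {r.name: r for r in ranked}
    # Step 4: address. Residual likelihoods after looking both ways are assumed values.
    address(by_name["Hit by car"], "Control", "Look both ways before crossing", "Low")
    address(by_name["Hit by bike"], "Control", "Look both ways before crossing", "Low")
    address(by_name["Fined for jaywalking"], "Avoid", "Only cross at designated crosswalks")
    address(by_name["Trip and fall"], "Accept")
    return ranked


if __name__ == "__main__":
    for i, r in enumerate(road_crossing(), 1):
        print(f"{i}. {r.name}: severity {severity(r.likelihood, r.impact)} -> "
              f"{r.strategy} ({r.treatment or 'no treatment'}), residual {residual_severity(r)}")
```

    Keeping the residual likelihood on each record is what the monitoring step needs: the next pass compares the residual against what actually happened and asks whether the control is still working.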

    5. Monitor the Risk

    Risk management is a process. After strategies have been applied to each risk they need to be continually monitored to determine their effectiveness. Questions to ask include:

    • Are you using resources effectively?
    • Is the risk management strategy working as expected?
    • Have any new risks been identified?
    • Have any risks changed?
    • Have any new threats or vulnerabilities been identified?
    • Are new controls available?

    If you can answer yes to any of those questions the risk management process should be repeated and results updated. Regardless, the risk management process should be executed on a periodic basis.

    Incident Management in Cyber Security

    In the field of cybersecurity, incident management can be defined as the process of identifying, managing, recording, and analyzing security threats and incidents in the real world. It is a very important activity both before and after a cyber disaster takes place in an IT infrastructure, and it draws on knowledge and experience. Good incident management can reduce the adverse effects of a cyber attack and can prevent one from taking place; it can prevent large-scale data leaks. An organization without a good incident response plan can become the victim of a cyber-attack in which its data is compromised at large.

    There is a five-step process for incident management in cybersecurity given by the ISO/IEC 27035 standard. The steps are as follows.
    Step 1:
    The process of incident management starts with an alert that reports an incident that took place. Then comes the engagement of the incident response team (IRT). Prepare for handling incidents.

    Step 2:
    Identification of potential security incidents by monitoring, and reporting of all incidents.

    Step 3:
    Assessment of identified incidents to determine the appropriate next steps for mitigating the risk.

    Step 4:
    Respond to the incident by containing, investigating, and resolving it (based on the outcome of step 3).

    Step 5:
    Learn and document key takeaways from every incident.

    Some tips for security incident management:

    • Every organization needs a good, mature plan for the security incident management process; implementing the best process is very useful for making a comprehensive security incident management plan.
    • Create a security incident management plan with supporting policies, including proper guidance on how incidents are detected, reported, assessed, and responded to. It should have a checklist ready, containing actions based on the threat. The security incident management plan has to be continuously updated with security incident management procedures as necessary, particularly with lessons learned from prior incidents.
    • Create an Incident Response Team (IRT) that works with clearly defined roles and responsibilities. The IRT should also include functional roles such as finance, legal, communication, and operations.
    • Always hold regular training and mock drills for security incident management procedures. This improves the functioning of the IRT and also keeps them on their toes.
    • Always perform a post-incident analysis after any security incident to learn from successes and failures, and make necessary adjustments to the program and incident management processes when needed.

    Necessary part of incident response:
    Always make a habit of collecting evidence and analyzing forensics, which is a necessary part of incident response. For these circumstances, the following things are needed.

    1. A well-defined policy for collecting evidence, to ensure that it is correct and sufficient to be admissible in a court of law.
    2. The ability to employ forensics as needed for analysis, reporting, and investigation.
    3. The personnel of the IRT must be trained in cyber forensics and functional techniques, and should also have some knowledge of legal and governance matters.

    Defense in Depth

    Defense in depth is a concept used in information security in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event that a security control fails or a vulnerability is exploited; the layers can cover personnel, procedural, technical and physical security for the duration of the system's life cycle.

    Background

    The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security. The term defense in depth in computing is inspired by a military strategy of the same name, but is quite different in concept. The military strategy revolves around having a weaker perimeter defense and intentionally yielding space to buy time, envelop, and ultimately counter-attack an opponent, whereas the information security strategy simply involves multiple layers of controls, without intentionally ceding ground (cf. honeypot).

    Controls

    Defense in depth can be divided into three areas: Physical, Technical, and Administrative.

    Physical controls

    Physical controls are anything that physically limits or prevents access to IT systems: fences, guards, dogs, CCTV systems and the like.

    Technical controls

    Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, fingerprint readers, and authentication. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.

    Administrative controls

    Administrative controls are an organization's policies and procedures. Their purpose is to ensure that there is proper guidance available in regards to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.

    Commonly used methods

    Using more than one of the following layers constitutes an example of defense in depth.

    System/application security:
    Antivirus software
    Authentication and password security
    Encryption
    Hashing passwords
    Logging and auditing
    Multi-factor authentication
    Vulnerability scanners
    Timed access control
    Internet Security Awareness Training
    Sandboxing
    Intrusion detection systems (IDS)

    Network security:
    Firewalls (hardware or software)
    Demilitarized zones (DMZ)
    Virtual private network (VPN)

    Physical security:
    Biometrics
    Data-centric security
    Physical security (e.g. deadbolt locks)

    Adapted from:
    "Incident Management in Cyber Security" by user_7wot, Geeks for Geeks is licensed under CC BY-SA 4.0

    Adapted from:
    "Risks and Vulnerabilities" by Unknown, U.S. Naval Academy - Cyber Science Dept is in the Public Domain, CC0

    Adapted from:
    "Risk Management for Information Security | Set-1" by rashi_garg, Geeks for Geeks is licensed under CC BY-SA 4.0
    "Risk Management for Information Security | Set-2" by rashi_garg, Geeks for Geeks is licensed under CC BY-SA 4.0

    Adapted from:
    "Vulnerabilities in Information Security" by theinthaythimg, Geeks for Geeks is licensed under CC BY-SA 4.0

    Adapted from:
    "Network Security" by Unknown, CS Dept - Texas Tech University is licensed under CC BY-SA 4.0

    Adapted from:
    "What is Information Security?" by rashi_garg, Geeks for Geeks is licensed under CC BY-SA 4.0

    Adapted from:
    "Malware" by Multiple Contributors, Wikipedia is licensed under CC BY-SA 3.0
    "Threats to Information Security" by rashi_garg, Geeks for Geeks is licensed under CC BY-SA 4.0

    Adapted from:
    "Difference between Network Security and Cyber Security" by pp_pankaj, Geeks for Geeks is licensed under CC BY-SA 4.0

    Adapted from:
    "Difference between Cyber Security and Information Security" by Stranger1, Geeks for Geeks is licensed under CC BY-SA 4.0

    Adapted from:
    "Information security" by Multiple Contributors, Wikipedia is licensed under CC BY-SA 3.0
