Chief Information Security Officer

Information security began around the 1970s, at the same time as the Age of Information. During this period there was an explosion in the use of technology and in the amount of information, more specifically digital information. Along with this came the rise of cybercrime and hacking to steal valuable information. It would quickly become apparent that information security would be a vital part of keeping information safe and secure in the years to come. One of the most important aspects of a business nowadays is properly and safely securing its information, and with it, protecting against unwanted guests both online and physically.

The most important role in information security is that of the chief information security officer, CISO for short. As the highest-ranking member in information security, the CISO is involved in all of the information security principles, which maintain confidentiality, integrity, and availability, also known as the CIA triad model. This is “the industry standard for computer security since the development of the information security framework” (Whitman & Mattord 10). Confidentiality means that data is protected, integrity means that the data can be trusted, and availability means that it is accessible. In the scenario that I am appointed CISO of my company at my current experience level, I would first assess the information security measures currently in place. Before I can begin, I need to learn the current system so that I can identify its potential weaknesses. To start, I would identify and evaluate all the different kinds of threats.

There is a plethora of threats to a system; one group is malware attacks. Malware is the most common type of cyberattack, and it includes worms, spyware, ransomware, adware, trojan horses, and much more. Worms are self-replicating malware that would likely spread through our company via work email attachments, text messages, and file sharing. Spyware, another kind of malware, would gather information on my company without our knowledge. Ransomware encrypts parts of a system and extorts payment for the key to unlock it. Adware sends undesired popups, banners, and links to show advertisements, while trojan horses hide their true nature and only activate on command. To protect against these, I would use antivirus software, because it is effective against these kinds of attacks. I could add more protection with firewalls that filter out unwanted traffic trying to enter our devices. Software and browsers should also be kept up to date to protect against malware. It is also important to train company employees to avoid clicking suspicious links. I would also consider having separate work-specific email accounts and devices. This would add even more protection from malware but may increase cost and complexity.

Another attack that I would identify is phishing or spoofing. This is another prominent and widespread way attackers may try to seize my company’s important information and compromise the system. It usually appears in “legitimate communication systems such as email but has hidden code that redirects reply to third party sites to extract information” (Whitman & Mattord 82). To protect against phishing threats, I would consider using company domain names, while also spreading awareness to look out for suspicious emails. Password attacks are another form of threat, where attackers use common passwords, brute force, or keyloggers to obtain the victim’s login credentials. To protect against these threats, passwords will be required to use alphanumeric characters along with special characters. Included in this requirement is a suggestion that they be different from passwords used for other accounts. Passwords would also have to be changed every 90 days.
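As an added illustration of the password rules described above (this is not code from the original essay or its sources), the following Python checks a candidate password for the alphanumeric-plus-special-character requirement, flags one that is older than the 90-day rotation period, and compares it against a salted hash history so that a user cannot fall back to a previous password. The minimum length, the PBKDF2 work factor, and the sample passwords and dates are my own assumptions; the essay does not give them.

```python
"""Password policy checks: composition, 90-day rotation, and reuse against history."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # rotation period stated in the policy
MIN_LENGTH = 12                          # assumption: the essay gives no minimum length
PBKDF2_ROUNDS = 200_000                  # assumption: illustrative work factor


def check_composition(password: str) -> list[str]:
    """Return the composition rules the password breaks (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if not any(c.islower() for c in password):
        failures.append("no_lowercase")
    if not any(c.isupper() for c in password):
        failures.append("no_uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("no_digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no_special")
    return failures


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True once the password is older than the 90-day rotation period (ISO dates)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > MAX_PASSWORD_AGE


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored history entries are not directly reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def remember_password(password: str, history: list[tuple[bytes, bytes]]) -> None:
    """Append a fresh (salt, digest) pair for the password to the user's history."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def is_reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any password in the user's stored history."""
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history)


def evaluate(password: str, last_changed_iso: str, today_iso: str,
             history: list[tuple[bytes, bytes]]) -> dict:
    """Combine the three checks into one verdict for a change-password request."""
    problems = check_composition(password)
    if is_reused(password, history):
        problems.append("reused")
    return {
        "compliant": not problems,
        "problems": problems,
        "rotation_due": password_expired(last_changed_iso, today_iso),
    }


if __name__ == "__main__":
    # Constructed sample: one prior password in history, a change attempted 105 days later.
    history: list[tuple[bytes, bytes]] = []
    remember_password("Old-Kettle-41!", history)
    print(evaluate("Old-Kettle-41!", "2024-01-01", "2024-04-15", history))
    print(evaluate("Blue-Kettle-42!", "2024-01-01", "2024-04-15", history))
```

The history stores only salted PBKDF2 digests, never the passwords themselves, so a leaked history file does not hand an attacker the user's earlier credentials; the constant-time comparison avoids leaking which entry matched.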

The man-in-the-middle attack is another threat, which is done by “intercepting communications and inserting themselves in between two conversations, convincing the devices that it is the other device” (Whitman & Mattord 101). One way to protect against this threat is to use private Wi-Fi networks that only employees have access to; sending confidential information over public Wi-Fi networks can be dangerous. Additionally, using secure browsers that encrypt information on devices protects my company from man-in-the-middle attacks. Denial of service is another attack that is a significant threat to my company, because attackers may be able to slow down, or even shut down, servers by overloading them. To prevent this kind of attack, I would need to outsource the job to someone who knows how to prevent and counter DDoS attacks, because I do not currently have the knowledge to regulate the internet traffic passing through my servers. This would be considerably more expensive, because I am paying someone else to do part of my job. Although there are more kinds of cyber-attacks, I would identify these as the most threatening and common for my business.

Cyber-attacks are not the only threats that can endanger my company’s information; physical security is also important if you want to keep information secure. “USB hard drives, laptops, tablets, and smartphones allow for information to be lost or stolen because of portability and mobile access” (Hutter 2). This poses a serious security concern to our company. To keep this information safe, USB drives, hard drives, laptops, tablets, and smartphones should be kept locked and encrypted when not in use. Additionally, company information would be stored remotely, so that employees must log in and connect to the company servers to access it, and they should be logged out automatically when inactive. A policy I would suggest for when users’ physical devices are stolen or lost is for them to contact the company and report it. Their accounts should be locked and disconnected from the server as a precaution, to ensure that the company’s information is kept safe.

After identifying the threats that pose the most problems to my company and analyzing how to defend against them, I would evaluate the need for, and the cost of, implementing defenses against these threats. This way I can assess whether or not it is worth it for me to protect that information, since certain things within my company are simply more important than others. Policy making and enforcement of policies are also important parts of information security that I would implement. “You must use a virtual private network and you must use a Radius server” (Meyers 2). These are some of the policies I would have in place for my company, because they protect the company’s information. They also allow the company to track and monitor what one may be doing on the server. Honeypots and traps are another thing I may consider implementing in the company’s information security. However, this all depends on whether or not it is affordable; since I do not know how to set this up, I must outsource it.

Intrusion detection is another thing I would consider for my company. There are usually two ways to do this: one uses a HIDS system and the other a NIDS system. “HIDS is antivirus protection, file integrity monitoring and host-based firewalls and kernel call monitoring” (Gibbs 2), while “NIDS collects network traffic and predicts the internal state of the host” (Gibbs 3). I would probably use NIDS since this is faster, but this depends on the type of company and what kind of system is in place. In the end, certification is important for my company, because it is the ultimate way to know whether or not my company can withstand attacks.

Overall, there are a lot of threats to a company, but I should be aware of which kinds of threats pose the highest risk to mine. Although a lot depends on the kind of company and how highly it values its information, there is a lot of basic and very necessary information security for all types of businesses. As chief information security officer, it is up to you to implement what you believe is necessary. Although I do not know much about how to implement these protection systems, there are ways to outsource them and get them done. In the end, getting certified will mean that your system ultimately works.

Resources

Gibbs, P. (2023, July 10). Intrusion Detection Evasion Techniques and Case Studies. SANS Institute. https://www.sans.org/white-papers/37527/

Hutter, M. (2023, January 16). Physical Security. SANS Institute. https://www.sans.org/white-papers/37527/

Meyers, M. (2018, August 28). Comptia Network+ (N10-008) CERT PREP: 8 Network Integration and Operation Online Class: LinkedIn Learning, formerly Lynda.com. LinkedIn. https://www.linkedin.com/learning/comptia-network-plus-n10-007-cert-prep-9-managing-the-network/denial-of-service?resume=false&u=2343682

Whitman, J., & Mattord, J. (2023). Information Security: A Practitioner's Guide. Cengage Learning.