An information security management system (ISMS) is a set of policies concerned with information security management or IT related risks.
The principle behind an ISMS is that an organization should design, implement and maintain a set of policies, processes and systems to manage risks to its information assets. ISO/IEC 27001 incorporates the typical "Plan-Do-Check-Act" (PDCA) approach:
- The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
- The Do phase involves implementing and operating the controls.
- The Check phase objective is to review and evaluate the performance of the ISMS.
- In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
International information security standards
- Risk assessment and treatment - analysis of the organization's information security risks
- Security policy - management direction
- Organization of information security - governance of information security
- Asset management - inventory and classification of information assets
- Human resources security - security aspects for employees joining, moving and leaving an organization
- Physical and environmental security - protection of the computer facilities
- Communications and operations management - management of technical security controls in systems and networks
- Access control - restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance - building security into applications
- Information security incident management - anticipating and responding appropriately to information security breaches
- Business continuity management - protecting, maintaining and recovering business-critical processes and systems
- Compliance - ensuring conformance with information security policies, standards, laws and regulations
Threat & its classifications
Spoofing of user identity
Information disclosure (privacy breach or Data leak)
Denial of Service (D.o.S.)
Threat Agents
Individuals within a threat population; Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.
Threat agents can take one or more of the following actions against an asset
- Access – simple unauthorized access
- Misuse – unauthorized use of assets (identity theft, setting up a porn distribution service on a compromised server etc.)
- Disclose – the threat agent illicitly discloses sensitive information
- Modify – unauthorized changes to an asset
- Deny access – includes destruction, theft of a non-data asset, etc.
Vulnerability
In computer security, vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
A security risk may be classified as vulnerability. The usage of vulnerability with the same meaning of risk can lead to confusion. The risk is tied to the potential of a significant loss. Then there are vulnerabilities without risk: for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability — a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software, to when access was removed, a security fix was available/deployed, or the attacker was disabled.
Type of vulnerabilities includes:
- Memory safety violations, such as Buffer overflows
- Input validation errors, such as SQL injection, Code injection, E-mail injection, Directory traversal, Cross-site scripting in web applications HTTP header injection, HTTP response splitting
- Privilege-confusion bugs, such as Cross-site request forgery in web applications, Click jacking, FTP bounce attack, Privilege escalation
"Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities" This practice generally refers to software vulnerabilities in computing systems.
Vulnerability Management Programs
While program definitions vary in the industry, Gartner, a prominent IT Analyst company, defines Six steps for vulnerability management programs
Define Policy - Organizations must start out by determining what the desired security state for their environment is. This includes determining desired device and service configurations and access control rules for users accessing resources.
Baseline the Environment - Once a policy has been defined, the organization must assess the true security state of the environment and determine where instances of policy violations are occurring.
Prioritize Vulnerabilities - Instances of policy violations are Vulnerability (computing). These vulnerabilities are then prioritized using risk and effort-based criteria. Shield - In the short term, the organization can take steps to minimize the damage that could be caused by the vulnerability by creating compensating controls.
Mitigate Vulnerabilities - Ultimately, the root causes of vulnerabilities must be addressed. This is often done via patching vulnerable services, changing vulnerable configurations or making application updates to remove vulnerable code.
Maintain and Monitor - Organizations' computing environments are dynamic and evolve over time, as do security policy requirements. In addition, additional security vulnerabilities are always being identified. For this reason, vulnerability management is an ongoing process rather than a point-in-time event.
Vulnerability Management for Applications versus Hosts and Infrastructure
Vulnerability Management for Applications versus Hosts and Infrastructure
Host and infrastructure vulnerabilities can often be addressed by applying patches or changing configuration settings. Custom software or application-based vulnerabilities often require additional software development in order to fully mitigate. Technologies such as web application firewalls can be used in the short term to shield systems, but to address the root cause, changes must be made to the underlying software.
Managing Known Vulnerabilities versus Unknown Vulnerabilities
Managing Known Vulnerabilities versus Unknown Vulnerabilities
Typical tools used for identifying and classifying known vulnerabilities are vulnerability scanners. These tools look for vulnerabilities known and reported by the security community, and which typically are already fixed by relevant vendors with patches and security updates.
Zero-day vulnerabilities are problems that vulnerability scanners cannot detect, and which also do not have any patches or updates available from vendors. Unknown Vulnerability Management process augments the known vulnerability management by introducing tools and techniques such as network analyzers for mapping attack surface.
