Key Security Concepts

Last Updated : 20 Dec, 2022

Network security is necessary to protect personal network hardware and clients from unwanted access, theft, damage, and other problems. The internet is the number one source of security threats, so you need to control your network to protect it from them. The primary goal of network security is to protect Internet-connected machines from viruses and hackers. Firewalls, routers, and other devices give you control over your network’s security. Undermining your own network security allows unauthorized access by unidentified individuals.

Key Security Concepts in CCNA

 

Key Security Concepts:

  • Asset: Anything of value to a company is considered an asset. If you know which assets you are trying to protect, along with their value, location, and vulnerabilities, you can make better decisions about how much time, effort, and money to invest in protecting them.
  • Vulnerability: A security flaw in the hardware, software, or configuration of a device or process is called a “vulnerability.” Parties responsible for remediating such vulnerabilities should conduct vulnerability testing on a regular basis.
  • Risk: The likelihood of being targeted by a particular attack, the likelihood of a successful attack, and overall exposure to a particular threat are all referred to as “risk”. Risk exists where there is both a vulnerability and a threat.
  • Threat: A particular source and means of attack is called a “threat”. A threat analysis is performed to determine how best to protect your system against a particular threat or class of threats.
  • Exploit: An exploit is a method or tool used by an attacker to take advantage of a vulnerability and damage a target system.
  • Countermeasures: Countermeasures are protections that reduce possible risks. Countermeasures reduce the likelihood that an attacker can exploit a risk by reducing or eliminating the vulnerability.

Classification by Data:

Some form of data classification is required to protect assets and allocate resources as efficiently as possible. By determining which data is of value, administrators can focus on protecting the most valuable data. Without classification, data stewards struggle to effectively protect data, and IT administrators struggle to allocate resources efficiently.

Where classification of information is a regulatory obligation (required by law), there may be liability concerns related to maintaining correct data. By properly classifying data and applying appropriate confidentiality, integrity, and availability controls, data stewards can effectively protect data based on legal, liability, and ethical standards. If companies take classification seriously, you’ll find that everyone takes information security seriously too. While there are global differences in the techniques and terminology used to describe data, some trends are emerging. Many government agencies, especially the military, often use the following classification system for their data:

  • Unclassified: Information that requires little or no protection with respect to confidentiality, integrity, or availability. 
  • Restricted: Information whose disclosure could harm your organization. Although not used by all countries, this classification is typical of NATO (North Atlantic Treaty Organization) member states. 
  • Confidential: Data that must meet confidentiality standards. This is the lowest level of classified data in this scheme.
  • Secret: Information that you go to great lengths to keep secret because disclosure could have dire consequences. Usually, far fewer people have access to this data than are authorized to access confidential data.
  • Top secret: Information that an organization spends a great deal of time and often a great deal of money to keep secret because its disclosure can be so damaging. Usually only a few people with a need to know have access to this information.
  • Sensitive but unclassified (SBU): A general classification used by governments for data that, while embarrassing if disclosed, would not constitute a serious security breach. SBU is a broad classification that also includes the “For Official Use Only” designation.

For a classification system to work, several roles must be filled. The most common roles are:

  • Owner: The owner (typically the senior manager who manages the business entity) is ultimately responsible for the information. Owners organize data, choose administrators, and generally direct their actions. Because owners are ultimately responsible for their materials, it is important that they regularly review all confidential information.
  • Custodian: The custodian is typically a member of the IT team who is responsible for day-to-day data maintenance. Because data owners are not required to have technical knowledge, they select the security controls, while the custodian marks the data to ensure those controls are applied. The custodian regularly backs up data and ensures the security of the backup media to maintain data availability. As part of their retention obligations, custodians are also required to frequently review their data security settings.
  • User: Users are not responsible for classifying data or organizing classified materials. They are responsible for using data in accordance with established operating procedures to maintain the security of data under their control.

Vulnerability Classification:

It is also essential to understand the shortcomings of operational and security measures. This understanding makes security design more effective. To better understand the sources of system vulnerabilities, it may be helpful to categorize them during analysis. The following general categories can be used to categorize key systems and asset vulnerabilities:

  • Faults in policy
  • Design flaws
  • Protocol shortcomings
  • Software weaknesses
  • Misconfiguration
  • Hostile code
  • Human element

This list only includes some vulnerability categories. Multiple vulnerabilities can be identified for each of these categories.
There are a number of industry initiatives focused on classifying hazards to the public. The following well-known and freely accessible catalogs can be used as models for vulnerability analysis.

  • Common Vulnerabilities and Exposures (CVE): A publicly available list of known information security vulnerabilities and exposures. See http://cve.mitre.org for details. This database enables data exchange between security solutions and provides standard identifiers that serve as benchmark index points for evaluating the coverage of tools and services.
  • National Vulnerability Database (NVD): The US government’s standard-compliant repository of vulnerability management data. This data enables automation of compliance, security measurement, and vulnerability management. NVD maintains a database of product names, impact measurements, security-related software bugs, configuration errors, and security checklists.
  • Common Vulnerability Scoring System (CVSS): The standard used to rate and classify security vulnerabilities in the computer and networking industry. The standard focuses on evaluating one vulnerability against another to help administrators prioritize tasks. Major industry players such as McAfee, Qualys, Tenable, and Cisco have adopted this standard. See http://www.first.org/cvss for more information, databases, and calculators.

Classification of countermeasures:

Threats are the most important element to understand, after assets (data) and vulnerabilities. Organizations use a variety of controls as part of their security architecture to implement comprehensive protection after considering threat vectors. These security controls can be categorized in various ways, one of which is by type of control. Each control is best described by one of the following three categories:

  • Administrative: Controls that are primarily rules and procedures, such as security awareness training, security standards and practices, security tests and audits, background checks on employees and contractors, proper recruiting procedures, and change and configuration controls.
  • Technical: Controls based on hardware, software, and electronics, such as firewalls, RFID cards, Network Admission Control systems, RADIUS and TACACS+ servers, biometric authentication equipment, intrusion prevention systems (IPS), routers with ACLs, virtual private network (VPN) concentrators and clients, and one-time password (OTP) solutions.
  • Physical: Mainly mechanical controls, such as uninterruptible power supplies (UPS), intruder detection systems, fire suppression systems, positive airflow systems, security personnel, locks, safes, and racks.

