Security Papers


Physical Security: Managing the Intruder (Chapter 13 of Enterprise Security: A Practitioner's Guide)

Published: 12/08/2012

No information security guide is complete without a chapter about securing physical access to information resources. After all, physical access gives even the moderately skilled attacker access to the network, unencrypted workstations and servers, and hardcopy information just waiting for someone to come by and pick it up. Have you looked at the output bin on your shared fax machines and printers, lately?

Physical security does include more than stopping human intruders. However, information on heating, cooling, fire suppression systems, and power backup is available simply by discussing your needs with your facilities management staff. It is not so easy when it comes to intrusion controls. It takes more than a lock or two to secure sensitive information and critical systems. This is the realm of the security professional’s expertise.

In this chapter, we look at the objectives of physical security and various controls to meet those objectives. When you finish, you will have the skills necessary to have an informed discussion with facilities and business management about what is right and what is missing in your organization’s physical security plan.

Read entire paper at http://resources.infosecinstitute.com/physical-security-managing-intruder/


Applications of Biometrics (Chapter 12 of Enterprise Security: A Practitioner's Guide)

Published: 11/12/2012

Passwords are not secure and are useless as an access control... at least that's what many vendors and security consultants try to tell managers today. Instead, these purveyors of change claim that biometrics solves all password issues and improves productivity. While this is partially true, it falls short of reality.

Like all controls, whether or not you implement biometrics is a business decision. It is a decision based on data classifications, operating environments, available budget, and opportunity costs. In this chapter, we see how to meet these challenges by understanding the advantages and disadvantages of biometrics in general. We also look at these same characteristics associated with specific types of biometrics solutions; no one solution fits all implementations across businesses or across all operations in a single business.

Read entire paper at http://resources.infosecinstitute.com/chapter-12-applications-of-biometrics/


Identity Management and Access Controls (Chapter 11 of Enterprise Security: A Practitioner's Guide)

Published: 8/24/2012

Access controls help us restrict whom and what accesses our information resources, and they possess four general functions: identity verification, authentication, authorization, and accountability. These functions work together to grant access to resources and constrain what a subject can do with them.

This chapter reviews each access control function, four approaches to access control/role management, and takes a look at the future of access controls.

Read entire paper at http://resources.infosecinstitute.com/identity-management/


Virtualization Security (Chapter 10 of Enterprise Security: A Practitioner's Guide)

Published: 7/12/2012

Virtualization brings significant value to business managers and engineers attempting to keep pace with business pressure for additional servers. It enables maximum use of hardware resources while introducing an increased flexibility in how organizations design and implement new solutions. However, it also introduces new security concerns. Until recently, organizations had to leverage security controls not specifically designed to protect virtual environments. However, upgrades to VMware and Microsoft virtualization solutions provide better monitoring and segregation of critical virtual systems.

In this chapter, I address general concerns related to virtualization security. I focus on what questions you should ask during a risk assessment of a virtualized environment, using Microsoft and VMware virtualization solutions as examples to demonstrate concepts.

Read entire paper at http://resources.infosecinstitute.com/chapter-10-virtualization-security/


Securing Remote Access (Chapter 9 of Enterprise Security: A Practitioner's Guide)

Published: 6/27/2012

Remote access is no longer just about a laptop or home desktop user connecting to catch up on some work or update customer and order information. The explosion of consumer devices in the hands of our employees changes how we look at remote connectivity. In addition to supporting various platforms and proprietary operating systems, traditional security controls do not provide sufficient granularity for policy enforcement. This results in either lax security or inflexibility in how we deliver business services.

In this chapter, we look at the remote access challenges faced by today's competitive organizations. Further, we explore new ways to deploy access controls for traditional remote connectivity methods like IPSec and SSL VPN.

Read entire paper at http://resources.infosecinstitute.com/securing-remote-access/


UEFI and the TPM: Building a foundation for platform trust (Chapter 8 of Enterprise Security: A Practitioner's Guide)

Published: 6/19/2012

Traditional boot processes cannot stop sophisticated attacks instantiated before operating system load. Consequently, we need a method to ensure that when the operating system loads and the user logs in, the system is "clean" and trusted. The Unified Extensible Firmware Interface (UEFI) and the Trusted Platform Module (TPM) specification provide the components and processes necessary to achieve this objective.

In this chapter, we take a close look at both the TPM and the UEFI. We then step through a trusted boot process showing how they help ensure safe user authentication and sensitive information processing.

Read entire paper at http://resources.infosecinstitute.com/uefi-and-tpm-2/


The Role of Cryptography in Information Security (Chapter 7 of Enterprise Security: A Practitioner's Guide)

Published: 6/11/2012

After its human resources, information is an organization's most important asset. As we have seen in previous chapters, security and risk management is data centric. All efforts to protect systems and networks attempt to achieve three outcomes: data availability, integrity, and confidentiality. And as we have also seen, no infrastructure security controls are 100% effective. In a layered security model, it is often necessary to implement one final prevention control wrapped around sensitive information: encryption.

Encryption is not a security panacea. It will not solve all your data-centric security issues. Rather, it is simply one control among many. In this chapter, we look at encryption's history, its challenges, and its role in security architecture.

Read entire paper at http://resources.infosecinstitute.com/role-of-cryptography/


End-user Device Security (Chapter 6 of Enterprise Security: A Practitioner's Guide)

Published: 5/04/2012

We do not protect just desktops or laptops anymore. End-user device security is increasing in scope as user behavior and organizational requirements change. With these changes, our challenges as security practitioners grow exponentially.

In this chapter, I touch on traditional device security, but I focus on protecting smartphones, tablets, and other methods employees use to spread data far and wide.

Read entire paper at http://resources.infosecinstitute.com/end-user-chapter-6/


VLAN Network Segmentation and Security (Chapter 5 of Enterprise Security: A Practitioner's Guide)

Published: 4/18/2012

The foundation of acceptable risk is a minimized, monitored, and managed attack surface. The process of achieving this state is attack surface reduction (ASR). ASR closes all but required doors leading to system assets and constrains the others with access rights, monitoring, and response.

This chapter is based on the work of Howard, Pincus, and Wing. I modified and added to their relative attack surface quotient analysis to make it less academic and more practical for daily application.

Read entire paper at http://resources.infosecinstitute.com/vlan-network-chapter-5/


Attack Surface Reduction (Chapter 4 of Enterprise Security: A Practitioner's Guide)

Published: 2/17/2012

The foundation of acceptable risk is a minimized, monitored, and managed attack surface. The process of achieving this state is attack surface reduction (ASR). ASR closes all but required doors leading to system assets and constrains the others with access rights, monitoring, and response.

This chapter is based on the work of Howard, Pincus, and Wing. I modified and added to their relative attack surface quotient analysis to make it less academic and more practical for daily application.

Read entire paper at http://resources.infosecinstitute.com/attack-surface-reduction/


Building the Foundation: Architecture Design (Chapter 3 of Enterprise Security: A Practitioner's Guide)

Published: 1/30/2012

Security enables the business; that is the central theme of this book. However, how do we ensure that what we daily implement consistently meets this objective? This is the purpose of architecture designs and the processes and documentation supporting them. In this chapter, we define the various types of enterprise architectures, how to integrate them into strategic and tactical business objectives, and how to build from business need to system and network design.

Read entire paper at http://resources.infosecinstitute.com/architecture-design-chapter-3/


Risk Management (Chapter 2 of Enterprise Security: A Practitioner's Guide)

Published: 1/20/2012

As security practitioners, we need a working definition of security supported by the tools necessary to measure, report, and mitigate unwanted risk to physical and electronic information assets. In this chapter, we step through a risk assessment of a medium-sized business' customer invoicing database. Our goal is to determine the risk of a threat agent gaining direct access to sensitive customer data.

Read entire paper at http://resources.infosecinstitute.com/risk-management-chapter-2/


Security: A working definition (Chapter 1 of Enterprise Security: A Practitioner's Guide)

Published: 12/12/2011

Security is defined in various ways, depending on perspective. Business managers might see it as a collection of pesky, cost-increasing regulatory mandates. Information Technology (IT) professionals might see it as competition with the bad guys; the player who wins owns the network. Security defined in these and other limited ways is not really what security professionals should support every day.

What we need is a working definition of security that shows how it adds value to an organization. For example, protecting customer privacy enhances customer retention and limits customer-driven litigation. Another example is maintaining the availability and accuracy of information necessary for business operation. Yet another is the protection of competitive advantage by safeguarding intellectual property. These examples all have one thing in common: managing risk.

Read entire paper at http://resources.infosecinstitute.com/enterprise-security-book-chapter-1/