Assessing Information Security

Assessing Information Security: Strategies, Tactics, Logic and Framework

A VLADIMIROV
K GAVRILENKO
A MICHAJLOWSKI
Copyright Date: 2014
Edition: 2
Published by: IT Governance Publishing
Pages: 424
https://www.jstor.org/stable/j.ctt14jxsjw
    Book Description:

    Build a strategic response to cyber attacks

    The activities of the cyber criminal are both deliberate and hostile, and they can be compared to military operations. Many people in business understand that the insights from the classics of military strategy are as relevant to modern commerce as they are to war. It is clear that organisations need to develop a view of cybersecurity that goes beyond technology: all staff in the organisation have a role to play, and it is the senior managers who must ensure, like generals marshalling their forces, that all staff know the cyber security policies that explain what to do when under attack.

    Cyber crime… cyber war?

    With this in mind, the authors have drawn on the work of Clausewitz and Sun Tzu, and applied it to the understanding of information security that they have built up through their extensive experience in the field. The result is expert guidance on information security, underpinned by a profound understanding of human conflict.

    Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of the standard, ISO 27001:2013.

    About the authors

    Dr Andrew Vladimirov is a security researcher. His fields of expertise include network security and applied cryptography, and he has extensive experience of performing information security assessments. He and his fellow authors are the founders of Arhont Ltd, a leading information security consultancy.

    Konstantin Gavrilenko has over 15 years of experience in IT and security. As a researcher, information security is his speciality, and he has a particular interest in wireless security. He holds a BSc in management science from De Montfort University and an MSc in management from Lancaster University.

    Andriej Michajlowski is an expert on network security. His research interests include user and device authentication mechanisms, and wireless networking security. He has extensive experience carrying out internal and external information security assessments. He is a graduate of the University of Kent at Canterbury and he holds an MBA.

    eISBN: 978-1-84928-600-8
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-6)
  2. PREFACE
    (pp. 7-10)
  3. ABOUT THE AUTHORS
    (pp. 11-13)
  4. Table of Contents
    (pp. 14-16)
  5. INTRODUCTION
    (pp. 17-33)

    A thorough treatise dedicated to various aspects of information security auditing – including successfully passing an audit – must cover why and what kind of assessments have to be performed subject to a particular situation. This, in itself, depends on a variety of variables, both external (regulations, litigation, customer requirements) and internal (business strategy, plans, politics, culture). Such a thorough treatise is further expected to elaborate by whom, when, how, and in which specific sequence they should be executed. It ought to address how to present the audit results in the most palatable manner and which corrective actions these findings...

  6. CHAPTER 1: INFORMATION SECURITY AUDITING AND STRATEGY
    (pp. 34-81)

    Rephrasing Clausewitz, producing a workable scheme for information security assessments is one of those tasks that are inherently simple, yet the simplest thing is difficult to implement. It is simple because the underlying logic is clear and can be formulated in a minute. Here it is from the (independent) auditor’s viewpoint:

    Find out about the assessment’s goals and conditions.

    Plan the appropriate actions.

    Select the corresponding methodologies and tools.

    Check and test everything you can within the limits of budget, requirements, time and means.

    Ensure that you have collected a sufficient volume of quality objective evidence.

    Analyse it.

    Pull...

  7. CHAPTER 2: SECURITY AUDITING, GOVERNANCE, POLICIES AND COMPLIANCE
    (pp. 82-129)

    In the previous chapter we emphasised that the most dangerous flaws are the flaws of security strategy. We have also discussed a few examples of such flaws. Strategic failures generate chain reactions of secondary and collateral shortcomings, many of which eventually become exploitable vulnerabilities – technical, process and human. This is common sense that applies to numerous fields of expertise:

    ‘When your strategy is deep and far reaching, then what you gain by your calculations is much, so you can win before you even fight. When your strategic thinking is shallow and near-sighted, then what you gain by your calculations...

  8. CHAPTER 3: SECURITY ASSESSMENTS CLASSIFICATION
    (pp. 130-182)

    In theory, everything must be thoroughly assessed and verified to eliminate all kinds of security vulnerabilities and gaps. In the real world, however, there are limitations imposed by both budget and time. Because of these restrictions, the most critical areas must be identified to be audited first. Or, unfortunately, to be the only areas where the state of information security is to be assessed for the foreseeable future. Making a correct, well-informed decision concerning the necessary information security audit’s scope, priorities, spectrum and characteristics can be an intricate task. We shall thoroughly address it in the next chapter of this...

  9. CHAPTER 4: ADVANCED PRE-ASSESSMENT PLANNING
    (pp. 183-220)

    Planning is vital. Planning is vision, direction and structure incarnate. In the rapidly changing sphere of information security, however, it has to be done with the utmost care. Plans must always make allowance for the turn of the tide and for our inevitable companion, friction. If they fail to do so, plans become rigid. From a strategic advantage they turn into an obstacle of equally grand proportions. There are situations in which having inadequate plans is worse than having no plans at all. At least, in the latter case there are still some possibilities of swift adaptation. Enforcement of stagnant plans...

  10. CHAPTER 5: SECURITY AUDIT STRATEGIES AND TACTICS
    (pp. 221-287)

    The previous chapters put heavy emphasis on governance, management and policy issues in relation to assessing information security. They are also heavily centred on issues of strategic significance. It is time to roll up your sleeves and dive into the realm of tactics. Inevitably, this means that the upcoming discourse will have to be more technically inclined. As stated in this book’s preface, however, providing detailed checklists or hands-on testing manuals is not the intended goal. We are not competing with, for example, OSSTMM (Open Source Security Testing Methodology Manual), not to mention more specific in-depth guides like OWASP...

  11. CHAPTER 6: SYNTHETIC EVALUATION OF RISKS
    (pp. 288-334)

    Discovering and evaluating vulnerabilities and gaps without a thorough analysis of the risks they introduce is as good as doing recon without using its results. In fact, for the risk analysis phase all previous security audit stages are nothing more than the necessary reconnaissance. One of the fundamental principles of chapter 1 states that ‘information security assessment always operates with probabilities’. Gauging these probabilities is a fine science and art that has to be fully mastered by at least a single member of the auditing team. It is absolutely essential for the success of both the assessment and its follow-up acts. For...

  12. CHAPTER 7: PRESENTING THE OUTCOME AND FOLLOW-UP ACTS
    (pp. 335-386)

    As emphasised in the closing part of the previous chapter, properly presenting information security assessment results is essential to the overall success. What tangible outcome does the company or organisation expect from the security audit performed? First of all, the assessment report. Beyond this, accompanying presentations and debriefs are likely to be requested. In addition, assistance from the auditors can be called for during the assessment follow-up. After all, the ones who have offered the remedial advice are expected to be the experts in all the suggested remedies. There is no point in recommending a solution you are...

  13. CHAPTER 8: REVIEWING SECURITY ASSESSMENT FAILURES AND AUDITOR MANAGEMENT STRATEGIES
    (pp. 387-420)

    Even if you have studied and comprehended everything said in this and other relevant sources on information security auditing, everything can still go terribly wrong. There are always the inevitable influences of chance, human error, technical fault and sudden environment change. Because of the latter, quite often both the auditee and the auditors have to make important decisions on the basis of insufficient information and within a very limited timeframe. This can lead to a variety of shortcomings on both sides, which can easily amplify their net negative effects when synchronised. As a result, a security audit or, even worse, successive...

  14. ITG RESOURCES
    (pp. 421-424)