I review companies’ information security policies, practices, and procedures for a living. I tell them when they’re doing well, and when they suck (and have to do it nicely). This past week, I was looking at a small business which is special in that they legitimately have to be concerned about targeted attacks (also known as “Advanced Persistent Threats” which I consider a bullshit term), and their network isn’t up-to-snuff.
In a diversion from personal finance stuff, I’m going to create a short series on protecting yourselves – as people with home networks, laptops, desktops, media servers, blogs, etc. You may not be subject to targeted attacks, but you are subject to attacks just for the hell of it – and that’s more than enough motivation for most attackers. Hopefully, some of you find this interesting and useful.
Information Security Basics
There are three things to be concerned about when it comes to information security: Confidentiality, Integrity, and Availability (CIA). Each particular company or situation will focus on 1-2 of those, with the 3rd being relegated to “the back burner”. But, it’s really important to at least consider all three areas.
Confidentiality is keeping information from people who should not have access to it (for whatever reason). Confidentiality means keeping your data under wraps, keeping it from prying eyes, keeping the information from “leaking” outside of the folks who are authorized. It also means preventing people from being in a position to access the data in an unauthorized manner: not letting someone have access to a system where that data is stored.
Integrity is one area that tends to get ignored (except in financial circles). It means protecting information from unauthorized modification. Financial institutions and folks that deal with SOX are really concerned about integrity – after all, if you can change one digit in the following string, you’re a very rich person: “1,000,000”. Integrity also comes into play in legal disputes and digital forensics. Because it’s *very* easy to change electronic information, and electronic information tends to be “hoarded”, it’s an important topic. For personal files, integrity is important because one byte change in a photo, can “corrupt” the photo and you can no longer see it (although, this bleeds into availability).
You want to be able to access your information when you need it and where you need it. This is generally the biggest concern of Internet based companies like Amazon – they lose money if you can’t get to their site. Personal users also want to be able to get to their data when they need it. For example, there’s a new virus out which will encrypt your entire hard drive (and all attached network drives) and won’t unlock the drive until you pay a ransom. All of a sudden, you don’t have access to your pictures, your files, and possibly your records for business/tax purposes.
Information Security Controls
There are multiple ways to protect Confidentiality, Integrity, and Availability, and those are called controls. You can have a “technical” control, where the systems enforce the control (like a locking screensaver), or you can have a “policy” control, where a policy dictates what to do/not do, and you expect people to follow those controls. Generally, the policy controls aren’t as strong, but in some cases, there’s not much a choice because a technical control doesn’t exist. I’ll be talking about both, but for a home user, “policy” controls are the easiest (cheapest) to implement and are “good enough”.