
In the information age we live in, information has become important regardless of its type, and for this reason data security stands out as a valuable asset. Under the heading Fundamentals of Information Security, an introduction is given to what information security means in light of the fundamental principles of confidentiality, integrity, and availability. Certain concepts are explained, and the components of information security, risk management strategies, access control methods, and precautions against today's cyber threats are briefly covered. The aim is to address, in simple and understandable language, the complex situations that arise in protecting both the personal data of individuals and the digital assets of institutions. In addition, the concepts discussed in the fields of networking and network security will be examined on a conceptual basis under several headings and from different points of view.
1- Access Control Categories and Types
- Administrative (Directive) Controls: These are organizational rules and procedures. They include policies, procedures, and guidelines for monitoring and managing information systems. Examples include security training and awareness programs, emergency planning, and risk assessments.
- Operational Controls: These include controls that are primarily implemented by humans rather than automated systems. Examples include user management, change controls, log analysis, and incident response procedures.
- Technical (Logical) Controls: These include controls implemented through technology to automate security processes. They include hardware or software mechanisms to manage access and protect resources and systems. Examples include software, hardware, or operating systems that include firewalls, intrusion detection systems, antivirus software, encryption, and operating system access control models.
- Physical Controls: These controls aim to protect facilities, equipment, and other physical assets from external threats. Examples include locks, guard dogs, security personnel, fences, and walls.

In information security, controls are also classified according to their functions. These are:
- Preventive: A type of control that prevents an incident from occurring. This could be a firewall or encryption.
- Detective: A type that detects an incident before or after an attack. This could be a security guard, logs, or a camera.
- Corrective: A type that can stop an attack or solve the problem. This could be an antivirus or patches.
- Recovery: A type that helps the process of recovery after an attack or incident. This could be FKM, backups, or hot/cold areas.
- Deterrent: A type that deters the incident but is not enough to stop it. This could be a guard, sign, dog, fence, or lighting.
- Compensating: A type of control that makes up for the absence or failure of another control. For example, if a garden fence is broken, a guard is assigned to that area to compensate for the broken fence.
- Directive: A type that directs, limits, or controls user actions to enforce or encourage compliance with security policies, best practices, or Standard Operating Procedures (SOPs).

2- CIA Triad
The CIA triad is a control mechanism used as a basic guide in determining information security policies and procedures. Institutions and systems perform risk analysis, take security measures, and develop incident response plans by considering these three principles. The effectiveness of the CIA triad depends on the technological infrastructure of the network concerned, the human factor, the implemented security policies, and the current threat environment. Hardware, software, operating systems, firewalls, routers, and encryption systems are all part of this control mechanism.
- Confidentiality: The privacy principle. It ensures that only authorized persons can access the data. Confidentiality violations are generally caused by weak passwords, shared passwords, keyloggers, or weak cryptographic algorithms. Using MFA makes these weaknesses harder to exploit.
- Integrity: Authorized access only. It ensures that the data can be accessed and changed only by authorized users, so that the data remains accurate and unaltered. Methods such as cryptography, checksums, and hashes can be used to verify integrity.
- Availability: Authorized persons can access the relevant data whenever they need it. The best way to ensure this is to have redundant structures and to keep the devices working properly at all times.

There are three basic components, but which of them should be given more weight depends on the service provided. If one of them is violated, the other two become as meaningless as if they had been violated too. For example, after an attack in which public trust is lost, the Confidentiality principle of the CIA triad is considered compromised.
In the first stage, the focus is on raising the awareness of IT users and changing their habitual behaviour. Later, the focus should shift to steps such as segmenting networks, securely updating devices with old software, and producing solutions for possible problems.
3- Laws
- Criminal Law: In criminal law, the victim is society. The evidence must be beyond doubt. Most cybercrimes are included in this scope. The penalties are intended to deter others from committing the crime.
- Civil Law: In Civil Law, the victim is an individual, group, or organization. The proof must be overwhelming. Penalties are usually given as a fine and are intended to compensate the victims.
- Administrative Law: Laws created by government agencies in the USA. For example, a law protecting the health information of US citizens falls under this category.
- Private Regulations: Private regulations are general rules given to procedures or standards. They are not laws.
- Customary Law: Laws that focus on personal behaviour and behavioural patterns; they cover the traditions and customs of the region.
- Religious Law: Religious Law is ethical and moral laws applied based on religious beliefs in a particular region.

Some examples of laws and standards are given below:
- Health Insurance Portability and Accountability Act (HIPAA)
- Electronic Communications Privacy Act (ECPA)
- Computer Fraud and Abuse Act (CFAA)
- Payment Card Industry Data Security Standard (PCI-DSS): a set of standards for credit card security
- General Data Protection Regulation (GDPR): Europe
4- Security Management Principles
- Values: Includes ethics, principles, and beliefs.
- Vision: Includes hoped-for and expected goals.
- Mission: Includes motivation and purpose. May include policies, strategies or actions.
- Rules (Mandatory): High level and not specific.
- Standards (Mandatory): Describe specific technologies in detail.
- Guidelines (Non-Mandatory): Recommendations or explanations.
- Procedures (Mandatory): Low level and proceed by explaining step by step.
Business Continuity Plan (BCP)
A business continuity plan is a set of protection and recovery systems created against threats and risks that may arise for organizations. This includes plans that specify how work will continue in the event of an unplanned outage. These plans or processes are specified below.
- COOP (Continuity of Operation Plan) – Process of Continuing Daily Work
- CCP (Crisis Communication Plan) – Ensuring Proper Business and External Communication in Case of Disaster
- CIRP (Cyber Incident Response Plan) – Intervention Plan
- OEP (Occupant Emergency Plan) – Disaster Environment, Building or Evacuation Drill Plan
- BRP (Business Recovery Plan) – Plan for Returning to Normal Process after Disaster
- CSP (Continuity of Support Plan) – Plan for Using Systems as Long as Needed
- CMP (Crisis Management Plan) – Planning the Entire Process (Human Life is the Most Important)
5- Incident Management
This section follows NIST SP 800-61 and CIRT (Computer Incident Response Team) procedures.
- Event: An observable change in a situation; it does not have to be negative.
- Alert: A warning triggered when an event occurs.
- Incident: The occurrence of more than one negative event, although in some security literature a single event can also be considered an "incident". In other words, the size or accumulation of events determines the severity of the situation, while a single critical event can be significant on its own.
- Problem: An issue whose cause is not known.
- Inconvenience: A failure that causes no damage; the system continues to operate, but there is a problem.
- Emergency: Indicates an emergency.
- Disaster: A situation in which systems stop operating for 24 hours or more.
- Catastrophe: The destruction of all systems as a result of the event; this creates the need for Disaster Recovery.
The Incident Response Life Cycle consists of 8 stages in total.
- i. Preparation – The work planning process.
- ii. Detection – The process of determining whether there is a problem.
- iii. Response – The process of responding once it has been determined whether a problem exists.
- iv. Mitigation – The process in which strategies are implemented to reduce the impact of problems.
- v. Reporting – The process in which problems, strategies, times, and current status are reported.
- vi. Recovery – The process in which all systems are restored to working order and problems are resolved.
- vii. Remediation – The process in which affected systems are freed from the impact and made to work properly again.
- viii. Lessons Learned – The entire process is reviewed from the beginning, lessons are learned, improvements are made, and the cycle starts over.
6- Disaster Recovery Plan
In general, every type of disaster and situation should be examined in detail, and solutions should be produced for every possibility so that business continuity, along with life safety, is not disrupted. All plans should be updated with every infrastructure change. For example, working from home provides a solution for disasters such as snowfall, traffic accidents, and pandemics. NIST SP 800-34 is a certification process that focuses on emergency planning. ISO 22301 focuses on Business Continuity Management Systems and is supported by ISO 27031.
DRP is an iterative process and should always be updated and improved.
- Mitigation: This is applied before a disaster in risk management and helps to mitigate the effects of the negative process that will be experienced. Drills, personnel training, simulations, disaster scenarios, and awareness processes are examples of this situation.
- Preparation: This is the entire preparation process that ensures that vehicles and people are ready for the DRP situation.
- DRP Review: Responsible teams examine the plans, correct missing or faulty points, and add them to the plan.
- Read-Through (Checklist): Team members are informed about the plan and learn what is to be done step by step.
- Talk/Walk-Through: The plan is discussed, and what is to be done step by step is talked through and noted.
- Simulation Test: The DRP scenario is created and tested in simulation part by part.
- Physical Tests (Partial Interruption): The DRP scenario is physically applied, and deficiencies are eliminated.
- Response: This is the stage of taking action to mobilize the relevant personnel in line with the procedures. Informing the relevant teams and the managers are examples of this stage.
- Recovery: When the plans, procedures, and people are ready, this is the stage in which the DRP is implemented.
Now we will cover some terms that are important in the DRP process.
- BIA (Business Impact Analysis): The analysis that determines which systems are critical and how long each can be out of service without causing a problem.
- RPO (Recovery Point Objective): The target that determines how much data may be lost in the recovery scenario. For example, if server backups are taken once a week, losing the data of the last week after the backup is accepted in a possible scenario.
- MTD (Maximum Tolerable Downtime): The longest outage the business can tolerate; MTD > RTO + WRT.
- RTO (Recovery Time Objective): The time it takes to restore the system (hardware side).
- WRT (Work Recovery Time): The time to configure the system, operating system, or programs after restoration (software side).
- MTBF (Mean Time Between Failures): The average time between failures; the expected life of a new product.
- MTTR (Mean Time to Repair): The average time needed to repair a failed system.
- MOR (Minimum Operating Requirements): The minimum required for service to be resumed in the event of a disaster.
- Redundant Site: The backup site that holds a second copy of the main data center's systems or information. It receives the data in real time and can be set up to fail over in the event of a disaster, so that traffic can be switched to the redundant site if something happens.
How to prepare for BCP and DRP?
- Project Impact Scope is Determined
- Business Impact Analysis is Prepared – Specific stages are created for systems and their functions. The interruption tolerance periods of these stages are determined.
- What is Owned and What Needs to be Owned in the Future is Determined – That can be a redundancy, an update, or a new technology or system.
- Processes and Systems that Need to be Improved are Determined
- Recovery Plan, Teams, Guidelines, and Scenarios are Prepared
- Training or Drill is Implemented for User Awareness
- Regular Backup Is Provided in All Systems
- A Period is Determined, and All Processes are Repeated at Regular Intervals Starting from Step 1
Analysis ➔ Solution Design ➔ Implementation ➔ Test & Acceptance ➔ Maintenance ➔ Analysis …
These 8 stages should repeat continuously in a cycle. In this way, the existing plan stays up to date and complete before a possible disaster occurs.
7- Data Security
Data exists in three states, and it must be protected with encryption in every one of them.
- Data at Rest: Unused or static data. Data stored on a device, and the passwords used to access the device, should be kept encrypted.
- Data in Motion: Data travelling in network traffic. End-to-end encryption should be used so that the data is protected all the way from the transmitter to the receiver.
- Data in Use: Data that is actively being used. It cannot be encrypted while in use, because encrypted data cannot be read by the application or the user. The best precaution at this stage is user awareness and having the right security policies and devices.
8- IAAA
IAAA (Identification, Authentication, Authorization, Accounting) is the access and control mechanism that, together with the IEEE 802.1X standard, provides port-based secure access, authorization, and session tracking for systems connected to the local network. In this way the local network infrastructure is protected. EAP, PPP, RADIUS, and TACACS+ are the most widely used AAA protocols. With 802.1X, RADIUS acts as the "security guard" of the network by authenticating users, while EAP-TLS uses TLS certificates to protect certificate-based connections and the data transferred between servers. All identities and passwords are centralized using the AAA protocol and encrypted with specific algorithms, so user accounts are protected from third parties.

Identification
Identification consists of provable identity information that represents the person, such as the username, user ID, employee ID, name and surname, and ID number found on the relevant device.
Authentication
Authentication is the first stage, where a person logs in to a system by verifying their identity information. There are five types of authentication.
- Type 1 Authentication (Password, Security Question, PIN Code, etc.) – Something you know. The cheapest type.
- Type 2 Authentication (ID, Passport, Smart Card, Token, Cookie on PC, etc.) – Something you have.
  - Token types are divided into HOTP (HMAC-based) and TOTP (time-based).
    - HOTP (HMAC Based) – A one-time code is generated from a counter and remains valid until it is used.
    - TOTP (Time Based) – A new code is generated for each fixed time period and is valid only within that period.
- Type 3 Authentication (Biometric Traits: Fingerprint, Iris or Retina Scan, Facial Geometry, etc.) – Something you are; a unique physical characteristic. The most expensive and most reliable type.
- Type 4 Authentication (IP/MAC Addresses) – Something that identifies where you are.
- Type 5 Authentication (Signature, Pattern Lock, Certificate) – Something special that you do or have.
Authorization
In the authorization stage, after identity verification has been approved, the Identity and Access Management models described here are used to decide which data the person may access in the relevant system.
- Mandatory Access Control (MAC) – Objects are assigned labels, and subjects hold clearances. The subject's clearance must match the label assigned to the object for access to be granted. This is frequently preferred in military services.
- Role-Based Access Control (RBAC) – Access rights are granted according to the user's role. This is one of the most frequently used methods, and IT teams often prefer it when connecting to the products they manage.
- Discretionary Access Control (DAC) – This is the model in which product, device, or resource owners determine the access rights and access limits on their own resources.
- Rule-Based Access Control (RB-RBAC) – This is the model in which access is provided according to predefined rules.
- Attribute-Based Access Control (ABAC) – An access model built from if-then statements over the attributes of the user, the request, the resource, and the action. Conditional access is applied, and more detailed rules are defined for access; authorizations such as read and write can be defined separately. It is frequently used for remote access given to consultants.
- Context-Based Access Control – A limited model that covers requests coming from a specific country within a specific time period, or requests made through specific ports.
- Content-Based Access Control – This is a model that covers hiding or showing relevant data for specific users.
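A small ABAC policy evaluator as an added example (not from the original notes), covering the consultant remote-access case and the context-based conditions (country, time period, port) from the list above. The policy, the subjects and the resource are constructed for the demonstration; rules are if-then statements over attributes, read and write are authorized separately, and evaluation is deny-overrides with default deny.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    subject: Dict    # attributes of the user (role, projects, ...)
    resource: Dict   # attributes of the object (project, allowed_countries, ...)
    action: str      # "read" or "write": authorized separately
    context: Dict    # attributes of the request itself (country, hour, port)


@dataclass
class Rule:
    name: str
    effect: str                           # "permit" or "deny"
    condition: Callable[[Request], bool]  # the "if" part of the if-then statement


# Constructed policy. The context rules (business hours, country, port) are the
# context-based conditions from the text, expressed as attributes of the request.
POLICY: List[Rule] = [
    Rule("deny-consultant-outside-business-hours", "deny",
         lambda r: r.subject["role"] == "consultant" and not 8 <= r.context["hour"] < 18),
    Rule("deny-unexpected-country", "deny",
         lambda r: r.context["country"] not in r.resource["allowed_countries"]),
    Rule("deny-unapproved-port", "deny",
         lambda r: r.context["port"] not in (22, 443)),
    Rule("consultant-read-own-project", "permit",
         lambda r: r.subject["role"] == "consultant" and r.action == "read"
         and r.resource["project"] in r.subject["projects"]),
    Rule("engineer-read-write-own-project", "permit",
         lambda r: r.subject["role"] == "engineer" and r.action in ("read", "write")
         and r.resource["project"] in r.subject["projects"]),
]


def evaluate(request: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Deny-overrides combining with default deny: the first matching deny rule wins;
    otherwise the first matching permit rule; if nothing matches, access is denied."""
    permit = None
    for rule in policy:
        if rule.condition(request):
            if rule.effect == "deny":
                return "deny", rule.name
            permit = permit or rule.name
    return ("permit", permit) if permit else ("deny", "default-deny")


# Constructed sample subjects and resource used in the demonstration below.
CONSULTANT = {"role": "consultant", "projects": ["alpha"]}
ENGINEER = {"role": "engineer", "projects": ["alpha"]}
DESIGN_DOC = {"project": "alpha", "allowed_countries": ["DE", "TR"]}

if __name__ == "__main__":
    ok = {"country": "DE", "hour": 10, "port": 443}
    print(evaluate(Request(CONSULTANT, DESIGN_DOC, "read", ok)))                    # permit
    print(evaluate(Request(CONSULTANT, DESIGN_DOC, "write", ok)))                   # default-deny
    print(evaluate(Request(CONSULTANT, DESIGN_DOC, "read", {**ok, "hour": 22})))    # deny: hours
```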
Accounting
This is the section where all transactions are tracked and recorded. A user who passes the identity verification steps and connects to the system can be tracked in real time and also through the access log records. Each activity performed is recorded with its date and time. The recorded data is used to obtain statistics, to make measurements and evaluations, or as evidence when a problem is encountered. The main purpose at this stage is to protect objects from subjects, because objects can be manipulated by subjects.
- Subject (Active) – Users or applications can be given as examples.
- Object (Passive) – Data or paper documents can be given as examples.