Information Security Science
eBook - ePub

Information Security Science

Measuring the Vulnerability to Data Compromises

  1. 406 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Information Security Science: Measuring the Vulnerability to Data Compromises provides the scientific background and analytic techniques to understand and measure the risk associated with information security threats. This is not a traditional IT security book since it includes methods of information compromise that are not typically addressed in textbooks or journals. In particular, it explores the physical nature of information security risk, and in so doing exposes subtle, yet revealing, connections between information security, physical security, information technology, and information theory. This book is also a practical risk management guide, as it explains the fundamental scientific principles that are directly relevant to information security, specifies a structured methodology to evaluate a host of threats and attack vectors, identifies unique metrics that point to root causes of technology risk, and enables estimates of the effectiveness of risk mitigation. This book is the definitive reference for scientists and engineers with no background in security, and is ideal for security analysts and practitioners who lack scientific training. Importantly, it provides security professionals with the tools to prioritize information security controls and thereby develop cost-effective risk management strategies. 
- Specifies the analytic and scientific methods necessary to estimate the vulnerability to information loss for a spectrum of threats and attack vectors
- Represents a unique treatment of the nexus between physical and information security that includes risk analyses of IT device emanations, visible information, audible information, physical information assets, and virtualized IT environments
- Identifies metrics that point to the root cause of information technology risk and thereby assist security professionals in developing risk management strategies
- Analyzes numerous threat scenarios and specifies countermeasures based on derived quantitative metrics
- Provides chapter introductions and end-of-chapter summaries to enhance the reader's experience and facilitate an appreciation for key concepts

Frequently asked questions

Yes, you can access Information Security Science by Carl Young in PDF and/or ePUB format, as well as other popular books in Business & Information Management. We have over one million books available in our catalogue for you to explore.

Information

Publisher: Syngress
Year: 2016
Print ISBN: 9780128096437
eBook ISBN: 9780128096468
Part I
Threats, risk and risk assessments
Chapter 1: Information Security Threats and Risk
Chapter 2: Modeling Information Security Risk
Chapter 1

Information Security Threats and Risk

Abstract

This chapter discusses the distinction between threats and risk. In particular, the risk factor is introduced. Risk factors for various threats and attack vectors are highlighted throughout the text since they are essential to formulating an effective security risk management strategy. Probability distributions are introduced in a detailed discussion of the likelihood component of risk.

Keywords

threat
risk
risk assessment
risk factors
likelihood
vulnerability
impact
probability distributions

Introduction

Information Security Risk

This book is about estimating the vulnerability to unauthorized access to information by individuals with malicious intent. Attack scenarios range from simple visual observations of white boards or computer monitors and conversation overhears to sophisticated compromises of radiating electromagnetic signals. Many of these scenarios can be modeled using well-established physical principles that provide insights into the magnitude of the vulnerability to information security threats.
Such estimates may appear straightforward, but there are many scenarios of concern and the spectrum of vulnerabilities is broad. This is evident from the following examples:
• electromagnetic signals leaking from a computer located in a country known to sponsor information security attacks against foreign companies;
• a wireless network in the vicinity of a drive-by hacker with one of the network access points promiscuously radiating signal energy to the street;
• sensitive conversations that can be overheard by occupants of another floor in a multitenant office building;
• white boards, keyboards, and computer monitor screens in the direct line-of-sight of distant buildings;
• employees informally conversing on a company balcony while surrounded by properties of unknown control/ownership;
• information technology (IT) networks and systems that communicate via the Internet.
Traditional texts on information security and indeed most organizations often focus on the last bullet. In fact, entire departments are routinely dedicated to network security. It is no secret that the exploitation of IT vulnerabilities has increased in recent years, and the criticality of IT infrastructure demands a disproportionate share of attention. As a consequence, other attack vectors have been ignored despite the fact that they may be simpler to execute and could have equally significant impact.
The historical evidence suggests that IT risk deserves special attention. But despite that attention, traditional security risk management strategies have arguably been less than effective. Notably, these strategies include numerous and varied security controls. In fact, there is often an abundance of IT security data derived from these controls. But it is not clear such data are yielding insights into risk on a strategic level.
Indeed, IT risk managers are sometimes overwhelmed with data that are intended to identify the risk of information loss. But such data are traditionally used in support of tactical remediation efforts. Problems often recur because such remedies are inherently narrow in scope. Sometimes this abundance of data actually blinds organizations to the most significant risk factors for information compromise, which include business practices, security governance, physical security of information assets, and user behavior in addition to poor or inappropriate IT implementation.
One phenomenon that contributes to the ineffectiveness of current security strategies is the difficulty in quantifying IT risk. Why is this so difficult? The reasons are threefold:
• IT security incidents typically result from the confluence of related issues. The contributions of each issue can vary and it can be difficult to assess their relative magnitudes.
• Robust statistics on actual IT incidents are either nonexistent or not particularly helpful in assessing risk.
• Controlled experiments to determine the effectiveness of risk mitigation in IT environments are difficult to conduct.
The result is an absence of useful models pertaining to IT risk. So it is not easy to rigorously confirm the effectiveness of a particular security strategy.
The problem is exacerbated by the fact that IT protocols and systems have antagonistic objectives: ensuring data security and facilitating communication. To be sure, facilitating communication invites risk. In fact, the very existence of a network is a risk factor for information compromise. Despite continued efforts to ensure data security, these technologies spawn new vulnerabilities each day. The popularity of the Internet in conjunction with well-advertised attacks on systems drives the nearly singular focus on technology as both the culprit and the cure for information security ills.
Information security risk scenarios can admittedly be complex with interrelated elements. In many cases this complexity precludes the formulation of reliable risk models. Finally, the diversity of attackers and their respective motives makes precise statements on the likelihood of a future incident difficult if not impossible.

Information Security in a Routine Business Scenario

The following example illustrates the variety of information security issues that are relevant to even routine business scenarios. Consider an everyday meeting between individuals in a conference room. This event is likely repeated thousands of times each day around the world. Meeting attendees use the gifts provided by Mother Nature to generate, detect, and process acoustic energy in the form of speech.
What is the level of assurance that the acoustic energy will be confined to that conference room and not be overheard by individuals in other parts of the building? For example, acoustic energy propagating within the conference room might couple to building structural elements and be heard by individuals in an adjoining room or even another floor.
Moreover, if the conf...

Table of contents

  1. Cover
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Biography
  7. Foreword
  8. Preface
  9. Acknowledgments
  10. Part I: Threats, risk and risk assessments
  11. Part II: Scientific fundamentals
  12. Part III: The compromise of signals
  13. Part IV: Information technology risk
  14. Part V: The physical security of information assets
  15. Epilogue
  16. Appendix A: The Divergence and Curl Operators
  17. Appendix B: Common Units of Electricity and Magnetism
  18. Appendix C: Capacitive and Inductive Coupling in Circuits
  19. Appendix D: Intermediate Frequency (IF) Filtering of Signals
  20. Appendix E: An Indicative Table of Contents for an Information Security Policy
  21. Index