- What is it?
- Why Use?
- Audit and Risk Analysis
- Security Auditing
- Intrusion Tests
- Business Continuity
- Social Engineering and Training
What is it?
Information Security is the protection of information from a range of threats, with the objectives of:
- preserving business continuity,
- maximizing the return on investment,
- minimizing risk,
- applying the principles of confidentiality, integrity and availability.
We classify as information all content, all information about that content (metadata), and any other data that has value to an organization because it is useful in carrying out its activities.
Information security rests on three fundamental principles: Confidentiality, Integrity and Availability. We aim to protect assets by enforcing each of these principles.
Confidentiality – The principle of confidentiality aims to guarantee that only authorized users have access to the information they are entitled to see and manage. This implies that access is refused when the user is not authorized to access the data.
Integrity – In information security, integrity assures the accuracy and consistency of information throughout its lifecycle, so that information cannot be modified in an unauthorized or undetected way.
Availability – This principle assures uninterrupted access to information, throughout its lifecycle, whenever a user needs it.
Why Use?
Information is one of the most important assets of a company, held on a variety of media (digital and non-digital). The value of the information stored in an organization's systems is increasingly important to its proper functioning; however, the threats to an organization's information are also growing, whether external, as with hackers motivated by fun or profit, or internal, motivated by lack of information or knowledge, carelessness or deliberate intent.
Moreover, vulnerabilities are regularly discovered in the systems and applications that companies use daily, and these can be exploited to gain access to information that is confidential and fundamental to the organization.
Given the exponential growth of information, it is now crucial to store and protect data securely (preserving confidentiality) while maintaining its accuracy (integrity) and ensuring it is accessible whenever it is needed (availability).
On the other hand, there is a set of important services that minimize risk and raise the security level of organizations, such as the following:
- Risk Analysis
- Penetration Testing
- Business Continuity
- Training and Social Engineering
Audit and Risk Analysis
The main objective of an audit or risk analysis is to identify and evaluate risk, and subsequently to recommend mitigation measures that reduce the risk to levels acceptable to the institution.
Through a risk analysis audit, companies may obtain the following benefits:
- Significant improvements in the security of the information systems that store, process and transmit the organization's information.
- Better management of the implementation of processes.
- Greater and enhanced control over the company's assets.
- Better management of the institution's risks.
- Better-informed decisions by the company's management on Information Security investments.
The steps of an audit or risk analysis are the following:
- Definition of the scope and organizational context;
- Risk identification;
- Risk estimation;
- Risk evaluation;
- Communication of the risk and of the controls for its mitigation;
- Implementation of controls;
- Acceptance of the residual risk.
Risk analysis can be quantitative or qualitative, depending on the organization's objectives and maturity; it can be advantageous to combine both approaches.
In qualitative analysis the risk is usually classified with values such as Low, Medium or High, or any other scale defined by whoever sets the risk analysis metric.
Quantitative analysis is used when the aim is to put a financial value on the assets and on the associated impacts, so that the calculated risk can be expressed numerically.
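The following Python sketch is an added worked example and not the page's own (or the DRC's) method: it puts the qualitative and quantitative views side by side and carries the quantitative figure through to the two later steps of the cycle, deciding whether a control is worth its cost and whether the residual risk can be accepted. The page names no formulas, so the 3x3 Low/Medium/High matrix, its bucket boundaries and the standard annualized loss model (SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence) are assumptions; the asset, its values, the control cost and the risk appetite are constructed numbers.

```python
from dataclasses import dataclass

# --- Qualitative analysis -------------------------------------------------
# Assumed ordinal scale for both axes: 1 = Low, 2 = Medium, 3 = High.
# The 3x3 matrix and the bucket boundaries are a common convention, not
# something the page specifies.

def qualitative_risk(likelihood: int, impact: int) -> str:
    """Classic 3x3 risk matrix: bucket likelihood * impact into Low/Medium/High."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be rated 1..3")
    score = likelihood * impact          # possible values: 1, 2, 3, 4, 6, 9
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"

# --- Quantitative analysis ------------------------------------------------
# Standard annualized loss model (assumed; the page names no formula):
#   SLE = AV * EF      single loss expectancy, money lost per incident
#   ALE = SLE * ARO    annualized loss expectancy, expected loss per year

@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    annual_rate: float      # ARO: expected number of incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.annual_rate

def control_net_benefit(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Annual ALE reduction achieved by a control minus what the control costs per year.
    A positive result means the control pays for itself; this is the figure
    management needs when deciding on security investments."""
    return before.ale() - after.ale() - annual_control_cost

def residual_risk_acceptable(after: Scenario, risk_appetite: float) -> bool:
    """Final step of the cycle: is the residual ALE within the yearly loss the
    institution is willing to carry?"""
    return after.ale() <= risk_appetite

# --- Constructed sample input ---------------------------------------------
# Hypothetical customer database; every number below is invented for illustration.
DB_BEFORE = Scenario("customer database", asset_value=500_000.0,
                     exposure_factor=0.40, annual_rate=0.5)
# Same asset after a (hypothetical) encryption-at-rest and monitoring control,
# assumed to lower both the share lost per incident and the incident rate.
DB_AFTER = Scenario("customer database", asset_value=500_000.0,
                    exposure_factor=0.10, annual_rate=0.2)
CONTROL_COST_PER_YEAR = 30_000.0
RISK_APPETITE_PER_YEAR = 20_000.0

def risk_summary() -> dict:
    """Combine both views into the kind of row a risk report would carry."""
    return {
        "qualitative": qualitative_risk(likelihood=2, impact=3),
        "sle_before": DB_BEFORE.sle(),
        "ale_before": DB_BEFORE.ale(),
        "ale_after": DB_AFTER.ale(),
        "control_net_benefit": control_net_benefit(DB_BEFORE, DB_AFTER, CONTROL_COST_PER_YEAR),
        "residual_accepted": residual_risk_acceptable(DB_AFTER, RISK_APPETITE_PER_YEAR),
    }

if __name__ == "__main__":
    for key, value in risk_summary().items():
        print(f"{key:>20}: {value}")
```

With the constructed numbers the asset rates High qualitatively, the control removes 90,000 of annual expected loss for 30,000 of cost, and the residual 10,000 per year falls inside the assumed appetite, so the risk would be accepted at the last step. Changing the risk appetite or the control cost shows how the same asset can fail acceptance even when the control is cost-effective.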
Intrusion Tests
Penetration testing aims to evaluate the security of a company's systems and networks by simulating external and internal attacks and then analysing the results of those attacks. It involves verifying potential vulnerabilities and how easily they can be exploited to gain unauthorized access to any type of information.
The purpose of these intrusion tests is to produce reports that list not only the vulnerabilities but also their risk grade, together with corrective measures whose application improves the security of systems and networks. There are two main types of penetration test: external and internal, also referred to as "black-box" and "white-box". In an external test the entity performing the test has no prior knowledge of, or internal access to, the company's infrastructure during the test. An internal or "white-box" test assumes prior knowledge of the systems to be tested, such as network configuration, externally exposed services and IP addresses, or access to the client's infrastructure, so that vulnerabilities can be checked from inside the organization.
The main benefit of carrying out audits or penetration tests is that companies take significant steps toward protecting their information and infrastructure against the conventional attacks in circulation, markedly reducing their exposure and risk of information loss, and thereby minimizing financial losses.
Security Audits to Websites
Nowadays, all users rely on the internet for critical operations, for example online shopping, home banking, IPTV, online games, etc.
How can you guarantee that the security parameters (Confidentiality, Integrity and Availability) are not at risk?
Security aside, which part of your company is most exposed (or vulnerable) to attack? Is your website safe?
Web security audits, or web penetration tests, aim to evaluate the security of websites, web applications and web services by simulating internal or external attacks and confirming their results. This includes the analysis of potential vulnerabilities, their probability and difficulty of exploitation, and whether they allow unauthorized access to the website's information or can even take the site offline.
Type of tests:
There are two types of test: with authentication and without authentication.
Tests without authentication examine the website from the point of view of a casual, unauthenticated user.
On the other hand, if the site has an authentication mechanism or a management area (e.g. backoffice, intranet, extranet), an analysis "with authentication" is carried out, simulating the behaviour of an attacker who holds the minimum privileges of an ordinary user. In this scenario the objective is to identify the existing vulnerabilities and to check whether they can be exploited to reach information outside the scope of that authenticated user.
The methodology used consists of 4 phases:
- Gathering information about the target structure.
- Identifying possible vulnerabilities.
- Exploiting the vulnerabilities.
- Reporting on the exploitation of the identified and tested vulnerabilities.
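As an added example, not code from the original page or from the DRC, the Python sketch below models the "with authentication" test described above on a tiny in-memory invoice endpoint: a low-privilege user (`alice`) requests a range of record ids, and the probe keeps every id that returned another user's data, which is exactly the "information outside the scope of the authenticated user" the test looks for. A vulnerable handler is shown beside a hardened one, and the findings are written up in the page's Low/Medium/High style to mirror the four phases (gather, identify, exploit, report). The handler names, the two users, the invoice table and the id range are all constructed for the illustration.

```python
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data: two ordinary users, each owning one invoice.
INVOICES: Dict[int, dict] = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 980.0},
}

class Forbidden(Exception):
    """Raised by the handlers when a request must be refused."""

def get_invoice_vulnerable(session_user: Optional[str], invoice_id: int) -> dict:
    """Hypothetical endpoint that only checks that someone is logged in.
    It trusts the id in the request, so any authenticated user can read any invoice."""
    if session_user is None:
        raise Forbidden("login required")
    if invoice_id not in INVOICES:
        raise Forbidden("no such invoice")
    return INVOICES[invoice_id]

def get_invoice_fixed(session_user: Optional[str], invoice_id: int) -> dict:
    """Hardened handler: the record is returned only if the caller owns it.
    Missing and foreign invoices get the same refusal, so ids cannot be enumerated
    by telling the two cases apart."""
    if session_user is None:
        raise Forbidden("login required")
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("invoice not available")
    return record

def probe_horizontal_access(handler: Callable[[Optional[str], int], dict],
                            session_user: str,
                            candidate_ids: Iterable[int]) -> List[int]:
    """Phases 2 and 3 as a low-privilege authenticated user: request every candidate
    id and keep those that came back with someone else's data."""
    leaked: List[int] = []
    for invoice_id in candidate_ids:
        try:
            record = handler(session_user, invoice_id)
        except Forbidden:
            continue
        if record["owner"] != session_user:
            leaked.append(invoice_id)
    return leaked

def finding(handler_name: str, leaked: List[int]) -> dict:
    """Phase 4: one report entry with a risk grade and a corrective measure."""
    if not leaked:
        return {"handler": handler_name, "vulnerable": False, "risk": "Low", "leaked_ids": []}
    return {
        "handler": handler_name,
        "vulnerable": True,
        "risk": "High",   # foreign records readable by any ordinary account
        "leaked_ids": leaked,
        "recommendation": "check that the record belongs to the session user on every request",
    }

def run_assessment() -> List[dict]:
    """Run the same probe against the vulnerable and the hardened handler."""
    ids = range(100, 105)   # constructed id range around the known records
    return [
        finding("get_invoice_vulnerable",
                probe_horizontal_access(get_invoice_vulnerable, "alice", ids)),
        finding("get_invoice_fixed",
                probe_horizontal_access(get_invoice_fixed, "alice", ids)),
    ]

if __name__ == "__main__":
    for entry in run_assessment():
        print(entry)
```

Against a real site the probe would issue HTTP requests with the test account's session cookie instead of calling a function, but the logic is the same: the evidence of a finding is a response body whose owner is not the session user, and the fix is an ownership check in the handler rather than any change to the login step.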
Business Continuity
Have you ever considered how long your organization could survive without its information systems, and without operating?
The unforeseen happens, and its consequences are largely unpredictable. Each incident is unique and unfolds unexpectedly, affecting the capacity to respond and react in time to stop or reverse the course of events.
Hence the need to be prepared for the unexpected through a Business Continuity Plan (BCP), which should be an integral part of a crisis management plan covering the entire organization.
A BCP is fundamental to mitigate loss of revenue and avoid extra costs. Moreover, insurance does not always cover every risk, nor can it win back the clients who meanwhile turn to the competition.
The best preparation for an incident, accident or disaster is to have implemented and tested a BCP that every member of the organization knows and is responsible for executing. Without a BCP, an organization not only takes longer to react to an incident; it may never be able to recover, and may be forced to shut down.
A BCP is meant to keep the business running, or get it running again, in the event of an incident or disaster, whether caused by natural disasters (for example fire, cyclones, floods, etc.), public health events (epidemics, viruses, etc.), acts of terrorism, attacks via the internet, malicious activity or even human error.
A BCP defines the procedures and instructions the organization must follow in any of these cases, and covers policies and management procedures, material resources, people and partners, among other things.
A BCP incorporates a Disaster Recovery Plan (DRP) but must not be confused with it: the DRP's main objectives are to recover the IT infrastructure and post-crisis operations, whereas the BCP covers, in a structured and supported way, the continuity of the whole organization's business after the crisis.
The development of a BCP consists of 5 distinct phases:
- Analysis, comprising:
  a. BIA – Business Impact Analysis (aims to identify the critical functions, their time constraints and the resources that support them)
  b. Threat and Risk Analysis (identification of threats and analysis of the risks relative to the different threats)
  c. Impact Scenarios (aims to define a range of impact scenarios, from their duration to the extent of the damage)
  d. Recovery requirements (identification of all the procedures and processes needed for full recovery)
- Solution design (covers the development of a business continuity solution)
- Implementation (execution of the business continuity plan)
- Tests and organizational acceptance (carrying out tests and adapting the solution to the structure and culture of the organization)
- Maintenance (analysis of the adequacy of the implementation and application of any contingency plans)
The IT component includes items such as networks, servers, desktops, laptops and many wireless devices. The capacity to keep the office productive becomes critical. Recovery strategies for information systems should therefore be developed in depth, and technology should be recovered in time to meet the needs of the business. Manual procedures should be an integral part of the IT plan, so that the business can continue while systems are being recovered.
In summary, a BCP (Business Continuity Plan), also called a BCRP (Business Continuity and Resiliency Plan), identifies the processes and procedures to perform in case of an incident, evaluates the organization's external and internal exposure to threats, and brings together all resources in order to provide effective prevention and recovery for the organization while maintaining its competitive advantage and the integrity of its systems.
Social Engineering and Training
Social engineering (in the context of information security) is a term for the art of manipulating people in order to obtain information that allows a particular security control to be circumvented. People or users can be manipulated in various ways, such as telephone calls, e-mails and personal contact.
In such cases the attacker uses the power of persuasion to manipulate a user into revealing information that was never supposed to be public, such as passwords.
This method is frequently used by malicious attackers, since it exploits what many consider the weakest link in the security chain: the user. Without adequate training, users are not alert to this type of attack and thus become the first entry point into the organization.
To bridge this gap, the DRC develops a set of tests and metrics to evaluate users' susceptibility to social engineering attacks, and prepares training sessions, more or less technical, to bring about a change of mentality regarding information security.
The goal is to reduce risk by properly training employees, so that they become the first line of defence rather than the first line of weakness.