As defined earlier in Chapter 2, "Foundations and Principles of Security," designing and implementing a sound IT security architecture and framework requires a thorough analysis and examination of how availability, integrity, and confidentiality (the A-I-C Triad) are designed and implemented on the IT infrastructure components and assets in the overall information security plan.
Attacks on an IT infrastructure and assets can disrupt availability of service resulting in the following:
Attacks on an IT infrastructure and assets can disrupt the integrity of information that organizations disseminate:
Caution
Attacks on an IT infrastructure and assets can disrupt the confidentiality of information and data assets. Attacks can expose confidential information such as corporate or intellectual property secrets, financial information, and health records, which can result in identity theft. Maintaining the confidentiality of privacy records and financial data pertaining to individuals is now subject to laws, mandates, and regulations dictated by HIPAA and GLBA.
Unfortunately, implementing a robust IT security architecture and framework and conducting a risk and vulnerability assessment are not things an organization can take lightly. Many IT systems and applications were not designed with security in mind, and many organizations are struggling to deal with the lack of security in the IT infrastructure components and applications they currently have in production. Security was always an afterthought; now, for the first time, information security is at the forefront of system requirements definitions and system designs.
Security as a process would define an entire development life cycle that incorporates security requirements into the system or application design from the very beginning. When a system (hardware, software, or multiplatform) or application (software code) is designed from the ground up with security requirements for availability, integrity, and confidentiality, minimization of the risks, threats, and vulnerabilities can be designed into the system or application up front. Security as a process would have security requirements incorporated throughout all the steps of the system or application development and design life cycle. These steps include the following:
As shown in Figure 3.3, step 4 in the System Development Life Cycle incorporates security design within the design and development phase of the life cycle. This is an important first step to ensure that the proper security controls, security objectives, and security goals are initiated properly.
Figure 3.3. Security in the development life cycle.
This IT security process is what is currently missing from many organizations when it comes to designing and implementing new IT systems and applications throughout the organization. As organizations incorporate security requirements and design into the development life cycle, more IT systems and applications will have the inherent security controls to ensure that the availability, integrity, and confidentiality goals and objectives are achieved.
A risk and vulnerability assessment of IT systems and applications can examine the defined security goals and objectives. This examination includes a review of the IT system's or application's security requirements and how they were implemented in production. Understanding this void in the development life cycle will help IT organizations fill it with proper security requirements and security design steps in the overall development effort. By building the proper security controls and requirements into the system and application design up front, an organization can minimize its exposure to risks, threats, and vulnerabilities, thus eliminating costly security countermeasures and other security controls placed around an IT system or application that lacks the proper security controls.