FUNDAMENTALS OF INFORMATION SECURITY FOR SERVICE PROVIDERS

A SPECIAL REPORT BY INGRAM MICRO, 2019

Don’t just sell, excel


© 2019 Ingram Micro Inc. All rights reserved. Ingram Micro and the Ingram Micro logo are trademarks used under license by Ingram Micro Inc. All other trademarks are the property of their respective companies. Products available while supplies last. Prices subject to change without notice. 3/19 KH2019.10581

Table of Contents

02  Table of Contents
03  What Is Information Security?
      The Core Security Model: CIA
      Confidentiality
04    Integrity
      Availability
      Layered Security and Defense in Depth
05  Understanding Risk
      What Is Risk?
      What Are Vulnerabilities?
      What Are Threats?
      Mitigating Risk
06  Basic Security Controls
      Access Controls
07    Logging, Auditing and Accountability
      Cryptography
08  Operational Security
      Network Security
10  Host and Application Security
11  Bringing It All Together
      Get Additional Security Guidance
      About Ingram Micro


What Is Information Security?

The ubiquitous adoption of information technology has blossomed into a modern business environment of features, capabilities, capacity and scale unimaginable just a generation ago. Today, business organizations of every type, from traditional financial institutions and insurance carriers to cutting-edge retailers and services providers, rely on a breathtakingly complex, interconnected system of digital assets and applications to connect with the world and deliver their wares.

As technologies evolve, the ecosystem transforms. New services are created, new applications are developed and new business models are born. In this modern IT era, consumers are more engaged and satisfied, workers are more productive and businesses are more dependent than ever on technology and data as drivers of innovation and profitability.

Lurking behind all of the positive benefits of the IT-driven business world, however, are some troubling questions. In a world where digital assets are often more valuable than physical ones, what happens if the systems and data we’ve come to rely on are damaged or stolen? How can we protect the crown jewels of a modern, digitized organization in an increasingly hostile world where threats abound and perimeters are obliterated by the internet, global connectivity and cloud computing?

The answer is information security—robust, thoughtfully crafted, diligently applied layers of policy, process, procedure and control designed to protect an organization’s digital assets from attackers, thieves, vandals, malware, power outages, equipment failure, natural disasters, and any other threat to critical data and systems.

Information security is far from a perfect science. Indeed, an organization is never 100 percent safe from all possible threats. The security practitioner’s job is to defend an organization in the best manner possible using the resources available to mitigate those risks most likely to be exploited and to defend against those compromises that would cause the greatest harm.

The Core Security Model: CIA

Driving the conversation around information security is a set of core principles that serve as a foundation for the terms and concepts security professionals use when approaching matters of risk management. Confidentiality, integrity and availability, or CIA, form the security triad used by most in information security to frame the elements that must be addressed in a holistic security program.

Confidentiality

Confidentiality efforts prevent the disclosure of data to those not authorized to view it. Attacks focused on interception pose the greatest threat to confidentiality. Security methods such as access controls and encryption play a major role in assuring the confidentiality of digital information.


Integrity

Integrity is about ensuring that data hasn’t been changed in an unauthorized way or by an unauthorized party. The biggest threats to data integrity are attacks that focus on interruption, modification or fabrication. Security controls such as hashing, digital signatures, certificates and other non-repudiation technologies help guarantee the integrity of information.

Availability

The goal of availability is to assure that data and services are accessible and fully functional whenever needed. As with integrity, the primary threats to availability involve interruption, modification or fabrication attacks. Some of a security team’s efforts to address availability include the implementation of redundancy and fault tolerance; proper maintenance and patching of critical IT systems; and business continuity and disaster recovery (BCDR) protocols.

Layered Security and Defense in Depth

For most of the past two decades, the concepts of layered security and defense in depth drove much of the thinking in IT security. The concepts are fairly simple. Think of an organization as a series of concentric layers beginning with data and moving outward through applications, hosts, internal networks, the perimeter and the external network. With that structure in mind, apply multiple security controls within each layer so that the environment remains protected even if the defense in one layer should fail.

While layered security and defense in depth are challenged—and arguably less effective—in today’s cloud-centric, perimeter-less environments, they remain a good way to map available security controls to logical parts of the organization in order to mitigate risk.


In a proper application of layered security, several defensive controls such as logging, auditing, firewalls, and intrusion prevention and detection appear in multiple layers. In this report, we’ll take a closer look at many of the individual controls listed here. But the salient point about layered security and defense in depth is that no single control is as effective as a well-thought-out schema of interlocking and redundant defenses that work together to protect the organization.

Understanding Risk

The primary goal of the security professional is to reduce risk. Since so much of the security practice is dedicated to the assessment, mitigation and even acceptance of risk, it’s important for the practitioner to understand the vernacular of risk management.

What Is Risk?

Simply put, risk is the probability—a combination of possibility and likelihood—that a threat will exploit a vulnerability with the result being some kind of harm to the organization via a loss of confidentiality, integrity or availability. Organizational risks include business disruption, financial losses, damage to reputation, loss of intellectual property, competitive disadvantage, privacy violations, lawsuits, fines and other legal ramifications.

What Are Vulnerabilities?

A vulnerability is a weakness in hardware, software, configuration, etc., with the potential to be exploited to the detriment of the business. Things like unpatched systems, weak authentication protocols and poorly managed admin accounts introduce significant vulnerabilities into the IT environment.

What Are Threats?

A threat is any person, event or circumstance with the ability to exploit a vulnerability at the expense of some element of the CIA security triad. Hackers, disgruntled employees, human error and natural disasters such as earthquakes and hurricanes are all examples of threats facing a modern organization with critical digital assets.

Mitigating Risk

Mitigating, or reducing, risk lowers the probability that a threat will be able to exploit a vulnerability. Risks are mitigated by applying safeguards, also known as security controls. Most controls are powerless to reduce threats; a hurricane can’t be stopped and hackers will continue to attack systems and write malware. Security practitioners mitigate risk, therefore, by reducing vulnerabilities to known threats or by lowering the potential damage that can be caused by a threat.

Endpoint protections like antivirus and antispam, for example, can reduce or eliminate the negative impact of malware by intercepting it before it can damage or exfiltrate data. Similarly, robust backup and recovery protocols limit system downtime and data loss in the event of a hurricane. In both cases, the threat remains constant, but risk is mitigated by countermeasures that address the underlying vulnerability.


Basic Security Controls

As noted, protecting an organization’s data and systems and mitigating risk require the judicious application of controls. Understanding what weapons are in the security practitioner’s arsenal and how they work—alone and in concert with other safeguards and countermeasures—is critical to crafting effective security programs.

Security controls come in three main types:

Technical controls: Controls that apply a technology solution to reduce vulnerabilities and mitigate risk. Examples are antivirus software, firewalls, IDS/IPS and encryption.

Management controls: These controls apply security assessment and planning activities to deliver ongoing reduction of risk exposure. Examples of these controls include penetration tests, risk and vulnerability assessments and threat modeling.

Operational controls: These are the controls delivered via the day-to-day operations of the security team or the security service provider. Asset inventories, data classification, security awareness training, configuration and change management, and BCDR protocols are all examples of this type of control.

The goal here is to look at the fundamental security controls most commonly applied as part of a typical information security and risk-management program.

Bear in mind that a steady stream of security products and services from industry vendors continues to expand this list with innovations driven by artificial intelligence, machine learning, automation and other emerging technologies. These seemingly endless new offerings often blur the line between traditional control sets or seek to create entirely new control categories.

While these next-generation products are important in a dynamic information security environment, one should bear in mind that the overwhelming majority of cyberattacks are neither highly customized nor particularly sophisticated. Most rely on well-known vulnerabilities in unpatched or poorly configured systems.

Getting one’s arms around the basics is the first and most important step a security practitioner can take on the road to becoming an effective and responsible defender of data and systems.

Access Controls

Access controls give organizations the power to determine what people, applications or systems can interact with their digital environment and how those actors can view, alter or remove files and data. Access controls are generally broken down into identification, authentication and authorization.

Identification is simply the act of claiming or professing an identity. When a user enters a username or email address, they’re claiming to be that entity for the purpose of accessing systems or data. Access control systems don’t grant access based on a claim of identity alone.


Authentication involves a second requirement, typically a password or PIN, that works to prove that the claimed identity is real. In multifactor authentication, users often must provide more than one input—a password and an ephemeral passcode from an SMS message, for example—in order to authenticate their identity.

Authorization is the final link in the access control chain. Systems won’t grant access to a user even if they prove their identity unless that particular combination of ID and password is authorized by administrators to access the systems in question.

Security practitioners achieve access control that’s both effective and user-friendly through well-organized account and directory management, role-based controls, strong password policies, biometrics, dual-factor and multifactor authentication, single sign-on, and federation systems.

Logging, Auditing and Accountability

Event logs are a window into the health and security posture of an organization. Capturing and analyzing log data is an important method for ensuring policy adherence, detecting compromises and limiting damage from cybersecurity incidents. System event logs and firewall and router access logs, along with the telemetry from antivirus platforms, server applications, system performance monitors and other sources, provide a wealth of insight into the who, what, where and when of activities in a protected environment. In the event of an attack, log data can be critical to establishing the scope of damage and closing the door to future threats.

Keeping vast amounts of log data is of limited use, however, if the information isn’t regularly reviewed and subject to periodic audit. Routine audits that include insights from log data are invaluable for establishing that policies around account management, authorized use and data classification, for example, are being adhered to.

Cryptography

The controls provided by cryptography are important to both the integrity and confidentiality elements of the security triad.

Hashing: A hash, or checksum, is a number that’s produced when a complex algorithm is applied to data such as a file or the text of a message. Not to be confused with encryption, an effective hash is irreversible—that is, it’s not possible, under ordinary circumstances, to turn the checksum back into the content that created it.

The value of hashing lies in its ability to assure that nothing in the source data, file or message has been altered. An unaltered file will always produce the same hash, while the change of even a single character will result in a very different hash. Comparing hashes is therefore an effective way to ensure the integrity of files.

Hashing is also used as a way to store passwords in a system without revealing the password to others. When a user creates a password, the system stores only its hash. Subsequent authentication attempts simply compare the stored hash to a new hash of the submitted password. Viewing the repository of passwords would reveal only a collection of meaningless and irreversible checksums of no value to an attacker.
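The following Python is an added example, not code from the report or from Ingram Micro. It puts the two hashing uses above (comparing digests to detect a changed file, and storing credentials as hashes) together with the identification, authentication and authorization chain from the Access Controls section, in one small decision function. It goes beyond the report on one point: the stored password hash is salted per user and stretched with PBKDF2, which is how hashed credential storage is done in practice. The user table, passwords and roles are constructed for the example.

```python
"""Hash-based integrity checks, hashed credential storage and a three-step
access-control decision, using only the Python standard library."""
import hashlib
import hmac
import os
from typing import Optional

# --- Integrity: compare digests of content -------------------------------

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string, hex-encoded."""
    return hashlib.sha256(data).hexdigest()

def integrity_check(data: bytes, expected_hex: str) -> bool:
    """True when the data still produces the digest recorded earlier.
    A single changed byte yields a completely different digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)

# --- Authentication: salted, iterated password hashes --------------------

PBKDF2_ITERATIONS = 600_000  # iteration count; tune to your hardware budget

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    The per-user random salt (an addition beyond the report) keeps two users
    with the same password from sharing a stored hash, and the iteration
    count slows offline guessing against a stolen table.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the submitted password and the stored salt,
    then compare in constant time; the plaintext is never stored."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

# --- Access control: identification -> authentication -> authorization ---

# Constructed user table: only hashes are kept, never the passwords.
USERS = {
    "alice": {"pw": hash_password("correct horse battery staple"),
              "roles": {"analyst"}},
    "bob":   {"pw": hash_password("hunter2"),
              "roles": {"analyst", "admin"}},
}
# Constructed role-based permissions: which roles may perform each action.
PERMISSIONS = {"read_logs": {"analyst", "admin"}, "manage_accounts": {"admin"}}

def access_decision(username: str, password: str, action: str) -> str:
    """Walk the three access-control steps and report where the request stops."""
    record = USERS.get(username)  # identification: the caller claims an identity
    if record is None or not verify_password(password, record["pw"]):
        # Same message whether the user or the password was wrong, so a
        # failed attempt does not reveal which usernames exist.
        return "denied: authentication failed"
    if not record["roles"] & PERMISSIONS.get(action, set()):
        return "denied: not authorized"  # proven identity, but no right to this action
    return "granted"

if __name__ == "__main__":
    original = b"quarterly-report v1"
    recorded = sha256_hex(original)
    print("unchanged file passes:", integrity_check(original, recorded))
    print("one-byte change fails:", integrity_check(b"quarterly-report v2", recorded))
    print("alice reads logs:", access_decision("alice", "correct horse battery staple", "read_logs"))
    print("alice manages accounts:", access_decision("alice", "correct horse battery staple", "manage_accounts"))
    print("unknown user:", access_decision("mallory", "anything", "read_logs"))
```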


Encryption: In order to prevent unauthorized disclosure of data, security professionals apply strong encryption to the contents of files and messages. Unlike hashes, encrypted data is meant to be decoded back into its original form by an authorized party.

Most encryption methods use an algorithm to perform some mathematical encoding of the data and a set of keys that can be used to encrypt and decrypt data based on user authorization. Encryption is said to be either symmetric or asymmetric based on whether the same key or a pair of different keys is used at each end of the exchange. Public-key encryption is an example of asymmetric cryptography.

The two types of cryptography can be combined, as in digitally signed documents, which use both a hash of the message and a public-key infrastructure to guarantee both the integrity and the confidentiality of a document or message.

Operational Security

Operational controls bring together the policies and protocols established by the security provider. These controls are designed not only to reduce the organization’s attack surface and mitigate risk, but also to guide the actions of response and recovery assets in the event of a cybersecurity incident.

Some examples of operational security elements include:

Security policies: These comprehensive documents, created after careful assessment of the risk profile and mitigation requirements of an organization, lay out the security plan in high-level terms and establish goals for risk management. Typical security policies include personnel issues like privacy and acceptable use, account management issues such as the handling of admin credentials and account sharing, and data policies covering classification and distribution.

Incident-response plans: These protocols cover the actions taken in response to an attack or incident. Once the incident-response team is identified and responsibilities assigned, the incident-response steps can be defined to cover preparation, identification, isolation, damage control, notifications and escalation, reporting, recovery, and documentation of lessons learned.

The human element: A major part of operational security involves awareness training for users who are often a weak link in even the most rigorously defended organization. Security awareness programs aim to mitigate the risk of threats such as phishing attacks and business email compromise by training users to recognize and avoid them. The most effective security programs are ones that serve up role-based training targeted at various user types and follow that instruction with regular testing to validate compliance.

Network Security

Network security controls deliver protections for all three elements of the CIA security triad. Using technical, operational and management controls, the safeguards on this list are specifically designed to target network threats and stop them from spreading. As discussed, network security involves multiple layers of defenses designed to provide fail-safe protection from compromise of proprietary information and critical systems.


Some key network security controls include:

Network segmentation: Separating the network into discrete trust zones makes enforcing security policies easier and mitigates the damage that can be done if an attacker breaches one area of the environment. Access to various parts of a segmented network can be provided based on criteria such as host identity, role or location.

Firewalls: Network-based firewalls filter traffic between the trusted internal network and untrusted external networks such as the internet using sets of rules defined by the security team and informed by the organization’s overarching security policies. Firewalls have become increasingly advanced over the past decade, adding stateful inspection and application-specific traffic awareness. So-called next-generation firewalls (NGFWs) integrate multiple capabilities and threat awareness and are often incorporated into more complete unified threat management (UTM) solutions.

Intrusion prevention and detection systems: IDS/IPS solutions scan network traffic to identify malicious behavior and actively block attacks in progress. Most network-based IDS/IPS systems detect attacks by comparing traffic patterns to predefined signatures or by heuristically spotting anomalies that differ from known normal behavior.

Data loss prevention: Data loss prevention (DLP) controls leverage tags used in data classification schemas to control access to sensitive information and stop unauthorized users from downloading, forwarding or printing critical files without permission. To be successful, most DLP protocols depend on thorough and ongoing classification of data across the organization.

VPNs: Virtual private networks use encryption technology to secure the connection between a user endpoint device and the corporate network. Usually relying on the public internet to make the connection, VPNs leverage IPsec or SSL (Secure Sockets Layer) to create a secure tunnel through which the device and the network can communicate.

Email security: Addressing a major area of weakness in most organizations, email security controls such as antispam and antiphishing solutions are deployed to block inbound attacks and control outgoing messages in an effort to prevent system infection and data loss.

Mobile device management (MDM): With the increase of remote workers and always-on connectivity for users has come an increase in threats targeting mobile devices and the applications that run on them. The controls encapsulated in an MDM platform can authenticate users, enforce security policy based on device status and configure network connections to keep communications secure and private.

Wireless network management: Like mobile devices, wireless LANs have become both ubiquitous and increasingly attractive to attackers. Because wireless networks lack the security inherent to wired networks, securing them requires a separate set of specific controls, such as setting up segregated guest networks, using devices that adhere to the Wi-Fi Protected Access 2 or 3 (WPA2 or WPA3) standard, deploying a purpose-built wireless intrusion detection and prevention system, patching all wireless routers and access points rigorously, and using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) to secure authentication transactions and communications.


Host and Application Security

Servers, desktops, laptops, tablets and smartphones make up the environment of host devices. Diligent operational security efforts such as asset inventories, automated discovery, and configuration and change management are critical for deploying hosts in a secure state and keeping them that way throughout the IT lifecycle. Because host devices are often under the control of users with varying degrees of technical acumen and security sensibilities, endpoints and hosts are frequent targets of attack by intruders, criminals, rogue insiders, viruses, worms, Trojans, ransomware and spyware. In the case of the Internet of Things (IoT), most hosts are unattended and rarely seen, patched or updated, making the maintenance of a solid security posture even more challenging.

Implementing host security goes beyond the access controls already discussed, requiring some foundational security approaches, including:

System and application hardening: In order to secure hosts beyond their default state and reduce their attack surface, best practices call for hardening procedures such as disabling or removing unnecessary services, eliminating unnecessary applications, disabling unused accounts and locking down remote-access management interfaces.

Application whitelisting or blacklisting: Software restriction policies can be used to control what applications may or may not be installed or used in the environment, which enhances security posture and makes ongoing maintenance of the hosts easier.

Patch management: The discovery and disclosure of new software-related vulnerabilities is nearly a daily occurrence. Robust patch management, including the use of automated patching and updating, is vital for keeping systems free of bugs and weaknesses that can threaten the stability and security of an organization and its assets.

Antivirus and antispam tools: Malware and phishing attacks remain a top-tier threat to most organizations. Basic antivirus controls are critical for detecting and blocking threats to the endpoint that arrive in email, via visits to corrupted websites or on infected storage media. While antivirus solutions are traditionally signature-based and reliant on manual or scheduled system scans, today’s offerings are increasingly automated and can defend hosts in real time using heuristic-based analysis.

Host-based firewalls and IDS/IPS: Like their network counterparts, firewalls and intrusion defensive controls built specifically for host devices act as valuable layered security elements, examining traffic and activity and thwarting malicious use attempts either by enforcing established rules or through behavior-based analytics.


Bringing It All Together

In the era of digitization and digital transformation, businesses are more reliant than ever on the data they amass and the systems they use to process and store it. This reality makes information security a vital component not just to IT but to the organization at large.

No amount of effort can make an IT environment 100-percent secure, but being armed with a logical model to guide risk assessment and mitigation efforts greatly improves the chances for success. Focusing on the security triad of confidentiality, integrity and availability provides a framework for managing risk. Knowledge of the technical, management and operational controls available to address vulnerabilities provides the components of a solid security program.

Applying basic controls according to the concepts of layered security and defense in depth gives defenders the best shot at keeping systems and data from falling prey to threats both natural and manmade.

Information security is a rich and nuanced discipline, far more complex than the basics covered here. For the information security professional looking for a solid foundation on which to build effective security programs for businesses of almost any size or specialty, however, these fundamentals continue to serve as the core of good security and risk management practice.

Get Additional Security Guidance

Security isn’t easy. Solution providers looking to develop or expand in security need skills, access to products, business development resources and sales support. Find all the information and guidance you need in the Ingram Micro Security Playbook. The new guide provides insights into security risk trends, sales cycles and methodologies, skills and business development support, and marketing and sales support resources.

About Ingram Micro

Ingram Micro helps businesses realize the promise of technology. It delivers a full spectrum of global technology and supply chain services to businesses around the world. Deep expertise in technology solutions, mobility, cloud and supply chain solutions enables its business partners to operate efficiently and successfully in the markets they serve. Unrivaled agility, deep market insights, and the trust and dependability that come from decades of proven relationships, set Ingram Micro apart and ahead. More at www.ingrammicro.com.