
INFORMATION SECURITY PRIMER (v1.6)

INFORMATION SECURITY PRIMER FOR SMALL BUSINESS & CONSULTANTS By Jeffrey Lubetsky, PMP

STOP. THINK. SECURE.

Jeffrey is an Information Systems and Security Practitioner, experienced in the IT and Security industries, with strengths in Incident, Change, and Project Management, non-violent crisis intervention, and training. Please send questions or comments to [email protected]

NOTE TO SECURITY PROFESSIONALS: This is not a certification primer. While the basic concepts of Infosec are constant, I have added my own experiences and perceptions to bring something new to the table for non-information-security professionals to understand.

NOTE TO EVERYONE: While “Data” and “Information” are used interchangeably throughout this paper to keep things simple, they are technically not the same thing. Data is “raw” (e.g. a list of customers) while Information is a collection of data for a particular purpose (e.g. customer list combined with monthly transactions).

The purpose of this paper is to explain Infosec concepts in simple terms, and to explain why *ALL* organisations need to practice Infosec. This will not make you an “expert”, but it will allow you to understand the basic concepts of Information Security. The primary target audiences are small business owners, consultants, and non-profit groups.

WHAT IS INFOSEC?

Information Security (Infosec) is a very simple concept… controlling the access and movement of information. While simple in theory, the application of Infosec can be quite complex. Infosec tends to be perceived as a corporate or government process, with smaller businesses unable to “do it” because of the great expense and expertise required. Before Infosec can be explained, some background information needs to be presented.

Assets – In very general terms, assets are things that have value. They are either tangible (physical) or intangible (non-physical). If you’ve taken an accounting course, great - if not, the differences in assets will be briefly covered.

Tangible Assets – are assets that occupy space and matter: Physical Assets (e.g. computers, chairs, vehicles) and People. People are often overlooked as an asset, in several ways. Physical assets are much easier to insure against loss or damage.

Intangible Assets – these assets exist on “paper” and cannot be touched or held: Information Assets (e.g. customer lists, marketing plans) and Logical Assets. Logical assets are not information, but can still be valuable (patents, copyrights, licensing agreements). The Asset Overview Diagram shows how assets can be categorised.

Why Do I Need to Know This?

As an SMB/consultant, you will deal with all of these assets on a regular basis, whether you realise it or not. You will always have a customer list, and chances are very good you will deal with information that needs to be kept secret, at least for a certain time period. Understanding asset basics is the key to understanding Infosec and identifying the types of assets you are dealing with.


© 2012 Jeffrey Lubetsky. All Rights Reserved. Page 2 of 5

THE ASSET-SECURITY RELATIONSHIP

A proper Infosec program requires the use of both physical and logical security, to protect physical and logical assets. All logical assets exist on a physical asset. Each asset type has its own unique challenges for securing.

Physical Security – consists of the locks, doors, guards, etc., that protect the Physical Assets. Physical Security protects only the physical asset; further logical security controls are required to protect the informational assets (e.g. encryption for a database).

Logical Security – the “sexy” pieces of the Infosec program, and the ones that usually make their way into the media and the movies. Examples of logical security are passwords, encryption, firewalls, and antivirus.

Infosec relies upon the Physical Security portion of the program to first secure the physical assets. Without strong physical security, an Infosec program will fail. How safe is your business data if a thief can walk out of the building with the hard drive from your company web server? Ensure you have adequate physical security for the assets given their location. The Asset-Security Relationship diagram shows the interdependency of the assets and security types.

Why Do I Need to Know This?

When dealing with assets of any type, you need to have an understanding of how and why to secure the physical asset first, then the logical asset. As we will see, proper disposal of the physical asset plays a key role in the Infosec program.


THE ASSET-DATA RELATIONSHIP

This is where things start to get a little abstract. The relationship here describes how data (inner circle) is transferred or exchanged through the types of physical assets (outer circle). The middle circle (Computers, Communications, Materials) holds the categories of physical asset the data can reside on. While there is crossover between categories (e.g. mobile phone/wireless), for explanation purposes the categories remain separated.

The chart below explains the Asset-Data Relationship diagram.

Computers
  Device     Description                                    Examples                                           Dangers/Vulnerabilities
  Wired      A computer hard-wired into a network           Desktop PC                                         Interception
  Wireless   A computer with a wireless network connection  Desktop/laptop with wireless card                  Interception, malicious remote control of device
  Portable   Any computer that can be easily moved          Laptop/tablet                                      Interception, malicious remote control of device

Communications
  Device     Description                                    Examples                                           Dangers/Vulnerabilities
  Voice      2+ people using communication devices          Telephone, radio, analogue mobile phone            Interception, eavesdropping
  Data       A computer device communicating                Internet chat, email, VoIP                         Interception, malicious remote control of device
  People     2+ people in a face-to-face conversation       Discussions in a board room, public place          Eavesdropping, interception

Materials
  Device     Description                                    Examples                                           Dangers/Vulnerabilities
  Paper      Information printed on paper or similar        Catalogues, marketing plans, financial documents   Theft, copying, premature destruction
  Media      Media other than paper                         Video tape, DVD, hard drive, USB stick             Theft, copying, premature destruction, data alteration
  Other      Non-media products                             Product samples, packaging                         Theft, dumpster diving, reverse engineering

Some chart clarification:

- Portable: includes small electronic devices (smartphones, tablets, etc.), whether or not they have network connectivity.
- Voice: using a mechanical or electrical device (telephone, radio, etc.).
- People: 2+ people in the same area talking face-to-face.


THE INFORMATION LIFECYCLE

Like all living things, information has a lifecycle. Sometimes we’re not aware of when it starts, or even of its existence. We should try to define the Information Lifecycle, and enforce its use. The Information Lifecycle should be based upon the appropriate legislation. With regard to privacy, the legislation is very specific about what information can be collected, disseminated, and retained. Violating legislation can have severe negative consequences – especially if it’s medical data, or is privacy related.

Small businesses and consultants are still bound by the one area that is very easy to overlook: legislation. Every level of government has its own privacy legislation (or uses the provincial or federal version). Providing only the information required to perform a specific role will help keep you out of trouble. Often overlooked items are membership lists – is there a business requirement for a coach to have the address of the player, or are emergency contact phone numbers enough?

Personally Identifiable Information – is a specific combination of data that will allow someone to be specifically identified.

Creation – this occurs when the information is created (e.g. a membership list).

Usage/Dissemination – how the information is going to be used, who will be receiving it, and why they are receiving it. Privacy policies fall under this topic.

Retention & Destruction – this is where the information is to be kept, for how long and who can access it, as well as how it will be destroyed when no longer required.

Another consideration is information review. Privacy legislation tends to have provisions requiring an organisation to allow the client to review their information and have incorrect information changed or deleted. Be prepared to have a policy and process in place, and to be able to demonstrate that these processes exist.

THE DATA SECURITY QUAD

The Infosec community refers to “Confidentiality, Availability, and Integrity” as the security triad. The Security Triad requires a fourth dimension to deal with the ease with which information can now be shared – sharing that wasn’t an issue when the Security Triad was conceived. The topics in a nutshell:

Confidentiality – ensuring that only the people who are supposed to have access to the information do.

Availability – makes sure that the information can be accessed when required.

Integrity – ensures that the data is correct as entered, that calculations are correct, and that data is entered and saved accurately.

Publication – this fourth topic deals with how data is to be presented to the end user (email, HTML, PDF). Information is usually created for a presentation of some type (report, customer bill, etc.). Publication considers the integration of confidentiality, availability, and integrity into the final product – not as a security requirement added as an afterthought.
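As an added example that is not part of the primer, the following Python sketch applies the three lifecycle stages to the membership-list case discussed above: a constructed member list, role-based views so that a coach receives only the emergency contact number and not the player's address, a retention check against an assumed one-season period, destruction of expired records, and a review/correction step. All field names, roles, dates and the retention period are assumptions made for this example.

```python
from datetime import date, timedelta

# Constructed sample membership list for a club (not from the primer).
# Field names, the two roles, the retention period and the audit date are assumptions.
MEMBERS = [
    {"id": 1, "name": "A. Example", "address": "1 Sample St",
     "emergency_phone": "555-0100", "created": date(2011, 9, 1)},
    {"id": 2, "name": "B. Example", "address": "2 Sample St",
     "emergency_phone": "555-0101", "created": date(2012, 9, 1)},
]

# Usage/Dissemination: each role gets only the fields its job needs (coach: contact number, not home address).
ROLE_FIELDS = {
    "coach": {"id", "name", "emergency_phone"},
    "registrar": {"id", "name", "address", "emergency_phone", "created"},
}

RETENTION = timedelta(days=365)   # Retention: keep a record one season after creation (assumed)
TODAY = date(2013, 1, 1)          # assumed audit date used by the demo below

def view_for_role(role, members):
    """Return copies of the records limited to the role's allowed fields."""
    allowed = ROLE_FIELDS[role]   # an unknown role raises KeyError on purpose
    return [{k: v for k, v in m.items() if k in allowed} for m in members]

def expired_ids(members, today=TODAY):
    """Retention: ids of records held longer than RETENTION as of `today`."""
    return [m["id"] for m in members if today - m["created"] > RETENTION]

def destroy(members, ids):
    """Destruction: drop the listed records, leaving the input list unchanged."""
    gone = set(ids)
    return [m for m in members if m["id"] not in gone]

def correct(members, member_id, field, value):
    """Review: apply a member's correction to one existing field of their record.
    Unknown fields and the id are rejected, so a request cannot add or re-key data."""
    out = []
    for m in members:
        if m["id"] == member_id:
            if field == "id" or field not in m:
                raise ValueError(f"cannot change {field!r}")
            m = {**m, field: value}
        out.append(m)
    return out

if __name__ == "__main__":
    stale = expired_ids(MEMBERS)
    print("coach view:", view_for_role("coach", MEMBERS), "past retention:", stale)
```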


RESIDUAL DATA

While you may think you are directly communicating with someone, there will always be Residual Data generated, whether it’s on a computer (cache, file, hard drive) or with another person (listening and/or recording). Residual Data cannot be eliminated, but it can be controlled. If you have sensitive information, ensure the residual data will be protected (encrypted or not recorded).

The chart below provides examples of the residual data problem, and is by no means all-encompassing:

Computers
  Device     Residual Data Examples
  Wired      Hard drive; cache; memory devices; network surveillance
  Wireless   Hard drive; cache; memory devices; electronic surveillance
  Portable   Hard drive; cache; memory devices; electronic surveillance; data transfers to unknown servers

Communications
  Device     Residual Data Examples
  Voice      Electronic surveillance; eavesdropping
  Data       Electronic surveillance; ISP/carrier
  People     Eavesdropping; unauthorised recordings

Materials
  Device     Residual Data Examples
  Paper      Too many copies; improper disposal; impressions (pressure from writing)
  Media      Quick duplication; improper disposal
  Other      Improper destruction of samples

SUMMARY

Asset Overview explains how to identify the types of assets, and why they are important, so you know what needs to be protected. The Asset-Security Relationship demonstrates the need to protect the tangible and intangible assets, and how they are interdependent upon each other. The Asset-Data Relationship (Computers, Communications, Materials) emphasises how easy it is to have logical information on a physical asset that can have multiple vulnerabilities. The Information Lifecycle (Creation, Usage/Dissemination, Retention/Destruction) shows the necessity of watching your information, and how privacy issues can creep up on you if the information is not managed. The Data Security Quad discusses the four main security concepts (Confidentiality, Availability, Integrity, Publication) that need to be considered when dealing with Infosec. Residual Data, between a sender and receiver, demonstrates how information can be easily and unknowingly “distributed”. This shows the importance of being aware of what physical asset(s) you are using, where you are using them, and safeguarding the logical assets involved.

© 2012 Jeffrey Lubetsky, All rights reserved. The diagrams may be reproduced for personal use only. Please contact Jeffrey if you want to use them in any business related or training material.