Security Policy for Information Security

In this post I am going to reference a well-known security policy that was developed to identify problem areas and the recommended solutions when dealing with information security. This policy is known as the CIA triad, which stands for Confidentiality, Integrity, and Availability. The triad was developed so that people think about these important aspects of security when implementing security controls. There should be a balance between these three aspects to ensure the proper use and control of your security solutions.

Confidentiality is, as the word implies, having something be confidential or secure. In essence, privacy is security and confidentiality means that third party individuals cannot read information if they do not have access to it. Data to think about keeping confidential is data stored on a computer (temporary data, data saved, etc.), data stored for backup, data in transit, and data intended for another person. Confidentiality will be the main focus point of this article as it is most often referred to as the most important aspect of security.

Integrity refers specifically to data integrity. Integrity is the act of ensuring that data was not modified or deleted by parties that are not authorized to do so. It also ensures that if the data was changed, the authorized person can know about it. Simply put, if you send a message to someone, you want to make sure that the person does not receive a message that was altered in transit. Integrity also confirms that you are in fact speaking to who you think you are speaking to (for example, when you download an add-on from a website, you want to make sure that you are downloading from that website and not from an unscrupulous third party).
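The two integrity properties described above (detecting alteration in transit, and knowing who the data came from) are shown in the added example below, which is not part of the original post. It uses an HMAC with a shared key from Python's standard library rather than GPG; the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def sha256_hex(message: bytes) -> str:
    """Unkeyed checksum: anyone can compute it for any message."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> str:
    """Keyed tag: only holders of the shared key can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def checksum_ok(message: bytes, checksum: str) -> bool:
    return hmac.compare_digest(sha256_hex(message), checksum)


def tag_ok(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so timing does not leak the tag.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)                      # known to sender and receiver only
    original = b"Meet in the usual channel at 18:00"   # constructed sample message
    altered = b"Meet in the other channel at 18:00"    # what arrives after tampering

    # A checksum sent next to the message can be replaced together with it.
    replaced_checksum = sha256_hex(altered)
    # A keyed tag cannot: without the key, the old tag or a wrong-key tag is all that is left.
    genuine_tag = hmac_tag(key, original)
    wrong_key_tag = hmac_tag(secrets.token_bytes(32), altered)

    return {
        "untouched_message_with_tag": tag_ok(key, original, genuine_tag),
        "altered_with_replaced_checksum": checksum_ok(altered, replaced_checksum),
        "altered_with_old_tag": tag_ok(key, altered, genuine_tag),
        "altered_with_wrong_key_tag": tag_ok(key, altered, wrong_key_tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A bare checksum only catches accidental corruption, because whoever changes the message can change the checksum too; the receiver should rely on a keyed tag or a signature whose key arrived over a separate, trusted path.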

Finally, the A stands for Availability and ensures that when you need the data it is available to you. Not only does data have to be available to you, but it has to be reasonably accessible. There's no point in security controls if you cannot access the data! This component is a concern, but for the average end user, there is not much that can be done to ensure availability when dealing with webpages, or IRC servers or anything else managed by a third party host. For this reason we will not be discussing Availability except for backing up your data in this guide.

Recommendations

Windows was not built with security in mind and therefore should not be used. Tails is recommended, as it is a live DVD or USB system that was created to preserve your anonymity and privacy. It allows you to browse the internet anonymously and safely, as all applications are preconfigured to run through Tor. Other uses include encrypting your files, sending and receiving emails and instant messages, photo editing, document editing and more. Tails also operates completely in RAM, so it does not leave a trace on your computer. RAM is Random Access Memory and is wiped when the machine shuts down. Everything that you want saved is kept in secure, encrypted persistent storage. Step-by-step instructions for installing Tails can be found here.

Another distro I would recommend is Whonix. Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP.

If you cannot use Tails or Whonix – or better yet – do not want to use them, you should make sure that Windows is secure.

Windows

  1.     TrueCrypt – I would download TrueCrypt and enable FDE (Full Disk Encryption) to make sure that all evidence is encrypted, thus allowing you to secure your data. If you do not want to enable FDE, I would create a container and have a Virtual Machine inside the container. Otherwise, EVIDENCE CAN BE EASILY GATHERED BY INVESTIGATORS.
  2.     Tor Browser Bundle – This allows you to browse the internet anonymously. Using TBB will also allow you to visit .onion sites as well as to join the .onion IRC servers with TBB’s instance of Tor.
  3.     Anti-Virus and a Firewall – This will keep your computer protected from viruses as well as remote intruders (most all-in-one anti-virus software has these features).
  4.     I have decided to move a recommendation from later on in this guide to up here. One good recommendation is to create and use a standard account with no Administrative privileges. This way, if a virus is executed, it only has the privileges of the account that you are in. Also, I would make sure your username does not contain your full name as many applications such as Pidgin can share this information. Furthermore, make sure that you create a Windows password that is difficult to guess/attack, as your computer can be explored using that password, over the network.
  5.     (Optional) TorChat – TC is a chat application that runs over Tor to provide an anonymous way to chat.
  6.     (Optional) IRC Client – An IRC client allows you to enter Tor chat rooms to talk to many individuals at one time. You will need one with proxy settings so you can run the client through Tor. Make sure to NOT use DCC, as it can expose your IP address. There are several IRC servers that run over Tor (.onion addresses) that you can use. They are all logically connected, so connecting to one will connect you to all.
  7.     (Optional) GPG – for sharing messages and files back and forth over a common medium, GPG ensures confidentiality and integrity.

Sample Security Checklist
  •     Check authentication
  •     Checking authorization and access control
  •     Auditing your system
  •     Verifying firewalls, proxy settings, and other security
  •     Verifying encryption for both public and private key encryption
  •     Check communication encryption, including: email, chat, web browsing, and Operating System data
  •     Update system software, including Anti-Virus software and scanners
  •     Backup and storing sensitive data securely
  •     Harden your system by removing unnecessary software and services

Things to be mindful of
  •     Don’t assume that something is secured by another layer or process. Verify that the data is secured and that the data being transmitted over the network or the internet is protected from attackers. Different levels of sensitivity mean different levels of security.
  •     Know the limitations of each security product. Each product addresses a specific set of issues within a specific context. Make sure to know the differences between the employed solutions and how they protect you. For example, using a VPN does not stop anyone from stealing your laptop and gathering all your data. Use several layers of security for maximum security.
  •     Do not rely on authentication at the session initiation alone. Use several levels of authentication to ensure that the person you are communicating with is whom they say they are and vice versa.
  •     Assume everything you use is insecure and treat everything like a security threat. Build your security model based on what you do; security is dynamic, not static.
  •     Plan for handling failures, errors, intrusions, and downtime. Focus on what to do when things go bad. Plan and practice that plan. Good security means nothing if what you do does not work.
