Information Security FAQ (Frequently Asked Questions)


What's the difference between computer/network security and information security?
What's the difference between authentication and authorisation?
What are the threats to my information security?
What are all these things? (Virus, Worm, DoS attack, DDoS attack, Hoaxes, Fraud, Penetration attacks)
Why don't you call attackers 'hackers'?
Is it better to do my own security, or to bring in a third party?
What’s the best way to be secure?
How do I know what needs to be secure?
I talked to a security expert and he told me how dangerous the Internet is. Is it really that bad?
I already have a firewall, isn't that enough?
Someone recommended that I have a security policy. What good does that do?
I don't see my question here, who do I ask?


Q - What's the difference between computer/network security and information security?

A - There is an overlap between information security and computer/network security and the distinction is sometimes confusing. In general, computer and network security deal with protecting information residing on computers or transiting networks. Technical solutions, such as firewalls, anti-virus software, etc. are used to provide computer and network security.

Information security has a broader viewpoint and looks at protecting information throughout the information lifecycle. While it does include the same aspects as computer/network security, it also looks at topics such as authentication of information, authorisation of access, disposal of information, recovery of information, disaster recovery and more. Information security may also deal with protecting data in other forms such as paper documents or the spoken word.

Q - What's the difference between authentication and authorisation?

A - These two words are often confused when dealing with information security. Authentication is the act of verifying or proving credentials or identity. Authorisation is the act of giving permission or granting access. Authentication and authorisation work hand-in-hand in information security. For instance, when you log on to a computer or website, you prove your identity by providing a username and password. This is authentication. You are then granted access (authorised) to utilise certain resources (information or applications) based on your (authenticated) identity.
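The log-on sequence described above, as an added example that is not part of the original FAQ: a small Python program that keeps the two steps separate. authenticate() only proves identity (salted password hash compared in constant time); authorize() only decides what an already-proven identity may do (a role-to-action table). The user names, passwords and roles are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed user store: the password itself is never kept, only a salted hash.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(users: dict, username: str, password: str, roles: list) -> None:
    salt = os.urandom(16)
    users[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "roles": set(roles),
    }


def authenticate(users: dict, username: str, password: str) -> Optional[str]:
    """Authentication: prove identity. Returns the verified username, or None."""
    record = users.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so timing does not
        # reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison so the hash cannot be guessed byte by byte.
    if hmac.compare_digest(candidate, record["hash"]):
        return username
    return None


# Constructed permission table: which actions each role may perform.
PERMISSIONS = {
    "viewer": {"view"},
    "editor": {"view", "modify"},
    "admin": {"view", "modify", "dispose"},
}


def authorize(users: dict, username: str, action: str) -> bool:
    """Authorisation: decide what an already-authenticated identity may do.
    Unknown users and unknown roles are denied (deny by default)."""
    record = users.get(username)
    if record is None:
        return False
    return any(action in PERMISSIONS.get(role, set()) for role in record["roles"])


def access(users: dict, username: str, password: str, action: str) -> str:
    """Authenticate first, then authorise; each step fails independently."""
    identity = authenticate(users, username, password)
    if identity is None:
        return "authentication failed"
    if not authorize(users, identity, action):
        return "authorisation denied"
    return "allowed"


def build_demo_users() -> dict:
    """Constructed sample accounts for running the example."""
    users: dict = {}
    create_user(users, "alice", "correct horse", ["editor"])
    create_user(users, "bob", "battery staple", ["viewer"])
    return users


if __name__ == "__main__":
    demo = build_demo_users()
    print(access(demo, "alice", "correct horse", "modify"))   # allowed
    print(access(demo, "alice", "wrong password", "modify"))  # authentication failed
    print(access(demo, "bob", "battery staple", "modify"))    # authorisation denied
```

The point of splitting the two functions is that a correct password never by itself grants access: bob proves who he is and is still refused "modify" because his role does not carry that permission.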

Q - What are the threats to my information security?

A - That's not an easy question; it depends on your information and your infrastructure. In general, the things that threaten a typical organisation or individual include: viruses, worms, penetration attacks, Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, fraud, hoaxes.

Q - What are all these things?

A - Quickly, they are...

Virus- A computer virus is a type of computer software that is designed to hide in a computer and replicate itself from one computer to another by attaching itself to existing programs or parts of the operating system.  Viruses can contain ‘payloads’ which perform certain actions on your computer.  Payloads can be malicious, humorous or simply a nuisance.  Many of the most common viruses today use email to move from computer to computer.

Worm- Worms are very similar to viruses. The primary difference is that they do not attach themselves to existing programs. Rather they exist as a separate program on your computer.

DoS attack- A Denial of Service attack is an attempt to render a computer or network unusable by sending information that causes the computer/network resources to be consumed.

DDoS attack- The Distributed Denial of Service attack has the same goal as the DoS attack. The difference is that the attack comes from a large number of different computers. These computers (generally) belong to innocent individuals and are under the malicious control of the attacker.

Hoaxes- One of the more interesting types of attack today is the hoax. Hoaxes are email messages that are passed along from one person to another. The messages generally claim to be a warning about a virus or worm and include 'proof' that a user's computer has been infected. Often, the message tells a user to remove particular operating system files to remove the virus; sometimes these are files critical to the operation of your computer. Hoaxes are unique because they rely on the good intentions of people to spread.

Fraud- This type of attack can take many forms. A person calls you up, claiming to work for computer support and asks for your username and password to 'fix a problem.' A person calls the helpdesk claiming to be an employee and says, "I've been on holiday and have forgotten my username and password." You receive an email claiming to be from an online retailer asking you to give your credit card details to complete a transaction.

These are just a few examples of fraud. Often fraudulent attacks offer some promise of personal gain to help lure a victim.

Penetration Attacks- This is an active attempt by an individual to bypass security safeguards on computers and networks. Penetration attacks may have a variety of motivations; personal gain, industrial espionage, revenge or as a personal challenge.

Q - Why don't you call attackers 'hackers'?

A - The word 'hacker' has very different meanings for different people. The greater public refers to anyone who performs malicious actions on a computer as a hacker. On the other hand, in the computer and information security communities, a hacker is someone with excellent technical skills. Hackers with good intent are often referred to as 'White Hats' and hackers with bad intent are referred to as 'Black Hats.' Many of the computer attacks today come from relatively unskilled individuals, who use tools and techniques developed by others. These people are known as 'Script Kiddies.'

Q - Is it better to do my own security, or to bring in a third party expert?

A - The answer depends on your situation. Generally, if the situation allows it, you are better off having an in-house security expert. This will allow you to address information security from a strategic viewpoint rather than with just point solutions, such as firewalls. An in-house expert may be supplemented from time to time by consultants to perform audits or penetration tests. If your organisation cannot budget for a full-time security person, you can train technical staff, such as system administrators, in information security. This approach has the risk of leaving security work secondary to other day-to-day tasks. If you do elect to use a third party consultant, try to find one that will provide you with business-oriented solutions, rather than ones that are technology-oriented.

Q - What's the best way to be secure?

A - Focus on understanding and managing your risk. Too often, security solutions are about technology rather than risk. Understand what is at risk. Know the costs associated with those risks. Learn ways to mitigate your risk. Make business decisions, rather than technical selections, on the best way to manage your risk.

Q - How do I know what needs to be secure?

A - Look at value. If something has value to you or your customers, then it's likely to have value to a potential attacker.

Q - I talked to a security expert and he told me how dangerous the Internet is. Is it really that bad?

A - Sure, there are dangers out there. But maybe you should think of it in a different way. Right now, your body is surrounded by bacteria. They're on your skin, your clothes, and your keyboard, even in the air you breathe. Is that a problem? For the vast majority of us, the answer is no. You may get the occasional cold or flu, but generally we stay healthy. Our natural defences, the immune system, protect us. Our computers and networks don't have a natural immune system, but by taking customary precautions, we can provide reasonable defence from the dangers.

Q - I already have a firewall, isn't that enough?

A - It may be. It depends on what services you use or provide over the Internet. Most attacks these days assume the use of a firewall and depend on software bugs or misuse of the services you provide. In general, the more services that you use or provide, the greater your risk. If you only take advantage of simple services on the Internet like email and web browsing, then a firewall and good anti-virus software may be enough. However if you use or provide more services over the Internet, further steps are probably called for.

Q - Someone recommended that I have a security policy. What good does that do?

A - By itself, a security policy does nothing. But it can be a very useful tool for establishing the rules for how information is handled within your organisation. You can use it to define the information lifecycle: who can create, modify, view or dispose of a document, what uses each kind of information may be put to, what information is to be kept confidential and what steps must be taken to protect information. Ideally, an information security policy is the basis for all information-related decisions an organisation will make, including the technical ones specific to safeguarding electronic data.

Q - I don't see my question here, who do I ask?

A - If you have additional questions you'd like answered, click here.