An Information Security System is usually described using a technical vocabulary. It is worth noting that any error in the system can imply a significant loss of resources.
Sometimes it is not clear where to start studying this type of system. Although in most cases it is better to hire a specialist, there are principles that everyone should know. These principles make it easier to assess the viability and quality of the ISS.
In this post, I’ll show you the similarities of a computer security system with a physical protection system to facilitate its understanding.
Some technical details will be omitted, and I will focus only on showing you how it works.
Components of a generic Information Security System and a Physical Security System
In the table below, you can see the components of both types of security systems. Remember some technical concepts are omitted for the sake of understanding the big picture.
| Information Security System | Physical Security System |
| --- | --- |
| Internet | City |
| Intrusion Detection System | Security guard, security camera |
| Demilitarized zone (DMZ) | Lobby |
| Firewall | Security guard |
| Local Area Network (LAN) | Employee zone |
| Firewall, backup, internal servers | Company resources |
Firewall role in an Information Security System
(The security guard at the entrance door)
When you arrive at a place where the physical security system is, the doorman greets you. There may be a card access control, or in our house, it may be the door lock.
For you to go inside the building, the electronic system or lock must “evaluate” whether you are authorized to enter. This can be done in different ways in a physical security system. There can be a list of authorized personnel: the doorman asks for identification and verifies that you meet the requirements before letting you in. With the lock in your house, you must have the right key; otherwise, you won’t be able to get inside.
In an Information Security System, the firewall fulfils this function.
Like the doorman, a firewall has rules to analyze who is authorized to enter. Those rules are typically configured in two ways:
- allow everything except certain network connections (or people in the case of the doorman).
- allow nothing except the connections on an authorized list. This method is the most secure and is the one applied in most private networks’ firewalls.
The most important thing to configure in a firewall is the rules. They define which data, guests, users or network connections can reach the organization’s network.
A firewall must be placed between the internet (in the office analogy, the outside from which a visitor arrives) and the network of the organization/company (the office).
The rules that define which connections are allowed into the network can be compared to the instructions given to a security guard. The rules must be clear and concise so that there are no errors.
pfSense is an open-source firewall you can use in your network. If your network speed requirements are very high, you should consider a hardware firewall. Hardware solutions are usually more expensive.
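To make the difference between the two rule styles concrete, here is an added example (not pfSense code and not from the original post) that evaluates the same connection attempts under a deny-list policy and under an allow-list policy. The networks, ports and connections are constructed for illustration; the point is the last connection, an unlisted service that the deny-list lets through and the allow-list stops.

```python
"""Added example: first-match rule evaluation under the two firewall policy
styles (deny-list with default allow, allow-list with default deny).
Networks, ports and sample connections are constructed, not real."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port, or None for any port


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dport: int


def matches(rule, conn):
    """A rule matches when the source address is inside the rule's network
    and the destination port matches (or the rule covers any port)."""
    in_net = ipaddress.ip_address(conn.src_ip) in ipaddress.ip_network(rule.src)
    return in_net and (rule.dport is None or rule.dport == conn.dport)


def evaluate(rules, default_action, conn):
    """First matching rule wins; if none matches, the default policy applies."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return default_action


# Policy 1: allow everything except certain connections (deny-list).
DENY_LIST_RULES = [
    Rule("deny", "203.0.113.0/24", None),   # a network we decided to refuse
    Rule("deny", "0.0.0.0/0", 23),          # telnet from anywhere
]

# Policy 2: allow nothing except the listed connections (allow-list).
ALLOW_LIST_RULES = [
    Rule("allow", "0.0.0.0/0", 443),        # the public HTTPS service
    Rule("allow", "198.51.100.0/24", 22),   # SSH only from the admin network
]

# Constructed connection attempts arriving at the firewall.
SAMPLE = [
    Connection("198.51.100.7", 22),    # admin reaching SSH
    Connection("192.0.2.9", 443),      # visitor reaching HTTPS
    Connection("203.0.113.5", 443),    # refused network reaching HTTPS
    Connection("192.0.2.9", 3389),     # a service nobody meant to publish
]


def compare_policies(conns=SAMPLE):
    """Decisions for each connection under both policies, in input order."""
    return {
        "deny_list": [evaluate(DENY_LIST_RULES, "allow", c) for c in conns],
        "allow_list": [evaluate(ALLOW_LIST_RULES, "deny", c) for c in conns],
    }


if __name__ == "__main__":
    for policy, decisions in compare_policies().items():
        print(policy, decisions)
```

Under the deny-list the fourth connection is allowed simply because nobody wrote a rule for it; under the allow-list it is denied for the same reason. That asymmetry is why the second style is the safer default for a private network.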
Demilitarized Zone (DMZ)
(the lobby)
When the doorman (or the security guard) lets you in, you go to the lobby of the organization. In the lobby, there must be a person willing to assist you and provide the service you request or indicate which area you should go to.
In a house, you would have access to the sitting room. That is where visitors are received.
The equivalent of the lobby in an Information Security System is the demilitarized zone (DMZ).
The DMZ is where the servers that interact with other networks are placed. For example, the e-mail server and the internet connection server for browsing, among others.
Any service that you provide through the internet must be placed in that area so that connections are not made to your internal network.
Although in principle the DMZ belongs to your network, it is placed in a different area from the users’ computers. Another firewall is placed between those two areas to add a security layer. It is like placing a security guard between the lobby and the employees’ offices, which in an organization is the restricted area.
Internal network
(restricted area)
So far we have:
- A security guard at the entrance of the organization
- A lobby to serve visitors
- Another guard who verifies that only workers can access the office area
It is common that from the internet you shouldn’t be able to access the internal network of an organization. In the same way that an “unknown person” in the street should not be able to access the internal office area or your house.
If the organization provides services to visitors, this office should be in a specific area for those services.
On the network, it must be placed in the DMZ or a network space for this purpose. This type of office should never be next to the offices dedicated to the internal functioning of the organization. Yes, you are right, this is for security purposes, as you might see in several buildings that you usually visit.
Workers enter their offices through the service entrance. In the Information Security System, the service entrance is equivalent to sitting in front of the computer and working in the internal network, without entering from the internet (lobby).
Another way to do it is through the internet using a secure and authorized connection in the firewall (we will talk about a secure connection later). The secure connection is equivalent to having an ID that allows security guards to identify you as a worker and allow you to go from the lobby to the office area.
VLAN role in an Information Security System
(offices)
If an organization is small, all the workers can be in the same office. If the company is large, it is usually divided into departments and organized in different offices.
Being in different offices is safer because workers can only see and hear what is being spoken in their area. They do not have information from another area unless they walk, call, receive it by mail, etc. and ask for it. Sometimes all employees have access to certain information that is considered common for all areas. In this case, the information is published in a place where all the employees have access.
The equivalent of creating several offices in an organization is to segment the network for the different work areas and limit the visibility between them.
One technology that makes this easy to implement is Virtual Local Area Networks (VLANs). The other option is to wire each network separately, but this is more expensive.
VLANs make it easy to segment a network into multiple subnets. Then, one can treat them as separate networks with different configurations. In addition, you can define which ones are connected to each other and which ones are not connected, depending on the level of security or isolation that is needed for that subnet.
For example, we can create a VLAN for each organizational unit or department. Everyone should have access to the organization services but should not be able to see the computers connected to another area. To share information between two areas, employees can send the info by mail or can copy it to a file server.
A good option is to create an internal cloud in the company. We can use free technologies such as ownCloud or Nextcloud to create the cloud.
To create the VLANs, you must use a network switch (hardware) that can support VLANs or do it using software. Before deciding on buying a network switch, you need to be clear on how many VLANs are needed and what they are going to be used for. The cost of the equipment must be cheaper than wiring those same networks independently.
Server protection
(the security guard in the safe)
Information is the most important asset that is stored and transmitted in a computer network. It is like money for a bank or food for a farm.
The bank uses a safe deposit box to keep the money safe. The farmer uses a warehouse, refrigeration chambers or a cold room, etc. to keep the products safe. Then both of them put in place security measures to prevent theft and losses from other types of incidents (flooding, storms, etc.).
In a computer network, the information is stored in servers or users’ computers. A user computer contains the user information. Servers store the information of many users, the company, financial data, etc. It is very important to prevent this information from being stolen, modified without authorization or destroyed.
When someone refers to a computer attack, the first thing that usually comes to mind is a hacker who got access to the servers from the internet and caused damage to the company. This type of attack is always a risk. However, statistically, this type of attack is more likely to be executed by an internal user.
The internal user has access to the internal network, has authentication passwords, access to various services according to their position and the trust of the other users. This means that if the internal user has any reason to try an attack on the network, the chances of success are multiplied.
For this reason, it is necessary to protect servers from both external and internal attacks. A good practice is to have a firewall between internal servers and users and allocate a network area only for servers.
Users must access those servers. Therefore, the firewall should give access only to the specific services that a certain user should have access to. For example: to an internal website, finance system, logistics applications, etc. depending on the specific user access level.
Each user must strictly have access to the services that he/she needs to carry out his/her work. No user should have direct access to the servers. These servers are accessible to the applications that display the information to the user. This is one of the most difficult firewalls to configure due to the number of rules that must be implemented.
An equivalent in real life is as follows: a company has a security guard in each warehouse. Each security guard has a (probably different) list of the people who can enter that specific warehouse. The security guard must keep a record of who enters and the time they went in, as well as any important information about the access. A well-configured firewall, apart from the access rules, has a log where it stores all the information relevant to each access to the network.
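The VLAN segmentation described earlier and the per-service server firewall with its access log described here fit together in one small model. The following is an added example, not code from the post or from any product: hosts are assigned to a VLAN by subnet, the server VLAN publishes a few services, a policy says which VLAN may reach which service, and every decision is written to a log. All subnets, VLAN names, services and connection attempts are constructed.

```python
"""Added example: VLAN assignment by subnet, a service-level access policy
for the server zone, and the access log a firewall should keep.
VLANs, subnets, services and the connection attempts are constructed."""
import ipaddress
from datetime import datetime, timezone

# Hypothetical VLAN plan: one subnet per department plus a server VLAN.
VLANS = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "hr": ipaddress.ip_network("10.20.0.0/24"),
    "it": ipaddress.ip_network("10.30.0.0/24"),
    "servers": ipaddress.ip_network("10.100.0.0/24"),
}

# Services published from the server VLAN: name -> (host, port).
SERVICES = {
    "intranet": ("10.100.0.10", 443),
    "finance-app": ("10.100.0.20", 8443),
    "file-share": ("10.100.0.30", 445),
    "ssh-admin": ("10.100.0.20", 22),
}

# Which VLANs may reach which service.  Anything not listed is denied, so
# users reach a server only through the application meant for them.
POLICY = {
    "intranet": {"finance", "hr", "it"},
    "file-share": {"finance", "hr", "it"},
    "finance-app": {"finance"},
    "ssh-admin": {"it"},
}


def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def service_of(dst_ip, dport):
    """Published service behind (dst_ip, dport), or None if not published."""
    for name, (host, port) in SERVICES.items():
        if host == dst_ip and port == dport:
            return name
    return None


class ServerFirewall:
    """Decides server access per VLAN and service, logging every decision.
    Traffic to anything that is not a published service (including another
    department's VLAN) has no matching service and is therefore denied."""

    def __init__(self):
        self.log = []

    def check(self, src_ip, dst_ip, dport, when=None):
        vlan = vlan_of(src_ip)
        service = service_of(dst_ip, dport)
        allowed = service is not None and vlan in POLICY.get(service, set())
        self.log.append({
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "src": src_ip,
            "vlan": vlan,
            "dst": f"{dst_ip}:{dport}",
            "service": service,
            "decision": "allow" if allowed else "deny",
        })
        return allowed

    def denied(self):
        """Log entries an administrator would review (the refused accesses)."""
        return [e for e in self.log if e["decision"] == "deny"]


if __name__ == "__main__":
    fw = ServerFirewall()
    fw.check("10.10.0.5", "10.100.0.20", 8443)   # finance -> finance app
    fw.check("10.20.0.5", "10.100.0.20", 8443)   # hr -> finance app
    fw.check("10.10.0.5", "10.20.0.9", 445)      # finance -> hr workstation
    for entry in fw.log:
        print(entry)
```

The policy is deliberately a table of (service, allowed VLANs) rather than a table of hosts: when a department gets a new workstation it inherits the right access from its subnet, and when a server is reached on a port that is not a published service the request is refused and logged regardless of who sent it.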
Intrusion Detection System
(Security cameras and sensors)
So far we have seen:
- The placement of guards (firewall).
- Need for a lobby (DMZ).
- A proposal to organize the offices (VLAN).
- Protection of our warehouses or safe deposit boxes (Servers).
Suppose someone attacks one of the guards and tries to open the warehouse door to steal what they are trying to protect. We should have measures in place to detect the violation and take action to prevent the intruder from achieving his or her goals.
In a protection system, we can achieve this by placing security cameras and specialists supervising that everything is in order. You can also place motion sensors, fire sensors, alarms etc.
In the security system of a network these types of systems also exist, they are the Intrusion Detection Systems (IDS).
We can group IDS as follows:
- Network IDS (NIDS): analyzes network traffic for attack patterns and notifies when a possible attack is detected. This is the equivalent of the security cameras and the guard who watches through the monitors.
- Host IDS (HIDS): installed on the computers themselves; it reports unauthorized access attempts, among other alerts. It is the equivalent of putting a sensor in a safe deposit box to detect when someone is trying to open it.
- Intrusion Prevention System (IPS): this type of IDS can be configured with automatic actions to take when the system detects certain behavior. It works like a sensor that activates the fire-response system or automatically closes a security door.
There are several IDS available on the internet. Suricata is one of them; it is free and open source. It is very important to keep your database of attack patterns (signatures) up to date so that you can detect them. The same applies to antivirus software.
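To show what "analyzing traffic for attack patterns" amounts to, here is an added example (not Suricata code and not from the original post) of a miniature network IDS with two kinds of rules: a content signature, which is what a signature database holds, and a threshold rule that fires when one source touches many distinct ports on a host in a short window. The hosts, the signature string and the flow records are constructed.

```python
"""Added example: a miniature NIDS applying a content signature and a
distinct-port threshold to constructed flow records.  Hosts, the signature
pattern and the records are invented for illustration."""


class SignatureRule:
    """Alerts when a byte pattern appears in the payload, optionally only on
    one destination port (the shape of an entry in a signature database)."""

    def __init__(self, name, pattern, dport=None):
        self.name, self.pattern, self.dport = name, pattern, dport

    def check(self, flow):
        ts, src, dst, dport, payload = flow
        if (self.dport is None or dport == self.dport) and self.pattern in payload:
            return {"time": ts, "rule": self.name, "src": src, "dst": dst}
        return None


class PortSweepRule:
    """Alerts once per (source, target) pair that touches at least min_ports
    distinct ports within window_s seconds: the traffic shape of a scan."""

    def __init__(self, name, min_ports, window_s):
        self.name, self.min_ports, self.window_s = name, min_ports, window_s
        self.history = {}     # (src, dst) -> [(ts, dport), ...] inside the window
        self.alerted = set()  # pairs already reported, to avoid repeated alerts

    def check(self, flow):
        ts, src, dst, dport, _ = flow
        key = (src, dst)
        recent = [(t, p) for t, p in self.history.get(key, []) if ts - t <= self.window_s]
        recent.append((ts, dport))
        self.history[key] = recent
        distinct = {p for _, p in recent}
        if key not in self.alerted and len(distinct) >= self.min_ports:
            self.alerted.add(key)
            return {"time": ts, "rule": self.name, "src": src, "dst": dst}
        return None


def run_ids(flows, rules):
    """Feed each flow to every rule in order; collect the alerts raised."""
    alerts = []
    for flow in flows:
        for rule in rules:
            alert = rule.check(flow)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, payload).
SAMPLE_FLOWS = [
    (100, "192.0.2.10", "10.100.0.10", 443, b"GET /index.html"),
    (101, "192.0.2.10", "10.100.0.10", 443, b"GET /login"),
    (102, "203.0.113.4", "10.100.0.10", 22, b""),
    (102, "203.0.113.4", "10.100.0.10", 23, b""),
    (103, "203.0.113.4", "10.100.0.10", 80, b""),
    (103, "203.0.113.4", "10.100.0.10", 443, b""),
    (104, "203.0.113.4", "10.100.0.10", 3389, b""),   # 5th distinct port
    (105, "203.0.113.4", "10.100.0.10", 8080, b""),
    (110, "192.0.2.77", "10.100.0.10", 443, b"GET / User-Agent: BADBOT/1.0"),
]


def default_rules():
    """Fresh rule instances (the sweep rule carries state between flows)."""
    return [
        SignatureRule("known bad scanner user-agent", b"BADBOT/1.0", dport=443),
        PortSweepRule("possible port scan", min_ports=5, window_s=10),
    ]


def demo(flows=SAMPLE_FLOWS):
    return run_ids(flows, default_rules())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The signature rule is only as good as its pattern list, which is the reason the text gives for keeping the signature database current; the threshold rule catches behaviour no signature describes, but needs its window and port count tuned to the network so that normal traffic does not trip it.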
Information Security Systems Monitoring
There are also more complete security solutions such as Security Information and Event Management (SIEM). Depending on which one is installed, it can offer the following functionalities:
- Comprehensive monitoring platform with dashboards and summaries of the security status in real-time.
- IDS, HIDS.
- Scan for vulnerabilities in computers.
- Relate information from attempted attacks with existing vulnerabilities.
- Schedule responses and inform the specialists through graphs and reports on the state of network security.
SIEMs combine IDS with other tools to cover all these functions. One proposal is to use OSSIM, a free SIEM that also has a paid version called AlienVault SIEM.
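The fourth function in the list above, relating attempted attacks to existing vulnerabilities, is the correlation step that distinguishes a SIEM from a plain alert feed. As an added example (not OSSIM code and not from the post), the block below joins IDS alerts against vulnerability-scan results and asset criticality to rank what an analyst should look at first, and flags sources that keep coming back. All hosts, alert names, criticality values and vulnerability ids (placeholders) are constructed.

```python
"""Added example: SIEM-style correlation of IDS alerts with vulnerability
scan results and asset criticality.  Hosts, alerts, scores and the
vulnerability ids (placeholders, not real identifiers) are constructed."""
from collections import Counter

# Constructed scan results: host -> {port: vulnerability id still unpatched}.
SCAN_RESULTS = {
    "10.100.0.10": {443: "VULN-PLACEHOLDER-A"},
    "10.100.0.20": {},
}

# Constructed asset inventory: host -> criticality 1 (low) .. 3 (high).
ASSETS = {"10.100.0.10": 2, "10.100.0.20": 3, "10.30.0.15": 1}

# Constructed alerts as a NIDS/HIDS would forward them to the SIEM.
ALERTS = [
    {"rule": "web exploit attempt", "src": "203.0.113.4", "dst": "10.100.0.10", "dport": 443},
    {"rule": "ssh brute force", "src": "203.0.113.4", "dst": "10.100.0.20", "dport": 22},
    {"rule": "port scan", "src": "198.51.100.9", "dst": "10.30.0.15", "dport": None},
]


def score_alert(alert, scan=SCAN_RESULTS, assets=ASSETS):
    """Criticality of the target, tripled when the alert hits a port that the
    last scan reported as vulnerable.  Unknown hosts count as low criticality."""
    base = assets.get(alert["dst"], 1)
    vuln = scan.get(alert["dst"], {}).get(alert["dport"])
    return base * (3 if vuln else 1), vuln


def correlate(alerts=ALERTS):
    """Alerts enriched with score and matched vulnerability, highest first."""
    ranked = []
    for alert in alerts:
        score, vuln = score_alert(alert)
        ranked.append({**alert, "score": score, "matched_vuln": vuln})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def repeat_sources(alerts=ALERTS, min_alerts=2):
    """Sources behind at least min_alerts alerts: one ticket, not several."""
    counts = Counter(a["src"] for a in alerts)
    return sorted(src for src, n in counts.items() if n >= min_alerts)


if __name__ == "__main__":
    for row in correlate():
        print(row["score"], row["rule"], row["dst"], row["matched_vuln"])
    print("repeat sources:", repeat_sources())
```

The scoring is deliberately crude; the point is the join. An alert against a port the scanner already reported as vulnerable is the one to handle first, and an alert against a patched service on the same host can wait, which is only knowable because the SIEM sees both data sources.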
Updates
(Building Materials)
When a security system is established there is a very important detail that is sometimes not taken into account. Imagine that in your company you have security guards, security cameras, sensors, a lobby, an office area with a lock on all doors and automatic fire systems. But the walls are made of cardboard, the security guards are between 80 and 95 years old, the fire systems do not work and the locks of the offices are opened with any key. Then your security system, although it would be well designed, would be useless.
The same is true if your IT security systems are out of date. The updates correct vulnerabilities that are detected, make the systems faster and more robust. Therefore, it is necessary to update them frequently.
Computer systems usually have mechanisms for periodic updates. When you present a proposal for a computer security system, one of the topics to analyze is how the updates will be managed.
VPN role in an Information Security System
(Secure access to the company)
As mentioned above, to get access to an office through the main door, an employee must have identification. So, the security guard allows him or her to enter the premises. In a computer network, a secure connection is needed so that other users connected to the Internet cannot see the information that is transmitted through the network. To ensure this, we use an encrypted connection.
The Virtual Private Network (VPN) technology establishes secure connections between several users through the use of cryptographic protocols. VPNs manage connections and make it feel like users are on the same network (the same office) when in fact they are connecting from outside the entity through the internet.
More importantly, all traffic is done over a secure connection. On the internet, there are free VPNs, Paid VPNs and software to create your VPN, like OpenVPN. It is always good advice to consult a cryptography specialist to get advice on how to implement this type of system.
Backups in a computer security system
(Spare parts)
Even though you can take all possible security measures and precautions, your security system does not guarantee 100% security, no system is infallible.
A part of a computer security system is what to do if a failure occurs. For this, it is important to consider 2 elements:
- The first is a contingency plan so that each specialist or user knows what to do (Emergency exit on a building).
- The second one is to have backup copies of the information and the software used to process the information (having original documents and copies in different places).
Each organization must have an Information Security Plan with the details described above.
Managing backups is a topic that requires an article for itself, but there are some elementary points. Backup copies should ensure that information and computer systems that are critical to the organization are restored in the shortest possible time. An active research area in Databases is replication.
Those backups work like spare parts in a car. If a tire is damaged, it is replaced with a spare tire.
Of course, in the case of computer security, it is recommended to first try to detect if you are being the subject of an attack. This is to prevent the newly replaced tire from being damaged again.
Luckily for everyone, digital information can be copied and backed up in its entirety, just like computer systems. The problem is that making a copy of everything requires double the space to be able to store the original and the copy. If you make regular copies and keep 1 or 2 historical copies, then you need 3 or 4 times the storage space. That translates into storage expenses.
For this reason, it is important to define what is important (and what is not important) to save in a backup. For example, critical servers and information can be backed up daily and daily information saved for a week.
Anything that is not critical is backed up once a month. Anything that does not affect operation much is not backed up at all, etc.
The analysis must be objective: security versus budget. Then schedule various types of copies depending on the importance of the information. The time required to restore the software or information should be clearly known, so that a restore affects the operation of the organization as little as possible.
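The retention policy sketched above (daily copies kept for a week, older data kept as monthly copies) and the storage arithmetic from a few paragraphs earlier can be written down as a small scheduler. This is an added example, not from the post: the dates, the data size and the exact rule for which monthly copy survives are constructed assumptions.

```python
"""Added example: a backup retention schedule (daily copies for a week, then
one copy per month) and the storage it implies.  Dates, sizes and the
"first backup of the month" rule are constructed assumptions."""
from datetime import date, timedelta


def backups_to_keep(backup_dates, today, daily_days=7, monthly_copies=3):
    """Return the sorted subset of backup dates to retain.
    - every backup from the last daily_days days is kept;
    - older than that, the first backup of each month is kept, most recent
      months first, up to monthly_copies of them."""
    cutoff = today - timedelta(days=daily_days)
    keep = {d for d in backup_dates if cutoff < d <= today}
    first_of_month = {}
    for d in sorted(backup_dates):
        if d <= cutoff:
            first_of_month.setdefault((d.year, d.month), d)
    monthlies = sorted(first_of_month.values(), reverse=True)[:monthly_copies]
    keep.update(monthlies)
    return sorted(keep)


def backups_to_delete(backup_dates, today, **policy):
    """Everything that the policy does not retain."""
    keep = set(backups_to_keep(backup_dates, today, **policy))
    return sorted(d for d in backup_dates if d not in keep)


def storage_needed(data_size_gb, retained_copies):
    """Original data plus one full copy per retained backup (no deduplication),
    which is the 'double, triple, quadruple the space' arithmetic in the text."""
    return data_size_gb * (1 + retained_copies)


def daily_backups(start, end):
    """Constructed history: one backup per day from start to end inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


if __name__ == "__main__":
    history = daily_backups(date(2024, 1, 1), date(2024, 3, 31))
    kept = backups_to_keep(history, date(2024, 3, 31))
    print("keep:", [d.isoformat() for d in kept])
    print("storage for 100 GB of data:", storage_needed(100, len(kept)), "GB")
```

Running the policy over a quarter of daily backups retains ten copies (seven dailies plus three monthlies) out of ninety-one, and the storage estimate then shows plainly what each extra historical copy costs, which is the security-versus-budget trade-off the text asks you to make explicitly.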
Conclusions
An Information Security System from the conceptual point of view is not very different from another security system. It is important to have a clear idea of how each of its elements should work.
In this article, we described four main elements/components. This does not mean that they are the only elements we should consider. There are also procedures, user preparation, antivirus, etc.
It is important to bear in mind that, in any case, whenever you gain in security you lose in performance. For example, it is not the same to arrive at work, enter the office and find the computer on with your session open, as to have to show your ID to the gate guard, show it again to the office-area guard, wait for it to be checked, take out the key, open the door and then type your password into the computer before you can start working.
Each security element generates a delay in the process and in the case of computer security it works in the same way. So, the analysis is how much I need to gain in security and how much I am willing to lose in performance and, above all, how much I am willing to pay for it. In your analysis, also consider the importance of the information and systems you are trying to protect.
This article is focused on understanding a computer security system and possible risks from the network. These are not the only risks. Information can also be stolen via USB or by applying social engineering techniques to steal information from users without using any specialized software. Security systems would not detect it as an attack, but they are equally dangerous for the organization.