Please reply with one paragraph of your thoughts on the research below:
During my research, I came across a sentence that resonated with me: "Information security is the assurance and reality that information systems can operate as intended in a hostile environment" (Shostack, 2012, p. 8). This lends itself to the question: what means the most to me in Information Security?
I could dive into how the early security protocols of computers, dating back to the ARPANET, were meant to secure the data at each end of the transmission. But that wouldn't really sum up what Information Security means to me. Yes, information needs to be secured while in transit, but it is only in transit at certain times, so there isn't a constant ingress or egress of information across the network.
But the information still exists. It spends most of the time in stasis on the systems that hold the information, whether it is Amazon, or my bank, or even at my doctor's office.
While thinking about this, I read about Paul Karger, and was astounded to realize he actually performed the first penetration test on the Multics military operating system in 1974. This was the most secure operating system in the world, and he was able to exploit it very easily.
He made some observations that the true weakness of security was at the Operating System (OS) level more than when the data was transmitted. Granted, this doesn't mean that network security is not risky, it is simply observing that data at the OS level is more susceptible to attacks by malicious software such as Trojan Horses.
His efforts pioneered things like implementing mandatory access controls and utilizing a secure kernel. Paul Karger's paper Thirty Years Later: Lessons from the Multics Security Evaluation is a great read on how he was able to identify weaknesses in a computer system that, even more than 30 years later, are still causing issues with computing systems. His observations, in my honest opinion, are almost prophetic, and I am baffled that his recommendations have not been more closely followed.
Dealing with the multitude of systems and networks I have seen in my time, the division of power between roles in IT was imminent. It was dangerous to have someone who had access to accounts and roles also have access to network security.
A division of power means the team handling network health and data reliability in transit must be different from the team handling roles and access control to systems and services, which in turn must be different from the team managing intrusion detection and emergency response. Segmenting the roles greatly improves the ability to mitigate risk. This also allows the best use of least privilege.
I personally was called in to counter a series of attacks on a network that originated from a computer system that had a weak password.
In that instance, the person had administrative rights to the network with the exact same password used on a system. That allowed the intruder access to systems and network administrative rights. Dividing the roles makes everything easier, even though it requires the user to have two logins to perform two different roles.
While I am on the topic of weak passwords, the latest thing I dealt with in Information Security was the implementation of passphrases as a replacement for the password. It is hard to get people to deviate from the password requirements that have been used for so many years, but the use of a passphrase is exponentially more secure than a password. I say this for two reasons:
1.) People will always be the weakest link in Information Security. They purposely use easily identifiable passwords to make their logins easier, which makes them easier to crack; and
2.) if a stricter password requirement is needed, people have a tendency to write them down and keep them in an easily discovered location, or right out in the open.
I have even seen the more difficult passwords given to others as a way to mitigate "getting locked out," which now means passwords are shared with any number of people, thereby reducing the effectiveness of the password. In fact, just recently, the National Institute of Standards and Technology (NIST) has agreed that passwords should be replaced.
This can also be referenced in NIST Update: Passphrases In, Complex Passwords Out by Thu Pham. Having dealt with this personally, I can see this being one of the biggest changes on the cybersecurity front in the foreseeable future.
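To put numbers on the password-versus-passphrase comparison above, here is an added Python example (not part of the original post) that computes the entropy of uniformly random secrets under a few constructed character policies and a Diceware-style word list, plus the expected brute-force time at an assumed rate of 10^10 guesses per second. The policies, word-list size and guess rate are assumptions chosen for illustration, and the model assumes secrets are chosen uniformly at random, which human-chosen passwords (point 1 above) are not.

```python
import math

# Constructed policy models for this example (assumptions, not from the post):
# name -> (alphabet size, length), each assuming a uniformly random secret.
CHAR_POLICIES = {
    "8 chars, lowercase only": (26, 8),
    "8 chars, mixed case + digits + symbols": (95, 8),
    "12 chars, mixed case + digits + symbols": (95, 12),
}
WORDLIST_SIZE = 7776  # Diceware-style list: 6^5 words, about 12.9 bits per word


def entropy_bits(alphabet: int, length: int) -> float:
    """Entropy of a secret of `length` symbols drawn uniformly from `alphabet` choices."""
    return length * math.log2(alphabet)


def passphrase_bits(words: int, wordlist: int = WORDLIST_SIZE) -> float:
    """A passphrase is just a 'password' whose alphabet is the word list."""
    return entropy_bits(wordlist, words)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace must be tried."""
    return 2 ** bits / 2 / guesses_per_second


def symbols_to_match(target_bits: float, alphabet: int) -> int:
    """Smallest length (in chars or words) reaching at least `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet))


def compare(guesses_per_second: float = 1e10) -> list:
    """(name, bits, expected crack seconds) for each policy and for 4-6 word passphrases."""
    rows = []
    for name, (alphabet, length) in CHAR_POLICIES.items():
        bits = entropy_bits(alphabet, length)
        rows.append((name, bits, expected_crack_seconds(bits, guesses_per_second)))
    for words in (4, 5, 6):
        bits = passphrase_bits(words)
        rows.append((f"{words}-word passphrase", bits, expected_crack_seconds(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print(f"{'policy':42} {'bits':>6} {'expected crack time':>24}")
    for name, bits, seconds in compare():
        print(f"{name:42} {bits:6.1f} {seconds / 86400:19.2f} days")
    # How many words does a passphrase need to match a 12-char complex password?
    print("words to match 12-char complex password:",
          symbols_to_match(entropy_bits(95, 12), WORDLIST_SIZE))
```

A 4-word passphrase comes out close to an 8-character complex password under this model; each added word adds about 12.9 bits, which is where a passphrase policy gains its margin without asking users to memorise random symbols.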