Classification and labeling – A double-edged sword?

I use public transport to commute between the office and home. Recently, a gentleman sitting next to me was reading a document. I glanced at it, and all I could instantly read was the document name and its label, “Confidential”.

Now, why would somebody read a confidential document during his commute to the office on public transport? Did the classification serve any purpose? Curious about this, I asked him, “Any urgent review going on?” He said, “No, why?” I said I could see the document was classified “Confidential”. His explanation was, “It is just an old document, maybe from sometime in 2006.” Well, why was the document not re-classified if it was old?


SSL – How it works

This is an attempt to simplify and explain how SSL works. I hope I have not complicated it further.

Let us consider someone who is calling me over the phone and is going to talk to me for the first time. In this case, how does the caller know that I am the person on the other end of the line, or that he/she is connecting to the right person at all? It is not possible.

Now, if you are in a large organization and the organization maintains an up-to-date directory which lists each contact person, his office location, extension number and so on, this is one place for validation, and you can be reasonably sure that you are reaching the person you intended to.

But there is still a chance that someone else might pick up the extension instead of the person you are looking for. And once you have reached the intended person, you will now need to be sure that your conversation is not overheard or intercepted by a third party.


Assessing C-I-A values.

This is a common discussion during information security risk assessment exercises at most organizations. As a general practice, the asset value is derived by weighing the confidentiality (C), integrity (I) and availability (A) values of an asset. While assets are categorized into Information, Hardware, Software, Service and People, my argument has always been that C-I-A values can be assessed for Information assets only; for all other asset types, only the availability value should be assessed.


Physical Security – At its best.

I just want to illustrate a couple of incidents involving physical security that we commonly observe.

Once, while driving through a technology park, I was stopped by a couple of security personnel. One of them asked me to open the boot of my car, while the second ran a mirror underneath the car, looking at something. Given the number of different car models that have come out in the market, I assumed that the underside of every car must be different, and out of curiosity I asked the security guard what he was looking for. You will be amazed at the answer: “I am not sure, sir, they have asked me to check and I am checking.”


Parkerian Hexad

The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).

The Parkerian Hexad attributes are the following:

  • Confidentiality
  • Possession or Control
  • Integrity
  • Authenticity
  • Availability
  • Utility

These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.

I don’t think I need to explain C-I-A here. Let’s look at the other attributes.
