The basis for my thoughts about information security lies in a 5-step process I learned years ago:
- Identification of Threat
- Identification of Vulnerabilities
- Counter-measure development
- Counter-measure implementation
- Assessment of counter-measure’s effectiveness
When you get to step 5, you loop and do it again, always staying on alert.
1. Identification of Threat: This is where you ask what is out there. You want to know what the bad guys are trying to do. For example, it is a commonly held principle that certain operating systems are more targeted than others. At this stage, you are not asking “I use this system, so am I OK?” You are simply asking: what are they (the bad guys) doing?
2. Identification of Vulnerabilities: All systems are vulnerable. Here, security holes are matched up with threats. If there is a match, then a counter-measure needs to be developed. No match, no problem.
3. Development of counter-measures: Counter-measure (CM) development can be the most challenging stage for some people. A realistic and implementable plan needs to be developed that addresses the identified threat/vulnerability combination.
4. Implementation of counter-measures: Once the CMs are mapped out, put them in place.
5. Assessment of CM effectiveness: Did the actions do what they were intended to do?
Then the process is started again.