What is Information Security? CHAPTER 1 3

place our asset in a hermetically sealed vault inside . so that mom’s chocolate chip cookie recipe will never come to harm, but that would not make much sense. In some environments, however, such security measures might not be enough. In any environment where we plan to put heightened levels of security in place, we also need to take into account the cost of replacing our assets if we do happen to lose them, and make sure we establish reasonable levels of protection for their value. The cost of the security we put in place should never outstrip the value of what it is protecting.

When Are We Secure?

Defining the exact point at which we can be considered secure presents a bit of a challenge. Are we secure if our systems are properly patched? Are we secure if we use strong passwords? Are we secure if we are disconnected from the Internet entirely? From a certain point of view, all of these questions can be answered with a “no.”

Even if our systems are properly patched, there will always be new attacks to which we are vulnerable. When strong passwords are in use, there will be other avenues that an attacker can exploit. When we are disconnected from the Internet, our systems can be physically accessed or stolen. In short, it is very difficult to define when we are truly secure. We can, however, turn the question around.

Defining when we are insecure is a much easier task, and we can quickly list a number of items that would put us in this state:

- Not patching our systems
- Using weak passwords such as “password” or “1234”
- Downloading programs from the Internet
- Opening e-mail attachments from unknown senders
- Using wireless networks without encryption

We could go on for some time creating such a list. The good thing is that once we are able to point out the areas in an environment that can cause it to be insecure, we can take steps to mitigate these issues. This problem is akin to cutting something in half over and over; there will always be some small portion left to cut again. Although we may never get to a state that we can definitively call “secure,” we can take steps in the right direction.

Alert!

The bodies of law that define standards for security vary quite a bit from one industry to another and wildly from one country to another. Organizations that operate globally are very common at present, and we need to take care that we are not violating any such laws in the course of conducting business. We can see exactly such a case when we look at the differences in data privacy laws between the United States and the European Union. When in doubt, consult legal counsel before acting.