Information Security


(Source text: Principles of Information Security (MindTap Course List), ISBN 9780357506431, as listed on Amazon.com)

Introduction to Infosec

Information security, or Infosec, is a crucial aspect of modern business operations. IT Security Manager at Northside Hospital, Martin Fisher, emphasizes the importance of aligning infosec with a company's culture and objectives. This is echoed by many practitioners in the field. The opening scenario in this chapter highlights the consequences of not properly balancing information risks and controls. In this scenario, a lack of knowledge on malware causes problems for a company and its management. As you progress through the chapters of this book, you will gain a deeper understanding of infosec and learn how to better handle situations like the one described in the scenario. However, before diving into the specifics, it's important to have a grasp on the history and evolution of infosec.

The History of Information Security

The origins of information security can be traced back to the early days of computing, specifically during World War II. As the first mainframe computers were developed and utilized to aid in code-breaking efforts, the need for computer security became paramount. The Enigma machine, shown in Figure 1-1, was one such cryptographic device that required multiple levels of security to protect it and the information it held.

This led to the implementation of new processes, as well as the use of established methods, to ensure the confidentiality of data. Access to sensitive military locations, for example, was tightly controlled through the use of badges, keys, and recognition of authorized personnel by security guards. As the need to maintain national security grew, so too did the complexity and sophistication of computer security measures.

What Is Security?

Security is the act of protecting against harm, intentional or otherwise. This includes protecting national sovereignty, assets, resources, and citizens, as well as the operations, physical infrastructure, people, functions, communications, and information of an organization. Multiple layers of security are necessary to effectively protect against potential threats.

The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical components, including the systems and hardware that use, store, and transmit the information. Information security encompasses various areas such as information security management, data security, and network security. The CNSS model of information security is built upon the C.I.A. triad, which has been the standard in computer security in both industry and government since the development of mainframes. The C.I.A. triad is based on the three characteristics of information that give it value to organizations: confidentiality, integrity, and availability. However, the C.I.A. triad model is now viewed as insufficient in addressing the constantly changing environment of information security. The threats to the confidentiality, integrity, and availability of information have evolved into a vast collection of events, such as accidental or intentional damage, destruction, theft, unintended or unauthorized modification, or other misuse from human or nonhuman threats. To address these complexities, the CNSS has developed a more robust model that includes an expanded list of critical characteristics of information. This expanded model is described in the next section. Even so, the C.I.A. triad terminology is still used throughout this chapter because it is familiar and widely accepted.

Key Information Security Concepts

This book uses many terms and concepts that are essential to any discussion of information security. Some of these terms are illustrated in Figure 1-7; all are covered in greater detail in subsequent chapters.

  • Access: Access refers to a subject or object's ability to use, manipulate, modify, or affect another subject or object. Authorized users have legal access to a system, while hackers must gain illegal access to a system. Access controls regulate this ability.

  • Asset: Asset refers to the organizational resource that is being protected. Assets can be logical, such as a website, software, or data, or physical, such as a person, computer system, hardware, or other tangible object. Information assets are particularly important in security efforts.

  • Attack: An attack refers to an intentional or unintentional act that can damage or compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, direct or indirect. A passive attack could be someone casually reading sensitive information not intended for them, while an intentional attack could be a hacker attempting to break into an information system. An unintentional attack could be a natural disaster, like a lightning strike causing a building fire. Direct attacks originate from the threat itself, while indirect attacks originate from a compromised system or resource controlled by a threat. An example of an indirect attack is a botnet, a group of compromised computers controlled by a hacker to attack systems and steal user information or conduct distributed denial-of-service attacks.

  • Control, safeguard, or countermeasure: Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The implementation of controls at different levels and of various types is thoroughly examined in the subsequent chapters.

  • Exploit: An exploit is a method employed to gain unauthorized access to a system. It can be used as a verb or a noun. Threat actors may attempt to exploit a system or other information asset for their personal gain. An exploit can also be a documented technique used to exploit a vulnerability or exposure, commonly found in software. These vulnerabilities or exposures can be either inherent in the software or created by the attacker. Exploits make use of existing software tools or custom-made software components.

  • Exposure: A condition or state of being exposed. In the context of information security, an exposure exists when a vulnerability is known to an attacker and can therefore be exploited.

  • Loss: The harm or damage caused to an information asset, which can be as a result of unauthorized or unintended modification, destruction, disclosure, or denial of use. When an organization's information is stolen, it has suffered a loss.

  • Protection profile or security posture: The comprehensive set of controls, policies, education, training, awareness, and technology implemented by an organization to safeguard its assets. These terms may also be used interchangeably with the term "security program", although a security program typically encompasses the management aspect of security, including planning, personnel, and subordinate programs.

  • Risk: The likelihood of an unwanted event or loss occurring. Organizations must minimize risk to align with their risk appetite, which refers to the amount and type of risk they are willing to accept.

  • Subjects and objects of attack: A computer can be either the subject of an attack, which is an agent used to conduct the attack, or the object of an attack, which is the target entity. A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).

  • Threat: A potential event or situation that could harm an organization's operations and assets. The terms "threat source" and "threat" are often used interchangeably, but for the purpose of simplifying the discussion, the term "threat" will refer to both.

  • Threat agent: A specific component of a threat, such as an external professional hacker like Kevin Mitnick who was convicted of hacking into phone systems. Natural disasters like lightning strikes, hailstorms, and tornadoes are examples of threat agents that fall under the category of "acts of God/acts of nature."

  • Threat event: The occurrence of an event caused by a threat agent. For example, damage caused by a storm would be considered a threat event. This term is commonly used interchangeably with the term "attack."

The Need for Security

An information security program has a unique mission, which is to safeguard information assets, including the systems that store them, to ensure they remain secure and functional. Organizations invest significant resources to maintain their information assets, and if it weren't for the threat of attacks, these resources could be used exclusively to improve these systems. Unfortunately, the threat of attacks on information assets is ongoing and the need for information security continues to grow as the attacks become more advanced. Some organizations consider both information and systems as part of their definition of an information asset, while others prefer to differentiate between information-based assets such as data, databases, and applications that use data, and media such as systems and networks that store and transmit data. For this purpose, we will include both data and systems assets in our definition of the term.

In order to effectively protect their information assets, organizations must have a clear understanding of the environment in which they reside. This includes identifying potential threats to the organization, its information, and the environment itself. This chapter will provide an overview of this environment and detail the various threats that organizations must be aware of in order to develop an effective information security program.

Information security performs four important functions for an organization:

  • Protecting the organization’s ability to function

  • Protecting the data and information the organization collects and uses, whether physical or electronic

  • Enabling the safe operation of applications running on the organization’s IT systems

  • Safeguarding the organization’s technology assets

Protecting Functionality

The success of an information security program relies on the cooperation and involvement of three key groups: general management, IT management, and information security management. Each group plays a crucial role in ensuring the program is effective in protecting the organization's ability to function. While some managers may perceive information security as a technically complex task, it is important to note that it is primarily a management responsibility. Implementing information security involves risk management and policy creation and enforcement, rather than focusing solely on the technology. Similar to managing payroll, which involves more management than mathematical calculation, managing information security requires a comprehensive approach that includes risk management, policy, and enforcement. As the noted information security author Charles Cresson Wood writes:

In fact, a lot of [information security] is good management for information technology. Many people think that a solution to a technology problem is more technology. Well, not necessarily.… So a lot of my work, out of necessity, has been trying to get my clients to pay more attention to information security as a management issue in addition to a technical issue, information security as a people issue in addition to the technical issue.

An organization's information security program must be viewed in terms of its impact on the business and the cost of any potential disruptions, rather than just a technical issue. Each community of interest, including general management, IT management, and information security management, must consider the business implications and cost of security breaches or interruptions in their decision-making process. This approach ensures that information security is integrated into the overall business strategy and not treated as a separate or isolated concern.

Protecting Data That Organizations Collect and Use

Data is essential for an organization's operations and ability to provide value to customers. Businesses, educational institutions, and government agencies all rely on information systems to conduct transactions and deliver services. Even when transactions are not conducted online, information systems and the data they process are necessary for the creation and movement of goods and services. As a result, data security is a critical component of information security, including protecting data during transmission, processing, and storage. The value of data makes it a prime target for attackers looking to steal, corrupt, or sabotage it. An effective information security program, implemented and managed by the organization, is necessary to protect the integrity and value of the organization's data.

Many organizations store crucial data in databases, which are managed by specialized software called a database management system (DBMS). Maintaining the confidentiality, integrity, and availability of data managed by a DBMS is known as database security. This is achieved by implementing a variety of control approaches that are common to many areas of information security. Database security covers a wide range of topics, including managerial, technical, and physical controls. Managerial controls involve the development of policies, procedures, and governance. Technical controls, such as access control, authentication, auditing, application security, backup and recovery, encryption, and integrity controls, are used to secure databases. Physical controls include the use of data centers with locked doors, fire suppression systems, video surveillance, and physical security personnel.

The principles of information security are highly relevant to the field of database security. One indication of this overlap is that the International Information Systems Security Certification Consortium, (ISC)², which evaluates candidates for several well-regarded information security certification programs, recognizes experience as a database administrator towards the experience requirement for the Certified Information Systems Security Professional (CISSP) certification. This demonstrates the strong correlation between the two fields and how knowledge and skills in one area can be applied in the other.

Enabling the Safe Operation of Applications

Organizations today are facing increasing pressure to acquire and use advanced, efficient and capable applications. In order to remain competitive, organizations need to create an environment that ensures the security of these applications, particularly those that are essential parts of the organization's infrastructure such as operating systems, operational applications, email and instant messaging. These systems can be procured from a service provider or developed in-house. Once the infrastructure is in place, it is the responsibility of management to oversee its security and not delegate it solely to the IT department.

Safeguarding Technology Assets in Organizations

In order to function effectively, organizations must use secure infrastructure hardware that is appropriate for their size and scope. For example, a small business may initially use a small-scale firewall such as a small office/home office (SOHO) device.

As the organization grows and its needs change, it may need to replace these security technologies with more robust solutions. Examples of robust solutions include commercial-grade, unified security architecture devices that include features such as intrusion detection and prevention systems, public key infrastructure (PKI) and virtual private network (VPN) capabilities. These technologies are discussed in more detail in chapters 6 through 8 of this textbook.

Information technology continues to evolve and provide organizations with new ways to manage and utilize their business information. The emergence of the Internet and the Web has created new opportunities for organizations to reach new markets. Cloud-based services, which offer more flexible and cost-effective ways to deliver IT services, have also introduced new risks to organizational information, raising concerns about how these assets can be protected from threats and how to ensure their security.

Compromises to Intellectual Property

Many organizations create or support the development of intellectual property (IP) as part of their business operations. IP includes trade secrets, copyrights, trademarks, and patents, and is protected by copyright law and other laws. It carries the expectation of proper attribution or credit to its source and may require the acquisition of permission for its use. For example, the use of some IP may require specific payments or royalties before a song can be used in a movie or before the distribution of a photo in a publication. The unauthorized use of IP constitutes a threat to information security. Employees may have access privileges to a variety of IP, including purchased and developed software and organizational information, as many employees typically need to use IP to conduct day-to-day business. It's important for organizations to have strict controls and guidelines for the use of IP to prevent unauthorized access or misuse.

Organizations often purchase or lease IP from other organizations and must comply with purchase or licensing agreements for its fair and responsible use. The most common IP violation is the unauthorized use or duplication of software-based intellectual property, also known as software piracy. Most software is licensed to a specific purchaser, and its use is restricted to a single user or designated users within an organization. If a user copies the program to another computer without obtaining another license or transferring the license, the user has violated the copyright. The unauthorized use of software is still a significant issue today, and organizations must ensure strict compliance with software licenses and copyright laws to avoid potential legal and financial consequences.

Software licenses are strictly enforced by regulatory and private organizations and software publishers use various control mechanisms to prevent copyright infringement. In addition to laws against software piracy, there are also watchdog organizations such as the Software & Information Industry Association (SIIA) and the Business Software Alliance (BSA) that investigate allegations of software abuse. BSA estimates that around 39% of software installed on computers globally in 2015 was not properly licensed. This number is only slightly lower than the 43% reported in the 2013 BSA global study. Additionally, about 26% of employees who responded to the 2015 study admitted to installing unauthorized software on computers at work, with over 84% of those employees installing two or more software packages. BSA also reports a modest global decline in the use of unlicensed software, down 4% from 2013 to an estimated commercial value of $52.2 billion. The BSA's software piracy reporting website is also available for the public.

Deviations in Quality of Service

An organization's information system relies on the successful operation of various interdependent support systems, including power grids, data and telecommunications networks, parts suppliers, service vendors, and even janitorial staff and garbage haulers. Any of these support systems can be interrupted by severe weather, employee illnesses, or other unforeseen events. Quality of service can also be affected by accidents such as a backhoe damaging an ISP's fiber-optic link. Even if a backup provider is online and in service, they may only be able to supply a fraction of the bandwidth needed for full service. This degradation of service is a form of availability disruption. Disruptions in Internet service, communications, and power supplies can have a significant impact on the availability of information and systems. Organizations must have robust contingency plans in place to minimize the impact of disruptions and ensure the continued availability of critical information and systems.

  • Internet Service Issues

In companies that heavily rely on the internet and the World Wide Web to conduct their operations, a failure of the internet service provider (ISP) can greatly affect the accessibility of information. This can be especially problematic for organizations that have remote employees such as sales staff or telecommuters. When these off-site workers are unable to access the main systems, they are forced to resort to manual procedures to continue their work. The Federal Communications Commission (FCC) in the United States maintains the Network Outage Reporting System (NORS) which, as per FCC regulation 47 C.F.R. Part 4, requires communication providers to report any outages that disrupt services at critical facilities such as emergency services and airports.

When an organization entrusts its web servers to a web hosting provider, the provider becomes responsible for managing all internet services and maintaining the hardware and operating system software used to operate the website. These web hosting services are typically accompanied by a Service Level Agreement (SLA). In the event that the service provider fails to meet the terms of the SLA, they may be subject to penalties to cover the losses incurred by the client. However, these compensation payments are often not sufficient to cover the losses caused by the outage. Although vendors may advertise high availability or uptime, even an availability rate that may seem acceptable can result in significant financial losses for the organization; 99.9% availability, for example, still permits roughly 8.8 hours of downtime per year. In August 2013, the Amazon.com website experienced a 30 to 40 minute outage, resulting in an estimated loss of between $3 million and $4 million.

  • Communications and Other Service Provider Issues

Other essential services can also affect an organization's operations. These include telephone, water, sewage, garbage collection, cable television, natural gas or propane, and custodial services. The disruption or loss of these services can greatly impact an organization's ability to function. For instance, most facilities require a steady water supply to operate their air-conditioning systems. Even in colder climates, modern facilities rely on air-conditioning to keep them running. In the event of a failure of the sewage system, the organization may be forced to close its doors to employees. While it's possible to compare pricing options from different service providers using online utilities, it's less common to find a comparative analysis of availability or downtime.

  • Power Irregularities

Fluctuations in power supply from utilities can lead to power excess, shortages, and outages. These fluctuations can cause problems for organizations that do not properly condition power for their IT equipment. In the United States, the standard power supply is 120-volt, 60-cycle power, which is usually provided through 15- and 20-amp circuits. In contrast, Europe, Africa, Asia, South America, and Australia use 230-volt, 50-cycle power. This difference in voltage levels can damage computing equipment if an organization is not prepared, resulting in significant losses. When power voltage levels deviate from the norm, such as during a spike, surge, sag, fault, noise, brownout, or blackout, an organization's electronic equipment, particularly networking equipment, computers, and computer-based systems, which are especially susceptible to fluctuations, can easily be damaged or destroyed. To mitigate these risks, organizations can use power-conditioning options such as surge suppressors for small computers and network systems, or more expensive solutions such as uninterruptible power supplies (UPS), which can protect against spikes, surges, sags, and even blackouts of limited duration. UPSs are discussed in more detail in Chapter 9, "Physical Security."

Espionage or Trespass

Espionage or trespassing is a well-known and wide-ranging category of electronic and human activities that can compromise the confidentiality of information. When an unauthorized individual gains access to information that an organization is trying to protect, the act is classified as espionage or trespassing. Attackers can use various methods to access the information stored in an information system. Some information-gathering techniques are legal, such as using a web browser to conduct market research. These legal techniques are collectively referred to as competitive intelligence. When information gatherers use techniques that cross legal or ethical boundaries, they are engaging in industrial espionage. Many countries that are considered allies of the United States engage in industrial espionage against American organizations. When foreign governments are involved, these activities are considered espionage and a threat to national security.

Some forms of espionage are relatively low-tech. One such example is called "shoulder surfing", as shown in Figure 2-6. This technique is used in public or semi-public settings when individuals gather information that they are not authorized to have. Instances of shoulder surfing occur at computer terminals, desks, and ATMs; on buses, airplanes, or subways, where people use smartphones and tablets; and in other places where employees may access confidential information.

Shoulder surfing is a violation of unwritten etiquette among professionals who deal with information security in the workplace. It is considered a breach of etiquette, an invasion of privacy and a threat to the security of confidential information, if one sees another person entering personal or private information into a system and fails to look away as the information is entered. It's important to respect others' privacy and security of information while working in a professional environment.

Acts of trespassing can result in unauthorized physical or virtual actions that allow information gatherers to enter premises or systems without permission. Organizational controls are often used to mark the boundaries of an organization's virtual territory and to give notice to trespassers that they are encroaching on the organization's cyberspace. Authentication and authorization controls, such as multi-factor authentication, can help organizations protect valuable information and systems by providing multiple layers of protection against unauthorized access and trespassing.

The typical perpetrator of espionage or trespassing is the hacker, who is often portrayed in popular culture as a skilled individual who can stealthily manipulate computer networks, systems, and data to uncover confidential information. However, the reality is far less glamorous. The profile of the typical hacker has changed from that of a 13 to 18-year-old male with limited parental supervision who spends all their free time on the computer, to an individual with fewer identifiable attributes (see Figure 2-7). In reality, a hacker often spends many hours studying the types and structures of targeted systems, and uses their skills, deception or fraud to try to bypass controls placed on someone else's information.

Legal, Ethical, and Professional Issues in Information Security

As an aspiring information security professional or an IT professional with security responsibilities, it is crucial to understand the scope of an organization's legal and ethical responsibilities. Information security professionals play a critical role in an organization's approach to managing responsibility and liability for privacy and security risks. In today's litigious societies, laws are often enforced in civil courts, where large damages can be awarded to plaintiffs who bring suits against organizations. These damages can be punitive, as a deterrent for future transgressions.

To minimize liability and reduce risks from electronic and physical threats, and to reduce losses from legal action, information security practitioners must have a thorough understanding of the current legal environment, stay up to date with laws and regulations, and be aware of new and emerging issues. By educating management and employees of an organization on their legal and ethical obligations and the proper use of information technology and information security, security professionals can help keep an organization focused on its primary business objectives.

In the first section of this chapter, you will learn about the legislation and regulations that impact the management of information within an organization. In the second section, you will learn about the ethical considerations related to information security, and the professional organizations that have established codes of ethics. This chapter is meant to serve as a reference for the legal aspects of information security and as a guide in planning your professional career in the field of information security.

In general, people willingly give up certain aspects of personal freedom for the sake of social order. This is often a necessary but somewhat ironic proposition, as Benjamin Franklin once said, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." As Jean-Jacques Rousseau explained in "The Social Contract, or Principles of Political Right," the rules that members of a society create to balance the individual rights of self-determination against the needs of the society as a whole are referred to as laws. The key difference between laws and ethics is that laws are enforced by a governing body, whereas ethics are based on cultural norms and moral principles. Some ethical standards are universal, such as the prohibitions of murder, theft, assault, and arson, which are generally upheld in ethical and legal codes throughout the world.

Organizational Liability and the Need for Counsel

When an organization does not demand or even encourage strong ethical behavior from its employees, or if the organization itself does not behave ethically, there can still be legal liability for the wrongs committed, even if there is no breach of criminal law. Liability includes the legal responsibility to make restitution for any harm caused. The employer can be held financially liable for the actions of an employee, even if the employer did not authorize the act. Organizations increase their liability if they refuse to take measures known as due care, which is met when the organization makes sure that every employee knows what is acceptable or unacceptable behavior and knows the consequences of illegal or unethical actions, and due diligence, which requires that the organization make a valid effort to protect others and continually maintain that level of effort. Given the internet's global reach, those who could be injured or wronged by an organization's employees could live anywhere in the world. Under the U.S. legal system, any court can assert its authority over an individual or organization if it can establish jurisdiction; when laws are applied to parties in distant locations, this is sometimes referred to as "long-arm jurisdiction." It is often favorable to the injured party to try a case in the injured party's home area.

Policy Versus Law

Within an organization, information security professionals help maintain security by establishing and enforcing policies. As discussed in more detail in Chapter 4, "Planning for Security," these policies function as organizational laws, complete with penalties, judicial practices, and sanctions to ensure compliance. Like laws, these policies must be carefully crafted and implemented to ensure that they are comprehensive, appropriate, and applied fairly to all employees. The key difference between a policy and a law is that, unlike a law, ignorance of a policy is an acceptable defense: an employee cannot be penalized under a policy they were never made aware of. Policies must therefore be able to withstand legal challenges, as employees may contest their dismissal based on a violation of a policy. For a policy to be enforceable, it must meet the following five criteria:

  • Dissemination (distribution): The organization must be able to demonstrate that the relevant policy has been made readily available for review by every employee. Common dissemination techniques include hard-copy distribution and electronic distribution, such as posting the policy on an intranet and e-mailing notices when it changes.

  • Review (reading): The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for employees who are illiterate, reading-impaired, or unable to read English. Common techniques include recordings of the policy in English and in alternate languages.

  • Comprehension (understanding): The organization must be able to demonstrate that the employee understands the requirements and content of the policy. Common techniques include quizzes and other assessments.

  • Compliance (agreement): The organization must also be able to demonstrate that the employee has agreed to comply with the policy. This can be done through the use of logon banners, which require employees to acknowledge their agreement to the policy before accessing company resources, or through the use of signed agreements.

  • Uniform enforcement: The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment. This ensures that all employees are held to the same standard and prevents discrimination or favoritism.

Only when all of these conditions are met can an organization penalize employees who violate a policy without fear of legal retribution.

Types of Law

There are a number of ways to categorize laws within the United States. In addition to the hierarchical perspective of local, state, federal, and international law, most U.S. law can be categorized by its origin:

  • Constitutional law: based on the U.S. Constitution and its amendments (and, at the state level, on the individual state constitutions). It establishes the framework of government and defines the rights and freedoms of citizens.

  • Statutory law: passed by a legislative body at the federal, state, or local level. Statutes cover a wide range of topics, such as criminal conduct, taxation, labor, and environmental regulation.

  • Regulatory or administrative law: created by the executive branch or by an authorized regulatory agency, usually to implement a statute. It includes executive orders and agency regulations, and it is generally enforced by the agency that issued it.

  • Common law, case law, and precedent: derived from the principles and precedents established by court decisions rather than from a statute. The legal systems of the U.S. and the UK are built on this tradition.

  • International law: created by treaty or international agreement and governing the relations between countries. Examples include trade agreements and human rights conventions.

Principles of Infosec.

The fundamental principles of information security include maintaining confidentiality, ensuring integrity, and guaranteeing availability. Each aspect of a comprehensive security program should be constructed to uphold one or more of these principles. Together, they are referred to as the CIA Triad.

  • Confidentiality

Confidentiality measures aim to prevent the unauthorized disclosure of information. The goal of the confidentiality principle is to keep sensitive information, personal data included, from being viewed or accessed by anyone other than those who are authorized to see it or who need it to carry out their job responsibilities within the organization.

  • Integrity

Integrity entails protection against unauthorized modification of data, whether by addition, deletion, or alteration. The principle of integrity ensures that data remains accurate and dependable, and that any change made by mistake or with malicious intent is prevented or, at minimum, detected.

  • Availability

Availability refers to ensuring that a system's software and data are readily accessible when required by a user, or at a specified time. The goal of availability is to make technology infrastructure, applications, and data available as needed for organizational processes or for the organization's clients.

Information Security vs Cybersecurity

Information security and cybersecurity are distinct but related concepts. The terms are often used interchangeably, but more accurately, cybersecurity is a subset of information security. Information security encompasses a wide range of areas such as physical security, endpoint security, data encryption, and network security, and is closely linked to information assurance, which also protects information from non-malicious threats such as natural disasters and server failures.

Cybersecurity, on the other hand, specifically deals with technology-based threats and employs practices and tools to prevent or minimize them. Another related field is data security, which concentrates on safeguarding an organization's data from accidental or intentional exposure to unauthorized parties.

Information Security Policy

An Information Security Policy (ISP) is a set of guidelines that instruct individuals on the proper use of IT resources. Organizations can establish information security policies to ensure that employees and other users comply with security protocols and procedures. The purpose of security policies is to ensure that only authorized users have access to sensitive systems and information.

Creating a comprehensive and effective security policy, and enforcing compliance with it, is a crucial step in preventing and addressing security threats. To keep the policy relevant and effective, it must be updated regularly to reflect changes within the organization, emerging threats, lessons learned from previous incidents, and advances in security systems and tools.

It is also important to make the policy practical and feasible. To meet the needs and priorities of different departments within the organization, it may be necessary to establish a system of exceptions, with a documented approval process, that allows departments or individuals to deviate from specific rules in specific circumstances.

Top Information Security Threats

There are countless categories of information security threats and an abundance of known threat vectors. Here are a few of the key threats that are a major concern for security teams in modern organizations:

Unsecure or Poorly Secured Systems

Unsecure or poorly secured systems pose a significant risk to an organization. As technology advances rapidly, security measures can fall by the wayside. In other cases, systems were developed without proper security considerations and continue to operate within the organization as legacy systems. Organizations should identify these vulnerable systems and mitigate the risk they pose by securing or patching them, decommissioning them, or isolating them from the rest of the network. Keeping systems up to date, and conducting regular security assessments and audits to find and address vulnerabilities, is crucial to protecting the organization from breaches.

Social Media Attacks

Social media has become a ubiquitous part of many people's lives, and as a result, users often inadvertently share a vast amount of personal information on these platforms. Attackers can take advantage of this by launching attacks through social media, such as spreading malware through messages, or by collecting information from social media profiles to identify vulnerabilities in users and organizations and use that information to plan an attack. It's important for individuals to be aware of the information they are sharing on social media and to use privacy settings to limit access to their personal information.

Social Engineering

Social engineering is the manipulation of people, rather than technology, into taking actions that compromise security or reveal private information. It is most often delivered by email or instant message (phishing), but also by phone call, text message, or in person. Attackers exploit psychological triggers such as curiosity, urgency, authority, or fear. Because the source of a social engineering message appears to be trustworthy, people are more likely to comply with its requests, such as clicking a link that installs malware on their device or providing personal information, credentials, or financial details.

To protect against social engineering, organizations can educate their users about the danger and train them to recognize and report suspicious messages. Technical controls can also block social engineering at its source (mail filtering, sender authentication) or prevent users from taking dangerous actions, such as following unknown links or opening unknown attachments. Strong security practices, an incident response plan, and regular testing of the defenses against simulated social engineering attacks further reduce the risk.
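The technical controls mentioned above include checks on the links inside a message. As an added example (not code from the page), the following script extracts the links from an HTML email body and flags three classic phishing indicators: the visible text shows one URL while the href points somewhere else, the target is a raw IP address, or the host uses internationalized (punycode) labels that lend themselves to lookalike domains. The sample message is constructed for the demonstration.

```python
"""Flag phishing indicators in the links of an HTML email body.
Added example; the message below is constructed, not a real phish."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercased host of a URL, or '' if the URL has no network location."""
    return (urlsplit(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_findings(html):
    """Return a list of (reason, href) for links that show phishing traits."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = _host(href)
        if not real:
            continue  # mailto:, relative links etc. are out of scope here
        # If the anchor text itself looks like a URL, the user believes that
        # is where the link goes; compare it with the real target host.
        shown = _host(text) if "://" in text else ""
        if shown and shown != real and not real.endswith("." + shown):
            findings.append(("visible URL differs from real target", href))
        if _is_ip(real):
            findings.append(("target is a raw IP address", href))
        if any(label.startswith("xn--") for label in real.split(".")):
            findings.append(("internationalized (lookalike-prone) host", href))
    return findings


# Constructed sample: one honest link and two that should be flagged.
SAMPLE = """
<p>Your account is locked. <a href="http://203.0.113.9/login">Restore access</a></p>
<p>Or visit <a href="https://secure-example.net/p">https://www.example.com/account</a></p>
<p>Help: <a href="https://support.example.com/">https://support.example.com/</a></p>
"""

if __name__ == "__main__":
    for reason, href in link_findings(SAMPLE):
        print(f"{reason}: {href}")
```

A mail gateway applies the same idea at scale; the point of the example is that the mismatch between what the user sees and where the link actually goes is machine-checkable, so it should not be left to user vigilance alone.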

Malware on Endpoints

Endpoint devices such as desktop computers, laptops, tablets, and mobile phones are used throughout organizations; many are personally owned and not under the organization's control, and all of them connect regularly to the Internet. One of the primary threats to these endpoints is malware, which can arrive through many channels and can compromise the endpoint itself and then serve as a foothold for lateral movement and privilege escalation against other organizational systems.

Traditional signature-based antivirus software is not enough to block all modern malware, so more advanced methods of securing endpoints, such as endpoint detection and response (EDR), have been developed. EDR tools continuously collect telemetry (process creation, file and registry changes, network connections) and apply behavioral detection, investigation, and response capabilities to catch threats that bypass traditional controls. Other endpoint protection measures, such as application control, device control, and host-based firewalls, provide additional layers of defense.

It's important for organizations to implement security measures on endpoint devices, including implementing endpoint security software, setting policies for device access, and training users on how to identify and avoid malware. Organizations should also regularly update their endpoint protection software, and conduct regular security assessments to detect and remediate vulnerabilities on endpoint devices.
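The behavioral detection that EDR tools perform can be illustrated with a few rules over process-creation telemetry. This added example (not the page's code, and not any vendor's rule set) evaluates three common indicators: an Office application spawning a script interpreter, PowerShell launched with an encoded command, and an executable running from a user-writable temporary directory. The events and paths are constructed; the rule names are the author's own.

```python
"""Toy EDR-style detection over process-creation telemetry.
Added example; events are constructed, not captured from a real endpoint."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
# PowerShell accepts abbreviated switches; -e / -ec / -enc / -encodedcommand
# followed by a long base64 blob is the usual shape of an encoded payload.
ENCODED = re.compile(r"(?i)(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")
# Directories an unprivileged user can write to (assumption: Windows layout).
USER_WRITABLE = re.compile(r"(?i)\\(temp|downloads)\\")


def _basename(path):
    """Lowercased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names a single process-creation event triggers."""
    hits = []
    parent = _basename(event["parent_image"])
    image = _basename(event["image"])
    if parent in OFFICE_APPS and image in INTERPRETERS:
        hits.append("office_spawns_interpreter")
    if image == "powershell.exe" and ENCODED.search(event["command_line"]):
        hits.append("powershell_encoded_command")
    if USER_WRITABLE.search(event["image"]) and image.endswith(".exe"):
        hits.append("exec_from_user_writable_dir")
    return hits


def alerts(events):
    """(pid, triggered rules) for every event that triggered at least one rule."""
    return [(e["pid"], hits) for e in events if (hits := evaluate(e))]


# Constructed telemetry: a macro dropper, a downloaded binary, and benign activity.
EVENTS = [
    {"pid": 4120,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 4133,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
     "command_line": "invoice_viewer.exe"},
    {"pid": 4140,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for pid, hits in alerts(EVENTS):
        print(pid, ", ".join(hits))
```

None of these rules needs a signature for the malware itself; they key on behavior that legitimate software rarely exhibits, which is why they still fire on a sample the antivirus engine has never seen. In production the same rules would be tuned against the organization's baseline to keep false positives (for example, administrators' scheduled encoded scripts) manageable.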

Lack of Encryption

Encryption is a process that encodes data so that it can be decoded only by holders of the secret key. It is an effective way to prevent the disclosure of data when equipment is lost or stolen, or when organizational systems are compromised by attackers: without the key, the data the attacker obtains is useless. Despite its effectiveness, encryption is often overlooked because of its complexity, key management in particular, and because few regulations prescribe exactly how it must be implemented.

More and more organizations are nevertheless adopting encryption by purchasing storage devices or using cloud services that support it, or by deploying specialized security tools, ideally with the keys managed separately from the data they protect.

Security Misconfiguration

Modern organizations use a vast number of technological platforms and tools, particularly web applications, databases, and Software as a Service (SaaS) applications, or Infrastructure as a Service (IaaS) from providers like Amazon Web Services.

These platforms and services often have built-in security features, but the organization must configure them properly for those features to be effective. Security misconfigurations, whether caused by negligence or by human error, can lead directly to breaches. A related problem is "configuration drift": a system that was correctly configured at deployment gradually diverges from its approved baseline through ad hoc changes, upgrades, and forgotten temporary fixes, becoming vulnerable without the knowledge of IT or security staff.

Organizations can mitigate security misconfigurations by using platforms that continuously monitor systems, identify configuration gaps, and alert or automatically remediate any issues that make systems vulnerable. Regular security assessments, vulnerability scanning, and regular security audits can also help to identify misconfigurations and vulnerabilities in the systems.

Performing regular security testing, including penetration testing, also helps organizations to identify vulnerabilities and misconfigurations that might otherwise go unnoticed, and to take action to remediate them before they can be exploited by attackers.
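The continuous configuration monitoring described above reduces to one operation: parse the live configuration, compare each security-relevant setting with the approved baseline, and report every gap, including settings that are simply absent and therefore fall back to the software's default. The following added example (not from the page) does this for an OpenSSH server configuration. The baseline, the default values, and both configuration files are constructed for the demonstration; the defaults are the author's assumption about current OpenSSH behaviour.

```python
"""Detect configuration drift in an sshd_config-style file.
Added example; baseline, defaults and sample files are constructed."""

# Approved baseline (constructed): the values security requires.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Value sshd applies when the directive is missing (assumption: OpenSSH defaults).
# A missing directive is not "unset"; it silently means the default.
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}


def parse_config(text):
    """Return {lowercased directive: value} for the global section of the file.

    sshd keywords are case-insensitive and the first occurrence of a directive
    wins, so later duplicates are ignored. Parsing stops at the first Match
    block because those directives apply only to matching connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def drift(current_text, baseline=BASELINE, defaults=DEFAULTS):
    """List (directive, expected, effective value, was_missing) for each gap."""
    current = parse_config(current_text)
    report = []
    for key, expected in baseline.items():
        missing = key.lower() not in current
        effective = defaults.get(key) if missing else current[key.lower()]
        if effective != expected:
            report.append((key, expected, effective, missing))
    return report


# Constructed: a host that drifted after "temporary" changes.
DRIFTED = """
# /etc/ssh/sshd_config (constructed sample)
Port 22
# changed during an outage and never reverted
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""

# Constructed: the same host after remediation.
HARDENED = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for key, expected, effective, missing in drift(DRIFTED):
        where = "missing, default applies" if missing else "set in file"
        print(f"{key}: expected {expected!r}, effective {effective!r} ({where})")
```

The MaxAuthTries finding is the one a naive grep-for-bad-values check misses: nothing in the file is wrong, the directive is just absent, and the effective value is whatever the software ships with. Running a check like this on a schedule, and alerting or auto-remediating on a non-empty report, is the mechanism behind the continuous-monitoring platforms mentioned above.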

Active vs Passive Attacks

Information security is implemented to safeguard organizations against malicious attacks, which fall into two broad types: active and passive. Active attacks are hard to prevent outright, so the emphasis is on detecting, mitigating, and recovering from them. Passive attacks change nothing, which makes them hard to detect, but they are comparatively easy to prevent with the right controls.

Passive attacks are therefore addressed by prevention: encrypting data in transit and at rest, and physically protecting network media, denies an eavesdropper anything useful. Active attacks leave traces, so firewalls, intrusion detection and prevention systems, and security information and event management (SIEM) systems are used to detect and block them, supported by threat intelligence, endpoint protection, incident response plans, regular security testing, and incident response training. A comprehensive security strategy includes both preventive and detective measures so that the organization can resist both types of attack and respond effectively when one succeeds.

Active Attack

Active attacks are those in which the attacker alters data or system resources or disrupts their operation; malware, phishing, and DDoS attacks are examples.

Three common variants of active attack are named for the security property they violate:

  • Interruption—an attack on availability: the attacker makes a system, service, or communication path unusable, for example by flooding it with traffic (denial of service), so that legitimate users cannot access systems or perform normal operations.

  • Modification—an attack on integrity: the attacker intercepts legitimate communications and either alters them to gain an advantage or replays them later to fool one of the communicating parties.

  • Fabrication—an attack on authenticity: the attacker creates counterfeit communications, typically while masquerading as one of the legitimate parties, and inserts them into the system.
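The modification and fabrication variants above, and the integrity principle from the CIA triad earlier on the page, come down to the same question at the receiver: can I tell whether this message is exactly what an authorized sender produced, and whether I have already processed it? The following added example (not code from the page) answers it with a keyed hash. Each message carries a sequence number and an HMAC tag computed with a key shared between sender and receiver; the receiver rejects any message whose tag does not verify (modification, or fabrication by someone without the key) and any sequence number it has already accepted (replay). The key and messages are constructed, and the key is assumed to have been exchanged out of band. Interruption is not demonstrated; no message format can stop a flood.

```python
"""Authenticate messages so a receiver detects modification, fabrication and replay.
Added example; key and messages are constructed for the demonstration."""
import hashlib
import hmac
import json

KEY = b"shared-secret-for-demo-only"  # assumption: exchanged out of band


def seal(key, seq, payload):
    """Sender: bind a sequence number to the payload and append an HMAC tag.

    The tag covers seq and payload together, so neither can be changed or
    reused separately without invalidating it.
    """
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen = set()  # accepted sequence numbers (unbounded here; real protocols use a window)

    def accept(self, message):
        """Return (verdict, payload); verdict is 'ok', 'tampered' or 'replay'."""
        body, _, tag = message.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison: an early-exit byte compare would let an
        # attacker learn the correct tag one byte at a time from timing.
        if not hmac.compare_digest(expected, tag):
            return "tampered", None
        record = json.loads(body)
        if record["seq"] in self.seen:
            return "replay", None
        self.seen.add(record["seq"])
        return "ok", record["payload"]


def demo():
    """Run the three active-attack variants against one receiver."""
    rx = Receiver(KEY)
    genuine = seal(KEY, 1, "transfer 100 to acct 42")
    results = [rx.accept(genuine)[0]]
    # Modification: the attacker edits the amount in transit.
    results.append(rx.accept(genuine.replace(b"100", b"900"))[0])
    # Fabrication: the attacker forges a message without the shared key.
    results.append(rx.accept(seal(b"wrong-key", 2, "transfer 900 to acct 666"))[0])
    # Replay: the attacker resends the genuine message unchanged.
    results.append(rx.accept(genuine)[0])
    return results


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not give you. The tag provides integrity and authenticity, and the sequence number provides replay protection, but the payload travels in the clear, so an eavesdropper still reads it; confidentiality against passive attacks needs encryption on top, which is why real protocols use authenticated encryption rather than a bare MAC.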

Passive Attack

Passive attacks, on the other hand, are the ones where the attacker seeks to gain unauthorized access to sensitive information, like sniffing network traffic, eavesdropping, and shoulder surfing etc.

Because the attacker changes nothing in the communication or on the target systems, passive attacks are difficult to detect, and the defense is prevention. Encryption is the primary control: it renders intercepted data unreadable to anyone without the key. It does not hide the fact that communication took place, however, so an eavesdropper can still perform traffic analysis on who is talking to whom, when, and how much.

Information Security and Data Protection Laws

Data Protection Laws in the European Union (EU): the GDPR

The General Data Protection Regulation (GDPR) is the best-known privacy law in the European Union (EU). It governs the collection, use, storage, security, and transfer of personal data relating to individuals in the EU, and it applies to any organization that processes such data, whether or not the organization itself is established inside the EU.

Organizations that fail to comply can be fined up to 4% of global annual turnover or €20 million, whichever is higher. The GDPR covers the full range of processing activities, including collection, storage, and transfer, and grants data subjects rights over their personal data, including the rights to access, correct, and delete it and the right to data portability.

Organizations must implement appropriate technical and organizational measures to protect the data; must appoint a Data Protection Officer (DPO) where the regulation requires one (public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data); and must carry out a Data Protection Impact Assessment (DPIA) before any processing likely to present a high risk to individuals. A personal-data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and the affected individuals must be notified when the breach is likely to result in a high risk to them. Organizations should familiarize themselves with the GDPR and related data protection laws and take the steps needed to comply with them.

The main goals of the GDPR are:

  • Setting the privacy of personal data as a basic human right

  • Implementing privacy criteria requirements

  • Standardization of how privacy rules are applied

GDPR includes protection of the following data types:

  • Personal information such as name, ID number, date of birth, or address

  • Web data such as IP address, cookies, location, etc.

  • Health information including diagnosis and prognosis

  • Biometric data including voice data, DNA, and fingerprints

  • Private communications

  • Photos and videos

  • Cultural, social or economic data
