Category: Security

Information security, sometimes referred to as InfoSec, is the practice of protecting data from unauthorized access, use, disclosure, copying, modification or destruction. In information security, data refers to information in both physical and electronic forms.

The information security process requires that the same set of controls is applied regardless of whether the data is in use, at rest or in transit.

The core objectives of information security are:

  1. Confidentiality – Ensuring that information is disclosed only to the people and systems authorized to see it
  2. Integrity – Ensuring that information is accurate and complete, and that it is created, changed or deleted only by authorized parties in authorized ways
  3. Availability – Ensuring that information, and the hardware, software and IT infrastructure used to access it, are usable whenever authorized users need them

These three objectives are commonly referred to as the CIA Triad.

Types of Threats

In information security, a threat is anything that could harm data or the systems that hold it. Threats come from many sources, including:

  1. Natural – Earthquakes, storms, floods, fire, landslides, etc.
  2. Competitors – Industry espionage, illegal infiltration, and competitive research
  3. Media – Exposed trade secrets, bad press and publicity
  4. Organized or Political – Espionage, terrorism, computer warfare, wiretapping, etc
  5. Hackers – Social engineering, ransomware, malware, spyware, trojans, viruses, DDoS, DNS poisoning, etc
  6. Criminal – Information blackmailing, kidnapping, extortion, theft, bribery, etc
  7. Employee –  Human error, tampering, negligence, sabotage, vandalism, theft, etc

These threats can lead to theft of data, unauthorized access, misuse, data leakage, and loss of data through physical damage to equipment or through hardware or software failure.

Cyber Crimes

Government agencies, hospitals, businesses, financial institutions, and many other industry sectors constantly gather and maintain a large amount of information pertaining to clients, customers and employees.

This data may contain an individual’s personal information such as health information, contact details, addresses, photos, email addresses, etc. Hackers commit cyber crimes to steal this information, which is then used as leverage against either the company or the individual concerned.

You are now 20 times more likely to be robbed while sitting at your computer by a criminal based overseas than held up in the street, according to the opening line of a report posted by The Telegraph this year.

Furthermore, a survey conducted by ITworldcanada at the beginning of this year revealed that 28% of Canadian firms had been hit by cybercrime in the previous 24 months.

Risk Management

Risk management is the process of identifying and assessing risks, and dedicating resources to monitor and minimize them.

In information security, a risk is the potential for a threat to exploit a vulnerability and cause harm, for example data becoming exposed to third parties not authorized to access it. Each risk is judged by how likely that is to happen and how much damage it would do.

In order to take appropriate countermeasures, a dedicated team is typically put in charge of conducting regular assessments for:

  1. Security policies
  2. Communications
  3. Asset management
  4. Human resources
  5. Compliance
  6. Business continuity
  7. Information security incident management
  8. Access control

Security classification for information

Not all data generated is equal. Some may require the highest level of protection while others need less.

Information is not classified randomly. There is a process to be followed and criteria to be met. Some of the basic criteria are:

  1. Value of the data to the organization
  2. Ownership of the information, and who is responsible for it
  3. Legal and regulatory requirements

Organizations usually have pre-defined labels for different types of data classification such as public, private, confidential, top secret, protected, unofficial, etc.

Access Controls

Access control is the technique used in information security to restrict access rights to systems, applications and information to the people authorized to have them. Every request is checked against a policy and either granted or denied, so that only those who are explicitly authorized get in.

The two main types of Access controls are:

  1. Physical – Regulating access to floors, buildings, data centers, server rooms, etc.
  2. Logical – Regulating access to systems, applications, networks, etc

There are various models of Access Controls, which are:

  1. Attribute-based Access Control (ABAC) – Access is granted or denied by evaluating policies over attributes of the user, the resource, the action and the environment (for example department, data classification or time of day)
  2. Discretionary Access Control (DAC) – The owner of the data (or a system administrator) decides who can or cannot access it, typically through permissions or access control lists that the owner can change
  3. History-Based Access Control (HBAC) – The user’s past and current activity is evaluated in real time; the behaviour and pattern of user interactions forms the basis for deciding whether the user should be allowed to access the data
  4. Identity-Based Access Control (IBAC) – Access is granted to specific named identities; network or system administrators manage each user’s permissions based on that user’s needs
  5. Mandatory Access Control (MAC) – A central policy compares the security label on the data with the clearance of the user; neither users nor data owners can override the decision
  6. Organization-Based Access Control (OrBAC) – Policies are written in terms of the organization’s abstract roles, activities and views rather than concrete users, actions and objects, so the policy designer can define them independently of a particular system
  7. Role-Based Access Control (RBAC) – Access rights are attached to roles within the company and users receive rights by being assigned roles; a user’s access follows the job title
  8. Rule-Based Access Control (RAC) – The organization defines rules for when and under what conditions information may be accessed. For example, access may be denied after 6pm or outside working hours
  9. Responsibility-Based Access Control – The user’s rights are decided by the responsibilities assigned to him/her, and change when a given responsibility begins or ends
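To show how these models combine in practice, here is an added example (not code from the original page) of a small default-deny policy evaluator that layers RBAC, MAC-style classification labels and a rule-based working-hours condition. All users, roles, clearances, labels and resources in it are constructed for illustration.

```python
"""Added example, not from the original page: a default-deny access-control
evaluator combining three of the models above.

  - RBAC:       users hold roles; roles hold (resource, action) permissions.
  - MAC:        each resource carries a classification label and each user a
                clearance; access needs clearance >= label, and nothing a user
                or data owner does can override that comparison.
  - Rule-based: some resources may only be used during working hours.

Every name below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Ordered classification levels (MAC). Higher index = more sensitive.
LEVELS = ["public", "internal", "confidential"]

# Label of each resource and clearance of each user (constructed).
RESOURCE_LABEL = {"reports": "internal", "ledger": "confidential", "users": "confidential"}
USER_CLEARANCE = {"alice": "internal", "bob": "confidential", "carol": "confidential"}

# RBAC: roles map to the (resource, action) pairs they permit.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read"), ("ledger", "read")},
    "finance": {("reports", "read"), ("ledger", "read"), ("ledger", "write")},
    "admin":   {("reports", "read"), ("ledger", "read"), ("ledger", "write"),
                ("users", "write")},
}

# Users receive rights only through role assignment, never directly.
USER_ROLES = {"alice": {"analyst"}, "bob": {"finance"}, "carol": {"admin"}}

# Rule-based constraint: resources listed here are usable only 08:00-18:00.
WORKING_HOURS = (8, 18)
TIME_RESTRICTED = {"ledger"}

# Two sample request times (constructed).
TEN_AM = datetime(2017, 9, 25, 10, 0)
EIGHT_PM = datetime(2017, 9, 25, 20, 0)


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    when: datetime


def rbac_permits(req):
    """True if at least one of the user's roles grants (resource, action)."""
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(req.user, set()))


def mac_permits(req):
    """True if the user's clearance dominates the resource's label."""
    label = RESOURCE_LABEL.get(req.resource)
    clearance = USER_CLEARANCE.get(req.user)
    if label is None or clearance is None:
        return False  # unlabelled data or uncleared user: deny
    return LEVELS.index(clearance) >= LEVELS.index(label)


def rule_permits(req):
    """True unless the resource is time-restricted and the request is out of hours."""
    if req.resource not in TIME_RESTRICTED:
        return True
    start, end = WORKING_HOURS
    return start <= req.when.hour < end


def decide(req):
    """Evaluate all models; every check must pass (default deny).

    Returns (allowed, reason) so the reason can be logged for audit."""
    if not rbac_permits(req):
        return False, "rbac: no role grants this permission"
    if not mac_permits(req):
        return False, "mac: clearance does not dominate label"
    if not rule_permits(req):
        return False, "rule: outside working hours"
    return True, "granted"


if __name__ == "__main__":
    for r in [Request("alice", "reports", "read", TEN_AM),
              Request("alice", "ledger", "read", TEN_AM),    # role allows, label does not
              Request("bob", "ledger", "write", TEN_AM),
              Request("bob", "ledger", "write", EIGHT_PM),   # out of hours
              Request("mallory", "reports", "read", TEN_AM)]:  # unknown user
        print(r.user, r.action, r.resource, "->", decide(r))
```

The order of the checks is deliberate: a role grant is necessary but never sufficient, so a request that passes RBAC can still be refused by the label comparison or by the time rule, and an unknown user or an unlabelled resource falls through to a denial rather than an exception.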

Cryptography

The word cryptography is derived from Greek and literally means “hidden writing”. Cryptography is the practice of protecting communication so that only the intended sender and receiver can read and understand the message.

Hiding a message inside an image is steganography, a related but distinct technique: it conceals that a message exists at all. Cryptography instead transforms the message into a string of letters, numbers and special characters that is unintelligible to everyone who does not hold the key, even though they can see it.

The conversion of the original plaintext into this unreadable form, the ciphertext, is known as encryption, and the conversion back from ciphertext to the original plaintext is known as decryption. The former is done at the sender’s end and the latter at the receiver’s end.

The mathematical procedures that encrypt and decrypt information are called encryption algorithms, or ciphers; programs implement them. Many different algorithms have been developed over the years. For communication to succeed, both ends must use the same algorithm and hold matching keys: in symmetric encryption the sender and receiver share one secret key, while in public-key encryption the sender encrypts with the receiver’s public key and the receiver decrypts with the corresponding private key. Because encryption alone protects confidentiality and not integrity, modern schemes also authenticate the ciphertext, so that a message modified in transit is rejected rather than decrypted into garbage.
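The following added example (not code from the original page) shows the sender and receiver sides of symmetric encryption with a shared key, using only Python’s standard library. The keystream comes from HMAC-SHA256 over (nonce, counter) in the manner of counter mode, and a second HMAC over the nonce and ciphertext is checked before decryption so that tampering or a wrong key is detected. The key and message are constructed; the construction is for teaching, and production code should use a vetted authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a maintained library.

```python
"""Added example, not from the original page: authenticated symmetric
encryption (encrypt-then-MAC) built from HMAC-SHA256, standard library only.
Teaching construction; use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) in
production."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

# Constructed 32-byte shared secret. In practice it comes from a key exchange
# or a KDF and is never hard-coded.
SHARED_KEY = bytes(range(32))


def derive_keys(master_key):
    """Derive independent encryption and authentication keys from one secret."""
    enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """PRF(enc_key, nonce || counter) blocks, truncated to `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(master_key, plaintext, nonce=None):
    """Sender side: returns nonce || ciphertext || tag.

    The nonce must never repeat under the same key; reuse would XOR two
    plaintexts with the same keystream. A random nonce is drawn unless one
    is supplied (deterministic nonces are only for tests)."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key, message):
    """Receiver side: verify the tag first, then decrypt.

    Raises ValueError if the message was altered or a different key was used."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = derive_keys(master_key)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed: wrong key or modified message")
    return xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def is_authentic(master_key, message):
    """True only if decrypt() would accept the message."""
    try:
        decrypt(master_key, message)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    boxed = encrypt(SHARED_KEY, b"transfer 100 to account 42")
    print(decrypt(SHARED_KEY, boxed))
    # Flip one ciphertext bit: without the tag this would silently change the
    # decrypted amount; with it the receiver rejects the message.
    forged = boxed[:NONCE_LEN] + bytes([boxed[NONCE_LEN] ^ 1]) + boxed[NONCE_LEN + 1:]
    print(is_authentic(SHARED_KEY, forged))
```

Two details matter for the integrity point made above: the tag is verified before any decryption happens, and the comparison uses hmac.compare_digest so that a forger cannot learn the tag byte by byte from timing differences.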

Governance

NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

It also specifically states that information security governance should not be confused with IT security management.

To put it more simply, a company’s security programme is usually split into many smaller pieces handled by different teams, while one security team is charged with the responsibility of carrying out security throughout the entire company.

It is virtually impossible for a small security team to both manage and secure the whole company on its own. Information security governance makes sure that all the pieces (personnel, business processes, training, firewalls, etc.) fit into one framework with clear ownership, so that the organization as a whole stays protected.

Cloud Security – SECaaS

Security as a Service (SECaaS), also referred to as cloud security, is a security service that a business outsources to a third-party vendor on either a subscription or pay-as-you-go basis for cost efficiency. The service is either delivered through the cloud or operated in-house by the service provider. The vendor is responsible for running and maintaining the service it provides, but accountability for the company’s overall security, and for the data handed to the vendor, stays with the company, so the contract should spell out exactly what the vendor does and does not cover.

An example of security as a service would be an anti-virus software solution delivered over the internet. The vendor is responsible for regularly updating the databases and definitions, updating the software and scanning at regular intervals.

Security Assessments

Security Assessments are an integral part of information security. They are conducted in order to locate and identify risks and vulnerabilities.

There are several methods for conducting security assessments, and several documents that frame them, including:

Vulnerability Assessment – Checks a system, application or network for weaknesses that an intruder could exploit to compromise data, usually with scanning tools plus manual review, and rates each finding by severity

Security Audits – A formal review, by internal or external auditors, of whether the organization complies with relevant rules, regulations and its own policies

Penetration Testing – Authorized testers attempt to break into systems the way an outside attacker would, within an agreed scope and rules of engagement, to find exploitable weaknesses before a real attacker does. They may only be required to find and report the issues, with a different team tasked with fixing or patching them

Security Policy – A set of documents, updated regularly, outlining an organization’s plans to protect its IT assets; assessments measure the organization against it

Risk Assessment – Conducted to determine what risks the company faces, how likely and how damaging each one is, and which ones are acceptable

IT Security Assessment Report – A report with detailed findings of a security assessment, their severity, and the steps to be taken to fix the issues discovered

Web Security

Web or web application security is a branch of information security concerned with website security, web application security and the integrity of web based services.

Cloud vendors deliver their services over the internet through the user’s web browser, so the browser and the web application are the attack surface. Hackers look for weaknesses at every level: the network, browser flaws, website flaws, and flaws in the application code behind the site.

Web security encompasses techniques to find security loopholes and other vulnerabilities and fix them.
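As an added example (not code from the original page) of the kind of application-code flaw attackers look for, here is one login query written two ways against an in-memory SQLite database: once by pasting user input into the SQL string, and once with a parameterised query. The users table, credentials and payload are constructed for illustration.

```python
"""Added example, not from the original page: SQL injection in a login check,
and the parameterised query that prevents it. Constructed data only."""
import sqlite3


def setup_db():
    """In-memory database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # A real application stores a salted, slow password hash (bcrypt, scrypt,
    # Argon2) and compares in application code; plaintext here keeps the
    # example focused on query construction.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds SQL by string formatting: the user's input becomes part of the
    query text, so a quote in the input changes the query's structure."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data by the driver and is
    never interpreted as SQL, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Constructed payload: the quote closes the username literal and "--" turns
# the rest of the line, including the password check, into a comment.
INJECTION = "admin' --"


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, injected:", login_vulnerable(conn, INJECTION, "anything"))
    print("safe, injected:      ", login_safe(conn, INJECTION, "anything"))
    print("safe, real password: ",
          login_safe(conn, "admin", "correct horse battery staple"))
```

The vulnerable function accepts the attacker as admin without a password because the query it executes is `... WHERE username = 'admin' --' AND password = 'anything'`; the safe function looks for a user literally named `admin' --`, finds none, and refuses.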

Email Security

Email security refers to the security procedures a company needs to undertake in order to secure email operations.

When sending and receiving email, the email security team is expected to monitor for confidential information leaving the company network, for example through outbound filtering (data loss prevention).

More importantly, they are expected to screen messages arriving from outside networks. Attackers target users and companies through email with phishing, malware-carrying attachments and spam, so inbound mail is checked against sender authentication results (SPF, DKIM and DMARC), scanned for malicious attachments and links, and filtered before it reaches the user.
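The checks just described, applied to a raw inbound message with Python’s standard library, as an added example that is not code from the original page. It reports signals rather than a verdict; a real gateway would score or quarantine on them. Both sample messages, their Authentication-Results headers and the organization domain are constructed.

```python
"""Added example, not from the original page: screening an inbound email for
phishing signals. All messages and domains are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"

# Constructed phishing message: the visible From claims the IT helpdesk, but
# the envelope sender is another domain, DKIM is absent, and the link points
# outside the organization.
PHISH = b"""Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer-example.net; dkim=none
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Your password expires today
Content-Type: text/plain

Your password expires today. Reset it now at http://example-com-login.net/reset
"""

# Constructed legitimate message for comparison.
LEGIT = b"""Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance
Content-Type: text/plain

The portal at https://portal.example.com/status will be down on Saturday.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Parse spf=/dkim=/dmarc= results recorded by the receiving MX."""
    header = str(msg.get("Authentication-Results", ""))
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {k.lower(): v.lower() for k, v in pairs}


def screen(raw, org_domain=ORG_DOMAIN):
    """Return the list of findings for one inbound message (empty = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Header From (what the user sees) vs envelope sender (who really sent
    #    it). A mismatch alone is only a signal: bulk senders do this too.
    if domain_of(str(msg.get("From", ""))) != domain_of(str(msg.get("Return-Path", ""))):
        findings.append("from-envelope-mismatch")

    # 2. Sender authentication. Anything other than an explicit pass counts.
    results = auth_results(msg)
    for mech in ("spf", "dkim"):
        if results.get(mech, "none") != "pass":
            findings.append(mech + "-not-pass")

    # 3. Links in a plain-text body that lead outside the organization.
    body = msg.get_content() if not msg.is_multipart() else ""
    for host in re.findall(r"https?://([^/\s]+)", body):
        host = host.lower()
        if host != org_domain and not host.endswith("." + org_domain):
            findings.append("link-outside-org:" + host)
    return findings


if __name__ == "__main__":
    print("phish:", screen(PHISH))
    print("legit:", screen(LEGIT))
```

The Authentication-Results header is trusted here only because the constructed messages are assumed to come from the organization’s own MX; a real filter strips or ignores any such header that arrives from outside, since a sender can forge one just as easily as a From line.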

Identity and Access Management

Identity and access management (IAM) is the framework of policies and tools used to manage users’ digital identities and what each identity is allowed to access.

The administrator is expected to provision, revoke and manage selective and conditional access rights for each user. Some of the benefits of IAM include:

  1. Confidentiality of Data – Restricts each piece of information to the users who need it
  2. Performance – Removing accounts and sessions that are no longer needed for a process reduces the number of active sessions to run and monitor
  3. Segregated Tasks – Avoids confusion about who may do what by clearly defining groups, and the users in them, as the only people authorized to perform a specific task
  4. Enhanced Security – Provides one place to grant, review and revoke access, so that stale accounts and excess privileges are found and removed, and authentication policies such as multi-factor authentication are enforced consistently

Data Loss

Data Loss is a critical concern of information security as it can threaten the viability of businesses, forcing many to shut down.

Some of the factors leading to data loss are:

  1. Increasing threats and attacks – Hackers have been extremely active in the past few years, excelling in finding loopholes in networks, applications, etc to find avenues for removing or stealing data
  2. Inside threats – Disgruntled employees are known to harm companies using a variety of methods, leveraging insider information that hackers would lack
  3. Accidental information sharing – An employee may unknowingly share sensitive information with an outsider without being aware of their actions
  4. Cloud-based storage and services – An employee may use unsecured personal cloud-based storage to store confidential company information

Why web security should no longer be overlooked in the web development stage

Now, more than ever, web security matters. With the ever increasing rate of technological expansion comes increased attempts to breach security and steal information. Don’t let this happen to you. By designing your website with security in mind from the...

/ September 25, 2017

Why You Should Move to HTTPS Right Now

More than ever before, the time is right to make the jump to HTTPS if you haven’t already. HTTPS has grown in popularity quickly, with over 85% of websites now making use of the format. Starting in October, Google Chrome will mark...

/ September 22, 2017

Healthcare IT Security Is Under Attack – Here’s How to Better Protect EMR Data

Cybersecurity as EMR Support It’s no surprise that hacking is becoming a growing threat as our world becomes only more connected. Healthcare IT services simply cannot function in their current state without a comprehensive healthcare IT security system to back...

/ June 22, 2017

How Ransomware Can Affect the Legal Industry

There’s never been a time when hackers have reaped the fruits of their malevolent work as the last decade. With the emergence of ransomware as a real threat to businesses and individuals alike, everybody is trying to figure out how...

/ June 14, 2017

How to Fix the SQL Injection Vulnerability in Ruby on Rails

In March, 2011, two hackers, “Ne0h” and “TinKode” compromised MySQL.com and posted the site’s customer usernames and passwords. According to the pair, they used the site’s SQL Injection (SQLi) vulnerabilities to launch the attack. Just over a year later, D33Ds Company,...

/ February 6, 2017

4 Tips to securing business data with an Identity and Access Management System

Almost two decades ago, Salesforce.com introduced the idea of delivering business applications over the internet. Today, most enterprises are shifting to the cloud. Consequently, businesses are having to hire cloud computing experts to train their employees to use cloud applications....

/ December 26, 2016

The Significance of Web App Security In The Face Of Rising Web Application Attacks

It might not be a stretch to suggest that information security is the single biggest threat in this modern age, especially in a tech world dominated by trends and advanced technologies like cloud computing, mobile computing, and big data. With...

/ December 21, 2016

3 Free Must-Use Encryption Services For 21st Century Businesses

For entrepreneurs used to paying for every third-party service they use in their business, it is easy to dismiss free encryption services. Yet, not all encryption services available for free are ludicrous. In fact, a number of them might surprise...

/ December 20, 2016

What a Typical Plan to Avoid a Data Breach Looks Like

Disasters such as earthquakes and floods are the usual suspects that come to one’s mind when thinking about disasters that affect a business. Unfortunately, there are other unforeseen circumstances as well which could lead to similar consequences. Some of them...

/ December 19, 2016

How Security as a Service Overcomes Challenges of a Traditional Security Setup

Security as a Service is yet another branch of cloud-based services. It is referred to as SaaS, SECaaS and simply cloud security. What is Security as a Service? Security as a Service refers to a set of security based services delivered...

/ December 18, 2016