Category: Security

Information security, sometimes referred to as InfoSec, is a strategy to protect data and prevent unauthorized access to store, use, copy or modify data. In information security, data can refer to information in both physical and electronic formats.

The information security process requires that a set of guidelines are followed regardless of whether the data is in use, at rest or in transit.

The core objectives of information security are:

1. Confidentiality – Ensuring that information is restricted to a limited number of people
2. Integrity –  Ensuring that the data is accessed only by authorized individuals
3. Availability – Availability of data ensures that the information is always available at all times by ensuring the hardware, software or IT infrastructure being used to access data are always functional

These three objectives are commonly referred to as the CIA Triad.

Types of Threats

In information security, anything that threatens data falls under the category of threats, which could be:

1. Natural – Earthquakes, storms, floods, fire, landslides, etc.
2. Competitors – Industry espionage, illegal infiltration, and competitive research
3. Media – Exposed trade secrets, bad press and publicity
4. Organized or Political – Espionage, terrorism, computer warfare, wiretapping, etc
5. Hackers – Social engineering, ransomware, malware, spyware, trojans, viruses, DDoS, DNS poisoning, etc
6. Criminal – Information blackmailing, kidnapping, extortion, theft, bribery, etc
7. Employee –  Human error, tampering, negligence, sabotage, vandalism, theft, etc

These threats can lead to theft of data, unauthorized access, misuse, data leakage, loss of data due to equipment, physical damage and equipment or logical failure.

Cyber Crimes

Government agencies, hospitals, businesses, financial institutions, and many other industry sectors constantly gather and maintain a large amount of information pertaining to clients, customers and employees.

This data may contain an individual’s personal information such as health information, contact details, addresses, photos, email addresses, etc. Hackers commit cyber crimes to steal this information which is then used as leverage against either the company or the concerned individual.

You are now 20 times more likely to be robbed while sitting at your computer by a criminal based overseas than held up in the street, according to the opening line of a report posted by The Telegraph this year.

Furthermore, a survey was conducted by ITworldcanada at the beginning of this year revealing that 28% of Canadian firms have been hit by cybercrime in the last 24 months.

Risk Management

Risk management is the process of identifying and assessing risks, and dedicating resources to monitor and minimize them.

In information security, risks refer to threats and vulnerabilities that could lead to data becoming exposed to third parties not authorized to access it.

In order to take appropriate countermeasures, a dedicated team is typically put in charge of conducting regular assessments for:

1. Security policies
2. Communications
3. Asset management
4. Human resources
5. Compliance
6. Business continuity
7. Information security incident management
8. Access control

Security classification for information

Not all data generated is equal. Some may require the highest level of protection while others need less.

Information is not classified randomly. There is a process to be followed and criteria to be met. Some of the basic criteria are:

1. Value of the data to an organization
2. On the basis of the owner of the information
3. Law and regulatory requirements

Organizations usually have pre-defined labels for different types of data classification such as public, private, confidential, top secret, protected, unofficial, etc.

Access Controls

Access control is a technique used in information security in order to restrict access rights to systems, applications, and information to a limited number of people. It follows a selective restriction process so only a select few people are authorized for access.

The two main types of Access controls are:

1. Physical – Regulating access to floors, buildings, data centers, server rooms, etc.
2. Logical – Regulating access to systems, applications, networks, etc

There are various models of Access Controls, which are:

1. Attribute-based Access Control (ABAC) – The access rights are granted to the user through the use of policies after evaluating various attributes
2. Discretionary Access Control (DAC) – The system administrator or the owner of the data may decide who can or cannot access the information
3. History-Based Access Control (HBAC) – Users’ activities are evaluated in real time. The behavior and pattern of user interactions forms the basis of deciding whether the user should be allowed to access the data
4. Identity-Based Access Control (IBAC) – The network or system administrators manage the access based on the user’s needs
5. Mandatory Access Control (MAC) – Users may require a security clearance when the data is classified with security labels
6. Organization-Based Access control (OrBAC) – The policy designer defines the security policies independently
7. Role-Based Access Control (RBAC) – Access rights are predefined by the role of the user within a company. The user’s access rights are outlined along with the job title
8. Rule-Based Access Control (RAC) – An organization may define rules as to when the information may be accessed. For eg. access may not be allowed after 6pm or after working hours
9. Responsibility Based Access control – The user’s rights may be decided by the responsibilities assigned to him/her. The rights may be subject to change at the beginning or end of the given responsibility

Cryptography

The word cryptography is derived from greek and literally means “hidden writing”. Cryptography is a form of communication which only allows the sender and receiver to read and understand the message.

The original message may be hidden inside an image. Or, the message may be replaced by a string of letters, numbers, and special characters that make the message appear unintelligible to everyone except the sender and the receiver.

The process of conversion from the original plaintext information to the to unreadable format is known as Encryption. And the process of re-conversion of the information from an unreadable format to original plaintext information is known as Decryption. The former is done at the sender’s end while the latter is done at the receiver’s end.

Programs which encrypt and decrypt information are referred to as Encryption Algorithms. Many different types of encryption algorithms have been developed over the years. The same encryption algorithms must be used on the both the sender’s and receiver’s end for a successful encryption.

Governance

NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

It also specifically states that information security governance should not be confused with IT security management.

To put it in simpler words, companies today have their security frameworks segregated into many smaller frameworks. A security team is charged with the responsibility of carrying out security throughout the entire company.

It is virtually impossible for a small security team to both manage and secure the whole company. Information security governance makes sure that the security framework integrates all aspects (personnel, business processes, training, firewalls, etc) to ensure the survival of an organization.

Cloud Security – SECaaS

Security as a Service, also referred to as cloud security, is a security maintenance service that a business outsources to a third party vendor on either a subscription or pay-as-you-go basis for cost efficiency. The security service is either delivered through the cloud or provided in-house by the service provider. Under this scenario, the third party is ultimately responsible for the security management of the company.

An example of security as a service would be an anti-virus software solution delivered over the internet. The vendor is responsible for regularly updating the databases and definitions, updating the software and scanning at regular intervals.

Security Assessments

Security Assessments are an integral part of information security. They are conducted in order to locate and identify risks and vulnerabilities.

There are several methods for conducting security assessments, including:

Vulnerability Assessment – To check for weaknesses within a system, application or network that can be potentially leveraged by intruders to compromise data

Security Audits – Conducted by authorities to check if the concerned organization is in compliance with relevant rules and regulations

Penetration Testing – A company provides tasks to penetration testers to find back door entries into the system by pretending to be an outsider, in order to find and fix loopholes. It is possible they may only be required to find loopholes and a different department may be given the task to fix or patch them

Security Policy – A set of documents, updated regularly, outlining an organization’s plans to protect its IT assets

Risk Assessment – Conducted to determine what risks the company faces and which ones are acceptable. It assesses various levels of risks

IT Security Assessments Report – A report with detailed findings of a security assessment, along with steps to be taken to fix any security issues discovered

Web Security

Web or web application security is a branch of information security concerned with website security, web application security and the integrity of web based services.

Cloud vendors deliver their services through the internet via the user’s web browser. Hackers usually try to find loopholes in various levels such as networks, web browser flaws, website flaws and web-based application flaws in application codes.

Web security encompasses techniques to find security loopholes and other vulnerabilities and fix them.

Email Security

Email security refers to the security procedures a company needs to undertake in order to secure email operations.

When sending and receiving emails, the email security team is expected to monitor any confidential information leaving the company network.

More importantly, they are expected to check for any harmful messages coming in from an outside network. Hackers are known to attack a user or company using various attack vectors such as phishing attacks, virus attacks and spamming.

Identity and Access Management

Identity and access management (IAM) is a framework developed to regulate and manage a user’s electronic identities.

The administrator is expected to provide, revoke or manage selective and conditional access rights for a user. Some of the benefits of IAM include:

1. Confidentiality of Data – Restricts the number of users accessing certain information
2. Performance – Helps enhance performance by removing users not needed for a process and thereby avoiding having too many active sessions
3. Segregated Tasks – Helps avoid confusion in terms of access by clearly defining groups along with their users who are the only authorized people to perform a specific task
4. Enhanced Security – IAM frameworks strengthen security by creating increased awareness

Data Loss

Data Loss is a critical concern of information security as it can threaten the viability of businesses, forcing many to shut down.

Some of the factors leading to data loss are:

1. Increasing threats and attacks – Hackers have been extremely active in the past few years, excelling in finding loopholes in networks, applications, etc to find avenues for removing or stealing data
2. Inside threats – Disgruntled employees are known to harm companies using a variety of methods, leveraging insider information that hackers would lack
3. Accidental information sharing – An employee may unknowingly share sensitive information with an outsider without being aware of their actions
4. Cloud-based storage and services – An employee may use unsecured personal cloud-based storage to store confidential company information