Category: Security

Information security, sometimes referred to as InfoSec, is a strategy to protect data and to prevent the unauthorized storage, use, copying or modification of data. In information security, data can refer to information in both physical and electronic formats.

The information security process requires that a set of guidelines are followed regardless of whether the data is in use, at rest or in transit.

The core objectives of information security are:

Confidentiality – Ensuring that information is accessible only to the limited number of people authorized to see it
Integrity – Ensuring that the data is modified only by authorized individuals, so that it remains accurate and complete
Availability – Ensuring that the information is available whenever it is needed, by keeping the hardware, software and IT infrastructure used to access the data functional

These three objectives are commonly referred to as the CIA Triad.
Types of Threats
In information security, anything that could harm data is categorized as a threat. Threats include:

Natural – Earthquakes, storms, floods, fire, landslides, etc.
Competitors – Industry espionage, illegal infiltration, and competitive research
Media – Exposed trade secrets, bad press and publicity
Organized or Political – Espionage, terrorism, computer warfare, wiretapping, etc
Hackers – Social engineering, ransomware, malware, spyware, trojans, viruses, DDoS, DNS poisoning, etc
Criminal – Information blackmailing, kidnapping, extortion, theft, bribery, etc
Employee –  Human error, tampering, negligence, sabotage, vandalism, theft, etc

These threats can lead to theft of data, unauthorized access, misuse, data leakage, and loss of data due to physical damage, equipment failure or logical failure.
Cyber Crimes
Government agencies, hospitals, businesses, financial institutions, and many other industry sectors constantly gather and maintain a large amount of information pertaining to clients, customers and employees.

This data may contain an individual’s personal information such as health information, contact details, addresses, photos, email addresses, etc. Hackers commit cyber crimes to steal this information, which is then used as leverage against either the company or the individual concerned.

You are now 20 times more likely to be robbed while sitting at your computer by a criminal based overseas than held up in the street, according to the opening line of a report posted by The Telegraph this year.

Furthermore, a survey was conducted by ITworldcanada at the beginning of this year revealing that 28% of Canadian firms have been hit by cybercrime in the last 24 months.
Risk Management
Risk management is the process of identifying and assessing risks, and dedicating resources to monitor and minimize them.

In information security, risks refer to threats and vulnerabilities that could lead to data becoming exposed to third parties not authorized to access it.

In order to take appropriate countermeasures, a dedicated team is typically put in charge of conducting regular assessments for:

Security policies
Asset management
Human resources
Business continuity
Information security incident management
Access control

Security classification for information
Not all data generated is equal. Some may require the highest level of protection while others need less.

Information is not classified randomly. There is a process to be followed and criteria to be met. Some of the basic criteria are:

Value of the data to an organization
Ownership of the information
Law and regulatory requirements

Organizations usually have pre-defined labels for different types of data classification such as public, private, confidential, top secret, protected, unofficial, etc.
Access Controls
Access control is a technique used in information security in order to restrict access rights to systems, applications, and information to a limited number of people. It follows a selective restriction process so only a select few people are authorized for access.

The two main types of Access controls are:

Physical – Regulating access to floors, buildings, data centers, server rooms, etc.
Logical – Regulating access to systems, applications, networks, etc

There are various models of Access Controls, which are:

Attribute-based Access Control (ABAC) – The access rights are granted to the user through the use of policies after evaluating various attributes
Discretionary Access Control (DAC) – The system administrator or the owner of the data may decide who can or cannot access the information
History-Based Access Control (HBAC) – Users’ activities are evaluated in real time. The behavior and pattern of user interactions form the basis for deciding whether the user should be allowed to access the data
Identity-Based Access Control (IBAC) – The network or system administrators manage the access based on the user’s needs
Mandatory Access Control (MAC) – Users may require a security clearance when the data is classified with security labels
Organization-Based Access control (OrBAC) – The policy designer defines the security policies independently
Role-Based Access Control (RBAC) – Access rights are predefined by the role of the user within a company. The user’s access rights are outlined along with the job title
Rule-Based Access Control (RAC) – An organization may define rules as to when the information may be accessed. For example, access may not be allowed after 6pm or outside working hours
Responsibility Based Access control – The user’s rights may be decided by the responsibilities assigned to him/her. The rights may be subject to change at the beginning or end of the given responsibility
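As an added illustration (not code from the original page), the following policy engine combines four of the models listed above: an RBAC permission table, a MAC-style comparison of the user’s clearance against the data’s classification label (using the labels named in the classification section), the page’s rule-based example of no access after 6pm, and an ABAC check on a department attribute. All names, roles, labels and hours are hypothetical.

```python
from dataclasses import dataclass
from datetime import time

# MAC: hypothetical ordering of the classification labels named on the page.
LEVELS = {"public": 0, "private": 1, "confidential": 2, "top secret": 3}

# RBAC: hypothetical role -> allowed (resource kind, action) pairs.
ROLE_PERMS = {
    "analyst": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    clearance: str   # one of the LEVELS keys
    department: str  # attribute used by the ABAC check

@dataclass(frozen=True)
class Resource:
    kind: str
    label: str       # classification label, one of the LEVELS keys
    department: str  # owning department

def rbac_allows(user, resource, action):
    # Role-based: the action must be granted to at least one of the user's roles.
    return any((resource.kind, action) in ROLE_PERMS.get(r, set()) for r in user.roles)

def mac_allows(user, resource):
    # Mandatory: the user's clearance must be at least the data's label level.
    return LEVELS[user.clearance] >= LEVELS[resource.label]

def rule_allows(now, start=time(9, 0), end=time(18, 0)):
    # Rule-based: the page's example, no access after 6pm / outside working hours.
    return start <= now < end

def abac_allows(user, resource):
    # Attribute-based: user's department attribute must match the resource's.
    return user.department == resource.department

def decide(user, resource, action, now):
    # Every model must agree; the returned list names the checks that failed,
    # which is what an access log or audit trail would want to record.
    checks = {
        "rbac": rbac_allows(user, resource, action),
        "mac": mac_allows(user, resource),
        "rule": rule_allows(now),
        "abac": abac_allows(user, resource),
    }
    denied = [name for name, ok in checks.items() if not ok]
    return ("allow" if not denied else "deny", denied)
```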

Cryptography
The word cryptography is derived from Greek and literally means “hidden writing”. Cryptography is a form of communication that allows only the sender and receiver to read and understand the message.

The original message may be hidden inside an image. Or, the message may be replaced by a string of letters, numbers, and special characters that make the message appear unintelligible to everyone except the sender and the receiver.

The process of converting the original plaintext information into an unreadable format is known as Encryption, and the process of converting the information from the unreadable format back into the original plaintext is known as Decryption. The former is done at the sender’s end while the latter is done at the receiver’s end.

Programs which encrypt and decrypt information are referred to as Encryption Algorithms. Many different types of encryption algorithms have been developed over the years. The same encryption algorithm must be used at both the sender’s and the receiver’s end for the message to be decrypted successfully.
Information Security Governance
NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

It also specifically states that information security governance should not be confused with IT security management.

To put it in simpler words, companies today have their security frameworks segregated into many smaller frameworks. A security team is charged with the responsibility of carrying out security throughout the entire company.

It is virtually impossible for a small security team to both manage and secure the whole company. Information security governance makes sure that the security framework integrates all aspects (personnel, business processes, training, firewalls, etc) to ensure the survival of an organization.
Cloud Security – SECaaS
Security as a Service, also referred to as cloud security, is a security maintenance service that a business outsources to a third-party vendor on either a subscription or pay-as-you-go basis for cost efficiency. The security service is either delivered through the cloud or provided in-house by the service provider. Under this arrangement, the third party is ultimately responsible for the security management of the company.

An example of security as a service would be an anti-virus software solution delivered over the internet. The vendor is responsible for regularly updating the databases and definitions, updating the software and scanning at regular intervals.
Security Assessments
Security Assessments are an integral part of information security. They are conducted in order to locate and identify risks and vulnerabilities.

There are several methods for conducting security assessments, including:

Vulnerability Assessment – To check for weaknesses within a system, application or network that can be potentially leveraged by intruders to compromise data

Security Audits – Conducted by authorities to check if the concerned organization is in compliance with relevant rules and regulations

Penetration Testing – A company tasks penetration testers with finding back-door entries into the system by acting as an outsider would, in order to find and fix loopholes. The testers may be required only to find the loopholes, while a different department is tasked with fixing or patching them

Security Policy – A set of documents, updated regularly, outlining an organization’s plans to protect its IT assets

Risk Assessment – Conducted to determine what risks the company faces and which ones are acceptable. It assesses various levels of risks

IT Security Assessments Report – A report with detailed findings of a security assessment, along with steps to be taken to fix any security issues discovered
Web Security
Web or web application security is a branch of information security concerned with website security, web application security and the integrity of web based services.

Cloud vendors deliver their services over the internet via the user’s web browser. Hackers usually try to find loopholes at various levels, such as the network, web browser flaws, website flaws and flaws in web application code.

Web security encompasses techniques to find security loopholes and other vulnerabilities and fix them.
Email Security
Email security refers to the security procedures a company needs to undertake in order to secure email operations.

When sending and receiving emails, the email security team is expected to monitor any confidential information leaving the company network.

More importantly, they are expected to check for any harmful messages coming in from an outside network. Hackers are known to attack a user or company using various attack vectors such as phishing attacks, virus attacks and spamming.
Identity and Access Management
Identity and access management (IAM) is a framework developed to regulate and manage a user’s electronic identities.

The administrator is expected to provide, revoke or manage selective and conditional access rights for a user. Some of the benefits of IAM include:

Confidentiality of Data – Restricts the number of users accessing certain information
Performance – Helps enhance performance by removing users not needed for a process and thereby avoiding having too many active sessions
Segregated Tasks – Helps avoid confusion in terms of access by clearly defining groups along with their users who are the only authorized people to perform a specific task
Enhanced Security – IAM frameworks strengthen security by creating increased awareness

Data Loss
Data Loss is a critical concern of information security as it can threaten the viability of businesses, forcing many to shut down.

Some of the factors leading to data loss are:

Increasing threats and attacks – Hackers have been extremely active in the past few years, excelling in finding loopholes in networks, applications, etc to find avenues for removing or stealing data
Inside threats – Disgruntled employees are known to harm companies using a variety of methods, leveraging insider information that hackers would lack
Accidental information sharing – An employee may unknowingly share sensitive information with an outsider
Cloud-based storage and services – An employee may use unsecured personal cloud-based storage to store confidential company information
