With digital transformation and big data, information is an invaluable resource. Information allows us to communicate, conduct transactions, and build businesses, but it can also be weaponized if it falls into the wrong hands.
In this article, we’ll look at:
- What is information security?
- Information security goals in an organization
- Types of information security
- Examples of information security in the real world
- Information security certifications
What is information security?
Information security, sometimes abbreviated as InfoSec, encompasses the tools and processes organizations use to protect their information. This includes setting policies to ensure unauthorized persons cannot access business or personal information. InfoSec is a constantly growing and evolving field with many areas of specialization ranging from network and infrastructure security to testing and auditing.
Information security prevents the inspection, recording, modification, disruption, or destruction of sensitive information like account details or biometrics. Repercussions of security incidents can include identity theft, tampering with information, or data wiping. From a business perspective, security disruptions interrupt workflow and cost money while damaging a company’s reputation. Organizations need to allocate funds for security and ensure that their personnel are equipped to detect and deal with threats from software attacks like phishing, malware, viruses, malicious insiders, and ransomware.
Information Security vs Cybersecurity
Information security differs from cybersecurity in terms of scope and objectives. There is often confusion regarding these two terms, with many using them interchangeably, and some defining InfoSec as a subcategory of cybersecurity. However, information security is, in fact, the broader category, covering many areas including social media, mobile computing, and cryptography, as well as aspects of cybersecurity. It is also closely related to information assurance, which involves preserving information from threats like natural disasters and server malfunctions.
Cybersecurity covers only threats that involve the internet, so the two fields overlap but are not identical. Information security should also be distinguished from data security: information can be physical or digital, and only online information falls under cybersecurity, while cybersecurity that deals with raw data rather than information is not classified as information security.
Figure 1: Information security vs cyber security.
Information security goals in an organization
Information security focuses on three objectives: confidentiality, integrity, and availability, collectively known as CIA:
- Confidentiality—preventing the disclosure of information to unauthorized users. This requires implementing access restrictions to protect personal privacy and proprietary information. Failure to maintain confidentiality, whether as a result of an accident or an intentional breach, can have severe consequences for businesses or individuals, who often cannot undo the damage. For example, a compromised password is a breach of confidentiality, and once it has been exposed, there is no way to make it secret again. The most publicized security incidents often involve a breach of confidentiality.
- Data integrity—ensuring the accuracy and authenticity of data. Only authorized persons may edit data, and they need to follow procedures to prevent former employees from retaining the ability to alter company data. A failure of integrity could, for example, allow a malicious attacker to redirect traffic from your website, or to edit or delete the content on your website.
- Availability—authorized users should have reliable access to information when they need it. This often requires collaboration between departments, such as development teams, network operations, and management. An example of a common threat to availability is a denial of service (DoS) attack, where an attacker overloads or crashes the server to prevent users from accessing a website.
Types of Information Security
Application security involves protecting software applications by preventing, detecting, and fixing bugs and vulnerabilities. Software vulnerabilities often affect web and mobile applications, as well as application programming interfaces (APIs). They provide an entry point for malicious attacks, so you need to be able to find and fix them. Specialized tools for security testing and application shielding provide protection for various aspects of your application portfolio.
Security testing lets you find weaknesses in your code before you commit it. It can be static, involving code analysis at fixed points in the development pipeline; dynamic, involving analysis of running code; or interactive, which combines elements of both. App shielding tools like firewalls make it harder for attackers to carry out attacks.
Much of the security process takes place during the development stage, but efforts to secure your apps must continue after deployment. The responsibility for application security should cut across multiple teams, from network and desktop operations to development.
Cloud security includes the protection of data, applications, and infrastructures involved in cloud computing. High-level security concerns—unauthorized data exposure and leaks, weak access controls, susceptibility to attacks, and availability disruptions—affect traditional IT and cloud systems alike.
It can be a challenge to safely build and host your software on the cloud. Since cloud computing involves shared environments you have to make sure your process is adequately isolated. You also need to ensure that any third-party cloud applications you use are safe. However, centralization facilitates the management of your cloud security needs.
Some IT departments are reluctant to move mission-critical systems to the cloud. All cloud models, whether public, private, or hybrid, are susceptible to threats. You can apply a set of policies, controls, and tools to help protect your systems and data, maintain compliance with licenses and regulations, and safeguard the privacy of your users. For example, authentication rules limit access to authorized users or devices.
Your cloud provider may offer solutions for cloud security, which is the joint responsibility of your organization and provider. You need to choose the right security solution to protect your organization from threats like unauthorized access and data breaches while reaping the benefits of cloud computing.
Cryptography covers a range of techniques for communicating in a secure manner. Cryptography and encryption are becoming increasingly important as organizations store, edit, and transmit sensitive information online. You can use encryption to protect the confidentiality and integrity of your data while in transit and at rest and digital signatures to validate the authenticity of your data.
Examples of cryptography include blockchains and the advanced encryption standard (AES). A blockchain is a ledger of records or “blocks” that helps secure, among other things, cryptocurrencies like Bitcoin. AES is a symmetric key algorithm used by the US government to protect classified information.
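The previous two paragraphs name the three things cryptography buys you: confidentiality and integrity for stored or transmitted data, and authenticity via digital signatures. The following Go program is an added example (not code from the original article or from any product it mentions) that shows all three with the standard library: AES-256-GCM, an authenticated mode of AES, so that a one-bit change to the ciphertext is rejected on decryption, plus an Ed25519 signature over the sealed message. The key, the sample record and the associated-data label are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext with AES-256-GCM. GCM is an authenticated mode: the
// output carries a tag, so decryption detects any modification (integrity) as
// well as hiding the content (confidentiality). A fresh random 12-byte nonce is
// prepended to the output; a nonce must never be reused with the same key.
func Encrypt(key, plaintext, associatedData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, associatedData), nil
}

// Decrypt opens a message produced by Encrypt. It fails if the key, nonce,
// associated data or ciphertext differ from what was sealed.
func Decrypt(key, sealed, associatedData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, associatedData)
}

// Sign and Verify use Ed25519 so a recipient can confirm who produced a
// message (authenticity), which encryption alone does not establish.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

func Verify(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

// RoundTrip exercises the three properties on a constructed record and reports
// whether honest decryption worked, whether a one-bit tamper was detected, and
// whether the signature verified on the genuine message but not the tampered one.
func RoundTrip() (decryptedOK, tamperDetected, signatureOK bool, err error) {
	key := make([]byte, 32) // constructed 256-bit key; in practice it comes from a key store
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return
	}
	record := []byte(`{"account":"ACCT-0001","balance":2500}`) // constructed sample record
	aad := []byte("ledger-v1")                                // authenticated but not encrypted

	sealed, err := Encrypt(key, record, aad)
	if err != nil {
		return
	}
	plain, decErr := Decrypt(key, sealed, aad)
	decryptedOK = decErr == nil && string(plain) == string(record)

	// Flip one bit of the sealed message: GCM's tag check must reject it.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := Decrypt(key, tampered, aad)
	tamperDetected = tamperErr != nil

	// Sign the sealed bytes so the recipient can attribute them to the key holder.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	sig := Sign(priv, sealed)
	signatureOK = Verify(pub, sealed, sig) && !Verify(pub, tampered, sig)
	return
}

func main() {
	d, t, s, err := RoundTrip()
	fmt.Println("decrypted:", d, "tamper detected:", t, "signature ok:", s, "error:", err)
}
```

The associated data is the part of a record you want bound to the ciphertext without hiding it (a version label, a record ID); decrypting with a different label fails just as a modified ciphertext does.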
Traditional security perimeters protecting digital infrastructures are becoming blurred. As organizations take advantage of information technology and the internet, critical infrastructures like data centers, internal and external networks, servers, desktops, and mobile devices have become highly interconnected. This makes them vulnerable to threats like sabotage by a disgruntled employee or cyber terrorist groups, information warfare waged by private profiteers or rival countries, and natural disasters like earthquakes or hurricanes that can damage physical structures.
The interdependence of infrastructures means that a failure or disruption in one system can spread to others. You can reduce this risk by restricting access points between networks. You should also ensure all your data is backed up, which can mitigate the damage to your infrastructure.
An incident response plan (IRP) in place allows you to prepare for breaches and mitigate the damage. This includes detecting and investigating suspicious activity so you can contain the threat and restore your system in the event of an attack. If you don’t respond immediately to a security incident, it can result in greater damage or system collapse, as well as litigation. It is also important to notify anyone who may be affected by the breach as soon as possible.
An IRP in the form of a clear set of written instructions ensures that your computer security incident response team (CSIRT) knows how to respond to an information security breach, and lets you manage the aftermath and reduce recovery time and costs. The response team should be preselected and include information security staff as well as representatives from the legal and human resource departments.
Include a mechanism for recording evidence for forensic analysis and legal purposes in the plan. The data from previous security incidents can help you discover or prevent a recurrence.
Vulnerability management is a means of reducing the risk of flaws in code or in the design of an application. When you expand your infrastructure, provide access to new users, or add new applications to your system, you are also increasing the potential vectors for attack. You can also find new vulnerabilities in old code.
Build in a schedule to scan your digital environment regularly for potential vulnerabilities so you can apply patches or remove defective code. Having a system in place to assess the risks associated with vulnerabilities will help you find and prioritize remediation. It is important to identify vulnerabilities early on so you can save your organization the costs of a breach.
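The paragraph above calls for a system that assesses the risk of each vulnerability and prioritizes remediation. The Go program below is an added example, not code from the original article or from any scanner or vendor it mentions, of one such prioritization step: it takes a scanner's findings, weights the technical severity by the asset's criticality, exposure, exploit availability and age, and produces a remediation queue with a deadline per finding. The `Finding` type, the weights, the SLA thresholds and the sample findings are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is one vulnerability observation from a scanner run. The fields and
// the sample values further down are constructed for this example.
type Finding struct {
	ID               string  // placeholder scanner identifier
	Asset            string  // hostname of the affected asset
	BaseScore        float64 // CVSS-style base severity, 0-10
	InternetExposed  bool    // asset reachable from the internet
	ExploitAvailable bool    // a public exploit is known to exist
	AssetCriticality int     // 1 (low) .. 3 (business critical)
	DaysOpen         int     // days since the finding was first reported
}

// RiskScore combines severity with context: the same CVE on an internet-facing
// business-critical server outranks it on an isolated test box. The weights are
// illustrative; a real program would tune them to its own environment.
func RiskScore(f Finding) float64 {
	score := f.BaseScore * float64(f.AssetCriticality)
	if f.InternetExposed {
		score *= 1.5
	}
	if f.ExploitAvailable {
		score *= 1.5
	}
	if f.DaysOpen > 30 { // stale findings get a nudge so they do not sit forever
		score *= 1.2
	}
	return score
}

// SLADays maps a risk score to a remediation deadline in days (assumed policy).
func SLADays(score float64) int {
	switch {
	case score >= 30:
		return 7
	case score >= 15:
		return 30
	default:
		return 90
	}
}

// Prioritize returns a copy of the findings ordered highest risk first, with
// ties broken by ID so the queue is stable from run to run.
func Prioritize(findings []Finding) []Finding {
	queue := append([]Finding(nil), findings...)
	sort.SliceStable(queue, func(i, j int) bool {
		ri, rj := RiskScore(queue[i]), RiskScore(queue[j])
		if ri != rj {
			return ri > rj
		}
		return queue[i].ID < queue[j].ID
	})
	return queue
}

// SampleFindings is a constructed scanner output used as input for the example.
func SampleFindings() []Finding {
	return []Finding{
		{"VULN-A", "web-01", 9.8, true, true, 3, 3},
		{"VULN-B", "db-02", 7.5, false, false, 3, 45},
		{"VULN-C", "dev-laptop-17", 5.3, false, true, 1, 10},
		{"VULN-D", "web-01", 4.3, true, false, 3, 2},
	}
}

func main() {
	for _, f := range Prioritize(SampleFindings()) {
		r := RiskScore(f)
		fmt.Printf("%-7s %-14s risk=%6.2f  fix within %2d days\n", f.ID, f.Asset, r, SLADays(r))
	}
}
```

Note that VULN-B, a medium-severity finding with no exploit and no internet exposure, still lands ahead of the exposed VULN-D because it sits on a critical database and has been open for over a month; raw severity alone would have ordered them the other way.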
Examples of information security in the real world
Data Loss Prevention at Berkshire Bank
Berkshire Bank wanted to restructure its data loss prevention (DLP) solution to provide more detailed reports. They turned to Exabeam to help manage their new DLP and provide greater visibility by combining all the data on user behaviour into a single user-friendly timeline. The ease of use also reduces ramp-up time and allows the security team to be proactive.
In the past, the bank’s security team would receive alerts saying only that a user attempted to send something and it was blocked. Now, they can track how many attempts were made, if the blocked object was being sent via email, and if the user also tried to print it or load it onto a USB. This allows security analysts to determine whether this activity was malicious.
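The capability described above, turning isolated "blocked" alerts into a per-user timeline that shows how many attempts were made and across which channels, is straightforward to illustrate. The Go program below is an added example, not Exabeam's product code or anything from the bank, that parses a handful of constructed DLP log lines, builds a time-ordered timeline per user, counts blocked attempts, and escalates any user whose blocked attempts span several channels. The log format, field names, users and file names are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one DLP decision parsed from a log line (hypothetical format).
type Event struct {
	Time    time.Time
	User    string
	Channel string // email, print, usb
	Action  string // blocked or allowed
	Object  string
}

// SampleLog is constructed input; the last line is deliberately malformed to
// show that unparseable records are skipped rather than crashing the summary.
const SampleLog = `2024-05-02T09:14:05Z user=jdoe channel=email action=blocked object=Q1-forecast.xlsx
2024-05-02T09:16:40Z user=jdoe channel=print action=blocked object=Q1-forecast.xlsx
2024-05-02T09:20:12Z user=jdoe channel=usb action=blocked object=Q1-forecast.xlsx
2024-05-02T10:02:00Z user=asmith channel=email action=blocked object=team-offsite.pdf
2024-05-02T10:05:31Z user=asmith channel=email action=allowed object=agenda.docx
this line is malformed and should be skipped`

// ParseLine reads "<RFC3339 time> key=value ..." and reports false on bad input.
func ParseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return Event{}, false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, false
	}
	ev := Event{Time: ts}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Event{}, false
		}
		switch parts[0] {
		case "user":
			ev.User = parts[1]
		case "channel":
			ev.Channel = parts[1]
		case "action":
			ev.Action = parts[1]
		case "object":
			ev.Object = parts[1]
		}
	}
	if ev.User == "" || ev.Channel == "" || ev.Action == "" {
		return Event{}, false
	}
	return ev, true
}

// UserSummary is the single timeline view an analyst would read for one user.
type UserSummary struct {
	User     string
	Blocked  int      // number of blocked attempts
	Channels []string // distinct channels with a blocked attempt, sorted
	Timeline []Event  // every event for the user, in time order
}

// Summarize groups events by user and orders each user's timeline by time.
func Summarize(log string) map[string]*UserSummary {
	out := map[string]*UserSummary{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		ev, ok := ParseLine(sc.Text())
		if !ok {
			continue
		}
		s := out[ev.User]
		if s == nil {
			s = &UserSummary{User: ev.User}
			out[ev.User] = s
		}
		s.Timeline = append(s.Timeline, ev)
	}
	for _, s := range out {
		sort.Slice(s.Timeline, func(i, j int) bool { return s.Timeline[i].Time.Before(s.Timeline[j].Time) })
		seen := map[string]bool{}
		for _, ev := range s.Timeline {
			if ev.Action != "blocked" {
				continue
			}
			s.Blocked++
			if !seen[ev.Channel] {
				seen[ev.Channel] = true
				s.Channels = append(s.Channels, ev.Channel)
			}
		}
		sort.Strings(s.Channels)
	}
	return out
}

// Escalate lists users whose blocked attempts touched at least minChannels
// distinct channels: the same file tried over email, print and USB is the
// pattern that separates a mistaken click from something an analyst should review.
func Escalate(summaries map[string]*UserSummary, minChannels int) []string {
	var users []string
	for u, s := range summaries {
		if len(s.Channels) >= minChannels {
			users = append(users, u)
		}
	}
	sort.Strings(users)
	return users
}

func main() {
	summaries := Summarize(SampleLog)
	for _, s := range summaries {
		fmt.Printf("%s: %d blocked over %v\n", s.User, s.Blocked, s.Channels)
	}
	fmt.Println("escalate:", Escalate(summaries, 2))
}
```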
Security operations center at Grant Thornton
A security operations center (SOC) is the team responsible for cybersecurity at the organizational level, combining tools and practices to monitor, assess, and defend information systems. Without a clear SOC charter, the IT security team may not have authority across the network and over sub-environments. To help the SOC achieve its goals and protect the company’s systems and data, Grant Thornton partnered with Exabeam.
The Exabeam solution created a central repository for all of the data and tools in the form of a data lake. Centralization saves time, as analysts don’t have to search across multiple tools to find security issues. The SOC can also use advanced analytics, which are tightly integrated into the security solution, and generate answers to security issues automatically.
Incident Response at WSU
Security threats are often predictable, but they can also be harder to detect, requiring responses with many steps. Wright State University (WSU) found a growing trend of advanced threat actors adjusting their techniques to avoid detection. WSU implemented Exabeam to better detect, understand, and deal with complex information security threats.
Exabeam Security Management Platform’s security orchestration, automation, and response (SOAR) tool makes incident response more efficient and effective, while a user and entity behavior analytics (UEBA) tool provides insights into security incidents. Analysts can program Incident Responder playbooks to take partially or fully automated actions. SOAR scans for and removes malware files, identifies the attacker’s source IP address, notifies the user, and performs a post-analysis cleanup.
By automating investigation and mitigation processes, WSU’s security teams can improve the success of their response plan. The WSU incident response plan details response steps, including an intrusion checklist, and addresses the usage of security tools.
Information security certifications
Information security practitioners require training and certification to ensure they are equipped to deal with various IT security tasks. Certification requirements vary with the role. Basic certificates may suffice for junior IT professionals, while the chief information security officer (CISO) or certified information security manager (CISM) of your organization may require more advanced training. Nonprofit organizations typically provide widely accepted security certifications, but some products require vendor-specific training.
Provided by the US-based Computing Technology Industry Association (CompTIA), this certification represents the most basic level of training for any cybersecurity professional. The exam covers the core knowledge necessary to identify and solve IT security issues. It is suitable for entry-level positions like junior auditors and penetration testers.
Certified Information Systems Security Professional (CISSP)
CISSP is an advanced certification provided by the International Information System Security Certification Consortium, known as (ISC)². It isn’t suitable for all cybersecurity personnel and is typically reserved for senior positions like security managers.
The flexibility and convenience of IT solutions like cloud computing and the internet of things have become indispensable to many organizations, including private companies and governments, but they also expose sensitive information to theft and malicious attacks. It’s not possible to avoid the internet, but you can ensure that you have a system in place to secure your information and manage breaches when they do occur.