Information security (InfoSec): The Complete Guide
Information security (InfoSec) enables organizations to protect digital and analog information. InfoSec provides coverage for cryptography, mobile computing, social media, as well as infrastructure and networks containing private, financial, and corporate information. Cybersecurity, on the other hand, protects both raw and meaningful data, but only from internet-based threats.
Organizations implement information security for a wide range of reasons. The main objectives of InfoSec are typically related to ensuring confidentiality, integrity, and availability of company information. Since InfoSec covers many areas, it often involves the implementation of various types of security, including application security, infrastructure security, cryptography, incident response, vulnerability management, and disaster recovery.
This guide provides an in-depth look into the field of information security, including definitions as well as roles and responsibilities of CISOs and SOCs. You will also learn about common information security risks, technologies, and certifications.
In this article, we’ll look at:
- What is information security?
- Types of information security
- What a CISO does
- Definition and types of security operations centers (SOC)
- Common information security risks
- Information security technologies
- Examples of information security in the real world
- Information security certifications
What Is Information Security?
InfoSec, or information security, is a set of tools and practices that you can use to protect your digital and analog information. InfoSec covers a range of IT domains, including infrastructure and network security, auditing, and testing. It uses tools like authentication and permissions to restrict unauthorized users from accessing private information. These measures help you prevent harms related to information theft, modification, or loss.
Information Security vs Cybersecurity
Although both security strategies, cybersecurity and information security cover different objectives and scopes with some overlap. Information security is a broader category of protections, covering cryptography, mobile computing, and social media. It is related to information assurance, used to protect information from non-person-based threats, such as server failures or natural disasters. In comparison, cybersecurity only covers Internet-based threats and digital data. Additionally, cybersecurity provides coverage for raw, unclassified data while information security does not.
Information Security Goals in an Organization
There are three main objectives protected by information security, collectively known as CIA:
- Confidentiality—prevents unauthorized users from accessing information to protect the privacy of information content. Confidentiality is maintained through access restrictions. Breaches of confidentiality can occur due to human error, intentional sharing, or malicious entry.
- Integrity—ensures the authenticity and accuracy of information. Integrity is maintained by restricting permissions for editing or the ability to modify information. Loss of integrity can occur when analog information is not protected from environmental conditions, digital information is not transferred properly, or when users make unapproved changes.
- Availability—ensures that authorized users can reliably access information. Availability is maintained through continuity of access procedures, backup or duplication of information, and maintenance of hardware and network connections. Loss of availability can occur when networks are attacked, when natural disasters strike, or when client devices fail.
Types of Information Security
When considering information security, there are many subtypes that you should know. These subtypes cover specific types of information, tools used to protect information and domains where information needs protection.
Application security strategies protect applications and application programming interfaces (APIs). You can use these strategies to prevent, detect and correct bugs or other vulnerabilities in your applications. If not secured, application and API vulnerabilities can provide a gateway to your broader systems, putting your information at risk.
Much of application security is based on specialized tools for application shielding, scanning and testing. These tools can help you identify vulnerabilities in applications and surrounding components. Once found, you can correct these vulnerabilities before applications are released or vulnerabilities are exploited. Application security applies to both applications you are using and those you may be developing since both need to be secured.
Infrastructure security strategies protect infrastructure components, including networks, servers, client devices, mobile devices, and data centers. The growing connectivity between these, and other infrastructure components, puts information at risk without proper precautions.
This risk is because connectivity extends vulnerabilities across your systems. If one part of your infrastructure fails or is compromised, all dependent components are also affected. Due to this, an important goal of infrastructure security is to minimize dependencies and isolate components while still allowing intercommunications.
Cloud security provides similar protections to application and infrastructure security but is focused on cloud or cloud-connected components and information. Cloud security adds extra protections and tools to focus on the vulnerabilities that come from Internet-facing services and shared environments, such as public clouds. It also tends to include a focus on centralizing security management and tooling. This centralization enables security teams to maintain visibility of information and information threats across distributed resources.
Another aspect of cloud security is a collaboration with your cloud provider or third-party services. When using cloud-hosted resources and applications, you are often unable to fully control your environments since the infrastructure is typically managed for you. This means that cloud security practices must account for restricted control and put measures in place to limit accessibility and vulnerabilities stemming from contractors or vendors.
Cryptography uses a practice called encryption to secure information by obscuring the contents. When information is encrypted, it is only accessible to users who have the correct encryption key. If users do not have this key, the information is unintelligible. Security teams can use encryption to protect information confidentiality and integrity throughout its life, including in storage and during transfer. However, once a user decrypts the data, it is vulnerable to theft, exposure, or modification.
To encrypt information, security teams use tools such as encryption algorithms or technologies like blockchain. Encryption algorithms, like the Advanced Encryption Standard (AES), are more common since there is more support for these tools and less overhead for use.
Incident response is a set of procedures and tools that you can use to identify, investigate, and respond to threats or damaging events. It eliminates or reduces damage caused to systems due to attacks, natural disasters, system failures, or human error. This damage includes any harm caused to information, such as loss or theft.
A commonly used tool for incident response is an incident response plan (IRP). IRPs outline the roles and responsibilities for responding to incidents. These plans also inform security policy, provide guidelines or procedures for action, and help ensure that insight gained from incidents is used to improve protective measures.
Vulnerability management is a practice meant to reduce inherent risks in an application or system. The idea behind this practice is to discover and patch vulnerabilities before issues are exposed or exploited. The fewer vulnerabilities a component or system has, the more secure your information and resources are.
Vulnerability management practices rely on testing, auditing, and scanning to detect issues. These processes are often automated to ensure that components are evaluated to a specific standard and to ensure vulnerabilities are uncovered as quickly as possible. Another method that you can use is threat hunting, which involves investigating systems in real-time to identify signs of threats or to locate potential vulnerabilities.
Disaster recovery strategies protect your organization from loss or damage due to unforeseen events, such as ransomware, natural disasters, or single points of failure. Disaster recovery strategies typically account for how you can recover information, how you can restore systems, and how you can resume operations. These strategies are often part of a business continuity management (BCM) plan, designed to enable organizations to maintain operations with minimal downtime.
Who are CISOs?
Chief information security officers (CISOs) are people responsible for managing and ensuring the protection of an organization’s information. This role may be a stand-alone position or be included under the responsibilities of the vice president (VP) of security or the chief security officer (CSO).
The responsibilities of a CISO include managing:
- Security operations—includes real-time monitoring, analysis, and triage of threats.
- Cyber risk and cyber intelligence—includes maintaining current knowledge of security threats and keeping executive and board teams informed of the potential impacts of risks.
- Data loss and fraud prevention—includes monitoring for and protecting against insider threats.
- Security architecture—includes applying security best practices to the acquisition, integration, and operation of hardware and software.
- Identity and access management—includes ensuring proper use of authentication measures, authorization measures, and privilege granting.
- Program management—includes ensuring proactive maintenance of hardware and software through audits and upgrades.
- Investigations and forensics—includes collecting evidence, interacting with authorities, and ensuring that postmortems are performed.
- Governance—includes verifying that all security operations operate smoothly and serving as a mediator between leadership and security operations.
What Is a Security Operations Center?
A security operations center (SOC) is a collection of tools and team members that continuously monitor and ensure an organization’s security. SOCs serve as a unified base from which teams can detect, investigate, respond to, and recover from security threats or vulnerabilities. In particular, SOCs are designed to help organizations prevent and manage cybersecurity threats.
The main idea behind a SOC is that centralized operations enable teams to more efficiently manage security by providing comprehensive visibility and control of systems and information. These centers combine security solutions and human expertise to perform or direct any tasks associated with digital security.
Three main models are used to implement SOCs:
- Internal SOC—composed of dedicated employees operating from inside an organization. These centers provide the highest level of control but have high upfront costs and can be challenging to staff because recruiting people with the right expertise is difficult. Internal SOCs are typically created by enterprise organizations with mature IT and security strategies.
- Virtual SOC—use managed, third-party services to provide coverage and expertise for operations. These centers are easy to set up, highly scalable, and require fewer upfront costs. The downsides are that organizations are reliant on vendors and have less visibility and control over their security. Virtual SOCs are often adopted by small to medium organizations, including those without in-house IT teams.
- Hybrid SOC—combine in-house teams with outsourced teams. These centers use managed services to supplement gaps in coverage or expertise, for example to ensure 24/7 monitoring without having to arrange internal overnight shifts. Hybrid SOCs can enable organizations to maintain a higher level of control and visibility without sacrificing security. The downside of these centers is that costs are often higher than virtual SOCs and coordination can be challenging.
Common Information Security Risks
In your daily operations, many risks can affect your system and information security. Some common risks to be aware of are included below.
Social engineering attacks
Social engineering involves using psychology to trick users into providing information or access to attackers. Phishing is one common type of social engineering, usually done through email. In phishing attacks, attackers pretend to be trustworthy or legitimate sources requesting information or warning users about a need to take action. For example, emails may ask users to confirm personal details or log in to their accounts via an included (malicious) link. If users comply, attackers can gain access to credentials or other sensitive information.
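The lure the paragraph describes, a message whose visible text names the expected site while the link points somewhere else, is something a mail gateway can screen for before delivery. The following Python script is an added example for this guide, not code from the original article or from Exabeam: it parses the anchors in a constructed HTML message and flags links whose target host is not on a trusted-domain list, distinguishing the case where the display text names a trusted domain. The message, domains, and trusted list are constructed placeholders.

```python
"""Check e-mail links for display-text/target mismatches.

Added example for this guide, not code from the original article or from
Exabeam. The message, the domains and the trusted-domain list below are
constructed placeholders (RFC 2606 example names).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message of the kind the text describes: the visible text
# names the expected site, but the href points somewhere else.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention. Please
<a href="http://login-verify.example.net/auth">log in at https://bank.example.com</a>
to confirm your details.</p>
<p>Or visit <a href="https://bank.example.com/help">our help page</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host, trusted_domains):
    """True when host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def suspicious_links(html, trusted_domains):
    """Return [(href, reason)] for links worth flagging: the visible text
    names a trusted domain but the target differs, or the target is simply
    not one of the trusted domains."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        if _is_trusted(target, trusted_domains):
            continue
        text_names_trusted = any(d in text.lower() for d in trusted_domains)
        if text_names_trusted:
            findings.append((href, "display text names a trusted domain, target differs"))
        else:
            findings.append((href, "target outside trusted domains"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL_HTML, ["bank.example.com"]):
        print(f"{reason}: {href}")
```

The first-reason case is the one worth routing to the user as a warning, since it is exactly the mismatch a reader cannot see in a rendered message; the second is a weaker signal and in practice would be combined with sender reputation rather than blocked outright.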
Advanced persistent threats (APT)
APTs are threats in which individuals or groups gain access to your systems and remain for an extended period. Attackers carry out these attacks to collect sensitive information over time or as the groundwork for future attacks. APT attacks are performed by organized groups that may be paid by competing nation-states, terrorist organizations, or industry rivals.
Insider threats
Insider threats are vulnerabilities created by individuals within your organization. These threats may be accidental or intentional, and involve attackers abusing “legitimate” privileges to access systems or information. In the case of accidental threats, employees may unintentionally share or expose information, download malware, or have their credentials stolen. With intentional threats, insiders intentionally damage, leak, or steal information for personal or professional gain.
Cryptojacking
Cryptojacking, also called crypto mining, is when attackers abuse your system resources to mine cryptocurrency. Attackers typically accomplish this by tricking users into downloading malware or when users open files with malicious scripts included. Some attacks are also performed locally when users visit sites that include mining scripts.
Distributed denial of service (DDoS)
DDoS attacks occur when attackers overload servers or resources with requests. Attackers can perform these attacks manually or through botnets, networks of compromised devices used to distribute request sources. The purpose of a DDoS attack is to prevent users from accessing services or to distract security teams while other attacks occur.
Ransomware
Ransomware attacks use malware to encrypt your data and hold it for ransom. Typically, attackers demand information, that some action be taken, or payment from an organization in exchange for decrypting data. Depending on the type of ransomware used, you may not be able to recover data that is encrypted. In these cases, you can only restore data by replacing infected systems with clean backups.
Man-in-the-middle (MitM) attack
MitM attacks occur when communications are sent over insecure channels. During these attacks, attackers intercept requests and responses to read the contents, manipulate the data, or redirect users.
There are multiple types of MitM attacks, including:
- Session hijacking—in which attackers substitute their own IP address for a legitimate user's, using that user's session and credentials to gain system access.
- IP spoofing—in which attackers imitate trusted sources to send malicious information to a system or request information back.
- Eavesdropping attacks—in which attackers collect information passed in communications between legitimate users and your systems.
Information Security Technologies
Creating an effective information security strategy requires adopting a variety of tools and technologies. Most strategies adopt some combination of the following technologies.
Firewalls
Firewalls are a layer of protection that you can apply to networks or applications. These tools enable you to filter traffic and report traffic data to monitoring and detection systems. Firewalls often use established lists of approved or unapproved traffic and policies determining the rate or volume of traffic allowed.
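To make the two mechanisms the paragraph names concrete, an ordered allow/deny list and a per-source rate policy, here is a small packet-filter model in Python. It is an added example for this guide, not code from the original article or from any firewall product: rules are evaluated first-match with a default deny, an allowed source that exceeds a sliding-window packet budget is marked rate-limited, and every decision is logged for a monitoring system to read. The rule set, addresses, and limits are constructed.

```python
"""First-match packet filter with a per-source sliding-window rate limit.

Added example for this guide, not code from the original article or from a
firewall product. Rules, addresses (RFC 5737 documentation ranges) and the
rate limit are constructed values.
"""
import ipaddress
from collections import deque

# Constructed rule set, evaluated top to bottom; anything unmatched is denied.
RULES = [
    {"action": "deny",  "src": "203.0.113.0/24", "dport": None},  # blocklisted range, any port
    {"action": "allow", "src": "0.0.0.0/0",      "dport": 443},   # HTTPS from anywhere
    {"action": "allow", "src": "10.0.0.0/8",     "dport": 22},    # SSH only from internal space
]
RATE_LIMIT = (20, 1.0)  # at most 20 packets per source within any 1.0-second window


class Firewall:
    def __init__(self, rules, rate_limit):
        self.rules = [(r["action"], ipaddress.ip_network(r["src"]), r["dport"]) for r in rules]
        self.max_packets, self.window = rate_limit
        self._recent = {}  # source ip -> deque of packet timestamps inside the window
        self.log = []      # (time, src, dport, decision) for the monitoring pipeline

    def _rate_exceeded(self, src, now):
        """Sliding window: drop timestamps older than the window, then count."""
        q = self._recent.setdefault(src, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.max_packets

    def decide(self, src, dport, now):
        """Return 'allow', 'deny' or 'rate_limited' for one packet and log it."""
        decision = "deny"  # default when no rule matches
        for action, net, rule_port in self.rules:
            if ipaddress.ip_address(src) in net and (rule_port is None or rule_port == dport):
                decision = action
                break
        if decision == "allow" and self._rate_exceeded(src, now):
            decision = "rate_limited"
        self.log.append((now, src, dport, decision))
        return decision


def simulate():
    """Run a constructed packet sequence and summarise the decisions."""
    fw = Firewall(RULES, RATE_LIMIT)
    results = {
        "blocked_range": fw.decide("203.0.113.7", 443, 0.0),
        "https_external": fw.decide("198.51.100.9", 443, 0.0),
        "ssh_external": fw.decide("198.51.100.9", 22, 0.0),
        "ssh_internal": fw.decide("10.1.2.3", 22, 0.0),
    }
    # Burst of 25 HTTPS packets from one source within 100 ms: 20 fit the budget.
    burst = [fw.decide("198.51.100.10", 443, i * 0.004) for i in range(25)]
    results["burst_allowed"] = burst.count("allow")
    results["burst_limited"] = burst.count("rate_limited")
    results["log_entries"] = len(fw.log)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Note that the deny rule for the blocklisted range sits above the broad HTTPS allow; with first-match evaluation, rule order is itself part of the policy, and swapping those two lines would silently let the blocked range through on port 443.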
Security incident and event management (SIEM)
SIEM solutions enable you to ingest and correlate information from across your systems. This aggregation of data enables teams to detect threats more effectively, more effectively manage alerts, and provide better context for investigations. SIEM solutions are also useful for logging events that occur in a system or reporting on events and performance. You can then use this information to prove compliance or to optimize configurations.
Data loss prevention (DLP)
DLP strategies incorporate tools and practices that protect data from loss or modification. This includes categorizing data, backing up data, and monitoring how data is shared across and outside an organization. For example, you can use DLP solutions to scan outgoing emails to determine if sensitive information is being inappropriately shared.
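The outgoing-email scan mentioned above comes down to content detectors plus a policy decision about where the message is going. The Python script below is an added example for this guide, not code from the original article or from a DLP product: it runs a few constructed detectors over a constructed message body (a payment-card pattern validated with the Luhn checksum so that arbitrary digit runs do not trigger it, a US SSN pattern, and a credential marker) and blocks the message only when sensitive content is bound for a recipient outside the organization's own domain. The domains and the detector list are assumptions; 4111 1111 1111 1111 is a widely published test card number, not a real account.

```python
"""Scan an outbound message for sensitive content before it leaves the org.

Added example for this guide, not code from the original article or from a
DLP product. Detectors, message body and domains are constructed; the card
number is a well-known test value.
"""
import re


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers. It cuts false positives
    from ordinary digit runs (order numbers, timestamps) that merely look
    like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed detector list: (name, pattern, optional validator on the match).
DETECTORS = [
    ("payment_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     lambda text: luhn_valid(re.sub(r"[ -]", "", text))),
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("credential_marker",
     re.compile(r"\b(?:api[_-]?key|secret)\s*[:=]\s*\S{16,}", re.IGNORECASE), None),
]

# Constructed message: one real-looking card (passes Luhn), one SSN-shaped
# value, one credential, and one digit run that fails Luhn and must not fire.
SAMPLE_BODY = (
    "Attached is the invoice. Card on file: 4111 1111 1111 1111 (test card number). "
    "SSN 123-45-6789. Deploy with api_key = abcdefghijklmnop1234 please. "
    "The number 1234 5678 9012 3456 is just a placeholder."
)


def scan_message(body):
    """Return [(detector_name, matched_text)] for every validated hit."""
    findings = []
    for name, pattern, validator in DETECTORS:
        for match in pattern.finditer(body):
            text = match.group(0)
            if validator is None or validator(text):
                findings.append((name, text))
    return findings


def dlp_decision(recipients, body, internal_domain):
    """Policy: sensitive content may circulate internally, but a message that
    carries it to any external recipient is held ('block') for review."""
    findings = scan_message(body)
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    verdict = "block" if findings and external else "allow"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = dlp_decision(["partner@other.example"], SAMPLE_BODY, "corp.example")
    print(verdict)
    for name, text in findings:
        print(f"  {name}: {text}")
```

The validator hook is the part that matters operationally: a regex alone over a body full of invoice and order numbers produces a steady stream of false positives, and analysts stop reading the alerts.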
Intrusion detection system (IDS)
IDS solutions are tools for monitoring incoming traffic and detecting threats. These tools evaluate traffic and alert on any instances that appear suspicious or malicious.
Intrusion prevention system (IPS)
IPS security solutions are similar to IDS solutions and the two are often used together. These solutions respond to traffic that is identified as suspicious or malicious, blocking requests or ending user sessions. You can use IPS solutions to manage your network traffic according to defined security policies.
User behavioral analytics (UBA)
UBA solutions gather information on user activities and correlate those behaviors into a baseline. Solutions then use this baseline as a comparison against new behaviors to identify inconsistencies. The solution then flags these inconsistencies as potential threats. For example, you can use UBA solutions to monitor user activities and identify if a user begins exporting large amounts of data, indicating an insider threat.
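The baseline-and-deviation logic described here, including the data-export scenario, can be shown end to end on a handful of audit events. The Python script below is an added example for this guide, not code from the original article or from Exabeam's UBA/UEBA products: it builds a per-user mean and standard deviation of export sizes from a constructed history, then scores a day's events as a standard score against that user's own baseline, flagging large deviations and users for whom no baseline exists yet. The log lines, users, sizes, and thresholds are constructed values.

```python
"""Per-user baseline and deviation scoring over constructed export events.

Added example for this guide, not code from the original article or from
Exabeam's products. Log lines, users, sizes and thresholds are constructed.
"""
import statistics
from collections import defaultdict

# Constructed audit log, one event per line: "<date> <user> <action> <bytes>".
BASELINE_LOG = """
2024-03-01 alice export 12000
2024-03-02 alice export 15000
2024-03-03 alice export 11000
2024-03-04 alice export 14000
2024-03-05 alice export 13000
2024-03-01 bob export 500000
2024-03-02 bob export 480000
2024-03-03 bob export 520000
2024-03-04 bob export 510000
2024-03-05 bob export 490000
""".strip().splitlines()

# The day under review: alice exports far above her norm, bob is within his
# (much larger) norm, carol has never exported before.
REVIEW_LOG = """
2024-03-06 alice export 450000
2024-03-06 bob export 505000
2024-03-06 carol export 9000
""".strip().splitlines()


def parse_events(lines):
    """Turn log lines into (date, user, action, size) tuples."""
    events = []
    for line in lines:
        date, user, action, size = line.split()
        events.append((date, user, action, int(size)))
    return events


def build_baseline(events):
    """Per-user (mean, sample stdev) of export sizes in the baseline window."""
    sizes_by_user = defaultdict(list)
    for _, user, action, size in events:
        if action == "export":
            sizes_by_user[user].append(size)
    baseline = {}
    for user, sizes in sizes_by_user.items():
        mean = statistics.fmean(sizes)
        stdev = statistics.stdev(sizes) if len(sizes) > 1 else 0.0
        baseline[user] = (mean, stdev)
    return baseline


def z_score(size, mean, stdev, spread_floor):
    """Standard score of one observation. The floor keeps a near-zero stdev
    (a very regular user) from turning every small change into an alert."""
    return (size - mean) / max(stdev, spread_floor)


def score_events(events, baseline, z_threshold=3.0, spread_floor=1000.0):
    """Return [(user, size, verdict)] for exports that deviate from the user's
    own baseline, or for users with no baseline yet (to be reviewed, not
    silently accepted)."""
    findings = []
    for _, user, action, size in events:
        if action != "export":
            continue
        if user not in baseline:
            findings.append((user, size, "no_baseline"))
            continue
        mean, stdev = baseline[user]
        if z_score(size, mean, stdev, spread_floor) > z_threshold:
            findings.append((user, size, "above_baseline"))
    return findings


def run():
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return score_events(parse_events(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for user, size, verdict in run():
        print(f"{user}: export of {size} bytes -> {verdict}")
```

The point the example makes is that bob's 505,000-byte export is unremarkable while alice's 450,000-byte export is not: a fixed global threshold would treat them identically, whereas a per-user baseline is what lets the detection separate a role that moves large files routinely from an account that has suddenly changed behaviour.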
Blockchain cybersecurity
Blockchain cybersecurity is a technology that relies on immutable transactional events. In blockchain technologies, distributed networks of users verify the authenticity of transactions and ensure that integrity is maintained. While these technologies are not yet widely used, some companies are beginning to incorporate blockchain into more solutions.
Endpoint detection and response (EDR)
EDR cybersecurity solutions enable you to monitor endpoint activity, identify suspicious activity, and automatically respond to threats. These solutions are intended to improve the visibility of endpoint devices and can be used to prevent threats from entering your networks or information from leaving. EDR solutions rely on continuous endpoint data collection, detection engines, and event logging.
Cloud security posture management (CSPM)
CSPM is a set of practices and technologies you can use to evaluate your cloud resources’ security. These technologies enable you to scan configurations, compare protections to benchmarks, and ensure that security policies are applied uniformly. Often, CSPM solutions provide recommendations or guidelines for remediation that you can use to improve your security posture.
Examples of Information Security in the Real World
There are many ways to implement information security in your organization, depending on your size, available resources, and the type of information you need to secure. Below are three examples of how organizations implemented information security to meet their needs.
DLP at Berkshire Bank
Berkshire Bank is an example of a company that decided to restructure its DLP strategy. The company wanted to gain access to more detailed reporting on events. Their old system only provided general information when threats were prevented, but the company wanted to know specifics about each event.
To make this change, Berkshire Bank adopted Exabeam solutions to provide managed DLP coverage. This coverage included improved visibility into events and centralized DLP information into a single timeline for greater accessibility. With this enhanced information, Berkshire’s security team can investigate events better and take meaningful preventative action.
SOC at Grant Thornton
Grant Thornton is an organization that partnered with Exabeam to improve its SOC. The company sought to improve its ability to protect system information and more effectively achieve security goals. Through partnership, Grant Thornton created a data lake, serving as a central repository for their data and tooling.
This centralization improved the efficiency of their operations and reduced the number of interfaces that analysts needed to access. Centralization also made it possible for the company to use advanced analytics, incorporating their newly aggregated data.
Incident Response at WSU
To defend against a growing number of advanced threat actors, Wright State University (WSU) implemented Exabeam incident response solutions. They took this action to detect incidents more quickly, investigate activity more thoroughly, and respond to threats more effectively.
The tooling WSU adopted includes a security orchestration, automation, and response (SOAR) solution and a user and entity behavior analytics (UEBA) solution. These tools enable WSU to detect a wider range of threats, including dynamic or unknown threats, and to respond to those threats automatically. These tools provide important contextual information and timely alerts for threats that solutions cannot automatically manage so you can quickly take action and minimize damage.
Information Security Certifications
Another important aspect when implementing information security strategies is to ensure that your staff are properly trained to protect your information. One common method is through information security certifications. These certifications ensure that professionals meet a certain standard of expertise and are aware of best practices.
Numerous certifications are available from both nonprofit and vendor organizations. Two of the most commonly sought certifications are:
- CompTIA Security+—ensures a basic level of cybersecurity training. It covers core knowledge related to IT security and is intended for entry-level professionals, such as junior auditors or penetration testers. This certification is offered through the Computing Technology Industry Association.
- Certified Information Systems Security Professional (CISSP)—ensures knowledge of eight information security domains, including communications, assessment and testing, and risk management. It is intended for senior-level professionals, such as security managers. This certification is available from the International Information System Security Certification Consortium (ISC)².
Improving Your Information Security with Exabeam
The flexibility and convenience of IT solutions like cloud computing and the Internet of Things (IoT) have become indispensable to many organizations, including private companies and governments, but they also expose sensitive information to theft and malicious attacks. It’s not possible to avoid the Internet, but you can ensure that you have a system in place to secure your information and manage breaches when they do occur.
Exabeam is a third-generation SIEM platform that is easy to implement and use, and includes advanced functionality per the revised Gartner SIEM model:
- Advanced Analytics and Forensic Analysis—threat identification with behavioral analysis based on machine learning, dynamically grouping of peers and of entities to identify suspicious individuals, and lateral movement detection.
- Data Exploration, Reporting and Retention—unlimited log data retention with flat pricing, leveraging modern data lake technology, with context-aware log parsing that helps security analysts quickly find what they need.
- Threat Hunting—empowering analysts to actively seek out threats. Provides a point-and-click threat hunting interface, making it possible to build rules and queries using natural language, with no SQL or NLP processing.
- Incident Response and SOC Automation—a centralized approach to incident response, gathering data from hundreds of tools and orchestrating a response to different types of incidents, via security playbooks. Exabeam can automate investigations, containment, and mitigation workflows.
Exabeam enables SOCs, CISOs, and InfoSec security teams to gain more visibility and control. Using Exabeam, organizations can cover a wide range of information security risks, ensuring that information remains secure, accessible, and available. Learn more about Exabeam’s next-generation cloud SIEM.