Information Security: Introduction, Principle and Defence
What is Information Security? or Information Security Definition
Information Security (also referred to as InfoSec) is the set of methods or processes for protecting any kind of data or information that could be misused, modified, disrupted, or destroyed through unauthorized access.
In this article, I will be discussing the first topic in our series of lessons on information privacy and security. Before I get into the primary content, I wanted to pose an interesting philosophical question, namely:
Why is information security management important, or why is there a need for information security?
Although many of the investments that are made into information privacy and security are not related to malicious attacks, there is nevertheless an extraordinarily large amount of investment in information privacy and security mechanisms that are targeted toward protecting systems against attacks by malicious parties.
From a philosophical perspective, it's important to consider what this says about humanity. On the one hand, it shows that we are certainly curious creatures, but on the other hand, it shows that we as a species are not particularly trustworthy, and we're also greedy. There are many people, organizations, and even governments in the world that would be very happy to steal personal private information from you or your organization for their own gain.
This appears to be a natural trait of human beings in virtually all cultures, and I think it's important to note that if we were not like this as a species, the quantity of time, money, and other resources that individuals, organizations, and governments must invest into protecting their information assets would be much less than it is today.
Information Privacy And Security
With those philosophical thoughts in mind, let's begin with a question: how dependent are you upon information and communication technology? Well, if you're like most people in the developed world, your day-to-day activities are increasingly characterized by interactions with technology.
Computational capabilities are being embedded in a rapidly increasing number and variety of products, anything from athletic shoes to kitchen appliances to implantable medical devices. What this means is that with every passing day, computers are controlling, administering, and making decisions about more and more aspects of our daily lives.
What we can conclude from this situation is that we are becoming more and more dependent on these information and communication technologies every single day, and this situation has very important implications with respect to our privacy and security.
Dependence on Information Technology and Risk
To better understand why, consider the relationship between our dependence on technology and risk. Because we live in a world where we are increasingly entrusting our lives and our livelihoods to computer technologies, and because those technologies are not entirely dependable, safe, or secure, our increasing reliance upon these information and communication technologies brings with it plenty of new risks that were not present prior to the rise of the Information Age.
As a discipline and as a profession, then, one of the major goals of information security is to find ways of mitigating these risks, that is, to allow us to have our cake and eat it too.
How Information Technology Fails?
Although many people think of the world of information privacy and security as one characterized by hackers, cyber terrorists, or government-sponsored information espionage, in reality the scope of information privacy and security is much broader, and one way of understanding the breadth of this scope is to consider information security from the perspective of IT failures.
Our modern information technologies can fail for many different reasons. First, consider:
Physical failures - these involve hardware devices, and hardware can and does fail. Even in the modern era, many of our computational technologies still rely on moving parts, and a failure of any of these moving parts can cascade to cause a wider failure of the information technology as a whole. Further, electronic components can fail, and when these components fail permanently, the cause of the problem is much easier to diagnose than when they fail intermittently. It is therefore important for managers and system administrators not only to expect that their physical IT devices will fail, but also to develop plans for how to address those failures when they inevitably occur.
Beyond physical failures, we have other types of information technology failures as well, and these can best be understood by considering the intersection of two different dimensions. Along one dimension, we have a spectrum which ranges from malicious to non-malicious, that is, the failure is caused by someone intentionally or unintentionally. Along the other dimension, we have a spectrum which ranges from harmless to catastrophic. Plotting these two dimensions against each other provides us with a geometric space in which we can easily classify our non-physical information technology failures.
A failure, then, might be non-malicious and harmless, it might be non-malicious but catastrophic, it might be malicious but cause no harm, or in the worst scenario it may be a malicious attack that causes catastrophic damage to our information assets. Again, remember that information security has a broad scope, and information security addresses each of these different types of failures. What's more, information security addresses failures that have never before been seen or do not currently exist, and that statement speaks to the dynamism and constant change that characterizes the world of information security.
Scope of Information Security
So when thinking about information security, remember that it has a vast scope. We're talking here about protecting anything from tiny little integrated circuits all the way up to massive clusters of servers that may involve thousands of unique machines.
It's about protecting a local private network that you may have in your home or your apartment, all the way up to massive wide area networks or even the entire internet.
It's about protecting hardware, software, operating systems, databases, networks, etc. The scope of inquiry in computer security is vast, continuously changing, and ever-growing.
Broadly speaking, however, we can think about computer security as being concerned with protecting information assets.
What Should we protect in Information Security?
When we say information assets, what we're referring to are elements of the information system that have value. Since value lies at the core of where we should focus our information security efforts, a critical first step is identifying what within our organization has value, and to whom those items have value. One good way of thinking about information technology assets is to subdivide assets into three categories.
First, we have hardware assets, and these can include our computing systems, mobile devices, networks, and communications channels.
Next, we have software assets. These can include operating systems, off-the-shelf application programs, mobile apps, as well as custom or customized application programs.
And finally, we have data assets. These are our files, our databases, the information that we generate in our daily lives or in carrying out our business, and as we will see, it is often this class of assets that has the greatest value of all.
[Figure: Information Technology Assets]
When considering this diagram, remember that the perceived value of an asset depends in part upon the ease with which that asset can be replaced. Certain components of an information system, such as hardware, mobile devices, operating systems, and off-the-shelf software, can be easily replaced. By contrast, custom applications or mobile apps and our data are often unique and irreplaceable.
Perhaps you can think of an example in your own life where you or someone you've known has lost, say, a laptop computer or a mobile device. Many times they are upset not so much about the loss of the physical device, the physical hardware itself, but more so about the photos, the course documents, the data that they had for work, etc.
It is those files, those data items, that represent much of the value of the system to its users, and we can understand intuitively through examples such as this why the value of an asset often depends upon the ease with which we are able to replace that asset.
Vulnerability - Threat - Control Framework
Earlier in our discussion, we said that one of the major goals of information security was to mitigate security risks. Another major goal of information security as a discipline and as a profession is to try to protect our valuable information assets, and in order to approach the study of methods of protecting these assets, we will adopt what's known as a vulnerability-threat-control framework.
To begin, consider a vulnerability. This is a weakness in some aspect of an information system. If a vulnerability is exploited, it has the potential to cause loss or harm, and a human being who intentionally exploits a vulnerability is perpetrating an attack on the system. An attack, then, can be defined as the intentional exploitation of a system vulnerability.
Next, we can consider a threat. A threat is simply a set of circumstances that has the potential to cause loss or harm, and as we will see shortly, threats and vulnerabilities are very closely related.
Finally, we have controls. A control is something that we do or something that we have which helps to eliminate or reduce a vulnerability. Another name for a control is a countermeasure.
Now, many people, when they are first learning about information security, become confused about the difference between a threat, a vulnerability, and a control, so let me provide you with a simple example that I hope will help you to remember the difference between these three concepts.
Imagine that you are walking over a bridge. Whenever you walk over a bridge, there is always a certain threat to your safety, namely that the bridge might collapse under you, so the possibility of the bridge collapsing is a threat to your safety. Now, if there is a weakness in the bridge, say that there is a crack in the cement, or the mortar between the blocks of stone from which the bridge is constructed has begun to crumble or deteriorate, those weaknesses are vulnerabilities, and if those vulnerabilities were to be exploited, the threat of the bridge collapsing would be actualized, and that might actually cause you physical harm. A control, then, is something that we do or something that we have which helps us to eliminate or reduce a vulnerability. In this example, we might apply bracing to reinforce the bridge, or we may try to repair the cracks in the concrete, thus reducing the possibility that the vulnerability will be exploited.
Threats are blocked or prevented from being actualized by controlling vulnerabilities. Next, I'd like to talk about threats and what has come to be known as C-I-A, that is, confidentiality, integrity, and availability.
Information Security Principles
This acronym, C-I-A, and the concepts for which it stands are commonly referred to as the security triad, and we can think about threats as interfering with the confidentiality, integrity, or availability of an information system.
Confidentiality, then, is simply the ability of a system to ensure that assets are viewable or accessible only by authorized parties.
Integrity, by contrast, is the ability of a system to ensure that assets are modifiable or changeable only by authorized parties.
And finally, availability refers to the ability of a system to ensure that assets are usable by and accessible to all authorized parties.
Confidentiality, integrity, and availability can also be seen as goals or objectives of information security, since together they represent three very desirable properties of an information system.
The CIA principle has been around for many decades. More recently, other desirable system properties have also been identified, and these are authentication, non-repudiation, and auditability.
With respect to the first two of these, that is, authentication and non-repudiation, we are speaking here of systems that allow for communication or messaging with other systems or other users. In this regard, authentication refers to the ability of a system to confirm the identity of a sender. For example, if you receive a message from your manager which instructs you to immediately stop working on the project that you have been working on for the past year and turn your attention to another project, you as the receiver of that message would like to be able to confirm the identity of the sender, that is, you would like to know that it truly was your boss who sent that message to you.
On the other side of this is non-repudiation, and this is a property of a system in which a sender cannot convincingly deny having sent a message. Returning to our previous example, if you received such a message from your manager instructing you to immediately discontinue working on a project, and if we assume that your manager genuinely did send that message, a desirable property of the system from your perspective would be to ensure that your manager could not deny having sent that message.
Finally, we have auditability as a desirable system property, and this is simply the ability of a system to trace all actions that are related to a given asset. That way, if something goes wrong in the future, we can trace back through time and determine who did what and when, in order to ensure that responsible parties are held to account.
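The difference between authentication and non-repudiation described above becomes concrete once the manager's message is protected in two different ways. The following is an added example, not part of the original article: it assumes HMAC-SHA256 with a shared key and Ed25519 signatures as the two mechanisms (the article names none), and the messages and function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample messages based on the manager scenario in the text.
var (
	order  = []byte("Stop work on project A and move to project B today.")
	forged = []byte("Approve a bonus for the receiver of this message.")
)

// macTag computes an HMAC-SHA256 tag over msg. Every holder of the shared
// key can compute it, and that includes the receiver.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// macVerify is the receiver's check. Success proves only that the tag was
// made by someone who holds the shared key.
func macVerify(key, msg, tag []byte) bool {
	return hmac.Equal(macTag(key, msg), tag)
}

// SharedKeyDemo reports whether the manager's genuine message verifies and
// whether a message written by the receiver verifies just as well.
func SharedKeyDemo() (genuineOK, receiverMadeOK bool) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	genuineOK = macVerify(key, order, macTag(key, order))
	// The receiver holds the same key and can tag any text. A third party
	// cannot tell which of the two wrote a message, so the manager can deny
	// the genuine one: authentication without non-repudiation.
	receiverMadeOK = macVerify(key, forged, macTag(key, forged))
	return genuineOK, receiverMadeOK
}

// SignatureDemo repeats the exchange with a signature. Only the manager
// holds the private key, so a valid signature points at the manager for as
// long as that key has not been shared or stolen.
func SignatureDemo() (genuineOK, alteredOK, receiverMadeOK bool) {
	managerPub, managerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, receiverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(managerPriv, order)
	genuineOK = ed25519.Verify(managerPub, order, sig)
	// Flipping a single bit of the message invalidates the signature.
	altered := append([]byte(nil), order...)
	altered[0] ^= 0x01
	alteredOK = ed25519.Verify(managerPub, altered, sig)
	// The receiver can sign only with the receiver's own key, which does
	// not verify under the manager's public key.
	receiverSig := ed25519.Sign(receiverPriv, forged)
	receiverMadeOK = ed25519.Verify(managerPub, forged, receiverSig)
	return genuineOK, alteredOK, receiverMadeOK
}

// Report formats both outcomes for printing.
func Report() string {
	g1, r1 := SharedKeyDemo()
	g2, a2, r2 := SignatureDemo()
	return fmt.Sprintf("shared key: genuine=%t receiver-written=%t\n"+
		"signature:  genuine=%t altered=%t receiver-written=%t", g1, r1, g2, a2, r2)
}

func main() {
	fmt.Println(Report())
}
```

With the shared key both messages verify, so the tag cannot settle who wrote what; with the signature only the manager's genuine, unaltered message verifies.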
How harm can be caused to an information system
Harm can be caused to an information system through harmful acts in four general ways:
Through interception: for example, I might intercept valuable information flowing over a network.
Interruption: for example, I might disrupt the information system's ability to carry out its tasks.
Modification, in which I might seek to modify an information system or modify its information assets without being properly authorized to do so.
And fabrication, in which I might fabricate an identity or I might fabricate new information assets for the purpose of doing harm to the system as a whole.
Each of these four acts is a harmful act because it can affect a system's ability to ensure confidentiality, integrity, or availability. Next, I would like to discuss some additional details about confidentiality, integrity, and availability.
Beginning first with confidentiality: when it comes to confidentiality, a good information security strategy is to adopt the need-to-know basis for determining who has access to data and when they have access to those data.
Essentially, the idea here is that by default the user of a system should not have access to anything, and the information assets or capabilities that they are given with respect to the system are given only on a need-to-know basis. That is, we should provide system users and information workers with all of the information assets that they need to do their jobs effectively and nothing more.
Another interesting consideration with respect to confidentiality is the question of how we know if a user is the person or the system that they claim to be, and this question speaks directly to the difference between identification and authentication. We can think of identification as the process of proving that someone is who they say they are. By contrast, we can think of authentication as the process of proving that something is genuine or true or authentic.
In the world of information security, it is often very difficult or infeasible to truly identify a real human being or a specific system. Instead, we commonly use methods of authentication rather than identification, and we assume that the credentials being used for authentication are being used only by the real-world human being or system to whom those credentials apply.
This is of course a risky assumption, since through malicious or non-malicious means it might be very possible for me to obtain your login information and your password, and if I were then to use that information to log in to, say, your social networking account, then as far as the social networking site is concerned, I am you: by providing your credentials, the system is assuming that I am the real-world human being to whom those credentials belong.
Similar to the need-to-know policy for data, access to physical assets such as the server room or the network closet should also be granted only on a need-to-know basis.
Confidentiality, then, is difficult to ensure with 100% certainty, but it is often the easiest to assess in terms of whether or not our efforts at confidentiality have been successful.
When thinking about the difference between confidentiality and integrity, just remember that confidentiality is concerned with access to information assets, whereas integrity is concerned with preventing unauthorized modification of assets.
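The need-to-know default, the split between viewing (confidentiality) and modifying (integrity), and the auditability property introduced earlier fit together in one small access layer. The following is an added example, not part of the original article; the store, the users alice, bob and carol, and the payroll asset are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Action separates viewing (confidentiality) from modifying (integrity).
type Action string

const Read, Write Action = "read", "write"

// grant is one explicit permission: this user may do this action on this asset.
type grant struct {
	user, asset string
	action      Action
}

// AuditEntry records who attempted what on which asset, when, and the outcome.
type AuditEntry struct {
	When       time.Time
	Who, Asset string
	Action     Action
	Allowed    bool
}

func (e AuditEntry) String() string {
	return fmt.Sprintf("%s %-5s %-5s %s allowed=%t",
		e.When.Format(time.RFC3339), e.Who, e.Action, e.Asset, e.Allowed)
}

var ErrDenied = errors.New("access denied")

// Store holds data assets, the explicit grants, and an append-only audit trail.
type Store struct {
	data   map[string]string
	grants map[grant]bool
	audit  []AuditEntry
}

// authorize is default deny: a user/asset/action with no grant entry reads
// as false from the map. Every decision, allowed or denied, is logged.
func (s *Store) authorize(user, asset string, a Action) bool {
	ok := s.grants[grant{user, asset, a}]
	s.audit = append(s.audit, AuditEntry{time.Now().UTC(), user, asset, a, ok})
	return ok
}

// ReadAsset and WriteAsset are the only paths to the data.
func (s *Store) ReadAsset(user, asset string) (string, error) {
	if !s.authorize(user, asset, Read) {
		return "", ErrDenied
	}
	return s.data[asset], nil
}

func (s *Store) WriteAsset(user, asset, value string) error {
	if !s.authorize(user, asset, Write) {
		return ErrDenied
	}
	s.data[asset] = value
	return nil
}

// Trace returns every recorded action on one asset, oldest first.
func (s *Store) Trace(asset string) []AuditEntry {
	var out []AuditEntry
	for _, e := range s.audit {
		if e.Asset == asset {
			out = append(out, e)
		}
	}
	return out
}

// Demo runs a constructed scenario: alice maintains the payroll file, bob
// only needs to read it, and carol has no need to know and so has no grant.
func Demo() *Store {
	s := &Store{data: map[string]string{}, grants: map[grant]bool{
		{"alice", "payroll", Read}: true, {"alice", "payroll", Write}: true,
		{"bob", "payroll", Read}: true,
	}}
	s.WriteAsset("alice", "payroll", "June run: 41 employees") // allowed
	s.ReadAsset("bob", "payroll")                              // allowed
	s.WriteAsset("bob", "payroll", "altered")                  // denied
	s.ReadAsset("carol", "payroll")                            // denied
	return s
}

func main() {
	for _, e := range Demo().Trace("payroll") {
		fmt.Println(e)
	}
}
```

The trace keeps denied attempts as well as allowed ones, which is what lets a later review answer who did what and when.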
Integrity, of course, is more difficult to measure than confidentiality because it is context-dependent: it means different things in different situations, and what's more, there are degrees of integrity. For these reasons, it's necessary for each organization to establish its own criteria by which integrity can be measured and evaluated.
As with integrity, availability is also context-dependent. It is a very complex issue. Put another way, availability means different things to different people.
To a CEO, for example, availability might mean "can I access my corporate email from home?", while to a data analyst, availability might mean "can I carry out my analyses in a timely manner, without having to wait an unacceptably long period of time in order for the system to process my request?"
As a general set of guidelines, then, we might consider an asset to be available when there is a timely request-response, fair allocation of resources, fault tolerance built into the system, ease of use, and a good concurrency control strategy in place in order to address situations in which multiple users are attempting to use the same asset at the same time.
[Figure: Threats in Information Security]
To summarize our discussion of threats, then, consider that threats can be caused by some natural event such as a fire, a power failure, an earthquake, a mudslide, a tornado, a sinkhole, a hurricane, etc., or by human causes, that is, the threat is caused by something that a human being has done.
In the case of a human-caused threat, the intention of the human might be benign or it might be malicious. As examples of benign or non-malicious intent, we can consider a situation in which harm is caused through a simple human error, or perhaps someone trips over a power cord or accidentally deletes an important file. These are all examples of harm that is actualized through a benign or non-malicious intent.
When there is malicious intent, however, that is, when a human being is intending to cause harm, we can then classify that malicious intent as either random or directed, and the difference between random and directed malicious attacks is simply whether the attacker is targeting a specific organization, individual, or entity. If a specific target is under intentional attack, then we can classify that as a directed malicious attack. Otherwise, if an attacker engages in a malicious attack and they do so without the intention of harming a specific organization, entity, or individual, then we can classify that as a random malicious attack.
Types of Attackers in Information Security
Amateurs - Who, then, are these attackers who seek to compromise the confidentiality, integrity, or availability of our information systems? Well, surprisingly, many attackers are simple amateurs. They act opportunistically: for example, perhaps they find someone's lost mobile device or laptop computer and they decide to look through the files on that computer, or perhaps they are script kiddies or wannabe hackers who find hacking tools on some website that they apply to their home computers or the computers at their school or place of work.
Hackers - Outside of amateurs, we also have hackers and crackers, with the difference here being that hackers generally are attackers who have a non-malicious intent. They like to break into systems and look around, or break into a system just to prove that they can do it.
Crackers - A cracker, by contrast, has a malicious intent. They're breaking into a system with the goal of causing harm, stealing data, or disrupting the confidentiality, availability, or integrity of the system.
Career Criminals - Among these crackers are career criminals, organized crime syndicates who seek to engage in malicious breaches of information security for the purpose of financial
Cyber Terrorists - More recently, we've seen the rise of cyber terrorists, who are not necessarily affiliated with a particular state or government but nevertheless are conducting attacks on information systems in support of some ideological or political agenda.
State-Supported Information Experts - And of course we have state-supported information warriors and spies. Most modern countries, including powerful countries like the United States and China, employ vast armies of information warriors whose job it is to try to spy on the governments or military organizations of other countries and collect intelligence through digital means. What's more, this is no longer just a minor consideration. In the United States, for example, the Department of Defense now considers cyberspace to be the fifth battlefield, the first four being land, sea, air, and space, and a substantial amount of the nation's defense assets are being invested in efforts aimed at ensuring the nation's information superiority in cyberspace.
What Harm Attackers can cause to Information Security?
Harm refers to the negative consequences that can arise from an actualized threat. That is, if a vulnerability in a system were to be exploited such that a threat became a reality, what would be the implications of that actualized threat? This is a very difficult question to answer, because the quantity or the amount of harm that is sustained from a successful attack is often a subjective matter.
Different people and different organizations will assign different values to their information technology assets, and with different values assigned to the same assets, an identical attack would be perceived as causing a different amount of harm to two different organizations. What's more, the value of many information assets can change over time.
Consider, for example, the value of the transactions that your bank maintains for your checking account. If a malicious attack were launched against your bank and the attackers were able to successfully delete or modify the transactions for your checking account that took place in the last few days, then we would almost certainly consider that act to have caused more harm, more damage, than if the same attackers had modified transaction data for your account where the transactions were 8 or 10 years old.
This situation speaks to the relationship between the value of information and time. Most modern information scientists believe that the value of an information asset degrades over time according to an exponential decay function, and this simply means that as a general rule, on average, newer data is usually more valuable than older data.
How Attackers work to gain access to Information (Method - Opportunity - Motive)
In order for an attack to succeed, an attacker needs method, opportunity, and motive, and you can remember these by the acronym MOM.
The Method here refers to the skill, the knowledge, the tools, and so forth which are necessary in order for an attack to be attempted.
Opportunity refers to the time and the necessary access that is required in order for an attack to be attempted.
Motive is simply a reason to attempt an attack.
From an information security perspective, if any of these three items is eliminated, that is, if we're able to eliminate method or opportunity or motive, the attack will not succeed. Therefore, efforts aimed at defending against attacks on information infrastructure can target one or more of these three items: method, opportunity, or motive.
Methods of Defense against Attacks
Speaking more specifically, we have six approaches that we can use to defend our information systems.
1. Prevent Attacks -
The first of these approaches is prevention, and this is accomplished by blocking an attack or by entirely closing or eliminating a vulnerability. Remember that an attack occurs when a human being intentionally exploits a vulnerability. If we are therefore able to close or entirely eliminate that vulnerability, the attack cannot occur.
2. Deter Attack -
Our second method of defense is to deter an attack, and deterrence involves a strategy in which we attempt to make the attack more difficult to accomplish.
3. Deflect Attack -
Our third method is to deflect an attack, and deflection involves providing another target for the attacker which seems to be more attractive than the original target. In this way, the attacker will pursue a target that is less valuable to us.
4. Mitigate Attack -
Fourth, we can mitigate an attack, that is, we can take steps to make the impact of an attack less severe. If we are unable to prevent, deter, or deflect an attack, our best strategy is to have mechanisms in place which will contain the damage.
5. Detect Attack -
Our fifth method of defense is detection, and this can refer to detecting an attack while it is in progress or after it has taken place. If we're able to detect an attack while it is underway, we may be able to stop it, but it is also important to realize that detecting an attack after it has taken place also has great value. If we're able to detect an attack after it has taken place, we may be able to repair, and what's more, we may be able to learn from the attack, that is, how our system was compromised, and we can then use that information to hopefully close a vulnerability, thus preventing a similar attack in the future.
6. Recovery From Attack -
And finally, our sixth method of defense is to recover from an attack. We need to have mechanisms in place, such as backup copies of data, organizational protocols, etc., that allow us to quickly recover from a successful attack. If an attacker finds that the effects of their attack are quickly fixed, then they are less likely to attack us in the future.
A multi-layered approach to Implementing Controls or Security Measures
Next, I'd like to talk about the multi-layered approach to implementing controls or countermeasures for information security purposes. Consider a castle in the Middle Ages. Castles were often built in locations that leveraged natural obstacles in order to protect the castle during an attack. An example might be building the castle on the edge of a cliff, such that the side parallel with the cliff is much less likely to be attacked. What's more, castles often had a surrounding moat, that is, a man-made band of water surrounding the castle, which would help to further protect it from attackers. Additional controls included a drawbridge, heavy walls with crenelations at the top, strong gates, towers, and guards who use swords. Together, then, we can see that the defensive strategy for these castles in the Middle Ages was built around a multi-layered defense.
A similar strategy is used in information security today. We use controls such as encryption, software controls, hardware controls, societal and organizational policies and procedures, physical controls, etc. in order to establish a multi-layered defense for our information systems.
Physical controls are those controls that seek to prevent an attack through the use of something tangible. Examples might include walls, locks, security guards, security cameras, backup copies, a real-time replication of data, or the implementation of natural or man-made disaster protection mechanisms such as smoke alarms and fire extinguishers.
We also have procedural and administrative controls, and these are controls that use commands or agreements that require or advise people to act in certain ways with the goal of protecting our information assets. Procedural or administrative controls might include things such as laws and local regulations, organizational policies, procedures or guidelines, methods of protecting intellectual property such as copyrights, patents, or trade secrets, and the use of contracts or regulations which govern the relationships between two or more parties.
And finally, we have technical controls. Technical controls are controls or countermeasures that rely upon technology in order to help prevent an attack. These can include mechanisms such as passwords, access controls for operating systems or application software programs, network protocols, firewalls and intrusion detection systems, encryption technology, network traffic flow regulators, etc.
When used together, the adoption of these different types of controls allows us to establish a layered defense and gives us the best chance possible of preventing harm to our information systems. Put another way, by defining and defending the perimeter of our system, preempting and deterring attacks, providing for the deflection of attacks, and then constantly monitoring for intruders and learning from their attacks, we can create an information security strategy which supports the confidentiality, integrity, and availability of the system while simultaneously mitigating many of the risks which are inherent in a world that relies so heavily on information and communication technologies.
[Figure: Multi-layered defense strategy]
Remember, a layered defense strategy is best, and this diagram illustrates this philosophy. Many different attempts might be made at breaking into our system, and we have many tools and techniques available in order to limit the number of successful attacks. Outside of the boundaries of our system, we can use preemption or external deterrence methods in order to prevent attacks, and for those intrusion attempts that make it through our system perimeter, we then have internal deterrence mechanisms and deflection mechanisms. If all else fails and the attack is successful, we want to be able to detect the attack and respond to and learn from it as quickly as possible, thus limiting the likelihood that a similar attack would succeed in the future.
So, a multi-layered security strategy gives us the best chance possible of providing a solid defense against attacks in light of the competing objectives of confidentiality, integrity, and system availability. Well, my friends, thus ends our introduction to computer security. I hope that you learned something interesting in this lesson, and until next time, have a great day.