The Top 3 Principles of Information Security

Infosec stands for information security. This is the process of protecting company information assets from any type of risk. Cybersecurity is all about protecting information assets against cyber attacks. However, information security can also be used to physically secure information assets.

What goals should Information Security have?

Information security should aim to preserve the CIA triad within organizations. These are the elements of the CIA triad:

Confidentiality: This ensures that only authorized users have access to information. If a company suffers a data breach or a data leak, and the information of individuals is accessed by criminals, or by employees who don’t have the appropriate authorization, confidentiality has been compromised. You can use the following security measures to protect confidentiality:

  • Encryption – Encrypting information means that even if an unauthorized user gains access to it, the information remains unreadable without the decryption keys, so confidentiality is maintained.
  • Strong passwords: Having strong passwords reduces the chance that someone can access your accounts or other resources by guessing the password.
  • Two-factor authentication: 2FA adds to the traditional login information (username, password) by requiring an additional code prior to granting access.
  • Identity and Access Management: IAM is a practice that ensures that the right people have access to the right resources. This follows the principle of “least privilege”, which means that users should be granted only the resources they actually need. This helps ensure the confidentiality of information.
  • Proper technical controls: These include firewalls and security groups. These controls stop unauthorized people from reaching company networks and obtaining company information.
  • Physical locks and doors: Physical security measures such as cabinet locks, vaults, biometric scanners and door locks prevent people from entering the company’s premises and taking company documents.

Companies like KFC, Coca-Cola and others keep their trade secrets and intellectual property in safe vaults.

Integrity: To prevent information from being altered by unauthorized persons and to ensure that the information is accurate and trustworthy. It is illegal for anyone who isn’t authorized, inside or outside the company, to alter information. For example, suppose the CFO submits a document to the director of finance for review. In order to make the department look better, or to launder money, the director of finance might try to alter the information without the CFO knowing. To trust the integrity of a document, you need to be able to tell whether it has been altered without your knowledge. In the event that data is lost or stolen, you must be able to retrieve all of it, or at least most of it, from a trusted source. To maintain integrity, there are some controls that you can employ:

  • Hashes: A hash is the output of a hashing algorithm such as MD5 or SHA. A hash algorithm takes a message of any length and generates a fixed-size value, called a hash. It is usually 12 characters in length. If any character in the original message is altered, a different hash is generated. By creating a hash of a message when you first receive it, you can test later whether the message has been altered.

    Let’s say that I have a Word document on March 10, 2020, and I use a hash algorithm to generate the hash 123456789. On March 15th, I want to check whether anyone has modified the file, so I run the hash algorithm again. If the hash is different, someone has altered the file’s contents.
  • Secure backups: If you ever have doubts about the integrity of a system’s data, you can restore it from secure backups. To ensure that the backups themselves have not been altered, you can use hashes. You can then be confident that the information used to rebuild your system is correct. This is crucial in the event of a ransomware attack on your company.
  • Controlling user access: You can limit the ability of users to modify information without permission by controlling who has edit access.

Note how the hash changes dramatically due to a period at its end.
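The integrity check described above, as an added example that is not part of the original article: a document is fingerprinted with SHA-256 when it is received, the fingerprint is stored, and later the file is re-hashed and compared. The sample document text and the trailing-period variant are constructed for this example; the helper names (`fingerprint`, `verify`, `differing_bits`) are this example's own.

```python
import hashlib
import hmac

# Constructed sample "document" contents (not from the original article).
DOCUMENT_V1 = b"Quarterly results: revenue up 4% year over year"
DOCUMENT_V2 = DOCUMENT_V1 + b"."   # identical text with a single trailing period


def fingerprint(data: bytes) -> str:
    """Return the SHA-256 hash of data as 64 hex characters (256 bits)."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, expected_hash: str) -> bool:
    """Recompute the hash and compare it with the value recorded earlier.

    compare_digest is used so the comparison takes the same time whether the
    hashes match or not; it is good habit whenever a hash is checked.
    """
    return hmac.compare_digest(fingerprint(data), expected_hash)


def differing_bits(hash_a: str, hash_b: str) -> int:
    """Count how many of the 256 bits differ between two SHA-256 hex digests."""
    return bin(int(hash_a, 16) ^ int(hash_b, 16)).count("1")


if __name__ == "__main__":
    # Day 1: the document arrives and its fingerprint is recorded somewhere safe.
    recorded = fingerprint(DOCUMENT_V1)
    print("recorded fingerprint:", recorded)

    # Later: re-hash the current file and compare with the recorded value.
    print("unchanged file verifies:       ", verify(DOCUMENT_V1, recorded))
    print("file with added period verifies:", verify(DOCUMENT_V2, recorded))
    print("bits changed by that one period:",
          differing_bits(recorded, fingerprint(DOCUMENT_V2)), "of 256")
```

The same `verify` call works for backup images: hash each backup when it is written, keep the hashes apart from the backups, and refuse to restore from any image whose hash no longer matches.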

Availability: To ensure that information is available to authorized persons whenever it is needed. A website such as Netflix is an example. Most companies want 99.9% availability, which would mean that Netflix should be available 99.99% of the time. There are many ways to make sure your company has high uptime.

  • Off-site backups: You can keep off-site backups in case of an emergency. This ensures that you have the data you need to restart your systems and continue your business.
  • Disaster Recovery & Business Continuity Planning – These plans show how your company should react to situations like earthquakes, floods and fires.
  • Redundancy is when multiple instances of network devices or lines of communication are deployed, so that the failure of one device or line does not take the service down.
  • Failover is a backup system that automatically takes over production in the event of a failure in the primary system.
  • Virtualization is the creation of a virtual (or software) version of something that exists physically. A single piece of hardware can run multiple operating systems in virtual machines (VMs), so you can have redundancy even if you only have one physical machine.
  • Monitoring the environment properly: You need tools such as a SIEM to monitor your environment, so that you can identify problems as soon as they occur and take action immediately.
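Failover and monitoring together, as an added example that is not part of the original article: requests are routed to the first replica that passes a health check, and every failed check produces an alert line of the kind a SIEM would ingest, so the outage is noticed even though users saw no error. The replicas, their health flags and the `serve_with_failover` / `allowed_downtime_seconds` helpers are constructed for this example and are not from any real product.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass
class Replica:
    """One instance of a service (constructed stand-in for a real server)."""
    name: str
    healthy: bool          # what a real health probe would report
    served: int = 0        # how many requests this replica has handled


def allowed_downtime_seconds(availability_percent: float,
                             period_seconds: int = SECONDS_PER_YEAR) -> float:
    """Downtime budget implied by an availability target over a period."""
    return period_seconds * (1.0 - availability_percent / 100.0)


def probe(replica: Replica) -> bool:
    """Health check; in this example it just reads the constructed flag."""
    return replica.healthy


def serve_with_failover(replicas: List[Replica], request: str,
                        check: Callable[[Replica], bool] = probe
                        ) -> Tuple[Optional[str], List[str]]:
    """Route a request to the first healthy replica in priority order.

    Returns (response, alerts). The response is None only when every replica
    failed its probe. Each failed probe adds an alert line so that monitoring
    sees the degraded state even while failover keeps the service available.
    """
    alerts: List[str] = []
    for replica in replicas:
        if not check(replica):
            alerts.append(f"ALERT replica={replica.name} failed health check; failing over")
            continue
        replica.served += 1
        return f"{replica.name} handled {request!r}", alerts
    alerts.append("ALERT no healthy replica left; service unavailable")
    return None, alerts


if __name__ == "__main__":
    # Constructed scenario: the primary is down, one redundant replica is up.
    pool = [Replica("primary", healthy=False), Replica("secondary", healthy=True)]
    response, alerts = serve_with_failover(pool, "GET /catalog")
    print("response:", response)
    for line in alerts:
        print(line)
    for target in (99.9, 99.99):
        print(f"{target}% availability allows "
              f"{allowed_downtime_seconds(target) / 3600:.2f} hours of downtime per year")
```

Two points the numbers make: with redundancy the user request still succeeds, but the alert is what turns a silent failover into a ticket before the second replica fails too; and each extra nine in the availability target cuts the yearly downtime budget by a factor of ten, which is what justifies the cost of the redundancy.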

This is an example of redundancy in Amazon Web Services resilience recommendations

These three principles are popular, but there’s a fourth.

Non-repudiation: This ensures that users cannot deny having performed a specific action, which makes it possible to hold people responsible for what they do. Accountability deters bad behavior: if someone violates company policy or the law, they can be disciplined and corrective actions taken. The following tools help you enforce non-repudiation.

  • Account monitoring and logging: Logging users’ activities across their accounts is important so you can track who did what. Each user should have their own account so that an action can be attributed to them.
  • Digital signatures: Digital signatures work much like written signatures. They verify an individual’s identity and are used to sign contracts or messages.
  • Request a read receipt: Most platforms let you request a read receipt when you send an email, text or notification. This proves that the message was received by the recipient and also records the time.
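The account-logging control above, as an added example that is not part of the original article: an append-only audit log where every entry names the account, the action and the time, and each entry's hash covers the previous entry's hash, so an edit to an old entry is detected when the chain is verified. The accounts, actions and timestamps are constructed, and `AuditLog`, `compute_entry_hash` and `first_broken_index` are this example's own names. Note that this only shows tampering; attributing an action to a person still depends on each person having their own authenticated account, which is the article's point about shared accounts.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # prev_hash used by the very first entry


def compute_entry_hash(body: Dict) -> str:
    """SHA-256 over the canonical JSON form of an entry (without its own hash)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only, hash-chained record of which account did what, and when."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, account: str, action: str, timestamp: str) -> Dict:
        """Append one entry whose hash binds it to the entry before it."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "account": account,
                "action": action, "time": timestamp, "prev_hash": prev}
        entry = dict(body, entry_hash=compute_entry_hash(body))
        self.entries.append(entry)
        return entry

    def first_broken_index(self) -> Optional[int]:
        """Return the index of the first entry that fails verification, or None.

        An entry fails if its stored hash no longer matches its contents, or if
        its prev_hash does not equal the (recomputed) hash of the entry before it.
        """
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or compute_entry_hash(body) != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return None

    def actions_by(self, account: str) -> List[str]:
        """Everything a single account is recorded as having done."""
        return [e["action"] for e in self.entries if e["account"] == account]


if __name__ == "__main__":
    # Constructed activity from two separate, individually named accounts.
    log = AuditLog()
    log.record("alice", "approved invoice 1042", "2020-03-10T09:00:00Z")
    log.record("bob", "edited invoice 1042", "2020-03-10T09:05:00Z")
    log.record("alice", "exported report", "2020-03-10T09:10:00Z")
    print("intact chain, first broken index:", log.first_broken_index())
    print("bob did:", log.actions_by("bob"))

    # Someone later tries to rewrite history so that bob never edited the invoice.
    log.entries[1]["account"] = "alice"
    print("after editing entry 1, first broken index:", log.first_broken_index())
```

Keeping the log append-only and shipping the latest entry hash to a separate system (or a SIEM) at intervals is what makes this useful in practice: an editor who also recomputes the hashes of every later entry can only be caught by comparing against a copy they could not reach.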

Final Thoughts

Information security has four main goals: the CIA triad and non-repudiation. They are important not only for protecting company interests but also for protecting consumers’ privacy by keeping their data out of reach of those who shouldn’t have it. Many privacy laws require companies to take reasonable steps to protect their customers’ information. To ensure sufficient protection, it is important that companies have multiple security controls in place for each of these three components.