Principles of Information System Security

Software TestingAutomation TestingTesting Tools

What is the definition of information security (InfoSec)?

The methods and practices that businesses employ to secure information are referred to as information security (or InfoSec). This also contains policy settings that prohibit unauthorized individuals from gaining access to company or personal data. InfoSec is a rapidly expanding and changing discipline that encompasses everything from network and infrastructure security to testing and auditing.

Information security safeguards sensitive data against illegal access, alteration, or recording, as well as any disturbance or destruction. The purpose is to protect vital data such as customer account information, financial information, and intellectual property.

Robbery of private information, data manipulation, and data erasure are all repercussions of security events. Attacks may stymie work operations and harm a company's image, as well as incur a monetary cost.

Organizations should formulate a budget for security and make sure they're prepared to identify, react to, and prevent threats like phishing, malware, viruses, malicious insiders, and ransom ware.

What are the three information security principles?

Confidentiality, integrity, and availability are the three core concepts of information security. More than one of these principles must be implemented in every aspect of the information security program. The CIA Triad is their collective name.

Confidentiality

Confidentiality safeguards are in place to avoid unauthorized information dissemination. The confidentiality principle's goal is to keep personal information confidential and only make it public and available to those who possess it or need it to accomplish their organizational tasks.

Integrity

Protection against unwanted data modifications (additions, deletions, revisions, and so on) is included in consistency. The integrity principle assures that data is correct and dependable, and that it is not tampered with in any way, whether mistakenly or deliberately.

Availability

The capacity of a system to create software systems and data completely accessible when a customer requires it is known as availability. The goal of availability is to develop technological infrastructure, applications, and data accessible when they're required for a business process or by a company's customers.

Cyber Security vs. Information Security

In terms of breadth and aim, information security varies from cyber security. Although the two phrases are sometimes used interchangeably, cyber security is a subclass of information security. Physical security, endpoint security, data encryption, and network security are all included under the umbrella of information security. It's also linked to information assurance, which safeguards data against dangers like natural catastrophes and server outages.

Cyber security is mainly concerned with technological dangers and the methods and technologies that may be used to avoid them. Another similar area is data security, which main job is to prevent an organization's data from being exposed to unapproved people or group by mistake or maliciously.

Policy on Information Security

An Information Security Policy (ISP) is a collection of guidelines that govern people when they use technology. Information security policies may be created by businesses to guarantee that staff and customers follow security rules and processes. Only authorized individuals should have access to delicate systems and information, according to security regulations.

Developing an efficient security policy and ensuring compliance are critical stages in avoiding and managing security risks. Update your policy on a regular basis depending on corporate changes, new threats, lessons learned from prior intrusions, and changes to security systems and technologies to make it genuinely effective.

Create your information security plan realistic and practical. To address the demands and emergency of various departments within the business, an exceptions system with a consent procedure must be implemented, allowing departments or people to diverge from the norms in certain instances.

Serious Threats to Information Security

There are thousands of identified attack vectors and hundreds of kinds of information security risks. We'll go through some major dangers that security teams at contemporary businesses are concerned about.

Systems those are insecure or poorly secured

Security measures are often compromised as a result of the pace and technical development. In other circumstances, systems are built without security and continue operational as legacy systems inside an enterprise. Organizations must recognize and reduce the danger by protecting or patching these vulnerable systems, decommissioning them, or isolating them.

Attacks on Social Media

Many individuals have social media accounts, where they accidentally expose a great deal of personal information. Attackers may use social media to conduct assaults directly, such as distributing malware via social media messaging, or indirectly, such as analyzing user and organizational vulnerabilities and designing an attack using information gathered from these sites.

Social Engineering

Social engineering is the practice of sending emails and messages to people in order to persuade them to do activities that may jeopardize their security or reveal personal information. Psychological triggers such as curiosity, haste, and fear are used by attackers to influence users.

People are more likely to cooperate with a social engineering message if the source looks to be trustworthy, such as by clicking a link that installs malware on their device or by supplying personal information, passwords, or financial information.

Organizations can reduce the risk of social engineering by educating users about the risks and training them to recognize and reject suspicious communications. Furthermore, technical methods may be utilized to prevent people from undertaking risky acts such as clicking on strange links or downloading unexpected files, or to halt social engineering at its source.

Endpoint Malware

Endpoint malware is a kind of malware that infects computers. Endpoint devices used by organizational users include desktop computers, laptops, tablets, and mobile phones, many of which are privately owned and not under the jurisdiction of the organization, and all of which connect to the Internet on a regular basis.

Malware, which may be communicated through a number of methods and can result in endpoint compromise as well as privilege escalation to other corporate systems, is a key danger on all of these endpoints.

Traditional antivirus software is inadequate to stop all contemporary kinds of malware, hence other methods to endpoint security, such as endpoint detection and response, are being developed (EDR).

Encryption isn't available

Encryption methods encrypt data so that only users with secret keys may decode it. It is particularly successful in preventing data loss or corruption in the event of equipment loss or theft, or in the event that an organization's systems are hacked.

Unfortunately, because of its complexity and the absence of legal requirements connected with effective implementation, this measure is often disregarded. Organizations are increasingly using encryption, either via the purchase of encryption-capable storage devices or the use of specialized security technologies.

Misconfiguration of Security

Web applications, databases, and Software as a Service (SaaS) applications, as well as Infrastructure as a Service (IaaS) from providers like Amazon Web Services, are among the technology platforms and tools used by modern enterprises.

Security features are available in enterprise-grade platforms and cloud services, but they must be set by the company. A security breach may occur as a consequence of security misconfiguration owing to neglect or human mistake. Another issue is "configuration drift," in which a system's proper security configuration may rapidly get out of date, leaving it susceptible without the knowledge of IT or security personnel.

Using technology platforms that continually monitor systems, discover configuration gaps, and notify or even automatically correct configuration flaws that render systems susceptible, organizations may prevent security misconfiguration.

Attacks: Active vs. Passive

The goal of information security is to safeguard businesses against hostile assaults. Active and passive attacks are the two main forms of assaults. Active assaults are more difficult to avoid, therefore identifying, mitigating, and recovering from them is a priority. Strong security measures make passive assaults simpler to avoid.

Active Assault

Intercepting a communication or message and changing it for malicious purposes is an active attack. An active assault may take three different forms −

  • Interruption - the attacker pretends to be one of the conversing parties and interrupts the original conversation by sending additional, malicious messages.

  • Modification - the attacker takes current communications and either replays or alters them to obtain an edge on one of the conversing parties.

  • Fabrication - the creation of fictitious or synthetic communications, usually with the goal of establishing service denial (DoS). Users are unable to access systems or execute routine tasks as a result of this.

Passive Assault

In a passive attack, an attacker observes and monitors a system, copying data without affecting it. The information is then used to disrupt networks or breach target systems.

The attackers do not alter the communication or target systems in any way. This makes detection more challenging. Encryption, on the other hand, may assist avoid passive assaults by obscuring data and making it more difficult for attackers to exploit.

Active AttacksPassive Attacks
Change the content of messages, communications, or data.Make no changes to the data or systems.
Poses a risk to sensitive data's availability and integrity.Threatens the confidentiality of critical information.
It's possible that organizational structures may be harmed.Organizational structures are not immediately harmed as a result of this.
Victims are usually aware of the incident.The majority of the times, the victims are unaware of the assault.
Detection and mitigation are the primary security concerns.The main emphasis of security is on prevention.

Data Protection and Information Security Laws

The rules and regulations of the areas where an organization conducts business are always in conflict with information security. Data protection legislation are in place all around the globe to improve the privacy of personal data and impose limitations on how businesses may acquire, keep, and use it.

Personal identifiable information (PII) is the subject of data privacy, which is mainly concerned with how the data is handled and utilized. Any data that may be directly connected to the user, such as a user's name, ID number, date of birth, physical address, or phone number, is considered PII. Artifacts such as social media postings, profile photographs, and IP addresses may also be included.

General Data Protection Regulation

General Data Protection Regulation (GDPR) is the European Union's (EU) most well-known privacy regulation. This legislation governs the collection, use, storage, security, and transfer of personal information about EU citizens.

The GDPR applies to every firm that does business with EU people, regardless of whether the company is situated within or outside of the EU. Violations of the standards might result in penalties of up to 4% of worldwide sales, or €20 million.

The GDPR's key objectives are −

  • Personal data privacy has been declared a core human right.

  • Implementing the standards for privacy criterion

  • The application of privacy standards should be standardized.

The GDPR protects the following sorts of data −

  • Name, ID number, date of birth, and address are examples of personal information.

  • IP address, cookies, location, and other web data

  • Information about health, including diagnosis and prognosis

  • Voice data, DNA, and fingerprints are examples of biometric data.

  • Communication that is kept private

  • Images and video

  • Data from a cultural, social, or economic perspective

Data Protection Legislation in the United States

Despite the implementation of various restrictions, there are presently no federal laws in the United States managing data privacy in general. Particular kinds or uses of data are, nonetheless, protected by certain restrictions. These are some of them −

  • The Federal Trade Commission Act forbids businesses from misrepresenting customers about privacy rules, failing to safeguard client privacy effectively, and deceptive advertising.

  • The Children's Online Privacy Protection Act governs the acquisition of personal information about children.

  • The Health Insurance Portability and Accountability Act (HIPAA) governs how health information is stored, shared, and used.

  • The Gramm Leach Bliley Act (GLBA) governs how financial organizations and banks gather and preserve personal information.

  • The Fair Credit Reporting Act governs the collection, use, and accessibility of credit information and records.

The Federal Trade Commission (FTC) is also in charge of safeguarding users from fraudulent or unfair transactions, as well as data security and privacy. The FTC has the authority to make rules, enforce laws, penalize violators, and investigate suspected corporate fraud.

In addition to federal rules, 25 states in the United States have passed data-related legislation. The California Consumer Privacy Act is the most well-known example (CCPA). California individuals have the right to view private information, seek deletion of private information, and opt-out of data collection or selling under the legislation, which took effect in January 2020.

There are also other regional rules, such as −

  • CPS 234 APRA (Australian Prudential Regulatory Authority)

  • The Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada (PIPEDA)

  • Personal Data Protection Act of Singapore (PDPA)

raja
Published on 26-Nov-2021 05:02:58
Advertisements