Table of Contents
What is Information Security?
Data in an increasingly valuable and vulnerable resource. Historically, we would secure it under lock and key, encrypt it using a cipher, or even hide it in plain sight. Of course, the more valuable the information, the more vulnerable it was to theft.
But what is information security in 2022?
Today, information security – or infosec – is more important than ever. In our hyper-connected digital age, information breaches have serious and far-reaching consequences.
Modern information security measures come in a variety of forms, many of which we will cover in this article. We also discuss the most common threats your business needs to be prepared for.
Types of Information Security
Information security is a broad field with many sub-fields. Information security training is therefore a robust area of study.
Many infosec workers specialize in a particular branch, like cyber security, application security, infrastructure security, cloud security, disaster recovery, and so on.
While each branch is distinct, they share three fundamental principles.
A threat is an umbrella term that encompasses any potential danger to your system’s confidentiality, integrity, and availability. Threats can be intentional or accidental, external or internal. A black hat hacker is a deliberate threat, while accidental threats can be anything from a natural disaster to a faulty circuit breaker.
The first question to ask yourself when identifying possible threats is, “How can this system be compromised?”
The difference between threats and vulnerabilities is subtle. A threat is a potential danger; a vulnerability is a weakness in a system that allows a threat to be actualized.
It’s important to identify the critical vulnerabilities in your systems. These are flaws that are easily exploited by malicious entities. When assessing vulnerabilities, reflect on a system’s weaknesses and determine how a threat could affect it. This leads us to our third, corrective principle.
Once you’ve established how a system’s weaknesses can be exploited, you can start to devise and implement security measures to prevent it. These are known as controls.
Controls are safeguards that fix vulnerabilities and mitigate threats, in order to protect the system’s confidentiality, integrity, and availability (CIA). Controls can be physical, procedural, or technical in nature. Infosec controls largely fall into the latter category.
Interested in learning more? Check out these blogs:
Information Security Threats
Cyber criminals have a variety of motives. Some hackers steal information for resale, as in the case of identity theft, while others steal for ideological purposes, like when Edward Snowden leaked confidential NSA files to the public in 2013.
Whatever the motive, however, there are only a handful of ways these criminals accomplish their goals. Broadly speaking, these are theft, alteration of information, and denial of service. Let’s take a look at some of the specific methods used to enact harm.
1. Social Engineering Attacks
The manipulation of human psychology is the goal of social engineering attacks. This is a category of cybercrime that includes phishing emails.
Phishing emails are fraudulent emails disguised as legitimate ones. The objective is to fool the target into clicking a malware-infected link or sharing sensitive information, such as financial info or login credentials.
In perhaps one of the most complicated social engineering attacks recorded, Twitter was compromised in July of 2020. Hackers used a phone spear phishing attack to gain access to low-level employee accounts and parlayed this account access into additional social engineering attacks to get top level administrative privileges.
With access to Twitter’s agent tool, the hackers changed the login privileges of several high profile user accounts to tweet out a Bitcoin scam. Given how high profile the breach was, it was quickly shut down by Twitter, though the affected accounts were limited in access until the security issues could be resolved.
2. Malware Attacks
Malware comprises a broad category of malicious software that includes:
- And more
Malware attacks are designed to exploit or harm systems, devices, or data. Because malware must be downloaded to a computer, it usually arrives in the form of a clickable link or downloadable file in an email. It is therefore commonly used in social engineering attacks to trick people into collaborating.
One of the most pernicious malware programs is the Zeus or Zbot trojan. Built in 2007, this trojan can carry out a number of malicious tasks, but is most commonly used for keystroke logging to steal personal information such as banking information.
Zeus has been found in the websites of companies such as Bank of America, Oracle, Amazon, and Business Week. It’s estimates that Zeus has caused more than $100 million since it was created.
3. Man-in-the-Middle Attacks
As the name implies, man-in-the-middle attacks (MiTM) occur when the information path between a user and a server is intercepted by a secret third-party.
The user’s IP address is taken over by the hacker, which allows them to steal information, alter content, or serve malware. MiTM attacks are very common in unsecured Wi-Fi networks.
In 2015, 49 people were nabbed in an extensive man-in-the-middle scheme in which they planted malware on medium and large company networks. This malware then intercepted emails, searching for payment requests.
When it found a payment request, it directed the account holder to a false payment form where login credentials and one-time passwords were intercepted and used to steal money. In total, the thieves stole around $6.8 million.
4. Insider Threats
Insider threats occur when the actions of an employee lead to a vulnerability in your organization. This can either be deliberate or accidental.
Employees may unwittingly open a phishing email that contains malware, have their login credentials stolen, or accidentally share sensitive information. Alternatively, some individuals in your company may purposely exploit vulnerabilities for their own personal gain.
The best way to avoid unintentional insider threats is by educating your employees on the types, dangers, and prevalence of cyber crime. Insider threats can be mitigated by implementing layers of security, such as data security.
Insider threats are common in sensitive industries and organizations. The intelligence community was subject to a number of leaks in coordination with WikiLeaks revealing surveillance programs and possible war crimes.
5. Advanced Persistent Threats (APT)
Typically directed at big corporations and public sector organizations, advanced persistent threats (APT) occur when unauthorized parties use advanced hacking methods to gain access to information or systems over an extended period of time.
Threats are advanced when they use tools or data unavailable to the general public. Having access to a software’s proprietary source code or state surveillance data would be examples of advanced methods.
APTs are typically perpetrated by state-connected actors which use the intelligence of their state for their hacks. The first named advanced persistent threat, Comment Crew, is a hacking organization linked to the Chinese government.
Comment Crew has been active since at least 2002. One of their more notorious hacks was of Coca-Cola in 2009. At the time, China Huiyuan Juice Group, a private Chinese juice company, was in negotiations to be acquired by Coca-Cola.
Comment Crew infiltrated the Coca-Cola networks with a spear phishing email. For at least a month, they exfiltrated documents weekly relating to the company’s negotiation strategy. The deal fell through.
6. Distributed Denial of Service Attacks (DDoS)
A denial of service (DOS) attack describes both a category and method of harm. DOS attacks occur when a network is inundated with false service requests, leaving legitimate requests unattended and thereby freezing the system’s ability to fulfill them.
There’s also the more powerful variant of a DoS attack known as a distributed denial of service (DDoS) attack. This version utilizes multiple systems to orchestrate an attack against network security.
In 2012, cyberactivist hacking collective Anonymous organized a massive DDoS campaign against several target websites in response to the takedown of file storage and exchange site Mega Upload by the FBI.
Members of the collective encouraged users on Twitter to download the Low Orbit Ion Cannon tool which automates DoS attacks. All told, over 5,600 people used the tool to take down the websites of the Motion Picture Association of America, the Recording Industry Association of America, Universal Music, the US Copyright Service, the Department of Justice, and the FBI.
7. SQL Injection Attack
Principles of Information Security
According to the Computer Security Resource Center (CSRC), infosec is defined as:
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
From this definition, we can extract the three principles of information security. They are confidentiality, integrity, and availability – known as CIA for short – and describe the fundamentals of information assurance.
This principle of confidentiality concerns the protection of sensitive information from unauthorized users.
Personal examples include your social security number and medical records. In the private sector, this could be anything from employee information to trade secrets. In government, military intelligence is a major target.
The principle of integrity refers to the continual maintenance of data and systems. The objective is to prevent undetected or unauthorized changes, whether deliberate or incidental.
Attacks that undermine information integrity often take the form of altering or falsifying data. File editing, the sharing of illicit content, or sending unsolicited messages are all examples of integrity breaches.
The principle of availability is about ensuring that data, applications, networks, and systems are accessible to authorized users.
DDoS attacks are common threats to availability. These attacks inhibit legit users from querying a server, effectively disrupting the normal flow of operations. This is usually done in a bid to disable corporate or government systems.
There are trade-offs between each pillar of the CIA trifecta. For instance, too much confidentiality can have a negative effect on availability. Likewise, too much availability can compromise integrity.
This trade-off means that there aren’t any out-of-the-box solutions. That’s why a customized solution is absolutely essential for your business and its dynamic needs.
Start Protecting Information Now
Now that we’ve answered the question of “what is information security?”, it’s time to apply these principles to your business. More than ever, information is at a high risk of being stolen or manipulated. In fact, since the pandemic began, Interpol has discovered a radical increase in cybercrime.
But is falling victim to cybercrime really as bad as it seems?
According to Verizon, a single data breach can cost a company anywhere between $800 and $650,000, with the average being a whopping $21,659. Additionally, 5% of attacks actually cost upwards of $1 million dollars. As the saying goes, an ounce of prevention is worth a pound of cure.
At Foresite, we offer information security programs and information security training tailored to your business. These include programs designed and implemented to meet your unique and changing needs. You’ll work alongside an expert information security manager to help you with your incident response plan, data integrity, network security, and more.
Don’t wait – contact us and request your quote today.
Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.