
A major subset of overall cybersecurity, Information Security focuses on protecting sensitive data and information from the risks of cyberattacks. It covers but is not limited to:
- Computer systems
- Mobile devices
- Networks both on-premises and in the cloud
The fundamental goal of information security is to prevent sensitive data from being compromised by criminals or state actors. InfoSec encompasses a wide range of tasks and practices, spanning from monitoring user behavior to assessing risk to ongoing education. This article will address these topics and provide an introduction to Information Security.
A definition for information security
Information security (InfoSec) is the protection of information assets and the methods you use to do so. This information may include contract documents, financial data or operational plans that may contain personal or business-confidential information. Often, this information is your competitive edge.
The domain of information security is vital to an organization's survival today. InfoSec allows you to:
- Maintain legitimate communications.
- Prevent the misuse of sensitive information.
Most vulnerable are the records kept on mobile devices such as contact lists, emails, business documents, photos, videos and more. Any personal information that's overshared or mishandled carries serious social consequences for those involved, especially when the perpetrators have malicious intent.
Indeed, as information security has become increasingly important to organizations, the role of the CISO, or chief information security officer, has become significantly more visible.
InfoSec vs other security types
In the IT landscape, security can mean a number of things: network security, infrastructure security and the overarching enterprise security.
Comparing InfoSec with physical security highlights what is different about security in the digital sphere. For one thing, you can't always see an attacker in virtual spaces. Second, you can use encryption to protect your property, which has no equivalent against physical theft.
Finally, the criminal intent differs: a burglar may look to take something valuable, while cybercriminals look for financial gain or intellectual property by using our computers against us. Importantly, though, criminal intent doesn’t have to be present in order for information security to be breached: often, it is insider threats — like an employee accidentally sharing a document — that can make you vulnerable.
Components of InfoSec
To understand InfoSec in-depth, it's best to break it down into its components and a hierarchy. First, we can place InfoSec underneath the larger umbrella of cybersecurity. Cybersecurity covers all aspects of cyber threats and security, including InfoSec. This includes:
- Making sure your company stays up to date on the latest software and hardware.
- Training staff on how to ensure their systems are secure.
So, what comprises InfoSec? These components are integral considerations within InfoSec:
Hardware & software
Hardware includes physical security systems and all the devices we use: computers, laptops, monitors, printers, cell phones and tablets and more.
Software includes programs installed on company servers such as firewalls, VPNs, anti-virus software and so forth. Software that doesn't itself support InfoSec matters too, for the opposite reason: the information held in every application and app likely also requires protecting.
Network security
Network security protects all data transmitted through a computer network. Securing the network prevents bad actors from breaching an organization's information or hacking into the cloud or other parts of the organization.
Human resource (HR) security
In this context, human resources refers to the files that contain employee information. Depending on the type of organization and how it's managed, this information may be extremely sensitive, or it may be routine documents that could nonetheless be stolen.
Information security policies
Policies document how a company will operate regarding InfoSec issues. These policies should clearly state how a company will respond to events such as an outsider breaching the system and stealing data or whether the company will compensate a victim for any damages due to negligence.
Security assurance
Security assurance means ensuring that companies can protect their data against cyber threats. This usually means taking measures to ensure the company is using appropriate software and hardware, installing or updating it as needed, and training staff on how to ensure they have security programs in place.
Breach response
Often part of incident management, breach response is the practical aspect that entails responding after an event such as a breach occurs. This includes contacting the victim and determining what data may have been stolen, the methods used to steal it, and the damages.
Current challenges in Information Security
The common challenge with information security is vulnerability. A vulnerability is a flaw in code that allows somebody else to gain access to resources (e.g., files). It can also be used to gain access to sensitive information such as passwords in cookies. A vulnerability is typically a programming error, but it can be an issue with the way you set a system up.
Some vulnerabilities are security bugs that may cause loss of data integrity or denial of service. Other vulnerabilities allow the execution of arbitrary code or enable privilege escalation. Some applications become popular targets for attacks because of the number of users using them and their critical nature. (The exploding popularity of ChatGPT underscores that we don't yet know what generative AI means for cybersecurity.)
A hacker may also use an exploit, such as a buffer overflow, to bypass a security control and run code of their choosing on the machine hosting the vulnerable application.
You can find vulnerabilities in many places:
- One of the fastest-growing areas is embedded software, which includes computer systems such as personal digital assistants (PDAs) and automotive systems.
- Many operating system kernels have vulnerabilities that allow local privilege escalation because of faulty design or kernel bugs.
- Some hardware devices have flaws that allow unauthorized access to their electronic control units. Others allow unauthorized access to the system firmware, including the BIOS and OS images.
How to assess InfoSec vulnerability
The vulnerability assessment process, as defined by the National Institute of Standards and Technology (NIST), is a structured process for identifying vulnerable systems and understanding their risk exposures. This process comprises three phases:
- Finding and assessing vulnerabilities.
- Providing a risk assessment. (This is typically performed by technical personnel.)
- Providing an implementation assurance review. (Typically performed by nontechnical people.)
NIST conducts vulnerability assessments in order to identify potential weaknesses in computer software applications, operating systems, and hardware and communication technologies that potentially affect the confidentiality, integrity or availability of information resources.
InfoSec best practices
There are several methods that organizations should use to reduce the risk of cyberattacks.
Assessing risk & implementing improvements
First, conduct a risk assessment to estimate and understand how much risk is present. You can rank overall risk as low, medium, high or extreme, with each level having a different priority.
The risk assessment will provide an organization with information such as how much money and time it must spend to mitigate the threat. This analysis also goes through technical implementation and provides information regarding necessary resources, such as:
- Specifications required for hardware and software updates
- The personnel dedicated to supporting and maintaining information security
Putting security defenses into place
Security defenses are the practices and policies that a network employs to:
- Prevent unauthorized access
- Detect and correct improper access attempts
- Mitigate potential threats
Defenses include the physical perimeter, authentication and authorization mechanisms, personal firewalls, intrusion detection systems (IDS), honeypots, digital rights management (DRM), encryption and more. Information security can also involve elements of law enforcement when an organization needs to defend itself against cybercrimes such as hacking.
Many defenses rely on controls and policies to help detect and correct improper or unauthorized access, and we refer to them as security controls. For example, a firewall may provide defense in depth in multiple network access control layers.
Creating & enabling an InfoSec team
In larger organizations, InfoSec is the jurisdiction of one or several teams. The primary task of an InfoSec team is to monitor security measures and assess vulnerabilities. They are responsible for assessing system vulnerabilities, monitoring systems that process sensitive information, identifying attackers within an organization, preventing attacks when possible and minimizing the effects of attacks that do succeed.
An InfoSec team member's role may be to:
- Implement and enforce policies
- Develop a threat management program
- Publicize security policies
- Educate users regarding security issues
As such, these InfoSec professionals probably deal with a variety of tasks and domains, including vulnerability assessment programs, data privacy policies, encryption techniques, requirements for hardware and software updates and ongoing training and education efforts.
Information security will require more attention
As technology advances, so do attacks. Information security is a multifaceted issue that requires professionals who have a variety of skills. For example…
- A system administrator must understand the security of the hardware and software they support.
- A network engineer must understand network security and how data is transmitted.
- A programmer must know how to write secure code.
An important key to a successful information security program is training employees on all pertinent aspects. All employees must understand how to handle data properly and know where sensitive data should be located so they can protect it.
This posting does not necessarily represent Splunk's position, strategies or opinion.