Over the last century, society has experienced the most intense technological evolution in its history. Where the word "security" once referred mostly to physical violence and threats, the development of technology has changed its basic meaning. Information and sensitive confidential data have become weapons that can do no less damage than a sharp knife. This is how the term "information security" entered language and practice. What it is, which tasks it solves, and how to use it: this Falcongaze article aims to answer the main questions about information security.
Information security is a set of measures and technical tools for preventing the spread of confidential information about organizations and institutions where that spread can cause direct or indirect harm to their work. Such information may include a company's measures to counter competitive threats or deal with unscrupulous employees, secret technologies, government secrets, and personal data. All of it can be used in unfair ways, and information security is meant to prevent its spread.
Information security rests on three key principles that together form a coherent approach to its implementation: system confidentiality, integrity of measures, and accessibility.
System confidentiality
Ensuring IS is directly connected with handling sensitive confidential information and personal data. The entire data set should be treated with care throughout the analysis chain. The analyzed information may only be viewed by subjects who have been authorized after verification, and it should remain private to everyone else.
Integrity of Information Security measures
This principle encourages treating data security as a coherent process, with no exceptions or indulgences unless they are predetermined. This approach gives an impartial assessment of the state of affairs and shows the real picture of what is happening.
Accessibility
It is the possibility for approved entities to access any part of the data, and the responsiveness of security services in processing their requests.
Indeed, the main goal of information security is to ensure the safety of confidential information about a company, person, or state, and to level out the negative impact that can harm the company or individual. However, that does not mean that every threat to data security has only a negative aim of destroying the object of interest. It is not always like this.
Information is frequently needed for analysis purposes: to compare competitors’ products with our own, to analyze the efficiency of business strategy, and to enhance internal company processes. Various sources can be used to get such information: employees of the company, documentation, intellectual property (inventions, utility models, industrial designs, patents, etc.), technical storage media, software, and others. The choice of source depends on the tools available, the objectives, and the potential usefulness of the data obtained.
A threat is a potential or actual action directed at causing material or moral damage to a company or individual. Naturally, in order to set up a data defense process, it is necessary to understand what risks and threats a company may face. Commonly, there are three main groups of threats:
These risks may include the following:
Here is an example of a threat to information security arising from a technogenic cause. Play's ransomware attack on the IT company Xplain in Switzerland caused damage to the local rail network and many state facilities. The hackers got hold of more than 1.3 million files, among which 65,000 documents belonged to the Swiss Federal Government. Play managed to realize the threat to information security through phishing mailings that contained malware.
Another example is from 2010. At that time, the Win32/Stuxnet network worm spread to a large number of private and public computer systems. This worm exploited Microsoft Windows vulnerabilities (zero-day vulnerabilities), intercepting and modifying the information flow between Simatic S7 programmable logic controllers and Simatic WinCC (Siemens) SCADA workstations. It went down in history as the first malware that harmed not only digital data but also caused real physical damage to equipment. The main vector of spread was infected USB drives.
One example of an anthropogenic threat to company security is the Colonial Pipeline case. It is the largest pipeline system in the USA and the main supplier of gas and oil from the Gulf of Mexico to the entire East Coast. On the 7th of May 2020, a ransomware infection was registered in the Colonial Pipeline system. As became clear later, the attack was launched by the hacker group DarkSide. Their aim was to obtain 5 million dollars in ransom. Even after the money was transferred, the company was unable to restore its business processes quickly. This led to a large-scale crisis in several states and to fuel shortages.
The weak point at Colonial Pipeline was an employee whose password was used in the attack. Through this password to the VPN service, the hackers were able to gain access to the corporate system. The employee had previously used the same password to register another account, and the details of that account were already circulating on the darknet.
One more example is the hack of celebrities' Twitter accounts in July 2020. The hackers managed to publish a link to a message soliciting cryptocurrency. The message said, "Send me 1 BTC and receive 2 back." The attack affected the accounts of Tesla and SpaceX CEO Elon Musk, Amazon founder Jeff Bezos, Berkshire Hathaway head and one of the largest private investors Warren Buffett, former US president Barack Obama, the official accounts of Google and Apple, and many other companies.
As a result of the attack, nearly 300 people sent a little more than 110,000 dollars to the crypto wallets. The situation also hurt Twitter itself: irreparable damage was done to its reputation, and its stock price fell by 4.5%. The main source of access for the scammers was a Twitter employee who, in the words of the hackers themselves, "literally did everything for them."
It is impossible to restrict the scope of information security. In one way or another, the unauthorized spread of information can damage every aspect of personal life, harm companies, and even harm governments. Still, we can single out a few spheres where the use of data protection services is crucial.
As we can see, the need for information security exists in all the main areas of state and economic life. There is one rule for determining the need to use data protection services. Generally, this rule applies to legal entities (private or state) whose activities involve a large amount of sensitive confidential data as well as information that changes constantly depending on external or internal factors (for example, banks and exchange rates, airline and domestic schedules, railroad schedules, and so on). With such a scale of change, the main aim of information security is to track and prevent negative scenarios.
It is common to distinguish several types of measures that ensure information security. Each of those measures ensures safety in its own segment of responsibility. However, no single measure will be enough on its own to prevent and eliminate potential threats to IS. One of the main principles of data protection is comprehensiveness. The more measures a company or individual includes in their security system, the more reliable the entire protection system will be.
Measures for ensuring information security are divided into:
Let's talk about each of these measures.
This is the creation and adaptation of regulatory frameworks, international regulators, institutions, etc., to meet the need for a comprehensive, effective, yet legal approach to information security. Many regulators today provide IS services even though their activities are not directly related to this sphere. The UN Security Council monitors the international agenda and can make recommendations to various nations on implementing IS systems. This also includes international product certification and standardization bodies. For example, certifications from the International Consortium for Information Systems Security Certification (CISSP) and the International Organization for Standardization (ISO) are popular.
Legal measures also include the development and adoption of legal acts within the framework of state regulatory policy in this area, and the creation and optimization of licensing and IS management bodies in each country. For example, in the Russian Federation such bodies include the Federal Security Service of the Russian Federation (ensuring IS within the country), the Federal Service for Technical and Export Control (certification of IS protection means), Roskomnadzor (tracking compliance of systems), the Ministry of Communications (development and implementation of regulatory documentation in the sphere) and others.
These measures may include written (codes of ethics, codes of conduct, etc.) and unwritten (personal moral qualities, internal standards of honesty, patriotism, duty) norms of regulating human behavior in a certain situation.
Administrative measures of information security are steps to regulate processes, the use of labor and material resources, and the creation of a scheme of interaction between all participants in the information system. The goal of these measures is to create reasonable and understandable rules of behavior aimed at preventing risks to IS. An example of such a measure is a trade secret agreement in the company (preceded by informing the employee of their responsibility for the information within their competence).
Actual physical responses to disruptions: installation of locks and safes, access control systems, video surveillance, etc.
This is an intermediate stage between physical protection and software protection. Hardware measures, like software measures, become part of the system. They can be tools for protecting speech information (white noise, audio masking) or electronic devices for preventing unauthorized access (USB identifiers, electronic keys, hardware firewalls, etc.). But while they use mechanical capabilities to counter potential threats, they remain independent physical objects that can be quickly removed from the protected system.
Software measures for ensuring information security are aimed at three main functions: identification of objects, authentication of system participants, and encryption and data processing.
In the modern world, cybercriminals learn and adapt faster than weapons against them are created. Only self-learning, adaptive systems such as artificial intelligence (AI) are able to keep up with all the changes. AI development has peaked in the last two years. Where until recently AI was just a support tool within the general set of IS measures, it is now a full-fledged solution for preventing leaks.
Examples:
The modern state has, in general, defined its attitude toward information security. The term is given a legal definition, and the procedures for ensuring it, auditing it, and holding participants in society responsible for observing it are established. We suggest reviewing the main legal acts using the examples of Great Britain, the European Union, the United States of America, and Australia.
In the UK, data protection is governed by the UK GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) 2018.
The GDPR (General Data Protection Regulation) determines how organizations should process personal data. After Brexit, there are two versions of this document: the UK GDPR and the EU GDPR. These documents are quite similar, and the UK GDPR is supplemented by the DPA (Data Protection Act), which we discuss a little below.
The UK GDPR is based on six main principles: lawful processing, data subjects' rights, valid consent, data protection by design and by default, transparency and privacy notices, international data transfers, mandatory data breach notification, and DPOs (data protection officers). The document applies to UK organizations that collect, store or otherwise process the personal data of UK residents, as well as to non-UK organizations.
UK legislation provides for the existence of controllers and processors; either can be a person or legal entity, public authority, agency, or any other body. Data controllers determine how and why personal data is processed, and data processors process personal data.
One notable feature of UK legislation is the division of personal data into two groups: personal data itself and sensitive data (special categories of personal data). The second group is placed under much stronger control under the GDPR.
The next important document is DPA 2018 (Data Protection Act 2018). This UK law sets out how personal data must be collected, handled and stored. It also gives every person the right to know what personal data is held about them and to have that data erased in certain circumstances.
The main provisions of the UK DPA 2018 are as follows.
These are the two main legislative documents, the UK DPA 2018 and the UK GDPR, which regulate data security in Great Britain.
Other important legal acts:
The main controlling body responsible for overseeing the UK GDPR is the Information Commissioner's Office.
The DSA applies to a wide range of companies providing Internet services. It requires online intermediaries to identify and promptly remove illegal content, restricts the use of interfaces that can mislead users, and strengthens protections for children, who spend significantly more time online than ever before.
The Cybersecurity Act significantly strengthens the EU Cybersecurity Agency ("ENISA"), giving it greater responsibilities and at the same time greater powers. ENISA's tasks include strengthening co-operation in the EU and assisting Member States in combating cybercrime. ENISA also supports and co-ordinates the actions of EU member states in the event of large-scale cyber attacks.
This document is one of the most important data protection laws in the EU. The GDPR standardises data protection regulation in the EU, defines what constitutes personal data and privacy, and simplifies data protection regulatory processes for international organisations.
Alongside the GDPR, the Network and Information Systems Security Directive (NIS Directive) is an important piece of legislation for the financial sector. The NIS Directive was the first ever EU cybersecurity and resilience directive adopted to improve cybersecurity across the EU.
The adoption of the convention united the efforts of EU member states in the fight against cybercrime. The provisions of the Convention serve to co-ordinate and provide assistance: technical, expert and information knowledge that can be utilised in the event of a critical cybersecurity situation. This instrument provides for a comprehensive criminal law policy for offences related to information technology, personal information, etc. The Convention classifies the main types of offences in the cyber environment; special attention is paid to the procedure for international cooperation in the field of information security.
Here are a few U.S. laws that govern information security:
The FPA regulates the collection, storage, use and dissemination of personal information that is kept on federal systems. The document forbids the disclosure of such information from systems controlled by a federal agency without the written consent of the person to whom the data belongs. The exception is cases provided for by law; there are 12 such situations described in the law.
The law gives people the ability to seek access to and changes to their records and sets various requirements for how the agency records data.
The GLBA applies to financial institutions (insurance companies, banks, auto dealers, securities firms, etc.) - the list of companies is quite wide. The document requires organizations to “develop, implement and maintain a comprehensive information security program, structured in one or more easily accessible parts and containing administrative, technical and physical security measures commensurate with the size and complexity of the organization, the nature and scope of its activities, and also the sensitivity of any customer information." Under the Privacy Rule created by this law, financial institutions are required to take measures to protect consumer rights.
COPPA applies to websites and online services whose audience and users include children under the age of 13. The law regulates how websites for children collect, use and/or disclose personal information from children who use such online services.
The Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA) are privacy laws. These documents were originally developed and adopted to limit the surveillance of citizens; today the ECPA and SCA prohibit the intentional use, disclosure of, or unauthorized access to any wire, oral or electronic communications. This means that emails, phone calls and data stored on computers are protected and cannot be disclosed without permission. At the same time, the law does not treat all of that data as equal. For example, if disclosure is needed, some information may be obtained with a subpoena, other information requires a special court order, and other information requires a search warrant.
The law is exclusively related to the healthcare sector and regulates the protection of confidential medical information. Without the patient’s consent, data about their health stored in the systems of medical institutions cannot be disclosed. At the same time, medical information may be shared to provide health care and protect the welfare of the public. As with other examples of legislation that have already been mentioned, exceptions are possible.
Today HIPAA is a set of rules (Privacy Rule, Security Rule, Breach Notification Rule, Omnibus Rule, etc.). For companies providing information security services, the HIPAA Security Rule is of particular importance, because it is in this section of the document that the safety measures a medical institution must comply with are outlined.
In the United States, along with federal laws, other documents may be applied; law enforcement practice differs. Laws and documents governing the protection of personal data may vary from state to state.
Australia's information security laws govern the storage and processing of personal data in areas of public life such as privacy, government, healthcare, telecommunications, video and audio surveillance, freedom and accessibility of information and much more. The legislative framework can be called broad and well-developed. Let's look at the most important documents and their provisions.
This document defines how businesses and federal government agencies must handle personal information. The Act sets out 13 Australian Privacy Principles (APPs), the core tenets on which Australia's information security is based.
The law defines and establishes penalties for the most serious federal crimes, including crimes committed in the cyber environment against information security.
SOCI protects information about critical infrastructure assets. This means that it is an offense to disclose information about these assets, even if you are the responsible person.
The TIA makes it an offense to intercept or access private telecommunications communications without the knowledge of those involved in those communications. The TIA authorizes access to such content when necessary for law enforcement and national security purposes.
The law states that individuals have the right to have their personal information collected and processed in accordance with certain rules. Companies are required to collect and store only the information that is directly necessary for their activities. A legal entity must ensure that a person can easily find out what information it holds about them and how it uses it. If a person asks, a company must give them access to their personal information and allow them to make changes to it, as long as this is not contrary to the public interest.
The purpose of this document is to protect the privacy of individuals by controlling the ways in which the government may collect, store, use, and publish records containing sensitive personal information that clearly identifies an individual. The law also gives individuals the right to access this information, which may appear in various types of records, including, for example, case files and patient records maintained by the Department of Health, Human Services and Justice, etc.
Obviously, such a dynamic environment as information and its security has a number of problems. Let's discuss them.
The first issue is that the amount of data that needs to be protected keeps growing. Every year the amount of information in use grows, the volume of business correspondence increases, and people communicate more and more through social media, apps and services that are used in every aspect of personal life and business. Every year the volume of online communication grows by hundreds of percent, and all of that information needs to be protected. IS tools are being adapted to meet that need, but their adaptation does not always keep pace with the growth in data volumes.
Today every government, every company and every person is left alone with the problem of making their environment safe. There is no single approved approach to IS, and so there is no general legislation that could solve the problem.
Along with the growth in data volume, the number of ways it can be leaked or maliciously injected from outside has also increased. Cybercriminals adapt much faster than the products that ensure security. An example is close at hand: AI-based malware already exists.
Information security is a set of measures. It is impossible to create a working IS tool without taking into account the comprehensiveness and complexity of this task. Each entity, whether a government, a company, or a person, can freely choose its way of protecting information. But one thing remains solid: in the modern world, no one can ignore the question of information security.