Monday, 14 January 2013
The terms information security, computer security and information assurance are frequently used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.
These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer. Information assurance focuses on the grounds for confidence that information is protected, and is thus reasoning about information security.
Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.
Should confidential information about a business' customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to negative consequences.
Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement.
For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures.
The field of information security has grown and evolved significantly in recent years. There are many ways of gaining entry into the field as a career. It offers many areas for specialization, including: securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensic science.
What is Information Security?
Information is an asset to all individuals and businesses. Information Security refers to the protection of these assets in order to achieve C - I - A (Confidentiality, Integrity and Availability), as shown in the following diagram:
Most people, when they hear the term “information security”, usually focus on single events like website hacking, procuring credit card details, email viruses or the like. Most people immediately think of some incident in which they themselves were the victim.
The fact is that these are only the tips of the information security iceberg. To fully appreciate the importance and scope of information security we need to widen our view considerably. Information security is more than just IT security. The focus of information security is not on the security of an organisation’s IT operations per se, but on the organisation’s ‘Information Assets’.
Information assets can be a variety of items, such as:
- business records
- client and contact databases
- personnel information
- financial records and transactions
- information databases
- e-commerce transaction details
Most people underrate information security because they don’t see it from this wider perspective. Information security covers the whole of an organization's information.
How should I think of information security?
There are three letters to remember when thinking of information security; they are C I A. This has nothing to do with men in black suits. CIA stands for Confidentiality, Integrity and Availability, the three main checklist items when considering information security. Try them now:
Confidentiality. Can you guarantee that your confidential information will remain confidential or is it open to compromise by unauthorized persons gaining access to it? This access does not have to be deliberate or malicious, it could occur accidentally because you have provided insufficient control over its access. Regardless of the intent, the impact can be just as devastating to a business.
Integrity. Can you guarantee that all your information will remain free from unauthorized change, so that it can always be relied upon for accuracy? Again, this does not have to be deliberate. Without adequate control, well-meaning but unauthorized staff can alter data without malicious intent.
Availability. Can you guarantee that your information (whether confidential or not) will always be available to those who need it, when they need it? There are few things more disruptive to a business than its staff being unable to access the computer system for a period.
This last point raises the unpopular twin spectres of Business Continuity and Disaster Recovery. What if your entire premises are destroyed? What are the critical parts of your business activities? How long would it take to reconstruct your entire IT infrastructure on another site? What resources would you need to do it? Which critical systems would you need first, and which systems can wait? You need a plan which enables your staff to quickly assess damage and institute a planned recovery process. This process may go as far as the establishment of a mirror site where critical IT resources are duplicated.
It is common to view this scenario as an 'acceptable risk', that is, it can’t happen to me. It will continue to be viewed as an acceptable risk – that is, until it happens. Then it is an unacceptable risk. But too late!
The CIA principles should guide your thinking about information security. Remember that a security breach need not be a malicious act; it could be as innocent and simple as a power outage or a failure to set network access privileges correctly, or it could be the total loss of all your facilities through a disastrous event, natural or unnatural.
What do I do about it?
The only defense you have against such events is to:
Deter. Have in place the means to avoid or prevent the occurrence of preventable information security breaches.
Protect. Be in a position to safeguard your information assets from security breaches.
Detect. Equip yourself to rapidly detect the occurrence of security breaches.
Respond. Be ready to react to rapidly overcome the effects of security breaches.
Recover. Be able to restore the integrity, availability and confidentiality of information assets to their expected state.
Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputation damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers.
What do we understand by Information security and Ethical hacking?