Weekly Standup — Information Security & Information Privacy

Welcome back to our weekly standups. Last week, I discussed filtering in SQL, I also talked about attacks, threats, vulnerabilities, asset classifications, and the NIST CSF. This week, I’ll be talking about Effective data handling processes, The role of encryption and hashing in safeguarding information, and Standard access controls.

Disclaimer: The information (most of the definitions) shared here is based on my knowledge gained from the Google cybersecurity certification program on Coursera and some online articles and videos.

These days, information is in so many places at once. As a result, organizations are under a lot of pressure to implement effective security controls that protect everyone’s information from being stolen or exposed.

Security controls are safeguards designed to reduce specific risks. They are tools that protect assets before, during, and after an incident occurs. It consists of three types:

1. Technical controls: This involves the various technologies used for security. Example encryption, authentication, hashing, etc
2. Operational controls: This form of control is performed by people, and entails maintaining day to day security environment. Example: Security awareness training, incident response.
3. Managerial controls: This is centered around how the technical and operational controls reduce risks by putting policies, standards, and procedures in place.

Security controls are the technologies used to regulate information privacy.

Information privacy is the protection of unauthorized access and distribution of data.

According to Educause, Information Privacy involves the policies, procedures, and other controls that determine which personal information is collected, how it is used, with whom it is shared, and how individuals who are the subject of that information are informed and involved in this process.

Information Security on the other hand is the practice of keeping data in all states away from unauthorized users, encompassing measures like confidentiality, integrity, and availability.

Security controls are intended to limit access based on the user and situation to maintain privacy, which is known as the principle of least privilege.

The Principle of Least Privilege (PoLP) — according to Palo Alto Networks — is an information security concept that maintains that a user or entity should only have access to the specific data, resources, and applications needed to complete a required task.

Organizations can inadvertently create security vulnerabilities by providing users and entities with excessive privileges. The principle of least privilege reduces the chances of unauthorized access to sensitive information and resources. Configuring user accounts with the appropriate levels of access and authorization, auditing user accounts, and revoking unnecessary access rights can reduce the attack surface and prevent potential breaches and misuse of critical systems and data, which are important practices that help to maintain the confidentiality, integrity, and availability of information.

Good data handling practice is one of the keys to preventing data leaks. Least privilege is a fundamental security control that keeps information private, but only when it’s effectively implemented.

The internet is an open system of networks with information traveling from one end to the other, both non-sensitive and private information, which when left unprotected, is vulnerable to attack by malicious actors. In security, this private information is referred to as Personal Identifiable Information (PII) — any information that can be used to infer an individual’s identity.

Maintaining Personally Identifiable Information (PII) securely on the internet requires the implementation of proper security controls, such as cryptography.

Cryptography is the process of transforming information into a form that unintended readers cannot understand. One of the earliest cryptographic methods is known as Caesar’s cipher. This method is named after a Roman general, Julius Caesar. Caesar’s cipher is a pretty simple algorithm that works by shifting letters in the Roman alphabet forward by a fixed number of spaces.

Photo by Markus Spiske on Unsplash

Data of any kind is kept secret using a two-step process: encryption to hide the information, and decryption to unhide it. The process starts by taking data in its original and readable form, known as plaintext. Encryption takes that information and scrambles it into an unreadable form, known as ciphertext. We then use decryption to unscramble the ciphertext back into plaintext form, making it readable again. A cipher is an algorithm that encrypts information, while a cryptographic key is a mechanism that decrypts ciphertext.

Some approved algorithms for encryption:

1. Symmetric algorithms: Triple Data Encryption Standard (3DES — generates key lengths of 192 bits), Advanced Encryption Standard (AES — generates key lengths of 128, 192, or 256 bits).
2. Asymmetric algorithms: Rivest Shamir Adleman (RSA — generates key lengths of 1,028, 2048, or 4096 bits), Digital Signature Algorithm (DSA — generates key lengths of 2,048 bits.

Encryption keys are vulnerable to being lost or stolen, which can lead to sensitive information at risk. A hash function is an algorithm that produces a code that can’t be decrypted. Unlike asymmetric and symmetric algorithms, hash functions are one-way processes that do not generate decryption keys. Instead, these algorithms produce a unique identifier known as a hash value or digest. Some hashing algorithms include message Digest 5 (MD5), and Secure Hashing Algorithm (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512).

Salting is an additional safeguard that strengthens hash functions. A Salt is a random string of characters that are added to data before it’s hashed, producing a more unique hash value.

Security professionals often use hashing as a tool to validate the integrity of program files, documents, and other types of data. Another way it’s used is to reduce the chances of a data breach. As you’ve learned, not all hashing functions provide the same level of protection. Rainbow table attacks are more likely to work against algorithms that generate shorter keys, like MD5.

In addition to the topics discussed above, I also learned about Access Controls. Access Controls are security controls that manage access, authorization, and accountability of information. I learned about the 3A’s in access control: Authentication, Authorization, and Accounting, as well as MFA and SSO (Single Sign-On) authentication protocols and their benefits.

Thanks for reading. Let’s discuss, exchange ideas, and connect in the comment section. Also looking forward to collaborations.

See you next week.