Introduction to Information Security

Srishti Mishra
Information Security 101
Dec 17, 2018

Millions of bytes of customer data are stored somewhere on the Internet, maybe in the data centres of tech giants like Google, Microsoft and Amazon or (hopefully not) floating around the web after a data breach of a system the customers registered with. Attacking systems to obtain and sell this information — termed cybercrime — is a lucrative industry and is estimated to cost companies over $6 trillion by 2021.
From small businesses to large companies, identifying security and privacy issues in systems and designing them to be more secure is of utmost importance to keep sensitive data and control of critical operations out of reach of malicious actors.

This is part of a series covering topics in Information Security:

  1. Introduction to Information Security (this post)
  2. Security in the Cloud
  3. Challenges in Mobile Security
  4. Secure Software Design — Part 1
  5. Secure Software Design — Part 2
  6. Red Team — Penetration testing

What is Information Security?

Information security is a means to prevent misuse, unauthorized access, and corruption of sensitive data and assets. Its aim is to build secure and reliable systems that follow the Core Security Principles (represented by the CIA triad):

  1. Confidentiality
    A secure system allows access to only authorized and authenticated users
  2. Integrity
    Data that is returned from a secure system must be correct and not corrupted or modified in a malicious manner
  3. Availability
    Data in a secure system must always be available to the user (when you want it)

Figure: CIA triad (from https://resources.infosecinstitute.com)

Attacks and Vulnerabilities

An attack on a system compromises the C, I or A (described above) of an asset or the entire system by exploiting a vulnerability. Attackers generally observe and assess a system, devise an exploit to penetrate it, take control of the system, and then either collect data in the background or deny access to the system until a ransom or other criterion is fulfilled.

A vulnerability is a weakness in the system which can be exploited by a threat actor. There are hundreds of these in every system, which are patched as soon as they are discovered to be a risk to the system. A threat is a willingness or potential to harm a system by exploiting a vulnerability, and an attack is a malicious activity on an asset carried out by the threat actor on the system.

Impact of Attacks

During threat modelling and assessing risks, the impact level of an attack is often useful.
For organisations, the level of impact of an attack is characterized as:

  1. High
    - Could have a severe or catastrophic adverse effect on operations, assets or individuals
  2. Medium
    - Could have a serious adverse effect
  3. Low
    - Expected to have a limited adverse effect
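
An added example (not from the original post or its lecture slides) that applies the three impact levels to each property of the CIA triad for a small asset register. The asset names and ratings are constructed, and taking the highest of the three ratings as the asset's overall level (the "high-water mark" convention) is an assumption the post does not state.

```python
# Impact levels as listed in this post, ordered so they can be compared.
LEVELS = {"low": 1, "medium": 2, "high": 3}
PROPERTIES = ("confidentiality", "integrity", "availability")

# Constructed sample register; names and ratings are illustrative only.
ASSETS = {
    "customer-db":    {"confidentiality": "high", "integrity": "high",   "availability": "medium"},
    "public-website": {"confidentiality": "low",  "integrity": "medium", "availability": "high"},
    "build-logs":     {"confidentiality": "low",  "integrity": "low",    "availability": "low"},
    "payroll-export": {"confidentiality": "high", "integrity": "medium", "availability": "low"},
}

def categorize(ratings):
    """Return (overall_level, driving_properties) for one asset."""
    missing = [p for p in PROPERTIES if p not in ratings]
    if missing:
        # An unrated property must not silently count as "low".
        raise ValueError(f"unrated properties: {missing}")
    scores = {}
    for prop in PROPERTIES:
        level = str(ratings[prop]).strip().lower()
        if level not in LEVELS:
            raise ValueError(f"unknown impact level {ratings[prop]!r} for {prop}")
        scores[prop] = LEVELS[level]
    top = max(scores.values())  # assumption: high-water mark across C, I and A
    overall = next(name for name, n in LEVELS.items() if n == top)
    drivers = [p for p in PROPERTIES if scores[p] == top]
    return overall, drivers

def prioritize(assets):
    """Rank assets: highest overall impact first, then by number of driving properties."""
    rows = [(name, *categorize(r)) for name, r in assets.items()]
    return sorted(rows, key=lambda row: (-LEVELS[row[1]], -len(row[2]), row[0]))

if __name__ == "__main__":
    for name, overall, drivers in prioritize(ASSETS):
        print(f"{name:15} {overall:6} driven by {', '.join(drivers)}")
```

The "driven by" column shows which property a countermeasure has to address first: the website is rated high because of availability alone, while the database is rated high for both confidentiality and integrity.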

Types of Attacks

Attacks can be:

  • Active — A deliberate attempt to affect operations of the system or modify a data stream. Includes Replay, Masquerade, Modification, Denial of Service attacks.
  • Passive — An attempt to collect or use information from a system without affecting the operations of the system. Includes eavesdropping, release of message contents, and analysis of a system's (network) traffic.
  • Insider — An attack initiated from inside the system
  • Outsider — An attack from outside the security perimeter

Cyber attacks

Cyber attacks usually fall under one of two categories:

  • Deliberate attacks — attacks on a specific company because of the value of its data and its high-profile identity, like the Target security breach
  • Opportunity attacks — attacks on entities with exposed common vulnerabilities found from scans over the Internet

Attack Surfaces

An attack surface is an exposed region where a malicious actor can launch an attack.
There are 3 major attack surfaces:

  1. Network attack surface
    Vulnerabilities present over the Internet, WAN (Wide Area Networks), or in the network protocol
    Attackers can launch Denial of Service, disruption of communications, eavesdropping and intruder attacks
  2. Software attack surface
    Vulnerabilities in the applications, operating systems, web server software etc
  3. Human attack surface
    Vulnerabilities in personnel, through social engineering, human error or insiders

Attacks can target a range of systems including Internet applications, Operating systems, Databases and Cloud, IoT and Mobile applications/devices. With the explosion of IoT devices in the market, attack surfaces have expanded rapidly as more non-secure devices come online and are vulnerable to attacks.

Finally, what can we do?

Countermeasures are safeguards against attacks; they reduce risk to assets through proper prevention, detection and recovery procedures. However, if not implemented properly, they may introduce new vulnerabilities or fail to protect against existing vulnerabilities adequately. Following best security design practices (covered in a post later on) and keeping up with current attacks and new vulnerabilities is essential to keeping systems up to date and secure. Investing in the security of its systems can save a company in the long run and protect it from data breaches and ransomware attacks, which are extremely expensive and may result in loss of trust from customers.

Note: This post has been made with reference to slides used in Information Security lectures by Mr Prasad Honnavalli and various online sources
