Information Security PDF
Table of Contents
1. Information Security
4. Cyber security threats and risk landscape evolving over the years.
5. Legal, Ethical and professional issues related to security and risk management.
6. References
1. Information security
As the modern world runs on information, information security has become one of the main fields
of concern in industry. Information security, often shortened to InfoSec, is the field of
protecting information from unauthorized access, use, disclosure, modification and the like.[1]
As a valuable asset, information exists in both electronic and physical forms, such as books,
papers, electronic data, video and audio. Since the current era is known as the information age,
almost every field requires reliable, accurate and up-to-date information. Many studies have
attempted to define the term information; as a result, the field of study known as information
science was coined in 1955.[2]
The following are some of the concepts that address the question of what information is.[3]
Information as a representation of knowledge
This concept theorizes information as stored knowledge; the medium could be books or
electronic media.
Information as data in the environment
This concept suggests that information can be obtained from different kinds of stimuli and
phenomena in the environment, but an appropriate interpretation is required in order to understand
the conveyed message.
Information as part of the communication process
This concept focuses on people rather than on words or data as information, and it suggests
that timing and social factors play a major role in the process of understanding information.
Information as a resource or commodity
As information is exchanged between sender and receiver, value is added to it.
As information plays a major role in organizations, information security is similarly important.
To understand what security is, a number of computer scientists and researchers have defined
security as "the quality or state of being secure, that is, to be free from danger".[4] They also
describe multiple layers of security inside an organization: physical security, which concerns
items, objects or areas; personnel security, which concerns the individuals or groups of
individuals involved in the organization and its operations; operations security, which concerns
the details of particular operations; communications security, which covers communication media,
technology and content; and information security, which covers information and its major
elements, including the systems and hardware that store and transmit it.
Information security protects information from various types of threats. The American National
Security Telecommunications and Information Systems Security Committee (NSTISSC) frames the
need for information security as the need to protect the value of the information to the
organization. It identifies two main characteristics of information that give it value to the
organization: the scarcity of the information outside the organization, and the shareability of
the information within the organization. That is, information has value to the organization only
if it gives those who hold it an advantage or utility over those who do not. The aim of
information security is therefore to protect the value of information by correctly identifying
and protecting these two characteristics, since threats affect the organization's ability to keep
the information scarce outside and shareable within. Information security protects the
organization's data while safeguarding its assets and technologies, giving the organization the
ability to function.
There are three fundamental principles of security, namely confidentiality, integrity and
availability.[4] Together they are commonly called the CIA triad (or AIC triad); the initialism
stands for the three principles themselves, not for any agency. Depending on each company's
business goals and security requirements, the required level of security for each principle
differs. Threats, vulnerabilities and hazards are assessed by their capacity to breach one or
more of these three principles.
Availability
Availability means that data and systems are accessible to authorized users when they are needed.
If an information system is not available to its authorized users it is neither reliable nor
useful. Maintaining reliability requires, among other things, maintenance of the hardware.
Hardware failures, cyber-attacks, human error and insider threats all affect system uptime and
ultimately availability. If a company website is disrupted, all of its online customers are
affected, causing customer dissatisfaction, loss of revenue and so on. Denial of Service (DoS)
and Distributed Denial of Service (DDoS) attacks are among the most common attacks against websites.
According to the ISTR 2017, 2016 saw some extraordinary cyber-attacks, including multi-million-dollar
virtual bank heists, attempts to disrupt the US electoral process, and one of the biggest DDoS
attacks on record, powered by a botnet of IoT devices. The botnet, called Mirai, infected routers
and security cameras: low-powered and poorly secured devices. Also in 2016, the first widespread
attack on cloud services took place, a DoS campaign that served as a warning of how exposed cloud
services are to such attacks.
Confidentiality
Confidentiality is the organization's effort to keep its data private by monitoring and
preventing access by unauthorized parties while granting access to authorized ones. Such
confidential data has some degree of sensitivity and may be personal data, such as employee or
client data, or business information. If unauthorized parties obtain it, they could damage the
company's reputation or gain an advantage over it. One example is client data in the healthcare
industry. Healthcare organizations are subject to strict regulations and policies such as the
Health Insurance Portability and Accountability Act (HIPAA) in the United States, which gives
patients control over their patient data while obliging the organization to secure that data.
Another example of confidentiality is the e-commerce sector. The personal information of bank
customers, such as credit card details and other personal data, needs to be secured. A number of
laws and regulations govern data protection in the e-commerce sector, and they differ by country
or region; the General Data Protection Regulation 2016/679 (GDPR), enacted by the European Union
(EU), is one of them.
Integrity
Integrity ensures the authenticity and reliability of data and makes sure the data is not
corrupted or tampered with. It has three goals: preventing modification of information by
unauthorized parties, preventing unauthorized or unintentional modification by authorized
parties, and preserving the consistency of the data. Simply put, the data received should be the
same data the sender sent, with nothing added or removed.
One of the common attacks on data integrity is the man-in-the-middle (MITM) attack. The attacker
intercepts the communication between two parties in order to spy on or tamper with the traffic
between sender and receiver. These attacks are usually used to steal credentials or to interfere
with communications. A receiver can only detect such tampering if the message carries an
integrity check that the attacker cannot recompute, which is why a keyed check (a message
authentication code) rather than a plain checksum is required on an untrusted channel.
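The tampering described above, as an added example that is not part of the original page: a Python sender/receiver pair showing why a plain hash does not stop an on-path attacker (the attacker simply recomputes it) while an HMAC over a sequence-numbered frame detects modification, added or removed bytes, and replay. The shared key, the messages and the sequence numbers are constructed for the illustration; no real protocol is implied.

```python
"""Integrity check for a message crossing an untrusted network (added example)."""
from __future__ import annotations

import hashlib
import hmac

# Assumption: sender and receiver agreed this key out of band (e.g. via a key
# exchange). An on-path attacker does not know it. Constructed for the example.
SHARED_KEY = b"example-shared-key-not-for-real-use"
SEQ_LEN = 8  # bytes of big-endian sequence number prefixed to every message


def unkeyed_tag(message: bytes) -> bytes:
    """A plain hash: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).digest()


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def sender_frame(key: bytes, seq: int, message: bytes) -> tuple[bytes, bytes]:
    """Sender side: frame = seq || message, tag = HMAC(key, frame)."""
    frame = seq.to_bytes(SEQ_LEN, "big") + message
    return frame, keyed_tag(key, frame)


def receiver_check(key: bytes, frame: bytes, tag: bytes, expected_seq: int) -> tuple[bool, str, bytes]:
    """Receiver side. Returns (accepted, reason, message).

    The tag is compared with hmac.compare_digest so that comparison time does
    not reveal how many leading bytes of a guessed tag were correct.
    """
    if len(frame) < SEQ_LEN:
        return False, "frame too short", b""
    if not hmac.compare_digest(keyed_tag(key, frame), tag):
        return False, "bad tag: content modified, bytes added/removed, or forged", b""
    seq = int.from_bytes(frame[:SEQ_LEN], "big")
    if seq != expected_seq:
        return False, f"sequence {seq} != expected {expected_seq}: replayed, dropped or reordered", b""
    return True, "ok", frame[SEQ_LEN:]


def mitm_rewrite(frame: bytes, old: bytes, new: bytes) -> bytes:
    """On-path attacker substitutes `old` with `new` in the intercepted frame."""
    return frame.replace(old, new)


def run_demo() -> dict[str, bool]:
    """Run the four scenarios and report whether each attack was detected."""
    results: dict[str, bool] = {}
    msg = b"PAY 100 TO ALICE"  # constructed sample message

    # 1. Unkeyed hash: the attacker rewrites the message and recomputes the
    #    checksum, since no secret is needed. The receiver sees a valid hash.
    tampered = mitm_rewrite(msg, b"ALICE", b"MALLORY")
    forged_tag = unkeyed_tag(tampered)
    results["unkeyed_tamper_detected"] = not hmac.compare_digest(unkeyed_tag(tampered), forged_tag)

    # 2. HMAC: the legitimate frame passes and the original message is recovered.
    frame, tag = sender_frame(SHARED_KEY, 1, msg)
    ok, _, out = receiver_check(SHARED_KEY, frame, tag, expected_seq=1)
    results["legit_accepted"] = ok and out == msg

    # 3. HMAC: modified content fails because the attacker cannot recompute the tag.
    frame_t = mitm_rewrite(frame, b"ALICE", b"MALLORY")
    ok, _, _ = receiver_check(SHARED_KEY, frame_t, tag, expected_seq=1)
    results["hmac_tamper_detected"] = not ok

    # 4. HMAC: removing bytes (truncation) also fails the tag check.
    ok, _, _ = receiver_check(SHARED_KEY, frame[:-4], tag, expected_seq=1)
    results["truncation_detected"] = not ok

    # 5. Replay of the unmodified frame: the tag is valid, the sequence number is not.
    ok, _, _ = receiver_check(SHARED_KEY, frame, tag, expected_seq=2)
    results["replay_detected"] = not ok
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The sequence number is part of the authenticated frame, so an attacker cannot strip or renumber it without invalidating the tag; this is the same reason transport protocols authenticate their headers rather than only the payload. Note that HMAC gives integrity and origin authentication only; it does not hide the message, so confidentiality still needs encryption.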
4. Cyber security threats and risk landscape evolving over the years.
Past data shows that the threat landscape is dynamic rather than static.[9] Within a single year
there can be many shifts in the nature of cyber-attacks, for various reasons. For example, the
Angler exploit kit was the most used exploit kit at the beginning of 2016, but after the arrest of
50 Russian members of the group responsible for the Lurk banking fraud, Angler attacks vanished
as well. Predicting future cyber threats is neither simple nor accurate, because of new
technologies that we are not yet aware of; but using the past data available, some areas of the
threat landscape can be predicted. In the beginning, cybercrime operated in the shadows and was
carried out by individuals for personal agendas. Nowadays cybercrime is more organized and more
open, and the agendas have grown to include political aims and terrorism. There are also groups
and individuals who target financial institutions and organizations to steal valuable information
or large sums of money.
The following data compares cybercrime figures over the past few years.[7],[10]
The spam rate (spam as a share of all email) declined from 60% in 2014 to 53% in both 2015 and
2016, and by 2019 it had dropped to 48%. The phishing rate has also declined over the years: in
2014 it was 1 in 965 emails, in 2015 it fell to 1 in 1,846, in 2016 to 1 in 2,596, and in 2018
to 1 in 3,207. Ransomware, by contrast, has risen since 2015: the number of ransomware detections
was 340,665 in 2015 and 463,841 in 2016, and by 2018 it had gone up to 545,231.
The amount of damage done has increased too: the average ransom demand rose from $373 in 2014 to
$1,077 in 2016, and by 2018 it had reached $5,000.
From these figures we can say that information security threats to small and medium-sized
organizations may be lower, since the phishing and malware rates are falling. But attacks by
organized groups or individuals on large institutions and economic organizations such as central
banks or commercial banks will increase, given the rising average ransom amount.
With the advance of technology almost everything is connected, for example through IoT
technologies, so these emerging technologies are likely to become targets for cyber-attacks.
There are already cases of IoT devices being turned into botnets for targeted attacks, such as
the Mirai botnet. As day-to-day life becomes more digitized, it also provides more hunting grounds
for cybercriminals and hackers, and poses a bigger threat to human life and society. Modern
technologies such as self-driving cars are being targeted too. But with advances such as machine
learning and deep learning, the defence mechanisms against cyber threats are also getting
stronger; spam email recognition using machine learning algorithms is one example. The bad news
is that such technologies are available to attackers too: there is evidence of AI being used in
cyber-attacks, for example in attacks against honeypot systems.
6. References
[3] A. D. Madden, "A definition of information," Aslib Proceedings, vol. 52, no. 9, pp. 343–349,
Nov. 2000. doi: 10.1108/eum0000000007027.
[5] S. D. Gantz and D. R. Philpott, "Thinking About Risk," in FISMA and the Risk Management
Framework. Elsevier, 2013, pp. 53–78. doi: 10.1016/b978-1-59-749641-4.00003-5.
[7] Symantec, Internet Security Threat Report (ISTR), vol. 22, April 2017.
[8] "Security Technologies | Top 7 Key Security Technologies", EDUCBA, 2022. [Online]. Available:
https://www.educba.com/security-technologies/. [Accessed: 15 Jul 2022].
[9] "The Evolving Cyber Threat Landscape", Cyber Smart Consulting Ltd, 2022. [Online]. Available:
https://cybersmartconsulting.com/cyber-threat-landscape/. [Accessed: 15 Jul 2022].
[10] Symantec, Internet Security Threat Report (ISTR), vol. 24, February 2019.
[11] "Legal, Ethical, and Professional Issues in Information Security", BrainKart, 2022. [Online].
Available: https://www.brainkart.com/article/Legal,-Ethical,-and-Professional-Issues-in-Information-Security_7926/.
[Accessed: 15 Jul 2022].
[12] E. Warren, "Legal, Ethical, and Professional Issues in Information Security". Available:
https://www.cengage.com -> 1111138214_259148.pdf [Accessed: 15 Jul 2022].