In my working life as a Cyber Security Architect, I have to deal not only with cyber security but also with information security. Both of these elements of security are important, and getting a good grasp of each is essential.
So what is the difference between information security and cyber security? Information security is about protecting the confidentiality and integrity of information, so the information is only available to those people who are authorized to access it. Cyber security is protecting an organization from online threats and cyber attacks from hackers, thereby protecting the organization from being breached.
Information security and cyber security work together in protecting an organization, as the goal of cyber security is to protect the organization from cyber attacks, which are generally aimed at stealing information.
Therefore, by stopping cyber security attacks and protecting information using information security, it becomes difficult for attackers to get access to the information, and even if they manage to, information security in itself can provide additional protection by making the stolen information unusable.
What is Information Security?
Information Security is about protecting an organization's most important asset, its information. This can be information about its customers, about the way the organization works, its secrets, its plans and strategies, through to information about its people, that is, its employees.
Organizations deal with a lot of information and some of this information has more value than other information. Having a list of postal codes like zip codes is information but it’s not valuable information, as it’s publicly available.
So if the organization lost this information through a breach where hackers broke in and stole it, there would be minimal loss to the organization, apart from being red-faced about being breached and having to deal with some minor reputational damage from news stories about the breach.
On the other hand, information like customers' credit card details, their social security numbers and their medical history are all examples of information that would be valuable. Valuable to hackers, who can use it to commit identity fraud, and valuable to organizations, as any loss through theft in a data breach could lead to reputational damage, penalties and fines, through to compensation costs for the victims of the fraud, that is, their customers.
How would you feel if your medical history was stolen and available publicly on some website on the internet?
Many people would feel violated and shocked, as this is private information to them and it's highly valuable information to them. If an organization couldn't protect highly valuable information like their medical history or their credit history, they could look at suing it for a breach of their trust.
Corporate information can be highly valuable too, like an organization's secrets for example. There may be projects on the go that could potentially make them a lot of money; these could be in cutting edge areas where the organization has a significant lead on its competitors.
If this information was stolen and ended up in the hands of their competitors, then those competitors could steal a march and catch up with, or even overtake, the organization whose project research information has been stolen. This could be millions or even billions of dollars worth of business an organization loses, so it's paramount this information is protected at all costs.
There are many stories about organizations being hacked and their secrets being stolen and used by other organizations as part of state sponsored hacking. Some organizations like Nortel have ended up going out of business because of this, while others like Cisco have lost valuable information to competitors as part of successful hacking attempts.
How do you ensure information security?
To ensure information security protects information, a number of practices can be adopted to make sure the underlying data associated with the information is protected. This can include:
- Data Encryption
- Data Hashing
- Access Controls
- Data Classification
- Data Integrity
- Data Obfuscation
Data can be encrypted, making it difficult to see the information within the data without the correct decryption keys. The data is just a bunch of numbers and letters without any real meaning, and only with the correct decryption key can the data be decrypted back into its original usable and readable format.
Data hashing is another way to protect information, as hashing is one-way, unlike encryption, which is two-way. Where with encryption the data can be decrypted using a decryption key, with one-way hashing the information cannot be reverted back to its original format.
Data hashing is particularly useful for storing passwords, as passwords are hashed when created and the hash is then stored, typically in a database. When the user enters their password, the password is hashed and then compared to the hash stored in the database.
If the two hashes are identical then it's safe to say the password entered is correct. The chance of two different passwords producing the same hash from a strong, robust hash algorithm is vanishingly small.
Even if the database is stolen the hackers will find it incredibly difficult to reverse engineer the hashed passwords back to their original format. There are some weaker hashes that can be brute forced to reveal passwords but commonly the stronger hashes are used.
Data hashing wouldn't be useful for all information, as without being able to revert the information back to its original format it will be less useful, especially if a name or social security number can't be cross referenced because it appears as a bunch of undecipherable characters. Therefore encryption would be used for information like this, whilst passwords would more than likely end up being hashed with strong hash mechanisms.
Access controls define who has access to see the data, that is who is authorized to see and use the data. This allows organizations to limit access to data instead of having a free for all method of access to all their data.
Some data is only meant to be seen by senior members of the organization whilst other data can be seen by anyone within the organization or by anyone outside the organization. By having roles associated with access permissions, organizations can control who can access, see and use the organization’s data.
Savvy organizations using access controls to control who can access, see and use their data first need to classify their data, organizing it in terms of its value, based on who really needs access to the data and who doesn't.
The data is generally classified as:
- Restricted
- Confidential
- Internal Only
- Public
Restricted data is the highest classification, where information with a high value is available on a need to know basis. So, corporate secrets could be restricted information.
Confidential information like personally identifiable information (PII), such as credit card details, customer details, through to employee details, would also have a high value, and again only those who need access to this information for the purposes of their job would have access.
There would probably be more people with access to this information compared to restricted information, whereas restricted information could only be made available to executives such as corporate board members.
Internal only information would be information that doesn't contain any personally identifiable information such as names, social security numbers or credit card numbers, but does contain information for the eyes of people who work in the organization.
This information has value, but not as much as confidential or restricted information, and it still isn't available for anyone to view. It must remain within the organization and can only be accessed by the organization's employees or other approved personnel like third parties and contractors.
Information that has low value, like postal codes, could be classed as public, as this information is already available in the public domain. I can get a list of all the postal codes in my vicinity from the internet, and if someone hacked my computer and stole this list, they'd be better off just getting it from the internet instead of going to the effort of hacking into my computer to steal it.
My postal code isn't personal to me; with just my postal code it's impossible to identify me, because my postal code is shared with my neighbors. Its value is diminished because there's not a lot you can do with my postal code, like identity fraud, because it's just a small snippet of non-identifiable information.
Data integrity is vital for any information, to ensure the data hasn't been changed by unauthorized individuals like hackers, as having data with poor integrity could result in poorer decisions being made when using the data.
For example, if the initial accounting report from the accounts department shows no profit was made during the last accounting year, then this information can be used to try to redress this, perhaps by cutting departmental budgets, laying off staff and changing strategies so that corporate takeovers are limited or even restricted.
If the accounting information isn't protected effectively, and someone who's not authorized gets access to the information and changes the data to make it look like the organization had its best ever year with bumper profits, the organization could take this for granted and start making plans to expand: giving bigger budgets to projects, hiring more staff, through to considering potential takeover candidates.
All whilst in reality the organization has very little in reserve to be able to deal effectively with the expansion costs, leading to the serious consequence of actually pushing itself into receivership and going bust, and leaving hundreds to thousands of its employees with unpaid pay checks and no job.
This is why it’s vital to protect the integrity of information by making sure it can’t be tampered with by unauthorized individuals and only the proper access to the information is allowed.
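One way to protect the integrity of a report like the accounting example above, as an added example that is not part of the original article: the producing system attaches an HMAC tag computed over the figures, and anyone holding the key can prove later that the figures are unchanged. The signing key and the report are constructed for this example.

```python
import hashlib
import hmac
import json

# Seal a report with an HMAC so that any later change to the figures is detected.
# The key would be held only by the system that produces and checks the report;
# the key and the report used below are constructed.
SIGNING_KEY = b"constructed-finance-system-signing-key"


def canonical_bytes(report: dict) -> bytes:
    """Same figures always give the same bytes, whatever the JSON formatting was."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_report(report: dict, key: bytes = SIGNING_KEY) -> dict:
    """Attach an authentication tag computed over the report's contents."""
    tag = hmac.new(key, canonical_bytes(report), hashlib.sha256).hexdigest()
    return {"report": report, "mac": tag}


def verify_report(sealed: dict, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the data was altered."""
    expected = hmac.new(key, canonical_bytes(sealed["report"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("mac", ""))


if __name__ == "__main__":
    annual = {"year": 2019, "revenue": 4_200_000, "costs": 4_200_000, "profit": 0}
    sealed = seal_report(annual)
    print(verify_report(sealed))            # True: figures are as signed
    sealed["report"]["profit"] = 9_800_000  # an unauthorized edit to the stored copy
    print(verify_report(sealed))            # False: tampering detected
```

The check only holds if the people who can edit the stored report cannot also reach the signing key, which is why the key belongs with the producing system rather than in the report store.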
Another generally overlooked aspect of Information Security is Data Obfuscation, used in instances where data like customer information is required for developing and testing new applications. This data is cleaned to remove any personally identifiable information like names, addresses, dates of birth and social security numbers, through to anything else that could identify a customer.
This data cleansing is known as data obfuscation, and sometimes also as data masking, data anonymization or data de-identification.
The resulting data is still usable enough without containing real customer information. Data obfuscation is done because in development and testing environments more people have access than in a productionised environment, where only a handful of people have access, and productionised environments also have stronger security protections applied.
Therefore the risk of customer information being lost or seen by employees who shouldn't have access is high, and so it makes a lot of sense to use data obfuscation to remove much of the inherent value of the data.
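The obfuscation step described above, as an added example that is not part of the original article: a production customer record is turned into a test-environment copy where identifying fields are masked or replaced by keyed pseudonyms, so records still join on customer id but the real values cannot be recovered. The key, field names and sample records are constructed.

```python
import hashlib
import hmac
import re

# Turn a production customer record into a test-environment copy with identifying
# fields removed or replaced, while keeping the record usable for development.
# The pseudonym key and the sample records below are constructed.
PSEUDONYM_KEY = b"constructed-test-environment-key"


def pseudonym(field: str, value: str) -> str:
    """Stable one-way stand-in: the same real value always maps to the same fake value,
    so records still join on customer_id, but the real value cannot be recovered."""
    tag = hmac.new(PSEUDONYM_KEY, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{tag[:10]}"


def mask_card(number: str) -> str:
    """Keep only the last four digits, as a masked production display would."""
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 4) + digits[-4:]


def obfuscate(record: dict) -> dict:
    out = dict(record)
    out["customer_id"] = pseudonym("cust", record["customer_id"])
    out["name"] = pseudonym("name", record["name"])
    out["email"] = pseudonym("user", record["email"]) + "@example.com"
    out["ssn"] = "***-**-" + record["ssn"][-4:]
    out["card_number"] = mask_card(record["card_number"])
    out["date_of_birth"] = record["date_of_birth"][:4] + "-01-01"  # keep year only
    # business fields such as plan and balance are not identifying and stay as they are
    return out


# Constructed sample records: two transactions for the same customer
SAMPLE = [
    {"customer_id": "C1001", "name": "Jane Doe", "email": "jane@example.org",
     "ssn": "123-45-6789", "card_number": "4111 1111 1111 1111",
     "date_of_birth": "1980-05-17", "plan": "gold", "balance": 250.75},
    {"customer_id": "C1001", "name": "Jane Doe", "email": "jane@example.org",
     "ssn": "123-45-6789", "card_number": "4111 1111 1111 1111",
     "date_of_birth": "1980-05-17", "plan": "gold", "balance": 99.00},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(obfuscate(row))
```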
What is Cyber Security?
Cyber Security is about protecting against online threats and attacks, with its primary aim being to protect the organization's assets, including its information. So cyber security measures like putting in antivirus and antimalware software can help protect information from computer viruses and malware like ransomware and spyware.
Likewise, putting in cyber security tools to protect against website attacks, like a Web Application Firewall (known as a WAF for short), ultimately protects against hackers being able to break into the website and steal information.
Hackers look for vulnerabilities in organizations that they can exploit to get inside and steal, change or destroy information. Cyber security looks at ensuring vulnerabilities are known about, the risks of these vulnerabilities are understood, and the risky vulnerabilities are remediated, that is, fixed.
Effective vulnerability management didn't happen at Equifax, where from March 2017 up to about July 2017 millions of credit history records of Americans and British people, including other nationalities too, were stolen. The hackers got in by exploiting a vulnerability in one of their online systems, a vulnerability that hadn't been fixed.
This exploitation allowed the hackers to get hold of actual employee login credentials and use these to access the Equifax databases, copying customer credit information and then siphoning this off slowly over a number of months, so as not to raise suspicion. Eventually Equifax found out they’d been breached, and the vulnerability was fixed by patching it.
So, from an information security perspective, the information was protected, there were measures to ensure only authorized people could access the information, as user accounts had roles with the correct access controls applied.
However, the cyber security aspects failed in protecting against vulnerabilities being exploited. These vulnerabilities allowed the hackers to gain access to the accounts and credentials used to protect the information.
The information was probably encrypted, so in theory it couldn't be stolen and deciphered; however, if the hacker using one of the Equifax user accounts could run data queries, the encryption wouldn't provide any protection. Encryption only provides protection if the data is stolen by someone who doesn't have authorized access, that is, they don't have a user account capable of accessing the data.
However, these hackers had multiple user accounts and credentials, possibly with administrative privileged access like database administrator accounts, so the protection from encryption made no difference.
British Airways Breach
British Airways, the flagship carrier of the United Kingdom, also managed to give away important information about its customers, namely their credit card details. This subsequently led to hackers being able to use the British Airways customers' credit cards to run up huge bills.
Again, British Airways had sophisticated Information Security measures in place, with possibly encryption, and authentication and authorization of all users accessing their systems, providing thorough access controls to ensure only those people who required access to their customers' information as part of their jobs had access.
As British Airways was processing credit card data itself, it had to adhere to the Payment Card Industry Data Security Standard, PCI DSS for short. These are pretty stringent requirements that include protecting information. So why would an organization which was using such strong security standards for protecting its information end up giving away details of its customers' credit cards?
So when hackers hacked the third party where the script was stored, they changed the script, adding additional code that allowed them to get a copy of the customers' credit card information as it was being entered into the British Airways website.
This technique known as skimming went undetected for many months, in which time every credit card number entered including expiry dates, security codes like the CVV number and so on, were being sent to the hackers.
Again, even though British Airways had robust information security protections in place, like encryption, access controls like authentication and authorization, their cyber security protections and the cyber security protections of the third party they were using for the scripts let them down.
This skimming hack can easily be avoided from a cyber security perspective, either by copying the third-party script onto your own systems, where you have complete control, or by adding integrity checks to the call-out to the script, so that if the script changes the integrity check stops the script from running and gives early insight into a problem with the script.
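The second option above, as an added example that is not part of the original article: browsers implement this integrity check through the Subresource Integrity (SRI) attribute, where the page carries a hash of the exact script it expects and a script that no longer matches is not executed. The script URL and contents are constructed.

```python
import base64
import hashlib
import hmac

# The page embeds a hash of the reviewed script; before running a fetched script the
# browser recomputes the hash and refuses a mismatch. URL and scripts are constructed.


def sri_hash(script: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for this exact script content."""
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, script: bytes) -> str:
    """Build the <script> tag the page would embed at deployment time."""
    return (f'<script src="{src}" integrity="{sri_hash(script)}" '
            f'crossorigin="anonymous"></script>')


def passes_integrity(integrity: str, fetched: bytes) -> bool:
    """What the browser does before executing the script: recompute and compare."""
    algo, _, _ = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):  # the algorithms SRI allows
        return False
    return hmac.compare_digest(sri_hash(fetched, algo), integrity)


# Constructed script contents: the version that was reviewed and deployed, and the
# same script after an unauthorized change on the third-party host.
DEPLOYED = b"window.checkout = function (form) { return validate(form); };\n"
CHANGED = DEPLOYED + b"/* unauthorized change appended on the third-party host */\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.com/checkout.js", DEPLOYED))
    expected = sri_hash(DEPLOYED)
    print(passes_integrity(expected, DEPLOYED))  # True: unchanged script runs
    print(passes_integrity(expected, CHANGED))   # False: browser blocks it
```

A blocked script shows up as a console error and a broken checkout, which is the early insight the paragraph describes; the page must be redeployed with a new hash whenever the script is legitimately updated.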
Talk Talk Breach
Talk Talk, a British telecoms organization, was breached in 2015 when customer information was stolen through a SQL injection attack on a database which was outdated, as it hadn't been patched for a number of years. This type of attack is a common cyber security attack; it's OWASP's number 1 attack in their security Top 10.
Cyber security is responsible for determining vulnerabilities in systems and getting these fixed by patching before they can be exploited. In this instance, it looks like the vulnerability management process used was not effective, if one was used at all.
The information itself wasn’t fully encrypted, some of it was partially obscured through encryption, that is masked to only show certain parts of the information, like the last four digits of a credit card number. However, other personally identifiable information was not encrypted like names, addresses and bank details.
Around 160,000 customers were affected with 100,000 of these leaving Talk Talk as part of the fallout from the attack. This was an extremely costly exercise for Talk Talk, as it lost millions in revenue and paid £400,000 in fines to the UK information regulator.
The failure of both cyber security and information security is highlighted by this case, where cyber security failed to deal with the vulnerabilities in the database that exposed it to a common cyber security attack, SQL injection.
Information security protections failed, because the data was not encrypted. However in this instance the cyber security failures are far more shocking, as even if the data was encrypted, the SQL injection attack could still have managed to get data from the database. The information security measures would only have provided additional protection if another method of entry was used where the hackers had limited user credentials and access.
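The SQL injection weakness discussed in the Talk Talk case and its standard fix, as an added example that is not part of the original article: the same customer lookup written with the input pasted into the query text, and written with a parameterized query that keeps the input as data. The table and rows are constructed, using SQLite from the Python standard library.

```python
import sqlite3

# The same lookup written the vulnerable way (query text built from user input) and
# the safe way (parameterized query). The table contents are constructed.


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice", "11-22-33 12345678"),
        (2, "bob", "44-55-66 87654321"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # User input is pasted straight into the SQL text: a quote character in the input
    # ends the string literal and the rest of the input is interpreted as SQL.
    sql = f"SELECT name, account FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # The placeholder keeps the input as a value; it can never change the query's structure.
    sql = "SELECT name, account FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    crafted = "nobody' OR '1'='1"                # constructed input containing a quote
    print(lookup_vulnerable(db, crafted))        # every row: the WHERE clause was rewritten
    print(lookup_safe(db, crafted))              # []: no customer has that literal name
    print(lookup_safe(db, "alice"))              # [('alice', '11-22-33 12345678')]
```

Patching the database, as the paragraph notes, removes known server flaws, but the query-building defect lives in the application code and is only fixed there.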
Information Security and Cyber Security
It's vitally important to understand that cyber security and information security need to work hand in hand to protect an organization's most important asset, information. You can have the best information security protections in place, but if your cyber security protections are weak and get exploited, those information security protections will be worthless.
Likewise, if you have very strong cyber security protections but weak information security protections, then the information is still vulnerable, not from external sources like internet connections and online connected services, but from insiders, like your own employees and third parties including contractors.
This insider threat is very real: organizations suffer from disgruntled employees who want revenge on their employers, through to espionage where employees and contractors are actually moonlighting for competitors or state sponsored hacking regimes.
For my part, I spend a lot of time in my job ensuring the cyber security protections and the information security protections are maximized to protect from external threats like hackers and internal threats like disgruntled employees, rogue contractors and corporate spies.