© Abhishek Chopra, Mukund Chaudhary 2020
A. Chopra, M. Chaudhary, Implementing an Information Security Management System, https://doi.org/10.1007/978-1-4842-5413-4_1

1. The Need for Information Security

Abhishek Chopra (Faridabad, Haryana, India) and Mukund Chaudhary (Noida, India)
 

In theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can’t.

—M. Dacier, Eurecom Institute

This chapter lays the foundation for understanding information security. It discusses the following:
  • What is information security?

  • Information security management and ISO 27001

  • Why is it important to safeguard information?

  • How is the ISO 27001 applicable to you?

What Is Information Security?

Before you learn about information security and see how important it is, you first need to understand terms like information and security.

When you see these two words—information and security—you might wonder what type of information is being discussed and why you would need to secure it.

The truth is that people unknowingly do many things that put their personal information at risk, and they often do not realize the impact of these mistakes.

Securing information is a big challenge. This includes not only the protection of your personal information but also of organizations that store your personal information on their systems. We give organizations our consent to keep our information and they have the responsibility to protect it from getting into the wrong hands.

In addition, an organization’s information could be stolen by their competitors. Industries that are particularly vulnerable include the banking, automobile, aviation, software, and hardware industries.

The type of information that you need to secure includes personal and organizational data.

Personal information includes banking data like ATM card details, transaction details, information regarding banking passwords, and other personal details. Medical reports are also at risk of being stolen—this can be in the form of electronic reports or hard copies.

Organizational data, such as trade secrets, product designs, and customer information, is also at risk and must be secured.

There are various ways and means to protect information. In this book, you will learn about the various best practices. To explain these best practices, the book uses the ISO 27001 information security standard, which is recognized internationally.

The following section discusses data and information, so you have a broader understanding of information security.

Data

Data can be any raw fact used to make decisions. Data is defined as a group of numbers, letters, special characters in the form of text, images, voice recordings, and so on. For example, the number 1034778 could be a bank account number, an enrollment number at a university, a vehicle number, and so on. The number in this example is just raw fact and hence it’s called data.

Information

Information is data that can be processed to provide meaning. Information can be related data that enables you to make decisions. In other words, information brings clarity to the data so that you can act on it.

As per the definition given by Davis and Olson:

Information is data that has been processed into a form that is meaningful to the recipient and is of real or perceived value in current or prospective actions or decisions.

Figure 1-1 shows that information is processed data that gives users meaningful conclusions.
Figure 1-1. How data is processed to get information

Note

We are living in an age in which we deal with lots of information on a daily basis, but we care most about the information that is relevant to us.

Here are some characteristics of information:
  • Availability: The information is available when required. For example, data that you saved to the cloud a few years ago should still be retrievable when you need it.

  • Accuracy: The information is correct. The decisions that you make are based on the accuracy of the information. For example, an experienced team member estimates the project’s timeline and your budget is allocated based on that information. If the information is not correct, that may lead to project delays or even termination.

  • Authenticity: This term refers to the originality of the information. It should not have been altered by anyone else. For example, if you are presenting a status report to your client, it should be authentic or original.

  • Confidentiality: Only those people who have access rights or are authorized can see the information. For example, salary data is confidential, so only authorized persons should be able to access that information.

  • Integrity: Integrity refers to the completeness and correctness of the information: what you save must be stored complete and must not be altered or corrupted. For example, when you save important information to a database and later read it back, you must get exactly what was stored.

Information security is the practice of protecting information from unauthorized use. We are living in an era where electronic devices such as laptops and mobile phones have become part of our basic needs. We save huge amounts of information on our computers, smartphones, storage devices, tablets, and on paper and then we often treat them as ordinary files that have no importance.

But if this information gets into the wrong hands, it can lead to inconvenience, monetary losses, and reputation issues for the organization. Hence, you need to make sure that all your important documents are password protected, and you should avoid the habit of using the same passwords for everything.

Information security is not only about securing information against unauthorized access. It is the practice of preventing unauthorized access, use, modification, and destruction of information.

Let’s now look at why a standard on information security was necessary. You should know the basic history and origin of information security.

How ISO 27001 Applies to You

Imagine you are responsible for securing confidential data. What if this information was stolen? What if your competitor accessed this information? In the wrong hands, personal information can be used against you. This section explains how ISO 27001 can safeguard your information.

ISO 27001: Information Security Management System

The BSI (British Standards Institution) Group originally published the standard called BS 7799. It was written by the United Kingdom government's Department of Trade and Industry (DTI) and consisted of several parts.

The first part, containing the best practices for information security management, was revised in 1998. It was adopted in 2000 by the ISO as ISO/IEC 17799, titled “Information Technology: Code of Practice for Information Security Management”. ISO/IEC 17799 was then revised in June 2005 and incorporated into the ISO 27000 series of standards as ISO/IEC 27002 in July 2007.

The second part of the standard BS 7799 was published in 1999 with the title “Information Security Management System”. The focus of BS 7799-2 was on how to implement an information security management system. Later, this was updated to cover risk analysis and management and was called ISO/IEC 27001:2005.

At the time of writing, the latest published version of the Information Security Management System (ISMS) standard is BS EN ISO/IEC 27001:2017. This is the 2013 ISO text republished as a European and British standard; the 2017 publication introduced no new requirements. The related British standard BS 7799-3:2017 covers information security risk management.

An ISMS is a framework of policies and procedures for managing information security risk. Establishing one involves the following steps:
  • Define an information security policy: The main purpose of an information security policy is to state what top management wants to achieve with its security measures. It tells the organization who is responsible for what, with clear expectations, roles, and responsibilities.

  • Define the scope of the ISMS: The scope sets the boundary that the statement of applicability will refer to. It should name the locations, business functions, personnel, and assets (physical, software, and information) that the information security audit covers, and it should clearly state any exclusions. For example, if you are auditing a software division that includes the HR, IT, and admin departments but not sales and marketing, the scope document should list sales and marketing explicitly as exclusions.

  • Conduct a risk assessment: ISO 27001 is built around risk-based planning, and the assessment starts from the asset register. In simple terms, for each asset you identify which incidents could occur and how likely and how damaging they would be. Input can be gathered by forming a focus group, holding a brainstorming session, or interviewing the asset owners.

  • Manage identified risks: Each identified risk is entered in the risk register and categorized according to the organization's risk management plan. Asset owners are responsible for the risks to their assets. The standard requires you to choose and implement a treatment for every risk, but it does not tell you which treatment to choose.

  • Select the control objectives and controls to be implemented: ISO 27001 lists its reference controls in Annex A. Chapter 7 covers these controls in detail.

  • Prepare a statement of applicability: The statement of applicability (SoA) is one of the most important documents in the system, and organizations generally spend a great deal of time preparing it. It lists every Annex A control, states whether it is included or excluded and why, and describes how each included control is implemented.

This international standard provides requirements for establishing, implementing, maintaining, and continually improving an information security management system. An ISMS is a systematic approach to managing sensitive company information so that it remains secure.

Adopting an ISMS is a strategic decision since it includes people, processes, and IT systems. It can help small, medium, and large businesses in any sector keep their assets secure.

If you are new to ISO 27001 and are familiar with some other standard, you may assume that by purchasing/downloading the standard, you can figure out what you need to do, but that is not the case.

ISO 27001 is not prescriptive. It doesn’t tell you what kind of technology to use to protect your network or how often you need to perform backups, for example. Those decisions need to be made by your organization.

Imagine if the standard prescribed that you needed to back up your system every 24 hours. How do you know that this is the right interval for your organization? Organizations have different needs and different types and amounts of data.

For example, companies like Facebook, Google, LinkedIn, etc. generate petabytes of data every day. The rate of change of their data is very quick and they need real-time backup (or if not real-time, at least hourly backup). Conversely, there are small organizations for which the rate of data change is very slow. Their backup interval could easily be once a week.

Note

Facebook generates four new petabytes of data and runs 600,000 queries and 1 million MapReduce jobs per day. Source: https://research.fb.com/.

ISMSs stand on three main pillars, referred to as the CIA triad (see Figure 1-2):
  • Confidentiality

  • Integrity

  • Availability

Confidentiality

Confidentiality refers to protecting information from being accessed by unauthorized parties. Imagine that you started a new company. You have physical assets like a building, equipment, and computers. You have employees and important data, which are also assets. You want only authorized people to see the data, so you implement confidentiality: only authorized people can access the data and work with it. One way is to encrypt the data files before storing them on disk. Then only people who hold the decryption key can read the data; someone who merely gets hold of the disk, or a copy of the files, sees only ciphertext. Protecting the key therefore becomes the real access control.

In terms of personal information, say you want to open a new savings account at the bank and need to invest $10,000. This information is confidential, as only the bank and you can access it.

Integrity

Integrity refers to the consistency, accuracy, and trustworthiness of data over its entire lifecycle. If you transfer $1001 to your friend, you want to be sure that he receives $1001. You want to be confident that an unauthorized attacker can’t alter or manipulate it to make it $100, or that the bank won’t make an error.
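
The bank transfer example turns on detecting alteration. The following is an added example (not from the book) of how a system makes such a record tamper-evident: a message authentication code (HMAC-SHA256) is computed over the canonical form of the transfer with a key the attacker does not hold, so changing any field invalidates the tag. The field names, the shared key, and the transaction record are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed example key shared by the client and the bank's core system. In a
# real deployment it would come from a key management service, never from source.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"


def canonical_bytes(transfer: dict) -> bytes:
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(transfer, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_transfer(key: bytes, transfer: dict) -> str:
    """Hex HMAC-SHA256 tag that binds every field of the transfer to the key."""
    return hmac.new(key, canonical_bytes(transfer), hashlib.sha256).hexdigest()


def verify_transfer(key: bytes, transfer: dict, tag: str) -> bool:
    """Recompute the tag and compare in constant time; any altered field fails."""
    expected = sign_transfer(key, transfer)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    # The record carries a transaction ID so the receiver can also reject replays.
    original = {"txn_id": "2020-0001", "from": "acct-1001", "to": "acct-2002",
                "amount": 1001, "currency": "USD"}
    tag = sign_transfer(SHARED_KEY, original)
    # An attacker on the path rewrites the amount but cannot recompute the tag.
    tampered = dict(original, amount=100)
    return {
        "original_ok": verify_transfer(SHARED_KEY, original, tag),
        "tampered_ok": verify_transfer(SHARED_KEY, tampered, tag),
        "wrong_key_ok": verify_transfer(b"some-other-key", original, tag),
    }


if __name__ == "__main__":
    print(demo())
```

A MAC provides integrity and origin authenticity, not confidentiality: the amount is still readable by anyone on the path. It also does not by itself stop an attacker from replaying the same valid transfer twice, which is why the record carries a transaction ID that the receiving side must remember and refuse to process again.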

Availability

The availability of data is also very important. If the data is stored in a database, the business or an authorized user must be able to access it when needed. If the data is secured but not available when it is requested, that is a big risk to the company. Say you go to the bank to withdraw money from your account, but the bank official tells you that the service is not available at that time. You will likely lose faith in that bank. Availability is supported by maintaining the hardware and software, keeping the environment free of software conflicts, and providing redundancy and backups so that a single failure does not take the service down. Security equipment such as firewalls and proxy servers can help filter denial of service (DoS) traffic and reduce downtime, but it cannot guarantee availability on its own.
Figure 1-2. The CIA triad

Why Is It Important to Safeguard Information?

Safeguarding information is essential to protecting yourself and your organization against malicious or misguided attacks. As examples of what can happen when your data is not secure, this section describes some real security breaches that happened in the past. These examples will help you understand the following:
  • What the motive was and what kind of information was stolen

  • What the impact was

  • How the security breach happened

Yahoo

Year: 2013 and 2014 (disclosed in 2016 and 2017)

Impact: 3 billion user accounts

Yahoo disclosed two separate breaches. In September 2016 it announced that a state-sponsored actor had, in 2014, stolen the real names, email addresses, dates of birth, and telephone numbers of 500 million users. Three months later it disclosed an earlier, larger breach from 2013; in October 2017 that one was found to have affected all 3 billion accounts, which is where the headline figure comes from. Most of the passwords taken in 2014 were hashed (not encrypted) with bcrypt, a deliberately slow password-hashing function; the 2013 data was protected only with MD5, a fast hash that is cheap to brute-force.
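
The distinction between hashing and encrypting stored passwords matters because a hash cannot be reversed even by the site that stores it, and a salted, slow hash also cannot be matched against precomputed tables. The following is an added example (not from the book and not Yahoo's code) using PBKDF2-HMAC-SHA256 from Python's standard library; bcrypt, the function Yahoo used for the 2014 data, needs a third-party package but plays the same role. The iteration count, storage format, sample password, and the attacker's lookup table are choices made here for illustration.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 is in the standard library. bcrypt (what Yahoo used for the
# 2014 data) and Argon2 need third-party packages but play the same role: a slow,
# salted, one-way function.
ITERATIONS = 600_000   # OWASP's 2023 minimum recommendation for PBKDF2-HMAC-SHA256

# Constructed lookup table: the attacker's precomputed hashes of common passwords.
# Against unsalted MD5 a single lookup recovers every user who chose "password".
KNOWN_MD5 = {"5f4dcc3b5aa765d61d8327deb882cf99": "password"}


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)   # fresh random salt per user, stored alongside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def legacy_md5(password: str) -> str:
    """Unsalted MD5, as in the 2013 Yahoo data. Shown only for contrast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    pw = "correct horse battery staple"
    record_a, record_b = hash_password(pw), hash_password(pw)
    return {
        "verify_correct": verify_password(pw, record_a),
        "verify_wrong": verify_password("wrong password", record_a),
        # Same password, different salt: the two records share nothing an attacker can correlate.
        "salted_records_differ": record_a != record_b,
        # A weak password under unsalted MD5 is recovered with one table lookup.
        "md5_in_lookup_table": legacy_md5("password") in KNOWN_MD5,
    }


if __name__ == "__main__":
    print(demo())
```

Storing the iteration count with each record lets you raise it later for new passwords while still verifying old ones, and rehash a user's password on their next successful login.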

Marriott International

Year: 2014-18

Impact: 500 million customers

In November 2018, Marriott International announced that attackers had stolen the data of up to 500 million guests. Marriott had acquired Starwood Hotels and Resorts in 2016; the attackers had been inside Starwood's reservation system since 2014, and the intrusion was not discovered until September 2018.

For about 100 million of those guests, credit card numbers and expiration dates were taken; for others, only names and contact information. Marriott said the card numbers had been encrypted, but it could not rule out that the two components needed to decrypt them had also been taken.

According to The New York Times, investigators attributed the attack to a Chinese intelligence group.

eBay

Year: May 2014

Impact: 145 million users compromised

In May 2014, eBay reported a cyberattack in which the personal details of all of its 145 million users were stolen, including names, addresses, dates of birth, and encrypted passwords. How did this happen? The attackers used the stolen login credentials of a small number of eBay employees to enter the corporate network, and they had complete access to the user database for more than seven months.

When eBay discovered this breach, they requested its users change their passwords, and they communicated that the users’ credit card numbers were not stolen, as they were stored separately.

Heartland Payment Systems

Year: March 2008

Impact: 134 million payment cards exposed; the attackers used SQL injection to get in and then installed spyware on Heartland's data systems

In January 2009, Visa and MasterCard reported suspicious transactions to Heartland Payment Systems. At that time, Heartland was processing over 100 million payment card transactions per month.

Heartland was found non-compliant with the Payment Card Industry Data Security Standard (PCI DSS), which meant the major card brands were not allowed to process its payments. This ban stayed in place until May 2009. Heartland was also required to pay an estimated $145 million in compensation for fraudulent payments.

The 2009 indictment charged Albert Gonzalez, an American, together with two unnamed Russian co-conspirators, with masterminding the international operation that stole the card data. The entry point was a SQL injection flaw in a web-facing application, which was then (and remains) one of the most common forms of attack against websites.
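
To make the Heartland entry point concrete, here is an added example (not from the book and not Heartland's code) of a cardholder lookup written both ways: the vulnerable form, which splices the user's input into the SQL text, and the hardened form, which binds it as a parameter. It uses an in-memory SQLite table with made-up records; the table name, columns, and payload are assumptions for illustration.

```python
import sqlite3

# Constructed sample data: a tiny cardholder table standing in for a payment
# processor's database. The card numbers are well-known test numbers, not real cards.
SAMPLE_ROWS = [
    ("alice", "4111111111111111", "12/27"),
    ("bob", "5555555555554444", "06/26"),
    ("carol", "378282246310005", "09/28"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (name TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller's string is spliced into the SQL text, so it can
    change the query's structure, not just its value."""
    query = f"SELECT name, pan, expiry FROM cardholders WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is bound as a parameter. The database treats it purely
    as data, however many quotes or keywords it contains."""
    return conn.execute(
        "SELECT name, pan, expiry FROM cardholders WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology payload: closes the opening quote and appends an OR that is
# always true, turning a one-row lookup into a dump of the whole table.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    conn = build_db()
    return {
        "legit_unsafe": len(lookup_unsafe(conn, "alice")),
        "legit_safe": len(lookup_safe(conn, "alice")),
        "payload_unsafe": len(lookup_unsafe(conn, PAYLOAD)),   # every cardholder
        "payload_safe": len(lookup_safe(conn, PAYLOAD)),       # no such name
    }


if __name__ == "__main__":
    print(demo())
```

Parameter binding is the fix, not input filtering: a blocklist of quotes and keywords is bypassed routinely, whereas a bound parameter can never be parsed as SQL. The same principle applies to every database driver and ORM.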

Uber

Year: Late 2016

Impact: Personal information of 57 million Uber users and 600,000 drivers exposed

In late 2016, Uber discovered that attackers had stolen the names, email addresses, and mobile phone numbers of 57 million users of its app, along with the driver's license numbers of 600,000 Uber drivers. The attackers got in by finding credentials for Uber's AWS account in a private GitHub repository used by Uber engineers; with those credentials they could read the data Uber kept in AWS storage.

Uber paid the attackers $100,000 to delete the data and did not disclose the breach until November 2017. It cost Uber in terms of reputation and money.
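
The Uber entry point, a credential committed to a source repository, is exactly what secret scanning is meant to catch before a push. The following is an added example (not from the book and not Uber's tooling) of a minimal scanner for AWS access key IDs and secret keys run over a constructed set of files; the file names and contents are invented, and the key values are the placeholders from AWS's own documentation rather than live credentials.

```python
import re

# Constructed repository contents standing in for files an engineer might commit.
# The key values are the placeholders from AWS's own documentation, not live credentials.
SAMPLE_REPO = {
    "deploy/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in the environment, never in the repo.\n",
    "app/main.py": "import boto3\nsession = boto3.Session()  # credentials come from the environment\n",
}

PATTERNS = {
    # Access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 upper-case
    # alphanumerics, not embedded in a longer token.
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # A 40-character base64-style secret assigned to a variable that names it.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
    ),
}


def scan_text(path: str, text: str) -> list:
    """Return (path, line_number, pattern_name) for every line that matches a pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, kind))
    return findings


def scan_repo(files: dict) -> list:
    """Scan a mapping of path -> file contents. In a pre-commit hook this would be
    the staged files; in CI it should be every file plus the full git history."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, line_no, kind in scan_repo(SAMPLE_REPO):
        print(f"{path}:{line_no}: possible {kind}")
```

Production tools such as gitleaks or trufflehog use many more patterns plus entropy checks and walk the git history, since a secret that was committed once stays in history after it is deleted from the working tree. For the same reason, the only real remediation for a leaked key is to rotate it; scrubbing the repository does not unexpose it.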

Note

The details of these breaches are taken from the CSO Online article at https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html.

NHS Cyberattack

Year: May 2017

Impact: WannaCry crippled some 200,000 computers worldwide with a message demanding payment in bitcoin. This attack resulted in about $112 million in losses.

Hackers released the WannaCry ransomware (also called WannaCrypt or WanaCrypt0r) in May 2017. Early reports blamed email attachments, but WannaCry was a self-propagating worm: it spread by exploiting a flaw in the Windows SMBv1 file-sharing service (MS17-010, the "EternalBlue" exploit) and needed no user interaction, so any unpatched, reachable Windows machine could be infected by an infected neighbor. Microsoft had published the patch in March 2017, two months before the outbreak, but many of the affected systems had not applied it. Once a system was infected, WannaCry encrypted the user's files and displayed a red ransom screen demanding payment in bitcoin to regain access.

Hospitals and GP surgeries in the UK were hit by this ransomware attack. The hospital staff had no option other than to use pen, paper, and their own mobile phones when the attack affected key systems, including telephones and other important equipment. This forced the hospitals to cancel appointments, which resulted in huge losses.

The attackers blackmailed the healthcare systems without any assurance that access would be granted after the payment was done.

Safeguarding Summary

After reading these real-life scenarios, you can see where information security may apply to you and your organization. You learned that you need to reduce or eliminate the risks related to unauthorized disclosure, modification, and deletion of critical information.

Information security applies to any industry. There is a myth that it matters only to the software or IT industries. The fact is that any industry that generates information valuable to it, or to others, needs good information security.

Scenario 1: Banking

Banking transactions are part of our day-to-day activities, and most people have one or more savings accounts. According to the World Bank's Global Findex report for 2017, 69 percent of adults worldwide have an account, up from 62 percent in 2014 and 51 percent in 2011.

India saw a major rise in account numbers after the announcement of PM Narendra Modi’s “Jan Dhan” scheme. The total number of savings accounts rose to 1.57 billion in March 2017, compared to 1.22 billion in 2015.

The numbers clearly show that banking is integral to our daily life and hence securing that data is a continuous challenge. The good news is that with emerging technologies, we can keep our data secure if we follow the guidelines and standard procedures.

If a bank does not secure important information like account details, account balances, and transaction histories, its customers would lose trust in it and may not feel safe depositing money there.

As a personal example, imagine you ran into one of your friends after a long time and she asked for your phone number. You would probably feel comfortable sharing it, since she is your friend. But what if she asked for your credit card number and CVV? You should be willing to share only things that are not confidential. The same goes for banks. Your account number is yours alone, and only you are supposed to get the details of your account, after authenticating your identity.

If you use a mobile banking application, you understand that your customer ID and password are highly confidential; sharing them with others is like handing over the key to your home and valuables. Some countries do not require two-factor authentication, but others require you to enter a high-security code: a one-time password (OTP) sent to your registered mobile number. This gives you some assurance that your transactions are more secure.

Cybersecurity is of utmost importance in the financial/banking sector. The foundation of the banking system is trust and credibility. In this digital age people are going cashless, paying with debit cards, credit cards, and mobile wallets, and in some cases with cryptocurrencies such as bitcoin. In this context, it becomes very important for banks to take every cybersecurity measure to protect your money and your privacy.

For financial institutions such as banks, data breaches can result in serious trust issues. A weak cybersecurity system can lead to data breaches that could easily cause the customer base to take its money elsewhere.

Even after a minor information leak, a bank has to cancel the previously issued card, dispatch a new one, and then monitor accounts for similar incidents.

Banks are responsible for guarding the financial data of their customers and for keeping their operations safe. Banks are prone to security breaches if they are not protected from cybercrime.

These days people do many financial transactions through online banking and ATMs, and both must be very secure. Banks therefore put a lot of effort into safeguarding online transactions and data from attackers.

ATMs are an important part of the banking system and must be secure. There are cases in which the ATM card slot was compromised in a form of theft called skimming. Thieves fit a card reader over the real ATM card slot, usually paired with a hidden camera or keypad overlay to capture your PIN. When you insert your card, the reader copies the magnetic-stripe data, and later the thieves clone the card and use it with your PIN to steal your hard-earned money.

Cosmos Bank Cyberattack

Impact of the attack: $13.5 million stolen from the Cosmos Bank

Scope: ATM switch compromise, SWIFT environment compromise, and malware infection

According to cyber experts, the attacker hacked the ATM switch of the Cosmos Bank to access the firewall server. Figure 1-3 shows an overview of how an ATM switch works.
Figure 1-3. Switch architecture

Whenever you do any transactions like change your PIN or withdraw money, the ATM switch authenticates the transaction. When you do transactions using a different bank's ATM card, the ATM switch verifies that the card is the original card issued by the bank and it belongs to you.

In the case of the Cosmos cyberattack, the hackers bypassed the firewall of the ATM switch and performed self-authorized transactions by using a proxy server that they created.

The attackers connected directly to the bank's server and approved approximately 12,000 ATM withdrawals made with cloned Visa debit cards in several countries. The bank was unaware of the false transactions for two days.

According to the report available from the Maharashtra Special Investigation Team, who investigated the attack, they have not been able to link the attack to any group, since the attacker wiped out all tracks, leaving no evidence of the incident.

Scenario 2: Trade Secrets

We all are aware of Apple and the iPhone. Imagine if you are an Apple employee and are working in the product design department. You have the access to the new iPhone designs before their launch. If this information gets leaked to the outside world, imagine the impact on the company and on the morale of the employees.

Management may feel mistrustful of the employees, thinking that they are the origin of this breach. The outside world may be concerned that the company cannot protect its confidential data. This can have a major impact on company revenue and on the product image. Competitors get to see the new design and might be able to release a similar look-alike product before the launch of the original product at a cheaper price.

It becomes important to protect the product information throughout its lifecycle, from its concept/design phase to the product release phase.

Information security was and always will be a challenge. Apple has faced serious security issues many times. In 2014, the company's iCloud service was hit by a flurry of apparent breaches, culminating in a targeted attack on celebrity accounts that was dubbed Celebgate, in which private images of Hollywood celebrities were leaked to the Internet. Apple said the accounts had been compromised through targeted phishing and password guessing rather than a flaw in iCloud itself, which is the real lesson: data in a cloud service is only as safe as the credentials that guard the account. If you store personal or sensitive data in a cloud service, protect the account with a strong, unique password and two-factor authentication, and encrypt especially sensitive files before uploading them. The same goes for a highly confidential Excel file on your mobile or laptop: keep it password protected.

Scenario 3: Healthcare

Healthcare is one of the sectors in which security awareness is low. Attackers go after systems that are less secure and more easily compromised, and hospital data is often poorly protected. You might wonder what kind of data one can get from a hospital. The answer is social security numbers (SSNs), patient names, the companies they are insured with, their blood types, and so on. This kind of information is very useful to criminals.

From your SSN, or your Aadhaar number if you are in India, they can obtain further interlinked information. Your credit card details are also exposed if you paid by that means. Seemingly innocuous information can be the first step toward stealing confidential information that you would otherwise never share.

According to PwC's Health Research Institute, the cost of a data breach in a hospital can be up to $200 per patient, while the cost of prevention is about $8 per patient. The saying attributed to Desiderius Erasmus, "prevention is better than cure," comes to mind and fits cybersecurity well. Some of the leading healthcare organizations are now investing in information security. So, will the ISO 27001 standard be enough to protect the healthcare industry?

It can help healthcare organizations, but if you want to implement additional healthcare directives pertaining to the healthcare domain, you may choose ISO 27799.
Table 1-1. Directives provided in ISO 27799 (Section 6) but not stated in ISO 27001. Each entry gives the ISO 27799 subsection followed by a summary of the additional directive pertaining to the healthcare domain.

6.4.3

A unique forum called an information security management forum (ISMF) should be established to manage and direct the information security management system activities within the healthcare sector. When organizing the ISMF within the healthcare sector, stakeholder views need to be accommodated and regulatory obligations are to be met.

A scope statement may be used in various types of organizations, but in the case of health organizations, the scope statement should be publicized widely, reviewed, and adopted by the organization’s information, clinical and corporate governance groups. Some health organizations seek comments on the scope statement from clinicians' professional regulatory bodies, which may be aware of other organizations pursuing compliance or certification.

6.4.4.2

Information security risk assessment is important in the healthcare sector because the sector carries high risk due to having facilities such as laboratories, emergency departments and operating theatres. Both qualitative and quantitative factors need to be considered when assessing information security risks in these environments. Examples of issues to consider when designing valuation guidelines are recognizing the importance of patient safety; uninterrupted availability of emergency services; professional accreditation; and clinical regulation.

6.4.4.4

Information custodianship, ownership, and responsibility are issues that are raised when risk assessment is to be undertaken in the healthcare sector. For effective information security risk assessment to be achieved in the healthcare sector, the knowledge and skills listed below are necessary:

a) Clinical and nursing process knowledge, including care protocols and pathways

b) Knowledge of the formats of clinical data and the capability for the misuse of this data

c) Knowledge of external environment factors that could exacerbate or moderate any or all the levels of the risk components described previously

d) Information on IT and medical device attributes and performance/failure characteristics

e) Knowledge of incident histories and actual case impact scenarios

f) Detailed knowledge of systems architectures

g) Familiarity with change management programs that would change any or all the risk component levels

6.4.5.3

There are numerous factors to be considered to define criteria for the acceptance of risks. A selection from these factors includes:

a) Health sector, industry or organizational standards

b) Clinical or other priorities

c) Cultural fit

d) Reactions of subjects of care (patients)

e) Coherence with IT, clinical, and corporate risk acceptance strategy

6.4.6

The organization’s information security officer, data protection officer or risk manager should be responsible for the security improvement plan of the organization on behalf of the ISMF. The plans should be made available to clinical and other staff; they are useful in demonstrating progress and process improvement. These plans are sometimes effective in minimizing interruptions to operations when integrated with information security improvement, planned changes in IT facilities and healthcare.

6.5

Because of the critical nature of health information systems, it is especially important to define responsibilities and action steps in the initial phase of response because events can unfold quickly, and this leaves little time for reflection as a security incident unfolds.

In the health context the ISMF is further responsible for making sure that the risk treatment plan is carried out. In healthcare approving the risk treatment plan may involve both information governance and clinical governance.

Note

If you work in the healthcare domain and have further interest in this topic, check out https://www.iso.org/obp/ui/#iso:std:iso:27799:ed-2:v1:en

Scenario 4: Manufacturing

The manufacturing industry is no different from other industries when it comes to vulnerability. Attackers target manufacturers to steal information about the new products, processes, or technologies they create: a secret formula, blueprints of confidential designs, or a proprietary process. For example, a competitor might try to steal the recipe or unique ingredients behind a new noodle product in order to sell a copy at a lower price and erode the originator's margins and competitive edge.

The operational technology (OT) used by manufacturers is very often unsecured and therefore vulnerable to external cyberattacks and insider threats: control systems frequently run old, unpatched software and cannot easily be taken offline for updates. Attackers know that manufacturers' networks can be compromised easily because awareness of cybersecurity tools and processes is low.

The following sections look at some real-world examples of manufacturing threats. These real-world cases will help you understand the potential consequences for the manufacturing industry.

Stuxnet Virus

In 2011, the Stuxnet worm targeted the programmable logic controller (PLC) systems of Iran’s nuclear program and destroyed many of its nuclear centrifuges. It is said to be one of the most successful industrial attacks in cyber history.

At the time of this writing, no data was available to show the impact in terms of revenue. But the attack successfully destroyed a fifth of Iran's nuclear centrifuges and damaged the country’s nuclear program quite badly.

Scenario 5: Information Technology

This scenario will be familiar to people who work for software development companies or who know how the industry operates. A software company develops software applications/products for its external and internal customers. The company receives a lot of information in the form of requirements from its clients, and this information is highly confidential. It can be considered the intellectual property of the customer, especially if the product/application is not available in the market yet.

It becomes very important for the company to safeguard this information. That’s why many companies require non-disclosure agreements (NDAs) to be signed. Both parties officially agree not to disclose the information to any third party.

An NDA creates a confidential relationship between the parties, in order to protect confidential and proprietary information or trade secrets. Once both companies agree and start working together, we call it a project and assign a team to it.

Note

A project is a temporary endeavor having a definite start and end date. Projects must be aligned to organizational goals and should be executed in a secure environment.

Upon assigning team members to the project, they must be reminded of their responsibilities to safeguard client information. They should never disclose that information to unauthorized persons or to anyone outside the organization.

Consider how the information will be used and accessed during the project execution and all the ways it needs to be safeguarded.

As part of the project, team members need to prepare or access many documents and work on the source code repository. The project manager, with the help of the IT team, must define and provide access for each team member working on the project. Member access is usually defined in terms of read, write, and delete permissions. Only a few privileged members can delete information. This may be part of configuration control, and the role may vary depending on the organization.

It is also important to review the access rights on a regular basis. IT teams who provide access to the source code repository must keep track of users, in order to stop any unauthorized access or tampering with the information. For example, a team member may try to send client information outside the official email system to their personal email or other known contacts. Also, if USB ports are not disabled, it becomes very easy to copy and transfer information to a USB stick and carry it outside.
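One way to operationalize the per-member access definitions and the regular access review described above, as an added example that is not from the book (the user names, roles and the 90-day review period are constructed assumptions):

```python
# Added example, not from the book: a periodic access review for a project's
# source-code repository, modelling the read/write/delete rights the text
# describes. All user and project names are constructed.
from dataclasses import dataclass, field
from datetime import date

READ, WRITE, DELETE = "read", "write", "delete"

@dataclass
class Grant:
    user: str
    permissions: frozenset
    granted_on: date

@dataclass
class Project:
    name: str
    team: frozenset        # members assigned by the project manager
    privileged: frozenset  # the few members allowed to delete
    grants: list = field(default_factory=list)

def grant_access(project, user, permissions, today):
    """IT applies the PM's request, enforcing least privilege at grant time."""
    if user not in project.team:
        raise PermissionError(f"{user} is not assigned to {project.name}")
    if DELETE in permissions and user not in project.privileged:
        raise PermissionError(f"{user} may not hold delete without a privileged role")
    project.grants.append(Grant(user, frozenset(permissions), today))

def review_access(project, today, max_age_days=90):
    """Periodic review: return (user, finding) pairs that need action."""
    findings = []
    for g in project.grants:
        if g.user not in project.team:          # left the project, access still live
            findings.append((g.user, "revoke: no longer on project"))
        elif DELETE in g.permissions and g.user not in project.privileged:
            findings.append((g.user, "reduce: delete right without privileged role"))
        elif (today - g.granted_on).days > max_age_days:
            findings.append((g.user, "re-approve: grant older than review period"))
    return findings

def sample_review():
    """Constructed project: dave left, erin lost her privileged role, alice's grant is stale."""
    p = Project("noodle-app", frozenset({"alice", "bob", "erin"}), frozenset({"bob"}))
    grant_access(p, "alice", {READ, WRITE}, date(2020, 1, 15))
    grant_access(p, "bob", {READ, WRITE, DELETE}, date(2020, 5, 1))
    # legacy grants that never went through grant_access are what the review catches
    p.grants.append(Grant("dave", frozenset({READ}), date(2020, 1, 15)))
    p.grants.append(Grant("erin", frozenset({READ, WRITE, DELETE}), date(2020, 1, 15)))
    return review_access(p, date(2020, 6, 1))
```

Running `sample_review()` lists one action per problematic grant; in practice the grants would be exported from the repository server rather than constructed in code.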

Once the project is delivered, the client might ask to have the source code (developed by the company for the client), which must then be deleted from company systems. This is to ensure that the company doesn’t reuse that source code for its benefit.

Summary

The most important point of this chapter is that information security is critical. The impact of having your personal or organizational information stolen could be devastating; it’s important to safeguard it.

This chapter also discussed who is responsible for information security—the answer is that everybody is responsible! You are responsible for protecting your own information, and, in an organization, it becomes important that every employee understands their responsibility to protect the organization's and clients' information.

This chapter covered a few examples to explain how information security is applicable in different industries. You should now also understand that there is no one way to safeguard information. You may need various controls and checks in place to do so. You will learn more about this in the upcoming chapters that cover ISO 27001 security controls.

The next chapter discusses various aspects of the implementation process and how to start it.
