What Is Information Security?

Information security is the study and practice of protecting information. Its main goal is to protect the confidentiality, integrity, and availability of information. Professionals usually refer to this as the C-I-A triad, or sometimes the A-I-C triad. (A triad is a group of three things considered to be a single unit.)

The C-I-A triad appears in FIGURE 1-1.

FIGURE 1-1
The C-I-A triad.

The need to protect information is not a new concept. For instance, Julius Caesar used a simple letter-substitution code to share secrets with his military commanders. Caesar used this type of code, called a Caesar cipher, to ensure that his enemies could not read his messages. Cryptography is the practice of hiding information so that unauthorized persons cannot read it. Using cryptography preserves confidentiality, because only those with the secret key are able to read an encoded note.
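The letter-substitution scheme described above, as an added example that is not part of the original text: each letter is shifted a fixed number of places (the key), and shifting back recovers the note. The last function shows why the scheme offers little confidentiality today: with only 25 usable keys, anyone holding the ciphertext can list every possible decoding and pick the readable one, so confidentiality rests entirely on keeping the key secret and, for a real cipher, on a key space far too large to enumerate.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar_shift(text: str, key: int) -> str:
    """Shift every letter by `key` positions (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    """Encode a message for a recipient who knows `key`."""
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    """Reverse the shift; only the holder of `key` is meant to be able to do this."""
    return caesar_shift(ciphertext, -key)


def all_candidate_plaintexts(ciphertext: str) -> dict:
    """Enumerate the whole key space (keys 1..25) to show how small it is.

    The readable entry is the original message, which is why this cipher
    no longer provides meaningful confidentiality against an adversary.
    """
    return {k: decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    # Constructed sample message, not from the text.
    secret = encrypt("ATTACK AT DAWN", 3)
    print(secret)                      # DWWDFN DW GDZQ
    print(decrypt(secret, 3))          # ATTACK AT DAWN
    print(all_candidate_plaintexts(secret)[3])
```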

NOTE

You might think that information security refers only to data stored on a computer. However, it refers to information in both paper and electronic form.

Secret decoder badges were popular during the golden days of radio (about 1920–1950). Business sponsors often paid for decoders to market their products, and radio program fan clubs gave them to their members to promote specific radio shows. These secret decoder badges often used a Caesar cipher.

In some ways, however, information security is a relatively new area of study. Modern computing systems have existed only since the 1960s, and the internet did not exist in its current form until almost 1983. The first well-known computer security incident was discovered in 1986, and President Obama created the first “cybersecurity czar” in the federal government in 2009.

The range of information security topics may seem overwhelming. However, it is important to keep in mind that the main goal of information security is to protect the confidentiality, integrity, and availability of data.

What Is Confidentiality?

Confidentiality means that only people with the right permission can access and use information. It also means protecting information from unauthorized access at all stages of its life cycle. You must create, use, store, transmit, and destroy information in ways that protect its confidentiality.

NOTE

Cliff Stoll described the first well-known computer security incident in his book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Stoll noticed an error in the records of systems connected to the internet’s predecessor—the Advanced Research Projects Agency Network (ARPANET). During the investigation, he exposed an international plot to steal information from U.S. computer systems.

Encryption is one way to make sure that information remains confidential while it is stored and transmitted. The encryption process converts information into code that is unreadable. Only people authorized to view the information can decode and use it, thereby protecting the information’s confidentiality. Attackers who intercept an encrypted message cannot read it because they do not have the key to decode it.

Access controls, another way to ensure confidentiality, grant or deny access to information systems. An example of an access control is requiring a password or PIN to access a computer system. Passwords keep unauthorized individuals out of information systems. You also can use access controls to ensure that individuals view only information they have permission to see.

Individuals can compromise information confidentiality on purpose or by accident. For example, shoulder surfing is a type of intentional attack. It occurs when an attacker secretly looks “over the shoulder” of someone at a computer and tries to discover his or her sensitive information without permission. Shoulder surfing is a visual attack, because the attacker must view the personal information. This term also describes attacks in which a person tries to learn sensitive information by viewing keystrokes on a monitor or keyboard. Attackers use the stolen data to access computer systems and commit identity theft.

Social engineering is another type of attack that represents an intentional threat to confidentiality. These attacks rely heavily on human interaction. They take advantage of how people normally talk with one another and interact. Social engineering is not a technical attack; it involves tricking other people into breaking security rules and sharing sensitive information. Social engineering attackers take advantage of human nature, such as kindness, helpfulness, and trust. Because the attackers are so charming, their victims want to help them by providing information. The attacker then uses the information obtained from the victim to try to learn additional sensitive information. The attacker’s ultimate goal is to obtain enough information to access computer systems or gain access to protected areas.

FYI

The classic film The Sting is a great example of a social engineering scam. In the movie, two con artists, played by Paul Newman and Robert Redford, set up an elaborate plan to con a man out of his money. Their scam, which takes advantage of human nature, relies heavily on manipulating the victim and those around him.

Kevin Mitnick is perhaps one of the best-known computer hackers of all time. In his book The Art of Deception, he writes that he gained much of the information he used to compromise computer systems through social engineering. Mitnick said that it was very easy to get information from people if he asked questions in the right way.

Confidentiality compromises also take place by accident. For example, an employee of the U.S. Transportation Security Administration (TSA) posted a redacted copy of a TSA manual on a federal website in December 2009. This manual described how TSA agents should screen airline passengers and luggage. It also contained the technical details of how airport screening machines work. The manual contained pictures of identification cards for average Americans, Central Intelligence Agency employees, and U.S. legislators.

The TSA posted the manual by mistake, and for several months the public had access to the manual online. Although TSA employees had redacted some portions of the manual, the TSA improperly performed technical aspects of the redaction. Therefore, some people were able to uncover the original information with common software tools. Those people then reposted the manual on several other nongovernmental websites. Some of these websites posted the document with all of the original text available.

The manual also highlighted the increase in airport security requirements after the September 11, 2001 terrorist attacks. Once posted, the unredacted material could have been used by attackers to exploit new airport security measures. The TSA argued that posting the manual did not compromise the safety of U.S. air travel. Nonetheless, lawmakers immediately questioned the TSA about the incident and asked how the TSA would mitigate the disclosure. Lawmakers wanted to know how the government could prevent other websites from reposting the unredacted manual. They also asked what the TSA would do to prevent similar mistakes in the future.

What Is Integrity?

Integrity means that information systems and their data are accurate. It ensures that changes cannot be made to data without appropriate permission. If a system has integrity, it means that the data in the system is moved and processed in predictable ways and does not change when it is processed.

Controls that ensure the correct entry of information protect the data’s integrity. In a computer system, this means that if a field contains a number, the system checks the values that a user enters to make sure that the user actually entered numbers. Making sure that only authorized users have the ability to move or delete files on information systems also protects integrity. Antivirus software is another example of a control that protects integrity. This type of software checks to make sure that there are no viruses in the system that could harm it or change the data in it.

Information system integrity can be compromised in several ways, either accidentally or intentionally. For example, an employee may accidentally mistype a name or address during data entry. Integrity is compromised if the system does not prevent or check for this type of error. Another common type of accidental compromise of integrity is an employee deleting a file by mistake.

Integrity compromises also can take place intentionally. Employees or external attackers are potential threats. For example, suppose an employee deletes files that are critical to an organization’s business. The employee might do this on purpose because of some grievance against the organization. Employees or others affiliated with an organization are sometimes called insider threats when they purposefully harm an organization’s information systems. External attackers also are a concern. They can infect information systems with computer viruses or vandalize a webpage. External attackers who access systems without permission and deliberately change them harm confidentiality and integrity.

In 2007, three Florida A&M University students installed secret keystroke loggers on computers in the university registrar’s office. A keystroke logger is a device or program that records the keys pressed on a keyboard (and, in some cases, mouse activity), which the students used to obtain the usernames and passwords of registrar employees. For a fee, the hackers modified 650 grades in the computer system for other students, changing many failing scores to an “A.” The student hackers also changed the residency status of other students from “out-of-state” to “in-state,” which resulted in the out-of-state students paying less tuition.

The university discovered the keystroke loggers during a routine audit. It then found the modified data. Although the university fixed the incorrect data, the student hackers accessed the system and changed the data again. However, the university discovered the hackers’ identities through additional security measures such as logging and audit review.

Prosecutors charged the student hackers with breaking federal laws. The court sentenced two of them to 22 months in prison each. In September 2009, it sentenced the third student hacker to 7 years in prison.

The Florida A&M case illustrates how safeguards can be implemented to protect the integrity of computer systems. Routine security audits can detect unauthorized or harmful software on a system.
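The integrity controls discussed above (validating entries, restricting writes to authorized users, and auditing stored data) as an added example that is not part of the original text. A hypothetical registrar records store keeps a keyed tag (HMAC) beside each grade; the only sanctioned write path validates the grade, refreshes the tag, and logs the change. An audit recomputes the tags and reports any record whose stored value was changed outside that path, which is how a direct edit of the data (as in the case above) would surface. The key name, the record layout, and the sample data are all constructed for this example.

```python
import hashlib
import hmac

# Hypothetical audit key. It must be kept apart from the database and from the
# accounts that can edit grades; an attacker holding it could re-tag edited rows.
AUDIT_KEY = b"constructed-example-key-not-for-real-use"
VALID_GRADES = {"A", "B", "C", "D", "F"}


def record_tag(student_id: str, grade: str, key: bytes = AUDIT_KEY) -> str:
    """Keyed tag binding a student id to its grade."""
    msg = f"{student_id}|{grade}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorized_update(records: dict, student_id: str, new_grade: str,
                      actor: str, log: list) -> None:
    """Sanctioned write path: validate the entry, store it with a fresh tag, log it."""
    if new_grade not in VALID_GRADES:
        raise ValueError(f"invalid grade {new_grade!r}")
    records[student_id] = {"grade": new_grade,
                           "tag": record_tag(student_id, new_grade)}
    log.append(f"{actor} set {student_id} to {new_grade}")


def audit(records: dict, key: bytes = AUDIT_KEY) -> list:
    """Return ids whose grade no longer matches its tag: modified outside the sanctioned path."""
    tampered = []
    for sid, row in records.items():
        expected = record_tag(sid, row["grade"], key)
        if not hmac.compare_digest(expected, row["tag"]):
            tampered.append(sid)
    return sorted(tampered)


def demo() -> list:
    """Constructed scenario: two legitimate entries, then a direct edit of one stored grade."""
    records, log = {}, []
    authorized_update(records, "s1001", "F", "registrar", log)
    authorized_update(records, "s1002", "B", "registrar", log)
    records["s1001"]["grade"] = "A"   # bypasses authorized_update: no new tag, no log entry
    return audit(records)


if __name__ == "__main__":
    print(demo())   # ['s1001']
```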

What Is Availability?

Availability, the security goal of making sure information systems operate reliably, ensures that data is accessible when it is needed. It also helps to ensure that individuals with proper permission can use systems and retrieve data in a dependable and timely manner.

Organizations need to have information available to conduct their business. When systems work properly, an organization can function as intended. Ensuring availability means that systems and information are available during peak hours when customer demand is high. System maintenance should be scheduled for off hours when customer demand is low.

Availability can be protected in several ways. Information systems must recover quickly from disturbances or failures. Organizations create plans that describe how to repair or recover systems after an incident. These plans specify how long systems may be offline before an organization starts to lose money or fails to meet its business goals. In the worst case, an organization might go out of business if it cannot repair its information systems quickly.

Organizations also can protect system availability by designing systems to have no single points of failure. A single point of failure is a piece of hardware or application that is key to the functioning of the entire system. If that single item fails, a critical portion of the system could fail. Single points of failure also can cause the whole system to fail.

A simple example of a single point of failure is a modem that connects an organization to the internet. If the modem fails, the organization cannot connect to the internet. Thus, if the organization does most of its business online, the modem failure can seriously hurt its business.

Organizations also can protect availability by using redundant equipment that has extra functional elements designed into it. In the event of a failure, the extra elements make sure that the piece of equipment is still able to operate for a certain period. Backing up systems also ensures their availability.

Attackers target availability in order to harm an organization’s business. As an example, a denial of service (DoS) attack disrupts information systems so they are no longer available to users. These attacks also can disable internet-based services by consuming large amounts of bandwidth or processing power, as well as disable an organization’s website. These services are critical for businesses that sell web-based products and services or provide information via the internet.

Not all DoS attacks directly target information systems and their data. Attackers also target physical infrastructures. For example, an organization can experience a loss of availability if an attacker cuts a network or power cable. The result is the same as a technical DoS attack: Customers and other audiences cannot reach the needed services.

Unplanned outages can also negatively impact availability. An outage is an interruption of service. For example, natural disasters may create outages, such as a power outage after an earthquake. Outages also take place if a technician accidentally cuts a service cable.

NOTE

Domain Name Service (DNS) providers translate internet domain names into Internet Protocol (IP) addresses. In 2016 the Mirai malware was used to attack a major DNS provider named Dyn. The Dyn attack was one of the largest DoS attacks to date, affecting websites for large companies such as Netflix, Amazon, and the New York Times.

A website experiencing an increase in use can result in a loss of availability. When Michael Jackson died in 2009, for example, the internet experienced a massive increase in search queries from people trying to find out what had happened to him. The rapid rise in search traffic caused Google to believe it was under a DoS attack. In response to this perceived attack, Google slowed down the processing of “Michael Jackson” queries. Users entering those queries received error messages until Google determined its services were not under attack.

The Michael Jackson/Google example shows that organizations can take actions to make sure their information systems are available to their customers. These actions can alert organizations to an issue, prompting them to take steps to correct it.
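The surge detection the Google example describes, as an added example that is not part of the original text: a sliding-window counter per query term raises an alert the first time the count inside the window exceeds a threshold. The constructed log mixes a steady baseline term with one that suddenly spikes; only the spiking term is reported. As the example above shows, a surge can be legitimate demand rather than an attack, so the detector only alerts and leaves the decision to throttle to a separate step. Window size, threshold, and sample data are assumptions for this example.

```python
from collections import defaultdict, deque


def surge_detector(events, window_seconds: float, threshold: int) -> list:
    """Alert once per term when its count within the trailing window exceeds `threshold`.

    `events` is an iterable of (timestamp_seconds, query_term). Returns a list of
    (term, timestamp, count) tuples, one per term that surged.
    """
    windows = defaultdict(deque)   # term -> timestamps still inside the window
    alerted, alerts = set(), []
    for ts, term in sorted(events):
        q = windows[term]
        q.append(ts)
        while q and q[0] <= ts - window_seconds:   # drop timestamps that aged out
            q.popleft()
        if len(q) > threshold and term not in alerted:
            alerts.append((term, ts, len(q)))
            alerted.add(term)
    return alerts


def constructed_query_log() -> list:
    """Sample traffic: 'weather' at 1/s for 60 s; the other term at 1/s for 30 s, then 20/s."""
    events = [(t, "weather") for t in range(60)]
    events += [(t, "michael jackson") for t in range(30)]
    events += [(t + i / 20, "michael jackson") for t in range(30, 40) for i in range(20)]
    return events


def run_demo() -> list:
    # Alert when a single term exceeds 100 queries in any 10-second window.
    return surge_detector(constructed_query_log(), window_seconds=10, threshold=100)


if __name__ == "__main__":
    for term, ts, count in run_demo():
        print(f"surge: {term!r} reached {count} queries in 10 s at t={ts:.2f}s")
```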
