What is information security?
Information security encompasses practice, processes, tools, and resources created and used to protect data. This can include both physical information (for example in print), as well as electronic data.
Often referred to as InfoSec, information security includes a range of data protection and privacy practices that go well beyond data processing. Sometimes, information security is referenced as data security.
Some examples of data types that might be covered by information security include, but are not limited to, personal health information (PHI); personally identifiable information (PII), for example, names, addresses, Social Security numbers, and birth dates; financial information, such as bank accounts and credit card numbers; and company information, such as internal financials, research and development information, customer lists and information, and competitive data.
The SANS Institute defines information security as processes and methodologies “designed and implemented to protect print, electronic, or any other form of confidential, private, and sensitive information or data from unauthorized use, misuse, disclosure, destruction, modification, or disruption.”
Many people mistakenly think that information security relates only to PHI or PII. Many organizations create, store, maintain, and transmit a range of data types covered by information security practices. As an organization, for example, you may create, access, or store information such as employee health records or salary data, as well as information about your customers, for example, their latest purchases. Further, your organization’s internal data, for example, company plans to scale or new product research information, may also be data under the umbrella of your information security practices.
Years ago, many organizations may have approached information security from a worst-case perspective, for example, by implementing controls that might limit the impact of a security threat. However, today, as organizations across a range of industries face a growing number of threats from an evolving threat landscape and increasingly complex environments, modern information security practices must also include proactive and flexible approaches to protect the confidentiality, integrity, and availability of sensitive and confidential information.
Today, threats for InfoSec are not just increasing, they’re persistent and increasingly difficult to discover and prevent. Modern information security threats aren’t limited to one technology type or location. They encompass a full range of technologies and exist around the world.
Information security issues are further complicated by our evolving work environments, where a growing number of organizations now rely on full or partially remote teams, increasing the reliance on technology, for example email and software as a service (SaaS) applications to handle critical day-to-day business functions.
Email is among attackers’ favorite attack vectors, where they hope a malicious link click, file download, or successful phishing or social engineering scheme will result in the release of credentials or other critical information that can be used to gain a foothold in systems and move laterally—often undetected for months—throughout an entire enterprise. It’s a favorite vector for deploying malware, such as ransomware, across systems that can lead to data exfiltration, damage, misuse, or destruction.
And while some basic cyber hygiene is helpful, unfortunately if not part of a larger program and education and training initiative, your organization could still fall prey to information security attacks. Today, what once were considered “good” passwords might not be enough to keep would-be attackers at bay, especially if your organization hasn’t implemented tried-and-true best practices that drive home the do’s and don’ts for effective password creation and management.
InfoSec issues are even further complicated by the rapid adoption of cloud computing, which takes a specific set of skills to manage that are often very different from on-premises information security practices.
Cloud adoption brings with it a full range of benefits for organizations, but those benefits also introduce new information security risks. That’s compounded even more when organizations use public cloud services instead of private, where their data could face additional risk from successful attacker penetration at other points within the cloud service provider’s infrastructure.
When it comes to information security, the reality is that a range of targeted threats is constantly emerging, and InfoSec professionals must be attuned to all of them. Why? Because attackers are ready to exploit the weakest spot within your enterprise, often without you knowing.
What are the three principles of information security?
Most organizations build their information security around three core principles: confidentiality, integrity, and availability. If you’re a healthcare organization or business associate, for example, these terms will likely be familiar to you as they are included in mandates established through the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
When we talk about the three core principles of information security here, the concepts are not exclusive to healthcare, but there may be congruences.
In terms of information security, confidentiality pertains to data use. This means your organization has implemented policies and practices to ensure data is not disclosed to or misused by unauthorized people, entities, or for unauthorized purposes. For example, if your employee prints out a document that contains PHI and leaves that document sitting on a table in the employee break room, the confidentiality of that information may be in question.
Here, integrity is all about ensuring that your organization’s data is complete and accurate—that data integrity is there. By ensuring data integrity, your organization has implemented controls that prevent that data from being altered in an unauthorized manner. For example, let’s say you allow your employees to use Bring Your Own Devices (BYOD) for work. When your employee leaves the organization, if you fail to remove accessibility from that device, then you may have left a door open for that employee to improperly alter your data.
When we’re discussing information security, there is an expectation that your organization’s data will be accessible as needed. For example, your human resources representative may need to look up an employee’s date of hire. There is an expectation that that sensitive data will be available as needed.
What are some information security examples?
There are a range of information security types and processes, but some of the more common areas include: application security, cloud security, cryptography, infrastructure security, incident response, and vulnerability management.
Application security encompasses all processes related to the creation, development, updates, and modifications to applications throughout the software development lifecycle (SDLC) to identify and fix security issues (in the best cases, pre-deployment) before attackers can successfully exploit them.
Cloud security represents all of the processes, tools, and resources your organization employs to continuously assess all of your cloud assets to uncover and fix vulnerabilities, misconfigurations, and other security weaknesses.
Cryptography includes processes to secure data to ensure communication and processing that prohibits unintended users from reading or accessing protected data.
Infrastructure security goes beyond traditional network monitoring into a comprehensive approach to protecting complex enterprise environments, including IT, cloud, OT, IoT, and IIoT.
Incident response is a critical part of information security. It includes the plans and resources your organization has in place to ensure your teams can effectively respond to and recover from disruptions and other security issues.
Vulnerability management is a common information security practice used by organizations of all sizes across a range of industries. Vulnerability management is an ongoing process that includes proactive discovery of all of your organization’s assets, as well as continuous monitoring of security issues, mitigation, remediation, and defense tactics to protect your environments from threats.
What are some common information security threats?
While the list of information security threats is constantly evolving, there are some common infosec threats. While hackers are common and headline-making security threats, they’re not the only information security risk organizations face today.
Information security threats can also come in the form of insider threats, for example, a disgruntled employee who damages or alters company data. There are also increasing risks created by the growing number of assets organizations manage that may have access to sensitive data. Whether it’s a company-owned device such as a laptop, tablet, or computer, or a bring your own device (BYOD) such as a smartphone, lost, misplaced, or unsecured technologies are among that growing list of today’s information security threats.
But it’s not just technology that can put your information security at risk. Your employees can be a contributing factor, as well. For example, let’s say your business shares office space with other businesses within the same building. Two colleagues walk into the common-area lobby to discuss an important issue. In doing so, they share information about new product development that is overheard by an employee from another company. This is an example of a common information security risk.
Some other examples may include sending an email with sensitive data to the wrong person, mistakenly adding an attachment to an email the receiver is not authorized to access, mistyping a cell phone number when sending sensitive information via text message, or leaving an unprotected laptop open and walking away from it.
What are some common information security attack vectors?
While any of the information security risks mentioned above could open a pathway for an attack, there are other common information security attack vectors that apply to a range of circumstances and environments. Here are a few:
Exploiting misconfigurations and unpatched systems.
Malware attacks are growing in number and complexity, with ransomware among the favorite attack vectors. When malicious software is installed on a device, for example by downloading an infected file, clicking a malicious link, or visiting an infected website, attackers can often move laterally through your network, usually undetected for long periods of time, causing far-reaching damage and potentially exfiltrating, destroying, or damaging sensitive data. In addition to ransomware, attackers may infect devices with Trojan horses, viruses, or even spyware.
Phishing schemes or social engineering:
At their heart, phishing schemes and social engineering attempts have common goals—to get unsuspecting users to click malicious links, download malicious files, or divulge information such as credentials to gain access to systems and data. Phishing has recently risen to the top of the list of common attack vectors, showing significant growth in recent years.
Denial of Service (DoS) and Distributed Denial of Service (DDoS):
Flooding attacks to use up bandwidth and CPU resources so systems can’t respond to actual service requests.
Cross-Site Scripting (XSS):
Putting malicious code on websites to target visitors.
Compromising users through unsecured networks like public Wi-Fi.
Structured Query Language (SQL) injection:
Putting malicious code on a server and then using SQL to access sensitive information that otherwise wouldn’t be accessible.
Zero day exploits:
Exploiting a system after a threat is publicly announced but before a patch or other fix is released.
While this may come in the form of a successful breach, unauthorized access may also be the result of an employee or contractor abusing or misusing system or data access privileges.
Advanced Persistent Threats (APTs):
These are commonly ongoing and targeted attacks where, after an attacker gets access to your enterprise, they remain undetected for generally long periods of time, for example, watching your network activity and stealing data and other sensitive information.
Why is information security important?
Information security is important for a range of reasons. Information security can:
- Help ensure your organization meets all of its mandatory compliance, regulatory, and other legal requirements to protect sensitive data.
- Help build confidence in your organization’s ability to conduct business on the day-to-day without significant disruption.
- Protect sensitive data your organization creates, transmits, processes, or stores, whether that data is in motion or at rest.
- Protect your critical assets, systems, data, and core functions.
- Protect the confidentiality, integrity, and availability of data.
- Create a competitive advantage.
- Help align your IT and cybersecurity team goals with your business goals and objectives.
Are there common challenges for information security?
Yes. There are a number of challenges for information security. While these challenges may be unique to your organization’s specific composition and needs, some common challenges exist across industries and organizational complexity based on the fact that the modern threat landscape is continuously evolving. Alongside this, most enterprises are increasingly complex at the same time.
The more interconnected organizations become, the more they rely on technologies (internally and through third parties) to conduct business, the more challenges they’ll encounter for information security management (ISM).
When you establish your relationship with a public cloud provider, it’s likely you’ll sign a service level agreement (SLA) or other contract, which should outline who is responsible for which security components. Make sure both parties have a clear understanding of expectations and be sure to routinely follow-up throughout the course of your relationship and any time you have a contract or other similar renewal. If you’re using a public cloud provider that is compliant with your organization’s regulatory requirements, ask to see compliance audit documentation.
As attack vectors increase and more technologies, assets, applications, and services are deployed within an organization, the more vulnerabilities and security issues arise. Many teams just don’t have the time, resources, or experience to tackle them all. This is a challenge further complicated by a far-reaching shortage of skilled information security professionals around the globe. And, in light of the pandemic, we’re seeing a growing number of skilled professionals saying they have plans to make job changes. In fact, Microsoft’s Work Trend Index said that more than 40% of the global workforce was considering leaving their employers last year.
Who is responsible for information security?
While some may argue that your chief information security officer (CISO) or IT director is responsible for your information security program, the reality is information security is not just an IT issue. Everyone within your organization is responsible for data protection, privacy and security. And that’s not just the people doing the day-to-day work within your organization. Your executive leadership team, key stakeholders, and your vendors across your supply chain are also responsible for information security and meeting compliance and regulatory mandates specific to your industry and/or organization.
What are some common information security technologies?
There are a growing number of information security technologies that can help your organization manage data security. Here are a few examples:
Evaluating all of your cloud resources to ensure you have no misconfigurations or policy violations so you can identify issues, mitigate threats, and remediate before a potential breach occurs.
Data loss prevention:
Data loss prevention (DLP) tools can help ensure your organization doesn’t lose your data. DLP can take several forms including data backups and data monitoring.
Endpoint detection and response:
Endpoint detection and response tools help you monitor a range of end user activities and, similar to intrusion detection tools, can help you determine if any activities on your endpoints are suspicious and then respond to those issues. One of the benefits of employing endpoint detection as part of your information security program is that it can help you discover potential security issues on your endpoints before they cross over into your networks or enable data transfer or exfiltration.
Firewalls are common tools used to protect networks. You can configure your firewalls and establish policies to enable, monitor and filter network traffic and alert you to suspicious activities and policy violations.
Infrastructure as Code (IaC):
Infrastructure as code can help you protect your cloud-native stack throughout your entire DevOps lifecycle, from code through production to usage, including insight to discover any flaws or security weaknesses, policy issues, or attack paths before provisioning to the cloud.
An intrusion detection tool can help your organization automatically monitor network traffic and alert you to potentially malicious activities. It’s often used in conjunction with an intrusion prevention system.
These tools can help you respond to unusual network activities. For example, through an intrusion prevention tool, you can end a connected session or block traffic requests. These tools are often used in conjunction with an intrusion detection system and align with your organization’s security policies and plans.
Security incident and event management (SIEM):
A SIEM is a tool that can help your organization collect and evaluate information from across your enterprise so you can seek out threats more effectively. Most SIEMs offer event and intrusion detection alerts and event logging to help your teams automate some of your common information security practices. SIEMs can be effective tools for managing compliance and for helping you identify weaknesses so you can make plan improvements and close gaps before a data breach incident occurs.
User analytics tools help you log and evaluate user behaviors so you can more easily spot suspicious or unusual activities, which may be potential threats. For example, if a user rarely downloads large files or high volumes of data and suddenly you discover unusual transfers, you may have an information security issue that needs your attention.
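The check described above (a user who rarely moves much data suddenly transferring a lot) can be sketched as a per-user baseline comparison. This is an added example, not Tenable's code or any product's algorithm; the log format, the sample records, and the `min_history` and `threshold` values are assumptions made for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample data, one record per line:
# "<date> <user> <bytes downloaded that day>"
SAMPLE_LOG = """\
2024-03-01 alice 12000000
2024-03-01 bob 850000000
2024-03-02 alice 15000000
2024-03-02 bob 900000000
2024-03-03 alice 11000000
2024-03-03 bob 820000000
2024-03-04 alice 14000000
2024-03-04 bob 880000000
2024-03-05 alice 13000000
2024-03-05 bob 860000000
2024-03-06 alice 12000000
2024-03-06 bob 870000000
this line is malformed and is skipped
2024-03-07 alice 900000000
2024-03-07 bob 910000000
"""


def parse(log_text):
    """Yield (day, user, bytes) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])


def flag_unusual_transfers(log_text, min_history=5, threshold=6.0):
    """Return (day, user, bytes, score) for transfers far above the user's own norm.

    The score is a robust z-score: distance from the user's median, measured in
    units of the median absolute deviation (MAD) of that user's earlier days.
    """
    history = defaultdict(list)
    alerts = []
    for day, user, nbytes in parse(log_text):
        past = history[user]
        if len(past) >= min_history:
            median = statistics.median(past)
            mad = statistics.median([abs(x - median) for x in past])
            # Floor the spread at 5% of the median so a perfectly steady
            # user neither divides by zero nor alerts on tiny changes.
            spread = max(mad, 0.05 * median, 1.0)
            score = (nbytes - median) / spread
            if score > threshold:
                alerts.append((day, user, nbytes, round(score, 1)))
                continue  # keep the outlier out of the baseline
        # Users with fewer than min_history records only build a baseline.
        past.append(nbytes)
    return alerts


if __name__ == "__main__":
    for day, user, nbytes, score in flag_unusual_transfers(SAMPLE_LOG):
        print(f"{day} {user}: {nbytes} bytes is {score}x the usual spread above normal")
```

In the sample data, roughly 900 MB in a day is flagged for alice, whose normal is about 12 MB, but not for bob, who moves that much every day; the comparison is against each user's own history rather than a single global limit.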
What is InfoSec?
InfoSec is a commonly used term that combines the words information security. InfoSec represents your organization’s policies, plans, processes, tools and resources to protect and secure data to prevent breaches, unauthorized access, and other data security issues.
Are cybersecurity and information security the same?
No. Cybersecurity and information security are not the same. They are, however, commonly confused and used interchangeably. The simplest way to explain the differences lies within each program’s scope. InfoSec, for example, generally refers specifically to the processes related to data security while cybersecurity’s scope is broader and includes a range of practices including information security.
How can I build an information security program?
While many organizations come right out of the gate seeking technologies to help build, implement, and manage their information security programs, many overlook some important first steps.
As with many program implementation processes, real success often begins with executive engagement and key stakeholder buy-in. This is where your program leader should seek to establish and build relationships with an executive sponsor, someone who understands your program and requirements, will help you align your information security program with your organization’s business goals, and will ensure you have the people, resources, and finances to succeed.
Your executives and stakeholders will play critical roles in approving your information security strategy, including risk profiles and thresholds, as well as other governance oversight. They may also have important contributing roles in compliance, which can help guide your program development.
While you’re working on that executive sponsor relationship, you’ll also want to build your information security team. And remember, information security is not just an IT issue, so you’ll want a good cross-representation of your organization on your team. Consider bringing in senior and middle-level managers across your organization in the areas of compliance, cybersecurity, risk management, business continuity, disaster response, and crisis management to gain an understanding of the congruences between your programs and shared goals.
Once you have your team in place, you’re going to need comprehensive insight into your organization’s assets, systems, and data. Remember, you can’t protect something if you don’t know about it.
Many organizations say this is a big stumbling block for program success. Many just don’t know how many assets they have, where they are, how they’re used, or who has access. Even more critical and often overlooked is the step aligning these assets with critical processes, products and services.
That’s why creating a comprehensive and updated asset inventory is an important part of developing your information security program. Don’t forget about things such as SaaS applications or cloud services. They should be included in your asset inventory as well.
Once you’ve compiled your list and understand how they’re used and who they’re assigned to, you may find it helpful to categorize that inventory in a way that makes most sense for your organization. For example, you may want to group together the assets required to continue operations as normal if you experienced a breach or other disruption.
Your asset inventory shouldn’t be approached as a one-and-done process. Routinely update this inventory. Automating asset inventory ensures you have all the minute detail on every asset and that it’s fully up-to-date so you can detect threats and risk before they cause damage.
Once you know where all your assets are and how they’re used, this will help you have a better understanding of where you have risks and face information security threats. For example, do your assets have specific threats or vulnerabilities that should be addressed? Do they need patches or updates? What types of threats do these assets introduce into your organization?
When you have good insight into your threats, it’s important to assess that risk and score them based on likelihood and impact. Are there threats that exceed your organization’s risk tolerance levels? Do you have plans to mitigate or remediate any of these risks? How will you prioritize which risks to address first and then in what order?
Just like your asset inventory shouldn’t be one-and-done, your risk management processes should not be shelved away either. When it comes to information security, your organization may be better protected if you adopt continuous risk management practices. This practice can help ensure you always know where you have risks, even as your environment changes, so you can compare those risks against others and make plans for prioritization and remediation.
When we talk about risk management for information security, remember you have four key objectives here. Will you:
- Mitigate the risk?
- Transfer the risk (for example to a third-party)?
- Accept the risk?
- Avoid the risk?
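The scoring and prioritization steps above can be worked through with a small risk register. This is an added example, not part of the original page; the 1 to 5 scales, the tolerance of 9, and the register entries are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    """The four options the text lists for handling a risk."""
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    ACCEPT = "accept"
    AVOID = "avoid"


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                      # assumed scale: 1 (negligible) .. 5 (severe)
    critical_asset: bool = False     # needed to keep operating during a disruption
    treatment: Optional[Treatment] = None   # None means no decision recorded yet

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self):
        return self.likelihood * self.impact


def prioritize(risks, tolerance):
    """Risks whose score exceeds tolerance, highest score first.

    Ties go to critical assets; remaining ties keep register order.
    """
    over = [r for r in risks if r.score > tolerance]
    return sorted(over, key=lambda r: (-r.score, not r.critical_asset))


def needs_decision(risks, tolerance):
    """Over-tolerance risks with no treatment, or merely 'accepted'.

    Accepting a risk above the stated tolerance contradicts that tolerance,
    so it is surfaced for explicit sign-off instead of passing silently.
    """
    return [r for r in prioritize(risks, tolerance)
            if r.treatment in (None, Treatment.ACCEPT)]


# Constructed register for illustration only.
REGISTER = [
    Risk("HR database", "unpatched server vulnerability", 4, 5, True, Treatment.MITIGATE),
    Risk("Employee laptops", "lost or unencrypted device", 3, 4),
    Risk("SaaS CRM", "compromised credentials", 4, 4, True),
    Risk("Public website", "denial of service", 2, 3, False, Treatment.ACCEPT),
    Risk("Payment processing", "third-party outage", 3, 4, True, Treatment.TRANSFER),
    Risk("Legacy file server", "missing patches", 4, 3, False, Treatment.ACCEPT),
]
TOLERANCE = 9  # assumed organizational risk tolerance on the 1..25 scale

if __name__ == "__main__":
    for r in prioritize(REGISTER, TOLERANCE):
        plan = r.treatment.value if r.treatment else "NO DECISION"
        print(f"{r.score:>2}  {r.asset}: {r.threat} -> {plan}")
```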
Now, with a full understanding of your assets, their roles, vulnerabilities, and risks, it’s time to develop plans to respond to and recover from any potential information security issues. This may include choosing to implement an information security management framework or specific controls that align with your organization’s needs and requirements.
Once you’ve developed those plans and chosen your frameworks and controls, now is the time to implement them. Since by now you should have a clear understanding of your critical assets and functions, you may find it beneficial to begin with those and then prioritize other control implementations for later. This is a great way to mature your program over time.
You may also find it beneficial at this stage to evaluate your current information security profile. For example, how is your information security program performing at this time related to all of your compliance, regulatory, and other obligations and goals? Are there areas where you’re falling short? Are these deficiencies you must correct now or are they longer-term goals you can focus on later?
After establishing your current information security profile, evaluate it against your target profile—where you want to be. You can use the information you discover from your target profile evaluation to make plans to mature your information security program over time.
With an understanding of your current profile, next you’ll need to test your information security controls to ensure they’re working as designed and fix issues as you uncover them. This can help you be a step ahead of attackers and possibly prevent a breach or real-world exploitation.
This is also a good time to establish employee education and training processes. The key to your education program success is to inspire, empower, and reinforce that information security is everyone’s responsibility within your organization.
While these are great steps to get started with information security, it’s never set-it-and-forget-it. Since your environment and threat landscape will continuously change, you should approach your information security program as a continuous cycle. How effective is it? Where do you need improvements? Conducting internal audits may help keep you on top of your game for information security defense strategies.
What is an information security management system?
An information security management system is also known as an ISMS. An ISMS refers to all of your plans, policies, and processes that can empower your organization to detect, respond to, and recover from a data security issue.
ISO 27001, for example, is an internationally recognized set of best practices to help manage information security. There are more than 12 standards outlined in the ISO 27000 family. These standards can help your organization better manage all of your information security needs.
ISO 27001 covers six important areas for information security: leadership, planning, support, operation, performance evaluation, and improvement.
If your organization chooses to become ISO 27001 compliant, there are certain requirements you must meet in each of those six areas. Certification is not mandatory, but some industries require it.
Even if you’re not required to be ISO 27001 compliant, you may find it beneficial to adopt ISO 27001 best practices to help improve your information security practices.
What is an information security policy and what does it do?
An information security policy establishes how your organization should address all of your assets to discover weaknesses and make plans to protect them. Many organizations develop an information security policy, which is often approved by executives and key stakeholders, to ensure they’re protecting the confidentiality, integrity, and availability of their sensitive data.
While you can adapt your policy to reflect your organization’s specific needs, there are a couple of key areas you should consider including in your information security policy: program objectives, scope, goals, and responsibilities.
Is there an information security framework?
Yes. There are a number of frameworks your organization can use to develop an information security program. Here are some you may find helpful:
- Federal Information Security Modernization Act (FISMA)
- General Data Protection Regulation (GDPR)
- ISO 27000
- NIST 800-53
- NIST 800-171
- NIST Cybersecurity Framework
How much does a security breach cost?
Security breaches are expensive. According to IBM’s Cost of a Data Breach Report 2021, the average cost of a data breach is more than $4.2 million, which is a 10% increase from the previous year. Interestingly, in reflection of the pandemic, we’re seeing that remote work caused by the coronavirus outbreak increased the average cost of a data breach by more than $1 million compared with environments where remote work wasn’t a factor.
For 11 years straight, healthcare led the report as the leading industry for highest average data breach cost, exceeding $9 million.
The report cites a $180 per record cost for PII, which was included in nearly half—almost 44%—of all breaches.
In 2021, the most common initial attack vector was compromised credentials, followed by phishing and cloud misconfigurations. Other attack vectors included malicious insiders, vulnerabilities in third-party software, physical security compromises, accidental data loss/lost device, social engineering, system errors, and business email compromise.
But data breaches aren’t just expensive in terms of response and remediation. There can also be extensive fines and penalties from compliance organizations, as well as civil and criminal issues that must be addressed. Further, there’s great risk for brand and reputational damage that must be factored in as well.
There is good news, however. Every breach doesn’t have to lead to huge expenses or catastrophic impact. That’s why information security best practices are so valuable to your organization. They enable you to predict, plan for, and respond to security issues with a goal of minimizing impact and longevity.
What is a SOC?
A SOC is a security operations center. Many organizations use a SOC as a centralized place to manage the people, processes, and technologies related to information security. Some organizations have on-site SOCs. Some choose to work with outside agencies who handle these operations for them in a cloud model. Others like working with a hybrid SOC model, which incorporates elements of an on-site operations center with some cloud-based components. Think of a SOC as an incident command post, a place that has comprehensive insight across your organization, where ongoing, automatic monitoring happens, and from where alerts can be sent if a security issue arises.
What is social engineering?
While many people think of information security in terms of data and technologies, remember, people can be an information security risk, too. Social engineering is a common attack vector. During a social engineering scheme, an attacker will attempt to manipulate an individual (sometimes by email, sometimes over the phone, or through other means such as text messages or social media, or even in person) into disclosing credentials or other confidential information. It’s all about believability and building trust. That’s why educating your entire organization about information security, threats, and their roles and responsibilities is paramount for success.
What is ransomware?
Ransomware is a form of malware. It’s an increasingly common attack vector where attackers deploy malicious software with a goal of blocking access to a system until payment is received to remove the block or unencrypt encrypted data. Oftentimes, ransomware attackers will (and/or threaten to) destroy, damage, or make public sensitive data, all while locking organizations out of systems. Even if an organization chooses to pay a ransom, it does not mean the decryption will work or that data will not be damaged or deleted.
What is phishing?
Phishing is a form of social engineering where attackers attempt to get a user to open an email or message, download a malicious file, click on a malicious link, or visit an infected website to obtain sensitive data and/or deploy malware and infect devices.
What are some infosec best practices?
There are a number of information security best practices your organization should consider. For a deeper dive, consider looking into ISO 27001 for control recommendations and certification help. From a higher-level perspective, a good rule of measure includes encouraging your employees to:
- Always be aware of their surroundings and never discuss confidential information in public spaces
- Always be aware of where their devices are
- Use strong passwords and multi-factor authentication
- Encrypt data
- Limit data access based on roles and responsibilities
- Never open emails or download attachments from people they don’t know
- Use a VPN and refrain from using open Wi-Fi connections
- Contact your information security team if they suspect a potential attack or breach
What are some examples of data that should be considered confidential?
In general, you should treat these types of information as confidential: information about customers and workers, internal documents, financial records, research and development and any other areas that may give your organization a competitive edge in the marketplace.
Is a lost laptop or other device like a smartphone or tablet considered an information security breach?
Yes, but how serious that breach may be depends on a range of circumstances, including the type and volume of data stored on the device, encryption, as well as access that can be gained to sensitive data and systems through the device. Be sure to immediately report a lost or compromised device to your IT team or manager as soon as possible.