Information security is emerging as one of the top priorities for business to support growth aspirations, create new online and mobile channels and move to the cloud. As the internet of people becomes the internet of connected devices, ranging from desktops and mobile devices to consumer electronics, businesses on the internet will continue to face cybersecurity threats.
As well as their financial impact, security breaches erode your customers’ confidence in your product or services.
While it’s a specialist area requiring skilled help, the core principles of information security are useful to know because they help us make sense of constantly evolving security threats and technologies. Too often we focus on the technologies, not knowing why they are being applied.
There are five core concepts that make information trustworthy and valuable. These principles have been applied throughout history. Since the early days of communication, military commanders understood that it was necessary to protect information and detect breaches.
Here’s a look at the five key concepts with examples spanning military battles and modern day cyberattacks.
Confidentiality means preventing private information being disclosed to unauthorised individuals or systems.
In a battle, an order may contain sensitive information which must be kept secret from the enemy. During World War II, British cryptologists decrypted a vast number of messages enciphered on German Enigma machines, with the intelligence gleaned a substantial aid to the Allied war effort.
Encryption is widely used in ICT today to protect confidentiality. For example, a credit card transaction requires the card number to be encrypted and transmitted from the buyer to the merchant and then on to a transaction processing network with permission to access the encrypted file. If an unauthorised party decrypts the message and obtains the card number or password, a breach of confidentiality has occurred.
Integrity means maintaining the accuracy and consistency of information. Integrity is violated when a message is actively modified in transit in an unauthorised manner. For example, tampering with evidence in a court trial would compromise its integrity.
In combat, an attack on integrity might alter the order, or merely cast doubt on whether the battle order is genuine. Today, information security systems and algorithms, such as MD5 hashing, are designed to ensure file consistency and message integrity.
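As an added illustration, not code from the original article, the following Go program shows why an unkeyed digest alone does not stop active modification: whoever rewrites the message can recompute the digest, whereas an HMAC tag cannot be recomputed without the shared key. SHA-256 stands in for MD5 because MD5 collisions are practical today; the key and the orders are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Digest is the unkeyed integrity check the article describes; SHA-256 stands in
// for MD5, whose collision resistance is broken. It catches accidental corruption,
// but an attacker who rewrites the message can simply recompute it.
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Tag is a keyed check (HMAC-SHA256): without the shared key an attacker cannot
// produce a tag that matches a modified message.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyDigest and VerifyTag report whether the received message still matches
// the check value that travelled with it. hmac.Equal compares in constant time.
func VerifyDigest(msg, digest []byte) bool { return bytes.Equal(Digest(msg), digest) }
func VerifyTag(key, msg, tag []byte) bool   { return hmac.Equal(Tag(key, msg), tag) }

func main() {
	key := []byte("constructed-shared-key") // constructed for the example
	order := []byte("ATTACK AT DAWN")
	digest, tag := Digest(order), Tag(key, order)
	forged := []byte("RETREAT AT DAWN") // the order as modified in transit

	// A corrupted or altered order no longer matches the original digest ...
	fmt.Println("digest matches forgery:", VerifyDigest(forged, digest)) // false
	// ... but an active attacker recomputes the unkeyed digest, so the check passes.
	fmt.Println("recomputed digest matches forgery:", VerifyDigest(forged, Digest(forged))) // true
	// The keyed tag cannot be recomputed without the key, so the forgery is detected.
	fmt.Println("tag matches forgery:", VerifyTag(key, forged, tag)) // false
	fmt.Println("tag matches original:", VerifyTag(key, order, tag)) // true
}
```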
Availability simply means the information is available when needed. That means that the systems used to store and process the information, the security controls used to protect it and the communication channels used to access it must be functioning correctly.
In warfare, if the enemy could not intercept and decrypt the information (confidentiality) or corrupt it (integrity), then preventing timely access to it would be just as effective.
A common example is a Distributed Denial of Service (DDoS) attack against a website, which floods the target system with incoming messages and forces it to shut down. Even without compromising or accessing any sensitive information, denying access to legitimate users can cause significant business loss and reputational damage.
Authenticity means that the parties in a transaction are who they say they are. An analogy would be pretending to be the courier carrying the battle order. Fake radio transmissions from Japanese aircraft carriers prior to the Battle of Pearl Harbor were made from Japanese local waters, while the attacking ships moved under strict radio silence.
A modern day example is email spoofing, where messages with a forged sender address, such as spam and phishing emails, mislead the recipient about the origin of the message to market an unsolicited service or, worse, send malicious content.
Security systems include authentication features, such as digital signatures, to prove that the message data is genuine and was sent by someone possessing the proper signing key.
Non-repudiation means preventing a party from denying an action in order to escape its obligations. One party to a transaction cannot deny having received it, nor can the other party deny having sent it.
Non-repudiation is a legal concept. Technologies implementing non-repudiation also include authentication. However, not all authentication protocols provide non-repudiation (in fact, some authentication protocols are deliberately designed to allow deniability).
An example of repudiation would be a shopping website disputing that it has received payment from a customer for an online purchase.
Digital signatures using private keys are used to authenticate the sender of electronic messages as well as deliver non-repudiation.
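The following Go program is an added example, not part of the original article, contrasting the two mechanisms the text distinguishes: an Ed25519 signature, which only the holder of the private key can produce and which anyone with the public key can check (authenticity plus non-repudiation), and an HMAC, which either holder of the shared key could have produced (authenticity to the receiver, but deniable). The key seeds, the shared key and the receipt text are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// VerifySignature needs only the signer's public key, so a third party such
// as a court can check it without being able to forge it: non-repudiation.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// MAC is the deniable alternative: sender and receiver share the key, so the
// receiver is convinced the message is authentic but cannot prove that to
// anyone else, because the receiver could have produced the same tag.
func MAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// ReceiverCanForgeMAC shows the receiver reproducing the sender's tag exactly.
func ReceiverCanForgeMAC(key, msg []byte) bool {
	return hmac.Equal(MAC(key, msg), MAC(key, msg))
}

// keyFromByte derives a fixed, constructed key for a reproducible demo;
// real keys are generated with ed25519.GenerateKey(rand.Reader).
func keyFromByte(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}

func main() {
	shop, stranger := keyFromByte(1), keyFromByte(2)
	pub := shop.Public().(ed25519.PublicKey)
	receipt := []byte("payment of 49.99 received for order 1234") // constructed
	sig := ed25519.Sign(shop, receipt)
	fmt.Println("genuine receipt verifies:   ", VerifySignature(pub, receipt, sig))                           // true
	fmt.Println("altered receipt verifies:   ", VerifySignature(pub, []byte("payment of 9.99 received"), sig)) // false
	fmt.Println("stranger's signature passes:", VerifySignature(pub, receipt, ed25519.Sign(stranger, receipt))) // false
	fmt.Println("receiver can forge MAC tag: ", ReceiverCanForgeMAC([]byte("shared-key"), receipt))             // true
}
```

Because the shop cannot later claim the customer forged the signed receipt, the signature settles the dispute in the example above; the HMAC tag would not.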
How to take control
It’s important to remember that attacks often target many of these concepts, so security technologies and techniques are combined as countermeasures.
So the next time you hear about access permissions and encryption, message integrity checks, denial of service protection and digital signatures, you’ll know exactly what they are protecting.
We welcome the chance to discuss your company’s security profile. Simply make an appointment for a call today.