
Guiding principles in information security

April 20, 2018, by Ivan Dimov

The core requirement of information security for the safe use, flow and storage of information is the CIA triad. CIA stands for confidentiality, integrity and availability, which are the three main objectives of information security.

Below is an illustration of the CIA triad together with the four layers of information security. These four layers represent the way systems communicate and how information flows among them. The concept of layers reflects the fact that data communications and computer network protocols are designed to function in a layered manner, passing data from one layer to the next.


Figure 1: the CIA triad at the center, surrounded by the four layers of information security (image not reproduced here)

  • The Application Access Layer describes the notion that access to end-user applications has to be constrained to business need-to-know.
  • The Infrastructure Access Layer describes the notion that access to infrastructure components (servers, for instance) has to be constrained to business need-to-know.
  • The Physical Access Layer describes the notion that physical access to any system, server, computer, data center or other physical object storing confidential information has to be constrained to business need-to-know.
  • The Data In Motion Layer describes the notion that data has to be secured while it is in transit.
  • The small icon in the middle of the illustration marks the center of information security and the reason the CIA principles exist: it represents the information itself and the need to protect it when it is sensitive.

Confidentiality

The aim of confidentiality is to ensure that information is hidden from people who are not authorized to access it. The confidentiality principle dictates that information should be viewed only by people with the appropriate privileges. The science (and art) used to keep data confidential is cryptography, which involves encryption and decryption; access control, discussed below, is the other indispensable tool.

Confidentiality can be breached easily, so each employee in an organization or company should be aware of their responsibility to maintain the confidentiality of the information entrusted to them for the exercise of their duties. For instance, an employee who lets someone glimpse their screen while confidential information is displayed on it may already have caused a breach of confidentiality.

Furthermore, confidentiality and privacy are often used interchangeably, although they are not the same thing: confidentiality is a property of the information (only authorized parties can read it), whereas privacy concerns an individual's control over their personal data.

Below, we discuss cryptography and effective ways of protecting confidentiality, and we include some tips on confidentiality agreements.

  • Cryptography

The beginnings of cryptography can be traced back thousands of years. However, contemporary cryptography differs substantially from classic cryptography, which used pen and paper and was far less complex. The invention of the Enigma rotor machine and the subsequent emergence of electronics and computing enabled much more elaborate schemes and allowed confidentiality to be protected far more effectively.

Contemporary cryptography (as used by the SSL/TLS protocol) is explained plainly in the following link: /cryptography-101-with-ssl/.

Encryption is an accepted and effective way of protecting data in transit, and it is increasingly being used for protecting data at rest as well. The Computer Security Institute published the results of a survey in 2007 which showed that 71% of businesses used encryption for some data in transit while 53% used encryption for selected data at rest. Furthermore, there are different techniques for preserving confidentiality depending on whether the data is in motion, at rest or a physical object. Naturally, access controls are also a necessity for maintaining confidentiality. Access controls can consist of passwords, physical tokens, biometrics, or a combination of these. As for physical data, the means of protection are somewhat similar: access to the area where the information is kept may be granted only with the proper badge or another form of authorization, the documents can be physically locked in a safe or a filing cabinet, and there may be access controls, cameras, security guards and so on.

Encryption consists of transforming readable data into unreadable ciphertext that can be turned back into the original only by whoever holds the key needed to decrypt it.

In manual encryption, the user runs the encryption software and initiates the encryption of a file or drive. In transparent encryption (full-disk encryption, for example), encryption and decryption happen automatically, without any intervention on the part of the user.

Symmetric encryption uses a single secret key: the same key that encrypts the data is the only means of decrypting it, so that key must be shared securely with every party that needs the plaintext and kept from everyone else. Conversely, asymmetric encryption uses two keys, a public key and a private key. Anyone may encrypt information with the public key, but it can only be decrypted by the holder of the private key. Symmetric ciphers are much faster, so in practice they encrypt the bulk of the data while an asymmetric scheme is used to exchange the symmetric key.
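To make the difference concrete, here is an added example (not part of the original article) in Go, using only the standard library: AES-256-GCM as the symmetric scheme and RSA-OAEP as the asymmetric one. The plaintext and the key pairs are constructed on the spot; the checks at the end show what the text implies, namely that a wrong key, a tampered ciphertext, or someone else's private key all fail to recover the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Symmetric scheme (AES-256-GCM): one key both encrypts and decrypts, and the
// authentication tag makes any alteration of the ciphertext detectable.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; not secret, sent with the data
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func symmetricDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil) // fails on a wrong key or any modified bit
}

// Asymmetric scheme (RSA-OAEP): anyone with the public key can encrypt, only
// the holder of the matching private key can decrypt.
func asymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func asymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// roundTrips exercises both schemes and the failure cases worth checking: a
// wrong symmetric key, a tampered ciphertext, and decryption with a private key
// other than the recipient's. It returns nil only when every check holds.
func roundTrips() error {
	msg := []byte("constructed sample: the Q3 forecast is confidential")
	key := make([]byte, 32) // 256-bit key shared by sender and receiver
	rand.Read(key)
	ct, err := symmetricEncrypt(key, msg)
	if err != nil {
		return err
	}
	if pt, err := symmetricDecrypt(key, ct); err != nil || !bytes.Equal(pt, msg) {
		return fmt.Errorf("symmetric round trip failed: %v", err)
	}
	wrongKey := make([]byte, 32)
	rand.Read(wrongKey)
	if _, err := symmetricDecrypt(wrongKey, ct); err == nil {
		return errors.New("wrong key was accepted")
	}
	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := symmetricDecrypt(key, tampered); err == nil {
		return errors.New("tampering went undetected")
	}
	recipient, err1 := rsa.GenerateKey(rand.Reader, 2048)
	bystander, err2 := rsa.GenerateKey(rand.Reader, 2048) // a second, unrelated key pair
	if err1 != nil || err2 != nil {
		return errors.New("RSA key generation failed")
	}
	ct2, err := asymmetricEncrypt(&recipient.PublicKey, msg)
	if err != nil {
		return err
	}
	if pt, err := asymmetricDecrypt(recipient, ct2); err != nil || !bytes.Equal(pt, msg) {
		return fmt.Errorf("asymmetric round trip failed: %v", err)
	}
	if _, err := asymmetricDecrypt(bystander, ct2); err == nil {
		return errors.New("a different private key decrypted the message")
	}
	return nil
}

func main() {
	fmt.Println("all symmetric and asymmetric checks passed:", roundTrips() == nil)
}
```

GCM is used rather than a bare block cipher because confidentiality alone is not enough for data in transit: without the authentication tag an attacker can flip bits undetected, which is why the tamper check above is part of the round trip.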

  • How to protect confidential information properly

1. Encryption

If you encrypt your data, it will be unreadable to any third party who gets hold of it. You can encrypt your hard drive with Microsoft's BitLocker if you are using the Ultimate or Enterprise edition of Windows 7 or Vista, the Pro or Enterprise edition of Windows 8, or the Pro, Enterprise or Education edition of Windows 10 and later. To do so, enable BitLocker in Control Panel > System and Security > BitLocker Drive Encryption; running manage-bde -status from an administrative command prompt shows which volumes are actually protected. Alternatively, you can use a free tool such as VeraCrypt or DiskCryptor (TrueCrypt, often recommended in older guides, was discontinued in 2014 and should no longer be used). You can also encrypt any external or USB drive. Keep in mind that disk encryption protects data at rest only: once the machine is booted and unlocked it offers no protection against malware or a user who is already logged in, and the recovery key must itself be stored somewhere safe (see point 4 below).

2. Two-factor authentication

Requiring two-factor authentication increases the safety of confidential data and decreases the probability of a leak. With two-factor authentication you can access the information only if you have both something you possess (such as a smart card or a one-time-code generator on your phone) and something you know (such as a password or PIN). The two factors must be of different kinds: a password plus a second password is not two-factor authentication, whereas a code read from a card or an app plus a memorized password is.

The password must not be written down, since a written-down secret can be stolen, and it should be at least 10 characters long, preferably 12 or more, mixing lowercase and uppercase letters, numbers and symbols. Note that current guidance (NIST SP 800-63B) values length and screening against lists of known breached passwords above mandatory composition rules, so the mixture requirement should never be an excuse for a shorter password.

3. Encrypt your interactions

You would not want your communications intercepted and confidential data in motion leaked to third parties. Firstly, configure your instant messenger and, wherever possible, any other communication software to use TLS (SSL, its predecessor, is obsolete and should be disabled), and make sure the client actually verifies the server's certificate rather than accepting whatever certificate is presented to it. Secondly, disable logging of past conversations and remove any logs that contain confidential information. Thirdly, encrypt your internet traffic, as it can be intercepted: when using an unsecured Wi-Fi network, create an encrypted tunnel to a trusted server (a VPN) and send everything through it. In short, do not send confidential information without proper encryption.
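Configuring a client "to use TLS" is only half of it; the client also has to verify whom it is talking to. The following Go program, an added example rather than anything from the article, runs a TLS session between a client and a server joined by an in-memory pipe, using only the standard library. The host name chat.example.internal, the self-signed certificate and the message are all constructed for the demo: a client that trusts that certificate gets its message through, while a client with an empty trust store is refused at the handshake, which is the behaviour you want instead of the common "skip verification" shortcut.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a throwaway server certificate for the made-up name
// chat.example.internal (an assumption of this demo, not a real host).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "chat.example.internal"},
		DNSNames:     []string{"chat.example.internal"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// sendOverTLS runs one TLS session between a client and a server joined by an
// in-memory pipe (no sockets) and returns the plaintext the server received.
func sendOverTLS(serverCert tls.Certificate, clientCfg *tls.Config, msg string) (string, error) {
	srvEnd, cliEnd := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // never hang if something goes wrong
	srvEnd.SetDeadline(deadline)
	cliEnd.SetDeadline(deadline)
	srv := tls.Server(srvEnd, &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		MinVersion:   tls.VersionTLS12,
	})
	cli := tls.Client(cliEnd, clientCfg)
	type result struct {
		data []byte
		err  error
	}
	done := make(chan result, 1)
	go func() {
		defer srv.Close()
		data, err := io.ReadAll(srv) // the handshake runs on the first Read
		done <- result{data, err}
	}()
	_, err := cli.Write([]byte(msg)) // the handshake, including certificate checks, runs here
	cli.Close()
	r := <-done
	if err != nil {
		return "", err
	}
	return string(r.data), r.err
}

// demo sends a message over a verified connection, then shows that a client
// with an empty trust store is refused instead of talking to an unverified peer.
func demo() (received string, untrustedRejected bool, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf) // the client trusts exactly the certificate it expects
	trusting := &tls.Config{RootCAs: pool, ServerName: "chat.example.internal", MinVersion: tls.VersionTLS12}
	received, err = sendOverTLS(cert, trusting, "constructed sample: meeting moved to 15:00")
	if err != nil {
		return "", false, err
	}
	distrusting := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "chat.example.internal", MinVersion: tls.VersionTLS12}
	_, err = sendOverTLS(cert, distrusting, "must never be delivered")
	return received, err != nil, nil
}

func main() {
	received, rejected, err := demo()
	fmt.Printf("received=%q untrusted client rejected=%v err=%v\n", received, rejected, err)
}
```

The point of the second connection is that the failure happens before any application data is sent: the client never writes its message to a server it could not verify. In production the trust store is the system CA bundle or an organization's own CA rather than one pinned certificate, and InsecureSkipVerify stays false.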

4. Safeguard your keys

Remember that access to the keys often equals access to the information. Keep a backup copy of the keys (or the recovery key) in a separate, safe place, because the information is lost, or cannot be reached in time, if the first set of keys is lost or stolen. At the same time, a second copy doubles what an attacker can steal, so it must be protected at least as well as the first.

5. Backup your information and make sure the backup is safe and protected

The backed-up information should remain accessible to you but be encrypted and stored in a secure place; a backup that anyone who finds it can read is simply a second copy waiting to be breached.

Note that the average total cost per business that reported a data breach in 2011 was 5.5 million dollars. Thus, not only does confidentiality have a central role in avoiding data breaches, it can also save a company millions of dollars.

  • Drafting a confidentiality agreement that effectively protects confidential data

Business contracts often have confidentiality clauses, which are inserted to protect information the parties deem proprietary and sensitive from disclosure to unauthorized third parties. These clauses usually state what is deemed confidential information and what is not. Typically, the provisions that enumerate what the parties consider confidential vary widely depending on the parties' type of business, whereas there is, to some extent, a common standpoint on what is defined as non-confidential information.

A standard clause extracted from a non-disclosure agreement of Microsoft goes like this: "'Confidential Information' means nonpublic information that Microsoft designates as being confidential or which, under the circumstances surrounding disclosure ought to be treated as confidential by Recipient". It is worth mentioning that it is much more desirable to list the types of information that are to be considered confidential and, in this way, create a narrow and unambiguous clause. Mary Hanson, a California business lawyer, asserts that "Trying to cover too much information by defining the confidential information as 'all business information' may backfire. It is important to try to identify particular information, without giving out valuable information." Accordingly, the confidential information covered by the agreement must be defined precisely enough to make the agreement enforceable in court, without any particular sensitive information being disclosed in it.

The definition of confidential information can be narrowed down to (1) marked information, (2) written information, (3) information disclosed during a particular period of time and (4) particular categories of information.

However, a breach of confidentiality can occur even without a signed confidentiality provision or agreement. In the US, employees and other parties to a business contract are required to keep confidential any secret information disclosed to them by the other party, and breaches of confidentiality may be sanctioned by the courts. The courts will ask the following questions, which, if all answered affirmatively, will result in compensation for the injured party:

  • Whether the information was confidential by its nature
  • Whether the information was disclosed in circumstances which show that it was confidential
  • Whether the party who received the information misused it

It has to be noted that although the law implies a duty of confidentiality, its scope, nature and obligations are indeterminate and subject to judicial determination.

Statistics and discussion regarding data breaches (failures to attain the objectives of information security and to comply with the CIA principles).

Frequent ways in which confidential data leaks are listed below, to show what problems may occur when handling such information (the list is in no particular order):

  1. Theft (of a laptop, computer, paper documents, etc.; a physical security failure)
  2. Improper disposal (paper must be shredded and storage media wiped or destroyed)
  3. Unauthorized access or disclosure (weak access controls or authentication, lack of understanding of confidentiality agreements, negligence, etc.)
  4. Loss (negligence, etc.)
  5. Hacking or other IT incident (most often an Internet security failure)

In 2011, negligence was the cause of 39% of all reported data breaches, while malicious attacks (defined as a mixture of hacking and insider theft) accounted for 37%; in more than a quarter of those malicious attacks the cause was hacking. On a global scale, 232.4 million identities were exposed in 2011. Deliberate breaches chiefly aimed at gathering customer-related information, as it can be used in various fraud schemes. Businesses in the computer software, IT and healthcare sectors accounted for 93% of the total number of stolen identities in 2011. Loss or theft was the most recurrent cause in all sectors and accounted for 34.3% of exposed identities. The attacks were mostly undertaken because the criminals saw them as easy to carry out: 79% of the victims were targets of opportunity and 96% of the attacks were not very difficult. Of all laptops stolen, only 30% were encrypted and merely 10% had any other anti-theft technology.

Concerning insider theft of intellectual property, statistics show that it is usually carried out by men in positions such as scientist, manager or programmer, within a month of leaving the company they steal from. Often they have started their own business or begun working for another; only 20% steal the information because an outsider who wants it has recruited them. 75% of the perpetrators stole material to which they had been granted access in the course of their employment, and trade secrets were taken in 52% of the thefts. Furthermore, most insider thieves of intellectual property were caught by non-technical staff members.

It can be concluded that data breaches are a frequently occurring phenomenon, and that not only CISOs and other personnel in charge of information security ought to take measures to attain the objectives of InfoSec, but non-technical staff should also be aware of the risks and be educated in maintaining the CIA principles in the course of their employment. This is because most criminals and cyber-criminals attack because they see easy prey in targets whose security is loose. Staff at all levels of the organization's hierarchy should take measures to prevent theft and loss and take reasonable measures to protect the confidential information they have been granted access to for the fulfillment of their duties.

  • Top five methods for abiding by the CIA principles.

The illustration referred to here (not reproduced) shows the top five layers of protection that information security offers for attaining the goals laid out in the CIA triad. It is presented in order to reveal the most commonly used ways of safeguarding the CIA principles and defending a system from a potential data breach.

  • The core of the chart is the CIA principles.
  • Firewalls can be hardware-based or software-based. A firewall is a device or program designed to block unsolicited connections, unwanted protocols and network activity, and other malicious requests while you are connected to a third-party network (usually the Internet). A packet-filtering firewall examines the header of each packet (addresses, protocol, ports) and decides whether the packet should be forwarded or dropped; a stateful firewall additionally tracks connections, so that only replies to traffic the inside initiated are let back in. Firewalls serve as an intermediary between your computer and the Internet connection. Thus, they can block connections their user did not wish to make, filter out bad data and prevent outside attempts to gain control of or access to your machine. They have a set of predefined rules, evaluated in order, that allow, deny or drop connections, with anything not explicitly allowed being dropped; as such their function is that of a filtering gateway.
  • A proxy server can regulate what the external world sees of the network; this is a type of protection that provides a "smoke screen" on the network. It can disguise the real network and expose only a minimal connection to the Internet.
  • Routers, another piece of hardware, can regulate access to the network; just like firewalls, they may have access lists that allow or deny access into the network. Their primary job, however, is to route IP packets between networks.
  • Network controls are implemented at the local level; they involve authentication, such as logins and passwords.
  • Software controls are programs that prevent malware from getting onto machines (anti-malware and endpoint protection). Should malware infect the system, software controls are in charge of removing the infection and returning the system to its pre-infection state. Unlike firewalls, software controls can remove existing malware that has already affected the machine, whereas firewalls cannot deal with malware already loaded on your computer.
  • Encryption has already been discussed above (Cryptography).
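The rule matching described in the firewall bullet above can be shown in a few lines. The following Go program is an added example (not from the article) of a stateless packet filter: rules are checked in order, the first match decides, and anything that matches nothing is dropped. The policy and the packets are constructed samples built from the documentation address ranges; the second packet shows why rule order is part of the policy.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet carries the header fields a stateless packet filter inspects.
type Packet struct {
	Proto   string // "tcp" or "udp"
	Src     netip.Addr
	Dst     netip.Addr
	DstPort uint16
}

// Rule is one line of the ruleset; an empty Proto or a zero DstPort matches anything.
type Rule struct {
	Action  string // "allow" or "drop"
	Proto   string
	Src     netip.Prefix
	DstPort uint16
}

func (r Rule) matches(p Packet) bool {
	return (r.Proto == "" || r.Proto == p.Proto) &&
		r.Src.Contains(p.Src) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// decide applies the first matching rule in order; a packet that matches no
// rule is dropped (default deny), so the order of the rules is part of the policy.
func decide(rules []Rule, p Packet) string {
	for _, r := range rules {
		if r.matches(p) {
			return r.Action
		}
	}
	return "drop"
}

// policy is a constructed sample: block one abusive source range first, then
// allow HTTPS from anywhere and SSH only from the internal network.
var policy = []Rule{
	{Action: "drop", Src: netip.MustParsePrefix("203.0.113.0/24")},
	{Action: "allow", Proto: "tcp", Src: netip.MustParsePrefix("0.0.0.0/0"), DstPort: 443},
	{Action: "allow", Proto: "tcp", Src: netip.MustParsePrefix("10.0.0.0/8"), DstPort: 22},
}

func main() {
	server := netip.MustParseAddr("10.0.5.20")
	for _, p := range []Packet{
		{"tcp", netip.MustParseAddr("198.51.100.9"), server, 443},
		{"tcp", netip.MustParseAddr("203.0.113.7"), server, 443}, // blocked despite the HTTPS rule
		{"tcp", netip.MustParseAddr("198.51.100.9"), server, 22}, // SSH from outside: no rule, dropped
		{"tcp", netip.MustParseAddr("10.1.2.3"), server, 22},
		{"udp", netip.MustParseAddr("10.1.2.3"), server, 443}, // wrong protocol, dropped
	} {
		fmt.Printf("%s %s -> %s:%d  %s\n", p.Proto, p.Src, p.Dst, p.DstPort, decide(policy, p))
	}
}
```

Swapping the first two rules would let the blocked range reach port 443, which is the kind of mistake a rule review looks for; a stateful firewall adds a connection table on top of this so that return traffic for allowed outbound connections does not need its own rule.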

Below is an illustration (not reproduced here) of a firewall acting as an intermediary between the internal machine and the Internet.

Confidentiality of information is frequently a regulatory requirement and, as such, there is an obligation to implement measures to protect such information for companies or governmental bodies.

Conclusion

It can be concluded from the discussion above that fulfilling the CIA principles and meeting the goals of information security is not a task with a clear end but an open-ended one that continually changes with time, the development of technology, the available means of information security, and the emergence of new threats and vulnerabilities. Lasting efforts must be exerted to maintain the confidentiality, integrity and availability of information; it is not possible to take a few precautions and declare that the CIA triad is fulfilled and nothing more needs to be done.

Moreover, it can be deduced from the discussion that efforts ought to be exerted not only by information security professionals, but by employees and all holders of confidential information to safeguard the CIA principles.

In a nutshell, the discussion above affirms the centrality and the "objectives" status of the CIA principles in information security.


Ivan Dimov

Ivan is a student of IT and Information Security. He is currently working toward a Master's degree in the field of Informatics in Sweden. He is also a freelance web developer engaged in both front-end and back-end coding and a tech writer. Whenever he is not in front of an Internet-enabled device, he is probably reading a print book or traveling.