Elements of Information Security
Information security is the practice of protecting information by mitigating information risks. It is part of information risk management. It consists of five elements: confidentiality, integrity, availability, authenticity and non-repudiation.
The National Institute of Standards and Technology (NIST) defines confidentiality as “Preserving authorized restrictions on information access and disclosure while including means for protecting personal privacy and proprietary information”. We always want to make sure that our secret and sensitive data is secure. Confidentiality means that only authorized personnel can work with and see our infrastructure’s digital resources; unauthorized persons should have no access to the data at all. In general there are two states of data to protect: data in motion, as it moves across the network, and data at rest, when it sits on storage media (such as servers, local hard drives or the cloud). For data in motion, we need to encrypt the data before sending it over the network; another option, used alongside encryption, is a separate network for sensitive data. For data at rest, we can encrypt the storage media so that the data cannot be read if the drive is stolen.
NIST defines integrity as “Guarding against improper information modification or destruction, this includes ensuring information non-repudiation and authenticity”. We never want our sensitive and personal data to be modified or manipulated by unauthorized persons. Data integrity ensures that only authorized parties can modify data. NIST SP 800-56B defines data integrity as a property whereby data has not been altered in an unauthorized manner since it was created, transmitted, or stored. In that recommendation, the statement that a cryptographic algorithm “provides data integrity” means that the algorithm is used to detect unauthorized alterations.
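The two paragraphs above describe encrypting data at rest so that it cannot be read if the media is stolen, and using a cryptographic algorithm to detect unauthorized alteration. The following Go program is an added example (not code from the original page) that shows both properties at once with AES-256-GCM from the standard library: the ciphertext is unreadable without the key, and flipping a single bit of the stored blob makes decryption fail because the authentication tag no longer matches. The key, the sample record and the associated-data string are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext with AES-256-GCM under key. The random nonce is
// prepended to the ciphertext so the caller stores a single blob. The GCM
// tag covers the ciphertext and the associated data (aad), so any change to
// either is detected when the blob is opened.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. It returns an error when the key
// or aad is wrong, or when any bit of the stored blob was altered.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// TamperDetected flips one bit of a copy of the stored blob and reports
// whether Decrypt refuses it, i.e. whether the integrity check fires.
func TamperDetected(key, blob, aad []byte) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Decrypt(key, tampered, aad)
	return err != nil
}

func main() {
	// Constructed key for the demo; in production it comes from a KMS or HSM,
	// never from the same disk as the data it protects.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("SSN=123-45-6789;plan=gold") // constructed sample record
	aad := []byte("customer-record-v1")           // constructed context label

	blob, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) reveals nothing: %x...\n", len(blob), blob[:8])

	plain, err := Decrypt(key, blob, aad)
	fmt.Printf("authorized read: %q err=%v\n", plain, err)
	fmt.Println("bit flip detected:", TamperDetected(key, blob, aad))
}
```

Binding a context label through the associated data is the check a practitioner usually wants on top of plain encryption: a blob copied from one record or table into another fails to open, so integrity covers not only the bytes but where they belong.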
Availability means ensuring timely and reliable access to, and use of, information and the systems that hold it. If authorized personnel cannot access data because of a general network failure or a Denial-of-Service (DoS) attack, it is a critical problem from the business point of view, as it may result in loss of revenue or loss of important records.
We can use the term “CIA” to remember these basic yet most important security concepts.
Cyber Risk and Protection with Respect to CIA

| Element | Cyber risk | Protection |
|---|---|---|
| Confidentiality | Loss of privacy, unauthorized access to information, identity theft | Encryption, authentication, access control |
| Integrity | Information is no longer reliable or accurate; fraud | Maker/checker, quality assurance, audit logs |
| Availability | Business disruption, loss of customer confidence, loss of revenue | Business continuity plans and tests, backup storage, sufficient capacity |
Authentication is the process of verifying the credentials of users or devices before granting privileges or access to a system or network, and of enforcing the associated rules and policies. Authenticity, in turn, ensures that a piece of information is genuine and was originated by the user who claims to be its source. Authenticity is verified through the process of authentication.
Non-repudiation is one of the Information Assurance (IA) pillars. It provides proof of the transmission and receipt of information between sender and receiver, using techniques such as digital signatures and encryption. Non-repudiation is the assurance of a communication and its authenticity, so that the sender cannot deny having sent the message and the receiver cannot deny what she/he has received. Signatures, digital contracts, and email messages rely on non-repudiation techniques.
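The authenticity and non-repudiation paragraphs above turn on one distinction that is easy to miss: a shared-key MAC proves a message came from someone holding the key, but because the receiver holds the same key, the sender can still deny it; a digital signature, made with a private key only the sender holds and checked with the public key, is what lets a third party settle the dispute. This Go program is an added example, not part of the original page, using HMAC-SHA256 and Ed25519 from the standard library; the shared secret, key pair and messages are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// MACTag computes an HMAC-SHA256 tag over msg with a key shared by sender and
// receiver. It gives integrity and authenticity between the two parties, but
// not non-repudiation: the receiver could have produced the same tag.
func MACTag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// MACValid checks a tag in constant time.
func MACValid(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(MACTag(sharedKey, msg), tag)
}

// Sign produces an Ed25519 signature with the sender's private key. Only the
// holder of that key can produce it, so the sender cannot later deny signing.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify checks a signature with the sender's public key. A modified message
// or a signature made with a different key fails.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	msg := []byte("Transfer 500 EUR to account 42")      // constructed sample
	altered := []byte("Transfer 5000 EUR to account 42") // constructed sample

	// Digital signature: verifiable by anyone holding pub, forgeable by nobody
	// without priv, so it supports non-repudiation.
	sig := Sign(priv, msg)
	fmt.Println("signature on original message valid:", Verify(pub, msg, sig))
	fmt.Println("same signature on altered message valid:", Verify(pub, altered, sig))

	// Shared-key MAC: the receiver holds the same secret, so the receiver can
	// mint a valid tag for any message. Integrity yes, non-repudiation no.
	shared := []byte("constructed-shared-secret")
	tag := MACTag(shared, msg)
	fmt.Println("sender's tag on original valid:", MACValid(shared, msg, tag))
	receiverTag := MACTag(shared, altered) // receiver forges a tag for a new message
	fmt.Println("receiver-forged tag on altered valid:", MACValid(shared, altered, receiverTag))
}
```

Run as written, the two signature checks print true then false, and both MAC checks print true, which is the point: a valid tag on the altered message says nothing about who wrote it. For receipt proof in the other direction, the receiver signs an acknowledgement the same way.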
Securing our data is one of the most essential steps to ensure its safety. Our new Certified Ethical Hacker V11 is fully updated with cutting-edge technology solutions and the latest developments in the field, delivering a deep understanding of the applications of vulnerability analysis in a real-world environment.