
Information security intro

Information security is crucial for organizations, focusing on protecting data and optimizing systems to prevent breaches and losses, guided by the CIA triad: confidentiality, integrity, and availability. Key practices include enforcing access controls, maintaining data accuracy, and ensuring reliable access to information, supported by various authentication methods like passwords, two-factor authentication, and biometrics. Organizations must implement comprehensive security measures and user training to safeguard sensitive information effectively.

Uploaded by DA Drawcord

Information Security

Information security should be a top priority for all organizations. It involves protecting organizational data and optimizing information systems. The purpose of information security is to prevent confidentiality breaches, data losses, inappropriate data deletion and inaccurate data production. The three fundamental bases of information security are represented in the CIA triad: confidentiality, integrity and availability.

What is Confidentiality?

The principle of confidentiality involves restricting data access strictly to authorized personnel. Users have a responsibility to ensure they maintain secure access control systems, including both logical (e.g. PC passwords) and physical restrictions (e.g. ID cards). For this reason, it is important that all employees receive thorough training in information security awareness and best practices.

The importance of physical restrictions should not be underestimated. Door codes help to ensure your building remains secure. They should not be written down, and staff should be vigilant in ensuring no one is watching or recording them input codes. Similarly, many organizations insist that their employees wear ID badges; this makes it easier to identify non-employees within your workplace. ID badges should be worn at all times within the workplace but never outside of work. Wearing them outside of work enables criminals to quote your details (e.g. name, position and organization) in an attempt to gain access to your building. Areas containing particularly sensitive information can be protected by extra access restrictions, e.g. an additional door code.

Passwords are another basic, yet vital, means of protecting your information. A strong password is at least 8 characters long and contains upper and lower case letters, numbers and special symbols. Passwords should never be shared (even with your colleagues or IT providers) and should be changed immediately if discovered. Changing your password regularly gives hackers less time to guess it and stops them from using your account if they have already obtained your password. You should change your password at least once every 90 days.

Some information security basics to keep your data confidential are:

1. Encryption

2. Password

3. Two-factor authentication

4. Biometric verification

What is Integrity?

Upholding integrity means that measures are taken to ensure that data is kept accurate and up to date. The integrity of your data affects how trustworthy and conscientious your organization is. One of the eight Data Protection Principles (which are the foundations of the Data Protection Act 2018) is that data should be ‘kept accurate and up to date’. Users must make sure that they comply with their legal duties and fulfil this requirement. It can be useful to assign individuals specific roles and responsibilities regarding data integrity. This way employees cannot shelve the responsibility and expect someone else to pick up the slack.

Some security controls designed to maintain the integrity of information include:

1. Encryption

2. User access controls

3. Version control

4. Backup and recovery procedures

5. Error detection software
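The "error detection" control in the list above is easiest to see in code. The following is an added example, not part of the original document: it builds a manifest of SHA-256 fingerprints for a set of records and later checks the current copies against it, reporting anything modified, missing or unexpected. The record names and contents are constructed for the demonstration; the manifest itself has to be stored somewhere the records' writers cannot reach (or signed), otherwise whoever alters a record can update the manifest to match.

```python
import hashlib
import json
from typing import Dict


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of one record's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(records: Dict[str, bytes]) -> Dict[str, str]:
    """Map every record name to its fingerprint at the time of capture."""
    return {name: fingerprint(content) for name, content in sorted(records.items())}


def verify_manifest(manifest: Dict[str, str], records: Dict[str, bytes]) -> Dict[str, str]:
    """Compare current records with the manifest.

    Returns {name: "modified" | "missing" | "unexpected"} for each discrepancy;
    an empty dict means every record is exactly as it was when the manifest was built.
    """
    findings: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in records:
            findings[name] = "missing"
        elif fingerprint(records[name]) != expected:
            findings[name] = "modified"
    for name in records:
        if name not in manifest:
            findings[name] = "unexpected"
    return findings


# Constructed sample records (hypothetical file names and contents).
SAMPLE_RECORDS = {
    "customers.csv": b"id,name\n1,Ada\n2,Grace\n",
    "invoice_001.txt": b"Total: 120.00\n",
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS)
    print(json.dumps(manifest, indent=2))

    # Simulate a later check where one record was silently edited.
    later = dict(SAMPLE_RECORDS)
    later["invoice_001.txt"] = b"Total: 12.00\n"
    print(verify_manifest(manifest, later))  # {'invoice_001.txt': 'modified'}
```

Running the check on a schedule (or at restore time, against a backup) turns "keep data accurate" from a policy statement into something that is actually measured.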

What is Availability?

Availability means guaranteeing reliable access to information by authorized personnel. In order to be readily accessible, data must be stored in a logical yet secure system. High availability aids rapid business processing and ultimately benefits your organization. It is every user’s responsibility to file desktop documents in a way that makes them easy to locate in the future. Similarly, paper copies should be filed securely and not left lying around.
Copies should be made to ensure important information is not irreversibly lost. Certain storage methods are more vulnerable to loss and theft than others. Information on portable storage devices, such as USB drives, is particularly vulnerable. That’s why this information should be encrypted and backed up. Temporary displays (e.g. whiteboards and charts) are similarly vulnerable to prying eyes, and information recorded in this way should be transferred to a more permanent, confidential place at the earliest opportunity.

Data is often shared, not only within your organization, but also with individuals outside of your organization, such as customers, business partners and the general public. Emails are a quick and easy way of sharing data around the world, especially convenient when transferring big data sets. However, information sent over the internet can sometimes be intercepted and accessed by hackers, compromising confidentiality. Encrypting your information can make it harder for hackers to access, as without the decryption key the data will appear to be nonsense.

Information security measures for mitigating threats to data availability include:

1. Off-site backups

2. Disaster recovery

3. Redundancy

4. Failover

5. Proper monitoring

6. Environmental controls

7. Virtualization

8. Server clustering

9. Continuity of operations planning


Authentication Models of Information security

The goal of identity and access management is to ensure the right people have
the right access to the right resources and unauthorized users can't get in.
Authentication -- the process of determining users are who they claim to be -- is
one of the first steps in securing data, networks and applications.

The six authentication types below are described so that you can determine which best fit your organization's needs.

Why is user authentication important?

Requiring users to provide and prove their identity adds a layer of security
between adversaries and sensitive data. With authentication, IT teams can
employ the principle of least privilege to limit what employees can see. The
average employee, for example, doesn't need access to company financials, and
accounts payable doesn't need to touch developer projects.

When selecting an authentication type, companies must consider UX along with security. Some user authentication types are less secure than others, but too much friction during authentication can lead to poor employee practices.

6 user authentication types

Authentication methods include something users know, something users have and something users are. Not every authentication type is created equal to protect the network, however; these authentication methods range from offering basic protection to stronger security.

1. Password-based authentication

Also known as knowledge-based authentication, password-based authentication relies on a username and password or PIN. This is the most common authentication method; anyone who has logged in to a computer knows how to use a password.

Password-based authentication is the easiest authentication type for adversaries to abuse. People often reuse passwords and create guessable passwords with dictionary words and publicly available personal info. Further, employees need a password for every application and device they use, making them difficult to remember and leading employees to simplify passwords wherever possible. Companies should create password policies restricting password reuse. Password policies can also require users to change passwords regularly and require password complexity, such as meeting a certain length and using special characters.
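The policy described in the two password passages of this document (at least 8 characters, mixed case, digits and special symbols; no reuse) can be enforced at the point where a user sets a password. The code below is an added example, not from the original document: it reports which rules a candidate password breaks, stores passwords only as salted PBKDF2-HMAC-SHA256 hashes (so a stolen database does not hand over the passwords themselves), and checks reuse against the stored history without ever keeping old passwords in clear. The minimum length and iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

SPECIAL = set(string.punctuation)
PBKDF2_ROUNDS = 200_000  # assumed work factor; raise as hardware improves


def check_policy(password: str, min_length: int = 8) -> List[str]:
    """Return the list of policy rules the password violates (empty list = accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash; store (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def is_reused(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any previously stored (salt, digest) pair."""
    return any(verify_password(password, salt, digest) for salt, digest in history)


if __name__ == "__main__":
    history: List[Tuple[bytes, bytes]] = []
    for candidate in ["password", "Tr0ub4dor&3", "Tr0ub4dor&3"]:  # constructed inputs
        problems = check_policy(candidate)
        if problems:
            print(f"rejected {candidate!r}: {', '.join(problems)}")
        elif is_reused(candidate, history):
            print(f"rejected {candidate!r}: previously used")
        else:
            history.append(hash_password(candidate))
            print(f"accepted {candidate!r}")
```

The reuse check works only because the stored hashes are salted per entry and verified one by one; a plain unsalted hash table would let an attacker test a leaked password against every account at once.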

2. Two-factor/multifactor authentication

Two-factor authentication (2FA) requires that users provide at least one additional authentication factor beyond a password. MFA requires two or more factors. Factors can also include out-of-band authentication, which involves the second factor being on a different channel from the original device to mitigate man-in-the-middle attacks. This authentication type strengthens the security of accounts because attackers need more than just credentials for access.

The strength of 2FA relies on the secondary factor. Attackers can easily breach
text and email. Using biometrics or push notifications, which require something
the user is or has, offers stronger 2FA. Be careful when deploying 2FA or MFA,
however, as it can add friction to UX.

3. Biometric authentication

Biometrics uses something the user is. It relies less on an easily stolen secret to
verify users own an account. Biometric identifiers are unique, making it more
difficult to hack accounts using them.

Common types of biometrics include the following:

- Fingerprint scanning verifies authentication based on a user's fingerprints.

- Palm scanning identifies users by examining their unique vein patterns.

- Facial recognition uses the person's facial characteristics for verification.

- Iris recognition scans the user's eye with infrared to compare patterns against a saved profile.

- Behavioral biometrics uses how a person walks, types or handles a device.

Users may be familiar with biometrics, making it easier to deploy in an enterprise setting. Many consumer devices feature biometric authentication capabilities, including Windows Hello and Apple's Face ID and Touch ID. A biometric authentication experience is often smoother and quicker because it doesn't require a user to recall a secret or password. It's also harder for attackers to spoof.

Technology remains biometrics' biggest drawback. Not every device handles biometrics the same way, if at all. Older devices might only use a saved static image that could be fooled with a picture. Newer software, such as Windows Hello, might require a device to have a camera with near-infrared imaging. This could require heavier upfront costs than other authentication types. Users also must be comfortable sharing their biometric data with companies, which can still be hacked.

4. Single sign-on

Single sign-on (SSO) enables an employee to use a single set of credentials to access multiple applications or websites. The user has an account with an identity provider (IdP) that is a trusted source for the application (service provider). The service provider doesn't save the password. The IdP tells the site or application via cookies or tokens that the user verified through it.

SSO reduces how many credentials a user needs to remember, strengthening security. UX is also improved as users don't have to log in to each account each time they access it, provided they recently authenticated to the IdP. SSO can also help reduce a help desk's time assisting with password issues.

This authentication method does mean that, if an IdP suffers a data breach,
attackers could gain access to multiple accounts with a single set of credentials.
SSO also requires an initial heavy time investment for IT to set up and connect to
its various applications and websites.

5. Token-based authentication

Token-based authentication enables users to log in to accounts using a physical device, such as a smartphone, security key or smart card. It can be used as part of MFA or to provide a passwordless experience. With token-based authentication, users verify credentials once for a predetermined time period to reduce constant logins.

Tokens make it difficult for attackers to gain access to user accounts. Attackers
would need physical access to the token and know the user's credentials to
infiltrate the account.

Employees must be trusted to keep track of their tokens, or they may be locked
out of accounts. Because users are locked out if they forget or lose the token,
companies must plan for a reenrollment process.
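Both the SSO section ("the IdP tells the site or application via cookies or tokens that the user verified through it") and the token-based section ("users verify credentials once for a predetermined time period") rely on the same mechanism: a token the service can check without re-contacting the issuer or storing the password. The block below is an added example, not from the original document, of the minimal form of such a token: JSON claims (subject, expiry, unique id) signed with HMAC-SHA256 under a key shared by issuer and verifier. The verifier rejects a token whose signature does not match, whose expiry has passed, or whose claims were edited after signing. The key, lifetime and claim names are assumptions for the demonstration; a real IdP would normally use an asymmetric signature so that the verifying services hold no signing key.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used in web tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user: str, lifetime: int, now: int) -> str:
    """Sign {sub, exp, jti}; 'jti' is a random id so a service can revoke or de-duplicate tokens."""
    claims = {"sub": user, "exp": now + lifetime, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    signature = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{signature}"


def verify_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired, else None."""
    try:
        body, signature = token.split(".")
        given = _unb64(signature)
    except ValueError:  # wrong shape or undecodable signature (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None  # tampered claims or a token from a different issuer
    claims = json.loads(_unb64(body))
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired: the user must authenticate again
    return claims


# Constructed demo key; in practice this comes from a secret store, never source code.
DEMO_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    token = issue_token(DEMO_KEY, "alice", lifetime=3600, now=1_000_000)
    print("token:", token)
    print("valid at +100s:", verify_token(DEMO_KEY, token, 1_000_100))
    print("valid at +3600s:", verify_token(DEMO_KEY, token, 1_003_600))
```

The expiry is what gives the "predetermined time period" its teeth: a token copied from a device is worthless once it lapses, and shortening the lifetime trades a little UX friction for a smaller window of exposure.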

6. Certificate-based authentication

Certificate-based authentication uses digital certificates issued by a certificate authority and public key cryptography to verify user identity. The certificate stores identification information and the public key, while the user has the private key stored virtually.

Certificate-based authentication uses SSO. IT can deploy, manage and revoke certificates. This authentication type works well for companies that employ contractors who need network access temporarily.

Certificate-based authentication can be costly and time-consuming to deploy. IT must also create a reenrollment process in the event users can't access their keys -- for example, if they are stolen or the device is broken.