Chapter 5: Information Security and Cybersecurity
Many businesses have gone digital, and moving into the digital era has become a necessity in order to have easy access to everything. However, with technology, digital as well as physical information is not secure by default and needs to be protected against threats and attacks. Before the Internet era, organizations stored data in file cabinets and kept them under lock and key. Security was then upgraded by keeping the file cabinets in a room with controlled access. Now that most companies’ data resides electronically, measures have to be put in place to protect it.
Information security and cybersecurity are usually used interchangeably. The two have similarities, but they also differ greatly. Both protect data from theft, unauthorized use, access, and modification, and those are the only similarities. They differ in the following ways:
Information security
Information security is generally just the protection of data and information. The difference between data and information is that data becomes information when it is interpreted and given meaning. For example, 17071988 is just data, but it becomes information when we know that it is a person’s date of birth.
Information security involves measures taken to protect the integrity, confidentiality, and availability of information.
- Integrity ensures data is not modified, manipulated, or destroyed
- Confidentiality ensures information is not accessed by or disclosed to unauthorized personnel
- Availability ensures data is readily available and reliable
Information security protects data from unauthorized personnel both internally and externally. For example, an employee without a certain level of clearance cannot access certain information. In addition, a client cannot access confidential information from another client.
Cybersecurity
Cybersecurity takes data protection to a whole other level. Cybersecurity is a subset of information security. It offers protection of electronic data from both internal and external cyber-attacks. Businesses nowadays are more vulnerable to cyber-attacks and owners have to implement proper security measures to protect against cyber-attacks.
Cybersecurity is all about preventing unauthorized personnel from accessing or compromising digital data. It is usually done using advanced IT security tools and the implementation of several security protocols. The most common cyber-attacks include data breaches and phishing, which is the use of emails, telephone calls, and text messages that pose as legitimate institutions to lure individuals into providing sensitive information.
Information Security vs Cybersecurity
1. Security
Both information security and cybersecurity offer some type of security protection. The difference between the two is subtle. Cybersecurity offers protection of data from unauthorized digital access in cyberspace, while information security offers protection of data from unauthorized personnel not just in cyberspace but everywhere else.
2. Value of Data
Both offer protection of the value of data. Information security offers protection of the value of data from any type of threat while cybersecurity offers protection of data from unauthorized digital access only in cyberspace.
3. Dealing with Threat
Information security deals with measures put in place to protect data before any threat materializes, while cybersecurity deals with the threat first, especially if it is about to happen, in order to protect the data. Information security protects data from any form of threat, while cybersecurity offers protection in cyberspace.
4. Function
Information security protects information from unauthorized access, modification, use, disclosure, or destruction while maintaining integrity, confidentiality, and availability. Cybersecurity offers protection from anything in cyberspace that can attack the information, including crime, cyber fraud, and law enforcement.
5. Format
Information security offers protection of information in any realm, while cybersecurity offers protection only in the cyber realm. Information security safeguards information in both physical and digital formats, while cybersecurity safeguards information only in digital format.
Note:
Businesses nowadays are urged to implement both information security and cybersecurity, especially if, like banks and hospitals, they deal with highly sensitive information.
Computer Security in Wireless Networks
Wireless networking is the use of data connections between network nodes without incurring the cost of cables. Individuals and organizations commonly use wireless networks. Examples include the use of cell phones for personal communication or the use of satellites to communicate across the world. Most computers and devices nowadays come with a wireless card pre-installed, which allows access to various networks.
While wireless networks offer great benefits, they are prone to some security issues.
Hackers
- Hackers have devised ways of breaking into wireless networks. They even break into wired networks by way of wireless technology, and they keep inventing more innovative and sophisticated attacks that use it.
Accidental Association
- Accidental association, which can sometimes also be deliberate, happens when a user turns on a computer and it connects, without the user being aware, to a wireless access point in a neighboring overlapping network. The security issue is that if the computer is a company computer, its information is now exposed to whoever runs the other overlapping network.
Malicious Association
- This is when cybercriminals use their own wireless device, such as a laptop, to connect to a company network as opposed to using the company access point. They make their laptop’s wireless card look like a legitimate access point, and once they gain access to the company’s information, they can steal passwords, launch attacks, or plant malware.
Ad Hoc Networks
- Networks formed directly between wireless computers without an access point are called ad hoc networks. The real security issue is not the ad hoc network itself but the bridge it provides to other networks. Most Windows versions have this feature on by default; therefore, users often have no idea that their computers also operate an unsecured ad hoc network. Encryption methods can be used to secure it.
Non-Traditional Networks
- Wireless devices like Bluetooth devices, barcode readers, handheld PDAs, wireless printers, and copiers can also pose serious security risks and should be secured. They are heavily targeted by hackers.
Identity Theft
- This occurs when a hacker identifies the media access control (MAC) address of an authorized computer and uses it to impersonate that computer. For example, if the impersonated computer is allowed to create a new user, install software, or change functions, the hacker can do so too. The stolen address lets them get around access restrictions that rely on the MAC address.
Denial of Service (DoS)
- DoS is more of a nuisance than an attack; with DoS, the hacker sends access point failure messages or other commands that deny a person access to the network. The attackers here are not concerned with accessing data, because the disruption they cause interrupts the flow of data. What they are more interested in is recording and copying the codes used for recovery. Security weaknesses can then be assessed using these codes and exploited to gain unauthorized access.
Network Injection
- This occurs when hackers use a wireless network to inject bogus networking re-configuration commands into switches, intelligent hubs, and routers. They can bring down a whole network using this method.
Crack Attacks
- This security issue involves cracking passwords to gain access. There are simple crack attacks as well as complex ones. Wi-Fi passwords can be cracked with tools like Aircrack-ng.
Man-in-the-middle (MITM) Attacks
- Hackers use these kinds of attacks to sniff, probe, and attack Wi-Fi networks. These MITM attacks are enabled by software like AirJack and LANjack.
Caffe Latte Attack
- This attack works by defeating Wired Equivalent Privacy (WEP). The attacker does not need to be physically within the network’s area. The Windows wireless stack is targeted using a specific process, and within six minutes the remote client’s WEP key is obtained.
How do we offer computer security in wireless networks?
Wireless networks are not as secure as wired ones. Hackers are able to access important information once they gain access to a network. Offering end-to-end encryption, therefore, is one step in securing data from hackers. For example, banks use end-to-end encryption to secure their Internet banking services. They ensure independent authentication on all resources.
For closed networks, like those of homes and companies, a good security measure is to restrict access to the access points using various configurations. To counteract these risks in wireless security, a wireless intrusion prevention system is used.
For open networks, like those of large organizations and hotspots, the security measure should be to have an open and unencrypted but isolated wireless network, or to require users to connect to a secure network using a VPN.
RF shielding - You can use special window film or wall paint in an area to reduce wireless signals and prevent access to anyone away from the room.
Denial of service (DoS) defense - You can stop a denial of service attack using three common ways:
- Black holing - This involves dropping all IP packets from the attacker. The strategy will not last long, since hackers can change their addresses, and it should not be done automatically, to avoid added problems.
- Handshake validation - This involves creating false opens and not setting aside resources until the sender acknowledges.
- Rate limiting - For subtle DoS attacks, rate limiting can reduce traffic to a more reasonable amount to deal with. This method doesn’t actually solve the problem; it only helps, because it frustrates both the hacker and the user.
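Two of the defenses listed above, rate limiting and black holing, carried out in code over a constructed stream of requests arriving at a wireless access point. This is an added example, not code from the chapter; the traffic, the per-client limit and the sliding-window limiter are assumptions made for the illustration.

```python
"""Rate limiting and operator-controlled black holing of access-point requests.
Added illustration; the traffic and limits below are constructed, not real."""
from collections import defaultdict, deque

# Constructed sample traffic as (timestamp in milliseconds, client MAC address).
# Client ...:01 floods the access point with a request every 10 ms for 3 s;
# clients ...:02 and ...:03 send a few ordinary requests.
SAMPLE_TRAFFIC = (
    [(i * 10, "aa:bb:cc:dd:ee:01") for i in range(300)]
    + [(500, "aa:bb:cc:dd:ee:02"), (1200, "aa:bb:cc:dd:ee:02"),
       (2000, "aa:bb:cc:dd:ee:03")]
)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window_ms` span."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self.history = defaultdict(deque)  # client -> timestamps of accepted requests

    def allow(self, client, now_ms):
        recent = self.history[client]
        while recent and now_ms - recent[0] > self.window_ms:
            recent.popleft()  # forget requests that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now_ms)
        return True


def filter_traffic(packets, blackhole=frozenset(), limit=20, window_ms=1000):
    """Return (accepted, dropped_per_client, rate_limited_clients).

    `blackhole` is an operator-maintained set of addresses whose packets are
    all dropped. It is deliberately not filled in automatically: the chapter
    notes that black holing should not be applied automatically, so this
    function only reports which clients hit the rate limit, for review.
    """
    limiter = SlidingWindowLimiter(limit, window_ms)
    accepted, dropped, rate_limited = [], defaultdict(int), set()
    for ts, client in sorted(packets):
        if client in blackhole:
            dropped[client] += 1
        elif limiter.allow(client, ts):
            accepted.append((ts, client))
        else:
            dropped[client] += 1
            rate_limited.add(client)
    return accepted, dict(dropped), rate_limited


if __name__ == "__main__":
    acc, dropped, limited = filter_traffic(SAMPLE_TRAFFIC)
    print(f"rate limiting: accepted {len(acc)}, dropped {dropped}, review {limited}")
    acc, dropped, _ = filter_traffic(SAMPLE_TRAFFIC, blackhole=limited)
    print(f"after black holing: accepted {len(acc)}, dropped {dropped}")
```

With the limit at 20 requests per second, the flooding client still gets 20 requests through in each second it keeps flooding, which is the "only helps" behaviour the chapter describes; the black hole cuts it off entirely while the two ordinary clients are unaffected.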
Using smart cards or tokens is a strong form of security, especially for wireless transmissions. It combines the server software, the internal identity of a hardware card, and a user-entered PIN in an algorithm that frequently generates a new encryption code. The use of smart cards or tokens is actually one of the safest security measures. However, it is very expensive.
To secure mobile devices, handsets, and PDAs, you can protect against rogue access points and ad hoc networks, use mutual authentication schemes, and deploy wireless intrusion prevention system (WIPS) solutions.
Devices such as printers and copiers connected to a wireless network need to be secured using proper authentication like passwords.
Avoid using unsecured Internet connections. In some countries, persons who provide open access points are usually held liable when any illegal activity is conducted using their access point.
The following simple techniques offer a range of protection against unsophisticated hackers but do not guarantee protection against sophisticated ones:
1. SSID (Service Set Identifier) hiding - To secure a wireless network, one can hide the SSID. Casual attackers will not see your network and, therefore, will not attack it. However, sophisticated hackers will still be able to discover the SSID. This offers only a little protection but can be effective.
2. MAC ID filtering - Wireless access points have MAC ID filtering. MAC filtering can prevent unauthorized access to wireless networks. However, with karma attacks this method has become less effective, because hackers can still sniff the MAC address.
3. Static IP addressing - Wireless networks provide IP addresses to users using the Dynamic Host Configuration Protocol (DHCP). If you tell the users to set up their own addresses instead, it provides some measure of security.
4. Wi-Fi Protected Access (WPA) - this security protocol is effective when you use long passwords and avoid dictionary words, which can be easily cracked.
The Cybersecurity Framework and Its Processes
Companies are well aware that they need to protect their data and information against cyber-attacks. The National Institute of Standards and Technology (NIST) came up with a cybersecurity framework describing how to identify, protect against, detect, respond to, and recover from cyber-attacks.
The NIST cybersecurity framework starts with understanding the organization’s mission and its risk tolerance, down to how it protects against and detects any security violation. The framework is broken down into five main functions, each with its own categories and subcategories:
1. Identify
This first function is used to identify the cybersecurity goals the organization wants to achieve in line with its systems. These goals will definitely vary from company to company. Here are the five categories covered by this function.
- Asset Management - This involves identifying the data, systems, personnel, and facilities that enable the organization to achieve its goals
- Business Environment - This involves identifying and understanding the organization’s mission and objectives in order to make informed cybersecurity decisions
- Governance - Understanding of the company’s procedures, policies, and processes to give management facts or information about cybersecurity risks
- Risk Assessment - Make sure that the cybersecurity risks to operations are understood by the organization
- Risk Management Strategy - The establishment of the organization’s constraints, risk tolerance, and priorities used to support operational decisions
2. Protect
After working through the categories above, you can move on to the protection function. This function is all about developing measures to achieve the goals identified in the Identify function.
- Access Control - Organizational assets and facilities should only be accessible to authorized users
- Awareness and Training - Organizational personnel should have easy access to cybersecurity awareness education and should also receive training on how to perform their duties consistent with the policies and procedures identified in the first function
- Data Security - Management of information and data in line with the organization’s risk strategy while protecting the information’s integrity, confidentiality, and availability
- Information Protection Processes and Procedures - Maintenance of the company’s policies, processes, and procedures to protect information systems and assets
- Maintenance - Maintenance of information systems is done in line with the company’s procedures and policies
- Protective Technology - Ensure security is in line with policies and procedures by managing the technical solutions
3. Detect
This third function involves establishing activities needed to identify any anomaly in cybersecurity.
- Anomalies and Events - Any activity that deviates from what is expected is detected on time and its potential impact assessed
- Security Continuous Monitoring - Monitoring of information systems and assets is done at discrete intervals to identify cybersecurity inconsistencies and assess the protective measures in place
- Detection Processes - Maintenance of the detection processes and procedures to ensure timely awareness of any anomalies
4. Respond
This fourth function involves developing appropriate activities to act on detected cybersecurity events.
- Response Planning - Execution and maintenance of response processes to ensure an on-time response to any detected cybersecurity event
- Communications - Communication of response activities to internal and external stakeholders
- Analysis - Analysis is done to ensure proper response measures have been put in place
- Mitigation - This involves reducing the severity of cybersecurity events
- Improvements - Improve response activities by incorporating lessons learned from the other three functions
5. Recover
This last function ensures appropriate activities are put in place so that capabilities impaired by a cybersecurity event can be restored.
- Recovery Planning - Execution and maintenance of recovery processes to ensure any systems affected by a cybersecurity event are restored on time
- Improvements - Improving the recovery processes by incorporating any lessons learned
- Communications - Communication of restoration activities to internal and external stakeholders
The Framework Implementation Tiers
The implementation tiers show how an organization views cybersecurity risks and processes in place to manage the risks. There are four tiers in the framework.
Tier 1: Partial
- Risk Management Process - Management of cybersecurity risk is not formalized, and risk is managed only when necessary. The risks are not yet aligned with the company’s objectives
- Integrated Risk Management Program - Cybersecurity risk management is not done regularly. The organization has no way of sharing cybersecurity information with its staff members, and there is limited awareness of the risks
- External Participation - The organization’s role in spreading cybersecurity awareness to the larger ecosystem is not yet understood. The organization neither receives information from external organizations nor shares it, since it is not aware of cyber supply chain risks
Tier 2: Risk-Informed
- Risk Management Process - Management approves risk management practices, but they are still not aligned with the organization’s policies
- Integrated Risk Management Program - The organization is aware of cybersecurity risks, but approaches have not been put in place to manage them. Cybersecurity risk management is done but is not repeatable or recurring
- External Participation - The organization understands its role in the larger ecosystem with respect to either its own dependencies or its dependents, but not both. The organization is aware of cyber supply chain risk but does not act consistently on those risks
Tier 3: Repeatable
- Risk Management Process - Management approves the risk management policies, and they are aligned with the company’s policies. They are also updated regularly
- Integrated Risk Management Program - Policies and processes on risk management are reviewed regularly; staff in charge of cybersecurity communicate regularly about cybersecurity risk. Management ensures cybersecurity is considered at all levels of operation
- External Participation - The organization understands and contributes to the broader understanding of cybersecurity in the larger ecosystem. The organization is aware of cyber supply chain risk and acts upon it
Tier 4: Adaptive
- Risk Management Process - The organization adapts its cybersecurity practices based on current and past activities and incorporates any lessons learned. It has advanced its cybersecurity technologies and practices and responds to threats on time
- Integrated Risk Management Program - The organization has approaches in place for managing cybersecurity risk and is able to handle any risks and threats. Cybersecurity risk management is now part of its organizational culture. The link between organizational objectives and cybersecurity risks is clearly understood and used in making decisions
- External Participation - The organization understands its role in the wider ecosystem and helps the community understand the risks. It now shares information internally and externally and understands cyber supply chain risk
Proper Usage of the Framework
- The framework can be used by companies as a process for identifying, assessing, and managing cybersecurity risks
- It should not replace the current systems used by a company but complement the cybersecurity measures already in place
- The framework can also help companies identify any gaps in their current cybersecurity measures
- It can also be used as a risk management tool to identify critical activities and prioritize expenditure
- The framework can also be used as a basic review of cybersecurity practices, by comparing the company’s current cybersecurity activities with the ones defined in the framework
- The framework can also be used to create a new cybersecurity program or improve the current one
- The framework can also help communicate cybersecurity requirements to stakeholders