INFOSEC

More Than Rules and Regulations

Information Security—commonly called InfoSec—is one of the most pressing needs for modern organizations. The issue is even more severe today due to vulnerabilities created by COVID-19. In the first quarter of 2020, we saw cloud-based attacks increase by 630% across the board, while phishing attempts were up by 600% as of February’s end. As cyberthreats increase, firms need to develop dynamic infosec policies to protect both internal data and private customer information.

What is InfoSec?

While Information Security as a concept is a contemporary idea, its fundamentals date back to 100 BC and the development of the Caesar cipher. Also called a shift cipher, Julius Caesar used it to send encrypted messages to his generals in the field. This strategy involved shifting the letters in the alphabet to make messages unreadable without the key. The shift cipher would become a building block for many other complex cryptography methods in the future.

Today, the word InfoSec is primarily used to describe the protection of computer systems and the data contained within. InfoSec is often described as being based in the “CIA triad” of confidentiality, integrity, and availability:

Confidentiality

Ensuring that information is not disclosed to unauthorized parties

Integrity

Establishing that information is protected from unauthorized changes for its entire life cycle

Availability

Assuring that data will be accessible for its designated purpose at any time it is needed

InfoSec is an overly broad term and is frequently applied to many different classifications of data—sensitive, classified, intellectual property, or privacy-based information. As a result, there is no single InfoSec process that works for all data. Instead, individual regulatory bodies create rules and restrictions for data specific to an industry or individual.

Rules and Regulations to Know

The list of regulations regarding data security is virtually endless, and many of them are focused on specific industries. However, there are some which are more common for companies to deal with. Here are a few of the more commonly encountered security and privacy regulations:

Children’s Online Privacy Protection Act (COPPA)

COPPA applies to companies which collect personal information on minors—specifically children under 13 years old. It strictly limits the information that can be collected on minors, as well as what can be done with that information. Companies subject to COPPA must provide notices of data collection and make an effort to inform parents or guardians of use. Parental permission is required to retain data, and companies can only keep it long enough to fulfill the initial contact. Provisions within this act are so challenging that companies often use 13 as the cutoff age for participants to avoid barriers.

Federal Information Security Management Act of 2002 (FISMA)

This act applies to entities within the federal government. It establishes the required protocols for developing, documenting, and implementing information security policies. It also sets a framework for all information security technology based on standards set by the National Institute of Standards and Technology.

The Gramm-Leach-Bliley Act (GLBA)

This applies to financial institutions and sets three sections. Section one is the Financial Privacy Rule, which establishes the what and how of data collection. Section 2 is the Safeguards Rule, which sets minimum standards for protecting this data. Section three adds additional safeguards against identity theft called the Pretexting rule, which requires institutions to make a good faith effort to prevent unauthorized access to client accounts.

General Data Protection Regulation (GDPR)

The GDPR is a European Union regulation that centers on data from EU residents and whether it stays within the union or is transferred to non-EU countries. It requires the disclosure of data collection policies and permits those on whom data is held to obtain a copy of that information. Among other provisions, the GDPR requires the appointment of a data protection officer and establishes protocols for records of data processing activities.

Health Insurance Portability and Accountability Act (HIPAA)

This applies to any company that handles personal health information and covers both the protection and transmission of data. It requires strict control of records on a need-to-know basis and standardizes transactions through vetted protocols. It also gives patients access to records upon request. While this is for healthcare providers, it also applies to insurance companies and companies that hold Health Savings Accounts for clients.

Sarbanes-Oxley Act (SOX)

Under this rule, all publicly traded companies in the US must maintain financial records for seven years. The bill was created in 2002 in response to scandals like Enron and WorldCom and establishes criminal penalties for failure to keep accurate accounting records. Adhering to SOX often requires the implementation of strict data integrity policies.

Family Educational Rights and Privacy Act (FERPA)

This act pertains strictly to student records. It limits who can gain access to them and under what circumstances. Generally, the only individuals permitted to access records are students, guardians of students, or educational institutions who have received permission.

It’s not uncommon for a business to fall under the purview of multiple security regulations. A good example would be holders of Health Savings Accounts (HSAs), who must comply with HIPAA, GLBA and SOX. On top of that, it’s rare that all regulations will apply to all customers of an organization. Sometimes companies will attempt to juggle multiple regulations at the client level, making privacy management even more challenging, but usually an organization will simply apply the most stringent requirements to all of their customers.

In addition, there are a number of security frameworks that an organization’s business customers may expect their vendors to be compliant with—these are but a few of them:

NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

NIST 800-53 is a comprehensive set of controls published by the National Institute of Standards and Technology (NIST), which any company wishing to become a vendor (directly or indirectly) to the government will certainly need to become familiar with. It covers a wide range of InfoSec concepts, from Awareness and Training to Physical Security, and is often used as a security baseline, even outside of a government context.

NIST SP 800-171: Assessing Security Requirements for Controlled Unclassified Information

NIST 800-171 is another NIST publication which is designed to help in assessing the security of unclassified systems and the policies associated with those systems against standards such as NIST 800-53, FISMA, and Executive Order 13556. It is also often referred to by non-governmental entities as a baseline for security.

Service Organization Controls – Level 2 (SOC 2)

SOC 2 is the shorthand term for a comprehensive audit standard set by the American Institute of Certified Public Accountants (AICPA) for organizations operating in the cloud. SOC 2 reports on the security behind the financial transactions an organization makes. It consists of five Trust Services Principle areas: Security, Availability, Processing Integrity, Confidentiality, and Privacy. It can be a somewhat challenging set of guidelines, because the audit must be performed by a certified SOC 2 auditor, and the end result of the audit is based on the auditor’s opinion of adherence to the guidelines.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS (usually just referred to as PCI) is a standard set forth by the PCI Security Standards Council, and is mandated for any organization handling payment card data. There are multiple levels of PCI compliance, depending on how an organization makes use of credit card and cardholder data. For example, an organization which simply acts as a passthrough but does not store payment card data will have less stringent requirements than an organization that stores and processes cardholder data. Basic levels of PCI compliance can be self-attested to, whereas the higher level requirements must be certified by a PCI Qualified Security Auditor (QSA).

Common Threats to Information Security

Bad actors continually think of new ways to access protected information. Companies and organizations must be aware of these threats and take the appropriate steps to combat these threats before they are breached. This can be a huge challenge in the face of growing data stores and limited budgets, but being prepared for these threats in advance is far easier than recovering from a breach that could have been prevented. Here are some of the most prevalent threats to data today:

Distributed Denial of Service

Attacks: Availability

A DDoS uses an army of compromised computers across the internet to make network requests and disrupt regular traffic. This will eventually impact the website’s ability to function correctly and make it vulnerable to other attacks. The rapidly-growing number of IoT devices has created a reemergence of such threats. Many of these devices are poorly protected and are easily hijacked as bots to perpetrate DDoS attacks.

Backdoor and Supply-Chain Attacks

Attacks: Confidentiality, Integrity, and Availability

Backdoor attacks involve bad actors exploiting a path of access that was intentionally placed in software by the developers. The backdoor may have been created for benign reasons, such as patching the software, but has been discovered and exploited. In the case of supply-chain attacks, the backdoor is placed in the software (or hardware) with bad intentions from the very beginning.

Ransomware

Attacks: Availability

This is a more recent take on traditional malware that is proving quite lucrative for bad actors. Users are tricked into running malicious software which accesses company data to which the user has access and encrypts it. They then demand a ransom, typically paid in cryptocurrency, to remove the encryption and allow the company access to their data again. The total cost of ransomware to global businesses so far this year is estimated to be about $20 billion.

Social Engineering

Attacks: Confidentiality

Human error continues to be one of the most significant liabilities for companies, making social engineering—which takes advantage of human error—a serious problem. Typically the perpetrator will try and “hack” the human by getting them to fill out information on a fake website or provide personal details over the phone. Once the individual provides that information, the bad actor then uses malware or steals data. One of the most concerning problems with social engineering is that it’s often not evident there was a problem until well after the breach.

Insider Attacks

Attacks: Confidentiality and Integrity

An insider attack is different from social engineering because it’s intentional on the behalf of the employee. An employee (or more likely, disgruntled ex-employee) will sell their information to bad actors, allowing them to access system resources with valid credentials. This attack is particularly challenging because the insider is already familiar with company policies and protocols. This familiarity allows them to better mask their trail.

Advanced Persistent Threats

Attacks: Confidentiality and Integrity

An APT isn’t a single attack. It’s a massive, organized effort that can include many methods designed to target a single asset. This extremely sophisticated, prolonged effort is usually only perpetrated by large, organized groups. Unlike a brute force attack, every effort is made to avoid detection as long as possible. As a result, governments or large corporations are typical targets. Often, a foreign military or terrorist group is behind the APT, though not always.

This is only a small subset of the myriad InfoSec threats corporations face today, and new ones are being invented every day. With that in mind, methods for preventing attacks on a company’s data must evolve rapidly, just like the threats they defend against.

Managing Information Security More Effectively

The management of information security requires a wide range of knowledge across numerous domains, and the ability to properly frame that knowledge in the larger picture of the business. Among other things, organizations in today’s world must consider Application Security, Cloud Security, Infrastructure and Network Security, Cryptography, Vulnerability Management, and Incident Response.

Application Security

Application Security (AppSec) is focused on using development practices which ensure that an application is secure from the ground up. Sometimes referred to as “shifting security left,” AppSec measures center primarily on the period before code is deployed, when security issues are easier and less costly to fix. When creating an app, it’s widespread for creators to miss small things that can become serious vulnerabilities later. In fact, in one study of 85,000 unique applications, 83% had at least one exploitable security flaw.

Continuous testing throughout the Software Development Lifecycle (SDLC) is absolutely vital to limit these issues. The DevSecOps approach builds security into the SDLC, resulting in security being front-loaded into the app, rather than something that is retro-fitted after development is complete.

Cloud Security

Cloud Security is particularly challenging for a number of reasons. Cloud-based deployments can provide a number of security benefits, but in many cases those benefits come with trade-offs, such as limited visibility into infrastructure security. A significant factor of cloud security is ensuring that the appropriate legal agreements are in place to ensure that your cloud provider is doing their part to secure your data. In addition, many organizations work in a multi-cloud environment, with segmented data in different locations, which requires juggling disparate security configurations. This additional complexity can lead to errors that cause breaches. A hybrid cloud environment, made up of both public and private clouds, might be more secure, but it still comes with its own challenges.

Encryption for both data at rest and data in motion is vital. Centralized monitoring can provide visibility to attacks and allow organizations to defend against them and redundant backups can also help to recover from any issues more quickly. Orchestrating security using Infrastructure-as-Code techniques to allow for automated compliance and audits will also help firms control their cloud access and protect data.

Encryption

Encryption, the practical usage of cryptography, can provide a level of assurance that an organization’s data cannot be used, even if bad actors are able to access it. By making the data unreadable without the correct key, companies can protect the private information of individuals and make it less appealing to pursue in the first place.

Of course, cryptography has come a long way since the development of the shift cipher during the BC era. Modern cryptography leverages mathematical theories, algorithms, and binary bit sequences to make it impossible for someone to decipher a message without the appropriate key. With a complex enough program, this is true even if the bad actor is familiar with the algorithm used in the code. This process keeps data confidential and protects its integrity. The complexity of modern cryptography can lead to subtle errors in implementation, meaning organizations should not attempt to implement their own encryption, but instead make use of well-tested, publicly-available cryptographic systems.

Infrastructure Security

Poorly-managed infrastructure will open a company up to vulnerabilities, even if they have all the other needed security methods in place. Modern infrastructures are often segmented, which adds extra complexity and makes security delivery more challenging.

Infrastructure as Code (IaC) can help to solve this problem. IaCallows firms to build their infrastructure, including security, as a series of commands (code). This allows it to be tracked, maintained and deployed as part of their SDLC, so that their infrastructure can be built in a repeatable manner. IaC can also provide organizations with a route to rapidly scale their infrastructure, which is vital for growing companies in our data-driven world.

Incident Response

The reality is that no firm will be able to prevent all forms of breaches at all times. The sheer volume of attacks, along with the quantity of data stored, makes perfection unattainable. An incident response plan is essential. No organization ever wants to use it, but it is invaluable when it’s needed.

The ability to contain and quarantine affected systems and files can minimize the scope of the problem, but this is only if it’s possible to identify the issue and trace its origin. Building a system with clear observability and configuring automated monitoring of expected behavior are vital parts of error tracing and root cause analysis.

Vulnerability Management

Vulnerability management is an on-going process that involves continuous improvement of the systems and software. Scans, vulnerability alerting and threat intelligence feeds alert administrators to problems within a system and allow them to respond rapidly to patch or mitigate the issues. This process can often be automated to ensure timely regular testing to catch emerging threats.

New threats to information security emerge every day. Security cannot be static. Constant improvements must respond to these issues, and cyber threat intelligence feeds should be leveraged to stay abreast of changes.

This is a small listing of threats firms face today. Some of the biggest threats to come likely haven’t even been invented yet. With that in mind, security methods for preventing data breaches or modification must evolve right along with the risks.

Modern infosec is challenging for many reasons: segmented information storage, numerous disparate regulations, system complexity, and human fallibility, among others. The best way to manage it all is to have a comprehensive security assessment performed, and use the result to prioritize the integration of security tools and processes into applications, software, and infrastructure. This strategy allows for greater control of the flow of information while ensuring access for those who need it, and also allows you to make the greatest improvements upfront with the least effort.

New Context can help you meet your infosec needs with a thorough security assessment and program. See where you stand with our DevSecOps scorecard or contact us at 1.888.773.8360 for more information.