Technology progresses rapidly, and new security tactics are developed with each innovation. Several years ago, the key term for businesses was “information security,” but today cybersecurity tends to garner more attention and research. However, information security and cybersecurity each have their respective merits, and they share much in common. As an organization, it’s critical that your private information is secured. Learn about the differences between information security and cybersecurity here.
What is Information Security?
The National Institute of Standards and Technology (NIST) defines information security as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. The base of information security depends on the systems or procedures that collect, organize, and disseminate information. As NIST noted, information security has three primary goals: confidentiality, integrity, and availability.
Confidentiality refers to putting in place limits on access. For example, are there layers of authorization and credentials required for the various levels of access? Confidentiality controls bolster the overall credibility of a company, particularly in how it handles sensitive information.
Integrity refers to data remaining intact and unchanged by outside/unauthorized individuals. Again, like confidentiality, integrity strengthens credibility for the customers and business partners.
Availability allows authorized users to access information at any time. The concept of redundancy underlies availability. Implementing redundancy means backing up systems and updating them when new versions or patches are released. For example, if a company backs up its stored data on a second drive, ransomware attacks, although still concerning, will not cripple the company by locking out access to information.
Laws regarding Information Security
e-Government Act of 2002 – This act, targeting federal agencies and departments, sought to regulate security and promote the use of electronic platforms. It established a Federal Chief Information Officer position in the Office of Management and Budget (OMB). Today, the act strives to provide greater public access to government services (e.g., through internet-based services) and to improve the related online security measures.
Federal Information Security Management Act of 2002 (FISMA) – FISMA, a part of the e-Government Act, applies to government agencies, but its guidelines are useful for private sector firms as well. FISMA requires an annual review of security procedures to evaluate whether the security checks/procedures in place are effective and economical. While there are many resources available for managing information security, NIST’s nine steps for information security parallel FISMA’s requirements.
Federal Information Security Modernization Act of 2014 – This act is an amendment to FISMA centered on improving monitoring guidelines.
Federal Information Processing Standards (FIPS) – The federal government published information security and risk management standards. The two main FIPS publications include FIPS 199 and FIPS 200. FIPS 199 specifies how entities should categorize information and systems in order to promote better security management. FIPS 200 sets the bar for minimum security measures and details a risk categorization process for selecting which security controls to use.
What is Cybersecurity?
NIST defines cybersecurity as the ability to protect or defend the use of cyberspace from cyber attacks. Cyberspace refers to a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Cybersecurity encompasses networks, devices on the networks, and the programs used in conjunction with the network.
Three Common Cyber-threats
In order to fight cyber threats, you have to understand the methods of attack. Norton Security notes three common threats that endanger cyberspace: social engineering, Advanced Persistent Threats (APTs), and malware. Although these are not the only threats, they occur often and can have detrimental effects on company operations and consumer trust.
Social Engineering – Social engineering relies on manipulation and often plays on emotions. Attackers use enticing deals or misrepresentation so people reveal personal information. Phishing scams are a very common example of social engineering and usually manifest through fraudulent emails.
Advanced Persistent Threats – APTs occur when threat actors penetrate a system undetected and remain in the system for a long period of time. Since APTs require stealth, they are often more sophisticated and much harder to detect. Because APTs have access to a network for extended periods of time, attackers typically target high-value information, sifting through data throughout the network and potentially intercepting communications.
Malware – Malware, also called malicious software, comes in many forms and affects the operation of a network. Some of the many types include spyware, keyloggers, viruses, and worms.
Information Security vs Cybersecurity
Despite the differing definitions above, most professionals still find it difficult to differentiate between cybersecurity and information security. This can lead to confusion when establishing a security department. Should there be separate information and cybersecurity groups or is one a subset of the other?
To clarify, information security focuses on CIA in regard to data and information (i.e., data with context). In contrast, cybersecurity focuses on the systems/devices securing information/data and the security of hardware and software (i.e., Information and Communication Technology – ICT).
Unlike cybersecurity, information security encompasses more than information in cyberspace; it includes information in physical form. While cybersecurity targets cyber criminals and fraud, information security deals more with unauthorized access or disclosure as well as operational disruptions. All in all, both forms of security overlap, but there are subtle differences.
Cybersecurity Best Practices
- Behavioral biometrics – Behavioral biometrics analyzes human activity and uses it to alert cybersecurity teams if irregular behavior is detected. This contrasts with the increasingly popular physical biometrics (e.g., fingerprints, facial scans). Keystroke analysis, mouse analysis, gait analysis, and voice ID fall under behavioral biometrics. Many companies already possess the capability to collect behavioral biometrics and simply need to acquire biometric analysis tools. As technology develops, more companies will likely incorporate behavioral biometric innovations into their authentication processes.
- Policies, standards, guidelines – Writing a security policy lays the foundation for accountability and consistency in combating cyber threats. SANS Institute states that any policy should be point-specific, with sections covering standards, guidelines, and policies. Standards are requirements that must be followed by all employees and often involve technical specifications, like how to properly update a system. Distributing guidelines (strongly recommended best practices) helps educate employees. Since the threats to cyberspace continue to evolve, policies, standards, and guidelines should also be updated on a regular basis.
- Risk-based – Risks change from industry to industry. Consequently, NIST outlines a Risk Management Framework. Taking stock of past threats and running tests on current system controls helps security teams identify weak spots. Moreover, it’s important to classify operations by level of importance. For example, what are the most critical systems and do they have controls equal to their importance?
- Third-Party Access – Third parties are often necessary for efficient business operation, but what does “third party” encompass? In the case of cybersecurity, any party that is accessing your data remotely should be considered a third party. This may include remote workers, subcontractors, vendors, suppliers, and business partners, to name a few. Using access controls and third-party monitoring systems narrows the scope of threats or, in the event of a threat, helps narrow down the likely point of entry. Another good idea is one-time passwords for access.
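The keystroke analysis mentioned under behavioral biometrics above can be illustrated with a small profile-and-score routine. This is an added example, not code from the original post or from any vendor tool; the timing values are constructed, and the fixed-passphrase model (one dwell/flight pair per key, z-score threshold of 3.0) is an assumption for illustration.

```python
"""Keystroke-timing anomaly check for a fixed passphrase (added illustration).

Each typing sample is a list of (dwell_ms, flight_ms) pairs, one per key:
dwell = how long the key was held, flight = gap until the next key press.
"""
from statistics import mean, pstdev

# Constructed enrollment data: five sessions of the legitimate user typing a
# six-key passphrase. Every number here is invented for illustration.
ENROLLMENT = [
    [(95, 120), (88, 140), (102, 110), (90, 130), (97, 125), (93, 118)],
    [(92, 125), (90, 135), (99, 115), (94, 128), (95, 122), (91, 120)],
    [(98, 118), (86, 142), (104, 108), (89, 133), (99, 127), (95, 116)],
    [(94, 122), (91, 138), (100, 112), (92, 129), (96, 124), (92, 119)],
    [(96, 119), (89, 141), (103, 109), (91, 131), (98, 126), (94, 117)],
]


def build_profile(sessions):
    """Per-key mean and std-dev of dwell and flight times across sessions."""
    n_keys = len(sessions[0])
    profile = []
    for i in range(n_keys):
        dwells = [s[i][0] for s in sessions]
        flights = [s[i][1] for s in sessions]
        # A zero std-dev would divide by zero; fall back to 1 ms.
        profile.append((mean(dwells), pstdev(dwells) or 1.0,
                        mean(flights), pstdev(flights) or 1.0))
    return profile


def anomaly_score(profile, sample):
    """Mean absolute z-score of a new sample against the enrolled profile."""
    zs = []
    for (d_mean, d_sd, f_mean, f_sd), (dwell, flight) in zip(profile, sample):
        zs.append(abs(dwell - d_mean) / d_sd)
        zs.append(abs(flight - f_mean) / f_sd)
    return sum(zs) / len(zs)


def is_irregular(profile, sample, threshold=3.0):
    """True when the typing rhythm deviates enough to warrant an alert."""
    return anomaly_score(profile, sample) > threshold
```

In practice the profile would be built from many more sessions and the threshold tuned against false-alarm rates, since a profile from a handful of samples has very small standard deviations and flags even mild variation.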
NIST’s 5 Functions
In its cybersecurity framework, NIST outlines 5 functions that serve as a “backbone” for cybersecurity policies. Although not very specific in terms of types of controls, the 5 functions offer an abstract guide for establishing a well-rounded cyber policy. These functions are written with the overlap between cybersecurity and information security practices in mind.
1. Identify –
The identification process examines people, assets, data, and capabilities. Identifying critical systems enables companies to prioritize how time and money are used. For example, a company should analyze its supply chains or its role in a supply chain. Additionally, entities should verify that applicable legal/regulatory requirements are being followed. Audits will assist in the identification process. Finally, establish what level of risk your company is willing to tolerate. Risk tolerance refers to the level of risk to data and systems that an entity deems acceptable.
2. Protect –
Protecting information centers on limiting the impact or likelihood of an attack. Part of a comprehensive protection plan is employee training. The protection function overlaps with information security’s goals, as it focuses not only on protecting cyberspace but also on ensuring confidentiality, integrity, and availability. Maintenance is also a large part of protection. It’s not enough to put a control in place and then move on. Companies must review the effectiveness of controls. SANS Institute published a report on Measuring Effectiveness in Information Security Controls.
3. Detect –
The impact of a security breach or cyber attack depends largely on how quickly the breach is discovered. Tools that scan for anomalies increase the probability of quickly detecting and mitigating a breach. The Open Web Application Security Project (OWASP) provides a list of web application vulnerability scanning tools, also called Dynamic Application Security Testing (DAST), and delineates the owner, availability, and platform associated with each tool. Some of the threats these tools look for include insecure server configuration, command injection, and SQL injection.
4. Respond –
Responding centers on containment and restoring normal operations as soon as possible. A clear plan and smooth communication channels are key. To start developing an incident response plan, define what falls under a security incident, identify essential data, and then analyze the IT environment. Assessing the environment means companies can better allocate resources. Next, assemble a response team with experts who are capable of both technical mitigation and coherent communication. Create a written policy for response procedures and the desired timeline for resolution. In the event of a severe attack, it’s wise to have a backup and disaster recovery (BDR) procedure. Running practice scenarios and reviewing the results helps work out the kinks in a response plan and refine it over time.
5. Recover –
NIST defines recovery as a process for identifying appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The process should review if the incident response plan succeeded and evaluate the effectiveness of the chain of communication.
IoT and Cybersecurity
Data storage now extends beyond hard drives and individual devices. Consequently, cyberspace has become an increasingly enticing target. Since cybersecurity deals with the devices and interconnection of devices, it falls to companies to protect their IoT environment.
A major IoT problem lies in the fact that every device connection means data must be collected and stored (e.g., who connected, from where, for how long). Add on top of that the many connections the IoT allows per day and you have a plethora of potential entry points for threat actors. For example, man-in-the-middle attacks and paralyzing botnets continue to be an issue for companies and individuals.
So what can you do? Norton Security recommends the following precautions:
- Internet security software – Installing firewall software and other software that blocks viruses or malware will help keep the whole interconnected system protected.
- Don’t use common passwords – It can’t be said enough that changing default passwords on new devices and using complex passwords or passphrases is beneficial. Passwords like “1234” or passwords that involve personal information are highly insecure. Likewise, if you are completing security questions, do not use information readily available on social media (e.g., what’s your mother’s name?). Instead, try to use questions that only you could answer.
- Use a VPN – VPNs provide an added layer of security when working from public WiFi networks or at home.
- Beware of sharing functions – Sharing information is convenient, but depending on the application in use, it can reveal a person’s location or allow threat actors to track an individual.
- Don’t leave devices unattended – Imagine you are working at a coffee shop and you get up to get a napkin. Do you close your laptop? Most people don’t realize how quickly a device can be compromised. Another precaution is to shut off Wi-Fi or Bluetooth if you aren’t using it, as some newer devices automatically connect to similar devices in the vicinity.
- Research what data your device collects – Devices need to collect data to function, but you should know how that data is stored and whether third parties have access to it. Similarly, be wary of apps that ask for access to seemingly irrelevant data.
- Update devices – Rather than only waiting for push updates, proactively check the device manufacturer’s website for firmware updates.
While information security went mainstream before cybersecurity, both are of equal importance. Many of the information security safeguards bolster cybersecurity controls and vice versa. In short, there is a difference between information security and cybersecurity, but it’s largely in definition only. Moreover, there is a significant overlap between the two in terms of best practices. To receive help reviewing your information or cybersecurity policy or for assistance developing an incident response plan, contact RSI Security today.