- Category: August 2013 - Data Protection & Security
IT security is a necessary precondition for the operational use of information systems and for informational self-determination. Unfortunately, its relevance is often only recognized once it is missing. Although the industry continuously works to make the Internet safer for users, increasingly complex business processes and technologies make it difficult to earn users' confidence.
The Confidentiality, Integrity, and Availability (CIA) triad is one of the core principles of information security, and it is what I want to depict briefly in the following article. Of course, I am aware of more fine-grained frameworks, such as the nine generally accepted principles of the OECD Guidelines for the Security of Information Systems and Networks (awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment), or the Engineering Principles for Information Technology Security of the National Institute of Standards and Technology (NIST), which proposes as many as 33 principles, among others.
So, let us take a look at the CIA triad:
- Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems. It is usually enforced by encryption, by limiting the places where the information may appear (databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. Confidentiality is also what preserves the privacy of the people whose personal information the system holds.
- Integrity in information security means maintaining and assuring the accuracy and consistency of data over its entire life-cycle, implying that data cannot be modified in an unauthorized or undetected manner. Unauthorized changes are typically detected with cryptographic checksums, message authentication codes or digital signatures, so information security systems usually provide message integrity alongside data confidentiality.
- Availability is a must for any information system to serve its purpose when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must function correctly and be available whenever required. Service disruptions due to power outages, hardware failures and system upgrades must be prevented, and ensuring availability also involves defending against denial-of-service attacks.
IT security is not a static state but a dynamic process that follows technical developments. When there were only a few mainframe computers, managed exclusively by experts, IT security hardly played a role and mainly meant physically restricting access to the machine. With the growth of electronic representations of data, networking, and the control of real-world processes by information systems, the scope of the term "IT security" expanded, and with it the kinds of security mechanisms that are required and available.
As this shows, IT security has several aspects: it clarifies systematically and in detail what has to be protected from whom, which threats exist and can actually be carried out, and which security gaps and vulnerabilities those attacks would exploit. Defining the security requirements of an information system, and deciding within which framework protection mechanisms are deployed, are therefore the main subject of IT security management.
Protection goals and threats
To answer the question of what is to be protected, IT security protection goals have to be defined. The three protection goals mentioned above, confidentiality, integrity and availability, are essential. Confidentiality aims to hide information and resources (e.g., manufacturing data, communication records) from prying eyes; integrity focuses on the intactness of information and resources and protects them from unauthorized changes; and constant availability is of course required as well. A threat is anything that can violate one of these protection goals and thereby cause damage.
The weaknesses of an information system are potential targets for attacks and are therefore the main reason why protection goals are not achieved. The causes of vulnerabilities are diverse: faulty programming, incorrect system design, or non-compliance with security requirements, for instance. This puts the identification of vulnerabilities at the forefront of IT security. Depending on the cause, a variety of methods can be used to find and classify them, whether collection-based, creative or analytical. As a rule of thumb, the effort of identification grows with the completeness that is to be achieved. A complete identification of all vulnerabilities of an information system is, however, difficult to achieve, if it is possible at all. Absolute security is therefore mostly an illusion, since an inherent element of risk always remains.
A hazard arises only when a vulnerability meets a threat that can exploit it in an attack. Networked information systems are frequent targets of such attacks, which use viruses, worms, Trojan horses, denial-of-service attacks and spoofing. Viruses are programs or fragments of program code that need a "host", for example a document or executable sent as an e-mail attachment, in order to spread. As the host propagates, the virus spreads between information systems and "infects" them by replicating itself. Worms contain such a reproduction mechanism as well, but are active on their own in spreading: by exploiting vulnerabilities they copy themselves from system to system without user interaction.
Another type is the so-called Trojan, which users install as a seemingly useful tool but which secretly executes malicious functions. Trojans usually open "back doors" that allow further program code to be loaded (universal Trojans) or further Trojans to be produced (transitive Trojans). In this way a Trojan can, for example, gain access to the entire attacked system, or record passwords and submit them unnoticed to criminals.
So-called denial-of-service attacks, on the other hand, target availability: they try to bring a service to a standstill, for example by overloading the system with countless e-mails or requests. Spoofing is the attempt to assume a false identity, e.g. by falsifying the source IP address of a data packet or by redirecting a page request to a counterfeit website. When users are lured to such a counterfeit site in order to harvest their credentials, as is well known from online banking, the attack is referred to as phishing. Not to mention that there are other forms of attack and combinations, such as Trojan worms, as well.
Many protection mechanisms are available to defend against known attacks. In their approach they either achieve confidentiality and integrity by transforming the content (encryption), or they prevent unauthorized access to information and resources. Cryptography is the basis for ensuring the confidentiality and integrity, but also the accountability, of information, applied through its derived mechanisms: encryption of content and the creation and verification of digital signatures.
Another class of protection mechanisms consists of programs, such as antivirus software, that detect known viruses, worms and Trojans and prevent their execution. For this purpose, all network traffic and all file read and write accesses are checked in the background for known malicious code in order to prevent an infection of the information system. Since this does not always succeed, depending on how current and complete the underlying signature databases are, additional anti-malware programs are available that search a system for Trojans and other malicious software and try to remove them.
Despite these and other protection mechanisms, not all attacks can be blocked completely. On the one hand, the protection offered by an individual mechanism is rarely complete; it usually only raises the cost and time an attacker needs to exploit a vulnerability (e.g. to break the encryption of captured data). The underlying attacker model is therefore of particular importance when evaluating protective mechanisms: against an omnipotent attacker who has access to all necessary resources, complete protection is simply impossible.
On the other hand, there are attacks for which technical protection mechanisms alone are insufficient, such as phishing attacks in online banking, which also require organizational measures and "common sense" to be averted. The fact is that even with effective technical protection mechanisms, an inherent residual risk always remains.
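The two cryptographic mechanisms named here, encryption of content (for the confidentiality and integrity goals defined above) and digital signatures (for accountability), are illustrated by the following added example. It is not code from the original article; it uses Go's standard library with AES-256-GCM as the authenticated cipher and Ed25519 for signatures. The key generation helpers, the function names and the sample order record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM wraps a 16-, 24- or 32-byte AES key in GCM mode. GCM is an
// authenticated cipher: the keystream gives confidentiality, the 16-byte
// tag gives integrity, so modified ciphertext is rejected rather than decrypted.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag. aad is authenticated but not
// encrypted (e.g. a record type or version) so it cannot be swapped either.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// Decrypt splits off the nonce and lets GCM verify the tag before returning
// any plaintext; the error deliberately does not say which check failed.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, errors.New("integrity check failed: modified message or wrong key")
	}
	return pt, nil
}

// NewKey draws a random 256-bit AES key (assumed helper for the example).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// NewSigner generates an Ed25519 key pair: the private key stays with the
// sender, the public key goes to everyone who must attribute messages to it.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign and Verify provide accountability: only the private-key holder can
// produce a signature that verifies, and it covers every byte of msg.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

func Verify(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

func main() {
	key, _ := NewKey()
	pub, priv, _ := NewSigner()
	record := []byte("order 4711: ship 200 units to warehouse B") // constructed sample record
	aad := []byte("order/v1")

	sealed, _ := Encrypt(key, record, aad)
	sig := Sign(priv, sealed) // signature over the ciphertext, so it can be checked before decrypting

	// Honest receiver: signature attributes the message, GCM tag confirms it is intact.
	fmt.Println("signature valid:", Verify(pub, sealed, sig))
	pt, err := Decrypt(key, sealed, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)

	// Attacker flips one bit of the ciphertext body: both checks now fail.
	tampered := append([]byte{}, sealed...)
	tampered[12] ^= 0x01
	fmt.Println("tampered signature valid:", Verify(pub, tampered, sig))
	_, err = Decrypt(key, tampered, aad)
	fmt.Println("tampered decrypt:", err)
}
```

Signing the ciphertext rather than the plaintext lets a receiver reject forged messages without ever decrypting them, and keeping the signature separate from the AEAD makes the division of labour visible: GCM answers "was this changed?", Ed25519 answers "who sent it?".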
IT security is the ongoing process of exercising due care and due diligence to protect information and information systems from unauthorized access, misuse, disclosure, destruction, modification, disruption or distribution. It is a never-ending process that involves continuous training, assessment, monitoring and review, because it is an indispensable part of all business operations across every domain.
By Daniela La Marca