Information security comprises the methods and processes that protect information and information systems from unauthorized access, disclosure, use or modification. It ensures confidentiality, integrity, and availability. An organization without security policies and appropriate security rules is at great risk, and its confidential information and data are not secure in the absence of such policies. Well-defined security policies and procedures help protect the organization's assets from unauthorized access and disclosure. In the modern world, with the latest technologies and platforms, millions of users interact with each other every minute. Each of those sixty seconds can be vulnerable and costly to private and public organizations because of the many old and modern threats present all over the world. The public internet is the most common and fastest channel for spreading threats. Malicious code and scripts, viruses, spam, and malware are always waiting for you. That is why the security risk to a network or a system can never be eliminated entirely. It is always a great challenge to implement a security policy that is effective and beneficial to the organization, rather than an unnecessary security implementation that wastes resources and itself creates a loophole for threats. Our security objectives revolve around three basic concepts: confidentiality, integrity, and availability.
eBay Data Breach
One real-life example showing the need for information and network security within a corporate network is the eBay data breach. eBay is a well-known online auction platform used all over the world.
eBay announced a massive breach of sensitive data in 2014. An estimated 145 million customers had their data exposed in this attack. According to eBay, the breach compromised the following information:
- Customer names
- Encrypted passwords
- Email addresses
- Postal addresses
- Contact numbers
- Dates of birth
Such sensitive information must be stored in encrypted form using strong encryption, never in plain text. eBay stated that no financial information, such as credit card details, was compromised, although identity and password theft can also pose severe risk. eBay's database holding financial information such as credit card details is claimed to be kept separately and in encrypted form.
The breach originated with attackers compromising a small number of employee credentials via phishing between February and March 2014. Specific employees may have been targeted to gain access to eBay's network, or the eBay network may have been monitored as a whole and then compromised. eBay claimed to have detected the attack within two weeks.
Google Play Hack
A Turkish hacker, “Ibrahim Balic”, hacked Google Play twice and claimed responsibility for the attack. It was not his first attempt; he also claimed to be behind the attack on Apple's Developer site. He tested vulnerabilities in Google's Developer Console and found a flaw in the Android operating system, which he tested twice to make sure it caused a crash each time.
Using the results of his vulnerability testing, he developed an Android application to exploit the flaw. When the Developer Console crashed, users were unable to download applications and developers were unable to upload theirs.
The Home Depot Data Breach
Theft of payment card information, such as credit card data, is common nowadays. In 2014, Home Depot's point-of-sale (POS) systems were compromised. A statement released by Home Depot on 8 September 2014 confirmed the breach of its systems.
The attackers obtained a third-party vendor's login credentials and used them to reach the POS networks. A zero-day vulnerability in Windows was exploited to create a path from the third-party environment into Home Depot's corporate network. Once inside the corporate network, memory-scraping malware was deployed against the point-of-sale terminals. Memory-scraping malware is highly capable; it captured millions of payment card records.
Home Depot has since taken several remediation actions, including the adoption of EMV chip-and-PIN payment cards. These cards carry an embedded security chip that prevents the card from being duplicated, unlike magstripe-only cards.
The term hack value refers to a value that denotes attractiveness, interest or something worthy: it describes how attractive a target is to the hacker.
Zero-day attacks refer to threats and vulnerabilities that can be exploited against a victim before the developer identifies or addresses them and releases a patch.
A vulnerability is a weak point, loophole or flaw in a system or network that attackers can use to get through. Any vulnerability can serve as an entry point to reach the target.
Daisy chaining is a sequential process of several hacking or attack attempts to gain access to networks or systems, one after another, each using the information obtained from the previous attempt.
An exploit is a breach of a system's security through vulnerabilities, zero-day attacks or other hacking techniques.
The term doxing refers to publishing information, or a set of information, associated with an individual. This information is collected from public sources, mostly social media.
The payload refers to the actual information or data in a frame, as opposed to automatically generated metadata. In information security, the payload is the part of malicious or exploit code that carries out the potentially harmful actions, such as running an exploit, opening backdoors, or hijacking.
Bots are software used to control a target remotely and execute predefined tasks; they are capable of running automated scripts over the internet. Bots are also known as internet bots or web robots. They can be used for social purposes such as chatterbots, for commercial purposes, or for malicious purposes such as spam bots, spreading viruses and worms, botnets, and DDoS attacks.
Elements of Information Security
We want to make sure that our secret and sensitive data is secure. Confidentiality means that only authorized persons can work with and see our infrastructure's digital resources; unauthorized persons should have no access to the data. There are two types of data in general: data in motion, as it moves across the network, and data at rest, when it sits on storage media (such as servers, local hard drives, or cloud storage). For data in motion, we must encrypt the data before sending it over the network; another option, used alongside encryption, is a separate network for sensitive data. For data at rest, we can apply encryption to the storage drive so that no one can read it in case of theft.
We do not want our data to be accessed or manipulated by unauthorized persons. Data integrity ensures that only authorized parties can modify data.
Availability applies to systems and data. If authorized persons cannot get the data because of a general network failure or a denial-of-service (DoS) attack, that is a problem as far as the business is concerned. It may also result in loss of revenue or failure to record important results.
We can use the term “CIA” to remember these basic yet most important
| Element | Consequences of compromise | Controls |
|---|---|---|
| Confidentiality | Loss of privacy. Unauthorized access to information. Identity theft. | Encryption. Authentication. Access control. |
| Integrity | Information is no longer reliable or accurate. Fraud. | Maker/checker. Quality assurance. Audit logs. |
| Availability | Business disruption. Loss of customer confidence. Loss of revenue. | Business continuity plans and tests. Backup storage. Sufficient capacity. |
Authentication is the process that identifies a user or device in order to grant privileges and access under certain rules and policies. Similarly, authenticity ensures that information originates from a valid user who claims to be the source of that information and its message transactions. Authenticity can be achieved through authentication, using the combination of identities and passwords.
Non-repudiation is one of the pillars of Information Assurance (IA); it guarantees the transmission and receipt of information between sender and receiver through techniques such as digital signatures and encryption. Non-repudiation is the assurance of a communication and its authenticity, so that the sender cannot deny having sent it and, similarly, the receiver cannot deny having received it. Digital contracts, signatures and email messages use non-repudiation techniques.
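The distinction between authenticity and non-repudiation described above, shown as an added Go example that is not part of the original text: an Ed25519 digital signature can be verified by anyone holding the public key, so the sender cannot later deny it, whereas an HMAC over a shared secret proves authenticity only between the two key holders, because the receiver could have produced the same tag. The message text and the shared secret are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message is a constructed sample transaction the sender transmits.
const Message = "transfer 100 credits to account 42"
// GenerateKeys creates the sender's Ed25519 key pair; the private key never leaves the sender.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a digital signature over msg. Only the private-key holder can create it, so a
// valid signature gives the receiver authenticity and the sender cannot later deny sending it.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySignature checks integrity and authenticity against the claimed sender's public key.
// Anyone, including a third party settling a dispute, can run this check: non-repudiation.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// MAC computes an HMAC-SHA256 tag with a key shared by sender and receiver.
func MAC(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyMAC proves integrity and that some holder of the shared key made the tag. The receiver
// holds that key too, so a MAC cannot prove to anyone else who sent the message: no non-repudiation.
func VerifyMAC(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(MAC(sharedKey, msg), tag)
}

func main() {
	pub, priv, _ := GenerateKeys()
	sig := Sign(priv, []byte(Message))
	fmt.Println("signature valid:", VerifySignature(pub, []byte(Message), sig))    // true
	fmt.Println("tampered valid:", VerifySignature(pub, []byte(Message+"!"), sig)) // false
	key := []byte("constructed-shared-secret") // assumed to be pre-shared between both parties
	fmt.Println("receiver can forge MAC:", VerifyMAC(key, []byte("forged"), MAC(key, []byte("forged")))) // true
}
```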
The Security, Functionality, and Usability Triangle
The level of security in a system is measured against its functionality and usability. These three components are known as the Security, Functionality and Usability triangle. Picture a ball inside this triangle: if the ball is centered, all three components are equally strong; if the ball moves closer to security, the system is spending more resources on security, and its features, functions and usability need attention. A secure system must provide strong protection while still offering all its services, features and usability to the user.
Implementing a high level of security typically reduces functionality and ease of use; the system becomes less user-friendly and performance decreases. When developing an application or deploying security in a system, security experts must keep functionality and ease of use in mind. The three components of the triangle must be balanced.