The term information security is used to describe the practices, methodologies, and technologies that are used to protect information physically (e.g., locked doors, security guards, etc.) and in cyberspace (e.g., firewalls, anti-viruses, etc.). In order to accomplish this, we determine information confidentiality (e.g., who can access the information), information integrity (e.g., is the information from a reliable source) and information availability (e.g., would the information be available in time to people who are authorized to use/see it).
According to Gartner, by 2015 the spending on information security around the globe would reach $76.9 billion. To put this number into perspective, this amount of money is close to what the US Federal government spends on technology in one year. By looking at this, in the near future, more money would be spent on securing personal and organizational information than actually creating information systems. But despite the importance of information security and its effects on individuals and organizations, very few people understand the kinds of threats that are out there. Security threats are always evolving and in the digital century, geography is not a limitation. Individual and organizational information can be potentially compromised from a local intruder to someone sitting on the other side of the globe. Thus, before you can mitigate information security risks, understand what is out there. Here is a non-exhaustive list of how information security can be compromised:
- Adware – Pay to remove advertisements.
- Bacteria – Overwhelms computer resources by making copies.
- Botnets – A network of compromised systems.
- Bots – Derived from robots and refers to automated processes.
- Buffer Overflow – A program goes beyond the boundary of the buffer.
- Clone Phishing – Legitimate email resent with malicious link/attachment.
- DDoS – Multiple systems attack a single target.
- DNS Attacks – Determine types of devices in the network.
- Easter Eggs – Hidden code in the software to show control.
- Emerging Technologies –Security is not considered in new technologies.
- Evil-Twin Wi-Fi – Impersonates an access point (e.g., router).
- Exploits – Vulnerabilities in scripts, servers, browsers, routers, computer networks, devices, software, and hardware.
- Hardware Attacks – Exploits system bus, a peripheral bus, chips, power/timing, interrupts and RAM.
- Human Error – Unintentional legitimate errors caused by people.
- ICMP Scanning – Identify open ports (e.g., port 81).
- Keylogger – Track keystrokes when logging on to legitimate sites.
- Link Manipulation – The destination link is different than what is displayed.
- Logic Bombs – Performs some action when certain conditions are met.
- Malware – Malicious code.
- Masquerading – Pretends to be authorized access.
- Metamorphic – Code that modifies itself.
- Network QoS – Service interruptions and performance issues.
- Old technology – Outdated technology that is too costly to replace.
- Pharming – Redirecting web traffic to a fake site and more sophisticated.
- Phishing – Emails/instant messages asking to click a link/attachment, sign up for some kind of service and/or take you to a site that looks legitimate.
- Phone Phishing – Call to ask for information.
- Polymorphic – The same underlying code used for multiple purposes.
- Rogue Wi-Fi – Compromised wireless access points (e.g., routers).
- Script Kiddies – Amateur use of scripts developed by professionals.
- Social Engineering – Psychologically manipulating people.
- Spear Phishing – Directed toward specific individuals or organizations.
- Spyware – Typically free software that collects information about you.
- SQL Injection – SQL code is entered into the input fields of a database.
- Trapdoors – Secrets in the code that allow access to the system.
- Trojan Horses – Impersonates another software, prompts to install software and prompts to go to a certain site.
- Viruses – Adds code to an uninfected copy of the host program in the network and then replicates itself.
- VoIP Attacks – Software and hardware exploit in Internet telephony.
- VPN – Only as secure as the most unsecure system in both ends of the network.
- Weather – Mother Nature and lack of disaster recovery.
- Whaling – Attacks directed at high profile individuals and organizations.
- Worms – Copies itself across the network, runs by itself and does not need a host.
- Zero-Day Exploits – Vulnerabilities in software unknown to anyone.
Now that we understand the potential risks that are out there, let’s look at what motivates people to do this. While there are many theories in what drives human motivation, for our purposes we look at the following two frameworks used by the top clandestine organization in the world. These frameworks are:
- MICE looks at human motivation in terms of Money (e.g., cash, stocks, insider information, etc.), Ideology (e.g., religion, patriotism), Coercion or Compromise (e.g., blackmail) and Ego or Excitement.
- RASCLS looks at human motivation in terms of Reciprocation (e.g., feel obligation to repay), Authority (e.g., prestige), Scarcity (e.g., supply vs. demand), Commitment and Consistency (e.g., trustworthy flip-flopper vs. untrustworthy but consistent), Liking (e.g., share same attributes) and Social Proof (e.g., correct behavior).
In order to understand the complexities of information security and motivations behind it, let’s ask the following questions:
|Who is responsible for information security?||Who should be responsible for information security?|
|What happens when information is compromised?||What should happen when information is compromised?|
|Where is information security a priority?||Where should information security be a priority?|
|When is information security thoroughly reviewed?||When should information security be thoroughly reviewed?|
|Why information security was compromised in the first place?||Why information security would continue to be compromised in the future?|
When you are asking the above questions across all levels of the organization, keep in mind that information security is not something that you just “bolt-on” at the end but in fact, it should be a top priority at every juncture of your organizations. Thus, information security spans across people, processes and technologies and simply paying lip service do not help anyone in the long run.
While there are many laws, regulations, and guidelines to safeguard information but they do not mean much if you cannot apply them across and within your ecosystem of vendors, partners, suppliers and any external entities. In short, information security is a collective effort that requires organizations to be self-aware from the lowest ranks to the highest executives.