Safeguarding the Digital Realm: Exploring the Core Tenets of Cyber Security
Understanding Cyber Security
Cyber security specialists today employ strategies that exercise due care toward three major necessities in information assurance: confidentiality, integrity, and availability, also called the CIA triad. That focus doesn’t change; no matter how technology evolves, the triad stands as the foundation of what we protect. Physical, operational, and technical security controls can all counter the threats to each element of the CIA triad. All are equally important, and you need an understanding of what confidentiality, integrity, and availability mean in relation to information security.
To realize our goals as security professionals, we should take note of the overarching theme of “risk management” throughout the cybersecurity community and the accurate implication that there will always be a risk. It can never be completely removed; we can only manage it to reduce it to acceptable levels. There are many ways to do so, and each control that we learn about will be an example of a risk strategy, such as risk avoidance, risk deterrence, and risk mitigation.
Importance of Information Assurance
It’s more important than ever that organizations protect the information they hold, whether it be proprietary documents, financial records/accounts, or employee and customer private information. We’ve seen an enormous rise in the number of attacks on company security infrastructures that have successfully exploited poor security practices, and in other cases, the company’s poor practices resulted in a breach with no intervention by an external entity. An ongoing report by the Identity Theft Resource Center gives a detailed explanation of every known and reported data breach occurring in the calendar year 2018. It describes 668 known breaches exposing 22,408,258 records. [1] This is an insane count and only a portion of the actual breaches that affect more than personal information across all industries.
Data breaches are one exploit that threat agents use to surpass controls protecting confidentiality. These controls can be compromised by social engineering in a weak physical security environment or through the use of technology to take advantage of poor network configurations. Confidentiality is what keeps unauthorized individuals from accessing information. Authentication is a vital aspect of maintaining confidentiality: it verifies the identity of authorized individuals before granting access to the information requested.
In A+ Guide to IT Technical Support, the authors explain how Windows computers do this (as well as most other systems you will use). By requiring sign-in with a secure password when first signing on and when the computer goes to sleep, they ensure the authorized user is on the system and given access to the files and information stored on that profile. A good practice is to lock your workstation when leaving it, which enables this feature manually, and to make sure you have a secure password that isn’t easy to guess or to attack via brute force. [2]
Password authentication is one of the most basic forms of access control that provides confidentiality, while other security implementations, such as encryption, may prove more effective in a wider range of environments. New standards for encryption have been developed over the past several years and are currently as secure as they have ever been. Old encryption standards have either been cracked, or their keys are easily accessible to malicious people. The impact on a business and the thousands of customers it serves is potentially severe without proper protection of confidentiality, thus calling for diligent conservation of information assurance in the realm of confidentiality by senior leaders responsible for its protection.
“Integrity first,” the first core value of the United States Air Force, means that, above all, we do the right thing even when no one is looking. But how do we know if what we are seeing is the “right thing” and hasn’t been tampered with? In a cyber world, this is especially valuable, yet there are so many avenues of communication in technology that it can seem daunting to figure out what is accurate and who really said or created it. The implementation of hashing is one way people have used technology to ensure that data has not been changed.
Hashing takes the data and, through the hashing function, returns a fixed-length string of characters; it is extremely rare for any other set of data to result in the same string. Encryption does not ensure integrity. People can change data without ever finding out what it is, such as cutting a competitor’s bid request value by half on an online auction without knowing what their bid was. [3] What that tells security professionals is that it is important to have multiple layers of security that envelop every aspect. This layered approach is widely accepted in government and industry worldwide.
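As an added example (not from the original essay or its sources), the Python sketch below shows the point about encryption and integrity: a ciphertext altered in transit still decrypts without complaint, while a keyed hash (HMAC-SHA256) computed over the ciphertext exposes the change. The XOR keystream is a constructed stand-in for a real cipher, and the keys, the `BID=8000` message and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 over a counter); no nonce, for illustration only."""
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream: confidentiality only."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a 32-byte HMAC-SHA256 tag."""
    ct = xor_crypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any modification."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: message was modified")
    return xor_crypt(enc_key, ct)

def flip_low_bit(data: bytes, index: int) -> bytes:
    """Simulate a one-bit change in transit by a party that holds no key."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]

def demo() -> dict:
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    bid = b"BID=8000"  # constructed sample message
    # Encryption alone: the altered ciphertext decrypts to a different bid.
    ct = xor_crypt(enc_key, bid)
    silent = xor_crypt(enc_key, flip_low_bit(ct, 4))
    # Encrypt-then-MAC: the same alteration is rejected before decryption.
    blob = seal(enc_key, mac_key, bid)
    try:
        open_sealed(enc_key, mac_key, flip_low_bit(blob, 4))
        detected = False
    except ValueError:
        detected = True
    return {"silent": silent, "detected": detected,
            "intact": open_sealed(enc_key, mac_key, blob)}

if __name__ == "__main__":
    print(demo())
```

A plain, unkeyed hash sent alongside the message would not be enough here, because whoever alters the message can recompute it; the HMAC depends on a key the modifying party does not hold.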
We need to be sure that the information we are protecting is not changed. It is just as significant as protecting it from unauthorized exposure. Technology has made the world of business, healthcare, and finance fly like the wind in terms of speed. This is great! Experts are contributing to this growth daily, and we are becoming better at everything. The only problem is the “bad guys” are getting better every day, just like the rest of us, sometimes much quicker. It may seem like the integrity of information is the least probable threat vector, but with the amount of malicious intent behind the 668 public attacks in 2018, including those that are unknown or ongoing, it has been determined to be a popular exploit.
After all, consider common email scams, phony IRS claims, and originating authors who could be debunked with proper measures to protect integrity and non-repudiation. Phishing, whaling, and other intra-corporation email ploys are easily recognized as such with proper personnel training in security awareness. However, in more sophisticated attempts, the use of hashing algorithms can alert recipients to emails changed in transmission, depending on the type of attack.
I laud today’s innovators and developers who continuously grow the capability of people through the use of technology and other tools. It’s exciting to see the explosive growth of the cyber industry, and in turn, cyber security is growing just as fast in parallel. We know it’s important to protect information. We’ve seen the consequences of poor security practices. However, when we place so many controls on our infrastructure, we can reduce the availability of our resources. Sometimes, it is not our controls but everything that is out of our control that degrades availability. Natural disasters, sole dependence on external entities, and certain attacks have all proven their terror throughout history.
One common-sense practice is to routinely back up systems to reliable hardware to mitigate risk and/or to use cloud-based backups to transfer risk to the cloud provider. This way, information would be recoverable in case of emergency or loss. DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks both directly target the availability of one’s network or system resources. In one case occurring in 2016, Hollywood Presbyterian Medical Center had its database compromised, and the attackers encrypted the entirety of their information and demanded a ransom in Bitcoin for anonymity (approx. $17,000).
This severely slowed duty performance down. There was no access to customer records other than paper in unused files. They had to go back to old-school pen-and-paper bookkeeping. Some patients in intensive care situations had to be moved, and others were inconvenienced by the hospital’s inability to verify and supply medications or information over the phone or email. Ultimately, within a couple of weeks, they paid the ransom. [4] Imagine the effects this lack of availability had on them to cause them to just pay the price. We should strive to prevent these situations as security professionals by looking at every square inch of our security posture. We must calculate risk and reduce it to an acceptable level.
There are innumerable attacks employed by individuals that threaten these core tenets of security, and a deep understanding of them and how to defend against these attacks will prove valuable in securing the information we use every day. As we can see, it is not only important to keep one aspect of security in mind, but all three work together and cover the empty spaces left by the others. Defense-in-depth is the strategy that holds to this standard by layering security controls and ensuring the inclusion of each of the triad’s members and all other considerations relative to risk management and security awareness. Threats come from inside and out, and we must be prepared and properly trained to handle incidents from any source.
1. Identity Theft Resource Center, and Cyber Scout. “The ITRC Data Breach Report.” Idtheftcenter.org, Identity Theft Resource Center, 30 June 2018, www.idtheftcenter.org/wp-content/uploads/2018/07/DataBreachReport_2018.pdf.
2. Andrews, Jean, et al. CompTIA A+ Guide to IT Technical Support. Cengage Learning, 2017.
3. Jung, E. J. “Hash Functions.” Www.cs.usfca.edu, University of San Francisco, Department of Computer Science, www.cs.usfca.edu/~ejung/courses/686/lectures/05hash.pdf.
4. “Ransomware Case Studies: Hollywood Presbyterian and The Ottawa Hospital.” InfoSec Resources, InfoSec Institute, resources.infosecinstitute.com/category/healthcare-information-security/healthcare-attack-statistics-and-case-studies/ransomware-case-studies-hollywood-presbyterian-and-the-ottawa-hospital/#gref.