InfoSec is the fashionable short form of Information Security. It describes a range of subjects around defending data and information, mostly but not only in a professional corporate environment. It is related to the term Datability, which I introduced earlier.
The requirements around information security are usually defined by laws and an organisation's internal policies, which are in turn controlled and enforced by internal or external auditing parties. Affected data could be information about clients, financial transactions and eavesdropped communication, to name only a few.
Information security is related to other security risk subjects such as cyber security and cyber warfare (and the countermeasures against them), mobile security, network security and of course internet security.
Threats and Considerations
There are many threats out there, ranging from passive vulnerabilities you might have overlooked to active ones, for example when exploits are tactically analysed and systems are breached because of these gaps in the data security design.
Within corporate IT, and especially network departments, a few defense systems need to be deployed, and some operational procedures need to be designed and adhered to, in order to prevent unauthorized access to data. You require an access control system for your network that only lets whitelisted and accepted assets onto the network. You can do so based on the MAC address of a system, or by allowing only certain approved manufacturers and products within the network, although that approach is technically more difficult to enforce and leaves a risk when outsiders are aware of the approved products.
Of course you also require security at the software and application level, such as deploying a good antivirus and ensuring secure coding and development of systems following best practices. On non-user-facing systems you could even consider running operating systems that allow for more security than consumer systems.
You require a firewall solution that prevents access from outside the network and in some cases also the other way around. Similar to the access control for devices, a firewall lets you whitelist certain data traffic where business applications require it and generally block everything unknown, including unplanned access attempts.
The number of cyber attacks and even the presence of “cyber armies” in the world are increasing, along with the amount of data to tamper with and the possible weak points to leverage for access into your systems. To counter that you require an intrusion detection system and additionally an intrusion prevention system to cope with the risk of potential attacks. You might also deploy penetration testers: educated and possibly certified ethical hackers who are hired to find vulnerabilities in order to mitigate them.
In the days of BYOD you have employees handling data and possibly sensitive information on their smartphones. From a usability and productivity aspect this is unavoidable, but since those devices might be prone to breach or allow data to enter automated cloud data storage systems, this creates a point of risk for information security that cannot be overlooked. You need to roll out a mobile security gateway for your employees that ensures no business-related data can be abused or get lost along the way. The functional scope of such a solution depends on your organisation’s size and the sensitivity of the data users are handling. All of this also applies to tablets, other smart devices and laptops used for professional purposes.
All these defense and security systems are useful but require permanent buy-in and dedicated staff to run them and keep them up to date and compliant with the latest policies, making sure they are not behind on patching exploits.
From my personal experience and risk assessment I would say that the prevention of information security issues is no trend but a generally increasing concern and something you need to account for when planning to upscale your business. Failure to mitigate these risks can and will break not only your credibility but your entire business. You don’t need an army of network security specialists for a 3-person start-up, but you need to scale your information security team(s) along with the size of the infrastructure you utilize to do business.
The Tao of Network Security Monitoring: Beyond Intrusion Detection (Richard Bejtlich)
Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis (Mark Talabis)
IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data (Lance Hayden)
Aruba Networks / HP
Photo credit: Kevin Jackson / Tim Reckmann