Information Security: Why should you care?

Do you share your ATM pin code? Do your neighbors have copies of your house keys?

Probably not… so why would you trust them with your clients’ information?

Title 44 of the U.S. Code defines information security as:

“The term 'information security' means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to provide:

  1. integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
  2. confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
  3. availability, which means ensuring timely and reliable access to and use of information.”

In essence, Information Security (IS) is the protection of personal and proprietary data from being accessed or modified by unauthorized parties, while keeping it available to those authorized to use it.

Below are some of the most common attacks.

Eavesdropping - much network communication is still sent in unsecured (cleartext) form, meaning the data is not encrypted. Anyone positioned on the path can monitor and read it without being noticed. An example is someone watching your password go by as you log into your account.

Modification - attackers modify the data being sent without the knowledge of the sender or receiver. Imagine creating an account for a website and having the e-mail address change without your knowledge or consent.

Identity Spoofing - networks, even secure ones, often rely on the IP address of a computer as a means of identification. An attacker can forge a source IP address, making the data they send appear to come from somewhere else. If the forged address is one the network trusts, the attacker gets the same access to your data as the legitimate host.

Application-Layer Attacks - even a secure infrastructure can be brought down by a vulnerability in the software. These flaws can exist in your custom applications, applications you purchased, or even the operating system. There are multiple types of attacks, including:

  1. Redirects and Forwards - a building block of phishing, in which an attacker manipulates a URL on a trusted site so that it redirects the visitor to a location they did not intend.
  2. Components with Known Security Flaws - third-party components often have published vulnerabilities. Not keeping them up to date puts your system at risk.
  3. Cross-Site Request Forgery (CSRF) - a malicious website causes your browser to perform actions on another website you are already logged into, riding on your existing session.
  4. Cross-Site Scripting (XSS) - an attack that abuses a dynamically generated web page to run attacker-supplied script in an unsuspecting user’s browser.
  5. SQL Injection (SQLi) - a technique in which a malicious user reaches the database by smuggling SQL statements in through user-supplied input.
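To make the last item concrete, here is an added example (not from the original post) that builds a constructed in-memory SQLite table and compares a login check written by concatenating user input into the query with the same check written using parameterized placeholders; the table, user names and passwords are all made up for the demonstration.

```python
import sqlite3

# Constructed sample database: one user row, plaintext password only to keep
# the example short (real systems store salted password hashes, never plaintext).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL statement itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row is not None

def login_parameterized(conn, username, password):
    """Placeholders: the driver passes the values separately from the statement,
    so input can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None

def demo():
    """Run both versions with valid, invalid and injected input."""
    conn = make_db()
    # The textbook tautology that turns the WHERE clause into "... OR '1'='1'".
    payload = "' OR '1'='1"
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_bad_creds": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, "alice", payload),   # True: bypass
        "safe_good_creds": login_parameterized(conn, "alice", "correct-horse"),
        "safe_bad_creds": login_parameterized(conn, "alice", "wrong"),
        "safe_injected": login_parameterized(conn, "alice", payload),  # False
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function accepts the injected password because the concatenated query no longer requires the password to match; the parameterized function treats the same text as an ordinary (wrong) password.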

The attacks listed above barely scratch the surface of the security world. To help protect the web, communities like the Open Web Application Security Project (OWASP) exist. They educate users on the latest security issues and the risks associated with them. By keeping up to date on security, or hiring a specialist, you minimize the risk of your data ending up in someone else's hands.

If you won’t tell your friend your SSN, don’t let them see your clients’ either.