What Is Information Security (InfoSec)?

Information Security (InfoSec) refers to the practice of protecting digital data, systems, and
networks from unauthorized access, misuse, disclosure, disruption, modification, or destruction.
It encompasses techniques, technologies, and strategies aimed at ensuring the confidentiality,
integrity, and availability (CIA triad) of valuable information and systems.

InfoSec covers various aspects, including physical security, technical measures, and
administrative controls to safeguard information assets from threats such as cyberattacks, data
breaches, and natural disasters.
What Are the Principles of Information Security?

The CIA triad is a widely recognized model that forms the foundation of information security.
These three principles are essential for ensuring the protection of sensitive data and the proper
functioning of information systems.
Confidentiality

This principle aims to protect sensitive information from unauthorized access and disclosure.
Confidentiality ensures that only authorized users can access the information, while others are
restricted. Techniques used to maintain confidentiality include encryption, password protection,
user authentication, access controls, and the implementation of strict privacy policies.

Integrity

The integrity principle ensures that information remains accurate, complete, and consistent
during its entire lifecycle. It prevents unauthorized users from modifying, tampering with, or
deleting data. Integrity also ensures that authorized users can only make modifications in an
approved manner. Measures for maintaining data integrity include checksums, digital signatures,
version control, and strict access controls.

Availability

This principle ensures that information and systems are accessible to authorized users when
needed. Availability is crucial for maintaining the functionality of information systems,
minimizing downtime, and ensuring that authorized users can access the data they require.
Strategies for maintaining availability include redundancy, backup systems, disaster recovery
planning, robust infrastructure, and network load balancing.
Together, the CIA triad forms a comprehensive framework that helps organizations develop
robust information security policies and procedures. It is essential for businesses to implement
measures that address each aspect of the triad to safeguard their data and maintain the trust of
stakeholders.
Information Security vs. Cybersecurity

Information security and cybersecurity are closely related fields that often overlap but have
distinct focuses and scopes.

InfoSec deals with the protection of information in various forms, including digital, physical,
and even verbal. It encompasses a wide range of measures, such as administrative, technical, and
physical controls, to safeguard data from unauthorized access, disclosure, disruption,
modification, or destruction. InfoSec addresses the security of data in storage, during processing,
and in transit.

Cybersecurity, on the other hand, specifically focuses on protecting digital information,

computer systems, networks, and electronic devices from cyber threats. This field is primarily
concerned with defending against malicious attacks, such as hacking, malware, ransomware, and
phishing, that originate from the internet or other digital channels. Cybersecurity covers various
aspects, including network security, application security, endpoint security, and incident
response.
While both information security and cybersecurity share common goals, such as maintaining the
confidentiality, integrity, and availability of information, their scopes differ. InfoSec has a
broader perspective that covers all forms of information, while cybersecurity is a more
specialized domain that concentrates on digital assets. In practice, cybersecurity can be
considered a subset of InfoSec that specifically addresses cyber threats and vulnerabilities.

10 Common Information Security Threats and Attacks

Information security threats and attacks are actions or events that can compromise the
confidentiality, integrity, or availability of data and systems. They can originate from various
sources, such as individuals, groups, or even natural events. Here are some common information
security threats and attacks:

1. Malware: Malicious software designed to infiltrate, damage, or disrupt systems.

Malware includes viruses, worms, Trojans, ransomware, and spyware. It can steal
sensitive information, cause system downtime, or provide unauthorized access to
attackers.
2. Phishing: A social engineering attack where attackers deceive users into revealing
sensitive information or executing malicious actions, typically through fraudulent emails
or messages that impersonate legitimate entities.
 3. Advanced persistent threats (APTs): Sophisticated, long-term cyberattacks, often state-
sponsored, that target specific organizations or governments to steal sensitive information
or cause disruption.
4. Zero-day exploits: Attacks that exploit previously unknown vulnerabilities in software
or hardware, giving developers no time to create patches or fixes.
5. Insider threats: These involve employees, contractors, or partners with legitimate access
to an organization's systems and data who misuse their privileges, either intentionally or
unintentionally, to cause harm or compromise security.
6. Password attacks: Attackers attempt to gain unauthorized access by cracking user
passwords through methods such as brute force, dictionary attacks, or keylogging.
7. Man-in-the-Middle (MitM) attacks: Attackers intercept communication between two
parties, eavesdropping on, manipulating, or injecting malicious data into the conversation
without the parties' knowledge.
8. Distributed Denial of Service (DDoS): A coordinated attack on a target system or
network by overwhelming it with a flood of traffic, rendering it inaccessible to legitimate
users.
9. Physical attacks: Unauthorized access, theft, or damage to physical assets, such as
computer systems, servers, or storage devices, which can lead to data loss or disruption of
operations.
10. Natural disasters: Events like floods, earthquakes, or fires that can cause physical
damage to infrastructure, leading to data loss or system downtime.
Types of Information Security

Here are common types of information security in modern organizations:

Network security

This type of security encompasses the protection of computer networks against unauthorized
access or misuse. Network security involves a range of technologies, such as firewalls, intrusion
detection/prevention systems, virtual private networks (VPNs), and secure protocols, to ensure
data confidentiality, integrity, and availability.
Application security

Application security involves securing software applications from cyber threats, such as
malware, SQL injection attacks, and cross-site scripting (XSS). Application security solutions
include secure coding practices, penetration testing, and vulnerability assessments.

Data security

Data security is the practice of protecting sensitive data from unauthorized access, use,
disclosure, or destruction. Data security involves a range of technologies, such as encryption,
access control, and backup and restore procedures, to ensure data confidentiality, integrity, and
availability.

Endpoint security

Endpoint security focuses on protecting endpoints, such as laptops, desktops, servers, and mobile
devices, from cyber threats. Traditional endpoint security technologies include antivirus and anti-
malware software and firewalls. Modern endpoint security includes advanced solutions like
endpoint detection and response (EDR) that can protect against zero-day threats.

Mobile security

Mobile security refers to the protection of mobile devices, applications, and data from
unauthorized access or exploitation. Mobile security solutions include mobile device
management (MDM) software, secure mobile application development, and secure
communication protocols.

Cloud security

Cloud security involves the protection of cloud-based data, applications, and infrastructure. It
covers a variety of security concerns, including data privacy, access control, threat management,
and compliance.
IoT security
IoT security involves securing the networks, devices, and data associated with the Internet of
Things (IoT). IoT security covers a range of security issues, including data privacy, access
control, device authentication, and network security.
What Is an Information Security Policy?

An information security policy is a formal, documented set of rules and guidelines that an
organization establishes to protect its information assets and ensure the confidentiality, integrity,
and availability of its data.

This policy serves as a framework for managing risk, defining acceptable behaviors, and setting
security expectations for employees, contractors, partners, and other stakeholders. It also helps
organizations comply with legal, regulatory, and industry requirements.

An effective information security policy typically includes the following components:

 Purpose: A clear statement outlining the policy's objectives and the organization's
commitment to information security.
 Scope: A description of the systems, data, and personnel covered by the policy, including
any third-party vendors or partners.
 Roles and responsibilities: A definition of the roles and responsibilities of various
stakeholders, such as management, IT staff, and employees, in implementing,
maintaining, and enforcing the policy.
 Asset management: Guidelines for identifying, classifying, and managing the
organization's information assets to ensure appropriate protection levels.
 Access control: Rules for granting and revoking access to systems and data, including
user authentication, authorization, and password management.
 Incident response: Procedures for detecting, reporting, and responding to security
incidents, including communication protocols and escalation paths.
 Physical security: Measures to protect the organization's facilities, equipment, and
information assets from unauthorized access, theft, or damage.
  Training and awareness: Requirements for regular employee training and awareness
programs to promote a culture of security and ensure that personnel understand their
responsibilities.
 Monitoring and auditing: Processes for monitoring compliance with the policy,
including regular audits, assessments, and reviews to identify gaps and areas for
improvement.
 Policy review and updates: A schedule for periodically reviewing and updating the
policy to ensure it remains relevant, effective, and aligned with the organization's
evolving needs and the changing threat landscape.
An information security policy is a critical component of an organization's overall security
strategy, as it provides a foundation for implementing technical measures, administrative
controls, and best practices to safeguard its information assets.
Notable Information Security Solutions and Technologies

It is not possible to list the thousands of security tools and technologies used by modern security
organizations. However, here are some of the most common tools that are typically present in a
mature security stack.

Firewalls

A firewall is a network security device that monitors incoming and outgoing traffic, acting as a
barrier between a trusted internal network and untrusted external networks. Firewalls use
predefined rules to allow or block traffic based on factors like IP addresses, ports, and protocols,
preventing unauthorized access and malicious traffic from entering the network.

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)

IDS is a security technology that monitors network traffic for signs of malicious activity or
policy violations. If detected, it generates alerts for security personnel to investigate. IPS, on the
other hand, is an active system that not only detects but also blocks or prevents malicious traffic
in real-time. Both IDS and IPS can be host-based (focusing on a single system) or network-based
(monitoring the entire network).
Security Incident and Event Management (SIEM)

SIEM solutions collect, aggregate, and analyze log data from various sources, such as firewalls,
IDS/IPS, servers, and applications. They help organizations detect, investigate, and respond to
security incidents by providing real-time monitoring, advanced analytics, and automated
response capabilities. SIEM solutions also enable compliance with regulatory requirements
through centralized reporting and auditing.

Vulnerability Management

Vulnerability Management is the process of identifying, evaluating, and addressing security

weaknesses in an organization's IT infrastructure, software, and applications. This process
involves continuous scanning, monitoring, and assessment of systems to detect possible
vulnerabilities.

Once vulnerabilities are identified, organizations prioritize and remediate them through patching,
configuration changes, or other security controls. The main goal of vulnerability management is
to reduce the likelihood and impact of successful cyberattacks by minimizing exploitable
vulnerabilities in the environment.

Attack Surface Management

Attack surface management is the practice of identifying, mapping, and reducing the potential
entry points (attack vectors) an adversary could use to compromise an organization's IT systems
and data. This involves understanding and securing all components of the IT environment,
including hardware, software, networks, cloud services, and third-party integrations.

By minimizing the attack surface, organizations can reduce the risk of cyberattacks, lower the
chances of successful breaches, and improve their overall security posture. Attack surface
management includes activities such as continuous monitoring, threat modeling, secure
configuration management, and proper access control implementation.
Cloud Security Posture Management (CSPM)

CSPM solutions help organizations maintain and improve their security posture in cloud
environments by continuously monitoring cloud infrastructure, identifying misconfigurations,
and providing recommendations for remediation. CSPM tools enable organizations to enforce
security policies, assess compliance, and mitigate risks associated with cloud adoption.

Threat Intelligence
Threat intelligence refers to the collection, analysis, and sharing of information about existing
and emerging threats, such as threat actors, tactics, techniques, and procedures (TTPs),
vulnerabilities, and indicators of compromise (IoCs). Threat intelligence solutions help
organizations proactively identify and mitigate risks, prioritize security efforts, and improve their
overall security posture.
What Is Information Security Risk Management?

Information Security Risk Management is the process of identifying, assessing, prioritizing, and
mitigating risks associated with an organization's information assets and IT infrastructure. The
goal of information security risk management is to protect the confidentiality, integrity, and
availability of information assets while minimizing the impact of security incidents on the
organization's operations, reputation, and legal obligations.

The process typically involves the following steps:

1. Identify assets: Create an inventory of information assets, such as hardware, software,

data, and network components, and determine their value to the organization.
2. Identify threats and vulnerabilities: Analyze the potential threats and vulnerabilities
that could compromise the security of the information assets. Threats can come from
various sources, such as hackers, malware, natural disasters, or human error.
Vulnerabilities refer to weaknesses in systems, processes, or policies that could be
exploited by threats.
 3. Assess risks: Evaluate the likelihood and potential impact of identified threats and
vulnerabilities on the information assets. This can be done using qualitative or
quantitative methods, such as risk matrices, scoring systems, or probabilistic models.
4. Prioritize risks: Rank the identified risks based on their potential impact and likelihood,
focusing on the most significant risks that require immediate attention and resources.
5. Develop mitigation strategies: Design and implement security controls, policies, and
procedures to mitigate the prioritized risks. These may include preventive measures (e.g.,
firewalls, encryption), detective measures (e.g., intrusion detection systems, log
monitoring), and corrective measures (e.g., incident response plans, backups).
6. Monitor and review: Continuously monitor the effectiveness of the implemented
security controls and review the risk management process to ensure that it remains
relevant and up-to-date. This involves staying informed about emerging threats and
vulnerabilities, as well as changes in the organization's assets, operations, and legal
requirements.
7. Report and communicate: Regularly report on the status of information security risks
and mitigation efforts to stakeholders, such as senior management, board members, and
auditors. Clear communication helps ensure that everyone in the organization
understands their roles and responsibilities in maintaining information security.
Information Security Best Practices

Develop an Incident Response Plan

An incident response plan prepares an organization to effectively manage and respond to security
incidents, minimizing the potential impact and ensuring a swift return to normal operations.

By establishing clear roles and responsibilities, outlining response procedures, and promoting
continuous improvement, an incident response plan helps organizations maintain a strong
security posture and protect their critical assets.

Adopt DevSecOps

DevSecOps, which stands for Development, Security, and Operations, integrates security
practices throughout the software development lifecycle. By incorporating security as an integral
part of the development process, DevSecOps aims to reduce vulnerabilities, ensure faster
response to security incidents, and promote a culture of shared responsibility for security across
the entire organization.

Create a Red Team and Blue Team

Red team-blue team exercises involve two groups working together to strengthen an
organization's security posture. The red team simulates real-world attacks, while the blue team
defends against these attacks, detects intrusions, and mitigates threats.

By engaging in these exercises, organizations can strengthen their security posture, improve
incident response capabilities, and foster a culture of shared responsibility for security.

Conduct Penetration Testing

Penetration testing involves simulating real-world cyberattacks on an organization's systems,

networks, or applications to identify vulnerabilities and evaluate their security defenses. By
conducting regular penetration tests, organizations can discover weaknesses in their security
controls, assess their resilience against attacks, and remediate issues before they are exploited.

Automate Vulnerability Management

Implementing automated vulnerability management tools, such as vulnerability scanners and

patch management systems, helps organizations regularly identify, assess, prioritize, and
remediate security vulnerabilities in their systems. This continuous process reduces the window
of opportunity for attackers to exploit known weaknesses and improves the organization's overall
security posture.

Implement Data Encryption

Data encryption protects sensitive data from unauthorized access and ensures the confidentiality
and integrity of that data, both in transit and at rest.

By implementing strong encryption measures, organizations can minimize the risk of data
breaches, build trust with stakeholders, and maintain a robust security posture.
Leverage Strong Authentication

Implementing strong authentication mechanisms, such as multi-factor authentication (MFA),

helps ensure that only authorized users can access sensitive data and systems. MFA combines
multiple methods of verification, such as something the user knows (password), something the
user has (security token or Smartphone), or something the user is (biometrics). This layered
approach significantly reduces the risk of unauthorized access due to compromised credentials.

Educate and Train Users

Human error is often a significant factor in information security breaches. Providing regular
security awareness training to employees, contractors, and partners helps build a security-
conscious culture and ensures that users understand their responsibilities in protecting the
organization's data. Topics covered in such training may include phishing awareness, safe
password practices, and how to report suspected security incidents.

Information Assurance:
Businesses that store and exchange critical data over information networks need to be mindful
of how vulnerable each individual machine can be. Whether you’re supporting existing
systems or designing and implementing new ones, your organization should aim to reduce the
exposure to and impact of cyber risk by working within the frameworks of compliance,
industry regulations, risk management and organizational policies, aka information assurance.

As network security issues become more prevalent, information assurance (IA) has grown to
be a nuanced and essential part of information security. However, implementing sound
information assurance management is difficult.

Adding to the challenge is a variety of confusing terms and misnomers. Even seasoned IT pros
can get confused between information assurance, cyber assurance, cybersecurity and
information security. Often, these terms are used interchangeably, leading to IA bad practices.

What is information assurance?

“Assurance” in security engineering is defined as the degree of confidence that the security
needs of a system are satisfied.

Information assurance (IA) is the practice of assuring information and managing risks related
to the use, processing, storage and transmission of information. Information assurance
includes protection of the integrity, availability, authenticity, non-repudiation and
confidentiality of user data.

Undetected loopholes in the network can lead to unauthorized access, editing, copying or
deleting of valuable information. This is where information assurance plays a key role.

Information assurance vs. cybersecurity

Information assurance predates the internet, and even though cybersecurity falls under the
umbrella of IA, both play different roles in network security.

Focus

IA focuses on risk management and comes up with guidelines for keeping information secure,
whether on physical (hard drives, PCs, laptops and tablets) or digital (cloud) systems.
Cybersecurity focuses on setting up resilient network architecture to secure digital assets from
unwarranted access.

Scope

IA is concerned with the business aspect of information. As a result, the scope is broader.
Cybersecurity deals in the nitty-gritty to protect everything. As a result, the scope is more
detailed.

Approach

IA is strategic, dealing with policy creation and deployment to keep information assets secure.
It understands how an organization engages with information, the value of the information and
how exposed that information happens to be. Cybersecurity is technical, dealing with security
controls and tools to defend against cyberattacks.
Resources protected

IA protects data and information systems and includes both physical and digital data.
Cybersecurity protects all digital investments, which include information, infrastructures,
networks and applications.

Information assurance vs. information security

The NIST defines information security as the process of protection of information and
information systems from unauthorized access, use, disclosure, disruption, modification or
destruction in order to provide confidentiality, integrity and availability.

The differences between information assurance and information security are more than just
semantics.

Let’s break it down:

Focus

Information assurance focuses on quality, reliability and restoration of information.

Information security focuses on deploying security solutions, encryption, policies and
procedures to secure information.

Approach

IA is not concerned with the specific technology or tools used to protect information. Rather, it
is centered around developing policies and standards. Information security directly deals with
tools and technologies used to protect information. It’s a hands-on approach that safeguards
data from cyberthreats.

Scope

IA stresses organizational risk management and overall information quality. As a result, IA has
a broad scope. Information security stresses risk control and agreement. As a result,
information security has a detailed scope.
What is the goal of information assurance?

The purpose of IA is to reduce information risks by ensuring the information on which the
business makes decisions is reliable. This purpose is achieved by following:

 Risk management: Businesses face legal fines and penalties if the information in the
network is compromised. IA enables risk assessment to identify vulnerabilities and the
potential impact on the business in terms of compliance, cost and operational continuity.
The goal is to mitigate potential threats.
 Encryption at rest and in transit: IA mandates end-to-end encryption to protect privacy
by ensuring no human or computer can read data at rest and in transit except the intended
parties. The goal is to help businesses stay compliant with regulatory requirements and
standards.
 Data integrity: Bad business decisions usually stem from bad data. IA focuses on
auditing data collection and tracking process, improving transparency in the
organizational process. The goal is to manage data in a way that a future audit can retrace
the process, leading to better decision-making.

Why do we need information assurance?

Adopting good IA best practices provides several benefits:

 Operational benefits:
 Resilient business processes
 Improved customer service
 Better information usage
 Improved responsiveness
 Tactical benefits:
 Easy compliance
 Better understanding of business opportunities
 Commitment from business partners and customers
 Strategic benefits:
 Better governance
  Cheaper equity
 More sales
 Lower costs
 Organizational benefits:
 Improved shareholder value
 Gain competitive advantage
 License to operate

How does information assurance work?

Information assurance is a strategic endeavor that extends beyond simply IT. The reality is that
the legal and reputational ramifications that ensue from a data breach affect the entire
organization. A proper security framework helps protect your organization and customers. IA
is a work in progress that includes:

 Strategy: Develop Governance, Risk and Compliance (GRC) readiness by evaluating

maturity as compared to your peers. Utilize key use cases to identify gaps and build
roadmaps. Rationalize and prioritize GRC initiatives by aligning the essential
requirements of your information and infrastructure with the organization’s objectives.
 Design: Design GRC programs and models to align with organizational policies.
Exposures and risks should be quantified and classified to evaluate defined metrics. Once
established, use these findings to define mitigation steps to manage risk and optimize
speed, accuracy and efficiency of resolution.
 Implementation: Implement processes, policies, controls and technology that monitor
operations against key metrics. Measure potential exposures in personnel, processes and
technology controls in the context of IT infrastructure interdependencies.
 Operations: Mitigate exposures through continuous enforcement of policies. Detect
violations and measure outcomes in comparison to your desired state. Use these learnings
to continuously improve processes to maximize synergies and optimize outcomes.
Who is responsible for information assurance?

Conventionally, IA is seen as an incoherent function that is solely exclusive to the IT

department. The reality is that the legal and reputational ramifications that ensue from a data
breach affect the entire organization. It is essential to create a security-centric culture from top
to bottom, with a focus on complying with information security regulations.

What are the five pillars of information assurance?

The CIA triad is considered the first model of information assurance introduced to define
effective practices of assuring information security and integrity. Here are the following five
pillars of IA that make information networks safe against all threats:

 Integrity (protection of information systems and assets)

 Availability (dependable access to information systems by authorized users)
 Authentication (the process of restricting access and confirming the identity of users)
 Confidentiality (restriction of access to authorized users only)
 Non-repudiation (forensic tracking to create a reliable “paper trail” of all actions)

Integrity

Information sent should always remain in its original state. Integrity means tampering or
modification by bad actors should not occur. Therefore, the primary goal of this pillar is to set
up safeguards to deter threats.

Availability

Easy data access helps users seamlessly access important information to perform critical tasks.
Availability means those who need access to information can do so. Therefore, the primary
goal of this pillar is to ensure systems always remain fully functional.

Authenticity

Verify the identity of a user (device) before allowing them to access data with methods like
two-factor authentication, password management, biometrics and other devices. Authenticity
means ensuring that those who have access to information are who they say they are. The
primary goal of this pillar is to prevent identity theft.

Confidentiality

Protect private information from getting exposed by any unauthorized users, systems or
networks. Confidentiality means data should be accessed only by those who have proper
authorization. Therefore, the primary goal of this pillar is to avoid IP theft or the compromise
of Personal Identifiable Information (PII) of customers.

Non-repudiation

It is important that the information system is able to provide proof of delivery to confirm that
the data was properly transmitted. Non-repudiation means someone with access to your
organization’s information system cannot deny having completed an action within the system,
as there should be methods in place to prove that they did make said action. The primary goal
of this pillar is to guarantee that the digital signature is that of the intended party, thereby
granting authorization to the protected information.

What are Cybersecurity Threats?

Cybersecurity threats are acts performed by individuals with harmful intent, whose goal is to
steal data, cause damage to or disrupt computing systems. Common categories of cyber threats
include malware, social engineering, man in the middle (MitM) attacks, denial of service (DoS),
and injection attack.
Cyber threats can originate from a variety of sources, from hostile nation states and terrorist
groups, to individual hackers, to trusted individuals like employees or contractors, who abuse
their privileges to perform malicious acts.
Types of Cybersecurity Threats
 Malware Attacks
Malware is an abbreviation of “malicious software”, which includes viruses, worms, trojans,
spyware, and ransomware, and is the most common type of cyberattack. Malware infiltrates a
system, usually via a link on an untrusted website or email or an unwanted software download. It
deploys on the target system, collects sensitive data, manipulates and blocks access to network
components, and may destroy data or shut down the system altogether.
Here are some of the main types of malware attacks:

 Viruses—a piece of code injects itself into an application. When the application runs, the
malicious code executes.
 Worms—malware that exploits software vulnerabilities and backdoors to gain access to an
operating system. Once installed in the network, the worm can carry out attacks such as
distributed denial of service (DDoS).
 Trojans—malicious code or software that poses as an innocent program, hiding in apps, games
or email attachments. An unsuspecting user downloads the trojan, allowing it to gain control of
their device.
 Ransomware—a user or organization is denied access to their own systems or data via
encryption. The attacker typically demands a ransom be paid in exchange for a decryption key to
restore access, but there is no guarantee that paying the ransom will actually restore full access or
functionality.
 Cryptojacking—attackers deploy software on a victim’s device, and begin using their
computing resources to generate cryptocurrency, without their knowledge. Affected systems can
become slow and cryptojacking kits can affect system stability.
 Spyware—a malicious actor gains access to an unsuspecting user’s data, including sensitive
information such as passwords and payment details. Spyware can affect desktop browsers,
mobile phones and desktop applications.
 Adware—a user’s browsing activity is tracked to determine behavior patterns and interests,
allowing advertisers to send the user targeted advertising. Adware is related to spyware but does
not involve installing software on the user’s device and is not necessarily used for malicious
purposes, but it can be used without the user’s consent and compromise their privacy.
 Fileless malware—no software is installed on the operating system. Native files like WMI and
PowerShell are edited to enable malicious functions. This stealthy form of attack is difficult to
detect (antivirus can’t identify it), because the compromised files are recognized as legitimate.
 Rootkits—software is injected into applications, firmware, operating system kernels or
hypervisors, providing remote administrative access to a computer. The attacker can start the
operating system within a compromised environment, gain complete control of the computer and
deliver additional malware.
Social Engineering Attacks
Social engineering involves tricking users into providing an entry point for malware. The victim
provides sensitive information or unwittingly installs malware on their device, because the
attacker poses as a legitimate actor.
Here are some of the main types of social engineering attacks:

 Baiting—the attacker lures a user into a social engineering trap, usually with a promise of
something attractive like a free gift card. The victim provides sensitive information such as
credentials to the attacker.
 Pretexting—similar to baiting, the attacker pressures the target into giving up information under
false pretenses. This typically involves impersonating someone with authority, for example an
IRS or police officer, whose position will compel the victim to comply.
 Phishing—the attacker sends emails pretending to come from a trusted source. Phishing often
involves sending fraudulent emails to as many users as possible, but can also be more targeted.
For example, “spear phishing” personalizes the email to target a specific user, while “whaling”
takes this a step further by targeting high-value individuals such as CEOs.
 Vishing (voice phishing)—the imposter uses the phone to trick the target into disclosing
sensitive data or grant access to the target system. Vishing typically targets older individuals but
can be employed against anyone.
 Smishing (SMS phishing)—the attacker uses text messages as the means of deceiving the
victim.
 Piggybacking—an authorized user provides physical access to another individual who
“piggybacks” off the user’s credentials. For example, an employee may grant access to someone
posing as a new employee who misplaced their credential card.
 Tailgating—an unauthorized individual follows an authorized user into a location, for example
by quickly slipping in through a protected door after the authorized user has opened it. This
technique is similar to piggybacking except that the person being tailgated is unaware that they
are being used by another individual.
Supply Chain Attacks
Supply chain attacks are a new type of threat to software developers and vendors. Its purpose is
to infect legitimate applications and distribute malware via source code, build processes or
software update mechanisms.
Attackers are looking for non-secure network protocols, server infrastructure, and coding
techniques, and use them to compromise build and update process, modify source code and hide
malicious content.
Supply chain attacks are especially severe because the applications being compromised
by attackers are signed and certified by trusted vendors. In a software supply chain attack, the
software vendor is not aware that its applications or updates are infected with malware.
Malicious code runs with the same trust and privileges as the compromised application.
Types of supply chain attacks include:

 Compromise of build tools or development pipelines

 Compromise of code signing procedures or developer accounts
 Malicious code sent as automated updates to hardware or firmware components
 Malicious code pre-installed on physical devices
Man-in-the-Middle Attack
A Man-in-the-Middle (MitM) attack involves intercepting the communication between two
endpoints, such as a user and an application. The attacker can eavesdrop on the communication,
steal sensitive data, and impersonate each party participating in the communication.
Examples of MitM attacks include:

 Wi-Fi eavesdropping—an attacker sets up a Wi-Fi connection, posing as a legitimate actor,

such as a business, that users may connect to. The fraudulent Wi-Fi allows the attacker to
monitor the activity of connected users and intercept data such as payment card details and login
credentials.
 Email hijacking—an attacker spoofs the email address of a legitimate organization, such as a
bank, and uses it to trick users into giving up sensitive information or transferring money to the
attacker. The user follows instructions they think come from the bank but are actually from the
attacker.
 DNS spoofing—a Domain Name Server (DNS) is spoofed, directing a user to a malicious
website posing as a legitimate site. The attacker may divert traffic from the legitimate site or
steal the user’s credentials.
 IP spoofing—an internet protocol (IP) address connects users to a specific website. An attacker
can spoof an IP address to pose as a website and deceive users into thinking they are interacting
with that website.
 HTTPS spoofing—HTTPS is generally considered the more secure version of HTTP, but can
also be used to trick the browser into thinking that a malicious website is safe. The attacker uses
“HTTPS” in the URL to conceal the malicious nature of the website.
Denial-of-Service Attack
A Denial-of-Service (DoS) attack overloads the target system with a large volume of traffic,
hindering the ability of the system to function normally. An attack involving multiple devices is
known as a distributed denial-of-service (DDoS) attack.
DoS attack techniques include:

 HTTP flood DDoS—the attacker uses HTTP requests that appear legitimate to overwhelm an
application or web server. This technique does not require high bandwidth or malformed packets,
and typically tries to force a target system to allocate as many resources as possible for each
request.
 SYN flood DDoS—initiating a Transmission Control Protocol (TCP) connection sequence
involves sending a SYN request that the host must respond to with a SYN-ACK that
acknowledges the request, and then the requester must respond with an ACK. Attackers can
exploit this sequence, tying up server resources, by sending SYN requests but not responding to
the SYN-ACKs from the host.
 UDP flood DDoS—a remote host is flooded with User Datagram Protocol (UDP) packets sent to
random ports. This technique forces the host to search for applications on the affected ports and
respond with “Destination Unreachable” packets, which uses up the host resources.
 ICMP flood—a barrage of ICMP Echo Request packets overwhelms the target, consuming both
inbound and outgoing bandwidth. The servers may try to respond to each request with an ICMP
Echo Reply packet, but cannot keep up with the rate of requests, so the system slows down.
 NTP amplification—Network Time Protocol (NTP) servers are accessible to the public and can
be exploited by an attacker to send large volumes of UDP traffic to a targeted server. This is
considered an amplification attack due to the query-to-response ratio of 1:20 to 1:200, which
allows an attacker to exploit open NTP servers to execute high-volume, high-bandwidth DDoS
attacks.
Injection Attacks
Injection attacks exploit a variety of vulnerabilities to directly insert malicious input into the
code of a web application. Successful attacks may expose sensitive information, execute a DoS
attack or compromise the entire system.
Here are some of the main vectors for injection attacks:

 SQL injection—an attacker enters an SQL query into an end user input channel, such as a web
form or comment field. A vulnerable application will send the attacker’s data to the database,
and will execute any SQL commands that have been injected into the query. Most web
applications use databases based on Structured Query Language (SQL), making them vulnerable
to SQL injection. A new variant on this attack is NoSQL attacks, targeted against databases that
do not use a relational data structure.
 Code injection—an attacker can inject code into an application if it is vulnerable. The web
server executes the malicious code as if it were part of the application.
 OS command injection—an attacker can exploit a command injection vulnerability to input
commands for the operating system to execute. This allows the attack to exfiltrate OS data or
take over the system.
 LDAP injection—an attacker inputs characters to alter Lightweight Directory Access Protocol
(LDAP) queries. A system is vulnerable if it uses unsanitized LDAP queries. These attacks are
very severe because LDAP servers may store user accounts and credentials for an entire
organization.
 XML eXternal Entities (XXE) Injection—an attack is carried out using specially-constructed
XML documents. This differs from other attack vectors because it exploits inherent
 vulnerabilities in legacy XML parsers rather than unvalidated user inputs. XML documents can
be used to traverse paths, execute code remotely and execute server-side request forgery (SSRF).
 Cross-Site Scripting (XSS)—an attacker inputs a string of text containing malicious JavaScript.
The target’s browser executes the code, enabling the attacker to redirect users to a malicious
website or steal session cookies to hijack a user’s session. An application is vulnerable to XSS if
it doesn’t sanitize user inputs to remove JavaScript code.

Types of cybersecurity threats

Cybersecurity Solutions
Cybersecurity solutions are tools organizations use to help defend against cybersecurity threats,
as well as accidental damage, physical disasters, and other threats. Here are the main types of
security solutions:

 Application security—used to test software application vulnerabilities during development and

testing, and protect applications running in production, from threats like network attacks,
exploits of software vulnerabilities, and web application attacks.
 Network security—monitors network traffic, identifies potentially malicious traffic, and enables
organizations to block, filter or mitigate threats.
 Cloud Security—implements security controls in public, private and hybrid cloud environments,
detecting and fixing false security configurations and vulnerabilities.
 Endpoint security—deployed on endpoint devices such as servers and employee workstations,
which can prevent threats like malware, unauthorized access, and exploitation of operating
system and browser vulnerabilities.
 Internet of Things (IoT) security—connected devices are often used to store sensitive data, but
are usually not protected by design. IoT security solutions help gain visibility and improve
security for IoT devices.
 Threat intelligence—combines multiple feeds containing data about attack signatures and threat
actors, providing additional context for security events. Threat intelligence data can help security
teams detect attacks, understand them, and design the most appropriate response.

What is Information Security Risk Management (ISRM)?

Information security risk management, or ISRM, is the process of managing risks associated
with the use of information technology. It involves identifying, assessing, and treating risks
to the confidentiality, integrity, and availability of an organization’s assets. The end goal of
this process is to treat risks in accordance with an organization’s overall risk tolerance.
Businesses shouldn’t expect to eliminate all risks; rather, they should seek to identify and
achieve an acceptable risk level for their organization.
Stages of ISRM
Risk Identification
 Identify assets: What data, systems, or other assets would be considered your
organization’s “crown jewels”? For example, which assets would have the most
significant impact on your organization if their confidentiality, integrity or availability
were compromised? It’s not hard to see why the confidentiality of data like social
security numbers and intellectual property is important. But what about integrity? For
example, if a business falls under Sarbanes-Oxley (SOX) regulatory requirements, a
minor integrity problem in financial reporting data could result in an enormous cost. Or,
if an organization is an online music streaming service and the availability of music files
is compromised, then they could lose subscribers.
 Identify vulnerabilities: What system-level or software vulnerabilities are putting the
confidentiality, integrity, and availability of the assets at risk? What weaknesses or
deficiencies in organizational processes could result in information being compromised?
 Identify threats: What are some of the potential causes of assets or information
becoming compromised? For example, is your organization’s data center located in a
region where environmental threats, like tornadoes and floods, are more prevalent? Are
industry peers being actively targeted and hacked by a known crime syndicate, hacktivist
group, or government-sponsored entity? Threat modeling is an important activity that
helps add context by tying risks to known threats and the different ways those threats can
cause risks to become realized via exploiting vulnerabilities.
 Identify controls: What do you already have in place to protect identified assets? A
control directly addresses an identified vulnerability or threat by either completely fixing
it (remediation) or lessening the likelihood and/or impact of a risk being realized
(mitigation). For example, if you’ve identified a risk of terminated users continuing to
 have access to a specific application, then a control could be a process that automatically
removes users from that application upon their termination. A compensating control is a
“safety net” control that indirectly addresses a risk. Continuing with the same example
above, a compensating control may be a quarterly access review process. During this
review, the application user list is cross-referenced with the company’s user directory and
termination lists to find users with unwarranted access and then reactively remove that
unauthorized access when it’s found.
Information Security Risk Assessments
This is the process of combining the information you’ve gathered about assets,
vulnerabilities, and controls to define a risk. There are many frameworks and approaches for
this, but you’ll probably use some variation of this equation:
Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value ) - security
controls
Note: this is a very simplified formula analogy. Calculating probabilistic risks is not nearly
this straightforward, much to everyone’s dismay.
Risk Management Strategy
Once a risk has been assessed and analyzed, an organization will need to select treatment
options:
 Remediation: Implementing a control that fully or nearly fully fixes the underlying risk.
Example: You have identified a vulnerability on a server where critical assets are stored,
and you apply a patch for that vulnerability.
 Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely.
Example: You have identified a vulnerability on a server where critical assets are stored,
but instead of patching the vulnerability, you implement a firewall rule that only allows
specific systems to communicate with the vulnerable service on the server.
 Transference: Transferring the risk to another entity so your organization can recover
from incurred costs of the risk being realized.
Example: You purchase insurance that will cover any losses that would be incurred if
vulnerable systems are exploited. (Note: this should be used to supplement risk
remediation and mitigation but not replace them altogether.)
  Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly
low and the time and effort it takes to fix the risk costs more than the costs that would be
incurred if the risk were to be realized.
Example: You have identified a vulnerability on a server but concluded that there is
nothing sensitive on that server; it cannot be used as an entry point to access other critical
assets, and a successful exploit of the vulnerability is very complex. As a result, you
decide you do not need to spend time and resources to fix the vulnerability.
 Risk avoidance: Removing all exposure to an identified risk
Example: You have identified servers with operating systems (OS) that are about to reach
end-of-life and will no longer receive security patches from the OS creator. These servers
process and store both sensitive and non-sensitive data. To avoid the risk of sensitive data
being compromised, you quickly migrate that sensitive data to newer, patchable servers.
The servers continue to run and process non-sensitive data while a plan is developed to
decommission them and migrate non-sensitive data to other servers.
Risk Communication Strategy
Regardless of how a risk is treated, the decision needs to be communicated within the
organization. Stakeholders need to understand the costs of treating or not treating a risk and
the rationale behind that decision. Responsibility and accountability needs to be clearly
defined and associated with individuals and teams in the organization to ensure the right
people are engaged at the right times in the process.
Rinse and Repeat
This is an ongoing process. If you chose a treatment plan that requires implementing a
control, that control needs to be continuously monitored. You’re likely inserting this control
into a system that is changing over time. Ports being opened, code being changed, and any
number of other factors could cause your control to break down in the months or years
following its initial implementation.
ISRM Process Ownership
There are many stakeholders in the ISRM process, and each of them have different
responsibilities. Defining the various roles in this process, and the responsibilities tied to
each role, is a critical step to ensuring this process goes smoothly.
Process Owners: At a high level, an organization might have a finance team or audit team
that owns their Enterprise Risk Management (ERM) program, while an Information Security
or Information Assurance team will own ISRM program, which feeds into ERM . Members of
this ISRM team need to be in the field, continually driving the process forward.
Risk Owners: Individual risks should be owned by the members of an organization who end
up using their budget to pay for fixing the problem. In other words, risk owners are
accountable for ensuring risks are treated accordingly. If you approve the budget, you own
the risk.
In addition to risk owners, there will also be other types of stakeholders who are either
impacted by, or involved in implementing, the selected treatment plan, such as system
administrators/engineers, system users, etc.
Here’s an example: Your information security team (process owner) is driving the ISRM
process forward. A risk to the availability of your company’s customer relationship
management (CRM) system is identified, and together with your head of IT (the CRM
system owner) and the individual in IT who manages this system on a day-to-day basis
(CRM system admin), your process owners gather the information necessary to assess the
risk.
Assuming your CRM software is in place to enable the sales department at your company,
and the data in your CRM software becoming unavailable would ultimately impact sales,
then your sales department head (i.e. chief sales officer) is likely going to be the risk owner.
The risk owner is responsible for deciding on implementing the different treatment plans
offered by the information security team, system administrators, system owners, etc. and
accepting any remaining risk; however, your system owner and system admin will likely be
involved once again when it comes time to implement the treatment plan. System users—the
salespeople who use the CRM software on a daily basis—are also stakeholders in this
process, as they may be impacted by any given treatment plan.
Cybersecurity risk management is an ongoing task, and its success will come down to how
well risks are assessed, plans are communicated, and roles are upheld. Identifying the critical
people, processes, and technology to help address the steps above will create a solid
foundation for a risk management strategy and program in your organization, which can be
developed further over time.