What is Information Security (InfoSec)?

Information security (sometimes referred to as InfoSec) covers the

tools and processes that organizations use to protect information.
This includes policy settings that prevent unauthorized people from
accessing business or personal information. InfoSec is a growing and
evolving field that covers a wide range of fields, from network and
infrastructure security to testing and auditing.

Information security protects sensitive information from

unauthorized activities, including inspection, modification,
recording, and any disruption or destruction. The goal is to ensure
the safety and privacy of critical data such as customer account
details, financial data or intellectual property.

The consequences of security incidents include theft of private

information, data tampering, and data deletion. Attacks can disrupt
work processes and damage a company’s reputation, and also have
a tangible cost.

Organizations must allocate funds for security and ensure that they
are ready to detect, respond to, and proactively prevent, attacks
such as phishing, malware, viruses, malicious insiders,
and ransomware.

Whitepaper: Meeting Data Security Challenges in the Age of Digital

Transformation.

What are the 3 Principles of Information

Security?
The basic tenets of information security are confidentiality, integrity
and availability. Every element of the information security program
must be designed to implement one or more of these principles.
Together they are called the CIA Triad.

Confidentiality
Confidentiality measures are designed to prevent unauthorized
disclosure of information. The purpose of the confidentiality principle
is to keep personal information private and to ensure that it is
visible and accessible only to those individuals who own it or need it
to perform their organizational functions.

Integrity

Consistency includes protection against unauthorized changes

(additions, deletions, alterations, etc.) to data. The principle of
integrity ensures that data is accurate and reliable and is not
modified incorrectly, whether accidentally or maliciously.

Availability

Availability is the protection of a system’s ability to make software

systems and data fully available when a user needs it (or at a
specified time). The purpose of availability is to make the
technology infrastructure, the applications and the data available
when they are needed for an organizational process or for an
organization’s customers.

Blog: 7 Ways Good Data Security Practices Drive Data Governance.

The CIA Triad defines three key principles of data security

Information Security vs Cybersecurity

Information security differs from cybersecurity in both scope and
purpose. The two terms are often used interchangeably, but more
accurately, cybersecurity is a subcategory of information security.
Information security is a broad field that covers many areas such as
physical security, endpoint security, data encryption, and network
security. It is also closely related to information assurance, which
protects information from threats such as natural disasters and
server failures.

Cybersecurity primarily addresses technology-related threats, with

practices and tools that can prevent or mitigate them. Another
related category is data security, which focuses on protecting an
organization’s data from accidental or malicious exposure to
unauthorized parties.

Information Security Policy

An Information Security Policy (ISP) is a set of rules that guide
individuals when using IT assets. Companies can create information
security policies to ensure that employees and other users follow
security protocols and procedures. Security policies are intended to
ensure that only authorized users can access sensitive systems and
information.

Creating an effective security policy and taking steps to ensure

compliance is an important step towards preventing and mitigating
security threats. To make your policy truly effective, update it
frequently based on company changes, new threats, conclusions
drawn from previous breaches, and changes to security systems and
tools.

Make your information security strategy practical and reasonable.

To meet the needs and urgency of different departments within the
organization, it is necessary to deploy a system of exceptions, with
an approval process, enabling departments or individuals to deviate
from the rules in specific circumstances.

Top Information Security Threats

There are hundreds of categories of information security threats and
millions of known threat vectors. Below we cover some of the key
threats that are a priority for security teams at modern enterprises.
Unsecure or Poorly Secured Systems

The speed and technological development often leads to

compromises in security measures. In other cases, systems are
developed without security in mind, and remain in operation at an
organization as legacy systems. Organizations must identify these
poorly secured systems, and mitigate the threats/">threat by
securing or patching them, decommissioning them, or isolating
them.

Social Media Attacks

Many people have social media accounts, where they often

unintentionally share a lot of information about
themselves. Attackers can launch attacks directly via social media,
for example by spreading malware via social media messages, or
indirectly, by using information obtained from these sites to analyze
user and organizational vulnerabilities, and use them to design an
attack.

Social Engineering

Social engineering involves attackers sending emails and messages

that trick users into performing actions that may compromise their
security or divulge private information. Attackers manipulate users
using psychological triggers like curiosity, urgency or fear.

Because the source of a social engineering message appears to be

trusted, people are more likely to comply, for example by clicking a
link that installs malware on their device, or by providing personal
information, credentials, or financial details.

Organizations can mitigate social engineering by making users

aware of its dangers and training them to identify and avoid
suspected social engineering messages. In addition, technological
systems can be used to block social engineering at its source, or
prevent users from performing dangerous actions such as clicking
on unknown links or downloading unknown attachments.
Malware on Endpoints

Organizational users work with a large variety of endpoint devices,

including desktop computers, laptops, tablets, and mobile phones,
many of which are privately owned and not under the organization’s
control, and all of which connect regularly to the Internet.

A primary threat on all these endpoints is malware, which can be

transmitted by a variety of means, can result in compromise of the
endpoint itself, and can also lead to privilege escalation to other
organizational systems.

Traditional antivirus software is insufficient to block all modern

forms of malware, and more advanced approaches are developing
to securing endpoints, such as endpoint detection and response
(EDR).

Lack of Encryption

Encryption processes encode data so that it can only be decoded by

users with secret keys. It is very effective in preventing data loss or
corruption in case of equipment loss or theft, or in case
organizational systems are compromised by attackers.

Unfortunately, this measure is often overlooked due to its

complexity and lack of legal obligations associated with proper
implementation. Organizations are increasingly adopting encryption,
by purchasing storage devices or using cloud services that support
encryption, or using dedicated security tools.

Security Misconfiguration

Modern organizations use a huge number of technological platforms

and tools, in particular web applications, databases, and Software as
a Service (SaaS) applications, or Infrastructure as a Service (IaaS)
from providers like Amazon Web Services.
Enterprise grade platforms and cloud services have security
features, but these must be configured by the organization. Security
misconfiguration due to negligence or human error can result in a
security breach. Another problem is “configuration drift”, where
correct security configuration can quickly become out of date and
make a system vulnerable, unbeknownst to IT or security staff.

Organizations can mitigate security misconfiguration using

technological platforms that continuously monitor systems, identify
configuration gaps, and alert or even automatically remediate
configuration issues that make systems vulnerable.

Active vs Passive Attacks

Information security is intended to protect organizations against
malicious attacks. There are two primary types of attacks: active
and passive. Active attacks are considered more difficult to prevent,
and the focus is on detecting, mitigating and recovering from them.
Passive attacks are easier to prevent with strong security measures.

Active Attack

An active attack involves intercepting a communication or message

and altering it for malicious effect. There are three common variants
of an active attacks:

 Interruption—the attacker interrupts the original

communication and creates new, malicious messages,
pretending to be one of the communicating parties.
 Modification—the attacker uses existing communications,
and either replays them to fool one of the communicating
parties, or modifies them to gain an advantage.
 Fabrication—creates fake, or synthetic, communications,
typically with the aim of achieving denial of service (DoS). This
prevents users from accessing systems or performing normal
operations.

Passive Attack
In a passive attack, an attacker monitors, monitors a system and
illicitly copies information without altering it. They then use this
information to disrupt networks or compromise target systems.

The attackers do not make any change to the communication or the

target systems. This makes it more difficult to detect. However,
encryption can help prevent passive attacks because it obfuscates
the data, making it more difficult for attackers to make use of it.

Active Attacks Passive Attacks

Modify messages, communications Do not make any change to data

or data or systems

Poses a threat to the availability Poses a threat to the

and integrity of sensitive data confidentiality of sensitive data.

May result in damage to Does not directly cause damage

organizational systems. to organizational systems.

Victims typically know about the Victims typically do not know

attack about the attack.

Main security focus is on detection Main security focus is on

and mitigation. prevention.
Information Security and Data Protection
Laws
Information security is in constant interaction with the laws and
regulations of the places where an organization does business. Data
protection regulations around the world focus on enhancing the
privacy of personal data, and place restrictions on the way
organizations can collect, store, and make use of customer data.

Data privacy focuses on personally identifiable information (PII), and

is primarily concerned with how the data is stored and used. PII
includes any data that can be linked directly to the user, such as
name, ID number, date of birth, physical address, or phone number.
It may also include artifacts like social media posts, profile pictures
and IP addresses.

Data Protection Laws in the European Union (EU): the GDPR

The most known privacy law in the EU is the General Data Protection
Regulation (GDPR). This regulation covers the collection, use,
storage, security and transmission of data related to EU residents.

The GDPR applies to any organization doing business with EU

citizens, regardless of whether the company itself is based inside or
outside the European Union. Violation of the guidelines may result in
fines of up to 4% of global sales or 20 million Euro.

The main goals of the GDPR are:

 Setting the privacy of personal data as a basic human right

 Implementing privacy criteria requirements
 Standardization of how privacy rules are applied

GDPR includes protection of the following data types:

 Personal information such as name, ID number, date of birth,

or address
  Web data such as IP address, cookies, location, etc.
 Health information including diagnosis and prognosis
 Biometric data including voice data, DNA, and fingerprints
 Private communications
 Photos and videos
 Cultural, social or economic data

Data Protection Laws in the USA

Despite the introduction of some regulations, there are currently no

federal laws governing data privacy in general in the United States.
However, some regulations protect certain types or use of data.
These include:

 Federal Trade Commission Act—prohibits organizations

from deceiving consumers with regard to privacy policies,
failure to adequately protect customer privacy, and misleading
advertising.
 Children’s Online Privacy Protection Act—regulates the
collection of data related to minors.
 Health Insurance Portability and Accounting Act (HIPAA)
—regulates the storage, privacy and use of health information.
 Gramm Leach Bliley Act (GLBA)—regulates personal
information collected and stored by financial institutions and
banks.
 Fair Credit Reporting Act—regulates the collection, use, and
accessibility of credit records and information.

Additionally, the Federal Trade Commission (FTC) is responsible for

protecting users from fraudulent or unfair transactions such as data
security and privacy. The FTC can enact regulations, enforce laws,
punish violations, and investigate organizational fraud or suspected
violations.

In addition to federal guidelines, 25 US states have enacted various

laws to regulate data. The most famous example is the California
Consumer Privacy Act (CCPA). The law went into effect in January
2020 and provides protection to California residents, including the
right to access private information, request deletion of private
information, and opt out of data collection or resale.
There also other regional regulations such as:

 Australian Prudential Regulatory Authority (APRA) CPS 234

 Canada Personal Information Protection and Electronic
Documents Act (PIPEDA)
 Singapore Personal Data Protection Act (PDPA)

Information Security with Imperva

Imperva helps organizations of all sizes implement information
security programs and protect sensitive data and assets.

Imperva Application Security

Imperva provides multi-layered protection to make sure websites

and applications are available, easily accessible and safe. The
Imperva application security solution includes:

 DDoS Protection—maintain uptime in all situations. Prevent

any type of DDoS attack, of any size, from preventing access to
your website and network infrastructure.
 CDN—enhance website performance and reduce bandwidth
costs with a CDN designed for developers. Cache static
resources at the edge while accelerating APIs and dynamic
websites.
 WAF—cloud-based solution permits legitimate traffic and
prevents bad traffic, safeguarding applications at the edge.
Gateway WAF keeps applications and APIs inside your network
safe.
 Bot management—analyzes your bot traffic to pinpoint
anomalies, identifies bad bot behavior and validates it via
challenge mechanisms that do not impact user traffic.
 API security—protects APIs by ensuring only desired traffic
can access your API endpoint, as well as detecting and
blocking exploits of vulnerabilities.
 Account takeover protection—uses an intent-based
detection process to identify and defends against attempts to
take over users’ accounts for malicious purposes.
  RASP—keep your applications safe from within against known
and zero-day attacks. Fast and accurate protection with no
signature or learning mode.
 Attack analytics—mitigate and respond to real security
threats efficiently and accurately with actionable intelligence
across all your layers of defense.

Imperva Data Protection

Imperva’s data security solution protects your data wherever it lives

—on premises, in the cloud and in hybrid environments. It also
provides security and IT teams with full visibility into how the data is
being accessed, used, and moved around the organization.

Our comprehensive approach relies on multiple layers of protection,

including:

 Database firewall—blocks SQL injection and other threats,

while evaluating for known vulnerabilities.
 User rights management—monitors data access and
activities of privileged users to identify excessive,
inappropriate, and unused privileges.
 Data masking and encryption—obfuscates sensitive data so
it would be useless to the bad actor, even if somehow
extracted.
 Data loss prevention (DLP)—inspects data in motion, at rest
on servers, in cloud storage, or on endpoint devices.
 User behavior analytics—establishes baselines of data
access behavior, uses machine learning to detect and alert on
abnormal and potentially risky activity.
 Data discovery and classification—reveals the location,
volume, and context of data on premises and in the cloud.
 Database activity monitoring—monitors relational
databases, data warehouses, big data and mainframes to
generate real-time alerts on policy violations.
 Alert prioritization—Imperva uses AI and machine learning
technology to look across the stream of security events and
prioritize the ones that matter most.