In this article, Manish Kumar explains what infosec is, why the field is important, and how you can become an infosec professional.
Information Security is a serious topic that needs to be included in the curriculum of every classroom that uses a computer.
It is important for teachers, administrators, and technology coordinators to be fluent in this topic in order to protect the integrity of school records, student information, and the institution's credibility.
But it is EQUALLY important that students understand the basics of information security in order to protect themselves, their work, and the school environment.
So, now that we all want to include information security as a topic in our classroom, how do we implement these ideas?
What is Information Security?
Information security, often shortened to infosec, is the set of practices, policies and principles used to protect digital data and other kinds of information.
Infosec responsibilities include establishing a set of business processes that will protect information assets, regardless of how that information is formatted or whether it is in transit, being processed, or at rest in storage.
Generally, an organization applies information security to guard digital information as part of an overall cybersecurity program.
Infosec's three primary principles, called the CIA triad, are confidentiality, integrity and availability.
In short, infosec is how you make sure your employees can get the data they need while keeping anyone else from accessing it.
It is also closely tied to risk management and legal regulations.
The Principles of Information Security
The overall goal of infosec is to let the good guys in, while keeping the bad guys out.
The three primary tenets that support this are confidentiality, integrity and availability.
Together they are called the CIA triad, or the three pillars or principles of information security.
Confidentiality is the principle that information should only be available to those with the proper authorization to that data.
Integrity is the principle that information is consistent, accurate, and trustworthy.
Availability is the principle that information is easily accessible to those with proper authorization and remains so in case of failure, so that interruptions to users are minimized.
These three principles do not exist in isolation, but they inform and affect one another.
Therefore, any infosec system will involve a balance of these factors.
As an extreme example, information that exists only as a written sheet of paper stored in a vault is confidential but not easily available.
Information carved into stone and displayed in the lobby has a lot of integrity but is neither confidential nor available.
What are the Threats?
When information travels from a sender to a receiver, it is exposed to the following threats:
-Unauthorized disclosure of information (a threat to confidentiality)
-Unauthorized modification of data
-Unauthorized use of a service
-Denial of service
The Elements of Information Security
Confidentiality is the term used for preventing the disclosure of information to unauthorized individuals or systems.
Data should be kept secret.
The owner of the data decides who may access it and who may not. Example: password theft in online money transaction systems.
Prevention: encrypt the data and limit the places where it might appear.
Integrity means that data cannot be modified undetectably.
Unauthorized persons should not be able to modify the data without the owner's permission.
Beyond modification, they should also be unable to remove the data or add false data.
Prevention: message authentication and integrity codes (MAC/MIC), and message digests such as MD5 or SHA-1 hashes.
Availability is the ability of the infrastructure to function according to business expectations during its specified time of operation. Nobody should be able to disturb the system and make it unusable.
Prevention: backup systems.
Authentication means the computer system must be able to verify the identity of a user.
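The threats and elements above can be made concrete with a small simulation of a record travelling from a sender to a receiver. This is an added example, not code from the original article: it shows why a bare message digest only detects accidental corruption, while a keyed message authentication code (HMAC) also detects deliberate, unauthorized modification in transit, and at the same time authenticates that the message came from someone holding the shared key. The record, the shared key and the tampering step are constructed for the example. SHA-256 is used instead of the MD5 and SHA-1 mentioned in the text because the collision resistance of those two functions is broken and they should not be used for new integrity checks.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not real data): a student grade in transit.
RECORD = b"student_id=1042;course=CS101;grade=B"


def digest_only(message: bytes) -> str:
    """Unkeyed SHA-256 digest. Anyone who can change the message can also
    recompute this, so it only catches accidental corruption."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """Keyed HMAC-SHA256 tag. Recomputing it requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def receiver_accepts_digest(message: bytes, check: str) -> bool:
    return digest_only(message) == check


def tamper(message: bytes) -> bytes:
    """Simulated unauthorized modification in transit (constructed)."""
    return message.replace(b"grade=B", b"grade=A")


def detect_accidental_corruption(message: bytes = RECORD) -> bool:
    """A single flipped bit (e.g. a storage or network fault) is caught by
    a plain digest, which is the job a digest is good for."""
    check = digest_only(message)
    corrupted = bytes([message[0] ^ 0x01]) + message[1:]
    return not receiver_accepts_digest(corrupted, check)


def simulate_tampering(key: bytes) -> tuple:
    """Return (digest_scheme_detected, mac_scheme_detected) for an active
    adversary who rewrites the record while it is in transit."""
    # Sender attaches a check value under each scheme.
    sent_digest = (RECORD, digest_only(RECORD))
    sent_mac = (RECORD, mac_tag(key, RECORD))

    modified = tamper(RECORD)
    # Unkeyed digest: the adversary simply recomputes it for the new content.
    forged_digest = (modified, digest_only(modified))
    # Keyed MAC: without the key, the best the adversary can do is reuse the old tag.
    forged_mac = (modified, sent_mac[1])

    digest_detected = not receiver_accepts_digest(*forged_digest)
    mac_detected = not verify_mac(key, *forged_mac)
    return (digest_detected, mac_detected)


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # constructed shared secret
    print("accidental corruption caught by digest:", detect_accidental_corruption())
    print("(digest detects tampering, MAC detects tampering):", simulate_tampering(shared_key))
```

Running the block prints `True` for the corruption check and `(False, True)` for the tampering simulation: the digest alone is bypassed, the MAC is not. The confidentiality element is the one piece this example does not cover, since the Python standard library ships no authenticated encryption; in practice the record would also be encrypted before transit so that disclosure, not only modification, is prevented.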
Security mechanisms to protect the Network
-install an up-to-date antivirus program,
-make regular backups of critical data,
-use a strong firewall,
-keep your systems patched,
-use strong passwords,
-install and configure a file encryption program,
-place your network server in a very secure location, and allow only authorized users to enter the server room.
Information security certifications
A number of certifications are available to IT professionals who already focus, or would like to focus, on infosec and cybersecurity more broadly, including the following:
This certification covers core cybersecurity knowledge and is used to qualify for entry-level IT and infosec roles.
Certified Information Systems Auditor (CISA).
ISACA, a nonprofit and independent association that advocates for professionals involved in information security, assurance, risk management and governance, offers this certification.
The exam certifies the knowledge and skills of security professionals.
To qualify for this certification, candidates must have five years of professional work experience related to information systems auditing, control or security.
Certified Information Security Manager (CISM).
CISM is an advanced certification offered by ISACA that validates individuals who have demonstrated the in-depth knowledge and experience required to develop and manage enterprise information security programs.
ISACA aims this certification at information security managers, aspiring managers or IT consultants who support information security program management.
GIAC Security Essentials (GSEC).
Created and administered by the Global Information Assurance Certification (GIAC) organization, this certification is aimed at security professionals who want to demonstrate that they are qualified for hands-on roles in security tasks related to IT systems.
The exam requires candidates to demonstrate an understanding of information security beyond simple terminology and concepts.
Certified Information Systems Security Professional (CISSP).
CISSP is an advanced certification offered by (ISC)², an international nonprofit cybersecurity certification body.
For experienced cybersecurity professionals, the exam covers the ability to design and implement an infosec program.
Thank you for your time (Manish Kumar).