Information Security Terminology: Key Terms Every Business Needs to Know
In today’s interconnected world, where digital threats are an ever-present danger, understanding information security terminology is essential for anyone involved in securing data, systems, or networks. As a business owner, IT professional, or simply someone concerned about digital security, having a solid grasp of key terms can help you navigate the complexities of information security and ensure that your data remains protected.
Information security, also known as InfoSec, is the practice of managing risk to the Confidentiality, Integrity and Availability of information through Administrative, Physical and Technical controls. It involves the processes and tools implemented to safeguard information from unauthorized access, alteration, disclosure or destruction, and so encompasses a variety of security tools, solutions, and processes designed to protect information across devices and locations. Together, these help businesses and individuals defend against cyber attacks and other forms of cyber incidents.
Common Information Security Terminology – General
CIA Triad of Information Security terminology:
Availability: Ensuring Access When Needed
Availability is about ensuring that information is accessible to authorized users whenever needed. This is critical for business continuity, as disruptions can lead to downtime and financial losses. Measures like data backups, disaster recovery plans, and network redundancy are key to maintaining availability while keeping systems secure.
Confidentiality: Keeping data secure and confidential
Information security terminology covers many aspects that contribute to the overall safety of your data. Keeping your data secure and confidential is imperative to security. One way to accomplish this is by providing access to files and information only where it is absolutely necessary. Examples: HR files accessible only to those in the HR department, finance information accessible only to the finance team, etc.
Another method of keeping files confidential, as well as secure, is through zero-trust architecture. This eliminates implicit trust throughout an organization with the principle of “never trust, always verify”.
Integrity: Precision and accuracy of data is maintained
What is data integrity and why is it important? Data integrity is the principle, and the set of procedures, that ensures an organization’s data is accurate, complete, consistent, and valid. Adhering to these procedures not only preserves the data’s integrity but also ensures that the information in the database is precise and correct.
Cyber attacks and Cyber crimes: The Threat Landscape
A cyber attack is any malicious action designed to disrupt, steal, or damage data, systems, or networks. Attacks like phishing, ransomware, and malware are common examples. Cyber crimes, however, refer specifically to illegal activities carried out using digital technologies, such as identity theft or fraud. Both cyber attacks and cyber crimes are growing threats, and understanding them is key to defending against them.
DAD Triad of Information Security terminology
Disclosure
Information Disclosure refers to the unintended or unauthorized release of sensitive or confidential information due to vulnerabilities, flaws, or poor security practices within a system or platform. This can involve the exposure of personal data, credentials, source code, system configurations, or any other internal details that should remain private.
Information disclosure can occur through various means, such as website leaks, breaches in access control, software bugs, or misconfigurations, potentially allowing attackers or unauthorized users to gain access to data that was intended to be protected.
The consequences can range from privacy violations and financial harm to reputational damage for individuals and organizations. Effective security measures and robust controls are essential to prevent such leaks and mitigate their impact.
Alteration
Alteration refers to the unauthorized modification or manipulation of data, which compromises its integrity and accuracy. This can involve changing, deleting, or adding to information in a way that deviates from its original form, rendering it unreliable or incorrect.
Alteration can occur through various means, such as unauthorized access to systems, attacks targeting data storage, or malicious actions within a network. The impact of alteration is significant, as it can lead to erroneous decisions, loss of trust, and potential security risks for organizations or individuals relying on the altered information.
Destruction
Destruction refers to the act of rendering data or systems inaccessible or permanently irretrievable. Frequently, this is done by either making them unavailable through denial-of-service attacks or by physically or digitally eliminating the data.
This can involve actions like deleting files, crashing systems, or using specific methods to permanently destroy data, ensuring that it cannot be recovered or accessed by unauthorized individuals.
Destruction is often used as a malicious tactic to disrupt operations or to prevent sensitive information from being accessed or misused. Proper data destruction is also a key security measure for organizations, ensuring compliance with privacy regulations and safeguarding against data breaches.
Risk and Risk Assessment
In terms of information security terminology, risk refers to the potential for harm resulting from vulnerabilities being exploited by threats. A risk assessment helps organizations identify these risks and determine their potential impact. By assessing both the level of threat and the vulnerability of a system, businesses can prioritize security efforts and resources more effectively.
Common Information Security Terminology – Technical
Access Control: Protecting Resources
Access control ensures that access to physical and digital resources is only granted to users who are authorized to access them. It’s the foundation of data protection, involving setting permissions based on roles and responsibilities within an organization. Different models like mandatory access control (MAC) and role-based access control (RBAC) provide varying levels of security, ensuring that only the correct individuals have access to potentially sensitive information.
Antivirus vs. Endpoint Detection & Response
Antivirus is a program or software designed to detect and destroy computer viruses. It traditionally relies on a massive list of known threat signatures that it compares against when monitoring devices, which makes it no longer effective against modern cyber threats.
Endpoint Detection & Response (EDR) expands on the antivirus approach to identifying threats by monitoring devices for any suspicious activity, even when it finds no match for a known threat.
Related:
XDR: Extended Detection & Response
Extended Detection & Response (XDR) goes a step beyond EDR and includes additional layers such as the network and cloud. It also usually includes a Security Information and Event Management (SIEM) system.
MDR: Managed Detection & Response
Managed Detection & Response (MDR) is the top level of these systems, leveraging Security Orchestration, Automation, and Response (SOAR) tooling and a Security Operations Center (SOC).
Authentication: Verifying Identity
Authentication is the process of confirming a user’s identity before granting access to a system. This can be done through methods such as username-password combinations; however, multi-factor authentication (MFA) adds an extra layer of security. MFA combines factors such as something the user knows (a password), something they have (a phone that receives a verification code) and something they are (biometric data such as a fingerprint).
There are 5 stages to AAA:
- Identification – Username
- Authentication – Password / Biometrics
- Authorization – Security permissions
- Auditing – Logging relevant actions that are taken
- Accounting – The act of holding subjects (e.g. users or programs) accountable for their actions
Authorization: Granting Permissions
After authentication, authorization determines what actions a user can perform. It assigns permissions to users based on their role within an organization. For example, an employee may be authorized to view certain files but not modify them. RBAC is a common method where access levels are based on job functions, ensuring minimal exposure to sensitive information.
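The five AAA stages listed above and the RBAC model described here, run through in one small flow. This is an added example, not code from the original article: the users, roles and permissions are constructed, the password hashes are plain SHA-256 for brevity only (real storage needs a salted, slow password hash), and the audit log is an in-memory list standing in for a real audit store.

```python
"""Added example (not from the original article): the five AAA stages in one
small flow: identification (username), authentication (password check),
authorization (role-based permissions), auditing (a log record per decision)
and accounting (every record names an individual, not a shared account).

The users, roles and permissions are constructed for this example. The
password hashes are plain SHA-256 for brevity only; real storage should use a
salted, slow password hash.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed user directory: username -> (SHA-256 hex of password, role).
USERS = {
    "hr_anna": (hashlib.sha256(b"anna-pass").hexdigest(), "hr"),
    "fin_bob": (hashlib.sha256(b"bob-pass").hexdigest(), "finance"),
}

# Role-based access control: each role gets only the permissions its job needs.
ROLE_PERMISSIONS = {
    "hr": {"hr_files:read", "hr_files:write"},
    "finance": {"finance_reports:read"},
}

AUDIT_LOG = []  # one record per access decision, kept in memory for the example


def authenticate(username, password):
    """Identification + authentication. Returns the user's role, or None."""
    entry = USERS.get(username)
    if entry is None:
        return None
    stored_hash, role = entry
    candidate = hashlib.sha256(password.encode()).hexdigest()
    # Constant-time comparison, so a wrong guess does not leak how close it was.
    return role if hmac.compare_digest(stored_hash, candidate) else None


def audit(username, permission, allowed, reason):
    """Auditing + accounting: the record always names the individual subject."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "permission": permission,
        "allowed": allowed,
        "reason": reason,
    })


def authorize(role, permission):
    """Authorization: True only if the role grants the permission."""
    return permission in ROLE_PERMISSIONS.get(role, set())


def access(username, password, permission):
    """Full flow; returns True only when every stage passes."""
    role = authenticate(username, password)
    if role is None:
        audit(username, permission, False, "authentication failed")
        return False
    allowed = authorize(role, permission)
    audit(username, permission, allowed, "role %s" % role)
    return allowed


if __name__ == "__main__":
    print(access("hr_anna", "anna-pass", "hr_files:read"))    # True
    print(access("fin_bob", "bob-pass", "hr_files:read"))     # False: wrong role
    print(access("hr_anna", "wrong-pass", "hr_files:read"))   # False: bad password
    for record in AUDIT_LOG:
        print(record)
```

Because every audit record carries the individual username, a failed or denied request can be traced to one person, which is exactly what a shared training account makes impossible.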
Botnet: A Network of Compromised Devices
A botnet consists of a network of infected computers controlled remotely by an attacker. These compromised systems are often used for malicious purposes like sending spam, launching DDoS (Distributed Denial of Service) attacks, or spreading malware. Botnets can cause significant disruptions, making them a serious threat to network security.
Brute Force and Dictionary Attacks: Cracking Passwords
Brute force and dictionary attacks are common techniques cybercriminals use to crack passwords. In a brute force attack, every possible combination of characters is tried until the correct one is found. A dictionary attack, on the other hand, uses a predefined list of common words or phrases to guess the password more efficiently. A third approach uses pre-calculated hashes, often referred to as a Rainbow Table: a password-cracking tool that uses a precomputed table of hashes and the passwords that produce them to look up the passwords stored in a database.
To prevent both, strong passwords and multi-factor authentication are essential. Here’s an industry best practice:
Hashing and Salting
Best practice is never to store or transmit passwords in plain text. Instead, we use a one-way mathematical function called hashing.
Hashing is a data security method that transforms data values into fixed-length identifiers known as hashes, enabling fast and secure verification. This technique enhances security by using a one-way process, which makes it infeasible to recover the original data from the hash, while any alteration of the input produces a different hash.
To add to the security of this function, a random set of characters (referred to as a salt) is added to the password before hashing, so that two users with the same password do not end up with the same hash and a precomputed table cannot be reused against your database.
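Salted hashing as described above, as an added example that is not code from the original article. It uses only the Python standard library (PBKDF2-HMAC-SHA256, a deliberately slow hash), stores the salt and iteration count alongside the hash so verification can recompute it, and shows beside it the unsalted hash a rainbow table targets. The storage format string is an assumption for this example.

```python
"""Added example: salted password hashing and verification with PBKDF2-HMAC-SHA256.

Not code from the original article; standard library only. The stored record
format "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" is an assumption.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor; raise it over time as hardware gets faster


def hash_password(password, salt=None):
    """Return a storable record containing the salt, iteration count and hash."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking, through timing, how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha256(password):
    """What a rainbow table targets: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    record_a = hash_password("correct horse battery")
    record_b = hash_password("correct horse battery")
    print("same password, different salted records:", record_a != record_b)
    print("verify good password:", verify_password("correct horse battery", record_a))
    print("verify bad password:", verify_password("wrong", record_a))
    print("unsalted hashes collide:",
          unsalted_sha256("correct horse battery") == unsalted_sha256("correct horse battery"))
```

Two users with the same password get different records because each has its own salt, so a table precomputed for one salt (or for no salt) is useless against the other; the high iteration count makes each guess in a brute force or dictionary attack correspondingly slower.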
Cookies: Small Files with Big Security Implications
While cookies are often associated with enhancing user experience on websites, they can also pose security risks. Cookies store information such as login credentials and browsing history, which, if not properly secured, can be exploited by attackers. Proper management and secure storage of cookies are crucial for maintaining privacy and security on the web.
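The “proper management and secure storage” of cookies above comes down, on the web side, to a few attributes on the Set-Cookie header: Secure (only sent over HTTPS), HttpOnly (not readable by page scripts) and SameSite (not sent on cross-site requests). The following added example, not code from the original article, audits a Set-Cookie header value for those attributes with the standard library’s cookie parser and builds a hardened session cookie next to it; the header values are constructed.

```python
"""Added example: audit Set-Cookie headers for the attributes that protect a
session cookie (Secure, HttpOnly, SameSite) and emit a hardened one.

Not code from the original article; standard library only. The cookie names
and values are constructed.
"""
from http.cookies import SimpleCookie


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header value; empty means OK."""
    findings = []
    cookie = SimpleCookie()
    cookie.load(header_value)
    for name, morsel in cookie.items():
        if not morsel["secure"]:
            findings.append("%s: missing Secure (may be sent over plain HTTP)" % name)
        if not morsel["httponly"]:
            findings.append("%s: missing HttpOnly (readable by page scripts)" % name)
        samesite = (morsel["samesite"] or "").lower()
        if samesite not in ("lax", "strict"):
            findings.append("%s: SameSite should be Lax or Strict (is %s)"
                            % (name, morsel["samesite"] or "unset"))
    return findings


def hardened_session_cookie(name, value, max_age=3600):
    """Build a Set-Cookie value with the protective attributes set."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True        # HTTPS only
    cookie[name]["httponly"] = True      # not exposed to document.cookie
    cookie[name]["samesite"] = "Strict"  # not sent on cross-site requests
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = max_age    # bounded lifetime rather than a permanent cookie
    return cookie[name].OutputString()


if __name__ == "__main__":
    weak = "sessionid=abc123; Path=/"   # constructed weak header
    print("weak header findings:")
    for finding in audit_set_cookie(weak):
        print("  -", finding)
    strong = hardened_session_cookie("sessionid", "abc123")
    print("hardened header:", strong)
    print("hardened header findings:", audit_set_cookie(strong))
```

Run against a weak header the audit reports all three missing attributes; run against the hardened header it reports nothing, which is the check a practitioner would run over the Set-Cookie headers an application actually emits.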
Denial of Service (DoS) Attacks
A Denial of Service (DoS) attack aims to disrupt access to a system by overwhelming it with traffic, making it unavailable to legitimate users. A Distributed Denial of Service (DDoS) attack is a more advanced form, where multiple systems are used to flood the target. These attacks can bring down websites or services, causing significant downtime and financial loss.
Encryption and Decryption: Protecting and Restoring Data
In its simplest form, encryption refers to storing information in a coded format so that only people who know the code can read it. More precisely, encryption is the process of converting data into an unreadable format to prevent unauthorized access. Only users with the correct decryption key can restore the data to its original form. This is crucial for protecting sensitive information in all states, including:
- At rest – While being stored on a server
- In transit – While being sent from one system to another
- In use – While being operated on in memory
Quantum-Resistant Algorithm
Please note that quantum computing is likely to render most current encryption standards insecure, and the National Institute of Standards & Technology (NIST) is in the process of defining new quantum-resistant algorithms.
Malware and Virus: Malicious Software
Malware is a general term for any software designed to cause harm to a system. Viruses, worms, trojans, and ransomware are all types of malware. Viruses replicate themselves and spread through systems, often causing damage or stealing information. Worms spread autonomously, while ransomware encrypts data and demands a ransom for its release.
Multi-Factor Authentication (MFA): Also known as Two-Factor Authentication (2FA) or 2-Step Verification (2SV)
MFA is a login security strategy where an account user is required to have a secondary method of verifying their identity in addition to a username and password. Not only do we recommend this as a simple way to improve security; it is now standard for insurers to require it in order to provide coverage.
- Most secure: Biometric (face, fingerprint, etc)
- Second most secure: Authenticator app (Duo, Authy, Google, etc)
- Least secure: Text or email – these are the most easily intercepted by cyber criminals.
Non-Repudiation: Unnecessarily complicated information security terminology
Non-repudiation means that a person, program or entity that performs an action cannot deny having done so. This comes up frequently in information security terminology. It comes down to being able to hold your business, yourself and members of your team accountable if anything bad happens.
For example: let’s say two or more people share an account, like a new employee training account. If one of those people unintentionally clicked a bad link that led to a cyber incident, how do you know who did it, and hold the right person accountable? That’s where non-repudiation comes in as a built-in principle of information security processes and procedures.
Penetration Test – Types of tests within Information Security Terminology
Sometimes referred to as an “external penetration test”, this is an exercise to determine whether an unauthorized person can access your network, computers, servers, cloud services, email, etc. “Unauthorized” means someone who does not have permission to access your files, email, etc.
The cyber security experts who mimic cyber attacks on an organization’s IT defenses are referred to as the “red team”. They assume the role of malicious attackers, utilizing tools and techniques typically employed by cybercriminals to penetrate the security of the IT system.
There are three types of Penetration Tests:
- Black Box – Red Team has no prior knowledge of the systems; usually the most expensive.
- Grey Box – Red Team has partial knowledge of the environment.
- White Box – Red Team is granted knowledge of the system and can help identify flaws and areas for improvement.
Note: The difference between a Vulnerability Assessment and a Penetration Test is that a vulnerability scan identifies a weakness, a penetration test attempts to exploit that weakness.
Phishing and Smishing: Deceptive Tactics
Phishing is a social engineering attack where cybercriminals trick users into providing sensitive information, such as login credentials or credit card numbers, by pretending to be legitimate entities. Smishing is a similar tactic, but it uses SMS text messages instead of emails. Both forms of attack exploit trust and can lead to severe consequences if not recognized in time.
Quishing: QR Code Phishing Scams
Quishing, or QR phishing, is a type of cyber crime that exploits the widespread use of QR codes to deceive individuals into revealing sensitive information or downloading malicious software. In a quishing attack, cyber criminals create counterfeit QR codes that, when scanned, lead to fraudulent websites or prompt harmful downloads. As QR codes are now commonly used for tasks like accessing menus, making payments, or accessing websites, users may unknowingly scan these deceptive codes. This puts their personal and financial data at risk.
The term “quishing” combines QR codes and phishing, indicating an attack where malicious actors use fake QR codes to direct users to spoofed sites, steal information, or install malware on devices. The goal is to steal personal and financial details by tricking users into interacting with seemingly harmless QR codes.
Ransomware
In its simplest form, ransomware is software installed by a hacker that encrypts your information so you can no longer read it. The hacker offers to let you decrypt your information if you pay them (i.e. pay the ransom).
However, it doesn’t end there. Because so many ransomware victims refuse to pay the ransom, hackers have “upped the ante” using extortion. Before encrypting your information, they copy it offsite and threaten to sell or publish your information or harass all of your clients/patients if you don’t pay.
Rootkit: Concealing Malicious Activity
A rootkit is a type of malware designed to hide its presence on a system. Once installed, it allows attackers to maintain privileged access to the system without detection. Rootkits are often used in conjunction with other types of malware to maintain long-term control over compromised systems.
Virtual Private Network (VPN): Secure Remote Access
A VPN provides a secure, encrypted connection between a user’s device and a network, making it particularly useful for remote workers. By encrypting internet traffic, a VPN prevents eavesdropping, man-in-the-middle attacks, and other forms of data interception. It’s an essential tool for organizations that want to protect sensitive data accessed outside of a secure office environment.
Vulnerability Assessment
Vulnerability assessments are a systematic review of security weaknesses. This and penetration tests often get confused. The key difference is that you can pass a penetration test but still have vulnerabilities. Vulnerabilities include anything from out-of-date software and hardware to lack of antivirus protection to inability of your staff to identify fraudulent emails.
Common Information Security Terminology – Administrative and Compliance
Disaster Recovery (DR) Plan
A formal document that contains detailed instructions on how to respond to major unplanned, disruptive events. It is similar to an IRP, but the DR plan goes a step further: what is the company’s plan for recovery after a major disaster occurs?
A good DR plan outlines the steps for an organization to take when potentially catastrophic events like the COVID-19 pandemic take place. For example:
- Pandemics
- Fire, flooding, ice storms, and other natural disasters
- Vandalism
- Theft
Incident Response Procedure or Incident Response Plan (IRP)
An IRP is a written document outlining the steps to take when a cyber incident event occurs. Insurance providers want to know if your business is prepared to deal with events such as unexpected email behaviour, stolen equipment, or a ransomware attack.
It’s important to note that IRPs must be tested on a regular basis. Effective testing will reveal any gaps that need to be addressed to improve the organization’s ability to respond. The normal method of testing an IRP is with a tabletop exercise – essentially a role play for executives and staff. Kind of like a fire drill for your information security.
IT Security Audit
Within information security terminology, this is also referred to as an IT Resilience Assessment: an assessment that reviews a business’s IT practices and how effective its security measures are.
IT and information security overlap, but they are distinctly different in how they decrease your cyber risk. IT’s main focus is to implement and maintain systems to ensure your business can be as productive as possible. Information security’s focus is to ensure the information stored in the systems implemented and maintained by IT is protected. Therefore, the two need to be effectively aligned to deliver IT resilience through technical controls.
Personally Identifiable Records/Information (PII): Important Information Security Terminology
According to the Canadian federal government, “personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).”
Cyber insurance note: A common question on insurance applications is some form of “How many PII records does your company store?” Higher numbers of PII records generally translate to higher risk for the underwriter. The intent of this question is generally not to determine how many individual pieces of information you have, like birthday, home address, etc., but for how many people you store such information. For example, if you are a non-residential construction company with 250 current employees, the total number of PII records would be 250 + any information you still have for past employees. On the other hand, if you are a medical clinic with 8,000 patients, the total number of records is 8,000 + current employees + past patients and past employees.
Regulatory and Industry Frameworks
For some industries like healthcare and financial services, strict legislation exists to dictate how information can be handled, stored, and transferred. However, what is often overlooked are the regulations and frameworks that apply to all businesses, regardless of industry. For example:
- PCI – Payment Card Industry compliance
- PIPEDA – Personal Information Protection and Electronic Documents Act
- CASL – Canada Anti-Spam Legislation
Information Security Terminology: Wrapping up
Understanding information security terminology is essential for anyone involved in protecting digital assets from cyber threats. From authentication and access control to botnets, ransomware, and VPNs, these terms are fundamental to building a robust information security strategy. As these threats continue to evolve, staying informed and continually educating yourself and your team about the latest security terminology and strategies is essential for safeguarding your digital assets.