Information Security and Cybersecurity

Overview

Information Security is defined by SANS as:

the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

U.S. Code Title 44, Chapter 35, Subchapter III, Section 3542 also defines information security.

(1) The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(C) availability, which means ensuring timely and reliable access to and use of information.

 Cybersecurity is defined in ITU-T X.1205 as:

the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Availability, Integrity (which may include authenticity and non-repudiation), and Confidentiality

Digital Authentication

A significant part of information security integrity and confidentiality is ensuring that only authorized persons are able to view and modify the information. Authentication is one part of this. NIST’s Digitial Authentication Guideline, SP 800-63, provides guidance on digital authentication to federal agencies.

The latest revision, SP 800-63-3 has been split into a suite of documents organized as follows:

SP 800-63-3 Digital Authentication Guideline – Provides an overview of general authentication frameworks, for using authenticators, credentials, and assertions together in an information system, and possible methods of selecting discrete assurance levels. This document is informative.

SP 800-63A Enrollment and Identity Proofing – Provides guidelines on processes by which an individual is enrolled in an identity system and identity proofed. This document contains both normative and informative material.

SP 800-63B Authentication and Lifecycle Management – Provides guidelines on the selection, use, and management of authenticators (formerly called tokens) to authenticate a remote subscriber to an identity system at specified authenticator assurance levels. This document contains both normative and informative material.

SP 800-63C Federation and Assertions – Provides guidelines on the use of federated identity and assertions to convey the results of authentication processes to a relying party. This document contains both normative and informative material.

Internet of Things (IoT)

Internet of Things (IoT) ecosystems expose a large attack surface. Configuring tens or hundreds of connected devices can be time consuming and expensive. Doing the same for 30 billion devices will require a more efficient approach.

The Industrial Internet Consortium has released the Industrial Internet Security Framework Technical Report which is the result of the collective cybersecurity wisdom of members from over 25 different organizations.

The European Union Agency for Network and Information Security has released a study on “Cyber security and resilience for Smart Hospitals” (11/24/2016). They identify mitigation techniques and good practices when IoT components are used within a healthcare organization.