To start, what is information assurance? In short, information assurance is the protection of information and how it is processed, used, transferred, and stored. There are 5 principles of information assurance:
Most organizations these days deal with sensitive information of some kind. This includes everything from your company’s bank account number, to your customers’ email addresses and credit card numbers, to any Controlled Unclassified Information (CUI) you come across while completing contract work for the U.S. government.
If this sensitive data falls into the hands of a hacker, the consequences can be devastating. On average, organizations that are hacked lose $1.1 million to damages and repairs. The data breach can also harm your public reputation, and you may even become embroiled in a data privacy lawsuit.
Information assurance is a crucial part of making sure your business protects its finances, runs its operations smoothly, and preserves the trust of your customers and partners. Learn about the 5 principles of information assurance and incorporate them into your business model today.
What to Protect with Information Assurance
As mentioned earlier, information assurance describes the set of processes used by an organization to keep its data and information systems safe from criminals. But what exactly does that encompass?
Typically, a company’s information assurance infrastructure includes secure methods for creating, transporting, and storing sensitive information. These security measures should be designed to detect and react to threats. Proactive monitoring and mitigation can help address threats before they ever reach your business.
When we talk about information assurance, we usually think about digital assets, since most organizations store their valuable information in a computing network. However, information assurance actually encompasses both digital and physical information channels.
Even if you do not store your sensitive information in file cabinets, the physical components of your business’ information processing need to be considered when establishing security measures. For example, where are your data centers located? How many remote endpoint devices are accessing your network?
Getting Started with Information Assurance
The first step to implementing a robust information assurance system is to review your information network. All of the locations in which your business data is generated, processed, saved, or transmitted should be documented. This gives you a clear map of how sensitive information flows through your business.
Each information asset and channel should then be evaluated in terms of its value to your organization. In addition, you should consider how much damage could potentially result if an asset or channel’s information fell into the wrong hands.
Once you identify which parts of your information system need the most protection, you can deploy the resources necessary to safeguard each of those components.
Why Prioritize Some Assets and Channels?
You may be wondering why you can’t simply safeguard every information asset and channel equally well, making it difficult to hack any of it. Most organizations have an enormous amount of assets and channels, but a finite amount of resources. Securing your information requires financial resources, personnel, and computing power.
Not only that, but the more secure a system is, the more challenging it can become for that system to actually remain functional. For example, a sealed car without any doors or windows would be incredibly secure, but not at all practical for you to use.
The same principle is true for the sensitive data your organization processes and stores. While you want to keep your data away from potential hackers, you still need to be able to access that information. You may need to be able to transmit it to employees or third-party contractors as well. It should be carefully safeguarded, but also remain accessible to those who need it with reasonable ease and speed.
For each component of your information system, you should evaluate its benefits to your business alongside its security risks. One way to think about an asset’s risk factor is in terms of the likelihood multiplied by the impact. What are the odds of this information component being breached? And what would the consequences be for your business operations, staff, and customers if it were compromised?
Knowing the answers to these questions and following the 5 principles of information assurance can help you create a successful system of risk management and prioritization.
The 5 Principles of Information Assurance
Learn more about the principles of information assurance below! Please feel free to share our infographic on social media, or copy and paste the code below to embed it on your website:
<img src="http://bit.ly/infoassuranceprinciples"> <p>The 5 Principles of Information Assurance - An infographic by the team at <a href="https://sdi.ai/">Sentient Digital, Inc.</a></p>
These 5 principles of information assurance will help guide you as you evaluate each component or asset that handles sensitive information in your organization.
Availability refers to how users are given access to sensitive information within your enterprise’s infrastructure.
Privileged information should not be readily available, as that can make it all too easy for hackers to obtain. But if the data is too difficult to access, then employees might not be able to perform critical job functions in a timely manner, costing your company lost time and revenue.
Availability also takes into consideration if and how sensitive information will be accessed, even if the information systems fail partially or fully. For instance, if a database failover occurs, ideally employees would still be able to access the information most critical to their business operations.
To ensure the continued availability of sensitive information only to a select few, security professionals will generally put measures such as firewalls and load balancers into place.
Integrity, as a principle of information assurance, means that your sensitive data is not tampered with in any way.
Antivirus software, penetration tests, and other security measures are often employed to ensure that your data’s integrity is not compromised by hackers. If malicious code or malware did manage to infect the data, your sensitive information could potentially be altered or deleted. Ideally, your company would use proactive cybersecurity measures to keep intruders from ever accessing your data in the first place.
Integrity also relates to user controls designed to prevent any meddling with sensitive data. Privileged users need to understand how to properly send information from one location to another without accidentally altering the data—or situating the data in such a way that it is easier for hackers to access.
Some organizations use hash signatures when transmitting sensitive data from one location to another. This allows them to confirm that the data has not been compromised while in transit.
Perhaps the most important principle of information assurance is confidentiality. Only users who need to access sensitive information should ever be able to view, store, alter (in approved ways), or transmit this data.
Confidentiality is preserved not only through access controls, but also data encryption methods. When data encryption is utilized, users without access to the information will just see nonsensical text. Only users with an encryption key, or a password of some kind, will be able to view the information as written.
Authentication means that there need to be controls in place to ensure that users are who they claim to be. Users must provide evidence of their identity before accessing any confidential information.
Authentication methods can be relatively common and easy to utilize, such as passwords, scannable cards, or multifactor authentication. They can also be more complex, such as biometrics tools capable of scanning your eyes or fingerprints.
Nonrepudiation is a word often used in legal contexts, but it can be applied to information assurance procedures, too. Nonrepudiation means that when information is transferred, there needs to be proof that the action was successfully completed on both the sender’s end and the receiver’s end.
This principle helps to ensure that users are who they say they are and that the data has not been altered during its transmission. Nonrepudiation is commonly tracked through file logs and verified cross-network data exchange systems.
How Principles of Information Assurance Help in Practice
Every modern organization needs to understand how to plan and execute a successful information assurance system. All businesses deal with sensitive information that could be disastrous if tampered with or destroyed, whether intentionally or accidentally. Altered or stolen sensitive information can lead to social security or credit card numbers falling into criminals’ hands, huge losses in both personal and global revenue, and many other damaging consequences.
So how do the principles of information assurance help avoid those disasters? Let’s take a look at the recent hack of multiple high-profile Twitter accounts and Equifax data breach as examples.
Security Lessons from Hacked Twitter Accounts
Although Twitter has not yet released the exact details regarding how the attack occurred, we do know that the starting point was a “phone spear phishing attack.” That phrasing could mean a number of different things. The hacker could have used caller ID spoofing, for instance, to make it appear that their phone calls came from a Twitter internal support member.
Whatever the exact tactic they used, we know that the cybercriminal eventually managed to access the individual accounts of multiple influential users. This was accomplished both by obtaining individual employee credentials and by bypassing various network controls.
All 5 principles of information assurance were violated during this attack:
- Nonrepudiation was compromised because the hacker was able to appear as if they were Joe Biden, Elon Musk, and other public figures.
- Users who sent Bitcoins to the hacker did so because the integrity of this sensitive information had been meddled with, and they believed the money would be directed to someone else.
- Although there were numerous authentication measures in place, the hacker was able to steal proof of identity through phishing and bypass other controls that allowed them to reach the admin panel.
- The sensitive information in this case was too available to outside users, and thus the confidentiality usually assumed for private social media accounts was violated.
Twitter has since recovered from the attack and is working to strengthen its information assurance practices. But all organizations can learn from this and similar cyberattacks when forming their information assurance plans.
Diligently considering and practicing the 5 principles of information assurance will help your organization avoid disrupted business operations, lost time and revenue, and damaged customer relationships.
Security Lessons from the Equifax Breach
In March 2017, millions of people’s personal identification data was stolen during a hack against Equifax, a multinational consumer credit reporting agency. The attack highlighted major failures in following the principles of information assurance. Several security vulnerabilities allowed the cybercriminals to enter the company’s seemingly secure data systems and exfiltrate terabytes of data.
The hackers initially entered a consumer complaint portal. Because of the Equifax systems’ inefficient segmentation, they were able to move to different outlets and servers. Apache Struts, the software provider for Equifax, discovered the CVE-2017-5638 vulnerability within the same month of the attack.
That same month, Apache Struts quickly released a patch for the exposure. However, none of the multiple vulnerable systems were flagged or patched during Equifax’s IT department scans.
From May through July, the attackers were able to find usernames and passwords of Equifax users stored in plain text. This gave them further access to the legal names, social security numbers, birthdays, addresses, and, in some cases, driver’s license numbers of these users.
By the time the hack ended, the attackers obtained 143 million individuals’ personal information, about 209,000 credit card numbers, and documents with further personally identifiable information for about 182,000 people. The breach included victims in the U.S. as well as in the U.K. and Canada. The company also did not announce the attack until September, leading to further customer distrust.
Equifax violated all 5 principles of information assurance during this attack:
- Nonrepudiation was compromised because the hackers could appear in a consumer complaint channel without registering as a security threat.
- There were not enough authentication measures in place to prevent the hackers from gaining access to additional information using only usernames and passwords.
- Equifax failed to protect users’ information in several countries, making it too available to outside users.
- Equifax’s user data being too widely and plainly available also demonstrated a breach in confidentiality. User data was not handled privately or securely within Equifax’s data systems. In addition, the users had no clue that their data was at risk while utilizing Equifax’s services.
- The hackers were able to go undetected because Equifax neglected the integrity of its digital systems. These cybercriminals could encrypt the stolen data and move it to other portals because Equifax failed to inspect encrypted traffic. While Equifax had the tools to decrypt, analyze, and re-encrypt internal network traffic, the company did not renew its public-key certificate, allowing the attackers to go unnoticed for 76 days.
Since the attack, Equifax has restaffed its C-level executives and spent $1.4 billion on cleaning costs. These costs include incremental costs to transform the company’s technology infrastructure and improve its application, network, and data security. Equifax also reached a record-breaking settlement with the Federal Trade Commission in July 2019 to conclude a class-action lawsuit, paying at least $1.38 billion to resolve consumer claims.
If Equifax had put the principles of information assurance into practice, this breach would not have occurred and the company would have avoided a major loss in business rating, consumer trust, time, and revenue.
Establish Strong Information Assurance Practices with Entrust
Implementing the principles of information assurance into your business is of vital importance. Whether you’re handling sensitive government information or customer payment information, it’s important to ensure that this data does not become accidentally altered or fall into the wrong hands.
At Sentient Digital, Inc., we have years of experience helping businesses not only develop information assurance plans, but use practical and affordable technology to integrate those plans into their daily operations.
Contact us today to learn more about how we can help your organization improve the proper authentication, integrity, confidentiality, availability, and nonrepudiation of its sensitive information.