The most important things in a nutshell

  • Information security aims to protect information from theft, unauthorized modification or destruction.
  • Information can be digital or non-digital.
  • IT security is a subfield of information security that deals with the protection of digitally present information.
  • The most important protection goals of information security are
    • The prevention of unauthorized access (confidentiality),
    • the protection against unauthorized modification (integrity) and
    • the protection against destruction (availability).
  • Depending on the application, other protection goals may be relevant and considered.
Series: Information Security
  1. What is Information Security?
  2. Information Security Management Systems (ISMS)

Importance of information security


Information security aims to protect information from theft, unauthorized modification or destruction. Information can exist digitally in IT systems or in non-digital form, for example on paper.

What information is worth protecting?

Information worth protecting is often success-relevant and confidential company data such as customer inventories, company strategies, in-house developments or know-how. Due to strict legal requirements, the protection of personal data is particularly important. This includes, for example, the purchasing behavior of the company's own customers or the personal data of its employees.

Protection goals of information security

The main protection goals of IT and information security (as found in ISO/IEC 27001, IT-Grundschutz and the DSGVO/GDPR) are:

  • Protection of confidentiality (no access to sensitive data for unauthorized third parties),
  • Protection of integrity (no falsification),
  • Protection of availability (data is available when it is needed).

Depending on the use case, other protection goals of information security can be included in the consideration.

Protection goal confidentiality of information


In information security, confidentiality means that data is accessible only to authorized individuals.

Examples
  • Company data worthy of protection should always be stored on cloud services or your own computers in such a way that only authorized employees have access to it. (Access protection with user rights)
  • When accessing a server, data transmission should be encrypted so that no one can read the transmitted passwords and information (transport encryption).

Confidentiality attacks:
  • Every data leak is an attack on the confidentiality of information. Unfortunately, these happen far too often, and the larger ones regularly make the news. Services like Have I Been Pwned? track these data leaks (also called data breaches).


Protection goal integrity of information


Integrity of data and information means that no unauthorized modification has been made.

Example
  • When transferring money online, both the amount of money and the recipient account should not be able to be changed during the transfer to the bank server.

Integrity attacks:
  • An example of an integrity attack is the unauthorized addition of an administrator role to a user. Integrity attacks can be very consequential: in a ransomware incident, if an organization's Active Directory has been modified without authorization, a complete rebuild of the AD is often unavoidable.
  • Any other type of unauthorized change, such as a forged sender address on an e-mail, also falls under this category.


Protection goal availability of information


Availability of information means that information can be retrieved and used in a timely manner and as expected.

Example
  • After logging in to your cloud service, for example Microsoft Office 365, all documents will be available after a few seconds.
  • On the user computer, all stored files can be accessed.

Attacks on availability:
  • At their core, current ransomware attacks on enterprises are often classic availability attacks: all data and reachable backups are encrypted or deleted and are only restored (with a lot of luck...) after a cryptocurrency ransom has been paid. It should be noted that current ransomware attacks also frequently target the confidentiality and integrity of information.
  • However, other attacks such as DDoS attacks are also common.

Other information security protection goals


In Art. 32 para. 1b DSGVO (GDPR), so-called resilience is additionally required as a further protection goal. This is generally understood to mean the availability of IT systems even under load.

Depending on the use case, in addition to the protection goals of confidentiality, integrity and availability, other protection goals are considered.

Authenticity protection goal

Authenticity refers to both ensuring the identity of the communication partner and ensuring the originator of data. Authenticity is often considered the overriding protection goal. Other protection goals are worthless if it is not possible to determine whether communication is taking place with the desired communication partner.

Example

The purpose of a username/password login is to ensure that the correct communication partner is on the other end of the line. This simple example also illustrates that in order to achieve the three primary protection goals of information security.

Protection goal of non-repudiation

Non-repudiation is intended to ensure that a party involved in a communication cannot subsequently deny that communication to third parties.

Example

  • For digital signatures, non-repudiation, along with authenticity, is critical.
  • If contracts (online) are concluded, non-repudiation is important for the service provider.
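As an added example (not code from the original article), the online bank transfer from the integrity section and the digital-signature point above, in Go with the standard library's Ed25519: the customer signs the transfer order, the bank verifies it, and any change to the amount or recipient invalidates the signature. Because only the customer holds the private key, the bank can later show the signed order to a third party, which a MAC computed with a key shared between customer and bank could not provide. All names, account numbers and amounts are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transfer is a constructed online transfer order. The nonce makes every
// order unique so that a captured signed order cannot simply be replayed.
type Transfer struct {
	Sender    string `json:"sender"`
	Recipient string `json:"recipient"`
	AmountCts int64  `json:"amount_cents"`
	Nonce     string `json:"nonce"`
}

// SignedTransfer carries the order together with the customer's signature.
type SignedTransfer struct {
	Order Transfer
	Sig   []byte
}

// NewKeyPair creates the customer's Ed25519 key pair; the private key stays with the customer.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is what the customer does: sign the canonical (JSON) encoding of the order.
// json.Marshal of a struct is deterministic, so both sides encode identically.
func Sign(priv ed25519.PrivateKey, t Transfer) (SignedTransfer, error) {
	msg, err := json.Marshal(t)
	if err != nil {
		return SignedTransfer{}, err
	}
	return SignedTransfer{Order: t, Sig: ed25519.Sign(priv, msg)}, nil
}

// Verify is what the bank does: accept the order only if it is byte-for-byte
// what the holder of the private key signed (integrity + authenticity).
func Verify(pub ed25519.PublicKey, st SignedTransfer) bool {
	msg, err := json.Marshal(st.Order)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, st.Sig)
}

func main() {
	pub, priv, _ := NewKeyPair()
	st, _ := Sign(priv, Transfer{"Alice", "DE00 0000 0000 0000 0000 00", 12500, "n-1"})
	fmt.Println("genuine order verifies:", Verify(pub, st))
	tampered := st
	tampered.Order.AmountCts = 1250000 // amount altered in transit
	fmt.Println("tampered order verifies:", Verify(pub, tampered))
}
```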

Protection goal of bindingness

When both the authenticity and the non-repudiation of a communication are ensured, the communication is referred to as binding.

Threats to information security protection goals


There are hundreds of categories of threats that threaten information security protection goals in one way or another. Below, we cover some of the most important modern threats to protection goals that are current priorities for enterprise security teams.

Inadequately secured or unpatched systems


The speed and evolution of technology often leads to compromises in security measures. In other cases, systems are developed without regard to security and remain in operation as legacy systems within an organization. Organizations need to identify these poorly secured systems and mitigate the threat by securing, patching, decommissioning or isolating them.

Attacks involving use of social media


Many people have accounts on social media where they often inadvertently disclose information. Attackers can exploit this type of information to launch attacks.

Social Engineering

In social engineering, attackers manipulate IT system users through psychological triggers such as curiosity or fear to achieve a desired response.

Because the source of a social engineering message usually appears trustworthy, users often click on a link that installs malware on the computer they are using. This exposes personal information, login credentials and any other corporate data the user has access to to the attacker.

Companies can mitigate social engineering by training users to recognize suspicious social engineering messages and forward them to the security team. But technical systems such as email filtering systems can also play a role.

Malware on clients


Enterprise users work with a variety of endpoints, including mobile devices such as laptops, tablets and smartphones. A key threat to all of these endpoints is malware, which can be transmitted in a variety of ways. It can lead to the compromise of the client itself as well as the extension of privileges to other clients and servers.

Missing mobile device encryption


Encryption methods encrypt data so that it can only be decrypted by users with secret keys. Using cryptography for encryption is very effective in preventing data loss or corruption when devices are lost or stolen.

Inaccurate or inadequate security configuration of cloud services


Modern enterprises often use a variety of platforms and cloud services. Almost all of these services have sophisticated built-out security features, but they must be configured and customized by the enterprise to meet its needs. Incorrect or negligent security configuration, or even human error, can easily lead to a serious security incident.

Information security protection goals - what measures can be used to achieve them?

Achieving the protection goals relevant to information security involves both organizational and technical measures.

An Information Security Management System (ISMS) is typically used for the holistic management of information security in a company. In this context, responsibility for information security and the ongoing operation of the ISMS is delegated to an information security officer (ISO).
