I’ve been spending a lot of time at work recently being involved in audits of our company’s security. Some of them we are paying for (3rd party pentesting), some are voluntary compliance (SOC 2), and some are from clients doing their due diligence on vendors. In conducting and discussing the requests and our answers, it occurred to me just how vital that having a good understanding of Information Security is becoming table stakes to be in the industry, whether you’re a budding programmer, an aspiring entrepreneur, or just someone curious about the tech world. Let’s dive into the basics in the first post of what I hope will become a series.
What is Information Security (Infosec)?
At its essence, information security (infosec) is about safeguarding data from unauthorized access and alterations. It’s the practice of defending our digital valuables – be it personal information, business data, or governmental records. We live in a world where data flows everywhere, and just like dams ensure water flows in controlled and safe ways, infosec ensures data remains confidential, intact, and accessible only by those meant to access it.
Why is Infosec Important?
Imagine writing a personal letter and leaving it at a coffee shop. Anyone could read it, modify it, or take it away. That’s what the digital world is like without information security. With the invention and expansion of the internet, we’re more connected than ever. That means that our data – from emails to credit card numbers – is exposed to potential misuse.
The CIA Triad is a common model to use to talk about information systems. CIA doesn’t stand for the United States Central Intelligence Agency, rather it is an acronym for these concepts:
- Confidentiality: This principle ensures that sensitive information is only accessed by those who have the right to view it. Think of it like putting a letter in a sealed envelope rather than leaving it open for all to see.
- Integrity: Ensuring data remains unaltered during storage or transmission is vital. It’s like ensuring that the letter you wrote reaches its destination without anyone changing the words inside.
- Availability: Data needs to be accessible when needed. Imagine sending a letter and ensuring it reaches its destination on time for whenever the recipient wants to read it. Availability in infosec ensures that systems and data are available when required.
What’s at Stake?
Every day, new vulnerabilities and threats emerge. From ransomware attacks holding data hostage to data breaches leaking sensitive information, it can seem like we’re in a Wild West scenario. Companies of all sizes heavily invest in securing the data that they generate and are entrusted with by having dedicated security teams (both offensive and defensive) to constantly remain vigilant while finding their own weaknesses to fix before the adversaries do. This can take many forms, including monitoring, proactive Bug Bounty Programs to engage ethical hackers, simulated attacks, and tabletop exercises, to name a few.
If these companies fail, the results can be disastrous. Compromising one or more points of the CIA Triad can directly affect a company’s revenue and reputation. One great example of this is what happened to LastPass after they had a large security incident. Customers left in droves for other alternatives like BitWarden, 1Password, and KeePass. That certainly will hurt LastPass’ revenue, but even worse is that the attack directly harmed their customers’ finances. The Verge reported that there was a potential link was made between the 2022 data theft and a total of more than $35 million in cryptocurrency that had been stolen, due the fact that almost all victims were LastPass users. Those are sobering consequences.
Why Should You Care?
As we plunge deeper into the digital era, infosec isn’t just a concern for IT departments but is everyone’s responsibility. Understanding infosec can not only make you a more informed digital citizen but can also open doors to a thriving career path. Even if you’re not interested in becoming a cybersecurity specialist, you should look to secure your online presence. Your security is only as strong as the weakest link and you should do all that you can to not be that weak link, and the journey into information security can be rewarding and eye-opening.
What’s Next?
Embarking on the infosec journey equips you with the knowledge to protect not just your data but also contribute to a safer digital ecosystem. From teaching to policy-making to ethical hacking, the field is vast and ripe with opportunity. Over the next few posts, I hope to explore these points more in depth and talk more about what we in technology can do to sharpen these tools in our own toolkits.
Episode 24 was planned to be timely, but it ended up being super timely. Originally, I wanted to have Wolfgang Goerlich come on and talk about application security after the iCloud photo leaks. But, between the time that we recorded the interview and the time I’m releasing this episode, the Shellshock bug/vulnerability came to light as well. Listen, folks, writing secure software is hard! Wolfgang talks about the average day in the life of the good guys, what mindset makes a good security expert, how developers can write more secure code, why the Internet of Things might be a security nightmare, and why you shouldn’t “poke the bear”.
