Cybersecurity vs. Information Security


Understanding Security and Privacy

February 16 · Issue #2

Security & privacy issues are often overcomplicated, let's simplify them.

Cybersecurity is becoming a mainstream topic.
…well, it’s getting there. 
It’s not that rare to see the story of a victim of cybercrime hit the mainstream news outlets. Cybercriminals are getting better and better at making money and a lot of that is easy money.
Organizations are—unfortunately—feeling the impact of cybercrime on their bottom line and that’s finally spurring awareness and action.
If there is a bright spot, it’s that increased awareness and the actions now being taken to prevent cybercrime.
What Is Cybersecurity?
While we can agree that cybersecurity is becoming a mainstream topic, does everyone agree on what it actually is?
That’s a weird question but a fair one with any technical subject. If you’re not actively in a technical field, your understanding of that field will depend on your exposure to it.
Are you just getting the headlines? Doing some in-depth reading? Getting more of your awareness from movies and TV?
That’s not a horrible definition.
Using this wording, cybersecurity is basically what you do to make sure that hackers don’t get into your computer systems. Pretty straightforward, and it gets the point across.
If you ask a practitioner, you’ll probably get some slight variation of this technical definition: to protect the integrity, availability, and confidentiality of data.
This comes from the CISSP certification material. This certification has long been a “gold standard” for getting into the field of corporate cybersecurity.
What most don’t realize or remember is that that’s the definition for information security.
And information security is different from cybersecurity.
The Security Umbrella
Security is a broad term. It covers a lot of nuance, all dealing with protecting something against something undesired.
There are essentially four areas of security:
  1. Cybersecurity
  2. Physical security
  3. Information security
  4. Operational security
Each of these areas is important, and they are rarely handled in isolation.
We already know that cybersecurity is all about protecting computer systems from unauthorized access or attack. 
Physical security protects people, property, and other assets from events that cause damage or loss. Security guards in buildings, access passes, gates, etc. are all examples of physical security controls.
Information security or INFOSEC is a set of practices that ensure that information and ideas are safe from unauthorized access and modification. This echoes the CISSP answer from above.
Operational security or OPSEC can be a little harder to wrap your head around. It’s a set of practices and procedures that make sure you aren’t unintentionally giving away information that could help someone break the other types of security.
This idea was most famously conveyed in the WWII Allied campaign, “Loose lips sink ships”.
Confusion Reigns
One of the biggest challenges facing organizations today is that far too much time and attention is spent on cybersecurity and not enough on information security.
This may seem like splitting hairs. After all, aren’t computers an example of “information technology” (IT)? Wouldn’t that make protecting them part of information security?
While you could make that argument, I think it’s a matter of scope.
Cybersecurity is a lower-level task, more concerned with specific aspects of larger, more complex systems.
Making sure that your phone isn’t being hacked. Verifying that the server only allows authorized users to download files. Getting users to use multi-factor authentication to log in. 
All of these 👆 are examples of cybersecurity.
What we’re seeing in cybercrime (another confusing name but let’s not go there right now) is that these criminals are looking at other aspects of how information flows in an organization to find weakness.
Complex Systems
If a production application has a strong security posture and a motivated attacker can’t get in, they just don’t give up. They will look at other aspects of the system that could be weaker.
This is where information security comes back into play. While it’s not a perfect divide, the idea of INFOSEC lends itself more to the larger system.
While the production application is hard to access, what about a developer who has access to it? Are they a vulnerability?
Maybe the attacker could use malware to gain access to the developer’s laptop. Or use a system on their home network to gain the permissions required to attack the production application.
Or, let’s get really evil here, they could attack or bribe the developer themselves. 
You see, what’s really important is the information on how to access production, whether that’s a digital access key or a username/password stored in a developer’s head.
It’s the information, not the system hosting it that the attacker is after.
XKCD put it best…

xkcd: Security
The strict definitions of each of the security pillars aren’t that important. What is important is that teams with the proper expertise focus on areas where they can be the most effective.
This is where organizations run into issues.
Often the security experts are worried about small cybersecurity issues and not the larger scale information security ones. 
They focus on whether or not a particular server can be accessed without the proper authorization. They worry whether the permissions are set correctly so that only one set of users can access a particular application. And so on, and so on…
These are all important areas, but they should be the responsibility of the teams running those systems. That work should be verified by another team to ensure it’s done well, but it still sits at the level where that type of specific work makes sense.
Security experts should be focused on larger-scale information and operational security issues.
Their expertise is truly required in these more complex situations: determining what controls make sense in each security area to deliver the desired outcome.
What do you think? Is the difference between different areas of security important? Hit reply and let me know or hit me up on Twitter, where I’m @marknca .
Powered by Revue
@marknca, Box #9104, K2T 0A3, Canada