Because today's increasingly mobile way of working lets employees connect to information systems from virtually anywhere, part of the information system (devices, credentials and data) now travels outside the company's controlled infrastructure. It is therefore essential to know which of the company's resources need protection, and to control both access to the system and the rights each user holds within it. In this article, we walk you through the basic principles of IT security.
What is IT security?
Information systems face many threats: hackers, malware (viruses and other malicious software), network intrusions, data leakage, and so on. A threat is a type of action likely to cause harm; a vulnerability (also called a flaw or weakness) is the degree to which a system is exposed to a threat in a given context; a countermeasure is any action taken to prevent the threat or limit its impact. Risk arises when a threat meets a vulnerability it can exploit.
The countermeasures to be implemented are not only technical solutions but also include user training and awareness, as well as clearly defined rules.
To secure a system, the potential threats must first be identified so that an attacker's likely course of action can be anticipated. This article therefore also gives an overview of attackers' possible motivations, categorizes them, and outlines how they operate, so as to better limit the risk of intrusion and cyber attacks.
What are the goals of IT security?
An information system is generally defined as all of a company's data together with the hardware and software resources that allow the company to store and circulate that data. Information systems are essential to companies and must be protected.
IT security generally ensures that an organization's hardware and software resources are used only for their intended purposes.
IT security generally pursues five main goals:
- Integrity: guaranteeing that data is what it is believed to be, i.e., that it has not been altered, accidentally or intentionally, while stored or in transit.
- Confidentiality: ensuring that only the parties authorized to take part in an exchange can access the resources exchanged. Confidentiality makes information unintelligible to anyone else, typically by encrypting it.
- Availability: guaranteeing that the information system keeps operating and that its data and services are reachable when authorized users need them.
- Non-repudiation: guaranteeing that a party cannot later deny having performed an operation (for example, sending a message or placing an order).
- Authentication: verifying that a user really is who he or she claims to be, so that access control can grant resources only to authorized individuals. A password used for this purpose must never be stored in the clear or merely "encrypted" with a key that can recover it; it is stored as a salted hash that can be verified but not reversed.
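Two of these goals, integrity and authentication, can be made concrete with a few lines of code. The following is an added example written for this article, not code from the original page: it uses only Python's standard library, and the shared key, message and password it works on are constructed sample values. The integrity half tags a message with HMAC-SHA256 so the receiver can detect alteration in transit; the authentication half stores a password as a salted PBKDF2 hash rather than an "encrypted" password, and checks it in constant time.

```python
"""Added example (not part of the original article): integrity and
authentication with Python's standard library.

- Integrity: an HMAC-SHA256 tag lets the receiver detect whether a message
  was altered in transit, accidentally or intentionally.
- Authentication: the password is never stored encrypted; it is stored as a
  salted PBKDF2 hash, and verification uses a constant-time comparison.

The key, message and password below are constructed sample values.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# --- Integrity --------------------------------------------------------------

def tag_message(key: bytes, message: bytes) -> bytes:
    """Return an HMAC-SHA256 tag for `message` under the shared `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """True only if `tag` is the correct HMAC for `message`.

    hmac.compare_digest runs in constant time, so an attacker cannot learn
    how many leading bytes of a forged tag were right by timing the check.
    """
    return hmac.compare_digest(tag_message(key, message), tag)

# --- Authentication ---------------------------------------------------------

PBKDF2_ITERATIONS = 600_000  # order of magnitude currently recommended for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a verifier from `password` with a random per-user salt.

    The stored record holds the salt and the derived key, never the password,
    so a leaked user database does not reveal passwords directly.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": derived, "iterations": PBKDF2_ITERATIONS}

def check_password(record: dict, candidate: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])

def demo() -> dict:
    """Run both checks on constructed sample data and return the outcomes."""
    key = b"shared-secret-for-the-demo"          # constructed sample key
    message = b"transfer 100 EUR to account 42"   # constructed sample message
    tag = tag_message(key, message)
    tampered = message.replace(b"100", b"900")    # an attacker edits the amount in transit

    record = hash_password("correct horse battery staple")  # constructed sample password

    return {
        "genuine_message_accepted": verify_message(key, message, tag),
        "tampered_message_accepted": verify_message(key, tampered, tag),
        "right_password_accepted": check_password(record, "correct horse battery staple"),
        "wrong_password_accepted": check_password(record, "correct horse battery stapler"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note what the HMAC does not give you: anyone holding the shared key can produce a valid tag, so it proves the message came from someone with the key, not from one specific party. Non-repudiation needs an asymmetric signature, where only the signer holds the private key.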
Need for a global approach
Information system security is often described through metaphors. It is frequently compared to a chain: a system is only as secure as its weakest link. Likewise, a reinforced door is useless in protecting a building if its windows are left wide open.
This is why security must be tackled globally and must cover the following elements:
- Making users aware of security problems
- Logical security, i.e., security at the software and data level: company data, applications and even operating systems
- Telecommunications security: network technologies, company servers, access networks, etc.
- Physical security, or the security of material infrastructures: secure rooms, places open to the public, company common areas, employee workstations, etc.
How to implement a security policy?
In practice, IT security often comes down to controlling access to a system's data and resources: authentication and access-control mechanisms ensure that each user of these resources has only the rights that have been granted to him or her, and no more.
Yet security mechanisms can get in users' way, and instructions and rules tend to grow more complicated as the network grows. IT security must therefore be designed so that it does not prevent users from doing their work while letting them use the information system securely; controls that are too cumbersome simply get bypassed.
This is why one of the first steps a company must take is to define a security policy, which is implemented in the following four stages:
- Identify the security needs and the IT risks that the company faces and their possible consequences
- Outline the rules and procedures that must be implemented for the identified risks in the organization's different departments
- Monitor and detect the information system's vulnerabilities, and keep up to date on the flaws in the applications and hardware in use
- Define the actions to be taken and the individuals to contact when a threat or incident is detected
The security policy is the set of security rules that an organization (in the general sense of the word) follows. It must therefore be defined by the organization's management, because it affects all of the system's users.
In this respect, it is not the IT administrators' job to define users' access rights; that is the job of the users' managers. The administrator's role is to ensure that IT resources, and the access rights to them, comply with the organization's security policy.
Moreover, as the person who knows the system best, the administrator must keep management informed about security, advise decision-makers on the strategies to implement, and be the point of contact for communicating problems and security recommendations to users.
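The division of labour just described can be expressed as code: management owns the policy, the administrator verifies that what is configured matches it. The following is an added example written for this article, not code from the original page. The roles, users, resources and rights are constructed sample data; a real policy would come from the organization's own documents. Access decisions are default deny, and the audit reports both rights that exist on the system without being granted by the policy (a least-privilege violation) and rights the policy grants that were never configured.

```python
"""Added example (not part of the original article): the division of labour
the article describes, expressed as code.

Management owns the policy (which role may do what to which resource); the
administrator checks that the rights actually configured on the system match
it. Access decisions are default deny, and any configured right that the
policy does not back is reported as a least-privilege violation.

Roles, users, resources and rights below are constructed sample data.
"""
from dataclasses import dataclass

Right = tuple[str, str]  # (resource, action), e.g. ("ledger", "write")

@dataclass(frozen=True)
class Policy:
    """Rights granted by management: role -> allowed rights, user -> roles."""
    role_rights: dict[str, frozenset[Right]]
    user_roles: dict[str, frozenset[str]]

    def expected_rights(self, user: str) -> set[Right]:
        """Union of the rights of every role assigned to `user` (empty for unknown users)."""
        rights: set[Right] = set()
        for role in self.user_roles.get(user, frozenset()):
            rights |= self.role_rights.get(role, frozenset())
        return rights

    def allowed(self, user: str, resource: str, action: str) -> bool:
        """Default deny: True only if one of the user's roles grants this exact right."""
        return (resource, action) in self.expected_rights(user)

def audit(policy: Policy, configured: dict[str, set[Right]]) -> dict[str, dict[str, set[Right]]]:
    """Compare rights configured on the system with what the policy grants.

    For each user with a discrepancy, 'excess' lists configured rights the
    policy does not grant (to be revoked) and 'missing' lists granted rights
    that are not configured (blocking legitimate work).
    """
    report: dict[str, dict[str, set[Right]]] = {}
    for user in sorted(set(policy.user_roles) | set(configured)):
        expected = policy.expected_rights(user)
        actual = configured.get(user, set())
        excess, missing = actual - expected, expected - actual
        if excess or missing:
            report[user] = {"excess": excess, "missing": missing}
    return report

# Constructed sample policy, as management would define it.
SAMPLE_POLICY = Policy(
    role_rights={
        "accounting": frozenset({("ledger", "read"), ("ledger", "write")}),
        "hr": frozenset({("payroll", "read"), ("payroll", "write")}),
    },
    user_roles={
        "alice": frozenset({"accounting"}),
        "bob": frozenset({"hr"}),
        "carol": frozenset(),   # left the company: roles removed, account not yet
    },
)

# Constructed sample of what is actually configured on the system.
SAMPLE_CONFIGURED = {
    "alice": {("ledger", "read"), ("ledger", "write"), ("payroll", "read")},  # payroll: excess
    "bob": {("payroll", "read")},                                           # write: missing
    "carol": {("ledger", "read")},                                          # orphaned rights
    "eve": {("ledger", "write")},                                           # account unknown to policy
}

def demo() -> dict[str, dict[str, set[Right]]]:
    """Audit the constructed sample system against the constructed sample policy."""
    return audit(SAMPLE_POLICY, SAMPLE_CONFIGURED)

if __name__ == "__main__":
    for user, gap in demo().items():
        print(f"{user}: revoke {sorted(gap['excess'])}, grant {sorted(gap['missing'])}")
```

The audit is deliberately two-sided: excess rights are the security finding, but missing rights are what makes users route around the controls, which is the problem the previous paragraphs warn about.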
A company's IT security depends on employees (users) knowing the rules, which is achieved through training and awareness sessions. Security must, however, go beyond employee knowledge and also cover the following areas:
- Physical and logical security mechanisms adapted to the company's needs and to the way employees work
- A procedure for managing updates
- A properly planned backup strategy
- A post-incident recovery plan
- Up-to-date documentation of the system
What are the causes of insecurity?
Causes of insecurity generally fall into two categories:
- An active state of insecurity, i.e., the user's ignorance of the system's functions, some of which may harm it (for example, leaving network services enabled that the user does not need).
- A passive state of insecurity, i.e., lack of knowledge of the security measures in place (for example, when the administrator or user of a system does not know which security mechanisms are available or enabled).
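The first case, network services left running that nobody needs, is easy to check for. The following is an added example written for this article, not code from the original page: it parses the output of `ss -tlnp` (listening TCP sockets with their owning process) and reports every listener whose process and port are not in an approved baseline, most exposed first. The `ss` output and the baseline are constructed for the example; on a real host you would feed it the live command output and a baseline derived from the security policy.

```python
"""Added example (not part of the original article): an 'active insecurity'
check for the case the article mentions, network services left running that
nobody needs.

The function parses `ss -tlnp` output (listening TCP sockets with the owning
process) and reports every listener whose process/port pair is not in an
approved baseline. The sample output and the baseline are constructed for
this example; a real baseline would come from the organization's policy.
"""
import re

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1201,fd=6),("nginx",pid=1200,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       50      0.0.0.0:5900         0.0.0.0:*          users:(("vino-server",pid=2310,fd=9))
"""

# Hypothetical baseline: process name -> ports it is approved to listen on.
APPROVED_LISTENERS = {"sshd": {22}, "nginx": {80, 443}}

_PROCESS_RE = re.compile(r'\(\("([^"]+)"')

def parse_ss(output: str) -> list[dict]:
    """Turn `ss -tlnp` lines into dicts with bind address, port and process name."""
    listeners = []
    for line in output.splitlines():
        fields = line.split(None, 5)              # State Recv-Q Send-Q Local Peer Process
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                              # header row or non-listening socket
        addr, port = fields[3].rsplit(":", 1)     # rsplit keeps IPv6 brackets intact
        match = _PROCESS_RE.search(fields[5]) if len(fields) > 5 else None
        listeners.append({
            "address": addr,
            "port": int(port),
            "process": match.group(1) if match else "unknown",
        })
    return listeners

def exposure(address: str) -> str:
    """Classify where a socket is reachable from, based on its bind address."""
    if address.startswith("127.") or address == "[::1]":
        return "loopback only"
    if address in ("0.0.0.0", "*", "[::]"):
        return "all interfaces"
    return "specific interface"

def unexpected_listeners(output: str, baseline: dict[str, set[int]]) -> list[dict]:
    """Return listeners not covered by the baseline, most exposed first."""
    findings = []
    for entry in parse_ss(output):
        if entry["port"] in baseline.get(entry["process"], set()):
            continue                              # approved process/port pair
        findings.append({**entry, "exposure": exposure(entry["address"])})
    # Services reachable from the network are the more urgent ones to disable.
    findings.sort(key=lambda f: (f["exposure"] != "all interfaces", f["port"]))
    return findings

if __name__ == "__main__":
    for f in unexpected_listeners(SAMPLE_SS_OUTPUT, APPROVED_LISTENERS):
        print(f'port {f["port"]:<5} {f["process"]:<12} {f["exposure"]}  -> disable or add to baseline')
```

On the sample data the check flags a VNC server listening on every interface and a print service bound to loopback; the second is far less urgent, which is why the findings are ordered by exposure rather than by port number.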