
Principles of information security
09.01.2024


Ruslan Rakhmetov, Security Vision


When solving information security tasks, reasonable questions arise: how are information security principles implemented in practice? How should information be protected from unauthorised access? What should be prescribed in the company's IS policy in accordance with best practices and recommendations?


So, in accordance with the definitions given earlier, information protection means ensuring the integrity, confidentiality and availability of information. Thus, the tasks of information security in the broad sense are to ensure these three properties, which is done through information protection measures and means (organisational, technical, physical). In order for the applied protection measures (also called countermeasures or controls) to be structured, logically interconnected and lead not to a formal closure of requirements but to a real increase in the company's cyber security, it is necessary to build information security processes within an integral IS management system (abbreviated as ISMS) that minimises cyber risks to meet the needs of the business (the owners and stakeholders of the protected company). Protective measures apply to the company's employees, processes, technology and data.


Example: a protective measure in the form of a cyber security awareness programme (so-called awareness training) is applied to employees in order to counter cyber-attacks carried out using social engineering methods (phishing, telephone fraud, blackmail, attempts to obtain confidential information during a personal meeting with employees, etc.). Another example: a countermeasure in the form of a process of verification of the company's counterparties (suppliers, contractors, outsourcers, etc.) is applied to the processes of information interaction between the company and its counterparties, such as data exchange, setting up remote connections, exchange of electronic correspondence, etc.


According to the purposes of the applied countermeasures, they are divided into warning, directive, preventive, deterrent, corrective, restorative, investigative, compensating and complementary measures. The following are examples. Warning measures notify users and potential intruders that their actions are controlled, in order to prevent IS incidents: for example, a message on a website stating that all user actions with an information resource are recorded and may be analysed later. Directive measures are explicitly stated rules for users' work and behaviour: for example, signage in an office building so that well-meaning visitors can quickly find the office they are looking for, while those wandering aimlessly around the building can be treated as potential intruders. Preventive measures are activities aimed at preventing IS incidents and avoiding violations of IS policies or established rules, e.g. deploying anti-malware and securely configuring the OS and software. Deterrent measures are ways to apprehend an intruder who has passed through the previous layers of protection: for example, if thieves have entered an office centre, valuable documents should be kept in a safe, opening which will delay the burglars until the police arrive; in an information system, such measures can be implemented with decoy resources (honeypots or honeynets). Corrective measures are the prompt correction of controls that failed to prevent an attack, including fixing inconsistencies between controls and IS policies. Restorative measures return the infrastructure after a cyberattack to a known secure, "good" state, with the necessary corrective changes made to prevent the incident from recurring.
Investigative measures are a way to determine the root cause of an incident, identify the perpetrator, learn the attack vector and the exploited vulnerabilities, and perform computer forensic investigations (forensics). Compensating measures are additional controls that fulfil mandatory protection requirements in an alternative way that is more appropriate and cost-effective: for example, to prevent data leaks you can install an expensive DLP solution, or you can prohibit the use of removable drives and cloud storage, restrict the ability to send emails outside the company and take other measures that limit the number of potential leakage channels. Complementary measures ensure the effectiveness of already configured protection measures and complement them: for example, some antivirus products allow users with administrative privileges on a PC to disable protection, so it is important to limit user privileges and control the granting of local administrator rights to employees.


If the perpetrators were able to successfully overcome the built-in defences and achieve their objectives, a cyberattack is said to have occurred. In other words, a cyberattack is, as we have written before, a targeted malicious action against an asset to disrupt its operation and/or to realise a cyber threat (i.e. to compromise the integrity, confidentiality or availability of information). The term hacking is also often used; it means unauthorised access to information, i.e. the recorded fact of information processing (reading, modification, deletion, etc.) in violation of established access rights: for example, when the contents of a company's payroll were accessed by an employee of a contractor, or when valuable files were deleted by hackers as a result of a cyberattack.


It should be noted that foreign literature and news reports often use the term data breach, which some people incorrectly understand as data leakage; in fact a data breach is a breach of data security, i.e. unauthorised access to information. A data breach means not only theft of data by hackers, but also, for example, unauthorised deletion of information as a result of infection by a wiper virus, or even the accidental posting of confidential information by an employee on a publicly available resource.

A company's information security policy is a documented, coordinated and approved set of interrelated high-level principles of information protection, in accordance with which the company's IS processes are built. In terms of hierarchy and detail, the IS policy is at the head of all internal regulatory documents applied in the company for information protection; standards, regulations, procedures and instructions are lower down the hierarchy and contain more detailed rules of IS provision in the company. Thus, the IS policy in a company is based on high-level IS principles; below we give examples of the most important of such principles.


IS principles are rules that have proven effective in the practical protection of information:


1) The principle of least privilege is the rule of granting users and entities in an information system only the privileges minimally necessary for them to fulfil their job responsibilities and achieve their job objectives. For example, a user from the accounting department should not be given domain administrator privileges, and a backup programme should run under an account that has read-only access to the files being saved.


2) The principle of granting privileged (administrative) authority only to perform specific official actions and only for a certain period of time. This principle is realised by Just-In-Time Access (JIT, "access only for the required time") and Just-Enough Access (JEA, "access no more than necessary") technologies, which allow granting an account extended authority only for a certain time and only to the minimum extent necessary. For example, an engineer is granted the right to run only a specific script with administrative privileges, and only for the duration of that script.


3) Another set of IS principles is granting access to information only if there is a justification for using the data (need to use), for familiarisation with the information (need to know) and for connecting to the information system (need to connect), and only with the approval of the direct supervisor of the user requesting access.


4) The principle of segmenting and controlling access to data using the Zero Trust approach, which means that for all devices, applications and users, granular network access rules are created that apply to both external and internal connections to the infrastructure. These rules allow for continuous verification of subjects' authorisation, as well as checking the subject's security status on each access attempt.


5) Another principle of IS when working with data is the encryption of information during data storage and transmission, as well as the use of cryptosystems with homomorphic encryption, which allow operations with encrypted data without decrypting them.


6) Another important principle of cybersecurity is the principle of separation of powers (separation of duties), which means that at least two workers are required to perform a critical operation. This ensures that a single employee's mistake does not go unnoticed and also makes it difficult for a single disloyal or recruited employee who has been given broad authority to perform malicious actions. An example familiar to many from cinema: opening a bank safe requires two different keys turned simultaneously by two different employees. To circumvent such a requirement, these employees would need to collude, which would expose them to greater criminal liability.


7) The principle of authority actualisation means that when an employee's job responsibilities change, for example on moving to another department, the old access rights to the information resources of the former department should be disabled and access rights to the resources of the new department granted. Another example: when an employee completes work on one project and moves to another project team, the account's rights to access files from the old project should be revoked. This avoids a situation where a long-time employee gradually accumulates excessive authority.


8) The Assumed Breach principle (literally, "think as if you have already been breached") means planning IS activities in the company on the assumption that one or more elements of the infrastructure have already been compromised by attackers. It is important not to rule out the possibility that a cyberattack has already occurred but its signs are not yet evident, so that hackers are invisibly present on the network. To build cyber security with this principle in mind, proactive threat detection (Threat Hunting) and the Zero Trust approach described above should be used.


9) Building cyber defences in accordance with the principle of defence in depth means building a layered defence, where an attacker must first overcome several layers of protection to reach a valuable asset. For example, to access a file server from the outside, attackers must first compromise a server in the DMZ (demilitarised zone), then move into the corporate network, then escalate privileges to connect to the server segment, and only then attack the file storage. In this regard, cloud-based enterprise systems, while convenient to access from anywhere in the world and from any device, lack some of these layers (e.g. the need to first establish a VPN connection), which is why it is so important to use advanced authentication and account control mechanisms in the cloud, such as multi-factor authentication, Conditional Access, device posture checks (Posturing) and verification of the device against security settings and the geographic region of the company's presence.


10) The continuous improvement (PDCA) approach to cyber defence is probably the most important IS principle: IS processes should be organised according to the Deming cycle for process management, Plan - Do - Check - Act (abbreviated as the PDCA cycle). Continuous assessment of how adequately the built ISMS addresses current cyber threats, and continuous improvement of cyber defences, will help to proportionately prevent and respond to cyberattacks even from the most advanced attackers.
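The following is an added example, not code from the article or from Security Vision, showing how principles 1, 2, 6 and 7 above (least privilege, JIT/JEA elevation, separation of duties and authority actualisation) can be expressed in a small authorisation policy. The roles, rights, user names and the clock are hypothetical values constructed for the example; a real deployment would take them from an identity provider and a PAM system.

```python
"""Added example (not the article's code): a minimal policy engine that enforces
least privilege, time-bound JIT/JEA elevation, a two-person rule for critical
operations, and revocation of rights on role change. All names are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Principle 1: each role carries only the rights the job requires (constructed values).
ROLE_RIGHTS = {
    "accounting": {"erp:read", "erp:post-invoice", "erp:approve-payment"},
    "backup-service": {"files:read"},            # backup runs read-only
    "ops-engineer": {"servers:read"},
}

# Principle 6: operations that require a second, distinct person to approve.
DUAL_CONTROL = {"erp:approve-payment", "servers:delete-volume"}


@dataclass
class Elevation:
    """A JIT/JEA grant: exactly one named right (JEA) with an expiry (JIT)."""
    right: str
    expires_at: datetime


@dataclass
class User:
    name: str
    role: str
    elevations: list = field(default_factory=list)


class AccessPolicy:
    def __init__(self, now=None):
        # Injectable clock so that expiry can be tested deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))

    def effective_rights(self, user):
        """Role baseline plus still-valid JIT grants; expired grants are pruned."""
        now = self._now()
        user.elevations = [e for e in user.elevations if e.expires_at > now]
        return ROLE_RIGHTS.get(user.role, set()) | {e.right for e in user.elevations}

    def grant_jit(self, user, right, minutes):
        """Principle 2: grant one right for a bounded period, never a blanket admin role."""
        user.elevations.append(Elevation(right, self._now() + timedelta(minutes=minutes)))

    def change_role(self, user, new_role):
        """Principle 7: a role change replaces old rights instead of adding to them."""
        user.role = new_role
        user.elevations.clear()

    def authorize(self, actor, right, approver=None):
        """Returns (allowed, reason). Dual-control rights need a different, entitled approver."""
        if right not in self.effective_rights(actor):
            return (False, "actor lacks right")
        if right in DUAL_CONTROL:
            if approver is None or approver.name == actor.name:
                return (False, "second person required")
            if right not in self.effective_rights(approver):
                return (False, "approver lacks right")
        return (True, "allowed")


def run_scenario():
    """Walk through the four principles with a fake clock; returns the decisions."""
    clock = {"t": datetime(2024, 1, 9, 9, 0, tzinfo=timezone.utc)}  # constructed time
    policy = AccessPolicy(now=lambda: clock["t"])
    alice = User("alice", "accounting")
    bob = User("bob", "accounting")
    eve = User("eve", "ops-engineer")
    results = {}
    # Least privilege: an accountant cannot touch server volumes at all.
    results["least_privilege"] = policy.authorize(alice, "servers:delete-volume")
    # Separation of duties: self-approval is rejected, a colleague's approval is accepted.
    results["self_approval"] = policy.authorize(alice, "erp:approve-payment", approver=alice)
    results["dual_control"] = policy.authorize(alice, "erp:approve-payment", approver=bob)
    # JIT/JEA: one right for 30 minutes, gone after the window closes.
    policy.grant_jit(eve, "servers:restart", minutes=30)
    results["jit_active"] = policy.authorize(eve, "servers:restart")
    clock["t"] += timedelta(minutes=31)
    results["jit_expired"] = policy.authorize(eve, "servers:restart")
    # Authority actualisation: moving departments drops the old department's rights.
    policy.change_role(alice, "ops-engineer")
    results["after_role_change"] = policy.authorize(alice, "erp:read")
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:18} -> {decision}")
```

The pruning of expired grants inside `effective_rights` is deliberate: rights are recomputed on every decision rather than cached, which is the same per-request evaluation that the Zero Trust principle (item 4) calls for.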

