Basic Concepts of Information Security (1)

Information can be communicated in a number of different ways: messages, signals, data, intelligence, or knowledge. It may exist in multiple forms, for example, data/programs stored and processed in information facilities, printed or written papers/emails/design drawings/business solutions, or messages in slides or sessions.

Information security protects the hardware, software, and system data on information networks from accidental or malicious damage, tampering, and leakage. It ensures continuous and reliable system operation as well as uninterrupted information services.

In the case mentioned previously, it was ignored that the photo might reveal sensitive information about the oilfield. By limiting the dissemination or recipients of the photo, information leakage could have been prevented.

Confidentiality
  • Ensures that information can be obtained only by authorized users.
Integrity
  • Ensures the accuracy and integrity of information and its processing method.
Availability
  • Ensures that authorized users can obtain desired information and use related assets.
Controllability
  • Implements security monitoring to protect information and its system against attacks.
Non-repudiation
  • Prevents the information sender or receiver from denying the information.
Information security involves information confidentiality, integrity, availability, controllability, and non-repudiation. In general, information security is to ensure the effectiveness of electronic information. Confidentiality means resisting passive attacks by adversaries and preventing information leakage to unauthorized users. Integrity means resisting active attacks by adversaries and preventing unauthorized tampering. Availability means ensuring that information and information systems can actually be used by authorized users. Controllability means implementing security monitoring on information and information systems.

Exploiting the vulnerability of port 445 on Windows operating systems, the WannaCry ransomware cryptoworm featured self-replication and included a "transport" mechanism to spread itself automatically. Among infected Windows systems in China, those on campus networks suffered most, and large amounts of laboratory data and final year projects were locked and encrypted. The application systems and database files of some large enterprises were also encrypted and could no longer run properly.

The OceanLotus group mainly uses two attack methods:
  • Spear phishing: The Trojan horse is emailed to targeted computers as an attachment with an attractive title (such as Salary Reform Scheme). The computers are infected after the attachment is opened.
  • Watering hole: The attacker exploits vulnerabilities in websites that the targeted individuals or organizations visit frequently and uses these websites to distribute malware. For example, on an intranet server that employees frequently visit, the attacker replaces an internal shared document with the Trojan horse. Every computer that downloads the document as required is infected with the Trojan horse and sends confidential information to the attacker.

Information system complexity: The information system may be attacked during the design or operation process because of its vulnerabilities and defects. Major issues are as follows:
  • Complex process: In information system design, security is ranked below factors such as usability and enforceability. Because of human error and imperfect design methodology, an information system always has vulnerabilities.
  • Complex structure: The information system may need to support multiple types of terminals (such as employee terminals, remote users, mobile terminals, routing devices, and servers) and data services (such as service data, management data, and voice data) on the network. All terminal and data types must be considered in cyber security management.
  • Complex application: Network redundancy and stability are given priority during network topology design, and redundant links and backup devices may be added. The resulting complexity of the network application can make faults hard to locate and rectify quickly.
Human and environment factors: environmental threats and man-made damage.


  • Information security, in the broadest terms, defines data confidentiality, integrity, availability, controllability, and non-repudiation. In terms of cyber security, information security defines more specific requirements, such as physical security, identity authentication, and audit and monitoring.
  • The C4I system is mainly used in the military field.

Information storage security includes protection of server disks and encryption and antitheft of stored information.

Enterprise business information transmitted between the headquarters and a branch may be stolen by an attacker. In the figure, the attacker tampers with the information sent by the branch and then forwards it to the headquarters.
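As an added illustration (not part of the original notes) of the integrity property defined above and of this branch-to-headquarters tampering scenario: the branch attaches an HMAC-SHA256 tag computed under a shared key, and the headquarters rejects any message whose tag no longer matches or whose sequence number is not newer than the last one accepted. The key, message fields and sequence counter are constructed for the example; note that a shared-key MAC gives integrity but not confidentiality (the attacker can still read the message) and not non-repudiation (both parties hold the same key).

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice it is provisioned out of band to branch and HQ.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(body: dict) -> bytes:
    """Serialize the message deterministically so both sides MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def branch_sign(key: bytes, body: dict) -> dict:
    """Branch side: wrap the business message with an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Headquarters:
    """HQ side: verify the tag and enforce a strictly increasing sequence number."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0

    def accept(self, envelope: dict) -> bool:
        expected = hmac.new(self.key, canonical(envelope["body"]), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, envelope["tag"]):
            return False
        seq = envelope["body"].get("seq", 0)
        if seq <= self.last_seq:          # replayed or out-of-order message
            return False
        self.last_seq = seq
        return True


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine accepted, tampered rejected, replay rejected)."""
    hq = Headquarters(SHARED_KEY)
    order = {"branch": "BR-01", "seq": 1, "order_id": 1001, "amount": 250.0, "account": "ACC-BRANCH"}
    envelope = branch_sign(SHARED_KEY, order)
    genuine_ok = hq.accept(envelope)
    # On-path attacker rewrites the account field but cannot recompute the tag without the key.
    tampered = {"body": dict(order, account="ACC-ATTACKER"), "tag": envelope["tag"]}
    tampered_ok = hq.accept(tampered)
    # Attacker replays the untouched, validly tagged message; the sequence check catches it.
    replay_ok = hq.accept(envelope)
    return genuine_ok, tampered_ok, replay_ok
```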

An unauthorized user impersonates an authorized user to remotely access intranet resources.

Security zone: A network system generally has zones at different security levels, for example, a server zone at high security level and an office zone at low security level. Devices are placed in zones corresponding to their security levels, and untrusted zones are separated from security zones.

Effective management is an essential part of achieving information security goals. Its role should not be underestimated.
