Isn’t it annoying when you try to register on some site where you need to come up with a password, and over and over again you are shown the message “your password is insecure, come up with a new one”? You can come up with something stronger, but it will be hard to remember, so most people prefer simpler passwords, something like 1234, or 12345678 if the site requires at least 8 characters.
In fact, complex passwords are not a whim of the site owners but a way to ensure the information security of the site’s users. Perhaps an overly complicated information security system is redundant for some online karaoke service. In the worst case, evil hackers will shuffle the backing tracks in your playlist and sing in your place, leaving your few fans, singers just like you, bewildered.
But if we are talking about the electronic document management of a serious organization, the “cloud” storage of important data, secret correspondence in instant messengers, then information security is not a whim, but a necessity. Not to mention the protection of data constituting state secrets, or secret developments in the field of the country’s defense capability.
We will definitely talk about the doctrine of information security of the Russian Federation separately. So, our topic today is information security.
What is information security: a bit of history
Information security is a system of measures aimed at preventing unauthorized access to, disclosure, use or destruction of information presented in electronic or any other form, for example stored on paper or transmitted by telephone or radio.
The main task of the information security system is to ensure a reasonable balance of confidentiality, integrity and data availability. Simply put, if you close the data completely, store it “behind seven locks” and do not let anyone in, then the data will be safe and sound. However, it will be difficult, if not impossible, to use any information in such a closed mode.
Therefore, when it comes to information security, you need to remember that data security is not an end in itself, but only a means to an end that data serves. Any data is collected for something, for some business, and the success of the business should not suffer due to artificially difficult access. Moreover, the success of the business should not suffer due to unauthorized data leakage.
The search for ways to ensure information security has been going on ever since people began to pass information to each other by means other than personal conversation. The annals of history and the multi-volume “Lives of the Twelve Caesars” preserve evidence that the Roman emperor Gaius Julius Caesar invented his own “Caesar cipher” [ S. Tranquill, 1993 ].
In parallel with encryption systems, systems were developed for decrypting encrypted messages, as well as for intercepting them during transmission. With the advent of mail, governments began to create special organizations engaged in inspecting (perlustrating) letters from citizens.
For reference: perlustration is the inspection of correspondence in secret from the sender and recipient.
In England, the organization engaged in perlustration was called the “Secret Office”. The book The Evolution of British Sigint 1653-1939 [ J. Johnson, 1998 ] is devoted to the history of this structure. In Russia, similar functions were performed by the so-called “black cabinets”. Their history is told in the book “Black Cabinets”: A History of Russian Perlustration, 18th to Early 20th Century [ V. Izmozik, 2015 ].
However, the most important information in need of protection has traditionally been military secrets. Wars and preparations for hostilities stimulate the development of information security systems. The Enigma encryption machine, which was used by Nazi Germany during World War II, became a subject of interest not only for specialists, but also for filmmakers.
In 1979, the world saw the film “The Secret of Enigma” directed by Roman Wionczek, in 2001 the film “Enigma” directed by Michael Apted was released, and in 2014 a new film masterpiece, “The Imitation Game” directed by Morten Tyldum, also dedicated to Enigma, appeared.
One can talk endlessly about the history of everything related to information security systems. However, it is time to move on to what the concept of information security actually covers. Given that we live in the digital age, we will pay increased attention to cybersecurity, its components and everything related to it.
Areas of information security: what to protect?
So what does information security protection mean? What needs to be protected? In principle, anything can be the object of information security protection, from secret developments of the latest weapons to correspondence with a mistress on a smartphone.
First of all, objects of critical infrastructure should be protected, without which the activity of an organization, company, state is impossible. These are, of course, means of communication and telecommunications, through which data is usually leaked.
Of course, the necessary information can be obtained not only from a phone or a computer, but also through good old “wiretapping”. Serious organizations therefore develop a comprehensive information security system that includes protecting the buildings and structures they occupy from unauthorized entry and “wiretapping”.
In a broader sense, at the state level, critical infrastructure facilities include everything that ensures the stable functioning of the energy industry, water supply, transport, communications, healthcare, banking, and everything without which normal everyday life is impossible in today’s conditions [ smart-soft, 2020 ].
In general, the following categories of objects of protection are distinguished:
- Information (digital and analog signals, electronic data).
- Resource objects (software and hardware systems).
- Physical objects (buildings, equipment, territories, communications, etc.).
- User objects, subjects and owners of information.
So, we figured out what is included in the field of information protection and what exactly needs to be protected. You can learn more from the article “What is information security and what data does it protect” [ E. Springer, 2020 ]. Now the second question – how to protect?
Information security system: how to protect?
First you need to consider the main threats to information security, because the method of protection is chosen based on the type of threat.
Types of threats:
- Natural – those that do not depend on man (natural and man-made disasters, fires, earthquakes, floods, etc.).
- Artificial – those that are created by man. These are intentional threats (hacker interference) and unintentional (carelessness, incompetence).
- Internal – those that arise within the organization.
- External – those that arise outside the organization.
How to protect yourself from these threats? Here it is necessary to distinguish between legal, organizational-administrative, and technical aspects. In turn, technical means comprise physical, hardware, software and cryptographic components [ smart-soft, 2020 ].
Technical means of protection:
- Physical means – those that function outside information systems and prevent free access to them (sensors, locks, bars, video cameras, video recorders, etc.).
- Hardware – embedded devices (control systems, server and corporate network protection, eavesdropping protection, wiretapping detection tools, field indicators, noise generators, voice recorder and phone blockers, etc.).
- Software tools – special software (antiviruses, including cloud ones, Data Leak Prevention technologies, SIEM solutions).
- Cryptographic – cryptographic providers, VPN, generation and verification of electronic keys, electronic digital signatures, etc.
Just in case, let’s clarify the meaning of some terms:
- SIEM solutions are a combination of two technologies: SIM (security information management) and SEM (security event management).
- Data Leak Prevention is a technology for preventing information leakage, built on the basis of an analysis of the flow of data crossing a certain conditional “perimeter” of a protected system.
To put it simply, when it comes to the security of electronic data, the computer itself, the server and the software are the technical means of implementation. The information security of an organization involves storing data on its own or a rented server that is protected from unauthorized access, using a secure connection for data exchange, and everything that we talked about earlier.
However, purely physically, the user deals directly with the computer, the programs that are installed there, and the services that are available from the computer or phone. Programs and services require the user to enter a password, offer multi-level identification, antivirus updates and much more, which protects virtual data from unauthorized leakage.
So much for the technical side of information security. The organizational and administrative measures taken in the field of information security are just as important.
In short, this means defining the circle of persons who have access to information, the scope and access rights of each (established administratively and then implemented technically), and access rights to the premises where protected information is stored, to computers, servers, etc.
In other words, the information security of an organization implies, among other things, access to information only by reliable verified persons who are duly qualified to work with this or that information, software, and technical devices.
And finally, the legal aspect. Information security in the Russian Federation is regulated by constitutional provisions and a number of laws: “On Information”, “On Communications”, “On State Secrets” and others.
In addition, the Russian Federation adopted the Information Security Doctrine [ Electronic Fund of Legal and Regulatory Documents, 2016 ]. For reference: a doctrine is a certain concept, theory, teaching, guiding theoretical or political principle.
The doctrine contains the definition of national interests, the main information threats and directions for ensuring information security. Let us briefly go over the main provisions of the Doctrine, starting with the national interests:
- The rights and freedoms of citizens related to the receipt and use of information.
- Preservation of spiritual values.
- Stable operation of critical information infrastructure.
- Further development of the IT-sphere.
- Providing accurate information to the public.
- Promoting information security at the interstate level.
Current information threats:
- Malicious impacts on information infrastructure.
- The activities of the special services of some states related to technical intelligence.
- The activities of the special services of some states in order to destabilize the situation in Russia.
- Biased assessment of the situation in Russia in foreign media.
- Obstacles in the work of Russian journalists abroad.
- Dishonest propaganda.
- Cybercrime in the credit and financial sphere.
- Attacks on personal data.
- Dependence of the Russian industry on foreign information technologies.
- Insufficient level of own developments.
- The impossibility of managing the Internet on the principles of justice and trust between different states.
The wording is quite general, as it should be for a document such as a Doctrine. On the other hand, such general wording makes it possible, if desired, to justify under it any decision that benefits the authorities, including blocking almost any Internet resource.
However, there is hardly a state that fully welcomes interpretations of political events, decisions made, the economic consequences of certain decisions, etc. that are unfavorable to the country’s leadership. Media that are too independent or critical are almost always out of favor with the authorities. Depending on how democratic the state is, this disfavor may take the form of simply being ignored or of criminal prosecution on far-fetched (not political!) grounds.
Now, after we have dealt with the main aspects of information security, the question arises: how can an ordinary citizen protect himself in the information sphere?
Personal information security for each and every one
So, what information security or what level of information security should be provided for yourself? What can you do to ensure that your personal data does not end up where it is not needed? How to ensure the information security of children?
To begin with, let’s clarify what is meant by personal information security. Personal information security is the ability and opportunity to protect yourself and your inner world from various threats in the information sphere. What are these threats? Let’s figure it out.
Threats to personal information security:
- External administrative restrictions on receiving and transmitting information (media censorship, a ban on access to any data segment, blocking social networks, restricting access to certain online resources).
- Technical failures and unavailability of data for technical reasons.
- Data leaks due to your own negligence or as a result of targeted actions by intruders.
- Use by third parties of your personal data from open sources for profit and criminal purposes.
The last point is perhaps worth explaining in more detail. Today, even professional intelligence takes up to 90% of its data from open sources, and only 10% of information is obtained from sources that are closed to the public [ Pentagonus, 2009 ]. What then to say about ordinary apartment thieves and scammers?
There are frequent cases when the departure of an entire family to a resort was tracked simply through social networks, where family members boasted of purchased tickets and photos from the catalog of the hotel where they were going to stay. The thieves only had to wait for the right date and clean out the apartment, with 10 more days left to hide and cover their tracks before the owners returned from vacation and reported the robbery to the police.
However, even if you do not share personal information publicly and are not too talkative by nature, this does not mean that you are not in danger. Knowing only your email address, someone can find a lot of information about you on the Internet.
The technical details of the process are a topic for a separate and very voluminous article. We can offer those who are interested to study the material “Collecting information from open sources – how do potential attackers see you?” [ A. Borisov, 2019 ].
Simply put, if your financial situation and material wealth are of any interest, someone can always try to “get” you. For example, they can send a tempting offer tailored to your interests, with a link that supposedly leads to the company’s website but in fact leads to a website whose domain and design resemble the original brand’s.
All you need to do is transfer the required amount, and the desired product will arrive at your home with a big discount. This way they will also find out your real home address. It is probably unnecessary to add that the money will go to scammers, you will not receive the goods, and who will visit your address to find out when you are at home is also a big question.
What to do to protect your information security? Let’s say right away that if you want to enjoy the benefits of civilization and use all the possibilities of digital technologies, it is unlikely that you will be able to fully insure yourself against data leakage. At a minimum, you are forced to leave a name and a contact phone number every time you order something from an online store.
And even with complete digital minimalism, it is impossible to guarantee that your phone is not being “wiretapped” if a fraudster has taken an interest in you. Some ways to check can, however, be found in “How to find out if your mobile phone is being tapped” [ O. Medvedeva, 2020 ].
How to minimize risks when digital dangers are everywhere? Here are some tips from experts on “How to protect yourself as an ordinary user” and on what you should teach children to ensure their information security [ Positive Technologies, 2020 ].
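The lookalike-domain trick described above can be checked for mechanically before clicking or paying. The following Python code is an added example, not part of the original article: the trusted-domain list, the sample URLs in the usage and the function names are constructed for illustration, and treating the last two labels as the registered domain is a simplifying assumption (production code would use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the user really does business with (assumption).
TRUSTED = {"example-shop.com", "examplebank.com"}

# Digits and Cyrillic letters commonly used to imitate Latin letters.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

def skeleton(name):
    """Map look-alike characters to the Latin letters they imitate."""
    return name.translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a link."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # show punycode as Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid punycode
    host = host.lower()
    domain = ".".join(host.split(".")[-2:])  # simplification, see lead-in
    if domain in TRUSTED:
        return "trusted"  # the real domain or one of its subdomains
    for good in TRUSTED:
        # Same name after undoing character swaps, or one typo away.
        if edit_distance(skeleton(domain), skeleton(good)) <= 1:
            return "lookalike"
        # Trusted name used only as a subdomain of someone else's domain.
        if good in host:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for link in ("https://pay.example-shop.com/checkout",
                 "https://examp1e-shop.com/sale",
                 "https://example-shop.com.secure-pay.net/login"):
        print(link, "->", classify(link))
```

A “lookalike” result means the link imitates a trusted name and should not be used for payment; “unknown” only means the domain is not on the list and says nothing about whether it is safe.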
Top 10 Personal Information Security Tips:
- Use licensed software (programs, antiviruses) and update it in a timely manner.
- Enable two-factor authentication if the service offers such an option.
- Prefer complex passwords, different for different services, and change them every six months or a year.
- For daily work in the operating system, use an account without administrator privileges.
- To avoid loss of information, duplicate it on a hard drive and in a cloud storage with secure access.
- Do not open letters from unfamiliar senders, or check them with an antivirus before opening.
- Refrain from clicking on links sent by unknown senders.
- Refrain from clicking on links contained in “pop-up” advertising, even if the name of the advertised company is familiar to you.
- Refrain from downloading files from suspicious sites, in particular those that are cluttered with advertising or insistently offer to take you to another resource.
- Make online payments only from trusted services and after making sure that they really belong to the company you are going to pay for the product or service.
These are software-level tips. At the hardware level, you can often find advice to tape over or otherwise cover the camera of a smartphone or laptop when you are not using it. In principle, you can simply refuse to grant access to the camera, microphone and files on the hard drive to every application that requests it.
However, if some kind of spyware “breaks” through the anti-virus “fence”, this will no longer help. But a special “curtain”, or ordinary electrical tape with a piece of cardboard so as not to leave glue spots on the optics, will reliably protect against video recording of your actions. In any case, Roskachestvo recommends doing just that [ M. Gerasyukova, 2019 ].
This is, in a nutshell, everything we wanted to tell you about the basics of information security. The topic, of course, is much broader. We wish that nothing ever threatens you either in the real or in the virtual world!