IT Security, Information Security and Data Security
What Is IT Security?
IT Security, Cyber Security and Internet Security: the terms sound alike, but there are subtle differences. Generally, IT Security is defined as the protection of IT systems against damage and risks. This ranges from single files and computers through networks and cloud services to entire data centers. Cyber Security extends IT Security to cyberspace as a whole. Since most systems are connected to the Internet nowadays, IT Security and Cyber Security are often used interchangeably. Both cover all technical and organizational measures that defend systems against cyber attacks and other threats, including access controls, cryptography, rights management, firewalls, proxies, virus scanners, vulnerability management and much more. The term Internet Security specifically refers to protection against threats originating from the Internet.
What Is Information Security?
IT Security and Information Security are also often used interchangeably. Strictly speaking, however, IT Security is only one aspect of Information Security. While IT Security focuses on the protection of technical systems, Information Security covers the protection of information in general, including information that exists on non-technical media such as paper. The protection goals of Information Security are the confidentiality, integrity and availability of information. Suitable measures can be found, for example, in the internationally recognized ISO/IEC 27000 series of standards. In Germany, the IT-Grundschutz of the Federal Office for Information Security (BSI) serves as a guideline for Information Security. An important component is the establishment of an Information Security Management System (ISMS).
What Is Data Security?
Data Security aims to ensure the confidentiality, integrity and availability of data. In contrast to data protection, it is not restricted to personal data but covers all data. Confidentiality means that only authorized individuals can access the data. Integrity means that the data has not been manipulated or damaged. Availability means that the data can be used when it is needed. Establishing Data Security requires both technical and organizational measures, e.g., access controls, cryptography or redundant storage systems.
Information Security Management System (ISMS)
An Information Security Management System (ISMS) is not a technical system. It defines rules and methods for ensuring, checking and continuously improving Information Security. Among other things, this includes identifying and evaluating risks, specifying security goals, and clearly defining and documenting responsibilities, communication channels and processes. The requirements for an ISMS are specified in the ISO/IEC 27001 standard. An ISMS is an important component of a comprehensive IT security concept.
Cyber Resilience
Cyber Resilience is understood as the ability of a company or organization to maintain its business processes despite adverse cyber circumstances. These can be cyber attacks, but also unintentional disruptions such as a failed software update or human error. Cyber Resilience is a comprehensive concept that goes beyond IT Security: it combines Information Security, business continuity and organizational resilience. To achieve Cyber Resilience, it is important to identify vulnerabilities early, prioritize them according to their economic impact and remove them.
Questions on IT Security
Why IT Security?
IT is a central element of every company and forms the basis for almost all business processes. Without it, nearly nothing works anymore. In the worst case, IT disruptions can bring the whole business to a standstill, causing huge economic and reputational damage. It is therefore essential for companies to secure their IT systems and protect them against cyber risks and cyber attacks. Greater interconnection also means a larger attack surface: every connected device is a potential entry point for cyber criminals and increases the risk of being attacked.
Why Information Security?
Information is one of the most valuable assets a company has. Nowadays, it mostly exists as digital data in IT systems, where it is stored, transported and processed. However, it can also be written down on paper or passed on verbally. If information is lost, stolen, manipulated or no longer usable, the consequences can threaten a company's existence. For this reason, it is important to establish adequate Information Security to ensure the confidentiality, integrity and availability of information.
Which Effects Does an Attack Have on My Information?
If the availability, confidentiality or integrity of information is compromised, the consequences can be serious. For example, an attack can cause sensitive data, whether personal data or business secrets, to fall into the wrong hands. Attackers can carry out industrial espionage, steal the identities of individuals, abuse credit card information and much more. The manipulation of data can lead to incorrect transactions, production errors or wrong analysis results. If data is not available, all business processes that rely on processing it are affected as well: orders cannot be placed and production machines stop.
Which Attack Methods and Instruments Endanger IT Security?
Cyber criminals constantly develop new attack methods and grow more sophisticated. Nowadays, they are usually professionally organized and work with the latest technology. IT Security is therefore a permanent race against growing threats.
Common attack methods are:
Advanced Persistent Threats (APTs)
This refers to targeted cyber attacks that are tailored to chosen victims or victim groups and use advanced methods. Attackers gain persistent access to a network and then expand this access to other systems. To do so, they often implant malware.
Malware
The term "malware" covers all types of computer programs that perform undesirable or harmful operations on a system, e.g., viruses, worms and Trojans.
Ransomware is malware that encrypts the data on a system and only makes it accessible again if the victim pays a ransom. This type of malware has become particularly widespread in recent years. Known examples are the crypto Trojans WannaCry and Petya. Common distribution channels for ransomware are spam mails, phishing and drive-by exploits; the latter take advantage of vulnerabilities in browsers, browser plug-ins or operating systems. WannaCry in particular also spread as a worm over the network by exploiting an unpatched Windows SMB vulnerability, which is why timely patching is as important a defense as user awareness.
Spam and Phishing
Spam describes unsolicited e-mails and is a popular channel for distributing malware. Phishing e-mails are a special type of spam that tries to get the user to carry out a certain action, for example revealing login data or installing malware.
Botnets
Cyber criminals recruit third-party computer systems into botnets: collections of compromised PCs that they control remotely like robots and misuse for their own purposes. To do so, the computers are infected with malware. A common use of botnets is Distributed Denial of Service (DDoS) attacks.
Distributed Denial of Service (DDoS)
Distributed Denial of Service attacks aim to paralyze a service or server. Usually, attackers send vast numbers of requests to the server via a botnet, overloading it and making it unusable.
Vulnerabilities in Software and Hardware
Cyber criminals often exploit vulnerabilities in software or hardware for their attacks. It is therefore essential for IT Security to detect and eliminate such vulnerabilities. One important measure, for example, is promptly installing updates and patches to close security holes.
How Can the IT Security Risk Be Minimized?
To minimize IT risks and establish IT Security, companies have to introduce both technical and organizational measures. The first step is a process and vulnerability analysis. It identifies which processes are particularly essential for the company, which vulnerabilities exist, how likely it is that they will be exploited and what damage this could cause. It will never be possible to eradicate all IT risks. Instead, sound risk management is required: companies have to evaluate risks and reduce them according to their priority.
How Good Is the IT Security of My Company?
IT Security is never finished; it is an ongoing process. For this reason, companies should check their status and their measures continuously. Vulnerability Management or a security audit by a specialized consultant can help with that.
How Do I Prepare My Employees for IT Security?
IT Security and Information Security are not only a matter of technology. In fact, humans are the biggest vulnerability. Cyber criminals take advantage of this, for example by gaining network or system access through social engineering or phishing. For this reason, it is important to train employees and raise their awareness of IT risks and IT Security. Online training with interactive exercises is advisable: employees can complete it independently at any time and receive direct feedback from the interactive components, which leads to a fast learning effect.
What Value Has Information or Its Security for the Digitalization/Digital Transformation?
Data plays a key role for a successful digital transformation. Based on data, companies are able to gain knowledge, derive action recommendations and develop new business models. The ability to collect and evaluate data and to use it correctly is significant for success. Because of this, it is essential for companies to protect the confidentiality, integrity and availability of their data.
Paradigm Shift – From IT Security to Cyber Resilience
Realizing Cyber Resilience
Given the growing threat situation, companies have to strive for sustainable Cyber Resilience. This means preventing attacks where possible, reacting fast in case of a security incident and maintaining business operations without major damage. To achieve Cyber Resilience, companies have to take suitable technical and organizational measures, e.g., hardening the company IT and reducing the attack surface.
Differentiation from Cyber Security/IT Security
Cyber Resilience includes Cyber Security but goes further. While Cyber Security mostly concentrates on technical measures, Cyber Resilience is a comprehensive, more strategically oriented concept. In the past, Cyber Security was usually reactive. Today, this is no longer sufficient: companies have to address IT risks preventively. A paradigm shift is necessary, from Cyber Security to Cyber Resilience.
The path to Cyber Resilience starts with risk management. Companies have to evaluate and prioritize IT risks and decide which they must protect themselves against at any cost and which they can accept. IT risks can never be eliminated completely, because protection measures have to be weighed against their cost and must not disrupt running business operations. Building a giant wall around the IT would not be useful and would impair flexibility. IT risks have to be managed instead.
The basis of IT risk management is an analysis of the business processes and their vulnerabilities. What are the most important assets of the company, what damage could an attack cause to these assets and how likely is such an attack? Relating the possible damage to the probability of occurrence yields a risk rating with the levels low, medium and high. Companies then prioritize and reduce the risks according to this rating.
Compliance management goes hand in hand with good risk management. Compliance means observing rules, whether legal requirements, ethical principles or corporate regulations. A compliance violation is a risk that companies have to take into account in their risk management. Introducing a Compliance Management System (CMS) is recommended. It defines processes, measures and structures to ensure that the rules are observed.
IT Security for Critical Infrastructures
What Are Critical Infrastructures?
Cyber Resilience is especially important for companies that belong to the critical infrastructures: organizations and facilities of crucial significance for the state and society. If systems fail here, dramatic consequences may follow, for example the impairment of drinking water and power supply or a threat to public security. In Germany, the critical infrastructures are divided into nine sectors:
- Energy
- Water
- Food
- Information technology and telecommunications
- Health
- Finance and insurance
- Transport and traffic
- State and administration
- Media and culture
Because the individual sectors depend on each other, a disruption may lead to a cascade effect in which all of public life grinds to a halt. For example, all sectors need energy. If the power supply fails, this also affects the drinking water and food supply, sewage disposal and the operation of medical devices and financial systems.
How Are Critical Infrastructures Protected?
Securing critical infrastructures and making them resilient is extremely complex. Often, control systems from IT and OT (operational technology) are linked to each other. Because of this increasing interconnection, Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are suddenly exposed to, and attackable from, the Internet as well. In many cases these systems have no built-in security and come from different generations. Security policies and processes in OT were also established at a time when these systems were not connected to IT networks and have to be adjusted. In OT, safety has to be considered in addition to security, i.e., the reliable operation of devices so that people are not harmed by them. To achieve Cyber Resilience in critical infrastructures, IT and OT systems of different generations, together with their processes and policies, have to be integrated into one comprehensive security concept.
In Germany, the BSI-KritisV regulation defines who belongs to the critical infrastructures. The EU NIS directive prescribes minimum requirements for IT Security and reporting obligations for KRITIS companies. It was implemented in Germany by the NIS implementation act, which extends the IT Security Act (German: IT-Sicherheitsgesetz, IT-SiG). KRITIS operators are therefore obligated to establish IT Security according to the "state of the art" and to report significant or exceptional IT disruptions to the BSI. Furthermore, the BSI acts as a supervisory authority and checks whether companies comply with the legal requirements.
The EU General Data Protection Regulation (GDPR) also sets minimum requirements for technical and organizational security. Violations can be fined with up to four percent of the worldwide annual turnover or EUR 20 million, whichever is higher.
Vulnerability Management Within the Scope of Cyber Resilience
To achieve IT Security, Information Security and Cyber Resilience, Vulnerability Management is indispensable. It is the ability to promptly identify, evaluate and eliminate vulnerabilities according to their priority. This enables companies to harden their systems and reduce the attack surface. Many legal and regulatory requirements demand Vulnerability Management explicitly or implicitly.
The GDPR, for example, implicitly expects it: Article 32 requires a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational security measures. ISO/IEC 27001 certification requires it as well, through its control on the management of technical vulnerabilities, and KRITIS companies are obligated to perform it. However, Vulnerability Management is only one component of a comprehensive Cyber Resilience concept.
Vulnerability Management is never finished; it is an ongoing process. It consists of the following four phases, which form a cycle:
Prepare
The preparation phase is about defining the company's own IT Security goals. What has to be protected, and how intensively? What do the security processes look like and who is responsible for what? Afterwards, the IT Security policies can be linked to technical checks in the Vulnerability Management system.
Identify, Classify, Prioritize
Now a vulnerability scan of the infrastructure is performed. The Vulnerability Management solution checks the plausibility of the results and groups them, for example by the department an IT system belongs to or the function it fulfills. Then it is evaluated how critical the vulnerabilities are for the company and which have to be eliminated first.
Assign, Mitigate & Remediate
The next step is eliminating the vulnerabilities. The Vulnerability Management system ensures that the information about a vulnerability reaches the responsible person. It knows which ways and means are available to remove the vulnerability and can cooperate with other workflow tools such as a ticket or SIEM system.
Store & Repeat, Improve
The last phase makes the Vulnerability Management auditable and improves it continuously. Important information about vulnerabilities is logged, e.g., when they were found and reported and how quickly they were eliminated. Afterwards, the Vulnerability Management cycle starts again. Companies can refine their IT Security goals and adjust security policies if needed.
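The four phases above, carried through in code as an added example (written for this page; it is not code from the original text or from any vendor's product): the script runs a plausibility check on scan findings, classifies them by the asset's department and function, derives a business priority from damage (technical severity times asset criticality) and probability (public exploit available), routes each finding to an owner, and records time-to-remediate against a deadline so the cycle is auditable. The asset inventory, owner routing, SLA deadlines and scan findings are all constructed assumptions. The priority rule also illustrates the damage-times-probability rating from the risk management section: the same CVSS 9.8 finding comes out "critical" on the ERP database but only "medium" on the print server.

```python
"""Toy vulnerability-management cycle: check plausibility, classify by asset,
prioritize by damage x probability, assign an owner, log time-to-remediate.
All inventory, owner, SLA and finding values are constructed for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed asset inventory from the "prepare" phase: criticality 1 (low) .. 3 (high).
ASSETS = {
    "erp-db-01": {"department": "Finance",    "function": "ERP database",    "criticality": 3},
    "web-shop":  {"department": "Sales",      "function": "Public web shop", "criticality": 3},
    "print-srv": {"department": "Facilities", "function": "Print server",    "criticality": 1},
    "hr-wiki":   {"department": "HR",         "function": "Internal wiki",   "criticality": 2},
}
# Assumed routing of findings to the team responsible for each department.
OWNERS = {"Finance": "fin-it@example.invalid", "Sales": "web-team@example.invalid",
          "Facilities": "helpdesk@example.invalid", "HR": "hr-it@example.invalid"}
# Assumed remediation deadlines in days per business priority.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    fid: str
    host: str
    cvss: float             # CVSS base score 0.0 .. 10.0
    exploit_public: bool    # is a public exploit known?
    found: date
    fixed: Optional[date] = None


def cvss_severity(cvss: float) -> str:
    """CVSS v3 qualitative rating: the scanner's purely technical severity."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0.0 else "none"


def priority(f: Finding) -> str:
    """Business priority = damage (severity rank x asset criticality, 1..12)
    raised by probability of exploitation (+3 if a public exploit exists)."""
    sev_rank = ["none", "low", "medium", "high", "critical"].index(cvss_severity(f.cvss))
    if sev_rank == 0:
        return "none"
    score = sev_rank * ASSETS[f.host]["criticality"]
    if f.exploit_public:
        score += 3
    if score >= 12:
        return "critical"
    if score >= 8:
        return "high"
    return "medium" if score >= 4 else "low"


def assign(f: Finding) -> str:
    """Route the finding to the team that owns the asset's department."""
    return OWNERS[ASSETS[f.host]["department"]]


def remediation_status(f: Finding, today: date) -> dict:
    """Audit record: how long the finding is/was open and whether the SLA holds."""
    p = priority(f)
    days_open = ((f.fixed or today) - f.found).days
    return {"fid": f.fid, "host": f.host, "function": ASSETS[f.host]["function"],
            "cvss": f.cvss, "priority": p, "owner": assign(f), "days_open": days_open,
            "fixed": f.fixed is not None,
            "within_sla": p == "none" or days_open <= SLA_DAYS[p]}


def triage(findings, today: date):
    """Plausibility check, then prioritize. Findings on hosts missing from the
    inventory are not ticketed blindly but returned separately for manual review."""
    review = [f.fid for f in findings if f.host not in ASSETS]
    records = [remediation_status(f, today) for f in findings if f.host in ASSETS]
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}
    records.sort(key=lambda r: (rank[r["priority"]], -r["cvss"]))
    return records, review


def sla_compliance(records) -> float:
    """Share of records (open or fixed) that are within their deadline; 1.0 if none."""
    return sum(r["within_sla"] for r in records) / len(records) if records else 1.0


# Constructed scan results (not the output of any real scanner).
SAMPLE = [
    Finding("F-1", "erp-db-01", 9.8, True,  date(2024, 3, 1), date(2024, 3, 5)),
    Finding("F-2", "print-srv", 9.8, False, date(2024, 3, 1)),
    Finding("F-3", "web-shop",  6.5, True,  date(2024, 2, 1), date(2024, 3, 20)),
    Finding("F-4", "hr-wiki",   3.1, False, date(2024, 1, 10)),
    Finding("F-5", "ghost-box", 7.5, False, date(2024, 3, 15)),   # host unknown to inventory
]
TODAY = date(2024, 4, 1)

if __name__ == "__main__":
    records, review = triage(SAMPLE, TODAY)
    for r in records:
        print(f"{r['fid']} {r['priority']:8} cvss={r['cvss']} -> {r['owner']} "
              f"open {r['days_open']}d fixed={r['fixed']} sla_ok={r['within_sla']}")
    print("needs review (unknown asset):", review)
    print(f"SLA compliance: {sla_compliance(records):.0%}")
```

Two design points worth noting: the unknown host is deliberately kept out of the ticket queue, because a finding on an asset nobody owns is a gap in the inventory first and a vulnerability second; and the audit record keeps the SLA verdict for fixed findings too (F-3 was closed, but 48 days against a 30-day deadline is what the "repeat, improve" phase should surface).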
Which Critical Infrastructures Do Exist?
In Germany, the critical infrastructures are divided into nine sectors. We take a closer look at six of them.
Energy
The Energy sector includes the divisions electricity, gas and mineral oil. If failures occur here, other critical infrastructures are affected as well, because every organization and every company needs energy these days. Without power, the cold chain for the food supply breaks down, the water supply is impaired, electronic equipment in hospitals fails and much more. A particular challenge for IT Security and Cyber Resilience in the Energy sector is that a complex landscape of IT and OT systems and applications from different generations has to be taken into account.
Health
Many medical devices are networked today and are therefore reachable, and attackable, from the outside. If attackers interfere with the functionality of these devices, the health and, in the worst case, the lives of patients are at risk. Furthermore, physicians and hospitals increasingly use mobile devices, which extend the attack surface. Patient records are stored digitally these days, so vast quantities of sensitive patient data accumulate in the health sector. This is an attractive target for cyber criminals, who can sell the data for a lot of money.
Water
The Water sector comprises the divisions public water supply and sewage disposal. Water is life: we need it not only for drinking and cooking but also for washing and cleaning, and many industrial companies cannot operate without it. Equally important is working sewage disposal, since otherwise hygienic and sanitary problems arise. Nowadays, the water infrastructure uses a variety of interconnected IT and OT systems that have to be protected against cyber attacks. Because the processes are usually highly automated, cyber criminals can cause huge damage with only a small manipulation, for example by influencing the drinking water quality.
Information and Communications Technology (ICT)
Companies that provide the technical infrastructure for voice and data communication, or that run data processing and IT hosting for third parties, belong to the KRITIS sector Information Technology and Telecommunications. ICT is indispensable for both work and personal life; without it, many business processes and production facilities no longer work. Cyber attacks in the ICT sector can cause failures in all other KRITIS sectors.
Finance and Insurance
Finance and Insurance includes banks, stock exchanges, financial service providers and insurance companies. They ensure that payments work, pension schemes are run and damage is financially covered. If disruptions occur in finance, trading would no longer be possible, companies could not pay salaries and the state could not collect taxes. Because the finance and insurance industry relies largely on digital documents and automated workflows, and because cyber criminals could capture huge sums of money, the risk of cyber attacks is high.
Transport and Traffic
The sector Transport and Traffic includes aviation, maritime shipping, inland waterway transport, rail transport, road transport and logistics. It plays an important role for the economy, because goods, components and raw materials have to be transported from A to B and employees need public transport to reach their workplace. Furthermore, attacks on transportation can endanger lives, for example if traffic lights or railway signals are manipulated.