By Corey Moss
Information security (also known as InfoSec) ensures that both physical and digital data is protected from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. Information security differs from cybersecurity in that InfoSec aims to keep data in any form secure, whereas cybersecurity protects only digital data. If your business is starting to develop a security program, information security is where you need to begin as it’s the foundation for data security.
When creating an information security program, a proper governance structure must be put in place – a framework established to ensure that security strategies align with business objective and goals. It bridges the gap between business and information security, allowing teams to efficiently work together. This framework defines roles, responsibilities and accountabilities of each person, along with ensuring that an organization meets compliance.
Confidentiality, integrity and availability are of utmost importance for the most effective information security program:
- Confidentiality: ensures information is inaccessible to unauthorized people—most commonly enforced through encryption—which is available in many forms
- Integrity: protects information and systems from being modified by unauthorized people; ensures the data is accurate and trustworthy
- Availability: ensures authorized people can access the information when needed and that all hardware and software are maintained properly and updated when necessary
The practice of implementing various processes, technologies and practices to defend one’s organization’s networks, computers and data from unauthorized digital access, attack or damage, is a subset of information security. With countless types of sophisticated threat actors, it is critical that an organization’s IT infrastructure is secured at all times to prevent a full-scale attack on the network, risking exposure of data – and reputation.
Consists of policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs dependent on organizational procedure. Network security covers a variety of computer networks, both public and private.
Cybersecurity company Secureworks in Cybersecurity vs. Network Security vs. Information Security spells out how each serve a specific purpose in an organization’s security infrastructure. It begins:
We are in a time where businesses are more digitally advanced than ever, and as technology improves, organizations’ security postures must be enhanced as well. Failure to do so could result in a costly data breach, as we’ve seen happen with many businesses.
With that, two classic data breach examples (out of an endless multitude…)
The Equifax breach
Cybersecurity – in terms of controls, preparation and awareness, Equifax rated a zero.
In an attack that lasted from mid-May through July of 2017, hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole over 200,000 credit card numbers and dispute documents with personal identifying information for about 182,000 people. Hackers were also able to obtain personal information of people in the UK and Canada.
It’s hard to figure out where exactly to begin pointing fingers – why not CEO Richard Smith? One of the most shocking enterprise hires that I’ve ever witnessed put a Music Composition MBA in the top security seat in the organization – CSO Susan M., as she became known on LinkedIn after the breach (she no longer exists). An article in Infosecurity Magazine Was the Equifax CSO to Blame? specified that there seemed to have been an issue with the entire cybersecurity program, with the biggest being a lack of necessary resources available to efficiently monitor and mitigate risks to the company, along with protecting most valuable personally identifiable information (PII).
On top of that, a true major issue may have been a board that didn’t fully understand cybersecurity (CEO Richard Smith served as Chairman of the Board as well), and the potential consequences without proper controls in place. Fingers were also pointed at the CIO, the day to day security gatekeeper, and the article even pointed to the the number of open security related jobs at the time in the organization (not including C-levels) – 12.
For an organization of its type – a consumer credit reporting agency collecting and aggregating information on over 800 million individual consumers and more than 88 million businesses worldwide – it’s hard to classify this as anything less than highly irresponsible… bordering on egregious.
The Tesla breach
Network security – enter the world of internal corporate grudge data theft.
Dark Reading: Tesla Employee Steals, Sabotages Company Data
A Tesla employee used his trusted access to the company’s network to steal a large amount of highly sensitive data and ship it to unknown third parties. The employee, according to Elon Musk, made changes to Tesla’s manufacturing operating system using false usernames, wherein a large volume of highly sensitive Tesla data was exported to third parties.
An e-mail was sent by Musk to the entire Tesla organization:
From: Elon Musk
Subject: Some concerning news
June 17, 2018
I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties.
The full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad. His stated motivation is that he wanted a promotion that he did not receive. In light of these actions, not promoting him was definitely the right move.
However, there may be considerably more to this situation than meets the eye, so the investigation will continue in depth this week. We need to figure out if he was acting alone or with others at Tesla and if he was working with any outside organizations.
As you know, there are a long list of organizations that want Tesla to die. These include Wall Street short-sellers, who have already lost billions of dollars and stand to lose a lot more. Then there are the oil & gas companies, the wealthiest industry in the world — they don’t love the idea of Tesla advancing the progress of solar power & electric cars. Don’t want to blow your mind, but rumor has it that those companies are sometimes not super nice. Then there are the multitude of big gas/diesel car company competitors. If they’re willing to cheat so much about emissions, maybe they’re willing to cheat in other ways?
The full e-mail can be found here.
Now we know that Musk is just a little “out there” as evidenced by his warnings of AI and robot world domination, and maybe he’s going just a little further than necessary here beyond an employee who is angry over not getting a promotion? Maybe getting back at the company in the best way that he technologically knows how? Ex-Tesla employee Martin Tripp is in the process of crowdfunding his legal defense, battling the “machine” (as he calls it) that is Tesla.
From the Dark Reading article, Ken Spinner, vice president of global engineering at Varonis:
“In a recent report, we found that 41% of companies had at least 1,000 sensitive files open to all employees,” Spinner says. “Companies are doing and creating, but they’re not locking down their data.”
In a Beyond Trust article Tesla Breach Re-Affirms Need for Greater Controls Over Insider Access to Critical Data, it lists the “5 Steps to Avoid Becoming the Next Tesla” – steps that all of America’s enterprise institutions need to recognize.
Though considerations concerning this insider breach appear to still be speculative (including whistle-blowing), this incident, along with Equifax and a slew of other breaches in corporate, education, government and healthcare prove beyond the shadow of a doubt that threat mitigation and ultimately prevention practices (including strategy and preparedness from the top down) need to fully advance across the board — and fast.
And while we’re talking about Tesla…
Part 2 coming soon.
(Header image: Pixabay/CC0 Creative Commons).
With over 20 years in audio visual integration and IT/computer sales and consulting, Corey Moss is the owner of Convergent AV. Corey writes for the publication and hosts/produces podcasts – The AV Life, Convergent Tech Talk and Convergent Week. He has written for numerous industry publications about AV, IT, unified communications and collaboration (UCC), cloud and software, IoT, cybersecurity and more. He has also conducted interviews with AV and IT executives and global influencers. Find him talking about a whole lot of things, tech and otherwise. On LinkedIn https://www.linkedin.com/in/mosscorey/.