Information security (also known as InfoSec) is the set of tools and procedures to protect confidential information from misuse, unauthorised access or other events such as destruction or disruption.
The concept of information security encompasses physical and environmental security, cyber security and access control.
Threats to information security
In this article we will analyse the main threats to information security, on the basis that they can have different origins, such as human error, deliberate and/or malicious attacks or natural disasters.
Should the threats materialise, the consequences may include deletion, theft or modification of information; interruption of a service; and physical damage to, or theft of, both equipment and information storage media.
These are some of the main threats and their most characteristic features:
Access to sensitive printed information
Apart from other sophisticated threats which will be discussed later, some of the most obvious threats relate to the physical environment.
Thus, accessing confidential hard-copy information that is not properly safeguarded or protected poses a threat if it becomes available to unauthorised personnel.
A first step in protecting sensitive information is therefore much more obvious than, for example, having secure passwords: be careful about what documentation can be left behind on the photocopier or in the workplace.
Physical damage to equipment
Physical damage to equipment can be caused for different reasons, and there are two broad categories: those of a voluntary nature and those of an involuntary origin.
Voluntary damage includes actions carried out intentionally, as the name suggests. Involuntary damage, on the other hand, is of two types: negligence on the part of users (knocks, spilled drinks or food, etc.) or, in extreme cases, natural catastrophes such as electrical failures, fires or floods.
Identity theft
This type of threat occurs when someone, by computer means, obtains the personal information of others without their consent in order to commit fraudulent acts.
Protecting data such as full name, identity number, social security number or banking information, for example, can be a very effective way of preventing identity theft.
Trashing
Trashing is the search for information in the recycle bin. It is a potential threat to users who do not shred information once it has been sent there.
Social engineering
Social engineering encompasses the set of techniques used by cybercriminals to manipulate victims into sending confidential information, private keys or even money, by appealing to cognitive biases, misdirection or emotions.
Social engineering is generally based on tactics such as impersonation, intimidation and threats, flattery or creating a sense of scarcity, all meant to push the victim into wrong decisions motivated by a false sense of urgency.
Phishing
Phishing is a scam in which the identity of a person or organisation known to the victim is impersonated in order to obtain confidential data such as passwords, credit card numbers, addresses or bank accounts.
A tip to prevent this is to check the e-mail address from which you receive the notification, check whether the links in the message are secure, and be wary of messages that ask you for personal information or money.
Viruses
Viruses are programmes designed to interfere with the normal functioning of the computers on which they run. The way to prevent them is to keep the antivirus enabled and updated.
Password attacks
Strong passwords help to minimise the risk of password attacks.
Attacks can be carried out in two ways: brute-force (using a tool to try every combination of letters and numbers, relying on guessing the key) or dictionary (using a list of words hoping that the password is a commonly used word or one seen on previous sites).
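To see how a password stands up to each of the two attack types, the following added example (not part of the original article) checks a candidate password from the defender's side. The word list, the assumed guessing rate and the one-year threshold are illustrative assumptions, and only ASCII characters are counted.

```python
import math
import string

# Constructed miniature word list; a real check would use a large list of
# commonly used and previously leaked passwords.
COMMON_WORDS = {"password", "qwerty", "letmein", "dragon", "welcome", "123456"}
GUESSES_PER_SECOND = 1e10        # assumed attacker speed, for illustration only
ONE_YEAR = 365 * 24 * 3600       # assumed threshold between "weak" and "strong"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(password):
    """Alphabet size an exhaustive search must cover (ASCII classes only)."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def brute_force_bits(password):
    """log2 of the number of candidates a brute-force search has to try."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def in_dictionary(password):
    """True if the password is a listed word, ignoring case and any
    digits or symbols appended to it (e.g. 'Welcome2024!')."""
    lowered = password.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    return lowered in COMMON_WORDS or core in COMMON_WORDS

def assess(password):
    """Return (verdict, bits): 'dictionary', 'weak' or 'strong'."""
    bits = brute_force_bits(password)
    if in_dictionary(password):
        # A large search space does not help if the word is on a list.
        return "dictionary", bits
    seconds = 2 ** bits / GUESSES_PER_SECOND
    return ("weak" if seconds < ONE_YEAR else "strong"), bits
```

A password such as `Welcome2024!` has a large brute-force search space yet is still reported as `dictionary`, because it is a common word with digits and a symbol appended.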
World Password Day has recently been commemorated to highlight the importance of passwords and of using them correctly.
Deepfakes
Although we are talking about a threat of a different nature, deepfakes have also become a risk.
This is an advanced Artificial Intelligence technique, with different typologies such as deepvoice or deepface, which recreates physical movements, facial features or voice with a hyper-realistic result. It seeks to deceive the audience, and the results are often indistinguishable from the real thing.