The idea behind writing this post is to differentiate Information Security from Cybersecurity.
 
I have found that people still struggle to make a clear distinction between these two.
 
 
 
 
Many years ago, the term 'Information Security' was the popular one with businesses. In recent years it is the term 'Cybersecurity' that has gained a lot of momentum. Not only has it attracted more attention, it has attracted a lot of research too.
 
But the two terms don't mean the same thing. They are not equal, and you can't dismiss the newer one as old wine in a new bottle.
 
-
 
👉 What is Information Security?
 
NIST defined it as--
 
The protection of information and information Systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to provide confidentiality, integrity and availability.
 
Note the word "unauthorized" here, followed by Confidentiality, Integrity and Availability.
 
The GOAL of information security is laid out so clearly that you cannot miss it: it is all about the CIA triad, i.e., Confidentiality, Integrity and Availability. Information security is concerned with the systems and procedures that collect, organize and disseminate information, whatever form that information takes.
 
The CIA triad is so well known that I need not elaborate much here; I will touch only on the essence.
 
  • Confidentiality refers to placing limits on access to information and IT systems. It means putting layers of defence (authentication, authorization, encryption) between a user and the resource they might be accessing, so that only authorized parties can read the data. 
  • Integrity refers to ensuring that data remains intact and unchanged except through authorized operations. Again, it is about putting in place measures (access controls, checksums or signatures, audit logs) so that non-authorized people and entities cannot alter data, and so that any alteration is detected. 
  • Availability demands measures that ensure legitimate, authorized users can access the information whenever they need it (ideally, all the time). Redundancy is the foundation of availability: backups, replicated systems and failover capacity, so that no single failure or attack takes the information away. Keeping systems patched as soon as fixes are released is a separate but related availability measure, because unpatched systems are easier to disrupt. For example, if you keep a backup of your stored data on a second system (a separate server, or cloud storage), a ransomware attack, although still serious, will not cripple your company by locking you out of your information. The caveat is that the backup must be offline, immutable or otherwise unreachable from the compromised network, and it must be verified, because ransomware that can reach a mounted backup will encrypt that too.
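The integrity and availability points above are easiest to see with a concrete check. The following is an added example, not code from the original post: it builds a SHA-256 manifest of a primary data set, signs the manifest with an HMAC key (assumed to be kept offline, away from the backup host), and then verifies a backup copy against it. The sample files, the simulated ransomware encryption and the forged manifest are all constructed inside the example so it runs offline.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative POSIX path) under root to its digest. Integrity baseline."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical rendering of the manifest, so an attacker who rewrites
    the backup AND the manifest still cannot produce a matching tag without the key."""
    canonical = "\n".join(f"{name} {digest}" for name, digest in sorted(manifest.items()))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_backup(backup_root: Path, manifest: dict, tag: str, key: bytes) -> dict:
    """Check the manifest's authenticity first, then the backup contents against it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return {"manifest_tampered": True, "missing": [], "modified": []}
    current = build_manifest(backup_root)
    missing = [n for n in manifest if n not in current]
    modified = [n for n, d in manifest.items() if n in current and current[n] != d]
    return {"manifest_tampered": False, "missing": missing, "modified": modified}


def demo() -> dict:
    """Constructed scenario: clean backup, then ransomware damage, then a forged manifest."""
    key = os.urandom(32)  # assumption: stored offline, never on the host that holds the backup
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        backup = Path(tmp) / "backup"
        for root in (primary, backup):  # constructed sample data, identical on both sides
            (root / "db").mkdir(parents=True)
            (root / "db" / "customers.csv").write_bytes(b"id,name\n1,alice\n2,bob\n")
            (root / "db" / "orders.csv").write_bytes(b"id,customer\n10,1\n")

        manifest = build_manifest(primary)
        tag = sign_manifest(manifest, key)
        clean = verify_backup(backup, manifest, tag, key)

        # Simulate ransomware that reached the mounted backup: one file encrypted, one deleted.
        (backup / "db" / "customers.csv").write_bytes(b"\x8f\x12\x9a\xc4 encrypted-by-ransomware")
        (backup / "db" / "orders.csv").unlink()
        after_attack = verify_backup(backup, manifest, tag, key)

        # Attacker regenerates the manifest to match the damaged backup, but keeps the old tag.
        forged = build_manifest(backup)
        forged_check = verify_backup(backup, forged, tag, key)

    return {"clean": clean, "after_attack": after_attack, "forged_manifest": forged_check}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of checks matters: the HMAC is verified before the file digests, so a manifest that was rewritten alongside the files is rejected outright rather than reporting a clean backup. In a real deployment the verification runs from a host that the backup target cannot write to, which is the "offline or immutable" property the caveat above refers to.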
 
With ever-growing concerns about information security, a number of laws were enacted (in the USA). For example:
 
1. e-Government Act (2002)
2. Federal Information Security Management Act [FISMA] (2002)
3. Federal Information Security Modernization Act [FISMA] (2014)
 
Some standards were also established. For example,
 
1. Federal Information Processing Standards (FIPS). These are issued by NIST and predate FISMA, but FISMA (2002) made compliance with them mandatory for federal agencies, and FISMA (2014) carried that requirement forward.
 
All in all, a large number of checks and balances were introduced over the years, all aiming for heightened information security.
 
-
 
👉 What is Cybersecurity?
 
NIST defines cybersecurity as--
 
The ability to protect or defend the use of 'cyberspace' from cyber-attacks.
 
What is this cyberspace here?
 
Cyberspace refers to a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
 
That is why cybersecurity encompasses networks, the devices on those networks, and the programs used with them. More specifically, cybersecurity draws your attention to threats that come through the internet itself or through malicious use of the internet.
 
To make the difference between Information Security and Cybersecurity clear, please read the following lines carefully.
 
Information Security focuses on CIA (with the underlying emphasis on data and information).
 
Cybersecurity focuses (not on the data or information as such, if I may say so) on all of the following:
 
(1) Technologies (hardware and software) used to store and manage your data/information, usually called ICT: servers, databases, routers, switches, etc.
(2) Technologies (hardware and software) used to protect the technologies mentioned in point (1). These include hardware- and software-based firewalls, IPS/IDS, EDR, SIEM, SOAR, IAM, and many more in between.
 
Lastly, information security deals more with unauthorized access or disclosure as well as operational disruptions, while cybersecurity targets threats that originate from criminals in cyberspace.
 
Information security covers more than information in cyberspace or in digital form; it includes information in physical form too.
 
A final example: if a hacker makes inroads over the network and reaches your database, that is a cybersecurity case. If an insider or outsider manages to physically reach the server room where the database resides, that is an information security case.
 
All in all, the two disciplines overlap considerably, but there are subtle differences.
 
-
 
Where does IoT belong?
 
IoT devices add to the complexity of cyberspace, hence they belong to cybersecurity.
 
Since cybersecurity deals with devices and the interconnection of devices and technologies, the onus of protecting IoT devices falls squarely on the companies that build and deploy them.
 
A major IoT problem is that every device connection means data must be collected and stored (e.g., who connected, from where, for how long). Add the many connections IoT allows per day, and you have a plethora of potential entry points for threat actors. For example, man-in-the-middle attacks on device traffic and botnets built from hijacked devices continue to be an issue for companies and individuals.
 
Because they hugely increase the number of possible entry points for an outside attacker, you need to manage the cybersecurity issues they raise.
 
-
 
👉👉 World-view of Information Security is not the same.
 
While information security went mainstream before cybersecurity, both are of equal importance. Many information security safeguards bolster cybersecurity controls and vice versa. Moreover, there is significant overlap between the two in terms of best practices.
 
To sum it up, cybersecurity is all about the security of 'anything and everything' pertaining to the cyber realm, while information security is all about security concerning 'information' irrespective of the realm.
 
So, you can infer, in a way, that information security is a superset of cybersecurity.
 
Still, there is a difference between information security and cybersecurity, and this difference becomes much more glaring if we look at it through the lens of Russia and China. They look at 'information' not only from the angle of cyber-warfare but also from the angle of information-warfare. Their perspective is that information itself is a tool which can be weaponized and used viciously, in particular through the effects a piece or set of information can have on individual and social consciousness, on the information infrastructure, and on information itself.
 
This extended view of information security results in interesting situations in which Russian (or Chinese) information security practitioners, together with linguists, psychologists and others, explore risks and defences against electronic means of 'zombification': tools and techniques that act on the consciousness and subconsciousness of a population to induce irrational behaviour.
 
Risks such as psychological warfare, the negative influence of sects, mass exposure to psychotropic drugs, 'zombie-creating' (mind control) directed-energy weapons, etc. are all considered in discussions around national protection and in the development of their national information security doctrine and policies.
 
This is in sharp contrast to the Euro-Atlantic view of information security, which simply does not treat the mind as part of the information space or as a concern for infosec.
 
In my personal opinion, I am in agreement with the Russia-China perspective, because here in India I am witnessing deliberate, malicious manipulation of information to fuel the communal, religious, faith-based and political fault-lines of society. Such threats are posed not only from inside, but largely by outside influences generated by enemy or unfriendly nations. Almost on a daily basis, concentrated propaganda is carried out using the media and social media. All this is done freely under the garb of 'Freedom of Expression.'
 
I am appalled by such powerful but negative influences that are forced on the people of India daily. I guess the people of my country need PROTECTION from all such information campaigns and propaganda. In fact, I would want my country's laws to acknowledge this reality and enforce some sort of control mechanisms.
 
-
 
Kindly write 💚 your comments 💚 on the posts or topics, because when you do that you help me greatly in ✍️ designing new quality articles/posts on cybersecurity.
 
You can also share with all of us if the information shared here helps you in some manner.
 
 

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so committed to the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.

30,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts.

If you haven't yet come across her enthusiastic work of sharing quality information about cybersecurity, you can follow her on Facebook: Cybersecurity PRISM