Information Security (Infosec) is relatively a new discipline in Information Technology (IT). Usually, it is included as an elective in a course or just a section in software development or network administration. But in these modern times, the study of Infosec encompasses various domains in IT and industries. Meaning to say, Infosec can be applied to database, business administration, human resource etc. It is important to understand that Infosec must be taken as a disparate discipline. Lastly, there are a lot of career opportunities that focus on Infosec because the field is taken as a separate entity. In the 90’s for instance, Infosec is just part of the IT department. Now, there is a separate Security Operations team that manages just security related incidents.
Infosec vs. IT Security
The question “What is the difference between Infosec and IT Security?” is usually queried in job interviews. Now, is there any distinction between the two terms? The answer can be based on the scope of the two. When we say IT Security, this talks about security solutions that are deployed to answer IT needs. For instance, IT Security can be deploying a firewall in the network to control acceptable packets that go in and out of the private network. Another IT Security solution can be deployment of Anti-virus (AV) software in end devices such as desktop computers and laptops.
Infosec is bigger than just IT. IT Security is a subset of Infosec. A good example is, what type of door should I buy to securely lock the servers in the data center? Another example can be, what skills should the receptionist have in order to detect and counteract with fraud calls asking for confidential information?
Formula of Security
Can you imagine yourself going to SM Mall of Asia? Before you are allowed to get inside the mall, you will be subjected to so much inspection and frisking. I’m just not sure if the guards know what they are looking for (pun intended). After the bag inspection and frisking, the queue of people getting in becomes longer and a lot are already angry.
Same is true when you are going to inquire about your credit card balance over the phone. Before you are given the account balance, you will be subjected to various verification questions like date of birth, mother’s maiden name, address and phone number.
Isn’t security a hassle? You may somehow have thought how to show the formula for security.
Simply put, Security is inversely proportional to Convenience. This formula is applicable to all scenarios that will involve security. The more you enforce security, the more it is inconvenient to the users of the facility.
Functionality-Usability-Security (FUS) Model
Supposed you are in your Software Development class or a freelance programmer doing a project for a client. The normal tendency of the programmer is to make sure that the requirements are met and that it is “user-friendly” with the user. In short, you need to please your client.
In security, it will teach you to lessen the attack surface of your application. Yes, you will have to meet the client requirements but you have to check if you can improve it in the security perspective. If you have written the program with 1,000 lines of code, can you improve it by lessening the lines of code? Hypothetically, if you can provide the same program with 100 lines of code with the same functionalities (or removing unnecessary functionalities), then your program is much better for security. There are less ways to exploit a program of 100 lines of code compare to 1,000.
The FUS Model simply states that if you focus solely on Usability, then there will be less Functionality and Security in your program. If you focus on Security on the other hand, there will be less Functionality and Usability in the program. The ideal scenario is to have balance between the three, as depicted in Figure 2.
Depending on the program, however, the focus can change. If you are creating an online banking system for example, the program should be more on Security. In reality, the functionalities of online banking systems are very limited such as view account balance and transfer money from verified accounts at the very least. It is not user-friendly because you will be prompted to type a Transaction Password every time you do a transaction. All your activities are logged for auditing purposes.
—– NOTHING FOLLOWS —–
You can download the PDF version of this lesson here: INFOSEC_L1_IntroToInfosec.