Information Security, Cybersecurity, IT Security, Computer Security... What's the Difference?

Image

Information security, cybersecurity, IT security, and computer security are all terms that we often use interchangeably. I know that I do. I've written a lot about those areas for the past several years. I notice that sometimes I switch between the terms in an article simply to avoid repeating the same phrases over and over again in my prose. Very often, it's legitimate to use the terms interchangeably. Computers deal with information. IT security is a facet of information technology, which usually applies to computers. Computer security... ditto. Cybersecurity is defined as protecting systems from cyber threats. “Cyber” is defined by Merriam-Webster as something “of, related to, or involving computers or computer networks.” So, I'm talking about a few different terms that generally mean the same thing. It might be useful to examine the origins of those terms to appreciate their meanings better. I believe military communications and pre-digital ciphers marked the genesis of information security as a whole. One of the saddest facets of the history of humanity is that war has always been with us. Even way back in the B.C. times when brontosauruses worked as dishwashers in cavemen kitchens, tribes, civilizations, clans, and nations have wanted to kill others in the quest for power. (Okay, I'm an infosec writer, not an anthropologist. Maybe wooly mammoths worked in cavemen kitchens instead. I only have the Hanna Barbera historical record to go by, I'm afraid.) One of the keys to success in war is to make sure that the enemy doesn't know where or how you're going to strike and to figure out what the enemy plans to do. So, cryptography predates electronic computers by thousands of years. Cryptography is a key component of information security. Cryptography's aim is to keep data only accessible by the intended recipient. That applies to the monoalphabetic substitution ciphers used around 600 to 500 B.C. as much as it does to the AES ciphers used today. What we usually think of as cryptography, digital cryptography, dates back to innovations made during World War II. The cipher machines of that era weren't really digital. They were electro-mechanical. The Enigma series of machines were amongst the earliest, invented by German engineer Arthur Scherbius toward the end of the first World War and used commercially throughout the 1920s. It was the primary cryptographic technology that was used by Nazi Germany in World War II, so the Allied powers worked very hard to crack it. Predating World War II, there was already progress in the cryptanalysis of Enigma. In 1929, the Polish Cipher Bureau started to employ mathematicians by inviting students at Poznan University to take a class on cryptology. By 1932, Poznan graduates Marian Rejewski, Henryk Zygalski and Jerzy Rozycki were working for the Polish Cipher Bureau on a full-time basis. Concurrently, a French spy, Hans-Thilo Schmidt, had infiltrated Germany's Cipher Office in Berlin. That reminds me of how social engineering is always a major information security risk. It's often overlooked by laypeople who think “hacking” is typing commands in a terminal at 300 words per minute as depicted by Hollywood. “That hacker is out-hacking that other hacker! His typing is so much faster than his enemy's, and he looks much more suave in a hoodie!” Cracking Enigma required some technical and mathematical brilliance, but fooling Nazi Germany into thinking that a spy was on their side was instrumental. Schmidt's espionage helped the Polish Cipher Bureau acquire key Enigma documentation from the Germans. Rejewski used those documents and commenced his cryptanalysis of Enigma with a couple of hours of work each day near the end of 1932. During World War II, Britain's military cryptanalysis effort was headquartered at Bletchley Park. Alan Turing, the famous computer science pioneer, was employed by the UK's Government Code and Cypher School by 1938 just before the War. He worked under Dilly Knox, a senior codebreaker. The day after Britain declared war on Germany in September 1939, Turing, Knox, and GC & CS operations in general moved to Bletchley Park. Britain was focused on cracking Enigma from that base, and Polish Cipher Bureau breakthroughs from the early 1930s were essential to those efforts. Cracking German electromechanic Enigma and Lorenz ciphers may have been a key factor in the Allied powers winning the War by 1945. ENIAC's debut in 1946 heralded the advent of digital computing. PDP mainframe computers drove MIT innovation in the 50s and 60s. By the early 1970s, many large corporations were customers of IBM mainframe technology. Data on corporate mainframes often constituted industry trade secrets and sensitive data pertaining to client transactions. Also, the U.S. government identified a need to keep unclassified but sensitive data secure. The work of cryptographer Horst Feistel addressed both realms. His Lucifer cipher for IBM was an essential precursor to the development of DES for the National Security Agency. So, information security predates digital computers, but computer security and cybersecurity were born from computer science innovations that started just after World War II. Keeping information secure for the history of data predating electronic computers (such as ancient cryptography) to this very day falls under the banner of information security. Computer security and cybersecurity are completely interchangeable terms, and require digital computer technology from 1946's ENIAC to now. Computer security and cybersecurity are both children of information security. IT security is information security as it pertains to information technology. Information technology is a child of computer science. IT is the application of computer science for practical purposes, largely for industry (mainframes, supercomputers, datacentres, servers, PCs and mobile devices as endpoints for worker interaction) and consumers (PCs, mobile devices, IoT devices, and video game console endpoints for enduser lifestyles.) IT security can probably be used interchangeably with cybersecurity, computer security and information security if it pertains to business. For example, that paper shredder is an information security measure but it's not really a device for cybersecurity or computer security. The paper shredder can be considered a factor in IT security if a corporation's information security policy mandates its use. Ensuring proper HTTPS implementation for an e-commerce website or mobile app falls under cybersecurity and computer security, so it's information security, as well. And a corporation's IT department works on the e-commerce website's HTTPS implementation, so it's IT security, as well. In the 21^st century, information security, cybersecurity, computer security, and IT security are often, but not always, interchangeable terms.  

Image

About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.