[Information II] Information Security: Building a Secure Digital Society

Hello everyone! In this chapter, we will learn about "Information Security." Building on the foundations you learned in "Information I," we will step things up to look at more advanced technologies and organizational approaches to protection.
You might feel that "security sounds difficult..." but don't worry! If you think of it as the technology that protects our familiar smartphones and social media, it will feel much more relatable. Let's master this together and have fun doing it!

1. The Three Pillars of Information Security (CIA)

What does it actually mean to protect information? Among professionals, this is known as CIA, named after the initials of the following three core principles:

(1) Confidentiality

Ensuring that only authorized individuals can access information.
Example: A DM (Direct Message) with a friend cannot be seen by anyone else.

(2) Integrity

Ensuring that information is correct and has not been tampered with or corrupted.
Example: Your bank balance is recorded accurately without being increased or decreased by unauthorized parties.

(3) Availability

Ensuring that information can be used whenever it is needed.
Example: A website or app continues to function without interruption, even during an earthquake or technical issue.

[Key Point!]
In the past, the focus was often exclusively on "keeping things hidden" (Confidentiality), but in the modern era, "being able to use it whenever" (Availability) is considered just as important.

★ Pro-tip:
Recently, there are also "7 elements" that add Authenticity (verifying the identity), Accountability (tracking who did what), Non-repudiation (preventing someone from denying their actions), and Reliability to the mix!

[Summary so far]
Security is only truly complete when all three are in place: keeping information hidden, keeping it correct, and keeping it available.

2. Encryption Technology: Understanding Information "Keys"

The ultimate weapon for protecting information is "encryption." Let’s clearly organize the differences between "Symmetric Key Encryption" and "Public Key Encryption."

(1) Symmetric Key Encryption

A method where the key used for encryption and the key used to restore the data (decryption) are the same.
・Pros: Processing speed is extremely fast.
・Cons: There is a risk that the key could be stolen while being sent to the recipient (The Key Distribution Problem).
Example: Like a "padlock" at home. You use the same key to lock and unlock it.

(2) Public Key Encryption

A method that uses a pair: a "Public Key" (which you give to everyone) and a "Private Key" (which only you keep).
・Mechanism: Anything locked with the Public Key can only be opened with the corresponding Private Key.
・Pros: No risk of the key being stolen during transit (since you don't need to share the private key).
・Cons: Calculations are complex, and processing takes time.
Example: A mailbox. Anyone can drop a letter in (locking it with a Public Key), but only you, as the manager, can take the contents out (using your Private Key).

(3) Hybrid Encryption

Modern internet protocols (like HTTPS) combine the best of both worlds:
1. Use Public Key Encryption to safely send the "Symmetric Key" to the other party.
2. Subsequent data exchanges are performed using fast Symmetric Key Encryption.
Security + Speed = The Ultimate Security!
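
The two steps above, as an added Python example (not part of the original guide): the recipient's toy RSA key pair wraps a random session key, and the message itself is protected with that session key. The fixed primes, the unpadded RSA and the SHA-256 keystream standing in for a real symmetric cipher such as AES are assumptions made here so that it runs with the standard library only; all names are illustrative.

```python
import hashlib
import secrets

# Constructed toy key pair for the recipient (textbook RSA, no padding).
# Two fixed Mersenne primes keep it short; real keys use large random primes.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                               # public key  = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))       # private key = (N, D)
KEY_BYTES = 16                          # 128-bit symmetric session key


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for a fast symmetric cipher (not AES): XOR the data with a
    SHA-256 counter keystream. The same key and call encrypt and decrypt."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def hybrid_encrypt(message: bytes, n: int, e: int):
    """Sender side: needs only the recipient's public key (n, e)."""
    session_key = secrets.token_bytes(KEY_BYTES)                 # fresh per message
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)  # step 1
    return wrapped_key, symmetric_xor(session_key, message)      # step 2


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, n: int, exponent: int) -> bytes:
    """Recipient side: only the private exponent recovers the session key."""
    key_int = pow(wrapped_key, exponent, n)
    if key_int >= 2 ** (8 * KEY_BYTES):
        raise ValueError("unwrapped value is not a valid session key (wrong key?)")
    return symmetric_xor(key_int.to_bytes(KEY_BYTES, "big"), ciphertext)


def demo() -> dict:
    message = b"Meet at the library at 16:00. " * 4     # constructed sample data
    wrapped_key, ciphertext = hybrid_encrypt(message, N, E)
    try:    # the "common mistake": trying to open the lock with the public key
        hybrid_decrypt(wrapped_key, ciphertext, N, E)
        public_key_opens = True
    except ValueError:
        public_key_opens = False
    return {"recovered": hybrid_decrypt(wrapped_key, ciphertext, N, D) == message,
            "public_key_opens": public_key_opens,
            "ciphertext_differs": ciphertext != message}
```

Only the 16-byte session key goes through the slow public key operation; the message, however long, goes through the fast symmetric step.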

[Common Mistake]
It is a mistake to think you "encrypt with a public key and decrypt with the same public key"! Data encrypted with a public key can only be decrypted with the corresponding private key.

[Summary so far]
The modern rule is to use the Public Key method when exchanging keys, and the Symmetric Key method when sending large amounts of data.

3. Digital Signatures and Authentication

In the world of the internet, "spoofing" and "tampering" (unauthorized changes) are major threats. Digital signatures are used to prevent these.

How Digital Signatures Work (Step-by-step)

1. The sender creates a summary of the data (hash value).
2. The sender encrypts that summary using their own Private Key (this becomes the signature!).
3. The recipient uses the sender's Public Key to restore/verify it and checks if the contents are correct.
*This takes advantage of the property that "only the owner can lock something with their private key."
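
The three steps above, as an added Python example (not part of the original guide), including what the recipient sees when the data was changed in transit or when the signature was made without the private key. The toy RSA key pair with fixed primes and no padding is an assumption made here so that it runs with the standard library only; real signatures use much larger keys and a padding scheme, and all names are illustrative.

```python
import hashlib

# Constructed toy key pair for the sender (textbook RSA, no padding).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                               # public key  = (N, E), given to everyone
D = pow(E, -1, (P - 1) * (Q - 1))       # private key = (N, D), kept by the sender


def summary(data: bytes, n: int) -> int:
    """Step 1: hash the data. Reduced mod n only because the toy key is short."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, n: int, d: int) -> int:
    """Step 2: transform the summary with the sender's private key."""
    return pow(summary(data, n), d, n)


def verify(data: bytes, signature: int, n: int, e: int) -> bool:
    """Step 3: restore the summary with the public key and compare it with a
    summary the recipient computes from the data that actually arrived."""
    return pow(signature, e, n) == summary(data, n)


def demo() -> dict:
    order = b"Transfer 1,000 yen to account 12345"       # constructed sample
    signature = sign(order, N, D)
    tampered = order.replace(b"1,000", b"9,000")         # changed in transit
    # Without the private key only public values are available, so this
    # "signature" is made with the public exponent and must not verify.
    not_from_owner = pow(summary(order, N), E, N)
    return {
        "genuine": verify(order, signature, N, E),
        "tampered": verify(tampered, signature, N, E),
        "not_from_owner": verify(order, not_from_owner, N, E),
    }
```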

PKI (Public Key Infrastructure)

To resolve the question, "Is this public key really from Person A?", a third-party organization called a Certificate Authority (CA) issues a "Digital Certificate" to guarantee it.

[Key Point!]
The "lock icon" next to a URL in your browser confirms that this mechanism is being used to certify that "this site is authentic."

4. Network Security and Defense Against Attacks

Let's learn about the specific "walls" used to protect systems.

(1) Firewall

Stands at the border of a network and, like a fire-resistant wall in a building, prevents suspicious packets (chunks of data) from passing through. It only allows authorized traffic.

(2) IDS and IPS

・IDS (Intrusion Detection System): Acts like a "surveillance camera," notifying administrators when it detects suspicious activity.
・IPS (Intrusion Prevention System): Acts like a "security guard," not only finding the attack but automatically blocking it.
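
The difference between (1) and (2), as an added Python example (not part of the original guide): the same constructed event list is processed once in IDS mode and once in IPS mode. The allowed port, the threshold of three failed logins and all names are assumptions chosen for illustration.

```python
from collections import Counter

ALLOWED_PORTS = {443}        # firewall rule set (assumed): everything else is denied
FAILED_LOGIN_LIMIT = 3       # detection threshold (assumed)

# Constructed events: (source address, destination port, login result)
EVENTS = [
    ("192.0.2.10", 443, "ok"),
    ("192.0.2.10", 23, "ok"),          # port is not on the allow list
    ("198.51.100.7", 443, "fail"),
    ("198.51.100.7", 443, "fail"),
    ("198.51.100.7", 443, "fail"),     # third failure reaches the threshold
    ("198.51.100.7", 443, "fail"),
    ("198.51.100.7", 443, "ok"),
]


def process(events, mode):
    """mode 'ids' only raises alerts; mode 'ips' also blocks the source."""
    failures, alerts, blocked_sources, delivered = Counter(), [], set(), []
    for src, port, result in events:
        if port not in ALLOWED_PORTS:              # firewall: check at the border
            continue
        if src in blocked_sources:                 # IPS: source was blocked earlier
            continue
        delivered.append((src, port, result))
        if result == "fail":
            failures[src] += 1
            if failures[src] == FAILED_LOGIN_LIMIT:
                alerts.append(src)                 # IDS and IPS both notify
                if mode == "ips":
                    blocked_sources.add(src)       # only the IPS acts on it
    return {"alerts": alerts, "delivered": len(delivered)}
```

Both modes raise the same alert, but in IDS mode the later attempts still reach the server until an administrator reacts, while in IPS mode they are dropped.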

(3) VPN (Virtual Private Network)

A technology that creates a "virtual tunnel" exclusive to you within the public internet. Because the contents cannot be seen from the outside, you can exchange information safely.

★ Pro-tip:
Recently, the idea that "protecting the perimeter is not enough" has led to the mainstream adoption of Zero Trust, a concept where all traffic—even from inside the company—is treated as untrusted and must be verified!

5. Risk Management: Is 100% Security Possible?

Unfortunately, there is no such thing as "100% safe" in security. That is precisely why it is important to know how to manage "risk."

Four Ways to Handle Risk

1. Reduction: Lower the probability of damage, such as by installing antivirus software.
2. Avoidance: Stop using dangerous services or avoid handling personal information altogether.
3. Transfer (Shifting): Move the risk to others, such as by buying insurance or outsourcing to professional contractors.
4. Retention (Acceptance): Accept small risks if the cost of implementing countermeasures is too high.

[Summary so far]
It is impossible to prevent everything perfectly. That is why the professional approach is to consider "what is most important" and wisely choose different countermeasures.

Conclusion: Preparing for Your Future Studies

It might feel overwhelming with all the new terminology at first, but understanding how keys are exchanged and how to approach risk is like solving a puzzle—it’s actually quite an interesting field.
Start by memorizing the three terms: "Confidentiality, Integrity, and Availability." That is the first step toward boosting your digital literacy to the next level!
I'm rooting for you!