
Information security. Confidential information

Search, Transfer and Protection of Information. Theory

Author: Andrei Biziuk
Affiliation: VSTU
Published: June 19, 2025

Introduction

In our increasingly digitized world, information is among the most valuable assets of individuals, corporations, and nations. It flows through networks, is stored in cloud services, and resides on personal devices. But not all information is equally sensitive. Some of it, because of what it reveals or enables, requires special protection. This is what we classify as confidential information.

The goal of today’s lecture is to understand what constitutes confidential information, explore its various types, and discuss the legal frameworks and technological safeguards designed to protect it. We will also examine the threats it faces, particularly in the online realm, and the human element exploited through social engineering.


1. Confidential Information and Its Types

What is Confidential Information?

At its core, Confidential Information is information that is sensitive, private, or proprietary, and access to which is restricted by law, by contract, or by the policy of its owner. Its unauthorized disclosure, use, or modification could cause significant harm to an individual, an organization, or a state.

The principle governing this concept is the Principle of Limited Access. This means the information is not a public good and should only be accessible to a predefined, authorized circle of individuals or entities.

Confidentiality is one of the three pillars of the CIA Triad in information security:

  • Confidentiality: Ensuring information is not disclosed to unauthorized individuals, entities, or processes.
  • Integrity: Maintaining the accuracy and completeness of data.
  • Availability: Ensuring that information and systems are accessible to authorized users when needed.

Today, our focus is squarely on the “C” - Confidentiality.

Key Types of Confidential Information:

Confidential information can be broadly categorized. Let’s look at the main types, each governed by its own set of rules and legal protections.

  • Personal Data: Information relating to an identified or identifiable natural person.
  • State Secrets: Information protected by the state in the fields of defense, foreign policy, economy, science, and intelligence.
  • Official Secrets: Sensitive, but unclassified, information used by government bodies.
  • Professional Secrets: Information entrusted within a professional relationship. This includes:
    • Attorney-Client Privilege
    • Medical Confidentiality
  • Personal and Family Secrets: Private life information protected by constitutional rights.
  • Commercial and Banking Secrecy: Information related to business operations and financial transactions.

Let’s break these down one by one.


2. Personal Data and the Right to Protection

What is Personal Data?

Personal Data is any information that can be used to identify a living person, either directly or indirectly. The scope is incredibly broad.

  • Direct Identifiers: Name, identification number (like a Social Security or national ID number), passport details.
  • Indirect Identifiers: Location data, IP address, cookie identifiers, physical or genetic characteristics, economic status, cultural or social identity.

Legislation like the General Data Protection Regulation (GDPR) in the European Union sets a global standard. GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).” Article 9 also establishes special categories of personal data (often called sensitive personal data): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person’s sex life or sexual orientation. Processing of these categories is prohibited by default and allowed only under narrow exceptions, so they require even stricter protection.

Human Rights to Protect Personal Data

The right to privacy and the protection of personal data is a fundamental human right, enshrined in international conventions and national constitutions.

  • Universal Declaration of Human Rights (Article 12): “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence… Everyone has the right to the protection of the law against such interference or attacks.”
  • GDPR (EU): Grants individuals significant rights, including:
    • The Right to be Informed: about the collection and use of their personal data.
    • The Right of Access: to their data.
    • The Right to Rectification: to have inaccurate data corrected.
    • The Right to Erasure (Right to be Forgotten): to have their data deleted.
    • The Right to Restrict Processing: to limit how their data is used.
    • The Right to Data Portability: to obtain and reuse their data for their own purposes.
    • The Right to Object: to the processing of their data.

These rights empower individuals and place a heavy legal and ethical responsibility on organizations that handle personal data. Failure to comply can result in severe penalties: under GDPR, fines of up to €20 million or 4% of a company’s global annual turnover, whichever is higher.


3. State Secrets and Official Secrets

State Secrets (Classified Information)

State Secrets represent the most highly protected category of information. Unauthorized disclosure could cause exceptionally grave damage to national security.

  • Definition: Information protected by the state concerning its military, foreign policy, economic, scientific, technical, intelligence, counter-intelligence, and operational-search activities.
  • Classification Levels: Systems vary by country, but common levels include:
    • Top Secret: Disclosure would cause “exceptionally grave damage” to national security.
    • Secret: Disclosure would cause “serious damage.”
    • Confidential: Disclosure would cause “damage.”
  • Access Control: Access is granted on a strict “need-to-know” basis to individuals with the appropriate security clearance. The handling, storage, and transmission of this information are governed by rigorous protocols, often involving physical security (safes, secure facilities) and advanced cryptographic technologies.

Official Secrets (For Official Use Only)

Official Secrets (or “For Official Use Only,” “Sensitive but Unclassified”) refer to information that is not classified as a state secret but whose dissemination is still restricted.

  • Definition: Non-public information generated by government bodies in the course of their duties, the disclosure of which could impede government functions, violate privacy, or harm legitimate private interests.
  • Examples: Internal government reports, draft legislation, law enforcement operational details not rising to the level of state secrets, and certain types of administrative data.
  • Protection: While less stringent than for state secrets, access is still limited to authorized personnel. Protection relies on internal policies, non-disclosure agreements, and secure information systems.

4. Professional, Personal, and Family Secrets

Attorney-Client and Medical Confidentiality

This category, often called Professional Secrets or Privileged Communication, protects information shared within a professional relationship built on trust.

  • Attorney-Client Privilege: Protects confidential communications between a lawyer and their client for the purpose of seeking or providing legal advice. This is fundamental to the justice system, as it allows clients to speak freely without fear that their words will be used against them.
  • Medical Confidentiality (Doctor-Patient Confidentiality): A cornerstone of medical ethics. Patients must be able to disclose sensitive health information to their doctors to receive proper care. This secret is protected by law and professional codes of conduct (e.g., the Hippocratic Oath). Disclosure is only permitted with patient consent or in very specific circumstances, such as a court order or an immediate threat to public health.

Personal and Family Secrets

This refers to the right to privacy in one’s personal life.

  • Definition: Information about a person’s private life, family relationships, personal correspondence, and home, which the person wishes to keep private.
  • Protection: This is a constitutional right in most democracies. Violations can include illegal wiretapping, surveillance, or the publication of private facts without consent. The rise of social media has blurred the lines, creating new challenges for protecting this sphere.

5. Commercial, Banking, and Trade Secrets

Commercial and Banking Secrecy

This type of confidentiality is vital for the functioning of the economy.

  • Commercial Secrecy: Broadly covers sensitive business information that gives a company a competitive edge. This is a very general term, and its more specific, legally defined subset is the “trade secret.”
  • Banking Secrecy: A legal duty of banks and financial institutions to keep the financial affairs of their clients private. This includes account balances, transaction histories, and loan information. Disclosure is only allowed under specific legal mandates, such as investigations into money laundering, terrorism financing, or tax evasion.

Trade Secrets

A Trade Secret is a specific, legally protected form of commercial information.

  • Definition (based on the Uniform Trade Secrets Act in the U.S.): Information that:
    1. Derives independent economic value from not being generally known.
    2. Is not readily ascertainable by proper means by others who can obtain economic value from its disclosure or use.
    3. Is the subject of reasonable efforts to maintain its secrecy.
  • Examples: The formula for Coca-Cola, Google’s search algorithm, a unique manufacturing process, a customer list, or a strategic marketing plan.
  • Protection: Unlike patents, trade secrets are not registered with the government, and protection lasts indefinitely as long as the information remains secret. It is enforced through legal action against misappropriation (theft, bribery, breach of a confidentiality agreement such as an NDA). The flip side is that a trade secret offers no protection against independent discovery or reverse engineering of a lawfully obtained product, which is why the owner’s own technical and organizational measures to keep it secret are what the protection actually rests on.

6. Restricted Information on a Website and Online Legal Violations

The internet is a primary battleground for information protection. Websites often host or process restricted information, making them prime targets.

Restricted Information on a Website

This can include:

  • User Personal Data: Names, emails, payment information, and authentication credentials stored in user accounts. Passwords in particular should never be stored in recoverable form; a website should keep only a salted, slow hash of each password.
  • Proprietary Content: Content behind a paywall, licensed digital media, or internal corporate documents on an intranet portal.
  • Backend Code and Database Information: The website’s source code, API keys, database credentials.

Types of Online Legal Violations and Threats

  1. Unauthorized Access (Hacking): Gaining access to a system, network, or data without permission.
    • Methods: Exploiting software vulnerabilities, brute-force password attacks, SQL injection, cross-site scripting (XSS).
  2. Data Breaches: The intentional or unintentional release of secure or confidential information to an untrusted environment.
    • Causes: Hacking, malware, insider threats (malicious or accidental), or physical theft of devices.
  3. Phishing: Deceiving users into divulging sensitive information (like credentials or credit card numbers) by masquerading as a trustworthy entity.
  4. Malware/Ransomware: Software designed to disrupt operations, gather sensitive information, or gain unauthorized access. Ransomware encrypts data and demands payment for its release, which is an attack on Availability; most current ransomware groups also exfiltrate the data before encrypting it and threaten to publish it (“double extortion”), which turns the incident into a Confidentiality breach as well.
  5. Denial-of-Service (DoS) / Distributed Denial-of-Service (DDoS) Attacks: Overwhelming a website or server with traffic to make it unavailable to legitimate users. This is an attack on Availability.
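
The SQL injection listed above is worth seeing in code, because the fix is small and mechanical. The following is an added example, not code from the original lecture: it builds a constructed in-memory SQLite user table (the user names and passwords are made up), performs the same login lookup once by string concatenation and once as a parameterized query, and shows that the injected input `alice' --` logs the attacker in as `alice` only in the vulnerable version. The table stores plaintext passwords purely to keep the injection demonstration short; a real system stores only salted hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny user store standing in for a website's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "correct horse battery", "admin"),
            ("bob", "hunter2", "user"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by concatenation, so attacker input becomes SQL syntax.

    With username "alice' --" the statement turns into
        ... WHERE username = 'alice' --' AND password = '...'
    and everything after "--" is a comment: the password check disappears.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the driver passes the values separately from the SQL text,
    so a quote or comment marker inside the input is treated as data, never as syntax."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    """Run the injection payload against both implementations and a legitimate login."""
    conn = make_db()
    injected_username = "alice' --"   # classic comment-out payload
    return {
        # Vulnerable: returns ('alice', 'admin') although the password is wrong.
        "vulnerable": login_vulnerable(conn, injected_username, "wrong"),
        # Safe: no user literally named "alice' --" exists, so no row is returned.
        "safe": login_safe(conn, injected_username, "wrong"),
        # Safe version still works for a genuine login.
        "legit": login_safe(conn, "alice", "correct horse battery"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:>10}: {row}")
```

The point to take away is that escaping quotes by hand is not the fix; binding parameters (or an ORM that does so) is, and the same principle applies to any place where untrusted input meets an interpreter: OS commands, LDAP filters, or HTML output in the case of XSS.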

Methods and Means of Protection

A multi-layered approach, often called Defense in Depth, is essential.

  • Technical Measures:
    • Encryption: Encrypting data both at rest (on servers and databases) and in transit (using TLS, the protocol behind HTTPS; its predecessor SSL is obsolete and should be disabled).
    • Access Control: Implementing strong authentication (e.g., Multi-Factor Authentication - MFA) and authorization based on the principle of least privilege.
    • Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS): Monitoring network traffic and blocking malicious activity.
    • Regular Security Audits and Penetration Testing: Proactively identifying and fixing vulnerabilities.
    • Secure Coding Practices: Developing software that is resilient to common exploits (e.g., OWASP Top 10).
  • Administrative Measures:
    • Information Security Policies: Clear guidelines for data handling, password creation, and device usage.
    • Employee Training: Educating users about threats like phishing and their responsibilities.
    • Incident Response Plan: A predefined plan for how to act during and after a security breach.
  • Physical Measures:
    • Secure Data Centers: Controlling physical access to servers and networking equipment.

7. Social Engineering: The Human Factor

Despite the most advanced technology, the human element remains the weakest link in the security chain. Social Engineering is the art of manipulating people into performing actions or divulging confidential information.

  • It exploits human psychology: Our natural tendencies to trust, to be helpful, or to respond to authority and urgency.

Common Social Engineering Techniques:

  • Phishing: As discussed, sending deceptive emails or messages.
    • Spear Phishing: Highly targeted phishing aimed at a specific individual or organization.
    • Whaling: Spear phishing aimed at senior executives or high-profile targets.
  • Pretexting: Creating a fabricated scenario (a pretext) to obtain information. For example, an attacker might pose as an IT support technician needing a user’s password to “fix an issue.”
  • Baiting: Luring a victim with a tempting offer, like a free download or a USB stick left in a public place, which is infected with malware.
  • Quid Pro Quo: A “something for something” attack. The attacker offers a small service or benefit in exchange for information. For example, offering a simple IT fix in exchange for login credentials.
  • Tailgating: Following an authorized person into a restricted area without proper credentials.

Defense Against Social Engineering:

The primary defense is awareness and skepticism.

  • Training: Regular, engaging training that teaches employees to recognize social engineering attempts.
  • Verification: Always verify requests for sensitive information through a separate, trusted communication channel. If someone from “IT” calls for your password, hang up and call the official IT helpdesk number yourself.
  • Policy: Establish clear policies that state sensitive information (like passwords) will never be requested via email or phone.
  • Skepticism: Foster a healthy sense of skepticism. “Trust, but verify.”

Conclusion

Today, we’ve established that Confidential Information is a diverse and critical asset that underpins personal privacy, corporate success, and national security.

We’ve explored its key types—from personal data and state secrets to trade secrets and professional confidences. Each is protected by a unique combination of legal frameworks, ethical codes, and technological controls.

We also highlighted the persistent threats in the online world and the crucial importance of a multi-layered defense strategy. Finally, we emphasized that technology alone is not enough. Protecting against social engineering by building a resilient “human firewall” through awareness and training is absolutely essential.

The protection of confidential information is not just an IT problem; it is a legal, ethical, and organizational responsibility. As future professionals in this field, your role will be to design, implement, and maintain the systems that uphold the principle of confidentiality in our complex digital age.
