The CIA Triad
Confidentiality, Integrity, Availability
Confidentiality
The principle of keeping information secret and protected from unauthorized access, so that data is readable only by the individuals or systems authorized to see it.
Integrity
The assurance that information is accurate and trustworthy, protecting it from unauthorized modification or destruction.
Availability
The principle that information and resources are accessible to authorized users when needed, ensuring that systems operate reliably and without interruption.
The Parkerian Hexad
An expansion of the CIA Triad that includes six properties: confidentiality, integrity, availability, possession, authenticity, and utility.
Possession
Control or custody of the information. Possession is lost when, for example, a laptop is stolen, even if the disk is encrypted and confidentiality is preserved (related to confidentiality).
Authenticity
Assurance that data is genuine and actually comes from the source it claims to come from (related to integrity).
Utility
Ensuring information remains usable for its purpose. Encrypted data whose key has been lost is still available but has no utility (related to availability).
AAA
An information security framework for managing and securing access to resources through Authentication, Authorization, and Accounting.
Authentication (AAA)
The process of verifying the identity of a user, typically by checking credentials such as a username and password when the user logs in to a system or service.
Authorization (AAA)
Determines what an authenticated user is permitted to do and which resources they may access.
Accounting (AAA)
Records who accessed what and when, typically in system logs, so that user actions can be audited later.
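The three steps of AAA in one short flow, as an added example that is not part of the original card set: authentication verifies a salted, iterated password hash with a constant-time comparison, authorization checks a separate permission table, and accounting appends every decision (allowed or denied) to an audit trail. The user table, permission table and log entries are constructed for the example.

```python
"""AAA flow: authenticate, then authorize, and account for every step.
Added example, not from the course; all users, permissions and log data are constructed."""
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # PBKDF2 work factor; tune to your hardware


def make_record(password: str) -> dict:
    """Store a random salt and a PBKDF2-SHA256 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


# Authentication data (constructed): who can prove their identity.
USERS = {"alice": make_record("correct horse battery staple")}
# Authorization data (constructed): what each identity may do, kept separate from who they are.
PERMISSIONS = {"alice": {"read:report"}}
# Accounting: append-only audit trail of every decision.
AUDIT_LOG: list = []


def audit(user: str, event: str, outcome: str) -> None:
    AUDIT_LOG.append({"ts": time.time(), "user": user, "event": event, "outcome": outcome})


def authenticate(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        # Do the same work for an unknown user so the response time does not reveal
        # which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        audit(user, "login", "denied:unknown-user")
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    ok = hmac.compare_digest(candidate, rec["digest"])  # constant-time comparison
    audit(user, "login", "success" if ok else "denied:bad-password")
    return ok


def authorize(user: str, permission: str) -> bool:
    ok = permission in PERMISSIONS.get(user, set())
    audit(user, f"access {permission}", "allowed" if ok else "denied")
    return ok


def request(user: str, password: str, permission: str) -> bool:
    """Full AAA flow: identity is verified first, then the permission is checked,
    and both outcomes are recorded in AUDIT_LOG."""
    if not authenticate(user, password):
        return False
    return authorize(user, permission)


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "read:report"))   # True
    print(request("alice", "correct horse battery staple", "write:report"))  # False
    for entry in AUDIT_LOG:
        print(entry["user"], entry["event"], entry["outcome"])
```

Note that a failed login and a denied authorization are both logged: accounting records attempts, not just successes, because the failures are what an investigation usually needs.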
FISMA
Federal Information Security Management Act enacted in 2002 to promote the security of federal information systems.
HIPAA
Health Insurance Portability and Accountability Act, which establishes standards for protecting sensitive patient data and ensures continuity of health insurance coverage.
GLBA
Gramm-Leach-Bliley Act that mandates financial institutions to explain their information-sharing practices and to safeguard sensitive data.
PCI-DSS
Payment Card Industry Data Security Standard, a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
Identification
An assertion of who we are, such as username, fingerprint, or account numbers.
Authentication
The set of methods used to establish whether a claim of identity is true, usually based on one or more factors: something you know, something you have, something you are, something you do, or somewhere you are.
Examples of “something you know”
Passwords and PINs.
Examples of “something you have”
Physical tokens, smart cards, or mobile devices used for authentication.
Examples of “something you are”
Physical characteristics such as fingerprints, facial recognition, or iris patterns.
Examples of “something you do”
Behaviors or actions used for authentication, such as typing patterns or voice recognition.
Examples of “where you are”
Geolocation data, IP address, or GPS coordinates.
Access Control
How we control access to our assets. Controls are grouped into six categories: preventive, detective, corrective, recovery, deterrent, and compensating.
Preventive Controls
Stop an unwanted action before it occurs. Examples include background checks and drug tests before hiring.
Detective Controls
Detect and alert on an attack while it is in progress or afterward. Examples include a building alarm triggered during a break-in, or an intrusion detection system (IDS) alerting on an attack.
Corrective Controls
Repair a damaged system or process after an incident. Examples include antivirus software that removes malicious code, or an intrusion prevention system (IPS) that stops a network attack by blocking it.
Recovery Controls
Restores systems after a security incident. Examples include data backups and disaster recovery plans that ensure business continuity.
Deterrent Controls
Designed to discourage security incidents. Examples include security cameras and warning signs that indicate surveillance or enforcement.
Compensating Controls
Alternative controls that provide comparable protection when a required control cannot be implemented as specified. They are typically layered with other controls (defense in depth).
Physical Access Controls
Security measures that restrict access to physical locations and assets. Examples include locks, access cards, and biometric scanners.
Logical Access Controls
Security measures that manage access to systems and data. Examples include passwords, user authentication, and role-based access permissions.
Mandatory Access Control (MAC)
Strictest of the access control models. The system assigns security labels to both subjects and objects, and a fixed policy (not the data owner) decides access by comparing those labels. Used by government and military systems.
Discretionary Access Control (DAC)
Every object has an owner, and the owner decides who gets access (for example, by editing the object's access control list). Less restrictive than mandatory access control and the most common model in general-purpose operating systems.
Role-Based and Rule-Based Access Control (RBAC)
Two related models that share the acronym. Role-based access control assigns permissions to roles and users to roles, so a user's access follows from the roles they hold. Rule-based access control grants or denies access according to rules defined by the organization (time of day, source network, and so on). Both are common in medium to large business environments.
Attribute Based Access Control
Similar to role- and rule-based access control, but decisions are made from attributes of the user (such as department), the resource (such as classification), and the environment (such as time of day or network location). This allows more granular and dynamic control over access rights.
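The decision logic of the four models side by side, as an added example that is not part of the original card set: MAC compares fixed labels (Bell-LaPadula style, no read up and no write down), DAC lets only the owner edit an access control list, RBAC resolves user to roles to permissions, and ABAC evaluates a predicate over subject, resource and environment attributes. The labels, users, roles and attribute values are constructed for the example.

```python
"""Toy decision functions for the MAC, DAC, RBAC and ABAC models on this page.
Added example, not from the course; all subjects, objects and attributes are constructed."""
from dataclasses import dataclass, field

# --- Mandatory Access Control: labels fixed by the system, compared by a fixed policy ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allows(subject_clearance: str, object_label: str, action: str) -> bool:
    """Bell-LaPadula confidentiality rules: no read up, no write down.
    Neither the object's creator nor the user can override the labels."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


# --- Discretionary Access Control: the owner maintains the ACL ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permitted actions


def dac_allows(obj: DacObject, user: str, action: str) -> bool:
    return user == obj.owner or action in obj.acl.get(user, set())


def dac_grant(obj: DacObject, granter: str, user: str, action: str) -> None:
    """Only the owner may change the ACL; that is what makes the model discretionary."""
    if granter != obj.owner:
        raise PermissionError(f"{granter} does not own the object")
    obj.acl.setdefault(user, set()).add(action)


# --- Role-Based Access Control: users -> roles -> permissions ---
ROLE_PERMS = {
    "analyst": {"read:tickets"},
    "admin": {"read:tickets", "write:tickets", "manage:users"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_allows(user: str, permission: str) -> bool:
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMS.get(role, set()) for role in roles)


# --- Attribute-Based Access Control: predicate over subject, resource and environment ---
def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    """Constructed policy: clinicians may read records of their own department,
    only from the corporate network and only during business hours (08:00-17:59)."""
    return (
        subject.get("role") == "clinician"
        and subject.get("department") == resource.get("department")
        and env.get("network") == "corporate"
        and 8 <= env.get("hour", -1) < 18
    )


if __name__ == "__main__":
    print(mac_allows("secret", "top_secret", "read"))   # False: no read up
    doc = DacObject(owner="alice")
    dac_grant(doc, "alice", "bob", "read")
    print(dac_allows(doc, "bob", "read"))                # True: owner granted it
    print(rbac_allows("alice", "write:tickets"))         # False: analysts only read
    print(abac_allows({"role": "clinician", "department": "oncology"},
                      {"department": "oncology"},
                      {"network": "corporate", "hour": 10}))  # True
```

The contrast worth noticing is who can change the outcome: in MAC nobody below the system policy, in DAC the object's owner, in RBAC whoever administers role membership, and in ABAC the policy author plus whatever changes the environment attributes (time, network), which is why ABAC decisions can differ between two otherwise identical requests.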
Privileged Access
Control that gives users elevated permissions, enabling them to perform specific actions beyond those of standard users. Often used for system administrators or IT personnel.
Sandbox
A controlled environment used for testing and securely executing untrusted applications or code, without affecting the host system.
Defense in Depth
A security strategy that uses multiple layers of defense to protect information systems, ensuring that if one layer is compromised, additional layers still provide protection.
Non-Repudiation
Prevents an entity from later denying that an action took place, for example by requiring digitally signed documents and by auditing system logs.
Data at Rest
Data that’s stored on a storage device that isn’t being transmitted over a network or in use.
Data in Motion
Data that’s currently moving across the network from one device to another. It is vulnerable to interception or unauthorized access during transmission.
Data in Use
Data that is being processed by a system process, application, or user, whether it is being created, read, updated, or erased. This is the hardest state to protect: data normally has to be decrypted in memory to be worked on, so disk and transport encryption no longer cover it (memory encryption and confidential-computing enclaves are the exceptions).
IT Audit
A formal evaluation of an organization's information systems, ensuring compliance with internal and external standards, effectiveness, and security controls.
Qualys
Cloud based vulnerability assessment tool
BSA
Business Software Alliance; advocates for the software industry, promoting copyright protections and the adoption of legitimate software.
Cryptography