Information Security (InfoSec)
Protection of data and systems to ensure confidentiality, integrity, and availability (CIA Triad).
Computer Security
Focuses on safeguarding computer systems and networks from attacks or misuse.
Network Security
Protects data during transmission between systems.
Confidentiality
Ensuring only authorized individuals can access information.
Integrity
Maintaining accuracy and completeness of data.
Availability
Ensuring information and resources are accessible when needed.
Vulnerability
Weakness in a system (e.g., unpatched software).
Threat
Any event or actor that could exploit a vulnerability.
Control (Safeguard)
A measure to reduce risk (e.g., firewalls, encryption, policies).
Hacktivists
Attack for political or social reasons.
Cybercriminals
Seek financial gain.
Insiders
Employees who misuse access.
Nation-states
Conduct espionage or sabotage.
Layered (defense-in-depth) security
A method of defense that employs multiple security measures.
Access controls
Authentication and authorization mechanisms to restrict access.
Encryption
A method for data protection.
System monitoring and patching
Regularly checking systems for vulnerabilities and applying updates.
Security awareness training
Education to reduce human error and improve security practices.
Least privilege
Principle that users should have the minimum level of access necessary.
Fail-safe defaults
Systems should default to a secure state.
Separation of duties
Dividing responsibilities to reduce risk of fraud or error.
Defense in depth
Layered security approach to protect information.
Accountability and auditing
Tracking actions and ensuring responsible behavior.
Information as an Asset
Data has value — loss or compromise can harm reputation, finances, and operations.
Security vs. Convenience
More security often means less convenience; organizations must find balance.
Drivers for Security
Laws, regulations, customer trust, and protecting intellectual property.
Common Threats
Deliberate attacks, unintentional threats, and natural disasters.
The Security Problem
Threats are growing in frequency and sophistication; technology alone isn't enough.
Business Impact
Breaches cause financial losses, legal penalties, loss of trust, and downtime.
Security Awareness
Employees play a vital role — training and education reduce human error.
Information Security Management (ISM)
The process of defining, implementing, and maintaining controls to protect information assets.
Governance
The framework that ensures security efforts align with business objectives and compliance requirements.
Policy
A formal statement of management intent — defines what must be protected and how.
Senior Management
Sets direction, allocates resources, enforces accountability.
CISO (Chief Information Security Officer)
Oversees strategy and coordinates efforts across departments.
Security Administrators & Technicians
Implement technical controls.
Users
Must comply with policies and maintain security awareness.
Enterprise Information Security Policy (EISP)
High-level organizational vision.
Issue-Specific Security Policy (ISSP)
Focused on specific topics (e.g., email use, passwords).
System-Specific Policy (SysSP)
Technical details for systems and configurations.
Strategic Planning
Long-term goals aligned with business mission.
Tactical Planning
Mid-term, implementing objectives.
Operational Planning
Short-term, daily security procedures.
NIST Cybersecurity Framework (CSF)
Provides structured guidance for establishing and improving security programs.
ISO/IEC 27001
Information Security Management System.
COBIT
Governance and management of IT.
Risk
The likelihood that a threat will exploit a vulnerability and cause harm.
Risk Management
The process of identifying, evaluating, and controlling risks to acceptable levels.
Risk Appetite
The amount of risk an organization is willing to accept.
Residual Risk
Risk remaining after controls are applied.
Identify Risks
List assets, threats, and vulnerabilities.
Assess Risks
Evaluate likelihood and impact.
Develop Controls
Determine safeguards to reduce or transfer risk.
Implement Controls
Apply technical, administrative, and physical measures.
Monitor and Review
Continuously track effectiveness and update as needed.
Avoidance
Eliminate the risk (e.g., stop risky activity).
Mitigation
Reduce likelihood or impact with controls.
Transfer
Shift risk to a third party (e.g., insurance, outsourcing).
Acceptance
Acknowledge and tolerate the risk.
Technical Controls
Firewalls, encryption, access management.
Administrative Controls
Policies, training, procedures.
Physical Controls
Locks, surveillance, restricted areas.
Qualitative Assessment
Uses descriptive scales (high, medium, low).
Quantitative Assessment
Uses numerical values (costs, probabilities).
NIST SP 800-30
Common risk assessment framework.
Incident
Any event that threatens the confidentiality, integrity, or availability of information systems.
Incident Response (IR)
A structured approach to handling and managing security breaches.
Contingency Planning
Preparing for unexpected events that disrupt normal operations.
Disaster Recovery (DR)
Restoring systems after catastrophic failure.
Business Continuity Planning (BCP)
Ensuring critical operations continue during or after disruptions.
Preparation (IR Phase)
Develop policies, train staff, and establish IR teams.
Detection & Analysis (IR Phase)
Identify and confirm an incident.
Containment (IR Phase)
Limit damage and prevent spread.
Eradication (IR Phase)
Remove root cause (malware, compromised accounts, etc.).
Recovery (IR Phase)
Restore systems and verify they are secure.
Post-Incident Activity (IR Phase)
Document lessons learned and improve procedures.
IR Plan
Procedures for handling incidents.
DR Plan
Steps to recover IT systems.
Crisis Management Plan
Coordinates communication and leadership during crises.
Law
Rules enforced by government authority that define acceptable behavior.
Ethics
Principles of right and wrong that guide professional and personal decisions.
Professionalism
Conduct that upholds integrity, confidentiality, and trustworthiness in the field of information security.
Civil Law
Governs private rights and disputes (contracts, negligence).
Criminal Law
Defines offenses punishable by the state (hacking, fraud).
Administrative Law
Governs regulations and enforcement by agencies (e.g., FTC, FCC).
Intellectual Property (IP) Law
Protects creations like software, designs, and inventions.
Computer Fraud and Abuse Act (CFAA)
Criminalizes unauthorized access to systems.
Electronic Communications Privacy Act (ECPA)
Protects digital communications from interception.
HIPAA
Secures healthcare information.
GLBA (Gramm-Leach-Bliley Act)
Requires financial institutions to protect customer data.
SOX (Sarbanes-Oxley Act)
Ensures accuracy and security of financial data.
GDPR (EU)
Protects personal data and privacy.
Budapest Convention
First international treaty on cybercrime.
Utilitarianism
Focus on outcomes that maximize overall good.
Deontology
Follow moral rules regardless of results.
(ISC)² Code of Ethics
Protect society, the common good, and infrastructure.
ACM Code of Ethics
Emphasizes honesty, fairness, and respect for privacy.