Absolute Security
The concept that no system can be made invulnerable; the goal is to make it difficult for attackers to succeed.
CIA Triad
The three security goals of Confidentiality, Integrity, and Availability that form the basis of all security programs.
Confidentiality
Keeping sensitive information private and accessible only to authorized users, often referred to as the principle of least privilege.
Integrity
Ensuring that data remains accurate, reliable, and unaltered, preventing unauthorized modifications.
Availability
Ensuring that data and systems are accessible whenever needed by authorized users, especially during emergencies.
Denial of Service (DoS) attacks
Common challenges to availability that disrupt access to services.
Defense in Depth
A strategy that involves using multiple layers of security to protect information.
Security Layers
Overlapping layers that provide prevention, detection, and response in information security.
Intrusion Detection Systems (IDS)
Devices used in defense in depth to detect unauthorized access or anomalies.
Security Training
Organizations must train employees on cybersecurity best practices to prevent security breaches.
Functional Requirements
Describe what a system should do to protect data and operations, aligning with the CIA triad.
Assurance Requirements
Describe how functional requirements should be implemented and tested to ensure correct performance.
Verification
The process of confirming that requirements are met.
Validation
Determining the correctness of the mechanisms used in a system.
Security Through Obscurity
The belief that hiding security mechanism details is sufficient for system security, which is a false sense of security.
Strong Encryption
A necessary component of real security, alongside multi-layer defenses and proper security policies.
Risk Management
The balance between the level of risk and the expected reward of expending resources on security.
Identity Theft
A common issue resulting from individuals being duped into giving up sensitive information.
Security Policies
Guidelines implemented by organizations to limit human mistakes in security.
Automated Mechanisms
Systems used for response in security that operate without human intervention.
Traffic Analyzers
Tools used in security to monitor and analyze network traffic for potential threats.
User IDs and Passwords
Common controls used to maintain confidentiality in information security.
Batch Transactions
An example of integrity models aiming to maintain data accuracy and consistency.
Human Monitors
Real-time personnel involved in the detection of security breaches.
Security
Focuses on eliminating known threats and minimizing losses if an attack succeeds.
Risk analysis and risk management
Central themes to securing information systems.
Risk outcomes
When risks are understood, they can be mitigated, insured against, or accepted.
Risk assessment
Considers the consequence of a loss and the likelihood that the loss will occur.
Risk matrix
Used to determine the degree of risk (Extreme, High, Moderate, Low).
Preventive controls
Designed to prevent cyber security incidents; examples include security guards, locked doors, and access controls.
Detective controls
Aim at detecting a breach attempt or successful breach while it is in progress; examples include closed-circuit televisions, motion sensors, and alarm systems.
Responsive controls
Used after a cyber security incident to minimize data loss and damage; an example is the alarm triggering doors to lock.
Complexity
The more complex a system gets, the harder it is to secure.
Best practices for security
Include using only necessary security controls, keeping software and access controls up-to-date, and following the principle of least privilege (PoLP).
Fear, Uncertainty, and Doubt (FUD)
Using FUD to scare management into spending on security is no longer effective.
Justification of security investments
IS managers must justify all investments in security using business rationale.
Education on security benefits
Organizations should educate people on the real benefits of security, such as data protection, trust, and business continuity.
People, Process, and Technology
All are needed to adequately secure a system or facility.
Process controls
Ensure operations are performed consistently through documented procedures.
Technology in security
Includes hardware and software security measures.
Open Disclosure of Vulnerabilities
Good for security; keeping vulnerabilities secret leads to a false sense of security.
Compromises to Intellectual Property
Concerns the ownership of ideas and control over their tangible or virtual representation.
Software piracy
The unlawful use or duplication of software, the most common IP breach.
Deliberate Software Attacks
Occur when individuals or groups design and deploy software to attack a system.
Malicious code (malware)
Designed to damage, destroy, or deny service.
Viruses
Spread from host to host, replicate by attaching to legitimate programs or documents, and can cause damaging effects like data corruption.
Worms
Spread copies of themselves from computer to computer without human interaction or needing to attach to a program; can modify/delete files, install backdoors, and deplete system resources.
Trojan Horses
Disguised as legitimate software, trick users into executing them, and can enable spying, data theft, and backdoor access.
Back Doors (Trap Doors)
Components installed by malware that allow attackers to access the system at will with special privileges.
Polymorphic Threats
Change their appearance over time to evade antivirus software detection.
Virus and Worm Hoaxes
False warnings about malware, often spread through email and internal networks.
Deviations in Quality of Service
Irregular service from providers (power, water, internet, phone, etc.) can disrupt business operations and threaten information security.
Availability disruptions
Can occur due to irregular service from providers.
Power issues
Blackout, brownout, fault, noise, sag, spike, and surge can damage IT equipment.
Internet disruptions
Physical damage to cables or electronic disruptions can negatively impact communication and service delivery.
Service Level Agreements (SLAs)
Specify expected service levels and potential restitution for failures.
Espionage
Involves unauthorized individuals gaining access to protected information.
Competitive intelligence
Legal information gathering techniques.
Industrial espionage
Illegal or unethical techniques to gather information.
Trespass
Involves unauthorized physical or virtual actions to enter premises or systems.
Shoulder surfing
Gathering unauthorized information by looking over someone's shoulder.
Hackers
People who use computer software to gain illegal access to information.
Phreakers
Hack the public telephone network to make free calls or disrupt services.
Forces of Nature
Unpredictable events beyond human control that can disrupt information storage, transmission, and use.
Fire
Damages equipment and facilities, including smoke and water damage.
Flood
Causes water damage to systems and buildings, and can disrupt access.
Earthquake
Can directly damage systems and buildings, and disrupt access.
Lightning
Directly damages systems and power components, can cause fires, and disrupt access.
Landslide or mudslide
Damages buildings and disrupts access.
Tornado or severe windstorm
Damages systems and buildings, and interrupts access.
Hurricane or typhoon
Primarily disrupts access to facilities.
Tsunami
Damages systems and buildings in coastal areas, and can disrupt access and power.
Electrostatic discharge (ESD)
Static electricity can damage electronic components and disrupt service.
Dust contamination
Can shorten the lifespan of systems and cause downtime.
Human Error or Failure
Unintentional acts by authorized users that can cause extensive damage.
Information Extortion
Attackers or trusted insiders steal information and demand compensation for its return or non-disclosure.
Missing, Inadequate, or Incomplete Organizational Policy or Planning
Makes an organization vulnerable to loss, damage, or disclosure of information assets when other threats lead to attacks.
Information security
A management function where executive leadership is responsible for strategic planning (governance).
Missing, Inadequate, or Incomplete Controls
Absent, misconfigured, outdated, or poorly designed/managed security safeguards that increase the likelihood of losses.
Example of inadequate controls
Failing to upgrade network equipment can lead to performance issues and data loss.
Routine security audits
Help ensure continuous protection.
Sabotage or Vandalism
Deliberate acts to damage a computer system or business, or to harm an organization's image.
Range of sabotage
Ranges from petty vandalism to organized sabotage.
Attacks on an organization's image
Attacks such as website defacement can erode consumer confidence.
Hacktivist operations
Disrupt systems to protest.
Cyberterrorism
Involves hacking systems to conduct terrorist activities.
Theft
Illegal taking of another's property (physical, electronic, or intellectual).
Physical theft
Often easier to control than electronic theft.
Electronic theft
Can be difficult to detect if tracks are covered carefully.
Technical Hardware Failures or Errors
Flaws in manufactured equipment can cause unreliable service or lack of availability.
Consequences of hardware failures
Can result in unrecoverable loss or intermittent faults.
Technical Software Failures or Errors
Bugs in code, especially when combined with certain hardware, can lead to failures.
Trap doors
Purposeful shortcuts bypassing security checks that can cause serious breaches.
Technological Obsolescence
Outdated infrastructure can lead to unreliable and untrustworthy systems and risk data integrity.
Management's strategic planning
Should include technology analysis and timely action to prevent obsolescence.
Malicious Code Attack
Includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information.
Polymorphic worm
A state-of-the-art attack that can use up to six known attack vectors to exploit vulnerabilities.
Types of malware
Includes covert software applications like bots, spyware, and adware.
Bot
An automated software program that executes commands upon specific input and can be used to implement Trojans, logic bombs, back doors, and spyware.
Spyware
Gathers information about a person or organization without their knowledge.