Section 2: Fundamentals of Security

Last updated 8:16 PM on 6/4/25
59 Terms

1

information security

act of protecting data and information from unauthorized access, unlawful modification, disruption, disclosure, corruption, and destruction

2

information systems security

act of protecting the systems that hold and process the critical data

3

information security vs information systems security

protecting the data vs devices that hold the data

4

CIA triad

confidentiality

integrity

availability

5

confidentiality

ensures information is only accessible to those with the appropriate authorization

6

integrity

ensures data remains accurate and unaltered unless modification is required

7

availability

ensures information and resources are accessible and functional when needed by authorized users

8

CIANA pentagon

extension of CIA triad with the inclusion of:

  • non-repudiation

  • authentication

9

non-repudiation

guaranteeing a specific action/event has taken place and cannot be denied by the parties involved

10

AAA of security

authentication

authorization

accounting

11

authentication

process of verifying the identity of a user or system

12

authorization

defines what actions/resources a user can access

13

accounting

act of tracking user activities and resource usage, typically for audit or billing purposes

14

security controls

measures/mechanisms put in place to mitigate risks and protect the CIA of information systems and data

15

categories of security controls

  • technical

  • managerial

  • operational

  • physical

16

types of security controls

  • preventative

  • deterrent

  • detective

  • corrective

  • compensating

  • directive

17

zero trust

security model that operates on the principle that no one, whether inside or outside the organization, should be trusted by default

18

how to achieve zero trust

  • control plane

  • data plane

19

what does the control plane consist of

  • adaptive identity

  • threat scope reduction

  • policy-driven access control

  • secured zones

20

what does the data plane focus on

  • subject/system

  • policy engine

  • policy admin

  • establishing policy enforcement points

21

threat vs vulnerability

external sources vs internal factors

22

where does the risk to enterprise systems and networks lie

the intersection of threats and vulnerabilities

23

importance of confidentiality

  1. protect personal privacy

  2. maintain business advantage (proprietary data)

  3. achieve regulatory compliance (data protection regulations)

24

5 methods to ensure confidentiality

  1. encryption

  2. access controls

  3. data masking

  4. physical security measures

  5. training/awareness

25

data masking

obscuring data within a database to make it inaccessible to unauthorized users while retaining the real data’s authenticity

ex. only last 4 digits of credit card can be seen

26

importance of integrity

  1. ensure data accuracy

  2. maintain trust

  3. ensure system operability

27

5 methods to ensure integrity

  1. hashing

  2. digital signatures

  3. checksums

  4. access controls

  5. regular audits

28

hash digest

digital fingerprint to prove data integrity;

result of hashing function

29

checksums

method to verify the integrity of data during transmission

checksum is sent from sender to receiver for verification

30

availability status

based on number of nines

  • 3 nines = 99.9%

  • 5 nines = 99.999%

5 nines is gold standard

more nines = less downtime

31

4 types of redundancy to ensure availability

  1. server: multiple servers in a load balance

  2. data: storing data in multiple places

  3. network: if one network fails, the data can travel through another route

  4. power: backup power sources

32

non-repudiation

providing undeniable proof in digital transactions

33

digital signature

hashing a message to be digitally signed and encrypting the hash digest with the user’s private key using asymmetric encryption

34

importance of non-repudiation

  1. confirm authenticity of digital transactions

  2. ensure integrity

  3. provide accountability

35

5 commonly used authentication methods

  1. something you know (knowledge factor): info a user can recall

  2. something you have (possession factor): physical item for authentication

  3. something you are (inherence factor): unique physical or behavioral characteristic of the person to validate they are who they claim to be

  4. something you do (action factor): relies on the user conducting a unique action to prove who they are

  5. somewhere you are (location factor): relies on the user’s location before access is granted

36

authorization

permissions and privileges granted to users or entities after they have been authenticated

37

recommended accounting system

  1. audit trail

  2. regulatory compliance

  3. forensic analysis

  4. resource optimization

  5. user accountability

38

audit trail

provides a chronological record of all user activities that can be used to trace changes, unauthorized access, or anomalies back to the specific user or point in time

39

regulatory compliance

maintains a comprehensive record of all the users’ activities

40

forensic analysis

uses detailed accounting and event logs that can help cybersecurity experts understand what and how an incident occurred and how to prevent similar events from occurring again in the future

41

resource optimization

organizations can optimize system performance and minimize costs by tracking resource utilization and allocation decisions

42

user accountability

thorough accounting system ensures users’ actions are monitored and logged, deterring potential misuse and promoting adherence to the organization’s policies

43

technologies used in accounting

  1. syslog servers: aggregate logs from various network devices/systems for sys admin

  2. network analysis tools: capture and analyze network traffic for net admin

  3. Security Information and Event Management (SIEM): provides real-time analysis of security alerts generated by various hw/sw infrastructures in an organization

44

4 categories of security controls

  1. technical: hw/sw implemented for risk management

  2. managerial: strategic planning and governance

  3. operational: procedures designed to protect data on a day-to-day basis and are governed by internal processes and human actions

  4. physical: real-world measures taken to protect assets

45

6 types of security controls

  1. preventative

  2. deterrent

  3. detective

  4. corrective

  5. compensating

  6. directive

46

deterrent controls

aim to discourage potential attackers by making the effort seem less appealing or more challenging

ex. ADT warning signs (not the system itself)

47

compensating controls

alternative measures that are implemented when primary security controls are not feasible or effective

48

directive controls

guide/form/mandate actions

often rooted in policy or documentation and set the standards for behavior within an organization

49

2 planes of zero trust architecture

  1. control: policies and procedures

  2. data: enforce the policies and procedures

50

elements of the control plane (zero trust)

  1. adaptive identity

  2. threat scope reduction

  3. policy-driven access control

  4. secured zones

51

adaptive identity

rely on real-time validation that takes into account the user’s behavior, device, location, etc

  • constantly adapting to the environment to adjust accordingly

52

threat scope reduction

limit the users’ access to only what they need for their work tasks because this drastically reduces the network’s potential attack surface

53

policy-driven access control

developing, managing, and enforcing user access policies based on their roles and responsibilities

54

secured zones

isolated environments within a network that are designed to house sensitive data

  • only users with certain permissions can access these zones

55

how the control plane makes decisions about access (zero trust)

  1. policy engine: cross-references the access request with its predefined policies

  2. policy administrator: establishes and manages the access policies

56

elements of the data plane (zero trust)

  1. subject/system: entity attempting to gain access

  2. policy enforcement point: allow or restrict access

57

gap analysis

process of evaluating the differences between an organization’s current performance and its desired performance

58

2 types of gap analysis

  1. technical: evaluating and identifying lack/weakness in technical capabilities required to utilize security solutions

  2. business: evaluating and identifying weaknesses in business processes required to utilize cloud-based solutions

59

plan of action and milestones (POA&M)

based on gap analysis findings

outlines the specific measures to address each vulnerability, allocate resources, and set up timelines for each remediation task that is needed