CIA Triad
Confidentiality, Integrity, and Availability.
DAD
Disclosure, Alteration and Denial. (Represents what attackers try to cause, the opposite of CIA)
Defense in Depth
External Network » Internal Network » Host » Application » Data. Cybersecurity strategy that uses multiple layers of security so that if one layer fails, others still protect the system.
Fabrication Attack (The Four Types of Attacks)
When an attacker creates fake or unauthorized data, messages, processes, or activity inside a system.
Incident Response
Preparation - Putting things in place to respond to security incidents BEFORE they occur.
Detection and Analysis - Noticing that an incident is happening and working out its scope.
Containment, Eradication, and Recovery - Stop the damage from spreading, remove the cause, and restore normal operation.
Post-Incident Activity - “What did we learn?” (These are the NIST SP 800-61 lifecycle phases.)
Information Security
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Modification Attack (The Four Types of Attacks)
When an attacker changes, alters, or tampers with existing data, files, messages, or system settings without permission.
Parkerian Hexad
Confidentiality, Integrity, Availability, Authenticity, Utility, and Possession.
Risk Management (Definition)
Identify Assets » Identify Threats » Assess Vulnerabilities » Assess Risks » Mitigate Risks.
The process of identifying, assessing, and controlling potential events or situations that could negatively affect an organization, project, or individual.
The Four Types of Attacks
Interception, Interruption, Modification, and Fabrication
Vulnerabilities
Weaknesses or holes that a threat can exploit to cause harm.
Risk
The likelihood that a threat will exploit a vulnerability, combined with the impact if it does. (A threat with no matching vulnerability, or a vulnerability no threat can reach, is not a risk.)
Threats
Something that has the potential to cause harm.
Impact
The value of the threatened asset and the damage its loss or compromise would cause; used together with likelihood to calculate risk.
AAA
Authentication, Authorization (Access control), Accounting.
An information security framework for controlling access to data and system resources, enforcing policies, and auditing actions.
Identification
Claiming an identity.
Identity Verification
Checking whether the claimed identity appears valid using documents or information. (Doesn’t fully prove identity)
Authentication
Proving your identity using authentication factors. (Password, fingerprint, phone code, smart card, etc.)
Authentication Factors
Something you know
Something you are
Something you have
Something you do
Where you are
Authorization
The process of determining exactly what an authenticated party can do.
Access Control
The tools and systems you use to deny or allow access.
File System ACLs (Access Control Lists)
Define what actions (Read, Write, Execute) users or groups are allowed to perform on files and directories.
Network ACLs (Access Control Lists)
Security rules that allow or deny network traffic based on identifiers such as IP addresses, MAC (Media Access Control) addresses, or ports.
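The network ACL card above describes rules that allow or deny traffic by address and port. The detail that matters in practice is that ACLs are evaluated in order, the first matching rule wins, and anything no rule permits is dropped by an implicit deny at the end. The following is an added example written for this flashcard set, not code from the page or from any vendor; the rule set and packets are constructed sample data.

```python
"""Ordered network ACL evaluation: first matching rule wins, implicit deny at the end.

Added example for this flashcard set; the rule set and packets below are
constructed sample data, not from any real device.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: str                    # CIDR such as "10.0.0.0/8", or "any"
    dst_port: Optional[int]     # None matches every destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_port: Optional[int]


def _matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "any":
        net = ipaddress.ip_network(rule.src, strict=False)
        if ipaddress.ip_address(pkt.src_ip) not in net:
            return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); ("deny", None) if nothing matched."""
    for i, rule in enumerate(acl):
        if _matches(rule, pkt):
            return rule.action, i
    return "deny", None   # implicit deny: traffic no rule permits is dropped


# Constructed sample ACL in front of an internal web server: a quarantined subnet
# is denied SSH first, the admin range may SSH, the corporate range may use HTTPS,
# ping is allowed from anywhere, and everything else falls through to the implicit deny.
ACL = [
    Rule("deny",   "tcp",  "10.0.5.0/24", 22),
    Rule("permit", "tcp",  "10.0.0.0/16", 22),
    Rule("permit", "tcp",  "10.0.0.0/8",  443),
    Rule("permit", "icmp", "any",         None),
]


def check_ordering_matters() -> dict:
    """Rule order is security-relevant: the same packet flips verdict if the
    narrow deny is moved below the broader permit that also matches it."""
    pkt = Packet("tcp", "10.0.5.7", 22)
    strict = evaluate(ACL, pkt)[0]
    reordered = [ACL[1], ACL[0], ACL[2], ACL[3]]
    loose = evaluate(reordered, pkt)[0]
    return {"strict": strict, "reordered": loose}


if __name__ == "__main__":
    for p in [Packet("tcp", "10.0.1.20", 22), Packet("tcp", "10.0.5.7", 22),
              Packet("tcp", "172.16.0.9", 443), Packet("udp", "10.0.1.20", 53)]:
        print(p, "->", evaluate(ACL, p))
    print(check_ordering_matters())
```

When reviewing a real ACL, check the same two things this example checks: that no broad permit appears above a narrower deny it would shadow, and that the implicit deny at the end is actually what you want for traffic nobody thought about.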
Media Access Control (MAC)
The data-link sublayer that controls how devices share a network medium; a MAC address is the hardware identifier a network interface uses at this layer, which is what network ACLs can match on. (Analogy: the badge that identifies a device inside the building.) Not to be confused with Mandatory Access Control, which shares the acronym.
Confused Deputy Problem
A trusted system or program gets tricked into doing something bad for someone who normally wouldn’t be allowed to do it.
CSRF (Cross-Site Request Forgery)
An attacker tricks your browser into sending a request that uses your logged-in session (the browser attaches your cookies automatically) to perform an action you didn’t intend. A form of the confused deputy problem: the server is the deputy acting on the attacker’s behalf.
Clickjacking
An attack where a hacker tricks you into clicking something different from what you think you’re clicking.
Capability-Based Security
Access is granted to whoever presents an unforgeable token or key (the capability), rather than being decided from the identity of the caller alone. Because the request itself must carry the capability, attacks that ride on ambient authority such as CSRF and Clickjacking become much harder.
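The confused deputy, CSRF and capability cards above describe the same pattern from three sides: a server honours any request that arrives with the victim's session cookie, and the fix is to require something the attacking site cannot obtain. The following is an added example written for this flashcard set, not code from the page or from any framework; the `Request` and session objects are minimal stand-ins for a web framework, and the hostnames and user names are constructed.

```python
"""CSRF: a handler that trusts the session cookie alone vs one that also requires a
per-session anti-CSRF token, which acts as a capability the attacking site cannot read.

Added example for this flashcard set; Request/session objects stand in for a web
framework and all hostnames are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SESSIONS: dict[str, dict] = {}     # session id -> {"user", "csrf", "email"}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and mint a random anti-CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32),
                     "email": f"{user}@example.test"}
    return sid


def _session(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("session", ""))


def change_email_vulnerable(req: Request) -> tuple[int, str]:
    """VULNERABLE: any POST carrying the victim's cookie is honoured. A form on the
    attacker's page, auto-submitted by the victim's browser, carries that cookie."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 403, "not logged in"
    sess["email"] = req.form["email"]
    return 200, "email updated"


def change_email_hardened(req: Request, site_origin: str = "https://app.example.test") -> tuple[int, str]:
    """HARDENED: the request must also present the session's CSRF token (compared in
    constant time) and, if the browser sent an Origin header, it must be our own."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 403, "not logged in"
    origin = req.headers.get("Origin")
    if origin is not None and origin != site_origin:
        return 403, "cross-origin request refused"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    sess["email"] = req.form["email"]
    return 200, "email updated"


def simulate_attack() -> dict:
    """Victim logs in; the attacker's page auto-submits a form to our endpoint. The
    browser attaches the session cookie, but the form cannot include the token."""
    sid = login("alice")
    forged = Request("POST", cookies={"session": sid},
                     form={"email": "attacker@evil.test"},
                     headers={"Origin": "https://evil.test"})
    v_status, _ = change_email_vulnerable(forged)
    v_email = SESSIONS[sid]["email"]
    SESSIONS[sid]["email"] = "alice@example.test"        # reset before the second run
    h_status, _ = change_email_hardened(forged)
    h_email = SESSIONS[sid]["email"]
    # A legitimate submission from our own page carries the token rendered into the form.
    legit = Request("POST", cookies={"session": sid},
                    form={"email": "alice@new.test", "csrf_token": SESSIONS[sid]["csrf"]},
                    headers={"Origin": "https://app.example.test"})
    l_status, _ = change_email_hardened(legit)
    return {"vulnerable": (v_status, v_email), "hardened": (h_status, h_email),
            "legit": (l_status, SESSIONS[sid]["email"])}


if __name__ == "__main__":
    print(simulate_attack())
```

The token is the capability: it is bound to the session, unguessable, and readable only by pages served from the application's own origin, so a cross-site form cannot include it even though the browser still sends the cookie. The `Origin` check is a second, independent line of defence, which is why the hardened handler keeps both.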
Access Control Models
A method or set of rules used to decide who is allowed to access what, and what they are allowed to do with it.
DAC (Discretionary Access Control)
The owner of the resource determines who gets access to it and exactly what level of access they can have.
Mandatory Access Control (MAC)
A central authority, not the resource owner, sets access according to security labels on subjects and objects; owners cannot loosen the policy. (Not to be confused with Media Access Control.)
Rule-Based Access Control
A security model where access is allowed or denied based on predefined rules set by the system.
Role-Based Access Control
Allows access based on the role of the individual being granted access.
Attribute-Based Access Control
An access control model where access is granted or denied based on attributes (characteristics) of the user, resource, action, or environment.
Multilevel Access Control
A security model where information and users are assigned different security levels, and access is based on those levels.
Bell-LaPadula Model
A confidentiality-focused security model: subjects may not read data above their clearance (“no read up”) and may not write data to a lower level (“no write down”), so sensitive data cannot leak downward.
Biba Model
An integrity-focused security model, the mirror image of Bell-LaPadula: trusted data must not be influenced or corrupted by less trusted data, enforced with “no read down” and “no write up” rules.
The Brewer and Nash Model
A security model that prevents conflicts of interest by controlling what data a user can access based on what they’ve already accessed.
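The Bell-LaPadula, Biba and Brewer-Nash cards are each a small decision rule, and the clearest way to see how they differ (and where the first two contradict each other) is to write the rules down as a reference monitor and run the same requests through all three. The following is an added example written for this flashcard set, not code from the page or from any textbook implementation; the levels, company names, subject names and conflict-of-interest classes are constructed.

```python
"""Reference monitors for three classic models: Bell-LaPadula (confidentiality),
Biba (integrity) and Brewer-Nash (conflict of interest).

Added example for this flashcard set; the levels, companies and subjects are constructed.
"""
from typing import Literal

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
Op = Literal["read", "write"]


def bell_lapadula(subject_level: str, object_level: str, op: Op) -> bool:
    """Simple security property: no read up. *-property: no write down."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o       # may read at or below own clearance
    return s <= o           # may write only at or above own clearance


def biba(subject_level: str, object_level: str, op: Op) -> bool:
    """Strict integrity: no read down (don't trust less trusted data),
    no write up (less trusted subjects must not corrupt trusted data)."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s <= o
    return s >= o


class BrewerNash:
    """Chinese Wall: once a subject has touched one company's data in a
    conflict-of-interest (COI) class, other companies in that class are off limits."""

    def __init__(self, coi_classes: dict[str, set[str]]):
        # company -> name of the COI class it belongs to
        self.coi_of = {co: cls for cls, cos in coi_classes.items() for co in cos}
        self.history: dict[str, set[str]] = {}     # subject -> companies already accessed

    def permitted(self, subject: str, company: str) -> bool:
        cls = self.coi_of[company]
        for prior in self.history.get(subject, set()):
            if prior != company and self.coi_of[prior] == cls:
                return False    # would cross the wall inside this COI class
        return True

    def access(self, subject: str, company: str) -> bool:
        """Decide, and if permitted record the access (the decision depends on history)."""
        ok = self.permitted(subject, company)
        if ok:
            self.history.setdefault(subject, set()).add(company)
        return ok


def demo() -> dict:
    wall = BrewerNash({"banks": {"BankA", "BankB"}, "oil": {"OilCo"}})
    return {
        "blp_read_up":    bell_lapadula("confidential", "secret", "read"),
        "blp_write_down": bell_lapadula("secret", "confidential", "write"),
        "blp_write_up":   bell_lapadula("confidential", "secret", "write"),
        "biba_read_down": biba("secret", "unclassified", "read"),
        "biba_write_up":  biba("unclassified", "secret", "write"),
        "biba_read_up":   biba("unclassified", "secret", "read"),
        # ana consults BankA, then OilCo (different class, fine), then BankB (same class as BankA: refused)
        "wall": [wall.access("ana", "BankA"), wall.access("ana", "OilCo"), wall.access("ana", "BankB")],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two things fall out of running it. Bell-LaPadula permits a confidential subject to write into a secret object while Biba forbids exactly that write, so a system that needs both properties cannot simply apply the same label for confidentiality and integrity. And Brewer-Nash, unlike the other two, is stateful: the answer for BankB depends on what `ana` read earlier, so the monitor has to record every permitted access.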
Accountable
Making sure a person is responsible for their actions.
Sarbanes-Oxley Act of 2002
A law that requires public companies to keep accurate financial records and prove that their financial reporting is trustworthy.
Auditing
The process of reviewing an organization’s records and information to ensure that people comply with laws, policies, and other bodies of administrative control.
Nonrepudiation
A security concept that ensures that a person cannot deny that they performed an action or sent a message.
Deterrence
Discourages people from attempting an attack or violating security policies.
Intrusion Detection and Prevention System (IDPS)
A security tool that monitors network or host activity for attacks or suspicious behavior; the umbrella term for IDS and IPS.
Intrusion Detection System (IDS)
Monitoring and alerting tool; notifies when an attack or other undesirable activity is taking place.
Intrusion Prevention Systems (IPS)
Detects and automatically blocks suspicious activity.
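The IDS and IPS cards differ only in what happens after a rule fires: one alerts, the other also blocks. The following added example, written for this flashcard set and not taken from the page or from any IDS product, runs one detection rule (a burst of failed logins from a single source) over constructed sshd-style log lines in both modes so the difference is visible in the output. The log lines, threshold and time window are all constructed.

```python
"""Minimal IDS/IPS: one detection rule run in alert-only (IDS) and blocking (IPS) mode
over constructed sshd-style log lines.

Added example for this flashcard set; the log lines and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<status>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: a burst of failures from 203.0.113.9 followed by a success
# from the same source, plus unrelated benign events.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[811]: Accepted password for alice from 10.0.1.20 port 51000 ssh2
2024-03-01T10:00:05 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
2024-03-01T10:00:07 sshd[813]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
2024-03-01T10:00:09 sshd[814]: Failed password for root from 203.0.113.9 port 40003 ssh2
2024-03-01T10:00:11 sshd[815]: Failed password for root from 203.0.113.9 port 40004 ssh2
2024-03-01T10:00:13 sshd[816]: Failed password for alice from 203.0.113.9 port 40005 ssh2
2024-03-01T10:00:20 sshd[817]: Accepted password for alice from 203.0.113.9 port 40006 ssh2
2024-03-01T10:05:00 sshd[818]: Failed password for bob from 10.0.1.21 port 52000 ssh2
"""

FAIL_THRESHOLD = 5     # this many failures ...
WINDOW_S = 60          # ... within this many seconds from one source IP


class Engine:
    def __init__(self, mode: str):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.flagged = set()                 # ips that tripped the threshold
        self.blocked = set()                 # ips the IPS now drops outright
        self.alerts = []
        self.dropped = []

    def process(self, line: str) -> str:
        """Return "ignored", "dropped", "alert" or "pass" for one log line."""
        m = LINE_RE.match(line)
        if not m:
            return "ignored"
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if ip in self.blocked:                       # only ever true in IPS mode
            self.dropped.append(line.strip())
            return "dropped"
        if m["status"] == "Failed":
            q = self.failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > WINDOW_S:   # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                self.alerts.append(f"brute force from {ip}: {len(q)} failures within {WINDOW_S}s")
                self.flagged.add(ip)
                q.clear()                            # don't re-alert on the same burst
                if self.mode == "ips":
                    self.blocked.add(ip)             # IPS: block, not just alert
                return "alert"
        elif ip in self.flagged:                     # a success after a brute-force burst
            self.alerts.append(f"successful login from flagged source {ip}")
            return "alert"
        return "pass"


def run(log_text: str, mode: str) -> Engine:
    eng = Engine(mode)
    for line in log_text.splitlines():
        eng.process(line)
    return eng


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        eng = run(SAMPLE_LOG, mode)
        print(mode.upper(), "alerts:", eng.alerts)
        print(mode.upper(), "dropped:", eng.dropped)
```

In IDS mode the successful login at 10:00:20 goes through and is merely reported as a success from a flagged source, which is the alert an analyst most wants to see; in IPS mode that login never reaches the host because the source was blocked at 10:00:13. That is also the trade-off the IPS card implies: automatic blocking stops the follow-on access, but a false positive on a legitimate address now locks someone out.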
Admissibility of Records
Refers to whether a record can be accepted as evidence in a legal proceeding, investigation, or court case. (Ex. Audit logs, Access logs, email records, etc.)
Logging
The process of recording events and activities that occur in a computer system, application, or network.
Vulnerability Assessments
The process of finding, identifying, and evaluating security weaknesses in a system, network, or application by using vulnerability scanning tools.
Penetration Testing
An ethical hacking exercise where security professionals try to break into a system to find and demonstrate real security weaknesses.
Compliance
Your adherence to the rules and regulations that govern the information you handle and the industry within which you operate.
Regulatory Compliance
Your adherence to the laws specific to the industry in which you operate.
Industry compliance
Adherence to rules, standards, regulations, or best practices that apply to a specific industry.
Administrative Controls
The rules and processes that tell people how to work securely.
Federal Information Security Management Act (FISMA)
A U.S. law that requires government agencies and organizations that work with the federal government to protect their information systems.
Federal Risk and Authorization Management Program (FedRAMP)
A government program created in 2011 that sets cybersecurity requirements for cloud service providers that want to work with U.S. federal agencies.
Gramm-Leach-Bliley Act (GLBA)
Requires financial institutions to protect customers’ personal and financial information, monitor access to it, notify customers about information sharing, and maintain a formal information security program.
Children’s Internet Protection Act (CIPA)
Requires schools and libraries to prevent children from accessing obscene or harmful content over the Internet.
Children’s Online Privacy Protection Act (COPPA)
Protects children under 13 by limiting the collection of their personal information and requiring parental notice and consent.
Family Educational Rights and Privacy Act (FERPA)
U.S. law that protects the privacy of student education records.