Pre-Computer
Security meant physical safes, guards, and codebooks (Enigma machine).
1960s (ARPANET)
Early internet. Security was not a priority; connectivity was. This legacy of "openness" creates many vulnerabilities today.
1990s (The Morris Worm)
The first major internet worm showed us the need for network security.
Today
Interconnected IoT, Cloud, and AI mean the attack surface is everywhere.
Information Security (InfoSec)
The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.
Information Assurance (IA)
A broader term that includes reliability and strategic risk management. It means ensuring the data is not only safe but usable for the business.
The CIA Triad
The industry standard model for security.
Confidentiality
Integrity
Availability
The Core Principle: Confidentiality
Ensuring that information is accessible only to those authorized to have access.
The Core Principle: Confidentiality
Breach Example: A hacker stealing credit card numbers (Data Leak).
The Core Principle: Confidentiality
Controls: Encryption, Passwords, Multi-Factor Authentication (MFA), File Permissions.
The Core Principle: Integrity
Ensuring that information remains accurate, complete, and is not modified by unauthorized actions (whether malicious or accidental).
The Core Principle: Integrity
Breach Example: A student changing their grade in the database from F to A.
The Core Principle: Integrity
Controls: Hashing (checksums), Digital Signatures, Version Control, Backups.
The Core Principle: Availability
Ensuring that authorized users have access to information and assets when required.
The Core Principle: Availability
Breach Example: A Denial of Service (DoS) attack crashing a website, or a power outage shutting down a server.
The Core Principle: Availability
Controls: Redundant power (UPS), RAID (disk redundancy), Cloud Backups, Disaster Recovery Plans.
Balancing the Triad
- You cannot have 100% of all three.
- Business Alignment
You cannot have 100% of all three.
Example: To make a system perfectly Confidential (unplug it from the internet), you hurt Availability (remote users can't access it).
Business Alignment
The balance depends on the business goal. A bank prioritizes Integrity. A news site prioritizes Availability.
The McCumber Cube
Created by John McCumber. It creates a grid to ensure no security gap is missed.
X-Axis
Security Principles (CIA Triad).
Y-Axis
Information States (Transmission, Storage, Processing).
Z-Axis
Countermeasures (Technology, Policies, People).
States of Data
Data at Rest (Storage)
Data in Transit (Transmission)
Data in Process
States of Data - Data at Rest (Storage)
Data stored on a physical or digital medium (Hard drives, USBs, Cloud servers, Filing cabinets).
States of Data - Data at Rest (Storage)
Risk: Physical theft, hacking the server.
States of Data - Data at Rest (Storage)
Control: Disk Encryption (BitLocker), Physical locks.
States of Data - Data in Transit (Transmission)
Data currently moving across a network (Cable, Wi-Fi, Cellular).
States of Data - Data in Transit (Transmission)
Risk: Interception (Man-in-the-Middle attacks), Eavesdropping.
States of Data - Data in Transit (Transmission)
Control: VPN (Virtual Private Network), SSL/TLS (HTTPS websites).
States of Data - Data in Process
Data currently being used by the computer's CPU or RAM. It is unencrypted during this brief moment to be readable by the computer.
States of Data - Data in Process
Risk: Malware reading memory, Power loss causing corruption.
States of Data - Data in Process
Control: Antivirus, Error-checking memory.
Countermeasures
- Technology
- Policies and Practices
- People
Countermeasures - Technology
- The hardware and software tools.
Countermeasures - Technology
Firewalls, IDS/IPS, Biometrics, Smart Cards.
Countermeasures - Technology
Note: _____ is often the first line of defense, but not the only one.
Countermeasures - Policies and Practices
The administrative rules.
Countermeasures - Policies and Practices
"Users must change passwords every 90 days."
"No USB drives allowed."
Policies enforce the use of technology.
Countermeasures - People
The human factor. Often called the "weakest link" but can be the "strongest asset."
Countermeasures - People
Training, Awareness programs, Background checks.
Countermeasures - People
Example: You can have the best firewall, but if a user gives their password to a stranger (Phishing), the firewall is useless.
Critical Characteristics of Information
- Accuracy
- Authenticity
- Utility
- Possession
Accuracy
Data is free from errors (Integrity).
Authenticity
Data is genuine and came from the stated source.
Utility
The data has value to the organization.
Possession
The organization actually owns/controls the data.
Summary & Key Takeaways
Effective security requires addressing every intersection of the Cube (e.g., Protecting Confidentiality of Data in Transit using Technology). However, we cannot achieve 100% of it, as doing so may hurt the other aspects within the Cube.