SECTION 6: Security (19%) PART 1


Security Concepts, Device Security and Passwords

Last updated 7:36 AM on 4/28/26

50 Terms

1

Confidentiality

  • The security concept of protecting information from unauthorized access, so that only authorized users can view and access the data they are authorized for

  • Prevents data breaches and leaks

2

Integrity

  • The security concept of ensuring data accuracy and completeness

  • Prevents unauthorized modification so that data remains trustworthy and reliable

  • Ensure only the right people can modify the data

3

Availability

  • The security concept of ensuring that systems and data are accessible, so that authorized users can access data when needed

  • Prevents denial of service situations

4

Privacy

  • The security concept of protecting personal information and control over how data is collected and used

  • Legal and ethical obligations

5

Personally Identifiable Information (PII)

  • Data that identifies specific individuals, such as names, addresses, phone numbers, social security numbers and IDs

  • Carries a legal obligation to protect it, with encryption, access controls, and breach notification requirements

6

General Data Protection Regulation (GDPR)

  • This is a European privacy law that applies to EU residents' data

  • It requires explicit consent for data collection, grants the right to access and delete data, and requires data protection by design

7

Cookie Consent

  • Web browser tracking permissions in which the user must approve cookie usage

  • Required for transparent data collection practices

8

Authentication

  • A security concept of verifying user identity; proving you are who you claim to be

  • The first step in access control

  • Ex: Passwords, PIN, biometrics, 2FA, etc.

9

Single Factor Authentication

  • The most basic authentication approach in which one method is needed to prove identity such as passwords, PIN, or biometrics

  • Not the most secure

10

Multifactor Authentication

  • An authentication approach of having multiple methods combined

  • Something you know, have, and are

  • Significantly increases security

11

Single Sign-On (SSO)

  • An authentication approach of having one login for multiple systems

  • Reduces password fatigue

  • Centralized authentication management

12

Authorization

  • The security concept of determining what authenticated users can do: their permissions and access rights

  • Controls system and data access

13

Permissions

  • These are specific rights granted to users

  • Read, Write, Execute, Delete

  • Applied to files, folders, and systems

  • Ex: Administrators have full control, while Users have limited permissions

14

Least Privilege Model

  • A concept of authorization in which regular Users get minimum required permissions

  • Reduces potential damage from breaches

  • Regular review of access rights

15

Accounting

  • A security concept of tracking and recording user activities

  • Who did what and when

  • Essential for security auditing

16

Logs

  • These are records of system and user activities such as login attempts and file access

  • Evidence for incident investigation

17

Location Tracking

  • This is the process of recording where activities occur

  • IP addresses and geographic data

  • Physical location of mobile devices

18

Web Browser History

  • The record of visited websites, search queries and downloads

  • Useful for forensic investigation

19

Non-repudiation

  • In cybersecurity, this ensures a party involved in a transaction or communication cannot falsely deny their actions

  • A key aspect in verifying accountability in digital environments

20

Security Awareness

  • The 1st line of defense against cyber attacks (user education)

  • Understanding common threats and risks

  • Recognizing suspicious activities

21

Social Engineering (Phishing)

  • The process of manipulating people to reveal information, exploiting human psychology rather than technology

  • Often bypasses technical security measures

  • Ex: fake bank emails requesting login, urgent messages about account problems, suspicious attachments or links to malicious websites

22

Malicious/Compromised Content

  • These are software or files containing harmful code which may steal data or damage systems

  • They are often disguised as legitimate content

  • These can come from legitimate websites or apps that have been hacked

23

Device Authentication

  • The process of securing a device by using unique passwords, multi-factor authentication, biometric locks or PINs that prevent unauthorized use

24

Anti-Malware Protection

  • The process of securing a device by installing software that detects harmful programs, with real-time scanning and removal and regular updates for new threats

25

Firewall Protection

  • The process of securing a device by having a firewall that blocks unauthorized network connections and monitors incoming and outgoing traffic. This can be hardware or software based

26

Patching/Updating

  • The process of securing a device by frequently installing stable security fixes/improvements and OS and application updates that fix known vulnerabilities

27

Physical Device Security

  • The process of securing a device physically by protecting against theft and tampering in public spaces with tools such as cable locks or USB locks

28

Licensing

  • These are legal permissions to use software

  • Different models are available, each with compliance requirements and costs

  • Open-source or proprietary

29

Open-Source Software

  • This is software that is free to use, modify, and distribute

30

Proprietary Software

  • This is commercial software that requires a license (ex: Microsoft, Adobe)

31

Subscription License

  • A type of license that has ongoing monthly or yearly fees

32

One-time Purchase License

  • A type of license that only requires a single payment for the software

33

Perpetual License

  • A type of license that grants lifetime, permanent access

34

Product Keys/Serial Numbers

  • These are unique identifiers for software licenses required for installation and activation

  • Keep secure and backed-up

35

Research

  • Before installing software, check developer reputation and reviews, verify digital signatures, and compare with known legitimate sources

36

Original Equipment Manufacturer (OEM) Websites

  • When trying to download or install drivers and system software, find the official website of the manufacturer and download directly from there.

37

Third Party Distributors

  • They are resellers and distributors of legitimate software and hardware

  • Use cautiously: check reviews and scan for viruses

38

Application Stores

  • These are curated software repositories that are safer than random downloads

  • Ex: Google Play Store, Microsoft Store, etc.

39

Software Piracy

  • The activity of downloading, installing, and using software without licensing

  • It is illegal and carries legal risks, and pirated software often contains backdoors or malware

40

Valid Web Certificates

  • These are digital credentials that verify website identity, issued by trusted authorities and indicated by the green lock icon in the browser

  • Means that the website uses encrypted connections and that it is safe to enter sensitive information

41

Invalid Web Certificates

  • These are expired, self-signed, or mismatched web certificates

  • Browser warnings are often displayed upon opening the website

  • Avoid entering sensitive data

42

Password Length Consideration

  • Longer passwords are more secure and take longer to crack using brute force attacks

  • 8 characters: easily cracked

  • 10+ characters: much stronger protection

43

Brute Force Attacks

  • An attacker systematically tests all possible character combinations for a password, so increased password length increases security

44

Passphrase

  • A sequence of words, typically longer than a traditional password, used to authenticate or secure access to a computer system, online account, or other digital resource.

  • Usually consists of a combination of words that are easy to remember, but difficult for others to guess or crack through brute force attacks.

  • Ex: I Like Pancakes I Like Color Yellow

45

Password Complexity Considerations

  • A password should have a mix of uppercase, lowercase, numbers, and symbols

  • Avoid dictionary words and common patterns, use unpredictable character combinations

  • Weak: password123

  • Strong: K9$mR#8nF2pL

  • Passphrase: Coffee!Morning@7am

46

Past Passwords Considerations

  • Prevent reusing recent passwords

  • There are systems that remember previous passwords and force you to create a new one

  • Reusing passwords for every account or website is risky; use a unique password for each critical/important account or website to prevent cross-account compromise

47

Password Expiration Considerations

  • An organization sets a policy to force users to create new passwords at intervals such as 30-90 days

  • Can lead to password fatigue, so the modern approach is to have longer passwords with greater complexity and less expiration

48

Password Fatigue

  • This happens when users struggle to remember frequently changed passwords, which can lead to weak passwords such as predictable/incremented passwords:

  • Ex: “Password1” to “Password2”

49

Password Managers

  • These are software or web extensions that store and generate passwords

  • Generate a unique password for every account

  • Have encrypted storage with a master password

50

Change Default Usernames/Passwords

  • Replace manufacturer default credentials because most default credentials are publicly known (can be found in manuals or online) and are common targets for attackers

  • The first step in securing new devices