What is Information Security?
Information security has no single agreed definition; Wikipedia alone lists about nine.
Precise definitions matter because security engineers must communicate with legal and compliance professionals, for whom the exact wording of a term carries weight.
Key Categories of Security Definitions:
Security is most often described in terms of three properties (the CIA triad):
Confidentiality:
Ensures only authorized individuals have access to data.
Example: if an unauthorized person reads HR files, confidentiality is compromised.
Integrity:
Ensures data remains accurate and uncorrupted over time and is changed only by authorized parties.
Example: an attacker altering someone else's banking details is an integrity breach.
Availability:
Ensures data is accessible when needed.
Example: a website becomes unusable if its servers are shut down or overloaded; that is an availability breach.
Further properties such as authenticity (verifying that data or a party is what it claims to be) and non-repudiation (a party cannot later deny an action it took) are sometimes added, but whether they belong in the core definition is debated.
Definitions through Risk Management:
Some definitions encompass managing a set of identified risks.
Example: Taking steps to reduce the risk of stolen laptops (locking them down).
Different Perspectives on Risk:
Technical perspective: Risks linked to software bugs or vulnerabilities.
Risk management perspective: risks can be reduced or accepted but never go away entirely, so they must be managed and re-assessed continually.
Defining Risk:
A risk can be quantified as likelihood multiplied by impact.
Mitigation measures can reduce either factor: locking laptops to desks lowers the likelihood of theft, while encrypting their disks lowers the impact if one is stolen anyway.
Understanding Security Operations:
Security operations is the practice of deciding which actions are taken to mitigate identified risks and of analysing the exposure that remains afterwards.
Cybersecurity vs. Information Security:
Cybersecurity deals with online threats while information security encompasses a broader array of threats, including physical breaches.
Information Security Management:
Focuses on measuring and managing security efforts and the effectiveness of implemented security measures.
Goals of Security:
Security aims to ensure that only the intended outcomes occur for the data an organisation possesses.
Roles in Data Protection:
Data Subject: Individual whose data is collected.
Data Controller: Entity that collects and manages data for services.
Data Processor: Entity (often a third-party service) that processes data on behalf of, and on the instructions of, the data controller.
Regulatory Responsibilities:
Controllers must ensure secure data processing, with regulations like GDPR outlining data subjects' rights and controllers' obligations.
Definitions of Phishing and Related Terms:
Phishing: Deceptive attempts via electronic communications to extract information or install malware.
Variants:
Spear Phishing: Targeted phishing attempts aimed at specific individuals or organizations.
Vishing, Smishing: The same deception delivered by voice call (vishing) or SMS (smishing).
Malware: Software with malicious intent, including viruses, worms, and ransomware.
Social Engineering and Unauthorized Access:
Techniques such as shoulder surfing (watching someone type a password or PIN) and tailgating (following an authorized person through a door into a secure area).
Security Principles:
Least Privilege: Each user and process is granted only the access its role requires, and nothing more.
Defense in Depth: Layering multiple independent controls so that the failure of any one of them does not compromise the whole system.
Role-Based Access Control: Permissions are attached to job roles and users are assigned to roles, rather than granting permissions to individuals one by one; this simplifies administration and makes access reviews tractable.
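The following is an added example (not part of the course notes) showing how role-based access control and a least-privilege review fit together: permissions hang off roles, users hang off roles, authorization is default-deny, and excess grants can be listed for review. The roles, resources and users are constructed sample data.

```python
"""Role-based access control with a least-privilege review.

Added illustration, not from the course notes. Roles, permissions and users
below are constructed sample data; a real system would load them from a
directory or policy store.
"""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (action, resource), e.g. ("read", "hr_files")

# Permissions are attached to roles, never directly to individual users.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "employee":   {("read", "intranet")},
    "hr_staff":   {("read", "intranet"), ("read", "hr_files"), ("write", "hr_files")},
    "bank_clerk": {("read", "intranet"), ("read", "accounts"), ("write", "accounts")},
    "auditor":    {("read", "intranet"), ("read", "hr_files"), ("read", "accounts")},
}

# Users are assigned roles; a job change means changing role membership,
# not editing dozens of per-user permission entries.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"hr_staff"},
    "bob":   {"bank_clerk"},
    "carol": {"auditor"},
    "dave":  {"employee"},
}


def effective_permissions(user: str) -> Set[Permission]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: str, action: str, resource: str) -> bool:
    """Default deny: only an explicit grant through a role allows the action."""
    return (action, resource) in effective_permissions(user)


def least_privilege_violations(user: str, needed: Set[Permission]) -> Set[Permission]:
    """Permissions the user holds beyond what their job actually needs.

    Reviewing this set periodically is how least privilege is enforced in
    practice, because grants accumulate as people change jobs.
    """
    return effective_permissions(user) - needed


if __name__ == "__main__":
    print(is_authorized("alice", "write", "hr_files"))   # True
    print(is_authorized("bob", "read", "hr_files"))      # False: would breach confidentiality
    print(is_authorized("carol", "write", "accounts"))   # False: would breach integrity
    # Carol's job only needs read access to accounts; everything else is excess.
    print(least_privilege_violations("carol", {("read", "accounts")}))
```

Note that an unknown user gets no permissions at all rather than an error: the check is default-deny, which is the safe failure mode for an authorization decision.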
Authentication Mechanisms:
One-Time Passwords: Single-use codes, delivered by SMS or generated by an authenticator app from a shared secret, used as a second factor in multifactor authentication. App-generated codes are preferred because SMS can be intercepted or redirected (for example by SIM swapping).
Exploit and Attack Types:
Zero-Day Exploit: Exploitation of a vulnerability for which no fix is yet available; the vendor has had "zero days" to patch it.
Brute Force Attack: Systematically trying every possible password or key until one is accepted. Its cost grows with password length and alphabet size, and online attempts against a login interface are blocked by rate limiting and account lockout.
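An added example (not from the course notes) contrasting the two settings in which brute force is attempted. Against a stolen password hash the attacker can iterate the whole search space offline; against a live login service a lockout policy ends the attack after a handful of guesses. The target password, its hash and the lockout threshold are constructed for illustration, and SHA-256 stands in for a real password hash only so the offline search finishes in well under a second.

```python
"""Brute-force password guessing, offline versus online.

Added illustration, not from the course notes. The target password, hash
and lockout policy are constructed. Real systems store passwords with a
slow, salted hash (bcrypt, scrypt, Argon2); plain SHA-256 is used here only
so the exhaustive search finishes quickly.
"""
import hashlib
import itertools
import string
from typing import Optional, Tuple

ALPHABET = string.ascii_lowercase          # 26 symbols
PASSWORD_LENGTH = 4                        # 26**4 = 456,976 candidates

# Constructed target: the 4-character password "zulu", stored as SHA-256.
TARGET_HASH = hashlib.sha256(b"zulu").hexdigest()


def _digest(candidate: str) -> str:
    return hashlib.sha256(candidate.encode()).hexdigest()


def offline_brute_force(target_hash: str, length: int) -> Tuple[Optional[str], int]:
    """Exhaustively try every ALPHABET string of the given length against a
    stolen hash. Nothing limits the attacker here except compute time.
    Returns (recovered_password_or_None, guesses_made)."""
    guesses = 0
    for combo in itertools.product(ALPHABET, repeat=length):
        guesses += 1
        candidate = "".join(combo)
        if _digest(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


class LoginService:
    """Online login with a lockout policy: after MAX_ATTEMPTS consecutive
    failures the account is locked, so the attacker cannot walk the
    search space through the login form."""
    MAX_ATTEMPTS = 5

    def __init__(self, password_hash: str) -> None:
        self._hash = password_hash
        self.failed_attempts = 0
        self.locked = False

    def login(self, password: str) -> bool:
        if self.locked:
            return False
        if _digest(password) == self._hash:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.MAX_ATTEMPTS:
            self.locked = True
        return False


def online_brute_force(service: LoginService, length: int) -> Tuple[Optional[str], int]:
    """The same search driven through the login interface; it stops as soon
    as the account locks. Returns (password_or_None, guesses_made)."""
    guesses = 0
    for combo in itertools.product(ALPHABET, repeat=length):
        if service.locked:
            break
        guesses += 1
        candidate = "".join(combo)
        if service.login(candidate):
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    print(offline_brute_force(TARGET_HASH, PASSWORD_LENGTH))   # ('zulu', 453227)
    print(online_brute_force(LoginService(TARGET_HASH), PASSWORD_LENGTH))  # (None, 5)
```

Lockout is not free: an attacker who can trigger it at will can lock legitimate users out, which is an availability problem. Progressive delays or per-source rate limiting are common alternatives, and a slow password hash is what limits the offline case.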
Multifactor Authentication Types:
Something you know (a password), something you have (a phone or hardware token), something you are (a fingerprint or other biometric); genuine multifactor authentication combines factors from different categories, so two passwords do not count.
Discussion on Ethical Implications in Hacking:
The boundary between black hat (malicious) and white hat (ethical, authorized) hacking is not always clear-cut, and where exactly the ethical line falls is open to debate.
Week 2