DACS 2201 / 01-INTRODUCTION TO SECURITY
Administrative Information and Acknowledgements
- Source Material Adaptation: The slides and laboratory handouts utilized in the course involve information and exercises adapted from various major resources: * Textbook: CompTia Security+ Guide to Network Security Fundamentals authored by Mark Ciampa. * Historical Course Material: Content created by previous instructors including Nalin Wijesinghe, Abdullatif Shikfa, Robert Ford, and others. * Cisco Networking Academy: Security courses sourced from the Cisco Networking Academy website (https://www.netacad.com/courses/cybersecurity).
Lecture Attendance Policies
- Recording Mechanism: Attendance is recorded via the card reader located at the theater door.
- Requirement for Entry: Students must tap their identification cards for attendance to be registered.
- Tapping Protocol: * Tapping is only required at the beginning of the lecture. * There is no requirement to tap the card when exiting the theater.
- Timing Constraints: * Cards should not be tapped too early. Record entries made more than minutes before the official start of the lecture will not be considered. * Late arrival threshold: If a student is more than minutes late, they will be recorded as absent.
- Management and Exceptions: * Attendance is managed by a centralized attendance office. * Students are instructed not to email the instructor to apologize for absences or request to be excused. * Assessment Misses: The only instance requiring direct contact with the instructor is if an assessment is missed. This contact must be face-to-face, not via email. * Grade Accommodation: Recorded absences will not be changed; however, the student will be informed regarding potential grade accommodations if possible.
Learning Objectives of Introduction to Security
- Define Information Security: Establish a formal definition of the field.
- Key Objectives: Enumerate and realize the primary goals of security.
- The CIA Triad: Explain the principles of confidentiality, integrity, and availability.
- States of Data: Identify the different physical and digital forms data takes.
- Cybersecurity Countermeasures: Describe the methods used to protect systems.
- Trade-offs: Explain the balance between security and other factors such as usability and cost.
The Ubiquity of Modern Computing
- Pervasive Nature: Computers are considered ubiquitous in contemporary society.
- Daily Dependencies: Humans depend on computers for a variety of regular tasks, including but not limited to: * Education and academic study. * Online commerce (shopping). * Online financial transactions (banking). * Gaming and entertainment. * Communication (emails, instant messaging/chat, and video conferencing). * Management of Smart Home and Internet of Things () devices.
Discussion: Dangers of Unauthorized Access
- Sensitive Information Sources: Discussion explores the risks associated with malicious actors or unauthorized persons accessing the following: * Personal student laptops (e.g., a student at UDST). * Social media accounts. * Personally Identifiable Information () such as Social Security Numbers, Qatar IDs, dates of birth, or residential addresses. * Institutional educational records and computers. * Large-scale data center servers (e.g., Google or Amazon). * Healthcare and medical records. * Employment and organizational records. * Financial data.
Technology and Security Risks
- The Risk of Convenience: While technology provides convenience, it introduces significant risks: * Financial Theft: Funds can be stolen if bank accounts are breached. * Privacy Violations: Exposure of private photos, emails, or chat logs. * Reputational and Economic Damage: Organizations can lose millions of dollars and suffer brand degradation if databases containing proprietary information are breached. * Infrastructure Impact: Large-scale damage can include powering off the electricity grid or grounding commercial flights.
Defining Information Security
- Core Goal of Security: To be free from danger, including natural disasters, network invasions, vandalism, loss, or misuse.
- Attainability: Achieving security is considered almost impossible. However, protective measures (steps) are implemented to safeguard digital assets.
- Information Security Definition: The task of securing digital information in various forms: * Microprocessor Manipulation: Data being handled by a CPU (e.g., a personal computer). * Storage Preservation: Data saved on devices like hard drives or flash drives. * Network Transmission: Data moving over Local Area Networks () or the Internet.
The CIA Triad
- Purpose: To protect information that provides value to individuals and enterprises.
- The Three Principles: * Confidentiality. * Integrity. * Availability.
- System Integrity: If any one of these three principles is breached, the information system is deemed unsecure.
- Specialist Focus: The triad allows cybersecurity specialists to prioritize what needs to be protected in the cyber world.
Confidentiality
- Definition: Ensuring data is protected from those not authorized to view it (keeping secret data secret).
- Examples of Secret Data: * Bank card codes. * Learning management system passwords (e.g., account). * Credit card numbers.
- Data Classification: Organizations collect vast amounts of data. Some data (names/phone numbers) may not be sensitive, while other data must be protected from disclosure to safeguard individuals or organizations.
- Ways Confidentiality is Compromised: * Physical loss of hardware (laptops) containing private files. * Shoulder surfing (looking over someone's shoulder during password entry). * System penetration (hacking) of organizational databases.
- Methods of Protection: Data encryption, authentication mechanisms, and access control.
Integrity
- Definition: Also referred to as "quality," it is the accuracy, consistency, and trustworthiness of data throughout its entire life cycle.
- Prevention of Alteration: It refers to the ability to prevent unauthorized or undesirable modifications to data.
- Scenario: An attacker modifying a bank request from sending to a family member to sending to the attacker's account.
- Maintenance Requirements: * Preventing unauthorized access. * The ability to reverse (roll back) unwanted changes.
- Implementation Examples: * Operating system permissions: Assigning read, write, and execute permissions to specific files. * Version control: Systems that allow reverting to earlier versions of data.
Availability
- Definition: The ability to access data whenever it is needed.
- Causes of Loss: * Power Failures. * Malfunctions of the Operating System (), network, or applications. * Denial of Service (DoS) attack: An attacker floods a system with fake requests to slow or stop legitimate server responses.
- Methods of Ensuring Availability: * System redundancy. * Regular system backups. * Equipment maintenance. * Disaster recovery plans.
Questions & Discussion
- Case 1: The Hijab Photo Incident * Question: A student loses a smartphone containing photos of her without a hijab. The phone has no screen lock. The finder views the photos and recognizes her before returning the phone. Which pillar of the CIA triad was breached? * Response: Confidentiality. The data (photos) was viewed by someone unauthorized to see it.
- Case 2: The Password Protected USB * Question: A student loses a drive containing password-protected files. What can be said about this incident? * Response: Availability was compromised because the student no longer has access to the files stored on the lost drive.
The Three States of Data
Data must be protected in all three of its possible states:
Data at Rest (Data in Storage) * Definition: Data retained on a storage device when it is not being used by a process or user. * Direct-Attached Storage (DAS): Storage connected directly to a computer (e.g., internal hard drive, flash drive). * Network Storage Technologies: * RAID: Redundant Array of Independent Disks. * NAS: Network Attached Storage. * SAN: Storage Area Network.
Data in Transit (Data in Motion) * Definition: Data moving from one device to another across a wired or wireless network. * Examples: Web form submissions, emails, text messages, or sensor data sent for processing.
Data in Process * Definition: Data currently being utilized or manipulated by a user or a system process. * Examples: An active file being edited by a user or information being processed by a web server.
Cybersecurity Countermeasures
Countermeasures are categorized into three distinct powers used to protect the cyber world:
Security Products and Technologies
- Software: Antivirus and antimalware programs.
- Hardware: Firewalls, Intrusion Detection Systems (), and Intrusion Prevention Systems ().
- Network: Virtual Private Networking (), Network Access Control (), and Wireless Access Point security.
- Cloud: Cloud-based security technologies.
Policies and Procedures
- Security Policy: A set of objectives and rules of behavior for users and admins.
- Standards: Help Maintain consistency in network operations.
- Guidelines: Suggestions for efficient and secure operations.
- Procedures: Detailed, step-by-step instructions (operation/configuration manuals) often featuring graphics.
Human Training and Education
- Role: Humans are critical to security; errors often stem from lack of awareness rather than malice.
- Implementation: * Onboarding security awareness training. * Linking security to performance evaluations or job requirements. * In-person sessions and online courses.
- Continuity: Training must be ongoing because threats and techniques evolve constantly.
The Cybersecurity Cube
- Integration: Protection is achieved by combining three entities into what is known as the Cybersecurity Cube: 1. The CIA Triad (Confidentiality, Integrity, Availability). 2. The States of Data (Rest, Transit, Process). 3. Security Countermeasures (Technology, Policy, People).
- Definition of Information Security within the Cube: The protection of the confidentiality, integrity, and availability of information by using countermeasures to protect data in all states.
Security Trade-offs
- The Perfection Paradox: Security is never perfect. The only fully secure system is one that is shut down and isolated, which renders it unusable and unproductive.
- Competing Interests: Security is a balance between: * Security vs. Convenience. * Security vs. Usability. * Security vs. Performance. * Security vs. Cost.
- Cost-Effectiveness: Security is often sought to be "good enough" under specific conditions. If the cost to secure an item is higher than the harm caused by its loss, it is more cost-effective to fix the damage later.
- Practical Examples: * No password: Very usable/convenient, but zero security. * Extreme security: A computer logging off every minute requiring a -character password, finger swipe, and face scan. This is secure but destroys productivity. * Metaphor: One would not build a castle and hire armed guards specifically to protect a mother's cake recipe.