The BASICS
Overview of Security Disciplines
Holistic Security Approach: Organizations must develop an enterprise-wide security program that integrates technologies, processes, and procedures.
Common Issues: Many organizations have partial security implementations and face challenges in risk assessment and resource allocation.
Importance of Well-rounded Knowledge: Security professionals must understand various disciplines to address deficiencies in security programs effectively.
Fundamental Principles of Security
AIC Triad: Availability, Integrity, and Confidentiality are the core goals of security, protecting critical assets.
Availability: Ensures reliable access to data and resources for authorized users; requires mechanisms against disruptions.
Integrity: Guarantees the accuracy and reliability of information and systems while preventing unauthorized modifications.
Confidentiality: Protects sensitive information from unauthorized access and disclosure.
The AIC principles guide how risks, threats, and vulnerabilities are assessed and managed.
Detailed Principles
Availability
Objective: Ensures timely data access and operation without productivity loss.
Requirement: Protection against threats such as hardware failures, environmental disturbances, and unauthorized access.
Must consider operational environments to mitigate availability risks.
Integrity
Objective: Maintains data accuracy and prevents unauthorized changes.
Mechanisms: Utilize access controls, hashing, and segregation of duties to prevent data integrity issues.
User errors can also compromise integrity through accidental modifications or deletions.
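The hashing mechanism named above, as an added example that is not part of the original notes: a keyed HMAC over a constructed configuration record catches both an operator's accidental edit and a deliberate change made without the key, while a plain digest only covers the accidental case. The record, the key and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed sample record (not from the page): the contents of a small config file.
RECORD = b"allow_remote_admin=false\nmax_login_attempts=5\n"

# Constructed demonstration key; in a real program it comes from a key store.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental modification (typos, bit rot),
    but anyone can recompute it after a deliberate change."""
    return hashlib.sha256(data).hexdigest()


def tag(data: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed HMAC-SHA256: also detects deliberate modification, because a party
    without the key cannot produce a matching tag for altered data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, expected_tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison so the check does not leak how many leading
    characters of the tag matched."""
    return hmac.compare_digest(tag(data, key), expected_tag)


def demo() -> dict:
    """Store a tag for the original record, then check it against an edited copy."""
    stored_tag = tag(RECORD)
    # Accidental user error from the notes: a single setting is flipped.
    modified = RECORD.replace(b"false", b"true")
    return {
        "unchanged_verifies": verify(RECORD, stored_tag),
        "modified_verifies": verify(modified, stored_tag),
        "digest_changed": digest(RECORD) != digest(modified),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that neither function hides the record's contents: integrity protection says nothing about confidentiality, which is why the notes list encryption separately under the next principle.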
Confidentiality
Objective: Enforces secrecy at all stages of data processing.
Threats: Includes network monitoring, social engineering, and shoulder surfing.
Protection Methods: Encrypting data, access controls, and employee training on data protection.
Balanced Security Approach
All three AIC principles are equally critical; in practice integrity and availability are often overlooked in favor of confidentiality.
Security must be tailored to the specific requirements of assets based on confidentiality, integrity, and availability needs.
Key Terms
Availability: Accessible data and resources for authorized individuals.
Integrity: Assurance of accurate information without unauthorized modification.
Confidentiality: Levels of secrecy enforced to prevent unauthorized disclosure.
Shoulder Surfing: Unauthorized viewing of data by observing over another's shoulder.
Social Engineering: Manipulation to gain confidential information.
Security Definitions
Vulnerability
Defined as weaknesses in a system or security controls that can be exploited.
Threat
Any potential danger targeting a vulnerability, executed by a threat agent.
Risk
The likelihood of a threat agent exploiting a vulnerability, impacting business.
Exposure
Instance where an organization is vulnerable to loss.
Control/Countermeasure
Mechanisms implemented to mitigate risks.
Control Types
Administrative Controls: Soft controls focused on management (e.g., personnel security, documentation).
Technical Controls: Hard controls involving software/hardware (e.g., firewalls, encryption).
Physical Controls: Security measures protecting facilities and resources (e.g., locks, guards).
Control Functionalities
Preventive: Aim to prevent incidents from occurring.
Detective: Identify activities and incidents after they happen.
Corrective: Address and fix issues post-incident.
Deterrent: Discourage potential attacks.
Recovery: Restore operations to normal.
Compensating: Offer alternative protection methods.
Security Frameworks
Security through Obscurity: An ineffective strategy that relies on attackers not knowing how a system works.
Sound, well-written code is what provides protection; the secrecy of the code itself should never be relied on as a security measure.
Summary
Defense-in-depth: The strategy of using multiple layers of controls so that no single control's failure exposes valuable assets to the various threats against them.