Security is both the state of being free from danger (the goal of security) and the measures taken to ensure that state (the process of security).
As security is increased, convenience is often decreased: the more secure something is, the less convenient it may be to use.
By the end of this module you should be able to define information security, explain its principles, identify threat actors and their motives, describe how attacks occur, understand their impact, and list various information security resources.
Principles of Security (CIA Triad and Access Control)
The core security principles are the three protections of the CIA triad: Confidentiality, Integrity, Availability.
Confidentiality: ensures that only approved individuals may access information.
Integrity: ensures information is correct and unaltered.
Availability: ensures information is accessible to authorized users.
Controlling access to information involves:
Authentication: verifying that a user’s credentials are authentic.
Authorization: granting permission for a user to take a particular action.
Accounting: recording who accessed the network, what resources were accessed, and when they disconnected.
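The three access-control steps above, shown as a small worked example added to these notes (not code from the module itself). It uses only the Python standard library; the user store, the role-to-action policy, and the audit log are constructed sample data, and the iteration count is illustrative.

```python
"""Authentication, authorization, and accounting (AAA) in one request path.

Example code written for these notes; the users, roles and permissions
below are constructed sample data, not a real system's configuration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user store: username -> salt, password hash, role.
USERS = {
    "alice": make_user("correct horse battery staple", "admin"),
    "bob": make_user("hunter2", "analyst"),
}

# Constructed authorization policy: role -> set of permitted actions.
PERMISSIONS = {
    "admin": {"read_report", "delete_report"},
    "analyst": {"read_report"},
}

# Accounting sink: an append-only list standing in for a log system.
AUDIT_LOG: list[dict] = []


def authenticate(username: str, password: str) -> bool:
    """Verify the presented credential against the stored hash."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so response time does not reveal whether the name exists.
        _hash_password(password, b"\x00" * 16)
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def authorize(username: str, action: str) -> bool:
    """Decide whether an already-authenticated user may perform the action."""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())


def account(username: str, action: str, outcome: str) -> dict:
    """Record who attempted what, with what result, and when."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "action": action,
        "outcome": outcome,
    }
    AUDIT_LOG.append(entry)
    return entry


def request(username: str, password: str, action: str) -> str:
    """Run the three steps in order; every path, including failures, is logged."""
    if not authenticate(username, password):
        account(username, action, "auth_failed")
        return "auth_failed"
    if not authorize(username, action):
        account(username, action, "denied")
        return "denied"
    account(username, action, "allowed")
    return "allowed"


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "delete_report"))  # allowed
    print(request("bob", "hunter2", "delete_report"))                         # denied
    print(request("bob", "wrong", "read_report"))                             # auth_failed
    for entry in AUDIT_LOG:
        print(entry)
```

Note that accounting records failed authentication and denied authorization as well as successful actions; a log that only captures successes cannot show an attacker guessing passwords or probing for permissions they lack.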
Security Controls
A security control is a safeguard employed within an enterprise to protect the confidentiality, integrity, and availability (CIA) of information.
Types of controls include:
Deterrent controls
Preventive controls
Detective controls
Compensating controls
Corrective controls
Directive controls
Cybersecurity vs Information Security
Cybersecurity typically involves practices, processes, and technologies to protect devices, networks, and programs that process and store data in electronic form.
Information security protects processed data that is essential in an enterprise environment.
Confidentiality in Practice (Exam Cue)
Question: Which CIA element ensures that only authorized parties can view protected information?
Answer: Confidentiality.
Examples of confidentiality tools: encryption of credit card numbers on a web server; door locks to prevent access to servers; access controls.
Confidentiality can involve a range of tools from software to physical security.
Threat Actors and Their Motives
A threat actor is an individual or entity responsible for attacks (also called attacker).
Target categories in financial crime include individuals, enterprises, and governments.
Threat actors can be categorized as:
Unskilled attackers: lack technical knowledge; use easy-to-use tools that are freely available or cheap; motivation is usually data exfiltration or service disruption.
Shadow IT: bypassing corporate approval for technology purchases; motivation is often ethical, but security is weakened.
Organized crime: highly centralized groups engaged in illegal activities; moved into cybercrime; motivation is financial gain.
Insiders: company employees, contractors, or business partners; motivation could be revenge or blackmail; hard to recognize attacks.
Hacktivists: ideology-driven actors; aim to disrupt or spread political messages; may break into websites and alter content or disrupt services.
Common vulnerability sources that threat actors exploit include:
Misconfigurations: improper configuration settings that leave a system exposed.
Zero-day vulnerabilities: exploited before the vendor or defenders know they exist, so there are zero days of warning; considered extremely serious.
Impact of Attacks
A successful attack results in several negative impacts, which can be classified as data impacts and overall effects:
Availability loss: systems become inaccessible, leading to lost productivity and financial loss.
Data loss: destruction of data that cannot be recovered.
Data exfiltration: stealing data to distribute to others.
Data breach: unauthorized disclosure of data.
Identity theft: stealing personal information to impersonate someone (e.g., Social Security numbers, credit card numbers).
Reputational impact: damage to public perception of the enterprise.
Financial loss: direct/indirect costs associated with attacks.
Other data-related harms: deletion of patient data in healthcare, compromised research data, etc.
Information Security Resources
Defenders have external cybersecurity resources to help ward off attacks, including frameworks, regulations, legislations, standards, benchmarks/guides, and information sources.
Frameworks
An information security framework is a set of documented processes to define policies and procedures for implementing and managing security controls.
The NIST Cybersecurity Framework (CSF) components:
Regulations: regulatory compliance is the process of adhering to regulations.
Categories of regulations:
Broadly applicable regulations
Industry-specific regulations
US state regulations
International regulations
Legislations: laws enacted by governing bodies (national, territorial, state) that relate to information security; the resulting complexity can produce a hodgepodge of requirements with not always good cybersecurity outcomes.
Standards
A standard is a document approved by a recognized standardization body that provides frameworks, rules, guidelines, or characteristics for products and processes.
Example: PCI DSS (Payment Card Industry Data Security Standard).
Benchmarks / Secure Configuration Guides
Benchmarks or secure configuration guides are provided by hardware manufacturers or software developers.
They serve as guidelines for configuring devices or software to be resilient to attacks.
These are typically platform/vendor-specific.
Information Sources
Request for Comments (RFCs): documents authored by technology bodies, with input from engineers and scientists.
Data feeds: continuously maintained databases of the latest cybersecurity incidents.
Common data feeds include vulnerability feeds that provide information on the latest vulnerabilities.
Adversary TTPs (Tactics, Techniques, and Procedures): database of threat actor behaviors and how they conduct attacks.
Knowledge Check (Key Takeaway)
Question: What is another name for attack surface?
Answer: Threat vector.
Explanation: An attack surface is also called a threat vector; both refer to the digital platforms threat actors target for exploits.