Confidentiality - Applies to both data and system information and is sometimes referred to as the secrecy objective. Information must be protected to eliminate the loss or disclosure of the information. Encryption algorithms are used while data is in transit.
Availability - Ensures accessibility to all hardware, software, applications, and data throughout the system. Availability concepts include the physical availability of hardware and data, system hardware redundancy, and connection and transmission availability.
Integrity - Ensures that system resources are protected from unauthorized, unanticipated, or unintentional modifications.
Primary Security Categories
Note:
Prevention - The actions taken or the products purchased and installed in an effort to reduce the likelihood that something bad may happen, e.g. using a lock, creating a strong identification and authentication system, providing user training, or applying strong security rules on firewalls and routers.
Detection - Using an IDS (intrusion detection system) or automated log monitoring that generates alerts.
Recovery - The actions that must be taken after an unwanted occurrence. Implement plans and programs to follow should systems be damaged or databases corrupted.
Access Controls
Note:
Identification - The first step in the process. Every user, application, or system begins the access process by providing some form of identification.
Authentication - Second step of the access process. This FACTOR should be something unique to the user or the system.
Authorization - The third step of the access process. Upon successful authentication, the user is assigned rights and privileges based upon a stored profile.
Accounting - Refers to tracking and recording the use of network assets and resources by users or intruders.
Auditing - The act of reviewing log files or forensic information.
People are always the biggest threat to the resources and data within an enterprise. Training is a nontechnical control used with people.
Nonrepudiation
Note:
Nonrepudiation - Neither the sender nor the receiver (under certain circumstances) may deny their actions. The primary tool used to enforce nonrepudiation of the sender is a digital signature.
A user is directly identified as the sender of a message.
Risk
Note:
Reducing risk is referred to as mitigating risk. By locking the door, I reduce the risk, and by placing chains around the door, I mitigate the risk even further.
Components of risk:
Threat - Any incident or action that, if carried out, could cause harm or the loss of data or an asset.
Threat vector - The path that an attacker might take to take advantage of a vulnerability and do harm.
Threat vectors for a server room fire: a fuse shorts out and causes a power cable to overheat, causing a fire; lightning strikes a power pole and sends a surge into the server room equipment, causing a fire.
Vulnerabilities - The weaknesses within a network, host, application, or database that may be penetrated or exploited by an attacker.
Controls - Safeguards, countermeasures, policies, and procedures that may be used to mitigate risk.
Controls are grouped into three categories: physical, logical, and administrative.
Exam point: Vulnerabilities are weaknesses. Controls are used to reduce the possibility that a threat will exploit a vulnerability, and these controls may be classified as physical, logical, or administrative.
Due Care
Note:
Due care is the set of actions that a reasonable and prudent person would take to protect an organization's assets. This would include selecting and installing controls to mitigate risk. Due diligence is ensuring that the controls put into place are functioning adequately.
User Security Management
Note:
A security professional's responsibility is to secure and protect the organization's assets.
Resources - Physical resources include the general assets of the company: computer systems, network hardware, printers, and telephone equipment.
Data - The content placed on the company network and storage devices.
Least Privilege
Note:
Users, systems, and applications should have only the minimal level of access that is absolutely necessary for them to perform the duties required of them.
Granting the least amount of access rights and permissions required to perform a task.
AAA
Note:
The three A's of security - Authentication, Authorization, and Accounting. These three processes work together to provide the assurance that access is granted only to authorized users.
M of N
Note:
M - represents the minimum number of individuals that must agree on a course of action. N - represents the total number of individuals involved. Used for redundancy, it can act as a safeguard in the event that one of the check signers is on vacation.
Two-Man Rule
Note:
Popular in very high-security locations and situations. Two individuals must agree upon an action yet are physically separated and must therefore act independently of each other. For example, officers had to turn their keys at exactly the same moment.
Job Rotation
Note:
Primarily used as a fraud prevention mechanism. Rotating individuals between positions provides not only cross-training but also the capability of cross-checking individuals' work.
Temporal Access Control - Time-of-Day Control
Note:
Time of Day - Users within a certain department who are not required to work on weekends may have their account logons restricted to working hours only, Monday through Friday.
Privacy
Note:
Protect personal information. Personal health and medical information is protected by the Health Insurance Portability and Accountability Act (HIPAA).
Implicit Deny
Note:
Implicit deny restricts access to everyone unless they have been explicitly given a specific right to access.
E.g. providing two users with a key to a padlock: giving each user a key is an explicit action granting permission and access. By default, all other users are implicitly denied access because they simply do not have a key.
D 1 Access Controls
Note:
The act of limiting risk is referred to as mitigation. The tools available to mitigate a risk are called controls.
Physical Controls - These include doors, locks, and fences.
Logical Controls - Access control lists (ACLs), intrusion detection systems (IDS), firewalls, routers, virus protection software, and activity logging mechanisms.
Administrative Controls - Include banners, signs, policies or procedures, directives, rules or regulations, and documents.
Resources and assets
Note:
Physical Assets - Tangible things such as the building, property, or business equipment (which includes network hardware), and people.
Digital Assets - Data contained or stored on the IT systems.
Information Assets - Content or information represented by the digital data.
Seven Main Categories of Access Controls
Note:
The seven main categories of access control are:
1. Directive: Controls designed to specify acceptable rules of behavior within an organization
2. Deterrent: Controls designed to discourage people from violating security directives
3. Preventive: Controls implemented to prevent a security incident or information breach
4. Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level
5. Detective: Controls designed to signal a warning when a security control has been breached
6. Corrective: Controls implemented to remedy circumstance, mitigate damage, or restore controls
7. Recovery: Controls implemented to restore conditions to normal after a security incident