Fundamentals of Security (OBJ 1.1 and 1.2)

(OBJ 1.1 and 1.2)

Information Security

• Act of protecting data and information from unauthorized access, unlawful modification and disruption, disclosure, and corruption, and destruction
• "The data that the systems are holding, not the systems themselves"

Information Systems Security

• Act of protecting the systems (e.g., computers, servers, network devices) that hold and process the critical data

The CIA Triad

"The three pillars of security"

• Confidentiality

  • Ensures information is accessible only to authorized personnel (e.g., encryption)

• Integrity

  • Ensures data remains accurate and unaltered (e.g., checksums), unless modification is required
  • Example: Checksums can be used to verify that a file has not been changed or corrupted as it moves along our network during a data transfers

• Availability

  • Ensures information and resources are accessible and functional when needed by authorized users (e.g., redundancy measures)

Non-repudiation

• Guarantees that an action or event has taken place and cannot be denied by the involved parties (e.g., digital signatures)
• Example: If I send you an email and I digitally signed, that means that I cannot deny sending that email because my digital signature is attached to it.

The CIANA Pentagon

An extension of the CIA triad with the addition of non-repudiation and authentication.

• Confidentiality
• Integrity
• Availability
• Non-repudiation
• Authentication

Triple A's of Security

Authentication, Authorization, and Accounting (AAA)

• Authentication

  • Process of verifying the identity of a user or system (e.g., password checks)

• Authorization

  • Determining actions or resources an authenticated user can access (e.g., permissions)

• Accounting

  • Tracking user activities and resource usage for audit or billing purposes (logging)

Security Controls

Measures or mechanisms put in place to mitigate risks and protect the confidentiality, integrity, and availability of information systems and data

Security Control Categories

• Technical
• Managerial
• Operational
• Physical

Security Control Types

• Preventive
• Deterrent
• Detective
• Corrective
• Compensating
• Directive

Zero Trust Model

• Security model that operates on the principle that no one, whether inside or outside, should be trusted by default

• To achieve zero trust, we use the control plane and the data plane

  • Control Plane
    • Adaptive identity, threat scope reduction, policy-driven access control, and secured zones
  • Data Plane
    • Subject/system, policy engine, policy administrator, and establishing policy enforcement points