Confidentiality (by encryption)
Keeping data secret from those who do not have the need or the right to access it
Confidentiality prevents unauthorized disclosure of data.
We achieve this with encryption, for example with a public and private key pair.
Three methods to maintain confidentiality:
Encryption
Access Control (identification, authentication, authorization)
Steganography: hiding data within data
However, most security professionals do not rely on this method; they describe steganography as hiding data in plain sight.
The best way to protect the confidentiality of data is by encrypting it.
Integrity (by hashing)
Integrity provides assurances that data has not changed.
Data and systems remain unaltered when stored, transmitted, and received.
No unauthorized modification, alteration, or deletion of the data
Hashing lets you detect whether even a single bit has changed.
Examples - Message Digest (MD5), Secure Hash Algorithm (SHA), Hash-based Message Authentication Code (HMAC), Digital Signature
By comparing the hashes, you can verify integrity has been maintained.
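An added example (not part of the original notes) of comparing hashes to check integrity. It uses a constructed message and a constructed shared key, and shows why a plain hash only protects data whose hash is itself protected, while a keyed HMAC also catches a rewrite that recomputes the hash:

```python
import hashlib
import hmac

# Constructed sample message and shared secret (demo values, not from the notes).
MESSAGE = b"Transfer 100 USD to account 12345"
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """Plain (unkeyed) hash of the data."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash: producing a matching tag requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def integrity_intact(data: bytes, expected_hash: str) -> bool:
    """Compare the recomputed hash with the stored one (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hash)


def hmac_valid(key: bytes, data: bytes, expected_tag: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), expected_tag)


def demo() -> dict:
    stored_hash = sha256_hex(MESSAGE)
    stored_tag = hmac_sha256_hex(SECRET_KEY, MESSAGE)

    # Case 1: a single bit flips in transit; the plain hash no longer matches.
    flipped = bytearray(MESSAGE)
    flipped[0] ^= 0x01
    flipped = bytes(flipped)

    # Case 2: the data is rewritten and the plain hash stored beside it is
    # recomputed to match, so an unkeyed hash check cannot notice the change.
    rewritten = b"Transfer 100 USD to account 99999"
    rewritten_hash = sha256_hex(rewritten)

    return {
        "original_ok": integrity_intact(MESSAGE, stored_hash),
        "bit_flip_detected": not integrity_intact(flipped, stored_hash),
        "plain_hash_fooled": integrity_intact(rewritten, rewritten_hash),
        # The HMAC tag cannot be recomputed without SECRET_KEY, so it fails.
        "hmac_rejects_rewrite": not hmac_valid(SECRET_KEY, rewritten, stored_tag),
    }
```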
Availability (by redundancy and fault-tolerance)
Data and systems should be available to the right people when needed
A common goal of fault tolerance and redundancy techniques is to remove each single point of failure (SPOF). If an SPOF fails, the entire system can fail. For example, if a server has a single drive, the drive is an SPOF because its failure takes down the server.
Disk redundancies
Server redundancies
Site redundancies
Load balancing
Backups
Alternate power
Cooling systems
Patching (reduces security issues and even random crashes)
Digital signatures can verify the integrity of emails and files.
A digital signature also provides authentication. In other words, if the digital signature arrives intact, it authenticates the sender. Bart knows that Lisa sent it.
Digital signatures also provide non-repudiation. In other words, Lisa cannot later deny sending the email because the digital signature proves she did.
Digital signatures require certificates and a Public Key Infrastructure (PKI).
Authentication:
When a person's identity is established with proof and confirmed by a system
Something you know (like a username and password)
Something you are (like an eye scan or fingerprints)
Something you have (like a token, credit card)
Something you do (like the way you speak or sign your signature)
Somewhere you are
Authorization:
This occurs when a user is given access to a certain piece of data or a certain area of a building.
Accounting:
Tracking of data, computer usage, and network resources
Example: log files of internet and system usage
Who did something and when
Non-repudiation: you cannot deny having performed a particular action
A vulnerability is a weakness in an asset that leaves it open to harm.
For example: a default password on a SOHO router, or an unlocked server room that anyone can walk in and out of.
A threat is a negative event or action that exploits a vulnerability to harm assets. Any negative event that has an adverse effect on the assets and resources associated with the system. Put another way, a threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.
For example: accessing your SOHO router using its default username and password.
A vulnerability is a weakness.
Threats → Vulnerability = Risk (a threat exploiting a vulnerability creates risk)
If an asset doesn’t have a vulnerability or if there is no threat, you don’t have any risk at all.
Note: use NIST SP 800-30 as part of a risk assessment.
Risk is the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss.
Risk is best defined as the potential for loss or damage associated with an asset; it should not be confused with a threat or a vulnerability.
Reducing risk is also known as risk mitigation. Risk mitigation reduces the chances that a threat will exploit a vulnerability.
Risk Analysis: The process of calculating and documenting potential problems that can have a negative impact. Qualitative vs. Quantitative:
Qualitative: Analysing risk by assessing the probability of occurrence and potential impact.
Quantitative: Analysing risk by assigning numerical values and calculating the impact by using the probability of occurrence.
Categories of security threats:
Malware (malicious software)
Unauthorized Access
Occurs when access to computer resources and data happens without the consent of the owner
Guessing a user's password and logging on to their system
System Failure
Occurs when a computer crashes or an individual application fails
BSOD (Blue Screen of Death)
Social Engineering
Act of manipulating users into revealing confidential information or performing other detrimental actions.
Phishing: Phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity, or fear in victims. This happens through mass mailing.
Spear-Phishing: A more targeted version of phishing.
Vishing: Phone calls in order to induce individuals to reveal personal info.
Physical Controls:
Alarm systems, locks, surveillance cameras, identification cards, and security guards
Technical Controls:
Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication
Administrative Controls:
Policies, procedures, security awareness training, contingency planning, and disaster recovery plans
Two types of administrative controls:
Procedural controls: controls an organization chooses to implement on its own
Legal or regulatory controls
CompTIA lists the following control types in the objectives:
Technical controls use technology.
Encryption
Anti-virus software
IDS/IPS
Firewalls
Least privilege
Administrative controls use administrative or management methods.
Risk assessments
Vulnerability assessments
Penetration Tests
Many administrative controls are also known as operational or management controls:
Awareness and training
Configuration and change management
Contingency planning
Media protection
Physical and environmental protection
Physical controls refer to controls you can physically touch.
Preventive controls attempt to prevent an incident from occurring.
System hardening
Security awareness and training
Security guards
Change management
Account disablement policy
Detective controls attempt to detect incidents after they have occurred.
Log monitoring
Trend analysis
Security audit
Video surveillance
Motion detection
Corrective controls attempt to reverse the impact of an incident.
IPS
Backups and system recovery
Deterrent controls attempt to discourage individuals from causing an incident.
Compensating controls are alternative controls used when a primary control is not feasible.
The first three control types in the list (technical, administrative, and physical) refer to how the security controls are implemented. The remaining control types refer to the goals of the security control.
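An added example (not from the notes) showing two of the control goals above on constructed auth-log lines: log monitoring as a detective control that flags repeated failed logons from one source, and an account disablement policy as the follow-up control. The log format, the threshold and the window are assumptions for the demo:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout (not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for bart from 203.0.113.5
2024-05-01T10:00:03 sshd: Failed password for bart from 203.0.113.5
2024-05-01T10:00:04 sshd: Failed password for bart from 203.0.113.5
2024-05-01T10:00:06 sshd: Failed password for bart from 203.0.113.5
2024-05-01T10:00:07 sshd: Failed password for bart from 203.0.113.5
2024-05-01T10:00:09 sshd: Accepted password for bart from 203.0.113.5
2024-05-01T10:05:00 sshd: Failed password for lisa from 198.51.100.7
2024-05-01T10:30:00 sshd: Failed password for lisa from 198.51.100.7
"""

THRESHOLD = 5                  # failures that raise an alert (assumed policy value)
WINDOW = timedelta(minutes=1)  # ...when they fall inside this sliding window


def parse(line):
    """Split one constructed log line into (timestamp, outcome, user, source)."""
    ts, _, rest = line.partition(" sshd: ")
    outcome, _, rest = rest.partition(" password for ")
    user, _, src = rest.partition(" from ")
    return datetime.fromisoformat(ts), outcome, user, src


def detect_password_guessing(log_text):
    """Detective control: alert on (user, source) pairs with THRESHOLD or more
    failures inside WINDOW, and record whether a success followed the alert."""
    failures = defaultdict(list)
    alerts = {}
    for line in log_text.splitlines():
        ts, outcome, user, src = parse(line)
        key = (user, src)
        if outcome == "Failed":
            # keep only the failures that are still inside the sliding window
            failures[key] = [t for t in failures[key] + [ts] if ts - t <= WINDOW]
            if len(failures[key]) >= THRESHOLD and key not in alerts:
                alerts[key] = {"first_seen": failures[key][0], "succeeded_after": False}
        elif outcome == "Accepted" and key in alerts:
            alerts[key]["succeeded_after"] = True  # possible compromise, escalate
    return alerts


def accounts_to_disable(alerts):
    """Account disablement policy applied to every alerted user."""
    return sorted({user for (user, _src) in alerts})
```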
A security policy is a statement of what you are and are not allowed to do. A security mechanism is the way of enforcing that policy and making it work in practice.
A security mechanism is something that enforces your security policy, either in whole or in part. Different security mechanisms contribute to the security policy in different ways. Some security mechanisms contribute to the enforcement of the security policy by prevention, meaning that they ensure that an aspect of the policy cannot be violated. Other security mechanisms contribute to the enforcement of the security policy by detection, or determining when the policy has been violated. Last, other mechanisms contribute through recovery, or being able to revert to a secure state after the policy has been violated.
A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
A breach of security occurs when a system enters an unauthorized state.
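An added example (not from the notes) that turns the last three definitions into a small state-machine check. The document store, its two users and their clearances are a constructed toy model; the policy is a predicate on states, a breadth-first search finds every reachable state, and a preventive mechanism is a filter on transitions:

```python
from collections import deque

# Constructed toy model (not from the notes). A state is the pair
# (classification_of_the_document, users_holding_a_copy).
# Policy: a SECRET document may only be held by users with SECRET clearance.
CLEARANCE = {"alice": "SECRET", "bob": "PUBLIC"}
INITIAL_STATE = ("SECRET", frozenset({"alice"}))


def authorized(state):
    """The security policy, written as a predicate on states."""
    classification, holders = state
    return classification != "SECRET" or all(CLEARANCE[u] == "SECRET" for u in holders)


def transitions(state, mechanism=None):
    """Next states the system can move to. An optional `mechanism` is a
    preventive control that refuses a transition before it happens."""
    classification, holders = state
    nxt = [(classification, holders | {u}) for u in CLEARANCE if u not in holders]
    if classification == "SECRET":
        nxt.append(("PUBLIC", holders))  # declassify the document
    return [s for s in nxt if mechanism is None or mechanism(state, s)]


def reachable(start, mechanism=None):
    """Breadth-first search over every state reachable from `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for s in transitions(current, mechanism):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return seen


def breaches(start, mechanism=None):
    """Detection view: the reachable states that violate the policy."""
    return [s for s in reachable(start, mechanism) if not authorized(s)]


def is_secure(start, mechanism=None):
    """Secure iff the system starts authorized and can never reach an unauthorized state."""
    return authorized(start) and not breaches(start, mechanism)


def refuse_unauthorized(state, proposed):
    """Preventive mechanism: block any transition whose target breaks the policy."""
    return authorized(proposed)
```

Without the mechanism the model can share the SECRET document with bob, so it is not secure; with `refuse_unauthorized` in place the only route to bob is to declassify first, and every reachable state stays authorized.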