The Open Systems Interconnection (OSI) model gives people an understanding of networking by layer.
The physical layer is about getting data to your system over wired or wireless connections. It deals with bits of data.
The data link layer is where your local area network settings and media access control (MAC) live. MAC detects collisions in traffic. This layer deals with frames of data.
The network layer is where your IP addresses and routers are used. IP is a connectionless protocol. This layer deals with packets of data.
The transport layer handles flow control, putting packets in order, and maintaining a virtual circuit. This layer deals with segments or datagrams.
The session layer establishes, maintains, and terminates communication between applications.
The presentation layer provides independence from data representation by translating between application and network formats.
The application layer manages user services.
An example of what happens at each layer: frames are converted into bits (Layer 1), packets are converted into frames (Layer 2), segments are converted into datagrams/packets (Layer 3), data is converted into segments (Layer 4), and the data itself is created by the user (Layers 5-7).
An IPv4 address is 32 bits, represented as 4 bytes separated by dots, for example 172.16.45.220. It is split into two sections: the network portion (172.16) and the host portion (45.220).
Subnetting divides a network into subdivisions created for performance and security, which makes networks easier to manage. It is used to identify the portion of the address that belongs to the network versus the portion that belongs to the host.
There are two types of addresses, public and private. Public addresses can be routed over the internet and are assigned by regional internet registries. Private addresses cannot be routed over the internet but can be used on a private network.
IPv6 is the latest version of IP addressing and extends addresses to 128 bits. It includes added security for authentication and integrity. It also has built-in multicast and a new anycast address type.
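The 32-bit network/host split and the public/private distinction, as an added example (not code from the original notes) using Python's standard ipaddress module. The 172.16.45.220 split into 172.16 / 45.220 corresponds to a /16 prefix, and "private" is taken to mean the RFC 1918 blocks:

```python
import ipaddress

# RFC 1918 private ranges: usable on a private network, not routable over the internet.
# Note that only 172.16.0.0 through 172.31.255.255 is private, not all of 172.x.x.x.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_bits(addr: str) -> str:
    """Show the 32 bits of an IPv4 address as four dotted 8-bit groups."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def split_address(addr: str, prefix_len: int) -> dict:
    """Split an IPv4 address into its network and host portions for a given prefix length."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    ip = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    host_bits = 32 - prefix_len
    # /31 and /32 have no network/broadcast addresses to subtract (RFC 3021 point-to-point links).
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 2 ** host_bits
    return {
        "network": str(ipaddress.IPv4Address(ip & mask)),
        "host": str(ipaddress.IPv4Address(ip & ~mask & 0xFFFFFFFF)),
        "mask": str(ipaddress.IPv4Address(mask)),
        "usable_hosts": usable,
    }


def is_private(addr: str) -> bool:
    """True if the address falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


if __name__ == "__main__":
    print(to_bits("172.16.45.220"))
    print(split_address("172.16.45.220", 16))
    print("private:", is_private("172.16.45.220"), is_private("172.32.0.1"))
```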
Physical security is just as important to a cybersecurity specialist as technical security is. Why is that? Well, how can we protect our systems when someone can walk right through the door and take it?
That’s why a cybersecurity specialist will use a layered defense model. Think of the perimeter, the building grounds, entrance, offices, and data centers.
Crime prevention through environmental design (CPTED) has three main strategies:
1. Territoriality
2. Surveillance
3. Access Control
Science has shown that this deters attackers from a psychological standpoint: if the place looks like a fortress, it can stop an attacker from even trying to enter.
Many different tools exist to enhance your physical security. Think about lighting, fences, CCTVs, bollards, doors, locks, access cards, alarms, man traps, guards, dogs, motion detection, fire protection, cable locks, etc. As a cybersecurity specialist, these will be controls you will be looking over throughout your career.
It is good to know the different system environments that may exist so you can begin to think of best practices to secure it. Let’s go over a few environments and define them.
Virtualization allows multiple instances of “machines” to operate on a platform. The platform is known as a hypervisor. There are two types of hypervisors:
Type 1 – Sits on the actual hardware.
Type 2 – Sits on top of an operating system which itself sits on actual hardware.
Internet of Things (IoT) devices are smart devices that can be internet connected, such as sensors, CCTVs, fridges, etc. Because of their limited security, these devices may provide a platform from which to attack corporate systems.
Industrial control systems (ICS) allow us to control systems using supervisory control and data acquisition (SCADA) systems. These are the systems found in electrical, water, and related industries. They use distributed control systems and programmable logic controllers.
SCADA systems are used to control geographically dispersed assets based on information received from remote stations.
The history of cryptography stretches back to ancient times, and understanding that history helps us understand where we are now.
Many forms have existed such as:
Egyptian hieroglyphs
Phaistos disc
Hebrew’s Atbash
Scytale
Caesar Cipher
Vigenère
Vernam Cipher
Enigma
Lucifer/DES
Diffie-Hellman
RSA
PGP
Cryptography is the art of secret writing. To speak the same language, we must share the same definitions for the terms I'll be writing about.
Algorithm – Mathematical techniques applied to perform substitution or transposition.
Cryptosystem – The combination of an algorithm and cryptographic keys used to encrypt and decrypt data.
Work Factor – States how hard it would be to break the cryptosystem. Tested by cryptanalysts.
Encryption/Encipher – Conversion of plain text information into cipher text.
Decryption/Decipher – Conversion of cipher text to plain text.
Key – Encrypts and decrypts information. The more bits in the key, the bigger the key space. Some systems use more than one key, known as key clustering.
Kerckhoffs's principle states that someone can have public knowledge of the cryptosystem and the algorithm can still be secure.
Substitution cipher replaces bits, characters or blocks of characters with alternate ones.
A transposition cipher moves the position of a letter or of a binary digit.
Symmetric key cryptography uses a single key that both encrypts and decrypts the data. It uses 128 bits and is very fast at encryption and decryption. It does not provide authentication or non-repudiation.
There are different algorithms used in symmetric key cryptography.
1. Block cipher – Blocks of data undergo a series of substitutions. Very time consuming and used mostly for storage of data.
2. Stream cipher – Data is treated as a stream and encrypted one bit at a time as it streams. This makes it well suited to data in transit.
The Data Encryption Standard (DES) is a symmetric algorithm that uses 64-bit input and output blocks and was broken in 1998.
DES's native mode is called electronic code book (ECB). Data is broken into blocks, and each block is encrypted with the same key and the same method. Break one, break them all.
Another mode DES can operate in is cipher block chaining (CBC), where the plain text is put into blocks and, before encryption, additional data known as the initialization vector is injected.
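The difference between the two modes, as an added example that is not part of the original notes. The block cipher underneath is a toy 64-bit Feistel network built from SHA-256 (a teaching stand-in, not DES and not secure); the ECB and CBC mode logic on top of it is the real thing, and it shows that identical plaintext blocks produce identical ciphertext blocks in ECB but not in CBC:

```python
import hashlib
import os
from typing import Optional

BLOCK = 8    # 64-bit blocks, the same block size as DES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed, round-dependent pseudo-random function for the Feistel network (toy construction).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(right, key, rnd))
    return left + right


def decrypt_block(block: bytes, key: bytes) -> bytes:
    # Run the Feistel rounds backwards to invert encrypt_block.
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(left, key, rnd)), left
    return left + right


def pad(data: bytes) -> bytes:
    # PKCS#7 style padding so the message is a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # Every block is encrypted independently, so equal plaintext blocks give equal ciphertext blocks.
    return b"".join(encrypt_block(b, key) for b in _blocks(pad(plaintext)))


def ecb_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(b, key) for b in _blocks(ciphertext)))


def cbc_encrypt(plaintext: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV for the first one)
    # before encryption; the IV is sent along as the first block of the output.
    iv = iv if iv is not None else os.urandom(BLOCK)
    out, prev = [iv], iv
    for b in _blocks(pad(plaintext)):
        prev = encrypt_block(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    chunks = _blocks(ciphertext)
    iv, body = chunks[0], chunks[1:]
    plain, prev = [], iv
    for c in body:
        plain.append(_xor(decrypt_block(c, key), prev))
        prev = c
    return unpad(b"".join(plain))


def unique_block_count(ciphertext: bytes) -> int:
    # How many distinct ciphertext blocks appear; a low count reveals repeated plaintext.
    return len(set(_blocks(ciphertext)))


def demo(iv: bytes = bytes(BLOCK)) -> dict:
    key = b"constructed-demo-key"
    msg = b"ATTACK AT DAWN!!" * 4   # constructed: 8 data blocks alternating between two values
    return {"ecb_unique": unique_block_count(ecb_encrypt(msg, key)),
            "cbc_unique": unique_block_count(cbc_encrypt(msg, key, iv))}
```

In the demo the padded message is 9 blocks but ECB yields only 3 distinct ciphertext blocks, exposing the repetition, while CBC yields 10 distinct blocks (IV plus 9).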
Double DES was then created to provide enhanced security. It used two 56-bit keys to double the work factor but still had the same strength as DES.
3DES was then born, using three 56-bit keys for an effective key length of 112 bits.
Rijndael was created to provide even more security. Two Belgian cryptographers, Joan Daemen and Vincent Rijmen, created block ciphers that ranged from 128 to 256 bits.
The Advanced Encryption Standard (AES) was based on the Rijndael algorithm, using a fixed 128-bit block with a key length of 128, 192, or 256 bits, and was selected by NIST to replace DES.
Asymmetric key cryptography uses two keys: one is a public key and the other is a private key. If you encrypt data with the public key, only the private key can decrypt it. Imagine your postbox: the mailman can drop off mail (public key) but only you can open the box (private key). This covers confidentiality, integrity, authentication and non-repudiation.
Diffie-Hellman is an asymmetric key exchange algorithm that allows two parties to establish a shared secret key over an insecure communications channel, relying on the discrete logarithm problem.
Hybrid cryptography is a mix of public key and symmetric key cryptography. Key distribution is done through public key cryptography: an asymmetric algorithm is used to encrypt and communicate a session key, and a symmetric algorithm is used to encrypt the data with that session key.
Cryptography is also found in protocols. The Secure Socket Layer (SSL) enables secure communication between a client and a server; it was replaced by Transport Layer Security (TLS). TLS is mostly used with HTTP, turning it into HTTPS, which identifies a site as using a secure protocol.
A hashing function takes a block of data and returns a fixed-size bit string. The hash value is sometimes called the message digest or simply the digest. It is like a unique digital fingerprint of the data and helps ensure the data has not been tampered with. Be wary that a birthday attack can happen if the same hash value is created for two different messages (a collision).
Hashing algorithms that exist are:
MD2, MD4, MD5
HAVAL
SHA-0
SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
RIPEMD-160
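Digest-based tamper detection and the birthday problem, as an added example that is not part of the original notes. It uses SHA-256 from Python's standard library; the collision search runs on a deliberately truncated digest to show why a small output space collides after roughly 2^(bits/2) messages, which is the reason short or weak hashes are a problem:

```python
import hashlib
import hmac
from typing import Optional, Tuple


def digest(data: bytes) -> str:
    """SHA-256 message digest of the data, as hex."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare in constant time; any change to the data changes the result."""
    return hmac.compare_digest(digest(data), expected_hex)


def truncated_digest(data: bytes, bits: int) -> int:
    """Keep only the leading `bits` bits of SHA-256, to simulate a hash with a small output space."""
    if not 1 <= bits <= 256:
        raise ValueError("bits must be between 1 and 256")
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def birthday_bound(bits: int) -> float:
    """Expected number of random messages before two share a digest: about 1.25 * 2^(bits/2)."""
    return 1.2533 * 2 ** (bits / 2)


def find_collision(bits: int, max_tries: int = 1_000_000) -> Optional[Tuple[bytes, bytes, int]]:
    """Birthday search: hash distinct messages and stop at the first repeated truncated digest.
    Returns (message_a, message_b, tries) or None if the budget runs out."""
    seen = {}
    for i in range(max_tries):
        msg = b"constructed-message-%d" % i
        h = truncated_digest(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    original = b"Transfer 100 USD to account 42"   # constructed sample record
    fingerprint = digest(original)
    print("unchanged verifies:", verify(original, fingerprint))
    print("tampered verifies:", verify(b"Transfer 900 USD to account 42", fingerprint))
    print("expected tries for a 20-bit digest:", round(birthday_bound(20)))
    print("collision found after:", find_collision(20)[2], "messages")
```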
But how are hash algorithms put to use? Digital signatures can be hashed to verify that the document was encrypted with the user's private key.
A Public Key Infrastructure uses user certificates. Certificate authorities would be companies like Symantec and Amazon Web Services. The registration authorities perform reviews for the certificate authorities, tell the certificate authorities to whom to issue keys, and support the certificate authorities' functions. The certificate revocation list is a list of certificates that are no longer valid.
Systems have many access points which may leave them vulnerable, such as:
Emanations
State attacks
Covert channels
Technology and process integration
Mainframes and thin client systems
Middleware
Embedded systems
Pervasive computing/mobile devices
Single Point of Failure (SOF)
Connectivity (Data, Network)
Availability
Client-based vulnerabilities
System emanations spew out electromagnetic frequencies, and a person within range can intercept this communication, including keystrokes and even the screen image. With the right equipment an attacker can view your screen from 100 feet away!
Time-of-check/time-of-use attacks take advantage of dependencies on the timing of events that take place in a multitasking operating system. A race condition can occur as well and can cause a system crash.
Covert Channels have two types:
1. Storage channels that communicate via a stored object
2. Timing channels that modify the timing of events relative to each other
How do we evaluate security? One way is the Orange Book, the Trusted Computer System Evaluation Criteria. It is used by the Department of Defense to protect systems and networks: a system is given a security level that makes it suitable for protecting the confidentiality of information.
This was based on the Bell-LaPadula model. Decision makers would use this model to evaluate the security level at which a system would be rated.
The model begins with Division C1: Discretionary Security Protection. This requires identification and authentication protection. The system must enforce access controls and identify system faults.
Division C2: Controlled Access Protection is a higher level of protection that includes C1 protection and adds the capability to audit and monitor individuals on a system.
Division B1: Labeled Security means the system requires a higher level of security. The security model must be addressed and the system must be labeled.
Division B2: Structured Protection means you now have to specifically manage covert channels. Privileges must be separated as well.
Division B3: Security Domains is the highest level of security, requiring specific intrusion detection capabilities and recovery procedures for the system.
Division A1: Verified Design is a complete independent review of the system to ensure the controls have been implemented.
The Information Technology Security Evaluation Criteria (ITSEC) model was created for testing systems and products for public use. They are rated based on what form of testing was completed, which gives a level of assurance of what has been tested, expressed as a Common Criteria evaluation assurance level (EAL):
EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested/checked
EAL 4 – Methodically designed
EAL 5 – Semi formally designed
EAL 6 – Semi formally verified
EAL 7 – Formally verified
Three things to review from the Common Criteria report are the Protection Profile (PP), which includes the organizational security requirements of the system; the Security Target (ST), which is the functionality and claims made by the vendor; and the Target of Evaluation (TOE), which is the assessment criteria based on the match between the security target and protection profile. The table below shows the relationship between these evaluation methods.
There are two ways to evaluate a system: certification or accreditation. Certification is the verification that security is appropriate for an organization's needs. Accreditation is the formal acceptance by management of the security level provided and the level of risk associated with its usage.
Enterprise security architecture represents a holistic approach to incorporate building blocks of security across the enterprise.
Common security services are a number of security functions suitable as foundations for common security services in the enterprise. Examples are access control, boundary control, integrity, cryptographic, and audit monitoring services.
In a security architecture we start with creation and documentation: capture and analyze functional and non-functional requirements.
Document the security architecture from a business and architect's view. Think of your physical and component security. Use an architecture to begin building your security program.
Have a Trusted Computing Base (TCB), which is the combination of protection mechanisms within a computer system (hardware, firmware, and software) that provides a secured area.
Build a security perimeter. This is the frontier between entities inside and outside the TCB. External communication must be governed by rules and controlled.
Begin to reference and monitor the security kernel. The reference monitor uses logical services, object access, and audit logs. Monitor the security kernel's hardware and software to understand system capabilities.
Use the least privilege concept: give personnel only the minimal privileges needed to do their job.
A security model is a way of describing the main objective or workings of an object, system, or concept.
The state machine model describes a system's state at a given point in time. The state changes with each interaction made with the system. For example, if all possible transitions bring the system from a secure state to another secure state, then the system will always be in a secure state.
The information flow model manages information flow between entities independently of clearance level or classification. This model prevents information flows that violate the security policy.
The Bell-LaPadula model protects the confidentiality of information based on the rank of a person. The model is meant to prevent the leakage of information to personnel of lower rank. You can't read up a level, you can't write down a level, and users can only access objects at the same level. It works purely with confidentiality protection.
The Biba model allows reading information from a higher level of integrity. It also allows writing information to a lower level of integrity. But it does not authorize writing to a document belonging to a higher integrity level. A user cannot write up and cannot read down. It does not provide confidentiality.
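The Bell-LaPadula and Biba rules above, implemented as reference-monitor style access checks with an audit trail (an added example, not code from the original notes). The level names and the `ReferenceMonitor` class are my own; `strict=True` gives the notes' stricter reading of Bell-LaPadula in which a subject may only touch objects at exactly its own level:

```python
from typing import List, Tuple

# Ordered sensitivity/integrity levels (constructed labels; higher number = higher level).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def _rank(level: str) -> int:
    try:
        return LEVELS[level]
    except KeyError:
        raise ValueError(f"unknown level: {level}") from None


def blp_allows(subject_level: str, object_level: str, action: str, strict: bool = False) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = _rank(subject_level), _rank(object_level)
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")
    if strict:
        return s == o                       # same level only
    if action == "read":
        return s >= o                       # may read at or below own clearance
    return s <= o                           # may write at or above own clearance (no leak downward)


def biba_allows(subject_level: str, object_level: str, action: str) -> bool:
    """Biba (integrity): no read down, no write up."""
    s, o = _rank(subject_level), _rank(object_level)
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")
    if action == "read":
        return s <= o                       # may read only from equal or higher integrity
    return s >= o                           # may write only to equal or lower integrity


class ReferenceMonitor:
    """Mediates every access request against one model and records each decision."""

    def __init__(self, model: str):
        if model not in ("bell-lapadula", "biba"):
            raise ValueError("model must be 'bell-lapadula' or 'biba'")
        self.model = model
        self.audit: List[Tuple[str, str, str, str, bool]] = []

    def access(self, subject: str, subject_level: str, obj: str, object_level: str, action: str) -> bool:
        if self.model == "bell-lapadula":
            allowed = blp_allows(subject_level, object_level, action)
        else:
            allowed = biba_allows(subject_level, object_level, action)
        # Audit log entry: who tried what on which object, and the decision.
        self.audit.append((subject, action, obj, object_level, allowed))
        return allowed

    def denied(self) -> List[Tuple[str, str, str, str, bool]]:
        """Denied attempts are the ones worth alerting on."""
        return [e for e in self.audit if not e[4]]
```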
The Lipner model combines Bell-LaPadula and Biba. This assigns security levels and functional categories to subjects and objects.
The Clark-Wilson model is what is mostly used today. A user cannot access resources directly; they must access resources through an application. Based on the security level, the user is authorized to write or to read only.
The Chinese Wall model prevents conflicts of interest in information access. A user's access changes according to their previous actions. Information cannot flow between an object and the user if doing so could cause a conflict of interest.
The Graham-Denning model deals with user access rights and the integrity of those rights, as in Active Directory. Users have transferable rights and can therefore delegate them.
Having considered these models and patterns, we should explore the components of hardware and operating systems and the vulnerabilities that these models aim to address, and build a model that best protects your organization.
Ring 0 in an operating system architecture is the OS core (kernel). Ring 1 is OS components. Ring 2 is drivers for input and output. Ring 3 consists of programs.
In a physical computer architecture there are covert channels an attacker may pass through to attack your system. They can access your cache, random access memory, virtual memory, flash memory, etc. Removable media are also covert channels.
Overall, the tools and techniques we covered that are important to note are those of the security architecture that make it whole:
An organization will select appropriate security controls to protect from disclosure or undetected alterations to data whether it is at rest, in use, or in transit. This can include passwords, backups, cryptography, etc.
Key concepts a cybersecurity specialist should know about asset management:
1. Inventory management
What assets are on hand, where they reside, and who owns them.
2. Configuration management
Association of each item with other items in an inventory.
3. IT Asset Management (ITAM)
Financial aspects of assets, including cost, value, and contractual status
Designed to manage the physical, contractual, and financial aspects of IT assets, from acquisition through disposition.
4. Configuration Management Database (CMDB)
Supports processes in service delivery, service support, IT asset management, and other IT disciplines.
Holds the relationship among all system components, including incidents, problems, known errors, changes, and releases.
Keep in mind that asset management covers both hardware and software.
Software licensing: original copies of licensed software must be controlled by the organization to prevent copyright infringement. All software copies should be managed by a software or media librarian.
Inventory scans of installed software should be conducted by the organization to identify unauthorized installations or license violations.
The equipment lifecycle will help you understand equipment from acquisition to disposal:
1. Define security requirements of equipment.
2. Acquire, implement, and validate security features and configurations.
3. Ensure security features and configurations remain operational on the system.
4. Dispose of and decommission equipment by ensuring it is securely erased and destroyed or recycled, depending on the security requirements of the organization.
For appropriate retention, understand where data exists. Where does data reside?
Classify and define the data.
Archive and manage the data.
Ensure the appropriate roles and responsibilities are clearly defined and understood regarding data classification and retention to ensure security.
How certain are the answers to these questions? (Uncertainty)
Risk management is an approach to manage uncertainty through risk assessment, strategy, and risk mitigation.
Every organization must manage risk. Information security is only one type of enterprise risk. Check laws, react, identify organization goals, analyze, manage plans, then implement.
A risk assessment is just a step in risk management. It is an integral part of an organization’s information security risk management program. To identify the risk the assessment focuses on asset valuation, threat analysis, and a vulnerability assessment.
Frameworks and methodologies with security controls that can be used to structure controls, and that you should be familiar with, are:
COSO
ITIL
COBIT
ISO 27002: 2013
ISO 27005 and 31000
NIST SP 800-30, 800-39, and 800-661
MEHARI
EBIOS
IRAM
OCTAVE
There are many types of risks such as strategic, financial, organizational, technological, operational, and legal.
Before a risk assessment can be made, how do you determine a risk?
1. Identify a method
2. Determine the risk acceptance criteria
3. Identify the acceptable risk levels.
How is the risk assessment performed?
First, make a high-level evaluation to identify the highest risks that justify a detailed evaluation.
The second phase can consist of an in-depth evaluation of the risks discovered in the first phase.
How do you determine a vulnerability? First we need to understand what a vulnerability is. A vulnerability is a weakness in a control, or lack of control, that puts an entity at risk. Here are a few examples:
Administrative control – No pre-employment screening.
Technical control – Anti-virus not up-to-date.
Physical control – No fire suppressant in room.
We must also understand what a threat is. A threat is something that looks to take advantage of a vulnerability and brings potential danger to valuable assets. A threat agent is an entity that is taking advantage of a vulnerability.
There are 3 types of threats in cybersecurity to be aware of:
Deliberate (malicious) threat – Gaining unauthorized access. A malicious employee downloading a virus.
Natural threat – Hurricanes, floods, tornadoes, etc. Someone setting a fire.
Analyze the threat. Find the areas in a company that are of interest to an attacker. What are the consequences if the threat succeeds at exploiting your vulnerability? How likely is this to occur? All assets have value and the potential to be harmed. You can do this by organizing it as follows:
Threat source – Who are your potential threats? Organized crime, activists, etc.
Capabilities (0-5) – How IT-trained is the source? Talk to key security personnel to gain this intel.
Motivation (0-5) – How interested are they in your organization?
Total threat score
Let’s break down why this is important. We mentioned that an asset brings value to a company. Tangible assets are things like computers. Intangible assets would be things like intellectual property.
Value determines the asset’s worth. Note that this does not only mean financial value; it can be something important to your company like trade secrets.
Exposure is the materialization of a threat against your company’s assets.
The exposure factor is the percentage of the asset’s value that would be lost if this threat exploited it.
This leads to the level of impact on the organization. (Value × Exposure Factor = Impact)
Then you think of the probability this threat would likely take place.
Risk exposure then is calculated by Probability × Impact = Risk Exposure.
With this information a control can be created. A control is a safeguard or countermeasure put into place to mitigate risk.
A manager may use a quantitative risk analysis as a monetary approach to the analysis. This approach is often automated and can be used to support a cost-benefit analysis. But it takes high effort and time to create and still requires some assumptions.
The quantitative formula consists of single loss expectancy (SLE) and annualized rate of occurrence (ARO) to determine the annualized loss expectancy (ALE).
SLE – Financial loss an exposure would cause on a certain asset. (Impact)
ARO – Estimated probability of a specific exposure over one full year.
ALE – Amount of loss over the full year.
So, SLE × ARO = ALE.
A manager may use a qualitative risk analysis. This approach does not attempt to assign financial values. The challenge of this approach is to develop real scenarios to describe threats and predict potential losses.
Overall, once a risk is assessed there are 4 risk treatment options. It can be mitigated, accepted, assigned, or avoided. Rejecting a risk is not an accepted option.
If a risk is being mitigated, the decision is made using a cost-benefit analysis: ALE before safeguard – ALE after safeguard – cost of safeguard = value of safeguard. This helps management understand whether the mitigation will save the company money overall.
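The arithmetic of this section carried through in code, as an added example that is not part of the original notes: Value × Exposure Factor = Impact (SLE), Probability × Impact = Risk Exposure, SLE × ARO = ALE, and ALE before – ALE after – cost = value of safeguard, used to rank candidate safeguards. The asset figures and safeguard names are constructed, and since the notes do not say how the total threat score is formed, the capability and motivation ratings are simply summed (an assumption):

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ThreatSource:
    name: str
    capability: int   # 0-5: how IT-trained the source is
    motivation: int   # 0-5: how interested they are in the organization

    def score(self) -> int:
        """Total threat score. Assumption: the notes give no formula, so the two ratings are summed."""
        for v in (self.capability, self.motivation):
            if not 0 <= v <= 5:
                raise ValueError("ratings must be between 0 and 5")
        return self.capability + self.motivation


def impact(asset_value: float, exposure_factor: float) -> float:
    """Value x Exposure Factor = Impact (this is also the single loss expectancy, SLE)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def risk_exposure(probability: float, impact_value: float) -> float:
    """Probability x Impact = Risk Exposure."""
    return probability * impact_value


def ale(sle: float, aro: float) -> float:
    """SLE x ARO = ALE (annualized loss expectancy)."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, cost: float) -> float:
    """ALE before safeguard - ALE after safeguard - cost of safeguard = value of safeguard."""
    return ale_before - ale_after - cost


def evaluate_safeguards(asset_value: float, ef: float, aro: float,
                        candidates: List[Tuple[str, float, float, float]]) -> List[Tuple[str, float]]:
    """Rank candidate safeguards by their value, best first.
    Each candidate is (name, annual cost, exposure factor after, ARO after)."""
    before = ale(impact(asset_value, ef), aro)
    ranked = []
    for name, cost, ef_after, aro_after in candidates:
        after = ale(impact(asset_value, ef_after), aro_after)
        ranked.append((name, safeguard_value(before, after, cost)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def recommend(value: float) -> str:
    """A safeguard with negative value costs more than the loss it prevents, so mitigating
    with it does not pay; one of the other treatments (accept, assign, avoid) should be weighed."""
    return "mitigate" if value > 0 else "consider accept/assign/avoid"


def demo() -> List[Tuple[str, float]]:
    # Constructed figures: a customer database worth 200,000 with a 25% exposure factor
    # and one expected incident every two years (ARO 0.5), i.e. ALE = 50,000 x 0.5 = 25,000.
    candidates = [
        ("offsite encrypted backups", 4_000, 0.05, 0.5),   # ALE after 5,000  -> value 16,000
        ("full DLP suite", 30_000, 0.02, 0.4),              # ALE after 1,600  -> value -6,600
    ]
    return evaluate_safeguards(200_000, 0.25, 0.5, candidates)


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: value {value:,.0f} -> {recommend(value)}")
```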
Now we know how to manage risk and understand what we need to do to keep it at a low level. Go out there and protect those assets!
A few things you’ll want to pay attention to as a cybersecurity professional related to personnel management are the periods before employment, during employment, and after employment.
Before employment focus on hiring procedures, background checks, and security clearances.
During employment focus on employee agreements, job descriptions, and roles and responsibilities.
After employment we focus on termination procedures.
A background check should focus on employment history, reference checks, education, certifications, credit check, criminal records, citizenship, membership to union and associations, driving record, and drug testing.
Focusing on employee agreements means thinking about using non-disclosure and non-compete agreements as well as acceptable use policies.
It is important to capture the job description as well. Lay out what is expected of the employee.
When terminating an employee, ensure removal of system credentials and access, return of company assets, signing of the non-disclosure agreement, and an exit interview. Have a good process to maintain good security.
A security program consists of policies. Examples of policies are regulatory, advisory, organizational, issue-specific, and system-specific.
A regulatory policy is highly detailed and specific to a type of industry which is either mandated by federal, state, industry, or contractual requirements.
An advisory policy is highly recommended but not mandatory, though there may be penalties for failure to comply. You will also notice throughout your career that most policies fall into this category.
An organizational policy comes from executive management and lays out company objectives.
An issue-specific policy concentrates on a specific issue in an organization.
A system-specific policy focuses on the use and maintenance of one system.
Guidelines are also recommendations, not mandatory, such as operational guides, configuration guidance, and actions where standards don’t apply.
Standards are rules that dictate how hardware and software are to be used and the expected behavior of employees. They are specific mandatory requirements that define and support higher-level policies.
Procedures are step-by-step actions to achieve a task. Procedures may include standard operating procedures and function books.
Organizations follow several laws and regulations applicable to the work they do. Law always takes precedence over standards.
The implementation of an ISO standard can help, but it is not a legal condition. The ISO 27001 can be used if an organization wants an idea of the types of laws and regulations apply to them.
Here are categories of laws to be familiar with.
Criminal Law – Laws that protect society and enforced by law enforcement.
Civil Law – Matters that are not crimes but where people are wronged, such as lawsuits.
Administrative Law – Ensures government functions effectively. Executive branch enacts policies and regulations to enforce both civil and criminal law.
Religious Law – Based on religious principles.
An organization’s management must understand risk and act on it. This helps protect the organization from legal liability. Two ways to do this are by practicing due care and due diligence.
Due Care – Organization responds to risk and uses best practices.
Due Diligence – Steps taken by the organization to implement appropriate security.
But what laws does an organization follow to mitigate legal liabilities, you may ask? Here is a list of different laws with their descriptions.
Sarbanes-Oxley – Public company accounting reform and investor protection act.
HIPAA – Protection of information in storage, use, and transmission in the health industry.
GLBA – Protection of information in the finance industry, making the board of directors responsible for security issues.
FISMA – Information system protection measures used by federal agencies. Requires an organization to be audited on an annual basis.
SB 1386 – California law explaining disclosure obligation in the case of a breach of security affecting customer data.
Computer Fraud and Abuse Act – Broad law focused on protecting computer systems in interstate commerce and federal interest extended by the National Infrastructure Protection Act of 1986.
Federal Sentencing Guidelines – Provides guidelines to help interpretation of computer crime law. Applies the prudent man rule related to negligence.
Federal Cybersecurity Laws – Centralizes cyber security responsibility for the Federal government and charges NIST with the responsibility for coordinating Federal security standards.
PCI-DSS – A standard to reduce the risk of credit card fraud for all organizations that process, handle, or store credit card information.
General Data Protection Regulation – Considers issues such as globalization and the use of social media; this law protects people in the EU. Data controllers must report breaches to the DPA within 72 hours.
Information Security Law – Provides guidance on encryption export controls where the U.S submits their products for review by the Commerce Department with a review to be completed within 30 days.
Digital Millennium Copyright Act – Brings the U.S. into compliance with the World Intellectual Property Organization (WIPO).
USA Patriot Act – Gives authorities fewer restrictions to investigate and gather information, and to detain and deport people suspected of terrorism.
Now let’s go over Intellectual Property laws.
Copyright – Exclusive rights regulating the use of a particular expression for an idea or information. Lasts 70 years after the death of the last surviving author.
Patent – Set of rights to keep an idea for a limited duration and on a given territory. Must be a new idea. Can be granted for 20 years.
Trade Secret – Intellectual property that makes your product unique and requires protection to maintain competitive advantage.
Trademark – A word, symbol, logo, etc. used to identify a firm’s products. Can be granted for 10 years and renewed for successive 10-year periods.
A security program is built by an organization as a set of activities used to manage information security on an ongoing basis.
This requires support from executive management so that decisions in this program can be made.
The security program should be owned by a forum or committee chaired by a security officer and including management-level personnel from essential departments such as Human Resources, IT, Legal, and Compliance. This ensures that security decisions are accepted and don’t affect the organization in a detrimental way.
This forum or committee does this by evaluating security metrics. This allows the organization to assess the effectiveness of the program, from the policies, procedures, and standards set in place, and identify what deficiencies can result from a decision. Once decided, an organization can prioritize activities to begin implementation.
There are several goals that are addressed in a security program such as operational goals, tactical goals, and strategic goals.
Operational goals focus on day-to-day activities.
Tactical goals include key infrastructures and processes of the security program.
Strategic goals are about long-term directions and objectives.
Every organization will have different challenges and laws that apply to ensure security is being met. Know your business! What is the network architecture? Is it cloud-based? Is it a small subset of systems? What information are you protecting?
Let’s talk about the roles and responsibilities that can be found in your organization.
CEO – The Chief Executive Officer oversees the company’s finances, strategic planning, and operations.
CFO – Chief Financial Officer is responsible for the company’s financial activities and financial structure.
CIO – The Chief Information Officer reports to the CEO or CFO and is responsible for strategic use and management of information systems.
CPO – The Chief Privacy Officer is usually an attorney. The CPO is responsible for ensuring customer, company, and employee data is kept safe.
CSO – The Chief Security Officer is responsible for understanding company risks and how to mitigate these risks to an acceptable level.
CISO – The Chief Information Security Officer is focused deeply on the technology of the organization.
ISSM – The Information System Security Manager is responsible for information security management and operations.
Legal counsel – Identifies legal, regulatory, and contractual compliance requirements.
Head of Human Resources – Implements and manages information security training and awareness, and implements the security controls involved with recruitment, termination, and disciplinary matters.
Head of Real Estate – Manages physical security such as access control to buildings, protection against fire, electrical maintenance, etc.
Head of IT – Manages solutions to technical measures in managing daily operations.
Help Desk – Manages services to users.
Public Relations Officer – Assesses the impact on a company’s reputation and handles communication with external shareholders.
Internal Auditor – Validates security controls and compliance.
Document Manager – Ensures all stages of the document life cycle are managed.
An organization uses an IT governance framework to set directions and policies to monitor compliance and how risk decisions will be made.
Risk management follows after the governance to determine what risks are acceptable to the organization.
Then this flows into compliance, where security is monitored and governance is ensured to be followed.
Security governance is built by aligning with an organization’s organizational policy, which includes its mission, values, strategies, and objectives.
Information security governance focuses on integrating information security with processes and organizational resources. It is the responsibility of the board of directors and executive management to develop this governance.
To begin understanding the concepts behind cybersecurity you should become familiar with the CIA (Confidentiality, Integrity, and Availability) triad.
The CIA triad helps with understanding what goals and objectives must be reached to develop a secure environment for your organization.
Confidentiality ensures the protection of the secrecy of data.
Integrity ensures that data hasn’t been altered.
Availability ensures that resources can be accessed by authorized subjects without interruption.
Common threats to confidentiality range from discovering password files to releasing information to unauthorized individuals, and even walking away from your monitor while data is displayed.
Confidentiality countermeasures can include providing encryption, authentication procedures, data classification, and training personnel on protecting their information.
Common threats to integrity are user mistakes and viruses.
Integrity countermeasures can include access control between subject and object, access data protected with encryption, hashing, and applying the principle of least privilege.
Common threats to availability are device, software, and network failures. These can happen due to environmental factors as well as malicious factors such as virus intrusion.
Availability countermeasures can include remediation testing, proper system configuration, and monitoring system performance.
Different organizations prioritize what’s important to them differently. Ask your organization what is important to them. They may value confidentiality over integrity and availability. Learning what’s important to your organization can help you determine how to best protect it.