
Principles of Information Security

ITSECUR 02

ITSECUR | Introduction to Information Security


The Pillars of Information Security

CIA Triad - The Three Pillars of Information Security

Confidentiality
(vs. Disclosure)

Integrity
(vs. Alteration)

Availability
(vs. Destruction)

Confidentiality: Assurance that information is available only to those who are authorized to have access

Integrity: Trustworthiness of data or resources in terms of preventing improper and unauthorized changes

Availability: Assurance that systems are accessible when required by authorized users

Confidentiality

● Prevent unauthorized access to information

● Precautions to avoid accidental disclosure of sensitive information

Integrity

● Prevent unauthorized users from modifying data or programs

● Maintain internal and external consistency of data and programs

● Includes methods to prevent, detect and reverse changes to data

Availability

● Keep data and resources available for authorized use even during emergencies
or disasters

● Challenges
○ Denial of service due to intentional attacks
○ Loss of system capability due to natural disasters or human actions
○ Equipment failure due to normal use

Recap: Essential InfoSec Terminologies

Threat: Action or event that may compromise security; a potential violation of security

Vulnerability: Existence of a weakness, design or implementation error that can lead to an undesirable event that compromises security

Exploit: A defined way to breach the security of an IT system through a vulnerability

Attack: Assault on the system security derived from an intelligent threat acting on a vulnerability; any action taken against a target that violates security

True or False?

If I patch all operating system and application vulnerabilities, implement network design best practices, and enforce correct data access controls, then I have already covered all bases in securing my information assets.

False

Security Domains

[Diagram: Information Security domains]

InfoSec Principle 1
No single security approach applies to everyone

InfoSec Principle 1 - No single security approach applies to everyone

● Desirable levels of security vary across organizations, industries, and departments

● What dictates the level is the organization’s security objectives

● Need to know how to gauge the risk tolerance of your own organization and apply the intent behind the security standards

A Balancing Act

[Diagram: triangle balancing Cost, Security, and Productivity]

True or False?

A simple security system can be more secure than a complex system with multiple controls

True

InfoSec Principle 2
Complexity is the enemy of security

InfoSec Principle 2 - Complexity is the enemy of security

● Complexity leads to errors and difficulty in detecting unauthorized activity

● Complexity can easily get in the way of comprehensive testing of security mechanisms

True or False?

By keeping system implementation details confidential, hackers won’t know how it works and won’t be able to exploit it.

False

InfoSec Principle 3
Security by obscurity is not an answer*

*sometimes; good obscurity vs bad obscurity

InfoSec Principle 3 - Security by obscurity is not an answer

● Hiding details of security mechanisms leads to a false sense of security

● System collapses once a vulnerability is discovered

● Open disclosure of vulnerabilities is sometimes good for security

True or False?

With good security practices, it is possible to provide absolute security such that a system will no longer have any vulnerability.

False

InfoSec Principle 4
An IT system can never be fully secure

InfoSec Principle 4 - An IT system can never be fully secure

Defense in Depth

● Because this strategy relies on redundant layers of security, it prevents a single point of failure

● By its nature, DiD increases the time and complexity required to successfully compromise a network or system
○ Also drains the adversaries’ resources
○ Increases the chances that an attack is identified and mitigated early in the attack kill chain

InfoSec Principle 4 - An IT system can never be fully secure

Defense in Depth

● DiD is everywhere! This more or less proves its effectiveness


○ Banks
■ Security guards
■ Security Cameras
■ Ballistic Glass
■ Vaults
○ Elections
■ Chain of Custody Logs
■ Security Cameras
■ Physical Presence
■ Locks
○ Etc.

InfoSec Principle 4 - An IT system can never be fully secure

Defense in Depth [diagram]

InfoSec Principle 5
The Three Types of Security Controls are: Preventive, Detective, and Responsive

ISPr 5 - The Three Types of Security Controls are Preventive, Detective and Responsive

Information Security Controls

● Categorized in terms of function
○ Preventive
■ Its main goal is to prevent the threat from coming in contact with the weakness
○ Detective
■ Identify a threat that has landed on the systems
○ Responsive
■ Mitigate or lessen the effects of the threat being manifested

InfoSec Principle 6
When left on their own, people tend to make the worst security decisions

ISPr 6 - When left on their own, people tend to make the worst security decisions

● Modern adversaries now tend to focus on Layer 8 attacks
○ Exploiting the human, the weakest link in any organization

● When left with vague, inconsistent, and inefficient security controls, people tend to make insecure workarounds
○ Bypass the proxy
○ Click on suspicious links
○ Root their devices
○ Use a single password across multiple accounts, or have a predictable pattern for their passwords
○ And many more!

ISPr 6 - When left on their own, people tend to make the worst security decisions

● Need for an acceptable balance between security, convenience, and cost with regard to tools and policies
○ This is to prevent people from employing workarounds
○ Also make policies act as “safety nets” just in case someone messes up

InfoSec Principle 7
Computer Security depends on two types of requirements: Functional and Assurance

Information Security Principle 7 - Functional and Assurance

● Functional
○ The purpose of the system
■ What is it intended to do?

● Assurance
○ Involves testing the system to make sure that it’s doing its intended function
■ Does the system do what it’s intended to do?

InfoSec Principle 8
Security = Risk Management

Information Security Principle 8 - Security = Risk Management

● Risk Management
○ A continuous process of identifying and determining security risks by considering the likelihood that known threats will exploit vulnerabilities and the possible impact they would have on valuable assets, and making plans for addressing and mitigating them

InfoSec Principle 9
People, Process, and Technology are all needed to adequately secure a system or facility

Information Security Principle 9 - People, Process, Technology

● People
○ Employee Training and Awareness
■ The simplest and most effective cyber attacks target those who are less skilled in
cybersecurity
○ Competent and Skilled Professionals
■ Some cybersecurity skills may become irrelevant due to technology and processes. Thus,
the need for the latest training cannot be overemphasized.
○ Staff Management
■ By assigning roles, cybersecurity professionals identify the most efficient way to
coordinate responses to incidents, detect and identify attacks at the onset and prevent
severe damage

Information Security Principle 9 - People, Process, Technology

● Process
○ Defines how an organization’s activities, roles and documentation all work together
○ Usually safer to follow a framework and improve upon it rather than making your own
○ Is usually broken down into five core functions (as per NIST):
■ Identification
■ Protection
■ Detection
■ Response
■ Recovery

Information Security Principle 9 - People, Process, Technology

● Technology
○ Integrated Technology Solutions
■ Individual tools will not protect against all threats
■ “Defense in Depth”
○ Vulnerability Scanning
■ Identify weaknesses in systems, fix them, and verify that the fixes are effective
○ Patch Management
■ Deploying fixes and updates to technology will improve the functionality of the tools
○ Secure Configuration
■ Ensuring secure configurations on all your endpoints is essential
■ Change default configurations as soon as possible!
○ Segmentation
■ By putting all your eggs in one basket, you risk not being able to prioritize security for highly classified data like passwords and personal data
■ If segmentation is not employed, it will be easier for adversaries to traverse your network and successfully achieve their goals

InfoSec Principle 10
Open Discussion of Vulnerabilities is Good for Security

Information Security Principle 10 - Open Discussion of Vulnerabilities is Good for Security

● Improves the industry as a whole

● Imagine if there were no awareness drives about the latest exploits and adversary campaigns

● Bug Bounty Programs
○ Allow companies to crowdsource the security testing of their assets and reward security researchers’ efforts in a legal and healthy manner
■ Permission to test is given once you apply for their bug bounty programs
■ Allows companies and researchers to responsibly disclose vulnerabilities so that everyone can benefit from the findings
○ BugCrowd
○ HackerOne
○ Synack
○ Secuna
○ Etc.

The Current State of Information Security

What are You Up Against?

● State-sponsored cyber operations

● Ideological and political extremism (hacktivism)

● Criminal organizations for profit

● Individual hackers for personal gain


Hacker and Hacking

● Hacker
○ Refers to a person who enjoys learning the details of computer systems and stretching their capabilities

● Hacking
○ Describes the rapid development of new programs or the reverse engineering of existing software to make the code better and more efficient

Cracker vs Ethical Hacker

● Cracker
○ Refers to a person who uses his hacking skills for offensive purposes
○ Individuals with the capability to resort to malicious or destructive activities for personal gain
○ a.k.a. Black Hats

● Ethical Hacker
○ Refers to security professionals who apply their hacking skills for defensive purposes
○ Individuals utilizing cracker skills professionally to use them for defensive purposes
○ a.k.a. White Hats

Ethical Hacker

● Tries to answer:
○ What can the intruder see on a target system?
○ What can an intruder do with that information?
○ Does anyone at the target notice the intruders’ attempts or successes?

Ethical Hacker

● Is required to have the following before doing anything:
○ A specific set of goals and plans
○ Formal permission
○ Ethical mindset (awareness of the confidentiality and non-disclosure of findings; compliance)

Ethical Hacker

● And must be able to:
○ Keep proper documentation in the form of factual records/notes (both electronic and on paper)
○ Respect the privacy of others
○ Stick to the plan in order to limit the harm done
○ Use a scientific process in performing the engagement (keyword: empirical)
○ Write concise, consistent, clear, and repeatable reports

Seven Steps of a Cyber Attack / Lockheed Martin’s Cyber Kill Chain

[Diagram: the seven steps of the Cyber Kill Chain]

How Do We Prevent Our Condition from Being Worse?

● By employing Best Practices in Information Security

Best Practices in Information Security

● Management Support
● Sound corporate security policy
● Defense in depth: Internal and External
● Effective awareness and training program
● Information security audit
● Constant monitoring of intrusions/attempts
● Incident Response
● Business Continuity Management
