ITSECUR 02
CIA Triad - The Three Pillars of Information Security
● Confidentiality (vs. Disclosure)
● Integrity (vs. Alteration)
● Availability (vs. Destruction)
Confidentiality: Assurance that information is available only to those who are authorized to have access
Availability: Assurance that systems are accessible when required by authorized users
Confidentiality
Integrity
Availability
● Keep data and resources available for authorized use even during emergencies or disasters
● Challenges
○ Denial of service due to intentional attacks
○ Loss of system capability due to natural disasters or human actions
○ Equipment failure due to normal use
Recap: Essential InfoSec Terminologies
True or False?
False
Security Domains
Information Security
Security Domains
InfoSec Principle 1
No single security approach applies to everyone
InfoSec Principle 1 - No single security approach applies to everyone
● Need to know how to gauge the risk tolerance of your own organization and apply the intent behind the security standards
A Balancing Act: Cost, Security, Productivity
True or False?
True
InfoSec Principle 2
Complexity is the enemy of security
InfoSec Principle 2 - Complexity is the enemy of security
True or False?
False
InfoSec Principle 3
Security by obscurity is not an answer*
True or False?
False
InfoSec Principle 4
An IT system can never be fully secure
InfoSec Principle 4 - An IT system can never be fully secure
Defense in Depth
● Since this strategy focuses on security being redundant, it ensures that a single point of failure is prevented
● Due to its nature, DiD increases the time and complexity required to successfully compromise a network or system
○ Also drains the adversaries’ resources
○ Increases the chances that an attack is identified and mitigated early on in the attack kill chain
InfoSec Principle 5
The Three Types of Security Controls are: Preventive, Detective, and Responsive
ISPr 5 - The Three Types of Security Controls are Preventive, Detective and Responsive
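To make the three control types concrete, here is an added example (not from the lecture slides) that runs all three over a constructed stream of SSH-style authentication events. The log lines are treated as the raw outcome of password verification; the control set in front decides the final outcome. The threshold, usernames and addresses are assumed for illustration.

```python
"""Added example (not from the lecture slides): Principle 5's three control
types applied to a constructed stream of SSH-style login events.
  preventive  - refuse any login for an account once it is locked
  detective   - raise an alert when failures from one source cross a threshold
  responsive  - lock the account and record the source for blocking
Log lines, thresholds and hostnames are all constructed for the example."""

import re
from collections import defaultdict

LOG_RE = re.compile(
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample events: a brute-force burst, then one legitimate login.
SAMPLE_LOG = """\
Failed password for alice from 203.0.113.7
Failed password for alice from 203.0.113.7
Failed password for alice from 203.0.113.7
Failed password for alice from 203.0.113.7
Failed password for alice from 203.0.113.7
Accepted password for alice from 203.0.113.7
Accepted password for bob from 198.51.100.4
""".splitlines()

FAIL_THRESHOLD = 5  # assumed alert/lockout threshold


class ControlSet:
    def __init__(self, threshold=FAIL_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)   # (user, ip) -> consecutive failures
        self.locked = set()                # accounts locked by the responsive control
        self.blocklist = set()             # source IPs flagged for blocking
        self.alerts = []                   # detective output
        self.blocked_attempts = 0          # preventive output

    def handle(self, line: str) -> str:
        m = LOG_RE.search(line)
        if not m:
            return "ignored"
        user, ip, ok = m["user"], m["ip"], m["result"] == "Accepted"

        # Preventive: a locked account cannot be used, whatever the password result.
        if user in self.locked:
            self.blocked_attempts += 1
            return "prevented"

        if ok:
            self.failures[(user, ip)] = 0
            return "allowed"

        # Detective: count failures and alert once the threshold is crossed.
        self.failures[(user, ip)] += 1
        if self.failures[(user, ip)] >= self.threshold:
            self.alerts.append(f"brute-force suspected: {user} from {ip}")
            # Responsive: contain by locking the account and flagging the source.
            self.locked.add(user)
            self.blocklist.add(ip)
            return "locked"
        return "failed"


def run(lines, threshold=FAIL_THRESHOLD) -> ControlSet:
    """Feed every line through the control set and return its final state."""
    cs = ControlSet(threshold)
    for line in lines:
        cs.handle(line)
    return cs


if __name__ == "__main__":
    state = run(SAMPLE_LOG)
    print("alerts:", state.alerts)
    print("locked:", state.locked, "blocklist:", state.blocklist)
    print("attempts refused by the preventive control:", state.blocked_attempts)
```

The sixth line shows why the layers are complementary: password verification alone would have let the attacker in after the burst, but the responsive lock from the fifth failure turns that success into a prevented attempt.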
InfoSec Principle 6
When left on their own, people tend to make the worst security decisions
ISPr 6 - When left on their own, people tend to make the worst security decisions
● When left with vague, inconsistent, and inefficient security controls, people tend to make insecure workarounds
○ Bypass the proxy
○ Click on suspicious links
○ Root their devices
○ Use a single password across multiple accounts, or have a predictable pattern for their passwords
○ And many more!
ISPr 6 - When left on their own, people tend to make the worst security decisions
● Need for an acceptable balance between security, convenience, and cost with regards to tools and policies
○ This is to prevent people from employing workarounds
○ Also make policies act as “safety nets” just in case someone messes up
InfoSec Principle 7
Computer Security depends on two types of requirements: Functional and Assurance
Information Security Principle 7 - Functional and Assurance
● Functional
○ The purpose of the system
■ What is it intended to do?
● Assurance
○ Involves testing the system to make sure that it’s doing its intended function
■ Does the system do what it’s intended to do?
InfoSec Principle 8
Security = Risk Management
Information Security Principle 8 - Security = Risk Management
● Risk Management
○ A continuous process of identifying and determining security risks by considering the likelihood that known threats will exploit vulnerabilities and the possible impact they will have on valuable assets, while making plans for addressing and mitigating them
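The definition above has three moving parts: likelihood, impact, and a plan to address each risk. The following added example (not from the lecture slides) works them through as a small qualitative risk register: each risk is scored as likelihood × impact on 1-5 scales, given a treatment relative to an assumed risk appetite, and re-scored once its planned control is applied. The assets, threats and scores are constructed for a hypothetical organisation.

```python
"""Added example (not from the lecture slides): a minimal qualitative risk
register. Each risk is scored likelihood x impact (both 1-5), assigned a
treatment against the organisation's risk appetite, and re-scored after the
planned control. All register entries below are constructed."""

from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = very low ... 5 = very high


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int             # chance the threat exploits the vulnerability
    impact: int                 # consequence to the asset if it does
    control: str = ""           # planned mitigation (may be empty)
    control_reduction: int = 0  # likelihood points the control is expected to remove

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Likelihood never drops below 1: a control reduces risk, it does not erase it.
        return max(1, self.likelihood - self.control_reduction) * self.impact


def treatment(score: int, appetite: int) -> str:
    """Map a score to a treatment decision relative to the risk appetite (assumed bands)."""
    if score > appetite * 2:
        return "mitigate-now"
    if score > appetite:
        return "mitigate-planned"
    return "accept"


def assess(register, appetite: int):
    """Rank risks by inherent score; attach treatment and residual score to each."""
    rows = []
    for r in register:
        inherent = r.inherent_score()
        residual = r.residual_score()
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": inherent,
            "treatment": treatment(inherent, appetite),
            "control": r.control or "(none planned)",
            "residual": residual,
            "within_appetite": residual <= appetite,
        })
    rows.sort(key=lambda row: row["inherent"], reverse=True)
    return rows


# Constructed sample register for a hypothetical organisation.
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection", "unparameterised queries",
         likelihood=4, impact=5, control="parameterised queries + WAF", control_reduction=3),
    Risk("file server", "ransomware", "unpatched SMB service",
         likelihood=3, impact=4, control="patching + offline backups", control_reduction=2),
    Risk("intranet wiki", "defacement", "weak admin password",
         likelihood=3, impact=2, control="MFA on admin accounts", control_reduction=2),
    Risk("guest Wi-Fi", "bandwidth abuse", "no captive portal",
         likelihood=2, impact=1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, appetite=6):
        print(f"{row['asset']:18} inherent={row['inherent']:2} "
              f"treatment={row['treatment']:16} residual={row['residual']:2} "
              f"within_appetite={row['within_appetite']}")
```

Because the process is continuous, a real register would be re-run whenever a control lands, a new threat appears, or the appetite changes; the ranking tells you which items to address first and the residual column tells you whether the planned control is actually enough.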
InfoSec Principle 9
People, Process, and Technology are all needed to adequately secure a system or facility
Information Security Principle 9 - People, Process, Technology
● People
○ Employee Training and Awareness
■ The simplest and most effective cyber attacks target those who are less skilled in cybersecurity
○ Competent and Skilled Professionals
■ Some cybersecurity skills may become irrelevant due to changes in technology and processes. Thus, the need for the latest training cannot be overemphasized.
○ Staff Management
■ By assigning roles, cybersecurity professionals identify the most efficient way to coordinate responses to incidents, detect and identify attacks at the onset, and prevent severe damage
Information Security Principle 9 - People, Process, Technology
● Process
○ Defines how an organization’s activities, roles and documentation all work together
○ Usually safer to follow a framework and improve upon it rather than making your own
○ Is usually broken down into five core functions (as per NIST):
■ Identification
■ Protection
■ Detection
■ Response
■ Recovery
Information Security Principle 9 - People, Process, Technology
● Technology
○ Integrated Technology Solutions
■ Individual tools will not protect against all threats
■ “Defense in Depth”
○ Vulnerability Scanning
■ Identify weaknesses in systems, fix them, and verify the effectiveness of the fixes
○ Patch Management
■ Deploying fixes and updates to technology will improve the functionality of the tools
○ Secure Configuration
■ Ensuring secure configurations on all your endpoints is essential
■ Change default configurations as soon as possible!
○ Segmentation
■ Putting all your eggs in one basket makes it hard to prioritize security for highly classified data like passwords and personal data
■ If segmentation is not employed, it will be easier for adversaries to traverse your network and successfully achieve their goals
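The traversal point is easiest to see by modelling it. The added example below (not from the lecture slides) compares the reach of a single compromised workstation in a flat network with the same hosts split into zones governed by explicit zone-to-zone allow rules; reach is computed transitively, since an adversary who lands on one host uses it as the next starting point. The inventory, zones and rules are constructed for illustration.

```python
"""Added example (not from the lecture slides): compare the blast radius of
one compromised workstation in a flat network versus a segmented one.
Hosts, zones and firewall rules below are constructed for illustration."""

from collections import deque

# Hypothetical inventory: host -> zone
HOSTS = {
    "ws-01": "users", "ws-02": "users",
    "web-01": "dmz",
    "db-01": "servers", "hr-files": "servers",
    "admin-jump": "mgmt",
}

ZONES = set(HOSTS.values())

# Flat network: every zone may talk to every zone (i.e. no segmentation).
FLAT_POLICY = {(src, dst) for src in ZONES for dst in ZONES}

# Segmented network: only explicitly allowed zone pairs (assumed rule set).
SEGMENTED_POLICY = {
    ("users", "users"), ("users", "dmz"),          # staff reach the web tier only
    ("dmz", "servers"),                             # web tier queries the server zone
    ("servers", "servers"),
    ("mgmt", "users"), ("mgmt", "dmz"), ("mgmt", "servers"), ("mgmt", "mgmt"),
}


def reachable(start: str, policy) -> set:
    """Hosts reachable from `start`, hop by hop, under a zone-to-zone policy.
    Every host reached becomes a new pivot point (breadth-first search)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host, zone in HOSTS.items():
            if host not in seen and (HOSTS[cur], zone) in policy:
                seen.add(host)
                queue.append(host)
    return seen


def blast_radius(start: str, policy) -> set:
    """Everything an intruder on `start` could reach, excluding `start` itself."""
    return reachable(start, policy) - {start}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name:9}: from ws-01 -> {sorted(blast_radius('ws-01', policy))}")
```

Running it shows the flat network exposes every host to a compromised workstation, while the segmented one keeps the management jump host out of reach. It also exposes a transitive path (users → dmz → servers) that a defender reviewing the rule set would want to tighten, which is exactly the kind of question a segmentation review should ask.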
InfoSec Principle 10
Open Discussion of Vulnerabilities is Good for Security
Information Security Principle 10 - Open Discussion of Vulnerabilities is Good for Security
What are You Up Against?
● Hacker
○ Refers to a person who enjoys learning the details of computer systems and stretching their capabilities
● Hacking
○ Describes the rapid development of new programs or the reverse engineering of already existing software to make the code better and more efficient
Cracker vs Ethical Hacker
Ethical Hacker
● Tries to answer:
○ What can the intruder see on a target system?
○ What can an intruder do with that information?
○ Does anyone at the target notice the intruders’ attempts or successes?
Seven Steps of a Cyber Attack / Lockheed-Martin’s Cyber Kill-chain
How Do We Prevent Our Condition from Being Worse?
Best Practices in Information Security
● Management Support
● Sound corporate security policy
● Defense in depth: Internal and External
● Effective awareness and training program
● Information security audit
● Constant monitoring of intrusions/attempts
● Incident Response
● Business Continuity Management