
Security Concepts of Information Assurance

security triads

the CIA triad (defence)

to help organizations protect their info

confidentiality
only people with access can see the information
- it protects the data that needs protection yet permits access to authorized individuals

integrity
ensures that information has not been altered in an unauthorized manner
only people who are authorized can change the information
- data integrity
- system integrity

data in storage
data in transit
data during processing

Availability
ensures data is accessible to authorized users when and where it is needed and in the form and format that is required
- make sure the data is available whenever we need it
how important it is for a resource to be available

the DAD triad

what hackers use to attack (the attacker's counterpart to the CIA triad)

identification
telling people who you are (id, passport)

authentication
proof of identification (passwords, face id)
something you know - something you have - something you are
(e.g. email/password - card - fingerprint)

there are two types of authentication

- single factor authentication (using one of the three)
- multi-factor authentication (combining two or three together)
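A small added example (not part of the original notes) that turns the rule above into a check: an attempt only counts as multi-factor when the credentials come from different categories, so a password plus a PIN is still single-factor. The credential names and sample attempts are constructed for illustration.

```python
# Added example: classify an authentication attempt by how many distinct
# factor categories (know / have / are) it covers.
# The credential-to-category table below is an assumption for this example.
FACTOR_OF_CREDENTIAL = {
    "password": "know",
    "pin": "know",
    "security_question": "know",
    "smart_card": "have",
    "totp_app": "have",        # one-time code from a device the user holds
    "hardware_token": "have",
    "fingerprint": "are",
    "face_id": "are",
}


def distinct_factors(presented):
    """Return the set of factor categories covered by the presented credentials."""
    unknown = [c for c in presented if c not in FACTOR_OF_CREDENTIAL]
    if unknown:
        raise ValueError(f"unknown credential type(s): {unknown}")
    return {FACTOR_OF_CREDENTIAL[c] for c in presented}


def classify(presented):
    """'none', 'single-factor' or 'multi-factor' by distinct categories, not by count."""
    n = len(distinct_factors(presented))
    if n == 0:
        return "none"
    if n == 1:
        return "single-factor"
    return "multi-factor"


def meets_policy(presented, required_factors=2):
    """True when the attempt covers at least required_factors distinct categories."""
    return len(distinct_factors(presented)) >= required_factors


if __name__ == "__main__":
    # constructed sample attempts
    for attempt in (["password"], ["password", "pin"],
                    ["password", "totp_app"], ["fingerprint", "smart_card", "pin"]):
        print(attempt, "->", classify(attempt), "| policy ok:", meets_policy(attempt))
```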

authorization
permission that is granted to access a resource

non-repudiation

privacy
to control what happens with your data
GDPR - protects info in Europe
HIPAA - protects health info in America

Risk Management Process

Risk appetite:
how much risk you are willing to take
some companies are more willing to take risks than others
some companies like to play it safe even though it might take longer for them to achieve their goals
others like to take risks and achieve their goals faster

risk tolerance
the maximum level of risk that you can take
if you go over the maximum you can be fined by the police

importance
it helps mitigate potential risks

Asset: something that we need to protect

tangible asset: physical
intangible asset: something that we cannot touch

vulnerability: weakness or flaw

when a vulnerability is found it needs to be reported and shared

database:
where things are saved or information is stored

threat actor:
hacker, thief

threat vector:
what the attacker uses to attack

threat actors:

insiders:
they spread hate or complaints

outside individuals:

risk avoidance
deciding that the risk is too high and choosing not to take it

review:

three things that we need to protect:

confidentiality
integrity
availability

risk management process:

risk identification, assessment, treatment

security control

three types of security controls:

technical controls (intangible): anything that we apply to IT systems to protect the data inside
administrative controls: rules to control the behaviour of people (ex: having to wear a uniform)
physical controls: anything physical to protect something

technical controls:
firewalls: control access to certain websites; it's like a barrier that stops you going to certain websites or apps

antivirus:
it detects viruses and blocks them

encryption:
changing data so hackers can't understand it if they get hold of it

configuration

administrative control:
telling people what to do and what not to do

physical controls:
fences - cameras - signs - guards - locks - scanners

how controls mitigate risks:

preventive - detective - corrective - compensating
