Module 1: Core Principles

• The Principle of Least Privilege
• The Core of All Security (CIA, AAA and PPT)
• Prevent / Detect / Respond
• Security by Thirds
• Security Roles and Responsibilities
• The Nature of the Threat
The principle of least privilege

Everyone can do everything they need to do, and NOTHING MORE!
CIA: Confidentiality, Integrity and Availability

One of the cornerstones of all security:
• Everything done in security addresses one or more of these three things
• If it doesn’t, don’t do it at all, because it isn’t needed

Confidentiality:
• Only those who require access actually have access (the confidentiality of information is protected)

Integrity:
• Data is edited correctly and by the right people

Availability:
• If you cannot use it, why do you have it?
Applying CIA

Ideal: Three equal parts
• Only works in “perfect world security”

Reality: Not three equal parts
• Government and Pharmaceuticals:
  • Confidentiality rules
  (AbbVie made $19.94 billion on the sale of Humira® in 2018; $94.15 Billion 1992-2017.)
• Financial:
  • Integrity must be maintained
  (If I can see your balance, it’s not good. If I can change your balance, it is VERY bad!)
• E-commerce:
  • Availability is most important
  (Amazon’s online sales in 2018: $232.91 Billion, or $443,132 per minute.)

Use CIA for PRIORITIZATION…
The AAA
Authentication:
• The process of verifying someone's identity.
• Is Keith really Keith?

Authorization:
• While we know Keith is Keith, what can Keith do?

Accountability:
• While we know Keith is Keith, what did Keith do?
The PPT

Policy:
• Broad general statement of management’s intent

Procedure:
• The detailed steps to make policy happen

Training:
• Users must know what policies and procedures say in order to follow them
The Core of All Security
Prevent/Detect/Respond (PDR)

Current state of the art – it is as good as it gets:
• Prevent as much as you can
• Detect for everything else:
  • Or if the preventive measures fail
• Respond to what is detected

Prevention is ideal
Detection is a must
Detection without response is useless
Security by Thirds

A security professional needs to be:
• 1/3 technologist
• 1/3 manager
• 1/3 lawyer
• This is the perfect summation of the career field

Technology supports security efforts
Management decisions (and budgets) drive security
Legal issues mandate security requirements
Roles and Responsibilities (1)

• Senior Manager:
  • Has legal responsibility to protect the assets of the organization
  • That gives them the ultimate responsibility for security

• Senior Manager means:
  • Commercial (.com) = CEO
  • DoD (.mil) = Commander
  • Government (.gov) = Director, Secretary, and such

• Authority can be delegated – responsibility cannot be
Roles and Responsibilities (2)

Data Owner:
• Person with primary responsibility for data
• Owners determine classification, protective measures, and more

Data Custodian:
• The person/group that makes the decisions of the owners happen

Users:
• Use data
• Are also automatically Data Custodians
The Nature of the Threat (1)

Years ago: We faced teenagers

Today: We face organized crime and nation states
• They are well funded
• They are highly motivated
• They are making a LOT of money

This completely changes the landscape
The Nature of the Threat (2)

Disgruntled Insider:
• Difficult to counter
• Tends to be subtle
• Often damaging or even devastating

Accidental Insider:
• No intent to cause harm
• Common – user clicks a link or opens an email attachment
• In aggregate, more damaging than disgruntled

External Insider:
• Outside threat source
• Accidental inside threat actor:
  • End result of the accidental insider
  • The most-common attack vector
Core Principles
• The elements of the CIA follow (choose 3):
A. Authentication
B. Integrity
C. Authorization
D. Confidentiality
E. Availability
F. Cryptography
G. Impersonation
Core Principles

Which role always has ultimate responsibility in an organization?
A. Custodian
B. User
C. Senior Manager
D. Owner

What is the goal of most cyber threats today?
E. Ransom
F. Make money for the attacker
G. Obtain online banking credentials
H. Obtain credit cards
Core Principles

What is the name of the role with primary responsibility for data?
A. Senior Manager
B. Data Owner
C. Data Custodian
D. Data User

What role is responsible for implementing controls on data?
E. Data Custodian
F. Senior Manager
G. Security Manager
H. Data Owner