LESSON 1.

98-367
98-367Security
SecurityFundamentals
Fundamentals

Understand Core Security

Principles
 LESSON 1.1

98-367 Security Fundamentals

Lesson Overview

In this lesson, you will learn:

 To identify the difference between computer security and
information security
 To define information security
 To outline the phases of the security systems development
cycle
 LESSON 1.1

98-367 Security Fundamentals

IT Infrastructure Threat Model

 Identify threats that could affect their organizations’ IT
infrastructures.
 Discover and mitigate design and implementation issues
that could put IT infrastructures at risk.
 Prioritize budget and planning efforts to address the most
significant threats.
 Conduct security efforts for both new and existing IT
infrastructure components in a more proactive and cost-
effective manner.
 LESSON 1.1

98-367 Security Fundamentals

Terms and Concepts to Know

1. CIA triangle (confidentiality, integrity, availability)

2. Principle of least privilege
3. Social engineering
4. Threat and risk principles
 LESSON 1.1

98-367 Security Fundamentals

 LESSON 1.1

98-367 Security Fundamentals

Confidentiality
The prevention of unauthorized disclosure of information.
This can be the result of poor security measures or
information leaks by personnel. An example of poor
security measures would be to allow anonymous access to
sensitive information.
 LESSON 1.1

98-367 Security Fundamentals

Integrity
The prevention of erroneous modification of information.
Authorized users are probably the biggest cause of
errors and omissions and the alteration of data. Storing
incorrect data within the system can be as bad as losing
data. Malicious attackers also can modify, delete, or
corrupt information that is vital to the correct operation
of business functions.
 LESSON 1.1

98-367 Security Fundamentals

Availability
The prevention of unauthorized withholding of
information or resources. This does not apply just to
personnel withholding information. Information should
be as freely available as possible to authorized users.
 LESSON 1.1

98-367 Security Fundamentals

Principle of Least Privilege

 Anyone who has been a victim of viruses, worms, and other
malicious software (malware) will appreciate the security
principle of “least privilege.”
 If all processes ran with the smallest set of privileges
needed to perform the user's tasks, it would be more
difficult for malicious and annoying software to infect a
machine and propagate to other machines.
 LESSON 1.1

98-367 Security Fundamentals

IT Infrastructure Threat Model

 LESSON 1.1

98-367 Security Fundamentals

How to Protect Insiders from Social Engineering

Threats
 To attack your organization, social engineering hackers
exploit the credulity, laziness, good manners, or even
enthusiasm of your staff. Therefore it is difficult to defend
against a socially engineered attack, because the targets
may not realize that they have been duped, or may prefer
not to admit it to other people.
 The goals of a social engineering hacker—someone who
tries to gain unauthorized access to your computer systems
—are similar to those of any other hacker: they want your
company’s money, information, or IT resources.
 LESSON 1.1

98-367 Security Fundamentals

Class Activity
 Create a timeline/flowchart explaining the history of computer security
and how it evolved into information security
Make sure to include important information security developments
during each decade beginning with the 1960s through today
 LESSON 1.1

98-367 Security Fundamentals

Lesson Review

 What do you think is the most important date in

information security and why?
 Have you, or family or friends, ever been a victim of social
engineering? Explain to the class how it happened.