Information Security Fundamentals

InfluentialBoolean
14 Questions

What is the primary goal of Risk Management?

To make risks as small as possible

What is the primary goal of Information Security?

To protect assets in order to achieve CIA (Confidentiality, Integrity, Availability)

What is an Incident in the context of security?

The occurrence of a security violation

What is the risk associated with a lack of confidentiality?

Loss of privacy, unauthorized access, identity theft

What is the primary purpose of tracking vulnerabilities?

To mitigate potential security violations

What is the term for the potential loss of an asset upon an incident?

Exposure Factor

What is the purpose of audit logs?

To track security controls such as errors, login attempts, changes, etc.

What is the primary method of ensuring the integrity of information?

Quality assurance and audit logs

What is a common system used to track vulnerabilities?

Common Vulnerability Scoring System

What is the term for an action or event that may potentially compromise security?

Threat

What is the purpose of authentication?

To verify/prove a subject's claims to a given identity

What is the primary purpose of authorization?

To grant an authenticated subject proper access rights to different assets

What type of access control assigns security levels on users and resources?

Mandatory Access Control

What is the risk associated with a lack of availability?

Business disruption, loss of customer confidence, loss of revenue

Study Notes

Information Security

  • Information Security is the process and methods of protecting assets to achieve CIA (Confidentiality, Integrity, Availability)
  • CIA is crucial to protect print, electronic, or any other form of confidential, private, and sensitive information or data from unauthorized access

Confidentiality

  • Confidentiality ensures that information is kept private and secure
  • It assures that information is available only to those who have authorized access
  • Risks associated with confidentiality: loss of privacy, unauthorized access, identity theft
  • Controls to maintain confidentiality: encryption, authentication, access controls

Integrity

  • Integrity ensures that information is not modified, deleted, or added without authorization
  • It ensures the trustworthiness, accuracy, and completeness of the data
  • Risks associated with integrity: unreliable/inaccurate information
  • Controls to maintain integrity: quality assurance and audit logs

Availability

  • Availability ensures that systems for processing, delivering, and storing information are accessible when required
  • Risks associated with availability: business disruption, loss of customer confidence, and loss of revenue
  • Controls to maintain availability: back-up storage and sufficient capacity

Triple A of InfoSec

  • Authentication: the process in which a subject attempts to verify/prove their claim to a given identity
  • Three primary forms of authentication: what you have, who you are, and what you know
  • Authorization: the act of granting an authenticated subject their proper access rights to different assets
  • Schemes of authorization: Mandatory Access Control, Discretionary Access Control, Role-based Access Control, and Attribute-based Access Control

Audit Trail

  • Audit Trail tracks security controls such as errors, login attempts, changes, etc.
  • Actions should be traceable to a specific subject for the information to be useful

Assets

  • Assets are any tangible/intangible items with value to an organization
  • The loss of an asset can cause a potential disruption to an organization

Vulnerabilities

  • Vulnerabilities are weaknesses/flaws that may be intentionally or unintentionally triggered, leading to a violation of security policies
  • Vulnerabilities may be present in the inherent design or in the actual system
  • Current and existing vulnerability tracking systems: U.S. Computer Emergency Readiness Team, Common Vulnerability Scoring System, Common Vulnerabilities and Exposures

Threats, Impacts, Exposure Factor

  • Threat: an action/event that may potentially compromise/violate security
  • Incident: the occurrence of a security violation, i.e. a threat that has been realized
  • Impact: the outcome of the incident
  • Exposure Factor: the potential loss of an asset upon an incident

Risk

  • Risk: the probability that a particular threat occurs because of a specific vulnerability
  • Risk Management: the process of reducing risks to acceptable levels
  • The goal of risk management is to minimize risk, not eliminate it

Security Controls (Countermeasures)

  • Security Controls: mechanisms to mitigate threats
  • Improper implementation may lead to increased risks
  • Groups of Security Controls: Technical, Administrative, and Physical

Learn about the importance of information security and how to protect assets from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
