Lesson 1: Summarize Fundamental Security Concepts

Lesson Objectives

• summarize information security concepts
• compare and contrast security control types
• describe security roles and responsibilities

Topic 1A: Security Concepts

Exam Objectives Covered:

1.2 Summarize fundamental security concepts

Information Security

Information security (infosec) refers to the protection of data resources from unauthorized access, attack, theft, or damage. Data may be vulnerable because of the way it is stored, transferred, or processed. The systems used to store, transmit, and process data must demonstrate the properties of security. Secure information has three properties, often referred to as the CIA Triad:

• Confidentiality: information can only be read by people who have been explicitly authorized to access it
• Integrity: means that the data is stored and transferred as intended and that any modification is authorized
• Availability: means that information is readily accessible to those authorized to view or modify it

The triad can also be referred to as "AIC" to avoid confusion with the Central Intelligence Agency

Some security models and researchers identify other properties of secure systems. The most important of these is non-repudiation. Non-repudiation means that a person cannot deny doing something, such as creating, modifying, or sending a resource. For example, a legal document, such as a will, must usually be witnessed when it is signed. If there is a dispute about whether the document was correctly executed, the witness can provide evidence that it was.

Cybersecurity Framework

Within the goal of ensuring information security, cybersecurity refers specifically to provisioning secure processing hardware and software. Information security and cybersecurity tasks can be classified as five functions, following the framework developed by the National Institute of Standards and Technology (NIST):

https://nist.gov/cyberframework/online-learning/five-functions:

• Identify: develop security policies and capabilities. Evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them.
• Protect: procure/develop, install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of this operation’s lifecycle.
• Detect: perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.
• Respond: identify, analyze, contain, and eradicate threats to systems and data security.
• Recover: implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

NIST’s framework is just one example. There are many other cybersecurity frameworks (CSF).

Gap Analysis

Each security function is associated with a number of goals or outcomes. For example, one outcome of the Identify function is an inventory of the assets owned and operated by the company. Outcomes are achieved by implementing one or more security controls

Numerous categories and types of security controls cover a huge range of functions. This makes selection of appropriate and effective controls difficult

A cybersecurity framework guides the selection and configuration of controls. Frameworks are important because they save an organization from building its security program in a vacuum, or from building the program on a foundation that fails to account for important security concepts.

The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target. This gives a structure to internal risk management procedures and provides an externally verifiable statement of regulatory compliance.

Gap analysis is a process that identifies how an organization’s security systems deviate from those required or recommended by a framework. This will be performed when first adopting a framework or when meeting a new industry or legal compliance requirement. The analysis might be repeated every few years to meet compliance requirements or to validate any changes that have been made to the framework.

For each section of the framework, a gap analysis report will provide an overall score, a detailed list of missing or poorly configured controls associated with that section, and recommendations for remediation

Summary of gap analysis findings showing number of recommended controls not implemented per function and category; plus risks to confidentiality, integrity, and availability from missing controls; and target remediation date.

While some or all work involved in gap analysis could be performed by the internal security team, a gap analysis is likely to involve third-party consultants. Frameworks and compliance requirements from regulations and legislation can be complex enough to require a specialist. Advice and feedback from an external party can alert the internal security team to oversights and to new trends and changes in best practice.

Access Control

An access control system ensures that an information system meets the goals of the CIA triad. Access control governs how subjects/principals may interact with objects. Subjects are people, devices, software processes, or any other system that can request and be granted access to a resource. Objects are the resources. An object could be a network, server, database, app, or file. Subjects are assigned rights or permissions on resources.

Modern access control is typically implemented as an identity and access management (IAM) system. IAM comprises four main processes:

• Identification: creating an account or ID that uniquely represents the user, device, or process on the network.
• Authentication: proving that a subject is who or what it claims to be when it attempts to access the resource. An authentication factor determines what sort of credential the subject can use. For example, people might be authenticated by providing a password; a computer system could be authenticated using a token such as a digital certificate.
• Authorization: determining what rights subjects should have on each resource, and enforcing those rights. An authorization model determines how these rights are granted. For example, in a discretionary model, the object owner can allocate rights. In a mandatory model, rights are predetermined by system-enforced rules and cannot be changed by any user within the system.
• Accounting: tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted

Differences among identification, authentication, authorization, and accounting

The servers and protocols that implement these functions can also be referred to as authentication, authorization, and accounting (AAA). The use of IAM to describe enterprise security workflows is becoming more prevalent as the importance of the identification process is better acknowledged.

For example, if you aree appropriate controls to perform each function:

• Identification: ensure that customers are legitimate. For example, you might need to ensure that billing and delivery addresses match and that they are not trying to use fraudulent payment methods.
• Authentication: ensure that customers have unique accounts and that only they can manage their orders and billing information.
• Authorization: rules to ensure customers can place orders only when they have valid payment mechanisms in place. You might operate loyalty schemes or promotions that authorize certain customers to view unique offers or content.
• Accounting: the system must record the actions a customer takes (to ensure that they cannot deny placing an order, for instance).

Remember that these processes apply both to people and to systems. For example, you need to ensure that your e-commerce server can authenticate its identity when customers connect to it using a web browser.