Lesson 1
Understanding Security Layers
Lesson Skill Matrix
| Technology Skill | Objective Domain Description | Objective Domain Number |
| Introducing Core Security Principles | Understand core security principles | 1.1 |
| Understanding Physical Security as the First Line of Defense | Understand physical security | 1.2 |
| Performing Threat Modeling | Understand core security principles | 1.1 |
Key Terms
- access control
- attack surface
- attack surface analysis
- availability
- confidentiality
- defense in depth
- DREAD
- egress traffic
- flash drive
- ingress traffic
- integrity
- keylogger
- mobile devices
- Principle of Least Privilege
- removable device
- residual risk
- risk
- risk acceptance
- risk assessment
- risk avoidance
- risk mitigation
- risk register
- risk transfer
- separation of duties
- social engineering
- STRIDE
- threat
- threat and risk management
- threat modeling
Lesson 1 Case
When thinking about security, most people start by thinking about their stuff. We all have stuff. We have stuff that we really care about, we have stuff that would be really difficult to replace, and we have stuff that has great sentimental value. We have stuff we really don't want other people to find out about. We even have stuff that we could probably live without. Now think about where you keep your stuff. It could be in your house, your car, your school, your office, in a locker, in a backpack or a suitcase, or a number of other places. Lastly, think about all of the dangers that could happen to your stuff. People could be robbed or experience a disaster such as a fire, earthquake, or flood. In any case, we all want to protect our possessions no matter where the threat comes from.
At a high level, security is about protecting stuff. In the case of personal stuff, it's about making sure to lock the door when leaving the house, or remembering to take your purse when leaving a restaurant, or even making sure to cover all the presents purchased for Christmas and putting them in the back of the car before heading back into the mall.
Many of the security topics we will discuss in this lesson boil down to the same common sense used every day to protect stuff. In the business environment, the stuff we protect is assets, information, systems, and networks, and we can protect these valuable assets with a variety of tools and techniques that we will discuss at length in this book.
In this lesson, we will start with the basics. We'll look at some of the underlying principles of a security program to set the foundation for understanding the more advanced topics covered later in the book. We'll also discuss the concepts of physical security, which is critical not only for securing physical assets but information assets as well. By the time we're done, you'll have a good idea how to protect stuff for a living.
Introducing Core Security Principles
A fundamental understanding of the standard concepts of security is essential before people can start securing their environment. It's easy to start buying firewalls, but until you understand what needs to be protected, why it needs to be protected, and what it's being protected from, you're just throwing money away.
Certification Ready
List and describe what CIA stands for as it relates to security. Objective 1.1
One of the first acronyms encountered when working in the information security field is CIA. Not to be confused with the government agency of the same name, in information security this acronym represents the core goals of an information security program. These goals are:
- Confidentiality
- Integrity
- Availability
Understanding Confidentiality
Confidentiality is a concept we deal with frequently in real life. We expect our doctor to keep our medical records confidential. We trust our friends to keep our secrets confidential. In the business world, we define confidentiality as the characteristic of a resource ensuring that access is restricted to only permitted users, applications, or computer systems. What does this mean in reality? Confidentiality deals with keeping information, networks, and systems secure from unauthorized access.
An area where this issue is particularly critical in today's environment is with the high-profile leaking of people's personal information by several large companies. These breaches in confidentiality made the news largely because the information could be used to perpetrate identity theft against the people whose information was breached.
There are several technologies that support confidentiality in an enterprise security implementation. These include the following:
- Strong encryption
- Strong authentication
- Stringent access controls
More Info
Lesson 2 contains more details on these security technologies.
Another key component to consider when discussing confidentiality is how to determine what information is considered confidential. Some common classifications of data are Public, Internal Use Only, Confidential, and Strictly Confidential. The Privileged classification is also used frequently in the legal profession. The military often uses Unclassified, Restricted, Confidential, Secret, and Top Secret. These classifications are then used to determine the appropriate measures needed to protect the information. If information is not classified, there are two options available: protecting all information as if it were confidential (an expensive and daunting task), or treating all information as if it were Public or Internal Use Only and not taking stringent protection measures.
Classify all data and assets; it's the only way to effectively protect them.
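The following is an added example, not code from the textbook, showing how a data classification drives an access decision (one of the "stringent access controls" listed above). The classification ladder is the one named in the text; the clearance labels on users, the sample documents, and the `unclassified_policy` parameter (which encodes the two options the text gives for unclassified data) are all constructed for illustration.

```python
# Classification levels from the text, ordered from least to most sensitive.
LEVELS = ["Public", "Internal Use Only", "Confidential", "Strictly Confidential"]


def rank(level: str) -> int:
    """Position of a classification on the ladder; unknown labels are rejected."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification: {level!r}")
    return LEVELS.index(level)


def effective_classification(doc: dict, unclassified_policy: str) -> str:
    """Unlabelled data is handled according to an explicit organisational choice.

    The text gives two options: treat everything unlabelled as confidential
    (safe, expensive) or as Public / Internal Use Only (cheap, risky). The
    policy must be chosen deliberately, so it is a required argument here.
    """
    return doc.get("classification") or unclassified_policy


def may_read(user: dict, doc: dict, unclassified_policy: str) -> bool:
    """Allow access only if the user's clearance is at or above the data's level."""
    needed = rank(effective_classification(doc, unclassified_policy))
    return rank(user["clearance"]) >= needed


# Constructed sample users and documents (hypothetical, not from the textbook).
USERS = {
    "intern": {"clearance": "Internal Use Only"},
    "analyst": {"clearance": "Confidential"},
    "executive": {"clearance": "Strictly Confidential"},
}

DOCUMENTS = [
    {"name": "press-release.txt", "classification": "Public"},
    {"name": "org-chart.pdf", "classification": "Internal Use Only"},
    {"name": "customer-list.csv", "classification": "Confidential"},
    {"name": "merger-plan.docx", "classification": "Strictly Confidential"},
    {"name": "old-notes.txt"},  # never classified
]


def access_matrix(unclassified_policy: str) -> dict:
    """Which documents each user may read under a given unclassified-data policy."""
    return {
        who: sorted(d["name"] for d in DOCUMENTS if may_read(u, d, unclassified_policy))
        for who, u in USERS.items()
    }


if __name__ == "__main__":
    for policy in ("Strictly Confidential", "Internal Use Only"):
        print(f"unclassified data treated as {policy}:")
        for who, docs in access_matrix(policy).items():
            print(f"  {who:10} -> {docs}")
```

Running it twice with the two policies makes the trade-off in the text concrete: under the strict policy the unlabelled file is reachable only by the executive, while under the lenient policy the intern can read it, which is exactly the exposure that motivates classifying everything up front.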
Understanding Integrity
We define integrity in the information security context as the consistency, accuracy, and validity of data or information. One of the goals of a successful information security program is to ensure that the information is protected against any unauthorized or accidental changes. The program should include processes and procedures to manage intentional changes, as well as the ability to detect changes.
Some of the processes that can be used to effectively ensure the integrity of information include authentication, authorization, and accounting. For example, rights and permissions could be used to control who can access the information or resource. Also, a hashing function (a mathematical function) can be calculated before and after to show if information has been modified. In addition, an auditing or accounting system can be used that records when changes have been made.
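The following is an added example, not code from the textbook, that puts the two integrity mechanisms in this paragraph side by side: a hash computed before and after to detect modification, and an accounting record of intentional changes. The sample account record, the `AuditLog` class, and the actor names are constructed for illustration; SHA-256 is used here as the hashing function, which the text does not specify.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample record; not taken from the textbook.
SAMPLE_RECORD = {"account": "ACME-001", "balance": 1250.00, "owner": "J. Example"}


def canonical_bytes(record: dict) -> bytes:
    """Serialise deterministically so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def fingerprint(record: dict) -> str:
    """The 'before' hash: keep it somewhere the record's writers cannot reach."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def is_intact(record: dict, expected_hash: str) -> bool:
    """The 'after' check: any change to the record changes the hash."""
    return hmac.compare_digest(fingerprint(record), expected_hash)


class AuditLog:
    """Accounting component: who changed which field, from what, to what, and when."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def log(self, actor: str, field: str, old, new) -> None:
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "field": field,
            "old": old,
            "new": new,
        })


def managed_change(record: dict, audit: AuditLog, actor: str, field: str, new_value) -> str:
    """The intentional-change path: log it, apply it, and issue a fresh baseline hash."""
    audit.log(actor, field, record.get(field), new_value)
    record[field] = new_value
    return fingerprint(record)


def demo() -> dict:
    """Walk one record through a managed change and then an unmanaged one."""
    record = dict(SAMPLE_RECORD)
    audit = AuditLog()
    baseline = fingerprint(record)

    # 1. A managed change goes through the audited path and refreshes the baseline.
    baseline = managed_change(record, audit, "teller-42", "balance", 1000.00)
    after_managed = is_intact(record, baseline)

    # 2. An unmanaged change (software bug, disk error, or unauthorized edit)
    #    bypasses the audit trail; the hash check is what catches it.
    record["balance"] = 999999.00
    after_unmanaged = is_intact(record, baseline)

    return {
        "after_managed_change": after_managed,      # True
        "after_unmanaged_change": after_unmanaged,  # False
        "audit_entries": len(audit.entries),        # 1
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two paths is that a hash alone tells you that something changed, while the audit entries tell you which changes were supposed to happen; a record whose hash no longer matches its baseline and has no corresponding audit entry is the case the integrity program exists to surface.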
Understanding Availability
Availability is the third core security principle, and it is defined as a characteristic of a resource being accessible to a user, application, or computer system when required. In other words, when a user needs to get to information, it's available to them. Typically, threats to availability come in two types: accidental and deliberate. Accidental threats would include natural disasters like storms, floods, fire, power outages, earthquakes, and so on. This category would also include outages due to equipment failure, software issues, and other unplanned system, network, or user issues. The second category is related to outages that result from the exploitation of a system vulnerability. Some examples of this type of threat would include a denial-of-service attack or a network worm that impacts vulnerable systems and their availability. In some cases, one of the first actions a user needs to take following an outage is to determine into which category the outage fits. Companies handle accidental outages very differently than deliberate ones.
Defining Threat and Risk Management
Threat and risk management is the process of identifying, assessing, and prioritizing threats and risks. A risk is generally defined as the probability that an event will occur. In reality, businesses are only concerned about risks that would negatively impact a computing environment. There is a risk that you'll win the lottery on Friday, but that's not a risk to actively address, because it would be a positive outcome. A threat is a very specific type of risk, and it is defined as an action or occurrence that could result in a breach in the security, outage, or corruption of a system by exploiting known or unknown vulnerabilities. The goal of any risk management plan is to remove risks when possible and to minimize the consequences of risks that cannot be eliminated.
The first step in creating a risk management plan is to conduct a risk assessment. Risk assessments are used to identify the risks that might impact an environment.
In a mature risk assessment environment, it is common to record risks in a risk register, which...