Since we're specifically focusing in this course on risk and information system controls, let's go ahead and look at some information security basics, just to make sure that we're all on the same page. When we talk about the goals of information security, we're always looking at three main elements: confidentiality, integrity and availability. As a matter of fact, sometimes you'll hear this referred to as the security triad (the CIA triad): confidentiality, integrity and availability.
So when we're looking at confidentiality, we're looking to prevent unauthorized disclosure of information. I want to keep my secret secret.

Now, some threats against confidentiality. Probably the biggest one today is social engineering. Social engineering is at the core of most of the major compromises you hear about, whether it's tricking someone into giving out more information than they should over the phone, persuading them to click on a link in an email, or getting them to go to a certain site and enter their password. Social engineering is the key element in most attacks on confidentiality; it's almost always the starting point.
Training our people is really our best solution to mitigate social engineering, but we can also do things like enforce separation of duties. I can't tell you information I don't know. So if you ask me for the server room password, I might be willing to give it to you, but I don't have it, because that's not my job. Separation of duties is helpful. We also have to enforce policies and audit those policies, and conduct assessments: for example, I want to send out emails with attachments that aren't digitally signed and see who opens them. That's going to help me know where I need to focus my training as we move forward.
Media reuse is another concern. When we reuse thumb drives or hard drives, we have to make sure the hardware is properly sanitized. Destroy data remnants, and destroy the device itself if it has been holding highly sensitive or top secret information. Otherwise, zeroization helps.
And then we have eavesdropping. When we talk about eavesdropping in this course, we're not talking about me listening in on your phone call. We're talking about the fact that I have a protocol analyzer connected to your network: I'm capturing traffic, I'm examining the traffic, and anything that's in plain text I can see. We refer to that as sniffing, but its proper term is eavesdropping. Two ways to mitigate sniffing: encrypt your data, and keep sensitive information off the network altogether.
Now we have integrity challenges. Integrity is going to give us a guarantee that information or a system has not been modified. So when we talk about system integrity, we're going to make sure that our system performs as designed, without the introduction of any sort of additional code or software, or manipulation of the system. If the system runs as it should, we have system integrity, and we would talk about things like internal and external consistency: the system says I have five widgets on the shelf, and I actually have five widgets on the shelf.

Now, data integrity. With data integrity we get the assurance that the data hasn't been corrupted or modified, whether unintentionally or maliciously. Later we'll talk about those solutions in more detail, but hashes and message digests are good ways to detect corruption. Keep in mind that a plain hash only protects against accidents: an attacker who can change the data can simply recompute and replace the hash as well. If we want assurance against malicious modification, then a keyed MAC or, better, a digital signature is what's going to be most helpful to us.
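Here is an added example (not from the course material) showing the difference just described: an unkeyed SHA-256 digest catches a flipped bit, but an attacker who can rewrite the data can recompute the digest too, while an HMAC keyed with a secret the attacker doesn't hold still catches the change. The record, the bit flip and the tampering are all constructed for the example; the HMAC stands in for the digital signature the lecture mentions, with the difference that a signature uses the signer's private key (which is what additionally gives non-repudiation, covered later).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample record standing in for a file or message whose integrity we care about.
RECORD = b"inventory: widgets=5 location=shelf-A"


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 message digest: detects accidental corruption."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256: detects modification by anyone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def digest_matches(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking match position through timing
    return hmac.compare_digest(digest(data), expected)


def mac_matches(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(mac(key, data), expected)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single-bit corruption on disk or in transit (constructed)."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def attacker_tampers(data: bytes) -> bytes:
    """Simulate a deliberate change: the attacker rewrites the quantity (constructed)."""
    return data.replace(b"widgets=5", b"widgets=50")


def demo(key: Optional[bytes] = None) -> dict:
    """Run the four checks and report which mechanism caught what."""
    key = key if key is not None else secrets.token_bytes(32)
    stored_digest = digest(RECORD)   # what we saved next to the record
    stored_mac = mac(key, RECORD)    # what we saved, keyed with our secret

    corrupted = flip_bit(RECORD, 3)
    tampered = attacker_tampers(RECORD)

    return {
        # the unkeyed digest does catch random corruption...
        "digest_catches_corruption": not digest_matches(corrupted, stored_digest),
        # ...but if the attacker also replaces the stored digest, nothing is detected
        "digest_catches_tampering_when_attacker_recomputes": not digest_matches(tampered, digest(tampered)),
        # the attacker cannot recompute the MAC without the key, so the old MAC fails on new data
        "mac_catches_tampering": not mac_matches(key, tampered, stored_mac),
        # and the genuine record still verifies
        "mac_accepts_genuine": mac_matches(key, RECORD, stored_mac),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The second result is the one to remember: storing a hash beside the data it protects gives no protection against an adversary who can write to the same place. Either the digest must live somewhere the attacker can't change, or it must be keyed or signed.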
All right. Then we have compromises of availability. Our goal with availability is timely access to resources. In order to get timely access to resources, we have to have redundant systems. We must have redundancy. We want to get rid of single points of failure, we want fault tolerance, and we want it to be comprehensive: fault tolerance for our data, hard drives, servers, links, power, all of those different elements. We want redundancy.
Now, other things that will help us in the realm of security: identity and access management. We want a means of guaranteeing that our users properly identify, authenticate, get authorized and are audited, based on what their function is on the network. We do that first by making sure our accounts are provisioned properly, that user accounts are created in the proper fashion. Ideally I create the user account in one location and it is replicated to my other identity servers, rather than being created redundantly by hand in each place.

Once a user has an account, when they try to access a resource they're challenged to provide their identity and authentication. Identity makes a claim; often a username is your identity. I claim to be admin. Authentication is proving it. I may have to prove that with a smart card, with a password, with biometrics, whatever proof is chosen. And we really want multi-factor authentication: something you know and something you have, something you have and something you are, or something you are and something you know. Multiple types of authentication, from different categories.

Then authorization: what rights and permissions are you allowed, based on your identity? And then, of course, we want auditing, so that we can track activities back to users, and that gives us accountability.

And then, last but not least, when I'm ready to leave the organization, I need my account deprovisioned. We always make sure those credentials are revoked after someone leaves the organization.
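The lifecycle just described, provisioning, identification, authentication, authorization, auditing and deprovisioning, as an added example in Python (not from the course). The account store, the roles, the permission names and the audit log format are all constructed for the example; a real deployment would use a directory and a SIEM instead of in-memory dictionaries and a list of strings. Note the two details a practitioner cares about: passwords are stored as salted PBKDF2 hashes and compared in constant time, and a deprovisioned account is refused even when the correct password is presented.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed role -> permission mapping (authorization is derived from role, not from the user).
PERMISSIONS = {
    "admin": {"server_room:enter", "server:reboot", "report:read"},
    "analyst": {"report:read"},
}

PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str        # identity: the claim the user makes
    salt: bytes
    pw_hash: bytes       # authentication: the proof is checked against this
    roles: List[str]     # authorization: rights come from roles
    active: bool = True  # deprovisioning flips this to False


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Dummy salt so an unknown username costs the same time as a wrong password
# (avoids confirming which usernames exist through response timing).
_DUMMY_SALT = os.urandom(16)


class IdentityService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []   # constructed stand-in for an audit trail

    def provision(self, username: str, password: str, roles: List[str]) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_pw(password, salt), list(roles))
        self.audit.append(f"PROVISION user={username} roles={','.join(roles)}")

    def deprovision(self, username: str) -> None:
        """Revoke credentials: the account stays on record for auditing but can no longer be used."""
        self.accounts[username].active = False
        self.audit.append(f"DEPROVISION user={username}")

    def authenticate(self, username: str, password: str) -> bool:
        acct: Optional[Account] = self.accounts.get(username)
        if acct is None or not acct.active:
            _hash_pw(password, _DUMMY_SALT)  # burn the same time as a real check
            self.audit.append(f"AUTH_FAIL user={username} reason=no_active_account")
            return False
        ok = hmac.compare_digest(_hash_pw(password, acct.salt), acct.pw_hash)
        self.audit.append(f"AUTH_{'OK' if ok else 'FAIL'} user={username}")
        return ok

    def authorize(self, username: str, action: str) -> bool:
        acct = self.accounts.get(username)
        allowed = bool(
            acct is not None
            and acct.active
            and any(action in PERMISSIONS.get(r, set()) for r in acct.roles)
        )
        self.audit.append(f"AUTHZ_{'OK' if allowed else 'DENY'} user={username} action={action}")
        return allowed

    def access(self, username: str, password: str, action: str) -> bool:
        """Full flow: identify (username), authenticate (password), authorize (action). Every step is audited."""
        return self.authenticate(username, password) and self.authorize(username, action)


if __name__ == "__main__":
    svc = IdentityService()
    svc.provision("admin", "correct horse battery staple", ["admin"])
    svc.provision("jane", "hunter2", ["analyst"])
    print(svc.access("jane", "hunter2", "server:reboot"))    # False: analyst lacks the right
    svc.deprovision("admin")
    print(svc.access("admin", "correct horse battery staple", "server:reboot"))  # False: revoked
    print("\n".join(svc.audit))
```

The audit list is what turns the other three A's into accountability: every decision, including the denials, is tied to the identity that was claimed.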
Non-repudiation is another security concern. It's actually easier for me to tell you what it means: non-repudiation means that a user can't dispute having sent a message, nor the contents of the message. Using email as the example, I can't say, "Oh, I didn't send that message." But I also can't say, "Well, I sent the message, but it's been changed in transit." So we want assurance of authenticity and assurance of integrity. The two of those together give us non-repudiation, and a digital signature made with the sender's private key is the usual way to get both at once.
Classification of data is another way that we protect our information: by labeling the degree of value an asset has. In the military we use classifications like top secret, secret and confidential; in business we might use confidential, private and so on. But whichever form of classification we use, when we classify we think about the three C's: cost, classify, control.

Cost: what's the value of the asset? Classify it based on predetermined criteria that reflect the value of the data. So I figure out what it's worth, and then my organization should have standards for how data of different values should be classified. My organization should also have standards for which controls are applied to the data based on its classification. So: figure out its cost, classify it accordingly, and put security controls in place accordingly as well.