Our last section in Module 2 looking at key concerns focuses on Goals of Security. We discuss why it's important to understand the goals of the security systems you'll put in place and what those goals accomplish for the organization. We'll review the CIA Triad and what each component of the triad means in terms of security and delivers to the organization as a result. Then we'll look at how we carry out and demonstrate the importance of security through the use of Safety Drills and what we learn when we conduct them.

[toggle_content title="Transcript"]

Now I will be discussing section 2.9 of the Security+ syllabus: Given the scenario, select the appropriate controls to meet goals of security. Given the scenario, select the appropriate controls to meet the goals of security.

What are the security goals? This gives rise to the C.I.A. triad; this is the reason for which we have security: confidentiality, integrity and availability. The goals of confidentiality are that only authorized disclosure should be allowed. Disclosure of information should only be allowed if it's authorized. Controls should be in place to deny access if the disclosure is not authorized. Integrity dictates that only authorized modifications should be allowed. Where a modification is not approved, controls should be in place to limit that modification taking place, and availability dictates that our resources should be available in a timely fashion to authorized personnel.

The security goals border around confidentiality, integrity, and availability. We will see different types of attacks at confidentiality, some to compromise confidentiality. Some attacks are targeted at integrity and some other attacks are targeted at availability. What sort of control could we have in place to protect confidentiality? To protect confidentiality we could put encryption in place.
When we encrypt the content of our hard disk or our removable drives and these drives fall into the wrong hands (the drive is missing, the drive is stolen, or the drive is misplaced), unauthorized persons don't have access to the information contained in them. Encryption is the best form of security on mobile devices. These devices are very easy to lose; you lose them in a taxi, you lose them in a public toilet, in the restaurant and places like that. So you want them to be encrypted; should you lose them, no other persons have access to the content.

We should also have access controls, access controls to limit who has access. If you don't have a need to know, the access control should limit what you're able to see. I'll give an example here: we have two individuals in H.R.; one is a senior personnel in H.R., the other is a junior personnel in H.R. By virtue of their job position, they have a different need to know of information about personnel. If you don't have a need to know, there should be what we call database views to limit what you can see. The junior personnel possibly could see my date of employment but has no need to know of my date of birth. So we should have database views to limit that user from seeing that information. That is access control. The senior staff, on the other hand, could have a need to know of my date of birth and my date of employment. The access we grant them to information within the database is different from that of the junior user. Access control could also be used to limit confidentiality, or rather enforce confidentiality.

Lastly, here we talk about steganography. Steganography is the technology by which the very existence of data is hidden. Steganography could be used for good reasons and also malicious reasons. What happens here is that, using software, you could hide information within information. You could hide pictures within an audio file. People will listen to the audio file and they don't notice any batches.
You could hide pictures within pictures. The picture file that people see is what we call the carrier file. The carrier files... How do we do it? We use the least significant bit of the carrier file so that if we distort the carrier files you don't notice any distortions in the picture, yet it is carrying multiple pictures. If you were to intercept a U.S.B. from me, maybe I'm carrying out some practices that are not best practice. I could be trafficking in certain types of things or transporting certain types of information, but I hide that information within other information. For example, if you were to intercept my U.S.B. drive, you connect my U.S.B. drive to your system and you are looking at my U.S.B. drive, and all you find is holiday pictures of myself in France: that is me at the Eiffel Tower, that is me on the train, that is me at a shopping mall. You would say he is having a good time in France, but within each of those pictures there could be other pictures that I am actually aiming to hide, and this is steganography. This can be done easily with software, software that is readily available on the internet today. Individuals could want to hide their own information so that only they see it. A malicious person could also use pictures as carrier files, or even audio files as carrier files, to hide the fact that they're transporting information or data that could be very harmful. That is steganography. All of this helps achieve confidentiality.

Then we talk about integrity. We are giving out our signature. Electronic identifiers that could be appended to messages to show proof that the document originated from a particular person. Where digital signatures are being applied to messages, it is very easy to show proof that this message has come from a particular source; that helps ensure that the data has not been modified while it is in transit, and that is the goal of integrity.
If you want to modify the data, the signature will be compromised and then we know not to trust the data anymore. Certificates could also be used to ensure integrity. When these technologies are used to help ensure that messages are signed so that we can prove the source or the author of the message, we can also prove the receipt of a message, and when we do that such that users cannot repudiate their receiving the message or sending the message or taking part in an electronic transaction, we call that non-repudiation. Non-repudiation: the inability of a person to deny taking part in a transaction or being the author or recipient of a document or a message. That is non-repudiation. These three are able to meet the goals of integrity.

Next, we talk about our availability. Availability dictates that our resources be available in a timely fashion to authorized personnel. We want to ensure things like redundancy. By putting redundancy in place, we have spares. If one technology fails, we have a spare. The technology is available. The service will be available; whatever that technology offers is still made available because we have redundancy. You could also introduce fault tolerance. When you invest in equipment, you want to invest in equipment that is fault tolerant: it experiences a fault and not everything shuts down. At least some production is still taking place. This could be very expensive in terms of hardware, but it is a price to pay for availability. If you are down you are losing money, but the more availability you can guarantee, the better.

We also should do patching. Software is not perfect. There are vulnerabilities that exist within software. By downloading the patches, and you test the patch before you apply the patch, you are able to ensure that your systems stay up and alive. We have zero-day exploits.
The best way to protect against the zero-day exploit is to ensure that all your patches are to the most recent; that way the immunity of the systems in your network is very high and you can guarantee availability if you have all of that.

Next, we talk about safety. For safety, certain issues are considered: fencing. You want to use a fence to establish your perimeter. You want to use your fence to say people cannot come in from this part of the facility but can only come in maybe through the gate; you use a fence to establish the perimeter and guide access into the facility. When you use a fence, best practice is that your fence digs deep to some distance so that people cannot go through the underside of the fence. Some other organizations would like to put razor wire at the top of the fence to prevent people on the outside; the razor wire could tilt this way so people cannot climb from the outside. And to keep people on the inside, the razor wire could be looking down that way so people cannot climb out from the inside, and if you must keep people in and out you could have your razor wire both ways. We have different types of fences that could be used. We have fences for domestic use that we have around our homes; they could probably be raised high, wire mesh or wood, and in some cases they are also about the average human height. At the industrial level, we have wire fences or fences that are eight feet or ten feet high.

For safety purposes, we also want to ensure that our environment is well lit. In an environment that is well lit, people can see what is taking place; there is no fear of being attacked. When you are living in an environment that is well lit, because you can see everything happening around, you can see people trying to hide, possibly to attack. If the environment is not well lit, it becomes difficult to see, and when it is difficult to see you could be vulnerable to several types of attacks.
When we talk about lighting in an environment, at least the lighting should be about eight feet tall. Eight feet, so that there is ample coverage of light around.

We also need to implement locks. We should implement locks on the doors; locks should be very robust so that when you lock the door, the lock should actually go way in to keep the door firm.

We should also have C.C.T.V., closed circuit television. It is normal that people tend to conduct themselves better when they see cameras. "Oh, there is a camera over here, let me carry my activities elsewhere." For safety we should have C.C.T.V. C.C.T.V. will monitor everything. When we plant our cameras we have to be very strategic. We need to have cameras that can pan, tilt and zoom in. Your cameras should have the ability to pan so that they can cover the entire area. They can tilt as required; they can zoom for better visuals. The environment should be well lit so you can see clearly what you're recording. If you are recording onto tape, make sure there's a tape in there, and if it's digital, make sure it's running. We could have active and passive for our recordings. In the passive, it's just being recorded and stored. In the active, the screens are monitored by individuals and I can say, "Joe, can you go to the third floor? I see the lady in red; can you go find out what she's doing there?" In that instance somebody can instantly respond; that is active monitoring. When we do C.C.T.V. as well, it is best practice these days that you have your camera in an open door, glass surrounds the camera so people don't see where the camera is pointing; that way, they don't try to avoid the camera. When you plant your cameras, make sure you avoid blind spots; the people around will quickly try to identify the blind spots because they don't want to be recorded while they are carrying out their naughty activities. So, best practice, we could even use C.C.T.V.

You should also establish escape plans.
The escape plan: in case an incident happens, an organization should have escape plans. This is a plan as to how to escape from the facility. Certain routes we should not follow within the organization, which will have a plan. It should be documented. The users need to be trained as to the use of these plans. Everybody has to understand these plans. How do we carry out the understanding of these escape plans? We carry out drills, a simple fire drill. The fire drill is an effort following the escape plan. In the case of a fire, how do we respond, how do we escape from the building? Fire drills should be conducted. Your users should be trained what to do and what not to do in the case of a fire. The escape route should be clearly identified. The escape route should be marked with signs: Exit, escape route, whatever it is you want to call it; they should be clearly identified, so people are not trying to escape through the wrong route, leading to possibly more disasters.

These controls should all be periodically tested. It is that you can put a control in place; if you don't test the controls, how are you sure it's the safety? How are you sure it's working? How are you sure it's doing what it is meant to do the right way? So periodically we should have testing for some of these controls to guarantee safety within our environment. This is the last portion of section 2.9. Thank you.

[/toggle_content]
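
The need-to-know example from the transcript (a junior and a senior H.R. user seeing different personnel fields through database views) can be worked through as follows. This is an added example, not part of the original lesson; the table, view and role names and the sample rows are constructed assumptions.

```python
import sqlite3

def build_hr_db():
    """Create an in-memory personnel table with one view per H.R. role."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE personnel (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            date_of_birth TEXT NOT NULL,
            date_of_employment TEXT NOT NULL
        );
        -- Constructed sample rows.
        INSERT INTO personnel VALUES
            (1, 'A. Example', '1980-04-12', '2015-09-01'),
            (2, 'B. Sample',  '1991-11-30', '2020-02-17');
        -- Junior H.R.: no need to know the date of birth, so the view omits it.
        CREATE VIEW hr_junior_view AS
            SELECT id, name, date_of_employment FROM personnel;
        -- Senior H.R.: needs both dates.
        CREATE VIEW hr_senior_view AS
            SELECT id, name, date_of_birth, date_of_employment FROM personnel;
    """)
    return db

# Each role is bound to exactly one view; the base table is never queried directly.
ROLE_VIEWS = {"hr_junior": "hr_junior_view", "hr_senior": "hr_senior_view"}

def visible_columns(db, role):
    """Return the columns a role can see; an unknown role raises KeyError (deny by default)."""
    cur = db.execute(f"SELECT * FROM {ROLE_VIEWS[role]}")
    return [d[0] for d in cur.description]

def lookup(db, role, person_id, column):
    """Read one field for one person through the role's view only."""
    if column not in visible_columns(db, role):
        raise PermissionError(f"{role} has no need to know {column}")
    # column was checked against the view's own column list above, so it is safe to interpolate
    row = db.execute(
        f"SELECT {column} FROM {ROLE_VIEWS[role]} WHERE id = ?", (person_id,)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_hr_db()
    print(visible_columns(db, "hr_junior"))
    print(lookup(db, "hr_senior", 1, "date_of_birth"))
```

SQLite has no per-user privileges, so the role-to-view mapping stands in for what a server database would do by granting each role SELECT on its own view and nothing on the base table.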