Principles of Information Security


Course time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Now our next topic is to take a moment and look at the principles of information security. When we talk about information security, our goal is to protect the organization's informational assets. When we talk about information, we talk about certainly digital information, and that's by far the focus of this class, but just don't forget that information can exist in other types of media: it can be written, it can also be verbal information, so really, information security is broader than just protecting our digital stuff. We want to make sure that we protect our informational assets. We always have a priority to focus on individuals and their protection and security, and that's maybe part of the broader realm of security, but still, that's always the most critical thing that we do in the world of security. But by protecting our people and our organization's assets, that will help us accomplish the mission and the vision of the organization.

Now when we do talk about assets, one of the first things that we have to do is identify our assets and then figure out their value. When we talk about assets, that's anything that we value. Certainly, I value my data, absolutely, but also my business processes, those are assets; my company's reputation, customer confidence, software, hardware, data, anything that we value falls into the area of identification. Now, when we figure out what our assets are and how valuable they are, at that point in time, we want to have a classification scheme in place. Now if you're in the government or military, you're familiar with classified data, and maybe you are anyway, but the idea about classification is it's an indication of the value of the data. Very high sensitivity data gets classified as top secret, based on whatever the criteria are. But that's military and government; don't get bound to thinking of classification as a government idea, because the private sector classifies data all the time. It's always based on the value of the data. It could be based on the data's confidentiality or integrity or availability; as we'll see in a minute, those are the three tenets of information security. The bottom line is not everything is like the way the military does it. Identify and determine the value of your assets. Classify those assets based on their value and based on pre-defined criteria. We shouldn't just be looking at information and go, top-secret, confidential. We should be able to look at our asset and its value and say, based on our predefined requirements, this would be classified as confidential. We need that documentation taken care of, and that's part of a classification strategy. Based on the classification, we apply specific security controls.

When we talk about our security controls, these are defensive measures, and when we talk about controls in relation to risk, our controls are the ways that we mitigate risks. My web presence is my asset, and it's incredibly valuable because I make all my money through online transactions; therefore, it's considered critical in relation to availability, and based on its being classified as critical or highly critical, whatever my organization's strategy is, then I'll apply security controls like a Web Application Firewall, I'll monitor the network for potential denial of service attacks. But the bottom line is, identify your assets, classify them accordingly, apply the controls based on the classification. Now, as I mentioned, the three big areas of information security: confidentiality, integrity, and availability, and you'll hear this referred to a lot as the CIA triad. With security, that's our focus, those three areas.

But we also have to be aware of the fact that, as we increase security in these areas, there's always a trade-off. Security always costs something. Ain't nothing free in this world. If you think about it, when you implement security, you may have to trade off performance, and that's one of the most common costs for security. The more secure I make things, the slower we go. I have a lock and a deadbolt on my front door, but if I add 15 more deadbolts, maybe I'll be more secure. But it'll take so much longer to open my house. Can you imagine standing there with your 18 bags of groceries just trying to get in your house, because God forbid we make two trips to the car? We've got all these groceries, we're trying to unlock 15 deadbolts. It takes more time. In that position also, user acceptance decreases; that's another cost for security. People don't like having to jump through additional hoops. Seventeen bags of groceries, I'm undoing all these deadbolts, I drop a bag that, of course, has my eggs in it, and boom, now I'm mad, now I'm upset, and so I go to the security team and say, I can't get anything done, you've locked my house down so much, or you've locked my system down so much. You can see the analogy there. There is a point where we make things so "secure" that we can't get anything done. This is where risk management steps in. Risk management looks at the value of security versus the costs and helps us make a good decision, taking into account risks. There are some activities that are incredibly risky. Putting a web server out, making it available to the general public, that is a risky business. But we have to do it to survive in today's economy and in today's marketplace, so that's a very risky action. To make sure that that web server stays up, that it doesn't get targeted, that it doesn't get modified without our intention, that it doesn't provide access to some back-end information, those are some real risks, so we're going to spend an appropriate amount of money to protect our web server based on understanding the risks associated. Now, the flip side of that, my grocery list that I've written down in pencil and paper and stuck on my refrigerator door, there are very minimal risks associated with that. Would it make sense to protect them the same way? Now I know that's a silly example.

>> We make decisions based on ideas like just blanket security. We're going to protect everything the same way. Or we make decisions like, if it ain't broke, don't fix it. Meaning we're going to wait until something's broken to fix it. Meaning we applied a security control five years ago and so far so good. These aren't risk-aware business decisions. These are mistakes in the realm of security, and that's where we're going with this class.

Now, as I mentioned, confidentiality, integrity, and availability. Your threats to confidentiality come from social engineering. That is by far the greatest threat that we face today. The largest weakness in our organization is our people. Of course, social engineering is going to take advantage of people that usually are well-meaning; they're helpful. They're trying to be helpful and they wind up giving out too much information or too much access. There are many aspects to social engineering. But it's basically an attacker representing themselves as someone that should have legitimate access. What do we do about that? It's about trickery. Well, we train our people not to fall for it. But you know what, training can only get you so far. Not only do we train our people, we hold them accountable, we monitor, we audit to make sure no one's giving up too many pieces of information. Separation of duties is also helpful because it makes sure no one individual has so much information or too much information that they could give away the keys to the kingdom. Like for instance, if I'm a front desk receptionist and you have socially engineered an environment and I trust you and you ask me what the password for the server is, I can't tell you that because I don't know that, because it's not my job. Separation of duties is very helpful against social engineering as well.

Now another threat to confidentiality is eavesdropping. In this class, eavesdropping will always be technical eavesdropping. It's not that I'm listening in to your phone call when I say eavesdropping in this class; we're talking about technical eavesdropping. I have maybe a packet sniffer on your network and I'm capturing traffic, and anything in plain text I can view. That's the beauty of a packet sniffer. One of the ways that we think about minimizing losses associated with eavesdropping is we encrypt our sensitive information. We don't put things on the network in plain text. Also, maybe taking that a step further, the really sensitive stuff we just keep off the network. We don't put passwords on the network. Well, that gets tricky, because how do I prove I've entered my password correctly if I don't send that password to an authentication server? There are lots of ways actually that we can do that. One of the more common is a challenge-response system. The way that works is the server knows my password. I've typed in my password. When I try to log in, for instance, the server says, oh, Kelly Handerhan's logging in. Let's send a challenge based on her password across the network. If my password had been entered correctly, my system can appropriately respond to that challenge. I never send my password across the network. That's an even better way, even better than encrypted.

We then move to integrity. Integrity is all about being able to detect modification of information. I want to know if my data has changed, if something's been deleted or erased or modified. Now there are two ways that can happen. It can happen accidentally. Files get corrupted, packets get dropped. If we're talking about accidental deletion or accidental corruption of information, a solution there is using hashes. It's a process we call hashing. Hashing creates hashes. We can also call those hashes checksums or message digests. Really, for this class, we'll use them all together, and of course we'll go much more in-depth later. But for malicious modification, hashing doesn't quite give us enough guarantee, so we need digital signatures. Again, we'll talk about those in a bit. Then last but not least, availability. We can't forget that availability is the third aspect that we're concerned with in security. The thing is, we want our users, our customers, our clients, whatever, to have timely access to resources as appropriate. The way we keep our resources up and running, the way we get high availability, is through redundancy and fault tolerance. We want to be able to withstand a loss of a certain server or of a network link or whatever that may be. We have redundant hard drives, we have redundant servers, we have redundant links, we have redundant data. That's the whole purpose of backing up data or having server clusters. Availability, we want redundancy.

Now, as always, our balance has to be security versus business. We're going to say that a lot in this class. That's one thing that I really want to emphasize now. I'll emphasize throughout all the chapters: find the balance. It's always a balancing act. We've got to find the appropriate balance between security and the day-to-day operations of the business. Because when it comes right down to it, the only reason that we have jobs in security is because we enable the business. If we get to the point where what we're doing doesn't help the business but hinders it, we all of a sudden don't have jobs anymore. This idea of "you can never have too much security" is wrong. It's flat-out wrong. You can totally have too much security. Fifteen deadbolts on my front door is too much security. It's not about as much security as you can get, it's about the appropriate amount of security based on threats, which are those negative elements, and our weaknesses or vulnerabilities. For every bit of security we add, there's a trade-off. We have to align our security decisions in relation to the business. We always start with the business. Any decision that you make in this class and on this exam has to start with understanding the business. That's always where we're going to start and that's always our end goal. Understand the business and support the business. We want to think about these elements in pink on our slide. This is what we want. We want strength and resilience. We want reliability, we want protection and stability within our organization. We want our assets available consistently. We want to be able to guarantee expected response times, for instance, or expected returns. Security is a business issue. You can't make security decisions without first understanding the business. That wraps up this section. Again, the big highlights. Make sure you know the definitions for these risk elements and also understand the proper place of risk as an enabler of the business. No such thing as security for the sake of security; we always map out the pros and cons, the trade-offs for security. Next, we're going to go ahead and get started with Chapter 1 from CRISC, or Domain 1 from CRISC. That will be information security governance.