Security Basics
This chapter goes through the foundations of security, starting with the CIA triad.
CIA Triad
C = Confidentiality
Keeps information/data secure: unauthorized individuals should not be able to access this information
Controls for this would be access control and firewalls
I = Integrity
Ensures the data is correct and has not been tampered with by unauthorized individuals
A = Availability
Ensures the information and systems are ready to be used by authorized users
Controls for this would be backups and clustering
DAD Triad
D = Disclosure
If the information within your organisation is disclosed, this prevents you from achieving confidentiality
A = Alteration
If the information within your organisation is altered, or can be altered, by an unauthorized user, then your organisation will not meet the integrity part of the CIA triad
D = Destruction
If your data is destroyed by a hacker or other malicious actor, then your organisation will not meet the availability part of the CIA triad
Security Controls
Preventive controls:
These help prevent a breach, such as:
A security guard at the door
Biometrics at the entrance of the buildings
Detective controls:
These are used to detect a break-in that has already happened:
Log monitoring
Trend analysis
Security audit
CCTV
Biometrics at the entrance of the buildings
Deterrent controls:
These attempt to discourage threats; examples of this would be:
Warning Signs
Cable Locks
Hardware Locks
Corrective controls:
These are used to correct the impact of a breach; examples of this would be:
Active IDS – the IDS detects an intruder and engages systems to block the intrusion
Backups
Compensating controls:
These are used when the primary control is not feasible (the primary control can't be used) or to enhance it:
Time-based one-time passwords
Proximity cards
Data Breach Impacts
Financial
A risk that involves monetary damage to the organisation
Reputational
A risk that affects the goodwill of customers, employees, suppliers and stakeholders
Strategic
A risk that affects or prevents the organisation from meeting its major goals
Operational
A risk that affects the organisation's ability to carry out its day-to-day functions
Compliance
There can be legal fines associated with a data breach, or for organisations that run afoul of legal and regulatory requirements. Example: a GDPR breach costs 4% of the company's annual turnover
Data Handling
Data states:
Data in use
Data in motion
Data at rest
Hashing:
Tokenization: