Below are the lessons covered in this lecture:
Securing data and information is of utmost importance, especially in times of crisis. We need to maintain the confidentiality, integrity, and availability of data.
This lesson covers the importance of Confidentiality, Integrity, and Availability of data.
At the end of this lesson, you will be able to:
• Define ways to maintain confidentiality
• Explain importance of Integrity
• Define technologies that protect availability
• Discuss aspects of security and safety
Careful selection of security controls is essential to the success of any security project. The Business Impact Analysis (BIA) and other assessment tools help define the target by addressing questions such as redundancy, uptime, single points of failure, and known weaknesses. Once the target is known, work towards it by selecting the appropriate security goals.
The goals of security focus on three primary areas: Confidentiality, Integrity, and Availability, which together are termed as CIA.
The goal is to provide the required amount of each without compromising sensitive data or the ability to work in your environment. Too much availability can compromise confidentiality; too much confidentiality or integrity can limit availability, to the point that normal production becomes impossible.
We will first discuss these three concepts, and then review how they can be applied to a scenario that involves controls and other protective measures.
In this topic, you will learn the concept of confidentiality.
Confidentiality is the concept of keeping data secret. Enforcing confidentiality means preventing unauthorized access to data and controls, and following processes that ensure only authorized individuals or users can see the data. Confidentiality applies both to data in motion and to data at rest.
There are many security controls that provide data confidentiality. Let’s see the key controls in the following screen.
Encryption is the process of converting data into an unreadable form that can only be reversed with the correct key. It is built on cryptography, the science of protecting information with mathematical transformations. Encoding (Base64, for example) is not encryption: it has no key and anyone can reverse it.
Access controls determine what a user is allowed to access on a system. Users must first authenticate; depending on the credentials presented, they are then authorized to the data they require. Authorization should deny by default and grant only what the role needs. These controls are put in place to enforce confidentiality.
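The authenticate-then-authorize sequence above, as an added example that is not part of the lecture. The user store, passwords, roles and resource names are constructed for the illustration; the pattern (salted PBKDF2 for stored credentials, constant-time comparison, role-based permissions with deny by default) is standard.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Added example, not part of the lecture. All users, passwords, roles and
# resources below are constructed sample data.
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: stored credentials never hold the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

USERS: Dict[str, dict] = {
    "alice": {"role": "analyst", "cred": hash_password("correct horse")},
    "bob":   {"role": "auditor", "cred": hash_password("battery staple")},
}

# Role -> permitted (action, resource) pairs. Least privilege: auditors read only.
PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("read", "incident-db"), ("write", "incident-db")},
    "auditor": {("read", "incident-db"), ("read", "audit-log")},
}

def authenticate(username: str, password: str) -> bool:
    """Step 1: prove identity. compare_digest avoids a timing side channel."""
    user = USERS.get(username)
    if user is None:
        # Do the same work for unknown users so timing does not reveal valid names.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = user["cred"]
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

def authorize(username: str, action: str, resource: str) -> bool:
    """Step 2: decide what the proven identity may do; deny by default."""
    user = USERS.get(username)
    if user is None:
        return False
    return (action, resource) in PERMISSIONS.get(user["role"], set())

def access(username: str, password: str, action: str, resource: str) -> str:
    """Authenticate first, then authorize; never the other way round."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action, resource):
        return "denied: not authorized"
    return "granted"

if __name__ == "__main__":
    print(access("alice", "correct horse", "write", "incident-db"))  # granted
    print(access("bob", "battery staple", "write", "incident-db"))   # denied: not authorized
    print(access("bob", "wrong password", "read", "audit-log"))      # denied: authentication failed
```

Note that a failed login and a failed authorization are distinguished here only for the reader; a production system would log the reason but return the same generic message to the client.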
Steganography is the process of hiding information within another file, such as a message embedded in an image or a song. A common technique replaces the least significant bits of a file's pixel or audio samples with the bits of the hidden data; the change is too small to notice, and the data can later be extracted from those bits. Unlike cryptography, steganography hides the existence of a message rather than its content, so the two are often combined.
Malicious users employ steganography to exfiltrate data from a network past controls that inspect only the visible content of files.
In this topic, we will learn some techniques to maintain integrity of data.
Integrity ensures that the data delivered or stored is correct and has not been tampered with: no unauthorized changes are made to protected data. Hashing and cryptographic techniques are often used to provide it. Verifying integrity is essential, and can be done using hashing, digital signatures, certificates, and non-repudiation.
We will discuss all of these in greater detail.
Hashing produces a fixed-length digest of data using a one-way function; recomputing the digest and comparing it with the stored or published value reveals whether the data has changed. A plain hash only detects accidental change: an attacker who can replace the data can recompute its hash too, so protection against deliberate tampering requires combining the hash with a secret key (an HMAC) or a digital signature.
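Hash versus keyed hash, as an added example that is not part of the lecture. The sample record and the attacker's guessed key are constructed; the functions use only the standard library. The two scenarios show that a plain SHA-256 catches a corrupted bit but not an attacker who rewrites both the record and its published hash, while an HMAC catches the latter. An HMAC still does not give non-repudiation, since sender and receiver share the same key; that needs a digital signature.

```python
import hashlib
import hmac
import os

# Added example, not from the lecture. Sample data below is constructed.

def sha256_hex(data: bytes) -> str:
    """Fixed-length digest; any change to the input changes roughly half the bits."""
    return hashlib.sha256(data).hexdigest()

def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Integrity check against a published hash (no secret involved)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)

def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_mac(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag_hex)

def corruption_scenario() -> bool:
    """Accidental change (one flipped bit) is caught by a plain hash.
    Returns whether the corrupted record still passes the hash check."""
    original = b"transfer 100 to account 42\n"   # constructed sample record
    published = sha256_hex(original)
    corrupted = bytes([original[0] ^ 0x01]) + original[1:]
    return verify_hash(corrupted, published)      # False: mismatch detected

def tamper_scenario():
    """Deliberate change: attacker rewrites the record AND recomputes the hash.
    Returns (plain hash check passes, HMAC check passes)."""
    key = os.urandom(32)                          # shared only by sender and receiver
    original = b"transfer 100 to account 42\n"
    tag = mac(key, original)                      # receiver will verify this tag
    assert verify_mac(key, original, tag)         # honest record passes

    forged = b"transfer 100 to account 99\n"
    forged_hash = sha256_hex(forged)              # needs no secret, so trivially done
    forged_tag = mac(b"attacker guess", forged)   # attacker does not hold `key`
    return verify_hash(forged, forged_hash), verify_mac(key, forged, forged_tag)

if __name__ == "__main__":
    print(sha256_hex(b"abc"))
    print(corruption_scenario())   # False
    print(tamper_scenario())       # (True, False)
```

The comparisons use hmac.compare_digest rather than == so that verification time does not depend on how many leading bytes match.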
Digital signatures verify the identity of the sender and whether the data was changed in transit: the sender signs a hash of the data with a private key, and anyone holding the matching public key can verify the signature. They are commonly used for driver signing and email. After a driver is approved, it is signed so that the operating system can verify that it has not been modified by a malicious user and that it actually comes from the authorized vendor.
Certificates are used within the Public Key Infrastructure (PKI) and are based on public-key cryptography. A certificate binds a public key to an identity and is issued by a trusted third party, the Certificate Authority (CA); it is involved in providing integrity for the information sent and in authenticating the sender and the recipient.
Certificates help prevent man-in-the-middle attacks and confirm that information has not been tampered with. The issuing CA maintains the security of the certificates it has issued. If a certificate's private key is compromised, the CA revokes the certificate and it is no longer valid; an expired certificate is likewise rejected. Clients should therefore check both the validity period and the revocation status (via a CRL or OCSP) before trusting a certificate.
Non-repudiation is the process of holding a sender accountable: it verifies the identity of the person who sent the data and proves that a particular action was taken by that person. It is enforced with cryptography, typically a digital signature made with a private key that only the sender holds, and prevents people from denying that they sent the data.
In this topic, you will learn the concepts on protecting availability.
Availability is the security service that protects the timely and reliable use of a resource. It goes hand in hand with securing data in CIA: it makes sure that data and resources on the network are available for employees to perform their normal job functions. Too much confidentiality or integrity can prevent a person from accessing the resources they need to accomplish their task.
When you review the risks and business continuity of your network, weigh the amounts of confidentiality, integrity, and availability against each other. Apply only as much of each as the data requires, so that users can access the resources they need without interrupting production.
Availability is also violated when data is no longer accessible: for instance, when data is destroyed while it is still needed, or modified without authorization so that it can no longer be used.
Within the environment, your team has redefined security policies and goals, and there is a desired increase in the availability of networks and resources for users working remotely. The challenge is to ensure that security is maintained when data is transmitted between the office and remote users, with strong controls in place to protect the integrity of data in motion and to ensure that both the user and the network authenticate their identity to each other.
Increasing the availability of network resources can be done in multiple ways. RDP (Remote Desktop Protocol) allows users to work remotely, but exposed on its own it does not provide the desired confidentiality or integrity.
It is recommended to create a VPN tunnel that encrypts the data transferred between the office and remote users, which increases confidentiality. Using an SSL/TLS VPN that authenticates both the server and the client with certificates ensures that no man-in-the-middle can insert itself into the tunnel, which increases integrity.
We require redundancy in various aspects of operational security. Job rotation and cross-training offer redundancy in a job role, ensuring that the tasks of that role can still be performed when a particular person is unavailable.
Additionally, redundancy enhances availability by avoiding single points of failure, whether in a device, a person, a route of traffic, or the location of data storage.
Fault tolerance provides enhanced availability: it allows systems to continue operating in some fashion even after a critical failure.
Patching is the process of applying updates to systems and devices to maintain a stable and secure environment. However, patches (driver updates, for example) should be tested thoroughly before being rolled out, because a patch that conflicts with the live setup defeats the increased availability that patching is meant to provide.
Systems or devices no longer patched by their vendors become open targets for attack. When devices become vulnerable due to lack of patching, there is a real chance of loss of availability.
In this topic, we will discuss different aspects of security and safety.
Safety of the facility and personnel often falls under the authority of the security administrator. Safety should be one of the primary goals of security alongside the trio of Confidentiality, Integrity, and Availability. Physical security should protect employees and assets with the same rigor we use to enforce CIA.
You have a server farm whose fire suppression system, tied into the HVAC, pulls the oxygen out of the server room and seals the room in the event of a fire. The doors to the server room are electronically locked with biometric readers. In an emergency, you do not want employees in the server farm to depend on the biometrics to let them out before the oxygen is removed. Your task is to identify the controls that would protect employee lives during such an emergency.
The security policy and the technology of the biometric and electronic door locks should make the doors fail-safe (fail-open): on a fire alarm, a suppression trigger, or loss of power, the locking mechanism is disabled automatically so people can exit. Fail-secure locks, which stay locked when power is lost, are appropriate only where no one can be trapped inside.
Users should be trained properly on the procedures and escape routes. The escape routes and plans should be clearly posted in the server farm to ensure employees know how to get out of the farm in case of an emergency.
Lastly, training exercises should be performed regularly to ensure employees do not panic in a real emergency.
Now, let’s see the key safety aspects related to physical controls.
Fencing – It is used to protect against basic trespassing, and it clearly identifies geographic boundaries of a property.
Escape Plans – It is important to have an escape plan in case of an emergency such as fire, a terrorist attack, or a natural disaster.
There should also be a backup plan or an alternative for the primary escape plan, which should be employed only if the primary escape plan fails.
These plans should be posted on the walls for the employees, and escape paths should be clearly marked. Moreover, the security officer should regularly communicate this information to the employees.
Drills – Employees need to be trained on the safety and escape procedures, and that training should be tested with drills and simulations. This ensures the emergency procedures, escape plans, and routes are clearly understood. It also minimizes the likelihood of anxiety and panic, which arise when escape plans are not followed in an emergency.
Escape Routes – It is the route an individual should take to reach the safety point outside the building. These routes should be clearly defined in the mentioned escape plans, and indicated by clearly visible sign boards. Moreover, the escape routes should be practiced in timely drills and exercises to ensure that employees are aware of what needs to be done in case of an emergency.
Testing Controls – All elements that protect human life and the facility should be tested regularly. If these elements fail, there is room for physical intrusion and a data breach. The elements include fences, gates, mantraps, cameras, and the other physical security controls around your facility.
Lighting – It is a means of security to deter undesirable activities such as theft, loitering, and vandalism.
Locks – These secure doors, containers, and hardware to protect assets and keep intruders out of unauthorized areas.
CCTV – CCTV or security cameras are recording devices that create a digital record of events. It is recommended to pair such detective and auditing controls with security guards to enhance the safety of a facility.
• The goals of security focus on three primary areas: Confidentiality, Integrity, and Availability.
• Encryption, Access Controls, and Steganography are the three security controls related to Confidentiality.
• Hashing, Digital Signatures, Certificates, and Non-repudiation form the four Integrity techniques.
• Availability is the security service that provides protection for the use of a resource in a timely and effective manner.
• Safety should be one of the primary goals of security along with the trio of Confidentiality, Integrity, and Availability.
With this, we conclude the lesson, ‘Select the Appropriate Control to Meet the Goals of Security.’
The next lesson is, ‘Explain Different Types of Malware.’