Lecture 2 Principles of Cyber Security
Cyber Security
Lecture 2:
Principles of Cyber Security
Learning Objectives
• Understand confidentiality, integrity, and availability (the CIA security model)
• Describe the security objectives of confidentiality, integrity, and availability
• Discuss why organizations choose to adopt a security framework
• Understand the intent of the National Institute of Standards and Technology
(NIST) Cybersecurity Framework
• Understand the intent of the ISO/IEC 27000-series of standards
• Outline the domains of a cybersecurity program
• Identify the six Ps, the unique functions of information security
management
CIA Triad (CIA Security Model)
• Confidentiality, Integrity, and Availability
• An attack against one or several of the elements of the CIA triad is an
attack against the cybersecurity of the organization
• Protecting the CIA triad means protecting the assets of the company
Confidentiality Principles
• Not all data owned by the company should be made available to the
public
• Failing to protect data confidentiality can be disastrous for an
organization
• Protected Health Information (PHI) between doctor and patient
• Protected Financial Information (PFI) between bank and customer
• Business-critical information to rival company
Confidentiality Principles
• Only authorized users should gain access to information
• Information must be protected when it is used, shared, transmitted,
and stored
• Information must be protected from unauthorized users both
internally and externally
• Information must be protected whether it is in digital or paper format
Threats to Confidentiality
• Hackers and hacktivists
• Shoulder surfing
• Lack of shredding of paper documents
• Malicious Code (viruses, worms, Trojans)
• Unauthorized employee activity
• Improper access control
Integrity Principles
• Integrity: The protection of data, processes, or systems from
intentional or accidental unauthorized modification
• Data integrity
• System integrity
• It is critical that a business be able to trust the integrity of its data
• A breach of data integrity can prevent the business from conducting
business
Threats to Integrity
• Human error
• Hackers
• Unauthorized user activity
• Improper access control
• Malicious code
• Interception and alteration of data during transmission
Controls to Protect Data Integrity
• Access controls
• Encryption
• Digital signatures
• Process controls
• Code testing
• Monitoring controls
• File integrity monitoring
• Log analysis
• Behavioral controls
• Separation of duties
• Rotation of duties
• Training
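The file integrity monitoring control above, as an added example that is not part of the lecture: it records a SHA-256 digest of every file under a directory, seals that baseline with an HMAC (so that whoever alters a file cannot simply re-hash it into the baseline), and later reports modified, added and removed files. The directory contents, the key and the tampering are constructed for the demonstration; the assumption that the HMAC key is held off the monitored host is what makes the baseline trustworthy.

```python
"""Added example, not from the lecture: a minimal file integrity monitor (FIM).

It records a SHA-256 digest for every file under a directory, seals that
baseline with an HMAC so an attacker who alters a file cannot simply
re-hash it into the baseline, and later reports modified, added and removed
files. The directory contents, key and tampering below are constructed
for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root, '/' separated) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def seal_baseline(baseline, key):
    """Serialise the baseline and append an HMAC-SHA256 tag.

    Assumption: the key is kept off the monitored host, so whoever modifies
    files there cannot also forge a matching tag.
    """
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_baseline(sealed, key):
    """Verify the tag before trusting a stored baseline; raise if it was edited."""
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline HMAC mismatch: stored baseline was tampered with")
    return json.loads(body)


def check_integrity(root, baseline):
    """Compare the current tree with the trusted baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline three files, then make unauthorized changes."""
    key = b"demo-key-held-by-the-monitoring-server"  # assumption: not stored on the host
    with tempfile.TemporaryDirectory() as root:
        files = {"app.cfg": b"debug=false\n", "bin/run": b"#!/bin/sh\n", "notes.txt": b"hello\n"}
        for rel, content in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        sealed = seal_baseline(build_baseline(root), key)

        # Unauthorized activity: a config edit, a dropped binary and a deleted file.
        with open(os.path.join(root, "app.cfg"), "wb") as f:
            f.write(b"debug=true\n")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"\x7fELF")
        os.remove(os.path.join(root, "notes.txt"))

        report = check_integrity(root, open_baseline(sealed, key))

        # An attacker who edits the stored baseline itself must be caught too.
        forged = sealed.replace(b"app.cfg", b"app.cfx", 1)
        try:
            open_baseline(forged, key)
            report["baseline_tamper_detected"] = False
        except ValueError:
            report["baseline_tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC over the baseline is the part most toy FIM scripts omit: a plain hash list stored next to the files it protects can be rewritten by the same intruder who changed the files, which turns the control into an alert that never fires.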
Availability
• Availability: The assurance that the data and systems are accessible
when needed by authorized users
• What is the cost of the loss of data availability to the organization?
• A risk assessment should be conducted to more efficiently protect
data availability
Threats to Availability
• Natural disaster
• Hardware failures
• Programming errors
• Human errors
• Distributed Denial of Service attacks
• Loss of power
• Malicious code
• Temporary or permanent loss of key personnel
How to measure the value of information - CIA Triangle
The value of information comes from the characteristics it possesses
Expanded to include:
• Identification
• Authentication
• Authorization
• Privacy
• Accountability
Identification and Authentication
Identification
– An information system possesses the characteristic of
identification when it is able to recognize individual users
– Identification and authentication are essential to
establishing the level of access or authorization that an
individual is granted
Authentication
– Occurs when a control proves that a user possesses the
identity that he or she claims
Authorization
Assures that the user has been specifically and
explicitly authorized by the proper authority to access,
update, or delete the contents of an information asset
Privacy
Information collected, used, and stored by an organization is to be used
only for the purposes stated to the data owner at the time it was
collected
Accountability
Exists when a control provides assurance that every activity undertaken
can be attributed to a named person or automated process
The Five A’s of Information Security
• Accountability
• Assurance
• Authentication
• Authorization
• Accounting
Accountability
• Make sure all actions are traceable to the actor
• Keep, archive, and secure logs
• Deploy intrusion detection systems
• Use computer forensic techniques retroactively
• Focus accountability on both internal and external
actions
Assurance
• Assurance: The knowledge that the measures taken are efficient and
appropriate
• Design and test security measures to ensure they are efficient and
appropriate
• Assurance activities
• Auditing and monitoring
• Testing
• Reporting
Authentication
• Authentication: The positive identification of the person or system
seeking access to secured information and/or system
• Cornerstone of most network security models
• Examples of authentication models:
• User ID and password combination
• Tokens
• Biometric devices
Authorization
• Authorization: The act of granting users or systems actual access to
information resources
• Level of access may change based on the user’s defined access level
• Examples of access level include:
• Read only
• Read and write
• Full
Accounting
• Accounting: The logging of access and usage of resources
• Keeps track of who accesses what resource, when, and for how long
• Example: Internet café where users are charged by the minute of use
of the service
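Authentication, authorization and accounting as described in the three slides above, combined in one small access gateway. This is an added example, not code from the lecture: the users, passwords and the protected resource are constructed, the three access levels (read only, read and write, full) are the ones listed above, and the accounting log is hash-chained so that an edited or deleted record is detectable, which is the "secure logs" part of accountability.

```python
"""Added example, not from the lecture: authentication, authorization and
accounting (three of the five A's) in one small access gateway.

Users, passwords and the protected resource are constructed for the
demonstration; the three access levels (read only, read and write, full)
are the ones the lecture lists.
"""
import hashlib
import hmac
import json
import os
import time

PBKDF2_ROUNDS = 100_000

# Authorization: which operations each access level permits.
LEVELS = {
    "read-only": {"read"},
    "read-write": {"read", "update"},
    "full": {"read", "update", "delete"},
}


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256: slow on purpose so offline guessing is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccessGateway:
    def __init__(self):
        self.users = {}   # user id -> (salt, password hash, access level)
        self.ledger = []  # accounting records, hash-chained to resist tampering

    def add_user(self, user_id, password, level):
        salt = os.urandom(16)
        self.users[user_id] = (salt, hash_password(password, salt), level)

    # Authentication: prove the caller holds the identity it claims.
    def authenticate(self, user_id, password):
        record = self.users.get(user_id)
        if record is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, stored, _ = record
        return hmac.compare_digest(hash_password(password, salt), stored)

    # Authorization: is this action within the user's defined access level?
    def authorize(self, user_id, action):
        return action in LEVELS.get(self.users[user_id][2], set())

    # Accounting: record who did what to which resource, when, and the outcome.
    def account(self, user_id, action, resource, outcome):
        prev = self.ledger[-1]["entry_hash"] if self.ledger else "0" * 64
        entry = {"time": time.time(), "user": user_id, "action": action,
                 "resource": resource, "outcome": outcome, "prev": prev}
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.ledger.append(entry)

    def verify_ledger(self):
        """Recompute the hash chain; any edited or removed record breaks it."""
        prev = "0" * 64
        for entry in self.ledger:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def request(self, user_id, password, action, resource):
        """Full AAA path for one request; every outcome, good or bad, is logged."""
        if not self.authenticate(user_id, password):
            outcome = "auth-failed"
        elif not self.authorize(user_id, action):
            outcome = "denied"
        else:
            outcome = "allowed"
        self.account(user_id, action, resource, outcome)
        return outcome


def demo():
    """Constructed scenario: two users, five requests, then a tampered log."""
    gw = AccessGateway()
    gw.add_user("alice", "correct horse battery", "read-only")
    gw.add_user("bob", "hunter2-but-longer", "full")
    outcomes = [
        gw.request("alice", "correct horse battery", "read", "payroll.xlsx"),
        gw.request("alice", "correct horse battery", "delete", "payroll.xlsx"),
        gw.request("bob", "hunter2-but-longer", "delete", "payroll.xlsx"),
        gw.request("bob", "wrong", "delete", "payroll.xlsx"),
        gw.request("mallory", "anything", "read", "payroll.xlsx"),  # unknown user
    ]
    intact = gw.verify_ledger()
    gw.ledger[1]["outcome"] = "allowed"  # an insider rewrites the record of the denial
    return outcomes, intact, gw.verify_ledger()


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: failed authentications and denied authorizations are logged as carefully as successes, since those are the records an investigator needs, and the unknown-user path still runs the password hash so response time does not reveal which user ids exist.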
Who Is Responsible for CIA?
• Information owner
• An official with statutory or operational authority for specified information
• Has the responsibility for ensuring information is protected from creation
through destruction
• Information custodian
• Maintains the systems that store, process, and transmit the information
Cybersecurity Framework Models
• NIST Cybersecurity Framework
• Information Security Management System
by ISO
NIST (National Institute of Standards and
Technology)
• Founded in 1901 as a nonregulatory federal agency
• Mission: To develop and promote measurement,
standards, and technology to enhance productivity,
facilitate trade, and improve quality of life
• Publishes 500+ information security-related documents
including
• Federal Information Processing Standards
• Special Publication 800 series
• ITL bulletins
ISO (International Organization for
Standardization)
• A network of national standards institutes of 160 countries
• Nongovernmental organization that has developed more than 13,000
international standards
• The ISO/IEC 27000 series is the family of information security standards
published jointly by ISO and the International Electrotechnical Commission (IEC)
ISO 27002:2013 Code of Practice
• Comprehensive set of best practices in cybersecurity
• ISO 27002:2013 domains:
• Information Security Policies
• Organization of Information Security
• Human Resources Security
• Asset Management
• Access Control
• Cryptography
ISO 27002:2013 Code of Practice
• ISO 27002:2013 domains (continued):
• Physical and Environmental Security
• Operations Security
• Communications Security
• Systems Acquisition, Development, and Maintenance
• Supplier Relationships
• Information Security Incident Management
• Business Continuity Management
• Compliance Management
Principles of Information Security Management
• The unique functions of information security management are known
as the six P’s:
Planning
Policy
Programs
Protection
People
Project Management
InfoSec Planning
• Planning as part of InfoSec management
is an extension of the basic planning
model discussed earlier in this chapter.
InfoSec Planning (Cont.)
• Several types of InfoSec plans exist:
• Incident response planning
• Business continuity planning
• Disaster recovery planning
• Policy planning
• Personnel planning
• Technology rollout planning
• Risk management planning
• Security program planning
Policy
• Policy is “a set of organizational guidelines that dictate certain
behavior within the organization”.
• In InfoSec, there are three general categories of policy (discussed in
detail in Chapter 4):
Enterprise Information Security Policy (EISP)
Issue-Specific Security Policies (ISSPs)
System-Specific Policies (SysSPs)
Programs
• InfoSec operations that are specifically
managed as separate entities are called
“programs”.
• A security education, training and awareness (SETA) program is one such
entity.
• SETA programs provide critical information
to employees to maintain or improve their
current levels of security knowledge.
• Other programs that may emerge include a
physical security program, complete with
fire protection, physical access, gates,
guards and so on.
Protection
• The protection function is executed via a set of risk management
activities, including risk assessment and control, as well as protection
mechanisms, technologies and tools.
• Each of these mechanisms represents some aspect of the
management of specific controls in the overall information security
plan.
People
• People are the most critical link in the InfoSec program.
• This area encompasses security personnel (the professional information
security employees), personnel security (the protection of employees and
their information) and aspects of the SETA program mentioned earlier.
Projects
• The final component is the application of
thorough project management discipline
to all elements of the information
security program.
Project Management
• Information security is a process, not a project; however, each element
of an information security program must be managed as a project, even if
the overall program is perpetually ongoing.
• How can information security be both a process and a project? It is, in
fact, a continuous series, or chain, of projects.
• Some aspects of information security are not project based; rather, they
are managed processes and are ongoing.
Summary
• The CIA triad is the blueprint for which assets need to be protected in
order to protect the organization
• The information owners and information custodians are jointly
responsible for CIA
• The 5 A’s of information security are Accountability, Assurance,
Authentication, Authorization, and Accounting
• Standards such as the ISO 27002 exist to help organizations better
define appropriate ways to protect their information assets
• The unique functions of information security management are
known as the six Ps