Information Security Concepts
Confidentiality, Integrity, Availaibilty – CIA Triad
Confidentiality – Seeks to prevent unauthorized read access to data. Data must only be accessible to users who have the clearance, formal access approval and the need to know.
Integrity – Seeks to prevent unauthorized modification of information.
- Data Integrity – Protect information from modification
- System Intgrity – Protect system from modification
Availability – Ensures information in available when needed. DoS (Denial of Service) is an attack on availability.
Our mission is to balance the needs of confidentiality, integrity and availability and make tradeoffs when needed.
Disclosure, Alteration and Destruction – DAD Triad – opposite of CIA
Disclosure – unauthorized release of information
Alteration – unauthorized modification of data
Destruction – making systems or data unavailable
Identity and Authentication, Authorization, and Accountability (AAA)
Identity and Authentication – Proving who you claim you are (authenticate) by providing a piece of information or an object that only you possess – such as a password.
Authorization – Describes the actions you can perform on a system once you have been identified and authenticated.
Accountability – Holds users accountable for their actions. Can be done by logging and analyzing audit data.
A user cannot deny (repudiate) having performed a transaction. It requires both authentication and Integrity to have non-repudiation.
Least Privilege and need to know
A user should be granted to a minimum amount of access (authorization) required to perform their jobs. Need to know is more granular thatn least privilege; the user must need to know that specific piece of information before accessing it.
Subjects and objects
Subject – Active entity on a data system. ie People, scripts and programs accessing data files are common subjects.
Object – Passive data within a system. ie Documents, database tables, text files.
Note – iexplore.exe is a subject while running in memory and a object on the file system
Defense in depth
Defense in depth aka layered defense – applies safeguards (controls – measures to reduce risk) to protect an asset. Any single security control may fail, but by deploying multiple controls you improve CIA.