Section 2 Fundamentals of Security
CompTIA IT Security Course
convenience and security are always a trade-off
important to distinguish between:
Information Security – protecting the actual data, i.e. the content, not the system itself
Information Systems Security – protecting the system that holds the data – hardware and software systems, OS etc.
Remember the CIA triad:
Confidentiality – Integrity – Availability
confidentiality – unauthorized persons or systems can't access the data
integrity means ensuring data remains accurate and not tampered with
non-repudiation – very important concept: guarantees an action has taken place and can't be denied.
2 new things added:
non repudiation
Authentication,
so we now have the CIANA – pentagon!
Authentication: verifying the identity of a user or system
Authorization: defines what actions a user or system can perform, or access it has.
Accounting: tracking user activities and resource use – often for audit, security or billing purposes
Security Controls are put into place:
Technical
Managerial
Operational
Physical
Zero Trust is a new security model, meaning no-one is trusted by default.
Control plane
data plane
THREATS and VULNERABILITIES
we can't control all threats, but we do have the ability to control vulnerabilities as they come from internal factors – s/w bugs, lack of physical security, misconfigurations, network weaknesses etc
where threats and vulnerabilities intersect is where the biggest risk to systems and organizations lies – v important
threat + no vulnerability = no risk
vulnerability + no threat = no risk
hashing – process of converting data into a fixed-size value – indicates if data has been altered
= result is a hash digest or digital sig
digital signature – uses encryption / checksums to verify data is still correct in transit – the values at sending and at receipt can be compared
access controls and regular audits also used
integrity is best achieved via hashing – it is essential
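An added example (not from the course notes) of the hash-then-compare check described above, in Python: the sender computes a SHA-256 digest, the receiver recomputes it over what arrived and compares. The keyed HMAC variant goes one step beyond the notes, since a plain digest can simply be recomputed by whoever altered the data; the message and shared key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample message standing in for data sent across a network.
MESSAGE = b"transfer 100.00 to account 12345"
# Constructed shared key for the keyed variant; in practice it is provisioned
# out of band and is never sent alongside the message.
SHARED_KEY = secrets.token_bytes(32)


def hash_digest(data: bytes) -> str:
    """Sender side: fixed-size SHA-256 digest of the data (64 hex chars)."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    """Receiver side: recompute the digest over the received data and compare
    it with the digest that was sent (constant-time compare)."""
    return hmac.compare_digest(hash_digest(data), expected)


def keyed_digest(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: only a holder of the key can produce a valid value, so
    someone who changes the data in transit cannot just recompute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_digest(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(keyed_digest(data, key), expected)


def demo() -> dict:
    """Show that any change to the data, even one digit, fails the check."""
    sent = hash_digest(MESSAGE)
    sent_keyed = keyed_digest(MESSAGE, SHARED_KEY)
    tampered = MESSAGE.replace(b"12345", b"99999")
    wrong_key = secrets.token_bytes(32)
    return {
        "intact_ok": verify_digest(MESSAGE, sent),
        "tampered_ok": verify_digest(tampered, sent),
        "keyed_intact_ok": verify_keyed_digest(MESSAGE, SHARED_KEY, sent_keyed),
        "keyed_tampered_ok": verify_keyed_digest(tampered, SHARED_KEY, sent_keyed),
        "keyed_wrong_key_ok": verify_keyed_digest(MESSAGE, wrong_key, sent_keyed),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```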
system uptime of "5 9s" = 99.999% means no more than 5 minutes downtime per year (99% means no more than 3.5 days of downtime per year)
best solution is redundancy
backup options to ensure uninterrupted service
4 types of redundancy:
server = multiple servers
data = storing data in multiple locations – raids, cloud services
network = multiple network paths
power = ups, etc backup power supplies, generators, battery systems etc
remember:
redundancy = increased availability
NONREPUDIATION:
providing undeniable proof in digital transactions: compare ordinary letter post with registered post
AUTHENTICATION of user – aims to verify the identity of users or entities
something you know eg password
something you have eg mobile phone with particular number for 2FA
something you are eg facial recognition or fingerprint id
something you do – action factor
somewhere you are – location-based factor, according to where you are geographically
you can combine more than one:
2FA – 2 factor authentication
2 or more: MFA – multi factor authentication – safer
AUTHORIZATION:
refers to permissions granted to users or entities once authenticated. About WHAT they can do once in the system.
thus even if 2 users have the same authentication, they need not have the same authorization
protects data – only those with sufficient authorization can do certain things to data, reading, writing, deleting etc
to maintain system integrity – only sysadmins can do root level actions
or database changes – only specific users can modify or write
SECURITY CONTROL CATEGORIES
multi faceted controls:
Technical: eg anti virus software, firewalls, IDS, encryption
managerial: strategic planning and governance side of security
operational:
physical
TYPES OF SECURITY CONTROLS:
preventative eg firewalls
deterrent – eg warnings on websites
detective – monitor for malicious activities, detect and notify, does not try to directly stop break-ins eg IDS
corrective – once a threat is detected, we use a corrective control to mitigate potential damage, eg quarantine malware and remove it; so things can be in multiple categories, eg both detective and corrective
compensating – eg using a different, simpler encryption or password system which is not the latest
directive controls – guide or mandate different action, eg user control policies or regulations
ZERO TRUST:
we trust no one; grant only as little permission as required
means trust nothing – verify everything, device, user ,transaction, regardless of origin.
GAP ANALYSIS:
identify the difference between the current performance and desired performance states of an organization or dept.
1. define scope – which areas are we talking about
2. gather data on current state of the scope under question
3. analyse the data to identify the gaps
4. plan to bridge the gaps
include the goals, objectives, and a time line to achieve them
tech gap analysis
looks at the current tech infra
business gap analysis
looks at the biz processes and where they fall short eg data management requires extra cloud storage or servers