
Foundational cybersecurity concepts

This section introduces core and foundational cybersecurity concepts such as the CIA triad, risk, threat, vulnerability, mitigation, and the AAA framework.

Learning objectives

  • Become familiar with key cybersecurity concepts and practices

  • Learn key cybersecurity definitions

  • Describe where cybersecurity fits within corporate organizational structures

  • Understand how cybersecurity is practiced within organizations

This section introduces cybersecurity concepts and practices germane to any instruction aiming to establish a practical understanding of the goals of cybersecurity and how it is practiced within organizations. This section covers definitions of information security, the CIA triad, risk, threat, vulnerability, mitigation, and the AAA framework (Authentication, Authorization, and Accounting).

Topics covered in this section

  • Information security definition

  • The place of information security in enterprise IT governance

  • Confidentiality, Integrity, and Availability (CIA) of information

  • Information security risk management

  • Techniques of CIA attacks

  • CIA attacks mitigation technologies

  • Other foundational information security concepts

Information security definition

The terms information security, cybersecurity, Internet security, computer security, and network security have intersecting and evolving meanings, but generally refer to processes of implementing security controls including IA (Information Assurance)/IT governance frameworks to protect the confidentiality, integrity, and availability of privileged information as well as the technological infrastructure of a computer network or system against unauthorized access or manipulation (Anderson, 2003; Blakley, McDermott & Geer, 2001; Cherdantseva & Hilton, 2013; CNSS, 2010; ISACA, 2008; ISO/IEC 27000:2009; Venter & Eloff, 2003).

Sensitive data should be protected based on the potential impact of a loss of confidentiality, integrity, or availability. Confidentiality refers to protecting information from being accessed by unauthorized parties. Integrity refers to ensuring the authenticity of information—that information is not altered, and that the source of the information is genuine. Availability of information means that information is accessible by authorized users when needed.

Information security is “a risk management discipline” (Blakley et al., 2001) focused on identifying information assets, associated risks, and suitable mitigation methods. An asset is any hardware, software, information system, network, or database which an organization uses to achieve its business goals.

Information security,

  • “preserves the confidentiality, integrity and availability of information” (ISO/IEC 27000:2009);

  • is concerned with “authenticity, accountability, non-repudiation and reliability” (ISO/IEC 27000:2009);

  • ensures that “only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)” (ISACA, 2008);

  • is concerned with both the protection of information as well as that of the technological infrastructure or information systems (Cherdantseva & Hilton, 2013; CNSS, 2010);

  • is concerned with access to information (CNSS, 2010; ISACA, 2008); and

  • aims to provide assurance “that information risks and controls are in balance” (Anderson, 2003).

Key information security concepts include privacy, authenticity and trustworthiness, non-repudiation, accountability and auditability, and reliability (Cherdantseva & Hilton, 2013; ISO/IEC 27000:2009).

The broad pragmatic goal of information security is to reduce the likelihood of unauthorized access or damage to valued information assets to an acceptable level through risk mitigation strategies that involve management controls (e.g., security policies), technological controls (e.g., intrusion detection techniques), and procedural/operational controls (best practices/standard operating procedures).

Information security threats most commonly rated as a concern in higher education in North America are as follows. Confidentiality attacks: Exposure of confidential or sensitive information (79%); Integrity attacks: Unauthorized or accidental modification of data (29%); Availability attacks: Loss of availability or sabotage of systems (16%); Mixed threat attacks: Email viruses, ransomware, or other malware (31%); and Unauthorized, malicious network/system access (27%) (EDUCAUSE Information Security Almanac, April 2019, p. 2).

The place of information security in enterprise IT governance

Information systems (IS) are comprised of hardware, software, and communications infrastructure, designed to process, store, and transmit data. Within this context, information security is the specialized discipline focused on protecting the confidentiality, integrity, and availability (CIA) of that data against unauthorized access, disclosure, disruption, or damage “at three levels or layers: Physical, personal and organizational” (Cherdantseva & Hilton, 2013).

To understand the place of information security in enterprise IT governance, we must first distinguish between governance and management. Governance is the system of direction and control. Information security governance is a top-level enterprise business function, operating under the broader rubric of IT governance (e.g., COBIT, ISO 38500), responsible for defining security strategy, establishing policy, and ensuring that security investments align with business objectives.

In comparison, IT security (often referred to as security management or operations) is the technical and administrative function responsible for implementing that strategy. IT security professionals execute controls, monitor systems, manage identities, and maintain the technological infrastructure. In this structure, the IT department functions as the primary execution partner and control implementer for the security governance function. While Human Resources or Finance are business customers who consume security services (e.g., access recertification), the IT organization itself is the subject of governance oversight, responsible for operationalizing policy within the network and systems architecture.

This clear distinction is codified in the separation of duties common in mature enterprises. Governance sets the risk appetite and policy framework; IT security operationalizes controls to keep the organization within that appetite. This is evidenced by the 2019 EDUCAUSE Information Security Almanac, which notes that central IT holds primary responsibility for technical domains such as Network security (94%), Monitoring (88%), and Identity management (83%).

The relationship between information security and IT governance can be visualized through the three-tier governance model frequently cited in risk management frameworks (NIST SP 800-39, ISO 27001). At the top tier (Tier 1), enterprise governance defines the organizational risk tolerance and strategic direction. Information security governance translates this enterprise view into specific security principles and a formal security program charter.

At the middle tier (Tier 2), these policies are interpreted into specific business process requirements and system-level control objectives. This is where risk management acts as the bridge. IT security professionals conduct risk assessments (qualitative and quantitative) to identify gaps between current operational states and the governance-mandated policy. The results of these assessments flow up to governance to inform policy updates, and flow down to IT operations to drive control selection (e.g., technical safeguards, intrusion detection systems, encryption standards).

At the operational tier (Tier 3), IT security implements and monitors controls. However, a key CISSP principle is that security governance retains accountability even when operational control is delegated. This is achieved through continuous monitoring and formal reporting mechanisms (e.g., Balanced Scorecards, KRIs). Thus, information security governance is not merely a support function for IT; it is an integrated component of enterprise governance, ensuring that cyber risk is treated with the same fiduciary gravity as financial or legal risk. This integration prevents security from being viewed as a technical obstacle and repositions it as an enabler of informed business risk-taking.

Confidentiality, Integrity, and Availability (CIA) of information

The most concrete (as opposed to abstract) and tactical (as opposed to strategic) goal of information security is the protection of the confidentiality, integrity, and availability of information assets. By comparison, the most strategic goal of information security in an enterprise is to support the enterprise's strategic vision and mission. The principles of the CIA triad form the foundation of security. These three principles help ensure that data is protected, accurate, and accessible when needed.

  • Confidentiality denotes an imperative that only authorized users should be able to access privileged/private data.

  • Integrity denotes an imperative that data should not be changed or modified by unauthorized users. Data should be correct and authentic.

  • Availability denotes an imperative that an information system should be operational and accessible to authorized users. For example, staff should be able to access the internal resources they need to perform their duties, and the company’s website should be up and running and available to customers.

Information security risk management

Organizations evaluate information security risks for multiple drivers: insurance underwriting requires quantified risk profiles, resource allocation demands prioritized investments, and regulatory frameworks such as HIPAA, PCI DSS, and SSAE 16 mandate periodic risk assessments. Before these assessments can begin, however, the organization must first understand itself.

The essential first step in identifying business risks is understanding the organization as a social and operational system—its identity, corporate vision, stakeholder relationships, and core values. This contextual foundation is formalized in Clause 4 of ISO 22301 (Business Continuity Management System), which requires organizations to analyze their internal and external environments, including their activities, functions, services, and—critically—their risk appetite (ISO 22301 Portal, 2015). Risk appetite represents the amount and type of risk senior management is willing to accept in pursuit of strategic objectives. Once this appetite is established, it becomes the benchmark against which all identified risks are evaluated.

The following three subsections build upon this foundation. First, we establish the core vocabulary of risk management—vulnerabilities, threats, exploits, and mitigation. Second, we examine the specific sources from which vulnerabilities arise in modern networks and systems. Finally, we explore how organizations translate these concepts into practice through structured risk management approaches.

Foundational definitions in information security risk management

Risk management requires understanding the key concepts of vulnerabilities, exploits, threats, threat vectors, and mitigation.

  • A vulnerability is any potential weakness that can compromise the CIA of information assets. A glass window in a house is a vulnerability burglars can exploit to enter the house.

  • An exploit is a tool or technique that can be used to take advantage of a vulnerability. A rock can exploit the weakness of glass windows and may be used to enter a house.

  • A threat is the potential of a vulnerability to be exploited. The threat of house burglary is the potential a burglar will exploit the glass window vulnerability using a rock (or other exploits) to gain entry into a house.

  • A threat vector is a means or method a threat actor can use or follow to exploit a vulnerability (i.e., the pathway of an attack). A glass window a burglar can use to gain entry into a house can be considered a threat vector.

  • A mitigation technique is something that can protect against threats. Appropriate mitigation techniques should be implemented everywhere a vulnerability can be exploited, for example, devices, servers, switches, and routers. In our glass window example, adding welded metallic bars would be a mitigation technique.

Sources of network vulnerabilities

Computer system vulnerabilities can be categorized based on their origin. Understanding these root causes is essential for effective risk assessment and control selection.

  • Software infrastructure: Insecure code embedded within operating systems, applications, or firmware (e.g., buffer overflows, SQL injection flaws, business logic errors, or race conditions) and unpatched software (e.g., missing vendor security updates for operating systems, applications, or firmware). This also includes vulnerabilities introduced by third-party libraries, software dependencies, and end-of-life software no longer supported by the vendor.

  • Network infrastructure: Weaknesses arising from misconfigured protocols and IP services (e.g., unnecessary open ports, default SNMP community strings, weak VPN ciphers), inherent flaws in network protocol designs (e.g., ARP spoofing, DNS cache poisoning, TCP/IP stack vulnerabilities), or insecure device configurations (e.g., lack of access control lists, default administrative credentials on routers and switches).

  • Hardware: Physical security flaws (e.g., exposed debugging interfaces like JTAG, lack of tamper resistance), hardware-based side-channel attacks (e.g., speculative execution vulnerabilities like Meltdown and Spectre, power analysis attacks), or insecure device design and supply chain integrity issues (e.g., implanted backdoors during manufacturing, counterfeit components).

  • Organizational policies: The absence of, or poorly defined, enterprise-level security policies, standards, and procedures. This includes a lack of acceptable use policies, missing data classification and handling guidelines, inadequate background check processes, or the absence of formal security awareness training—all of which create exploitable gaps in the security culture.

  • Network policies: Weak or missing technical policies governing network behavior and access. This includes poorly designed firewall rulebases that violate least privilege, lack of network segmentation between trusted and untrusted zones, missing access control lists on critical network devices, or the absence of standard, secure configuration templates for network infrastructure.

  • Human factors: The susceptibility of users and administrators to social engineering tactics (e.g., phishing, pretexting, baiting, vishing), errors in judgment, lack of security awareness and training, or negligent behavior such as writing down passwords, reusing credentials across systems, or mishandling sensitive data.

  • Configuration mistakes: The failure to securely configure systems and devices during deployment or maintenance. This includes unsecured endpoints (e.g., disabled host firewalls, unnecessary services running), failure to change default passwords on any asset (servers, databases, IoT devices), overly permissive file shares or cloud storage buckets, misconfigured cloud security groups, or the unintentional exposure of administrative interfaces to the public internet. These errors often directly violate the principle of least privilege and represent one of the most common and preventable vulnerability classes.

Information security risk management in practice

Organizations take a risk-based approach to information security, meaning that decisions about controls and investments are driven by a structured understanding of risk. In practice, risk is most usefully defined as a function of likelihood and impact.

Likelihood represents the probability that a given threat will exploit a vulnerability, taking into account the effectiveness of existing security controls. Impact represents the magnitude of harm that would result to the organization if the event occurred—measured in financial loss, operational disruption, regulatory penalties, or reputational damage. This relationship is expressed as:

Risk = Likelihood × Impact

While theoretical models sometimes frame risk as "threat × vulnerability × asset value" (Landoll & Landoll, 2005, p. 8) or "a threat that exploits some vulnerability that could cause harm to an asset" (Peltier, 2005, p. 16), these factors ultimately resolve into the two core dimensions that organizations can assess and act upon: the probability of an adverse event and the severity of its consequences.

The Risk Assessment Process

Risk assessment is "the process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact" (NIST, as cited in Landoll & Landoll, 2005, p. 10). According to the ASIS International General Security Risk Assessment Guidelines (2003), a comprehensive risk assessment includes:

  • Identifying assets requiring protection

  • Specifying potential loss events (threats)

  • Assessing the frequency and impact of those events

  • Recommending mitigation options

  • Conducting cost/benefit analysis

  • Supporting management decision-making

The PCI DSS Risk Assessment Guidelines (2005) similarly define risk assessment as a process that "identifies risks generated by the possibility of threats acting on vulnerabilities, and what can be done to mitigate each one." Because multiple regulatory frameworks—including HIPAA, PCI DSS, and SSAE 16—require periodic assessments, many organizations conduct them within a compliance context. However, effective risk management extends beyond compliance to genuinely inform security strategy.

A critical prerequisite to meaningful risk assessment is data classification. Organizations cannot protect what they do not understand. To simplify data governance, information assets should be segregated by levels of importance and risk, as it is impractical—and inefficient—to apply uniform controls to all data. Sensitive data warrants greater protection, and classification standards make those distinctions operational.

Risk Prioritization and Treatment

A central challenge in risk management is prioritizing risks to optimize investment in countermeasures. The ISO Risk Management Guide 73:2009 describes ideal prioritization as follows:

In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be difficult, and balancing resources used to mitigate between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.

Once risks are assessed and prioritized, organizations have four treatment options (Stewart, 2012):

  • Risk acceptance: Acknowledging the risk and its potential consequences without implementing additional controls, typically because the cost of mitigation exceeds the potential loss, or because the risk falls within the established risk appetite.

  • Risk mitigation: Implementing safeguards and countermeasures to reduce either the likelihood of exploitation or the impact should exploitation occur—the most common treatment approach.

  • Risk transfer: Shifting the financial consequences of the risk to another party, typically through insurance, or outsourcing the associated activity to a third party better equipped to manage it.

  • Risk avoidance: Eliminating the activity or asset that gives rise to the risk entirely, effectively removing the risk from the organization's risk profile.
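As an added illustration (not from the page), the following Python risk register scores each entry with Risk = Likelihood × Impact, ranks entries as the ISO Guide 73 passage above describes (greatest loss and probability first), and then chooses among the four treatment options using an assumed risk appetite threshold and a cost/benefit check on the candidate control. All entries, scales, costs and thresholds are constructed sample values.

```python
"""Risk scoring, prioritisation and treatment selection (added illustration).

Each risk is scored Risk = Likelihood x Impact on 1-5 scales, the register is
ranked highest score first, and a treatment (accept / mitigate / transfer /
avoid) is chosen against an assumed risk appetite and a cost/benefit check.
Every value below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    annual_loss: float              # monetary loss if the event occurs (constructed)
    mitigation_cost: float = 0.0    # yearly cost of the candidate control
    mitigated_likelihood: Optional[int] = None  # likelihood once the control is in place
    transferable: bool = False      # e.g. an insurable loss
    avoidable: bool = False         # the activity is not business-critical and can be dropped

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Assumed risk appetite: scores at or below this are within tolerance and accepted.
RISK_APPETITE = 6


def prioritise(register: List[Risk]) -> List[Risk]:
    """Greatest loss and greatest probability handled first; ties broken by impact."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def expected_loss(r: Risk, likelihood: int) -> float:
    """Annualised expected loss for a likelihood on the 1-5 scale."""
    return r.annual_loss * likelihood / 5.0


def choose_treatment(r: Risk) -> str:
    """Map one risk to accept / mitigate / transfer / avoid."""
    if r.score <= RISK_APPETITE:
        return "accept"
    if r.avoidable:
        # Dropping a non-essential activity removes the risk entirely.
        return "avoid"
    if r.mitigated_likelihood is not None:
        saved = expected_loss(r, r.likelihood) - expected_loss(r, r.mitigated_likelihood)
        # Cost/benefit step: mitigate only when the control pays for itself.
        if saved > r.mitigation_cost:
            return "mitigate"
    if r.transferable:
        return "transfer"
    # Nothing cost-effective or transferable: accept and record the exception.
    return "accept (documented exception)"


def treatment_plan(register: List[Risk]) -> List[Tuple[str, int, str]]:
    """Prioritised (name, score, treatment) rows for management review."""
    return [(r.name, r.score, choose_treatment(r)) for r in prioritise(register)]


SAMPLE_REGISTER = [  # constructed entries
    Risk("Unpatched web server", 4, 5, 200_000, 15_000, mitigated_likelihood=1),
    Risk("Laptop theft", 3, 3, 30_000, 40_000, mitigated_likelihood=2, transferable=True),
    Risk("Legacy FTP upload service", 3, 4, 50_000, avoidable=True),
    Risk("Vending machine outage", 2, 1, 1_000),
]

if __name__ == "__main__":
    for name, score, action in treatment_plan(SAMPLE_REGISTER):
        print(f"{score:>2}  {name:<28} -> {action}")
```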

The Goals and Limits of Risk Management

The ultimate objective of risk assessment is "to identify which investments of time and resources will best protect the organization from its most likely and serious threats" (Reynolds, 2012, p. 103). This requires accepting a fundamental truth: there is no absolute security. Systems can be more secure or less secure, but never perfectly secure. An organization may deploy malware detection at the network perimeter and endpoint protection on every client, yet the probability of infection never reaches zero.

This reality leads to another essential insight: security must be balanced with functionality. Data that is completely inaccessible may be perfectly secure, but it is also worthless to an enterprise. Security controls inevitably introduce friction; the art of risk management lies in applying just enough friction to protect critical assets while enabling the business to function. A security access policy is always navigating the tension between protection and productivity, and effective risk management provides the compass for that navigation.

Techniques of CIA attacks

Confidentiality attacks

A confidentiality attack is a type of cyberattack aimed at gaining unauthorized/unlawful access to privileged/private information. These attacks exploit vulnerabilities in systems, networks, or human behavior to access confidential data such as personal records, financial details, or trade secrets. Common attack techniques that compromise confidentiality include:

  1. Packet sniffing (packet capture): Attackers intercept and analyze network traffic to extract sensitive information (e.g., using tools like Wireshark or tcpdump). For example, an attacker on an unsecured Wi-Fi network could capture unencrypted login credentials.

  2. Port scanning: Attackers scan a target system’s open ports (e.g., using Nmap) to identify vulnerable services. While port scanning itself does not directly steal data, it is often a precursor to exploitation (e.g., targeting an open SSH port to brute-force a password).

  3. Wiretapping (eavesdropping): Attackers secretly monitor communications, such as phone calls (traditional wiretapping) or unencrypted VoIP traffic. Modern variants include man-in-the-middle (MITM) attacks, where an attacker intercepts and possibly alters data exchanged between two parties.

  4. SQL injection: Malicious code is injected into a database query to extract unauthorized information from a vulnerable system.

  5. SSL/TLS stripping (HTTPS downgrade)

    • Technique: An attacker forces a victim’s browser to downgrade an encrypted HTTPS connection to unencrypted HTTP using tools like sslstrip.

    • Impact: Login credentials or session cookies are transmitted in plaintext, allowing interception (e.g., on public Wi-Fi).

These techniques undermine confidentiality by exposing data to unauthorized entities, whether through passive interception (e.g., sniffing) or active exploitation (e.g., credential theft).

Integrity attacks

An information integrity attack is a malicious attempt to alter, modify, or corrupt data to deceive users, disrupt operations, or cause harm. The goal is to make data inaccurate or unreliable. Information sabotage through viruses, malware, or unauthorized modifications constitutes an integrity attack, as it compromises the accuracy, consistency, and reliability of data (Bishop, 2003; Pfleeger & Pfleeger, 2015). Common attack techniques that compromise integrity include:

  1. Session hijacking: An attacker takes over an active session (e.g., a logged-in user’s web session) to manipulate or falsify data.

    • Example: Using cross-site scripting (XSS) or session fixation to steal a user’s session cookie, allowing the attacker to alter account details in a banking system.

  2. Man-in-the-middle (MITM) attacks: An attacker intercepts and alters communications between two parties without their knowledge.

    • Example: Using ARP spoofing or SSL stripping to modify transaction details in real time (e.g., changing a recipient’s bank account number during an online transfer).

  3. Data tampering via malware: Malicious software (e.g., ransomware, rootkits, or logic bombs) corrupts or falsifies data.

    • Example: The Stuxnet worm manipulated industrial control systems by altering programmable logic controller (PLC) code, causing physical damage.

  4. SQL injection: An attacker injects malicious SQL code into a database query to modify, delete, or corrupt data.

Unlike confidentiality attacks (which focus on unauthorized access), integrity attacks ensure that even if data is accessed, it cannot be trusted due to unauthorized modifications.

Availability attacks

An information availability attack aims to disrupt access to data, systems, or services, making them unavailable to legitimate users. These attacks often involve overwhelming a system or blocking access. A denial-of-service (DoS) attack targets the availability of information systems, rendering them inaccessible to legitimate users (Stallings & Brown, 2018; Skoudis & Liston, 2005). Ransomware is another availability attack where attackers encrypt a victim’s data and demand payment to restore access, effectively denying service until the ransom is paid (e.g., WannaCry or LockBit). Common attack techniques that compromise availability include:

  1. SYN flood attack: A SYN flood attack exploits the TCP three-way handshake by flooding a target with SYN packets (often from spoofed IPs). The server allocates resources for each request and sends SYN-ACKs, but the attacker never completes the handshake with the final ACK. This exhausts the server’s connection queue, denying service to legitimate users.

    • Impact: Overwhelms a web server, causing it to drop legitimate connections (e.g., disrupting an e-commerce site during peak sales).

  2. ICMP flood (ping flood) attack: The target is bombarded with fake ICMP Echo Request (ping) packets, consuming bandwidth and processing power.

    • Impact: Slows down or crashes network devices (e.g., routers), making services unreachable.

  3. Distributed denial-of-service (DDoS) attack: A coordinated large-scale attack using multiple compromised systems (e.g., a botnet) to amplify traffic and cripple targets.

    • Example: The Mirai botnet attack (2016) exploited IoT devices to take down major websites like Twitter and Netflix.

  4. Ransomware attack: Encrypting critical data and demanding payment to restore access.

  5. Physical infrastructure sabotage: Cutting network cables or destroying servers to halt operations.

CIA attacks mitigation technologies

Key mitigation technologies against CIA attacks

The following is a tabulated summary of key mitigation technologies and approaches against confidentiality, integrity, and availability attacks.

| Security Objective | Key Technologies | Purpose | Notes |
|---|---|---|---|
| Confidentiality | Data Loss Prevention (DLP); Encryption (AES, TLS, PGP); Access Controls (IAM, RBAC, AAA); Tokenization; SIEM; Backups; Rate Limiting (prevents brute-force attacks) | Protects data from unauthorized access and leaks | SIEM provides monitoring for all three pillars |
| Integrity | Hashing (SHA-256, HMAC); Digital Signatures; Version Control (Git, SVN); SIEM + Centralized Logging; Access Controls (audit logs track changes); Backups (ensure clean restore points) | Ensures data accuracy and prevents tampering | Access controls support integrity through audit trails |
| Availability | DDoS Protection (Cloudflare, AWS Shield); Backups (recovery, 3-2-1 Rule, immutable backups); Load Balancers (Nginx, F5); High Availability systems; SIEM; Access Controls (MFA); Rate Limiting | Maintains system uptime and access | Rate limiting protects both availability and confidentiality |


Confidentiality mitigation technology in focus: Data Loss Prevention (DLP)

A key technology for ensuring data confidentiality is Data Loss Prevention (DLP), which monitors and protects sensitive information by detecting and blocking unauthorized transfers. For instance, DLP can trigger alerts if confidential files are copied to removable drives or if payment card data is shared improperly. While highly effective, DLP requires careful configuration—including accurate data classification and tailored alert rules—to maximize its security value.

How DLP Monitors and Blocks Unauthorized Data Transfers

  1. Content-Centric Detection: DLP systems scan data at rest (e.g., databases), in use (e.g., open files), and in motion (e.g., emails, cloud uploads) for sensitive content. DLP systems use techniques like:

    • Pattern matching (e.g., credit card/PII regex).

    • File fingerprinting (e.g., exact matches of proprietary designs).

    • Machine learning (e.g., identifying confidential documents by context).

  2. Policy-Driven Blocking: When DLP detects policy violations (e.g., an employee attaching customer data to an external email), it can:

    • Block the action outright (like preventing file copies to USB).

    • Quarantine the data for review.

    • Encrypt sensitive content mid-transfer.

  3. Targeted Alerting: DLP generates specific alerts for policy breaches (e.g., "Unauthorized SharePoint export of HR records"). These alerts can:

    • Feed into broader security systems (e.g., SIEMs for correlation).

    • Trigger automated workflows (e.g., notifying compliance teams).

DLP operates at the data layer—understanding content, not just traffic or behavior—making it uniquely effective against insider threats and accidental leaks.
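The three steps above, as an added Python example that is not code from the page or from any DLP product: content-centric detection by pattern matching (with a Luhn check so random digit runs are not mistaken for card numbers) and by SHA-256 fingerprinting of a registered confidential file, followed by a policy that maps detected content and transfer channel to block, quarantine or alert. The sample documents, the fingerprint registry and the policy table are all constructed.

```python
"""Minimal DLP-style content inspection and policy enforcement (added example).

Detection: regex pattern matching (payment cards with Luhn validation, SSNs)
and exact-match file fingerprinting. Enforcement: a (label, channel) policy
that yields block / quarantine / alert. All data and rules are constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # constructed US-SSN style pattern


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that only look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:       # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid primary account numbers found in the text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "proprietary design" document registered with the DLP system.
DESIGN_DOC = b"ACME widget v3 schematic: tolerances 0.01mm, alloy mix 7:3"
FINGERPRINTS: Dict[str, str] = {fingerprint(DESIGN_DOC): "proprietary-design"}


@dataclass
class Verdict:
    labels: List[str]   # sensitive content classes detected
    action: str         # allow | alert | quarantine | block


def classify(data: bytes) -> List[str]:
    """Content-centric detection: fingerprint match first, then pattern matching."""
    labels = []
    fp = fingerprint(data)
    if fp in FINGERPRINTS:
        labels.append(FINGERPRINTS[fp])
    text = data.decode("utf-8", errors="ignore")
    if find_pans(text):
        labels.append("payment-card")
    if SSN_RE.search(text):
        labels.append("pii-ssn")
    return labels


# Policy: (label, channel) -> action. Constructed; real rules are tuned per organization.
POLICY = {
    ("payment-card", "usb"): "block",
    ("payment-card", "email-external"): "block",
    ("pii-ssn", "email-external"): "quarantine",
    ("proprietary-design", "usb"): "block",
    ("proprietary-design", "cloud-upload"): "quarantine",
}
SEVERITY = {"allow": 0, "alert": 1, "quarantine": 2, "block": 3}


def evaluate(data: bytes, channel: str) -> Verdict:
    """Policy-driven decision: the most severe matching rule wins, and any
    sensitive content without a specific rule still raises an alert."""
    labels = classify(data)
    action = "allow"
    for label in labels:
        candidate = POLICY.get((label, channel), "alert")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return Verdict(labels, action)


if __name__ == "__main__":
    samples = [  # constructed transfers
        (b"Invoice: card 4111 1111 1111 1111 exp 12/27", "email-external"),
        (b"Order ref 1234 5678 9012 3456", "email-external"),   # fails Luhn: not a PAN
        (DESIGN_DOC, "cloud-upload"),
        (b"Weekly status: all green", "usb"),
    ]
    for data, channel in samples:
        v = evaluate(data, channel)
        print(f"{channel:<15} {v.action:<10} {v.labels}")
```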

Open-Source & Freemium DLP Tools

  1. MyDLP (Community Edition)

    • Network/email DLP with basic policies (e.g., credit card detection).

  2. OpenDLP

    • Scans endpoints for sensitive files (no real-time blocking).

  3. Spyderbat (Behavioral DLP)

    • Open-source runtime monitoring for data exfiltration.

  4. Apache NiFi + Regex Policies

    • Custom DIY DLP using workflows to filter sensitive data in transit.

Commercial DLP Solutions

  1. Symantec Data Loss Prevention (Broadcom)

    • Comprehensive coverage (network, endpoint, cloud).

    • Strong regulatory compliance (GDPR, HIPAA, PCI-DSS).

  2. Microsoft Purview Data Loss Prevention

    • Native integration with M365, Azure, and Windows endpoints.

    • Uses AI for content classification (e.g., sensitive docs in SharePoint).

  3. Forcepoint DLP

    • Focuses on behavioral analytics (e.g., detects risky user actions).

    • Supports hybrid cloud/on-prem deployments.

  4. Digital Guardian

    • Endpoint-centric with advanced threat response (blocks USB/exfiltration).

Cloud-Native & Integrated Tools

  • Google Workspace DLP (for Gmail/Drive)

  • AWS Macie (ML-based S3 data classification)

  • Nightfall.ai (API-driven DLP for SaaS apps)

Integrity mitigation technology in focus: Centralized logging

Several centralized logging technologies can enhance security and compliance by aggregating logs from multiple sources for monitoring, analysis, and auditing. Some key solutions include:

1. SIEM (Security Information and Event Management) Systems

  • Splunk – Powerful log aggregation, real-time analysis, and alerting.

  • IBM QRadar – Combines logs with threat intelligence for security monitoring.

  • Microsoft Sentinel – Cloud-native SIEM with AI-driven threat detection.

  • Elastic SIEM (Elastic Stack / ELK Stack) – Open-source option using Elasticsearch, Logstash, and Kibana (ELK) for log parsing and visualization.

2. Log Management & Analytics Platforms

  • Graylog – Open-source log aggregation with alerting and dashboards.

  • Datadog – Cloud-based monitoring with log correlation and APM.

  • Sumo Logic – SaaS-based log analytics with machine learning insights.

  • Fluentd / Fluent Bit – Lightweight log collectors that integrate with other tools.

3. Cloud-Native & Enterprise Solutions

  • AWS CloudTrail + Amazon CloudWatch Logs – For AWS environments.

  • Google Cloud Logging – Centralized logging for GCP services.

  • Azure Monitor Logs – Log analytics for Microsoft Azure.

  • Syslog-ng / Rsyslog – Traditional Unix-based log forwarders.

Key Features to Look For:

  • Real-time log aggregation (from servers, applications, network devices).

  • Retention & compliance (long-term storage for audits).

  • Search & analytics (to detect anomalies or breaches).

  • Alerting & automation (trigger responses to suspicious activity).

Free/Open-Source vs. Commercial Logging Tools

| Category | Tool Name | Type | Notes |
| --- | --- | --- | --- |
| SIEM Systems | Splunk | Commercial | Powerful commercial platform. A free version (Splunk Free) exists with a daily data cap. |
| SIEM Systems | IBM QRadar | Commercial | Enterprise-grade commercial SIEM. |
| SIEM Systems | Microsoft Sentinel | Commercial | Cloud-native SaaS solution, billed based on data ingestion. |
| SIEM Systems | Elastic SIEM (ELK Stack) | Open Source | The core Elasticsearch, Logstash, and Kibana stack is open-source. Elastic offers paid commercial features and support. |
| Log Management & Analytics | Graylog | Open Source | The core Graylog product is open-source. An enterprise version with advanced features is available. |
| Log Management & Analytics | Datadog | Commercial | Commercial SaaS platform with usage-based pricing. |
| Log Management & Analytics | Sumo Logic | Commercial | Commercial SaaS platform with usage-based pricing. |
| Log Management & Analytics | Fluentd / Fluent Bit | Open Source | Cloud-native CNCF-graduated open-source projects. |
| Cloud-Native & Enterprise | AWS CloudTrail + CloudWatch | Commercial | Part of AWS's paid ecosystem. Pricing is based on events and log storage. |
| Cloud-Native & Enterprise | Google Cloud Logging | Commercial | Part of GCP's paid ecosystem. Includes a free tier with monthly allowances. |
| Cloud-Native & Enterprise | Azure Monitor Logs | Commercial | Part of Microsoft Azure's paid ecosystem. Billed based on data ingestion and retention. |
| Cloud-Native & Enterprise | Syslog-ng / Rsyslog | Open Source | Standard, free, and open-source log forwarders available on most Unix/Linux systems. |

Clarifications:

  • Freemium Models: Several tools listed as "Commercial" (like Splunk, Datadog, and the cloud platforms) offer generous free tiers or free plans for low-volume use, but their full-featured enterprise versions are paid services.

  • Open Core Models: Tools like Elastic SIEM and Graylog have strong open-source cores. However, the companies behind them also sell commercial extensions (like advanced security features, supported plugins, and professional support), which is a common business model in the open-source world.

  • Cloud Services: While the underlying technology of tools like Fluentd is open source, the managed services from AWS, GCP, and Azure (CloudWatch, Google Cloud Logging, Azure Monitor) are commercial products.

Availability mitigation technology in focus: DDoS protection services (e.g., AWS Shield, Cloudflare)

Data can become unavailable because it is damaged or destroyed, or because of ransomware or dormant malware. Unlike confidentiality or integrity attacks, availability attacks aim primarily to disrupt service rather than steal or alter data. Mitigation strategies include rate limiting, traffic filtering, and cloud-based DDoS protection services (e.g., AWS Shield, Cloudflare).

Availability attacks, such as Distributed Denial of Service (DDoS) attacks, aim to disrupt services by overwhelming systems with malicious traffic, rendering data or applications inaccessible. To counter these threats, organizations leverage cloud-based DDoS protection services like AWS Shield and Cloudflare, which employ advanced mitigation techniques such as traffic filtering, rate limiting, and anomaly detection. AWS Shield provides automatic protection for AWS resources, defending against common network-layer attacks, while Cloudflare’s global Anycast network absorbs and disperses malicious traffic before it reaches the target. These services ensure high availability by continuously monitoring and mitigating attack traffic, allowing legitimate requests to proceed uninterrupted. By integrating such solutions, businesses can maintain operational resilience against increasingly sophisticated DDoS campaigns.
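The rate-limiting strategy mentioned above, as an added example that is not code from the page or from AWS Shield or Cloudflare: a per-client token bucket run over constructed request timestamps, so that a flooding source is shed while a client sending at a normal rate passes unaffected. The IP addresses, rates and traffic pattern are constructed sample values.

```python
from collections import defaultdict

class TokenBucket:
    """Per-client token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = defaultdict(lambda: float(burst))  # client -> available tokens
        self.last_ms = {}                                # client -> last request time

    def allow(self, client: str, now_ms: int) -> bool:
        # Refill in proportion to elapsed time, never above the burst ceiling
        elapsed = now_ms - self.last_ms.get(client, now_ms)
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate / 1000)
        self.last_ms[client] = now_ms
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1      # spend a token: the request passes
            return True
        return False                      # bucket empty: the request is shed

def filter_requests(requests, rate: float = 5.0, burst: int = 10):
    """requests: iterable of (timestamp_ms, client_ip). Returns {ip: (allowed, dropped)}."""
    bucket = TokenBucket(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        stats[ip][0 if bucket.allow(ip, ts) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}

# Constructed sample traffic (timestamps in milliseconds):
#  - a legitimate client sending one request per second for 20 seconds
#  - a flooding source sending 20 requests per second (100 requests in 5 seconds)
SAMPLE = [(t * 1000, "198.51.100.7") for t in range(20)] + \
         [(t * 50, "203.0.113.9") for t in range(100)]

if __name__ == "__main__":
    for ip, (ok, dropped) in filter_requests(SAMPLE).items():
        print(f"{ip}: {ok} allowed, {dropped} dropped")
```

With the default 5 requests/second and a burst of 10, the legitimate client loses nothing while the flooding source keeps only its first burst plus the sustained rate.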

Other foundational information security concepts

The AAA framework

AAA stands for Authentication, Authorization, and Accounting. It’s a framework for controlling and monitoring users of a computer system such as a network.

  • Authentication is the process of verifying a user’s identity. When a user logs in, ideally using multi-factor authentication, that’s authentication. In other words, authentication is how you control access to your network and prevent intrusions, data loss, and unauthorized users.

  • Authorization is the process of granting the user the appropriate access and permissions. So, granting the user access to some files and services, but restricting access to other files and services, is authorization.

  • Accounting is the process of recording the user’s activities on the system. For example, logging when a user makes a change to a file, or recording when a user logs in or logs out, is accounting.

Enterprises typically use an AAA server to provide AAA services; ISE (Identity Services Engine) is Cisco’s AAA server. AAA servers typically support the following two AAA protocols for network access control:

  • RADIUS (Remote Authentication Dial-In User Service), which is an open standard protocol and uses UDP ports 1812 and 1813.

  • TACACS+ (Terminal Access Controller Access-Control System Plus), which is also an open standard (that was developed by Cisco) and uses TCP port 49.
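The three A's as separate decisions, in an added example that is not code from the page, from Cisco ISE, or from any RADIUS/TACACS+ implementation: a minimal in-memory AAA service in which authentication checks a salted password hash, authorization is granted only to an authenticated session and only per role, and accounting records failed logins and denied actions as well as successes. The users, passwords and role table are constructed.

```python
import hashlib
import hmac
import os

# Constructed role table: what each role may do once authenticated
PERMISSIONS = {"admin": {"read", "write", "delete"}, "analyst": {"read"}}

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class AAAServer:
    """Minimal in-memory stand-in for an AAA server; each A is a separate decision."""
    def __init__(self):
        self.users = {}        # username -> (salt, password hash, role)
        self.sessions = set()  # usernames that have passed authentication
        self.ledger = []       # accounting records: who, what, outcome

    def enroll(self, user, password, role):
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(password, salt), role)

    def _account(self, user, event, outcome):
        # Accounting keeps failures and denials too; they are the audit signal
        self.ledger.append({"user": user, "event": event, "outcome": outcome})

    def authenticate(self, user, password) -> bool:
        rec = self.users.get(user)
        ok = rec is not None and hmac.compare_digest(hash_password(password, rec[0]), rec[1])
        self._account(user, "login", "success" if ok else "failure")
        if ok:
            self.sessions.add(user)
        return ok

    def authorize(self, user, action) -> bool:
        # Without an authenticated session the role table is never consulted
        allowed = user in self.sessions and action in PERMISSIONS.get(self.users[user][2], set())
        self._account(user, action, "permitted" if allowed else "denied")
        return allowed

def demo() -> AAAServer:
    """Walk through the three steps with constructed users and passwords."""
    srv = AAAServer()
    srv.enroll("alice", "constructed-pass-1", "admin")
    srv.enroll("bob", "constructed-pass-2", "analyst")
    srv.authorize("bob", "read")                      # denied: not authenticated yet
    srv.authenticate("bob", "wrong-pass")             # failure, recorded anyway
    srv.authenticate("bob", "constructed-pass-2")     # success
    srv.authorize("bob", "delete")                    # denied: analyst may only read
    return srv
```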

Foundational cryptography concepts

Cryptography is the science of securing information through mathematical techniques. The primary goals of cryptography are confidentiality, authentication, data integrity, and non-repudiation.

  • Confidentiality protects information from unauthorized access. This is achieved through encryption algorithms that transform plaintext into ciphertext, rendering it unreadable without the appropriate cryptographic key. Symmetric encryption (e.g., AES, 3DES, ChaCha20) uses the same key for encryption and decryption and is optimized for bulk data encryption. Asymmetric encryption (e.g., RSA, Elliptic Curve Cryptography) uses mathematically related public-private key pairs and is typically used for key exchange and digital signatures. In network security, confidentiality is implemented through protocols like TLS, IPsec, and SSH.

  • Authentication verifies the identity of users and systems, and the authenticity of data. Cryptographic authentication answers the question: "Is this entity who they claim to be?" Mechanisms include digital certificates (X.509), challenge-response protocols, and message authentication codes (MACs). In practice, authentication often combines "something you know" (password) with cryptographic proofs—such as verifying that a party possesses the correct private key without transmitting that key directly.

  • Data integrity guarantees that information remains unaltered by unauthorized parties during transmission or storage. Integrity is achieved through hash functions and message authentication codes. A cryptographic hash function (e.g., SHA-256, SHA-3) produces a fixed-length digest from arbitrary input data; any modification to the data results in a completely different digest. However, hashing alone does not verify the source of the data. For this reason, networks use HMAC (Hash-based Message Authentication Code)—a keyed hash that combines a secret key with the data hash to provide both integrity and authenticity.

  • Non-repudiation ensures that a party cannot later deny having performed an action, such as sending a message, approving a transaction, or accessing a system. It provides irrefutable evidence—typically through digital signatures, timestamps, and audit logs—that a specific entity took a particular action. Digital signatures combine asymmetric cryptography with hashing: the sender creates a hash of the message and encrypts it with their private key; the recipient decrypts it with the sender's public key and verifies the hash. This provides both authentication (only the private key holder could have created it) and integrity (the hash verification ensures the message was not altered). Non-repudiation is fundamental to digital contracts, code signing, and forensic accountability.
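The data-integrity point above (a plain hash detects change but not who produced the data, which is why a keyed HMAC is used), as an added example that is not code from the page: the same altered record is accepted by a recomputed SHA-256 digest but rejected by HMAC-SHA256 verification, because the intermediary modelled here holds no key. The audit record and the shared key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample: an audit record in transit, and the key the two endpoints share
MESSAGE = b"2024-05-01T12:00:00Z user=alice action=transfer amount=100 result=success"
SHARED_KEY = b"constructed-demo-key"   # placeholder, not a real key

def digest(data: bytes) -> str:
    """Plain SHA-256 digest: detects change, but anyone can recompute it for new data."""
    return hashlib.sha256(data).hexdigest()

def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_with_hash(data: bytes, received_digest: str) -> bool:
    return hmac.compare_digest(digest(data), received_digest)

def verify_with_mac(key: bytes, data: bytes, received_tag: str) -> bool:
    # Constant-time comparison so the check does not leak the tag byte by byte
    return hmac.compare_digest(mac(key, data), received_tag)

def altered_in_transit(data: bytes, old: bytes, new: bytes):
    """Model an intermediary with no key: it edits the record and recomputes the plain hash."""
    modified = data.replace(old, new)
    return modified, digest(modified)

def integrity_checks():
    """Return which checks accept the original and the altered record."""
    mod, mod_digest = altered_in_transit(MESSAGE, b"amount=100", b"amount=900")
    return {
        "hash accepts original": verify_with_hash(MESSAGE, digest(MESSAGE)),
        "hash accepts altered":  verify_with_hash(mod, mod_digest),   # True: no source check
        "mac accepts original":  verify_with_mac(SHARED_KEY, MESSAGE, mac(SHARED_KEY, MESSAGE)),
        "mac accepts altered":   verify_with_mac(SHARED_KEY, mod, mac(SHARED_KEY, MESSAGE)),
        "mac accepts keyless":   verify_with_mac(SHARED_KEY, mod, mac(b"guess", mod)),
    }

if __name__ == "__main__":
    for check, accepted in integrity_checks().items():
        print(f"{check}: {accepted}")
```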

Key takeaways

  • The core, tactical goal of information security is to protect the Confidentiality, Integrity, and Availability (CIA Triad) of information assets.

  • Information security is a risk management discipline focused on identifying assets, associated risks, and implementing suitable mitigation controls (management, technical, and operational).

  • Key related concepts form the foundation of risk management:

    • A vulnerability is a weakness that can be exploited.

    • A threat is the potential for a vulnerability to be exploited.

    • Risk is the likelihood that a threat will exploit a vulnerability, resulting in a negative impact.

  • Organizations take a risk-based approach to prioritize vulnerabilities and focus mitigation efforts on the most significant risks to business operations, often driven by compliance requirements.

  • Information security governance is a top-level business function accountable for defining security policy and aligning security strategy with business objectives, while IT security is a stakeholder-level concern focused on the technological infrastructure.

  • There is no absolute security; the goal is to reduce risk to an acceptable level through mitigation, acceptance, or transfer, while balancing security needs with system functionality.

  • The AAA framework (Authentication, Authorization, and Accounting) is essential for controlling and monitoring access to systems and data.

  • Foundational cryptography provides the technical mechanisms to achieve the core security goals of confidentiality, integrity, authentication, and non-repudiation.

References

Anderson, J. M. (2003). Why we need a new definition of information security. Computers & Security, 22(4), 308–313. doi:10.1016/S0167-4048(03)00407-3.

ASIS International. (2003). General Security Risk Assessment Guidelines.

Bishop, M. (2003). Computer security: art and science. Addison-Wesley Professional.

Blakley, B., McDermott, E., & Geer, D. (2001, September). Information security is information risk management. In Proceedings of the 2001 workshop on New security paradigms (pp. 97-104). ACM.

Cherdantseva, Y. & Hilton, J. (2013). Information security and information assurance. The discussion about the meaning, scope and goals. In: Organizational, Legal, and Technological Dimensions of Information System Administrator. Almeida F., Portela, I. (eds.). IGI Global Publishing.

CNSS (Committee on National Security Systems). (2010). National Information Assurance (IA) Glossary, CNSS Instruction No. 4009, 26 April 2010.

EDUCAUSE Information Security Almanac 2019. (April 10, 2019). Retrieved January 21, 2020, from https://library.educause.edu/resources/2019/4/the-educause-information-security-almanac-2019

Engebretson, P. (2011). The basics of hacking and penetration testing: Ethical hacking and penetration testing made easy. [Books24x7 version] Retrieved March 26, 2013, from http://common.books24x7.com.proxy.bib.uottawa.ca/toc.aspx?bookid=44730

ISACA. (2008). Glossary of terms, 2008. Retrieved January 21, 2020, from http://www.isaca.org/Knowledge-Center/Documents/Glossary/glossary.pdf

ISO/IEC 27000:2009. Information technology — Security techniques — Information security management systems — Overview and vocabulary.

ISO 22301 Portal. (2015). Societal security – Business continuity management system.

ISO Risk Management Guide. (2009). Risk management — Vocabulary (ISO Guide 73:2009).

Landoll, D. J., & Landoll, D. (2005). The security risk assessment handbook: A complete guide for performing security risk assessments. CRC Press.

NCC (National Computing Centre). (2005). IT Governance: Developing a Successful Governance Strategy (published by ISACA). Retrieved August 20, 2019, from http://m.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Prepare-for-the-Exam/Study-Materials/Documents/Developing-a-Successful-Governance-Strategy.pdf

PCI DSS. (2005). PCI DSS Risk Assessment Guidelines. Retrieved from https://www.pcisecuritystandards.org/

Peltier, T. R. (2005). Information Security Risk Analysis (2nd ed.). Auerbach Publications.

Pfleeger, C. P., & Pfleeger, S. L. (2015). Analyzing computer security: A threat/vulnerability/countermeasure approach (5th ed.). Pearson Education.

Reynolds, G. W. (2012). Ethics in information technology. Boston, MA: Cengage Learning.

Skoudis, E., & Liston, T. (2005). Counter hack reloaded: A step-by-step guide to computer attacks and effective defenses (2nd ed.). Prentice Hall.

Stallings, W., & Brown, L. (2018). Computer security: Principles and practice (4th ed.). Pearson.

Stewart, J. (2012). CISSP Certified Information Systems Security Professional Study Guide Sixth Edition. Canada: John Wiley & Sons, Inc. pp. 255–257. ISBN 978-1-118-31417-3.

Venter, H. S., & Eloff, J. H. (2003). A taxonomy for information security technologies. Computers & Security, 22(4), 299-307.

Whitman, M. E., & Mattord, H. J. (2014). Principles of information security (p. 656). Boston, MA: Thomson Course Technology.
