Practical Foundations in Cybersecurity
Information security definition

The terms information security, cybersecurity, Internet security, computer security, and network security have intersecting and evolving meanings, but generally refer to processes of implementing security controls including IA/IT governance frameworks to protect the confidentiality, integrity, and availability of privileged information as well as the technological infrastructure of a computer network or system against unauthorized access or manipulation (Anderson, 2003; Blakley, McDermott & Geer, 2001; Cherdantseva & Hilton, 2013; CNSS, 2010; ISACA, 2008; ISO/IEC 27000:2009; Venter & Eloff, 2003).

Sensitive data should be protected based on the potential impact of a loss of confidentiality, integrity, or availability. Confidentiality “refers to protecting information from being accessed by unauthorized parties.” Integrity “refers to ensuring the authenticity of information—that information is not altered, and that the source of the information is genuine.” Availability of information means that information is accessible by authorized users when they need it. Protection measures (security controls) tend to focus on two key areas: mitigating known vulnerabilities, and implementing the principle of least privilege, whereby each authorized user is granted only the functionality their role requires.

Information security is “a risk management discipline, whose job is to manage the cost of information risk to the business” (Blakley et al., 2001). Information security,

  • “preserves the confidentiality, integrity and availability of information” (ISO/IEC 27000:2009);

  • is concerned with “authenticity, accountability, non-repudiation and reliability” (ISO/IEC 27000:2009 sees CIA as properties of information);

  • ensures that “only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)” (ISACA, 2008);

  • is concerned with the protection of information as well as that of the technological infrastructure or information systems that hold it (Cherdantseva & Hilton, 2013; CNSS, 2010);

  • is concerned with access to information (CNSS, 2010; ISACA, 2008); and

  • aims to provide assurance “that information risks and controls are in balance” (Anderson, J., 2003).

Other key information security concepts include privacy, authenticity and trustworthiness, non-repudiation, accountability and auditability, and reliability (Cherdantseva & Hilton, 2013; ISO/IEC 27000:2009).

The broad pragmatic goal of information security management is to reduce the probability of unauthorized access or damage to valued information assets to an acceptable risk level through risk mitigation strategies that involve management controls (e.g., security policies), technical controls (e.g., intrusion detection techniques), and operational controls (best practices/standard operating procedures).

Information security threats most commonly rated as a concern in higher education in North America are as follows (EDUCAUSE Information Security Almanac, April 2019, p. 2):

  • Confidentiality attacks: exposure of confidential or sensitive information (79%)

  • Integrity attacks: unauthorized or accidental modification of data (29%)

  • Availability attacks: loss of availability or sabotage of systems (16%)

  • Mixed-threat attacks: email viruses, ransomware, or other malware (31%), and unauthorized, malicious network/system access (27%)

Understanding information security risk

A standard definition of risk is the potential to lose something of value. Another definition involves exposure to danger. In information security, risk is typically understood as threat times vulnerability times impact (the likelihood that a threat will exploit a vulnerability, resulting in a business impact), or as threat times vulnerability with an overlay of control effectiveness or velocity. The cybersecurity risk manager should determine which definition is suitable for the organization. A key challenge is prioritizing risk so that investment in countermeasures is spent where it matters most. A well-understood list of risks must be matched with a list of suitable mitigations for those risks. A risk can be accepted (when the cost of the countermeasure outweighs the possible cost of loss due to the threat), mitigated (implement safeguards and countermeasures to eliminate vulnerabilities or to block threats), or transferred (place the cost of the threat on another business function or unit) (Stewart, 2012).

A risk-based approach allows an organization to prioritize the vulnerabilities identified and focus its efforts on the risks that are the most significant to its operations. The first step in identifying business risks should be to understand the business as a society, as a social system: its identity, corporate vision, social/community relations, and values. Clause 4 of ISO 22301 calls for understanding internal and external environments, including an organization’s activities, functions, services, and the organization’s risk appetite (ISO 22301 Portal: Societal security – Business continuity management system, 2015). Businesses need to evaluate information security risks for the purposes of insurance underwriting and resource allocation, and those that must comply with HIPAA, PCI, and other regulations perform a risk assessment periodically. Risk assessment “identifies risks generated by the possibility of threats acting on vulnerabilities, and what can be done to mitigate each one” (PCI DSS Risk Assessment Guidelines, 2005). Several major regulatory frameworks, including HIPAA, PCI, and SSAE 16, require businesses to perform periodic risk assessment.

A popular definition of risk management by ISO Guide 73:2009:

In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be difficult, and balancing resources used to mitigate between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.
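The two passages above (risk as threat × vulnerability × impact with a control-effectiveness overlay, the accept/mitigate/transfer choice, and prioritization by greatest expected loss) can be put into a small risk-register scorer. This is an added example, not code from the course; the 0..1 scales, the sample risks, and the decision rule in `treatment()` are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    threat: float                 # likelihood a threat acts on the asset, 0..1 (assumed scale)
    vulnerability: float          # likelihood the attempt succeeds, 0..1 (assumed scale)
    impact: float                 # business loss if it succeeds, in currency units
    control_effectiveness: float  # share of that loss the countermeasure prevents, 0..1
    countermeasure_cost: float    # cost of implementing the countermeasure
    transferable: bool = False    # whether the cost can be moved to another unit or insurer

    def score(self) -> float:
        """Page definition: risk = threat x vulnerability x impact (expected loss)."""
        return self.threat * self.vulnerability * self.impact

    def residual(self) -> float:
        """Overlay of control effectiveness: expected loss left after the countermeasure."""
        return self.score() * (1.0 - self.control_effectiveness)


def treatment(r: Risk) -> str:
    """Constructed decision rule: mitigate when the countermeasure costs less than the
    loss it prevents; otherwise transfer the cost if that is possible, else accept."""
    prevented = r.score() - r.residual()
    if r.countermeasure_cost < prevented:
        return "mitigate"
    if r.transferable:
        return "transfer"
    return "accept"


def prioritize(risks):
    """Greatest expected loss first, as the prioritization passage describes."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def plan(risks):
    """Ordered (name, expected loss, treatment) rows for a risk register."""
    return [(r.name, round(r.score(), 2), treatment(r)) for r in prioritize(risks)]


# Constructed sample register; the categories follow the EDUCAUSE threat list above.
SAMPLE_RISKS = [
    Risk("Loss of availability of systems", 0.3, 0.4, 100_000, 0.5, 20_000),
    Risk("Exposure of confidential data", 0.8, 0.5, 500_000, 0.9, 50_000),
    Risk("Ransomware / email malware", 0.6, 0.5, 300_000, 0.3, 40_000, transferable=True),
]

if __name__ == "__main__":
    for name, loss, action in plan(SAMPLE_RISKS):
        print(f"{loss:>10,.0f}  {action:<8}  {name}")
```

Swapping in the organization's own likelihood scales and cost figures is the only change needed to use it on a real register.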

The place of information security in enterprise IT governance

Information security governance is the top-level enterprise business function accountable for information security under the rubric of IT governance (NCC 2005 IT Governance). The IT department, like other departments (e.g., HR, Finance), is a customer of the information security governance function or service.

IT security as integrated with enterprise-wide risk management policy/framework (IT security risk management) operates within the information security governance framework. Information security is a specialized function within business organizations focused on securing an organization’s information assets against unauthorized access or damage. An information security professional from IT ensures an institution’s IT system is operating in a way that meets varied regulatory requirements.

IT security is a stakeholder-level concern within enterprises and is concerned with Internet access, identity and access management, and the technological infrastructure of the IT network and its smooth operation. Information security governance is concerned with defining security policy and aligning security strategy with business strategy. Information systems comprise hardware, software, and communications “with the purpose to help identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: Physical, personal and organizational” (Cherdantseva & Hilton, 2013).

Areas for which central IT most commonly has primary responsibility in higher education are Network security (94%), Monitoring (88%), Communications security (86%), and Identity management (83%) (EDUCAUSE Information Security Almanac, April 2019).
