SlideShare a Scribd company logo

Information security principles

Download as PPTX, PDF
Dan Morrill, profile picture
Dan Morrill

The document discusses the key principles of information security - confidentiality, integrity, and availability (CIA). It provides definitions for each principle and explains their importance. For example, it states that confidentiality prevents unauthorized disclosure of information, integrity ensures accuracy and consistency of data, and availability means systems and information are accessible when needed. The document also introduces common information security concepts like identification, authentication, authorization, and accountability.

EducationTechnologyBusiness
1 of 14
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
CIS 264 Highline Community College Dan Morrill
 CIA is:  Confidentiality  Integrity  Availability  The entire information security industry is based on this concept for Defense  Offense is a totally different matter, we want to corrupt CIA as much as possible for the other person  There are entire manuals on this subject  http://csrc.nist.gov/publications/nistpubs/800- 33/sp800-33.pdf is a good start
 Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.  Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds
 In information security, data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle. This means that data cannot be modified, unauthorized, or undetected. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.
 For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial- of-service attacks.
Information security principles
 Identification – am I who I say I am when I log in? If I know your router operating system – I know how to hack it and fake the router out  Authentication – same thing – if I can fake it I can make it do my own thing  Accountability – if I can log in as someone else, no one will hold me accountable  Authorization – if I am root, I can do anything I want to do  How long does it take to crack a Cisco Password using IOS 12.0(10)W5(18g)
Oh really? Thanks Google and Shodan If I own two routers on the internet What can I do? Where are the limits Can I get caught?
And this is why they have formal development and management processes
 IATF (Information Assurance Technical Framework)  People  There must be a commitment to the process  Training, Roles and Responsibilities, Policies and Procedures, Commitment, Penalties for violating  Technology  That the organization has the proper technologies in place  Risk Assessment, Patching, Architecture, Validated products in use, Configuration  Operations  Day to Day activities promote effective security  Enforcement, certification and accreditation, key management
Information security principles
 System Characterization  Threat Identification  Vulnerability Identification  Control Analysis  Likelihood determination  Impact analysis  Risk determination  Control determination  Results documentation
 Risk Assumption  Risk Avoidance  Risk Limitation  Risk Planning  Research and Development  Risk Transference  Supporting, Preventative, Detection and Recovering Controls
Information security principles

More Related Content

PPT
002.itsecurity bcp v1
Mohammad Ashfaqur Rahman
 
PDF
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
UBM_Design_Central
 
PDF
Information Security Intelligence
guest08b1e6
 
PPTX
Optimizing Security Operations: 5 Keys to Success
Sirius
 
PPTX
Security architecture, engineering and operations
Piyush Jain
 
PPT
Information Security Management.Introduction
yuliana_mar
 
PDF
Understanding security operation.pptx
Piyush Jain
 
PDF
Incident response methodology
Piyush Jain
 
002.itsecurity bcp v1
Mohammad Ashfaqur Rahman
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
UBM_Design_Central
 
Information Security Intelligence
guest08b1e6
 
Optimizing Security Operations: 5 Keys to Success
Sirius
 
Security architecture, engineering and operations
Piyush Jain
 
Information Security Management.Introduction
yuliana_mar
 
Understanding security operation.pptx
Piyush Jain
 
Incident response methodology
Piyush Jain
 

What's hot (19)

DOCX
Security architecture principles isys 0575general att
SHIVA101531
 
PPTX
Architecting for Security Resilience
Joel Aleburu
 
PPTX
Security Operations Center
MDS CS
 
PDF
"Thinking diffrent" about your information security strategy
Jason Clark
 
DOCX
Residency research makeup project acme enterprise scenario resi
SHIVA101531
 
DOCX
The NIST Cybersecurity Framework
EMMAIntl
 
PDF
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
PPT
Assuring Reliable and Secure IT Services
tsaiblake
 
PDF
From Business Architecture to Security Architecture
Priyanka Aash
 
PPT
Layered Approach - Information Security Recommendations
Michael Kaishar, MSIA | CISSP
 
PPTX
Cissp- Security and Risk Management
Hamed Moghaddam
 
PPTX
Cyber Security Landscape: Changes, Threats and Challenges
Bloxx
 
PDF
Why Zero Trust Yields Maximum Security
Priyanka Aash
 
PDF
PCI DSS Implementation: A Five Step Guide
AlienVault
 
PDF
The Cyber Security Landscape: An OurCrowd Briefing for Investors
OurCrowd
 
PPTX
Cyber Security Needs and Challenges
Happiest Minds Technologies
 
PPTX
Logging, monitoring and auditing
Piyush Jain
 
PPTX
A holistic approach to risk management 20210210 w acfe france & cyber rea...
Judith Beckhard Cardoso
 
PDF
A Case Study of the Capital One Data Breach
Anchises Moraes
 
Security architecture principles isys 0575general att
SHIVA101531
 
Architecting for Security Resilience
Joel Aleburu
 
Security Operations Center
MDS CS
 
"Thinking diffrent" about your information security strategy
Jason Clark
 
Residency research makeup project acme enterprise scenario resi
SHIVA101531
 
The NIST Cybersecurity Framework
EMMAIntl
 
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Assuring Reliable and Secure IT Services
tsaiblake
 
From Business Architecture to Security Architecture
Priyanka Aash
 
Layered Approach - Information Security Recommendations
Michael Kaishar, MSIA | CISSP
 
Cissp- Security and Risk Management
Hamed Moghaddam
 
Cyber Security Landscape: Changes, Threats and Challenges
Bloxx
 
Why Zero Trust Yields Maximum Security
Priyanka Aash
 
PCI DSS Implementation: A Five Step Guide
AlienVault
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
OurCrowd
 
Cyber Security Needs and Challenges
Happiest Minds Technologies
 
Logging, monitoring and auditing
Piyush Jain
 
A holistic approach to risk management 20210210 w acfe france & cyber rea...
Judith Beckhard Cardoso
 
A Case Study of the Capital One Data Breach
Anchises Moraes
 
Ad

Similar to Information security principles (20)

PPTX
security IDS
Gregory Hanis
 
DOCX
The CIA Triad - Assurance on Information Security
Bharath Rao
 
PDF
Top Cyber Security Interview Questions and Answers 2022.pdf
Careerera
 
PDF
Information security
Onkar Sule
 
PDF
Cyber Security Matters a book by Hama David Bundo
hdbundo
 
PPTX
Information Systems.pptx
KnownId
 
PDF
Cybersecurity Interview Questions and Answers.pdf
Jazmine Brown
 
PDF
Information Technology Security Is Vital For The Success...
Brianna Johnson
 
PDF
Safeguarding Sensitive Data with Encryption
Home
 
DOC
Information security
Sanjay Tiwari
 
PDF
CIA = Confidentiality of information, Integrity of information, Avai.pdf
annaielectronicsvill
 
PDF
INTERVIEW QUESTION FOR IT AUDITOR
Infosec Train
 
PDF
Cyber security
Prem Raval
 
PDF
it2042-unit1.pd AIM To study the critical need for ensuring Information Secu...
Perumalraja Rengaraju
 
PDF
Enhanced method for intrusion detection over kdd cup 99 dataset
ijctet
 
PDF
Security and Privacy Considerations in the Open Network for Digital Commerce.pdf
Nikhil Khunteta
 
PPTX
Information System Security
Syed Asif Sherazi
 
PDF
Fundamentals of-information-security
madunix
 
PPTX
Module 2 - Information Assurance Concepts.pptx
Humphrey Humphrey
 
PPTX
Cloud computing
ShakthiShakthi13
 
security IDS
Gregory Hanis
 
The CIA Triad - Assurance on Information Security
Bharath Rao
 
Top Cyber Security Interview Questions and Answers 2022.pdf
Careerera
 
Information security
Onkar Sule
 
Cyber Security Matters a book by Hama David Bundo
hdbundo
 
Information Systems.pptx
KnownId
 
Cybersecurity Interview Questions and Answers.pdf
Jazmine Brown
 
Information Technology Security Is Vital For The Success...
Brianna Johnson
 
Safeguarding Sensitive Data with Encryption
Home
 
Information security
Sanjay Tiwari
 
CIA = Confidentiality of information, Integrity of information, Avai.pdf
annaielectronicsvill
 
INTERVIEW QUESTION FOR IT AUDITOR
Infosec Train
 
Cyber security
Prem Raval
 
it2042-unit1.pd AIM To study the critical need for ensuring Information Secu...
Perumalraja Rengaraju
 
Enhanced method for intrusion detection over kdd cup 99 dataset
ijctet
 
Security and Privacy Considerations in the Open Network for Digital Commerce.pdf
Nikhil Khunteta
 
Information System Security
Syed Asif Sherazi
 
Fundamentals of-information-security
madunix
 
Module 2 - Information Assurance Concepts.pptx
Humphrey Humphrey
 
Cloud computing
ShakthiShakthi13
 
Ad

More from Dan Morrill (19)

PPTX
Windows power shell and active directory
Dan Morrill
 
PPTX
Windows power shell basics
Dan Morrill
 
PPTX
Understanding web site analytics
Dan Morrill
 
PPTX
Process monitoring in UNIX shell scripting
Dan Morrill
 
PPTX
Creating a keystroke logger in unix shell scripting
Dan Morrill
 
PPTX
Understanding UNIX CASE and TPUT
Dan Morrill
 
PPTX
Using Regular Expressions in Grep
Dan Morrill
 
PPTX
Understanding the security_organization
Dan Morrill
 
PPTX
You should ask before copying that media
Dan Morrill
 
PPTX
Cis 216 – shell scripting
Dan Morrill
 
PPTX
Understanding advanced persistent threats (APT)
Dan Morrill
 
PPTX
AWS Hadoop and PIG and overview
Dan Morrill
 
PPTX
What is cloud computing
Dan Morrill
 
PPT
Social Media Plan for CityU of Seattle
Dan Morrill
 
PPT
BSIS Overview
Dan Morrill
 
PPT
Case Studies In Social Media Chinese
Dan Morrill
 
PPT
Case Studies In Social Media
Dan Morrill
 
PPT
Turn On Tune In Step Out
Dan Morrill
 
PPT
Technology And The Future Of Management
Dan Morrill
 
Windows power shell and active directory
Dan Morrill
 
Windows power shell basics
Dan Morrill
 
Understanding web site analytics
Dan Morrill
 
Process monitoring in UNIX shell scripting
Dan Morrill
 
Creating a keystroke logger in unix shell scripting
Dan Morrill
 
Understanding UNIX CASE and TPUT
Dan Morrill
 
Using Regular Expressions in Grep
Dan Morrill
 
Understanding the security_organization
Dan Morrill
 
You should ask before copying that media
Dan Morrill
 
Cis 216 – shell scripting
Dan Morrill
 
Understanding advanced persistent threats (APT)
Dan Morrill
 
AWS Hadoop and PIG and overview
Dan Morrill
 
What is cloud computing
Dan Morrill
 
Social Media Plan for CityU of Seattle
Dan Morrill
 
BSIS Overview
Dan Morrill
 
Case Studies In Social Media Chinese
Dan Morrill
 
Case Studies In Social Media
Dan Morrill
 
Turn On Tune In Step Out
Dan Morrill
 
Technology And The Future Of Management
Dan Morrill
 

Recently uploaded (20)

PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PDF
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
PDF
The Final Stretch: How to Release a Game and Not Die in the Process.
Marta Fijak
 
PPTX
master seminar digital applications in india
ananyaray35
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PPTX
Cardiovascular Pharmacology for pharmacy students.pptx
TumwineRobert
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
The Final Stretch: How to Release a Game and Not Die in the Process.
Marta Fijak
 
master seminar digital applications in india
ananyaray35
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
Cardiovascular Pharmacology for pharmacy students.pptx
TumwineRobert
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 

Information security principles

  • 1. CIS 264 Highline Community College Dan Morrill
  • 2.  CIA is:  Confidentiality  Integrity  Availability  The entire information security industry is based on this concept for Defense  Offense is a totally different matter, we want to corrupt CIA as much as possible for the other person  There are entire manuals on this subject  http://csrc.nist.gov/publications/nistpubs/800- 33/sp800-33.pdf is a good start
  • 3.  Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.  Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds
  • 4.  In information security, data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle. This means that data cannot be modified, unauthorized, or undetected. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.
  • 5.  For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial- of-service attacks.
  • 7.  Identification – am I who I say I am when I log in? If I know your router operating system – I know how to hack it and fake the router out  Authentication – same thing – if I can fake it I can make it do my own thing  Accountability – if I can log in as someone else, no one will hold me accountable  Authorization – if I am root, I can do anything I want to do  How long does it take to crack a Cisco Password using IOS 12.0(10)W5(18g)
  • 8. Oh really? Thanks Google and Shodan If I own two routers on the internet What can I do? Where are the limits Can I get caught?
  • 9. And this is why they have formal development and management processes
  • 10.  IATF (Information Assurance Technical Framework)  People  There must be a commitment to the process  Training, Roles and Responsibilities, Policies and Procedures, Commitment, Penalties for violating  Technology  That the organization has the proper technologies in place  Risk Assessment, Patching, Architecture, Validated products in use, Configuration  Operations  Day to Day activities promote effective security  Enforcement, certification and accreditation, key management
  • 12.  System Characterization  Threat Identification  Vulnerability Identification  Control Analysis  Likelihood determination  Impact analysis  Risk determination  Control determination  Results documentation
  • 13.  Risk Assumption  Risk Avoidance  Risk Limitation  Risk Planning  Research and Development  Risk Transference  Supporting, Preventative, Detection and Recovering Controls