Understanding the basic layers of information security is key to building your security knowledge. This post outlines 10 principles of cyber security and addresses the CIA security triad, the principle of least privilege and attack surfaces.
Understanding the CIA Triad
Firstly, you should understand the purpose of security on a network. The CIA Triad represents the core goals of an information security program:
Confidentiality deals with keeping information, networks, and systems secure from unauthorised access. Technologies that support confidentiality in enterprise security include strong encryption, authentication and access controls.
Integrity, in the information security context, is defined as the consistency, accuracy, and validity of data or information; a significant aim of a successful information security program is to ensure that information is protected against any unauthorised changes.
Availability refers to the accessibility of a resource to a user, application, or computer system when it is required.
Threat and Risk Management
Threat and risk management is the process of identifying, assessing, and prioritising threats and risks. Risk is generally defined as the probability that an event will occur, although in practice businesses are concerned only with risks that would negatively impact a computing environment. A threat is a very specific type of risk: an action or occurrence that could result in a security breach, an outage, or the corruption of a system by exploiting known or unknown vulnerabilities.
Conducting a risk assessment is the first step in securing a network. A risk register is a formal mechanism for documenting the risks, impacts, controls, and other information the risk management program requires.
There are four responses to risk:
Risk avoidance is the process of eliminating a risk by choosing not to engage in an action or activity. The problem is that there is frequently a reward associated with the risk: avoid the risk and you avoid the reward.
Risk acceptance is the act of identifying and then making an informed decision to accept the likelihood and impact of a specific risk.
Risk mitigation consists of taking steps to reduce the likelihood or impact of a risk. The risk still exists, but it has been reduced by a user’s actions.
Risk transfer is the act of taking steps to move responsibility for a risk to a third party through insurance or outsourcing.
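The risk register and the four responses above can be put into working form. The following is an added example, not code from the original post: a small register that scores each risk as likelihood multiplied by impact on a 1 to 5 scale, prioritises by inherent score, and records the chosen response with its residual score. The scale, the appetite threshold and the sample entries are assumptions made for illustration.

```python
"""Minimal risk register: score, prioritise and record the chosen response.

Added example, not code from the original post. The 1..5 scoring scale,
the appetite threshold and the sample entries are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# The four responses to risk described in the post.
RESPONSES = {"avoid", "accept", "mitigate", "transfer"}


@dataclass
class Risk:
    name: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    response: str                   # one of RESPONSES
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # after the response is applied
    residual_impact: Optional[int] = None

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be in 1..5")
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response {self.response!r}")
        # Mitigation and transfer only count if the register names what was done.
        if self.response in ("mitigate", "transfer") and not self.controls:
            raise ValueError(f"{self.name}: response {self.response} needs controls")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        if self.response == "avoid":
            return 0  # the activity is not undertaken, so neither is the risk
        lk = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        im = self.residual_impact if self.residual_impact is not None else self.impact
        return lk * im


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first; ties keep register order (sorted is stable)."""
    return sorted(register, key=lambda r: r.inherent_score, reverse=True)


def above_appetite(register: List[Risk], appetite: int = 12) -> List[str]:
    """Risks whose residual score still meets or exceeds the (assumed) appetite."""
    return [r.name for r in prioritise(register) if r.residual_score >= appetite]


def sample_register() -> List[Risk]:
    """Constructed sample entries, one per response type."""
    return [
        Risk("Ransomware on file server", 4, 5, "mitigate",
             controls=["offline backups", "monthly patching"],
             residual_likelihood=2, residual_impact=3),
        Risk("Phishing of finance staff", 5, 4, "mitigate",
             controls=["awareness training", "MFA on mail"],
             residual_likelihood=4, residual_impact=3),
        Risk("Legacy public FTP service", 3, 4, "avoid",
             controls=["decommission the service"]),
        Risk("Flooding of data centre", 1, 5, "transfer",
             controls=["business interruption insurance"], residual_impact=2),
        Risk("Brief outage of internal wiki", 3, 1, "accept"),
    ]


if __name__ == "__main__":
    for r in prioritise(sample_register()):
        print(f"{r.inherent_score:>2} -> {r.residual_score:>2}  {r.response:<8} {r.name}")
    print("still above appetite:", above_appetite(sample_register()))
```

The residual score is what the register is really for: it shows which risks remain above the organisation's appetite after the chosen response, which is where the next round of spending or mitigation should go.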
The Principle of Least Privilege
The Principle of Least Privilege is a security discipline that requires that a user, system, or application be given no more privilege than is necessary to perform its function or job. It addresses how privileges are managed across many users and accounts. Some high-level tools and strategies include:
Groups logically group users and applications so that permissions are not applied on a user by user basis or application by application basis.
Multiple user accounts for administrators: one for their role as a user of the company’s applications and systems, and the other for their role as an administrator.
Account standardisation, because each additional account type permitted in an environment adds an order of magnitude of complexity to the permissions management strategy. Standardising on a limited set of account types makes managing the environment much easier.
Third-party applications can make managing permissions easier. These can range from account lifecycle management applications to auditing applications and application firewalls.
Processes and procedures, so that the support organisation does not have to treat each account as a unique circumstance. It can rely on the defined process to determine how an account is created, classified, and maintained.
Separation of Duties
Separation of duties is a principle that prevents any single person or entity from being able to have full access or complete all the functions of a critical or sensitive process.
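The group-based permissions, the two-account pattern for administrators and the separation-of-duties rule above can all be checked mechanically. The following is an added example, not code from the original post: permissions are granted only to groups, accounts are members of groups, a usage log drives a least-privilege review that flags permissions an account holds but never uses, and a list of permission pairs that must never sit on one account implements separation of duties. The group names, permissions, accounts and usage log are constructed for illustration.

```python
"""Group-based permissions with a least-privilege review and a separation-of-duties check.

Added example, not code from the original post. Group names, permission
strings, accounts and the usage log are all constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Permissions are attached to groups, never to individual accounts.
GROUP_PERMISSIONS: Dict[str, Set[str]] = {
    "staff":             {"mail:read", "wiki:read"},
    "developers":        {"repo:push"},
    "payments-entry":    {"payment:create"},
    "payments-approval": {"payment:approve"},
    "domain-admins":     {"ad:reset-password", "ad:create-account", "server:login"},
}

# Permission pairs that no single account may hold (separation of duties).
SEPARATED: List[Tuple[str, str]] = [
    ("payment:create", "payment:approve"),
    ("ad:create-account", "payment:approve"),
]

# Account -> group memberships (constructed).
ACCOUNTS: Dict[str, Set[str]] = {
    "alice":      {"staff", "developers"},
    "bob":        {"staff", "payments-entry"},
    "carol":      {"staff", "payments-approval"},
    "dave":       {"staff"},            # dave's everyday account
    "dave-admin": {"domain-admins"},    # dave's separate administrative account
    "erin":       {"staff", "payments-entry", "payments-approval"},  # misconfigured
}

# Constructed usage log: (account, permission actually exercised).
USAGE_LOG: List[Tuple[str, str]] = [
    ("alice", "mail:read"), ("alice", "wiki:read"), ("alice", "repo:push"),
    ("bob", "mail:read"), ("bob", "wiki:read"), ("bob", "payment:create"),
    ("carol", "mail:read"), ("carol", "wiki:read"), ("carol", "payment:approve"),
    ("dave", "mail:read"), ("dave", "wiki:read"),
    ("dave-admin", "server:login"), ("dave-admin", "ad:reset-password"),
    ("erin", "mail:read"), ("erin", "wiki:read"), ("erin", "payment:create"),
]


def effective_permissions(account: str, accounts=ACCOUNTS, groups=GROUP_PERMISSIONS) -> Set[str]:
    """Union of the permissions of every group the account belongs to."""
    perms: Set[str] = set()
    for g in accounts[account]:
        perms |= groups[g]
    return perms


def is_allowed(account: str, permission: str, accounts=ACCOUNTS, groups=GROUP_PERMISSIONS) -> bool:
    return permission in effective_permissions(account, accounts, groups)


def separation_violations(accounts=ACCOUNTS, groups=GROUP_PERMISSIONS) -> List[Tuple[str, str, str]]:
    """Accounts that hold both halves of a separated pair."""
    found = []
    for acct in accounts:
        perms = effective_permissions(acct, accounts, groups)
        for a, b in SEPARATED:
            if a in perms and b in perms:
                found.append((acct, a, b))
    return found


def unused_permissions(usage_log=USAGE_LOG, accounts=ACCOUNTS, groups=GROUP_PERMISSIONS) -> Dict[str, Set[str]]:
    """Least-privilege review: permissions held but never exercised in the log."""
    report: Dict[str, Set[str]] = {}
    for acct in accounts:
        held = effective_permissions(acct, accounts, groups)
        used = {perm for who, perm in usage_log if who == acct}
        extra = held - used
        if extra:
            report[acct] = extra
    return report


if __name__ == "__main__":
    print("dave can log in to servers:", is_allowed("dave", "server:login"))
    print("dave-admin can log in to servers:", is_allowed("dave-admin", "server:login"))
    print("separation violations:", separation_violations())
    print("held but unused:", unused_permissions())
```

Two findings come out of the constructed data: erin's account breaks separation of duties by holding both the create and approve halves of the payment process, and dave-admin holds a permission it has never used, which is the kind of candidate a least-privilege review would remove.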
The Attack Surface
An attack surface consists of the set of methods and avenues an attacker can use to enter a system and potentially cause damage. The larger the attack surface of an environment, the greater the risk of a successful attack. The attack surface is split into three components:
An example of the application attack surface is the number of current services, whereas the potential for human errors is an instance of the employee attack surface.
Attack Surface Analysis
An attack surface analysis helps to identify the avenues of attack an organisation is exposed to. Because the network infrastructure and the necessary services and applications are usually complicated, particularly for medium and large organisations, performing an attack surface analysis can be just as complicated. Once completed, the analysis can be used to decide how to reduce the attack surface.
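The post gives the number of running services as an example of the application attack surface. The following is an added example, not code from the original post, of the first step of such an analysis: parse a listing of listening sockets, keep only those bound to non-loopback addresses (reachable from the network), and compare the result with the services the organisation expects to expose. The listing is constructed in the style of `ss -tlnp` output and the expected-services list is an assumption; any service left over is a candidate for removal or for binding to loopback, which is how the analysis turns into attack surface reduction.

```python
"""Application attack surface from a listing of listening services.

Added example, not code from the original post. LISTING is constructed in
the style of `ss -tlnp` output; EXPECTED is an assumed allow-list of the
services that are meant to be reachable from the network.
"""
import re
from typing import Dict, List, Set, Tuple

LISTING = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1021,fd=5))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1302,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1444,fd=3))
LISTEN  0       128     0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1500,fd=20))
LISTEN  0       128     [::1]:6379           [::]:*             users:(("redis-server",pid=1600,fd=7))
"""

# Addresses that are only reachable from the host itself.
LOOPBACK = {"127.0.0.1", "[::1]"}

# Assumed allow-list: (process name, port) pairs the organisation intends to expose.
EXPECTED: Set[Tuple[str, int]] = {("sshd", 22), ("nginx", 80)}


def parse_listeners(text: str) -> List[Dict[str, object]]:
    """One record per LISTEN line: bound address, port and owning process name."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header or non-listening line
        addr, port = fields[3].rsplit(":", 1)   # handles "[::]:22" and "*:80"
        m = re.search(r'\("([^"]+)"', fields[5])  # first process name in users:((...))
        rows.append({"addr": addr, "port": int(port), "process": m.group(1) if m else "?"})
    return rows


def exposed_services(rows: List[Dict[str, object]]) -> Set[Tuple[str, int]]:
    """Services reachable from the network, i.e. not bound to loopback only."""
    return {(str(r["process"]), int(r["port"])) for r in rows if r["addr"] not in LOOPBACK}


def unexpected_exposure(rows: List[Dict[str, object]], expected=EXPECTED) -> List[Tuple[str, int]]:
    """Exposed services that are not on the allow-list, ordered by port."""
    return sorted(exposed_services(rows) - expected, key=lambda s: s[1])


if __name__ == "__main__":
    listeners = parse_listeners(LISTING)
    print("listening sockets:", len(listeners))
    print("network-exposed services:", sorted(exposed_services(listeners), key=lambda s: s[1]))
    print("not on the allow-list:", unexpected_exposure(listeners))
```

Counting exposed services gives a number to track over time, and the allow-list comparison gives the reduction list; the two loopback-only services (postgres and redis-server) are deliberately left out of the count because binding a service to loopback is one of the standard ways of taking it off the network attack surface.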
One of the key factors to consider when evaluating the employee attack surface is the risk of a social engineering attack. Social engineering is a method used to gain access to data, systems, or networks, primarily through misrepresentation. This technique typically relies on the trusting nature of the person being attacked.
The key to thwarting a social engineering attack is through employee awareness—if employees know what to look out for, an attacker will find little success.
Physical Security
When securing computer-related assets and data there is a tendency to look only at the virtual world, yet most businesses also keep some level of control over who accesses their physical environment. Large companies in a location with a data centre often use badge readers and/or keypads to control access to the building and to any secure areas. Guards and logbooks are also used to control and track who is in the building. Final layers of security include keys for offices and desk drawers. Similar measures are taken in smaller offices, albeit usually on a smaller scale.
Threat Modelling
Threat modelling is a procedure for improving network security by identifying vulnerabilities, assessing the risk each one poses, and defining countermeasures to prevent or mitigate the effects of threats to the system. It focuses on the top threats with the greatest potential impact on an organisation.
It is also an iterative process. Threat modelling should be started when designing a system or solution and should be performed throughout the system or solution lifecycle. The reason for multiple passes is that it is impossible to identify all of the possible threats in a single pass. In addition, the infrastructure, system, or solution is always changing and new threats are found.
Linking Cost with Security
Finally, when dealing with security, there are some points to keep in mind when developing a security plan. First, security costs money. Typically, the more money is spent, the more secure the information or resources will be. So, when examining risk and threats, look at how much the confidential data or resource is worth to the organisation if it is compromised or lost, and how much money the organisation is willing to spend to protect the confidential data or resource.
In addition to cost, strive to make security seamless for the users who access the confidential information. If security becomes a heavy burden, users will often look for ways to circumvent the controls that have been established. Training also goes a long way in protecting confidential information and resources, because it shows users what to look for regarding security issues.
Would your core 10 principles of cyber security be the same? Leave a comment below with your thoughts.