Objective 1.1 - Understand the security Concepts of Information Assurance.

• CIA

  • Confidentiality
    • Confidentiality ensures that sensitive data is only accessible to authorized people, system, or processes.
    • Prevention of unauthorized access - it stops unauthorized users from seeing, stealing or altering private information
    • How to ensure confidentiality - techniques like encryption, access controls and passwords help maintain confidentiality
    • examples - excryption - protecting emails or files for only authorized recipients can read them
      • access control - restricting access to sensitive systems, like financial databases to specific employees,
      • data masking - hiding parts of sensitive information such as displaying only the last four digits of a credit card
      • 2fa - requiring a password and a code sent to your phone to access an account
      • nda - legal aggrements to ensure individuals dont share confidential information
  • Integrity
    • Integrity means keeping information correct and unaltered, preventing unauthorized changes.
    • Protection from Tampering - It ensures data cannot be modified, deleted or corrupted by unauthorized individuals.
    • Verification - Techniques like checksums or digital signatures verify data hasn’t been altered during transmission or storage.
    • examples - bank transactions - ensuring that the amount transferred from one account matches the amount received without unauthorized changes.
      • software downloads - using checksums (MD5 and SHA) to confirm that a downloaded file hasn’t been tampered with
      • medical records - protecting patient data to ensure that no unauthorized edits or deletions occur in health records
      • email security - digital signatures verify that an email has not been altered after it was sent.
      • database protection - ensuring logs and entries in a company database remain unmodified by unauthorized users.
  • Availability
    • Availability ensures that systems, data and resources are accessible to authorized users whenever needed.
    • Minimizes downtime - it focuses on reducing disruptions caused by hardware failures, cyberattacks or maintenance
    • backup and recovery - strategies like backups, redundancy and failover systems are used to keep services running smoothly.
    • examples - web servers with load balancers - ensures websites stay online even during high traffic by distributing load across multiple servers
      • cloud storage backups - allows users to access their files anytime even if one storage server fails
      • uninterruptible power supplies - keeps systems running during power outages to prevent downtime
      • redundant internet connections - business use multiple ISPs so operations continue if one connection fails
      • Disaster recovery sites - secondary data centers ready to take over if the primary center goes offline

• Non Repudiation

  • Non repudiation ensures that a person or system cannot deny actions they performed like sending a message or signing a document
  • Digital evidence - it uses methods like digital signatures and logs to provide solid proof of those actions
  • accountability - this builds trust and accountability in communication or transactions by holding parties responsible for their actions
  • examples - digital signatures - signing a contract electronically with a private key ensures the signer can’t deny it
    • blockchain transactions - cryptocurrency transfers are recorded immutably on the blockchain
    • audit logs - systems log user actions like accessing sensitive files as evidence
    • biometric access - fingerprint scans for system access prove individual responsibility
    • payment confirmations - receipts and transaction IDs verify completed purchases.

• AAA

  • Authentication
    • It is the process of verifying the identity of a user, device or system to ensure that only authorized entities gain access to resources.
    • examples - it typically involves validating credentials such as passwords, biometrics such as fingerprint or security tokens.
  • Authorization
    • It is the process of determining and granting a user’s permission to access specific resources, perform certain actions, or use particular services based on their verified identity
    • authorization usually takes place after authentication.
  • Accounting
    • accounting (or auditing) refers to tracking and recording a user’s activities, such as access to resources, performed actions, and system usage
    • examples - login and logout logs, command execution logs etc

• Authenticating People

  • Something you know - uses knowledge based authentication like passwords or pins
    • example - entering a passphrase to login
  • something you have - involves possession based authentication like smart card, security tokens or mobile device.
    • example - using a hardware token for 2fa
  • something you are - employs biometric authentication such as fingerprints, retina scans or facial recognition.
    • example - unlocking a phone with fingerprint
  • somewhere you are - relies on location based authentication using GPS or IP address.
    • example - restricting system access to specific regions

• Authenticating devices and systems

  • authentication purpose - ensures only authorized devices and systems can access the network or resources, reducing risks of unauthorized access.
  • methods - includes certificates, device biometrics, and unique identifiers like MAC addresses or TPM trusted platform module
  • mutual authentication - both the client and server verify each others identity for secure communication (eg - during ssl/tls handshakes)
  • device certificates - digital certificates assigned to devices verify their identity in secure environments
  • zero trust model - devices must continuously verify trustworthiness, even if inside the network perimeter

• Multifactor Authentication

  • Factors in MFA
    • Something you know
      • information only the user knows
      • examples - passwords, pins, security questions
      • weakness - vulnerable to guessing or theft
    • Something you know
      • A physical item in the user’s possession
      • examples - smartphones, smart cards, tokens.
      • strength - requires physical theft to compromise.
    • Something you are
      • Unique biological characteristics
      • examples - fingerprints, facial features or iris patterns.
      • strength - extremely hard to replicate or forge.
    • Somewhere you are
      • geographic or network based location
      • examples - access granted based on IP address, GPS, or wifi location
      • use cases - denying access if user’s location deviates from expected parameters.

• Privacy

  • Privacy refers to the protection of personal information and adherence to laws and policies governing its collection, storage, and use. effective privacy management ensures compliance, mitigates risks, and respects individual rights.
  • Data subject
  • controller vs processor
  • ownership
  • Data inventory and retention
  • Right to be forgotten

Objective 1.2 - Understand the risk management process.

• Elements of Risk Management Process
• Risk Analysis