CyberSecurity Course
CyberSecurity Course
CyberSecurity Course
C – Confidentiality
I – Integrity
Pertains to the property of information whereby it is recorded, used and maintained in a way
that ensures its completeness, accuracy, internal consistency and usefulness for the stated
purpose.
Data integrity is the assurance that data has not been altered in an unauthorized manner.
This requires the protection of the data in systems and during processing to ensure that it is
free from improper modification, errors or loss of information and is recorded, used and
maintained in a way that ensures its completeness.
Data integrity covers data in storage, during processing and while in transit.
System integrity refers to the maintenance of a known good configuration and expected
operational function as the system processes the information.
This awareness concerns the ability to document and understand the state of data or a
system at a certain point, creating a baseline then going forward from that baseline, the
integrity of the data or the system can always be ascertained by comparing the baseline with
the current state. If the two match, then the integrity of the data or the system is intact; if
the two do not match, then the integrity of the data or the system has been compromised.
Integrity is a primary factor in the reliability of information and systems.
A – Availability
Means systems and data are available at the time when users need them.
Availability can be defined as (1) timely and reliable access to information and the ability to
use it, and (2) for authorized users, timely and reliable access to data and information
services.
Availability is often associated with the term criticality, because it represents the importance
an organization gives to data or an information system in performing its operations or
achieving its mission.
Authentication
When users have stated their identity, it is necessary to validate that they are the rightful owners of
that identity. This process of verifying or proving the user’s identification is known as authentication.
Simply put, authentication is a process to prove the identity of the requestor.
Methods of Authentication
There are two types of authentication. Using only one of the methods of authentication stated
previously is known as single-factor authentication (SFA) . Granting users access only after
successfully demonstrating or displaying two or more of these methods is known as multi-factor
authentication (MFA) .
Common best practice is to implement at least two of the three common techniques for
authentication:
Knowledge-based
Token-based
Characteristic-based
Non-repudiation
Non-repudiation is a legal term and is defined as the protection against an individual falsely denying
having performed a particular action. It provides the capability to determine whether a given
individual took a particular action, such as created information, approved information or sent or
received a message.
Non-repudiation methodologies ensure that people are held responsible for transactions they
conducted.
Privacy
Privacy is the right of an individual to control the distribution of information about themselves.
Risk
1. the adverse impacts that would arise if the circumstance or event occurs, and
2. the likelihood of occurrence.
Information security risk reflects the potential adverse impacts that result from the possibility of
unauthorized access, use, disclosure, disruption, modification or destruction of information
and/or information systems.
An asset is anything of value that the company own and in need of protection.
A vulnerability is a gap or weakness in those protection efforts that could be exploited by a
threat source.
A threat is something or someone that aims to exploit a vulnerability to thwart protection
efforts.
Threats
Vulnerabilities
An organization’s security team strives to decrease its vulnerability. To do so, they view their
organization with the eyes of the threat actor, asking themselves, “Why would we be an attractive
target?” The answers might provide steps to take that will discourage threat actors, cause them to
look elsewhere or simply make it more difficult to launch an attack successfully. For example, to
protect yourself from the pickpocket, you could carry your wallet in an inside pocket instead of the
back pant pocket or behave alertly instead of ignoring your surroundings. Managing vulnerabilities
starts with one simple step: Learn what they are.
Likelihood
When determining an organization’s vulnerabilities, the security team will consider the probability,
or likelihood , of a potential vulnerability being exploited within the construct of the organization’s
threat environment. Likelihood of occurrence is a weighted factor based on a subjective analysis of
the probability that a given threat or set of threats is capable of exploiting a given vulnerability or set
of vulnerabilities.
Finally, the security team will consider the likely results if a threat is realized and an event
occurs. Impact is the magnitude of harm that can be expected to result from the consequences of
unauthorized disclosure of information, unauthorized modification of information,
unauthorized destruction of information, or loss of information or information system availability.
Risk Identification
Identifying risks is not a one-and-done activity. It’s a recurring process of identifying different
possible risks, characterizing them and then estimating their potential for disrupting the
organization.
It involves looking at your unique company and analyzing its unique situation. Security professionals
know their organization’s strategic, tactical and operational plans.