Confidentiality: Permitting authorized access to info while protecting it from unauthorized disclosure
A security professional's obligation is to:
Regulate access: Protect data, but allow access to authorized individuals
PII: Personally Identifiable Information: Any data about someone that could identify them
PHI: Protected Health Information: Data regarding one's health
Sensitivity: The importance of info, and therefore the need to protect it
Integrity: Info is used in a way that is complete, accurate, consistent, and useful
Info/Data: Data Integrity: Data has not been altered in an unauthorized way
Protected in storage, processing, and transit: no errors, info loss, or unauthorized modifications
Recorded, used, and maintained to ensure completeness
Systems/Processes: System Integrity: Maintenance of known-good configurations and expected function
Awareness of current state/condition
Documenting and understanding the state at certain points in time
Baseline: The documented current state of info/systems and whether it is protected
Comparing the current state with the baseline validates integrity
Org: Required reliability may be dictated by laws/regulations
People & Actions
Availability: Access to systems and data when users need it
Timely, reliable access; not 100% of the time; downtimes exist
Meets the requirements of the business
Criticality: Degree to which orgs depend on info (NIST SP 800-60 Vol. 1, Rev. 1)
Authentication
Process of verifying and proving people are who they say they are
Three common methods:
Something you know: Passwords/passphrases
Something you have: Tokens, memory or smart cards
Token: An object possessed to authenticate identity (NISTIR 7711)
Something you are: Biometrics, measurable characteristics
Biometrics: Bio characteristics: Fingerprints, hand geometry, voice, eyes
Two types:
SFA: Single-Factor Authentication: One method of authentication
MFA: Multi-Factor Authentication: Two or more methods
Threat Vector: The way a threat actor carries out objectives
Vulnerability: Inherent weakness and flaws in systems
Likelihood: The probability of a vulnerability being exploited
Impact: The measured harm expected from the consequences of exposure
Risk Identification: Identifying and categorizing risks, estimating the potential for disruption
Risk Assessment: Estimating and prioritizing risks to assets
Risk Treatment
Making decisions about the best actions regarding identified, prioritized risk
Avoidance: Attempting to eliminate risk entirely
Stopping operations for some or all activities exposed to a risk
May be chosen when the potential impact is too high or too great
Acceptance: Taking no action to reduce risk
Conducting business with the risk in place, without further action
Chosen when impact or likelihood is negligible, or the benefit offsets the risk
Mitigation: Taking actions to prevent or reduce the possibility of risk
Remediation, controls, policies, procedures, and standards to minimize risk
Can't always fully mitigate, but can implement safety measures
Transference: Passing risk to another party who will accept the impact
Risk Analysis: Analyze risk through qualitative or quantitative measures to understand its cause
Risk matrices help identify priority: the intersection of likelihood and impact
Risk Tolerance: What risks are companies willing to take in respect of rewards?
Low tolerance means more investment in security
Security Controls: Safeguards that protect CIA (confidentiality, integrity, availability)
Physical Controls: Hardware: Badge readers, building structures
Controlling and directing the movement of people through equipment and facilities
Protection and control over entry points, parking lots
Supported by technical controls in an overall security system