Join Michael Lester for an in-depth discussion in this video Information security concepts, part of CISA Cert Prep: 5 Information Asset Protection for IS Auditors.
- [Narrator] Well, hello there, and welcome to intro to information security where we'll talk about some interesting definitions, some key terms, and all the other things that you might need to know to take the rest of the courses in this series, so let's get right to it. So, the AIC Triad, an important series of definitions that we really need to know for talking about anything do with security. So we used to refer to this as the CIA Triad but since that tends to get confused with a three letter agency, we now refer to it as the AIC Triad, but, none the less, it's the same thing.
Confidentiality, integrity, and availability, anytime you're talking about security, you're talking about protecting the confidentiality of something, its integrity, or its availability. Now from a testing perspective this is important to understand the differences between the two and, believe it or not, they can ask some pretty weird questions about what you would think would be a fairly easy to understand thing. So, let's just go down through them. Confidentiality is protecting something from being known by someone who's unauthorized. Integrity is all about making sure something isn't messed up or edited by someone that is unauthorized.
Of course, if you are authorized, then it's not a problem, you're not compromising something's integrity or its confidentiality if you're authorized to either access it or modify it in some way. Availability, of course, is something being available or accessible when it needs to be. So the most classic example of something that comprises something's availability would be a Denial of Service attack, where we knock something offline and prevent it from being accessed in some way. Now, from a testing perspective, here's an interesting little tip, if they ever ask you something about a situation where they describe something that's being read from inappropriately, that's a challenge to something's confidentiality.
If they're ever asking you a question that's referring to something being modified in some way or written-to in some way by an unauthorized person or entity, it's integrity that's being challenged. Whenever something is challenging something's confidentiality, it's always a read operation that's being performed, whenever it's something that's challenging something's integrity, it's always a write operation that's being performed, whether it's being written-to by some unauthorized user or it's some kind of disk corruption that's an unauthorized write or modification of something, those are challenging something's integrity, so keep that in mind, that'll help you through any weird questions they may ask you on the exam.
So let's talk about some more key terms. So a vulnerability is a weakness in some system. And a threat is the thing that attacks that weakness, so, a vulnerability might be a hole in a system in some way, some unpatched software, and the threat is the hacker that exploits that vulnerability. The threat, or the threat agent as we call it, is the thing that does the exploiting, whether it's in the physical world, like a fire, or a hurricane, or in the digital world, like a hacker or some malware.
Risk and business impact, we'll talk a little bit about in a second, but risk is the probability that something bad is gonna happen and then the resulting pain that you would feel and that pain we call business impact, that's the result of something bad happening, the impact on the business. An exposure is when you have a vulnerability in an environment where some threat agent can actually access it, you are exposed in some way, you've got vulnerable servers out in your environment and they're not mitigated by any kind of control or countermeasure, you're exposed, now how do you prevent such exposures, or how do you reduce the exposure? You put countermeasures, AKA controls, into the environment, to reduce or to mitigate the risk, and you do that by either reducing the likelihood of something bad happening or the impact of something bad happening, or both, both the likelihood and the impact of something bad happening, we put countermeasures or controls in place like putting a firewall in place or installing some antivirus software, for example, those are controls or countermeasures.
Defense in depth is the all important term that means we never rely on any one control, we always wanna surround the problem with layers and layers of protection that way we require, we force the threat agent to penetrate through many different countermeasures to actually get to the crown jewels. It's the idea of increasing the attacker's work factor make them really, really work for a small reward, that's defense in depth and it's a good attitude for any kind of security environment. Risk management is the practice of managing risk and remember risk is that combination of the likelihood of something bad happening, or the probability, and the business impact.
Well, risk management, the name of the game with that is, to make sure that we spend the right amount but not too much, and really, what this really comes down to is understanding what's the cost of an impact is and then what the cost of the control alternatives or the countermeasure alternatives are that you can put in place. And you wanna spend enough to mitigate your risk but you don't wanna spend too much so that you're wasting money, and resources, and time, et cetera. So security versus privacy, well security, of course, are all the measures that we take to guard against threats exploiting our vulnerabilities.
And what you're protecting is really what it comes down to. If you're protecting your data, you're performing security, you're performing good confidentiality, you might say. If you're protecting somebody else's data that's what we refer to as privacy, whenever you hear the buzzword privacy spoken about in security, it's always you protecting your customers information, let's say, or your employees' personal information, or some medical data about somebody else, it's something that you are protecting on behalf of someone else. If you're protecting intellectual property, for example, we don't necessarily refer to that as privacy, although you certainly could, if you look in the English dictionary, privacy is meaning keeping something private, but when we say privacy in security we're always referring to someone else's data like our customers or our employees.
- Information security basics
- Access control models
- Network security
- Secure protocols
- Wireless security
- Cyber attacks and countermeasures
- Conducting SOC audients