Chapter 01 - Security Principles

This document provides a summary of key concepts in information security. It discusses the CIA triad of confidentiality, integrity and availability. It defines various security concepts like authentication, authorization, privacy and non-repudiation. It also describes different types of security controls - physical, administrative and technical controls. The document contains examples for each concept and tries to help readers understand them better through self-assessment questions at the end.

Uploaded by Jaye 99

Chapter 01

Security Concepts & Controls
Wenura Mendis
Vibernets Streaming
2022/09
Chapter 01

1. Security Concepts

2. Security Controls

09/22/2022 VIBERNETS STREAMING 2


1.1 Security Concepts

CIA Triad
The CIA triad is the standard model (or framework) for describing the three core goals of information security:

• Confidentiality - Prevent unauthorized read access to data.

• Integrity - Prevent unauthorized modification of information.

• Availability - Data can be accessed when it is needed, without undue delay.

1.1 Security Concepts

Confidentiality
Confidentiality is the practice of keeping information safe from disclosure to
unauthorized parties. This does not mean everything must be kept secret: even if
people are aware that the data or information exists, only the relevant parties
can access it.

Related Terms:
1. Personally Identifiable Information (PII)
   Eg: Full name, mailing address, credit card info, passport info, telephone numbers

2. Protected Health Information (PHI)
   The HIPAA Privacy Rule provides federal protections for personal health information
   (HIPAA - Health Insurance Portability and Accountability Act)

1.1 Security Concepts

Integrity
Integrity means the information is, and remains, original and accurate: it is not
changed accidentally or improperly by any authorized or unauthorized party.

Solution – Hashing
Hash functions are one-way mathematical functions that produce a result commonly
known as a message digest, a hash value, or more simply, a hash.

• Fixed-length output (hash value)
• Irreversible (referred to as a one-way hash)
• Eg: MD5, SHA
• Try this - https://www.md5hashgenerator.com/
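The integrity check the slide describes, as an added example (not part of the original deck): a digest is stored when a record is created and recomputed later, so any accidental or improper change is detected. The sample record and the key are constructed for this example, and the keyed variant is included to show where a bare hash stops and where the nonrepudiation slide's requirement of authentication begins.

```python
import hashlib
import hmac

# Constructed sample record: the "original" copy whose integrity we want to protect.
ORIGINAL = b"Transfer 100.00 to account 12345"

def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data. Length depends only on the algorithm, never on the
    size of the input (the fixed-length property from the slide)."""
    return hashlib.new(algorithm, data).hexdigest()

def verify(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check: recompute the digest and compare it with the stored one.
    compare_digest is a constant-time comparison, so the check leaks no timing."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)

def keyed_digest(data: bytes, key: bytes) -> str:
    """HMAC-SHA256. Unlike a bare hash, only a holder of `key` can produce a
    matching tag, so the check covers origin authentication as well as integrity.
    Because the key is shared, this still falls short of non-repudiation; that
    needs a digital signature with a private key only the signer holds."""
    return hmac.new(key, data, "sha256").hexdigest()

def demo() -> bool:
    stored = digest(ORIGINAL)                 # computed when the record was created
    ok_untouched = verify(ORIGINAL, stored)   # True: unchanged copy passes
    # Changing a single character (accidentally or improperly) yields a completely
    # different digest, so the stored value no longer matches.
    tampered = ORIGINAL.replace(b"100.00", b"900.00")
    ok_tampered = verify(tampered, stored)    # False: modification detected
    # Fixed-length output: 1 byte and 1 MiB both hash to 64 hex chars with SHA-256
    # (32 hex chars with MD5, which the slide also lists).
    same_len = len(digest(b"a")) == len(digest(b"a" * 2**20)) == 64
    md5_len = len(digest(b"a", "md5")) == 32
    return ok_untouched and not ok_tampered and same_len and md5_len

if __name__ == "__main__":
    print("integrity demo passed:", demo())
```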

1.1 Security Concepts

Availability
You are able to access the data or information you need when you need it,
without any delays or long wait times. There are many threats to the
availability of data.

Eg:
• Natural disasters - major loss of data
• Human-initiated threats - Distributed Denial of Service (DDoS) attacks, configuration faults
• Internet failures
• Bandwidth limitations

1.1 Security Concepts

Nonrepudiation
A user cannot deny (repudiate) having performed a transaction. It combines
authentication and integrity: nonrepudiation authenticates the identity of the
user who performs a transaction and ensures the integrity of that transaction.

1.1 Security Concepts

Privacy
Privacy is the protection of the confidentiality of personal information.

Eg:
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a legal framework that sets
guidelines for the collection and processing of personal information from
individuals who live in and outside of the European Union (EU).

Who has the right to be forgotten?
An individual has the right to have their personal data erased if the personal
data is no longer necessary for the purpose an organization originally
collected or processed it.

1.1 Security Concepts

AAA
AAA stands for:
A – Authentication (identity of the user: who are you?)
A – Authorization (what is the user allowed to do?)
A – Accounting (for billing and auditing)

1.1 Security Concepts

Authentication
Authentication is the first level of access control. Before you can access a
system, it challenges you to prove your identity, for example by providing a
user ID and a password.

Three common methods of authentication:
• Something you know: passwords, PIN
• Something you have: tokens, memory cards, smart cards
• Something you are: biometrics

Types of Authentication
• Single-factor authentication (SFA) - Using only one of the methods of
authentication.
• Multi-factor authentication (MFA) - Granting users access only after they
successfully demonstrate two or more of these methods.

1.2 Security Controls

Security Control Types
Security controls play a foundational role in shaping the actions cyber security
professionals take to protect an organization.

There are three main types of IT security controls:
1. Physical
2. Administrative
3. Technical

1.2 Security Controls

Physical Control
Physical (environmental) security protects the Confidentiality, Integrity, and
Availability of physical assets: people, buildings, systems, and data.
Eg:
• Fences
• Gates
• Bollards
• Locks
• Guards
• Tailgating
• Smart cards

1.2 Security Controls

Administrative Control
Security mechanisms that are management's responsibility, also referred to as
"soft" controls. These controls include the development and publication of
policies; security awareness training; the monitoring of system activity; and
change control procedures.

1.2 Security Controls

Technical Control (logical)
At the most basic level, technical controls, also known as logical controls, use
technology to reduce vulnerabilities in hardware and software.

Eg:
• Access Control Lists (ACL) – Network traffic filters that can control incoming
or outgoing traffic.
• Configuration Rules – Instructional codes that guide the execution of the
system when information is passing through it.
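How an ACL filters incoming or outgoing traffic, as an added example (not from the original deck): rules are evaluated in order, the first match decides, and anything unmatched falls to the implicit deny. The rule format, the function names and the addresses (taken from the RFC 5737 documentation ranges) are assumptions for this example, not any vendor's syntax.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed ACL in the spirit of the slide: an ordered list of filters applied
# to traffic entering ("in") or leaving ("out") an interface. The rule format
# and the function names are assumptions for this example, not any vendor's syntax.
@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    direction: str               # "in" or "out"
    src: IPv4Network
    dst: IPv4Network
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port

@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). Rules are tested top to
    bottom and the first match wins; a packet matching no rule is dropped by
    the implicit deny at the end of every ACL (reported with index None)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for i, r in enumerate(acl):
        if r.direction != pkt.direction:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, i
    return "deny", None

# Inbound filter for a web server at 203.0.113.10: block one specific source
# first, then allow HTTPS from anywhere. Everything else (SSH, packets in the
# outbound direction, ...) hits the implicit deny. Order matters: if the permit
# came first it would shadow the deny, because the first match wins.
ACL_IN = [
    Rule("deny", "in", ip_network("198.51.100.7/32"), ip_network("203.0.113.10/32"), "any"),
    Rule("permit", "in", ip_network("0.0.0.0/0"), ip_network("203.0.113.10/32"), "tcp", 443),
]
```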

Chapter 01 - Summary

Try this
1. A big organization's chief information security officer (CISO) drafted a policy governing
the acceptable usage of cloud environments by all employees. This is an instance of?
A. Technical Control
B. Administrative Control
C. Physical Control
D. Cloud Control

2. A user receives an email that they believe to have been sent by a colleague. In actuality,
the email was spoofed by an attacker. What security services would have indicated that the
message was spoofed?
A. Privacy
B. Authorization
C. Integrity
D. Non-repudiation

3. Which of the following is an example of an authentication factor based on "something
you know"?
A. Fingerprint
B. Password
C. Iris scan
D. User ID

4. Ranil is a security professional entrusted with preventing laptop theft from the
organization's offices. Which type of security control is most likely appropriate for this
purpose?
A. Obverse
B. Technical
C. Administrative
D. Physical

5. As a security expert, Sunil is responsible for preventing unauthorized changes to the
company's public website. The purpose of this activity is to guarantee?
A. Availability
B. Confidentiality
C. Integrity
D. Confirmation

6. Hashing is frequently employed to ensure data …………..?
A. Integrity
B. Availability
C. Confirmation
D. Confidentiality

Thank you

Wenura Mendis @Vibernets Streaming

1. Study CCNA, CCNP & Linux with Vibernets: https://www.facebook.com/vibernets/

2. Join Our Study Group: https://www.facebook.com/groups/ccnastudygroup/

3. Vibernets Streaming Page: https://www.facebook.com/vibernetsstreaming/

4. Telegram - Meet Wenura - https://t.me/meetwenura

5. Linkedin - https://www.linkedin.com/in/wenuragayan/
