
Lesson 1

Chapter 2 discusses core security principles including the CIA triad of confidentiality, integrity, and availability, as well as risk management strategies. It outlines the importance of understanding security layers, risk assessment, and physical security measures within an organization. The chapter emphasizes the need for access control, authentication, and auditing in both physical and computer security environments.

Chapter 2: Understanding the Security Layers

Lesson 1: Core Security Principles

CIA Triad

Confidentiality – the characteristic of a resource being restricted from unauthorized access

- What technologies ensure confidentiality?
a. Strong encryption
- What is considered confidential?

Classifications of Data:

a. Public
b. Internal/external
c. Unidentified

Integrity- the consistency and accuracy of the data.

Goal: Ensures that the data remains the same from the source to the receiver.

Processes or methods to ensure Integrity:

Availability- accessible and usable by the user.

Threats:

a. Accidental- flood, storm
b. Deliberate- DoS, viruses

Risk: the probability that a negative will occur.

Ex: There is a risk that you win the lottery

Threat: a more specific kind of risk.

What are the steps in creating Risk Management Plans?

1. Risk Assessment- Identify the risks that would affect your environment
2. Evaluate the risk for the two factors -
a. How likely is it to occur? Determine the likelihood of that risk occurring.
b. What are the impacts of that risk in your environment?
3. Prioritize- a risk matrix is a mechanism to use for prioritization.
Risk matrix columns: RISKS | LIKELIHOOD | IMPACT | TOTAL RISK SCORE | CORE PRINCIPLE AFFECTED | STRATEGY/IES TO DEAL WITH THE RISK | DATE WHEN THE RISK SHOULD BE ADDRESSED | DOCUMENTATION OF RESIDUAL RISK | STATUS | Res

- Review the final order, also consider external factors such as cost.
- Availability of the resources
- After finalizing the priority

Types of Response:

1. Risk Avoidance- avoiding the risk is also avoiding the reward.
Ex: The risk that the value might drop.
2. Risk Acceptance- making an informed decision to accept the likelihood and impact of a specific risk.
3. Risk Mitigation- taking steps to reduce the likelihood and impact of the risk.
Ex: Multiple drives for backup in databases
4. Risk Transfer- moving the responsibility to a third party.

Residual risk- the remaining risk after you solve the risks.
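
The steps above (assess, evaluate likelihood and impact, prioritize, choose a response, record the residual risk) can be carried through as a small risk register. This is an added example, not part of the original notes; the 1-5 scales, the score = likelihood x impact rule, the cost tie-break and the sample risks are all assumptions.

```python
from dataclasses import dataclass

RESPONSES = {"avoid", "accept", "mitigate", "transfer"}  # response types from the notes

@dataclass
class Risk:
    name: str
    likelihood: int   # assumed scale: 1 (rare) to 5 (almost certain)
    impact: int       # assumed scale: 1 (minor) to 5 (severe)
    principle: str    # core principle affected (confidentiality/integrity/availability)
    response: str     # one of RESPONSES
    cost: int         # relative cost of the response, used to break ties
    cut_likelihood: int = 0  # analyst's estimate of what the response removes
    cut_impact: int = 0

    def __post_init__(self):
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response: {self.response}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")

    def score(self) -> int:
        # Assumed rule: total risk score = likelihood x impact.
        return self.likelihood * self.impact

    def residual(self) -> int:
        if self.response == "avoid":    # the activity is dropped, and its reward with it
            return 0
        if self.response == "accept":   # nothing is done, so the score is unchanged
            return self.score()
        # mitigate / transfer: apply the estimated reductions, never below 1
        return max(1, self.likelihood - self.cut_likelihood) * max(1, self.impact - self.cut_impact)

def prioritize(risks):
    # Highest score first; on a tie the cheaper response is handled first.
    return sorted(risks, key=lambda r: (-r.score(), r.cost, r.name))

def report(risks):
    return [(r.name, r.score(), r.response, r.residual()) for r in prioritize(risks)]

# Constructed sample register, not taken from the notes.
REGISTER = [
    Risk("Database disk failure", 3, 5, "availability", "mitigate", 2, cut_impact=3),
    Risk("DoS against public site", 4, 3, "availability", "transfer", 3, cut_impact=1),
    Risk("Flood in server room", 1, 5, "availability", "accept", 0),
    Risk("Leak of internal documents", 3, 4, "confidentiality", "mitigate", 1, cut_likelihood=2),
]
```

Calling report(REGISTER) returns one (name, score, response, residual) row per risk in priority order, which maps onto the matrix columns for total risk score, strategy and residual risk.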

Two Concepts of Risk Assessment:

1. Understanding Least Privilege- a security discipline that requires that a system be given no more privilege than necessary. Simple but difficult to implement in reality.
Challenge: Complexity of the environment
- Rarely implemented in full; at least give a best effort
Tools to use:
a. Group users in application
b. Multiple user accounts for administrators
c. Account Standardization
d. Third Party Applications
e. Processes and Procedures
2. Understanding Separation of Duties- a principle that prevents any single entity from having full access to information. Designed to prevent fraud, errors, and theft.
3. Understanding an Attack Surface- the larger the attack surface, the greater the risk
a. Divide the attack surface into 3 components
Application, network, employees
b. Evaluate the Application Surface- number of data inputs, number of running services.
c. Evaluate the Network Surface- IP address
d. Evaluate the Employees- risk of malicious intent

1. Determine the security boundary within the organization
2. Determine everything that connects to your boundary
3. Look at the security mechanisms
4. Analyze the logs
Two kinds of Traffic:
a. Ingress- originates from the outside to inside, makes internet traffic traceable to its source
b. Egress- inside to outside, ensures unauthorized access is trapped

Reviewing attack surfaces should be done periodically.
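
One way to carry out steps 1, 2 and 4 on connection logs: define the boundary as a set of internal address ranges, classify each flow as ingress or egress, and list the outside peers that touch the boundary. This is an added example, not part of the original notes; the log format, the address ranges and the sample lines are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed security boundary: the organization's internal ranges (constructed values).
BOUNDARY = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed log lines in an assumed format: timestamp src dst dst_port action
SAMPLE_LOG = """\
2025-02-03T09:00:01 203.0.113.7 10.20.1.10 443 allow
2025-02-03T09:00:05 10.20.4.22 198.51.100.9 443 allow
2025-02-03T09:00:09 10.20.4.22 10.20.1.10 5432 allow
2025-02-03T09:00:12 203.0.113.7 10.20.1.10 22 deny
2025-02-03T09:00:20 192.168.50.8 198.51.100.9 25 deny
malformed line
"""

def inside(addr):
    ip = ipaddress.ip_address(addr)   # raises ValueError on a malformed address
    return any(ip in net for net in BOUNDARY)

def direction(src, dst):
    src_in, dst_in = inside(src), inside(dst)
    if dst_in and not src_in:
        return "ingress"              # outside to inside
    if src_in and not dst_in:
        return "egress"               # inside to outside
    return "internal" if src_in else "external"

def summarize(log):
    """Return ({direction: Counter{(far_end, port, action): n}}, skipped_lines)."""
    flows, skipped = {}, 0
    for line in log.splitlines():
        try:
            _, src, dst, port, action = line.split()
            kind = direction(src, dst)
            # far end: the source for ingress, the destination otherwise
            key = (src if kind == "ingress" else dst, int(port), action)
        except ValueError:            # wrong field count, bad address or bad port
            skipped += 1
            continue
        flows.setdefault(kind, Counter())[key] += 1
    return flows, skipped
```

Running summarize(SAMPLE_LOG) groups the five valid flows by direction and reports the one unparseable line instead of silently dropping it, so gaps in the log review stay visible.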

Social Engineering- a method used to gain access

“Security Cost Money”

Look for an organization/company/agency outside and create a risk assessment.

Deadline: Monday (Feb.3)

Example question: What measures do they have?


February 3, 2025

Lesson 2: Understanding the Physical Security

Physical Environment- the tangible part of the security

*Businesses keep some level of access control

Data Center

SITE SECURITY- a specialized area of the security discipline

- Introduces some specific concepts such as:

1. Access Control
o A key concept when thinking about physical security
o The process of restricting access to the resources to only permitted users, application,
o Example: those who have access to the keys (door)
o The difference of access control in the real world of business: the nature of what is being protected and the technologies available to use.

[Diagram of site security layers, labels in order: EXTERNAL PERIMETER (Fences, Building Doors); GUARD DESK; INTERNAL PERIMETER (Office Environment); DATA CENTER ACCESS; SECURE AREAS; LOCKED SERVERS/RACKS]

DEFENSE IN DEPTH- a concept in which multiple layers of security are used to defend assets

SEVERAL GOALS IN DESIGNING PHYSICAL PLAN:

1. AUTHENTICATION- the need to identify the permitted
2. ACCESS CONTROL- provides to audit the activities
3. AUDITING- can be done through reviewing video footage,
- The ability to audit the activities

PHYSICAL PREMISES DIVIDED INTO LOGICAL AREAS

1. EXTERNAL PERIMETER
2. INTERNAL PERIMETER- the areas that only the employees can occupy
3. SECURE AREA- security measures in place, data centers

EXTERNAL PERIMETERS

Common Possible Security Measures:

1. Security Cameras
2. Perimeter Fence
3. Identification Card

INTERNAL PERIMETERS

1. Locks
2. Security Camera
3. ID Badges
4. Guards within Perimeter
5. Smoke Detector
6. IDPS

SECURE AREA

1. Sensors
2. Badge Readers
3. Biometric Technologies
4. Locks
5. Metal Detectors
6. IDPS

SITE SECURITY PROCESSES

1. External Perimeter Processes
2. Internal Perimeter Processes
3. Secure Area Processes- who is permitted to enter that area
- Only those who are authorized can access that area

COMPUTER SECURITY

3 Types of Computers an Organization Has:

1. Servers
2. Desktop Computers- spreadsheets
3. Mobile Computers- those that can be carried, including laptops, phones, notebooks
