Understanding Basic
Security terms and Concepts
As security professionals, you must be able to understand the following concepts and processes to effectively deploy a risk-based IT system.

DEFINITION OF AN INFORMATION SYSTEM
• An information system is the study of complementary networks of hardware and software that people and organizations use to collect, filter, process, create and distribute data.

COMPONENTS OF AN INFORMATION SYSTEM (IS)
• Hardware
• Software
• Data
• People
• Processes
• Network

HARDWARE
• Encompasses digital devices that you can physically touch.
• This includes devices such as the following:
1) Workstations (laptops and desktops)
2) Switch
3) Router
4) Firewall
5) Servers
• As a security professional, your main concerns are asset management and inventory control.

SOFTWARE
• A set of instructions that tell the hardware what to do.
• Created through the process of programming (coding).
• Can be broadly divided into two categories: operating system and application software.
• Operating systems manage the hardware and create the interface between the hardware and the user, e.g. Windows, Linux, Unix.
• Application software is the category of programs that do something useful for the user, e.g. office suites, game software, web applications.

DATA
• Raw bits and pieces of information with no context.
• Data put into context, aggregated and analyzed is called information and is used for the decision-making process (data analytics or business intelligence).
• Can be stored in files, databases and data warehouses.
• Forms of data include:
1) Data at rest
2) Data in transit
3) Data in process

PEOPLE
• The most important asset of an organization.
• The weakest link in security.
• Must constantly be trained.
• Managed by creating accounts and constantly monitoring the privileges associated with the accounts.
• People interact differently with an information system. They can be:
1) Creators, e.g. system analysts, software developers, network engineers
2) Administrators, e.g. system administrators, database administrators
3) Maintenance, e.g. help desk support
4) Users

PROCESSES
• A series of tasks that are completed in order to accomplish a goal.
• Processes are something that businesses go through every day in order to accomplish their mission. The better their processes, the more effective the business.
• Documenting processes is vital for an organization.
• Examples of processes include:
1) Change management process
2) Configuration management process
3) Inventory control
4) Asset management

INFORMATION SECURITY PROCESSES AND BASIC CONCEPTS
• Asset: Anything of value to the company; what we are trying to protect, e.g. people, information, systems, etc.
• Vulnerability: A weakness; the absence of a safeguard. A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat.
• Threat: What carries out the attack, i.e. anything that can exploit the vulnerability; what we are protecting against. Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

INFORMATION SECURITY PROCESSES AND BASIC CONCEPTS (CONT.)
• Likelihood: The probability of a threat exploiting a vulnerability. An instance of compromise.
• Risk: The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring.
- The probability of a threat materializing.
- The potential of loss, damage or destruction of an asset.
• Risk Formula: T * V = R (Threat × Vulnerability = Risk)

RISK CHOICES
• Risk Acceptance: The result after a cost/benefit analysis shows that the countermeasure cost would outweigh the possible cost of loss due to the risk.
• Risk Mitigation: The implementation of safeguards and countermeasures to lower risk to an acceptable level.
• Risk Transfer: The placement of the cost of loss onto another entity or organization, for example an insurance company.
• Risk Avoidance: The process of selecting alternate options or activities that have less associated risk than the default.

SOURCES OF RISK
• Disgruntled employees
• Poor physical security
• Weak access control
• No change management
• Lack of redundancy
• Poorly trained users
• Weak or non-existent anti-virus

IDENTIFICATION AND AUTHENTICATION, AUTHORIZATION, AND ACCOUNTABILITY (IAAA)
These terms describe the cornerstone concepts of authentication, authorization and accountability.
- Identification and Authentication: Identity is a claim. Identity alone is weak because there is no proof. Proving an identity claim is called authentication. You authenticate the identity claim, usually by supplying a piece of information or an object that only you possess, such as a password.
- Authorization: Describes the actions you can perform on a system once you have been identified and authenticated.
- Accountability: Holding users accountable for their actions.

AUTHENTICATION METHODS
• 1-Factor Authentication: Username/Password
• 2-Factor Authentication: Username/Password and Token/Badge
• 3-Factor Authentication: Username/Password, Token/Badge and Biometric

AUTHENTICATION TYPES
• Something you know – Password or PIN
• Something you have – Token or Badge
• Something you are (who you are) – Biometric

SECURITY OBJECTIVES – CIA
There are three security objectives:
CONFIDENTIALITY, INTEGRITY AND AVAILABILITY.

FIPS 199 (Federal Information Processing Standards) defines these as follows:

CONFIDENTIALITY
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…”
- The loss of confidentiality is the unauthorized disclosure of information.

INTEGRITY
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”
- A loss of integrity is the unauthorized modification or destruction of information. (Hashing: protecting the integrity of information)

AVAILABILITY
“Ensuring timely and reliable access to and use of information…”
- A loss of availability is the disruption of access to or use of information or an information system.

SECURITY OBJECTIVES – CIA
• Availability – The ability to use the information or resource when it is needed.
• Integrity – Describes the wholeness and completeness of the information without any alteration except by authorized sources.
• Confidentiality – Ensuring information is only available to those authorized to have access to the information.

POTENTIAL IMPACT
• The magnitude of harm or severity of damage that can be expected to result from the consequences of unauthorized disclosure, modification or destruction of information, or the loss of information or of its availability.
• FIPS 199 defines three levels of potential impact on organizations or individuals should there be a breach of security. The application of these definitions must take place within the context of each organization and the overall national interest.
• Impact levels: High, Moderate, Low

LOW IMPACT
• The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• Minor – minor harm to individuals.

MODERATE IMPACT
• The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• Significant – no loss of life or serious life-threatening injuries.

HIGH IMPACT
• The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
• Major – loss of life or serious life-threatening injuries.

SECURITY OBJECTIVES (CONT.)
The security category (SC) of an information type is written as:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
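As an added example (not from these slides), the following Python helper parses the SC notation above and applies the FIPS 199 high-water mark rule, where the overall impact is the highest of the three objectives' levels. It also generalizes to a system holding several information types, taking the high-water mark per objective first as NIST SP 800-60 does; the second information type used below is a constructed sample.

```python
"""FIPS 199 security categorization helper (added example, not from the slides)."""
import re

IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def parse_sc(text):
    """Parse the slide notation '{(confidentiality, High), (integrity, High), ...}'.

    Returns {'confidentiality': 'HIGH', ...}; raises on a missing objective or an
    impact level outside Low/Moderate/High.
    """
    pairs = re.findall(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)", text)
    sc = {obj.lower(): level.upper() for obj, level in pairs}
    missing = [o for o in OBJECTIVES if o not in sc]
    if missing:
        raise ValueError(f"missing objectives: {missing}")
    bad = [lvl for lvl in sc.values() if lvl not in IMPACT_RANK]
    if bad:
        raise ValueError(f"unknown impact levels: {bad}")
    return sc


def overall_impact(sc):
    """High-water mark: the highest impact level among the three objectives."""
    return max(sc.values(), key=IMPACT_RANK.__getitem__)


def system_categorization(info_types):
    """Per-objective high-water mark across every information type on a system
    (the SP 800-60 aggregation step); feed the result to overall_impact()."""
    return {
        obj: max((sc[obj] for sc in info_types), key=IMPACT_RANK.__getitem__)
        for obj in OBJECTIVES
    }


# Constructed sample inputs: the slides' own example and a hypothetical second type.
SLIDE_EXAMPLE = "{(Confidentiality, High), (integrity, High), (Availability, Low)}"
PUBLIC_WEB_CONTENT = "{(confidentiality, Low), (integrity, Moderate), (availability, Moderate)}"

if __name__ == "__main__":
    sc = parse_sc(SLIDE_EXAMPLE)
    print("Overall impact:", overall_impact(sc))  # HIGH
    system = system_categorization([sc, parse_sc(PUBLIC_WEB_CONTENT)])
    print("System SC:", system, "-> overall", overall_impact(system))  # -> overall HIGH
```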
Example: SC information type = {(confidentiality, High), (integrity, High), (availability, Low)}
Overall impact = High

SECURITY CONTROLS
• Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.

CLASSES OF SECURITY CONTROLS
• They are management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
• Management Controls – The security controls for an information system that focus on the management of risk and information system security.
• Operational Controls – The security controls for an information system that are primarily implemented and executed by people.
• Technical Controls – The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Ref: NIST SP 800-18, Appendix B

TYPES OF CONTROLS
• Common Control – Security controls inherited by one or more organizational information systems, e.g. Awareness and Training (AT).
• System Specific – Controls that are specific to a given system.
• Hybrid Controls – A combination of common and system-specific controls.

CLASSIFICATION OF CONTROLS
• Preventive Controls: A preventive control is deployed to stop unwanted or unauthorized activities from occurring. It acts before an event, e.g. fences, locks, biometrics, lighting, etc.
• Detective Controls: A detective control is deployed to discover or detect unwanted activities. Detective controls operate after the fact and can discover the activity after it has occurred, e.g. security guards, security cameras, CCTV, etc.

SECURITY CONTROLS (CONT.)
• Corrective Controls: A corrective control modifies the environment to return it to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problem that occurred as a result of a security incident, e.g. antivirus, backups, etc.
• Deterrent Controls: A deterrent control is deployed to discourage violation of security policies. Deterrent and preventive controls are similar, but deterrent controls often depend on individuals deciding not to take an unwanted action, e.g. locks, security guards, fences, etc.

SECURITY CONTROLS (CONT.)
• Compensating Controls: A compensating control is deployed to provide alternative options to other existing controls to aid in enforcement and support of security policies, e.g. adding an alarm to a door that already has a fence and is locked.

DATA CLASSIFICATION
• Data classification is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality.
• Top Secret: The highest level of classification. The unauthorized disclosure of top-secret data will have drastic effects and cause grave damage to national security.
• Secret: Used for data of a restricted nature. The unauthorized disclosure of data classified as secret will have significant effects and cause critical damage to national security.

DATA CLASSIFICATION (CONT.)
• Confidential: Used for data of a sensitive, proprietary, or highly valuable nature. The unauthorized disclosure of data classified as confidential will have a noticeable effect and cause serious damage to national security.
• Sensitive But Unclassified: Used for data that is for internal use or for official use.
• Unclassified: Used for data that is neither sensitive nor classified.

TYPES OF INFORMATION SYSTEMS
• General Support System (GSS) – An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.
• Major Application – An information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.
• Minor Application – An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system; therefore an information system cannot be labeled as a minor application.
Ref: NIST SP 800-37 Rev. 1, Appendix B

SYSTEM DEVELOPMENT LIFECYCLE (SDLC)
SDLC PHASE | RMF STEP | SECURITY TASKS
Initiation | Categorization and Selection | Need and Purpose (Business Case)
Development/Acquisition | Implementation, Assessment | Design, Purchase and Develop
Implementation | Authorization | Testing, Accept, and Install
Operation/Maintenance | Monitoring | Operate, Modify, and Maintain
Disposition/Disposal | | System or Part Termination