Computer Security Technology and Principles

The document outlines foundational principles of computer security, emphasizing the CIA Triad (Confidentiality, Integrity, Availability) and various key technologies for securing digital environments. It discusses access control models (DAC, MAC, RBAC, ABAC), the importance of authentication and authorization, and the role of cryptography in ensuring secure communication. Additionally, it highlights the significance of security policies, human factors in security, and the need for a layered approach to cybersecurity.

Computer Security Technology and Principles: Building Secure Digital Foundations

BY DR RUKAYAT A. KOLEOSO
Table of Contents

• Foundational Security Principles (CIA Triad)
• Key Security Technologies
• Network Security
• Endpoint Security
• Data Security
• Database Security
• Cloud Security
• Understanding Access Control
• What is Access Control?
• Types of Access Control (DAC, MAC, RBAC, ABAC)
• Authentication and Authorisation
• The Role of Cryptography
• Security Policies and Procedures
• The Human Element
• Conclusion & Key Takeaways
• Q&A

Foundational Security Principles: Recapping the core – The CIA Triad

• Confidentiality: Protecting information from unauthorised access and disclosure.
  • Goal: Only authorised individuals/systems can view sensitive data.
  • Example: Encryption, access controls, data masking.
• Integrity: Ensuring information remains accurate, complete, and untampered with.
  • Goal: Data is consistent and trustworthy; changes are authorised.
  • Example: Hashing, digital signatures, and version control.
• Availability: Ensuring authorised users can access information and systems when needed.
  • Goal: Systems and data are reliably accessible and operational.
  • Example: Redundancy, backups, disaster recovery, load balancing.
• Discussion: How would a breach in each of these impact an organisation?


Key Security Technologies – Overview: The Cybersecurity Toolbelt

• Technology plays a crucial role in enforcing security principles.
• Different technologies address different layers and aspects of the digital environment.
• No single technology provides complete security; a layered approach is essential.
• We'll look at network, endpoint, data, database, and cloud security technologies.
• Discussion: Why is a multi-layered (defence-in-depth) approach critical?


Network Security Technologies: Securing the Perimeter and Pathways

• Firewalls: Act as a barrier between trusted and untrusted networks, controlling inbound and outbound traffic based on rules.
  • Types: Packet-filtering, stateful inspection, application-level gateway.
• Intrusion Detection/Prevention Systems (IDS/IPS): Monitor network traffic for suspicious activity or known attack signatures.
  • IDS: Detects and alerts. IPS: Detects and actively blocks.
• Virtual Private Networks (VPNs): Create encrypted tunnels over public networks, ensuring secure remote access and data transmission.
• Network Segmentation: Dividing a network into smaller, isolated segments to limit the spread of attacks.

Endpoint Security Technologies: Protecting Devices at the Edge

• Antivirus/Anti-malware Software: Detects, prevents, and removes malicious software from individual devices (endpoints).
• Endpoint Detection and Response (EDR): Advanced tools that continuously monitor endpoint activity for suspicious behaviour, providing incident response capabilities.
• Device Encryption: Encrypting entire hard drives or specific files on laptops, desktops, and mobile devices to protect data at rest.
• Patch Management: Systematically applying software updates and security patches to fix known endpoint vulnerabilities.
• Discussion: Why are endpoints often a primary target for attackers?


Data Security Technologies: Safeguarding Information Itself

• Encryption: Converting data into a coded format to prevent unauthorised access.
  • Data at Rest: Encrypting files on storage devices.
  • Data in Transit: Encrypting data as it moves across networks (e.g., TLS/SSL).
• Data Loss Prevention (DLP): Tools and policies designed to prevent sensitive data from leaving the organisation's control, whether accidentally or maliciously.
• Data Masking/Tokenisation: Obscuring sensitive data with non-sensitive substitutes to protect it in non-production environments or during sharing.
• Backup and Recovery Systems: Creating copies of data and systems to ensure availability and recoverability after data loss or a breach.
• Discussion: Which is more critical: protecting data at rest or in transit? Why?


Database Security Basics: Securing Your Data Repositories

• Access Control: Strict access control (often using RBAC) for database users, roles, and applications.
• Encryption: Encrypting sensitive data within the database (at rest) and encrypting communication channels (in transit).
• Auditing and Logging: Comprehensive tracking of database activities (who accessed what, when, and how) for security monitoring, forensics, and compliance.
• Vulnerability Management: Regular patching, secure configuration hardening, and vulnerability scanning specifically for database systems.
• Database Activity Monitoring (DAM): Real-time monitoring of database transactions and alerting on suspicious or unauthorised activities.
• Principle of Least Privilege: Granting database users only the minimum necessary permissions to perform their job functions.
• Discussion: Why are databases a prime target for attackers, and what's the greatest risk if they are compromised?

Cloud Security Basics: Protecting Data and Applications in the Cloud

• Shared Responsibility Model: Understanding the division of security responsibilities between the cloud provider and the customer.
  • Provider: Security of the cloud (physical infrastructure, global network, underlying services).
  • Customer: Security in the cloud (customer data, applications, network configurations, identity and access management).
• Identity and Access Management (IAM): Crucial for controlling who can access specific cloud resources and services.
• Network Security in Cloud: Implementing virtual private clouds (VPCs), security groups, network access control lists (NACLs), and cloud-native firewalls.
• Data Encryption: Ensuring data is encrypted both at rest (in cloud storage services) and in transit (between cloud services or to/from users).
• Configuration Management: Regularly auditing and ensuring secure configurations for all cloud services and resources (e.g., public S3 buckets, open security groups).
• Compliance: Adapting security controls to meet regulatory and industry compliance requirements in the cloud environment.
• Discussion: What are the common misunderstandings about the shared responsibility model in the cloud?

What is Access Control? Access Control: Who Gets In and What Can They Do?

• Definition: The process of regulating who or what can view or use resources in a computing environment.
• It's a fundamental security principle ensuring Confidentiality and Integrity.
• Involves two key steps:
  • Authentication: Verifying the identity of a user or system ("Are you who you say you are?").
  • Authorisation: Determining what an authenticated user or system is permitted to do ("What are you allowed to access or perform?").

Type 1: Discretionary Access Control (DAC)

• Principle: The owner of a resource (e.g., a file, a folder) dictates who can access it and what permissions they have.
• Characteristics:
  • Highly flexible and common in operating systems (e.g., Windows NTFS permissions, Unix file permissions).
  • "Discretionary" because the owner has full control over access permissions.
• Pros: Granular control, easy to implement for small systems.
• Cons: Can be difficult to manage at scale, prone to misconfigurations if not properly controlled, and security depends heavily on user discretion.
• Example: A user creates a document and decides who can read, write, or execute it.

Type 2: Mandatory Access Control (MAC)

• Principle: Access decisions are enforced by a system-wide policy, not by the individual owner.
• Characteristics:
  • Based on security labels (e.g., "Top Secret," "Confidential") assigned to both subjects (users/processes) and objects (data/resources).
  • Users can only access resources with matching or lower security classifications.
  • Often used in high-security environments (e.g., military, government) where strict separation is required.
• Pros: Very strong security, central control, reduces risk of human error.
• Cons: Complex to implement and manage, less flexible, can be rigid.
• Example: A "Secret" clearance user cannot access "Top Secret" documents, regardless of who owns them.

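The MAC example above, contrasted with a DAC check, as an added Python sketch that is not part of the original slides. The label names other than "Secret", "Top Secret" and "Confidential", the user names and the documents are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    # Ordered sensitivity labels; UNCLASSIFIED is an assumed lowest level.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass
class Document:
    name: str
    owner: str
    classification: Level
    acl: set = field(default_factory=set)  # owner-managed read list (DAC)


def dac_can_read(subject, doc):
    """DAC: the owner, or anyone the owner put on the ACL, may read."""
    return subject.name == doc.owner or subject.name in doc.acl


def mac_can_read(subject, doc):
    """MAC: system-wide rule, clearance must be >= classification."""
    return subject.clearance >= doc.classification


def can_read(subject, doc):
    """Both checks must pass; an owner's grant cannot override the label."""
    return mac_can_read(subject, doc) and dac_can_read(subject, doc)


# Constructed sample data.
alice = Subject("alice", Level.TOP_SECRET)
bob = Subject("bob", Level.SECRET)
plan = Document("plan.txt", owner="alice", classification=Level.TOP_SECRET)
memo = Document("memo.txt", owner="alice", classification=Level.CONFIDENTIAL)
plan.acl.add("bob")  # the owner's discretionary grant
memo.acl.add("bob")
```

Here the owner has granted bob read access to both files, yet `can_read(bob, plan)` is still refused because the label check runs independently of the ACL.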
Type 3: Role-Based Access Control (RBAC)

• Principle: Access permissions are assigned to specific roles within an organisation, not directly to individual users. Users are then assigned to one or more roles.
• Characteristics:
  • The most common access control model in enterprise environments.
  • Simplifies management as users change roles; permissions are updated by changing role assignments, not individual permissions.
  • Enforces the "Principle of Least Privilege" more easily.
• Pros: Scalable, easier to manage large user bases, improves consistency, aligns with organisational structure.
• Cons: Roles need to be carefully defined; they can become complex if too many roles or overly granular permissions are created.
• Example: A "Sales Manager" role has access to sales reports; any user assigned to this role automatically gains those permissions.

Type 4: Attribute-Based Access Control (ABAC)

• Principle: Access decisions are made dynamically at the time of access request, based on a set of attributes associated with the user, the resource, the environment, and the action being requested.
• Characteristics:
  • Highly flexible and granular, suitable for complex, dynamic environments.
  • Attributes can include the user's department, time of day, location, resource sensitivity, and type of action (read, write).
• Pros: Extremely fine-grained control, adaptable to changing conditions, supports "zero trust" models.
• Cons: Very complex to design, implement, and manage; requires robust policy engines.
• Example: A user from the "Finance" department can access "Financial Reports" only during "business hours" from a "company-approved network."

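The Finance example above written as a deny-by-default policy check, as an added Python sketch that is not part of the original slides. The business-hours window, the approved network range and all field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed values: the slide names the attributes but not their concrete ranges.
BUSINESS_HOURS = (time(9, 0), time(17, 0))        # Mon-Fri, local time
APPROVED_NETWORKS = [ip_network("10.20.0.0/16")]  # constructed corporate range


@dataclass(frozen=True)
class Request:
    department: str     # user attribute
    resource_type: str  # resource attribute
    action: str         # action attribute
    when: datetime      # environment attribute
    source_ip: str      # environment attribute


def in_business_hours(when):
    start, end = BUSINESS_HOURS
    return when.weekday() < 5 and start <= when.time() < end


def on_approved_network(source_ip):
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False  # unparseable address: fail closed
    return any(addr in net for net in APPROVED_NETWORKS)


def decide(req):
    """Return (allowed, reason). Deny unless every attribute check passes."""
    checks = [
        (req.resource_type == "financial_report", "no rule for this resource"),
        (req.action == "read", "action not permitted"),
        (req.department == "Finance", "department mismatch"),
        (in_business_hours(req.when), "outside business hours"),
        (on_approved_network(req.source_ip), "network not approved"),
    ]
    for passed, reason in checks:
        if not passed:
            return False, reason
    return True, "all attributes satisfied"
```

Returning the first failed attribute as the reason gives the audit log something concrete to record for each denied request.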
Authentication and Authorisation Revisited: Deeper Dive - Authentication & Authorisation

• Authentication (Who you are):
  • Proving identity using credentials (e.g., username/password, biometrics, smart cards, security tokens).
  • Multi-Factor Authentication (MFA): Requires two or more distinct forms of verification (e.g., something you know + something you have + something you are).
• Authorisation (What you can do):
  • Once authenticated, the system determines what actions the user is permitted to perform based on access control policies.
  • Enforces the Principle of Least Privilege: Users should only have the minimum access necessary to perform their job functions.
• Discussion: Why is MFA considered a critical security control today?


The Role of Cryptography: The Language of Secrecy and Trust

• Definition: The art and science of secure communication in the presence of adversaries.
• Key Functions:
  • Confidentiality: Encryption (Symmetric/Asymmetric).
  • Integrity: Hashing, Digital Signatures.
  • Authentication: Digital Signatures, Certificates.
  • Non-repudiation: Digital Signatures.
• Applications: Secure communication (HTTPS, VPNs), data at rest encryption, digital certificates, secure coding practices.
• Discussion: How does cryptography underpin much of modern internet security?


Security Policies and Procedures: Guiding Principles - Policies & Procedures

• Security Policy: High-level statements that define what is acceptable and unacceptable behaviour and what security objectives the organisation aims to achieve (e.g., "All sensitive data must be encrypted.").
• Security Procedure: Detailed, step-by-step instructions on how to implement the policies (e.g., "Steps for encrypting a drive using BitLocker.").
• Importance: Provide a framework for decision-making, ensure consistency, communicate expectations to employees, and demonstrate due diligence.
• Must be regularly reviewed and updated.
• Discussion: What happens if an organisation has great technology but weak policies?

The Human Element in Computer Security: People - The Strongest Link, or the Weakest?

• Often the Target: Social engineering attacks (phishing, pretexting, baiting) exploit human psychology.
• Source of Error: Accidental misconfigurations, sharing passwords, and losing devices.
• Crucial for Defence: Employees who are well-trained and security-aware can be the first line of defence.
• Security Awareness Training: Essential for educating users about threats, policies, and best practices.
• Culture of Security: Fostering an environment where security is a shared responsibility.
• Discussion: Share an example of a breach caused by human error or social engineering.


Conclusion & Key Takeaways: Building a Resilient Digital Defence

• Computer security relies on a blend of foundational principles (CIA Triad).
• Various technologies (network, endpoint, data, database, cloud) implement these principles.
• Access Control is central to managing who can do what, with different models (DAC, MAC, RBAC, ABAC) offering varying levels of flexibility and control.
• Authentication, Authorisation, Cryptography, and Policies are all critical components.
• The human element is paramount and requires continuous attention.
• Effective security is a continuous, multi-faceted process.
