what is information security?
Protecting data and information from unauthorised access, modification, disruption, disclosure and destruction
what is information systems security?
Protecting the systems (computers, servers, network devices) that hold and process critical data
what is the CIA triad? give an example
Confidentiality (encryption)
Integrity (checksums)
Availability (redundancy measures)
what is non repudiation
Guarantees that an action or event cannot be denied by the involved parties (digital signatures)
what is the CIANA Pentagon?
An extension of the CIA triad with the addition of non repudiation and authentication
what is the triple A of security
security control categories:
Technical
Managerial
Operational
Physical
security control types
Preventative
Deterrent
Detective
Corrective
Compensating
Directive
what is zero trust model
Operates on the principle that no one should be trusted by default
how do we achieve zero trust
Control plane
Data plane
what is a control plane
Adaptive identity, threat scope reduction, policy driven access control and secured zones
what is data plane
Subject/system, policy engine, policy administrator and establishing policy enforcement points
Threats and vulnerabilities
what are threats?
Anything that can cause harm, loss, damage or compromise to our information technology systems
Examples:
Natural disaster
Cyber attacks
Data integrity breaches
Disclosure of confidential information
what are vulnerabilities?
Any weakness in the system design or implementation
Comes from internal factors like the following:
Software bugs
Misconfigured software
Improperly protected network devices
Missing security patches
Lack of physical security
what is the relationship between threats and vulnerabilities?
If you have threats but no matching vulnerability there’s no risk
If you have vulnerabilities but no matching threat there’s no risk
What is risk management
finding different ways to minimise the likelihood of an outcome and achieve the desired outcome
What is confidentiality
protection of information from unauthorised access and disclosure
ensure that private or sensitive information is not available or disclosed to unauthorised individuals, entities or processes
Why is confidentiality important
protect personal privacy
maintain a business advantage
achieve regulatory compliance
What are the 5 methods to ensure confidentiality
encryption (converting data into code to prevent unauthorised access)
access controls (setting up strong user permissions ensures only authorised personnel can access certain data types)
data masking (obscuring specific data within a database so that it's inaccessible for unauthorised users while retaining the real data's authenticity and use for authorised users)
physical security measures (physical types of data such as paper records in filing cabinets and digital information in servers and workstations)
training and awareness (conduct regular training on the security awareness best practices that employees can use to protect their organisation's sensitive data)
what is Integrity
Helps ensure that information and data remain accurate and unchanged from its original state unless intentionally modified by an authorised individual
Verifies accuracy and trustworthiness of data over the entire lifecycle
importance of integrity
Ensure data accuracy
Maintain trust
Ensure system operability
five methods of integrity
Hashing (process of converting data into fixed sized value)
Digital signatures (integrity and authenticity)
Checksums (verify the integrity of data during transmission)
Access control (only authorised individuals can modify data, reducing the risk of unintentional or malicious alterations)
Regular audits (systematically reviewing logs and operations to ensure only authorised changes have been made; any discrepancies are immediately addressed)