Cyber Risk Analysis - Salem73616C656D/reading-notes GitHub Wiki

Key Takeaways

The two primary objectives of information security within the organization from a risk management perspective include:

Have controls in place to support the mission of the organization.
All decisions should be based on the organization's risk tolerance and on cost versus benefit.

Security Fundamentals

Confidentiality: Prevent unauthorized disclosure

Confidentiality of information refers to protecting the information from disclosure to unauthorized parties.

Key areas for maintaining confidentiality:

Social Engineering: Training and awareness, defining Separation of Duties at the tactical level, enforcing policies and conducting Vulnerability Assessments
Media Reuse: Proper Sanitization Strategies
Eavesdropping: Use of encryption and keeping sensitive information off the network with adequate access controls

Integrity: Detect modification of information

The integrity of information denotes protecting the sensitive information from being modified by unauthorized parties.

Key areas for maintaining integrity:

Encryption: integrity-based algorithms
Intentional or Malicious Modification
    Message Digest (Hash)
    MAC
    Digital Signatures
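The list above names three integrity mechanisms but does not show why a plain hash is not enough against intentional modification. The following is an added example (not from the original notes) using only the Python standard library: an unkeyed SHA-256 digest catches a changed message only while the digest itself cannot be replaced, whereas an HMAC requires the shared key, so a modified message cannot be given a valid tag by anyone without that key. Digital signatures give the same protection with an asymmetric key pair (plus non-repudiation) and are not shown because the standard library has no signing primitive. The message, the tampered variant and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the notes).
MESSAGE = b"transfer 100.00 to account 4471"
TAMPERED = b"transfer 900.00 to account 4471"
SECRET_KEY = b"demo-key-do-not-use-in-production"  # in practice, from a secrets store
WRONG_KEY = b"some-other-key"


def digest(message: bytes) -> str:
    """Unkeyed message digest (the 'Message Digest (Hash)' item)."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, expected_hex: str) -> bool:
    # compare_digest avoids leaking information through comparison timing.
    return hmac.compare_digest(digest(message), expected_hex)


def mac(message: bytes, key: bytes) -> str:
    """Keyed tag: HMAC-SHA256 (the 'MAC' item)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, key: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(mac(message, key), expected_hex)


def run_scenarios() -> dict:
    """Each value is True when the receiver detects the modification."""
    sent_digest = digest(MESSAGE)
    sent_mac = mac(MESSAGE, SECRET_KEY)
    return {
        # Message altered in transit, digest left untouched: the hash catches it.
        "hash_catches_changed_message": not verify_digest(TAMPERED, sent_digest),
        # Message altered AND digest recomputed: the hash alone cannot tell,
        # because computing a digest needs no secret. This is why a bare hash
        # protects against accidental corruption, not malicious modification.
        "hash_catches_recomputed_digest": not verify_digest(TAMPERED, digest(TAMPERED)),
        # Message altered, original tag kept: HMAC verification fails.
        "mac_catches_changed_message": not verify_mac(TAMPERED, SECRET_KEY, sent_mac),
        # Message altered and a tag computed without the real key: still fails.
        "mac_catches_wrong_key_tag": not verify_mac(TAMPERED, SECRET_KEY, mac(TAMPERED, WRONG_KEY)),
        # Sanity check: the unmodified message still verifies.
        "mac_accepts_original": verify_mac(MESSAGE, SECRET_KEY, sent_mac),
    }


if __name__ == "__main__":
    for name, detected in run_scenarios().items():
        print(f"{name:32s} {'detected' if detected else 'NOT detected'}")
```

Run it and the only scenario reported as not detected is the one where both message and digest were replaced; that gap is what the keyed MAC (or a digital signature) closes.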

Availability: Provide timely and reliable access to resources

Availability of information signifies ensuring that all the required or intended parties are able to access the information when needed.

Key areas for maintaining availability:

Prevent single point of failure
Comprehensive fault tolerance (Data, Hard Drives, Servers, Network Links, etc.)

Best Practices

Separation of Duties: Prevents any one person from becoming too powerful within an organization. This policy also provides singleness of focus. For instance, a network administrator who is concerned with providing users access to resources should never be the security administrator. This policy also helps prevent collusion as there are many individuals with discrete capabilities. Separation of Duties is a preventative control.

Mandatory Vacations: Prevents an operator from having exclusive use of a system. Periodically, that individual is forced to take a vacation and relegate control of the system to someone else. This policy is a detective control.

Job rotation: Similar in purpose to mandatory vacations, but with the added benefit of cross-training employees.

Least privilege: Allowing users to have only the required access to do their jobs.

Need to know: In addition to clearance, users must also have “need to know” to access classified data.

Dual control: Requiring more than one user to perform a task.

Vocabulary

No new vocabulary