Security Principles

In this article, I explain the security principles used in cybersecurity.

Security Concepts of Information Security

CIA Triad:

The CIA triad (Confidentiality, Integrity, and Availability) is a widely used framework for describing and understanding security. It uses meaningful terms that make its purpose easier for management and users to grasp.

Confidentiality: Confidentiality pertains to protecting sensitive information from unauthorized disclosure. It ensures that only authorized individuals or entities can access the data. Techniques like encryption, access controls, and secure communication channels are employed to prevent unauthorized access or breaches. Personally Identifiable Information (PII) is a term related to the area of confidentiality. It pertains to any data about an individual that could be used to identify them. Other terms related to confidentiality are protected health information (PHI), which is information regarding one’s health status, and classified or sensitive information, which includes trade secrets, research, business plans, and intellectual property.

Integrity: Integrity guarantees the accuracy and completeness of data throughout its lifecycle. It ensures that the information remains consistent and trustworthy. Measures such as checksums, digital signatures, and access controls are implemented to detect and prevent unauthorized modifications, data corruption, or tampering. Data integrity is the assurance that data has not been altered in an unauthorized manner. This requires the protection of the data in systems and during processing to ensure that it is free from improper modification, errors, or loss of information and is recorded, used, and maintained in a way that ensures its completeness. Data integrity covers data in storage, during processing, and while in transit.
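The difference between a plain checksum and a keyed integrity check, as an added example that is not part of the original article. The key, the record and the function names are constructed for illustration, and HMAC-SHA-256 from the Python standard library stands in for a digital signature.

```python
import hashlib
import hmac

# Constructed sample data: a record and a shared secret key (assumptions).
KEY = b"constructed-demo-key-not-for-production"
RECORD = b"transfer:account=1001;amount=250.00"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest: catches accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes = KEY) -> str:
    """Keyed HMAC-SHA-256 tag: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def verify_mac(data: bytes, tag: str, key: bytes = KEY) -> bool:
    # compare_digest runs in constant time, so it leaks no timing hints.
    return hmac.compare_digest(mac(data, key), tag)


def demo() -> dict:
    stored_sum, stored_tag = checksum(RECORD), mac(RECORD)
    tampered = RECORD.replace(b"250.00", b"950.00")
    return {
        # Unmodified data passes both checks.
        "clean_checksum": verify_checksum(RECORD, stored_sum),
        "clean_mac": verify_mac(RECORD, stored_tag),
        # Modified data checked against the stored values fails both.
        "tampered_checksum": verify_checksum(tampered, stored_sum),
        "tampered_mac": verify_mac(tampered, stored_tag),
        # If the stored checksum is rewritten as well, the change passes ...
        "replaced_checksum": verify_checksum(tampered, checksum(tampered)),
        # ... but a tag made without the right key still fails.
        "forged_mac": verify_mac(tampered, mac(tampered, b"wrong-key")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A checksum stored next to the data it protects only guards against accidental errors; protection against unauthorized modification needs a secret or private key that the modifier does not hold.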

Availability: Availability ensures that information and resources are accessible and usable as required. It safeguards against disruptions, failures, or malicious attacks that could lead to unavailability or downtime. Techniques like redundant systems, data backups, disaster recovery plans, and robust network infrastructure are utilized to maximize availability and minimize service interruptions. The core concept of availability is that data is accessible to authorized users when and where it is needed and in the form and format required. This does not mean that data or systems are available 100% of the time. Instead, the systems and data meet the requirements of the business for timely and reliable access.

Authentication

Authentication is the process of verifying someone's identity to ensure they are who they claim to be. It involves providing credentials like passwords or fingerprints to prove authenticity and gain access to systems or information. It helps prevent unauthorized access and protects sensitive data from being compromised.

There are three common methods of authentication:

  1. Something you know: Passwords or passphrases

  2. Something you have: Tokens, memory cards, smart cards

  3. Something you are: Biometrics, measurable characteristics
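Two of these factors checked together, as an added example that is not part of the original article: a password (something you know) verified against a salted PBKDF2 hash, and a time-based one-time code (something you have) computed as in RFC 6238. The salt, iteration count, password, drift window and function names are assumptions made for illustration; the token secret is the RFC 6238 test value.

```python
import hashlib
import hmac
import struct

# Constructed enrollment data (assumptions, not from the article).
SALT = b"constructed-salt"
ITERATIONS = 100_000
PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery", SALT, ITERATIONS)
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test secret


def check_password(password: str) -> bool:
    """Something you know: compare a salted, slow hash, never the plaintext."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), SALT, ITERATIONS)
    return hmac.compare_digest(candidate, PASSWORD_HASH)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Something you have: code derived from the token secret and the clock."""
    counter = struct.pack(">Q", max(unix_time, 0) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def check_token(code: str, unix_time: int) -> bool:
    # Accept the previous, current and next time step to tolerate clock drift.
    return any(
        hmac.compare_digest(
            totp(TOTP_SECRET, unix_time + drift).encode(), code.encode())
        for drift in (-30, 0, 30)
    )


def authenticate(password: str, code: str, unix_time: int) -> bool:
    """Grant access only when both independent factors verify."""
    # Evaluate both so the result does not reveal which factor was wrong.
    knows = check_password(password)
    has = check_token(code, unix_time)
    return knows and has


if __name__ == "__main__":
    print(authenticate("correct horse battery", totp(TOTP_SECRET, 59), 59))
```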

Non-repudiation

Non-repudiation is a term used in legal contexts to describe the protection against individuals falsely denying their involvement in a specific action. It ensures the ability to verify whether someone performed a particular action, such as creating, approving, or transmitting information or messages.

Privacy

Privacy refers to the individual's right to control the collection, use, and disclosure of their personal information. It encompasses the ability to keep certain aspects of one's life and personal data confidential and protected from unauthorized access or intrusion. Privacy involves maintaining autonomy and having the power to decide how personal information is shared, with whom, and for what purposes. It is an essential aspect of personal freedom, security, and maintaining trust in various contexts, including online activities, healthcare, financial transactions, and everyday life.

Risk Management Terminology

  • An asset is anything that must be safeguarded.

  • A vulnerability is a gap or flaw in the efforts to safeguard an asset.

  • A threat is something or someone that attempts to exploit a vulnerability to frustrate security measures.

Risk Management Process

The process of identifying, assessing, and prioritizing risks to an organization's operations (including its mission, functions, image, and reputation), assets, personnel, other organizations, and even the nation is known as Risk Assessment.

Risk Treatment entails deciding on the appropriate course of action to take in response to the detected and prioritized risk. Decisions are made based on management's attitude toward risk and the availability — and expense — of risk reduction.

Risk Priorities: After identifying risks, it is time to prioritize and assess core risks using qualitative risk analysis and/or quantitative risk analysis. This is required to establish the root cause and narrow down apparent and core threats.

Risk Tolerance: Organizational risk tolerance varies, even within one organization: Different departments may have different views on what constitutes an acceptable or unacceptable degree of risk.

Security Controls

Security controls are the physical, technical, and administrative safeguards or countermeasures prescribed for an information system to protect the system's and its information's confidentiality, integrity, and availability. Controls should be put in place to decrease risk to an acceptable level.

  • Physical Controls use physical hardware devices such as badge readers, architectural elements of buildings and facilities, and particular security actions to be conducted by humans to satisfy process-based security needs. They often provide means of managing, guiding, or restricting people and equipment from moving across a specified physical place, such as an office suite, factory, or other facility.

  • Technical Controls are security measures that computer systems and networks proactively carry out (also known as logical controls). These controls can support security needs for applications and data and offer automatic defense against unauthorized access or misuse. They can also make it easier to find security violations.

  • Administrative Controls are directives, rules, or advisories addressed to employees. They establish rules, limits, and standards for human conduct and should apply to the entire spectrum of the organization's activities as well as its contacts with external parties and stakeholders.

Governance Concepts

  • Procedures are the exact processes required to accomplish a task following departmental or organizational policies.

  • Policies are put in place by organizational governance, such as executive management, to guide all activities to ensure that the organization supports industry standards and regulations.

  • Standards are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.

  • Regulations are frequently given in the form of laws, usually by the government, and usually entail financial consequences for violation.