

BETC Security Introduction

The document outlines key concepts in IT security, emphasizing the importance of protecting personal and corporate data from various threats. It introduces the CIA triad (Confidentiality, Integrity, Availability) as a foundational principle for developing security policies and highlights the challenges faced in maintaining effective cybersecurity. Additionally, it discusses the need for a balanced approach to security that considers functionality and user experience.

Uploaded by

hamzaabosief

Security Instructor: Sara AL-Salameen

TOPICS
• Introduction to security
• Security Concepts
• Risks to IT security
• IT security solutions
• Mechanisms to control organizational IT security
• Organizational security
Basic Principles of Security
Why Should You Be Concerned
o Personal data
o Credit information
o Medical information
o Purchasing history
o Corporate information

DEFINITIONS
Introduction
• Computers and digital devices are becoming integral to conducting business, which also makes them a target of attack.
• Devices need to be secured.
• Networks that computers and devices use should also be secured.
Security
• Nothing is ever completely or truly secure. There is always a way around or through any security precaution that we construct.
• Security talks about “hardening” systems and resources
  o Making it harder to hack
  o If it’s too much of a hassle, then only a small percentage will even try…
• There is no perfect security
  o But adding layers of security ensures that the overall security can be made adequate for the requirements…
[Diagram: layers Data, Application, Host, Network, labelled “Threats to security”. Caption: “Hmmm, now why does this diagram look so familiar?”]
THE MAIN PLAYERS
[Figure: Alice, Bob and Eve?]
DEFINITIONS
Computer security deals with computer-related assets that are subject to a variety of
threats and for which various measures are taken to protect those assets.
• Three fundamental questions:
1. What assets do we need to protect?
2. How are those assets threatened (vulnerable)?
3. What can we do to counter those threats?

Network Security - measures to protect data during their transmission. Network security is a term that
describes the policies and procedures implemented by a network administrator to avoid and keep
track of unauthorized access, exploitation, modification, or denial of the network and network
resources.
Internet Security - measures to protect data during their transmission over a collection of
interconnected networks.
DEFINITIONS
Internet security is a branch of computer security that deals specifically with
Internet-based threats. These include hacking, where unauthorized users gain
access to computer systems, email accounts or websites; viruses and other
malicious software (malware), which can damage data or make systems vulnerable
to other threats.
The field of network and Internet security consists of measures to deter,
prevent, detect, and correct security violations that involve the transmission of
information. That is a broad statement that covers a host of possibilities.
ANOTHER DEFINITION
Information security can be thought of as the protection of the information system
and its resources against accidental or intentional disclosure of confidential data,
unlawful modification of data or programs, the destruction of data, software or
hardware, and ensuring non-repudiation.
Information systems security- refers to the processes and methodologies involved
with keeping information confidential, available, and assuring its integrity.
Computer Security
• Protection afforded to an automated information system in order to attain the
applicable objectives of preserving the integrity, availability and confidentiality of
information system assets.
• Computer security imposes requirements on computers that are different from
most system requirements because they often take the form of constraints on
what computers are not supposed to do.
ASSETS OF A COMPUTER SYSTEM
• Hardware
• Software
• Data
• Communication facilities and networks
ASSETS OF A COMPUTER SYSTEM
The assets of a computer system can be categorized as follows:
• Hardware: Including computer systems and other data processing,
data storage, and data communications devices
• Software: Including the operating system, system utilities, and
applications.
• Data: Including files and databases, as well as security-related data,
such as password files.
• Communication facilities and networks: Local and wide area
network communication links, bridges, routers, and so on.
Computer Security
• This makes computer security particularly challenging because it is hard
enough just to make applications do everything they are designed to do
correctly.
• Furthermore, negative requirements are deceptively complicated to satisfy
and require exhaustive testing to verify, which is impractical for most computer
programs.
• For this reason, computer security is often a more technical and mathematical
field than some other computer science fields.
• Negative requirements: what the systems should not do.
Documentation of the security requirements:
• It is a document that specifies the security requirements that must be met in the system or application to ensure its protection from security threats and risks.
• This document is considered part of the software or systems development process and contributes to designing a secure system that meets customer needs and protects data from unauthorized access, manipulation, or loss.
• Make the security requirements visible.
• Show which security requirements are high priority.
• The requirements should focus on what should be achieved, not how.
• Negative requirements (“It should not be possible to”) should be avoided.
• Example of a good security requirement: “Only hashed passwords shall be stored in the user database”
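The requirement quoted above states what must hold rather than how, which makes it directly checkable. As an added example (not part of the original slides), the Python sketch below stores credentials as salted PBKDF2-HMAC-SHA256 hashes and audits a user table for rows that break the requirement; the `users` table layout, the record format and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed work factor for this example, not from the slides

def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # not a record in the expected format (e.g. plaintext)
    if scheme != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)

def is_hashed_record(stored: str) -> bool:
    """True only for a well-formed record: scheme, 16-byte salt, 32-byte digest."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2_sha256":
        return False
    hexdigits = set("0123456789abcdef")
    return len(parts[1]) == 32 and len(parts[2]) == 64 and set(parts[1] + parts[2]) <= hexdigits

def rows_violating_requirement(db: sqlite3.Connection) -> list:
    """Audit: usernames whose stored credential is not a hashed record."""
    rows = db.execute("SELECT username, credential FROM users ORDER BY username")
    return [user for user, stored in rows if not is_hashed_record(stored)]

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one compliant row and one legacy plaintext row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, credential TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct horse")))
    db.execute("INSERT INTO users VALUES (?, ?)", ("bob", "hunter2"))  # violates the requirement
    return db

if __name__ == "__main__":
    print("rows violating the requirement:", rows_violating_requirement(build_demo_db()))
```

An audit like `rows_violating_requirement` can run as a release test, which is what turns the written requirement into something visible and verifiable.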
Typical approaches to improving computer security can include the following:
• Physically limit access to computers to only those who will not compromise security.
• Hardware mechanisms that impose rules on computer programs, thus avoiding depending on computer programs for computer security.
• Operating system mechanisms that impose rules on programs to avoid trusting computer programs.
• Programming strategies to make computer programs dependable and resist subversion.
Cybersecurity
• Cyber Security is the process and techniques involved in protecting sensitive data, computer
systems, networks and software applications from cyber attacks.
• Information Security is the protection of information and information systems from
unauthorized access, use, disclosure, disruption, modification or destruction in order
to provide confidentiality, integrity and availability (more on these later).
• Cybersecurity is a challenging job that requires attention to detail at the same time as it
demands a higher-level awareness of what’s going on.
• However, like many tasks that seem complex at first glance, Cybersecurity can be broken down into
basic steps / procedures that can simplify the process.
Cybersecurity Concepts
• Knowledge of the following key basic principles, definitions, features, and concepts is helpful to all actors involved in cybersecurity.
• Strong IT or software/coding background (or both, although rare)
• CIA Triad (Confidentiality, Integrity, Availability) principles
• Identity and Access Management services
Cybersecurity Reality
Reality and Core challenges
• All cybersecurity professionals must come to terms with the reality of the cyber world, where breaches and sophisticated, ever-changing attacks are inevitable.
• Security must be affordable
• Understanding what happens at the endpoint is a necessity.
Detection of Malicious Activities
• Breaches and compromises will occur
• Focus on detecting the common elements of malicious activity, not malware.
• Malicious cyber actors have learned to leverage common IT administration tools, tactics, and technologies to carry out their attacks.
Analysis and Monitoring
• Log analysis is time-consuming, technically demanding, and often expensive.
• Asset visibility is crucial to effective cybersecurity.
• IT/IS and IoT security must be integrated.
• Network-based monitoring and detection is the near-term solution to IoT security.
Rapid Response
• Response is required
• Detection instead of prevention
• Detection and response must be faster
Cybersecurity challenges
1. Security not simple to design, implement or maintain over time
   • Can’t just implement and forget. Security solutions have to be tested, verified, monitored and constantly tweaked as changes happen in the environment
   • Mechanisms and solutions can be quite complex and subtle to integrate within environment
2. Must consider all potential risks, attacks and threat vectors
   • Remember, you need to know all the potential access points and methods to protect. Hacker only needs to find … one!
3. Procedures used are typically counter-intuitive for users / apps
   • Users want total, quick access and low hassles
   • Security widely regarded as impediment to using systems by users
Cybersecurity challenges
4. Security mechanisms may involve complex algorithms and secret info
   • Complex systems are complex to implement and maintain
   • If it’s secret, not everyone knows about it and protecting it might be harder because of it
5. Must decide where & how to best deploy security mechanisms / procedures
   • Wrong place and you’ve left a “door” open or you’re protecting the wrong thing(s)
6. Constant battle of wits between attacker / admin
   • Hackers are always working to stay ahead of the “learning curve” and share their knowledge
   • Security admins and practitioners work hard to get the job done, but have little-to-no time to dedicate to upgrading their skills/knowledge and don’t share as much as they should
   • Who do you think has more free time in their day to play, learn and explore ?!?!
Cybersecurity challenges
7. No perceived benefit until security fails
   • We’re spending $30k for protection against something that MIGHT happen?!?!
   • No one says thank you when things work properly – it’s expected! But gods forbid something goes wrong and see how fast the finger-pointing starts!!
8. Too often an after-thought to IT implementations
   • Not unusual to create networks/systems/processes and THEN realise it needs security after.
   • IT is notorious for making on-the-fly changes to systems and not notifying other areas/departments of the upcoming specifics of the changes – makes it hard to test and/or anticipate security concerns about the change!
CIA Triad Elements & The Cube
Security Balancing Act
In this day and age of “customer satisfaction”.
• Security is considered to be a balancing act between:
  o Security Concerns
  o Functionality
  o Ease of Use
• One of the main reasons organizations may have security issues is that:
  o As you increase security, you decrease functionality
  o As you increase ease of use, functionality can increase but security can suffer
  o Functionality is what keeps companies in business, but it impedes security
The CIA Triad
• CIA helps to define what you are trying to protect using 3 elements
  o Confidentiality
  o Integrity
  o Availability
  o Also High-Availability
All 3 elements are important, but there is usually one that’s more important
Confidentiality, Integrity, Availability (CIA)
• CIA helps to define what you are trying to protect using 3 elements:

Confidentiality:
• Safeguards information from being accessed by individuals without the proper clearance, access level, and need to know.
• Keeping sensitive information private.
• Encryption services can protect your data at rest or in transit and prevent unauthorized access to protected data.
Confidentiality, Integrity, Availability (CIA)
Integrity:
• Results from the protection against unauthorized modification or destruction of information.
• Is the consistency of data, networks, and systems.
• This includes mitigation and proactive measures to restrict unapproved changes, while also having the ability to recover data that has been lost or compromised.
Confidentiality, Integrity, Availability (CIA)
Availability: Information services are accessible when they are needed.
• Authentication means a security measure that establishes the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.
• Availability refers to authorized users that can freely access the systems, networks, and data needed to perform their daily tasks.
• Resolving hardware and software conflicts, along with regular maintenance, is crucial to keep systems up and available.
The CIA triad
Confidentiality: Who is authorized to use data?
Integrity: Is data “good”?
Availability: Can we access data whenever we need it?
[Figure: triangle labelled C, I and A, with S]
The CIA triad
• All 3 elements are important, but there is usually one that’s more important than the rest for a given situation or implementation.
• The balancing act involves moving the target within the triangle
• N.B.: CIA2 adds Accountability to the equation
• There is now talk of adding Accountability and Authenticity as well
How do you use the CIA triad?
• Confidentiality, integrity and availability together are considered the three most important concepts within information security.
• They help guide the development of security policies for organizations.
• Thinking of the CIA triad's three concepts together as an interconnected system, rather than as independent concepts, can help organizations understand the relationships between the three.
• When you get a new application or service, ask if this will affect the confidentiality, integrity, and availability of the data it touches. Focus on one leg of the triad at a time.
• Understanding the CIA triad will help you get started on your journey into cyber security.
Special challenges for the CIA triad
• Big data poses challenges to the CIA paradigm because of the sheer volume of information that organizations need safeguarded.
• The multiplicity of sources that data comes from
• The variety of formats in which it exists.
Need to balance CIA
Example 1: C vs. I+A
• Disconnect computer from internet to increase confidentiality
• Availability suffers, integrity suffers due to lost updates.

Example 2: I vs. C+A
• Have extensive data checks by different people/systems to increase integrity.
• Confidentiality suffers as more people see data, availability suffers due to locks on data under verification.
Best practices for implementing the CIA triad
Confidentiality:
• Data should be handled based on the organization's required privacy.
• Data should be encrypted.
• Keep access control lists and other file permissions up to date.
Integrity:
• Ensure employees are knowledgeable about compliance and regulatory requirements to
minimize human error.
• Use backup and recovery software.
• To ensure integrity, use version control, access control, security control, data logs and
checksums.
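One way to apply the checksum practice listed above, as an added example that is not part of the original slides: a manifest of SHA-256 checksums is compared against the current data to report modified, missing and unexpected records. It goes one step beyond the slide by also supporting a keyed checksum (HMAC), because a plain checksum kept next to the data can be regenerated by whoever changed the data; the record names, contents and key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample data; names and contents are made up for this example.
RECORDS = {
    "payroll.csv": b"emp_id,amount\n1001,4200\n1002,3900\n",
    "acl.conf": b"finance: read,write\nstaff: read\n",
}

def fingerprint(data: bytes, key: Optional[bytes] = None) -> str:
    """SHA-256 checksum, or HMAC-SHA256 when a secret key is supplied."""
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_manifest(records: Dict[str, bytes], key: Optional[bytes] = None) -> Dict[str, str]:
    """Record one fingerprint per item; store the result away from the data."""
    return {name: fingerprint(data, key) for name, data in records.items()}

def audit(records: Dict[str, bytes], manifest: Dict[str, str],
          key: Optional[bytes] = None) -> Dict[str, str]:
    """Compare the current records with a trusted manifest."""
    report = {}
    for name, expected in manifest.items():
        if name not in records:
            report[name] = "missing"
        elif hmac.compare_digest(fingerprint(records[name], key), expected):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in sorted(set(records) - set(manifest)):
        report[name] = "unexpected"
    return report

def changed_copy() -> Dict[str, bytes]:
    """RECORDS after one value is edited, one item deleted and one item added."""
    current = dict(RECORDS)
    current["payroll.csv"] = current["payroll.csv"].replace(b"3900", b"9300")
    del current["acl.conf"]
    current["notes.txt"] = b"new file\n"
    return current

if __name__ == "__main__":
    trusted = build_manifest(RECORDS)
    for name, status in audit(changed_copy(), trusted).items():
        print(f"{name}: {status}")
```

With a key held outside the system being checked, a manifest rebuilt without that key fails the audit, so the check also covers deliberate changes and not only accidental corruption.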
Best practices for implementing the CIA triad
Availability:
• Use preventive measures such as redundancy, failover and RAID. Ensure systems
and applications stay updated.
• Use network or server monitoring systems.
• Ensure a data recovery and business continuity (BC) plan is in place in case of data
loss.
Sensitive Data
Sensitive data is confidential information that must be kept safe and out of reach from all
outsiders unless they have permission to access it.
Access to sensitive data should be limited through sufficient data security and information
security practices designed to prevent data leaks and data breaches.
Types of sensitive information include:
Personnel
Financial
Payroll
Medical
Privacy Act information.
The Hacker’s Triad
Hackers have created their own version of the triad called the DAD

• Disclosure
  o Attempts to defeat confidentiality
• Alteration
  o Attempts to defeat integrity
• Destruction
  o Attempts to defeat availability

The security conundrum:
• If I don’t protect it, they can get to it.
• But if it is well protected, it might identify something worth getting at by virtue of it being protected!
The Hacker’s Triad
The CIA Triad is being discussed as part of “The Three Dimensions of the Cybersecurity Cube”.

The first dimension of the cybersecurity cube identifies the goals to protect the cyber world
(Principles of Security).
The goals identified in the first dimension are the foundational principles of the cybersecurity
world - the 3 areas of the CIA Triad / Security Principles
Confidentiality, Integrity and Availability.

The principles provide focus and enable cybersecurity specialists to prioritize actions in
protecting the cyber world.
The Hacker’s Triad
The second dimension of the cybersecurity cube focuses on the problems of
protecting all of the states of data in the cyber world.
• The sorcery cube identifies the three states of data (information states):
Transmission, Storage, Processing.

The third dimension of the cybersecurity sorcery cube defines the types of
powers used to protect the cyber world.
The Cybersecurity Cube
• The sorcery cube identifies the three types of powers / countermeasures:
  o Technologies – devices and products available to allow employees to do their jobs, protect critical IS/IT systems, and fend off cybercriminals.
  o Policies and Best Practice - procedures, and guidelines that enable the citizens of the cyber world to stay safe and follow good practices.
  o People - aware and knowledgeable about their world, the dangers that threaten their world, and the dangers of poor management of private and protected information while using the above technologies.
END OF WEEK ONE
