This lesson is going to outline some of the fundamental principles of information security, including the CIA triad and security models.
Let’s start our daily #FromZeroToHacker challenge.
Table of contents |
Introduction |
What have I learnt today? |
Stats |
Resources |
Introduction to Principles of security
This lesson outlines some of the fundamental principles of information security, from the frameworks used to protect data and systems to the elements that make data secure.
The measures, frameworks and protocols discussed here each play a small part in defence in depth: the use of multiple, varied layers of security that provide redundancy in an organisation's security perimeter, so that no single control is a single point of failure.
What have I learnt today?
The CIA triad
As we saw 2 lessons ago, the CIA Triad is an information security model consisting of three sections: Confidentiality, Integrity and Availability.
The triad is a continuous cycle rather than a one-off checklist. The three elements overlap, but if any one of them is not met the other two lose most of their value (like the sides of a triangle), and a security policy that does not address all three is incomplete.
Confidentiality
Confidentiality protects data from unauthorised access and misuse: sensitive data is kept from the parties it is not intended for.
For example, employee records are highly sensitive, so confidentiality is provided by allowing only vetted HR administrators to access them, behind tight access controls. Accounting records are less sensitive, so less stringent access controls can be acceptable for them.
Integrity
Integrity is the condition in which information is kept accurate and consistent, and changes only when an authorised party makes them. It is maintained when data remains unaltered while stored, in transit and in use, apart from those authorised modifications.
Access control and rigorous authentication keep unauthorised users out and stop authorised users from making changes outside their remit. Hash verification and digital signatures help to ensure that files and transactions are authentic and have not been modified or corrupted. One caveat a practitioner should keep in mind: a plain hash only catches accidental corruption or modification by someone who cannot also replace the stored hash, because an attacker who can rewrite both the data and its hash simply recomputes it. When the attacker may control both, a keyed MAC or a digital signature is required.
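The following is an added example written for this post, not code from the original lesson or from TryHackMe. It shows the difference just described on a constructed account record: a SHA-256 digest detects tampering only when the attacker cannot also replace the stored digest, whereas an HMAC computed with a secret key (generated here with `secrets`) cannot be forged by an attacker who does not hold that key. The record contents and the "attacker-guess" key are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the lesson): one accounting line.
RECORD = b"account=1042;balance=500.00;currency=EUR"


def sha256_digest(data: bytes) -> str:
    """Unkeyed digest: detects corruption or modification only if the
    attacker cannot also overwrite the stored digest."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_digest(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: only holders of `key` can produce a tag that verifies,
    so rewriting the record without the key leaves a mismatched tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    # compare_digest is constant-time, so the comparison does not leak
    # how many leading bytes of the tag were correct.
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


def tamper(record: bytes) -> bytes:
    """Simulated unauthorised change: inflate the balance."""
    return record.replace(b"balance=500.00", b"balance=9500.00")


def demo() -> dict:
    key = secrets.token_bytes(32)  # held by the legitimate system only
    stored_digest = sha256_digest(RECORD)
    stored_tag = hmac_tag(key, RECORD)

    modified = tamper(RECORD)
    results = {
        # Untouched data passes both checks.
        "original_digest_ok": verify_digest(RECORD, stored_digest),
        "original_tag_ok": verify_tag(key, RECORD, stored_tag),
        # A silent modification is caught by both checks.
        "tampered_digest_ok": verify_digest(modified, stored_digest),
        "tampered_tag_ok": verify_tag(key, modified, stored_tag),
    }
    # Attacker with write access to the data AND the stored checksum:
    # recomputing a plain hash is trivial; forging the HMAC needs the key.
    attacker_digest = sha256_digest(modified)
    attacker_tag = hmac_tag(b"attacker-guess", modified)  # assumed wrong key
    results["attacker_forged_digest_ok"] = verify_digest(modified, attacker_digest)
    results["attacker_forged_tag_ok"] = verify_tag(key, modified, attacker_tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same reasoning applies to a digital signature, which additionally lets a third party verify the tag without sharing the secret key.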
Availability
Data must be available and accessible to authorised users whenever they need it.
Availability is a key benchmark for an organisation, for example a target of 99.99% uptime for its websites or systems. It is achieved through many elements, including:
- Having reliable and well-tested hardware.
- Having redundant technology and services in case of failure.
- Implementing well-designed, well-tested security protocols to protect technology and services from attack.
Principles of privileges
We need to define and administer the various levels of access to information. The level of access is determined by two factors:
- The individual’s role or function within the organisation.
- The sensitivity of the information being stored on the system.
Two concepts are used to assign and manage the access rights of individuals: Privileged Identity Management (PIM) and Privileged Access Management (PAM).
PIM translates a user's role within the organisation into an access role on a system. PAM manages the privileges that the system's access role carries.
Users should be granted only the minimum privileges needed to do their job; this is the principle of least privilege.
PAM covers more than assigning access: it also enforces security policies such as password management and auditing, and works to reduce the attack surface a system exposes.
Security models continued
Formal security models describe how the elements of the CIA triad (Confidentiality, Integrity and Availability) can be enforced. Two of them are covered here, one for confidentiality and one for integrity:
The Bell-La Padula model
This model is used to achieve confidentiality. It assumes a hierarchical organisation in which everyone's roles and responsibilities are well defined, so that each subject (user) can be given a clearance and each object (piece of data) a classification.
It grants access to objects strictly on a need-to-know basis, following the rule "no read up, no write down": a subject may read objects at or below its own clearance level, and may write only to objects at or above it, so that classified information cannot be copied into a lower-classified object.
The Bell-LaPadula model is popular with organisations such as governments and the military, where members are vetted and therefore considered trustworthy.
Biba model
This is the counterpart of the Bell-LaPadula model for the integrity element of the CIA triad.
It applies to objects (data) and subjects (users) a rule that can be summarised as "no write up, no read down": a subject may create or write to objects at or below its own integrity level, but may only read objects at or above it, so that low-integrity data cannot contaminate higher-integrity data.
The Biba model is used in organisations or situations where integrity matters more than confidentiality, for example in software development, where developers have access only to the code necessary for their job and not to critical pieces such as databases.
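As an added illustration of both models above (written for this post, not part of the TryHackMe lesson), the block below encodes the Bell-LaPadula and Biba read/write rules over a small ordered set of labels and routes every access decision through one `mediate` function, the way a reference monitor would. The label names (PUBLIC, INTERNAL, CONFIDENTIAL, SECRET) are a constructed example; `duality_holds` checks the point the text makes, that Biba is Bell-LaPadula with the direction of each rule flipped.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Ordered labels (constructed example, not from the lesson).
    For Bell-LaPadula they mean sensitivity: a subject's clearance or an
    object's classification. For Biba they mean trustworthiness."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Bell-LaPadula (confidentiality): "no read up, no write down"
def blp_can_read(subject: Level, obj: Level) -> bool:
    # simple security property: read only at or below own clearance
    return subject >= obj


def blp_can_write(subject: Level, obj: Level) -> bool:
    # *-property: write only at or above own clearance, so secret data
    # cannot be copied into a public object
    return subject <= obj


# Biba (integrity): "no write up, no read down"
def biba_can_read(subject: Level, obj: Level) -> bool:
    # simple integrity property: read only at or above own level, so
    # untrusted input cannot contaminate a trusted subject
    return subject <= obj


def biba_can_write(subject: Level, obj: Level) -> bool:
    # *-integrity property: write only at or below own level
    return subject >= obj


POLICIES = {
    "bell-lapadula": {"read": blp_can_read, "write": blp_can_write},
    "biba": {"read": biba_can_read, "write": biba_can_write},
}


def mediate(model: str, subject: Level, op: str, obj: Level) -> bool:
    """Single decision point for every access. Unknown models or operations
    are rejected rather than silently allowed (fail closed)."""
    rules = POLICIES.get(model)
    if rules is None or op not in rules:
        raise ValueError(f"unknown model/operation: {model}/{op}")
    return rules[op](subject, obj)


def access_matrix(model: str) -> dict:
    """Map (subject level, object level) to 'r', 'w', 'rw' or '-'."""
    matrix = {}
    for subject, obj in product(Level, Level):
        r = "r" if mediate(model, subject, "read", obj) else ""
        w = "w" if mediate(model, subject, "write", obj) else ""
        matrix[(subject, obj)] = (r + w) or "-"
    return matrix


def duality_holds() -> bool:
    """Biba reads exactly where Bell-LaPadula writes, and vice versa."""
    return all(
        biba_can_read(s, o) == blp_can_write(s, o)
        and biba_can_write(s, o) == blp_can_read(s, o)
        for s, o in product(Level, Level)
    )


if __name__ == "__main__":
    for model in POLICIES:
        print(f"{model}: rows = subject level, columns = object level")
        m = access_matrix(model)
        print(" " * 13 + " ".join(f"{o.name:>12}" for o in Level))
        for s in Level:
            print(f"{s.name:>12} " + " ".join(f"{m[(s, o)]:>12}" for o in Level))
    print("biba is the dual of bell-lapadula:", duality_holds())
```

Reading the two matrices side by side shows why the models are rarely used alone: under Bell-LaPadula a SECRET-cleared analyst cannot write a note into a PUBLIC file, and under Biba the same analyst cannot read a PUBLIC file at all, so real systems typically combine one of them with discretionary controls.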
Threat modelling and incident response
Threat modelling is the process of reviewing, improving and testing the security protocols in place in an organisation.
A critical stage of the threat modelling process is identifying likely threats and vulnerabilities that an application or system may face.
The threat modelling process is similar to a workplace risk assessment made for employees and customers:
- Preparation
- Identification
- Mitigations
- Review
An effective threat model includes:
- Threat intelligence
- Asset identification
- Mitigation capabilities
- Risk assessment
There are frameworks that tackle this, such as STRIDE (Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of service and Elevation of privilege) and PASTA (Process of Attack Simulation and Threat Analysis). STRIDE in more detail, with the security property each threat attacks:
- Spoofing: impersonating a user, system or process; attacks authentication.
- Tampering: unauthorised modification of data at rest or in transit; attacks integrity.
- Repudiation: a party denying having performed an action; attacks non-repudiation (logging and auditing).
- Information disclosure: exposing data to parties not meant to see it; attacks confidentiality.
- Denial of service: making a system or service unavailable to legitimate users; attacks availability.
- Elevation of privilege: gaining capabilities beyond those granted; attacks authorisation.
Despite all the security controls we may put in place, incidents (breaches of security) still happen. The actions taken to handle and remediate them are known as Incident Response (IR). Incidents are classified by a rating of their urgency and their impact, which together determine the priority of the response.
An incident is handled by a Computer Security Incident Response Team (CSIRT). To resolve an incident successfully, they follow the six phases of Incident Response:
- Preparation: having the people, tools and plans in place before an incident occurs.
- Identification: detecting the incident, confirming that it is one, and determining how it happened.
- Containment: limiting the damage so that it does not spread to other systems.
- Eradication: removing the threat from the affected systems.
- Recovery: restoring the affected systems to normal operation.
- Lessons learned: reviewing what happened and what should be improved for next time.
Summary
In this lesson we have learnt about:
- The CIA triad.
- Principles of privileges.
- Security models used by organisations.
- Threat modelling.
- Incident response phases.
Stats
From 86.165th to 82.639th. Still at the top 4%!
Here is also the Skill Matrix:
Resources
Path: Jr Penetration tester
Introduction to Pentesting
TryHackMe: Principles of Security