Day 050 #FromZeroToHacker – Principles of security

This lesson is going to outline some of the fundamental principles of information security, including the CIA triad and security models.

Let’s start our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Principles of security

This lesson outlines some of the fundamental principles of information security, from the frameworks used to protect data and systems to the elements that make data secure.

The measures, frameworks and protocols discussed here each play a small part in Defense in depth: the use of multiple, varied layers of security that provide redundancy in an organisation's security perimeter, so that the failure of any single control does not expose the whole system.

What have I learnt today?

The CIA triad

As we saw two lessons ago, the CIA Triad is an information security model with three elements: Confidentiality, Integrity and Availability.

CIA Triad

The three elements overlap and reinforce one another, but if even one of them is not met, the other two are rendered useless, much as a triangle collapses without one of its sides. A security policy that does not address all three is incomplete.

Confidentiality

Confidentiality protects data from unauthorised access and misuse. To provide confidentiality is to keep sensitive data away from the parties it is not intended for.

Employee records and accounting documents are both sensitive, but to different degrees. Confidentiality of employee records is provided by allowing only HR administrators to access them, with vetting and tight access controls in place. Accounting records are less sensitive, so less stringent controls are acceptable.

Integrity

Integrity is the condition in which information is kept accurate and consistent, changing only through authorised modifications. It is maintained when information remains unaltered while stored, transmitted and used, apart from those authorised changes.

Access control and rigorous authentication stop users, authorised ones included, from making changes they are not permitted to make. Hash verification detects that data has been altered; digital signatures go further and prove who authorised a transaction, so it cannot be forged or later denied.
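As an added example (not code from the TryHackMe room), the following Python shows the two integrity mechanisms just mentioned on a stored record: a plain SHA-256 digest catches any change, while an HMAC-SHA256 tag stands in for a digital signature and also binds the record to the holder of a key. The record, its tampered copy and the key are constructed for the example.

```python
"""Integrity checks for a stored record.

A plain hash detects that data changed; an HMAC (a keyed stand-in for a
digital signature) additionally proves the data was produced by a key
holder, so an attacker who rewrites the record cannot also fix the tag.

Added example for this write-up; not code from the TryHackMe room. The
record, the tampered copy and the key are constructed inline."""
import hashlib
import hmac

# Constructed sample: an employee record as written to storage.
ORIGINAL_RECORD = b"employee_id=1042;name=A. Example;salary=52000;role=analyst"
# Constructed sample: the same record after an unauthorised salary change.
TAMPERED_RECORD = b"employee_id=1042;name=A. Example;salary=92000;role=analyst"
# Hypothetical integrity key, held only by the system that writes records.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def digest(data: bytes) -> str:
    """SHA-256 hex digest: the value you would store alongside the record."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    """Compare stored data against its recorded digest.

    compare_digest runs in constant time, so an attacker who can time the
    check learns nothing about how many leading characters matched."""
    return hmac.compare_digest(digest(data), expected)


def sign(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag over the record: detects tampering AND ties the
    record to whoever holds the key, which a bare hash cannot do."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_signature(data: bytes, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign(data, key), tag)


def check_record(stored: bytes, recorded_digest: str,
                 recorded_tag: str, key: bytes) -> dict:
    """Run both checks and report which integrity property held."""
    return {
        "hash_ok": verify_digest(stored, recorded_digest),
        "signature_ok": verify_signature(stored, recorded_tag, key),
    }


if __name__ == "__main__":
    d = digest(ORIGINAL_RECORD)
    t = sign(ORIGINAL_RECORD, INTEGRITY_KEY)
    print("untouched:          ", check_record(ORIGINAL_RECORD, d, t, INTEGRITY_KEY))
    print("tampered:           ", check_record(TAMPERED_RECORD, d, t, INTEGRITY_KEY))
    # An attacker who can rewrite the record can also recompute a plain
    # hash, but cannot forge the HMAC without the key.
    print("tampered + rehashed:", check_record(TAMPERED_RECORD, digest(TAMPERED_RECORD), t, INTEGRITY_KEY))
```

The third case is the one that matters in practice: a hash stored next to the data it protects only detects accidents, because whoever can change the data can change the hash. Only the keyed tag survives that attacker.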

Availability

Data must be available and accessible to authorised users whenever they need it.

Availability is a key benchmark for an organisation, such as maintaining 99.99% uptime on its websites or systems. It is achieved through many elements, including:

  • Having reliable and well-tested hardware.
  • Having redundant technology and services in case of failure.
  • Implementing well-tested security controls to protect technology and services from attacks such as denial of service.

Principles of privileges

We need to define and administer the various levels of access to information. The level of access is determined by two factors:

  • The individual’s role or function within the organisation.
  • The sensitivity of the information being stored on the system.

Two concepts are used to assign and manage the access rights of individuals: Privileged Identity Management (PIM) and Privileged Access Management (PAM).

PIM translates a user's role within an organisation into an access role on a system. PAM manages the privileges that a system's access role carries.

Users should be given only the minimum privileges they need to do their job: the principle of least privilege.

PAM covers more than assigning access: it also enforces security policies such as password management and auditing, and reduces the attack surface a system exposes.

Security models continued

Formal security models describe how the elements of the CIA triad can be achieved. Two classic models are covered here, one for confidentiality and one for integrity:

The Bell-La Padula model

This model is used to achieve Confidentiality. It makes a few assumptions: it is designed for an organisation with a hierarchical structure, where everyone's responsibilities and roles are well defined.

The model grants access to pieces of data (objects) on a strictly need-to-know basis, following the rule "no read up, no write down": a subject may not read objects classified above their clearance, and may not write to objects classified below it, which would leak data downwards:

Bell LaPadula Model

The Bell-LaPadula model is popular with organisations such as governments and the military, where members are vetted and therefore trusted.

Bell LaPadula advantages and disadvantages

Biba model

This is the equivalent of the Bell-LaPadula model, but for the integrity element of the CIA triad.

This model applies to objects (data) and subjects (users) a rule summarised as "no write up, no read down": subjects can create or write content to objects at or below their integrity level, but can only read the contents of objects at or above their level, so untrusted data never flows into trusted data.

Biba model

The Biba model is used where integrity matters more than confidentiality, for example in software development, where developers have access only to the code necessary for their job and not to critical pieces such as databases.

Biba model advantages and disadvantages
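The two models above are easiest to compare as code. The following Python, an added example rather than anything from the TryHackMe room, encodes the Bell-LaPadula rule ("no read up, no write down") and the Biba rule ("no write up, no read down") as access decisions and runs a SECRET-cleared subject against objects at every level. The level names, the subject and the objects are constructed for the example; real systems use richer label lattices (levels plus compartments).

```python
"""Access decisions under Bell-LaPadula (confidentiality) and Biba
(integrity), side by side.

Added example for this write-up, not code from the TryHackMe room. The
levels, subject and objects are constructed."""
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels. For Bell-LaPadula they are clearances and
    classifications; for Biba they are integrity levels (higher = more
    trusted data)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def bell_lapadula(subject: Level, obj: Level, action: str) -> bool:
    """Confidentiality: 'no read up, no write down'.
    - read  allowed only if subject >= object (simple security property)
    - write allowed only if subject <= object (*-property), so a cleared
      user cannot copy SECRET data into a PUBLIC file."""
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action {action!r}")


def biba(subject: Level, obj: Level, action: str) -> bool:
    """Integrity: 'no write up, no read down' (the dual of Bell-LaPadula).
    - write allowed only if subject >= object, so low-integrity subjects
      cannot corrupt high-integrity data
    - read  allowed only if subject <= object, so a high-integrity process
      never consumes (and propagates) untrusted input."""
    if action == "write":
        return subject >= obj
    if action == "read":
        return subject <= obj
    raise ValueError(f"unknown action {action!r}")


def decide(model, subject: Level, obj: Level, action: str) -> str:
    """Render a model's boolean decision as ALLOW/DENY."""
    return "ALLOW" if model(subject, obj, action) else "DENY"


if __name__ == "__main__":
    # Constructed scenario: a SECRET-level subject touching objects at
    # every level under both models.
    analyst = Level.SECRET
    for obj in Level:
        for action in ("read", "write"):
            print(f"{action:5} {obj.name:13} "
                  f"BLP={decide(bell_lapadula, analyst, obj, action):5} "
                  f"Biba={decide(biba, analyst, obj, action)}")
```

Running it makes the duality visible: every cell where Bell-LaPadula says ALLOW, Biba says DENY, and vice versa, except at the subject's own level, where both permit both actions. That is also why the two models are rarely enforced on the same labels at once.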

Threat modelling and incident response

Threat modelling is the process of reviewing, improving and testing the security controls in place in an organisation.

Threat Modelling

A critical stage of threat modelling is identifying the likely threats and vulnerabilities an application or system may face.

The threat modelling process is similar to the risk assessments made in workplaces for employees and customers, and follows the same stages:

  • Identification
  • Preparation
  • Mitigations
  • Review

An effective threat model includes:

  • Threat intelligence
  • Asset identification
  • Mitigation capabilities
  • Risk assessment

Frameworks such as STRIDE (Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of service and Elevation of privilege) and PASTA (Process for Attack Simulation and Threat Analysis) structure this work. STRIDE is detailed below:

STRIDE model
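To show how STRIDE is applied rather than just expanded, here is an added Python example (not code from the TryHackMe room) that enumerates threats for a small data-flow diagram using the STRIDE-per-element mapping (the Microsoft chart of which threat classes apply to external entities, processes, data flows and data stores) and flags flows that cross a trust boundary as the ones to examine first. The element kinds, trust zones and the browser / web app / database system are constructed for the example.

```python
"""Enumerate STRIDE threats for a small data-flow diagram.

Uses the STRIDE-per-element mapping (Microsoft): each kind of DFD element
is exposed to a fixed subset of the six threat classes. Flows that cross a
trust boundary are marked high priority.

Added example for this write-up, not code from the TryHackMe room. The
sample system, zones and element kinds are constructed."""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which threat classes apply to which element kind.
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",   # R applies when the store is itself a log/audit trail
}


@dataclass
class Element:
    name: str
    kind: str
    zone: str                  # trust zone the element lives in ("n/a" for flows)
    endpoints: tuple = ()      # for data_flow: (source name, destination name)


def threats_for(element: Element) -> list:
    """All STRIDE categories that apply to this element's kind."""
    return [STRIDE[c] for c in PER_ELEMENT[element.kind]]


def crosses_boundary(flow: Element, by_name: dict) -> bool:
    """A data flow crosses a trust boundary when its endpoints sit in
    different zones; those flows deserve the closest scrutiny."""
    src, dst = (by_name[n] for n in flow.endpoints)
    return src.zone != dst.zone


def enumerate_threats(elements: list) -> list:
    """Return (element name, threat, priority) rows. Priority is 'high'
    for boundary-crossing data flows and 'normal' otherwise."""
    by_name = {e.name: e for e in elements}
    rows = []
    for e in elements:
        high = e.kind == "data_flow" and crosses_boundary(e, by_name)
        for threat in threats_for(e):
            rows.append((e.name, threat, "high" if high else "normal"))
    return rows


# Constructed sample system: browser -> web application -> user database.
SAMPLE = [
    Element("Browser", "external_entity", zone="internet"),
    Element("WebApp", "process", zone="dmz"),
    Element("UsersDB", "data_store", zone="internal"),
    Element("login request", "data_flow", zone="n/a", endpoints=("Browser", "WebApp")),
    Element("user lookup", "data_flow", zone="n/a", endpoints=("WebApp", "UsersDB")),
]

if __name__ == "__main__":
    for name, threat, prio in enumerate_threats(SAMPLE):
        print(f"{prio:6} {name:14} {threat}")
```

The output is the raw threat list that the Identification stage produces; the Preparation and Mitigations stages then decide, per row, which control (authentication for spoofing, integrity checks for tampering, logging for repudiation, and so on) answers it. Note that an external entity only gets Spoofing and Repudiation: you cannot tamper with or DoS the user's browser from your threat model, only the flows and processes you own.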

Despite all the security we may build into a system, incidents (breaches of security) still happen. The actions taken to resolve and remediate a threat are known as Incident Response (IR). Incidents are classified by a rating of urgency and impact:

Urgency impact

An incident is responded to by a Computer Security Incident Response Team (CSIRT). To successfully resolve an incident, they follow the six phases of Incident Response (Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned):

CSIRT model

Summary

In this lesson we have learnt about:

  • The CIA triad.
  • Principles of privileges.
  • Security models used by organisations.
  • Threat modelling.
  • Incident response phases.

Stats

From 86,165th to 82,639th. Still in the top 4%!

Here is also the Skill Matrix:

Skills Matrix

Resources

Path: Jr Penetration tester

Introduction to Pentesting

TryHackMe: Principles of Security

Other resources

CIA Triad