IOS Security - 1

Security Triad-CIA

  1. Confidentiality. Provides data secrecy.
  2. Integrity. Only authorized people can change data.
  3. Availability. Data must always be accessible and ready.


Reverse Security Triad-DAD

  • Disclosure. Breach of confidentiality.
  • Alteration. Data is modified. 
  • Disruption. Service/data is no longer available.


_______________________________________________________________

Risk management: risk management includes the following

  • Risk analysis. Discovering what the risks are and their associated potential damages
  • Risk control. Implementing controls to bring the potential damage to an acceptable level (that is, having a correct balance between the cost of risk control and the reduced potential damage)

Risk analysis relies on a specific vocabulary:

  1. Vulnerability. A system weakness (usually not on purpose). This weakness can be in procedures (for example, lack of approval for moving network equipment); in a product (for example, a software bug); or in the implementation (for example, not setting an enable secret).
  2. Threat. A person, organization, worm, and so on that wants to exploit vulnerabilities.
  3. Risk. Probability that a threat will leverage a vulnerability to make an attack and cause damage.
  4. Exposure. When a threat actually leverages a vulnerability and runs an attack.

Risk Control
Risk analysis is about finding all potential vulnerabilities and estimating the associated damage. Risk control involves handling those risks to reduce their financial impact. Risk can be

  • Reduced by means of controls (also called countermeasures) to remove vulnerabilities or threats, reduce the probability of a risk, or prevent an attack. Risk reduction is not always achievable at 100 percent; the remaining risk is called residual risk.
  • Transferred to another organization. An example of this is getting fire insurance to cover fire risk.
  • Accepted, such as when you accept the risk associated with driving on a highway where you risk a car accident.
  • Ignored. Even if the risk analysis shows that a risk exists, no attempt is made to control it. This is different from accepting a risk, because you don't even think about it. This is a foolish behavior, of course.

_______________________________________________________________

Access Control and Identity Management

  • Identification. Simply the name of a subject (such as a Microsoft Active Directory username or an IP address).
  • Authentication. Proof of the identity, typically done with the help of credentials (such as a password). Identification without authentication is of little value. 
  • Authorization. Set of authorized access rights (that is, which subjects can access which objects). ACLs are primarily used in networks for authorization. 
  • Audit (also called accounting). List of accesses and actions done by the subjects that enables the examination of a given sequence of events. The major intent is forensics. Logging event messages to servers with protocols like syslog is often used in networks for auditing.

Here is a simplified view of these four steps:
Step 1 Identification. Who are you?
Step 2 Authentication. Prove it.
Step 3 Authorization. What can you do?
Step 4 Audit. What have you done?
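The four steps above, carried through as an added example (not code from the original page, and not Cisco IOS code): a small Python model in which the username is the identification, a stored credential hash supplies authentication, an ACL-like table supplies authorization, and every decision is written to a syslog-style audit list. The user names, passwords, permission strings and the fixed salt are constructed for the example; a real system would use a directory such as Active Directory, a random per-user salt, and a remote syslog server.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed static salt for the example only; production code uses a random per-user salt.
_SALT = b"constructed-static-salt"


def _hash_password(salt: bytes, password: str) -> bytes:
    """Derive a credential hash with PBKDF2-HMAC-SHA256 (iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed credential store: username -> derived hash. Stands in for a real user directory.
USERS = {
    "alice": _hash_password(_SALT, "correct horse"),
    "bob": _hash_password(_SALT, "battery staple"),
}

# Constructed authorization table (ACL-like): subject -> set of permitted objects/actions.
ACL = {
    "alice": {"router-config:read", "router-config:write"},
    "bob": {"router-config:read"},
}

# Step 4 store: one syslog-style line per decision, kept in memory for the example.
AUDIT_LOG = []


def audit(subject: str, action: str, outcome: str) -> str:
    """Step 4 (audit/accounting): record who did what, with the outcome, for later forensics."""
    line = (f"{datetime.now(timezone.utc).isoformat()} "
            f"subject={subject} action={action} result={outcome}")
    AUDIT_LOG.append(line)
    return line


def authenticate(username: str, password: str) -> bool:
    """Step 2 (authentication): prove the claimed identity against the stored credential."""
    stored = USERS.get(username)
    if stored is None:
        # Identification alone (a name nobody can vouch for) is of little value.
        audit(username, "login", "unknown-subject")
        return False
    candidate = _hash_password(_SALT, password)
    ok = hmac.compare_digest(stored, candidate)  # constant-time comparison
    audit(username, "login", "success" if ok else "bad-credential")
    return ok


def authorize(username: str, permission: str) -> bool:
    """Step 3 (authorization): check the subject's access rights in the ACL."""
    allowed = permission in ACL.get(username, set())
    audit(username, permission, "permit" if allowed else "deny")
    return allowed


def access(username: str, password: str, permission: str) -> bool:
    """Run all four steps for one request and return the final decision.

    Step 1 (identification) is simply the claimed username passed in.
    """
    if not authenticate(username, password):
        return False
    return authorize(username, permission)


if __name__ == "__main__":
    access("alice", "correct horse", "router-config:write")   # permit
    access("bob", "battery staple", "router-config:write")    # authenticated, then denied
    access("mallory", "anything", "router-config:read")       # unknown subject
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the audit step runs on every outcome, not only on success: a failed login or a denied action is exactly the sequence of events an investigator later needs to reconstruct, which is why the page ties auditing to forensics.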
