Concepts of Cyber Security lecture notes.pdf

158 views 29 slides Nov 01, 2024

About This Presentation

It is about security goals for Cyber Security


Slide Content

Lecture 2
COMP SCI 7328 Concepts in Cyber Security
Security Goals
Lecturer: Faheem Ullah ([email protected])

Outline
•Introduction to security goals
•Confidentiality, Integrity, and Availability (CIA)
•Authentication and Authorization
•Accountability

Computer Security Goals

Confidentiality (1/6)
•Only authorized parties can access non-public information
•Examples:
–technically: data encryption
–procedurally: physical access control
•Related terms:
–privacy: how personal sensitive information is shared
–anonymity: actions are not linked to a public identity

Confidentiality (2/6)
•Broadly, the goal of confidentiality is to stop sensitive data from getting into the wrong hands
•Before implementing security controls, group your data into categories according to how much damage could be done if it were accessed by an unauthorized entity
•The higher the negative impact, the stronger the security controls need to be.

Confidentiality (3/6)
•Ensuring confidentiality is the responsibility of both technologists and everyone else in the organization
•Everyone having access to information has a role in preserving confidentiality
•Some ways to ensure data confidentiality:
–Encryption
–Strong passwords
–Two-factor authentication
–Biometric verification

Confidentiality (4/6)
•Sometimes safeguarding data confidentiality involves special training for those privy to sensitive documents
•Training can help familiarize authorized people with risk factors and how to guard against them
•Further aspects of training may include strong passwords and password-related best practices
•Users can take precautions to minimize the number of places where information appears and the number of times it is actually transmitted to complete a required transaction

Confidentiality (5/6)
Can you give an example of a threat to data confidentiality and explain how you would mitigate it?

Confidentiality (6/6)
Can you explain how encryption can be used to enhance the confidentiality of data?

Integrity (1/5)
•Data remain unaltered, except by authorized parties
•Integrity involves maintaining the accuracy and completeness of data over its entire life cycle
•Examples:
–error detection/correction codes

Integrity (2/5)
•Challenges that could affect the integrity of your information:
–Human error
–Compromise of a server where end-to-end encryption is not in place
–Physical compromise of a device
Source: ‘The CIA Triad: The key to Improving Your Information Security’ by Katie, 2018

Integrity (3/5)
•Some ways of ensuring integrity:
–Encryption
–User access controls
–Version control
–Backup and recovery procedures
–Error detection software
•Measures for detecting change in data
•Backups must be available to restore the affected data to its correct state
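The slide lists "error detection software" and "measures for detecting change in data" together, but two different mechanisms hide behind those words. The added example below (not from the lecture) contrasts them: a CRC32 checksum catches accidental corruption such as a flipped bit, while a keyed HMAC (a message authentication code) also catches deliberate unauthorized modification, because whoever changes the data cannot recompute a valid tag without the key. The record and the key are constructed sample values.

```python
"""Detecting change in data: checksum vs. keyed MAC (added example)."""
import hashlib
import hmac
import zlib

# Constructed sample record; not taken from the lecture.
RECORD = b"account=1234;balance=100.00"
# Hypothetical shared secret; a real system loads it from a key store.
KEY = b"example-integrity-key-not-for-production"


def crc32_tag(data: bytes) -> int:
    """CRC32 detects accidental corruption (bit flips, truncation)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 detects both accidental and deliberate modification,
    because a valid tag cannot be produced without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def crc_intact(data: bytes, tag: int) -> bool:
    return crc32_tag(data) == tag


def hmac_intact(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest keeps the comparison time independent of where
    # the tags first differ.
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    """Run both checks against an accidentally corrupted copy and a
    deliberately modified copy of RECORD."""
    crc = crc32_tag(RECORD)
    mac = hmac_tag(KEY, RECORD)

    # Case 1: accidental corruption, one bit flipped in the last byte.
    corrupted = bytearray(RECORD)
    corrupted[-1] ^= 0x01
    corrupted = bytes(corrupted)

    # Case 2: unauthorized modification. A checksum needs no secret, so the
    # party that altered the data can simply recompute it; the checksum then
    # matches and cannot tell authorized from unauthorized change.
    modified = RECORD.replace(b"100.00", b"999.00")
    recomputed_crc = crc32_tag(modified)

    return {
        "crc_detects_corruption": not crc_intact(corrupted, crc),
        "hmac_detects_corruption": not hmac_intact(KEY, corrupted, mac),
        "crc_detects_modification": not crc_intact(modified, recomputed_crc),
        "hmac_detects_modification": not hmac_intact(KEY, modified, mac),
    }


if __name__ == "__main__":
    for check, detected in demo().items():
        print(f"{check}: {detected}")
```

The practical reading of the result: a checksum or error-correcting code is a reliability control against accidental change, while an integrity control against an adversary needs a key (a MAC) or a signature, and the key itself then needs the access controls the slide lists.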

Integrity (4/5)
How do you detect and respond to a data integrity breach in your organization?

Integrity (5/5)
Have you ever implemented controls or procedures to ensure the accuracy and completeness of data in an organization?

Availability (1/5)
•Resources are accessible for authorized use
•Example:
–protection against denial-of-service attacks

Availability (2/5)
•Availability is typically associated with reliability and
system uptime.
•Availability can be impacted by
–Hardware failures
–Unscheduled software downtime
–Human error
–Cyber attacks like denial-of-service

Availability (3/5)
•Availability is ensured via
–Backups
–Redundancy
–Disaster recovery
–Proper monitoring
–Incident response plan
–Hardware repairs and maintenance

Availability (4/5)
How would you approach planning for disaster recovery and business continuity in the event of a cyber attack or system failure?

Availability (5/5)
What are some common current threats to the availability of systems and services?

CIA – Confidentiality, Integrity, Availability

Challenges to ensuring CIA
•The large volume of data
•The high variety of data
•The heterogeneous sources of data
•Internet of Things

Authentication (1/2)
•Assurance that data is genuine relative to expectations
•Authentication is used by a server when the server needs to know exactly who is accessing its information or site

Authentication (2/2)
•Authentication does not determine what tasks the individual can do or what files the individual can see.
•Authentication merely identifies and verifies who the person or system is.
•In authentication, the user or computer has to prove its identity to the server or client.
•Usually done before authorization

Authorization
•Resources are accessible only by authorized entities
•A process by which a server determines if the client has permission to use a resource or access a file
•Usually done after authentication
•Example:
–access control: access restriction

Accountability (1/2)
•Every individual who works with an information system should have specific responsibilities for information assurance
•Ability to identify actors responsible for past actions

Accountability (2/2)
•Example: Policy statement that all employees must
avoid installing outside software on a company-owned
information infrastructure
•The person in charge of information security should
perform periodic checks to be certain that the policy is
being followed.
•Individuals must be aware of what is expected of them
Source: https://www.computer-security-glossary.org/accountability.html
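The Authentication, Authorization and Accountability slides describe three steps that a server takes in order. The following added example (not part of the lecture) shows them as code: authentication answers only "is this really the named user?", authorization then decides what that identity may do with a resource, and an audit trail records every decision against the actor so that past actions can be attributed. The user store, the access-control list `ACL`, the resource name `payroll.xlsx` and the sample passwords are constructed; PBKDF2 password hashing is a standard choice made here, not something the slides prescribe.

```python
"""Authentication, then authorization, with an audit trail (added example)."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# --- Authentication: the caller proves an identity. ------------------------
# Passwords are never stored in the clear; only a salted PBKDF2 hash is kept.

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(users: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    users[username] = (salt, _hash_password(password, salt))


def authenticate(users: dict, username: str, password: str) -> bool:
    """Returns whether the caller is who they claim to be. Says nothing
    about what they are allowed to do."""
    if username not in users:
        return False
    salt, stored = users[username]
    return hmac.compare_digest(_hash_password(password, salt), stored)


# --- Authorization: what an authenticated identity may do. ----------------
# Constructed access-control list: resource -> {user: allowed actions}
ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
}


def authorize(username: str, action: str, resource: str) -> bool:
    return action in ACL.get(resource, {}).get(username, set())


# --- Accountability: every decision is recorded against the actor. -------

def access(users: dict, audit: list, username: str, password: str,
           action: str, resource: str) -> bool:
    """Authenticate, then authorize, logging the outcome either way."""
    ts = datetime.now(timezone.utc).isoformat()
    if not authenticate(users, username, password):
        audit.append((ts, username, action, resource, "AUTHN_FAIL"))
        return False
    allowed = authorize(username, action, resource)
    audit.append((ts, username, action, resource, "ALLOW" if allowed else "DENY"))
    return allowed


def demo():
    """Three requests: authorized, authenticated-but-not-authorized, and
    not authenticated. Returns the decisions and the audit outcomes."""
    users, audit = {}, []
    register(users, "alice", "correct horse battery staple")   # constructed
    register(users, "bob", "bob-password-1")                   # constructed
    decisions = [
        access(users, audit, "alice", "correct horse battery staple",
               "write", "payroll.xlsx"),          # True: identity proven, write permitted
        access(users, audit, "bob", "bob-password-1",
               "write", "payroll.xlsx"),          # False: identity proven, write not permitted
        access(users, audit, "bob", "wrong-password",
               "read", "payroll.xlsx"),           # False: identity not proven, ACL never consulted
    ]
    return decisions, [entry[-1] for entry in audit]


if __name__ == "__main__":
    decisions, outcomes = demo()
    for d, o in zip(decisions, outcomes):
        print(d, o)
```

Two points the slides make are visible in the trace: the second request fails even though the password was correct, which is authorization doing work that authentication cannot, and the third request never reaches the ACL because authorization only runs after authentication succeeds. The audit entries carry the username, action and resource, which is what "the ability to identify actors responsible for past actions" requires in practice.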

Summary
•The security policies of organizations are primarily driven by security goals
•Confidentiality, integrity, and availability are the three most important security requirements/goals
•Authentication and authorization are key measures for ensuring confidentiality, integrity, and availability
•Accountability also plays a key role in ensuring the security of an organization

Extended Readings (1/2)
Articles
•"Confidentiality, Integrity, and Availability (CIA) Triad in Cybersecurity" by SANS Institute
•"Balancing Confidentiality, Integrity, and Availability in Cybersecurity" by ISACA
•"The Importance of Confidentiality, Integrity, and Availability in Cybersecurity" by Dark Reading
•"Confidentiality, Integrity, and Availability (CIA) Triad: A Vital Component of Cybersecurity" by InfoSec Institute

Extended Readings (2/2)
Research Papers
•"A Framework for Confidentiality, Integrity, and Availability in Cybersecurity" by R. K. Jain and P. K. Sahu
•"Cybersecurity: A Study of Confidentiality, Integrity, and Availability" by R. Jain and R. K. Jain
•"Cybersecurity Risks and Countermeasures: Confidentiality, Integrity, and Availability" by D. C. Anderson and J. L. Brown
•"Confidentiality, Integrity, and Availability in Cybersecurity: A Review and Future Directions" by A. P. Sahoo and S. Sahoo