Day 2 - Chapter 1
Project
The company under review must not be associated with Mississippi State University.
Groups will be decided on Monday.
Slide Notes
This is not hacking 101.
We are trying to wrap our heads around how we protect information and what business decisions are made in this process.
Outline
- CIA Triad
- Other Security Concepts
- Data Classification
Security in a nutshell
Subjects are allowed or denied access to an object.
Subjects: the user, process, or system requesting access to a protected resource
Objects: the protected resource
CIA Triad
Confidentiality
- Keeping information protected from unauthorized access
- Violations
  - Capturing network traffic / eavesdropping
  - Social engineering
  - Port scanning
  - Shoulder surfing
- Relies on Integrity
- Necessary, but not sufficient
- Previous versions of Study Guide: Most important goal for government agencies
Violation of Confidentiality
Integrity
- Information can only be modified by authorized subjects
- Information is protected from “honest mistakes”
- Information is valid, consistent, and verifiable
- Violations
  - Viruses
  - “Logic bombs”
  - Sabotage
- Dependent on confidentiality
Violation of Integrity
Availability
- Information is timely and accessible to subjects
- Handles interruptions and outages
- Violations
  - Attacks (denial of service)
  - Device failure
  - Environmental issues
- Dependent on both confidentiality & integrity
- Most important goal for business organizations (p.7)
Violation of Availability
CIA Triad + 1
Agility (Harvard Business School)
- “The capability to change with managed cost and speed” (Westerman and Hester)
- Could affect:
  - Developing countermeasures
  - Availability
- Trade-off between agility and security?
Other Security Concepts
Privacy
- Multiple definitions
  - Freedom from being observed, monitored, or examined without consent or knowledge
  - Company monitoring
  - 4th Amendment rights
- “If you gather any type of information about any person or company, you must address privacy”
Accountability
- The capability to prove a subject’s identity and track their activities
Nonrepudiation
- Ensures that the subject of an activity or event cannot deny that the event occurred
- “A suspect cannot be held accountable if they can repudiate the claim against them” (p.32)
Data Classification
A realistic means of securing data based on its “value”
Useful for:
- Determining where best to deploy security resources
- Establishing access control and rights
- Implementing procedures for data dissemination, maturation, storage, and disposal
Hierarchical View of Data
Data Classification
- Government/Military
- Business/Corporate
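As an added illustration (not part of the slides), a small access decision that combines the subject/object model from the start of the chapter with a hierarchical classification: read access is allowed only when the subject's clearance is at or above the object's label within the same scheme, and the decision carries a reason that an audit log would record. The level names for each scheme are assumptions, since the slides name the two schemes but not their levels.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed label hierarchies, lowest to highest sensitivity. The slides
# name the two schemes but not their levels, so these labels are assumptions.
# Note that "Confidential" appears in both schemes at different ranks, which
# is why a label only has meaning inside its own scheme.
SCHEMES = {
    "government": ["Unclassified", "Confidential", "Secret", "Top Secret"],
    "business": ["Public", "Sensitive", "Private", "Confidential"],
}


@dataclass(frozen=True)
class Subject:
    name: str
    scheme: str
    clearance: str


@dataclass(frozen=True)
class ProtectedObject:
    name: str
    scheme: str
    classification: str


def level(scheme: str, label: str) -> int:
    """Rank of a label inside its scheme. Unknown schemes or labels are
    rejected rather than silently treated as the lowest level."""
    try:
        return SCHEMES[scheme].index(label)
    except (KeyError, ValueError):
        raise ValueError(f"unknown label {label!r} in scheme {scheme!r}") from None


def decide(subject: Subject, obj: ProtectedObject) -> Tuple[bool, str]:
    """Allow read access only when the subject's clearance is at or above the
    object's classification within the same scheme. The reason string is what
    an audit log would record (accountability)."""
    if subject.scheme != obj.scheme:
        return False, "label schemes differ"  # fail closed across schemes
    if level(subject.scheme, subject.clearance) >= level(obj.scheme, obj.classification):
        return True, "clearance dominates classification"
    return False, "clearance below classification"


if __name__ == "__main__":
    alice = Subject("alice", "government", "Secret")
    plan = ProtectedObject("ops-plan", "government", "Top Secret")
    print(alice.name, plan.name, decide(alice, plan))
```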
Security Standards
- National Institute of Standards and Technology (NIST)
- International Organization for Standardization (ISO)
- International Society for Automation (ISA)
Federal & State Laws
- HIPAA
- Sarbanes-Oxley / COBIT
- Banking (Gramm-Leach-Bliley Act)