Tuesday, September 2, 2014

Chapter 2: Information Security Governance and Risk Management

Like every topic, it's important to learn about the fundamentals before we dive into the details. In the beginning of chapter two, our primary focus is to learn about the fundamental principles of security. The core goal of security is to provide availability, integrity, and confidentiality protection for the critical assets of a company. This core goal is usually referred to as the AIC triad.

The goal of Availability protection is to make sure the individuals who need access to certain data and resources have that ability in a timely and reliable manner. Integrity can be compromised when the system is attacked or users make mistakes, but if strict access controls, intrusion detection, and hashing are put in place, then the integrity of the system can be upheld. Finally, Confidentiality ensures that the necessary levels of security are enforced so that unauthorized disclosure can be prevented.

I wanted to point out an interesting discovery: until I read it in the book, I never knew that when information security is dealt with, the common viewpoint is only keeping secrets secret, or confidentiality. We really don't realize that there is more to it; integrity and availability threats are overlooked.

We all talk about security, but what exactly does it mean? To understand security, I have to use the definition given in the book. Security is defined by the terms vulnerability, threat, risk, and exposure. Although these terms are used interchangeably, they actually have different meanings. If there are security vulnerabilities, then the system lacks countermeasures or there is a weakness in a countermeasure that is currently in place. Threats are viewed as potential dangers that can occur if there are vulnerabilities in the system. Risk is the likelihood of a threat actually occurring and the corresponding business impact. Exposure is the instance of being exposed to losses due to the risk. A control is the countermeasure put in place to reduce the potential risk.

Now that we know what security is, we want to know the different control mechanisms that are used to stop threats from occurring. There are three different control types:

a. Administrative controls: management-oriented, "soft controls"
b. Technical controls: software and hardware components, "logical controls"
c. Physical controls: protect the facility, personnel, and resources

These controls are implemented by the method of defense-in-depth, which is the use of multiple security controls in a layered approach.


As you can see, Figure 2-2 is an example from the book "All In One CISSP Exam Guide Sixth Edition" of a defense-in-depth control method. It is important to know the control types, but more importantly, you should understand the different functionalities of security controls. The different functionalities are preventive, detective, corrective, deterrent, recovery, and compensating.


