DATA SECURITY
INFORMATION SECURITY
• Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
• Protecting data from attackers invading networks, natural disasters, adverse environmental conditions, power failures, theft or vandalism, or other undesirable states
INFORMATION SECURITY
• In any environment where we plan to put heightened levels of security in place, we also need to take into account the cost of replacing our assets if we do happen to lose them, and make sure we establish reasonable levels of protection for their value.
• The cost of the security we put in place should never outstrip the value of what it is protecting.
WHEN ARE WE SECURE?
Even if our systems are properly patched, there will always be new attacks to which we are vulnerable.
WHEN ARE WE INSECURE?
• Not patching our systems
• Using weak passwords
• Downloading programs from the internet
• Opening email attachments from unknown senders
• Using wireless networks without encryption
• The good thing is that once we are able to point out the areas in the environment that can cause it to be insecure, we can take steps to mitigate these issues.
• This problem is akin to cutting something in half over and over; there will always be some small portion left to cut again.
• Although we may never reach a state that we can definitively call “secure”, we can take steps in the right direction.
MODELS FOR DISCUSSING SECURITY ISSUES
• The Confidentiality, Integrity and Availability (CIA) Triad
  • Confidentiality
  • Integrity
  • Availability
CONFIDENTIALITY
• Refers to the ability to protect data from those who are not authorized to view it.
• Examples of breaches / compromised confidentiality:
  • Loss of a laptop containing data
  • Person looking over our shoulder while we type our password
  • Email attachment sent to the wrong person
  • Attacker penetrating our systems
INTEGRITY
• Refers to the ability to prevent data from being changed in an unauthorized or undesirable manner.
• Means to prevent unauthorized changes to the data
• Means to reverse authorized changes that need to be undone
• Example: undo, rollback
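The two integrity mechanisms named on this slide, detecting unauthorized modification and undoing an authorized change, as an added example that is not from the slides. It assumes a hypothetical `VersionedRecord` whose version history lives in a store the attacker cannot reach, with an HMAC key that would come from a secrets store in practice.

```python
import hashlib
import hmac

class VersionedRecord:
    """Every authorized version is kept (assumed to live in a separate,
    protected store) together with an HMAC tag. An unauthorized change to
    the live copy is detected by a tag mismatch; an authorized change can
    be undone by rolling back. Hypothetical helper, not from the slides."""

    def __init__(self, key: bytes, initial: bytes) -> None:
        self._key = key
        self._history: list[tuple[bytes, bytes]] = []  # (data, tag)
        self.current = initial  # live copy: the part an attacker could reach
        self._history.append((initial, self._tag(initial)))

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def verify(self) -> bool:
        """True only while the live copy matches the latest authorized tag."""
        return hmac.compare_digest(self._tag(self.current), self._history[-1][1])

    def update(self, new_data: bytes) -> None:
        """Authorized change: stored with its own tag so verification passes."""
        self.current = new_data
        self._history.append((new_data, self._tag(new_data)))

    def restore(self) -> bytes:
        """Recover from detected tampering: reload the latest authorized version."""
        self.current = self._history[-1][0]
        return self.current

    def rollback(self) -> bytes:
        """Undo the most recent authorized change (the slide's undo/rollback)."""
        if len(self._history) < 2:
            raise ValueError("nothing to roll back")
        self._history.pop()
        self.current = self._history[-1][0]
        return self.current


def demo() -> dict:
    rec = VersionedRecord(b"constructed-demo-key", b"balance=100")  # constructed key
    rec.update(b"balance=90")       # authorized debit
    rec.current = b"balance=9000"   # unauthorized edit of the live copy
    detected = not rec.verify()     # tag no longer matches
    restored = rec.restore()        # b"balance=90": last authorized version
    undone = rec.rollback()         # b"balance=100": the debit reversed
    return {"detected": detected, "restored": restored, "undone": undone, "consistent": rec.verify()}
```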
AVAILABILITY
• Refers to the ability to access our data when we need it.
• Examples of loss of availability:
  • Power loss
  • Operating system or application problems
  • Network attacks
  • Compromise of a system
  • Denial of service attack
THE PARKERIAN HEXAD
• Named after Donn Parker
• Six attributes:
  • Confidentiality
  • Integrity
  • Availability
  • Possession or Control
  • Authenticity
  • Utility
CONFIDENTIALITY
• Refers to the ability to protect data from those who are not authorized to view it.
• Examples of breaches / compromised confidentiality:
  • Loss of a laptop containing data
  • Person looking over our shoulder while we type our password
  • Email attachment sent to the wrong person
  • Attacker penetrating our systems
INTEGRITY
• Refers to the state of the data itself, in the sense of completeness
AVAILABILITY
• Refers to the ability to access our data when we need it.
• Examples of loss of availability:
  • Power loss
  • Operating system or application problems
  • Network attacks
  • Compromise of a system
  • Denial of service attack
POSSESSION OR CONTROL
• Refers to the physical disposition of the media on which the data is stored
AUTHENTICITY
• Proper attribution as to the owner or creator of the data in question
UTILITY
• Refers to how useful the data is to us
ATTACKS
• What makes up an attack?
  • The type of attack that it represents
  • The risk the attack represents
  • The controls to use when mitigating the attack
TYPES OF ATTACKS
• Confidentiality
  • Interception
• Integrity
  • Interruption
  • Modification
  • Fabrication
• Availability
  • Interruption
  • Modification
  • Fabrication
INTERCEPTION
• Attacks that allow unauthorized users to access data, applications or environments
• Examples:
  • Unauthorized file viewing or copying
  • Eavesdropping on phone conversations
  • Reading emails that are not yours
INTERRUPTION
• Attacks that cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis.
• Examples:
  • Denial of Service attack
MODIFICATION
• Attacks that involve tampering with our assets.
FABRICATION
• Attacks that involve generating data, processes, communications, or other similar activities with a system.
THREATS
• Things that have the potential to cause harm to our assets
• Identify the possibility of something happening that can cause a security breach or network outage
• Examples:
  • Natural threats
  • Intentional threats
VULNERABILITIES
• Weaknesses that can be used to harm the asset
• Holes that can be exploited by threats to cause harm
• Examples:
  • Poor coding in installed software
  • OS vulnerabilities
  • Problems in the hardware or physical structure of the machines
RISK
• The likelihood that something bad will happen
• The best strategy is to spend our time mitigating the most likely attacks.
RISK MANAGEMENT
• Evaluation of threats and the cost of protection
IMPACT
• The harm an attack can cause, considered in light of the value of the asset being threatened.
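The RISK, RISK MANAGEMENT and IMPACT slides, together with the earlier rule that the cost of security must never outstrip the value of what it protects, describe a prioritisation; the following is an added example of that reasoning in code, not from the slides. The `Scenario` model, the `plan` function and the sample figures are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat exploiting one vulnerability against one asset (hypothetical model)."""
    name: str
    likelihood: float    # RISK: probability the event happens in a given year
    asset_value: float   # IMPACT: value of the asset, hence the harm if it does
    control_cost: float  # RISK MANAGEMENT: yearly cost of the mitigating control

    @property
    def expected_loss(self) -> float:
        """Impact weighted by likelihood: the harm we can expect per year."""
        return self.likelihood * self.asset_value


def plan(scenarios: list[Scenario], budget: float) -> dict[str, list[str]]:
    """Rank controls by the expected loss they avert and fund them in that
    order until the budget runs out. A control costing more than the asset
    it protects is rejected outright (cost must never outstrip value)."""
    funded, deferred, rejected = [], [], []
    remaining = budget
    for s in sorted(scenarios, key=lambda s: s.expected_loss, reverse=True):
        if s.control_cost > s.asset_value:
            rejected.append(s.name)       # protection worth more than the asset
        elif s.control_cost <= remaining:
            funded.append(s.name)         # highest expected loss first
            remaining -= s.control_cost
        else:
            deferred.append(s.name)       # risk accepted until budget allows
    return {"funded": funded, "deferred": deferred, "rejected": rejected}


# Constructed sample scenarios; the figures are illustrative, not from the slides.
SAMPLE = [
    Scenario("phishing against staff", 0.60, 50_000, 4_000),
    Scenario("unpatched web server", 0.40, 200_000, 15_000),
    Scenario("flood in server room", 0.02, 1_000_000, 30_000),
    Scenario("laptop theft", 0.30, 20_000, 25_000),
]

if __name__ == "__main__":
    print(plan(SAMPLE, budget=20_000))
```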
CONTROL
• Measures in place to help ensure that a given threat is accounted for.
• Categories:
  • Physical
  • Logical
  • Administrative
PHYSICAL CONTROL
• Controls to protect the physical environment in which the system sits or where the data is stored
• Examples:
  • Fences, gates, locks, guards, cameras, air conditioning systems, backup power generators
LOGICAL CONTROL
• Also called Technical Controls
• Controls that protect the systems, networks, and environments that process, transmit, and store data
• Examples:
  • Passwords, encryption, logical access controls, firewalls
ADMINISTRATIVE CONTROL
• Controls based on rules, policies, laws, procedures, guidelines, and other items that are “paper” in nature.
• Set out the rules for how users are expected to behave in the environment.
• These controls must be fully enforced for compliance.
• Examples:
  • Changing passwords every 90 days
  • Differing levels of authority
DEFENSE IN DEPTH
• Strategy to formulate a multi-layered defense that will allow us to still mount a successful defense should one or more defensive measures fail.
• Layers: external network, internal network, host, application, data
DEFENSE IN DEPTH
EXTERNAL NETWORK
• DMZ
• VPN
• Logging
• Auditing
• Penetration Testing
• Vulnerability Analysis
NETWORK PERIMETER
• Firewalls
• Proxy
• Logging
• Stateful Packet Inspection
• Auditing
• Penetration Testing
• Vulnerability Analysis
INTERNAL NETWORK
• IDS
• IPS
• Logging
• Auditing
• Penetration Testing
• Vulnerability Analysis
HOST
• Authentication
• Antivirus
• IDS
• IPS
• Password Hashing
• Logging
• Auditing
• Penetration Testing
• Vulnerability Analysis
APPLICATION
• SSO
• Content Filtering
• Data Validation
• Auditing
• Penetration Testing
• Vulnerability Analysis
DATA
• Encryption
• Access Controls
• Backup
• Penetration Testing
• Vulnerability Analysis
