Security Concepts. Objective 1.2.
[Audio] To become certified as a CISSP, you must have knowledge and experience that covers a wide variety of topics. However, regardless of the experience you may have in the different domains, such as networking, digital forensics, compliance, or penetration testing, you need to comprehend some fundamental concepts that are the basis of all the other security knowledge you will need in your career. This core knowledge includes the goals of security and its supporting principles. In this objective we're going to discuss this core knowledge, which serves as a refresher of the experience you likely already have before attempting the exam. We'll cover the goals of security as well as the supporting tenets, such as identification, authentication, authorization, and nonrepudiation. We will also discuss key supporting concepts such as the principles of least privilege and separation of duties. You'll find that no matter what expertise you have in the CISSP domains, these core principles are the basis for all of them. As we discuss each of these core subjects, we'll talk about how different topics within the CISSP domains relate to these areas. First, it's useful to establish common ground with some terms you'll likely see throughout this book and your studies for the exam.
[Audio] There are terms that we commonly use in cybersecurity that can cause confusion if everyone in the field does not have a mutual understanding of what the terms mean. Our field is rich with acronyms, such as MAC, DAC, RBAC, IdM, and many more. Often the same acronym can stand for different terms. It's important to define a few terms up front before we get into our discussion of security concepts. These terms include data, information, system, and entity (and its related terms subject and object). Two terms often used interchangeably by technology people in everyday conversation are data and information. In nontechnical discussion, the difference really doesn't matter, but as cybersecurity professionals, we need to be more precise in our speech and differentiate between the two. For purposes of this book, and studying for the exam, data are raw, singular pieces of fact or knowledge that have no immediate context or meaning. An example might be an IP address, a domain name, or even an audit log entry, which by itself may not have any meaning. Information is data organized into context and given meaning. An example might be several pieces of data that are correlated to show an event that occurred on a host at a specific time by a specific individual. A system consists of multiple components such as hardware, software, network protocols, and even processes. A system could also consist of multiple smaller systems, sometimes called a system of systems but most frequently just referred to as a system, regardless of the type or quantity of subsystems. An entity, for our purposes, is a general term that includes any combination of organizations, persons, hardware, software, processes, and so on, that may interact with people, systems, information, or data. Frequently we talk about users accessing data, but in reality, software programs, hardware, and processes can also independently access data and other resources on a network, regardless of user action. So it's probably more correct to say that an entity or entities access these resources. We can assign accounts and permissions to almost any type of entity, not just humans. It's also worth noting that entities are also referred to as subjects, which perform actions (read, write, create, delete, etc.) on objects, which are resources such as computers, systems, and information. Now that we have those terms defined, let's discuss the three goals of security—confidentiality, integrity, and availability.
[Audio] The goals of information security are often expressed in three terms: confidentiality, integrity, and availability. These three form a triangle that is commonly known as the CIA triad. Let's learn more about confidentiality, integrity, and availability.
[Audio] Of the three primary goals of information security, confidentiality is likely the one that most people associate with cybersecurity. Certainly, it's important to make sure that systems and data are kept confidential and only accessed by entities that have a valid reason, but the other goals of security, which we will discuss shortly, are of equal importance. Confidentiality is about keeping information secret and, in some cases, private. It requires protecting information that is not generally accessible to everyone, but rather only to a select few. Whether it's personal privacy or health data, proprietary company information, classified government data, or simply data of a sensitive nature, confidential information is meant to be kept secret. In later objectives we will discuss different access controls, such as file permissions, encryption, authentication schemes, and other measures, that are designed to keep data and systems confidential.
[Audio] Integrity is the goal of security that ensures data and systems are not modified or destroyed without authorization. To maintain integrity, data should be altered only by an entity that has the appropriate access and a valid reason to modify it. Obviously, data may be altered purposefully for malicious reasons, but accidental or unintentional changes may also be caused by a well-intentioned user or even by a bad network connection that degrades the integrity of a file or data transmission. Integrity is assured through several means, including identification and authentication mechanisms (discussed shortly), cryptographic methods (e.g., file hashing), and checksums.
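The narration names two integrity mechanisms, checksums and cryptographic file hashing, and two causes of change, accidental corruption and deliberate modification. The following added example (not part of the book's text) shows on a constructed sample record why the two mechanisms are not interchangeable: a simple additive checksum catches a random bit error in transit, but a deliberate edit can be arranged so that the checksum still matches, whereas a SHA-256 file hash detects both kinds of change. The record contents, byte positions and the `verify` helper are assumptions made for this illustration.

```python
import hashlib

# Constructed sample record standing in for a file or a transmitted message.
ORIGINAL = b"Transfer 100 USD to account 99999\n"


def simple_checksum(data: bytes) -> int:
    """Additive checksum: sum of all byte values modulo 256 (cheap, non-cryptographic)."""
    return sum(data) % 256


def sha256_hex(data: bytes) -> str:
    """Cryptographic file hash: any change to the input yields a different digest."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, expected_checksum: int, expected_digest: str) -> dict:
    """Report which integrity check (if any) still matches for the received data."""
    return {
        "checksum_matches": simple_checksum(data) == expected_checksum,
        "hash_matches": sha256_hex(data) == expected_digest,
    }


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Simulate accidental corruption on a bad link: flip one bit of one byte."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def compensated_edit(data: bytes) -> bytes:
    """Simulate a deliberate change that keeps the additive checksum unchanged.
    Raising the amount from 100 to 900 adds 8 to one byte ('1' -> '9'); lowering
    the last account digit from 9 to 1 subtracts 8, so the byte sum is the same."""
    return data.replace(b"100 USD", b"900 USD").replace(b"99999", b"99991")


def demo() -> dict:
    """Run both scenarios against the checksum and hash recorded for ORIGINAL."""
    checksum, digest = simple_checksum(ORIGINAL), sha256_hex(ORIGINAL)
    corrupted = flip_bit(ORIGINAL, 9, 0)  # index 9 is the '1' of "100"
    tampered = compensated_edit(ORIGINAL)
    return {
        "accidental": verify(corrupted, checksum, digest),
        "deliberate": verify(tampered, checksum, digest),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

Because the stored digest itself must be trustworthy, a hash is only as good as the protection on the reference value, which is why the narration pairs cryptographic methods with identification and authentication.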
[Audio] Availability means having information, and the systems that process it, readily accessible to authorized users at any time and in any manner they require. Systems and information do users little good if they can't reach and use those resources when needed, and simply preventing their authorized use contradicts the availability goal. Availability can be denied accidentally by a network or device outage, or intentionally by a malicious entity that destroys systems and data or prevents their use via denial-of-service attacks. Availability can be ensured through various means, including equipment redundancy, data backups, access control, and so on.