WEBVTT

00:00:00.990 --> 00:00:05.070
We started this course off with a question, what is security?

00:00:05.970 --> 00:00:10.200
And that is a question that's hard for many people to actually answer.

00:00:10.810 --> 00:00:13.880
Security for them couldn't be based on a perception

00:00:13.880 --> 00:00:18.840
of what they think security is, it's not necessarily positive,

00:00:19.360 --> 00:00:21.150
and that includes management.

00:00:21.410 --> 00:00:25.040
Management was raised maybe in an era of finance or

00:00:25.040 --> 00:00:27.370
marketing or one of those career paths,

00:00:27.800 --> 00:00:32.390
and now all of a sudden they have this concern about information security,

00:00:32.409 --> 00:00:34.260
but they don't even know what it is,

00:00:34.560 --> 00:00:38.850
so that's why it's good that we have the information security triad.

00:00:39.840 --> 00:00:43.110
This is often known as the CIA triad,

00:00:43.320 --> 00:00:49.070
and it really deals with three core principles or pillars of a security program.

00:00:49.620 --> 00:00:52.330
The first is dealing with confidentiality,

00:00:52.910 --> 00:00:57.270
the second, integrity, and the third availability.

00:00:57.980 --> 00:01:01.700
Because these are terms that management and everybody

00:01:01.700 --> 00:01:04.480
can understand confidentiality, integrity,

00:01:04.480 --> 00:01:05.519
and availability,

00:01:05.990 --> 00:01:12.760
this allows us to define a complex term like security in a meaningful way.

00:01:14.030 --> 00:01:16.970
When we look at confidentiality, obviously,

00:01:16.970 --> 00:01:20.110
what we're trying to do is protect something which should

00:01:20.110 --> 00:01:23.760
be kept secret from improper disclosure.

00:01:24.540 --> 00:01:27.410
In some cases, we have to disclose information,

00:01:27.510 --> 00:01:31.730
but we don't want to disclose information that should not be disclosed.

00:01:32.100 --> 00:01:37.760
So we're protecting individuals' privacy such as employee and customer data.

00:01:38.220 --> 00:01:42.690
We're protecting secrecy, the trade secrets of our organization,

00:01:42.690 --> 00:01:46.330
for example, and our research, our marketing plans.

00:01:46.750 --> 00:01:50.710
We need to protect these because if an adversary or a

00:01:50.710 --> 00:01:53.220
competitor was able to get access to these,

00:01:53.300 --> 00:01:56.400
it could be that that would undermine the future

00:01:56.400 --> 00:01:59.180
profitability of the organization.

00:02:00.960 --> 00:02:05.010
The second part of the CIA triad is integrity.

00:02:05.240 --> 00:02:08.330
Integrity is all about accuracy.

00:02:09.229 --> 00:02:11.840
Not only accuracy of the data,

00:02:12.100 --> 00:02:16.250
but also the accuracy of the way we process the data.

00:02:16.850 --> 00:02:20.760
We want to protect our data from improper modification.

00:02:21.170 --> 00:02:24.570
When we're transmitting data over a network,

00:02:24.570 --> 00:02:29.930
for example, if there was noise or anything that could disturb that network,

00:02:29.940 --> 00:02:31.480
could it corrupt the data?

00:02:31.740 --> 00:02:34.190
Well then the data is not trustworthy anymore.

00:02:34.740 --> 00:02:38.660
If a person makes a deposit at the ATM machine to

00:02:38.660 --> 00:02:43.130
put money into their bank account, they don't want it to be close,

00:02:43.130 --> 00:02:46.020
but it went to somebody else's account, but not theirs,

00:02:46.140 --> 00:02:49.230
so integrity of the process as well.

00:02:50.120 --> 00:02:52.970
This means we have to make sure that we don't have

00:02:52.980 --> 00:02:57.860
unauthorized users able to access or change our data,

00:02:58.320 --> 00:03:01.570
but we also have to make sure that users that do have

00:03:01.570 --> 00:03:06.630
authorization only can change data in authorized ways.

00:03:06.980 --> 00:03:11.120
So certain fields, maybe they can't change, but others they could.

00:03:12.830 --> 00:03:16.740
So what is that idea of an authorized entity?

00:03:17.190 --> 00:03:22.760
An authorized entity is a person who has been given that level of trust

00:03:22.770 --> 00:03:29.540
and privilege that is able to access or modify data, and that is often

00:03:29.540 --> 00:03:32.510
done through a process we call authentication.

00:03:33.080 --> 00:03:36.140
A person says yes, I am Joe,

00:03:36.880 --> 00:03:42.120
but how do we prove they are Joe and not somebody else pretending to be Joe,

00:03:42.120 --> 00:03:46.270
what we call spoofing or masquerading, and we use

00:03:46.270 --> 00:03:50.380
authentication for that to validate who they are.

00:03:50.580 --> 00:03:51.890
This is something we'll look at,

00:03:51.890 --> 00:03:57.640
especially in a very important area that is Domain Three: Access Controls.

00:03:58.660 --> 00:04:02.410
We quite often will use multi‑factor authentication,

00:04:02.410 --> 00:04:03.630
or MFA,

00:04:04.120 --> 00:04:08.130
and this means that when a person is going to be authenticated

00:04:08.280 --> 00:04:12.710
maybe by knowing a password or having a smartcard or an

00:04:12.710 --> 00:04:15.880
employee ID badge or by biometrics,

00:04:15.950 --> 00:04:19.440
we don't just use one of those three forms of authentication,

00:04:19.440 --> 00:04:22.110
we always use at least two of them.

00:04:22.570 --> 00:04:27.910
So that means we're not trusting just a single authentication technique.

00:04:27.920 --> 00:04:30.450
If you know the password, well you must be Joe.

00:04:30.740 --> 00:04:35.300
Well we don't know if somebody else has learned what Joe's password is.

00:04:36.870 --> 00:04:39.980
The third part of the triad is availability.

00:04:40.350 --> 00:04:44.860
Availability means that our systems and our data are

00:04:44.860 --> 00:04:46.900
accessible when they're required.

00:04:47.450 --> 00:04:51.830
Now some systems' availability is more important than others.

00:04:52.290 --> 00:04:54.280
We take email, for example.

00:04:54.640 --> 00:04:57.770
For many departments and most organizations,

00:04:57.780 --> 00:05:01.210
email is an important communications tool,

00:05:01.400 --> 00:05:04.570
but if email went down for an hour over lunch,

00:05:04.570 --> 00:05:05.820
nobody would notice.

00:05:06.060 --> 00:05:10.660
We don't need 100% availability on something that doesn't

00:05:10.870 --> 00:05:14.550
require that level of redundancy and protection,

00:05:15.060 --> 00:05:18.090
but we want to know what systems do need to be

00:05:18.090 --> 00:05:21.340
available as close to 100% as possible.

00:05:21.760 --> 00:05:25.440
So availability is the protection of our systems from

00:05:25.540 --> 00:05:28.820
being unavailable or destroyed, for example,

00:05:29.150 --> 00:05:31.400
through things like having backups,

00:05:31.690 --> 00:05:36.460
making sure that a person is not able to be deprived of access maybe through

00:05:36.460 --> 00:05:40.390
something like a distributed denial of service attack,

00:05:40.620 --> 00:05:45.240
or through something like a cut cable or equipment failure that

00:05:45.240 --> 00:05:47.980
now that system is not there when it's needed.

00:05:49.500 --> 00:05:52.840
One of the ways we address this is through redundancy.

00:05:52.900 --> 00:05:55.940
Have alternate paths, more than one cable,

00:05:56.250 --> 00:05:59.760
more than one power supply, more than one backup,

00:05:59.770 --> 00:06:03.130
so we're able to ensure that even if there is a failure

00:06:03.130 --> 00:06:05.340
even to say one piece of the equipment,

00:06:05.480 --> 00:06:10.090
we can fail over and run using that other piece of equipment.

00:06:12.260 --> 00:06:14.870
When we look at the term non‑repudiation,

00:06:14.870 --> 00:06:18.130
this is not really a part of the CIA triad,

00:06:18.380 --> 00:06:20.800
but it's good to look at it here as well.

00:06:21.220 --> 00:06:24.260
To repudiate is to say I didn't do it.

00:06:24.760 --> 00:06:29.950
In today's network world, we need to establish who made that order,

00:06:29.960 --> 00:06:34.930
who made that change so they can't turn around later and repudiate.

00:06:35.330 --> 00:06:36.460
Oh, I didn't do it.

00:06:36.690 --> 00:06:39.620
So we establish non‑repudiation.

00:06:40.060 --> 00:06:44.600
This can be defined as protection against an individual who

00:06:44.600 --> 00:06:48.350
falsely denies having performed a certain action.

00:06:48.900 --> 00:06:54.640
And this then provides the capability to determine whether

00:06:54.640 --> 00:06:59.970
an individual took a certain action, such as creating a new customer record,

00:07:00.110 --> 00:07:04.540
sending a message, approving something, or receiving the message.

00:07:05.060 --> 00:07:08.570
This is how it's defined in the National Institute of Standards and

00:07:08.570 --> 00:07:16.660
Technology Special Publication 800‑53 r5, so it's a good benchmark for what

00:07:16.660 --> 00:07:20.510
is a good definition for what non‑repudiation is.

00:07:21.750 --> 00:07:25.610
In summary, throughout this module,

00:07:25.760 --> 00:07:30.260
we've set out a foundation for our information security program.

00:07:30.550 --> 00:07:35.060
We've defined some key terminology, and of course,

00:07:35.070 --> 00:07:38.670
we know that security requires oversight.

00:07:38.980 --> 00:07:40.720
It doesn't just happen.

00:07:41.010 --> 00:07:45.710
It must be managed with a strategy of what we're going to try to do,

00:07:45.800 --> 00:07:51.010
but then actions to back up and to realize that strategy.
