6.0 Understand principles of security

6.1 CIA - principles of information security

Integrity - All information must be kept up to date, accurate and protected from being corrupted

Availability - All information kept must be available 24/7 for authorized parties and individuals

Confidentiality - Only authorized personnel can access certain files and kept private from prying eyes

Information must be encrypted so if it get's encrypted it cannot be read by a third party

Constant backups and updates to files must be made to keep their information up to date

Have to put in prevention methods against attacks like DoS and hardware must go through constant checks and repairs to prevent any downtime

6.2 Risks

Intentional tampering (hacking)

Accidental loss (human error)

Intentional destruction (malicious attack, viruses)

Natural disasters

Unauthorised or unintended access to data (poor security policy)

A flood could destroy all servers at ground level

An employee could forget to save all their files or lose their USB on the train etc

The Mirai Botnet (a.k.a. Dyn attack) which took down parts of the internet

Someone sending you a virus or malware which can corrupt or damage files

A teacher not locking their computer when they leave the classroom

6.3 Impacts

Failure in security of confidential information

Loss of information belonging to a third party

Loss of service and access

Loss of reputation

Loss of intellectual property

Threat to national security

Malware or viruses sent can purposely delete or replace all your files on a device making it unusable or make all file unrecoverable.

Due to natural disasters they could stop services being provided due to weather conditions or just the general destruction of certain hardware.

If parties or individuals access files without authorisation they can possibly leak files on stuff like medical records, bank details etc.

Companies can lose partnerships with other companies as they could not keep their partners information safe.

If a company can’t keep unauthorised parties or individuals from seeing their information clients will not trust the company with their information.

If a big weapons company or military plan was hacked and stolen it could cause worldwide panic and lead to a threat to national security.

6.4 Protection Measures - Policy

Disaster recovery

Information security risk assessment

Responsibilities of staff for security of information

Effectiveness of protection measures

Staff access rights to information

Training of staff to handle information

Staff must be trained in technical and non-technical ways to handle information that is practical so staff are less likely to be susceptible to human error when handling data.
For example training staff to save and backup all modifications made to a file every 15 minutes.

Measuring the quality of protection methods based on how efficient, easy to perform and circumstantial each protection method is.

This is process done to identify, resolve and prevent security problems often based on what kind of security you offer for information stored by a company.
An example of an information security risk assessment can be checks on the level of encryption for all files in the company.

A procedure to recover and protect an IT infrastructure in the event of a natural disaster, such as a plan to follow when there is a flood.
An example being if their is a flood backup any salvageable files to a crypto stick.

Responsibilities that staff security should have, such as checking cameras, searches/check of employees, keeping updated on changes to information etc.
An example could be security guards could forget to check if all doors are locked in a company building or are not alert and checking cameras and could possibly be robbed.

Making it so only certain staff in a company can access certain files such as bankers having access to peoples account details while customer services having access to information on improving their customer support.
An example could be admin and IT technician having access to all files while students only have access to their own files.

6.5 Protection Methods - Physical

Backup systems in other locations

Security staff

Placing computers above known flood levels

Shredding old paper based records

Locks, keypads and bio-metrics

Shredding old paper based records make sure that no confidential information can be seen by anyone that cleans out the rubbish that can be used to incriminate of blackmail the company for their information.

Security staff monitor the infrastructure to make sure no unauthorized personnel enter or access files they are not supposed to, also constant monitoring of employees to make sure they do not leak any confidential information etc.

Backup systems in other locations prevents all information being lost incase the entire infrastructure of a company in one specific location incase that entire building is destroyed there is still a backup of all the information in another location.

By placing computers above known flood levels (higher floors) this can prevent the computers from being damaged due to water reaching them in the event of a flood making information loss less susceptible to flooding.

Biometrics, locks or keypads must be used to prevent unauthorised access to servers as they contain backups of every file in the entire infrastructure and if something were to happen to the servers information lost or tampered with will not be able to be recovered or reverted to their original unmodified state.

6.6 Protection measures - Logical

Obfuscation

Encryption of data at rest - for stand alone documents

Anti-malware applications

Encryption of data in transit - Via email

Firewalls(hardware and software)

Password protection

Tiered levels of access to data

Prevent or allows certain users to access restricted files or lower level users are restricted from accessing certain data.

Designed to prevent unauthorized users or files from being accessed

Protects your device from malicious software, through signature & behavior based malware detection and alerting (flagging), sandboxing (separating running programs) and quarantining harmful files.

Obfuscation is purposely making data unintelligible so that it can’t be understood by a human and has to be interpreted by a machine.

Files that are stored on a device or a stand alone file need a cipher key to be accessed as they have to be decrypted first.

Files are sent encrypted, but the encryption is dynamic therefore the encryption key is constantly changing so the file can’t be intercepted and only the receiver can decrypt the message.

Files are sent encrypted, but the encryption is dynamic therefore the encryption key is constantly changing so the file can’t be intercepted and only the receiver can decrypt the message.

For example, HR’s can access a teacher emergency contact but HOY’s cannot.

For example, if someone to open a file which a permission level higher than your own, you won’t be able to access said file.

For example, if MalwareBytes detects any malware trying to be downloaded of a website containing malware it will be flagged and prevent access.

For example, Credit Card numbers having an extra couple digits that can only be seen by the computer.

For example encrypting files on your computer so if it was stolen you wouldn’t be able to access the files without a cipher key.

For example, sending an email across Gmail, it is encrypted while being sent across to web to the receiver to decrypt and read.

For example, schools give every student and staff member a specific login and password so you can’t access your files if you don’t know the password.