The CyberSecurity CUBE - Coggle Diagram
The Three Dimensions of the Cybersecurity Cube
The Three Dimensions
The Principles of Security
The first dimension of the cybersecurity cube identifies the goals of protecting the cyber world.
The goals identified in the first dimension are the foundational principles of the cybersecurity world.
These three principles are confidentiality, integrity and availability
Use the acronym CIA to remember these three principles
CIA Triad
Availability
Data availability is the principle used to describe the need to keep information systems and services available at all times.
Cyberattacks and system failures can prevent access to information systems and services
Organizations can ensure availability by implementing the following measures:
High availability systems typically include three design principles:
Eliminate single points of failure, provide for reliable crossover, and detect failures as they occur.
Methods used to ensure availability include system redundancy, system backups, increased system resiliency, equipment maintenance, up-to-date OS and software, and plans in place to recover quickly from unforeseen disasters
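The three high-availability design principles above (no single point of failure, reliable crossover, failure detection) in working form, as an added example that is not part of the original outline. The Replica class, the flaky backend and the failure threshold are constructed for this example; in practice the handler would be a network call and the probe a real health check.

```python
"""Availability: keep serving requests when a replica fails.

Added example; not code from the original outline. It models the three
high-availability design principles named in the text: no single point of
failure (at least two replicas), reliable crossover (the client moves to
the next healthy replica by itself) and failure detection (a replica that
keeps failing is marked DOWN and skipped until a health probe succeeds).
The Replica class, the flaky backend and the threshold are constructed
for this example.
"""
from dataclasses import dataclass
from typing import Callable, List

FAILURE_THRESHOLD = 2  # assumed: consecutive errors before a replica leaves rotation


@dataclass
class Replica:
    name: str
    handler: Callable[[str], str]  # stands in for a network call to the service
    failures: int = 0              # consecutive failures observed
    healthy: bool = True


class FailoverClient:
    def __init__(self, replicas: List[Replica], threshold: int = FAILURE_THRESHOLD):
        if len(replicas) < 2:
            raise ValueError("one replica is a single point of failure")
        self.replicas = replicas
        self.threshold = threshold
        self.log: List[str] = []

    def _record_failure(self, r: Replica, err: Exception) -> None:
        r.failures += 1
        self.log.append(f"{r.name}: {err}")
        if r.failures >= self.threshold:
            r.healthy = False  # failure detected: stop sending traffic here
            self.log.append(f"{r.name}: marked DOWN")

    def call(self, request: str) -> str:
        """Crossover: try healthy replicas in order; the first success answers."""
        for r in self.replicas:
            if not r.healthy:
                continue
            try:
                result = r.handler(request)
            except Exception as err:  # constructed backends raise ConnectionError
                self._record_failure(r, err)
                continue
            r.failures = 0
            return f"{r.name}:{result}"
        raise RuntimeError("all replicas failed")

    def probe(self) -> List[str]:
        """Health check: a DOWN replica that answers the probe rejoins rotation."""
        recovered = []
        for r in self.replicas:
            if r.healthy:
                continue
            try:
                r.handler("healthcheck")
            except Exception:
                continue
            r.healthy, r.failures = True, 0
            recovered.append(r.name)
        return recovered


def make_flaky(name: str, fail_times: int) -> Callable[[str], str]:
    """Constructed backend: raises for its first `fail_times` calls, then works."""
    calls = {"n": 0}

    def handler(request: str) -> str:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise ConnectionError(f"{name} unreachable")
        return request.upper()

    return handler


def demo() -> dict:
    primary = Replica("primary", make_flaky("primary", fail_times=2))
    secondary = Replica("secondary", make_flaky("secondary", fail_times=0))
    client = FailoverClient([primary, secondary])
    r1 = client.call("balance")  # primary fails once; secondary answers
    r2 = client.call("balance")  # primary fails again and is marked DOWN
    r3 = client.call("balance")  # primary is skipped without being tried
    recovered = client.probe()   # primary answers the probe and rejoins
    r4 = client.call("balance")  # traffic returns to primary
    return {"results": [r1, r2, r3, r4], "recovered": recovered,
            "primary_healthy": primary.healthy, "log": client.log}


if __name__ == "__main__":
    print(demo())
```

The threshold matters: marking a replica DOWN after a single error turns a transient blip into an outage of that node, while never marking it DOWN means every request pays the timeout on the dead node before crossing over.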
Integrity
Integrity Checks
An integrity check is a way to measure the consistency of a collection of data (a file, a picture, or a record).
The integrity check runs the data through a hash function to take a snapshot of it at an instant in time; recomputing the hash later and comparing it with the snapshot reveals whether the data has changed since.
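The snapshot-and-compare integrity check in code, as an added example (not from the original page). The file contents and the key are constructed. The keyed variant is the caveat a practitioner needs: a plain hash stored next to the data can simply be recomputed by whoever altered the data, so the baseline must be stored where an attacker cannot rewrite it, or the check must be keyed (HMAC) or signed.

```python
"""Integrity check: hash a snapshot of data, later recompute and compare.

Added example; not from the original page. snapshot()/verify() are the
plain hash check the text describes. keyed_snapshot()/keyed_verify() use
HMAC-SHA256 so that an attacker who can rewrite both the data and the
stored reference values still cannot forge a matching tag without the key.
File contents and the key are constructed for the example.
"""
import hashlib
import hmac
from typing import Dict


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline: the SHA-256 digest of each object at an instant in time."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify(files: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, str]:
    """Recompute each digest and compare with the baseline."""
    report = {}
    for name, expected in baseline.items():
        if name not in files:
            report[name] = "missing"
        elif hashlib.sha256(files[name]).hexdigest() != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    for name in files:
        if name not in baseline:
            report[name] = "new"
    return report


def keyed_snapshot(files: Dict[str, bytes], key: bytes) -> Dict[str, str]:
    """Same idea with HMAC-SHA256: the tag cannot be recomputed without the key."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def keyed_verify(files: Dict[str, bytes], baseline: Dict[str, str], key: bytes) -> Dict[str, str]:
    report = {}
    for name, expected in baseline.items():
        if name not in files:
            report[name] = "missing"
            continue
        tag = hmac.new(key, files[name], hashlib.sha256).hexdigest()
        # constant-time comparison so the check itself does not leak the tag
        report[name] = "ok" if hmac.compare_digest(tag, expected) else "modified"
    for name in files:
        if name not in baseline:
            report[name] = "new"
    return report


def demo():
    key = b"constructed-demo-key-not-for-production"
    files = {"config.ini": b"debug=false\n",
             "records.csv": b"acct,amt\n1001,50.00\n"}
    baseline = snapshot(files)
    keyed = keyed_snapshot(files, key)

    tampered = dict(files)
    tampered["records.csv"] = b"acct,amt\n1001,5000.00\n"
    honest = verify(tampered, baseline)          # records.csv reported as modified

    # An attacker who can also overwrite the stored hashes regenerates them...
    forged_baseline = snapshot(tampered)
    fooled = verify(tampered, forged_baseline)   # everything reported as ok
    # ...but cannot regenerate the keyed tags without the key.
    caught = keyed_verify(tampered, keyed, key)
    return honest, fooled, caught


if __name__ == "__main__":
    print(demo())
```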
Need for Data Integrity
Protecting data integrity is a constant challenge for most organizations.
Loss of data integrity can render entire data resources unreliable or unusable.
A bank or financial organization assigns a higher importance to data integrity than Facebook does.
Transactions and customer accounts must be accurate
The need for data integrity varies based on how an organization uses data.
Principle of Data Integrity
Methods used to ensure data integrity include hashing, data validation checks, data consistency checks, and access controls
Another term for integrity is quality
Integrity is the accuracy, consistency, and trustworthiness of data during its entire life cycle
Confidentiality
Confidentiality and privacy seem interchangeable, but from a legal standpoint, they mean different things
Privacy is the appropriate use of data.
When organizations collect info provided by customers or employees, they should only use that data for its intended purpose.
Confidential info has a non-public status.
Maintaining confidentiality is more of an ethical duty
Most privacy is confidential, but not all confidential data is private.
Access to confidential info occurs after confirming proper authorization.
Financial institutions, hospitals, medical professionals, law firms, and businesses handle confidential info
The Principle of Confidentiality
Methods used to ensure confidentiality include data encryption, authentication, and access control
Organizations need to train employees about best practices in safeguarding sensitive information to protect themselves and the organization from attacks
Confidentiality prevents the disclosure of information to unauthorized people, resources and processes.
Confidentiality is often used loosely as a synonym for privacy, although, as noted above, the two terms differ.
Controlling Access
The concept of AAA involves three security services: Authentication, Authorization, and Accounting
Access control defines a number of protection schemes that prevent unauthorized access to a computer, network, database, or other data resources.
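The three AAA services on one access path, as an added example (not from the original page). The user store, roles, resources and password work factor are constructed; password verification uses a per-user random salt with PBKDF2-HMAC-SHA256 and a constant-time comparison, authorization is a role-to-permission table, and accounting is an append-only audit record of every decision, including the denials.

```python
"""AAA: authentication, authorization and accounting in one access check.

Added example; not from the original page. USERS, PERMISSIONS, the
resource names and PBKDF2_ROUNDS are constructed for the example.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def make_user(password: str, role: str) -> dict:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "role": role}


USERS = {
    "alice": make_user("correct horse", "teller"),
    "bob": make_user("battery staple", "auditor"),
}

PERMISSIONS = {  # authorization: (resource, action) pairs each role may perform
    "teller": {("accounts", "read"), ("accounts", "write")},
    "auditor": {("accounts", "read"), ("audit_log", "read")},
}

AUDIT_LOG = []  # accounting: every decision, allowed or denied


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the caller is who they claim to be."""
    user = USERS.get(username)
    # Run PBKDF2 even for unknown users so a missing account costs the same
    # time as a wrong password and cannot be detected by timing.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return user is not None and hmac.compare_digest(candidate, user["hash"])


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: is this authenticated user allowed to do this?"""
    role = USERS[username]["role"]
    return (resource, action) in PERMISSIONS.get(role, set())


def account(username: str, resource: str, action: str, outcome: str) -> None:
    """Accounting: record who did what, to which resource, with what result."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username, "resource": resource,
        "action": action, "outcome": outcome,
    })


def access(username: str, password: str, resource: str, action: str) -> str:
    if not authenticate(username, password):
        account(username, resource, action, "DENY:authentication")
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        account(username, resource, action, "DENY:authorization")
        return "denied: not authorized"
    account(username, resource, action, "ALLOW")
    return "allowed"


if __name__ == "__main__":
    print(access("alice", "correct horse", "accounts", "write"))
    print(access("bob", "battery staple", "accounts", "write"))
    print(access("mallory", "guess", "accounts", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the denial reason in the return string is deliberately coarse for the authentication step ("authentication failed", not "no such user"), while the audit log keeps the precise reason for the people who are allowed to see it.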
Protecting Data Privacy
Organizations collect a large amount of data, and much of this data is not sensitive because it is publicly available, like names and telephone numbers.
Other data collected, though, is sensitive.
Sensitive information is data protected from unauthorized access to safeguard an individual or an organization.
The principles provide focus and enable cybersecurity specialists to prioritize actions in protecting the cyber world
The States of Data
The cyber world is a world of data; therefore, cybersecurity specialists focus on protecting data.
The second dimension of the cybersecurity cube focuses on the problems of protecting all of the states of data in the cyber world.
Data has three possible states
Data at rest or in storage
Stored data refers to data at rest.
Data at rest means that a type of storage device retains the data when no user or process is using it.
A storage device can be local (on a computing device) or centralized (on the network).
A number of options exist for storing data
Direct-attached storage (DAS) is storage connected to a computer.
A hard drive or USB flash drive is an example of direct-attached storage
Redundant Array of Independent Disks (RAID) uses multiple hard drives in an array, a method of combining multiple disks so that the operating system sees them as a single disk.
RAID provides improved performance and fault tolerance
A Network Attached Storage (NAS) device is a storage device connected to a network that allows storage and retrieval of data from a centralized location by authorized network users.
NAS devices are flexible and scalable, meaning administrators can increase the capacity as needed.
A Storage Area Network (SAN) is a network-based storage architecture that improves performance and allows multiple servers to connect to a centralized disk storage repository.
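The mechanism behind the fault tolerance the RAID entry above refers to, as an added example that is not from the original page: a RAID 5-style stripe keeps one parity block that is the XOR of the data blocks, so any single lost block (data or parity) is rebuilt by XORing the survivors. Block size, payload and the simplification that parity is not rotated across disks are constructed for this example.

```python
"""RAID-style single-parity fault tolerance: rebuild a lost disk from XOR.

Added example; not from the original page. One stripe of n_data data
blocks plus one parity block (parity not rotated, unlike real RAID 5).
Any one missing block is recoverable; two are not, which is why a
second failure during a rebuild loses the array.
"""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("all blocks in a stripe must have the same size")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data: bytes, n_data: int, block_size: int) -> List[bytes]:
    """Split one stripe's worth of data into n_data blocks plus a parity block."""
    stripe_bytes = n_data * block_size
    if len(data) > stripe_bytes:
        raise ValueError("payload exceeds one stripe in this example")
    padded = data.ljust(stripe_bytes, b"\x00")
    blocks = [padded[i * block_size:(i + 1) * block_size] for i in range(n_data)]
    return blocks + [xor_blocks(blocks)]  # last entry is the parity disk


def rebuild(disks: List[Optional[bytes]]) -> List[bytes]:
    """disks: stripe with exactly one None (the failed disk). Returns a full stripe."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise ValueError("single parity survives exactly one failed disk")
    survivors = [d for d in disks if d is not None]
    rebuilt = list(disks)
    rebuilt[missing[0]] = xor_blocks(survivors)  # XOR of the rest gives the lost block
    return rebuilt


def read(disks: List[bytes], n_data: int, length: int) -> bytes:
    """Reassemble the original payload from the data blocks (ignores parity)."""
    return b"".join(disks[:n_data])[:length]


def demo() -> dict:
    payload = b"ledger entry 42"
    disks = stripe(payload, n_data=3, block_size=8)
    lost_data = list(disks)
    lost_data[1] = None                     # data disk 1 fails
    lost_parity = list(disks)
    lost_parity[3] = None                   # parity disk fails instead
    return {
        "after_data_loss": read(rebuild(lost_data), 3, len(payload)),
        "after_parity_loss": rebuild(lost_parity) == disks,
    }


if __name__ == "__main__":
    print(demo())
```

Parity protects against a disk failing; it does nothing against a bad write or malware that corrupts the data before it reaches the array, because the parity is then recomputed over the corrupt data. That is the gap backups (listed under availability above) and integrity checks cover.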
Data in transit
Data transmission involves sending information from one device to another.
There are numerous methods to transmit information between devices, including sneaker net (physically carrying removable media), wired networks, and wireless networks.
The protection of transmitted data is one of the most challenging jobs of a cybersecurity professional.
The greatest challenges are:
Protecting data confidentiality
Protecting data integrity
Protecting data availability
Data in process
The third state of data is data in process.
This refers to data during initial input, modification, computation, or output
Protection of data integrity starts with the initial input of data
Organizations use several methods to collect data, and each of these methods poses potential threats to data integrity.
Data modification refers to any changes to the original data.
Processes like encoding/decoding, compression/decompression and encryption/decryption are all examples of data modification.
Malicious code also results in data corruption
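Integrity controls for data in process, as an added example that is not from the original page: the data validation check at initial input and the data consistency check after modification that the integrity section lists as methods. A constructed transaction record (account, amount, currency) stands in for the input; the field names, the account format and the limits are assumptions for this example.

```python
"""Data in process: validate at input, then check consistency after modification.

Added example; not from the original page. validate_transaction() is the
data validation check applied at initial input; apply_batch() is the
modification step; consistency_check() confirms that the ledger still
reconciles afterwards. Record format and limits are constructed.
"""
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

ACCOUNT_RE = re.compile(r"[0-9]{4,12}")   # assumed account number format
MAX_AMOUNT = Decimal("1000000.00")        # assumed per-transaction limit
CURRENCIES = {"USD", "EUR"}               # assumed accepted currencies
CENT = Decimal("0.01")


class ValidationError(ValueError):
    pass


def validate_transaction(raw: dict) -> dict:
    """Data validation at initial input: reject anything malformed before processing."""
    account = str(raw.get("account", ""))
    if not ACCOUNT_RE.fullmatch(account):      # fullmatch: no trailing junk or newline
        raise ValidationError(f"bad account {account!r}")
    try:
        amount = Decimal(str(raw.get("amount")))  # Decimal, not float: no rounding drift
    except InvalidOperation:
        raise ValidationError("amount is not numeric")
    if not amount.is_finite():
        raise ValidationError("amount must be finite")
    if amount != amount.quantize(CENT):
        raise ValidationError("amount must have at most two decimal places")
    if amount == 0 or not -MAX_AMOUNT <= amount <= MAX_AMOUNT:
        raise ValidationError("amount out of range")
    currency = raw.get("currency")
    if currency not in CURRENCIES:
        raise ValidationError(f"unsupported currency {currency!r}")
    return {"account": account, "amount": amount, "currency": currency}


def is_valid(raw: dict) -> bool:
    try:
        validate_transaction(raw)
        return True
    except ValidationError:
        return False


def apply_batch(balances: Dict[str, Decimal], txns: List[dict]) -> Tuple[Dict[str, Decimal], Decimal]:
    """Modification step: post validated transactions; also return a control total."""
    after = dict(balances)
    control = Decimal("0")
    for t in txns:
        after[t["account"]] = after.get(t["account"], Decimal("0")) + t["amount"]
        control += t["amount"]
    return after, control


def consistency_check(before: Dict[str, Decimal], after: Dict[str, Decimal], control: Decimal) -> bool:
    """Consistency: the change in total balance must equal the control total."""
    total = lambda b: sum(b.values(), Decimal("0"))
    return total(after) - total(before) == control


def demo() -> Tuple[bool, bool]:
    before = {"1001": Decimal("100.00"), "2002": Decimal("20.00")}
    raw_batch = [
        {"account": "1001", "amount": "50.00", "currency": "USD"},
        {"account": "2002", "amount": "-30.00", "currency": "USD"},
    ]
    txns = [validate_transaction(r) for r in raw_batch]
    after, control = apply_batch(before, txns)
    clean = consistency_check(before, after, control)        # True
    after["1001"] += Decimal("1.00")                          # out-of-band tampering
    tampered = consistency_check(before, after, control)      # False
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```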
Cybersecurity Safeguards
The third dimension of the cybersecurity cube defines the types of safeguards used to protect the cyber world.
The cube identifies three types of safeguards:
Technologies
devices, and products available to protect information systems and fend off cyber criminals
Cloud-based Technology Safeguards
Technological countermeasures now also include cloud-based technologies.
Cloud-based technologies shift the technology component from the organization to the cloud provider
Software as a Service (SaaS)
Allows users to gain access to application software and databases.
Cloud providers manage the infrastructure.
Users store data on the cloud provider's servers
Infrastructure as a Service (IaaS)
Provides virtualized computing resources over the Internet.
The provider hosts the hardware, software, servers, and storage components
Virtual security appliances
Run inside a virtual environment with a pre-packaged, hardened OS running on virtualized hardware
Policies and Practices
procedures, and guidelines that enable the citizens of the cyber world to stay safe and follow good practices
Security Policy
is a set of security objectives for a company that includes rules of behavior for users and administrators and specifies system requirements.
These objectives, rules, and requirements collectively ensure the security of a network, the data, and the computer systems within an organization
Standards
Help an IT staff maintain consistency in operating the network.
Standards specify the technologies that particular users or programs must use, along with any program requirements or criteria that the organization must follow.
Guidelines
A list of suggestions on how to do things more efficiently and securely.
Guidelines define how standards are developed and help ensure adherence to general security policies.
They are similar to standards, but are more flexible and are not usually mandatory.
Procedure
Procedure documents are longer and more detailed than standards and guidelines.
Procedure documents include implementation details that usually contain step-by-step instructions and graphics
People
Aware and knowledgeable about their world and the dangers that threaten their world
A security awareness program is extremely important for an organization.
An employee may not be purposefully malicious but just unaware of what the proper procedures are.
There are several ways to implement a formal training program
Tie security awareness to job requirements or performance evaluations
Conduct in-person training sessions
Make security awareness training a part of the employee's onboarding process
Complete online courses
Security awareness should be an ongoing process since new threats and techniques are always on the horizon
Security Management Framework
The ISO Model (CyberSec)
Security professionals need to secure information from end-to-end within the organization.
This is a monumental task, and it is unreasonable to expect one individual to have all of the requisite knowledge
The International Organization for Standardization (ISO)/International Electrotechnical Commission(IEC) developed a comprehensive framework to guide information security management
The ISO cybersecurity model is to cybersecurity professionals what the OSI networking model is to network engineers.
Both provide a framework for understanding and approaching complex tasks
ISO/IEC 27001, the certifiable information security management standard in the family, was published in 2005, revised in 2013, and revised again in 2022.
ISO and IEC jointly publish the ISO/IEC 27000 family of standards.
Even though the standards are not mandatory, most countries use them as a de facto framework for implementing information security.
The structure of the ISO cybersecurity model is different from the OSI model in that it uses domains rather than layers to describe the categories for security.
The reason for this is that the ISO cybersecurity model is not a hierarchical relationship.
It is a peer model in which each domain has a direct relationship with the other domains
Like the OSI model, the ISO 27000 cybersecurity model is one that cybersecurity specialists must understand to be successful.
Cybersecurity Domains
Twelve Domains of CyberSec (these follow the twelve clauses of the 2005 edition of ISO/IEC 27002; the 2013 revision regrouped the controls into fourteen clauses and the 2022 revision into four themes)
Security Policy
A document that addresses the constraints and behaviors of members of an organization and often specifies how data can be accessed and what data is accessible by whom.
Organization of Information Security
This is the governance model set out by an organization for information security
Risk Assessment
This is the first step in the risk management process.
It determines the quantitative and qualitative value of risk related to a specific situation or recognized threat
Asset Management
This is an inventory of and classification scheme for information assets
Human Resources Security
This addresses security procedures relating to employees joining, moving within, and leaving an organization
Physical and Environmental Security
this describes the protection of the computer facilities within an organization
Communications and Operations Management
This describes the management of technical security controls in systems and networks
Information Systems Acquisition, Development and Maintenance
This describes the integration of security into applications
Access Control
This describes the restriction of access rights to networks, systems, applications, functions, and data
Information Security Incident Management
this describes how to anticipate and respond to information security breaches
Business Continuity Management
This describes the protection, maintenance, and recovery of business-critical processes and systems
Compliance
This describes the process of ensuring conformance with information security policies, standards, and regulations
Using the ISO Cybersecurity Model
The ISO/IEC 27000 family is a universal framework for every type of organization.
In order to use the framework effectively, an organization must narrow down which domains, control objectives, and controls apply to its environment and operations.
The ISO 27000 control objectives serve as a checklist.
The first step an organization takes is to determine if these control objectives are applicable to the organization
The ISO Cybersecurity Model and the States of Data
Different groups within an organization may be responsible for data in each of the various states
For Example
The Network security group is responsible for data during transmission
Programmers and data entry people are responsible for data during processing.
The hardware and server support specialists are responsible for stored data.
The ISO Controls specifically address security objectives for data in each of the three states
The ISO Cybersecurity Model and Safeguards
The ISO 27002 controls provide technical direction.
For example
Upper management establishes a policy specifying the protection of all data coming into or going out of the organization.
Implementing the technology to meet the policy objectives would not involve upper management
It is the responsibility of IT professionals to properly implement and configure the equipment used to fulfill the policy directives set by upper management
The ISO 27001 control objectives relate directly to the organization's cybersecurity policies, procedures and guidelines which upper management determines