Chapter 1
availability
data and services are available when needed. Redundancy and Fault tolerance, patching
safety of assets
safety of individuals and of organisation's assets. assets - physical security controls ensure safety of assets. fencing, lighting, locks, CCTV. Chapter 2
identification
user claim an identity. eg use usernames
authorisation
grant and restrict access. eg using permissions
steganography
hiding data within data
access controls
identification, authentication, authorisation controls ensure only authorised personnel can access data.
safety
individuals and assets. people should be top priority (as assets can be replaced)
encryption
make confidential data difficult to decode. Covered in Chapter 10
confidentiality
prevents unauthorised disclosure of data. encryption, access controls, steganography
authentication
prove their identity. eg passwords
integrity
provides assurance that data has not changed. Ensuring that no one has modified, tampered with, or corrupted the data. Hashing, Digital Signatures Certificates and non-repudiation
safety of individuals
safety of individuals and of organisation's assets. people - risks include disasters, fires, earthquakes, hurricanes and tornadoes. business continuity plans to prepare for these. these include escape plans and escape routes. hold drills and training to teach personnel
security triad
confidentiality, integrity, availability
non-repudiation
digital signatures, audit logs prove if someone did a thing
hashing
a hash is a number created by executing a hashing algorithm against data. If the data doesn't change, the hash doesn't change. Hashing verifies integrity. MD5, HMC, SHA-1
redundancy
availability. adds duplication to critical systems and provides fault tolerance. Remove single points of failure. Disk, server, load balancing, site redundancies, backups, alternate power, cooling systems.
patching
availability. software bugs are patched. Chapter 5
Digital Signatures, certificates and non-repudiation
used for integrity. digital signatures can be attached to data. when it is received, the digital signature provides assurance it has not been modified. A digital signature provides authentication. It authenticates the sender. A digital signature provides non-repudiation. The sender cannot deny sending the data because digital signature proves she did. digital signatures require certificates and a Public Key Infrastructure. Certificates include keys used for encryption and the PKI provides the means to create, manage and distribute certificates.