Today we have part 2 of a 2-part guest post by security analyst Chris Goff. Chris has collected a set of info, links and lists that definitely qualify as extremely cool resources! You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris
There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test! Just skim it, enjoy it and bookmark it!
Security Concepts

There are three key concepts of information security which you may or may not be familiar with:
- Confidentiality
  - Confidentiality is the characteristic of information whereby only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached.
- Integrity
  - Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being entered, stored, or transmitted.
- Availability
  - Availability is the characteristic of information that enables user access to information in a usable format without interference or obstruction. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.
This is known as the "security triad". It can be further expanded upon:
- Privacy
  - Information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. Privacy as a characteristic of information does not signify freedom from observation (the meaning usually associated with the word), but in this context, privacy means that information will be used only in ways known to the person providing it. Many organizations collect, swap, and sell personal information as a commodity. It is now possible to collect and combine information on individuals from separate sources, which has yielded detailed databases whose data might be used in ways not agreed to, or even communicated to, the original data owner. Many people have become aware of these practices and are looking to the government for protection of the privacy of their data.
- Identification
  - An information system possesses the characteristic of identification when it is able to recognize individual users. Identification is the first step in gaining access to secured material, and it serves as the foundation for subsequent authentication and authorization. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Identification is typically performed by means of a user name or other ID.
- Authentication
  - An information system possesses the characteristic of authentication when it is able to prove that a user possesses the identity that he or she claims. Examples include the use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections or the use of cryptographic hardware devices (for example, hardware tokens such as RSA's SecurID) to confirm a user's identity.
- Authorization
  - After the identity of a user is authenticated, a process called authorization assures that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. An example of authorization is the activation and use of access control lists and authorization groups in a networking environment. Another example is a database authorization scheme to verify that the user of an application is authorized for specific functions such as reading, writing, creating, and deleting.
- Accountability
  - Accountability of information exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability. (Management of Information Security by Michael E. Whitman and Herbert J. Mattord)
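The chain described above, from identification through authentication and authorization to accountability, as an added Python example that is not from the post or from Whitman and Mattord; the user names, passwords, asset name, ACL entries and fixed salt are constructed for illustration:

```python
import hashlib
import hmac
from datetime import datetime, timezone

# All names, passwords and ACL entries below are constructed for illustration.
_SALT = b"constructed-fixed-salt"  # a real system uses a random salt per user

def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
# Identification: the system recognises these user names and nothing else.
USERS = {
    "alice": _hash_password("correct horse battery staple"),
    "bob": _hash_password("hunter2"),
}
# Authorization: an access control list of (principal, asset) -> permitted actions.
ACL = {
    ("alice", "payroll.db"): {"read", "write", "create", "delete"},
    ("bob", "payroll.db"): {"read"},
}
# Accountability: every attempt, allowed or denied, is attributed to the claimed principal.
AUDIT_LOG = []

def identify(username):
    """Identification: map a claimed user name to a known principal, or None."""
    return username if username in USERS else None

def authenticate(username, password):
    """Authentication: prove the claim with a constant-time hash comparison."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _hash_password(password))

def authorize(principal, asset, action):
    """Authorization: is this action explicitly granted to this principal on this asset?"""
    return action in ACL.get((principal, asset), set())

def access(username, password, asset, action):
    """Run the full chain; return the outcome, which is also written to the audit log."""
    if identify(username) is None:
        outcome = "denied:unknown-identity"
    elif not authenticate(username, password):
        outcome = "denied:authentication-failed"
    elif not authorize(username, asset, action):
        outcome = "denied:not-authorized"
    else:
        outcome = "allowed"
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "principal": username, "asset": asset,
                      "action": action, "outcome": outcome})
    return outcome
```

Note that denied attempts are logged with the claimed name as well, since accountability covers every activity undertaken, not only the successful ones.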