INTERNET SECURITY JOURNAL

BY

OBEDIENCE MUNASHE KUGUYO

CISSP, OSCP, E|CH

CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL YEARLY REQUIREMENT

CISSP JOURNAL 2016

CORPORATE INFORMATION GOVERNANCE AND RISK MANAGEMENT

Internet Security Topics Covered
Security Principles
Protection Controls
CIA Triad in Depth

CISSP JOURNAL 2016

SECURITY PRINCIPLES

Organizations exist to make money and increase their capacity of delivering their products. Some
organizations exist to render services to the public and if no threats were in existence, none of
them would deploy and maintain firewalls, intrusion detection systems, identity management
technologies and encryption devices. If it wasnt for the same, no business would want to
develop security policies, deploy antimalware products, maintain vulnerability management
systems and even hire security professionals to prepare for incidence response and comply with
the international security regulations. Business owners would like to be able to make their
widgets, sell their widgets, and rack more money into their business coffers. In this age, this is no
longer the case, as these organizations are faced with attackers who want to steal businesses
customer data to carry out illegal activities. Company secrets are commonly being stolen by
internal and external entities for economic espionage purposes. Systems are being hijacked and
being used within botnets to attack other organizations or to spread spam. Company funds are
being secretly siphoned off through complex and hard-to-identify digital methods such as cryptocurrency channels, commonly by organized criminal rings in different countries. And
organizations that find themselves in the crosshairs of attackers may come under constant attack
that brings their systems and websites offline for hours or days. Companies are required to
practice a wide range of security castigations today to keep their market share, protect their
customers and bottom line, stay out of jail, and still sell their widgets.
In this chapter, I want to begin with the foundational pieces of security and explain them
throughout the article. A solid security foundation is built on a strong understanding of the basics
of security principles. Building a security base is similar to building a house: without a solid
foundation, it is weak, unpredictable, and will fail in the most critical of moments. My goal is to
give corporates a solid and deep understanding of security that can help protect their
infrastructure against many of the threats we face today, but also protect the commercial and
government organizations that depends upon their services.
The core goals of security are to provide confidentiality, integrity, and availability commonly
referred to as (CIA triad) for asset protection. Each asset requires different levels of these types
of protection. All security reins, mechanisms, and safeguards are implemented to provide one or
more of these protection types, and all risks, threats, and vulnerabilities are measured to predict
their potential capability to compromise one or all of the CIA principles.

CISSP JOURNAL 2016

CONFIDENTIALITY
The basics of security principles ensure information confidentiality enforces the necessary level
of secrecy at each junction of data processing and prevents unauthorized disclosure of data by
any means necessary. Levels of confidentiality should prevail while data resides on information
systems and devices within the network area it is transmitted, and once it reaches its destination.
Attackers can thwart confidentiality mechanisms by network monitoring, shoulder surfing,
stealing password files, breaking encryption schemes, and social engineering. Any one-to-one
communication medium can be used to perform social engineering attacks. Confidentiality
ensures users are educated well enough so that they are aware of the consequences of
intentionally or accidentally disclosing sensitive information. Sensitive information can be
disclosed through not encrypting the communication before sending it to another company,
falling prey to social engineering attacks and also sharing company trade secrets and also not
taking extra care in protecting confidential information when protecting it. Confidentiality can be
provided by encrypting data as it is stored and transmitted, enforcing strict access control and
data classification, and by training personnel on the proper data protection procedures.
Availability, integrity, and confidentiality are critical principles of security. You should
understand their meaning, how they are provided by different mechanisms, and how their
absence can negatively affect an organization.
INTEGRITY
Integrity is upheld when the assurance of the accuracy and reliability of information and systems
is provided and any unauthorized modification is prevented. Hardware, software, and
communication mechanisms must work in concert to maintain and process data correctly and to
move data to intended destinations without unexpected alteration. The systems and network
should be protected from outside interference and contamination. Environments that enforce and
provide this attribute of security ensure that attackers, or mistakes by users, do not compromise
the integrity of systems or data. When an attacker inserts a virus, logic bomb, or back door into a
system, the systems integrity is compromised. This can, in turn, harm the integrity of
information held on the system by way of corruption, malicious modification, or the replacement
of data with incorrect data. Strict access controls, intrusion detection, and hashing can combat
these threats. Users usually affect a system or its datas integrity by mistake (although internal
users may also commit malicious deeds). For example, users with a full hard drive may
unwittingly delete configuration files under the mistaken assumption that deleting a boot.ini file
must be okay because they dont remember ever using it. Or, for example, a user may insert

CISSP JOURNAL 2016

incorrect values into a data processing application that ends up charging a customer $3,000
instead of $300. Incorrectly modifying data kept in databases is another common way users may
accidentally corrupt dataa mistake that can have lasting effects. Security should streamline
users capabilities and give them only certain choices and functionality, so errors become less
common and less devastating. System-critical files should be restricted from viewing and access
by users. Applications should provide mechanisms that check for valid and reasonable input
values. Databases should let only authorized individuals modify data, and data in transit should
be protected by encryption or other mechanisms.
AVAILABITY
Availability protection ensures reliability and timely access to data and resources to authorized
individuals. Network devices, computers, and applications should provide adequate functionality
to perform in a predictable manner with an acceptable level of performance. They should be able
to recover from disruptions in a secure and quick fashion so productivity is not negatively
affected. Necessary protection mechanisms must be in place to protect against inside and outside
threats that could affect the availability and productivity of all business-processing components.
Like many things in life, ensuring the availability of the necessary resources within an
organization sounds easier to accomplish than it really is. Networks have so many pieces that
must stay up and running (routers, switches, DNS servers, DHCP servers, proxies, firewalls).
Software has many components that must be executing in a healthy manner (operating system,
applications, antimalware software). There are environmental aspects that can negatively affect
an organizations operations (fire, flood, HVAC issues, and electrical problems), potential
natural disasters, and physical theft or attacks. An organization must fully understand its
operational environment and its availability weaknesses so that the proper countermeasures can
be put into place.
PROTECTION CONTROL - BALANCED SECURITY
Balanced Security In reality, when information security is dealt with, it is commonly only
through the lens of keeping secrets secret (confidentiality). The integrity and availability threats
can be overlooked and only dealt with after they are properly compromised. Some assets have a
critical confidentiality requirement (company trade secrets), some have critical integrity
requirements (financial transaction values), and some have critical availability requirements (ecommerce web servers). Many people understand the concepts of the CIA triad, but may not
fully appreciate the complexity of implementing the necessary controls to provide all the
protection these concepts cover.

CISSP JOURNAL 2016

The following provides a short list of some of these controls and how they map to the
components of the CIA triad:
Availability
Redundant array of inexpensive disks (RAID)
Clustering
Load balancing
Redundant data and power lines
Software and data backups
Disk shadowing
Co-location and off-site facilities
Roll-back functions
Fail-over configurations
Integrity
Hashing (data integrity)
Configuration management (system integrity)
Change control (process integrity)
Access control (physical and technical)
Software digital signing
Transmission CRC functions
Confidentiality
Encryption for data at rest (whole disk, database encryption)
Encryption for data in transit (IPsec, SSL, PPTP, SSH)
Access control (physical and technical)
It is important to realize at this point is that while the concept of the CIA triad may seem
simplistic, meeting its requirements in an organization is commonly more challenging.
The words vulnerability, threat, risk, and exposure are often interchanged, even though
they have different meanings. It is important to understand each words definition and the
relationships between the concepts they represent.

CISSP JOURNAL 2016

Vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It

can be software, hardware, procedural, or human weakness that can be exploited. Vulnerability
may be a service running on a server, unpatched applications or operating systems, an
unrestricted wireless access point, an open port on a firewall, lax physical security that allows
anyone to enter a server room, or unenforced password management on servers and
workstations.
A threat is any potential danger that is associated with the exploitation of vulnerability. The
threat is that someone, or something, will identify a specific vulnerability and use it against the
company or individual. The entity that takes advantage of vulnerability is referred to as a threat
agent. A threat agent could be an intruder accessing the network through a port on the firewall, a
process accessing data in a way that violates the security policy, a tornado wiping out a facility,
or an employee making an unintentional mistake that could expose confidential information.
A risk is the likelihood of a threat agent exploiting vulnerability and the corresponding business
impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use
one to access the network in an unauthorized method. If users are not educated on processes and
procedures, there is a higher likelihood that an employee will make an unintentional mistake that
may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there
is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability,
threat, and likelihood of exploitation to the resulting business impact.
An exposure is an instance of being exposed to losses. Vulnerability exposes an organization to
possible damages. If password management is lax and password rules are not enforced, the
company is exposed to the possibility of having users passwords captured and used in an
unauthorized manner. If a company does not have its wiring inspected and does not put proactive
fire prevention steps into place, it exposes itself to potentially devastating fires.
A control, or countermeasure, is put into place to mitigate (reduce) the potential risk. A
countermeasure may be a software configuration, a hardware device, or a procedure that
eliminates vulnerability or that reduces the likelihood a threat agent will be able to exploit
vulnerability. Examples of countermeasures include strong password management, firewalls, a
security guard, access control mechanisms, encryption, and security-awareness training.
The different functionalities of security controls are preventive, detective, corrective, deterrent,
recovery, and compensating. By having a better understanding of the different control

CISSP JOURNAL 2016

functionalities, you will be able to make more informed decisions about what controls will be
best used in specific situations. The six different control functionalities are as follows:

Deterrent:
Preventive:
Corrective:
Recovery:
Detective:
Compensating:

intended to discourage a potential attacker

intended to avoid an incident from occurring
fixes components or systems after an incident has occurred
intended to bring the environment back to regular operations
helps identify an incidents activities and potentially an intruder
controls that provide an alternative measure of control

Once you understand fully what the different controls do, you can use them in the right locations
for specific risksor you can just put them where they would look the prettiest.
When looking at a security structure of an environment, it is most productive to use a preventive
model and then use detective, recovery, and corrective mechanisms to help support this model.
Basically, you want to stop any trouble before it starts, but you must be able to quickly react and
combat trouble if it does find you. It is not feasible to prevent everything; therefore, what you
cannot prevent, you should be able to quickly detect. Thats why preventive and detective
controls should always be implemented together and should complement each other. To take this
concept further: what you cant prevent, you should be able to detect, and if you detect
something, it means you werent able to prevent it, and therefore you should take corrective
action to make sure it is indeed prevented the next time around. Therefore, all three types work
together: preventive, detective, and corrective.
The control types described next (administrative, physical, and technical) are preventive in
nature. These are important to understand when developing an enterprise wide security program.
Preventive: Administrative
Policies and procedures
Effective hiring practices
Pre-employment background checks
Controlled termination processes
Data classification and labeling
Security awareness

Preventive: Physical
Badges, swipe cards

CISSP JOURNAL 2016

Guards, dogs
Fences, locks, mantraps

Preventive: Technical
Passwords, biometrics, smart cards
Encryption, secure protocols, call-back systems, database views, constrained user
interfaces
Antimalware software, access control lists, firewalls, intrusion prevention system

CISSP JOURNAL 2016