Monday, August 26, 2013

It's all about fundamentals

Every area has its own language, its own way of communicating. Security is no exception. So logically, this is where the book begins. Before we can dive in too deep, a common ground has to be set for what security is and what it aims to do.

The CIA Triangle (no, not those guys)
The CIA triangle makes up the three things that security is always concerned with: confidentiality, availability, and integrity. Quite simply, confidentiality means that only those who should have access do. Integrity says that I can trust the information I get from the system. And availability means I'm able to access the information when I need it, in a reasonable amount of time.

Balancing these three things is what it's all about. It's easy to make something really secure: I can just lock a hard drive in a waterproof safe and drop it into the ocean, but then no one can access it. And that's why it's a triangle. Just as the three angles of a triangle add up to 180 degrees, so too do these three concepts have to balance to form a cohesive security policy.

So with that goal in mind, we can now look at common security concepts. These include what constitutes a risk, threat, threat agent, vulnerability, countermeasure, asset, and so forth. But rather than throw a bunch of definitions at you, I'd like to share a diagram that shows how each relates to the others. From there, I believe it's fairly intuitive.

Security Concept Relationships


So with this diagram in mind, let's give each concept a more concrete example. A hacker (threat agent) poses a danger (threat) because they may potentially find some outdated code that is vulnerable to SQL injection (vulnerability). This constitutes a risk (which is measurable) to an asset. Should the vulnerability be exploited, the result is a loss of information, reputation, etc. (exposure). This can potentially be prevented or mitigated by a safeguard, which directly affects the threat agent. And thus the cycle is complete.

Bringing it together

So let's bring this together. We saw that the goal of security is balancing the CIA triangle, and now we see how the various concepts relate to one another. So what does that mean?

It means that, as a business, a decision has to be made about where priorities lie. Complete focus cannot be given to any one area, so risks have to be measured and the costs to install and maintain safeguards have to be calculated. What is a large risk befitting a large response for one company is not likely to be the same for another.

In future posts, I will be further exploring this idea through a discussion of various security frameworks and architectures. These can form a strong foundation on which a company can build its security management system (assuming it has one!).

4 comments:

  1. Nice post, very informative! Nowadays CISSP is one of the best cyber security certifications. If you want to learn more, you can take the CISSP training from a reputed training company. Thanks!

  2. Hi, This is a great article. Loved your efforts on it buddy. Thanks for sharing this with us. CISSP training.

  3. Hey,
    I read your post and I enjoyed it. CISSP Training
    Keep Posting
    Good luck
