This course begins with an overview of information security and its evolution. This first section introduces the core goals of information security; the CIA triad. Some common information security terms and processes used in the information security industry are defined and outlined. Types of controls and their function are categorized so the learner can comprehend the design of a defense-in-depth system. The unit concludes with a justification of why humans are known as the weakest link in information security and describes how security awareness training can serve to mitigate this risk. The topics in this unit are in preparation for the more detailed security topics in the following units.
Completing this unit should take you approximately 6 hours.
Let us begin our journey into learning about information security (IS). IS is less than sixty years old as its history began in the 1960s. Before the world wide web was developed, threats and security techniques were different from that of today where the use of cloud and mobile technologies are prevalent. Although threats and technologies have changed, their development is often derived from that of previous technologies. Therefore, it is important to understand these technologies and their evolution.
This exhibit gives a history of the evolution of users, key technologies, threats, concerns, and security techniques in information security since 1960. Click on the links in the pre-web computing (1960s-'90s), open web (1990s-2000s), and mobile and cloud (2000s-future) section. What were the threats and concerns of each time period? How did security technology or techniques develop in response to those threats?
As you learned in the previous section, the basis for information security (IS) was developed in the 1980s and is known as the confidentiality, integrity, and availability (CIA) triad. Information security professionals must have a good understanding of the CIA triad as it is the cornerstone of the profession. The goal for every security program is the protection of a system's CIA. System threats are evaluated on the impact they have on CIA. In this section, you should develop a good understanding of the components of the CIA triad. From here, you will build on these concepts to discover the mechanisms that can be used to protect each tenet of the triad as explained later in the course.
As an information security professional, you will be evaluating risks and conducting risk assessments. Three commonly used terms used in risk assessment are vulnerability, threat, and risk. These terms are closely related and often used interchangeably, but in IS the terms have very different meanings. A vulnerability is a system weakness, a threat is the potential to exploit a vulnerability, and a risk is the potential for loss. The equation used when evaluating risk is asset + vulnerability + threat = risk. To effectively manage and evaluate risk, an IS professional must understand the difference between these three terms, and this section will provide you with the information to differentiate between them.
Read section 1.3. When you are new to the information security industry, you may use the words vulnerability, threat, and risk interchangeably, though they actually have very different meanings. As you read, think about the differences between these terms and try to explain each term in the context of information security.
Now that you understand the differences between vulnerabilities, risks, and threats, we will look at how to manage risk. As an information security professional, you will be tasked to provide guidance on risk management, therefore you should be aware of industry standards for risk management and the risk management process. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39 is an industry standard for managing risks. This document provides information about the four steps of the risk management process: risk framing, risk assessment, risk response, and risk monitoring. While there is a lot of information presented here, it is most important to know the steps of the risk management process and the basics of what is involved in each process. Risk framing is the risk management strategy determined by senior leaders. Risk assessment is an evaluation of the vulnerabilities and threats on the system. Risk response is the determination of how to respond to the risk, and risk monitoring is the continuous management of risk. Since this section is about risk, we will go one step further and learn the formulas used to calculate risk and how to use these formulas.
Read this page and watch the video to learn more about the purpose of risk management and the four stages of the risk management process. Before you move on, make sure you have a good understanding of the formulas, and that you are able to use the formulas on this page to calculate single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).
Risk management outlines risks that need to be managed, and then controls are put in place to protect against those risks. Controls can be in the form of administrative, technical, or physical controls, and can be further divided into deterrent, preventative, detective, and compensating. The functionality determines the type of control needed, as well as whether the control is protecting for confidentiality, availability, or integrity. For instance, a physical control can protect unauthorized access to a server room. A lock is a physical control that is preventative because it keeps a person from entering. Protecting against unauthorized access or viewing, would be protecting for confidentiality. This section will provide more detail to help you differentiate between between types of controls and their functions.
You learned about the goals of security based on the CIA triad from a previous section, and you have an understanding of the terms vulnerability, threats and risks. Now, watch this video to understand the types of controls and their functions to ensure the confidentiality, availability, and integrity of information systems.
Controls are broken down into control types such as administrative, physical, and technical. Read this section, which will help you differentiate between administrative, technical, and physical control types.
Now that you know about some security controls that can be used to protect a system, we will look at how to use more than one control to make the system even more secure. Using multiple controls is the most effective form of defense and is called defense-in-depth. Often, defense-in-depth is compared to the layers of an onion; when one layer of protection fails there is another layer underneath to provide protection. A simple example is an attack on your home network. If an attacker is successful in breaching your firewall, then the attacker can access your email. But if your email application is protected with a smart card then you have a second layer of protection. In this section, you should learn the concept of defense-in-depth and be able to propose a defense-in-depth strategy for a simple system.
Defense-in-depth is a layered strategy to provide security to information systems. The layers are often comparted to the layers of an onion, when one layer is peeled back there is another layer of defense or protection. Watch the first two minutes of this video for an introduction to the concept of defense-in-depth.
Watch this video from 24:00 to 27:00 for a practical example of how layers of defense protect a system when defense-in-depth mechanisms are in place.
Read the section on defense-in-depth. Pay attention to how it compares defense-in-depth to protecting of a castle, and note how it recalls the CIA triad. After you read, you should be able to explain the concept of defense-in-depth and be able to propose a defense-in-depth security strategy for a simple system.
One risk that an information security (IS) professional needs to pay particular attention to is the human risk. Humans are the greatest risk to security, both internal and external to an organization. Why humans are considered the weakest link relates to human behavioral factors. Humans are social beings and may unintentionally, or intentionally, provide attackers with protected information. Attackers use a technique called social engineering to trick humans into providing valuable information. The best protection against social engineering is security awareness training and education. In this section, you will learn about social engineering and why humans are the weakest link. You will also learn the benefits and limitations of formal awareness training and computer-based training.
So far, we have discussed security control types and functions and how layers of controls provide defense-in-depth. These controls protect data from outside threats, but an even greater area of concern is the "inside threat" – people. Read the introduction and the two sections on social engineering in this article about the human factor. Why are people a threat to information security?
Humans are the weakest link in information security. Giving someone access to information systems involves an element of trust. Watch this video about how people, not machines, are the biggest concern in cybersecurity. Then, read this article, which describes how humans the last line of defense for an organization. How can people, either intentionally or unintentionally, expose their organizations to risks?
The most effective way to combat the risk posed by people is to provide formal security awareness training. Read this section on conducting a formal security awareness training. Once read, you should understand the need for training programs, the types of security awareness training, and how to evaluate a training program.
Although formal training is the most effective way to build security awareness, computer-based training is another option. Read this section on delivering security awareness training. After you read, you should be able to explain the benefits and limitations of computer-based and instructor-led security awareness training. How can human behavior be modified through security awareness and training programs?
Many government regulations and security frameworks have been written to assist information security (IS) professionals in their role to protect information systems. Depending on the role or area of business of an IS professional, you will be concerned with one or several of these documents. Some general information is provided about ISO/IEC 27001, and this is the standard used across the IT industry. State and local governments focus on Federal Information Processing Standards (FIPS), and Control Objectives for Information and Related Technologies (COBIT) 5 was written for enterprise organizations. Any company that processes payment via cards must comply with the Payment Card Industry Data Security Standard (PCI DSS), and the Center for Internet Security (CIS) Top 20 controls map to PCI DSS. Information technology (IT) professionals often have many opportunities for movement within the career field. Consequently, you should have some basic knowledge of these frameworks and the basic knowledge for the type of business when each one would apply.
While working in the area of information security, it is important to have an understanding of the common security standards or frameworks. While reading this article, you will obtain some knowledge of the controls specified by ISO/IEC 27001, the Federal Information Processing Standards (FIPS), the NIST cybersecurity framework and NIST Special Publication 800-53, as well as COBIT5.
The Center for Internet Security (CIS) has developed 20 controls called the CIS Top 20, to secure an organization's system against cyber attacks or threats. While watching, pay attention to the 20 controls. You are not expected to memorize all 20 controls, but it is important to know the first six controls as the implementation of these controls will protect against approximately 91 percent of security breaches.
The Payment Card Industry Data Security Standard (PCI DSS) is a standard that protects the security of credit card data. While watching this video you will learn about the penalties that can be inflicted on a business for non-compliance with PCI DSS. What are some of the requirements of PCI DSS compliance?
Take this assessment to see how well you understood this unit.