Copyright Goodheart-Willcox Co., Inc. Chapter 2 Information Security Fundamentals 35

Confidentiality

Confidentiality is the condition of being private or secret. Providing confidentiality is the practice of ensuring users only have access to the data they need. The data are protected against unauthorized or unintentional access. Often, need to know is used to determine the level of access a user has to data, if at all. If a worker does not “need to know” the information to do his or her job, then access is not granted to the data.

Confidentiality is implemented by the rights and privileges granted to the individual computer users. For example, an employee who edits a company’s social media accounts probably does not need access to corporate payroll information. It is not simply a matter of not trusting an employee. Consider what would happen if that user’s password is stolen. A hacker could log in as the user and access whatever data the employee has rights to view or manage. It could even be another employee who steals the password.

Another way to incorporate confidentiality is through encryption. Encryption converts the data into a format that can only be read by the holder of the decryption key. Encryption is covered in detail in Chapter 11.

Integrity

Integrity is the state of being complete or uncorrupted. This core principle ensures the data are not changed or altered without permission to do so. For example, an employee in the payroll department should not be able to change his or her own wage. Nor should such an employee be able to delete a bad performance review for a friend. In both cases, doing so would lower the integrity of the data.

A practical way of ensuring integrity is through folder and file permissions. Figure 2-2 shows the permissions settings for a user. Edward Johnson has been given the Windows file permissions to the payroll folder to view and read data. However, he cannot make changes to files in this folder.
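The read-only grant just described, as an added PowerShell example that is not from the textbook: it assigns one account read-only rights on a payroll folder and then checks that no right capable of altering the data was granted. The folder path C:\Payroll and the account CORP\ejohnson are assumptions, and the script must be run by someone who is allowed to change the folder's permissions.

```powershell
# Added example (not from the textbook): give one user read-only access to a payroll
# folder and verify that no right which could alter the data was granted.
# The folder path and account name below are assumptions.
$folder  = 'C:\Payroll'        # assumed path of the payroll folder
$account = 'CORP\ejohnson'     # assumed account for Edward Johnson

# ReadAndExecute lets the user list, open and read files; it carries no write,
# delete or permission-change bits.
$rights    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $account, $rights, $inherit, $propagate, $allow

$acl = Get-Acl -Path $folder
# SetAccessRule replaces any existing Allow entry for this account, so an earlier,
# broader grant does not linger beside the new read-only one.
$acl.SetAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verification: the rights that would let the user change data, delete it, or
# re-grant himself access. Modify and FullControl also contain the read bits,
# so the check masks for the specific write-class rights rather than for Modify.
$changeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    ForEach-Object {
        [pscustomobject]@{
            Account   = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.FileSystemRights
            # True only if an Allow entry carries any bit from the change mask.
            CanChange = ($_.AccessControlType -eq 'Allow') -and
                        (([int]$_.FileSystemRights -band [int]$changeMask) -ne 0)
        }
    }
```

The final table should show the account's entry with Rights of ReadAndExecute (plus Synchronize) and CanChange set to False; a True there means an inherited or leftover entry still lets the user change the data and must be reviewed.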
In this way, he cannot affect the integrity of the data in the folder. You will learn how to view and grant permissions in Chapter 3.

Another key aspect of ensuring integrity is a process known as nonrepudiation. In a nonrepudiation process, changes are tracked by which user account made them. The user cannot deny having made the changes that his or her account made. Through the nonrepudiation process, a historical reference shows which accounts made which changes. The nonrepudiation process is also important in legal issues. The historical record may be used to prove a user’s actions in criminal or civil cases.

Availability

The third principle in the CIA triad is availability. This means the data can be accessed when needed. A problem such as a hardware failure or a hacking attack might prevent access to data. Security professionals must have solutions to ensure data can be accessed when a problem such as one of these occurs.

Security Domains

When looking at a business or organization, it can be overwhelming to consider the many areas that must be secured. The goal is to protect data and assets. To make this a more manageable process, security teams often break down the

Figure 2-1. The CIA triad provides three basic principles guiding cybersecurity professionals. (Goodheart-Willcox Publisher; the figure shows the labels Confidentiality, Integrity, and Availability surrounding DATA.)