Wednesday, March 24, 2021

Cybersecurity 101

A quick introduction to cybersecurity



(Note: I am writing this in a "top-down" approach, i.e. from business and risk management down to the role of cybersecurity. This duplicates the approach ISC2 took for its CISSP certification.)



Business Portion 

  • Businesses (at least those with the luxury to think ahead) have a team and a process to plan for risks, because a realized risk can bring the business to a halt.
  • The plan to address business risk is called a Business Continuity Plan (BCP).
  • The goal of the BCP is to secure (protect) the assets needed to run the business: people, equipment, buildings, and data.
  • BCP starts with ASSESSING the value of your assets: catalog every asset, then calculate the RISK each threat poses to the business, RISK = impact * probability (how bad it would be, times how likely it is).
  • Evaluate how you want to MANAGE each risk:
    • accept the risk - it might happen and the business can live with the loss (loss of life is NOT an acceptable loss)
    • mitigate the risk - reduce its impact or probability with protective controls and training
    • transfer the risk - buy insurance, or outsource to a party that takes the risk on
    • avoid the risk - move, or stop doing the business activity that carries it
    • reject the risk - deny that it will happen; this is not a legitimate strategy, it is negligence
  • Security, as part of risk management, codifies how to protect people, property, and data in a hierarchy of documents:
    • policies : high-level rules, the "law" of the organization, mandatory
    • procedures : step-by-step instructions for carrying out a policy, mandatory
    • baselines : the minimum required configuration of a system, mandatory
    • guidelines : recommended practices, optional
  • Information Security, a subset of security : the business needs a plan to protect ALL of its data assets, physical (a printout of the financial forecast) as well as electronic (the code for the next software release), against misuse and theft; the governance above (policies, procedures, baselines, guidelines) is how that plan is codified.
  • Cybersecurity, a subset of information security : focuses on electronic data at rest, in use, and in motion.

Tech Portion - Cyber Security

  • CyberSecurity : is a subset of Information Security, focused on the electronic data aspect of Information Security
  • What does CyberSecurity care about? The 3 CIA tenets (per ISC2):
    • C = Confidentiality : keep sensitive data secret so that only authorized people can read it, usually via access control plus strong encryption; Privacy is a related but narrower idea (confidentiality of personal data)
      • Encryption : DES, 3-DES, AES. Only AES is acceptable for new systems today: DES (56-bit key) is brute-forceable, and NIST has deprecated 3-DES and disallows it for encryption after 2023.
    • I = Integrity : no un-authorized changes to data, usually detected with hashing. Caveat: a bare hash only catches accidental corruption; an attacker who can change the data can recompute the hash, so against a deliberate attacker you need a keyed hash (HMAC) or a digital signature
      • Hashing : MD5, SHA1, SHA2. MD5 and SHA-1 have practical collision attacks and should not be used for security; use SHA-2 (e.g. SHA-256) or SHA-3
    • A = Availability : data can be used at the right time, right place, by the people who need it (backups, redundancy, and denial-of-service protection live here)
  • Since the advent of the original CIA tenets, more modern interpretations of "CIA" have added variants and additions:
    • Authenticity : data can be verified to come from its claimed originator, usually using a MAC or a digital signature
    • Non-repudiation : the sender of data cannot later deny having sent it; this needs a digital signature, since a shared-key MAC cannot provide it (either party holding the key could have produced the tag)
  • Access control follows the AAA framework
    • Authentication : verifying that a person (or system) is who they claim to be, e.g. with a password, a token, or a certificate
    • Authorization : deciding what an authenticated identity is allowed to do with the information (read, change, delete)
    • Accounting : logging all activity around the information so it can be audited and attributed to someone
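To see why a hash alone is not an integrity control against an attacker, here is an added Python example (mine, not part of the original post) comparing an unkeyed SHA-256 digest with an HMAC-SHA256 tag over a constructed message. The message, the tampered version, and the key are all made up for the demo; only the standard library is used.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the demo: the message the sender meant to
# protect, and the version an attacker substitutes in transit.
MESSAGE = b"transfer 100 USD to account 12345"
TAMPERED = b"transfer 100 USD to account 99999"


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can compute a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data: bytes, digest: str) -> bool:
    # compare_digest avoids leaking where the strings differ via timing.
    return hmac.compare_digest(plain_digest(data), digest)


def verify_keyed(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, data), tag)


def attacker_forges_plain(new_data: bytes):
    """An attacker who can replace the data can also recompute an unkeyed hash."""
    return new_data, plain_digest(new_data)


def attacker_forges_keyed(new_data: bytes):
    """Without the key the attacker can only guess the 256-bit tag; a random
    value stands in for that (hypothetical) best effort."""
    return new_data, secrets.token_hex(32)


def demo() -> dict:
    """Run both schemes against the same forgery and report what the
    receiver accepts. Returns a dict of booleans keyed by scenario."""
    key = secrets.token_bytes(32)  # shared only between sender and receiver

    # Sender publishes the message together with both checks.
    sent_digest = plain_digest(MESSAGE)
    sent_tag = keyed_digest(key, MESSAGE)

    # Attacker swaps the message and forges the accompanying check.
    forged_msg, forged_digest = attacker_forges_plain(TAMPERED)
    _, forged_tag = attacker_forges_keyed(TAMPERED)

    return {
        "plain_accepts_original": verify_plain(MESSAGE, sent_digest),
        "plain_accepts_forgery": verify_plain(forged_msg, forged_digest),
        "keyed_accepts_original": verify_keyed(key, MESSAGE, sent_tag),
        "keyed_accepts_forgery": verify_keyed(key, forged_msg, forged_tag),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:24s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The unkeyed scheme accepts the forgery because the attacker simply recomputed the digest over the new message; the HMAC rejects it because the tag depends on a key the attacker does not have. The key has to reach the receiver out of band, and because both sides hold the same key an HMAC gives authenticity but not non-repudiation; for that you would swap in a digital signature.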
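The three A's are easy to blur, so here is a second added Python example (again mine, not from the original post) that walks a request through authentication, authorization and accounting as three separate decisions. The user store, passwords, roles and permission table are constructed for the demo; a real system would keep them in a directory or database.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash; the store never holds the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


# Constructed user store and role/permission table for the demo (hypothetical
# users and passwords; a real system would read these from a directory or DB).
USERS = {
    "alice": _make_user("correct horse battery staple", "admin"),
    "bob": _make_user("hunter2", "reader"),
}
PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "reader": {"read"},
}
_DUMMY_SALT = b"\x00" * 16

AUDIT_LOG = []  # accounting: one entry per decision, allowed or denied


def authenticate(username: str, password: str) -> bool:
    """Authentication: is the caller really `username`? Checks the secret,
    nothing else."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, _DUMMY_SALT)
        return False
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["hash"])


def authorize(username: str, action: str) -> bool:
    """Authorization: may this already-authenticated identity do `action`?"""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())


def account(username: str, action: str, outcome: str) -> None:
    """Accounting: record who tried what, and what the system decided."""
    AUDIT_LOG.append({"ts": time.time(), "user": username,
                      "action": action, "outcome": outcome})


def request(username: str, password: str, action: str) -> str:
    """Full AAA path for one request on the protected data."""
    if not authenticate(username, password):
        account(username, action, "AUTHN_FAILED")
        return "denied: authentication failed"
    if not authorize(username, action):
        account(username, action, "AUTHZ_FAILED")
        return "denied: not authorized"
    account(username, action, "ALLOWED")
    return "allowed"


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "delete"))
    print(request("bob", "hunter2", "delete"))   # authenticated, not authorized
    print(request("bob", "wrong password", "read"))
    print(request("mallory", "anything", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that bob authenticates perfectly well and is still denied the delete: knowing who someone is says nothing about what they may do. `authorize` is only ever called after `authenticate` succeeds, so it can trust that `username` exists, and every outcome, including the failures, lands in the audit log so the activity can later be attributed.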
