CIA Triad
Confidentiality, Integrity, and Availability
Confidentiality
- Ensures that sensitive information is only accessible to authorized users.
- Prevents unauthorized disclosure of data.
- Examples:
- Using strong passwords and encryption.
- Implementing access control.
Integrity
- Ensures that data remains accurate and unaltered, except by authorized users.
- Protects against unauthorized modification, deletion, or corruption.
- Examples:
- Using checksums or hashes to verify file integrity.
- Version control systems to track changes.
Availability
- Ensures that authorized users can access data and systems when needed.
- Protects against disruptions that might make systems or information unavailable.
- Examples:
- Redundant servers, backups, and failover systems.
- Protection against Denial-of-Service (DoS) attacks.
The CIA triad is a balance: we want our data private (confidentiality), trustworthy (integrity), and accessible when needed (availability).
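As an added example (not part of the original notes) of the integrity check mentioned above: a SHA-256 manifest is built for a set of files and re-verified later, and a keyed HMAC variant covers the case where the published hashes themselves could be rewritten. The files are a constructed in-memory stand-in for files on disk.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed stand-in for files on disk (assumption: name -> contents).
# The same functions work on bytes read from real files.
RELEASE: Dict[str, bytes] = {
    "app.py": b"print('hello')\n",
    "config.ini": b"[db]\nhost=localhost\n",
}


def digest(data: bytes, key: Optional[bytes] = None) -> str:
    """SHA-256 of the data, or HMAC-SHA256 when a key is supplied.

    A bare hash detects accidental corruption, but not an attacker who can
    rewrite both the file and the published hash. A keyed HMAC also covers
    that case, as long as the key stays out of the attacker's reach.
    """
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(files: Dict[str, bytes], key: Optional[bytes] = None) -> Dict[str, str]:
    """Record the expected digest of every file at release time."""
    return {name: digest(data, key) for name, data in files.items()}


def verify_manifest(files: Dict[str, bytes], manifest: Dict[str, str],
                    key: Optional[bytes] = None) -> List[str]:
    """Return the names of files that are missing, added, or altered."""
    problems = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append(name)  # file removed
        elif not hmac.compare_digest(digest(files[name], key), expected):
            problems.append(name)  # contents altered (or wrong key)
    problems.extend(name for name in files if name not in manifest)  # added
    return sorted(problems)


if __name__ == "__main__":
    manifest = build_manifest(RELEASE)
    tampered = dict(RELEASE, **{"config.ini": b"[db]\nhost=changed.example\n"})
    print(verify_manifest(RELEASE, manifest))   # []
    print(verify_manifest(tampered, manifest))  # ['config.ini']
```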
Identification, Authentication, and Multi-Factor Authentication (MFA)
Identification
- The process of claiming an identity.
- Its purpose is to tell the system "Who are you?"
- Examples:
- Entering a username or email when logging in.
- Presenting an ID card at a workplace.
- Key point: Identification alone does not prove you are who you claim to be; it just declares an identity.
Authentication
- The process of verifying the identity claimed during identification.
- Its purpose is to ensure that the person is actually who they claim to be.
- Methods of authentication:
- Something you know: password, PIN, or secret answer.
- Something you have: smart card, security token, or phone.
- Something you are: fingerprint, face scan, or other biometrics.
- Examples:
- Entering a password after typing a username.
- Scanning a fingerprint to unlock a device.
Multi-Factor Authentication (MFA)
- A security process that requires two or more different authentication factors to verify identity.
- Its purpose is to add extra layers of security, so that even if one factor is compromised, unauthorized access is still prevented.
- Typical MFA combinations:
- Password (something you know) + SMS code (something you have).
- Password + fingerprint (something you are).
- Examples:
- Logging into your email, then entering a code sent to your phone.
- Using an authenticator app (such as Google Authenticator) along with your password.
Three Main Types of Factors in MFA
- Something You Know (Knowledge Factor)
- Information that only the user should know.
- Examples:
- Passwords
- PINs
- Security questions
- Its purpose is to confirm the user knows a secret that others don't.
- Something You Have (Possession Factor)
- Physical items or devices that the user possesses.
- Examples:
- Security tokens or key fobs.
- Smartphones with authenticator apps (e.g., Google Authenticator).
- Smart cards or ID cards.
- One-time passwords (OTP) sent via SMS or email.
- Its purpose is to confirm the user physically has a trusted device.
- Something You Are (Inherence Factor)
- Unique physical or behavioral characteristics of the user (biometrics).
- Examples:
- Fingerprint scans
- Facial recognition
- Iris or retina scans
- Voice recognition
- Its purpose is to confirm the user is physically who they claim to be.
Non-Repudiation
- Ensures that a person or entity cannot deny the authenticity of their actions or communication.
- Its purpose is to protect against disputes by providing proof of who did what and when.
- The key point is that non-repudiation is about accountability and traceability.
- Examples:
- Digital signatures on emails or documents to prove the sender actually sent it.
- Transaction logs in banking to show who authorized a payment.
- Certificates or receipts in online transactions that cannot be denied later.
Privacy
- The right of individuals or organizations to control their personal or sensitive information and determine who can access it.
- Its purpose is to protect personal data from misuse or exposure.
- The key point: privacy is about control over information, while confidentiality is about keeping it secret.
- Examples:
- A website asking for consent before collecting your data.
- Encrypting emails so only intended recipients can read them.
- Laws like GDPR that regulate how personal data can be used.
What is GDPR?
- The General Data Protection Regulation (GDPR) is a data protection law enforced by the European Union since 25th May 2018.
- Its main purpose is to protect the privacy and personal data of individuals within the EU.
How Are Privacy and GDPR Connected?
The GDPR is essentially a legal tool to enforce privacy rights.
Here is the connection:
| Privacy Concept | How GDPR Supports It |
|---|---|
| Control over personal data | Requires consent before collecting data |
| Transparency | Organizations must explain how data is used |
| Data protection | Requires security measures to protect data |
| Right to access | Individuals can request their data |
| Right to delete | "Right to be forgotten" |
| Accountability | Organizations must prove compliance |
In short: privacy is the right, and GDPR is the law that protects that right.
What is PII?
- PII stands for Personally Identifiable Information.
- It refers to any information that can be used to identify, contact, or locate a specific person, either directly or indirectly.
- PII is a key concept in privacy and data protection because if it's exposed, it can lead to identity theft, fraud or privacy violations.
Types of PII
- Direct PII - information that directly identifies a person:
- Full name
- Social Security Number (or national ID)
- Passport number
- Email address
- Phone number
- Indirect PII - information that can identify a person when combined with other data:
- Date of birth
- Gender
- Job title
- IP address or device ID
- Location data
Why Is PII Important?
- Protecting PII is crucial to privacy and legal compliance.
- Many regulations require organizations to safeguard PII:
- GDPR (European Union)
- CCPA (California, USA)
- PDPA (Malaysia and other countries in Asia)
How to Protect PII
- Encrypt sensitive data.
- Limit access only to authorized users.
- Avoid collecting unnecessary PII.
- Use strong authentication and security measures.
PII is essentially any data that could identify a person, and protecting it is essential to privacy, security, and legal compliance.
Risk
What is Risk?
- Risk is the possibility of a negative event or loss occurring, usually as a result of threats exploiting vulnerabilities.
- In information security, risk is the chance that data, systems, or networks will be compromised, causing harm to confidentiality, integrity, or availability.
Core Concepts of Risk
Risk is generally defined using three key elements:
Threat
- Anything that can cause harm or exploit a vulnerability.
- Examples: hackers, malware, natural disasters, insider threats.
Vulnerability
- A weakness in a system, process, or control that can be exploited by a threat.
- Examples: weak passwords, outdated software, unsecured networks.
Impact (or Consequence)
- The damage or loss that results if a threat exploits a vulnerability.
- Examples: financial loss, data breach, reputation damage.
What Is an Asset?
In security and risk management, an asset is anything that has value to an organization.
Examples:
- Data (customer information, source code)
- Systems and servers
- Applications
- Reputation
- Employees
- Intellectual property
- Financial resources
If it has value and losing it would cause damage, it is an asset.
Why Is Risk Management Focused on Assets?
The main goal of risk management is not to eliminate all risk. Its goals are to:
- Protect valuable assets
- Reduce the likelihood of loss
- Minimize impact if something happens
Because without assets, there is nothing to protect.
Core Objective: Protect Asset Value
Organizations protect asset value in three main ways, based on the CIA triad:
- Confidentiality → Prevent unauthorized access
- Integrity → Prevent unauthorized modification
- Availability → Ensure systems are accessible when needed
If any of these are compromised, the asset's value decreases.
Risk Formula (Conceptual)
A simple way to represent risk is:
Risk = Threat × Vulnerability × Impact
- The higher the threat, vulnerability, or impact, the higher the risk.
- This helps organizations prioritize which risks to mitigate first.
Types of Risk in Information Security
- Operational Risk: Risk from daily IT operations.
- Strategic Risk: Risk that affects long-term goals.
- Compliance Risk: Risk of violating laws, regulations, or policies.
- Financial Risk: Risk of monetary loss due to security incidents.
Key Points of Risk
- Risk is inherent in every system or organization; it cannot be eliminated entirely.
- Risk management focuses on identifying, assessing, and mitigating risk to acceptable levels.
- Methods to handle risk include avoidance, mitigation, transfer (insurance), or acceptance.
Risk Matrix
| Probability \ Impact | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| Low Probability | Low Risk | Low Risk | Medium Risk |
| Medium Probability | Low Risk | Medium Risk | High Risk |
| High Probability | Medium Risk | High Risk | Critical Risk |
- Low Risk: Minor impact, unlikely to happen → monitor only.
- Medium Risk: Moderate impact or probability → implement mitigation.
- High Risk: High impact or high probability → active mitigation needed.
- Critical Risk: Both high probability and high impact → immediate action required.
```mermaid
graph TD
    subgraph Probability
        LowProbability[Low Probability]
        MediumProbability[Medium Probability]
        HighProbability[High Probability]
    end
    subgraph Impact
        LowImpact[Low Impact]
        MediumImpact[Medium Impact]
        HighImpact[High Impact]
    end
    LowProbability --> LowImpact
    LowProbability --> MediumImpact
    LowProbability --> HighImpact
    MediumProbability --> LowImpact
    MediumProbability --> MediumImpact
    MediumProbability --> HighImpact
    HighProbability --> LowImpact
    HighProbability --> MediumImpact
    HighProbability --> HighImpact
    style LowProbability fill:#d4edda,stroke:#155724,stroke-width:2px
    style MediumProbability fill:#fff3cd,stroke:#856404,stroke-width:2px
    style HighProbability fill:#f8d7da,stroke:#721c24,stroke-width:2px
```
- Risks in the top-right corner (high probability, high impact) are the most critical.
- Risks in the bottom-left corner (low probability, low impact) are the least critical.
Risk Assessment
- A risk assessment is the process of identifying, analyzing, and evaluating risks.
- Its purpose:
- Understand potential threats and vulnerabilities.
- Determine the likelihood and impact of risks.
- Help prioritize actions to reduce or manage risks effectively.
Key Steps in Risk Assessment:
- Identify assets → what you need to protect.
- Identify threats → what could harm your assets.
- Identify vulnerabilities → weaknesses that could be exploited.
- Analyze risk → likelihood x impact.
- Evaluate risk → decide whether to accept, mitigate, or avoid.
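An added example (not from the original notes) that implements the risk matrix above and the last two assessment steps, analyze (likelihood x impact) and evaluate (decide what to do), over a constructed risk register.

```python
from dataclasses import dataclass
from typing import List

LEVEL = {"low": 0, "medium": 1, "high": 2}
# Rows are probability, columns are impact (low, medium, high), as in the table.
MATRIX = [
    ["Low Risk", "Low Risk", "Medium Risk"],
    ["Low Risk", "Medium Risk", "High Risk"],
    ["Medium Risk", "High Risk", "Critical Risk"],
]
ACTION = {
    "Low Risk": "monitor only",
    "Medium Risk": "implement mitigation",
    "High Risk": "active mitigation needed",
    "Critical Risk": "immediate action required",
}
PRIORITY = ["Critical Risk", "High Risk", "Medium Risk", "Low Risk"]


@dataclass
class Risk:
    """One register line: asset, threat, vulnerability, and the analyst's
    probability and impact ratings (each 'low', 'medium' or 'high')."""
    asset: str
    threat: str
    vulnerability: str
    probability: str
    impact: str


def rate(risk: Risk) -> str:
    """Analyze: look up likelihood x impact in the matrix."""
    try:
        return MATRIX[LEVEL[risk.probability.lower()]][LEVEL[risk.impact.lower()]]
    except KeyError as exc:
        raise ValueError(f"rating must be low/medium/high, got {exc}") from None


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Evaluate: order the register so the most critical risks come first."""
    return sorted(risks, key=lambda r: PRIORITY.index(rate(r)))


REGISTER = [  # constructed entries for illustration
    Risk("customer database", "ransomware", "unpatched server", "medium", "high"),
    Risk("internal wiki", "defacement", "weak admin password", "high", "low"),
    Risk("payment API", "credential theft", "no MFA on admin console", "high", "high"),
    Risk("office printer", "outage", "single device, no spare", "low", "low"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{rate(r):14} {r.asset:18} -> {ACTION[rate(r)]}")
```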
Asset Management
- Asset management is the process of identifying, classifying, and maintaining control over an organization's assets to ensure they are protected and used efficiently.
Examples of Assets:
- Hardware: servers, laptops, network devices
- Software: applications, databases
- Data: PII, intellectual property
- People: employees with access to critical systems
Knowing what assets exist is essential to assessing risk accurately.
Threat Management
- Threat management is the process of identifying, assessing, and mitigating threats that could exploit vulnerabilities in assets.
Examples:
- Cyber attacks (malware, phishing, ransomware)
- Insider threats (disgruntled employees)
- Physical threats (fire, theft, natural disasters)
Its purpose is to anticipate potential attacks or harms and implement controls to reduce them.
Vulnerability Management
- Vulnerability management is the process of identifying, evaluating, and mitigating weaknesses in systems, processes, or applications that could be exploited by threats.
Examples:
- Outdated software or unpatched systems
- Weak passwords or misconfigured network settings.
- Poor access controls.
Its purpose is to reduce the likelihood of exploitation and lower overall risk.
| Term | Definition | Purpose |
|---|---|---|
| Risk Assessment | Process of identifying and analyzing risk. | Determine likelihood and impact of risks. |
| Asset Management | Identifying and controlling assets. | Know what to protect. |
| Threat Management | Identifying and mitigating threats. | Reduce chances of harm. |
| Vulnerability Management | Identifying and fixing weaknesses. | Prevent exploitation of vulnerabilities. |
Risk Appetite
- Risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives.
Purpose:
- Helps guide decisions and strategy.
- Determines which risks are acceptable without mitigation.
Key Points:
- It is strategic - set by management.
- Varies by organization, industry, and type of risk.
Examples:
- A startup might have a high risk appetite and accept some cybersecurity risks to move quickly.
- A bank may have a low risk appetite because security breaches can cause major financial and legal issues.
Risk Tolerance
- Risk tolerance is the acceptable level of variation or exposure to risk within a specific activity.
- Purpose:
- Provides practical limits on risk-taking.
- Helps determine how much risk is too much for a particular project or operation.
- Key Points:
- It is operational - applied to day-to-day decisions.
- Often quantified (e.g., maximum acceptable downtime, financial loss, or data breach likelihood).
- Example:
- A company may tolerate up to 1% of data loss per year for non-critical systems.
- In a software project, the tolerance may be no more than 2 hours of downtime per month.
Difference Between Risk Appetite and Risk Tolerance
| Aspect | Risk Appetite | Risk Tolerance |
|---|---|---|
| Scope | Strategic, organization-wide | Operational, specific to activity/project |
| Definition | Level of risk willing to accept | Acceptable deviation from risk limits |
| Decision Guidance | Guides major strategic decisions | Guides day-to-day operational decisions |