Let's have a look at the definition of "Information Security" given by three different organizations:

"Preservation of confidentiality, integrity and availability of information." (ISO/IEC 27000:2009)

"Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)." (ISACA, 2008)

"The protection of information and information systems, from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability." (CNSS, 2010)
As we can see, three things are common to all three definitions given above: Confidentiality, Integrity, and Availability. These three properties are known as the CIA Triad.
Confidentiality: Confidentiality refers to limiting information access and disclosure to authorized users and preventing access by or disclosure to unauthorized ones.

Possible attacks:
- Injection
- Authentication Bypass
- MITM (Man in the Middle)
- XSS
- Directory Browsing

Risks:
- Loss of Privacy
- Unauthorized access to information
- Identity Theft

Controls:
- Encryption
- Authentication
- Access control

Primary Focus:
- Information Security
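To make the "Access control" control above concrete, here is an added example (my own illustration, not code from the original post) of a deny-by-default read check: a user may see a document only if one of their roles is explicitly allowed for that document's classification, and an unknown classification is refused rather than assumed harmless. The roles, classification levels and sample documents are constructed for the demo.

```python
# Added example: deny-by-default access control as a confidentiality control.
# Roles, classification levels and documents below are constructed for illustration.
from dataclasses import dataclass, field

# Constructed policy: which roles may read which classification level.
# Anything not listed here is denied (deny by default).
POLICY = {
    "public": {"guest", "employee", "hr"},
    "internal": {"employee", "hr"},
    "confidential": {"hr"},
}


@dataclass
class Document:
    name: str
    classification: str
    body: str


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def can_read(user, doc):
    """True only if one of the user's roles is explicitly allowed for this
    classification. A classification missing from POLICY is denied."""
    allowed = POLICY.get(doc.classification, set())
    return bool(user.roles & allowed)


def read_document(user, doc):
    """Return the body for authorised users; refuse without leaking the content
    otherwise (confidentiality is about disclosure, not just storage)."""
    if not can_read(user, doc):
        raise PermissionError(f"{user.name} may not read {doc.name}")
    return doc.body


# Constructed sample data.
SALARIES = Document("salaries.csv", "confidential", "alice,120000\nbob,95000")
HANDBOOK = Document("handbook.txt", "internal", "Office hours are 9-5.")
MYSTERY = Document("notes.txt", "unclassified", "never readable: unknown level")


def demo():
    """Try every user against every document; return who was allowed what."""
    results = {}
    users = (User("guest", {"guest"}), User("bob", {"employee"}), User("carol", {"hr"}))
    for user in users:
        row = {}
        for doc in (HANDBOOK, SALARIES, MYSTERY):
            try:
                read_document(user, doc)
                row[doc.name] = "allowed"
            except PermissionError:
                row[doc.name] = "denied"
        results[user.name] = row
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

The point of the unknown "unclassified" level is that a lookup with a safe default (`POLICY.get(..., set())`) fails closed; a check written as "deny if classification is confidential" would have let that document through.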
Integrity: Integrity of information refers to protecting information from being modified by unauthorized users.

Possible attacks:
- Injection
- Authentication Bypass
- MITM (Man in the Middle)
- CSRF

Risks:
- Loss of Accuracy
- Loss of Reliability
- Fraud

Controls:
- Digital Signature
- Maker/Checker
- Audit Logs

Primary Focus:
- Operational Controls
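The three integrity controls listed above fit together naturally, so here is an added example (my own, not from the original post) that combines them: each proposed record carries a keyed tag, a second person has to approve it, and every step lands in an audit log. Two assumptions: the tag is an HMAC-SHA256 rather than a real digital signature, because the Python standard library has no asymmetric signing (the verification logic is the same shape), and the key, actors and transfer record are constructed for the demo.

```python
# Added example: keyed integrity tag (HMAC standing in for a digital signature),
# maker/checker approval, and an audit log. Key and data are constructed.
import hashlib
import hmac
import json

# Constructed secret; a real deployment keeps this in a key store or HSM.
TAG_KEY = b"constructed-demo-key-do-not-reuse"

AUDIT_LOG = []  # one dict per action: who did what to which record


def _canonical(record):
    """Stable byte encoding so the same record always tags the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record):
    """Hex HMAC-SHA256 over the canonical form of the record."""
    return hmac.new(TAG_KEY, _canonical(record), hashlib.sha256).hexdigest()


def verify_record(record, tag):
    """Constant-time comparison so a forged tag cannot be matched byte by byte."""
    return hmac.compare_digest(tag_record(record), tag)


def make(maker, record):
    """Maker proposes a change; nothing is applied until a checker approves."""
    proposal = {"record": record, "tag": tag_record(record),
                "maker": maker, "status": "pending"}
    AUDIT_LOG.append({"actor": maker, "action": "make", "record": dict(record)})
    return proposal


def check(checker, proposal):
    """Checker approves only if they are not the maker and the record is
    unchanged since it was tagged. Every outcome is logged."""
    if checker == proposal["maker"]:
        AUDIT_LOG.append({"actor": checker, "action": "reject-self-approval"})
        return False
    if not verify_record(proposal["record"], proposal["tag"]):
        AUDIT_LOG.append({"actor": checker, "action": "reject-tampered",
                          "record": dict(proposal["record"])})
        return False
    proposal["status"] = "approved"
    AUDIT_LOG.append({"actor": checker, "action": "approve",
                      "record": dict(proposal["record"])})
    return True


def demo():
    """Walk through a clean approval, a self-approval, and a tampered record."""
    AUDIT_LOG.clear()
    transfer = {"from": "acct-100", "to": "acct-200", "amount": 250}
    p = make("alice", transfer)
    self_ok = check("alice", p)      # maker may not be the checker
    good_ok = check("bob", p)        # untouched record passes
    p2 = make("alice", dict(transfer))
    p2["record"]["amount"] = 250000  # edited after tagging: tag no longer matches
    tampered_ok = check("bob", p2)
    return {"self": self_ok, "good": good_ok, "tampered": tampered_ok,
            "log_entries": len(AUDIT_LOG)}


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

The audit log records rejections as well as approvals; a log that only captures successes tells an investigator nothing about the attempts that were stopped.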
Availability: Availability of information refers to ensuring that authorized users are able to access the information when needed.

Possible attacks:
- Injection
- DoS (Denial of Service)
- DDoS (Distributed Denial of Service)

Risks:
- Business disruption
- Loss of customer confidence
- Loss of Revenue

Controls:
- Back-up storage
- Sufficient capacity
- BCP Plans and Tests

Primary Focus:
- Business continuity planning
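"Sufficient capacity" is not only about buying more servers; it also means making sure one client's flood cannot eat the whole capacity that other users depend on. As an added example (my own, not part of the original post), here is a per-client token bucket in front of a simulated service. The clock is passed in explicitly so the run is deterministic, and the traffic (one flooding client, one normal client) is constructed.

```python
# Added example: per-client token-bucket limiting as an availability control.
# Traffic below is constructed; time is a plain number, not the wall clock.


class TokenBucket:
    """Holds up to `capacity` tokens, refilled at `refill_per_second`;
    each request costs one token."""

    def __init__(self, capacity, refill_per_second):
        self.capacity = capacity
        self.refill = refill_per_second
        self.tokens = float(capacity)
        self.last = 0.0

    def allow(self, now):
        """Refill for the elapsed time, then spend a token if one is available."""
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def serve(requests, capacity=5, refill_per_second=1.0):
    """requests: iterable of (timestamp, client), in time order.
    One bucket per client; returns {client: (served, rejected)}."""
    buckets = {}
    stats = {}
    for ts, client in requests:
        bucket = buckets.setdefault(client, TokenBucket(capacity, refill_per_second))
        served, rejected = stats.get(client, (0, 0))
        if bucket.allow(ts):
            stats[client] = (served + 1, rejected)
        else:
            stats[client] = (served, rejected + 1)
    return stats


def demo():
    """Constructed traffic: "flood" sends 50 requests within one second,
    "normal" sends one request per second for ten seconds."""
    reqs = [(i * 0.02, "flood") for i in range(50)]
    reqs += [(float(i), "normal") for i in range(10)]
    reqs.sort()
    return serve(reqs)


if __name__ == "__main__":
    for client, (served, rejected) in demo().items():
        print(f"{client}: served={served} rejected={rejected}")
```

With a bucket of 5 and a refill of one token per second, the flooding client gets its first 5 requests through and the remaining 45 are rejected, while the normal client is never refused. Keying the bucket by client is what keeps the flood from degrading everyone else; a single global bucket would have been exhausted by the flood and would have rejected the normal user's requests too.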