Any person preparing to appear for IT security exams must have foundational concepts under the fast-evolving cybersecurity landscape.
This article deals with key subjects such as CIA, Identity and Authentication, AAA, Non-repudiation, Least Privilege and Need to Know, Subjects and Objects, Defense-in-Depth, and Due Care and Due Diligence.
To relate these concepts to our scenario, we’ll incorporate them into an integrated scenario of a hypothetical company, TechSecure Inc., which is a problem in cybersecurity.
The Scenario: TechSecure Inc.
TechSecure Inc. is a middle technology firm that specializes in software packages to be provided to financial institutions. The company has lately been preparing for a major software launch that contains clients’ sensitive information. They should prepare by following main cybersecurity principles while launching the product.
CIA
In preparation for the software launch, TechSecure prioritizes CIA where:
•Confidentiality : When it comes to keeping sensitive data related to clients confidential, TechSecure has been equipped with the latest encryption protocols applied both for data at rest and data in transit. Strict access control is also conducted where only authorized individuals can browse on the details of the clients. One example of this is confining the database of all details regarding clients only to project managers and senior developers.
• Integrity: TechSecure uses checksums and hashing algorithms to ensure no change in data as a result of transmission. For example, during the process of sending updates of software programs to clients, they send a hash value that the recipient clients can check to verify that files downloaded into the clients are valid and not distorted.
•Availability: The software developed by TechSecure is made readily available to clients by the use of redundancy such as load balancers and backup servers. They ensure that the system of their clients is regularly maintained to minimize break downtime during attack. It serves to ensure that the services are accessible at times of need.
Identity and Authentication, Authorization, and Accountability (AAA)
The AAA framework is used by TechSecure to allow proper management of users’ access.
•Identification: All users of the TechSecure’s internal systems must identify themselves using unique usernames.
•Authentication: The use of MFA is implemented by TechSecure. As shown above, apart from providing the password, employees are further required to authenticate their identity through a mobile application that generates a code they are required to key in.
•Authorization: Based on successful authentication, the system verifies the role of the user. The junior developers may access development environments while senior developers would need to access production servers. It allows only the resource access required for a specific role.
•Accountability: TechSecure logs all activities of the users in a centralized system. Then it will know who accessed what and when. The logging happens to be very pivotal for auditing and investigation purposes in case some suspicious activity is detected.
Non-repudiation
Under the contract that they enter into with their clients, TechSecure utilizes digital signatures to ensure non-repudiation. To do this, in signing off on the contracts related to the software, clients use a secure platform for digital signatures. Thus, upon a dispute regarding the terms of the contract, TechSecure can prove that the client had agreed to the terms. That way, the client cannot deny having had a hand in the matter.
Least Privilege and Need to Know
The principle of least privilege is followed by TechSecure, in which the employees are given access to only the amount of information necessary for their job functions. For example, an intern working in marketing department is not provided with access to some sensitive financial data or client records under fear that such a system might be broken into or unintentionally exposed.
Subjects and Objects
In the case of TechSecure, subjects are those accessing the data and objects refer to the accessed data as well as other resources. For instance, when a developer (subject) tries to access the source code repository (object), the system authenticateates him to obtain knowledge of how much access level he possesses before granting him permission to access it.
Defense-in-Depth
The most important strategy of the protection of the TechSecure systems is through the use of defense in-depth. This is made up of several layers of security mechanisms:
• Firewalls: To cut off unauthorized access to their network.
• IDS: This will continuously scan for suspicious activities and notify security personnel.
• Training of employees: In this, conventions or seminars are organized to promote awareness among the employees about phishing attacks and secure online behavior. With these layers, TechSecure feels sure that if one fails, others would have protected a potential breach.
Due Care and Due Diligence
Due care is demonstrated by the firm TechSecure, as it updates security protocols on a routine basis. It also does vulnerability assessments. They do some form of due diligence by trying to bring about compliance with industry standards like GDPR and PCI DSS. For example, prior to the launching of its new software, these risks that would be in circulation would have been assessed and taken proactive measures concerning them.
CONCLUSION
Through the case of TechSecure Inc, we reviewed key cybersecurity concepts pertinent to an IT security exam. Understanding the concepts of Confidentiality, Integrity, and Availability (CIA), Identity and Authentication, Authorization and Accountability (AAA), Non-repudiation, Least Privilege and Need to Know, Subjects and Objects, Defense-in-Depth, and Due Care and Due Diligence not only puts a student in a good position to pass an exam but ensures future cybersecurity professionals have the information they need to go about the complex world of information security. This will make readers realize the significance of the principles applied in the real world, making them well-equipped for their future cybersecurity careers. This book is a comprehensive resource for future professionals in cybersecurity, providing them with the relevant means that will impact their future careers.