Cybersecurity Concepts

Defense in Depth

A comprehensive strategy of including multiple layers of security within a system so that if one layer fails, another layer of security is already in place to stop the attack/unauthorized access. Examples:

1. A castle is secured by a moat, a drawbridge, and guards at the gate.
2. Your home computer is secured by locks on the door, an alarm system, and a firewall.
3. Company data is secured by a firewall, passwords, and encryption.

Confidentiality

The property that information is not disclosed to individuals, devices, or processes unless they have been authorized to access the information.

• Student grades can only be accessed by specific individuals within the organization, such as authorized teachers and the principal.
• At a hospital, medical information about a patient is protected and only provided to authorized personnel.
• Salary information is typically only available to authorized personnel within a company, such as the supervisor and human resources.

Integrity

The property that information, an information system, or a component of a system has not been modified or destroyed in an unauthorized manner.

• Student grades are accurate and have not been modified by an unauthorized user.
• A website is the entity it claims to be.
• A computer system is virus-free and uncompromised.

Avalibility

The property that information or information systems are accessible and usable upon demand.

• A student’s grades can be viewed by the student and principal and modified by the teacher
• A website for a store allows orders to be placed and viewed.
• A banking system is appropriately accessible by both customers and banking employees.
• A Denial-of-Service attack can result in a system being unavailable and inaccessible.

Think Like and Adversary

The strategy of putting yourself inside the mindset of a potential attacker that allows you to anticipate attack strategies and defend your systems accordingly.

• In order to best protect a student’s data, it is useful to think of potential adversaries and their motivations, such as a student wishing harm on another, a student seeking to modify his own data, and consider possible strategies – breaking physically into an office, breaching a network to obtain unauthorized access, etc. and build your security strategy accordingly.
• Discussions on ethics of a cybersecurity professional must correlate with any activity in which adversarial thinking is being modeled.

Keep it Simple

The strategy of designing information and security systems to be configured and operated as simply as possible; all systems perform best when they have simple designs rather than complex ones.

• A complex alarm system can have many points of failure, including the hardware and the software.
• A complex computer system has many points of access and may be difficult to secure. A simple solution is often the best strategy.