Information Security (InfoSec) is the practice of protecting information by mitigating information risks. It involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to ensure confidentiality, integrity, and availability.
Information security aims to protect information assets through:
- Prevention: Implementing controls to prevent security incidents
- Detection: Identifying security breaches and anomalies
- Response: Reacting to security incidents effectively
- Recovery: Restoring systems and data after security incidents
Security failures can result in:
- Data Breaches: Exposure of sensitive information
- Financial Loss: Theft, ransomware, recovery costs, legal penalties
- Reputation Damage: Loss of customer trust
- Operational Disruption: Downtime and productivity loss
- Legal Compliance: Violations of regulations (GDPR, HIPAA, PCI DSS)
- IP Theft: Loss of competitive advantage
The CIA Triad is the foundational model for information security policies and implementations.
Confidentiality ensures information is accessible only to authorized entities.
Mechanisms: Encryption, access control lists, authentication, physical security, data masking
Threats: Eavesdropping, social engineering, insider threats, unauthorized access
Integrity ensures information remains accurate and unmodified except by authorized processes.
Mechanisms: Hash functions (SHA-256), digital signatures, MACs, input validation, database constraints
Threats: Man-in-the-middle attacks, data tampering, SQL injection, malware
Availability ensures information and systems are accessible to authorized users when needed.
Mechanisms: Redundancy, load balancing, DDoS protection, backups, disaster recovery
Threats: DoS/DDoS attacks, hardware failures, natural disasters, ransomware
Modern security frameworks extend the CIA triad:
- Authenticity: Verifying the genuineness of information and its source
- Non-repudiation: Ensuring that actions cannot be denied after the fact
- Accountability: Tracing actions to responsible entities
Least privilege: users and processes should have only the minimum access rights necessary to perform their functions.
Benefits:
- Reduces attack surface
- Limits damage from compromised accounts
- Simplifies security auditing
Implementation:
- Role-Based Access Control (RBAC)
- Just-In-Time (JIT) access provisioning
- Regular access reviews
Defense in depth: implement multiple layers of security controls throughout an IT system.
Layered Approach:
```
┌─────────────────────────────────────┐
│ Physical Security                   │
│  ┌───────────────────────────────┐  │
│  │ Perimeter Security            │  │
│  │  ┌─────────────────────────┐  │  │
│  │  │ Network Security        │  │  │
│  │  │  ┌───────────────────┐  │  │  │
│  │  │  │ Host Security     │  │  │  │
│  │  │  │  ┌─────────────┐  │  │  │  │
│  │  │  │  │ Application │  │  │  │  │
│  │  │  │  │ Data        │  │  │  │  │
│  │  │  │  └─────────────┘  │  │  │  │
│  │  │  └───────────────────┘  │  │  │
│  │  └─────────────────────────┘  │  │
│  └───────────────────────────────┘  │
└─────────────────────────────────────┘
```
Separation of duties: critical tasks should require multiple parties to complete, preventing fraud and errors.
Examples:
- Code review before deployment
- Multi-signature approval for financial transactions
- Separate roles for development, testing, and production
Fail-safe defaults: systems should default to a secure state when errors occur.
Principles:
- Deny access by default; explicitly grant permissions
- Fail closed rather than open
- Disable unnecessary services and features
Complete mediation: every access to every resource must be checked for authorization.
Implementation:
- Avoid caching authorization decisions
- Validate permissions on each request
- Implement centralized authorization services
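The deny-by-default, fail-closed and check-every-request rules above, combined with role-based access control, as an added example that is not part of the original page. The roles, permissions, user names and the `Authorizer` class are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed role-to-permission map; roles and actions are hypothetical.
ROLE_PERMISSIONS = {
    "viewer": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
}


class PolicyStoreError(Exception):
    """The role lookup backend could not answer."""


@dataclass
class Authorizer:
    role_lookup: Callable[[str], list]  # user -> list of role names
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user, resource, action):
        """Decide one request; nothing is cached between calls."""
        try:
            roles = self.role_lookup(user)
        except PolicyStoreError:
            # Fail closed: an error in the decision path means deny.
            return self._decide(user, resource, action, False, "store error")
        for role in roles:
            # Unknown roles map to an empty set and grant nothing.
            if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
                return self._decide(user, resource, action, True, role)
        # Default deny: no explicit grant matched this request.
        return self._decide(user, resource, action, False, "no grant")

    def _decide(self, user, resource, action, allowed, reason):
        self.audit_log.append((user, resource, action, allowed, reason))
        return allowed


def demo():
    assignments = {"alice": ["editor"], "bob": ["viewer"]}  # constructed
    authz = Authorizer(lambda user: assignments.get(user, []))
    results = [
        authz.is_allowed("alice", "report", "write"),   # explicit grant
        authz.is_allowed("bob", "report", "write"),     # viewer lacks write
        authz.is_allowed("mallory", "report", "read"),  # unknown user
    ]
    assignments["alice"] = []  # role revoked between two requests
    results.append(authz.is_allowed("alice", "report", "write"))
    return results
```

Because each call looks the roles up again, the revocation takes effect on the very next request, and every decision lands in the audit log for later review.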
Open design: security should not depend on secrecy of the implementation (Kerckhoffs's principle).
Implications:
- Use peer-reviewed cryptographic algorithms
- Avoid security through obscurity
- Open-source security tools benefit from community review
Psychological acceptability: security mechanisms should be usable and not unduly interfere with legitimate work.
Considerations:
- Balance security with user experience
- Provide clear security indicators
- Minimize friction in authentication flows
Threat modeling is the systematic process of identifying and evaluating potential threats to a system.
STRIDE is a Microsoft-developed threat classification model:
| Threat | Security Property Violated | Example |
|---|---|---|
| Spoofing | Authentication | Impersonating another user |
| Tampering | Integrity | Modifying data in transit or at rest |
| Repudiation | Non-repudiation | Denying performed actions |
| Information Disclosure | Confidentiality | Exposing sensitive information |
| Denial of Service | Availability | Making systems unavailable |
| Elevation of Privilege | Authorization | Gaining unauthorized permissions |
Threat modeling process:
- Identify Assets: Determine what needs protection (data, systems, services)
- Create Architecture Overview: Document system components and data flows
- Identify Threats: Use frameworks like STRIDE or PASTA
- Assess Risk: Evaluate likelihood and impact
- Identify Mitigations: Design controls to address threats
- Validate: Test that mitigations are effective
Attack trees are hierarchical diagrams representing how an asset might be attacked. Example: the goal (Steal User Data) can be achieved through Exploit Web App (SQL Injection, XSS) or Social Engineering (Phishing, Pretexting).
The attack surface is the sum of all points where an unauthorized user can try to enter or extract data.
Types:
- Network attack surface: Open ports, services, protocols
- Physical attack surface: Access to hardware, USB ports
- Software attack surface: Applications, libraries, OS
- Human attack surface: Social engineering targets
Reducing Attack Surface:
- Disable unnecessary services
- Minimize exposed APIs
- Implement network segmentation
- Regular security patching
Attack vectors are the paths or means by which attackers gain unauthorized access.
| Vector | Description | Example |
|---|---|---|
| Email | Malicious attachments or links | Phishing, malware distribution |
| Web Applications | Exploiting vulnerabilities | SQL injection, XSS |
| Networks | Intercepting or manipulating traffic | Man-in-the-middle, packet sniffing |
| Physical | Direct access to systems | Stolen devices, USB attacks |
| Supply Chain | Compromising third-party components | Malicious libraries, backdoored hardware |
| Insider Threats | Malicious or negligent insiders | Data exfiltration, sabotage |
Security domains:
- Physical Security: Access control, surveillance, environmental controls
- Network Security: Firewalls, IDS/IPS, VPNs, TLS/SSL
- Application Security: Secure SDLC, input validation, security testing
- Data Security: Encryption, DLP, key management, data classification
- Identity and Access Management (IAM): Authentication, authorization, SSO
- Endpoint Security: Antivirus, EDR, device encryption, MDM
Malware (malicious software) is software designed to disrupt, damage, or gain unauthorized access to computer systems.
| Type | Behavior | Impact |
|---|---|---|
| Virus | Self-replicating code attached to files | Data corruption, system slowdown |
| Worm | Self-replicating over networks | Network congestion, mass infection |
| Trojan | Disguised as legitimate software | Backdoors, data theft |
| Ransomware | Encrypts data, demands payment | Data unavailability, financial loss |
| Spyware | Monitors user activity | Privacy violation, credential theft |
| Rootkit | Hides presence and activities | Persistent access, difficult removal |
Social engineering exploits human psychology: Phishing, spear phishing, pretexting, baiting, quid pro quo, tailgating
Web application attacks: SQL Injection, XSS, CSRF, remote code execution, directory traversal
Network attacks: Man-in-the-Middle (MitM), DNS spoofing, ARP poisoning, session hijacking, DoS/DDoS
Cryptography provides mathematical techniques for secure communication in the presence of adversaries.
Core Services:
- Confidentiality: Encryption algorithms (AES, ChaCha20)
- Integrity: Hash functions (SHA-256, SHA-3)
- Authentication: Message Authentication Codes (HMAC)
- Non-repudiation: Digital signatures (RSA, ECDSA)
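Why the list above separates hash functions from message authentication codes, shown as an added example that is not part of the original page. The key, the message and all function names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key-not-for-real-use"  # shared secret (constructed)
MESSAGE = b"to=bob;amount=10"                   # constructed message


def hash_tag(message: bytes) -> str:
    """Unkeyed SHA-256: anyone can recompute it for any message."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA-256: a valid tag requires knowledge of the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hash(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hash_tag(message), tag)


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest compares in constant time, so the check does not
    # reveal how many leading characters of the tag were correct.
    return hmac.compare_digest(mac_tag(key, message), tag)


def modify_in_transit(message: bytes):
    """Model the tampering threat: the message is altered and the
    unkeyed digest is recomputed by a party that has no key."""
    altered = message.replace(b"amount=10", b"amount=9000")
    return altered, hash_tag(altered)


def demo():
    altered, recomputed = modify_in_transit(MESSAGE)
    return {
        "hash_accepts_original": verify_hash(MESSAGE, hash_tag(MESSAGE)),
        "hash_accepts_altered": verify_hash(altered, recomputed),
        "mac_accepts_original": verify_mac(KEY, MESSAGE, mac_tag(KEY, MESSAGE)),
        "mac_accepts_old_tag": verify_mac(KEY, altered, mac_tag(KEY, MESSAGE)),
        "mac_accepts_plain_hash": verify_mac(KEY, altered, recomputed),
    }
```

A bare digest sent alongside the data only catches accidental corruption, while the HMAC check rejects the altered message. Both parties hold the same key, so a MAC gives no non-repudiation; that needs a digital signature.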
Firewalls are network security devices that monitor and control traffic based on security rules.
Types:
- Packet-filtering: Inspects packet headers
- Stateful inspection: Tracks connection states
- Application-layer: Deep packet inspection, protocol-aware
- Next-generation: Includes IPS, application awareness, threat intelligence
An intrusion detection system (IDS) monitors network or system activity for malicious behavior or policy violations.
Detection Methods:
- Signature-based: Matches known attack patterns
- Anomaly-based: Detects deviations from normal behavior
- Stateful protocol analysis: Tracks protocol states
Deployment:
- Network-based (NIDS): Monitors network traffic
- Host-based (HIDS): Monitors individual hosts
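Signature-based and anomaly-based detection run over the same request log, as an added example that is not part of the original page. The events, baseline, signatures and threshold rule (mean plus three standard deviations) are constructed assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed signatures for two attack classes named on this page.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"union\s+select", re.IGNORECASE),
}

# Constructed (source, request path) events; addresses are documentation ranges.
EVENTS = [
    ("192.0.2.10", "/index.html"),
    ("192.0.2.10", "/static/../../etc/passwd"),
    ("192.0.2.11", "/search?q=shoes"),
    ("192.0.2.12", "/item?id=1 UNION SELECT name FROM users"),
] + [("198.51.100.7", "/login")] * 40

# Constructed baseline: requests per source in earlier, normal windows.
BASELINE = [4, 6, 5, 7, 5, 6, 4, 5]


def signature_alerts(events):
    """Signature-based: flag requests that match a known pattern."""
    return [
        (src, name)
        for src, path in events
        for name, pattern in SIGNATURES.items()
        if pattern.search(path)
    ]


def anomaly_alerts(events, baseline, k=3.0):
    """Anomaly-based: flag sources whose request count in this window
    exceeds mean + k standard deviations of the baseline."""
    threshold = mean(baseline) + k * pstdev(baseline)
    counts = Counter(src for src, _ in events)
    return sorted(src for src, n in counts.items() if n > threshold)
```

The signature pass flags the two single malformed requests and stays silent on the 40 ordinary-looking `/login` requests. The anomaly pass flags only that high-volume source, which is why the two methods are deployed together.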
Multi-factor authentication (MFA) is authentication using two or more verification factors:
- Something you know: Password, PIN
- Something you have: Token, smart card, mobile device
- Something you are: Biometrics (fingerprint, facial recognition)
- Somewhere you are: Geolocation
- Something you do: Behavioral biometrics
Information security is an ongoing process, not a one-time implementation.
- Planning: Requirements, risk assessment, policies
- Design: Threat modeling, architecture, control selection
- Implementation: Secure coding, testing, code reviews
- Testing: Vulnerability scanning, penetration testing, audits
- Deployment: Configuration, hardening, monitoring
- Operations: Monitoring, incident response, patch management
- Decommissioning: Data disposal, asset retirement, access revocation
Continuous Security: Ongoing monitoring, assessment, and improvement based on evolving threats
Risk management is the process of identifying, assessing, and controlling threats to an organization's assets.
- Identify Assets: Catalog systems, data, and services
- Identify Threats: Determine potential threats to assets
- Identify Vulnerabilities: Find weaknesses that threats can exploit
- Assess Likelihood: Estimate probability of threat occurrence
- Assess Impact: Evaluate potential damage
- Calculate Risk: Risk = Likelihood × Impact
| Strategy | Description | When to Use |
|---|---|---|
| Avoidance | Eliminate the risk by removing the activity | Risk exceeds benefit |
| Mitigation | Implement controls to reduce risk | Cost-effective controls exist |
| Transfer | Shift risk to third party (insurance) | Risk is external or insurable |
| Acceptance | Accept the risk without action | Risk is within acceptable tolerance |
- Annualized Loss Expectancy (ALE): Expected annual loss from a risk
  - ALE = Single Loss Expectancy × Annual Rate of Occurrence
- Return on Security Investment (ROSI): Justifying security spending
- Mean Time to Detect (MTTD): Average time to identify incidents
- Mean Time to Respond (MTTR): Average time to contain incidents
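A small risk register that applies ALE = SLE × ARO, the quantitative form of Risk = Likelihood × Impact, and ties the result to the strategy table, as an added example that is not part of the original page. All figures, the ROSI formula and the decision rule are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float            # Single Loss Expectancy, in currency units
    aro: float            # Annual Rate of Occurrence without the control
    aro_mitigated: float  # assumed ARO once the control is in place
    control_cost: float   # assumed annual cost of the control

    @property
    def ale(self):
        return self.sle * self.aro  # ALE = SLE x ARO

    @property
    def rosi(self):
        # Assumed ROSI definition (the page gives no formula):
        # (loss avoided by the control - control cost) / control cost
        avoided = self.ale - self.sle * self.aro_mitigated
        return (avoided - self.control_cost) / self.control_cost


def treatment(risk, tolerance):
    """Simplified decision rule built on the strategy table (assumption)."""
    if risk.ale <= tolerance:
        return "accept"               # within acceptable tolerance
    if risk.rosi > 0:
        return "mitigate"             # a cost-effective control exists
    return "transfer or avoid"        # control costs more than it saves


# Constructed register; every figure is illustrative.
REGISTER = [
    Risk("laptop theft", 4_000, 2.0, 0.5, 2_000),
    Risk("ransomware outage", 200_000, 0.125, 0.025, 8_000),
    Risk("web defacement", 4_000, 0.25, 0.125, 3_000),
    Risk("data centre flood", 500_000, 0.02, 0.01, 50_000),
]


def plan(register, tolerance=1_500):
    """Rank by ALE (highest first) and attach a treatment to each risk."""
    ranked = sorted(register, key=lambda r: r.ale, reverse=True)
    return [(r.name, r.ale, treatment(r, tolerance)) for r in ranked]
```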
Information security protects information assets through core principles (CIA triad, defense in depth, least privilege), threat awareness, layered defenses across multiple domains, and continuous risk management. Effective security requires technical controls, organizational policies, and a security-aware culture that adapts to evolving threats.