Information Security and Privacy Quick Reference (eBook)
429 pages
Wiley (Publisher)
978-1-394-35332-3 (ISBN)
A fast, accurate, and up-to-date desk reference for information security and privacy practitioners everywhere
Information security and privacy roles demand up-to-date knowledge drawn from a seemingly countless number of sources: several certifications (such as the CISM, CIPP, and CISSP), legislation and regulations issued by state and national governments, guidance from local and industry organizations, and even international bodies such as the European Union.
The Information Security and Privacy Quick Reference: The Essential Handbook for Every CISO, CSO, and Chief Privacy Officer is an updated, convenient, and accurate desk reference for information privacy practitioners who need fast and easy access to the latest guidance, laws, and standards that apply in their field. This book is the most effective resource for information security professionals who need immediate and correct solutions to common and rarely encountered problems.
An expert team of writers (Joe Shelley, James Michael Stewart, and the bestselling technical author Mike Chapple) draws on decades of combined technology and education experience to deliver organized and accessible coverage of:
- Security and Privacy Foundations
- Governance, Risk Management, and Compliance
- Security Architecture and Design
- Identity and Access Management
- Data Protection and Privacy Engineering
- Security and Privacy Incident Management
- Network Security and Privacy Protections
- Security Assessment and Testing
- Endpoint and Device Security
- Application Security
- Cryptography Essentials
- Physical and Environmental Security
- Legal and Ethical Considerations
- Threat Intelligence and Cyber Defense
- Business Continuity and Disaster Recovery
Information Security and Privacy Quick Reference is a must-have resource for CISOs, CSOs, Chief Privacy Officers, and other information security and privacy professionals seeking a reliable, accurate, and fast way to answer the questions they encounter at work every single day.
CHAPTER 1
Security and Privacy Foundations
In the ever-evolving landscape of information security and privacy, it is crucial for professionals to have a solid foundation in both domains. This chapter is designed to equip you with essential knowledge and insights that are fundamental to safeguarding information and ensuring privacy in your organization. As security and privacy threats become more sophisticated, understanding the core principles and frameworks that underpin these fields will enable you to develop robust strategies and implement effective controls.
By exploring the foundational concepts of security and privacy, you will gain a comprehensive understanding of key principles such as confidentiality, integrity, availability, authentication, authorization, and accounting. Additionally, you will delve into the intricacies of privacy in the modern era and the foundational principles that guide privacy practices. This chapter also covers critical frameworks and policies that provide structure and guidance for security and privacy initiatives. By the end of this chapter, you will be well-versed in the foundations of creating and enforcing policies, establishing security awareness programs, and developing strategic approaches to security and privacy management. This knowledge is vital for protecting your organization's assets and ensuring compliance with regulatory requirements.
Security 101
We often hear how important security is, but we don't always understand why. Security is essential because it helps to ensure that an organization can continue to exist and operate despite any attempts to steal its data or compromise its physical or logical elements. Security is an element of business management rather than only an information technology (IT) or information systems (IS) concern. Furthermore, IT/IS and security are different. IT/IS comprises the hardware and software that support the operations or functions of a business. Security is the business management tool that ensures the reliable and protected operation of IT/IS. Security exists to support the organization's objectives, mission, and goals.
Adopt an established security framework as the starting point for implementing security; once it is in place, fine-tune it through continuous evaluation and stress testing. There are three common types of security evaluation:
- Risk assessment identifies assets, threats, and vulnerabilities in order to calculate risk. Once risk is understood, it guides the improvement of the existing security infrastructure.
- Vulnerability assessment uses automated tools to locate known security weaknesses, which can then be addressed by adding defenses or adjusting the current protections.
- Penetration testing uses trusted teams to stress test the security infrastructure, finding issues that the prior two means may miss, and finding them before an adversary takes advantage of them.
Security should be cost-effective. Organizations do not have infinite budgets and thus must allocate their funds appropriately. Just as other business tasks and processes require capital (payroll, insurance, retirement, and so on), an organizational budget includes a portion dedicated to security. You should select security controls that provide the greatest protection for the lowest resource cost.
Security should be legally defensible. The laws of your jurisdiction are the backstop of organizational security. When someone intrudes into your environment and breaches security, especially when such activities are illegal, prosecution in court may be the only available response for compensation or closure. Also, many decisions made by an organization will have legal liability issues. If required to defend a security action in the courtroom, legally supported security will go a long way toward protecting your organization from facing significant fines, penalties, or charges of negligence.
Security is a journey, not a finish line. It is not a process that will ever be concluded. It is impossible to fully secure something because security issues are always changing. Our deployed technology changes over time, through users' activities, and as adversaries discover flaws and develop exploits. The defenses that were sufficient yesterday may not be sufficient tomorrow. As new vulnerabilities are discovered, new means of attack are crafted, and new exploits are built, we have to respond by reassessing our security infrastructure and adjusting it appropriately.
Confidentiality, Integrity, and Availability (CIA)
The CIA triad is a fundamental concept in information security, representing the three core principles that guide the protection of data and systems. This section provides an overview of these principles—confidentiality, integrity, and availability—and their importance in maintaining a secure information environment.
Confidentiality
Confidentiality is the protection of the secrecy of data, objects, or resources. The goal is to prevent or minimize unauthorized access to data. Confidentiality is maintained through countermeasures such as encryption, strict access control, rigorous authentication procedures, data classification, and extensive personnel training. Violations of confidentiality can occur through intentional attacks, human error, oversight, or misconfigured security controls. Key concepts related to confidentiality include:
- Sensitivity: Determining whether information could cause harm if disclosed.
- Discretion: Controlling disclosure to minimize harm.
- Criticality: Measuring how vital to the company's mission the information is.
- Concealment: Hiding or preventing disclosure of information.
- Secrecy: Keeping information secret.
- Privacy: Keeping personally identifiable information confidential.
- Seclusion: Storing information in an out-of-the-way, secured location.
- Isolation: Keeping information separated from other information.
Integrity
Integrity is the concept of protecting the reliability and correctness of data. It ensures that data is not altered in an unauthorized manner. Integrity protection allows for authorized changes while preventing unauthorized modifications, whether they are intentional, malicious, or accidental. Key aspects include:
- Data integrity: Ensuring that data remains accurate and consistent over its life cycle.
- System integrity: Ensuring that a system performs its intended function in an unimpaired manner.
- Process integrity: Ensuring that processes operate correctly without unauthorized modification.
Availability
Availability is the principle that ensures authorized users have timely and uninterrupted access to data and resources. It is crucial for maintaining the functionality of systems and services. Availability can be impacted by hardware failures, software issues, or malicious attacks such as denial of service (DoS). Measures to ensure availability include:
- Redundancy: Having backup systems in place.
- Failover: Switching automatically to a standby system.
- Load balancing: Distributing workloads across multiple systems.
- Maintenance: Updating and patching regularly to prevent system failures.
Disclosure, Alteration, and Destruction (DAD)
The DAD triad is a fundamental concept in information security that represents the failures of security protections in the CIA triad. Understanding the DAD triad is essential for identifying and mitigating the risks associated with security breaches. The DAD triad consists of three key elements: disclosure, alteration, and destruction.
- Disclosure: Occurs when sensitive or confidential material is accessed by unauthorized entities. This is a direct violation of confidentiality. Disclosure can happen through various means, such as data breaches, unauthorized access, or accidental exposure due to misconfigurations. Attackers who gain access to sensitive information and remove it from the organization are performing data exfiltration. Additionally, disclosure can occur accidentally, such as when an administrator misconfigures access controls or an employee loses a device.
- Alteration: Refers to the unauthorized modification of information, which violates the principle of integrity. This can happen through malicious activities like injecting fraudulent transactions into financial records or through accidental means such as typographical errors or system malfunctions. Attackers may seek to alter data for financial gain, reputational damage, or other malicious purposes. Natural activities, such as power surges causing bit flips, can also lead to unintended alterations.
- Destruction: Involves the damage or inaccessibility of resources, which violates the principle of availability. This can be the result of intentional actions like distributed denial-of-service (DDoS) attacks or unintentional events such as hardware failures or natural disasters. Destruction can significantly impact an organization's operations by making critical data or services unavailable to authorized users.
The DAD triad is a useful tool for cybersecurity planning and...
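The Integrity section above lists "data integrity" as a goal, and the Alteration item describes both malicious edits and accidental bit flips. The following is an added example, not code from the book or its authors, that shows the control a practitioner would actually deploy for this: a stored record carries a keyed HMAC-SHA256 tag, so any change to the bytes (an attacker rewriting a balance, a single flipped bit, or an attacker recomputing an unkeyed checksum over altered data) is detected on read. The account record is constructed sample data, and the function names (`store`, `load_and_verify`, `flip_bit`) are this example's own; the key is generated in memory here, whereas in production it would be held in a secrets manager or HSM.

```python
"""Detecting alteration with a keyed integrity tag (added example, not from the book).

A record is stored beside an HMAC-SHA256 tag computed under a secret key.
Anyone who changes the stored bytes, deliberately or by accident, cannot
produce a matching tag without that key, so the change is caught on read.
Uses only the Python standard library.
"""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    # Canonical JSON: the same logical record always serializes to the same bytes,
    # otherwise key order or whitespace differences would break verification.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_tag(key: bytes, record: dict) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def store(key: bytes, record: dict) -> bytes:
    """Return the bytes to write to disk: the record plus its integrity tag."""
    sealed = {"record": record, "tag": make_tag(key, record)}
    return json.dumps(sealed, sort_keys=True).encode()


def load_and_verify(key: bytes, stored: bytes):
    """Return (ok, record). ok is False if the stored bytes were altered in any way."""
    try:
        sealed = json.loads(stored)
        record, tag = sealed["record"], sealed["tag"]
    except (ValueError, KeyError, TypeError):
        return False, None  # structurally damaged (e.g. a bit flip broke the JSON)
    if not isinstance(tag, str):
        return False, None
    # compare_digest is constant-time, so a forger learns nothing from timing.
    if not hmac.compare_digest(make_tag(key, record), tag):
        return False, None
    return True, record


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate an accidental alteration such as a bit flip caused by a power surge."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo() -> dict:
    key = secrets.token_bytes(32)  # assumption: in production this lives in a secrets manager or HSM
    # Constructed sample record; not real data.
    original = {"account": "ACC-1001", "balance": 2500, "currency": "USD"}
    stored = store(key, original)
    results = {}

    results["intact"] = load_and_verify(key, stored)[0]

    # Malicious alteration: the attacker edits the balance directly in the stored file.
    tampered = stored.replace(b'"balance": 2500', b'"balance": 9999')
    results["tampered"] = load_and_verify(key, tampered)[0]

    # Accidental alteration: one bit flips in the first digit of the balance.
    # '2' is 0x32; flipping bit 0 gives 0x33, '3', so the JSON stays well-formed
    # but the balance silently becomes 3500.
    digit_pos = stored.index(b'"balance": 2500') + len(b'"balance": ')
    flipped = flip_bit(stored, digit_pos * 8)
    results["bit_flip"] = load_and_verify(key, flipped)[0]

    # Why a keyed tag and not a plain checksum: an attacker who alters the record
    # can recompute SHA-256 over it, but cannot compute the HMAC without the key.
    forged_record = dict(original, balance=9999)
    forged = json.dumps(
        {"record": forged_record, "tag": hashlib.sha256(canonical(forged_record)).hexdigest()},
        sort_keys=True,
    ).encode()
    results["forged_unkeyed_hash"] = load_and_verify(key, forged)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} integrity {'OK' if ok else 'VIOLATED'}")
```

Only the intact case verifies; the other three fail, including the one where the attacker supplied a freshly computed but unkeyed hash. The tag protects integrity only: the record is still readable in the clear, so confidentiality would need encryption on top, and an attacker who can delete the file entirely affects availability, which the tag does not address.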
| Publication date (per publisher) | 22 May 2025 |
|---|---|
| Language | English |
| Subject area | Mathematics / Computer Science ► Computer Science ► Theory / Study |
| Keywords | cipp • CISM • ciso reference • CISSP • cso reference • information privacy reference • information security desk reference • information security quick reference • information security reference • privacy desk reference • privacy officer reference |
| ISBN-10 | 1-394-35332-4 / 1394353324 |
| ISBN-13 | 978-1-394-35332-3 / 9781394353323 |
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time; you can then read it only on devices that are also registered to that Adobe ID.
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to fiction and non-fiction. The body text reflows dynamically to the display and font size, which also makes EPUB well suited to mobile reading devices.
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a
Buying eBooks from abroad
For tax-law reasons we can sell eBooks only within Germany and Switzerland. Regrettably, we cannot fulfill eBook orders from other countries.