Study Guide: SSCP: 1. Security Fundamentals
Source: https://www.fatskills.com/systems-security-certified-practitioner-sscp/chapter/sscp-security-fundamentals

SSCP: 1. Security Fundamentals

By Fatskills Exam Guides Team


Understanding Basic Security Concepts
Three primary goals of information security are to prevent the loss of confidentiality, the loss of integrity, and the loss of availability for information technology (IT) systems and data. You’ll find that most security practices and security controls are designed to help prevent losses in one or more of these areas. The SSCP objectives identify these as the CIA triad, using the initials for confidentiality, integrity, and availability. 


The CIA security triad is sometimes called the AIC security triad. Both are correct because the order of the initials doesn’t matter. What you really need to know is what each letter represents (confidentiality, integrity, and availability) and what it means to prevent losses in these areas.
System and information owners are responsible for ensuring that security controls are in place to protect their systems and data. For example, managers that own proprietary data need to ensure that security controls are in place to prevent the unauthorized disclosure of that data. IT security personnel implement and maintain these security controls.

The three primary goals of an information security program are to prevent the loss of confidentiality, the loss of integrity, and the loss of availability for any IT systems and data. System and information owners are responsible for ensuring that security controls address the confidentiality, integrity, and availability of their systems and data.

Confidentiality
You protect against the loss of confidentiality by ensuring that unauthorized users cannot access data. This starts by identifying and authenticating users, and then implementing access controls to restrict access. For example, you can use permissions to ensure that only authorized users can access the data.

Encryption provides another layer of protection for confidentiality. Figure 1-4 shows the overall process of encryption: data starts as plaintext, an encryption algorithm transforms it using a key, and the result is ciphertext. For example, if you’ve ever ordered anything over the Internet using a credit card, you’ve probably used a Hypertext Transfer Protocol Secure (HTTPS) connection. HTTPS encrypted your credit card information in transit, so anyone who captured the transmission would see only ciphertext and couldn’t read or use the card details.

Encryption protects confidentiality only when organizations use secure algorithms and follow sound practices for managing keys. With this in mind, it’s important to know which algorithms are still secure and which are obsolete and shouldn’t be used anymore. As an example, the Data Encryption Standard (DES) is an older encryption algorithm whose 56-bit key is small enough to be recovered by brute force with modern hardware. It is now considered insecure and shouldn’t be used. The common replacement used today is the Advanced Encryption Standard (AES).

Confidentiality controls help prevent the unauthorized disclosure of data. You ensure confidentiality by authenticating users and implementing access controls to ensure that only authorized users can access the data. You can also encrypt data to ensure that even if the data falls into the wrong hands, it’s less likely that unauthorized users can read it.

Integrity
Integrity controls prevent, or at least detect, unauthorized or unwanted modification of data or systems. Several different methods are used to protect integrity, including hashing and audit logging. Hashing doesn’t stop data from being altered, but it detects the alteration so that the system can flag data that has lost its integrity.

A hash is simply a fixed-length number created by performing a mathematical operation against data, such as a file or message. As long as the data stays the same, the hash (the number) will always be the same; change even one character of the data and the hash changes. As an example, imagine that Sally needs to inform Joe of the price of a particular company’s stock. She creates an e-mail message stating “The price is $99” and creates a hash of the message. To keep the example simple, the hash for this message is 1234, though an actual hash would be much longer. Sally could re-create the hash on this message 100 times and each time it would be 1234. Here’s how she can use the hash to validate the integrity of the message after she sends it:
1. Sally sends her message to Joe along with the calculated hash.
2. When Joe’s system receives the message, it calculates the hash again.
3. The received hash is the same as the calculated hash, providing assurances that the received message is the same as the sent message.
In contrast, imagine that someone intercepted the message and modified it before resending it to Joe. Joe’s system calculates the hash on the received message, “The price is $.99,” and determines it is 9876. It compares the calculated hash (9876) against the received hash (1234) and discovers that the message is different. In other words, the message has lost integrity.

If attackers can change the message, they can also recompute the hash for the changed message, so a bare hash detects only accidental changes or a naive attacker. To protect the hash itself, cryptographic systems either encrypt it with the sender’s private key (which is what a digital signature is) or compute it with a secret key shared by sender and receiver (a keyed hash, or HMAC). An attacker without the key can’t produce a matching value for a modified message.
Using hashing alone, you can’t determine what altered the message. You only know that it was changed. However, this is valuable information. If the message is different, it shouldn’t be trusted.
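
The Sally-and-Joe exchange above, run in code, as an added example that is not part of the study guide. SHA-256 stands in for the toy “1234” hash, and the messages, the on-path attacker, and the shared key are constructed for the example. It shows the three cases the text describes: an untouched message verifies, a modified message with the old hash is caught, and a modified message with a recomputed plain hash is not caught, whereas the same forgery against a keyed hash (HMAC) is.

```python
# Added example (not from the study guide): integrity checking with a plain
# hash versus a keyed hash (HMAC). SHA-256 stands in for the toy "1234" hash
# in the text; the messages, the attacker and the shared key are constructed.
import hashlib
import hmac

# Assumption: Sally and Joe agreed on this key out of band. The attacker
# sitting on the path between them does not have it.
SHARED_KEY = b"example-key-known-only-to-sally-and-joe"
ORIGINAL = b"The price is $99"
FORGED = b"The price is $.99"


def digest(message: bytes) -> str:
    """Plain SHA-256 hash. Anyone, including an attacker, can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_digest(message: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 tag. Recomputing it for a new message requires the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain(message: bytes, received_hash: str) -> bool:
    # compare_digest avoids leaking where the comparison failed via timing.
    return hmac.compare_digest(digest(message), received_hash)


def verify_keyed(message: bytes, received_tag: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(keyed_digest(message, key), received_tag)


def deliver(message: bytes, tag: str, attacker=None):
    """Simulate transit. An attacker on the path can rewrite the message and
    whatever travels with it (the hash or the HMAC tag)."""
    return (message, tag) if attacker is None else attacker(message, tag)


def honest_plain_hash() -> bool:
    """Steps 1-3 from the text: message and hash arrive untouched."""
    msg, h = deliver(ORIGINAL, digest(ORIGINAL))
    return verify_plain(msg, h)


def tamper_message_only() -> bool:
    """Attacker changes the message but not the hash: detected."""
    msg, h = deliver(ORIGINAL, digest(ORIGINAL), lambda m, h: (FORGED, h))
    return verify_plain(msg, h)


def tamper_message_and_hash() -> bool:
    """Attacker changes the message AND recomputes the plain hash: the
    forgery verifies, so a bare hash gives no protection against this."""
    msg, h = deliver(ORIGINAL, digest(ORIGINAL),
                     lambda m, h: (FORGED, digest(FORGED)))
    return verify_plain(msg, h)


def tamper_against_hmac() -> bool:
    """Same attack against an HMAC: without SHARED_KEY the attacker can only
    guess a key, so the tag does not match and the change is detected."""
    msg, t = deliver(ORIGINAL, keyed_digest(ORIGINAL),
                     lambda m, t: (FORGED, keyed_digest(FORGED, key=b"attacker-guess")))
    return verify_keyed(msg, t)


if __name__ == "__main__":
    print("honest, plain hash verifies:    ", honest_plain_hash())        # True
    print("message changed, hash not:      ", tamper_message_only())      # False
    print("message and plain hash changed: ", tamper_message_and_hash())  # True (undetected)
    print("message and HMAC tag changed:   ", tamper_against_hmac())      # False (detected)
```

Note the limit of the keyed approach: an HMAC proves to Joe that someone holding the shared key produced the tag, but Joe holds that key too and could have produced it himself, so it gives integrity and origin authentication between the two of them, not nonrepudiation. A digital signature, where only the sender holds the signing key, is what adds that.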
While it’s important to be able to verify the integrity of data, integrity also applies to system configuration. As an example, organizations often use change and configuration management processes to prevent unexpected system outages resulting from changes to the system. If a technician makes an unauthorized change, it results in a loss of integrity for the system. Worse, many unauthorized changes have caused unexpected system outages.
You can also use audit logging for system integrity. An audit log tracks changes to a resource, including what was changed, who changed it, and when. A set of one or more audit logs creates an audit trail that you can use to verify whether the configuration of a system is the same or has been modified. If someone did make a change that caused an outage, investigators can use audit logs to identify what was changed and who made the change.
Integrity ensures that data or systems have not been altered. Two common methods used to ensure integrity are hashing and audit logs.

Availability
Preventing the loss of availability ensures that IT systems and data are available when needed. Note that there isn’t a timeframe here. Some organizations operate only during the daytime from Monday to Friday, so this is the only time when the systems are needed. Other organizations are operational 24/7, so the systems and data must also be available 24/7.
If users need to access data on a server and they can access it, then the data is available. However, if the data becomes corrupt or the server fails, the result is a loss of availability.

Organizations protect against loss of availability using a variety of different technologies. These include the following:
-  Backups: Regular backups capture a copy of the data. If something happens to the original data, administrators can restore the data from backups. It’s important to keep a copy of backup data in an offsite location, so that if a fire or other catastrophe destroys the entire building, the data is still available.
-  Redundant disks: Many Redundant Array of Independent Disks (RAID) systems will continue to operate even if a disk fails. A mirror (RAID 1) is one example of redundant disks. The RAID system stores identical data on two disks, and if one disk drive fails, a copy of the data is still available.
-  Redundant servers: If a service provided by a server is critically important to an organization, the organization can add redundant servers. For example, failover clustering uses multiple servers and ensures that a service will remain available, even if a server fails.
-  Redundant connections: Organizations often need to stay connected to the Internet or stay connected between buildings in separate locations via an intranet. When this connectivity is critical to the operation of the organization, two or more connections are used so that even if one fails, the organization still has connectivity.
-  Redundant sites: Many organizations must stay operational even if a catastrophic event destroys their building or makes it uninhabitable. For example, many locations are susceptible to earthquakes, tornadoes, floods, and hurricanes. An organization can plan for these catastrophes by establishing a separate location. Redundant sites are known as hot sites (ready at a moment’s notice), cold sites (an empty building with electricity and running water), and warm sites (a cross between a hot site and a cold site).
In addition to using fault-tolerant and redundant technologies, organizations create business continuity plans and disaster recovery plans. These help the organizations maintain the availability of critical systems even after a disaster.

Availability ensures that authorized users can access any resource when it’s needed. Fault-tolerant and redundant technologies ensure that availability is not lost even if a system suffers a failure.

Exploring Fundamentals of Security
In addition to knowing the main goals of security (the CIA security triad), you need to understand some basic terms and concepts for the SSCP exam. The following sections introduce these concepts and some of the common terminology.
Least Privilege
An important security principle is the principle of least privilege. In short, this means that you grant users access to what they need to perform their jobs, and no more. This includes granting permissions to access resources such as files and granting rights to perform actions such as modifying system configurations.
For example, consider a group of project managers and project team members who all need access to a folder named Project Data. The team members need to be able to read the data but not modify it, while the managers need full control over the folder. So, you create a simple permission matrix: team members get Read, managers get Full Control, and regular users get no permissions at all, because they don’t need access to this data to perform their jobs.

If you instead gave the project team members full control permission on the folder, they would still be able to read the files, but they could also modify them or even delete them. Consider what could happen if the team members had full control and one of the team members became a disgruntled employee. That user could deliberately modify or delete data on the server. Even the most loyal employees can accidentally modify or delete files, but not if they don’t have permissions to do so. By assigning only the required permissions, you reduce the risk of anyone modifying or deleting the data.
Similarly, network administrators need elevated privileges to modify network and server configuration settings. Regular users don’t need these privileges to perform their jobs, so administrators ensure that regular users don’t have them. This reduces the possibility of a regular user accidentally making a change that affects the availability of a system.

The principle of least privilege ensures that users are granted only the rights and permissions needed to perform their jobs, and no more.

Separation of Duties
Separation of duties is a security principle that ensures that no single person has complete control over a process. When properly implemented, separation of duties significantly reduces the risk of fraud within an organization.
Consider the process of approving and paying invoices. If Joe controlled the entire process, he could create an invoice for his own fictitious company, approve the invoice, and then make a payment to his own bank account. Of course, the loser in this scenario is the company that is employing Joe. Separating the payment process into two steps and assigning different people to handle each step reduces the risk of fraud.

For example, one person approves the invoice, while another person pays it. Because neither person has full control of the process, neither can defraud the company without involving the other.

Implementing separation of duties policies doesn’t eliminate the possibility of fraud, because the two employees could choose to collude to defraud the company. Therefore, many companies also use job rotation and mandatory vacations to reduce the risks of collusion. Chapter 13 covers both of these concepts in more depth.
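
The invoice process above as an enforced control, as an added example that is not part of the study guide. The users, their roles, and the invoice are constructed; a real system would read role assignments from its directory. The check worth noticing is the last one in `pay`: holding both the approver and payer roles is allowed, but the identity that approved a given invoice may never be the one that pays it.

```python
# Added example (not from the study guide): enforcing separation of duties in
# an invoice workflow. The users, their roles and the invoice are constructed
# for this example; a real system would read roles from its directory.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: role assignments come from the organization's identity system.
ROLES = {
    "joe": {"approver"},
    "alice": {"payer"},
    "maria": {"approver", "payer"},  # holds both roles, may still not do both steps
}


class SeparationOfDutiesError(PermissionError):
    """Raised when one identity tries to perform both halves of the process."""


@dataclass
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    approved_by: Optional[str] = None
    paid_by: Optional[str] = None
    history: List[Tuple[str, str]] = field(default_factory=list)  # (action, user)


def approve(invoice: Invoice, user: str) -> None:
    if "approver" not in ROLES.get(user, set()):
        raise PermissionError(f"{user} is not authorized to approve invoices")
    if invoice.approved_by is not None:
        raise ValueError(f"{invoice.invoice_id} is already approved")
    invoice.approved_by = user
    invoice.history.append(("approve", user))


def pay(invoice: Invoice, user: str) -> None:
    if "payer" not in ROLES.get(user, set()):
        raise PermissionError(f"{user} is not authorized to pay invoices")
    if invoice.approved_by is None:
        raise ValueError(f"{invoice.invoice_id} must be approved before payment")
    # The separation-of-duties check: the payer must be a different identity
    # from the approver, even when one person holds both roles.
    if user == invoice.approved_by:
        raise SeparationOfDutiesError(
            f"{user} approved {invoice.invoice_id} and may not also pay it")
    invoice.paid_by = user
    invoice.history.append(("pay", user))


def run_invoice(approver: str, payer: str) -> str:
    """Drive one invoice through both steps and report the outcome."""
    inv = Invoice("INV-1001", "Joe's Fictitious Company", 4200.00)
    try:
        approve(inv, approver)
        pay(inv, payer)
    except SeparationOfDutiesError:
        return "blocked: same person approved and paid"
    except PermissionError:
        return "blocked: missing role"
    except ValueError as exc:
        return f"blocked: {exc}"
    return "paid"


if __name__ == "__main__":
    print(run_invoice("joe", "alice"))    # paid
    print(run_invoice("maria", "maria"))  # blocked: same person approved and paid
    print(run_invoice("joe", "joe"))      # blocked: missing role
```

The control does exactly what the text says and no more: it cannot stop joe and alice from colluding, which is why the history list records who did each step and why job rotation and mandatory vacations exist as the complementary controls.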

Separation of duties helps prevent fraud by ensuring that no single person has complete control over a process.

Privacy and Data Sensitivity
Data is often an extremely valuable asset for an organization. Three types of data that are sensitive and require extra steps to protect are PII, PHI, and intellectual property.
Personally identifiable information (PII) is information that identifies an individual and includes items such as the person’s name, national identification number such as the U.S. Social Security number, and birthdate. Protected health information (PHI) is any information about an individual’s medical and health history.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” includes details on identifying and protecting PII. NIST SP 800-66, Revision 1, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” discusses various methods of protecting PHI.
Intellectual property refers to creations of the mind or intellect, such as literary and artistic works, and inventions. The World Intellectual Property Organization (WIPO) divides intellectual property into two categories: industrial property and copyrights. Industrial property applies to industrial designs, trademarks, and patents for inventions. Copyrights apply to literary works (such as books and screenplays), music, films, and other artistic works.
Organizations often apply confidentiality principles to protect sensitive data such as PII, PHI, and intellectual property. This includes using strong access controls to restrict access to the data. It also includes encrypting privacy data as an added layer of protection.
TIP Several laws mandate the protection of an individual’s personally identifiable information (PII) and protected health information (PHI). Organizations have a requirement to exercise due care to protect PII, PHI, and intellectual property.

 

Defense in Depth
One of the primary tenets of security is that you’re never done. You can’t just write a security policy, install antivirus software, or enable a firewall and say, “There. We’re safe and secure now.” Instead, IT security uses the principle of defense in depth to implement several layers of security.
One of the primary benefits of a defense in depth strategy is that even if a single control fails, other controls still provide protection.

For example, you may combine access controls with the principle of least privilege to restrict access to data within your organization. You may also have some research and development data that you want to ensure remains confidential. In addition to access controls and least privilege, you can use cryptography methods to add an extra layer of security for this research and development data. Even if someone is able to bypass the access controls, he or she will not be able to decrypt the data easily.

A defense in depth strategy provides a layered approach to security by implementing multiple controls at different layers.

 

Nonrepudiation
Nonrepudiation ensures that a party cannot believably deny (or repudiate) taking an action. Audit logging and digital signatures are two common methods used to enforce nonrepudiation.
Consider a system that has audit logging enabled for a specific folder. If any user reads, modifies, or deletes data in the folder, the system logs the event in an audit log. The log includes who performed the activity, when they did it, and what they did. If Joe logs on to a computer using his credentials and he deletes a file, the audit log holds a record of his actions. Because the log recorded information from Joe’s credentials, you know that Joe did it.

A remote possibility is that someone else is using Joe’s credentials. This possibility increases if the organization uses weak authentication or has poor security practices. However, if Joe logs on with strong authentication (such as with a smart card or biometrics), it’s highly unlikely someone is impersonating him.
Digital signatures also provide nonrepudiation. For example, if Sally sends an e-mail to Bob and signs it with a digital signature, Sally can’t later deny that she sent the e-mail. A digital signature is created with the sender’s private key and verified with the matching public key, and a certificate binds that public key to the sender’s identity. Because only Sally holds her private key, the signature also provides authentication, giving assurance of who sent the e-mail.
Another example of nonrepudiation is related to commerce and e-commerce transactions. If you use a credit card to purchase a product and you sign the credit card bill, the company can use your signature to prove you are the person who made the purchase. You couldn’t later deny it, because your signature verifies that you purchased it. Similarly, e-commerce transactions require you to enter additional information such as the expiration date and the security code on the card. The idea is that only someone with the card in his or her possession knows this additional information.

Nonrepudiation prevents a party from denying that he or she took an action. The sender of a digitally signed e-mail cannot believably deny sending it. If a system has accountability and an audit trail shows the user took an action, the user cannot believably repudiate it.

AAAs of Security
The AAAs of security are authentication, authorization, and accounting. Combined, they help to ensure that only authorized entities have access to resources and that their access is recorded. Figure 1-9 shows the AAAs of security, and the following list explains them. While reading the explanations, imagine that Dawn is a project manager and she needs to modify project files stored on a server.

-  Authentication: A user provides credentials (such as a username and password) that are checked against a database to prove the user’s identity. The authentication system verifies the credentials. In the scenario, Dawn’s username is her identity, and she provides the correct password to prove her identity. If she enters the correct username and password, the system authenticates her.

There are three types or factors of authentication: (1) something you know (such as a password or PIN), (2) something you have (such as a smart card), and (3) something you are (using biometrics). A username is an identity claim, not a factor; the password is what proves the claim. Chapter 2 covers authentication in greater depth.

-  Authorization: Administrators assign rights and permissions to resources, which authorize users to access the resources. In the scenario, when Dawn attempts to access files on the server, the system checks to see if Dawn’s user account has been granted appropriate permissions and is authorized to access the files. If her account has appropriate permissions, the system grants her access. If her account doesn’t have appropriate permissions, the system blocks her access.
-  Accounting: Accounting tracks a user’s activity by logging it. A basic accounting mechanism is an audit log, such as the Security log in Windows systems, and a set of audit logs creates an audit trail. Imagine that administrators have configured the server storing the project files to log events anytime someone accesses the files. When Dawn opens a file, the system logs an event in the Security log. Similarly, if she saves changes that modify a file, or deletes a file, the system records these events with log entries.
Note that you cannot restrict authorization without proper identification and authentication. If all users have the same account, you can either authorize access to everyone or block access to everyone. Similarly, without authentication, you can’t have accounting. If everyone used the same account, event logs could record when users accessed a resource, but they wouldn’t be able to record who accessed the resource.

The AAAs of security are authentication, authorization, and accounting.
 

Accountability
One of the underlying goals of the AAAs of security is accountability. If a system can identify individual users, track their actions, and monitor their behavior, it provides accountability. Authentication provides identification for users, and accounting tracks their activities in audit logs. If users are not required to authenticate or if audit trails are not created, then a system does not provide accountability.
It’s worthwhile noting that you don’t have to track every single action of a user to provide accountability. For example, your network may have proprietary data stored in a folder named Research and publicly available information stored in a folder named Public. You may want to track each time any single user accesses any single file within the Research folder. This includes any time someone views, modifies, or deletes a file. However, it’s not important to know who viewed any of the data in the Public folder; instead, you only want to know who modified it. In this situation, you would track all activity in the Research folder, but only some of the activity in the Public folder.

If a system can track activity of an individual on a system, it provides accountability.
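
The three pieces described above, authentication, authorization, and accounting, wired together in one flow, as an added example that is not part of the study guide. It also implements the Project Data permission matrix from the least-privilege section (managers full control, team members read only, regular users nothing) and the selective audit policy from this section (every access to a sensitive folder is logged, only modifications to a public one). The accounts, passwords, folders, and policy are all constructed for the example, and PBKDF2-HMAC-SHA256 is an assumed choice for password storage.

```python
# Added example (not from the study guide): a minimal authentication,
# authorization and accounting flow with a least-privilege permission matrix
# and a per-folder audit policy. The accounts, passwords, folders and policy
# are constructed for this example.
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Assumption: PBKDF2-HMAC-SHA256 for password storage. The iteration count is
# kept modest so the example runs quickly; production should use far more.
PBKDF2_ITERATIONS = 200_000


def make_password_record(password: str) -> Dict[str, str]:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex()}


# Identity store (constructed): the system keeps salted hashes, not passwords.
USERS = {
    "dawn": {"pw": make_password_record("correct horse battery staple"), "role": "project_manager"},
    "bob":  {"pw": make_password_record("hunter2"), "role": "team_member"},
    "eve":  {"pw": make_password_record("letmein"), "role": "regular_user"},
}

# Least-privilege matrix for the Project Data folder from the guide's
# scenario: managers get full control, team members read only, regular
# users nothing. A Public folder is added so the audit policy has a contrast.
PERMISSIONS = {
    "Project Data": {
        "project_manager": {"read", "write", "delete"},
        "team_member": {"read"},
        "regular_user": set(),
    },
    "Public": {
        "project_manager": {"read", "write"},
        "team_member": {"read", "write"},
        "regular_user": {"read", "write"},
    },
}

# Accountability does not require logging everything: every access to
# Project Data is recorded, but only modifications to Public.
AUDIT_POLICY = {
    "Project Data": {"read", "write", "delete"},
    "Public": {"write", "delete"},
}

AUDIT_LOG: List[dict] = []


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the verified identity, or None. Unknown users still pay the
    PBKDF2 cost so the response time does not reveal which names exist."""
    rec = USERS.get(username)
    salt = bytes.fromhex(rec["pw"]["salt"]) if rec else b"\x00" * 16
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    if rec and hmac.compare_digest(dk.hex(), rec["pw"]["hash"]):
        return username
    return None


def authorize(username: str, folder: str, action: str) -> bool:
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(folder, {}).get(role, set())


def record(username: str, folder: str, action: str, outcome: str) -> None:
    """Accounting: write an entry when the policy covers the action, and
    always for failures, which an investigator needs regardless of folder."""
    if outcome != "allowed" or action in AUDIT_POLICY.get(folder, set()):
        AUDIT_LOG.append({"ts": time.time(), "user": username, "folder": folder,
                          "action": action, "outcome": outcome})


def access(username: str, password: str, folder: str, action: str) -> str:
    """The AAA sequence: authenticate, then authorize, then account."""
    who = authenticate(username, password)
    if who is None:
        record(username, folder, action, "auth_failed")
        return "auth_failed"
    if not authorize(who, folder, action):
        record(who, folder, action, "denied")
        return "denied"
    record(who, folder, action, "allowed")
    return "allowed"


def entries_for(username: str) -> List[dict]:
    """The audit trail for one identity; this is what makes a user accountable."""
    return [e for e in AUDIT_LOG if e["user"] == username]


if __name__ == "__main__":
    print(access("dawn", "correct horse battery staple", "Project Data", "write"))  # allowed
    print(access("bob", "hunter2", "Project Data", "write"))                        # denied
    print(access("bob", "hunter2", "Public", "read"))                               # allowed, not logged
    print(access("eve", "wrong-password", "Public", "read"))                        # auth_failed
    for e in entries_for("bob"):
        print(e)
```

Every audit entry carries the identity that authentication established, which is the point made in the text about shared accounts: if dawn and bob signed in with one shared name, `entries_for` could still count accesses but could never say which of them made the change.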
 

Due Diligence
Due diligence refers to the investigative steps that an organization takes prior to taking on something new, such as signing a contract or making a major purchase. In the IT world, an organization has an obligation to exercise due diligence to discover risks associated with a large purchase.
For example, if an organization is planning to purchase a software development company, that organization is obligated to exercise due diligence to determine as much as it can about the company and whether the purchase is a sound decision. Suppose the software company claims it earns about $100 million in revenue a year, but in actuality only earns $10,000. If the organization ignores due diligence and simply believes the company’s statements without verifying them, they may purchase the company based on the $100 million claim and pay way too much for it. By exercising due diligence and investigating the claims, the organization will likely discover the discrepancies and avoid the losses.
From an IT security perspective, an organization has a responsibility to exercise due diligence to discover risks. The goal is to identify risks that can result in the loss of availability, integrity, or confidentiality of any data or IT systems. Risks can’t be eliminated, but an organization can take steps to mitigate or reduce the risks by exercising due care.

You cannot eliminate risk. Management decides which risks to mitigate, and the risk that remains is residual risk. Management is responsible for any losses that occur because of residual risk.
 

Due Care
Due care is the practice of implementing security policies and practices to protect resources. It ensures that a certain level of protection is applied to protect against losses from known risks. The goal is to reduce the risk to the resources to a manageable level.
Because risks can’t be eliminated, an organization is likely to experience losses. If these losses are due to negligence, then the organization may face legal action against it. However, if the organization took due care to protect the resources but still suffered the loss, it’s less likely that a court will find the organization negligent.
For example, imagine that a company holds customer data—including names, addresses, birth dates, and credit card data—in cleartext in a database hosted on a web server. The company uses this information when customers make purchases through a website. A hacker checks out the website, discovers the database, and realizes that he can easily retrieve all the data. He steals the data and sells it to identity thieves, who proceed to steal millions of dollars.
Did the company take due care? Many would say no.
A web server accessible by users on the Internet will be attacked. It’s not a matter of if it will happen, but when. Further, if valuable data is on the server, attackers will find it. Even if it does have some protection, such as encryption, it’s still at risk if it’s accessible from the Internet.
Taking due care, the organization would implement security controls to protect the data. For example, administrators could store the customer information on a different server within the private network that isn’t accessible from the Internet but is accessible from the web server. Additionally, they could encrypt sensitive data on the server to protect against the loss of confidentiality. They don’t need to encrypt the entire database, but instead just encrypt columns holding sensitive data such as credit card data, keeping the decryption keys off the web server so that a compromise of the web tier doesn’t expose them.

If an organization doesn’t take due care to protect private data, it might be sued or forced to pay fines for privacy violations.

The CIA security triad includes confidentiality, integrity, and availability. System and information owners are responsible for ensuring that security and access controls are in place to prevent losses in these areas.
-  Confidentiality protects against the unauthorized disclosure of information. You can ensure confidentiality with access controls and encryption.
-  Integrity ensures that unauthorized users have not altered data. Hashing provides assurances that data, such as messages or files, has not been altered. Audit logs provide an audit trail identifying whether data has been modified, who modified it, and when.
-  Preventing loss of availability ensures that systems and data are operational and available when needed. Organizations prevent the loss of availability with backups, fault tolerance, and redundant systems.


Recap: Some fundamental security terms:
-  The principle of least privilege ensures that users are granted only the rights and permissions they need to perform their jobs, and no more.
-  Separation of duties helps prevent fraud by ensuring that no single individual has complete control over a process. Instead, tasks are divided between multiple people.
-  Organizations are responsible for protecting the confidentiality of sensitive data. Many laws mandate the protection of both PII and PHI. Organizations also have a responsibility for protecting intellectual property.
-  Defense in depth provides a layered approach to security and protects an organization even if one or more security elements fail.
-  Nonrepudiation prevents an individual from denying that he or she took an action. For example, if a user sends a digitally signed message, the user cannot later deny sending it, because a digital signature provides nonrepudiation.
-  The AAAs of security are authentication, authorization, and accounting. Authentication identifies users, authorization defines what the users can access, and accounting tracks a user’s activities.
-  If a system has accountability, it can identify and track the activity of a user. Accountability starts with strong authentication practices.
-  Due diligence refers to the investigative steps that an organization takes prior to making a major purchase or taking on an obligation.
-  Due care refers to the steps that an organization takes to protect resources. If an organization doesn’t take due care to protect resources, such as any individual’s private data, it can be susceptible to legal action or fines.


