Mission CISSP

100 Days plan

CISSP
Security and Risk
Management
1.1 – Understand and apply concepts of Confidentiality, Integrity and Availability

MISSION CISSP
The CIA Triad

 CIA proportion may change from

one organisation to another

 CIA needs for an organisation

helps deriving security controls

 Impact on CIA determines the

effectiveness of a security control

 Security is inversely proportional

to human comfort

MISSION CISSP
Confidentiality
Principle
Authorized people , process or
system has access
Data must be protected from
unauthorized access / disclosure
MISSION CISSP
Threats
Eavesdropping, Sniffing,
shoulder surfing. Password
cracking
Human errors - misconfigured
Access controls, Emails sent to
unintended recipients
Policy or security control gaps
Countermeasures
Security through Design
Strong Authentication
Encryption at rest and in Transit
Appropriate policies and controls
Security Awareness
Terms around Confidentiality

MISSION CISSP
Integrity

Principle: Threats: Countermeasures:

Concept of preventing
unauthorised modification
attempt to impact content,
accuracy or consistency of
data or system
Intentional: Unauthorised Authentication, front and
access, Virus, Bugs, backend Validation, Hashing,
malicious modification etc Checksums, HVAC, Physical
and admin controls

MISSION CISSP
Other aspects of Integrity

Accuracy

Integrity

Complete Authenticity

MISSION CISSP
Availability
Principle: Threats:
Authorised users are granted
timely and uninterrupted Device failures, Software
access to objects Errors, and
environmental issues,
Attacks on availability,
MISSION CISSP
Countermeasures:
Redundancy and Fault
tolerance, prevention to
Dos/DDos, Ransomwares,
Backups, Avoiding SPOF
Other aspects of Availability

Usability

Availabilit
y

Accessibili
Timeliness
ty

MISSION CISSP
Nonrepudiation

• Preventive measures implemented

to prevent a situation where the
user deny it’s own action and
deems himself/ herself not
accountable

• Nonrepudiation is ensured through

digital signature, session identifiers,
transaction logs etc.

MISSION CISSP
Authentication and Auditing terms

Identification Authentication Authorisation Auditing Accounting

MISSION CISSP
Layered Security

• Often also termed as “Defense in

Depth”

• Deployment of multiple controls in

a sequence to protect an asset

Image curtsey – Plixer .com

MISSION CISSP
Security through Obscurity

• Any false sense of

security achieved
through implementing
certain controls based
on incorrect
assumptions
courtesy – explainhow.com

MISSION CISSP
Abstraction

Data hiding

Data Obfuscation

MISSION CISSP
 Thank you
Stay tuned for more interesting stuff…

MISSION CISSP