Least Privilege and Need to know. Least Privilege – (Minimum Necessary Access) Give users/systems exactly the access they need, no more, no less. Need to know – Even if you have access, if you do not need to know, then you should not access the data. Non-repudiation. A user can
Identification: Your name, username, ID number, employee number, SSN etc. “I am Thor”. Authentication: “Prove you are Thor”. – Should always be done with Multifactor Authentication! Something you know – Type 1 Authentication (passwords, pass phrase, PIN etc.). Something you have – Type 2 Authentication (ID, Passport, Smart Card, Token,
Confidentiality, Integrity and Availability Finding the right mix of Confidentiality, Integrity and Availability is a balancing act. This is really the corner stone of IT Security – finding the RIGHT mix for your organization. Too much Confidentiality and the Availability can suffer. Too much Integrity and the Availability can suffer.
We want to keep our System and Data available. We use: IPS/IDS. Patch Management. Redundancy on Hardware Power (Multiple Power Supplies/UPS’/Generators), Disks (RAID), Traffic paths (Network Design), HVAC, Staff, HA (high availability) and much more. SLA’s – How high uptime to we want (99,9%?) – (ROI) Threats: Malicious attacks (DDOS,
We want system and Data integrity We use: Cryptography (again). Check sums (This could be CRC). Message Digests also known as a hash (This could be MD5, SHA1 or SHA2). Digital Signatures – non-repudiation. Access control. Threats: Alterations of our data. Code injections. Attacks on your encryption (cryptanalysis).
We want to keep our information confidential. We use: Encryption for data at rest (for instance AES256), full disk encryption. Secure transport protocols for data in motion. (SSL, TLS or IPSEC). Good best practices for data in use – clean desk, no shoulder surfing, screen view angle protector, PC locking