UEL-CN-7014 Computer Security

Week 1 – Reading Material

Fundamental Security Concepts

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

TABLE OF CONTENTS
Introduction ............................................................................................................................................................ 3
Learning objectives ............................................................................................................................................. 4
The modern Information Security & cybersecurity landscape ............................................................................... 5
An evolving security landscape .......................................................................................................................... 5
The core principles of security ............................................................................................................................... 6
Fundamental concepts of security....................................................................................................................... 6
Types of security ................................................................................................................................................ 6
Physical Security ............................................................................................................................................ 7
Operations Security ........................................................................................................................................ 7
Communications Security ............................................................................................................................... 7
Network Security ............................................................................................................................................ 8
The C.I.A. Triad ................................................................................................................................................. 9
Confidentiality ................................................................................................................................................ 9
Integrity ........................................................................................................................................................ 10
Availability ................................................................................................................................................... 11
Extensions to the C.I.A. Triad .......................................................................................................................... 11
Management of Information Security ................................................................................................................... 14
The role of managers ........................................................................................................................................ 14
Characteristics of managers .............................................................................................................................. 14
An overview Information Security management .............................................................................................. 16
Conclusion ............................................................................................................................................................ 18
The core principles of security.......................................................................................................................... 18
Management of Information Security ............................................................................................................... 19
References ............................................................................................................................................................ 21

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

INTRODUCTION

The material for Week 1 will be an introduction and review of the fundamental concepts and

principles of security. This is an important step to take when covering new topics in the

subject area. By solidifying and refreshing your knowledge and understanding of these

concepts, you will be able to contextualise their relevance and application in new knowledge

areas. The last section of this week’s material will be provide you with an overview of the

management of Information Security. In this segment, you will develop an understanding of

the important role of management towards achieving of an organisations security goals.

Below is a list of the topics that will be covered in this week

 The modern security landscape

 The core principles of security

o Fundamental concepts of security

o Types of security

o The C.I.A. Triad

o Extensions to the C.I.A. Triad

 Management of Information Security

o The role of managers

o The characteristics of managers

o An overview of Information Security management

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

LEARNING OBJECTIVES

By the end of this week, you will be able to:

 Develop an awareness of the modern security landscape

 Solidify knowledge and understanding of the core aspects, concepts and principles of

security

 Describe and analyse the core aspects, concepts and principles of security in the

context of security management

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

THE MODERN INFORMATION SECURITY & CYBERSECURITY LANDSCAPE

“If you think you know-it-all about cybersecurity, this discipline was probably ill-explained

to you” – Stephane Nappo

AN EVOLVING SECURITY LANDSCAPE

The challenge that faces everyone working in the field of Information Security and

cybersecurity is the need to be knowledgeable and up-to date with ongoing security threats

and trends that are a result of an evolving Information Age. By being aware of these threats

and trends, security specialists can be properly prepared to adapt one’s security position.

Although the types of security threats that currently exist are not new, the nature of these

threats are determined by the environment in which they operate. The current COVID-19

pandemic has resulted in a significant shift in the nature and quantity of cyber threats. Due to

lockdown measures, many individuals are forced to spend more time at home and

organisations are increasingly shifting their operations heavily towards remote work. The use

of computers in this ‘home’ setting has increased (Lallie et al., 2021). Some of the key cyber

threats of the current environment include:

 Network based attacks – home networks exposed due to unpatched/insecure routers

 Social engineering – targeted vaccination related email campaigns and scams

 Data security – reduced compliance to data processing and storage due to remote and

cloud services

 Cloud service vulnerabilities – cloud service providers targeted by cybercriminals

due to shift towards cloud services for day-to-day business operations

5

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

THE CORE PRINCIPLES OF SECURITY

FUNDAMENTAL CONCEPTS OF SECURITY

In general, the term ‘security’ is the ‘state of being secure’, defined by the Merriam-Webster

dictionary “to relieve from exposure to danger or “act to make safe against adverse

contingencies” (Security, 2021). In the traditional sense and without the existence of any of

the modern information and communications technology, security would simply be a set of

methods that can be used by individuals and organisations to protect themselves and any

objects, possessions, resources or interests they deem valuable. The primary objectives of

security is to protect against potential theft, loss or damage.

TYPES OF SECURITY

In the context of Information Technology (IT), ‘security’ is the protection hardware,

software, resources, information systems, assets and infrastructure from potential threats.

Figure 1 - Components of Information Security (Whitman and Mattford, 2014, p. 4)

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

IT security strategies are commonly grouped as (a) Physical Security, (b) Operations

Security, (c) Communications Security and (d) Network Security.

PHYSICAL SECURITY
The physical resources of an organisation include personnel, hardware assets and other

infrastructure such including buildings, servers or office space. The goal of physical security

is to protect these resources against threats such as:

 Physical damage from fires or other hazards

 Physical damage from natural disasters

 Physical theft by malicious parties

 Unauthorised use and access

OPERATIONS SECURITY

The intention for any successful business or organisation is their ability to operate and

conduct daily tasks at an acceptable level (without disruption). The goal of operations

security is to ensure this level of continuity at all times, especially in the event of a cyber-

threat that can potentially affect this regular operation.

COMMUNICATIONS SECURITY

Organisations that operate in the cyberspace rely on information and communications

technology to carry out their daily tasks and activities. These organisations leverage these

technologies for communication and productivity via email, video chat, instant messaging or

web browsing. The security threats that exists due to the use of these tools mainly concerns

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

that of ‘content’ and ‘information’ (Whitman and Matford, 2014, pp.4-5). The goal of

communications security is to protect this content and information from the following threats:

 Unauthorised access

 Intentional misuse

 Unintentional misuse

 Malicious cyber-attacks.

NETWORK SECURITY

Network technologies have transformed the way organisations communicate and share

resources between devices such as desktop computers, laptops and smartphones. With the

existence of internal and external networks, personnel within the organisation can

communicate, exchange and share information and data on their devices locally and remotely.

Communication on networks connected to the internet can cause a range of potential cyber

threats. The majority of these threats are cyber-attacks that work only on the networked

medium. Network Security is the all-encompassing software and hardware strategies used to

prevent threats:

 Encryption – adoption of data encryption mechanisms to secure networks

 Access Control – setting user access rights and privileges

 Firewalls – adopting inbound and outbound network traffic rules

 Intrusion prevention and detection systems – software that prevents or detects

cyber threats

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

THE C.I.A. TRIAD

Information Security (InfoSec) as described by the NIST SP 800-12 Rev.1 is ‘The protection

of information and information systems from unauthorized access, use, disclosure, disruption,

modification, or destruction in order to provide confidentiality, integrity, and availability’

(InfoSec, Glossary, 2021). Of particular interest, this definition of Information Security

focuses on the key security principles of: (a) confidentiality, (b) integrity and (c)

availability. These principles, commonly referred to as the C.I.A Triad are the fundamental

aspects of computer security, Information Security and cybersecurity.

Figure 2 - The CNSS security model (Whitman and Mattford, 2014, p. 5)

CONFIDENTIALITY
Confidentiality refers to the aspect of Information Security where access to information

should be restricted to personnel with a set of required privileges or with explicit

authorisation. Unauthorised access and use of such information is considered as breaking

confidentiality, which affects the privacy of sensitive information. Confidentiality can be

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

assured through the implementation of effective strategies to protect the information from

unauthorised access including:

 Segmentation and classification of information and data

 Configuration of user access controls and access rights to information and data

 Implementation of an organisation-wide security policy governing the use of

information and data

 Secure storage of information and data on computing devices and networks

 Encryption of sensitive information and data

INTEGRITY

Integrity of information refers to the accuracy, validity or completeness of information. When

information is in storage, being used or in transit, it must remain authentic, in an unmodified

state and be free from unauthorized modification, corruption or damage. The integrity of

information can be maintained using some of the following measures:

 The use of integrity checking tools and software (i.e. hashing, checksum) that can

detect and determine if, when and whether files have been altered in any way

 Developing effective security measures, policies and controls to reduce the risk that

information can be modified

 Conducting forensic analysis in the case of a cybersecurity incident caused by

modified data

10

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

AVAILABILITY
Availability of information refers to the aspect of ‘continuity’ as it relates to business or

organisation led activity. The idea of information availability implies that information should

be accessible and in a useable state when needed. To clarify this point, an authorised user

with appropriate access rights to resources, services or information on a network should

expect uninterrupted use and access. A common form of reduced availability of information

is a server-based network interruption caused by a distributed denial-of-service (DDoS)

cyber-attack.

Strategies used for assuring the availability of information can include:

 Scheduled upkeep and maintenance of information systems and infrastructure

 Strategic development of business continuity and disaster recovery plans

 Prevention and mitigation of cyber threats using software security including anti-

malware, firewalls, intrusion detection, data redundancy and scheduled back-ups

EXTENSIONS TO THE C.I.A. TRIAD

There are notable extensions to the C.I.A. Triad are known as AAA (Chapple, Stewart and

Gibson, 2018, pp. 8-11). These extensions include the following:

 Identification: when a user has access to a computer system or resource, they must

be given the facility to identify themselves

 Authentication: when a user accesses a computer system or resource, they must be

given the facility to prove their identity (i.e. that they are who they say they are)

11

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

  Authorisation: any user with access to a computer system or resource should be

authorised with the appropriate set of access rights and privileges

 Auditing: any computer system or resource that a user has access to should be able to

log information concerning activity in the event forensic analysis or a security audit

 Accountability: based on an organisation’s security policy, users with access to

systems and resources should be held accountable for their actions whether intentional

or unintentional

The table below is a summary of the key terminology associated with the C.I.A. Triad. These

can be considered as additional elements of the C.I.A. Triad, which are still important in

defining the overall principles of security.

Element of the Associated terminology

C.I.A. Triad
Sensitivity
 Sensitive information should be protected from exposure
Discretion
 Disclosure of information should be done in a controlled manner
Criticality
 Information should be evaluated based on priority (i.e. information that is
most critical should be protected first)
Concealment
Confidentiality  Exposure of information should be prevented with additional security
measures
Secrecy
 Prevent information from exposure by keeping it secret (i.e. on a need to
know basis)
Privacy
 Personal information and information of a sensitive nature should be kept
private

12

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

 Seclusion
 Avoid information being exposed by relocating it
Isolation
 Avoid information being exposed by separating it from other information
Accuracy
 Information and data is correct
Truthfulness
 Information and data is ‘realistic’ or representative of reality
Authenticity
 Information and data is genuine and trustworthy
Integrity Validity
 Information and data is logical and factual
Non-repudiation
 A user of a computer system or resource cannot deny an action they had
performed once identified, authorised and authenticated
Accountability
 A user should be held responsible for actions and activity performed on a
computer system or resource
Usability
 The use of computer systems and resources should be user-friendly and
understandable for the majority of users

Availability Accessibility
 The use of computer systems and resources should be available to anyone
regardless of any limitations they may have
Timelessness
 Computer systems and resources should be available whenever needed
Figure 3 – Associated terminology of the C.I.A. Triad (Chapple, Stewart and Gibson, 2018, pp. 2-12)

13

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

MANAGEMENT OF INFORMATION SECURITY

THE ROLE OF MANAGERS

Management is known as a process in which members of an organisation ‘mangers’ are

tasked with setting goals and objectives that they wish to achieve in a specific timeframe and

with a specific set of resources. Whitman and Mattford (2014, pp. 8-9) describe three main

roles of a manager:

 An informational role: to inform

 An interpersonal role: to relate

 A decisional role: to take action

CHARACTERISTICS OF M ANAGERS

According to Popular Management Theory (POLC), effective managers employ good skills

in the following domains (Whitman and Mattford, 2014, pp. 8-14):

 Planning: The creation, implementation and development of strategies that can be

used to achieve goals and objectives. Planning can be further split into the following

categories:

o Strategic planning: Long-term strategies

o Tactical planning: Mid-term strategies

o Operational planning: Short-term (day-to-day) strategies

 Organising: This concerns the ability of managers to optimise the combination of

available set of resources to achieve goals and objectives. Organising can include

14

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

 building departments within the organisation that consist of the right combination of

personnel and expertise required to meet these goals and objectives.

 Leading: one of the more critical tasks that a manager has to do well to ensure that

personnel are being positively steered and motivated to accomplish their tasks and

activities.

 Controlling: A manager needs to actively monitor that all activities are progressing

as intended and to make the appropriate adjustments in the event that an activity is not

in-line with the set goals and objectives

 Problem solving: A key skill that managers need to have is an ability to effectively

solve problems and develop solutions that can reduce or eliminate them.

The interlink between the roles of managers and the characteristics of management is

outlined in the figure below:

Figure 4 - Management Characteristics (Whitman and Mattford, 2014, p. 10)

15

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

AN OVERVIEW INFORMAT ION SECURITY MANAGEMENT

The goals of the Information Security management team is to focus on assuring the three

elements of the C.I.A. Triad. This is done with effective planning, development of

organisation-wide security policies, creation of programs for security awareness,

management of personnel, projects and project management (Whitman and Mattford,

2014, pp. 13-16). The principles of Information Security management are summarised below.

1. Planning: Ensuring the alignment of the overall business strategy with the IT

strategy. The goal of planning for Information Security management is to ensure that

the strategies and achievement of objectives are in support of each other.

2. Policy: The development of a set of guidelines that govern the behaviour and use of

information systems, resources and infrastructure in the achievement of security

goals. Policies can either be Enterprise Information Security policy (EISP), Issue-

specific security policies (ISSPs), System-specific policies (SysSPs) (Whitman and

Mattford, 2014, p. 14). Examples of such policies are Access Control policies, Data

Protection policies and Internet Usage policies.

3. Programs: A set of programs can be developed individually to support improved

security outcomes within the organisation. Examples of such a program is the

commonly used Security Awareness Training which provides personnel with the

education and knowledge needed to understand the existing cyber threats, the

underlying systems, processes and procedures used to deal with them.

16

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

 4. Protection: The development and implementation of Information Security protection

strategies such as risk management, incident response, disaster recovery and cyber

threat intelligence.

5. People: The security management team is segmented and built with the appropriate

level and separation of skills to carry out and achieve overall security outcomes.

6. Projects and project management: The implementation, management and

development of individual Information Security projects such as the adoption of

technology or systems to improve security readiness or the allocation of resources to

ensure the continual alignment and progress towards goals and objectives. Project

management is generally adopted using a standardised process or Information

Security specific project management methodology or framework.

17

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

CONCLUSION

The section below is a summary of all the topics that have been covered in the reading

material for this week.

THE CORE PRINCIPLES OF SECURITY

Security refers to the strategies and mechanisms that organisations use to protect their

information systems, resources and infrastructure from potential security threats.

The four main Information Security strategies are:

1. Physical Security - protection of resources from physical threats

2. Operations Security - assuring the continuity of business operations and preventing

interruption and disruption of operations

3. Communications security - protecting devices and technology from malicious cyber-

attacks and unauthorised use

4. Network Security - preventing the risk of cyber-attacks by adopting software and

hardware strategies such as encryption, access control, firewalls, intrusion detection

and intrusion prevention

Protecting the elements from the C.I.A. Triad is fundamental in achieving Information

Security and cybersecurity goals and objectives:

1. Confidentiality - assuring restricted and authorised access to data and information

2. Integrity - assuring that information and data is accurate, valid, complete and

unmodified during use, storage and transit

18

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

 3. Availability - information and data should be accessible and in a useable state when

needed

The relevant extensions to the C.I.A. Triad include:

 Identification - users can identify themselves when using systems and resources

 Authentication - users can prove their identify when using systems and resources

 Authorisation - users are provided with specific access rights and privileges when

using systems and resources

 Auditing - a computer system can trace and log activity in the event of a cyber-attack

or if an audit is required

 Accountability - users can be held responsible for their actions and activities on the

systems and the resources they use

MANAGEMENT OF INFORMATION SECURITY

The management of Information Security involves managers taking on informational,

interpersonal and decisional roles to achieve goals and objectives. They are responsible for a

variety of tasks including planning, organising, leading, controlling, and solving problems

Information Security management is the process of assuring the elements of the C.I.A.

Triad based on the following principles:

 Planning - alignment of business strategy with Information Security strategy

19

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

  Policy - development of guidelines governing behaviour and use of information

systems, resources and infrastructure.

 Programs - developing programs to support and improve security outcomes

 Protection - developing and implementing of Information Security strategies to

prevent, mitigate or eliminate cyber threats

 People - building a security team with the required skills needed to achieve security

outcomes

 Projects and project management - developing, managing and implementing

projects that support continued efforts to achieve security outcomes

20

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts

REFERENCES

Bosworth, S, Kabay, M.E & Whyne, E., 2014. Computer Security Handbook. 6th ed. NJ:

John Wiley and Sons Inc.

Brooks, C.J et al., 2018. Cyber Security Essentials. : John Wiley and Sons, Inc.

Chapple, M, Stewart, J.M & Gibson, D., 2018. CISSP Certified Information Systems Security

Professional: Official Study Guide. 8th ed. Indianapolis: John Wiley and Sons Inc.

In: Merriam-Webster. 2021. Security. [online] Merriam-Webster. Available at:

<https://www.merriam-webster.com > [Accessed 5 June 2021]

Lallie, H., Shephard, L., Nurse, J., Erola, A., Epiphaniou, G., Maple, C. and Bellekens, X.,

2021. Cyber security in the age of COVID-19: A timeline and anylysis of cyber-crime and

cyber-attacks during the pandemic. Computers & Security, 105, p. 102248.

NIST – Computer Security Resource Center. 2021. InfoSec - Glossary. [online] Available at:

< https://csrc.nist.gov/glossary >

Sutton, D., 2017. Cyber Security - A Practitioner's Guide. Swindon: BCS Learning &

Development Ltd.

Whitman, M. and Mattford, H., 2014. Management of information security. 4th ed. Stamford:

Cengage Learning.

21

UEL-CN-7014 – Security Management – Week 1 – Fundamental security concepts