Security+ Training Online | Cyber-security Goals (1 of 3)

confidentiality Jan 01, 2018
 

What's up! So let's start your mission to earning your Security+ certification with some basic security goals.

Whenever we start talking about information security we always need to begin with core security goals.  We need to ask what's the real purpose of information security?

Have you every thought about that? Why do passwords, encryption and backups even exist?

Welcome to the CIA

Almost everything in cyber-security boils down to three concepts:

  • Confidentiality
  • Integrity
  • Availability

Remember it like this: CIA. 

I drew a little graphic below to help you with a visual:

Businesses and organizations usually try to apply one or more of these security goals to their security infrastructure.  The specific cases where a business uses these goals are known as use cases

In this quick post, I'm going to share three use cases for Confidentiality.  In the next post we'll talk about Integrity and then we'll wrap up our little series with Availability.

So what is Confidentiality?

How would you define confidentiality? The first time I heard the term I couldn't help but think of the movie Mission Impossible (or was it James Bond?)  I can't remember but the point is that the word "confidential" almost always invokes images of top secret spies stealing sensitive information foreign governments. 

And that's exactly how I want you to think of this stuff. When you think of confidentiality think of this key fact:

The chief purpose of confidentiality is to stop unauthorized data disclosure.

That's it.  Confidentiality simply means we are trying to grant authorized people access to data while simultaneously denying unauthorized people access to that data.

Promising Confidentiality

There are three ways we can make sure confidential data actually stays confidential. 

  1. Access Controls
  2. Encryption
  3. Steganography

Get control of your people!

I feel like the phrase "get control of your people!" is a movie quote or something.  I'm picturing an overweight gym teacher chastising a neophyte substitute teacher because she can't tame her unruly gang of hoodlum students...

Anyway, I have no idea where that came from haha. 

So back to the topic: this may sound like common sense, but access control is all about... drum roll please... controlling access!

Yeah! You got it.

In order to make sure only authorized people are viewing confidential data we need to ask them who they are and then we need to make then prove it.

For example, a person might tell a computer system he is J. Dilla by putting in [email protected] or something like that as his username. This would be his claim to an identity. 

But anyone can claim to be J. Dilla right?  So the system forces the user to prove his identity with a password.  The password constitutes proof because only Dilla should know Dilla's password.  

So when Dilla enters his password, the system needs to grant him access to various resources. 

Should Dilla have the ability to delete all the tables in the Wells Fargo database or should he simply have the ability to log into his checking account?  Should he have the rights to create new users in the banking system or should he merely be able to transfer funds?

That's the role of authorization.

So a system can use identification, authentication and authorization to grant or deny people access to specific resources. 

  • Identification is claiming an identity.
  • Authentication refers to proving your identity with a password and
  • Authorization is all about what you can do once you gain access to the system.

Make sense so far?

Stenography and You

The second way we can make it hard for unauthorized people to view sensitive data is to scramble it up.  If you mix up the words and make it look like a big mess but do it in an orderly fashion so that the only people who can read are the people you want to read it...  well then you've got encryption my friend.

This is great when you need to transmit sensitive data such as card holder data (CHD), protected healthcare information (PHI) and personally identifiable information (PII).  The process of obfuscating data like this is known as encryption.  Encryption is a great way to ensure confidentiality and we'll talk about it more detail as we go through your training.

Stegosaurus Text

The last bit to this whole confidentiality business is known as steganography, or stego if you're leet.  

This is probably my favorite data hiding technique because it's so creative.  Some people refer to steganography as hiding data in plain sight because the data isn't visible even when looking at it directly.  Let me try to explain what I mean by that.

I often go to various security conferences in the Washington, D.C area and there's this one conference called BSides-DC where geeks gather to learn about new cybersecurity technologies and hacking techniques. 

One night I participated in this thing called NetWars which is basically a hacking playground for nerds.  

You get like 300 script kiddies, system admins, network engineers and penetration testers in this huge conference room and you start hacking away at various challenges.  And there's this huge screen in the front with everyone's score displayed so you know how you're matching up against everyone else. 

One day I was working on a mission and I needed to load an image inside of a free graphical imagining editor known as Gimp.  The picture looked like a normal image but when I applied the Warp Image effect, a hidden message emerged which happened to be the password to the next level.

This is stego at it's finest! It's all about hiding data within data.  

By the way,  if you want to see a great example of stego, pop in your email address below and I'll send you my step by step lab that walks you through the process.

It includes a short video so you can get some hands on practice with this stuff and really make it stick in your mind.  

And don't forget to sign-up for our free Security+ Training course!  It's got your name all over it.

Coming Up: Integrity!

In the meantime, I hope you learned something awesome today.  Next week, we'll talk about the "I" of CIA matrix: Integrity.

Peace!  

Take the Next Step!

Join our FREE mailing list to get FREE Security+ training online. You'll get tons of Security+ videos, braindump PDFs, lab simulations and more.

Yes! I want to subscribe
Close

50% Complete

Let's do this!

Pop in your first name and best email address and we'll send you:

The latest updates on the CompTIA Security+ SY0-501 exam

Proven tips and tricks for passing the exam

Hands on video labs with complete step-by-step walk-throughs

And don't forget to refresh your inbox.  You should see us there in about 3 minutes.