Principles of Security Writeup

Date: 04-02-2026 | Platform: TryHackMe | Difficulty: Easy | PT1 Exam Preparation

Overview

This room covers the fundamental principles of information security including the CIA triad, privilege principles, security models, threat modeling, and incident response. Essential knowledge for understanding security foundations in penetration testing.

Task 1: Introduction

Outlines fundamental principles of information security and frameworks used to protect data and systems.

Task 2: The CIA Triad

Information security model used in creating security policies. Consists of three sections: Confidentiality, Integrity and Availability (CIA).

Confidentiality:

Protection of data from unauthorized access and misuse. Examples: employee records, accounting documents, government classification systems.

Integrity:

Information kept accurate and consistent unless authorized changes are made. Defences: access control, authentication, hash verifications, digital signatures.

Availability:

Information should be available when authorised users need to access it. Achieved through reliable hardware, redundancy, and security protocols.

Task 3: Principles of Privileges

It is vital to administer and correctly define the various levels of access that individuals require to an information technology system.

The levels of access given to individuals are determined by two primary factors:

Privileged Identity Management (PIM) vs Privileged Access Management (PAM):

Two key concepts are used to assign and manage the access rights of individuals:

Principle of Least Privilege:

Users should be given the minimum amount of privileges, and only those that are absolutely necessary for them to perform their duties. That way, others can trust what a user writes to the systems they have access to.

PAM Components:

Task 4: Security Models Continued

Before discussing security models further, let's recall the three elements of the CIA triad: Confidentiality, Integrity and Availability. We've previously outlined what these elements are and their importance. However, there is a formal way of achieving this.

According to a security model, any system or piece of technology storing information is called an information system, which is how we will reference systems and devices in this task.

The Bell-La Padula Model:

Used to achieve confidentiality. This model makes a few assumptions, such as that the organisation it is used in has a hierarchical structure in which everyone's responsibilities and roles are well-defined.

The model works by granting access to pieces of data (called objects) on a strictly need-to-know basis. This model uses the rule "no write down, no read up".

Advantages:

  • Policies can be replicated to real-life organisational hierarchies
  • Simple to implement and understand, and proven to be successful

Disadvantages:

  • Even though a user may not have access to an object, they will know about its existence
  • The model relies on a large amount of trust within the organisation

The Bell-La Padula Model is popular within organisations such as governmental and military where members have already gone through vetting (background screening process).

Biba Model:

Arguably the equivalent of the Bell-La Padula model, but for the integrity element of the CIA triad.

This model applies a rule to objects (data) and subjects (users) that can be summarised as "no write up, no read down". This rule means that subjects can create or write content to objects at or below their level, but can only read the contents of objects at or above the subject's level.

Advantages:

  • Simple to implement
  • Resolves the limitations of the Bell-La Padula model by addressing both confidentiality and data integrity

Disadvantages:

  • There will be many levels of access and objects. Things can be easily overlooked when applying security controls
  • Often results in delays within a business (e.g., doctor cannot read nurse's notes)

The Biba model is used in organisations where integrity is more important than confidentiality, such as software development where developers have access only to necessary code.
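As an added example (not part of the TryHackMe room or the writeup), the following reference monitor implements the two rules quoted above, "no write down, no read up" for Bell-La Padula and "no write up, no read down" for Biba, so the duality between the confidentiality and integrity models can be seen on the same requests. The level names and the sample requests are constructed.

```python
# Added example (not part of the TryHackMe room): reference monitor for BLP and Biba.
from enum import IntEnum


class Level(IntEnum):
    """Ordered levels (constructed names); higher = more sensitive (BLP) / more trusted (Biba)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def bell_lapadula(subject: Level, obj: Level, op: str) -> bool:
    """Confidentiality: 'no read up' and 'no write down'. A subject may read
    objects at or below its clearance and write only at or above it, so
    data can never flow from a higher level to a lower one."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba(subject: Level, obj: Level, op: str) -> bool:
    """Integrity: 'no read down' and 'no write up'. A subject may read
    objects at or above its integrity level and write only at or below it,
    so low-integrity data can never contaminate trusted objects."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


def audit(model, requests):
    """Decide a batch of (subject, object, op) requests; a real monitor
    would also log every denial for review."""
    return [(s.name, o.name, op, "ALLOW" if model(s, o, op) else "DENY")
            for s, o, op in requests]


if __name__ == "__main__":
    # Constructed requests from a SECRET-level subject: read up, write down, read same level.
    reqs = [(Level.SECRET, Level.TOP_SECRET, "read"),
            (Level.SECRET, Level.CONFIDENTIAL, "write"),
            (Level.SECRET, Level.SECRET, "read")]
    for model in (bell_lapadula, biba):
        for row in audit(model, reqs):
            print(model.__name__, *row)
```

Running it shows the two models give opposite decisions on the "read up" and "write down" requests: Bell-La Padula denies both (they would leak secrets), Biba allows both (they cannot corrupt trusted data).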

Task 5: Threat Modelling & Incident Response

Threat modelling is the process of reviewing, improving, and testing the security protocols in place in an organisation's information technology infrastructure and services.

A critical stage of the threat modelling process is identifying the likely threats that an application or system may face, and the vulnerabilities it may be exposed to.

Threat Modelling Process:

The threat modelling process is very similar to a risk assessment made in workplaces for employees and customers. The principles all return to:

An effective threat model includes:

STRIDE Framework:

STRIDE, authored by two Microsoft security researchers in 1999, is still very relevant today. STRIDE includes six main principles:

  • Spoofing: This principle requires you to authenticate requests and users accessing a system. Spoofing involves a malicious party falsely identifying itself as another. Access keys (such as API keys) or cryptographic signatures help remediate this threat.
  • Tampering: By providing anti-tampering measures to a system or application, you help provide integrity to the data. Data that is accessed must be kept integral and accurate. For example, shops use seals on food products.
  • Repudiation: This principle dictates the use of services such as logging of activity for a system or application, so that actions can be tracked.
  • Information Disclosure: Applications or services that handle information of multiple users need to be appropriately configured to only show information relevant to the owner.
  • Denial of Service: Applications and services use up system resources, so both should have measures in place to ensure that abuse of the application/service won't bring the whole system down.
  • Elevation of Privilege: This is the worst-case scenario for an application or service. It means that a user was able to escalate their authorisation to that of a higher level, such as an administrator. This scenario often leads to further exploitation or information disclosure.

Incident Response (IR):

A breach of security is known as an incident. Despite all rigorous threat models and secure system designs, incidents do happen. Actions taken to resolve and remediate the threat are known as Incident Response (IR).

Incidents are classified using a rating of urgency and impact. Urgency is determined by the type of attack faced, while impact is determined by the affected system and the effect that has on business operations.

Six Phases of Incident Response:

  • Preparation: Do we have the resources and plans in place to deal with the security incident?
  • Identification: Have the threat and the threat actor been correctly identified so that we can respond?
  • Containment: Can the threat/security incident be contained to prevent other systems or users from being impacted?
  • Eradication: Remove the active threat.
  • Recovery: Perform a full review of the impacted systems to return to business-as-usual operations.
  • Lessons Learned: What can be learnt from the incident? For example, if it was due to a phishing email, employees should be trained better to detect phishing emails.

PT1 Exam Relevance

This room covers fundamental security principles essential for the PT1 certification:

Key Takeaways