The Security+ exam is well-known to test heavily on concepts rather than on purely technical knowledge. Security+ concepts relate to the ideas that govern good information security practices. You can think of these core concepts as a sort of “constitution” or even a “charter” of information security. Any organization or practice will inevitably have some sort of governing ideology; for the Security+ exam (for information security), this ideology is always related to the acronym: CIA.

What’s CIA?
CIA (in this context, of course) stands for Confidentiality, Integrity, and Availability. These are the three tenets or cornerstones of information security objectives. Virtually all practices within the umbrella called “Information Security” are designed to provide these objectives. They are relatively simple to understand and common-sense notions, yet the Security+ exam writers love to test on CIA concepts. So, you should understand CIA very well in order to understand the reasoning behind later practices as well as to ace this portion of the exam.

Confidentiality
Confidentiality refers to the idea that information should only be accessible to its intended recipients and those authorized to receive the information. All other parties should not be able to access the information. This is a pretty common and straightforward idea; the US government, for example, marks certain items “Top Secret,” which means that only those who are cleared to see that information can actually view it. In this way, the government is achieving information confidentiality. Another common example is the sharing of a secret between two friends. When the friends tell each other the secret, they usually whisper so that nobody else can hear what they are saying. The friends are also achieving confidentiality.

Integrity
Integrity is the idea that information should arrive at a destination as it was sent. In other words, the information should not be tampered with or otherwise altered. Sometimes, secret information may be sent in a locked box. This is to ensure both confidentiality and integrity: it ensures confidentiality by assuring that only those with a key can open it; it ensures integrity by assuring that the information cannot be altered during delivery. Similarly, government documents are often sealed with some sort of special stamp that is unique to an office or branch of government. In this way, the government ensures that the people reading the documents know that the document is in fact a government document and not a phony.

Availability
Imagine that a terrorist blocks the entrance to the Library of Congress. Though he did not necessarily destroy the integrity of the books inside, nor did he breach confidentiality, he did do something to negatively affect the security of the Library. We deem his actions a “denial of service,” or more appropriately, a denial of availability. Availability refers to the idea that information should be available to those authorized to use it. When a hacker floods a web server with erroneous requests and the web server goes down as a result, he has denied availability to the users of the server, and thus one of the major tenets of information security has been compromised.

Wrap Up
Well, you’ve completed your first Security+ lesson! That wasn’t so bad, now was it? As you can see, a lot of what is covered on the Security+ exam is actually common sense. However, don’t take CIA lightly – it is heavily tested! Below are a few questions that should help you review what you’ve learned today:

Quick Review
1. Which of the following are components of CIA? (Choose all that apply)
a. Confidentiality
b. Authentication
c. Integration
d. Integrity
e. Availability
f. Character
2. A user encrypts an email before sending it. The only person that can decrypt the email is the recipient. By encrypting the email in this way, the user is attempting to preserve the:
a. Confidentiality of the recipient
b. Accessibility of the email server
c. Confidentiality of the information
d. Integrity of the information
3. A hooligan unplugs the power from the central data server at a large bank. Which of the following describe the effect on information security?
a. Confidentiality has been breached
b. Loss of availability
c. The information has lost integrity
d. None of the above
Answers
1. The components of CIA are Confidentiality, Integrity, and Availability. The answer is (A, D, E)
2. This is a tough question that is sure to manifest itself on the exam. Don’t be confused between confidentiality and integrity. Remember that confidentiality refers to the fact that only the recipient can receive the information, whereas integrity means that the information is basically in the same state that it was sent. Although the encryption may prevent others “in the middle of the communication” from understanding the email, it does nothing to prevent them from manipulating the email being sent. So, the answer is that it only ensures the confidentiality of the information and NOT the integrity of the information. (C)
3. By unplugging the power, the punk is basically denying availability to the users of the server. He is not however actually changing the information stored on the server nor is he trying to read any sort of confidential information. The answer is therefore that his actions produce a loss of availability (B)
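The distinction drawn in answer 2 (encryption keeps the message confidential but does not stop someone in the middle from altering it), as an added example that is not part of the original lesson. A simplified counter-mode stream cipher built on SHA-256 stands in for a real cipher, an HMAC tag supplies the missing integrity check, and the keys, nonce and message are constructed values.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (illustrative stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; decryption is the same operation."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, nonce, len(data))))


def flip(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Alter ciphertext without knowing the key: XOR in the difference old -> new."""
    out = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        out[offset + i] ^= o ^ n
    return bytes(out)


def seal(key_enc: bytes, key_mac: bytes, nonce: bytes, data: bytes) -> tuple:
    """Encrypt-then-MAC: the HMAC tag binds nonce and ciphertext to a second key."""
    ct = encrypt(key_enc, nonce, data)
    return ct, hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()


def open_sealed(key_enc: bytes, key_mac: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag (constant-time compare) before decrypting; reject if altered."""
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message was altered in transit")
    return encrypt(key_enc, nonce, ct)


def demo() -> tuple:
    """Constructed keys, nonce and message. Returns (plaintext an unauthenticated
    receiver accepts after tampering, whether the HMAC-checking receiver caught it)."""
    key_enc, key_mac, nonce = b"e" * 32, b"m" * 32, b"n" * 16
    ct, tag = seal(key_enc, key_mac, nonce, b"PAY $100 TO ALICE")
    forged = flip(ct, 4, b"$100", b"$999")              # confidentiality still holds...
    accepted_blindly = encrypt(key_enc, nonce, forged)  # ...but integrity is gone
    try:
        open_sealed(key_enc, key_mac, nonce, forged, tag)
        caught = False
    except ValueError:
        caught = True
    return accepted_blindly, caught
```

The receiver who only decrypts reads “PAY $999 TO ALICE” and has no way to tell it was changed; the receiver who checks the tag first rejects the message, which is the integrity property the question says plain encryption does not provide.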