CompTIA Security+ Exam Cram: Risk Management
- Exemplify the Concepts of Confidentiality, Integrity, and Availability
- Explain Risk-Related Concepts
- Carry Out Appropriate Risk-Mitigation Strategies
- Explain the Importance of Security-Related Awareness and Training
- What Next?
The traditional “C-I-A Triad” of security directives includes maintaining the confidentiality, integrity, and availability of data and services. Threats to these three principles are constantly present and evolving. Defensive measures must be put into place to mitigate risk within the enterprise. This chapter examines risk, mitigation strategies, and the value of security-awareness training in managing risk.
Exemplify the Concepts of Confidentiality, Integrity, and Availability
The first principle of information security is that of confidentiality. Confidentiality involves controls to ensure that security is maintained when data is both at rest (stored) and in use (during processing and transport) to protect against unauthorized access or disclosure.
Confidentiality controls include physical access controls, data encryption, logical access controls, and management controls to put in place policies to protect against shoulder surfing, social engineering, and other forms of observational disclosure. We discuss individual access control mechanisms later in this book; this chapter addresses them only in terms of risk mitigation.
The second principle of information security is that of integrity. Integrity involves controls to preserve the reliability and accuracy of data and processes against unauthorized modification. Integrity controls include malware defenses protecting against data corruption or elimination, validation code that protects against code injection or malformed data input, data hashing validation identifying modifications, and limited user interface options controlling the types of access available to data.
The final principle of information security is that of availability. Availability involves controls to preserve operations and data in the face of service outages, disaster, or capacity variation. Availability controls include load balancing systems, redundant services and hardware, backup solutions, and environmental controls intended to overcome outages affecting networking, power, system, and service outages.
Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.
Which two of the following support the preservation of data availability?
- A. Anti-static carpet
- B. Firewall
- C. Mirrored windows
- D. Physical access control
Antivirus software preserves which two elements of data security?
- A. Confidentiality and Integrity
- B. Integrity and Availability
- C. Availability and Confidentiality
- D. Accuracy and Reliability
- Regularly expiring passwords preserves data __________ and __________.
- A. Confidentiality
- B. Integrity
- C. Availability
- D. Longevity
Cram Quiz Answers
- A and D. Environmental controls such as anti-static carpeting aid in protecting against system failure and so preserve availability of data and services. Physical access controls protect against system theft, destruction, or damage. Answer B is incorrect because firewalls restrict access data and services, and although deletion is possible, this control is focused on preserving confidentiality and integrity. Answer C is incorrect because mirrored windows protect confidentiality by preventing observation of displayed data, user keystrokes, and other information of potential interest.
- A. Malware defenses such as antivirus services protect the confidentiality and integrity of data by eliminating viral agents that could otherwise capture keystrokes, relay webcam audio/video, or modify data and services. Answers B and C are incorrect because malware defenses are not focused on the preservation of data and service availability beyond preventing outright wipe of the infected system. Answer D is incorrect because accuracy and reliability are data qualities within the Integrity principle, not directly parts of the C-I-A Triad.
- A and B. Regular password expiration protects against reuse of compromised passwords and mitigates brute-force attacks by changing keys before all combinations can be tested. These actions protect access controls over data review and modification, preserving confidentiality and integrity of data. Answer C is incorrect because password expiration does not directly affect data and service availability. Similarly, answer D is incorrect because data longevity is unrelated to passwords and exists only as business operations allow. Some data might be updated many times every minute whereas other data remains static for years.