Introduction

The goals of information security

Information security professionals have broad and important responsibilities for safeguarding
the information and systems that are often an organization's most valuable assets. When we
think of the goals of information security, we often use a model known as the CIA triad, shown
here. This model highlights the three most important functions that information security
performs in an enterprise. Confidentiality, integrity, and availability. Confidentiality ensures
that only authorized individuals have access to information and resources.
Confidentiality is what most people think of when they think about information security,
keeping secrets away from prying eyes. And in fact, confidentiality is how most security
professionals spend the majority of their time. Malicious individuals seeking to undermine
confidentiality are often said to engage in disclosure attacks, making sensitive information
available to individuals or the general public without the information owner's consent.
Security professionals are also responsible for protecting the integrity of an organization's
information. This means that there aren't any unauthorized changes to information. These
unauthorized changes may come in the form of a hacker seeking to intentionally alter
information, or a service disruption that accidentally affects data stored in a system. In either
case, it's the information security professional's responsibility to prevent these lapses in
integrity. The final goal of information security is availability, ensuring that authorized
individuals are able to gain access to information when they need it.
If users can't access important business records or systems, that lack of availability may have
a profound impact on the business. Malicious individuals seeking to undermine availability
engage in attacks known as denial of service attacks. These attacks try to either overwhelm a
system or cause it to crash, therefore denying legitimate users the access that they need.

Confidentiality
Throughout this course, you will learn about many different controls, that information
security professionals use to achieve their goals. Each of these controls is a line with at least
one of the three key objectives of information security. Confidentiality, Integrity, and
Availability. One of the things you'll need to do on the exam, is match security controls, with
their corresponding security goals. Let's take a look at some of the controls that security
professionals use, to enhance confidentiality.
One way that we protect the confidentiality of information, is preventing people from
accessing sensitive information in the first place. Access controls are the primary mechanism
for restricting people from seeing data that they should not. Access controls protect
confidentiality by limiting users to accessing only those files where they have been granted
permission. You'll learn more about access controls in the courses covering domain two, asset
security, and domain five, identity and access management.
In those courses, you learn how to use the windows and TFS file access controls, that are
linked with active directory, to restrict file and folder access to individual users and groups

1
that require this type of access. In those same courses, you learn how linux file permissions
achieve the same goal, as administrators manipulate the permissions for a file's user owner,
group owner, and other users, by editing linux permission strings. Encryption is also an
important security control for enforcing confidentiality.
Attackers may try to steal information without going through normal channels. For example,
they might attempt to eavesdrop on network communications, or remove data from a hard
drive, by bypassing the operating system, and it's access controls. Encryption uses
mathematical algorithms to transform plain text into cipher text, that is unintelligible to
anyone who does not have the appropriate decryption key. Encryption is an incredibly
important topicon the exam, and you'll learn more about it in the course covering domain
three, security engineering.
Information can also be hidden in plain sight to protect it. Steganography is a technique that
hides information inside of other files, but subtly manipulating the contents of that file. For
example, steganography may be used to embed a secret message within an image file that's
undetectable to the naked eye.

Integrity
Information security professionals must also supply controls to protect the integrity of
information. As the second leg of the CIA triad, integrity controls ensure that information is
not altered without authorization. Integrity controls protect an organization's
information from accidental or intentional tampering that may come as the result of many
different issues. Integrity failures may result from the intentional alteration of
information, such as an employee altering his or her salary, or a student altering grades.
They may come from user error, such as a data entry clerk accidentally entering the wrong
information into a field, or they may come from software or hardware error, such as an
application or hard drive malfunctioning and writing erroneous data. Finally, they may come
from acts of nature, such as a lightning strike that alters information stored on a disk. Hashing
is one of the core controls used to protect integrity. A hash function is a mathematical
algorithm that computes a unique digest from a file of any length.
This digest is like a fingerprint for the file. It's a short piece of data that can uniquely identify
the contents of a file and tell if it's been modified. Let's take a quick look at hashing in action.
Here I am going to use a common hash function called md5, short for message digest version
five, along with a very simple text file, the Gettysburg Address. So this page that we're looking
at, an md5 hash generator, will take any text that you type into this string field and compute
the md5 hash value for that string.
I'm going to go ahead and paste the text of the Gettysburg Address into this, and as you can
see, the web page already computed for me the md5 hash value of this text. This long string,
beginning with 78E35 and ending with FD7, is the hash value of the text of Gettyburg Address.
Now if I go back up here and make a change, let's say I change this from "Four score and seven
years ago" to "Four score and eight years ago," notice that the hash value has changed to a
completely different value.
If I go ahead and change this back and type "seven" again, I have that original hash value that
began with 78E35 and ended with FD7. That's a major change to the file, but hash values are

2
extremely sensitive. Notice, for example, if I take this comma after "new nation" and delete
it, the hash value again changes completely. Hash values are very good at telling us if any
change has been made to a file, but they can't tell us what changes were made or how
significant those changes were.
Hashes can easily detect changes in a file. You can compute the hash value of a file today and
then compare it to the hash value that you compute tomorrow. If the hash value hasn't
changed, the file hasn't changed. If the two hashes are different, you know that some
modification to the file has taken place. Hashes are the foundation for many different
integrity controls. One of those is digital signatures, a control that helps us achieve the goal
of non-repudiation.
Non-repudiation means that the creator of text cannot later dispute that he or she was the
real originator of that text by claiming that the message was a forgery. Just as you'd sign a
paper document with your physical signature, you can apply a digital signature to a digital file
to achieve non-repudiation. To create a digital signature, the person signing the document
first uses a hash function to create a digest of that document, and then encrypts the hash
value using his or her private encryption key.
The recipient of a digitally signed message can then use the sender's public key to decrypt the
signature and then compute the hash value of the message themselves and compare the
values from step one and step two. If they match, the message is authentic. If they don't
match, the message may have been tampered with. There's a bit more technology in this that
I cover in the CISSP Security Engineering course. Digital signatures can also be used to create
digital certificates.
Digital certificates are files used to provide a system or individual's public encryption key to
previously unknown third parties. Organizations known as certificate authorities create these
certificates and then digitally sign them to show that they are authentic. Again, I cover this in
more detail in the CISSP Security Engineering course.

Availability
As a security professional, you must also understand how to apply security controls that
protect the availability of information and systems. As the third leg of the CIA
triad, availability controls ensure that information and systems remain available to all the
authorized users when needed. Availability controls protect against disruptions to normal
system operation or data availability. Potential availability failures may result from a variety
of causes such as malicious attackers, like someone conducting a denial of service attack to
bring down a website.
Or component failures such as the failure of a hard drive or power supply. They can also come
from application failures such as errors in code that cause an application crash. Or utility
failures such as a power outage that disrupts systems or a network disruption that prevents
internet access. There are many controls in place that can protect the availability of systems
and information. One example of an availability control is the use of redundant components
such as including two power supplies in a system or having extra hard drives that use RAID
technology.

3
Another example is the use of high availability systems that have multiple servers
dedicated to the same purpose so that if one server fails, the others may continue carrying
the operational load. And the more general category of fault tolerance ensures that IT
services remain functioning even when small failures occur. There is one additional
availability control that you should be familiar with for the CISSP exam. Keeping operating
systems and applications patched to current levels ensures that any flaws identified by the
manufacturer are corrected promptly.
This not only protects your system from vulnerabilities that might allow an attacker to gain
access, but also corrects issues that may cause a system to crash, disrupting availability.