This is an introduction to the National Institute of Standards and Technology Cybersecurity Framework, also known as the CSF. This program is designed to give you an understanding of the NIST Cybersecurity Framework and how to implement it. Before we jump into the CSF, let's continue with some cybersecurity basics. In this course we focus on information security terms and concepts you will need to understand. You should be familiar with these terms and understand what they mean.

Let's start off with confidentiality. We've talked about this already. Confidentiality is the prevention of unauthorized disclosure. We maintain it through encryption, masking, obfuscation, substitution and similar methods.

Integrity is the prevention of unauthorized modification, whether by an authorized user going beyond what they are permitted to change or by an unauthorized user.

Availability is the accessibility of systems and data to authorized users and processes when they need them.

Auditability is the ability to track and reconstruct events from logs.

Identification is the claim of an identity by a person or process, for example presenting a user ID. It answers the "who are you?" question of IAM, identity and access management. Note that identification on its own proves nothing; that is the job of the next term.

Authentication is the proof of that identification: I am who I say I am, based on the authentication factors I provide. The factors are type one, something you know, like a password; type two, something you have, like a token; and type three, something you are, like a biometric such as a fingerprint, voice print or iris scan. Combining factors of different types is what makes multi-factor authentication stronger than two factors of the same type.

Authorization is what you can do based on the identification and authentication you provided. It is also based on clearances and need to know; in other words, what you can have access to given who you have proven yourself to be.

Nonrepudiation is the fact that you cannot deny that an event or transaction happened under your user ID. It is the opposite of repudiation, which is being able to deny it.
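To make the three IAM terms concrete, here is an added example (not code from the course) that keeps identification, authentication and authorization as three separate checks. The user directory, the salt, the clearance levels, the resource labels and the password are all constructed for illustration; the TOTP seed is the well-known RFC 6238 test key, so the one-time code for time 59 is the published test value 287082. Authentication combines a type one factor (a salted PBKDF2 password hash) with a type two factor (an RFC 6238 TOTP code), and authorization enforces both clearance and need to know.

```python
"""Identification, authentication (two factors) and authorization as three
separate steps. Added example for this course section; the user record,
salt, resources and clearance levels below are constructed, not real data."""
import hashlib
import hmac
import struct

# Production deployments should tune this much higher; it is kept low only so
# the example runs quickly.
PBKDF2_ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Type 1 factor (something you know): store a salted PBKDF2 hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30) -> str:
    """Type 2 factor (something you have): RFC 6238 TOTP is HOTP over a time counter."""
    return hotp(secret, at_time // step)


# Constructed directory: one user with a password hash, a TOTP seed (the RFC 6238
# test key "12345678901234567890"), a clearance level and a need-to-know set.
_SALT = b"constructed-salt-16"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",
        "clearance": 2,
        "need_to_know": {"project-blue"},
    }
}

# Constructed resources: classification level and the project they belong to.
RESOURCES = {
    "project-blue-design.pdf": {"classification": 2, "project": "project-blue"},
    "project-red-budget.xlsx": {"classification": 1, "project": "project-red"},
}


def identify(user_id: str) -> bool:
    """Identification: the caller claims an identity. Nothing is proven yet."""
    return user_id in USERS


def authenticate(user_id: str, password: str, code: str, at_time: int) -> bool:
    """Authentication: prove the claim with two factors of different types.
    Comparisons are constant-time, and the password hash is computed even for an
    unknown user so response timing does not reveal which user IDs exist."""
    user = USERS.get(user_id)
    candidate = hash_password(password, _SALT)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    # Accept the current 30-second step and the previous one to tolerate clock skew.
    otp_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], at_time - skew).encode(), code.encode())
        for skew in (0, 30)
    )
    return pw_ok and otp_ok


def authorize(user_id: str, resource: str) -> bool:
    """Authorization: the clearance must dominate the classification AND the user
    must have a need to know for the resource's project. Clearance alone is not enough."""
    user, res = USERS[user_id], RESOURCES[resource]
    return user["clearance"] >= res["classification"] and res["project"] in user["need_to_know"]


if __name__ == "__main__":
    now = 59  # the RFC 6238 test time, so the expected code is 287082
    print("identified:", identify("alice"))
    print("authenticated:", authenticate("alice", "correct horse battery staple", "287082", now))
    print("blue design allowed:", authorize("alice", "project-blue-design.pdf"))
    print("red budget allowed:", authorize("alice", "project-red-budget.xlsx"))
```

The last call is the one to notice: alice's clearance (2) dominates the red budget's classification (1), yet access is denied because she has no need to know for project-red. That is the difference between clearance and need to know that the lecture describes.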
So nonrepudiation is usually enforced by digital signatures. The signature has to be made with a private key that only the signer holds; a message authentication code computed with a shared key does not give you nonrepudiation, because either party holding that key could have produced it.

Layered security, also known as defense in depth, is having multiple defenses in place to secure a system. For example, entering a government building by showing your ID to the guard, then using your badge to pass through the turnstiles, and possibly badging again in the elevator to reach a floor. No single control has to be perfect, because another layer stands behind it.

Access control is about limiting access to authorized users or processes using some kind of control.

Security metrics and monitoring is the measurement of security activities.

Governance provides control and direction to activities. Strategy is the method of achieving objectives: plans, processes and so on. Architecture is used to define the information security strategy; it consists of layers of solutions, processes and procedures and the way they are linked across the enterprise strategically, tactically and operationally.

The frameworks that deal with enterprise architecture development are the Zachman Framework, a model for the development of enterprise architectures developed by John Zachman; TOGAF, The Open Group Architecture Framework, a model and methodology for developing enterprise architecture, developed by The Open Group; DoDAF, the Department of Defense Architecture Framework, which ensures interoperability of systems to meet military mission goals; MODAF, the British Ministry of Defence Architecture Framework, used mainly to support military missions and developed by the British Ministry of Defence; and SABSA, the Sherwood Applied Business Security Architecture, a model and methodology for developing an information security enterprise architecture that is similar in structure to the Zachman Framework.

Then we have the term management, which is overseeing activities to ensure objectives are met.
Risk, in information security, is the likelihood that a threat source will exploit one or more vulnerabilities, together with the potential for that to create significant impacts or consequences for the organization's assets. When we look at risk, we also have to look at the acceptable level of risk, also known as the risk appetite of the organization. This is a level of risk commensurate with the potential benefits of the organization's operations, as determined by senior management. Senior management decides what level of risk the organization is willing to accept relative to the rewards offered by conducting operations. Remember that every organization makes its own determination of what constitutes an acceptable level of risk and how to manage that risk.

Exposure is being susceptible to asset loss because of a threat exploiting a vulnerability or a flaw. Exposure also establishes the realistic potential for an organization to face certain types of threat. Obviously an organization has greater exposure to the threats posed by its own activities. For instance, an organization involved in commercial fishing faces the threat of losing personnel to drowning, whereas a metropolitan bike messenger service does not. Location is another factor that affects exposure: some natural disasters are native to certain geographical locations and not to others.

Vulnerabilities. NIST Special Publication 800-30 defines a vulnerability as a weakness in an information system, security procedures, internal controls or implementation that could be exploited by a threat source. Said another way, a vulnerability is a weakness that can be exploited by a threat. It is the hole through which the threat gains access to a protected asset. A threat is any person, event or environmental factor that could affect or harm a protected asset.
A protected asset may include a network or its components, files and data, financial assets, or even personnel or organizational reputation. When identifying threats, you first need to understand what the threats, vulnerabilities and risks to your organization could be. For example: natural threats such as fires, floods, tornadoes, hurricanes, storms and earthquakes. Human threats, whether criminal or accidental: malicious outsiders, malicious insiders, loss of key personnel, human error and the like. Technical threats, in other words hardware failures, software failures, malicious code, unauthorized use of systems, or wireless and other new technologies. Physical threats, such as closed-circuit television failures due to faulty components, or perimeter defense failures. Environmental threats such as hazardous waste, biological agents or utility failures. And operational threats, a process, either manual or automated, that affects the confidentiality, integrity or availability of a system.

Residual risk is the risk remaining after controls are put in place. Impact is the result and consequence of a risk materializing.

Criticality goes hand in hand with sensitivity, because the higher the value of information is to the mission and the organization, the more protection it is going to need. Sensitivity is based on the classification and categorization of information which, if disclosed, could cause a specific level of harm to the organization. Maintaining the confidentiality of information reduces the harm or damage to the organization if that information were disclosed. So how do you think we could accomplish this? We normally do it through access control, least privilege and need to know.

Business impact analysis is evaluating the results and consequences of a compromise.
Doing a business impact analysis helps you identify critical processes and functions, what supports them (the people, the systems, the critical infrastructure, the suppliers and so on), and what dependencies on other functions exist. For example, manufacturing relies on financing in order to pay the invoices that get the product in so that they can manufacture. The business impact analysis also adds a time sensitivity on top of the risk assessment: how long each function can be down before the harm becomes intolerable.

Business dependency analysis is an analysis of dependencies on business resources, like a supply chain review. Gap analysis is the difference between what is and the stated objectives. Controls are actions that mitigate or reduce risk. Countermeasures are actions, processes or controls used to reduce vulnerabilities which could be exploited by a threat, resulting in risk. Policies are management's interpretation of requirements, whether regulatory or organizational; in other words, management's intent and direction. Standards support a policy by setting its boundaries, along with procedures, guidelines and baselines. Attacks are types of compromise. And finally, data classification is determining the sensitivity and criticality of information to the organization.

All risks, threats and vulnerabilities are measured for their potential to compromise one or all of the CIA triad principles we discussed earlier: confidentiality, integrity and availability. This is part of threat modeling, a process used to understand the security threats to a system, determine the risks from those threats and establish appropriate mitigations.

Listed here are some technologies you should have an understanding of. You should understand the uses, benefits and constraints of these technologies. The resources used to develop cybersecurity strategies are technologies as well as processes.
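The manufacturing-depends-on-financing point is easiest to see as a dependency graph, so here is an added example (not part of the course material) that ties together business impact analysis, business dependency analysis and gap analysis. The process map, the recovery time objectives (RTO, the hours a function needs to restore itself once its inputs are available) and the maximum tolerable downtimes (MTD, the limit the business set) are all constructed. The recovery model is an assumption stated in the code: restoring a function cannot begin until every function it depends on is back, so a function's effective recovery time is its own RTO plus the slowest of its dependencies. Comparing that figure with the MTD is the gap analysis.

```python
"""Business impact and dependency analysis over a constructed process map.
Added example; the functions, hours and dependencies are illustrative only."""
from typing import Dict, List, Tuple

# name -> (rto_hours, mtd_hours, depends_on)
Fn = Tuple[int, int, List[str]]

FUNCTIONS: Dict[str, Fn] = {
    "manufacturing":     (8, 24, ["financing", "supplier-portal"]),
    "financing":         (4, 72, ["identity-provider"]),
    "supplier-portal":   (12, 48, ["identity-provider", "erp"]),
    "erp":               (24, 48, ["identity-provider"]),
    "identity-provider": (2, 4, []),
}


def effective_recovery(name: str, functions: Dict[str, Fn], _path: Tuple[str, ...] = ()) -> Tuple[int, List[str]]:
    """Hours until `name` is usable again, and the dependency chain that drives it.

    Assumed model: restoration of a function cannot start until everything it
    depends on is back, so effective = own RTO + slowest effective dependency.
    A circular dependency is reported rather than silently recursing forever."""
    if name in _path:
        raise ValueError("circular dependency: " + " -> ".join(_path + (name,)))
    rto, _mtd, deps = functions[name]
    worst_hours, worst_chain = 0, []
    for dep in deps:
        hours, chain = effective_recovery(dep, functions, _path + (name,))
        if hours > worst_hours:
            worst_hours, worst_chain = hours, chain
    return rto + worst_hours, [name] + worst_chain


def gap_analysis(functions: Dict[str, Fn] = FUNCTIONS) -> Dict[str, dict]:
    """Compare each function's effective recovery time with its maximum tolerable
    downtime. A positive gap is a finding: the stated objective cannot be met
    with the current dependencies and recovery times."""
    report = {}
    for name, (_rto, mtd, _deps) in functions.items():
        hours, chain = effective_recovery(name, functions)
        report[name] = {
            "effective_rto": hours,
            "mtd": mtd,
            "gap": max(0, hours - mtd),
            "critical_path": chain,
        }
    return report


def has_circular_dependency(functions: Dict[str, Fn]) -> bool:
    """True if the process map contains a dependency loop."""
    try:
        for name in functions:
            effective_recovery(name, functions)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, row in gap_analysis().items():
        status = f"GAP {row['gap']}h" if row["gap"] else "ok"
        print(f"{name:18} effective {row['effective_rto']:3}h  mtd {row['mtd']:3}h  {status}  via {' -> '.join(row['critical_path'])}")
```

Run on the constructed map, manufacturing's own 8-hour RTO looks comfortable against its 24-hour MTD, but its effective recovery time is 46 hours because the supplier portal waits on ERP, which waits on the identity provider. The gap is driven by a system two hops away, which is exactly the kind of dependency a business impact analysis is meant to surface before an incident does.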
Things like firewalls, user account administration, intrusion detection and intrusion prevention systems, antivirus, public key infrastructure, Secure Sockets Layer (SSL, now superseded by TLS), single sign-on systems, biometrics, encryption, privacy, compliance and remote access. Digital signatures, electronic data interchange and electronic funds transfer, virtual private networks, forensics and, finally, monitoring technologies. You should have an understanding of those systems in order to do your assessments and apply the Cybersecurity Framework within your organization.

In summary, in this course we have covered the information security terms and concepts you should understand in order to apply the Cybersecurity Framework.