Some security notes

In this post I would like to describe main concepts of information security.
CIA triad:

• confidentiality 
• integrity 
• availability

Three types of controls

• Administrative control 
• Technical control 
• Physical control

 And supplemental: nonrepudiation

4 A's:

• authentication - verifies unique identification 
• authorization - check user rights 
• access control - check resource rights 
• auditing - tracks activities 

Security consists of three main areas:

• Physical security 
• Operational security
• Management and policies

Main goals if information security are:

• prevention 
• detection 
• response 

Security is combination of 3 Ps:

• processes 
• procedures 
• policies 

The main concerns in security process are:

• design goals 
• security zones
• technologies 
• business requirments 

When you think about security design, you have to think about:

• confidentiality 
• integrity 
• authentication 
• accountability 
• availability 

Main security zones are:

• internet 
• extranet 
• DMZ 
• intranet

Main business requirments are:

• identifying assets 
• assessing risks - consists of identifying assests, threat assesment and impact assesment. During impact assesment you are determining potential monetary losts. During threat assesment you are determining probability that threat can occur. Risk assesment may be qualitative and quantitative. Qualitative is descriptive assesment. It needs short time and small budget. 
• identifying threats 
• evaluating vulnerabilities

Three main attack types:

• access attack: dumpster diving, eavesdropping, snooping, interception, 
• modification or repudiation attack
• denial of service attack: ping of death, buffer overflow, TCP SYN flood, smurth attack

Stages of incident response:

• Preparation 
• Identification 
• Containment 
• Eradication 
• Recovery 
• Follow-up