IT Security Fundamentals
This is a beginner-level course designed to give you an introduction to information technology security concepts. It will suit anyone interested in understanding the fundamentals of security from both a business and a technology perspective.
In this course we will:
- Introduce the concept of information security
- Cover the basic concepts that pertain to information security
- Begin to answer the question: what is information security and why do we need it?
- Explore some of the frameworks, controls and activities we can implement to manage information security
This is a beginner-level course; a basic understanding of computing concepts will be useful.
Please reach out to us at firstname.lastname@example.org with any questions, comments or feedback.
Hello and welcome back. Let's delve into assurance. We have intrinsic assurance, if you will, which also works extrinsically: it applies both when we're creating products and when we're using products.
Our users will have functional requirements, and they'll specify those: "we need our software to do this, and it needs to be secure in this other fashion."
We also have security assurance requirements: we need to be sure that our software actually does this. We'll call this whole thing our protection profile. Vendors take that protection profile and create what's known as a security target for the target of evaluation.
So they evaluate the product they've made against the specifications provided in the protection profile, and they call this whole thing the security target: there's the target of evaluation, being evaluated against the protection profile, and the security target is the level we aim to have it at. We then send it off to a test lab for an evaluation assurance level, an EAL, and if you pass, you'll be given an EAL of one to seven.
Now, as a vendor or a maker of software or hardware, whatever it might be, you specify the level to which you want to be tested.
Remember, all you've done is implement the product and make claims about it. Then you push it over to the lab and say, "Hey, listen, I've made a product here. I've made a satellite. It never goes down. It's always up. The system never changes up there. I never need updates, because I've just made the most perfect system ever, and it's going to be perfect for about 20 years." Then they test it and say, "That's fantastic. Everything you've said you've done is real, and we've investigated it to a level seven, so thanks for the million pounds you paid. Here's your EAL."
EAL levels run from one to seven. There's an interesting level at four: we have our one, our seven, and our four. Level four is what we call our retrofit level.
The reason we call it the retrofit level is this: anything that was previously evaluated to, let's say, a level seven, or a five or six, if you ever, for any purpose, need to upgrade the software or the hardware or anything, retrofits automatically back to level four, and it will never be evaluated higher than that again, because we assume it was never truly at the level it was evaluated at anyway. So that's our retrofit level. Software vendors are clever enough not to waste their money getting evaluated above that level, so that is where most things live.
Operating systems are a good example. If you jump online and look up the evaluation assurance levels for Microsoft Office, OSX or Red Hat, that type of thing, you will find that they're EAL level four.
The certifying body in the UK is the NCSC, and over in the States it's NIST. They will give you those certificates, and the testing is backed by an ISO standard as well: ISO/IEC 15408. I normally connect that with the target of evaluation, the 15408 ISO.
If you are dealing with government software, you're probably going to want to make sure that you have this testing done. This is all under the Common Criteria, by the way, for which there is a website: https://www.commoncriteriaportal.org/
Another certification program is CPA, or Commercial Product Assurance. This is for programs like Word, Outlook and other off-the-shelf products which may be added to systems at work or to governmental systems. These products have to be evaluated to a level that we trust, and when they are, they align with the Official tier of the government protective marking scheme.
With software there will also be different types of evaluation and risk management processes that the software goes through when it's included at the higher levels of certification. With CPA it's the same type of thing: there are characteristics that have to be met, which is different from you simply saying, "my software does this."
With CPA there are characteristics that must be met in order for you to receive a certificate. The NCSC publishes the specific characteristics that must be met, you send your software to a lab, the lab tests for those actual characteristics, and then they award you a certificate.
Commercial Product Assurance is the foundational level here, at the Official tier of the government protective marking scheme. Up higher we've got high-grade software and cryptographic product assurance.
FIPS is managed by NIST. FIPS 140-2 is the current standard, Security Requirements for Cryptographic Modules; it covers how we actually look at cryptographic modules and the security levels assigned to them.
FIPS has security levels. Security level four looks at physical security mechanisms and an envelope of protection around the cryptographic module, so we're looking at physical protection of that module.
At level three we're looking at the system recognising that it's under attack and doing something about it, such as wiping the flash media or the hard drive. These are the FIPS 140-2 levels that we use. So we have basic cryptographic assurance, and then physical tamper evidence: we need some evidence that things have been physically tampered with.
Then we've got role-based authentication, so not just administrators but actual different usernames and what each is able to do; tamper resistance; identity-based authentication (who you are); physical and logical separation between interfaces, not just physical but logical, or software-based, separation as well; and then, obviously, physical security robustness against environmental attacks, so things like floods, electrical shocks, that sort of thing.
Originating from a systems administration/network architecture career, he spent a solid part of his career building networks for educational institutes. With security being a mainstay of his implementations, he grew a strong passion for everything cyber-orientated, especially social engineering. His educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship, a CCNA Cyber Ops holder, and was selected for the CCNP Cyber Ops program.