# Lecture 1: Core Concepts and Terminology in Information Security

**Theme:** Information Security Fundamentals

**Technical University of Moldova**

**Lecturer:** Maxim Masiutin, Adjunct Professor

---

## Introduction

Good morning, everyone. Welcome to our first lecture in the Information Security Technologies course. Over the next three months, we will explore the fascinating and critically important world of information security. Today, we begin with the foundational concepts that everything else builds upon.

Before we dive into specific technologies, attacks, or defenses, we need to establish a common vocabulary. Information security has its own language, and understanding these terms precisely is essential. A single misunderstood concept can lead to a misconfigured system, and a misconfigured system can lead to a breach affecting millions of people.

Let me start with a question: How many of you have heard about a data breach in the news this year? I suspect everyone raised their hand. Data breaches are now so common that we almost expect them. According to Cybersecurity Ventures, the global cost of cybercrime is projected to reach 10.5 trillion dollars by 2025. That number is larger than the GDP of most countries. This is why we are here today.

---

## Part 1: Information Security vs. Cybersecurity

Let us begin by clarifying two terms that are often used interchangeably but have distinct meanings: information security and cybersecurity.

**Information security**, sometimes called InfoSec, is the practice of protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction. Notice that this definition does not specify how the information is stored. Information security covers paper documents in a filing cabinet just as much as it covers data in a cloud server. If you have ever seen a notice saying "Authorized Personnel Only" on a door, that is information security in action.
**Cybersecurity** is a subset of information security that specifically deals with protecting electronic systems, networks, and data from digital attacks. When we talk about firewalls, intrusion detection systems, or malware, we are in the realm of cybersecurity.

Here is a practical way to think about the difference: If someone breaks into an office and steals printed customer records from a desk, that is an information security incident but not a cybersecurity incident. If someone hacks into a database remotely and downloads those same records, that is both an information security incident and a cybersecurity incident.

Throughout this course, we will focus primarily on cybersecurity, but always remember that it exists within the broader context of information security. The most sophisticated firewall in the world cannot protect you if an employee leaves confidential documents on a train.

---

## Part 2: The CIA Triad

Now we come to the most fundamental model in information security: the CIA Triad. No, this has nothing to do with the Central Intelligence Agency. In our context, CIA stands for **Confidentiality**, **Integrity**, and **Availability**. These three properties form the foundation of every security decision we make.

Let me draw this on the board as a triangle. Each corner represents one of these properties, and a secure system must maintain all three in balance.

### Confidentiality

**Confidentiality** means ensuring that information is accessible only to those who are authorized to access it. When we protect confidentiality, we are preventing unauthorized disclosure of information.

Think about your bank account. Only you and authorized bank employees should be able to see your account balance. If a random stranger could view your financial information, that would be a confidentiality breach.
Confidentiality is threatened by various attacks:

- **Eavesdropping**: Someone intercepts your network traffic to read your emails
- **Shoulder surfing**: Someone watches you type your password
- **Social engineering**: Someone tricks you into revealing confidential information
- **Data breaches**: Attackers steal databases containing personal information

We protect confidentiality through:

- **Encryption**: Converting data into an unreadable format without the proper key
- **Access controls**: Ensuring only authorized users can access specific resources
- **Authentication**: Verifying the identity of users before granting access
- **Physical security**: Locks, guards, and secure facilities

Let me give you a real-world example. In 2017, the Equifax breach exposed the personal information of 147 million Americans, including Social Security numbers, birth dates, and addresses. This was a catastrophic confidentiality failure. The attackers exploited a known vulnerability that Equifax had failed to patch. The lesson here is that confidentiality requires constant vigilance.

### Integrity

**Integrity** means ensuring that information remains accurate, complete, and unaltered except by authorized parties. When we protect integrity, we are preventing unauthorized modification of data.

Consider a medical records system. If a patient is allergic to penicillin, that information must remain accurate in their medical record. If an attacker or a software bug changed that record, the consequences could be fatal. That is why integrity matters.
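A worked illustration of the medical-record example, added here and not part of the lecture notes (the record and the key are constructed for the example). It goes one step beyond the hashing protection this section describes: a plain SHA-256 fingerprint detects accidental corruption, but not an attacker who can rewrite the stored digest along with the record, whereas a keyed hash (HMAC) under a key the attacker lacks catches both.

```python
"""Integrity protection for a medical record: plain hash vs. keyed hash (HMAC)."""
import hashlib
import hmac
import json

# Constructed sample record, based on the lecture's penicillin example.
RECORD = {"patient_id": "P-0001", "allergies": ["penicillin"]}
# Constructed secret key; assumed known only to the records service.
SECRET_KEY = b"example-integrity-key-do-not-reuse"


def serialize(record: dict) -> bytes:
    """Canonical encoding so the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(record: dict) -> str:
    """Plain SHA-256 digest: detects accidental corruption (disk errors, bugs)."""
    return hashlib.sha256(serialize(record)).hexdigest()


def keyed_fingerprint(record: dict, key: bytes) -> str:
    """HMAC-SHA256 tag: an attacker who rewrites the record cannot recompute
    a matching tag without the key, so deliberate tampering is detected."""
    return hmac.new(key, serialize(record), hashlib.sha256).hexdigest()


def verify_plain(record: dict, stored_digest: str) -> bool:
    # compare_digest avoids leaking information through comparison timing
    return hmac.compare_digest(fingerprint(record), stored_digest)


def verify_keyed(record: dict, stored_tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_fingerprint(record, key), stored_tag)


def demo() -> dict:
    """Run the scenarios and report which check caught which change."""
    digest = fingerprint(RECORD)
    tag = keyed_fingerprint(RECORD, SECRET_KEY)

    # 1. Accidental corruption: the allergy list is silently lost, the stored
    #    digest is untouched, so the plain hash no longer matches.
    corrupted = {"patient_id": "P-0001", "allergies": []}

    # 2. Deliberate tampering by someone who can also overwrite the stored
    #    digest: the plain hash is recomputed over the altered record and
    #    matches, so the change goes unnoticed. The HMAC tag cannot be
    #    recomputed without SECRET_KEY, so the original tag still fails.
    tampered = {"patient_id": "P-0001", "allergies": []}
    attacker_digest = fingerprint(tampered)

    return {
        "plain_catches_corruption": not verify_plain(corrupted, digest),
        "plain_catches_tampering_with_rewritten_digest": not verify_plain(tampered, attacker_digest),
        "keyed_catches_tampering": not verify_keyed(tampered, tag, SECRET_KEY),
        "keyed_accepts_intact_record": verify_keyed(RECORD, tag, SECRET_KEY),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The same idea underlies the digital signatures listed below: a signature is a fingerprint that only the holder of the private key can produce, which also gives non-repudiation, something an HMAC shared by both parties cannot.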
Integrity is threatened by:

- **Man-in-the-middle attacks**: An attacker intercepts and modifies data in transit
- **Malware**: Viruses or worms that corrupt or modify files
- **Insider threats**: Employees who intentionally alter records
- **Hardware failures**: Disk errors that cause data corruption
- **Software bugs**: Programming errors that unintentionally modify data

We protect integrity through:

- **Hashing**: Creating a digital fingerprint of data to detect changes
- **Digital signatures**: Cryptographically verifying the source and integrity of data
- **Version control**: Tracking all changes to detect unauthorized modifications
- **Access controls**: Limiting who can modify data
- **Checksums**: Mathematical verification that data has not been altered

Here is an example to illustrate the importance of integrity. In 2010, the Stuxnet worm targeted Iranian nuclear facilities. It did not steal data; instead, it modified the instructions sent to centrifuges, causing them to spin at incorrect speeds while displaying normal readings to operators. This was an integrity attack with physical consequences. The centrifuges destroyed themselves, setting back Iran's nuclear program by years.

### Availability

**Availability** means ensuring that information and systems are accessible to authorized users when needed. When we protect availability, we are preventing disruption of service.

Imagine you need to withdraw money from an ATM, but the bank's systems are down. Or consider a hospital where doctors cannot access patient records during an emergency. Availability is about ensuring systems work when you need them.
Availability is threatened by:

- **Denial of Service (DoS) attacks**: Overwhelming systems with traffic to make them unavailable
- **Distributed Denial of Service (DDoS) attacks**: DoS attacks from many sources simultaneously
- **Ransomware**: Malware that encrypts data, making it unavailable until ransom is paid
- **Hardware failures**: Server crashes, disk failures, network outages
- **Natural disasters**: Floods, fires, earthquakes that damage infrastructure
- **Power outages**: Electricity failures that shut down systems

We protect availability through:

- **Redundancy**: Having backup systems ready to take over if primary systems fail
- **Backups**: Regular copies of data stored separately from the original
- **Disaster recovery planning**: Procedures for restoring operations after a major incident
- **Load balancing**: Distributing traffic across multiple servers
- **DDoS mitigation**: Systems designed to absorb or deflect massive traffic attacks

Let me share an availability example. In October 2016, the Mirai botnet launched a DDoS attack against Dyn, a major DNS provider. The attack took down much of the internet on the US East Coast, including Twitter, Netflix, Reddit, and CNN. Millions of users could not access these services for hours. The attackers used compromised IoT devices, including security cameras and DVRs, to generate the attack traffic. This incident demonstrated how availability threats can have widespread consequences.

### Balancing the Triad

Here is something important to understand: these three properties often conflict with each other. Improving one can sometimes harm another.

For example, to maximize confidentiality, you might encrypt all data and require multiple forms of authentication. But this could harm availability because authorized users might find it difficult to access the data they need quickly. To maximize availability, you might remove all access controls and store data on many servers. But this would destroy confidentiality because anyone could access anything.

Security professionals must constantly balance these competing demands based on the specific context and risk tolerance of their organization. There is no universal right answer.

---

## Part 3: Beyond the CIA Triad - Additional Security Properties

While the CIA Triad has served us well for decades, modern security requirements have expanded. Let us discuss three additional properties that are now considered essential.

### Authentication

**Authentication** is the process of verifying that someone or something is who or what they claim to be. Before you can enforce any access controls, you must first know who is making the request.

Authentication typically involves one or more factors:

- **Something you know**: A password or PIN
- **Something you have**: A smart card, phone, or security token
- **Something you are**: Biometrics like fingerprints or facial recognition
- **Somewhere you are**: Location-based authentication
- **Something you do**: Behavioral patterns like typing rhythm

Multi-factor authentication (MFA) combines two or more of these factors. When you log into your bank and receive a text message with a code, you are using two factors: something you know (your password) and something you have (your phone).

### Non-repudiation

**Non-repudiation** means that a party cannot deny having performed an action. If you sign a contract, non-repudiation ensures you cannot later claim you did not sign it.

In the digital world, non-repudiation is achieved through digital signatures and comprehensive logging. When an executive approves a financial transaction with their digital signature, they cannot later deny having approved it because the cryptographic evidence proves their involvement.
Non-repudiation is crucial for:

- Legal evidence in court
- Audit trails for compliance
- Accountability in financial transactions
- Preventing fraud

### Accountability

**Accountability** means being able to trace actions to the entity that performed them. Every action in a system should be attributable to a specific user or process.

Accountability requires:

- Strong authentication to identify users
- Comprehensive logging to record actions
- Secure log storage to prevent tampering
- Regular log review to detect anomalies

Without accountability, it is impossible to investigate incidents, enforce policies, or hold individuals responsible for their actions.

---

## Part 4: Assets, Threats, Vulnerabilities, and Risks

Now let us discuss four interconnected concepts that are fundamental to security analysis: assets, threats, vulnerabilities, and risks.

### Assets

An **asset** is anything of value that an organization wants to protect. Assets can be tangible or intangible.

**Tangible assets** include:

- Servers and computers
- Network equipment
- Buildings and facilities
- Physical documents

**Intangible assets** include:

- Data and databases
- Software and applications
- Intellectual property
- Brand reputation
- Customer trust

When performing security analysis, we must first identify what we are trying to protect. You cannot secure what you do not know you have.

### Threats

A **threat** is any potential cause of an unwanted incident that could harm an asset or the organization. Threats can be intentional or accidental, internal or external.
**Intentional external threats**:

- Hackers seeking financial gain
- Nation-state actors conducting espionage
- Hacktivists making political statements
- Competitors stealing trade secrets

**Intentional internal threats**:

- Disgruntled employees sabotaging systems
- Insiders stealing data for sale
- Contractors exceeding their authorized access

**Accidental threats**:

- Employees clicking phishing links
- Administrators misconfiguring systems
- Developers introducing bugs

**Environmental threats**:

- Natural disasters
- Power failures
- Hardware malfunctions

### Vulnerabilities

A **vulnerability** is a weakness that can be exploited by a threat to gain unauthorized access or cause harm. Vulnerabilities exist in systems, processes, and people.

**Technical vulnerabilities**:

- Unpatched software with known security flaws
- Misconfigured firewalls allowing unauthorized traffic
- Weak encryption algorithms that can be broken
- Default passwords that were never changed

**Process vulnerabilities**:

- Lack of security policies
- Insufficient employee training
- Inadequate incident response procedures
- Missing access reviews

**Human vulnerabilities**:

- Susceptibility to social engineering
- Tendency to use weak passwords
- Failure to report suspicious activities
- Negligence in following procedures

### Risks

**Risk** is the potential for loss or damage when a threat exploits a vulnerability. Risk is typically calculated as:

**Risk = Threat × Vulnerability × Impact**

Or sometimes simplified as:

**Risk = Likelihood × Impact**

Where likelihood is the probability that a threat will exploit a vulnerability, and impact is the consequence if it does.

Let me illustrate with an example. Suppose your organization uses a web server running old software with a known vulnerability. The threat is hackers who could exploit this vulnerability. The vulnerability is the unpatched software. The risk depends on how likely attackers are to find and exploit this vulnerability and what damage they could cause. If the server is on the public internet containing customer credit card data, the risk is very high. If the server is on an isolated network containing only public marketing materials, the risk is much lower.

Understanding risk allows us to prioritize our security efforts. We cannot protect everything equally, so we must focus on the highest risks first.

---

## Part 5: Security Incidents vs. Security Breaches

Students often confuse these terms, so let us clarify them.

A **security incident** is any event that potentially compromises the confidentiality, integrity, or availability of an information asset. Incidents include:

- Attempted attacks, even if unsuccessful
- Policy violations
- System malfunctions
- Suspicious activities

A **security breach** is a security incident that results in confirmed unauthorized access to data, applications, services, networks, or devices. All breaches are incidents, but not all incidents are breaches.

Here is an example: If someone tries to log into your account with an incorrect password, that is an incident. If they succeed in logging in without authorization, that is a breach.

Organizations must detect, respond to, and learn from both incidents and breaches. Incident response procedures, which we will cover later in this course, define how to handle these situations.

---

## Part 6: Defense in Depth

**Defense in depth** is a security strategy that uses multiple layers of protection. If one layer fails, others remain to provide security. This concept comes from military strategy, where castles had moats, walls, towers, and armed guards, each layer making penetration more difficult.
In information security, defense in depth includes:

- **Physical layer**: Guards, locks, fences, surveillance cameras
- **Perimeter layer**: Firewalls, intrusion detection systems, demilitarized zones
- **Network layer**: Network segmentation, VPNs, access control lists
- **Host layer**: Antivirus software, host-based firewalls, patch management
- **Application layer**: Input validation, secure coding practices, web application firewalls
- **Data layer**: Encryption, access controls, data loss prevention
- **Human layer**: Security awareness training, policies, background checks

Each layer addresses different threats and provides additional protection. An attacker must penetrate multiple layers to reach valuable assets, making successful attacks much more difficult.

---

## Part 7: Security by Design and Security by Default

Two principles guide how we should build secure systems from the beginning.

**Security by design** means considering security throughout the entire development lifecycle, not as an afterthought. When architects design a building, they include fire exits and sprinkler systems from the start. They do not add them after construction is complete. The same principle applies to information systems.

Security by design includes:

- Threat modeling during requirements gathering
- Secure architecture decisions
- Security testing throughout development
- Security reviews before deployment

**Security by default** means that systems should be secure in their default configuration. Users should not need to enable security features; they should need to explicitly disable them if desired.

Examples of security by default:

- Passwords required immediately after installation
- Network services disabled unless explicitly enabled
- Encryption enabled by default
- Minimal privileges granted by default

The opposite approach, where systems ship insecure and users must configure security, leads to countless vulnerabilities because many users never change defaults.
---

## Part 8: Practical Applications

Let me conclude with some practical applications of what we have learned today.

**Scenario 1: Designing a new application**

When your organization develops a new customer portal, you should:

1. Identify assets: Customer data, login credentials, transaction records
2. Identify threats: Hackers, malicious insiders, accidental exposure
3. Identify vulnerabilities: Potential SQL injection, weak authentication, insufficient logging
4. Calculate risks: High risk for customer data theft
5. Apply controls: Encrypt data (confidentiality), validate inputs (integrity), deploy redundant servers (availability)
6. Implement defense in depth: Firewall, WAF, secure coding, encryption, monitoring

**Scenario 2: Evaluating a vendor**

When selecting a cloud provider, ask:

- How do they protect confidentiality? (Encryption, access controls)
- How do they ensure integrity? (Checksums, version control)
- What is their availability SLA? (Uptime guarantees, redundancy)
- How do they handle incidents? (Response procedures, notification)
- What certifications do they have? (ISO 27001, SOC 2)

**Scenario 3: Responding to a phishing attempt**

If an employee receives a suspicious email:

1. Do not click links or download attachments
2. Report to security team (this is an incident)
3. Security team analyzes the threat
4. If credentials were compromised, it becomes a breach
5. Implement additional controls (training, email filtering)
6. Document lessons learned

---

## Summary

Today we covered the fundamental concepts that form the foundation of information security:

1. **Information security vs. cybersecurity**: InfoSec protects all information; cybersecurity focuses on electronic systems
2. **The CIA Triad**: Confidentiality, Integrity, and Availability are the three pillars of security
3. **Additional properties**: Authentication, non-repudiation, and accountability extend the basic model
4. **Assets, threats, vulnerabilities, and risks**: Understanding these relationships enables effective security planning
5. **Incidents vs. breaches**: Incidents are potential compromises; breaches are confirmed unauthorized access
6. **Defense in depth**: Multiple layers of protection provide resilience
7. **Security by design and default**: Build security in from the start

In our next lecture, we will explore the threat landscape in detail, examining who attacks us, why they do it, and what methods they use. We will also discuss frameworks like MITRE ATT&CK that help us understand and categorize threats.

Are there any questions before we conclude?

---

## Further Reading

For those interested in deeper exploration:

- ISO/IEC 27000:2022 for formal definitions of security terms
- NIST Glossary of Key Information Security Terms
- The classic textbook "Security Engineering" by Ross Anderson (available free online)

Thank you for your attention. I will see you in our next session.