CIA = confidentiality, integrity, and availability
– these three concepts are the fundamental principles of information security; their opposites are disclosure, alteration, and destruction (DAD). An organization’s overall attitude toward CIA, and how it applies it, defines the organization’s security posture. A bank’s security posture, for example, will differ from a coffee shop’s. Note that the CIA concepts apply not just to the organization as a whole, but to individual components of a system as well.
AAA = Authentication, Authorization, and Auditing
– a framework for controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services (authentication establishes who you are, authorization what you may do, and auditing records what you did).
Defense in Depth
Layering multiple independent security controls so that no single failure exposes the system. Defense in depth minimizes the probability that the efforts of malicious hackers will succeed. A well-designed strategy of this kind can also help system administrators and security personnel identify people who attempt to compromise a computer, server, proprietary network or ISP (Internet service provider).
Principle of Least Privilege
The principle of least privilege (PoLP; also known as the principle of least authority) is an important concept in computer security: each user account (and each process or service) is granted only the privileges its job actually requires, and nothing more.
SoD - Segregation (or Separation) of Duties
Physical or logical separation of personnel, or of parts of systems, that have powerful capabilities, in order to prevent intentional or unintentional damage to the CIA of that system. Examples include requiring users with multiple roles to log on with different credentials for each role (e.g., a separate login as an unprivileged user versus as an administrative user); separating sensitive data entry personnel from transaction approval personnel; and separating development from production systems.
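The three entries above (AAA, least privilege and separation of duties) fit together in one small authorization layer. The following Python is an added example written for this glossary, not code from the page or any product it mentions; the roles, permissions, user names and transaction ids are constructed for the demo, and authentication is assumed to have already happened upstream. Each role carries only the permissions its job needs (least privilege), the same person may not both enter and approve the same transaction (SoD), and every decision, allowed or denied, is written to an audit trail (the third A).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Role -> the minimal set of permissions that job needs (least privilege).
# Constructed for this example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk": {"transaction:enter"},
    "approver": {"transaction:approve"},
    "auditor": {"audit:read"},
}

# Action pairs that one person must never perform on the same object (SoD).
SOD_CONFLICTS: Set[Tuple[str, str]] = {("transaction:enter", "transaction:approve")}


@dataclass
class AuditEvent:
    user: str
    action: str
    target: str
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    # user -> roles held; authentication is assumed to have happened upstream
    users: Dict[str, Set[str]]
    audit_log: List[AuditEvent] = field(default_factory=list)
    # (target, action) -> user who performed it, consulted for SoD checks
    history: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def permissions_of(self, user: str) -> Set[str]:
        """Union of the permissions granted by every role the user holds."""
        perms: Set[str] = set()
        for role in self.users.get(user, set()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def authorize(self, user: str, action: str, target: str) -> bool:
        """Authorization decision; every outcome is recorded in the audit log."""
        if user not in self.users:
            return self._record(user, action, target, False, "unknown user")
        if action not in self.permissions_of(user):
            return self._record(user, action, target, False, "no role grants " + action)
        # SoD: even a user holding both roles may not enter AND approve the same target.
        for first, second in SOD_CONFLICTS:
            if action in (first, second):
                other = second if action == first else first
                if self.history.get((target, other)) == user:
                    return self._record(user, action, target, False,
                                        "SoD: same user already did " + other)
        self.history[(target, action)] = user
        return self._record(user, action, target, True, "ok")

    def _record(self, user: str, action: str, target: str,
                allowed: bool, reason: str) -> bool:
        self.audit_log.append(AuditEvent(user, action, target, allowed, reason))
        return allowed


if __name__ == "__main__":
    ac = AccessControl(users={"alice": {"clerk"}, "bob": {"approver"},
                              "dana": {"clerk", "approver"}})
    ac.authorize("alice", "transaction:enter", "txn-1")    # allowed
    ac.authorize("alice", "transaction:approve", "txn-1")  # denied: least privilege
    ac.authorize("dana", "transaction:enter", "txn-2")     # allowed
    ac.authorize("dana", "transaction:approve", "txn-2")   # denied: SoD
    for ev in ac.audit_log:
        print(ev)
```

Note that the SoD rule only matters for users like "dana" who legitimately hold both roles; for single-role users the least-privilege check already refuses the second action, which is why the audit trail records the reason for each denial separately.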
Risk Analysis
the process of identifying and analyzing the dangers posed to individuals, businesses and government agencies by potential natural and human-caused adverse events. In IT, a risk analysis report can be used to align technology-related objectives with a company’s business objectives.
Security Controls
the countermeasures an organization applies to protect the CIA of its information. Controls can be:
Physical, e.g., locks, lighting, cameras, alarms
Technical (or logical), e.g., firewalls, routers, and switches
Procedural, e.g., due diligence, security awareness training, disaster recovery and business resumption plans, incident response procedures
Regulatory compliance (enforced by government or industry), e.g., HIPAA, SOX, and the credit card industry’s PCI-DSS.
The different types of controls include:
Detective controls, e.g., logging systems, cameras, security guard watch rounds
Preventive controls, e.g., firewalls, SoD, personnel rotation, mandatory vacations
Deterrent controls, e.g., warning signs, lighting, visible cameras, security guards, login warning messages, non-disclosure agreements
Corrective controls, e.g., redundant systems, incident response procedures, backups, anti-virus systems, account lock-out systems, and procedures
Compensating controls, employed when a vulnerability cannot be effectively mitigated directly, e.g., partial isolation (a DMZ), complete isolation from the network or Internet, or defense in depth, i.e., layering security controls around the vulnerability.
OWASP
– The Open Web Application Security Project is an online community that creates freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. The most widely used OWASP document is the OWASP Top Ten, a regularly updated list of the ten most critical web application security risks and how to avoid them. A trove of valuable information and tools for web application security is freely available at OWASP.org.
NIST
is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. NIST publishes a series of well-written special publications on security, freely available for learning about information security, advances in the field, and the application of security controls; they include a comprehensive framework for designing and implementing a security program.
SFTP
stands for SSH File Transfer Protocol (also called Secure File Transfer Protocol); it is a separate protocol packaged with SSH that, like SSH, runs over an encrypted and authenticated connection.
WP-CLI
is a set of command-line tools for managing WordPress installations. You can update plugins, configure multisite installs and much more, without using a web browser. http://wp-cli.org
a Linux-based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site.
SSL/TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as “SSL”, are cryptographic protocols that provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). Major websites use TLS to secure all communications between their servers and web browsers. — Wikipedia
Brute force attack
a methodical (usually automated) attempt to log on to a system by trying every conceivable password until the correct one is discovered.
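Because a brute force attempt is methodical and automated, it leaves a characteristic trace: many failed logins from one source in a short time. The Python below is an added example for this glossary, not code from the page, showing a defender's detection rule run over constructed sshd-style log lines (the hosts, users and IP addresses are invented; the year is assumed because syslog timestamps omit it). It keeps a sliding window of failures per source address and flags a source once it reaches the threshold within the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Optional, Tuple

# Constructed sshd-style lines for the demo (not real logs).
SAMPLE_LOG = """\
Jan 10 03:14:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Jan 10 03:14:03 web1 sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51823 ssh2
Jan 10 03:14:04 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51824 ssh2
Jan 10 03:14:06 web1 sshd[1204]: Failed password for root from 203.0.113.7 port 51825 ssh2
Jan 10 03:14:07 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51826 ssh2
Jan 10 03:14:30 web1 sshd[1210]: Failed password for deploy from 198.51.100.4 port 40010 ssh2
Jan 10 03:15:10 web1 sshd[1211]: Accepted password for deploy from 198.51.100.4 port 40012 ssh2
Jan 10 03:20:00 web1 sshd[1220]: Failed password for root from 192.0.2.9 port 6000 ssh2
Jan 10 03:21:00 web1 sshd[1221]: Failed password for root from 192.0.2.9 port 6001 ssh2
Jan 10 03:22:00 web1 sshd[1222]: Failed password for root from 192.0.2.9 port 6002 ssh2
Jan 10 03:23:00 web1 sshd[1223]: Failed password for root from 192.0.2.9 port 6003 ssh2
Jan 10 03:24:00 web1 sshd[1224]: Failed password for root from 192.0.2.9 port 6004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, source ip) or None for lines we do not understand.
    The year is an assumption: syslog timestamps carry none."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(log_text: str, threshold: int = 5,
                       window_seconds: int = 60) -> Dict[str, datetime]:
    """Map each source ip that produced >= threshold failed logins within
    window_seconds to the time it was first flagged."""
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, ip = parsed
        if result != "Failed":
            continue
        q = windows[ip]
        q.append(ts)
        # drop failures that fell out of the sliding window
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} brute force suspected from {ip}")
```

With the defaults only 203.0.113.7 is flagged: five failures in six seconds. The source 192.0.2.9 also fails five times but spaced a minute apart, so it never has more than two failures inside a 60-second window; a "low and slow" attempt like that only shows up when the window is widened (or the threshold lowered), which is the usual tuning trade-off between catching slow attempts and flagging legitimate users who mistype a password.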
DDoS
stands for Distributed Denial of Service. DDoS is a type of DoS attack in which multiple compromised systems, often infected with a Trojan, are used to target a system and make it fail by overwhelming the target system’s or network’s resources. Victims of a DDoS attack include both the end target and all the systems maliciously used and controlled by the attacker in the distributed attack.