From the course: Cert Prep: ISC2 Certified in Cybersecurity (CC)

Confidentiality

Information plays a vital role in the operations of the modern business. And we find ourselves entrusted with sensitive information about our customers, employees, internal operations, and other critical matters. As IT professionals, we must work with information security teams, other technology professionals, and business leaders to protect the security of that information. Now, when we talk about cybersecurity, we're referring to three main concerns: the confidentiality of information, the integrity of information, and the availability of information. You can remember these three main goals by thinking of the CIA triangle. Each side of this triangle covers one of the three main goals. I'm going to spend a few minutes talking about each one of them, beginning with confidentiality. Confidentiality ensures that only authorized individuals have access to information and resources. And this is what most people think of when they think about information security, keeping secrets away from prying eyes. And confidentiality is in fact how security professionals spend the majority of their time. As you prepare for the exam, you'll need to understand the main threats against each of the cybersecurity objectives. We'll talk about many different kinds of threats as we work our way through this course. But for now, I'd like to introduce you to five of them: snooping, dumpster diving, eavesdropping, wiretapping, and social engineering. Snooping is exactly what the name implies. The individual engaging in snooping wanders around your office or other facility and simply looks to see what information they can gather. When people have sensitive papers on their desks or in a public area, it creates an opportunity for snooping. Organizations can protect against snooping by enforcing a clean desk policy. Employees should maintain a clean workspace and put away any sensitive materials whenever they step away, even if it's just for a moment.
Dumpster diving attacks also look for sensitive materials, but the attacker doesn't walk around the office. Instead, they look through the trash, trying to find sensitive documents that an employee threw in the garbage or recycling bin. You can protect your organization against dumpster diving attacks using a pretty simple piece of technology, a paper shredder. If you destroy documents before discarding them, you'll protect against a dumpster diver pulling them out of the trash. Eavesdropping attacks come in both physical and electronic forms. In a physical eavesdropping attack, the attacker simply positions themselves where they can overhear conversations, such as in a cafeteria or hallway, and then listens for sensitive information. We can protect against eavesdropping attacks by putting rules in place limiting where sensitive conversations can take place. For example, sensitive conversations should generally take place in a closed office or conference room, definitely not in the cafeteria. Electronic eavesdropping attacks are also known as wiretapping. They occur when an attacker gains access to a network and then monitors the data being sent electronically within an office. The best way to protect against electronic eavesdropping attacks is to use encryption to protect information being sent over the network. If data is encrypted, an attacker who intercepts that data won't be able to make any sense of it. I'll talk more about how encryption works later in this course. The last type of confidentiality attack we'll talk about is social engineering. In a social engineering attack, the attacker uses psychological tricks to persuade an employee to give them sensitive information or access to internal systems. They might pretend that they're on an urgent assignment from a senior leader, impersonate an IT professional, or send a phishing email. Now, it's really difficult to protect against social engineering attacks.
The best defense against these attacks is educating users to recognize the dangers of social engineering and empowering them to intervene whenever they suspect an attack is taking place. That wraps up our discussion of five major confidentiality threats: snooping, dumpster diving, eavesdropping, wiretapping, and social engineering.