Week 1 T&L Activities:

8.1 Security risks

8.1.1 Know the type of confidential information held by organisations:

• Human Resources:

o salaries and benefits

o staff personal details

• commercially sensitive information:

o client details

o stakeholder details

o intellectual property

o sales numbers

o contracts

• access information:

o usernames

o passwords

o multi-factor authentication details

o personal identification number (PIN)

o access codes

o passphrases

o biometric data.

8.1.2 Understand why information must be kept confidential by organisations:

• salary and benefits:

o prevent competitors from offering higher wages to attract staff

o prevent employees from comparing salaries/demanding comparable pay

• staff details:

o protect privacy

o prevent competitors from directly contacting them

• intellectual property:

o prevent competitors from copying designs

• client details:

o prevent competitors from contacting clients

o protect client privacy

• sales numbers

• access information:

o prevent unauthorised access.

8.1.3 Understand the potential impact to an organisation of failing to maintain privacy and confidentiality:

• non-compliance with regulations:

o loss of licence to practise

• loss of trust

• damage to organisation’s image

• financial loss:

o fines

o refunds

o loss of earnings/termination of contracts

• legal action

• reduced security.


Files that support this week

English:

Assessment:


Learning Outcomes:
Awarding Organisation Criteria:
Maths:
Stretch and Challenge:
E&D / BV
Homework / Extension:
ILT
Week 2 T&L Activities:

8.2 Types of threats and vulnerabilities

8.2.1 Understand potential technical threats and their impacts on organisations and individuals, including prevention and mitigation methods:

• botnets

• denial of service (DoS)/distributed denial of service (DDoS)

• malicious hacking:

o hacktivists/nation states/organised crime/individual

o password cracking/brute force

o cross-site scripting

o SQL injection

o buffer overflow

• malware:

o viruses

o worms

o key loggers

o ransomware

o spyware

o remote access trojans

• social engineering:

o phishing

o spear phishing

o smishing

o vishing

o pharming

o watering hole attacks

o USB baiting

• domain name server attack/redirection of traffic

• open/unsecured Wi-Fi networks.

8.2.2 Understand potential technical vulnerabilities to systems and data:

• inadequate security processes:

o weak encryption

o inadequate password policy

o failure to use multi-factor authentication

• out-of-date components:

o hardware

o software (lack of support/compatibility with legacy systems, zero-day bugs)

o firmware.

8.2.3 Understand potential human threats, including prevention and mitigation methods, to systems and data:

• human error:

o file properties

o confirmation boxes

o staff training

• malicious employee:

o immediate removal from the premises

o suspend user accounts immediately

• disguised criminal:

o accompany all visitors

o check identification of visitors

• poor cyber hygiene:

o locking all unattended machines

o not writing passwords down

o poor password management.

8.2.4 Understand potential physical vulnerabilities, including prevention and mitigation methods, to systems, data and information, including:

• lack of access control:

o entry control systems

• poor access control:

o do not allow tailgating

o use complex access codes

o change codes regularly

o monitor access areas

o audit of staff access to secure areas

• nature of location:

o protect against shoulder surfing

o protect against the environment

o protect against vandalism

• poor system robustness:

o rugged machines

• natural disasters.

8.2.5 Understand the potential impact to an organisation of threats and vulnerabilities:

• loss/leaking of sensitive data

• unauthorised access to digital systems

• data corruption

• disruption of service

• unauthorised access to restricted physical areas.


Week 2 T&L Activities:

8.4 Interrelationship of components required for effective security

8.4.1 Understand how the relationships in the CIA triad interrelate:

• confidentiality:

o ensuring that data is kept private by controlling who has access to the data

• integrity:

o ensuring that the data has not been tampered with; this can be done by maintaining confidentiality

• availability:

o ensuring that data is available and useful; this can be done by ensuring integrity.

8.4.2 Understand the elements of the Identification Authentication Authorisation Accountability (IAAA) model, including the techniques used and their benefits and drawbacks:

• identification:

o recognising the individual within a digital system

o knowledge-based identification, including username

o possession-based identification methods

o biometric-based ID methods

• authentication:

o verifying the identity claimed during the identification phase

o multi-factor authentication methods

o passwords and passphrases

o biometric authentication

• authorisation:

o ensuring that authenticated users can only access resources and perform actions that they are permitted to

o role-based using the role of the user within the digital system

o access control lists

• accountability:

o ensuring that any actions within a system can be traced back to the responsible user

o audit logs

o user activity monitoring.


Week 3 T&L Activities:

8.3 Threat Mitigation

8.3.1 Understand the purposes, processes, benefits and drawbacks of common threat mitigation techniques:

• security settings:

o hardware

o software

• anti-malware software:

o function

o actions

• intrusion detection

• encryption:

o hashing

o symmetric

o asymmetric

• user access policies

• staff vetting

• staff training

• software-based access control

• device hardening

• backups:

o type (full, incremental, differential)

o safe storage

• software updates

• firmware/driver updates

• air gaps

• certification of APIs (application programming interfaces)

• VPNs (virtual private networks)

• multi-factor authentication (MFA)

• password managers

• port scanning

• penetration testing:

o ethical hacking

o unethical hacking

8.3.2 Understand the processes and procedures that assure internet security, and the reasons why they are used:

• firewall configuration:

o rules for traffic (inbound and outbound)

o traffic type rules

o application rules

o IP address rules

• network segregation:

o virtual

o physical

o offline network

• network monitoring

• port scanning.

