In this post, we’ll cover the essential principles of security: confidentiality, integrity, and availability (the CIA Triad); privacy considerations; and key concepts like authentication, authorization, accounting, and non-repudiation.
By the end of this post, you’ll have a clear understanding of how these elements form the foundation of modern cybersecurity practices.
The CIA Triad: Confidentiality, Integrity, Availability
Let’s start with the CIA Triad, which forms the backbone of security principles. CIA stands for confidentiality, integrity, and availability.
Confidentiality
Confidentiality refers to protecting information from unauthorized access or disclosure. In practice, this means ensuring that only those who have permission can view or use the data.
Examples include encrypting sensitive data, using passwords, and employing access control measures.
A common analogy is locking a diary with a key to prevent others from reading it.
Integrity
Integrity involves ensuring that data remains accurate, complete, and unaltered. Any unauthorized changes to the data should be detectable.
Examples include file checksums or hashing algorithms, which verify that data hasn’t been tampered with.
Think of integrity as keeping your bank statement correct and ensuring no one can change the amounts or dates.
Availability
Availability ensures that data and systems are accessible to authorized users when needed. This means maintaining system uptime and avoiding disruptions caused by hardware failure, cyberattacks, or natural disasters.
Examples include redundancy systems, data backups, and denial-of-service protection measures.
Consider availability like ensuring the power is always on in a critical hospital system – it must be operational 24/7.
Privacy Concepts
Next, we move on to privacy. Privacy in the digital age is a growing concern, especially with the proliferation of social media, file sharing, and online communication tools. Let’s break it down into key areas:
Social Networking Sites
Social platforms like Facebook, Instagram, and X (formerly known as Twitter) collect vast amounts of user data. Users should be aware of privacy settings and understand how their personal data is shared or sold to third parties.
Email & Instant Messaging
Email and instant messages often contain sensitive information. Using encryption technologies like PGP (Pretty Good Privacy) for email and end-to-end encryption for messaging apps ensures that communications remain private.
File Sharing
Services like Google Drive or Dropbox are used to share files, but proper access controls are crucial. Encrypt sensitive files before sharing and ensure only authorized individuals can access them.
Personally Identifiable Information (PII)
PII includes data like your name, address, phone number, and Social Security number. Protecting PII is critical because it can be used for identity theft. Always ensure that organizations handle PII with proper encryption and strict access control.
Government Regulations (GDPR)
The General Data Protection Regulation (GDPR) is a European law that governs how personal data should be protected. GDPR mandates that organizations need explicit consent from users to collect their data and that users have the right to know how their data is used. Users also have the right to request the deletion of their data.
Cookie consent is a common requirement under GDPR: websites must obtain user consent before tracking online behavior with cookies.
Authentication, Authorization, & Accounting (AAA)
Now, let’s look at the AAA framework, which stands for Authentication, Authorization, and Accounting. These concepts help control access to resources and monitor activity.
Authentication
Authentication is the process of verifying the identity of a user or system.
There are different types of authentication:
Single-factor authentication involves just one method, like a password.
Multi-factor authentication (MFA) adds more security by requiring two or more verification methods, such as a password and a fingerprint.
Single sign-on (SSO) allows users to log in once and gain access to multiple related systems or services without needing to re-enter credentials for each one.
For example, MFA is common in banking apps where you need a password and a one-time code sent to your phone.
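The one-time code in the banking example is often generated by an authenticator app rather than sent by SMS. The following Go program is an added example, not code from the original post: it implements that time-based one-time password (TOTP, RFC 6238) and the server-side check, including the one-step clock tolerance a verifier needs. The secret is the constructed demo value from the RFC's test vectors, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// totpCode derives a 6-digit code from the shared secret and a 30-second step
// counter, following RFC 6238 (HMAC-SHA1 plus the RFC 4226 dynamic truncation).
func totpCode(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// verifyTOTP accepts the code for the current step or one step either side,
// so a phone clock a few seconds off is still accepted; the constant-time
// comparison avoids leaking how many digits matched.
func verifyTOTP(secret []byte, code string, now time.Time) bool {
	step := uint64(now.Unix() / 30)
	for _, s := range []uint64{step - 1, step, step + 1} {
		if hmac.Equal([]byte(totpCode(secret, s)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret: the RFC 6238 test-vector secret, never a real one.
	secret := []byte("12345678901234567890")
	fmt.Println(totpCode(secret, 1)) // 287082, the RFC vector for t = 59 s
	fmt.Println(verifyTOTP(secret, totpCode(secret, uint64(time.Now().Unix()/30)), time.Now()))
}
```

A production verifier also records the last step it accepted for each user, so that a code observed in transit cannot be replayed within the tolerance window.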
Authorization
Authorization determines what resources a user or system can access, and what actions they are allowed to perform.
Permissions
Administrator accounts have high-level permissions, allowing them to change settings, install software, or access all files.
User accounts have limited permissions to reduce the risk of accidental or malicious system changes.
Least Privilege Model
This security concept means that users should have the minimum permissions necessary to perform their job. By limiting access, organizations reduce the risk of insider threats or accidental damage.
For instance, a marketing team member should not have access to confidential financial reports if it’s not part of their job function.
Accounting
Accounting refers to tracking and logging user actions. This includes maintaining logs of login attempts, location tracking, and web browser history, so that all activities can be monitored and reviewed later if necessary.
Logs help in auditing and can be crucial in tracking down suspicious behavior.
For example, an organization might track login attempts to detect unusual patterns, such as failed login attempts from different countries, which might indicate a hacking attempt.
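As an added example (not part of the original post), here is the detection the text describes run over a constructed, simplified authentication log: it flags any account whose consecutive failed logins come from different countries within a chosen time window. The log format, user names and timestamps are all constructed for the example.

```go
package main

import (
	"sort"
	"strings"
	"time"
)

// Constructed sample auth log (not real data). Columns: timestamp, user, outcome, source country.
const sampleLog = `2024-05-01T10:00:05Z alice FAIL US
2024-05-01T10:00:41Z alice FAIL BR
2024-05-01T10:01:12Z alice FAIL RU
2024-05-01T10:02:30Z bob OK US
2024-05-01T10:03:00Z carol FAIL DE
2024-05-01T14:00:00Z carol FAIL FR`

type failure struct{ ts time.Time; country string }

// parseFailures keeps only FAIL lines, grouped per user in log order;
// malformed lines are skipped rather than trusted.
func parseFailures(log string) map[string][]failure {
	out := map[string][]failure{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err == nil && f[2] == "FAIL" {
			out[f[1]] = append(out[f[1]], failure{ts, f[3]})
		}
	}
	return out
}

// suspiciousUsers flags accounts where two consecutive failed logins come from
// different countries within the window: the "different countries" pattern in the text.
func suspiciousUsers(log string, window time.Duration) (flagged []string) {
	for user, fails := range parseFailures(log) {
		for i := 1; i < len(fails); i++ {
			prev, cur := fails[i-1], fails[i]
			if cur.country != prev.country && cur.ts.Sub(prev.ts) <= window {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}
```

With a 10-minute window only alice is flagged; carol's two failures are hours apart and only appear once the window is widened to a day.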
Non-Repudiation Concepts
The last concept in this framework is non-repudiation, which ensures that a person cannot deny their actions or communications after the fact.
Authentication & Non-Repudiation
Non-repudiation is closely tied to authentication because, by verifying someone’s identity with secure methods (such as digital signatures), it becomes harder for that person to claim they didn’t perform the action.
Digital signatures and encryption are key tools used to guarantee non-repudiation.
Authorization & Non-Repudiation
By strictly controlling and logging access to systems and files, authorization policies also support non-repudiation. If only authorized users can access a file, it is easier to prove who did what, and when.
Accounting & Non-Repudiation
Proper logging and tracking also help with non-repudiation. Logs provide detailed records of the actions users performed, and when they are time-stamped and protected against alteration they can serve as evidence in case of disputes.
For example, in financial transactions, non-repudiation mechanisms are critical to ensure that users cannot deny authorizing a transaction.
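The integrity checks mentioned under the CIA Triad and the digital signatures this section relies on are easy to confuse. The following Go program is an added example (not from the original post) that shows the difference on a constructed payment order: an HMAC with a shared key detects tampering, but because the bank holds the same key it could produce a valid tag itself, so the customer can still deny sending the order; an Ed25519 signature can only be made with the customer's private key, which is what gives non-repudiation. The order text and the shared key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed example: a payment order in the text's banking scenario.
var order = []byte("transfer 500.00 from acct 1234 to acct 9876")

// hmacTag protects integrity: any change to msg changes the tag, but every
// holder of key (customer and bank alike) can compute a valid tag.
func hmacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func hmacValid(key, msg, tag []byte) bool { return hmac.Equal(hmacTag(key, msg), tag) }

// newKeyPair makes an Ed25519 key pair; the customer keeps the private half
// and the bank only ever sees the public key.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// tamperDetected shows that both tools catch an altered order (integrity).
func tamperDetected(key []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) (hmacCaught, sigCaught bool) {
	tag, sig := hmacTag(key, order), ed25519.Sign(priv, order)
	altered := bytes.Replace(order, []byte("500.00"), []byte("5000.00"), 1)
	return !hmacValid(key, altered, tag), !ed25519.Verify(pub, altered, sig)
}

// bankCanForge asks whether the bank, acting alone, could produce "evidence"
// that the customer authorized an order they never sent. With a shared HMAC
// key it can, so the customer can repudiate; without the private key it
// cannot make a signature that verifies under the customer's public key.
func bankCanForge(key []byte, customerPub ed25519.PublicKey) (viaHMAC, viaSignature bool) {
	forged := []byte("transfer 9999.00 from acct 1234 to acct 0001")
	viaHMAC = hmacValid(key, forged, hmacTag(key, forged))
	_, bankPriv := newKeyPair() // the best the bank can do is sign with its own key
	viaSignature = ed25519.Verify(customerPub, forged, ed25519.Sign(bankPriv, forged))
	return
}
```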
Conclusion
Let’s summarize the key points we’ve covered in this lesson:
Confidentiality, integrity, and availability are the pillars of the CIA Triad, ensuring data is protected, accurate, and accessible.
Privacy involves understanding the risks posed by social networking, email, file sharing, and the handling of personally identifiable information (PII), with laws like GDPR setting clear standards.
The AAA framework (Authentication, Authorization, & Accounting) plays a central role in controlling access to resources, tracking user actions, and ensuring non-repudiation.
Authentication: Verifies who a user is through methods like passwords, MFA, and SSO.
Authorization: Ensures users can only access what they need based on permission levels.
Accounting: Monitors and logs user activity for security auditing.
Non-repudiation ensures that individuals cannot deny actions or communications that they have initiated, supporting accountability and trust in digital systems.
Understanding these security concepts is vital for both the CompTIA Tech+ exam and real-world cybersecurity. By mastering these fundamentals, you’ll be well-prepared to protect systems, data, and users from evolving threats.