Security Fundamentals

Introduction

Information security is the practice of protecting information by mitigating risks and threats. It encompasses principles, technologies, and processes designed to protect systems, networks, programs, devices, and data from attacks, damage, or unauthorized access.

CIA Triad:

  • Confidentiality: Preventing unauthorized access
  • Integrity: Ensuring data accuracy and reliability
  • Availability: Ensuring authorized access when needed

Core Principles

Defense in Depth

Security Layers:

  • Physical Security
  • Network Security
  • Application Security
  • Data Security
  • User Security
  • Administrative Controls

Security Design Principles

Key Principles:

  • Least Privilege
  • Separation of Duties
  • Defense in Depth
  • Fail Secure
  • Complete Mediation
  • Zero Trust

Common Threats

OWASP Top 10

{
  "vulnerabilities": {
    "injection": {
      "description": "SQL, NoSQL, OS, LDAP injection",
      "mitigation": [
        "Use parameterized queries",
        "Input validation",
        "Escape special characters"
      ]
    },
    "broken_authentication": {
      "description": "Authentication and session management flaws",
      "mitigation": [
        "Strong password policies",
        "Multi-factor authentication",
        "Secure session management"
      ]
    },
    "sensitive_data_exposure": {
      "description": "Insufficient protection of sensitive data",
      "mitigation": [
        "Encryption at rest and in transit",
        "Proper key management",
        "Data classification"
      ]
    }
  }
}

Attack Vectors

Common Attacks:

  • Phishing
  • Malware
  • DDoS
  • Man-in-the-Middle
  • Social Engineering
  • Password Attacks

Security Controls

Access Control Implementation

interface AccessPolicy {
    resource: string;
    action: string;
    conditions?: Condition[];
}

interface Condition {
    type: 'time' | 'ip' | 'role' | 'mfa';
    value: any;
}

class AccessControl {
    private policies: Map;

    constructor() {
        this.policies = new Map();
    }

    addPolicy(user: string, policy: AccessPolicy) {
        if (!this.policies.has(user)) {
            this.policies.set(user, []);
        }
        this.policies.get(user)?.push(policy);
    }

    async checkAccess(
        user: string,
        resource: string,
        action: string,
        context: any
    ): Promise {
        const userPolicies = this.policies.get(user) || [];
        
        for (const policy of userPolicies) {
            if (policy.resource === resource && 
                policy.action === action &&
                await this.checkConditions(policy.conditions, context)) {
                return true;
            }
        }
        
        return false;
    }

    private async checkConditions(
        conditions?: Condition[],
        context?: any
    ): Promise {
        if (!conditions) return true;
        
        for (const condition of conditions) {
            switch (condition.type) {
                case 'time':
                    if (!this.checkTimeCondition(condition.value)) {
                        return false;
                    }
                    break;
                case 'ip':
                    if (!this.checkIPCondition(condition.value, context.ip)) {
                        return false;
                    }
                    break;
                case 'role':
                    if (!context.roles.includes(condition.value)) {
                        return false;
                    }
                    break;
                case 'mfa':
                    if (!await this.checkMFACondition(context.user)) {
                        return false;
                    }
                    break;
            }
        }
        
        return true;
    }
}

Encryption Implementation

import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';

class DataEncryption {
    private algorithm: string;
    private key: Buffer;

    constructor(key: Buffer) {
        this.algorithm = 'aes-256-gcm';
        this.key = key;
    }

    encrypt(data: string): {
        encrypted: Buffer,
        iv: Buffer,
        authTag: Buffer
    } {
        const iv = randomBytes(16);
        const cipher = createCipheriv(this.algorithm, this.key, iv);
        
        let encrypted = cipher.update(data, 'utf8');
        encrypted = Buffer.concat([encrypted, cipher.final()]);
        
        return {
            encrypted,
            iv,
            authTag: cipher.getAuthTag()
        };
    }

    decrypt(
        encrypted: Buffer,
        iv: Buffer,
        authTag: Buffer
    ): string {
        const decipher = createDecipheriv(this.algorithm, this.key, iv);
        decipher.setAuthTag(authTag);
        
        let decrypted = decipher.update(encrypted);
        decrypted = Buffer.concat([decrypted, decipher.final()]);
        
        return decrypted.toString('utf8');
    }
}

Security Frameworks

Industry Standards:

  • ISO 27001
  • NIST Cybersecurity Framework
  • CIS Controls
  • COBIT
  • SOC 2
  • PCI DSS

NIST Framework Core

Functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Best Practices

Implementation:

  • Regular security assessments
  • Security awareness training
  • Incident response planning
  • Regular backups
  • Change management
  • Security monitoring

Technical Controls:

  • Strong authentication
  • Network segmentation
  • Data encryption
  • Access controls
  • Security logging
  • Patch management

Administrative Controls:

  • Security policies
  • Risk assessments
  • Employee training
  • Vendor management
  • Compliance audits
  • Incident response