Page 64 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality focuses security measures on ensuring that no one other than the intended recipient of a message receives it or is able to read it. Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. A wide range of security controls can provide protection for confidentiality, including, but not limited to, encryption, access controls, and steganography.

If a security mechanism offers confidentiality, it offers a high level of assurance that data, objects, or resources are restricted from unauthorized subjects. If a threat exists against confidentiality, unauthorized disclosure could take place. An object is the passive element in a security relationship, such as files, computers, network connections, and applications. A subject is the active element in a security relationship, such as users, programs, and computers. A subject acts upon or against an object. The management of the relationship between subjects and objects is known as access control.

In general, for confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit. Unique and specific security controls are required for each of these states of data, resources, and objects to maintain confidentiality.

Numerous attacks focus on the violation of confidentiality. These include capturing network traffic and stealing password files as well as social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on.

Violations of confidentiality are not limited to directed intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are the result of human error, oversight, or ineptitude. Events that lead to confidentiality breaches include failing to properly encrypt a transmission, failing to fully authenticate a remote system before transferring data, leaving open otherwise secured access points, accessing malicious code that opens a back