Core Concepts and Terminology | Cybersecurity Policy

Slide 1 of 14 | CSP-W1-01 | Week 1

Core Concepts and
Terminology

CIA Triad • AAA • Threat Modeling • Defense in Depth • Zero Trust • Kill Chain

Before you can write cybersecurity policy, you have to speak the language. Every framework, every regulation, every incident report uses a shared vocabulary. This deck establishes the foundational concepts that the rest of the course builds on. Master these terms and their relationships -- they are the grammar of the field.

14 Slides CSP-W1-01 Week 1 CIS2208 -- Cybersecurity Policy

Slide 2 of 14

The CIA Triad

The foundational model of information security. Every control maps back to at least one of these three pillars.

Confidentiality

Only authorized parties can access information. Enforced through encryption, access controls, and classification. Breached by data leaks, eavesdropping, and social engineering. If unauthorized eyes see the data, confidentiality has failed.

Integrity

Data remains accurate, complete, and unaltered except by authorized processes. Enforced through hashing, checksums, digital signatures, and version control. If an attacker modifies a record without detection, integrity has failed.

Availability

Systems and data are accessible when needed by authorized users. Enforced through redundancy, failover, backups, and DDoS mitigation. If a hospital cannot access patient records during an emergency, availability has failed.

Why It Matters for Policy

Every cybersecurity policy decision maps back to the CIA triad. When you write a password policy, you are protecting confidentiality. When you mandate audit logs, you are protecting integrity. When you require 99.9% uptime SLAs, you are protecting availability. The triad is not abstract -- it is the classification system for every control you will ever implement.

Slide 3 of 14

Authentication vs Authorization vs Accounting

Three distinct functions that are frequently confused. Each answers a different question about access.

Authentication (AuthN)

Proving identity. Methods range from passwords (something you know) to biometrics (something you are) to hardware tokens (something you have). Multi-factor authentication combines two or more categories. AuthN answers: "Are you who you claim to be?"

Authorization (AuthZ)

Granting or denying access to specific resources after identity is confirmed. Implemented through ACLs, RBAC, ABAC, or policy engines. AuthZ answers: "What are you allowed to do?" A user may be authenticated but unauthorized for a given resource.

Accounting (Audit)

Recording what happened -- who accessed what, when, and what they did. Implemented through logging, SIEM systems, and audit trails. Accounting answers: "What did you actually do?" Without accounting, breaches go undetected and forensics are impossible.

Common Mistake

Organizations often invest heavily in authentication but underinvest in authorization and accounting. Strong passwords with no access controls mean every authenticated user can access everything. No audit trail means breaches can persist undetected for months -- the average dwell time for an undetected breach is 204 days.

Slide 4 of 14

Threat, Vulnerability, Risk

Three distinct concepts with a precise mathematical relationship. Confusing them leads to misallocated budgets and broken policy.

Threat

Any potential cause of an unwanted incident. A threat is an actor (hacker, insider, natural disaster) paired with intent or capability. Threats exist whether or not your organization has weaknesses. A tornado is a threat to a data center regardless of its construction.

Vulnerability

A weakness in a system, process, or procedure that a threat can exploit. An unpatched server, a misconfigured firewall, a poorly trained employee -- these are vulnerabilities. Vulnerabilities without threats create no risk. Threats without vulnerabilities create no risk.

Risk

The probability that a threat will exploit a vulnerability and the resulting impact. Risk = Likelihood x Impact. Risk is what organizations actually manage. You cannot eliminate threats, but you can reduce vulnerabilities and mitigate impact to bring risk to acceptable levels.

Policy Connection

Risk management is the engine of cybersecurity policy. Every policy exists to reduce risk. Understanding the relationship between threat, vulnerability, and risk is the prerequisite for writing effective policy -- because policy that addresses threats you do not face or ignores vulnerabilities you do have is worse than useless. It creates false confidence.

Slide 5 of 14

Attack Surface and Attack Vectors

The surface is what you expose. The vector is how they get in. Reducing the surface shrinks the vector space.

Attack Surface

The sum of all points where an attacker could attempt to enter or extract data. Includes network interfaces, web applications, APIs, physical access points, employee inboxes, and third-party integrations. Every new service, device, or vendor increases the attack surface. Minimizing it is a core security principle.

Attack Vectors

The specific path or method an attacker uses to reach a target. Common vectors include phishing emails, unpatched software, stolen credentials, malicious USB devices, and compromised supply chain components. Understanding vectors helps prioritize defenses -- most breaches use a small set of well-known vectors.

The 80/20 Rule

Verizon's Data Breach Investigations Report consistently shows that the vast majority of breaches use a handful of vectors: stolen credentials, phishing, vulnerability exploitation, and misconfigurations. Effective policy focuses hardening efforts on the vectors that actually get exploited -- not theoretical exotic attacks.

Slide 6 of 14

Defense in Depth

No single control is sufficient. Layered security ensures that failure of one layer does not mean total compromise.

Layer 1-2: Policy + Perimeter

Written security policies define acceptable behavior. Perimeter controls (firewalls, DMZs, IDS/IPS) filter traffic at the boundary. These are the outermost defenses -- necessary but never sufficient alone.

Layer 3-4: Network + Host

Network segmentation, VLANs, and ACLs limit lateral movement. Host-level controls include endpoint protection, OS hardening, and patch management. If the perimeter fails, these layers slow the attacker.

Layer 5-6: Application + Data

Input validation, secure coding, and WAFs protect applications. Encryption at rest and in transit, access controls, and DLP protect the data itself. The innermost layers are the last line of defense.

The Castle Analogy

A medieval castle did not rely on a single wall. It had a moat, outer walls, inner walls, a keep, and guards at every level. Defense in depth applies the same principle to information systems -- multiple independent layers, each capable of stopping or slowing an attacker even if the layers above have been breached.

Slide 7 of 14

Least Privilege and Need-to-Know

Two complementary principles that limit the blast radius of any compromise -- human or technical.

Principle of Least Privilege (PoLP)

Every user, process, and system should operate with the minimum permissions necessary to accomplish its task -- and no more. An accountant does not need admin rights. A web server does not need database write access to tables it only reads. Excess privilege is excess risk.

Need-to-Know

Access to information should be restricted to individuals who require it for their specific role or task. Even if someone has the clearance level, they should not access data unrelated to their duties. Need-to-know is about data classification. Least privilege is about system permissions. Together they form a complete access control strategy.

Anti-Pattern: Privilege Creep

As employees change roles, they accumulate permissions from every position. After three transfers, they may have more access than any single role requires. Regular access reviews and role-based access control (RBAC) prevent this.

Anti-Pattern: Shared Accounts

When multiple people share one admin account, accountability is destroyed. If something goes wrong, you cannot determine who did it. Every privileged action must be traceable to a single individual.

Best Practice: JIT Access

Just-In-Time access grants elevated privileges only when needed, for a defined duration, with approval. Engineers do not hold permanent admin rights -- they request them, get time-limited access, and privileges are automatically revoked.

Policy Implication

A least privilege policy is not a one-time implementation. It requires continuous enforcement: automated provisioning and deprovisioning tied to HR systems, quarterly access reviews, and privileged access management (PAM) tools. The goal is zero standing privilege -- no one holds elevated access by default.

Slide 8 of 14

Zero Trust Architecture

"Never trust, always verify." The modern security model that assumes breach and verifies every request.

Core Principles

Verify explicitly -- authenticate and authorize based on all available data points (identity, location, device health, data classification). Use least privilege access. Assume breach -- minimize blast radius using micro-segmentation and end-to-end encryption.

Why It Replaced Perimeter Security

The traditional model trusted everything inside the network. Remote work, cloud services, and BYOD destroyed that boundary. Zero Trust assumes attackers may already be inside the network and treats every access request as potentially hostile regardless of origin.

NIST SP 800-207

The U.S. government standardized Zero Trust Architecture in NIST SP 800-207. Executive Order 14028 (May 2021) mandated federal agencies adopt Zero Trust. If you write policy for any organization that works with the federal government, ZTA compliance is no longer optional -- it is contractual.

Slide 9 of 14

Threat Actors

Understanding who attacks and why is essential for writing policy that addresses real threats, not imaginary ones.

Script Kiddies

Low-skill attackers using pre-made tools and scripts. Opportunistic, not targeted. Dangerous in volume -- they scan the entire internet for known vulnerabilities. Your policy must cover basic hygiene because these attacks never stop.

Hacktivists

Ideologically motivated. Target organizations for political or social reasons. Methods include website defacement, DDoS, and data dumps. Anonymous and LulzSec are historical examples. Motivation: embarrassment and disruption, not profit.

Organized Crime

Profit-driven criminal enterprises. Ransomware, business email compromise, and credential theft are primary tools. Operate like businesses with customer support and affiliate programs. Responsible for the majority of financially motivated breaches.

Insiders

Current or former employees, contractors, or partners with legitimate access. May be malicious (disgruntled employee stealing data), negligent (clicking phishing links), or compromised (credentials stolen). The hardest threat to detect because they already have authorized access.

Nation-States (APTs)

State-sponsored groups with virtually unlimited resources, patience, and sophistication. Conduct espionage, sabotage, and intellectual property theft. Operate for years undetected. Examples: APT28 (Russia), APT41 (China), Lazarus Group (North Korea). If a nation-state targets you specifically, your defense strategy changes fundamentally.

Slide 10 of 14

The Cyber Kill Chain

Lockheed Martin's 7-stage model of how attacks progress. Disrupting any stage breaks the chain.

1

Reconnaissance

Research the target. Harvest emails, scan networks, identify technologies and personnel.

2

Weaponization

Pair an exploit with a payload. Create a malicious document, craft a phishing lure, or build a custom tool.

3

Delivery

Transmit the weapon to the target. Email attachment, malicious link, compromised website, or USB drop.

4

Exploitation

Trigger the vulnerability. Code executes, credentials are captured, or access is gained.

5

Installation

Establish persistence. Install backdoor, create accounts, modify startup scripts, or deploy rootkit.

6

Command & Control

Open a channel back to the attacker. Beaconing, DNS tunneling, or encrypted C2 over HTTPS.

7

Actions on Objectives

Achieve the goal. Exfiltrate data, deploy ransomware, destroy systems, or pivot laterally.

Defense Strategy

The kill chain is a defender's tool, not just an attacker's roadmap. If you can detect and disrupt any single stage, the attack fails. Block reconnaissance with minimal public exposure. Filter delivery with email security. Prevent exploitation with patching. Detect C2 with network monitoring. The earlier you break the chain, the lower the cost.

Slide 11 of 14

MITRE ATT&CK Framework

A knowledge base of adversary tactics and techniques based on real-world observations. The industry standard for threat classification.

What It Is

A curated knowledge base of adversary tactics (the "why") and techniques (the "how") based on real-world observations. Organized as a matrix where columns are tactical goals (initial access, execution, persistence, etc.) and rows are specific techniques used to achieve them. Continuously updated with contributions from the global security community.

How It Is Used

Threat intelligence teams map adversaries to ATT&CK techniques. Red teams use it to plan realistic simulations. Blue teams use it to identify detection gaps. Vendors map their products to ATT&CK coverage. Policy writers use it to justify controls -- "We need EDR because we have no detection for T1059 (Command and Scripting Interpreter)."

Kill Chain vs ATT&CK

The kill chain is linear: recon through actions. ATT&CK is a matrix: attackers can use any combination of techniques across any tactic at any point. ATT&CK does not assume attacks follow a sequence. In practice, most organizations use both -- the kill chain for strategic communication and ATT&CK for operational detection and response.

Slide 12 of 14

Key Terms Glossary

Reference definitions for the core terminology introduced in this presentation.

Term	Definition
CIA Triad	Confidentiality, Integrity, Availability -- the three pillars of information security.
AAA	Authentication, Authorization, Accounting -- the three functions of access control.
Threat	Any potential cause of an unwanted incident that may harm a system or organization.
Vulnerability	A weakness in a system that can be exploited by a threat to cause harm.
Risk	The probability that a threat will exploit a vulnerability, weighted by the potential impact.
Attack Surface	The total number of points where an unauthorized user could attempt to enter or extract data.
Attack Vector	The specific path or method used to gain unauthorized access to a system.
Defense in Depth	A layered security strategy where multiple independent controls protect each asset.
Least Privilege	The principle that users and processes should have only the minimum access required.
Zero Trust	A security model that requires verification for every access request regardless of origin.
Kill Chain	Lockheed Martin's 7-stage model of a cyberattack lifecycle.
MITRE ATT&CK	A knowledge base of adversary tactics, techniques, and procedures based on real-world observations.
APT	Advanced Persistent Threat -- a sophisticated, long-term attack campaign, typically state-sponsored.
IoC	Indicator of Compromise -- forensic evidence that a breach or attack has occurred.

Slide 13 of 14

Key Takeaways

The foundational concepts you need to carry into every policy discussion for the rest of this course.

1 The CIA triad (Confidentiality, Integrity, Availability) is the classification system for every security control. Every policy decision maps back to at least one pillar.

2 Authentication proves identity. Authorization grants access. Accounting records actions. All three are required -- investing in only one or two creates critical gaps.

3 Risk = Threat x Vulnerability x Impact. You cannot eliminate threats, but you can reduce vulnerabilities and mitigate impact. Policy exists to manage risk to acceptable levels.

4 Defense in depth means no single point of failure. Multiple independent layers ensure that breaching one control does not mean total compromise.

5 Least privilege and need-to-know limit the blast radius of any compromise. Zero standing privilege is the modern standard.

6 Zero Trust replaces perimeter-based security. "Never trust, always verify" is now federal policy (NIST 800-207, EO 14028).

7 Know your adversary. Script kiddies, hacktivists, organized crime, insiders, and nation-states each require different policy responses.

8 The kill chain and MITRE ATT&CK are complementary frameworks. The kill chain is strategic (linear stages). ATT&CK is operational (matrix of tactics and techniques).

What Comes Next

These concepts are not isolated topics -- they are the vocabulary you will use when writing policies, evaluating frameworks, assessing risk, and communicating with stakeholders. Every subsequent module in this course builds directly on the definitions and relationships established here.

Slide 14 of 14 | Complete

Presentation
Complete

Core Concepts and Terminology -- 14 slides

CIA Triad • AAA • Threat/Vulnerability/Risk • Attack Surface • Defense in Depth • Least Privilege • Zero Trust • Threat Actors • Kill Chain • MITRE ATT&CK

CIS2208 Cybersecurity Policy Week 1