The Security Ledger

Five Pillars of Everyday Information Security

A practitioner’s field notes on the controls, tricks, and disciplines that decide whether data stays safe, drawn from the classic texts and mapped to today’s threats.

Post 01

Access Control: The Heart of the Security System

Who gets in, what they may touch, and how we prove it later.

If information security had a beating heart, it would be access control. Merkow and Breithaupt put it plainly: access controls are “a collection of mechanisms that work together to create a security architecture that protects the assets of an information system,” and they exist to meet the two central objectives of InfoSec: confidentiality and integrity. The CC Certified in Cybersecurity guide frames the same idea more broadly: access controls are “the means by which we make sure that only those people who are specifically authorized can access an organization’s data or other protected resources.”

Both books describe the interaction using three terms. A subject is the person, program, or process requesting access; an object is the resource being protected, such as a file, database, or field in a table; and access is the right granted to the subject to read, modify, create, delete, or execute on that object. Access is never arbitrary: it follows rules the organization writes into policy and enforces through an access management system such as Microsoft Active Directory.

Identification, Authentication, Accountability

Access begins with a claim and ends with a record. Identification credentials uniquely name the user: a username, employee number, or email. Authentication then verifies that claim by requiring something the user knows, has, or is. The payoff, as Merkow notes, is personal accountability: “the mechanism that proves someone performed a computer activity at a specific point in time.” The CC guide rounds this out with authorization (what an authenticated user is actually allowed to do) and monitoring that records who accessed what, when, and for how long.

Two Guiding Principles

The governing philosophy is least privilege, also called need to know: give people only the access their job requires, and no more. Closely related is separation (segregation) of duties, which ensures no single person controls a transaction end to end. Modern practice pushes this further with what the CC guide calls zero trust: access is denied by default and granted only when explicitly authorized, whether the request comes from across the Internet or the next desk over.

The Classic Models

The practical lesson from both texts is the same: strong passwords and multifactor techniques (smart cards, tokens, biometrics) matter, but they are only as good as the model behind them. Access control is not a single lock on a door: it is the whole architecture of who may enter, what they may do, and the audit trail that lets us reconstruct events when something goes wrong.

References
Merkow & Breithaupt, Information Security: Principles and Practices, 2nd ed., Ch. 10 (Access Control Systems and Methodology). · Genung & Bennett, CC Certified in Cybersecurity All-in-One Exam Guide, Ch. 1–2 (Security Principles; Access Controls Concepts).
Post 02

Steganography: Hiding the Message in Plain Sight

Cryptography hides the meaning; steganography hides the very existence.

To understand steganography, start with its cousin. Merkow and Breithaupt explain that cryptographers rely on two basic methods of disguising messages: transposition, in which letters are rearranged, and substitution, in which letters are replaced by others. Both produce ciphertext: a message that is obviously scrambled and obviously secret. Anyone intercepting it knows a conversation is being protected, even if they cannot read it.

Steganography takes the opposite approach. Rather than scrambling a message, it conceals the fact that a message exists at all. The word comes from the Greek steganos (“covered”) and graphein (“writing”): literally, covered writing. A secret payload is embedded inside an innocent-looking “carrier” such as an image, audio file, video, or document, so that a casual observer sees only a vacation photo or an ordinary spreadsheet.

The goal of cryptography is to make a message unreadable. The goal of steganography is to make a message unnoticed. Used together, a message can be both hidden and, if discovered, still unreadable.

From Wax Tablets to Megapixels

The technique is ancient. Classical accounts describe messages tattooed on a messenger’s shaved scalp and hidden once the hair grew back, or scratched into wood beneath a fresh layer of wax. Invisible inks, microdots, and coded newspaper advertisements carried the idea through the centuries. What changed in the digital age is capacity and cover: a single high-resolution image contains millions of data points, giving a modern message far more room to hide than any wax tablet ever did.

How It Works

The most common digital technique is least-significant-bit (LSB) insertion. Every pixel in an image is stored as numbers; changing the last bit of each color value shifts the shade so slightly that the human eye cannot detect it. Those borrowed bits, gathered across thousands of pixels, spell out the hidden message. Similar tricks hide data in the inaudible ranges of audio files or in unused fields of file formats.

Why Security Professionals Care

Steganography has legitimate uses, most notably digital watermarking, where ownership or copyright data is embedded invisibly to prove authenticity. But it is a double-edged tool. Attackers use it for data exfiltration, smuggling stolen information out of a network inside ordinary-looking media, and malware has been known to hide command-and-control instructions inside images. Because the traffic looks benign, it often slips past filters that would catch obvious encryption.

The defensive response is steganalysis: statistical analysis that looks for the tiny anomalies embedding leaves behind. For the practitioner, the takeaway connects directly to Merkow’s treatment of cryptography: confidentiality is not only about making data unreadable, but sometimes about controlling whether an adversary even realizes sensitive data is moving at all.

References
Concept framed against Merkow & Breithaupt, Information Security: Principles and Practices, 2nd ed., Ch. 11 (Cryptography: transposition and substitution ciphers). · Supplementary general definitions (steganography, LSB insertion, steganalysis) from standard information-security references, as the two course texts focus on cryptography rather than steganography directly.
Post 03

Physical Security: You Can’t Protect What You Can’t Lock Up

The oldest domain in the field, and still one of the most neglected.

Merkow and Breithaupt open their physical security chapter with a sentence every administrator should tape to their monitor: “If you can’t physically protect your hardware, you can’t protect the programs and data running on your hardware.” Physical security, they write, “deals with who has access to buildings, computer rooms, and the devices within them,” protecting sites from natural and man-made threats through smart location choices and controls that keep the wrong people from making physical contact with equipment.

The stakes are not hypothetical. The authors cite retail-security surveys attributing more than 43% of company losses to employee (insider) theft, including the trafficking of proprietary information. Physical security, in other words, defends against the disgruntled insider as much as the outside intruder.

The Goal and the Balancing Act

Regardless of an organization’s size, the goal of the Physical Security domain is “to put safeguards in place to protect an organization’s assets and ensure the continuity of business in the event of man-made or natural disasters.” The challenge is a balancing act: make it easy for people who belong in a building to move around, and hard for everyone else. That balance requires trusted people, effective processes, and appropriate technology working together.

Threats the Domain Addresses

The CISSP Common Body of Knowledge, as summarized in the text, groups physical threats into categories worth memorizing:

Geography drives risk: a data center in the San Francisco Bay area worries about earthquakes, while one in Kansas plans for tornadoes and ice storms. This is why site selection is the first line of physical defense.

Controls in Practice

The CC guide offers a concrete catalog of physical controls found in a typical organization: fencing, locks, and mantraps; lighting and bollards; server-room doors and alarms; security guards or guard dogs; badge readers; surveillance cameras; fire suppression systems; and biometrics to enter a building or room. It adds a subtle but important point: the same technology can be physical or technical depending on what it protects, since “a fingerprint scanner protecting access to a datacenter is a physical control… a fingerprint scanner used to log in to a computer is a technical control.” Above all, both texts agree on one priority: the safety of personnel always takes precedence over the safety of structures, computers, and data.

References
Merkow & Breithaupt, Information Security: Principles and Practices, 2nd ed., Ch. 8 (Physical Security Control). · Genung & Bennett, CC Certified in Cybersecurity All-in-One Exam Guide, Ch. 1–2 (physical controls; physical access controls).
Post 04

Ethical Hacking: Thinking Like the Attacker, on Purpose

The same skills that break in can be turned to build stronger walls.

A hacker is not automatically a criminal. The distinction lies in intent and authorization, and the field sorts practitioners into three familiar “hats,” a framing Merkow and Breithaupt use directly in their end-of-chapter exercises:

Ethical hacking (the white-hat discipline) is best understood through its formal counterpart, penetration testing. The CC guide explains that penetration testing and vulnerability assessments are often performed together: “vulnerability assessments provide a comprehensive view of an organization’s security vulnerabilities” while “penetration testing demonstrates how selected vulnerabilities could be exploited.” Crucially, penetration testers “usually try to mimic the steps that an actual hacker would take to compromise an organization.”

The Attacker’s Playbook (Followed Ethically)

The CC guide lays out the phases a real attacker moves through, which the ethical hacker deliberately reproduces in a controlled, authorized way:

By documenting their activities in a report, penetration testers give management “a revealing and sometimes eye-opening account of how, and sometimes how easily, cyber criminals could execute a successful cyberattack.”

Rules of Engagement

What separates the white hat from the black hat is a signed agreement. Ethical hacking is performed only under explicit written authorization that defines the scope (which systems may be tested), the timing, and the limits (what testers may and may not do). This matters legally as well as ethically: Merkow and Breithaupt’s chapter on law and ethics is a reminder that unauthorized access to a computer system is a crime regardless of intent, so even well-meaning probing without permission can cross the line. Formal credentials such as the Certified Ethical Hacker (CEH) and OSCP exist precisely to professionalize this discipline and hold practitioners to a code of conduct.

Where It Fits in the Lifecycle

Merkow and Breithaupt locate this work firmly inside software assurance: during the test phase of the development lifecycle, “a specialized penetration testing team is often deployed,” and manual security reviews prove “effective in discovering business logic flaws in the application.” The value, as the CC guide concludes, compounds over time: performed regularly, vulnerability assessments and penetration tests help organizations understand their true security posture and improve it. Ethical hacking, then, is not about breaking things; it is about breaking them first, on your own terms, so no one else can.

References
Merkow & Breithaupt, Information Security: Principles and Practices, 2nd ed., Ch. 13 (penetration testing in the SDLC) and Ch. 14 (white/gray/black-hat hackers). · Genung & Bennett, CC Certified in Cybersecurity All-in-One Exam Guide, Ch. 3 (Network Security: attack lifecycle, scanning, penetration testing).
Post 05

Social Engineering: Hacking the Human

The cheapest exploit in the world targets trust, not technology.

The most sophisticated firewall in the world can be undone by a polite phone call. Merkow and Breithaupt define social engineering crisply: “Using deception, the attacker solicits information such as passwords or personal identification numbers (PINs) from unwitting victims. For example, a thief might call a help desk pretending to be a user whose password needs resetting.” The CC guide generalizes the definition: social engineering is “any act that attempts to influence a person to do something that may not be in their best interest.”

What makes it so dangerous is its position in the attack chain. The CC guide notes that social-engineering attacks are “often used as the first step in a cyberattack, often to gain a user’s login credentials or other information that may help an attacker gain access to a system or network.” In other words, it is frequently the pry-bar that opens the door for everything else.

Why It Works

The CC guide is blunt about the root cause: “Human vulnerabilities are one of the weakest links in cybersecurity. Employees who do not follow security policies, break rules, or commit errors are juicy targets for cyberattackers to exploit using social engineering techniques.” Attackers exploit ordinary human instincts: the desire to be helpful, deference to authority, fear of getting in trouble, and simple curiosity.

Common Forms

The Defense Is People

Because the target is human judgment, the strongest control is human awareness. Security-awareness training, clear verification procedures for sensitive requests, a healthy culture of “trust but verify,” and technical backstops such as multifactor authentication all reduce the odds that a single convincing message hands over the keys. As both texts make clear, technology alone will never close this gap: the last line of defense is an educated, skeptical user.

References
Merkow & Breithaupt, Information Security: Principles and Practices, 2nd ed., Ch. 7 (Law, Investigations, and Ethics: social engineering, dumpster diving, phishing). · Genung & Bennett, CC Certified in Cybersecurity All-in-One Exam Guide, Ch. 1–3 (social engineering, human vulnerabilities, ransomware delivery).