For any information system to serve its purpose, the information must be available when it is
needed. This means that the computing systems used to store and process the information, the
security controls used to protect it, and the communication channels used to access it must be
functioning correctly. High availability systems aim to remain available at all times, preventing
service disruptions due to power outages, hardware failures, and system upgrades. Ensuring
availability also involves preventing denial-of-service attacks. Later, Parker proposed “the
Parkerian hexad”, which adds three attributes to the three classic security attributes of
the CIA triad. It is a model of six elements of information security. These attributes of
information are not broken down into further constituents, and all of them are non-overlapping.
c. Critical Concepts of Information Security
1. Know Thy System
Perhaps the most important thing when trying to defend a system is knowing that system.
It doesn’t matter if it’s a castle or a Linux server — if you don’t know the ins and outs of
what you’re actually defending, you have little chance of being successful.
A good example of this in the information security world is knowledge of exactly what
software is running on your systems. What daemons are you running? What sort of
exposure do they create? A good self-test for someone in a small to medium-sized
environment would be to randomly select an IP from a list of your systems and see if you
know the exact list of ports that are open on the machines.
A good admin should be able to say, for example, “It’s a web server, so it’s only running
80, 443, and 22 for remote administration; that’s it.” — and so on and so on for every
type of server in the environment. There shouldn’t be any surprises when looking at port scan results.
What you don’t want to hear in this sort of test is, “Wow, what’s that port?” Having to
ask that question is a sign that the administrator is not fully aware of everything running
on the box in question, and that’s precisely the situation we need to avoid.
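A concrete version of that self-test, as an added example that is not part of the original notes: it parses a constructed sample of nmap’s grepable (-oG) output from a scan of your own hosts, compares each host’s open TCP ports with a hypothetical per-role baseline (“it’s a web server, so only 22, 80 and 443”), and reports every port the admin could not have predicted. The role inventory, addresses and scan lines are all made up for the example.

```python
import re

# Expected listening TCP ports per server role (hypothetical inventory;
# a real one would come from build documentation or a CMDB).
ROLE_BASELINE = {
    "web": {22, 80, 443},  # "80, 443, and 22 for remote administration"
    "dns": {22, 53},
}
# Which role each host plays (constructed sample data).
HOST_ROLE = {"10.0.0.5": "web", "10.0.0.6": "web", "10.0.0.7": "web", "10.0.0.53": "dns"}

# Constructed sample of nmap "grepable" (-oG) output; 10.0.0.7 never answered.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)\n"
    "Host: 10.0.0.53 ()\tPorts: 53/open/tcp//domain///\tIgnored State: closed (999)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s.*?Ports:\s+([^\t]*)")  # ip, ports field
PORT_RE = re.compile(r"(\d+)/open/tcp")

def parse_grepable(text):
    """Return {ip: set of open TCP ports} from nmap -oG output."""
    open_ports = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            open_ports[m.group(1)] = {int(p) for p in PORT_RE.findall(m.group(2))}
    return open_ports

def audit(scan_text, host_role=HOST_ROLE, baseline=ROLE_BASELINE):
    """Return {ip: (role, unexpected_ports, missing_ports)} for deviating hosts.
    Inventory hosts absent from the scan show every expected port as missing;
    scanned hosts with no inventory role get role None and all ports unexpected."""
    observed = parse_grepable(scan_text)
    findings = {}
    for ip in set(observed) | set(host_role):
        role = host_role.get(ip)
        expected = baseline[role] if role else set()
        seen = observed.get(ip, set())
        unexpected, missing = seen - expected, expected - seen
        if unexpected or missing:  # a "Wow, what's that port?" moment
            findings[ip] = (role, unexpected, missing)
    return findings

if __name__ == "__main__":
    for ip, (role, unexp, miss) in sorted(audit(SAMPLE_SCAN).items()):
        print(f"{ip} [{role or 'not in inventory'}] unexpected={sorted(unexp)} missing={sorted(miss)}")
```

Run it against a real `nmap -oG` file of your own servers and an inventory that matches your environment; an empty result is the “no surprises” outcome the text describes.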
2. Least Privilege
The next über-important concept is that of least privilege. Least privilege simply says that
people and things should only be able to do what they need to do their jobs, and nothing
else. The reason I include “things” is that admins often configure automated tasks
that need to be able to do certain things — backups for example. Well, what often
happens is the admin will just put the user doing the backup into the domain admins
group — even if they could get it to work another way. Why? Because it’s easier.