IT Security Principles and Practices

Questions and Answers

What does the Principle of Least Privilege emphasize?

Granting authorized users access only to what is necessary. (correct)

Eliminating all access controls for better user experience.

Allowing all users maximum access permissions to ensure functionality.

Implementing the same access level for all users in a system.

Which statement best describes the concept of Defense in Depth?

It suggests that all security measures should be visible to deter attackers.

It relies on a single robust security mechanism to prevent security breaches.

It involves multiple security controls to provide a fail-safe against attacks. (correct)

It emphasizes the use of outdated security protocols for simplicity.

What is implied by the phrase 'Constant vigilance' in security?

A satisfied security status could indicate vulnerabilities that attackers may exploit. (correct)

There is no need to update security protocols after they have been implemented.

Security measures should be applied only once and maintained without further checks.

Security only needs to be a focus during the initial development phase.

Which philosophy aligns with the understanding that there is no such thing as absolute security?

Zero Trust Philosophy

What does the KISS Principle stand for in the context of security?

Keep It Simple Stupid

What is one of the key goals of the Separation of Duties principle?

Ensure no single individual has total control to prevent fraud or error.

What role does secure design play in security practices?

Security should be integrated at the initial design phase to be effective.

Why is it a concern to rely on Security by Obscurity?

Once the obscurity is broken, the system has no other protection.

Study Notes

Last Week's Assignment

• Read Schneier's essay, "Policy vs. Technology," and be prepared to discuss insights.

Secure Thinking

• Security architects consider how systems fail, unlike "normal" architects who focus on how systems work.
• Absolute security is impossible; the question is "secure enough?".
• Constant vigilance is crucial; security is a moving target. Presumed security is dangerous.
• Zero Trust philosophy is a natural outcome of this approach.

IT Security and CIA Triad

• IT security focuses on Confidentiality, Integrity, and Availability (CIA).

Security Principles

• Principle of Least Privilege: Grant authorized users only necessary access; avoid "privilege creep." "Less is more." Includes hardening (removing unnecessary services, changing defaults).
• Defense in Depth: Multiple security mechanisms create a failsafe; no single mechanism is sufficient.
• Separation of Duties (Segregation of Duties): Prevents single-person control; requires collusion to compromise the system; provides built-in oversight.
• Secure by Design: Integrate security from the initial design phase; don't treat it as an afterthought.
• KISS Principle (Keep It Simple Stupid): Complexity undermines security.

Security by Obscurity?

• The notes do not explicitly discuss this topic beyond mentioning it at the end.

Description

Explore key concepts in IT security, including the CIA triad, the Principle of Least Privilege, and Defense in Depth. This quiz encourages you to think critically about the balance between security and usability, as well as the implications of the Zero Trust philosophy. Prepare to discuss these insights and apply them to real-world scenarios.