Security Design Principles

Questions and Answers

What is the primary reason for ensuring that security measures in hardware and software are as simple and small as possible?

  • To increase the aesthetic appeal of the system.
  • To reduce the cost of hardware components.
  • To make the system easier to test and verify for security vulnerabilities. (correct)
  • To make the system run faster by reducing code size.

The principle of 'fail-safe defaults' suggests that the default state of access should be permission rather than exclusion.

False (B)

What is the 'complete mediation' principle in security design?

Every access to every object must be checked against the access control mechanism, without relying on cached access decisions.

Why should a security mechanism's design be open rather than secret?

To gain high confidence in the security mechanism through public scrutiny. (A)

The security design principle of _______ suggests using multiple privilege attributes to achieve access to a restricted resource, such as multifactor authentication.

separation of privilege

The 'least privilege' principle means that every user should have administrative rights to the system.

False (B)

What is the primary goal of the 'least common mechanism' principle?

To minimize the functions shared by different users, thereby enhancing mutual security. (B)

Define the 'psychological acceptability' principle in the context of security mechanisms.

Security mechanisms should not interfere unnecessarily with the work of users; they should be transparent or introduce minimal obstruction.

________ in security design involves isolating public access systems from critical resources to prevent unauthorized access.

isolation

Encapsulation is a general principle and is not related to object-oriented functionality.

False (B)

What is the main benefit of implementing modularity in security functions?

To allow for easy migration to new technologies or upgrades without redesigning the entire system. (D)

Explain the concept of 'layering' in security design.

Layering involves using multiple, overlapping protection approaches to address different aspects of information systems, so that the failure of any single approach does not leave the system unprotected.

The 'least _______' principle means that a program or interface should always respond in the way that is least likely to surprise the user.

astonishment

Attack surfaces are limited to software vulnerabilities and do not include human-related weaknesses.

False (B)

Which of the following is considered an 'attack surface'?

An employee with access to sensitive information vulnerable to social engineering. (A)

List the three main categories of attack surfaces.

Network, software, and human.

The _______ attack surface refers to vulnerabilities over an enterprise network, wide-area network, or the Internet, including network protocol vulnerabilities such as those used for denial-of-service attacks.

network

Software attack surfaces only include vulnerabilities in web server software.

False (B)

What does the 'human attack surface' refer to?

Vulnerabilities created by personnel, such as social engineering or human error. (C)

What benefits does attack surface analysis provide in cybersecurity?

Assessing the scale and severity of threats, deciding where security mechanisms are required, and setting priorities for testing and strengthening security measures.

In attack trees, the goal of the attack is represented by the _______ node, while the different ways of initiating an attack that leads to that goal are represented by the _______ nodes.

root, leaf

Attack trees are primarily used to document successful attacks.

False (B)

Which of the following is NOT one of the three aspects of a comprehensive security strategy?

User training/awareness (A)

What is the purpose of a security policy in an organization?

To specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

Security implementation involves four complementary courses of action: prevention, detection, _______, and recovery.

response

The ideal security scheme is one in which some attacks are still successful.

False (B)

What is the role of intrusion detection systems in security?

To detect the presence of unauthorized individuals logged onto a system. (B)

Match the following security principles to their descriptions:

Economy of Mechanism = Design should be as simple and small as possible.
Fail-Safe Defaults = Base access decisions on permission rather than exclusion.
Least Privilege = Grant only the minimum necessary access.
Layering = Use multiple, overlapping protection approaches.

What is the purpose of the 'response' phase in security implementation?

The response phase is used to halt an ongoing attack and prevent further damage.

Restoring data integrity from backup systems belongs to the security implementation phase of _______.

recovery

Assurance provides a formal proof that a design and implementation is correct.

False (B)

What two questions does assurance address regarding the security provided?

Does the security system design meet its requirements? Does the security system implementation meet its specifications? (A)

What is the term used for examining a computer product or system with respect to certain criteria?

Evaluation

The development of _______ is the central focus of security evaluation.

evaluation criteria

What is the term for the set of reachable and exploitable weaknesses of a system?

Attack Surface (B)

An attack surface is limited to what is reachable over the network.

False (B)

Match the following attack surfaces:

Network = Vulnerabilities over an enterprise network.
Software = Vulnerabilities in application, utility, or operating system code.
Human = Vulnerabilities created by social engineering or human error.

What is an attack tree and how is it used in cybersecurity?

A branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities; the root node is the attacker's goal, and the tree is used to assess the risk of each attack path and to guide the choice of countermeasures.

What principle of secure design is violated where complex configurations increase maintenance costs?

Economy of Mechanism (B)

An effective security implementation should ideally aim for _______, where no attack is successful.

prevention

Flashcards

Economy of mechanism

Security measures should be simple and small.

Fail-safe defaults

Base decisions on permission. Lack of access is the default.

Complete mediation

Check every access to a resource against the access control mechanism; do not rely on cached decisions.

Open design

Security mechanisms should be open, not secret.

Separation of privilege

Require more than one privilege attribute for resource access.

Least privilege

Each user and process operates with the least set of privileges needed.

Least common mechanism

Minimize functions and mechanisms shared between users.

Psychological acceptability

Security mechanisms should not interfere unnecessarily with users' work.

Isolation

Public access systems should be isolated from critical resources.

Encapsulation

A specific form of isolation based on object-oriented functionality.

Modularity

Security functions designed as separate, protected modules.

Layering

Use multiple, overlapping protection approaches (defense in depth).

Least astonishment

Programs and interfaces respond in the way least likely to surprise the user.

Attack surface

The reachable and exploitable vulnerabilities of a system.

Network attack surface

Vulnerabilities over an enterprise network, WAN, or the Internet, including network protocol vulnerabilities.

Software attack surface

Vulnerabilities in application, utility, or OS code.

Human attack surface

Vulnerabilities created by personnel or outsiders, such as social engineering and human error.

Attack trees

A branching, hierarchical structure documenting the ways an attack goal can be reached, from root goal to leaf attack steps.

Attack surface analysis

Assessing the scale and severity of threats and deciding where security mechanisms and testing effort are needed.

Computer security strategy

Specification/policy, implementation/mechanisms, and correctness/assurance.

Security policy

Formal statement of rules and practices on how an organization provides security services to protect its assets.

Security implementation

Prevention, detection, response, and recovery.

Prevention

Stop the attack from succeeding.

Detection

Detect security attacks that prevention did not stop.

Response

Halt the attack and prevent further damage.

Recovery

Restore data and service (for example from backups) after a compromise.

Assurance

Degree of confidence that the security measures work as intended to enforce the policy; not a formal proof.

Evaluation

Examining a computer product or system against certain criteria.

Study Notes

Fundamental Security Design Principles

  • Economy of mechanism: design security measures in hardware and software to be as simple and small as possible; small designs are easier to test and verify, less costly to maintain, and simpler to configure.
  • Fail-safe defaults: base access decisions on permission rather than exclusion. The default situation is lack of access, and the protection scheme identifies the conditions under which access is permitted; a mistake in a mechanism that grants explicit permission tends to fail by refusing access, a safe outcome that is quickly noticed.
  • Complete mediation: every access must be checked against the access control mechanism, without relying on cached access decisions.
  • Open design: security mechanisms should be open rather than secret, so that confidence comes from public scrutiny.
  • Encryption and hash algorithms should be open to public scrutiny; only the keys must remain secret.
  • Separation of privilege: multiple privilege attributes are needed to achieve access to a restricted resource.
  • Multifactor user authentication, which requires more than one technique to authenticate a user, is an example.
  • In a program, divide the code into parts that are each limited to the specific privileges they require.
  • Least privilege: every user and process should operate using only the minimum set of privileges necessary to perform its task.
  • With Role Based Access Control, each role is assigned only the permissions needed to perform its functions.
  • Each permission specifies permitted access to a resource, such as read/write access to a file or directory.
  • Assign special privileges only when necessary.
  • Least common mechanism: minimize the functions shared by different users; this reduces unintended communication paths and the amount of hardware and software on which all users depend.
  • Psychological acceptability: security mechanisms should not interfere unnecessarily with users' work while still meeting the authorization needs.
  • Mechanisms should be transparent or introduce minimal obstruction; if the user's mental model of protection differs from the mechanisms, mistakes are more likely.
  • Isolation: public access systems should be isolated from critical resources (data, processes); the processes and files of individual users should be isolated from one another except where explicitly desired; and the security mechanisms themselves should be isolated so that they cannot be accessed and tampered with.
  • Encapsulation: a specific form of isolation rooted in object-oriented functionality; procedures and data objects are protected by being encapsulated in their own domain and callable only at designated entry points.
  • Modularity: security functions should be developed as separate, protected modules, providing common security functions and services (for example cryptographic functions) as common modules; a modular architecture supports migration to new technologies and upgrades without redesigning the whole system.
  • Layering: use multiple, overlapping protection approaches addressing people, technology, and operations, so that the failure or circumvention of any single approach does not leave the system unprotected. This "defense in depth" is a best practice and complements attack surface reduction.
  • Least astonishment: a program or user interface should always respond in the way least likely to surprise the user; authorization mechanisms should be transparent enough to be intuitively understood.
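The access-control principles above in working code, as an added example that is not from the original lesson or from any product: a small Python reference monitor that applies fail-safe defaults, complete mediation, least privilege via roles, and separation of privilege, beside a caching variant that violates complete mediation. All class names, roles, users and permission strings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Least privilege: each role carries only the permissions its function
# needs. Roles and permission strings are constructed sample data.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "reader": frozenset({"file:read"}),
    "editor": frozenset({"file:read", "file:write"}),
    "admin": frozenset({"file:read", "file:write", "file:delete", "user:manage"}),
}

# Separation of privilege: these actions need a second attribute (a
# verified MFA factor) on top of the role-derived permission.
MFA_REQUIRED: FrozenSet[str] = frozenset({"file:delete", "user:manage"})


@dataclass
class ReferenceMonitor:
    """Mediates every access request against the live policy."""
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def permissions_of(self, user: str) -> FrozenSet[str]:
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            # Unknown roles contribute nothing (fail-safe).
            perms |= ROLE_PERMISSIONS.get(role, frozenset())
        return frozenset(perms)

    def check_access(self, user: str, action: str, mfa_verified: bool = False) -> bool:
        """Complete mediation: re-evaluate the policy on every call.
        Fail-safe default: anything not explicitly granted is denied,
        including unknown users, unknown roles and unknown actions."""
        allowed = action in self.permissions_of(user)
        if allowed and action in MFA_REQUIRED and not mfa_verified:
            allowed = False
        self.audit.append((user, action, "allow" if allowed else "deny"))
        return allowed


@dataclass
class CachingMonitor(ReferenceMonitor):
    """Anti-pattern for contrast: remembers the first decision per
    (user, action). After a role is revoked the stale 'allow' survives,
    which is the cached-decision failure complete mediation rules out."""
    cache: Dict[Tuple[str, str], bool] = field(default_factory=dict)

    def check_access(self, user: str, action: str, mfa_verified: bool = False) -> bool:
        key = (user, action)
        if key not in self.cache:
            self.cache[key] = super().check_access(user, action, mfa_verified)
        return self.cache[key]


def revocation_scenario(monitor_cls) -> Tuple[bool, bool]:
    """Grant alice 'editor', check a write, revoke the role, check again.
    Returns (decision before revocation, decision after revocation)."""
    monitor = monitor_cls(user_roles={"alice": {"editor"}})
    before = monitor.check_access("alice", "file:write")
    monitor.user_roles["alice"].discard("editor")
    after = monitor.check_access("alice", "file:write")
    return before, after


if __name__ == "__main__":
    print("reference monitor:", revocation_scenario(ReferenceMonitor))  # (True, False)
    print("caching monitor:  ", revocation_scenario(CachingMonitor))    # (True, True)
    rm = ReferenceMonitor(user_roles={"root": {"admin"}})
    print("delete without MFA:", rm.check_access("root", "file:delete"))             # False
    print("delete with MFA:   ", rm.check_access("root", "file:delete", True))       # True
```

The caching variant is the shape of bug the complete mediation principle targets: the policy changed, but a decision made under the old policy keeps being honoured. The reference monitor also logs every decision, which is what later detection and response work will need.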

Attack Surfaces and Attack Trees

  • Attack surfaces consist of the reachable and exploitable vulnerabilities in a system.
  • Examples: open ports on outward-facing web and other servers, services available on the inside of a firewall, interfaces such as SQL and web forms, and an employee with access to sensitive information who is vulnerable to social engineering.
  • Software attack surfaces are vulnerabilities in application, utility, or operating system code.
  • Network attack surfaces are vulnerabilities over an enterprise network, wide-area network, or the Internet, including network protocol vulnerabilities such as those used for denial-of-service attacks.
  • Human attack surfaces are vulnerabilities created by personnel or outsiders: social engineering, human error, and trusted insiders.
  • Attack surface analysis assesses the scale and severity of threats, helps developers decide where security mechanisms are needed, and guides priorities for testing and strengthening services or applications.
  • An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities.
  • The security incident that is the goal of the attack is the root node of the tree.
  • The ways an attacker can reach that goal are iteratively and incrementally represented as branches and subnodes, each defining a subgoal.
  • The final nodes on the paths outward from the root, the leaf nodes, represent the different ways to initiate an attack.
  • Attack trees document, in a structured form, how attacks can be performed and reveal key vulnerabilities.
  • They are used to assess the risk of each attack path and to guide both system design and the choice and strength of countermeasures.
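The attack tree structure described above as an added example, not from the original lesson: a Python AND/OR attack tree whose leaves carry an attacker cost, with the cheapest path to the root goal computed and then re-computed after a countermeasure raises the cost of one leaf. The scenario (reading a customer database), node names and cost figures are constructed for illustration and are not measurements.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    """One node of an attack tree. kind is 'LEAF' (an attack initiation
    step with an attacker cost), 'OR' (any one child reaches the goal)
    or 'AND' (all children are required)."""
    name: str
    kind: str = "LEAF"
    cost: float = 0.0
    children: List["Node"] = field(default_factory=list)


Path = Tuple[float, List[str]]


def attack_paths(node: Node) -> List[Path]:
    """Enumerate every way to reach this node as (total cost, leaf steps)."""
    if node.kind == "LEAF":
        return [(node.cost, [node.name])]
    if node.kind == "OR":
        paths: List[Path] = []
        for child in node.children:
            paths.extend(attack_paths(child))
        return paths
    if node.kind == "AND":
        # Cartesian product of the children's paths, costs summed.
        combos: List[Path] = [(0.0, [])]
        for child in node.children:
            combos = [(c1 + c2, s1 + s2)
                      for c1, s1 in combos for c2, s2 in attack_paths(child)]
        return combos
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest_path(node: Node) -> Path:
    """The least-cost attack: where a defender should look first."""
    return min(attack_paths(node), key=lambda p: p[0])


def harden(root: Node, leaf_name: str, extra_cost: float) -> Node:
    """Model a countermeasure as added attacker cost on one leaf and
    return a new tree, leaving the original untouched."""
    new_root = deepcopy(root)
    stack = [new_root]
    while stack:
        n = stack.pop()
        if n.kind == "LEAF" and n.name == leaf_name:
            n.cost += extra_cost
        stack.extend(n.children)
    return new_root


# Constructed toy tree: the root goal is reading a customer database.
CUSTOMER_DB = Node("Read customer database", "OR", children=[
    Node("Exploit SQL injection in web form", cost=3),
    Node("Steal DBA credentials", "AND", children=[
        Node("Phish DBA", cost=2),
        Node("Bypass MFA", cost=6),
    ]),
    Node("Physical access to backup tapes", "AND", children=[
        Node("Enter data center", cost=8),
        Node("Decrypt backup", cost=5),
    ]),
])

if __name__ == "__main__":
    for cost, steps in sorted(attack_paths(CUSTOMER_DB), key=lambda p: p[0]):
        print(f"{cost:5.1f}  {' + '.join(steps)}")
    print("cheapest:", cheapest_path(CUSTOMER_DB))            # (3, [SQL injection])
    hardened = harden(CUSTOMER_DB, "Exploit SQL injection in web form", 10)
    print("after input validation:", cheapest_path(hardened))  # (8.0, [Phish DBA, Bypass MFA])
```

Ranking paths by cost is how the tree turns into priorities: the SQL injection leaf is the cheapest route, so a countermeasure there moves the attacker to the credential-theft branch, where the MFA requirement (separation of privilege) is what keeps the cost up.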

Computer Security Strategy

  • A comprehensive security strategy involves three aspects: specification/policy, implementation/mechanisms, and correctness/assurance.
  • A security policy is a formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

Security Policy Factors

  • Assets to be protected.
  • System vulnerabilities.
  • Potential threats and the likelihood of attacks.
  • Ease of use versus security.
  • Cost of security versus cost of failure and recovery.

Security Implementation

  • Security implementation involves four complementary courses of action: prevention, detection, response, and recovery.
  • Prevention aims for the ideal security scheme, in which no attack succeeds; this is not always practical.
  • Detection identifies security attacks that were not prevented; intrusion detection systems, for example, are designed to detect the presence of unauthorized individuals logged onto a system, and IDS/IPS and SIEM tools are deployed to distinguish normal from unusual traffic and events.
  • Response halts an ongoing attack and prevents further damage once it is detected.
  • Recovery uses backup systems to restore data integrity after a compromise.

Assurance and Evaluation

  • Assurance is the degree of confidence that a system's security measures work as intended to enforce its security policy; it is not a formal proof of correctness.
  • Assurance asks two questions: does the design meet its requirements, and does the implementation meet its specifications?
  • Evaluation examines a computer product or system against certain criteria, using testing and possibly formal analytic or mathematical techniques.
  • The central thrust of evaluation work is to develop evaluation criteria that can be applied to any security system.
