Security Engineering and Management

Questions and Answers

What is the primary focus of security engineering in the context of system development?

  • Monitoring system performance
  • Managing infrastructure security
  • Implementing user permission protocols
  • Designing systems to resist malicious attacks (correct)

In the context of security, how does application security differ from infrastructure security?

  • Application security focuses on hardware, while infrastructure security focuses on software.
  • There is no practical difference between application and infrastructure security.
  • Application security is a software engineering concern focused on design, while infrastructure security is a systems management concern focused on configuration. (correct)
  • Application security involves configuring the system, while infrastructure security involves designing the system.

Which of the following is a key aspect of system security management?

  • Network cabling maintenance
  • Hardware optimization
  • Developing new programming languages
  • User permission management (correct)

What is the main objective of security risk management?

  • Assessing potential losses from attacks and balancing them against the cost of security procedures (D, correct)

Which of the following best describes a 'misuse case' in the context of system security?

  • An instance representing a threat to a system, detailing how it can be compromised (B, correct)

In security engineering, what does 'threat and control analysis' primarily involve?

  • Evaluating potential threats to a system, their probabilities, and the controls to mitigate them (B, correct)

Which security design guideline emphasizes the importance of ensuring that a security failure requires multiple points of failure?

  • Avoid a single point of failure (C, correct)

What does the security design guideline 'Fail securely' primarily aim to achieve?

  • Guaranteeing that sensitive information remains inaccessible to unauthorized users even when normal security measures are unavailable (D, correct)

Why is it important to 'Balance security and usability' in system design?

  • To ensure that security measures do not make the system too difficult for users to operate effectively (B, correct)

What is the primary purpose of 'logging user actions' as a security design guideline?

  • To track user behavior and identify potential security breaches (D, correct)

In the context of security engineering, what does 'System Survivability' refer to?

  • The system's ability to deliver essential services while under attack or after being damaged (D, correct)

Why is 'Survivability' considered important for computer systems in today's world?

  • Because modern economic and social lives depend on these systems (D, correct)

What is the main goal of the 'Resistance' strategy in System Survivability?

  • To avoid problems by building capabilities into the system to resist attacks (B, correct)

Which strategy focuses on identifying attacks and assessing their impact?

  • Recognition (C, correct)

In the context of system survivability, what does the 'Recovery' strategy involve?

  • Maintaining service delivery while under attack (A, correct)

Which layer of a system is commonly a point where security can be compromised?

  • Application layer (B, correct)

Why is it crucial to 'validate all inputs' as a design guideline for security engineering?

  • To prevent unexpected inputs from causing problems or security vulnerabilities (B, correct)

What does it mean to 'Compartmentalize your assets' in security design?

  • To organize the system so that assets are in separate areas with restricted user access (D, correct)

In security engineering, why should a system be designed considering its deployment environment?

  • To avoid deployment-related problems and ensure smooth installation (C, correct)

Why is 'designing for recoverability' an important aspect of secure system design?

  • To simplify the process of recovering the system after a successful attack (A, correct)

Flashcards

Security Engineering

Tools, techniques, and methods to support the development and maintenance of systems that can resist malicious attacks intended to damage a computer-based system or its data.

Application Security

A software engineering concern where the system is designed to resist attacks.

Infrastructure Security

A systems management area where the infrastructure is configured to resist attacks.

User and Permission Management

Adding/removing users, setting appropriate user permissions.

Software Deployment and Maintenance

Installing and configuring software/middleware to avoid vulnerabilities.

Attack Monitoring, Detection, and Recovery

Monitoring for unauthorized access and creating strategies to resist/recover from attacks.

Misuse Cases

Instances of threats to a system.

Interception Threats

Attacker gains access to an asset.

Interruption Threats

Attacker makes part of a system unavailable.

Modification Threats

A system asset is tampered with.

Fabrication Threats

False information is added to a system.

Security Risk Management

Considering losses from attacks and balancing them against security costs.

Security Design Guidelines

Good practice in secure systems design.

Key Design Guidelines

Define security policy, use multiple security procedures, protect sensitive data on failure.

Base decisions on an explicit security policy

Base security decisions on an explicit security policy that sets out organization security requirements.

Avoid a single point of failure

Ensure that a security failure only happens when multiple security procedures fail, for example, password AND question-based authentication.

Fail securely

When systems fail, ensure sensitive information isn't accessed by unauthorized users, even when normal procedures are unavailable.

System Survivability

System's ability to deliver essential services during/after an attack.

Resistance

Avoiding problems by building capabilities into the system to resist attacks.

Recognition

Detecting problems by building capabilities into the system to detect attacks and failures and assess the resultant damage.

Study Notes

Topics Covered

  • Security engineering focuses on applications, while security management focuses on the underlying infrastructure
  • Security risk assessment identifies the risks to a system, and the system is then designed on the basis of that assessment
  • System architectures must be designed with security in mind

Security Engineering

  • Security engineering uses tools, techniques, and methods to develop and maintain systems resistant to malicious attacks intended to damage computer-based systems or data
  • Security engineering is a sub-field of computer security

Application and Infrastructure Security

  • Application security relies on software engineering to design systems to resist attacks
  • Infrastructure security relies on systems management to configure infrastructure to resist attacks
  • Application security is the primary focus

System Security Management

  • User and permission management consists of adding/removing users and setting appropriate permissions
  • Software deployment and maintenance involves installing and configuring application software and middleware to avoid vulnerabilities
  • Attack monitoring, detection, and recovery includes monitoring for unauthorized access, designing resistance strategies, and developing backup and recovery plans

Security Risk Management

  • Risk management involves assessing potential losses from attacks and balancing those losses against the cost of security procedures
  • Risk management should be driven by organizational security policy
  • Risk management contains:
    • Preliminary risk assessment
    • Life cycle risk assessment
    • Operational risk assessment

Misuse Cases

  • Misuse cases are instances of threats to a system
  • Interception threats include attackers gaining access to system assets
  • Interruption threats include attackers making part of a system unavailable
  • Modification threats include system assets being tampered with
  • Fabrication threats include false information being added to a system

Asset Analysis

  • The information system has a high value because it is required to support all clinical consultations and is potentially safety-critical; it has a high exposure because of the financial loss associated with clinics being canceled and the cost of restoring the system
  • The patient database has a high value because it is required to support all clinical consultations and is potentially safety-critical; it has a high exposure because of the financial loss caused by possible cancellations and the harm caused by treatments not being prescribed
  • An individual patient record typically has a low value, except for high-profile patients, and a low exposure: the direct losses are small, although there is a potential loss of reputation

Threat and Control Analysis

  • Unauthorized use of a system manager account has a low probability; control it by only allowing managers to perform system management from physically secure locations. This control has a low cost.
  • Unauthorized use of a system user account has a high probability; counter it by requiring user authentication and logging all changes to patient information. This control has a technically high cost and may meet user resistance.

Design Guidelines for Security Engineering

  • Design guidelines should encapsulate good practice in secure systems design
  • Design guidelines are applicable during software specification and design

Security Guideline List

  • Base security decisions on an explicit security policy
  • Avoid a single point of failure
  • Fail securely
  • Balance security and usability
  • Log user actions
  • Use redundancy and diversity to reduce risk
  • Validate all inputs
  • Compartmentalize assets
  • Design for deployment
  • Design for recoverability

Design Guidelines 1-3

  • Base decisions on security policy: Define a security policy for the organization, setting out fundamental security requirements for all organizational systems
  • Avoid single point of failure: Ensure that a security failure can only result from the failure of multiple security procedures, for example, password and question-based authentication
  • Fail securely: Ensure sensitive information inaccessible to unauthorized users when systems fail, even when normal security procedures are unavailable

Design Guidelines 4-6

  • Balance security and usability: Avoid security procedures that make the system difficult to use, accepting weaker security where necessary to keep the system usable
  • Log user actions: Maintain a log of user actions for analysis, deterring irresponsible behavior if users are aware of the log
  • Use redundancy and diversity to reduce risk: Keep multiple copies of data and use diverse infrastructure to avoid a single point of failure

Design Guidelines 7-10

  • Validate all inputs: Check if the inputs are within acceptable ranges
  • Compartmentalize assets: Organize the system so that assets are in separate areas and users only have access to the information they need rather than all system information
  • Design for deployment: Design the system to avoid deployment problems
  • Design for recoverability: Design the system to simplify recovery after a successful attack

System Survivability

  • Survivability is an emergent system property that shows the system's ability to deliver essential services while under attack or after damage
  • Survivability analysis and design should be within the security engineering process

Importance of Survivability

  • Economic and social lives rely on computer systems, specifically:
    • Critical infrastructure (electricity, gas, telecommunications, transport)
    • Healthcare
    • Government
  • The loss of business systems has very severe economic effects, like:
    • Airline reservation systems
    • E-commerce systems
    • Payment systems

Survivability Strategies

  • Resistance: Building capabilities into the system to resist attacks
  • Recognition: Detecting problems by building capabilities into the system to detect attacks and failures and assess the resultant damage
  • Recovery: Tolerating problems by building capabilities into the system to deliver services whilst under attack

Key Points

  • General security guidelines sensitize designers to security issues and serve as review checklists
  • Configuration visualization, setting localization, and minimization of default privileges help reduce deployment errors
  • System survivability reflects the ability of a system to deliver services whilst under attack or after damage
