Chapter 2_Information Security Principles of Success (1).ppt PDF
Summary
This document covers the principles of information security, including confidentiality, integrity, and availability. It explains the importance of security and how different components such as people, processes, and technologies can be utilized to implement security.
Principles of Information Security

Objectives
- Build an awareness of 12 basic principles of information security
- Distinguish among the three main security goals
- Learn how to design and apply the principle of “Defense in Depth”
- Comprehend human vulnerabilities in security systems

© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition

Objectives (cont.)
- Explain the difference between functional and assurance requirements
- Comprehend the fallacy of security through obscurity
- Comprehend the importance of risk analysis and risk management tools and techniques
- Determine which side of the open disclosure debate you would take

Introduction
- The best security specialists combine practical knowledge and technical skills with an understanding of human nature
- No two systems or situations are identical, and there are no cookbooks to consult on how to solve security problems

Principle 1: There Is No Such Thing as Absolute Security
- Given enough time, tools, skills, and inclination, a hacker can break through any security measure
- Security testing can buy additional time so that attackers are caught in the act

Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
- All information security measures try to address at least one of the three goals: confidentiality, integrity, availability
- The three security goals form the CIA triad (Security Goals: Confidentiality, Integrity, Availability)
Principle 2 (cont.): Protect the confidentiality of data
- Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible.
- Confidentiality is sometimes referred to as the principle of least privilege, meaning that users should be given only enough privilege to perform their duties, and no more.
- Some other synonyms for confidentiality you might encounter include privacy, secrecy, and discretion.

Principle 2 (cont.): Preserve the integrity of data
- Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes.
- Integrity models have three goals:
  - Prevent unauthorized users from making modifications to data or programs
  - Prevent authorized users from making improper or unauthorized modifications
  - Maintain internal and external consistency of data and programs
- An example of an integrity check is balancing a batch of transactions to make sure that all the information is present and accurately accounted for.
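The batch-balancing check mentioned above, as an added example that is not part of the slides: the sender seals a batch with control totals (record count and amount sum) plus a digest, and the receiver reports every way the batch fails to balance. The batch contents and field names are constructed for illustration.

```python
import hashlib
from decimal import Decimal

# Constructed sample batch: (transaction id, amount) pairs.
SAMPLE_BATCH = [
    ("T1", Decimal("100.00")),
    ("T2", Decimal("250.50")),
    ("T3", Decimal("49.50")),
    ("T4", Decimal("600.00")),
]

def _digest(records):
    """Order-sensitive SHA-256 over a canonical serialization of the records."""
    h = hashlib.sha256()
    for tid, amount in records:
        h.update(f"{tid}|{amount}\n".encode())
    return h.hexdigest()

def _total(records):
    return sum((amount for _, amount in records), Decimal("0"))

def seal_batch(records):
    """Sender side: control totals plus a digest travel with the batch."""
    return {"count": len(records), "total": _total(records), "digest": _digest(records)}

def verify_batch(header, records):
    """Receiver side: return the list of integrity problems (empty means the batch balances).

    Count and sum catch dropped or mistyped records; the digest also catches
    compensating edits that leave the totals unchanged, and reordering.
    """
    problems = []
    if len(records) != header["count"]:
        problems.append(f"record count {len(records)} != expected {header['count']}")
    if _total(records) != header["total"]:
        problems.append(f"amount total {_total(records)} != expected {header['total']}")
    ids = [tid for tid, _ in records]
    if len(ids) != len(set(ids)):
        problems.append("duplicate transaction ids")
    if _digest(records) != header["digest"]:
        problems.append("digest mismatch: a record was altered or reordered")
    return problems
```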
Principle 2 (cont.): Promote the availability of data for authorized use
- Availability models keep data and resources available for authorized use during denial-of-service attacks, natural disasters, and equipment failures:
  - Denial of service (DoS) due to intentional attacks or because of undiscovered flaws in implementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered)
  - Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes)
  - Equipment failures during normal use

Principle 3: Defense in Depth as Strategy
- Defense in depth involves implementing security in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response
- The weaknesses of one security layer are offset by the strengths of two or more layers

Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions
- It takes little to convince someone to give up their credentials in exchange for trivial or worthless goods
- Many people are easily convinced to double-click the attachment or links inside emails, for example:
  - Subject: Here you have, ;o)
  - Message body: Hi: Check This!
  - Attachment: AnnaKournikova.jpg.vbs

Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
- Functional requirements describe what a system should do
- Assurance requirements describe how functional requirements should be implemented and tested
- Does the system do the right things in the right way?
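The AnnaKournikova.jpg.vbs lure above hides a script extension behind an image extension. As an added example (not from the slides), a mail-gateway style triage that flags such disguised attachments; the extension sets and sample file names are constructed for illustration, and the classifier also handles the related trick of padding the name with spaces before the real extension.

```python
# Extensions Windows treats as directly executable or script-like (illustrative set).
EXECUTABLE_EXTENSIONS = {"exe", "vbs", "js", "scr", "bat", "cmd", "com", "pif", "hta", "wsf"}
# Extensions a user expects to be harmless content (illustrative set).
BENIGN_LOOKING = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt", "xls", "xlsx"}

# Constructed sample attachment names; the first mirrors the lure quoted on the slide.
SAMPLE_ATTACHMENTS = [
    "AnnaKournikova.jpg.vbs",
    "invoice.pdf",
    "report.docx.exe",
    "holiday.jpg                              .scr",
    "setup.exe",
    "notes.txt",
]

def classify_attachment(name: str) -> str:
    """Return 'block', 'warn' or 'allow' for an attachment file name.

    block: an executable extension hidden behind a benign-looking one (e.g. .jpg.vbs)
    warn:  a plain executable or script extension
    allow: anything else
    """
    # Strip whitespace from each token so padded names like "x.jpg   .scr" are seen as is.
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 2:
        return "allow"
    final = parts[-1]
    if final not in EXECUTABLE_EXTENSIONS:
        return "allow"
    # Any earlier extension-like token that looks benign is a disguise, not a file name.
    if any(p in BENIGN_LOOKING for p in parts[1:-1]):
        return "block"
    return "warn"

def triage(names):
    """Map each attachment name to its verdict (the gateway would act on 'block' first)."""
    return {name: classify_attachment(name) for name in names}
```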
Principle 5 (cont.)
- Verification: The process of confirming that one or more predetermined requirements or specifications are met
- Validation: A determination of the correctness or quality of the mechanisms used in meeting the needs

Principle 6: Security Through Obscurity Is Not an Answer
- Many people believe that if hackers don’t know how software is secured, security is better
- Although this seems logical, it’s actually untrue
- Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all

Principle 7: Security = Risk Management
- Security is not concerned with eliminating all threats within a system or facility but with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability
- Spending more on security than the cost of an asset is a waste of resources
- Risk assessment and risk analysis are used to place an economic value on assets to best determine appropriate countermeasures that protect them from losses

Principle 7: Security = Risk Management (cont.)
- Two factors determine risk:
  - What is the consequence of a loss?
  - What is the likelihood the loss will occur?
- Consequences/likelihood matrix (rows: likelihood; columns: consequences):

  Likelihood         | 1. Insignificant | 2. Minor  | 3. Moderate | 4. Major | 5. Catastrophic
  A (almost certain) | High             | High      | Extreme     | Extreme  | Extreme
  B (likely)         | Moderate         | High      | High        | Extreme  | Extreme
  C (moderate)       | Low              | Moderate  | High        | Extreme  | Extreme
  D (unlikely)       | Low              | Low       | Moderate    | High     | Extreme
  E (rare)           | Low              | Low       | Moderate    | High     | High
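The matrix above rates a risk from its likelihood row and consequence column; the slide before it adds the rule that a countermeasure costing more than the asset is a waste. As an added example that is not part of the slides, a small risk register that applies both, ordering risks most severe first; the sample risks, asset values and costs are constructed for illustration.

```python
from typing import NamedTuple

# Consequence columns 1..5 and likelihood rows A..E, as on the slide.
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
MATRIX = {
    "A": ["High", "High", "Extreme", "Extreme", "Extreme"],       # almost certain
    "B": ["Moderate", "High", "High", "Extreme", "Extreme"],      # likely
    "C": ["Low", "Moderate", "High", "Extreme", "Extreme"],       # moderate
    "D": ["Low", "Low", "Moderate", "High", "Extreme"],           # unlikely
    "E": ["Low", "Low", "Moderate", "High", "High"],              # rare
}
SEVERITY = {"Low": 0, "Moderate": 1, "High": 2, "Extreme": 3}

class Risk(NamedTuple):
    name: str
    likelihood: str        # "A".."E"
    consequence: str       # key of CONSEQUENCE
    asset_value: float     # economic value placed on the asset
    countermeasure_cost: float

def rate(risk: Risk) -> str:
    """Look up the rating for one risk in the consequences/likelihood matrix."""
    return MATRIX[risk.likelihood][CONSEQUENCE[risk.consequence] - 1]

def assess(risks):
    """Return (name, rating, cost verdict) tuples, most severe first.

    The cost verdict applies the slide's rule: a countermeasure that costs more
    than the asset it protects is a waste of resources.
    """
    rows = []
    for r in risks:
        verdict = "waste" if r.countermeasure_cost > r.asset_value else "justifiable"
        rows.append((r.name, rate(r), verdict))
    rows.sort(key=lambda row: SEVERITY[row[1]], reverse=True)  # stable: ties keep input order
    return rows

# Constructed sample register.
SAMPLE_RISKS = [
    Risk("ransomware on file server", "B", "major", 200_000, 15_000),
    Risk("lost USB stick of public brochures", "A", "insignificant", 50, 400),
    Risk("data centre flood", "E", "catastrophic", 5_000_000, 250_000),
    Risk("laptop theft, disk encrypted", "C", "minor", 2_000, 100),
]
```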
Principle 7: Security = Risk Management (cont.)
- Vulnerability: A known problem within a system or program
- Exploit: A program or a “cookbook” on how to take advantage of a specific vulnerability
- Attacker: The link between a vulnerability and an exploit

Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
- Controls (such as documented processes) and countermeasures (such as firewalls) must be implemented as one or more of these types, or the controls are not there for the purposes of security.
- Shown in another triad, the principle of defense in depth dictates that a security mechanism serve a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it’s happening or after it has been discovered.
- Referring to the example of the bank vault in Principle 3: access to a bank’s safe or vault requires passing through layers of protection that might include human guards and locked doors with special access controls (prevention). In the room where the safe resides, closed-circuit televisions, motion sensors, and alarm systems quickly detect any unusual activity (detection). The sound of an alarm could trigger the doors to automatically lock, the police to be notified, or the room to fill with tear gas (response).
Principle 8 (cont.)
- A security mechanism serves a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it is happening or after it has been discovered

Principle 9: Complexity Is the Enemy of Security
- The more complex a system gets, the harder it is to secure

Principle 10: Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security
- At one time, “scaring” management into spending resources on security to avoid the unthinkable was effective.
- The tactic of fear, uncertainty, and doubt (FUD) no longer works: Information security and IT management is too mature.
- Now IS managers must justify all investments in security using techniques of the trade.
- Although this makes the job of information security practitioners more difficult, it also makes them more valuable because of management’s need to understand what is being protected and why.
- When spending resources can be justified with good, solid business rationale, security requests are rarely denied.

Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
- As described in Principle 3, “Defense in Depth as Strategy,” the information security practitioner needs a series of countermeasures and controls to implement an effective security system.
- One such control might be dual control, a practice borrowed from the military. The U.S. Department of Defense uses a dual control protocol to secure the nation’s nuclear arsenal.
Principle 11 (cont.)
- This means that at least two on-site people must agree to launch a nuclear weapon. If one person were in control, he or she could make an error in judgment or act maliciously for whatever reason.
- But with dual control, one person acts as a countermeasure to the other: it is less likely that both people will make an error in judgment or act maliciously.
- Likewise, no one person in an organization should have the ability to control or close down a security activity. This is commonly referred to as separation of duties.

Principle 11 (cont.): People controls
- Dual control and separation of duties
- Separation of duties: A security principle that says no one person should be able to effect a breach of security.
- Dual control: A security procedure requiring two people (or possibly processes or devices) to cooperate in gaining authorized access to a system resource (data, files, devices).

Principle 11 (cont.): Process controls
- Process controls are implemented to ensure that different people can perform the same operations exactly the same way each time.
- Processes are documented as procedures on how to carry out an activity related to security.

Principle 11 (cont.): Technology
- Technology can fail, and without people to notice and fix technical problems, computer systems would stall permanently.
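The two people controls defined above, dual control and separation of duties, as an added example that is not part of the slides: a request to close down a security activity needs two distinct approvers, and the requester may not be one of them. The action name, people and the status strings are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DualControlRequest:
    """A privileged action gated by two people, neither of whom is the requester."""
    action: str
    requester: str
    required_approvals: int = 2
    approvers: list = field(default_factory=list)

    def approve(self, person: str) -> str:
        """Record an approval, or refuse it; returns a status string for the audit trail."""
        # Separation of duties: no one person may both request and approve the change,
        # so the requester can never single-handedly close down a security activity.
        if person == self.requester:
            return "rejected: requester cannot approve own request"
        # Dual control: one person cannot supply both approvals.
        if person in self.approvers:
            return "rejected: duplicate approval by same person"
        self.approvers.append(person)
        return "accepted"

    def is_authorized(self) -> bool:
        return len(self.approvers) >= self.required_approvals

def run_scenario():
    """Walk one constructed request through the control and return the audit trail."""
    req = DualControlRequest(action="disable-alerting-on-file-server", requester="alice")
    trail = []
    for person in ["alice", "bob", "bob", "carol"]:
        trail.append((person, req.approve(person), req.is_authorized()))
    return trail
```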
- An example of this type of waste is installing an expensive firewall system (a network perimeter security device that blocks traffic) and then turning around and opening all the ports that are intended to block certain traffic from entering the network.

Principle 11 (cont.)
- People, process, and technology controls are essential elements of several areas of practice in information technology (IT) security, including operations security, applications development security, physical security, and cryptography.

Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!
- A raging and often heated debate within the security community and software developing centers concerns whether to let users know about a problem before a fix or patch can be developed and distributed.
- Principle 6 tells us that security through obscurity is not an answer: keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security.
- Users have a right to know about defects in the products they purchase, so that they can protect themselves.