ST1 - session 2 - Fundamentals.pdf
North Carolina State University
Secure Thinking: Issues in Cybersecurity and Privacy
Session 2 – Security Fundamentals
Jeff Crume, PhD, CISSP, ISSAP
IBM Distinguished Engineer
NCSU Teaching Assistant Professor

Last week’s assignment
Read Schneier’s essay on “Policy vs. Technology” and be prepared to discuss insights.
https://www.schneier.com/blog/archives/2020/02/policy_vs_techn.html

Secure Thinking
Thinking in “photo negative”
– A “normal” architect considers how a system will work.
– A security architect considers how a system will fail.

Secure Thinking
No such thing as absolute security
– Typical question: Is it secure?
– Better question: Is it secure enough?
Constant vigilance
– Shooting at a moving target
– “If you’re happy with your security, so are the bad guys.”
– “There is nothing more dangerous than presumed security.”
– The Zero Trust philosophy is a natural conclusion

IT Security is about “CIA”
Confidentiality
Integrity
Availability

5 Security Principles

Principle of Least Privilege
Only authorized users are granted access, and only to what is absolutely necessary
– Avoid “privilege creep”
“Less is more”
– Hardening (removing unnecessary services, changing defaults, etc.)

Defense in Depth
No single security mechanism is expected to cover everything
A system of security controls that together provide a failsafe

Separation of Duties (a.k.a. Segregation of Duties)
No single individual has complete control
Built-in oversight
Subverting the system would require collusion

Secure by Design
Security should not be an afterthought
Apply security principles at the design phase
When your security is a ladder

KISS Principle
“Complexity is the enemy of security”
Keep It Simple, Stupid

Security by Obscurity?
Kerckhoffs’ Principle
A cryptographic system should be secure even if everything about the system, except the key, is public knowledge
The same principle applies to other aspects of security as well

Resources
Crypto-Gram Newsletter
https://www.schneier.com/crypto-gram/
Dragon Newsbytes
https://lists.cymru.com/mailman/listinfo/dragon_newsbytes
PCworld Top Stories Newsletter
https://www.pcworld.com/newsletters/signup.html?utm_source=Adestra&utm_medium=email&utm_content=Sign%20up&utm_campaign=PCWorld%20Top%20Stories%20%40PCWorld&utm_term=Editorial%20-%20Top%20Stories%20%40PCWorld&utm_date=20200812184056&huid=d489520e-2895-409f-877c-8913e3674769
Macworld Daily Newsletter
https://www.macworld.com/newsletters/signup
IBM Security Intelligence Blog
https://securityintelligence.com

Assignment
Peruse the Resources links
Subscribe to the ones you like
Make a current events post to the Discussion Board