Management Information Security
Information Security
Principles and Practices, 2nd Edition
Dr. Cindi Nadelman
New England College
Chapter 2: Information Security Principles of Success
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
Objectives
- Build an awareness of 12 basic principles of information security
- Distinguish among the three main security goals
- Learn how to design and apply the principle of “Defense in Depth”
- Comprehend human vulnerabilities are security systems
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
Objectives (cont.)
- Explain the difference between functional and assurance requirements
- Comprehend the fallacy of security through obscurity
- Comprehend the importance of risk analysis and risk management tools and techniques
- Determine which side of open disclosure debate you would take
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
Introduction
- Best security specialists combine practical knowledge and technical skills with understanding of human nature
- No two systems or situations are identical, and there are no cookbooks to consult on how to solve security problems
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- Given enough time, tools, skills, and inclination, a hacker can break through any security measure
- Security testing can buy additional time so the attackers are caught in the act
Principle 1:There Is No Such Thing as Absolute Security
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- All information security measures try to address at least one of the three goals:
- Confidentiality
- Integrity
- Availability
- The three security goals form the CIA triad
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- Protect the confidentiality of data
- Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible
- Preserve the integrity of data
- Integrity models keep data pure and trustworthy by protecting system data from intentional and accidental changes
- Promote the availability of data for authorized use
- Availability models keep data and resources available for authorized use during denial-of-service attacks, natural disasters, and equipment failures
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability (cont.)
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- Defense in depth
- Involves implemented security in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response
- The weaknesses of one security layer are offset by the strengths of two or more layers
Principles 3: Defense in Depth as Strategy
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- Takes little to convince someone to give up their credentials in exchange for trivial or worthless goods
- Many people are easily convinced to double-click the attachment or links inside emails
Subject: Here you have, ;o)
Message body: Hi: Check This!
Attachment: AnnaKournikova.jpg.vbs
Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- Functional requirements
- Describe what a system should do
- Assurance requirements
- Describe how functional requirements should be implemented and tested
Does the system do the right things in the right way?
- Verification: The process of confirming that one or more predetermined requirements or specifications are met
- Validation: A determination of the correctness or quality of the mechanisms used in meeting the needs
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- Many people believe that if hackers don’t know how software is secured, security is better
- Although this seems logical, it’s actually untrue
- Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all
Principle 6: Security Through Obscurity Is Not an Answer
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- Security is not concerned with eliminating all threats within a system or facility but with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability
- Spending more on security than the cost of an asset is a waste of resources
- Risk assessment and risk analysis are used to place an economic value on assets to best determine appropriate countermeasures that protect them from losses
Principle 7: Security = Risk Management
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
Principle 7: Security = Risk Management cont.
- Two factors to determine risk
- What is the consequence of a loss?
- What is the likelihood the loss will occur?
- Consequences/likelihood matrix
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
| Likelihood | Consequences | ||||
| 1. Insignificant | 2. Minor | 3. Moderate | 4. Major | 5. Catastrophic | |
| A (almost certain) | High | High | Extreme | Extreme | Extreme |
| B (likely) | Moderate | High | High | Extreme | Extreme |
| C (moderate) | Low | Moderate | High | Extreme | Extreme |
| D (unlikely) | Low | Low | Moderate | High | Extreme |
| E (rare) | Low | Low | Moderate | High | High |
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- Vulnerability
- A known problem within a system or program
- Exploit
- A program or a “cookbook” on how to take advantage of a specific vulnerability
- Attacker
- The link between a vulnerability and an exploit
Principle 7: Security = Risk Management
cont.
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- A security mechanism serves a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it is happening or after it has been discovered
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- The more complex a system gets, the harder it is to secure
Principle 9: Complexity Is the Enemy of Security
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- Information security managers must justify all investments in security using techniques of the trade
- When spending resources can be justified with good, solid business rationale, security requests are rarely denied
Principle 10: Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- People controls
- Dual control and separation of duties
- Process controls
- Different people can perform the same operation the same way every time
- Technology alone without people and process controls can fail
- People, process, and technology controls are essential elements of security practices including operations security, applications development security, physical security, and cryptography
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
- Keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security
- The need to know trumps the need to keep secrets to give users the right to protect themselves
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
Users have a right to know about defects in the products they purchase, just as they have a right to know about automobile recalls because of defects.
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
Summary
- Computer security specialists must not only know the technical side of their jobs but also must understand the principles behind information security
- These principles are mixed and matched to describe why certain security functions and operations exist in the real world of IT
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
Users have a right to know about defects in the products they purchase, just as they have a right to know about automobile recalls because of defects.
*