Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

- Build an awareness of 12 generally accepted basic principles of information security to help you determine how these basic principles apply to real-life situations
- Distinguish among the three main security goals
- Learn how to design and apply the principle of defense in depth
- Comprehend human vulnerabilities in security systems to better design solutions to counter them
- Explain the difference between functional requirements and assurance requirements
- Comprehend the fallacy of security through obscurity to avoid using it as a measure of security
- Comprehend the importance of risk-analysis and risk-management tools and techniques for balancing the needs of business
- Determine which side of the open disclosure debate you would take

Introduction

Many of the topics information technology students study in school carry directly from the classroom to the workplace. For example, new programming and systems analysis and design skills can often be applied on new systems-development projects as companies espouse cloud computing and mobile infrastructures that access internal systems. Security is a little different. Although their technical skills are certainly important, the best security specialists combine their practical knowledge of computers and networks with general theories about security, technology, and human nature.
A common example in InfoSec is the buffer overflow (or buffer overrun) vulnerability. Programmers tend to be trusting: they worry about who will use their programs legitimately rather than about who will attack them, so they often accept input without checking that it fits in the space set aside for it.

A malicious user, however, might take advantage of this weakness and overload the input area with more information than it can handle, crashing or disabling the program. This is called buffer overflow, and because the excess data overwrites adjacent memory, it can permit a malicious user to gain control over the system. This common software vulnerability must be addressed when developing systems.
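The defect described above, as an added example that is not from the textbook: a length-prefixed message parser written two ways. The first trusts the length byte the sender supplies and so writes past its buffer; the second checks the claimed length against both the buffer's capacity and the bytes actually received. The wire format (one length byte followed by the payload), the struct layout and the sample messages are assumptions made for this example.

```c
/*
 * Added example, not from the textbook: a length-prefixed message parser
 * written two ways. parse_name_unchecked() trusts the length byte the sender
 * supplies, so a message claiming more bytes than the destination holds
 * overwrites whatever follows the buffer, here the is_admin flag.
 * parse_name_checked() validates the claimed length against both the buffer
 * capacity and the bytes actually received before copying. The wire format
 * (one length byte followed by the payload) and the struct layout are
 * assumptions made for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16   /* 15 characters plus the terminating NUL */

struct session {
    char name[NAME_CAP];
    int  is_admin;    /* lives right after name[] in memory: a classic overflow target */
};

/* VULNERABLE: copies msg[0] bytes without comparing against NAME_CAP or msg_len.
 * Calling this with hostile input is undefined behaviour; it is shown only to
 * make the defect visible beside the fix. */
void parse_name_unchecked(struct session *s, const uint8_t *msg, size_t msg_len)
{
    (void)msg_len;                       /* the bug: the real length is ignored */
    size_t claimed = msg[0];
    memcpy(s->name, msg + 1, claimed);   /* writes past name[] when claimed >= NAME_CAP */
    s->name[claimed] = '\0';
}

/* HARDENED: returns 0 on success, -1 if the message is malformed.
 * On failure the session is left exactly as it was. */
int parse_name_checked(struct session *s, const uint8_t *msg, size_t msg_len)
{
    if (s == NULL || msg == NULL || msg_len < 1)
        return -1;                       /* no length byte present */
    size_t claimed = msg[0];
    if (claimed > NAME_CAP - 1)
        return -1;                       /* would not fit with the NUL terminator */
    if (claimed > msg_len - 1)
        return -1;                       /* sender claims more bytes than it sent */
    memcpy(s->name, msg + 1, claimed);
    s->name[claimed] = '\0';
    return 0;
}

/* Constructed inputs: a benign login message and one that lies about its size. */
static const uint8_t MSG_GOOD[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t MSG_SHORT[] = { 10, 'x', 'y' };   /* claims 10 bytes, carries 2 */

/* Runs the hardened parser on the constructed inputs; returns 1 when it
 * accepts the benign message and rejects both hostile ones without
 * touching is_admin, 0 otherwise. */
int hardened_parser_behaves(void)
{
    struct session s = { "", 0 };
    uint8_t oversize[41] = { 40 };       /* claims 40 bytes: would smash is_admin */
    memset(oversize + 1, 'A', 40);

    if (parse_name_checked(&s, MSG_GOOD, sizeof MSG_GOOD) != 0) return 0;
    if (strcmp(s.name, "alice") != 0) return 0;
    if (parse_name_checked(&s, oversize, sizeof oversize) != -1) return 0;
    if (parse_name_checked(&s, MSG_SHORT, sizeof MSG_SHORT) != -1) return 0;
    return strcmp(s.name, "alice") == 0 && s.is_admin == 0;
}

int main(void)
{
    printf("hardened parser behaves: %s\n", hardened_parser_behaves() ? "yes" : "no");
    /* Feeding the 41-byte oversize message to parse_name_unchecked() is the
     * overflow itself; it is deliberately not executed here. */
    return 0;
}
```

The two checks in the hardened version are separate on purpose: the first bounds the write to the destination, the second bounds the read to the source. Dropping either one reintroduces a memory-safety bug, so a reviewer should expect to see both whenever a length comes from the network.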
An exploit is whatever takes advantage of a vulnerability in practice. It might be a program, or it might be a series of documented steps on how to exploit the vulnerability after an attacker finds a system that contains it. An attacker, then, is the link between a vulnerability and an exploit. The attacker has two characteristics: skill and will. Attackers either are skilled in the art of attacking systems or have access to tools that do the work for them.
They have the will to perform attacks on systems they do not own and usually care little about the consequences of their actions.
In applying these concepts to risk analysis, the IS practitioner must anticipate who might want to attack the system, how capable the attacker might be, how available the exploits to a vulnerability are, and which systems have the vulnerability present.
Risk analysis and risk management are specialized areas of study and practice, and the IS professionals who concentrate in these areas must be skilled and current in their techniques.
In the room where the safe resides, closed-circuit televisions, motion sensors, and alarm systems quickly detect any unusual activity (detection). The sound of an alarm could trigger the doors to lock automatically, the police to be notified, or the room to fill with tear gas (response).

An information system is layered the same way. The process called user access request is initiated when a new user is brought into the company or switches department or role within the company. The user access request form is initially completed by the user and approved by the manager. The resulting login control protects the system from unauthorized access by requiring a user ID and password (prevention), and it prevents password guessing by an unauthorized person by limiting the number of attempts to three before locking the account from further access attempts (detection and response).
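The login control described above, as an added example that is not from the textbook: a user ID lookup and password check (prevention), a per-account failure counter (detection), and a lock that engages on the third failure and stays until an administrator clears it (response). The account table, user IDs and secrets are constructed for the example, and the secrets are kept in plaintext only so the code stays self-contained; a real system stores a salted password hash instead.

```c
/*
 * Added example, not from the textbook: the login control from the text,
 * layered the way defense in depth prescribes. Prevention: the user ID must
 * be known and the password must match. Detection: failed attempts are
 * counted per account. Response: after three failures the account locks and
 * stays locked until an administrator clears it. The account table, user IDs
 * and secrets are constructed for the example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FAILURES 3

enum login_result { LOGIN_OK, LOGIN_DENIED, LOGIN_LOCKED };

struct account {
    const char *user_id;
    const char *secret;   /* assumption: plaintext only to keep the demo self-contained */
    int failures;         /* detection: consecutive failed attempts */
    int locked;           /* response: 1 once failures reach MAX_FAILURES */
};

/* Constructed account table. */
static struct account ACCOUNTS[] = {
    { "jdoe",   "correct-horse",  0, 0 },
    { "asmith", "battery-staple", 0, 0 },
};
#define N_ACCOUNTS (sizeof ACCOUNTS / sizeof ACCOUNTS[0])

/* Compares in time that depends only on the candidate's length, so the
 * number of matching leading characters does not leak through timing. */
static int secret_equal(const char *stored, const char *candidate)
{
    size_t ls = strlen(stored), lc = strlen(candidate);
    unsigned char diff = (unsigned char)(ls != lc);
    for (size_t i = 0; i < lc; i++)
        diff |= (unsigned char)(candidate[i] ^ stored[i < ls ? i : 0]);
    return diff == 0;
}

static struct account *find_account(const char *user_id)
{
    for (size_t i = 0; i < N_ACCOUNTS; i++)
        if (strcmp(ACCOUNTS[i].user_id, user_id) == 0)
            return &ACCOUNTS[i];
    return NULL;
}

enum login_result attempt_login(const char *user_id, const char *candidate)
{
    struct account *a = find_account(user_id);
    if (a == NULL)
        return LOGIN_DENIED;          /* same answer as a bad password: no user enumeration */
    if (a->locked)
        return LOGIN_LOCKED;          /* response already in force, even for the right password */
    if (secret_equal(a->secret, candidate)) {
        a->failures = 0;              /* prevention passed; the streak resets */
        return LOGIN_OK;
    }
    a->failures++;                    /* detection */
    if (a->failures >= MAX_FAILURES) {
        a->locked = 1;                /* response: third strike locks the account */
        return LOGIN_LOCKED;
    }
    return LOGIN_DENIED;
}

/* Administrative unlock: the step a verified access request would trigger.
 * Returns 0 on success, -1 for an unknown user. */
int unlock_account(const char *user_id)
{
    struct account *a = find_account(user_id);
    if (a == NULL) return -1;
    a->locked = 0;
    a->failures = 0;
    return 0;
}

int main(void)
{
    static const char *const NAMES[] = { "ok", "denied", "locked" };
    const char *guesses[] = { "password", "letmein", "qwerty", "correct-horse" };
    for (size_t i = 0; i < 4; i++)
        printf("jdoe / %-14s -> %s\n", guesses[i], NAMES[attempt_login("jdoe", guesses[i])]);
    unlock_account("jdoe");
    printf("after unlock         -> %s\n", NAMES[attempt_login("jdoe", "correct-horse")]);
    return 0;
}
```

Two details matter more than the counter itself: an unknown user ID gets the same answer as a wrong password, so the login screen does not confirm which accounts exist, and a locked account refuses even the correct password, so the response cannot be bypassed by a lucky fourth guess.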
Having specific knowledge of a security vulnerability gives administrators the knowledge to properly defend their systems from related exploits.
The ethical question is, how should that valuable information be disseminated to the good guys while keeping it away from the bad guys? Hackers tend to communicate among themselves far better than professional security practitioners ever could. Hackers know about most vulnerabilities long before the general public gets wind of them.
By the time the general public is made aware, the hacker community has already developed a workable exploit and disseminated it far and wide to take advantage of the flaw before it can be patched or closed down. Because of this, open disclosure benefits the general public far more than is acknowledged by the critics who claim that it gives the bad guys the same information.

If you see something, say something.

You learn in Chapter 5 how complexity can easily get in the way of comprehensive testing of security mechanisms.
Now IS managers must justify all investments in security using the techniques of the trade. When spending can be justified with good, solid business rationale, security requests are rarely denied.

One example of a people control is dual control, a practice borrowed from the military. The U.S. rule for launching a nuclear weapon is the classic case: at least two on-site people must agree before a launch can proceed. If one person were in control, he or she could make an error in judgment or act maliciously for whatever reason.
But with dual control, one person acts as a countermeasure to the other: it is far less likely that both people will make an error in judgment or act maliciously at the same time. Likewise, no one person in an organization should have the ability to control or close down a security activity on his or her own. This is commonly referred to as separation of duties.

Process controls are implemented to ensure that different people can perform the same operations in exactly the same way each time. Processes are documented as procedures on how to carry out an activity related to security. The process of configuring a server operating system for secure operation, for example, is documented as one or more procedures that security administrators follow and that can be verified as having been done correctly. Just as the information security professional establishes process controls to make sure that a single person cannot gain complete control over a system, you should never place all your faith in technology controls alone.
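Dual control and separation of duties, as an added example that is not from the textbook: a request to perform a sensitive security operation may proceed only when two distinct, authorized approvers have signed off, and the person who raised the request is never counted as one of them. The action name, the principal names and the authorized-approver list are assumptions made up for this example.

```c
/*
 * Added example, not from the textbook: a two-person rule for a sensitive
 * security operation, implemented as a check that a request carries sign-off
 * from two distinct, authorized approvers, neither of whom is the person who
 * raised it (separation of duties). The action name, principal names and the
 * authorized-approver list are assumptions made up for the example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_APPROVALS 8

struct request {
    const char *action;
    const char *requester;
    const char *approvers[MAX_APPROVALS];
    size_t n_approvers;
};

/* Assumption: the only principals allowed to approve this class of action. */
static const char *const AUTHORIZED[] = { "ops-lead", "sec-lead", "ciso" };

static int is_authorized(const char *who)
{
    for (size_t i = 0; i < sizeof AUTHORIZED / sizeof AUTHORIZED[0]; i++)
        if (strcmp(AUTHORIZED[i], who) == 0)
            return 1;
    return 0;
}

static int already_counted(const char *const *seen, size_t n, const char *who)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(seen[i], who) == 0)
            return 1;
    return 0;
}

/* Records a sign-off. Returns 0 on success, -1 if the request is full. */
int add_approval(struct request *r, const char *who)
{
    if (r->n_approvers >= MAX_APPROVALS)
        return -1;
    r->approvers[r->n_approvers++] = who;
    return 0;
}

/* Counts approvals that are authorized, not from the requester, and not
 * duplicates of one already counted; returns the number of valid approvers. */
size_t valid_approvals(const struct request *r)
{
    const char *counted[MAX_APPROVALS];
    size_t n = 0;
    for (size_t i = 0; i < r->n_approvers; i++) {
        const char *a = r->approvers[i];
        if (!is_authorized(a))              continue;   /* not on the list */
        if (strcmp(a, r->requester) == 0)   continue;   /* no self-approval */
        if (already_counted(counted, n, a)) continue;   /* same person twice */
        counted[n++] = a;
    }
    return n;
}

/* Dual control: the action may proceed only with two independent approvers. */
int dual_control_satisfied(const struct request *r)
{
    return valid_approvals(r) >= 2;
}

int main(void)
{
    struct request r = { "disable-intrusion-monitoring", "ops-lead", { NULL }, 0 };
    const char *signoffs[] = { "ops-lead", "sec-lead", "sec-lead", "intern", "ciso" };
    for (size_t i = 0; i < 5; i++) {
        add_approval(&r, signoffs[i]);
        printf("after %-9s -> %zu valid, proceed=%d\n",
               signoffs[i], valid_approvals(&r), dual_control_satisfied(&r));
    }
    return 0;
}
```

Note that the walkthrough in main() needs five sign-offs before the rule is met: the requester's own approval, a repeat from the same approver, and an unauthorized principal are each discarded, which is exactly the collusion-resistance the two-person rule is meant to buy.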
An example of this type of waste is installing an expensive firewall system (a network perimeter security device that blocks traffic) and then turning around and opening all the ports that were intended to block certain traffic from entering the network. People, process, and technology controls are essential elements of several areas of practice in information technology (IT) security, including operations security, applications development security, physical security, and cryptography.
These three pillars of security are often depicted as a three-legged stool (see Figure 2.).

A raging and often heated debate within the security community and software development shops concerns whether to let users know about a problem before a fix or patch can be developed and distributed. Principle 6 tells us that security through obscurity is not an answer: keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security.
Users have a right to know about defects in the products they purchase, just as they have a right to know about automobile recalls because of defects. The need to know trumps the need to keep secrets, giving users the right to protect themselves.

Summary

To be most effective, computer security specialists must not only know the technical side of their jobs but also understand the principles behind information security.
No two situations that security professionals review are identical, and there are no recipes or cookbooks on universal security measures. Because each situation calls for a distinct judgment to address the specific risks inherent in information systems, principles-based decision making is imperative.
The goal is to help you create a toolkit and develop the skills to use these tools like a master craftsman. As you explore the rest of the Common Body of Knowledge (CBK) domains, try to relate the practices you find to one or more of these principles. Doing so helps prevent breaches in confidentiality, integrity, and availability, and implements the principle of defense in depth.
As you will find, these principles are mixed and matched to describe why certain security functions and operations exist in the real world of IT.

Test Your Skills

1. Which of the following represents the three goals of information security?
A. Confidentiality, integrity, and availability
B. Prevention, detection, and response
C. People controls, process controls, and technology controls
D. Network security, PC security, and mainframe security

2. Which of the following terms best describes the assurance that data has not been changed unintentionally due to an accident or malice?
A. Availability
B. Confidentiality
C. Integrity
D.

3. Related to information security, confidentiality is the opposite of which of the following?
A. Closure
B. Disclosure
C. Disaster
D. Disposal

4. The CIA triad is often represented by which of the following?
A. Triangle
B. Diagonal
C. Ellipse
D. Circle

5. Defense in depth is needed to ensure that which three mandatory activities are present in a security system?
A. Prevention, response, and prosecution
B. Response, collection of evidence, and prosecution
C. Prevention, detection, and response
D. Prevention, response, and management

6. Which of the following statements is true?
A. The weakest link in any security system is the technology element.
B. The weakest link in any security system is the process element.
C. The weakest link in any security system is the human element.
D. Both B and C

7. Which of the following best represents the two types of IT security requirements?
A. Functional and logical
B. Logical and physical
C. Functional and assurance
D. Functional and physical

8. Security functional requirements describe which of the following?
A. What a security system should do by design
B. What controls a security system must implement
C. Quality assurance description and testing approach
D. How to implement the system

9.
A. Security assurance requirements describe how to test the system.
B. Security assurance requirements describe how to program the system.
C. Security assurance requirements describe to what degree the testing of the system is conducted.
D. Security assurance requirements describe implementation considerations.

10. Which of the following terms best describes the probability that a threat to an information system will materialize?
A. Threat
B. Vulnerability
C. Hole
D.
Source: "Information Security Principles of Success," from Information Security: Principles and Practices, 2nd Edition.