Information Security
Principles and Practices, 2nd Edition
by Mark Merkow and Jim Breithaupt
Chapter 2: Information Security Principles of Success
Objectives
Build an awareness of 12 basic principles of
information security
Distinguish among the three main security
goals
Learn how to design and apply the principle
of Defense in Depth
Comprehend human vulnerabilities in
security systems
Pearson Education 2014, Information
Security: Principles and Practices, 2nd Edition
Objectives (cont.)
Explain the difference between functional and
assurance requirements
Comprehend the fallacy of security through
obscurity
Comprehend the importance of risk analysis
and risk management tools and techniques
Determine which side of open disclosure
debate you would take
Introduction
Best security specialists combine practical
knowledge and technical skills with understanding of
human nature
No two systems or situations are identical, and there are no
cookbooks to consult on how to solve security problems
Principle 1: There Is No Such Thing as Absolute Security
Given enough time, tools, skills, and
inclination, a hacker can break through any
security measure
Security testing can buy additional time so
the attackers are caught in the act
Principle 2: The Three Security Goals Are
Confidentiality, Integrity, and Availability
All information security measures try to address at least
one of the three goals:
Confidentiality
Integrity
Availability
The three security goals form the CIA triad
Figure: the CIA triad, with Confidentiality, Integrity, and Availability arranged around the central label "Security Goals"
Principle 2: The Three Security Goals Are
Confidentiality, Integrity, and Availability (cont.)
Protect the confidentiality of data
Preserve the integrity of data
Confidentiality models are primarily intended to ensure that no
unauthorized access to information is permitted and that
accidental disclosure of sensitive information is not possible
Integrity models keep data pure and trustworthy by protecting
system data from intentional and accidental changes
Promote the availability of data for authorized use
Availability models keep data and resources available for
authorized use during denial-of-service attacks, natural disasters,
and equipment failures
Principle 3: Defense in Depth as Strategy
Defense in depth
Involves implementing security in overlapping
layers that provide the three elements needed to
secure assets: prevention, detection, and
response
The weaknesses of one security layer are offset
by the strengths of two or more layers
Principle 4: When Left on Their Own, People
Tend to Make the Worst Security Decisions
It takes little to convince someone to give up
their credentials in exchange for trivial or
worthless goods
Many people are easily convinced to double-click the attachment or links inside emails
Subject: Here you have, ;o)
Message body: Hi: Check This!
Attachment: AnnaKournikova.jpg.vbs
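The attachment on the slide works because its real extension (.vbs) hides behind a harmless-looking one (.jpg). A mail gateway can catch that pattern mechanically rather than relying on the user. The following is an added example written for these notes, not code from the textbook; the extension lists, the rating names ("block", "warn", "allow") and the sample message list are constructed for illustration.

```python
"""Flag e-mail attachments whose name hides an executable extension behind a
harmless-looking one (the "AnnaKournikova.jpg.vbs" pattern from Principle 4).
Added example for these notes; not code from the textbook."""

# Extensions Windows executes on double-click. Constructed for the example
# and deliberately not exhaustive; a real gateway would use a maintained list.
EXECUTABLE_EXTENSIONS = {"vbs", "exe", "scr", "js", "bat", "cmd", "pif", "com", "hta"}

# Extensions users associate with harmless content (the decoy in a double extension).
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}


def classify_attachment(filename: str) -> str:
    """Return 'block', 'warn' or 'allow' for one attachment file name.

    'block': executable extension preceded by a decoy extension (disguised).
    'warn' : executable extension without a disguise (still worth a second look).
    'allow': anything else.
    """
    # Keep at most the last two extensions; strip padding such as "report.pdf    .exe".
    parts = [p.strip() for p in filename.lower().rsplit(".", 2)]
    if len(parts) < 2:
        return "allow"  # no extension at all
    final_ext = parts[-1]
    if final_ext not in EXECUTABLE_EXTENSIONS:
        return "allow"
    if len(parts) == 3 and parts[-2] in DECOY_EXTENSIONS:
        return "block"
    return "warn"


def triage(messages):
    """Return (subject, attachment, verdict) for every message that is not allowed.

    `messages` is an iterable of (subject, attachment_name) pairs.
    """
    flagged = []
    for subject, name in messages:
        verdict = classify_attachment(name)
        if verdict != "allow":
            flagged.append((subject, name, verdict))
    return flagged


def sample_messages():
    """Constructed inbox sample, including the slide's example message."""
    return [
        ("Here you have, ;o)", "AnnaKournikova.jpg.vbs"),
        ("Holiday photos", "beach.jpg"),
        ("Installer", "setup.exe"),
        ("Q3 report", "report.pdf    .exe"),
        ("No extension", "README"),
    ]


if __name__ == "__main__":
    for subject, name, verdict in triage(sample_messages()):
        print(f"{verdict:5}  {name!r:28} ({subject})")
```

The check is purely on the name, so it complements rather than replaces content scanning; its value is that it needs no signature and catches the disguise the slide describes before a user is asked to make the decision.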
Principle 5: Computer Security Depends on Two
Types of Requirements: Functional and Assurance
Functional requirements
Describe what a system should do
Assurance requirements
Describe how functional requirements should be
implemented and tested
Does the system do the right things in the right way?
Verification: The process of confirming that one or more
predetermined requirements or specifications are met
Validation: A determination of the correctness or quality of
the mechanisms used in meeting the needs
Principle 6: Security Through Obscurity Is Not an
Answer
Many people believe that if hackers don't
know how software is secured, security is
better
Although this seems logical, it's actually untrue
Obscuring security leads to a false sense of
security, which is often more dangerous than
not addressing security at all
Principle 7: Security = Risk Management
Security is not concerned with eliminating all threats
within a system or facility but with eliminating
known threats and minimizing losses if an
attacker succeeds in exploiting a vulnerability
Spending more on security than the cost of an asset
is a waste of resources
Risk assessment and risk analysis are used to
place an economic value on assets to best
determine appropriate countermeasures that
protect them from losses
Principle 7: Security = Risk
Management cont.
Two factors to determine risk
What is the consequence of a loss?
What is the likelihood the loss will occur?
Consequences/likelihood matrix

Likelihood           | 1. Insignificant | 2. Minor  | 3. Moderate | 4. Major | 5. Catastrophic
---------------------+------------------+-----------+-------------+----------+----------------
A (almost certain)   | High             | High      | Extreme     | Extreme  | Extreme
B (likely)           | Moderate         | High      | High        | Extreme  | Extreme
C (moderate)         | Low              | Moderate  | High        | Extreme  | Extreme
D (unlikely)         | Low              | Low       | Moderate    | High     | Extreme
E (rare)             | Low              | Low       | Moderate    | High     | High
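The matrix gives a qualitative rating, and the previous slide adds the economic test: a countermeasure that costs more than the asset it protects, or more than the loss it prevents, is a waste. The code below is an added example for these notes, not from the textbook; it transcribes the slide's matrix and adds a constructed risk register with assumed asset values, annual expected losses and control costs to show how the two ideas combine into a prioritised list with a go/no-go on each control.

```python
"""Rate risks with the slide's consequence/likelihood matrix and test each
proposed countermeasure against the Principle 7 cost rule.
Added example for these notes; not code from the textbook. Asset values,
expected losses and control costs are constructed."""
from dataclasses import dataclass

# Rows: likelihood A..E. Columns: consequence 1..5. Transcribed from the slide.
MATRIX = {
    "A": ["High", "High", "Extreme", "Extreme", "Extreme"],
    "B": ["Moderate", "High", "High", "Extreme", "Extreme"],
    "C": ["Low", "Moderate", "High", "Extreme", "Extreme"],
    "D": ["Low", "Low", "Moderate", "High", "Extreme"],
    "E": ["Low", "Low", "Moderate", "High", "High"],
}
RATING_ORDER = {"Low": 0, "Moderate": 1, "High": 2, "Extreme": 3}


def rate_risk(likelihood: str, consequence: int) -> str:
    """Return the qualitative rating for a likelihood letter and consequence level."""
    if not 1 <= consequence <= 5:
        raise ValueError("consequence must be 1..5")
    return MATRIX[likelihood.upper()][consequence - 1]


@dataclass
class Risk:
    name: str
    likelihood: str       # A..E, as in the matrix
    consequence: int      # 1..5, as in the matrix
    asset_value: float    # what the asset is worth (constructed)
    expected_loss: float  # loss expected per year if the risk is realised (assumption)
    control_cost: float   # annual cost of the proposed countermeasure (constructed)


def prioritise(risks):
    """Order risks by matrix rating (most severe first), then by expected loss."""
    return sorted(
        risks,
        key=lambda r: (RATING_ORDER[rate_risk(r.likelihood, r.consequence)], r.expected_loss),
        reverse=True,
    )


def control_is_justified(risk: Risk) -> bool:
    """Principle 7: reject a control that costs more than the asset is worth
    or more than the loss it would prevent."""
    return risk.control_cost < min(risk.asset_value, risk.expected_loss)


def sample_risks():
    """Constructed risk register used for the demonstration."""
    return [
        Risk("Lost lobby display", "D", 1, asset_value=2_000, expected_loss=300, control_cost=1_500),
        Risk("Unpatched web server", "B", 4, asset_value=50_000, expected_loss=40_000, control_cost=5_000),
        Risk("Laptop theft", "C", 3, asset_value=3_000, expected_loss=6_000, control_cost=4_000),
    ]


if __name__ == "__main__":
    for r in prioritise(sample_risks()):
        rating = rate_risk(r.likelihood, r.consequence)
        verdict = "fund" if control_is_justified(r) else "do not fund as proposed"
        print(f"{rating:8} {r.name:22} -> {verdict}")
```

In the constructed register the web server is rated Extreme and its control is cheap relative to both the asset and the expected loss, so it is funded; the laptop-theft control is rejected because it costs more than the laptops are worth, even though the risk rates High; and the lobby display is rejected because the control costs five times the expected loss.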
Principle 7: Security = Risk Management
cont.
Vulnerability
Exploit
A known problem within a system or program
A program or a cookbook on how to take
advantage of a specific vulnerability
Attacker
The link between a vulnerability and an exploit
Principle 8: The Three Types of Security Controls
Are Preventative, Detective, and Responsive
A security mechanism serves a purpose by
preventing a compromise, detecting that a
compromise or compromise attempt is
underway, or responding to a compromise
while it is happening or after it has been
discovered
Principle 9: Complexity Is the Enemy of Security
The more complex a system gets, the harder
it is to secure
Principle 10: Fear, Uncertainty, and Doubt (FUD)
Do Not Work in Selling Security
Information security managers must justify all
investments in security using techniques of
the trade
When spending resources can be justified
with good, solid business rationale, security
requests are rarely denied
Principle 11: People, Process, and Technology
Are All Needed to Adequately Secure a System
or Facility
People controls
Process controls
Dual control and separation of duties
Different people can perform the same operation the same
way every time
Technology alone without people and process
controls can fail
People, process, and technology controls are
essential elements of security practices including
operations security, applications development security,
physical security, and cryptography
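The slide names dual control and separation of duties as process controls without showing how they are enforced. The following is an added example for these notes, not code from the textbook: a small approval record for a sensitive operation in which the requester can never approve their own request (separation of duties) and two distinct people must approve before it may run (dual control). The operation name, the user names and the two-approver threshold are constructed assumptions.

```python
"""Enforce dual control and separation of duties on a sensitive operation
(Principle 11: process controls). Added example for these notes, not from
the textbook; roles, names and the approver threshold are constructed."""
from dataclasses import dataclass, field

# Dual control: how many distinct people must act before the operation runs.
# Two is the usual minimum and is an assumption for this example.
REQUIRED_APPROVALS = 2


@dataclass
class ChangeRequest:
    operation: str               # e.g. "rotate-root-key" (constructed)
    requester: str               # the person asking for the operation
    approvers: list = field(default_factory=list)


def approve(request: ChangeRequest, approver: str) -> None:
    """Record one approval, rejecting the two ways the control is usually defeated."""
    if approver == request.requester:
        # Separation of duties: the person who asks may not also authorise.
        raise PermissionError("separation of duties: requester may not approve own request")
    if approver in request.approvers:
        # Dual control: a second signature must come from a second person.
        raise PermissionError("dual control: the same person cannot approve twice")
    request.approvers.append(approver)


def may_execute(request: ChangeRequest) -> bool:
    """The gate the technology control consults before running the operation:
    enough distinct approvers, none of whom is the requester."""
    distinct = set(request.approvers) - {request.requester}
    return len(distinct) >= REQUIRED_APPROVALS


def run_example() -> bool:
    """Walk one request through the process and return whether it may execute."""
    req = ChangeRequest("rotate-root-key", requester="alice")
    approve(req, "bob")                 # first approval: still blocked
    try:
        approve(req, "alice")           # requester tries to self-approve
    except PermissionError as exc:
        print(f"rejected: {exc}")
    approve(req, "carol")               # second distinct approver
    return may_execute(req)


if __name__ == "__main__":
    print("may execute:", run_example())
```

The point of checking the rule in code rather than in a procedure document is that the same operation is then performed the same way every time, whoever is on shift, which is exactly the property the slide attributes to process controls.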
Principle 12: Open Disclosure of Vulnerabilities
Is Good for Security!
Keeping a given vulnerability secret from
users and from the software developer can
only lead to a false sense of security
The need to know trumps the need to keep
secrets to give users the right to protect
themselves
Summary
Computer security specialists must not only
know the technical side of their jobs but also
must understand the principles behind
information security
These principles are mixed and matched to
describe why certain security functions and
operations exist in the real world of IT