Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 2: Information Security Principles of Success

Chapter 2 Chapter 2: Information Security Principles of Success © Pearson Education Information Security: Principles and Practices 2

3 Objectives Build an awareness of 12 basic principles of information security…to help you to determine how these basic principles are applied to real life situations. Distinguish between the three main security goals Learn how to design and apply the principle of “Defense in Depth” Explain the difference between functional and assurance requirements

Introduction Many of the topics you study can be implemented at the lab, for example new programming, system analysis and design projects, BUT Security is a little different… The best security specialists combine their: practical knowledge of computers and networks with Theories about security, technology, and human nature. These concepts, some borrowed from other fields like military defense, often take years © Pearson Education Information Security: Principles and Practices 4

Of experience to learn. Note that no two systems are identical in solving the security problems, and no books to consult on how to solve security problems, so you have to depend on principle –based analysis and decision making. This chapter introduce these key information principles, concepts… © Pearson Education Information Security: Principles and Practices 5

6 Van Gogh, Picasso, the paintings were protected by closed circuit television, a series of alarm systems. Thieves broke into the museum and made off with three masterpieces. Investigators discovered that there was a note from the thieves saying: “The intention was not to steal, only to high light the woeful security” Information Security Principles: #1 There Is No Such Thing as Absolute Security

So… Given enough time, tools, skills, a hacker can break through يخترق any security measure… This principle applies to the physical world as well and is best illustrated by using the analogy of saves خزائن which business commonly use to protect their assets ممتلكات © Pearson Education Information Security: Principles and Practices 7

Principle 2: The security goals are Confidentiality, Integrity, and Availability (CIA) All the security measures try to address at least one of the three goals: - Protect the Confidentiality of data. - Preserve the Integrity of data. - Promote the Availability of data for authorized use. © Pearson Education Information Security: Principles and Practices 8

These goals are described by the following figure, where CIA is the basis of all security programs. IS professionals who create polices and procedures must consider each goal when creating a plan to protect a computer system. © Pearson Education Information Security: Principles and Practices 9

Confidentiality by Another Name Confidentiality is sometimes referred to as the “ principle of least privilege مبدأ الامتيازات الأقل Meaning that users should only be given enough privilege to perform their duties, and no more. - Some other synonyms for confidentiality you may encounter include Privacy, Secrecy السرية, and discretion حرية التصرف © Pearson Education Information Security: Principles and Practices 10

© Pearson Education Information Security: Principles and Practices 11  Protect the confidentiality of data  Confidentiality are primarily intended to assure that no unauthorized access to information is permitted  Common Confidentiality controls are user ID and Password

© Pearson Education Information Security: Principles and Practices 12  Preserve the integrity of data Integrity of data should be done to protect data from any accidental changes. Integrity has three goals: 1- prevent unauthorized users from making modifications to data or programs 2- prevent authorized users from making improper or unauthorized modifications. 3- maintain internal and external consistency of data and programs. Principles 2: Three Security Goals cont.

Promote the availability of data for authorized use  Availability keep data and resources available for authorized use, especially during emergencies or disasters.  Information security professionals usually address three common challenges to availability:  Denial of Service (DoS) الحرمان من الخدمة Due to international attacks  Loss of information system capabilities because of natural disasters (e.g., fires, storms, or earthquakes) © Pearson Education Information Security: Principles and Practices 13

Equipment failures during normal use. Note: some of the activities that preserve CIA are: the granting of access only to authorized personnel, applying encryption to information that will be sent out over the internet. Periodic testing of operating system security. © Pearson Education Information Security: Principles and Practices 14

Principles 3: Defense in Depth as Strategy A bank would never leave its assets ممتلكات inside an unguarded safeخزنة alone. Typically, access to the safe requires passing through layers of protection that may include human guards and locked doors with special access control. Furthermore, the room where the safe resides may be monitored by closed circuit television, motion sensors, and alarm systems that can detect quickly unusual activity. (Layers….) © Pearson Education Information Security: Principles and Practices 15

the sound of an alarm may trigger the doors to automatically lockصوت انذار قد تؤدي الى قفل الأبواب تلقائيا the police to be notified (Layers…) Layered security, like the example described above, is called Defense in Depth. Defense in Depth is security implemented in overlapping layers that provide the three elements needed to secure assets: Prevention, Detection, and Response © Pearson Education Information Security: Principles and Practices 16

Defense in Depth also means that the weaknesses of one security layer are offset يعوض عن by the strengths of two or more layers. In the Information security world, defense in depth means you should layer security devices in a series that protects, detects, and responds to attacks on systems. © Pearson Education Information Security: Principles and Practices 17

Principles 4: When Left on Their Own, People Tend to Make the Worst Security Decisions The primary reason that identify theft, viruses, and stolen passwords are so common is that people are easily duped into giving up يتخلي عن the secrets that technologies use to secure systems. السبب الأساسي أن سرقة الهوية ، والفيروسات ، وسرقة كلمات السر هي شائعة جدا هو أن الناس بسهولة تخدع في التخلي عن الأسرار التي تستخدم التكنولوجيات لتأمين النظم. © Pearson Education Information Security: Principles and Practices 18

Virus writers know all too well how easy it is to fool يخدعpeople into spreading their viruses for them كاتبي الفيروسات تعلم جيدا كم هو سهل لخداع الناس في نشر هذه الفيروسات لها When the file was opened, the virus can copy itself to the Windows directory and then send the file as an attachment to all the addresses listed in the victim’s Microsoft Outlook address book © Pearson Education Information Security: Principles and Practices 19

Practice Pages …….Lab…ID theft © Pearson Education Information Security: Principles and Practices 20

© Pearson Education Information Security: Principles and Practices 21 Many people are easily convinced to double- click on the attachment Subject: Here you have, ;o) Message body: Hi: Check This! Attachment: AnnaKournikova.jpg.vbs Note on: When Left on Their Own, People Tend to Make the Worst Security Decisions

Principle 5:Computer Security Depends on Two types of Requirements: Functional and Assurance Requirements Functional requirements  Describe what a system should do Assurance requirements  Describe how functional requirements should be implemented and tested Both sets of requirements are needed to answer the following questions: © Pearson Education Information Security: Principles and Practices 22

© Pearson Education Information Security: Principles and Practices 23 Does the system do the right things (behave as expected)? Does the system do the right things in the right way?  Verification:التحقق Is the process of confirming that one or more predetermined requirements or specifications are met  Validationالتحقق من الصحة : Is a determination of the correctness or quality of the mechanisms used in meeting the needs

Using car safety testing as an example, verification testing for seat belt functions may include stress tests on the fabric, testing the locking mechanisms, and making certain the belt will fit the intended application, thus completing the functional tests. Validation, or assurance testing, might then include crashing تحطمthe car with crash-test dummies inside to “prove” that the seat belt is indeed safe when used under normal conditions and can survive under harsh conditions © Pearson Education Information Security: Principles and Practices 24

© Pearson Education Information Security: Principles and Practices 25 Many people believe that if hackers don’t know how software is secured, security is better  Although this seems logical, it’s actually untrue Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all Information Security Principles: #6 Security Through Obscurity Is Not an Answer

© Pearson Education Information Security: Principles and Practices 26 Security is not concerned with eliminating all threats within a system or facility but with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability Risk analysis and risk management are central themes to securing information systems Risk assessment and risk analysis are concerned with placing an economic value on assets to best determine appropriate countermeasures that protect them from losses Information Security Principles: #7 Security = Risk Management

© Pearson Education Information Security: Principles and Practices 27 Vulnerability  A known problem within a system or program Exploit  A program or a “cookbook” on how to take advantage of a specific vulnerability Attacker  The link between a vulnerability and an exploit Information Security Principles: #7 Security = Risk Management cont.

© Pearson Education Information Security: Principles and Practices 28 Information Security Principles: #7 Security = Risk Management cont.

© Pearson Education Information Security: Principles and Practices 29 A security mechanism serves a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it is happening or after it has been discovered Information Security Principles: #8 Security Controls: Preventative, Detective, and Responsive

© Pearson Education Information Security: Principles and Practices 30 The more complex a system gets, the harder it is to secure Information Security Principles: #9 Complexity Is The Enemy of Security

© Pearson Education Information Security: Principles and Practices 31 Information security managers must justify all investments in security using techniques of the trade When spending resources can be justified with good, solid business rationale, security requests are rarely denied Information Security Principles: #10 Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security

© Pearson Education Information Security: Principles and Practices 32 People, process, and technology controls are essential elements of security practices including operations security, applications development security, physical security, and cryptography Information Security Principles: #11 People, Process and Technology Are All Needed

© Pearson Education Information Security: Principles and Practices 33 Keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security The need to know trumps the need to keep secrets in order to give users the right to protect themselves Information Security Principles: #12 Open Disclosure of Vulnerabilities Is Good for Security

© Pearson Education Information Security: Principles and Practices 34 Summary Computer security specialists must not only know the technical side of their jobs but also must understand the principles behind information security These principles are mixed and matched to describe why certain security functions and operations exist in the real world of IT