Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 2: Information Security Principles of Success.

Published byArron Carpenter Modified over 8 years ago

Similar presentations

Presentation on theme: "Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 2: Information Security Principles of Success."— Presentation transcript:

1 Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 2: Information Security Principles of Success

2 Chapter 2 Chapter 2: Information Security Principles of Success © Pearson Education Information Security: Principles and Practices 2

3 3 Objectives Build an awareness of 12 basic principles of information security…to help you to determine how these basic principles are applied to real life situations. Distinguish between the three main security goals Learn how to design and apply the principle of “Defense in Depth” Explain the difference between functional and assurance requirements

4 Introduction Many of the topics you study can be implemented at the lab, for example new programming, system analysis and design projects, BUT Security is a little different… The best security specialists combine their: practical knowledge of computers and networks with Theories about security, technology, and human nature. These concepts, some borrowed from other fields like military defense, often take years © Pearson Education Information Security: Principles and Practices 4

5 Of experience to learn. Note that no two systems are identical in solving the security problems, and no books to consult on how to solve security problems, so you have to depend on principle –based analysis and decision making. This chapter introduce these key information principles, concepts… © Pearson Education Information Security: Principles and Practices 5

6 6 Van Gogh, Picasso, the paintings were protected by closed circuit television, a series of alarm systems. Thieves broke into the museum and made off with three masterpieces. Investigators discovered that there was a note from the thieves saying: “The intention was not to steal, only to high light the woeful security” Information Security Principles: #1 There Is No Such Thing as Absolute Security

7 So… Given enough time, tools, skills, a hacker can break through يخترق any security measure… This principle applies to the physical world as well and is best illustrated by using the analogy of saves خزائن which business commonly use to protect their assets ممتلكات © Pearson Education Information Security: Principles and Practices 7

8 Principle 2: The security goals are Confidentiality, Integrity, and Availability (CIA) All the security measures try to address at least one of the three goals: - Protect the Confidentiality of data. - Preserve the Integrity of data. - Promote the Availability of data for authorized use. © Pearson Education Information Security: Principles and Practices 8

9 These goals are described by the following figure, where CIA is the basis of all security programs. IS professionals who create polices and procedures must consider each goal when creating a plan to protect a computer system. © Pearson Education Information Security: Principles and Practices 9

10 Confidentiality by Another Name Confidentiality is sometimes referred to as the “ principle of least privilege مبدأ الامتيازات الأقل Meaning that users should only be given enough privilege to perform their duties, and no more. - Some other synonyms for confidentiality you may encounter include Privacy, Secrecy السرية, and discretion حرية التصرف © Pearson Education Information Security: Principles and Practices 10

11 © Pearson Education Information Security: Principles and Practices 11  Protect the confidentiality of data  Confidentiality are primarily intended to assure that no unauthorized access to information is permitted  Common Confidentiality controls are user ID and Password

12 © Pearson Education Information Security: Principles and Practices 12  Preserve the integrity of data Integrity of data should be done to protect data from any accidental changes. Integrity has three goals: 1- prevent unauthorized users from making modifications to data or programs 2- prevent authorized users from making improper or unauthorized modifications. 3- maintain internal and external consistency of data and programs. Principles 2: Three Security Goals cont.

13 Promote the availability of data for authorized use  Availability keep data and resources available for authorized use, especially during emergencies or disasters.  Information security professionals usually address three common challenges to availability:  Denial of Service (DoS) الحرمان من الخدمة Due to international attacks  Loss of information system capabilities because of natural disasters (e.g., fires, storms, or earthquakes) © Pearson Education Information Security: Principles and Practices 13

14 Equipment failures during normal use. Note: some of the activities that preserve CIA are: the granting of access only to authorized personnel, applying encryption to information that will be sent out over the internet. Periodic testing of operating system security. © Pearson Education Information Security: Principles and Practices 14

15 Principles 3: Defense in Depth as Strategy A bank would never leave its assets ممتلكات inside an unguarded safeخزنة alone. Typically, access to the safe requires passing through layers of protection that may include human guards and locked doors with special access control. Furthermore, the room where the safe resides may be monitored by closed circuit television, motion sensors, and alarm systems that can detect quickly unusual activity. (Layers….) © Pearson Education Information Security: Principles and Practices 15

16 the sound of an alarm may trigger the doors to automatically lockصوت انذار قد تؤدي الى قفل الأبواب تلقائيا the police to be notified (Layers…) Layered security, like the example described above, is called Defense in Depth. Defense in Depth is security implemented in overlapping layers that provide the three elements needed to secure assets: Prevention, Detection, and Response © Pearson Education Information Security: Principles and Practices 16

17 Defense in Depth also means that the weaknesses of one security layer are offset يعوض عن by the strengths of two or more layers. In the Information security world, defense in depth means you should layer security devices in a series that protects, detects, and responds to attacks on systems. © Pearson Education Information Security: Principles and Practices 17

18 Principles 4: When Left on Their Own, People Tend to Make the Worst Security Decisions The primary reason that identify theft, viruses, and stolen passwords are so common is that people are easily duped into giving up يتخلي عن the secrets that technologies use to secure systems. السبب الأساسي أن سرقة الهوية ، والفيروسات ، وسرقة كلمات السر هي شائعة جدا هو أن الناس بسهولة تخدع في التخلي عن الأسرار التي تستخدم التكنولوجيات لتأمين النظم. © Pearson Education Information Security: Principles and Practices 18

19 Virus writers know all too well how easy it is to fool يخدعpeople into spreading their viruses for them كاتبي الفيروسات تعلم جيدا كم هو سهل لخداع الناس في نشر هذه الفيروسات لها When the file was opened, the virus can copy itself to the Windows directory and then send the file as an attachment to all the addresses listed in the victim’s Microsoft Outlook email address book © Pearson Education Information Security: Principles and Practices 19

20 Practice Pages 24-25 …….Lab…ID theft © Pearson Education Information Security: Principles and Practices 20

21 © Pearson Education Information Security: Principles and Practices 21 Many people are easily convinced to double- click on the attachment Subject: Here you have, ;o) Message body: Hi: Check This! Attachment: AnnaKournikova.jpg.vbs Note on: When Left on Their Own, People Tend to Make the Worst Security Decisions

22 Principle 5:Computer Security Depends on Two types of Requirements: Functional and Assurance Requirements Functional requirements  Describe what a system should do Assurance requirements  Describe how functional requirements should be implemented and tested Both sets of requirements are needed to answer the following questions: © Pearson Education Information Security: Principles and Practices 22

23 © Pearson Education Information Security: Principles and Practices 23 Does the system do the right things (behave as expected)? Does the system do the right things in the right way?  Verification:التحقق Is the process of confirming that one or more predetermined requirements or specifications are met  Validationالتحقق من الصحة : Is a determination of the correctness or quality of the mechanisms used in meeting the needs

24 Using car safety testing as an example, verification testing for seat belt functions may include stress tests on the fabric, testing the locking mechanisms, and making certain the belt will fit the intended application, thus completing the functional tests. Validation, or assurance testing, might then include crashing تحطمthe car with crash-test dummies inside to “prove” that the seat belt is indeed safe when used under normal conditions and can survive under harsh conditions © Pearson Education Information Security: Principles and Practices 24

25 © Pearson Education Information Security: Principles and Practices 25 Many people believe that if hackers don’t know how software is secured, security is better  Although this seems logical, it’s actually untrue Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all Information Security Principles: #6 Security Through Obscurity Is Not an Answer

26 © Pearson Education Information Security: Principles and Practices 26 Security is not concerned with eliminating all threats within a system or facility but with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability Risk analysis and risk management are central themes to securing information systems Risk assessment and risk analysis are concerned with placing an economic value on assets to best determine appropriate countermeasures that protect them from losses Information Security Principles: #7 Security = Risk Management

27 © Pearson Education Information Security: Principles and Practices 27 Vulnerability  A known problem within a system or program Exploit  A program or a “cookbook” on how to take advantage of a specific vulnerability Attacker  The link between a vulnerability and an exploit Information Security Principles: #7 Security = Risk Management cont.

28 © Pearson Education Information Security: Principles and Practices 28 Information Security Principles: #7 Security = Risk Management cont.

29 © Pearson Education Information Security: Principles and Practices 29 A security mechanism serves a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it is happening or after it has been discovered Information Security Principles: #8 Security Controls: Preventative, Detective, and Responsive

30 © Pearson Education Information Security: Principles and Practices 30 The more complex a system gets, the harder it is to secure Information Security Principles: #9 Complexity Is The Enemy of Security

31 © Pearson Education Information Security: Principles and Practices 31 Information security managers must justify all investments in security using techniques of the trade When spending resources can be justified with good, solid business rationale, security requests are rarely denied Information Security Principles: #10 Fear, Uncertainty, and Doubt (FUD) Do Not Work in Selling Security

32 © Pearson Education Information Security: Principles and Practices 32 People, process, and technology controls are essential elements of security practices including operations security, applications development security, physical security, and cryptography Information Security Principles: #11 People, Process and Technology Are All Needed

33 © Pearson Education Information Security: Principles and Practices 33 Keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security The need to know trumps the need to keep secrets in order to give users the right to protect themselves Information Security Principles: #12 Open Disclosure of Vulnerabilities Is Good for Security

34 © Pearson Education Information Security: Principles and Practices 34 Summary Computer security specialists must not only know the technical side of their jobs but also must understand the principles behind information security These principles are mixed and matched to describe why certain security functions and operations exist in the real world of IT

Download ppt "Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 2: Information Security Principles of Success."

Similar presentations

Chapter 1 - 1 ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.

Chapter ADCS CS262/0898/V1 Chapter 1 An Introduction To Computer Security TOPICS Introduction Threats to Computer Systems –Threats, Vulnerabilities.
Advanced Networks and Computer Security Curt Carver & Jeff Humphries © 1999 Texas A&M University.

Advanced Networks and Computer Security Curt Carver & Jeff Humphries © 1999 Texas A&M University.
Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Chapter 1 Introduction to Security

Chapter 1 Introduction to Security
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Topics in Information Security Prof. JoAnne Holliday Santa Clara University.

Topics in Information Security Prof. JoAnne Holliday Santa Clara University.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Similar presentations

Ads by Google