
Week 1 - Security Concepts & Principles

Uploaded by

joshrobsuk

Week 1: Security & Principles

Contents
Week 1: Security & Principles
- CIA Triad
  - Confidentiality
  - Integrity
  - Availability
- Identity and Access Management
  - Identification
  - AAA – Authentication
  - AAA – Authorization
  - AAA – Accountability
- Logs and Audit Trail
  - Logs
  - Audit Trail
- Security Architecture, Policy and Standards
  - Process, Policies and Standards
  - Security Architecture
- Secure Design Principles
  - What is a principle

CIA Triad

Confidentiality
- Information should stay secret; only those who are authorised to access it may receive access

- Maintaining confidentiality is the nondisclosure of objects / data to unauthorized persons

Examples

- Bank Accounts, Health Records

Controls that provide confidentiality

- Encryption

- Access Control

- Passwords

Integrity
Integrity is the trustworthiness, origin and correctness / completeness of data while also preventing
improper access.

- Integrity of information itself and the source of information

- Maintain integrity – stop unauthorised edits

Controls that provide integrity

- Hashing
Availability
Availability is to ensure information is readily available to authorised users at all times in a timely
manner.

- An attack against availability is known as Denial of Service or DoS

Example

- Availability of spreadsheet or register to authorised user when they need it

Controls

- Clustering

- RAID (Redundant Array of Independent Disks)

- Redundancy

- File Backup

Identity and Access Management


Identity and access management is a process used to enable authorised users to access the right
information and resources while also denying access to unauthorized users.

Authentication, Authorization and Accountability (AAA) are a part of this process

Identification
The process where a user has to be identified with some form of individual identification, such as
usernames and SID.

- Identification is the first step in the identify-authenticate-authorize sequence


AAA – Authentication
After identification, once the authenticity of the ID has been confirmed and verified, you then need to
prove you are who you claim to be with a 3rd-party measure.

These are based on 3 things

- What you know – PIN/Password

With

- Something you have – Smart card, 2FA

Or

- Something you are – Fingerprint, eye scan, face scan

AAA – Authorization
After proving the user's identity, users are assigned authorization such as rights, privileges and
permissions, which define what they can do on the systems

- Teacher can mark grades and students cannot mark

Authorizations are defined by security policy

AAA – Accountability
The tracing of actions and events over time back to the users, systems or processes that performed them,
to establish responsibility and allow auditing.

Logs and Audit Trail

Logs
- Ordered list of events and actions of systems and applications

- Only trustworthy if integrity is maintained

- Logs must be correctly timestamped
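
The two conditions above (integrity and correct timestamps) can be checked mechanically when each log entry carries a hash of its own content plus the previous entry's hash. This is an added example, not part of the original notes; the field names, the `GENESIS` value and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash value for the very first entry


def _digest(entry: dict) -> str:
    """SHA-256 over the entry's fields in a fixed (sorted-key) JSON encoding."""
    body = {k: entry[k] for k in ("seq", "ts", "actor", "action", "prev_hash")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append(log: list, actor: str, action: str, ts: Optional[str] = None) -> dict:
    """Append an event whose hash covers its content and the previous hash."""
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify(log: list) -> Optional[int]:
    """Return the index of the first bad entry, or None if the log is intact."""
    prev_hash, prev_ts = GENESIS, None
    for i, entry in enumerate(log):
        ts = datetime.fromisoformat(entry["ts"])
        if (entry["seq"] != i or entry["prev_hash"] != prev_hash
                or entry["hash"] != _digest(entry)
                or (prev_ts is not None and ts < prev_ts)):
            return i  # edited, removed, reordered or backdated entry
        prev_hash, prev_ts = entry["hash"], ts
    return None


def demo_log() -> list:
    """Constructed sample events (not from any real system)."""
    log = []
    append(log, "alice", "login", "2024-01-01T09:00:00+00:00")
    append(log, "alice", "edit grades.xlsx", "2024-01-01T09:05:00+00:00")
    append(log, "bob", "login", "2024-01-01T09:10:00+00:00")
    return log
```

A chain like this detects edits, deletions and backdating inside the log, but someone able to rewrite the whole file can recompute every hash, so the latest hash also has to be kept somewhere the log writer cannot change.
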

Audit Trail
- Highly detailed information about actions and events

- Logs show high-level actions such as e-mail delivery; audit trails are low level, such as writing a
file or packet tracing
Security Architecture, Policy and Standards

Process, Policies and Standards


- Process is a sequence of steps performed for a given purpose

o Secure software process can be defined as a set of actions to develop, maintain and deliver
secure software solutions

- Standards are established by authorities or general consent as examples of best practice

o Standards provide materials suitable for the definition of process

- Policies are high-level business rules outlining what organisations will do to protect data

o Standards are detailed statements on how an organisation will implement written policy

Security Architecture
Designing the system with security in mind using high-level design principles.

Secure Design Principles

What is a principle
- Principle – Basic rule or idea that explains how something happens or works

- Secure Design Principle – Rules that are set out to make security related design decisions with
respect to system needs and capability which improves overall security

Standards
- Open Web Application Security Project (OWASP)

- Clifford J. Berg – 180 security related principles

- National Institute of Standards and Technology (NIST) – 30+ security principles


Key Principles
- Least Privilege Principle – Give users the minimum amount of privilege so they can't install malicious
software or edit sensitive restricted resources

- Separation of duties – Splits users into roles so that one user cannot hold all the power, such
as one person setting firewall or directory policy and another checking it, or someone
submitting a request and another approving it, never the same person

- Keep security simple – The more complex the system, the more possible vulnerabilities appear.
Simplicity also keeps unintended interactions to a minimum, and complex designs are harder to
understand.

- Audit security events – Keeping a record is critical for debugging, security and learning about
the exploitation vectors used by malicious users

- Fail Securely principle – When the system fails and is no longer available, it must do so in a secure
way, such as stopping attackers from gaining more privilege, to maintain confidentiality and
integrity. Deny access to users by shutting down instead of granting it

- Never rely on security by obscurity – Keeping critical information hidden can never be secure;
keeping security hidden does not keep it secure as it can be found, therefore password policies
and audit controls must be used to keep track and patch vulnerabilities

- Defence in Depth principle – Use multiple security measures to avoid single points of failure,
such as 2FA needing password and the code, or Firewalls > Encryption > Passwords to access files

- Do not use untested or personal security techniques – Personally developed methods could be
insecure or open vulnerabilities, and they are not assessed like professionally developed
systems, leaving the system open for exploitation

- Find and secure the weakest link of the system – Security is only as strong as the weakest point
of failure. If you don't find it, the attacker will, and they will exploit it. Humans are usually the
weakest link, therefore principles must be put in place.
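
Three of the principles above (least privilege, separation of duties, fail securely) shown together in code. This is an added example, not part of the original notes; the role names, permission names and the `ChangeRequest` class are hypothetical and constructed for illustration.

```python
# Constructed role table: each role gets only the permissions it needs
# (least privilege). Role and permission names are hypothetical.
ROLE_PERMISSIONS = {
    "student": {"view_grades"},
    "teacher": {"view_grades", "mark_grades"},
    "fw_engineer": {"submit_change"},
    "fw_reviewer": {"approve_change"},
}


def is_authorised(user, permission: str, roles=ROLE_PERMISSIONS) -> bool:
    """Deny by default: unknown users, unknown roles and errors return False."""
    try:
        return permission in roles[user["role"]]
    except Exception:
        # Fail securely: a broken lookup must never turn into a grant.
        return False


class ChangeRequest:
    """A firewall change that one person submits and a different one approves."""

    def __init__(self, submitter: dict, description: str):
        if not is_authorised(submitter, "submit_change"):
            raise PermissionError("submitter lacks submit_change")
        self.submitter = submitter["name"]
        self.description = description
        self.approved_by = None  # stays None until a valid approval

    def approve(self, approver: dict) -> None:
        if not is_authorised(approver, "approve_change"):
            raise PermissionError("approver lacks approve_change")
        if approver["name"] == self.submitter:
            # Separation of duties: never the same person.
            raise PermissionError("submitter cannot approve own request")
        self.approved_by = approver["name"]
```
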
Assets, Threats, Vulnerability and Risks
Assets

- Something valuable to the company that they will want to protect.

Threats

- Events that can lead to a harmful state for the system, usually using a vulnerability to infiltrate
the system

Vulnerability

- Weaknesses in the system from technical to non-technical issues

Risk

- A quantified unit measured from the impact of a threat.

o Risk = threat probability * potential loss

Database – Asset

SQL injection – Threat

Poor design / No input cleaning – Vulnerability

Unauthorized access or loss of data – Risk

Risk Assessment
- Determine Sources

- Identify Risk events.

- Identify existing vulnerabilities.

- Determine likelihood of attacks and their success

- Determine potential impacts
