
12 Principles Of Information Security

57 community-sourced questions and answers. Free — no login.

Community-sourced. Answers may be wrong or out of date. Always verify with your official training portal before submitting. Not affiliated with any branch, agency, or vendor.
QUESTION 1

Explain 12 generally accepted basic principles of information security

ANSWER

Principle 1: There Is No Such Thing As Absolute Security
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability
Principle 3: Defense in Depth as Strategy
Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance
Principle 6: Security Through Obscurity Is Not an Answer
Principle 7: Security = Risk Management
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive
Principle 9: Complexity Is the Enemy of Security
Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!

QUESTION 2

Explain and Distinguish among the three main security goals

ANSWER

1-Protect the confidentiality of data
2-Preserve the integrity of data
3-Promote the availability of data for authorized use

These goals form the confidentiality, integrity, availability (CIA) triad. The principle of information security protection of confidentiality, integrity, and availability cannot be overemphasized: This is central to all studies and practices in IS. You'll often see the term CIA triad to illustrate the overall goals for IS throughout the research, guidance, and practices you encounter.

QUESTION 3

Explain the Principle of defense in depth

ANSWER

Layered security is known as defense in depth. This security is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response. Defense in depth also seeks to offset the weaknesses of one security layer by the strengths of two or more layers.

QUESTION 4

Explain Human vulnerabilities in security systems

ANSWER

Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions

QUESTION 5

Explain the difference between functional requirements and assurance requirements

ANSWER

Functional and assurance - Functional requirements describe what a system should do. Assurance requirements describe how functional requirements should be implemented and tested. Together they answer two questions:

1-Does the system do the right things (behave as promised)?
2-Does the system do the right things in the right way?

QUESTION 6

Explain the fallacy of security through obscurity

ANSWER

Security through obscurity means that hiding the details of the security mechanisms is sufficient to secure the system alone. Obscuring security leads to a false sense of security, which is often more dangerous than not addressing security at all. If the security of a system is maintained by keeping the implementation of the system a secret, the entire system collapses when the first person discovers how the security mechanism works—and someone is always determined to discover these secrets. The better bet is to make sure no one mechanism is responsible for the security of the entire system. Again, this is defense in depth in everything related to protecting data and resources.

QUESTION 7

Explain the importance of risk-analysis

ANSWER

Placing an economic value on assets to best determine appropriate countermeasures that protect them from losses. Determining the degree of a risk involves looking at two factors:

1-What is the consequence of a loss?
2-What is the likelihood that this loss will occur?

QUESTION 8

Explain the importance of risk-management tools & techniques for balancing the needs of business

ANSWER

Every system has unique security issues and considerations, so it's imperative to understand the specific nature of data the system will maintain, what hardware and software will be used to deploy the system, and the security skills of the development teams.

QUESTION 9

Explain the open disclosure debate

ANSWER

A raging and often heated debate within the security community and software developing centers concerns whether to let users know about a problem before a fix or patch can be developed and distributed. Principle 6 tells us that security through obscurity is not an answer: Keeping a given vulnerability secret from users and from the software developer can only lead to a false sense of security. Users have a right to know about defects in the products they purchase, just as they have a right to know about automobile recalls because of defects. The need to know trumps the need to keep secrets, to give users the right to protect themselves.

QUESTION 10

B-Rate:

ANSWER

B-Rate is a catchall rating for any box with a lock on it. This rating describes the thickness of the steel used to make the lockbox. No actual testing is performed to gain this rating.

QUESTION 11

C-Rate:

ANSWER

This is defined as a variably thick steel box with a 1-inch-thick door and a lock. No tests are conducted to provide this rating, either.

QUESTION 12

UL TL-15:

ANSWER

Safes with an Underwriters Laboratory (UL) TL-15 rating have passed standardized tests as defined in UL Standard 687 using tools and an expert group of safe-testing engineers. The UL TL-15 label requires that the safe be constructed of 1-inch solid steel or equivalent. The label means that the safe has been tested for a net working time of 15 minutes using "common hand tools, drills, punches, hammers, and pressure applying devices." Net working time means that when the tool comes off the safe, the clock stops. Engineers exercise more than 50 different types of attacks that have proven effective for safecracking.

QUESTION 13

UL TL-30:

ANSWER

UL TL-30 testing is essentially the same as the TL-15 testing, except for the net working time. Testers get 30 minutes and a few more tools to help them gain access. Testing engineers usually have a safe's manufacturing blueprints and can disassemble the safe before the test begins to see how it works.

QUESTION 14

Confidentiality

ANSWER

Confidentiality is sometimes referred to as the principle of least privilege, meaning that users should be given only enough privilege to perform their duties, and no more. Some other synonyms for confidentiality you might encounter include privacy, secrecy, and discretion.

QUESTION 15

Confidentiality models

ANSWER

Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible. Common confidentiality controls are user IDs and passwords.

QUESTION 16

Related to information security, confidentiality is the opposite of which of the following?

ANSWER

Disclosure - Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible.

QUESTION 17

All information security measures try to address at least one of three goals:

ANSWER

1-Protect the confidentiality of data
2-Preserve the integrity of data
3-Promote the availability of data for authorized use

These goals form the confidentiality, integrity, availability (CIA) triad.

QUESTION 18

CIA Triad

ANSWER

The principle of information security protection of confidentiality, integrity, and availability cannot be overemphasized: This is central to all studies and practices in IS. You'll often see the term CIA triad to illustrate the overall goals for IS throughout the research, guidance, and practices you encounter.

QUESTION 19

Integrity Models

ANSWER

Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes.

QUESTION 20

Integrity models have three goals:

ANSWER

1-Prevent unauthorized users from making modifications to data or programs
2-Prevent authorized users from making improper or unauthorized modifications
3-Maintain internal and external consistency of data and programs

QUESTION 21

Availability Models

ANSWER

Availability models keep data and resources available for authorized use, especially during emergencies or disasters.

QUESTION 22

Information security professionals usually address three common challenges to availability:

ANSWER

1-Denial of service (DoS) due to intentional attacks or because of undiscovered flaws in implementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered)
2-Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes)
3-Equipment failures during normal use

QUESTION 23

Activities that preserve confidentiality, integrity, and/or availability are:

ANSWER

-Granting access only to authorized personnel
-Applying encryption to information that will be sent over the Internet or stored on digital media
-Periodically testing computer system security to uncover new vulnerabilities
-Building software defensively
-Developing a disaster recovery plan to ensure that the business can continue to exist in the event of a disaster or loss of access by personnel

QUESTION 24

What represents the three goals of information security?

ANSWER

1-Confidentiality
2-Integrity
3-Availability

These goals form the confidentiality, integrity, availability (CIA) triad, the basis of all security programs.

QUESTION 25

What term best describes the assurance that data has not been changed unintentionally, due to accident or malice?

ANSWER

Integrity - Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes.

QUESTION 26

Defense in depth is needed to ensure that which three mandatory activities are present in a security system?

ANSWER

Prevention, detection, and response - Defense in depth is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response.

QUESTION 27

Which of the following best represents the two types of IT security requirements?

ANSWER

Functional and assurance - Functional requirements describe what a system should do. Assurance requirements describe how functional requirements should be implemented and tested.

QUESTION 28

Security assurance requirements describe...

ANSWER

... to what degree the testing of the system is conducted. - Assurance requirements describe how functional requirements should be implemented and tested.

QUESTION 29

Functional and Assurance requirements are needed to answer the following 2 questions:

ANSWER

1-Does the system do the right things (behave as promised)?
2-Does the system do the right things in the right way?

QUESTION 30

Verification

ANSWER

Verification is the process of confirming that one or more predetermined requirements or specifications are met.

QUESTION 31

Validation

ANSWER

Validation determines the correctness or quality of the mechanisms used to meet the needs.

QUESTION 32

Which term best describes the probability that a threat to an information system will materialize?

ANSWER

Risk - Risk involves looking at what the consequence of a loss is and the likelihood that this loss will occur.

QUESTION 33

Which term best describes the absence or weakness in a system that may possibly be exploited?

ANSWER

Vulnerability refers to a known problem within a system or program.

QUESTION 34

Security is concerned not with eliminating all threats within a system or facility, but...

ANSWER

... with eliminating known threats and minimizing losses if an attacker succeeds in exploiting a vulnerability.

QUESTION 35

When risks are well understood, three outcomes are possible:

ANSWER

1-The risks are mitigated (countered).
2-Insurance is acquired against the losses that would occur if a system were compromised.
3-The risks are accepted and the consequences are managed.

QUESTION 36

Determining the degree of a risk involves looking at two factors:

ANSWER

1-What is the consequence of a loss?
2-What is the likelihood that this loss will occur?

QUESTION 37

Extreme risk

ANSWER

Immediate action is required.

QUESTION 38

High risk:

ANSWER

Senior management's attention is needed.

QUESTION 39

Moderate risk:

ANSWER

Management responsibility must be specified.

QUESTION 40

Low risk:

ANSWER

Management is handled by routine procedures.

QUESTION 41

Vulnerability

ANSWER

refers to a known problem within a system or program.

QUESTION 42

Buffer overflow or buffer overrun vulnerability

ANSWER

A weakness in which the input area is overloaded with more information than it can handle, crashing or disabling the program. This is called buffer overflow, and it can permit a malicious user to gain control over the system.

QUESTION 43

Exploit

ANSWER

Exploit is a program or "cookbook" on how to take advantage of a specific vulnerability. It might be a program that a hacker can download over the Internet and then use to search for systems that contain the vulnerability it's designed to exploit. It might also be a series of documented steps on how to exploit the vulnerability after an attacker finds a system that contains it.

QUESTION 44

Attacker

ANSWER

Attacker is the link between a vulnerability and an exploit. The attacker has two characteristics: skill and will.

1-Attackers either are skilled in the art of attacking systems or have access to tools that do the work for them.
2-They have the will to perform attacks on systems they do not own and usually care little about the consequences of their actions.

QUESTION 45

Which term best describes a cookbook on how to take advantage of a vulnerability?

ANSWER

An exploit is a program or "cookbook" on how to take advantage of a specific vulnerability.

QUESTION 46

Controls are implemented to...

ANSWER

...mitigate risk and reduce the potential for loss. - Controls mitigate a wide variety of information security risks and reduce loss.

QUESTION 47

Triad - the principle of defense in depth - dictates that a security mechanism serve a purpose by

ANSWER

1-preventing a compromise
2-detecting that a compromise or compromise attempt is underway
3-responding to a compromise while it's happening or after it has been discovered.

QUESTION 48

Hackers tend to communicate among themselves far better than...

ANSWER

...professional security practitioners ever could. Hackers know about most vulnerabilities long before the general public gets wind of them.

QUESTION 49

If you see something,

ANSWER

say something.

QUESTION 50

The more complex a system gets,

ANSWER

the harder it is to secure. With too many "moving parts" or interfaces between programs and other systems, the system or interfaces become difficult to secure while still permitting them to operate as intended.

QUESTION 51

The tactic of FUD

ANSWER

The tactic of fear, uncertainty, and doubt (FUD) no longer works: Information security and IT management is too mature. Now IS managers must justify all investments in security using techniques of the trade. Although this makes the job of information security practitioners more difficult, it also makes them more valuable because of management's need to understand what is being protected and why. When spending resources can be justified with good, solid business rationale, security requests are rarely denied.

QUESTION 52

Security functional requirements describe

ANSWER

What a security system should do by design - Functional requirements describe what a system should do.

QUESTION 53

What are the three types of security controls?

ANSWER

People, process, and technology - Security controls are the basic toolkit for the security practitioner, who mixes and matches them to carry out the objectives of confidentiality, integrity, and/or availability by using people, processes, and technology to bring them to life.

QUESTION 54

Process controls for IT security include:

ANSWER

1-assignment of roles for least privilege
2-separation of duties
3-documented procedures

Process controls are implemented to ensure that different people can perform the same operations exactly in the same way each time. Processes are documented as procedures on how to carry out an activity related to security.

QUESTION 55

Separation of Duties

ANSWER

The practice of requiring that processes should be divided between two or more individuals; no one person in an organization should have the ability to control or close down a security activity.

QUESTION 56

Process controls are implemented to ensure ...

ANSWER

...that different people can perform the same operations exactly in the same way each time.

QUESTION 57

Processes are documented as ...

ANSWER

...procedures on how to carry out an activity related to security.
