2019 ITEC854 Security Management - Week 08
2019 ITEC854 Security Management - Week 08
Management
Week 8 – Information Classification and Exposures
• Presentations will now be both Saturday and Sunday, you only need to come
to one session, Saturday AM, Saturday PM or Sunday
Start Saturday Sunday
08:30
09:00
09:30
10:00
11:00
11:30
12:00
12:30
13:00 LUNCH
14:00
14:30
15:00
15:30
16:00
16:30
Practical deliverables WEEKS 8-12
Practical deliverables
• Components in light
blue should be
created and/or
refined before week
12
• No fixed weekly
tasks but lectures
inform your process
• Practical work is
now independent
Week 7 deliverables comments
• Peer assessment due by 1200 30-SEP-2019, by that time 133 people had
not submitted
• By 2359 20-SEP-2019, 85 people had not submitted
• By 1200 today, 1-OCT-2019, 33 people had not submitted
• Final marks will not be given until all peer assessments are received
Guidelines
• Must be business oriented –
classifications must be
reasonable and
implementable
• Classified information can be
described in terms of integrity
or availability – confidentiality
is, of course, a given!
• A classification often has a
“use by” date – or may be
driven by events, such as
public release
How to classify information…
There are myriad strategies and techniques used to design security systems.
There are few, if any, effective strategies to enhance security after design.
One technique enforces the principle of least privilege to great extent, where an
entity has only the privileges that are needed for its function. That way even if
an attacker gains access to one part of the system, fine-grained security
ensures that it is just as difficult for them to access the rest.
Security by design…
Bell-LaPadula model
• This was developed by David Elliott Bell and Len LaPadula in 1973 to formalize
the U.S. Department of Defense (DoD) multilevel security (MLS) policy
• The model is a formal state transition model of computer security policy that
describes a set of access control rules which use security labels on objects and
clearances for subjects
• Security labels range from the most sensitive, e.g., "Top Secret", down to the least
sensitive, e.g., "Unclassified" or "Public."
• The Bell-LaPadula model is an example of a model where there's no clear
distinction of protection and security
• The Bell-LaPadula model focuses on data confidentiality and access to classified
information, in contrast to the Biba Integrity Model which describes rules for the
protection of data integrity
Computer security models…
Biba model
• This was developed by Kenneth J.
Biba in 1977, is a formal state
transition system of computer security
policy that describes a set of access
control rules designed to ensure data
integrity
• Data and subjects are grouped into
ordered levels of integrity - the model
is designed such that subjects may
not corrupt data in a level ranked
higher than the subject, or be
corrupted by data from a lower level
than the subject
• In general the model was developed
to circumvent a weakness in the Bell-
LaPadula Model which only address
data confidentiality