FSDP
Fundamental Security Design Principles

• The National Centers of Academic Excellence in Information Assurance/Cyber Defense, jointly sponsored by the U.S. National Security Agency and the U.S. Department of Homeland Security, list the following as fundamental security design principles.

• Economy of Mechanism
• Fail-Safe Defaults
• Complete Mediation
• Open Design
• Separation of Privilege
• Least Privilege
• Least Common Mechanism
• Psychological Acceptability
• Isolation
• Encapsulation
• Modularity
• Layering
• Least Astonishment
Economy of Mechanism
• The design of security measures, in both hardware and software, should be as simple and small as possible.

Small design
• Easier to test and verify thoroughly.
• Simple mechanisms tend to have fewer exploitable flaws and require less maintenance.
• Configuration management is simplified: updating or replacing a simple mechanism is a less intensive process.

Huge design
• In a huge design, an adversary has many more opportunities to discover subtle weaknesses.
• The more complex the mechanism, the more likely it is to possess exploitable flaws.
Fail-Safe Defaults
• Access decisions should be based on permission rather than exclusion: the default is no access, and the protection scheme identifies the conditions under which access is permitted.
• A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, which is a safe situation.
• A design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, which is unsafe.
• Most file access systems and virtually all protected services on client/server systems use fail-safe defaults.
Complete Mediation
• Complete mediation means that every access must be checked against the access control mechanism.
• Systems should not rely on access decisions retrieved from a cache; if decisions are remembered for later use, the design must consider how a change in authority is propagated to those cached decisions.
• Example: once a user has opened a file, most systems make no further check to see whether the permissions have changed while the file is open.
• To fully implement complete mediation, the system must exercise access control every time a user reads a field or record in a file, or a data item in a database, not only when the file or database is opened.
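The following is an added example, not code from the original slides, showing both of the last two principles in one small reference monitor: the permission table denies anything it does not explicitly grant (fail-safe default), and a reader that re-checks on every record access is contrasted with one that decides once at open time (complete mediation). The user names, file name, records and permissions are constructed for illustration.

```python
"""Fail-safe defaults and complete mediation in a small reference monitor.

Constructed example: user names, the file name, its records and the
permission table are made up for illustration.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class ReferenceMonitor:
    # Permission table keyed by (user, resource) -> set of allowed operations.
    # Anything not explicitly listed is denied: a fail-safe default.
    acl: dict = field(default_factory=dict)

    def grant(self, user, resource, op):
        self.acl.setdefault((user, resource), set()).add(op)

    def revoke(self, user, resource, op):
        self.acl.get((user, resource), set()).discard(op)

    def check(self, user, resource, op):
        # Permission-based decision: only an explicit grant allows access;
        # an unknown user, resource or operation falls through to denial.
        return op in self.acl.get((user, resource), set())


def exclusion_based_check(blocklist, user, resource, op):
    # Anti-pattern for contrast: an exclusion-based decision. Any triple the
    # blocklist forgot to mention is allowed, so mistakes fail open.
    return (user, resource, op) not in blocklist


class FileService:
    def __init__(self, monitor, files):
        self.monitor = monitor
        self.files = dict(files)          # name -> list of records

    def open_cached(self, user, name):
        # Anti-pattern: the decision is made once at open time and the
        # returned reader never consults the monitor again.
        if not self.monitor.check(user, name, "read"):
            raise AccessDenied(f"{user} may not read {name}")
        records = self.files[name]
        return lambda i: records[i]

    def open_mediated(self, user, name):
        # Complete mediation: every record read is checked again, so a
        # revocation after open takes effect on the very next access.
        monitor, records = self.monitor, self.files[name]

        def read(i):
            if not monitor.check(user, name, "read"):
                raise AccessDenied(f"{user} may not read {name}")
            return records[i]
        return read


def demo():
    """Return (record served by the cached reader after revocation,
    outcome of the mediated reader after revocation)."""
    rm = ReferenceMonitor()
    svc = FileService(rm, {"payroll.csv": ["alice,5000", "bob,4200"]})
    rm.grant("bob", "payroll.csv", "read")

    cached = svc.open_cached("bob", "payroll.csv")
    mediated = svc.open_mediated("bob", "payroll.csv")
    assert cached(0) == mediated(0) == "alice,5000"   # both work while granted

    rm.revoke("bob", "payroll.csv", "read")           # authority changes
    stale = cached(1)                                 # still served: stale decision
    try:
        mediated(1)
        outcome = "allowed"
    except AccessDenied:
        outcome = "denied"
    return stale, outcome


if __name__ == "__main__":
    print(demo())   # ('bob,4200', 'denied')
```

The cached reader is exactly the "file already open" situation the slide describes: the revocation is correct in the permission table, but the decision taken at open time keeps serving records. The mediated reader pays a check per access and is the only one that honours the change.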
Open Design
• The design of a security mechanism should be open rather than secret.
• Although encryption keys must be kept secret, encryption algorithms are open to public scrutiny.
• Such algorithms can be reviewed by many experts, so users can have high confidence in them.
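An added example, not part of the original slides, that makes the key-versus-algorithm distinction concrete: a home-grown integrity tag whose only protection is secrecy of its design is forged the moment the design is known, while an HMAC computed with a public, reviewed algorithm remains unforgeable as long as only the key is secret. The checksum, messages and key are constructed for illustration.

```python
"""Open design: the security of a mechanism should rest on a secret key,
not on keeping the mechanism itself secret.

Constructed example: the home-grown checksum, the messages and the key are
made up for illustration; HMAC-SHA256 is a public, reviewed algorithm.
"""
import hashlib
import hmac
import secrets


def obscure_tag(message: bytes) -> bytes:
    # "Secret" integrity tag: its only protection is that an attacker
    # supposedly does not know how it is computed. There is no key.
    tag = 0x5A
    for b in message:
        tag = ((tag * 31) ^ b) & 0xFF
    return bytes([tag])


def obscure_verify(message: bytes, tag: bytes) -> bool:
    return obscure_tag(message) == tag


def attacker_forges_obscure(message: bytes) -> bytes:
    # Once the design leaks (source code, a reverse-engineered binary, an
    # ex-employee), every attacker computes valid tags for any message.
    return obscure_tag(message)


def hmac_tag(key: bytes, message: bytes) -> bytes:
    # Open design: the algorithm is public and scrutinised; only the key is secret.
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


def attacker_forges_hmac(message: bytes) -> bytes:
    # The attacker knows the algorithm exactly but not the key; without the
    # key the best available move is a guess (modelled here as one guess).
    return hmac_tag(secrets.token_bytes(32), message)


def demo():
    """Return (obscure forgery accepted, HMAC forgery accepted, genuine HMAC accepted)."""
    key = secrets.token_bytes(32)               # the only secret in the system
    genuine = b"transfer 100 to account 42"
    forged = b"transfer 100000 to account 99"
    return (
        obscure_verify(forged, attacker_forges_obscure(forged)),
        hmac_verify(key, forged, attacker_forges_hmac(forged)),
        hmac_verify(key, genuine, hmac_tag(key, genuine)),
    )
```

The point of the contrast is not that the obscure tag is short; it is that nothing in it can be rotated or protected after the design is known, whereas an HMAC key can be kept in an HSM, rotated, and revoked without touching the algorithm.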
Separation of Privilege
• Multiple privilege attributes are required to achieve access to a restricted resource.
• Example: multifactor user authentication, which requires multiple techniques, such as a password and a smart card, to authorize the user.

Least Privilege
• Every process and every user of the system should operate using the least set of privileges necessary to perform the task.
• Example: role-based access control, in which each role is granted only the permissions its holders need:
  – Student
  – Staff
  – Vice-Chancellor
  – Director
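An added example, not from the original slides, combining the two preceding principles: roles carry only the permissions their holders need (least privilege), authentication requires two independent attributes, a password and a smart card (separation of privilege), and the same idea is extended, beyond what the slide states, to a two-person rule for one sensitive operation, as in Saltzer and Schroeder's original formulation. The roles, permissions, users, passwords and card identifiers are constructed for illustration.

```python
"""Least privilege via role-based access control, with separation of
privilege for authentication and for one sensitive operation.

Constructed example: the roles, permissions, users, passwords and smart-card
identifiers below are made up for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Each role carries only the permissions its holders need (least privilege);
# a user's effective permissions are the union over their roles.
ROLE_PERMISSIONS = {
    "Student":         {"view_own_grades", "submit_assignment"},
    "Staff":           {"view_own_grades", "view_class_grades", "enter_grades"},
    "Vice-Chancellor": {"view_class_grades", "approve_budget"},
    "Director":        {"view_class_grades", "approve_budget", "manage_staff"},
}


def hash_password(password: str) -> bytes:
    # Illustrative only: a real system stores a salted, slow KDF output.
    return hashlib.sha256(password.encode()).digest()


@dataclass
class User:
    name: str
    roles: frozenset
    password_hash: bytes      # factor 1: something the user knows
    smart_card_id: str        # factor 2: something the user has


def permissions_of(user: User) -> set:
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def authorized(user: User, permission: str) -> bool:
    # Deny anything that none of the user's roles explicitly grants.
    return permission in permissions_of(user)


def authenticate(user: User, password: str, presented_card: str) -> bool:
    # Separation of privilege: two independent attributes are both required,
    # so a stolen password alone (or a stolen card alone) is not enough.
    knows = hmac.compare_digest(hash_password(password), user.password_hash)
    has = hmac.compare_digest(presented_card, user.smart_card_id)
    return knows and has


def approve_budget(attempts) -> bool:
    """Two-person rule (separation of privilege applied to an operation):
    approval needs two *different* authenticated users who each hold
    approve_budget. attempts: iterable of (user, password, card)."""
    approvers = {u.name for u, pw, card in attempts
                 if authenticate(u, pw, card) and authorized(u, "approve_budget")}
    return len(approvers) >= 2


def sample_users() -> dict:
    # Constructed accounts, one per role.
    return {
        "alice": User("alice", frozenset({"Student"}), hash_password("pw-a"), "CARD-A"),
        "bob":   User("bob", frozenset({"Staff"}), hash_password("pw-b"), "CARD-B"),
        "carol": User("carol", frozenset({"Vice-Chancellor"}), hash_password("pw-c"), "CARD-C"),
        "dave":  User("dave", frozenset({"Director"}), hash_password("pw-d"), "CARD-D"),
    }
```

Note that a Staff member can enter grades but cannot approve a budget, and that a single approver presenting twice does not satisfy the two-person rule: the check is on distinct authenticated identities, not on the number of submissions.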
Least Common Mechanism
• The design should minimize the functions shared by different users, providing mutual security.
• This principle helps
  • to reduce the number of unintended communication paths, and
  • to reduce the amount of hardware and software on which all users depend, and which therefore must be assured secure.

Psychological Acceptability
• Security mechanisms should not interfere unduly with the work of users.
• If security mechanisms hinder the usability or accessibility of resources, users may opt to turn those mechanisms off.
Isolation
• Public access systems should be isolated from critical resources (data, processes, etc.) to prevent disclosure or tampering.
• If the sensitivity or criticality of the information is high, organizations may want to limit the number of systems on which the data is stored and isolate those systems, either physically or logically.
• Physical isolation may include ensuring that no physical connection exists between the public access systems and the critical systems.
• Logical isolation is implemented by establishing layers of security services and mechanisms between the public systems and the secure systems that are responsible for protecting the critical resources.

Encapsulation
• A specific form of isolation based on object-oriented functionality: a collection of procedures and data objects is enclosed in a domain of its own, so that the internal structure of a data object is accessible only to the procedures of the protected subsystem, and those procedures may be called only at designated domain entry points.

Modularity
• Security functions are developed as separate, protected modules, and the overall design uses a modular architecture.

Layering (or Defense in Depth)
• Multiple, overlapping protection approaches are used, so that the failure or circumvention of any one approach does not leave the system unprotected.

Least Astonishment
• A program or user interface should always respond in the way that is least likely to astonish the user; the security mechanism should be transparent and understandable to the user.
Attack Surfaces and Attack Trees
Attack Surface
• An attack surface consists of the reachable and exploitable vulnerabilities in a system.
• Examples:
  • Open ports
  • Services available on the inside of a firewall
  • Interfaces, SQL, and web forms
  • Code that processes incoming data, email, and XML documents
  • An employee with access to sensitive information
• Attack surfaces can be categorized as follows:
• Network attack surface
  • Refers to vulnerabilities over an enterprise network, a wide area network, or the Internet.
  • Includes network protocol vulnerabilities, such as those used for denial-of-service attacks, disruption of communication links, and various forms of intruder attacks.
• Software attack surface
  • Refers to vulnerabilities in application, utility, or operating system code.
  • Example: web server software.
• Human attack surface
  • Refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.
Attack Trees
• An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities.
• The security incident that is the goal of the attack is represented as the root node of the tree; the ways an attacker could reach that goal are represented iteratively and incrementally as branches and subnodes, each subnode defining a subgoal.

[Figure: a security incident as the root node, with subnodes SN1, SN2 and SN3 beneath it and SN4 and SN5 beneath those.]

• The leaf nodes, at the ends of the paths outward from the root, represent the different ways to initiate an attack.
• Each node other than a leaf is either an AND-node (all of its subgoals must be achieved) or an OR-node (achieving any one of its subgoals suffices).
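An added example, not from the original slides, that builds a small attack tree with the AND/OR semantics just described and evaluates it in two ways a practitioner uses such a tree: is the root goal reachable given which leaf attacks are currently feasible, and what is the attacker's cheapest route. It also shows the effect of a mitigation, which marks leaves infeasible and pushes the attacker onto a more expensive path. The tree, its labels (SN1 to SN5 follow the figure) and the costs are constructed for illustration and describe no real system.

```python
"""Attack tree with AND/OR nodes: reachability of the root goal and the
attacker's minimum-cost path, before and after a mitigation.

Constructed example: the goal, subgoals, leaf attacks and costs are made up
for illustration and do not describe any real system.
"""
from dataclasses import dataclass, field
from typing import List

INF = float("inf")


@dataclass
class Node:
    label: str
    kind: str = "LEAF"                  # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0                   # attacker effort for a leaf (arbitrary units)
    feasible: bool = True               # whether the leaf attack is currently possible


def min_cost(node: Node) -> float:
    """Cheapest way to achieve this node; INF means it is not achievable."""
    if node.kind == "LEAF":
        return node.cost if node.feasible else INF
    costs = [min_cost(c) for c in node.children]
    if node.kind == "AND":              # every subgoal is needed: costs add up
        return sum(costs) if all(c < INF for c in costs) else INF
    if node.kind == "OR":               # any one subgoal suffices: take the cheapest
        return min(costs, default=INF)
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest_path(node: Node) -> List[str]:
    """Leaf attacks carried out on the cheapest route to this node."""
    if min_cost(node) == INF:
        return []
    if node.kind == "LEAF":
        return [node.label]
    if node.kind == "AND":
        return [leaf for c in node.children for leaf in cheapest_path(c)]
    return cheapest_path(min(node.children, key=min_cost))


def apply_mitigation(node: Node, neutralised: set) -> None:
    """Mark the named leaf attacks infeasible (a control now blocks them)."""
    if node.kind == "LEAF" and node.label in neutralised:
        node.feasible = False
    for c in node.children:
        apply_mitigation(c, neutralised)


def build_tree() -> Node:
    # Root = security incident (goal); SN1..SN5 mirror the figure's subnodes.
    return Node("Read another user's mailbox", "OR", [
        Node("SN1: Obtain the user's password", "OR", [
            Node("Guess a weak password", cost=5),
            Node("Phish the password", cost=20),
        ]),
        Node("SN2: Hijack an active session", "AND", [
            Node("SN4: Capture session token", "OR", [
                Node("Sniff unencrypted traffic", cost=15, feasible=False),  # TLS already enforced
                Node("Steal token from shared workstation", cost=30),
            ]),
            Node("SN5: Replay the token before it expires", cost=2),
        ]),
        Node("SN3: Exploit the mail server", cost=100),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print(min_cost(tree), cheapest_path(tree))
    apply_mitigation(tree, {"Guess a weak password", "Phish the password"})
    print(min_cost(tree), cheapest_path(tree))
```

Reading the result: with password attacks open the cheapest route costs 5; after a password policy plus a second factor neutralise both SN1 leaves, the attacker's best option becomes the AND-node SN2 at 30 + 2 = 32, and only when the token theft and the server exploit are also blocked does the root become unreachable.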
