Merkow - PPT - 02 F

Information Security
Principles and Practices, 2nd Edition
by Mark Merkow and Jim Breithaupt
Chapter 2: Information Security Principles of Success
Objectives
Build an awareness of 12 basic principles of

information security
Distinguish among the three main security
goals
Learn how to design and apply the principle
of Defense in Depth
Comprehend human vulnerabilities are
security systems
Pearson Education 2014, Information
Security: Principles and Practices, 2nd Edition
Objectives (cont.)
Explain the difference between functional and

assurance requirements
Comprehend the fallacy of security through
obscurity
Comprehend the importance of risk analysis
and risk management tools and techniques
Determine which side of open disclosure
debate you would take
Introduction
Best security specialists combine practical

knowledge and technical skills with understanding of
human nature
No two systems or situations are identical, and there are no

cookbooks to consult on how to solve security problems

Principle 1:There Is No Such Thing as Absolute

Security
Given enough time, tools, skills, and

inclination, a hacker can break through any
security measure
Security testing can buy additional time so
the attackers are caught in the act

Principle 2: The Three Security Goals Are

Confidentiality, Integrity, and Availability
All information security measures try to address at least

one of the three goals:
Confidentiality
Integrity
Availability
The three security goals form the CIA triad

Confidentiality
Security
Goals
Integrity
Availabilit
y

Principle 2: The Three Security Goals Are

Confidentiality, Integrity, and Availability (cont.)
Protect the confidentiality of data
Preserve the integrity of data
Confidentiality models are primarily intended to ensure that no

unauthorized access to information is permitted and that
accidental disclosure of sensitive information is not possible
Integrity models keep data pure and trustworthy by protecting
system data from intentional and accidental changes
Promote the availability of data for authorized use
Availability models keep data and resources available for

authorized use during denial-of-service attacks, natural disasters,
and equipment failures

Principles 3: Defense in Depth as Strategy
Defense in depth
Involves implemented security in overlapping

layers that provide the three elements needed to
secure assets: prevention, detection, and
response
The weaknesses of one security layer are offset
by the strengths of two or more layers

Principle 4: When Left on Their Own, People

Tend to Make the Worst Security Decisions
Takes little to convince someone to give up

their credentials in exchange for trivial or
worthless goods
Many people are easily convinced to doubleclick the attachment or links inside emails
Subject: Here you have, ;o)
Message body: Hi: Check This!
Attachment: AnnaKournikova.jpg.vbs
Principle 5: Computer Security Depends on Two

Types of Requirements: Functional and Assurance
Functional requirements
Describe what a system should do
Assurance requirements
Describe how functional requirements should be

implemented and tested
Does the system do the right things in the right way?

Verification: The process of confirming that one or more
predetermined requirements or specifications are met
Validation: A determination of the correctness or quality of
the mechanisms used in meeting the needs
10
Principle 6: Security Through Obscurity Is Not an

Answer
Many people believe that if hackers dont

know how software is secured, security is
better
Although this seems logical, its actually untrue
Obscuring security leads to a false sense of

security, which is often more dangerous than
not addressing security at all

11
Principle 7: Security = Risk Management
Security is not concerned with eliminating all threats

within a system or facility but with eliminating
known threats and minimizing losses if an
attacker succeeds in exploiting a vulnerability
Spending more on security than the cost of an asset
is a waste of resources
Risk assessment and risk analysis are used to
place an economic value on assets to best
determine appropriate countermeasures that
protect them from losses
12
Principle 7: Security = Risk

Management cont.
Two factors to determine risk
What is the consequence of a loss?

What is the likelihood the loss will occur?
Consequences/likelihood matrix
Likelihood
Consequences
1. Insignificant
2. Minor
3. Moderate
4. Major
5. Catastrophic
A (almost
certain)
High
High
Extreme
Extreme
Extreme
B (likely)
Moderate
High
High
Extreme
Extreme
C
(moderate)
Low
Moderate
High
Extreme
Extreme
D (unlikely)
Low
Low
Moderate
High
Extreme
E (rare)
Low
High
High
Pearson
2014, Information
LowEducation Moderate
13
Principle 7: Security = Risk Management
cont.
Vulnerability
Exploit
A known problem within a system or program

A program or a cookbook on how to take
advantage of a specific vulnerability
Attacker
The link between a vulnerability and an exploit

14
Principle 8: The Three Types of Security Controls

Are Preventative, Detective, and Responsive
A security mechanism serves a purpose by

preventing a compromise, detecting that a
compromise or compromise attempt is
underway, or responding to a compromise
while it is happening or after it has been
discovered

15
Principle 9: Complexity Is the Enemy of Security
The more complex a system gets, the harder

it is to secure

16
Principle 10: Fear, Uncertainty, and Doubt (FUD)

Do Not Work in Selling Security
Information security managers must justify all

investments in security using techniques of
the trade
When spending resources can be justified
with good, solid business rationale, security
requests are rarely denied

17
Principle 11: People, Process, and Technology

Are All Needed to Adequately Secure a System
or Facility
People controls
Process controls
Dual control and separation of duties

Different people can perform the same operation the same
way every time
Technology alone without people and process

controls can fail
People, process, and technology controls are
essential elements of security practices including
operations security, applications development security,
physical security, and cryptography
18
Principle 12: Open Disclosure of Vulnerabilities

Is Good for Security!
Keeping a given vulnerability secret from

users and from the software developer can
only lead to a false sense of security
The need to know trumps the need to keep
secrets to give users the right to protect
themselves

19
Summary
Computer security specialists must not only

know the technical side of their jobs but also
must understand the principles behind
information security
These principles are mixed and matched to
describe why certain security functions and
operations exist in the real world of IT

20

Merkow - PPT - 02 F

Uploaded by

Copyright:

Available Formats

Merkow - PPT - 02 F

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Merkow - PPT - 02 F

Uploaded by

Copyright:

Available Formats

What are the three main security goals discussed in the text?

What are the three main security goals discussed in the text?

What are the three types of security controls mentioned?

What are the three types of security controls mentioned?

Information Security

Principles and Practices, 2nd Edition

by Mark Merkow and Jim Breithaupt

Chapter 2: Information Security Principles of Success

Build an awareness of 12 basic principles of

Explain the difference between functional and

Best security specialists combine practical

No two systems or situations are identical, and there are no

Pearson Education 2014, Information

Principle 1:There Is No Such Thing as Absolute

Given enough time, tools, skills, and

Pearson Education 2014, Information

Principle 2: The Three Security Goals Are

All information security measures try to address at least

The three security goals form the CIA triad

Pearson Education 2014, Information

Principle 2: The Three Security Goals Are

Protect the confidentiality of data

Preserve the integrity of data

Confidentiality models are primarily intended to ensure that no

Promote the availability of data for authorized use

Availability models keep data and resources available for

Pearson Education 2014, Information

Principles 3: Defense in Depth as Strategy

Involves implemented security in overlapping

Pearson Education 2014, Information

Principle 4: When Left on Their Own, People

Takes little to convince someone to give up

Principle 5: Computer Security Depends on Two

Describe what a system should do

Describe how functional requirements should be

Does the system do the right things in the right way?

Principle 6: Security Through Obscurity Is Not an

Many people believe that if hackers dont

Although this seems logical, its actually untrue

Obscuring security leads to a false sense of

Pearson Education 2014, Information

Principle 7: Security = Risk Management

Security is not concerned with eliminating all threats

Principle 7: Security = Risk

Two factors to determine risk

What is the consequence of a loss?

Principle 7: Security = Risk Management

A known problem within a system or program

The link between a vulnerability and an exploit

Pearson Education 2014, Information

Principle 8: The Three Types of Security Controls

A security mechanism serves a purpose by

Pearson Education 2014, Information

Principle 9: Complexity Is the Enemy of Security

The more complex a system gets, the harder

Pearson Education 2014, Information

Principle 10: Fear, Uncertainty, and Doubt (FUD)

Information security managers must justify all