Chapter 4: Secure Design Principles
Introduction
This chapter covers information security principles. Every network security implementation is based on a model. The CIA triad is perhaps the best-known model, focusing on the confidentiality, integrity, and availability of data. Other models focus on different aspects of information security: a perimeter security model treats firewalls as the primary defense, while a layered defense model relies on several different security mechanisms. Every security design includes assumptions about what is trusted and what is not trusted, and who can access which resources.
The CIA Triad
The CIA triad is a data-centric model that helps individuals and organizations think about security, although it is neither perfect nor all-inclusive. Its components include:
- Confidentiality: Restriction of access to data only to those authorized to use it. Confidentiality implies access to one set of data by multiple sources, whereas 'private' means the data is accessible only to a single source.
- Integrity: Assurance that data has not been altered.
- Availability: Assurance that a service will be accessible when needed.
Alternatives to the CIA Triad
Alternative models to the CIA triad include:
- Parkerian Hexad: This model includes Confidentiality, Integrity, Availability, Control, Authenticity, and Utility.
- U.S. DoD Five Pillars of Information Assurance: This includes Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation.
- OECD Guidelines: This comprises Confidentiality, Integrity, Availability, Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment.
Best Practices in Secure Design
The following best practices can enhance security frameworks:
- Secure the physical environment.
- Harden the operating system.
- Keep patches updated.
- Use an antivirus scanner with real-time protection.
- Employ firewall software.
- Secure network share permissions.
- Utilize encryption.
- Secure applications.
- Back up the system regularly.
- Create a comprehensive computer security defense plan.
- Implement ARP poisoning defenses.
Defensive Models
Different defense models offer various strategies, including:
The Lollipop Model
This model features a hard, crunchy shell with a soft, chewy center; once the outer layer is breached, the inner core is exposed. While intuitive, this is not considered the best defense.
The Onion Model
The onion model employs layered security approaches, known as defense in depth, where attackers must peel away layers one at a time.
Security Management
Security management should focus on assessing zones of trust within a network. Not every area is trusted equally; hence, proper access control measures must ensure that access is granted based on need. Essential tasks include hardening operating systems, creating detailed asset inventories, and developing tailored security methodologies.
Creating a Computer Security Defense Plan
A robust defense plan encompasses:
- Inventory of assets to protect, assessing their value and potential vulnerabilities.
- A risk quantification process to prioritize assets according to their exposure risk.
- Security baselines for assets.
- Implementation of security configurations with regular testing.
- Adaptation of security policies in response to evolving threats.
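The plan's steps carried through on a small inventory, as an added example that is not from the chapter. The 1-5 scales, the value x exposure score, the baseline keys and the asset names are all assumptions made for illustration; the chapter names no scoring formula.

```python
from dataclasses import dataclass, field

# Constructed baseline: settings every asset is expected to meet (assumed keys).
BASELINE = {"disk_encryption": True, "host_firewall": True, "max_patch_age_days": 30}

@dataclass
class Asset:
    name: str
    value: int      # business value, 1 (low) to 5 (critical); assumed scale
    exposure: int   # likelihood of compromise, 1 (isolated) to 5 (internet-facing)
    config: dict = field(default_factory=dict)  # observed settings

def risk_score(asset):
    """Assumed scoring: value x exposure."""
    return asset.value * asset.exposure

def baseline_drift(asset, baseline=BASELINE):
    """Return the baseline settings this asset fails, sorted by name."""
    failed = []
    for key, required in baseline.items():
        observed = asset.config.get(key)  # a missing setting counts as a failure
        if key.startswith("max_"):
            ok = observed is not None and observed <= required
        else:
            ok = observed == required
        if not ok:
            failed.append(key)
    return sorted(failed)

def prioritize(inventory):
    """Rank assets by risk, highest first; ties broken by more drift, then name."""
    return sorted(inventory,
                  key=lambda a: (-risk_score(a), -len(baseline_drift(a)), a.name))

# Constructed sample inventory.
INVENTORY = [
    Asset("web-frontend", 3, 5, {"disk_encryption": True, "host_firewall": True, "max_patch_age_days": 12}),
    Asset("hr-database", 5, 2, {"disk_encryption": False, "host_firewall": True, "max_patch_age_days": 45}),
    Asset("build-server", 4, 3, {"disk_encryption": True, "host_firewall": False}),
    Asset("lobby-kiosk", 1, 4, {"disk_encryption": False, "host_firewall": False, "max_patch_age_days": 90}),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:13} risk={risk_score(a):2}  drift={baseline_drift(a)}")
```

Re-running the ranking after changing an asset's exposure rating is the adaptation step: the order of remediation work follows the updated scores.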
Conclusion
In summary, the CIA triad, while fundamentally significant, is augmented by various considerations and models. The onion model offers a more robust security framework than the lollipop model, advocating for trust assessment and the layered security approach. By securing environments, keeping systems updated, employing antivirus and firewall solutions, managing user permissions diligently, and instituting a comprehensive security defense plan, organizations can markedly reduce their exposure to potential threats.